The previous article introduced the concepts behind UNIX DNS and how to create a DNS server. This article covers the management and maintenance of DNS.
First, UNIX system DNS management and maintenance
1. Starting and stopping DNS
Starting and stopping DNS on Solaris: log in to the system as root and look up the process ID (PID) of named:
# ps -ef | grep named
1) Restart named (SIGHUP makes the running named re-read its configuration): # kill -HUP PID
2) Stop named: # kill PID
Starting and stopping DNS on AIX: log in to the system as root.
1) Start named: # startsrc -s named
2) Stop named: # stopsrc -s named
3) After modifying the database, make named re-read it: # refresh -s named
2. Starting the DNS service together with the UNIX system
After we create a DNS server, the DNS service generally does not start by itself when the UNIX system is rebooted; it has to be started by hand, which is very inconvenient. On Solaris we must edit the inetd.conf configuration file, find the commented-out line for named and remove the leading "#".
On AIX, to have named start at the next system boot, open the /etc/rc.tcpip file and enable the line concerning named (or use # smit stnamed).
Second, UNIX DNS test and debugging tools
After the installation and configuration of DNS are complete and clients can resolve names against the server, the administrator can test and debug the DNS server with the related tools. named offers several built-in aids for debugging, the most configurable of which is its logging feature; we can set the debug level on the command line or with ndc, have named dump its statistics to a file, and use dig or nslookup to verify domain queries.
1. First, use the system command ping to test whether a name can be reached: # ping "domain name" on the UNIX system. If the ping fails, first check whether the DNS service is running, using the UNIX ps command to see whether the named process exists, e.g. ps -ef | grep named; if the process exists, check the correctness of all the configuration files produced while creating the DNS server. On a Windows client, open an MS-DOS window and enter ping hostname at the C:\> prompt, where hostname is the fully qualified domain name to query. If the configuration is correct, the resolved IP address is displayed immediately; if nothing is displayed for a long time, the configuration is incorrect and the cause must be found.
2. Viewing the logs. named's logging facility is flexible: BIND 4 used syslog to report errors and abnormal conditions; BIND 8 extended the syslog concept by adding another layer of indirection and supports logging directly to files. BIND's logging statement is configured in named.conf. The BIND 8 default logging configuration is:
logging {
    category default { default_syslog; default_debug; };
    category panic { default_syslog; default_stderr; };
    category eventlib { default_debug; };
    category packet { default_debug; };
};
The BIND 9 default logging configuration is:
logging {
    category default { default_syslog; default_debug; };
};
default_syslog: sends messages of severity info and higher to syslog under the daemon facility; default_debug: logs to the file named.run, with severity set to dynamic; default_stderr: sends messages to named's standard error output, with severity info.
When DNS runs into errors, we can examine the system log files syslog and named.run, compare the messages with the BIND error message list (which can be downloaded from http://www.acmebw.com/askmrdns/bind-messaged.htm), and find a solution.
3. The debug level. named's debug level is an integer from 0 to 11; the larger the number, the more detailed the output. Level 0 turns debugging off, levels 1 and 2 are suited to debugging the configuration and the database, and levels above 4 are meant for maintainers of the code itself. Debugging is enabled on the named command line with the -d flag, for example: # named -d2 starts named at debug level 2, and the debug information is written to the file named.run. Note that this debug level is distinct from the UNIX syslog severity level: the higher the debug level, the more information is logged.
4. Debugging with ndc. The ndc command (called rndc in BIND 9) is a convenient tool for controlling named; the files its commands generate are placed in named's working directory, the directory given in named.conf. Some commonly used ndc debug commands: status: display the current state of named; dumpdb: dump the DNS database to named_dump.db; stats: dump statistics to named.stats; reload: reload named.conf and the zone files; restart: restart named and empty the cache; notrace: turn off debugging. For example, recent versions of named keep query statistics, which we can access with ndc stats: when named receives this command it writes the statistics to the file named.stats.
5. Debugging with nslookup, dig and host. From the shell, three tools can be used to query the DNS database: nslookup, dig and host; nslookup and dig are included in the BIND software distribution. nslookup is the oldest of the three and has always shipped together with BIND; dig, the domain information groper, was originally written by Steve Hotz. host, written by Eric Wassenaar, is another open source tool; it is known for its terse output and also includes a zone file syntax check. The resolver library differs between the tools: dig and host use BIND's resolver, while nslookup has its own resolver. (1) nslookup. Enter the nslookup command and you will see the > prompt, at which you enter query instructions. Entering an IP address or a domain name performs reverse or forward resolution respectively. Besides these two kinds of resolution, nslookup can also retrieve the other record types in DNS, such as MX, NS and so on; entering "?" at the prompt lists all the parameters and data types that can be used directly.
# nslookup
Default Server: ghq.js.com
Address: 61.155.107.131
>
(2) dig. Usage: dig [@server] [-b address] [-c class] ... (see man dig for details). # dig ghq.js.com sends a domain name query packet to the name server; the argument after dig can be an IP address or a domain name, and the reply carries the information the name server provides. Like nslookup, dig can also query other record types, such as MX.
(3) host. host is the most basic DNS query tool: given an IP address or a domain name it returns the corresponding domain name or IP address.
# host ghq.js.com
ghq.js.com has address 61.155.107.131
Third, DNS daily security management and maintenance
For the security configuration of the BIND DNS server software, we have to make full use of BIND's own protection mechanisms and strengthen BIND's security, so that the server can resist the currently known BIND security vulnerabilities and the impact of potential, as yet unknown vulnerabilities on the server is kept as low as possible. This is also an important part of our daily UNIX DNS management work.
For the secure operation and management of DNS servers, the following methods can be considered:
1. Use multiple name servers to cope with malicious attackers and denial-of-service attacks on DNS servers. In theory a single DNS server can complete all tasks, but after registering a domain name you can in practice set up 6 DNS server names for the company's domain. If the primary name server is attacked, a secondary name server can take over; if the first secondary is also brought down, the third or fourth name server can still do the work. How many name servers to set up depends on the enterprise's network conditions.
For most users, the only impact of one of these multiple DNS servers stopping service is that domain name queries are delayed, because the servers have to be queried one after another until an answering one is found.
2. Enable the BIND (DNS) security options in the configuration. The named process start-up options are as follows: -r: turns off the name server's recursive query function (on by default). This option can be overridden by the "recursion" option in the options section of the configuration file. -u
To prohibit recursive queries on the DNS server, add to the options section (or to a specific zone section): recursion no; fetch-glue no;
To limit which hosts may send domain name queries to the DNS server, add: allow-query {
To limit which hosts may send recursive queries to the DNS server, add: allow-recursion {
To limit which hosts may receive zone (record) transfers from the DNS server, add: allow-transfer {
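As an added example that is not part of the original article, the following POSIX shell script audits a named.conf for the options just listed. It uses two constructed configurations, one weak and one hardened; the addresses in them are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article: audit a named.conf for the
# access-control options the article recommends. Both configurations and the
# addresses in them are constructed for this demonstration.

# Weak: recursion left open, no query/recursion ACLs, zone transfers to anyone.
WEAK_CONF='options {
    directory "/var/named";
    allow-transfer { any; };   // every host may copy the whole zone
};
zone "ghq.js.com" { type master; file "ghq.js.com"; };'

# Hardened: the options from the article, transfers limited to the secondary.
HARDENED_CONF='options {
    directory "/var/named";
    recursion no;              // authoritative answers only
    fetch-glue no;             // BIND 8 option; obsolete in BIND 9
    allow-query { 61.155.107.0/24; 127.0.0.1; };
    allow-recursion { 127.0.0.1; };
    allow-transfer { 61.132.62.137; };
};
zone "ghq.js.com" { type master; file "ghq.js.com"; };'

# strip_comments CONF: drop // and # comments so a commented-out option does not count
strip_comments() {
    printf '%s\n' "$1" | sed -e 's|//.*||' -e 's|#.*||'
}

# audit_conf CONF: print one line per finding, then the number of findings
audit_conf() {
    body=$(strip_comments "$1")
    n=0
    for opt in "recursion no" "allow-query" "allow-recursion" "allow-transfer"; do
        if ! printf '%s\n' "$body" | grep -q "$opt"; then
            echo "missing: $opt"; n=$((n + 1))
        fi
    done
    # allow-transfer present, but "any" still lets every host dump the zone
    if printf '%s\n' "$body" | grep -q 'allow-transfer[[:space:]]*{[[:space:]]*any;'; then
        echo "weak: allow-transfer { any; }"; n=$((n + 1))
    fi
    echo "$n"
}

# findings CONF: only the number of findings (last line of audit_conf's output)
findings() { audit_conf "$1" | tail -n 1; }

audit_conf "$WEAK_CONF"       # reports 4 findings
audit_conf "$HARDENED_CONF"   # reports 0 findings
```

Run it against the real file with audit_conf "$(cat /etc/named.conf)"; a finding only means an option is absent or set to any, so review the reported lines before changing the configuration.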
3. Authenticate and verify zone record transfers via TSIG (Transaction Signature).
First, make sure the BIND name server software is updated to the latest version, because the latest BIND release fixes the bugs and/or security vulnerabilities found in previous versions.
If you need TSIG signatures to secure manual updates of the DNS database, the steps are simple:
1) Generate the TSIG key with the dnskeygen tool shipped with BIND: # dnskeygen -H 128 -h -n tsig-key
Two key files are generated; reference them in the configuration file of the local name server and remember to restart the named daemon. Then copy the two key files to the client system (or the secondary name server), for example into the /etc/tsig directory. Finally, run: nsupdate -k /etc/tsig:tsig-key
2) If you need TSIG-signed zone transfers (automatic or manual), there are two ways. The first: generate TSIG keys with dnskeygen, as above. The second: configure the shared key in the primary name server's configuration file; an excerpt follows:
// define the authentication method and shared key
key master-slave {
    algorithm hmac-md5;
    secret "mzimnouyqpmnwsdzrx2enw==";
};
// define some characteristics of the secondary name server
server 61.132.62.137 {
    transfer-format many-answers;
    keys { master-slave; };
};
// zone record definition
zone "ghq.js.com" {
    type master;
    file "ghq.js.com";
    allow-transfer { 61.132.62.137; };
};
Finally, protect the enterprise network as a whole with the necessary security products and security services against all kinds of malicious attacks, so that the DNS server runs safely and stably in the UNIX system environment.