05 DNS Server


Domain Name Service (DNS)
Domain Name Service (DNS) is an Internet service that translates device names into IP addresses and vice versa. Ubuntu uses BIND (Berkeley Internet Naming Daemon), the most popular DNS server in Linux environments.


Installation
First, install the BIND package:

yum install bind*



Configuration Files

There are several ways to configure a DNS server on Linux.
Some of the most common configurations are:

  • caching nameserver
    A caching BIND nameserver looks up answers and then stores them in its cache so that it can answer the same queries again. It has no zone of its own.
  • primary master
    A primary master DNS server has its own DNS zone, for which it answers authoritatively.
  • secondary master
    A secondary DNS server reads the zone data file from the primary server and answers client requests with the data it has copied from the primary.


An overview
The DNS configuration files are kept in the /etc/named directory.
The first configuration file is /etc/named.conf.

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 192.168.221.80; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { 192.168.221.0/24; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";






The file
/etc/named.rfc1912.zones
holds information on the base zones the DNS server has, for example the localhost zone.


Below is an example of this file


// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};





Below is the content of a sample named.ca file (the root hints)



; <<>> DiG 9.5.0b2 <<>> +bufsize=1200 +norec NS . @a.root-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34420
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 20

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:ba3e::2:30
B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201
C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:2f::f
G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4
H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53
H.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:1::803f:235
I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17
J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:c27::2:30
K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:7fd::1
L.ROOT-SERVERS.NET. 3600000 IN A 199.7.83.42
M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:dc3::35

;; Query time: 147 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Mon Feb 18 13:29:18 2008
;; MSG SIZE  rcvd: 615







/etc/named.rfc1912.zones
also holds information on the zones for which this DNS server is authoritative, for example the zone ict.local




Caching Nameserver

The base configuration is a caching server. The only configuration required is to set the IP addresses of the ISP's servers as forwarders. This is done by editing /etc/named.conf:


// goes inside the options { ... } block of /etc/named.conf
forwarders {
        1.2.3.4;
        5.6.7.8;
};





Primary Master

In the example below, BIND9 is configured as a Primary Master for the domain example.com.
Forward Zone File


To add a DNS zone to BIND9, turning it into a Primary Master server, the first step is to edit /etc/named.rfc1912.zones:


zone "example.com" {
    type master;
    file "db.example.com";
};



Next, create the database file with the records of our zone, named db.example.com:



; BIND data file for example.com
;
$TTL    604800
@       IN      SOA     example.com. root.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
        IN      A       192.168.1.10
;
@       IN      NS      ns.example.com.
@       IN      A       192.168.1.10
@       IN      AAAA    ::1
ns      IN      A       192.168.1.10



Edit the file db.example.com and put in the full FQDN of your domain, without removing the trailing "." .
Set the IP address of the DNS server, and replace root.example.com with the email address of the domain administrator, but with "." in place of the usual "@" email symbol.

Notes on the contents of the zone file:


$TTL
Default TTL - Time To Live. $TTL sets the default validity time for all records in the file, used whenever it is not set specifically for a record. The unit is seconds.
A common value may be 86400 seconds, or 24 hours. This value determines how long it takes for a change to a record to be reflected on DNS servers across the Internet.
Dynamic DNS (DDNS) usually uses a TTL equal to 5 minutes, or 300 seconds.


SOA
SOA (Start Of Authority) indicates which server is responsible for this zone, meaning that this server is the authoritative server for the zone. There can be only one SOA record in each domain data file (db.DOMAIN).


Let's explain what the SOA contains:
  • the domain name, e.g. @ or ict.local.
  • IN = Internet
  • SOA = Start of Authority
  • the name of the SOA server (for example localhost or myserver.ict.local.)
  • the email of the domain administrator, for example admin.ict.local. or root.localhost., which are interpreted as admin@ict.local or root@localhost

Then, between the parentheses:
(
  • serial number,
    which indicates the version of the data file. The secondary DNS server uses this number to work out whether the data file has changed since the last time it synchronised.
  • refresh,
    tells the secondary server after how long it should ask the primary server again whether the data file has changed
  • retry,
    tells the secondary server after how long it should try again if it could not contact the primary server
  • expiry,
    tells the secondary server after how long without contact with the primary server its data become invalid
  • Negative Cache TTL,
    tells DNS clients that received a negative answer for a record from the DNS server how long they will remember that answer before asking the SOA server again
)
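As an added example (my code, not from the original page), the following Python parses the SOA shown above from a constructed copy of db.example.com and applies the semantics just listed: the RNAME-to-email rule, the RFC 1982 serial comparison a secondary uses to decide whether to transfer, a few sanity rules for the timers (the thresholds are this example's, not BIND's), and what the secondary does as the refresh and expire intervals elapse.

```python
import re
# Constructed copy of the SOA from db.example.com above (not the file on disk).
ZONE_TEXT = """\
$TTL    604800
@       IN      SOA     example.com. root.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
"""
SOA_RE = re.compile(r"\bSOA\s+(\S+)\s+(\S+)\s*\(\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\)")

def parse_soa(zone_text):
    """Return the SOA fields as a dict; ';' comments are dropped so the multi-line form parses."""
    cleaned = " ".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    m = SOA_RE.search(cleaned)
    if not m:
        raise ValueError("no SOA record found")
    serial, refresh, retry, expire, minimum = (int(x) for x in m.groups()[2:])
    return {"mname": m.group(1), "rname": m.group(2), "serial": serial,
            "refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}

def admin_email(rname):
    """root.example.com. -> root@example.com: the first '.' of RNAME stands for '@'."""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"

def serial_is_newer(old, new):
    """RFC 1982 serial comparison, as a secondary applies it before transferring."""
    return old != new and (new - old) % 2**32 < 2**31

def check_soa_timers(soa):
    """Sanity rules for the timers (thresholds are this example's, not BIND's)."""
    findings = []
    if soa["retry"] >= soa["refresh"]:
        findings.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        findings.append("expire must be longer than refresh + retry")
    return findings

def secondary_state(soa, last_ok, now):
    """What a secondary does at time `now` (seconds) given its last successful SOA check."""
    age = now - last_ok
    if age >= soa["expire"]:
        return "expired: stop answering for the zone"
    if age >= soa["refresh"]:
        return "refresh due: ask the primary for its SOA serial"
    return "serving cached copy"
```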


Below we continue with the other DNS records

  • NS = Name Server
  • A = A host (name -> address)
  • PTR = POINTER (address -> name)
  • CNAME = Canonical Name, or alias


Reverse Zone File


It is possible, and even recommended, to also add a reverse zone that translates from IP addresses to names:


Edit /etc/named.rfc1912.zones, adding an entry for the reverse zone:


zone "1.168.192.in-addr.arpa" {
    type master;
    file "db.192";
};



Now create the file db.192:


;
; BIND reverse data file for local 192.168.1.XXX net
;
$TTL    604800
@       IN      SOA     ns.example.com. root.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; the NS target must be the server's full name: a bare "ns." would be a
; top-level name, not ns.example.com, because this zone's origin is not example.com
@       IN      NS      ns.example.com.
10      IN      PTR     ns.example.com.


In the reverse zone too we must take care to increment the Serial Number every time we modify the zone file. For every A record created in the forward zone in db.example.com, a PTR record must be created in the reverse zone file db.192.

After modifying the reverse zone, the service must also be restarted to apply the changes:
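To check the rule just stated, the following added example (my code, not from the original page) parses constructed copies of db.example.com and db.192 and reports every A record whose IP has no matching PTR in the reverse zone, or whose PTR points at a name the forward zone does not give that IP; a 'www' host is added to the forward copy so the check has something to find.

```python
import re
# Constructed copies of the two zone files above; 'www' is an extra host that has no PTR.
FORWARD_ZONE = """\
@       IN      SOA     example.com. root.example.com. (
                        2 604800 86400 2419200 604800 )   ; serial refresh retry expire neg-ttl
@       IN      NS      ns.example.com.
@       IN      A       192.168.1.10
ns      IN      A       192.168.1.10
www     IN      A       192.168.1.20
"""
REVERSE_ZONE = """\
@       IN      SOA     ns.example.com. root.example.com. ( 2 604800 86400 2419200 604800 )
10      IN      PTR     ns.example.com.
"""

def fqdn(name, origin):
    """Expand '@' and relative names against the zone origin (origin ends with '.')."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_records(zone_text, origin):
    """Return (owner, rtype, rdata) per record; the SOA's '( ... )' block is collapsed."""
    text = "\n".join(ln.split(";", 1)[0].rstrip() for ln in zone_text.splitlines())
    text = re.sub(r"\(.*?\)", "-", text, flags=re.S)      # SOA timers are not needed here
    records, owner = [], origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        tokens = line.split()
        if not line[0].isspace():                         # explicit owner, else inherit
            owner = fqdn(tokens.pop(0), origin)
        while tokens[0] == "IN" or tokens[0].isdigit():   # optional class and TTL
            tokens.pop(0)
        records.append((owner, tokens[0], tokens[1]))
    return records

def check_forward_reverse(forward, reverse):
    """Each A record's IP needs a PTR whose target is one of that IP's forward names."""
    names_by_ip, findings = {}, []
    for owner, rtype, ip in forward:
        if rtype == "A":
            names_by_ip.setdefault(ip, set()).add(owner)
    ptr = {owner: target for owner, rtype, target in reverse if rtype == "PTR"}
    for ip, names in sorted(names_by_ip.items()):
        target = ptr.get(".".join(reversed(ip.split("."))) + ".in-addr.arpa.")
        if target is None:
            findings.append(f"no PTR for {ip} ({', '.join(sorted(names))})")
        elif target not in names:
            findings.append(f"PTR for {ip} points to {target}, not {sorted(names)}")
    return findings
```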

service named restart


Secondary Master


Once a Primary Master is configured, we can add a Secondary Master to guarantee the availability of the service in case the Primary is unavailable.

First, on the Primary Master, zone transfers must be allowed.

This is done by adding the option
allow-transfer to the Forward and Reverse zones in /etc/named.rfc1912.zones:

zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { 192.168.1.11; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "db.192";
    allow-transfer { 192.168.1.11; };
};



Put the IP of your secondary server in place of 192.168.1.11.

Restart named on the Primary Master:

service named restart


Second, on the Secondary Master, install the named package in the same way as on the Primary.

Then edit /etc/named.rfc1912.zones and add the following declarations for the Forward and Reverse zones:

zone "example.com" {
    type slave;
    file "db.example.com";
    masters { 192.168.1.10; };
};

zone "1.168.192.in-addr.arpa" {
    type slave;
    file "db.192";
    masters { 192.168.1.10; };
};



Replace 192.168.1.10 with the IP address of your Primary server.

Restart the named service on the Secondary Master:

service named restart





Name server switch configuration


The way your server resolves names is determined in the file /etc/nsswitch.conf.

The default behaviour is that the contents of /etc/hosts take priority, and then DNS is tried.

Below is an example of the /etc/nsswitch.conf file

hosts: files dns 







The file /etc/named.rfc1912.zones (a complete example from this server)

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};



zone "atnet.com" IN {
type master;
file "atnet.com.zone";
};

zone "example.com" IN {
type slave;
file "example.com.db";
masters { 192.168.221.80; };
};

zone "endri.com" IN {
type slave;
file "endri.com.zone";
masters { 192.168.221.80; };
};




zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};

zone "221.168.192.in-addr.arpa" IN {
type slave;
file "db.192";
masters { 192.168.221.80; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};