DNS server security strategy under Solaris 10
A DNS server provides domain name resolution for the hosts on a network. Although Solaris 10 ships with BIND 9.2.4, BIND is not a Sun product; the Internet Software Consortium maintains it. We should download the latest BIND release from www.isc.org, because newer versions fix known vulnerabilities.
Next we will introduce how to configure the DNS server.
1. Install and configure the DNS server from the source code
(1) Download the latest BIND software. In this example we download bind-9.3.2.tar.gz from http://www.isc.org/products/BIND.
(2) Place the downloaded archive in a directory on the system; in this example we use /usr/local/src.
# cd /usr/local/src
# wget http://ftp.isc.org/isc/bind9/9.3.2/bind-9.3.2.tar.gz
# cp bind-9.3.2.tar.gz ..
# cd ..
# gzip -d bind-9.3.2.tar.gz
# tar -vxf bind-9.3.2.tar
# rm bind-9.3.2.tar
# cd bind-9.3.2
# ./configure
# make
# make install
# cd /usr/sbin
(3) The generated executables are installed in the /usr/local/sbin directory. The most important ones are named and rndc. Generate an rndc configuration with a fresh shared key:
# /usr/local/sbin/rndc-confgen > /etc/rndc.conf
# cat /etc/rndc.conf
Output:
# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "y9xvvfQjdWv9f/Fo7wquBg==";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#     algorithm hmac-md5;
#     secret "y9xvvfQjdWv9f/Fo7wquBg==";
# };
#
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
(9) Create the rndc.key file. Copy the commented-out block at the end of rndc.conf, without the leading "#", into the following file:
# vi /etc/rndc.key
key "rndc-key" {
    algorithm hmac-md5;
    secret "y9xvvfQjdWv9f/Fo7wquBg==";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
Check whether rndc works properly by starting named in the foreground and then querying its status:
# /usr/local/sbin/named -g
Jan 11 11:56:45.075 starting BIND 9.2.3 -g
Jan 11 11:56:45.076 using 1 CPU
Jan 11 11:56:45.079 loading configuration from '/etc/named.conf'
......
# /usr/local/sbin/rndc status
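As an added example (not part of the original article), a small Python script that does step (9) mechanically: it parses the key stanza that rndc-confgen wrote, checks that the secret is well-formed base64 and reports its length, and renders the key/controls stanza for /etc/rndc.key restricted to the loopback address. The sample rndc.conf text and the secret in it are constructed placeholders.

```python
import base64
import re

# Constructed sample of what `rndc-confgen > /etc/rndc.conf` writes.
# The secret is a placeholder, not a real key.
RNDC_CONF = """\
# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "y9xvvfQjdWv9f/Fo7wquBg==";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf
"""

KEY_RE = re.compile(
    r'key\s+"(?P<name>[^"]+)"\s*\{\s*algorithm\s+(?P<alg>[\w-]+)\s*;'
    r'\s*secret\s+"(?P<secret>[^"]+)"\s*;\s*\}\s*;', re.S)


def parse_rndc_conf(text):
    """Return (name, algorithm, secret, key_bits) from the first key stanza."""
    m = KEY_RE.search(text)
    if not m:
        raise ValueError("no key stanza found in rndc.conf")
    # validate=True rejects anything outside the base64 alphabet
    raw = base64.b64decode(m.group("secret"), validate=True)
    return m.group("name"), m.group("alg"), m.group("secret"), len(raw) * 8


def render_rndc_key(name, alg, secret, listen="127.0.0.1", port=953):
    """Render the stanza named.conf includes as /etc/rndc.key.
    The control channel binds to the loopback address only and accepts
    commands solely from that address, authenticated with the shared key."""
    return (f'key "{name}" {{\n    algorithm {alg};\n    secret "{secret}";\n}};\n'
            f'controls {{\n    inet {listen} port {port}\n'
            f'        allow {{ {listen}; }} keys {{ "{name}"; }};\n}};\n')


def rndc_conf_to_key_file(text):
    """Step (9) in one call: rndc.conf text in, rndc.key contents out."""
    name, alg, secret, bits = parse_rndc_conf(text)
    if bits < 128:  # rndc-confgen's default key size; anything shorter is suspect
        raise ValueError(f"shared secret is only {bits} bits; regenerate it")
    return render_rndc_key(name, alg, secret)
```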
(10) Edit the named.conf configuration file.
# vi /etc/named.conf
The content of the first section is as follows:
// generated by named-bootconf.pl
options {
    directory "/var/named";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};
The above section is the options statement at the beginning of the file. The directory option sets the location of the resource record (RR) files to /var/named, which means named looks for its zone files under this directory. Therefore the files named in the following sections do not need absolute paths, but they must be placed under this directory.
The commented text says, roughly, that if the DNS server and the clients it serves are separated by a firewall, you may need to remove the "//" in front of "// query-source address * port 53;" (and of course configure the firewall accordingly). However, this only matters for earlier versions; from BIND 8.1 onwards an unprivileged port is used by default, so there is no need to worry about this setting. Next let's look at the next statement:
//
// a caching only nameserver config
//
zone "." IN {
    type hint;
    file "named.root";
};
These statements define the root zone (".") for named, with class IN (Internet). The zone type is "hint" (only the root zone uses this type). Finally, the zone record file is "named.root", that is, /var/named/named.root. After the root zone you should see the following two sections:
zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};
These two sections define resolution for the local machine's names. The first is the forward zone for localhost: its type is master, its record file is localhost.zone (under /var/named), and allow-update { none; } means no client host (or server) may dynamically update its records. The second zone is the reverse zone for the loopback network 127.0.0.x.
Next come the two sections for the forward and reverse resolution of the cjh.com domain:
zone "cjh.com" IN {                    // newly added cjh.com domain
    type master;
    file "cjh.com.zone";
    allow-update { none; };
};
zone "9.168.192.in-addr.arpa" IN {     // newly added reverse zone for 192.168.9.0/24
    type master;
    file "named.192.168.9";
    allow-update { none; };
};
The last line includes the rndc key file. This is a BIND 9 feature: the key authenticates the rndc control channel, and a shared key of this kind can also be used to secure zone transfers or dynamic updates.
include "/etc/rndc.key";
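As a second added example (again not from the original article), a Python audit of a named.conf in the shape built above: it flags master zones that do not explicitly set allow-update { none; } and a configuration that does not include the rndc.key file. The sample named.conf is constructed; the zone names follow the article.

```python
import re

# Constructed named.conf in the shape built above; the cjh.com zone is
# deliberately missing its allow-update line so the audit has something to find.
NAMED_CONF = """\
options {
    directory "/var/named";
};
zone "." IN {
    type hint;
    file "named.root";
};
zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};
zone "cjh.com" IN {
    type master;
    file "cjh.com.zone";
};
include "/etc/rndc.key";
"""

# zone "<name>" ... { <body> };   (the body may span several lines)
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)
MASTER_RE = re.compile(r'\btype\s+master\s*;')
# BIND already defaults to no dynamic updates; the article makes it explicit,
# and the audit insists on that explicit statement for every master zone.
DENY_UPDATE_RE = re.compile(r'allow-update\s*\{\s*none\s*;\s*\}\s*;')
INCLUDE_KEY_RE = re.compile(r'include\s+"[^"]*rndc\.key"\s*;')


def audit_named_conf(text):
    """Return a list of findings (an empty list means every check passed)."""
    findings = []
    for name, body in ZONE_RE.findall(text):
        if MASTER_RE.search(body) and not DENY_UPDATE_RE.search(body):
            findings.append(
                f'zone "{name}": master zone does not explicitly set allow-update {{ none; }}')
    if not INCLUDE_KEY_RE.search(text):
        findings.append('named.conf does not include /etc/rndc.key (key/controls stanza missing)')
    return findings
```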
(11) Create the /var/named directory.
# mkdir /var/named
# cd /var/named
(12) Log on anonymously to the FTP site FTP.RS.INTERNIC.NET, fetch the named.root file from the /domain directory, and place it under /var/named.
(13) Create the localhost.zone file.
# vi /var/named/localhost.zone
$TTL 86400
$ORIGIN localhost.
@   1D  IN  SOA @ root (
        42          ; serial (d. adams)
        3H          ; refresh
        15M         ; retry
        1W          ; expiry
        1D )        ; minimum
    1D  IN  NS  @
    1D  IN  A   127.0.0.1
(14) Create the named.local file.
# vi named.local
$TTL 86400
@   IN  SOA localhost. root.localhost. (
        2005022700  ; Serial
        28800       ; Refresh
        14400       ; Retry
        3600000     ; Expire
        86400 )     ; Minimum
    IN  NS  localhost.
1   IN  PTR localhost.
(15) Create the cjh.com.zone file.
# vi cjh.com.zone
$TTL 1D
@   IN  SOA cjh.com. root.cjh.com. (
        1053891162  ; serial
        3H          ; refresh
        15M         ; retry
        1W          ; expiry
        1D )        ; minimum
    IN  NS  cjh.com.
    IN  MX  5 cjh.com.
www IN  A   192.168.9.9
(16) Create the named.192.168.9 file.
# vi named.192.168.9
$TTL 86400
@   IN  SOA cjh.com. root.cjh.com. (
        20031001    ; serial
        7200        ; refresh
        3600        ; retry
        43200       ; expire
        86400 )     ; minimum
@   IN  NS  cjh.com.
9   IN  PTR dns.cjh.com.
(17) Start the DNS service in the Solaris 10 operating system.
# svcadm enable network/dns/server
View:
# svcs -l network/dns/server
fmri         svc:/network/dns/server:default
name         Internet domain name server (DNS)
enabled      true
state        online
next_state   none
restarter    svc:/system/svc/restarter:default
contract_id  25
dependency   require_all/none svc:/system/filesystem/minimal (online)
dependency   require_all/none file://localhost/etc/named.conf (online)
dependency   require_any/error svc:/network/loopback (online)
dependency   optional_all/error svc:/network/physical (online)
(18) Test whether reverse DNS resolution is successful.
# host 192.168.9.9
9.9.168.192.in-addr.arpa domain name pointer dns.cjh.com.
(19) Test whether forward DNS resolution is successful.
# nslookup
> www.cjh.com
Server:     192.168.9.9
Address:    192.168.9.9#53
Name:   www.cjh.com
Address: 192.168.9.9
>
The above output indicates that the DNS service has started successfully.
Application description:
Solaris 10 already ships with the BIND 9 DNS server, so installation itself is not a problem. Why write this article, then? Partly because of the new Service Management Facility (SMF) in Solaris 10; the article also helps to gain an in-depth understanding of SMF.
To start and stop the DNS server on releases earlier than Solaris 10:
Start the DNS server:
/etc/init.d/named start
Stop the DNS server:
/etc/init.d/named stop
To start and stop the DNS server on Solaris 10:
Start the DNS server:
svcadm enable dns/server   or   svcadm enable dns/server:default
Stop the DNS server:
svcadm disable dns/server   or   svcadm disable dns/server:default