본문 바로가기

리눅스

[리눅스] bind view zonetransfer test(dns)

728x90

bind view zonetransfer 테스트(bind)

 

출처-https://learn.microsoft.com/ko-kr/windows-server/networking/media/dns-split-brain/dns-split-brain-01.jpg

 

마스터 서버

named 설정 파일(/etc/named.conf)

vim /etc/named.conf
// named.conf
options {
        listen-on port 53 { any; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file "/var/named/data/named.recursing";
        secroots-file "/var/named/data/named.secroots";
        version "UNKNOWN";
        allow-query { any; };
        allow-query-cache { any; };
        allow-transfer {
                127.0.0.1;
                192.168.0.62;
                192.168.0.63;
        };
        notify yes;
        also-notify { 192.168.0.63; };

        recursion yes;
        recursive-clients 10000;

        check-names master ignore;
        check-names slave ignore;
        check-names response ignore;

        zone-statistics yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

};

statistics-channels {
        inet 192.168.0.62 port 7777 allow { 192.168.0.0/24; };
};

include "/etc/named.root.key";
include "/etc/named.logging.conf";

//internal zone(default)
view "internal-view" {

include "/etc/named.rfc1912.zones";
        //match-clients { 127.0.0.1; 192.168.0.0/24; !192.168.0.63; };
        match-clients { 127.0.0.1; 192.168.0.62; };

        zone "." IN {
                type hint;
                file "named.ca";
        };

        zone "mocha.sangchul.kr" IN {
                type master;
                file "mocha.sangchul.kr.zone";
                allow-transfer { 192.168.0.63; };
                allow-update { 192.168.0.63; };
                zone-statistics yes;
        };

        zone "0.168.192.in-addr.arpa" IN {
                type master;
                file "192_168_0.zone";
                allow-transfer { 192.168.0.63; };
                allow-update { 192.168.0.63; };
        };
};

//external zone
view "external-view" {
        match-clients { any; };
        recursion no;

        zone "." IN {
                type hint;
                file "named.ca";
        };

        zone "mocha.sangchul.kr" IN {
                type master;
                file "ext-mocha.sangchul.kr.zone";
                allow-transfer { 192.168.0.63; };
                allow-update { 192.168.0.63; };
        };

        zone "0.168.192.in-addr.arpa" IN {
                type master;
                file "ext-192_168_0.zone";
                allow-transfer { 192.168.0.63; };
                allow-update { 192.168.0.63; };
        };
};

zone file 목록 확인

ls -l /var/named/ | grep zone
$ ls -l /var/named/ | grep zone
-rw-r----- 1 named named  774 Jan 16 12:14 192_168_0.zone
-rw-r----- 1 named named  774 Jan 16 13:38 ext-192_168_0.zone
-rw-r----- 1 named named  359 Jan 16 13:44 ext-mocha.sangchul.kr.zone
-rw-r----- 1 named named  360 Jan 16 12:14 mocha.sangchul.kr.zone

슬레이브 서버

named 설정 파일(/etc/bind/named.conf)

vim /etc/bind/named.conf
// named.conf
options {
        listen-on port 53 { any; };
        directory "/var/cache/bind";
        dump-file "/var/cache/bind/data/cache_dump.db";
        statistics-file "/var/cache/bind/data/named_stats.txt";
        memstatistics-file "/var/cache/bind/data/named_mem_stats.txt";
        recursing-file "/var/cache/bind/data/named.recursing";
        secroots-file "/var/cache/bind/data/named.secroots";
        version "UNKNOWN";
        allow-query { any; };
        allow-query-cache { any; };
        allow-transfer {
                127.0.0.1;
                192.168.0.63;
        };
        allow-notify { 192.168.0.62; };

        recursion yes;
        recursive-clients 10000;

        masterfile-format text;

        // forwarders {
        //      0.0.0.0;
        // };

        dnssec-validation auto;

};

statistics-channels {
        inet 192.168.0.63 port 7777 allow { 192.168.0.0/24; };
};

//include "/etc/bind/named.conf.options";
//include "/etc/bind/named.conf.local";
//include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.logging.conf";

//internal zone(default)
view "internal-view" {

include "/etc/bind/named.conf.default-zones";
        //match-clients { 127.0.0.1; 192.168.0.0/24; !192.168.0.63; };
        match-clients { 127.0.0.1; 192.168.0.62; };

        zone "mocha.sangchul.kr" IN {
                type slave;
                file "slaves/mocha.sangchul.kr.zone";
                masters { 192.168.0.62; };
                zone-statistics yes;
        };

        zone "0.168.192.in-addr.arpa" IN {
                type slave;
                file "slaves/192_168_0.zone";
                masters { 192.168.0.62; };
        };
};

//external zone
view "external-view" {
        match-clients { any; };
        recursion no;

        zone "mocha.sangchul.kr" IN {
                type slave;
                file "slaves/ext-mocha.sangchul.kr.zone";
                masters { 192.168.0.62; };
        };

        zone "0.168.192.in-addr.arpa" IN {
                type slave;
                file "slaves/ext-192_168_0.zone";
                masters { 192.168.0.62; };
        };
};

zone file 목록 확인

ls -l /var/cache/bind/slaves
$ ls -l /var/cache/bind/slaves
total 16
-rw-r--r-- 1 bind bind 523 Jan 16 14:22 192_168_0.zone
-rw-r--r-- 1 bind bind 523 Jan 16 14:22 ext-192_168_0.zone
-rw-r--r-- 1 bind bind 435 Jan 16 14:22 ext-mocha.sangchul.kr.zone
-rw-r--r-- 1 bind bind 435 Jan 16 14:22 mocha.sangchul.kr.zone

질의 테스트(query test)

내부 dns client(match-clients) : 127.0.0.1, 192.168.0.62

외부 dns client(match-clients) : any

dig @192.168.0.62 mocha.sangchul.kr

- 192.168.0.62 client - 내부 zone flie 아이피로 반환

root@192.168.0.62:~$ dig @192.168.0.62 mocha.sangchul.kr

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @192.168.0.62 mocha.sangchul.kr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55545
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mocha.sangchul.kr.             IN      A

;; ANSWER SECTION:
mocha.sangchul.kr.      60      IN      A       192.168.0.61

;; AUTHORITY SECTION:
mocha.sangchul.kr.      60      IN      NS      ns2.mocha.sangchul.kr.
mocha.sangchul.kr.      60      IN      NS      ns.mocha.sangchul.kr.

;; ADDITIONAL SECTION:
ns.mocha.sangchul.kr.   60      IN      A       192.168.0.62
ns2.mocha.sangchul.kr.  60      IN      A       192.168.0.63

;; Query time: 0 msec
;; SERVER: 192.168.0.62#53(192.168.0.62)
;; WHEN: Mon Jan 16 14:31:29 KST 2023
;; MSG SIZE  rcvd: 129

- 192.168.0.63 client - 외부 zone file 아이피로 반환

root@192.168.0.63:~$ dig @192.168.0.62 mocha.sangchul.kr    

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> @192.168.0.62 mocha.sangchul.kr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59508
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8e19d8eed1f9367ccfb93c9b63c4e18f6dab5ba58f3930db (good)
;; QUESTION SECTION:
;mocha.sangchul.kr.             IN      A

;; ANSWER SECTION:
mocha.sangchul.kr.      60      IN      A       10.10.10.61

;; AUTHORITY SECTION:
mocha.sangchul.kr.      60      IN      NS      ns.mocha.sangchul.kr.
mocha.sangchul.kr.      60      IN      NS      ns2.mocha.sangchul.kr.

;; ADDITIONAL SECTION:
ns.mocha.sangchul.kr.   60      IN      A       192.168.0.62
ns2.mocha.sangchul.kr.  60      IN      A       192.168.0.63

;; Query time: 4 msec
;; SERVER: 192.168.0.62#53(192.168.0.62) (UDP)
;; WHEN: Mon Jan 16 14:33:04 KST 2023
;; MSG SIZE  rcvd: 157

 

참고URL

- bind view 설정 시 rndc 명령어 : https://scbyun.com/87

- Understanding views in BIND 9, with examples : https://kb.isc.org/docs/aa-00851

- 스플릿 브레인 DNS 배포에 DNS 정책 사용 : https://learn.microsoft.com/ko-kr/windows-server/networking/dns/deploy/split-brain-dns-deployment

 

728x90