Configuring an Authoritative DNS Server

An authoritative DNS server is the server that holds and serves the DNS resource records registered for a zone.

  • The following shows that nthu.edu.tw has 4 authoritative DNS servers (4 NS records), with 4 IPv4 addresses and 4 IPv6 addresses in total:
    # dig @140.114.64.1 nthu.edu.tw ns
    
    ; <<>> DiG 9.6-ESV-R8 <<>> @140.114.64.1 nthu.edu.tw ns
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56108
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 8
    
    ;; QUESTION SECTION:
    ;nthu.edu.tw.                   IN      NS
    
    ;; ANSWER SECTION:
    nthu.edu.tw.            127     IN      NS      dns1.nthu.edu.tw.
    nthu.edu.tw.            127     IN      NS      dns3.twaren.net.
    nthu.edu.tw.            127     IN      NS      dns2.nthu.edu.tw.
    nthu.edu.tw.            127     IN      NS      dns3.nthu.edu.tw.
    
    ;; ADDITIONAL SECTION:
    dns1.nthu.edu.tw.       69389   IN      A       140.114.64.10
    dns2.nthu.edu.tw.       14      IN      A       140.114.63.10
    dns3.nthu.edu.tw.       3113    IN      A       140.114.63.20
    dns3.twaren.net.        204     IN      A       211.79.61.47
    dns1.nthu.edu.tw.       69389   IN      AAAA    2001:288:e001:64::10
    dns2.nthu.edu.tw.       14      IN      AAAA    2001:288:e001:63::10
    dns3.nthu.edu.tw.       3113    IN      AAAA    2001:288:e001:63::20
    dns3.twaren.net.        204     IN      AAAA    2001:e10:5c00:1::47
    
    ;; Query time: 2 msec
    ;; SERVER: 140.114.64.1#53(140.114.64.1)
    ;; WHEN: Wed Aug  8 16:26:41 2018
    ;; MSG SIZE  rcvd: 291

The following example sets up named.conf on DNS server 140.114.XX.YY so that recursion is disabled. This keeps the server from becoming an open DNS resolver that malicious parties can abuse (typically as a reflector for amplification attacks).

  • Set recursion no to disable recursive queries.
  • Set allow-query-cache { none; } so that nobody can read data from the cache.
  • Set allow-query { any; } so that anyone can query the zone data the server is authoritative for.
options {
    // (other options omitted...)
    // Authoritative-only Name Server
    recursion no;
    allow-query-cache { none; };
    allow-query { any; };

};

After making the changes above and restarting named, test with dig: a query for data in a zone the server is authoritative for gets a correct answer (status: NOERROR, with the aa flag set), while a query for anything else is refused (status: REFUSED). In both cases the reply lacks the ra flag, which dig reports as "recursion requested but not available".

  • Query for data in a zone the server is authoritative for
# dig @140.114.64.10 www.nthu.edu.tw a

; <<>> DiG 9.6-ESV-R7-P2 <<>> @140.114.64.10 www.nthu.edu.tw a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57004
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.nthu.edu.tw.               IN      A

;; ANSWER SECTION:
www.nthu.edu.tw.        86400   IN      A       140.114.69.135

;; AUTHORITY SECTION:
nthu.edu.tw.            86400   IN      NS      dns1.nthu.edu.tw.
nthu.edu.tw.            86400   IN      NS      dns3.twaren.net.
nthu.edu.tw.            86400   IN      NS      dns2.nthu.edu.tw.
nthu.edu.tw.            86400   IN      NS      dns3.nthu.edu.tw.

;; ADDITIONAL SECTION:
dns1.nthu.edu.tw.       86400   IN      A       140.114.64.10
dns1.nthu.edu.tw.       86400   IN      AAAA    2001:288:e001:64::10
dns2.nthu.edu.tw.       86400   IN      A       140.114.63.10
dns2.nthu.edu.tw.       86400   IN      AAAA    2001:288:e001:63::10
dns3.nthu.edu.tw.       86400   IN      A       140.114.63.20
dns3.nthu.edu.tw.       86400   IN      AAAA    2001:288:e001:63::20

;; Query time: 1 msec
;; SERVER: 140.114.64.10#53(140.114.64.10)
;; WHEN: Tue Sep 24 10:40:09 2013
;; MSG SIZE  rcvd: 267
  • Query for data outside the server's zones
# dig @140.114.64.10 gmail.com any

; <<>> DiG 9.6-ESV-R7-P2 <<>> @140.114.64.10 gmail.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20592
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;gmail.com.                     IN      ANY

;; Query time: 1 msec
;; SERVER: 140.114.64.10#53(140.114.64.10)
;; WHEN: Tue Sep 24 10:39:58 2013
;; MSG SIZE  rcvd: 27

Master DNS server

  • Reference named.conf for a master DNS server of the nthu.edu.tw zone
options {
    // Working directory
    directory "/etc/namedb";
    // Do not allow access to cache
    allow-query-cache { none; };
    // This is the default
    allow-query { any; };
    // Do not provide recursive service
    recursion no;
    // Notify the slaves when the zone changes
    notify yes;
    // Hide the BIND version from version.bind queries
    version none;
};

// Provide a reverse mapping for the loopback
// address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type master;
    file "localhost.rev";
    notify no;
};

// master server for nthu.edu.tw
zone "nthu.edu.tw" {
    type master;
    file "nthu.edu.tw.db";
    // IP addresses of the slave servers allowed to
    // transfer nthu.edu.tw (here dns2.nthu.edu.tw)
    allow-transfer { 140.114.63.10; };
};

Slave DNS server

  • Reference named.conf for a slave DNS server of the nthu.edu.tw zone. Note that this configuration sets no allow-transfer on the slave zone; BIND's default is to allow zone transfers to any host, so the full zone can be fetched by AXFR from the slave unless allow-transfer is restricted there as well.
options {
    // Working directory
    directory "/etc/namedb";
    // Do not allow access to cache
    allow-query-cache { none; };
    // This is the default
    allow-query { any; };
    // Do not provide recursive service
    recursion no;
    // Hidden version
    version none;
};

// We are a slave server for nthu.edu.tw
zone "nthu.edu.tw" {
    type slave;
    file "nthu.edu.tw.bk";
    // IP address of the nthu.edu.tw master server (dns1.nthu.edu.tw)
    masters { 140.114.64.10; };
};
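The two dig checks earlier on this page (an in-zone query must come back NOERROR with the aa flag, an out-of-zone query REFUSED and without ra) and the allow-transfer restriction in the master and slave zone configurations can be verified from one script. The following is an added example, not code from the original page or from BIND: it builds raw DNS queries with only Python's standard library, sends them over UDP (recursion check) and TCP (AXFR check), and interprets the header flags and RCODE the same way dig's flags line does. The server address, zone and query names in main() are illustrative assumptions.

```python
"""Probe a DNS server for open recursion and open zone transfer.

Added example, not from the original page. Standard library only.
"""
import socket
import struct

QTYPE_A, QTYPE_AXFR, QTYPE_ANY = 1, 252, 255
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name, e.g. 'gmail.com' -> b'\\x05gmail\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int, rd: bool = True) -> bytes:
    """Single-question query, class IN. RD is set by default, as dig does."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into the fields dig shows on its flags line."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify_recursion(in_zone: dict, out_of_zone: dict) -> str:
    """Apply the page's acceptance criteria to two parsed response headers:
    in_zone is the reply for a name the server is authoritative for,
    out_of_zone the reply for a name it is not authoritative for."""
    if out_of_zone["ra"] or (out_of_zone["rcode"] == 0 and out_of_zone["ancount"] > 0):
        return "OPEN RESOLVER"          # recursion offered, or answered from cache
    if out_of_zone["rcode"] != 5:
        return "out-of-zone query not REFUSED: " + RCODE_NAMES.get(out_of_zone["rcode"], "?")
    if not (in_zone["qr"] and in_zone["aa"] and in_zone["rcode"] == 0):
        return "in-zone query not answered authoritatively"
    return "authoritative-only"


def classify_axfr(first_msg: dict) -> str:
    """For AXFR over TCP, a NOERROR first message carrying records means the transfer was allowed."""
    if first_msg["rcode"] == 0 and first_msg["ancount"] > 0:
        return "ZONE TRANSFER ALLOWED"
    return "zone transfer denied: " + RCODE_NAMES.get(first_msg["rcode"], "?")


def udp_query(server: str, qname: str, qtype: int, txid: int, timeout: float = 3.0) -> dict:
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype, txid), (server, 53))
        while True:                      # ignore stray datagrams with a different id
            hdr = parse_header(s.recv(4096))
            if hdr["id"] == txid:
                return hdr


def tcp_axfr(server: str, zone: str, txid: int, timeout: float = 5.0) -> dict:
    q = build_query(zone, QTYPE_AXFR, txid)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)   # TCP framing: 2-byte length prefix
        f = s.makefile("rb")
        (length,) = struct.unpack("!H", f.read(2))
        data = f.read(length)
    return parse_header(data)   # the first message already carries the verdict


if __name__ == "__main__":
    import sys
    # Assumed, illustrative inputs: the server under test, its zone,
    # a name inside the zone and a name outside it.
    server = sys.argv[1] if len(sys.argv) > 1 else "140.114.64.10"
    zone, inside, outside = "nthu.edu.tw", "www.nthu.edu.tw", "gmail.com"
    in_hdr = udp_query(server, inside, QTYPE_A, 0x1234)
    out_hdr = udp_query(server, outside, QTYPE_ANY, 0x1235)
    print("recursion check:", classify_recursion(in_hdr, out_hdr))
    print("transfer check: ", classify_axfr(tcp_axfr(server, zone, 0x1236)))
```

Run it as python3 probe_auth_dns.py SERVER (the file name is an assumption) against each master and slave in turn; the AXFR check targets the same server as the recursion check. A verdict of ZONE TRANSFER ALLOWED from a host that is not listed in allow-transfer means anyone can download the whole zone, which is the gap the slave configuration above leaves open when it sets no allow-transfer of its own.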