Authoritative DNS 伺服器的設定

Authoritative DNS server 為提供註冊 DNS 資源記錄所在的伺服器。

• 以下顯示 nthu.edu.tw 的 Authoritative DNS server 有 4 筆 (共有 4 個 IPv4 地址與 4 個 IPv6 地 址 )

  # dig @140.114.64.1 nthu.edu.tw ns
  
  ; <<>> DiG 9.6-ESV-R8 <<>> @140.114.64.1 nthu.edu.tw ns
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56108
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 8
  
  ;; QUESTION SECTION:
  ;nthu.edu.tw.                   IN      NS
  
  ;; ANSWER SECTION:
  nthu.edu.tw.            127     IN      NS      dns1.nthu.edu.tw.
  nthu.edu.tw.            127     IN      NS      dns3.twaren.net.
  nthu.edu.tw.            127     IN      NS      dns2.nthu.edu.tw.
  nthu.edu.tw.            127     IN      NS      dns3.nthu.edu.tw.
  
  ;; ADDITIONAL SECTION:
  dns1.nthu.edu.tw.       69389   IN      A       140.114.64.10
  dns2.nthu.edu.tw.       14      IN      A       140.114.63.10
  dns3.nthu.edu.tw.       3113    IN      A       140.114.63.20
  dns3.twaren.net.        204     IN      A       211.79.61.47
  dns1.nthu.edu.tw.       69389   IN      AAAA    2001:288:e001:64::10
  dns2.nthu.edu.tw.       14      IN      AAAA    2001:288:e001:63::10
  dns3.nthu.edu.tw.       3113    IN      AAAA    2001:288:e001:63::20
  dns3.twaren.net.        204     IN      AAAA    2001:e10:5c00:1::47
  
  ;; Query time: 2 msec
  ;; SERVER: 140.114.64.1#53(140.114.64.1)
  ;; WHEN: Wed Aug  8 16:26:41 2018
  ;; MSG SIZE  rcvd: 291

以下例子為設定 DNS 伺服器 140.114.XX.YY 的 named.conf 設定檔，取消使用遞迴查詢權限，以免造成 open DNS resolver 問題，讓有心人士利用。

• 設定參數 recursion no ，取消使用遞迴查詢權限。
• 設定參數 allow-query-cache { none; } ，不允許讀取 cache 暫存資料。
• 設定參數 allow-query { any; }，允許任何人查詢註冊資料

options {
   //(其他參數略...)
   // Authoritative-only Name Server
   recursion no;
   allow-query-cache { none; };
   allow-query { any; };

};

修改完上述設定並重新啟動 named 後，再以指令測試，若查詢為所轄註冊資料，則可獲得正確回應資料(status: NOERROR)；若非所轄註冊資料，則拒絕回應(status: REFUSED)。

• 查詢為所轄註冊資料

# dig @140.114.64.10 www.nthu.edu.tw a

; <<>> DiG 9.6-ESV-R7-P2 <<>> @140.114.64.10 www.nthu.edu.tw a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57004
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.nthu.edu.tw.               IN      A

;; ANSWER SECTION:
www.nthu.edu.tw.        86400   IN      A       140.114.69.135

;; AUTHORITY SECTION:
nthu.edu.tw.            86400   IN      NS      dns1.nthu.edu.tw.
nthu.edu.tw.            86400   IN      NS      dns3.twaren.net.
nthu.edu.tw.            86400   IN      NS      dns2.nthu.edu.tw.
nthu.edu.tw.            86400   IN      NS      dns3.nthu.edu.tw.

;; ADDITIONAL SECTION:
dns1.nthu.edu.tw.       86400   IN      A       140.114.64.10
dns1.nthu.edu.tw.       86400   IN      AAAA    2001:288:e001:64::10
dns2.nthu.edu.tw.       86400   IN      A       140.114.63.10
dns2.nthu.edu.tw.       86400   IN      AAAA    2001:288:e001:63::10
dns3.nthu.edu.tw.       86400   IN      A       140.114.63.20
dns3.nthu.edu.tw.       86400   IN      AAAA    2001:288:e001:63::20

;; Query time: 1 msec
;; SERVER: 140.114.64.10#53(140.114.64.10)
;; WHEN: Tue Sep 24 10:40:09 2013
;; MSG SIZE  rcvd: 267

• 查詢為非所轄註冊資料

# dig @140.114.64.10 gmail.com any

; <<>> DiG 9.6-ESV-R7-P2 <<>> @140.114.64.10 gmail.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20592
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;gmail.com.                     IN      ANY

;; Query time: 1 msec
;; SERVER: 140.114.64.10#53(140.114.64.10)
;; WHEN: Tue Sep 24 10:39:58 2013
;; MSG SIZE  rcvd: 27

• 做為網域 nthu.edu.tw 的 master DNS 伺服器 named.conf 參考設定

options {
    // Working directory
    directory "/etc/namedb";
    // Do not allow access to cache
    allow-query-cache { none; };
    // This is the default
    allow-query { any; };
    // Do not provide recursive service
    recursion no;
    // Notify slave
    notify yes;
    // Hidden version
    version none;
};

// Provide a reverse mapping for the loopback
// address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type master;
    file "localhost.rev";
    notify no;
};

// master server for nthu.edu.tw
zone "nthu.edu.tw" {
    type master;
    file "example.com.db";
    // IP addresses of slave servers allowed to
    // transfer example.com
    allow-transfer { 140.114.63.10; };  
};

• 做為網域 nthu.edu.tw 的 slave DNS 伺服器 named.conf 參考設定

options {
    // Working directory
    directory "/etc/namedb";
    // Do not allow access to cache
    allow-query-cache { none; };
    // This is the default
    allow-query { any; };
    // Do not provide recursive service
    recursion no;
    // Hidden version
    version none;
};

// We are a slave server for nthu.edu.tw
zone "nthu.edu.tw" {
    type slave;
    file "nthu.edu.tw.bk";
    // IP address of eng.example.com master server
    masters { 140.114.64.10; };
};

BIND documentation