Domain Name Service (DNS)
Domain Name Service (DNS) is an Internet service that translates device names into IP addresses and vice versa. Ubuntu uses BIND (Berkeley Internet Naming Daemon), the most popular DNS server in Linux environments.
Installation
First install the BIND package:
sudo apt-get install bind9
It is also advisable to install dnsutils, a package containing utilities for administering the DNS server:
sudo apt-get install dnsutils
There are several ways to configure a DNS server on Linux.
Some of the most common configurations are:
caching nameserver,
primary master,
secondary master.
A BIND9 caching nameserver looks up answers and then stores them in its cache so it can answer the same queries again. It has no zone of its own.
A primary master DNS server holds its own DNS zone, for which it answers authoritatively.
A secondary DNS server reads the zone data file from the primary server and answers client requests with the data it has copied from the primary.
The DNS configuration files are stored in the /etc/bind directory. The first configuration file is /etc/bind/named.conf.
An example named.conf file is shown below.
student@ubuntu:/etc/bind$ cat named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
student@ubuntu:/etc/bind$
Each of the files listed above stores configuration parameters:
/etc/bind/named.conf.options
Stores DNS configuration parameters, for example the addresses of other DNS servers that are used as forwarders.
An example follows:
student@ubuntu:/etc/bind$ cat named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
student@ubuntu:/etc/bind$
/etc/bind/named.conf.default-zones
Stores the base zones the DNS server has, for example the localhost zone.
An example follows:
student@ubuntu:/etc/bind$ cat named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
student@ubuntu:/etc/bind$
As the example shows, the default zones include localhost as well as the root zone. Each zone has a type (hint, master, stub or slave, reverse) and a file that stores the data for that zone.
For example, in the case of the root zone the file is named /etc/bind/db.root.
This file stores information about the DNS root servers on the Internet. These servers are responsible for root domains such as .com, .net, etc.
Below is the content of an example db.root file:
student@ubuntu:/etc/bind$ cat db.root
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Jun 17, 2010
; related version of root zone: 2010061700
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FD::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35
; End of File
student@ubuntu:/etc/bind$
An example db.local file, which stores information about localhost:
student@ubuntu:/etc/bind$ cat db.local
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1
student@ubuntu:/etc/bind$
Explanation of the contents of the db.local file
$TTL
Default TTL (Time To Live). $TTL sets the base validity time of all records in the file, unless a value is set specifically for a record. The unit is seconds.
A common value is 86400 seconds, i.e. 24 hours. This value determines how long it takes for a change to a record to be reflected across DNS servers on the Internet.
Dynamic DNS (DDNS) usually uses a TTL of 5 minutes, i.e. 300 seconds.
SOA
SOA (Start Of Authority) indicates which server is responsible for this zone, meaning that this server is the authoritative server for the zone. There can be only one SOA record in each domain data file (db.DOMAIN).
Let us explain what the SOA contains:
the domain name, e.g. @ or ict.local.
IN = Internet
SOA = Start of Authority
the name of the SOA server (for example localhost or myserver.ict.local.)
the e-mail address of the domain administrator, for example admin.ict.local. or root.localhost., which are interpreted as admin@ict.local or root@localhost
Then, between the parentheses:
(
the serial number, which indicates the version of the data file. This number is used by the secondary DNS server to determine whether the data file has changed since the last time it synchronized.
refresh, tells the secondary server how long to wait before asking the primary server again whether the data file has changed
retry, tells the secondary server how long to wait before retrying if it could not contact the primary server
expiry, tells the secondary server after how long without communication with the primary its data becomes invalid
Negative Cache TTL, tells DNS clients that received a negative answer for a record from the DNS server how long to remember that answer before asking the SOA server again
)
Below we continue with the other DNS records:
NS = Name Server
A = A host (name -> address)
PTR = POINTER (address -> name)
CNAME = Canonical Name, or alias
/etc/bind/named.conf.local
Stores the zones for which this DNS server is responsible, for example the ict.local zone.
Caching Nameserver
The base configuration is a caching server. The only configuration required is to set the IP addresses of the ISP's servers as forwarders. This is done by editing the file /etc/bind/named.conf.options:
forwarders { 1.2.3.4; 5.6.7.8; };
After restarting the DNS server, it works as a caching server:
sudo service bind9 restart
In the example below BIND9 will be configured as a Primary Master for the domain example.com.
Forward Zone File
To add a DNS zone to BIND9, turning it into a Primary Master server, the first step is to edit /etc/bind/named.conf.local:
zone "example.com" { type master; file "/etc/bind/db.example.com"; };
For convenience, you can copy an existing zone file as a template for the database file holding our zone's records; for example, copy db.local under the name /etc/bind/db.example.com:
sudo cp /etc/bind/db.local /etc/bind/db.example.com
The file /etc/bind/db.example.com must then be edited, replacing localhost. with the full FQDN of our domain, without removing the trailing ".". Replace 127.0.0.1 with the IP address of the DNS server and root.localhost with the e-mail address of the domain administrator, using "." in place of the usual "@" e-mail symbol.
An A record is created for the base domain example.com. An A record must also be created for ns.example.com, the name of the DNS server in this example:
; BIND data file for example.com
;
$TTL 604800
@ IN SOA example.com. root.example.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
IN A 192.168.1.10
;
@ IN NS ns.example.com.
@ IN A 192.168.1.10
@ IN AAAA ::1
ns IN A 192.168.1.10
The serial number of the zone file must be incremented by one each time the file is modified, to signal its version to secondary (slave) servers that may exist now or be added in the future.
Now we can add DNS records at the end of the zone file.
It may be necessary to restart the BIND9 service to apply the changes:
sudo service bind9 restart
Reverse Zone File
It is possible, and even recommended, to also add a reverse zone that translates IP addresses to names.
Edit /etc/bind/named.conf.local, adding an entry for the reverse zone:
zone "1.168.192.in-addr.arpa" { type master; file "/etc/bind/db.192"; };
Now create the file /etc/bind/db.192:
sudo cp /etc/bind/db.127 /etc/bind/db.192
Then edit /etc/bind/db.192, changing the same options as in /etc/bind/db.example.com:
;
; BIND reverse data file for local 192.168.1.XXX net
;
$TTL 604800
@ IN SOA ns.example.com. root.example.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns.
10 IN PTR ns.example.com.
In the reverse zone too we must take care to increment the serial number each time we modify the zone file. For every A record created in the forward zone in /etc/bind/db.example.com, a PTR record must be created in the reverse zone file /etc/bind/db.192.
After modifying the reverse zone the service must also be restarted to apply the changes:
sudo service bind9 restart
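As an added example (not part of the original course material), a small Python check for the forward and reverse zone files described above: it reads the SOA serial so you can confirm it was incremented before restarting, and lists forward A-record IPs that still have no PTR in the reverse zone. The zone contents are constructed copies of the tutorial's db.example.com and db.192, with an extra www host added to show what the check reports.

```python
import re
# Constructed copies of the tutorial's db.example.com and db.192 (SOA timers on one
# line); the extra www host has no PTR yet, to show what the check reports.
FORWARD_ZONE = """$TTL 604800
@ IN SOA example.com. root.example.com. (
        2 604800 86400 2419200 604800 ) ; Serial Refresh Retry Expire NegTTL
@ IN NS ns.example.com.
@ IN A 192.168.1.10
ns IN A 192.168.1.10
www IN A 192.168.1.20
"""
REVERSE_ZONE = """$TTL 604800
@ IN SOA ns.example.com. root.example.com. (
        2 604800 86400 2419200 604800 ) ; Serial Refresh Retry Expire NegTTL
@ IN NS ns.example.com.
10 IN PTR ns.example.com.
"""

def strip_comments(text):
    """Drop ';' comments and blank lines, keeping only the record fields."""
    return [s for s in (raw.split(";", 1)[0].strip() for raw in text.splitlines()) if s]

def soa_serial(text):
    """Return the SOA serial, i.e. the first number after the SOA's opening '('."""
    m = re.search(r"\bSOA\b[^(]*\(\s*(\d+)", " ".join(strip_comments(text)))
    return int(m.group(1)) if m else None

def serial_bumped(deployed, edited):
    """True only if the edited zone's serial is strictly higher than the deployed one."""
    old, new = soa_serial(deployed), soa_serial(edited)
    return old is not None and new is not None and new > old

def a_records(text, origin):
    """Map owner FQDN -> set of IPs for the A records, expanding '@' to the origin."""
    out = {}
    for line in strip_comments(text):
        f = line.split()
        if len(f) >= 4 and f[1] == "IN" and f[2] == "A":
            owner = origin if f[0] == "@" else f"{f[0]}.{origin}"
            out.setdefault(owner, set()).add(f[3])
    return out

def missing_ptrs(forward, reverse, origin, net):
    """IPs of forward A records with no PTR in the reverse zone (net in in-addr.arpa order, e.g. '1.168.192')."""
    prefix = ".".join(reversed(net.split("."))) + "."
    ptr_ips = {prefix + line.split()[0] for line in strip_comments(reverse)
               if len(line.split()) >= 4 and line.split()[2] == "PTR"}
    a_ips = set().union(*a_records(forward, origin).values())
    return sorted(a_ips - ptr_ips)
```

Run missing_ptrs() and serial_bumped() against the deployed copy before each sudo service bind9 restart; an empty list and True mean the reverse zone and serial are consistent with the edit.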
Having configured a Primary Master, we can add a Secondary Master to guarantee availability of the service when the Primary is unavailable.
First, on the Primary Master server, zone transfers must be allowed. This is done by adding the allow-transfer option to the Forward and Reverse zones in /etc/bind/named.conf.local:
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
allow-transfer { 192.168.1.11; };
};
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192";
allow-transfer { 192.168.1.11; };
};
Put the IP address of your secondary server in place of 192.168.1.11.
Restart BIND9 on the Primary Master:
sudo service bind9 restart
Second, on the Secondary Master, install the bind9 package in the same way as on the Primary. Then edit /etc/bind/named.conf.local and add the following declarations for the Forward and Reverse zones:
zone "example.com" {
type slave;
file "db.example.com";
masters { 192.168.1.10; };
};
zone "1.168.192.in-addr.arpa" {
type slave;
file "db.192";
masters { 192.168.1.10; };
};
Replace 192.168.1.10 with the IP address of your Primary server.
Restart BIND9 on the Secondary Master:
sudo service bind9 restart
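An added example, not from the original page: a Python audit of named.conf.local zone statements that flags master zones whose allow-transfer option is missing, set to any, or lists hosts other than the known secondary, so that only the Secondary Master configured above can pull the zone. The configuration text is constructed in the tutorial's layout; the third zone, lab.example, is an assumption added to show the any case.

```python
import re
# Constructed named.conf.local in the tutorial's layout: the forward zone is restricted
# as the text describes, the reverse zone lacks allow-transfer, and an assumed third
# zone (lab.example) uses "any" to show what the audit reports.
NAMED_CONF_LOCAL = """zone "example.com" {
type master;
file "/etc/bind/db.example.com";
allow-transfer { 192.168.1.11; };
};
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192";
};
zone "lab.example" {
type master;
file "/etc/bind/db.lab";
allow-transfer { any; };
};
"""

def zone_blocks(conf):
    """Yield (name, body) per zone statement, matching braces so nested blocks stay inside."""
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def parse_zones(conf):
    """Map zone name -> {'type': str or None, 'allow-transfer': list of ACL entries or None}."""
    zones = {}
    for name, body in zone_blocks(conf):
        ztype = re.search(r"\btype\s+(\w+)\s*;", body)
        xfer = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
        acl = [t.strip() for t in xfer.group(1).split(";") if t.strip()] if xfer else None
        zones[name] = {"type": ztype.group(1) if ztype else None, "allow-transfer": acl}
    return zones

def transfer_findings(conf, secondaries):
    """Master zones whose zone-transfer (AXFR) access is not limited to the known secondaries."""
    findings = {}
    for name, z in parse_zones(conf).items():
        acl = z["allow-transfer"]
        if z["type"] != "master":
            continue
        if acl is None:
            findings[name] = "no allow-transfer option; BIND's default ACL applies"
        elif "any" in acl or set(acl) - set(secondaries):
            findings[name] = "allow-transfer permits hosts beyond the known secondaries: " + " ".join(acl)
    return findings
```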
How your server resolves names is determined by the file /etc/nsswitch.conf.
The default behaviour is that the contents of /etc/hosts take priority, and then DNS is tried.
Below is an example of the /etc/nsswitch.conf file:
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
This configuration specifies that the resolution mechanisms are used in the order in which they are listed:
files: tries to resolve names using /etc/hosts
mdns4_minimal: tries to resolve names using multicast DNS
[NOTFOUND=return] means that any notfound answer is to be treated as authoritative and the resolver should not keep looking for an answer
dns represents a unicast DNS query
mdns4 represents a multicast DNS query
A minimal configuration is recommended for the purposes of the examples in this course. The default configuration can cause an anomaly in the test environment, which shows up as the following symptom:
- it is possible to resolve names with nslookup, but it is not possible to ping host names
hosts: files dns