

DNS:



THE PROJECT

To document an internal DNS deployment.


RECORDS

See an extract of the forward lookup zone file below.

# more /var/named/db.cpships.com
; Forward lookup zone for cpships.com; the SOA MNAME names d1pr0003 as the primary.
@                       IN      SOA    d1pr0003.cpships.com.    root.cpships.com.       (
                        20060616001     ; Serial Format YYYYMMDDXXX
                        ; NOTE(review): an SOA serial is a 32-bit unsigned value (max 4294967295).
                        ; An eleven-digit YYYYMMDDXXX serial is out of range, so this zone is not
                        ; expected to load as written; the reverse zone below uses the ten-digit
                        ; YYYYMMDDXX form, which fits -- confirm on the server which form is in use.
                        3h      ; Refresh
                        1h      ; Retry
                        1w      ; Expire
                        1h )    ; Negative caching TTL

; Blank owner name: these NS records inherit the previous owner, "@" (the zone apex).
                        IN      NS      d1pr0003.cpships.com.
                        IN      NS      c1pr0001.cpships.com.

; Host records. Names with a -ce0/-hme0/-ge0 suffix are presumably per-interface
; addresses of the base host (Solaris NIC naming) -- verify against the hosts.
; Unqualified names (no trailing dot) are relative to the zone origin.
localhost               IN      A       127.0.0.1
c1pr0001                IN      A       10.140.129.10
c1pr0001-ce0            IN      A       10.140.129.12
c1pr0001-ce1            IN      A       10.140.129.13
d1de0100                IN      A       10.140.131.25
d1de0100-hme0           IN      A       10.140.131.26
d1de0100-hme1           IN      A       10.140.131.27
; Alias: pvcs resolves via the canonical name d1de0100 (relative to the origin).
pvcs                    IN      CNAME   d1de0100
d1pr0002                IN      A       10.140.128.58
d1pr0002-ge0            IN      A       10.140.128.59
d1pr0002-ge1            IN      A       10.140.128.60
d1pr0003                IN      A       10.140.128.61
d1pr0003-ge0            IN      A       10.140.128.62
d1pr0003-ge1            IN      A       10.140.128.63

See an extract of the reverse pointer record zone file.

# more /var/named/db.10.140.128
; Reverse lookup zone for 10.140.128.0/24 (declared as 128.140.10.in-addr.arpa in named.conf).
@                       IN      SOA    d1pr0003.cpships.com.    root.cpships.com.       (
                        2006031701      ; Serial Format YYYYMMDDXX
                        3h      ; Refresh
                        1h      ; Retry
                        1w      ; Expire
                        1h )    ; Negative caching TTL

; Blank owner name: these NS records inherit "@" (the zone apex).
                        IN      NS      d1pr0003.cpships.com.
                        IN      NS      c1pr0001.cpships.com.

; Owner is the last octet of an address in 10.140.128.0/24.
; NOTE(review): PTRs 10/12/13 (c1pr0001) and 25/26/27 (d1de0100) disagree with the
; forward zone above, which places those hosts in 10.140.129.x and 10.140.131.x; only
; 58-60 (d1pr0002) agree. Check whether these lines belong in db.10.140.129 (and a
; 10.140.131 reverse zone, which named.conf does not declare). d1pr0003's addresses
; (10.140.128.61-63) have no PTR in this extract -- possibly just cut from the extract.
10                      IN      PTR     c1pr0001.cpships.com.
12                      IN      PTR     c1pr0001.cpships.com.
13                      IN      PTR     c1pr0001.cpships.com.
25                      IN      PTR     d1de0100.cpships.com.
26                      IN      PTR     d1de0100.cpships.com.
27                      IN      PTR     d1de0100.cpships.com.
58                      IN      PTR     d1pr0002.cpships.com.
59                      IN      PTR     d1pr0002.cpships.com.
60                      IN      PTR     d1pr0002.cpships.com.

See an extract of the /usr/local/etc/named.conf configuration file.

/*
 * A simple BIND configuration file for cpships.com
 * This server is the primary for cpships.com
 *
 * !!! IF YOU ADD A ZONE, MAKE SURE TO ADD TO NAMED.CONF ON ALL SLAVE SERVERS !!!
 *
 */

options {
        // Working directory; the relative "file" paths in the zone statements resolve here.
        directory "/var/named";
        // NOTE(review): only the directory is set in this extract -- no allow-query,
        // allow-recursion or allow-transfer. Unless these are set elsewhere, the server
        // runs on BIND's permissive defaults (answers and transfers to any client that
        // can reach it). The SECURITY section below shows the restricting forms.
};


logging {
        // Both categories are sent to the null channel, i.e. their messages are discarded.
        // This quiets lame-delegation and CNAME-related noise; note that it also hides
        // those messages from anyone investigating resolution problems.
        category lame-servers { null; };
        category cname { null; };
};

/* master forward lookup zones */

zone "." in {
        type hint;
        file "db.cache";
};

zone "cpships.com" in  {
        type master;
        file "db.cpships.com";
};

zone "trident.cpships.com" in {
        type master;
        file "db.trident.cpships.com";
};


/* reverse lookup zones */

zone "0.0.127.in-addr.arpa" in  {
        type master;
        file "db.127.0.0";
};

zone "128.140.10.in-addr.arpa" in  {
        type master;
        file "db.10.140.128";
};

zone "129.140.10.in-addr.arpa" in  {
        type master;
        file "db.10.140.129";
};


/* secondary zones */

zone "canmar.com" in {
        type slave;
        masters { 10.152.38.133;};
        file "db.canmar.com";
};

zone "contship.com" in {
        type slave;
        masters { 10.152.38.133;};
        file "db.contship.com";
};

zone "ad.cpships.corp" in {
        type slave;
        masters { 10.152.38.133;};
        file "db.ad.cpships.corp";
};

See an extract of the root hints file, showing the "A" root server record and its glue.

; Root NS record: owner "." is the root domain, TTL 360000 seconds, pointing at A.ROOT-SERVERS.NET.
.	360000	IN	NS	A.ROOT-SERVERS.NET.	;first . is root domain
; Glue: the A record supplies the address of the name server named in the NS record above
; (class is omitted here and inherited from the previous record).
A.ROOT-SERVERS.NET.	360000	A	198.41.0.4	;ip of name server - termed glue record


SECURITY

Restricting all queries, server-wide, to specific networks.

options {
	// Server-wide: only clients matching these prefixes get answers.
	// NOTE(review): 128.50.1.3/24 has host bits set; BIND reports an address/prefix
	// length mismatch for such entries. The intended network form is 128.50.1.0/24.
	allow-query { 128.50.1.3/24; 130.50.2.0/24; };
};

Restricting queries for one zone only.

zone "central.sun.com" {
	type slave;
	file "db.central";
	masters { 128.50.1.1; };
	allow-query { "zoo.edu"; };
};

Authorizing zone transfers to a specific host.

zone "central.sun.com" {
	type master;
	file "db.central";
	allow-transfer { 128.50.1.2; }; 
};

Blocking all zone transfer requests.

zone "central.sun.com" {
	type master;
	file "db.central";
	allow-transfer { none; };
};

Authorizing zone transfers server-wide for requests from a specific subnet.

options {
	// Server-wide default: transfers are allowed only to clients in 128.50.1.0/24.
	// A per-zone allow-transfer (as in the zone examples above) overrides this.
	allow-transfer { 128.50.1.0/24; };
};


COMMANDS

See Solaris Commands for DNS examples.