http://blog.fakrul.com
Tag Archives: bind

INSTALL NSD AS PRIMARY DNS SERVER & BIND AS SECONDARY NAME SERVER (PART 2)

31 Monday Oct 2016

Posted by Fakrul Alam in Education, My Work


Tags

bind, DNS, NSD

In this part we will install BIND as the secondary name server. For the primary (NSD) installation see INSTALL NSD AS PRIMARY DNS SERVER & BIND AS SECONDARY NAME SERVER (PART 1).

1. Update package library and install BIND

sudo apt-get update
sudo apt-get install bind9 bind9utils bind9-doc

2. All the configuration files live in /etc/bind/. In most cases the default options work fine; the only change needed here is the TSIG key that authenticates zone transfers from the primary.

3. First create the key file in /etc/bind. The key name, algorithm and secret must be identical to the key configured on the NSD primary in part 1, or every transfer will fail with a TSIG verification error:

sudo vi /etc/bind/ssh.com.bd-key

key ssh.com.bd-key {
algorithm hmac-md5;
secret "N1aqkdyRDOOM01NYt3Vat3v+QmonX8bsNoSdBUyKNB0=";
};

Make sure you copy the secret exactly; it is base64, so the trailing = matters. The secret shown here is only an example: generate your own rather than reusing it, and restrict the file so that only root and the bind group can read it, since anyone holding the secret can request the zone. hmac-md5 is used here because it is what the part 1 primary was set up with; both NSD and BIND also accept hmac-sha256, which is the better choice for a new deployment.

4. Include the key from /etc/bind/named.conf and add a server statement so that BIND signs every request it sends to the primary (SOA checks and transfers) with it:

sudo vi /etc/bind/named.conf

#TSIG key kompella->martini
include "/etc/bind/ssh.com.bd-key";

server 192.0.2.10 {
keys { ssh.com.bd-key; };
};

5. Add the two zones (the forward zone and the reverse zone for 203.0.113.0/24) to /etc/bind/named.conf.default-zones. On Debian and Ubuntu the conventional place for site-specific zones is /etc/bind/named.conf.local; both files are included from named.conf, so either works. type slave and masters are the spellings BIND used at the time; 9.16 and later also accept type secondary and primaries. The zone files go under /var/cache/bind because that is the directory named is allowed to write on Debian systems:

zone "ssh.com.bd" IN {
type slave;
file "/var/cache/bind/ssh.com.bd.zone";
masters { 192.0.2.10; };
};

zone "113.0.203.in-addr.arpa" IN {
type slave;
file "/var/cache/bind/203.0.113.zone";
masters { 192.0.2.10; };
};

BIND of that era answers AXFR requests from any client by default, so also restrict allow-transfer in named.conf.options on the secondary unless you want the whole zone to be downloadable by anyone.

6. Save and restart BIND (running named-checkconf first catches syntax errors before the restart fails on them):

sudo /etc/init.d/bind9 restart

7. Test the zone transfer from the secondary, signing the request with the key file (-k takes the path to the file; use sudo if it is readable only by root and the bind group):

dig @192.0.2.10 ssh.com.bd axfr -k /etc/bind/ssh.com.bd-key

If everything is in place the full zone is printed, ending with an XFR size line. A "Transfer failed" or TSIG error almost always means the key name, algorithm or secret differs between the two servers. Once the transfer works, the zone file appears under /var/cache/bind/ and the secondary answers authoritatively for ssh.com.bd.
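Beyond a one-off AXFR, the things worth re-checking after every key rotation or BIND upgrade are: the key file is not world-readable (a leaked secret lets anyone who can reach the primary pull the whole zone), named.conf still parses, a signed AXFR succeeds, and the serial the secondary publishes matches the primary's. The script below is an added example, not code from the original post; it assumes the paths and addresses used above (key file /etc/bind/ssh.com.bd-key, zone ssh.com.bd, primary 192.0.2.10, zone file under /var/cache/bind) and the dig, named-checkconf and named-checkzone tools from bind9utils.

```shell
#!/bin/sh
# Added example, not from the original post: post-install checks for the
# BIND secondary. Assumes the post's paths and addresses; adjust to suit.
set -eu

ZONE="ssh.com.bd"
PRIMARY="192.0.2.10"
KEY_FILE="/etc/bind/ssh.com.bd-key"
ZONE_FILE="/var/cache/bind/ssh.com.bd.zone"

# Serial from a SOA rdata line as printed by "dig +short ... SOA", e.g.
#   kompella.ssh.com.bd. hostmaster.ssh.com.bd. 2016103101 3600 900 604800 86400
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 7 { print $3; exit }'
}

# True when two SOA lines carry the same, non-empty serial.
serials_agree() {
    a=$(soa_serial "$1"); b=$(soa_serial "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# True when an octal mode such as 644 lets "other" read the file. The key
# file should be readable by root and the bind group only (0640).
mode_world_readable() {
    case "$1" in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

check_key_file() {
    mode=$(stat -c '%a' "$KEY_FILE")        # GNU stat
    if mode_world_readable "$mode"; then
        echo "FAIL: $KEY_FILE is mode $mode; chown root:bind and chmod 640 it" >&2
        return 1
    fi
    echo "ok: $KEY_FILE mode $mode"
}

# Syntax-check named.conf and everything it includes (the key file too).
check_config() {
    if ! named-checkconf /etc/bind/named.conf; then
        echo "FAIL: named.conf does not parse" >&2; return 1
    fi
    echo "ok: named.conf parses"
}

# Signed AXFR from the primary. dig prints ";; XFR size:" only when the
# whole zone arrived; a TSIG problem shows up as "Transfer failed".
check_axfr() {
    if dig @"$PRIMARY" "$ZONE" axfr -k "$KEY_FILE" +time=5 +tries=1 | grep -q 'XFR size'; then
        echo "ok: signed AXFR of $ZONE from $PRIMARY"
    else
        echo "FAIL: AXFR of $ZONE from $PRIMARY (key name/algorithm/secret mismatch?)" >&2
        return 1
    fi
}

# The transferred file must parse, and both servers must publish the same
# serial; a stale serial here means NOTIFY or the transfer is not working.
check_zone_and_serial() {
    if ! named-checkzone -q "$ZONE" "$ZONE_FILE"; then
        echo "FAIL: $ZONE_FILE does not parse" >&2; return 1
    fi
    p=$(dig +short @"$PRIMARY" "$ZONE" SOA)
    s=$(dig +short @127.0.0.1 "$ZONE" SOA)
    if serials_agree "$p" "$s"; then
        echo "ok: serial $(soa_serial "$p") on primary and secondary"
    else
        echo "FAIL: primary SOA '$p' vs secondary SOA '$s'" >&2
        return 1
    fi
}

main() {
    check_key_file
    check_config
    check_axfr
    check_zone_and_serial
}

# Network checks run only with an explicit "run" argument, so the file can
# also be sourced for its helper functions.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it on martini as sudo sh check-secondary.sh run; the run argument keeps the network checks from firing when the file is merely sourced for its functions.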


Install NSD as Primary DNS Server & BIND as Secondary Name Server (part 1)

31 Monday Oct 2016

Posted by Fakrul Alam in My Work


Tags

bind, DNS, NSD

NSD is an authoritative-only, memory-efficient, security-focused and simple-to-configure open source name server. Most of the time BIND is used for everything (authoritative and caching). Here I will show how to run NSD as the primary name server and BIND as the secondary, so that the zone is served by two different DNS implementations: a bug that takes down one of them is unlikely to affect the other.

Primary DNS Server: kompella.ssh.com.bd (192.0.2.10)
Secondary DNS Server: martini.ssh.com.bd (203.0.113.10)

Make sure that hostname (/etc/hostname) has been set properly for both of the servers.

A. Install NSD as primary name server

1. The nsd service expects to run as a user called nsd, but the package (at least the Ubuntu package current when this was written) does not create that account, and installation errors out without it. Create the system user on the NSD server before installing the software; if your package already creates it, useradd simply reports that the user exists:

sudo useradd -r nsd

2. Update the package index and install NSD:

sudo apt-get update
sudo apt-get install nsd

3. First make sure the TLS keys and certificates are generated that NSD uses to protect the channel between the daemon and the nsd-control utility:

sudo nsd-control-setup

4. The main configuration file for NSD is /etc/nsd/nsd.conf:

cd /etc/nsd
vi nsd.conf

You can use this sample nsd.conf file: http://pastebin.com/JyNyxZCu

5. Next the forward zone file. NSD reads standard zone-file syntax, so the file previously used with BIND works unchanged: http://pastebin.com/3xaiVkfV

6. Reverse zone file: https://pastebin.com/nFELkTZT

7. Testing the Files and Restarting the Service

Now that the master server is configured, test the configuration file and apply the changes. Check the syntax of the main configuration file with the included nsd-checkconf tool by pointing it at the file:

sudo nsd-checkconf /etc/nsd/nsd.conf

Once the check passes cleanly, restart the service:

sudo service nsd restart

8. Check the logs to see any messages:

sudo tail -f /var/log/nsd.log

[Figure: nsd_log.png, output of tail -f /var/log/nsd.log after the restart]

Next we will configure BIND as the secondary name server, using TSIG to authenticate zone transfers between the two servers. On the NSD side this means the zone carries notify and provide-xfr entries for the secondary, both naming the key, so that the primary only hands the zone to that server and only when the request is signed.
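The secondary only accepts a transfer if the key name, algorithm and secret are byte-for-byte identical on both servers. The script below is an added example, not code from the original post or from the sample nsd.conf: it generates a fresh secret and prints the matching NSD 4 key and zone stanzas for kompella and the BIND key file plus server statement for martini, using the names and addresses above. It uses hmac-sha256 rather than the hmac-md5 shown in part 2 (both NSD and BIND accept either, but the algorithm must match on both sides). The zonefile path inside the zone stanza is relative to NSD's zonesdir and is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: generate one TSIG key and print
# the matching primary (NSD 4) and secondary (BIND 9) configuration for it.
# Assumes the post's names and addresses; change the variables to suit.
set -eu

KEY_NAME="ssh.com.bd-key"
ZONE="ssh.com.bd"
PRIMARY_IP="192.0.2.10"        # kompella, NSD
SECONDARY_IP="203.0.113.10"    # martini, BIND
ALGO="hmac-sha256"             # supported by both; preferred over hmac-md5

# 32 random bytes as one base64 line (44 characters). tsig-keygen from
# bind9utils produces the same kind of secret; this avoids depending on it.
random_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Reject anything that is not base64 of a sane length: a mangled secret only
# shows up later as an opaque "tsig verify failure" on every transfer.
valid_secret() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{40,}={0,2}$'
}

# Primary side. provide-xfr limits AXFR/IXFR to the secondary's address AND
# requires the key; notify announces new serials to it, signed with the key.
nsd_stanza() {   # name algo secret zone secondary_ip
    cat <<EOF
key:
    name: "$1"
    algorithm: $2
    secret: "$3"

zone:
    name: "$4"
    zonefile: "$4.zone"
    notify: $5 $1
    provide-xfr: $5 $1
EOF
}

# Secondary side: the key file that named.conf includes, and the server
# statement that makes BIND sign every request it sends to the primary.
bind_stanza() {  # name algo secret primary_ip
    cat <<EOF
key "$1" {
    algorithm $2;
    secret "$3";
};

server $4 {
    keys { "$1"; };
};
EOF
}

main() {
    secret=$(random_secret)
    valid_secret "$secret" || { echo "could not generate a usable secret" >&2; exit 1; }
    echo "# --- add to /etc/nsd/nsd.conf on $PRIMARY_IP ---"
    nsd_stanza "$KEY_NAME" "$ALGO" "$secret" "$ZONE" "$SECONDARY_IP"
    echo
    echo "# --- $SECONDARY_IP: key block -> /etc/bind/$KEY_NAME (root:bind, 0640), server block -> named.conf ---"
    bind_stanza "$KEY_NAME" "$ALGO" "$secret" "$PRIMARY_IP"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run sh gen-tsig.sh run once, paste each half into the right server, and keep the BIND key file at mode 0640 owned by root:bind; the secret never needs to be typed by hand, which is where mismatches usually come from.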

bindgraph : Monitoring DNS Queries

28 Thursday Mar 2013

Posted by Fakrul Alam in Uncategorized


Tags

bind, bindgraph, ubuntu

1. Install bindgraph

# apt-get install bindgraph

2. Enable query logging in bind9. Add an include for a separate file that will hold the logging configuration:

# vi /etc/bind/named.conf
include "/etc/bind/named.conf.log";

Add the logging definition (channels first, then the categories that use them):

# vi /etc/bind/named.conf.log

# Configure the logging options
logging {

channel security_channel {
file "/var/log/named/security.log";
severity debug;
print-time yes;
print-category yes;
print-severity yes;
};

channel default {
file "/var/log/named/bind.log" versions 3 size 5m;
severity warning;
print-time yes;
print-category yes;
print-severity yes;
};

channel "querylog" {
file "/var/log/named/bind-queries.log";
print-time yes;
print-category yes;
};

category security { security_channel; default; };
category lame-servers { null; };
category default { default; };
category queries { querylog; };
};

This configuration defines three file channels and maps BIND's predefined categories onto them. The one bindgraph needs is queries, which goes to the querylog channel: once a channel is configured for that category, named logs every query it receives to /var/log/named/bind-queries.log (the same behaviour rndc querylog toggles at run time). The querylog channel has no severity, so it inherits the default of info, and it has no versions/size limit, so on a busy resolver rotate it with logrotate or add a size clause like the one on bind.log. security.log is at severity debug, which is verbose; drop it to info once things are working.

3. Create the log directory and hand it to the bind user (on Ubuntu the AppArmor profile for named already allows writes under /var/log/named/):

# mkdir /var/log/named
# chown bind:bind /var/log/named/

4. Restart bind9 service:

# service bind9 restart

5. Configuring bindgraph

Edit bindgraph settings to set the correct file queries log:

# vi /etc/default/bindgraph
DNS_LOG=/var/log/named/bind-queries.log

6. Edit the Apache settings so the statistics page is reachable only from the internal network. The directives below belong in the <Directory> block for the CGI directory in the default site (/usr/lib/cgi-bin on Debian and Ubuntu); change Allow from all to the internal prefix:

# vi /etc/apache2/sites-enabled/000-default

<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from 192.168.1.0/24
</Directory>

Order/Allow is Apache 2.2 syntax; on Apache 2.4 the equivalent is a single Require ip 192.168.1.0/24 line. The CGI has no authentication of its own, so do not expose it beyond that network.

7. Restart bindgraph service and apache:

# service bindgraph restart
# service apache2 restart

8. The statistics are now available at http://your-ip-address/cgi-bin/bindgraph.cgi
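bindgraph draws query rates, but the same log answers the questions that matter during an incident: which client is doing the asking and for which record types. The script below is an added example, not part of the original post or of bindgraph; it runs a few awk summaries over the query log. Its sample lines are constructed in the format the channel above produces on BIND 9.9 (date, time, category, then client addr#port and query: NAME CLASS TYPE), with one extra line in the newer 9.11-style client @0x... addr#port (name): form to show that the parser relies only on the addr#port token and the query: triple. The threshold and default log path in main are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: summarise BIND's query log.
# Sample lines are constructed; the format is BIND 9.9 with print-time and
# print-category on, plus one line in the newer "client @0x... addr#port"
# form. Only the addr#port token and "query: NAME CLASS TYPE" are used.
set -eu

write_sample_log() {   # $1 = destination file
    cat > "$1" <<'EOF'
28-Mar-2013 10:15:01.123 queries: client 192.168.1.20#53211: query: www.example.com IN A + (192.168.1.1)
28-Mar-2013 10:15:01.456 queries: client 192.168.1.20#53212: query: mail.example.com IN A + (192.168.1.1)
28-Mar-2013 10:15:02.001 queries: client 192.168.1.30#40001: query: example.com IN MX + (192.168.1.1)
28-Mar-2013 10:15:02.338 queries: client 192.168.1.20#53213: query: www.example.com IN AAAA + (192.168.1.1)
28-Mar-2013 10:15:03.010 queries: client 192.168.1.40#12345: query: www.example.org IN A + (192.168.1.1)
28-Mar-2013 10:15:03.511 queries: client 192.168.1.20#53214: query: example.com IN ANY + (192.168.1.1)
28-Mar-2013 10:15:04.200 queries: client 192.168.1.20#53215: query: ns1.example.com IN A + (192.168.1.1)
28-Mar-2013 10:15:05.777 queries: client @0x7f3a5c001230 192.168.1.30#40002 (www.example.com): query: www.example.com IN A +E(0)K (192.168.1.1)
EOF
}

# "<count> <client ip>" per client, busiest first.
client_counts() {   # $1 = log file
    awk '
        match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+#[0-9]+/) {
            ip = substr($0, RSTART, RLENGTH); sub(/#.*/, "", ip); n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

top_clients() {     # $1 = log file, $2 = number of rows
    client_counts "$1" | head -n "$2"
}

# Clients above a per-file threshold: a crude first pass at spotting a
# misconfigured resolver, a scanner, or a host doing DNS tunnelling.
noisy_clients() {   # $1 = log file, $2 = threshold
    client_counts "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# "<count> <qtype>", most common first; a pile of ANY or TXT is worth a look.
type_counts() {     # $1 = log file
    awk '
        { for (i = 1; i <= NF; i++) if ($i == "query:") { t[$(i + 3)]++; break } }
        END { for (k in t) print t[k], k }' "$1" | sort -rn
}

main() {
    log=${1:-/var/log/named/bind-queries.log}   # assumed default path
    echo "== top clients =="; top_clients "$log" 5
    echo "== clients over 100 queries =="; noisy_clients "$log" 100
    echo "== query types =="; type_counts "$log"
}

if [ "${1:-}" = "run" ]; then shift; main "$@"; fi
```

Run sh dnsq.sh run against the live log, or f=$(mktemp); write_sample_log "$f"; sh dnsq.sh run "$f" after sourcing the file to see it on the sample; in the sample, 192.168.1.20 stands out on both volume and the ANY query.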

[source: http://opentodo.net/2012/09/monitoring-dns-queries-with-bindgraph/]
