Ubuntu-Server
Bind9 Config Explantion

1. DNS Hierarchy

This goes deeper into the config we went through on the Server Monitoring tutorial

DNS operates as a hierarchical, distributed database system. It resolves domain names into IP addresses and allows users to find resources (web servers, mail servers, etc.) based on human-readable names.

  • Root Level: The top of the DNS hierarchy, represented by a dot (.). Root nameservers hold information about the authoritative nameservers for each TLD (e.g., .com, .net).
  • TLD Level: Top-level domains such as .com, .net, and country codes like .uk. TLD nameservers provide pointers to authoritative nameservers for domain names like example.com.
  • Authoritative Nameservers: These provide answers to queries regarding specific domains (e.g., example.com). In your case, DigitalOcean is the authoritative nameserver.

2. BIND Zone File Deep Dive

A zone file is a text file that contains mappings between domain names and IP addresses, as well as other resources for a domain.

Here's a more in-depth look at a zone file structure, with deeper commentary on each part.

TTL (Time To Live)

$TTL 3600
  • $TTL sets the default Time To Live (TTL) for all records in this zone file.
  • TTL is the duration (in seconds) that a resolver will cache the DNS response before querying the authoritative nameserver again. A 3600-second TTL means the DNS record will be cached for 1 hour before being revalidated.

SOA (Start of Authority) Record

@   IN  SOA     ns1.digitalocean.com. admin.example.com. (
                2024092001  ; Serial
                7200        ; Refresh
                1800        ; Retry
                1209600     ; Expire
                3600 )      ; Minimum TTL

The SOA record provides crucial information about the zone, acting as the entry point for all DNS queries about this domain.

  • Primary Nameserver: ns1.digitalocean.com. is your primary authoritative nameserver.
    • It handles DNS queries and updates. If you set up BIND on your DigitalOcean server, this would point to your DigitalOcean-hosted server.
  • Admin Email: admin.example.com. is your administrative contact (replace @ with a . for DNS compatibility).
    • If there’s a problem with the zone, this is where notifications will be sent.
SOA Timers:

  1. Serial Number (2024092001):

    • The serial number uniquely identifies the zone file version. You increment this number whenever you update the zone file. Best practice: use the YYYYMMDDXX format, where XX is the revision number for that day.
    • Example: 2024092001 means this file was created or updated on September 20, 2024, and this is the first revision of the day.

  2. Refresh (7200 seconds):

    • The time secondary (slave) nameservers wait before checking the primary (master) server for zone file updates.
    • 7200 seconds (2 hours) means secondary servers will check for changes every 2 hours.

  3. Retry (1800 seconds):

    • If the secondary server fails to contact the primary server, it will retry after this interval.
    • 1800 seconds (30 minutes) means if the secondary nameserver can’t reach the primary, it will try again in 30 minutes.

  4. Expire (1209600 seconds):

    • If the secondary nameserver can’t reach the primary server for this duration, it will stop serving the zone entirely.
    • 1209600 seconds (14 days) means after 14 days of no contact with the primary, the secondary will stop responding to queries about the zone.

  5. Minimum TTL (3600 seconds):

    • This defines the minimum TTL for negative caching (i.e., how long a DNS resolver should cache the result of a failed lookup, such as a nonexistent domain).
    • 3600 seconds (1 hour) means the resolver will remember the failure for 1 hour.

NS (Nameserver) Records

    IN  NS      ns1.digitalocean.com.
    IN  NS      ns2.digitalocean.com.
    IN  NS      ns3.digitalocean.com.
  • NS Records specify the authoritative nameservers for this domain. They point to DigitalOcean’s nameservers, which are responsible for responding to DNS queries for your domain.
  • In this case, you are using DigitalOcean’s nameservers (ns1, ns2, ns3) to manage your DNS records.

A (Address) Records

@   IN  A       192.0.2.1
www IN  A       192.0.2.1

  • A Records map domain names to IPv4 addresses. The @ symbol is shorthand for the root domain (example.com), so this line translates to:

    • example.com points to the server with the IP address 192.0.2.1.
    • www.example.com also points to the server with the IP address 192.0.2.1.
Why Multiple A Records?
  • If example.com and www.example.com serve the same content, it’s common to have both point to the same IP address.
  • You could also have different A records for different subdomains (e.g., mail.example.com or ftp.example.com).

MX (Mail Exchange) Records

@   IN  MX  10  mail.example.com.
  • MX Records define the mail servers responsible for handling email for the domain.
  • @ means this applies to the root domain (example.com), and mail.example.com. is the mail server responsible for receiving emails.
MX Priority:
  • The 10 is the priority. Lower numbers indicate higher priority. If you had multiple MX records, the one with the lowest number would be tried first.
  • Example:
    • @ IN MX 10 mail1.example.com.
    • @ IN MX 20 mail2.example.com. In this case, mail1.example.com is the primary mail server, and mail2.example.com is a backup.

CNAME (Canonical Name) Records

ftp     IN  CNAME   @
  • CNAME Records create aliases, pointing one domain to another.
  • In this case, ftp.example.com is an alias of example.com (since @ refers to the root domain).
Why Use CNAME?
  • CNAME records are useful when you want multiple domain names (like ftp.example.com, blog.example.com) to point to the same IP address or host, without repeating the same A record.
  • Important note: you cannot have an A record and a CNAME record for the same domain. CNAME effectively "replaces" the domain with the alias.

PTR (Pointer) Records (Optional)

A PTR record is the reverse of an A record, mapping an IP address back to a domain name. It’s used for reverse DNS lookups, typically for email servers to verify sending domains.

PTR records are set in the reverse DNS zone, often managed by your hosting provider (e.g., DigitalOcean).

1.2.0.192.in-addr.arpa. IN PTR example.com.

This example tells DNS resolvers that the IP address 192.0.2.1 resolves back to example.com.

SPF, DKIM, and DMARC Records (Optional)

For email authentication, you might also add SPF, DKIM, and DMARC records to your DNS zone file. Here’s an example:

  • SPF Record (prevents email spoofing):

    @   IN  TXT "v=spf1 ip4:192.0.2.1 -all"

    This record tells mail servers that only the IP 192.0.2.1 is authorized to send emails on behalf of example.com.

  • DKIM Record (signs outgoing emails with a cryptographic signature):

    default._domainkey IN  TXT "v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY"

  • DMARC Record (policy for how mail servers should handle unauthenticated emails):

    _dmarc  IN  TXT "v=DMARC1; p=none; rua=mailto:admin@example.com"

4. Zone Transfers

If you have secondary nameservers, BIND uses zone transfers (AXFR/IXFR) to sync zone data between primary and secondary servers.

  • AXFR (Full zone transfer): Transfers the entire zone file.
  • IXFR (Incremental zone transfer): Transfers only the changes (more efficient).

In named.conf, you can control who is allowed to perform zone transfers:

allow-transfer { IP_of_secondary; };

5. Securing DNS with DNSSEC

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS

DNSSEC (DNS Security Extensions) ensures that the responses to DNS queries are authentic and haven’t been tampered with. It provides integrity and origin authentication by signing DNS records with cryptographic keys. DNSSEC does not encrypt DNS data, but it adds a layer of trust.

How DNSSEC Works:

  1. Key Signing Key (KSK): The KSK is used to sign the Zone Signing Key (ZSK). This key is part of the DNSSEC chain of trust that starts at the root zone.

  2. Zone Signing Key (ZSK): The ZSK signs the zone data (e.g., A, MX, CNAME records). This signature proves the authenticity of the zone’s data.

  3. DNSSEC Records:

    • RRSIG (Resource Record Signature): Stores the digital signature of DNS records.
    • DNSKEY: Publishes the public key that is used to verify signatures in the zone file.
    • DS (Delegation Signer): A pointer to the DNSKEY record for child zones, used to link zones together in the chain of trust.
    • NSEC/NSEC3: Provides proof of non-existence of a DNS record. It’s essential for protecting against zone enumeration attacks and proving that a name doesn’t exist.

Enabling DNSSEC in BIND:

  1. Generate Keys: You can use dnssec-keygen to generate ZSK and KSK keys.

    dnssec-keygen -a RSASHA256 -b 2048 -f KSK example.com
dnssec-keygen -a RSASHA256 -b 2048 example.com

  2. Sign the Zone: After the keys are generated, you sign the zone with the dnssec-signzone utility.

    dnssec-signzone -o example.com -k Kexample.com.+005+12345.key example.com.zone

    This command creates a signed version of your zone file, typically named something like example.com.zone.signed.

  3. Publish the DNSKEY Records: Add the DNSKEY records to your zone file so that other resolvers can verify your signatures.

  4. Add the DS Record to the Parent Zone: You need to add the DS (Delegation Signer) record to the parent zone (e.g., .com in the case of example.com). This step ensures that your zone is part of the DNSSEC chain of trust.

Once DNSSEC is set up, recursive resolvers that support DNSSEC will validate your signatures, ensuring that the responses they get are legitimate.

DNSSEC Example Zone File:

$TTL 3600
@   IN  SOA     ns1.digitalocean.com. admin.example.com. (
                2024092001  ; Serial
                7200        ; Refresh
                1800        ; Retry
                1209600     ; Expire
                3600 )      ; Minimum TTL
 
; Nameservers
    IN  NS      ns1.digitalocean.com.
    IN  NS      ns2.digitalocean.com.
    IN  NS      ns3.digitalocean.com.
 
; DNSSEC Records
    IN  DNSKEY  257 3 8 AwEAAcA== ; Your DNSKEY for DNSSEC verification
    IN  RRSIG   A 8 3 3600 2024092001 2024072001 ns1.digitalocean.com. ...
    
; A Records
@   IN  A       192.0.2.1
www IN  A       192.0.2.1
 
; MX Records
@   IN  MX  10  mail.example.com.
 
; CNAME Records
ftp     IN  CNAME   @

6. Advanced Zone File Concepts

Multiple A Records (Round-Robin DNS)

You can create multiple A records for load balancing purposes using Round-Robin DNS:

@   IN  A       192.0.2.1
@   IN  A       192.0.2.2
@   IN  A       192.0.2.3

In this example, DNS queries for example.com will be distributed across three different IP addresses. This is a simple form of load balancing that can help distribute traffic, although it doesn’t account for server health or location.

Wildcard Records

Wildcard DNS records allow you to match non-specific subdomains:

*.example.com.  IN  A   192.0.2.1

Any subdomain under example.com that doesn’t have a specific record (like foo.example.com, bar.example.com) will resolve to 192.0.2.1.

Subdomains and Delegation

To delegate a subdomain (e.g., sub.example.com) to another nameserver, you need to configure NS records for that subdomain:

sub.example.com.  IN  NS  ns1.subdomain-server.com.
sub.example.com.  IN  NS  ns2.subdomain-server.com.

In this case, ns1.subdomain-server.com and ns2.subdomain-server.com are responsible for answering queries about sub.example.com.

7. Zone Transfers in Depth

AXFR (Full Zone Transfer)

A full zone transfer replicates the entire zone file to a secondary nameserver. Here’s how you configure it in named.conf:

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    allow-transfer { 192.0.2.2; };  # Secondary server IP
    also-notify { 192.0.2.2; };     # Notify secondary of changes
};
  • allow-transfer: Only allows the specified IP (in this case, the secondary nameserver at 192.0.2.2) to perform zone transfers.
  • also-notify: Automatically notifies the secondary nameserver when changes occur in the zone.

IXFR (Incremental Zone Transfer)

An incremental zone transfer only replicates changes (deltas) in the zone file. This is more efficient than AXFR, especially for large zone files or frequent updates.

BIND supports IXFR natively if both the primary and secondary servers support it. You can configure the secondary to request IXFR like this:

zone "example.com" {
    type slave;
    file "/etc/bind/zones/db.example.com";
    masters { 192.0.2.1; };  # Primary server IP
    transfer-source 192.0.2.2;  # Secondary IP for outgoing transfers
};

8. Querying DNS Information

As a DNS expert, you likely rely on tools to query DNS and validate your configurations. Here are some powerful tools:

dig

dig is the most commonly used command-line tool for querying DNS information.

  • Query a specific record:

    dig A example.com

    This will return the A record for example.com.

  • Query the nameservers:

    dig NS example.com

    This will show which nameservers are authoritative for example.com.

  • Query DNSSEC records:

    dig +dnssec example.com

    This will include DNSSEC records (RRSIG, DNSKEY) in the query response.

  • Check zone transfers (AXFR):

    dig @ns1.digitalocean.com example.com AXFR

    If zone transfers are allowed, this will return the entire zone file.

dnstap

dnstap is a specialized tool for DNS server monitoring and troubleshooting. It provides real-time, high-fidelity logging of DNS transactions. It’s more advanced than traditional query logging, capturing each individual DNS query and response.

9. Split-Horizon DNS

Split-Horizon DNS is used when different DNS records are returned based on the source of the query (i.e., internal vs. external queries).

You configure BIND to have different views for internal and external queries:

view "internal" {
    match-clients { 192.168.1.0/24; };
    zone "example.com" {
        type master;
        file "/etc/bind/zones/internal/db.example.com";
    };
};
 
view "external" {
    match-clients { any; };
    zone "example.com" {
        type master;
        file "/etc/bind/zones/external/db.example.com";
    };
};

In this example, queries from the internal network (192.168.1.0/24) will get records from the internal view, while all other queries will get records from the external view.

Introducing Cisco Dna Center AssuranceChecklist