Dynamic Update is a method for adding, replacing or deleting records in a master server by sending
Edit /etc/named.conf file in forward zone allow-udpate { any; }; for dynamic DNS
[root@master ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 127.0.0.1; 192.168.10.2; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; };
allow-transfer { localhost; 192.168.10.20; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no;
// dnssec-enable yes;
// dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
// managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "zmailtech.com" IN {
type master;
file "zmailtech.com.zone";
allow-update { any; };
};
zone "10.168.192.in-addr.arpa" IN {
type master;
file "10.168.192.zone";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@master ~]#
now add A record with nsupdate command.
[root@master ~]# nsupdate -v
> server 192.168.10.2
> zone zmailtech.com
> update add server12.zmailtech.com. 3600 IN A 192.168.10.12
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;zmailtech.com. IN SOA
;; UPDATE SECTION:
server12.zmailtech.com. 3600 IN A 192.168.10.12
> send
> quit
[root@master ~]#
check server12.zmailtech.com A record with dig command.
[root@master ~]# dig server12.zmailtech.com
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> server12.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20726
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server12.zmailtech.com. IN A
;; ANSWER SECTION:
server12.zmailtech.com. 3600 IN A 192.168.10.12
;; AUTHORITY SECTION:
zmailtech.com. 86400 IN NS ns1.zmailtech.com.
;; ADDITIONAL SECTION:
ns1.zmailtech.com. 86400 IN A 192.168.10.2
;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Sun Feb 18 12:39:59 IST 2018
;; MSG SIZE rcvd: 101
[root@master named]#
now Delete A record with nsupdate command.
[root@master ~]# nsupdate -v
> server 192.168.10.2
> zone zmailtech.com
> update delete server14.zmailtech.com
> send
> quit
[root@master ~]#
now check server14.zmailtech.com with dig command.
[root@master ~]# dig server14.zmailtech.com
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> server14.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1243
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server14.zmailtech.com. IN A
;; AUTHORITY SECTION:
zmailtech.com. 10800 IN SOA ns1.zmailtech.com. admin.zmailtech.com. 2018021005 86400 3600 604800 10800
;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Sun Feb 18 13:15:16 IST 2018
;; MSG SIZE rcvd: 97
[root@master ~]#
it a special form of DNS messages.The format and meaning of these messages is specified in RFC 2136.
Dynamic update is enabled by including an allow-update or an update-policy clause in the zone statement.
If the zone's update-policy is set to local, updates to the zone will be permitted for the key local-ddns,
which will be generated by named at startup.
Dynamic updates using Kerberos signed requests can be made using the TKEY/GSS protocol by
setting either the tkey-gssapi-keytab option, or alternatively by setting both the tkey-gssapi-credential
and tkey-domain options. Once enabled, Kerberos signed requests will be matched against the update
policies for the zone, using the Kerberos principal as the signer for the request.
Updating of secure zones (zones using DNSSEC) follows RFC 3007: RRSIG, NSEC and NSEC3 records
affected by updates are automatically regenerated by the server using an online zone key. Update
authorization is based on transaction signatures and an explicit server policy.
zone "example.com" IN {
type master;
file "zmailtech.com.zone";allow-update { any; };
};
It is not good configuration, it should be allowed from one or two authorized computer only.
(Later you will know how to encrypt and protect it with TSIG).
Some thing like allow-update { 192.168.10.xx; };
[root@master ~]# vim /etc/named.conf[root@master ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 127.0.0.1; 192.168.10.2; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; };
allow-transfer { localhost; 192.168.10.20; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no;
// dnssec-enable yes;
// dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
// managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "zmailtech.com" IN {
type master;
file "zmailtech.com.zone";
allow-update { any; };
};
zone "10.168.192.in-addr.arpa" IN {
type master;
file "10.168.192.zone";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@master ~]#
now add A record with nsupdate command.
[root@master ~]# nsupdate -v
> server 192.168.10.2
> zone zmailtech.com
> update add server12.zmailtech.com. 3600 IN A 192.168.10.12
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;zmailtech.com. IN SOA
;; UPDATE SECTION:
server12.zmailtech.com. 3600 IN A 192.168.10.12
> send
> quit
[root@master ~]#
check server12.zmailtech.com A record with dig command.
[root@master ~]# dig server12.zmailtech.com
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> server12.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20726
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server12.zmailtech.com. IN A
;; ANSWER SECTION:
server12.zmailtech.com. 3600 IN A 192.168.10.12
;; AUTHORITY SECTION:
zmailtech.com. 86400 IN NS ns1.zmailtech.com.
;; ADDITIONAL SECTION:
ns1.zmailtech.com. 86400 IN A 192.168.10.2
;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Sun Feb 18 12:39:59 IST 2018
;; MSG SIZE rcvd: 101
[root@master named]#
now Delete A record with nsupdate command.
[root@master ~]# nsupdate -v
> server 192.168.10.2
> zone zmailtech.com
> update delete server14.zmailtech.com
> send
> quit
[root@master ~]#
now check server14.zmailtech.com with dig command.
[root@master ~]# dig server14.zmailtech.com
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> server14.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1243
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server14.zmailtech.com. IN A
;; AUTHORITY SECTION:
zmailtech.com. 10800 IN SOA ns1.zmailtech.com. admin.zmailtech.com. 2018021005 86400 3600 604800 10800
;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Sun Feb 18 13:15:16 IST 2018
;; MSG SIZE rcvd: 97
[root@master ~]#
No comments:
Post a Comment