dns

Domain Name Servers (DNS) are the Internet's equivalent of a phone book. They maintain a directory of domain names and translate them to Internet Protocol (IP) addresses. This is necessary because, although domain names are easy for people to remember, computers and other machines reach websites by IP address.

———————————————————————————————-
[root@server-rhel6 ~]# ip a | grep inet
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
inet 172.16.28.168/24 brd 172.16.28.255 scope global eth0
inet6 fe80::20c:29ff:feb5:974a/64 scope link
———————————————————————————————-
[root@server-rhel6 ~]# yum install bind*
———————————————————————————————-
[root@server-rhel6 ~]# service named status
rndc: neither /etc/rndc.conf nor /etc/rndc.key was found
named is stopped
———————————————————————————————-
[root@server-rhel6 ~]# netstat -tlpn | grep 53
———————————————————————————————-
[root@server-rhel6 ~]# service named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]
———————————————————————————————-
[root@server-rhel6 ~]# netstat -tlpn | grep 53
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      2921/named
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN      2921/named
tcp        0      0 ::1:53                      :::*                        LISTEN      2921/named
tcp        0      0 ::1:953                     :::*                        LISTEN      2921/named

———————————————————————————————-
[root@server-rhel6 ~]# service named status
version: 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7
CPUs found: 1
worker threads: 1
number of zones: 19
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
named (pid  2921) is running…
———————————————————————————————-
[root@server-rhel6 ~]# ls -l /etc/named
named/               named.conf           named.iscdlv.key     named.rfc1912.zones  named.root.key
———————————————————————————————–
[root@server-rhel6 ~]# cat /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query     { localhost; };
recursion yes;

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

———————————————————————————————-

[root@server-rhel6 etc]# cat named.iscdlv.key 
/* $Id: bind.keys,v 1.7 2011-01-03 23:45:07 each Exp $ */
# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9.  As of the current release, the only
# trust anchors it contains are those for the DNS root zone ("."), and for
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org").  Trust anchors
# for any other zones MUST be configured elsewhere; if they are configured
# here, they will not be recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
# To use the built-in root key, set "dnssec-validation auto;" in
# named.conf options.  To use the built-in DLV key, set
# "dnssec-lookaside auto;".  Without these options being set,
# the keys in this file are ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of January 2011.  If any key fails to
# initialize correctly, it may have expired.  In that event you should
# replace this file with a current version.  The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.

managed-keys {
# ISC DLV: See https://www.isc.org/solutions/dlv for details.
# NOTE: This key is activated by setting "dnssec-lookaside auto;"
# in named.conf.
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
TDN0YUuWrBNh";

# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
# NOTE: This key is activated by setting "dnssec-validation auto;"
# in named.conf.
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
};
———————————————————————————————-
[root@server-rhel6 etc]# cat named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};

———————————————————————————————-
[root@server-rhel6 etc]# cat named.root.key
managed-keys {
# DNSKEY for the root zone.
# Updates are published on root-dnssec-announce@icann.org
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
};

———————————————————————————————-

[root@server-rhel6 ~]# service named configtest

zone localhost.localdomain/IN: loaded serial 0

zone localhost/IN: loaded serial 0

zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0

zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0

zone 0.in-addr.arpa/IN: loaded serial 0

———————————————————————————————-

[root@server-rhel6 ~]# named-checkconf /etc/named.conf

———————————————————————————————-

[root@server-rhel6 ~]# named-checkconf -t /var/named/chroot /etc/named.conf

———————————————————————————————-

[root@server-rhel6 ~]# named-checkzone example.com /var/named/example.com

———————————————————————————————-

[root@server-rhel6 etc]# chown root:named /etc/named.conf /etc/named.rfc1912.zones
[root@server-rhel6 etc]# ls -l named.conf named.rfc1912.zones
-rw-r-----. 1 root named 1061 Mar 23 19:44 named.conf
-rw-r-----. 1 root named  931 Jun 21  2007 named.rfc1912.zones

——————————————————————————————

[root@server-rhel6 named]# cat /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query     {  any; };
recursion yes;

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

########################### changes @rafi ####################
# Note: with listen-on/allow-query set to { any; } and recursion yes in the
# options block above, this server also answers recursive queries from any
# client; add allow-recursion { localhost; <trusted networks>; }; if that is
# not intended.
zone "rafi.com" IN {
type master;
file "rafi.com";
allow-update { none; };
};
——————————————————————————————–

[root@server-rhel6 ~]# cat /var/named/rafi.com 

$TTL 1D

@ IN SOA ns1.rafi.com. master.rafi.com. (

0; serial

1D; refresh

1H; retry

1W; expire

3H ); minimum

@ IN NS ns1.rafi.com.

@ IN MX 10 mail.rafi.com.

ns1 IN A 172.16.28.168

webserver IN A 192.168.0.15

www IN CNAME webserver.rafi.com.

mail IN A 192.168.1.1

——————————————————————————————–
[root@server-rhel6 named]# dig @localhost rafi.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 <<>> @localhost rafi.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17184
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;rafi.com. IN A

;; AUTHORITY SECTION:
rafi.com. 10800 IN SOA ns1.rafi.com. master.rafi.com. 0 86400 3600 604800 10800

;; Query time: 2 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Mar 24 01:01:13 2016
;; MSG SIZE  rcvd: 73

[root@server-rhel6 named]# dig @localhost webserver.rafi.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 <<>> @localhost webserver.rafi.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3357
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;webserver.rafi.com. IN A

;; ANSWER SECTION:
webserver.rafi.com. 86400 IN A 192.168.0.15

;; AUTHORITY SECTION:
rafi.com. 86400 IN NS ns1.rafi.com.

;; ADDITIONAL SECTION:
ns1.rafi.com. 86400 IN A 172.16.28.168

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Mar 24 01:01:25 2016
;; MSG SIZE  rcvd: 86

[root@server-rhel6 named]# dig @localhost www.rafi.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 <<>> @localhost www.rafi.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 192
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.rafi.com. IN A

;; ANSWER SECTION:
www.rafi.com. 86400 IN CNAME webserver.rafi.com.
webserver.rafi.com. 86400 IN A 192.168.0.15

;; AUTHORITY SECTION:
rafi.com. 86400 IN NS ns1.rafi.com.

;; ADDITIONAL SECTION:
ns1.rafi.com. 86400 IN A 172.16.28.168

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Mar 24 01:01:37 2016
;; MSG SIZE  rcvd: 104

[root@server-rhel6 named]# dig @localhost mail.rafi.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 <<>> @localhost mail.rafi.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64350
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;mail.rafi.com. IN A

;; ANSWER SECTION:
mail.rafi.com. 86400 IN A 192.168.1.1

;; AUTHORITY SECTION:
rafi.com. 86400 IN NS ns1.rafi.com.

;; ADDITIONAL SECTION:
ns1.rafi.com. 86400 IN A 172.16.28.168

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Mar 24 01:01:50 2016
;; MSG SIZE  rcvd: 81
=================================================================

EMAIL

MX-record

This test will list MX records for a domain in priority order. The MX lookup is done directly against the domain's authoritative name server, so changes to MX records should show up instantly. You can click Diagnostics, which will connect to the mail server, verify reverse DNS records, perform a simple open-relay check and measure response-time performance. You may also check each MX record (IP address) against 105 DNS-based blacklists (commonly called RBLs or DNSBLs).

A mail exchanger record (MX record) is a type of resource record in the Domain Name System that specifies a mail server responsible for accepting email messages on behalf of a recipient’s domain, and a preference value used to prioritize mail delivery if multiple mail servers are available.

SPF-record

Sender Policy Framework (SPF) records allow domain owners to publish a list of IP addresses or subnets that are authorized to send email on their behalf.  The goal is to reduce the amount of spam and fraud by making it much harder for malicious senders to disguise their identity.  To learn more, visit the SPF Website.

An SPF record is a type of Domain Name Service (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain

DKIM-record

DomainKeys Identified Mail (DKIM) is an email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain’s administrators and that the email (including attachments) has not been modified during transport. A digital signature included with the message can be validated by the recipient using the signer’s public key published in the DNS. In technical terms, DKIM is a technique to authorize the domain name which is associated with a message through cryptographic authentication.
The DKIM Record tool will test a domain name and selector for a valid published DKIM key record. DomainKeys Identified Mail (DKIM) defines a domain-level digital signature authentication framework for email by permitting a signing domain to assert responsibility for a message in transit. DKIM authenticates the reputation and identity
