Assalamu'alaikum. This time I will discuss BIND. BIND stands for Berkeley Internet Name Domain (the daemon itself is called named) and is the software most commonly used to run a DNS server. A DNS server resolves domain names to IP addresses (and, through reverse zones, IP addresses back to names). Thanks to domain names, when we want to open a website we do not need to remember its IP address, only its name, which is far easier for humans to remember. For example, to open Facebook we just type www.facebook.com in the browser; we never need to type Facebook's IP address.
The DNS namespace is organised in levels, for example:
1. the root, written "."
2. the top-level domain (TLD) servers, for example "org"
3. the authoritative nameserver for a domain, for example server1.rizal.org
An example of how a DNS lookup works:
1. We want to open www.google.com in the browser.
2. The browser asks our local (recursive) DNS server.
3. If the name is not in its cache, our DNS server asks a root server.
4. The root server does not know www.google.com either, but it refers our DNS server to the servers for the .com top-level domain; our server follows that referral itself (which is why this is called iterative resolution).
5. The .com server does not know www.google.com, but it knows the nameserver that is authoritative for google.com, in this example ns1.google.com, and refers us there together with that server's address (the glue record).
6. Our DNS server asks ns1.google.com, which answers with the A record for www.google.com (64.233.167.99 in this example), and our DNS server passes that address to the browser.
7. Our local DNS server caches the answer for the lifetime of its TTL, so the next lookup of the same name skips the steps above.
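The walkthrough above, as an added example that is not part of the original post: a minimal iterative resolver in Python using only the standard library. It encodes a query in DNS wire format, parses the answer, authority and additional sections (including RFC 1035 name compression, with a hop limit so a malicious reply cannot loop the parser) and follows referrals from a root server to the TLD servers and on to the authoritative server, the same path the seven steps describe. It goes a little beyond the text by also handling a CNAME in the answer and a referral without glue. The root server address 198.41.0.4 (a.root-servers.net) is taken from the public root hints; resolve() needs network access, the encoder and parser do not, and all function names are mine.

```python
"""Iterative DNS resolution over the wire format, standard library only."""
import socket
import struct

ROOT_SERVER = "198.41.0.4"          # a.root-servers.net, from the public root hints
TYPE_A, TYPE_NS, TYPE_CNAME = 1, 2, 5
MAX_HOPS = 16                       # bounds both referral depth and compression-pointer chains


def encode_name(name):
    """'www.rizal.org' -> length-prefixed labels terminated by a zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qtype, qid=0x1234):
    """12-byte header with RD=0 (we want referrals, not recursion), one question, class IN."""
    header = struct.pack(">HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (fqdn, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: pointer into the message
            if end is None:
                end = off + 2                           # caller resumes after the first pointer
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > MAX_HOPS:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return (flags, sections) with (owner, type, value) tuples per section."""
    _, flags, qdcount, ancount, nscount, arcount = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                            # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", ancount), ("authority", nscount), ("additional", arcount)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10
            if rtype == TYPE_A and rdlen == 4:
                value = socket.inet_ntoa(msg[off:off + 4])
            elif rtype in (TYPE_NS, TYPE_CNAME):
                value, _ = read_name(msg, off)          # names in rdata may be compressed too
            else:
                value = msg[off:off + rdlen]
            sections[section].append((owner, rtype, value))
            off += rdlen
    return flags, sections


def ask(server, name, qtype, timeout=3.0):
    """One UDP round trip; the transaction ID must match or the reply is discarded."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction ID mismatch (spoofed or stray reply)")
    return parse_response(data)


def resolve(name, server=ROOT_SERVER, hop=0):
    """Walk root -> TLD -> authoritative server by following NS referrals and their glue."""
    if hop > MAX_HOPS:
        return []
    _, sections = ask(server, name, TYPE_A)
    addresses = [v for _, t, v in sections["answer"] if t == TYPE_A]
    if addresses:
        return addresses
    cnames = [v for _, t, v in sections["answer"] if t == TYPE_CNAME]
    if cnames:                                          # start over with the canonical name
        return resolve(cnames[0], ROOT_SERVER, hop + 1)
    glue = {owner: v for owner, t, v in sections["additional"] if t == TYPE_A}
    for ns_name in [v for _, t, v in sections["authority"] if t == TYPE_NS]:
        next_server = glue.get(ns_name)
        if next_server is None:                         # no glue: resolve the nameserver first
            next_server = (resolve(ns_name, ROOT_SERVER, hop + 1) or [None])[0]
        if next_server:
            return resolve(name, next_server, hop + 1)
    return []


if __name__ == "__main__":
    print(resolve("www.google.com"))                    # needs network access
```

Run it on a host with outbound UDP/53 and compare with dig +trace, which performs the same walk and prints every referral. The transaction-ID check in ask() is the minimal anti-spoofing measure a real resolver uses, alongside source-port randomisation.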
Three configurations are covered in this article:
1. running bind9 in a chroot
2. master/slave DNS with bind9
3. DNSSEC with bind9
I use two servers (a master and a slave) running Debian 8:
hostname : master
ip : 192.168.0.1
hostname : slave
ip : 192.168.0.2
Before we start, it helps to know the components that make up bind9:
1. named (pronounced "name-dee"): the daemon that answers DNS queries
2. the resolver library: used when a web browser, mail client or other application looks up a name through DNS
3. dig: the command-line tool for querying a DNS server and inspecting the full answer (in Debian's dnsutils package)
With the components clear, the first configuration is to make bind9 run in a chroot environment.
What is a chroot? A chroot changes the root directory a process sees, confining it to one directory tree (here we confine bind9 to /var/lib/named). The aim is to limit an attacker who finds a vulnerability in BIND and exploits the named daemon to gain access to the system: even if named is compromised, the chroot keeps the damage within the name service and its directory tree instead of letting it spread to the rest of the system. A chroot is not a complete sandbox (a process that keeps root privileges can break out of it), which is why named also runs as the unprivileged bind user (the -u bind option Debian sets by default); the two measures reinforce each other.
Here is the configuration to run bind9 in a chroot (the steps are the same on the master and on the slave):
Install bind9:
# apt-get install bind9
Stop the bind9 service:
# /etc/init.d/bind9 stop
Configure named to start inside the chroot (/var/lib/named):
# vim /etc/default/bind9
change OPTIONS="-u bind" to OPTIONS="-u bind -t /var/lib/named"
Prepare the chroot directories:
# mkdir -p /var/lib/named/etc
# mkdir /var/lib/named/dev
# mkdir -p /var/lib/named/var/cache/bind
# mkdir -p /var/lib/named/var/run/bind/run
(the last path must match where your BIND build writes its pid file; if named refuses to start with an error about the pid file, create the directory it names under /var/lib/named, or pin the location with the pid-file option in named.conf.options)
Move the configuration from /etc/bind into the chroot:
# mv /etc/bind /var/lib/named/etc
Create a symbolic link from the new configuration directory back to the old path, so that package upgrades and tools that expect /etc/bind keep working:
# ln -s /var/lib/named/etc/bind /etc/bind
Create the null and random devices bind needs inside the chroot:
# mknod /var/lib/named/dev/null c 1 3
# mknod /var/lib/named/dev/random c 1 8
Fix permissions and ownership (named runs as the bind user, so it must be able to read its configuration and write its cache):
# chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
# chown -R bind:bind /var/lib/named/var/*
# chown -R bind:bind /var/lib/named/etc/bind
Start bind9:
# /etc/init.d/bind9 start
Example output:
[ ok ] Starting bind9 (via systemctl): bind9.service.
Also check the listening sockets with netstat -ntulp | grep named (port 53 is DNS; port 953 on loopback is the rndc control channel and should never be reachable from outside the host):
root@master:~# netstat -ntulp | grep named
tcp 0 0 192.168.0.1:53 0.0.0.0:* LISTEN 428/named
tcp 0 0 10.0.2.15:53 0.0.0.0:* LISTEN 428/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 428/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 428/named
tcp6 0 0 :::53 :::* LISTEN 428/named
tcp6 0 0 ::1:953 :::* LISTEN 428/named
udp 0 0 192.168.0.1:53 0.0.0.0:* 428/named
udp 0 0 10.0.2.15:53 0.0.0.0:* 428/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 428/named
udp6 0 0 :::53 :::* 428/named
Check with rndc status (rndc talks to named over the control channel on port 953, so a reply also proves the control key under /etc/bind is readable inside the chroot):
root@master:~# rndc status
version: 9.9.5-9+deb8u4-Debian <id:f9b8a50e>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 100
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
At this point bind9 is running inside the chroot. Two things are worth confirming before moving on: that the root directory the kernel records for the named process under /proc is /var/lib/named rather than /, and that named is still logging. A chrooted named cannot reach the host's /dev/log, so its messages are silently lost unless the syslog daemon also listens on a socket inside the chroot (for rsyslog, an $AddUnixListenSocket /var/lib/named/dev/log directive in a file under /etc/rsyslog.d/ does this).
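As an added check that is not part of the original post: a small Python script that verifies the chroot tree against the steps above (directories present and owned by bind, /dev/null and /dev/random being real character devices with the right major/minor numbers and mode 666), that /etc/bind really is a symlink into the chroot, and, the part people forget, that the running named's root as reported by the kernel in /proc/<pid>/root is the chroot and not /. The expected layout is the one built above, including the var/run/bind/run pid directory; build_broken_sample_tree() creates a deliberately wrong tree in a temporary directory so the check can be exercised without touching a real system. Function names are mine.

```python
"""Check a BIND chroot tree built with the steps above, and whether named really runs inside it."""
import os
import stat
import tempfile

# Directories the procedure creates; True marks the ones chown'ed to the bind user.
EXPECTED_DIRS = {"etc/bind": True, "dev": False, "var/cache/bind": True, "var/run/bind/run": True}
# Device nodes from the mknod steps as (major, minor); both were chmod'ed to 0666.
EXPECTED_DEVICES = {"dev/null": (1, 3), "dev/random": (1, 8)}


def check_chroot(root, bind_uid=None):
    """Return a list of problems; an empty list means the tree matches the procedure."""
    problems = []
    for rel, must_be_bind in EXPECTED_DIRS.items():
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            problems.append(f"{rel}: missing or not a directory")
            continue
        uid = os.stat(path).st_uid
        if must_be_bind and bind_uid is not None and uid != bind_uid:
            problems.append(f"{rel}: owned by uid {uid}, expected bind ({bind_uid})")
    for rel, (major, minor) in EXPECTED_DEVICES.items():
        try:
            st = os.lstat(os.path.join(root, rel))
        except FileNotFoundError:
            problems.append(f"{rel}: missing (mknod {rel} c {major} {minor})")
            continue
        if not stat.S_ISCHR(st.st_mode):
            problems.append(f"{rel}: not a character device")
        elif (os.major(st.st_rdev), os.minor(st.st_rdev)) != (major, minor):
            problems.append(f"{rel}: device {os.major(st.st_rdev)},{os.minor(st.st_rdev)}, expected {major},{minor}")
        elif stat.S_IMODE(st.st_mode) != 0o666:
            problems.append(f"{rel}: mode {stat.S_IMODE(st.st_mode):o}, expected 666")
    return problems


def config_symlink_ok(root="/var/lib/named", link="/etc/bind"):
    """/etc/bind must be a symlink into the chroot, or edits land in a copy named never reads."""
    target = os.path.join(root, "etc/bind")
    return os.path.islink(link) and os.path.realpath(link) == os.path.realpath(target)


def named_pids():
    """PIDs of running named processes, found through /proc (Linux only)."""
    pids = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/comm") as comm:
                    if comm.read().strip() == "named":
                        pids.append(int(entry))
            except OSError:
                pass
    return pids


def process_root(pid):
    """Root directory the kernel enforces for the process; '/' means it is NOT chrooted."""
    return os.readlink(f"/proc/{pid}/root")


def build_broken_sample_tree():
    """Constructed fixture, not a real system: a chroot tree with typical mistakes."""
    root = tempfile.mkdtemp(prefix="named-chroot-")
    for rel in ("etc/bind", "dev", "var/cache/bind"):    # var/run/bind/run was forgotten
        os.makedirs(os.path.join(root, rel))
    open(os.path.join(root, "dev/null"), "w").close()     # a plain file, not a device node
    return root                                          # dev/random was never created


if __name__ == "__main__":
    import pwd
    problems = check_chroot("/var/lib/named", pwd.getpwnam("bind").pw_uid)
    print("\n".join(problems) or "chroot layout matches the procedure")
    print("/etc/bind symlink OK:", config_symlink_ok())
    for pid in named_pids():
        print(f"named pid {pid} has root {process_root(pid)}")
```

Run it as root on the server after the start step; reading /proc/<pid>/root of another user's process requires root. A named whose root is still / means the -t option in /etc/default/bind9 was not picked up.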
Configuring BIND as a DNS master and slave
master.rizal.org : 192.168.0.1
slave.rizal.org : 192.168.0.2
Because /etc/bind is now a symbolic link to /var/lib/named/etc/bind, every file we edit under /etc/bind is the same file named reads inside the chroot (named sees paths relative to the chroot, so "/etc/bind/db.rizal.org" in its configuration is /var/lib/named/etc/bind/db.rizal.org on the host).
CONFIGURATION ON THE MASTER:
Create the zones:
# vim /etc/bind/named.conf.local
add the following lines. allow-transfer limits zone transfers (AXFR) to the slave's address, so nobody else can download the whole zone, and also-notify tells the slave as soon as the zone changes. An IP address is a weak credential; for anything beyond a lab, give the slave a TSIG key and allow transfers by key rather than by address:
zone "rizal.org" {
type master;
file "/etc/bind/db.rizal.org";
allow-transfer {
192.168.0.2;
};
also-notify {
192.168.0.2;
};
};
zone "0.168.192.in-addr.arpa" {
type master;
file "/etc/bind/rev.rizal.org";
allow-transfer {
192.168.0.2;
};
also-notify {
192.168.0.2;
};
};
Copy db.local to db.rizal.org:
# cp /etc/bind/db.local /etc/bind/db.rizal.org
Edit db.rizal.org to look like this (the "@ IN AAAA ::1" line inherited from db.local is dropped: it points the zone apex at the IPv6 loopback address, which only makes sense for localhost):
;
; BIND data file for the rizal.org zone (copied from db.local)
;
$TTL 604800
@ IN SOA master.rizal.org. root.rizal.org. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS master.rizal.org.
@ IN NS slave.rizal.org.
@ IN A 192.168.0.1
@ IN A 192.168.0.2
master IN A 192.168.0.1
slave IN A 192.168.0.2
Copy db.127 to rev.rizal.org:
# cp /etc/bind/db.127 /etc/bind/rev.rizal.org
Edit rev.rizal.org to look like this. Two details matter: the NS records must carry the nameservers' full names with a trailing dot (master.rizal.org., not master., which named would read as a top-level name), and a reverse zone holds PTR records only, so the A records copied from the template are left out:
;
; BIND reverse data file for 192.168.0.0/24 (copied from db.127)
;
$TTL 604800
@ IN SOA master.rizal.org. root.rizal.org. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS master.rizal.org.
@ IN NS slave.rizal.org.
1 IN PTR master.rizal.org.
2 IN PTR slave.rizal.org.
When done, restart bind9 (running named-checkconf and named-checkzone rizal.org /etc/bind/db.rizal.org first catches typos before named refuses to load the zone):
# /etc/init.d/bind9 restart
Test with nslookup rizal.org:
root@master:~# nslookup rizal.org
Server: 192.168.0.1
Address: 192.168.0.1#53
Name: rizal.org
Address: 192.168.0.1
Name: rizal.org
Address: 192.168.0.2
Test with dig rizal.org (the aa flag shows the answer is authoritative, and the ADDITIONAL section carries the glue for both nameservers):
root@master:~# dig rizal.org
; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> rizal.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63875
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;rizal.org. IN A
;; ANSWER SECTION:
rizal.org. 604800 IN A 192.168.0.1
rizal.org. 604800 IN A 192.168.0.2
;; AUTHORITY SECTION:
rizal.org. 604800 IN NS slave.rizal.org.
rizal.org. 604800 IN NS master.rizal.org.
;; ADDITIONAL SECTION:
slave.rizal.org. 604800 IN A 192.168.0.2
master.rizal.org. 604800 IN A 192.168.0.1
;; Query time: 5 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Fri Dec 25 13:40:15 WIB 2015
;; MSG SIZE rcvd: 143
CONFIGURATION ON THE SLAVE:
Create the zones:
# vim /etc/bind/named.conf.local
add the following lines (the slave fetches each zone from the address in masters and writes its copy to the file given, so that directory must be writable by the bind user, which the chown above arranged):
zone "rizal.org" {
type slave;
file "/etc/bind/db.rizal.org";
masters {
192.168.0.1;
};
};
zone "0.168.192.in-addr.arpa" {
type slave;
file "/etc/bind/rev.rizal.org";
masters {
192.168.0.1;
};
};
Restart bind9:
# /etc/init.d/bind9 restart
The forward and reverse zone files are not written by hand on the slave: they arrive from the master by zone transfer. Confirm it happened by looking for "Transfer completed" in the slave's log and by checking that a SOA query against 192.168.0.1 and against 192.168.0.2 returns the same serial.
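As an added example that is not part of the original post: a small zone-file parser and linter in Python that catches the mistakes these copy-from-template zones are prone to, which named-checkzone does not all report as errors. It is fed the forward zone as it comes out of the db.local copy (template AAAA ::1 line still present) and the reverse zone with the truncated "master." / "slave." NS names and the apex A records from db.127, plus a corrected reverse zone; the zone text is taken from this post and embedded inline so the script runs offline. It also extracts the SOA serial, which is the value to compare between master and slave after a transfer. Function names are mine; only the RFC 1035 syntax these files use is parsed.

```python
"""Parse the two zone files above and flag the copy-from-template mistakes they are prone to."""
import ipaddress

# Forward zone as "cp db.local db.rizal.org" plus the edits leaves it, template AAAA line included.
FORWARD_ZONE = """\
$TTL 604800
@ IN SOA master.rizal.org. root.rizal.org. (
        2 ; Serial
        604800 86400 2419200 604800 )
;
@ IN NS master.rizal.org.
@ IN NS slave.rizal.org.
@ IN A 192.168.0.1
@ IN A 192.168.0.2
@ IN AAAA ::1
master IN A 192.168.0.1
slave IN A 192.168.0.2
"""
# Reverse zone with the two classic db.127 leftovers: NS names cut short and A records at the apex.
REVERSE_ZONE_BROKEN = """\
$TTL 604800
@ IN SOA master.rizal.org. root.rizal.org. ( 1 604800 86400 2419200 604800 )
@ IN NS master.
@ IN NS slave.
@ IN A 192.168.0.1
@ IN A 192.168.0.2
1 IN PTR master.rizal.org.
2 IN PTR slave.rizal.org.
"""
REVERSE_ZONE_FIXED = """\
$TTL 604800
@ IN SOA master.rizal.org. root.rizal.org. ( 1 604800 86400 2419200 604800 )
@ IN NS master.rizal.org.
@ IN NS slave.rizal.org.
1 IN PTR master.rizal.org.
2 IN PTR slave.rizal.org.
"""


def _absolute(name, origin):
    """Names without a trailing dot are relative to the origin; '@' is the zone apex."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Parse the RFC 1035 master-file subset these files use -> [(owner, type, rdata tokens)]."""
    origin = origin if origin.endswith(".") else origin + "."
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]                    # drop comments
        depth += line.count("(") - line.count(")")     # parentheses continue a record over lines
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            logical.append(" ".join(buf))
            buf, depth = [], 0
    records, owner = [], origin
    for line in logical:
        if not line.strip() or line.startswith("$"):   # blank, $TTL, $INCLUDE: nothing to check
            continue
        tokens = line.split()
        if not line[0].isspace():                      # new owner; otherwise reuse the previous one
            owner = _absolute(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():
            tokens.pop(0)                              # per-record TTL
        if tokens and tokens[0] == "IN":
            tokens.pop(0)
        records.append((owner, tokens[0], tokens[1:]))
    return records


def soa_serial(records):
    # The serial is what master and slave must agree on after a transfer.
    return next(int(rdata[2]) for _, rtype, rdata in records if rtype == "SOA")


def lint_zone(records, origin, reverse=False):
    """Return human-readable findings; an empty list means none of the known mistakes is present."""
    origin = origin if origin.endswith(".") else origin + "."
    ns_targets = [rdata[0] for _, rtype, rdata in records if rtype == "NS"]
    with_address = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    findings = []
    for owner, rtype, rdata in records:
        if rtype == "NS":
            target = rdata[0]
            if not target.endswith("."):
                findings.append(f"NS {target}: relative name, named will append {origin}")
            elif target.count(".") == 1:
                findings.append(f"NS {target}: single-label target, the domain part is missing")
            elif target.endswith("." + origin) and target not in with_address:
                findings.append(f"NS {target}: in-zone nameserver without an A/AAAA record (no glue)")
        elif rtype == "SOA" and rdata[0] not in ns_targets:
            findings.append(f"SOA MNAME {rdata[0]} is not listed as an NS")
        elif rtype in ("A", "AAAA") and reverse:
            findings.append(f"{rtype} {rdata[0]} at {owner}: address records do not belong in a reverse zone")
        elif rtype in ("A", "AAAA") and ipaddress.ip_address(rdata[0]).is_loopback:
            findings.append(f"{rtype} {rdata[0]} at {owner}: loopback leftover from the db.local template")
    return findings


if __name__ == "__main__":
    records = parse_zone(REVERSE_ZONE_BROKEN, "0.168.192.in-addr.arpa")
    print("\n".join(lint_zone(records, "0.168.192.in-addr.arpa", reverse=True)))
```

The single-label check is the one that matters most here: "master." is syntactically valid, so named loads the reverse zone without complaint and then delegates it to a nameserver that does not exist.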
CONFIGURING DNSSEC IN BIND9
Do this on both servers (master and slave).
Set up additional entropy so that generating the KSK and ZSK does not stall: dnssec-keygen in BIND 9.9 reads from /dev/random, which blocks on an idle virtual machine until the kernel has collected enough randomness.
# apt-get install haveged rng-tools
Test after the installation (rngtest takes 1000 blocks of 20000 bits from /dev/random and runs the FIPS 140-2 statistical tests on them; a failure or two in 1000 blocks is statistically expected, many failures are not):
# cat /dev/random | rngtest -c 1000
The result looks roughly like this:
rngtest 2-unofficial-mt.14
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 1000
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=606.052; avg=5214.173; max=8241.034)Kibits/s
rngtest: FIPS tests speed: (min=18.608; avg=62.077; max=110.251)Mibits/s
rngtest: Program run time: 4061195 microseconds
DNSSEC configuration on the master:
# cd /etc/bind
# vim named.conf.options
Edit it to look like this. dnssec-enable turns on DNSSEC processing (already the default in 9.9; later versions dropped the option), dnssec-validation makes this server validate the answers it obtains when recursing, and dnssec-lookaside auto enables ISC's DLV lookaside registry. ISC shut DLV down in 2017, so on any current system leave the dnssec-lookaside line out and rely on the root trust anchor (dnssec-validation auto):
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
Create the ZSK:
# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE rizal.org
Create the KSK:
# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE rizal.org
Each command prints the key name and writes two files: Krizal.org.+007+<keytag>.key, holding the public DNSKEY record, and the matching .private file, which must be protected like any other private key, since whoever holds it can sign forged records for the zone. Note that algorithm 7 (NSEC3RSASHA1) is RSA with SHA-1 and is no longer recommended for signing; on a current install use RSASHA256 (algorithm 8) or ECDSAP256SHA256 (algorithm 13) instead, adding -3 if you want NSEC3.
Add the ZSK and KSK public keys to the zone file:
# for key in Krizal.org.*.key; do echo "\$INCLUDE $key" >> db.rizal.org; done
Sign the zone with dnssec-signzone (-o sets the zone origin, -t prints statistics, -g generates DS records for any signed child zones; without -3 <salt> the zone gets NSEC rather than NSEC3 records despite the algorithm's name):
# dnssec-signzone -t -g -o rizal.org db.rizal.org Krizal.org.*.private
Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
db.rizal.org.signed
Signatures generated: 11
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Signing time in seconds: 0.080
Signatures per second: 136.371
Runtime in seconds: 0.118
The signed zone is written to db.rizal.org.signed. Point named at it: in /etc/bind/named.conf.local on the master change the file statement of the rizal.org zone from db.rizal.org to db.rizal.org.signed and run rndc reload; the slave receives the signed records through the normal zone transfer. Signatures produced by dnssec-signzone expire 30 days after signing by default, so the zone has to be re-signed (with a new serial) before then, either from cron or by letting named handle it with auto-dnssec maintain and inline-signing yes. Finally, validating resolvers will only trust the zone once a DS record for the KSK has been published in the parent zone (.org) through the registrar; until then rizal.org is treated as unsigned.
Check the DNSKEY records (257 in the flags field marks the KSK, 256 the ZSK; the key id dig prints is the key tag the DS record will carry):
# dig DNSKEY rizal.org. @localhost +multiline
; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> DNSKEY rizal.org. @localhost +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62469
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;rizal.org. IN DNSKEY
;; ANSWER SECTION:
rizal.org. 604800 IN DNSKEY 257 3 7 (
AwEAAb9BZKZRv1QHmkcFRNpw72JkRQbwWZu4O4O3qN8v
4t1J1aGEUP5MDQZoi2TuPs4/bIeQOR20mnN/Obr+I3xb
90sY0nKEf6pTCiie15mWbJTZjPznAWREUiSVdxVMMVph
uMS4LCIetRlqPApRy/BeZxe1tv/Wbi+0Pg/apoWlf2CP
sea1PSbLtiPfzRyYUdvouoj9MmbBkRzerWp5VFBMl28w
6tNvs8cO/A8+ycdBb/V87Ch3juRBlRLKjhCP0qLUXfcO
oEb4LQ+i1Py4j9C4lQ95cYgYhe4Yq0nq5s+HDH6ygcsh
dK7sERfHyWsYmM/RZLQrxojFsg+GEtCI85h8fpIBlUtD
nf4LctD7qU0+3q82a0XqDvM5+Deh5kwShLyjgRyNSuzK
Pnu0pseZ1VtO7N8Lo4ROypSHbYOtoHvrvA5XIHaxpGU8
ckhPqdYloJ8ScKQXrrnQWRNG0mInR4SRYF8G+HO78t+u
exPLJNN9AS1YAWzzHaiLbgzO7lT/DYTGXdOH3J8cUXmv
lXhtxME2jTp1CeQTTgJa7fwFPcVIvoDF5HA8hT2rwsYA
D0jZ5qDvNRAJXOwr4f1nzsnWI/Fbi9KK/2Os4OB2TtYT
2bDF5yOsYWOoicAB6xVsC+Jo2bIRVkzTBQpSWzG1ZFP3
JtNN51kDGqBq4qry1OWxK4yKb+f5
) ; KSK; alg = NSEC3RSASHA1; key id = 25128
rizal.org. 604800 IN DNSKEY 256 3 7 (
AwEAAavjBFabWe3N4jcGftwgw6RyHwErMcy95ea870/N
wQcSIr8dbQBBuf31QJ2gXnH0OKkV5OOycKlzE/ch2/9a
+PaI8snBEKJTLFlB45ejVUwkqbYP6a1r/3p5G1PoFRt5
uE/TaMTJHOsJQISs7u4xG6ME/KgLYKmz/GRfzXCIHMn6
89PmZzVneFRnyg39oUSmFq6OPjj5cCKPZSYLP8a/tZ9P
KB06jCUvb44cT8x6EX3sw+d5OiDmGvQpxz5ISR+KY86x
qB6Ep9ZqxpxvzreXHQ0mZBukJaWfsUQZ3PSy2nyRqpxx
tePrx5V8lLTpqGo9+ZzaRDzkKgJ6gEL+Ytw+Ny8=
) ; ZSK; alg = NSEC3RSASHA1; key id = 30959
;; Query time: 4 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Dec 25 17:48:41 WIB 2015
;; MSG SIZE rcvd: 846
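As an added example that is not part of the original post: the DNSKEY records dig printed above contain everything the remaining steps need. This Python script rebuilds their wire format, computes the RFC 4034 key tag (the number dig shows as key id), decodes the RSA public key to confirm the 4096-bit KSK and 2048-bit ZSK the keygen commands asked for, and derives the DS record that has to be handed to the .org registrar before any validating resolver will trust the zone, a step the post itself does not show. The base64 key material is copied verbatim from the dig output above with the line wrapping removed; everything else is RFC arithmetic, and the function names are mine.

```python
"""Key tag, DS record and RSA parameters from the DNSKEY records dig printed above."""
import base64
import hashlib
import struct

OWNER = "rizal.org."
# (flags, protocol, algorithm, base64 public key), copied from the dig output.
KSK = (257, 3, 7,
       "AwEAAb9BZKZRv1QHmkcFRNpw72JkRQbwWZu4O4O3qN8v4t1J1aGEUP5MDQZoi2TuPs4/bIeQOR20mnN/Obr+I3xb"
       "90sY0nKEf6pTCiie15mWbJTZjPznAWREUiSVdxVMMVphuMS4LCIetRlqPApRy/BeZxe1tv/Wbi+0Pg/apoWlf2CP"
       "sea1PSbLtiPfzRyYUdvouoj9MmbBkRzerWp5VFBMl28w6tNvs8cO/A8+ycdBb/V87Ch3juRBlRLKjhCP0qLUXfcO"
       "oEb4LQ+i1Py4j9C4lQ95cYgYhe4Yq0nq5s+HDH6ygcshdK7sERfHyWsYmM/RZLQrxojFsg+GEtCI85h8fpIBlUtD"
       "nf4LctD7qU0+3q82a0XqDvM5+Deh5kwShLyjgRyNSuzKPnu0pseZ1VtO7N8Lo4ROypSHbYOtoHvrvA5XIHaxpGU8"
       "ckhPqdYloJ8ScKQXrrnQWRNG0mInR4SRYF8G+HO78t+uexPLJNN9AS1YAWzzHaiLbgzO7lT/DYTGXdOH3J8cUXmv"
       "lXhtxME2jTp1CeQTTgJa7fwFPcVIvoDF5HA8hT2rwsYAD0jZ5qDvNRAJXOwr4f1nzsnWI/Fbi9KK/2Os4OB2TtYT"
       "2bDF5yOsYWOoicAB6xVsC+Jo2bIRVkzTBQpSWzG1ZFP3JtNN51kDGqBq4qry1OWxK4yKb+f5")
ZSK = (256, 3, 7,
       "AwEAAavjBFabWe3N4jcGftwgw6RyHwErMcy95ea870/NwQcSIr8dbQBBuf31QJ2gXnH0OKkV5OOycKlzE/ch2/9a"
       "+PaI8snBEKJTLFlB45ejVUwkqbYP6a1r/3p5G1PoFRt5uE/TaMTJHOsJQISs7u4xG6ME/KgLYKmz/GRfzXCIHMn6"
       "89PmZzVneFRnyg39oUSmFq6OPjj5cCKPZSYLP8a/tZ9PKB06jCUvb44cT8x6EX3sw+d5OiDmGvQpxz5ISR+KY86x"
       "qB6Ep9ZqxpxvzreXHQ0mZBukJaWfsUQZ3PSy2nyRqpxxtePrx5V8lLTpqGo9+ZzaRDzkKgJ6gEL+Ytw+Ny8=")


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Wire-format DNSKEY RDATA (RFC 4034 2.1): flags(2) protocol(1) algorithm(1) key bytes."""
    return struct.pack(">HBB", flags, protocol, algorithm) + public_key


def from_presentation(record):
    flags, protocol, algorithm, b64 = record
    return dnskey_rdata(flags, protocol, algorithm, base64.b64decode(b64))


def key_tag(rdata):
    """RFC 4034 Appendix B: the 'key id' dig prints (for every algorithm except RSAMD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(rdata):
    """Bit 15 of the flags is SEP (Secure Entry Point): 257 = KSK, 256 = ZSK."""
    return bool(struct.unpack(">H", rdata[:2])[0] & 0x0001)


def wire_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(owner, rdata, digest_type=2):
    """DS RDATA for the parent: digest over the canonical owner name + DNSKEY RDATA (RFC 4034 5.1.4)."""
    digest_fn = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = digest_fn(wire_name(owner.lower()) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def rsa_parameters(rdata):
    """RFC 3110 key field: exponent length (1 or 3 bytes), exponent, modulus -> (e, modulus bits)."""
    key = rdata[4:]
    if key[0] != 0:
        exp_len, pos = key[0], 1
    else:
        exp_len, pos = struct.unpack(">H", key[1:3])[0], 3
    exponent = int.from_bytes(key[pos:pos + exp_len], "big")
    modulus = int.from_bytes(key[pos + exp_len:], "big")
    return exponent, modulus.bit_length()


def describe(record):
    rdata = from_presentation(record)
    exponent, bits = rsa_parameters(rdata)
    return {"kind": "KSK" if is_ksk(rdata) else "ZSK", "key_tag": key_tag(rdata),
            "algorithm": rdata[3], "rsa_bits": bits, "exponent": exponent}


if __name__ == "__main__":
    for record in (KSK, ZSK):
        print(describe(record))
    tag, algorithm, digest_type, digest = ds_record(OWNER, from_presentation(KSK))
    print(f"{OWNER} IN DS {tag} {algorithm} {digest_type} {digest}")   # what goes to the registrar
```

Compare the printed key tags with the key id values in the dig output, and the DS line with what dnssec-dsfromkey -2 Krizal.org.+007+<keytag>.key prints on the master; they must agree before the DS is submitted, because a DS that does not match the published KSK makes the whole zone fail validation.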
Configuration on the slave server:
Edit named.conf.options to look like this (identical to the master's):
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
and edit named.conf.local to look like this (the file name is only where the slave stores its transferred copy; the signed data itself comes from the master over the zone transfer):
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "rizal.org" {
type slave;
file "/etc/bind/db.rizal.org.signed";
masters {
192.168.0.1;
};
};
zone "0.168.192.in-addr.arpa" {
type slave;
file "/etc/bind/rev.rizal.org";
masters {
192.168.0.1;
};
};
Restart bind:
# /etc/init.d/bind9 restart
To verify end to end, query the slave with dig rizal.org @192.168.0.2 +dnssec: the A records should come back with RRSIG records next to them. The ad (authenticated data) flag will only appear when the DS record has been published in the parent zone and you ask a validating resolver; the reverse zone stays unsigned in this setup.
References: "Linux System Administrator" ebook, O'Reilly
https://drive.google.com/folderview?id=0B8CJF0KOi9GPfk5jQUpJVEhSQ1ZGM2trLVhna1RtdlNYdEJyZ090enFEUlBzRlBOY2Z1YWs&usp=sharing
http://www.unixmen.com/setup-dns-server-debian-7-wheezy/
https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2