DNS (BIND) Server Configuration
By 林逸祥 (Yi-Hsiang Lin), 2002/1/8 @CISCC
Presentation transcript (added to the site October 07, 2007).

OUTLINE
- Hardware requirements
- Named startup
- Configuration files
- Example

Hardware requirements
- BIND is a memory hog. New features of BIND 9 are also CPU intensive (most notably DNSSEC and IPv6).
- BIND 9 is multithreaded and can make full use of multiprocessor systems.
- Watch the size of the named process to determine if a name server has enough memory:
    PID   USERNAME THR PRI NICE SIZE RES STATE TIME  CPU   COMMAND
    17399 root     6   59  0    12M  12M sleep 17:21 0.30% named

Named startup
- Started at boot time, runs continuously.
- Use a command-line interface: ndc or rndc (BIND 9).
    ndc command   (where command can be start, stop, restart, reload, status)
- Should be started before syslogd.
- Do not use inetd to manage named.

Configuration files (1/2)
- /etc/named.conf (in BIND 8 and 9)
- Comments: /* */, //, #
- Each statement begins with a keyword.
- An address match list can include: an IP, an IP with netmask, an acl name, a key, or ! (negation). E.g.
    { ! 1.2.3.13; 1.2.3.24; };
    { 140.113/16; 127.0.0.1; };
- PS. Address match lists are evaluated with a "first match" algorithm.

Configuration files (2/2)
- Statement types in named.conf

The include statement
    include "path";
- Put different portions of the configuration in separate files.
- The path is relative.
- Protect cryptographic keys: the key files must not be world-readable.

The options statement (1/4)
    options { option; option; ... };
- BIND 8 had 30 options; BIND 9 has over 50.

The options statement (2/4)   [defaults in brackets]
    version "string";               [real version of server]
    directory "path";               [where server started]
    notify yes | no;                [yes]
    also-notify svrs_ips;           [empty]
    recursion yes | no;             [yes]
    allow-recursion { add_list };   [all hosts]

The options statement (3/4)
    check-names { master|slave|response action };
- Valid names: letters, numbers, dashes; no longer than 64 characters per component, 256 characters in total.
- Defaults: master: fail (log and reject bad names); slave: warn (log bad names, but continue processing); response: ignore (do not check).
    transfer-format one-answer | many-answers;

The options statement (4/4)
    listen-on port ip_port address_match_list;    [53, all]
    query-source address ip_addr port ip_port;    [random]
    forwarders { in_addr; in_addr; ... };         [empty]
    forward only | first;                         [first]
    allow-query { address_match_list; };
    allow-transfer { address_match_list; };
    blackhole { address_match_list; };

The acl statement
    acl acl_name { address_match_list };
- Must be a top-level statement (one pass).
- Predefined lists: any, localnets, localhost, none

The server statement
    server ip_addr {
        bogus yes | no;                              [no]
        provide-ixfr yes | no;                       [yes (V9 only)]
        request-ixfr yes | no;                       [yes (V9 only)]
        support-ixfr yes | no;                       [no (V8 only)]
        transfers number;                            [2 (V9 only)]
        transfer-format one-answer | many-answers;   [V8: one-answer, V9: many-answers]
        keys { key-id; key-id; ... };
    };

The logging statement
    logging {
        channel_def; channel_def; ...
        category category_name { channel_name; channel_name; ... };
    };
- "most configurable logging system on Earth"

The zone statement
    zone "domain_name" {
        type master|slave|stub|hint|forward;
        file "path";
        allow-query { address_match_list; };
        allow-transfer { address_match_list; };
        allow-update { address_match_list; };
    };

The key/trusted-keys statement
    key key-id { algorithm string; secret string; };
- For authentication with a particular server.
    trusted-keys { domain flags protocol algorithm key; domain flags protocol algorithm key; ... };
- For DNSSEC security, specified in RFC 2065.

The controls statement
    controls {
        inet ip_addr port port# allow { address_match_list | key ... };
        unix permission owner group;   [0600 0 0]
    };
- Specifies how ndc controls a running named process.

The view statement
    view view-name {
        match-clients { address_match_list };
        view_option; ...
        zone_statement; ...
    };
- New feature of BIND 9.
- Split DNS.
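The "first match" rule for address match lists and the match-clients selection of the view statement, as an added Python example (not code from the slides or from BIND). It assumes two constructed acl names, "secondaries" and "campus", and evaluates the slides' own example lists plus a split-DNS view selection; the rule that a negated hit inside a nested acl counts as "no match" for the outer list follows BIND's documented behaviour and is treated here as an assumption.

```python
import ipaddress

# Constructed sample data: predefined lists and two acl statements of the
# kind the slides describe; 140.113/16 is the campus prefix from the slides.
PREDEFINED = {"any": ["0.0.0.0/0"], "none": [], "localhost": ["127.0.0.1"]}
ACLS = {"secondaries": ["140.113.1.2", "140.113.1.3"],
        "campus": ["140.113/16", "127.0.0.1"]}
# Constructed split-DNS views: internal clients first, everyone else last.
VIEWS = [("internal", ["campus"]), ("external", ["any"])]

def to_network(text):
    """Expand BIND's short prefix form (140.113/16 -> 140.113.0.0/16)."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(addr + "/" + (plen or "32"), strict=False)

def match(client, amlist, lists=ACLS):
    """First-match evaluation of an address match list.
    True = allow, False = deny (a negated element hit first),
    None = nothing matched (BIND treats this as deny)."""
    ip = ipaddress.ip_address(client)
    for elem in amlist:
        negated = elem.startswith("!")
        name = elem.lstrip("! ")
        if name in PREDEFINED or name in lists:
            nested = PREDEFINED.get(name, lists.get(name))
            # Assumed BIND semantics: a negated or missing hit inside a
            # nested list is "no match" here, so the outer search goes on.
            if match(client, nested, lists) is not True:
                continue
        elif ip not in to_network(name):
            continue
        return not negated  # the first hit decides the result
    return None

def allowed(client, amlist, lists=ACLS):
    """The yes/no answer named gives for allow-query, allow-transfer, etc."""
    return match(client, amlist, lists) is True

def select_view(client, views):
    """Split DNS: the first view whose match-clients list admits the client."""
    for name, clients in views:
        if allowed(client, clients):
            return name
    return None
```

Because the first hit decides, a narrower element (negated or not) must come before the broader prefix that would otherwise swallow it.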