
# DNS Management Cheat Sheet

## Overview

DNS management covers the administration, configuration and maintenance of Domain Name System infrastructure. This cheat sheet collects the essential commands and procedures for managing DNS servers, zones and records across different platforms and environments.

⚠️ Warning: DNS changes can affect network connectivity and service availability. Always test changes in a non-production environment first and follow your change-management procedures.

## DNS Server Management

### BIND (Berkeley Internet Name Domain)

#### Installation

```bash
# Ubuntu/Debian
sudo apt update && sudo apt install bind9 bind9utils bind9-doc

# CentOS/RHEL/Rocky Linux
sudo dnf install bind bind-utils

# macOS (using Homebrew)
brew install bind
```

#### Service Management

```bash
# Start BIND service
sudo systemctl start named
sudo systemctl start bind9  # Ubuntu/Debian

# Stop BIND service
sudo systemctl stop named
sudo systemctl stop bind9   # Ubuntu/Debian

# Restart BIND service
sudo systemctl restart named
sudo systemctl restart bind9  # Ubuntu/Debian

# Enable auto-start
sudo systemctl enable named
sudo systemctl enable bind9   # Ubuntu/Debian

# Check service status
sudo systemctl status named
sudo systemctl status bind9   # Ubuntu/Debian
```

#### Configuration Management

```bash
# Check BIND configuration syntax
sudo named-checkconf

# Check zone file syntax
sudo named-checkzone example.com /etc/bind/db.example.com

# Reload configuration without restart
sudo rndc reload

# Reload specific zone
sudo rndc reload example.com

# Flush cache
sudo rndc flush

# Write BIND statistics to the statistics file (named.stats)
sudo rndc stats
```

### Windows DNS Server

#### PowerShell Management

```powershell
# Install DNS Server role
Install-WindowsFeature -Name DNS -IncludeManagementTools

# Start DNS service
Start-Service DNS

# Stop DNS service
Stop-Service DNS

# Restart DNS service
Restart-Service DNS

# Get DNS server settings
Get-DnsServer

# Get DNS server statistics
Get-DnsServerStatistics
```

## Zone Management

### Creating Zones

#### BIND Zone Creation

```bash
# Create forward lookup zone file
sudo nano /etc/bind/db.example.com

# Add zone to named.conf
echo 'zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.168.1.10; };
};' | sudo tee -a /etc/bind/named.conf.local

# Create reverse lookup zone
sudo nano /etc/bind/db.192.168.1

# Add reverse zone to named.conf
echo 'zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.168.1";
    allow-transfer { 192.168.1.10; };
};' | sudo tee -a /etc/bind/named.conf.local
```

#### Windows DNS Zone Creation

```powershell
# Create primary zone
Add-DnsServerPrimaryZone -Name "example.com" -ZoneFile "example.com.dns"

# Create Active Directory integrated zone
Add-DnsServerPrimaryZone -Name "example.com" -ReplicationScope "Domain"

# Create secondary zone
Add-DnsServerSecondaryZone -Name "example.com" -ZoneFile "example.com.dns" -MasterServers "192.168.1.10"

# Create reverse lookup zone
Add-DnsServerPrimaryZone -NetworkId "192.168.1.0/24" -ReplicationScope "Domain"
```

### Zone Transfer Management

#### BIND Zone Transfers

```bash
# Configure zone transfer in named.conf (only the listed secondaries may pull the zone)
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.168.1.10; 192.168.1.11; };
    also-notify { 192.168.1.10; 192.168.1.11; };
    notify yes;
};

# Send NOTIFY to the secondaries so they pull the zone now
sudo rndc notify example.com

# Check server status (includes running and deferred transfers)
sudo rndc status
```

#### Windows Zone Transfers

```powershell
# Restrict zone transfers to the listed secondaries
Set-DnsServerPrimaryZone -Name "example.com" -SecureSecondaries TransferToSecureServers -SecondaryServers "192.168.1.10","192.168.1.11"

# Enable zone transfer notifications to those servers
Set-DnsServerPrimaryZone -Name "example.com" -Notify NotifyServers -NotifyServers "192.168.1.10","192.168.1.11"

# Force a full zone transfer (run on the secondary)
Start-DnsServerZoneTransfer -Name "example.com" -FullTransfer
```

## DNS Record Management

### Common Record Types

#### A Records (IPv4)

```bash
# BIND - Add A record to zone file
echo "www    IN    A    192.168.1.100" >> /etc/bind/db.example.com

# Using nsupdate (dynamic updates; the zone must allow-update with this key)
nsupdate -k /etc/bind/rndc.key
> server 192.168.1.10
> zone example.com
> update add www.example.com 300 A 192.168.1.100
> send
> quit
```

```powershell
# Windows PowerShell
Add-DnsServerResourceRecordA -ZoneName "example.com" -Name "www" -IPv4Address "192.168.1.100"
```

#### AAAA Records (IPv6)

```bash
# BIND - Add AAAA record
echo "www    IN    AAAA    2001:db8::1" >> /etc/bind/db.example.com
```

```powershell
# Windows PowerShell
Add-DnsServerResourceRecordAAAA -ZoneName "example.com" -Name "www" -IPv6Address "2001:db8::1"
```

#### CNAME Records

```bash
# BIND - Add CNAME record
echo "mail    IN    CNAME    www.example.com." >> /etc/bind/db.example.com
```

```powershell
# Windows PowerShell
Add-DnsServerResourceRecordCName -ZoneName "example.com" -Name "mail" -HostNameAlias "www.example.com"
```

#### MX Records

```bash
# BIND - Add MX record
# The MX target must have A/AAAA records of its own; an MX must not point at a CNAME (RFC 2181)
echo "@    IN    MX    10    mail.example.com." >> /etc/bind/db.example.com
```

```powershell
# Windows PowerShell
Add-DnsServerResourceRecordMX -ZoneName "example.com" -Name "@" -MailExchange "mail.example.com" -Preference 10
```

#### TXT Records

```bash
# BIND - Add TXT record (SPF)
echo "@    IN    TXT    \"v=spf1 include:_spf.google.com ~all\"" >> /etc/bind/db.example.com
```

```powershell
# Windows PowerShell
Add-DnsServerResourceRecordTxt -ZoneName "example.com" -Name "@" -DescriptiveText "v=spf1 include:_spf.google.com ~all"
```

#### PTR Records (Reverse DNS)

```bash
# BIND - Add PTR record to reverse zone
echo "100    IN    PTR    www.example.com." >> /etc/bind/db.192.168.1
```

```powershell
# Windows PowerShell
Add-DnsServerResourceRecordPtr -ZoneName "1.168.192.in-addr.arpa" -Name "100" -PtrDomainName "www.example.com"
```

### Modifying and Deleting Records

#### BIND Record Management

```bash
# Edit zone file directly
sudo nano /etc/bind/db.example.com

# Increment the SOA serial number (important: secondaries only transfer the zone when the serial rises)
# Change: 2024063001 to 2024063002

# Reload zone after changes
sudo rndc reload example.com

# Delete record using nsupdate
nsupdate -k /etc/bind/rndc.key
> server 192.168.1.10
> zone example.com
> update delete old-server.example.com A
> send
> quit
```

#### Windows Record Management

```powershell
# Modify A record (Set-DnsServerResourceRecord takes the old and the new record object)
$old = Get-DnsServerResourceRecord -ZoneName "example.com" -Name "www" -RRType "A"
$new = $old.Clone()
$new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse("192.168.1.101")
Set-DnsServerResourceRecord -ZoneName "example.com" -OldInputObject $old -NewInputObject $new

# Remove A record
Remove-DnsServerResourceRecord -ZoneName "example.com" -Name "www" -RRType "A" -Force

# Remove all records for a name (-RRType is mandatory, so pipe each record in instead)
Get-DnsServerResourceRecord -ZoneName "example.com" -Name "old-server" | Remove-DnsServerResourceRecord -ZoneName "example.com" -Force
```

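The "increment the serial" step above is easy to get wrong by hand. As an added example (not from the cheat sheet), this Python helper locates the SOA serial in a zone file and bumps it following the YYYYMMDDnn convention the sheet uses; it also handles the date having moved on since the last edit, the nn=99 case, and serials that are not date-based at all. `SAMPLE_ZONE` is a constructed zone file, and `today` is passed as an integer YYYYMMDD so the result is reproducible.

```python
import re
from datetime import date

def find_serial(zone_text):
    """Locate the SOA serial: returns (line_index, start_col, end_col, token).
    Lines are tokenised after dropping ';' comments; the serial is the third token
    after 'SOA' (MNAME, RNAME, SERIAL), with the '(' ')' of a multi-line SOA ignored."""
    tokens = []
    for i, line in enumerate(zone_text.splitlines()):
        code = line.split(";", 1)[0]  # a ';' inside a quoted TXT string is cut too; harmless here
        tokens += [(i, m.start(), m.end(), m.group()) for m in re.finditer(r"[^\s()]+", code)]
    for k, (_, _, _, tok) in enumerate(tokens):
        if tok.upper() == "SOA":
            return tokens[k + 3]
    raise ValueError("no SOA record found")

def next_serial(current, today=None):
    """Next serial in YYYYMMDDnn form (today as int YYYYMMDD, default: the real date).
    If the serial's date part is older than today, restart at today + 01; otherwise
    just add 1, which also covers nn=99 and serials that are not date-based."""
    today = today or int(date.today().strftime("%Y%m%d"))
    return today * 100 + 1 if current // 100 < today else current + 1

def bump_serial(zone_text, today=None):
    """Return (new_zone_text, old_serial, new_serial); only the serial digits change."""
    line_idx, start, end, tok = find_serial(zone_text)
    old = int(tok)
    new = next_serial(old, today)
    lines = zone_text.splitlines(keepends=True)
    lines[line_idx] = lines[line_idx][:start] + str(new) + lines[line_idx][end:]
    return "".join(lines), old, new

# Constructed sample zone in the layout of /etc/bind/db.example.com
SAMPLE_ZONE = """\
$TTL 86400
@   IN  SOA ns1.example.com. admin.example.com. (
            2024063001 ; Serial
            3600       ; Refresh
            900        ; Retry
            604800     ; Expire
            86400 )    ; Minimum TTL
@   IN  NS  ns1.example.com.
ns1 IN  A   192.168.1.10
www IN  A   192.168.1.100
"""

if __name__ == "__main__":
    text, old, new = bump_serial(SAMPLE_ZONE, 20240630)
    print(f"serial {old} -> {new}")  # then: named-checkzone example.com <file> && rndc reload example.com
```

Write the returned text back to the zone file, run `named-checkzone` on it, and only then `rndc reload` the zone.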
## DNS Security Management

### DNSSEC Configuration

#### BIND DNSSEC Setup

```bash
# Generate zone signing key (ZSK) and key signing key (KSK)
cd /etc/bind/keys
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com
dnssec-keygen -a RSASHA256 -b 4096 -f KSK -n ZONE example.com

# Sign the zone (NSEC3 with a random salt; -N INCREMENT bumps the SOA serial)
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t /etc/bind/db.example.com

# Update named.conf to serve the signed zone file produced above
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com.signed";
    key-directory "/etc/bind/keys";
};
# Alternatively let named sign and re-sign the zone itself: keep "file" pointing at the
# unsigned zone and add "inline-signing yes;" plus "auto-dnssec maintain;" (the latter
# is deprecated in favour of "dnssec-policy" in recent BIND releases).
```

#### Windows DNSSEC Setup

```powershell
# Add Key Signing Key (KSK)
Add-DnsServerSigningKey -ZoneName "example.com" -Type "KeySigningKey" -CryptoAlgorithm "RsaSha256"

# Add Zone Signing Key (ZSK)
Add-DnsServerSigningKey -ZoneName "example.com" -Type "ZoneSigningKey" -CryptoAlgorithm "RsaSha256"

# Sign the zone with the keys configured above
Invoke-DnsServerZoneSign -ZoneName "example.com" -Force

# Enable automatic key rollover for the zone's KSK
Enable-DnsServerSigningKeyRollover -ZoneName "example.com" -KeyType "KeySigningKey"
```

### Access Control Lists (ACLs)

#### BIND ACL Configuration

```bash
# Define ACLs in named.conf
acl "internal-networks" { 192.168.1.0/24; 10.0.0.0/8; 172.16.0.0/12; };
acl "dns-servers" { 192.168.1.10; 192.168.1.11; };

# Apply ACLs to zones
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-query { internal-networks; };
    allow-transfer { dns-servers; };
    allow-update { none; };
};
```

#### Windows DNS Security

```powershell
# Restrict zone transfers to the listed secondaries
Set-DnsServerPrimaryZone -Name "example.com" -SecureSecondaries TransferToSecureServers -SecondaryServers "192.168.1.10","192.168.1.11"

# Disable recursion (an authoritative-only server should not answer recursive queries)
Set-DnsServerRecursion -Enable $false -AdditionalTimeout 4 -RetryInterval 3 -Timeout 8
```

## DNS Monitoring and Troubleshooting

### Log Management

#### BIND Logging

```bash
# Configure logging in named.conf
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
    channel query_log {
        file "/var/log/bind/query.log" versions 3 size 5m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries { query_log; };
    category default { default_debug; };
};

# Enable query logging at runtime
sudo rndc querylog on

# View logs
sudo tail -f /var/log/bind/query.log
sudo journalctl -u named -f
```

#### Windows DNS Logging

```powershell
# Enable all DNS debug logging options
Set-DnsServerDiagnostics -All $true

# Enable query logging only
Set-DnsServerDiagnostics -Queries $true

# View DNS events
Get-WinEvent -LogName "DNS Server" | Select-Object -First 10

# Export query resolution policies
Get-DnsServerQueryResolutionPolicy | Export-Csv -Path "C:\dns-policies.csv"
```

### Performance Monitoring

#### BIND Statistics

```bash
# Enable the statistics channel in named.conf (loopback only)
statistics-channels {
    inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};

# View statistics via HTTP
curl http://127.0.0.1:8053/

# Command line statistics (written to named.stats)
sudo rndc stats
cat /var/cache/bind/named.stats
```

#### Windows DNS Performance

```powershell
# Get DNS server statistics
Get-DnsServerStatistics

# Monitor DNS performance counters
Get-Counter "\DNS\Total Query Received/sec"
Get-Counter "\DNS\Total Response Sent/sec"
Get-Counter "\DNS\Recursive Queries/sec"

# Export performance data
Get-DnsServerStatistics | Export-Csv -Path "C:\dns-stats.csv"
```

### Troubleshooting Commands

#### DNS Resolution Tests

```bash
# Test DNS resolution
nslookup www.example.com
dig www.example.com
host www.example.com

# Test specific record types
dig MX example.com
dig TXT example.com
dig NS example.com

# Test reverse DNS
dig -x 192.168.1.100

# Test DNSSEC validation (look for RRSIG records and the 'ad' flag in the answer)
dig +dnssec www.example.com
```

#### Zone Transfer Tests

```bash
# Test zone transfer (must be refused from any host not in allow-transfer)
dig @192.168.1.10 example.com AXFR

# Check zone serial number
dig @192.168.1.10 example.com SOA
```

#### Windows DNS Tests

```powershell
# Test DNS resolution
Resolve-DnsName -Name "www.example.com"
Resolve-DnsName -Name "example.com" -Type MX

# Test DNS server connectivity and that it is authoritative for the zone
Test-DnsServer -IPAddress "192.168.1.10" -ZoneName "example.com"

# Check the zone's SOA (serial) on a specific server
Resolve-DnsName -Name "example.com" -Type SOA -Server "192.168.1.10"
```

### Backups

```bash
# Backup BIND zone files
sudo tar -czf /backup/dns-zones-$(date +%Y%m%d).tar.gz /etc/bind/
```

```powershell
# Backup Windows DNS zones
Export-DnsServerZone -Name "example.com" -FileName "example.com.backup"
```

### Cache Management

```bash
# Clear DNS cache (BIND)
sudo rndc flush

# Clear local resolver cache (Linux)
sudo systemctl restart systemd-resolved
```

```powershell
# Clear DNS server cache (Windows)
Clear-DnsServerCache

# Clear local resolver cache (Windows)
ipconfig /flushdns
```

### Zone Maintenance

```bash
# Update zone serial number
# Edit the zone file and increment the serial: 2024063001 -> 2024063002

# Reload zone
sudo rndc reload example.com

# Force zone refresh on a secondary
sudo rndc refresh example.com
```

## Command Reference

| Command | Description |
|---|---|
| `named-checkconf` | Validate BIND configuration |
| `named-checkzone` | Validate zone file syntax |
| `rndc reload` | Reload DNS configuration |
| `rndc flush` | Clear DNS cache |
| `rndc stats` | Write statistics to named.stats |
| `rndc querylog` | Toggle query logging |
| `nsupdate` | Dynamic DNS updates |
| `dig` | DNS lookup utility |
| `nslookup` | DNS lookup utility |
| `host` | DNS lookup utility |

| Cmdlet | Description |
|---|---|
| `Get-DnsServer` | Get DNS server configuration |
| `Add-DnsServerPrimaryZone` | Create primary zone |
| `Add-DnsServerSecondaryZone` | Create secondary zone |
| `Add-DnsServerResourceRecord*` | Add DNS records |
| `Remove-DnsServerResourceRecord` | Remove DNS records |
| `Set-DnsServerPrimaryZone` | Configure zone transfers and notifications |
| `Test-DnsServer` | Test DNS server functionality |
| `Clear-DnsServerCache` | Clear DNS cache |

## Troubleshooting Common Issues

### Zone Transfer Issues

```bash
# Check zone transfer configuration
named-checkconf
named-checkzone example.com /etc/bind/db.example.com

# Verify network connectivity to the secondary on TCP/53 (zone transfers use TCP)
telnet secondary-dns-server 53

# Generate the rndc (TSIG) key file if it is missing
rndc-confgen -a
```

### DNSSEC Issues

```bash
# Check the DNSSEC chain from the root down
dig +dnssec +trace www.example.com

# Verify key signatures
dig +dnssec example.com DNSKEY

# Check DS records in the parent zone
dig +dnssec example.com DS
```

### Performance Issues

```bash
# Monitor query load
rndc stats
tail -f /var/log/bind/query.log

# Inspect cache contents
rndc dumpdb -cache
grep "cache" /var/cache/bind/named_dump.db

# Analyze query patterns
awk '{print $1}' /var/log/bind/query.log | sort | uniq -c | sort -nr
```
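The `awk` one-liner above only counts on the first field of each line. As an added example (not part of the cheat sheet), this Python script parses BIND's query-log format, counts queries per client and per record type, lists clients above a query threshold, and flags AXFR/IXFR requests from addresses other than the configured secondaries (192.168.1.10 and 192.168.1.11 from the `allow-transfer` lists in this sheet). `SAMPLE_LOG` holds constructed lines, not output from a real server.

```python
import re
from collections import Counter

# A BIND 9 query-log line (the '@0x...' client token is absent on older 9.x releases,
# so it is optional in the pattern):
#   30-Jun-2024 12:00:01.001 client @0x7f3a1c001230 192.168.1.5#5353 (www.example.com): query: www.example.com IN A +E(0)K (192.168.1.10)
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]*)\): "
    r"query: \S+ (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse_query_log(lines):
    """Yield (client_ip, qname, qtype, flags) per query line; non-query lines are skipped."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m["ip"], m["qname"], m["qtype"], m["flags"]

def summarize(log_text, transfer_peers=frozenset({"192.168.1.10", "192.168.1.11"}), max_per_client=3):
    """Per-client and per-type counts, AXFR/IXFR requests from hosts that are not
    configured secondaries, and clients with more than max_per_client queries."""
    per_client, per_type, transfer_alerts = Counter(), Counter(), []
    for ip, qname, qtype, _flags in parse_query_log(log_text.splitlines()):
        per_client[ip] += 1
        per_type[qtype] += 1
        # allow-transfer should refuse these; the attempt itself is still worth a look
        if qtype in ("AXFR", "IXFR") and ip not in transfer_peers:
            transfer_alerts.append((ip, qname))
    noisy = sorted(ip for ip, n in per_client.items() if n > max_per_client)
    return {"per_client": per_client, "per_type": per_type,
            "transfer_alerts": transfer_alerts, "noisy_clients": noisy}

# Constructed sample lines (not from a real server)
SAMPLE_LOG = """\
30-Jun-2024 12:00:01.001 client @0x7f3a1c001230 192.168.1.5#5353 (www.example.com): query: www.example.com IN A +E(0)K (192.168.1.10)
30-Jun-2024 12:00:01.020 client @0x7f3a1c001230 192.168.1.5#5353 (www.example.com): query: www.example.com IN AAAA +E(0)K (192.168.1.10)
30-Jun-2024 12:00:02.114 client @0x7f3a1c004560 192.168.1.6#40211 (example.com): query: example.com IN MX +E(0)K (192.168.1.10)
30-Jun-2024 12:00:03.300 client @0x7f3a1c007890 192.168.1.11#48123 (example.com): query: example.com IN AXFR -T (192.168.1.10)
30-Jun-2024 12:00:04.412 client @0x7f3a1c00abcd 10.9.8.7#3337 (example.com): query: example.com IN AXFR -T (192.168.1.10)
30-Jun-2024 12:00:05.000 client @0x7f3a1c00abcd 10.9.8.7#3338 (example.com): query: example.com IN ANY +E(0)K (192.168.1.10)
30-Jun-2024 12:00:05.010 client @0x7f3a1c00abcd 10.9.8.7#3339 (mail.example.com): query: mail.example.com IN A +E(0)K (192.168.1.10)
30-Jun-2024 12:00:05.020 client @0x7f3a1c00abcd 10.9.8.7#3340 (ns1.example.com): query: ns1.example.com IN A +E(0)K (192.168.1.10)
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

For a live server, pass the contents of `/var/log/bind/query.log` (with `rndc querylog on`) as `log_text` and raise `max_per_client` to a rate that fits your traffic.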