
DNS Management Cheat Sheet


Overview

DNS management covers the administration, configuration and maintenance of Domain Name System infrastructure. This cheat sheet collects the essential commands and procedures for managing DNS servers, zones and records across different platforms and environments.

Warning: DNS changes can affect network connectivity and service availability. Always test changes in non-production environments and follow change management procedures.

DNS Server Management

BIND (Berkeley Internet Name Domain)

Installation

```bash
# Ubuntu/Debian
sudo apt update && sudo apt install bind9 bind9utils bind9-doc

# CentOS/RHEL/Rocky Linux
sudo dnf install bind bind-utils

# macOS (using Homebrew)
brew install bind
```

Service Management

```bash
# Start BIND service
sudo systemctl start named
sudo systemctl start bind9      # Ubuntu/Debian

# Stop BIND service
sudo systemctl stop named
sudo systemctl stop bind9       # Ubuntu/Debian

# Restart BIND service
sudo systemctl restart named
sudo systemctl restart bind9    # Ubuntu/Debian

# Enable auto-start
sudo systemctl enable named
sudo systemctl enable bind9     # Ubuntu/Debian

# Check service status
sudo systemctl status named
sudo systemctl status bind9     # Ubuntu/Debian
```

Configuration Management

```bash
# Check BIND configuration syntax
sudo named-checkconf

# Check zone file syntax
sudo named-checkzone example.com /etc/bind/db.example.com

# Reload configuration without restart
sudo rndc reload

# Reload specific zone
sudo rndc reload example.com

# Flush cache
sudo rndc flush

# Write BIND statistics to the statistics file
sudo rndc stats
```

Windows DNS Server

PowerShell Management

```powershell
# Install DNS Server role
Install-WindowsFeature -Name DNS -IncludeManagementTools

# Start DNS service
Start-Service DNS

# Stop DNS service
Stop-Service DNS

# Restart DNS service
Restart-Service DNS

# Get DNS server settings
Get-DnsServer

# Get DNS server statistics
Get-DnsServerStatistics
```

Zone Management

Creating Zones

BIND Zone Creation

```bash
# Create forward lookup zone file
sudo nano /etc/bind/db.example.com

# Add zone to named.conf
echo 'zone "example.com" { type master; file "/etc/bind/db.example.com"; allow-transfer { 192.168.1.10; }; };' | sudo tee -a /etc/bind/named.conf.local

# Create reverse lookup zone
sudo nano /etc/bind/db.192.168.1

# Add reverse zone to named.conf
echo 'zone "1.168.192.in-addr.arpa" { type master; file "/etc/bind/db.192.168.1"; allow-transfer { 192.168.1.10; }; };' | sudo tee -a /etc/bind/named.conf.local
```

Windows DNS Zone Creation

```powershell
# Create primary zone
Add-DnsServerPrimaryZone -Name "example.com" -ZoneFile "example.com.dns"

# Create Active Directory integrated zone
Add-DnsServerPrimaryZone -Name "example.com" -ReplicationScope "Domain"

# Create secondary zone
Add-DnsServerSecondaryZone -Name "example.com" -ZoneFile "example.com.dns" -MasterServers "192.168.1.10"

# Create reverse lookup zone
Add-DnsServerPrimaryZone -NetworkId "192.168.1.0/24" -ReplicationScope "Domain"
```

Zone Transfer Management

BIND Zone Transfers

```bash
# Configure zone transfer in named.conf
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.168.1.10; 192.168.1.11; };
    also-notify { 192.168.1.10; 192.168.1.11; };
    notify yes;
};

# Send NOTIFY to the secondaries so they pull the zone
sudo rndc notify example.com

# Check server and zone status
sudo rndc status
```

Windows Zone Transfers

```powershell
# Restrict zone transfers to the listed secondary servers
Set-DnsServerPrimaryZone -Name "example.com" -SecureSecondaries "TransferToSecureServers" -SecondaryServers "192.168.1.10","192.168.1.11"

# Enable zone transfer notifications to those servers
Set-DnsServerPrimaryZone -Name "example.com" -Notify "NotifyServers" -NotifyServers "192.168.1.10","192.168.1.11"

# Force a full zone transfer (run on the secondary)
Start-DnsServerZoneTransfer -Name "example.com" -FullTransfer
```

DNS Record Management

Common Record Types

A Records (IPv4)

```bash
# BIND - Add A record to zone file (increment the SOA serial afterwards)
echo "www IN A 192.168.1.100" >> /etc/bind/db.example.com

# Windows PowerShell
Add-DnsServerResourceRecordA -ZoneName "example.com" -Name "www" -IPv4Address "192.168.1.100"

# Using nsupdate (dynamic updates, authenticated with the TSIG key in rndc.key)
nsupdate -k /etc/bind/rndc.key <<EOF
server 192.168.1.10
zone example.com
update add www.example.com 300 A 192.168.1.100
send
quit
EOF
```

AAAA Records (IPv6)

```bash
# BIND - Add AAAA record
echo "www IN AAAA 2001:db8::1" >> /etc/bind/db.example.com

# Windows PowerShell
Add-DnsServerResourceRecordAAAA -ZoneName "example.com" -Name "www" -IPv6Address "2001:db8::1"
```

CNAME Records

```bash
# BIND - Add CNAME record
echo "mail IN CNAME www.example.com." >> /etc/bind/db.example.com

# Windows PowerShell
Add-DnsServerResourceRecordCName -ZoneName "example.com" -Name "mail" -HostNameAlias "www.example.com"
```

MX Records

```bash
# BIND - Add MX record
echo "@ IN MX 10 mail.example.com." >> /etc/bind/db.example.com

# Windows PowerShell
Add-DnsServerResourceRecordMX -ZoneName "example.com" -Name "@" -MailExchange "mail.example.com" -Preference 10
```

TXT Records

```bash
# BIND - Add TXT record
echo "@ IN TXT \"v=spf1 include:_spf.google.com ~all\"" >> /etc/bind/db.example.com

# Windows PowerShell
Add-DnsServerResourceRecordTxt -ZoneName "example.com" -Name "@" -DescriptiveText "v=spf1 include:_spf.google.com ~all"
```

PTR Records (Reverse DNS)

```bash
# BIND - Add PTR record to reverse zone
echo "100 IN PTR www.example.com." >> /etc/bind/db.192.168.1

# Windows PowerShell
Add-DnsServerResourceRecordPtr -ZoneName "1.168.192.in-addr.arpa" -Name "100" -PtrDomainName "www.example.com"
```

Record Modification and Deletion

BIND Record Management

```bash
# Edit zone file directly
sudo nano /etc/bind/db.example.com

# Increment serial number (important!)
# Change: 2024063001 to 2024063002

# Reload zone after changes
sudo rndc reload example.com

# Delete record using nsupdate
nsupdate -k /etc/bind/rndc.key <<EOF
server 192.168.1.10
zone example.com
update delete old-server.example.com A
send
quit
EOF
```

Windows Record Management

```powershell
# Modify A record (Set-DnsServerResourceRecord takes the old object and a changed copy)
$old = Get-DnsServerResourceRecord -ZoneName "example.com" -Name "www" -RRType "A"
$new = $old.Clone()
$new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse("192.168.1.101")
Set-DnsServerResourceRecord -ZoneName "example.com" -OldInputObject $old -NewInputObject $new

# Remove A record
Remove-DnsServerResourceRecord -ZoneName "example.com" -Name "www" -RRType "A" -Force

# Remove all records for a name
Get-DnsServerResourceRecord -ZoneName "example.com" -Name "old-server" | Remove-DnsServerResourceRecord -ZoneName "example.com" -Force
```

DNS Security Management

DNSSEC Configuration

BIND DNSSEC Setup

```bash
# Generate zone signing keys
cd /etc/bind/keys
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com           # ZSK
dnssec-keygen -a RSASHA256 -b 4096 -f KSK -n ZONE example.com    # KSK

# Sign the zone (NSEC3 with a random salt, serial incremented)
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t /etc/bind/db.example.com

# Update named.conf to serve the signed zone file produced above
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com.signed";
};

# Alternative: let BIND sign and re-sign the unsigned file itself (inline signing)
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    key-directory "/etc/bind/keys";
    auto-dnssec maintain;
    inline-signing yes;
};
```

Windows DNSSEC Setup

```powershell
# Add Key Signing Key (KSK)
Add-DnsServerSigningKey -ZoneName "example.com" -Type "KeySigningKey" -CryptoAlgorithm "RsaSha256"

# Add Zone Signing Key (ZSK)
Add-DnsServerSigningKey -ZoneName "example.com" -Type "ZoneSigningKey" -CryptoAlgorithm "RsaSha256"

# Sign the zone with the keys added above (this enables DNSSEC for the zone)
Invoke-DnsServerZoneSign -ZoneName "example.com" -Force

# Enable automatic rollover for a signing key (KeyId comes from Get-DnsServerSigningKey)
Get-DnsServerSigningKey -ZoneName "example.com"
Enable-DnsServerSigningKeyRollover -ZoneName "example.com" -KeyId <KeyId>
```

Access Control Lists (ACLs)

BIND ACL Configuration

```bash
# Define ACLs in named.conf
acl "internal-networks" { 192.168.1.0/24; 10.0.0.0/8; 172.16.0.0/12; };
acl "dns-servers" { 192.168.1.10; 192.168.1.11; };

# Apply ACLs to zones
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-query { internal-networks; };
    allow-transfer { dns-servers; };
    allow-update { none; };
};
```

Windows DNS Security

```powershell
# Configure zone transfer security (only the listed secondaries may transfer)
Set-DnsServerPrimaryZone -Name "example.com" -SecureSecondaries "TransferToSecureServers" -SecondaryServers "192.168.1.10","192.168.1.11"

# Disable recursion (authoritative-only server)
Set-DnsServerRecursion -Enable $false -AdditionalTimeout 4 -RetryInterval 3 -Timeout 8
```

DNS Monitoring and Troubleshooting

Log Management

BIND Logging

```bash
# Configure logging in named.conf
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
    channel query_log {
        file "/var/log/bind/query.log" versions 3 size 5m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries { query_log; };
    category default { default_debug; };
};

# Enable query logging
sudo rndc querylog on

# View logs
sudo tail -f /var/log/bind/query.log
sudo journalctl -u named -f
```

Windows DNS Logging

```powershell
# Enable DNS debug logging
Set-DnsServerDiagnostics -All $true

# Enable query logging
Set-DnsServerDiagnostics -Queries $true

# View DNS events
Get-WinEvent -LogName "DNS Server" | Select-Object -First 10

# Export DNS query resolution policies
Get-DnsServerQueryResolutionPolicy | Export-Csv -Path "C:\dns-policies.csv"
```

Performance Monitoring

BIND Statistics

```bash
# Enable statistics (named.conf)
statistics-channels { inet 127.0.0.1 port 8053 allow { 127.0.0.1; }; };

# View statistics via HTTP
curl http://127.0.0.1:8053/

# Command line statistics
sudo rndc stats
cat /var/cache/bind/named.stats
```

Windows DNS Performance

```powershell
# Get DNS server statistics
Get-DnsServerStatistics

# Monitor DNS performance counters
Get-Counter "\DNS\Total Query Received/sec"
Get-Counter "\DNS\Total Response Sent/sec"
Get-Counter "\DNS\Recursive Queries/sec"

# Export performance data
Get-DnsServerStatistics | Export-Csv -Path "C:\dns-stats.csv"
```

Troubleshooting Commands

DNS Resolution Testing

```bash
# Test DNS resolution
nslookup www.example.com
dig www.example.com
host www.example.com

# Test specific record types
dig MX example.com
dig TXT example.com
dig NS example.com

# Test reverse DNS
dig -x 192.168.1.100

# Test DNSSEC validation
dig +dnssec www.example.com
```

Zone Transfer Testing

```bash
# Test zone transfer (should be refused from hosts not listed in allow-transfer)
dig @192.168.1.10 example.com AXFR

# Test zone serial number
dig @192.168.1.10 example.com SOA
```

Windows DNS Testing

```powershell
# Test DNS resolution
Resolve-DnsName -Name "www.example.com"
Resolve-DnsName -Name "example.com" -Type MX

# Test DNS server connectivity
Test-DnsServer -IPAddress "192.168.1.10" -ZoneName "example.com"

# Validate zone (check the SOA served by a specific server)
Resolve-DnsName -Name "example.com" -Type SOA -Server "192.168.1.10"
```

DNS Maintenance Tasks

Zone File Backup

```bash
# Backup BIND zone files
sudo tar -czf /backup/dns-zones-$(date +%Y%m%d).tar.gz /etc/bind/

# Backup Windows DNS zones (PowerShell)
Export-DnsServerZone -Name "example.com" -FileName "example.com.backup"
```

Cache Management

```bash
# Clear DNS cache (BIND)
sudo rndc flush

# Clear DNS cache (Windows)
Clear-DnsServerCache

# Clear local resolver cache (Linux)
sudo systemctl restart systemd-resolved

# Clear local resolver cache (Windows)
ipconfig /flushdns
```

Zone Maintenance

```bash
# Update zone serial number
# Edit zone file and increment serial: 2024063001 -> 2024063002

# Reload zone
sudo rndc reload example.com

# Force zone refresh on secondary
sudo rndc refresh example.com
```
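Forgetting the serial bump is the classic reason a reloaded zone never reaches the secondaries. The following script is an added example, not part of the original cheat sheet: it bumps the YYYYMMDDnn serial used above, handling the same-day, new-day and serial-ahead-of-today cases, and assumes the conventional `; serial` comment on the SOA serial line; the sample zone in `demo` is constructed.

```bash
# Added example (not from the original cheat sheet): bump the SOA serial of a
# zone file that uses the YYYYMMDDnn convention shown above (2024063001 -> 2024063002).
# Same day: increment nn; later day: YYYYMMDD01; serial ahead of today (clock
# skew, manual edit): add one so the serial still increases and secondaries notice.
# Assumes the conventional "<serial> ; serial" comment on the SOA serial line.

# next_serial CURRENT TODAY(YYYYMMDD) -> prints the new serial, fails if nn is exhausted
next_serial() {
    cur=$1; today=$2
    case "$cur" in ''|*[!0-9]*) echo "bad serial: '$cur'" >&2; return 1 ;; esac
    if [ "${#cur}" -ne 10 ]; then
        echo $((cur + 1))          # plain counter, not date-based: just increment
        return 0
    fi
    cur_day=$(printf '%s' "$cur" | cut -c1-8)
    cur_n=$(printf '%s' "$cur" | cut -c9-10)
    if [ "$cur_day" -eq "$today" ]; then
        [ "$cur_n" = "99" ] && { echo "serial $cur: daily counter exhausted" >&2; return 1; }
        printf '%s%02d\n' "$today" $(( ${cur_n#0} + 1 ))
    elif [ "$cur_day" -lt "$today" ]; then
        printf '%s01\n' "$today"
    else
        echo $((cur + 1))
    fi
}

# bump_zone_serial FILE TODAY -> rewrites the serial line in place, prints the new serial
bump_zone_serial() {
    file=$1; today=$2
    cur=$(awk '/;[ \t]*[Ss]erial/ {print $1; exit}' "$file")
    new=$(next_serial "$cur" "$today") || return 1
    sed "s/$cur\([[:space:]]*;[[:space:]]*[Ss]erial\)/$new\1/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    printf '%s\n' "$new"
}

# demo: constructed sample zone (not a real zone file) bumped with today's date
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
@   IN  SOA ns1.example.com. admin.example.com. (
        2024063001 ; serial
        3600 900 1209600 300 )
www IN  A   192.168.1.100
EOF
    bump_zone_serial "$tmp" "$(date +%Y%m%d)" && grep 'serial' "$tmp"
    rm -f "$tmp"
}
```

Run `bump_zone_serial /etc/bind/db.example.com "$(date +%Y%m%d)"` before `named-checkzone` and `rndc reload`.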

Command Reference

BIND Commands

| Command | Description |
| --- | --- |
| named-checkconf | Validate BIND configuration |
| named-checkzone | Validate zone file syntax |
| rndc reload | Reload DNS configuration |
| rndc flush | Clear DNS cache |
| rndc stats | Generate statistics |
| rndc querylog | Toggle query logging |
| nsupdate | Dynamic DNS updates |
| dig | DNS lookup utility |
| nslookup | DNS lookup utility |
| host | DNS lookup utility |

PowerShell DNS Cmdlets

| Cmdlet | Description |
| --- | --- |
| Get-DnsServer | Get DNS server configuration |
| Add-DnsServerPrimaryZone | Create primary zone |
| Add-DnsServerSecondaryZone | Create secondary zone |
| Add-DnsServerResourceRecord* | Add DNS records |
| Remove-DnsServerResourceRecord | Remove DNS records |
| Set-DnsServerZoneTransferPolicy | Configure zone transfers |
| Test-DnsServer | Test DNS server functionality |
| Clear-DnsServerCache | Clear DNS cache |

Best Practices

Security

  • Implement DNSSEC for zone signing
  • Use TSIG for zone transfer authentication
  • Restrict zone transfers to authorized servers
  • Disable recursion on authoritative servers
  • Implement rate limiting
  • Apply security updates regularly

Performance

  • Optimize TTL values
  • Implement proper caching strategies
  • Use geographically distributed servers
  • Monitor query patterns
  • Implement load balancing

Maintenance

  • Back up zone files regularly
  • Monitor DNS logs
  • Implement change management
  • Document all configurations
  • Test disaster recovery procedures
  • Keep software updated

Monitoring

  • Set up alerting for service outages
  • Monitor query response times
  • Track zone transfer status
  • Monitor DNSSEC key expiry
  • Log security events

Common Issues and Solutions

Zone Transfer Failures

```bash
# Check zone transfer configuration
named-checkconf
named-checkzone example.com /etc/bind/db.example.com

# Verify network connectivity (AXFR uses TCP port 53)
telnet secondary-dns-server 53

# Generate the rndc/TSIG key file (rndc.key) if it is missing
rndc-confgen -a
```

DNSSEC Validation Errors

```bash
# Check DNSSEC chain
dig +dnssec +trace www.example.com

# Verify key signatures
dig +dnssec example.com DNSKEY

# Check DS records in parent zone
dig +dnssec example.com DS
```

Performance Issues

```bash
# Monitor query load
rndc stats
tail -f /var/log/bind/query.log

# Dump and inspect the cache
rndc dumpdb -cache
grep "cache" /var/cache/bind/named_dump.db

# Analyze query patterns (most queried names)
grep -oE 'query: [^ ]+' /var/log/bind/query.log | sort | uniq -c | sort -nr | head
```
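The one-liner above only counts names. As an added example that is not part of the original cheat sheet, the functions below summarise the query log written by the `query_log` channel configured earlier by name, client, and RR type, and list clients above a query threshold; the log lines in `sample_log` are constructed, not captured from a real server.

```bash
# Added example (not part of the original cheat sheet): summarise a BIND query log
# (the query_log channel configured above) to see what is asked, by whom, and which
# clients are unusually noisy. Parses the BIND 9 line format
# "client ... <ip>#<port> (<name>): query: <name> IN <type> ..."; sample lines are constructed.

# extract LOGFILE -> one "client name type" triple per query line
extract() {
    awk '{
        client = ""; name = ""; type = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[0-9.:a-fA-F]+#[0-9]+$/) { split($i, a, "#"); client = a[1] }
            if ($i == "query:") { name = $(i + 1); type = $(i + 3) }
        }
        if (client != "" && name != "") print client, name, type
    }' "$1"
}

# top_names LOGFILE N -> "count name" for the N most queried names
top_names() {
    extract "$1" | awk '{print $2}' | sort | uniq -c | sort -rn | awk '{print $1, $2}' | head -n "$2"
}

# top_clients LOGFILE N -> "count client" for the N busiest source addresses
top_clients() {
    extract "$1" | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}' | head -n "$2"
}

# type_count LOGFILE TYPE -> number of queries for one RR type (e.g. ANY, a common amplification vector)
type_count() {
    extract "$1" | awk -v t="$2" '$3 == t {n++} END {print n + 0}'
}

# noisy_clients LOGFILE THRESHOLD -> "count client" for clients that sent more than THRESHOLD queries
noisy_clients() {
    extract "$1" | awk '{print $1}' | sort | uniq -c | awk -v th="$2" '$1 > th {print $1, $2}' | sort -rn
}

# sample_log -> constructed query_log lines (7 queries from 4 clients)
sample_log() {
    cat <<'EOF'
30-Jun-2024 12:00:01.001 queries: info: client @0x7f1a3c004ea0 192.168.1.50#53211 (www.example.com): query: www.example.com IN A +E(0)K (192.168.1.10)
30-Jun-2024 12:00:01.002 queries: info: client @0x7f1a3c004ea0 192.168.1.50#53212 (www.example.com): query: www.example.com IN AAAA +E(0)K (192.168.1.10)
30-Jun-2024 12:00:01.003 queries: info: client @0x7f1a3c004ea0 192.168.1.51#53213 (www.example.com): query: www.example.com IN A +E(0)K (192.168.1.10)
30-Jun-2024 12:00:01.004 queries: info: client @0x7f1a3c004ea0 10.0.0.7#40001 (www.example.com): query: www.example.com IN A +E(0)K (192.168.1.10)
30-Jun-2024 12:00:01.005 queries: info: client @0x7f1a3c004ea0 203.0.113.9#1234 (example.com): query: example.com IN ANY +E(0)K (192.168.1.10)
30-Jun-2024 12:00:01.006 queries: info: client @0x7f1a3c004ea0 203.0.113.9#1235 (example.com): query: example.com IN ANY +E(0)K (192.168.1.10)
30-Jun-2024 12:00:01.007 queries: info: client @0x7f1a3c004ea0 203.0.113.9#1236 (example.com): query: example.com IN ANY +E(0)K (192.168.1.10)
EOF
}
```

On a live server, point the functions at `/var/log/bind/query.log`; a single client dominating `noisy_clients` or a high `type_count ANY` is a prompt to look at rate limiting and the allow-query ACLs.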

This cheat sheet covers the common DNS management tasks across platforms and scenarios. Always test changes in non-production environments and keep proper documentation of your DNS infrastructure.