# DNS Management Cheat Sheet

## Overview

DNS Management covers the administration, configuration and maintenance of Domain Name System infrastructure. This cheat sheet collects essential commands and procedures for managing DNS servers, zones and records across different platforms and environments.

⚠️ Warning: DNS changes can affect network connectivity and service availability. Always test changes in non-production environments and follow change management procedures.
## DNS Server Management

### BIND (Berkeley Internet Name Domain)

#### Installation

```bash
# Ubuntu/Debian
sudo apt update && sudo apt install bind9 bind9utils bind9-doc

# CentOS/RHEL/Rocky Linux
sudo dnf install bind bind-utils

# macOS (using Homebrew)
brew install bind
```

#### Service Management

```bash
# Start BIND service
sudo systemctl start named
sudo systemctl start bind9    # Ubuntu/Debian

# Stop BIND service
sudo systemctl stop named
sudo systemctl stop bind9     # Ubuntu/Debian

# Restart BIND service
sudo systemctl restart named
sudo systemctl restart bind9  # Ubuntu/Debian

# Enable auto-start
sudo systemctl enable named
sudo systemctl enable bind9   # Ubuntu/Debian

# Check service status
sudo systemctl status named
sudo systemctl status bind9   # Ubuntu/Debian
```

#### Configuration Management

```bash
# Check BIND configuration syntax
sudo named-checkconf

# Check zone file syntax
sudo named-checkzone example.com /etc/bind/db.example.com

# Reload configuration without restart
sudo rndc reload

# Reload specific zone
sudo rndc reload example.com

# Flush cache
sudo rndc flush

# Write BIND statistics to the statistics file (named.stats)
sudo rndc stats
```
### Windows DNS Server

#### PowerShell Management

```powershell
# Install DNS Server role
Install-WindowsFeature -Name DNS -IncludeManagementTools

# Start DNS service
Start-Service DNS

# Stop DNS service
Stop-Service DNS

# Restart DNS service
Restart-Service DNS

# Get DNS server settings
Get-DnsServer

# Get DNS server statistics
Get-DnsServerStatistics
```
## Zone Management

### Zone Creation

#### Zone Creation in BIND

```bash
# Create forward lookup zone file
sudo nano /etc/bind/db.example.com

# Add zone to named.conf
echo 'zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.168.1.10; };
};' | sudo tee -a /etc/bind/named.conf.local

# Create reverse lookup zone
sudo nano /etc/bind/db.192.168.1

# Add reverse zone to named.conf
echo 'zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.168.1";
    allow-transfer { 192.168.1.10; };
};' | sudo tee -a /etc/bind/named.conf.local
```

#### Zone Creation in Windows DNS

```powershell
# Create primary zone (file-backed)
Add-DnsServerPrimaryZone -Name "example.com" -ZoneFile "example.com.dns"

# Create Active Directory integrated zone
Add-DnsServerPrimaryZone -Name "example.com" -ReplicationScope "Domain"

# Create secondary zone
Add-DnsServerSecondaryZone -Name "example.com" -ZoneFile "example.com.dns" -MasterServers "192.168.1.10"

# Create reverse lookup zone
Add-DnsServerPrimaryZone -NetworkId "192.168.1.0/24" -ReplicationScope "Domain"
```
### Zone Transfer Management

#### Zone Transfers in BIND

```conf
# Configure zone transfer in named.conf
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.168.1.10; 192.168.1.11; };
    also-notify { 192.168.1.10; 192.168.1.11; };
    notify yes;
};
```

```bash
# Send NOTIFY to the secondaries (they pull the zone if the serial is newer)
sudo rndc notify example.com

# Check server status
sudo rndc status
```

#### Zone Transfers in Windows

```powershell
# Restrict zone transfers to the listed secondaries
Set-DnsServerPrimaryZone -Name "example.com" -SecureSecondaries "TransferToSecureServers" -SecondaryServers "192.168.1.10","192.168.1.11"

# Enable zone transfer notifications to those servers
Set-DnsServerPrimaryZone -Name "example.com" -Notify "NotifyServers" -NotifyServers "192.168.1.10","192.168.1.11"

# Force a zone transfer (run on the secondary)
Start-DnsServerZoneTransfer -Name "example.com"
```
## DNS Record Management

### Common Record Types

#### A Records (IPv4)

```bash
# BIND - Add A record to zone file (then bump the SOA serial and reload the zone)
echo "www IN A 192.168.1.100" | sudo tee -a /etc/bind/db.example.com

# Using nsupdate (dynamic updates; the zone must allow updates with this key,
# e.g. allow-update { key "rndc-key"; }; in its zone statement)
nsupdate -k /etc/bind/rndc.key
> server 192.168.1.10
> zone example.com
> update add www.example.com 300 A 192.168.1.100
> send
> quit
```

```powershell
# Windows PowerShell
Add-DnsServerResourceRecordA -ZoneName "example.com" -Name "www" -IPv4Address "192.168.1.100"
```

#### AAAA Records (IPv6)

```bash
# BIND - Add AAAA record
echo "www IN AAAA 2001:db8::1" | sudo tee -a /etc/bind/db.example.com
```

```powershell
# Windows PowerShell
Add-DnsServerResourceRecordAAAA -ZoneName "example.com" -Name "www" -IPv6Address "2001:db8::1"
```

#### CNAME Records

```bash
# BIND - Add CNAME record (trailing dot: fully qualified target)
echo "mail IN CNAME www.example.com." | sudo tee -a /etc/bind/db.example.com
```

```powershell
# Windows PowerShell
Add-DnsServerResourceRecordCName -ZoneName "example.com" -Name "mail" -HostNameAlias "www.example.com"
```

#### MX Records

```bash
# BIND - Add MX record at the zone apex
echo "@ IN MX 10 mail.example.com." | sudo tee -a /etc/bind/db.example.com
```

```powershell
# Windows PowerShell
Add-DnsServerResourceRecordMX -ZoneName "example.com" -Name "@" -MailExchange "mail.example.com" -Preference 10
```

#### TXT Records

```bash
# BIND - Add TXT record (SPF policy here)
echo "@ IN TXT \"v=spf1 include:_spf.google.com ~all\"" | sudo tee -a /etc/bind/db.example.com
```

```powershell
# Windows PowerShell
Add-DnsServerResourceRecordTxt -ZoneName "example.com" -Name "@" -DescriptiveText "v=spf1 include:_spf.google.com ~all"
```

#### PTR Records (Reverse DNS)

```bash
# BIND - Add PTR record to reverse zone
echo "100 IN PTR www.example.com." | sudo tee -a /etc/bind/db.192.168.1
```

```powershell
# Windows PowerShell
Add-DnsServerResourceRecordPtr -ZoneName "1.168.192.in-addr.arpa" -Name "100" -PtrDomainName "www.example.com"
```

### Modifying and Deleting Records

#### Record Management in BIND

```bash
# Edit zone file directly
sudo nano /etc/bind/db.example.com

# Increment the SOA serial number (important! secondaries only transfer a zone whose serial grew)
# Change: 2024063001 to 2024063002

# Reload zone after changes
sudo rndc reload example.com

# Delete record using nsupdate
nsupdate -k /etc/bind/rndc.key
> server 192.168.1.10
> zone example.com
> update delete old-server.example.com A
> send
> quit
```
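The BIND commands above append records to the zone file and stress the serial bump, but the cheat sheet never shows the zone file itself. What follows is an added example, not part of the original cheat sheet: a complete constructed forward zone for example.com (addresses and names are made up) and a helper that bumps the YYYYMMDDnn SOA serial the way an operator would, then syntax-checks the result with `named-checkzone` when BIND's utilities are installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): a minimal forward zone
# file for example.com and a helper that bumps its YYYYMMDDnn SOA serial.
# Paths, names and addresses are constructed for illustration.

# Write a complete forward zone file to $1 (constructed sample zone).
write_example_zone() {
    cat > "$1" <<'EOF'
$TTL 3600
$ORIGIN example.com.
@       IN  SOA ns1.example.com. hostmaster.example.com. (
            2024063001  ; serial (YYYYMMDDnn)
            3600        ; refresh
            900         ; retry
            1209600     ; expire
            300 )       ; negative-cache TTL
@       IN  NS   ns1.example.com.
@       IN  NS   ns2.example.com.
@       IN  MX   10 mail.example.com.
@       IN  TXT  "v=spf1 mx ~all"
ns1     IN  A    192.168.1.10
ns2     IN  A    192.168.1.11
www     IN  A    192.168.1.100
www     IN  AAAA 2001:db8::1
mail    IN  A    192.168.1.20
EOF
}

# Print the current serial: the first number on the line tagged "; serial".
get_serial() {
    awk '/; serial/ { print $1; exit }' "$1"
}

# Compute the next serial from OLD (YYYYMMDDnn) and TODAY (YYYYMMDD).
# Rule: try TODAY01; if that is not greater than OLD (same day, or the file
# already carries a future date), use OLD+1 so the serial only ever grows.
next_serial() {
    local old today candidate
    old=$1; today=$2
    candidate="${today}01"
    if [ "$candidate" -gt "$old" ]; then
        echo "$candidate"
    else
        echo $((old + 1))
    fi
}

# Rewrite the serial in zone file $1, using $2 (YYYYMMDD) as today's date
# (defaults to the system date). Goes through a temp file so it behaves the
# same with GNU and BSD tools. Prints the new serial.
bump_serial() {
    local file today old new tmp
    file=$1; today=${2:-$(date +%Y%m%d)}
    old=$(get_serial "$file")
    new=$(next_serial "$old" "$today")
    tmp=$(mktemp)
    awk -v old="$old" -v new="$new" \
        '/; serial/ && !done { sub(old, new); done = 1 } { print }' "$file" > "$tmp"
    mv "$tmp" "$file"
    echo "$new"
}

# Syntax-check the zone if named-checkzone (BIND utils) is installed.
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone example.com "$1"
    else
        echo "named-checkzone not installed; skipping syntax check" >&2
    fi
}

if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_example_zone "$f"
    echo "serial before: $(get_serial "$f")"
    echo "serial after:  $(bump_serial "$f")"
    check_zone "$f"
    rm -f "$f"
fi
```

Run it with `--demo` to see the serial move from 2024063001 to today's date plus 01. The "never decrease" rule in `next_serial` matters because a secondary compares serials with serial-number arithmetic: a serial that goes backwards is treated as older and the secondary keeps serving the stale zone.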
#### Record Management in Windows

```powershell
# Modify A record: there is no Set-DnsServerResourceRecordA cmdlet, so clone the
# existing record, change the data and swap old for new
$old = Get-DnsServerResourceRecord -ZoneName "example.com" -Name "www" -RRType "A"
$new = $old.Clone()
$new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse("192.168.1.101")
Set-DnsServerResourceRecord -ZoneName "example.com" -OldInputObject $old -NewInputObject $new

# Remove A record (RRType is mandatory)
Remove-DnsServerResourceRecord -ZoneName "example.com" -Name "www" -RRType "A" -Force

# Remove all records for a name (pipe every record of the name into the remove cmdlet)
Get-DnsServerResourceRecord -ZoneName "example.com" -Name "old-server" | Remove-DnsServerResourceRecord -ZoneName "example.com" -Force
```
## DNS Security Management

### DNSSEC Configuration

#### DNSSEC Configuration in BIND

```bash
# Generate zone signing key (ZSK) and key signing key (KSK)
cd /etc/bind/keys
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com
dnssec-keygen -a RSASHA256 -b 4096 -f KSK -n ZONE example.com

# Sign the zone manually (writes /etc/bind/db.example.com.signed);
# not needed when BIND signs the zone itself with inline-signing (below)
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t /etc/bind/db.example.com
```

```conf
# Update named.conf: either serve the manually signed file ...
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com.signed";
};

# ... or keep the unsigned file and let BIND sign and maintain the zone itself
# (BIND 9.16+ can replace auto-dnssec and manual key generation with: dnssec-policy default;)
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    key-directory "/etc/bind/keys";
    auto-dnssec maintain;
    inline-signing yes;
};
```

#### DNSSEC Configuration in Windows

```powershell
# Add Key Signing Key (KSK) and Zone Signing Key (ZSK)
Add-DnsServerSigningKey -ZoneName "example.com" -Type "KeySigningKey" -CryptoAlgorithm "RsaSha256"
Add-DnsServerSigningKey -ZoneName "example.com" -Type "ZoneSigningKey" -CryptoAlgorithm "RsaSha256"

# Sign the zone with the keys added above
Invoke-DnsServerZoneSign -ZoneName "example.com" -Force

# Enable automatic rollover for a key (the KeyId comes from Get-DnsServerSigningKey)
Get-DnsServerSigningKey -ZoneName "example.com"
Enable-DnsServerSigningKeyRollover -ZoneName "example.com" -KeyId <KeyId-from-previous-command>
```
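Whichever path above signs the zone, the check that matters afterwards is whether a validating resolver accepts the answers and whether the signatures are still inside their validity window: expired RRSIGs are the classic self-inflicted DNSSEC outage. The script below is an added example, not part of the original cheat sheet. It parses output captured from `dig +dnssec` (two constructed samples are embedded, one signed, one not) and reports the `ad` flag, missing RRSIGs, and any RRSIG whose expiration or inception timestamp (fields 9 and 10 of the record) falls outside the supplied "now". The sample answer, signature bytes and key tag are made up.

```shell
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): check a captured
# "dig +dnssec" answer for what a validating resolver needs. Samples are
# constructed; the base64 signature is a placeholder, not a real RRSIG.

# Constructed "dig +dnssec www.example.com" output from a validating resolver.
write_sample_signed_answer() {
    cat > "$1" <<'EOF'
; <<>> DiG 9.18.24 <<>> +dnssec www.example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;www.example.com.        IN  A

;; ANSWER SECTION:
www.example.com.    300 IN  A      192.168.1.100
www.example.com.    300 IN  RRSIG  A 8 3 300 20240730000000 20240630000000 12345 example.com. Q29uc3RydWN0ZWQgc2FtcGxlIHNpZ25hdHVyZQ==
EOF
}

# Constructed answer for an unsigned zone (no ad flag, no RRSIG).
write_sample_unsigned_answer() {
    cat > "$1" <<'EOF'
; <<>> DiG 9.18.24 <<>> +dnssec www.example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.com.    300 IN  A      192.168.1.100
EOF
}

# True when the resolver set the AD (authenticated data) flag.
ad_flag_set() {
    grep -q '^;; flags:.* ad[ ;]' "$1"
}

# For each RRSIG in $1 print "COVERED_TYPE STATUS", comparing the signature's
# expiration (field 9) and inception (field 10) with $2 (YYYYMMDDHHMMSS, UTC).
rrsig_window_status() {
    awk -v now="$2" '$4 == "RRSIG" {
        status = "OK"
        if (now + 0 >= $9 + 0) status = "EXPIRED"
        else if (now + 0 < $10 + 0) status = "NOT_YET_VALID"
        print $5, status
    }' "$1"
}

# Print VALID (exit 0) or a space-separated list of problems (exit 1).
validate_dnssec_answer() {
    local file now problems sigs bad
    file=$1; now=$2; problems=""
    ad_flag_set "$file" || problems="NO_AD"
    sigs=$(rrsig_window_status "$file" "$now")
    if [ -z "$sigs" ]; then
        problems="${problems:+$problems }NO_RRSIG"
    else
        bad=$(printf '%s\n' "$sigs" | awk '$2 != "OK" { printf "%s%s_%s", sep, $1, $2; sep = " " }')
        [ -n "$bad" ] && problems="${problems:+$problems }$bad"
    fi
    if [ -z "$problems" ]; then
        echo "VALID"
        return 0
    fi
    echo "$problems"
    return 1
}

if [ "${1:-}" = "--demo" ]; then
    now=$(date -u +%Y%m%d%H%M%S)
    for kind in signed unsigned; do
        f=$(mktemp); "write_sample_${kind}_answer" "$f"
        printf '%s answer: ' "$kind"; validate_dnssec_answer "$f" "$now" || true
        rm -f "$f"
    done
fi
```

Against a live server, capture the answer with `dig +dnssec www.example.com > answer.txt` and pass that file with the current UTC time; the demo mode deliberately reports the constructed signed sample as expired when run after 30 July 2024, which is exactly the condition this check is meant to catch before resolvers start returning SERVFAIL.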
### Access Control Lists (ACL)

#### ACL Configuration in BIND

```conf
# Define ACLs in named.conf
acl "internal-networks" { 192.168.1.0/24; 10.0.0.0/8; 172.16.0.0/12; };
acl "dns-servers" { 192.168.1.10; 192.168.1.11; };

# Apply ACLs to zones
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-query { internal-networks; };
    allow-transfer { dns-servers; };
    allow-update { none; };
};
```

#### Windows DNS Security

```powershell
# Restrict zone transfers to the listed secondaries
Set-DnsServerPrimaryZone -Name "example.com" -SecureSecondaries "TransferToSecureServers" -SecondaryServers "192.168.1.10","192.168.1.11"

# Disable recursion entirely (the server then answers only for its own zones)
Set-DnsServerRecursion -Enable $false -AdditionalTimeout 4 -RetryInterval 3 -Timeout 8
```
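The ACLs above are only effective if every zone and the `options` block actually use them; the three settings that most often get left open on a BIND server are recursion without `allow-recursion`, `allow-transfer { any; }` and `allow-update { any; }`. The script below is an added example, not part of the original cheat sheet: a small audit that reads a `named.conf`, strips `//` and `#` line comments, and reports those three conditions plus any primary zone that has no `allow-transfer` of its own. It embeds two constructed configurations, a weak one and a hardened one built from this page's ACLs, so it runs offline; point `audit_named_conf` at a real file (after `named-checkconf` passes) to use it for real.

```shell
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): audit a named.conf for
# settings that commonly expose a BIND server. Both sample configurations
# below are constructed for illustration.

# Weak configuration: open recursion, open transfers, open dynamic updates.
write_weak_conf() {
    cat > "$1" <<'EOF'
options {
    directory "/var/cache/bind";
    recursion yes;            // no allow-recursion: anyone may use this resolver
    allow-transfer { any; };  // anyone may AXFR every zone
};
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-update { any; };    // anyone may rewrite records
};
zone "internal.example" {
    type master;
    file "/etc/bind/db.internal";
};
EOF
}

# Hardened configuration using the ACLs from this cheat sheet.
write_hardened_conf() {
    cat > "$1" <<'EOF'
acl "internal-networks" { 192.168.1.0/24; 10.0.0.0/8; 172.16.0.0/12; };
acl "dns-servers" { 192.168.1.10; 192.168.1.11; };
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { internal-networks; };
    allow-transfer { none; };
};
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-query { any; };
    allow-transfer { dns-servers; };
    allow-update { none; };
};
EOF
}

# Print one finding per line for named.conf $1. Handles // and # line
# comments; block comments (/* */) are not stripped.
audit_named_conf() {
    awk '
    { line = $0; sub(/(\/\/|#).*/, "", line) }
    line ~ /allow-transfer[ \t]*\{[ \t]*any[ \t]*;/ { print "ANY_TRANSFER: line " NR ": " $0 }
    line ~ /allow-update[ \t]*\{[ \t]*any[ \t]*;/   { print "ANY_UPDATE: line " NR ": " $0 }
    line ~ /recursion[ \t]+yes/ { recursion_on = 1 }
    line ~ /allow-recursion/    { recursion_acl = 1 }
    line ~ /^[ \t]*zone[ \t]+"/ {
        match(line, /"[^"]+"/)
        zname = substr(line, RSTART + 1, RLENGTH - 2)
        inzone = 1; depth = 0; is_primary = 0; has_transfer = 0
    }
    inzone {
        depth += gsub(/\{/, "{", line)   # brace counting finds the end of the zone block
        depth -= gsub(/\}/, "}", line)
        if (line ~ /type[ \t]+(master|primary)/) is_primary = 1
        if (line ~ /allow-transfer/) has_transfer = 1
        if (depth == 0) {
            if (is_primary && !has_transfer)
                print "ZONE_NO_TRANSFER_ACL: zone " zname " relies on the server-wide allow-transfer default"
            inzone = 0
        }
    }
    END {
        if (recursion_on && !recursion_acl)
            print "OPEN_RECURSION: recursion yes without allow-recursion (open resolver)"
    }' "$1"
}

# Number of findings as a plain integer.
finding_count() {
    audit_named_conf "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    for kind in weak hardened; do
        f=$(mktemp); "write_${kind}_conf" "$f"
        echo "== $kind: $(finding_count "$f") finding(s)"; audit_named_conf "$f"
        rm -f "$f"
    done
fi
```

The per-zone check is deliberately strict: a primary zone without its own `allow-transfer` inherits whatever `options` says, so a later edit to `options` silently changes who can copy the zone. Listing the ACL on every zone keeps that decision visible next to the zone it protects.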
## DNS Monitoring and Troubleshooting

### Logging

#### BIND Logging

```conf
# Configure logging in named.conf
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
    channel query_log {
        file "/var/log/bind/query.log" versions 3 size 5m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries { query_log; };
    category default { default_debug; };
};
```

```bash
# Enable query logging
sudo rndc querylog on

# View logs
sudo tail -f /var/log/bind/query.log
sudo journalctl -u named -f
```

#### Windows DNS Logging

```powershell
# Enable all DNS debug logging (noisy; turn it off again after troubleshooting)
Set-DnsServerDiagnostics -All $true

# Enable query logging only
Set-DnsServerDiagnostics -Queries $true

# View DNS events
Get-WinEvent -LogName "DNS Server" | Select-Object -First 10

# Export query resolution policies (not the event log)
Get-DnsServerQueryResolutionPolicy | Export-Csv -Path "C:\dns-policies.csv"
```

### Performance Monitoring

#### BIND Statistics

```conf
# Enable the statistics channel in named.conf
# (then view it over HTTP at http://127.0.0.1:8053/ from the server itself)
statistics-channels { inet 127.0.0.1 port 8053 allow { 127.0.0.1; }; };
```

```bash
# Command line statistics
sudo rndc stats
cat /var/cache/bind/named.stats
```

#### Windows DNS Performance

```powershell
# Get DNS server statistics
Get-DnsServerStatistics

# Monitor DNS performance counters
Get-Counter "\DNS\Total Query Received/sec"
Get-Counter "\DNS\Total Response Sent/sec"
Get-Counter "\DNS\Recursive Queries/sec"

# Export performance data
Get-DnsServerStatistics | Export-Csv -Path "C:\dns-stats.csv"
```

### Troubleshooting Commands

#### DNS Resolution Testing

```bash
# Test DNS resolution
nslookup www.example.com
dig www.example.com
host www.example.com

# Test specific record types
dig MX example.com
dig TXT example.com
dig NS example.com

# Test reverse DNS
dig -x 192.168.1.100

# Test DNSSEC validation (look for the "ad" flag in the answer header)
dig +dnssec www.example.com
```

#### Zone Transfer Testing

```bash
# Test zone transfer
dig @192.168.1.10 example.com AXFR

# Check zone serial number
dig @192.168.1.10 example.com SOA
```

#### Windows DNS Testing

```powershell
# Test DNS resolution
Resolve-DnsName -Name "www.example.com"
Resolve-DnsName -Name "example.com" -Type MX

# Test DNS server connectivity
Test-DnsServer -IPAddress "192.168.1.10" -ZoneName "example.com"

# Query the zone's SOA directly from that server
Resolve-DnsName -Name "example.com" -Type SOA -Server "192.168.1.10"
```
### Cache Management

```bash
# Clear DNS cache (BIND)
sudo rndc flush

# Clear local resolver cache (Linux)
sudo systemctl restart systemd-resolved
```

```powershell
# Clear DNS cache (Windows DNS Server)
Clear-DnsServerCache

# Clear local resolver cache (Windows client)
ipconfig /flushdns
```

### Zone Maintenance

```bash
# Backup BIND zone files
sudo tar -czf /backup/dns-zones-$(date +%Y%m%d).tar.gz /etc/bind/

# Update zone serial number:
# edit the zone file and increment the serial, e.g. 2024063001 -> 2024063002

# Reload zone on the primary
sudo rndc reload example.com

# Force zone refresh on a secondary
sudo rndc refresh example.com
```

```powershell
# Backup Windows DNS zone
Export-DnsServerZone -Name "example.com" -FileName "example.com.backup"
```
## Command Reference

### BIND Commands

| Command | Description |
|---|---|
| named-checkconf | Validate BIND configuration |
| named-checkzone | Validate zone file syntax |
| rndc reload | Reload DNS configuration |
| rndc flush | Clear DNS cache |
| rndc stats | Generate statistics |
| rndc querylog | Toggle query logging |
| nsupdate | Dynamic DNS updates |
| dig | DNS lookup utility |
| nslookup | DNS lookup utility |
| host | DNS lookup utility |

### Windows PowerShell Cmdlets

| Cmdlet | Description |
|---|---|
| Get-DnsServer | Get DNS server configuration |
| Add-DnsServerPrimaryZone | Create primary zone |
| Add-DnsServerSecondaryZone | Create secondary zone |
| Add-DnsServerResourceRecord* | Add DNS records |
| Remove-DnsServerResourceRecord | Remove DNS records |
| Set-DnsServerPrimaryZone | Configure zone transfer and notify settings |
| Test-DnsServer | Test DNS server functionality |
| Clear-DnsServerCache | Clear DNS cache |

## Troubleshooting Common Problems

### Zone Transfer Problems

```bash
# Check zone transfer configuration
named-checkconf
named-checkzone example.com /etc/bind/db.example.com

# Verify network connectivity to the secondary (AXFR needs TCP port 53)
telnet secondary-dns-server 53

# Generate the rndc TSIG key if it is missing (both ends must share the same key)
rndc-confgen -a
```

### DNSSEC Problems

```bash
# Check DNSSEC chain from the root down
dig +dnssec +trace www.example.com

# Verify key signatures
dig +dnssec example.com DNSKEY

# Check DS records in parent zone
dig +dnssec example.com DS
```

### Query Load

```bash
# Monitor query load
rndc stats
tail -f /var/log/bind/query.log

# Check cache hit ratio
rndc dumpdb -cache
grep "cache" /var/cache/bind/named_dump.db

# Analyze query patterns (counts the first field of each log line)
awk '{print $1}' /var/log/bind/query.log | sort | uniq -c | sort -nr
```
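The `awk '{print $1}'` one-liner above only counts the first field of each query-log line, which with `print-time yes` is the date. The script below is an added example, not part of the original cheat sheet, that goes further: it parses BIND query-log lines into (client, name, type) tuples, ranks clients by query volume, lists who asked for a zone transfer (AXFR/IXFR) and flags transfer requests from addresses that are not in the `allow-transfer` list. The log lines are constructed; the format follows `rndc querylog on` output with and without the `@0x...` client pointer newer BIND versions print, and the allow-list is the one used on this page.

```shell
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): parse BIND query-log
# lines and answer two defender questions: who queries most, and who asks
# for zone transfers. All log lines below are constructed.

write_sample_query_log() {
    cat > "$1" <<'EOF'
30-Jun-2024 10:15:01.123 client @0x7f3b0c0a1e90 192.168.1.50#43522 (www.example.com): query: www.example.com IN A +E(0)K (192.168.1.10)
30-Jun-2024 10:15:01.456 client @0x7f3b0c0a1e90 192.168.1.50#43523 (example.com): query: example.com IN MX +E(0)K (192.168.1.10)
30-Jun-2024 10:15:02.001 client @0x7f3b0c0a2f00 192.168.1.11#51000 (example.com): query: example.com IN AXFR -T (192.168.1.10)
30-Jun-2024 10:15:02.777 client @0x7f3b0c0a3a10 203.0.113.77#40001 (example.com): query: example.com IN AXFR -T (192.168.1.10)
30-Jun-2024 10:15:03.010 client @0x7f3b0c0a3a10 203.0.113.77#40002 (example.com): query: example.com IN ANY +E(0) (192.168.1.10)
30-Jun-2024 10:15:03.200 client 10.0.0.5#33333 (mail.example.com): query: mail.example.com IN A + (192.168.1.10)
30-Jun-2024 10:15:03.450 client 2001:db8::5#40005 (www.example.com): query: www.example.com IN AAAA + (192.168.1.10)
30-Jun-2024 10:15:04.000 zone example.com/IN: sending notifies (serial 2024063001)
EOF
}

# Print "client qname qtype" for each query line; lines that are not
# queries (no "addr#port" field or no "query:" marker) are skipped.
parse_queries() {
    awk '{
        client = ""; qi = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[0-9a-fA-F.:]+#[0-9]+$/) { client = $i; sub(/#.*/, "", client) }
            if ($i == "query:") qi = i
        }
        if (client != "" && qi > 0) print client, $(qi + 1), $(qi + 3)
    }' "$1"
}

# Query count per client, busiest first (ties broken by address).
query_clients() {
    parse_queries "$1" | awk '{ c[$1]++ } END { for (k in c) print c[k], k }' | sort -k1,1nr -k2,2
}

# Clients that asked for a full or incremental zone transfer: "client zone".
transfer_requests() {
    parse_queries "$1" | awk '$3 == "AXFR" || $3 == "IXFR" { print $1, $2 }'
}

# Transfer requests from anything not in the space-separated allow-list $2
# (the addresses named in allow-transfer). Non-empty output deserves an alert:
# BIND refuses these, but the attempt itself is reconnaissance worth knowing about.
unauthorized_transfers() {
    transfer_requests "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { print }'
}

if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); write_sample_query_log "$f"
    echo "== queries per client"; query_clients "$f"
    echo "== zone transfer requests"; transfer_requests "$f"
    echo "== transfers from hosts not in allow-transfer"
    unauthorized_transfers "$f" "192.168.1.10 192.168.1.11"
    rm -f "$f"
fi
```

On a real server replace the sample file with `/var/log/bind/query.log` (or a rotated copy) and pass the same addresses you put in `allow-transfer`; the `ANY` query from the same outside host in the sample is the kind of companion signal, visible in `query_clients`, that turns a single refused AXFR into a pattern.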