# DNS Management Cheat Sheet

## Overview

DNS management covers the administration, configuration and maintenance of Domain Name System infrastructure. This cheat sheet collects the essential commands and procedures for managing DNS servers, zones and records across platforms and environments.

**Warning:** DNS changes can affect network connectivity and service availability. Always test changes in non-production environments and follow change-management procedures.
## DNS Server Management

### BIND (Berkeley Internet Name Domain)

#### Installation

```bash
# Ubuntu/Debian
sudo apt update && sudo apt install bind9 bind9utils bind9-doc

# CentOS/RHEL/Rocky Linux
sudo dnf install bind bind-utils

# macOS (using Homebrew)
brew install bind
```
#### Service Management

```bash
# The unit is "named" on RHEL-family systems and "bind9" on Ubuntu/Debian

# Start BIND service
sudo systemctl start named
sudo systemctl start bind9 # Ubuntu/Debian

# Stop BIND service
sudo systemctl stop named
sudo systemctl stop bind9 # Ubuntu/Debian

# Restart BIND service
sudo systemctl restart named
sudo systemctl restart bind9 # Ubuntu/Debian

# Enable auto-start
sudo systemctl enable named
sudo systemctl enable bind9 # Ubuntu/Debian

# Check service status
sudo systemctl status named
sudo systemctl status bind9 # Ubuntu/Debian
```
#### Configuration Management

```bash
# Check BIND configuration syntax (named.conf and the files it includes)
sudo named-checkconf

# Check zone file syntax
sudo named-checkzone example.com /etc/bind/db.example.com

# Reload configuration and all zones without restarting
sudo rndc reload

# Reload a specific zone
sudo rndc reload example.com

# Flush the resolver cache
sudo rndc flush

# Write BIND statistics to named.stats
sudo rndc stats
```
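As an added example (not part of the original sheet), the two checks above extended to every primary zone declared in named.conf.local, reloading only when all of them pass. It assumes the `zone "name" { type ...; file "..."; };` layout used throughout this sheet; the config path is the Debian default.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: validate every primary zone
# declared in a named.conf-style file, then reload BIND only if all of them pass.
# Assumes the zone "name" { type ...; file "..."; }; layout used in this sheet.

# Print "zone-name zone-file" for every master/primary zone in the config file.
# Secondary zones are skipped: their files are fetched by transfer, not edited by hand.
list_zones() {
    awk '
        /^[[:space:]]*zone[[:space:]]+"/ { name = $2; gsub(/"/, "", name); type = ""; file = "" }
        /^[[:space:]]*type[[:space:]]/   { type = $2; sub(/;.*/, "", type) }
        /^[[:space:]]*file[[:space:]]/   { file = $2; gsub(/[";]/, "", file) }
        /^[[:space:]]*};/ {
            if (name != "" && file != "" && (type == "master" || type == "primary"))
                print name, file
            name = ""
        }
    ' "$1"
}

# Run named-checkconf, then named-checkzone on each primary zone; reload only if all pass.
# Usage (as root): check_and_reload /etc/bind/named.conf.local
check_and_reload() {
    conf=${1:-/etc/bind/named.conf.local}
    named-checkconf || return 1           # syntax error in named.conf*: stop here
    failed=0
    set -- $(list_zones "$conf")          # flatten into: name file name file ...
    while [ $# -ge 2 ]; do
        name=$1; file=$2; shift 2
        if named-checkzone "$name" "$file" >/dev/null; then
            echo "OK   $name ($file)"
        else
            echo "FAIL $name ($file)" >&2
            failed=1
        fi
    done
    if [ "$failed" -ne 0 ]; then
        echo "not reloading: fix the failing zones first" >&2
        return 1
    fi
    rndc reload
}
```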
### Windows DNS Server

#### PowerShell Management

```powershell
# Install DNS Server role
Install-WindowsFeature -Name DNS -IncludeManagementTools

# Start DNS service
Start-Service DNS

# Stop DNS service
Stop-Service DNS

# Restart DNS service
Restart-Service DNS

# Get DNS server settings
Get-DnsServer

# Get DNS server statistics
Get-DnsServerStatistics
```
## Zone Management

### Zone Creation

#### BIND Zone Creation

```bash
# Create forward lookup zone file
sudo nano /etc/bind/db.example.com

# Add zone to named.conf (tee is needed because a plain >> redirect would run
# as your user, not as root)
echo 'zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.168.1.10; };
};' | sudo tee -a /etc/bind/named.conf.local

# Create reverse lookup zone file
sudo nano /etc/bind/db.192.168.1

# Add reverse zone to named.conf
echo 'zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.168.1";
    allow-transfer { 192.168.1.10; };
};' | sudo tee -a /etc/bind/named.conf.local
```
#### Windows DNS Zone Creation

```powershell
# Create primary zone (file-backed)
Add-DnsServerPrimaryZone -Name "example.com" -ZoneFile "example.com.dns"

# Create Active Directory integrated zone
Add-DnsServerPrimaryZone -Name "example.com" -ReplicationScope "Domain"

# Create secondary zone
Add-DnsServerSecondaryZone -Name "example.com" -ZoneFile "example.com.dns" -MasterServers "192.168.1.10"

# Create reverse lookup zone
Add-DnsServerPrimaryZone -NetworkId "192.168.1.0/24" -ReplicationScope "Domain"
```
### Zone Transfer Management

#### BIND Zone Transfers

```bash
# Configure zone transfer in named.conf: only the listed secondaries may
# transfer the zone, and they are notified on every change
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.168.1.10; 192.168.1.11; };
    also-notify { 192.168.1.10; 192.168.1.11; };
    notify yes;
};

# Send NOTIFY to the secondaries (they then pull the zone)
sudo rndc notify example.com

# Check server status
sudo rndc status
```
#### Windows Zone Transfers

```powershell
# Restrict zone transfers to the listed secondaries
Set-DnsServerPrimaryZone -Name "example.com" -SecureSecondaries "TransferToSecureServers" -SecondaryServers "192.168.1.10","192.168.1.11"

# Enable change notifications to those secondaries
Set-DnsServerPrimaryZone -Name "example.com" -Notify "NotifyServers" -NotifyServers "192.168.1.10","192.168.1.11"

# Force a full zone transfer (run on the secondary)
Start-DnsServerZoneTransfer -Name "example.com" -FullTransfer
```
## DNS Record Management

### Common Record Types

#### A Records (IPv4)

```bash
# BIND - Add A record to zone file (then increment the SOA serial and reload the zone)
echo "www IN A 192.168.1.100" | sudo tee -a /etc/bind/db.example.com

# Windows PowerShell
Add-DnsServerResourceRecordA -ZoneName "example.com" -Name "www" -IPv4Address "192.168.1.100"

# Using nsupdate (dynamic updates); the zone must allow updates signed with this
# TSIG key, e.g. allow-update { key rndc-key; };
nsupdate -k /etc/bind/rndc.key
> server 192.168.1.10
> zone example.com
> update add www.example.com 300 A 192.168.1.100
> send
> quit
```

#### AAAA Records (IPv6)

```bash
# BIND - Add AAAA record
echo "www IN AAAA 2001:db8::1" | sudo tee -a /etc/bind/db.example.com

# Windows PowerShell
Add-DnsServerResourceRecordAAAA -ZoneName "example.com" -Name "www" -IPv6Address "2001:db8::1"
```

#### CNAME Records

```bash
# BIND - Add CNAME record (the target ends with a dot: a fully qualified name)
echo "mail IN CNAME www.example.com." | sudo tee -a /etc/bind/db.example.com

# Windows PowerShell
Add-DnsServerResourceRecordCName -ZoneName "example.com" -Name "mail" -HostNameAlias "www.example.com"
```

#### MX Records

```bash
# BIND - Add MX record (an MX target must be an A/AAAA name, not a CNAME)
echo "@ IN MX 10 mail.example.com." | sudo tee -a /etc/bind/db.example.com

# Windows PowerShell
Add-DnsServerResourceRecordMX -ZoneName "example.com" -Name "@" -MailExchange "mail.example.com" -Preference 10
```

#### TXT Records

```bash
# BIND - Add TXT record (here an SPF policy)
echo "@ IN TXT \"v=spf1 include:_spf.google.com ~all\"" | sudo tee -a /etc/bind/db.example.com

# Windows PowerShell
Add-DnsServerResourceRecordTxt -ZoneName "example.com" -Name "@" -DescriptiveText "v=spf1 include:_spf.google.com ~all"
```

#### PTR Records (Reverse DNS)

```bash
# BIND - Add PTR record to reverse zone (100 is the last octet of 192.168.1.100)
echo "100 IN PTR www.example.com." | sudo tee -a /etc/bind/db.192.168.1

# Windows PowerShell
Add-DnsServerResourceRecordPtr -ZoneName "1.168.192.in-addr.arpa" -Name "100" -PtrDomainName "www.example.com"
```
### Record Modification and Deletion

#### BIND Record Management

```bash
# Edit zone file directly
sudo nano /etc/bind/db.example.com

# Increment the SOA serial number (important: secondaries only transfer when it grows)
# Change: 2024063001 to 2024063002

# Reload zone after changes
sudo rndc reload example.com

# Delete record using nsupdate
nsupdate -k /etc/bind/rndc.key
> server 192.168.1.10
> zone example.com
> update delete old-server.example.com A
> send
> quit
```

#### Windows Record Management

```powershell
# Modify an A record: replace the existing record object with an updated copy
$old = Get-DnsServerResourceRecord -ZoneName "example.com" -Name "www" -RRType "A"
$new = $old.Clone()
$new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse("192.168.1.101")
Set-DnsServerResourceRecord -ZoneName "example.com" -OldInputObject $old -NewInputObject $new

# Remove A record (-Force skips the confirmation prompt)
Remove-DnsServerResourceRecord -ZoneName "example.com" -Name "www" -RRType "A" -Force

# Remove all records for a name, whatever their type
Get-DnsServerResourceRecord -ZoneName "example.com" -Name "old-server" | Remove-DnsServerResourceRecord -ZoneName "example.com" -Force
```
## DNS Security Management

### DNSSEC Configuration

#### BIND DNSSEC Configuration

```bash
# Generate a zone signing key (ZSK) and a key signing key (KSK)
cd /etc/bind/keys
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com
dnssec-keygen -a RSASHA256 -b 4096 -f KSK -n ZONE example.com

# Sign the zone manually (NSEC3 with a random salt); writes db.example.com.signed
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t /etc/bind/db.example.com

# named.conf: let named maintain the signatures itself (inline signing).
# With inline-signing, "file" points at the UNSIGNED zone and named keeps the
# signed copy internally, so the manual dnssec-signzone step is not needed.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    key-directory "/etc/bind/keys";
    auto-dnssec maintain;   # deprecated since BIND 9.16 in favour of "dnssec-policy default;"
    inline-signing yes;
};
```

#### Windows DNSSEC Configuration

```powershell
# Add Key Signing Key (KSK)
Add-DnsServerSigningKey -ZoneName "example.com" -Type "KeySigningKey" -CryptoAlgorithm "RsaSha256"

# Add Zone Signing Key (ZSK)
Add-DnsServerSigningKey -ZoneName "example.com" -Type "ZoneSigningKey" -CryptoAlgorithm "RsaSha256"

# Sign the zone with the keys added above
Invoke-DnsServerZoneSign -ZoneName "example.com"

# Enable automatic key rollover for the KSK
Enable-DnsServerSigningKeyRollover -ZoneName "example.com" -KeyType "KeySigningKey"
```
### Access Control Lists (ACLs)

#### BIND ACL Configuration

```bash
# Define ACLs in named.conf
acl "internal-networks" {
    192.168.1.0/24;
    10.0.0.0/8;
    172.16.0.0/12;
};

acl "dns-servers" {
    192.168.1.10;
    192.168.1.11;
};

# Apply ACLs to zones: queries from internal networks only, transfers to the
# secondaries only, no dynamic updates
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-query { internal-networks; };
    allow-transfer { dns-servers; };
    allow-update { none; };
};
```

#### Windows DNS Security

```powershell
# Restrict zone transfers to the listed secondaries
Set-DnsServerPrimaryZone -Name "example.com" -SecureSecondaries "TransferToSecureServers" -SecondaryServers "192.168.1.10","192.168.1.11"

# Disable recursion (authoritative-only server; clients must use a separate resolver)
Set-DnsServerRecursion -Enable $false -AdditionalTimeout 4 -RetryInterval 3 -Timeout 8
```
## DNS Monitoring and Troubleshooting

### Log Management

#### BIND Logging

```bash
# Configure logging in named.conf
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
    channel query_log {
        file "/var/log/bind/query.log" versions 3 size 5m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries { query_log; };
    category default { default_debug; };
};

# Enable query logging at runtime
sudo rndc querylog on

# View logs
sudo tail -f /var/log/bind/query.log
sudo journalctl -u named -f
```

#### Windows DNS Logging

```powershell
# Enable all DNS debug logging (verbose; turn it off again when done)
Set-DnsServerDiagnostics -All $true

# Enable query logging only
Set-DnsServerDiagnostics -Queries $true

# View recent DNS Server events
Get-WinEvent -LogName "DNS Server" | Select-Object -First 10

# Export DNS query resolution policies (the policies, not the logs)
Get-DnsServerQueryResolutionPolicy | Export-Csv -Path "C:\dns-policies.csv"
```
### Performance Monitoring

#### BIND Statistics

```bash
# Enable the statistics channel in named.conf (local access only)
statistics-channels {
    inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};

# View statistics via HTTP (XML/JSON output)
curl http://127.0.0.1:8053/

# Command line statistics (named.stats is written to BIND's working directory)
sudo rndc stats
cat /var/cache/bind/named.stats
```

#### Windows DNS Performance

```powershell
# Get DNS server statistics
Get-DnsServerStatistics

# Monitor DNS performance counters
Get-Counter "\DNS\Total Query Received/sec"
Get-Counter "\DNS\Total Response Sent/sec"
Get-Counter "\DNS\Recursive Queries/sec"

# Export performance data
Get-DnsServerStatistics | Export-Csv -Path "C:\dns-stats.csv"
```
### Troubleshooting Commands

#### DNS Resolution Testing

```bash
# Test DNS resolution
nslookup www.example.com
dig www.example.com
host www.example.com

# Test specific record types
dig MX example.com
dig TXT example.com
dig NS example.com

# Test reverse DNS
dig -x 192.168.1.100

# Test DNSSEC validation (look for the "ad" flag and RRSIG records in the answer)
dig +dnssec www.example.com
```

#### Zone Transfer Testing

```bash
# Test zone transfer against a specific server
dig @192.168.1.10 example.com AXFR

# Check the zone serial number on a specific server
dig @192.168.1.10 example.com SOA
```

#### Windows DNS Testing

```powershell
# Test DNS resolution
Resolve-DnsName -Name "www.example.com"
Resolve-DnsName -Name "example.com" -Type MX

# Test DNS server connectivity
Test-DnsServer -IPAddress "192.168.1.10" -ZoneName "example.com"

# Validate zone
Test-DnsServer -IPAddress "192.168.1.10" -ZoneName "example.com" -RRType "SOA"
```
## DNS Maintenance Tasks

### Zone File Backup

```bash
# Backup BIND zone files and configuration
sudo tar -czf /backup/dns-zones-$(date +%Y%m%d).tar.gz /etc/bind/

# Backup Windows DNS zones
Export-DnsServerZone -Name "example.com" -FileName "example.com.backup"
```

### Cache Management

```bash
# Clear DNS cache (BIND)
sudo rndc flush

# Clear DNS cache (Windows)
Clear-DnsServerCache

# Clear local resolver cache (Linux)
sudo systemctl restart systemd-resolved

# Clear local resolver cache (Windows)
ipconfig /flushdns
```

### Zone Maintenance

```bash
# Update zone serial number
# Edit zone file and increment serial: 2024063001 -> 2024063002

# Reload zone
sudo rndc reload example.com

# Force zone refresh on a secondary
sudo rndc refresh example.com
```
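The serial bump, zone check and reload described above (and under BIND record management) as one script, added here as an example that is not part of the original sheet. It assumes the usual zone-file layout where the serial sits on its own line directly after the SOA `(` line; the optional second argument fixes the date so the behaviour can be tested.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: bump the SOA serial of a
# zone file in YYYYMMDDnn form, validate the zone, and reload it.
# Assumes the serial sits on its own line right after the SOA "(" line, as in the
# standard zone-file layout; an optional second argument fixes the date for testing.

# Print the current serial: the first all-digit first field after the SOA "(" line.
get_serial() {
    awk '
        /SOA/ && /\(/ { insoa = 1; next }
        insoa && $1 ~ /^[0-9]+$/ { print $1; exit }
    ' "$1"
}

# Next serial: same day -> nn+1 (up to 99); older serial -> <today>01;
# anything else (future-dated, or nn overflow) -> plain +1, which keeps it monotonic.
next_serial() {
    cur=$1; today=${2:-$(date +%Y%m%d)}
    case $cur in
        ${today}[0-9][0-9])
            nn=${cur#"$today"}; nn=${nn#0}; nn=$((nn + 1))
            if [ "$nn" -le 99 ]; then printf '%s%02d\n' "$today" "$nn"; return; fi ;;
        [0-9]*)
            if [ "$cur" -lt "${today}01" ]; then echo "${today}01"; return; fi ;;
    esac
    echo $((cur + 1))
}

# Rewrite the serial line in place and print the new serial.
bump_serial() {
    zone_file=$1; today=${2:-$(date +%Y%m%d)}
    cur=$(get_serial "$zone_file")
    [ -n "$cur" ] || { echo "no SOA serial found in $zone_file" >&2; return 1; }
    new=$(next_serial "$cur" "$today")
    awk -v new="$new" '
        /SOA/ && /\(/ { insoa = 1; print; next }
        insoa && !replaced && $1 ~ /^[0-9]+$/ { sub(/[0-9]+/, new); replaced = 1 }
        { print }
    ' "$zone_file" > "$zone_file.tmp" && cat "$zone_file.tmp" > "$zone_file" && rm -f "$zone_file.tmp"
    echo "$new"
}

# Usage (as root): bump_and_reload example.com /etc/bind/db.example.com
bump_and_reload() {
    bump_serial "$2" >/dev/null || return 1
    named-checkzone "$1" "$2" >/dev/null || return 1   # never load a broken zone
    rndc reload "$1"
}
```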
## Command Reference

### BIND Commands

| Command | Description |
|---|---|
| `named-checkconf` | Validate BIND configuration |
| `named-checkzone` | Validate zone file syntax |
| `rndc reload` | Reload DNS configuration |
| `rndc flush` | Clear DNS cache |
| `rndc stats` | Generate statistics |
| `rndc querylog` | Toggle query logging |
| `nsupdate` | Dynamic DNS updates |
| `dig` | DNS lookup utility |
| `nslookup` | DNS lookup utility |
| `host` | DNS lookup utility |

### PowerShell DNS Cmdlets

| Cmdlet | Description |
|---|---|
| `Get-DnsServer` | Get DNS server configuration |
| `Add-DnsServerPrimaryZone` | Create primary zone |
| `Add-DnsServerSecondaryZone` | Create secondary zone |
| `Add-DnsServerResourceRecord*` | Add DNS records |
| `Remove-DnsServerResourceRecord` | Remove DNS records |
| `Set-DnsServerPrimaryZone` | Configure zone transfers and notifications |
| `Test-DnsServer` | Test DNS server functionality |
| `Clear-DnsServerCache` | Clear DNS cache |
## Best Practices

### Security

- Implement DNSSEC zone signing
- Use TSIG to authenticate zone transfers
- Restrict zone transfers to authorized servers
- Disable recursion on authoritative servers
- Implement rate limiting
- Apply security updates regularly

### Performance

- Optimize TTL values
- Implement appropriate caching strategies
- Use geographically distributed servers
- Monitor query patterns
- Implement load balancing

### Maintenance

- Back up zone files regularly
- Monitor DNS logs
- Implement change management
- Document all configurations
- Test disaster recovery procedures
- Keep software up to date

### Monitoring

- Set up alerting for service outages
- Monitor query response times
- Track zone transfer status
- Monitor DNSSEC key expiration
- Log security events
## Common Issues and Solutions

### Zone Transfer Failures

```bash
# Check zone transfer configuration
named-checkconf
named-checkzone example.com /etc/bind/db.example.com

# Verify network connectivity to the secondary on port 53 (transfers use TCP)
telnet secondary-dns-server 53

# Generate the rndc key (rndc.key) if it is missing; TSIG keys for zone
# transfers are generated with tsig-keygen and referenced in allow-transfer
rndc-confgen -a
```

### DNSSEC Validation Errors

```bash
# Check the DNSSEC chain from the root down
dig +dnssec +trace www.example.com

# Verify the zone's keys and their signatures
dig +dnssec example.com DNSKEY

# Check the DS records published in the parent zone
dig +dnssec example.com DS
```

### Performance Issues

```bash
# Monitor query load
rndc stats
tail -f /var/log/bind/query.log

# Dump the cache to named_dump.db (in BIND's working directory) and inspect it
rndc dumpdb -cache
grep "cache" /var/cache/bind/named_dump.db

# Most-queried names: the token after "query:" in each query-log line
grep -o 'query: [^ ]*' /var/log/bind/query.log | sort | uniq -c | sort -nr | head
```
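Going further than the one-liner above, here are added shell functions (not from the original sheet) that summarise a BIND query log by name, by client and by minute, plus a constructed five-line sample log to try them on. They assume the default BIND 9 query-log line layout produced by the `query_log` channel configured earlier.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: summarise a BIND query log
# (the query_log channel configured above) by name, client and minute.
# Assumes the default BIND 9 query-log line layout:
#   <date> <time> queries: info: client [@0x..] <ip>#<port> (<qname>): query: <qname> IN <type> ...

# Top N queried names, as "count name", most frequent first (default N=10).
top_names() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "query:") { n[$(i+1)]++; break } }
         END { for (k in n) print n[k], k }' "$1" | sort -rn | head -n "${2:-10}"
}

# Top N client addresses: the ip#port field with the port stripped.
# One client dominating the count is a candidate for rate limiting or a closer look.
top_clients() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /#[0-9]+$/) { sub(/#[0-9]+$/, "", $i); c[$i]++; break } }
         END { for (k in c) print c[k], k }' "$1" | sort -rn | head -n "${2:-10}"
}

# Queries per minute in time order, as "count date HH:MM"; use it to spot load spikes.
per_minute() {
    awk '{ m[$1 " " substr($2, 1, 5)]++ } END { for (k in m) print m[k], k }' "$1" | sort -k2,3
}

# Constructed sample log (five lines) so the functions can be tried without a live server.
# Usage: sample_query_log > /tmp/q.log; top_names /tmp/q.log 5; top_clients /tmp/q.log 5
sample_query_log() {
    cat <<'EOF'
30-Jun-2024 12:00:01.001 queries: info: client @0x7f1a2c0 192.168.1.55#51234 (www.example.com): query: www.example.com IN A +E(0)K (192.168.1.10)
30-Jun-2024 12:00:01.250 queries: info: client @0x7f1a2c0 192.168.1.55#51235 (www.example.com): query: www.example.com IN AAAA +E(0)K (192.168.1.10)
30-Jun-2024 12:00:02.010 queries: info: client @0x7f1a2d0 192.168.1.77#40001 (mail.example.com): query: mail.example.com IN A +E(0)K (192.168.1.10)
30-Jun-2024 12:00:02.500 queries: info: client @0x7f1a2c0 192.168.1.55#51236 (www.example.com): query: www.example.com IN A +E(0)K (192.168.1.10)
30-Jun-2024 12:01:00.100 queries: info: client @0x7f1a2e0 10.0.0.9#33333 (example.com): query: example.com IN MX +E(0)K (192.168.1.10)
EOF
}
```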
This cheat sheet covers the common DNS management tasks across platforms and scenarios. Always test changes in non-production environments and keep proper documentation of your DNS infrastructure.