Aide-mémoire de Gestion DNS
Vue d’ensemble
La gestion DNS englobe l’administration, la configuration et la maintenance de l’infrastructure du système de noms de domaine. Cet aide-mémoire couvre les commandes et procédures essentielles pour gérer les serveurs DNS, les zones et les enregistrements sur différentes plateformes et environnements.
⚠️ Avertissement : Les modifications DNS peuvent affecter la connectivité réseau et la disponibilité des services. Testez toujours les modifications dans des environnements hors production et suivez les procédures de gestion des changements.
Gestion des Serveurs DNS
BIND (Berkeley Internet Name Domain)
Installation
# Ubuntu/Debian
sudo apt update && sudo apt install bind9 bind9utils bind9-doc
# CentOS/RHEL/Rocky Linux
sudo dnf install bind bind-utils
# macOS (using Homebrew)
brew install bindGestion des Services
# Start BIND service
sudo systemctl start named
sudo systemctl start bind9 # Ubuntu/Debian
# Stop BIND service
sudo systemctl stop named
sudo systemctl stop bind9 # Ubuntu/Debian
# Restart BIND service
sudo systemctl restart named
sudo systemctl restart bind9 # Ubuntu/Debian
# Enable auto-start
sudo systemctl enable named
sudo systemctl enable bind9 # Ubuntu/Debian
# Check service status
sudo systemctl status named
sudo systemctl status bind9 # Ubuntu/DebianGestion de la Configuration
# Check BIND configuration syntax
sudo named-checkconf
# Check zone file syntax
sudo named-checkzone example.com /etc/bind/db.example.com
# Reload configuration without restart
sudo rndc reload
# Reload specific zone
sudo rndc reload example.com
# Flush cache
sudo rndc flush
# View BIND statistics
sudo rndc statsServeur DNS Windows
Gestion PowerShell
# Install DNS Server role
Install-WindowsFeature -Name DNS -IncludeManagementTools
# Start DNS service
Start-Service DNS
# Stop DNS service
Stop-Service DNS
# Restart DNS service
Restart-Service DNS
# Get DNS server settings
Get-DnsServer
# Get DNS server statistics
Get-DnsServerStatisticsGestion des Zones
Création de Zones
Création de Zone BIND
# Create forward lookup zone file
sudo nano /etc/bind/db.example.com
# Add zone to named.conf
echo 'zone "example.com" \\\\{
type master;
file "/etc/bind/db.example.com";
allow-transfer \\\\{ 192.168.1.10; \\\\};
\\\\};'|sudo tee -a /etc/bind/named.conf.local
# Create reverse lookup zone
sudo nano /etc/bind/db.192.168.1
# Add reverse zone to named.conf
echo 'zone "1.168.192.in-addr.arpa" \\\\{
type master;
file "/etc/bind/db.192.168.1";
allow-transfer \\\\{ 192.168.1.10; \\\\};
\\\\};'|sudo tee -a /etc/bind/named.conf.localCréation de Zone DNS Windows
# Create primary zone
Add-DnsServerPrimaryZone -Name "example.com" -ZoneFile "example.com.dns"
# Create Active Directory integrated zone
Add-DnsServerPrimaryZone -Name "example.com" -ReplicationScope "Domain"
# Create secondary zone
Add-DnsServerSecondaryZone -Name "example.com" -ZoneFile "example.com.dns" -MasterServers "192.168.1.10"
# Create reverse lookup zone
Add-DnsServerPrimaryZone -NetworkId "192.168.1.0/24" -ReplicationScope "Domain"Gestion des Transferts de Zone
Transferts de Zone BIND
# Configure zone transfer in named.conf
zone "example.com" \\\\{
type master;
file "/etc/bind/db.example.com";
allow-transfer \\\\{ 192.168.1.10; 192.168.1.11; \\\\};
also-notify \\\\{ 192.168.1.10; 192.168.1.11; \\\\};
notify yes;
\\\\};
# Force zone transfer
sudo rndc notify example.com
# Check zone transfer status
sudo rndc statusTransferts de Zone Windows
# Configure zone transfer settings
Set-DnsServerZoneTransferPolicy -ZoneName "example.com" -SecondaryServers "192.168.1.10","192.168.1.11"
# Enable zone transfer notifications
Set-DnsServerZoneTransferPolicy -ZoneName "example.com" -Notify "Yes" -NotifyServers "192.168.1.10","192.168.1.11"
# Force zone transfer
Start-DnsServerZoneTransfer -ZoneName "example.com"Gestion des Enregistrements DNS
Types d’Enregistrements Courants
Enregistrements A (IPv4)
# BIND - Add A record to zone file
echo "www IN A 192.168.1.100" >> /etc/bind/db.example.com
# Windows PowerShell
Add-DnsServerResourceRecordA -ZoneName "example.com" -Name "www" -IPv4Address "192.168.1.100"
# Using nsupdate (dynamic updates)
nsupdate -k /etc/bind/rndc.key
> server 192.168.1.10
> zone example.com
> update add www.example.com 300 A 192.168.1.100
> send
> quitEnregistrements AAAA (IPv6)
# BIND - Add AAAA record
echo "www IN AAAA 2001:db8::1" >> /etc/bind/db.example.com
# Windows PowerShell
Add-DnsServerResourceRecordAAAA -ZoneName "example.com" -Name "www" -IPv6Address "2001:db8::1"Enregistrements CNAME
# BIND - Add CNAME record
echo "mail IN CNAME www.example.com." >> /etc/bind/db.example.com
# Windows PowerShell
Add-DnsServerResourceRecordCName -ZoneName "example.com" -Name "mail" -HostNameAlias "www.example.com"Enregistrements MX
# BIND - Add MX record
echo "@ IN MX 10 mail.example.com." >> /etc/bind/db.example.com
# Windows PowerShell
Add-DnsServerResourceRecordMX -ZoneName "example.com" -Name "@" -MailExchange "mail.example.com" -Preference 10Enregistrements TXT
# BIND - Add TXT record
echo "@ IN TXT \"v=spf1 include:_spf.google.com ~all\"" >> /etc/bind/db.example.com
# Windows PowerShell
Add-DnsServerResourceRecordTxt -ZoneName "example.com" -Name "@" -DescriptiveText "v=spf1 include:_spf.google.com ~all"Enregistrements PTR (DNS Inverse)
# BIND - Add PTR record to reverse zone
echo "100 IN PTR www.example.com." >> /etc/bind/db.192.168.1
# Windows PowerShell
Add-DnsServerResourceRecordPtr -ZoneName "1.168.192.in-addr.arpa" -Name "100" -PtrDomainName "www.example.com"Modification et Suppression d’Enregistrements
Gestion des Enregistrements BIND
# Edit zone file directly
sudo nano /etc/bind/db.example.com
# Increment serial number (important!)
# Change: 2024063001 to 2024063002
# Reload zone after changes
sudo rndc reload example.com
# Delete record using nsupdate
nsupdate -k /etc/bind/rndc.key
> server 192.168.1.10
> zone example.com
> update delete old-server.example.com A
> send
> quitGestion des Enregistrements Windows
# Modify A record
Set-DnsServerResourceRecordA -ZoneName "example.com" -Name "www" -IPv4Address "192.168.1.101"
# Remove A record
Remove-DnsServerResourceRecord -ZoneName "example.com" -Name "www" -RRType "A"
# Remove all records for a name
Remove-DnsServerResourceRecord -ZoneName "example.com" -Name "old-server" -ForceGestion de la Sécurité DNS
Configuration DNSSEC
Configuration DNSSEC BIND
# Generate zone signing keys
cd /etc/bind/keys
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com
dnssec-keygen -a RSASHA256 -b 4096 -f KSK -n ZONE example.com
# Sign the zone
dnssec-signzone -A -3 $(head -c 1000 /dev/random|sha1sum|cut -b 1-16) -N INCREMENT -o example.com -t /etc/bind/db.example.com
# Update named.conf to use signed zone
zone "example.com" \\\\{
type master;
file "/etc/bind/db.example.com.signed";
key-directory "/etc/bind/keys";
auto-dnssec maintain;
inline-signing yes;
\\\\};Configuration DNSSEC Windows
# Enable DNSSEC for zone
Enable-DnsServerSigningKeyRollover -ZoneName "example.com" -KeyType "KeySigningKey"
# Add Key Signing Key (KSK)
Add-DnsServerSigningKey -ZoneName "example.com" -Type "KeySigningKey" -CryptoAlgorithm "RsaSha256"
# Add Zone Signing Key (ZSK)
Add-DnsServerSigningKey -ZoneName "example.com" -Type "ZoneSigningKey" -CryptoAlgorithm "RsaSha256"
# Sign the zone
Invoke-DnsServerZoneSigning -ZoneName "example.com" -SignListes de Contrôle d’Accès (ACLs)
Configuration ACL BIND
Would you like me to continue with the remaining sections?```bash
Define ACLs in named.conf
acl “internal-networks” \\{ 192.168.1.0/24; 10.0.0.0/8; 172.16.0.0/12; \\};
acl “dns-servers” \\{ 192.168.1.10; 192.168.1.11; \\};
Apply ACLs to zones
zone “example.com” \\{ type master; file “/etc/bind/db.example.com”; allow-query \\{ internal-networks; \\}; allow-transfer \\{ dns-servers; \\}; allow-update \\{ none; \\}; \\};
```powershell
# Configure zone transfer security
Set-DnsServerZoneTransferPolicy -ZoneName "example.com" -SecondaryServers "192.168.1.10","192.168.1.11"
# Disable recursion for external queries
Set-DnsServerRecursion -Enable $false -AdditionalTimeout 4 -RetryInterval 3 -Timeout 8
```## Surveillance et dépannage DNS
```bash
# Configure logging in named.conf
logging \\\\{
channel default_debug \\\\{
file "data/named.run";
severity dynamic;
\\\\};
channel query_log \\\\{
file "/var/log/bind/query.log" versions 3 size 5m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
\\\\};
category queries \\\\{ query_log; \\\\};
category default \\\\{ default_debug; \\\\};
\\\\};
# Enable query logging
sudo rndc querylog on
# View logs
sudo tail -f /var/log/bind/query.log
sudo journalctl -u named -f
```### Gestion des journaux
```powershell
# Enable DNS debug logging
Set-DnsServerDiagnostics -All $true
# Enable query logging
Set-DnsServerDiagnostics -Queries $true
# View DNS events
Get-WinEvent -LogName "DNS Server"|Select-Object -First 10
# Export DNS logs
Get-DnsServerQueryResolutionPolicy|Export-Csv -Path "C:\dns-policies.csv"
```#### Journalisation BIND
```bash
# Enable statistics
statistics-channels \\\\{
inet 127.0.0.1 port 8053 allow \\\\{ 127.0.0.1; \\\\};
\\\\};
# View statistics via HTTP
curl http://127.0.0.1:8053/
# Command line statistics
sudo rndc stats
cat /var/cache/bind/named.stats
```#### Journalisation DNS Windows
```powershell
# Get DNS server statistics
Get-DnsServerStatistics
# Monitor DNS performance counters
Get-Counter "\DNS\Total Query Received/sec"
Get-Counter "\DNS\Total Response Sent/sec"
Get-Counter "\DNS\Recursive Queries/sec"
# Export performance data
Get-DnsServerStatistics|Export-Csv -Path "C:\dns-stats.csv"
```### Surveillance des performances
```bash
# Test DNS resolution
nslookup www.example.com
dig www.example.com
host www.example.com
# Test specific record types
dig MX example.com
dig TXT example.com
dig NS example.com
# Test reverse DNS
dig -x 192.168.1.100
# Test DNSSEC validation
dig +dnssec www.example.com
```#### Statistiques BIND
```bash
# Test zone transfer
dig @192.168.1.10 example.com AXFR
# Test zone serial number
dig @192.168.1.10 example.com SOA
```#### Performances DNS Windows
```powershell
# Test DNS resolution
Resolve-DnsName -Name "www.example.com"
Resolve-DnsName -Name "example.com" -Type MX
# Test DNS server connectivity
Test-DnsServer -IPAddress "192.168.1.10" -ZoneName "example.com"
# Validate zone
Test-DnsServer -IPAddress "192.168.1.10" -ZoneName "example.com" -RRType "SOA"
```### Commandes de dépannage
```bash
# Backup BIND zone files
sudo tar -czf /backup/dns-zones-$(date +%Y%m%d).tar.gz /etc/bind/
# Backup Windows DNS zones
Export-DnsServerZone -Name "example.com" -FileName "example.com.backup"
```#### Test de résolution DNS
```bash
# Clear DNS cache (BIND)
sudo rndc flush
# Clear DNS cache (Windows)
Clear-DnsServerCache
# Clear local resolver cache (Linux)
sudo systemctl restart systemd-resolved
# Clear local resolver cache (Windows)
ipconfig /flushdns
```#### Test de transfert de zone
```bash
# Update zone serial number
# Edit zone file and increment serial: 2024063001 -> 2024063002
# Reload zone
sudo rndc reload example.com
# Force zone refresh on secondary
sudo rndc refresh example.com
```#### Test DNS Windows
| Commande | Description |
|---------|-------------|
| `named-checkconf` | Valider la configuration BIND |
| `named-checkzone` | Valider la syntaxe du fichier de zone |
| `rndc reload` | Recharger la configuration DNS |
| `rndc flush` | Vider le cache DNS |
| `rndc stats` | Générer des statistiques |
| `rndc querylog` | Activer la journalisation des requêtes |
| `nsupdate` | Mises à jour Dynamic DNS |
| `dig` | Utilitaire de recherche DNS |
| `nslookup` | Utilitaire de recherche DNS |
| `host` | Utilitaire de recherche DNS |## Tâches de maintenance DNS
| Cmdlet | Description |
|--------|-------------|
| `Get-DnsServer` | Obtenir la configuration du serveur DNS |
| `Add-DnsServerPrimaryZone` | Créer une zone primaire |
| `Add-DnsServerSecondaryZone` | Créer une zone secondaire |
| `Add-DnsServerResourceRecord*` | Ajouter des enregistrements DNS |
| `Remove-DnsServerResourceRecord` | Supprimer les enregistrements DNS |
| `Set-DnsServerZoneTransferPolicy` | Configurer les transferts de zone |
| `Test-DnsServer` | Tester la fonctionnalité du serveur DNS |
| `Clear-DnsServerCache` | Vider le cache DNS |### Sauvegarde des fichiers de zone
```bash
# Check zone transfer configuration
named-checkconf
named-checkzone example.com /etc/bind/db.example.com
# Verify network connectivity
telnet secondary-dns-server 53
# Check TSIG key configuration
rndc-confgen -a
```### Gestion du cache
```bash
# Check DNSSEC chain
dig +dnssec +trace www.example.com
# Verify key signatures
dig +dnssec example.com DNSKEY
# Check DS records in parent zone
dig +dnssec example.com DS
```### Maintenance des zones
```bash
# Monitor query load
rndc stats
tail -f /var/log/bind/query.log
# Check cache hit ratio
rndc dumpdb -cache
grep "cache" /var/cache/bind/named_dump.db
# Analyze query patterns
awk '\\\\{print $1\\\\}' /var/log/bind/query.log|sort|uniq -c|sort -nr
```## Référence des commandes