Build your own recursive DNS server
Add Date : 2016-04-14
Normally, when we connect to a foreign network, we let the DNS server handed to us by the DHCP server do the name resolution. In my opinion, that approach carries a large security risk.

Using a DNS server provided by someone else means that the results of your queries are whatever that server's administrator wants you to receive. Since the role of an authoritative DNS server is simply to give out the names under the domains it hosts (see Wikipedia for the details), I believe that, in general, the answers of an authoritative server are not the problem, unless its administrator turns traitor :-)

Non-authoritative DNS is different: its role is not to host names, but merely to resolve the names that clients send it and hand back the result. The most common kind of non-authoritative DNS is a recursive resolver, which works as follows:

Suppose you ask a recursive resolver for the IP address of www.linuxidc.com and its cache holds nothing relevant. The resolver first asks a root authoritative server for the address of the authoritative server responsible for all of .com; it then asks that server (call it A) for the address of the next-level authoritative server responsible for linuxidc.com (call it B); finally it asks B for the address of www.linuxidc.com and returns that address to the client. As you can see, this is a recursive process, and you can watch it happen with the dig debugging tool that ships with BIND: $ dig +trace www.linuxidc.com
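To make the referral chain above concrete, here is an added example (not code from the post, and not real BIND or dig behaviour) that simulates a recursive resolver walking from a hypothetical root server, through the .com server (A) and the linuxidc.com server (B), to the final address, recording each step the way dig +trace prints it and caching the answer for the next lookup. All server addresses are constructed placeholders from documentation ranges.

```python
"""Simulated recursive (iterative) resolution as dig +trace displays it.
Added example: the servers and addresses below are invented placeholders."""

# Hypothetical authoritative servers. Each maps a zone name to either a
# referral ("NS", address-of-next-server) or a final answer ("A", ip).
ROOT_SERVER = "198.51.100.1"   # stands in for a root server (constructed)
AUTHORITATIVE = {
    ROOT_SERVER:   {"com.": ("NS", "203.0.113.2")},             # root refers to .com (server A)
    "203.0.113.2": {"linuxidc.com.": ("NS", "203.0.113.3")},    # A refers to linuxidc.com (server B)
    "203.0.113.3": {"www.linuxidc.com.": ("A", "192.0.2.80")},  # B answers for www.linuxidc.com
}


def normalize(name):
    """Lower-case and fully qualify a name so 'WWW.linuxidc.com' matches 'www.linuxidc.com.'."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def ask(server, qname):
    """Simulate one query to an authoritative server: return the record for the
    longest suffix of qname that the server knows, or None if it knows nothing."""
    records = AUTHORITATIVE.get(server, {})
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:]) + "."
        if suffix in records:
            return records[suffix]
    return None


def resolve(name, cache=None, trace=None):
    """Resolve name the way a recursive resolver does: start at the root, follow
    referrals until an answer arrives, then cache it. Every step is appended to
    trace, mirroring the lines dig +trace would show."""
    cache = {} if cache is None else cache
    trace = [] if trace is None else trace
    qname = normalize(name)
    if qname in cache:                       # cached: no authoritative server is asked at all
        trace.append(f"cache hit: {qname} -> {cache[qname]}")
        return cache[qname]
    server = ROOT_SERVER
    for _ in range(8):                       # bound the chase so a referral loop cannot spin forever
        rr = ask(server, qname)
        trace.append(f"{server}: {rr}")
        if rr is None:
            raise LookupError(f"{server} has no data for {qname}")
        rtype, value = rr
        if rtype == "A":
            cache[qname] = value
            return value
        server = value                       # referral: ask the next server down the tree
    raise LookupError(f"too many referrals while resolving {qname}")


if __name__ == "__main__":
    cache, trace = {}, []
    print(resolve("www.linuxidc.com", cache, trace))
    print(resolve("www.linuxidc.com", cache, trace))   # second lookup is served from the cache
    print("\n".join(trace))
```

The second call in the usage block never touches an authoritative server, which is exactly the cache that the post later worries about: a poisoned entry there is handed out until it expires.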

A non-authoritative server, however, can return an entirely different address set by its administrator, to serve whatever hidden purpose they have. The effect resembles DNS hijacking, but in this attack scenario nobody tampers with DNS packets in transit; the problem lies in the information the DNS server itself returns.

Even when the non-authoritative server you use directly harbours no ill intent, the results it fetches from authoritative servers can still be tampered with. DNSSEC provides a digital-signature mechanism to prevent such tampering, but we still cannot tell whether the non-authoritative server we use validates DNSSEC.

Security cannot be entrusted to others. The facts above point to one solution: on each of your own computers, build a non-authoritative DNS server that performs the recursive queries itself, and make the DNS client on that computer use only this server for its queries.

Free software for this includes Unbound and BIND; I use the oldest DNS server software, BIND.

BIND's default configuration is a recursive DNS server, and recent versions of BIND support DNSSEC. This means that when you resolve a name whose authoritative servers at every level have deployed DNSSEC (Taiwanese domain names, for example), any tampering is useless: as long as the tamperer cannot stop the genuine answer from arriving, you always get the correct result.

DNSSEC, however, is not yet universal. In practice the last authoritative server (the one that finally gives the IP address of the name you want) often does not support DNSSEC, so the most stubborn DNS cache poisoning attacks can still pollute the cache of our recursive server. But if we know some non-authoritative servers that always return correct results for certain polluted domains, we can use BIND's zone facility (Unbound unfortunately seems to lack it) to send queries for those domains to the unpolluted DNS servers instead.

BIND's main configuration file, named.conf, is usually split with include statements into several sub-configuration files, each managed separately. We can add a sub-configuration file dedicated to zone configuration, for example:

include "/etc/bind/named.conf.zones";

Then write the forwarding rules in that sub-configuration file:

zone "domain.example.com" {
    type forward;
    forwarders { ipaddr-of-server0; ipaddr-of-server1; ... };
};

The sub-configuration file can itself be split further with include statements. See the BIND man pages for more advanced usage.
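As an added example (not the post's own code or any BIND tooling), the script below generates a named.conf.zones file of forward zones from a table of polluted domains and the resolvers trusted for them, validates that every forwarder is an IP literal (BIND does not accept host names there), and runs a cheap brace-balance check before the file is handed to named-checkconf. The domains and addresses in the table are constructed placeholders; it also adds forward only, a real BIND option, so that the server never falls back to its own recursion for these zones when the forwarders are unreachable.

```python
"""Generate a BIND sub-configuration of forward zones from a table of
"polluted domain -> trusted resolvers".  Added example, not from the post;
the table contents are constructed placeholders."""
import ipaddress

# Constructed table: domains whose normal resolution is polluted, and the
# anti-pollution resolvers that answer correctly for them.
FORWARD_TABLE = {
    "domain.example.com": ["192.0.2.53", "2001:db8::53"],
    "other.example.net": ["198.51.100.53"],
}


def forward_zone(domain, forwarders):
    """Return one 'type forward' zone stanza. Forwarders must be IP literals;
    a malformed zone name or address raises ValueError instead of producing
    a file that named will reject later."""
    domain = domain.strip().rstrip(".")
    if not domain or domain.startswith(".") or ".." in domain or any(c.isspace() for c in domain):
        raise ValueError(f"bad zone name: {domain!r}")
    if not forwarders:
        raise ValueError(f"no forwarders given for {domain}")
    addrs = [str(ipaddress.ip_address(a)) for a in forwarders]   # raises ValueError on non-IP input
    # 'forward only' keeps BIND from falling back to its own (possibly polluted)
    # recursion for this zone when none of the forwarders answer.
    return (
        f'zone "{domain}" {{\n'
        f"    type forward;\n"
        f"    forward only;\n"
        f"    forwarders {{ {'; '.join(addrs)}; }};\n"
        f"}};\n"
    )


def render_named_conf_zones(table):
    """Render every stanza, sorted so the output is stable under version control."""
    return "\n".join(forward_zone(d, f) for d, f in sorted(table.items()))


def braces_balanced(text):
    """Cheap structural check for the most common hand-editing slip, a stanza
    missing its closing '};'. named-checkconf remains the real syntax check."""
    depth = 0
    for ch in text:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    conf = render_named_conf_zones(FORWARD_TABLE)
    assert braces_balanced(conf)
    print(conf, end="")   # e.g. write to /etc/bind/named.conf.zones, then run named-checkconf
```

Because the table is data rather than hand-written config, adding a newly discovered polluted domain is a one-line change, and the validation runs before anything reaches the live server.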

As a result, the vast majority of domain names, which still depend on authoritative DNS servers deployed elsewhere, are resolved by our own recursive queries with caching, avoiding the unknown behaviour of an untrusted non-authoritative DNS provided by others; the few seriously polluted domains are handed to a corresponding anti-pollution DNS server, and the set of domains forwarded to a particular unpolluted server can grow as new cases are discovered. The combination of these two methods withstands the most common DNS-related attacks.

If you edit the BIND configuration files, use named-checkconf and named-checkzone to check their syntax. BIND must be restarted (or reloaded) for the new configuration to take effect. Note that these operations normally require root privileges.

After installing BIND and confirming with dig that it works, add one line to your dhclient.conf (its location may vary by distribution):

prepend domain-name-servers 127.0.0.1;

or remove the comment symbol in front of that line if it is already present. After reconnecting to the network, /etc/resolv.conf is updated and the client machine uses the DNS server listening on the local port 53 for its queries; the DNS servers handed out by DHCP are blocked.

Blocking the DHCP-supplied DNS servers is the work of the resolvconf program, which updates resolv.conf and whose default setting TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS performs this function. If you need the DHCP-supplied DNS, you can set that option to no in /etc/default/resolvconf (location may vary by distribution) to turn the protection off, but for the reasons given above doing so is a security risk and I do not recommend it. If you need to go through the sign-in process of some public wireless LAN hotspots, you can manually write the DHCP-supplied DNS information into resolv.conf and remove it once the sign-in succeeds; I am also studying a safer way to deal with the sign-in process. Of course, we have also seen some particularly harsh public wireless hotspots that block every query not directed to the DNS server supplied by DHCP; with such rogue hotspots the only thing you can do is stay away.
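To check what the client side actually ends up with, here is an added example (not the post's own code and not part of resolvconf or dhclient) that parses a resolv.conf, mimics what resolvconf's TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS=yes does to the nameserver list, and reports which non-loopback servers would still receive this machine's queries. The sample file content is constructed; the function names are the example's own.

```python
"""Audit a resolv.conf nameserver list the way resolvconf's truncation
option shapes it.  Added example, not from the post; the sample file below
is constructed."""
import ipaddress

# Constructed resolv.conf as resolvconf might write it with truncation turned OFF:
# the loopback entry from 'prepend' comes first, the DHCP-supplied server follows.
SAMPLE_RESOLV_CONF = """\
# Dynamic resolv.conf(5) file (constructed sample)
nameserver 127.0.0.1
# next entry was handed out by DHCP
nameserver 192.0.2.53
search example.net
"""


def nameservers(text):
    """Extract nameserver addresses in file order, ignoring comment lines."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; non-addresses are never treated as loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def truncate_after_loopback(servers):
    """What TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS=yes does: keep the
    list up to and including the first loopback address and drop everything
    after it, so the local BIND is the only server the stub resolver can reach."""
    kept = []
    for s in servers:
        kept.append(s)
        if is_loopback(s):
            break
    return kept


def leaked_servers(servers):
    """Non-loopback servers that would still receive this machine's queries."""
    return [s for s in servers if not is_loopback(s)]


if __name__ == "__main__":
    servers = nameservers(SAMPLE_RESOLV_CONF)
    print("as written:", servers, "-> queries also reach:", leaked_servers(servers))
    trimmed = truncate_after_loopback(servers)
    print("after truncation:", trimmed, "-> queries also reach:", leaked_servers(trimmed))
```

Run against the real file (`nameservers(open("/etc/resolv.conf").read())`), a non-empty leaked_servers result means the prepend line or the resolvconf setting is not doing its job and DHCP-supplied servers are still being consulted.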
CopyRight 2002-2020 newfreesoft.com, All Rights Reserved.