
Setting up IPv6 reverse DNS with Knot DNS

Using Knot DNS to serve reverse DNS for your own prefix, with DNSSEC enabled

Intro

Knot DNS is a high-performance authoritative-only DNS server that supports all the key features of the modern domain name system. Comparable software includes BIND and PowerDNS.

Knot DNS is written in C and LuaJIT and includes a resolver and a daemon; its main features are:

Personally I think the Knot DNS module system is also a very nice feature. I plan to build an anycast DNS setup to play with later.

The Knot Resolver is a caching full resolver implementation written in C and LuaJIT, including both a resolver library and a daemon. Modular architecture of the library keeps the core tiny and efficient, and provides a state-machine-like API.

This article was written against Knot DNS 3.1.8. If you are interested in Knot DNS, read the official documentation.

Installing Knot DNS

It is recommended to download the latest Current Stable Branch from https://www.knot-dns.cz/download/ and pick the matching distro.

Debian:

#!/bin/bash

## Enable this repository:

unset SUDO
if [ "$(whoami)" != "root" ]; then
    SUDO=sudo
fi

${SUDO} apt-get -y install apt-transport-https lsb-release ca-certificates wget
${SUDO} wget -O /usr/share/keyrings/knot.gpg https://deb.knot-dns.cz/apt.gpg
${SUDO} sh -c 'echo "deb [signed-by=/usr/share/keyrings/knot.gpg] https://deb.knot-dns.cz/knot-latest/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/knot-latest.list'
${SUDO} apt-get update

## Install Knot DNS server:

${SUDO} apt-get install knot

## Install Knot DNS utilities:

${SUDO} apt-get install knot-dnsutils

Start: systemctl start knot
Restart: systemctl restart knot
Stop: systemctl stop knot
Reload: knotc reload

Knot DNS configuration

Base

Knot only needs a few short lines of configuration to run:

# This is a sample of a minimal configuration file for Knot DNS.
# See knot.conf(5) or refer to the server documentation.

server:
    rundir: "/run/knot"
    user: knot:knot
    # automatic-acl: on
    listen: [ 0.0.0.0@53, ::@53 ]

log:
  - target: syslog
    any: info

database:
    storage: "/var/lib/knot"

Zone templates

A template is just a template and needs no explanation. There is no inheritance between templates.

template:
  - id: default
    storage: "/var/lib/knot/"
    file: "%s.zone"

  - id: slave
    storage: "/var/lib/knot/slave"
    file: "%s.zone"

Access Control List (ACL)

If automatic-acl is not enabled, every request that requires authorization is rejected. Add an acl block to restrict which requests are authorized.

On the master, the slave server must be authorized to perform zone transfers:

acl:
  - id: acl_slave
    address: <slave-ip>
    action: transfer

On the slave, the master must be allowed to send notify:

acl:
  - id: acl_master
    address: <master-ip>
    action: notify

If you are interested in how a secondary (slave) works: How Does Secondary DNS Work?

For TSIG configuration, see: Secondary (slave) zone

remote

master:

remote:
  - id: secondary
    address: <slave-ip>@<port>

slave (secondary):

remote:
  - id: master
    address: <master-ip>@<port>

DNSSEC

DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in the DNS name servers alongside common record types such as A, AAAA, MX and CNAME. By checking the associated signature, a resolver can verify that a requested DNS record comes from its authoritative name server and was not altered in transit, rather than being a fake record injected in a man-in-the-middle attack. If you are interested in how DNSSEC works: How DNSSEC Works

Another major reason to choose Knot DNS is its support for automatic DNSSEC signing: the user only needs to define a policy on the master:

policy:
  - id: default
    algorithm: ecdsap384sha384
    ksk-lifetime: 365d
    zsk-lifetime: 30d
    nsec3: on

For the available algorithms, see: Domain Name System Security (DNSSEC) Algorithm Numbers

ECDSAP256SHA256 is recommended. With ECDSA, 128-bit security needs only a 256-bit key, whereas RSA needs 3072 bits. On choosing between ECDSA and RSA, read: ECDSA: The missing piece of DNSSEC

Generate the DS record:

keymgr <FQDN> ds

mod-synthrecord

This module automatically creates reverse records of the form 2a0c-2222-30--1.<origin>. for the prefix; individual records can be overridden by adding them manually:

mod-synthrecord:
  - id: <unique-id>
    type: reverse
    origin: <suffix, e.g. snorlax.blue>
    network: 2a0c:2222::/32

zone

Taking 2a0c:2222::/32 as an example:

master:

zone:
  - domain: 2.2.2.2.c.0.a.2.ip6.arpa
    notify: secondary
    acl: acl_slave
    module: mod-synthrecord/<unique-id>
    dnssec-signing: on
    dnssec-policy: default

slave:

zone:
  - domain: 2.2.2.2.c.0.a.2.ip6.arpa
    template: slave
    master: master
    acl: acl_master

Complete configuration examples

master

server:
    rundir: "/run/knot"
    user: knot:knot
    automatic-acl: on
    listen: [ 0.0.0.0@53, ::@53 ]

log:
  - target: syslog
    any: info

database:
    storage: "/var/lib/knot"

policy:
  - id: default
    algorithm: ecdsap384sha384
    ksk-lifetime: 365d
    zsk-lifetime: 30d
    nsec3: on

remote:
  # secondary slave server
  - id: secondary
    address: <slave-ip>@<slave-port>

acl:
  - id: acl_slave
    address: <slave-ip>
    action: transfer

template:
  - id: default
    storage: "/var/lib/knot/"
    file: "%s.zone"

mod-synthrecord:
  - id: <unique-id>
    type: reverse
    origin: <origin>
    network: 2a0c:2222::/32

zone:
    # Primary zone
  - domain: 2.2.2.2.c.0.a.2.ip6.arpa
    notify: secondary
    acl: acl_slave
    module: mod-synthrecord/<unique-id>
    dnssec-signing: on
    dnssec-policy: default

slave

server:
    rundir: "/run/knot"
    user: knot:knot
    automatic-acl: on
    listen: [ 0.0.0.0@53, ::@53 ]

log:
  - target: syslog
    any: info

database:
    storage: "/var/lib/knot"

remote:
  # primary master server
  - id: master
    address: <master-ip>@<master-port>

acl:
  - id: acl_master
    address: <master-ip>
    action: notify

template:
  - id: slave
    storage: "/var/lib/knot/slave"
    file: "%s.zone"

mod-synthrecord:
  - id: <unique-id>
    type: reverse
    origin: <origin>
    network: 2a0c:2222::/32

zone:
    # slave zone
  - domain: 2.2.2.2.c.0.a.2.ip6.arpa
    template: slave
    master: master
    module: mod-synthrecord/<unique-id>
    acl: acl_master

Debugging

  1. Error message failed to update zone file (operation not permitted):
    change the owner of the /var/lib/knot/ directory to knot:knot

Knotc

Just as bird provides birdc, knot provides knotc.

Day to day you usually need only these 4 commands; for more actions and options see: https://www.knot-dns.cz/docs/latest/html/man_knotc.html#options and https://www.knot-dns.cz/docs/latest/html/man_knotc.html#actions

knotc zone-begin zone...
knotc zone-set zone owner [ttl] type rdata
knotc zone-unset zone owner [type [rdata]]
knotc zone-commit zone...

Adding DNS records

<FQDN> example: 14.5.114.in-addr.arpa.

Note that the owner, type and similar fields you enter need the trailing . so that they are fully qualified domain names (FQDN). (If the record owner is not a fully qualified domain name, then it is considered as a relative name to the zone name)

> knotc zone-begin <FQDN>
> knotc zone-set <FQDN> @ 3600 SOA ns1.example.com. email.example.com. 48 10800 3600 604800 3600
> knotc zone-set <FQDN> @ 3600 NS ns1.example.com.
> knotc zone-set <FQDN> @ 3600 NS ns2.example.com.
> knotc zone-commit <FQDN>

Adding a PTR record

> knotc zone-begin 14.5.114.in-addr.arpa.
> knotc zone-set 14.5.114.in-addr.arpa. 114.14.5.114.in-addr.arpa. 3600 PTR 1919810.com.
> knotc zone-commit 14.5.114.in-addr.arpa.
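To tie the mod-synthrecord section and the knotc PTR commands together, here is an added example (not code from the page or from the Knot project) that derives the ip6.arpa zone name for a prefix, the owner and target names mod-synthrecord would synthesize, and the knotc commands needed to override one such record by hand. It follows the page's "2a0c-2222-30--1.<origin>." form, i.e. it assumes the module's prefix option is left empty; the origin and host names are constructed.

```python
import ipaddress


def ip6_arpa_zone(prefix: str) -> str:
    """Reverse zone for an IPv6 prefix, e.g. 2a0c:2222::/32 -> 2.2.2.2.c.0.a.2.ip6.arpa.
    Only nibble-aligned prefix lengths map onto a single ip6.arpa zone."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 for one reverse zone")
    labels = net.network_address.reverse_pointer.split(".")  # 32 nibbles + ip6 + arpa
    return ".".join(labels[32 - net.prefixlen // 4:])


def ptr_owner(addr: str) -> str:
    """Fully qualified ip6.arpa owner name of a single address (trailing dot)."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."


def synth_ptr_target(addr: str, origin: str) -> str:
    """Target mod-synthrecord synthesizes: compressed address with ':' -> '-', under origin."""
    return str(ipaddress.IPv6Address(addr)).replace(":", "-") + "." + origin.rstrip(".") + "."


def knotc_override(prefix: str, addr: str, target: str, ttl: int = 3600) -> list:
    """knotc commands adding a static PTR that takes precedence over the synthesized one.
    Every name is passed fully qualified, as the note on relative names requires."""
    zone = ip6_arpa_zone(prefix) + "."
    if ipaddress.IPv6Address(addr) not in ipaddress.IPv6Network(prefix):
        raise ValueError(f"{addr} is not inside {prefix}")
    if not target.endswith("."):
        raise ValueError("PTR target must be a FQDN ending in '.'")
    return [
        f"knotc zone-begin {zone}",
        f"knotc zone-set {zone} {ptr_owner(addr)} {ttl} PTR {target}",
        f"knotc zone-commit {zone}",
    ]


if __name__ == "__main__":
    # Constructed sample: the page's /32 and a host inside it.
    print(synth_ptr_target("2a0c:2222:30::1", "snorlax.blue"))
    for cmd in knotc_override("2a0c:2222::/32", "2a0c:2222:30::1", "host.snorlax.blue."):
        print(cmd)
```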

RIPE DB domain object

Use this link, or click "Create an Object" and choose "Object Type: domain"

Domain object wizard (source: ripe)

Note that the nserver field does not accept IP addresses directly, the name servers may not resolve to the same IP, and at least two IPv4 nservers are required.

If you do not want to run your own secondary server, you can use ns.ripe.net

RIPE's exact requirements

Keep in mind that, for a /16 (v4) and /32 (v6), you can use ns.ripe.net as the secondary server. In both cases, you have to allow zone transfers from the name server listed in the SOA resource record’s MNAME field to the RIPE NCC distribution servers. The IP addresses of the two servers are:

193.0.19.190 / 2001:67c:2e8:11::c100:13be

93.175.159.250 / 2001:67c:2d7c:66::53

If your servers are configured to send DNS notify messages and you would like ns.ripe.net to update promptly, please send them to the IP addresses listed here. Any notify messages sent directly to the addresses of ns.ripe.net will not be seen. Also bear in mind that we do not support any non-standard configurations (such as port numbers other than 53, TSIG keys and so on).

After adding the NS records, click the plus sign to add ds-rdata; run keymgr <zone-name> ds on the master NS, paste the <Keytag> <Algorithm> <Digest type> <Digest> that follows DS, and submit once it passes the check.

DNSSEC validation
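Before pasting ds-rdata into RIPE, it is worth confirming that the DS line keymgr printed really corresponds to the KSK the server publishes. The following is an added example (not code from the page or from Knot) that rebuilds the digest-type-2 DS from a DNSKEY presentation line (RFC 4034 key tag, RFC 4509 SHA-256 digest) and compares it; the DNSKEY line and its 2-byte key are constructed stand-ins, not real key material.

```python
import base64
import hashlib
import struct


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire format of a fully qualified owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label or len(label) > 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_line(line: str):
    """Split a presentation-format line as kdig prints it:
    '<owner> <ttl> IN DNSKEY <flags> <proto> <alg> <base64 ...>'."""
    f = line.split()
    i = f.index("DNSKEY")
    return f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:])


def ds_from_dnskey(owner: str, flags: int, proto: int, alg: int, key_b64: str) -> str:
    """Return '<keytag> <alg> 2 <digest>', the field order the RIPE form asks for."""
    if proto != 3 or not flags & 0x0100:
        raise ValueError("not a ZONE DNSKEY (protocol 3, ZONE flag); DS is built for the KSK")
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(key_b64)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {alg} 2 {digest}"


def ds_matches(dnskey_line: str, ds_rdata: str) -> bool:
    """True when the DS rdata (e.g. keymgr's digest-type-2 line) matches the DNSKEY."""
    return ds_from_dnskey(*parse_dnskey_line(dnskey_line)) == " ".join(ds_rdata.split()).upper()


# Constructed sample: flags 257 marks the KSK; "AQI=" is a 2-byte placeholder, not an ECDSA key.
SAMPLE_DNSKEY = "2.2.2.2.c.0.a.2.ip6.arpa. 3600 IN DNSKEY 257 3 13 AQI="
```

Feed it the DNSKEY line returned by kdig for the zone and the DS line keymgr printed; a mismatch means the DS belongs to a different or rolled key.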

  1. https://dnssec-analyzer.verisignlabs.com/
  2. https://dnsviz.net

DNSSEC Authentication Chain
