IPv6: BIND DNS Operation

From OnnoWiki
Revision as of 09:07, 28 February 2019 by Onnowpurbo (talk | contribs)

source: http://what-when-how.com/ipv6-advanced-protocols-implementation/ipv6-dns-operation-with-bind-part-1/


BIND (Berkeley Internet Name Domain) is the most widely used DNS server application. It is developed by Internet Systems Consortium, Inc. (ISC), and is freely available at

The latest version at the time of writing is version 9. All BIND9 versions support IPv6.

Broadly, there are three kinds of DNS operation:

  • Authoritative servers
  • Caching servers
  • Stub resolvers

The BIND package provides all three functions. The named daemon can act as an authoritative server only, as a caching server only, or as both at the same time. A portable resolver library, usually known as libbind, provides the stub resolver function.

BIND9 in General

Technically, BIND9 has the following general characteristics:

  • Full compliance with the latest DNS protocol standards
  • IPv6 support, for both transport and content
  • Support for the DNS security extensions (DNSSEC)
  • Thread-based software architecture to support multiprocessor machines

Obtaining BIND9

It can be obtained free of charge via

Build & Install BIND9

The easiest way on Ubuntu is to use the command

apt install bind9

BIND9 for IPv6 Operation

The named.conf File

The file /etc/bind/named.conf can be edited to configure things such as:

  • Run-time parameters of named
  • Zone definitions
  • etc.

Address Match List

  • To control DNS transport, an address match list can contain IPv4 addresses, IPv4 prefixes, IPv6 addresses, and IPv6 prefixes.
  • For an IPv6 link-local address or prefix, we use the "%" notation. For example, a link-local IPv6 address fe80::1 attached to interface fxp0 is written as fe80::1%fxp0. In the same way, the whole link-local prefix on that interface is written fe80::%fxp0/10.


Enabling Queries over IPv6

To allow BIND to be queried over IPv6, we can use the listen-on-v6 option, as follows:

listen-on-v6 { any; };

or, to restrict it (to localhost only):

listen-on-v6 { ::1; };

Access Control

BIND9 named supports several options for access control. The technique used is usually an address match list, for example:

allow-query { 192.0.2.0/24; 2001:db8:1::/64; };

or, for the local subnetworks only:

allow-query { localnets; };

The same notation applies to the options allow-notify, allow-transfer, allow-recursion, and allow-update-forwarding.
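The following options fragment puts the listen-on-v6 setting and the allow-* access controls above together in one place. It is an added example, not configuration from the page or from ISC; the addresses are documentation prefixes, the interface name fxp0 follows the page's own example, and the ACL name "trusted" is an assumption.

```conf
// /etc/bind/named.conf.options (added example; all addresses are constructed)

// A named address match list. Single addresses, prefixes and the built-in
// ACLs (localhost, localnets, any, none) may be mixed freely.
acl "trusted" {
    192.0.2.0/24;        // IPv4 prefix
    2001:db8:1::/64;     // IPv6 prefix
    fe80::%fxp0/10;      // link-local prefix scoped to interface fxp0 (page's notation)
    localhost;           // the server's own addresses
};

options {
    // Accept IPv6 queries only on the service address and loopback rather
    // than on "any", so no unintended address is exposed.
    listen-on    { 192.0.2.53; };
    listen-on-v6 { 2001:db8:1::53; ::1; };

    // Every allow-* option takes the same address match list syntax.
    allow-query             { trusted; };
    allow-recursion         { localnets; };
    allow-transfer          { 2001:db8:1::54; };   // only the secondary server
    allow-notify            { 2001:db8:1::54; };
    allow-update-forwarding { none; };
};
```

Run named-checkconf on the file before reloading named; a query from a host outside the "trusted" list should then be refused, while a query from ::1 (for example with dig -6 @::1) is answered.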

Source Address Specification

BIND9 allows the user to specify a particular source address for DNS transport. The configuration options for this purpose are separated for IPv4 and IPv6. In general, options for IPv6 transport have the naming convention xxx-source-v6 where xxx identifies a particular operation. The usage is the same as that of the corresponding options for IPv4.

For example, in order to specify 2001:db8::1 as the source address of DNS queries sent from the system, the following should be added:

[configuration example image not reproduced]

Similarly, the following option specifies the IPv6 address 2001:db8::2 as the source address for zone transfers:

[configuration example image not reproduced]
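The two cases just described, written out as an added example (not the page's own configuration); the IPv4 addresses are constructed, and the IPv6 addresses are the ones named in the text:

```conf
// options fragment for /etc/bind/named.conf (added example; addresses constructed)
options {
    // Source address of queries this server sends out, one per address family.
    query-source    address 192.0.2.53;
    query-source-v6 address 2001:db8::1;

    // Source address used when this server pulls zone transfers from its primaries.
    transfer-source    192.0.2.53;
    transfer-source-v6 2001:db8::2;

    // Source address of NOTIFY messages sent to secondaries.
    notify-source-v6   2001:db8::2;
};
```

Each address given here must be configured on a local interface, otherwise named cannot bind the socket. The remote side sees this address, so the peer's allow-transfer or allow-notify list has to match the chosen source, not whatever address the kernel would otherwise pick.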

The same notation also applies to the options notify-source-v6 and alt-transfer-source-v6.

Server Address Specifications

In some cases, the IP address(es) of a remote DNS server must be specified in the configuration file. For example, to perform zone transfer, the IP address(es) of the master (primary) server must be specified in a zone-specific configuration. Both IPv4 and IPv6 addresses can be specified for these cases.

The following is an example of the zone transfer case. It specifies an IPv4 address 192.0.2.1 and an IPv6 address 2001:db8::1 as master (primary) servers of a zone for which this system is acting as a slave (secondary):

[configuration example image not reproduced]

In a masters statement an arbitrary number of IPv4 or IPv6 addresses can be specified. Of course, it can consist of addresses of a single address family, either IPv4 or IPv6.

This notation works for also-notify, forwarders, and dual-stack-servers. Similarly, either an IPv4 or an IPv6 address can be specified for a server statement, which defines characteristics of a particular remote server. For example, the following specifies not to use EDNS0 with the server that has an IPv6 address 2001:db8::1:
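Covering both the masters statement and the server statement described above, here is an added example (not the page's own configuration) of a secondary zone whose primaries are a mix of IPv4 and IPv6, plus a server statement that disables EDNS0 for the IPv6 peer; the zone name and file path are assumptions:

```conf
// Secondary zone pulling from primaries over either address family
// (added example; constructed zone name and file path).
zone "kame.example" {
    type slave;                           // spelled "secondary" in newer BIND 9 releases
    file "slave/kame.example.db";
    masters { 192.0.2.1; 2001:db8::1; };  // "primaries" in newer releases; any mix of families
    allow-notify { 192.0.2.1; 2001:db8::1; };
};

// Characteristics of one remote server, keyed by its (IPv6) address.
server 2001:db8::1 {
    edns no;                              // do not use EDNS0 with this peer
};
```

Because EDNS0 is disabled for that peer, responses from it are limited to 512 bytes over UDP, which is exactly the situation in which the preferred-glue option discussed below starts to matter.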

[configuration example image not reproduced]

Other IPv6-Related Options

The following are other options that are related to the IPv6 operation.

preferred-glue This option specifies the preference of glue resource records when not all of them can be stored in a single UDP response due to the size limitation (see Section 3.3.4). For example, consider a zone kame.example that contains the following delegation:

[zone delegation example image not reproduced]

That is, there are nine nameservers for a delegated zone child.kame.example, each of which has one A and one AAAA glue resource records.
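The delegation described above, reconstructed as an added, constructed zone-file excerpt (not the page's figure): nine NS records for child.kame.example, each with one A and one AAAA glue record. All addresses are documentation prefixes.

```conf
; Excerpt of the kame.example zone file (added, constructed example).
; child.kame.example is delegated to nine name servers; since their names
; lie inside the delegated zone, the parent must carry glue for each.
$ORIGIN kame.example.
child       IN NS   ns1.child
child       IN NS   ns2.child
child       IN NS   ns3.child
child       IN NS   ns4.child
child       IN NS   ns5.child
child       IN NS   ns6.child
child       IN NS   ns7.child
child       IN NS   ns8.child
child       IN NS   ns9.child

; Glue: one A and one AAAA record per name server.
ns1.child   IN A    192.0.2.1
ns1.child   IN AAAA 2001:db8::1
ns2.child   IN A    192.0.2.2
ns2.child   IN AAAA 2001:db8::2
ns3.child   IN A    192.0.2.3
ns3.child   IN AAAA 2001:db8::3
ns4.child   IN A    192.0.2.4
ns4.child   IN AAAA 2001:db8::4
ns5.child   IN A    192.0.2.5
ns5.child   IN AAAA 2001:db8::5
ns6.child   IN A    192.0.2.6
ns6.child   IN AAAA 2001:db8::6
ns7.child   IN A    192.0.2.7
ns7.child   IN AAAA 2001:db8::7
ns8.child   IN A    192.0.2.8
ns8.child   IN AAAA 2001:db8::8
ns9.child   IN A    192.0.2.9
ns9.child   IN AAAA 2001:db8::9
```

A referral for this delegation carries nine NS records plus up to eighteen glue records in the additional section; without EDNS0 the 512-byte UDP limit cannot hold them all, so the server must choose which glue to drop, which is what preferred-glue controls.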

The default limitation of UDP responses is usually too small to store all the glue resource records. By default, a BIND9 server returns some A records and some AAAA records when it returns a delegation to the child.kame.example zone. But if the following line is specified in the options statement:

[configuration example image not reproduced]

then the response would contain all the A resource records and (possibly) some AAAA resource records.

Similarly, if the following line is specified:

[configuration example image not reproduced]

then the response would probably contain as many AAAA records as possible and no A records.

This is a new feature in BIND 9.3. BIND 9.2 does not support this option.

Today it is generally advisable to specify the A record for preferred-glue. In fact, since most of the DNS (caching) server implementations that support IPv6 transport also support EDNS0 and responses to such servers will always contain a full set of glue records, this preference effectively does not have any negative impact on the caching servers; the cost at the authoritative server to handle the preference should be negligible. On the other hand, preferring A records will help older implementations that do not support IPv6 transport or EDNS0 when a response is large and some glue records must be omitted. In this case glue records of type A are clearly much more useful than AAAA glue records for these caching servers.

dual-stack-servers This option specifies the last resort forwarder for a single stack (i.e., either only IPv4 or only IPv6) caching server. Unlike the forwarders option, the caching server system normally tries to resolve names by itself in a recursive manner. However, if the system detects that a remote server cannot be reached due to address family mismatch (e.g., when the local system only has IPv4 connectivity but the remote server only has AAAA glue records), a forwarder specified in dual-stack-servers that has the missing connectivity will be used. This option does not have any effect on a dual stack node.

Note that in this context dual stack means the system can open both AF_INET and AF_INET6 sockets. This is always the case for the generic FreeBSD kernel even if the node does not have an IP address for the corresponding address family. Therefore, named must either be built with --disable-ipv6 or be invoked with the -4 option (see below for this option) in order to act as an IPv4-only node; similarly, named must be invoked with the -6 option in order to act as an IPv6-only node. Otherwise, it will be treated as a dual stack node and dual-stack-servers will not work as expected.
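The two options discussed in this section, preferred-glue and dual-stack-servers, in one options fragment. This is an added example, not the page's own configuration; the forwarder address is constructed, and the example assumes the host is started as an IPv4-only node with named -4, as the paragraph above requires.

```conf
// options fragment for /etc/bind/named.conf (added example; forwarder address constructed)
options {
    // When a referral does not fit in the UDP response, keep the A glue
    // and drop AAAA glue first (BIND 9.3 and later).
    preferred-glue A;

    // Last-resort forwarder for a single-stack caching server. This host
    // is started with "named -4", so a name whose servers have only AAAA
    // glue is forwarded to this dual-stack server instead of failing.
    // The forwarder itself must be reachable over IPv4, the only family
    // this host has; on a dual-stack node the option has no effect.
    dual-stack-servers { 192.0.2.254; };
};
```

If named is started without -4 on a kernel that can open AF_INET6 sockets, it counts as dual stack and this fallback is never used, so verify the effective mode (for example from the startup log) rather than assuming it from the configured addresses.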

[FIGURE 3-24: image not reproduced]


References


Interesting Links