IPv6: BIND DNS Operation
sumber: http://what-when-how.com/ipv6-advanced-protocols-implementation/ipv6-dns-operation-with-bind-part-1/
BIND (Berkeley Internet Name Domain) adalah aplikasi DNS server yang paling banyak digunakan. Di kembangkan oleh Internet Systems Consortium, Inc. (ISC), dan tersedia secara bebas di
Versi terakhir saat tulisan ini dibuat adalah versi 9. Semua versi BIND9 mendukung IPv6.
Secara umum ada tiga (3) operasi DNS:
- Authoritative servers
- Caching servers
- Stub resolvers
Package BIND berisi ke tiga (3) fungsi tersebut.Daemon named dapat berfungsi sebagai authoritative server saja, atau caching server saja, atau ke dua-nya sekaligus. Sebuah library portable resolver, biasanya dikenal sebagai libbind, dapat memberikan fungsi stub resolver.
BIND9 Secara Umum
Fitur teknis BIND9, secara umum mempunyai karakteristik berikut:
- Full compliance pada standard protocol DNS terakhir
- IPv6 support, untuk transport maupun content
- Support DNS security extension (DNSSEC)
- Thread-based software architecture untuk mendukung mesin dengan multiprocessor
Memperoleh BIND9
Secara gratis, bisa di peroleh melalui
- ISC Web
- FTP ftp://ftp.isc.org/isc/bind9/VERSION/
Build & Install BIND9
Cara paling gampang di Ubuntu menggunakan perintah
apt install bind9
BIND9 untuk operasi IPv6
File named.conf
File /etc/bind/named.conf bisa di edit untuk mengatur, hal seperti,
- Run-time parameter dari named
- Mendefinisikan zone
- dll.
Address Match List
- Untuk mengontrol DNS transport, daftar address yang match yang bisa berisi IPv4 address, IPv4 prefix, IPv6 address, IPv6 prefix.
- Untuk address IPv6 link-local atau prefix, ikita mengunkan notasi "%". Misalnya sebuah local link IPv6 address fe80::1 yang tersambung ke interface fxp0, maka penulisnya adalah fe80::1%fxp0. Dengan cara yang sama untuk satu subnet fe80::%fxp0/10.
Enable Accept Query IPv6
Untuk membuka akses agar BIND dapat di quiery menggunakan IPv6, kita dapat menggunakan opsi listen-on-v6. sebagai berikut,
listen-on-v6 { any; };
atau kalau kita ingin membatasi (hanya localhost), bisa,
listen-on-v6 { ::1; );
Access Control
BIND9 named mendukung beberapa opsi untuk kebutuhan access control. Teknik yang digunakan biasanya adalah address match list, contoh
allow-query { 192.0.2.0/24; 2001 :db8:1::/64; );
atau kalau hanya local subnetwork aja, bisa,
allow-query { localnets; };
Cara yang sama berlaku untuk opsi : allow-notify, allow-transfer, allow-recursion, dan allow-update-forwarding.
Spesifikasi Source Address
BIND9 memungkinkan user untuk menggunakan source address tertentu untuk DNS transport. Secara umum, opsi untuk IPv6 transport menggunakan konvensi penamaan xxx-source-v6 dimana xxx mengidentifikasikan operasi yang dilakukan. Penggunaannya sama dengan IPv4 yang equivalen.
Contoh, untuk menset source address DNS query yang dikirim dari sistem misalnya dari 2001:db8::1 maka kita dapat menggunakan perintah berikut,
query-source-v6 address 2001:db8::1;
Untuk source address untuk domain transfer,
transfer-source-v6 2001:db8::1;
Spesifikasi Server Address
In some cases, the IP address(es) of a remote DNS server must be specified in the configuration file. For example, to perform zone transfer, the IP address(es) of the master (primary) server must be specified in a zone-specific configuration. Both IPv4 and IPv6 addresses can be specified for these cases.
The following is an example of the zone transfer case. It specifies an IPv4 address 192.0.2.1 and an IPv6 address 2001 :db8::1 as master (primary) servers of a zone for which this system is acting as a slave (secondary):
tmp22-165_thumb
In a masters statement an arbitrary number of IPv4 or IPv6 addresses can be specified. Of course, it can consist of addresses of a single address family, either IPv4 or IPv6.
This notation works for also-notify, forwarders, and dual-stack-servers. Similarly, either an IPv4 or an IPv6 address can be specified for a server statement, which defines characteristics of a particular remote server. For example, the following specifies not to use EDNS0 with the server that has an IPv6 address 2 0 01 :db8::1:
tmp22-166_thumb Other IPv6-Related Options
The following are other options that are related to the IPv6 operation.
preferred-glue This option specifies the preference of glue resource records when not all of them can be stored in a single UDP response due to the size limitation (see Section 3.3.4). For example, consider a zone kame.example that contains the following delegation:
tmp22-167_thumb
That is, there are nine nameservers for a delegated zone child.kame.example, each of which has one A and one AAAA glue resource records.
The default limitation of UDP responses is usually too small to store all the glue resource records. By default, a BIND9 server returns some A records and some AAAA records when it returns a delegation to the child.kame.example zone. But if the following line is specified in the options statement:
tmp22-168_thumb
then the response would contain all the A resource records and (possibly) some AAAA resource records.
Similarly, if the following line is specified:
tmp22-169_thumb
then the response would probably contain as many AAAA records as possible and no A records.
This is a new feature in BIND 9.3. BIND 9.2 does not support this option.
Today it is generally advisable to specify the A record for preferred-glue. In fact, since most of the DNS (caching) server implementations that support IPv6 transport also support EDNS0 and responses to such servers will always contain a full set of glue records, this preference effectively does not have any negative impact on the caching servers; the cost at the authoritative server to handle the preference should be negligible. On the other hand, preferring A records will help older implementations that do not support IPv6 transport or EDNS0 when a response is large and some glue records must be omitted. In this case glue records of type A are clearly much more useful than AAAA glue records for these caching servers.
dual-stack-servers This option specifies the last resort forwarder for a single stack (i.e., either only IPv4 or only IPv6) caching server. Unlike the forwarders option, the caching server system normally tries to resolve names by itself in a recursive manner. However, if the system detects that a remote server cannot be reached due to address family mismatch (e.g., when the local system only has IPv4 connectivity but the remote server only has AAAA glue records), a forwarder specified in dual-stack-servers that has the missing connectivity will be used. This option does not have any effect on a dual stack node.
Note that in this context dual stack means the system can open both AF_INET and AF_INET6 sockets. This is always the case for the generic FreeBSD kernel even if the node does not have an IP address for the corresponding address family. Therefore, named must either be built with —disable-ipv6 or be invoked with the -4 option (see below for this option) in order to act as an IPv4-only node; similarly, named must be invoked with the -6 option in order to act as an IPv6-only node. Otherwise, it will be treated as a dual stack node and dual-stack-servers will not work as expected.
FIGURE 3-24
FIGURE 3-24
Referensi
- http://what-when-how.com/ipv6-advanced-protocols-implementation/ipv6-dns-operation-with-bind-part-1/