IPv6 Server: Berkeley Internet Name Domain (BIND) daemon “named”
IPv6 has been supported since version 9. Always use the latest version, and at least version 9.1.3, because older versions contain security holes.
Listening on an IPv6 address
Unlike the IPv4 case, the IPv6 implementation does not allow the server to bind its server socket to a dedicated IPv6 address. Therefore only "any" and "none" are valid values. Because this may be a security issue, check the Access Control List (ACL) section below.
Enable BIND named for listening on IPv6 address
To make named listen on IPv6, the following option has to be set:
options {
        # sure other options here, too
        listen-on-v6 { any; };
};
After a restart you should see something like the following:
# netstat -lnptu |grep "named\W*$"
tcp  0  0 :::53          :::*       LISTEN  1234/named  # incoming TCP requests
udp  0  0 1.2.3.4:53     0.0.0.0:*          1234/named  # incoming UDP requests to IPv4 1.2.3.4
udp  0  0 127.0.0.1:53   0.0.0.0:*          1234/named  # incoming UDP requests to IPv4 localhost
udp  0  0 0.0.0.0:32868  0.0.0.0:*          1234/named  # dynamic chosen port for outgoing queries
udp  0  0 :::53          :::*               1234/named  # incoming UDP request to any IPv6
A simple test can be done as follows:
# dig localhost @::1
and it should show a result.
Disable BIND named for listening on IPv6 address
To disable listening on IPv6, set the following option:
options {
        # sure other options here, too
        listen-on-v6 { none; };
};
IPv6-enabled Access Control Lists (ACL)
IPv6-enabled ACLs are possible and should be used. An example looks like the following:
acl internal-net {
        127.0.0.1;
        1.2.3.0/24;
        2001:0db8:100::/56;
        ::1/128;
        ::ffff:1.2.3.4/128;
};
acl ns-internal-net {
        1.2.3.4;
        1.2.3.5;
        2001:0db8:100::4/128;
        2001:0db8:100::5/128;
};
These ACLs can be used, for example, to restrict queries from clients and zone transfers to secondary name servers. This prevents, among other things, our caching name server from being used from outside via IPv6.
options {
        # sure other options here, too
        listen-on-v6 { none; };
        allow-query { internal-net; };
        allow-transfer { ns-internal-net; };
};
It is also possible to set the allow-query and allow-transfer options in a single zone definition only.
Sending queries from a dedicated IPv6 address
This option is not required, but if desired:
query-source-v6 address <ipv6address|*> port <port|*>;
Per-zone defined dedicated IPv6 addresses
It is also possible to define some IPv6 addresses per zone.
Transfer source address
The transfer source address is used for outgoing zone transfers:
transfer-source-v6 <ipv6addr|*> [port port];
Notify source address
The notify source address is used for outgoing notify messages:
notify-source-v6 <ipv6addr|*> [port port];
IPv6 DNS zone files examples
Some information can also be found at IPv6 DNS Setup Information (article). Perhaps also helpful is the IPv6 Reverse DNS zone builder for BIND 8/9 (webtool).
For IPv6, new record types and root zones for reverse lookups are defined:
- AAAA and reverse IP6.INT: specified in RFC 1886 / DNS Extensions to support IP version 6, usable since BIND version 4.9.6
- A6, DNAME (DEPRECATED NOW!) and reverse IP6.ARPA: specified in RFC 2874 / DNS Extensions to Support IPv6 Address Aggregation and Renumbering, usable since BIND 9, but see also the information about the current state at Domain Name System Extension (dnsext)
Perhaps more content will be filled in later; for the meantime take a look at the given RFCs and:
- AAAA and reverse IP6.INT: IPv6 DNS Setup Information
- A6, DNAME (DEPRECATED NOW!) and reverse IP6.ARPA: take a look into chapters 4 and 6 of the BIND 9 Administrator Reference Manual (ARM) distributed with the bind package, or get it here: BIND manual version 9.3
Because IP6.INT is deprecated (but still in use), a DNS server that is to support IPv6 information has to serve both reverse zones.
Current best practice
Because there are some problems with using the new formats, current best practice is:
Forward lookup support:
- AAAA
Reverse lookup support:
- Reverse nibble format for zone ip6.int (FOR BACKWARD COMPATIBILITY)
- Reverse nibble format for zone ip6.arpa (RECOMMENDED)
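The reverse nibble format and the "serve both zones" rule above, worked through in code. This is an added example, not part of the original HOWTO or of BIND: it builds the PTR owner names and zone origins under ip6.arpa and ip6.int for the 2001:0db8:100::/56 prefix used in the ACL section; the hostnames ns1/ns2.example.com are constructed.

```python
import ipaddress

def reverse_nibbles(addr: str) -> list:
    """All 32 hex nibbles of an IPv6 address, least significant first (the nibble format)."""
    hexdigits = ipaddress.IPv6Address(addr).exploded.replace(":", "")  # 32 zero-padded hex digits
    return list(reversed(hexdigits))

def reverse_name(addr: str, suffix: str = "ip6.arpa") -> str:
    """Full PTR owner name under ip6.arpa (recommended) or ip6.int (backward compatibility)."""
    return ".".join(reverse_nibbles(addr)) + f".{suffix}."

def reverse_zone_origin(prefix: str, suffix: str = "ip6.arpa") -> str:
    """Origin of the reverse zone holding a prefix; nibble zones can only be cut on 4-bit boundaries."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 for nibble-format reverse zones")
    count = net.prefixlen // 4
    # The most significant 'count' nibbles sit at the end of the reversed list, already in zone order.
    nibbles = reverse_nibbles(str(net.network_address))[32 - count:]
    return ".".join(nibbles) + f".{suffix}."

def ptr_records(addr: str, hostname: str, prefix: str) -> dict:
    """Relative PTR record for addr in both reverse zones, keyed by zone origin, so the same
    data can be served under ip6.arpa and under the deprecated but still queried ip6.int."""
    net = ipaddress.IPv6Network(prefix)
    if ipaddress.IPv6Address(addr) not in net:
        raise ValueError(f"{addr} is not inside {prefix}")
    origins = [reverse_zone_origin(prefix, sfx) for sfx in ("ip6.arpa", "ip6.int")]
    host_part = ".".join(reverse_nibbles(addr)[: (128 - net.prefixlen) // 4])
    return {origin: f"{host_part}\tIN\tPTR\t{hostname}." for origin in origins}

if __name__ == "__main__":
    # Constructed hostnames for the two name servers listed in ns-internal-net above.
    for ip, name in (("2001:0db8:100::4", "ns1.example.com"), ("2001:0db8:100::5", "ns2.example.com")):
        for origin, record in ptr_records(ip, name, "2001:0db8:100::/56").items():
            print(f"$ORIGIN {origin}\n{record}")
```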
22.1.7. Checking IPv6-enabled connect
To check whether BIND named is listening on an IPv6 socket and serving data, see the following examples.
22.1.7.1. IPv6 connect, but denied by ACL
Specifying a dedicated server for the query, an IPv6 connect can be forced:
$ host -t aaaa www.6bone.net 2001:0db8:200:f101::1
Using domain server:
Name: 2001:0db8:200:f101::1
Address: 2001:0db8:200:f101::1#53
Aliases:

Host www.6bone.net. not found: 5(REFUSED)
The related log entry looks like the following:
Jan 3 12:43:32 gate named[12347]: client 2001:0db8:200:f101:212:34ff:fe12:3456#32770: query denied
If you see such entries in the log, check whether requests from this client should be allowed and perhaps review your ACL configuration.
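A way to do that review for the ACLs defined in the named.conf excerpt above and for the "query denied" log lines shown here: for every denied client it evaluates the page's internal-net list and reports whether the ACL would actually have admitted that client. This is an added example, not code from the HOWTO or from BIND; the log lines other than the one quoted on the page are constructed, and it assumes the "client <addr>#<port>: query denied" format shown above.

```python
import ipaddress
import re

# The two address match lists from the named.conf excerpt above.
ACLS = {
    "internal-net": ["127.0.0.1", "1.2.3.0/24", "2001:0db8:100::/56",
                     "::1/128", "::ffff:1.2.3.4/128"],
    "ns-internal-net": ["1.2.3.4", "1.2.3.5",
                        "2001:0db8:100::4/128", "2001:0db8:100::5/128"],
}

def acl_matches(acl_name: str, client: str) -> bool:
    """First-match evaluation of a BIND address match list; a leading '!' negates an element.
    An element without a prefix length is a single host. An IPv4-mapped client (::ffff:a.b.c.d)
    is an IPv6 address here and never matches an IPv4 element, which is why the page's ACL
    lists ::ffff:1.2.3.4/128 separately."""
    addr = ipaddress.ip_address(client)
    for element in ACLS[acl_name]:
        negated = element.startswith("!")
        net = ipaddress.ip_network(element.lstrip("!"), strict=False)
        if addr.version == net.version and addr in net:
            return not negated
    return False  # nothing matched: for allow-query this means the query is refused

# Log line shape shown above: "client <addr>#<port>: query denied".
DENIED_RE = re.compile(r"client (?P<ip>[0-9a-fA-F:.]+)#(?P<port>\d+): query denied")

# Constructed sample log; the first line is the one quoted on the page.
SAMPLE_LOG = """\
Jan  3 12:43:32 gate named[12347]: client 2001:0db8:200:f101:212:34ff:fe12:3456#32770: query denied
Jan  3 12:44:01 gate named[12347]: client 2001:0db8:100::4#53012: query denied
Jan  3 12:44:05 gate named[12347]: client 1.2.3.7#40123: query denied
Jan  3 12:44:09 gate named[12347]: client ::ffff:1.2.3.5#40124: query denied
"""

def triage_denials(log_text: str, acl_name: str = "internal-net") -> dict:
    """Map each denied client address to whether the ACL would have admitted it.
    True means the refusal contradicts the ACL, so named.conf and the per-zone
    allow-query options deserve a look; False means the refusal is the expected outcome."""
    verdict = {}
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            verdict[m["ip"]] = acl_matches(acl_name, m["ip"])
    return verdict

if __name__ == "__main__":
    for ip, should_allow in triage_denials(SAMPLE_LOG).items():
        print(f"{ip:45} {'REVIEW: client is inside the ACL' if should_allow else 'expected denial'}")
```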
Successful IPv6 connect
A successful IPv6 connect looks like the following:
$ host -t aaaa www.6bone.net 2001:0db8:200:f101::1
Using domain server:
Name: 2001:0db8:200:f101::1
Address: 2001:0db8:200:f101::1#53
Aliases:

www.6bone.net. is an alias for 6bone.net.
6bone.net. has AAAA address 3ffe:b00:c18:1::10