Upgrade Primary DNS Server
Version 1.0
Author: gtoms <henry at gultom dot or dot id>
Last edited 30/07/2008
- Back up the files and configuration of the Primary DNS Server (/etc/bind etc.)
- Disconnect the Primary DNS Server.
- Install a new operating system for the Primary DNS using Linux, with my favourite distro:
good old Debian, currently at version 4.0 release 3, codename Etch.
- Install the latest version of the DNS server software, which according to the
Debian Security release as of 30 July 2008 is bind9_9.3.4-2etch3_i386.deb
- Configure Bind-Chroot (Debian).
- Adjust the Bind configuration (/etc/bind)
- Test for the DNS cache poisoning vulnerability
- Optimize the firewall
- Monitoring & Maintenance
I used the Debian network installer from a minimal CD (netinst), about 180 MB,
burned to a CD-ROM, installed only the base system, and installed the supporting
software afterwards from the Debian repositories or from the software's official sites.
For a DNS server it is enough to set up the following partitions:
/
swap
/home
For installing the Debian 4.0 operating system you can follow the steps and screenshots
at:
http://www.howtoforge.com/perfect_setup_debian_etch
I did not apply every step on that website, so adapt it to the way you usually
install a Debian server, with results you already know from experience.
Installing the Debian operating system is not hard once you understand the process;
just press Enter and follow the installer's instructions. For the network mirror, use
a repository in Indonesia such as vlsm.org or indika.net.id; both are listed under
Network Mirror in the Debian netinst installer.
Below is a copy-paste from the console of what I managed to document; some parts
were not documented or have been edited by me:
After the operating system installation is complete, edit /etc/apt/sources.list
to use the network mirror, then update and upgrade so that the operating system
is fully up to date.
custrelay:/home/gtoms# apt-get update
custrelay:/home/gtoms# apt-get upgrade
Reading package lists... Done
Building dependency tree... Done
The following packages will be upgraded:
linux-image-2.6.18-6-686
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 16.3MB of archives.
After unpacking 1819kB disk space will be freed.
Do you want to continue [Y/n]? y
Get:1 http://security.debian.org etch/updates/main linux-image-2.6.18-6-686
2.6.18.dfsg.1-18etch6 [16.3MB]
Fetched 16.3MB in 4m27s (61.1kB/s)
Preconfiguring packages ...
(Reading database ... 18560 files and directories currently installed.)
Preparing to replace linux-image-2.6.18-6-686 2.6.18.dfsg.1-18etch1 (using .../linux-image-2.6.18-6-686_2.6.18.dfsg.1-18etch6_i386.deb)
...
The directory /lib/modules/2.6.18-6-686 still exists. Continuing as directed.
Done.
Unpacking replacement linux-image-2.6.18-6-686 ...
Running postrm hook script /sbin/update-grub.
You shouldn't call /sbin/update-grub. Please call /usr/sbin/update-grub instead!
Searching for GRUB installation directory ... found: /boot/grub
Searching for default file ... found: /boot/grub/default
Testing for an existing GRUB menu.lst file ... found: /boot/grub/menu.lst
Searching for splash image ... none found, skipping ...
Found kernel: /boot/vmlinuz-2.6.18-6-686
Updating /boot/grub/menu.lst ... done
Setting up linux-image-2.6.18-6-686 (2.6.18.dfsg.1-18etch6) ...
Hmm. The package shipped with a symbolic link /lib/modules/2.6.18-6-686/source
However, I can not read the target: No such file or directory
Therefore, I am deleting /lib/modules/2.6.18-6-686/source
Running depmod.
Finding valid ramdisk creators.
Using mkinitramfs-kpkg to build the ramdisk.
Not updating initrd symbolic links since we are being updated/reinstalled
(2.6.18.dfsg.1-18etch1 was configured last, according to dpkg)
Not updating image symbolic links since we are being updated/reinstalled
(2.6.18.dfsg.1-18etch1 was configured last, according to dpkg)
Running postinst hook script /sbin/update-grub.
You shouldn't call /sbin/update-grub. Please call /usr/sbin/update-grub instead!
Searching for GRUB installation directory ... found: /boot/grub
Searching for default file ... found: /boot/grub/default
Testing for an existing GRUB menu.lst file ... found: /boot/grub/menu.lst
Searching for splash image ... none found, skipping ...
Found kernel: /boot/vmlinuz-2.6.18-6-686
Updating /boot/grub/menu.lst ... done
REBOOT
custrelay:/home/gtoms#reboot
Installing the Debian build tools:
custrelay:/home/gtoms# apt-get install devscripts
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
binutils dpkg-dev make
Suggested packages:
binutils-doc devscripts-el build-essential cvs-buildpackage cvs subversion tla
bazaar debian-keyring dupload dput gnuplot libtimedate-perl libwww-perl
lintian linda patchutils wdiff make-doc-non-dfsg
Recommended packages:
fakeroot gcc c-compiler bzip2
The following NEW packages will be installed:
binutils devscripts dpkg-dev make
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 3540kB of archives.
After unpacking 10.8MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://debian.indika.net.id etch/main binutils 2.17-3 [2605kB]
Get:2 http://debian.indika.net.id etch/main make 3.81-2 [382kB]
Get:3 http://debian.indika.net.id etch/main dpkg-dev 1.13.25 [166kB]
Get:4 http://debian.indika.net.id etch/main devscripts 2.9.26 [386kB]
Fetched 3540kB in 2s (1579kB/s)
Selecting previously deselected package binutils.
(Reading database ... 18560 files and directories currently installed.)
Unpacking binutils (from .../binutils_2.17-3_i386.deb) ...
Selecting previously deselected package make.
Unpacking make (from .../archives/make_3.81-2_i386.deb) ...
Selecting previously deselected package dpkg-dev.
Unpacking dpkg-dev (from .../dpkg-dev_1.13.25_all.deb) ...
Selecting previously deselected package devscripts.
Unpacking devscripts (from .../devscripts_2.9.26_i386.deb) ...
Setting up binutils (2.17-3) ...
Setting up make (3.81-2) ...
Setting up dpkg-dev (1.13.25) ...
Setting up devscripts (2.9.26) ...
Installing Bind9:
custrelay:/home/gtoms# apt-get install bind9 bind9-doc dnsutils
Reading package lists... Done
Building dependency tree... Done
dnsutils is already the newest version.
The following NEW packages will be installed:
bind9 bind9-doc
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 486kB of archives.
After unpacking 1393kB of additional disk space will be used.
Get:1 http://security.debian.org etch/updates/main bind9 1:9.3.4-2etch3 [297kB]
Get:2 http://security.debian.org etch/updates/main bind9-doc 1:9.3.4-2etch3 [190kB]
Fetched 486kB in 4s (112kB/s)
Selecting previously deselected package bind9.
(Reading database ... 18963 files and directories currently installed.)
Unpacking bind9 (from .../bind9_1%3a9.3.4-2etch3_i386.deb) ...
Selecting previously deselected package bind9-doc.
Unpacking bind9-doc (from .../bind9-doc_1%3a9.3.4-2etch3_all.deb) ...
Setting up bind9 (9.3.4-2etch3) ...
Adding group `bind' (GID 104) ...
Done.
Adding system user `bind' (UID 104) ...
Adding new user `bind' (UID 104) with group `bind' ...
Not creating home directory `/var/cache/bind'.
wrote key file "/etc/bind/rndc.key"
Starting domain name service...: bind.
Setting up bind9-doc (9.3.4-2etch3) ...
custrelay:/home/gtoms#
Bind-Chroot configuration (Debian)
On a Linux-based operating system, chroot is a procedure that changes the root
directory as seen by a running service and its child processes. When a service is
run in chroot mode, it needs its own space, configuration files, device nodes and
shared libraries, all set up beforehand.
custrelay:/home/gtoms# /etc/init.d/bind9 stop
Stopping domain name service...: bind.
custrelay:/home/gtoms# nano /etc/default/bind9
#edit and change to#
OPTIONS="-u bind -t /var/lib/named"
custrelay:/home/gtoms# mkdir -p /var/lib/named/etc
custrelay:/home/gtoms# mkdir /var/lib/named/dev
custrelay:/home/gtoms# mkdir -p /var/lib/named/var/cache/bind
custrelay:/home/gtoms# mkdir -p /var/lib/named/var/run/bind/run
custrelay:/home/gtoms# mv /etc/bind /var/lib/named/etc
custrelay:/home/gtoms# ln -s /var/lib/named/etc/bind /etc/bind
custrelay:/home/gtoms# mknod /var/lib/named/dev/null c 1 3
custrelay:/home/gtoms# mknod /var/lib/named/dev/random c 1 8
custrelay:/home/gtoms# chmod 666 /var/lib/named/dev/*
custrelay:/home/gtoms# chown -R bind:bind /var/lib/named/var/*
custrelay:/home/gtoms# chown -R bind:bind /var/lib/named/etc/bind
Adjust the DNS configuration files for the Primary and copy over the forward and
reverse DNS zones.
custrelay:/home/gtoms# cd /etc/bind
custrelay:/home/gtoms# ls
db.0 db.127 db.255 db.empty db.local db.root named.conf named.conf.local named.conf.options
rndc.key zones.rfc1918 zones
Check them one by one and adjust them for a Primary DNS.
Configuring Bind logging:
custrelay:/home/gtoms# nano /etc/default/syslogd
SYSLOGD="-a /var/lib/named/dev/log"
custrelay:/home/gtoms# /etc/init.d/sysklogd restart
Restarting system log daemon: syslogd.
custrelay:/home/gtoms# /etc/init.d/bind9 start
Starting domain name service...: bind.
Check that the named service is running on the IP address and port 53:
custrelay:/home/gtoms# netstat -nltup
Example output of the command above (edited by me):
tcp 0 0 202.51.xxx.x:53 0.0.0.0:* LISTEN 2xxx/named
udp 0 0 202.51.xxx.x:53 0.0.0.0:* 2xxx/named
/home/gtoms# tail -f /var/log/syslog
------------edit-----------------
Jul 27 22:17:26 custrelay named[2779]: starting BIND 9.3.4-P1.1 -u bind -t /var/lib/named
Jul 27 22:17:26 custrelay named[2779]: found 1 CPU, using 1 worker thread
Jul 27 22:17:26 custrelay named[2779]: loading configuration from '/etc/bind/named.conf'
Jul 27 22:17:26 custrelay named[2779]: listening on IPv6 interfaces, port 53
Jul 27 22:17:26 custrelay named[2779]: listening on IPv4 interface lo, 127.0.0.1#53
Jul 27 22:17:26 custrelay named[2779]: listening on IPv4 interface eth0, 202.51.xxx.xxx#53
Jul 27 22:17:26 custrelay named[2779]: listening on IPv4 interface eth0:0, 202.51.xxx.#53
Jul 27 22:17:26 custrelay named[2779]: command channel listening on 127.0.0.1#953
Jul 27 22:17:26 custrelay named[2779]: command channel listening on ::1#953
Jul 27 22:17:26 custrelay named[2779]: zone 0.in-addr.arpa/IN: loaded serial 1
Jul 27 22:17:26 custrelay named[2779]: zone 127.in-addr.arpa/IN: loaded serial 1
Jul 27 22:17:26 custrelay named[2779]: zone 255.in-addr.arpa/IN: loaded serial 1
..................................
..........................
Also make sure that zone transfers from the Primary to the Secondary run smoothly;
watch the Secondary server's log as well when starting the bind9 service.
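The checks the author does by eye in the syslog output above can be scripted. The following is an added example, not from the original post: it parses named's startup lines (a constructed sample, with addresses replaced by documentation ranges and example.net.id as a hypothetical zone) and confirms the -u bind / -t chroot flags, a port 53 listener, a loopback-only rndc control channel, and that the zones you expect were loaded.

```python
import re

# Constructed sample modelled on the syslog lines above (addresses replaced by
# documentation ranges; example.net.id is a hypothetical forward zone).
SAMPLE_SYSLOG = """\
Jul 27 22:17:26 custrelay named[2779]: starting BIND 9.3.4-P1.1 -u bind -t /var/lib/named
Jul 27 22:17:26 custrelay named[2779]: listening on IPv4 interface lo, 127.0.0.1#53
Jul 27 22:17:26 custrelay named[2779]: listening on IPv4 interface eth0, 192.0.2.53#53
Jul 27 22:17:26 custrelay named[2779]: command channel listening on 127.0.0.1#953
Jul 27 22:17:26 custrelay named[2779]: command channel listening on ::1#953
Jul 27 22:17:26 custrelay named[2779]: zone 0.in-addr.arpa/IN: loaded serial 1
Jul 27 22:17:26 custrelay named[2779]: zone example.net.id/IN: loaded serial 2008072701
"""

PATTERNS = {
    "start": re.compile(r"named\[\d+\]: starting BIND (\S+)(.*)$"),
    "listen": re.compile(r"named\[\d+\]: listening on IPv4 interface \S+, ([\d.]+)#(\d+)"),
    "rndc": re.compile(r"named\[\d+\]: command channel listening on (\S+)#(\d+)"),
    "zone": re.compile(r"named\[\d+\]: zone (\S+)/IN: loaded serial (\d+)"),
}

def parse_named_startup(text):
    """Extract the -u/-t flags, IPv4 listeners, rndc channels and loaded zones."""
    info = {"user": None, "chroot": None, "listeners": [], "rndc": [], "zones": {}}
    for line in text.splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if kind == "start":
                args = m.group(2).split()
                for flag, key in (("-u", "user"), ("-t", "chroot")):
                    if flag in args and args.index(flag) + 1 < len(args):
                        info[key] = args[args.index(flag) + 1]
            elif kind == "listen":
                info["listeners"].append((m.group(1), int(m.group(2))))
            elif kind == "rndc":
                info["rndc"].append(m.group(1))
            else:
                info["zones"][m.group(1)] = int(m.group(2))
    return info

def check_startup(info, expected_zones, chroot="/var/lib/named"):
    """Return findings; an empty list means the start matches the hardening steps above."""
    findings = []
    if info["user"] != "bind":
        findings.append("named is not running as user bind")
    if info["chroot"] != chroot:
        findings.append(f"named is not chrooted to {chroot}")
    if not any(port == 53 for _, port in info["listeners"]):
        findings.append("no IPv4 listener on port 53")
    for addr in info["rndc"]:
        if addr not in ("127.0.0.1", "::1"):
            findings.append(f"rndc control channel reachable on {addr}")
    for zone in expected_zones:
        if zone not in info["zones"]:
            findings.append(f"zone {zone} was not loaded")
    return findings
```

Run it against `grep named /var/log/syslog` after each restart; any non-loopback rndc address or a missing -t flag means the chroot steps above did not take effect.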
Installing and configuring iptables as the DNS firewall, plus Fail2ban
custrelay:/home/gtoms# apt-get install fail2ban
Reading package lists... Done
Building dependency tree... Done
Suggested packages:
python-gamin
The following NEW packages will be installed:
fail2ban
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 63.6kB of archives.
After unpacking 500kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
fail2ban
Install these packages without verification [y/N]? y
Get:1 http://debian.indika.net.id etch/main fail2ban 0.7.5-2etch1 [63.6kB]
Fetched 63.6kB in 0s (179kB/s)
Selecting previously deselected package fail2ban.
(Reading database ... 19371 files and directories currently installed.)
Unpacking fail2ban (from .../fail2ban_0.7.5-2etch1_all.deb) ...
Setting up fail2ban (0.7.5-2etch1) ...
custrelay:/home/gtoms#nano /etc/fail2ban/jail.local
custrelay:/home/gtoms#/etc/init.d/fail2ban restart
custrelay:/home/gtoms# /etc/init.d/fail2ban status
Status of authentication failure monitor: fail2ban is running
custrelay:/home/gtoms# /etc/init.d/fail2ban restart
Restarting authentication failure monitor: fail2ban.
custrelay:/home/gtoms# tail -f /var/log/fail2ban.log
2008-07-27 16:19:08,797 fail2ban.actions.action: INFO Set actionBan = iptables
-I fail2ban-<name> 1 -s <ip> -j DROP
2008-07-27 16:19:08,801 fail2ban.actions.action: INFO Set actionStop = iptables
-D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2008-07-27 16:19:08,805 fail2ban.actions.action: INFO Set actionStart = iptables
-N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2008-07-27 16:19:08,810 fail2ban.actions.action: INFO Set actionUnban = iptables
-D fail2ban-<name> -s <ip> -j DROP
2008-07-27 16:19:08,813 fail2ban.actions.action: INFO Set actionCheck = iptables
-n -L INPUT | grep -q fail2ban-<name>
2008-07-27 16:19:11,403 fail2ban.actions: WARNING [ssh] Ban 201.168.65.23
custrelay:/home/gtoms# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP 0 -- ip-201-168-65-23.marcatel.net.mx anywhere
RETURN 0 -- anywhere anywhere
Testing against domains on the internet:
custrelay:~/scripts/schedule# dig
; <<>> DiG 9.3.4-P1.1 <<>>
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45497
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 517834 IN NS f.root-servers.net.
. 517834 IN NS g.root-servers.net.
. 517834 IN NS h.root-servers.net.
. 517834 IN NS i.root-servers.net.
. 517834 IN NS j.root-servers.net.
. 517834 IN NS k.root-servers.net.
. 517834 IN NS l.root-servers.net.
. 517834 IN NS m.root-servers.net.
. 517834 IN NS a.root-servers.net.
. 517834 IN NS b.root-servers.net.
. 517834 IN NS c.root-servers.net.
. 517834 IN NS d.root-servers.net.
. 517834 IN NS e.root-servers.net.
;; ADDITIONAL SECTION:
j.root-servers.net. 517834 IN A 192.58.128.30
j.root-servers.net. 517834 IN AAAA 2001:503:c27::2:30
;; Query time: 2 msec
;; SERVER: 202.51.xxx.x#53(202.51.xxx.x)
;; WHEN: Sun Jul 27 22:03:24 2008
;; MSG SIZE rcvd: 272
custrelay:/home/gtoms# nslookup
custrelay:/home/gtoms# dig namadomainkantor.net.id
custrelay:/home/gtoms# dig gtoms.com
; <<>> DiG 9.3.4-P1.1 <<>> gtoms.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53514
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;gtoms.com. IN A
;; ANSWER SECTION:
gtoms.com. 14400 IN A 202.80.126.18
;; AUTHORITY SECTION:
gtoms.com. 86400 IN NS ns1.gtoms.com.
gtoms.com. 86400 IN NS ns2.gtoms.com.
;; Query time: 290 msec
;; SERVER: 202.51.xxx.x#53(202.51.xxx.x)
;; WHEN: Sun Jul 27 16:22:47 2008
;; MSG SIZE rcvd: 79
custrelay:/home/gtoms#host -t mx gtoms.com
gtoms.com mail is handled by 0 gtoms.com.
custrelay:/home/gtoms# dig google.com
; <<>> DiG 9.3.4-P1.1 <<>> google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54839
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 64.233.167.99
google.com. 300 IN A 64.233.187.99
google.com. 300 IN A 72.14.207.99
;; AUTHORITY SECTION:
google.com. 345600 IN NS ns1.google.com.
google.com. 345600 IN NS ns2.google.com.
google.com. 345600 IN NS ns3.google.com.
google.com. 345600 IN NS ns4.google.com.
;; Query time: 211 msec
;; SERVER: 202.51.xxx.x#53(202.51.xxx.x)
;; WHEN: Sun Jul 27 16:24:56 2008
;; MSG SIZE rcvd: 148
custrelay:/home/gtoms# dig yahoo.com
; <<>> DiG 9.3.4-P1.1 <<>> yahoo.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45131
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 2
;; QUESTION SECTION:
;yahoo.com. IN A
;; ANSWER SECTION:
yahoo.com. 21600 IN A 68.180.206.184
yahoo.com. 21600 IN A 206.190.60.37
;; AUTHORITY SECTION:
yahoo.com. 171199 IN NS ns1.yahoo.com.
yahoo.com. 171199 IN NS ns2.yahoo.com.
yahoo.com. 171199 IN NS ns3.yahoo.com.
yahoo.com. 171199 IN NS ns4.yahoo.com.
yahoo.com. 171199 IN NS ns5.yahoo.com.
yahoo.com. 171199 IN NS ns6.yahoo.com.
yahoo.com. 171199 IN NS ns8.yahoo.com.
;; ADDITIONAL SECTION:
ns6.yahoo.com. 171199 IN A 202.43.223.170
ns8.yahoo.com. 171199 IN A 202.165.104.22
;; Query time: 69 msec
;; SERVER: 202.51.xxx.x#53(202.51.xxx.x)
;; WHEN: Sun Jul 27 16:25:01 2008
;; MSG SIZE rcvd: 217
custrelay:/home/gtoms# traceroute www.google.com
traceroute: Warning: www.google.com has multiple addresses; using 72.14.235.99
traceroute to www.l.google.com (72.14.235.99), 30 hops max, 40 byte packets
1 xxxxxxxxxxxxxxxxxxxxxxxxxxxx 0.443 ms 0.420 ms 0.401 ms
2 xxxxxxxxxxxxxxxxxxxxxxxxxxxx 0.806 ms 0.753 ms 0.770 ms
3 ge-0-1-0.gw-01.jkt.indosat.net.id (202.155.27.29) 0.826 ms 0.875 ms 0.745 ms
4 ge-0-2-0.distri-04.jkt.ipbb.indosat.net.id (202.155.137.17) 0.906 ms 0.990 ms 0.793 ms
5 202.93.46.219 (202.93.46.219) 0.918 ms 0.970 ms 0.728 ms
6 202.93.41.113 (202.93.41.113) 62.176 ms 62.408 ms 62.521 ms
7 72.14.196.77 (72.14.196.77) 62.386 ms 64.191 ms 62.824 ms
8 64.233.175.209 (64.233.175.209) 62.111 ms 63.149 ms 62.156 ms
9 209.85.250.120 (209.85.250.120) 84.550 ms 209.85.240.28 (209.85.240.28) 79.913 ms 79.680 ms
10 209.85.243.23 (209.85.243.23) 82.914 ms 85.458 ms 209.85.250.101 (209.85.250.101) 84.707 ms
11 72.14.232.217 (72.14.232.217) 93.618 ms 72.14.232.221 (72.14.232.221) 85.379 ms 95.766 ms
12 tw-in-f99.google.com (72.14.235.99) 84.124 ms 82.807 ms 84.274 ms
Testing for the DNS cache poisoning vulnerability using http://www.doxpara.com/
Your name server, at 202.51.xxx.x, appears to be safe, but
make sure the ports listed below aren't following an obvious pattern (:1001,
:1002, :1003, or :30000, :30020, :30100...).Requests seen for 138176cf2612.doxdns5.com:
202.51.xxx.x:1701 TXID=15492
202.51.xxx.x:7728 TXID=50979
202.51.xxx.x:6234 TXID=25400
202.51.xxx.x:21827 TXID=48219
202.51.xxx.x:3121 TXID=44774
Testing for the DNS cache poisoning vulnerability using the office nameserver:
gtoms@custrelay:~$ dig +short @ns1.domainkantor.net.id porttest.dns-oarc.net TXT
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"202.51.xxx.x is GREAT: 26 queries in 7.4 seconds from 26 ports with std dev 16639"
gtoms@custrelay:~$
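Both checks above (doxpara.com and the DNS-OARC porttest) grade the same two things: how widely spread the source ports are and whether the TXIDs are predictable. The following is an added example, not from the original post or from either test site: it scores lines in the 'ip:port TXID=n' format doxpara prints, reusing the five pairs shown above as a constructed sample beside a fixed-port sample and a narrow-range sample; the stddev threshold and step size are this example's own assumptions, not DNS-OARC's grading.

```python
import re
import statistics

LINE_RE = re.compile(r"^(?P<ip>\S+):(?P<port>\d+)\s+TXID=(?P<txid>\d+)$")

def make_sample(ip, pairs):
    """Build constructed check output in the 'ip:port TXID=n' format shown above."""
    return "\n".join(f"{ip}:{port} TXID={txid}" for port, txid in pairs) + "\n"

# Constructed samples. PAGE reuses the five port/TXID pairs from the doxpara output
# above (IP replaced by a documentation address); FIXED is a resolver that still
# sends every query from one port; NARROW is the ':30000, :30020, :30100' pattern.
SAMPLE_PAGE = make_sample("192.0.2.10", [(1701, 15492), (7728, 50979), (6234, 25400),
                                         (21827, 48219), (3121, 44774)])
SAMPLE_FIXED = make_sample("192.0.2.20", [(53, 1201), (53, 47088), (53, 9041),
                                          (53, 60123), (53, 25331)])
SAMPLE_NARROW = make_sample("192.0.2.30", [(30000, 3330), (30020, 18801), (30100, 65001),
                                           (30140, 42), (30200, 27777)])

def parse_requests(text):
    """Return (ports, txids); lines that are not 'ip:port TXID=n' are ignored."""
    ports, txids = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ports.append(int(m.group("port")))
            txids.append(int(m.group("txid")))
    return ports, txids

def is_patterned(values, max_step=16):
    """True when every consecutive step is the same small constant (step 0 = fixed value)."""
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and abs(steps.pop()) <= max_step

def assess(text, min_samples=5, min_stddev=3000):
    """Grade port and TXID randomness; the thresholds are this example's own assumptions."""
    ports, txids = parse_requests(text)
    result = {"samples": len(ports), "port_stddev": 0.0, "txid_stddev": 0.0, "problems": []}
    if len(ports) < min_samples:
        result["problems"].append("too few samples")
        return result
    result["port_stddev"] = statistics.pstdev(ports)
    result["txid_stddev"] = statistics.pstdev(txids)
    if is_patterned(ports):
        result["problems"].append("source port fixed or sequential")
    elif result["port_stddev"] < min_stddev:
        result["problems"].append("source ports drawn from a narrow range")
    if is_patterned(txids) or len(set(txids)) < len(txids):
        result["problems"].append("TXIDs predictable or repeated")
    return result

if __name__ == "__main__":
    for name, sample in (("page", SAMPLE_PAGE), ("fixed", SAMPLE_FIXED), ("narrow", SAMPLE_NARROW)):
        r = assess(sample)
        print(f"{name}: port stddev {r['port_stddev']:.0f}, "
              + ("OK" if not r["problems"] else "; ".join(r["problems"])))
```

Five requests, as in the doxpara output, are only enough to catch a fixed or stepping port; for a verdict like the porttest's "std dev 16639" you want a few dozen samples.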
Capture documentation:
Henry Gultom
henry at gultom dot or dot id
JUL 30 2008