Split DNS Configuration

13 Dec

Some time ago I installed BIND 9.10 as the authoritative name server for several public domains that are also used by internal infrastructure: Active Directory, the mail service, the proxy, internal applications, attendance machines, photocopiers and so on.

BIND is the de facto DNS server of the internet: it runs a large share of the world's DNS infrastructure, and its developers at ISC have authored many of the RFCs that became the standards for the domain name system.

Split DNS is the right method for separating the information that may be looked up from the public internet from the information that must only be visible internally. The same domain is served from two different zone files, and BIND picks one of them per query based on the client's source address (a "view"). Here is the scenario:

Domain: pnyet.web.id

Records published to the internet:

pnyet.web.id. IN A 103.10.0.10
ns1.pnyet.web.id. IN A 103.10.0.11
ns2.pnyet.web.id. IN A 103.10.0.12
mail.pnyet.web.id. IN A 103.10.0.13
ftp.pnyet.web.id. IN A 103.10.0.14
pos.pnyet.web.id. IN A 103.10.0.15

Records for internal use only:

pnyet.web.id. IN A 172.16.7.2
ns1.pnyet.web.id. IN A 172.16.7.3
ns2.pnyet.web.id. IN A 172.16.7.4
mail.pnyet.web.id. IN A 172.16.7.5
ftp.pnyet.web.id. IN A 172.16.7.6
pos.pnyet.web.id. IN A 172.16.7.7
erp.pnyet.web.id. IN A 172.16.7.8
dc1.pnyet.web.id. IN A 172.16.7.9
dc2.pnyet.web.id. IN A 172.16.7.10
proxy.pnyet.web.id. IN A 172.16.7.11

The first step is preparing the operating system; here it is FreeBSD 10.2 64-bit. In principle this configuration works on any platform that runs BIND, since BIND is built from source here and the named.conf syntax is the same everywhere.

Download BIND 9.10 from isc.org. Fetch the matching .asc signature as well and verify it against ISC's release-signing key before building; a name server built from a tampered tarball is not something you want facing the internet.

wget https://www.isc.org/downloads/file/bind-9-10-3/?version=tar-gz -O bind9.10.3.tar.gz

The steps below build and install BIND so that it is ready to be configured (the tarball unpacks into the directory bind-9.10.3):

# tar -zxvf bind9.10.3.tar.gz
# cd bind-9.10.3
# ./configure --prefix=/usr/local/named --enable-ipv6 --with-geoip --with-python --with-libtool --enable-threads --enable-largefile --enable-getifaddrs --enable-isc-spnego --enable-fetchlimit --enable-querytrace --enable-full-report --with-make-clean
# make
# make install

The next step is configuring split DNS in BIND.

Prepare the zone databases for the required zones as shown below. Continuation lines of the SOA record and records without an owner name must start with whitespace; a record line that starts in column one is read as having an owner name.

Create 0.db for the 0.in-addr.arpa zone. It holds only SOA and NS records, so reverse lookups in that range are answered locally from an empty zone:

$TTL 3h

@ IN SOA ns1.pnyet.web.id. hostmaster.pnyet.web.id. (
        2015120500 ; serial
        3h         ; refresh after 3 hours
        1h         ; retry after 1 hour
        1w         ; expire after 1 week
        1h )       ; negative caching TTL of 1 hour

; Name servers
        IN NS ns1.pnyet.web.id.
        IN NS ns2.pnyet.web.id.

Create 255.db for the 255.in-addr.arpa zone (the broadcast range, not loopback); it has the same skeleton:

$TTL 3h

@ IN SOA ns1.pnyet.web.id. hostmaster.pnyet.web.id. (
        2015120500 ; serial
        3h         ; refresh after 3 hours
        1h         ; retry after 1 hour
        1w         ; expire after 1 week
        1h )       ; negative caching TTL of 1 hour

; Name servers
        IN NS ns1.pnyet.web.id.
        IN NS ns2.pnyet.web.id.

Create 127.db for the 0.0.127.in-addr.arpa zone, which maps 127.0.0.1 back to localhost:

$TTL 3h

@ IN SOA ns1.pnyet.web.id. hostmaster.pnyet.web.id. (
        2015120500 ; serial
        3h         ; refresh after 3 hours
        1h         ; retry after 1 hour
        1w         ; expire after 1 week
        1h )       ; negative caching TTL of 1 hour

; Name servers
        IN NS ns1.pnyet.web.id.
        IN NS ns2.pnyet.web.id.

; Addresses (pointing to canonical names)
1.0.0   IN PTR localhost.

Zone database with the records of pnyet.web.id that the internet may look up, in the file pnyet-internet.db. Note that automail.pnyet.web.id., listed as the second MX, has no A record in either copy of the zone; give it one (or drop that MX), otherwise the backup exchanger cannot be reached.

$TTL 3h

@ IN SOA ns1.pnyet.web.id. hostmaster.pnyet.web.id. (
        2015120503 ; serial
        3h         ; refresh after 3 hours
        1h         ; retry after 1 hour
        1w         ; expire after 1 week
        1h )       ; negative caching TTL of 1 hour

; Name servers
        IN NS ns1.pnyet.web.id.
        IN NS ns2.pnyet.web.id.

; Mail exchangers
        IN MX 0 mail.pnyet.web.id.
        IN MX 5 automail.pnyet.web.id.

; Address records
pnyet.web.id.      IN A 103.10.0.10
ns1.pnyet.web.id.  IN A 103.10.0.11
ns2.pnyet.web.id.  IN A 103.10.0.12
mail.pnyet.web.id. IN A 103.10.0.13
ftp.pnyet.web.id.  IN A 103.10.0.14
pos.pnyet.web.id.  IN A 103.10.0.15
www.pnyet.web.id.  IN CNAME pnyet.web.id.

Zone database for pnyet.web.id that only the internal network may look up, in the file pnyet-internal.db. The addresses must match the internal list in the scenario above, and the www alias is needed here too, or internal clients get NXDOMAIN for www.pnyet.web.id. The two copies have separate serials: bump the serial of whichever copy you edit, or the secondary holding that copy will not transfer the change.

$TTL 3h
@ IN SOA ns1.pnyet.web.id. hostmaster.pnyet.web.id. (
        2015120503 ; serial
        3h         ; refresh after 3 hours
        1h         ; retry after 1 hour
        1w         ; expire after 1 week
        1h )       ; negative caching TTL of 1 hour

; Name servers
        IN NS ns1.pnyet.web.id.
        IN NS ns2.pnyet.web.id.

; Mail exchangers
        IN MX 0 mail.pnyet.web.id.
        IN MX 5 automail.pnyet.web.id.

; Address records (internal addresses only)
pnyet.web.id.       IN A 172.16.7.2
ns1.pnyet.web.id.   IN A 172.16.7.3
ns2.pnyet.web.id.   IN A 172.16.7.4
mail.pnyet.web.id.  IN A 172.16.7.5
ftp.pnyet.web.id.   IN A 172.16.7.6
pos.pnyet.web.id.   IN A 172.16.7.7
erp.pnyet.web.id.   IN A 172.16.7.8
dc1.pnyet.web.id.   IN A 172.16.7.9
dc2.pnyet.web.id.   IN A 172.16.7.10
proxy.pnyet.web.id. IN A 172.16.7.11
www.pnyet.web.id.   IN CNAME pnyet.web.id.
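The two copies of pnyet.web.id are exactly where a split-DNS setup leaks: an RFC 1918 address pasted into the public file, an internal-only host copied over, or an MX/NS/CNAME target that has no address record. The Python script below is an added example, not part of the original post and not a BIND tool. It parses both zone files (abridged copies of the public and internal files above, embedded as constructed sample data with the internal addresses from the scenario list) using a small parser for the zone syntax used on this page, and reports private addresses in the public copy, in-zone targets that have no address record (which catches the automail MX), and the names that exist only internally. It is a lint for the files on disk, not a replacement for named-checkzone.

```python
import ipaddress

ORIGIN = "pnyet.web.id"
RTYPES = {"SOA", "NS", "MX", "A", "AAAA", "CNAME", "PTR", "TXT"}

# Constructed sample data: abridged copies of the two zone files from the post.
PUBLIC_ZONE = """\
$TTL 3h
@ IN SOA ns1.pnyet.web.id. hostmaster.pnyet.web.id. (
        2015120503 ; serial
        3h 1h 1w 1h )
        IN NS ns1.pnyet.web.id.
        IN NS ns2.pnyet.web.id.
        IN MX 0 mail.pnyet.web.id.
        IN MX 5 automail.pnyet.web.id.
pnyet.web.id.      IN A 103.10.0.10
ns1.pnyet.web.id.  IN A 103.10.0.11
ns2.pnyet.web.id.  IN A 103.10.0.12
mail.pnyet.web.id. IN A 103.10.0.13
www.pnyet.web.id.  IN CNAME pnyet.web.id.
"""
INTERNAL_ZONE = """\
$TTL 3h
@ IN SOA ns1.pnyet.web.id. hostmaster.pnyet.web.id. (
        2015120503 ; serial
        3h 1h 1w 1h )
        IN NS ns1.pnyet.web.id.
        IN NS ns2.pnyet.web.id.
        IN MX 0 mail.pnyet.web.id.
        IN MX 5 automail.pnyet.web.id.
pnyet.web.id.       IN A 172.16.7.2
ns1.pnyet.web.id.   IN A 172.16.7.3
ns2.pnyet.web.id.   IN A 172.16.7.4
mail.pnyet.web.id.  IN A 172.16.7.5
erp.pnyet.web.id.   IN A 172.16.7.8
dc1.pnyet.web.id.   IN A 172.16.7.9
dc2.pnyet.web.id.   IN A 172.16.7.10
proxy.pnyet.web.id. IN A 172.16.7.11
www.pnyet.web.id.   IN CNAME pnyet.web.id.
"""


def _logical_lines(text):
    """Strip ';' comments, join '( ... )' continuations; yield (owner_inherited, tokens)."""
    out, buf, depth, indented = [], [], 0, False
    for raw in text.splitlines():
        code = raw.split(";", 1)[0]
        if not code.strip():
            continue
        indented = code[0] in " \t" if not buf else indented
        depth += code.count("(") - code.count(")")
        buf.append(code.replace("(", " ").replace(")", " "))
        if depth == 0:
            out.append((indented, " ".join(buf).split()))
            buf = []
    return out


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name[:-1].lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text, origin=ORIGIN):
    """[(owner, TYPE, [rdata])] for the subset of zone syntax used in the post."""
    origin = origin.rstrip(".").lower()
    owner, records = origin, []
    for indented, toks in _logical_lines(text):
        if toks[0].startswith("$"):
            continue  # $TTL does not affect these checks
        if not indented and toks[0].upper() not in RTYPES | {"IN"}:
            owner = _fqdn(toks.pop(0), origin)  # column-one token is the owner
        if toks[0].isdigit():
            toks.pop(0)  # optional per-record TTL
        if toks[0].upper() == "IN":
            toks.pop(0)  # optional class
        records.append((owner, toks[0].upper(), toks[1:]))
    return records


def private_addresses(records):
    """A/AAAA data in private ranges; must be empty for the copy served to the internet."""
    return sorted((o, r[0]) for o, t, r in records
                  if t in ("A", "AAAA") and ipaddress.ip_address(r[0]).is_private)


def dangling_targets(records, origin=ORIGIN):
    """In-zone NS/MX/CNAME targets that have no A/AAAA record (e.g. the automail MX)."""
    origin = origin.rstrip(".").lower()
    have_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    targets = {_fqdn(r[1] if t == "MX" else r[0], origin)
               for _, t, r in records if t in ("NS", "MX", "CNAME")}
    return sorted(x for x in targets
                  if (x == origin or x.endswith("." + origin)) and x not in have_addr)


def lint_split(public_text, internal_text, origin=ORIGIN):
    """Cross-check both copies: leaks into the public copy, unresolved targets, internal-only names."""
    pub, internal = parse_zone(public_text, origin), parse_zone(internal_text, origin)
    return {
        "public_private_addresses": private_addresses(pub),
        "public_dangling_targets": dangling_targets(pub, origin),
        "internal_dangling_targets": dangling_targets(internal, origin),
        "internal_only_names": sorted({o for o, _, _ in internal} - {o for o, _, _ in pub}),
    }


if __name__ == "__main__":
    for check, result in lint_split(PUBLIC_ZONE, INTERNAL_ZONE).items():
        print(f"{check}: {result}")
```

Run it against the real files by reading them into the two strings; a non-empty public_private_addresses list means an internal address is about to be published to the internet, and dc1/dc2/erp/proxy are the names expected to show up only in the internal copy.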

Zone database localhost.db for the localhost zone:

$TTL 3h
@ IN SOA ns1.pnyet.web.id. hostmaster.pnyet.web.id. (
        2015120500 ; serial
        3h         ; refresh after 3 hours
        1h         ; retry after 1 hour
        1w         ; expire after 1 week
        1h )       ; negative caching TTL of 1 hour

; Name servers
        IN NS ns1.pnyet.web.id.
        IN NS ns2.pnyet.web.id.

; Addresses for the canonical name
        IN A 127.0.0.1
        IN AAAA ::1

The root hints file named.root can be downloaded from internic.net; save it in /usr/local/named/var/master (the master directory under the directory set in named.conf). With recursion disabled, as in the options below, named never actually uses these hints, but the hint zones in the views reference the file, so it must exist:

# wget -O /usr/local/named/var/master/named.root https://www.internic.net/domain/named.root

Generate the RNDC key and configuration used in named.conf and rndc.conf:

# /usr/local/named/sbin/rndc-confgen

The output looks like the block below. The first half is the content of /usr/local/named/etc/rndc.conf; the second, commented-out half goes into /usr/local/named/etc/named.conf with the leading # removed from the key and controls stanzas (lines 2 to 10 of that half). Use the secret that rndc-confgen generated on your own machine, not the one shown here: this key is what authorises rndc to stop, reload and reconfigure the server over port 953. rndc-confgen defaults to hmac-md5; where your version supports the -A option (see rndc-confgen -h), prefer -A hmac-sha256.

# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "kfqhd72AY533jBKrl9nqGw==";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#     algorithm hmac-md5;
#     secret "kfqhd72AY533jBKrl9nqGw==";
# };
#
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

Below is the named.conf. Three zone files it references are not shown on this page and must be created before starting named: master/ipv6.db (the reverse zone for ::1), master/172.db and master/192.db (the reverse zones for 172.16.7.0/24 and 192.168.0.0/24); a master zone whose file is missing fails to load and is reported in the log. Two things matter for the split. First, a query from a blackholed address is dropped before any view is consulted, so the bogon list must not overlap the internal networks. Second, views are chosen by the source address of the query, and that applies to zone transfers too: a secondary that pulls pnyet.web.id from an internal address receives the internal copy of the zone. The public secondary must therefore transfer from an address that lands in the "internet" view, or the views must be selected with TSIG keys rather than addresses.

acl "xfer" { 172.16.7.3; };
acl "internal" {
    localhost;
    192.168.0.0/24;
    172.16.7.0/24;
};
# Queries from these sources are dropped before any view is consulted.
# 192.168.0.0/16 must not be listed here: it would swallow the 192.168.0.0/24 LAN
# that the "internal" ACL is meant to serve.
acl "bogon" {
    0.0.0.0/8;
    169.254.0.0/16;
    192.0.0.0/24;
    192.0.2.0/24;
    198.18.0.0/15;
    224.0.0.0/3;
};

logging {
    category edns-disabled { null; };

    # Warnings and above also go to syslog (facility local2).
    channel named_syslog {
        syslog local2;
        severity warning;
    };

    channel named_log {
        file "/usr/local/named/var/logs/named.log" versions 3 size 200m;
        severity debug;
        print-severity yes;
        print-time yes;
        print-category yes;
    };

    channel audit_log {
        file "/usr/local/named/var/logs/audit.log" versions 3 size 200m;
        severity debug;
        print-severity yes;
        print-time yes;
        print-category yes;
    };

    channel xfer_log {
        file "/usr/local/named/var/logs/xfer.log" versions 3 size 200m;
        severity debug;
        print-severity yes;
        print-time yes;
        print-category yes;
    };

    channel queries_log {
        file "/usr/local/named/var/logs/query.log" versions 3 size 200m;
        severity debug;
        print-severity yes;
        print-time yes;
        print-category yes;
    };

    category default { named_log; named_syslog; };
    category general { named_log; };
    category security { audit_log; default_syslog; };
    category config { default_syslog; };
    category resolver { audit_log; };
    category xfer-in { xfer_log; };
    category xfer-out { xfer_log; };
    category notify { audit_log; };
    category client { audit_log; };
    category network { audit_log; };
    category update { audit_log; };
    category queries { queries_log; };
    category lame-servers { audit_log; };
};

options {
    directory "/usr/local/named/var";
    allow-transfer { "xfer"; };
    pid-file "named.pid";
    auth-nxdomain no;
    listen-on port 53 { any; };
    listen-on-v6 { any; };
    statistics-file "data/named.stats";
    memstatistics-file "data/named.memstats";
    dump-file "data/named.dump";
    zone-statistics yes;
    notify yes;
    max-cache-ttl 1200;
    max-ncache-ttl 1800;
    max-cache-size 8M;
    minimal-responses yes;
    transfer-format many-answers;
    max-transfer-time-in 100;
    interface-interval 0;
    # Authoritative only: no view offers recursion, so internal clients need a
    # separate recursive resolver for everything outside these zones.
    recursion no;
    allow-query { any; };
    additional-from-auth no;
    additional-from-cache no;
    blackhole { bogon; };
    version "0_0";
};

view "internal" IN {
    match-clients { "internal"; };
    allow-transfer { "xfer"; };
    allow-query { any; };

    # Loopback and empty zones
    zone "0.in-addr.arpa" IN {
        type master;
        file "master/0.db";
    };

    zone "255.in-addr.arpa" IN {
        type master;
        file "master/255.db";
    };

    zone "localhost" IN {
        type master;
        file "master/localhost.db";
    };

    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "master/127.db";
    };

    zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "master/ipv6.db";
    };

    zone "." IN {
        type hint;
        file "master/named.root";
    };

    # Add zones below: the internal copy of the domain plus the internal reverse zones
    zone "pnyet.web.id" IN {
        type master;
        file "master/pnyet-internal.db";
    };

    zone "7.16.172.in-addr.arpa" IN {
        type master;
        file "master/172.db";
    };

    zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "master/192.db";
    };
};

view "internet" IN {
    # Everything the "internal" view did not claim, i.e. the rest of the internet.
    match-clients { any; };
    allow-transfer { "xfer"; };
    allow-query { any; };

    # Loopback and empty zones
    zone "0.in-addr.arpa" IN {
        type master;
        file "master/0.db";
    };

    zone "255.in-addr.arpa" IN {
        type master;
        file "master/255.db";
    };

    zone "localhost" IN {
        type master;
        file "master/localhost.db";
    };

    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "master/127.db";
    };

    zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "master/ipv6.db";
    };

    zone "." IN {
        type hint;
        file "master/named.root";
    };

    # Add zones below: the public copy of the domain only
    zone "pnyet.web.id" IN {
        type master;
        file "master/pnyet-internet.db";
    };
};

# Defining a CHAOS view of our own replaces the built-in one, so version.bind
# and hostname.bind queries get no answer here.
view "external-chaos" chaos {
    match-clients { any; };
    recursion no;

    zone "." {
        type hint;
        file "/dev/null";
    };
};

key "rndc-key" {
    algorithm hmac-md5;
    secret "kfqhd72AY533jBKrl9nqGw==";
};

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf
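Because the blackhole list and every match-clients list are ordinary address match lists, it pays to check which view a given client lands in before going live. The Python script below is an added example, not part of the original post and not BIND code: it models that decision with the semantics named uses (blackhole first, then the views in configuration order, the first matching element decides, and a hit on a "!" element counts as no match) for the ACLs and views of this named.conf. It shows what the 192.168.0.0/16 entry in the original bogon list does to the 192.168.0.0/24 LAN, which copy of pnyet.web.id a secondary at 172.16.7.3 receives, and how a "key" element in match-clients lets a TSIG-signed transfer select a view independently of its source address. The key name internal-key and the VIEWS_WITH_KEY layout are assumptions for illustration; the built-in localhost is approximated by the loopback prefixes, whereas in named it matches every address configured on the server, and nested ACL negation is simplified.

```python
import ipaddress

BUILTINS = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    # Assumption: real named's "localhost" matches every address on the host.
    "localhost": ["127.0.0.0/8", "::1/128"],
}

# The acl statements from named.conf; "bogon-as-posted" is the original list
# that still contained 192.168.0.0/16.
ACLS = {
    "xfer": ["172.16.7.3"],
    "internal": ["localhost", "192.168.0.0/24", "172.16.7.0/24"],
    "bogon": ["0.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.2.0/24",
              "198.18.0.0/15", "224.0.0.0/3"],
    "bogon-as-posted": ["0.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.2.0/24",
                        "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/3"],
}

# Views in configuration order with their match-clients lists.
VIEWS = [("internal", ["internal"]), ("internet", ["any"])]
# Hypothetical variant: a TSIG key named internal-key selects the internal view
# regardless of source address and is kept out of the internet view.
VIEWS_WITH_KEY = [("internal", ['key "internal-key"', "internal"]),
                  ("internet", ['!key "internal-key"', "any"])]

ZONE_FILES = {"internal": "master/pnyet-internal.db", "internet": "master/pnyet-internet.db"}


def matches(entries, addr, key=None, acls=ACLS):
    """Evaluate an address_match_list the way named does: elements are tried in
    order, the first hit decides, and a hit on a '!' element means no match."""
    for raw in entries:
        negated = raw.startswith("!")
        elem = raw.lstrip("! ")
        name = elem.strip('"')
        if elem.startswith("key "):
            hit = key is not None and key == elem[4:].strip().strip('"')
        elif name in acls:
            hit = matches(acls[name], addr, key, acls)
        elif name in BUILTINS:
            hit = matches(BUILTINS[name], addr, key, acls)
        else:
            hit = addr in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negated
    return False


def classify(ip, key=None, views=VIEWS, blackhole="bogon", acls=ACLS):
    """Name of the view a query lands in. The blackhole list is consulted before
    any view: a dropped query never reaches match-clients."""
    addr = ipaddress.ip_address(ip)
    if matches([blackhole], addr, key, acls):
        return "dropped"
    for name, match_clients in views:
        if matches(match_clients, addr, key, acls):
            return name
    return "no-view"  # named logs 'no matching view' and answers REFUSED


def zone_file_served(ip, key=None, views=VIEWS):
    """Which copy of pnyet.web.id answers (or is transferred to) this client."""
    return ZONE_FILES.get(classify(ip, key, views))


def invalid_entries(acls):
    """ACL elements that are neither a prefix, a key, a built-in nor another ACL,
    i.e. what named-checkconf rejects (the post had '172.16.7.0.0/24')."""
    bad = []
    for acl_name, entries in acls.items():
        for raw in entries:
            name = raw.lstrip("! ").strip('"')
            if name.startswith("key ") or name in acls or name in BUILTINS:
                continue
            try:
                ipaddress.ip_network(name, strict=False)
            except ValueError:
                bad.append((acl_name, raw))
    return bad


if __name__ == "__main__":
    for ip in ("127.0.0.1", "172.16.7.10", "192.168.0.20", "203.0.113.5", "169.254.1.1"):
        print(f"{ip:>14}  posted bogon list: {classify(ip, blackhole='bogon-as-posted'):<9}"
              f"  fixed list: {classify(ip)}")
    print("secondary at 172.16.7.3 receives", zone_file_served("172.16.7.3"))
    print("signed AXFR from 203.0.113.9 receives",
          zone_file_served("203.0.113.9", "internal-key", VIEWS_WITH_KEY))
    print("bad ACL entries:", invalid_entries({"internal": ["localhost", "172.16.7.0.0/24"]}))
```

The one thing the model cannot tell you is what your real secondaries do: check the xfer-out log after the first transfer and confirm that the public secondary's copy contains 103.10.0.x addresses and nothing from 172.16.7.0/24.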

Next, create the user that will run bind/named (adjust the command for operating systems other than FreeBSD):

$ sudo pw useradd named -c "BIND daemon" -d /nonexistent -s /usr/sbin/nologin

Give that user the zone directory /usr/local/named/var/master. named also writes to the logs and data directories referenced in named.conf (/usr/local/named/var/logs and /usr/local/named/var/data), so create them and chown them the same way:

$ sudo chown -R named:named /usr/local/named/var/master

Before the first start, validate the configuration: named-checkconf -z /usr/local/named/etc/named.conf parses named.conf and loads every zone in every view, which is where a misspelled file name, an invalid ACL entry or a missing zone file shows up (the check tools are installed under the /usr/local/named prefix together with named). Then start BIND; -u named makes it drop root privileges after binding port 53:

$ sudo /usr/local/named/sbin/named -u named -c /usr/local/named/etc/named.conf

Then look up pnyet.web.id from a network or address outside 192.168.0.0/24 and 172.16.7.0/24 (the internet) and compare the result with a lookup from the LAN or from the server itself: the first should return 103.10.0.10, the second 172.16.7.2, and names such as erp.pnyet.web.id or dc1.pnyet.web.id must only resolve from the internal side.
