DNS  minmin@jprs.co.jp  DNS DAY, Internet Week 2003
DNS (Domain Name System): named (BIND), tinydns (djbdns), Microsoft DNS (Windows), etc.

(1) Name to IP address: www.example.jp -> IP 10.20.30.40 (DNS)
PC: /etc/resolv.conf  nameserver ...  (set by DHCP / PPP)

Resolution of www.example.jp (PC, NS = the PC's name server, ns = authoritative servers):
  PC -> NS:             www.example.jp IP?
  NS -> . ns:           jp ns?              (NS already knows the . ns IP)
  . ns -> NS:           jp ns NS, jp ns IP
  NS -> jp ns:          example.jp ns?
  jp ns -> NS:          example.jp ns NS, example.jp ns IP
  NS -> example.jp ns:  www.example.jp IP?
  example.jp ns -> NS:  www.example.jp IP
  NS -> PC:             IP (ns)
(2) www.example.jp IP? 10.20.30.40? or ...

  % dig @a.dns.jp example.jp ns
  ;; ANSWER SECTION:
  example.jp.      1D IN NS  ns0.example.jp.
  example.jp.      1D IN NS  ns1.example.jp.
  ;; ADDITIONAL SECTION:
  ns0.example.jp.  1D IN A   xx.xxx.xxx.xx
  ns1.example.jp.  1D IN A   yy.yyy.yyy.yy
Asking ns.example.jp for the IP of www.example.com:
  dig @ns.example.jp www.example.com a
BIND9 DoS

BIND:
  zone "." { type hint; file "named.root"; };
  options {
      recursion yes;
      fetch-glue no;
      allow-query { localhost; 10.0.0.0/8; };
  };
  zone "0.0.127.IN-ADDR.ARPA" { type master; file "localhost.rev"; };
  zone "example.jp" {
      type master;
      file "example.jp.zone";
      allow-query { any; };   // zone-level setting overrides the 10.0.0.0/8 restriction in options
  };
BIND (named), Windows DNS: BIND, Windows DNS ...
djbdns: tinydns (authoritative), dnscache (cache)

BIND, authoritative-only named.conf:
  options {
      recursion no;
      fetch-glue no;
  };
  // BIND9: no hint zone (zone ".") needed with recursion no
  zone "example.jp" { type master; file "example.jp.zone"; };
BIND, cache-only named.conf (2):
  options {
      recursion yes;
      fetch-glue no;
      allow-query { 10.0.0.0/8; };   // plus 127.0.0.1 (localhost) and ::1
  };
  zone "." { type hint; file "named.root"; };
  zone "0.0.127.IN-ADDR.ARPA" { type master; file "localhost.rev"; };

Windows DNS: ... Windows ... BIND
Zone transfers. BIND (options or zone level): allow-transfer, listing the IP addresses allowed to transfer the zone:
  zone "example.jp" {
      allow-transfer { x.x.x.x; y.y.y.y; };
  };
Windows DNS: NS ...
BIND versions (as of 2003-11-28):
  BIND 9: Version 9.2.3 (2003-10-23)
  BIND 8: Version 8.4.3 (2003-11-26)

Not running named as root:  named -u <user>   (/var/run/named.pid)
Running named in a chroot:  named -t <chroot dir>
  BIND9: http://www.unixwiz.net/techtips/bind9-chroot.html
  djbdns: chroot ...
? ( )
acl, IDS: acl ... DNS over TCP ... IDS
DNS on the LAN: ARP Poisoning / ARP Spoofing
  (Google hits: "ARP Poisoning" 7,610, "ARP Spoofing" 57,800)

ARP Poisoning (1/2)
  host   IP          MAC
  gw     10.10.10.1  0:1:1:1:1:1
  hosta  10.10.10.2  0:2:2:2:2:2
  hostb  10.10.10.3  0:3:3:3:3:3
  root on hostb ... hostb sends ARP ...:
    hosta's ARP cache:  10.10.10.1  MACaddr 0:3:3:3:3:3
    gw's ARP cache:     10.10.10.2  MACaddr 0:3:3:3:3:3
  hosta and gw ARP entries now point to hostb
ARP Poisoning (2/2): hostb IP ... Layer2 ... hostb
  ARP Poisoning ... OS ARP ... syslog
  ARP Poisoning ... ARP
1 (1/3): two named processes (BIND9 v6: listen-on-v6 { any; }; (?))
  /etc/named.conf
    options {
        recursion no;
        fetch-glue no;
        listen-on { 10.10.10.1; };
    };
  listen-on: the host's IP; /etc/resolv.conf: nameserver 127.0.0.1

1 (2/3): /etc/cache.conf (named -c /etc/cache.conf)
    options {
        pid-file "/var/run/cache-named.pid";
        listen-on { 127.0.0.1; };
    };
    controls {
        unix "/var/run/cache-ndc" perm 0600 owner 0 group 0;
    };
  127.0.0.1 ...
1 (3/3): dump-file, memstatistics-file, statistics-file, separate files for the second named (BIND8):
    dump-file "cache_dump.db";
    memstatistics-file "cache.memstats";
    statistics-file "cache.stats";

Private Address Space (RFC 1918): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
IPv4 Link-Local Address (Dynamic Configuration of IPv4 Link-Local Addresses, draft-ietf-zeroconf-ipv4-linklocal-07.txt): 169.254.0.0/16
ISP!
named.conf:
  zone "10.in-addr.arpa"      { type master; file "dummy.zone"; };
  zone "16.172.in-addr.arpa"  { type master; file "dummy.zone"; };
  ..
  zone "31.172.in-addr.arpa"  { type master; file "dummy.zone"; };
  zone "168.192.in-addr.arpa" { type master; file "dummy.zone"; };
  zone "254.169.in-addr.arpa" { type master; file "dummy.zone"; };

dummy.zone (SOA and NS only):
  $TTL 1D
  @   IN SOA ns.example.jp. root.example.jp. ( 1 1H 15M 1W 1D )
      IN NS  ns.example.jp.