  • Linux Networking Cookbook
  • Gregory Boyce

Setting up a local recursive resolver

Since every attempt to access a website requires looking up the hostname first, the responsiveness of your nameserver can have a large impact on how quickly a webpage loads. A slow nameserver can delay the initial loading of the page as well as the loading of the various embedded images, videos, and JavaScript, which might have been pulled from third-party sites.

In this section, we'll be looking at setting up our own recursive nameserver, which will help cut down on the round trips between you and your resolver. We will additionally configure it to forward uncached queries to a public recursive nameserver in order to take advantage of their caching.

How to do it…

Let's set up the local recursive resolver:

  1. Install bind9 on Ubuntu; this can be done with sudo apt-get install bind9. On Red Hat and CentOS, it can be done with yum install bind instead. For other distributions, consult the relevant documentation.
  2. Add an allow-recursion entry in the options section of the bind9 configuration in order to prevent it from being used for denial of service attacks:
    allow-recursion {
      192.168.1.0/24;
      localhost;
    };
  3. Consider listening to only your internal IP address with the following option:
    listen-on {
      192.168.1.1;
    };
  4. If you want to use forwarders, add the following to your options section:
    forwarders {
      8.8.8.8;
      8.8.4.4;
    };

How it works…

While your mileage may vary from distribution to distribution, bind9 is often shipped with a default configuration that acts as a recursive nameserver with no restrictions on who can issue queries against it. This sort of configuration can be abused by people looking to perform a DNS-based amplified denial of service attack: they send you a spoofed UDP packet containing a request that results in a large response, which causes you and a large number of other open servers to send those large responses to the DoS target.

The allow-recursion setting that we've provided tells bind9 to only answer recursive queries from your local network and from the special localhost ACL, which includes all IP addresses configured on the server itself. Once this setting is in place, the server will respond to other recursive queries with a short refused response rather than a potentially large data response.

listen-on takes the restrictions one step further by allowing you to tell the server not to bind to particular network interfaces at all. If you're running on a router with multiple interfaces, you can choose to have bind9 listen only on the internal interface. Depending on your firewall configuration, this means that someone sending a request to an external interface will either get an ICMP destination port unreachable message or no response at all.

Finally, the forwarders setting configures a list of DNS servers that bind9 can go to whenever it does not already have an entry cached. In this case, we're using the two public Google servers again, but you can choose to use your ISP's nameservers instead.

There's more…

There's one additional piece of information that is very useful to know if you are planning on running your own DNS server. As previously noted, the DNS protocol typically operates over UDP port 53. This is due to the low overhead of UDP, which does not require any sort of handshake to set up and then tear down a connection. Over UDP, DNS is able to send a single packet for a request and usually receive a single packet as a response.

You may note that I said typically. Because of a limit on the maximum size of a UDP DNS request or response packet, the protocol can switch to TCP instead. The maximum size of a DNS request/response over UDP is 512 bytes unless EDNS0 is being used to increase the size to 4096 bytes. When a response would be larger than that limit, the server sends back a partial packet with the truncated (TC) bit set, and the client then retries the same query over TCP.

While a majority of DNS traffic that you'll see will be UDP, keep in mind that during troubleshooting and firewall rule writing, you may see TCP as well.
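As an added example (not from the book), the following Python decodes DNS message headers to recognise the two replies this recipe talks about: the short REFUSED answer that allow-recursion produces for a source it will not recurse for, and a reply with the truncated (TC) bit set, which tells the client to retry over TCP. The sample packets are constructed inline, and the builder and classifier names are my own.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1); RCODE lives in the low 4 bits
QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build one recursive (RD=1) UDP query; qtype 1 is an A record."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = [lbl.encode() for lbl in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into the fields the classification needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)), "ancount": an}

def classify_response(query: bytes, response: bytes) -> str:
    """Explain what the resolver's reply means for the client that sent query."""
    if len(response) < 12:
        return "invalid: shorter than a DNS header"
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "invalid: not a response to this query"
    if r["rcode"] == "REFUSED":
        return "refused: resolver will not recurse for this source (allow-recursion)"
    if r["tc"]:
        return "truncated: answer exceeds the UDP size limit, retry over TCP"
    if q["rd"] and not r["ra"]:
        return "answered without recursion: resolver is not recursive for us"
    return f"answered: {r['ancount']} record(s)"

def constructed_reply(query: bytes, flags: int, ancount: int = 0) -> bytes:
    """Constructed sample reply: same ID and question as the query, QR set, new flags."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, QR | flags, 1, ancount, 0, 0) + query[12:]

QUERY = build_query("www.example.com")
REFUSED_REPLY = constructed_reply(QUERY, RD | 5)           # short refusal, no answers
TRUNCATED_REPLY = constructed_reply(QUERY, RD | RA | TC)   # TC set: client must use TCP
NORMAL_REPLY = constructed_reply(QUERY, RD | RA, ancount=2)

if __name__ == "__main__":
    for label, reply in [("REFUSED", REFUSED_REPLY), ("TC", TRUNCATED_REPLY), ("OK", NORMAL_REPLY)]:
        print(f"{label:8} {len(reply):3} bytes -> {classify_response(QUERY, reply)}")
```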
