Bind9 Domain Name System Server (DNS Server)

Apa itu DNS? DNS adalah sebuah program client-server yang digunakan untuk translasi domain ke ip address dan juga sebaliknya. DNS menggunakan port 53/udp untuk resolver dan port 53/tcp untuk zone transfer.

Cara Kerja Domain Name System

Topologi

Tipe Records Pada DNS

Record	Fungsi
A	Untuk mengarahkan domain/label ke ipv4
AAAA	Untuk mengarahkan domain/label ke ipv6
NS	Untuk mengarahkan ke nameserver mana yang menyimpan record dns
CNAME	Untuk alias dari domain/subdomain ke domain lain
SOA	Menyimpan informasi admin domain
PTR	Untuk memberikan jawaban reverse-lookup (merubah ip ke suatu domain)
MX	Untuk mengarahkan email ke mail server

Konfigurasi Recursive DNS

Recursive DNS berfungsi untuk mencari jawaban dari authoritative server.

Kita pastikan bind9 dan utilitasnya sudah terinstall di ns1 dan ns2.

ns1 & ns2

sysadmin@ns1:~$ sudo apt install bind9 dnsutils bind9utils -y
sysadmin@ns2:~$ sudo apt install bind9 dnsutils bind9utils -y

1. Konfigurasi Recursive pada Master DNS (ns1).

Masuk ke direktori ‘/etc/bind’ dan disable dnssec-validation di file ‘named.conf.options’.

ns1

sysadmin@ns1:~$ cd /etc/bind/sysadmin@ns1:/etc/bind$ sudo nano named.conf.options

/etc/bind/named.conf.options

options {        directory “/var/cache/bind”;
        // If there is a firewall between you and nameservers you want        // to talk to, you may need to fix the firewall to allow multiple        // ports to talk. See http://www.kb.cert.org/vuls/id/800113
        // If your ISP provided one or more IP addresses for stable        // nameservers, you probably want to use them as forwarders.        // Uncomment the following block, and insert the addresses replacing        // the all-0’s placeholder.
        // forwarders {        // 0.0.0.0;        // };
        //========================================================================        // If BIND logs error messages about the root key being expired,        // you will need to update your keys. See https://www.isc.org/bind-keys        //========================================================================        dnssec-validation no;
        listen-on-v6 { any; };};

Setelah itu restart service bind9. Lalu ubah resolver dns ke ip address 192.168.72.11. Dan uji coba dig untuk mengetahui ip address dari google.com dan ping ke domain google.com. Jika ping reply maka konfigurasi recursive sudah berhasil, seperti dibawah ini.

ns1

sysadmin@ns1:/etc/bind$ sudo systemctl restart bind9sysadmin@ns1:/etc/bind$ echo nameserver 192.168.72.11 | sudo tee /etc/resolv.confsysadmin@ns1:/etc/bind$ dig google.com +short; ping google.com -c 3142.251.12.100142.251.12.101142.251.12.138142.251.12.113142.251.12.102142.251.12.139PING google.com (142.251.12.102) 56(84) bytes of data.64 bytes from se-in-f102.1e100.net (142.251.12.102): icmp_seq=1 ttl=128 time=20.2 ms64 bytes from se-in-f102.1e100.net (142.251.12.102): icmp_seq=2 ttl=128 time=17.6 ms64 bytes from se-in-f102.1e100.net (142.251.12.102): icmp_seq=3 ttl=128 time=17.5 ms
— google.com ping statistics —3 packets transmitted, 3 received, 0% packet loss, time 2002msrtt min/avg/max/mdev = 17.480/18.431/20.244/1.282 mssysadmin@ns1:/etc/bind$

2. Konfigurasi Recursive pada Slave DNS (ns2).

Masuk ke direktori ‘/etc/bind’ dan disable dnssec-validation di file ‘named.conf.options’.

ns2

sysadmin@ns2:~$ cd /etc/bind/sysadmin@ns2:/etc/bind$ sudo nano named.conf.options

/etc/bind/named.conf.options

Setelah itu restart service bind9. Lalu ubah resolver dns ke ip address 192.168.72.12. Dan uji coba dig untuk mengetahui ip address dari google.com dan ping ke domain google.com. Jika ping reply maka konfigurasi recursive sudah berhasil, seperti dibawah ini.

ns2

sysadmin@ns2:/etc/bind$ sudo systemctl restart bind9sysadmin@ns2:/etc/bind$ echo nameserver 192.168.72.12 | sudo tee /etc/resolv.confsysadmin@ns2:/etc/bind$ dig google.com +short; ping google.com -c 364.233.170.13964.233.170.10164.233.170.11364.233.170.10064.233.170.10264.233.170.138PING google.com (64.233.170.101) 56(84) bytes of data.64 bytes from sg-in-f101.1e100.net (64.233.170.101): icmp_seq=1 ttl=128 time=23.8 ms64 bytes from sg-in-f101.1e100.net (64.233.170.101): icmp_seq=2 ttl=128 time=19.6 ms64 bytes from sg-in-f101.1e100.net (64.233.170.101): icmp_seq=3 ttl=128 time=17.6 ms
— google.com ping statistics —3 packets transmitted, 3 received, 0% packet loss, time 2003msrtt min/avg/max/mdev = 17.571/20.309/23.798/2.596 mssysadmin@ns2:/etc/bind$

Konfigurasi Authoritative DNS

Authortitative DNS berfungsi untuk memberikan jawaban kepada Recursive atau resolver. Untuk konfigurasi authoritative akan kita bagi dua, sebagai berikut:

1. Konfigurasi Authoritative Master DNS.

Masuk ke direktori ‘/etc/bind’ dan tambahkan zone dengan type master untuk domain ‘idn-academy.id’ di file ‘named.conf.local’.

ns1

sysadmin@ns1:~$ cd /etc/bind/sysadmin@ns1:/etc/bind$ sudo nano named.conf.local

/etc/bind/named.conf.local

Buat direktori baru dengan nama ‘master’ dan duplikat file ‘db.local’ menjadi ‘db.idn-academy.id’. Lalu tambahkan konten dns record (SOA, NS, CNAME dan A records) pada file zona ‘id-academy.id’. Untuk format serial biasanya 10 digit YYYYMMDDXX yang mana XX angka yang bertambah. Jangan lupa menambah dan update serial setiap melakukan perubahan.

ns1

sysadmin@ns1:/etc/bind$ sudo mkdir mastersysadmin@ns1:/etc/bind$ sudo cp db.local master/db.idn-academy.idsysadmin@ns1:/etc/bind$ sudo nano master/db.idn-academy.id

/etc/bind/master/db.idn-academy.id

;; BIND data file for local loopback interface;$TTL 604800@ IN SOA ns1.idn-academy.id. root.idn-academy.id. ( 2024070701 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL;@ IN NS ns1.idn-academy.id.@ IN NS ns2.idn-academy.id.ns1 IN A 192.168.72.11ns2 IN A 192.168.72.11@ IN A 192.168.72.11www IN CNAME idn-academy.id.

Sebelum kita restart service bind9, kita cek terlebih dahulu apakah ada yang salah dengan konfigurasi nya atau tidak dengan perintah berikut.

ns1

sysadmin@ns1:/etc/bind$ sudo named-checkconf sysadmin@ns1:/etc/bind$ sudo named-checkzone idn-academy.id master/db.idn-academy.id zone idn-academy.id/IN: loaded serial 2024070701OKsysadmin@ns1:/etc/bind$ sudo systemctl restart bind9

Setelah itu lakukan uji coba menggunakan tool dig.

ns1

sysadmin@ns1:/etc/bind$ dig @192.168.72.11 www.idn-academy.id
; <<>> DiG 9.18.24-0ubuntu0.22.04.1-Ubuntu <<>> @192.168.72.11 www.idn-academy.id; (1 server found);; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49966;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 1232; COOKIE: 15fdad13fc8b385201000000668a4e7316a9d591814eb8b4 (good);; QUESTION SECTION:;www.idn-academy.id. IN A
;; ANSWER SECTION:www.idn-academy.id. 604800 IN CNAME idn-academy.id.idn-academy.id. 604800 IN A 192.168.72.11
;; Query time: 0 msec;; SERVER: 192.168.72.11#53(192.168.72.11) (UDP);; WHEN: Sun Jul 07 15:14:43 WIB 2024;; MSG SIZE rcvd: 105
sysadmin@ns1:/etc/bind$

2. Konfigurasi Authoritative Slave DNS

Sebelum kita konfigurasi authoritative slave dns, cek terlebih dahulu zone transfer dari master dns ke slave dns dengan perintah dig jika gagal maka akan muncul error transfer failed.

ns2

sysadmin@ns2:/etc/bind$ dig @192.168.72.11 idn-academy.id AXFR
; <<>> DiG 9.18.24-0ubuntu0.22.04.1-Ubuntu <<>> @192.168.72.11 idn-academy.id AXFR; (1 server found);; global options: +cmdidn-academy.id. 604800 IN SOA ns1.idn-academy.id. root.idn-academy.id. 2024070701 604800 86400 2419200 604800idn-academy.id. 604800 IN NS ns1.idn-academy.id.idn-academy.id. 604800 IN NS ns2.idn-academy.id.idn-academy.id. 604800 IN A 192.168.72.11ns1.idn-academy.id. 604800 IN A 192.168.72.11ns2.idn-academy.id. 604800 IN A 192.168.72.12www.idn-academy.id. 604800 IN CNAME idn-academy.id.idn-academy.id. 604800 IN SOA ns1.idn-academy.id. root.idn-academy.id. 2024070701 604800 86400 2419200 604800;; Query time: 0 msec;; SERVER: 192.168.72.11#53(192.168.72.11) (TCP);; WHEN: Sun Jul 07 17:13:05 WIB 2024;; XFR size: 6 records (messages 1, bytes 216)

Masuk ke direktori ‘/etc/bind’ dan tambahkan zone dengan type slave untuk domain ‘idn-academy.id’ di file ‘named.conf.local’.

ns2

sysadmin@ns2:~$ cd /etc/bind/sysadmin@ns2:/etc/bind$ sudo nano named.conf.local

/etc/bind/named.conf.local

Setelah itu restart service bind9, lalu cek apakah file ‘db.idn-academy.id’ di direktori ‘/var/cache/bind’.

ns2

sysadmin@ns1:/etc/bind$ sudo systemctl restart bind9sysadmin@ns2:/etc/bind$ ls /var/cache/bind/db.idn-academy.id managed-keys.bind managed-keys.bind.jnl

Setelah itu lakukan uji coba menggunakan tool dig. Jika mendapatkan jawaban berarti konfigurasi sudah berhasil.

ns2

sysadmin@ns2:/etc/bind$ dig @192.168.72.12 www.idn-academy.id
; <<>> DiG 9.18.24-0ubuntu0.22.04.1-Ubuntu <<>> @192.168.72.12 www.idn-academy.id; (1 server found);; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1359;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 1232; COOKIE: 66343c100d1a0b4101000000668a7f36e84e16bad5cb5a53 (good);; QUESTION SECTION:;www.idn-academy.id. IN A
;; ANSWER SECTION:www.idn-academy.id. 604800 IN CNAME idn-academy.id.idn-academy.id. 604800 IN A 192.168.72.11
;; Query time: 0 msec;; SERVER: 192.168.72.12#53(192.168.72.12) (UDP);; WHEN: Sun Jul 07 18:42:46 WIB 2024;; MSG SIZE rcvd: 105

Konfigurasi Reverse DNS

Reverse DNS berfungsi untuk merubah ip menjadi domain, biasanya digunakan untuk verifikasi mail server.

1. Konfigurasi Reverse Master DNS.

Masuk ke direktori ‘/etc/bind’ dan tambahkan zone ‘72.168.192.in-addr.arpa’ dengan type master di file ‘named.conf.local’.

ns1

sysadmin@ns1:~$ cd /etc/bind/sysadmin@ns1:/etc/bind$ sudo nano named.conf.local

/etc/bind/named.conf.local

//// Do any local configuration here//
// Consider adding the 1918 zones here, if they are not used in your// organization//include “/etc/bind/zones.rfc1918”;
zone “idn-academy.id” { type master; file “/etc/bind/master/db.idn-academy.id”;};
zone “72.168.192.in-addr.arpa” { type master; file “/etc/bind/master/db.72.168.192.in-addr.arpa”;};

Masuk ke direktori ‘master’ dan duplikat file ‘db.127’ menjadi ‘db.72.168.192.in-addr.arpa’. Lalu tambahkan konten dns record (SOA, NS dan PTR) pada file zona ‘id-academy.id’.

ns1

sysadmin@ns1:/etc/bind$ sudo mkdir mastersysadmin@ns1:/etc/bind$ sudo cp db.local master/db.idn-academy.idsysadmin@ns1:/etc/bind$ sudo nano master/db.72.168.192.in-addr.arpa

/etc/bind/master/db.72.168.192.in-addr.arpa

;; BIND reverse data file for local loopback interface;$TTL 604800@ IN SOA ns1.idn-academy.id. root.idn-academy.id. ( 2024070701 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL;@ IN NS ns1.idn-academy.id.@ IN NS ns2.idn-academy.id.
11 IN PTR ns1.idn-academy.id.12 IN PTR ns2.idn-academy.id.

Sebelum kita restart service bind9, kita cek terlebih dahulu apakah ada yang salah dengan konfigurasi nya atau tidak dengan perintah berikut.

ns1

Setelah itu lakukan uji coba menggunakan tool dig. Jika mendapatkan jawaban berarti konfigurasi sudah berhasil.

ns1

sysadmin@ns1:/etc/bind$ dig @192.168.72.11 -x 192.168.72.11
; <<>> DiG 9.18.24-0ubuntu0.22.04.1-Ubuntu <<>> @192.168.72.11 -x 192.168.72.11; (1 server found);; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40752;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 1232; COOKIE: c1db75e991f2f8bc01000000668a9d3532a1e40a34d9be79 (good);; QUESTION SECTION:;11.72.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:11.72.168.192.in-addr.arpa. 604800 IN PTR ns1.idn-academy.id.
;; Query time: 0 msec;; SERVER: 192.168.72.11#53(192.168.72.11) (UDP);; WHEN: Sun Jul 07 20:50:45 WIB 2024;; MSG SIZE rcvd: 115

sysadmin@ns1:/etc/bind$ dig @192.168.72.11 -x 192.168.72.12
; <<>> DiG 9.18.24-0ubuntu0.22.04.1-Ubuntu <<>> @192.168.72.11 -x 192.168.72.12; (1 server found);; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3647;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 1232; COOKIE: 357d1c9d3246402401000000668a9da3f3f2e81db7657e39 (good);; QUESTION SECTION:;12.72.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:12.72.168.192.in-addr.arpa. 604800 IN PTR ns2.idn-academy.id.
;; Query time: 0 msec;; SERVER: 192.168.72.11#53(192.168.72.11) (UDP);; WHEN: Sun Jul 07 20:52:35 WIB 2024;; MSG SIZE rcvd: 115

2. Konfigurasi Reverse Slave DNS

Masuk ke direktori ‘/etc/bind’ dan tambahkan zone ‘72.168.192.in-addr.arpa’ dengan type slave di file ‘named.conf.local’.

ns2

sysadmin@ns2:~$ cd /etc/bind/sysadmin@ns2:/etc/bind$ sudo nano named.conf.local

/etc/bind/named.conf.local

//// Do any local configuration here//
// Consider adding the 1918 zones here, if they are not used in your// organization//include “/etc/bind/zones.rfc1918”;
zone “idn-academy.id” { type slave; file “db.idn-academy.id”; masters {192.168.72.11;};};
zone “72.168.192.in-addr.arpa” { type slave; file “db.72.168.192.in-addr.arpa”; masters {192.168.72.11;};};

Setelah itu restart service bind9, lalu cek apakah file ‘db.72.168.192.in-addr.arpa’ di direktori ‘/var/cache/bind’.

ns2

sysadmin@ns1:/etc/bind$ sudo systemctl restart bind9sysadmin@ns2:/etc/bind$ ls /var/cache/bind/db.72.168.192.in-addr.arpa db.idn-academy.id managed-keys.bind managed-keys.bind.jnl

Setelah itu lakukan uji coba menggunakan tool dig. Jika mendapatkan jawaban berarti konfigurasi sudah berhasil.

ns2

sysadmin@ns2:/etc/bind$ dig @192.168.72.12 -x 192.168.72.11
; <<>> DiG 9.18.24-0ubuntu0.22.04.1-Ubuntu <<>> @192.168.72.12 -x 192.168.72.11; (1 server found);; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27765;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 1232; COOKIE: 6f160b12135e7b2c01000000668aa16be6fb6e2097d23779 (good);; QUESTION SECTION:;11.72.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:11.72.168.192.in-addr.arpa. 604800 IN PTR ns1.idn-academy.id.
;; Query time: 0 msec;; SERVER: 192.168.72.12#53(192.168.72.12) (UDP);; WHEN: Sun Jul 07 21:08:43 WIB 2024;; MSG SIZE rcvd: 115
sysadmin@ns2:/etc/bind$ dig @192.168.72.12 -x 192.168.72.12
; <<>> DiG 9.18.24-0ubuntu0.22.04.1-Ubuntu <<>> @192.168.72.12 -x 192.168.72.12; (1 server found);; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9604;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 1232; COOKIE: 6ec4487d11a25fc501000000668aa16f0018cea2bead496b (good);; QUESTION SECTION:;12.72.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:12.72.168.192.in-addr.arpa. 604800 IN PTR ns2.idn-academy.id.
;; Query time: 0 msec;; SERVER: 192.168.72.12#53(192.168.72.12) (UDP);; WHEN: Sun Jul 07 21:08:47 WIB 2024;; MSG SIZE rcvd: 115

Basic Firewall DNS

Kita akan menerapkan firewall ufw di ubuntu. Kita akan izinkan traffic masuk ke port 22/tcp, 53/tcp dan 53/udp.

1. Install ufw.

Pastikan ufw terinstall di ns1 dan ns2.

ns1 & ns2

sysadmin@ns1:~$ sudo apt install ufw -y
sysadmin@ns2:~$ sudo apt install ufw -y

2. Konfigurasi ufw di server ns1.

Secara default ufw statusnya inactive, kita harus aktifkan terlebih dahulu. Setelah aktif rule defaultnya akan deny semua traffic masuk dan allow semua traffic keluar, kita akan izinkan traffic masuk ke port 22/tcp, 53/tcp dan 53/udp.

ns1

sysadmin@ns1:~$ sudo ufw enable Firewall is active and enabled on system startupsysadmin@ns1:~$ sudo ufw status verbose Status: activeLogging: on (low)Default: deny (incoming), allow (outgoing), disabled (routed)New profiles: skipsysadmin@ns1:~$ sudo ufw allow from any to any port 22 proto tcpRule addedRule added (v6)sysadmin@ns1:~$ sudo ufw allow from any to any port 53 proto tcpRule addedRule added (v6)sysadmin@ns1:~$ sudo ufw allow from any to any port 53 proto udpRule addedRule added (v6)sysadmin@ns1:~$ sudo ufw reload Firewall reloaded

Sekarang cek statusnya lagi.

ns1

sysadmin@ns1:~$ sudo ufw status verbose Status: activeLogging: on (low)Default: deny (incoming), allow (outgoing), disabled (routed)New profiles: skip
To Action From– —— —-22/tcp ALLOW IN Anywhere 53/tcp ALLOW IN Anywhere 53/udp ALLOW IN Anywhere 22/tcp (v6) ALLOW IN Anywhere (v6) 53/tcp (v6) ALLOW IN Anywhere (v6) 53/udp (v6) ALLOW IN Anywhere (v6)

Konfigurasi ufw di server ns2.

Untuk konfigurasi ufw di server ns2 sama seperti di server ns1, kita akan izinkan traffic masuk ke port 22/tcp, 53/tcp dan 53/udp.

ns2

sysadmin@ns2:~$ sudo ufw enable Firewall is active and enabled on system startupsysadmin@ns2:~$ sudo ufw status verbose Status: activeLogging: on (low)Default: deny (incoming), allow (outgoing), disabled (routed)New profiles: skipsysadmin@ns2:~$ sudo ufw allow from any to any port 22 proto tcpRule addedRule added (v6)sysadmin@ns2:~$ sudo ufw allow from any to any port 53 proto tcpRule addedRule added (v6)sysadmin@ns2:~$ sudo ufw allow from any to any port 53 proto udpRule addedRule added (v6)sysadmin@ns2:~$ sudo ufw reload Firewall reloaded

Sekarang cek statusnya lagi.

ns2

sysadmin@ns2:~$ sudo ufw status verbose Status: activeLogging: on (low)Default: deny (incoming), allow (outgoing), disabled (routed)New profiles: skip
To Action From– —— —-22/tcp ALLOW IN Anywhere 53/tcp ALLOW IN Anywhere 53/udp ALLOW IN Anywhere 22/tcp (v6) ALLOW IN Anywhere (v6) 53/tcp (v6) ALLOW IN Anywhere (v6) 53/udp (v6) ALLOW IN Anywhere (v6)

Tertarik mengikuti training di ID-Networkers? Kami menyediakan berbagai pilihan training yang bisa kamu ikuti, klik disini untuk info lengkapnya.

Penulis : Achmad Alif Nasrulloh

Bind9 Domain Name System Server (DNS Server)

Berlangganan Jadwal Training ID-Networkers

Jakarta office

Semarang Office

Page