===================================================================
===================================================================
@@@@@ DNS Master Server Named as ns1.mithu.com(172.16.0.11)
*******************************************************************
Web server IPs are {172.16.0.3} {172.16.0.4} {172.16.0.5}
*******************************************************************
Two MX records handle mail exchange for all hosted domains: {mx1.inodecare.com}
{mx2.inodecare.com}
===================================================================
===================================================================
1.# apt-get install bind9 dnsutils
2.# vim /etc/hosts
-----------------------------------------------------------
# Static entries for this server (ns1) and its peer nameserver, independent
# of DNS being up.
127.0.0.1 localhost
127.0.1.1 ns1
172.16.0.11 ns1.mithu.com
172.16.0.12 ns2.mithu.com
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
------------------------------------------------------------
3.# vim /etc/resolv.conf
------------------------------------------------------------
# resolv.conf(5): "domain" and "search" are mutually exclusive and the last
# one wins, so only the "search" line below is actually in effect.
domain mithu.com
# otherdomains.com is presumably a placeholder from the guide -- replace or
# drop it, or every unqualified lookup will also be tried there.
search mithu.com otherdomains.com
# Local server first, then the peer. NOTE(review): a nameserver commonly
# lists 127.0.0.1 first so that local lookups never leave the host.
nameserver 172.16.0.11
nameserver 172.16.0.12
------------------------------------------------------------
4.# vim /etc/bind/named.conf
------------------------------------------------------------------------------
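// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
//
// ns1.mithu.com (172.16.0.11), master for the zones listed at the bottom.
// The options block is declared inline, so Debian's named.conf.options
// (which carries its own options block) stays commented out.
// Validate with: named-checkconf -z /etc/bind/named.conf
#include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/bind.keys";
// Clients allowed to recurse and read the cache. 172.16.0.0/16 is the
// whole site range; narrow it if only some subnets should recurse here.
acl internals { 172.16.0.0/16; 192.168.0.0/24; };
// External networks allowed to query. 202.84.33.13/28 is written with its
// host bits cleared: the network covered is 202.84.33.0/28 either way, and
// BIND reports an address/prefix length mismatch for the original spelling.
acl externals { 122.144.12.0/27; 202.84.33.0/28; };
// RFC 5735 special-use ranges that are never a legitimate query source.
// 172.16.0.0/12 and 192.168.0.0/16 are deliberately absent -- they are the
// internal networks above.
acl rfc5735-deny {
0.0.0.0/8; 10.0.0.0/8; 169.254.0.0/16; 192.0.0.0/24; 192.0.2.0/24;
192.88.99.0/24; 198.18.0.0/15; 198.51.100.0/24; 203.0.113.0/24;
224.0.0.0/4; 240.0.0.0/4;};
options {
directory "/var/cache/bind";
version "unknown"; // hide the real version from version.bind queries
// Recursive queries from "internals" are forwarded to the listed server
// rather than resolved iteratively.
forward only;
forwarders { // forward to external servers
8.8.8.8;
};
// Global default: no zone transfers. BIND's built-in default is "any", so
// leaving this line commented out exposed every zone without its own
// allow-transfer (including the default zones included above) to AXFR
// from anywhere. The zones below override it for ns2 only.
allow-transfer { none; };
allow-query { internals; externals; }; // restrict query access
allow-recursion { internals; }; // restrict recursion
allow-query-cache { internals; }; // for BIND 9.4+
additional-from-auth no;
additional-from-cache no;
blackhole { rfc5735-deny; };
query-source address * port *; // "port *" = randomised source port
query-source-v6 address * port *;
// queryport-pool-* are obsolete now that port randomisation is the
// default; drop them if named-checkconf rejects them.
queryport-pool-ports 8;
queryport-pool-updateinterval 15;
allow-update {none;};
notify yes; // NOTIFY the NS hosts (ns2) when a zone serial changes
};
// Zone transfers to the slave only; everything else inherits "none".
zone "mithu.com" {
type master;
file "/etc/bind/zones/mithu-fz";
allow-transfer {172.16.0.12;};
};
zone "0.16.172.in-addr.arpa" { // reverse zone for 172.16.0.0/24
type master;
file "/etc/bind/zones/mithu-rz";
allow-transfer {172.16.0.12;};
};
// mehedi-fz and hasan-fz are not shown in this guide; create them like
// mithu-fz, otherwise these zones fail to load at startup.
zone "mehedi.com" {
type master;
file "/etc/bind/zones/mehedi-fz";
allow-transfer {172.16.0.12;};
};
zone "hasan.com" {
type master;
file "/etc/bind/zones/hasan-fz";
allow-transfer {172.16.0.12;};
};
// If ever enabled, the statement needs a terminating ';'.
//include "/etc/bind/rndc.key"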
--------------------------------------------------------------------------------
5. We will create a directory named zones
# mkdir /etc/bind/zones [here we will keep all the forward & reverse lookup zone files...]
6. Now we will create the forward lookup zone file (mithu-fz)
#vim /etc/bind/zones/mithu-fz
--------------------------------------------------------
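$TTL 86400
; Forward zone for mithu.com, served by ns1 (master) and ns2 (slave).
; Bump the serial on every edit, or ns2 never learns about the change.
; Check with: named-checkzone mithu.com /etc/bind/zones/mithu-fz
@       IN SOA  ns1.mithu.com. root.ns1.mithu.com. (
                1          ; serial
                604800     ; refresh
                86400      ; retry
                2419200    ; expire
                86400 )    ; negative cache TTL
;
@       IN NS   ns1.mithu.com.
@       IN NS   ns2.mithu.com.
@       IN MX   10 mx1.inodecare.com.
@       IN MX   20 mx2.inodecare.com.
; Apex A records: the three web servers, returned round-robin.
; (The original listed 172.16.0.3 twice; a second identical RR adds nothing.)
@       IN A    172.16.0.3
@       IN A    172.16.0.4
@       IN A    172.16.0.5
ns1     IN A    172.16.0.11
ns2     IN A    172.16.0.12
www     IN CNAME mithu.com.
ftp     IN CNAME mithu.com.
; Removed: "mithu.com IN CNAME www.mithu.com." -- without a trailing dot the
; owner is relative to the origin (mithu.com.mithu.com.), so the record only
; created a CNAME loop back through www and served no real name.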
--------------------------------------------------------
7. Now we will create the reverse lookup zone file (mithu-rz)
#vim /etc/bind/zones/mithu-rz
---------------------------------------------------------
$TTL 86400
; Reverse zone for 172.16.0.0/24 (0.16.172.in-addr.arpa).
@       IN SOA  ns1.mithu.com. root.mithu.com. (
                1          ; serial
                604800     ; refresh
                86400      ; retry
                2419200    ; expire
                86400 )    ; negative cache TTL
;
@       IN NS   ns1.mithu.com.
@       IN NS   ns2.mithu.com.
; Nameservers.
11      IN PTR  ns1.mithu.com.
12      IN PTR  ns2.mithu.com.
; Web servers; all three map back to the apex name.
3       IN PTR  mithu.com.
4       IN PTR  mithu.com.
5       IN PTR  mithu.com.
----------------------------------------------------------
8. Change the ownership of the zones directory:
# chown -R bind:bind /etc/bind/zones/
9. Now we will check /etc/host.conf (this is optional; modifying it is not mandatory)
# vim /etc/host.conf
[The configuration file should look like this:]
# host.conf(5): consult /etc/hosts first, then DNS.
order hosts,bind
10. Now we will restart the bind service
#/etc/init.d/bind9 restart
=============================================================
@@@@@ DNS Slave Server Named as ns2.mithu.com(172.16.0.12)
=============================================================
1.# apt-get install bind9 dnsutils
2.# vim /etc/hosts
-----------------------------------------------------------
# Static entries for this server (ns2) and its peer nameserver, independent
# of DNS being up.
127.0.0.1 localhost
127.0.1.1 ns2
172.16.0.12 ns2.mithu.com
172.16.0.11 ns1.mithu.com
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
------------------------------------------------------------
3.# vim /etc/resolv.conf
------------------------------------------------------------
# resolv.conf(5): "domain" and "search" are mutually exclusive and the last
# one wins, so only the "search" line below is actually in effect.
domain mithu.com
# otherdomains.com is presumably a placeholder from the guide -- replace or
# drop it, or every unqualified lookup will also be tried there.
search mithu.com otherdomains.com
# Local server first, then the peer. NOTE(review): a nameserver commonly
# lists 127.0.0.1 first so that local lookups never leave the host.
nameserver 172.16.0.12
nameserver 172.16.0.11
------------------------------------------------------------
4.# vim /etc/bind/named.conf
----------------------------------------------------------------------------
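// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
//
// ns2.mithu.com (172.16.0.12), slave for the zones listed at the bottom.
// The options block is declared inline, so Debian's named.conf.options
// (which carries its own options block) stays commented out.
// Validate with: named-checkconf /etc/bind/named.conf
#include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/bind.keys";
// Clients allowed to recurse and read the cache. 172.16.0.0/16 is the
// whole site range; narrow it if only some subnets should recurse here.
acl internals { 172.16.0.0/16; 192.168.0.0/24; };
// External networks allowed to query. 202.84.33.13/28 is written with its
// host bits cleared: the network covered is 202.84.33.0/28 either way, and
// BIND reports an address/prefix length mismatch for the original spelling.
acl externals { 122.144.12.0/27; 202.84.33.0/28; };
// RFC 5735 special-use ranges that are never a legitimate query source.
// 172.16.0.0/12 and 192.168.0.0/16 are deliberately absent -- they are the
// internal networks above.
acl rfc5735-deny {
0.0.0.0/8; 10.0.0.0/8; 169.254.0.0/16; 192.0.0.0/24; 192.0.2.0/24;
192.88.99.0/24; 198.18.0.0/15; 198.51.100.0/24; 203.0.113.0/24;
224.0.0.0/4; 240.0.0.0/4;};
options {
directory "/var/cache/bind";
version "unknown"; // hide the real version from version.bind queries
// Recursive queries from "internals" are forwarded to the listed server
// rather than resolved iteratively.
forward only;
forwarders { // forward to external servers
8.8.8.8;
};
// Global default: no zone transfers. The slave zones below set no
// allow-transfer of their own, so with this line commented out (BIND's
// built-in default is "any") ns2 would hand a full copy of every zone to
// anyone who asks for AXFR.
allow-transfer { none; };
allow-query { internals; externals; }; // restrict query access
allow-recursion { internals; }; // restrict recursion
allow-query-cache { internals; }; // for BIND 9.4+
additional-from-auth no;
additional-from-cache no;
blackhole { rfc5735-deny; };
query-source address * port *; // "port *" = randomised source port
query-source-v6 address * port *;
// queryport-pool-* are obsolete now that port randomisation is the
// default; drop them if named-checkconf rejects them.
queryport-pool-ports 8;
queryport-pool-updateinterval 15;
allow-update {none;};
notify yes; // a slave may notify too; use "notify no" if only ns1 should
};
// Slave zones: fetched from ns1 and written to the "file" path, so the bind
// user must be able to write /etc/bind/zones (step 6 chown). On
// Debian/Ubuntu with AppArmor enforcing, the named profile may not permit
// writes under /etc/bind -- check the log for denials, or keep the slave
// copies under /var/cache/bind (the "directory" above) instead.
// Newer BIND releases also accept "primaries" in place of "masters".
zone "mithu.com" {
type slave;
file "/etc/bind/zones/mithu-fz";
masters {172.16.0.11;};
};
zone "0.16.172.in-addr.arpa" { // reverse zone for 172.16.0.0/24
type slave;
file "/etc/bind/zones/mithu-rz";
masters {172.16.0.11;};
};
zone "mehedi.com" {
type slave;
file "/etc/bind/zones/mehedi-fz";
masters {172.16.0.11;};
};
zone "hasan.com" {
type slave;
file "/etc/bind/zones/hasan-fz";
masters {172.16.0.11;};
};
// If ever enabled, the statement needs a terminating ';'.
//include "/etc/bind/rndc.key"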
------------------------------------------------------------------------------
5. We will create a directory named zones
# mkdir /etc/bind/zones [here we will keep all the forward & reverse lookup zone files...]
6. Change the ownership of the zones directory:
# chown -R bind:bind /etc/bind/zones/
7. We do not need to create forward and reverse lookup zone files on the secondary (slave) DNS server.
All the zone files will be populated automatically from the primary (master) DNS server.
8. Restart the DNS service for the changes to take effect:
#/etc/init.d/bind9 restart
================================================================
iptables for both Master and Slave DNS (with Advanced Protections)
================================================================
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
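#!/bin/sh
# Host firewall for ns1/ns2 (master and slave DNS). Default-deny on every
# chain; inbound only loopback, SSH, ICMP echo and DNS, outbound only replies,
# DNS (forwarder queries, NOTIFY, zone transfers) and ICMP echo.
# Run as root. The script flushes the live rule set before rebuilding it, so
# keep a console session at hand when running it over SSH.
#
# Interface that faces DNS clients (the original rules hard-coded eth0).
DNS_IF="${DNS_IF:-eth0}"

# Connection tracking is needed for the "-m state" matches below. The FTP
# helpers and NAT modules of the original are not used by any rule here.
# Newer kernels name the module nf_conntrack; fall back to the legacy name.
modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack 2>/dev/null

# Start from a clean slate in every table (the original never flushed nat,
# so a populated nat chain could not be deleted by -X).
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Loopback: named talks to itself (rndc, 127.0.0.1 listeners).
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Replies to connections we accepted or initiated. This replaces the
# stateless "--sport 22" / "--sport 53" accepts of the original, which let any
# packet through merely for carrying a privileged source port.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP

# Malformed TCP is dropped before any ACCEPT can match it (the original
# placed these after the SSH accept): new connections not starting with SYN,
# XMAS (all flags) and NULL (no flags) packets, and fragments.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -f -j DROP

# ICMP echo request/reply, rate limited inbound.
iptables -A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s --limit-burst 5 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s --limit-burst 5 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT

# SSH with brute-force throttling: more than 3 new connections from one
# address within 60 s are logged and dropped.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-level info --log-prefix "Anti SSH-Bruteforce: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Per-source cap on new TCP connections (20 per 60 s). Only the DROP carries
# a target: the original "--set ... -j ACCEPT" accepted every new TCP
# connection on every port, which silently undid the INPUT DROP policy.
iptables -A INPUT -p tcp -m state --state NEW -m recent --name TCPNEW --update --seconds 60 --hitcount 20 -j DROP
iptables -A INPUT -p tcp -m state --state NEW -m recent --name TCPNEW --set

# DNS service on UDP and TCP (TCP also carries AXFR from ns2 and truncated
# responses), throttled per /24 source network. Outbound: queries to the
# forwarder, NOTIFY, and AXFR/IXFR initiated by the slave towards the master.
for proto in udp tcp; do
    iptables -A INPUT -p "$proto" -i "$DNS_IF" --dport 53 \
        -m hashlimit --hashlimit-name DNSTHROTTLE --hashlimit-mode srcip \
        --hashlimit-srcmask 24 --hashlimit-upto 600/m --hashlimit-burst 1200 \
        -j ACCEPT
    iptables -A OUTPUT -p "$proto" -o "$DNS_IF" --dport 53 -j ACCEPT
done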
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Advanced Options of BIND 9:
==========================
===============================================================
Updates and patches are currently available for the latest 9.8.x and 9.9.x releases to
support RRL (Response Rate Limiting) on UNIX systems. Red Hat has made updated packages available for Red Hat
Enterprise Linux 6 that provide the necessary changes, in advisory RHSA-2013:0550-1.
===============================================================
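#include "/etc/bind/named.conf.options"; // commented out: the options block below replaces it
// Hardened options sample for BIND 9.8.6 / 9.9.4 (Extended Support) with
// Response Rate Limiting. This is a standalone example: the zone names and
// addresses below are placeholders, not the mithu.com setup above.
// Validate with: named-checkconf <path-to-this-file>
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/bind.keys";
acl internals { 172.16.0.0/16; 192.168.0.0/24; };
// 202.84.33.13/28 written with its host bits cleared: same network, and
// BIND reports an address/prefix length mismatch for the original spelling.
acl externals { 122.144.12.0/27; 202.84.33.0/28; };
acl rfc5735-deny {
0.0.0.0/8; 10.0.0.0/8; 169.254.0.0/16; 192.0.0.0/24; 192.0.2.0/24;
192.88.99.0/24; 198.18.0.0/15; 198.51.100.0/24; 203.0.113.0/24;
224.0.0.0/4; 240.0.0.0/4;};
options {
// Replace 192.168.1.201 with this server's own address.
listen-on port 53 { 127.0.0.1; 192.168.1.201; }; // DNS own IP (for BIND 9.8.6 or 9.9.4 versions)
listen-on-v6 port 53 { ::1; };
directory "/var/cache/bind"; // we need to add this line as we commented out the named.conf.options line
version "unknown";
forward only;
forwarders { // forward to external servers
8.8.8.8;
};
allow-transfer { none; }; // global default: no zone transfers; zones override below
allow-query { internals; externals; }; // restrict query access
allow-recursion { internals; }; // restrict recursion (So we don't need to include {recursion no} option)
allow-query-cache { internals; }; // for BIND 9.4+
additional-from-auth no;
additional-from-cache no;
blackhole { rfc5735-deny; };
query-source address * port *;
query-source-v6 address * port *;
// queryport-pool-* are obsolete now that port randomisation is the
// default; drop them if named-checkconf rejects them.
queryport-pool-ports 8;
queryport-pool-updateinterval 15;
// Response Rate Limiting (BIND 9.8.6 / 9.9.4 Extended Support versions).
// rate-limit is an options (or view) sub-statement; the original placed it
// at top level, where named-checkconf rejects it as an unknown option.
rate-limit {
responses-per-second 5;
window 5;
};
};
zone "site1.example.com" { // sample master zone
type master;
file "m/site1.example.com";
forwarders { }; // do normal iterative
// resolution (do not forward)
allow-query { internals; externals; };
allow-transfer { internals; };
};
zone "site2.example.com" { // sample slave zone
type slave;
file "s/site2.example.com";
masters { 172.16.72.3; };
forwarders { };
allow-query { internals; externals; };
allow-transfer { internals; };
};
zone "site1.internal" {
type master;
file "m/site1.internal";
forwarders { };
allow-query { internals; };
allow-transfer { internals; }; // original lacked the terminating ';'
};
zone "site2.internal" {
type slave;
file "s/site2.internal";
masters { 172.16.72.3; };
forwarders { };
allow-query { internals; }; // every ACL element needs its own ';'
allow-transfer { internals; }; // original lacked the terminating ';'
};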
===================================================================
@@@@@ DNS Master Server Named as ns1.mithu.com(172.16.0.11)
*******************************************************************
Web server IPs are {172.16.0.3} {172.16.0.4} {172.16.0.5}
*******************************************************************
Two MX records handle mail exchange for all hosted domains: {mx1.inodecare.com}
{mx2.inodecare.com}
===================================================================
===================================================================
1.# apt-get install bind9 dnsutils
2.# vim /etc/hosts
-----------------------------------------------------------
# Static entries for this server (ns1) and its peer nameserver, independent
# of DNS being up.
127.0.0.1 localhost
127.0.1.1 ns1
172.16.0.11 ns1.mithu.com
172.16.0.12 ns2.mithu.com
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
------------------------------------------------------------
3.# vim /etc/resolv.conf
------------------------------------------------------------
# resolv.conf(5): "domain" and "search" are mutually exclusive and the last
# one wins, so only the "search" line below is actually in effect.
domain mithu.com
# otherdomains.com is presumably a placeholder from the guide -- replace or
# drop it, or every unqualified lookup will also be tried there.
search mithu.com otherdomains.com
# Local server first, then the peer. NOTE(review): a nameserver commonly
# lists 127.0.0.1 first so that local lookups never leave the host.
nameserver 172.16.0.11
nameserver 172.16.0.12
------------------------------------------------------------
4.# vim /etc/bind/named.conf
------------------------------------------------------------------------------
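// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
//
// ns1.mithu.com (172.16.0.11), master for the zones listed at the bottom.
// The options block is declared inline, so Debian's named.conf.options
// (which carries its own options block) stays commented out.
// Validate with: named-checkconf -z /etc/bind/named.conf
#include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/bind.keys";
// Clients allowed to recurse and read the cache. 172.16.0.0/16 is the
// whole site range; narrow it if only some subnets should recurse here.
acl internals { 172.16.0.0/16; 192.168.0.0/24; };
// External networks allowed to query. 202.84.33.13/28 is written with its
// host bits cleared: the network covered is 202.84.33.0/28 either way, and
// BIND reports an address/prefix length mismatch for the original spelling.
acl externals { 122.144.12.0/27; 202.84.33.0/28; };
// RFC 5735 special-use ranges that are never a legitimate query source.
// 172.16.0.0/12 and 192.168.0.0/16 are deliberately absent -- they are the
// internal networks above.
acl rfc5735-deny {
0.0.0.0/8; 10.0.0.0/8; 169.254.0.0/16; 192.0.0.0/24; 192.0.2.0/24;
192.88.99.0/24; 198.18.0.0/15; 198.51.100.0/24; 203.0.113.0/24;
224.0.0.0/4; 240.0.0.0/4;};
options {
directory "/var/cache/bind";
version "unknown"; // hide the real version from version.bind queries
// Recursive queries from "internals" are forwarded to the listed server
// rather than resolved iteratively.
forward only;
forwarders { // forward to external servers
8.8.8.8;
};
// Global default: no zone transfers. BIND's built-in default is "any", so
// leaving this line commented out exposed every zone without its own
// allow-transfer (including the default zones included above) to AXFR
// from anywhere. The zones below override it for ns2 only.
allow-transfer { none; };
allow-query { internals; externals; }; // restrict query access
allow-recursion { internals; }; // restrict recursion
allow-query-cache { internals; }; // for BIND 9.4+
additional-from-auth no;
additional-from-cache no;
blackhole { rfc5735-deny; };
query-source address * port *; // "port *" = randomised source port
query-source-v6 address * port *;
// queryport-pool-* are obsolete now that port randomisation is the
// default; drop them if named-checkconf rejects them.
queryport-pool-ports 8;
queryport-pool-updateinterval 15;
allow-update {none;};
notify yes; // NOTIFY the NS hosts (ns2) when a zone serial changes
};
// Zone transfers to the slave only; everything else inherits "none".
zone "mithu.com" {
type master;
file "/etc/bind/zones/mithu-fz";
allow-transfer {172.16.0.12;};
};
zone "0.16.172.in-addr.arpa" { // reverse zone for 172.16.0.0/24
type master;
file "/etc/bind/zones/mithu-rz";
allow-transfer {172.16.0.12;};
};
// mehedi-fz and hasan-fz are not shown in this guide; create them like
// mithu-fz, otherwise these zones fail to load at startup.
zone "mehedi.com" {
type master;
file "/etc/bind/zones/mehedi-fz";
allow-transfer {172.16.0.12;};
};
zone "hasan.com" {
type master;
file "/etc/bind/zones/hasan-fz";
allow-transfer {172.16.0.12;};
};
// If ever enabled, the statement needs a terminating ';'.
//include "/etc/bind/rndc.key"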
--------------------------------------------------------------------------------
5. We will create a directory named zones
# mkdir /etc/bind/zones [here we will keep all the forward & reverse lookup zone files...]
6. Now we will create the forward lookup zone file (mithu-fz)
#vim /etc/bind/zones/mithu-fz
--------------------------------------------------------
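$TTL 86400
; Forward zone for mithu.com, served by ns1 (master) and ns2 (slave).
; Bump the serial on every edit, or ns2 never learns about the change.
; Check with: named-checkzone mithu.com /etc/bind/zones/mithu-fz
@       IN SOA  ns1.mithu.com. root.ns1.mithu.com. (
                1          ; serial
                604800     ; refresh
                86400      ; retry
                2419200    ; expire
                86400 )    ; negative cache TTL
;
@       IN NS   ns1.mithu.com.
@       IN NS   ns2.mithu.com.
@       IN MX   10 mx1.inodecare.com.
@       IN MX   20 mx2.inodecare.com.
; Apex A records: the three web servers, returned round-robin.
; (The original listed 172.16.0.3 twice; a second identical RR adds nothing.)
@       IN A    172.16.0.3
@       IN A    172.16.0.4
@       IN A    172.16.0.5
ns1     IN A    172.16.0.11
ns2     IN A    172.16.0.12
www     IN CNAME mithu.com.
ftp     IN CNAME mithu.com.
; Removed: "mithu.com IN CNAME www.mithu.com." -- without a trailing dot the
; owner is relative to the origin (mithu.com.mithu.com.), so the record only
; created a CNAME loop back through www and served no real name.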
--------------------------------------------------------
7. Now we will create the reverse lookup zone file (mithu-rz)
#vim /etc/bind/zones/mithu-rz
---------------------------------------------------------
$TTL 86400
; Reverse zone for 172.16.0.0/24 (0.16.172.in-addr.arpa).
@       IN SOA  ns1.mithu.com. root.mithu.com. (
                1          ; serial
                604800     ; refresh
                86400      ; retry
                2419200    ; expire
                86400 )    ; negative cache TTL
;
@       IN NS   ns1.mithu.com.
@       IN NS   ns2.mithu.com.
; Nameservers.
11      IN PTR  ns1.mithu.com.
12      IN PTR  ns2.mithu.com.
; Web servers; all three map back to the apex name.
3       IN PTR  mithu.com.
4       IN PTR  mithu.com.
5       IN PTR  mithu.com.
----------------------------------------------------------
8. Change the ownership of the zones directory:
# chown -R bind:bind /etc/bind/zones/
9. Now we will check /etc/host.conf (this is optional; modifying it is not mandatory)
# vim /etc/host.conf
[The configuration file should look like this:]
# host.conf(5): consult /etc/hosts first, then DNS.
order hosts,bind
10. Now we will restart the bind service
#/etc/init.d/bind9 restart
=============================================================
@@@@@ DNS Slave Server Named as ns2.mithu.com(172.16.0.12)
=============================================================
1.# apt-get install bind9 dnsutils
2.# vim /etc/hosts
-----------------------------------------------------------
# Static entries for this server (ns2) and its peer nameserver, independent
# of DNS being up.
127.0.0.1 localhost
127.0.1.1 ns2
172.16.0.12 ns2.mithu.com
172.16.0.11 ns1.mithu.com
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
------------------------------------------------------------
3.# vim /etc/resolv.conf
------------------------------------------------------------
# resolv.conf(5): "domain" and "search" are mutually exclusive and the last
# one wins, so only the "search" line below is actually in effect.
domain mithu.com
# otherdomains.com is presumably a placeholder from the guide -- replace or
# drop it, or every unqualified lookup will also be tried there.
search mithu.com otherdomains.com
# Local server first, then the peer. NOTE(review): a nameserver commonly
# lists 127.0.0.1 first so that local lookups never leave the host.
nameserver 172.16.0.12
nameserver 172.16.0.11
------------------------------------------------------------
4.# vim /etc/bind/named.conf
----------------------------------------------------------------------------
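// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
//
// ns2.mithu.com (172.16.0.12), slave for the zones listed at the bottom.
// The options block is declared inline, so Debian's named.conf.options
// (which carries its own options block) stays commented out.
// Validate with: named-checkconf /etc/bind/named.conf
#include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/bind.keys";
// Clients allowed to recurse and read the cache. 172.16.0.0/16 is the
// whole site range; narrow it if only some subnets should recurse here.
acl internals { 172.16.0.0/16; 192.168.0.0/24; };
// External networks allowed to query. 202.84.33.13/28 is written with its
// host bits cleared: the network covered is 202.84.33.0/28 either way, and
// BIND reports an address/prefix length mismatch for the original spelling.
acl externals { 122.144.12.0/27; 202.84.33.0/28; };
// RFC 5735 special-use ranges that are never a legitimate query source.
// 172.16.0.0/12 and 192.168.0.0/16 are deliberately absent -- they are the
// internal networks above.
acl rfc5735-deny {
0.0.0.0/8; 10.0.0.0/8; 169.254.0.0/16; 192.0.0.0/24; 192.0.2.0/24;
192.88.99.0/24; 198.18.0.0/15; 198.51.100.0/24; 203.0.113.0/24;
224.0.0.0/4; 240.0.0.0/4;};
options {
directory "/var/cache/bind";
version "unknown"; // hide the real version from version.bind queries
// Recursive queries from "internals" are forwarded to the listed server
// rather than resolved iteratively.
forward only;
forwarders { // forward to external servers
8.8.8.8;
};
// Global default: no zone transfers. The slave zones below set no
// allow-transfer of their own, so with this line commented out (BIND's
// built-in default is "any") ns2 would hand a full copy of every zone to
// anyone who asks for AXFR.
allow-transfer { none; };
allow-query { internals; externals; }; // restrict query access
allow-recursion { internals; }; // restrict recursion
allow-query-cache { internals; }; // for BIND 9.4+
additional-from-auth no;
additional-from-cache no;
blackhole { rfc5735-deny; };
query-source address * port *; // "port *" = randomised source port
query-source-v6 address * port *;
// queryport-pool-* are obsolete now that port randomisation is the
// default; drop them if named-checkconf rejects them.
queryport-pool-ports 8;
queryport-pool-updateinterval 15;
allow-update {none;};
notify yes; // a slave may notify too; use "notify no" if only ns1 should
};
// Slave zones: fetched from ns1 and written to the "file" path, so the bind
// user must be able to write /etc/bind/zones (step 6 chown). On
// Debian/Ubuntu with AppArmor enforcing, the named profile may not permit
// writes under /etc/bind -- check the log for denials, or keep the slave
// copies under /var/cache/bind (the "directory" above) instead.
// Newer BIND releases also accept "primaries" in place of "masters".
zone "mithu.com" {
type slave;
file "/etc/bind/zones/mithu-fz";
masters {172.16.0.11;};
};
zone "0.16.172.in-addr.arpa" { // reverse zone for 172.16.0.0/24
type slave;
file "/etc/bind/zones/mithu-rz";
masters {172.16.0.11;};
};
zone "mehedi.com" {
type slave;
file "/etc/bind/zones/mehedi-fz";
masters {172.16.0.11;};
};
zone "hasan.com" {
type slave;
file "/etc/bind/zones/hasan-fz";
masters {172.16.0.11;};
};
// If ever enabled, the statement needs a terminating ';'.
//include "/etc/bind/rndc.key"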
------------------------------------------------------------------------------
5. We will create a directory named zones
# mkdir /etc/bind/zones [here we will keep all the forward & reverse lookup zone files...]
6. Change the ownership of the zones directory:
# chown -R bind:bind /etc/bind/zones/
7. We do not need to create forward and reverse lookup zone files on the secondary (slave) DNS server.
All the zone files will be populated automatically from the primary (master) DNS server.
8. Restart the DNS service for the changes to take effect:
#/etc/init.d/bind9 restart
================================================================
iptables for both Master and Slave DNS (with Advanced Protections)
================================================================
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
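#!/bin/sh
# Host firewall for ns1/ns2 (master and slave DNS). Default-deny on every
# chain; inbound only loopback, SSH, ICMP echo and DNS, outbound only replies,
# DNS (forwarder queries, NOTIFY, zone transfers) and ICMP echo.
# Run as root. The script flushes the live rule set before rebuilding it, so
# keep a console session at hand when running it over SSH.
#
# Interface that faces DNS clients (the original rules hard-coded eth0).
DNS_IF="${DNS_IF:-eth0}"

# Connection tracking is needed for the "-m state" matches below. The FTP
# helpers and NAT modules of the original are not used by any rule here.
# Newer kernels name the module nf_conntrack; fall back to the legacy name.
modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack 2>/dev/null

# Start from a clean slate in every table (the original never flushed nat,
# so a populated nat chain could not be deleted by -X).
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Loopback: named talks to itself (rndc, 127.0.0.1 listeners).
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Replies to connections we accepted or initiated. This replaces the
# stateless "--sport 22" / "--sport 53" accepts of the original, which let any
# packet through merely for carrying a privileged source port.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP

# Malformed TCP is dropped before any ACCEPT can match it (the original
# placed these after the SSH accept): new connections not starting with SYN,
# XMAS (all flags) and NULL (no flags) packets, and fragments.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -f -j DROP

# ICMP echo request/reply, rate limited inbound.
iptables -A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s --limit-burst 5 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s --limit-burst 5 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT

# SSH with brute-force throttling: more than 3 new connections from one
# address within 60 s are logged and dropped.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-level info --log-prefix "Anti SSH-Bruteforce: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Per-source cap on new TCP connections (20 per 60 s). Only the DROP carries
# a target: the original "--set ... -j ACCEPT" accepted every new TCP
# connection on every port, which silently undid the INPUT DROP policy.
iptables -A INPUT -p tcp -m state --state NEW -m recent --name TCPNEW --update --seconds 60 --hitcount 20 -j DROP
iptables -A INPUT -p tcp -m state --state NEW -m recent --name TCPNEW --set

# DNS service on UDP and TCP (TCP also carries AXFR from ns2 and truncated
# responses), throttled per /24 source network. Outbound: queries to the
# forwarder, NOTIFY, and AXFR/IXFR initiated by the slave towards the master.
for proto in udp tcp; do
    iptables -A INPUT -p "$proto" -i "$DNS_IF" --dport 53 \
        -m hashlimit --hashlimit-name DNSTHROTTLE --hashlimit-mode srcip \
        --hashlimit-srcmask 24 --hashlimit-upto 600/m --hashlimit-burst 1200 \
        -j ACCEPT
    iptables -A OUTPUT -p "$proto" -o "$DNS_IF" --dport 53 -j ACCEPT
done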
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Advanced Options of BIND 9:
==========================
===============================================================
Updates and patches are currently available for the latest 9.8.x and 9.9.x releases to
support RRL (Response Rate Limiting) on UNIX systems. Red Hat has made updated packages available for Red Hat
Enterprise Linux 6 that provide the necessary changes, in advisory RHSA-2013:0550-1.
===============================================================
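#include "/etc/bind/named.conf.options"; // commented out: the options block below replaces it
// Hardened options sample for BIND 9.8.6 / 9.9.4 (Extended Support) with
// Response Rate Limiting. This is a standalone example: the zone names and
// addresses below are placeholders, not the mithu.com setup above.
// Validate with: named-checkconf <path-to-this-file>
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/bind.keys";
acl internals { 172.16.0.0/16; 192.168.0.0/24; };
// 202.84.33.13/28 written with its host bits cleared: same network, and
// BIND reports an address/prefix length mismatch for the original spelling.
acl externals { 122.144.12.0/27; 202.84.33.0/28; };
acl rfc5735-deny {
0.0.0.0/8; 10.0.0.0/8; 169.254.0.0/16; 192.0.0.0/24; 192.0.2.0/24;
192.88.99.0/24; 198.18.0.0/15; 198.51.100.0/24; 203.0.113.0/24;
224.0.0.0/4; 240.0.0.0/4;};
options {
// Replace 192.168.1.201 with this server's own address.
listen-on port 53 { 127.0.0.1; 192.168.1.201; }; // DNS own IP (for BIND 9.8.6 or 9.9.4 versions)
listen-on-v6 port 53 { ::1; };
directory "/var/cache/bind"; // we need to add this line as we commented out the named.conf.options line
version "unknown";
forward only;
forwarders { // forward to external servers
8.8.8.8;
};
allow-transfer { none; }; // global default: no zone transfers; zones override below
allow-query { internals; externals; }; // restrict query access
allow-recursion { internals; }; // restrict recursion (So we don't need to include {recursion no} option)
allow-query-cache { internals; }; // for BIND 9.4+
additional-from-auth no;
additional-from-cache no;
blackhole { rfc5735-deny; };
query-source address * port *;
query-source-v6 address * port *;
// queryport-pool-* are obsolete now that port randomisation is the
// default; drop them if named-checkconf rejects them.
queryport-pool-ports 8;
queryport-pool-updateinterval 15;
// Response Rate Limiting (BIND 9.8.6 / 9.9.4 Extended Support versions).
// rate-limit is an options (or view) sub-statement; the original placed it
// at top level, where named-checkconf rejects it as an unknown option.
rate-limit {
responses-per-second 5;
window 5;
};
};
zone "site1.example.com" { // sample master zone
type master;
file "m/site1.example.com";
forwarders { }; // do normal iterative
// resolution (do not forward)
allow-query { internals; externals; };
allow-transfer { internals; };
};
zone "site2.example.com" { // sample slave zone
type slave;
file "s/site2.example.com";
masters { 172.16.72.3; };
forwarders { };
allow-query { internals; externals; };
allow-transfer { internals; };
};
zone "site1.internal" {
type master;
file "m/site1.internal";
forwarders { };
allow-query { internals; };
allow-transfer { internals; }; // original lacked the terminating ';'
};
zone "site2.internal" {
type slave;
file "s/site2.internal";
masters { 172.16.72.3; };
forwarders { };
allow-query { internals; }; // every ACL element needs its own ';'
allow-transfer { internals; }; // original lacked the terminating ';'
};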