h3. Background

In order to test different CommIT environments, it is necessary to override the authoritative DNS server(s) for the *commonidtrust.org* domain with one that directs the user to the front door (load balancer) for the CPR and IDP instances in the desired environment.

To that end, we have set up separate DNS servers for the CommIT VPC-Dev and VPC-Prod environments. These are configured to serve the A and/or CNAME records for *account.commonidtrust.org* and *login.commonidtrust.org* for the specific VPC environment.

Currently, the DNS server for VPC-Dev runs on the CommIT VPC Gitolite server in the VPC-Dev public subnet and is accessible at EIP address *54.68.170.122*. The DNS server for VPC-Prod runs on a t2.micro instance in the VPC-Prod public subnet and is accessible at EIP address *54.149.84.152*.

h3. Installation

{noformat}
yum -y install bind
{noformat}

Configure */etc/named.conf* and the zone files */var/named/masters/commonidtrust-dev.local* and */var/named/masters/commonidtrust.org* (see the examples for VPC-Dev attached).

{noformat}
chkconfig named on
{noformat}

h3. Logging

named logs to */var/log/messages*.

h3. Start/Stop Commands

{noformat}
/etc/init.d/named start
/etc/init.d/named stop
{noformat}

h3. Open Nameserver Protection

Since the users who need to leverage the VPC DNS servers are scattered around the internet and do not access them from a well-defined IP address or CIDR block, we needed to leave the VPC DNS servers open to serve requests from anywhere. This is done by configuring:

{noformat}
allow-query { any; };
{noformat}

Furthermore, once a client is configured to use these DNS servers, it may need to resolve names held by other name servers, for example those for wisc.edu. We therefore configured:

{noformat}
recursion yes;
{noformat}

Of course, it didn't take very long for some nefarious outfit to notice this and set up a DNS amplification attack (see [https://www.us-cert.gov/ncas/alerts/TA13-088A]) ricocheting off of our open DNS server. To resolve this, we include the *rate-limit* option:

{noformat}
rate-limit {
    responses-per-second 10;
};
{noformat}

To start this version:

{noformat}
/usr/local/sbin/named -u named
{noformat}

To stop this version:

{noformat}
ps -ef | grep named
{noformat}
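As an added illustration (not part of the original page or the VPC-Dev configuration files), the following Python script audits a named.conf fragment for the combination described in this section: queries allowed from anywhere, recursion enabled for all clients, and no rate-limit block to throttle amplification responses. The two sample configurations are constructed here for the demonstration.

```python
import re

# Constructed sample named.conf fragments (not the page's own files).
# SAMPLE_OPEN is the configuration before rate limiting was added;
# SAMPLE_FIXED adds the rate-limit block from the section above.
SAMPLE_OPEN = """
options {
    directory "/var/named";
    allow-query { any; };   // serve anyone on the internet
    recursion yes;          # recurse for anyone, nothing throttles replies
};
"""

SAMPLE_FIXED = """
options {
    directory "/var/named";
    allow-query { any; };
    recursion yes;
    rate-limit {
        responses-per-second 10;
    };
};
"""


def strip_comments(text):
    """Remove the three comment forms named.conf accepts: /* */, //, and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", "", text)
    return text


def audit_named_conf(text):
    """Return a list of findings describing open-resolver exposure.

    BIND's default allow-query is 'any', so a missing allow-query counts as
    open. Recursion is treated as open when 'recursion yes' is set and no
    allow-recursion ACL (or one containing 'any') restricts it.
    """
    cfg = strip_comments(text)
    aq = re.search(r"allow-query\s*\{([^}]*)\}", cfg)
    open_query = aq is None or "any" in aq.group(1)
    recursion = re.search(r"(?<![\w-])recursion\s+yes\s*;", cfg) is not None
    ar = re.search(r"allow-recursion\s*\{([^}]*)\}", cfg)
    rec_open = recursion and (ar is None or "any" in ar.group(1))
    rrl = re.search(r"rate-limit\s*\{[^}]*responses-per-second\s+(\d+)\s*;", cfg)
    findings = []
    if open_query and rec_open:
        findings.append("open recursive resolver: allow-query any + recursion yes")
    if rec_open and rrl is None:
        findings.append("no rate-limit block: amplification responses are unthrottled")
    return findings
```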