Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
DNS CacheTM
Version: 3.1
ADMINISTRATOR GUIDE
December 5, 2013
Copyright © 2003-2013 Secure64 Software Corporation
ALL RIGHTS RESERVED
SECURE64 DNS CACHE 3.1
ii
Copyright Notices
© Copyright 2003-2013 Secure64 Software Corporation. ALL RIGHTS RESERVED.
U.S. Patents 7,509,644; 7,509,639; and 8,176,179
The information contained herein is subject to change without notice. The only warranties for Secure64 products
and services are set forth in the express warranty statements accompanying such products and services.
Nothing herein should be construed as constituting an additional warranty. Secure64 shall not be liable for technical
or editorial errors or omissions contained herein.
EFI fsck tools (fsckfat.efi and fsckffs.efi) Copyright (c) 2008-2010 Secure64 Software Corporation.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later
version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License along with this program on the documentation
CD; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
USA. For a copy of the EFI fsck source code for fsckfat.efi and fsckffs.efi, email a request to
support@secure64.com.
iii
SECURE64 DNS CACHE 3.1
Net-SNMP License
Various copyrights apply to this package, listed in various separate parts below. Please make sure that you read all
the parts.
---- Part 1: CMU/UCD copyright notice: (BSD like) -----
Copyright 1989, 1991, 1992 by Carnegie Mellon University
Derivative Work - 1996, 1998-2000
Copyright 1996, 1998-2000 The Regents of the University of California
All Rights Reserved
Permission to use, copy, modify and distribute this software and its documentation for any purpose and without
fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright
notice and this permission notice appear in supporting documentation, and that the name of CMU and The
Regents of the University of California not be used in advertising or publicity pertaining to distribution of the
software without specific written permission.
CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU OR THE REGENTS OF THE
UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM THE LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
SOFTWARE.
---- Part 2: Networks Associates Technology, Inc copyright notice (BSD) -----
Copyright (c) 2001-2003, Networks Associates Technology, Inc
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of the Networks Associates Technology, Inc nor the names of its contributors may be used to
endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS''
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
iv
---- Part 3: Cambridge Broadband Ltd. copyright notice (BSD) -----
Portions of this code are copyright (c) 2001-2003, Cambridge Broadband Ltd.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
* The name of Cambridge Broadband Ltd. may not be used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
---- Part 4: Sun Microsystems, Inc. copyright notice (BSD) -----
Copyright © 2003 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
California 95054, U.S.A. All rights reserved.
Use is subject to license terms below.
This distribution may include materials developed by third parties.
Sun, Sun Microsystems, the Sun logo and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc.
in the U.S. and other countries.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of the Sun Microsystems, Inc. nor the names of its contributors may be used to endorse or
promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
v
SECURE64 DNS CACHE 3.1
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
---- Part 5: Sparta, Inc copyright notice (BSD) -----
Copyright (c) 2003-2009, Sparta, Inc
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of Sparta, Inc nor the names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS''
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
---- Part 6: Cisco/BUPTNIC copyright notice (BSD) -----
Copyright (c) 2004, Cisco, Inc and Information Network Center of Beijing University of Posts and
Telecommunications. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of Cisco, Inc, Beijing University of Posts and Telecommunications, nor the names of their
contributors may be used to endorse or promote products derived from this software without specific prior
written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS''
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
vi
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
---- Part 7: Fabasoft R&D Software GmbH & Co KG copyright notice (BSD) -----
Copyright (c) Fabasoft R&D Software GmbH & Co KG, 2003
oss@fabasoft.com
Author: Bernhard Penz
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
* The name of Fabasoft R&D Software GmbH & Co KG or any of its subsidiaries, brand or product names may not
be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
---- Part 8: Apple Inc. copyright notice (BSD) -----
Copyright (c) 2007 Apple Inc. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of Apple Inc. ("Apple") nor the names of its contributors may be used to endorse or promote
products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
vii
SECURE64 DNS CACHE 3.1
viii
Trademarks
Secure64®, SourceT®, Secure64 DNS Authority™, and Secure64 DNS Cache™ are trademarks or registered
trademarks of Secure64 Software Corporation.
All trade names referenced herein are the service mark, trademark, or registered trademark of the respective owner.
Intel and Itanium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States
and other countries. Linux is a registered trademark of Linus Torvalds in the United States and other countries.
UNIX is a registered trademark of The Open Group. Microsoft, Windows, and Active Directory are registered
trademarks of Microsoft Corporation in the United States and/or other countries.
Reproduction, adaptation, or translation of this document without prior written permission is prohibited, except as
allowed under the copyright laws.
Corporate Address
Secure64 Software Corporation
5600 South Quebec Street, Suite 320D
Greenwood Village, CO 80111-2216
Main: (303) 242-5890
FAX: (720) 489-0694
Certifications
The SourceT micro operating system has received the IPv6 Ready Phase-2 Logo certification from the IPv6 Forum.
http://www.ipv6ready.org/phase-2_approved_list
ix
SECURE64 DNS CACHE 3.1
x
Table of Contents
About Secure64 DNS Cache ............................................................................................... 1
Overview ......................................................................................................................................... 1
Secure64 DNS Cache Application Software .................................................................................. 1
Name Server .............................................................................................................................................1
Secure Console ........................................................................................................................................1
User Accounts, Roles, and RADIUS or LDAP Support .............................................................................1
SNMP and Syslog for Monitoring and Reporting ......................................................................................2
BGP for Anycast .......................................................................................................................................2
SourceT Micro Operating System .................................................................................................. 2
Hardware ........................................................................................................................................ 2
Additional Features ......................................................................................................................... 3
What’s New in Version 3.1 .............................................................................................................4
New and Enhanced Features ...................................................................................................................4
Other Command Changes and Additions .................................................................................................4
New and Modified Configuration Attributes ...............................................................................................5
Document Conventions .................................................................................................................. 7
About this Guide ............................................................................................................................. 8
Chapter 1. Operating Environment and User Accounts ................................................... 9
About the Command-Line Interface ................................................................................................9
Using the CLI ............................................................................................................................................9
View Mode, Enabling Roles, and Exiting the System .............................................................................10
Secure Console ............................................................................................................................ 12
Accessing the CLI with SSH ...................................................................................................................12
Using the iLO MP Console ......................................................................................................................17
Additional Information About the HP Integrity iLO MP ............................................................................19
Removing and Creating Server/Client SSH Keys ...................................................................................22
Secure Copy ................................................................................................................................. 23
Incoming and Outgoing Ports ....................................................................................................... 26
Roles and User Accounts ............................................................................................................. 27
About Authorization, Accountability, and Authentication (AAA) ..............................................................27
Authorization and Roles ..........................................................................................................................27
User Account Administration ...................................................................................................................31
Authentication .........................................................................................................................................49
Accounting .................................................................................................................................... 54
User Account Examples ............................................................................................................... 55
Small Non-RADIUS or Non-LDAP Installation Scenario .........................................................................55
Large Non-RADIUS or Non-LDAP Installation Scenario .........................................................................56
RADIUS or LDAP Installation Scenario ..................................................................................................58
xi
SECURE64 DNS CACHE 3.1
xii
Filtering Requests Based on Incoming Query Type ..............................................................................173
Blacklisting Domains Using Local Zone Configuration ..........................................................................173
Specifying an Unbound Configuration File .................................................................................177
Chapter 5. Managing Secure64 DNS Cache .................................................................. 179
Overview .....................................................................................................................................179
Multiple Resolver Instances ........................................................................................................180
Caches and Size Distribution ................................................................................................................180
Independent Caches and Query Handling ............................................................................................181
Multiple Instances and Views ................................................................................................................181
Query Logging ......................................................................................................................................183
Resolver Instances, Physical Processors, and Logical Processors ......................................................183
Starting and Stopping the Name Server .....................................................................................184
Starting the Name Server .....................................................................................................................184
Stopping the Name Server ....................................................................................................................184
Reloading Configuration Changes Dynamically .........................................................................185
Using the Reload Command .................................................................................................................186
Verifying the Reload Configuration Results ..........................................................................................187
Testing the Name Server ............................................................................................................189
Checking the Server Status and Using the Dig Command ...................................................................189
Troubleshooting Response, Validation, and Caching Errors ................................................................192
Troubleshooting Startup Errors .............................................................................................................192
Caching Server Utility Commands ..............................................................................................193
Flushing the Cache ...............................................................................................................................193
Displaying Cache Information for a Domain Name ...............................................................................196
Displaying Caching Server Configuration .............................................................................................201
Saving and Loading the Cache ..................................................................................................204
Preserving the Cache on Stop and Start ..............................................................................................204
Preloading the Cache for Specific Zones ..............................................................................................206
Prefetching Expiring Entries ..................................................................................................................206
DNS Query Monitoring ...............................................................................................................207
Real Time Query Monitoring (RTQM) ...................................................................................................207
DNS Query Logging ..............................................................................................................................211
Server Activity Reporting and Statistics ......................................................................................215
Displaying Statistics at the Command Line ...........................................................................................215
Information Displayed ...........................................................................................................................219
xiii
SECURE64 DNS CACHE 3.1
xiv
Chapter 9. Enabling RADIUS or LDAP for User Authentication ................................... 331
Overview .....................................................................................................................................331
About RADIUS and Secure64 DNS Cache ................................................................................332
Defining Secure64 Vendor-Specific Attributes ...........................................................................332
RADIUS Dictionary Files .......................................................................................................................332
Assigning Login Permissions to Users ..................................................................................................333
Configuring the Secure64 DNS Cache RADIUS Client ..............................................................336
Format and Rules .................................................................................................................................336
Configuration File Attributes ..................................................................................................................337
Configuring Access to RADIUS Servers .....................................................................................338
Preparations ..........................................................................................................................................338
Encrypting the Shared Secret ...............................................................................................................339
Editing the RADIUS Configuration File .................................................................................................339
Testing RADIUS Server Settings ..........................................................................................................340
Using RADIUS Commands ........................................................................................................342
Starting and Stopping RADIUS Authentication .....................................................................................342
Viewing the Current RADIUS System State ..........................................................................................343
Viewing the RADIUS Configuration ......................................................................................................344
Managing RADIUS .....................................................................................................................345
Troubleshooting RADIUS ......................................................................................................................345
Backing Up and Restoring RADIUS Information ...................................................................................346
About LDAP Authentication and Secure64 DNS Cache .............................................................347
Defining Password Authentication on the LDAP server .............................................................347
Defining Secure64 DNS Cache Roles on the LDAP Server .......................................................349
Determining Server Groups and/or Schemas .......................................................................................349
Configuring the Secure64 DNS Cache LDAP Client ..................................................................351
Format and Rules .................................................................................................................................351
Encrypting the LDAP Bind Password ....................................................................................................351
Example Secure64 DNS Cache LDAP Configurations .........................................................................352
Server, Client, and Search Attributes ....................................................................................................354
Mapping Roles in Secure64 DNS Cache ..............................................................................................355
Editing the Secure64 DNS Cache LDAP Configuration ............................................................357
Using LDAP Commands .............................................................................................................357
Starting and Stopping LDAP Authentication .........................................................................................357
Viewing the Current LDAP System State ..............................................................................................359
Viewing the LDAP Configuration ...........................................................................................................360
Managing LDAP .........................................................................................................................362
Troubleshooting LDAP ..........................................................................................................................362
Backing Up and Restoring LDAP Information .......................................................................................363
xv
SECURE64 DNS CACHE 3.1
xvi
About Secure64 DNS Cache
This chapter provides an overview of the Secure64 DNS Cache software and platform
technologies. For additional information, visit the Secure64 web site at www.secure64.com.
Overview
Secure64 DNS Cache is a caching and validating DNS resolver that runs on the HP Integrity
server hardware platform. The software is designed for high performance, attack resistance, and
DNSSEC validation.
The user interface includes a management console connection through a serial or Ethernet port.
Configuration and administrative tasks are performed with a command-line interface (CLI) in a
vt100 terminal emulation, through a serial connection or a Secure Shell (SSH) version 2 session
over the network.
The following sections summarize each of the three main system components: the Secure64 DNS
Cache application software, the Secure64 SourceT micro operating system, and the server
hardware.
Secure Console
Configuration and administrative tasks are performed through commands at the command-line
interface (CLI), using a secure management console. Secure64 DNS Cache management console
options include an SSH2 connection and a serial console. The SSH2 connection supports public-
key authentication. In addition, the HP Integrity iLO (Integrated Lights-Out) management
processor connection is built into the HP Integrity server. It provides access to certain out-of-
band management capabilities. For more information, see Additional Information About the HP
Integrity iLO MP on page 19.
1
SECURE64 DNS CACHE 3.1
About Secure64 DNS Cache
If you prefer to use Remote Authentication Dial In User Service (RADIUS) or the Lightweight
Directory Access Protocol (LDAP) for user account management and authentication, Secure64
DNS Cache provides a configurable RADIUS client or LDAP client.
Hardware
Secure64 DNS Cache runs on the HP Integrity rx2660, rx2800 i2/i4, BL860c (blade), and
BL860c i2/i4 (blade) server platforms with the following specifications:
• 1 or 2 dual-core or 1 quad-core Intel® Itanium® processor
• 4 GB of memory minimum (additional memory may be required, depending on
configuration and desired performance)
• 36 GB, 2.5-inch SAS HDD
2
About Secure64 DNS Cache
Additional Features
In addition to performance, interoperability, and security features, Secure64 DNS Cache provides
the following features and benefits:
• Automatically starts DNS upon system reboot
• Uses a streamlined DNS configuration file format that’s easy to manage and deploy
• Supports UDP and TCP query/response
• Delivers high query throughput
• Provides real-time query monitoring features
• Offers NXDOMAIN redirection and blacklisting capabilities
• Provides a Capacity Expansion Module (CEM) with multiple resolver instances for higher
performance
Secure64 DNS Cache includes support for all or a portion of the following DNS RFCs:
• General DNS: RFCs 1034, 1035
• Localhost: RFC 1918
• Clarifications: RFC 2181
• Negative Caching: RFC 2308EDNS(0): RFC 2671
• Resolver support for DNSSEC: RFC 3225
• DNSSEC: RFCs 4033, 4034, 4035
• TLSA and DANE: RFC 6698
• DNS Resiliency: RFC 5452
3
SECURE64 DNS CACHE 3.1
About Secure64 DNS Cache
4
About Secure64 DNS Cache
5
SECURE64 DNS CACHE 3.1
About Secure64 DNS Cache
6
About Secure64 DNS Cache
Document Conventions
The typographical conventions for identifying information in this document are shown in
Table 1.
7
SECURE64 DNS CACHE 3.1
About Secure64 DNS Cache
8
Chapter 1. Operating Environment and User
Accounts
This chapter describes the Secure64 DNS Cache operating environment, user accounts, and roles.
After reviewing the information in this chapter, proceed to Chapter 2. Getting Started to perform
the initial configuration steps.
9
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
Use command history scrolling or Use the up- and down-arrow keys to scroll through the command
command line completion history. Command line completion is not currently available.
Use wildcards in commands with file and If the file or directory specified includes path information, the wildcard
directory names (*,?) must be defined in the last part of the path.
For example, ls zones/*.dat is valid and
ls zone*/files.dat is not valid.
Use double quotes (" ") to cause the system to interpret the file or
Use spaces and/or special characters in directory name literally. Use a slash (/) without quotes to escape the
commands with file and directory names next character.
For example, "abc def" is interpreted as a file or directory named
’abc def’ and / abc is interpreted as a file or directory named
’ abc’.
Configurable timeout based on seconds of inactivity. By default, SSH
is limited to five simultaneous connections. If five simultaneous SSH
Log in via SSH console or serial console connections exist, additional attempts to open more connections are
disregarded and the client system may not respond. You can modify
this limit when configuring the console.
10
Chapter 1. Operating Environment and User Accounts
• Whenever you log in to Secure64 DNS Cache with your user account, you are
automatically in the view mode, as indicated by the view prompt shown below:
[view@Secure64DNS]>
• To access the commands that correspond to a role assigned to your user account, you
can:
— Execute a corresponding enable <role> command at the view mode prompt., and
enter the commands within the enabled role
— Enter role-specific commands from view mode or any role you are authorized for
using the role command syntax:
[<role>][/<directory_path>] <command>
where:
<role> is the Secure64 role corresponding to the command (required except for
view mode commands or commands corresponding to the currently enabled role)
<directory path> is the an optional location which, if present, is the directory
pathname that the command executes under
<command> is the Secure64 DNS Cache command to execute, including any
arguments or parameters
11
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
• Or use the role command syntax, which allows you to execute privileged mode
commands for your authorized roles without explicitly enabling the role:
[view@Secure64DNS]> bgpadmin stop bgp
If you want to change to a different role to execute commands directly from the role, first exit
to view mode and then execute the enable command for the different role. (Your user account
must be assigned to the role you want to enable.)
Example:
[bgpadmin@Secure64DNS]# exit
[view@Secure64DNS]> enable sysadmin
[sysadmin@Secure64DNS]#
• If you attempt to enable a role that is not assigned to your user account, Secure64 DNS
Cache denies access and you remain in view mode.
• To exit Secure64 DNS Cache, type exit or quit at the view mode prompt and press
ENTER.
• For a complete description of view mode commands and commands available in each
privileged role, see Appendix A. Command Reference on page 421.
Secure Console
Secure64 DNS Cache offers two options for console access to the machine and the system’s
command-line interface:
• SSH via a configured Ethernet port (usually eth0)
• Terminal emulation, SSH, or web via the HP Integrity iLO MP console interface
The console screen performs best at a display of 80 characters wide by 24 lines in length.
Note To log into Secure64 DNS Cache, you need a user account. The system ships with a default user
account called Installer, which you can use to get started creating the necessary user accounts. For
additional information, see Roles and User Accounts on page 27.
12
Chapter 1. Operating Environment and User Accounts
Note For RADIUS and LDAP servers, Secure64 DNS Cache uses password-based authentication.
• You can execute any Secure64 DNS Cache command from an SSH command line,
provided you are an authorized user for the role associated with the command.
• Executing the enable <role> command from an SSH command line does not enable the
role or change the privileged role status for the next SSH command.
To access the Secure64 DNS Cache command-line interface with SSH (non-RADIUS
and non-LDAP):
1. Access the Secure64 DNS Cache name server via a secure shell (SSH) session:
— For Linux/UNIX administrative machines, enter the following command:
ssh [-P <port>] [<user>]@<host>
where:
-P <port> is the optional incoming SSH port (if different than port 22, see Adding and
Removing Console Interfaces on page 281 for details about changing the default port)
<user> is the Secure64 DNS Cache user account
<host> is the Secure 64 DNS Cache server IPv4 address, [IPv6 address] in square
brackets, or hostname
Note If you are using X11 forwarding or agent forwarding, add the –x (to disable X11 forwarding) and/or
–a (to disable agent forwarding) flags to the ssh command.
— For Windows administrative machines, use an SSH application such as PuTTY (see
OpenSSH at www.openSSH.org/windows.html.)
Enter the IP address for the Secure64 DNS Cache name server in the appropriate box
in the SSH application.
2. If prompted for a password or pass phrase, enter the appropriate password or pass phrase
for the user account.
3. The system displays the view mode command prompt:
[view@Secure64DNS]>
13
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
Note For additional security, the system defaults to ending SSH sessions after five (5) minutes of inactivity
and allowing a maximum of five (5) SSH logins per IP address. If five simultaneous SSH connections
exist, additional attempts to open more connections are disregarded and the client system may not
respond.
You can modify or disable the timeout as described in Changing the Console Timeout on page 283.
You can override the simultaneous connections limit as described in Adding and Removing Console
Interfaces on page 281. You can restrict console connections as described in Restricting Console
Connections on page 242.
To execute Secure64 DNS server commands from the SSH command line:
1. Use the following syntax from an SSH shell prompt:
— For Linux/UNIX administrative machines:
ssh [<user>]@<host> [<role>][/<directory_path>] <command>
where:
<user> is the Secure64 DNS Cache user account
<host> is the Secure 64 DNS Cache server IPv4 address, [IPv6 address] in
square brackets, or hostname
<role> is the Secure64 role corresponding to the command (required except
for view role commands)
<directory path> is the an optional location which, if present, is the
directory pathname that the command executes under
<command> is the Secure64 DNS Cache command to execute, including any
arguments or parameters
Note The syntax is intended to provide the same functionality as the UNIX system command
su -<user> (cd<directory path> ;<command>)
— For Windows administrative machines, use the format above with an SSH
command-line application such as Plink (see they PuTTY link on OpenSSH at
www.openSSH.org/windows.html.):
2. If prompted, enter your Secure64 DNS Cache password.
14
Chapter 1. Operating Environment and User Accounts
Note You may or may not be prompted for a password, depending on how you have configured authentication.
For more information, see Authentication on page 49.
3. Assuming you are authorized to execute the command, the command is executed and any
related output displays on the SSH command line.
Note Commands are executed just as they are at the Secure64 DNS server command line. For example, if you
execute a sysadmin command that requires the activate and save commands to change the system
configuration, be sure to execute them at the SSH command line.
Examples:
admin1@server:~$ ssh user@192.168.127.1 show bgp info
user@192.168.127.1's password:
Copyright (c) 2003-2013 Secure64 Software Corp.
All Rights Reserved
Authorized access only
No information available.
bgp is not running
15
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
16
Chapter 1. Operating Environment and User Accounts
Note Refer to the next section for important security information about the iLO MP interface.
For details about configuring the console through either the iLO MP Serial Console port or the
iLO MP LAN port, refer to Connecting and Logging into the iLO Console on page 61. Once the
connection is configured, refer to the following instructions for login procedures.
To log into Secure64 DNS Cache via the iLO MP Console:
1. If the physical connection is to the Serial Console (iLO MP):
— Using a vt100 serial terminal program, with port settings of 9600, 8N1 (8 databits, no
parity, 1 stop bit), no flow control, connect to the HP Integrity server.
If the physical connection is to the iLO MP LAN:
— Connect to the HP Integrity server via SSH or a web browser.
2. If you are using a command line interface (serial terminal or SSH) the MP Login prompt
displays:
— For the iLO 2 (rx2660, BL860c) enter Admin for the user and enter Admin for the
password.
For the iLO 3 (rx2800 i2/i4, BL860c i2/i4) enter Administrator for the user and the
randomly generated password found on the iLO Network Information Tag on the
server.
Note This is the default password if you have not yet changed it. See the HP Integrity server documentation for
password management details.
17
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
Note (This is the default password if you have not yet changed it. See the HP Integrity server
documentation for password management details.)
3. At the login prompt, log into Secure64 DNS Cache with a Secure64 DNS Cache user
account. (If you do not have a user account, refer to User Account Administration on
page 31.)
4. Enter your Secure64 DNS Cache password.
5. The view mode prompt displays:
[view@Secure64DNS]>
Note For additional security, the system ends serial terminal and SSH connections after five (5) minutes of
inactivity. You can modify or disable the timeout as described in Changing the Console Timeout on
page 283.
18
Chapter 1. Operating Environment and User Accounts
! WARNING The iLO MP console provides access to the system’s EFI (Extensible Firmware Interface) shell.
From the shell, an administrator can modify the system configuration, including the boot procedure,
firmware, security (Trusted Platform Module state), and configuration options. Do not modify the
configuration. A modified configuration can cause a boot failure of the Secure64 DNS Cache
server.
Note HP offers an Advanced Pack iLO license for the iLO 2 MP and includes it automatically with the iLO 3 MP.
The Advanced Pack enables additional functionality for directory-based authorization and authentication,
such as LDAP and LDAP-lite integration, and access to the integrated remote console.
LDAP integration allows you to define Integrity iLO users and roles centrally in a company directory. Note
that it does not provide LDAP integration with the Secure64 DNS Cache server itself. For LDAP support
with the Secure64 DNS Cache server, see Chapter 9. Enabling RADIUS or LDAP for User Authentication
on page 331.
19
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
Security Considerations
The HP iLO management processor (MP) incorporates many security features, including
encrypted communication with SSL and SSH, as well as management of user accounts with
authorization and authentication. Nevertheless, you must take certain precautions or you risk
exposing the server to very serious attack scenarios.
Note Integrity iLO users and user privileges are defined only for the Integrity iLO management subsystem.
They do not carry over to the Secure64 DNS Cache server.
20
Chapter 1. Operating Environment and User Accounts
Note LDAP integration allows you to define Integrity iLO users and roles centrally in a company directory. Note
that it does not provide LDAP integration with the Secure64 DNS Cache server itself. For LDAP support
with the Secure64 DNS Cache server, see Chapter 9. Enabling RADIUS or LDAP for User Authentication
on page 331.
Note If multiple administrators are logged in to the iLO interface, all of them can view the virtual serial console
simultaneously. This can be very useful to train new administrators at remote locations on how to use the
Secure64 DNS Cache server commands. However, any administrator with serial console access can
take write privilege to the console at any time. Do not leave a console session unattended or you may
find someone else logged in to your account, even from a remote location.
! WARNING The iLO virtual serial console emulates serial hardware; it is not an actual serial connection. Do not
use the standard CTRL/S and CTRL/Q commands to control data flow when connected to the
Secure64 DNS Cache server through the iLO virtual serial console.
21
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
Recommended Resources
HP publishes documents and white papers on its web site at www.hp.com. The following are
recommended to better understand the iLO interface, its integration with LDAP and Active
Directory, and various other security considerations.
• HP Integrity iLO 2 MP Operations Guide
http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c01936251/
c01936251.pdf
• HP Integrity iLO 3 MP Operations Guide
http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c02111169-6.pdf
• HP Integrated Lights-Out Security; technology brief
• Configuring HP Integrated Lights-Out with Microsoft Active Directory
• HP Directory Services Schema Information Booklet
To remove the Secure64 DNS Cache server’s SSH keys and create new SSH keys:
1. Log into Secure64 DNS Cache with a user account assigned to the securityadmin role.
2. At the view prompt, type enable securityadmin and press ENTER to enable
securityadmin mode.
3. At the securityadmin prompt, type remove sshkeys and press ENTER.
4. To determine whether the DNS server is running, type show cachedns status and
press ENTER.
If DNS is running, login as a user assigned to the cachednsadmin role, enable
cachednsadmin, and issue the stop cachedns command to stop the DNS server.
5. To determine whether BGP is running, type show bgp status and press ENTER.
If BGP is running, login as a user assigned to the bgpadmin role, enable bgpadmin, and
issue the stop bgp command to stop the BGP service.
6. To determine whether SNMP is running, type show snmp status and press ENTER.
If SNMP is running, login as a user assigned to the snmpadmin role, enable
snmpadmin, and issue the stop snmp command to stop the SNMP service.
7. Enable the securityadmin role or the sysadmin role, type reboot, and press ENTER.
Respond yes to the reboot prompt.
8. The server restarts and automatically generates new SSH keys.
22
Chapter 1. Operating Environment and User Accounts
9. Start DNS, BGP, and/or SNMP as necessary by enabling the cachednsadmin role and
entering start cachedns (for DNS), enabling the bgpadmin role and entering start bgp
(for BGP), and/or enabling the snmpadmin role and entering start snmp.
Example:
[view@Secure64]> enable securityadmin
[securityadmin@Secure64]# exit
[cachednsadmin@Secure64]# exit
[securityadmin@Secure64]# reboot
Secure Copy
Administrators need to copy files to and from the Secure64 DNS Cache server. Examples of files
to copy to the system include ASCII zone files and DNS configuration files. Files to copy from
the system include BGP or DNS configuration files for editing and backup.
23
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
Note The remote client system must use the scp protocol for file transfers. Other file transfer protocols, such
as SFTP, are not supported.
To use the scp command to copy a file from a remote system to Secure64 DNS Cache:
• Type the following at the remote system, and press ENTER:
scp [-r] [-P <port>] <file> <user>@<host>:/<role>/[destination]
where:
-r is the optional recursive copy flag
-P <port> is the optional incoming SSH port (if different than port 22, see Adding and
Removing Console Interfaces on page 281 for details about changing the default port)
<file> is the path and file name of the source file
<user> is the Secure64 DNS Cache user account
<host> is the Secure 64 DNS Cache server IPv4 address, [IPv6 address] in square
brackets, or hostname
<role>is the Secure64 mode the user is acting in (cachednsadmin, sysadmin,
bgpadmin, loginadmin, securityadmin, snmpadmin, upgrade, or backup)
[destination] is the optional destination path and file name within the Secure64 role
Note If you are copying an SSH public key, refer to Using SSH Keys for User Authentication on page 50 for
special instructions.
To use the scp command to copy a file from the Secure64 DNS Cache to a remote
system:
• Type the following at the remote system:
scp [-r] [-P <port>] <user>@<host>:/<role>/<file> <destination>
where:
-r is the optional recursive copy flag
-P <port> is the optional destination port
<user> is the Secure64 DNS Cache user account
<host> is the Secure64 DNS Cache server IPv4 address, [IPv6 address] in square
brackets, or hostname
<role>is the Secure64 mode the user is acting in (cachednsadmin, sysadmin,
bgpadmin, loginadmin, securityadmin, snmpadmin, upgrade, or backup)
24
Chapter 1. Operating Environment and User Accounts
Note Secure64 DNS Cache supports wildcard * option with the scp command.
25
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
Destination
Incoming (Remote)
Service (Secure64) Port System Port Security Measures
UDP or TCP port 53 UDP or TCP port Built-in security and configurable defense and
DNS
(default) 53 mitigation rules
26
Chapter 1. Operating Environment and User Accounts
Note A user account can be assigned to any number or roles and to both creator and administrator roles. Your
organization should determine role distribution as appropriate for your security and administration
environment. Your organization should also take measures to ensure only authorized users have access
to the Installer role/account.
27
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
Installer Role
Secure64 DNS Cache ships with a special Installer role, which is a predefined Installer user
account.
• The Installer role is not accessible through SSH. You must connect to the Secure64
DNS Cache name server’s iLO MP to log in with the Installer account. For details, see
Using the iLO MP Console on page 17.
• When you first log in to Secure64 DNS Cache, you use the Installer account to create
initial user accounts and assign them to creator roles. Creator roles are used to create
the administrator accounts that control various components of the system.
• In addition to creating the initial user accounts, the Installer role provides a means to
disable and reset all user accounts in the event of a security breach or other user
account issue. The Installer account establishes the password required to execute the
reset command.
• Your organization should take measures to ensure only authorized users have access to
the Installer account.
• When one user account is assigned to each of the creator roles, Secure64 DNS Cache
automatically disables the Installer role.
Creator Roles
Creator roles assign administrator roles to user accounts. Creator roles can also create and
remove user accounts. Each creator role has the authority to assign specific administrator
role(s). Creator roles include:
• syscreate (assigns the sysadmin, upgrade, and backup roles to user accounts)
• cachednscreate (assigns the cachednsadmin role to user accounts)
• bgpcreate (assigns the bgpadmin role to user accounts)
• logincreate (assigns the loginadmin role to user accounts)
• securitycreate (assigns the securityadmin role to user accounts)
• snmpcreate (assigns the snmpadmin role to user accounts)
In addition to assigning administrator roles, creator accounts can assign their own creator
role(s) to a user account. For example, if you are logged in as a user account with the syscreate
role, you can create user Mary and assign her to the syscreate role.
Administrator Roles
Administrator roles operate and administer different functions of the Secure64 DNS Cache
server, such as system administration and DNS administration. Administrator roles include:
• sysadmin (system administration tasks and commands)
• cachednsadmin (caching DNS server administration tasks and commands)
• upgrade (system upgrade tasks and commands)
28
Chapter 1. Operating Environment and User Accounts
Note If you configure the RADIUS or LDAP client in Secure64 DNS, you manage users and roles through your
authentication server. However, you must create certain users in Secure64 DNS Cache to install the
software, configure networking, and configure RADIUS or LDAP. See About User Account Administration
with RADIUS or LDAP on page 31 for more information.
29
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
The Installer account is available at installation and when one or more creator roles are not
assigned. Creator roles assign users to the administrative roles that configure and operate
different components of the system.
For a summary about the roles in Secure64 DNS Cache, refer to Table 4.
30
Chapter 1. Operating Environment and User Accounts
bgpadmin Administrator Performs BGP administration tasks (optional; assign if will implement BGP).
loginadmin Administrator Performs user account, login, and authentication administration tasks.
securityadmin Administrator Performs system SSH key administration tasks.
snmpadmin Administrator Performs SNMP administration tasks.
Note When each creator account has one user assigned to it, the Installer account is disabled. If any of the
creator accounts are not assigned to a user, the Installer account remains enabled and becomes a
security risk. Even if you are not implementing BGP, RADIUS, LDAP, and/or SNMP you should assign
users to the bgpcreate, logincreate, and snmpcreate roles in addition to all other create roles.
• The syscreate role creates a user account (or uses an existing account) and assigns it to the
sysadmin role to configure networking for Secure64 DNS
• The logincreate role creates a user account (or uses an existing account) and assigns it to
the loginadmin role to configure the Secure64 DNS RADIUS or LDAP client
• All other user accounts are created and managed on the RADIUS or LDAP server
• If the RADIUS/LDAP server is unavailable, the local Secure64 DNS user accounts are
enabled
For detailed procedures, see Chapter 9. Enabling RADIUS or LDAP for User Authentication on
page 331.
31
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
Note When each creator account has one user assigned to it, the Installer account is disabled. If any of the
creator accounts are not assigned, the Installer account remains and becomes a security risk. Even if
you are not implementing BGP, RADIUS, LDAP, and/ or SNMP, you should assign users to the
bgpcreate, logincreate, and snmpcreate roles, in addition to all other create roles.
• The syscreate role creates user accounts and assigns them to the sysadmin, backup, and
upgrade roles
• The cachednscreate role creates user accounts and assigns them to cachednsadmin role
• The bgpcreate role creates user accounts and assigns them to the bgpadmin role
• The securitycreate role creates user accounts and assigns them to the securityadmin role
• The snmpcreate role creates user accounts and assigns them to the snmpadmin role
General rules for user account administration with Secure64 DNS Cache include:
• A create mode is enabled by typing enable <role> at the default view mode prompt,
where role is syscreate, cachednscreate, bgpcreate, logincreate, securitycreate,
or snmpcreate
• User accounts can be associated with any number or roles and both creator and
administrator roles
• A creator account can administer only those user accounts that belong to the role
controlled by the creator account; for example, the cachednscreate account can assign
and remove users to/from the cachednsadmin and cachednscreate accounts only
• User accounts require a password or public key for SSH2 access (for more information,
see Secure Console on page 1)
Table 5 summarizes the user administration commands in Secure64 DNS Cache. The sections
that follow provide instructions for specific user administration tasks. For initial set up of user
accounts, refer to Logging Into Secure64 DNS Cache and Creating Users on page 69.
32
Chapter 1. Operating Environment and User Accounts
Note If you configure the RADIUS or LDAP client, the commands below do not apply to users or roles
managed by the RADIUS or LDAP server.
Command Description
adduser <username> -a <days> [options] Adds the username to the list of valid user accounts for Secure64
DNS Cache.
The username must consist of 3-32 characters, start with an alpha
character, and contain alphanumeric characters (after the first
character).
-a <days> for account aging (required) defines the number of days of
inactivity before disabling the account. Configurable to 0 to disable
feature (weakens security), or between 20-90 days.
Available options are:
[-r realname] Displays in the show users command results, with up
to 64 alphanumeric characters and 10 words
[-p password_age] System defaults to 60 days before requiring users
to change password. Configurable to 0 to disable feature (weakens
security), or between 20-90 days.
[-c lockout_count] System defaults to lock out a user account after
greater than 3 failed logins, for the number of minutes defined by the
-t lockout-time. Configurable to 0 to disable feature (weakens
security), or between 3-5 attempts.
[-i lockout_interval] System defaults to 60 minutes before resetting
the lockout counter. Configurable to 0 to disable feature (weakens
security), or between 15-60 minutes.
[-t lockout_time] If the user account has been locked out, system
defaults to lock out the account for 60 minutes. Configurable to 0 to
require the loginadmin to reset locked out user, or between 15-60
minutes.
[-h history] System defaults to preventing the user from re-using the
last 5 passwords for the user account. Configurable to 0 to disable
feature (weakens security), or between 0-5 passwords.
deluser <username> Removes a user account from Secure64 DNS Cache. Before issuing
this command, you must use the usermod command to remove any
roles assigned to the user account.
Invoking this command for a user that is not associated with any
roles removes the user account and all associated data, including
SSH keys.
reset Disables all user accounts and enables the predefined Installer
account. Prompts for the reset password. FOR EMERGENCY USE
ONLY. For more information about the reset password, refer to
Logging Into Secure64 DNS Cache and Creating Users on page 69.
passwd [username] Sets or changes the password for the specified user account.
Passwords must be a minimum of 8 characters and include at least 3
alphabetic characters and at least 1 non-alphabetic character.
33
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
passwd reset Changes the reset command password. Prompts for the current
reset password.
show users [<username>] Without the <username> parameter, lists system users, one per line,
in the format of:
<username> : [real name]: <enabled|disabled>
To see details about a specific user account, add the <username>
parameter.
show roles Lists system roles, one per line, in the format of:
<role name> : [<user name1>, <user name2> [, ...]]
userdisable <username> Disables the specified user account.
userenable <username> Re-enables the specified user account after the reset command or
the userdisable <username> command is executed.
usermod +r <role name> <username> Adds (+r) or removes (-r) the username to/from the role name.
The issuer of the command must be a member of the corresponding
usermod -r <role name> <username>
create role to assign or remove the role.
34
Chapter 1. Operating Environment and User Accounts
Note For a list of user account scenarios, see User Account Examples on page 55.
Note For initial set up of user accounts, including the syscreate, cachednscreate, bgpcreate, logincreate,
securitycreate, and snmpcreate accounts, refer to Logging Into Secure64 DNS Cache and Creating
Users on page 69.
2. Type enable <role> and press ENTER, where <role> is syscreate, cachednscreate,
bgpcreate, logincreate, securitycreate, or snmpcreate.
3. At the create prompt, type the following command and press ENTER, where
<username> is the user account name, <days> is the number of days of inactivity before
disabling account (between 20-90 days or 0 to disable, which weakens security), and
[options] are user and password management options:
adduser <username> -a <days> [options]
The required account aging parameter (-a <days>) and [options] can appear in any order after the
username. If you omit the account aging parameter, an error message displays stating that account aging
must be explicitly set when adding a user.
35
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
[-i lockout_interval] System defaults to 60 minutes before resetting the lockout counter.
Configurable to 0 to disable feature (weakens security), or between 15-60 minutes.
[-t lockout_time] If the user account has been locked out, system defaults to lock out the
account for 60 minutes. Configurable to 0 to require the loginadmin to reset locked out
user, or between 15-60 minutes.
[-h history] System defaults to preventing the user from re-using the last 5 passwords for
the user account. Configurable to 0 to disable feature (weakens security), or between 0-
5 passwords.
! WARNING Disabling user account and password security options is not recommended. For best practices
information about user account and password management, refer to NIST SP 800-118 Guide to
Enterprise Password Management at http://csrc.nist.gov/publications/PubsSPs.html and the
Center for Strategic and International Studies Twenty Critical Controls for Effective Cyber
Defense: Consensus Audit Guidelines at
http://csis.org/files/publication/Twenty_Critical_Controls_for_Effective_Cyber_Defense_CAG.pdf
4. Type passwd <username> and press ENTER, where <username> is the name of the
user account you created in the previous step.
Note Passwords must be a minimum of 8 characters and include at least 3 alphabetic characters
and at least 1 non-alphabetic character. Passwords are not recoverable. If you lose a password,
you must delete the user account and create a new user account. If you enable RADIUS or LDAP, the
local password and user account information is referenced only if all configured RADIUS or LDAP
servers are unavailable or authentication is disabled.
Note The owner of the user account can modify the password after logging into Secure64 DNS Cache. The
account owner must provide the current password upon log in and when modifying the password. The
account owner must also supply the password when installing an SSH2 public key for Secure64 DNS
Cache.
36
Chapter 1. Operating Environment and User Accounts
Example:
[view@Secure64DNS]> enable syscreate
6. To verify the information about the user account, type show users <username> and
press ENTER.
Example:
[create@Secure64DNS]# show users joe
Current time: Wed Feb 3 13:07:57 2010
User: joe
Real name: Joseph Doe
User is enabled
SSH password authentication: Yes
Account expires after 20 days of no activity (plus 3 days grace period)
Account inactive for less than 1 day
Password expires after 20 days of no change
Last password change: Wed Feb 3 13:07:43 2010
Password history: 5
Lockout after more than 3 failed logins for 60 minutes
Current failed logins counter: 0
Failed logins counter reset every 60 minutes, or after successful login
Last activity: Wed Feb 3 13:05:54 2010 created by admin
37
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
7. If any of the information is incorrect, you can use the deluser <username> command
to remove the account (if you have not yet assigned roles to the account) and use the
adduser <username> -a <days> [<options>] command to re-add the account.
Alternatively, the loginadmin user can modify account and password management
settings. For more information, see Modifying User Account and Password Management
Configuration on page 46.
8. Proceed to the next section to assign a role to the user account.
Note When each creator account has one user assigned to it, the Installer account is disabled. You can
enter the show roles command to display the roles assigned to each local (non-RADIUS or non-
LDAP) user account.
Example:
[view@Secure64DNS]> enable syscreate
[create@Secure64DNS]# usermod +r syscreate Joe
Added Joe to syscreate
Note For redundancy, assigning a minimum of two users to each creator role is recommended.
38
Chapter 1. Operating Environment and User Accounts
Note If you want to implement RADIUS or LDAP, you need to set up networking and configure the Secure64
DNS Cache RADIUS or LDAP client. To configure networking, a syscreate user account must assign a
user to the sysadmin role. For RADIUS or LDAP configuration, a logincreate user account must assign a
user to the loginadmin role. Refer to Logging Into Secure64 DNS Cache and Creating Users on page 69
for more information. After RADIUS or LDAP is configured, you can manage all other users and roles
through the RADIUS or LDAP server.
Optional administrator roles include bgpadmin and snmpadmin. If you want to implement BGP,
then a bgpcreate user account must assign a user to the BGP administrator role (bgpadmin). If
you want to implement SNMP, then an snmpcreate user account must assign a user to the SNMP
administrator role (snmpadmin).
Note If you have multiple creator roles assigned to your user account, you do not need to exit and enable each
role separately to assign administrator roles. For example, if your user account is assigned to the
bgpcreate and syscreate roles, you can enable bgpcreate and assign bgpadmin, sysadmin, backup, and
upgrade roles to users without logging out and enabling the syscreate role.
39
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
Example:
[view@Secure64DNS]> enable syscreate
[create@Secure64DNS]# usermod +r sysadmin Bill
Added Bill to sysadmin
Example:
[view@Secure64DNS]> enable cachednscreate
40
Chapter 1. Operating Environment and User Accounts
Example:
[view@Secure64DNS]> enable securitycreate
Example:
[view@Secure64DNS]> enable bgpcreate
Example:
[view@Secure64DNS]> enable snmpcreate
41
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
Note User administration commands apply only to the user information stored locally in Secure64 DNS
Cache. If you have configured RADIUS or LDAP, use your RADIUS/LDAP server to manage user
information stored on the server.
Example:
[create@Secure64DNS]# show users
Installer : Installer : disabled
Mary : : enabled
Jim : : enabled
Jane : Jane Doe : enabled
Bill : William Smith : enabled
42
Chapter 1. Operating Environment and User Accounts
Example:
[create@Secure64DNS]# show users joe
Current time: Wed Feb 3 13:07:57 2010
User: joe
Real name: Joseph Doe
User is enabled
SSH password authentication: Yes
Account expires after 20 days of no activity (plus 3 days grace period)
Account inactive for less than 1 day
Password expires after 20 days of no change
Last password change: Wed Feb 3 13:07:43 2010
Password history: 5
Lockout after more than 3 failed logins for 60 minutes
Current failed logins counter: 0
Failed logins counter reset every 60 minutes, or after successful login
Last activity: Wed Feb 3 13:05:54 2010 created by admin
43
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
Note Commands to remove roles from a user account apply only to the user information stored locally in
Secure64 DNS Cache. If you have configured RADIUS or LDAP, use your RADIUS or LDAP server to
manage user and role information configured on the server.
where <role> is the role to remove and <username> is the Secure64 DNS Cache user
account.
Example:
[view@Secure64DNS]> enable syscreate
[create@Secure64DNS]# usermod -r sysadmin Bill
Removed Bill from sysadmin
Note Commands to delete user accounts apply only to the user information stored locally in Secure64 DNS
Cache. If you have configured RADIUS or LDAP, use your RADIUS or LDAP server to manage user
and role information stored on the server.
Before you can remove a user account, you must remove all currently assigned roles from the
user account.
44
Chapter 1. Operating Environment and User Accounts
Example:
[create@Secure64DNS]# deluser Bill
User Bill removed successfully
45
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
! WARNING Disabling user account and password security options is not recommended. For best practices
information about user account and password management, refer to NIST SP 800-118 Guide to
Enterprise Password Management at http://csrc.nist.gov/publications/PubsSPs.html and the
Center for Strategic and International Studies Twenty Critical Controls for Effective Cyber
Defense: Consensus Audit Guidelines at
http://csis.org/files/publication/Twenty_Critical_Controls_for_Effective_Cyber_Defense_CAG.pdf
To manage account and password security for existing user accounts, the loginadmin role
includes the commands described in :
Command Description
No system default, must be set when user is added.to
define the number of days of inactivity before disabling
user <username> age account <0, 20-90> account. Configurable to 0 to disable feature (weakens
security), or between 20-90 days. A three-day grace
period is applied before disabling the account.
System defaults to 60 days before requiring users to
user <username> age passwd <0, 20-90> change password. Configurable to 0 to disable feature
(weakens security), or between 20-90 days.
System defaults to lock out a user account after greater
than 3 failed logins, for the number of minutes defined
user <username> lockout count <0, 3-5>
by the lockout time. Configurable to 0 to disable feature
(weakens security), or between 3-5 attempts.
System defaults to 60 minutes before resetting the
user <username> lockout interval <0, 15-60> lockout counter. Configurable to 0 to disable feature
(weakens security), or between 15-60 minutes.
If the user account has been locked out, system
defaults to lock out the account for 60 minutes.
user <username> lockout time <0, 15-60>
Configurable to 0 to require the loginadmin to reset
locked out user, or between 15-60 minutes.
System defaults to preventing the user from re-using the
last 5 passwords for the user account. Configurable to 0
user <username> history <0-5>
to disable feature (weakens security), or between 0-5
passwords.
Generates a random temporary password. After logging
in with a temporary password, the user must change it,
and the temporary password becomes invalid. The
user <username> randompass
random password is not included in the password
history. The following characters will not be used: “ ‘ , . [
] { } ( ) | and spaces, backspaces, or deletes.
user <username> <enable|disable> Enable or disable the user account.
46
Chapter 1. Operating Environment and User Accounts
Note Commands to reset all user accounts apply only to the user information stored locally in Secure64 DNS
Cache. If you have configured RADIUS or LDAP, use your RADIUS or LDAP server to manage user and
role information configured on the server.
In an emergency situation, such as an internal security breach or if the only user assigned to a
creator role leaves the organization, a creator role can disable all user accounts. To do so, you
must enable a creator role, issue the reset command, and enter the correct reset password.
The reset command password is initially established by the Installer account when Secure64 DNS
Cache is installed.
Note If your system was preinstalled or if you want to change the reset password for other reasons, you can do
so with the passwd reset command. The command is available to creator accounts and requires you to
provide the current reset password. Be sure to store the new password in a secure location available to
authorized personnel only.
After issuing the reset command and entering the correct password, you can delete or re-enable
user accounts. Note that you must re-enable your own user account.
Note Be certain to enable your own user account so that it is available after you exit Secure64 DNS Cache. If
you neglect to do so and you exit the system, use the Installer account to regain access.
47
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
Example:
[view@Secure64DNS]> enable syscreate
[create@Secure64DNS]# reset
Enter reset password: **********
48
Chapter 1. Operating Environment and User Accounts
Authentication
Authentication is handled at the initiation of the login session by SSH or the code handling the
serial console. For SSH sessions, authentication is performed with a user account and password
OR a user account and an SSH key. For the serial console, Secure64 DNS Cache requires a user
account and password.
Note The following sections apply only to the user information stored locally in Secure64 DNS Cache. If you
have configured RADIUS or LDAP for user authentication, use your RADIUS or LDAP server to manage
user authentication. For more information, see Chapter 9. Enabling RADIUS or LDAP for User
Authentication on page 331.
Note If you use the PuTTY Key Generator, do not use the “Save Public Key” button to save the public key
information. Instead, select the Conversions menu and select Export OpenSSH key. Then select the
“Save Private Key” button.
49
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
Note The SSH key information applies only to the user information stored locally in Secure64 DNS Cache. If
you have configured RADIUS or LDAP for user authentication, use your LDAP server to manage user
authentication. For more information, see Chapter 9. Enabling RADIUS or LDAP for User
Authentication on page 331.
To add an SSH public key to your Secure64 DNS Cache log in:
1. A creator account must create a user account for you to log into Secure64 DNS Cache.
The creator account must also assign your account an initial password and role(s). If
you do not have a user account, refer to User Account Administration on page 31.
2. At the client machine you plan to use for Secure64 DNS Cache, generate a public/
private key pair. See Creating SSH Keys for User Authentication on page 49 for more
information.
3. At the client machine, type the following and press ENTER:
scp [-P <port>] <keyfilename> <user>@<Secure64_host>:/ssh/add
where:
-P <port> is the optional incoming SSH port (if different than port 22, see Adding and
Removing Console Interfaces on page 281 for information about changing the default port)
<keyfilename> is the name of the file containing the public key,
<user> is your Secure64 DNS Cache user account
<Secure64_host> is the Secure64 DNS Cache server IPv4 address, [IPv6 address] in
square brackets, or hostname
4. When prompted, enter the Secure64 DNS Cache password for your account.
5. Log into your Secure64 DNS Cache user account. If you used a pass phrase when you
created your key pair, a prompt displays for you to enter the pass phrase.
50
Chapter 1. Operating Environment and User Accounts
To remove an SSH public key from your Secure64 DNS Cache log in:
• At the client machine, type the following and press ENTER:
scp [-P <port>] <keyfilename> <user>@<Secure64_host>:/ssh/delete
where:
-P <port> is the optional incoming SSH port (if different than port 22, see Adding and
Removing Console Interfaces on page 281 for information about changing the default port)
<keyfilename> is the name of the file containing the public key
<user> is your Secure64 DNS Cache user account
<Secure64_host> is the Secure64 DNS Cache server IPv4 address, [IPv6 address] in
square brackets, or hostname
Note The password information applies only to the user information stored locally in Secure64 DNS Cache. If
you have configured RADIUS or LDAP for user authentication, use your RADIUS or LDAP server to
manage user passwords. For more information, see Chapter 9. Enabling RADIUS or LDAP for User
Authentication on page 331.
When a creator account establishes a user account, the creator account must also assign a
password for the account holder to use upon logging into Secure64 DNS Cache. After the first
login using this initial password, new user accounts can change their passwords using the passwd
command.
For additional security, the Secure64 server stores passwords using a scheme based on the SHA-
256 hash algorithm.
Note Passwords must be a minimum of 8 characters and include at least 3 alphabetic characters and
at least 1 non-alphabetic character. Passwords are not recoverable. If you lose a password, you must
delete the user account and create a new user account. See User Account Administration on page 31 for
more information.
Passwords can be changed only once per 24 hours. If required, you can request a temporary password
from a login administrator as described in Modifying User Account and Password Management
Configuration on page 46.
1. Log into your Secure64 DNS Cache account, type your current password when
prompted, and press ENTER.
51
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
Example:
[view@Secure64DNS]> passwd
Changing password for tester.
Enter OLD password:
! WARNING If you disable SSH password authentication, the user must have SSH keys in place for
authentication in order to access the Secure64 DNS Cache server through SSH.
Example:
[loginadmin@Secure64]# sshpwdauth
SSH password authentication status:
jkj: Enabled.
fred: Disabled.
Ben: Enabled.
52
Chapter 1. Operating Environment and User Accounts
! WARNING The sshpwdauth off command disables SSH password authentication for all user accounts.
The users will not be able to access the Secure64 DNS Cache server through SSH unless they
have configured SSH keys for authentication. For more information, see Using SSH Keys for User
Authentication on page 50.
Example:
[loginadmin@Secure64]# sshpwdauth on
Enabled SSH password authentication for all
53
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
Accounting
Secure64 DNS Cache logs user account activity and user administration activity to syslog.
Actions that are logged include:
• Login with an invalid user name
• Login to a user account without a password
• Login of a disabled user
• Login with an invalid password
• Successful login
• Role assignment/authorization
• Addition of a new user account
• Deletion of a user account
• Attempted password changes
• RADIUS or LDAP activity, if the Secure64 DNS Cache RADIUS or LDAP client is
configured
54
Chapter 1. Operating Environment and User Accounts
Note When the syscreate, bgpcreate, cachednscreate, logincreate, securitycreate, and snmpcreate roles all
have at least one user account assigned to them, Secure64 DNS Cache automatically disables the
Installer account.
Note Although Joe enabled the syscreate role, he can assign cachednsadmin, bgpadmin, and snmpadmin
roles without logging out and enabling each create role separately (because he is authorized for the
cachednscreate, bgpcreate, and snmpcreate roles).
55
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
The following summary shows the distribution of roles for this example:
syscreate X X
bgpcreate X X
cachednscreate X X
logincreate X X
securitycreate X X
snmpcreate X
sysadmin X X
upgrade X
backup X
cachednsadmin X X
bgpadmin X X
securityadmin X
snmpadmin X
56
Chapter 1. Operating Environment and User Accounts
Note Although Joe enabled the bgpcreate role, he can assign the backup role without logging out and enabling
the syscreate role separately (because he is authorized for the syscreate role).
syscreate X X
bgpcreate X X
cachednscreate X X
logincreate X
securitycreate X
snmpcreate X
sysadmin X X
upgrade X
backup X
cachednsadmin X X
bgpadmin X X
securityadmin X
snmpadmin X
57
SECURE64 DNS CACHE 3.1
Chapter 1. Operating Environment and User Accounts
Note When the syscreate, cachednscreate, bgpcreate, logincreate, securitycreate, and snmpcreate roles all
have at least one user account assigned to them, Secure64 DNS Cache automatically disables the
Installer account.
syscreate X
bgpcreate X
cachednscreate X
logincreate X
securitycreate X
snmpcreate X
sysadmin X X
loginadmin X
Joe or Mary can configure networking for the Secure64 DNS Cache server. Mary can configure
and enable the RADIUS or LDAP client on the Secure64 DNS Cache server, and then she can
use the RADIUS or LDAP server to create user accounts, establish passwords, and assign
Secure64 DNS Cache roles to user accounts.
58
Chapter 2. Getting Started
The following sections provide detailed instructions for initial configuration. Alternatively, you
can refer to the printed Quick Start Guide included with your software or available online on the
Secure64 Support Portal.
Note If the Secure64 DNS Cache software is not pre-installed, refer to the printed Installation Guide included
with your software or available online on the Secure64 Support Portal. Complete the installation
instructions prior to configuring interfaces and routing.
Note The eth0 interface is preconfigured with IP address 192.168.64.1. As part of the system configuration
process, you will modify the IP address and netmask for your operations.
59
SECURE64 DNS CACHE 3.1
Chapter 2. Getting Started
Note The Secure64 DNS Cache server supports a total of 256 configured IP addresses. You can configure
each physical interface with multiple IP addresses and define VLAN IDs, up to a total allocation of 256
IP addresses for the server. In addition, you can use the same IP address for multiple services,
including the console, the DNS server, BGP, SNMP, and other services. Both IPv4 and IPv6 addresses
are supported.
Next Steps
Refer to the following sections, based on the type of installation process:
• If the software was pre-installed, proceed to Connecting and Logging into the iLO Console on
page 61.
• If you just completed installing the Secure64 DNS Cache software onsite, skip this
section and proceed to Logging Into Secure64 DNS Cache and Creating Users on page 69.
60
Chapter 2. Getting Started
Connecting and Logging into the iLO 2 MP Console (HP rx2660 Server)
To initially configure the Ethernet interface(s) for Secure64 DNS Cache and enable management
of the server hardware, you can connect to the HP rx2660 iLO 2 MP Serial Console port (local)
or the iLO 2 MP LAN port (local or remote). Both ports connect to the server’s iLO 2 MP on the
system board and provide console access. If AC power is present, the iLO 2 MP is active, even if
the power switch is off. (For information about using the iLO 2 after initial set up, see Using the
iLO MP Console on page 17 and Additional Information About the HP Integrity iLO MP on page 19.)
Figure 3. Secure64 DNS Cache connections (HP Integrity rx2660 server, rear)
61
SECURE64 DNS CACHE 3.1
Chapter 2. Getting Started
62
Chapter 2. Getting Started
Note If you prefer to use DHCP/DNS to configure the IP address, see the HP rx2660 User Service Guide for
details).
63
SECURE64 DNS CACHE 3.1
Chapter 2. Getting Started
Note To protect passwords and other private information, you should disable telnet access after initial
configuration is complete. See Disabling Telnet Access on page 77 for details.
2. Enter Admin for the user and enter Admin for the password. (This is the default
password if you have not yet changed it. See the HP Integrity rx2660 documentation
for secure console password management details.)
3. If you used SSH or telnet, at the MP Main Menu type CO and press ENTER to select
Console. If you are using a web browser, select the Remote Console tab and the
Launch button.
4. The Secure64 DNS Cache login prompt displays.
5. Proceed to Logging Into Secure64 DNS Cache and Creating Users on page 69 for
information and instructions about logging in and creating users.
64
Chapter 2. Getting Started
Connecting and Logging into the iLO 3 MP Console (HP rx2800 Server)
To initially configure the Ethernet interface(s) for Secure64 DNS Cache and enable management
of the server hardware, you can connect to the HP rx2800 i2/i4 iLO 3 MP Serial Console port
(local) or the iLO 3 MP LAN port (local or remote). Both ports connect to the server’s iLO 3 MP
on the system board and provide console access. If AC power is present, the iLO 3 MP is active,
even if the power switch is off. (For information about using the iLO after initial set up, see Using
the iLO MP Console on page 17 and Additional Information About the HP Integrity iLO MP on
page 19.)
Figure 4. Secure64 DNS Cache connections (HP Integrity rx2800 server, rear)
65
SECURE64 DNS CACHE 3.1
Chapter 2. Getting Started
If you have not already done so, you must assign an IP address to access the iLO 3 MP through
the iLO 3 MP LAN. See the HP rx2800 Installation Guide for details.
66
Chapter 2. Getting Started
Connecting and Logging into the iLO MP Console (HP Integrity Blade)
To initially configure the Ethernet interface(s) for Secure64 DNS Cache and enable management
of the HP Integrity blade hardware, the server uses the iLO MP. If AC power is present, the iLO
MP is active, even if the power switch is off. (For information about using the iLO after initial set
up, see Using the iLO MP Console on page 17 and Additional Information About the HP Integrity iLO
MP on page 19.)
To access the server blade iLO MP, use the Onboard Administrator iLO (OA/iLO) port on the
rear of the enclosure or the RS-232 port on the serial, USB, video (SUV) cable. The method to
use depends on how your server blade enclosure is set up:
• If the OA iLO port on the enclosure is connected to the local network that has a DHCP
server, your iLO MP IP address is automatically generated by the DHCP server.
• If the enclosure is not connected to a network, you must configure the server through the
serial port on the SUV cable.
For detailed information about the iLO 2 MP (BL860c blade), refer to the HP Integrity BL860c
Server Blade User Service Guide, Chapter 3, in the section “Accessing the Integrated Lights Out 2
Management Processor,” available online at http://h20000.www2.hp.com/bc/docs/support/
SupportManual/c01157868/c01157868.pdf
For detailed information about the iLO 3 MP (BL860c i2/i4 blade), refer to the HP Integrity iLO 3
Operations Guide, Chapter 3, in the section “Getting Connected to iLO 3.” This guide is available
online at http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c02111169-6.pdf.
Figure 5. Secure64 DNS Cache connections (HP Integrity BL860c blade server, front)
Figure 6. Secure64 DNS Cache connections (HP Integrity BL860c i2/i4 blade server, front)
67
SECURE64 DNS CACHE 3.1
Chapter 2. Getting Started
Figure 7. Secure64 DNS Cache connections (HP BladeSystem c3000 Enclosure, rear)
Note To protect passwords and other private information, you should disable telnet access after initial
configuration is complete. See Disabling Telnet Access on page 77 for details.
2. Enter Admin for the user and enter Admin for the password. (This is the default
password if you have not yet changed it. See the HP Integrity server documentation for
secure console password management details.)
3. If you used SSH or telnet, at the MP Main Menu type CO and press ENTER to select
Console. If you are using a web browser, select the Remote Console tab and the
Launch button.
4. The Secure64 DNS Cache login prompt displays.
5. Proceed to the next section for information and instructions about logging in and
creating users.
68
Chapter 2. Getting Started
To connect to the iLO 3 MP LAN (BL860c i2/i4) using the assigned IP address:
1. After you have configured the iLO 3 MP connection, use SSH or a web browser to
connect to the iLO 3 MP from a host on the local subnet.
2. At the login prompt, enter Administrator for the user and enter the randomly generated
password found on the iLO Network Information Tag on the right side of the monarch
blade. (This is the default password. See the HP documentation for console password
details.)
3. If you used SSH or a serial terminal, at the MP Main Menu type CO and press ENTER to
select Console. If you are using a web browser, select the Remote Console tab and the
Launch button.
4. The Secure64 DNS Cache login prompt displays.
5. Proceed to the next section for information and instructions about logging in and
creating users.
Note The Installer creates user accounts and assigns them to the syscreate, cachednscreate, bgpcreate,
logincreate, securitycreate, and snmpcreate roles only. The syscreate, cachednscreate, bgpcreate,
logincreate, securitycreate, and snmpcreate user accounts create and assign user accounts to their
respective administrative roles as needed for your Secure64 DNS Cache implementation.
69
SECURE64 DNS CACHE 3.1
Chapter 2. Getting Started
Use the worksheet below to define the local user accounts to create and the roles to assign.
Required Required
without with Account that
RADIUS or RADIUS or assigns the
Role LDAP LDAP role User account(s) to create and assign
! WARNING In an emergency situation, such as an internal security breach, a creator role can disable all user
accounts. To do so, you must issue the reset command and enter the correct reset password.
70
Chapter 2. Getting Started
Note Be sure to store the reset password in a secure location, such as a sealed envelope in a safe that is
accessible to authorized personnel only. Passwords are not recoverable from the system. For more
information about the reset command, see Resetting All User Accounts on page 47.
Note The username must consist of 3-32 characters, start with an alpha character, and contain alphanumeric
characters (after the first character). User accounts are case sensitive. The realname is optional. It can
contain up to 64 characters and 10 words.
8. Type passwd <username> and press ENTER to create a password for the new user
account.
[create@Secure64DNS]# passwd Joe
Changing password for Joe.
Enter NEW password:
Confirm NEW password:
User Joe password changed.
71
SECURE64 DNS CACHE 3.1
Chapter 2. Getting Started
Note You must create a password so that the new user account can log in to Secure64 DNS Cache. Users
can then create SSH keys, or they can log in and change their passwords using the passwd
command, according to your organization’s security policies. See Authentication on page 49 for more
information.
9. Type the following to add the user account to the appropriate create role and press
ENTER, where <role> is syscreate, cachednscreate, bgpcreate, logincreate,
securitycreate, or snmpcreate and <username> is the user account:
[create@Secure64DNS]# usermod +r <role> <username>
10. Repeat steps 6 through 8 as needed to assign one user to each of the syscreate,
cachednscreate, bgpcreate, logincreate, securitycreate, and snmpcreate roles. (You can
assign the same user or different users to the creator roles.)
Note When each creator account has one user assigned to it, the Installer account is disabled. Even if your
organization does not plan to use a feature such as BGP or LDAP authentication, an account should
be assigned to each of the create roles. Otherwise, the default Installer account remains available and
poses a security risk.
11. When account creation and role assignment for the creator roles is complete, type exit
and press ENTER to return to the view mode prompt.
12. At the view mode prompt, type exit and press ENTER to return to the user log in
prompt.
13. The user accounts assigned to the create roles should now login to create and assign
accounts to creator and administrator roles. For detailed instructions, refer to Creating
User Accounts on page 35, Assigning Creator Roles on page 38, and Assigning Administrator
Roles on page 39.
72
Chapter 2. Getting Started
5. Enter the command below to configure eth0 as a management console on your server:
ifconfig <interface> <ipv4 address> <ipv4 netmask>
or
ifconfig <interface> <ipv6 address>/<ipv6 prefix length>
Note You can configure each physical interface with multiple IP addresses and define VLAN IDs, up to a total
allocation of 256 IP addresses for the server. In addition, you can use the same IP address for multiple
services, including the console, the DNS server, BGP, SNMP, and other services. Both IPv4 and IPv6
addresses are supported. For more information about the ifconfig command and configuring multiple IP
addresses per interface, see Adding and Removing IP Addresses for Interfaces on page 276.
Note Ethernet bonding for failover is also supported. For details, see Configuring Ethernet Bonding on
page 284.
73
SECURE64 DNS CACHE 3.1
Chapter 2. Getting Started
Examples:
Configure the first IPv4 address of an interface (no VLAN):
ifconfig eth0 192.168.12.14 255.255.255.0
6. Enter the command below to set the interface as the management console:
console [-P <port>] [-S <sessionmax>] <interface>
Example:
[sysadmin@Secure64DNS]# no ifconfig eth0 192.168.64.1
Pending configuration changed
[sysadmin@Secure64DNS]# activate
stopping interface eth0
Running configuration changed
74
Chapter 2. Getting Started
[sysadmin@Secure64DNS]# activate
stopping interface eth0, address 192.168.64.1
starting interface eth0:1.1, address 192.168.12.14
[sysadmin@Secure64DNS]# save
running configuration successfully saved
Note If you need to modify the console IP address after initial configuration, see Changing the IP Address of a
Console Interface on page 282.
Example:
[sysadmin@Secure64DNS]# route default 10.0.0.1
Pending configuration changed
Note You can configure routing for Secure64 DNS Cache to locate other resources, such as your syslog
server(s). For detailed information about routing configuration, see Configuring the Default Gateway and
Other Routes on page 252.
75
SECURE64 DNS CACHE 3.1
Chapter 2. Getting Started
Note The Secure64 DNS Cache server also supports default route using an IPv6 link local address. For
details, see Adding an IPv6 Link Local Default Gateway on page 254.
For information about configuring inbound routing, see Configuring In-Bound Traffic Routing Style on
page 255.
Example:
[sysadmin@Secure64DNS]# route net 192.168.255.0 255.255.255.0
10.1.2.3
Pending configuration changed
Example:
[sysadmin@Secure64DNS]# ping eth0:1.1 192.168.95.95
ping to 192.168.95.95 on interface eth0:1.1
ping successful
76
Chapter 2. Getting Started
4. If the ping command is not successful, enter show config and verify network settings
and routing information. Also check cable connections and try pinging a different
external machine. If necessary, use the no ifconfig command to remove an incorrect
configuration and the ifconfig command to correct the configuration.
77
SECURE64 DNS CACHE 3.1
Chapter 2. Getting Started
Note Ethernet bonding for failover support is also supported. For details, see Configuring Ethernet Bonding
on page 284.
2. Repeat the ifconfig command for each additional interface you want to configure.
Secure64 DNS Cache supports a total allocation of 256 IP addresses on the server.
3. To initiate the configuration settings, type activate and press ENTER.
4. To save the new configuration, type save and press ENTER.
5. To verify the interface is functioning, enter the ping or ping6 command for an
external IP address or hostname from the management port (for ping6, you can use
the optional [datasize] to define the number of octets to send, from 1-1500):
ping <interface> <external_ipv4|hostname>
or
ping6 <interface> [datasize] <external_ipv6|hostname>
78
Chapter 2. Getting Started
Example:
[sysadmin@Secure64DNS]# ping eth0:1.1 192.168.95.95
ping to 192.168.95.95 on interface eth0:1.1
ping successful
6. If the ping command is not successful, enter show config and verify network settings
and routing information. Also check cable connections and try pinging a different
external machine. If necessary, use the no ifconfig command to remove an incorrect
configuration and the ifconfig command to correct the configuration.
Note The provided rules are a recommended minimum that may or may not apply to your system needs. After
initial configuration and testing are complete, refer to Defending Against DNS DDoS Attacks on page 224
for details about refining the attack mitigation rules according to your specific system needs and
architecture. For additional console security, also refer to Restricting Console Connections on page 242.
where <interface> is the console interface in the form of ethX, ethX.I, ethX:V.I,
or bondX, bondX.I and
X= the number of the physical interface
V= the VLAN ID
I= the address identifier
2. Repeat the previous command for each console interface.
3. To initiate the configuration settings, type activate and press ENTER.
4. To save the new configuration, type save and press ENTER.
79
SECURE64 DNS CACHE 3.1
Chapter 2. Getting Started
Note The provided console rule limits the number of established TCP connections on port 22 (SSH logins)
to 8 per minute.
To attach the provided UDP and TCP rules to your DNS interface(s):
1. At the sysadmin prompt, type the following command:
attach <interface> UDPQUERYLIM TCPXFERLIM
where <interface> is the DNS interface in the form of ethX, ethX.I, ethX:V.I,
or bondX, bondX.I and
X= the number of the physical interface
V= the VLAN ID
I= the address identifier
2. Repeat the previous command for each DNS interface.
3. To initiate the configuration settings, type activate and press ENTER.
4. To save the new configuration, type save and press ENTER.
Note The provided UDP and TCP rules limit UDP queries incoming on port 53 to 92,160 per second
(90x1024) and TCP packets incoming on port 53 to 10,240 per second (10x1024).
80
Chapter 2. Getting Started
Note Secure64 DNS Cache supports up to four syslog servers. Configuring at least one syslog server
is strongly recommended. Certain actionable error messages that may not be available at the
command line are sent to syslog.
Note The bgpadmin and loginadmin roles do not have access to interface and system configuration
commands; the sysadmin role must configure the interface(s) and IP addresses.
81
SECURE64 DNS CACHE 3.1
Chapter 2. Getting Started
Configure RAIDUS or LDAP authentication Chapter 9. Enabling RADIUS or LDAP for User
(optional). Authentication on page 331
Chapter 8. Enabling BGP for Anycast on
Configure BGP (optional).
page 303
82
Chapter 2. Getting Started
State Description
pending The modified configuration that has not been saved.
If you have not issued the activate command, use the discard command to
remove pending modifications.
running The configuration that is currently running, which may be different than the
saved configuration.
If you modify configuration settings, issue the activate command to make the
changes the new running configuration. Use the revert command to reverse
the activated changes and return to the saved configuration state.
saved The configuration saved in the configuration file that is read on startup.
Issue the save command for a running configuration file to overwrite the
existing saved configuration.
After issuing the save command, you cannot return to the previous
configuration.
83
SECURE64 DNS CACHE 3.1
Chapter 2. Getting Started
Note For system configuration changes to be saved and in effect upon rebooting the machine, the sysadmin
mode must issue the activate and save commands. For RADIUS or LDAP configuration
changes to be saved and in effect upon rebooting the machine, the loginadmin mode must issue the
activate and save commands.This does not apply to DNS configuration file cache.conf
changes, BGP configuration file bgp.conf changes, or SNMP configuration file snmpd.conf
changes.
84
Chapter 2. Getting Started
Note If the console session times out before you activate a pending configuration, the system returns to the
Saved Configuration. In addition, if multiple user accounts have enabled the sysadmin role and are
modifying the system configuration, one of the user accounts may be instructed to use the discard
command. Doing so ensures that the user account is working with the most current configuration.
You can view information about the physical hardware network interfaces by typing the following
command:
• show interfaces
85
SECURE64 DNS CACHE 3.1
Chapter 2. Getting Started
Example:
[view@Secure64DNS]> show interfaces
Interfaces:
For a complete description of the interface information that displays, see Displaying Physical
Interfaces on page 378.
86
Chapter 2. Getting Started
Note Rebooting the Secure64 DNS Cache server should be performed at the Secure64 DNS Cache command
line.
87
SECURE64 DNS CACHE 3.1
Chapter 2. Getting Started
5. If BGP is also running log into a Secure64 DNS Cache user account assigned to the
bgpadmin role, enter enable bgpadmin, enter stop bgp, and enter exit twice.
6. If SNMP is also running, log into a Secure64 DNS Cache user account assigned to the
snmpadmin role, enter enable snmpadmin, enter stop snmp, and enter exit twice.
7. To power off the server, log into a Secure64 DNS Cache user account assigned to the
sysadmin role, enter enable sysadmin, and enter halt.
8. A prompt appears on-screen allowing you to confirm (Y) or cancel (N).
[sysadmin@Secure64DNS]# halt
are you sure? (y/n)
Note To enhance security for DNS data and configuration files, other operational modes cannot perform
directory-related functions such as removing directories, creating directories, or viewing directory
contents.
88
Chapter 2. Getting Started
Command Description
cat <file> Display the contents of the specified file. Note that the
system displays as much as is allowed by the screen buffer.
cd [directory] Change to the specified directory. If a directory is not
specified, change to the top-level directory.
cp [-r] <source> <destination> Copy one or more files and/or directories. If more than one
source is defined, destination must be a directory. Use -r to
copy the entire directory tree starting with source to the
destination directory.
ls [-R] [directory|file] Display the contents of the current directory (if no directory is
defined) or the specified directory or file. Wildcards are
permitted and multiple files/directories can be defined.
Include the -R argument to include descendent directories.
edit <file> Load the specified file in the Secure64 text editor.
mkdir [-p] <directory> Create the specified directory, for example:
mkdir data. Include -p to create subdirectories, for
example: mkdir -p data/zones/example
mv <from > <to> Move or rename the from filename to the to filename, within
the same directory or different directories.
rm [<file>|-r <directory>] Delete the specified file or directory. Wildcards are permitted
and multiple files/directories can be specified. If specifying a
directory, the -r argument is required to remove all
descendent directories and files.
rmdir <directory> Remove the specified directory. The directory must be
empty.
touch <file> Change the modification time of the specified file to the
current time. If the specified file does not exist, it is created.
89
SECURE64 DNS CACHE 3.1
Chapter 2. Getting Started
90
Chapter 3. Configuring Secure64 DNS Cache
Overview
The configuration file cache.conf defines the DNS server’s caching and resolver options. DNS-
related configuration tasks require you to login to cachednsadmin mode. For more information
about operational logins, see Roles and User Accounts on page 19.
Configuration attributes allow you to control basic server operations, cache sizes, local zone
information, and hardening for security.
Note For more advanced configuration information, such as configuring DNSSEC, forward zones to forward
queries to a different resolving DNS server, and stub zones to obtain authoritative answers to queries
without resolver processing, see Chapter 4. Advanced Configuration Topics on page 127.
91
SECURE64 DNS CACHE 3.1
Chapter 3. Configuring Secure64 DNS Cache
8 Configure and monitor DNS query activity (optional). DNS Query Logging on page 211
Configure and monitor caching server performance, Server Activity Reporting and Statistics
9
security, and activity statistics (optional). on page 215
92
Chapter 3. Configuring Secure64 DNS Cache
Note Secure64 DNS Cache does not support all of the configuration attributes in the Unbound server. For
more information, see Appendix C: Unbound Configuration Differences on page 479.
! WARNING You must list the server: clause, stub-zone: clause, merge-zone: clause,
forward-zone: clause, and all related attributes before any view: clauses and attributes.
• Options within each clause are defined with attributes and values. Some attributes contain
additional attributes. The notation is attribute: value
• There must be whitespace after the colon that ends a clause or attribute and is followed
by an option or value.
93
SECURE64 DNS CACHE 3.1
Chapter 3. Configuring Secure64 DNS Cache
• Quotation marks are optional for value strings, unless otherwise noted. Note that if the
string includes spaces, quotation marks are required.
• Comments start with # and continue to the end of the line.
• Empty lines and whitespace at the beginning of a line are ignored.
• Both IPv4 and IPv6 addresses are supported.
• If an attribute is listed multiple times and multiple attributes are not supported for that
item, the last value specified is used.
• Files can be included using the include: attribute. The attribute can appear anywhere.
It takes a single filename as an argument, and you can nest include files 10 deep.
Processing occurs as if the text from the included file is present at the point the
attribute appears. For details, see Specifying an Include File on page 124.
• To view the contents of the example configuration file included with Secure64 DNS
Cache, refer to Appendix D: Example Configuration File on page 483.
To securely copy the configuration file to another system for editing outside of
Secure64 DNS Cache:
• The syntax is:
scp [-P <port>] <user>@<host>:/cachednsadmin/<file> <destination>/
cache.conf
where:
-P <port> is the optional destination port
<user> is a Secure64 DNS Cache user account assigned to the cachednsadmin role
94
Chapter 3. Configuring Secure64 DNS Cache
<host> is the Secure64 DNS Cache server IPv4 address, [IPv6 address] in square
brackets, or hostname
<file> is the sample s64_example.conf (new systems) or the cache.conf file
(existing systems)
<destination> is the location to copy the file to
After editing the file outside of Secure64 DNS Cache, securely copy the cache.conf file to
the Secure64 DNS Cache server:
• Type the following at a client machine, and press ENTER:
scp [-P <port>] cache.conf <user>@<host>:/cachednsadmin/
where:
-P <port> is the optional incoming SSH port (if different than port 22, see Adding and
Removing Console Interfaces on page 251 for details about changing the default port)
<user> is a Secure64 DNS Cache user account assigned to the cachednsadmin role
<host> is the Secure 64 DNS Cache server IPv4 address, [IPv6 address] in square
brackets, or hostname
To edit the cache.conf file using the basic text editor included in Secure64 DNS Cache
(designed for small editing tasks):
1. Login as a user assigned to the cachednsadmin role.
2. At the view prompt, type enable cachednsadmin and press ENTER.
3. Type edit cache.conf and press ENTER.
4. The editor screen displays 24 lines of the file contents at one time, and it supports 80
characters per line. Use the arrow keys and control commands to navigate the file
contents. The keyboard control commands for the editor are listed at the top of the editor
screen.
95
SECURE64 DNS CACHE 3.1
Chapter 3. Configuring Secure64 DNS Cache
Note Many attributes use default values if they are not defined. However, for ease of reference, it is strongly
recommended that your cache.conf configuration file reflect the default values, which are
included in the example file installed on the Secure64 DNS Cache server.
In addition, ensure that the following attributes are configured correctly for your system and
DNS operations:
• interface:
The IPv4 or IPv6 address(es) to answer queries from.
• outgoing-interface:
The IPv4 or IPv6 address(es) to send queries to authoritative servers and receive their
replies.
• access-control:
The clients that can make recursive queries to this server. The default is to refuse all
except the local host. This attribute allows you to whitelist/blacklist IP addresses that
can use the server for recursive queries.
These attributes are critical to define the clients that can access the server and receive DNS
responses. Refer to Table 15 for a complete description of each attribute.
Attribute: Value
Example(s) Description
auto-start: <no|yes> Set to yes for the Secure64 DNS Cache server to automatically
auto-start: no start when the system is rebooted. If problems occur during
autostart, see Troubleshooting Startup Errors on page 192.
If not defined, the default is no.
auto-bgp: <no|yes> Ensures that BGP is enabled only when the DNSserver is
auto-bgp: no running. When set to yes, causes BGP to automatically start
when the DNS server starts and automatically stop BGP when
the DNS server stops.If not defined, the default is no.
Note: Do not use the autostart parameter in bgp.conf
when auto-bgp is yes.
96
Chapter 3. Configuring Secure64 DNS Cache
Attribute: Value
Example(s) Description
interface: <ip_address> Specify the set of IPv4 and IPv6 addresses to listen for queries
interface: 192.0.2.153 from clients and provide answers back to clients.
interface: 2001:DB8::5 At least one address must must be specified, and the addresses
must already be configured with the ifconfig command in the
sysadmin role.
Specify 0.0.0.0 to listen on all configured IPv4 addresses, and
specify ::0 to listen on all available IPv6 addresses.
Specify one or more IP addresses on a separate interface: lines.
port: <number> Use for testing purposes to answer DNS queries on the
port: 53 specified port.
If not defined, the default is 53 (the standard DNS port).
outgoing-interface: <ip_address> Specify the source IP address(es) used to send outgoing
outgoing-interface: 192.0.2.153 queries to authoritative servers. In general, the Secure64 DNS
outgoing-interface: 2001:DB8::5 server selects the outgoing interface to use based on the route
to the destination server. You should ensure that default routing
and IP addresses are configured such that the Secure64 DNS
Cache server can reach the necessary authoritative servers.
If you define multiple outgoing-interface: attributes,
and multiple interfaces are routable to the destination server,
the Secure64 DNS Cache server randomizes the interface
selection for security purposes.
If only one outgoing-interface: is configured, it is used
as the source address regardless of routing. For example, if
destination servers are on the Internet but the default route is
not routable to the Internet, define one outgoing interface.
If no outgoing interfaces are defined, the Secure64 DNS Cache
server selects and randomizes all of the system-configured IP
addresses that match the routing to the destination server.
access-control: <ip netblock> Define the clients that can make recursive queries to this server.
<allow|deny|refuse> The default is to refuse all except the local host.
access-control: 192.168.1.0/24 allow The <ip netblock> is an IP4 or IP6 address with
access-control: 127.0.0.0/8 allow /size appended for a classless network block.
access-control: ::ffff:127.0.0.1 allow Options for the action to take:
access-control: 0.0.0.0/0 refuse
access-control: ::0/0 refuse allow: The server gives access to clients from the defined
netblock. It gives access only to recursion clients--
nonrecursive queries are refused.
deny: The server drops messages from the defined clients
with no response.
refuse: The server drops messages from the defined clients
and responds with a DNS rcode REFUSED error message.
do-ip4: <no|yes> Enable or disable whether IPv4 queries are answered or issued.
do-ip4: yes If not defined, the default is yes.
97
SECURE64 DNS CACHE 3.1
Chapter 3. Configuring Secure64 DNS Cache
Attribute: Value
Example(s) Description
do-ip6: <no|yes> Enable or disable whether IPv6 queries are answered or issued.
do-ip6: yes If disabled, queries are not answered on IPv6, and queries are
not sent on IPv6 to the Internet nameservers.
If no IPv6 interfaces are configured on the system, setting do-
ip6 to “no” can improve performance.
If not defined, the default is yes.
do-tcp: <no|yes> Enable or disable whether inbound TCP queries are accepted.
do-tcp: yes If not defined, the default is yes.
incoming-num-tcp: <number> Define the number of incoming simultaneous TCP buffers. If set
incoming-num-tcp: 10 to 0, or if do_tcp is "no", no TCP queries from clients are
accepted
If not defined, the default is 10.
edns-buffer-size: <bytes> Number of bytes to advertise as the EDNS reassembly buffer
edns-buffer-size: 4096 size. This value is placed in datagrams over UDP to peers.
If fragmentation reassembly problems occur, usually seen as
timeouts, a value of 1480 may help. Setting to 512 bypasses
even the most stringent path MTU problems, but is seen as
extreme, since the amount of TCP fallback generated is
excessive. (For more information about IP fragmentation
settings, see Configuring IP Fragmentation Resource Limits on
page 226.)
Minimum is 512 and the maximum is 65535. If not defined, the
default is 4096.
root-hints: <filename> Define a root hints file for the resolver. The file has the format of
root-hints: root.hints DNS zone files, with root name server names and addresses.
Because the built-in default may become outdated when
servers change, it is good practice to define and use a root hints
file. You can obtain a current file at
ftp://FTP.INTERNIC.NET/domain/named.cache
Use scp to copy the current root hints file to the Secure64 DNS
Cache server. For more information about the scp command,
see Secure Copy on page 15.
Note: If your network is not connected to the Internet, you must
define a root hints file and replace the NS and A records with
NS and A records of the authoritative DNS servers for the root
of your private TCP/IP network.
If root hints is not defined, the server defaults to built-in root
hints for the IN class. If you define a custom root hints file,
ensure that it includes IPv4 and/or IPv6 address type(s) that
correspond to your defined outgoing interfaces. If it does not,
the server uses the default root hints.
To define different root hint files, such as for internal and
external queries, use views. For more information, see Defining
Views on page 163.
98
Chapter 3. Configuring Secure64 DNS Cache
Attribute: Value
Example(s) Description
minimal-responses: <yes|no> Define which sections to return in DNS responses. If no, return
minimal-responses: no the Answer, Authority, and Additional sections. If yes, respond
with the Answer section only, unless the query specified
DNSSEC or the answer is an NXDOMAIN response with an
associated SOA in the Authority section.
Setting the attribute to yes can speed up performance.
If not defined, the server defaults to no and includes the Answer,
Authority, and Additional sections in DNS responses.
rrset-roundrobin: <yes|no> Define whether to rotate the order of RRs within RRsets in DNS
rrset-roundrobin: no responses. If no, the order is not rotated. If yes, the order is
rotated (the random number source is the query ID).
If not defined, the default is no.
99
SECURE64 DNS CACHE 3.1
Chapter 3. Configuring Secure64 DNS Cache
The following is an example of the server: clause portion of the cache.conf configuration
file using the basic configuration attributes.
Note These attributes provide basic functionality for the server. Additional attributes control other features
such as security, performance, local zones and data, forward zones, stub zones, merge zones, and
views as discussed in following sections and chapter. To view the contents of the example
configuration file included with Secure64 DNS Cache, refer to Appendix D: Example Configuration File
on page 483.
Example:
# This is a comment.
server:
#auto-start caching server on reboot
auto-start: yes
#Other Options
do-ip4: yes
do-ip6: yes
do-tcp: yes
incoming-num-tcp: 10
edns-buffer-size: 4096
100
Chapter 3. Configuring Secure64 DNS Cache
Note To view the entire contents of the example configuration file included with Secure64 DNS Cache, refer to
Appendix D: Example Configuration File on page 483.
Note Latency for cached data is extremely fast and does not reflect a caching server’s recursive lookup
capability.
• Throughput is defined as the number of queries the server can process per second.
Throughput varies based on network bandwidth, the number of incoming queries
configured for the server’s incoming interfaces, memory, and the availability of the answer
(cache hit or cache miss).
Note Performance information for other, non-performance related attributes are included in their respective
descriptions.
101
SECURE64 DNS CACHE 3.1
Chapter 3. Configuring Secure64 DNS Cache
Attribute: Value
Example(s) Description
num-recursive-clients: <number> Define the number of recursive client queries per listening
num-recursive-clients: 768 interface for incoming DNS queries. The number applies to
UDP client requests and controls the total number of queries
that can be answered at one time for each interface (defined
by the interface: attribute). The number must be
between 10 and 32767.
This attribute allows you to scale resource use based on the
level of expected queries.
If not defined, the default is 768 per logical interface.
incoming-query-timeout: <seconds> Define the number of seconds to allow for resolution of
incoming-query-timeout: 30 incoming client queries. If the query is not resolved in this
time, the query is dropped to avoid bottlenecks at the query
front end; however, the server still attempts to obtain an
answer and cache the result.
(Note: In addition to the timeout, Secure64 DNS Cache limits
the total number of resolver query traversals to other servers
to 30. If this number is exceeded, the Secure64 DNS Cache
server sends the original querier a SERVFAIL response.)
If incoming-query-timeout is not defined, the default
value is 30 seconds. The minimum value is 1 and the
maximum value is 30.
outgoing-query-timeout: <milliseconds> Define the number of milliseconds to wait to receive a
outgoing-query-timeout: 400 response to an outgoing query during name resolution. If the
queried server does not respond within this time, Secure64
DNS Cache queries the next authoritative name server. The
timeout value should provide enough time to receive a
response in most cases, but not so large as to affect
performance. For example, a caching server that normally
receives responses very quickly can set the timeout to a
lower number than the default.
If none of the authoritative servers respond, Secure64 DNS
Cache adds the outgoing-query-increment value
(described below) to the original timeout and attempts the
query again. If no answer is received after multiple attempts,
the server sends the original querier a SERVFAIL response.
If not defined, the default is 400 milliseconds. The minimum
value is 200 and the maximum value is 4096.
outgoing-query-increment: Define the number of milliseconds to increment the
<milliseconds> outgoing-query-timeout when no response is received
outgoing-query-increment: 400 from any authoritative server when resolving a query.
If not defined, the default is 400 milliseconds. The minimum
value is 200 and the maximum value is 4096.
102
Chapter 3. Configuring Secure64 DNS Cache
103
SECURE64 DNS CACHE 3.1
Chapter 3. Configuring Secure64 DNS Cache
Note The TTLs for cached information are internal to the Secure64 DNS Cache server. Responses to
clients still contain the TTL information based on the original values obtained during the query
resolution process.
The types of caches and TTL information are described in Table 17. Configuration information
for caches and TTL attributes are described in the following sections.
104
Chapter 3. Configuring Secure64 DNS Cache
Table 18. Message (answer) and RRset (referral) cache configuration attributes
Attribute: Value
Example(s) Description
msg-cache-size: <bytes>[k|m|g] Define the amount of memory to use for the answer
msg-cache-size: 128m cache. Plain value is in bytes or you can append k
(kilobytes), m (megabytes) or g (gigabytes), with
1024*1024 bytes in a megabyte. The value must be an
integer. If the server uses multiple resolver instances, the
memory is divided and allocated evenly to each instance.
If not defined, the default is 128 megabytes (128m). The
minimum is 512 kilobytes.
msg-cache-slabs: <num> Define the number of slabs in the answer cache.
msg-cache-slabs: 1 Increasing the number of slabs reduces lock contention,
but fragments memory usage.
If not defined, the default is 1.
cache-servfail-ttl: <seconds> Define the number of seconds to store a SERVFAIL
cache-servfail-ttl: 300 response in the message cache when there are issues
resolving the name, such as the resolver running out of
servers to ask, asking too many questions, or taking too
long to resolve the query. Acceptable range is 1-300
seconds. If not defined, the default is 300 seconds.
rrset-cache-size: <bytes>[k|m|g] Define the amount of memory to use for the referral
rrset-cache-size: 128m (RRset) cache. Plain value is in bytes or you can append
k (kilobytes), m (megabytes) or g (gigabytes), with
1024*1024 bytes in a megabyte. The value must be an
integer. If the server uses multiple resolver instances, the
memory is divided and allocated evenly to each instance.
If not defined, the default is 128 megabytes (128m). The
minimum is 512 kilobytes.
105
SECURE64 DNS CACHE 3.1
Chapter 3. Configuring Secure64 DNS Cache
rrset-cache-slabs: <num> Define the number of slabs in the referral (rrset) cache.
rrset-cache-slabs: 1 Increasing the number of slabs reduce lock contention,
but fragments memory usage.
If not defined, the default is 1.
cache-max-ttl: <seconds> Define the maximum TTL for RRsets and answer
cache-max-ttl: 86400 messages in the server’s internal cache. Defining a
maximum TTL helps prevent the use of large TTL values
for RRsets and answer messages.
Answers with TTLs shorter than the cache-max-ttl value
expire normally.
Answers with TTLs longer than the cache-max-ttl value
decrement until they reach the defined maximum, and
then they expire from the cache.
Setting the maximum to a low value, such as 900
seconds (15 minutes), can cause slower performance
because the server must update answers more
frequently. Setting the maximum to below 60 seconds can
cause SERVFAIL responses. The minimum allowable
value is 20 seconds
If not defined, the default is 86400 seconds (1 day).
Note You can configure the server to refresh the message (answer) cache when the TTL is expiring. For
more information, see the prefetch: attribute in Prefetching Expiring Entries on page 206.
106
Chapter 3. Configuring Secure64 DNS Cache
Attribute: Value
Example(s) Description
infra-host-ttl: <seconds> Define the time to live for entries in the host infrastructure
infra-host-ttl: 900 cache. The host cache contains RTT and EDNS
information for hosts.
If not defined, the default is 900.
infra-cache-numhosts: <num> Define the number of hosts for which RTT and EDNS
infra-cache-numhosts: 10000 information is cached.
If not defined, the default is 10000.
infra-cache-slabs: <num> Define the number of slabs in the infrastructure cache.
infra-cache-slabs: 1 Increasing the number of slabs reduces lock contention,
but fragments memory usage.
If not defined, the default is 1.
infra-lame-ttl: <seconds> Define the time to live for entries in the lame delegation
infra-lame-ttl: 900 cache.
If not defined, the default is 900.
infra-cache-lame-size: <bytes>[k|m|g] Define the amount of memory to use for the lame
infra-cache-lame-size: 10k delegation cache, per host. Plain value is in bytes or you
can append k (kilobytes), m (megabytes) or g (gigabytes),
with 1024*1024 bytes in a megabyte. The value must be
an integer. If the server uses multiple resolver instances,
the memory is divided and allocated evenly to each
instance.
If not defined, the default is 10 kilobytes (10k).
107
SECURE64 DNS CACHE 3.1
Chapter 3. Configuring Secure64 DNS Cache
Attribute: Value
Example(s) Description
key-cache-size: <bytes>[k|m|g] Define the amount of memory to use for the key cache.
key-cache-size: 64m Plain value is in bytes or you can append k (kilobytes), m
(megabytes) or g (gigabytes), with 1024*1024 bytes in a
megabyte. The value must be an integer. If the server
uses multiple resolver instances, the memory is divided
and allocated evenly to each instance.
If not defined, the default is 64 megabytes (64m). The
minimum is 512 kilobytes.
key-cache-slabs: <num> Define the number of slabs in the key cache. Increasing
key-cache-slabs: 1 the number of slabs reduces lock contention, but
fragments memory usage.
If not defined, the default is 1.
108
Chapter 3. Configuring Secure64 DNS Cache
Table 21 details the local zone attributes for cache.conf. Examples and a list of default values
follow.
Attribute: Value
Example(s) Description
local-zone: <zone> <type> [RRtype] [log] Configure a local zone. Use local-data: to enter data into
local-zone: “example.com” redirect the local zone. If there is no match from the local-data:
local-zone: example.com deny attribute, the defined type determines the answer to give.
local-zone: example.com deny ANY Answers for local zones are authoritative.
local-zone: example.com static log
Use the RRtype option to define a specific DNS Resource
Record for this local zone and type. See Blacklisting Domains
Using Local Zone Configuration on page 173 for examples.
Use the log option to log activity related to this local zone to a
local file. See Logging Local Zone Activity on page 116 for
details.
For type:
deny- if there is a match from local data, answers the query;
otherwise, drops queries.
refuse- if there is a match from local data, answers the query;
otherwise, replies with rcode REFUSED.
static- if there is a match from local data, answers the query;
otherwise, sends NXDOMAIN or NOERROR NODATA answer.
CNAME entries are matches when the name and class match,
but the specific type queried for is not found. For a negative
answer, an SOA is included if present as local-data for the zone
apex domain.
transparent- if there is a match from local data, provides the
answer to the query; otherwise, the query is resolved normally.
CNAME entries are matches when the name and class match,
but the specific type queried for is not found. If the query is for a
name in local data, but no such type of data is present, then a
NOERROR NODATA answer is returned. If local-data is
defined without local-zone, a transparent zone is created by
default.
redirect- answers queries for the zone and all subdomains of
the zone with the local data for the zone. It can be used to
redirect a domain to a different address.
nodefault- turns off default content for AS112 zones. The other
types also turn off default contents for the zone, but the
nodefault option has no other effect than turning off default
contents for the given zone. For a list of the default AS112
zones, see Default Local Zone Contents on page 114.
local-zone-log-file-num: <num> Define the total number of local zone log files to maintain, within
local-zone-log-file-num: 128 the range of 1-128. This setting applies to all local zones with
logging enabled.The files are stored in the lz_logging directory
of the cachednsadmin role. Filenames use the syntax
localzone_log_<8-digit-rolling-number>.
If local zone logging is enabled and the number of files is not
defined, the default is 128.
109
SECURE64 DNS CACHE 3.1
Chapter 3. Configuring Secure64 DNS Cache
local-zone-log-file-size: <bytes> Define the size of the local zone log file(s). This setting applies
local-zone-log-file-size: 143654912 to all local zones with logging enabled.
If local zone logging is enabled and the log file size is not
defined, the default is 143654912 (137 MB).
local-data: "<resource record string>” Configures local data to serve in reply to queries. The query
local-data: “my.local. IN A 192.0.2.51” must match exactly unless you configure the local-zone as
redirect or define CNAME data.
If not matched exactly, the local-zone <type> determines
further processing. For transparent and static types, CNAME
entries are matches when the name and class match, but the
specific type queried for is not found. If local-data is configured
that is not a subdomain of a local-zone, a transparent local-
zone is created by default.
For record types such as TXT, use single quotes, as in local-
data: 'example. TXT "text"'. If you need other types of
authoritative data, you can set up a stub zone to point to a full
authoritative server as detailed in Defining Stub Zones on
page 140 or a merge zone to act as an authoritative server as
described in Defining Merge Zones on page 143.
local-data-ptr: "<resource record Configures local data shorthand for a PTR record with the IPv4
string>” or IPv6 address and the corresponding host name without
local-data-ptr: “192.0.2.4 reversing the IP address manually. TTL can be included, for
www.example.com” example:
local-data-ptr: "2001:DB8::4 7200 www.example.com"
Note You can configure different local zone behavior for specific clients using the view clause. For details,
see Defining Views on page 163.
110
Chapter 3. Configuring Secure64 DNS Cache
• For local-data:, the query must match exactly unless you configure the local-zone:
as redirect or you use a CNAME (where they query matches except the type queried
for). If not matched exactly, the local-zone: <type> determines further processing.
• If local-data: is configured that is not a subdomain of a local-zone:, a
transparent local-zone is assumed. (If there is a match from local data, it provides the
answer to the query; otherwise, the query is resolved normally.)
• For details and examples of using local zones to blacklist zones, see Blacklisting Domains
Using Local Zone Configuration on page 173.
• For local data record types such as TXT, use single quotes:
local-data: 'example. TXT "text"'
Note For additional information and examples of using a CNAME record with local-data, refer to CNAME Local
Data Examples on page 113
111
SECURE64 DNS CACHE 3.1
Chapter 3. Configuring Secure64 DNS Cache
112
Chapter 3. Configuring Secure64 DNS Cache
Given the configuration attributes defined above, queries to the local zones provide the following
results:
dig @caching-server search.example.com A IN
— Finds a match in local-zone/local-data processing
— Responds with a CNAME chased through www.google.com to the appropriate A
records for www.google.com.
113
SECURE64 DNS CACHE 3.1
Chapter 3. Configuring Secure64 DNS Cache
Note If an NXDOMAIN response results from a CNAME chase initiated from local-data processing, an
NXDOMAIN redirection check occurs.Otherwise, if an NXDOMAIN response results from any other
local-data processing, NXDOMAIN redirection does not occur.
Note To remove a default setting, define your own local-zone: or use the nodefault type as
follows: local-zone: <zone> nodefault
As noted above, the nodefault type turns off default content for AS112 zones. The other types
for local-zone: turn off default contents, but also provide other behaviors.
114
Chapter 3. Configuring Secure64 DNS Cache
Reverse RFC 1918 data for the zones listed below. The local-zone: is set to static and
local-data: SOA and NS records are provided:
10.in-addr.arpa
16.172.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
168.192.in-addr.arpa
Reverse data for RFC 3330 IPv4 addresses for this network, link local, testnet, and broadcast
zones:
0.in-addr.arpa
254.169.in-addr.arpa
2.0.192.in-addr.arpa
255.255.255.255.in-addr.arpa
Reverse data for RFC 4193 IPv6 locally assigned local addresses:
D.F.ip6.arpa
115
SECURE64 DNS CACHE 3.1
Chapter 3. Configuring Secure64 DNS Cache
Note These are global settings that apply to all local zones with logging enabled. The default values and
acceptable ranges are detailed in Table 21 on page 109.
• Stop and start the server (issue the stop cachedns and start cachedns commands.
• To help you identify the amount of hard disk space allocated for different types of log
files, the start cachedns command displays the total disk space allocated for
116
Chapter 3. Configuring Secure64 DNS Cache
NXDOMAIN redirection logging, local zone logging, and query logging. The server
makes use of the allocation(s) for only the specific logging features you have enabled.
The log output contains the date/time, the view name, the client IP address, the domain name,
and the action taken.
Action taken messages are as follows:
• If local-data is served: “local data returned”
• If the query is dropped: “query dropped”
• If the response is rcode refuse: “query refused”
• If the response is nxdomain: “nxdomain returned”
• If the response is nodata: “no data returned”
• If the response is to redirect: “response redirected”
117
SECURE64 DNS CACHE 3.1
Chapter 3. Configuring Secure64 DNS Cache
118
Chapter 3. Configuring Secure64 DNS Cache
Randomization makes spoofing more difficult. With more random data, a spoofed reply must
contain more correct data to get through, lowering the chances of a successful poison attempt.
Randomization features include:
• All 16 bits in the ID are used.
• If configured with multiple public IP addresses, Secure64 DNS Cache can perform a
random choice of outgoing interfaces.
• If IPv6 is available, the server obtains another random bit by choosing the IPv4 or IPv6
transport protocol randomly.
• Query aggregation prevents identical outstanding queries to the same server, which
prevents birthday-paradox attacks.
• Query name strict matching prevents an answer from matching a query for which it is not
meant. If an answer can match multiple queries, you get the birthday paradox attack again
(from the previous item).
• The server uses a cryptographically strong random number generator for ports, which is
built into the Secure64 DNS Cache server stack. UDP ports are randomly selected from
the range of 1024 to 65535, and TCP ports are randomly selected from the range of
16384 to 65535.
Table 22. Identity and version security attributes in the server: clause of cache.conf
Attribute: Value
Example(s) Description
hide-identity: <yes|no> If set to yes, the server refuses id.server and hostname.bind queries.
hide-identity: yes If not defined, the default is yes.
hide-version: <no|yes> If set to yes, the server refuses version.server and version.bind queries.
hide-version: yes If not defined, the default is yes.
identity: “<string>” Set the identity to report for id.server and hostname.bind queries.
identity: “unknown”
If not defined and hide-identity: is set to no, the default is the
system node name.
version: “<string>” Set the version to report for version.server and version.bind queries.
version: “unknown”
If not defined and hide-version: is set to no, the default is the output
from the Secure64 Cache DNS version command.
To provide a different answer if hide-identity: and/or hide-version: are no, include the
following in the server: clause of the cache.conf configuration file:
identity: “string”
version: “string”
where “string” is the text to use in the response.
119
SECURE64 DNS CACHE 3.1
Chapter 3. Configuring Secure64 DNS Cache
To test the responses, use the dig command (from another system) as follows, where
<Secure64_server > is the Secure64 DNS Cache server:
dig @<Secure64_server> CH TXT id.server
dig @<Secure64_server> CH TXT id.bind
dig @<Secure64_server> CH TXT hostname.server
dig @<Secure64_server> CH TXT hostname.bind
dig @<Secure64_server> CH TXT version.server
dig @<Secure64_server> CH TXT version.bind
To use 0x20 forgery resistance, add the following to the server: clause of the
cache.conf configuration file:
use-caps-for-id: yes
Note The longer the query name, the more protection the 0x20 technique provides.
120
Chapter 3. Configuring Secure64 DNS Cache
Responses from most authoritative server software preserve the query name casing. However, a
small minority do not. If the response from the authoritative server does not preserve the correct
casing when 0x20 forgery resistance is enabled, the Secure64 DNS Cache server:
• Records related messages to syslog:
— %s: label comparison failure for %s
— Response from server %s for query %s: response name <%s> bit for
bit comparison failed
• Records statistics (see Server Activity Reporting and Statistics on page 215)
• Queries the next authoritative server
Unless it is known for certain that the responding authoritative server preserves query name
casing, it is not possible to determine whether an incorrect response is due to a forgery attempt
or the lack of 0x20 support from the responding authoritative server.
Attribute: Value
Example(s) Description
harden-glue: <no|yes> Define whether to avoid spoofing attempts by hardening
harden-glue: yes against out-of-zone RRsets in glue information.
If not defined, the default is yes.
WARNING: Setting this option to no opens systems
connected to the Internet to cache poisoning.
harden-dnssec-stripped: <no|yes> Define whether to require DNSSEC data for zones with
harden-dnssec-stripped: yes trust-anchors. If set to no, failing to validate DNSSEC or
DNSKEY data for a trust anchor causes the server to
treat the zone as insecure.
You may want to set this to no if the system is sometimes
behind an intrusive firewall that removes DNSSEC data
from packets, or a zone changes from signed to unsigned
or badly signed often. When set to no, a downgrade
attack could disable security for a zone.
If not defined, the default is yes.
harden-mismatch: <no|yes> Define whether to protect against cache poisoning
harden-mismatch: no attempts that use mismatches of the DNS message ID
and query name in a response when compared to the
original question.
If the answer message ID does not match, but the query
name does match, then the minimum information is
returned to the querier and the answer is not cached. If
the query name does not match, the answer is not
returned or cached.
If not defined, the default is no.
121
SECURE64 DNS CACHE 3.1
Chapter 3. Configuring Secure64 DNS Cache
Attribute: Value
Example(s) Description
private-address: <IP address or subnet> Define IPv4/IPV6 addresses or subnets on your private
private-address: 10.0.0.0/8 network that are not allowed to be returned for public
private-address: fd00::/8 Internet names. Any occurrence of such addresses are
removed from DNS answers.
Additionally, the DNSSEC validator may mark the
answers bogus. This protects against DNS rebinding,
where a user’s browser is turned into a network proxy,
allowing remote access through the browser to other
parts of your private network.
Some names can be allowed to contain your private
addresses. By default, all the local-data that you
configure is allowed to contain private addresses, and
you can specify additional names using private-domain.
If not defined, no private addresses are enabled.
private-domain: <domain name> Allow this domain and all of its subdomains to contain
private-domain: example.com private addresses. List multiple times to allow multiple
domain names to contain private addresses.
If not defined, the default is none.
do-not-query-address: <IP address>[/num] Do not query the given IPv4 or IPv6 address. Append
do-not-query-address: 10.2.3.4/24 /num to indicate a classless delegation netblock.
do-not-query-address: 127.0.0.1/8
do-not-query-address: ::1 If not defined, the default is 0 (no IP address).
122
Chapter 3. Configuring Secure64 DNS Cache
Attribute: Value
Example(s) Description
val-clean-additional: <no|yes> If yes, protects users that rely on the Secure64 DNS
val-clean-additional: yes Cache server for authentication from potentially bad data
in the Additional section of the response.
Removes all unsigned data from the Additional section of
secure messages. Does not affect insecure, bogus,
indeterminate, or unchecked messages.
If not defined, the default is yes.
val-permissive-mode: <no|yes> Define whether to permit bogus messages. When set to
val-permissive-mode: no yes, instructs the validator to mark bogus messages as
indeterminate. The security checks are performed, but if
the result is bogus (failed security), the reply is not
withheld from the client with SERVFAIL as usual. The
client receives the bogus data. For messages that are
found to be secure, the AD bit is set in replies.
Note: While DNSSEC is still in the early stages of
deployment, it may be best to use the permissive mode
(set to yes). This will result in a response, but AD bit will
not be set.
If not defined, the default value is no.
val-nsec3-keysize-iterations: “<keysize Define a list of key sizes and Next Secure version 3
iterations>” (NSEC3) iteration count values, separated by spaces. An
val-nsec3-keysize-iterations: “1024 150 NSEC3 message with a larger iteration count for the
2048 500 4096 2500” corresponding key size is marked insecure instead of
performing all hashing iterations. This protects against
DoS attacks that attempt to use a large number of hash
iterations.
The list must be in ascending order and have at least one
entry. Defining a very long list can cause slower
operation. Setting the attribute to "1024 65535" forces no
restriction on NSEC3 iteration values.
If not defined, the default is "1024 150 2048 500 4096
2500"
123
SECURE64 DNS CACHE 3.1
Chapter 3. Configuring Secure64 DNS Cache
Example:
# The server clause sets the main parameters and must come FIRST.
server:
#Start/stop options
include: include_start_stop_options
124
Chapter 3. Configuring Secure64 DNS Cache
include: include_caches_config
# Specify local data shorthand for a PTR record with the reversed IPv4
# IPv6 address and the hostname. A TTL can be included.
# local-data-ptr: "192.0.2.3 7200 www.example.com"
125
SECURE64 DNS CACHE 3.1
Chapter 3. Configuring Secure64 DNS Cache
126
Chapter 4. Advanced Configuration Topics
Overview
This chapter provides information about optional advanced features controlled by the DNS
server’s cache.conf configuration file. DNS-related configuration tasks require you to login to
cachednsadmin mode. For more information about operational logins, see Roles and User
Accounts on page 19.
Prior to configuring advanced options, the basic configuration and set up options should be
operational in cache.conf. For details, refer to Chapter 3. Configuring Secure64 DNS Cache on
page 91.
Use the following references to locate information in this chapter:
Enabling DNSSEC-Validated Queries.........................................128
Defining Resolver Forwarding.....................................................138
Defining Stub Zones....................................................................140
Defining Merge Zones.................................................................143
Configuring IPv6 Transition Technologies ...................................148
Redirecting NXDOMAIN Responses...........................................156
Defining Views ............................................................................163
Advanced Security Configuration................................................172
Specifying an Unbound Configuration File ..................................177
127
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
Note Defining trust anchors or a DLV causes DNSSEC validation to occur for all queries.
Exceptions are queries for configured local zones or queries that have the checking disabled (CD) bit
set.
Note The val-permissive-mode: attribute in cache.conf determines how queries that fail
validation are handled. If set to no, SERVFAIL is returned for bogus responses. If set to yes, the bogus
response is returned.
128
Chapter 4. Advanced Configuration Topics
Use Table 24 to determine query and response behavior based on the configuration of these
variables in the cache.conf configuration file.
129
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
Attribute: Value
Example(s) Description
trust-anchor-file: <filename> Specify one or more trusted key files that contain DS and
trust-anchor-file: trustanchor.lst DNSKEY records using the zone file format. List one file
trust-anchor-file: /secure/keys.txt per trust-anchor-file attribute.
If not defined, the default is no trust anchor file.
trust-anchor: “DS or DNSKEY record” Specify a DS or DNSKEY record, including the trusted
trust-anchor: “example.com DNSKEY 257 3 5 key information. List one record per trust-anchor
AQPzzTWMz8q...” attribute. Note that the TTL is ignored and class is IN by
default.
If not defined, the default is no trust anchor.
trusted-keys-file: <bind9-style-file> Specify one or more trusted key files that use the BIND-9
trusted-keys-file: trust_anchor_table.txt style format with the trusted-keys clause.
Wildcards in filenames are currently not supported.
If not defined, the default is no trust anchor file.
domain-insecure: <domain name> Define a domain to omit from DNSSEC validation. This
domain-insecure: www.example.com can be used to define a “negative trust anchor” to
temporarily disable DNSSEC validation for a specific
domain name.
List a separate attribute for each domain name to omit.
The defined domain name creates an endpoint for the
resolver to stop validation of the authentication chain. For
example, defining www.example.com affects only names
within the www.example.com domain; validation is still
performed on example.com, .com, and the root (".")
Note that if you set a trust anchor for the specific domain
name, it overrides this setting and the domain name is
secured. For example, defining a trust anchor for
www.example.com overrides the setting
domain-insecure: www.example.com
If not defined, the default is none.
If you have a trust anchor file for example.com in zone file format and a trust anchor file for
example.net in BIND-9 format, define the following attributes in the server: clause of the
cache.conf configuration file:
server:
trust-anchor-file: com.anchor
trusted-keys-file: net.keys
130
Chapter 4. Advanced Configuration Topics
Contents of com.anchor:
example.com. IN DS 6109 5 1 e1eccc7262384c2e7708b6a80d0aac958252135a
Contents of net.keys:
trusted-keys {
example.net 257 3 5
"AwEAAb1Uz2SnHcZc0g5uhKZ3w7dAXwD1R++sTfSZ
yQiLuU6VQbQnQdznJPmGNLviSIp/8eSRzq9f
AU7k3pkrV4COh3FIX5Ypqw3jgjs6Qic4voyH
zEBSkKeDNkCScidt05Kc6fte8u1QyKEMqzGQ
dCLF1Ax+RJJ4y22BvhdiOlYHYSGR";
};
Note The Secure64 DNS Cache server does not currently support automated root trust anchor updating.
To maintain the root trust anchor in the Secure64 DNS Cache server:
1. Go to the Internet Assigned Numbers Authority web site at
https://www.iana.org/dnssec/.
2. Download the root trust anchor from the IANA web site and verify its authenticity.
Note The root trust anchor file format and verification options are described in the Draft ICANN document
DNSSEC Trust Anchor Publication for the Root Zone, which is provided on the IANA web site.
3. Place the contents of the root trust anchor in DS record format, for example, in a
root.key text file.
131
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
Example:
Contents of root.key:
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
4. Use scp to copy the root.key file to the Secure64 DNS Cache server:
scp [-P <port>] root.key <user>@<host>:/cachednsadmin
where:
-P <port> is the optional incoming SSH port (if different than port 22, see Adding and
Removing Console Interfaces on page 251 for details about changing the default port)
<user> is a Secure64 DNS Cache user account assigned to the cachednsadmin role
<host> is the Secure 64 DNS Cache server IPv4 address, [IPv6 address] in square
brackets, or hostname
132
Chapter 4. Advanced Configuration Topics
5. Login as a user assigned to the cachednsadmin role. Add the following argument to
cache.conf in the server: clause section:
server:
trust-anchor-file: root.key
6. To activate the changes to the cache.conf configuration file, stop and start the server:
[cachednsadmin@Secure64]# stop cachedns
Stopping cachedns
Statistic logging stopped.
Stopping cachedns with 2 queries in progress
Stopped cachedns
The response should return NOERROR for the status and the AD bit should be included
in the flags list indicating authentication was successful.
8. To receive notification of key rollovers and other important information, subscribe to the
IANA root announcement e-mail list as described on the organization’s web site.
9. For information about obtaining trust anchors for domains that do not have a chain of
trust up to the root zone, refer to the next section.
133
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
• The Sandia Laboratories DNSSEC visualization tool, which creates a diagram showing
the DNSSEC status for a domain: http://dnsviz.net/
As described in RFC 4986, you must establish the authenticity of any keys you plan to configure
as a trust anchor. The RFC states:
“Operators of security-aware resolvers must ensure that they initially obtain any Trust
Anchors in a trustworthy manner.... This might be accomplished through a
combination of technical, procedural, and contractual relationships, or use other
existing trust relationships outside the current DNS protocol. Those responsible for
the operation of the security-aware resolver are responsible for establishing policies and
procedures to ensure that a sufficient Initial Trust Relationship is in place before adding
Trust Anchors for a particular DNS zone to their security-aware resolver
configuration.”
How you establish trust for a trust anchor key depends on the method the zone owner offers
for validation. Methods for obtaining trust anchors include:
• Visiting the zone owner’s secure web site and validating the key information.
• Obtaining the trust anchors from the zone owner via secure email.
• Using the SecSpider trusted keys file http://secspider.cs.ucla.edu/ta.html.
• Configuring DNSSEC Lookaside Validation (DLV) for zones registered with a DLV
repository. For more information, see Using DLV on page 134.
Note For information about the root trust anchor, see Obtaining and Configuring the Root Trust Anchor on
page 131.
Using DLV
DNSSEC Lookaside Validation (DLV) uses an alternate resource record called a DLV RR to
validate DNS records. As stated in RFC 5074, DNSSEC Lookaside Validation (DLV) is a
134
Chapter 4. Advanced Configuration Topics
mechanism for publishing DNS Security (DNSSEC) trust anchors outside of the DNS delegation
chain. It allows validating resolvers to validate DNSSEC-signed data for zones whose parents
aren’t signed or don’t publish DS records.
Zone owners register their zones with a DLV registry, such as Internet Systems Consortium (ISC)
DLV at https://dlv.isc.org. The registry publishes a DLV record for each zone. The DLV record
is defined in RFC 4431, and it uses the same format as the DS record.
Secure64 DNS Cache enables DLV support when you define a DLV anchor file or record in the
cache.conf configuration file. Table 26 provides a description of the DLV-related configuration
attributes.
Attribute: Value
Example(s) Description
dlv-anchor-file: <filename> File with trusted keys for a DLV (DNSSEC Lookaside
dlv-anchor-file: dlv.isc.org.key Validation) registry. DS and DNSKEY entries are
supported, in the same format as for trust-anchor-file:
statements.
Configure only one DLV registry. The DLV registry is used
as a root trusted DLV; you cannot limit DLV queries to
specific domains such as .com. The registry domain is
inferred from the DS or DNSKEY record in the file.
Default is no DLV anchor file.
dlv-anchor: “DS or DNSKEY record” Alternative to the dlv-anchor-file: attribute.
dlv-anchor: “dlv.isc.org. IN DNSKEY 257 3 Specify a DS or DNSKEY record, including the trusted
5 BEAAAAPHMu/5onzr...” key information, for the DLV registry. See the dlv-anchor-
file description for additional information.
If not defined, the default is no DLV anchor.
neg-cache-size: <bytes> Define the byte size of the aggressive negative cache for
neg-cache-size: 128m DLV. A plain number is in bytes, append 'k', 'm' or 'g' for
kilobytes, megabytes or gigabytes (1024*1024 bytes in a
megabyte). If the server uses multiple resolver instances,
the memory is divided and allocated evenly to each
instance.
If not defined, the default is 128 megabytes.
When processing a query with a DLV registry defined, Secure64 DNS Cache:
1. Checks to see if there is a trust anchor defined in cache.conf. If a trust anchor is
defined, Secure64 DNS Cache validates the response using the trust anchor information.
2. If no trust anchor exists or if the response using the trust anchor is insecure or
indeterminate, Secure64 DNS Cache checks whether DLV is configured.
3. If DLV is configured, Secure64 DNS Cache checks the DLV registry for the DLV record
of the zone. If a DLV record is defined, Secure64 DNS Cache uses it to validate the
response. Otherwise, an unvalidated response is provided.
135
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
In addition, Secure64 DNS Cache implements DLV using the following format and rules:
• The registry domain to query, such as dlv.isc.org, is inferred from the DS or DNSKEY
record defined in the dnssec-anchor-file: or dnssec-anchor: argument.
• The maximum query name is 255 characters, including the name of the DLV registry
(such as dlv.isc.org). When this limit is exceeded, an unvalidated answer is provided.
• You cannot limit DLV queries to specific domain names such as .com or .org. (The
DLV registry is used as a root trusted DLV).
• Enabling DLV affects query performance. DLV checking adds an additional step to the
querying process when:
— A trust anchor is not defined for the zone being validated
— Trust anchor validation returns an insecure or indeterminate result
• To reduce the impact of DLV on performance and minimize the load on DLV
registries, Secure64 DNS Cache implements aggressive negative caching as described in
RFC 5074. Using aggressive negative caching, the server does not make queries for any
name covered by a cached and validated NSEC record. The records must be signed
with NSEC (not NSEC3) and cannot use wildcards, although they can have (secured)
delegations inside the DLV repository.
Note Secure64 DNS Cache also performs standard negative caching (caching an NXDOMAIN response,
for example), which is the negative caching that comes from the SOA TTL value in the zone.
136
Chapter 4. Advanced Configuration Topics
5. To activate the changes to the cache.conf configuration file, stop and start the server:
[cachednsadmin@Secure64]# stop cachedns
Stopping cachedns
Statistic logging stopped.
Stopping cachedns with 6 queries in progress
Stopped cachedns
6. From another system, use the dig utility to test and query the server. For example, the
command below queries for the isc.org. NS record type (assumes the ISC’s DLV registry
is defined):
dig @<server_IP_address> +dnssec +multiline -t ns isc.org.
The response should return NOERROR for the status, the AD bit should be included in
the flags list, and the RRSIG record should be included in the Answer section.
7. To receive notification about key rollovers and other important information, subscribe to
the ISC DLV announcement e-mail list as described on the organizations web site.
137
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
Note For authoritative data, use a stub zone as discussed in Defining Stub Zones on page 140.
Attribute: Value
Example(s) Description
name: <domain name> Name of the zone to forward. To forward all queries sent
name: “secure64.com” to the Secure64 DNS Cache server, use ‘.’
forward-addr: <IP address> IPv4 or IPv6 address of the server to forward to. To use a
forward-addr: 192.168.127.99 non-default port for DNS communication, append '@' with
forward-addr: 192.168.127.95@5355 the port number. You must define at least one forward-
addr or forward-host. The maximum combined forward-
addr: and forward-host:attributes per forward zone is 16.
forward-host: <domain name> Name of server to forward to. The name itself is resolved
forward-host: forward.secure64.com before it is used. You must define at least one forward-
addr or forward-host. The maximum combined forward-
addr: and forward-host:attributes per forward zone is 16.
138
Chapter 4. Advanced Configuration Topics
— The Secure64 DNS Cache server attempts to contact the forward zone server(s) a
total of three times. If the query is not answered, the Secure64 DNS Cache server
responds with SERVFAIL.
• The forwarding server handles further recursion for the query and returns the answer to
the Secure64 DNS Cache server.
• The Secure64 DNS Cache server provides the answer from the forward zone server to
the querier.
• With the exception of CNAME and/or DNAME responses from a forward zone server,
the Secure64 DNS Cache server caches the result from the forward zone. CNAME or
DNAME/CNAME pair responses are not cached to allow for consistent responses from
the forward zone server.
• A forward-zone entry with name "." and a forward-addr:<IP_address> forwards all
queries to the targeted server (unless it can answer from the cache).
Example:
forward-zone:
name: "example.com"
forward-addr: 192.0.2.68
forward-addr: 192.0.2.73@5355
forward-zone:
name: "example.org"
forward-host: fwd.example.com
139
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
Note For local data and CNAME records, you can use local zones as discussed in Configuring Local Zones
on page 108. To configure the Secure64 DNS Cache server to act as an authoritative server for zone
data, see Defining Merge Zones on page 143
To use a stub zone, first configure the zone on an authoritative server on a different host. In
the cache.conf configuration file, configure the stub-zone: clause to point to the different
host for the zone. This allows the zone to be served by the authoritative server.
If you want DNSSEC validation for a stub zone that is signed, you can place a trusted key entry
with the zone’s public key in either the trust-anchor: (see Table 25 on page 130) or stub-
trust: (see Table 28 on page 141) attribute. The Secure64 DNS Cache server can then
validate the data and set the AD (authenticated data) bit on replies for the private zone
(authoritative servers do not set the AD bit). Note that the AA (authoritative) bit is not set on
these replies.
140
Chapter 4. Advanced Configuration Topics
Attribute: Value
Example(s) Description
name: <domain name>
Name of the stub zone.
name: secure64.com
stub-addr: <IP address> IPv4 or IPv6 address of the server to forward to. To use a
stub-addr: 192.168.127.99 non-default port for DNS communication, append '@' with
stub-addr: 192.168.127.95@5355 the port number. You must define at least one stub-addr
or stub-host. The maximum combined stub-addr and
stub-host attributes per stub zone is 16.
stub-host: <domain name> Name of stub zone nameserver. The name itself is
stub-host: ns.example.com resolved before it is used. You must define at least one
stub-addr or stub-host. The maximum combined stub-
addr and stub-host attributes per stub zone is 16.
stub-trust: “<DS or DSKEY>” If validation is required, specify a DS or DNSKEY record
stub-trust: “example. DS 12345 3 1 for the trust anchor of the stub zone, including the trusted
123456789abcdef6789012...” key information. List one record per line. Note that the
TTL is ignored and class is IN by default.
If preferred for organizational purposes, you can define
stub-trust: in the server: clause or use the
trust-anchor: attribute in the server: clause
instead of stub-trust:.
If not defined, the default is no stub trust anchor.
141
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
• The stub zone server returns the authoritative answer to the Secure64 DNS Cache
server. The stub zone processing will follow delegations returned by the configured
authoritative server.
• The Secure64 DNS Cache server provides the answer to the querier and caches the
result.
Example:
stub-zone:
name: "example.com"
stub-addr: 192.0.2.68
stub-zone:
name: "example.org"
stub-host: ns.example.com.
stub-trust: “example.org DS 36157 3 1 akdjfakldjajfdkagjlsd..."
142
Chapter 4. Advanced Configuration Topics
Note Do not configure a zone where domains or subdomains are duplicated across multiple servers and each
server has a specific non-overlapping record type(s). For example, do not define a zone where all A
records are on server A, all AAAA records are on server B, and TXT records are on server C. Once a
domain or subdomain is found to reside on a particular server, the merge zone feature assumes that all
configured record types for that domain or subdomain are in the same location.
The stub zone feature (see Defining Stub Zones on page 140) also provides answers from
authoritative servers. However, the merge zone feature differs from the stub zone feature in the
following ways:
• Merge zone responses are not validated, stub zone responses are validated.
• If a merge zone query receives a referral from the authoritative server, the information is
returned as the response. For a stub zone, the information is used to continue recursive
resolution.
• For a merge zone, NXDOMAIN responses indicate that the Secure64 DNS Cache server
needs to check the next authoritative server. For a stub zone, the NXDOMAIN response
is considered an answer.
• The merge zone feature passes the AA (Authoritative Answer) bit set by an authoritative
server in the response. The stub zone feature does not pass the AA bit.
143
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
Table 29 describes the nsd.conf configuration attributes for the merge-zone clause:
Attribute: Value
Example(s) Description
name: <domain name>
Name of the merge zone.
name: secure64.com
merge-addr: <IP address> IPv4 or IPv6 address of an authoritative server to query
merge-addr: 192.168.127.99 for the defined name. To use a non-default port for DNS
merge-addr: 192.168.127.95@5355 communication, append '@' with the port number. You
must define at least one merge-addr. The maximum
merge-addr attributes per merge zone is 16.
144
Chapter 4. Advanced Configuration Topics
• If all defined authoritative servers return NODATA (SOA or empty NOERROR) the
Secure64 DNS Cache server provides the NODATA response received from the last
server queried.
• The Secure64 DNS Cache server does not provide DNSSEC validation for merge zone
answers. However, if the DO (DNSSEC OK) bit was in the request, the Secure64 DNS
Cache server will return the necessary DNSKEY, RRSIG, NSEC, and DS RRsets in the
response, if defined on the configured authoritative server(s).
• CNAME responses are not re-queried. The Secure64 DNS Cache server returns the
CNAME response it receives from the authoritative server
• If the query does not include the RD (Recursion Desired) bit, but the query is for a
defined merge zone, merge zone processing takes place. All non-merge zone queries
received without the RD bit are REFUSED by the Secure64 DNS Cache server.
• When the RD bit is set, queries for domains covered by a merge zone definition are
processed as merge zones. Queries for domains not covered by a merge zone definition
are handled through normal recursion and processing.
• Merge zone responses do not use IPv4 filtering or trigger DNS64 processing if a
requested AAAA record does not exist. (See Configuring IPv6 Transition Technologies on
page 148 for more information about IPv4 filtering and DNS64 processing.)
• Merge zone responses do not use NXDOMAIN redirection processing. (See Redirecting
NXDOMAIN Responses on page 156 for more information about NXDOMAIN
redirection.)
• The Secure64 DNS Cache server acting as an authoritative server through the merge zone
feature does not respond to queries it may receive related to zone transfers (such as IXFR
or AXFR) or other authoritative server maintenance. The zone data is managed on the
authoritative server(s) as usual.
• The Secure64 DNS Cache server acting as an authoritative server through the merge zone
feature is authoritative for the configured merge zone name(s) only. It continues to
operate as a DNS caching server for all other domains. As with any Secure64 DNS Cache
server configuration, you can limit access to the server through its configured incoming
interfaces and access control specifications.
• The Secure64 DNS Cache server caches a result as follows:
— Full responses are cached based on the TTL of the response RRs.
— SERVFAIL and empty NOERROR responses are cached based on the cache-
servfail-ttl: configuration attribute.
— NXDOMAIN responses are cached based on the TTL of the SOA.
— Cached responses do not use the prefetch feature.
145
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
Example:
merge-zone:
name: “example.com”
merge-addr: 192.168.127.1
merge-addr: 192.168.127.2
merge-addr: 192.168.127.3
146
Chapter 4. Advanced Configuration Topics
Example:
[cachednsadmin@Secure64]# cachedns lookup secure64.com referral A
View: default
Cache: default
The following name servers are used for lookup of secure64.com.:
Queries for secure64.com. are resolved from the authoritative
server(s) at:
147
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
DNS64
About DNS64 and NAT64
DNS64 works in conjunction with a NAT64 device to translate IPv4 addresses into IPv6
addresses. It applies to requests from an IPv6-only client for a name that does not have an IPv6
address (AAAA record).
As shown in Figure 9, when an IPv6 client requests an IPv6 destination on the Internet, the
traffic is handled via IPv6. With DNS64 and NAT64 enabled, when an IPv6 client requests an
IPv4 destination, the DNS64 mechanisms synthesizes the IPv4 destination response into an
IPv6 destination. The packets are translated by the NAT64 device to access the IPv4 Internet.
To the client, it appears that every destination on the Internet has an IPv6 address.
148
Chapter 4. Advanced Configuration Topics
Figure 10 illustrates how an IPv4 address is synthesized into an IPv6 address when DNS64 is
enabled. If an authoritative DNS server responds that there is not an AAAA resource record the
for the name, the Secure64 DNS Cache server requests the A resource record. DNS64
synthesizes an AAAA resource record from the A resource record via an algorithm and a
configured IPv6 prefix.
The synthesized AAAA response is sent to the requesting client, which uses a separately
configured NAT64 IPv6/IPv4 translator to convert the response. In order to perform the
translation, the NAT64 device must be configured to use the same IPv6 prefix as the DNS64
configuration.
149
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
Configuring DNS64
To implement DNS64/NAT64, you need to enable DNS64 in the Secure64 DNS Cache
server’s cache.conf configuration file. This is done by configuring one or more IPv6 prefixes
for one or more NAT64 devices. The NAT64 device(s) must be configured to use the same
IPv6 prefix(es) as the DNS64 configuration.
Note DNS64 synthesized answers are not retained in the Secure64 DNS Cache server’s caches. As a
result, enabling DNS64 can affect server performance.
To configure DNS64 for Secure64 DNS Cache, define the following in the server:
clause of the cache.conf configuration file:
dns64-prefix: <Pref64::/n>
where:
— Pref64:: is the IPv6 prefix to use when synthesizing an IPv6 address from an
IPv4 address.
— n is the prefix length. Acceptable prefix lengths are 32, 40, 48, 56, 64, or 96.
Example:
dns64-prefix: 2001:db8:122:344::/96
The prefix length determines the position of the IPv4 address within the synthesized IPv6
address. Specifically, the synthesized address algorithm is:
• Concatenate the prefix, the 32 bits of the IPv4 address, and the suffix (if needed, set to
zero) to obtain an 128-bit address
• If the prefix length is less than /96, insert the null octet “u” at the appropriate position
(bits 64 to 71)
For example, a prefix length of /96 causes the four octets of the IPv4 address to become the
last four octets of the synthesized IPv6 address. (As noted, bits 64-71 must be set to zero in the
synthesized IPv6 address. For a /96 prefix length, you can do this by constructing a /96 prefix
using a /64 prefix and adding four octets set to zero.)
Examples:
• With a prefix of 2001:db8:122:344::/96 and an IPv4 address of 192.0.2.33
The synthesized IPv6 address is 2001:db8:122:344::192.0.2.33
• With a prefix of 2001:db8:122:344::/64 and an IPv4 address of 192.0.2.33
The synthesized IPv6 address is 2001:db8:122:344:c0:2:2100::
• With a prefix of 2001:db8:122:300::/56 and an IPv4 address of 192.0.2.33
The synthesized IPv6 address is 2001:db8:122:3c0:0:221::
150
Chapter 4. Advanced Configuration Topics
Note For additional details about addressing techniques and standards for DNS64, see the Internet Draft
“draft-ietf-behave-address-format.”
Example:
dns64-prefix: 2607:fb90:beef::/96
dns64-prefix: 2001:db8:01a0::/96
dns64-prefix: 1234:db8:5678::/96
Using the above example, assume the client’s IP address is 2001:abcd::1998. The modulo of 98/3
is 2, which causes the third dns64-prefix: to be selected (since the internal ordering is 0, 1, 2).
For the given client, the same dns64-prefix: is always selected (assuming the same number of
defined prefixes and the same client IP address).
Note DNS64 and IPv4 filtering can be used together. For more information, see Using IPv4 Filtering with
DNS64 on page 155.
151
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
IPv4 Filtering
Enabling IPv4 filtering on the Secure64 DNS Cache server can help prevent connection
problems and delays for clients attempting to access IPv4-based content. The issue can occur
when some applications or operating systems request AAAA DNS records by default, even if
the client’s IPv6 Internet connectivity is broken.
Figure 11. Delays can occur with AAAA queries over IPv4 connections
152
Chapter 4. Advanced Configuration Topics
When enabled, IPv4 filtering causes the Secure64 DNS Cache server to return AAAA records
only to clients that successfully connect via IPv6. Enabling filtering causes Secure64 DNS Cache
to remove the AAAA record from the response to clients that connect via IPv4. Filtering applies
to both authoritative and non-authoritative answers.
! WARNING You should enable IPv4 filtering only if necessary, as it changes the default behavior of the DNS.
In addition, IPv4 filtering is not performed for answers from DNSSEC-signed zones.
Note When filter-aaaa-on-v4: is enabled, the Secure64 DNS Cache server does not provide
AAAA records in the answer section of the response. It does allow AAAA records in the additional
section.
153
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
;; QUESTION SECTION:
;ipv6.google.com. IN AAAA
;; ANSWER SECTION:
ipv6.google.com. 10567 IN CNAME ipv6.l.google.com.
ipv6.l.google.com. 67 IN AAAA 2001:4860:8007::63
;; AUTHORITY SECTION:
google.com. 78086 IN NS ns1.google.com.
google.com. 78086 IN NS ns2.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 78082 IN A 216.239.32.10
ns2.google.com. 78082 IN A 216.239.34.10
;; QUESTION SECTION:
;ipv6.google.com. IN AAAA
;; ANSWER SECTION:
ipv6.google.com. 10567 IN CNAME ipv6.l.google.com.
;; AUTHORITY SECTION:
google.com. 78086 IN NS ns1.google.com.
google.com. 78086 IN NS ns2.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 78082 IN A 216.239.32.10
ns2.google.com. 78082 IN A 216.239.34.10
154
Chapter 4. Advanced Configuration Topics
To configure IPv4 filtering for Secure64 DNS Cache, define the following in the server:
clause of the cache.conf configuration file:
filter-aaaa-on-v4: <yes|no>
If set to yes, the server filters out AAAA records in the answer section of a response to clients
connecting via IPv4. If not defined, the default is no.
Example:
filter-aaaa-on-v4: yes
155
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
For authorization to use the NXDOMAIN redirection feature, you must include the NXDOMAIN
redirection feature in your organization’s Secure64 DNS Cache license agreement.
Note To simply redirect all queries for a specific domain, use the local-zone attribute with the redirect option
as discussed in Configuring Local Zones on page 108.
To provide security and interoperability with the DNS, Secure64 DNS Cache offers the
following features:
• By default, NXDOMAIN redirection is disabled.
• When enabled, NXDOMAIN redirection applies only to A and AAAA DNS records.
All other record types are not redirected.
• By default, NXDOMAIN redirection is not executed on a DNSSEC-signed response
of non-existence of a domain. You can configure the server to redirect signed
NXDOMAIN responses when certain conditions are met, as discussed in DNSSEC
and NXDOMAIN Redirection on page 157.
• A rule syntax is available to specifically define the domain queries to redirect.
Note The rule syntax does NOT follow regular expression format. See the configuration information and
examples that follow for details about the rule syntax.
• The time-to-live (TTL) for NXDOMAIN redirection for the recipient (client) defaults
to 0 (no TTL) and cannot be set longer than 60 seconds. This minimizes conflicts with
domain owners’ changes in the DNS that modify former NXDOMAIN responses into
responses where the name does exist.
156
Chapter 4. Advanced Configuration Topics
• Server administrators can offer users a method for opting out of NXDOMAIN
redirection.
• You can configure Secure64 DNS Cache to log NXDOMAIN redirection activity. For
details, see Logging NXDOMAIN Redirection Activity on page 162.
Note You can configure different NXDOMAIN redirection behavior for specific clients using the view: clause.
For details, see Defining Views on page 163.
Table 30 summarizes the expected behaviors based on the client query and the cache.conf
configuration file settings, when NXDOMAIN redirection is enabled:
Client Query Unsigned Response Signed, Valid Response Signed, Bogus Response
CD flag or DO flag set Redirect Do not redirect Do not redirect
If redirection for DNSSEC is If redirection for DNSSEC is
configured no (default), do not configured no (default), do
CD flag not set and DO redirect not redirect
Redirect
flag not set
If redirection for DNSSEC is If redirection for DNSSEC is
configured yes, redirect configured yes, redirect
157
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
Attribute: Value
Example(s) Description
nxdomain-redirect-destination: <IP_address> The IPv4 or IPv6 address of the servers to
nxdomain-redirect-destination: 71.33.226.72 receive redirected NXDOMAIN
nxdomain-redirect-destination: 192.168.127.94 responses. This can be an external
service over the Internet or an internal
network server that you host.
The IP addresses appear in the A or
AAAA records in the redirect response.
Multiple IP addresses can be listed;
define one line per IP address.
There is no limit on the number of
destinations listed; however, a maximum
of 13 are referred in each response. If
more than 13 IP addresses are defined,
the system circulates through the list.
If not defined, the default is no
NXDOMAIN redirection.
nxdomain-redirect-modify: “<rule1>” [<AND|OR> Defines a rule string to match one or more
“<rule2>”]... fully qualified domain names. When the
nxdomain-redirect-modify: “example” domain owner response is NXDOMAIN,
nxdomain-redirect-modify: “^exam” AND “.net.$” domains that match the defined rules are
nxdomain-redirect-modify: “^example.com.$” redirected to the defined redirect
nxdomain-redirect-modify: “.” destination. Note that the syntax does
NOT follow regular expression format.
Multiple nxdomain-redirect-
modify: attributes are allowed.
Rule strings can use the following syntax
and symbols for matching:
<string>- The domain name includes
the defined string.
^<string>- The start of the domain
name must match the rule string.
<string>.$- The end of the domain
name must match the rule string.
AND|OR- operators that you can use to
combine rule strings.
“.” - redirect all remaining domains;
should be after all other nxdomain-
redirect-modify: attributes.
158
Chapter 4. Advanced Configuration Topics
159
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
Note You can configure different NXDOMAIN redirection information for specific clients using the view
clause. For details, see Defining Views on page 163.
Example:
server:
auto-start: yes
interface: 192.168.127.99
interface: 2001:DB8::5
port: 53
access-control: 192.168.0.0/16 allow
access-control: ::1 allow
access-control: 217.132.248.134 deny
edns-buffer-size: 4096
root-hints: root.hints
do-ip4: yes
do-ip6: yes
do-tcp: yes
160
Chapter 4. Advanced Configuration Topics
#Do not redirect domains that contain “my” and end with
#“secure64.com.”
nxdomain-redirect-pass: “my” AND “secure64.com.$”
161
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
Note These are global setting. The default values and acceptable ranges are detailed in Table 31 on
page 158.
• Stop and start the server (issue the stop cachedns and start cachedns commands.
Log output contains the date/time, the view name, the client IP address, the domain name
queried, and the action taken, for example:
Aug 23 15:50:11 View: default, Query from client 192.168.127.17 for
domain staticlog.com. IN A redirected
162
Chapter 4. Advanced Configuration Topics
Defining Views
A view allows you to configure different functionality and attributes based on characteristics of
the requesting client. The methods used to characterize clients for a view are:
• The source IP address of the requesting client, and/or
• The query destination IP address of the incoming message (the IP address on the
Secure64 DNS server to which the query was sent)
Note When based on the destination IP address, a view is valid only if the Secure64 DNS Cache server is
configured to listen for queries on multiple IP addresses (defined with the interface: attribute in the
server: clause).
To customize behaviors based on the requesting client defined by the view, you can define the
following configuration attributes in a view:
• Root hints information (root-hints: attribute)
• DNS64 functionality (dns64-prefix: attribute)
• IPv4/AAAA record filtering (filter-aaaa-on-v4: attribute)
• Local zones information (local-zone:, local-data:, local-data-ptr: attributes)
• NXDOMAIN redirection (nxdomain-redirect-ttl:, nxdomain-redirect-
destination:, nxdomain-redirect-pass:, nxdomain-redirect-modify:,
nxdomain-redirect-optout:, nxdomain-redirect-dnssec-allow:, nxdomain-
redirect-log: attributes, assuming your organization is authorized for NXDOMAIN
functionality)
• One IPv4 and/or one IPv6 outgoing interface (outgoing-interface: attribute) to
define the source of queries from the defined view (see also Creating Location-Based Views
on page 169 for more information)
• Drop type ANY (drop-any: attribute) to drop all incoming queries of the type ANY
• Drop type MX (drop-mx: attribute) to drop all incoming queries of type MX
163
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
Attribute: Value
Example(s) Description
view-name: <name> Required. Defines a unique name for the view; maximum
view-name: internal of 64 characters.
cache-name: <name> Optional. Defines a configured cache to use for this view.
cache-name: central The cache must be defined using the cache attribute in
the server clause (see Configuring Separate Caches
on page 168 for details). Multiple views can use the same
cache-name.
Note: If a view defines its own root-hints: file, then a
separate cache is required for the view.
If not defined, the view uses the default shared cache.
match-clients: <ip_spec> Defines the clients to use the view based on the IPv4 or
match-clients: 3ffe:801::/32 IPv6 source address(es) of the incoming message. At
least one match-clients or match-destinations
attribute is required (defining both is allowed).
For ip-spec:
Plain IP address (IPv4 or IPv6): 1.2.3.4
Subnet: 1.2.3.0/24
Note that if used in combination with different match-
destinations, you can define a specific ip-spec
more than once.
To define multiple match-clients for a view name,
list one attribute for each, one per line.
match-destinations: <ip_address> Defines the clients to use the view based on the
match-destinations: 192.168.127.100 destination IPv4 or IPv6 address(es) of the incoming
message (the IP address on the Secure64 DNS server to
which the query was sent). At least one match-clients
or match-destinations attribute is required (defining
both is allowed).
The Secure64 DNS Cache server must be listening for
queries on multiple IP addresses (defined by the
interface attribute), and the destination IP address
must be one of the addresses defined.
Note that if used in combination with different match-
clients, you can define a specific IP address more
than once.
To define multiple match-destinations for a view
name, list one attribute for each, one per line.
164
Chapter 4. Advanced Configuration Topics
! WARNING If defining multiple views, take care when configuring the match-clients: and match-
destinations: attributes to ensure that each view definition is unique. If multiple views have
the same definition, the last one in the list is used.
• The view: clause and a unique view-name: for each view are required.
• At least one match-clients: or match-destinations: attribute is required (defining
both is allowed).
• If only match-destinations: is specified for a view name, that view becomes the
default for all traffic received on that interface (as opposed to the non-view
configuration). To use other views on the interface, specify match-clients: in addition
to the same match-destinations: attribute.
• If only match-clients: is specified for a view name, that view becomes the default
view for the specified client IP address(es).
• A match-clients: attribute defined for one view can be a superset of a match-
clients: attribute defined for another view.
• If you add, remove, or change the view-name:, match-clients:, match-
destinations:, or cache-name: attributes, you must stop and start the server to make
the changes effective (you cannot use the cachedns reload command for this purpose).
• The cachedns reload command is operational for reloading DNS64, IPv4 filtering, local
zone, NXDOMAIN redirection, and drop type ANY components of the view.
165
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
• Views use the default shared cache, unless the view includes the cache-name: attribute
to link to a separately configured cache (discussed in Configuring Separate Caches on
page 168).
• Views use the default root-hints:, unless the view includes the root-hints:
attribute. If the view includes the root-hints: attribute, it must also use a separately
configured cache (see Configuring Separate Caches on page 168).
• Implementing views reduces the performance of the server both for cache hits and
misses.
Examples:
view:
view-name: IPv6transition
# applies to all clients with the specified IP address, regardless
# of the destination IP address receiving the query
match-clients: 192.168.111.0/24
filter-aaaa-on-v4: yes
view:
view-name: no_google # don't let clients use Google search
# applies to clients with the specified IP address querying
# the match-destinations IP address
match-destinations: 192.168.127.45
match-clients: 192.168.122.0/24
local-zone: "google.com" static
view:
view-name: no_bing # don't let clients use Bing search
# applies to clients with the specified IP address querying
# the match-destinations IP address
match-destinations: 192.168.127.55
match-clients: 192.168.133.0/24
local-zone: "bing.com" static
view:
view-name: redirect
# applies to all clients querying the specified destination IP
# address
# Except those matching the IPv6transition view
match-destinations: 192.168.127.65
166
Chapter 4. Advanced Configuration Topics
nxdomain-redirect-destination: 212.33.231.83
Figure 13 provides an illustration of the previous examples, showing how incoming queries are
directed to the configured views or the default (non-view) configuration.
167
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
Note Do not define the same cache in views that you expect to receive different answer values for the same
set of queries.
• If the view does not define a separate cache, it uses the default shared cache.
• If you define a separate cache, it must be used in a view or the server will not start.
• Named caches use memory separate from the default cache. To ensure total memory
use does not exceed available memory, be sure to consider all memory specified. For
example, if the system as configured prior to adding named caches was close to using all
system memory, then cache sizes must be reduced to allow for the new named caches.
Example:
cache: name: ”north” msg-cache-size: 1024m rrset-cache-size: 512m
cache: name: ”central” msg-cache-size: 1024m rrset-cache-size: 512m
168
Chapter 4. Advanced Configuration Topics
Note For an example of how to use separate caches in views, see Creating Location-Based Views on
page 169.
169
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
2. In the view clause, link the separate cache to the view using the cache-name: attribute.
3. In the view clause, define the match-clients: attribute
4. In the view clause, define the outgoing-interface: attribute based on location. You
can define one IPv4 address and one IPv6 address.
Example:
The north and central locations are using a separate cache so that client queries directed to
those views can use a different outgoing-interface:. The south location is using the default
shared cache.
server:
auto-start: yes
incoming-query-timeout: 30
num-recursive-clients: 20000
outgoing-query-timeout: 400
outgoing-query-increment: 800
interface: 0.0.0.0
outgoing-interface: 1.2.3.4
msg-cache-size: 1024m
msg-cache-slabs: 1
rrset-cache-size: 512m
rrset-cache-slabs: 1
170
Chapter 4. Advanced Configuration Topics
171
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
Configurable Options
These options allow you to:
• Mitigate and rate limit UDP and TCP data floods (see About Data Flood Protection
Mechanisms on page 226
• Mitigate and rate limit excessive queries based on query type (see DNS RRtype Filtering
Rules on page 238)
• Enable DNSSEC validation in the Secure64 DNS Cache resolver (see Enabling
DNSSEC-Validated Queries on page 128).
• Control the clients that can or cannot access the DNS server (use the access-
control: attribute (see Configuring Basic Server Attributes on page 96)
• Define certain IP addresses that the server will not query, (use the do-not-query-
address: attribute, see Other Security, Hardening, and Testing Settings on page 121)
• Configure basic security settings to defend against cache poisoning, spoofing, and other
security issues (see Configuring for Basic Security on page 118)
• Filter queries based on query type (see Filtering Requests Based on Incoming Query Type in
the following section)
• Compare a query to an internal list of blacklisted domains via a local zone (use the
local-zone: clause, see Blacklisting Domains Using Local Zone Configuration on page 173)
• Forward a query to a different server running rbldnsd or similar software for DNS
blacklist (DNSBL) support (use the forward-zone: clause and related attributes, see
Defining Resolver Forwarding on page 138)
• Dynamically change certain configuration attributes without stopping and starting the
server (see Reloading Configuration Changes Dynamically on page 185)
172
Chapter 4. Advanced Configuration Topics
173
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
• For the optional RRtype local-zone: parameter, the supported RRtypes are:
Example:
local-zone: “badzone1.” static
local-zone: “badzone2.” static
local-zone: “badzone3.” static
local-zone: “badzone4.” static
To configure the server to return a REFUSED response for queries within the domain,
including subdomains:
• Specify the following in the server: clause of cache.conf:
local-zone: <zone> refuse
Example:
local-zone: “badzone1.” refuse
local-zone: “badzone2.” refuse
local-zone: “badzone3.” refuse
local-zone: “badzone4.” refuse
174
Chapter 4. Advanced Configuration Topics
To configure the server to return a REFUSED response for a specific RRtype for a
domain and its subdomains:
• Specify the following in the server: clause of cache.conf:
local-zone: “<zone>” refuse <RRtype>
Example:
#Send REFUSED in response to ANY queries for example.com and its
# subdomains
local-zone: “example.com” refuse ANY
To configure the server to return drop queries for a specific RRtype for a domain and its
subdomains:
• Specify the following in the server: clause of cache.conf:
local-zone: “<zone>” deny <RRtype>
Example:
#Drop MX queries for example.com and its subdomains
local-zone: “example.com” deny MX
To configure the server to return specific data for queries to a specific domain:
• Specify the following in the server: clause of cache.conf:
local-data: “<resource record>”
Example:
#return the defined record for queries to adserver.example.com
local-data: "adserver.example.com IN A 127.0.0.1"
To configure the server to return specific data for queries to a domain or subdomain:
• Specify the following in the server: clause of cache.conf:
local-zone: “<zone>” redirect
local-data: “<resource record>”
Example:
#return the defined record for queries to example.com and subdomains
local-zone: “example.com” redirect
local-data: "example.com IN A 10.0.0.1"
175
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
where:
<user> is a Secure64 DNS Cache user account assigned to the cachednsadmin role
<host> is the Secure 64 DNS Cache server IPv4 address, [IPv6 address] in square
brackets, or hostname
3. Login to the Secure64 DNS Cache server as a user assigned to the cachednsadmin role.
4. At the view prompt, type enable cachednsadmin and press ENTER.
5. In the server: clause of the cache.conf configuration file, add the following
statement:
include: <blacklist>
6. To load the configuration file changes, either stop and start the server (issue the stop
cachedns and start cachedns commands) or use the cachedns reload command.
The cachedns reload command loads the configuration changes without stopping the
server.
7. Use the dig command to verify that queries to the domains defined in the blacklist file
return the desired response. (For details about using the dig command, see Using the
Secure64 DNS Cache dig Command on page 369.)
where:
<user> is a Secure64 DNS Cache user account assigned to the cachednsadmin role
<host> is the Secure 64 DNS Cache server IPv4 address, [IPv6 address] in square
brackets, or hostname
3. Use a script to perform the cachedns reload command from the cachednsadmin role.
176
Chapter 4. Advanced Configuration Topics
Note Due to the differences in configuration attributes, some Unbound configuration clauses and statements
will be ignored by Secure64 DNS Cache. The unsupported attributes are noted when you start the server
and are detailed in Appendix C: Unbound Configuration Differences on page 479.
To specify the Unbound configuration file to import, securely copy the Unbound file to Secure64
DNS Cache and modify cache.conf to include the include: statement, as instructed below.
Note Define configuration parameters in the unbound.conf file, not the cache.conf file.
where:
-P <port> is the optional incoming SSH port (if different than port 22, see Adding and
Removing Console Interfaces on page 251 for details about changing the default port)
<user> is a Secure64 DNS Cache user account assigned to the cachednsadmin role
<host> is the Secure 64 DNS Cache server IPv4 address, [IPv6 address] in square
brackets, or hostname
2. Add the include: statement to the cache.conf configuration file:
include: unbound.conf
177
SECURE64 DNS CACHE 3.1
Chapter 4. Advanced Configuration Topics
178
Chapter 5. Managing Secure64 DNS Cache
Overview
This chapter discusses how to start and stop the server, test the server, flush items from the
cache, and monitor server information and statistics.
Use the following references to locate information in this chapter:
179
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
Each cache has a separately configured cache size that defines the amount of memory to use
for the cache.
180
Chapter 5. Managing Secure64 DNS Cache
With systems using multiple resolver instances, each of the cache sizes are divided evenly among
the instances, as illustrated in Figure 14. For example, the answer and referral cache have 128 MB
of memory total by default. Each instance is allocated 1/3 of the total, or approximately 42.67
MB of memory:
181
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
A view can use the default shared cache or a separately configured named cache. A separate
named cache includes its own answer and referral cache (the infrastructure cache, key cache,
and negative cache are always shared). It also defines memory sizes for the answer and referral
caches separate from the default shared caches. Figure 15 shows that the named cache assigned
to a view has separate answer and referral caches, and they are equally divided among instances.
Figure 15. Allocation of caches for multiple resolver instances, with a named cache for a view
182
Chapter 5. Managing Secure64 DNS Cache
Query Logging
Because the resolver behavior and DNS information can differ for each instance, Secure64 DNS
Cache creates separate query log directories and file sets for each instance. This maintains the
query/response sequences for each resolver instance to facilitate analysis and diagnostics. If the
server is running a single resolver instance, the server maintains one directory and with one set of
log files. For details, see DNS Query Logging on page 211.
183
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
Note You can configure the Secure64 DNS Cache server to automatically load a previously saved cache
from a file. For more information, see Saving and Loading the Cache on page 204.
184
Chapter 5. Managing Secure64 DNS Cache
185
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
forward-host
stub-zone name
stub-addr
stub-host
merge-zone name
merge-addr
do-not-query-address
private-domain
private-address
• nxdomain reloadable attributes:
nxdomain-redirect-destination
nxdomain-redirect-log
nxdomain-redirect-ttl
nxdomain-redirect-pass
nxdomain-redirect-modify
nxdomain-redirect-optout
nxdomain-redirect-dnssec-allow
To reload cache.conf configuration changes without stopping and starting the server:
1. Edit the cache.conf configuration file, either directly or via an include file.
— For information about editing the file, see Editing the Configuration File on page 94.
— For information about using include files, see Using Include Files on page 124.
2. Log in as user assigned to the cachednsadmin role, if you are not already, and type
enable cachednsadmin and press ENTER.
3. To reload all dynamically changeable configuration changes, type cachedns reload and
press ENTER.
Note As the configuration change(s) become effective, the server will experience a brief time in which it
does not respond to queries.
4. If the change affects data that may be cached and you want to serve the new data, you
can flush the cache to remove any previously cached data. See Flushing the Cache on
page 193 for more information.
5. After you execute the cachedns reload command, use the show cachedns reload
status command to verify the results. For details, see Verifying the Reload Configuration
Results on page 187.
186
Chapter 5. Managing Secure64 DNS Cache
Note The server replaces the previous configuration value with the new value; the changes are not additive.
Example:
[cachednsadmin@Secure64]# cachedns reload
Successfully launched cachedns reload task
Run 'show cachedns reload status' from the command line to see the
result
After the cachedns reload completes, the command displays the following information:
• reload submitted: The last date/time a reload was requested
• runtime: The time to complete the reload, in seconds
• status: success|failed
• error code: Error code found during processing, for use by Secure64 support
• error message: Information and/or recommended actions corresponding to the error
If the command is successful, the Status line reads “success.” If an error occurs, the Status line
reads “failed.” Check the Error Message line for additional details to help you identify any issues.
Syslog messages also identify cachedns reload activity.
187
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
188
Chapter 5. Managing Secure64 DNS Cache
Example:
[cachednsadmin@Secure64DNS]# show cachedns status
The server is running
where:
<server> is the IP address of the Secure64 DNS Cache server
<name> is the host or domain name to query
<type> is the resource record to query
<queryopt> is a query option, such as +dnssec to request DNSSEC validation,
+cdflag to request that DNSSEC validation is disabled (helpful to examine a validated
query that returns SERVFAIL)
<-flag> is an optional flag, such as -o to write the output to a file
Note For a full description of the dig command implementation in Secure64 DNS Cache, see Using the
Secure64 DNS Cache dig Command on page 369.
189
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
Example:
[cachednsadmin@Secure64]# dig @192.168.127.175 secure64.com +dnssec
; <<>> DiG SourceT 3.x <<>> @192.168.127.175 secure64.com +dnssec
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41191
;;flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL:
1
;; QUESTION SECTION:
;secure64.com. IN A
;; ANSWER SECTION:
secure64.com. 3600 IN A 72.167.37.13
secure64.com. 3600 IN RRSIG A RSASHA1 2
3600 20100208100007 20100201090007 53733 secure64.com.
oBkFdR78z+LV9O5QGwWNdktNLgmPPOENdLM+4K9OqObLKULp04155+M5ScDisdp4g4F
U+RhLOBYegSvvoQF0taScbpyXz3wzutMvPQ2aWJ0be2P5PLeDIa2Nq2GKnD6noLmwP5
sVCSA5LuGi8m0ZyRAFSDAj+RgOQWTh26ITM= )
;; QUESTION SECTION:
;secure64.com. IN A
;; ANSWER SECTION:
secure64.com. 3494 IN A 72.167.37.13
;; AUTHORITY SECTION:
190
Chapter 5. Managing Secure64 DNS Cache
secure64.com. 3494 IN NS
ns1.secure64.com.
secure64.com. 3494 IN NS
ns2.secure64.com.
;; ADDITIONAL SECTION:
ns1.secure64.com. 3494 IN A 64.92.220.221
ns2.secure64.com. 3494 IN A 216.17.193.194
;; QUESTION SECTION:
;secure64.com. IN A
;; ANSWER SECTION:
secure64.com. 3403 IN A 72.167.37.13
;; AUTHORITY SECTION:
secure64.com. 3403 IN NS
ns1.secure64.com.
secure64.com. 3403 IN NS
ns2.secure64.com.
;; ADDITIONAL SECTION:
ns1.secure64.com. 3403 IN A 64.92.220.221
ns2.secure64.com. 3403 IN A 216.17.193.194
;; QUESTION SECTION:
;secure64.com. IN NS
;; ANSWER SECTION:
secure64.com. 3600 IN NS
ns1.secure64.com.
191
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
secure64.com. 3600 IN NS
ns2.secure64.com.
;; ADDITIONAL SECTION:
ns1.secure64.com. 3600 IN A 64.92.220.221
ns2.secure64.com. 3600 IN A 216.17.193.194
Note By default, when DNSSEC validation is enabled, SERVFAIL is sent as a response for all queries that
result in a bogus result (cannot be validated). For more information, see Understanding Validation
Behavior on page 128.
192
Chapter 5. Managing Secure64 DNS Cache
Note If the system restarts abnormally, [SYSTEM:STARTUP] messages relating to safe boot mode are written
to syslog, and the server boots into safe mode. For more information, see Starting in Safe Mode on
page 262.
To remove a specified name and its common records from the answer and referral caches:
1. Log into Secure64 DNS Cache with a user account assigned to the cachednsadmin role.
2. At the view prompt, type enable cachednsadmin and press ENTER to enable
cachednsadmin mode.
3. At the cachednsadmin prompt type:
cachedns flush name <name> [cachename|default] and press ENTER., where
<name> is the domain name to flush and [cachename|default] is the optional cache
name.
Examples:
[cachednsadmin@Secure64]# cachedns flush name org
Flushing common record types from all caches for <org>
193
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
4. For the specified name, the server removes the A, AAAA, NS, SOA, CNAME,
DNAME, MX, PTR, SRV, NAPTR, RRSIG, DNSKEY, DS, NSEC, NSEC3, and DLV
records from the answer and referral caches for the specified name.
To remove a specific record for a specific name from the answer and referral caches:
1. Log into Secure64 DNS Cache with a user account assigned to the cachednsadmin role.
2. At the view prompt, type enable cachednsadmin and press ENTER to enable
cachednsadmin mode.
3. At the cachednsadmin prompt type:
cachedns flush type <name> <type> [cachename|default] and press ENTER,
where <name> is the domain name to flush the record from, <type> is A, AAAA,
NS, SOA, CNAME, DNAME, MX, PTR, SRV, NAPTR, RRSIG, DNSKEY, DS,
NSEC, NSEC3, or DLV, and [cachename|default] is the optional cache name.
Examples:
[cachednsadmin@Secure64]# cachedns flush type secure64.com NS
Flushing record type <NS> from all caches for <secure64.com>
4. The server removes the specified record from the answer and referral caches only for
the specified domain name.
Note If the record is part of a larger cached answer, it is not flushed from the answer cache. For example, if
the NS records are flushed for a specific name, they are removed from the referral cache. They are not
removed from the answer cache if the NS records are a subset of a cached answer's records.
To remove all records at or below a specified name from the answer and referral caches:
1. Log into Secure64 DNS Cache with a user account assigned to the cachednsadmin role.
2. At the view prompt, type enable cachednsadmin and press ENTER to enable
cachednsadmin mode.
3. At the cachednsadmin prompt type:
cachedns flush zone <name> [cachename|default] and press ENTER, where
<name> is the domain name to flush and [cachename|default] is the optional cache
name.
194
Chapter 5. Managing Secure64 DNS Cache
Examples:
[cachednsadmin@Secure64]# cachedns flush zone org
Flushing all zone data from all caches at or below <org>
4. The server removes all records for the domain and all subdomains from the answer and
referral caches.
Note The cachedns flush zone command sets the records' TTL entries to "expired." Expired records
are included in show cachedns info entry counts until they are reclaimed, based on least
recently used activity.
To remove the cached validation status for a specific zone from the answer and referral
caches:
1. Log into Secure64 DNS Cache with a user account assigned to the cachednsadmin role.
2. At the view prompt, type enable cachednsadmin and press ENTER to enable
cachednsadmin mode.
3. At the cachednsadmin prompt type:
cachedns flush validation <zone> [cachename|default] and press ENTER, where
<zone> is the zone to flush and [cachename|default] is the optional cache name.
Examples:
[cachednsadmin@Secure64]# cachedns flush validation s64
Flushing all validation data from all caches at or below <s64>
4. The server removes the cached validation status for the specified zone. This forces
validation to occur the next time the zone is queried (assuming validation is enabled for
the zone).
195
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
Note Any configuration attributes that are not defined in a separate view use the “default” view, and any
views that do not define a separate cache use the “default” cache. See Defining Views on page 163 for
more information.
196
Chapter 5. Managing Secure64 DNS Cache
View: default
Cache: default
Instance: 1
ANSWER SECTION:
AUTHORITY SECTION:
ADDITIONAL SECTION:
197
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
View: default
Cache: default
Instance: 2
View: default
Cache: default
Instance: 3
View: test65
Cache: t65
Instance: 1
View: test65
Cache: t65
Instance: 2
View: test65
Cache: t65
Instance: 3
198
Chapter 5. Managing Secure64 DNS Cache
Note Any configuration attributes that are not defined in a separate view use the “default” view, and any views
that do not define a separate cache use the “default” cache. See Defining Views on page 163 for more
information.
View: default
Cache: default
Instance: 1
199
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
View: default
Cache: default
Instance: 2
View: default
Cache: default
Instance: 3
View: test65
Cache: t65
Instance: 1
View: test65
Cache: t65
Instance: 2
View: test65
Cache: t65
Instance: 3
200
Chapter 5. Managing Secure64 DNS Cache
The command displays the caching configuration settings from running memory (what the server
is actively using).
To make the output more readable, you can select one of the following modifiers to display a
subset of the active configuration, as follows:
— show cachedns config basic - Displays system settings
— show cachedns config sizes - Displays cache size settings
Note The cache sizes displayed differ from the numbers configured in cache.conf. The system
automatically adjusts the sizes for memory allocation overhead, which prevents extending over the
maximum memory allowed.
Note The IP addresses in the cache.conf file and the format displayed by the show cachedns
config zone command output can differ. For example, if you define a set of IP addresses and then
a sub-set of the same set, only the overriding set displays. In addition, if a netblock is not specified, the
command displays the IP address with the appropriate netblock notation.
201
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
Example:
[cachednsadmin@Secure64]# show cachedns config basic
start the server automatically on system boot = <no>
start the bfd service automatically on system boot = <no>
start the bgp service automatically on system boot = <no>
dump the answer and referral caches automatically on server stop =
<no>
load the answer and referral caches automatically on server start =
<no>
return minimal responses = <no>
statistics interval = <0>
cumulative statistics = <0>
prefetch almost expired cache entries = <no>
port = <53>
do ip4 = <yes>
do ip6 = <yes>
do tcp = <yes>
incoming tcp connections = <10>
EDNS buffer size = <4096>
Filter AAAA responses on IPv4 = <no>
dns64-prefix list:
There are no dns64 prefixes defined.
number of simultaneous recursive clients = <768>
initial timeout value for outbound UDP requests = <400>
increment value for timedout UDP queries = <400>
maximum processing time for incoming DNS queries = <30>
number of incoming interfaces = <8>
incoming interface 0 = <192.168.127.81>
incoming interface 1 = <192.168.95.81>
incoming interface 2 = <192.168.95.84>
incoming interface 3 = <192.168.127.85>
incoming interface 4 = <fd64:0:0:127::81>
incoming interface 5 = <fd64:0:0:95::81>
incoming interface 6 = <2001:470:1f04:ad8:1::51>
incoming interface 7 = <2002::1>
number of outgoing interfaces = <8>
outgoing interface 0 = <192.168.127.81>
outgoing interface 1 = <192.168.95.81>
outgoing interface 2 = <192.168.95.84>
outgoing interface 3 = <192.168.127.85>
outgoing interface 4 = <fd64:0:0:127::81>
outgoing interface 5 = <fd64:0:0:95::81>
outgoing interface 6 = <2001:470:1f04:ad8:1::51>
202
Chapter 5. Managing Secure64 DNS Cache
Note The show cachedns config command lists the active root hints entries. If the DNS server has only IPv4
outgoing interfaces specified, then only the IPv4 address in the root hints entries display. If both IPv4 and
IPv6 outgoing interfaces are specified, then both IPv4 and IPv6 root hints entries display. If you define a
custom root hints file, ensure that it includes IP address type(s) that correspond to3.13.1 your defined
outgoing interfaces. If it does not, the server uses the default root hints.
203
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
204
Chapter 5. Managing Secure64 DNS Cache
Attribute: Value
Example(s) Description
dump-cache-on-stop: <yes|no> Define whether to save the answer and referral cache to
dump-cache-on-stop: no a file when the server is stopped. If yes, the information is
saved to files in the top-level directory of the
cachednsadmin role.
If not defined, the default is no.
load-cache-on-start: <yes|no> Define whether to load saved cache file(s) into the cache
load-cache-on-start: no when the server starts. The file(s) must be located in the
top-level directory of the cachednsadmin role. To prevent
loading a tampered file, the files contain a checksum and
the server will not load a file if it has been modified.
If not defined, the default is no.
205
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
Note If the message or referral caches do not contain information, the saved cache file(s) are not created.
For example, if you start and then stop the server before it receives and caches queries, the file is not
created.
If load-cache-on-start: is yes, an error message is generated during the next server start
if the saved cache file(s) are not present; however, the server continues to start.
Examples:
preload-zone: yahoo.com A
preload-zone: yahoo.com AAAA
preload-zone: google.com A
preload-zone: google.com AAAA
preload-zone: amazon.com A
preload-zone: amazon.com AAAA
Example:
prefetch: yes
206
Chapter 5. Managing Secure64 DNS Cache
About RTQM
RTQM is a feature that you enable as needed to monitor incoming DNS queries. By default,
RTQM is not started or running on the Secure64 DNS Cache server, and users assigned to the
cachednsadmin role have the ability to start and stop RTQM
After RTQM is started, it begins collecting query information and stores the information in
memory. This allows you to quickly obtain data about the queries via the command line.
The amount of query information retained by RTQM is based on the amount of memory
allocated when it is started. By default, the system allocates 128 MB of memory, and you can
specify more or less memory when you start RTQM. Note that each megabyte of memory
captures information for about 10,000 queries.
If RTQM reaches the limits of the allocated memory as it collects query information, it discards
information about the oldest queries as needed to allow for incoming queries. This ensures that
the monitoring data pertains to the most recent queries and that the allocated memory is not
exceeded.
207
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
Note If the system cannot allocate the requested amount of memory when you attempt to start RTQM, the
message “Error starting realtime query-monitoring: out of memory”
displays at the command line and the following syslog message is generated:
[APPLICATION:RTQM] ERROR: out of memory
To stop RTQM:
1. Log into Secure64 DNS Cache with a user account assigned to the cachednsadmin role.
2. At the view prompt, type enable cachednsadmin and press ENTER to enable the
cachednsadmin mode.
3. Type stop rtqm and press ENTER.
where:
N is the maximum number of queriers to report, from 1 to 1000 (if there are more
queriers than the defined limit, the top N are reported)
T is the number of minutes of capture history to report on (minimum value of 1),
starting from the end of the capture (if T is not specified, history is reported for the
last 1 minute of data)
clients or domains indicates whether to report the top queries by requesting client
IP address (clients) or the domain queried for (domains)
208
Chapter 5. Managing Secure64 DNS Cache
Explanatory Examples:
• show rtqm 100 clients - displays the top 100 clients over the past 1 minute
• show rtqm 100/5 clients - displays the top 100 clients over the last 5 minutes
• show rtqm 5/60 domains - displays the top 5 queried-for domains over the last hour
Note For illustration purposes, clients 3-99 are not displayed in the example above
209
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
Reported Data
The real time query monitoring command show rtqm <N>/[T] <clients|domains>
displays the following information:
• Heading line:
— Number of clients or domains reported
— If T was not specified, the time of the oldest recorded query
If T was specified, the newer of the time T minutes in the past or the first recorded
query
— Ending time period of the reported data
— Total number of queries captured
— Average number of queries per second over the reported data
• Client/domain information lines (one line per client/domain):
— Rank
— IP address of client or domain name queried for
— Number of queries from the client or for the domain
— Percentage of the total number of queries from the client or for the domain
210
Chapter 5. Managing Secure64 DNS Cache
Note A Secure64 proprietary format for log files (set by the logging-file-pcap: no attribute in
cache.conf) was in affect prior to the pcap implementation.The standard pcap format is now
recommended, as support for the proprietary format may be phased out in future releases. The multi-
instance behavior and directory/file structure operate in the same manner for both file formats.
Note TCP queries are not distributed across processors. All TCP queries are handled by resolver instance 1.
As a result, all TCP logging is done to query log file 1.
211
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
Example:
/query_logging_1
logfile1_00000000.pcap
logfile1_00000001.pcap
logfile1_00000002.pcap
/query_logging_2
logfile2_00000000.pcap
logfile2_00000001.pcap
logfile2_00000002.pcap
• Use configuration options (described in Table 34 on page 213) to control the amount
of hard disk space consumed by the query log files:
— The configured log file size (logging-file-size:) applies to each individual log
file.
— The configured number of log files per directory (logging-file-num:) applies to
each individual query logging directory.
— The server log file automatically rolls to the next file when the logging file size is
reached. Because the log data can differ on a per-instance basis, the log files for
each instance may roll at different times in a multi-instance resolver environment.
• To help you identify the amount of hard disk space allocated for different types of log
files, the start cachedns command displays the total disk space allocated for
NXDOMAIN redirection logging, local zone logging, and query logging. The server
makes use of the allocation(s) for only the specific logging features you have enabled.
Example:
[cachednsadmin@Secure64DNS]# start cachedns
Starting cachedns
cache.conf:18: config parser: 0 errors, 0 warnings
Reading configuration file.
212
Chapter 5. Managing Secure64 DNS Cache
Attribute: Value
Example(s) Description
logging-file-pcap: <yes|no> Specify whether to save log data in standard pcap format
logging-file-pcap: yes (yes) or the Secure64 proprietary format (no). The pcap
format is recommended, as support for the proprietary
format may be phased out in future releases.
If not defined, the default is yes.
logging-file-num: <number> Specify the maximum number of logging files that should
logging-file-num: 10 exist at any one time within each query logging directory;
acceptable values are 1-128.
If undefined and a logging flag is set to yes, the default is
10 files per directory.
logging-file-size: <bytes> Specify the maximum size of each log file, in bytes.
logging-file-size: 1000000000 If undefined and a logging flag is set to yes, the default is
(1024*1024*1024 or 1,073,741,824 bytes)
logging-flag-query-recv: <yes|no> Specify whether to log queries received from clients.
logging-flag-query-recv: no If undefined, the default is no.
logging-flag-query-resp: <yes|no> Specify whether to log responses sent to clients.
logging-flag-query-resp: no If undefined, the default is no.
logging-flag-resolv-query: <yes|no> Specify whether to log resolver queries to authoritative
logging-flag-resolv-query: no servers.
If undefined, the default is no.
logging-flag-resolv-resp: <yes|no> Specify whether to log responses from authoritative
logging-flag-resolv-resp: no servers.
If undefined, the default is no.
logging-file-write-immediate: <yes|no> Specify whether to write query log entries immediately
logging-file-write-immediate: no instead of buffering them. Setting the attribute to yes can
reduce performance.
If undefined, the default is no.
213
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
Note A new log file is started each time the server is started even if all logging flags are set to ‘no.’ This
allows for changing the logging flags during a cachedns reload operation. Initially, the file contains
only header information.
To copy the files to another system, use the scp command as follows:
scp [-P <port>] <user>@<host>:/cachednsadmin/query_logging_<instance>/<logfiles>
<destination>
where:
-P <port> is the optional destination port
<user> is the Secure64 DNS Cache user account with cachednsadmin privileges
<host> is the Secure64 DNS Cache server IPv4 address, [IPv6 address] in square
brackets, or hostname
<instance> is the resolver instance number
<logfiles> are the files to copy
<destination> is the location to copy the file(s) to
Note If you attempt to copy a log file that is active, errors may occur when attempting to open the file in a
pcap-compatible application. To ensure log files are closed, stop the server prior to executing the scp
command or temporarily set the logging-file-write-immediate: yes attribute,
issue the cachedns reload command, then reverse the process after you have copied the file.
214
Chapter 5. Managing Secure64 DNS Cache
Note For detailed descriptions of the items displayed by the show cachedns info command, refer to Table 35
on page 219.
215
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
The default version of the show cachedns info command allows you to obtain a summary of
statistics for the server overall since the last time the server was started.
• If you have not configured views and the server is using a single resolver instance, the
summary version is the only version that applies to your operations.
• If you have configured views or are using multiple resolver instances, the summary
version of the command includes all views and instances. You can use other versions of
the command (described in the following sections) to break down information by view,
instance, or both.
Example:
[cachednsadmin@Secure64DNS]# show cachedns info
====== requested operation =====
Reporting statistics for : all instances
Statistics collected on : Mon Nov 11 10:52:05 MST 2013
Statistics collection start time: Mon Nov 11 10:48:41 MST 2013
< 64 ms : 20
64 - 127 ms : 0
128 - 255 ms : 0
256 - 511 ms : 0
512 - 1023 ms : 0
1024 - 2047 ms : 0
2048 - 4095 ms : 0
> 4095 ms : 0
216
Chapter 5. Managing Secure64 DNS Cache
== defensive stats ==
scrubbed rrsets : 1
acl denied requests : 0
acl refused requests : 0
dns 0x20 mismatches : 0
transaction id mismatches : 0
dropped type ANY queries : 0
dropped type MX queries : 0
217
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
218
Chapter 5. Managing Secure64 DNS Cache
Information Displayed
The data that displays for the show cachedns info command is described in Table 35. Because
not all data applies to all forms of the command, the data that displays is based on the command
options you specify.
As noted in the Context column:
• All - data displays for all forms of the command
• Summary - data displays for show cachedns info
• View - data displays for show cachedns info view <viewname>
• Instance - data displays for show cachedns info <instance>
• View/Instance - data displays for show cachedns info view <viewname>
<instance>
219
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
220
Chapter 5. Managing Secure64 DNS Cache
filtered aaaa on v4 Number of AAAA answers filtered from IPv4 queries. For more information
All
answers about filtering AAAA responses, see IPv4 Filtering on page 152.
Number of NXDOMAIN (non-existent domain) answers. This number
should be a small percentage of the overall number of queries. A high
number of NXDOMAIN answers can indicate a misconfiguration or a
NXDOMAIN answers All
possible attack. Note that the counter continues to function even when
NXDOMAIN redirection is enabled. For more information about redirection,
see Redirecting NXDOMAIN Responses on page 156.
Number of SERVFAIL (server failure) answers. SERVFAIL responses can
SERVFAIL answers All occur when validation fails and the data is bogus or when a bad packet is
received.
Number of NXDOMAIN responses that are redirected by the attributes in
NXDOMAIN redirects All the cache.conf configuration file. For more information, see Redirecting
NXDOMAIN Responses on page 156.
resolver loops Number of resolver loops detected, which indicates that the resolution
All
detected process for a lookup is looping.
Number of lame delegations. This indicates name servers configured as
lame delegations All
authoritative for a zone that do not have authoritative data for the zone.
Number of failed validation attempts. Numerous failed validations can
failed validation
All indicate configuration issues with trust anchors, a DLV, or keys. It can also
attempts
indicate upstream trust or signing/key problems.
cachedns application stats
The time the server has been running since it was last started. This
cachedns uptime All
provides a timeframe for understanding the overall statistics.
number of cache entries
Summary
referral cache entries View Number of RRset cache entries
View/Instance
Summary
answer cache entries View Number of message cache entries
View/Instance
Summary
key cache entries View Number of key cache entries
View/Instance
Summary
infrastructure cache
View Number of infrastructure cache entries
entries
View/Instance
Summary
entries total View Number of total cache entries
View/Instance
memory usage breakdown
Summary
referral cache
View RRset cache size in kb
memory
View/Instance
Summary
answer cache
View Message cache size in kb
memory
View/Instance
Summary
key cache memory View Key cache size in kb
View/Instance
221
SECURE64 DNS CACHE 3.1
Chapter 5. Managing Secure64 DNS Cache
Summary
infrastructure cache
View Infrastructure cache size in kb
memory
View/Instance
Summary
negative cache
View Negative cache size in kb
memory
View/Instance
Total amount of memory allocated to recursive client queries configured for
Summary logical interfaces. Configuring a larger number of permitted client queries
udp context memory View requires more memory. For more information, see the num-
View/Instance recursive-clients configuration attribute as discussed in
Configuring Basic Server Attributes on page 96.
general purpose
Summary General purpose memory size in kb
memory
222
Chapter 6. Secure Configuration
Overview
Many security features are built into the Secure64 DNS Cache system. Operating system and
platform security, such as protection from protocol exploits and TCP SYN flood attacks, are
automatic and require no additional configuration or activation.
For UDP and TCP data flood attacks, Secure64 DNS Cache includes rules-based limits. The
system administrator (sysadmin role) configures rate limiting and DoS/DDoS mitigation.
A number of issues related to securing DNS are outside the scope of the name server software.
For your convenience, this chapter includes many of the security recommendations found in the
Secure Domain Name System (DNS) Deployment Guide published by the National Institute of
Standards and Technology, located at
http://csrc.nist.gov/publications/nistpubs/800-81r1/sp-800-81r1.pdf.
Use the following references to locate information in this chapter:
• For information about automatic security mechanisms, see Inherent Security on
page 224.
• For configuration instructions and information about DNS DDoS attack
mitigation, see Defending Against DNS DDoS Attacks on page 224.
• For configuration instructions and information about mitigating queries based on
query type, see DNS RRtype Filtering Rules on page 238
• For information and commands related to the Sensitive Data Protocol (SDP), see
Securing Sensitive Data on page 244.
223
SECURE64 DNS CACHE 3.1
Chapter 6. Secure Configuration
Inherent Security
The Secure64 DNS Cache platform is powered by the secure, high-performance Secure64
SourceT micro operating system. The micro OS is secure by design at the root to take full
advantage of the advanced security capabilities found only in the Intel Itanium processor. The
system utilizes the unique security and parallel performance characteristics of the processor,
and the OS is designed to be self-defending from various attacks.
In addition, the system includes detection and mitigation for protocol exploits and TCP SYN
flood attacks. Segregated roles and responsibilities, a secure console, and an SSH command-line
interface help defend against additional types of security threats and attacks.
Table 36 summarizes threat types and built-in mitigation methods. The following sections
provide additional information about security measures built into Secure64 DNS Cache.
224
Chapter 6. Secure Configuration
Note For details about built-in cache poisoning protections and setting up the cache.conf server configuration
file to protect against caching-related security exploits, refer to Configuring for Security on page 119,
Enabling DNSSEC-Validated Queries on page 128, and Advanced Security Configuration on page 172.
Threat Countermeasure
Automatic detection and mitigation via DNS packet inspection. See
Malformed DNS requests
DNS Packet Inspection below.
Automatic blacklisting, rules-based flood protection, and high-
performance system that can operate while under attack. See About
UDP packet flood attacks
UDP Data Flood Protection on page 226 and About Rate-Limiting
Rules on page 227.
Automatic blacklisting, rules-based flood protection, and high-
performance system that can operate while under attack. See About
TCP packet flood attacks
TCP Flood Protection on page 226 and About Rate-Limiting Rules on
page 227.
Rules-based DNS RRtype request filtering and high-performance
DNS query type request flood system that can operate while under attack. See DNS RRtype
Filtering Rules on page 238.
Restrict console connections. See Restricting Console Connections
Malicious host on same LAN as DNS client
on page 242.
225
SECURE64 DNS CACHE 3.1
Chapter 6. Secure Configuration
Note The mitigation system computes a running average of incoming traffic to compare to the traffic limits. A
running average makes use of data over time, which introduces a phase delay as the running
averages are calculated. This can cause a lag before the mitigation system begins blacklisting, which
means that the real-time traffic rate when blacklisting begins may be slightly higher than the limits.
• If the flood from the blacklisted IP address backs off, traffic is accepted after a timeout
period. This helps ensure that a spoofed IP address does not block a real user.
• Repeat offenses result in faster blacklisting than the first-time offense. The system
retains blacklisted IP addresses for a period of time, which is known as graylisting.
• If the configured aggregate UDP limit is reached, a rate-controller mechanism begins
probabilistically dropping packets in order to maintain the incoming rate at the
configured limit. This may result in some good traffic loss; however, the server can
remain available to a quantity of good traffic and to administrators for remediation and
recovery.
226
Chapter 6. Secure Configuration
• Administrators can configure the software to limit the number of TCP packets accepted
per second. This is an aggregate limit, regardless of the source IP address.
• Once an administrator configures the aggregate limit, Secure64 DNS automatically
invokes a packets-per-second limit, per source IP address. The per source IP address limit
can be customized.
• The system continuously compares the limits with the average packet rate, on both an
aggregate and a per-source-IP basis.
• Administrators can specify that trusted TCP traffic, such as an internal DNS caching
server, is not subject to the mitigation features.
• If an IP address surpasses the packets-per-second limit, the software issues a TCP reset
(RST) packet to block the specific attacker. (A RST is issued because blocking TCP traffic
based on IP address can incorrectly stop valid TCP traffic.)
• If the configured aggregate limit is reached, packets arriving in excess of the limit are
dropped.
227
SECURE64 DNS CACHE 3.1
Chapter 6. Secure Configuration
Component
Examples Description
name
A text string that provides a name for the rule. Do not use
udprule
spaces in the string.
tcprule
logical_expression Operators include:
udp.dstport == 22 > greater than
udp.port == 53 >= greater than or equal to
ip.addr == 192.168.127.63/16
< less than
ip.addr == 2001:db8:aaa:bbb:/64
icmp.type == 8 <= less than or equal to
tcp.dstport == 22 == equal to
tcp.port != not equal to
ip.addr == 10.20.0.220/24 && tcp.port == 53 && and
|| or
Variables include :
eth.type Payload indicator in the Ethernet header
icmp.type ICMP type (number)
ip.addr IPv4 or IPv6 address/prefix (CIDR notation)
ip.srcaddr IPv4 or IPv6 source address/prefix (CIDR
notation)
ip.dstaddr IPv4 or IPv6 destination address/prefix (CIDR
notation)
ip.proto The IP protocol number in the IP header
describing the payload of the IP packet
tcp.port incoming (destination) TCP port or remote host
(originating) TCP port
tcp.dstport incoming TCP (destination) port
tcp.srcport outgoing TCP (source) port
udp.port incoming (destination) UDP port or remote host
(originating) UDP port
udp.dstport incoming UDP (destination) port
udp.srcport outgoing UDP (source) port
action [value][/per_IP_value] limit <value>[/per_IP_value] for <value>, define a
limit 100 limit for the number of incoming kilopackets per second (UDP
limit 5/1024 and TCP); for [per_IP_value], define a limit for the number of
estblimit 8 incoming packets per second for each unique source IP
drop address, if undefined the per_IP_value is 4096
pass estblimit <value> define a limit for the number of
established connections per minute (TCP)
drop drop traffic from a specific IP address (UDP and TCP)
pass allow all traffic from a specific IP address (TCP, trusted
UDP)
228
Chapter 6. Secure Configuration
Example Description
rule udptraffic udp.dstport == 53 : limit 10 Creates the rule named
udptraffic that limits
the aggregate incoming
traffic on UDP port 53 to 10
kilopackets (10 x 1024) per
second
rule udptraffic udp.dstport == 53 : limit 100/1024 Creates the rule named
udptraffic that limits
the aggregate incoming
traffic on UDP port 53 to 100
kilopackets (100 x 1024) per
second and incoming traffic
for each unique IP address
to 1024 packets per second
rule block ip.addr == 2001:db8:aaaa::/48 : drop Creates the rule named
block that drops all
incoming UDP/TCP traffic
from IP address block
2001:db8:aaaa::/48
rule SSHLIMIT tcp.dstport == 22 : estblimit 8 Creates the rule named
SSHLIMIT that limits the
number of established TCP
connections on TCP port 22
(the default SSH port) to 8
per minute
rule IPv4PINGBLOCK icmp.type == 8 : drop Blocks IPv4 ICMP Echo
(ping) requests
rule IPv6PINGBLOCK icmp.type == 128 : drop Blocks IPv6 ICMP Echo
(ping) requests
229
SECURE64 DNS CACHE 3.1
Chapter 6. Secure Configuration
Note To retain rule configuration changes, issue the activate and save commands. When the configuration
changes are activated, the system resets the accumulated mitigation state. Any blacklisted or
graylisted hosts are cleared, but they will retrigger their status if attacks continue. In addition, syslog
messages and SNMP traps are reset.
Note The above is an example only. You can attach more than three rules to an interface.
Examples:
• In the following example, all traffic from IP address 10.1.1.54/32 is passed with no port
restriction, while traffic to port 53 from any other IP address is rate limited:
rule MAILWHITE ip.addr == 10.1.1.54/32 : pass
rule UDPLIMIT udp.dstport == 53 : limit 100
attach eth0 MAILWHITE UDPLIMIT
230
Chapter 6. Secure Configuration
• If the rules are attached in reverse order, the system applies the first rule that matches and
any remaining rules are not applied. As a result, all traffic to port 53, including traffic
from 10.1.1.54/32, is rate limited:
attach eth0 UDPLIMIT MAILWHITE
• If the order of the expressions is reversed, then 192.168.1.0/24 is rate limited, but all
other traffic is blocked. This occurs for all other traffic because the first expression
(udp.dstport == 53) matches, but the subsequent expression (ip.addr ==
192.168.1.0/24) does not.
rule LIMIT udp.dstport == 53 : limit 5 && ip.addr == 192.168.1.0/24
231
SECURE64 DNS CACHE 3.1
Chapter 6. Secure Configuration
Default Rules
To provide initial security and attack mitigation for the console and DNS interfaces you have
configured, Secure64 DNS Cache provides default rules to limit UDP, TCP, and SSH attack
traffic. Attaching Mitigation Rules to Console and DNS Interfaces on page 79 describes how to attach
the default rules to the Secure64 DNS Cache interfaces.
For reference, the format of the default rules are:
rule LOGINLIM tcp.dstport == 22 : estblimit 8
rule TCPXFERLIM tcp.dstport == 53 : limit 10/4096
rule UDPQUERYLIM udp.dstport == 53 : limit 90/4096
After initial configuration and testing is complete, you can remove the default rules and create
and attach new rules based on your system’s configuration and architecture. For details about
removing rules, see the following section. More information about creating rules for UDP and
TCP rate limiting is provided in Configuring UDP Rate Limit or Drop Rules on page 234 and
Configuring TCP Rules for SSH and DNS Traffic on page 236.
! WARNING Disabling rule actions requires administrators to carefully monitor activity and determine whether
to take action, rather than using the built-in mitigation features of Secure64 DNS Cache.
Disablling rule actions affects all rules and is not recommend for production use.
In addition, reporting and logging details will not reflect mitigation activity, such as automatic
blacklisting discussed in About Data Flood Protection Mechanisms on page 226, that would
occur if the rule actions were enabled.
Example:
[sysadmin@Secure64DNS]# ruleactions off
Rule actions disabled.
Pending configuration changed.
232
Chapter 6. Secure Configuration
• After typing activate and save to make the configuration changes effective, type show
config and press ENTER. The server configuration information should display “rule
actions enabled.”
Removing a Rule
To remove a rule, you must first unattach any interfaces linked to the rule.
Example:
[sysadmin@Secure64DNS]# no attach eth3:43.2
Pending configuration changed
Note The no attach command removes ALL rules from the defined interface. You must use the
attach command to reattach the rules you want to retain, if any, and attach them in the order you want
them applied.
Example:
[sysadmin@Secure64DNS]# no rule mytest2
Rule mytest2 removed
233
SECURE64 DNS CACHE 3.1
Chapter 6. Secure Configuration
Note To retain rule configuration changes, issue the activate and save commands. When the configuration
changes are activated, the system resets the accumulated mitigation state. Any blacklisted or
graylisted hosts are cleared, but they will retrigger their status if attacks continue. In addition, syslog
messages and SNMP traps are reset.
In addition to an aggregate limit, you can also define a limit per source IP address. If you do not
define a custom per-IP address limit, the server defaults to limiting each IP address to 4096
incoming packets per second.
where <name> is the name of the rule, <value> is the aggregate limit in kilopackets
per second, and [per_IP_value] is the optional custom per source IP limit in packets
per second.
Example:
[sysadmin@Secure64DNS]# rule mytest udp.dstport == 53 : limit 100/
2048
Rule mytest added
2. To attach the rule to the interface(s) configured for DNS traffic, type the following
command and press ENTER:
attach <interface> <name>
234
Chapter 6. Secure Configuration
You can use other information about your server’s traffic to customize its rule set. For example, if
a specific IP range identifies a known attacker, you can use the drop action to ignore all traffic
originating from it.
235
SECURE64 DNS CACHE 3.1
Chapter 6. Secure Configuration
Note If you are in the process of creating multiple rules for your DNS interface(s), wait to use the attach,
activate, and save commands until you have created all necessary rules. You can then attach
the rules in the order you want them applied. See Understanding Rule Attachment, Multiple Rules, and
Compound Rules on page 230 for more information.
Note To retain rule configuration changes, issue the activate and save commands. When the configuration
changes are activated, the system resets the accumulated mitigation state. Any blacklisted or
graylisted hosts are cleared, but they will retrigger their status if attacks continue. In addition, syslog
messages and SNMP traps are reset.
You can establish rules to limit the number of established TCP connections for DNS and SSH
traffic on a per-port basis. You can also configure rules to allow the traffic to pass without
limits for trusted internal traffic. To prevent DDoS attacks on TCP ports used for SSH and
DNS traffic:
• Configure a rule to limit the number of established TCP connections per minute on
SSH port 22 (or an alternate port if configured); this prevents a host attacking on port
(trying to repeatedly connect) from blocking out a valid host on the same port
• Configure a rule to limit the number of incoming TCP packets per second on DNS
port 53 (or alternate port if configured)
• If you want to allow all TCP traffic to pass, you can configure a pass rule
• Attach SSH rules to any interfaces used for console connections (see Adding and
Removing Console Interfaces on page 281 and Restricting Console Connections on page 242)
• Attach the DNS rule(s) to the interfaces used for DNS traffic (see Adding and Removing
IP Addresses for Interfaces on page 276)
To create a rule that limits the number of established connections on TCP port 22
(SSH):
• At the sysadmin prompt, type the following command and press ENTER:
rule <name> tcp.dstport == 22 : estblimit <value>
where <name> is the name of the rule and <value> is the number of established
connections.
Example:
[sysadmin@Secure64DNS]# rule SSH tcp.dstport == 22 : estblimit 8
Rule SSH added
236
Chapter 6. Secure Configuration
To create a rule that limits the number of incoming packets per second on a specific TCP
port, such as DNS port 53:
• At the sysadmin prompt, type the following command and press ENTER:
rule <name> tcp.dstport == <port_number> : <value>[/per_IP_value]
where <name> is the name of the rule, <port_number> is the TCP port, <value> is
the aggregate limit in kilopackets per second, and [per_IP_value] is the optional
custom per source IP limit in packets per second
Example:
[sysadmin@Secure64DNS]# rule DNS tcp.dstport == 53 : limit 10
Rule DNS added
To create rules that allow internal traffic to bypass incoming TCP packet limits:
• At the sysadmin prompt, type the following command and press ENTER:
rule <name> ip.addr == <internalIP> && tcp.port == 53 : pass
where <name> is the name of the rule <internalIP> is the IP address/prefix of the
internal, trusted server
Note If you are in the process of creating multiple rules for your DNS interface(s), wait to use the attach,
activate, and save commands until you have created all necessary rules. You can then attach the
rules in the order you want them applied. See Understanding Rule Attachment, Multiple Rules, and
Compound Rules on page 230 for more information.
237
SECURE64 DNS CACHE 3.1
Chapter 6. Secure Configuration
Note The mitigation system computes a running average of incoming traffic to compare to the traffic limits. A
running average makes use of data over time, which introduces a phase delay as the running
averages are calculated. This can cause a lag before the mitigation system begins blacklisting, which
means that the real-time traffic rate when blacklisting begins may be slightly higher than the limits.
• If the flood from the blacklisted IP address backs off, traffic is accepted after a timeout
period. This helps ensure that a spoofed IP address does not block a real user.
• Repeat offenses result in faster blacklisting than the first-time offense. The system
retains blacklisted IP addresses for a period of time, which is known as graylisting.
• If the configured aggregate query limit is reached, a rate-controller mechanism begins
probabilistically dropping queries in order to maintain the incoming rate at the
configured limit. This may result in some good traffic loss; however, the server can
remain available to a quantity of good traffic and to administrators for remediation and
recovery.
238
Chapter 6. Secure Configuration
Note To retain rule configuration changes, issue the activate and save commands. When the configuration
changes are activated, the system resets the accumulated mitigation state. Any blacklisted or graylisted
hosts are cleared, but they will retrigger their status if attacks continue. In addition, syslog messages and
SNMP traps are reset.
You can establish rules to drop or limit specific DNS RRtype queries received by the Secure64
DNS Cache server. You can also configure rules to allow specific DNS RRtype queries to pass
without limits.
For DNS RRtype filtering, the rule command syntax is:
rule <name> dns.rrtype <operator> <RRtype> : <action>
where:
• <name> is a text string that provides a name for the rule (no spaces)
• <operator> is one of the following symbols:
= = (equal to)
!= (not equal to)
|| (or)
Note The additional operators described inTable 38 on page 228 are operable for RRtype filtering, but there
are not practical applications for their use.
• <RRtype> is the numeric code or alpha representation of the DNS query type
• <action> is one of the following parameters:
limit <value>[/per_IP_value]
For <value>, define an aggregate limit for the number of incoming queries per
second; for [per_IP_value], define a limit for the number of incoming queries per
second for each unique source IP address, if undefined the per_IP_value is 4096
drop
Drop traffic for a specific RRtype query
pass
Allow all traffic for a specific RRtype query
239
SECURE64 DNS CACHE 3.1
Chapter 6. Secure Configuration
Example Description
rule TXTlimit dns.rrtype == 16 : limit 4/100 Creates the rule named
TXTlimit that limits the
aggregate incoming queries
for RRtype 16 (TXT) to 4 x
1024 queries per second
and the per IP address limit
to 100 queries per second.
rule TSIGexempt dns.rrtype == TSIG : pass Creates the rule named
TSIGexempt that allows
all incoming TSIG queries
without mitigation.
rule ANYdrop dns.rrtype == ANY : drop Creates the rule named
ANYdrop that drops all
incoming ANY RRtype
queries.
rule TXTMX dns.rrtype == TXT || dns.rrtype == MX : drop Creates the rule named
TXTMX that drops all
incoming TXT or MX
RRtype queries.
Where <rule1>, [rule2], and [rule3] are the names of rules you have created.
Note The above is an example only. You can attach more than three RRtype filter rules to the server.
240
Chapter 6. Secure Configuration
Examples:
• In the following example, two RRtype rules are attached to the server. Based on the order,
the ANYdrop rule is examined first. If the incoming query does not match, the server
compares it to the TXTlimit rule.
rule ANYdrop dns.rrtype == ANY : drop
rule TXTlimit dns.rrtype == 16 : limit 4/100
attach dnsserver ANYdrop TXTlimit
Disabling Rules
Secure64 DNS Cache provides a mechanism to monitor logging and SNMP traps generated by
rules without enforcing the actions defined by the rules. For details, refer to Disabling Rule Actions
on page 232.
Example:
[sysadmin@Secure64DNS]# no attach dnsserver
Pending configuration changed
Note The no attach command removes ALL rules from the server. You must use the attach
command to reattach the rules you want to retain, if any, and attach them in the order you want them
applied.
Example:
[sysadmin@Secure64DNS]# no rule mytest2
Rule mytest2 removed
241
SECURE64 DNS CACHE 3.1
Chapter 6. Secure Configuration
Note If no restrictions are configured, all IP addresses are allowed to connect to the console by default.
Adding a Restriction
To limit the systems allowed to establish a connection with the console via SSH:
• At the sysadmin prompt, type the following command and press ENTER, where
<ipaddress> defines the IP address and [netmask] (optional) defines a netmask for
the console connection(s):
allow <ipv4 address> [ipv4 netmask]
or
allow <ipv6 address>[/<ipv6 prefix length>]
If an IPv4 netmask or IPv6 prefix length is not specified, only the system matching the
explicit IP address can connect to the console.
242
Chapter 6. Secure Configuration
Examples:
The following example allows systems with IPv4 addresses in the range 192.168.152.0
through 192.168.152.255 to establish connections to the console via SSH:
[sysadmin@Secure64DNS]# allow 192.168.152.0 255.255.255.0
Examples:
[sysadmin@Secure64DNS]# no allow 192.168.152.0
[sysadmin@Secure64DNS]# no allow 2001:db8:aaaa::/48
243
SECURE64 DNS CACHE 3.1
Chapter 6. Secure Configuration
Components
The components of SDP include:
• Protection key - A 128-bit AES encryption key automatically generated by the system.
A unique key is used for each subsystem.
• SDU - The data (Sensitive Data Unit) being secured. It must consist of an extended
ASCII set (EAS) string, and it is case sensitive.
Note Do not use the NUL character (EAS code 0) in the value of the SDU. To enter a non-printable EAS
character, use the convention \x<ascii-code> where <ascii-code> is the hexadecimal code for the
character.
• Subsystem - The Secure64 DNS server subsystem linked to the SDU. Options are
RADIUS or LDAP.
• Keyword - The keyword linked to the SDU, based on subsystem. It is not case
sensitive.
— RADIUS subsystem - The keyword is the value of the server: attribute in
radius.conf associated with the SDU. Multiple keywords are supported (one for
each RADIUS server defined).
— LDAP subsystem - The keyword is the string: bindpasswd
This is the only keyword supported or necessary. The ldap.conf configuration
uses a single bind password for multiple LDAP servers.
244
Chapter 6. Secure Configuration
Creating an SDU
To create an SDU:
• From the securityadmin role, execute:
sdu protect <subsystemID> <keyword> <SDU>
where
<subsystemID> is the related subsystem (RADIUS or LDAP)
<keyword> is the identifier linked to the SDU
— RADIUS subsystem - The value of the server: attribute in radius.conf
associated with the SDU. Multiple keywords are supported (one for each RADIUS
server defined).
— LDAP subsystem - The string: bindpasswd
This is the only keyword supported or necessary. The ldap.conf configuration uses
a single password for multiple LDAP servers.
<SDU> is the data to protect
Example:
[securityadmin@Secure64]# sdu protect RADIUS 192.168.127.1 mysecret
SDU created for keyword 192.168.127.1
245
SECURE64 DNS CACHE 3.1
Chapter 6. Secure Configuration
where the optional <subsystemID> limits the list to the defined subsystem (RADIUS or
LDAP)
Example:
[securityadmin@Secure64]# sdu list
RADIUS:
192.168.127.2
192.168.127.1
To display the plain text (unencrypted) content of an SDU associated with a specific
subsystem and keyword:
• From the securityadmin role, execute:
sdu reveal <subsystemID> <keyword>
where
<subsystemID> is the related subsystem (RADIUS or LDAP)
<keyword> is the identifier linked to the SDU
— RADIUS subsystem - The value of the server: attribute in radius.conf
associated with the SDU. Multiple keywords are supported (one for each RADIUS
server defined).
— LDAP subsystem - The string: bindpasswd
This is the only keyword supported or necessary. The ldap.conf configuration
uses a single password for multiple LDAP servers.
Example:
[securityadmin@Secure64]# sdu reveal RADIUS 192.168.127.1
SDU is mysecret
246
Chapter 6. Secure Configuration
Replacing an SDU
where
<subsystemID> is the related subsystem (RADIUS or LDAP)
<keyword> is the identifier linked to the SDU
— RADIUS subsystem - The value of the server: attribute in radius.conf
associated with the SDU. Multiple keywords are supported (one for each RADIUS
server defined).
— LDAP subsystem - The string: bindpasswd
This is the only keyword supported or necessary. The ldap.conf configuration uses
a single password for multiple LDAP servers.
<SDU> is the new SDU data
Example:
[securityadmin@Secure64]# sdu replace RADIUS 192.168.127.1 newsecret
Deleting an SDU
where
<subsystemID> is the related subsystem (RADIUS or LDAP)
<keyword> is the identifier linked to the SDU
— RADIUS subsystem - The value of the server: attribute in radius.conf
associated with the SDU. Multiple keywords are supported (one for each RADIUS
server defined).
— LDAP subsystem - The string: bindpasswd
This is the only keyword supported or necessary. The ldap.conf configuration uses
a single password for multiple LDAP servers.
247
SECURE64 DNS CACHE 3.1
Chapter 6. Secure Configuration
Example:
[securityadmin@Secure64]# sdu delete RADIUS 192.168.127.2
SDU deleted for keyword 192.168.127.2
! WARNING Executing this command removes all content in the SDP. This action cannot be reversed.
Example:
[securityadmin@Secure64]# sdu reset
248
Chapter 6. Secure Configuration
249
SECURE64 DNS CACHE 3.1
Chapter 6. Secure Configuration
250
Chapter 7. System Administration
251
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Note If you are configuring your machine for the first time, see Chapter 2. Getting Started on page 59.
There are three forms for the route command: standard default gateway routes, other routes,
and IPv6 link local default gateway routes.
For standard default gateway routes and other routes, the command syntax is:
route default <ipv4_or_ipv6_gateway>
or
route net <ipv4 address> <ipv4 netmask> <gateway>
or
route net <ipv6 address>/<prefix length> <gateway>
The Secure64 DNS Cache software does not allow addition of a route that conflicts with the subnet of
a configured interface.
If you are using BGP, you must stop and start the BGP service if static routes are added or deleted.
See Stopping and Starting BGP on page 320 for more information.
For IPv6 link local default gateway routes, the command syntax is:
route default <IPv6_linklocal>%<interface>
where <IPv6_linklocal> is an IPv6 link local address and <interface> is the
interface to use.
Note The IPV6 link local address cannot be the ::1 loopback address. The interface must be configured with
a valid IPv6 address.
252
Chapter 7. System Administration
Example:
[sysadmin@Secure64DNS]# route default 10.0.0.1
Pending configuration changed.
Example:
[sysadmin@Secure64DNS]# route net 192.168.255.0 255.255.255.0 10.1.2.3
Pending configuration changed.
253
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Example:
[sysadmin@Secure64DNS]# route default fe80::2c0:9fff:fe05:2327%eth1
Pending configuration changed.
Note You can use the show interfaces command to display the IPv6 link local address for the
configured interfaces.
Deleting a Route
• Use the no form of the command.
Examples:
[sysadmin@Secure64DNS]# no route default 10.0.0.1
Pending configuration changed.
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration changes, type reboot.
254
Chapter 7. System Administration
Note Outbound TCP and UDP traffic originating from Secure64 DNS Cache always uses standard IP route
and ARP lookups.
Symmetrical Routing
With symmetrical routing, responses to in-bound requests are automatically sent back to the
neighboring router that sent in the request. For example, if a DNS query comes in on eth0 with a
specific source Ethernet address, the reply goes out the same interface to the Ethernet address of
the query source. Symmetrical routing does not perform route look ups.
Advantages of symmetrical routing include:
• Lower memory usage by the internal routing table
• Reduced CPU utilization by removing the per packet IP route lookup
• Easier management because only routes for outbound connections need to be configured
or learned via BGP
The disadvantage of symmetrical routing is a sub-optimal response path, in the rare case that the
optimal path for the out-bound response differs from the optimal path for its in-bound request.
To configure symmetrical routing:
• Enter the following command at the sysadmin prompt:
route sym
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
255
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Asymmetrical Routing
With asymmetrical routing, every packet sent by Secure64 DNS involves an IP route and ARP
table lookup before transmission. Advantages of asymmetrical routing include:
• All IP packets are sent to their destination via the optimal path
• TCP connections are maintained across route table changes
Disadvantages of asymmetrical routing include potentially more manual configuration of routes
and increased CPU/memory use for per packet IP route and ARP lookups.
Note You can use BGP to update routing tables. For more information, see Chapter 8. Enabling BGP for
Anycast on page 303.
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
256
Chapter 7. System Administration
Example:
[sysadmin@Secure64]# ip frag timeout 10
Pending configuration changed.
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
Example:
[sysadmin@Secure64]# nullchecksums allow
UDP checksum processing disabled (NULL checksums are allowed).
Pending configuration changed.
257
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Example:
[sysadmin@Secure64]# nullchecksums disallow
UDP checksum processing enabled (NULL checksums are disallowed).
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
Configuring a Nodename
To specify the name that appears in the system prompt and in syslog messages:
• At the sysadmin prompt, type the following command and press ENTER, where
<name> is the identifier of the Secure64 DNS Cache name server:
nodename <name>
The new nodename is not reflected in the system prompt until you enter activate to
invoke the change.
Example:
[sysadmin@Secure64DNS]# nodename MyServer
Nodename set to MyServer
Pending configuration changed
[sysadmin@Secure64DNS]# activate
Running configuration changed
[sysadmin@MyServer]# save
running configuration successfully saved
The default nodename (Secure64DNS) is not reflected in the system prompt until you enter
activate to invoke the change.
258
Chapter 7. System Administration
Example:
[sysadmin@MyServer]# no nodename MyServer
nodename set to Secure64DNS
[sysadmin@MyServer]# activate
Running configuration changed
[sysadmin@Secure64DNS]# save
running configuration successfully saved
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
Note When you specify multiple name servers, Secure64 DNS Cache uses them according to the order listed
in the system configuration. To see the currently running configuration, enter show config. To see
the currently saved configuration, enter show saved.
To specify name servers for address resolution for Secure64 DNS Cache:
• At the sysadmin prompt, type the following command and press ENTER, where 0|1|2
defines one of the three name servers <ipaddress> is the corresponding IPv4 or IPv6
address, and [timeout] is the number of seconds to wait to retry a name server:
nameserver <0|1|2> <ipaddress> [timeout]
Example:
[sysadmin@Secure64DNS]# nameserver 1 192.168.127.11 20
Pending configuration changed.
[sysadmin@Secure64DNS]# nameserver 2 2001:db8::1 10
Pending configuration changed.
259
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
Where <spec> is the designation for the desired <timezone> or the <region>/
<timezone>.
Example:
[sysadmin@Secure64DNS]# tz MST
Example:
[sysadmin@Secure64DNS]# no tz MST7MDT
timezone set to GMT
260
Chapter 7. System Administration
Example:
tz Chile
Chile time zones:
EasterIsland Continental
Example:
tz Chile/EasterIsland
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
Note To ensure that the date and time is synchronized with other systems, configure up to five NTP servers for
the Secure64 DNS Cache server. For more information, see Managing NTP Servers on page 263. The
NTP server synchronization overrides changes made using the date command.
Where MMDDhhmmYYYY is the month (01-12), day of the month (01-31), hour (00-23),
minute (00-59) and four-digit year.
261
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Example:
[sysadmin@Secure64]# date
Thu Sep 15 14:40:22 GMT 2011
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
262
Chapter 7. System Administration
For unauthenticated NTP servers, do not specify a server that you think might be compromised, or over
which you do not have control. The ideal server is a server on an internal network that can be fixed if
broken or attacked.
The Secure64 DNS Cache name server does not respond to NTP time broadcasts.
263
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
If the NTP server you are configuring does not support authentication, use the following
procedures for configuration.
! WARNING Using an NTP server without authentication is strongly discouraged. Authentication prevents NTP
server messages from being spoofed.
Note If you have configured two or more Secure64 DNS Cache IP addresses on the same subnet, define a
source IP address when you need to designate a specific IP address for NTP traffic, for example, to
allow traffic through a firewall.
2. For redundancy, you can configure up to five NTP servers. Repeat the command for
each NTP server you want to define.
Example:
[sysadmin@Secure64DNS]# ntp 10.0.0.1 192.168.127.175
Added NTP server 10.0.0.1
Pending configuration changed.
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
264
Chapter 7. System Administration
Where:
— <keynum> is the NTP key number (between 1 and 4,294,967,295)
— <method> is M, for the MD5 hashing method
— <secret> is the shared secret string (1-8 characters, case sensitive)
3. To activate the NTP authentication key, type activate and press ENTER.
4. To save the NTP authentication key, type save and press ENTER.
5. At the sysadmin prompt, type the following command and press ENTER:
ntp <host> <keynum> [source_ipaddress]
Where:
— <host> is the IPv4/IPv6 address or hostname of the NTP server
— <keynum> is the unique NTP key number shared with the NTP server
— [source_ipaddress] is the optional source IPv4/IPv6 address
Note If you have configured two or more Secure64 DNS Cache IP addresses on the same subnet, define a
source IP address when you need to designate a specific IP address for NTP traffic, for example, to allow
traffic through a firewall.
6. For redundancy, you can configure up to five NTP servers. Repeat the command for each
NTP server you want to define.
265
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Example:
[sysadmin@Secure64]# ntpkey 204 M ctPq8iU
NTP key #204 added to pending configuration
[sysadmin@Secure64]# activate
Running configuration changed
[sysadmin@Secure64]# save
Running configuration successfully saved.
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
Example:
[sysadmin@Secure64]# show ntp keys
204 M ctPq8iU
Example:
[sysadmin@Secure64]# no ntpkey 204
NTP authentication key 204 marked for removal (pending activation)
266
Chapter 7. System Administration
Example:
[sysadmin@Secure64DNS]# show ntp
remote refid st when poll reach delay offset
================================================================
*192.168.127.1 72.232.254.202 3 1540 3600 1 0 3
209.114.111.1 132.163.4.102 2 1582 3600 1 0 3
Table 42 describes the items and values in the show ntp command output::
Item Description
The remote server name or address, truncated to a maximum of 15 characters. The asterisk to the left of
remote
the remote server indicates that the NTP subsystem is using the server for synchronization attempts.
The server reference identifier, as described in RFC 4330. If the refid shows as “.ERR,” there is a problem
refid setting up the session to the remote server. This can occur if the server name cannot be resolved or if the
server is valid but does not respond to the NTP query.
The NTP stratum of the server. Stratum 1 servers are "primary references" connected to a precision
st hardware clock source. Stratum 2 servers get their time from stratum 1 servers, stratum 3 from stratum 2
servers, and so on.
when The number of seconds since the last successful contact with the NTP server.
poll The synchronization polling interval to the NTP server, in seconds.
An 8-bit shift register. For every successful NTP server contact, the register is left-shifted one bit and the
least significant bit is set to 1. This register displays in base 8 (octal) for a quick overview of the
reach reachability of the NTP server over the last eight attempts. The value 001 indicates the most recent
attempt was answered, while 357 indicates one attempt was not answered. The value 377 indicates all
recent attempts have been answered.
delay The network transmission delay to the NTP server, in seconds.
offset The last adjustment made to the client clock, in seconds.
267
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Note The ntpdate command does not set the local clock and requires the NTP server you are querying
to be configured as an NTP server in Secure64 DNS Cache.
2. To check the server status, type the following command and press ENTER:
show ntp
Note For a description of the show ntp command output, see Displaying NTP Server Information on
page 267.
Example:
[sysadmin@Secure64DNS]# no ntp 192.168.127.99
NTP server 192.168.127.99 removed
Pending configuration changed.
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
268
Chapter 7. System Administration
Note Secure64 DNS Cache supports up to four syslog servers. Configuring at least one syslog server
is strongly recommended. Certain actionable error messages that may not be available at the
command line are sent to syslog.
In addition to writing messages to the syslog server(s), Secure64 DNS Cache writes a portion of
the syslog messages to a local file. The sysadmin role can define the size of the file using the
loglevel command as described below. The file is created whether or not a syslog server is
configured. To view the contents of the local log file, see Displaying and Exporting the Local Log File
on page 274.
Note Ensure that the syslog server(s) will accept messages from remote systems. For example, on Linux,
syslogd is not configured by default to accept syslog entries from remote systems. You can set up the
syslog server on another subnet. To do so, you also need to configure the appropriate routing for
Secure64 DNS Cache to locate the syslog server. For more information, see Configuring the Default
Gateway and Other Routes on page 252.
269
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Note If you have configured two or more Secure64 DNS Cache IP addresses on the same subnet, define a
source IP address when you need to designate a specific IP address for syslog traffic, for example, to
allow traffic through a firewall.
When source is specified, if server is an IP address, source must be in the same IPv4 or
IPv6 family; if server is a host name, name resolution will query for an address of the same type
(IPv4 or IPv6) as the source. If source is not specified and server is a host name, name
resolution will query for an IPv4 (A) record, and then and IPv6 (AAAA) record.
Examples:
[sysadmin@Secure64DNS]# syslog 2001:db8::1
Syslog server[0]: 2001:db8::1
2. To define the syslog level, type the command below and press ENTER, where
<level> is the level of messages sent to the syslog server(s) as defined in Table 43 and
[entries] is the number of syslog entries to store in the local log file, from 50-10,000.
Setting [entries] to 0 disables the local log file.
loglevel <level> [entries]
270
Chapter 7. System Administration
Note The log level value you define includes all levels numerically less than the value specified. For example,
if you define level 6, the system logs levels 0 through 6. The higher the log level, the more messages that
are sent and logged
Defining a log level of 7 (LOG_DEBUG) will noticeably affect performance due to the large volume of
messages sent to syslog. Enable log level 7 only for as long as needed to capture debug information.
Example:
[sysadmin@Secure64DNS]# loglevel 7 50
Pending configuration changed
3. To define a syslog logging facility for Secure64 DNS Cache to correspond to the syslog
server configuration, type the following command and press ENTER, where
log_local# is log_local0 – log_local7 or 0-7:
logfacility <log_local#>
Example:
[sysadmin@Secure64DNS]# logfacility log_local7
Pending configuration changed.
[sysadmin@Secure64DNS]# logfacility 4
Pending configuration changed.
Note If logfacility is not defined or you use the no logfacility <log_local#> command to
remove a configured log facility, Secure64 DNS Cache logs to the system daemon facility.
271
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Example:
[sysadmin@Secure64]# logfacility
Syslog log facility is LOG_DAEMON (default)
Example:
[sysadmin@Secure64DNS]# no syslog 192.168.127.99
Syslog server 192.168.127.99 removed
Pending configuration changed.
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration change, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
272
Chapter 7. System Administration
Example:
[sysadmin@Secure64]# logmsg 4 this is a test
syslog message sent
To display information about all active syslog servers, including run state, host address,
current log level, and facility settings:
• At any prompt, type the following command and press ENTER:
show syslog status
Example:
[sysadmin@Secure64]# show syslog status
Level 7, Facility Default (System Daemon)
Running 2001:db8::1
Idle denverbranch (Unresolved)
273
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
274
Chapter 7. System Administration
Examples:
[sysadmin@Secure64]# export syslog tester@192.168.127.99:mysyslog
Syslog file transfer successful.
275
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Note If you are adding an administration console, you must also invoke the console command. See
Adding and Removing Console Interfaces on page 281.
If you are using BGP, you must stop and start the BGP service if static routes are added or deleted.
See Stopping and Starting BGP on page 320 for more information.
Note You can configure each physical interface with multiple IP addresses and define VLAN IDs, up to a
total allocation of 256 IP addresses for the server. In addition, you can use the same IP address for
multiple services, including the console, the DNS server, BGP, SNMP, and other services.
276
Chapter 7. System Administration
Examples:
Configure the first IPv4 address of an interface (with no VLAN):
ifconfig eth0 192.168.12.14 255.255.255.0
Example:
[sysadmin@Secure64DNS]# ping eth0:1.1 192.168.95.95
ping to 192.168.95.95 on interface eth0:1.1
ping successful
277
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Example:
[sysadmin@Secure64]# show config
running configuration:
ifconfig bond9 192.168.88.2 255.255.255.0
ifconfig bond9.1 192.168.89.3 255.255.255.0
ifconfig bond9.2 2001:db8:aaa:bbb1:/64
ifconfig bond9.3 2001:db8:aaa:bbb2:/64
ifconfig bond9.4 2001:db8:aaa:bbb3:/64
ifconfig bond9.5 192.168.86.3 255.255.255.0
ifconfig bond9.6 2001:db8:aaa:bbb4:/64
ifconfig bond9.7 2001:db8:aaa:bbb5:/64
ifconfig bond9.8 2001:db8:aaa:bbb6:/64
ifconfig bond9.9 2001:db8:aaa:bbb7:/64
ifconfig bond9.10 2001:db8:aaa:bbb8:/64
ifconfig bond9.11 2001:db8:aaa:bbb9:/64
ifconfig bond9.12 2001:db8:aaa:ccc1:/64 DISABLED
ifconfig eth2 192.168.110.100 255.255.255.0
ifconfig eth2.1 2001:db8:aaa:ccc2:/64
ifconfig eth3 192.168.95.86 255.255.255.0
ifconfig eth3.1 2001:db8:aaa:ccc3:/64
ifconfig lo0 192.168.130.110 255.255.255.255
console eth2
route asym
nameserver 0 192.168.127.1 6
nameserver 1 192.168.127.8 4
ntp 192.168.95.65
tz America/Denver
syslog 192.168.95.65
loglevel 0 50
nodename Secure64
No defense rules configured.
ruleactions on
nullchecksums allow
278
Chapter 7. System Administration
timeout 0
ip frag timeout 5
ip frag high 40
ip frag low 30
bondcfg bond9 eth0 eth1
bondcfg bond9 mode miimon 1000 5000
bondcfg bond9 gratarp 3
bondcfg bond9 unsolnd 3
Note If the interface is currently in use by a service, you must stop the service(s) before you can remove the
configuration. To check the configuration of various services, use the show config (general system
configuration), show cachedns config (DNS configuration), show bgp config (BGP
configuration), and show authenticate config <radius | ldap > authentication
configuration commands.
If you remove or change an IP address, be sure to modify any configuration files that use the IP address
accordingly. Also verify whether any rules need to be modified or attached to different interfaces. (See
About Rate-Limiting Rules on page 227 for more information).
If the interface is configured as a console and you want to change the IP address configured for the
console, see Changing the IP Address of a Console Interface on page 282.
2. Based on the type of IP address configured, at the sysadmin prompt type the IPv4 or
IPv6 command and press ENTER:
no ifconfig <interface> <ipv4 ipaddress>
or
no ifconfig <interface> <ipv6 ipaddress>/<ipv6 prefix length>
279
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Example:
[sysadmin@Secure64DNS]# no ifconfig eth0 192.168.64.1
Configuration removed
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
Note You can assign a regular unicast address to a loopback interface (lo0 or lo0.I). A loopback address
(127/8, ::1/128) can only be assigned to a loopback interface, not a physical interface.
Examples:
[sysadmin@Secure64]# ifconfig lo0 10.22.0.99 255.255.255.255
Pending configuration changed.
280
Chapter 7. System Administration
Note After adding or removing a console interface, make sure to attach a rule to limit the number of SSH logins
per minute for security. For more information, see Configuring TCP Rules for SSH and DNS Traffic on
page 236.
If you are using BGP, you must stop and start the BGP service if static routes are added or deleted. See
Stopping and Starting BGP on page 320 for more information.
281
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Example:
[sysadmin@Secure64DNS]# no console eth3
eth3 console disabled
Pending configuration changed.
[sysadmin@Secure64DNS]# activate
282
Chapter 7. System Administration
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
Note If a user changes the console timeout setting, the change affects the current session of the user
executing the command; all other users are affected upon their next log in.
283
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
where
<num> is the bond number, 0-99 (only 8 total bonds allowed)
<ethX> <ethY> are two or more physical interfaces
284
Chapter 7. System Administration
Example:
[sysadmin@Secure64]# bondcfg bond0 eth1 eth2
Pending configuration changed.
where
<num> is the bond number
<polltime> is the time in milliseconds to poll the state of the Ethernet link, ranging
from 100 to 5000. If not defined for an existing bond, the default is 1000.
<holdtime> is the time in milliseconds to wait before changing the link state of a
detected failure, ranging from 2x the polltime to 100x the polltime. If not defined for an
existing bond, the default is 5000. Holdtime should be a multiple of polltime.
Note After the holdtime expires, the standby interface begins initiating its startup process. This results in a
delay after the holdtime expires before the standby interface becomes fully active.
2. At the sysadmin prompt, type the following command and press ENTER to configure
the number of gratuitous ARPs and unsolicited neighbor discoveries
bondcfg bond<num> gratarp <arp>
bondcfg bond<num> unsolnd <neighbor>
where
<num> is the bond number
<arp> is the number of gratuitous ARPs to send to configured IPv4 addresses on a newly
active port. The acceptable range is 0-255. If the value is 0, then ARPs are not sent. If not
defined for an existing bond, the default is 3.
<neighbor> is the number of unsolicited neighbor discoveries to send to configured
IPv6 addresses on a newly active port. The acceptable range is 0-255. If the value is 0,
then unsolicited neighbor discoveries are not sent. If not defined for an existing bond, the
default is 3.
Example:
[sysadmin@Secure64]# bondcfg bond0 mode miimon 1000 5000
Pending configuration changed.
285
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
Examples:
[sysadmin@Secure64]# ifconfig bond0 192.168.127.180 255.255.255.255
Pending configuration changed.
286
Chapter 7. System Administration
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
where
<num> is the bond number
Example:
[sysadmin@Secure64]# show bond0 status
bond0 mode miimon poll 1000 down 5000 gratarp 3 unsolnd 3
interface eth1 link up status active
interface eth2 link up status standby
where
<num> is the bond number
Example:
[sysadmin@Secure64]# show bond0 config
bondcfg bond0 eth1 eth2
bondcfg bond0 mode miimon 1000 5000
bondcfg bond0 gratarp 3
bondcfg bond0 unsolnd 3
287
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Note If the interface is currently in use by a service, you must stop the service(s) before you can remove the
configuration. To check the configuration of various services, use the show config (general
system configuration), show cachedns config (DNS configuration), show bgp config
(BGP configuration), and show authenticate config <ldap | radius >
configuration commands.
If you remove or change an IP address, be sure to modify any configuration files that use the IP
address accordingly. Also verify whether any rules need to be modified or attached to different
interfaces. (See About Rate-Limiting Rules on page 227 for more information).
If the interface is configured as a console and you want to change the IP address configured for the
console, see Changing the IP Address of a Console Interface on page 282.
2. At the sysadmin prompt, type the following command and press ENTER:
no bondcfg bond<num>
288
Chapter 7. System Administration
Example:
[sysadmin@Secure64]# no bondcfg bond3
Pending configuration changed.
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
Note The issue file must be plain text. Escape characters and other non-text character sequences are not
recognized.
To edit the default issue file, use scp to copy a file you created on another system or edit the
default file directly on the Secure64 DNS Cache server.
289
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Note To generate syslog messages for the power supply and other sensor changes, you must set a chassis
polling interval.
Example:
[sysadmin@Secure64]# chassispoll 120
Pending configuration changed.
Note To invoke the configuration change, type activate and press ENTER.
To confirm the pending configuration, type show pending and press ENTER.
To return to the saved configuration, type revert and press ENTER.
To save the running (changed and activated) configuration, type save and press ENTER.
To restart the system with the configuration change, type reboot.
290
Chapter 7. System Administration
Configuring RAID
You can configure the Secure64 DNS Cache server with multiple drives for RAID. This
configuration is useful for servers located in harsh or high-availability environments. The RAID
configuration allows complete disk redundancy so that in the event of a disk failure, the system
continues to function. The malfunctioning unit can be hot-swapped with a new unit.
Note that when multiple disks are installed, the server’s default configuration does not
automatically enable disk mirroring. The HP Integrity Installation Guide provides instructions for
configuring RAID.
Accessing the utilities necessary for RAID configuration differs based on whether you are
configuring RAID prior to or after installing the Secure64 DNS Cache software:
• RECOMMENDED: Prior to installing Secure64 DNS Cache software. The HP
Integrity server powers up to the EFI (Extensible Firmware Interface) console. From the
console menu, select the EFI shell and enter drvcfg –s to begin the RAID
configuration. Refer to HP’s documentation for additional details.
• After installing Secure64 DNS Cache software. To configure RAID after Secure64
DNS Cache is installed and running, you must backup the Secure64 DNS Cache software
and data, configure RAID, and re-install the Secure64 DNS Cache software and data. For
assistance with this process, contact Secure64 support at support@secure64.com.
291
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
292
Chapter 7. System Administration
If the system is functioning normally, then the total number of requested reboots and
halts should equal the number of reported reboots.
• Processes such as DNS, RADIUS, LDAP, BGP, and SNMP are not started.
• Configured networking is disabled.
• Access to the server is available only through the serial console.
293
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Note If you use RADIUS or LDAP, the users you originally created to configure the Secure64 DNS Cache
server are available when RADIUS or LDAP is disabled.
where:
-P <port> is the optional destination port
<user> is a Secure64 user account assigned to the cachednsadmin role
<Secure64_host> is the IPv4 address, [IPv6 address] in square brackets, or
hostname of the Secure64 DNS Cache administrative console
<file> is the configuration file to copy
<target> is the destination for the file
294
Chapter 7. System Administration
4. After you revert the system configuration and complete troubleshooting steps, at the
sysadmin prompt, type reboot and press ENTER to reset the autostart cycle counter and
allow the system to boot normally.
Example:
[sysadmin@Secure64DNS]# reset autostart cycle-counter
autostart cycle counter successfully reset to zero
Example:
[sysadmin@Secure64DNS]# reset autostart history
autostart history successfully reset to zero
295
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
The steps for recovering your system depend on the type of failure that occurs. For example,
the software may become corrupt in the case of a power failure, static electricity, or a power
surge. Recovery is also necessary if your system experiences a hardware failure.
The following sections describe backing up and restoring system configuration files and
backing up and restoring DNS information.
296
Chapter 7. System Administration
Note This procedure backs up the Secure64 DNS Cache system configuration as seen in the show
config command. It also backs up user and role information, BGP configuration information (if
enabled), RADIUS or LDAP configuration information (if enabled and running), and SDP (Secure Data
Protection) information.
297
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
To back up DNS information, use the scp command at the remote system as follows:
scp –r [-P <port>] <user>@<host>:/cachednsadmin/* <backup_dest>
where:
-P <port> is the optional destination port
<user> is the user account assigned to the cachednsadmin role
<host> is the Secure64 DNS Cache server IPv4 address, [IPv6 address] in square
brackets, or hostname
<backup_dest> is the destination for the backup files
To restore DNS information, use the scp command at the remote system as follows:
scp –r [-P <port>] <backup_dest>/* <user>@<host>:/cachednsadmin/
where:
-P <port> is the optional incoming SSH port (if different than port 22, see Adding and
Removing Console Interfaces on page 281 for information about changing the default port)
<backup_dest> is the location of the backup files,
<user> is a user account assigned to the cachednsadmin role, and
<host> is the Secure64 DNS Cache server IPv4 address, [IPv6 address] in square
brackets, or hostname
298
Chapter 7. System Administration
System Recovery
The steps for recovering your system depend on the type of failure that occurs. For example, the
software may become corrupt in the case of a power failure, static electricity, or a power surge.
Recovery is also necessary if your system experiences a hardware failure.
Table 45 identifies different types of failures, the recommended recovery actions, and
corresponding references for more information.
where:
— all displays the state of all cryptographic module instances
— # displays the state of the given cryptographic module instance (1, 2, 3, etc.)
— no parameters displays the state of cryptographic module instance 1
299
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
Examples:
[securityadmin@Secure64]# status
Cryptographic module is in the Ready state.
[securityadmin@Secure64]# status 2
Cryptographic module #2 is in the Powerup state.
300
Chapter 7. System Administration
Note If you do not know your license key information, see Determining the Secure64 DNS Cache License Key
on page 302.
3. When the Thank You web page displays, click the link provided to download the upgrade
files to a location where you can unzip, untar, and scp them to the Secure64 DNS Cache
server. For Windows systems use a utility that recognizes .tar.gz files, such as WinZip.
For Linux/UNIX systems, use the tar command, for example:
tar –xvzf Secure64*.tar.gz
Note The unzipped, decompressed filenames are s64dns and secure.efi. To successfully upgrade
your system, an upgrade user must scp both the s64dns and secure.efi files to the Secure64
DNS Cache server. You can copy the files one at a time or together as shown below.
4. Use scp to copy the upgrade files to the Secure64 DNS Cache server:
scp -P <port> s64dns secure.efi <upgrade_user>@<Secure64_host>:/upgrade/
where:
-P <port> is the optional incoming SSH port (if different than port 22, see Adding and
Removing Console Interfaces on page 281 for information about changing the default port)
upgrade_user is a user account assigned to the upgrade role
Secure64_host is the Secure64 DNS Cache server IPv4 address, [IPv6 address] in
square brackets, or hostname.
! WARNING Before issuing the upgrade command, ensure that the DNS server, BGP (if applicable), and SNMP
(if applicable) are stopped. To stop the DNS server, login as a user with the cachednsadmin role
and enter stop cachedns. To stop BGP, login as a user with the bgpadmin role and enter stop bgp.
To stop SNMP, login as a user with the snmpadmin role and enter stop snmp.
1. Log into Secure64 DNS Cache with a user account assigned to the upgrade role.
2. Enter enable upgrade to change from view mode to upgrade mode.
3. Type upgrade and press ENTER:
[upgrade@Secure64DNS]# upgrade
Current executable backed up
Upgrade complete. Reboot to run.
301
SECURE64 DNS CACHE 3.1
Chapter 7. System Administration
4. Type reboot and press ENTER to restart the Secure64 DNS Cache system.
[upgrade@Secure64DNS]# reboot
5. If you want to verify the new system version, log into Secure64 DNS Cache view mode
and enter the version command.
[cachednsadmin@Secure64DNS]# version
Secure64 DNS Cache 3.1.0 B (ZX-2) built Dec 2 2013 16:40:36 (4.3.1)
5. If you want to verify that the system version has changed, log into Secure64 DNS
Cache view mode and enter the version command.
Example:
[upgrade@Secure64DNS]# license
4712CJ80000012345678
302
Chapter 8. Enabling BGP for Anycast
Overview
BGP (Border Gateway Protocol) is a dynamic routing protocol. It allows two or more collections
of networks, known as autonomous systems, to exchange routing information. An autonomous
system (AS) is a collection of networks under a common administration and routing strategy.
The routing information maintained by BGP is dependent upon the routing style enabled for the
Secure64 DNS server. If you enable symmetrical routing, you can use BGP to update outbound
routing information. If you enable asymmetrical routing, BGP can update inbound and outbound
routing information. For more details about symmetrical and asymmetrical routing, see Configuring
In-Bound Traffic Routing Style on page 255.
You can also use BGP to implement an anycast IPv4 or IPv6 addressing scheme. In the context
of the Secure64 DNS Cache server, an anycast address is an IPv4 or IPv6 addressing technique
that assigns the same IP unicast address to multiple hosts. Routes are configured accordingly so
that queries sent to the anycast address go to the topologically closest server.
When combined with BGP, anycast routing can provide DNS servers with:
• Load distribution
• Increased reliability
• Decreased latency
• Localization of DoS attacks and distributed response to DDoS attacks
As an example of anycast and BGP for DNS, consider the fictitious company, example.com,
shown in Figure 16. The company’s DNS name server is dns.example.com, which resolves to
the IP address 1.2.3.4. The company has configured a DNS server in Argentina and another in
Australia using this anycast address.
303
SECURE64 DNS CACHE 3.1
Chapter 8. Enabling BGP for Anycast
The routers in Argentina direct queries from clients in Argentina to the server in Argentina,
and the routers in Australia direct the queries from clients in Australia to the server in Australia.
To do this, the DNS server in Argentina announces an anycast address route to its BGP
neighbors in Argentina, and the DNS server in Australia announces a route to the same anycast
address to its BGP neighbors in Australia. Normal Internet routing sends the traffic to the
correct place.
An anycast cloud is a group of servers that share a service address and routing information. In
the example, the Argentina and Australia servers are in the same anycast cloud and the service
address is 1.2.3.4. If one of the DNS servers in the anycast cloud goes down, the route to its
address is withdrawn from the cloud. Queries directed to that server are redirected to the next
topologically available server.
Note For an additional level of failover protection, best practices for anycast DNS server operations indicate
a need for two separate overlapping clouds of anycast servers.
304
Chapter 8. Enabling BGP for Anycast
Note Secure64 DNS Cache also supports bidirectional forwarding detection (BFD). BFD is often used in
conjunction with BGP because it typically detects failures faster than BGP. For details about
implementing BFD, see Using BFD on page 388.
Memory Requirements
BGP requires a minimum of 1 MB of memory on the Secure64 DNS Cache server. In addition,
for each BGP neighbor configured, the server requires approximately 125 MB of memory. To
determine the available memory when the server is running, use the memstat command as
described in Displaying Available Memory, Physical Memory, or Drive Space on page 368.
305
SECURE64 DNS CACHE 3.1
Chapter 8. Enabling BGP for Anycast
306
Chapter 8. Enabling BGP for Anycast
• For complete descriptions of the global configuration parameters, see Global BGP
Configuration Parameters on page 309.
• For descriptions of the group and neighbor configuration parameters, see Group and
Neighbor BGP Configuration Parameters on page 310.
• For descriptions of UPDATE filtering, see UPDATE Filter Rules on page 311.
Below is an example bgp.conf file that defines a group with two neighbors and UPDATE
filtering rules:
# global configuration
autostart yes
AS 65001
router-id 1.2.3.4
holdtime 180
holdtime min 30
route-collector no
neighbor 10.0.0.1 {
descr "AS 65001 peer 1"
set localpref 200
tcp md5sig password neSR3s77pY
}
neighbor 10.0.0.2 {
descr "AS 65001 peer 2"
}
}
# filter out prefixes longer than 24 or shorter than 8 bits
deny from any
allow from any prefixlen 8 – 24
# do not accept a default route
deny from any prefix 0.0.0.0/0
# filter bogus networks
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4
307
SECURE64 DNS CACHE 3.1
Chapter 8. Enabling BGP for Anycast
Note IPv4 and IPv6 information must be defined in different neighbor sections and cannot share local-
address, neighbor, or announce prefix attributes.
# macros
box=192.168.89.250
ipv6addr=2001:db8:3c4d:15::abcd:2
# global configuration
autostart no
AS 65000
router-id 1.2.3.4
holdtime 180
holdtime min 30
route-collector no
# neighbors and peers
group "AS65001 peers" {
remote-as 65001
neighbor 2001:db8:3c4d:15::abcd:3 {
descr "AS 65001 peer 1 (terminus IPv6)"
local-address $ipv6addr
announce prefix 2001:db8:3c4d:15::/64
announce prefix 2001:db8:3c4d:15::abcd:8/128
announce prefix 2001:db0::1/64
}
neighbor 192.168.250.1 {
descr "AS 65001 peer 2 (gateway IPv4)"
local-address $box
announce prefix 192.168.89.0/24
announce prefix 192.168.90.0/24
}
}
308
Chapter 8. Enabling BGP for Anycast
router-id <id-number> Set the router ID to an IPv4-style address to use for the
BGP identifier. The address must be local to the Secure64
DNS Cache server. If not given, the BGP identifier is
determined as the biggest IP address assigned to the router-id 10.0.0.1
local machine. (Note: The router-id is not designed or
intended to accept an IPv6-style address.)
autostart <yes|no> If autostart it set to yes, then BGP automatically starts
when the Secure64 DNS Cache server boots. If autostart
is set to no, then BGP is not automatically started. You
can use the command start bgp to start BGP manually.
The default setting is no.
Note: Configure DNS to start automatically if you
autostart yes
configure BGP to start automatically.
To automatically start BGP when the DNS server starts
and automatically stop BGP when the DNS server stops,
use instead the auto-bgp: yes attribute in
cache.conf. See Configuring Basic Server Attributes
on page 98 for more information.
holdtime <seconds> Set the holdtime in seconds. Neighboring BGP systems
negotiate the holdtime used when establishing a
connection. Each neighbor announces its configured
holdtime; the smaller value is agreed upon.
holdtime 120
The holdtime is reset to its initial value when a
KEEPALIVE or an UPDATE message is received from a
BGP neighbor. If the holdtime expires, the session is
dropped. The default value is 90 seconds.
holdtime min <seconds> Defines the minimum holdtime value in seconds. The
value for seconds must be 3 or greater.
The holdtime negotiated between Secure64 DNS Cache holdtime min 30
and its BGP neighbors must be greater than or equal to
this value.
log updates Log received and sent UPDATE messages to syslog. The
default is not to log updates.
log updates
WARNING: Configuring log updates can generate a large
amount of syslog traffic.
route-collector <yes|no> When set to yes, the route selection process is not
route-collector no
operable. The default is no, which enables route selection.
309
SECURE64 DNS CACHE 3.1
Chapter 8. Enabling BGP for Anycast
310
Chapter 8. Enabling BGP for Anycast
Syntax
List filter rules in the bgp.conf configuration file using the following syntax:
<action> <from|to> <peer> [parameter1] [parameter2] [...]
<action>
allow Pass the UPDATE
deny Block the UPDATE
match Apply the filter set without affecting the filter decision
<from|to>
from Apply the rule to incoming UPDATES
to Apply the rule to outgoing UPDATES
<peer>
any Evaluate the rule for any neighbor
<ipaddress> Evaluate the rule for neighbors that match the defined IP address
group <descr> Evaluate the rule for neighbors in the defined group
[parameter]
See the following section.
311
SECURE64 DNS CACHE 3.1
Chapter 8. Enabling BGP for Anycast
Filter Parameters
You can use one or more parameters to define the rules to apply to UPDATES. An UPDATE
always comes from or goes to one neighbor. Rules are applied to the UPDATE packets that
match the rule attributes.
Note that you do not need to define a parameter. Examples of rules that do not include a
parameter include:
deny from any
allow to any
allow from 251.28.16.2
deny from any prefix 0.0.0.0/0
Table 48 describes the available parameters and provides example rules that use each parameter.
Parameter
Example(s) Description
<as-type> <as-number> Applies only to UPDATES where the AS path matches the defined
<as-type> and <as-number>.
deny from any AS 1
For <as-type>, use the options below:
deny from any source-as 2 AS: The <as-number> matches any part of the AS
source-as: The <as-number> matches the rightmost AS number
transit-as: The <as-number> matches any except the rightmost AS
number
prefix <ipaddress>/<length> Applies to UPDATES for the specified IPv4 prefix.
Note: You can specify multiple <ipaddress>/<length> entries
deny from any prefix 0.0.0.0/0
separated by commas or whitespace, if enclosed in curly brackets.
deny from any prefix 192.168.0.0/16 You can also specify macros for multiple lists.
prefixlen <range> Applies to UPDATES for IPv4 prefixes where the defined prefix length
matches.
allow from any prefixlen 8 - 24
Use the following operators to define the prefix length range:
deny from any prefix 10.0.0.0/8 prefixlen >= 8 = equal
!= not equal
allow from any prefix 10.0.0.0/8 prefixlen > 16
< less than
> greater than
<= less than or equal to
>= greater than or equal to
- range, including the boundaries in the range
>< except the range
312
Chapter 8. Enabling BGP for Anycast
To view your current system configuration, which includes configured interfaces and IP
addresses:
• Type show config at the bgpadmin prompt, and press ENTER.
Example:
[bgpadmin@Secure64DNS]# show config
running configuration:
ifconfig eth0 192.168.95.99 255.255.255.0
ifconfig eth1 192.168.127.99 255.255.255.0
console eth0
route default 10.81.0.2
route sym
nameserver 0 192.168.95.95 4
ntp 2001:db8::1
tz MST7MDT
syslog 192.168.95.95
loglevel 5 75
nodename Secure64DNS
No defense rules configured.
rule actions enabled
nullchecksums disallow
timeout 300
ip frag timeout 5
ip frag high 40
ip frag low 30
313
SECURE64 DNS CACHE 3.1
Chapter 8. Enabling BGP for Anycast
Note You can configure each physical interface with multiple IP addresses and define VLAN IDs, up to a
total allocation of 256 IP addresses for the server. In addition, you can use the same IP address for
multiple services, including the console, the DNS server, BGP, SNMP, and other services.
Example:
[sysadmin@Secure64]# ifconfig eth1.2 10.20.0.99 255.255.255.0
Pending configuration changed.
Example:
[sysadmin@Secure64]# ifconfig lo0 10.22.0.99 255.255.255.255
Pending configuration changed.
314
Chapter 8. Enabling BGP for Anycast
315
SECURE64 DNS CACHE 3.1
Chapter 8. Enabling BGP for Anycast
Note If you are using symmetrical routing (see Configuring In-Bound Traffic Routing Style on page 255) and
do not need to create RIB and FIB information for outbound connections, you can simply set the filter
to “deny from all.”
6. Save the bgp.conf file and exit the Secure64 DNS Cache editor.
7. If BGP is already enabled and running, type stop bgp and press ENTER to stop the
service.
Note You must stop and start BGP to read the new configuration. This clears the current BGP session,
including any routing, forwarding, and update information.
316
Chapter 8. Enabling BGP for Anycast
317
SECURE64 DNS CACHE 3.1
Chapter 8. Enabling BGP for Anycast
BGP Commands
Table 50 lists the BGP administration and information commands. For examples showing how
to use many of the commands, see Using BGP Commands on page 320 and Testing and Managing
BGP on page 324.
Command Description
BGP administration commands
start bgp Reads the bgp.conf configuration file and enables BGP services for
Secure64 DNS.
stop bgp Stops BGP services for Secure64 DNS Cache.
bgp neighbor <peer> up Takes the BGP session to the specified neighbor up.
<peer> can be the neighbor’s IPv4/IPv6 address or description.
bgp neighbor <peer> down Takes the BGP session to the specified neighbor down.
<peer> can be the neighbor’s IPv4/IPv6 address or description.
bgp neighbor <peer> clear Stops and restarts the BGP session to the specified neighbor.
<peer> can be the neighbor’s IPv4/IPv6 address or description.
bgp neighbor <peer> refresh Requests the specified neighbor to re-send all routes. Note that the
neighbor is not required to re-send routes, even if it announced the route
refresh capability.
<peer> can be the neighbor’s IPv4/IPv6 address or description.
bgp announce <ipaddress/prefix> [-n Sends a BGP UPDATE message to the neighbor(s) identified to re-
peer] establish the specified IPv4/IPv6 address/prefixes in the anycast cloud,
where ip_address/prefix is one or more IPv4/IPv6 address/
prefixes to announce and peer is the IPv4/IPv6 address or description
of the neighbor; you can list multiple neighbors after –n. To announce to
all neighbors, omit the –n flag.
bgp withdraw <ipaddress/prefix> [-n Sends a BGP UPDATE message to the neighbor(s) indicated. The
peer] UPDATE message contains the listed IPv4/IPv6 address/prefixes in the
withdrawn routes portion of the message, where ip_address/
prefix is one or more IPv4/IPv6 address/prefixes to withdraw and
peer is the IPv4/IPv6 address or description of the neighbor; you can list
multiple neighbors after –n. To withdraw from all neighbors, omit the –n
flag.
BGP information commands (Available in all modes)
show bgp config Displays the contents of the bgp.conf configuration file.
show bgp fib <filter> Displays routes from the Secure64 DNS Cache server’s Forwarding
Information Base.
For <filter>, define a specific IP address or one of the options
below:
connected: Show only connected routes
static: Show only static routes
bgp: Show only routes originating from the Secure64 DNS server
nexthop: Show only routes required to reach a BGP nexthop.
show bgp info Displays information about the messages sent and received by BGP on
the Secure64 DNS Cache server.
show bgp interfaces Displays the interface states.
318
Chapter 8. Enabling BGP for Anycast
show bgp neighbor [peer] [modifier] Displays detailed information about the neighbor identified by the peer.
[peer] can be the neighbor’s IPv4/IPv6 address or description,
according to the modifier defined.
For [modifier], define one of the options below:
messages: Show statistics about sent and received BGP messages.
timers: Show the BGP timers.
show bgp nexthop Displays the list of BGP nexthops and the result of their validity check.
show bgp rib [options] [filter] Show routes from the RIB.
For [options]:
detail: Show more detailed output for matched routes.
For [filter]:
<address>: Show best matching route for the address.
as <as>: Show all entries with <as> anywhere in the AS path.
source-as <as>: Show all entries with <as> as the rightmost AS.
transit-as <as>: Show all entries with <as> anywhere but rightmost.
neighbor <peer>: Show only entries from the specified peer.
summary: Display a list of all neighbors, including information about the
session state and message counters.
memory: Show RIB memory statistics.
show bgp status Displays the current state of the BGP system in Secure64 DNS Cache.
show bgp summary Displays a list of all neighbors, including information about the session
state and message counters.
show bgp summary terse Display a list of all neighbors, including information about the session
state, in a condensed format.
319
SECURE64 DNS CACHE 3.1
Chapter 8. Enabling BGP for Anycast
Note You can start BGP without the DNS server started; however, the addresses announced by the BGP
configuration will not be available to clients sending queries to the DNS server.
5. If DNS is not started, a user account assigned to the cachednsadmin role must log in
and start the server.
6. Secure64 DNS Cache reads the bgp.conf file, starts the BGP service, and begins
contacting the configured BGP neighbors.
Example:
[bgpadmin@Secure64DNS]# start bgp
bgp.conf:65: BGP configuration done with 0 errors, 0 warnings
successfully started bgp configuration bgp.conf
Example:
[bgpadmin@Secure64DNS]# stop bgp
successfully stopped bgp bgp.conf
320
Chapter 8. Enabling BGP for Anycast
Example:
[view@Secure64DNS]> show bgp status
BGP instance: bgp.conf state: running AS: 65001 router-id 10.71.0.2
listening on the following addresses:
10.71.0.2
bgp is running
Example:
[view@Secure64DNS]> show bgp info
BGP instance: bgp.conf state: running AS: 65001 router-id 10.71.0.2
listening on the following addresses:
10.71.0.2
sent messages:
open 1
update 1
notification 0
keepalive 0
rrefresh 0
321
SECURE64 DNS CACHE 3.1
Chapter 8. Enabling BGP for Anycast
Example:
[bgpadmin@Secure64DNS]# bgp withdraw 10.71.0.2/32
Successfully sent withdraw to all neighbors
request sent.
322
Chapter 8. Enabling BGP for Anycast
4. Secure64 DNS Cache sends a BGP UPDATE message to the neighbor(s) identified to re-
establish the ip_address/prefix in the anycast cloud.
Example:
[bgpadmin@Secure64DNS]# bgp announce 10.71.0.2/32
Successfully sent updates to all neighbors
request sent.
323
SECURE64 DNS CACHE 3.1
Chapter 8. Enabling BGP for Anycast
324
Chapter 8. Enabling BGP for Anycast
Example:
[view@Secure64DNS]> show bgp neighbor
BGP neighbor is 12.40.5.3, remote AS 65003
Description: cisco neighbor
BGP version 4, remote router-id 100.100.50.1
BGP state = Established, up for 00:00:08
Last read 00:00:08, holdtime 90s, keepalive interval 30s
Message statistics:
Sent Received
Opens 1 1
Notifications 0 0
Updates 1 2
Keepalives 1 3
Route Refresh 0 0
Total 3 6
Message statistics:
Sent Received
Opens 1 1
Notifications 0 0
Updates 1 2
Keepalives 1 1
Route Refresh 0 0
Total 3 4
325
SECURE64 DNS CACHE 3.1
Chapter 8. Enabling BGP for Anycast
To view condensed information about BGP neighbor session states and messages:
1. At any Secure64 DNS Cache prompt, type show bgp summary or show bgp
summary terse and press ENTER.
2. For show bgp summary, Secure64 DNS Cache displays a summary of BGP neighbor
information, including:
— MsgRcvd - The number messages received from the neighbor
— MsgSent - The number of messages sent to the neighbor
— OutQ - The number of queued messages waiting to be sent (a nonzero value can
indicate a connectivity problem)
— Up/Down - The time since the last transition from the UP state to the DOWN
state, or vice versa since BGP was last started
— State/PrefixRcvd - If in the ESTABLISHED state, displays the number of
prefixes received from the peer, otherwise displays the BGP state for that peer (Idle,
Connect, Active, OpenSent, or OpenConfirm)
The show bgp summary terse command displays the neighbor information in a
shortened format.
Example:
[bgpadmin@Secure64DNS]# show bgp summary
Neighbor AS MsgRcvd MsgSent OutQ Up/Down State/PrefixRcvd
AS 65001 Peer1 65001 3 3 0 00:00:03 1
326
Chapter 8. Enabling BGP for Anycast
Note If the RIB information contains a large number of routes, displaying this information may require
some time to complete.
Example:
[view@Secure64DNS]> show bgp rib
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i=IGP, e=EGP, ?=Incomplete flags destination gateway lpref med aspath origin
*> 10.20.5.0/24 10.40.5.3 100 0 65003 i
* 10.20.5.0/24 10.40.5.2 100 0 65002 65001 i *> 10.30.5.0/24 10.40.5.2 100 0 65002 i
* 10.30.5.0/24 10.40.5.3 100 0 65003 65001 i *> 10.40.5.0/24 10.40.5.3 100 0 65003 i
* 10.40.5.0/24 10.40.5.2 100 0 65002 i
*> 192.168.95.0/24 10.40.5.3 100 0 65003 65001 i
327
SECURE64 DNS CACHE 3.1
Chapter 8. Enabling BGP for Anycast
Note If the FIB information contains a large number of routes, displaying this information may
require some time to complete.
Example:
[view@Secure64DNS]> show bgp fib
flags: * = valid, B = BGP, C = Connected, S = Static N = BGP Nexthop reachable via this
route r = reject route, b = blackhole route
Troubleshooting BGP
If the traceroute command or id.server CHAOS TXT query is unsuccessful, or the system is
not responding as expected, you can troubleshoot the issue by:
• Monitoring BGP error logging in syslog
• Verifying the contents of the bgp.conf configuration file
• Checking BGP information
The following sections discuss each of these methods.
328
Chapter 8. Enabling BGP for Anycast
329
SECURE64 DNS CACHE 3.1
Chapter 8. Enabling BGP for Anycast
330
Chapter 9. Enabling RADIUS or LDAP for
User Authentication
Overview
The Secure64 DNS Cache server comes with built-in user and role capabilities. However, you can
configure Secure64 DNS Cache to act as a RADIUS (Remote Authentication Dial In User
Service) or LDAP (Lightweight Directory Access Protocol) LDAP client for user authentication
and authorization.
Deploying RADIUS or LDAP for user authentication provides:
• Centralized administration of users and roles. When you add/remove users or alter
their roles, it is easier and less costly to update a single, centralized data base rather than
individual data bases on many different machines with different operating systems.
• Detailed audit trail. Centralized administration of user logins allows for a single, detailed
audit trail.
• Single user name and password. With centralized user administration, you can assign a
particular individual one user name and password for access to multiple applications and
systems.
• Separation of users and roles. A centralized data base facilitates a fine granularity of
roles for a particular user, which in turn helps overall security by assigning roles to only
those users who really need them.
• Ease of policy implementation. If all devices in an enterprise’s network authenticate to
a centralized service, the service can implement standardized policies for users and roles,
such as strong password requirements.
This chapter provides details for RADIUS and LDAP configuration:
• For details about RADIUS configuration, refer to the next section.
• For details about LDAP configuration, refer to About LDAP Authentication and Secure64
DNS Cache on page 347.
• For details about how RADIUS and LDAP interoperate with the Secure64 DNS Cache
local user database, refer to Roles and User Accounts on page 27 and About User Account
Administration with RADIUS or LDAP on page 31.
Note It is not possible to configure a Secure64 DNS Cache server as both a RADIUS client and an LDAP
client.
331
SECURE64 DNS CACHE 3.1
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Note During initial installation, Secure64 DNS Cache requires local users assigned to some of the roles for
security and configuration purposes. See About User Account Administration with RADIUS or LDAP
on page 31 for more information.
Note Public-key authentication through Secure64 DNS Cache is available for the local user data base, but it
is not available when RADIUS is enabled.
Client Dictionary
For the client (Secure64 DNS), the system automatically generates the dictionary file in the
RADIUS directory of the Secure64 DNS Cache loginadmin user. The file contains the attributes
required for the Secure64 DNS client to communicate with the RADIUS server. Although a
loginadmin user can modify the file to include additional attributes, it is not recommended. If
the file becomes unusable, you can delete it and a new default file is automatically generated
when needed.
332
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Server Dictionary
To configure your RADIUS server dictionary, you need to specify vendor information for
Secure64 DNS products and roles in the RADIUS server configuration scheme:
• Secure64 IANA PEN (Private Enterprise Number):
— Identification tag: 28428
• Product attributes:
— Secure64 DNS Cache: Secure64Cache
— Secure64 DNS Authority: Secure64Authority
— Secure64 DNS Signer: Secure64Signer
Example:
The information below illustrates the server dictionary definition in FreeRADIUS 2.* server
format. (The format required by other RADIUS server software may differ significantly from this
example):
VENDOR Secure64 28428
BEGIN-VENDOR Secure64
ATTRIBUTE Secure64Cache 1 string
ATTRIBUTE Secure64Signer 2 string
ATTRIBUTE Secure64Authority 3 string
END-VENDOR Secure64
333
SECURE64 DNS CACHE 3.1
Chapter 9. Enabling RADIUS or LDAP for User Authentication
• The Secure64Signer attribute for the Secure64 DNS Signer server and the
Secure64Authority attribute for the Secure64 DNS Authority server can also include
the following role identifiers:
— authdnscreate, authdnsadmin
Example:
• Assume 3 users defined in RADIUS require access to Secure64 DNS product roles as
follows:
— user1: sysadmin in Secure64 DNS Cache and Secure64 DNS Signer; loginadmin
in all Secure64 systems; bgpadmin in all Secure64 systems; securityadmin in
Secure64 DNS Signer.
— user2: loginadmin in Secure64 DNS Cache; securityadmin in Secure64 DNS
Signer; view only in Secure64 DNS Authority.
— user3: All roles in Secure64 DNS Cache; view only in Secure64 DNS Signer.
334
Chapter 9. Enabling RADIUS or LDAP for User Authentication
• The configuration example below illustrates how to assign each of the users to these
Secure64 DNS roles for the various Secure64 DNS product attributes, in FreeRADIUS
2.* format:
user1 Cleartext-Password := "password1"
Secure64Cache = "sysadmin,loginadmin, bgpadmin",
Secure64Signer = "securityadmin,loginadmin,bgpadmin",
Secure64Authority = "loginadmin, bgpadmin"
335
SECURE64 DNS CACHE 3.1
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Example
# This is a sample radius.conf file with 3 servers defined.
# Server 1 defines all attributes, including default values
server: radius.secure64.com
port: 1812
PAP: PAP
timeout: 5
retries: 3
local: 192.168.127.23
336
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Parameter
Example Description
server: <IP address | hostname> The IPv4/IPv6 address or host name of
a RADIUS server for authentication,
server: radius.example.com
limited to 128 characters (required).
server: 192.168.127.194
For IPv6 addresses, including [ ] around
server: [2001:db8::1] the address is optional.
port: <number> Port number for the RADIUS server. If
not defined, the default is 1812
port: 1812
(optional).
secret: <shared_secret> Unencrypted shared secret string. The
maximum length is 48 characters.
secret: example-secret
Use extended ASCII (EAS) for non-
printable characters. To enter a non-
printable EAS character in the secret, use
the convention \x<ascii-code> where
<ascii-code> is the hexadecimal code for
the character
Define only if you do not want to encrypt
the shared secret using the Sensitive
Data Protection (SDP) feature.
The recommended practice is to omit
this attribute and use an encrypted
shared secret via SDP as described in
Securing Sensitive Data on page 244.
PAP: [PAP | CHAP] Password Authentication Protocol (PAP)
PAP: PAP identifier that specifies how to combine
the shared secret and password.
PAP- Password authentication protocol
CHAP- Challenge-handshake
authentication protocol
If not defined, the default is PAP
(optional).
337
SECURE64 DNS CACHE 3.1
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Parameter
Example Description
timeout: <seconds> The number of seconds to wait for a
timeout: 5 response from the RADIUS server. The
acceptable range is 0 (no timeout)
through 86400 seconds. If not defined,
the default is 5 (optional).
retries: <integer> The number of attempts to reach the
RADIUS server with no response.
retries: 3
Attempts cease after this number. The
acceptable range is 0 (no retries)
through 32. If not defined, the default is
3 (optional).
local: <IP address> IPv4 or IPv6 address of the client
local: 192.168.27.99 interface (Secure64 DNS Cache server)
to use to communicate with the RADIUS
local: 2001:db8::2 server. This must match a currently
configured Secure64 DNS Cache
interface.
For IPv6 addresses, include [ ] around
the address.
If not specified, Secure64 DNS Cache
automatically selects one of the
currently configured interfaces
(optional).
Preparations
To add a RADIUS server to the configuration file, you need:
• RADIUS server IP address or host name
A host name must be resolvable via DNS.
• RADIUS server port number
Required if the port number differs from the standard port 1812.
• RADIUS server shared secret
The shared secret specified by the RADIUS server and used for security within the
password protocol. The string must be an extended ASCII (EAS) string.
338
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Note Do not use the NUL character (EAS code 0) in the shared secret. To enter a non-printable EAS character
in the secret, use the convention \x<ascii-code> where <ascii-code> is the hexadecimal code for the
character.
Note Encrypting the shared secret is recommended, but it is not required. If you want to use an unencrypted
shared secret, define it in the radius.conf using the secret: attribute. For more information,
see Configuration File Attributes on page 337.
339
SECURE64 DNS CACHE 3.1
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Example:
# first server block
server: 10.10.10.1
port: 1812
PAP: PAP
timeout: 3
retries: 2
local: 192.168.127.1
5. Save the radius.conf file and exit the Secure64 DNS Cache editor. Or use scp to
copy the file to the Secure64 DNS Cache server if you edited it offline.
6. If RADIUS is already enabled and running, type no authenticate radius and press
ENTER to stop the service.
7. To enable the changed configuration, start RADIUS as described in Starting and Stopping
RADIUS Authentication on page 342.
Testing Authentication
If you want to verify that a specific user and password are valid for a RADIUS server, execute
the following:
• authprobe radius <username> <password> <pap> <server> <port>
<shared-secret> <timeout> <retries>
All parameters are required. For details about each parameter, refer to the configuration
attributes described in Configuration File Attributes on page 337.
The server uses the provided information to login to the RADIUS server; any information in
the radius.conf file is disregarded. In fact, you can use the command when a radius.conf
file does not exist.
340
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Example:
[loginadmin@Secure64DNS]# authprobe radius user1 User1Password PAP
RADIUSServer 1812 RADIUSServerSecret 5 1
Testing Connectivity
1. If you have already configured the RADIUS servers in the radius.conf file, use the
authprobe radius command without arguments to test connectivity only (no
authentication occurs):
authprobe radius
2. The server scans the current contents of the radius.conf file and attempts to reach
each of the servers listed. Results of the probe display on the command line and in syslog.
3. If connectivity issues are reported, refer to Troubleshooting RADIUS on page 345 for
troubleshooting information.
Example:
[loginadmin@Secure64DNS]# authprobe radius
10.10.10.1 ... OK
10.10.10.2 ... Timed out
341
SECURE64 DNS CACHE 3.1
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Note After the activate command is entered, all subsequent logins are authenticated using RADIUS.
The local user data base is consulted only if TCP communication to all configured RADIUS servers
fails or RADIUS authentication is stopped.
Example:
[view@Secure64DNS]> enable loginadmin
[loginadmin@Secure64DNS]# activate
Running configuration changed.
[loginadmin@Secure64DNS]# save
Running configuration successfully saved.
342
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Note If users assigned to the loginadmin role are logged in when you disable RADIUS, the users continue to
have RADIUS authentication capability until they log out of the Secure64 DNS server and log in again.
Example:
[loginadmin@Secure64DNS]# no authenticate radius
Pending configuration changed.
Please type "activate" to disable radius authentication
[loginadmin@Secure64DNS]# activate
Running configuration changed.
[loginadmin@Secure64DNS]# save
Running configuration successfully saved.
Example:
[loginadmin@Secure64DNS]# show authenticate status
LDAP authentication disabled
RADIUS authentication enabled
343
SECURE64 DNS CACHE 3.1
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Note The contents of the radius.conf file can differ from the activated configuration if you have not
issued commands to enable configuration changes (no authenticate radius, authenticate radius,
activate, and save).
Example:
[view@Secure64DNS]> show authenticate config radius
# first server block
server: 10.10.10.1
port: 1812
PAP: PAP
timeout: 3
retries: 2
local: 192.168.127.1
344
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Managing RADIUS
Troubleshooting RADIUS
When a RADIUS problem occurs, error messages display at the command line and in syslog. You
can troubleshoot the issue by:
• Monitoring RADIUS error logging in syslog
• Verifying the contents of the radius.conf configuration file
• Checking the RADIUS dictionary files
• Checking network information and the shared secret
The following sections discuss each method.
Examples:
[loginadmin@Secure64]# authenticate radius
RADIUS configuration file: Invalid retries figure (Line 6)
345
SECURE64 DNS CACHE 3.1
Chapter 9. Enabling RADIUS or LDAP for User Authentication
346
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Note During initial installation, Secure64 DNS Cache requires local users assigned to some of the roles for
security and configuration purposes. See About User Account Administration with RADIUS or LDAP on
page 31 for more information.
Note Public-key authentication through Secure64 DNS Cache is available for the local user data base, but it is
not available when LDAP is enabled.
347
SECURE64 DNS CACHE 3.1
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Note Values of password attributes, regardless of storage scheme used, should be protected as if they
were clear text. Hashed passwords are subject to dictionary attacks and brute-force attacks.
On the LDAP server, the userPassword attribute can have more than one value, and it is
possible for each value to be stored in a different form. The storage scheme is a hash tag prefix
on the value. For example, the following is a hashed password using the salted SHA1 (SSHA)
scheme:
userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3
Standards-compliant hash tags supported by the Secure64 DNS Cache LDAP client include
{SHA}, {SSHA}, {MD5}, {SMD5}, {CRYPT}, and {UNIX}. The {CRYPT} and {UNIX}
tags are essentially synonymous, indicating that the password information that follows is hashed
with the UNIX/Linux crypt(3) function. There are a variety of crypt(3) functions that the
Secure64 DNS Cache LDAP client supports.
The crypt(3) functions supported by Secure64 DNS Cache are listed in Table 52:
ID Method
MD5 extension supported by most
1
UNIX/Linux systems
2a Blowfish
md5 MD5 extension used by Solaris
5 SHA-256
6 SHA-512
-- Traditional DES-based
348
Chapter 9. Enabling RADIUS or LDAP for User Authentication
349
SECURE64 DNS CACHE 3.1
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Table 53 lists the Secure64 DNS Cache role definitions and includes space for you to note your
corresponding LDAP server definitions. For more information about Secure64 DNS Cache
roles and their responsibilities, see Authorization and Roles on page 27.
Note If you are not using a role, you can disable the role for LDAP in the Secure64 DNS Cache
ldap.conf configuration file and omit it from your LDAP server. For details about disabling the role
for LDAP in Secure64 DNS Cache, see Disabling Unused Roles for LDAP on page 356.
350
Chapter 9. Enabling RADIUS or LDAP for User Authentication
To add Secure64 DNS Cache users and roles to your LDAP server:
1. Using the LDAP server group definition or schema, assign users on the LDAP server to
the Secure64 DNS Cache roles as needed. Note that:
— You can map users to multiple roles.
— All roles automatically include view capability. However, if you want to assign a user
only view capability, use the VIEWER role definition.
2. Secure64 DNS Cache requires an LDAP server administrator and administrator password
defined for the database. On an OpenLDAP server, this is the rootdn and rootpw. For
Microsoft Active Directory, this is the administrator or a user with administrator
privileges and corresponding password.
Note Encrypting the bind password is recommended, but it is not required. If you want to use an unencrypted
bind password, define it in the ldap.conf using the BINDPASSWD: attribute. For more
information, see Server, Client, and Search Attributes on page 354.
351
SECURE64 DNS CACHE 3.1
Chapter 9. Enabling RADIUS or LDAP for User Authentication
#===local address===#
LOCALADDR 192.168.127.199
#===DN===#
BINDDN CN=Administrator,CN=Users,DC=example,DC=com
BINDPASSWD secret
#===search base===#
BASE DC=example,DC=com
#===search filter===#
SEARCHFILTER sAMAccountName
#===mappings===#
SYSADMIN memberOf=CN=s64sysadmin,DC=example,DC=com
BACKUP memberOf=CN=s64backup,DC=example,DC=com
UPGRADE memberOf=CN=s64upgrade,DC=example,DC=com
CACHEDNSADMIN memberOf=CN=s64cachednsadmin,DC=example,DC=com
BGPADMIN memberOf=CN=s64bgpadmin,DC=example,DC=com
LOGINADMIN memberOf=CN=s64loginadmin,DC=example,DC=com
SECURITYADMIN memberOf=CN=s64securityadmin,DC=example,DC=com
SNMPADMIN memberOf=CN=s64snmpadmin,DC=example,DC=com
VIEWER memberOf=CN=s64viewer,DC=example,DC=com
352
Chapter 9. Enabling RADIUS or LDAP for User Authentication
OpenLDAP
#===Server URI(s)===#
URI ldap://192.168.127.24
URI ldap://[2001:db8::1]
#===local address===#
LOCALADDR 192.168.127.199
#===DN===#
BINDDN cn=root,dc=example,dc=com
BINDPASSWD secret
#===search base===#
BASE dc=example,dc=com
#===search filter===#
SEARCHFILTER uid
#===authentication===#
AUTHSCHEME compare
#===mappings===#
SYSADMIN ou=s64sysadmin
BACKUP ou=s64backup
UPGRADE ou=s64upgrade
CACHEDNSADMIN ou=s64cachednsadmin
BGPADMIN ou=s64bgpadmin
LOGINADMIN ou=s64loginadmin
SECURITYADMIN ou=s64securityadmin
SNMPADMIN ou=s64snmpadmin
VIEWER ou=s64viewer
353
SECURE64 DNS CACHE 3.1
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Parameter
Example Description
URI ldap://<server IPv4 address>[:port] The IPv4/IPv6 address or host name of
URI ldap://<[server IPv6 address]>[:port] one or more LDAP servers for
authentication.
URI ldap://192.168.127.194
For IPv6 addresses, include [ ] around
URI ldap://192.168.127.194 ldap://secure.example.com:99 the address.
URI ldap://[2001:db8::1]
BASE <domain> The distinguished name (DN) of the
branch of the directory where all
BASE dc=example,dc=com
searches should begin.
BASE dc=ldaptest,dc=example,dc=com
SEARCHFILTER <attribute> The attribute to use as the search filter
for the LDAP server when the user logs
in to the Secure64 DNS Cache server.
Active Directory Example:
SEARCHFILTER sAMAccountName For Active Directory servers, use the
sAMAccountName value.
OpenLDAP Example:
BINDDN cn=root,dc=example,dc=com
BINDPASSWD <password> Administrator or root user password of
BINDPASSWD secret the LDAP server (required). Define only
if you do not want to encrypt the
password using the Sensitive Data
Protection (SDP) feature.
The recommended practice is to omit
this attribute and use an encrypted
password as described in Securing
Sensitive Data on page 244.
If you define multiple servers, Secure64
DNS Cache assumes the same
password is used for each.
354
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Parameter
Example Description
AUTHSCHEME <bind|compare> Authentication scheme between the
Secure64 DNS Cache LDAP client and
AUTHSCHEME bind
the LDAP server.
bind: Authenticate with username and
clear text password.
compare: Authenticate with username
and hashed form of password stored on
the LDAP server. See Defining
Password Authentication on the LDAP
server on page 347 for additional
information.
If not specified, the default is bind.
LOCALADDR <ip_address> The IPv4 or IPv6 address of the LDAP
LOCALADDR 192.168.27.99 client (Secure64 DNS Cache server).
This must match a currently configured
LOCALADDR 2001:db8::2 Secure64 DNS Cache interface.
If not specified, Secure64 DNS Cache
automatically selects one of the
currently configured interfaces.
Example:
SYSCREATE memberOf=CN=s64syscreate,DC=ldaptest,DC=example,DC=com
355
SECURE64 DNS CACHE 3.1
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Mapping OpenLDAP
For OpenLDAP, the Secure64 DNS Cache ldap.conf syntax is:
<Secure64 role> <attribute>=<server group>
where <Secure64 role> is a Secure64 DNS Cache role, <attribute> is the attribute
defined on the OpenLDAP server, and <server group> is the corresponding group
defined on the OpenLDAP server.
Example:
SYSCREATE ou=s64syscreate
Example:
#===mappings===#
SYSADMIN ou=s64sysadmin
BACKUP ou=s64backup
UPGRADE ou=s64upgrade
CACHEDNSADMIN ou=s64cachednsadmin
LOGINADMIN ou=s64loginadmin
SECURITYADMIN ou=s64securityadmin
SNMPADMIN ou=snmpadmin
VIEWER ou=s64viewer
Note Within the Secure64 DNS Cache local user database, you should create and assign all create roles to
disable the Installer role for security reasons. See About User Account Administration with RADIUS or
LDAP on page 31 for more information.
356
Chapter 9. Enabling RADIUS or LDAP for User Authentication
357
SECURE64 DNS CACHE 3.1
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Note After the activate command is entered, all subsequent logins are authenticated using LDAP. The
local user data base is consulted only if TCP communication to all configured LDAP servers fails or
LDAP authentication is stopped.
Example:
[view@Secure64DNS]> enable loginadmin
[loginadmin@Secure64DNS]# activate
Running configuration changed
[loginadmin@Secure64DNS]# save
running configuration successfully saved
358
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Note If users assigned to the loginadmin role are logged in when you disable LDAP, the users continue to have
LDAP authentication capability until they log out of the Secure64 DNS server and log in again.
Example:
[loginadmin@Secure64DNS]# no authenticate ldap
[loginadmin@Secure64DNS]# activate
Running configuration changed
[loginadmin@Secure64DNS]# save
Running configuration successfully saved
Example:
[loginadmin@Secure64]# show authenticate status
LDAP authentication disabled
RADIUS authentication disabled
359
SECURE64 DNS CACHE 3.1
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Note The contents of the ldap.conf file can differ from the activated configuration if you have not
issued commands to enable configuration changes (no authenticate ldap, authenticate ldap,
activate, and save).
Example:
[view@Secure64DNS]> show authenticate config ldap
#===Server URI(s)===#
#openLDAP server
URI ldap://192.168.95.65
#===search base===#
#search base for openLDAP
BASE dc=sec64,dc=com
#===search filter===#
#search filter for openLDAP
SEARCHFILTER cn
#===mappings===#
#mappings for openLDAP
SYSCREATE objectClass=s64syscreate
SYSADMIN objectClass=s64sysadmin
BACKUP objectClass=s64backup
UPGRADE objectClass=s64upgrade
CACHEDNSCREATE objectClass=s64cachednscreate
CACHEDNSADMIN objectClass=s64cachednsadmin
BGPCREATE objectClass=s64bgpcreate
BGPADMIN objectClass=s64bgpadmin
LOGINCREATE objectClass=s64logincreate
360
Chapter 9. Enabling RADIUS or LDAP for User Authentication
LOGINADMIN objectClass=s64loginadmin
SECURITYCREATE objectClass=s64securitycreate
SECURITYADMIN objectClass=s64securityadmin
SNMPCREATE objectClass=s64snmpcreate
SNMPADMIN objectClass=s64snmpadmin
VIEWER objectClass=s64viewer
#===local address===#
LOCALADDR 192.168.95.81
#===DN===#
#DN and password for openLDAP
BINDDN uid=root,ou=People,dc=sec64,dc=com
BINDPASSWD secret
361
SECURE64 DNS CACHE 3.1
Chapter 9. Enabling RADIUS or LDAP for User Authentication
Managing LDAP
Troubleshooting LDAP
When LDAP problems occur, error messages display at the command line and in syslog. You
can troubleshoot the issue by:
• Monitoring LDAP error logging in syslog
• Verifying the contents of the ldap.conf configuration file
• Checking network information
The following sections discuss each method.
Example:
[loginadmin@Secure64DNS]# authenticate ldap
Failed to start LDAP authentication client: Invalid argument
Failed to enable LDAP authentication.
362
Chapter 9. Enabling RADIUS or LDAP for User Authentication
363
SECURE64 DNS CACHE 3.1
Chapter 9. Enabling RADIUS or LDAP for User Authentication
364
Chapter 10. Information and Diagnostics
System Information and Diagnostics
If you configure the syslog server, application and system messages are recorded to syslog at the
log level you define. You can also connect a monitor to one of the machine’s VGA ports to
monitor activity. In addition, Secure64 DNS Cache includes a number of system utility
commands, which are described in this chapter.
Note To display up to 50 entries in the local log file, use the show syslog command at any Secure64
DNS Cache system prompt.
For a list of logging messages, causes, and explanations, see Appendix B. Syslog and System Boot
Messages on page 443. A sample output from syslog appears below. In this example, Secure64DNS
is the nodename of the Secure64 DNS Cache name server.
Note If you set the syslog logging level to 7 (LOG_DEBUG), it may affect performance due to the large volume
of messages sent to syslog. Enable log level 7 only for as long as needed to capture debug information.
365
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
Note The show commands listed here apply only to system settings such as networking. For configuration
information about DNS, use the show cachedns config command. For BGP, use the show
bgp config command. For RADIUS or LDAP, use the show authenticate config
command.
Example:
[sysadmin@Secure64]# show config
running configuration:
ifconfig eth2 192.168.110.100 255.255.255.0
ifconfig eth2.1 2001:db8:aaaa::/48
ifconfig eth3 192.168.95.86 255.255.255.0
ifconfig eth3.1 2001:db8:bbbb::/48
ifconfig lo0 192.168.130.110 255.255.255.255
console eth2
console eth3
console eth3.1
route asym
nameserver 0 192.168.127.1 6
nameserver 1 192.168.127.8 4
ntp 192.168.95.65
tz America/Denver
syslog 192.168.95.65
loglevel 0 50
nodename Secure64
No defense rules configured.
366
Chapter 10. Information and Diagnostics
ruleactions on
nullchecksums allow
timeout 0
ip frag timeout 5
ip frag high 40
ip frag low 30
367
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
Example:
[sysadmin@Secure64DNS]# ping eth0:1.1 192.168.95.95
ping to 192.168.95.95 on interface eth0:1.1
ping successful
Examples:
[view@Secure64DNS]> memstat
2916656 kilobytes of memory available
[view@Secure64DNS]> memstat -g
2.78 gigabytes of memory available
[view@Secure64DNS]> memstat -p
4194304 kilobytes of memory installed
[view@Secure64DNS]> memstat -p -g
4 gigabytes of memory installed
368
Chapter 10. Information and Diagnostics
Example:
[view@Secure64DNS]> df
Free drive space: 26,548,696 kilobytes, 5% full.
File nodes used: 484 files, 5% full.
Example (non-RAID):
[view@Secure64DNS]> show disks
disk: DG146BB976 slot: 5
capacity: 32718MB errors: 0
Example (RAID):
[view@Secure64DNS]> show disks
primary disk: DH036BB977 slot: 3
capacity: 38302MB status: okay errors: 0
369
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
To display information from the hardware sensors located on the Secure64 DNS Cache
hardware:
• Type show sensors and press ENTER.
Note Use the chassispoll command to set the interval for checking the hardware sensors. To
generate syslog messages for the power supply and other sensor changes, you must set a chassis
polling interval. For details, see Setting the Chassis Polling Interval on page 290.
370
Chapter 10. Information and Diagnostics
371
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
DIMM4A-R2 Temp: 0 C ok
DIMM5C-R2 Temp: 0 C ok
DIMM6B-R2 Temp: 0 C ok
DIMM1B-R3 Temp: 0 C ok
DIMM2C-R3 Temp: 0 C ok
DIMM3A-R3 Temp: 0 C ok
DIMM4A-R3 Temp: 0 C ok
DIMM5C-R3 Temp: 0 C ok
DIMM6B-R3 Temp: 0 C ok
DIMM1B-R4 Temp: 0 C ok
DIMM2C-R4 Temp: 0 C ok
DIMM3A-R4 Temp: 0 C ok
DIMM4A-R4 Temp: 0 C ok
DIMM5C-R4 Temp: 0 C ok
DIMM6B-R4 Temp: 0 C ok
IOR1 Temp Int: 27 C ok
IOR1 Temp ExtD1: 30 C ok
IOR1 Temp ExtD2: 28 C ok
IOR1 Temp ExtD3: 27 C ok
IOR2 Temp Int: 0 C ok
IOR2 Temp ExtD1: 0 C ok
IOR2 Temp ExtD2: 0 C ok
IOR2 Temp ExtD3: 0 C ok
PSU 1 Inlet Temp: 31 C ok
PSU 2 Inlet Temp: 46 C ok
Power Supply Sensors
Power Supply 1: installed
Power Supply 2: installed
Power Redundancy: redundancy lost
Voltage Sensors
1_5V IOH PWR: performance met
3_3V System PWR: performance met
5V PWR: performance met
5V HD_PWR: performance met
0_9V IOH PWR: performance met
1_1V IOH PWR: performance met
1_8V IOH PWR: performance met
1_1V CPU0 PWR: performance met
1_8V CPU0 PWR: performance met
1_1V CPU1 PWR: performance met
1_8V CPU1 PWR: performance met
MEM RISER1 PWR: performance met
MEM RISER2 PWR: performance met
372
Chapter 10. Information and Diagnostics
373
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
To display the Secure64 DNS Cache software version information (applies to all
modes):
• Type version and press ENTER.
The output includes the platform designation as follows:
If the Capacity Expansion Module is installed, the “CEM” designation displays after the
product name and before the version number. For more information about the CEM, refer to
Multiple Resolver Instances on page 176.
To display the Secure64 DNS Cache server processor information (applies to all
modes):
• Type cpuinfo and press ENTER.
374
Chapter 10. Information and Diagnostics
Note The processor code name is shown in italics for informational purposes, but it does not display in the
cpuinfo command output.
Example:
[view@Secure64DNS]> cpuinfo
GenuineIntel Itanium Processor 9300 Series 1.33 GHz
Number of enabled CPU cores : 4
Number of configured CPU cores: 4
cpu core 0: I/O-A
cpu core 1: App-1
cpu core 2: App-2
cpu core 3: App-3
Example:
[view@Secure64DNS]> uptime
CPU 8.7% (App CPU 0.6%, I/O CPU 16.9%), uptime 35 days, 03:18:15
375
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
To break down the information by core and/or processor type (applies to all modes):
• Execute the command with the appropriate argument(s):
uptime [[-cpu | -app | -io] [n]]
where:
-cpu requests information for both the application processor and the I/O processor
-app requests information for the application processor only
-io requests information for the I/O processor only
n is used with a processor argument (-cpu, -app, -io) to designate a specific processor
number to report; if not specified, all processor numbers are listed
The Secure64 DNS Cache server automatically assigns processor numbers as shown:
You can use the processor numbers with the uptime command to help identify and monitor
the load for a specific processor core. For example, CPU processor 2 is the equivalent of APP
processor 1.
Note The number of processors displayed are the number authorized for use by the Secure64 DNS
software, regardless of the number of available processors.
Examples:
[view@Secure64DNS]> uptime -cpu 3
APP-2 15.2%
376
Chapter 10. Information and Diagnostics
377
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
Example:
[view@Secure64DNS]> show interfaces
Interfaces:
378
Chapter 10. Information and Diagnostics
Note Because the loopback interface is virtual, the Ethernet address and IPv6 link local address are not
applicable in the show interfaces output.
379
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
Example:
[sysadmin@Secure64]# netstat
Ip:
569817 packets delivered to upper layer protocol
575376 total packets received
0 received header errors
0 fragments received
0 successfully reassembled packets
0 failed reassembled packets
0 sent packets fragmented
0 fragmented packets failed
0 fragments created
Arp:
506 requests received
506 replies sent
108 requests sent
108 replies received
0 outbound IP packets dropped because of full queue
Dns:
100115 valid queries received
0 short requests received
0 illegal responses received
Icmp:
50 messages received
0 messages received with failed checksums
Icmp incoming histogram:
0 destination unreachable
0 time exceeded
0 invalid parameters
0 source quenches
0 redirects
380
Chapter 10. Information and Diagnostics
40 echo requests
0 echo replies
0 time stamp requests
0 time stamp replies
0 address mask requests
0 address mask replies
126 unknown/invalid requests
40 outgoing messages sent
0 outgoing messages failed
Icmp outgoing histogram:
0 destination unreachable
0 time exceeded
0 invalid parameters
0 source quenches
0 redirects
0 echo requests
40 echo replies
0 time stamp requests
0 time stamp replies
0 address mask requests
0 address mask replies
Tcp:
0 syns received with hash table full
907 syns received
907 syn acks sent
907 acks received establishing a connection
0 packets with bad MD5 received
Udp:
196742 packets received
1 packets received with errors
205443 packets sent
307 packets to unknown port received
196446 packets queued
0 packets dropped when queue was full
0 packets filtered
0 rules rejected
381
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
Example:
[view@Secure64]> show ip route
Destination Gateway Genmask Interface
192.168.25.0 192.168.95.61 255.255.255.0 eth5
0.0.0.0 192.168.127.1 0.0.0.0 eth1
10.95.0.0 0.0.0.0 255.255.255.0 eth5:95
192.168.95.0 0.0.0.0 255.255.255.0 eth5
63.146.91.192 0.0.0.0 255.255.255.248 eth4
10.10.0.0 0.0.0.0 255.255.255.0 eth3:10
10.20.0.0 0.0.0.0 255.255.0.0 eth3
192.168.127.0 0.0.0.0 255.255.255.0 eth1
192.168.64.0 0.0.0.0 255.255.255.0 eth0
Example:
[view@Secure64]> show ipv6 route
Destination Gateway prefix length
2000:: 2001:470:1f04:ad8:1::2 3
2002::1 :: 64
2001:470:1f04:ad8:1::51 :: 80
Note To view IPv6 information for interfaces, see Displaying IPv6 Addresses Assigned to Interfaces on
page 383.
382
Chapter 10. Information and Diagnostics
To display IPv6 addresses assigned to physical interfaces for the Secure64 DNS server
(applies to any mode):
• Type show ipv6 addr or show ipv6 and press ENTER.
The information includes the IPv6 address scope in accordance with RFC 4291:
• Link scope: Limited to the physical “wire” (allows for switches, but not routers) that the
interface is connected to. Usually, the link local address is automatically generated when
the interface is activated. These addresses never cross routers.
• Global scope: Assigned from the regional registry, the global scope address is globally
unique and fully routed.
• Multicast scope: Defined multicast groups identify IPv6 nodes within a given scope.
Defined groups include interface local all-nodes group (FF01::1) and link-local all-nodes
group (FF02::1). IPv6 makes extensive use of multicast for automatic address
management.
Example:
[view@Secure64]> show ipv6 addr
eth1.1
fe80::21a:4bff:fe06:45df/64 preferred Scope:Link
fd64:0:0:127::99/64 preferred Scope:Global
ff02::1:ff06:45df/64 preferred Scope:Multi
eth2.0
fe80::204:23ff:fec4:288/64 preferred Scope:Link
fd64:0:0:10::99/64 preferred Scope:Global
ff02::1:ffc4:288/64 preferred Scope:Multi
eth5.1
fe80::204:23ff:fec4:23b/64 preferred Scope:Link
fd64:0:0:95::99/64 preferred Scope:Global
ff02::1:ffc4:23b/64 preferred Scope:Multi
lo0.0
2002::1/64 preferred Scope:Link
2002::1/64 preferred Scope:Global
383
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
Example:
[sysadmin@Secure64DNS]# comm
Serial Interfaces:
[0]: ttyS0
To display the current settings for the defined interface, where <interface> is the serial
interface:
1. Log into Secure64 DNS Cache with an account that is assigned to the sysadmin role.
2. Type enable sysadmin and press ENTER to enable the system administration mode.
3. Type comm <interface> and press ENTER
Example:
[sysadmin@Secure64DNS]# comm ttyS0
ttyS0 115200 8N1 None
To display the console connections and users currently logged into the Secure64 DNS
Cache server (applies to all modes and includes users logged in with RADIUS or LDAP
authentication):
• Type who and press ENTER
Examples:
[view@Secure64DNS]> who
serial: tester
[view@Secure64DNS]> who
Joe 10.139.0.234:2459
tester 10.139.0.234:2461
384
Chapter 10. Information and Diagnostics
To display information about the system’s RSA key (applies to all modes):
• Type show fingerprint and press ENTER.
Example:
[view@Secure64DNS]> show fingerprint
RSA key fingerprint is
15:5a:08:bb:37:23:5a:c8:b0:f4:26:81:4e:a3:e0:2d.
385
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
386
Chapter 10. Information and Diagnostics
Item Description
Active clients The number of unique IP addresses that are being tracked. An IP address is
tracked when it has a mitigation rule associated with the type of network traffic it
is sending.
For information about rules, see Configuring UDP Rate Limit or Drop Rules on
page 234, Configuring TCP Rules for SSH and DNS Traffic on page 236, and
DNS RRtype Filtering Rules on page 238.
Blacklisted The number of active clients on the blacklist (temporarily prevented from
communicating).
Graylisted The number of active clients on the graylist (allowed to send traffic, but strong
candidate for blacklisting).
Incoming SYN The rate of TCP SYN packet arrival.
Established TCP The number of established TCP sessions.
Incoming ssh The rate of attempted (not established) ssh sessions.
No listener The rate of packets arriving on closed UDP/TCP ports, where no process is
listening on a port. If the 1-minute average exceeds 61 (a packet per second or
more), a SYSTEM:DDOS warning regarding possible malicious activity is
generated in syslog.
Aggregate drops The rate of packets dropped due to an established rule.
Free controllers The number of internal control structures available for handling flood and attack
mitigation. The number drops as more active clients are established. If the
number reaches zero, no additional active clients can connect. Note: There is not
a one-to-one correspondence between the number of free controllers and the
number of active clients, but the number must be higher than zero for the self-
defense system to handle more connections.
Top offenders Displays the top attacking IP addresses and related information.
387
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
Using BFD
You can configure the Secure64 DNS Cache server to use the bidirectional forwarding
detection (BFD) protocol to provide fast failover detection for configured remote peers. BFD
makes no routing decisions. It simply detects and informs routers whether or not the session
between BFD peers is still operational.
Although it is independent from BGP, you can use BFD in conjunction with BGP because it
typically detects failures faster than BGP. (For more information about using BGP with
Secure64 DNS Cache, see Chapter 8. Enabling BGP for Anycast on page 303.)
Configuring BFD
Attribute: Value
Example(s) Description
interface: <IP address> IPv4 or IPv6 address of the Secure64 DNS Cache server
interface: 192.168.127.99 to listen on for incoming BFD packets. This must be a
configured interface on the server and at least one
interface is required.
peer: <IP address> <rx_interval> A remote BFD peer, where:
<tx_interval> <multiplier> <IP address> IPv4 or IPv6 address of the remote BFD
peer: 192.168.2.1 100 100 5 peer.
<rx_interval> The minimum interval between received
BFD control packets in milliseconds. Typical values are
between 100 and 10000. Values higher than 10000
defeat the purpose of BFD. Values lower than 100 can
result in instability of the BFD session.
<tx_interval> The minimum interval when transmitting
BFD control packets in milliseconds. Typical values are
between 100 and 10000. Values higher than 10000
defeat the purpose of BFD. Values lower than 100 can
result in instability of the BFD session.
<multiplier> The amount to multiply the negotiated
transmit interval by to determine the connection failure
detection time. Typical values are 3-10. Higher values
result in increased failure detection time, and lower
values can result in instability of the BFD session.
There must be at least one peer configured.
4. If you want to add comments, proceed the comment lines with the # symbol.
5. Save the bfd.conf configuration file.
388
Chapter 10. Information and Diagnostics
BFD Commands
Note If you want BFD to automatically start/stop when you start/stop the DNS server, add the following to the
server: section of the cache.conf configuration file:
bfd-auto-start: yes
Example:
[cachednsadmin@Secure64]# start bfd
BFD started
Example:
[cachednsadmin@Secure64]# stop bfd
BFD stopped
Example:
[cachednsadmin@Secure64]# show bfd status
BFD service is running
389
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
Example:
[cachednsadmin@Secure64]# show bfd info
390
Chapter 10. Information and Diagnostics
Implementing SNMP
About SNMP and Secure64 DNS Cache
You can configure the Secure64 DNS Cache software to act as an SNMP (Simple Network
Management Protocol) host agent for reporting information about the server. As an SNMP host
agent, Secure64 DNS Cache supports a set of managed information bases (MIBs) that you can
import into an SNMP management application or NMS (Network Management System) to
retrieve information about the server. It also supports sending a variety of SNMP traps related to
the server and mitigation of attack behavior.
The Secure64 DNS Cache SNMP host agent:
• Complies with SNMP v2c as defined in RFC 1901, RFC 1905, and RFC 1906
• Supports SNMP get requests (GetRequest, GetNextRequest, and GetBulkRequest)
• Does not support SNMP set requests
• Sends SNMP v2c trap notifications to the configured SNMP management application or
NMS
• Uses the IANA PEN (Private Enterprise Number) 28428
• Supports multiple SNMP hosts
• Supports traditional access methods and does not currently support View-based Access
Control Model (VACM)
• Provides the snmpadmin operational role, which administers the snmpd.conf
configuration file and commands for configuring and managing the Secure64 DNS Cache
SNMP host agent
391
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
RFC or Secure64
MIB Filename Proprietary Description
SNMPv2-MIB.txt RFC 3418 Standard SNMPv2 MIB objects and traps.
HOST-RESOURCES-MIB.txt Host resources MIB objects; used with HOST-
RFC 2790
RESOURCES-TYPES.txt.
HOST-RESOURCES-TYPES.txt Type definitions for storage, device, and file system
RFC 2790
types; used with HOST-RESOURCES-MIB.txt.
IF-MIB.txt RFC 2863 Network interfaces MIB objects.
IP-MIB.txt RFC 4293 IP and ICMP MIB objects.
TCP-MIB.txt RFC 4022 TCP MIB objects.
UDP-MIB.txt RFC 4113 UDP MIB objects.
Secure64 product platform object identifiers, resulting
Secure64 in the sysObjectID value of 1.3.6.1.4.1.28428.1.3 for
SECURE64-PRODUCTS-MIB.txt
Proprietary Secure64 DNS Cache and 1.3.6.1.4.1.28428.1.4 for
Secure64 DNS Signer; requires SECURE64-SMI.txt.
S64-MITIGATION-MIB.txt Mitigation and defense traps for irregular traffic flows
Secure64 directed at the Secure64 DNS server. See Secure64
Proprietary Mitigation Trap Type Categories and Notifications on
page 406 for details. Requires SECURE64-SMI.txt.
S64-CACHE-MIB.txt Caching server statistics and metrics objects. Refer to
Secure64
the MIB contents for details. Requires SECURE64-
Proprietary
SMI.txt.
S64-CHASSIS-MIB.txt Secure64 Information about the state of the Secure64 hardware
Proprietary platform.
SECURE64-SMI.txt Secure64
Secure64 Structure of Management Information (SMI).
Proprietary
Note Not all objects within the RFC standard MIBs apply to the Secure64 DNS Cache server or are
supported.
392
Chapter 10. Information and Diagnostics
393
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
Standard IETF MIBs, such as IF-MIB.txt and IP-MIB.txt, are normally included with the NMS software.
You can also find the IETF MIBs in MIB repositories such as http://www.mibDepot.com.
2. Import the SMI file and MIB files into your NMS software.
3. Follow the procedures as outlined in your NMS software to configure SNMP for use
with the Secure64 DNS Cache server SNMP host agent.
394
Chapter 10. Information and Diagnostics
395
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
Command Description
auto-start <yes|no> Determines whether the SNMP host agent starts
auto-start yes automatically upon boot.
If undefined, the default is no.
Define the Secure64 DNS Cache listening
address(es) for incoming SNMP requests. For the
server to respond to SNMP requests, you must
define at least one agentadress and either
rocommunity or rocommunity6.
For UDP over IPv4 transport, use the udp prefix.
agentaddress <udp|udp6>:<transport_address>[:port] For UDP over IPv6 transport, use the udp6 prefix.
agentaddress udp:192.168.2.1 For transport-address, use a dotted decimal IPv4
agentaddress udp6:[2001:470:1f04:446:f002::1] address (udp), or a hexadecimal IPv6 address
agentaddress udp:192.168.127.99:161 wrapped by square braces (udp6).
For multiple addresses, use multiple
agentaddress lines.
Note: You must use IP address(es) configured for
Secure64 DNS Cache. If you need to configure
an IP address, see Adding and Removing IP
Addresses for Interfaces on page 276.
rocommunity <community> [source_ip/prefix [OID]] If one or more udp agentaddress(es) are
rocommunity myprivatecommunity specified, a corresponding rocommunity is
rocommunity public 192.168.2.0/24 required. Define an SNMPv2c community for
rocommunity public 192.168.2.0/24 .1.3.6.1.2.1.1 traditional read-only (GET and GETNEXT)
access.
To restrict access to a specified system or
systems, define source_ip/prefix as an IPv4
address followed by the prefix size.
To restrict access to a subtree, define OID as the
root of the subtree to restrict access to.
rocommunity6 <community> [source_ip/prefix [OID]] If one or more udp6 agentaddress(es) are
rocommunity6 myprivatecommunity specified, a corresponding rocommunity6 is
rocommunity6 public 2001:470:1f04:446:f002::/96 required. Define an SNMPv2c community for
traditional read-only (GET and GETNEXT)
access.
To restrict access to a specified system or
systems, define source_ip/prefix as an IPv6
address followed by the prefix size.
To restrict access to a subtree, define OID as the
root of the subtree to restrict access to.
396
Chapter 10. Information and Diagnostics
397
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
398
Chapter 10. Information and Diagnostics
To view your current system configuration, which includes configured interfaces and IP
addresses:
• Type show config at any prompt, and press ENTER.
Example:
[sysadmin@Secure64DNS]# show config
running configuration:
ifconfig eth0 192.168.95.99 255.255.255.0
ifconfig eth1 192.168.127.99 255.255.255.0
console eth0
route default 10.81.0.2
route sym
nameserver 0 192.168.95.95 4
ntp 2001:db8::1
tz MST7MDT
syslog 192.168.95.95
loglevel 5 75
nodename Secure64DNS
No defense rules configured.
rule actions enabled
nullchecksums disallow
timeout 300
ip frag timeout 5
ip frag high 40
ip frag low 30
399
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
Note You can configure each physical interface with multiple IP addresses and define VLAN IDs, up to a
total allocation of 256 IP addresses for the server. In addition, you can use the same IP address for
multiple services, including the console, the DNS server, BGP, SNMP, and other services.
Note You must stop and start SNMP to read the new configuration. This clears the current SNMP session.
400
Chapter 10. Information and Diagnostics
Command Description
SNMP administration commands
start snmp Reads the snmpd.conf configuration file and enables SNMP host
agent services for Secure64 DNS Cache.
stop snmp Stops SNMP services for Secure64 DNS Cache.
sendtrap <type> Sends the specified S64-MITIGATION-MIB trap type event or S64-
CHASSIS-MIB trap type event for testing purposes.
For S64-MITIGATION-MIB traps, specify <type> as one of the following:
blacklist, blacklistactive, blacklistinactive, graylist, graylistactive,
graylistinactive, packetfloodstart, packetfloodend, synfloodstart,
synfloodend.
For S64-CHASSIS-MIB traps, specify <type> as one of the following:
temperaturetrap, voltagetrap, fantrap, chassisintrusiontrap,
powersupplytrap, powerredundancytrap
For details, see Secure64 Mitigation Trap Type Categories and
Notifications on page 406.
SNMP information commands (Available in all modes)
show snmp config Displays the information in the snmpd.conf configuration file.
show snmp info Displays details about SNMPv2-MIB information
show snmp status Displays the current state of the SNMP system in Secure64 DNS Cache.
401
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
Example:
[snmpadmin@Secure64DNS]# start snmp
Started transport, UDP: [192.168.95.113]:161.
Started transport, UDP: [192.168.127.113]:161.
Successfully started snmp agent
Example:
[snmpadmin@Secure64DNS]# stop snmp
Stopping snmp
Successfully stopped transport, UDP: [192.168.95.113]:161.
Successfully stopped transport, UDP: [192.168.127.113]:161.
Successfully stopped snmp
Note Secure64 DNS Cache also generates messages related to the status of the SNMP server in syslog.
For details, see System Logging Messages on page 443
402
Chapter 10. Information and Diagnostics
Example:
[view@Secure64DNS]> show snmp status
snmp agent is running
Example:
[view@Secure64DNS]> show snmp info
snmp agent info:
snmpInPkts 0
snmpOutPkts 1
snmpOutTraps 1
snmpInBadVersions 0
snmpInBadCommunityNames 0
snmpInBadCommunityUses 0
snmpInASNParseErrs 0
snmpEnableAuthenTraps 0
snmpSilentDrops 0
snmpProxyDrops 0
403
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
Example:
[view@Secure64DNS]> show snmp config
auto-start off
blacklist-interval 0
graylist-interval 0
maxGetbulkRepeats 0
maxGetbulkResponses 100
agentaddress 192.168.127.113,192.168.95.113
rocommunity public 192.168.95.99
syscontact m@whitehall
sysname jackrabbit
sysdescr Secure64 DNS server
syslocation server room
synfloodtrapenable is disabled
blacklisttrapenable is disabled
packetfloodtrapenable is disabled
graylisttrapenable is disabled
Testing SNMP
In addition to the SNMP commands in Secure64 DNS Cache described in Using SNMP
Commands on page 401, you can use the Net-SNMP software suite (www.netsnmp.org) to test
and troubleshoot SNMP. The Net-SNMP suite includes command-line applications to:
• Retrieve information from an SNMP-capable device, either using single requests
(snmpget, snmpgetnext), or multiple requests (snmpwalk, snmptable, snmpdelta).
Note To obtain all of the SNMP information from a Secure64 DNS server, issue the following command from
a system that has the Net-SNMP software installed:
snmpwalk -v 2c -r 0 -c <community_name> <S64_server_ipaddresss> 1.3
404
Chapter 10. Information and Diagnostics
Troubleshooting SNMP
If the SNMP host agent is not responding as expected, you can troubleshoot the issue by:
• Monitoring SNMP error logging in syslog
Secure64 DNS Cache sends SNMP-related messages to syslog. The number and type of
messages sent depend upon the severity level configured. For more information about
configuring syslog, see Managing Syslog Servers and Local Logging on page 269.
• Verifying the contents and syntax of the snmpd.conf configuration file using the show
snmp config command
• Checking SNMP information using the show snmp info command
• Using the Net-SNMP tool or other tools
where:
-P <port> is the optional destination port
<user> is the user account assigned to the snmpadmin role
<host> is the Secure64 DNS Cache server IPv4 address, [IPv6 address] in square
brackets, or hostname
<backup_dest> is the destination for the backup files
where:
-P <port> is the optional incoming SSH port (if different than port 22, see Adding and
Removing Console Interfaces on page 281 for information about changing the default port)
<backup_dest> is the location of the backup files,
<user> is a user account assigned to the snmpadmin role, and
<host> is the Secure64 DNS Cache server IPv4 address, [IPv6 address] in square
brackets, or hostname
405
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
Note To receive black list, gray list, and packet flood traps, you must configure one or more mitigation rules
and attach the rule(s) to the Secure64 DNS Cache name server. This is in addition to importing the
S64-MITIGATION-MIB into your NMS. For details, see Configuring UDP Rate Limit or Drop Rules on
page 234, Configuring TCP Rules for SSH and DNS Traffic on page 236, and DNS RRtype Filtering
Rules on page 238.
406
Chapter 10. Information and Diagnostics
Blacklist Traps
The blackListActive, blackListInActive, and blackList traps and objects listed in the following
table are sent when you enable the blacklist trap type category with the blacklisttrapenable
configuration attribute in the snmpd.conf configuration file.
Note To receive black list, gray list, and packet flood traps, you must configure one or more mitigation rules
and attach the rule(s) to the Secure64 DNS Cache name server. This is in addition to importing the S64-
MITIGATION-MIB into your NMS. For details, see Configuring UDP Rate Limit or Drop Rules on
page 234, Configuring TCP Rules for SSH and DNS Traffic on page 236, and DNS RRtype Filtering
Rules on page 238.
407
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
Graylist Traps
The grayListActive, grayListInActive, and grayList traps and objects listed in the following table
are sent when you enable the graylist trap type category with the graylisttrapenable
configuration attribute in the snmpd.conf configuration file.
Note To receive black list, gray list, and packet flood traps, you must configure one or more mitigation rules
and attach the rule(s) to the Secure64 DNS Cache name server. This is in addition to importing the
S64-MITIGATION-MIB into your NMS. For details, see Configuring UDP Rate Limit or Drop Rules on
page 234, Configuring TCP Rules for SSH and DNS Traffic on page 236, and DNS RRtype Filtering
Rules on page 238.
408
Chapter 10. Information and Diagnostics
Note To receive black list, gray list, and packet flood traps, you must configure one or more mitigation rules
and attach the rule(s) to the Secure64 DNS Cache name server. This is in addition to importing the S64-
MITIGATION-MIB into your NMS. For details, see Configuring UDP Rate Limit or Drop Rules on
page 234, Configuring TCP Rules for SSH and DNS Traffic on page 236, and DNS RRtype Filtering
Rules on page 238.
409
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
410
Chapter 10. Information and Diagnostics
blacklist
blacklistactive
blacklistinactive
graylist
graylistactive
graylistinactive
packetfloodstart
packetfloodend
synfloodstart
synfloodend
3. If the trap is sent successfully, the system displays Trap sent.
Example:
[snmpadmin@Secure64DNS]# sendtrap blacklist
Trap sent
If the trap is not sent successfully, the system displays an error message:
• Unrecognized Trap Type- Verify that you are entering the command and the trap event
type using correct spelling and upper- and lower-case letters.
• sendtrap failed- Type show snmp config and verify SNMP settings. If you change the
configuration or make corrections to it, type stop snmp and start snmp to read the
changes before retrying the test trap. Secure64 DNS Cache also generates messages
related to the status of the SNMP server in syslog.
411
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
Note The S64-CHASSIS-MIB must be installed on your NMS. For details, see Importing the Secure64 DNS
Cache MIBs into the NMS on page 394.
412
Chapter 10. Information and Diagnostics
413
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
If the trap is not sent successfully, the system displays an error message:
• Unrecognized Trap Type- Verify that you are entering the command and the trap
event type using correct spelling and upper- and lower-case letters.
• sendtrap failed- Type show snmp config and verify SNMP settings. If you change
the configuration or make corrections to it, type stop snmp and start snmp to read
the changes before retrying the test trap. Secure64 DNS Cache also generates messages
related to the status of the SNMP server in syslog.
414
Chapter 10. Information and Diagnostics
Note The output of the dig command is a representation of a DNS message. For a detailed description of DNS
message contents, refer to RFC 1035, RFC 2136, and http://www.zytrax.com/books/dns/ch15/.
415
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
Component Description
server Name or IPv4/IPv6 address of the DNS server to query. If you define a host name,
dig attempts to resolve the name before querying the server.
Note: You can query the same server you are running the dig command on.
name Host of domain name for the query.
type Type of resource record (RR) to query. Supported types include:
A (default if none specified)
AAAA
AFSDB
APL
AXFR
CERT
CNAME
DNAME
DS
HINFO
ISDN
IXFR=sn (where sn is the SOA serial number)
KX
LOC
MG
MINFO
MR
MX
NAPTR
NS
NSAP
NXT
PTR
PX
RP
RT
SOA
SRV
SSHFP
TLSA
TXT
WKS
X25
416
Chapter 10. Information and Diagnostics
+queryopt Query option keywords. Precede each query option with a plus symbol (+). Some
keywords set or reset an option, using the string 'no' to negate the meaning of the
keyword. Other keywords assign values to options and have the form
+keyword=value.
+[no]tcp
Use [do not use] TCP when querying name servers. The default behavior is to use
UDP unless an AXFR or IXFR query is requested, which uses TCP.
+[no]cdflag
Set [do not set] the CD (checking disabled) bit in the query. Use +cdflag to
disable DNSSEC validation of responses by the destination server.
+[no]short
Provide [do not provide] a terse answer. The default is verbose.
+time=<seconds>
Set the timeout for a query to seconds. The default is 5 seconds, and the minimum
is 1 second.
+tries=<number>
Set the number of times to try UDP queries. The default is 3, and the minimum is 1.
+retry=<number>
Set the number of times to retry the UDP queries. The default is 2. Unlike
+tries, this does not include the initial query.
+bufsize=<B>
Set the UDP message buffer size advertised using EDNS0 to <B> bytes.The
maximum and minimum sizes of this buffer are 65535 and 0, respectively. Values
other than zero cause an EDNS query to be sent.
+[no]dnssec
Request [do not request] DNSSEC records by setting the DNSSEC OK bit (DO) in
the OPT record in the additional section of the query.
417
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
-flag -o <filename>
Define a file to use for storing the dig queryoutput. When performing an AXFR or
IXFR query, use this option to avoid displaying large amounts of data. (Note: This
option is available only to the cachednsadmin role. The sysadmin role does not
have file system privileges.)
-p <port>
Define an alternate port of the DNS server to query. If not defined, the default is
DNS port 53.
-b <ip_address>[#port]
Define a source IP address and optional port to send the query from. The address
must be locally configured.
-k <filename>
Specify a TSIG key file to sign the DNS queries and responses using transaction
signatures.
-y [<hmac>:]<name>:<key>
Specify a TSIG key on the command line.
<hmac>
The type of TSIG, defaulting to hmac-md5 if not defined
<name>
The name of the TSIG key.
<key>
The base-64 encoded key string.
Note: Because you can expose the key information, use only if the -k <filename>
option is not available.
Examples:
• Get the A record for any record without a label and return the SOA for the host or
domain:
[cachednsadmin@Secure64DNS]# dig @192.168.127.99 s64
; <<>> DiG SourceT 3.x <<>> @192.168.127.99 s64.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37363
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;s64. IN A
;; AUTHORITY SECTION:
s64. 3600 IN SOA z97. root.localhost. (578 60 100 602200 604800)
418
Chapter 10. Information and Diagnostics
419
SECURE64 DNS CACHE 3.1
Chapter 10. Information and Diagnostics
420
Appendix A. Command Reference
This appendix lists and describes commands for the view, create (syscreate, cachednscreate,
bgpcreate, logincreate, securitycreate, and snmpcreate), sysadmin, cachednsadmin, bgpadmin,
loginadmin, securityadmin, snmpadmin, and upgrade roles. For additional details about
roles, see Roles and User Accounts on page 27.
Note The backup role has scp access to Secure64 DNS Cache only. The role does not have command line
access, and therefore does not execute commands on the server.
Command Description
Log in/log out commands
Enters system administration mode (from view mode only). The user
enable sysadmin
invoking this command must be assigned to the sysadmin role.
Enters DNS administration mode (from view mode only). The user invoking
enable cachednsadmin
this command must be assigned to the cachednsadmin role.
Enters BGP administration mode (from view mode only). The user invoking
enable bgpadmin
this command must be assigned to the bgpadmin role.
Enters login administration mode (from view mode only) for authentication
enable loginadmin and login configuration. The user invoking this command must be assigned
to the loginadmin role.
Enters security administration mode (from view mode only). The user
enable securityadmin
invoking this command must be assigned to the securityadmin role.
Enters SNMP administration mode (from view mode only). The user
enable snmpadmin
invoking this command must be assigned to the snmpadmin role.
Enters upgrade mode (from view mode only). The user invoking this
enable upgrade
command must be assigned to the upgrade role.
Enters user administration mode (from view mode only). The user invoking
enable [syscreate|cachednscreate|
this command must be assigned to the syscreate, cachednscreate,
bgpcreate|logincreate|securitycreate|
bgpcreate, logincreate, securitycreate, and/or snmpcreate role. If at least
snmpcreate]
one user is assigned to all of the create roles, the Installer user is disabled.
Ends the current operational mode. In sysadmin, cachednsadmin,
exit or quit bgpadmin, securityadmin, snmpadmin, or create mode, exits to view
mode. In view mode, exits the system.
421
SECURE64 DNS CACHE 3.1
Appendix A. Command Reference
Command Description
Sets the password for a local user account. User accounts can modify their
own passwords and optionally omit the username parameter. User
accounts assigned to a create role define the password for the specified
passwd [username]
username, if the create role is authorized to modify the specified username
account. Passwords must be a minimum of 8 characters and include at
least 3 alphabetic characters and at least 1 non-alphabetic character.
System information commands
cpuinfo Displays processor information.
date Displays the current date and time.
Displays the current amount of available disk drive space in kilobytes.
df
(1KB=1024 bytes)
help [command] Displays the commands available in the current mode. To display help for
? [command] a specific command, include the [command] name.
memstat [-b | -k | -m | -g ] [-p] Displays available memory in kilobytes. Add -b to specify bytes, -k for
kilobytes, -m for megabytes, or -g for gigabytes. Add -p to display total
physical memory instead of available memory.
netstat [clear] Displays network statistics since last server boot or the last time statistics
were cleared with the netstat clear command.
show <cmd> Where cmd is interfaces, config, saved, or pending.
interfaces — displays information about the available physical network
interfaces, which are sequentially numbered beginning at zero.
pending — displays configuration information that is invoked when the
administrator enters the activate command in sysadmin mode
config — displays currently running system configuration
saved — displays stored configuration information, which persists after
system boot
show cachedns config [display Displays the contents of the cache.conf configuration file for the DNS
option] server. Use the display option to display a subset of the active
configuration. Options include basic, sizes, local, security, validation, zone,
nxdomain, and views.
show cachedns info [views Displays DNS statistics, if queries have been received and the server is
viewname] [instance] running. For information about a specific view, add the views argument
and the viewname to display. For information about a specific resolver
instance number, add the number of the instance.
show cachedns reload status Displays the status of the cachedns reload command operations.
show cachedns status Displays the current DNS status of the Secure64 DNS Cache server. If
multiple resolver instances are running, the number of instances are also
reported.
show authenticate config <radius | Displays the specified RADIUS or LDAP configuration information. If
ldap> [<server>] specified, information displays only for the given RADIUS or LDAP server
hostname, IPv4 address, or [IPv6] address.
show authenticate info <radius | ldap> Displays a list of RADIUS or LDAP servers in the radius.conf or
ldap.conf configuration file.
show authenticate status Displays the current authentication status of the Secure64 DNS Cache
server.
show autostart status Displays the current autostart and reboot cycle status.
show bgp config Displays the contents of the bgp.conf configuration file for BGP.
422
Appendix A. Command Reference
Command Description
show bgp fib <filter> Displays routes from the Secure64 DNS server's Forwarding Information
Base.
Note: If the FIB information contains a large number of routes, displaying
this information may require some time to complete.
For <filter>, define a specific IP address or one of the options below:
connected: Show only connected routes
static: Show only static routes
bgp: Show only routes originating from the Secure64 DNS server
nexthop: Show only routes required to reach a BGP nexthop.
show bgp info Displays information about the messages sent and received by BGP on
the Secure64 DNS Cache server.
show bgp interfaces Displays the interface states.
show bgp neighbor <peer> <modifier> Displays detailed information about the neighbor identified by the peer.
<peer> can be the neighbor's IPv4/IPv6 address or description, according
to the modifier defined.
For <modifier>, define one of the options below:
messages: Show statistics about sent and received BGP messages.
timers: Show the BGP timers.
show bgp nexthop Displays the list of BGP nexthops and the result of their validity check.
show bgp rib [options] [filter] Show routes from the RIB.
Note: If the RIB information contains a large number of routes, displaying
this information may require some time to complete.
For [options]:
detail: Show more detailed output for matched routes.
For [filter]:
<address>: Show best matching route for the address.
as <as>: Show all entries with <as>anywhere in the AS path.
source-as <as>: Show all entries with <as> as the rightmost AS.
transit-as <as>: Show all entries with <as> anywhere but rightmost.
neighbor <peer>: Show only entries from the specified peer.
summary: Display a list of all neighbors, including information about the
session state and message counters.
memory: Show RIB memory statistics.
show bgp status Displays the current state of the BGP system in Secure64 DNS Cache.
show bgp summary Displays a list of all neighbors, including information about the session
state and message counters.
show bgp summary terse Displays a list of all neighbors, including information about the session
state, in a condensed format.
show comm Displays the available serial devices. (Note: This replicates the comm
command in the sysadmin role.)
show bfd status Displays the current state of the BFD service in Secure64 DNS Cache.
show bfd info Displays details about the current BFD session.
show bfd config Displays the BFD configuration.
423
SECURE64 DNS CACHE 3.1
Appendix A. Command Reference
Command Description
show defense config Displays configuration information related to mitigation rules configured on
the Secure64 DNS Cache server.
show defense info Displays information about TCP, SSH, and other activity coming into the
Secure64 DNS Cache server.
show disks Displays information about the disk or disks used by the file system.
show fingerprint Displays the system’s RSA fingerprint.
show ip route Displays the IPv4 routing information.
show ipv6 [addr|route] Display the IPv6 addresses assigned to the Secure64 DNS server
interfaces, or display the IPv6 routing information.
show ntp [keys] Displays status information about the NTP server(s) configured for the
Secure64 DNS server. Add the keys argument to display information
about NTP keys for authentication.
show roles If the user account is assigned a create role, displays all of the roles and
users assigned. Otherwise, displays the role assigned to the current user
account only.
show rtqm <N> [T] <clients|domains> Displays real time query monitoring information to identify the top number
of defined client queries, where N is the number of clients to display (from
1 to 1000); T is the optional number of minutes to monitor (minimum of 1; if
not defined the default is 1 minute), and clients|domains is the IP address
of the requesting clients (clients) or domain names being queried for
(domains). To display information, real time query monitoring must first be
started with the start rtqm command.
show sensors Displays hardware sensor status information.
show snmp config Displays SNMP configuration information.
show snmp status Displays whether SNMP is running.
show snmp info Displays SNMP object information.
show syslog [status] If status is not specified, displays up to 50 entries from the local log file.
If status is specified, displays information about all active syslog servers.
show users If the user account is assigned a create role, displays all user accounts.
Otherwise, displays the current user account only.
show zone status zone <zone> Displays status information about the specified zone.
uptime [[-cpu | -app | -io] [#]] Shows CPU utilization and the amount of time the system has been
running. Use the options to specify CPU, APP, and/or I/O information or a
processor #.
version Shows the Secure64 DNS Cache software version information.
who Shows the user accounts currently logged in to the Secure64 DNS Cache
server, including RADIUS or LDAP accounts.
424
Appendix A. Command Reference
Command Description
adduser <username> -a <days> [options] Adds the username to the list of valid user accounts for Secure64
DNS Cache.
The username must consist of 3-32 characters, start with an alpha
character, and contain alphanumeric characters (after the first
character). The -a <days> account aging attribute (required) defines
the number of days of inactivity before disabling the account. It is
configurable to 0 to disable feature (weakens security), or between
20-90 days.
Available options are:
[-r realname] Displays in the show users command results, with up
to 64 alphanumeric characters and 10 words
[-p password_age] System defaults to 60 days before requiring users
to change password. Configurable to 0 to disable feature (weakens
security), or between 20-90 days.
[-c lockout_count] System defaults to lock out a user account after
greater than 3 failed logins, for the number of minutes defined by the
-t lockout-time. Configurable to 0 to disable feature (weakens
security), or between 3-5 attempts.
[-i lockout_interval] System defaults to 60 minutes before resetting
the lockout counter. Configurable to 0 to disable feature (weakens
security), or between 15-60 minutes.
[-t lockout_time] If the user account has been locked out, system
defaults to lock out the account for 60 minutes. Configurable to 0 to
require the loginadmin to reset locked out user, or between 15-60
minutes.
[-h history] System defaults to preventing the user from re-using the
last 5 passwords for the user account. Configurable to 0 to disable
feature (weakens security), or between 0-5 passwords.
deluser <username> Removes a user account from Secure64 DNS Cache. This command
requires that you first use the usermod command to remove any
roles assigned to the user account.
Invoking this command on an existing user that is not associated with
any roles will remove the user from the database.
reset Disables all user accounts and enables the predefined Installer
account. Prompts for the reset password. FOR EMERGENCY USE
ONLY.
passwd [username] Sets or changes the password for the specified user account.
Passwords must be a minimum of 8 characters and include at least 3
alphabetic characters and at least 1 non-alphabetic character.
passwd reset Changes the reset command password. Prompts for the current reset
password.
425
SECURE64 DNS CACHE 3.1
Appendix A. Command Reference
Command Description
show users Lists system users, one per line, in the format of:
<username> : [real name]: <enabled|disabled>
show roles Lists system roles, one per line, in the format of:
<role name> : [<user name>[, ...]]
userdisable <username> Disables the specified user account.
userenable <username> Re-enables the specified user account after the reset command or
the userdisable command is executed.
usermod +r <role name> <username> Adds (+r) or removes (-r) the username to/from the role name.
The issuer of the command must be a member of the
usermod -r <role name> <username>
cachednscreate role to manage users of the cachednsadmin role; a
member of the syscreate role to manage users of the sysadmin,
upgrade, or backup roles; a member of the bgpcreate role to manage
users of the bgpadmin role, a member of the logincreate role to
manage users of the loginadmin role, a member of the securitycreate
role to manage users of the securityadmin role, and/or a member of
the snmpcreate role to manage users of the snmpadmin role.
426
Appendix A. Command Reference
Command Description
System state commands
activate Makes the pending configuration the running configuration.
discard Reverses pending changes that have not been activated.
reboot Restarts the system. A prompt appears on-screen allowing
you to confirm (Y) or cancel (N) the reboot before it actually
occurs.
revert Cancels the running (activated) configuration and
reinstates the saved configuration.
save Saves the running (activated) configuration. This becomes
the running configuration upon the next system boot. When
you save a configuration, it overwrites the existing saved
configuration.
Network configuration commands
bondcfg bond<num> ethX ethY [ethZ...] Configures a Ethernet bond to create a virtual interface for
no bondcfg bond<num> failover.
<num> is the bond number, 0-99 (but only 8 total bonds
allowed)
Use the no form of the command to remove the
configuration.
bondcfg bond<num> mode miimon <polltime> Configures link status monitoring for the specified bond
<holdtime> number.
<polltime> is the time in milliseconds to poll the state of the
Ethernet link, ranging from 100 to 5000. If not defined for
an existing bond, the default is 1000.
<holdtime> is the time in milliseconds to wait before
changing the link state of a detected failure, ranging from
2x the polltime to 100x the polltime. If not defined for an
existing bond, the default is 5000. Holdtime should be a
multiple of polltime.
bondcfg bond<num> <gratarp|unsolnd> <num> Defines the number of gratuitous ARPs (gratarp) for IPv4
addresses or unsolicited neighbor discoveries (unsolnd) for
IPv6 addresses to send on a newly active port.
The acceptable range for both is 0-255. If the value is 0 for
gratarp, ARPs are not sent. If the value is 0 for
unsolnd, unsolicited neighbor discoveries are not sent.
If not defined for an existing bond, the default is 3.
chassispoll <seconds> Configures the number of seconds for chassis hardware
no chassispoll polling, between 1 and 86,400 (1 day). Use the show
sensors command or chassis SNMP traps to view the
polling information.
Use the no form of the command to remove the
configuration.
427
SECURE64 DNS CACHE 3.1
Appendix A. Command Reference
Command Description
comm Displays the serial port for console configuration. The
comm [interface] default configuration is 9600, 8N1 (8 databits, no parity, 1
stop bit), no flow control.
428
Appendix A. Command Reference
Command Description
ifconfig <interface> <ipv4 address> <ipv4 netmask> Specifies an IPv4 or IPv6 address for a given interface,
no ifconfig <interface> <ipv4 address> where interface is defined in the form: ethX, ethX.I, or
ethX:V.I or bondX, bondX.I and
X= the number of the physical interface
ifconfig <interface> <ipv6 address>/<ipv6 prefix length> V= the VLAN ID
no ifconfig <interface> <ipv6 address>/<ipv6 prefix length> I= the address identifier (you can use the identifier to
configure additional IP addresses for each physical
interface, 1-255 for non-bonded and 1-11 for bonded
interfaces.)
Note: The Secure64 DNS server supports a total of 256 IP
address.
Examples:
Configure the first IPv4 address of an interface (no VLAN):
ifconfig eth0 192.168.12.14
255.255.255.0
429
SECURE64 DNS CACHE 3.1
Appendix A. Command Reference
Command Description
loglevel <level> [entries] Specifies the level of messages that are transmitted via
no loglevel <level> syslog, as follows:
Name Level # Description
LOG_EMERG 0 system unusable
LOG_ALERT 1 action must be taken
immediately
LOG_CRIT 2 critical conditions
LOG_ERR 3 error conditions
LOG_WARNING 4 warning conditions
LOG_NOTICE 5 normal but significant
conditions
LOG_INFO 6 informational
LOG_DEBUG 7 debug-level messages
For [entries], define the number of syslog entries to store in
the local syslog copy, from 50-10,000. An [entries] value of
0 disables the local log file.
Use the show syslog command to display up to 50
entries or export syslog to export the file to a different
system for viewing.
Use the no form of the command to return to the default
loglevel (4).
Sends a user defined message to the configured syslog
logmsg [<0-7>] [log_local#] <message> servers, where <0-7> is an optional custom syslog level
and log_local# is an optional custom logging facility.
nameserver <0|1|2> <ipaddress> [timeout] Specifies name servers for address resolution for the
no nameserver <0|1|2> Secure64 DNS Cache system to locate its NTP and syslog
servers. You can specify as many as three name servers,
numbered 0, 1, and 2. Timeout defines the number of
seconds to wait until retrying a name server; the default is
4 seconds.
Use the no form of the command to remove a configured
nameserver.
nodename <name> Sets the name of the system as it appears in the command
no nodename <name> prompt and syslog messages.
Use the no form of the command to return to the default
nodename (Secure64DNS).
ntp <host> [keynum] [source_ipaddress] Specifies Network Time Protocol (NTP) servers by
no ntp <host> providing the IPv4/IPv6 address or hostname of the
servers so the system automatically synchronizes its time-
of-day. You can define up to 5 NTP servers; issue the
command once for each server to configure. For
authenticated NTP, use the ntpkey command to configure
an NTP key and include the [keynum] argument with the
ntp command when configuring the server.
Use the no form of the command to remove the
configuration.
430
Appendix A. Command Reference
Command Description
ntpdate <ntp_server> Query a configured NTP server. Use show ntp to view the
results.
ntpkey <keynum> <method> <secret> Create an NTP key for NTP server authentication, where
<keynum> is the NTP key number; <method> is M, for
the MD5 hashing method; and <secret> is the shared
secret string (1-8 characters, case sensitive).
nullchecksums <allow|disallow> Allow or disallow UDP packets that do not contain a
checksum. The default behavior is to drop UDP packets
with no checksum (disallow). UDP packets with bad
checksums are always dropped.
ping <interface> <ipv4_address|hostname> Verifies that the configured ethX, ethX.I, or
ping6 <interface> [datasize] <ipv6_address|hostname> ethX:V.I interface is able to contact an external IP
address or hostname, where:
X= the number of the physical interface
V= the VLAN ID
I= the address identity
For ping6, you can use the optional [datasize] to define
the number of octets to send, from 1-1500.
reset autostart <cycle-counter|history> Resets autostart tracking parameters that track abnormal
restart behavior when the DNS server is configured to
automatically start. (To view the value of the parameters,
use the show autostart status command).
cycle-counter: Resets the autostart cycle counter.
history: Resets the number of reported and requested
reboots.
route default <ipv4_or_ipv6gateway> Configures network routing. There are two forms for the
no route default <ipv4_or_ipv6gateway> route command: default routes and other routes.
To add a default route where 10.0.0.1 is the default
route default <ipv6linklocal%interface> gateway (IPv4), the form is: route default
10.0.0.1
no route default <ipv6linklocal%interface>
To add a default route where 2608:0300:03c0:B is the
default gateway (IPv6), the form is:
route net <ipv4address> <netmask> <gateway>
route default 2608:0300:03c0:B
no route net <ipv4address> <netmask> <gateway>
For other routes, the IPv4 form is:
route net 192.168.250.0 255.255.255.0 10.1.2.3
route net <ipv6address>/<prefixlength> <gateway>
The IPv6 form is:
no route net <ipv6address>/<prefixlength> <gateway> route net 2001:db8:aaa:bbb::ccc/64
2001:db8:ddd:eee::97
Use the no form of the command to remove the
configuration.
route <sym|asym> Configures the routing style for inbound traffic.
sym: Sets symmetrical routing, which sends responds to
in-bound requests to the source of the request.
asym: Sets asymmetrical routing, which performs an IP
route and ARP table lookup before sending every packet.
431
SECURE64 DNS CACHE 3.1
Appendix A. Command Reference
Command Description
syslog <server> [source] Specify a syslog server, where server is the IPv4/IPv6
no syslog <server|all> address or server host name and source is the optional
IPv4/IPv6 source IP address for the syslog server. Up to
four syslog servers can be configured.
Use the no form of the command to remove a configured
syslog server or all configured syslog servers.
timeout <seconds> Specifies the number of seconds of inactivity before
no timeout Secure64 DNS Cache automatically logs out of the SSH or
serial console. The default is 300 seconds (5 minutes), and
the maximum value is 3600 (1 hour). The user changing
the timeout is affected immediately; all other users’
timeouts are affected upon their next log in.
Use the no form of the command to disable the console
timeout, which sets the timeout to 0 (no timeout).
tz [spec] Sets the time zone. If spec is omitted, a list of top level
no tz [spec] zones and regions displays. For a list of time zones within
a region, enter
tz region_name. Use the no form of the command to
set the time zone to GMT.
Security configuration commands
allow <ipv4 address> [netmask]
Adds the specified system to the list of systems allowed to
no allow <ipv4 address> [netmask]
establish connections to the console via SSH.
Use the no form of the command to remove the
allow <ipv6 address>[/<prefix length>]
configuration.
no allow <ipv6address>[/<prefix length>]
attach <interface|dnsserver> <rule1> [rule2…] Attaches a set of rules to an ethX, ethX.I, or
no attach <interface|dnsserver> ethX:V.I interface, where
X= the number of the physical interface
V= the VLAN ID
I= the address identity
If attaching RRtype rules, use the dnsserver keyword to
attach the rules at the server level.
Use the no form of the command to remove the
configuration.
rule <name> <logical_expression> : <action> Creates a rule with the given name and a
no rule <name> logical_expression consisting of one or more
conditions which if they evaluate to true, result in the traffic
defined in the rule to be treated according to the specified
action. See Defending Against DNS DDoS Attacks on
page 224 for more information.
Use the no form of the command to remove the
configuration.
ruleactions <on|off> Enables and disables rules for mitigation and rate-limiting.
Logging and SNMP traps are not affected by the
command. Default is on (enable rules).
432
Appendix A. Command Reference
Command Description
Dynamically reload caching configuration changes without
cachedns reload
stopping or starting the server.
Provides information about the status and results of the last
cachedns reload status
cachedns reload operation.
For the specified name, remove associated records from all
answer and referral caches. If multiple caches are
cachedns flush name <name>
configured, use the optional [cachename|default] parameter
[cachename|default]
to limit the action to a specific cache name or the default
shared cache.
Flush the specified record type from all answer and referral
caches for the specified name. If multiple caches are
cachedns flush type <name> <type>
configured, use the optional [cachename|default] parameter
[cachename|default]
to limit the action to a specific cache name or the default
shared cache.
Set the validation status of the specified validated zone to
cachedns flush validation <zone> unvalidated. If multiple caches are configured, use the
[cachename|default] optional [cachename|default] parameter to limit the action to
a specific cache name or the default shared cache.
Flush everything at or below the specified name from all
answer and referral caches. If multiple caches are
cachedns flush zone <name>
configured, use the optional [cachename|default] parameter
[cachename|default]
to limit the action to a specific cache name or the default
shared cache.
Display answer or referral cache information for the specified
name. Include the optional record_type to display information
cachedns lookup <name> [answer|referral]
for a specific DNS record (defaults to A if not defined).
[record_type] [view]
Include the optional view to limit the lookup information to a
specific view name in the cache.conf configuration file.
Statistical commands for the caching server.
cachedns stats <dump|reset> dump: Dump all caching statistics to the command line
reset: Reset all caching statistic counters to zero
cat <file> Displays the contents of the specified file. Note that the
system displays as much as is allowed by the screen buffer.
cd [directory] Changes to the specified directory. If no directory is specified,
changes to the top-level directory.
cp [-r] <source> <destination> Copy one or more files and/or directories. If more than one
source is defined, destination must be a directory. Use -r to
copy the entire directory tree starting with source to the
destination directory.
dig @<server> [<name>] [<type>] [<+queryopt>...] Send a DNS query to the specified server, where name is the
[<-flag>...] host or domain name, type is the DNS RR type, queryopt is
query options, and flag is additional query flags.
edit <file> Loads the specified file in the Secure64 DNS text editor.
433
SECURE64 DNS CACHE 3.1
Appendix A. Command Reference
Command Description
ls [-R] [directory|filename] Displays the contents of the current directory (if no directory
is defined) or the specified directory or filename. Wildcards
are permitted and multiple files/directories can be specified.
Note that the system displays as much as is allowed by the
screen buffer. Use the -r argument to include descendent
directories in the list.
mkdir [-p] <directory> Creates the specified directory for example: mkdir data.
Include -p to create a subdirectories, for example: mkdir -
p data/zones/example
pwd Displays the current directory path.
mv <from> <to> Renames or moves the specified from filename to the to
filename, within the same directory or different directories.
rm [<file>| -r <directory>] Deletes the specified file or directory. Wildcards are permitted
and multiple files/directories can be specified. If specifying a
directory, the -r argument is required and all descendent
directories and files are also removed.
rmdir <directory> Removes the specified directory. The directory must be
empty.
touch <file> Change the modification time of the specified file to the
current time. If the specified file does not exist, it is created.
start cachedns Start the Secure64 DNS Cache server.
stop cachedns Stop the Secure64 DNS Cache server.
start bfd Start the BFD service, if configured.
stop bfd Stop the BFD service, if configured.
start rtqm [max memory] Start real time query monitoring to collect query data, where
max memory is the maximum amount of memory used by
the service, with a minimum of 1 MB. If not defined, the
maximum memory is 128 MB.
stop rtqm Stop real time query monitoring.
434
Appendix A. Command Reference
Command Description
File system commands
cat <file> Displays the contents of the specified file. Note that the
system displays as much as is allowed by the screen buffer.
cd [directory] Changes to the specified directory. If no directory is
specified, changes to the top-level directory.
cp [-r] <source> <destination> Copy one or more files and/or directories. If more than one
source is defined, destination must be a directory. Use -r to
copy the entire directory tree starting with source to the
destination directory.
edit <file> Loads the specified file in the Secure64 DNS text editor.
ls [-R] [directory|filename] Displays the contents of the current directory (if no directory
is defined) or the specified directory or filename. Wildcards
are permitted and multiple files/directories can be specified.
Note that the system displays as much as is allowed by the
screen buffer. Use the -R argument to include descendent
directories in the list.
mkdir [-p] <directory> Creates the specified directory for example: mkdir data.
Include -p to create a subdirectories, for example: mkdir -
p data/zones/example
pwd Displays the current directory path.
mv <from> <to> Renames or moves the specified from filename to the to
filename, within the same directory or different directories.
rm [<file>| -r <directory>] Deletes the specified file or directory. Wildcards are
permitted and multiple files/directories can be specified. If
specifying a directory, the -r argument is required and all
descendent directories and files are also removed.
rmdir <directory> Removes the specified directory. The directory must be
empty.
touch <file> Change the modification time of the specified file to the
current time. If the specified file does not exist, it is created.
BGP administration commands
start bgp Reads the bgp.conf configuration file and enables BGP
services for Secure64 DNS Cache.
stop bgp Stops BGP services for Secure64 DNS Cache.
bgp announce <ipaddress/prefix> [-n peer] Sends a BGP UPDATE message to the neighbor(s)
identified to re-establish the ip_address/prefix in the
anycast cloud, where ip_address/prefix is one or
more IPv4/IPv6 address/prefixes to announce and peer is
the IPv4/IPv6 address or description of the neighbor; you
can list multiple neighbors after –n. To announce all
neighbors, omit the –n flag.
435
SECURE64 DNS CACHE 3.1
Appendix A. Command Reference
Command Description
bgp neighbor <peer> up Takes the BGP session to the specified neighbor up. <peer>
can be the neighbor's IPv4/IPv6 address or description.
bgp neighbor <peer> down Takes the BGP session to the specified neighbor down.
<peer> can be the neighbor's IPv4/IPv6 address or
description.
bgp neighbor <peer> clear Stops and restart the BGP session to the specified neighbor.
<peer> can be the neighbor's IPv4/IPv6 address or
description.
bgp neighbor <peer> refresh Requests the specified neighbor to re-send all routes. Note
that the neighbor is not required to re-send routes, even if it
announced the route refresh capability. <peer> can be the
IPv4/IPv6 neighbor's address or description.
bgp withdraw <ipaddress/prefix> [-n peer] Sends a BGP UPDATE message to the neighbor(s)
indicated. The UPDATE message contains the listed IP
address/prefixes in the withdrawn routes portion of the
message, where ip_address/prefix is one or more
of the IPv4/IPv6 address/prefixes to withdraw and peer is
the IPv4/IPv6 address or description of the neighbor; you
can list multiple neighbors after –n. To withdraw from all
neighbors, omit the –n flag.
436
Appendix A. Command Reference
Command Description
File system commands
cat <file> Displays the contents of the specified file. Note that the
system displays as much as is allowed by the screen
buffer.
cd [directory] Changes to the specified directory. If no directory is
defined, changes to the top-level directory.
cp [-r] <source> <destination> Copy one or more files and/or directories. If more than
one source is defined, destination must be a directory.
Use -r to copy the entire directory tree starting with source
to the destination directory.
edit <file> Loads the specified file in the Secure64 DNS text editor.
ls [-R] [directory|filename] Displays the contents of the current directory (if no
directory is defined) or the specified directory or filename.
Wildcards are permitted and multiple files/directories can
be specified. Note that the system displays as much as is
allowed by the screen buffer. Use the -R argument to
include descendent directories in the list.
mkdir [-p] <directory> Creates the specified directory for example: mkdir data.
Include -p to create a subdirectories, for example: mkdir
-p data/zones/example
pwd Displays the current directory path.
mv <from> <to> Renames or moves the specified from filename to the to
filename, within the same directory or different directories.
rm [<file>|-r <directory>] Deletes the specified file. Wildcards are permitted and
multiple files/directories can be specified. If specifying a
directory, the -r argument is required and all descendent
directories and files are also removed.
rmdir <directory> Removes the specified directory. The directory must be
empty.
touch <file> Change the modification time of the specified file to the
current time. If the specified file does not exist, it is
created.
Authentication administration commands
authprobe radius [<username> <password> <pap> Probe the RADIUS server to test connectivity from the
<server> <port> <secret> <retries> <timeout>] Secure64 DNS server or test authentication for a specific
username and password.
To test connectivity settings in radius.conf, do not
specify the optional parameters (authentication is not
attempted). To test settings outside of radius.conf,
such as authentication of a specific username and
password, specify all parameters.
437
SECURE64 DNS CACHE 3.1
Appendix A. Command Reference
Command Description
authenticate <ldap | radius> Reads the specified RADIUS or LDAP configuration file
and enables the RADIUS or LDAP client for Secure64
DNS Cache. Use the activate and save commands to
save the configuration change.
no authenticate <ldap | radius> Disables the RADIUS or LDAP client for Secure64 DNS
Cache. Use the activate and save commands to save the
configuration change.
activate Makes the pending configuration the running
configuration.
save Saves the running (activated) configuration.
discard Reverses pending changes that have not been activated.
Login administration commands
Display or enable/disable SSH password authentication.
sshpwdauth- Displays password authentication
information for user accounts
sshpwdauth [<on|off>] [<username>] sshpwdauth <on|off>- Enables/disables SSH password
authentication for all user accounts
sshpwdauth <on|off> <username>- Enables/disables
SSH password authentication for the specified username.
No system default, must be set when user is added.to
define the number of days of inactivity. Configurable to 0
user <username> age account <0, 20-90> to disable feature (weakens security), or between 20-90
days. A three-day grace period is applied before disabling the
account.
System defaults to 60 days before requiring users to
user <username> age passwd <0, 20-90> change password. Configurable to 0 to disable feature
(weakens security), or between 20-90 days.
System defaults to lock out a user account after 3 failed
logins, for the number of minutes defined by the lockout
user <username> lockout count <0, 3-5>
time. Configurable to 0 to disable feature (weakens
security), or between 3-5 attempts.
System defaults to 60 minutes before resetting the lockout
user <username> lockout interval <0, 15-60> counter. Configurable to 0 to disable feature (weakens
security), or between 15-60 minutes.
If the user account has been locked out, system defaults
to lock out the account for 60 minutes. Configurable to 0 to
user <username> lockout time <0, 15-60>
require the loginadmin to reset locked out user, or
between 15-60 minutes.
System defaults to preventing the user from re-using the
last 5 passwords for the user account. Configurable to 0 to
user <username> history <0-5>
disable feature (weakens security), or between 0-5
passwords.
Generates a random temporary password. After logging in
with a temporary password, the user must change it, and
user <username> randompass
the temporary password becomes invalid. The random
password is not included in the password history.
user <username> <enable|disable> Enable or disable the user account.
438
Appendix A. Command Reference
Upgrade Commands
Table 75 provides information about the upgrade commands, which are available only in the
upgrade role. View commands are also available.
Command Description
Restarts the system. A prompt appears on-screen allowing you to confirm
reboot
(Y) or cancel (N) the reboot before it actually occurs.
Reverses a Secure64 DNS Cache system upgrade, returning to the
rollback
previous version.
license Displays the 20-character Secure64 DNS Cache license key.
upgrade Upgrades the Secure64 DNS Cache system.
Command Description
Restarts the system. A prompt appears on-screen allowing you
reboot
to confirm (Y) or cancel (N) the reboot before it actually occurs.
Removes the server’s SSH keys. New keys are automatically
remove sshkeys
generated upon reboot.
Deletes the Sensitive Data Unit (SDU) associated with the
sdu delete <subsystem> <keyword>
specified <subsystem> and <keyword>.
Displays the existing SDU(s); use the optional <subsystem>
sdu list [<subsystem>]
parameter to limit the list to the specified <subsystem>
Add the specified <SDU> to the Sensitive Data Protection
sdu protect <subsystem> <keyword> <SDU>
(SDP) database for the specified <subsystem> and <keyword>.
Replace the existing SDU value with the newly defined <SDU>
sdu replace <subsystem> <keyword> <SDU>
for the specified <subsystem> and <keyword>.
Remove the contents of the SDP database. This clears all
sdu reset
content and is not reversible.
Displays the plain text (unencrypted) content of the SDU
sdu reveal <subsystem> <keyword>
associated with the specified <subsystem> and <keyword>.
439
SECURE64 DNS CACHE 3.1
Appendix A. Command Reference
Command Description
Removes the server’s cryptographic module keys. New keys
are automatically generated upon reboot.
remove cmkeys
CAUTION: This command should be used only after consulting
with Secure64 support.
Reports the status of the cryptographic module (CM)
instance(s), in accordance with FIPS 140-2 Level 2 certification
requirements. Use the all option to display the status for all CM
status [all|#]
instances. Use the # option to display the status for a given CM
instance (1, 2, or 3). Non-CEM systems have a single CM
instance (1). Defining no options displays the status for CM 1.
440
Appendix A. Command Reference
Command Description
File system commands
cat <file> Displays the contents of the specified file. Note that the
system displays as much as is allowed by the screen
buffer.
cd [directory] Changes to the specified directory. If no directory is
defined, changes to the top-level directory.
cp [-r] <source> <destination> Copy one or more files and/or directories. If more than
one source is defined, destination must be a directory.
Use -r to copy the entire directory tree starting with source
to the destination directory.
edit <file> Loads the specified file in the Secure64 DNS text editor.
ls [-R] [directory|filename] Displays the contents of the current directory (if no
directory is defined) or the specified directory or filename.
Wildcards are permitted and multiple files/directories can
be specified. Note that the system displays as much as is
allowed by the screen buffer. Use the -R argument to
include descendent directories in the list.
mkdir [-p] <directory> Creates the specified directory for example: mkdir data.
Include -p to create a subdirectories, for example: mkdir
-p data/zones/example
pwd Displays the current directory path.
mv <from> <to> Renames or moves the specified from filename to the to
filename, within the same directory or different directories.
rm [<file>|-r <directory>] Deletes the specified file. Wildcards are permitted and
multiple files/directories can be specified. If specifying a
directory, the -r argument is required and all descendent
directories and files are also removed.
rmdir <directory> Removes the specified directory. The directory must be
empty.
touch <file> Change the modification time of the specified file to the
current time. If the specified file does not exist, it is
created.
SNMP administration commands
start snmp Reads the snmpd.conf configuration file and enables
SNMP agent services for Secure64 DNS Cache.
441
SECURE64 DNS CACHE 3.1
Appendix A. Command Reference
Command Description
stop snmp Stops SNMP services for Secure64 DNS Cache.
sendtrap <type> Sends the specified S64-MITIGATION-MIB trap type
event or S64-CHASSIS-MIB trap type event for testing
purposes.
For S64-MITIGATION-MIB traps, specify <type> as one of
the following: blacklist, blacklistactive, blacklistinactive,
graylist, graylistactive, graylistinactive, packetfloodstart,
packetfloodend, synfloodstart, synfloodend.
For S64-CHASSIS-MIB traps, specify <type> as one of
the following: temperaturetrap, voltagetrap, fantrap,
chassisintrusiontrap, powersupplytrap,
powerredundancytrap.
442
Appendix B. Syslog and System Boot
Messages
System Logging Messages
Table 78 lists the system logging System: Subsystem, Severity, and Text.
Note Currently, Secure64 DNS does not output the Severity to syslog.
443
SECURE64 DNS CACHE 3.1
Appendix B. Syslog and System Boot Messages
444
Appendix B. Syslog and System Boot Messages
445
SECURE64 DNS CACHE 3.1
Appendix B. Syslog and System Boot Messages
Note Currently, Secure64 DNS does not output the Severity to syslog.
446
Appendix B. Syslog and System Boot Messages
447
SECURE64 DNS CACHE 3.1
Appendix B. Syslog and System Boot Messages
448
Appendix B. Syslog and System Boot Messages
449
SECURE64 DNS CACHE 3.1
Appendix B. Syslog and System Boot Messages
450
Appendix B. Syslog and System Boot Messages
451
SECURE64 DNS CACHE 3.1
Appendix B. Syslog and System Boot Messages
Note Currently, Secure64 DNS does not output the Severity to syslog.
452
Appendix B. Syslog and System Boot Messages
453
SECURE64 DNS CACHE 3.1
Appendix B. Syslog and System Boot Messages
454
Appendix B. Syslog and System Boot Messages
455
SECURE64 DNS CACHE 3.1
Appendix B. Syslog and System Boot Messages
456
Appendix B. Syslog and System Boot Messages
457
SECURE64 DNS CACHE 3.1
Appendix B. Syslog and System Boot Messages
458
Appendix B. Syslog and System Boot Messages
459
SECURE64 DNS CACHE 3.1
Appendix B. Syslog and System Boot Messages
460
Appendix B. Syslog and System Boot Messages
461
SECURE64 DNS CACHE 3.1
Appendix B. Syslog and System Boot Messages
462
Appendix B. Syslog and System Boot Messages
463
SECURE64 DNS CACHE 3.1
Appendix B. Syslog and System Boot Messages
464
Appendix B. Syslog and System Boot Messages
465
SECURE64 DNS CACHE 3.1
Appendix B. Syslog and System Boot Messages
466
Appendix B. Syslog and System Boot Messages
467
SECURE64 DNS CACHE 3.1
Appendix B. Syslog and System Boot Messages
468
Appendix B. Syslog and System Boot Messages
Note Currently, Secure64 DNS does not output the Severity to syslog.
469
SECURE64 DNS CACHE 3.1
Appendix B. Syslog and System Boot Messages
470
Appendix B. Syslog and System Boot Messages
Note Currently, Secure64 DNS does not output the Severity to syslog.
471
SECURE64 DNS CACHE 3.1
Appendix B. Syslog and System Boot Messages
472
Appendix B. Syslog and System Boot Messages
473
SECURE64 DNS CACHE 3.1
Appendix B. Syslog and System Boot Messages
Note Currently, Secure64 DNS does not output the Severity to syslog.
474
Appendix B. Syslog and System Boot Messages
475
SECURE64 DNS CACHE 3.1
Appendix B. Syslog and System Boot Messages
476
Appendix B. Syslog and System Boot Messages
477
SECURE64 DNS CACHE 3.1
Appendix B. Syslog and System Boot Messages
478
Appendix C: Unbound Configuration Differences
Attribute: Description
verbosity: In Secure64 DNS Cache, syslog verbosity is configured
by the sysadmin user with the loglevel command.
extended-statistics: Secure64 DNS Cache provides a custom statistics set as
described in Server Activity Reporting and Statistics on
page 215.
num-threads: Secure64 DNS Cache does not support threading at this
time.
interface-automatic: Detects source interface on UDP queries and copies
them to replies. Unbound experimental feature.
do-udp: Deprecated in Secure64 DNS Cache version 2.8; the
server always accepts UDP queries, making the attribute
unnecessary.
outgoing-range: Secure64 DNS Cache is not a general-purpose server
and does not require port restrictions.
outgoing-port-permit: Secure64 DNS Cache is not a general-purpose server
and does not require port restrictions.
outgoing-port-avoid: Secure64 DNS Cache is not a general-purpose server
and does not require port restrictions.
num-queries-per-thread: Secure64 DNS Cache does not support threading at this
time.
jostle-timeout: Secure64 DNS Cache and the SourceT micro operating
system provide defense mitigation and rules.
do-daemonize: Secure64 DNS Cache is not a general-purpose server.
chroot: Secure64 DNS Cache provides a built-in chroot
mechanism based on roles.
username: Secure64 DNS Cache has a built-in user and role
structure.
479
SECURE64 DNS CACHE 3.1
Appendix C: Unbound Configuration Differences
480
Appendix C: Unbound Configuration Differences
481
SECURE64 DNS CACHE 3.1
Appendix C: Unbound Configuration Differences
482
Appendix D: Example Configuration File
Note To enable an attribute, remove the # (comment) symbol from the beginning of the line. You must also
stop and start the caching server software for configuration changes to be read.
483
SECURE64 DNS CACHE 3.1
Appendix D: Example Configuration File
# Specifies if the DNS caching server should respond with only the
# answer section (dropping the authority and additional sections)
# The default is no.
# minimal-responses: no
# Specify the set of IPv4 and IPv6 addresses to listen for queries from
# clients and give answers back to clients. At least one address must
# must be specified, and the addresses must already be configured with
# the ifconfig command in the sysadmin role. Specify 0.0.0.0 to listen on
# all configured IPv4 addresses, and specify ::0 to listen on all available
# IPv6 addresses. Specify one or more IP addresses on a separate
# 'interface:' line.
#
# interface: 192.168.127.199
# interface: 192.0.2.154
# interface: 2001:DB8::5
484
Appendix D: Example Configuration File
# classless netblocks with /size and action. Choose deny (drop message),
# refuse (polite error reply), allow. By default, everything except the
# local host is refused.
access-control: 0.0.0.0/0 allow
# access-control: 127.0.0.0/8 allow
# access-control: ::0/0 refuse
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow
# specify a value (in milliseconds) for the UDP read timeout for
# recursive queries
# outgoing-query-timeout: 400
# specify the amount (in milliseconds) to increment the UDP read timeout on
# subsequent queries to the same server when a previous query timed out
# outgoing-query-increment: 400
# specify a value (in seconds) between 1 and 30 for the amount of time to
# tie up resources trying to answer a query before dropping it in favor
# of servicing the next incoming query in the queue. Information gained
# from intermediate recursive queries will be cached, even after the
# original external query is dropped.
# incoming-query-timeout: 30
485
SECURE64 DNS CACHE 3.1
Appendix D: Example Configuration File
# Specify the file to read root hints from. Get one from
# ftp://FTP.INTERNIC.NET/domain/named.cache. The default is no
# root hints file.
# root-hints: ""
# Specify in bytes the buffer size for handling DNS data. No messages
# (answers) larger than this size can be sent or received, by UDP or TCP.
# The default is 65552.
# msg-buffer-size: 65552
# Specify the amount of memory to use for the message (answer) cache. A
# plain number of bytes or append k, m or g. The default is '128m'.
# msg-cache-size: 128m
# Specify the number of slabs to use for the message (answer) cache. The
# number # of slabs must be a power of 2. More slabs reduce lock
# contention, but fragment memory usage. The default is 1 slab.
# msg-cache-slabs: 1
# Specify the amount of memory to use for the RRset cache. A plain
# number of bytes or append k, m or g. The default is '4m'.
# rrset-cache-size: 128m
# Specify the number of slabs to use for the RRset cache. The number
# of slabs must be a power of 2. More slabs reduce lock contention,
# but fragment memory usage. The default is 1 slab.
# rrset-cache-slabs: 1
# Specify in seconds the time to live (TTL) value cap for RRsets and
# messages in the cache. Items are not cached for longer. The default
# is 86400 seconds (24 hours).
# cache-max-ttl: 86400
# Specify in seconds the time to live (TTL) value cap for cached
# servfail responses in the message cache.
# Items are not cached for longer. The default is 300 seconds (5 minutes).
# The minimum value is 1 second, the maximum value is 300 seconds.
# cache-servfail-ttl: 300
486
Appendix D: Example Configuration File
# Specify in seconds the time to live (TTL) value for cached roundtrip
# times and EDNS version information for hosts. The default is 900 seconds.
# infra-host-ttl: 900
# Specify in seconds the time to live (TTL) value for cached lame
# delegations. The default is 900 seconds.
# infra-lame-ttl: 900
# Specify the number of slabs to use for the Infrastructure cache. The
# number of slabs must be a power of 2. More slabs reduce lock contention,
# but fragment memory usage. The default is 1 slab.
# infra-cache-slabs: 1
# Specify the maximum number of hosts that are cached (roundtrip times,
# EDNS). The default is 10000 hosts.
# infra-cache-numhosts: 10000
# Specify in bytes the maximum size of the lame zones cached per host. A
# plain number of bytes or append k, m or g. The default is '10k'.
# infra-cache-lame-size: 10k
# Specify the amount of memory to use for the key cache. A plain
# number of bytes or append k, m or g. The default is '64m'.
# key-cache-size: 64m
# Specify the number of slabs to use for the key cache. The number
# of slabs must be a power of 2. More slabs reduce lock contention,
# but fragment memory usage. The default is 1 slab.
# key-cache-slabs: 1
# Specify whether or not the server should drop all incoming queries
# for data of the type "ANY". Default is 'no'.
# drop-any: no
# Specify whether or not the server should drop all incoming queries
# for data of the type "MX". Default is 'no'.
# drop-mx: no
487
SECURE64 DNS CACHE 3.1
Appendix D: Example Configuration File
# Specify local data shorthand for a PTR record with the reversed IPv4
# IPv6 address and the hostname. A TTL can be included.
# local-data-ptr: "192.0.2.3 7200 www.example.com"
488
Appendix D: Example Configuration File
489
SECURE64 DNS CACHE 3.1
Appendix D: Example Configuration File
# Do not query the following ip-addresses. No DNS queries are sent there.
# List one ip-address per entry. List classless netblocks with /size.
# The default is to query all ip-addresses.
# do-not-query-address: 127.0.0.0/8
# do-not-query-address: ::1
# Override the date for validation with a specific fixed date. The
# date format is <YYYMMDDHHmmss>. Set this only when debugging signature
# inception and expiration. The default is the current date.
# "" or "0" turns the feature off which is the default.
# val-override-date: ""
# Specify in seconds the time to live for bogus data, rrsets and messages.
# This avoids some of the revalidation, until the time interval expires.
# The default is 60 seconds.
# val-bogus-ttl: 60
490
Appendix D: Example Configuration File
# Specify file(s) with trusted keys for validation. The files must
# be in zone file format, with DS and DNSKEY entries. Specify each file
# on a separate 'trust-anchor-file:' line. The default is no trust
# anchor files.
# trust-anchor-file: ""
# Specify DS and DNSKEY trusted keys for validation. Place the entire
# RR on a single line, surrounded by "". TTL is ignored and the default
# class is IN. Specify each trusted key on a separate 'trust-anchor:'
# line. The default is no trust anchor keys.
# (These examples are from August 2007 and may not be valid anymore).
# trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5
AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/
xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW
6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
# trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1
14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
# Specify file(s) with trusted keys for validation. The file must
# be in BIND-9 style format, the trusted-keys
# { name flag proto algo "key"; }; clauses are read. The default is
# no trusted keys files.
# trusted-keys-file: ""
# Specify a file that contains DLV trusted keys in the same format as
# a trust-anchor-file. There can be only one DLV configured, it is
# trusted from root down.
# Download https://secure.isc.org/ops/dlv/dlv.isc.org.key
# dlv-anchor-file: "dlv.isc.org.key"
# dlv-anchor-file:""
# Specify the amount of memory to use for the aggressive negative cache
# for DLV. A plain number of bytes or append k, m or g. The default
# is '128m'.
# neg-cache-size: 128m
491
SECURE64 DNS CACHE 3.1
Appendix D: Example Configuration File
492
Appendix D: Example Configuration File
# Direct the server to rotate the order of RRs within RRsets in the
# answer for a query.
# rrset-roundrobin: no
# Stub zones.
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of nameservers. List zero or more
# nameservers by hostname or by ip-address.
# stub-zone:
# name: "example.com"
# stub-addr: 192.0.2.68
# stub-zone:
# name: "example.org"
# stub-host: ns.example.com.
# Forward zones
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of servers. These servers have to handle
# recursion to other nameservers. List zero or more nameservers by hostname
# or by ip-address. Use an entry with 'name: "."' to forward all queries.
# forward-zone:
# name: "example.com"
# forward-addr: 192.0.2.68
# forward-addr: 192.0.2.73@5355 # forward to port 5355.
# forward-zone:
# name: "example.org"
# forward-host: fwd.example.com
493
SECURE64 DNS CACHE 3.1
Appendix D: Example Configuration File
# views
# views can be used to control the resolver behavior with respect to
# local zones, nxdomain redirection, dns64 resolution and filtering
# AAAA responses from IPv4 queries, based upon the IP address of either
# the client or the destination. The IP can be an IP, range, subnet, etc...
# View names must be unique. See the entries for local data, nxdomain
# redirection, filter-aaa-on-v4, and dns64 for more details on these
# configuration items.
#
#view:
#view-name: oddball
#
# view for oddball information
#
# match-clients: 192.168.127.12
#
# Specify an alternate set of root hints for this view. The default
# is to use the same hints as the server above. The default is no
# root hints file.
# root-hints: ""
#
# we want to deny access to google, queries will get NXDOMAIN
# local-zone: "google.com" static
#
#
#view:
#view-name: nosearch
#
# don't let the Zap team use Internet search
#
# match-clients: 192.168.133.0/24
# match-destinations: 192.168.127.45
#
# local-zone: "google.com" static
# local-zone: "yahoo.com" static
# local-zone: "bing.com" static
#
# filter-aaaa-on-v4: yes
#
# dns64-prefix: feed::1:0000:0000/96
#
494
Appendix D: Example Configuration File
495
SECURE64 DNS CACHE 3.1
Appendix D: Example Configuration File
496
Index
497
SECURE64 DNS CACHE 3.1
Index
498
Index
499
SECURE64 DNS CACHE 3.1
Index
500
Index
Disabling 359 M
Enabling 342, 357 MAC address (physical interface) 378
Encrypting bind password with SDP 244, 351 Management Processor See Integrity iLO
Example configuration (Secure64 client) 352 match-clients attribute 164
Groups (server) 349 match-destinations attribute 164
Hash tag and passwords 347 Memory Requirements
Interface (LOCALADDR) 355 Answer cache size 105
Mapping roles (LDAP server) 350 BGP 305
Mapping roles (Secure64 client) 355 Caching and performance 103
Roles, disabling 356 Key cache size 108
Schemas 349 Lame delegation cache size 107
Search attribute 354 Minimum 2
Secure passwords with hashing 347 Referral cache size 105
Servers supported 347 Memory, see memstat command
Starting 342, 357 memstat command 368
Status 343, 359 Merge Zones 143
Stopping 359 merge-addr attribute 144
Syslog messages 474 merge-zone clause 144
Troubleshooting 362 merge-zone name attribute 144
User account example 58 MIBs for SNMP 392
Version 3 347 Microsoft Active Directory Server See LDAP
ldap.conf 357 minimal-responses attribute 99, 480
license command 302, 439 mkdir command 89
Lightweight Directory Access Protocol See LDAP Modes, About 10
Link Local Address (IPv6) 254, 378 Monitor See VGA
load-cache-on-start attribute 205 Monitoring Query Data (RTQM) 207
Loading the Cache 204 MP Login See Serial Console and Integrity iLO
Local Zone msg-buffer-size attribute 480
CNAME entries examples 113 msg-cache-size attribute 105
Configuring 108 msg-cache-slabs attribute 105
Default zones 114 Multiple Resolver Instances 180
Logging activity 116 Caches and 181
PTR record 110 Processors and 183
Rules and examples 110 Query logging and 211
local-data attribute 110 Views and 181
local-data-ptr attribute 110 MX Queries (Drop) 122, 173
localpref (BGP) 310
local-zone attribute 109 N
local-zone-log-file-num attribute 109 Name Server (Configuring External) 259
local-zone-log-file-size attribute 110 nameserver command 259
Log Level (syslog) 270 NAT64 148
Logfacility (syslog) 271 Negative Trust Anchor (domain-insecure
logfacility command 271 attribute) 130
Logging neg-cache-size attribute 135
Local zone activity 116 Neighbor, BGP
Query data 211 Commands 318
Syslog and syslog local file 269 Configuration 310
Logging In 10 netstat command 380
Logging Out See Exiting Secure64 Network Statistics (netstat command) 380
logging-file-num attribute 213, 214 nodename command 258
logging-file-pcap attribute 213 Nodename, Configuring 258
logging-file-size attribute 213, 214 NOERROR Response 190
logging-file-write-immediate attribute 213 NSEC3 Iteration Limit 123
logging-flag-query-recv attribute 213 ntp command 264, 265
logging-flag-query-resp attribute 213 NTP Server
logging-flag-resolv-query attribute 213 Adding an NTP key 265
logging-flag-resolv-resp attribute 213 Configuring with authentication 265
loginadmin role 31 Configuring without authentication 263
logincreate role 30 Deleting an NTP key 266
LOGINLIM rule 79 Displaying NTP keys 266
loglevel command 270 Displaying NTP server information 267
logmsg command 273 Overview 263
Loopback Interface 280 Removing a configured NTP server 268
ls command 89 Sending a query to an NTP server 267
501
SECURE64 DNS CACHE 3.1
Index
502
Index
Rate Limiting (UDP and TCP) See also DDoS, DoS 227 Summary 30
Real Time Query Monitoring (RTQM) rollback command 302
Commands 207 root-hints attribute 98
Data 208, 210 Round Robin DNS Responses (rrset-roundrobin attribute) 99
Examples 209 route asym command 256
reboot command 87 route sym command 255
Recovery Routing
See also, Restoring 299 Adding routes 252
See also, Safe Mode 292 Asymmetrical (Inbound) 256
System overview 299 BGP 303
Redundant Disk 291 Changing and BGP 328
Remote Authentication Dial In User Service See RADIUS Configuring initial 75
remove cmkeys command 440 Default gateway 252
rename command 89 Deleting routes 254
Reporting, See Statistics Displaying IPv4 information with show ip route 382
reset autostart cycle-counter command 295 Displaying IPv6 information with show ipv6 route 382
reset autostart history command 295 Inbound traffic options 255
reset command 33, 47 Link local (IPv6) 252, 254
Reset Password 70 Outbound traffic (standard ARP table) 255
Resolver Route collector 309
Forwarding to another server 138 Symmetrical (Inbound) 255
Multiple instances 180 Routing Information Base See RIB
Performance attributes 101 rrset-cache-size attribute 105
Syslog messages 452 rrset-cache-slabs attribute 106
Timeouts for incoming/outgoing query resolution 102 rrset-roundrobin attribute 99
Transversal limit during query resolution 102 RRSIG
Responses Key cache 104, 108
NOERROR 190 Override expiration (val-override-date attribute) 122
Omitting Authority and Additional sections 99 RRtype Filtering (Incoming Queries) 173, 238
Omitting private addresses from (private-address attribute) 122 RSA Key Information (system) 385
Testing with dig 189 RTQM, see Real Time Query Monitoring
Troubleshooting 192 rule command 227
Types of DNS during testing 190 ruleactions command 232
Restoring Rules
BGP files 297 Attachment of RRtype filtering 240
DNS files 298 Attachment to interface 230
LDAP files 297 BGP filter 311
Overview 296 Command 228
RADIUS files 297 Configuration (general) 227
Sensitive Data Protection (SDP) files 297 Configuration (RRtype filtering) 239
System files 297 Configuration (TCP security) 236
revert command 83, 85 Configuration (UDP security) 234
RFC 2181 118 Default for installation 79
RFCs Disabling actions 232
BGP 305, 306 Drop traffic 235
DNS 3 Examples of RRtype filtering 240
LDAP 347 Examples of UDP and TCP 228
NTP 263, 267 Examples of UDP, TCP, ICMP 229
RADIUS 332 Internal traffic 236
SNMP 391 Order 230
RIB, BGP 327 Pass traffic 237
rm command 89 Removal from interface 233
rmdir command 89 Removal of RRtype filter 241
Roles RRtype filtering 238
About 27 Syntax for RRtype filtering 239
Administrator 28, 31, 32 Syntax for UDP and TCP 227
Changing 10 Running Configuration State 83
Compartmentalization 83 rx2660, see HP Integrity rx2660
Creator 28 rx2800, see HP Integrity rx2800
Enabling 10
Hierarchy 29 S
Installer 28, 30 S64-CACHE-MIB.txt 392
Listing 43 S64-CHASSIS-MIB.txt 392
Removing from user account 44 s64_example.conf 94, 483
503
SECURE64 DNS CACHE 3.1
Index
504
Index
505
SECURE64 DNS CACHE 3.1
Index
V
val-bogus-ttl attribute 122
val-clean-additional attribute 123
Validation
AD (Authenticated Data) 190
506