公司内有1个巨老的系统,一直访问着我们提供的老API。当我们的API升级后因为新接手这个老系统的人都没法去升级调用API的接口。
因为自己这边负责的API回滚的代价太大,临时在老的服务器上换了1个端口把老的API启动起来。并提供了1个iptables供对方服务器重定向访问的端口。
源ip:10.1.1.1
API IP:192.168.1.1
API port: 8888
API port(run old api):2222
iptables -t nat -A OUTPUT -p tcp -d 192.168.1.1 --dport 8888-j DNAT --to-destination 192.168.1.1:22222
让对方在服务器上添加以上的规则,可以让对方机器访问192.168.1.1:8888的请求被重定向到192.168.1.1:22222
sysdig是个小巧的系统诊断工具。一方面可以帮助排查应用的瓶颈,另外一方面也可做异常排查的诊断工具观察进程的一些行为。
以前一直有个问题困扰着我,大量老机房下线时,基础的DNS服务下线非常麻烦。虽然能在dns服务器上抓包查看client段的ip并刷新client机器的resolv.conf配置,但是很多应用需要重启才能使用新的resolv.conf内的DNS IP,经常是1个机器上跑了各种agent,当前的负责人压根不了解是什么进程发起的。
sysdig实际可以解决这样的case
sysdig -p"%proc.name %proc.pid %fd.cip:%fd.cport %fd.sip:%fd.sport %fd.l4proto" fd.sport="53"
另外有时也想看看ntp是否在做同步,可以用类似的方式
sysdig -p"%proc.name %proc.pid %fd.cip:%fd.cport %fd.sip:%fd.sport %fd.l4proto" fd.sport="123"
附:
1. sysdig介绍 http://www.sysdig.org/
默认情况下,连接sftp服务器(openssh内建的sftp server)时在服务器只能留下一个登陆连接的信息。为了便于知晓在一段时间内到底有哪些客户端来访问过本地的文件,可以通过调整sftp的日志。
修改/etc/ssh/sshd_config,在sftp配置行添加”-l INFO” 完成配置
[bash]
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO
[/bash]
效果图
在使用salt做配置管理的时候,有时希望minion上能自动执行特定sls定义的动作,这个时候可以借助schedule来做。
在pillar内定义好schedule的内容
schedule:
dnsmaster:
function: state.sls
args:
- dns.dnsmaster
seconds: 10
pillar的top.sls里定义某个minion需要这个任务。
base:
'*':
- dns.alldns
'master1':
- schedule
在minion上执行一次pillar数据的同步
salt-call saltutil.refresh_pillar
近期内部的递归服务器上有大量的AAAA查询,因为一些非主流NS的不响应AAAA记录,使得递归服务器上递归量比较大。
bind9内开始支持filter-aaaa-v4/v6,主要的作用其实只是对相应的报文里作删除AAAA记录(如有)。单独验证了一下
1. filter-aaaa-on-v4
1.1 默认为no
如果有AAAA记录会全量返回 AAAA记录
如果没AAAA记录返回NOERR+SOA
1.2 设置为yes(Client IP为IPV4)
如果有AAAA记录会被删除返回返回NOERR+SOA
如果没AAAA记录返回NOERR+SOA
1.3 设置为yes(Client IP为IPV6)
行为不受影响。
2. filter-aaaa-on-v6
2.1 默认为no
如果有AAAA记录会全量返回 AAAA记录
如果没AAAA记录返回NOERR+SOA
2.2 设置为yes(Client IP为IPV4)
行为不受影响。
2.3 设置为yes(Client IP为IPV6)
如果有AAAA记录会被删除返回返回NOERR+SOA
如果没AAAA记录返回NOERR+SOA
filter-aaaa即便打开,当用户查询AAAA的时候bind也会去递归查询AAAA记录,所以并不能解决bind递归量大的问题。虽然可以通过iptables丢掉AAAA的包,但是也会影响用户的体验。
bind rpz和rrl作为bind 10里默认包含的2个模块,为bind的安全提供了有力的支撑。但实际使用不当会事得其反。
[ response-policy {
zone zone_name
[ policy (given | disabled | passthru | drop |
nxdomain | nodata | cname domain) ]
[ recursive-only yes_or_no ]
[ max-policy-ttl number ]
; [...]
} [ recursive-only yes_or_no ]
[ max-policy-ttl number ]
[ break-dnssec yes_or_no ]
[ min-ns-dots number ]
[ qname-wait-recurse yes_or_no ]
; ]
在服务器上配置如下的rpz策略
response-policy { zone "rpz.zone" policy given; }
zone "rpz.zone" { type master; file "master/rpz.zone"; };
zone "lala.com" { type forward; forwarders { 8.8.8.8; };};
rpz.zone内配置如下的内容,请求www.test.fr和*.lala.com都会阻塞很久,因为虽然我们做了策略,实际bind还是会等着取回结果再去操作。
$TTL 30
@ SOA nsa.vix.com. hostmaster.vix.com. 29 3600 1800 604800 30
NS localhost.
*.nxdomain.domain.com CNAME . ; NXDOMAIN policy
nodata.domain.com CNAME *. ; NODATA policy
*.drop.domain.com CNAME rpz-drop.
google.com IN CNAME google.com.
www.test.fr IN A 193.252.1.2
*.lala.com IN A 200.237.2.1
文档上这样说明:
qname-wait-recurse: May only appear in the global section of the response-policy statement. Takes the single value of either yes (default) or no. In normal operation, policy processing is invoked only when the results of any query are available (when the query process completes - successfully or unsuccessfully). This allows the "normal" resolver cache to contain the real results but can delay query response to the end user to an unacceptable level. The value no allows policy processing to occur when the query is received without waiting for a response. This behaviour control effectively only applies to QNAME Policy Triggers since all other triggers require query results to determine their actions.
因此需要设置qname-wait-recurse no;才能使得rpz操作的时候直接生效。
参考网上找的资料,写了一个简单的脚本,输入域名可以生成使用iptables封禁dns请求的规则,使用于内部递归dns的一些基本防护。
#!/bin/bash
create_iptables(){
name=$1
string=$( echo $name|awk -F '.' '{for(i=1;i<=NF;i++){printf("|%02x|%s",length($i),$i)}}')
string="$string|00|"
echo -e "rule for \e[1;32m $name \e[mquery:"
echo "iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "$string" --algo bm -j LOG --log-prefix "drop an dns query ""
echo "iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "$string" --algo bm -j DROP"
}
create_iptables_ex(){
name=$1
declare -A types
types["A"]="0001|"
types["MX"]="000f|"
types["CNAME"]="0005|"
types["ANY"]="00ff|"
types["AAAA"]="001c|"
types["NS"]="0002|"
types["SOA"]="0006|"
for t in ${!types[@]}
do
string=$( echo $name|awk -F '.' '{for(i=1;i<=NF;i++){printf("|%02x|%s",length($i),$i)}}')
string="$string|00${types[$t]}"
echo -e "rule for \e[1;32m $name \e \e[1;31m $t \e[mquery:"
echo "iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "$string" --algo bm -j LOG --log-prefix "drop an dns query ""
echo "iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "$string" --algo bm -j DROP"
done
}
if [ $# -lt 1 ];then
echo -e "usage:\n -t $0 www.abc.com"
fi
for domain in $@
do
echo "DROP $domain rule:"
create_iptables $domain
echo "DROP $domain TYPE rule:"
create_iptables_ex $domain
done
使用范例
DROP baidu.com rule:
rule for baidu.com query:
iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "|05|baidu|03|com|00|" --algo bm -j LOG --log-prefix "drop an dns query "
iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "|05|baidu|03|com|00|" --algo bm -j DROP
DROP baidu.com TYPE rule:
rule for baidu.com A query:
iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "|05|baidu|03|com|000001|" --algo bm -j LOG --log-prefix "drop an dns query "
iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "|05|baidu|03|com|000001|" --algo bm -j DROP
rule for baidu.com SOA query:
iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "|05|baidu|03|com|000006|" --algo bm -j LOG --log-prefix "drop an dns query "
iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "|05|baidu|03|com|000006|" --algo bm -j DROP
rule for baidu.com NS query:
iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "|05|baidu|03|com|000002|" --algo bm -j LOG --log-prefix "drop an dns query "
iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "|05|baidu|03|com|000002|" --algo bm -j DROP
rule for baidu.com CNAME query:
iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "|05|baidu|03|com|000005|" --algo bm -j LOG --log-prefix "drop an dns query "
iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "|05|baidu|03|com|000005|" --algo bm -j DROP
rule for baidu.com MX query:
iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "|05|baidu|03|com|00000f|" --algo bm -j LOG --log-prefix "drop an dns query "
iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "|05|baidu|03|com|00000f|" --algo bm -j DROP
rule for baidu.com AAAA query:
iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "|05|baidu|03|com|00001c|" --algo bm -j LOG --log-prefix "drop an dns query "
iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "|05|baidu|03|com|00001c|" --algo bm -j DROP
rule for baidu.com ANY query:
iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "|05|baidu|03|com|0000ff|" --algo bm -j LOG --log-prefix "drop an dns query "
iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "|05|baidu|03|com|0000ff|" --algo bm -j DROP
如果只是想封禁AAAA查询,可以使用–hex-string “|05|baidu|03|com|00000f|”,如果任意类型都想封禁就直接使用第一条
iptables -t raw -A PREROUTING -p udp --dport 53 -m string --hex-string "|05|baidu|03|com|00|" --algo bm -j DROP
-j LOG的规则时方便调试,实际场景下可以不使用。原文里很多都是简单做正则匹配,会有误伤。本文通过在生成的规则里批评了最后的”.”所有只会封”baidu.com.”,不会封其他的baidu.com.xxx.com
参考文档:
1. https://www.perturb.org/display/1186_Linux_Block_DNS_queries_for_specific_zone_with_IPTables.html
近两年tengine和nginx的在新特性的支持上差距越来越大。处于尝试新事物的好奇,动手升级到nginx-1.9.9。整个过程非常曲折,不再细说。。
主要的配置差异实际很小
listen 443 ssl so_keepalive=on spdy;
改为
listen 443 ssl so_keepalive=on http2;
但是因为之前开启了ssl_prefer_server_ciphers,升级前没仔细看过nginx官方的wiki,所以吃了不少苦头。升级之后页面直接就打不了, chrome 报错ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY。
Note that accepting HTTP/2 connections over TLS requires the “Application-Layer Protocol Negotiation” (ALPN) TLS extension support, which is available only since OpenSSL version 1.0.2. Using the “Next Protocol Negotiation” (NPN) TLS extension for this purpose (available since OpenSSL version 1.0.1) is not guaranteed.
Also note that if the ssl_prefer_server_ciphers directive is set to the value on, the ciphers should be configured to comply with RFC 7540, Appendix A black list and supported by clients.
搞定了http2后,另外奇葩的事情是blog打开就是空白的。php-fpm等运行正常,最终发现是nginx官方deb包里的fastcgi_params是错的,该用之前tengine使用的配置搞定。
参考:
1.http://nginx.org/en/docs/http/ngx_http_v2_module.html
近期内部开发反馈某些合作方的域名无法解析。团内同事分析发现这些域名都是托管在相同的一个域名厂商上,而且都是刷新cache后刚开始能解析,过段时间不能解析。
efly.cc
bhc888.net
直接dig的时候返回信息如下
; <<>> DiG 9.9.5-3ubuntu0.5-Ubuntu <<>> efly.cc
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7761
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;efly.cc. IN A
;; ANSWER SECTION:
efly.cc. 600 IN A 121.9.13.185
;; AUTHORITY SECTION:
efly.cc. 168802 IN NS ns2.eflydns.net.
efly.cc. 168802 IN NS ns1.eflydns.net.
;; Query time: 1356 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 29 19:00:23 CST 20
dump内存后发现有奇怪的NS记录,dig trace时打印详细信息
# dig bhc888.net +trace +all
; <<>> DiG 9.9.5-3ubuntu0.5-Ubuntu <<>> bhc888.net +trace +all
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24539
;; flags: qr ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 347738 IN NS m.root-servers.net.
. 347738 IN NS g.root-servers.net.
. 347738 IN NS h.root-servers.net.
. 347738 IN NS c.root-servers.net.
. 347738 IN NS e.root-servers.net.
. 347738 IN NS d.root-servers.net.
. 347738 IN NS k.root-servers.net.
. 347738 IN NS l.root-servers.net.
. 347738 IN NS a.root-servers.net.
. 347738 IN NS f.root-servers.net.
. 347738 IN NS b.root-servers.net.
. 347738 IN NS j.root-servers.net.
. 347738 IN NS i.root-servers.net.
. 518045 IN RRSIG NS 8 0 518400 20151209050000 20151129040000 62530 . EtQ9uRmWHEfzpE2KROfPA2LcYyde+z1YKDWRbfJBQebQ0S17h8FirKlu uaQFloFKfekxT+K6YsirfivvGlO2v4qcF6XvLMhsLinlJj/6+3DG7od/ ELN3wHTTUJOchLcQTkSW2BxalK5SWP0mRXhCo7TLro8S6C893n2uYWhK SzY=
;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 29 21:51:47 CST 2015
;; MSG SIZE rcvd: 397
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57915
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bhc888.net. IN A
;; AUTHORITY SECTION:
net. 172800 IN NS a.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
net. 172800 IN NS c.gtld-servers.net.
net. 172800 IN NS d.gtld-servers.net.
net. 172800 IN NS e.gtld-servers.net.
net. 172800 IN NS f.gtld-servers.net.
net. 172800 IN NS g.gtld-servers.net.
net. 172800 IN NS h.gtld-servers.net.
net. 172800 IN NS i.gtld-servers.net.
net. 172800 IN NS j.gtld-servers.net.
net. 172800 IN NS k.gtld-servers.net.
net. 172800 IN NS l.gtld-servers.net.
net. 172800 IN NS m.gtld-servers.net.
net. 86400 IN DS 35886 8 2 7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D 8BD973EE
net. 86400 IN RRSIG DS 8 1 86400 20151209050000 20151129040000 62530 . mu4PiPAwAMZ/X2wUCQTXZwwCiO9/hwlvB8sbg73q5a9jyaYnWPjpIMh2 1wJWzE2Xc+5+/VxE3uLzhALqfnvto0ACN4UlyXESJ2qiVc2k69PQ54hh 8PZO4b5CzkfG09bqccLJuGcyLuMacYSc4w1LmiSq329tk7OYZw09P2YG 0RU=
;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800 IN A 192.5.6.30
b.gtld-servers.net. 172800 IN A 192.33.14.30
c.gtld-servers.net. 172800 IN A 192.26.92.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
j.gtld-servers.net. 172800 IN A 192.48.79.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
m.gtld-servers.net. 172800 IN A 192.55.83.30
a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30
b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30
;; Query time: 344 msec
;; SERVER: 128.63.2.53#53(128.63.2.53)
;; WHEN: Sun Nov 29 21:51:47 CST 2015
;; MSG SIZE rcvd: 731
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64484
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bhc888.net. IN A
;; AUTHORITY SECTION:
bhc888.net. 172800 IN NS ns1.eflydns.net.
bhc888.net. 172800 IN NS ns2.eflydns.net.
A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN NSEC3 1 1 0 - A1RUUFFJKCT2Q54P78F8EJGJ8JBK7I8B NS SOA RRSIG DNSKEY NSEC3PARAM
A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN RRSIG NSEC3 8 2 86400 20151206063020 20151129052020 37703 net. QdTw71NidYfASViPME8hIX6IixUOqawLJgDF94/Z50pGN+V8mynVueuA 7sIYDinnSdZnkxIOUH284tZtfZRnUutLjocnd7YDb7hTqPSoP4QZij6A 8O7hGW+PRj/hRHJKhB7SN7aE6LN2zV+P6jLXLsTZmRnKBKAqzt+5/ZMe 23A=
K6E8QG8SUT2RJS20VQD9AQ0EQGOEVT99.net. 86400 IN NSEC3 1 1 0 - K6FGOS2E26R647F6LEEJI146DBAJE0PT NS DS RRSIG
K6E8QG8SUT2RJS20VQD9AQ0EQGOEVT99.net. 86400 IN RRSIG NSEC3 8 2 86400 20151206062959 20151129051959 37703 net. FxrolX/ogsqiCtZFd7KLBBfC9MibFkiFuIrTt9RTM+7RblfH6ZpgkxUD /oewDTkYarIMFNii+ABM+V9+fXDGszmSY4plFvTzfR7X5eiJWOVndvs2 ph8KubUiYd79+vCXkiHw86ILy1OEk3X79uhunpAO4lIaRwIq5TSQpjs+ KcY=
;; ADDITIONAL SECTION:
ns1.eflydns.net. 172800 IN A 121.201.11.2
ns1.eflydns.net. 172800 IN A 121.201.54.215
ns2.eflydns.net. 172800 IN A 121.201.11.2
ns2.eflydns.net. 172800 IN A 121.201.54.215
;; Query time: 201 msec
;; SERVER: 192.55.83.30#53(192.55.83.30)
;; WHEN: Sun Nov 29 21:51:48 CST 2015
;; MSG SIZE rcvd: 632
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33677
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; WARNING: Message has 8 extra bytes at end
;; QUESTION SECTION:
;bhc888.net. IN A
;; ANSWER SECTION:
bhc888.net. 600 IN A 14.17.121.64
;; AUTHORITY SECTION:
bhc888.net. 600 IN NS ns1.eflydns.net.
bhc888.net. 600 IN NS ns2.eflydns.net.
;; Query time: 41 msec
;; SERVER: 121.201.12.66#53(121.201.12.66)
;; WHEN: Sun Nov 29 21:51:48 CST 2015
;; MSG SIZE rcvd: 96
在trace内容中可以看到GLUE记录里的和实际的NS ip不一致。
glue记录显示
;; ADDITIONAL SECTION:
ns1.eflydns.net. 172800 IN A 121.201.11.2
ns1.eflydns.net. 172800 IN A 121.201.54.215
ns2.eflydns.net. 172800 IN A 121.201.11.2
ns2.eflydns.net. 172800 IN A 121.201.54.215
实际这2个IP都是不通的。很多人不清楚修改NS等需要同步改GLUE记录,就出现了这样的问题,去年当当网也出现过一次比较严重的故障。
Domain Name System Security Extensions (DNSSEC)DNS安全扩展,是由IETF提供的一系列DNS安全认证的机制,可参考RFC2535。DNSSEC主要是解决递归DNS到权威DNS直接的信任机制问题,并不能解决终端用户的任何问题。
目前在国内企业中使用dnssec的比较少。究其原因有两点:
1. 不配置也可以用。
2. 配置了意义也不大。
在国内绝大部分终端用户都是使用ISP分配的递归DNS,而这些递归dns还指望着对流量较大的域名做缓存加速以便节省网间结算费用,因此不会主动去支持DNSSEC。当这些递归DNS都不支持DNSSEC时,在权威DNS上实时DNSSEC的意义就很小了。
DNSSEC本身实施起来不难,以我自己购买的1个域名gnuers.info为例.
1. 域名注册在godaddy,支持添加DS记录。
2. 域名服务器是自己在阿里云虚拟机上部署的bind,可以支持DNSSEC。
当具备了这2个前提条件后,我就可以配置好域名服务器支持DNSSEC
实施的步凑如下:
1. 在本地生成密钥对
root# dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE gnuers.info.
root# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE gnuers.info
root#:/opt/bind/etc# ls *gnuers.info*
Kgnuers.info.+007+15644.key Kgnuers.info.+007+15644.private Kgnuers.info.+007+38841.key Kgnuers.info.+007+38841.private
$INCLUDE Kgnuers.info.+007+15644.key
$INCLUDE Kgnuers.info.+007+38841.key
然后直接签名会生成一个新的zone文件,以.signed结尾。
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o gnuers.info -t gnuers.info
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
至此dnssec的配置就结束了。可以dig +trace验证了。
参考:
1. https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server–2
