Version: 2026.01

Last updated: 2025/12/07 14:09

LDF406 - Application Security

Module Contents

  • LDF406 - Application Security
    • Module Contents
    • The Problem
    • Preparation
    • The Tools
      • LAB #1 - Netwox
        • 1.1 - Installation
        • 1.2 - Usage
        • 1.3 - Important warning
      • LAB #2 - Greenbone Vulnerability Management (GVM)
        • 2.1 - Overview
        • 2.2 - Preparation
        • 2.3 - Installation
        • 2.4 - Configuration
        • 2.5 - Usage
        • 2.6 - Analysing the Results
      • LAB #3 - Securing the DNS Server
        • 3.1 - The DNS Server
        • 3.2 - Preparing for the Installation
        • 3.3 - Installation
        • 3.4 - The configuration files
        • 3.5 - Usage
        • 3.6 - Creating the Key Pairs
        • 3.7 - Modifying the Bind Configuration
        • 3.8 - Signing the Zone
        • 3.9 - The DNS chain of trust

The Problem

Most security flaws are not due to the operating system itself but to the applications installed on it.

Preparation

The Tools

LAB #1 - Netwox

The netwox program is a powerful security-testing utility.

1.1 - Installation

Netwox is installed using APT:

root@debian12:~# cd /tmp

root@debian12:/tmp# cd ~

root@debian12:~# apt install netwox -y

1.2 - Usage

root@debian12:~# netwox
Netwox toolbox version 5.39.0. Netwib library version 5.39.0.

######################## MAIN MENU #########################
 0 - leave netwox
 3 - search tools
 4 - display help of one tool
 5 - run a tool selecting parameters on command line
 6 - run a tool selecting parameters from keyboard
 a + information
 b + network protocol
 c + application protocol
 d + sniff (capture network packets)
 e + spoof (create and send packets)
 f + record (file containing captured packets)
 g + client
 h + server
 i + ping (check if a computer if reachable)
 j + traceroute (obtain list of gateways)
 k + scan (computer and port discovery)
 l + network audit
 m + brute force (check if passwords are weak)
 n + remote administration
 o + tools not related to network
Select a node (key in 03456abcdefghijklmno): 

In interactive mode, netwox is driven through the menus it displays. In our case we want to use one of the tools from the network audit section, so we choose menu l:

Select a node (key in 03456abcdefghijklmno): l

###################### network audit #######################
 0 - leave netwox
 1 - go to main menu
 2 - go to previous menu
 3 - search tools
 4 - display help of one tool
 5 - run a tool selecting parameters on command line
 6 - run a tool selecting parameters from keyboard
 a + network audit using Ethernet
 b + network audit using IP
 c + network audit using TCP
 d + network audit using ICMP
 e + network audit using ARP
Select a node (key in 0123456abcde): 

Next, choose menu c:

Select a node (key in 0123456abcde): c

################# network audit using TCP ##################
 0 - leave netwox
 1 - go to main menu
 2 - go to previous menu
 3 - search tools
 4 - display help of one tool
 5 - run a tool selecting parameters on command line
 6 - run a tool selecting parameters from keyboard
 a - 76:Synflood
 b - 77:Check if seqnum are predictible
 c - 78:Reset every TCP packet
 d - 79:Acknowledge every TCP SYN
Select a node (key in 0123456abcd): 

Our test of choice is a Synflood test against one of our internal servers, so we choose menu a:

Select a node (key in 0123456abcd): a

################# help for tool number 76 ##################
Title: Synflood
+------------------------------------------------------------------------+
| This tool sends a lot of TCP SYN packets.                              |
| It permits to check how a firewall behaves when receiving packets      |
| which have to be ignored.                                              |
| Parameter --spoofip indicates how to generate link layer for spoofing. |
| Values 'best', 'link' or 'raw' are common choices for --spoofip. Here  |
| is the list of accepted values:                                        |
|  - 'raw' means to spoof at IP4/IP6 level (it uses system IP stack). If |
|    a firewall is installed, or on some systems, this might not work.   |
|  - 'linkf' means to spoof at link level (currently, only Ethernet is   |
|    supported). The 'f' means to Fill source Ethernet address.          |
|    However, if source IP address is spoofed, it might be impossible    |
|    to Fill it. So, linkf will not work: use linkb or linkfb instead.   |
|  - 'linkb' means to spoof at link level. The 'b' means to left a Blank |
|    source Ethernet address (0:0:0:0:0:0, do not try to Fill it).       |
|  - 'linkfb' means to spoof at link level. The 'f' means to try to Fill |
|    source Ethernet address, but if it is not possible, it is left      |
|    Blank.                                                              |
|  - 'rawlinkf' means to try 'raw', then try 'linkf'                     |
|  - 'rawlinkb' means to try 'raw', then try 'linkb'                     |
|  - 'rawlinkfb' means to try 'raw', then try 'linkfb'                   |
|  - 'linkfraw' means to try 'linkf', then try 'raw'                     |
|  - 'linkbraw' means to try 'linkb', then try 'raw'                     |
|  - 'linkfbraw' means to try 'linkfb', then try 'raw'                   |
|  - 'link' is an alias for 'linkfb'                                     |
|  - 'rawlink' is an alias for 'rawlinkfb'                               |
|  - 'linkraw' is an alias for 'linkfbraw'                               |
|  - 'best' is an alias for 'linkraw'. It should work in all cases.      |
|                                                                        |
| This tool may need to be run with admin privilege in order to spoof.   |
+------------------------------------------------------------------------+
Usage: netwox 76 -i ip -p port [-s spoofip]
Parameters:
 -i|--dst-ip ip                 destination IP address {5.6.7.8}
 -p|--dst-port port             destination port number {80}
 -s|--spoofip spoofip           IP spoof initialization type {linkbraw}
Example: netwox 76 -i "5.6.7.8" -p "80"
Example: netwox 76 --dst-ip "5.6.7.8" --dst-port "80"
Press 'r' or 'k' to run this tool, or any other key to continue 

Then press the [r] or [k] key to launch the tool.

Note that netwox can also be used without going through the interactive menus, provided you know the netwox number of the test to run:

# netwox 76 -i "10.0.2.3" -p "80"
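The help text above says the Synflood tool exists to check how a firewall behaves when it receives packets that should be ignored. The useful thing to watch while the test runs is therefore the target server's half-open TCP connection table. The script below is an added example and is not part of the course page or of netwox: it parses lines in the format of `ss -Htan state syn-recv` (the sample lines are constructed, using the 10.0.2.3 address from the command above), counts half-open sockets per local port, flags a port above a threshold, and checks whether SYN cookies are enabled. The function names, the threshold value of 3 and the file-path argument of `syncookies_enabled` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the course page or from netwox): observe the target
# server's half-open TCP connections while a netwox 76 test is running.
# On a real host the input comes from:   ss -Htan state syn-recv
# Columns: Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# The lines below are constructed sample output in that format.
SAMPLE_SS_OUTPUT='0      0      10.0.2.3:80      198.51.100.7:40001
0      0      10.0.2.3:80      198.51.100.8:40002
0      0      10.0.2.3:80      198.51.100.9:40003
0      0      10.0.2.3:22      10.0.2.50:51000'

# syn_recv_per_port INPUT
# Prints "port count" for every local port with half-open sockets, sorted by port.
syn_recv_per_port() {
  printf '%s\n' "$1" | awk '
    NF >= 4 { p = $3; sub(/.*:/, "", p); n[p]++ }
    END     { for (p in n) print p, n[p] }' | sort -n
}

# syn_flood_suspected INPUT PORT THRESHOLD
# Returns 0 when PORT has at least THRESHOLD half-open sockets. The threshold is
# an assumed, site-specific value: a busy web server legitimately has a few.
syn_flood_suspected() {
  count=$(printf '%s\n' "$1" | awk -v port="$2" '
    NF >= 4 { p = $3; sub(/.*:/, "", p); if (p == port) c++ }
    END     { print c + 0 }')
  [ "$count" -ge "$3" ]
}

# syncookies_enabled [FILE]
# SYN cookies are the kernel-side mitigation for this kind of flood.
# FILE defaults to the live sysctl; a path can be passed to check a saved value.
syncookies_enabled() {
  f=${1:-/proc/sys/net/ipv4/tcp_syncookies}
  [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Stand-alone run: report on the constructed sample.
syn_recv_per_port "$SAMPLE_SS_OUTPUT"
if syn_flood_suspected "$SAMPLE_SS_OUTPUT" 80 3; then
  echo "port 80: SYN flood suspected"
fi
if syncookies_enabled; then
  echo "tcp_syncookies: on"
else
  echo "tcp_syncookies: off or unreadable"
fi
```

On the server under test, replace the constructed sample with `ss -Htan state syn-recv` output captured during the test; a port whose half-open count keeps growing while the firewall is supposed to drop the packets is the finding the test is meant to reveal.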

1.3 - Important warning

netwox is a powerful tool. Note that:

  • it must not be installed on a production server but on the administrator's workstation,
  • netwox is also available in a Windows™ version,
  • using netwox for any purpose other than testing is prohibited.

LAB #2 - Greenbone Vulnerability Management (GVM)

2.1 - Overview

Greenbone Vulnerability Management (GVM), also known as OpenVAS, is the free successor of the Nessus scanner, which became proprietary. Like Nessus, GVM is a vulnerability scanner that sweeps a host or a range of hosts to try to detect security flaws.

2.2 - Preparation

Put SELinux into permissive mode and disable it in the /etc/selinux/config file:

[root@centos7 ~]# setenforce permissive

[root@centos7 ~]# sed -i 's/=enforcing/=disabled/' /etc/selinux/config

[root@centos7 ~]# reboot

Insert a firewall rule to allow access to the HTML interface of the OpenVAS client:

[root@centos7 ~]# firewall-cmd --zone=public --add-port=9443/tcp --permanent
success
[root@centos7 ~]# firewall-cmd --reload
success

2.3 - Installation

Download and install epel-release-7-14.noarch.rpm:

[root@centos7 ~]# wget https://archives.fedoraproject.org/pub/archive/epel/7/x86_64/Packages/e/epel-release-7-14.noarch.rpm
--2025-12-01 15:29:01--  https://archives.fedoraproject.org/pub/archive/epel/7/x86_64/Packages/e/epel-release-7-14.noarch.rpm
Resolving archives.fedoraproject.org (archives.fedoraproject.org)... 38.145.32.23, 38.145.32.22, 38.145.32.24
Connecting to archives.fedoraproject.org (archives.fedoraproject.org)|38.145.32.23|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15608 (15K) [application/x-rpm]
Saving to: ‘epel-release-7-14.noarch.rpm’

100%[========================================================================================================================================================================>] 15,608      --.-K/s   in 0.03s   

2025-12-01 15:29:01 (532 KB/s) - ‘epel-release-7-14.noarch.rpm’ saved [15608/15608]

[root@centos7 ~]# yum localinstall epel-release-7-14.noarch.rpm --nogpgcheck

Then install openvas-scanner, openvas-manager, openvas-gsa and openvas-cli using yum:

[root@centos7 ~]# yum install openvas-scanner openvas-manager openvas-gsa openvas-cli coreutils openssl

2.4 - Configuration

The OpenVAS commands are the following:

[root@centos7 ~]# ls -l /usr/sbin/openvas*
-rwxr-xr-x. 1 root root   18066 Sep  6  2016 /usr/sbin/openvas-certdata-sync
-rwxr-xr-x. 1 root root 2182496 Sep  6  2016 /usr/sbin/openvasmd
-rwxr-xr-x. 1 root root   37993 Sep  6  2016 /usr/sbin/openvas-migrate-to-postgres
-rwxr-xr-x. 1 root root   11998 Sep  6  2016 /usr/sbin/openvas-mkcert
-rwxr-xr-x. 1 root root   10976 Sep  6  2016 /usr/sbin/openvas-nvt-sync
-rwxr-xr-x. 1 root root     766 Sep  6  2016 /usr/sbin/openvas-nvt-sync-cron
-rwxr-xr-x. 1 root root    2555 Sep  6  2016 /usr/sbin/openvas-portnames-update
-rwxr-xr-x. 1 root root   38378 Sep  6  2016 /usr/sbin/openvas-scapdata-sync
-rwxr-xr-x. 1 root root   86640 Sep  6  2016 /usr/sbin/openvassd
  • /usr/sbin/openvas-mkcert,
    • This command generates an SSL certificate,
  • /usr/sbin/openvas-nvt-sync,
    • This command updates the OpenVAS plugins (NVTs),
  • /usr/sbin/openvassd,
    • This command starts the OpenVAS server.

Now run the openvas-check-setup command:

[root@centos7 ~]# openvas-check-setup 
openvas-check-setup 2.3.3
  Test completeness and readiness of OpenVAS-8
  (add '--v6' or '--v7' or '--v9'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ... 
        OK: OpenVAS Scanner is present in version 5.0.6.
        ERROR: No CA certificate file of OpenVAS Scanner found.
        FIX: Run 'openvas-mkcert'.

 ERROR: Your OpenVAS-8 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

If you think this result is wrong, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

Important - Note the error ERROR: No CA certificate file of OpenVAS Scanner found.

So create an SSL certificate:

[root@centos7 ~]# openvas-mkcert

-------------------------------------------------------------------------------
			Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

This script will now ask you the relevant information to create the SSL certificate of OpenVAS.
Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your OpenVAS daemon will be able to retrieve this information.


CA certificate life time in days [1460]: 3650
Server certificate life time in days [365]: 3650
Your country (two letter code) [DE]: UK
Your state or province name [none]: SURREY
Your location (e.g. town) [Berlin]: ADDLESTONE
Your organization [OpenVAS Users United]: I2TCH LIMITED

-------------------------------------------------------------------------------
			Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

Congratulations. Your server certificate was properly created.

The following files were created:

. Certification authority:
   Certificate = /etc/pki/openvas/CA/cacert.pem
   Private key = /etc/pki/openvas/private/CA/cakey.pem

. OpenVAS Server : 
    Certificate = /etc/pki/openvas/CA/servercert.pem
    Private key = /etc/pki/openvas/private/CA/serverkey.pem

Press [ENTER] to exit

[Enter]
[root@centos7 ~]# 

Run the openvas-check-setup command again:

[root@centos7 ~]# openvas-check-setup 
openvas-check-setup 2.3.3
  Test completeness and readiness of OpenVAS-8
  (add '--v6' or '--v7' or '--v9'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ... 
        OK: OpenVAS Scanner is present in version 5.0.6.
        OK: OpenVAS Scanner CA Certificate is present as /etc/pki/openvas/CA/cacert.pem.
/bin/openvas-check-setup: line 219: redis-server: command not found
        ERROR: No redis-server installation found.
        FIX: You should install redis-server for improved scalability and ability to trace/debug the KB

 ERROR: Your OpenVAS-8 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

If you think this result is wrong, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

Important - Note the error ERROR: No redis-server installation found.

So install redis:

[root@centos7 ~]# yum install redis

Enable (uncomment) the following two lines in the /etc/redis.conf file:

...
# unixsocket /tmp/redis.sock
# unixsocketperm 700
...
[root@centos7 ~]# sed -i '/^#.*unixsocket/s/^# //' /etc/redis.conf

Add the line kb_location = /tmp/redis.sock to the /etc/openvas/openvassd.conf file:

...
# KB test replay :
kb_dont_replay_scanners = no
kb_dont_replay_info_gathering = no
kb_dont_replay_attacks = no
kb_dont_replay_denials = no
kb_max_age = 864000
kb_location = /tmp/redis.sock
#--- end of the KB section
...

Enable and start the redis service:

[root@centos7 ~]# systemctl enable redis
Created symlink from /etc/systemd/system/multi-user.target.wants/redis.service to /usr/lib/systemd/system/redis.service.

[root@centos7 ~]# systemctl start redis

[root@centos7 ~]# systemctl status redis
● redis.service - Redis persistent key-value database
   Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/redis.service.d
           └─limit.conf
   Active: active (running) since Mon 2025-12-01 15:45:16 CET; 3s ago
 Main PID: 13037 (redis-server)
   CGroup: /system.slice/redis.service
           └─13037 /usr/bin/redis-server 127.0.0.1:6379

Dec 01 15:45:16 centos7.fenestros.loc systemd[1]: Starting Redis persistent key-value database...
Dec 01 15:45:16 centos7.fenestros.loc systemd[1]: Started Redis persistent key-value database.
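The three steps above (uncommenting unixsocket and unixsocketperm in redis.conf, setting kb_location in openvassd.conf, starting redis) only work together if the scanner and Redis name the same socket and the socket is not world-accessible. The script below is an added example, not part of the course page or of OpenVAS: it performs that consistency check on constructed copies of the two files, first with the directives still commented out (the state redis.conf ships in) and then after applying the same sed command the course uses. The function names are assumptions; on the CentOS 7 host the real paths are /etc/redis.conf and /etc/openvas/openvassd.conf.

```shell
#!/bin/sh
# Added example (not from the course page or from OpenVAS): verify that the
# Redis socket the scanner uses (kb_location in openvassd.conf) matches the
# socket Redis exposes (unixsocket in redis.conf) and that its permission is
# restrictive. Constructed temp copies are used so the check runs anywhere.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed copy of redis.conf as shipped: both directives commented out.
cat > "$WORK/redis.conf" <<'EOF'
port 6379
# unixsocket /tmp/redis.sock
# unixsocketperm 700
EOF

# Constructed KB section of openvassd.conf after the course's edit.
cat > "$WORK/openvassd.conf" <<'EOF'
kb_max_age = 864000
kb_location = /tmp/redis.sock
EOF

# redis_directive FILE DIRECTIVE
# Active (uncommented) value of a redis.conf directive; empty if commented out.
redis_directive() {
  awk -v d="$2" '$1 == d { print $2 }' "$1"
}

# openvas_kb_location FILE
# Value of kb_location in openvassd.conf ("key = value" syntax).
openvas_kb_location() {
  awk -F'=' '$1 ~ /^[ \t]*kb_location[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }' "$1"
}

# kb_socket_consistent REDIS_CONF OPENVASSD_CONF
# Returns 0 when both files agree on the socket and the socket is not
# world-accessible; prints the reason and returns 1 otherwise.
kb_socket_consistent() {
  sock=$(redis_directive "$1" unixsocket)
  perm=$(redis_directive "$1" unixsocketperm)
  kb=$(openvas_kb_location "$2")
  if [ -z "$sock" ]; then
    echo "unixsocket is not enabled in $1"; return 1
  fi
  if [ "$sock" != "$kb" ]; then
    echo "kb_location ($kb) differs from unixsocket ($sock)"; return 1
  fi
  case "$perm" in
    700|770) ;;
    *) echo "unixsocketperm is '$perm', expected 700"; return 1 ;;
  esac
  return 0
}

# Before the sed from the course: directives still commented out, check fails.
if kb_socket_consistent "$WORK/redis.conf" "$WORK/openvassd.conf"; then
  echo "before sed: OK"
else
  echo "before sed: FAIL"
fi

# The same sed command as on the course page, applied to the constructed copy.
sed -i '/^#.*unixsocket/s/^# //' "$WORK/redis.conf"

if kb_socket_consistent "$WORK/redis.conf" "$WORK/openvassd.conf"; then
  echo "after sed: OK"
else
  echo "after sed: FAIL"
fi
```

The openvas-check-setup run that follows performs a similar check live against the running redis-server; this script lets you confirm the two files agree before starting the service, and the permission test catches a socket left readable by every local user.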

Run the openvas-check-setup command once more:

[root@centos7 ~]# openvas-check-setup
...
Step 1: Checking OpenVAS Scanner ... 
        OK: OpenVAS Scanner is present in version 5.0.6.
        OK: OpenVAS Scanner CA Certificate is present as /etc/pki/openvas/CA/cacert.pem.
        OK: redis-server is present in version v=3.2.10.
        OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
        OK: redis-server is running and listening on socket: /tmp/redis.sock.
        OK: redis-server configuration is OK and redis-server is running.
        ERROR: The NVT collection is very small.
        FIX: Run a synchronization script like openvas-nvt-sync or greenbone-nvt-sync.
...

Important - Note the error ERROR: The NVT collection is very small.

Download the greenbone-nvt-sync script:

[root@centos7 ~]# wget -O greenbone-nvt-sync "https://www.dropbox.com/scl/fi/10hf8fpdq2yhd821qb5pk/greenbone-nvt-sync?rlkey=7f4taliexlpg54pa1c1yz8czx&st=tkvnjg55"

If you cannot download the greenbone-nvt-sync script, copy its contents from below and create the file yourself. Note that the script contains build-time placeholders such as @OPENVAS_VERSION@, @OPENVAS_SYSCONF_DIR@, @OPENVAS_FEED_LOCK_PATH@, @GVM_ACCESS_KEY_DIR@ and @OPENVAS_NVT_DIR@ that must be replaced with the real values for your installation before it will run:

[root@centos7 ~]# vi greenbone-nvt-sync
[root@centos7 ~]# cat greenbone-nvt-sync
#!/bin/sh
# Copyright (C) 2009-2021 Greenbone Networks GmbH
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

# This script updates the local Network Vulnerability Tests (NVTs) from the
# Greenbone Security Feed (GSF) or the Greenbone Community Feed (GCF). 

VERSION=@OPENVAS_VERSION@

# SETTINGS
# ========

# PRIVATE_SUBDIR defines a subdirectory of the NVT directory that is excluded
# from the feed sync. This is where to place your own NVTs.
if [ -z "$PRIVATE_SUBDIR" ]
then
  PRIVATE_SUBDIR="private"
fi

# RSYNC_DELETE controls whether files which are not part of the repository will
# be removed from the local directory after synchronization. The default value
# for this setting is
# "--delete --exclude \"$PRIVATE_SUBDIR/\"",
# which means that files which are not part of the feed or private directory
# will be deleted.
RSYNC_DELETE="--delete --exclude $PRIVATE_SUBDIR/"

# RSYNC_SSH_OPTS contains options which should be passed to ssh for the rsync
# connection to the repository.
RSYNC_SSH_OPTS="-o \"UserKnownHostsFile=/dev/null\" -o \"StrictHostKeyChecking=no\""

# RSYNC_COMPRESS specifies the compression level to use for the rsync connection.
RSYNC_COMPRESS="--compress-level=9"

# RSYNC_CHMOD specifies the permissions to chmod the files to.
RSYNC_CHMOD="--perms --chmod=Fugo+r,Fug+w,Dugo-s,Dugo+rx,Dug+w"

# Verbosity flag for rsync. "-q" means a quiet rsync, "-v" a verbose rsync.
RSYNC_VERBOSE="-q"

# RSYNC_OPTIONS controls the general parameters for the rsync connection.
RSYNC_OPTIONS="--links --times --omit-dir-times $RSYNC_VERBOSE --recursive --partial --progress"

# Script and feed information which will be made available to user through
# command line options and automated tools.
# Script name which will be used for logging
SCRIPT_NAME="greenbone-nvt-sync"

# Result of selftest () is stored here. If it is not 0, the selftest has failed
# and the sync script is unlikely to work.
SELFTEST_FAIL=0

# Port to use for synchronization. Default value is 24.
PORT=24

# Directory where the OpenVAS configuration is located
OPENVAS_SYSCONF_DIR="@OPENVAS_SYSCONF_DIR@"

# Directory where the feed update lock file will be placed.
OPENVAS_FEED_LOCK_PATH="@OPENVAS_FEED_LOCK_PATH@"

# Location of the GSF Access Key
ACCESS_KEY="@GVM_ACCESS_KEY_DIR@/gsf-access-key"

# If ENABLED is set to 0, the sync script will not perform a synchronization.
ENABLED=1

# LOG_CMD defines the command to use for logging. To have logger log to stderr
# as well as syslog, add "-s" here. The logging facility is checked. In case of error
# all will be logged in the standard error and the socket error check will be
# disabled.
LOG_CMD="logger -t $SCRIPT_NAME"

check_logger () {
  logger -p daemon.info -t $SCRIPT_NAME "Checking logger" --no-act 1>/dev/null 2>&1
  if [ $? -gt 0 ]
  then
    LOG_CMD="logger -s -t $SCRIPT_NAME"
    $LOG_CMD -p daemon.warning "The log facility is not working as expected. All messages will be written to the standard error stream."
  fi
}
check_logger


# Source configuration file if it is readable
[ -r $OPENVAS_SYSCONF_DIR/greenbone-nvt-sync.conf ] && . $OPENVAS_SYSCONF_DIR/greenbone-nvt-sync.conf

# NVT_DIR is the place where the NVTs are located.
if [ -z "$NVT_DIR" ]
then
  NVT_DIR="@OPENVAS_NVT_DIR@"
fi

log_write () {
  $LOG_CMD -p daemon.notice $1
}

log_debug () {
  $LOG_CMD -p daemon.debug "$1"
}

log_info () {
  $LOG_CMD -p daemon.info "$1"
}

log_notice () {
  $LOG_CMD -p daemon.notice "$1"
}

log_warning () {
  $LOG_CMD -p daemon.warning "$1"
}

log_err () {
  $LOG_CMD -p daemon.err "$1"
}

stderr_write ()
{
  echo "$1" > /dev/stderr
}

# Read the general information about the feed origin from
# the file "plugin_feed_info.inc" inside the feed directory.
get_feed_info ()
{
  INFOFILE="$NVT_DIR/plugin_feed_info.inc"
  if [ -r $INFOFILE ] ; then
    FEED_VERSION=`grep PLUGIN_SET $INFOFILE | sed -e 's/[^0-9]//g'`
    FEED_NAME=`awk -F\" '/PLUGIN_FEED/ { print $2 }' $INFOFILE`
    FEED_VENDOR=`awk -F\" '/FEED_VENDOR/ { print $2 }' $INFOFILE`
    FEED_HOME=`awk -F\" '/FEED_HOME/ { print $2 }' $INFOFILE`
    FEED_PRESENT=1
  else
    FEED_PRESENT=0
  fi

  if [ -z "$FEED_NAME" ] ; then
    FEED_NAME="Unidentified Feed"
  fi

  if [ -z "$FEED_VENDOR" ] ; then
    FEED_VENDOR="Unidentified Vendor"
  fi

  if [ -z "$FEED_HOME" ] ; then
    FEED_HOME="Unidentified Feed Homepage"
  fi
}

# Prevent that root executes this script
if [ "`id -u`" -eq "0" ]
then
  stderr_write "$0 must not be executed as privileged user root"
  stderr_write
  stderr_write "Unlike the actual scanner the sync routine does not need privileges."
  stderr_write "Accidental execution as root would prevent later overwriting of"
  stderr_write "files with a non-privileged user."

  log_err "Denied to run as root"
  exit 1
fi

# Always try to get the information when started.
# This also ensures variables like FEED_PRESENT are set.
get_feed_info

# Determine whether a GSF access key is present. If yes,
# then use the Greenbone Security Feed. Else use the
# Greenbone Community Feed.
if [ -e $ACCESS_KEY ]
then
  RESTRICTED=1
else
  RESTRICTED=0

  if [ -z "$COMMUNITY_NVT_RSYNC_FEED" ]; then
    COMMUNITY_NVT_RSYNC_FEED=rsync://feed.community.greenbone.net:/nvt-feed
    # An alternative syntax which might work if the above doesn't:
    # COMMUNITY_NVT_RSYNC_FEED=rsync@feed.community.greenbone.net::/nvt-feed
  fi
fi

RSYNC=`command -v rsync`

if [ -z "$TMPDIR" ]; then
  SYNC_TMP_DIR=/tmp
  # If we have mktemp, create a temporary dir (safer)
  if [ -n "`which mktemp`" ]; then
    SYNC_TMP_DIR=`mktemp -t -d greenbone-nvt-sync.XXXXXXXXXX` || { echo "ERROR: Cannot create temporary directory for file download" >&2; exit 1 ; }
    trap "rm -rf $SYNC_TMP_DIR" EXIT HUP INT TRAP TERM
  fi
else
  SYNC_TMP_DIR="$TMPDIR"
fi

# Initialize this indicator variable with default assuming the
# feed is not up-to-date.
FEED_CURRENT=0

# This function uses gos-state-manager to get information about the settings.
# If gos-state-manager is not installed the values of the settings can not be
# retrieved.
#
# Input: option
# Output: value as string or empty String if gos-state-manager is not installed
#         or option not set
get_value ()
{
  value=""
  key=$1
  if which gos-state-manager 1>/dev/null 2>&1
  then
    if gos-state-manager get "$key.value" 1>/dev/null 2>&1
    then
      value="$(gos-state-manager get "$key.value")"
    fi
  fi
  echo "$value"
}

# Creates a restricted access copy of the access key if necessary.
setup_temp_access_key () {
  if [ -e "$ACCESS_KEY" ]
  then
    FILE_ACCESS=`stat -c%a "$ACCESS_KEY" | cut -c2-`
  fi
  if [ -n "$FILE_ACCESS" ] && [ "00" != "$FILE_ACCESS" ]
  then
    TEMP_ACCESS_KEY_DIR=`mktemp -d`
    TEMP_ACCESS_KEY="$TEMP_ACCESS_KEY_DIR/gsf-access-key"
    cp "$ACCESS_KEY" "$TEMP_ACCESS_KEY"
    chmod 400 "$TEMP_ACCESS_KEY"
  else
    TEMP_ACCESS_KEY_DIR=""
    TEMP_ACCESS_KEY="$ACCESS_KEY"
  fi
}

# Deletes the read-only copy of the access key.
cleanup_temp_access_key () {
  if [ -n "$TEMP_ACCESS_KEY_DIR" ]
  then
    rm -rf "$TEMP_ACCESS_KEY_DIR"
  fi
  TEMP_ACCESS_KEY_DIR=""
  TEMP_ACCESS_KEY=""
}

is_feed_current () {
  if [ -z "$FEED_VERSION" ]
  then
    log_write "Could not determine feed version."
    FEED_CURRENT=0
    return $FEED_CURRENT
  fi

  if [ -z "$RSYNC" ]
  then
    log_notice "rsync not available, skipping feed version test"
    FEED_CURRENT=0
    rm -rf $FEED_INFO_TEMP_DIR
    cleanup_temp_access_key
    return 0
  fi

  FEED_INFO_TEMP_DIR=`mktemp -d`

  if [ -e $ACCESS_KEY ]
  then
    gsmproxy=$(get_value proxy_feed | sed -r -e 's/^.*\/\///' -e 's/:([0-9]+)$/ \1/')
    syncport=$(get_value syncport)
    if [ "$syncport" ]
    then
      PORT="$syncport"
    fi

    read feeduser < $ACCESS_KEY
    custid=`awk -F@ 'NR > 1 { exit }; { print $1 }' $ACCESS_KEY`
    if [ -z "$feeduser" ] || [ -z "$custid" ]
    then
      log_err "Could not determine credentials, aborting synchronization."
      exit 1
    fi

    setup_temp_access_key

    if [ "$gsmproxy" = "proxy_feed" ] || [ -z "$gsmproxy" ]
    then
      RSYNC_SSH_PROXY_CMD=""
    else
      if [ -e $OPENVAS_SYSCONF_DIR/proxyauth ] && [ -r $OPENVAS_SYSCONF_DIR/proxyauth ]
      then
        RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p $OPENVAS_SYSCONF_DIR/proxyauth\""
      else
        RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p\""
      fi
    fi

    rsync -e "ssh $RSYNC_SSH_OPTS $RSYNC_SSH_PROXY_CMD -p $PORT -i $TEMP_ACCESS_KEY" $RSYNC_OPTIONS $RSYNC_DELETE $RSYNC_COMPRESS $RSYNC_CHMOD "$feeduser"plugin_feed_info.inc $FEED_INFO_TEMP_DIR

    if [ $? -ne 0 ]
    then
      log_err "Error: rsync failed."
      rm -rf "$FEED_INFO_TEMP_DIR"
      exit 1
    fi
  else
    # Sleep for five seconds (a previous feed might have been synced a few seconds before) to prevent
    # IP blocking due to network equipment in between keeping the previous connection too long open.
    sleep 5
    log_notice "No Greenbone Security Feed access key found, falling back to Greenbone Community Feed"
    eval "$RSYNC -ltvrP \"$COMMUNITY_NVT_RSYNC_FEED/plugin_feed_info.inc\" \"$FEED_INFO_TEMP_DIR\""
    if [ $? -ne 0 ]
    then
      log_err "rsync failed, aborting synchronization."
      rm -rf "$FEED_INFO_TEMP_DIR"
      exit 1
    fi
  fi

  FEED_VERSION_SERVER=`grep PLUGIN_SET $FEED_INFO_TEMP_DIR/plugin_feed_info.inc | sed -e 's/[^0-9]//g'`

  if [ -z "$FEED_VERSION_SERVER" ]
  then
    log_err "Could not determine server feed version."
    rm -rf $FEED_INFO_TEMP_DIR
    cleanup_temp_access_key
    exit 1
  fi
  # Check against FEED_VERSION
  if [ $FEED_VERSION -lt $FEED_VERSION_SERVER ] ; then
    FEED_CURRENT=0
  else
    FEED_CURRENT=1
  fi
  # Cleanup
  rm -rf "$FEED_INFO_TEMP_DIR"
  cleanup_temp_access_key

  return $FEED_CURRENT
}

do_rsync_community_feed () {
  # Sleep for five seconds (a previous feed might have been synced a few seconds before) to prevent
  # IP blocking due to network equipment in between keeping the previous connection too long open.
  sleep 5
  log_notice "Configured NVT rsync feed: $COMMUNITY_NVT_RSYNC_FEED"
  mkdir -p "$NVT_DIR"
  eval "$RSYNC -ltvrP $RSYNC_DELETE \"$COMMUNITY_NVT_RSYNC_FEED\" \"$NVT_DIR\" --exclude=plugin_feed_info.inc"
  if [ $? -ne 0 ] ; then
    log_err "rsync failed."
    exit 1
  fi
  # Sleep for five seconds (after the above rsync call) to prevent IP blocking due
  # to network equipment in between keeping the previous connection too long open.
  sleep 5
  eval "$RSYNC -ltvrP $RSYNC_DELETE \"$COMMUNITY_NVT_RSYNC_FEED/plugin_feed_info.inc\" \"$NVT_DIR\""
  if [ $? -ne 0 ] ; then
    log_err "rsync failed."
    exit 1
  fi
}

sync_nvts(){
  if [ $ENABLED -ne 1 ]
  then
    log_write "NVT synchronization is disabled, exiting."
    exit 0
  fi

  if [ -e $ACCESS_KEY ]
  then
    log_write "Synchronizing NVTs from the Greenbone Security Feed into $NVT_DIR..."
    if [ $FEED_PRESENT -eq 1 ] ; then
      FEEDCOUNT=`grep -E "nasl$|inc$" $NVT_DIR/md5sums | wc -l`
      log_write "Current status: Using $FEED_NAME at version $FEED_VERSION ($FEEDCOUNT NVTs)"
    else
      log_write "Current status: No feed installed."
    fi
    notsynced=1
    retried=0

    mkdir -p "$NVT_DIR"
    read feeduser < $ACCESS_KEY
    custid=`awk -F@ 'NR > 1 { exit }; { print $1 }' $ACCESS_KEY`
    if [ -z "$feeduser" ] || [ -z "$custid" ]
    then
      log_err "Could not determine credentials, aborting synchronization."
      exit 1
    fi

    setup_temp_access_key

    while [ $notsynced -eq 1 ]
    do

      gsmproxy=$(get_value proxy_feed | sed -r -e 's/^.*\/\///' -e 's/:([0-9]+)$/ \1/')
      syncport=$(get_value syncport)
      if [ "$syncport" ]
      then
        PORT="$syncport"
      fi

      if [ "$gsmproxy" = "proxy_feed" ] || [ -z "$gsmproxy" ]
      then
        RSYNC_SSH_PROXY_CMD=""
      else
        if [ -e $OPENVAS_SYSCONF_DIR/proxyauth ] && [ -r $OPENVAS_SYSCONF_DIR/proxyauth ]; then
          RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p $OPENVAS_SYSCONF_DIR/proxyauth\""
        else
          RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p\""
        fi
      fi
      rsync -e "ssh $RSYNC_SSH_OPTS $RSYNC_SSH_PROXY_CMD -p $PORT -i $TEMP_ACCESS_KEY" --exclude=plugin_feed_info.inc $RSYNC_OPTIONS $RSYNC_DELETE $RSYNC_COMPRESS $RSYNC_CHMOD $feeduser $NVT_DIR
      if [ $? -ne 0 ]  ; then
        log_err "rsync failed, aborting synchronization."
        exit 1
      fi
      rsync -e "ssh $RSYNC_SSH_OPTS $RSYNC_SSH_PROXY_CMD -p $PORT -i $TEMP_ACCESS_KEY" $RSYNC_OPTIONS $RSYNC_DELETE $RSYNC_COMPRESS $RSYNC_CHMOD "$feeduser"plugin_feed_info.inc $NVT_DIR
      if [ $? -ne 0 ]  ; then
        log_err "rsync failed, aborting synchronization."
        exit 1
      fi
      eval "cd \"$NVT_DIR\" ; md5sum -c --status \"$NVT_DIR/md5sums\""
      if [ $? -ne 0 ]  ; then
        if [ -n "$retried" ]
        then
          log_err "Feed integrity check failed twice, aborting synchronization."
          cleanup_temp_access_key
          exit 1
        else
          log_write "The feed integrity check failed. This may be due to a concurrent feed update or other temporary issues."
          log_write "Sleeping 15 seconds before retrying ..."
          sleep 15
          retried=1
        fi
      else
        notsynced=0
      fi
    done
    cleanup_temp_access_key
    log_write "Synchronization with the Greenbone Security Feed successful."
    get_feed_info
    if [ $FEED_PRESENT -eq 1 ] ; then
      FEEDCOUNT=`grep -E "nasl$|inc$" $NVT_DIR/md5sums | wc -l`
      log_write "Current status: Using $FEED_NAME at version $FEED_VERSION ($FEEDCOUNT NVTs)"
    else
      log_write "Current status: No feed installed."
    fi
  else
    log_notice "No Greenbone Security Feed access key found, falling back to Greenbone Community Feed"
    do_rsync_community_feed
  fi
}

do_self_test ()
{
  MD5SUM_AVAIL=`command -v md5sum`
  if [ $? -ne 0 ] ; then
    SELFTEST_FAIL=1
    stderr_write "The md5sum binary could not be found."
  fi

  RSYNC_AVAIL=`command -v rsync`
  if [ $? -ne 0 ] ; then
    SELFTEST_FAIL=1
    stderr_write "The rsync binary could not be found."
  fi
}

do_describe ()
{
  echo "This script synchronizes an NVT collection with the '$FEED_NAME'."
  echo "The '$FEED_NAME' is provided by '$FEED_VENDOR'."
  echo "Online information about this feed: '$FEED_HOME'."
}

do_feedversion () {
  if [ $FEED_PRESENT -eq 1 ] ; then
    echo $FEED_VERSION
  else
    stderr_write "The file containing the feed version could not be found."
    exit 1
  fi
}

do_sync ()
{
  do_self_test
  if [ $SELFTEST_FAIL -ne 0 ] ; then
    exit $SELFTEST_FAIL
  fi

  if [ $FEED_CURRENT -eq 1 ]
  then
    log_write "Feed is already current, skipping synchronization."
  else
    (
      chmod +660 $OPENVAS_FEED_LOCK_PATH
      flock -n 9
      if [ $? -eq 1 ] ; then
          log_warning "Another process related to the feed update is already running"
          exit 1
      fi
      date > $OPENVAS_FEED_LOCK_PATH
      sync_nvts
      echo -n > $OPENVAS_FEED_LOCK_PATH   # empty the lock file again once the sync is done
    )9>>$OPENVAS_FEED_LOCK_PATH
  fi
}

do_help () {
  echo "$0: Sync NVT data"
  echo " --describe     display current feed info"
  echo " --feedcurrent  just check if feed is up-to-date"
  echo " --feedversion  display version of this feed"
  echo " --help         display this help"
  echo " --identify     display information"
  echo " --nvtdir dir   set dir as NVT directory"
  echo " --selftest     perform self-test and set exit code"
  echo " --verbose      makes the sync process print details"
  echo " --version      display version"
  echo ""
  echo ""
  echo "Environment variables:"
  echo "NVT_DIR         where to extract plugins (absolute path)"
  echo "PRIVATE_SUBDIR  subdirectory of \$NVT_DIR to exclude from synchronization"
  echo "TMPDIR          temporary directory used to download the files"
  echo "Note that you can use standard ones as well (e.g. RSYNC_PROXY) for rsync"
  echo ""
  exit 0
}

while test $# -gt 0; do
  case "$1" in
    --version)
      echo $VERSION
      exit 0
      ;;
    --identify)
      echo "NVTSYNC|$SCRIPT_NAME|$VERSION|$FEED_NAME|$RESTRICTED|NVTSYNC"
      exit 0
      ;;
    --selftest)
      do_self_test
      exit $SELFTEST_FAIL
      ;;
    --describe)
      do_describe
      exit 0
      ;;
    --feedversion)
      do_feedversion
      exit 0
      ;;
    --help)
      do_help
      exit 0
      ;;
    --nvt-dir)
      NVT_DIR="$2"
      shift
      ;;
    --feedcurrent)
      is_feed_current
      exit $?
      ;;
    --verbose)
      RSYNC_VERBOSE="-v"
      ;;
  esac
  shift
done

do_sync

exit 0

Make the script executable:

[root@centos7 ~]# chmod +x greenbone-nvt-sync

Move the script to /usr/sbin/:

[root@centos7 ~]# mv greenbone-nvt-sync /usr/sbin
mv: overwrite ‘/usr/sbin/greenbone-nvt-sync’? y

Switch to the trainee user and update the OpenVAS plugins:

[root@centos7 ~]# su - trainee
Last login: Mon Dec  1 15:30:45 CET 2025 on pts/0

[trainee@centos7 ~]$ greenbone-nvt-sync
...
Greenbone community feed server - http://feed.community.greenbone.net/
This service is hosted by Greenbone Networks - http://www.greenbone.net/

All transactions are logged.

If you have any questions, please use the Greenbone community portal. 
See https://community.greenbone.net for details.

By using this service you agree to our terms and conditions.

Only one sync per time, otherwise the source ip will be temporarily blocked.


receiving incremental file list
plugin_feed_info.inc
            330 100%  322.27kB/s    0:00:00 (xfr#1, to-chk=0/1)

sent 57 bytes  received 436 bytes  328.67 bytes/sec
total size is 330  speedup is 0.67
[trainee@centos7 ~]$ exit
[root@centos7 ~]#

Important - If an error occurs, simply run the command again.
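The greenbone-nvt-sync script above protects the plugin directory in two ways: it verifies every downloaded file against the md5sums manifest (retrying once after 15 seconds if the check fails), and it takes a non-blocking flock on file descriptor 9 so that only one synchronisation runs at a time, which is also why the feed server's "only one sync per time" warning does not bite when the command is started twice. The script below is an added example written for this page, not part of the Greenbone scripts: it rebuilds both mechanisms on a constructed miniature feed (two fake .nasl files and their md5sums manifest, all contents invented here) so their behaviour can be observed offline. Function names, file names and the "check_one"/"check_two" contents are this example's own.

```shell
#!/bin/sh
# Added example, not part of greenbone-nvt-sync: exercise the md5sums
# integrity check and the flock(1) single-sync lock on a constructed feed.

# Build a constructed feed directory: two fake NVT files plus the md5sums
# manifest that the real feed ships. Prints the directory path.
make_sample_feed () {
  feed=$(mktemp -d)
  printf 'script_name("constructed check 1");\n' > "$feed/check_one.nasl"
  printf 'script_name("constructed check 2");\n' > "$feed/check_two.nasl"
  ( cd "$feed" && md5sum check_one.nasl check_two.nasl > md5sums )
  echo "$feed"
}

# Same check as the sync script's "md5sum -c --status": every file listed in
# md5sums must still hash to the recorded value. 0 = intact, 1 = altered.
verify_feed () {
  if ( cd "$1" && md5sum -c md5sums >/dev/null 2>&1 ); then
    return 0
  fi
  return 1
}

# Simulate a corrupted or partially transferred plugin file.
tamper_feed () {
  printf '# constructed modification\n' >> "$1/check_two.nasl"
}

# Run a command while holding an exclusive, non-blocking lock on $1, using the
# same subshell + fd 9 pattern as the sync scripts. Returns 2 when another
# process already holds the lock, otherwise the command's own exit status.
with_feed_lock () {
  lockfile=$1
  shift
  (
    if ! flock -n 9; then
      echo "Another process related to the feed update is already running" >&2
      exit 2
    fi
    "$@"
  ) 9>>"$lockfile"
}

# Hold the lock on $1 from a background process for $2 seconds, so that a
# concurrent with_feed_lock call on the same file is refused.
hold_lock_for () {
  ( flock 9 && sleep "$2" ) 9>>"$1" &
  sleep 1   # give the background holder time to acquire the lock
}
```

Running `verify_feed` on the fresh directory succeeds, it fails after `tamper_feed`, and a second `with_feed_lock` on a file held by `hold_lock_for` returns 2 instead of running its command; the real script's 15-second sleep and single retry exist to absorb exactly the first case, a feed altered mid-transfer by a concurrent update.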

Move the plugins to the /var/lib/openvas/plugins directory:

[root@centos7 ~]# mv /home/trainee/@OPENVAS_NVT_DIR@/* /var/lib/openvas/plugins

Then check that the previous command succeeded:

[root@centos7 ~]# ls -l /var/lib/openvas/plugins/ | more
total 41280
drwxr-xr-x.   6 trainee trainee    24576 Dec  1 11:30 2008
drwxr-xr-x.  14 trainee trainee    65536 Dec  1 11:30 2009
drwxr-xr-x.  12 trainee trainee    65536 Dec  1 11:30 2010
drwxr-xr-x.  13 trainee trainee   118784 Dec  1 11:30 2011
drwxr-xr-x.  14 trainee trainee   102400 Dec  1 11:30 2012
drwxr-xr-x.  11 trainee trainee    86016 Dec  1 11:30 2013
drwxr-xr-x.  13 trainee trainee    81920 Dec  1 11:30 2014
drwxr-xr-x.  15 trainee trainee   118784 Dec  1 11:30 2015
drwxr-xr-x.  17 trainee trainee   159744 Dec  1 11:30 2016
drwxr-xr-x.  70 trainee trainee   126976 Dec  1 11:30 2017
drwxr-xr-x. 288 trainee trainee     8192 Dec  1 11:30 2018
drwxr-xr-x. 215 trainee trainee     8192 Dec  1 11:30 2019
drwxr-xr-x. 181 trainee trainee     8192 Dec  1 11:30 2020
drwxr-xr-x. 154 trainee trainee     8192 Dec  1 11:30 2021
drwxr-xr-x. 149 trainee trainee     4096 Dec  1 11:30 2022
drwx------. 136 trainee trainee     4096 Dec  1 11:30 2023
drwx------. 127 trainee trainee     4096 Dec  1 11:30 2024
drwx------. 132 trainee trainee     4096 Dec  1 11:30 2025
-rw-r--r--.   1 trainee trainee     2311 Dec  1 11:08 adaptbb_detect.nasl
-rw-r--r--.   1 trainee trainee     1786 Dec  1 11:08 afs_version.nasl
-rw-r--r--.   1 trainee trainee     2448 Dec  1 11:08 amanda_detect.nasl
-rw-r--r--.   1 trainee trainee     2432 Dec  1 11:08 amanda_version.nasl
-rw-r--r--.   1 trainee trainee     1492 Dec  1 11:08 aol_installed.nasl
-rw-r--r--.   1 trainee trainee     2746 Dec  1 11:08 apachehttp_config_defaults.nasl
-rw-r--r--.   1 trainee trainee     8186 Dec  1 11:08 apache_ofbiz_http_detect.nasl
-rw-r--r--.   1 trainee trainee     5553 Dec  1 11:08 apache_prds.inc
-rw-r--r--.   1 trainee trainee     4210 Dec  1 11:08 apache_server_info.nasl
-rw-r--r--.   1 trainee trainee     4624 Dec  1 11:08 apache_server_status.nasl
-rw-r--r--.   1 trainee trainee     6726 Dec  1 11:08 apache_SSL_complain.nasl
-rw-r--r--.   1 trainee trainee     2117 Dec  1 11:08 apache_tomcat_config.nasl
-rw-r--r--.   1 trainee trainee     2569 Dec  1 11:08 AproxEngine_detect.nasl
-rw-r--r--.   1 trainee trainee     2496 Dec  1 11:08 arcserve_backup_detect.nasl
-rw-r--r--.   1 trainee trainee     1937 Dec  1 11:08 arkoon.nasl
-rw-r--r--.   1 trainee trainee     6878 Dec  1 11:08 asip-status.nasl
-rw-r--r--.   1 trainee trainee     3797 Dec  1 11:08 atmail_detect.nasl
drwx------.   9 trainee trainee    20480 Dec  1 11:30 attic
-rw-r--r--.   1 trainee trainee     1914 Dec  1 11:08 auth_enabled.nasl
-rw-r--r--.   1 trainee trainee     2016 Dec  1 11:08 aventail_asap_http_detect.nasl
-rw-r--r--.   1 trainee trainee  1638960 Dec  1 11:08 bad_dsa_ssh_host_keys.txt
-rw-r--r--.   1 trainee trainee  1638960 Dec  1 11:08 bad_rsa_ssh_host_keys.txt
-rw-r--r--.   1 trainee trainee    54323 Dec  1 11:08 bad_ssh_host_keys.inc
-rw-r--r--.   1 trainee trainee    15064 Dec  1 11:08 bad_ssh_keys.inc
-rw-r--r--.   1 trainee trainee     2507 Dec  1 11:08 barracuda_im_firewall_detect.nasl
-rw-r--r--.   1 trainee trainee     2827 Dec  1 11:08 base_detect.nasl
-rw-r--r--.   1 trainee trainee     4464 Dec  1 11:08 basilix_detect.nasl
-rw-r--r--.   1 trainee trainee     3144 Dec  1 11:08 bgp_detect.nasl
-rw-r--r--.   1 trainee trainee    23162 Dec  1 11:08 bin.inc
-rw-r--r--.   1 trainee trainee     2745 Dec  1 11:08 bloofoxCMS_detect.nasl
-rw-r--r--.   1 trainee trainee     1531 Dec  1 11:08 bluecoat_mgnt_console.nasl
-rw-r--r--.   1 trainee trainee     2576 Dec  1 11:08 boastMachine_detect.nasl
-rw-r--r--.   1 trainee trainee     1359 Dec  1 11:08 brother_printers.inc
-rw-r--r--.   1 trainee trainee     3450 Dec  1 11:08 bugbear.nasl
-rw-r--r--.   1 trainee trainee     3639 Dec  1 11:08 bugzilla_detect.nasl
-rw-r--r--.   1 trainee trainee     5301 Dec  1 11:08 byte_func.inc
--More--

Run the openvas-check-setup command again:

[root@centos7 ~]# openvas-check-setup
...
Step 2: Checking OpenVAS Manager ... 
        OK: OpenVAS Manager is present in version 6.0.9.
        ERROR: No client certificate file of OpenVAS Manager found.
        FIX: Run 'openvas-mkcert-client -n -i'

 ERROR: Your OpenVAS-8 installation is not yet complete!
...

Important - Note the error ERROR: No client certificate file of OpenVAS Manager found.

Look up the meaning of the options suggested for the openvas-mkcert-client command:

[root@centos7 ~]# openvas-mkcert-client --help
/bin/openvas-mkcert-client: illegal option -- -
Usage:
  openvas-mkcert-client [OPTION...] - Create SSL client certificates for OpenVAS.

Options:
  -h           Display help
  -n           Run non-interactively, create certificates
               and register with the OpenVAS scanner
  -i           Install client certificates for use with OpenVAS manager

So run the openvas-mkcert-client -i command:

[root@centos7 ~]# openvas-mkcert-client -i
This script will now ask you the relevant information to create the SSL client certificates for OpenVAS.

Client certificates life time in days [365]: 3650
Your country (two letter code) [DE]: UK
Your state or province name [none]: SURREY
Your location (e.g. town) [Berlin]: ADDLESTONE
Your organization [none]: I2TCH LIMITED
Your organizational unit [none]: TRAINING
**********
We are going to ask you some question for each client certificate. 

If some question has a default answer, you can force an empty answer by entering a single dot '.'

*********
Client certificates life time in days [3650]: 
Country (two letter code) [UK]: 
State or province name [SURREY]: 
Location (e.g. town) [ADDLESTONE]: 
Organization [I2TCH LIMITED]: 
Organization unit [TRAINING]: 
e-Mail []: infos@i2tch.eu
Generating RSA private key, 4096 bit long modulus
....++
.......++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:Using configuration from /tmp/openvas-mkcert-client.13962/stdC.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'UK'
stateOrProvinceName   :ASN.1 12:'SURREY'
localityName          :ASN.1 12:'ADDLESTONE'
organizationName      :ASN.1 12:'I2TCH LIMITED'
organizationalUnitName:ASN.1 12:'TRAINING'
commonName            :ASN.1 12:'om'
emailAddress          :IA5STRING:'infos@i2tch.eu'
Certificate is to be certified until Jun 17 02:03:34 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
/bin/openvas-mkcert-client: line 370: [: argument expected
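Before moving on, it is worth reading the certificate back to confirm that the values typed in above (organisation, unit, 3650-day lifetime) actually ended up in it, since the script finishes with a shell error. The functions below are an added example written for this page, not part of OpenVAS: they inspect a client certificate with openssl(1), check that its subject carries the expected organisation, and fail if it expires within a warning window. The path /etc/pki/openvas/CA/clientcert.pem is the one openvas-check-setup reports for the client certificate on this host; the function names and the 30-day window are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of openvas-mkcert-client: sanity-check the client
# certificate it generated. Requires openssl(1).

# Print the certificate subject as a one-line RFC 2253 string,
# e.g. "CN=om,OU=TRAINING,O=I2TCH LIMITED,C=UK".
cert_subject () {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Return 0 if the certificate in $1 is still valid for at least $2 more days.
cert_valid_for_days () {
  seconds=$(( $2 * 86400 ))
  openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null
}

# Overall check: $1 certificate path, $2 expected organisation (O=),
# $3 warning window in days (default 30). Prints the subject on success.
check_client_cert () {
  cert=$1
  expected_org=$2
  warn_days=${3:-30}
  if [ ! -r "$cert" ]; then
    echo "client certificate $cert is not readable" >&2
    return 1
  fi
  subject=$(cert_subject "$cert")
  case "$subject" in
    *"O=$expected_org"*) ;;
    *)
      echo "unexpected subject: $subject" >&2
      return 1
      ;;
  esac
  if ! cert_valid_for_days "$cert" "$warn_days"; then
    echo "certificate expires within $warn_days days: $subject" >&2
    return 1
  fi
  echo "OK: $subject"
}

# Usage on the lab host, with the organisation entered in the mkcert dialogue:
#   check_client_cert /etc/pki/openvas/CA/clientcert.pem "I2TCH LIMITED" 30
```

On this host the subject printed should show O=I2TCH LIMITED and OU=TRAINING, and with a 3650-day lifetime the expiry check passes comfortably; a non-zero return here means the mkcert step has to be repeated before the manager is configured further.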

Run the openvas-check-setup command once more:

[root@centos7 ~]# openvas-check-setup
...
Step 2: Checking OpenVAS Manager ... 
        OK: OpenVAS Manager is present in version 6.0.9.
        OK: OpenVAS Manager client certificate is present as /etc/pki/openvas/CA/clientcert.pem.
        ERROR: No OpenVAS Manager database found. (Tried: /var/lib/openvas/mgr/tasks.db)
        FIX: Run 'openvasmd --rebuild' while OpenVAS Scanner is running.
        WARNING: OpenVAS Scanner is NOT running!
        SUGGEST: Start OpenVAS Scanner (openvassd).

 ERROR: Your OpenVAS-8 installation is not yet complete!
...

Important - Note the error ERROR: No OpenVAS Manager database found. (Tried: /var/lib/openvas/mgr/tasks.db).

To generate the database, OpenVAS Scanner must be running. So enable and start the service:

[root@centos7 ~]# systemctl enable openvas-scanner
Created symlink from /etc/systemd/system/multi-user.target.wants/openvas-scanner.service to /usr/lib/systemd/system/openvas-scanner.service.
[root@centos7 ~]# systemctl start openvas-scanner
[root@centos7 ~]# systemctl status openvas-scanner
● openvas-scanner.service - OpenVAS Scanner
   Loaded: loaded (/usr/lib/systemd/system/openvas-scanner.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2025-12-01 16:45:47 CET; 12s ago
  Process: 8889 ExecStart=/usr/sbin/openvassd $SCANNER_PORT $SCANNER_LISTEN $SCANNER_SRCIP (code=exited, status=0/SUCCESS)
 Main PID: 8890 (openvassd)
   CGroup: /system.slice/openvas-scanner.service
           ├─8890 openvassd: Reloaded 1200 of 138097 NVTs (0% / ETA: 22:48)
           └─8891 openvassd (Loading Handler)

Dec 01 16:45:47 centos7.fenestros.loc systemd[1]: Starting OpenVAS Scanner...
Dec 01 16:45:47 centos7.fenestros.loc systemd[1]: Started OpenVAS Scanner.

Now build the database:

[root@centos7 ~]# openvasmd --rebuild --progress
Rebuilding NVT cache... done.

Run the openvas-check-setup command again:

[root@centos7 ~]# openvas-check-setup
...
Step 2: Checking OpenVAS Manager ... 
        OK: OpenVAS Manager is present in version 6.0.9.
        OK: OpenVAS Manager client certificate is present as /etc/pki/openvas/CA/clientcert.pem.
        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
        OK: OpenVAS Manager database is at revision 146.
        OK: OpenVAS Manager expects database at revision 146.
        OK: Database schema is up to date.
        OK: OpenVAS Manager database contains information about 45654 NVTs.
        ERROR: No users found. You need to create at least one user to log in.
        It is recommended to have at least one user with role Admin.
        FIX: create a user by running 'openvasmd --create-user=<name> --role=Admin && openvasmd --user=<name> --new-password=<password>'
...

Important - Note the error ERROR: No users found. You need to create at least one user to log in.

So create a user:

[root@centos7 ~]# openvasmd --create-user=fenestros --role=Admin
User created with password 'a5b5eaa9-3600-4604-bf20-bc10d7e5455b'.

[root@centos7 ~]# openvasmd --user=fenestros --new-password=fenestros

Run the openvas-check-setup command once more:

[root@centos7 ~]# openvas-check-setup
...
Step 2: Checking OpenVAS Manager ... 
        OK: OpenVAS Manager is present in version 6.0.9.
        OK: OpenVAS Manager client certificate is present as /etc/pki/openvas/CA/clientcert.pem.
        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
        OK: OpenVAS Manager database is at revision 146.
        OK: OpenVAS Manager expects database at revision 146.
        OK: Database schema is up to date.
        OK: OpenVAS Manager database contains information about 45654 NVTs.
        OK: At least one user exists.
        ERROR: No OpenVAS SCAP database found. (Tried: /var/lib/openvas/scap-data/scap.db)
        FIX: Run a SCAP synchronization script like openvas-scapdata-sync or greenbone-scapdata-sync.

 ERROR: Your OpenVAS-8 installation is not yet complete!
...

Important - Note the error ERROR: No OpenVAS SCAP database found. (Tried: /var/lib/openvas/scap-data/scap.db).

The next step is therefore to retrieve the SCAP (Security Content Automation Protocol) database.

Create the greenbone-feed-sync file:

[root@centos7 ~]# vi greenbone-feed-sync
[root@centos7 ~]# cat greenbone-feed-sync
#!/bin/sh
# Copyright (C) 2011-2020 Greenbone Networks GmbH
#
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# This script synchronizes a GVM installation with the
# feed data from either the Greenbone Security Feed (in
# case a GSF access key is present) or else from the Greenbone
# Community Feed.

log_notice () {
  $LOG_CMD -p daemon.notice "$1"
}


########## SETTINGS
########## ========

# PRIVATE_SUBDIR defines a subdirectory of the feed data directory
# where files not part of the feed or database will not be deleted by rsync.
if [ -z "$PRIVATE_SUBDIR" ]
then
  PRIVATE_SUBDIR="private"
fi

# RSYNC_DELETE controls whether files which are not part of the repository will
# be removed from the local directory after synchronization. The default value
# for this setting is
# "--delete --exclude feed.xml --exclude $PRIVATE_SUBDIR/",
# which means that files which are not part of the feed, feed info or private
# directory will be deleted.
RSYNC_DELETE="--delete --exclude feed.xml --exclude \"$PRIVATE_SUBDIR/\""

# RSYNC_SSH_OPTS contains options which should be passed to ssh for the rsync
# connection to the repository.
RSYNC_SSH_OPTS="-o \"UserKnownHostsFile=/dev/null\" -o \"StrictHostKeyChecking=no\""

# RSYNC_COMPRESS specifies the compression level to use for the rsync connection.
RSYNC_COMPRESS="--compress-level=9"

# PORT controls the outgoing TCP port for updates. If PAT/Port-Translation is
# not used, this should be "24". For some application layer firewalls or gates
# the value 22 (Standard SSH) is useful. Only change if you know what you are
# doing.
PORT=24

# SCRIPT_NAME is the name the scripts will use to identify itself and to mark
# log messages.
SCRIPT_NAME="greenbone-feed-sync"

# LOG_CMD defines the command to use for logging. To have logger log to stderr
# as well as syslog, add "-s" here.
LOG_CMD="logger -t $SCRIPT_NAME"

# LOCK_FILE is the name of the file used to lock the feed during sync or update.
if [ -z "$LOCK_FILE" ]
then
  LOCK_FILE="@GVM_FEED_LOCK_PATH@"
fi


########## GLOBAL VARIABLES
########## ================

VERSION=@GVMD_VERSION@

[ -r "@GVM_SYSCONF_DIR@/greenbone-feed-sync.conf" ] && . "@GVM_SYSCONF_DIR@/greenbone-feed-sync.conf"

if [ -z "$DROP_USER" ]; then
  DROP_USER="@GVM_DEFAULT_DROP_USER@"
fi

ACCESSKEY="@GVM_ACCESS_KEY_DIR@/gsf-access-key"

# Note when running as root or restart as $DROP_USER if defined
if [ $(id -u) -eq 0 ]
then
  if [ -z "$DROP_USER" ]
  then
    log_notice "Running as root"
  else
    log_notice "Started as root, restarting as $DROP_USER"
    su --shell /bin/sh --command "$0 $*" "$DROP_USER"
    exit $?
  fi
fi

# Determine whether a GSF access key is present. If yes,
# then use the Greenbone Security Feed. Else use the
# Greenbone Community Feed.
if [ -e $ACCESSKEY ]
then
  RESTRICTED=1

  if [ -z "$FEED_VENDOR" ]; then
    FEED_VENDOR="Greenbone Networks GmbH"
  fi

  if [ -z "$FEED_HOME" ]; then
    FEED_HOME="https://www.greenbone.net/en/security-feed/"
  fi

else
  RESTRICTED=0

  if [ -z "$FEED_VENDOR" ]; then
    FEED_VENDOR="Greenbone Networks GmbH"
  fi

  if [ -z "$FEED_HOME" ]; then
    FEED_HOME="https://community.greenbone.net/t/about-greenbone-community-feed-gcf/1224"
  fi

fi

RSYNC=`command -v rsync`

# Current supported feed types (for --type parameter)
FEED_TYPES_SUPPORTED="CERT, SCAP or GVMD_DATA"

########## FUNCTIONS
########## =========

log_debug () {
  $LOG_CMD -p daemon.debug "$1"
}

log_info () {
  $LOG_CMD -p daemon.info "$1"
}

log_warning () {
  $LOG_CMD -p daemon.warning "$1"
}

log_err () {
  $LOG_CMD -p daemon.err "$1"
}

init_feed_type () {
  if [ -z "$FEED_TYPE" ]
  then
    echo "No feed type given to --type parameter"
    log_err "No feed type given to --type parameter"
    exit 1
  elif [ "CERT" = "$FEED_TYPE" ]
  then
    [ -r "@GVM_SYSCONF_DIR@/greenbone-certdata-sync.conf" ] && . "@GVM_SYSCONF_DIR@/greenbone-certdata-sync.conf"

    FEED_TYPE_LONG="CERT data"
    FEED_DIR="@GVM_CERT_DATA_DIR@"
    TIMESTAMP="$FEED_DIR/timestamp"
    SCRIPT_ID="CERTSYNC"

    if [ -z "$COMMUNITY_CERT_RSYNC_FEED" ]; then
      COMMUNITY_RSYNC_FEED="rsync://feed.community.greenbone.net:/cert-data"
      # An alternative syntax which might work if the above doesn't:
      # COMMUNITY_RSYNC_FEED="rsync@feed.community.greenbone.net::cert-data"
    else
      COMMUNITY_RSYNC_FEED="$COMMUNITY_CERT_RSYNC_FEED"
    fi

    GSF_RSYNC_PATH="/cert-data"

    if [ -e $ACCESSKEY ]; then
      if [ -z "$FEED_NAME" ]; then
        FEED_NAME="Greenbone CERT Feed"
      fi
    else
      if [ -z "$FEED_NAME" ]; then
        FEED_NAME="Greenbone Community CERT Feed"
      fi
    fi
  elif [ "SCAP" = "$FEED_TYPE" ]
  then
    [ -r "@GVM_SYSCONF_DIR@/greenbone-scapdata-sync.conf" ] && . "@GVM_SYSCONF_DIR@/greenbone-scapdata-sync.conf"

    FEED_TYPE_LONG="SCAP data"
    FEED_DIR="@GVM_SCAP_DATA_DIR@"
    TIMESTAMP="$FEED_DIR/timestamp"
    SCRIPT_ID="SCAPSYNC"

    if [ -z "$COMMUNITY_SCAP_RSYNC_FEED" ]; then
      COMMUNITY_RSYNC_FEED="rsync://feed.community.greenbone.net:/scap-data"
      # An alternative syntax which might work if the above doesn't:
      # COMMUNITY_RSYNC_FEED="rsync@feed.community.greenbone.net::scap-data"
    else
      COMMUNITY_RSYNC_FEED="$COMMUNITY_SCAP_RSYNC_FEED"
    fi

    GSF_RSYNC_PATH="/scap-data"

    if [ -e $ACCESSKEY ]; then
      if [ -z "$FEED_NAME" ]; then
        FEED_NAME="Greenbone SCAP Feed"
      fi
    else
      if [ -z "$FEED_NAME" ]; then
        FEED_NAME="Greenbone Community SCAP Feed"
      fi
    fi
  elif [ "GVMD_DATA" = "$FEED_TYPE" ]
  then
    [ -r "@GVM_SYSCONF_DIR@/greenbone-data-objects-sync.conf" ] && . "@GVM_SYSCONF_DIR@/greenbone-data-objects-sync.conf"

    FEED_TYPE_LONG="gvmd Data"
    FEED_DIR="@GVMD_FEED_DIR@"
    TIMESTAMP="$FEED_DIR/timestamp"
    SCRIPT_ID="GVMD_DATA_SYNC"

    if [ -z "$COMMUNITY_GVMD_DATA_RSYNC_FEED" ]; then
      COMMUNITY_RSYNC_FEED="rsync://feed.community.greenbone.net:/data-objects/gvmd/"
      # An alternative syntax which might work if the above doesn't:
      # COMMUNITY_RSYNC_FEED="rsync@feed.community.greenbone.net::data-objects/gvmd/"
    else
      COMMUNITY_RSYNC_FEED="$COMMUNITY_GVMD_DATA_RSYNC_FEED"
    fi

    GSF_RSYNC_PATH="/data-objects/gvmd/"

    if [ -e $ACCESSKEY ]; then
      if [ -z "$FEED_NAME" ]; then
        FEED_NAME="Greenbone gvmd Data Feed"
      fi
    else
      if [ -z "$FEED_NAME" ]; then
        FEED_NAME="Greenbone Community gvmd Data Feed"
      fi
    fi
  else
    echo "Invalid feed type $FEED_TYPE given to --type parameter. Currently supported: $FEED_TYPES_SUPPORTED"
    log_err "Invalid feed type $FEED_TYPE given to --type parameter. Currently supported: $FEED_TYPES_SUPPORTED"
    exit 1
  fi
}

write_feed_xml () {
  if [ -r $TIMESTAMP ]
  then
    FEED_VERSION=`cat $TIMESTAMP`
  else
    FEED_VERSION=0
  fi

  mkdir -p $FEED_DIR
  echo '<feed id="6315d194-4b6a-11e7-a570-28d24461215b">' > $FEED_DIR/feed.xml
  echo "<type>$FEED_TYPE</type>" >> $FEED_DIR/feed.xml
  echo "<name>$FEED_NAME</name>" >> $FEED_DIR/feed.xml
  echo "<version>$FEED_VERSION</version>" >> $FEED_DIR/feed.xml
  echo "<vendor>$FEED_VENDOR</vendor>" >> $FEED_DIR/feed.xml
  echo "<home>$FEED_HOME</home>" >> $FEED_DIR/feed.xml
  echo "<description>" >> $FEED_DIR/feed.xml
  echo "This script synchronizes a $FEED_TYPE collection with the '$FEED_NAME'." >> $FEED_DIR/feed.xml
  echo "The '$FEED_NAME' is provided by '$FEED_VENDOR'." >> $FEED_DIR/feed.xml
  echo "Online information about this feed: '$FEED_HOME'." >> $FEED_DIR/feed.xml
  echo "</description>" >> $FEED_DIR/feed.xml
  echo "</feed>" >> $FEED_DIR/feed.xml
}

create_tmp_key () {
  KEYTEMPDIR=`mktemp -d`
  cp "$ACCESSKEY" "$KEYTEMPDIR"
  TMPACCESSKEY="$KEYTEMPDIR/gsf-access-key"
  chmod 400 "$TMPACCESSKEY"
}

remove_tmp_key () {
  rm -rf "$KEYTEMPDIR"
}

set_interrupt_trap () {
  trap "handle_interrupt $1" 2
}

handle_interrupt () {
  echo "$1:X" >&3
}

do_describe () {
  echo "This script synchronizes a $FEED_TYPE collection with the '$FEED_NAME'."
  echo "The '$FEED_NAME' is provided by '$FEED_VENDOR'."
  echo "Online information about this feed: '$FEED_HOME'."
}

do_feedversion () {
  if [ -r $TIMESTAMP ]; then
      cat $TIMESTAMP
  fi
}

# This function uses gos-state-manager to get information about the settings.
# gos-state-manager is only available on a Greenbone OS.
# If gos-state-manager is missing the settings values can not be retrieved.
#
# Input: option
# Output: value as string or empty String if gos-state-manager is not installed
#         or option not set
get_value ()
{
  value=""
  key=$1
  if which gos-state-manager 1>/dev/null 2>&1
  then
    if gos-state-manager get "$key.value" 1>/dev/null 2>&1
    then
      value="$(gos-state-manager get "$key.value")"
    fi
  fi
  echo "$value"
}

is_feed_current () {
  if [ -r $TIMESTAMP ]
  then
    FEED_VERSION=`cat $TIMESTAMP`
  fi

  if [ -z "$FEED_VERSION" ]
  then
    log_warning "Could not determine feed version."
    FEED_CURRENT=0
    return $FEED_CURRENT
  fi

  FEED_INFO_TEMP_DIR=`mktemp -d`

  if [ -e $ACCESSKEY ]
  then
    read feeduser < $ACCESSKEY
    custid_at_host=`head -1 $ACCESSKEY | cut -d : -f 1`

    if [ -z "$feeduser" ] || [ -z "$custid_at_host" ]
    then
      log_err "Could not determine credentials, aborting synchronization."
      rm -rf "$FEED_INFO_TEMP_DIR"
      exit 1
    fi

    gsmproxy=$(get_value proxy_feed | sed -r -e 's/^.*\/\///' -e 's/:([0-9]+)$/ \1/')
    syncport=$(get_value syncport)
    if [ "$syncport" ]
    then
      PORT="$syncport"
    fi

    if [ -z "$gsmproxy" ] || [ "$gsmproxy" = "proxy_feed" ]
    then
      RSYNC_SSH_PROXY_CMD=""
    else
      if [ -e $GVM_SYSCONF_DIR/proxyauth ] && [ -r $GVM_SYSCONF_DIR/proxyauth ]; then
        RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p $GVM_SYSCONF_DIR/proxyauth\""
      else
        RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p\""
      fi
    fi
    create_tmp_key
    rsync -e "ssh $RSYNC_SSH_OPTS $RSYNC_SSH_PROXY_CMD -p $PORT -i $TMPACCESSKEY" -ltvrP --chmod=D+x $RSYNC_DELETE $RSYNC_COMPRESS $custid_at_host:$GSF_RSYNC_PATH/timestamp "$FEED_INFO_TEMP_DIR"
    if [ $? -ne 0 ]
    then
      log_err "rsync failed, aborting synchronization."
      rm -rf "$FEED_INFO_TEMP_DIR"
      remove_tmp_key
      exit 1
    fi
    remove_tmp_key
  else
    # Sleep for five seconds (a previous feed might have been synced a few seconds before) to prevent
    # IP blocking due to network equipment in between keeping the previous connection too long open.
    sleep 5
    log_notice "No Greenbone Security Feed access key found, falling back to Greenbone Community Feed"
    eval "$RSYNC -ltvrP \"$COMMUNITY_RSYNC_FEED/timestamp\" \"$FEED_INFO_TEMP_DIR\""
    if [ $? -ne 0 ]
    then
      log_err "rsync failed, aborting synchronization."
      rm -rf "$FEED_INFO_TEMP_DIR"
      exit 1
    fi
  fi

  FEED_VERSION_SERVER=`cat "$FEED_INFO_TEMP_DIR/timestamp"`

  if [ -z "$FEED_VERSION_SERVER" ]
  then
    log_err "Could not determine server feed version."
    rm -rf "$FEED_INFO_TEMP_DIR"
    exit 1
  fi

  # Check against FEED_VERSION
  if [ $FEED_VERSION -lt $FEED_VERSION_SERVER ]; then
    FEED_CURRENT=0
  else
    FEED_CURRENT=1
  fi

  # Cleanup
  rm -rf "$FEED_INFO_TEMP_DIR"

  return $FEED_CURRENT
}

do_help () {
  echo "$0: Sync feed data"

  if [ -e $ACCESSKEY ]
  then
    echo "GSF access key found: Using Greenbone Security Feed"
  else
    echo "No GSF access key found: Using Community Feed"
  fi

  echo " --describe      display current feed info"
  echo " --feedversion   display version of this feed"
  echo " --help          display this help"
  echo " --identify      display information"
  echo " --selftest      perform self-test"
  echo " --type <TYPE>   choose type of data to sync ($FEED_TYPES_SUPPORTED)"
  echo " --version       display version"
  echo ""
  exit 0
}

do_rsync_community_feed () {
  if [ -z "$RSYNC" ]; then
    log_err "rsync not found!"
  else
    # Sleep for five seconds (after is_feed_current) to prevent IP blocking due to
    # network equipment in between keeping the previous connection too long open.
    sleep 5
    log_notice "Using rsync: $RSYNC"
    log_notice "Configured $FEED_TYPE_LONG rsync feed: $COMMUNITY_RSYNC_FEED"
    mkdir -p "$FEED_DIR"
    eval "$RSYNC -ltvrP $RSYNC_DELETE \"$COMMUNITY_RSYNC_FEED\" \"$FEED_DIR\""
    if [ $? -ne 0 ]; then
      log_err "rsync failed. Your $FEED_TYPE_LONG might be broken now."
      exit 1
    fi
  fi
}

do_sync_community_feed () {
  if [ -z "$RSYNC" ]; then
    log_err "rsync not found!"
    log_err "No utility available in PATH environment variable to download Feed data"
    exit 1
  else
    log_notice "Will use rsync"
    do_rsync_community_feed
  fi
}

sync_feed_data(){
  if [ -e $ACCESSKEY ]
  then
    log_notice "Found Greenbone Security Feed subscription file, trying to synchronize with Greenbone $FEED_TYPE_LONG Repository ..."
    notsynced=1

    mkdir -p "$FEED_DIR"
    read feeduser < $ACCESSKEY
    custid_at_host=`head -1 $ACCESSKEY | cut -d : -f 1`

    if [ -z "$feeduser" ] || [ -z "$custid_at_host" ]
    then
      log_err "Could not determine credentials, aborting synchronization."
      exit 1
    fi

    while [ 0 -ne "$notsynced" ]
    do

      gsmproxy=$(get_value proxy_feed | sed -r -e 's/^.*\/\///' -e 's/:([0-9]+)$/ \1/')
      syncport=$(get_value syncport)
      if [ "$syncport" ]
      then
        PORT="$syncport"
      fi

      if [ -z "$gsmproxy" ] || [ "$gsmproxy" = "proxy_feed" ]
      then
        RSYNC_SSH_PROXY_CMD=""
      else
        if [ -e $GVM_SYSCONF_DIR/proxyauth ] && [ -r $GVM_SYSCONF_DIR/proxyauth ]; then
          RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p $GVM_SYSCONF_DIR/proxyauth\""
        else
          RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p\""
        fi
      fi
      create_tmp_key
      # use the mode-400 temporary copy made by create_tmp_key, as is_feed_current does
      rsync -e "ssh $RSYNC_SSH_OPTS $RSYNC_SSH_PROXY_CMD -p $PORT -i $TMPACCESSKEY" -ltvrP --chmod=D+x $RSYNC_DELETE $RSYNC_COMPRESS $custid_at_host:$GSF_RSYNC_PATH/ $FEED_DIR
      if [ 0 -ne "$?" ]; then
        log_err "rsync failed, aborting synchronization."
        remove_tmp_key
        exit 1
      fi
      remove_tmp_key
      notsynced=0
    done
    log_notice "Synchronization with the Greenbone $FEED_TYPE_LONG Repository successful."
  else
    log_notice "No Greenbone Security Feed access key found, falling back to Greenbone Community Feed"
    do_sync_community_feed
  fi

  write_feed_xml
}

do_self_test () {
  if [ -z "$SELFTEST_STDERR" ]
  then
    SELFTEST_STDERR=0
  fi

  if [ -z "$RSYNC" ]
  then
    if [ 0 -ne $SELFTEST_STDERR ]
    then
      echo "rsync not found (required)." 1>&2
    fi
    log_err "rsync not found (required)."
    SELFTEST_FAIL=1
  fi
}


########## START
########## =====

while test $# -gt 0; do
  case "$1" in
    "--version"|"--identify"|"--describe"|"--feedversion"|"--selftest"|"--feedcurrent")
      if [ -z "$ACTION" ]; then
        ACTION="$1"
      fi
      ;;
    "--help")
      do_help
      exit 0
      ;;
    "--type")
      FEED_TYPE=$(echo "$2" | tr '[:lower:]-' '[:upper:]_')
      shift
      ;;
  esac
  shift
done

init_feed_type

write_feed_xml

case "$ACTION" in
  --version)
    echo $VERSION
    exit 0
    ;;
  --identify)
    echo "$SCRIPT_ID|$SCRIPT_NAME|$VERSION|$FEED_NAME|$RESTRICTED|$SCRIPT_ID"
    exit 0
    ;;
  --describe)
    do_describe
    exit 0
    ;;
  --feedversion)
    do_feedversion
    exit 0
    ;;
  --selftest)
    SELFTEST_FAIL=0
    SELFTEST_STDERR=1
    do_self_test
    exit $SELFTEST_FAIL
    ;;
  --feedcurrent)
    is_feed_current
    exit $?
    ;;
esac

SELFTEST_FAIL=0
do_self_test
if [ $SELFTEST_FAIL -ne 0 ]
then
  exit 1
fi

is_feed_current
if [ $FEED_CURRENT -eq 1 ]
then
  log_notice "Feed is already current, skipping synchronization."
  exit 0
fi
(
  chmod +660 $LOCK_FILE
  flock -n 9
  if [ $? -eq 1 ]; then
    log_notice "Sync in progress, exiting."
    exit 1
  fi
  date > $LOCK_FILE
  sync_feed_data
  echo -n > $LOCK_FILE
) 9>>$LOCK_FILE

exit 0

Make the script executable:

[root@centos7 ~]# chmod +x greenbone-feed-sync

Move the script to /usr/sbin/:

[root@centos7 ~]# mv greenbone-feed-sync /usr/sbin/

Create the /var/lib/openvas/scap-data/ directory:

[root@centos7 ~]# mkdir /var/lib/openvas/scap-data/

Become the trainee user and update the OpenVAS plugin modules:

[root@centos7 ~]# su - trainee
Last login: Mon Dec  1 17:30:45 CET 2025 on pts/0

[trainee@centos7 ~]$ touch /var/lib/openvas/scap-data/scap.db

[trainee@centos7 ~]$ greenbone-feed-sync --type SCAP
Greenbone community feed server - http://feed.community.greenbone.net/
This service is hosted by Greenbone Networks - http://www.greenbone.net/

All transactions are logged.

If you have any questions, please use the Greenbone community portal. 
See https://community.greenbone.net for details.

By using this service you agree to our terms and conditions.

Only one sync per time, otherwise the source ip will be temporarily blocked.


receiving incremental file list
timestamp
             13 100%   12.70kB/s    0:00:00 (xfr#1, to-chk=0/1)

sent 43 bytes  received 108 bytes  100.67 bytes/sec
total size is 13  speedup is 0.09
Greenbone community feed server - http://feed.community.greenbone.net/
This service is hosted by Greenbone Networks - http://www.greenbone.net/

All transactions are logged.

If you have any questions, please use the Greenbone community portal. 
See https://community.greenbone.net for details.

By using this service you agree to our terms and conditions.

Only one sync per time, otherwise the source ip will be temporarily blocked.


receiving incremental file list
./
COPYING
          1,187 100%    1.13MB/s    0:00:00 (xfr#1, to-chk=26/28)
nvdcve-2.0-2002.xml
     19,533,351 100%   62.30MB/s    0:00:00 (xfr#2, to-chk=25/28)
nvdcve-2.0-2003.xml
      4,744,330 100%   13.55MB/s    0:00:00 (xfr#3, to-chk=24/28)
nvdcve-2.0-2004.xml
      9,416,639 100%   24.47MB/s    0:00:00 (xfr#4, to-chk=23/28)
nvdcve-2.0-2005.xml
     15,701,047 100%   23.22MB/s    0:00:00 (xfr#5, to-chk=22/28)
nvdcve-2.0-2006.xml
     26,320,892 100%   28.82MB/s    0:00:00 (xfr#6, to-chk=21/28)
nvdcve-2.0-2007.xml
     30,567,434 100%   22.08MB/s    0:00:01 (xfr#7, to-chk=20/28)
nvdcve-2.0-2008.xml
     29,775,037 100%   37.41MB/s    0:00:00 (xfr#8, to-chk=19/28)
nvdcve-2.0-2009.xml
     27,996,918 100%   17.06MB/s    0:00:01 (xfr#9, to-chk=18/28)
nvdcve-2.0-2010.xml
     42,684,286 100%   65.87MB/s    0:00:00 (xfr#10, to-chk=17/28)
nvdcve-2.0-2011.xml
     83,905,485 100%   51.13MB/s    0:00:01 (xfr#11, to-chk=16/28)
nvdcve-2.0-2012.xml
     66,859,075 100%  152.18MB/s    0:00:00 (xfr#12, to-chk=15/28)
nvdcve-2.0-2013.xml
     96,064,147 100%   48.94MB/s    0:00:01 (xfr#13, to-chk=14/28)
nvdcve-2.0-2014.xml
     98,694,839 100%   48.34MB/s    0:00:01 (xfr#14, to-chk=13/28)
nvdcve-2.0-2015.xml
    124,671,234 100%  227.33MB/s    0:00:00 (xfr#15, to-chk=12/28)
nvdcve-2.0-2016.xml
    161,692,009 100%  172.29MB/s    0:00:00 (xfr#16, to-chk=11/28)
nvdcve-2.0-2017.xml
    189,948,654 100%  141.52MB/s    0:00:01 (xfr#17, to-chk=10/28)
nvdcve-2.0-2018.xml
    210,761,959 100%  156.30MB/s    0:00:01 (xfr#18, to-chk=9/28)
nvdcve-2.0-2019.xml
    265,685,784 100%  172.95MB/s    0:00:01 (xfr#19, to-chk=8/28)
nvdcve-2.0-2020.xml
    294,835,369 100%  134.53MB/s    0:00:02 (xfr#20, to-chk=7/28)
nvdcve-2.0-2021.xml
    442,673,740 100%  155.72MB/s    0:00:02 (xfr#21, to-chk=6/28)
nvdcve-2.0-2022.xml
    743,192,055 100%  111.53MB/s    0:00:06 (xfr#22, to-chk=5/28)
nvdcve-2.0-2023.xml
    599,785,077 100%   67.83MB/s    0:00:08 (xfr#23, to-chk=4/28)
nvdcve-2.0-2024.xml
    922,757,332 100%   73.89MB/s    0:00:11 (xfr#24, to-chk=3/28)
nvdcve-2.0-2025.xml
    480,360,705 100%  127.96MB/s    0:00:03 (xfr#25, to-chk=2/28)
official-cpe-dictionary_v2.2.xml
    784,852,577 100%  251.59MB/s    0:00:02 (xfr#26, to-chk=1/28)
timestamp
             13 100%   12.70kB/s    0:00:00 (xfr#27, to-chk=0/28)

sent 2,186,887 bytes  received 11,127,079 bytes  117,303.67 bytes/sec
total size is 5,773,481,175  speedup is 433.64

[trainee@centos7 ~]$ greenbone-scapdata-sync

[trainee@centos7 ~]$ exit

Important - If an error occurs, simply re-run the command.

Run the openvas-check-setup command again:

[root@centos7 ~]# openvas-check-setup
...
Step 2: Checking OpenVAS Manager ... 
        OK: OpenVAS Manager is present in version 6.0.9.
        OK: OpenVAS Manager client certificate is present as /etc/pki/openvas/CA/clientcert.pem.
        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
        OK: OpenVAS Manager database is at revision 146.
        OK: OpenVAS Manager expects database at revision 146.
        OK: Database schema is up to date.
        OK: OpenVAS Manager database contains information about 45654 NVTs.
        OK: At least one user exists.
        OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
        ERROR: No OpenVAS CERT database found. (Tried: /var/lib/openvas/cert-data/cert.db)
        FIX: Run a CERT synchronization script like openvas-certdata-sync or greenbone-certdata-sync.

 ERROR: Your OpenVAS-8 installation is not yet complete!
...

Important - Note the error ERROR: No OpenVAS CERT database found. (Tried: /var/lib/openvas/cert-data/cert.db).

Create the file /var/lib/openvas/cert-data/cert.db:

[root@centos7 ~]# touch /var/lib/openvas/cert-data/cert.db

Run the openvas-certdata-sync command:

[root@centos7 ~]# openvas-certdata-sync

Run the openvas-check-setup command once more:

[root@centos7 ~]# openvas-check-setup
openvas-check-setup 2.3.3
  Test completeness and readiness of OpenVAS-8
  (add '--v6' or '--v7' or '--v9'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ... 
        OK: OpenVAS Scanner is present in version 5.0.6.
        OK: OpenVAS Scanner CA Certificate is present as /etc/pki/openvas/CA/cacert.pem.
        OK: redis-server is present in version v=3.2.12.
        OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
        OK: redis-server is running and listening on socket: /tmp/redis.sock.
        OK: redis-server configuration is OK and redis-server is running.
        OK: NVT collection in /var/lib/openvas/plugins contains 138097 NVTs.
        WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
        SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
        OK: The NVT cache in /var/cache/openvas contains 138097 files for 138097 NVTs.
Step 2: Checking OpenVAS Manager ... 
        OK: OpenVAS Manager is present in version 6.0.9.
        OK: OpenVAS Manager client certificate is present as /etc/pki/openvas/CA/clientcert.pem.
        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
        OK: OpenVAS Manager database is at revision 146.
        OK: OpenVAS Manager expects database at revision 146.
        OK: Database schema is up to date.
        OK: OpenVAS Manager database contains information about 138097 NVTs.
        OK: At least one user exists.
        OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
        OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
        OK: xsltproc found.
Step 3: Checking user configuration ... 
        WARNING: Your password policy is empty.
        SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ... 
        OK: Greenbone Security Assistant is present in version 6.0.11.
Step 5: Checking OpenVAS CLI ... 
        OK: OpenVAS CLI version 1.4.4.
Step 6: Checking Greenbone Security Desktop (GSD) ... 
        SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ... 
        OK: netstat found, extended checks of the OpenVAS services enabled.
        OK: OpenVAS Scanner is running and listening on all interfaces.
        OK: OpenVAS Scanner is listening on port 9391, which is the default port.
        ERROR: OpenVAS Manager is NOT running!
        FIX: Start OpenVAS Manager (openvasmd).
        ERROR: Greenbone Security Assistant is NOT running!
        FIX: Start Greenbone Security Assistant (gsad).

 ERROR: Your OpenVAS-8 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

If you think this result is wrong, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

Important - Note the error ERROR: Greenbone Security Assistant is NOT running!

Enable and start OpenVAS Manager:

[root@centos7 ~]# systemctl enable openvas-manager
Created symlink from /etc/systemd/system/multi-user.target.wants/openvas-manager.service to /usr/lib/systemd/system/openvas-manager.service.

[root@centos7 ~]# systemctl start openvas-manager

[root@centos7 ~]# systemctl status openvas-manager
● openvas-manager.service - OpenVAS Manager
   Loaded: loaded (/usr/lib/systemd/system/openvas-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2025-12-02 11:51:41 CET; 10s ago
  Process: 12237 ExecStart=/usr/sbin/openvasmd $MANAGER_LISTEN $MANAGER_PORT $SCANNER_LISTEN $SCANNER_PORT $MANAGER_OTP (code=exited, status=0/SUCCESS)
 Main PID: 12238 (openvasmd)
   CGroup: /system.slice/openvas-manager.service
           └─12238 openvasmd

Dec 02 11:51:41 centos7.fenestros.loc systemd[1]: Starting OpenVAS Manager...
Dec 02 11:51:41 centos7.fenestros.loc systemd[1]: Started OpenVAS Manager.

Enable and start the Greenbone Security Assistant:

[root@centos7 ~]# systemctl enable openvas-gsa
Created symlink from /etc/systemd/system/multi-user.target.wants/openvas-gsa.service to /usr/lib/systemd/system/openvas-gsa.service.

[root@centos7 ~]# systemctl start openvas-gsa

[root@centos7 ~]# systemctl status openvas-gsa
● openvas-gsa.service - OpenVAS Greenbone Security Assistant
   Loaded: loaded (/usr/lib/systemd/system/openvas-gsa.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2025-12-02 11:53:08 CET; 1s ago
  Process: 12948 ExecStart=/usr/sbin/gsad $GSA_LISTEN $GSA_PORT $MANAGER_LISTEN $MANAGER_PORT $GNUTLSSTRING (code=exited, status=0/SUCCESS)
 Main PID: 12949 (gsad)
   CGroup: /system.slice/openvas-gsa.service
           ├─12949 /usr/sbin/gsad --port=9443 --mlisten=127.0.0.1 --mport=9390 --gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0
           └─12950 /usr/sbin/gsad --port=9443 --mlisten=127.0.0.1 --mport=9390 --gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0

Dec 02 11:53:08 centos7.fenestros.loc systemd[1]: Starting OpenVAS Greenbone Security Assistant...
Dec 02 11:53:08 centos7.fenestros.loc systemd[1]: Started OpenVAS Greenbone Security Assistant.

Run the openvas-check-setup command once more:

[root@centos7 ~]# openvas-check-setup
openvas-check-setup 2.3.3
  Test completeness and readiness of OpenVAS-8
  (add '--v6' or '--v7' or '--v9'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ... 
        OK: OpenVAS Scanner is present in version 5.0.6.
        OK: OpenVAS Scanner CA Certificate is present as /etc/pki/openvas/CA/cacert.pem.
        OK: redis-server is present in version v=3.2.12.
        OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
        OK: redis-server is running and listening on socket: /tmp/redis.sock.
        OK: redis-server configuration is OK and redis-server is running.
        OK: NVT collection in /var/lib/openvas/plugins contains 138097 NVTs.
        WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
        SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
        OK: The NVT cache in /var/cache/openvas contains 138097 files for 138097 NVTs.
Step 2: Checking OpenVAS Manager ... 
        OK: OpenVAS Manager is present in version 6.0.9.
        OK: OpenVAS Manager client certificate is present as /etc/pki/openvas/CA/clientcert.pem.
        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
        OK: OpenVAS Manager database is at revision 146.
        OK: OpenVAS Manager expects database at revision 146.
        OK: Database schema is up to date.
        OK: OpenVAS Manager database contains information about 138097 NVTs.
        OK: At least one user exists.
        OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
        OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
        OK: xsltproc found.
Step 3: Checking user configuration ... 
        WARNING: Your password policy is empty.
        SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ... 
        OK: Greenbone Security Assistant is present in version 6.0.11.
Step 5: Checking OpenVAS CLI ... 
        OK: OpenVAS CLI version 1.4.4.
Step 6: Checking Greenbone Security Desktop (GSD) ... 
        SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ... 
        OK: netstat found, extended checks of the OpenVAS services enabled.
        OK: OpenVAS Scanner is running and listening on all interfaces.
        OK: OpenVAS Scanner is listening on port 9391, which is the default port.
        OK: OpenVAS Manager is running and listening on all interfaces.
        OK: OpenVAS Manager is listening on port 9390, which is the default port.
        OK: Greenbone Security Assistant is listening on port 80, which is the default port.
Step 8: Checking nmap installation ...
        WARNING: No nmap installation found.
        SUGGEST: You should install nmap for comprehensive network scanning (see http://nmap.org)
Step 10: Checking presence of optional tools ...
        WARNING: Could not find pdflatex binary, the PDF report format will not work.
        SUGGEST: Install pdflatex.
        OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
        OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
        WARNING: Could not find alien binary, LSC credential package generation for DEB based targets will not work.
        SUGGEST: Install alien.
        WARNING: Could not find makensis binary, LSC credential package generation for Microsoft Windows targets will not work.
        SUGGEST: Install nsis.
        OK: SELinux is disabled.

It seems like your OpenVAS-8 installation is OK.

If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

Important - Note the WARNINGS.

Install the suggested packages:

[root@centos7 ~]# yum install nmap texlive-latex-bin-bin alien -y

Run the openvas-check-setup command again:

[root@centos7 ~]# openvas-check-setup
...
Step 10: Checking presence of optional tools ...
        OK: pdflatex found.
        WARNING: PDF generation failed, most likely due to missing LaTeX packages. The PDF report format will not work.
        SUGGEST: Install required LaTeX packages.
        OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
        OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
        OK: alien found, LSC credential package generation for DEB based targets is likely to work.
        WARNING: Could not find makensis binary, LSC credential package generation for Microsoft Windows targets will not work.
        SUGGEST: Install nsis.
        OK: SELinux is disabled.

It seems like your OpenVAS-8 installation is OK.
...

Important - Note the line WARNING: PDF generation failed, most likely due to missing LaTeX packages. The PDF report format will not work.

To be able to use reports in PDF format, install the following packages:

[root@centos7 ~]# yum -y install texlive-collection-fontsrecommended texlive-collection-latexrecommended texlive-changepage texlive-titlesec -y

Then download the comment.sty file into the /usr/share/texlive/texmf-local/tex/latex/comment directory and run the texhash command:

[root@centos7 ~]# mkdir -p /usr/share/texlive/texmf-local/tex/latex/comment

[root@centos7 ~]# cd /usr/share/texlive/texmf-local/tex/latex/comment

[root@centos7 comment]# wget http://mirrors.ctan.org/macros/latex/contrib/comment/comment.sty
--2025-12-02 13:35:43--  http://mirrors.ctan.org/macros/latex/contrib/comment/comment.sty
Resolving mirrors.ctan.org (mirrors.ctan.org)... 89.58.7.101, 2a03:4000:5e:d33::1
Connecting to mirrors.ctan.org (mirrors.ctan.org)|89.58.7.101|:80... connected.
HTTP request sent, awaiting response... 307 Temporary Redirect
Location: https://mirror.its.dal.ca/ctan/macros/latex/contrib/comment/comment.sty [following]
--2025-12-02 13:35:43--  https://mirror.its.dal.ca/ctan/macros/latex/contrib/comment/comment.sty
Resolving mirror.its.dal.ca (mirror.its.dal.ca)... 192.75.96.254
Connecting to mirror.its.dal.ca (mirror.its.dal.ca)|192.75.96.254|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10197 (10.0K) [application/octet-stream]
Saving to: ‘comment.sty’

100%[========================================================================================================================================================================>] 10,197      --.-K/s   in 0s      

2025-12-02 13:35:43 (175 MB/s) - ‘comment.sty’ saved [10197/10197]

[root@centos7 comment]# chmod 644 comment.sty

[root@centos7 comment]# texhash
texhash: Updating /usr/share/texlive/texmf/ls-R... 
texhash: Updating /usr/share/texlive/texmf-config/ls-R... 
texhash: Updating /usr/share/texlive/texmf-dist/ls-R... 
texhash: Updating /usr/share/texlive/texmf-local///ls-R... 
texhash: Updating /usr/share/texlive/texmf-var/ls-R... 
texhash: Done

Run the openvas-check-setup command one last time:

[root@centos7 comment]# openvas-check-setup
...
Step 10: Checking presence of optional tools ...
        OK: pdflatex found.
        OK: PDF generation successful. The PDF report format is likely to work.
        OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
        OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
        OK: alien found, LSC credential package generation for DEB based targets is likely to work.
        WARNING: Could not find makensis binary, LSC credential package generation for Microsoft Windows targets will not work.
        SUGGEST: Install nsis.
        OK: SELinux is disabled.

It seems like your OpenVAS-8 installation is OK.
...

Important - Note the line WARNING: Could not find makensis binary, LSC credential package generation for Microsoft Windows targets will not work.

Download and install the file mingw32-nsis-3.01-1.el7.x86_64.rpm:

[root@centos7 ~]# cd ~

[root@centos7 ~]# wget ftp://ftp.icm.edu.pl/vol/rzm1/linux-oracle-repo/OracleLinux/OL7/developer_EPEL/x86_64/mingw32-nsis-3.01-1.el7.x86_64.rpm
--2025-12-02 13:46:26--  ftp://ftp.icm.edu.pl/vol/rzm1/linux-oracle-repo/OracleLinux/OL7/developer_EPEL/x86_64/mingw32-nsis-3.01-1.el7.x86_64.rpm
           => ‘mingw32-nsis-3.01-1.el7.x86_64.rpm’
Resolving ftp.icm.edu.pl (ftp.icm.edu.pl)... 193.219.28.2, 2001:6a0:0:31::2
Connecting to ftp.icm.edu.pl (ftp.icm.edu.pl)|193.219.28.2|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD (1) /vol/rzm1/linux-oracle-repo/OracleLinux/OL7/developer_EPEL/x86_64 ... done.
==> SIZE mingw32-nsis-3.01-1.el7.x86_64.rpm ... 1379180
==> PASV ... done.    ==> RETR mingw32-nsis-3.01-1.el7.x86_64.rpm ... done.
Length: 1379180 (1.3M) (unauthoritative)

100%[========================================================================================================================================================================>] 1,379,180   2.05MB/s   in 0.6s   

2025-12-02 13:46:28 (2.05 MB/s) - ‘mingw32-nsis-3.01-1.el7.x86_64.rpm’ saved [1379180]

[root@centos7 ~]# yum localinstall mingw32-nsis-3.01-1.el7.x86_64.rpm --nogpgcheck -y

Run the openvas-check-setup command one last time:

[root@centos7 ~]# openvas-check-setup
...
Step 10: Checking presence of optional tools ...
        OK: pdflatex found.
        OK: PDF generation successful. The PDF report format is likely to work.
        OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
        OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
        OK: alien found, LSC credential package generation for DEB based targets is likely to work.
        OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.
        OK: SELinux is disabled.

It seems like your OpenVAS-8 installation is OK.
...

2.5 - Usage

Return to the Guacamole home page. Connect to the VM Gateway_10.0.2.40_VNC with the trainee account and the password a39dae707d.

Open a web browser in the VM and enter the address https://10.0.2.51:9443. You will get a window similar to this one:

Create an exception for the Self Signed Certificate. You will get a window similar to this one:

Enter your user name (fenestros) and its password (fenestros), then click the Login button. You will get a window similar to this one:

In the Quick start box, enter the IP address 10.0.2.46 and click the Start Scan button. You will get a window similar to this one:

Important - You can specify an entire network in the form 10.0.2.0/24.

2.6 - Analysis of the Results

Once the scan has finished, the results can be consulted:

as well as the details of each result:

You will also find a solution together with an assessment of the risk level, the Risk factor.

LAB #3 - Securing the DNS Server

3.1 - The DNS Server

The principle of DNS is based on the equivalence between an FQDN (Fully Qualified Domain Name) and an IP address. Humans remember names such as www.ittraining.team more easily, whereas computers work with numbers.

DNS (Domain Name Service) was born shortly after the introduction of FQDNs in 1981.

When a computer wants to communicate with another one by its name, for example www.fenestros.com, it sends a query to a DNS server. If the DNS server knows the mapping between the requested name and the IP number, it answers directly. If not, it starts a Recursive Lookup process.

This process tries to identify the domain server responsible for the SLD (Second Level Domain) in order to pass the query to it. In our example, it would try to identify the domain server responsible for ittraining.com.

If this attempt fails, the DNS server looks in its cache for the domain server of the TLD (Top Level Domain), in order to ask it for the address of the server responsible for the SLD. In our case, it would try to find the record for the domain server responsible for .com.

If this search fails, the server turns to a Root Name Server, of which there are only a few. If the Root Name Server cannot answer, the DNS server returns an error to the machine that made the request.

The DNS server performs name resolution, in other words it translates an Internet address such as www.ittraining.com into an IP number.
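The lookup sequence described above (local knowledge, then the SLD server, then the TLD server from the cache, then a Root Name Server, and finally an error), simulated in Python as an added example that is not part of the original course. The server addresses, zone data and the RecursiveResolver class are constructed for the example; nothing is sent on the network.

```python
"""Simulation of the recursive lookup described in section 3.1.

Constructed "world": which server knows what. The addresses come from the
documentation ranges (RFC 5737) and are not real servers.
"""

# The Root Name Server knows the address of the server responsible for each TLD.
ROOT_SERVER = {"com": "192.0.2.10"}

# The TLD server knows the address of the server responsible for each SLD.
TLD_SERVERS = {"192.0.2.10": {"ittraining.com": "192.0.2.20"}}

# The SLD (authoritative) server knows the hosts of its zone.
AUTHORITATIVE = {
    "192.0.2.20": {
        "www.ittraining.com": "198.51.100.7",
        "mail.ittraining.com": "198.51.100.8",
    }
}


class RecursiveResolver:
    """Hypothetical resolver following the four steps of the course text."""

    def __init__(self):
        self.answers = {}    # name -> IP: mappings the server "has knowledge of"
        self.ns_cache = {}   # zone -> address of the server responsible for it
        self.trace = []      # steps taken by the last lookup, for inspection

    def resolve(self, name):
        self.trace = []
        # Step 1: the mapping is already known, answer directly.
        if name in self.answers:
            self.trace.append("answered from cache")
            return self.answers[name]

        labels = name.lower().rstrip(".").split(".")
        if len(labels) < 3:
            self.trace.append("error: not a host name under an SLD")
            return None
        tld, sld = labels[-1], ".".join(labels[-2:])

        # Step 2: try the server responsible for the SLD (ittraining.com).
        sld_server = self.ns_cache.get(sld)
        if sld_server is None:
            self.trace.append(f"SLD server for {sld} unknown")
            # Step 3: look for the TLD server (.com) in the cache.
            tld_server = self.ns_cache.get(tld)
            if tld_server is None:
                # Step 4: ask a Root Name Server; an error if it cannot help.
                self.trace.append(f"TLD server for .{tld} not in cache, asking root")
                tld_server = ROOT_SERVER.get(tld)
                if tld_server is None:
                    self.trace.append("error: root name server cannot answer")
                    return None
                self.ns_cache[tld] = tld_server
            sld_server = TLD_SERVERS[tld_server].get(sld)
            if sld_server is None:
                self.trace.append(f"error: .{tld} server knows no {sld}")
                return None
            # Cached referrals like this one are what cache poisoning targets;
            # the DNSSEC chain of trust (sections 3.6 to 3.9) lets the
            # resolver verify them instead of trusting whoever answered first.
            self.ns_cache[sld] = sld_server

        self.trace.append(f"asking SLD server {sld_server}")
        ip = AUTHORITATIVE.get(sld_server, {}).get(name)
        if ip is None:
            self.trace.append(f"error: {name} does not exist in {sld}")
            return None
        self.answers[name] = ip
        return ip


if __name__ == "__main__":
    resolver = RecursiveResolver()
    for host in ("www.ittraining.com", "mail.ittraining.com",
                 "www.ittraining.com", "www.example.org"):
        print(host, "->", resolver.resolve(host), resolver.trace)
```

The second lookup of a host under the same SLD never reaches the root: the referral cached during the first lookup is reused, which is exactly why its integrity matters.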

3.2 - Preparing the Installation

The DNS server requires that the machine on which it is installed has an FQDN and a fixed IP address. It is also important to note that the bind service will not start if the /etc/hosts file contains an anomaly. Three preparatory steps are therefore necessary:

  • Changing the machine's IP address to a fixed IP address
  • Defining an FQDN (Fully Qualified Domain Name)
  • Checking the /etc/hosts file

To study this last case, we take the following machine as an example:

  • FQDN - debian12.ittraining.loc
  • IP address - 10.0.2.46

Check the VM configuration:

root@debian12:~# hostname
debian12

root@debian12:~# hostnamectl set-hostname debian12.ittraining.loc

root@debian12:~# hostname
debian12.ittraining.loc

root@debian12:~# nmcli c show
NAME                UUID                                  TYPE      DEVICE 
ip_fixe             33c26470-0968-4646-a88a-a22f10fab6da  ethernet  ens18  
lo                  c4172990-a224-464f-a1de-9820ca5e83c8  loopback  lo     
Wired connection 1  77c569e6-3176-4c10-8008-40d7634d2504  ethernet  --   

root@debian12:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 56:a3:fd:18:02:6d brd ff:ff:ff:ff:ff:ff
    altname enp0s18
    inet 10.0.2.46/24 brd 10.0.2.255 scope global noprefixroute ens18
       valid_lft forever preferred_lft forever
    inet6 fe80::4b88:5cd8:60c9:6e2c/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
		 
root@debian12:~# cat /etc/hosts
127.0.0.1       localhost
10.0.2.46       debian12.ittraining.loc debian12

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Important - The DNS server configuration depends on the name of your machine. Should you change this name, you must reconfigure your DNS server by editing the configuration files directly.
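A pre-flight check for the three preparatory steps of this section (FQDN set, fixed IP, consistent /etc/hosts), as an added example that is not part of the original course. The hosts file content is a constructed copy of the one shown above, and the function names are the example's own; it reports every anomaly it finds instead of stopping at the first one.

```python
"""Check the prerequisites of section 3.2 before installing bind9."""
import ipaddress

# Constructed copy of the /etc/hosts shown above, used as the "good" input.
GOOD_HOSTS = """\
127.0.0.1       localhost
10.0.2.46       debian12.ittraining.loc debian12

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
"""


def parse_hosts(text):
    """Parse /etc/hosts content into (ip, names) pairs, skipping comments.

    A line whose first field is not an IP address, or which carries no name,
    is returned with ip=None so the caller can report it as malformed.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            entries.append((None, fields))
            continue
        if len(fields) < 2:
            entries.append((None, fields))
        else:
            entries.append((fields[0], fields[1:]))
    return entries


def check_dns_host_prereqs(hostname, fixed_ip, hosts_text):
    """Return the list of problems found; an empty list means all is well."""
    problems = []

    # 1. The host name must be an FQDN (at least host.domain).
    labels = hostname.split(".")
    if len(labels) < 2 or not all(labels):
        problems.append(f"hostname '{hostname}' is not a FQDN")

    # 2. The fixed address must be a valid IP address.
    try:
        ipaddress.ip_address(fixed_ip)
    except ValueError:
        problems.append(f"'{fixed_ip}' is not a valid IP address")
        return problems

    # 3. /etc/hosts must be well formed and map the FQDN to the fixed IP.
    entries = parse_hosts(hosts_text)
    for ip, fields in entries:
        if ip is None:
            problems.append(f"malformed /etc/hosts line: {' '.join(fields)}")

    mapped = [ip for ip, names in entries if ip and hostname in names]
    if not mapped:
        problems.append(f"{hostname} has no entry in /etc/hosts")
    else:
        if fixed_ip not in mapped:
            problems.append(
                f"{hostname} maps to {', '.join(mapped)} instead of {fixed_ip}")
        for ip in mapped:
            # The FQDN mapped to a loopback address as well conflicts with
            # the fixed IP the DNS server is expected to answer from.
            if ipaddress.ip_address(ip).is_loopback:
                problems.append(f"{hostname} is also mapped to loopback {ip}")

    short = labels[0]
    if not any(ip == fixed_ip and short in names for ip, names in entries):
        problems.append(f"short name '{short}' is not an alias of {fixed_ip}")
    return problems


if __name__ == "__main__":
    print(check_dns_host_prereqs("debian12.ittraining.loc", "10.0.2.46", GOOD_HOSTS))
```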

3.3 - Installation

To install the DNS server, use the APT command:

root@debian12:~# apt install bind9 -y

root@debian12:~# systemctl status named
● named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; enabled; preset: enabled)
     Active: active (running) since Sun 2025-12-07 11:19:19 CET; 44s ago
       Docs: man:named(8)
   Main PID: 32581 (named)
     Status: "running"
      Tasks: 26 (limit: 19123)
     Memory: 116.9M
        CPU: 215ms
     CGroup: /system.slice/named.service
             └─32581 /usr/sbin/named -f -u bind

Dec 07 11:19:19 debian12.ittraining.loc named[32581]: network unreachable resolving '>
Dec 07 11:19:19 debian12.ittraining.loc named[32581]: network unreachable resolving '>
Dec 07 11:19:19 debian12.ittraining.loc named[32581]: network unreachable resolving '>
Dec 07 11:19:19 debian12.ittraining.loc named[32581]: network unreachable resolving '>
Dec 07 11:19:19 debian12.ittraining.loc named[32581]: network unreachable resolving '>
Dec 07 11:19:19 debian12.ittraining.loc named[32581]: network unreachable resolving '>
Dec 07 11:19:19 debian12.ittraining.loc named[32581]: network unreachable resolving '>
Dec 07 11:19:19 debian12.ittraining.loc named[32581]: network unreachable resolving '>
Dec 07 11:19:19 debian12.ittraining.loc named[32581]: managed-keys-zone: Initializing>
Dec 07 11:19:19 debian12.ittraining.loc named[32581]: managed-keys-zone: Initializing>

Options of the named command

The options of this command are:

root@debian12:~# named help
usage: named [-4|-6] [-c conffile] [-d debuglevel] [-D comment] [-E engine]
             [-f|-g] [-L logfile] [-n number_of_cpus] [-p port] [-s]
             [-S sockets] [-t chrootdir] [-u username] [-U listeners]
             [-X lockfile] [-m {usage|trace|record}]
             [-M fill|nofill]
usage: named [-v|-V|-C]
named: extra command line arguments

3.4 - The Configuration Files

Under Debian 12, the bind9 configuration files are located in /etc/bind:

root@debian12:~# ls -l /etc/bind
total 48
-rw-r--r-- 1 root root 2928 Oct 22 17:38 bind.keys
-rw-r--r-- 1 root root  255 Oct 22 17:38 db.0
-rw-r--r-- 1 root root  271 Oct 22 17:38 db.127
-rw-r--r-- 1 root root  237 Oct 22 17:38 db.255
-rw-r--r-- 1 root root  353 Oct 22 17:38 db.empty
-rw-r--r-- 1 root root  270 Oct 22 17:38 db.local
-rw-r--r-- 1 root bind  458 Oct 22 17:38 named.conf
-rw-r--r-- 1 root bind  498 Oct 22 17:38 named.conf.default-zones
-rw-r--r-- 1 root bind  165 Oct 22 17:38 named.conf.local
-rw-r--r-- 1 root bind  846 Oct 22 17:38 named.conf.options
-rw-r----- 1 bind bind  100 Dec  7 11:19 rndc.key
-rw-r--r-- 1 root root 1317 Oct 22 17:38 zones.rfc1918

named.conf

The main configuration file of the Bind DNS server is /etc/bind/named.conf:

root@debian12:~# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

The include directives pull the following files into the configuration:

root@debian12:~# cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on-v6 { any; };
};
root@debian12:~# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
root@debian12:~# cat /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

Zone Sections

The type Value

Now let's look at the zone sections. The “type” value can take several values:

  • master
    • This type defines the DNS server as the master server that is authoritative for the zone concerned.
  • slave
    • This type defines the DNS server as a slave server for the zone concerned. This implies that the zone is a replica of a master zone. A slave zone will also contain a masters directive giving the IP addresses of the master DNS servers.
  • stub
    • This type defines the DNS server as a slave server for the zone concerned, but only for NS records.
  • forward
    • This type defines the DNS server as a forwarding server for the zone concerned. This implies that every query is forwarded to another server.
  • hint
    • This type defines the zone concerned as a root zone. This implies that, when the server starts, this zone is used to retrieve the addresses of the root DNS servers.

The “notify” value indicates whether ( yes ) or not ( no ) the other DNS servers are informed of changes in the zone.

The file Value

The second directive in a zone section carries the file value. It gives the location of the zone file.

Zone Section Examples

Each zone section, with the exception of the “.” zone, is associated with a reverse zone section.

The “.” zone is configured using the file /usr/share/dns/root.hints:

...
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};
...

The zone section maps a name to an IP address, while the reverse zone section does the opposite. The reverse section has a name with a specific syntax:

reversed_network_address.in-addr.arpa.

For example, in the file above we find the following four sections:

...
zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};
...
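As an added example (not part of the course page), the shell functions below derive the reverse-zone names described above from an IPv4 prefix and a host address, so that the in-addr.arpa syntax can be checked before it is written into named.conf. They assume a /8, /16 or /24 network given as one to three dotted octets and use only POSIX sh and awk.

```shell
# Added example, not from the course page: reverse (in-addr.arpa) naming helpers.
# Assumes the network prefix is one to three dotted octets (a /8, /16 or /24).

# reverse_zone_name 10.0.2 -> 2.0.10.in-addr.arpa
# This is the name to use in the zone "..." { } section of named.conf.
reverse_zone_name() {
    prefix="$1"
    echo "$prefix" | awk -F. '{
        out = ""
        for (i = NF; i >= 1; i--) out = out $i "."   # octets in reverse order
        print out "in-addr.arpa"
    }'
}

# ptr_owner_name 10.0.2.46 -> 46.2.0.10.in-addr.arpa.
# Fully qualified owner name of the PTR record, as dig -x shows it in the QUESTION section.
ptr_owner_name() {
    ip="$1"
    echo "$ip" | awk -F. '{
        if (NF != 4) { print "invalid IPv4 address: " $0 > "/dev/stderr"; exit 1 }
        for (i = 1; i <= 4; i++)
            if ($i !~ /^[0-9]+$/ || $i > 255) { print "invalid IPv4 address: " $0 > "/dev/stderr"; exit 1 }
        print $4 "." $3 "." $2 "." $1 ".in-addr.arpa."
    }'
}

# ptr_relative_name 10.0.2.46 10.0.2 -> 46
# The label written in the reverse zone file, relative to the zone origin ($ORIGIN / @).
ptr_relative_name() {
    ip="$1"; prefix="$2"
    case "$ip" in
        "$prefix".*) echo "${ip#"$prefix".}" ;;
        *) echo "address $ip is not inside network $prefix" >&2; return 1 ;;
    esac
}
```

Run reverse_zone_name with the prefix of your network and ptr_owner_name with the server's address: the first result is the zone name for named.conf.default-zones, the second is what the QUESTION section of dig -x must show, and ptr_relative_name gives the left-hand label of the PTR line in the reverse zone file.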

Zone Sections for your Machine

To configure our server correctly, two additional sections must be added to this file:

  • The zone corresponding to our domain, here called “ittraining.loc”. It maps the machine name to its IP address:
...
zone "ittraining.loc" {
    type master;
    file "/etc/bind/zones/ittraining.loc";
    forwarders { };
};
...
  • The zone for our domain in the reverse direction, namely the file db.2.0.10.hosts, which maps our IP address to the machine name.
...
zone "2.0.10.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.2.0.10.hosts";
    forwarders { };
};
...

So add these two sections to the file /etc/bind/named.conf.default-zones:

root@debian12:~# vi /etc/bind/named.conf.default-zones

root@debian12:~# cat /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

zone "ittraining.loc" {
    type master;
    file "/etc/bind/zones/ittraining.loc";
    forwarders { };
};

zone "2.0.10.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.2.0.10.hosts";
    forwarders { };
};

Zone Files

Zone files are made up of lines of the form:

name TTL class type data

  • name
    • The DNS name.
  • TTL
    • How long this record is kept in cache.
  • class
    • The network used. In our case this is the Internet (TCP/IP) network, so the value is IN.
  • type
    • The record type:
      • SOA - Start of Authority - found at the beginning of the file and contains general information
      • NS - Name Server - the name of the name server
      • A - Address - a resolution from a name to an IP address. Only found in the forward (.hosts) files
      • PTR - PoinTeR - a resolution from an IP address to a name. Only found in the reverse files.
      • MX - Mail eXchange - the name of a mail server.
      • CNAME - Canonical Name - an alias for a machine.
      • HINFO - Hardware Info - provides information about the machine's hardware
  • data
    • The resource data:
      • An IP address for an A record
      • A machine name for a PTR record

ittraining.loc

This file is located in /etc/bind/zones. It is the file that defines the mapping of the machine name debian12.ittraining.loc to its IP address, namely 10.0.2.46. This file defines the machines that are to be reached by name:

root@debian12:~# mkdir /etc/bind/zones

root@debian12:~# vi /etc/bind/zones/ittraining.loc

root@debian12:~# cat /etc/bind/zones/ittraining.loc
$TTL 3D
@       IN     SOA     debian12.ittraining.loc. root.debian12.ittraining.loc. (
               2025120701       ; Serial
               8H   ; Refresh
               2H   ; Retry
               4W  ; Expire
               1D)  ; Minimum TTL
               IN      NS      debian12.ittraining.loc.
localhost                   A              127.0.0.1
dnsmaster                   IN      CNAME  debian12.ittraining.loc.
debian12.ittraining.loc.    IN      A      10.0.2.46

ftp IN CNAME debian12.ittraining.loc.
www IN CNAME debian12.ittraining.loc.
mail IN CNAME debian12.ittraining.loc.
news IN CNAME debian12.ittraining.loc.

Important - Note the dot at the end of each domain name. Also note that the @ character in the mail administrator's e-mail address is replaced by the “.” character.

The first line of this file is similar to this one:

$TTL 3D

This line tells the other DNS servers how long they should keep the records of this zone in cache. The duration can be expressed in days (D), hours (H) or seconds (S).

The second line defines the INternet class, an SOA (Start Of Authority), the name of the primary server and the address of the mail administrator:

@       IN     SOA     debian12.ittraining.loc. root.debian12.ittraining.loc. (

The @ character stands for the zone name: it is shorthand for the name of the zone described by this zone file, in this case ittraining.loc, as declared in the file /etc/bind/named.conf.default-zones:

zone "ittraining.loc" {
    type master;
    file "/etc/bind/zones/ittraining.loc";
    forwarders { };
};

The serial number must be changed each time the file is modified. Note that when several changes are made on the same day, the last two digits of the serial number must be incremented. For example, for two changes made on 07/12/2025, the first file will contain a Serial line with the value 2025120701, while the second change will carry the serial number 2025120702:

2025120701       ; Serial
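As an added example (not from the course page), the shell functions below implement the serial rule just described: same day, increment the two-digit counter; later day, restart at 01. More than 99 changes in one day, or a serial that is already ahead of the given date, is refused instead of silently producing a serial that secondaries would ignore. The date is passed as YYYYMMDD so that the run is reproducible offline; the zone file written by demo_serial_rollover is a constructed copy of the SOA shown above.

```shell
# Added example, not from the course page: YYYYMMDDnn serial handling for a zone file.
# Assumes the date is supplied as YYYYMMDD (e.g. "$(date -u +%Y%m%d)") by the caller.

# next_serial CURRENT_SERIAL TODAY -> prints the new serial
next_serial() {
    current="$1"; today="$2"
    case "$current" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "serial $current is not in YYYYMMDDnn form" >&2; return 1 ;;
    esac
    cur_day="${current%??}"          # first eight digits: the date part
    cur_n="${current#????????}"      # last two digits: the change counter
    if [ "$cur_day" = "$today" ]; then
        n=$((${cur_n#0} + 1))        # strip a leading zero so it is not read as octal
        if [ "$n" -gt 99 ]; then
            echo "more than 99 changes on $today: cannot increment $current" >&2
            return 1
        fi
        printf '%s%02d\n' "$today" "$n"
    elif [ "$cur_day" -lt "$today" ]; then
        printf '%s01\n' "$today"
    else
        echo "serial $current is already ahead of $today" >&2
        return 1
    fi
}

# bump_zone_serial ZONEFILE TODAY
# Rewrites the number on the line carrying the "; Serial" comment and prints the new serial.
bump_zone_serial() {
    zonefile="$1"; today="$2"
    current=$(awk '/; *Serial/ { print $1; exit }' "$zonefile")
    [ -n "$current" ] || { echo "no '; Serial' line in $zonefile" >&2; return 1; }
    new=$(next_serial "$current" "$today") || return 1
    tmp="$zonefile.tmp"
    sed "s/$current\([[:space:]]*;[[:space:]]*Serial\)/$new\1/" "$zonefile" > "$tmp" && mv "$tmp" "$zonefile"
    echo "$new"
}

# Constructed demo: a minimal copy of the SOA above, edited twice (same day, then the next day).
demo_serial_rollover() {
    dir=$(mktemp -d)
    cat > "$dir/ittraining.loc" <<'EOF'
$TTL 3D
@       IN     SOA     debian12.ittraining.loc. root.debian12.ittraining.loc. (
               2025120701       ; Serial
               8H   ; Refresh
               2H   ; Retry
               4W  ; Expire
               1D)  ; Minimum TTL
               IN      NS      debian12.ittraining.loc.
EOF
    s1=$(bump_zone_serial "$dir/ittraining.loc" 20251207)
    s2=$(bump_zone_serial "$dir/ittraining.loc" 20251208)
    rm -rf "$dir"
    echo "$s1 $s2"
}
```

On a real server you would call bump_zone_serial /etc/bind/zones/ittraining.loc "$(date -u +%Y%m%d)" before running rndc reload or dnssec-signzone; a serial that does not increase is the classic reason why a secondary keeps serving stale data.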

The next line gives the refresh time, here 8 hours. This is the interval between updates by another (secondary) server:

       8H ; Refresh

The next line gives the time between new update attempts by another server when the Refresh interval has been exceeded without a successful update:

       2H ; Retry 

The next line gives the expiry time, that is, how long the record remains authoritative. This directive is only used by a slave server:

       4W ; Expire 

The next line gives the minimum TTL value, here one day:

       1D) ; Minimum TTL 

This line identifies our name server:

IN NS debian12.ittraining.loc.

If our server were also a mail server, we would also find an SMTP (MX) entry:

IN MX 10 mail.ittraining.loc.

Below, A-type entries define the machines that we want to reach by name, namely debian12.ittraining.loc and localhost:

localhost                   A              127.0.0.1
...
debian12.ittraining.loc.    IN      A      10.0.2.46

Below, aliases are defined with CNAME-type entries. An alias is an additional name that identifies a machine.

dnsmaster                   IN      CNAME  debian12.ittraining.loc.

We could also find entries here such as:

ftp IN CNAME debian12.ittraining.loc.
www IN CNAME debian12.ittraining.loc.
mail IN CNAME debian12.ittraining.loc.
news IN CNAME debian12.ittraining.loc.

db.2.0.10.hosts

This file is located in /etc/bind/zones/. It is the file that defines the mapping of the machine's IP address, namely 10.0.2.46, to the name debian12.ittraining.loc. The number 46 in the last line corresponds to 10.0.2.46:

root@debian12:~# vi /etc/bind/zones/db.2.0.10.hosts

root@debian12:~# cat /etc/bind/zones/db.2.0.10.hosts
$TTL 3D
@       IN      SOA     debian12.ittraining.loc.        debian12.ittraining.loc. (
                2025120701 ; Serial
                10800   ; Refresh
                3600    ; Retry
                604800  ; Expire
                86400) ; Minimum TTL
                NS      debian12.ittraining.loc.
46       IN      PTR     debian12.ittraining.loc.

Now modify the permissions on the configuration files:

root@debian12:~# ls -l /etc/bind/zones/*
-rw-r--r-- 1 root bind 362 Dec  7 12:16 /etc/bind/zones/db.2.0.10.hosts
-rw-r--r-- 1 root bind 634 Dec  7 12:06 /etc/bind/zones/ittraining.loc

root@debian12:~# chmod g+w /etc/bind/zones/*

root@debian12:~# ls -l /etc/bind/zones/*
-rw-rw-r-- 1 root bind 362 Dec  7 12:16 /etc/bind/zones/db.2.0.10.hosts
-rw-rw-r-- 1 root bind 634 Dec  7 12:06 /etc/bind/zones/ittraining.loc

3.5 - Usage

Now modify the file /etc/resolv.conf so that your own DNS server is used:

root@debian12:~# vi /etc/resolv.conf

root@debian12:~# cat /etc/resolv.conf
# Generated by NetworkManager
search ittraining.loc
nameserver 127.0.0.1
nameserver 8.8.8.8

Finally, restart the named service:

root@debian12:~# systemctl restart named

root@debian12:~# systemctl status named
● named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; enabled; preset: enabled)
     Active: active (running) since Sun 2025-12-07 12:19:11 CET; 7s ago
       Docs: man:named(8)
   Main PID: 32731 (named)
     Status: "running"
      Tasks: 18 (limit: 19123)
     Memory: 109.1M
        CPU: 86ms
     CGroup: /system.slice/named.service
             └─32731 /usr/sbin/named -f -u bind

Dec 07 12:19:11 debian12.ittraining.loc named[32731]: network unreachable resolving './DNSKEY/IN': 2801:1b8:10::b#53
Dec 07 12:19:11 debian12.ittraining.loc named[32731]: network unreachable resolving './NS/IN': 2801:1b8:10::b#53
Dec 07 12:19:11 debian12.ittraining.loc named[32731]: network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
Dec 07 12:19:11 debian12.ittraining.loc named[32731]: network unreachable resolving './NS/IN': 2001:500:1::53#53
Dec 07 12:19:11 debian12.ittraining.loc named[32731]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Dec 07 12:19:11 debian12.ittraining.loc named[32731]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
Dec 07 12:19:11 debian12.ittraining.loc named[32731]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
Dec 07 12:19:11 debian12.ittraining.loc named[32731]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
Dec 07 12:19:12 debian12.ittraining.loc named[32731]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Dec 07 12:19:12 debian12.ittraining.loc named[32731]: managed-keys-zone: Key 38696 for zone . is now trusted (acceptance timer complete)

Now test your server:

root@debian12:/etc/bind/zones# nslookup debian12.ittraining.loc
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   debian12.ittraining.loc
Address: 10.0.2.46

root@debian12:~# dig ittraining.loc

; <<>> DiG 9.18.41-1~deb12u1-Debian <<>> ittraining.loc
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51890
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 74a7e4078e44bf490100000069356348f4e348254883e231 (good)
;; QUESTION SECTION:
;ittraining.loc.                        IN      A

;; AUTHORITY SECTION:
ittraining.loc.         86400   IN      SOA     debian12.ittraining.loc. root.debian12.ittraining.loc. 2025120701 28800 7200 2419200 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Dec 07 12:21:44 CET 2025
;; MSG SIZE  rcvd: 121

root@debian12:~# dig -x 10.0.2.46

; <<>> DiG 9.18.41-1~deb12u1-Debian <<>> -x 10.0.2.46
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5254
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: b019ecafc27e897601000000693563584aff28c151c1bd67 (good)
;; QUESTION SECTION:
;46.2.0.10.in-addr.arpa.                IN      PTR

;; ANSWER SECTION:
46.2.0.10.in-addr.arpa. 259200  IN      PTR     debian12.ittraining.loc.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Dec 07 12:22:00 CET 2025
;; MSG SIZE  rcvd: 116

Important - Note the use of the -x option of the dig command to test the reverse zone.

3.6 - Create the Key Pairs

Use the dnssec-keygen command to create the ZSK:

root@debian12:~# cd /etc/bind/zones/

root@debian12:/etc/bind/zones# dnssec-keygen -b 2048 -a RSASHA256 ittraining.loc
Generating key pair............+.....+...+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+........+...+...+....+...+........+.......+.....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*........+.........+..............+....+..+...+.+......+...+..+...+..........+...+.....+...+......+.+........+.+.........+..+.........+......+...+......+.........+..........+......+.....+...+.+.........+...+.....+....+...+............+........+.+...........+...+...+...+........................+...+.......+......+.....+.+....................+....+.....+......................+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ..+......+........+.......+.....+......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*................+.+............+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Kittraining.loc.+008+18528

Important - The -a RSASHA256 option forces the use of the SHA2 algorithm instead of SHA1.

root@debian12:/etc/bind/zones# ls -l
total 24
-rw-rw-r-- 1 root bind  362 Dec  7 12:16 db.2.0.10.hosts
-rw-rw-r-- 1 root bind  747 Dec  7 13:13 ittraining.loc
-rw-r--r-- 1 root bind  612 Dec  7 13:28 Kittraining.loc.+008+18528.key
-rw------- 1 root bind 1776 Dec  7 13:28 Kittraining.loc.+008+18528.private

Important - In the name of each file, 008 indicates the use of SHA2. If SHA1 were used, the value would be 005. The value 18528 is the identifier (key tag) of the key pair.

Use the dnssec-keygen command to create the KSK:

root@debian12:/etc/bind/zones# dnssec-keygen -b 4096 -f KSK -a RSASHA256 ittraining.loc
Generating key pair..+.....+....+......+......+.....+....+...+.....+......+......................+........+....+...+...+.........+..+...+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+.....+.+...........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.........+.......+......+..+......+.......+.........+..............+.........+.+..+....+.....+....+..+.......+...+..+......+..........+...........+.+....................+...+......+.........+.........+.+......+........+...+............+..........+...+...+....................+....+........+...+....+..................+..............+.........+.......+...+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ..+..+....+..+.......+..+......+.........+....+..+..........+.....+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.......+........+.+.....+.......+........+.......+..+.+......+..............+.+......+.........+...+......+.........+...+.................+................+......+.....+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...........+....+...+............+..............+..........+.................+.............+.........+..+...+.+..+.........+...+.............+...+.....+....+..+...+......+.......+...+.........+...+.....+.........+....+...........+......+.......+...........+.+.........+.....+.+.....+..................+.+..+.........+.........+.......+........+...................+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Kittraining.loc.+008+63515

Important - The -f option indicates the type of key pair, here KSK.

Check that the key pairs are present:

root@debian12:/etc/bind/zones# ls -l
total 24
-rw-rw-r-- 1 root bind  362 Dec  7 12:16 db.2.0.10.hosts
-rw-rw-r-- 1 root bind  747 Dec  7 13:13 ittraining.loc
-rw-r--r-- 1 root bind  612 Dec  7 13:28 Kittraining.loc.+008+18528.key
-rw------- 1 root bind 1776 Dec  7 13:28 Kittraining.loc.+008+18528.private
-rw-r--r-- 1 root bind  957 Dec  7 13:28 Kittraining.loc.+008+63515.key
-rw------- 1 root bind 3316 Dec  7 13:28 Kittraining.loc.+008+63515.private

3.7 - Modify the Bind Configuration

Add the two public keys to the zone file /etc/bind/zones/ittraining.loc:

root@debian12:/etc/bind/zones# vi ittraining.loc 

root@debian12:/etc/bind/zones# cat ittraining.loc
$TTL 3D
@       IN     SOA     debian12.ittraining.loc. root.debian12.ittraining.loc. (
               2025120702       ; Serial
               8H   ; Refresh
               2H   ; Retry
               4W  ; Expire
               1D)  ; Minimum TTL
               IN      NS      debian12.ittraining.loc.
localhost                   A              127.0.0.1
dnsmaster                   IN      CNAME  debian12.ittraining.loc.
debian12.ittraining.loc.    IN      A      10.0.2.46

ftp IN CNAME debian12.ittraining.loc.
www IN CNAME debian12.ittraining.loc.
mail IN CNAME debian12.ittraining.loc.
news IN CNAME debian12.ittraining.loc.

$include /etc/bind/zones/Kittraining.loc.+008+18528.key
$include /etc/bind/zones/Kittraining.loc.+008+63515.key

Important - Don't forget to change the serial value.

Restart the named service:

root@debian12:/etc/bind/zones# systemctl restart named

root@debian12:/etc/bind/zones# systemctl status  named
● named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; enabled; preset: enabled)
     Active: active (running) since Sun 2025-12-07 13:32:03 CET; 7s ago
       Docs: man:named(8)
   Main PID: 32952 (named)
     Status: "running"
      Tasks: 18 (limit: 19123)
     Memory: 113.1M
        CPU: 83ms
     CGroup: /system.slice/named.service
             └─32952 /usr/sbin/named -f -u bind

Dec 07 13:32:03 debian12.ittraining.loc named[32952]: network unreachable resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
Dec 07 13:32:03 debian12.ittraining.loc named[32952]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
Dec 07 13:32:03 debian12.ittraining.loc named[32952]: network unreachable resolving './DNSKEY/IN': 2001:7fe::53#53
Dec 07 13:32:03 debian12.ittraining.loc named[32952]: network unreachable resolving './NS/IN': 2001:7fe::53#53
Dec 07 13:32:03 debian12.ittraining.loc named[32952]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Dec 07 13:32:03 debian12.ittraining.loc named[32952]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Dec 07 13:32:03 debian12.ittraining.loc named[32952]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
Dec 07 13:32:03 debian12.ittraining.loc named[32952]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
Dec 07 13:32:03 debian12.ittraining.loc named[32952]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Dec 07 13:32:03 debian12.ittraining.loc named[32952]: managed-keys-zone: Key 38696 for zone . is now trusted (acceptance timer complete)

Query the local DNS server to obtain the public keys:

root@debian12:/etc/bind/zones# dig @debian12.ittraining.loc DNSKEY ittraining.loc

; <<>> DiG 9.18.41-1~deb12u1-Debian <<>> @debian12.ittraining.loc DNSKEY ittraining.loc
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58210
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 74f4778aedb99b4d01000000693576d3fe2e16da8329795a (good)
;; QUESTION SECTION:
;ittraining.loc.                        IN      DNSKEY

;; ANSWER SECTION:
ittraining.loc.         259200  IN      DNSKEY  256 3 8 AwEAAZ+2bRM+yedcAeqUR6AdkSzyIeQg1kH4021as3WvYGlOLqeUnfbe gNewRYifndXx/b1t84A9L6IZH1ZamuSNxNi7Y0+FZbyq4DJmFnHA68Ao 5zmOhK76mrQf6SjzQHZWzwtoG0DAApTggaRxhmezzjkSr3WNadIoFg4F XU5UaV4ePU5hhPn+zi34SUYvgPTZsSWb/solo0yna80RBxI+hgRxoaPp jV/v4mEVVS9Fjpvc6SxJ/ZZbtUMJi5lTUCvko+Ny9cuXZ5auW4b2qp4u Sk6NuywMawQafxBaxZ/9KuhxqO4qp2n1pl+gBatqb/XPydE41z6ONkT2 YnDOLQVZxLM=
ittraining.loc.         259200  IN      DNSKEY  257 3 8 AwEAAcRrC7vljqlLFZGQbLUBpMs29NWyiJ8158xqL0GdZuRslhAqy4q2 JisfBS1gKm27J4y2s8zrDhKLAnEqWpIydvRkZd+a6oTJAomfAF9bxHAe xxEyLK7Xd4ATGiXRUv2vALQq1e6XejBhVr10gmbKdQW+SxayYnwQ0G8h 1VFJ2wtAJZdNn/exhmgxxmUwxeJWLmUf37VOkycwn4RbwWZY3rBIOi2V mCigGe1cDpZoNb2FCTKLjEj5ZRz0ieM9SXXLkZEvGd77xAvoV8+JTTX5 BjlP6Hfso+C/NZUchvoNYisqWSPzffyrsaOzumMtuIsKJX2PaADSmFg8 os/b16zqtPbd+lPhQdsR+RE9V5R0YJhNPnsoG0Vy/mfQCCcP7VIC97iB aYSz/u5KFhsS5E0AIJt8rJwGrb2eqZYTFe2Mdtth1FjgIk7DCvFm2GYM zZ0F15WqcBpJGEDof0/HWSpMfjbnc20QAojLYmuek5XE9lWlZLrk9tby q4R7dZrUdDez3oShtJ/rXTA8AxOzcftLsoCZHy+bMfy5RxThidWQYJGE dQsnk3IgJ1pgzSjdB4nXQkyxMBpRzjyxPw9k1a4oLxYrdLQnHkm5RdWA b5k6Csu2xmSKaQUy9oyLaCRrkd9BnpJPELjRmXIdmyswevjmUr9qwLtk L1W/qxN3it6Ribh3

;; Query time: 4 msec
;; SERVER: 10.0.2.46#53(debian12.ittraining.loc) (UDP)
;; WHEN: Sun Dec 07 13:45:07 CET 2025
;; MSG SIZE  rcvd: 879
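As an added example (not from the course page), the functions below decode a dnssec-keygen file name such as Kittraining.loc.+008+18528.key into zone, algorithm number, algorithm name and key tag (the naming explained in 3.6), and read the flags field of the DNSKEY records returned by the dig query above (256 or 257) to tell a ZSK from a KSK. The algorithm numbers and flag bits are those of the DNSSEC registries: 8 = RSASHA256, 5 = RSASHA1; bit 256 = zone key, bit 1 = SEP, the bit that marks a KSK.

```shell
# Added example, not from the course page: decode dnssec-keygen file names and DNSKEY flags.
# Algorithm numbers and flag bits are the registry values; no BIND tool is needed to run this.

# algorithm_name NUMBER -> mnemonic used by dnssec-keygen -a
algorithm_name() {
    case "$1" in
        5)  echo RSASHA1 ;;
        7)  echo NSEC3RSASHA1 ;;
        8)  echo RSASHA256 ;;
        10) echo RSASHA512 ;;
        13) echo ECDSAP256SHA256 ;;
        14) echo ECDSAP384SHA384 ;;
        15) echo ED25519 ;;
        16) echo ED448 ;;
        *)  echo "UNKNOWN($1)" ;;
    esac
}

# keyfile_info Kittraining.loc.+008+18528.key -> "ittraining.loc 8 RSASHA256 18528"
# Works on .key and .private files, with or without a directory part.
keyfile_info() {
    name="${1##*/}"
    name="${name%.key}"; name="${name%.private}"
    case "$name" in
        K*+[0-9][0-9][0-9]+[0-9]*) ;;
        *) echo "$1 is not a dnssec-keygen file name" >&2; return 1 ;;
    esac
    name="${name#K}"
    tag="${name##*+}"                 # key tag, after the last '+'
    rest="${name%+*}"
    alg="${rest##*+}"                 # three-digit algorithm number
    zone="${rest%+*}"; zone="${zone%.}"
    alg=$(printf '%s\n' "$alg" | sed 's/^0*\([0-9]\)/\1/')   # 008 -> 8
    echo "$zone $alg $(algorithm_name "$alg") $tag"
}

# dnskey_role FLAGS -> ZSK or KSK (fails if the zone-key bit is not set)
dnskey_role() {
    flags="$1"
    if [ $((flags & 256)) -eq 0 ]; then echo "not a zone key"; return 1; fi
    if [ $((flags & 1)) -ne 0 ]; then echo KSK; else echo ZSK; fi
}

# dnskey_summary "<one DNSKEY line from dig>" -> "<owner> <role> <algorithm>"
dnskey_summary() {
    set -- $1    # owner ttl class type flags protocol algorithm key...
    [ "$4" = "DNSKEY" ] || { echo "not a DNSKEY record" >&2; return 1; }
    role=$(dnskey_role "$5") || return 1
    echo "$1 $role $(algorithm_name "$7")"
}
```

Piping the ANSWER SECTION of dig DNSKEY through dnskey_summary line by line is a quick way to confirm that both a ZSK (256) and a KSK (257) are published, and keyfile_info on the files in /etc/bind/zones confirms the key tags match those shown in the RRSIG records.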

3.8 - Sign the Zone

With the keys now inserted in the configuration, the zone must be signed using the dnssec-signzone command. The -S option (smart signing) finds the key files for the zone automatically and determines how they must be used:

root@debian12:/etc/bind/zones# dnssec-signzone -S ittraining.loc
Verifying the zone using the following algorithms:
- RSASHA256
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked
ittraining.loc.signed

root@debian12:/etc/bind/zones# ls -l | grep signed
-rw-r--r-- 1 root bind 12407 Dec  7 13:39 ittraining.loc.signed

Look at the file ittraining.loc.signed:

root@debian12:/etc/bind/zones# more ittraining.loc.signed
; File written on Sun Dec  7 13:39:03 2025
; dnssec_signzone version 9.18.41-1~deb12u1-Debian
ittraining.loc.         259200  IN SOA  debian12.ittraining.loc. root.debian12.ittraining.loc. (
                                        2025120703 ; serial
                                        28800      ; refresh (8 hours)
                                        7200       ; retry (2 hours)
                                        2419200    ; expire (4 weeks)
                                        86400      ; minimum (1 day)
                                        )
                        259200  RRSIG   SOA 8 2 259200 (
                                        20260106113903 20251207113903 18528 ittraining.loc.
                                        ANlboBzlffzcYC1G10cQuxvRP3XC5bvDP1+v
                                        Baxfh/B4BxgYGeQoDih2uGqLxzDExRWix2a2
                                        B95uAkDGClaGdlFkYtU4voIQJWuAx0Goo6Xa
                                        omEyrIdLGqoj9e2vdn6j2lVpJik9YgCTxP2G
                                        ShVYc632XsAFPXN6SJrR3QdKo1x6KM1uPYdd
                                        OxAX9fGNYj59ZXG84slUxreDejoqn2k8Rx68
                                        gxuzkIY3oM5aUtbvL8bwjflk121mWxQ4vVhW
                                        R/KNk9SEc6AbZSqJXwmlY/vReOA+pvPCdLYJ
                                        7Wf+S9kr1i1xT1y078Iqz2twASWBjBnP/adG
                                        QtKpn9SvKUEzICTaNA== )
                        259200  NS      debian12.ittraining.loc.
                        259200  RRSIG   NS 8 2 259200 (
                                        20260106113903 20251207113903 18528 ittraining.loc.
                                        CGtE8nZ2F0JQLAmbyPgrqKLDXjyWg2hZmEcf
                                        22h2zAxJZWjNWB7k5aLHA6weKkvo7mTnH7sS
                                        pEazWPhaDzmW2BLfdBjeaSZzj+mMWUiXVnUq
                                        LYAMLRXGD1NAPcuSQlyzDpN0JZXwWfQFTpzT
                                        DJttJyChcQgyJmvaJEhIhQK5gRFMaT+Ww1zg
                                        pvAke0HlkSEz9mQxIhff5FqSL00Zyn5mnLBB
                                        N6X1XKQXL/mUJ8nb9X70n9b/qsYqAQdFFxzS
                                        6lz+kMr/D1AhzabDGkeD/+xlXSPMygYc4I6b
                                        eYZKmEsD8HOdYJb5JlWicP7cheeKonPXxjrZ
                                        TQqLDJFaRETE+IDnLQ== )
                        86400   NSEC    debian12.ittraining.loc. NS SOA RRSIG NSEC DNSKEY
                        86400   RRSIG   NSEC 8 2 86400 (
                                        20260106113903 20251207113903 18528 ittraining.loc.
                                        dDLcoBI/agA+tHni16R8aWdWHBqPPfBjbFRZ
                                        775fNQI/d20d47vFx/u2rx+WzenCSZBOpU/J
                                        2b8Q2Dm26f218L1KYF7NF7dew2s5OUIkfM+V
                                        iZIqBSAFYyAbLYRCfbQA6DxsIgDT6T/x7jLf
                                        +jYHNeASGauWunufrSLvbqdsIE0z+JH+3AVE
                                        JaLTeXYL6I+/U4vn+EwVOiOuVv3eOt8d1d5a
                                        0lqDK8qRlcbhFF1ngOJHe+Fa5ect9kqnbjCa
                                        7mwOOmp4v4JA6Myvvut7OEDI5mQItd9HApPl
                                        eM0kvui7mioUEUCM2EXRPtJYXVAELUnqGz1S
                                        hn6EYefpcWvUDo8veg== )
                        259200  DNSKEY  256 3 8 (
                                        AwEAAZ+2bRM+yedcAeqUR6AdkSzyIeQg1kH4
                                        021as3WvYGlOLqeUnfbegNewRYifndXx/b1t
                                        84A9L6IZH1ZamuSNxNi7Y0+FZbyq4DJmFnHA
                                        68Ao5zmOhK76mrQf6SjzQHZWzwtoG0DAApTg
                                        gaRxhmezzjkSr3WNadIoFg4FXU5UaV4ePU5h
                                        hPn+zi34SUYvgPTZsSWb/solo0yna80RBxI+
                                        hgRxoaPpjV/v4mEVVS9Fjpvc6SxJ/ZZbtUMJ
--More--(18%)

Look at the RRSIG section of the SOA:

...
                        259200  RRSIG   SOA 8 2 259200 (
                                        20260106113903 20251207113903 18528 ittraining.loc.
                                        ANlboBzlffzcYC1G10cQuxvRP3XC5bvDP1+v
                                        Baxfh/B4BxgYGeQoDih2uGqLxzDExRWix2a2
                                        B95uAkDGClaGdlFkYtU4voIQJWuAx0Goo6Xa
                                        omEyrIdLGqoj9e2vdn6j2lVpJik9YgCTxP2G
                                        ShVYc632XsAFPXN6SJrR3QdKo1x6KM1uPYdd
                                        OxAX9fGNYj59ZXG84slUxreDejoqn2k8Rx68
                                        gxuzkIY3oM5aUtbvL8bwjflk121mWxQ4vVhW
                                        R/KNk9SEc6AbZSqJXwmlY/vReOA+pvPCdLYJ
                                        7Wf+S9kr1i1xT1y078Iqz2twASWBjBnP/adG
                                        QtKpn9SvKUEzICTaNA== )
...

In this section we can see:

  • The ID of the key used for the signature, 18528, i.e. the ZSK
  • The date and time of the signature, 20251207113903
  • The date and time at which the signature expires, 20260106113903
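As an added example (not from the course page), the functions below read the fields of an RRSIG record and check whether a signature is valid at a given moment, which is the check an operator runs before the 30-day validity shown above runs out (an expired RRSIG makes validating resolvers return SERVFAIL for the whole zone). RRSIG_SOA is constructed from the values of the SOA signature above, written on one line as dig +dnssec prints it, with the signature shortened; timestamps are compared in the YYYYMMDDHHMMSS UTC form used by RRSIG, and the day count is computed in awk so that nothing depends on the local date command.

```shell
# Added example, not from the course page: RRSIG field access and validity check.
# Constructed from the SOA RRSIG values shown above; the base64 signature is truncated.
RRSIG_SOA='ittraining.loc. 259200 IN RRSIG SOA 8 2 259200 20260106113903 20251207113903 18528 ittraining.loc. ANlboBzlffzcYC1G10cQuxvRP3XC5bvDP1+vBaxfh/B4BxgYGeQoDih2uGqLxzDExRWix2a2'

# rrsig_field RECORD FIELD
# FIELD: covered | algorithm | labels | orig_ttl | expiration | inception | keytag | signer
rrsig_field() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $4 != "RRSIG" { print "not an RRSIG record" > "/dev/stderr"; exit 1 }
        {
            f["covered"] = $5;    f["algorithm"] = $6; f["labels"] = $7; f["orig_ttl"] = $8
            f["expiration"] = $9; f["inception"] = $10; f["keytag"] = $11; f["signer"] = $12
            if (!(want in f)) { print "unknown field " want > "/dev/stderr"; exit 1 }
            print f[want]
        }'
}

# rrsig_status RECORD NOW   (NOW as YYYYMMDDHHMMSS, UTC, the same form as the RRSIG timestamps)
# prints "valid", "not yet valid" or "expired"; returns 0 only when valid
rrsig_status() {
    record="$1"; now="$2"
    exp=$(rrsig_field "$record" expiration) || return 1
    inc=$(rrsig_field "$record" inception) || return 1
    if [ "$now" -lt "$inc" ]; then echo "not yet valid"; return 1
    elif [ "$now" -gt "$exp" ]; then echo "expired"; return 1
    else echo "valid"; fi
}

# rrsig_days_left RECORD NOW -> whole days from NOW to the expiration date (negative once expired)
# Uses a civil-date to day-number conversion in awk instead of date -d, which is not portable.
rrsig_days_left() {
    exp=$(rrsig_field "$1" expiration) || return 1
    awk -v e="$exp" -v n="$2" '
        function days_from_civil(y, m, d,    era, yoe, doy, doe) {
            if (m <= 2) y--
            era = int((y >= 0 ? y : y - 399) / 400)
            yoe = y - era * 400
            doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
            doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
            return era * 146097 + doe - 719468     # days since 1970-01-01
        }
        function stamp_days(s) {
            return days_from_civil(substr(s, 1, 4) + 0, substr(s, 5, 2) + 0, substr(s, 7, 2) + 0)
        }
        BEGIN { print stamp_days(e) - stamp_days(n) }'
}
```

A monitoring job can feed the RRSIG lines of dig @server zone SOA +dnssec to rrsig_days_left with "$(date -u +%Y%m%d%H%M%S)" and alert when the result drops below the re-signing interval; the Expire value of the SOA (4 weeks here) is a separate timer and does not protect against an expired signature.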

Configure Bind so that it uses the signed file:

root@debian12:/etc/bind/zones# vi ../named.conf.default-zones 
root@debian12:/etc/bind/zones# cat ../named.conf.default-zones 
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

zone "ittraining.loc" {
    type master;
    file "/etc/bind/zones/ittraining.loc.signed";
    forwarders { };
};

zone "2.0.10.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.2.0.10.hosts";
    forwarders { };
};

Restart the named service:

root@debian12:/etc/bind/zones# systemctl restart named

root@debian12:/etc/bind/zones# systemctl status named
● named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; enabled; preset: enabled)
     Active: active (running) since Sun 2025-12-07 14:02:52 CET; 7s ago
       Docs: man:named(8)
   Main PID: 33227 (named)
     Status: "running"
      Tasks: 18 (limit: 19123)
     Memory: 109.0M
        CPU: 88ms
     CGroup: /system.slice/named.service
             └─33227 /usr/sbin/named -f -u bind

Dec 07 14:02:52 debian12.ittraining.loc named[33227]: network unreachable resolving './DNSKEY>
Dec 07 14:02:52 debian12.ittraining.loc named[33227]: network unreachable resolving './NS/IN'>
Dec 07 14:02:52 debian12.ittraining.loc named[33227]: network unreachable resolving './DNSKEY>
Dec 07 14:02:52 debian12.ittraining.loc named[33227]: network unreachable resolving './NS/IN'>
Dec 07 14:02:52 debian12.ittraining.loc named[33227]: network unreachable resolving './DNSKEY>
Dec 07 14:02:52 debian12.ittraining.loc named[33227]: network unreachable resolving './NS/IN'>
Dec 07 14:02:52 debian12.ittraining.loc named[33227]: network unreachable resolving './DNSKEY>
Dec 07 14:02:52 debian12.ittraining.loc named[33227]: network unreachable resolving './NS/IN'>
Dec 07 14:02:52 debian12.ittraining.loc named[33227]: managed-keys-zone: Key 20326 for zone .>
Dec 07 14:02:52 debian12.ittraining.loc named[33227]: managed-keys-zone: Key 38696 for zone .>

The two managed-keys-zone lines show the root zone trust anchors (key tags 20326 and 38696) being loaded. The network unreachable messages mean the lab machine cannot reach the root servers at the addresses named tried (typically because it has no IPv6 connectivity); they are not caused by the zone change.

Query the local DNS server for the SOA record:

root@debian12:/etc/bind/zones# dig @debian12.ittraining.loc ittraining.loc SOA

; <<>> DiG 9.18.41-1~deb12u1-Debian <<>> @debian12.ittraining.loc ittraining.loc SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42848
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: a42dbdb3e931b5b40100000069357b611d705b9c213bca01 (good)
;; QUESTION SECTION:
;ittraining.loc.                        IN      SOA

;; ANSWER SECTION:
ittraining.loc.         259200  IN      SOA     debian12.ittraining.loc. root.debian12.ittraining.loc. 2025120703 28800 7200 2419200 86400

;; Query time: 0 msec
;; SERVER: 10.0.2.46#53(debian12.ittraining.loc) (UDP)
;; WHEN: Sun Dec 07 14:04:33 CET 2025
;; MSG SIZE  rcvd: 121

Query the local DNS server for the SOA record together with its signature. The +dnssec option sets the DO bit (shown as flags: do in the EDNS pseudosection), so the server adds the RRSIG record to the answer. The RRSIG was made with key tag 18528, the ZSK (the KSK, 63515, signs only the DNSKEY RRset), and it carries its own validity window, 20251207113903 to 20260106113903, i.e. 30 days: the zone must be re-signed before that date or validating resolvers will reject it. Note also that the answer has the aa flag but no ad flag: an authoritative server hands out signatures, it does not validate them itself.

root@debian12:/etc/bind/zones# dig @debian12.ittraining.loc ittraining.loc SOA +dnssec
 
; <<>> DiG 9.18.41-1~deb12u1-Debian <<>> @debian12.ittraining.loc ittraining.loc SOA +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56632
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 14cfa09283a1f4980100000069357b95d90b040d04f37247 (good)
;; QUESTION SECTION:
;ittraining.loc.                        IN      SOA

;; ANSWER SECTION:
ittraining.loc.         259200  IN      SOA     debian12.ittraining.loc. root.debian12.ittraining.loc. 2025120703 28800 7200 2419200 86400
ittraining.loc.         259200  IN      RRSIG   SOA 8 2 259200 20260106113903 20251207113903 18528 ittraining.loc. ANlboBzlffzcYC1G10cQuxvRP3XC5bvDP1+vBaxfh/B4BxgYGeQoDih2 uGqLxzDExRWix2a2B95uAkDGClaGdlFkYtU4voIQJWuAx0Goo6XaomEy rIdLGqoj9e2vdn6j2lVpJik9YgCTxP2GShVYc632XsAFPXN6SJrR3QdK o1x6KM1uPYddOxAX9fGNYj59ZXG84slUxreDejoqn2k8Rx68gxuzkIY3 oM5aUtbvL8bwjflk121mWxQ4vVhWR/KNk9SEc6AbZSqJXwmlY/vReOA+ pvPCdLYJ7Wf+S9kr1i1xT1y078Iqz2twASWBjBnP/adGQtKpn9SvKUEz ICTaNA==

;; Query time: 0 msec
;; SERVER: 10.0.2.46#53(debian12.ittraining.loc) (UDP)
;; WHEN: Sun Dec 07 14:05:25 CET 2025
;; MSG SIZE  rcvd: 423

3.9 - The DNS Chain of Trust

Create the DS record from the KSK public key. The -2 option selects a SHA-256 digest (digest type 2). dnssec-signzone already wrote the same record to dsset-ittraining.loc. when the zone was signed, which gives a quick consistency check:

root@debian12:/etc/bind/zones# dnssec-dsfromkey -2 Kittraining.loc.+008+63515.key
ittraining.loc. IN DS 63515 8 2 909F3FC8A2B34083B1268C0FE7FDAA851252626CDCDF4D8B51D97CB98C62FDA4

root@debian12:/etc/bind/zones# ls -l | grep dsset
-rw-r--r-- 1 root bind    99 Dec  7 13:39 dsset-ittraining.loc.

root@debian12:/etc/bind/zones# cat dsset-ittraining.loc. 
ittraining.loc.         IN DS 63515 8 2 909F3FC8A2B34083B1268C0FE7FDAA851252626CDCDF4D8B51D97CB9 8C62FDA4

This DS record would now have to be published in the parent zone, in our case .loc. It carries the key tag (63515), the algorithm (8, RSASHA256), the digest type (2, SHA-256) and the digest of the KSK, 909F3FC8A2B34083B1268C0FE7FDAA851252626CDCDF4D8B51D97CB98C62FDA4. Since .loc is not a delegated TLD there is no parent to publish to: for a registered domain the DS record is submitted through the registrar, and for a private zone like this one a validating resolver must instead be given the DS as a static trust anchor (the trust-anchors statement in BIND 9.18). Without either, other resolvers can fetch the signatures but cannot validate them.
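To make the relationship between the KSK and the DS record concrete, here is an added Python example (not part of the course, and not the code of dnssec-dsfromkey) that performs the same computation: the key tag from RFC 4034 Appendix B, and the digest over the owner name in canonical wire form followed by the DNSKEY RDATA. The page's own key file is not reproduced, so the example runs on the public test vector from RFC 4034, section 5.4 (dskey.example.com, algorithm 5, key tag 60485, SHA-1 digest type 1); digest type 2 is what the -2 option used on the page selects.

```python
import base64
import hashlib
import struct

# Added example (not from the course page): reproduces what
# `dnssec-dsfromkey -2 K<zone>.+008+<tag>.key` computes, so the link between
# the KSK and the DS record published in the parent zone is visible.
#
# The page's KSK is not reproduced here; the code runs on the public test
# vector from RFC 4034, section 5.4 (dskey.example.com, RSASHA1, key id 60485).
RFC4034_KEY_LINE = (
    "dskey.example.com. 86400 IN DNSKEY 256 3 5 "
    "AQOeiiR0GOMYkDshWoSKz9XzfwJr1AYtsmx3TGkJaNXVbfi/"
    "2pHm822aJ5iI9BMzNXxeYCmZDRD99WYwYqUSdjMmmAphXdvx"
    "egXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9Xzc"
    "nOf+EPbtG9DMBmADjFDc2w/rljwvFw=="
)

# DS digest types: 1 = SHA-1, 2 = SHA-256 (the page's -2), 4 = SHA-384.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Owner name in canonical wire form (RFC 4034 6.2): lowercase,
    length-prefixed labels, terminated by the empty root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSAMD5):
    16-bit big-endian sum over the RDATA with the carry folded back in."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS RDATA (RFC 4034 5.1): the digest covers owner name + DNSKEY RDATA,
    which is why a DS pins both the key and the zone it belongs to."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_from_key_line(line, digest_type=2):
    """Parse one presentation-format DNSKEY line as found in a K*.key file
    (TTL and class optional) and return the DS record as a zone-file line."""
    tokens = line.split()
    owner = tokens[0]
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    pubkey_b64 = "".join(tokens[i + 4:])          # key may be split over several tokens
    tag, alg, dtype, digest = ds_from_dnskey(owner, flags, protocol, algorithm,
                                             pubkey_b64, digest_type)
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


if __name__ == "__main__":
    # Same output shape as the page's `dnssec-dsfromkey -2 ...` command.
    print(ds_from_key_line(RFC4034_KEY_LINE, digest_type=1))
    print(ds_from_key_line(RFC4034_KEY_LINE, digest_type=2))
```

Feeding the DNSKEY line from Kittraining.loc.+008+63515.key to ds_from_key_line with digest type 2 must reproduce the record in dsset-ittraining.loc.; a mismatch means the wrong key file was used (the ZSK instead of the KSK) or the dsset file is stale.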

When DNSSEC validation fails, dig returns SERVFAIL. Here the query goes to the local validating resolver (127.0.0.1) for www.dnssec-failed.org, a test domain whose signatures are deliberately broken. A SERVFAIL alone does not prove a DNSSEC problem, since a resolver answers the same way when it cannot reach the authoritative servers; repeating the query with +cd (checking disabled) tells the two apart: if the answer then comes back the data is bogus, if it is still SERVFAIL the failure is upstream.

root@debian12:/etc/bind/zones# dig www.dnssec-failed.org +dnssec

; <<>> DiG 9.18.41-1~deb12u1-Debian <<>> www.dnssec-failed.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42077
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 5321c94da922f6ca010000006935867f45a42de06e00bfa1 (good)
;; QUESTION SECTION:
;www.dnssec-failed.org.         IN      A

;; Query time: 140 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Dec 07 14:51:59 CET 2025
;; MSG SIZE  rcvd: 78
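The following added Python example (not from the course page) encodes the check a practitioner does by hand after a SERVFAIL: run the query once with +dnssec and once with +dnssec +cd (a real dig option that asks the resolver to return data without validating it), then read dig's two header lines to decide between secure, insecure, bogus and unreachable. The sample headers embedded in the code are constructed, modelled on the outputs shown on this page; the function and constant names are the example's own.

```python
import re

# Added example (not code from the course page): classify a DNSSEC lookup
# from dig's text output.  Only the two header lines are needed:
#   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42077
#   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
# It assumes two queries to the same resolver: one with +dnssec (validation
# on) and one with +dnssec +cd (checking disabled).
STATUS_RE = re.compile(r"^;; ->>HEADER<<- .*status: ([A-Z]+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)   # EDNS 'flags: do' line starts with one ';'


def parse_dig_header(output):
    """Return (status, set of header flags) from dig output; raise if absent."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    if status is None or flags is None:
        raise ValueError("no dig header in output")
    return status.group(1), set(flags.group(1).split())


def classify(validating_output, cd_output):
    """
    secure      : NOERROR with the ad flag, the resolver validated the chain
    insecure    : NOERROR without ad, data returned but not validated
                  (unsigned zone, no trust anchor, or an authoritative answer)
    bogus       : SERVFAIL with validation on but an answer with +cd, so the
                  data exists and only the signatures or DS chain fail
    unreachable : SERVFAIL even with +cd, the problem is not DNSSEC
    """
    status, flags = parse_dig_header(validating_output)
    cd_status, _ = parse_dig_header(cd_output)
    if status == "NOERROR":
        return "secure" if "ad" in flags else "insecure"
    if status == "SERVFAIL" and cd_status == "NOERROR":
        return "bogus"
    return "unreachable"


# Constructed sample headers, modelled on the outputs shown on the page.
BOGUS_VALIDATING = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42077
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
BOGUS_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42078
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
AUTHORITATIVE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56632
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
VALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print(classify(BOGUS_VALIDATING, BOGUS_CD))      # bogus
    print(classify(AUTHORITATIVE, AUTHORITATIVE))    # insecure
    print(classify(VALIDATED, VALIDATED))            # secure
```

The authoritative case matters for this lab: the answers from debian12.ittraining.loc earlier carry aa but never ad, so they classify as insecure even though the zone is signed. Only a resolver that holds a trust anchor for ittraining.loc (or for a parent that delegates to it with a DS) can return ad.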

Copyright © 2025 Hugh Norris.