CDOT Wiki β

OPS535-L2

6,281 bytes added, 11:55, 16 May 2018

Undo revision 134038 by Peter.callaghan (talk)
[[Category:OPS535]][[Category:rchan]]
= Overview =
In this lab, you are going to build a primary name server for your assigned DNS domain using the BIND package on your VM1 running CentOS 7.x. A primary name server does not depend on having access to other name servers in order to function.
== Forward lookup zone file ==
* File name: my-zone.txt
* Directory: /var/named (or /var/named/chroot/var/named with "chroot" activated)
* Sample contents:
<pre>
</pre>
Please note that you must have an SOA record, NS record(s), and one A record for each of your VMs in the forward lookup zone file, and:
* the SOA record should contain the FQDN of your primary DNS server and the email address of the person responsible for managing the DNS domain name space.
* the NS record(s) should contain the FQDN for your authoritative DNS server(s).
* each A record (address record) should contain the FQDN (or host name) of each VM and its corresponding IP address.
== Reverse lookup zone file ==
* File name: rev-zone.txt
* Directory: /var/named (or /var/named/chroot/var/named with "chroot" activated)
* Sample contents:
<pre>
$TTL 86400
@ IN SOA vm1.mydomain.net. root.mydomain.com. (42 3H 15M 1W 1D)
@ IN NS vm1.mydomain.net.
2.99.168.192.in-addr.arpa. IN PTR vm1.mydomain.net.
3.99.168.192.in-addr.arpa. IN PTR vm2.mydomain.net.
4.99.168.192.in-addr.arpa. IN PTR vm3.mydomain.net.
...
</pre>
 
* each PTR record should contain the FQDN and the corresponding IP address in reverse dotted-decimal notation (e.g. use 53.99.168.192.in-addr.arpa. for IP address 192.168.99.53)
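The rule above (one PTR record per A record, with the address written in reverse dotted-decimal form) is mechanical, so it can be generated from the forward zone instead of typed by hand, which keeps the two files from drifting apart and avoids the mismatched nslookup results the test section asks you to hunt down. The script below is an added example and is not part of the lab or of the BIND package; the function names gen_ptr_records and missing_ptrs, the cp.net sample zone and the convention of passing the zone origin as an argument (the script does not read $ORIGIN) are its own assumptions.

```shell
#!/bin/sh
# Added example (not part of the OPS535 lab page): derive the PTR records of the
# reverse lookup zone from the A records of the forward lookup zone.
# Assumes BIND-style zone syntax with one record per line
# ("owner [ttl] [IN] A address"); the origin is passed as an argument.

# gen_ptr_records ORIGIN < forward-zone-file
# Prints one "d.c.b.a.in-addr.arpa. IN PTR fqdn." line per IPv4 A record.
gen_ptr_records() {
    awk -v origin="$1" '
        { sub(/;.*/, "") }                       # drop comments
        /^[ \t]*$/ { next }                      # skip blank lines
        /^\$/ { next }                           # skip $TTL / $ORIGIN directives
        {
            # a line starting with whitespace reuses the previous owner name
            if ($0 ~ /^[ \t]/) owner = last; else { owner = $1; last = $1 }
            for (i = 1; i < NF; i++) {
                if ($i == "A" && $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    ip = $(i + 1)
                    # qualify relative owner names against the origin
                    if (owner == "@") fqdn = origin "."; else if (owner ~ /\.$/) fqdn = owner; else fqdn = owner "." origin "."
                    split(ip, o, ".")
                    # reverse dotted-decimal: 192.168.99.53 -> 53.99.168.192
                    printf "%s.%s.%s.%s.in-addr.arpa. IN PTR %s\n", o[4], o[3], o[2], o[1], fqdn
                }
            }
        }'
}

# missing_ptrs ORIGIN FORWARD_ZONE REVERSE_ZONE
# Prints every PTR record the reverse zone lacks; exit status 1 if any.
missing_ptrs() {
    missing=$(gen_ptr_records "$1" < "$2" | while read -r rev _ _ fqdn; do
        grep -q "^$rev[[:space:]].*PTR[[:space:]]*$fqdn" "$3" || echo "$rev IN PTR $fqdn"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample forward zone (the lab's cp.net example, shortened).
sample_zone='$TTL 300
@ IN SOA pri.cp.net. root.cp.net. ( 20151111 1h 15m 3d 10m )
     IN NS pri.cp.net.
pri  IN A 192.168.99.53
www  IN A 192.168.99.80
mail IN A 192.168.99.25'

# First line printed: 53.99.168.192.in-addr.arpa. IN PTR pri.cp.net.
printf '%s\n' "$sample_zone" | gen_ptr_records cp.net
```

Typical use on the server is gen_ptr_records mydomain.net < /var/named/my-zone.txt appended to rev-zone.txt after its own $TTL, SOA and NS lines have been written, and missing_ptrs mydomain.net my-zone.txt rev-zone.txt before each reload to catch a VM that was added to the forward zone only.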
== BIND configuration file ==
* File name: named.conf
* Directory: /etc (or in /var/named/chroot/etc with "chroot" activated)
* Configure the following major options:
** listen-on: port 53 and all network interfaces
** directory: /var/named
** allow-query: any
** recursion: no
** dnssec-enable: yes
** dnssec-validation: no
** dnssec-lookaside: auto
* Add two zone statements: one points to the forward lookup zone file "my-zone.txt", and the other points to the reverse lookup zone file "rev-zone.txt".
<pre>
zone "mydomain.net" IN {
    type master;
    file "my-zone.txt";
    allow-update { none; };
};

zone "99.168.192.in-addr.arpa" {
    type master;
    file "rev-zone.txt";
    allow-update { none; };
};
</pre>
= Running and testing the DNS server =
* Make sure that you have "named-chroot.service" enabled.
* Start the "named" service: systemctl start named-chroot.service
* Check the status of the "named" service: systemctl status named-chroot.service. Make sure the "named-chroot" service is active and running.
* If the "named" service failed to start, check for typos or syntax errors in the BIND configuration file /etc/named.conf and your forward and reverse lookup zone files. There are two utilities provided by the "bind" package. They are called "named-checkconf" and "named-checkzone", and both are in the /usr/sbin directory.
** named-checkconf can be used to check for typos or syntax errors in named.conf.
** named-checkzone can be used to check for typos or syntax errors in your zone files.
Please check out the man pages for details.
== Verify that your DNS server is running ==
* Use the "ss" command or the "netstat" command - what information should you look for?
== Test the correctness of your DNS server's responses ==
* Create the directory "/root/lab2" for storing lab2 files.
* <font color='blue'><b>Use the nslookup DNS client command line utility to query your DNS server for SOA, NS, A, and PTR resource records.</b></font> Capture the DNS query commands and their corresponding outputs to a file named "/root/lab2/[student-id]-lab2-test-output.txt".
* Review the output of each DNS query result and compare it with the expected value as derived from the corresponding DNS resource record in the zone file. If there is any mismatch, employ your troubleshooting skills to fix it. As an example, if an authoritative DNS server with IP address 192.168.99.53 has the cp.net zone file:
<pre>
$TTL 300
@ IN SOA pri.cp.net. root.cp.net. (
        20151111 ; serial
        1h       ; refresh
        15m      ; retry
        3d       ; expire
        10m )    ; minimum
     IN NS pri.cp.net.
pri  IN A 192.168.99.53
www  IN A 192.168.99.80
mail IN A 192.168.99.25
co   IN A 192.168.99.153
rns  IN A 192.168.99.253
</pre>
* The query for the SOA record using the nslookup command "nslookup -query=SOA cp.net 192.168.99.53" should yield the following result:
<pre>
[root@pri named]# nslookup -query=SOA cp.net 192.168.99.53
Server:         192.168.99.53
Address:        192.168.99.53#53

cp.net
        origin = pri.cp.net
        mail addr = root.cp.net
        serial = 20151111
        refresh = 3600
        retry = 900
        expire = 259200
        minimum = 600
</pre>
* The query for the NS record using the nslookup command "nslookup -query=NS cp.net 192.168.99.53" should yield the following result:
<pre>
[root@pri named]# nslookup -query=NS cp.net 192.168.99.53
Server:         192.168.99.53
Address:        192.168.99.53#53

cp.net  nameserver = pri.cp.net.
</pre>
* The query for the A record for mail.cp.net using the nslookup command "nslookup -query=A mail.cp.net. 192.168.99.53" should yield the following result:
<pre>
[root@pri named]# nslookup -query=A mail.cp.net 192.168.99.53
Server:         192.168.99.53
Address:        192.168.99.53#53

Name:   mail.cp.net
Address: 192.168.99.25
</pre>
== Capture and study the DNS query traffic ==
* Run the appropriate "tcpdump" command on your DNS server to capture all DNS query and response packets to a file, and name the tcpdump packet file [student-id]-lab2-dns-packet. While tcpdump is running on your DNS server, repeat all the DNS queries (SOA, NS, A, PTR) on your host. If you have a firewall (iptables or firewalld) running on your DNS server, make sure that the DNS port is opened on the firewall.
* Possible tcpdump command: "tcpdump -i eth0 host 192.168.99.53 and port 53 -w rchan-lab2-dns-packet"
* Please read the tcpdump file with the "-r" flag to verify that the targeted packets were captured to the file.
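Before starting named-chroot.service it is worth checking that named.conf really carries the option values listed in the BIND configuration file section, and in particular that recursion is off: an authoritative-only server that accepts queries from anyone (allow-query any) while still recursing is an open resolver, which lets any host on the network resolve arbitrary names through it and is a well-known amplification vector. The script below is an added example, not part of the lab or of the BIND package; option_value, check_named_conf and run_bind_checks are its own names, it assumes the one-option-per-line layout used in the lab (a multi-line allow-query block is not parsed), and named-checkconf is only invoked when the bind utilities are installed.

```shell
#!/bin/sh
# Added example (not part of the OPS535 lab page): a pre-flight check for the
# named.conf of an authoritative-only server. Reads the option values the lab
# asks for and refuses a file in which "allow-query { any; }" is combined with
# recursion enabled (an open resolver). Assumes one option per line.

# option_value FILE NAME
# Prints the value of "NAME value;" from the options { } block, or nothing.
option_value() {
    awk -v name="$2" '
        { sub(/(\/\/|#).*/, "") }                    # drop comments
        /^[ \t]*options[ \t]*\{/ { inopt = 1; next }  # enter the options block
        inopt && /^[ \t]*\}/     { inopt = 0 }        # leave it at the closing brace
        inopt && $1 == name {
            v = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", v)        # strip the option name
            sub(/;[ \t]*$/, "", v)                    # strip the trailing ;
            gsub(/[ \t]+/, " ", v)
            print v; exit
        }' "$1"
}

# check_named_conf FILE
# Prints one line per problem; exit status 0 only when nothing was found.
check_named_conf() {
    conf="$1"; rc=0
    recursion=$(option_value "$conf" recursion)
    allow_query=$(option_value "$conf" allow-query)
    directory=$(option_value "$conf" directory)
    listen=$(option_value "$conf" listen-on)
    dnssec_enable=$(option_value "$conf" dnssec-enable)
    dnssec_validation=$(option_value "$conf" dnssec-validation)

    # BIND recurses by default, so an unset value counts as enabled
    if [ "$recursion" != "no" ]; then
        case "$allow_query" in
            *any*) echo "FAIL: recursion '${recursion:-unset}' with allow-query any: open resolver" ;;
            *)     echo "FAIL: recursion should be 'no' on an authoritative-only server" ;;
        esac
        rc=1
    fi
    [ "$directory" = '"/var/named"' ] || { echo "FAIL: directory is ${directory:-unset}, expected \"/var/named\""; rc=1; }
    [ "$listen" = "port 53 { any; }" ] || { echo "FAIL: listen-on is '${listen:-unset}', expected 'port 53 { any; }'"; rc=1; }
    [ "$dnssec_enable" = "yes" ] || { echo "FAIL: dnssec-enable should be yes"; rc=1; }
    [ "$dnssec_validation" = "no" ] || { echo "FAIL: dnssec-validation should be no"; rc=1; }
    # every master zone should refuse dynamic updates (count-based heuristic)
    masters=$(grep -c 'type[[:space:]]*master' "$conf" || true)
    locked=$(grep -c 'allow-update[[:space:]]*{[[:space:]]*none' "$conf" || true)
    [ "$masters" -le "$locked" ] || { echo "FAIL: $masters master zone(s) but only $locked with allow-update { none; }"; rc=1; }
    return $rc
}

# run_bind_checks FILE [CHROOT_DIR]
# named-checkconf -z also test-loads every master zone named in FILE, which
# covers what named-checkzone would report. Skipped when bind is not installed.
run_bind_checks() {
    if ! command -v named-checkconf >/dev/null 2>&1; then
        echo "note: named-checkconf not installed, skipping BIND syntax checks"
        return 0
    fi
    if [ -n "$2" ]; then named-checkconf -t "$2" -z "$1"; else named-checkconf -z "$1"; fi
}

# Constructed sample in the lab's layout: what /etc/named.conf should contain.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    recursion no;
    dnssec-enable yes;
    dnssec-validation no;
    dnssec-lookaside auto;
};
zone "mydomain.net" IN {
    type master;
    file "my-zone.txt";
    allow-update { none; };
};
zone "99.168.192.in-addr.arpa" {
    type master;
    file "rev-zone.txt";
    allow-update { none; };
};
EOF
check_named_conf "$sample_conf" && echo "OK: sample passes the lab checks"
rm -f "$sample_conf"
# On the server: run_bind_checks /etc/named.conf /var/named/chroot
```

The awk parser is deliberately simple: it only looks at the options block and at the first token of each line, so it cannot be fooled by a zone-level allow-query, and a stray typo that named-checkconf would reject still shows up because run_bind_checks is the last step, not the only one.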
= Completing the Lab =
* You should have the directory /root/lab2 on your DNS server.
* Make a copy of the DNS server configuration file "named.conf" in the /root/lab2 directory and name it "[student-id]-named.conf.txt".
* Copy your forward lookup zone file "my-zone.txt" to the /root/lab2 directory as [student-id]-my-zone.txt.
* Copy your reverse lookup zone file "rev-zone.txt" to the /root/lab2 directory as [student-id]-rev-zone.txt.
* Upload the following files in the "/root/lab2" directory to Blackboard by the due date:
** /root/lab2/[student-id]-named.conf.txt
** /root/lab2/[student-id]-my-zone.txt
** /root/lab2/[student-id]-rev-zone.txt
** /root/lab2/[student-id]-lab2-test-output.txt
** /root/lab2/[student-id]-lab2-dns-packet