DNS Exercise 2: Setting up a domain
===================================

In this exercise, you will create a new domain, _something_.cctld.pacnog2.dnsdojo.net. You might like to use your ccTLD here, e.g. ws.cctld.pacnog2.dnsdojo.net

You will run the master name service on your own machine, and someone else will be your slave. Then you will ask the administrator of the domain above you (cctld.pacnog2.dnsdojo.net.) to delegate your domain to you.

Firstly, note that each machine in the classroom has been given a working DNS name: pcX.cctld.pacnog2.dnsdojo.net. Check that it is configured correctly by using the `hostname` command - e.g. on pc1 you should see

> # hostname
> pc1.cctld.pacnog2.dnsdojo.net

If not, then configure your server with its name: e.g. for pc1

> # hostname pc1.cctld.pacnog2.dnsdojo.net
> # vi /etc/rc.conf
> ...
> hostname="pc1.cctld.pacnog2.dnsdojo.net"
> # vi /etc/hosts
> ...
> 202.4.34.65 pc1.cctld.pacnog2.dnsdojo.net

(The `hostname` command sets the name for the running system only; the line in /etc/rc.conf makes it survive a reboot.)

You should also be able to see your machine's hostname at the login screen on the console:

> FreeBSD/i386 (pc1.cctld.pacnog2.dnsdojo.net) (ttyv0)
>
> login:

Exercise
--------

* Choose a new domain, write it here: `___________________.cctld.pacnog2.dnsdojo.net`

  (Do not choose any of the pc names, e.g. `pc1`, as your subdomain.) We recommend your ccTLD (e.g. ws, ki, to, vu, tv, sb).

* Check that the directories you need exist. If they don't, create them:

      # mkdir /var/cctld/master
      # mkdir /var/cctld/slave
      # chown bind /var/cctld/slave

  The slave directory must be writable by the `bind` user because `named` writes the zones it transfers there; the master directory holds files you edit by hand.

* Find someone who will agree to be slave for your domain. You must choose someone on a DIFFERENT table to you (remember RFC 2182: secondaries should be on remote networks, so that one outage does not take out every server for the zone). You can have more than one slave if you wish.

* Create your zone file in `/var/cctld/master/xxx.cctld.pacnog2.dnsdojo.net` (where xxx is your chosen domain):

> $TTL 10m
> @       IN SOA pcX.cctld.pacnog2.dnsdojo.net. yourname.example.com. (
>                 2006062100  ; Serial
>                 10m         ; Refresh
>                 10m         ; Retry
>                 4w          ; Expire
>                 10m )       ; Negative caching TTL
>
>         IN NS  pcX.cctld.pacnog2.dnsdojo.net.  ; master
>         IN NS  pcY.cctld.pacnog2.dnsdojo.net.  ; slave
>
> www     IN A   202.4.34.X                     ; your own IP

  Replace `yourname.example.com.` with your home e-mail address, changing "@" to "." and adding a "." to the end.

  We have chosen purposely low values for TTL, refresh, and retry to make it easier to fix problems in the classroom. For a production domain you would use higher values, e.g. `$TTL 1d`.

* Edit `/usr/local/etc/named.conf` to configure your machine as master for your domain (see slides for information on how to do this).

* Check that your config file and zone file are valid, and then reload the nameserver daemon:

      # named-checkconf
      # named-checkzone xxx.cctld.pacnog2.dnsdojo.net /var/cctld/master/xxx.cctld.pacnog2.dnsdojo.net

  *If there are any errors, correct them.*

      # rndc reload
      # tail /var/log/messages

  *If there are any errors, correct them.* Some configuration errors can cause the daemon to die completely, in which case you may have to start it again:

      # named

* Assist your slaves to configure themselves as slave for your domain, and configure yourself as a slave if asked to do so by another table. Again, the instructions for how to do this are on the slides. If you have changed your `named.conf` so that you are a slave for someone else, make sure there are no errors in `/var/log/messages` after you do `rndc reload`.

* Check that you and your slaves are giving authoritative answers for your domain:

      # dig +norec @202.4.34.X xxx.cctld.pacnog2.dnsdojo.net. soa
      # dig +norec @202.4.34.Y xxx.cctld.pacnog2.dnsdojo.net. soa

  `+norec` sends the query with recursion disabled, so the server can only answer from zones it holds itself. Check that you get an AA (authoritative answer: the `aa` flag in dig's `;; flags:` line) from both, and that the serial numbers match.

* Now you are ready to request delegation.
  Bring the following form to the classroom instructor:

      Domain name:       ___________________.cctld.pacnog2.dnsdojo.net
      Master nameserver: pc____.cctld.pacnog2.dnsdojo.net
      Slave nameserver:  pc____.cctld.pacnog2.dnsdojo.net
      Slave nameserver:  pc____.cctld.pacnog2.dnsdojo.net (optional)
      Slave nameserver:  pc____.cctld.pacnog2.dnsdojo.net (optional)

* You will not get delegation until the instructor has checked:

  - Your nameservers are all authoritative for your domain
  - They all have the same SOA serial number
  - The NS records within the zone match the list of servers you are requesting delegation for
  - The slave(s) are not on the same table as you

* Once you have delegation, try to resolve www.xxx.cctld.pacnog2.dnsdojo.net:

  - On your own machine
  - On someone else's machine (who is not slave for you)
  - On a machine elsewhere on the Internet, if you have access to one
  - Follow the delegation chain from the root servers down to your NS:

        # dig www.xxx.cctld.pacnog2.dnsdojo.net. A +trace

* Add a new resource record to your zone file. Remember to update the serial number, otherwise your slaves will not notice the change. Check that your slaves have updated. Try resolving this new name from elsewhere.

* Restrict zone transfer based on IP:

  - As master, insert `allow-transfer { 202.4.34.Y; };` in the zone declaration in /usr/local/etc/named.conf (list every slave's address: a slave that is not listed will be refused and will stop updating)
  - As slave, insert `allow-transfer { none; };` in the zone declaration in /usr/local/etc/named.conf
  - Make changes to your zone (increase the serial number and reload the zone)
  - Check that the slave has still transferred the zone file
  - Try to transfer your zone from elsewhere (a machine not listed in `allow-transfer`); the transfer should now be refused:

        # dig @pcX.cctld.pacnog2.dnsdojo.net xxx.cctld.pacnog2.dnsdojo.net. axfr

* Restricting zone transfer based on key, and on IP and key together: to be done on Thursday.
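Before you take the delegation form to the instructor you can run the same check the instructor will run: a non-recursive SOA query against every server, looking for the `aa` flag and a common serial. The script below is an added example, not part of the exercise or the workshop slides. It assumes BIND 9's `dig` output format and uses the exercise's placeholders (xxx, pcX/pcY, 202.4.34.X/Y); the file name `checkdeleg.sh` and the sample replies embedded in it are constructed for illustration, not captured from a classroom server.

```shell
#!/bin/sh
# checkdeleg.sh: pre-delegation self-check. Added example; not part of the
# PacNOG exercise. It issues the same non-recursive SOA query the instructor
# uses (dig +norec @server zone soa) to every listed server and passes only
# when each reply carries the aa flag and all replies carry the same serial.
# Placeholders from the exercise: xxx (your zone), pcX/pcY, 202.4.34.X/Y.

# soa_flags_and_serial: read one dig reply on stdin, print "aa|noaa serial|none".
soa_flags_and_serial() {
    awk '
        BEGIN { aa = "noaa"; serial = "none" }
        # header line, e.g. ";; flags: qr aa; QUERY: 1, ANSWER: 1, ..."
        /^;; flags:/ {
            line = $0
            sub(/^;; flags: /, "", line)
            sub(/;.*$/, "", line)            # keep only the flag words
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "aa") aa = "aa"
        }
        # answer record: zone. ttl IN SOA mname. rname. serial refresh retry expire minimum
        !/^;/ && $3 == "IN" && $4 == "SOA" { serial = $7 }
        END { print aa, serial }
    '
}

# query_soa SERVER ZONE: the real lookup (network). Redefine this function
# with a stub to exercise the logic offline.
query_soa() {
    dig +norec "@$1" "$2." soa
}

# check_delegation_ready ZONE SERVER...: 0 when every server answers
# authoritatively with the same serial, 1 otherwise (reasons go to stderr).
check_delegation_ready() {
    zone=$1; shift
    first=""; status=0
    for server in "$@"; do
        parsed=$(query_soa "$server" "$zone" | soa_flags_and_serial)
        aa=${parsed%% *}; serial=${parsed#* }
        if [ "$aa" != "aa" ]; then
            echo "$server: no aa flag, not authoritative for $zone" >&2; status=1
        fi
        if [ "$serial" = "none" ]; then
            echo "$server: no SOA record in the answer" >&2; status=1
        elif [ -z "$first" ]; then
            first=$serial
        elif [ "$serial" != "$first" ]; then
            echo "$server: serial $serial differs from $first (slave not updated yet?)" >&2; status=1
        fi
    done
    return $status
}

# Constructed sample replies (not captured from a real server) for offline use.
sample_reply_master() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; ANSWER SECTION:
xxx.cctld.pacnog2.dnsdojo.net. 600 IN SOA pcX.cctld.pacnog2.dnsdojo.net. yourname.example.com. 2006062100 600 600 2419200 600
EOF
}
sample_reply_stale_slave() {       # authoritative, but one serial behind
    cat <<'EOF'
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; ANSWER SECTION:
xxx.cctld.pacnog2.dnsdojo.net. 600 IN SOA pcX.cctld.pacnog2.dnsdojo.net. yourname.example.com. 2006062099 600 600 2419200 600
EOF
}
sample_reply_not_auth() {          # a server that only knows a referral
    cat <<'EOF'
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; AUTHORITY SECTION:
xxx.cctld.pacnog2.dnsdojo.net. 600 IN NS pcX.cctld.pacnog2.dnsdojo.net.
EOF
}

# Real use: sh checkdeleg.sh xxx.cctld.pacnog2.dnsdojo.net 202.4.34.X 202.4.34.Y
if [ $# -ge 2 ]; then
    check_delegation_ready "$@" && echo "ready to request delegation"
fi
```

Run it with your zone and the addresses of the master and every slave. A server that answers without `aa` is not configured for the zone at all; a slave whose serial lags the master usually has not transferred the zone yet, so look in /var/log/messages on the slave before asking for delegation.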
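The zone-transfer restriction step refers to the slides for the named.conf syntax. The script below is an added example, not the exercise's or the slides' own code: it prints the master and slave zone declarations with `allow-transfer` set as the step asks, and classifies the output of `dig ... axfr` so you can confirm that a host outside the list is refused. It assumes BIND 9's named.conf syntax and dig output; the file name `xfrlock.sh`, the helper names and the sample dig outputs are constructed for illustration, using the exercise's placeholders (xxx, pcX, 202.4.34.X/Y).

```shell
#!/bin/sh
# xfrlock.sh: zone-transfer lock-down helper. Added example; not from the
# exercise or the slides. zone_stanza prints the BIND 9 zone declarations for
# /usr/local/etc/named.conf with allow-transfer set as the exercise asks, and
# axfr_result classifies the output of "dig @server zone axfr" so you can
# confirm that hosts not listed in allow-transfer are refused.
# Placeholders from the exercise: xxx (your zone), 202.4.34.X (master), 202.4.34.Y (slave).

# zone_stanza ROLE ZONE PEER: ROLE is master (PEER = slave address allowed to
# AXFR) or slave (PEER = master address to transfer from).
zone_stanza() {
    role=$1 zone=$2 peer=$3
    case $role in
    master)
        cat <<EOF
zone "$zone" {
    type master;
    file "/var/cctld/master/$zone";
    allow-transfer { $peer; };    // only the listed slave may pull the zone
};
EOF
        ;;
    slave)
        cat <<EOF
zone "$zone" {
    type slave;
    file "/var/cctld/slave/$zone";
    masters { $peer; };
    allow-transfer { none; };     // nobody may pull a copy from the slave
};
EOF
        ;;
    *)
        echo "zone_stanza: role must be master or slave" >&2
        return 2
        ;;
    esac
}

# axfr_result: read dig's AXFR output on stdin and print "refused" or
# "transferred N" (N = records printed; dig shows the SOA twice, at the start
# and the end of the transfer, so a 4-record zone prints 5 lines).
axfr_result() {
    awk '
        /^; Transfer failed\./ { refused = 1 }     # what dig prints when refused
        !/^;/ && NF >= 4 && $3 == "IN" { n++ }
        END { if (refused) print "refused"; else print "transferred", n + 0 }
    '
}

# query_axfr SERVER ZONE: the real transfer attempt (network).
query_axfr() {
    dig "@$1" "$2." axfr
}

# check_transfer_refused SERVER ZONE: 0 when SERVER refuses us the zone.
check_transfer_refused() {
    [ "$(query_axfr "$1" "$2" | axfr_result)" = "refused" ]
}

# Constructed sample dig outputs (not captured from a real server).
sample_axfr_refused() {
    cat <<'EOF'
; <<>> DiG 9 <<>> @pcX.cctld.pacnog2.dnsdojo.net xxx.cctld.pacnog2.dnsdojo.net. axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
EOF
}
sample_axfr_ok() {
    cat <<'EOF'
;; global options: +cmd
xxx.cctld.pacnog2.dnsdojo.net. 600 IN SOA pcX.cctld.pacnog2.dnsdojo.net. yourname.example.com. 2006062101 600 600 2419200 600
xxx.cctld.pacnog2.dnsdojo.net. 600 IN NS pcX.cctld.pacnog2.dnsdojo.net.
xxx.cctld.pacnog2.dnsdojo.net. 600 IN NS pcY.cctld.pacnog2.dnsdojo.net.
www.xxx.cctld.pacnog2.dnsdojo.net. 600 IN A 202.4.34.X
xxx.cctld.pacnog2.dnsdojo.net. 600 IN SOA pcX.cctld.pacnog2.dnsdojo.net. yourname.example.com. 2006062101 600 600 2419200 600
;; Query time: 1 msec
;; XFR size: 5 records (messages 1, bytes 241)
EOF
}

# Real use, from a machine NOT listed in allow-transfer:
#   sh xfrlock.sh pcX.cctld.pacnog2.dnsdojo.net xxx.cctld.pacnog2.dnsdojo.net
if [ $# -eq 2 ]; then
    if check_transfer_refused "$1" "$2"; then
        echo "$1 refuses AXFR of $2: lock-down works"
    else
        echo "$1 still hands out $2 to this host" >&2
        exit 1
    fi
fi
```

`zone_stanza` writes the declarations to stdout; paste them into named.conf and run `rndc reload`, then bump the serial and confirm the slave still picks up the zone. The master's list must contain every slave, since an unlisted slave is refused exactly like an outsider; `allow-transfer` only governs AXFR/IXFR, so ordinary queries keep working from anywhere.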