DNS Workshop handout

Caching named

named (BIND) is part of the FreeBSD base system (it ships in contrib), so it is already installed on your machine.

named keeps its files under:

/var/named/

The config file (named.conf) and the zone files are in /var/named/etc/namedb/

To get the caching named working we need to edit named.conf.

Note that the directory layout is described in the comments at the top of the file.

Because we want our customers to use this server, it must answer queries from remote hosts, not only from localhost. Following the instructions in the file, comment out the line:

listen-on { 127.0.0.1; };

Without that line named listens on all IPv4 interfaces. Note that named.conf conventionally uses C++-style // comments (BIND also accepts /* */ and shell-style #).

For the moment we don't need a resolver listening on an IPv6 address (which doesn't mean we can't answer queries about IPv6 hosts), so the listen-on-v6 line can be left as it is.

Scroll down and you'll see the named.root hints file referenced:

zone "." {
    type hint;
    file "named.root";
};


Below the root zone (a hint zone: it does not hold the root zone itself, it tells the name server where the root servers are so it can start resolving) are the reverse zones for the IPv4 and IPv6 localhost addresses. Below those are commented-out example zones of the kinds referred to in the named.conf comments.

Because named is part of the base system, the rc.conf variables that control it are documented in /etc/defaults/rc.conf.

Search for named in that file; the variable you need is named_enable.

Add the appropriate line (named_enable="YES") at the bottom of /etc/rc.conf and named will start at boot.

Once it is enabled you can start it right away by running:

/etc/rc.d/named start

Does it work? Run the following command:

dig @localhost yahoo.com

What did you get back? A working cache returns status: NOERROR with one or more A records in the ANSWER SECTION, and the flags line includes ra (recursion available).

If it worked, you can edit your /etc/resolv.conf to use your local caching name server instead of the one it is currently configured for. Note that once you do this, you have to keep your name server running if you want DNS resolution on this machine to work.

Preventing inappropriate recursion

These days it is common for attackers to abuse open recursive name servers to amplify DoS attacks: a small query with a spoofed source address produces a much larger response aimed at the victim. As a result it is good practice to perform recursive queries only for your own customers.

Edit named.conf.

Before the options section we are going to add an acl (access control list); later we will apply policy to that acl:

acl mynetwork {
    127.0.0.1;
    202.4.34.64/26;
};



Note that you can list as many network blocks or individual IPs as you want, as long as each entry is terminated by a semicolon.

Then in the options section we add:

allow-recursion { mynetwork; };

After doing that, reload or restart the name server. Your server is now much less likely to be an inadvertent participant in a DoS attack.
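The listen-on change from the caching section and the recursion policy above, combined into one named.conf fragment. This is an added example, not the file shipped with FreeBSD or the handout's own text: only the lines relevant to these two exercises are shown, the address block is the classroom 202.4.34.64/26 used elsewhere in this handout, and the WEAK/CORRECT labels are the editor's.

```conf
// Added example: recursion policy for a caching named.
// Everything else in the shipped options {} block stays as it is.

acl mynetwork {
    127.0.0.1;
    202.4.34.64/26;        // assumption: the classroom block is "our customers"
};

options {
    // ... directory, pid-file and the other shipped options ...

    // Commented out, as the exercise says, so named listens on every
    // IPv4 interface instead of only on loopback:
    // listen-on { 127.0.0.1; };

    // WEAK: recursing for everyone makes this server a DoS amplifier.
    // allow-recursion { any; };

    // CORRECT: recurse only for the acl defined above.
    allow-recursion { mynetwork; };
};
```

To check it after rndc reload: from a host inside the acl, dig @202.4.34.X yahoo.com still resolves and the flags line shows ra; from a host outside the acl the flags line has no ra and the name is not resolved for the client. On BIND 9.4 and later allow-query-cache defaults to the same acl as allow-recursion, so outsiders cannot read cached answers either; on older versions they still can, which is another reason to keep the acl tight.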

Setting up a domain

In this exercise, you will create a new domain, _something_.pacnog2.dnsdojo.net. You will run the master name server on your own machine, and someone else will set up their machine as a slave server for your domain. Then you will ask the administrator of the domain above you (pacnog2.dnsdojo.net) to delegate your domain to you.

Firstly, note that each machine in the classroom has been given a working DNS name: pcX.pacnog2.dnsdojo.net. Check that it is configured correctly by using the `hostname` command; e.g. on pc23 you should see:

# hostname
pc23.pacnog2.dnsdojo.net


You should also be able to see your machine's hostname at the login screen on the console:

FreeBSD/i386 (pc23.pacnog2.dnsdojo.net) (ttyv0)

login:



Exercise

Choose a new domain.

(Do not choose any of the pc names, e.g. `pc23`, as your subdomain.)

Check that the directories you need exist. If they don't, create them. named runs as the user bind, and it must be able to write slave zone files, so the slave directory has to be owned by bind:

# mkdir /var/named/etc/namedb/master
# mkdir /var/named/etc/namedb/slave
# chown bind /var/named/etc/namedb/slave


* Find someone who will agree to be slave for your domain. You should choose someone not immediately adjacent to you. (Remember RFC2182: secondaries must be on remote networks). You can have more than one slave if you wish.

Create your zone file in `/var/named/etc/namedb/master/xxxxx.pacnog2.dnsdojo.net.zone` (where xxxxx is your chosen domain):

$TTL 10m
@       IN  SOA pcX.pacnog2.dnsdojo.net. yourname.example.com. (
                2006050800  ; Serial
                10m         ; Refresh
                10m         ; Retry
                4w          ; Expire
                10m )       ; Negative caching TTL
        IN  NS  pcX.pacnog2.dnsdojo.net.    ; master
        IN  NS  pcY.pacnog2.dnsdojo.net.    ; slave
www     IN  A   202.4.34.X                  ; your own IP

The first name in the SOA record (MNAME) is the primary master server for the zone, i.e. your own pcX name, and the second (RNAME) is the responsible person's mail address with the @ replaced by a dot. Lines that start with whitespace belong to the previous owner name, so the two NS records are for the zone apex (@).



Note, we have chosen purposely low values for TTL, refresh, and retry to make it easier to fix problems in the classroom. For a production domain you would use higher values, e.g. `$TTL 1d`

Edit `/var/named/etc/namedb/named.conf` to configure your machine as master for your domain (see slides for information on how to do this).

(Hint) Like the zones we looked at before, it's going to look something like:

zone "example.pacnog2.dnsdojo.net" {
    type master;
    file "master/example.pacnog2.dnsdojo.net.zone";
    allow-transfer { 202.4.34.x; 202.4.34.x; };
};



Check that your config file and zone file are valid, and then reload the name server daemon:

named-checkconf

named-checkzone xxxxx.pacnog2.dnsdojo.net /var/named/etc/namedb/master/xxxxx.pacnog2.dnsdojo.net.zone

(The first argument to named-checkzone is the zone name, the second is the file you just created; it must be the same file name you put in named.conf.)


If there are any errors, correct them, then:

# rndc reload
# tail /var/log/messages

If there are any errors in the log, correct them. Some configuration errors can cause the daemon to die completely, in which case you may have to start it again:

# /etc/rc.d/named restart

Assist your slaves to configure themselves as slave for your domain, and configure yourself as a slave if asked to do so by another table. Again, the instructions for how to do this are on the slides. If you have changed your `named.conf` so that you are a slave for someone else, make sure there are no errors in `/var/log/messages` after you do `rndc reload`.

Check that you and your slaves are giving authoritative answers for your domain:

dig +norec @202.4.34.X xxxxx.pacnog2.dnsdojo.net. soa
dig +norec @202.4.34.Y xxxxx.pacnog2.dnsdojo.net. soa

Check that you get an AA (authoritative answer, shown as aa in the flags line) from both, and that the serial numbers in the two SOA records match. The +norec flag matters: without it a server that is not authoritative could recurse and hand you a correct-looking but non-authoritative answer.

Now you are ready to request delegation. Bring the following information to the classroom instructor:

Domain name: ___________________.pacnog2.dnsdojo.net
Master nameserver: pc____.pacnog2.dnsdojo.net
Slave nameserver: pc____.pacnog2.dnsdojo.net
Slave nameserver: pc____.pacnog2.dnsdojo.net (optional)
Slave nameserver: pc____.pacnog2.dnsdojo.net (optional)

* You will not get delegation until the instructor has checked:

- Your nameservers are all authoritative for your domain
- They all have the same SOA serial number
- The NS records within the zone match the list of servers you are requesting delegation for
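The three checks above, as an added example that is not part of the handout: a Python script that reads saved `dig +norec ... soa` output for each of your servers and reports anything that would block delegation. The dig transcripts embedded in it are constructed for the example; pc23 is the hostname the handout uses and pc30 is an assumed slave.

```python
"""Added example, not from the handout: pre-delegation checks over saved
dig +norec output.  The transcripts below are constructed; in real use you
would paste in the output of the two dig commands from the handout."""
import re

ZONE = "xxxxx.pacnog2.dnsdojo.net"

# Constructed: the master answers authoritatively with serial 2006050800.
DIG_MASTER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; ANSWER SECTION:
xxxxx.pacnog2.dnsdojo.net. 600 IN SOA pc23.pacnog2.dnsdojo.net. yourname.example.com. 2006050800 600 600 2419200 600

;; AUTHORITY SECTION:
xxxxx.pacnog2.dnsdojo.net. 600 IN NS pc23.pacnog2.dnsdojo.net.
xxxxx.pacnog2.dnsdojo.net. 600 IN NS pc30.pacnog2.dnsdojo.net.
"""

# Constructed: the slave still serves yesterday's serial, so it has not
# transferred the zone since the master's last edit.
DIG_SLAVE_STALE = DIG_MASTER.replace("2006050800", "2006050700")

# Constructed: a server that is not authoritative at all (no aa, no SOA).
DIG_NOT_AUTH = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""


def parse_dig(text, zone):
    """Pull out what the instructor looks at in one dig transcript:
    the aa flag, the zone's SOA serial and the NS names returned for it."""
    zone = zone.rstrip(".") + "."
    flags = re.search(r"^;; flags:([^;]*);", text, re.M)
    aa = bool(flags) and "aa" in flags.group(1).split()
    soa = re.search(r"^" + re.escape(zone) + r"\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)",
                    text, re.M)
    ns = re.findall(r"^" + re.escape(zone) + r"\s+\d+\s+IN\s+NS\s+(\S+)", text, re.M)
    return {"aa": aa, "serial": int(soa.group(1)) if soa else None,
            "ns": {n.lower() for n in ns}}


def delegation_check(transcripts, zone, requested_ns):
    """transcripts: {server name: dig output}; requested_ns: the names on the
    delegation form.  Returns a list of problems; empty means you can ask."""
    problems = []
    requested = {n.rstrip(".").lower() + "." for n in requested_ns}
    serials = {}
    for server, text in transcripts.items():
        r = parse_dig(text, zone)
        if not r["aa"] or r["serial"] is None:
            problems.append(f"{server}: not authoritative for {zone}")
            continue
        serials[server] = r["serial"]
        # Only comparable when the server included the zone's NS records.
        if r["ns"] and r["ns"] != requested:
            problems.append(f"{server}: NS records in the zone {sorted(r['ns'])} "
                            f"do not match the delegation request {sorted(requested)}")
    if len(set(serials.values())) > 1:
        problems.append(f"serials differ between servers: {serials}")
    missing = requested - {s.rstrip(".").lower() + "." for s in transcripts}
    if missing:
        problems.append(f"no dig output for requested servers {sorted(missing)}")
    return problems


if __name__ == "__main__":
    servers = {"pc23.pacnog2.dnsdojo.net": DIG_MASTER,
               "pc30.pacnog2.dnsdojo.net": DIG_SLAVE_STALE}
    for p in delegation_check(servers, ZONE, list(servers)):
        print("BLOCKER:", p)
```

The script deliberately refuses to compare NS lists when the response carried none (a server configured with minimal-responses omits the authority section), rather than reporting a false match; in that case query the zone's NS records directly.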

Once you have delegation, try to resolve www.xxxxx.pacnog2.dnsdojo.net:

- On your own machine
- On someone else's machine (who is not slave for you)
- On a machine elsewhere on the Internet, if you have access to one

Add a new resource record to your zone file. Remember to update the serial number. Check that your slaves have updated. Try resolving this new name from elsewhere.
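Two things from the zone file exercise above that are easy to get wrong by hand: reading the BIND time suffixes (10m, 4w) and bumping the serial correctly every time you edit the zone. The following is an added example, not part of the handout; the TTL values and the serial 2006050800 are the handout's own, the sanity rules in check_soa_timers() are the editor's rules of thumb (BIND does not enforce them), and the date-based serial convention is the YYYYMMDDnn scheme the handout's serial follows.

```python
"""Added example, not from the handout: helpers for editing a zone file.

parse_ttl() reads BIND time suffixes, check_soa_timers() applies rules of
thumb to the SOA timers, and next_serial() produces the next YYYYMMDDnn
serial, which is what "remember to update the serial number" means."""
import datetime
import re

SERIAL_MAX = 2**32 - 1      # the SOA serial is a 32-bit unsigned integer


def parse_ttl(text):
    """Convert a BIND TTL ('600', '10m', '4w', '1d12h') to seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    text = text.strip().lower()
    if not re.fullmatch(r"(\d+[smhdw]?)+", text):
        raise ValueError(f"not a BIND TTL: {text!r}")
    return sum(int(n) * units[u or "s"]
               for n, u in re.findall(r"(\d+)([smhdw]?)", text))


def check_soa_timers(refresh, retry, expire):
    """Rules of thumb (editor's, not BIND's) for SOA timers in seconds.
    Returns a list of warnings; empty when the values look sane."""
    warnings = []
    if retry > refresh:
        warnings.append("retry is longer than refresh")
    if expire < refresh + retry:
        warnings.append("expire is shorter than refresh+retry, so a slave "
                        "can expire the zone before it has retried once")
    if expire < 14 * 86400:
        warnings.append("expire is under two weeks (RFC 1912 suggests 2 to 4 weeks)")
    return warnings


def next_serial(current, today=None):
    """Serial to use after an edit, following the YYYYMMDDnn convention.

    today may be a datetime.date or an ISO string such as '2006-05-09'.
      first edit on a new day:  2006050800 -> 2006050900
      second edit, same day:    2006050900 -> 2006050901
      already at nn=99:         2006050999 -> 2006051000 (still increasing;
                                the next day's first edit becomes 2006051001)
      serial somehow ahead of today's date (a typo such as 2060050800):
                                just add one, because a serial that goes
                                backwards never reaches the slaves
    """
    if today is None:
        today = datetime.date.today()
    elif isinstance(today, str):
        today = datetime.date.fromisoformat(today)
    date_base = int(today.strftime("%Y%m%d")) * 100
    candidate = date_base if current < date_base else current + 1
    if candidate > SERIAL_MAX:
        raise ValueError("serial would overflow 32 bits; the zone needs an RFC 1982 wrap")
    return candidate


if __name__ == "__main__":
    # The handout's SOA: refresh 10m, retry 10m, expire 4w, serial 2006050800.
    print(check_soa_timers(parse_ttl("10m"), parse_ttl("10m"), parse_ttl("4w")))
    print(next_serial(2006050800, "2006-05-09"))
```

If a serial ever goes backwards (for example after restoring an old copy of the zone file), the slaves will keep their newer copy until the master's serial passes it again, so the only safe direction is up.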

Reverse

It's generally the case that for address space smaller than a /24 you ask your upstream to provide reverse DNS for you. Why? (Reverse zones are delegated on octet boundaries, so the in-addr.arpa zone for the /24 belongs to whoever holds the whole /24; RFC 2317 describes a way to delegate smaller blocks using CNAMEs, but many upstreams simply manage the PTR records for you.)

For some applications, mail servers in particular, it is highly desirable these days for the name in the PTR record to match the name the machine gives out when connecting to other hosts. This generally means a symmetrical relationship between the A record for the machine and its PTR record. Other machines may not be willing to accept mail from you if your machine announces itself as smtp.huge-company.com but a reverse lookup reveals it to be dyn151.cust5.cable-company.net.

Two tasks:

RFC1918 reverse zones

Your name servers should not be sending in-addr.arpa queries for RFC 1918 space to the root servers. If they are, you are considered a bad citizen: private addresses can never be answered by the public reverse tree, so the queries only load the root and AS112 servers.

The solution is to answer authoritatively (with an empty zone) for the reverse space of the private address ranges.

Edit your named.conf. All of the zones can use the same zone file:

zone "168.192.in-addr.arpa" {
    type master;
    file "master/null.zone";
};

zone "10.in-addr.arpa" {
    type master;
    file "master/null.zone";
};



Also create zones (one per /16, since reverse zones sit on octet boundaries) for the sixteen /16s that make up 172.16.0.0/12:

172.16.0.0/16
172.17.0.0/16
172.18.0.0/16
172.19.0.0/16
172.20.0.0/16
172.21.0.0/16
172.22.0.0/16
172.23.0.0/16
172.24.0.0/16
172.25.0.0/16
172.26.0.0/16
172.27.0.0/16
172.28.0.0/16
172.29.0.0/16
172.30.0.0/16
172.31.0.0/16

Create master/null.zone:

@       SOA localhost. root.localhost. (
            2004022800  ; serial
            8h          ; refresh
            1h          ; retry
            4w          ; expire
            1h )        ; negative TTL
        NS  localhost.

(This file has no $TTL line; BIND will log a warning and use the SOA minimum as the default TTL, which is fine for an empty zone. Add a $TTL line if you want to silence the warning.)

Do an rndc reload. Then check that your own server now answers these itself: dig @localhost -x 10.1.2.3 should come back with status: NXDOMAIN, the aa flag set, and the null zone's SOA in the AUTHORITY SECTION, rather than a timeout or a referral to the root servers.
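The eighteen reverse zones above (10/8, the sixteen /16s of 172.16/12, and 192.168/16) can be enumerated rather than typed. The script below is an added example, not part of the handout: it works out which in-addr.arpa zones cover a prefix, refuses prefixes longer than /24 (the case the Reverse section says to hand to your upstream) and prints named.conf stanzas pointing at the handout's master/null.zone. It also handles prefixes the handout does not list, such as a /22, which needs four /24 zones.

```python
"""Added example, not from the handout: enumerate in-addr.arpa zones for
a set of prefixes and render named.conf stanzas for them.  Reverse zones
live on octet boundaries, which is why 172.16.0.0/12 needs sixteen /16
zones while 10/8 and 192.168/16 need one each."""
import ipaddress

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def _zone_name(address, octets):
    """in-addr.arpa name built from the first `octets` octets, reversed."""
    parts = str(address).split(".")[:octets]
    return ".".join(reversed(parts)) + ".in-addr.arpa"


def enclosing_zone(cidr):
    """The octet-aligned in-addr.arpa zone that contains `cidr`, e.g. the
    /24 zone your upstream is authoritative for when you hold a /26."""
    net = ipaddress.ip_network(cidr, strict=True)
    aligned = (net.prefixlen // 8) * 8           # round down to an octet boundary
    if aligned == 0:
        raise ValueError(f"{cidr} is not inside any in-addr.arpa zone")
    return _zone_name(net.network_address, aligned // 8)


def reverse_zones(cidr):
    """The in-addr.arpa zones that together cover exactly `cidr`.

    Prefixes longer than /24 are refused: that is the classless (RFC 2317)
    case where the holder of the enclosing /24 runs the zone for you."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen == 0:
        raise ValueError("0.0.0.0/0 has no in-addr.arpa zone")
    if net.prefixlen > 24:
        raise ValueError(f"{cidr}: ask whoever runs {enclosing_zone(cidr)} instead")
    aligned = -(-net.prefixlen // 8) * 8         # round up to an octet boundary
    subnets = [net] if aligned == net.prefixlen else net.subnets(new_prefix=aligned)
    return [_zone_name(sub.network_address, aligned // 8) for sub in subnets]


def named_conf_stanzas(prefixes=RFC1918, zone_file="master/null.zone"):
    """Render zone {} stanzas, in the handout's layout, to paste into named.conf."""
    stanzas = []
    for cidr in prefixes:
        for name in reverse_zones(cidr):
            stanzas.append('zone "%s" {\n\ttype master;\n\tfile "%s";\n};'
                           % (name, zone_file))
    return "\n".join(stanzas) + "\n"


if __name__ == "__main__":
    print(named_conf_stanzas(), end="")
```

Run it and append the output to named.conf (or redirect it into a file you include from there), then rndc reload as above. The strict=True in ip_network() makes the script reject a prefix whose host bits are not zero, which catches the typo of writing a host address where a network was meant.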

Second task.

Within the domain you created, add an A record for mail.yourdomain.pacnog2.dnsdojo.net pointing at your machine. Then ask your upstream provider, who is authoritative for the reverse zone covering your machine, to change the PTR record for your machine's address to mail.yourdomain.pacnog2.dnsdojo.net, so that the forward and reverse records match as described above. Check the result with dig -x on your own IP address.