Part 1 - Recursive DNS
Part 2 - Authoritative DNS
Part 3 - Reverse DNS
Part 4 - Secure Zone Transfer and RNDC
DNS Diagram
For reference, these are the IP address assignments for the servers:
Both will be configured as recursive and authoritative DNS servers as part of this lab.
Part 1 - Recursive DNS
A Recursive DNS server, also known simply as a resolver, answers DNS queries by sending iterative queries until it receives an answer or an error. In this lab, you will set up a resolver using BIND 9.
There are 3 steps in this part:
- Step 1 - Install and Verify BIND
- Step 2 - Configure Recursive DNS Server
- Step 3 - Resolving Domains
Step 1 - Install and Verify BIND
For this lab, BIND 9 has already been installed, so this step only requires you to verify that it is running and to familiarize yourself with the BIND commands.
1. Select primarydns and log in to the machine.
username : username
password : password
2. The following commands would install BIND and other utilities using APT, Ubuntu's package manager. This step has already been completed.
3. Check where BIND is installed and note the version.
4. It should show that named is located in /usr/sbin/named and running BIND version 9.18.30 for Ubuntu 22.04.
5. Check if BIND is running.
Check that you see the bind process running.
You may use bind9 instead of named as follows. This is an alias defined in the service file /lib/systemd/system/named.service.
If the service is not currently running, start as follows:
Confirm that you see the status as active (running).
6. Check the configuration file.
The main config folder used by BIND is /etc/bind.
Check the contents of this folder. It already contains default configuration and zone files from the installation.
Check the config file.
The main configuration file is named.conf which includes a few files:
- named.conf.options - contains global configuration options
- named.conf.local - add custom zones and zone-specific config
- named.conf.default-zones - zone statements for localhost, forward and reverse zones per RFC1912
7. Check the logs and notice if there are any errors. Open a new tab in the Terminal, and run the command:
The zone files should load correctly with no issues.
8. Open secondarydns and do the same steps above. Make sure to confirm that BIND is running without errors. Note that the configuration file may be in a subfolder in /etc/bind.
From the secondarydns:
Step 2 - Configure Recursive DNS Server
Now that you are familiar with the lab setup and BIND 9 is running, we can proceed with configuring the server as a resolver.
1. Open primarydns. Go to the BIND directory, open a new tab in the terminal window and type the following command:
For this version of BIND, a copy of the root hints file can be found in /usr/share/dns/root.hints.
Check the contents of this file. It should have NS, A, AAAA records for each rootserver.
For example, the records for a.root-servers.net are shown as follows:
To download a fresh copy of the hints file manually, go to https://www.internic.net/domain/named.root or check the IANA website for all root files https://www.iana.org/domains/root/files.
3. Update the BIND configuration file. First, open named.conf.options and check the directory path and update as needed.
The options statement defines global settings and parameters used by the nameserver. Update or add the line starting with "directory" within the options clause, and point to the /var/cache/bind folder. This is the default location of relative filenames defined in the config.
4. Still in named.conf.options config file, add the following line to set recursion.
Note that this is also the default, so this line may be omitted. However, it is recommended to add it so you can quickly disable recursion if needed by setting it to no.
5. Still in named.conf.options config file, create an access-list clause to allow queries only from the local network.
From the options clause, add the following
After the last 3 instructions, the config file should look as follows:
Exit and save the file using :wq
6. Next, open named.conf.default-zones and update the recursive name server configuration.
Press i to insert text.
A zone statement is used to define a zone. We will use this further to define default and authoritative zones later. For this part, update the zone statement that explicitly defines the hints file. As explained previously, this is optional since most DNS software will load the hints automatically.
To save and exit, press ESC key and type :wq
7. In the same named.conf.default-zones file, check that the localhost forward and reverse zones are added. This indicates that the server is authoritative for localhost forward and reverse zones.
Also check that the broadcast zones are added:
8. Check the zone files in the same directory.
Confirm that the corresponding zone files (db.local, db.127, db.0 and db.255) referenced in the zone statements in previous step can be found in /etc/bind folder. These were automatically created during BIND install.
Let's check one of the zone files.
(Optional) Update the serial and the timing parameters as below. Press i to insert text.
To save and exit, press ESC key and type :wq
9. Open named.conf.options and check that the logging option has been configured.
If not added yet, add the following logging statement at the end of the file (outside of the options statement).
This tells named to write its logs to the bind.log file instead of the default syslog. You may also create multiple channels and assign categories to separate channels.
10. Confirm that the configuration file has no error.
If successful, there should be no output and it will just show the next prompt.
11. We can now run BIND with the new or updated configuration.
Verify that there are no errors in the log file:
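As an added example (not a file from the lab), this shell function writes a named.conf.options that puts steps 3 to 9 together: the directory, recursion, an ACL that limits queries and recursion to the local network, and a dedicated log file. The network, the ACL name "trusted" and the log path /var/log/named/bind.log are assumptions; adjust them to the lab's addressing.

```shell
# Write a resolver named.conf.options that only serves the local network.
# $1 = output path (e.g. /etc/bind/named.conf.options)
# $2 = local network allowed to use the resolver (e.g. 192.168.1.0/24, assumed)
write_resolver_options() {
  out="$1"; net="$2"
  cat > "$out" <<EOF
acl "trusted" {
    127.0.0.0/8;
    $net;
};

options {
    directory "/var/cache/bind";
    recursion yes;
    // A resolver reachable by anyone can be used for reflection; answer
    // and recurse only for the networks you operate.
    allow-query { trusted; };
    allow-recursion { trusted; };
};

logging {
    channel bind_log {
        // assumed path; Ubuntu's AppArmor profile permits writes under /var/log/named
        file "/var/log/named/bind.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category queries { bind_log; };
    category default { bind_log; };
};
EOF
}

# Syntax-check the generated file, as step 10 does, when the tool is present.
check_options() {
  if command -v named-checkconf >/dev/null 2>&1; then
    named-checkconf "$1"
  else
    echo "named-checkconf not installed; skipping syntax check"
  fi
}
```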
12. (OPTIONAL) Configure the secondary DNS as recursive. Open secondarydns and do the same steps as above.
First update named.conf.options to add directory and set recursion to yes.
Update named.conf.options to update logging.
If not added yet, add the following logging statement at the end of the file (outside of the options statement).
Check that there are no syntax errors in the config file.
Then restart the BIND service.
Download a copy of the root hints file.
Then update named.conf.default-zones to add the zone statement for hints.
Type :wq to exit.
Then restart BIND.
Step 3 - Resolving Domains
1. Open primarydns. Test the recursive name server to get an A and AAAA record for any domain.
Let's try to resolve www.academy.apnic.net. What is the IP address?
2. (Optional) Update the nameserver configuration.
In Linux systems that use systemd, /etc/resolv.conf points to the local stub resolver 127.0.0.53.
To update, open /etc/systemd/resolved.conf and update the line starting with DNS=
If this is not updated yet, set DNS to the local IP address of the primary server.
Restart systemd-resolved
3. Now that the machine is using your resolver, you may simply run dig without the @ parameter.
4. Try to resolve other domains on the Internet.
To find an A record:
To find the nameservers of a domain:
5. Since we are logging queries, you can also see these in the logs.
6. Login to secondarydns and try to resolve domains.
Part 2 - Authoritative DNS
An Authoritative DNS server answers user queries for the zones it is authoritative for. It can be configured to be authoritative for one or more zones.
There are 2 steps in this part:
- Step 1 - Configure the Primary DNS Server
- Step 2 - Configure the Secondary DNS Server
Step 1 - Configure the Primary DNS Server
1. Open primarydns. Go to the master directory where our custom zonefiles will be added.
If the directory doesn't exist, you can create it with this command
2. For this lab, we will use the domain herdiansah-lab.xyz.
Create a zone file for your domain in the directory. Add the necessary resource records, such as NS, A, TXT and MX records.
Add the following content to the zonefile db.herdiansah-lab for the SOA record and NS record.
Press i to insert text
3. Add a few more resource records.
To do this, open the file db.herdiansah-lab again to add the following lines. Be creative and add records for typical services that you find in a network, such as mail, authentication, file server etc.
To save and exit, press ESC key and type :wq
Check for any errors.
If successful, the output shows
If the output shows an error, check the db file again and fix.
4. Update the configuration file and add a zone statement for the new zone. Please note that the primary zone is of type "master" while a secondary zone is of type "slave".
Press i to insert text
Add the following content:
To save and exit, press ESC key and type :wq
Check for errors and fix if needed.
5. Run the BIND service.
Then check the log file
If successful, you should see the following lines in the log. Make sure it shows the latest serial.
6. Once BIND is running, open another terminal and do some basic test using DNS tools like dig.
Check the A record for the webserver. Notice that by default, the query looks for the A record.
Check the SOA record and note the serial is correct.
Check the mail servers for the domain. Here we use the -t argument to specify the resource record type.
As in previous part, you should be able to run the dig command without specifying the resolver IP.
Step 2 - Configure the Secondary DNS Server
1. Open secondarydns. Add the same zone. The secondary DNS will also be authoritative for this zone.
First, create a folder in the working directory where the zone files will be dumped from the master.
Then update the configuration file to add the zone statement for herdiansah-lab.xyz.
Make sure the type is slave. Also specify the IP address of the primary server.
2. Restart BIND to reload the updated config.
Also open another tab to check the logs.
Confirm that the log shows Transfer status: success
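The zone statements for both roles, as an added example rather than the lab's own configuration. It goes one step beyond the lab's statement by limiting AXFR on the primary to the secondary's address with allow-transfer, so that the zone cannot be pulled by arbitrary clients; the IPs and file paths are constructed placeholders. BIND 9.18 also accepts "type primary"/"type secondary" and "primaries" as synonyms for the master/slave/masters keywords used here.

```shell
# Zone statement for the primary: type master, transfers only to $3.
# $1 = zone name, $2 = zone file path, $3 = secondary's IP address
primary_zone_stmt() {
  zone="$1"; file="$2"; secondary_ip="$3"
  cat <<EOF
zone "$zone" {
    type master;
    file "$file";
    allow-transfer { $secondary_ip; };
    notify yes;
};
EOF
}

# Zone statement for the secondary: type slave, pulling from $3.
# $1 = zone name, $2 = zone file path, $3 = primary's IP address
secondary_zone_stmt() {
  zone="$1"; file="$2"; primary_ip="$3"
  cat <<EOF
zone "$zone" {
    type slave;
    file "$file";
    masters { $primary_ip; };
};
EOF
}

# Append the statement for this server's role to named.conf.local and
# syntax-check the result when named-checkconf is installed.
# $1 = config file, $2 = primary|secondary, $3 = zone, $4 = file, $5 = peer IP
add_zone_stmt() {
  conf="$1"; role="$2"; zone="$3"; file="$4"; peer="$5"
  case "$role" in
    primary)   primary_zone_stmt "$zone" "$file" "$peer" >> "$conf" ;;
    secondary) secondary_zone_stmt "$zone" "$file" "$peer" >> "$conf" ;;
    *) echo "role must be primary or secondary" >&2; return 1 ;;
  esac
  if command -v named-checkconf >/dev/null 2>&1; then named-checkconf "$conf"; fi
}
```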
3. Open primarydns and update the authoritative servers in the zonefile.
Press i to insert text
Add the secondary DNS in the next line after the primary.
The record should look as follows:
Then add an A record for ns2.
Increment the serial to signify that the content of this zone file has been updated. The secondary DNS will compare this value with its local copy before pulling the new zone file.
To save and exit, press ESC key and type :wq
Check for any errors and fix.
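For the zone file built in Step 1 and the serial increment in the step above, here is an added example (not the lab's own file or commands): a constructed zone for herdiansah-lab.xyz using the 192.0.2.0/24 documentation addresses as placeholders, a function that bumps the SOA serial in the common date-plus-counter form, and the named-checkzone check the lab runs after each edit.

```shell
# Constructed zone file for herdiansah-lab.xyz in the lab's layout; the
# addresses are placeholders from the 192.0.2.0/24 documentation range.
write_example_zone() {
  cat > "$1" <<'EOF'
$TTL 86400
@       IN  SOA ns1.herdiansah-lab.xyz. admin.herdiansah-lab.xyz. (
            2024010101  ; serial
            3600        ; refresh
            900         ; retry
            604800      ; expire
            86400 )     ; negative cache TTL
@       IN  NS   ns1.herdiansah-lab.xyz.
@       IN  NS   ns2.herdiansah-lab.xyz.
ns1     IN  A    192.0.2.1
ns2     IN  A    192.0.2.2
www     IN  A    192.0.2.10
@       IN  MX   10 mail.herdiansah-lab.xyz.
mail    IN  A    192.0.2.20
@       IN  TXT  "v=spf1 mx -all"
EOF
}

# Print the SOA serial (the value on the line tagged "; serial").
get_serial() { awk '/; serial/ { print $1; exit }' "$1"; }

# Raise the serial so the secondary notices the change: today's date plus a
# two-digit counter, or old+1 when the serial already carries today's date.
bump_serial() {
  old=$(get_serial "$1"); today=$(date +%Y%m%d)
  case "$old" in
    "$today"*) new=$((old + 1)) ;;
    *)         new="${today}01" ;;
  esac
  # a serial that is already above today's date must still increase
  [ "$new" -gt "$old" ] || new=$((old + 1))
  sed "s/^\([[:space:]]*\)$old\([[:space:]]*; serial\)/\1$new\2/" "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
  echo "$new"
}

# Run named-checkzone when it is installed (as the lab does after each edit).
check_zone() {
  if command -v named-checkzone >/dev/null 2>&1; then named-checkzone "$1" "$2"
  else echo "named-checkzone not installed; skipping"; fi
}
```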
4. Restart BIND
5. Check the logs on both primary and secondary if zone transfer starts and is successful.
The output looks like this from primarydns:
The output looks like this from secondarydns:
Notice that it should show the transfer has started and completed.
6. From the secondarydns, check that the zonefile has been copied.
There should be a file called db.dnslab in this folder. Named dumps the zone content in raw or binary format during zone transfer instead of text format.
7. Use dig to query for authoritative answers from either the primary or secondary DNS.
Apart from the answer, notice the flags in the dig response.
Since the response is directly from the authoritative server, the AA flag is set.
Also check the nameservers for this domain
There should be two nameservers listed (the primary and the secondary).
Their IP addresses are listed in the additional section.
Part 3 - Reverse DNS
So far in Parts 1 & 2, you have been working on Forward DNS. This part focuses on Reverse DNS, which is the mapping from IP addresses to domain names.
There is 1 step in this part:
- Step 1 - Reverse Zone for IPv4
Step 1 - Reverse Zone for IPv4
1. Create the reverse domain for the assigned IPv4 addresses. We have two /24 blocks. The fully-qualified domain names (FQDNs) of their reverse zones are shown below:
2. Configure the server to add the reverse zone for the IP block 85.209.163.0/24.
From the primarydns, add:
At the end of the file, press o and insert the following in a new line.
To save and exit, press ESC key and type :wq
Check for any syntax error and fix.
From the secondarydns, add:
Press i to insert text
To save and exit, press ESC key and type :wq
3. Create the zonefile for db.192.168.1 in the primary DNS.
From the primarydns.
Then add the following content.
Press i to insert text
If you created A records in Part 2, you must also add the corresponding PTR records here.
To save and exit, press ESC key and type :wq
Check for any errors and fix.
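For the reverse zone name in step 1 and the PTR records in step 3, an added example that is not part of the lab: a function that derives the in-addr.arpa name for a block on an octet boundary, and one that turns the forward zone's "ip hostname" pairs into the PTR records of a /24 reverse zone, so PTR and A records stay in step. The SOA values and nameserver names are constructed from the lab's herdiansah-lab.xyz zone.

```shell
# Derive the in-addr.arpa zone name for a /8, /16 or /24 IPv4 block.
reverse_zone_name() {
  case "$1" in
    */24) printf '%s\n' "$1" | awk -F'[./]' '{ print $3 "." $2 "." $1 ".in-addr.arpa" }' ;;
    */16) printf '%s\n' "$1" | awk -F'[./]' '{ print $2 "." $1 ".in-addr.arpa" }' ;;
    */8)  printf '%s\n' "$1" | awk -F'[./]' '{ print $1 ".in-addr.arpa" }' ;;
    *)    echo "use a /8, /16 or /24 prefix; classless blocks are delegated differently" >&2
          return 1 ;;
  esac
}

# Read "ip hostname" pairs (the forward zone's A records) on stdin and print
# the PTR records for one /24, relative to its reverse zone: host octet on
# the left, FQDN with a trailing dot on the right. Other networks are skipped.
# $1 = the first three octets of the block, e.g. 85.209.163
ptr_records_for_24() {
  awk -v net="$1" '
    NF >= 2 {
      n = split($1, o, ".")
      if (n == 4 && o[1] "." o[2] "." o[3] == net)
        printf "%-4s IN  PTR  %s.\n", o[4], $2
    }'
}

# Write a complete reverse zone file: SOA and NS header (constructed values),
# then the PTR records generated from the A records piped in on stdin.
# $1 = output path, $2 = first three octets, $3 = SOA serial
write_reverse_zone() {
  out="$1"; net="$2"; serial="$3"
  {
    printf '$TTL 86400\n'
    printf '@   IN  SOA ns1.herdiansah-lab.xyz. admin.herdiansah-lab.xyz. ( %s 3600 900 604800 86400 )\n' "$serial"
    printf '@   IN  NS   ns1.herdiansah-lab.xyz.\n'
    printf '@   IN  NS   ns2.herdiansah-lab.xyz.\n'
    ptr_records_for_24 "$net"
  } > "$out"
}
```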
4. Restart BIND on both servers.
From primarydns.
From secondarydns.
Like before, always check the logs for errors and make sure the zone has loaded.
5. Check that zone transfer is successful.
Check the logs to see if transfer is successful.
From secondarydns, the zone file should be copied in this directory.
6. Test and execute some dig commands. The -x option is used for reverse lookup.
The answer is a PTR record pointing to ns1.herdiansah-lab.xyz.
You can also query using the FQDN of the IP address.
7. Now create a zone statement for the IP address block 192.168.2.0/24. Let's switch roles and make the secondary server the primary for this zone.
From the secondarydns, add:
Press i to insert text
To save and exit, press ESC key and type :wq
From the primarydns, add:
Press i to insert text
To save and exit, press ESC key and type :wq
Check for any errors and fix.
8. Create the zonefile for db.109.105.194 in the secondary DNS.
From the secondarydns.
Then add the following content.
Press i to insert text
To save and exit, press ESC key and type :wq
Check for errors and fix.
9. Restart BIND on both servers.
From primarydns.
From secondarydns.
Like before, check that the zonefile loaded successfully and there are no errors.
10. Check that zone transfers occurred.
Check the logs to confirm that transfer is successful.
From the primarydns, the file should be copied in this directory.
11. Test and execute some dig commands. The -x option is used for reverse lookup.
From either the primary or secondary DNS, execute the following dig command.