Difference between revisions of "OPS535-L2"
Revision as of 02:35, 19 September 2016
Overview
In this lab, you are going to build a primary name server for your assigned DNS domain using the BIND package on your VM1 running CentOS 7.x. A primary name server does not depend on having access to other name servers in order to function.
Once you have your primary name server running, use command line DNS client tool(s) to test the correctness of your Primary DNS server.
Please check the variable $ROOTDIR in the /etc/sysconfig/named file. It sets the "root" directory for the running BIND process. Make sure that you have the bind-chroot package installed. Once the bind-chroot package is installed and activated, the variable $ROOTDIR will be set to /var/named/chroot. If $ROOTDIR is set to /var/named/chroot, the main BIND configuration file "named.conf" should be in the "/var/named/chroot/etc" directory and all the zone files should be in the "/var/named/chroot/var/named" directory.
Reference
- Text book: Chapter 16 - DNS
- BIND 9 Administrator Reference Manual
Tasks
- Set up an authoritative primary DNS server for your assigned domain and assigned virtual network (i.e. forward lookup zone and reverse lookup zone).
- Test the correctness of your DNS server operation.
- Study the DNS traffic and the DNS query and response packets.
Setup an Authoritative Primary DNS server
- Use the "rpm" command to check the version of the following packages installed on your system. If any of them is not installed, install it now:
- bind-libs-lite
- bind-chroot
- bind
- bind-utils
- bind-license
- bind-libs
- Locate the file called "named.conf"; it should be in either the /etc or the /var/named/chroot/etc directory. If you don't have this file, copy and modify the sample file provided with the bind package (for bind version 9.9.4, the full path of the sample file is /usr/share/doc/bind-9.9.4/sample/etc/named.conf).
- Check out your assigned DNS domain name and assigned network number in Blackboard.
- Create two zone files: forward lookup zone file (for your assigned domain) and reverse lookup zone file (for your assigned network).
Forward lookup zone file
- File name: my-zone.txt
- Directory: /var/named (or /var/named/chroot/var/named with "chroot" activated)
- Sample contents:
    $TTL 86400
    @                   IN SOA  vm1.mydomain.net. root.mydomain.com. (42 3H 15M 1W 1D)
    @                   IN NS   vm1.mydomain.net.
    vm1.mydomain.net.   IN A    192.168.99.2
    vm2.mydomain.net.   IN A    192.168.99.3
    vm3.mydomain.net.   IN A    192.168.99.4
    ...
Please note that you must have the SOA record, the NS record, and one A record for each of your VMs in the forward lookup zone file, and:
- the SOA record should contain the FQDN of your primary DNS server and the email address of the person responsible for managing the DNS domain name space.
- the NS record(s) should contain the FQDN for your authoritative DNS server(s).
- each A record (address record) should contain the FQDN (or host name) of each VM and its corresponding IP address.
Reverse lookup zone file
- File name: rev-zone.txt
- Directory: /var/named (or /var/named/chroot/var/named with "chroot" activated)
- Sample contents:
    $TTL 86400
    @                            IN SOA  vm1.mydomain.net. root.mydomain.com. (42 3H 15M 1W 1D)
    @                            IN NS   vm1.mydomain.net.
    2.99.168.192.in-addr.arpa.   IN PTR  vm1.mydomain.net.
    3.99.168.192.in-addr.arpa.   IN PTR  vm2.mydomain.net.
    4.99.168.192.in-addr.arpa.   IN PTR  vm3.mydomain.net.
    ...
- each PTR record should contain the FQDN and the corresponding IP address in reverse dotted-decimal notation (e.g. use 53.99.168.192.in-addr.arpa. for IP address 192.168.99.53)
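The forward and reverse zones above have to agree with each other: every A record needs a PTR whose owner is the address written in reverse dotted-decimal notation, and a PTR that points at a host with no A record is a sign of a stale zone. The following script is an added example, not part of the lab page or of BIND; it parses the page's two sample zones (embedded as constructed strings) with a small zone-file reader and reports any disagreement. named-checkzone remains the tool that decides whether BIND will load a file; this only checks that the two zones describe the same hosts.

```python
"""Cross-check a forward and a reverse BIND zone file (added example)."""

# The page's sample zones, embedded here as constructed strings.
FORWARD_ZONE = """\
$TTL 86400
@                  IN SOA vm1.mydomain.net. root.mydomain.com. (42 3H 15M 1W 1D)
@                  IN NS  vm1.mydomain.net.
vm1.mydomain.net.  IN A   192.168.99.2
vm2.mydomain.net.  IN A   192.168.99.3
vm3.mydomain.net.  IN A   192.168.99.4
"""

REVERSE_ZONE = """\
$TTL 86400
@                            IN SOA vm1.mydomain.net. root.mydomain.com. (42 3H 15M 1W 1D)
@                            IN NS  vm1.mydomain.net.
2.99.168.192.in-addr.arpa.   IN PTR vm1.mydomain.net.
3.99.168.192.in-addr.arpa.   IN PTR vm2.mydomain.net.
4.99.168.192.in-addr.arpa.   IN PTR vm3.mydomain.net.
"""


def qualify(name, origin):
    """Turn '@' or a relative owner name into a fully qualified name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples for every resource record.

    Handles ';' comments, $TTL, '@', relative names, a record that omits its
    owner (it inherits the previous owner) and a multi-line SOA in parentheses.
    """
    records, last_owner, buf = [], origin, ""
    for raw in text.splitlines():
        raw = raw.split(";", 1)[0].rstrip()
        if not raw.strip():
            continue
        buf = f"{buf} {raw}" if buf else raw
        if buf.count("(") > buf.count(")"):
            continue                      # still inside the SOA parentheses
        line, buf = buf, ""
        if line.lstrip().startswith("$"):
            continue                      # $TTL / $ORIGIN directives
        tokens = line.replace("(", " ").replace(")", " ").split()
        owner = last_owner if line[0].isspace() else qualify(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():
            tokens.pop(0)                 # optional per-record TTL
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)                 # class
        rtype = tokens.pop(0).upper()
        records.append((owner, rtype, " ".join(tokens)))
        last_owner = owner
    return records


def reverse_name(ip):
    """192.168.99.53 -> 53.99.168.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return a list of problems; an empty list means the zones agree."""
    problems = []
    fwd = parse_zone(fwd_text, fwd_origin)
    rev = parse_zone(rev_text, rev_origin)
    for rtype in ("SOA", "NS", "A"):
        if not any(r[1] == rtype for r in fwd):
            problems.append(f"forward zone has no {rtype} record")
    a_by_rev = {reverse_name(rdata): owner for owner, t, rdata in fwd if t == "A"}
    ptr = {owner: rdata for owner, t, rdata in rev if t == "PTR"}
    for rname, host in a_by_rev.items():
        if rname not in ptr:
            problems.append(f"no PTR record for {host} ({rname})")
        elif ptr[rname] != host:
            problems.append(f"PTR {rname} points to {ptr[rname]}, expected {host}")
    for rname, host in ptr.items():
        if rname not in a_by_rev:
            problems.append(f"PTR {rname} -> {host} has no matching A record")
    return problems


if __name__ == "__main__":
    for p in check_zones(FORWARD_ZONE, "mydomain.net.",
                         REVERSE_ZONE, "99.168.192.in-addr.arpa."):
        print("PROBLEM:", p)
```

To run it against your own files, read my-zone.txt and rev-zone.txt into the two strings and pass your assigned domain and reverse network as the origins (both ending in a dot). Relative PTR owners such as "53" are qualified with the reverse origin, so the checker accepts either owner style.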
BIND configuration file
- File name: named.conf
- Directory: /etc (or /var/named/chroot/etc with "chroot" activated)
Configure the following major options:
- listen-on: port 53 and all network interfaces
- directory: /var/named
- allow-query: any
- recursion: no
- dnssec-enable: yes
- dnssec-validation: no
- dnssec-lookaside: auto
Add two zone statements: one points to the forward lookup zone file "my-zone.txt", and the other points to the reverse lookup zone file "rev-zone.txt".
    zone "mydomain.net" IN {
        type master;
        file "my-zone.txt";
        allow-update { none; };
    };
    zone "99.168.192.in-addr.arpa" {
        type master;
        file "rev-zone.txt";
        allow-update { none; };
    };
Running and testing the DNS server
- Make sure that you have "named.service" enabled.
- Start the "named" service: systemctl start named.service
- Check the status of the "named" service: systemctl status named.service. Make sure the "named" service is active and running. If the "named" service failed to start, check for typos or syntax errors in the BIND configuration file /etc/named.conf and in your forward and reverse lookup zone files. The "bind" package provides two utilities for this, "named-checkconf" and "named-checkzone", both in the /usr/sbin directory.
- named-checkconf can be used to check for typos or syntax errors in named.conf.
- named-checkzone can be used to check for typos or syntax errors in your zone files.
Please check out the man page for details.
Verify that your DNS server is running
- use the "ss" command or the netstat command. What information should you look for?
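What you are looking for in the ss or netstat listing is a UDP socket and a TCP socket bound to port 53 on the address your clients will query, owned by the "named" process (and not only on 127.0.0.1, which is what you get when listen-on was left at its default). The script below is an added example, not part of the lab page; it parses ss output and answers that question. SAMPLE_SS_OUTPUT is constructed to resemble "ss -lntup" on CentOS 7, and the parser keys on fields rather than column positions because the layout varies between iproute2 versions.

```python
"""Confirm that named listens on port 53, from `ss -lntup` output (added example)."""
import re
import subprocess

# Constructed sample, shaped like `ss -lntup` on CentOS 7 (run as root so -p
# can show process names). Note the deliberate extra 127.0.0.1 listener.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      192.168.99.53:53    *:*     users:(("named",pid=1234,fd=512))
udp   UNCONN 0      0      127.0.0.1:53        *:*     users:(("named",pid=1234,fd=513))
udp   UNCONN 0      0      127.0.0.1:323       *:*     users:(("chronyd",pid=600,fd=1))
tcp   LISTEN 0      10     192.168.99.53:53    *:*     users:(("named",pid=1234,fd=21))
tcp   LISTEN 0      128    *:22                *:*     users:(("sshd",pid=800,fd=3))
"""

# netid, state, recv-q, send-q, local addr:port, peer addr:port, users:(...)
SOCKET_RE = re.compile(
    r"^(?P<proto>udp|tcp)\s+\S+\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+|\*)\s+\S+\s*(?P<rest>.*)$"
)


def listening_sockets(ss_output):
    """Yield (proto, local_address, port, process_name) for each socket line."""
    for line in ss_output.splitlines():
        m = SOCKET_RE.match(line)
        if not m:
            continue                      # header line or unexpected format
        proc = re.search(r'\("([^"]+)"', m.group("rest"))
        yield (m.group("proto"), m.group("addr"), m.group("port"),
               proc.group(1) if proc else None)


def dns_listeners(ss_output, process="named", port="53"):
    """Sockets on `port` owned by `process`, as (proto, address) pairs."""
    return [(proto, addr) for proto, addr, prt, name in listening_sockets(ss_output)
            if prt == port and name == process]


def check_dns_listening(ss_output, expected_addr):
    """Per protocol: is named reachable on expected_addr (or on all addresses)?"""
    acceptable = {expected_addr, "*", "0.0.0.0"}
    found = dns_listeners(ss_output)
    return {proto: any(p == proto and a in acceptable for p, a in found)
            for proto in ("udp", "tcp")}


if __name__ == "__main__":
    # Live check on the server itself; -p needs root to show process names.
    live = subprocess.run(["ss", "-lntup"], stdout=subprocess.PIPE,
                          universal_newlines=True).stdout
    print(check_dns_listening(live, "192.168.99.53"))
```

Both protocols matter: queries normally travel over UDP, but responses that exceed the UDP size limit are truncated and retried over TCP, so a server that only shows the UDP socket is only half working.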
Test the correctness of your DNS server's responses
- use the nslookup DNS client command line utility to query your DNS server for SOA, NS, A, and PTR resource records.
For example, if an authoritative DNS server with IP address 192.168.99.53 has the cp.net zone file:
    $TTL 300
    @       IN SOA  pri.cp.net. root.cp.net. (
                    20151111 ; serial
                    1h       ; refresh
                    15m      ; retry
                    3d       ; expire
                    10m)     ; minimum
            IN NS   pri.cp.net.
    pri     IN A    192.168.99.53
    www     IN A    192.168.99.80
    mail    IN A    192.168.99.25
    co      IN A    192.168.99.153
    rns     IN A    192.168.99.253
- Querying the SOA record with the nslookup command "nslookup -query=SOA cp.net 192.168.99.53" yields the following result:
    [root@pri named]# nslookup -query=SOA cp.net 192.168.99.53
    Server:         192.168.99.53
    Address:        192.168.99.53#53

    cp.net
            origin = pri.cp.net
            mail addr = root.cp.net
            serial = 20151111
            refresh = 3600
            retry = 900
            expire = 259200
            minimum = 600
- Querying the NS record with the nslookup command "nslookup -query=NS cp.net 192.168.99.53" yields the following result:
    [root@pri named]# nslookup -query=NS cp.net 192.168.99.53
    Server:         192.168.99.53
    Address:        192.168.99.53#53

    cp.net  nameserver = pri.cp.net.
- Querying the A record for mail.cp.net with the nslookup command "nslookup -query=A mail.cp.net. 192.168.99.53" yields the following result:
    [root@pri named]# nslookup -query=A mail.cp.net 192.168.99.53
    Server:         192.168.99.53
    Address:        192.168.99.53#53

    Name:   mail.cp.net
    Address: 192.168.99.25