Difference between revisions of "SRT210 Lab 4"
(→Zone file) |
(→Zone file) |
||
Line 108: | Line 108: | ||
1D ; Negative Cache TTL | 1D ; Negative Cache TTL | ||
); | ); | ||
− | @ IN NS | + | @ IN NS lin2.yoursenecaid.ops. |
c7host IN A 192.168.210.1 | c7host IN A 192.168.210.1 | ||
</pre> | </pre> |
Revision as of 01:01, 29 January 2019
Contents
Objectives
- Understand the principles of how DNS works.
PART 1: PREREQUISITES
You should have completed all the previous labs to date. That means before starting this lab you'll have:
- c7host set up and running, with the default firewall modified to allow incoming SSH connections from the 192.168.210.0/24 network.
- lin1 with a static IP address, running a web server, and the default firewall modified to allow access to that web server.
- lin2 with a static IP address.
- All your machines should have iptables services installed and firewalld uninstaled (or at least disabled and stopped).
If any of that is not working for you already - you will struggle more than needed while debugging configuration issues in this lab.
PART 2: DNS OVERVIEW
DNS is technically not a required part of the internet, but effectively it's indispensable for nearly all services of every sort on the internet. We'll spend a couple of weeks on topics related to DNS.
Read sections 1-3 from the Wikibooks DNS page.
PART 3: YOUR OWN DNS SERVER
Each of you will set up your own DNS server. We'll set up Bind on lin2 to do the work. The domains you configure will work for you or anyone who explicitly sets up their systems to use your DNS server. They will not work on the internet, because you'd have to pay a registrar to have your domain/server globally registered.
Installation
Install Bind on your lin2.
Configuration
An authoritative Bind server has a global configuration file (named.conf) and at least one zone file for the zone it's authoritative for.
/etc/named.conf
When you install Bind you'll get a default /etc/named.conf. Copy this file over to a backup location and empty the original (do not delete or move it as that will cause SELinux not to trust it). We will be writing one from scratch with only the following contents, but use your own X value where applicable.
options { directory "/var/named/"; allow-query {any;}; forwarders { 208.67.222.222; }; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; channel my_queries_channel { file "queries/log.txt"; severity info; }; category queries { my_queries_channel; }; }; zone "localhost" { type master; file "named.localhost"; }; zone "yoursenecaid.ops" { type master; file "mydb-for-yoursenecaid-ops"; };
You need to understand all the options in this file except the localhost zone, so that in the future (for example in a test) you can quickly set up a DNS server for a new zone. So look up in the reference these things and write down what they do:
- directory
- allow-query
- forwarders
- type
- file
Create the directory and the log file for logging queries:
mkdir /var/named/queries
touch /var/named/queries/log.txt
chown root:named /var/named/queries
chown named:named /var/named/queries/log.txt
chmod 770 /var/named/queries
chmod 644 /var/named/queries/log.txt
If you have SELinux enabled, you need to set the proper file context for the direcotry and the log file using the following two commands:
chcon system_u:object_r:named_cache_t:s0 /var/named/queries
chcon system_u:object_r:named_cache_t:s0 /var/named/queries/log.txt
The "ls -lZ" command lists the file context.
Zone file
Now edit /var/named/mydb-for-yoursenecaid-ops and enter the following:
$TTL 3D @ IN SOA host.yoursenecaid.ops. hostmaster.yoursenecaid.ops.( 2018042901 ; Serial 8H ; Refresh 2H Retry 1W ; Expire 1D ; Negative Cache TTL ); @ IN NS lin2.yoursenecaid.ops. c7host IN A 192.168.210.1
Again, here's the reference documentation for records in this file. Specifically pay attention to:
- A records
- NS records
- SOA records
Now that your DNS server (bind, a.k.a. named) is configured:
- Start the named service with the systemctl command.
- Check that the named service is running using the ps ax command (perhaps combined with grep), and separately, the systemctl command (if necessary), or check the /var/log/messages file for troubleshooting purposes.
- Once you are certain that the named service had started and runs without errors, then set it to start automatically (i.e. enable the named service) when this virtual machine boots.
- Now that you know the service works, add the resource records necessary for it to provide forward lookups of the other machines in your virtual network (hint: You should only need two more records) and restart the service.
DNS Client Configuration
- Configure c7host to use lin2 as the DNS server. You can always change that back if you need internet access and your DNS server is broken:
- Edit the ifcfg file for your interface on c7host (/etc/sysconfig/network-scripts/ifcfg-ens33) and add
PEERDNS=NO
andDNS1=192.168.210.12
- Bring your interface down and back up using the ifdown and ifup commands.
- Edit the ifcfg file for your interface on c7host (/etc/sysconfig/network-scripts/ifcfg-ens33) and add
- Try this to verify that you set-up your DNS server correctly:
host c7host.yoursenecaid.ops host lin1.yoursenecaid.ops host lin2.yoursenecaid.ops host google.ca
Lab completion
- Make sure you understand what you've done in this lab, so that you're ready to answer questions about it.
- Have notes in your labbook from this lab.
- Show your work to the professor and have them sign your labbook.