
OPS535-online-L8

2,040 bytes removed, 14:57, 30 March 2021
=OPS535 Lab 8=
==Objectives==
* Study the responses to DNSSEC-enabled DNS queries
* Configure an authoritative DNS server to provide DNS responses authenticated with DNSSEC.
==Pre-Requisites==
==Investigation 2: Configuring DNSSec on a Recursive Server==
Perform the following steps as root on your co-nfs VM at home:
<ol>
<li>Now that you can spot the differences between authenticated and non-authenticated data, it is time to configure your local recursive DNS server to perform authentication when your client machines request it.</li>
<li>Simply set the dnssec-validation parameter in your /etc/named.conf file to yes (it is already set this way if you didn’t change it in an earlier lab).
*Note that this relies on your server also having the initial key it will use to authenticate the root name servers it communicates with.
*This can be found in /etc/named.iscdlv.key and /etc/named.root.key.
*These too are included by default when you first install bind. If they are not there, add the following lines to your options statement and restart your service:
<source>
bindkeys-file "/etc/named.iscdlv.key";
include "/etc/named.root.key";
</source>
</li>
<li>Make sure your recursive DNS server is configured to provide recursive answers to other machines in your network, and that it allows traffic on UDP/TCP port 53.
*All of this should have already been done, so long as you followed the instructions in previous labs, and didn’t deliberately break anything.
</li>
<li>Run the following command from one of your other VMs (making sure to use the ip address of your own DNS server):
<source>dig +tcp +dnssec @192.168.83.1 www.isc.org</source>
*You should get output similar to the following:
<source>
[rchan@pri-dns labs]$ dig +tcp +dnssec @192.168.49.3 www.isc.org

; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> +tcp +dnssec @192.168.49.3 www.isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36010
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: b1f53c789d90ba0859c27899606380f06b6af5f84015fff0 (good)
;; QUESTION SECTION:
;www.isc.org.			IN	A

;; ANSWER SECTION:
www.isc.org.		60	IN	CNAME	dualstack.osff2.map.fastly.net.
www.isc.org.		60	IN	RRSIG	CNAME 13 3 60 20210411023511 20210312021301 27566 isc.org. [signature base64 omitted]
dualstack.osff2.map.fastly.net.	30 IN	A	151.101.126.217

;; AUTHORITY SECTION:
fastly.net.		172800	IN	NS	ns3.fastly.net.
fastly.net.		172800	IN	NS	ns4.fastly.net.
fastly.net.		172800	IN	NS	ns1.fastly.net.
fastly.net.		172800	IN	NS	ns2.fastly.net.

;; ADDITIONAL SECTION:
ns1.fastly.net.		172800	IN	A	23.235.32.32
ns2.fastly.net.		172800	IN	A	104.156.80.32
ns3.fastly.net.		172800	IN	A	23.235.36.32
ns4.fastly.net.		172800	IN	A	104.156.84.32

;; Query time: 1259 msec
;; SERVER: 192.168.49.3#53(192.168.49.3)
;; WHEN: Tue Mar 30 15:50:08 EDT 2021
;; MSG SIZE  rcvd: 367
</source>
*Again, note the do and ad flags, along with the RRSIG record (and similar data for the nameservers in the isc.org domain). The do bit in the EDNS pseudosection only records that the client asked for DNSSEC data; the ad flag in the header is what tells you the resolver validated the answer, and without it any RRSIG records are returned unchecked.
</li>
</ol>
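As an added example (not part of the lab page), a small POSIX shell helper that reads a dig response and reports whether the resolver actually validated it, using the same do/ad flags the lab points at. The sample responses embedded in it are constructed; the first one reuses the record values shown above, the others are made up for illustration.

```shell
#!/bin/sh
# Added example (not part of the lab page): classify a captured dig response
# by the flags the lab tells you to look for. "do" in the EDNS pseudosection
# only means the client asked for DNSSEC records; "ad" in the header flags is
# the resolver asserting that it validated the answer. SERVFAIL with
# validation on is what a failed signature check looks like to the client.
# Reads one dig response on stdin and prints exactly one word.
dnssec_status() {
    resp=$(cat)
    status=$(printf '%s\n' "$resp" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$resp" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    ednsflags=$(printf '%s\n' "$resp" | sed -n 's/^; EDNS: .*flags: \([^;]*\);.*/\1/p')
    [ "$status" = "SERVFAIL" ] && { echo servfail; return 0; }
    adbit=0; dobit=0
    case " $flags " in *" ad "*) adbit=1 ;; esac
    case " $ednsflags " in *" do "*) dobit=1 ;; esac
    if [ "$dobit" = 1 ] && [ "$adbit" = 1 ]; then
        echo validated          # resolver validated the chain of trust
    elif printf '%s\n' "$resp" | grep -q '[[:space:]]RRSIG[[:space:]]'; then
        echo unvalidated        # signatures returned, but nothing checked them
    else
        echo plain              # no DNSSEC data at all
    fi
}

# Constructed sample responses, trimmed to the lines the function reads.
VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36010
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 5
; EDNS: version: 0, flags: do; udp: 4096
www.isc.org.  60  IN  CNAME  dualstack.osff2.map.fastly.net.
www.isc.org.  60  IN  RRSIG  CNAME 13 3 60 20210411023511 20210312021301 27566 isc.org. [sig]'
UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
example.test.  300  IN  A  192.0.2.1
example.test.  300  IN  RRSIG  A 13 2 300 20210411000000 20210312000000 1111 example.test. [sig]'
BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4321
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096'

printf '%s\n' "$VALIDATED" | dnssec_status     # validated
printf '%s\n' "$UNVALIDATED" | dnssec_status   # unvalidated
printf '%s\n' "$BOGUS" | dnssec_status         # servfail
```

To use it on a live check, pipe the real command into the function, e.g. `dig +tcp +dnssec @192.168.83.1 www.isc.org | dnssec_status`, once on a signed name and once with dnssec-validation set to no to see the ad flag disappear.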