CDOT Wiki β

OPS335 Lab 3

567 bytes added, 18:09, 3 February 2019
Firewall rules update
After you have completed this lab, your '''vm1host''' VM will be running a full-featured DNS server (which is how you're going to get the '''yoursenecaid.ops''' domain without paying for it). Unfortunately, you will be the only one using your DNS server, so no one else will be able to resolve hosts under '''yoursenecaid.ops'''.
=== How DNS resolution works ===
We will now be '''installing, configuring and running a DNS server on our host'''. In most networks, the gateway would '''not''' also be a DNS server, but if we placed ours on a separate virtual machine we would need that VM to always be running in order for the other VMs to retrieve updates, install software, or even communicate with each other.
== Preparation ==
<pre>
options {
    directory "/var/named/";
    allow-query {127.0.0.1; 192.168.X.0/24;};
    forwarders { 192.168.40.2; };
};
zone "localhost" {
</pre>
# Check that the ''named'' service is running using the '''ps ax''' command (perhaps combined with '''grep''') and, separately, the '''systemctl''' command; if necessary, check the '''/var/log/messages''' file for troubleshooting purposes.
# Once you are certain that the ''named'' service has started and runs without errors, set it to '''start automatically''' (i.e. enable the named service) when this virtual machine boots.
# You also need to set '''host''' as the primary domain name server ('''DNS1''') in your '''host machine's ifcfg file'''.
# If your host's external-facing interface (ens33) is on DHCP, you will also need to add PEERDNS=NO to the ifcfg file to prevent the DHCP server from assigning the original DNS server (i.e. 192.168.40.2, which is instead used as the forwarder by the DNS server you are setting up).<br><br>'''NOTE:''' You should know how to do that, but if you forgot the procedure, refer to [http://zenit.senecac.on.ca/wiki/index.php/OPS335_Lab_1#Making_Persistent_.28Permanent.29_Network_Setting_Changes Lab 1].
# Now that you know the service works, '''add the resource records necessary for it to provide forward lookups of the other machines in your virtual network''' (hint: you should only need three more records) and restart the service.
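The two options in the named.conf excerpt under Preparation, '''allow-query''' and '''forwarders''', are the ones most worth checking before ''named'' is enabled: an allow-query that is missing or set to ''any'' turns the server into an open resolver that answers anyone who can reach port 53, and a mistyped forwarder address stops every lookup outside your own zone. The script below is an added example, not part of the lab or of BIND; it audits those two options in a named.conf. The file names and the 192.168.99.0/24 network are constructed stand-ins for the lab's 192.168.X.0/24.

```shell
#!/bin/sh
# Added example, not part of the OPS335 lab page: audit the two named.conf
# options the lab sets, allow-query and forwarders. A server whose allow-query
# is missing or "any" answers anyone who can reach port 53 (an open resolver);
# the lab restricts it to 127.0.0.1 and the VM network. File names and the
# 192.168.99.0/24 network below are constructed stand-ins.

# Print the contents of "<option> { ... };" from a named.conf (first match only).
conf_option() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*{\(.*\)}[[:space:]]*;.*/\1/p" "$2" | head -n 1
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# allow-query must exist and must not contain "any".
check_allow_query() {
    list=$(conf_option allow-query "$1")
    if [ -z "$list" ]; then
        echo "FAIL: $1 has no allow-query; BIND's default is any"
        return 1
    fi
    for entry in $(printf '%s' "$list" | tr ';' ' '); do
        if [ "$entry" = any ]; then
            echo "FAIL: allow-query {$list} makes this an open resolver"
            return 1
        fi
    done
    echo "PASS: allow-query restricted to {$list}"
}

# forwarders must exist and each entry must be a valid IPv4 address.
check_forwarders() {
    list=$(conf_option forwarders "$1")
    if [ -z "$list" ]; then
        echo "FAIL: $1 has no forwarders"
        return 1
    fi
    for fw in $(printf '%s' "$list" | tr ';' ' '); do
        if ! valid_ipv4 "$fw"; then
            echo "FAIL: forwarder '$fw' is not a valid IPv4 address"
            return 1
        fi
    done
    echo "PASS: forwarders {$list}"
}

# Run both checks; the exit status is 1 if either fails.
audit_named_conf() {
    rc=0
    check_allow_query "$1" || rc=1
    check_forwarders "$1" || rc=1
    return $rc
}

# Constructed sample configs (not from the lab) in a temporary directory.
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
options {
    directory "/var/named/";
    allow-query {127.0.0.1; 192.168.99.0/24;};
    forwarders { 192.168.40.2; };
};
EOF
cat > "$tmp/open.conf" <<'EOF'
options {
    directory "/var/named/";
    allow-query { any; };
    forwarders { 192.168.4840.2; };
};
EOF

audit_named_conf "$tmp/good.conf"
audit_named_conf "$tmp/open.conf" || echo "open.conf needs fixing before named is started"
```

Run it as <code>sh audit.sh</code> on the host after editing named.conf (or point <code>audit_named_conf</code> at /etc/named.conf); a non-zero exit means the file should be corrected before the service is enabled. The check is deliberately simple and reads only the first occurrence of each option, so it complements, rather than replaces, <code>named-checkconf</code>.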
== Firewall rules update ==
Remember that you are supposed to have a working firewall on your '''host''' (and every other machine), but we will focus on our vm1 '''host''' machine for now. A <u>working</u> firewall will block requests to ports that you didn't explicitly allow. This means that at this point, your DNS server, even though it's perfectly configured, is <u>'''inaccessible'''</u> to any other machine because iptables won't allow the requests to come in (the machine can communicate with itself using the rule that allows all traffic on the '''lo''' interface).
'''Perform the Following Steps:'''
# You will need to update the firewall on '''host''' to allow <u>incoming</u> connections to '''port 53 for both UDP and TCP''' (i.e. the protocol and port that DNS uses).
# After you have updated your firewall, save your iptables rules.
# '''Once your rules are saved, restart libvirtd to ensure NAT and forwarding rules are re-added.'''
'''NOTE:''' You could just disable the firewall '''but that is a poor workaround!''' You are expected to be able to handle configuration (such as this) at this point in this course.
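The three steps above as one script, added here as an example that is not part of the lab page. It opens TCP and UDP port 53 only to the VM network rather than to everyone (BIND's allow-query and the firewall then enforce the same boundary), guards each insert with <code>iptables -C</code> so the script can be re-run without duplicating rules, and then saves the rules and restarts libvirtd. The network 192.168.99.0/24 is a constructed stand-in for 192.168.X.0/24, and the save path assumes the iptables-services package on CentOS 7.

```shell
#!/bin/sh
# Added example, not part of the OPS335 lab page: allow incoming DNS (TCP and
# UDP port 53) on the host's iptables firewall from the VM network only, save
# the rules and restart libvirtd. The network 192.168.99.0/24 is a constructed
# stand-in for 192.168.X.0/24; the save path assumes iptables-services on
# CentOS 7.

VMNET=${VMNET:-192.168.99.0/24}

# Print one iptables command per protocol. Each is guarded by "iptables -C"
# (check) so that running the script twice does not insert duplicate rules,
# and "-I" puts the rule ahead of the usual trailing REJECT in INPUT.
dns_firewall_commands() {
    for proto in udp tcp; do
        rule="INPUT -s $1 -p $proto --dport 53 -j ACCEPT"
        printf 'iptables -C %s 2>/dev/null || iptables -I %s\n' "$rule" "$rule"
    done
}

# Commands that follow the rules: make them persistent, then restart libvirtd
# so that its NAT and forwarding rules are re-added.
dns_firewall_followup() {
    printf '%s\n' 'iptables-save > /etc/sysconfig/iptables' \
                  'systemctl restart libvirtd'
}

# Execute only when APPLY=1 is set (run as root); otherwise print the plan.
apply_dns_firewall() {
    if [ "${APPLY:-0}" = 1 ]; then
        { dns_firewall_commands "$1"; dns_firewall_followup; } | sh -e
    else
        echo "Dry run (set APPLY=1 and run as root to execute):"
        dns_firewall_commands "$1"
        dns_firewall_followup
    fi
}

apply_dns_firewall "$VMNET"
```

Without <code>APPLY=1</code> the script only prints the commands, which is a convenient way to review the rules before they touch the live firewall. Drop the <code>-s</code> match if you want the lab's wording exactly (port 53 open to any source); the host's own queries arrive over '''lo''' and are unaffected either way.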
{{Admon/important |Host Command Doesn't Work|Your machines do not know what domain to automatically add to the end of hostnames (or believe they are still in the seneca domain). The '''SEARCH''' (or DOMAIN) parameter in the '''ifcfg-eth0''' file is used to specify your own domain (eg. '''yoursenecaid.ops''' ).<br><br>}}
<li> Add the '''SEARCH''' (or DOMAIN) parameter to your '''ifcfg-eth0''' file as shown above for your '''vm1host''' machine.</li>
<li> Issue the host command for all VM names and the host name to make certain that it works.</li>
<li>Also on all of the VMs, install and use a text-based browser called '''lynx''' to access the Web, and test it out by issuing the command '''lynx''' with the URL as an argument.</li><li>Experiment with the following commands:<br>
'''Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:'''
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Comment out the entries in the hostname resolution file (/etc/hosts) on ALL VMs, and use the '''host''' command from a VM to query the IPADDR for:<br><blockquote>'''host.yoursenecaid.ops''', '''vm1.yoursenecaid.ops''', '''vm2.yoursenecaid.ops''', and '''vm3.yoursenecaid.ops'''</blockquote>
::<span style="color:green;font-size:1.5em;">&#x2713;</span>'''nslookup''' information ('''A''', '''NS''', '''MX''' records) for:<br><blockquote>'''host.yoursenecaid.ops''', '''vm1.yoursenecaid.ops''', '''vm2.yoursenecaid.ops''', '''vm3.yoursenecaid.ops'''.</blockquote>
::<span style="color:green;font-size:1.5em;">&#x2713;</span>'''dig +trace''' for:<br><blockquote>'''host.yoursenecaid.ops''', '''vm1.yoursenecaid.ops''', '''vm2.yoursenecaid.ops''', '''vm3.yoursenecaid.ops'''.</blockquote>
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Download the labcheck3.bash checking shell script by issuing the command:<br><br>'''wget http://matrix.senecac.on.ca/~peter.callaghan/files/OPS335/labcheck3.bash'''<br><br>then set execute permission and run the shell script on your '''host''' machine.
::*For '''Peter's classes''', follow his Online Submission instructions in Moodle.