Linux Professional Institute Certification — 102
1.113.5 Setup and configure basic DNS services
Weight 4

Andrew Eager andrew.eager@aes-pl.com.au
Geoffrey Robertson ge@ffrey.com
Nick Urbanik nicku@nicku.org

2005 July

This document is licensed under the GPL — see section 12.

Outline

1 Context
2 Objective
3 DNS — Domain Name Service
4 Resolving a Name
5 /etc/nsswitch.conf
6 /etc/resolv.conf
7 BIND
8 BIND configuration
9 Zone Files
  9.1 Zone Records
  9.2 Example forward zone
  9.3 Example reverse zone
10 Caching Only name server
11 Testing DNS
  11.1 nslookup
  11.2 dig
  11.3 host
12 License Of This Document

1 Context

Topic 113 Networking Services [24]
• 1.113.1 Configure and manage inetd, xinetd, and related services [4]
• 1.113.2 Operate and perform basic configuration of sendmail [4]
• 1.113.3 Operate and perform basic configuration of Apache [4]
• 1.113.4 Properly manage the NFS, smb, and nmb daemons [4]
• 1.113.5 Setup and configure basic DNS services [4]
• 1.113.7 Set up secure shell (OpenSSH) [4]

2 Objective

Description of Objective: Candidate should be able to configure hostname lookups and troubleshoot problems with a local caching-only name server. Requires an understanding of the domain registration and DNS translation process. Requires understanding key differences in configuration files for bind 4 and bind 8.

Key files, terms, and utilities include:
• /etc/hosts — file that maps host names ↔ IP addresses
• /etc/resolv.conf — configuration file used to determine which name server(s) to consult
• /etc/nsswitch.conf — tells the system in which order to consult the various sources of naming information
• /etc/named.boot (v.4) or /etc/named.conf (v.8) — configuration file for named
• named — the name server executable

3 DNS — Domain Name Service

• The internet works with numbers, not names: www.abc.gov.au is really 203.2.218.61
• The DNS namespace is made up of a tree of domain names.
• At the top is the root (.)
• Below this is the Top Level Domain (TLD)
• Below the TLD is the Second Level Domain.
• The Second Level Domain is handled by whoever ’owns’ that domain.
• Third and lower level domains are handled by the domain owner.
• Example:

    node1.office.my-domain.com
      ^     ^       ^       ^
      |     |       |       |
      |     |       |       -- Top level domain
      |     |       -- Second level domain
      |     -- Subdomain
      -- Hostname

• Domain names are fully qualified (FQDN) when a name is specified all the way down to the hostname.

4 Resolving a Name

• A name is resolved using the following steps:
  – /etc/nsswitch.conf is checked to see what resolution method to use (eg: read /etc/hosts, use dns, use nis...)
  – nsswitch says “use dns”:
    ∗ Read resolv.conf to see which name server to use
    ∗ Send the request to the name server and wait for the response
  – nsswitch says “use hosts”:
    ∗ Look up /etc/hosts for a matching hostname

5 /etc/nsswitch.conf

• This file determines which mechanisms are used by the hostname library calls to resolve names.
• The file contains lines with an identifier followed by a list of methods to use for name lookups.
• An example:

    passwd:     files nisplus nis
    shadow:     files nisplus nis
    group:      files nisplus nis
    hosts:      db files dns

• Note that the other entries like passwd, shadow and group are used for other applications like login and have nothing to do with DNS.
• In the hosts line, we see that any hostname to be looked up will be searched for in the following order:
  1. Use the local database files (.db files in /var/db)
  2. Read /etc/hosts
  3. Search DNS
• The search options can be one of:
  – nisplus (or nis+) — Consult NIS+
  – nis (or yp) — Consult NIS (Yellow Pages)
  – dns — Use a DNS server
  – files — Use local files like /etc/hosts
  – db — Use local database files
  – compat — Use NIS in compat mode
  – [NOTFOUND=return] — Stop searching and return host not found

An example nsswitch file:

    passwd:     db files nisplus nis
    shadow:     nisplus
    group:      db files nisplus nis
    hosts:      db files nis dns

    # Example - obey only what nisplus tells us...
    #services:   nisplus [NOTFOUND=return] files
    #networks:   nisplus [NOTFOUND=return] files
    #protocols:  nisplus [NOTFOUND=return] files
    #rpc:        nisplus [NOTFOUND=return] files
    #ethers:     nisplus [NOTFOUND=return] files
    #netmasks:   nisplus [NOTFOUND=return] files

    bootparams:  nisplus [NOTFOUND=return] files

    ethers:      files
    netmasks:    files
    networks:    files nis
    protocols:   files nisplus
    rpc:         files
    services:    files nisplus
    netgroup:    files nisplus
    publickey:   nisplus
    automount:   files nisplus
    aliases:     files nisplus

6 /etc/resolv.conf

• This file configures how the system uses DNS. An example:

    search aes
    nameserver 10.27.1.10
    nameserver 10.27.1.254

• The ’search’ line says what to append to a non-fully-qualified name, eg: ping node10 → ping node10.aes
• The nameserver lines tell the hostname routines which DNS server to send requests to. (If the first lookup fails, use the second, then the third.)

7 BIND — Berkeley Internet Name Domain

• BIND is just one implementation of DNS. BIND is to DNS what Apache is to HTTP.
• BIND is configured with:
  – /etc/named.conf — for BIND V8
  – /etc/named.boot — for BIND V4
• Know that there is a difference between V4 and V8.
• Know how to configure V8 but not V4. (Different syntax)

8 BIND configuration

• The configuration file contains subsections as follows:
  – options → how named will operate
  – logging → what/how named will log information
  – Access Lists → who can use named and what they can do
  – Remote Servers → characteristics of remote servers
  – zones → information about our defined domains

An example config file:

    options {
        directory "/var/named/";
        forward only;
        forwarders {
            203.2.75.132;
            203.2.75.108;
        };
        query-source address * port 53;
        listen-on { 10.27.1.10; 127.0.0.1; };
        notify no;
    };

    #### The root zone ###
    zone "." {
        type hint;
        file "named.ca";
    };

    #### A zone for localhost ###
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "0.0.127.in-addr.arpa.zone";
    };

    zone "localhost" {
        type master;
        file "localhost.zone";
    };

    key "key" {
        algorithm hmac-md5;
        secret "JoqlFqtncqurkhMOrrbQLYRcxSYXoNROvNTZBqWJFumleNkzOv";
    };

    ### A local domain ###
    zone "1.27.10.in-addr.arpa" {
        type master;
        file "1.27.10.in-addr.arpa.zone";
    };

    zone "aes" {
        type master;
        file "aes.zone";
    };

9 Zone Files

• Each zone uses a file for:
  – Hostname to IP address translations (forward lookups)
  – IP address to hostname translations (reverse lookups)
• The names can be anything, but usually:
  – Forward file → domain.zone
  – Reverse file → Net-IP.in-addr.arpa
• . . . where Net-IP is the network part of the IP address, with its octets written in reverse order (10.27.1 becomes 1.27.10).
9.1 Zone Records

• SOA record — marks the start of a zone, indicating which name server is the primary name server
• NS record — defines the name server for a zone or subdomain
• MX record — defines the mail servers for the domain
• CNAME record — defines an alias for a hostname
• LOC record — defines the physical location of the server
• SRV record — defines which services are found where (eg ftp, http etc)
• A record — defines hostname to IP address translations (forward file)
• PTR record — defines IP address to hostname translations (reverse file)

9.2 Example forward zone

Example forward file /var/named/aes.zone:

    @   IN  SOA node10.aes. root.localhost (
                2       ; serial
                28800   ; refresh
                7200    ; retry
                604800  ; expire
                86400   ; ttl
            )
    @       IN  NS      node10.aes.
    node5   IN  MX  10  mail
    node6   IN  MX  10  mail
    node4   IN  MX  10  mail
    node2   IN  MX  10  mail
    node10  IN  MX  10  mail
    gw      IN  MX  10  mail
    node10  IN  A       10.27.1.10
    node2   IN  A       10.27.1.2
    node4   IN  A       10.27.1.4
    node5   IN  A       10.27.1.5
    node6   IN  A       10.27.1.6
    cds     IN  A       10.27.1.99
    gw      IN  A       10.27.1.254
    ns      IN  CNAME   node10
    mail    IN  CNAME   node10
    node-4  IN  CNAME   node4

9.3 Example reverse zone

Example reverse file /var/named/1.27.10.in-addr.arpa.zone:

    @   IN  SOA @ root.localhost (
                2       ; serial
                28800   ; refresh
                7200    ; retry
                604800  ; expire
                86400   ; ttl
            )
    @       IN  NS   ns.aes.
    2       IN  PTR  node2.aes.
    4       IN  PTR  node4.aes.
    5       IN  PTR  node5.aes.
    6       IN  PTR  node6.aes.
    10      IN  PTR  node10.aes.
    99      IN  PTR  cds.aes.
    254     IN  PTR  gw.aes.

10 Caching Only name server

Configuring a caching-only nameserver
• A caching-only nameserver is simple to set up. The first time a name is needed, a normal lookup occurs (authoritative answer). The next time that name is needed, it is returned from the cache (non-authoritative answer).
• Under /etc/named.conf in the options section, just make sure you have the following directives set:

    options {
        directory "/var/named/";
        forward only;
        forwarders {
            First DNS to query;
            Second DNS to query;
        };
        listen-on { Your local IP address; 127.0.0.1; };
    };

• Leave the root zone (.) and localhost entries as they are.

11 Testing DNS

• To test DNS, use one of the following tools:
  – nslookup (deprecated)
  – dig
  – host
• To use them in their simplest form, just add the hostname you wish to query as the first option to the command:

    $ nslookup node16.c223
    $ dig node16.c223
    $ host node16.c223

11.1 nslookup

• Usage: nslookup [option] host-to-find [-name-server]
• Example:

    $ nslookup node2.aes -10.27.1.10
    Note: nslookup is deprecated and may be removed from future releases.
    Consider using the `dig' or `host' programs instead.  Run nslookup with
    the `-sil[ent]' option to prevent this message from appearing.
    Server:         10.27.1.10
    Address:        10.27.1.10#53

    Name:   node2.aes
    Address: 10.27.1.2

11.2 dig

• Usage: dig [@name-server] host-to-find [query-type]
• Example:

    $ dig @10.27.1.10 node2.aes

    ; <<>> DiG 9.2.0 <<>> @10.27.1.10 node2.aes
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43860
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;node2.aes.                     IN      A

    ;; ANSWER SECTION:
    node2.aes.              86400   IN      A       10.27.1.2

    ;; AUTHORITY SECTION:
    aes.                    86400   IN      NS      node10.aes.

    ;; ADDITIONAL SECTION:
    node10.aes.             86400   IN      A       10.27.1.10

    ;; Query time: 5 msec
    ;; SERVER: 10.27.1.10#53(10.27.1.10)
    ;; WHEN: Mon Sep 2 13:48:38 2002
    ;; MSG SIZE  rcvd: 80

11.3 host

• Usage: host [option] host-to-find [name-server]
• Example:

    $ host node2.aes
    node2.aes has address 10.27.1.2
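Before testing against a running named, the forward and reverse zone files from section 9 can be cross-checked offline, since a PTR that points at the wrong host, or an A record with no PTR at all, is a common source of confusing test results. The script below is an added example and is not part of the original handout; the record lines are re-typed from the aes and 1.27.10.in-addr.arpa example files above, and the check_zones function name and its argument layout are this example's own.

```shell
#!/bin/sh
# Added example (not from the original handout): cross-check a forward zone
# against its reverse zone so every A record has a matching PTR and every
# PTR still has a matching A record. Records below are re-typed from the
# handout's aes and 1.27.10.in-addr.arpa files; normally read /var/named/ instead.

FWD_ZONE='node10  IN  A  10.27.1.10
node2   IN  A  10.27.1.2
node4   IN  A  10.27.1.4
node5   IN  A  10.27.1.5
node6   IN  A  10.27.1.6
cds     IN  A  10.27.1.99
gw      IN  A  10.27.1.254'

REV_ZONE='2    IN  PTR  node2.aes.
4    IN  PTR  node4.aes.
5    IN  PTR  node5.aes.
6    IN  PTR  node6.aes.
10   IN  PTR  node10.aes.
99   IN  PTR  cds.aes.
254  IN  PTR  gw.aes.'

# check_zones ORIGIN NET-PREFIX FORWARD-RECORDS REVERSE-RECORDS
# Prints one line per inconsistency; the return value is the number found (0 = consistent).
check_zones() {
    printf '%s\n' "$3" | awk -v origin="$1" -v net="$2" -v rev="$4" '
    BEGIN {
        # index the reverse zone: last octet -> name the PTR points to
        n = split(rev, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, "[ \t]+")
            if (f[3] == "PTR") { ptr[f[1]] = f[4]; seen[f[1]] = 0 }
        }
        bad = 0
    }
    $3 == "A" {
        fqdn = $1 "." origin "."
        if (substr($4, 1, length(net)) != net) { print "A record outside " net ": " $0; bad++; next }
        split($4, o, "."); octet = o[4]
        if (!(octet in ptr)) { print "missing PTR for " fqdn " (" $4 ")"; bad++; next }
        seen[octet] = 1
        if (ptr[octet] != fqdn) { print "PTR " $4 " -> " ptr[octet] ", expected " fqdn; bad++ }
    }
    END {
        for (k in seen) if (!seen[k]) { print "stale PTR " k " -> " ptr[k] " has no A record"; bad++ }
        exit bad
    }'
}

check_zones aes 10.27.1. "$FWD_ZONE" "$REV_ZONE" && echo "forward and reverse zones agree"
```

The handout's two example files agree, so the script prints the confirmation line; feeding it a forward zone with an extra host, or a reverse zone whose PTR names the wrong host, lists each problem and returns the number found.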
Exercise:

1. Install bind on your machine:

    $ sudo rpm -Uvh bind-9*.rpm

2. Configure a caching-only nameserver on your machine. (Make all queries forward to 192.168.223.254)
3. Make changes to resolv.conf and nsswitch.conf as required. (The default domain to use is c223)
4. Start named:

    $ sudo service named start

5. Test it out with the host node16.c223 using:
   • nslookup
   • dig
   • host
6. Test again, this time with the host box16.
7. (For those who want a DNS challenge)
   (a) Set up a set of zones for the .c223 domain.
   (b) Insert the new zone into the main configuration file.
   (c) Restart named and test it.

DNS Name Lookup Procedure

(Figure reconstructed as the sequence of messages it showed.)
1. Client → local DNS: What is the IP addr for www.abc.com?
2. Local DNS → . (root) DNS: What is the IP for www.abc.com?
3. Root DNS → local DNS: Don’t know, but here is the IP for the .com nameserver. Go ask them.
4. Local DNS → .com DNS: What is the IP for www.abc.com?
5. .com DNS → local DNS: Don’t know, but here is the IP for the abc.com nameserver. Go ask them.
6. Local DNS → abc.com DNS: What is the IP for www.abc.com?
7. abc.com DNS → local DNS: The IP for www.abc.com is 1.2.3.4
8. Local DNS → client: IP addr is 1.2.3.4

12 License Of This Document

Copyright © 2005, 2003 Andrew Eager, Geoffrey Robertson and Nick Urbanik. Permission is granted to make and distribute verbatim copies or modified versions of this document provided that this copyright notice and this permission notice are preserved on all copies under the terms of the GNU General Public License as published by the Free Software Foundation—either version 2 of the License or (at your option) any later version.