2 2.113.4 Properly manage the NFS, smb, and nmb daemons

1.113.5 Setup and conﬁgure basic DNS services Weight 4
Linux Professional Institute Certiﬁcation — 102

2.113.5 Setup and conﬁgure basic DNS services [] 2.113.7 Set up secure shell (OpenSSH) Setup and Conﬁgure basic DNS services Candidate should be able to conﬁgure hostname lookups and troubleshoot problems with local caching-only name server. Requires an understanding of the domain registration and DNS translation process. Requires understanding key differences in conﬁguration ﬁles for bind 4 and bind 8. Setup and Conﬁgure basic DNS services /etc/hosts /etc/resolv.conf /etc/nsswitch.conf /etc/named.boot (v.4) or /etc/named.conf (v.8) named DNS - DOMAIN NAME SERVICE 1The internet works with numbers not names. • www.abc.gov.au is really 203.2.218.61 2 – DNS namespace is made up of a tree of domain names. 3 – At the top is root (.) 4 – Below this is the Top Level Domain (TLD) 5 – Below the TLD is the Second Level Domain. 6 – The Second level domain is handled by whoever ’owns’ that domain 7 – Third & lower level domains are handled by the domain owner.

Geoffrey Robertson ge@ffrey.com Nick Urbanik nicku@nicku.org 2005 July
Description of Objective

Candidate should be able to conﬁgure hostname lookups and troubleshoot problems with local caching-only name server. Requires an understanding of the domain registration and DNS translation process. Requires understanding key differences in conﬁguration ﬁles for bind 4 and bind 8.

Key ﬁles, terms, and utilities include:

/etc/hosts /etc/resolv.conf /etc/nsswitch.conf /etc/named.boot (v.4) or /etc/named.conf (v.8) named
Shells, Scripting, Programming & Compiling 2.113.1 Conﬁgure and manage inetd, xinetd, and related services 2.113.2 Operate and perform basic conﬁguration of sendmail 2.113.3 Operate and perform basic conﬁguration of Apache

3 DNS - DOMAIN NAME SERVICE 1Example: • node1.office.my-domain.com ^ ^ ^ ^ | | | | | | | -- Top level domain | | -- Second level domain | - Subdomain -- Hostname 2 • Domain names are fully qualiﬁed (FQDN) when a name is speciﬁed all the way down to the hostname. RESOLVING A NAME 1A name is resolved using the following steps:2 • – /etc/nsswitch.conf is checked to see what resolution method to use (eg: read /etc/hosts, use dns, use nis...) 3 – nsswitch says USE DNS: 4Read resolv.conf to see what nameserver to use 5 Send request to nameserver and wait for response 6 – nsswitch says USE HOSTS ∗ 7Lookup /etc/hosts for a matching hostname The nsswitch.conf ﬁle 1This is a ﬁle that determines what mechanisms are used by the hostname library calls to resolve names. 2 The ﬁle contains lines with an identiﬁer followed by a list of methods to use for name lookups. 3 An example: • passwd: ﬁles nisplus nis ∗ shadow: ﬁles nisplus nis group: ﬁles nisplus nis hosts: db ﬁles dns 4 • Note that the other entries like passwd, shadow and group are used for other applications like login and have nothing to do with DNS. • The nsswitch.conf ﬁle

4

1In the hosts line, we see that any hostname to be looked up will be done in the following order: 1. Use local databases ﬁle (.db ﬁles in /var/db) 2. Read /etc/hosts 3. Search DNS 2 • The Search options can be one of: nisplus (or nis+) nis (or yp) dns files db compat [NOTFOUND=return] An example nsswitch ﬁle:
nisplus (or nis passwd: db files nisplus nis shadow: nisplus group db files nisplus nis hosts: db files nis dns

-

Consult NIS+ (Yellow Pages) Consult NIS Use a DNS server Use local files like /etc/hosts Use local database files Use NIS in compat mode Stop searching and return host notfound

# Example - obey only what nisplus tells us... #services: nisplus [NOTFOUND=return] files #networks: nisplus [NOTFOUND=return] files #protocols: nisplus [NOTFOUND=return] files #rpc: nisplus [NOTFOUND=return] files #ethers: nisplus [NOTFOUND=return] files #netmasks: nisplus [NOTFOUND=return] files bootparams: nisplus [NOTFOUND=return] files ethers: netmasks: networks: protocols: rpc: services: netgroup: publickey: automount: aliases: files files files nis files nisplus files files nisplus files nisplus nisplus files nisplus files nisplus

5 The resolv.conf ﬁle 1This ﬁle conﬁgures how the system uses DNS. An example: • search aes nameserver 10.27.1.10 nameserver 10.27.1.254 2 • The ’search’ line says what to append to a non-fully qualiﬁed name: eg: ping node10 –> ping node10.aes 3 • The nameserver lines tell the hostname routines which dns server to send requests to. (If ﬁrst lookup fails, use the second, third etc) BIND - Berkley Internet Name Domain 1Bind is just one implementation of a DNS. Bind is to DNS what Apache is to http. 2 Bind is conﬁgured with: • /etc/named.conf /etc/named.boot 3 • Know that there is a difference between V4 & V8. 4 • Know how to conﬁgure V8 but not V4. (Different syntax) BIND Conﬁguration • The conﬁguration ﬁle contains subsections as follows: 1Options → How named will operate 2 logging → What/how named will log information 3 Access Lists → Who can use named & what they can do 4 Remote Servers → Characteristics of remote servers 5 zones → Information about our deﬁned domains An Example Conﬁg ﬁle: –
options { directory "/var/named/"; forward only; forwarders { 203.2.75.132; 203.2.75.108; }; query-source address * port 53; }; listen-on { 10.27.1.10; 127.0.0.1; }; notify no;

6

#### The root zone ### zone "." { type hint; file "named.ca"; }; #### A zone for localhost ### zone "0.0.127.in-addr.arpa" { type master; file "0.0.127.in-addr.arpa.zone"; }; zone }; "localhost" { type master; file "localhost.zone";

- For BIND V8 - For BIND V4

### A local domain ### zone "1.27.10.in-addr.arpa" { type master; file "1.27.10.in-addr.arpa.zone"; }; zone }; "aes" { type master; file "aes.zone";

key "key" { algorithm hmac-md5; secret "JoqlFqtncqurkhMOrrbQLYRcxSYXoNROvNTZBqWJFumleNkzOvEvTAbqpbMV"; };

Zone ﬁles: 1Each zone uses a ﬁle for:2 • 4 • The names can be anything, but usually: 5Forward ﬁle –> <domain>.zone 6 Reverse ﬁle –> <Net-IP>.in-addr.arpa 7 • Where the Net-IP is the network part of the IP address. – – Hostname to IP address translations (Forward lookups) 3 – IP to Hostname translatoins (Reverse lookups)

7 Zone Records: 1Marks the start of a zone. 2 Deﬁnes the name server for a zone or subdomain 3 Deﬁne mail servers for domain 4 Deﬁnes an alias for a hostname 5 Deﬁnes the physical location of the server 6 Deﬁnes what services are found where (eg ftp, http etc) 7 Deﬁnes hostname to IP address translations (forward ﬁle) 8 Deﬁnes IP address to hostname translations (reverse ﬁle) Example Forward ﬁle /var/named/aes.zone SOA record MX record NS record CNAME record record record LOC SRV A record record PTR
2 ; serial 28800 ; refresh 7200 ; retry 604800 ; expire 86400 ; ttl ) @ IN SOA node10.aes.

8 Conﬁguring a Caching only Nameserver 1A caching only nameserver is simple to setup. The ﬁrst time a name is needed, a normal lookup occurs (Authorative) The next time that name is needed, it is returned from cache (Non-authorative) 2 Under /etc/named.conf in the options section, just make sure you have the following directives set: • options { directory "/var/named/"; forward only; forwarders { root.localhost ( <First DNS to query>; <Second DNS to query>; }; listen-on { <Your local IP address>; 127.0.0.1; }; 3 • Leave the root zone (.) and localhost entries as they are. Testing DNS 1To test DNS, use one of the following tools:2 • – nslookup (deprecated) 3 – dig 4 – host 5 • To use in their simplest form, just add the hostname you wish to query as the ﬁrst option to the command: nslookup node16.c222 dig node16.c222 host node16.c222 nslookup 1Usage: nslookup [option] host-to-find [-name-server] Example: • $ nslookup node2.aes -10.27.1.10 ← 2

@ node5 node6 node4 node2 node10 gw node10 node2 node4 node5 node6 cds gw ns mail node-4

IN IN IN IN IN IN IN IN IN IN IN IN IN IN IN IN IN

NS MX MX MX MX MX MX A A A A A A A CNAME CNAME CNAME

node10.aes. 10 10 10 10 10 10 mail mail mail mail mail mail

10.27.1.10 10.27.1.2 10.27.1.4 10.27.1.5 10.27.1.6 10.27.1.99 10.27.1.254 node10 node10 node4

Example reverse ﬁle /var/named/1.27.10.in-addr.arpa.zone
@ IN SOA @ root.localhost ( 2 ; serial 28800 ; refresh 7200 ; retry 604800 ; expire 86400 ; ttk ) ns.aes. node2.aes. node4.aes. node5.aes. node6.aes. node10.aes. cds.aes. gw.aes.

@ 2 4 5 6 10 99 254

IN IN IN IN IN IN IN IN

NS PTR PTR PTR PTR PTR PTR PTR

9 • Note: nslookup is deprecated and may be removed from future releases. Consider using the ‘dig’ or ‘host’ programs instead. Run nslookup with the -sil[ent] option to prevent this message from appearing. Server: Address: 10.27.1.10 10.27.1.10#53

10 3. Make changes to resolv.conf & nsswitch.conf as required (Default domain to use is c222) 3 4. Start the named. # service named start 4 5. Test it out with the host node16.c222 using:

Name: node2.aes Address: 10.27.1.2 dig •

1Usage: dig [@name-server] host-to-find [query-type] 2 Example:
$ dig @10.27.1.10 node2.aes ← ; «» DiG 9.2.0 «» @10.27.1.10 node2.aes ;; global options: printcmd ;; Got answer: ;; -»HEADER«- opcode: QUERY, status: NOERROR, id: 43860 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;node2.aes. ;; ANSWER SECTION: node2.aes. ;; AUTHORITY SECTION: aes. ;; ADDITIONAL SECTION: node10.aes. ;; ;; ;; ;; 86400 86400 86400 IN IN IN IN A A NS A 10.27.1.2 node10.aes. 10.27.1.10

• nslookup • dig • host 5 6. Test again this time with the host box16 6 7. (For those who want a DNS challenge) (a) Setup a set of zones for the .c222 domain. (b) Insert the new zone into the main conﬁguration ﬁle (c) Restart the named and test it. DNS Name Lookup Procedure  ' $ IP addr. for google.com?  IP addr.for & Local DNS
google.com?

Query time: 5 msec SERVER: 10.27.1.10#53(10.27.1.10) WHEN: Mon Sep 2 13:48:38 2002 MSG SIZE rcvd: 80

host 1Usage: host [option] host-to-find [name-server] 2 Example: • $ host node2.aes ← node2.aes has address 10.27.1.2 Exercise: 1Install bind on your machine: 1. # rpm -Uvh bind-9*.rpm 2 2. Conﬁgure a Caching only nameserver on your machine. (Make all queries forward to 192.168.222.254)

?

%

¨ ©

12 blah

11

12

DNS NAME LOOKUP PROCEDURE
 9 6    

DNS NAME LOOKUP PROCEDURE
  Don’t know, but here is the IP for  the .com Nameserver. Go ask them ¢ ¡ -

What is IP for www.abc.com?for www.abc.com? © 8 ¨ ©   

9 ¨

What is IP addr

£   What is IP for www.abc.com? ¢ ¡ 6£ 7 £   - What is IP for www.abc.com? ¢ ¡ £

. (root) DNS

8

What is IP addr for www.abc.com?
?

Don’t know, but here is the IP for ?  LOCAL the .com Nameserver. Go ask them DNS
0 ¨ © ? 1

. (root) DNS

7

IP addr is 1.2.3.4

(

LOCAL DNS
9? 8

   6 7

      

What is IP for www.abc.com?

) ¨

-

£   What is IP for www.abc.com? ¢ ¡ £    The IP for www.abc.com ¢

¢

Don’t know, but here is the IP for  the abc.com Nameserver. Go ask them
¡

 

-

.com DNS

-

Don’t know, but here is the IP for  3 the abc.com Nameserver. Go ask them

is 1.2.3.4

.com

DNS

¡

abc.com DNS

IP addr is 1.2.3.4

What is IP for www.abc.com? The IP for www.abc.com is 1.2.3.4
©

© £   - What is IP for www.abc.com? ¢ ¡  ' $£ Don’t know, but here is the IP for  What is IP addr ¢the .com Nameserver. Go ask them ¡ ¨ for www.abc.com? & % ? £   - What is IP for www.abc.com? LOCAL  © ¢ ¡ £   ¨ DNS  Don’t know, but here is the IP for  the abc.com Nameserver. Go ask them  ? ¢ ¡ 
DNS NAME LOOKUP PROCEDURE

. (root) DNS

abc.com DNS

.com DNS

1.2.3.4 

IP addr is

2

The End

£   - What is IP for www.abc.com? ¢ £  ¡  The IP for www.abc.com ¢ is 1.2.3.4 ¡

-

abc.com DNS

License Of This Document