General Linux 2 (Linux Professional Institute Certification)

by: geoffrey robertson geoffrey@zip.com.au

$Id: gl2.113.5.slides.tex,v 1.1 2003/11/05 09:03:09 geoffr Exp $

Copyright (c) 2002 Geoffrey Robertson. Permission is granted to make and distribute verbatim copies or modified versions of this document provided that this copyright notice and this permission notice are preserved on all copies under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License or (at your option) any later version.

List of Slides

Shells, Scripting, Programming & Compiling
2.113.1 Configure and manage inetd, xinetd, and related services
2.113.2 Operate and perform basic configuration of sendmail
2.113.3 Operate and perform basic configuration of Apache
2.113.4 Properly manage the NFS, smb, and nmb daemons
2.113.5 Setup and configure basic DNS services
2.113.7 Set up secure shell (OpenSSH)

Setup and Configure basic DNS services

Objective
Candidate should be able to configure hostname lookups and troubleshoot problems with a local caching-only name server. Requires an understanding of the domain registration and DNS translation process. Requires understanding key differences in configuration files for bind 4 and bind 8.

Key files, terms, and utilities
/etc/hosts
/etc/resolv.conf
/etc/nsswitch.conf
/etc/named.boot (v.4) or /etc/named.conf (v.8)
named

DNS - DOMAIN NAME SERVICE

• The internet works with numbers not names. www.abc.gov.au is really 203.2.218.61
– The DNS namespace is made up of a tree of domain names.
– At the top is root (.)
– Below this is the Top Level Domain (TLD)
– Below the TLD is the Second Level Domain.
– The Second Level Domain is handled by whoever 'owns' that domain
– Third & lower level domains are handled by the domain owner.

DNS - DOMAIN NAME SERVICE

• Example:

    node1.office.my-domain.com
      ^     ^       ^       ^
      |     |       |       |
      |     |       |       -- Top level domain
      |     |       -- Second level domain
      |     - Subdomain
      -- Hostname

• Domain names are fully qualified (FQDN) when a name is specified all the way down to the hostname.

RESOLVING A NAME

• A name is resolved using the following steps:
– /etc/nsswitch.conf is checked to see what resolution method to use (eg: read /etc/hosts, use dns, use nis...)
– nsswitch says USE DNS:
∗ Read resolv.conf to see what nameserver to use
∗ Send request to nameserver and wait for response
– nsswitch says USE HOSTS:
∗ Look up /etc/hosts for a matching hostname

The nsswitch.conf file

• This is the file that determines what mechanisms are used by the hostname library calls to resolve names.
• The file contains lines with an identifier followed by a list of methods to use for name lookups.
• An example:

    passwd:     files nisplus nis
    shadow:     files nisplus nis
    group:      files nisplus nis
    hosts:      db files dns

• Note that the other entries like passwd, shadow and group are used for other applications like login and have nothing to do with DNS.

The nsswitch.conf file

• In the hosts line, we see that any hostname to be looked up will be done in the following order:
1. Use local database files (.db files in /var/db)
2. Read /etc/hosts
3. Search DNS
• The search options can be one of:

    nisplus (or nis+)   - Consult NIS+ (Yellow Pages)
    nis (or yp)         - Consult NIS
    dns                 - Use a DNS server
    files               - Use local files like /etc/hosts
    db                  - Use local database files
    compat              - Use NIS in compat mode
    [NOTFOUND=return]   - Stop searching and return host not found

• An example nsswitch file:

    passwd:     db files nisplus nis
    shadow:     db files nisplus nis
    group:      db files nisplus nis
    hosts:      db files nis dns

    # Example - obey only what nisplus tells us...
    #services:   nisplus [NOTFOUND=return] files
    #networks:   nisplus [NOTFOUND=return] files
    #protocols:  nisplus [NOTFOUND=return] files
    #rpc:        nisplus [NOTFOUND=return] files
    #ethers:     nisplus [NOTFOUND=return] files
    #netmasks:   nisplus [NOTFOUND=return] files

    bootparams: nisplus [NOTFOUND=return] files
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files nisplus
    rpc:        files
    services:   files nisplus
    netgroup:   files nisplus
    publickey:  nisplus
    automount:  files nisplus
    aliases:    files nisplus

The resolv.conf file

• This file configures how the system uses DNS. An example:

    search aes
    nameserver 10.27.1.10
    nameserver 10.27.1.254

• The 'search' line says what to append to a non-fully qualified name: eg: ping node10 -> ping node10.aes
• The nameserver lines tell the hostname routines which DNS server to send requests to. (If the first lookup fails, use the second, third etc.)

BIND - Berkeley Internet Name Domain

• BIND is just one implementation of a DNS server. BIND is to DNS what Apache is to http.
• BIND is configured with:

    /etc/named.conf   - For BIND V8
    /etc/named.boot   - For BIND V4

• Know that there is a difference between V4 & V8.
• Know how to configure V8 but not V4. (Different syntax)
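Before turning to the server side, here is the client-side procedure from the "Resolving a name", nsswitch.conf and resolv.conf slides worked through in code. This is an added example, not code from the slides or from glibc: the sample nsswitch.conf, resolv.conf and /etc/hosts contents and the DNS_TABLE stand-in for the nameservers are all constructed, and no system file is read or packet sent. It shows how the hosts: line orders the sources, how the search list turns node10 into node10.aes, and how [NOTFOUND=return] stops the walk before DNS is ever asked.

```python
"""Client-side name resolution as described on the nsswitch.conf and
resolv.conf slides. Added example, not code from the slides: the hosts:
line decides which sources are consulted and in what order, the search
list qualifies short names, and [NOTFOUND=return] stops the walk early.
Every input below is a constructed sample embedded in the script."""
import ipaddress
import re

# Constructed sample /etc/nsswitch.conf (only the hosts: line matters here).
NSSWITCH = """\
passwd:     db files nisplus nis
hosts:      files dns
"""

# Constructed sample /etc/resolv.conf, modelled on the slide's example.
RESOLV = """\
search aes
nameserver 10.27.1.10
nameserver 10.27.1.254
"""

# Constructed sample /etc/hosts.
HOSTS = """\
127.0.0.1   localhost
10.27.1.2   node2.aes node2
"""

# Constructed stand-in for the answers the nameservers in resolv.conf
# would give; a real resolver sends a query and waits for the response.
DNS_TABLE = {"node10.aes": "10.27.1.10", "gw.aes": "10.27.1.254"}


def parse_nsswitch(text):
    """Return [(source, action)] for the hosts: line, e.g.
    'files [NOTFOUND=return] dns' -> [('files', ('NOTFOUND', 'return')), ('dns', None)]."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("hosts:"):
            continue
        steps = []
        for tok in line.split(":", 1)[1].split():
            m = re.fullmatch(r"\[(\w+)=(\w+)\]", tok)
            if m and steps:
                # An [STATUS=action] bracket applies to the source before it.
                steps[-1] = (steps[-1][0], (m.group(1).upper(), m.group(2).lower()))
            elif not m:
                steps.append((tok, None))
        return steps
    return [("files", None), ("dns", None)]   # assumed fallback when no hosts: line


def parse_resolv(text):
    """Return (search list, nameserver list) from resolv.conf text."""
    search, servers = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] in ("search", "domain"):
            search = parts[1:]
        elif parts[0] == "nameserver":
            servers.append(str(ipaddress.ip_address(parts[1])))   # validates the address
    return search, servers


def candidates(name, search):
    """Names tried for a query: 'node10' with 'search aes' -> node10.aes, then node10.
    A trailing dot marks the name as fully qualified and disables the search list."""
    if name.endswith("."):
        return [name[:-1]]
    if "." in name:                      # already has a dot: try it literally first
        return [name] + [f"{name}.{d}" for d in search]
    return [f"{name}.{d}" for d in search] + [name]


def lookup_files(name):
    """USE HOSTS: scan /etc/hosts for a matching hostname or alias."""
    for line in HOSTS.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in fields[1:]:
            return fields[0]
    return None


def lookup_dns(name, servers):
    """USE DNS: ask the nameservers from resolv.conf (simulated by DNS_TABLE)."""
    if not servers:
        return None
    return DNS_TABLE.get(name)


def resolve(name, nsswitch=NSSWITCH, resolv=RESOLV):
    """Walk the hosts: sources, in order, for each candidate name.
    Returns (fqdn, address, source) or None when nothing matched."""
    steps = parse_nsswitch(nsswitch)
    search, servers = parse_resolv(resolv)
    for cand in candidates(name, search):
        for source, action in steps:
            if source == "files":
                addr = lookup_files(cand)
            elif source == "dns":
                addr = lookup_dns(cand, servers)
            else:
                addr = None              # nis, nisplus and db are not modelled here
            if addr:
                return cand, addr, source
            if action == ("NOTFOUND", "return"):
                break                    # stop consulting later sources for this name
    return None


if __name__ == "__main__":
    for query in ("node2", "node10", "gw.aes.", "nothere"):
        print(query, "->", resolve(query))
```

Running it shows node2 answered from /etc/hosts (because files comes first), node10 answered by DNS after the search list qualified it, and nothere returning None. Passing `nsswitch="hosts: files [NOTFOUND=return] dns\n"` to resolve() makes node10 fail too, which is exactly the behaviour the [NOTFOUND=return] option on the slide describes: a host missing from /etc/hosts is reported as not found without DNS being consulted.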
BIND Configuration

• The configuration file contains subsections as follows:
– Options → How named will operate
– logging → What/how named will log information
– Access Lists → Who can use named & what they can do
– Remote Servers → Characteristics of remote servers
– zones → Information about our defined domains

• An Example Config file:

    options {
        directory "/var/named/";
        forward only;
        forwarders {
            203.2.75.132;
            203.2.75.108;
        };
        query-source address * port 53;
        listen-on { 10.27.1.10; 127.0.0.1; };
        notify no;
    };

    #### The root zone ###
    zone "." {
        type hint;
        file "named.ca";
    };

    #### A zone for localhost ###
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "0.0.127.in-addr.arpa.zone";
    };

    zone "localhost" {
        type master;
        file "localhost.zone";
    };

    ### A local domain ###
    zone "1.27.10.in-addr.arpa" {
        type master;
        file "1.27.10.in-addr.arpa.zone";
    };

    zone "aes" {
        type master;
        file "aes.zone";
    };

    key "key" {
        algorithm hmac-md5;
        secret "JoqlFqtncqurkhMOrrbQLYRcxSYXoNROvNTZBqWJFumleNkzOvEvTAbqpbMV";
    };

Zone files:

• Each zone uses a file for:
– Hostname to IP address translations (Forward lookups)
– IP to Hostname translations (Reverse lookups)
• The names can be anything, but usually:
– Forward file -> <domain>.zone
– Reverse file -> <Net-IP>.in-addr.arpa
• Where the Net-IP is the network part of the IP address.

Zone Records:

SOA record   Marks the start of a zone.
NS record    Defines the name server for a zone or subdomain
MX record    Defines mail servers for a domain
CNAME record Defines an alias for a hostname
LOC record   Defines the physical location of the server
SRV record   Defines what services are found where (eg ftp, http etc)
A record     Defines hostname to IP address translations (forward file)
PTR record   Defines IP address to hostname translations (reverse file)

Example Forward file /var/named/aes.zone

    @       IN  SOA   node10.aes. root.localhost (
                      2       ; serial
                      28800   ; refresh
                      7200    ; retry
                      604800  ; expire
                      86400   ; ttl
                      )
    @       IN  NS    node10.aes.
    node5   IN  MX    10 mail
    node6   IN  MX    10 mail
    node4   IN  MX    10 mail
    node2   IN  MX    10 mail
    node10  IN  MX    10 mail
    gw      IN  MX    10 mail
    node10  IN  A     10.27.1.10
    node2   IN  A     10.27.1.2
    node4   IN  A     10.27.1.4
    node5   IN  A     10.27.1.5
    node6   IN  A     10.27.1.6
    cds     IN  A     10.27.1.99
    gw      IN  A     10.27.1.254
    ns      IN  CNAME node10
    mail    IN  CNAME node10
    node-4  IN  CNAME node4

Example reverse file /var/named/1.27.10.in-addr.arpa.zone (the file named for this zone in named.conf above)

    @       IN  SOA   @ root.localhost (
                      2       ; serial
                      28800   ; refresh
                      7200    ; retry
                      604800  ; expire
                      86400   ; ttl
                      )
    @       IN  NS    ns.aes.
    2       IN  PTR   node2.aes.
    4       IN  PTR   node4.aes.
    5       IN  PTR   node5.aes.
    6       IN  PTR   node6.aes.
    10      IN  PTR   node10.aes.
    99      IN  PTR   cds.aes.
    254     IN  PTR   gw.aes.

Configuring a Caching only Nameserver

• A caching only nameserver is simple to set up. The first time a name is needed, a normal lookup occurs (authoritative). The next time that name is needed, it is returned from cache (non-authoritative).
• Under /etc/named.conf in the options section, just make sure you have the following directives set:

    options {
        directory "/var/named/";
        forward only;
        forwarders { <forwarder-ip>; <forwarder-ip>; };
        listen-on { 127.0.0.1; };
    };

• Leave the root zone (.) and localhost entries as they are.
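The forward and reverse zone files above must agree with each other, and a mismatch (an A record with no PTR, a PTR naming a host that no longer has an A record, a CNAME pointing at nothing) is the usual cause of "reverse lookup fails" tickets and of mail being rejected by servers that check PTR records. The following is an added example, not code from the slides or from BIND: a small parser for the master-file format the slides use (parenthesised SOA, @, relative names, ; comments) and a set of checks over it. The zone texts are copied from the slide examples as constructed input; the forward/reverse origins are passed in explicitly. The NS-is-CNAME check applies RFC 2181 section 10.3, which forbids an NS record's target from being an alias.

```python
"""Consistency checks across a forward zone and its reverse zone.
Added example, not part of the slides or of BIND. The zone texts below are
copied from the slide examples and embedded as constructed input."""

FORWARD_ZONE = """\
@       IN  SOA   node10.aes. root.localhost (
                  2       ; serial
                  28800   ; refresh
                  7200    ; retry
                  604800  ; expire
                  86400   ; ttl
                  )
@       IN  NS    node10.aes.
node5   IN  MX    10 mail
node6   IN  MX    10 mail
node4   IN  MX    10 mail
node2   IN  MX    10 mail
node10  IN  MX    10 mail
gw      IN  MX    10 mail
node10  IN  A     10.27.1.10
node2   IN  A     10.27.1.2
node4   IN  A     10.27.1.4
node5   IN  A     10.27.1.5
node6   IN  A     10.27.1.6
cds     IN  A     10.27.1.99
gw      IN  A     10.27.1.254
ns      IN  CNAME node10
mail    IN  CNAME node10
node-4  IN  CNAME node4
"""

REVERSE_ZONE = """\
@       IN  SOA   @ root.localhost (
                  2       ; serial
                  28800   ; refresh
                  7200    ; retry
                  604800  ; expire
                  86400   ; ttl
                  )
@       IN  NS    ns.aes.
2       IN  PTR   node2.aes.
4       IN  PTR   node4.aes.
5       IN  PTR   node5.aes.
6       IN  PTR   node6.aes.
10      IN  PTR   node10.aes.
99      IN  PTR   cds.aes.
254     IN  PTR   gw.aes.
"""

# Which rdata fields of each type hold a domain name that must be qualified.
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}


def qualify(name, origin):
    """@ -> origin; 'node2.aes.' -> 'node2.aes'; 'node2' -> 'node2.<origin>'."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Parse a minimal master file into [(owner, type, rdata)].
    Joins ( ) continuation lines, strips ; comments, accepts an optional TTL
    and IN class, and repeats the previous owner when a line starts blank."""
    records, buf, depth, first_ws, owner = [], [], 0, False, origin
    for line in text.splitlines():
        body = line.split(";", 1)[0]
        if depth == 0:
            if not body.strip():
                continue
            first_ws = body[0].isspace()
        buf.append(body)
        depth += body.count("(") - body.count(")")
        if depth:
            continue                                   # still inside ( ... )
        toks = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if not first_ws:
            owner = qualify(toks.pop(0), origin)
        if toks and toks[0].isdigit():
            toks.pop(0)                                # optional TTL
        if toks and toks[0].upper() == "IN":
            toks.pop(0)                                # optional class
        rtype = toks.pop(0).upper()
        rdata = [qualify(t, origin) if i in NAME_FIELDS.get(rtype, []) else t
                 for i, t in enumerate(toks)]
        records.append((owner, rtype, rdata))
    return records


def ptr_owner_to_ip(owner):
    """'2.1.27.10.in-addr.arpa' -> '10.27.1.2'"""
    labels = owner.split(".")
    assert labels[-2:] == ["in-addr", "arpa"], owner
    return ".".join(reversed(labels[:-2]))


def check_zones(forward_text, forward_origin, reverse_text, reverse_origin):
    """Return the findings a zone review would report, each as a sorted list."""
    fwd = parse_zone(forward_text, forward_origin)
    rev = parse_zone(reverse_text, reverse_origin)
    a_pairs = {(o, rd[0]) for o, t, rd in fwd if t == "A"}
    ptr_pairs = {(rd[0], ptr_owner_to_ip(o)) for o, t, rd in rev if t == "PTR"}
    owners = {o for o, _, _ in fwd}
    cnames = {o for o, t, _ in fwd if t == "CNAME"}
    ns_targets = {rd[0] for _, t, rd in fwd + rev if t == "NS"}
    return {
        "a_without_ptr": sorted(a_pairs - ptr_pairs),
        "ptr_without_a": sorted(ptr_pairs - a_pairs),
        "dangling_cname": sorted(o for o, t, rd in fwd if t == "CNAME" and rd[0] not in owners),
        "ns_is_cname": sorted(ns_targets & cnames),    # RFC 2181 s10.3: NS must not name an alias
    }


if __name__ == "__main__":
    for finding, items in check_zones(FORWARD_ZONE, "aes", REVERSE_ZONE, "1.27.10.in-addr.arpa").items():
        print(f"{finding}: {items}")
```

On the slide's own data every A record has its PTR and every PTR its A record, and no CNAME dangles, but the check does flag one thing: the reverse zone's NS record names ns.aes, which the forward zone defines as a CNAME for node10. Pointing the NS at node10.aes. directly (as the forward zone already does) removes the finding. Appending a host without a PTR, or a CNAME to a name that does not exist, to FORWARD_ZONE produces the corresponding entries in a_without_ptr and dangling_cname.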
Testing DNS

• To test DNS, use one of the following tools:
– nslookup (deprecated)
– dig
– host
• To use them in their simplest form, just add the hostname you wish to query as the first option to the command:

    nslookup node16.c222
    dig node16.c222
    host node16.c222

nslookup

• Usage: nslookup [option] host-to-find [-name-server]
• Example:

    $ nslookup node2.aes -10.27.1.10
    Note:  nslookup is deprecated and may be removed from future releases.
    Consider using the `dig' or `host' programs instead.  Run nslookup with
    the `-sil[ent]' option to prevent this message from appearing.
    Server:         10.27.1.10
    Address:        10.27.1.10#53

    Name:   node2.aes
    Address: 10.27.1.2

dig

• Usage: dig [@name-server] host-to-find [query-type]
• Example:

    $ dig @10.27.1.10 node2.aes

    ; <<>> DiG 9.2.0 <<>> @10.27.1.10 node2.aes
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43860
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;node2.aes.                     IN      A

    ;; ANSWER SECTION:
    node2.aes.              86400   IN      A       10.27.1.2

    ;; AUTHORITY SECTION:
    aes.                    86400   IN      NS      node10.aes.

    ;; ADDITIONAL SECTION:
    node10.aes.             86400   IN      A       10.27.1.10

    ;; Query time: 5 msec
    ;; SERVER: 10.27.1.10#53(10.27.1.10)
    ;; WHEN: Mon Sep 2 13:48:38 2002
    ;; MSG SIZE  rcvd: 80

host

• Usage: host [option] host-to-find [name-server]
• Example:

    $ host node2.aes
    node2.aes has address 10.27.1.2

Exercise:

1. Install bind on your machine:

    # rpm -Uvh bind-9*.rpm

2. Configure a Caching only nameserver on your machine. (Make all queries forward to 192.168.222.254)
3. Make changes to resolv.conf & nsswitch.conf as required (Default domain to use is c222)
4. Start the named:

    # service named start

5. Test it out with the host node16.c222 using:
• nslookup
• dig
• host
6. Test again, this time with the host box16
7. (For those who want a DNS challenge)
(a) Set up a set of zones for the .c222 domain.
(b) Insert the new zones into the main configuration file
(c) Restart the named and test it.

DNS Name Lookup Procedure

[Diagram: a client asks the Local DNS for the IP address of a name (the first slide uses google.com, the later ones www.abc.com); the Local DNS then works down the tree.]
1. Client -> Local DNS: "What is IP addr for www.abc.com?"
2. Local DNS -> . (root) DNS: "What is IP for www.abc.com?" Reply: "Don't know, but here is the IP for the .com Nameserver. Go ask them"
3. Local DNS -> .com DNS: "What is IP for www.abc.com?" Reply: "Don't know, but here is the IP for the abc.com Nameserver. Go ask them"
4. Local DNS -> abc.com DNS: "What is IP for www.abc.com?" Reply: "The IP for www.abc.com is 1.2.3.4"
5. Local DNS -> Client: "IP addr is 1.2.3.4"

The End
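The lookup procedure in the diagram, and the caching-only slide's point that the first answer is authoritative while repeats come from cache, as an added example that is not part of the slides. Every server, zone and address here is constructed (the 192.0.2.x addresses are documentation addresses and a.gtld.example is a made-up name server); the code models the three authoritative servers as data and the Local DNS as a small resolver that follows referrals from the root down, records which servers it asked, and remembers the answer. It also applies one rule real resolvers enforce that the diagram leaves implicit: a referral is only followed if it points below the zone of the server that gave it, so a server cannot redirect the resolver to an unrelated part of the tree.

```python
"""Simulation of the DNS name lookup procedure drawn on the last slides.
Added example, not from the slides; all servers and addresses are constructed."""

# Constructed authoritative data: zone -> the NS delegations it holds
# (child zone -> name server) and the A records it can hand out as glue or answers.
ZONES = {
    ".": {"NS": {"com": "a.gtld.example"},
          "A": {"a.gtld.example": "192.0.2.1"}},
    "com": {"NS": {"abc.com": "ns1.abc.com"},
            "A": {"ns1.abc.com": "192.0.2.2"}},
    "abc.com": {"NS": {"abc.com": "ns1.abc.com"},
                "A": {"www.abc.com": "1.2.3.4", "ns1.abc.com": "192.0.2.2"}},
}
ROOT_HINT = "192.0.2.53"                                   # constructed root server address
SERVERS = {ROOT_HINT: ".", "192.0.2.1": "com", "192.0.2.2": "abc.com"}   # address -> zone served


def in_zone(name, zone):
    """True when name lies inside zone (everything lies inside the root)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def authoritative_server(server_ip, qname):
    """What one authoritative server replies: an answer, a referral with glue,
    or nxdomain. Mirrors the 'Don't know, but here is the IP for ...' boxes."""
    zone = SERVERS[server_ip]
    data = ZONES[zone]
    delegations = [z for z in data["NS"] if z != zone and in_zone(qname, z)]
    if delegations:
        child = max(delegations, key=len)                 # closest enclosing child zone
        nsname = data["NS"][child]
        return ("referral", child, nsname, data["A"][nsname])
    if qname in data["A"]:
        return ("answer", data["A"][qname])
    return ("nxdomain",)


class LocalDns:
    """The Local DNS of the diagram: a caching resolver that iterates from the root."""

    def __init__(self):
        self.cache = {}

    def lookup(self, qname):
        """Return (address or None, authoritative, zones_asked).
        A cached hit is non-authoritative and asks nobody."""
        if qname in self.cache:
            return self.cache[qname], False, []
        server, current_zone, asked = ROOT_HINT, ".", []
        for _ in range(8):                                # bound the referral chain
            asked.append(SERVERS[server])
            reply = authoritative_server(server, qname)
            if reply[0] == "answer":
                self.cache[qname] = reply[1]              # remember for next time
                return reply[1], True, asked
            if reply[0] == "referral":
                _, child, _nsname, glue = reply
                # Follow only referrals that descend from the zone we just asked.
                if child == current_zone or not in_zone(child, current_zone):
                    raise ValueError(f"out-of-bailiwick referral to {child} from {current_zone}")
                server, current_zone = glue, child
                continue
            return None, True, asked                       # nxdomain from the authority
        raise RuntimeError("referral chain too long")


if __name__ == "__main__":
    local = LocalDns()
    print(local.lookup("www.abc.com"))     # asks ., com, abc.com; authoritative
    print(local.lookup("www.abc.com"))     # from cache; non-authoritative, asks nobody
    print(local.lookup("nothere.abc.com"))
```

The first call walks exactly the path in the diagram (root, .com, abc.com) and returns 1.2.3.4 marked authoritative; the second returns the same address from cache, marked non-authoritative, having sent no queries. A name under abc.com that does not exist still walks the whole chain and comes back empty from the abc.com server, which is what a real resolver reports as NXDOMAIN.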