1 | Exercise 2.3: Building a DNS cache |
---|
2 | ================================== |
---|
3 | |
---|
4 | 1. Check the version of BIND which is installed |
---|
5 | ----------------------------------------------- |
---|
6 | |
---|
7 | $ named -v |
---|
8 | BIND 9.6.2-P2 |
---|
9 | |
---|
10 | |
---|
11 | 2. Configure your cache to accept queries from neighbors |
---|
12 | -------------------------------------------------------- |
---|
13 | |
---|
14 | Edit the file /etc/namedb/named.conf (using vi or ee) |
---|
15 | |
---|
16 | Then find the line: |
---|
17 | |
---|
18 | listen-on { 127.0.0.1; }; |
---|
19 | |
---|
20 | ... and REMOVE IT. |
---|
21 | |
---|
22 | Instead, add another line: |
---|
23 | |
---|
24 | allow-recursion { 127.0.0.1; 119.2.100.0/24; }; |
---|
25 | |
---|
26 | Be careful about the semicolons ';' and braces { } - BIND |
---|
27 | will complain if they are not placed correctly |
---|
28 | |
---|
29 | By removing the line "listen-on ..." and adding the line |
---|
30 | "allow-recursion", we are telling BIND: |
---|
31 | |
---|
32 | - please listen to the network for queries, not only on |
---|
33 | the local interface "127.0.0.1"; |
---|
34 | |
---|
35 | - please allow clients in the 119.2.100.0/24 to send queries |
---|
36 | to me, as well as myself; |
---|
37 | |
---|
38 | 3. Start the cache and check it is running |
---|
39 | ------------------------------------------ |
---|
40 | |
---|
41 | Now, edit `/etc/rc.conf` and add a line saying `named_enable="YES"` |
---|
42 | |
---|
43 | Then run these commands: |
---|
44 | # cd /etc/namedb/master |
---|
45 | # /etc/rc.d/named start |
---|
46 | # ps auxwww | grep named |
---|
47 | # tail /var/log/messages |
---|
48 | |
---|
49 | Check for successful startup with no error messages (you can ignore errors |
---|
50 | about missing `master/localhost.rev` and `master/localhost-v6.rev` for now) |
---|
51 | |
---|
52 | 4. Reconfigure your resolver to use your own cache only |
---|
53 | ------------------------------------------------------- |
---|
54 | |
---|
55 | Edit `/etc/resolv.conf` as follows: |
---|
56 | |
---|
57 | Remove any existing 'nameserver' lines, or comment them out by inserting '#' |
---|
58 | at the front. 127.0.0.1 is the loopback address; that is, an IP address |
---|
59 | which means 'send the packet to myself', and we'll use it as our nameserver: |
---|
60 | |
---|
61 | search ws3.conference.sanog.org |
---|
62 | nameserver 127.0.0.1 |
---|
63 | |
---|
64 | 5. Send some queries |
---|
65 | -------------------- |
---|
66 | |
---|
67 | Issue a query. Make a note of whether the response has the 'aa' flag set. |
---|
68 | Look at the answer section and note the TTL of the answer. Also note how long |
---|
69 | the query took to process. |
---|
70 | |
---|
71 | Then repeat the _exact same_ query, and note the information again. |
---|
72 | |
---|
73 | $ dig www.tiscali.co.uk. Does it have the 'aa' flag? ______ |
---|
74 | What is the TTL of the answer? ______ seconds |
---|
75 | How long is the Query Time? ______ |
---|
76 | milliseconds |
---|
77 | |
---|
78 | $ dig www.tiscali.co.uk. Does it have the 'aa' flag? ______ |
---|
79 | What is the TTL of the answer? ______ seconds |
---|
80 | How long is the Query Time? ______ |
---|
81 | milliseconds |
---|
82 | |
---|
83 | Repeat it a third time. Can you explain the differences? |
---|
84 | |
---|
85 | If your neighbour has got their cache working, then try sending some queries |
---|
86 | to their cache (remember `dig @119.2.100.XXX somedomain.name`) |
---|
87 | |
---|
88 | ... where XXX is the IP of the PC in the class you want to send the |
---|
89 | query to, and "somedomain.name" is the query you would like to perform. |
---|
90 | |
---|
91 | 6. Watch the cache in operation |
---|
92 | ------------------------------- |
---|
93 | |
---|
94 | You can take a snapshot of the cache contents like this: |
---|
95 | |
---|
96 | # /usr/sbin/rndc dumpdb |
---|
97 | # less /var/named/var/dump/named_dump.db |
---|
98 | |
---|
99 | (Don't do this on a busy cache - you will generate a huge dump file!) |
---|
100 | |
---|
101 | You can watch the cache making queries to the outside world using |
---|
102 | `tcpdump` in a different window or screen (ALT-F1, ALT-F2, etc...): |
---|
103 | |
---|
104 | # tcpdump -n -s1500 -i xyz0 udp port 53 |
---|
105 | |
---|
106 | Replace `xyz0` with the name of your ethernet interface - e.g. `em0` or |
---|
107 | `bge0` - run "ifconfig" to find out what your interface is. |
---|
108 | |
---|
109 | While tcpdump is running, in the first window flush your cache (so it forgets |
---|
110 | all existing data) and then issue some queries. |
---|
111 | |
---|
112 | # rndc flush |
---|
113 | # dig www.tiscali.co.uk. -- and watch tcpdump output. What do you see? |
---|
114 | |
---|
115 | # dig www.tiscali.co.uk. -- watch tcpdump again. This time? |
---|
116 | |
---|
117 | 7. Tightening up the configuration (optional) |
---|
118 | --------------------------------------------- |
---|
119 | |
---|
120 | Following the examples on the presentation, create zonefiles which map |
---|
121 | localhost to 127.0.0.1 and 127.0.0.1 to localhost, and test. |
---|
122 | |
---|
123 | Following the examples on the presentation, create an ACL which restricts |
---|
124 | access to your cache to your machine only. Get someone else to try to |
---|
125 | resolve names using your cache. Remember: |
---|
126 | |
---|
127 | rndc reload # to make your modified configuration active |
---|
128 | tail /var/log/messages # to check for errors in your configuration |
---|
129 | |
---|