DNS: dns4-exercise2.2.txt

DNS Exercise 4.2: Setting up Reverse DNS (in-addr.arpa.) for a /24 IP Block
===========================================================================

Since we don't have an entire /24 for the class, we'll pretend we have
one for each student.

We'll use 192.168.0.0/16 for reverse DNS (in-addr.arpa.) exercises
in this workshop.

Each student will be allocated a /24 for this exercise. Each student will
setup reverse DNS for the /24 allocated to them. The allocation will be
done based on the students PCs number so if your PC is `ws1.ws3.conference.sanog.org`,
and your IP address is `119.2.100.1`, then the /24 assigned to you will be
`192.168.1.0/24`.

In this exercise, you will setup reverse DNS for 192.168.X.0/24, where X
is your PCs number. You will create master nameservice on your own machine,
and someone else will setup their machine to be a slave server for your
X.222.196.in-addr.arpa. domain. Then you will ask the administrator for the
domain (your RIR in real life) above you (222.196.in-addr.arpa) to delegate
the /24 to you.

Please refer to DNS Exercise 3.1 on Setting up a domain


Exercise
--------

*   Write the domain allocated to you here:  `____.222.196.in-addr.arpa.`
    (e.g. ws12 will write 12.222.196.in-addr.arpa.)

*   Find someone who will agree to be slave for your domain. You must choose
    someone on a DIFFERENT table to you. (Remember RFC2182: secondaries must
    be on remote networks). You can have more than one slave if you wish.

*   Create your zone file in `/var/named/etc/namedb/master/X.222.196.in-addr.arpa`
    (where X is your PCs number)

    >     $TTL 10m
    >     @             IN      SOA     wsX.ws3.conference.sanog.org.  yourname.example.com. (
    >                                           2006051000    ; Serial
    >                                           10m           ; Refresh
    >                                           10m           ; Retry
    >                                           4w            ; Expire
    >                                           10m )         ; Negative
    >
    >                   IN      NS      wsX.ws3.conference.sanog.org.   ; master
    >                   IN      NS      wsY.ws3.conference.sanog.org.   ; slave
    >
    >     1             IN      PTR     dhcp1.xxxxx.ws3.conference.sanog.org.
    >
    >     $GENERATE 11-254 $    IN      PTR     ppp$.xxxxx.ws3.conference.sanog.org.

    Replace `yourname.example.com.` with your home E-mail address, changing
    "@" to "." and adding a "." to the end.

    Replace xxxxx.ws3.conference.sanog.org with the domain you setup in
    DNS Exercise 3.1: Setting up a domain

    We have chosen purposely low values for TTL, refresh, and retry to make
    it easier to fix problems in the classroom. For a production domain you
    would use higher values, e.g. `$TTL 1d`

*   Edit `/var/named/etc/namedb/named.conf` to configure your machine as
    master for your domain (see slides for information how to do this)

*   Check that your config file and zone file are valid, and then reload the
    nameserver daemon:

        # named-checkconf
        # named-checkzone X.222.196.in-addr.arpa \
                  /var/named/etc/namedb/master/X.222.196.in-addr.arpa

    *If there are any errors, correct them*

        # rndc reload
        # tail /var/log/messages

    *If there are any errors, correct them*. Some configuration errors can
    cause the daemon to die completely, in which case you may have to
    start it again:

        # /etc/rc.d/named restart

*   Assist your slaves to configure themselves as slave for your domain, and
    configure yourself as a slave if asked to do so by another table.
    Again, the instructions for how to do this are on the slides. If you
    have changed your `named.conf` so that you are a slave for someone
    else, make sure there are no errors in `/var/log/messages` after you
    do `rndc reload`.

*   Check that you and your slaves are giving authoritative answers for
    your domain:

        # dig +norec @119.2.100.X X.222.196.in-addr.arpa. soa
        # dig +norec @192.200.219.Y X.222.196.in-addr.arpa. soa

    Check that you get an AA (authoritative answer) from both, and that
    the serial numbers match.

*   Now you are ready to request delegation. Bring the following form to the
    classroom instructor:

        Domain name:          __.222.196.in-addr.arpa.

        Master nameserver:    ws____.ws3.conference.sanog.org

        Slave nameserver:     ws____.ws3.conference.sanog.org

        Slave nameserver:     ws____.ws3.conference.sanog.org (optional)

        Slave nameserver:     ws____.ws3.conference.sanog.org (optional)

*   You will not get delegation until the instructor has checked:

    - Your nameservers are all authoritative for your domain
    - They all have the same SOA serial number
    - The NS records within the zone match the list of servers you are
      requesting delegation for
    - The slave(s) are not on the same desk as you

*   Once you have delegation, find the names associated with
    192.168.X.1 and 192.168.X.12:

    Try this:
    - On your own machine

        # dig +norec @119.2.100.X -x 192.168.X.1
        # dig +norec @119.2.100.X -x 192.168.X.12

    - On someone else's machine (who is not slave for you)
    - On a machine elsewhere on the Internet, if you have access to one
      (www.dnsstuff.com)

*   Ensure that the forward and reverse DNS entries match. You will have to
    edit your xxxxx.ws3.conference.sanog.org zonefiles and add the following records. Don't
    forget to increase the serial number in the zone file.

>       dhcp1           IN      A       192.168.X.1
>
>       $GENERATE 11-254 ppp$   IN      A       192.168.X.$