Exercise 2.3: Building a DNS cache
==================================

1. Check the version of BIND which is installed
-----------------------------------------------

    $ named -v
    BIND 9.6.2-P2

2. Configure your cache to accept queries from neighbors
--------------------------------------------------------

Edit the file /etc/namedb/named.conf (using vi or ee).

Then find the line:

    listen-on { 127.0.0.1; };

... and REMOVE IT. Instead, add another line:

    allow-recursion { 127.0.0.1; 119.2.100.0/24; };

Be careful about the semicolons ';' and braces { } - BIND will complain if
they are not placed correctly.

By removing the line "listen-on ..." and adding the line "allow-recursion",
we are telling BIND:

- please listen to the network for queries, not only on the local interface
  "127.0.0.1";
- please allow clients in 119.2.100.0/24 to send recursive queries to me, as
  well as myself.

Keep the allow-recursion list tight: a cache that recurses for anyone is an
"open resolver" that hosts outside the class can use and abuse.

3. Start the cache and check it is running
------------------------------------------

Now, edit `/etc/rc.conf` and add a line saying `named_enable="YES"`.

Then run these commands:

    # cd /etc/namedb/master
    # /etc/rc.d/named start
    # ps auxwww | grep named
    # tail /var/log/messages

Check for successful startup with no error messages (you can ignore errors
about missing `master/localhost.rev` and `master/localhost-v6.rev` for now).

4. Reconfigure your resolver to use your own cache only
-------------------------------------------------------

Edit `/etc/resolv.conf` as follows:

Remove any existing 'nameserver' lines, or comment them out by inserting '#'
at the front. 127.0.0.1 is the loopback address; that is, an IP address which
means 'send the packet to myself', and we'll use it as our nameserver:

    search ws3.conference.sanog.org
    nameserver 127.0.0.1

5. Send some queries
--------------------

Issue a query. Make a note of whether the response has the 'aa' flag set.
Look at the answer section and note the TTL of the answer. Also note how long
the query took to process.
Then repeat the _exact same_ query, and note the information again.

    $ dig www.tiscali.co.uk.

    Does it have the 'aa' flag?       ______
    What is the TTL of the answer?    ______ seconds
    How long is the Query Time?       ______ milliseconds

    $ dig www.tiscali.co.uk.

    Does it have the 'aa' flag?       ______
    What is the TTL of the answer?    ______ seconds
    How long is the Query Time?       ______ milliseconds

Repeat it a third time. Can you explain the differences?

If your neighbour has got their cache working, then try sending some queries
to their cache (remember `dig @119.2.100.XXX somedomain.name`)

... where XXX is the last part of the IP address of the PC in the class you
want to send the query to, and "somedomain.name" is the name you would like
to look up.

6. Watch the cache in operation
-------------------------------

You can take a snapshot of the cache contents like this:

    # /usr/sbin/rndc dumpdb
    # less /var/named/var/dump/named_dump.db

(Don't do this on a busy cache - you will generate a huge dump file!)

You can watch the cache making queries to the outside world using `tcpdump`
in a different window or screen (ALT-F1, ALT-F2, etc...):

    # tcpdump -n -s1500 -i xyz0 udp port 53

Replace `xyz0` with the name of your ethernet interface - e.g. `em0` or
`bge0` - run "ifconfig" to find out what your interface is.

While tcpdump is running, in the first window flush your cache (so it forgets
all existing data) and then issue some queries.

    # rndc flush
    # dig www.tiscali.co.uk.

-- and watch the tcpdump output. What do you see?

    # dig www.tiscali.co.uk.

-- watch tcpdump again. This time?

7. Tightening up the configuration (optional)
---------------------------------------------

Following the examples on the presentation, create zonefiles which map
localhost to 127.0.0.1 and 127.0.0.1 to localhost, and test.

Following the examples on the presentation, create an ACL which restricts
access to your cache to your machine only. Get someone else to try to resolve
names using your cache.
Remember:

    rndc reload              # to make your modified configuration active
    tail /var/log/messages   # to check for errors in your configuration
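The three things step 5 asks you to note (the 'aa' flag, the answer TTL and the query time) can be pulled out of dig output with a few lines of awk. The script below is an added example, not part of the handout: the two dig transcripts in it are constructed (192.0.2.10 is a documentation address, not tiscali's real one), and the function names are this example's own. It shows what a cached answer looks like next to the first, uncached one, and handles a response with no answer section.

```shell
#!/bin/sh
# Added example: summarise dig output the way exercise 2.3 step 5 asks.
# Both transcripts below are constructed sample data.

# First query: the cache had to fetch the answer from the outside world.
FIRST=$(cat <<'EOF'
; <<>> DiG 9.6.2-P2 <<>> www.tiscali.co.uk.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.tiscali.co.uk.            IN      A

;; ANSWER SECTION:
www.tiscali.co.uk.      300     IN      A       192.0.2.10

;; Query time: 183 msec
;; MSG SIZE  rcvd: 51
EOF
)

# Same query 13 seconds later: answered from the cache.
SECOND=$(cat <<'EOF'
; <<>> DiG 9.6.2-P2 <<>> www.tiscali.co.uk.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.tiscali.co.uk.      287     IN      A       192.0.2.10

;; Query time: 0 msec
;; MSG SIZE  rcvd: 51
EOF
)

# "yes" if the aa (authoritative answer) flag is set, otherwise "no".
has_aa_flag() {
    printf '%s\n' "$1" | awk '/^;; flags:/ {
        f = $0; sub(/.*flags: */, "", f); sub(/;.*/, "", f)
        n = split(f, a, " "); r = "no"
        for (i = 1; i <= n; i++) if (a[i] == "aa") r = "yes"
        print r }'
}

# TTL (seconds) of the first record in the ANSWER SECTION; 0 if there is none
# (e.g. an NXDOMAIN response).
answer_ttl() {
    printf '%s\n' "$1" | awk '/^;; ANSWER SECTION:/ { s = 1; next }
        s && NF { print $2; p = 1; exit }
        END { if (!p) print 0 }'
}

# Query time in milliseconds as dig reports it; 0 if the line is missing.
query_time() {
    printf '%s\n' "$1" | awk '/^;; Query time:/ { print $4; p = 1 }
        END { if (!p) print 0 }'
}

# A cached answer carries no aa flag, a TTL that has counted down from the
# earlier answer, and a (near) zero query time.
cache_verdict() {
    if [ "$(has_aa_flag "$2")" = "no" ] &&
       [ "$(answer_ttl "$2")" -lt "$(answer_ttl "$1")" ] &&
       [ "$(query_time "$2")" -lt "$(query_time "$1")" ]; then
        echo "cache-hit"
    else
        echo "no-cache-hit"
    fi
}

# One line per query, in the order the worksheet asks for.
report() {
    printf 'aa=%s ttl=%ss time=%sms\n' \
        "$(has_aa_flag "$1")" "$(answer_ttl "$1")" "$(query_time "$1")"
}

report "$FIRST"
report "$SECOND"
echo "second answer: $(cache_verdict "$FIRST" "$SECOND")"
```

On the lab machine you would feed real output in with `dig www.tiscali.co.uk. > first.txt` and `report "$(cat first.txt)"`; the TTL falling by the number of seconds between the two queries is the tell-tale sign that the second answer never left your cache.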
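Steps 2 and 7 together describe a named.conf in which recursion is allowed only for your own machine and the classroom network, via an ACL. The script below is an added example, not the handout's or BIND's own: it holds that hardened fragment beside the open-resolver version, and runs a small check for the brace and semicolon mistakes the sheet warns about plus the `any` setting that makes a cache public. The acl name "trusted", the `directory` line and the `allow-query-cache` option (a real BIND option the exercise does not mention) are this example's assumptions.

```shell
#!/bin/sh
# Added example: the named.conf fragment for exercise 2.3 steps 2 and 7, an
# open-resolver counterpart, and a sanity check. All three fragments are
# constructed sample data.

# Hardened cache: recursion only for localhost and the classroom network.
GOOD_CONF=$(cat <<'EOF'
acl "trusted" { 127.0.0.1; 119.2.100.0/24; };
options {
    directory "/etc/namedb";
    recursion yes;
    allow-recursion { trusted; };   /* who may ask us to recurse */
    allow-query-cache { trusted; }; /* who may read cached answers */
};
EOF
)

# Open resolver: anyone on the Internet may use this cache.
OPEN_CONF=$(cat <<'EOF'
options {
    directory "/etc/namedb";
    recursion yes;
    allow-recursion { any; };
};
EOF
)

# Missing closing brace: the kind of mistake named refuses to start on.
BROKEN_CONF=$(cat <<'EOF'
options {
    recursion yes;
    allow-recursion { 127.0.0.1; 119.2.100.0/24; ;
};
EOF
)

# Every '{' needs a matching '}'.
braces_balanced() {
    open=$(( $(printf '%s' "$1" | tr -cd '{' | wc -c) ))
    close=$(( $(printf '%s' "$1" | tr -cd '}' | wc -c) ))
    [ "$open" -eq "$close" ]
}

# Every closing brace must be followed by ';' (i.e. "};").
blocks_terminated() {
    ! printf '%s\n' "$1" | grep -Eq '[}][[:space:]]*($|[^;[:space:]])'
}

# allow-recursion { any; } turns the cache into an open resolver.
recursion_restricted() {
    ! printf '%s\n' "$1" |
        grep -Eq 'allow-recursion[[:space:]]*[{]([^}]*[[:space:]{])?any[[:space:]]*;'
}

# Run the checks in order and print a one-line verdict.
check_named_conf() {
    if ! braces_balanced "$1"; then
        echo "syntax: unbalanced braces"
    elif ! blocks_terminated "$1"; then
        echo "syntax: block not terminated with ';'"
    elif ! recursion_restricted "$1"; then
        echo "open-resolver: allow-recursion permits any"
    else
        echo "ok"
    fi
}

echo "hardened: $(check_named_conf "$GOOD_CONF")"
echo "open:     $(check_named_conf "$OPEN_CONF")"
echo "broken:   $(check_named_conf "$BROKEN_CONF")"
```

The brace and semicolon checks are only a quick look before you restart named; on the lab machine BIND's own `named-checkconf /etc/namedb/named.conf` is the authoritative syntax check, and `tail /var/log/messages` after `rndc reload` shows what named actually accepted.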