File dns2-exercise3.txt, 4.1 KB (added by regnauld, 8 years ago)

DNS setting up bind for caching

Exercise 2.3: Building a DNS cache
==================================

1. Check the version of BIND which is installed
-----------------------------------------------

    $ named -v
    BIND 9.7.2-P3


2. Configure your cache to accept queries from neighbors
--------------------------------------------------------

Edit the file /etc/namedb/named.conf (using vi or ee)

Then find the line:

        listen-on       { 127.0.0.1; };

... and REMOVE IT.

Instead, add another line:

        allow-recursion { 127.0.0.1; 10.10.0.0/16; };

Finally, find the line:

        zone "10.in-addr.arpa"     { type master; file "/etc/namedb/master/empty.db"; };

... and REMOVE IT. (While that empty zone is loaded, BIND answers every
reverse lookup for a 10.x.x.x address itself with "no such name"; once it
is gone, reverse lookups for the classroom's 10.10.0.0/16 addresses are
resolved normally.)


Be careful about the semicolons ';' and braces { } - BIND
will complain if they are not placed correctly

By removing the line "listen-on ..." and adding the line
"allow-recursion", we are telling BIND:

- listen for queries on every interface (the default when no
  listen-on is given), not only on the local interface 127.0.0.1;

- allow clients in 10.10.0.0/16, as well as the cache itself, to
  send recursive queries. Anyone else is answered REFUSED for names
  the cache is not authoritative for, so the cache cannot be used by
  the whole Internet as an open resolver.

3. Restart the cache and check it is running
--------------------------------------------

If you haven't done so earlier, edit `/etc/rc.conf` and add two lines saying:

        named_chrootdir=""
        named_enable="YES"

(An empty `named_chrootdir` switches off the chroot that FreeBSD normally
runs named in, so that the paths used in this exercise are the real ones.
On a production cache, leave the chroot enabled.)

Then run these commands:

    # /etc/rc.d/named stop
    # /etc/rc.d/named start
    # ps auxwww | grep named
    # tail /var/log/messages

Check for successful startup with no error messages (you can ignore errors
about missing `master/localhost.rev` and `master/localhost-v6.rev`, as well
as messages regarding managed-keys-zone). If `ps` shows no named process,
the configuration did not load; the error will be in /var/log/messages.


4. Reconfigure your resolver to use your own cache only
-------------------------------------------------------

If you haven't done so earlier, edit `/etc/resolv.conf` as follows:

Remove any existing 'nameserver' lines, or comment them out by inserting '#'
at the front. 127.0.0.1 is the loopback address; that is, an IP address
which means 'send the packet to myself', and we'll use it as our nameserver:

    search ws.nsrc.org
    nameserver 127.0.0.1

5. Test resolution
------------------

Issue a query, for instance:

        $ dig google.com NS
        $ dig noc.ws.nsrc.org A

For each query:

1. Is the server responding ?
2. How do you know that you are talking to your OWN server ?
3. What do you notice ?

If your neighbour has got their cache working, then try sending some queries
to their cache (remember `dig @10.10.X.1 somedomain.name`)

... where 10.10.X.1 is the IP address of the PC in the class you want to send
the query to, and "somedomain.name" is the name you would like to look up.

Help your neighbours to get their cache working if required.

6. Watch the cache in operation
-------------------------------

You can take a snapshot of the cache contents like this:

    # ln -s /var/named/var/dump /var/dump
    # /usr/sbin/rndc dumpdb
    # less /var/named/var/dump/named_dump.db

(Don't do this on a busy cache - you will generate a huge dump file!)

You can watch the cache making queries to the outside world using
`tcpdump` in a different window or screen (ALT-F1, ALT-F2, etc...):

    # tcpdump -n -s1500 -i eth0 udp port 53

If your ethernet interface isn't named `eth0`, then use the name of
your ethernet interface - e.g. `em0` or `bge0` - run "ifconfig" to find out
what your interface is.

While tcpdump is running, in the first window flush your cache (so it forgets
all existing data) and then issue some queries.

    # rndc flush
    # dig www.tiscali.co.uk.   -- and watch tcpdump output. What do you see?

    # dig www.tiscali.co.uk.   -- watch tcpdump again. This time?
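
The following is an added example, not part of the workshop exercise: a small
DNS client and wire-format parser that checks, from the packets themselves,
what steps 5 and 6 ask you to notice with dig. A cache's reply carries the
"recursion available" (ra) flag and NOT the "authoritative answer" (aa) flag,
and a second query for the same name a moment later comes back with the same
records and a lower TTL, because the cache is counting the TTL down instead
of asking the outside world again. A server whose ACL excludes you answers
REFUSED with ra clear. The function names, the sample replies and the
address 192.0.2.1 (a documentation address, not the real noc.ws.nsrc.org)
are all constructed for this example.

```python
# Added example (not the workshop's code): minimal DNS client and parser for
# checking ra/aa flags, REFUSED answers and TTL count-down from raw packets.
# Sample replies are constructed here; 192.0.2.1 is a documentation address.
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "PTR": 12, "AAAA": 28}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """'noc.ws.nsrc.org' -> length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"

def build_query(name, qtype="A", txid=0x1234):
    """Recursive query (RD set), one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)

def decode_name(msg, off):
    """Read a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # pointer to an earlier copy of the name
            hops += 1
            if hops > 16:                      # refuse pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                  # the first pointer ends this name
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_response(msg):
    """Header flags plus the answer section as (name, type, ttl, rdata) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                        # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (2, 12):                 # NS and PTR carry a name
            rdata, _ = decode_name(msg, off)
        else:
            rdata = msg[off:off + rdlen].hex()
        answers.append((name, rtype, ttl, rdata))
        off += rdlen
    # aa = authoritative answer (clear on a cache); ra = recursion available to us
    return {"id": txid, "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": RCODE.get(flags & 0x000F, str(flags & 0x000F)), "answers": answers}

def served_from_cache(first, second):
    """True when 'second' repeats 'first' with strictly lower TTLs: the cache
    answered from memory and is counting down.  Wait >1 s between the queries."""
    if not first["answers"] or len(first["answers"]) != len(second["answers"]):
        return False
    return all(a[:2] + a[3:] == b[:2] + b[3:] and b[2] < a[2]
               for a, b in zip(first["answers"], second["answers"]))

def recursion_status(resp):
    """'open' if the server will recurse for us, 'refused' if its ACL said no."""
    return "open" if resp["ra"] and resp["rcode"] != "REFUSED" else "refused"

def make_sample_response(query, ip, ttl, ra=True, rcode=0):
    """CONSTRUCTED reply for offline testing; the answer name is a compression
    pointer (0xC00C) back to the question, as real servers send."""
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | rcode
    question = query[12:]
    if rcode:
        return query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + question
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return query[:2] + struct.pack("!HHHHH", flags, 1, 1, 0, 0) + question + rr

def query(server, name, qtype="A", timeout=2.0):
    """One UDP query to 'server' (127.0.0.1, or a neighbour's 10.10.X.1).
    Needs the network, so the offline test does not call it."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)

if __name__ == "__main__":
    import sys, time
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    a = query(server, "noc.ws.nsrc.org")
    time.sleep(1.5)
    b = query(server, "noc.ws.nsrc.org")
    print(recursion_status(a), a["answers"], "cached:", served_from_cache(a, b))
```

Run it with your own cache's address (the default, 127.0.0.1) and it should
print `open`, the A record, and `cached: True`; run it with a neighbour's
10.10.X.1 to see whether their allow-recursion lets you in. The transaction
id is fixed at 0x1234 for readability; a real client must randomise it (and
its source port) so that forged replies cannot be matched to its questions.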

7. Tightening up the configuration (optional)
---------------------------------------------

Following the examples on the presentation, how would you create zonefiles
which map localhost to 127.0.0.1 and 127.0.0.1 to localhost ?

Following the examples on the presentation, how would you create an ACL
which restricts access to your cache to your machine only ? Get someone else
to try to resolve names using your cache. Remember:

    rndc reload                 # to make your modified configuration active
    tail /var/log/messages      # to check for errors in your configuration

133Following the examples on the presentation, how would you create an ACL
134which restricts access to your cache to your machine only ? Get someone else
135to try to resolve names using your cache. Remember:
136
137    rndc reload                 # to make your modified configuration active
138    tail /var/log/messages      # to check for errors in your configuration
139