
File dns-bind-caching-setup.2.txt, 4.3 KB (added by admin, 7 years ago)
Building a DNS cache with BIND
------------------------------

1. Check the version of BIND which is installed
-----------------------------------------------

    $ named -v
    BIND 9.8.1


2. Configure your cache to accept queries from neighbors
--------------------------------------------------------

Edit the file /etc/namedb/named.conf (using vi or ee)

Then find the line:

        listen-on       { 127.0.0.1; };

... and REMOVE it, replacing it with this line instead:

        allow-recursion { 127.0.0.1; 10.10.0.0/16; };

Double check to see that there aren't any zones configured in your
DNS. For instance, if you see a line like the following:

        zone "10.in-addr.arpa"     { type master; file "/etc/namedb/master/empty.db"; };

... remove it, and save the file.


NOTE: Be careful about the semicolons ';' and braces { } - BIND
will complain if they are not placed correctly.

By removing the line "listen-on ..." and adding the line
"allow-recursion", we are telling BIND:

- please listen to the network for queries, not only on
  the local interface "127.0.0.1";

- please allow clients in 10.10.0.0/16 to send queries
  to me, as well as myself;

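The following script is an added example (it is not part of the original exercise and not BIND's own tooling). It reads the `options` block of a named.conf and reports which of the states this step is about the file is in: `listen-on` limited to loopback (neighbours cannot reach the cache at all), `allow-recursion` limited to an ACL (what the edit above produces), `allow-recursion { any; }` (an open resolver that will answer recursive queries for the whole Internet, the mistake to avoid), or `recursion no;` (the authoritative-only setting the closing note refers to). The four sample configs are constructed inline; the function names, file names and the `UNSET` label are my own.

```shell
#!/bin/sh
# Added example: lint the two named.conf settings this step changes.
# The sample configs below are constructed for this example, not taken from a real host.

# Drop "//" and "#" line comments so commented-out settings are ignored.
# (Assumption: the file uses no /* ... */ block comments.)
strip_comments() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1"
}

# Print the body between { } of statement $2 in file $1 on one line;
# prints nothing if the statement is absent.
get_stmt() {
    strip_comments "$1" | tr '\n' ' ' |
        sed -n "s/.*[[:space:]]$2[[:space:]]*{\([^}]*\)}.*/\1/p"
}

# Classify the resolver's exposure:
#   NO_RECURSION  - "recursion no;" present (authoritative-only server)
#   LOOPBACK_ONLY - listen-on holds only 127.0.0.1: neighbours cannot reach it
#   OPEN_RESOLVER - allow-recursion contains "any": recursion for everyone
#   UNSET         - no allow-recursion statement (BIND 9.4 and later then
#                   default to localnets; localhost;)
#   RESTRICTED    - an explicit ACL, as this exercise configures
classify_resolver() {
    cfg="$1"
    if strip_comments "$cfg" | grep -q 'recursion[[:space:]]*no[[:space:]]*;'; then
        echo NO_RECURSION
        return 0
    fi
    listen=$(get_stmt "$cfg" listen-on | tr -d ' ;')
    if [ "$listen" = "127.0.0.1" ]; then
        echo LOOPBACK_ONLY
        return 0
    fi
    acl=$(get_stmt "$cfg" allow-recursion | tr ';' ' ')
    if [ -z "$(echo "$acl" | tr -d ' ')" ]; then
        echo UNSET
    elif echo " $acl " | grep -q ' any '; then
        echo OPEN_RESOLVER
    else
        echo RESTRICTED
    fi
    return 0
}

# Constructed sample configs covering the cases above.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/before.conf" <<'EOF'
// constructed: the stock config before the edit (loopback only)
options {
        directory       "/etc/namedb";
        listen-on       { 127.0.0.1; };
};
EOF
cat > "$SAMPLE_DIR/after.conf" <<'EOF'
// constructed: after the edit made in this step
options {
        directory       "/etc/namedb";
        allow-recursion { 127.0.0.1; 10.10.0.0/16; };
};
EOF
cat > "$SAMPLE_DIR/open.conf" <<'EOF'
// constructed: the mistake to avoid - recursion for the whole Internet
options {
        directory       "/etc/namedb";
        allow-recursion { any; };
};
EOF
cat > "$SAMPLE_DIR/auth.conf" <<'EOF'
// constructed: recursion switched off again, authoritative-only
options {
        directory       "/etc/namedb";
        recursion no;
};
EOF

for f in before after open auth; do
    printf '%-12s %s\n' "$f.conf" "$(classify_resolver "$SAMPLE_DIR/$f.conf")"
done
```

Run it against your real file with `classify_resolver /etc/namedb/named.conf` once the functions are loaded; anything other than `RESTRICTED` (or `NO_RECURSION` on an authoritative-only box) is worth a second look before the cache is left running. The check only looks at the `options` block, not at per-view settings.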
3. Restart the cache and check it is running
--------------------------------------------

If you haven't done so earlier, edit `/etc/rc.conf` and add two lines saying:

        named_chrootdir=""
        named_enable="YES"

Then run these commands:

    $ sudo service named stop
    $ sudo service named start
    # ps auxwww | grep named
    # tail /var/log/messages

Check for successful startup with no error messages (you can ignore errors
about missing `master/localhost.rev` and `master/localhost-v6.rev`, as well
as messages regarding managed-keys-zone).


4. Reconfigure your resolver to use your own cache only
-------------------------------------------------------

If you haven't done so earlier, edit `/etc/resolv.conf` as follows
(remember to use sudo!)

Remove any existing 'nameserver' lines, or comment them out by inserting '#'
at the front. 127.0.0.1 is the loopback address; that is, an IP address
which means 'send the packet to myself', and we'll use it as our nameserver:

    search ws.nsrc.org
    nameserver 127.0.0.1

Now save and exit.

5. Test resolution
------------------

Issue a query, for instance:

        $ dig google.com NS
        $ dig noc.ws.nsrc.org A

For each query:

1. Is the server responding?
2. How do you know that you are talking to your OWN server?
3. What do you notice?

If your neighbour has got their cache working, then try sending some queries
to their cache:

    $ dig @10.10.X.1 somedomain.name

... where 10.10.X.1 is the IP address of the machine in the class you want
to send the query to, and "somedomain.name" is the name you would like to
look up.

Try and make some of the same queries you did before. Do the nameservers
of the other machines answer you?

Are you getting answers? What about for ws.nsrc.org?

Why?

Help your neighbours to get their cache working if required.

6. Make sure you can resolve hostnames in the class
---------------------------------------------------

Ping other PCs in the room, where X is 1-32:

    $ ping master.grpX.ws.nsrc.org
    $ ping cache.grpX.ws.nsrc.org
    $ ping auth.grpX.ws.nsrc.org


7. Watch the cache in operation
-------------------------------

You can take a snapshot of the cache contents like this:

    $ sudo ln -s /var/named/var/dump /var/dump
    $ sudo /usr/sbin/rndc dumpdb
    $ sudo less /var/named/var/dump/named_dump.db

(Don't do this on a busy cache - you will generate a huge dump file!)

You can watch the cache making queries to the outside world using
`tcpdump` in a different window (log in again via SSH):

    # tcpdump -n -s1500 -i eth0 udp port 53

If your ethernet interface isn't named `eth0`, then use the name of
your ethernet interface - e.g. `em0` or `bge0` - run "ifconfig" to find out
what your ethernet interface is named.

While tcpdump is running, in the first window flush your cache (so it forgets
all existing data) and then issue some queries:

    # rndc flush
    # dig noc.ws.nsrc.org.   -- and watch tcpdump output. What do you see?

    # dig noc.ws.nsrc.org.   -- watch tcpdump again. This time?
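
As an added example (not part of the original exercise), the script below pulls out of a dig answer the fields that matter for the flush-and-repeat test above and for the questions in step 5: the `SERVER:` line, which names the server that actually answered; the header flags; the TTL of the answer record; and the query time. It then compares the lookup made right after `rndc flush` with the repeat of the same name. The two dig outputs are constructed and abridged (real dig output has more lines and separates the answer fields with tabs), the address in them is made up, and the function names are my own.

```shell
#!/bin/sh
# Added example: read the fields of two dig runs and decide whether the second
# was answered from the cache. Both outputs are constructed and abridged.

DIG_AFTER_FLUSH='; <<>> DiG 9.8.1 <<>> noc.ws.nsrc.org.
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; ANSWER SECTION:
noc.ws.nsrc.org.   3600   IN   A   10.10.0.250

;; Query time: 187 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

DIG_REPEAT='; <<>> DiG 9.8.1 <<>> noc.ws.nsrc.org.
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; ANSWER SECTION:
noc.ws.nsrc.org.   3587   IN   A   10.10.0.250

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Value of a ";; NAME: value" status line ($2) in dig output ($1).
dig_field() {
    printf '%s\n' "$1" | sed -n "s/^;; $2: *//p"
}

# Query time in milliseconds, as a bare number.
dig_query_time() {
    dig_field "$1" "Query time" | sed 's/ msec$//'
}

# TTL of the first A record in the ANSWER SECTION.
dig_answer_ttl() {
    printf '%s\n' "$1" | awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
                              in_ans && $4 == "A" { print $2; exit }'
}

# Succeeds if header flag $2 ("aa", "ra", ...) is set in dig output $1.
dig_has_flag() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case " $flags " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Compare a first lookup ($1) with a repeat of the same name ($2). A cached
# record's TTL counts down between answers, so a lower TTL on the repeat
# means the cache answered from memory; tcpdump then shows no outbound
# port-53 traffic for it. Limitation: a repeat within the same second can
# show an unchanged TTL, in which case a query time near 0 msec is the hint.
classify_repeat() {
    ttl1=$(dig_answer_ttl "$1")
    ttl2=$(dig_answer_ttl "$2")
    if [ -n "$ttl1" ] && [ -n "$ttl2" ] && [ "$ttl2" -lt "$ttl1" ]; then
        echo CACHE_HIT
    else
        echo CACHE_MISS
    fi
}

printf 'answered by: %s\n' "$(dig_field "$DIG_REPEAT" SERVER)"
dig_has_flag "$DIG_REPEAT" ra && echo "ra flag set: this server offers recursion"
printf 'TTL %s -> %s, %s msec -> %s msec: %s\n' \
    "$(dig_answer_ttl "$DIG_AFTER_FLUSH")" "$(dig_answer_ttl "$DIG_REPEAT")" \
    "$(dig_query_time "$DIG_AFTER_FLUSH")" "$(dig_query_time "$DIG_REPEAT")" \
    "$(classify_repeat "$DIG_AFTER_FLUSH" "$DIG_REPEAT")"
```

To use it on live output, capture each run with `dig noc.ws.nsrc.org. > first.txt` and pass the file contents (`"$(cat first.txt)"`) to the functions; the `SERVER:` value should read `127.0.0.1#53(127.0.0.1)` if your resolv.conf change from step 4 took effect.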

NOTE: we have now enabled recursion in BIND! Remember this, and consider
turning recursion off again later, since, as explained earlier, running a
recursive and an authoritative server on the same machine is not a good idea.