
File dns-bind-caching-setup.txt, 4.4 KB (added by admin, 7 years ago)
Building a DNS cache with BIND
------------------------------

1. Check the version of BIND which is installed
-----------------------------------------------

    $ named -v
    BIND 9.8.1


2. Configure your MASTER host to accept queries from neighbors
--------------------------------------------------------------

Log in to your MASTER host if you haven't already done so
(master.grpX.ws.nsrc.org).

Edit the file /etc/namedb/named.conf (using vi or ee).

Then find the line:

        listen-on       { 127.0.0.1; };

... and REMOVE it, replacing it with this line instead:

        allow-recursion { 127.0.0.1; 10.10.0.0/16; };

Double check that there aren't any zones configured in your DNS. For
instance, if you see a line like the following:

        zone "10.in-addr.arpa"     { type master; file "/etc/namedb/master/empty.db"; };

... remove it, and save the file. (The aim of this exercise is a pure
cache: a server that is authoritative for nothing and only resolves on
behalf of its clients.)


NOTE: Be careful about the semicolons ';' and braces { } - BIND
will complain if they are not placed correctly. The named-checkconf
utility that ships with BIND will report such mistakes before you restart
the server.

By removing the line "listen-on ..." and adding the line
"allow-recursion", we are telling BIND:

- please listen to the network for queries, not only on
  the local interface "127.0.0.1" (with no listen-on statement at all,
  BIND listens on every IPv4 interface of the host);

- please allow clients in 10.10.0.0/16, as well as myself, to send
  me recursive queries. allow-recursion is an access list: a recursive
  query from any other address is answered with REFUSED instead of
  being resolved.

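To see the whole options block this step leaves you with, and to check its
syntax before restarting named, here is an added example (not part of the
original exercise). LAB_NET is the workshop network from the text; LAB_HOST
is an assumed address for this group's master, and the "tightened" variant
is a suggestion for a host that also has an address outside the lab, not
something the exercise asks for.

```shell
#!/bin/sh
# Added example, not from the original exercise: generate the options block
# this step produces and check its syntax before "service named start".
# LAB_NET is the workshop network from the text; LAB_HOST is an assumed
# address for this group's master and must be replaced with your own.

LAB_NET="10.10.0.0/16"
LAB_HOST="10.10.1.1"

# What the exercise produces: listen-on removed (so named listens on every
# IPv4 interface of the host) and recursion limited to loopback + lab network.
exercise_options() {
    cat <<EOF
options {
        directory       "/etc/namedb/working";
        recursion       yes;
        allow-recursion { 127.0.0.1; ${LAB_NET}; };
};
EOF
}

# A tighter variant for a host that also has an address outside the lab:
# listen only where clients are expected, and make the cache-read ACL explicit
# (in BIND 9.4+ allow-query-cache defaults to allow-recursion, but stating it
# avoids surprises when someone later edits one and not the other).
tightened_options() {
    cat <<EOF
options {
        directory         "/etc/namedb/working";
        listen-on         { 127.0.0.1; ${LAB_HOST}; };
        recursion         yes;
        allow-recursion   { 127.0.0.1; ${LAB_NET}; };
        allow-query-cache { 127.0.0.1; ${LAB_NET}; };
};
EOF
}

# Syntax check.  named-checkconf is the real tool (exit status 0 = clean);
# when BIND is not installed, fall back to the two mistakes the NOTE warns
# about: unbalanced braces and a closing brace without its ';'.
check_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        awk '
            { nopen  += split($0, a, "{") - 1
              nclose += split($0, b, "}") - 1
              if (index($0, "}") && !index($0, "};")) bad = 1 }
            END { exit (bad || nopen != nclose) }' "$1"
    fi
}

# Write both variants and check them; a deliberately broken copy (the ";"
# after the allow-recursion braces removed) must be rejected.
main() {
    tmp=$(mktemp)
    exercise_options  > "$tmp"; check_conf "$tmp" && echo "exercise options: OK"
    tightened_options > "$tmp"; check_conf "$tmp" && echo "tightened options: OK"
    exercise_options | sed 's/\(allow-recursion.*}\);/\1/' > "$tmp"
    check_conf "$tmp" || echo "broken copy: rejected, as expected"
    rm -f "$tmp"
}
main
```

On the lab host you would redirect exercise_options into the real
/etc/namedb/named.conf only after merging it with the rest of the stock
file; the point of the script is the check, which you should run every
time you touch the file.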
3. Restart the cache and check it is running
--------------------------------------------

If you haven't done so earlier, edit `/etc/rc.conf` and add two lines saying:

        named_chrootdir=""
        named_enable="YES"

(`named_enable` makes the rc system start named at boot; setting
`named_chrootdir` to the empty string runs named directly on the host's
filesystem instead of inside the /var/named chroot that is FreeBSD's
default.)

Then run these commands:

    $ sudo service named stop
    $ sudo service named start
    $ ps auxwww | grep named
    $ tail /var/log/messages

Check for successful startup with no error messages (you can ignore errors
about missing `master/localhost.rev` and `master/localhost-v6.rev`, as well
as messages regarding managed-keys-zone).


4. Reconfigure your resolver to use your own cache only
-------------------------------------------------------

If you haven't done so earlier, edit `/etc/resolv.conf` as follows
(remember to use sudo!)

Remove any existing 'nameserver' lines, or comment them out by inserting '#'
at the front. 127.0.0.1 is the loopback address, that is, an IP address
which means 'send the packet to myself', and we'll use it as our nameserver:

    search ws.nsrc.org
    nameserver 127.0.0.1

Now save and exit.

5. Test resolution
------------------

Issue a query, for instance:

        $ dig google.com NS
        $ dig noc.ws.nsrc.org A

For each query:

1. Is the server responding?
2. How do you know that you are talking to your OWN server?
   (Hint: look at the ";; SERVER:" line at the end of dig's output.)
3. What do you notice? (Compare the ";; Query time:" line when you
   repeat the same query.)

If your neighbour has got their cache working, then try sending some queries
to their cache:

    $ dig @10.10.X.1 somedomain.name

... where X is the group number of the machine in the class you want to send
the query to, and "somedomain.name" is the query you would like to perform.

Try and make some of the same queries you did before. Do the nameservers
of the other machines answer you?

Are you getting answers? What about for ws.nsrc.org?

Why?

Help your neighbours to get their cache working if required.

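The questions above (and the neighbour test) are all answered by four lines
of dig's output. The following added example, which is not part of the
original exercise, pulls those lines out and states what they mean. The
three dig answers it contains are constructed to look like BIND 9.8 / dig
9.8 output, with only the lines the summary reads kept and made-up
addresses; the "refused" one represents a client outside the neighbour's
allow-recursion list, which is not the case for lab hosts in 10.10.0.0/16.

```shell
#!/bin/sh
# Added example, not part of the original exercise: summarise the lines of a
# dig(1) answer that settle the questions in step 5.
#   ;; SERVER:      which resolver answered (127.0.0.1#53 is our own cache)
#   ;; flags:       "ra" = the server offers recursion to this client
#   status:         REFUSED = this client is outside its allow-recursion ACL
#   ;; Query time:  a cache hit is answered in 0 msec, a miss takes far longer
# On a real host:   dig noc.ws.nsrc.org | dig_summary

dig_summary() {
    awk '
        /^;; ->>HEADER<<-/ {            # "... opcode: QUERY, status: NOERROR, id: 33185"
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { st = $(i + 1); sub(/,$/, "", st) }
        }
        /^;; flags:/ {                  # ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, ..."
            f = $0; sub(/^;; flags: /, "", f); sub(/;.*$/, "", f); flags = f
        }
        /^;; Query time:/ { msec = $4 } # ";; Query time: 212 msec"
        /^;; SERVER:/     { srv = $3; sub(/\(.*$/, "", srv) }  # ";; SERVER: 127.0.0.1#53(127.0.0.1)"
        END {
            if (st == "REFUSED")                        verdict = "REFUSED: not in allow-recursion"
            else if (!index(" " flags " ", " ra "))     verdict = "no recursion offered"
            else if (msec == "0")                       verdict = "cache hit"
            else                                        verdict = "cache miss, resolved upstream"
            printf "server=%s status=%s flags=[%s] msec=%s -> %s\n", srv, st, flags, msec, verdict
        }'
}

# Constructed answer 1: first query to our own cache after it started.
FIRST_QUERY='; <<>> DiG 9.8.1 <<>> noc.ws.nsrc.org
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33185
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; Query time: 212 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Constructed answer 2: the same query repeated a moment later.
REPEAT_QUERY='; <<>> DiG 9.8.1 <<>> noc.ws.nsrc.org
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41907
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Constructed answer 3: a neighbour cache (assumed address 10.10.2.1) asked
# from an address that is NOT in its allow-recursion list.
NEIGHBOUR_REFUSED='; <<>> DiG 9.8.1 <<>> @10.10.2.1 noc.ws.nsrc.org
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 5412
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; Query time: 1 msec
;; SERVER: 10.10.2.1#53(10.10.2.1)'

for sample in "$FIRST_QUERY" "$REPEAT_QUERY" "$NEIGHBOUR_REFUSED"; do
    printf '%s\n' "$sample" | dig_summary
done
```

The first two answers show the same server and flags but a query time that
drops to zero, which is what a working cache looks like; the third shows
what a client sees when it is outside the ACL from step 2.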
6. Make sure you can resolve hostnames in the class
---------------------------------------------------

Ping other PCs in the room, where X is 1-32:

    $ ping master.grpX.ws.nsrc.org
    $ ping cache.grpX.ws.nsrc.org
    $ ping auth.grpX.ws.nsrc.org


7. Watch the cache in operation
-------------------------------

You can take a snapshot of the cache contents like this:

    $ sudo ln -s /var/named/var/dump /var/dump
    $ sudo /usr/sbin/rndc dumpdb
    $ sudo less /var/named/var/dump/named_dump.db

(The symlink is needed because the stock FreeBSD named.conf writes the
dump to /var/dump/named_dump.db, a directory that exists only inside the
/var/named chroot we disabled in step 3.)

(Don't do this on a busy cache - you will generate a huge dump file!)

You can watch the cache making queries to the outside world using
`tcpdump` in a different window (log in again via SSH):

    # tcpdump -n -s1500 -i eth0 udp port 53

If your ethernet interface isn't named `eth0`, then use the name of
your ethernet interface - e.g. `em0` or `bge0` - run "ifconfig" to find out
what your ethernet interface is named. (The queries you send to 127.0.0.1
travel over the loopback interface and will not appear in this capture;
what you see is the cache's own traffic to other servers, plus any
neighbours querying you.)

While tcpdump is running, in the first window flush your cache (so it forgets
all existing data) and then issue some queries.

    # rndc flush
    # dig noc.ws.nsrc.org.   -- and watch tcpdump output. What do you see?

    # dig noc.ws.nsrc.org.   -- watch tcpdump again. This time?

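What the two captures should show is easier to see once the tcpdump lines
are reduced to just the queries the cache sent. The following added example
(not part of the original exercise) does that. Its two captures are
constructed to look like "tcpdump -n" output for a cache at the assumed lab
address 10.10.1.1; the root server address is a.root-servers.net, the other
addresses are made up.

```shell
#!/bin/sh
# Added example, not part of the original exercise: reduce a tcpdump capture
# like the one in step 7 to the list of upstream queries the cache sent, so
# the difference between the first and the second "dig" is obvious.
# On a real host:   tcpdump -n -l -i em0 udp port 53 | upstream_queries

# Print "<destination IP> <qtype> <qname>" for every outbound query line.
# A query line looks like:
#   10:00:00.000100 IP 10.10.1.1.52000 > 198.41.0.4.53: 1001% [1au] A? noc.ws.nsrc.org. (45)
# Response lines carry answer counts ("0/6/12") instead of "TYPE?" and are skipped.
upstream_queries() {
    awk '
        / > / && match($0, /[A-Z0-9]+\? [^ ]+/) {
            dst = $5
            sub(/:$/, "", dst)          # strip the trailing colon ...
            sub(/\.[0-9]+$/, "", dst)   # ... and the port, leaving the IP
            q = substr($0, RSTART, RLENGTH)
            sub(/\? /, " ", q)          # "A? noc.ws.nsrc.org." -> "A noc.ws.nsrc.org."
            print dst, q
        }'
}

# Number of upstream queries in a capture (what you would otherwise count by eye).
count_upstream() { upstream_queries | awk 'END { print NR }'; }

# Constructed capture for the FIRST query after "rndc flush": the cache walks
# down from a root server (198.41.0.4 = a.root-servers.net), to a .org server
# (made-up 192.0.2.1), to an nsrc.org server (made-up 203.0.113.53).
FIRST_QUERY='10:00:00.000100 IP 10.10.1.1.52000 > 198.41.0.4.53: 1001% [1au] A? noc.ws.nsrc.org. (45)
10:00:00.040100 IP 198.41.0.4.53 > 10.10.1.1.52000: 1001- 0/6/12 (500)
10:00:00.040300 IP 10.10.1.1.52001 > 192.0.2.1.53: 1002% [1au] A? noc.ws.nsrc.org. (45)
10:00:00.120300 IP 192.0.2.1.53 > 10.10.1.1.52001: 1002- 0/4/8 (420)
10:00:00.120500 IP 10.10.1.1.52002 > 203.0.113.53.53: 1003% [1au] A? noc.ws.nsrc.org. (45)
10:00:00.200500 IP 203.0.113.53.53 > 10.10.1.1.52002: 1003*- 1/2/2 A 203.0.113.10 (120)'

# Constructed capture for the SECOND, identical query: nothing on the wire;
# the answer comes straight from the cache over the loopback interface.
SECOND_QUERY=''

printf 'first query, upstream queries sent:\n'
printf '%s\n' "$FIRST_QUERY" | upstream_queries
printf 'second query: %s upstream queries sent\n' "$(printf '%s\n' "$SECOND_QUERY" | count_upstream)"
```

Three outbound queries for the first lookup (root, TLD, authoritative) and
none for the repeat is the expected picture; if the second lookup also
fans out, the record was not cached (check its TTL) or the flush happened
in between.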
NOTE: we have now enabled recursion in BIND! Remember this, and consider
turning recursion off again later: as we have explained, running a
recursive and an authoritative server on the same host is not a good idea.