Agenda: dns-bind-caching-setup.txt

File dns-bind-caching-setup.txt, 4.6 KB (added by admin, 6 years ago)
Building a DNS cache with BIND
------------------------------

1. Check the version of BIND which is installed
-----------------------------------------------

    $ named -v
    BIND 9.8.1


2. Configure your MASTER host to accept queries from neighbors
--------------------------------------------------------------

Log in to your MASTER host if you haven't already done so
(auth1.grpX.ws.nsrc.org).

Edit the file /etc/namedb/named.conf (using vi or ee).

If it still exists, find the line:

        listen-on       { 127.0.0.1; };

... and REMOVE it.

Add the following line:

        allow-recursion { 127.0.0.1; 10.10.0.0/16; };

Double check to see that there aren't any zones configured in your
DNS. For instance, if you see a line like the following:

        zone "10.in-addr.arpa"     { type master; file "/etc/namedb/master/empty.db"; };

... remove it, and save the file.


NOTE: Be careful about the semicolons ';' and braces { } - BIND
will complain if they are not placed correctly.

By removing the line "listen-on ..." and adding the line
"allow-recursion", we are telling BIND:

- please listen to the network for queries, not only on
  the local interface "127.0.0.1";

- please allow clients in the 10.10.0.0/16 network to send queries
  to me, as well as myself.
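
The edits above can also be scripted and checked before named is restarted. The script below is an added example, not part of the lab text: it rewrites a constructed copy of named.conf (the sample inside the script is an assumption about what the lab file looks like, not the real file), then checks that the braces balance and that the cache-only settings are present.

```shell
#!/bin/sh
# Added example (not part of the lab text): apply the step-2 edits to a copy of
# named.conf with a script instead of an editor, then sanity-check the result
# before restarting named.  SAMPLE_CONF is constructed to resemble the lab's
# /etc/namedb/named.conf; it is an assumption, not the real file.
SAMPLE_CONF='options {
        directory       "/etc/namedb";
        listen-on       { 127.0.0.1; };
        pid-file        "/var/run/named/pid";
};

zone "10.in-addr.arpa"     { type master; file "/etc/namedb/master/empty.db"; };
'

# Rewrite named.conf for a pure cache:
#  - drop "listen-on" so named accepts queries on every interface;
#  - add allow-recursion right after "options {" so that only this host and
#    the 10.10.0.0/16 lab network may recurse (without it the server is an
#    open resolver that anyone on the Internet can use);
#  - drop single-line zone statements, since a cache should not be
#    authoritative (multi-line zone blocks would still need an editor).
# Usage: make_caching_conf <input> <output>
make_caching_conf() {
    awk '
        /^[[:space:]]*listen-on[[:space:]]/   { next }
        /^[[:space:]]*zone[[:space:]]+"/      { next }
        /^[[:space:]]*options[[:space:]]*[{]/ {
            print
            print "        allow-recursion { 127.0.0.1; 10.10.0.0/16; };"
            next
        }
        { print }
    ' "$1" > "$2"
}

# BIND refuses to start on an unbalanced { } pair, so count them before
# restarting.  Heuristic only: braces inside strings or comments are not
# special-cased; named-checkconf is the authoritative check.
braces_balanced() {
    opens=$(tr -cd '{' < "$1" | wc -c | tr -d ' ')
    closes=$(tr -cd '}' < "$1" | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ]
}

# Confirm the three step-2 properties hold in the edited file.
is_caching_conf() {
    grep -q 'allow-recursion[[:space:]]*{[[:space:]]*127\.0\.0\.1;[[:space:]]*10\.10\.0\.0/16;' "$1" &&
    ! grep -q '^[[:space:]]*listen-on' "$1" &&
    ! grep -q '^[[:space:]]*zone[[:space:]]*"' "$1"
}

# Run the rewrite on the constructed sample; returns 0 when the result passes
# both checks.  On a lab host the input would be /etc/namedb/named.conf.
demo() {
    src_file=$(mktemp) && dst_file=$(mktemp) || return 1
    printf '%s' "$SAMPLE_CONF" > "$src_file"
    make_caching_conf "$src_file" "$dst_file"
    cat "$dst_file"
    if braces_balanced "$dst_file" && is_caching_conf "$dst_file"; then
        echo "OK: configuration looks like a restricted cache"; rc=0
    else
        echo "PROBLEM: check braces, semicolons and zone statements"; rc=1
    fi
    rm -f "$src_file" "$dst_file"
    return $rc
}

demo
```

On a lab host you would point make_caching_conf at /etc/namedb/named.conf and then run `named-checkconf` on the result: that is BIND's own parser and catches the misplaced semicolons and braces the note warns about, whereas the brace count here is only a quick pre-check.
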
48
3. Restart the cache and check it is running
--------------------------------------------

If you haven't done so earlier, edit `/etc/rc.conf` and add two lines saying:

        named_chrootdir=""
        named_enable="YES"

NOTE: We would normally not turn off chroot, which is a security
      mechanism, but we need to do this here in the lab, because of
      restrictions from the virtualization environment. In a production
      environment, we wouldn't do this.

Then run these commands:

    $ sudo service named stop
    $ sudo service named start
    # ps auxwww | grep named
    # tail /var/log/messages

Check for successful startup with no error messages (you can ignore errors
about missing `master/localhost.rev` and `master/localhost-v6.rev`, as well
as messages regarding managed-keys-zone).


4. Reconfigure your resolver to use your own cache only
-------------------------------------------------------

If you haven't done so earlier, edit `/etc/resolv.conf` as follows
(remember to use sudo!).

Remove any existing 'nameserver' lines, or comment them out by inserting '#'
at the front. 127.0.0.1 is the loopback address; that is, an IP address
which means 'send the packet to myself', and we'll use it as our nameserver:

    search ws.nsrc.org
    nameserver 127.0.0.1

Now save and exit.

5. Test resolution
------------------

Issue a query, for instance:

        $ dig google.com NS
        $ dig noc.ws.nsrc.org A

For each query:

1. Is the server responding?
2. How do you know that you are talking to your OWN server?
3. What do you notice?

If your neighbour has got their cache working, then try sending some queries
to their cache:

    $ dig @10.10.X.1 somedomain.name

... where 10.10.X.1 is the IP of the machine in the class you want to send the
query to, and "somedomain.name" is the query you would like to perform.

Try and make some of the same queries you did before. Do the nameservers
of the other machines answer you?

Are you getting answers? What about for ws.nsrc.org?

Why?

Help your neighbours to get their cache working if required.
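
The questions in this step can be answered from the dig output mechanically. The script below is an added example, not part of the lab text: it extracts the answering server, the response code, the answer TTL and the query time from three constructed dig responses (addresses, ids and timings are made up), uses them to tell a fresh lookup from a cache hit, and recognises the REFUSED that a cache returns to a client outside its allow-recursion list.

```shell
#!/bin/sh
# Added example (not part of the lab text): pull the facts that answer the
# step-5 questions out of dig output.  The three responses below are
# constructed samples in the layout of dig 9.x output; the addresses, ids
# and timings are made up.

# First run of "dig noc.ws.nsrc.org A" against our own cache: the answer had
# to be fetched from the outside world.
FIRST_RUN='; <<>> DiG 9.8.1 <<>> noc.ws.nsrc.org A
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40012
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;noc.ws.nsrc.org.               IN      A

;; ANSWER SECTION:
noc.ws.nsrc.org.        3600    IN      A       192.0.2.10

;; Query time: 212 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; MSG SIZE  rcvd: 49'

# The same query a minute later: served from the cache.
SECOND_RUN='; <<>> DiG 9.8.1 <<>> noc.ws.nsrc.org A
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40077
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;noc.ws.nsrc.org.               IN      A

;; ANSWER SECTION:
noc.ws.nsrc.org.        3541    IN      A       192.0.2.10

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; MSG SIZE  rcvd: 49'

# What a client outside 127.0.0.1 and 10.10.0.0/16 gets from the cache
# (constructed; the server address is made up).
REFUSED_RUN='; <<>> DiG 9.8.1 <<>> @10.10.3.1 noc.ws.nsrc.org A
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 40101
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;noc.ws.nsrc.org.               IN      A

;; Query time: 1 msec
;; SERVER: 10.10.3.1#53(10.10.3.1)
;; MSG SIZE  rcvd: 33'

# Which server answered (question 2): 127.0.0.1#53 means our own cache and not
# a server left over in an old resolv.conf.
dig_server()     { printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^ ]*\).*/\1/p'; }
# Response code from the header line.
dig_status()     { printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\).*/\1/p'; }
# Query time in milliseconds.
dig_query_time() { printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p'; }
# TTL of the first record in the ANSWER SECTION (empty when there is none).
dig_answer_ttl() {
    printf '%s\n' "$1" | awk '/^;; ANSWER SECTION:/ { grab = 1; next }
                              grab && /^$/        { exit }
                              grab && NF >= 4     { print $2; exit }'
}

# Question 1: a "SERVER:" line is only printed when a reply arrived; a dead
# cache produces ";; connection timed out" instead.
dig_got_reply() { [ -n "$(dig_server "$1")" ]; }

# Question 3, comparing two runs of the same query: a cache hit comes back from
# the same server with a TTL that has counted down and a much shorter query
# time, because no packets had to leave the host.
served_from_cache() {
    t1=$(dig_answer_ttl "$1"); t2=$(dig_answer_ttl "$2")
    q1=$(dig_query_time "$1"); q2=$(dig_query_time "$2")
    [ -n "$t1" ] && [ -n "$t2" ] &&
    [ "$(dig_server "$1")" = "$(dig_server "$2")" ] &&
    [ "$t2" -lt "$t1" ] && [ "$q2" -lt "$q1" ]
}

# REFUSED from a cache means the client is outside its allow-recursion list,
# which is what the step-2 setting should do for every address outside
# 127.0.0.1 and 10.10.0.0/16.
dig_refused() { [ "$(dig_status "$1")" = "REFUSED" ]; }

report() {
    echo "first run:  server=$(dig_server "$FIRST_RUN") ttl=$(dig_answer_ttl "$FIRST_RUN") time=$(dig_query_time "$FIRST_RUN")ms"
    echo "second run: server=$(dig_server "$SECOND_RUN") ttl=$(dig_answer_ttl "$SECOND_RUN") time=$(dig_query_time "$SECOND_RUN")ms"
    served_from_cache "$FIRST_RUN" "$SECOND_RUN" && echo "second answer came from the cache"
    dig_refused "$REFUSED_RUN" && echo "outside client was refused: allow-recursion is in effect"
}
report
```

To use this on a lab host, capture real output with `dig noc.ws.nsrc.org A > run1.txt`, wait a little, capture `run2.txt`, and pass the file contents to the functions; the TTL difference between the two runs is the number of seconds the record has already spent in your cache.
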
119
6. Make sure you can resolve hostnames in the class
---------------------------------------------------

Ping other PCs in the room, where X is 1-32:

    $ ping auth1.grpX.ws.nsrc.org
    $ ping resolv.grpX.ws.nsrc.org
    $ ping auth2.grpX.ws.nsrc.org


7. Watch the cache in operation
-------------------------------

You can take a snapshot of the cache contents like this:

    $ sudo ln -s /var/named/var/dump /var/dump
    $ sudo /usr/sbin/rndc dumpdb
    $ sudo less /var/named/var/dump/named_dump.db

(Don't do this on a busy cache - you will generate a huge dump file!)

You can watch the cache making queries to the outside world using
`tcpdump` in a different window (log in again via SSH):

    # tcpdump -n -s1500 -i eth0 udp port 53

If your ethernet interface isn't named `eth0`, then use the name of
your ethernet interface - e.g. `em0` or `bge0` - run "ifconfig" to find out
what your ethernet interface is named.

While tcpdump is running, in the first window flush your cache (so it forgets
all existing data) and then issue some queries.

    # rndc flush
    # dig noc.ws.nsrc.org.   -- and watch tcpdump output. What do you see?

    # dig noc.ws.nsrc.org.   -- watch tcpdump again. This time?

NOTE: we have now enabled BIND to be recursive! So we will want
to remember this, and maybe turn off recursion later, since we have
explained that running recursive and authoritative on the same server
is not a good idea.
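
To make the tcpdump observations in this step countable rather than eyeballed, here is an added example, not part of the lab text: it parses a constructed `tcpdump -n` capture (addresses, ports and ids are made up, and the cache is assumed to be 10.10.1.1) and reports how many queries the cache sent out, to which servers, and how many replies came back, for the first and the second run of the query.

```shell
#!/bin/sh
# Added example (not part of the lab text): count, from "tcpdump -n" output
# like that of step 7, the queries the cache sends to the outside world.
# The captures below are constructed; the addresses, ports and ids are made
# up, and the cache's own address is assumed to be 10.10.1.1.
CACHE_IP=10.10.1.1

# Constructed capture for the first "dig noc.ws.nsrc.org." after "rndc flush":
# the cache walks from a root server via the TLD server to the authoritative
# server.  (No "+" after the id: the cache's own queries do not set the
# recursion-desired flag, unlike the query dig sent to 127.0.0.1.)
FIRST_CAPTURE='10:00:01.100000 IP 10.10.1.1.50111 > 192.0.2.1.53: 5001 A? noc.ws.nsrc.org. (33)
10:00:01.130000 IP 192.0.2.1.53 > 10.10.1.1.50111: 5001 0/4/4 NS a.example., NS b.example. (180)
10:00:01.131000 IP 10.10.1.1.50112 > 192.0.2.2.53: 5002 A? noc.ws.nsrc.org. (33)
10:00:01.160000 IP 192.0.2.2.53 > 10.10.1.1.50112: 5002 0/2/2 NS ns1.example., NS ns2.example. (120)
10:00:01.161000 IP 10.10.1.1.50113 > 198.51.100.5.53: 5003 A? noc.ws.nsrc.org. (33)
10:00:01.190000 IP 198.51.100.5.53 > 10.10.1.1.50113: 5003* 1/0/0 A 192.0.2.10 (49)'

# Constructed capture for the second run of the same query: no packets on eth0.
SECOND_CAPTURE=''

# Print "srcip srcport dstip dstport" for every IPv4 packet in a tcpdump -n
# capture; tcpdump writes the port as the fifth dotted component.
dns_flows() {
    printf '%s\n' "$1" | awk '
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            ns = split(src, s, "."); nd = split(dst, d, ".")
            if (ns != 5 || nd != 5) next            # IPv4 only in this lab
            print s[1] "." s[2] "." s[3] "." s[4], s[5], d[1] "." d[2] "." d[3] "." d[4], d[5]
        }'
}

# Queries the cache itself sent out: source is the cache, destination port 53.
count_upstream_queries() {
    dns_flows "$1" | awk -v me="$CACHE_IP" '$1 == me && $4 == "53" { n++ } END { print n + 0 }'
}

# Distinct servers the cache asked, one per line.
upstream_servers() {
    dns_flows "$1" | awk -v me="$CACHE_IP" '$1 == me && $4 == "53" { print $3 }' | sort -u
}

# Replies that reached the cache from port 53.
count_upstream_replies() {
    dns_flows "$1" | awk -v me="$CACHE_IP" '$3 == me && $2 == "53" { n++ } END { print n + 0 }'
}

report() {
    echo "first query:  $(count_upstream_queries "$FIRST_CAPTURE") queries out, $(count_upstream_replies "$FIRST_CAPTURE") replies in"
    echo "servers asked: $(upstream_servers "$FIRST_CAPTURE" | tr '\n' ' ')"
    echo "second query: $(count_upstream_queries "$SECOND_CAPTURE") queries out (answered from cache)"
}
report
```

On a lab host, save the capture with `tcpdump -n -l -i eth0 udp port 53 > dns.cap` while you run the two digs, then feed the file contents to the functions; a cache whose count of outbound queries stays at zero for a repeated query is the behaviour this step is meant to show, and a count that keeps growing for the same name is the first sign of a cache that is not retaining answers.
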