Agenda: dns-bind-caching-setup.txt

File dns-bind-caching-setup.txt, 4.6 KB (added by admin, 6 years ago)
Building a DNS cache with BIND
------------------------------

1. Check the version of BIND which is installed
-----------------------------------------------

    $ named -v
    BIND 9.x.x


2. Configure your AUTH1 host to accept queries from neighbors
-------------------------------------------------------------

Log in to your AUTH1 host if you haven't already done so
(auth1.grpX.ws.nsrc.org).

Edit the file /etc/namedb/named.conf (using vi or ee).

If it still exists, find the line:

        listen-on       { 127.0.0.1; };

... and REMOVE it.

Add the following line:

        allow-recursion { 127.0.0.1; 10.10.0.0/16; };

Double check that there aren't any zones configured in your
DNS. For instance, if you see a line like the following:

        zone "10.in-addr.arpa"     { type master; file "/etc/namedb/master/empty.db"; };

... remove it, and save the file.


NOTE: Be careful about the semicolons ';' and braces { } - BIND
will complain if they are not placed correctly.

By removing the line "listen-on ..." and adding the line
"allow-recursion", we are telling BIND:

- please listen to the network for queries, not only on
  the local interface "127.0.0.1";

- please allow clients in the 10.10.0.0/16 network to send queries
  to me, as well as myself.

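The following script is an added example and is not part of this lab sheet or of BIND: it is a grep-level sanity check of a named.conf against the settings step 2 asks for (no loopback-only listen-on, an allow-recursion line that is not open to everyone, no master zones left, balanced braces). named-checkconf remains the real syntax checker; this only looks for the specific mistakes the sheet warns about. The three sample configs and the file paths under $DEMO_DIR are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the NSRC lab sheet: a grep-level sanity check
# of a named.conf against the caching-resolver settings in step 2.
# named-checkconf remains the real syntax checker; this script only looks
# for the specific mistakes the sheet warns about. Paths and sample
# configs below are constructed for the demonstration.

DEMO_DIR="${TMPDIR:-/tmp}"

# check_named_conf FILE
# Exit status 0 if FILE looks like a closed caching resolver, 1 otherwise.
check_named_conf() {
    file="$1"
    problems=0

    # 1. "listen-on { 127.0.0.1; };" keeps named off the network entirely.
    if grep -Eq '^[[:space:]]*listen-on[[:space:]]*[{][[:space:]]*127\.0\.0\.1;[[:space:]]*[}]' "$file"; then
        echo "$file: listen-on restricts named to loopback; neighbours cannot reach it"
        problems=$((problems + 1))
    fi

    # 2. allow-recursion must be present and must not be "any"
    #    (an open resolver answers recursive queries for the whole Internet).
    if ! grep -Eq '^[[:space:]]*allow-recursion' "$file"; then
        echo "$file: no allow-recursion statement"
        problems=$((problems + 1))
    elif grep -Eq '^[[:space:]]*allow-recursion[[:space:]]*[{][[:space:]]*any;' "$file"; then
        echo "$file: allow-recursion { any; } makes this an open resolver"
        problems=$((problems + 1))
    fi

    # 3. A pure cache should carry no master zones.
    if grep -Eq 'type[[:space:]]+master' "$file"; then
        echo "$file: master zone(s) still configured"
        problems=$((problems + 1))
    fi

    # 4. Unbalanced braces are the classic named.conf syntax error.
    opens=$(tr -cd '{' < "$file" | wc -c | tr -d ' ')
    closes=$(tr -cd '}' < "$file" | wc -c | tr -d ' ')
    if [ "$opens" -ne "$closes" ]; then
        echo "$file: brace mismatch ($opens '{' vs $closes '}')"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Constructed "before" config: the state step 2 tells you to fix.
cat > "$DEMO_DIR/named.before.conf" <<'EOF'
options {
        directory       "/etc/namedb";
        listen-on       { 127.0.0.1; };
};
zone "10.in-addr.arpa"     { type master; file "/etc/namedb/master/empty.db"; };
EOF

# Constructed open-resolver config: recursion for everyone, plus a
# missing closing brace.
cat > "$DEMO_DIR/named.open.conf" <<'EOF'
options {
        directory       "/etc/namedb";
        allow-recursion { any; };
EOF

# Constructed "after" config: what the sheet's edits leave behind.
cat > "$DEMO_DIR/named.after.conf" <<'EOF'
options {
        directory       "/etc/namedb";
        allow-recursion { 127.0.0.1; 10.10.0.0/16; };
};
EOF

for f in "$DEMO_DIR/named.before.conf" "$DEMO_DIR/named.open.conf" "$DEMO_DIR/named.after.conf"; do
    if check_named_conf "$f"; then
        echo "$f: OK for a caching resolver"
    else
        echo "$f: fix before restarting named"
    fi
done
```

Run it as-is to see all three verdicts, or point check_named_conf at your own /etc/namedb/named.conf before restarting named in step 3.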
3. Restart the cache and check it is running
--------------------------------------------

If you haven't done so earlier, edit `/etc/rc.conf` and add two lines saying:

        named_chrootdir=""
        named_enable="YES"

NOTE: We would normally not turn off chroot, which is a security
      mechanism, but we need to do this here in the lab, because of
      restrictions from the virtualization environment. In a production
      environment, we wouldn't do this.

Then run these commands:

    $ sudo service named stop
    $ sudo service named start
    # ps auxwww | grep named
    # tail /var/log/messages

Check for successful startup with no error messages (you can ignore errors
about missing `master/localhost.rev` and `master/localhost-v6.rev`, as well
as messages regarding managed-keys-zone).


4. Reconfigure your resolver to use your own cache only
-------------------------------------------------------

If you haven't done so earlier, edit `/etc/resolv.conf` as follows
(remember to use sudo!).

Remove any existing 'nameserver' lines, or comment them out by inserting '#'
at the front. 127.0.0.1 is the loopback address; that is, an IP address
which means 'send the packet to myself', and we'll use it as our nameserver:

    search ws.nsrc.org
    nameserver 127.0.0.1

Now save and exit.

5. Test resolution
------------------

Issue a query, for instance:

        $ dig google.com NS
        $ dig noc.ws.nsrc.org A

For each query:

1. Is the server responding?
2. How do you know that you are talking to your OWN server?
3. What do you notice?

If your neighbour has got their cache working, then try sending some queries
to their cache:

    $ dig @10.10.X.1 somedomain.name

... where 10.10.X.1 is the IP address of the machine in the class you want
to send the query to, and "somedomain.name" is the name you would like to
look up.

Try making some of the same queries you did before. Do the nameservers
of the other machines answer you?

Are you getting answers? What about for ws.nsrc.org?

Why?

Help your neighbours to get their cache working if required.

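The script below is an added example, not part of this lab sheet: it pulls out of saved dig output the lines that answer the three questions above. The ";; SERVER:" line tells you which server you actually talked to (127.0.0.1 after step 4), the flags line shows "ra" (recursion available) and whether "aa" (authoritative) is set, and a TTL that is lower on the second run than on the first is the sign that the answer came out of your cache rather than from the zone's own nameserver. The two dig outputs are constructed (trimmed to the relevant lines, with a made-up address for noc.ws.nsrc.org) and stand in for two successive runs of "dig noc.ws.nsrc.org A".

```shell
#!/bin/sh
# Added example, not part of the NSRC lab sheet: pull the lines that answer
# the three questions in step 5 out of dig output. The two dig outputs
# below are constructed (trimmed to the lines that matter, with a made-up
# address for noc.ws.nsrc.org); they stand in for two successive runs of
# "dig noc.ws.nsrc.org A" against your own cache.

DEMO_DIR="${TMPDIR:-/tmp}"

# dig_field FILE NAME  -> prints one value from a saved dig output
#   server : the address dig sent the query to (";; SERVER:" line)
#   flags  : header flags; "ra" = recursion available, "aa" = authoritative
#   ttl    : TTL of the first answer record
#   qtime  : round-trip time in milliseconds
dig_field() {
    case "$2" in
        server) sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' "$1" ;;
        flags)  sed -n 's/^;; flags: \([^;]*\);.*/\1/p' "$1" ;;
        qtime)  sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p' "$1" ;;
        ttl)    awk '/^;; ANSWER SECTION:/ { in_answer = 1; next }
                     in_answer && NF >= 4 { print $2; exit }' "$1" ;;
    esac
}

# is_own_server FILE -> exit 0 if the answer came from 127.0.0.1 (step 4's
# resolv.conf setting), which is how you know you talked to YOUR cache.
is_own_server() {
    [ "$(dig_field "$1" server)" = "127.0.0.1" ]
}

# answered_from_cache FIRST SECOND -> exit 0 if SECOND shows the signs of a
# cache hit: no "aa" flag (not authoritative), and a TTL lower than FIRST's
# because the cache counts the TTL down instead of handing out the full value.
answered_from_cache() {
    first_ttl=$(dig_field "$1" ttl)
    second_ttl=$(dig_field "$2" ttl)
    case " $(dig_field "$2" flags) " in
        *" aa "*) return 1 ;;
    esac
    [ "$second_ttl" -lt "$first_ttl" ]
}

# Constructed output of the first query after the cache was started.
cat > "$DEMO_DIR/dig.first.txt" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41237
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;noc.ws.nsrc.org.               IN      A

;; ANSWER SECTION:
noc.ws.nsrc.org.        3600    IN      A       10.10.0.250

;; Query time: 187 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
EOF

# Constructed output of the same query 13 seconds later.
cat > "$DEMO_DIR/dig.second.txt" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8812
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;noc.ws.nsrc.org.               IN      A

;; ANSWER SECTION:
noc.ws.nsrc.org.        3587    IN      A       10.10.0.250

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
EOF

for f in "$DEMO_DIR/dig.first.txt" "$DEMO_DIR/dig.second.txt"; do
    echo "$f: server=$(dig_field "$f" server) flags='$(dig_field "$f" flags)'" \
         "ttl=$(dig_field "$f" ttl) query_time=$(dig_field "$f" qtime)ms"
done
if is_own_server "$DEMO_DIR/dig.first.txt"; then
    echo "queries went to your own cache"
fi
if answered_from_cache "$DEMO_DIR/dig.first.txt" "$DEMO_DIR/dig.second.txt"; then
    echo "second answer came from the cache (TTL counting down, no aa flag)"
fi
```

To use it on the real thing, save two runs with "dig noc.ws.nsrc.org A > first.txt" and "... > second.txt" and pass those files to answered_from_cache. Against a neighbour's cache the SERVER line will show their 10.10.X.1 address instead of 127.0.0.1.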
6. Make sure you can resolve hostnames in the class
---------------------------------------------------

Ping other PCs in the room, where X is 1-32:

    $ ping auth1.grpX.ws.nsrc.org
    $ ping resolv.grpX.ws.nsrc.org
    $ ping auth2.grpX.ws.nsrc.org


7. Watch the cache in operation
-------------------------------

You can take a snapshot of the cache contents like this:

    $ sudo ln -s /var/named/var/dump /var/dump
    $ sudo /usr/sbin/rndc dumpdb
    $ sudo less /var/named/var/dump/named_dump.db

(Don't do this on a busy cache - you will generate a huge dump file!)

You can watch the cache making queries to the outside world using
`tcpdump` in a different window (log in again via SSH):

    # tcpdump -n -s1500 -i eth0 udp port 53

If your ethernet interface isn't named `eth0`, then use the name of
your ethernet interface - e.g. `em0` or `bge0` - run "ifconfig" to find out
what your ethernet interface is named.

While tcpdump is running, in the first window flush your cache (so it forgets
all existing data) and then issue some queries:

    # rndc flush
    # dig noc.ws.nsrc.org.   -- and watch the tcpdump output. What do you see?

    # dig noc.ws.nsrc.org.   -- watch tcpdump again. This time?

NOTE: we have now enabled recursion in BIND! We will want to remember
this, and perhaps turn recursion off later, since we have explained that
running a recursive and an authoritative server on the same host is not
a good idea.
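
The script below is an added example, not part of this lab sheet: it summarises what the tcpdump window shows after "rndc flush" and on the repeat query. After the flush the cache has no data and must walk the tree itself, so you see this host sending a question to a root server, then to a TLD server, then to the zone's own nameserver; on the repeat query the answer is served from the cache and nothing leaves the box. The capture lines are constructed in the format "tcpdump -n ... udp port 53" prints, using documentation address ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) for the servers out on the Internet and 10.10.1.1 as an assumed address for this host.

```shell
#!/bin/sh
# Added example, not part of the NSRC lab sheet: summarise what the tcpdump
# window from step 7 shows. The capture lines below are constructed, in the
# format "tcpdump -n ... udp port 53" prints, using documentation address
# ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) for the servers
# out on the Internet and 10.10.1.1 as this host's own address.

DEMO_DIR="${TMPDIR:-/tmp}"
MY_IP="10.10.1.1"      # assumed address of the cache host (constructed)

# upstream_queries CAPTURE -> prints the number of questions this host sent
# out, i.e. lines where the source is MY_IP and the destination port is 53.
# A "?" after the record type marks a question in tcpdump's DNS decoder.
upstream_queries() {
    awk -v me="$MY_IP" '
        $2 == "IP" && $5 ~ /\.53:$/ && $3 ~ ("^" me "\\.") && /\?/ { n++ }
        END { print n + 0 }' "$1"
}

# upstream_servers CAPTURE -> prints the distinct servers queried, in order
# of first appearance, so you can see the walk from root to TLD to the zone's
# own nameserver.
upstream_servers() {
    awk -v me="$MY_IP" '
        $2 == "IP" && $5 ~ /\.53:$/ && $3 ~ ("^" me "\\.") && /\?/ {
            host = $5; sub(/\.53:$/, "", host)
            if (!(host in seen)) { seen[host] = 1; print host }
        }' "$1"
}

# Constructed capture for the first "dig noc.ws.nsrc.org." after "rndc flush":
# the cache has to walk the tree itself, so three questions leave the box
# (no "+" after the id: a resolver does not ask authoritative servers to
# recurse; "-" in the replies: they offer no recursion; "*": authoritative).
cat > "$DEMO_DIR/after-flush.txt" <<'EOF'
12:00:01.000101 IP 10.10.1.1.54010 > 192.0.2.10.53: 31011 A? noc.ws.nsrc.org. (33)
12:00:01.040213 IP 192.0.2.10.53 > 10.10.1.1.54010: 31011- 0/13/14 (500)
12:00:01.041005 IP 10.10.1.1.54011 > 198.51.100.20.53: 31012 A? noc.ws.nsrc.org. (33)
12:00:01.120440 IP 198.51.100.20.53 > 10.10.1.1.54011: 31012- 0/4/5 (250)
12:00:01.121112 IP 10.10.1.1.54012 > 203.0.113.30.53: 31013 A? noc.ws.nsrc.org. (33)
12:00:01.186870 IP 203.0.113.30.53 > 10.10.1.1.54012: 31013* 1/2/2 A 10.10.0.250 (120)
EOF

# Constructed capture for the repeat query: the answer is already cached,
# so nothing is sent upstream and tcpdump prints nothing at all.
: > "$DEMO_DIR/repeat.txt"

for f in "$DEMO_DIR/after-flush.txt" "$DEMO_DIR/repeat.txt"; do
    echo "$f: $(upstream_queries "$f") question(s) sent upstream"
    upstream_servers "$f" | sed 's/^/    asked: /'
done
```

On the real machine, run tcpdump with "-l" and redirect its output to a file, set MY_IP to your own address, and feed that file to the two functions; queries from your neighbours to your cache arrive on port 53 rather than leaving from your address, so they are not counted as upstream traffic.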