BIND in a jiffy

I'm coaching a new engineer on Linux- and systems administration-related tasks. Here's a set of exercises I did for DNS.

  1. Install BIND. By default, what packages does Red Hat (RH) install? How would you find out? Hint: `man rpm`.

  2. View the configuration file in /etc/named.conf. Describe what each section is for:
    1. options { }

    2. controls { }

    3. key "rndc_key" { }

    4. zone "." { }

    5. zone "0.0.127.in-addr.arpa" { }

  3. What is the /var/named/named.ca file? How do you update this file? Hint: `dig` it up.

  4. Describe the function of each record in /var/named/named.local:
    1. SOA

    2. NS

    3. PTR

    Notice the '.' at the end of the domain name? What is it for? What will happen if you take it out?

  5. Configure your box to use your recently installed DNS server.
    1. Edit /etc/resolv.conf. Add your nameserver. (Don't forget to restart the networking service.)

    2. Start BIND. How? What would you check to see if BIND starts at boot?

    3. Test your nameserver. Hint: `man dig`.

    4. Do a DNS lookup for an external domain:

      $ dig google.com.
      $ dig google.com


      What's the difference between the two commands above? Hint: It has something to do with the way DNS works.

  6. Create your own domain. How will you do that? Hint: Copy, edit and rename named.local.
    1. Create a new zone in named.conf.

    2. Edit the zone file. It should contain something like this:


      ; Zone - iandexter.net
      $TTL 3D
      @ IN SOA hiraya.iandexter.net. hostname.iandexter.net. (
      20060901 ; serial
      8H ; refresh
      2H ; retry
      4W ; expire
      1D) ; minimum
      ;
      NS hiraya. ; name server
      MX 5 padme.iandexter.net
      MX 10 arwen.iandexter.net.
      MX 15 eowyn.iandexter.net
      MX 20 mail.
      ;
      localhost A 127.0.0.1
      hiraya A 192.168.1.101
      ns CNAME hiraya
      mail CNAME hiraya
      pop CNAME hiraya
      www CNAME hiraya
      proxy CNAME hiraya
      ftp CNAME hiraya
      padme A 192.168.1.51
      arwen A 192.168.1.150
      eowyn A 192.168.1.153


      Explain what the following means:
      1. A

      2. MX What about the number beside it?

      3. CNAME

      4. serial

      5. refresh

      6. retry

      7. expire

      8. minimum

      9. TTL

    3. Restart BIND.

      # rndc reload


  7. Test your new domain.

    $ dig any your.domain


    What do you notice? Hint: Something's awfully wrong. (Look at step 4 above.) Correct it, then test your domain again.

    # rndc reload; dig axfr your.domain


  8. Create a reverse zone. Why do you need it? You should have something like this:


    ; Reverse zone - 1.168.192
    $TTL 3d
    @ IN SOA hiraya.iandexter.net. hostmaster.iandexter.net. (
    20060901 ; serial
    8H ; refresh
    2H ; retry
    4W ; expire
    1D) ; minimum
    ;
    NS hiraya.iandexter.net.
    ;
    101 PTR hiraya.iandexter.net.
    102 PTR mithi.iandexter.net.
    150 PTR arwen.iandexter.net
    151 PTR padme.iandexter.net
    152 PTR mathilda.iandexter.net.
    153 PTR eowyn.iandexter.net.
    154 PTR evey.iandexter.net.
    155 PTR galadriel.


    Notice the last line above: it's just another way of writing it -- saves typing, too. Test your reverse zone.


    # rndc reload; dig -x your.server.ip
    # dig axfr your.reverse.zone
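    If you want to see what the trailing-dot question in step 4 really does to a zone file, the script below applies the origin rule BIND uses when it loads master-format data: a name that ends in '.' is absolute and kept as written, and every other name gets the zone origin appended. It is an added example for steps 4, 6, 7 and 8, not code from the original post. SAMPLE_ZONE is constructed here and mirrors the forward zone above, slips included; `lint_zone` reports the RDATA names whose stored form is probably not what the author of the line meant.

```python
"""Expand and lint the names in a BIND master-format zone file.

Added example for the trailing-dot exercise; not code from the original
post.  Origin rule (RFC 1035): a name ending in '.' is absolute and kept
as written, any other name has the current origin appended.  SAMPLE_ZONE
is a constructed copy of the exercise's forward zone, slips included.
"""
import re

# Index of the RDATA field(s) that hold a domain name, by record type.
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}
TTL_RE = re.compile(r"\d+[smhdwSMHDW]?")

SAMPLE_ZONE = """\
; Zone - iandexter.net (constructed sample)
$TTL 3D
@ IN SOA hiraya.iandexter.net. hostmaster.iandexter.net. (
        20060901 ; serial
        8H       ; refresh
        2H       ; retry
        4W       ; expire
        1D )     ; minimum
        NS  hiraya.
        MX  5  padme.iandexter.net
        MX  10 arwen.iandexter.net.
localhost A     127.0.0.1
hiraya    A     192.168.1.101
www       CNAME hiraya
padme     A     192.168.1.51
arwen     A     192.168.1.150
"""


def qualify(name, origin):
    """Absolute form of *name*: '@' is the origin, a trailing dot means the
    name is already absolute, anything else is relative to the origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, type, rdata_tokens, origin)] with owners qualified.
    Handles $ORIGIN, ';' comments, blank owners (repeat the previous owner)
    and parenthesised multi-line records such as the SOA."""
    if not origin.endswith("."):
        origin += "."
    records, owner, pending = [], origin, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        pending = f"{pending} {line}" if pending else line
        if pending.count("(") > pending.count(")"):
            continue                                  # record continues
        logical, pending = pending, ""
        if logical.startswith("$ORIGIN"):
            origin = qualify(logical.split()[1], origin)
            continue
        if logical.startswith("$"):
            continue                                  # $TTL etc.: no record
        tokens = logical.replace("(", " ").replace(")", " ").split()
        if not logical[0].isspace():                  # owner present
            owner = qualify(tokens.pop(0), origin)
        # optional TTL and class come before the type
        while tokens and (TTL_RE.fullmatch(tokens[0]) or tokens[0].upper() == "IN"):
            tokens.pop(0)
        if not tokens:
            continue
        records.append((owner, tokens[0].upper(), tokens[1:], origin))
    return records


def lint_zone(text, origin):
    """Return [(owner, type, name_as_written, stored_as, note)] for RDATA
    names whose stored form is probably not what the author intended."""
    findings = []
    for owner, rtype, rdata, zone_origin in parse_zone(text, origin):
        for idx in NAME_FIELDS.get(rtype, []):
            name = rdata[idx]
            stored = qualify(name, zone_origin)
            if "." in name and not name.endswith("."):
                findings.append((owner, rtype, name, stored,
                                 "relative name with a dot: origin gets appended"))
            elif name.endswith(".") and name.count(".") == 1:
                findings.append((owner, rtype, name, stored,
                                 "absolute single-label name: a top-level name, not a host here"))
    return findings


if __name__ == "__main__":
    for owner, rtype, name, stored, note in lint_zone(SAMPLE_ZONE, "iandexter.net"):
        print(f"{owner} {rtype} {name!r} -> stored as {stored!r}: {note}")
```

    Run it against your own zone file by reading the file into `lint_zone` with the zone's origin; a clean run returns an empty list, and `dig axfr` should then show the names you expected.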


  9. Test your new domain on another machine.
    1. In Windows, add your nameserver in the DNS list. Try to look up records in your domain.


      C:\> nslookup
      > server your.nameserver.ip
      > set type=all
      > your.domain


    2. Ping your nameserver (or hosts you have added to that zone) using fully qualified domain names.

  10. Secure your nameserver.
    1. Disable queries from domains you don't own, except from your servers or subnet.

    2. Disable recursive queries, except internally.

    3. By default, RH runs BIND in a chroot jail. Why?
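    For 10.1 and 10.2 the knobs live in named.conf. The fragment below is an added example, not configuration from the original post: the `ours` ACL, the 192.168.1.0/24 subnet and the zone file name are constructed to match the exercise, so substitute your own. The commented-out lines are the open-resolver settings; the active ones answer the world only for the zone you own and recurse only for your own hosts.

```text
// Constructed example for step 10; adjust the ACL to your own network.
acl "ours" {
    127.0.0.1;
    192.168.1.0/24;          // the subnet used in the exercise
};

options {
    directory "/var/named";

    // Open resolver (the weak setting): anyone may query and recurse.
    // allow-query     { any; };
    // recursion       yes;
    // allow-recursion { any; };

    // Hardened: by default only our hosts may query or recurse.
    allow-query       { ours; };
    recursion         yes;
    allow-recursion   { ours; };
};

// The zone you own is still served to everyone (10.1): the zone-level
// allow-query overrides the one in options.
zone "iandexter.net" IN {
    type master;
    file "iandexter.net.zone";
    allow-query { any; };
};
```

    After `rndc reload`, a `dig @your.nameserver.ip google.com` from a host outside the ACL should come back REFUSED while the same query for a name in your zone still answers; that is the check for 10.1 and 10.2 together.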


Bonus question:
Why go through all this trouble when you can have Linux (even Windows, actually) resolve hostnames to their IP addresses locally? How do you do that?
