Lab 05 - DNS

'Twas midnight, and the UNIX hacks
Did gyre and gimble in their cave
All mimsy was the CS-VAX
And Cory raths outgrave.

"Beware the software rot, my son!
The faults that bite, the jobs that thrash!
Beware the broken pipe, and shun
The frumious system crash!"

Overview

You will be installing and configuring a DNS server using the BIND utility. Below are the requirements for this lab.

For your reading, you can take a look at this great How-To to initially set up your own zone: http://www.tldp.org/HOWTO/DNS-HOWTO.html. You can then follow up with this How-To, which describes how to change your configuration to CHROOT your DNS server (in section '10 DNS Server'): http://www.howtoforge.com/perfect_setup_ubuntu_6.10_p4.

Tasks and Grading

This lab is due at 9:30am, Tuesday March 3rd, 2008.

You must complete all the following tasks for this lab.

  1. Install the 'bind9' package. The files for BIND under Ubuntu live under /etc/bind. Your config file is in that directory: /etc/bind/named.conf.
  2. Create firewall rules to allow incoming queries to destination UDP and TCP port 53.
  3. Create an access control list (ACL) called CSELnet which contains the localhost IP address (127.0.0.1), as well as the entire 128.138.202.0/24 subnet.
  4. Create two views with the 'view' statement. Call the first one classview and the second one worldview. Have the classview match all clients in the CSELnet ACL you created earlier and the worldview match all other clients in the world.
  5. Create a master forward zone for your machine name. For example, if I were to create a master zone for my test machine, it would be called 'coolname.cs.colorado.edu'.
    • This zone must occur in both views, but the views must be hosted by separate files!
    • For your different views, use the filename convention 'classview-[machinename].cs.colorado.edu.forward' and 'worldview-[machinename].cs.colorado.edu.forward'.
  6. Use the following values for your Start of Authority (SOA) record in both views:
    • $TTL: 12 hours
    • Serial Number: current day plus index in YYYYMMDDxx format, where 'xx' is an index into the current day.
    • Refresh: 8 hours
    • Retry: 30 minutes
    • Expire: 14 days
    • Minimum TTL: 30 minutes
  7. When modifying the top domain (@), be sure to add the following information:
    • A - [IP address of your machine]
    • NS - @
    • TXT - "This is the master nameserver for [machinename].cs.colorado.edu" - (where [machinename] is the name of your machine)
  8. In the classview zone, add the following Resource Records (RRs):
    • csel - A - 128.138.202.19
    • myself - A - [IP address of your machine]
    • google - CNAME - www.google.com.
    • www - CNAME - @
    • dns-backup - A - 128.138.202.180
  9. In the worldview zone, add the following Resource Records (RRs):
    • csel - A - 128.138.202.19
    • dontmesswiththe - A - [IP address of your machine]
    • google - CNAME - myfakegoogle
    • myfakegoogle - CNAME - @
    • www - CNAME - @
    • shorttimeout - A - 128.138.202.1 - 5 minute time-to-live set
  10. Change your '/etc/resolv.conf' file and add a new 'nameserver' line, above your other 'nameserver' entries, that points to the localhost IP 127.0.0.1.
  11. Change your configuration in /etc/bind/named.conf to notify a backup nameserver at IP address 128.138.202.180 for your worldview.
  12. Change your configuration to CHROOT your BIND server to exist only under /etc/bind. Follow the How-To at the top of the lab to do this.
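Here is what the named.conf pieces from tasks 3, 4, 5, 11 and 12 look like put together, as an added example (not the stock Ubuntu file and not part of the original lab). It assumes the machine is 'coolname' at 128.138.202.101, the address used in the dig output further down this page. The recursion lines are an extra the lab does not ask for: they keep the world-facing view from acting as an open resolver.

```bind
// /etc/bind/named.conf - added example for this lab, not the stock Ubuntu file.
// Assumes the machine is coolname.cs.colorado.edu at 128.138.202.101.

// Task 3: the class network plus localhost
acl CSELnet {
    127.0.0.1;
    128.138.202.0/24;
};

options {
    directory "/etc/bind";   // becomes "/" once named is chrooted to /etc/bind (task 12)
};

// Task 4: the first view whose match-clients matches wins, so classview comes first.
view "classview" {
    match-clients { CSELnet; };
    recursion yes;           // not required by the lab: resolve only for CSEL clients

    zone "coolname.cs.colorado.edu" {    // task 5: master zone, classview copy
        type master;
        file "classview-coolname.cs.colorado.edu.forward";
    };
};

view "worldview" {
    match-clients { any; };  // everyone not already matched by classview
    recursion no;            // not required by the lab: no open resolver to the world

    zone "coolname.cs.colorado.edu" {    // task 5: master zone, worldview copy
        type master;
        file "worldview-coolname.cs.colorado.edu.forward";
        also-notify { 128.138.202.180; };    // task 11: tell the backup nameserver
    };
};

// Once views exist, no zone may stay outside them: the root-hint and localhost
// zones from the stock Ubuntu named.conf must move into a view or be removed.
```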

Clarifications

How to Debug Problems

Syslog already logs all BIND log entries to '/var/log/syslog'. This file contains any potential error messages that can help you debug problems you may be having, such as 'rndc: connection refused', or the server not running at all due to file referencing errors with your chroot, etc.

Getting Started

I would recommend that you simply try to get a zone hosted for your computer first before trying to move into views OR the chrooted jail. Once you have a working zone file that answers properly with your machine name's A record (IP address), then you can copy the file into two places and start to mess with views. Once you have views working, you can then move onto the chrooted jail. Be sure to back up your files once they are in working condition! Do not try to do all of these tasks at the same time, as you will easily become confused by random errors.

How to test the different views

In grading your machine, I will be running all tests FROM your machine directly. In class I have demonstrated the use of 'dig', and have used dig to query specific nameservers. To test your views, you query your own IP address for the 'internal' view, and then query a campus DNS server (128.138.130.30) for your 'worldview'. From your own machine, run these two commands (where <machinename> is the name of your server):

dig @<your ip> google.<machinename>.cs.colorado.edu any
--should see CNAME www.google.com. from the classview
dig @128.138.240.1 google.<machinename>.cs.colorado.edu any
--should see CNAME myfakegoogle, from the worldview

One important note about views is that once you create views, you CANNOT mix configuration outside of views with configuration inside views. The default named.conf file that is put in your /etc/bind directory has configuration outside of views. You cannot leave these configuration lines in place, or bad things will happen!

How to check if your configuration or zone files are syntactically correct

If you have a syntax error in your config files anywhere, things will break and you won't really know why. Fortunately, bind9 comes with two utilities to check whether your config or zone file syntax is correct. If you are seeing that your zone files are not updating after a restart of your bind9 server, you can run the following commands:

chris@coolname:~$ named-checkconf
chris@coolname:~$ named-checkzone coolname.cs.colorado.edu /etc/bind/classview-coolname.cs.colorado.edu.forward

No output means no errors. If errors occur, it will tell you the line number. However, beware of includes from the named.conf file! Your line number may not be what you think!

How to test your server

I really like to use dig for my testing, as I've used it in class. With dig you can easily specify which server you want to query. If you have not already edited your /etc/resolv.conf file to point to your server at 127.0.0.1, you can use dig with the @ option to pick the server:

chris@coolname:~$ dig @127.0.0.1 thisisa.coolname.cs.colorado.edu a

; <<>> DiG 9.3.2 <<>> @127.0.0.1 thisisa.coolname.cs.colorado.edu a
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51076
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;thisisa.coolname.cs.colorado.edu. IN   A

;; ANSWER SECTION:
thisisa.coolname.cs.colorado.edu. 7200 IN A     128.138.202.101

;; AUTHORITY SECTION:
coolname.cs.colorado.edu. 7200  IN      NS      coolname.cs.colorado.edu.

;; ADDITIONAL SECTION:
coolname.cs.colorado.edu. 7200  IN      A       128.138.202.101

;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar  8 07:35:42 2007
;; MSG SIZE  rcvd: 96

Your machine name does not resolve in DNS

I have delegated your domain to you so you are authoritative. If you cannot ping your machine with the name:

chris@coolname:~$ ping coolname.cs.colorado.edu
ping: unknown host coolname.cs.colorado.edu

...then you have not set up your master zone file correctly! You MUST set up an A record on the domain apex (@) that holds the IP address of your machine. If you don't know what this means, then send me email quickly.

Serial Numbers

It is very important to increase the value of the serial number every single time you change the zone file. Otherwise slaves will not be able to update from your master information properly. Always start with the current day and use indexes into the current day if you're editing more than once.

Overriding the default TTL

I ask you to set the timeout of the worldview entry 'shorttimeout' to 5 minutes. Two things to note about overriding the default TTL:

  1. You can only use an integer number of seconds, not the nice human-readable '5M'.
  2. A TTL is set for the domain, and NOT an individual Resource Record, meaning if you override the TTL to 5 minutes, you must override the TTL on ALL resource records for that domain entry in your zone file.
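The worldview zone file from tasks 6 through 9, with the 'shorttimeout' override from this section, as an added example (not part of the original lab). It assumes the machine is 'coolname' at 128.138.202.101 and that hostmaster@coolname.cs.colorado.edu is the SOA contact; the classview file uses the same header with the task 8 records instead.

```bind
; /etc/bind/worldview-coolname.cs.colorado.edu.forward - added example, not from the lab.
; Assumed host: coolname.cs.colorado.edu at 128.138.202.101; SOA contact is assumed.
; All times are plain seconds; the comments give the lab's human-readable values.
$TTL 43200                          ; 12 hours: default TTL for every record below
@   IN  SOA  coolname.cs.colorado.edu. hostmaster.coolname.cs.colorado.edu. (
            2008030101              ; serial: YYYYMMDDxx, xx = edit index for that day
            28800                   ; refresh: 8 hours
            1800                    ; retry:   30 minutes
            1209600                 ; expire:  14 days
            1800 )                  ; minimum (negative-caching) TTL: 30 minutes

; Task 7: records on the apex (@)
@               IN  NS     @
@               IN  A      128.138.202.101
@               IN  TXT    "This is the master nameserver for coolname.cs.colorado.edu"

; Task 9: worldview records (relative names are under coolname.cs.colorado.edu)
csel            IN  A      128.138.202.19
dontmesswiththe IN  A      128.138.202.101
google          IN  CNAME  myfakegoogle
myfakegoogle    IN  CNAME  @
www             IN  CNAME  @
; The TTL field between the owner and the class overrides $TTL for this name;
; shorttimeout has only this one record, so nothing else needs the override.
shorttimeout  300 IN  A    128.138.202.1     ; 5 minutes
```

Bump the serial every time you edit either file; run named-checkzone on the file before restarting, as described under 'How to check if your configuration or zone files are syntactically correct'.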

'CHROOTing' your server

You are not chrooting your server to '/var/lib/named' as is described in the how-to at the top of this lab! You are chrooting your existing directory /etc/bind instead. Be sure you change the paths in the how-to appropriately for the directory we're using in this lab.

The /etc/init.d/bind9 startup script actually sources the file /etc/default/bind9 which contains options for how the daemon is started. You want to edit this file (as is described in the How-To linked at the top of the lab) to chroot your server. Beware that when you chroot your server, all of the file references in your named.conf config file will change as if the directory /etc/bind looked exactly like the root directory, '/'!