CTS-2333 (Unix/Linux Networking) Project #5
DNS Server Configuration


Due: by the start of class on the date shown on the syllabus

Description:

In this project you will build and use your own name servers (DNS).  After configuring a name server you then configure the resolver to use the name server and no longer use the /etc/hosts file.  (This project is a continuation of the Building a Caching-only DNS server from the CTS-2322 course.)

This project has two parts.  In the first part you will build a primary name server.  In the second part you will build a secondary name server on your second host.

Perform the following tasks and answer the following questions:

Part I: Master name server:

For this part you will construct and run a primary DNS (BIND) name server.  This name server will be authoritative for our fictitious kaos.coop domain.  You will configure the resolver to use this DNS name server only, and to consult DNS before files.

  1. Edit the named.conf to add the sections that declare this name server to be the master name server for the two zones (the kaos.coop zone and the 80.142.10.in-addr.arpa zone) needed to support our class network.  The additional entries should look something like this (you should choose your own file names):

       zone "kaos.coop" {
           type master;
           file "kaos.coop.zone";
       };

       zone "80.142.10.in-addr.arpa" {
           type master;
           file "10.142.255.zone";
       };


    Next, adjust any options you see fit.  (As an authoritative server, normally you wouldn't allow recursive queries.  In our case, you should allow them.  You can limit (recursive or all) queries to only those from the local LAN, to prevent abuse.)  You should configure any security options you see fit, logging, etc.

    What changes did you make to this file?  (You should show the changes by providing diff output.)

  2. Create the new zone data files, using the same file names as in the zone sections above.  Where should you put zone files?  Which statement in the named.conf file says this?

    A sample kaos.coop.zone file might look something like this.  (Add the correct entries for our class, from your existing /etc/hosts file (if created in a previous project) or from the Networking Class Host Name List found on the class wiki.)

    kaos.coop.zone

    $TTL    1D
    $ORIGIN kaos.coop.
    @                  IN SOA  ns.kaos.coop. root.moe.kaos.coop.  (
                               2009112400 ; serial
                               3H         ; refresh
                               15M        ; retry
                               1W         ; expire
                               1D )       ; minimum
    @                  IN  NS  ns.kaos.coop.
    gateway            IN  A 10.142.255.1
    ns                 IN  A 10.142.255.2
    moe                IN  A 10.142.255.10
    larry              IN  A 10.142.255.11
    curly              IN  A 10.142.255.12
    shemp              IN  A 10.142.255.13
    

    and a sample 10.142.255.zone might look like this:

    10.142.255.zone

    $TTL    86400
    $ORIGIN 80.142.10.in-addr.arpa.
    @       IN      SOA     ns.kaos.coop. root.moe.kaos.coop.  (
                            2009112401 ; Serial
                            3H         ; Refresh
                            15M        ; Retry
                            1W         ; Expire
                            1D )       ; Minimum
                  IN      NS      localhost.
    
    1       IN  PTR  gateway.kaos.coop.
    2       IN  PTR  ns.kaos.coop.
    10      IN  PTR  moe.kaos.coop.
    11      IN  PTR  larry.kaos.coop.
    12      IN  PTR  curly.kaos.coop.
    13      IN  PTR  shemp.kaos.coop.
    

    What are the contents of the zone files you created?

  3. Test your configuration and zone files using the commands named-checkconf and named-checkzone.  What are the exact commands you ran?  What were the results?  If any errors are found, fix them and then retest until no errors remain.
  4. Start the name server (named) from the command line.  This can be done by the normal method of init.d/named start, or by using the rndc start command.  (See the man page for more information about rndc.)  Examine the system log files for any errors.
  5. Update the resolver to use the local name server.  This is done by editing the file /etc/resolv.conf to include the line
    nameserver 0.0.0.0

    before any other name server lines.  Then verify (and edit if necessary) that nsswitch.conf uses DNS before /etc/hosts when resolving host names.  What is the correct line in nsswitch.conf for this?

  6. To support legacy applications that use an old version of the resolver libraries, you should also update the /etc/host.conf file.  What are the correct contents of host.conf to have the resolver use DNS before /etc/hosts?
  7. To ensure you're using the name server and not the hosts file, you should copy the hosts file to a safe location and then edit the original file by removing all entries except the two for your system (localhost and the line for your static IP address).
  8. Test the name server.  What is the output of the following:
    dig www.hccfl.edu
    getent hosts www.hccfl.edu
    dig wpserver.kaos.coop
    getent hosts wpserver.kaos.coop

    How do dig and getent differ in their operation?

  9. If all is working, make the changes permanent by configuring named to start automatically at boot time.  What steps did you take to do this?  Be sure to restore the /etc/hosts file if you later plan on running your server without using your DNS server.
  10. Test your setup by rebooting, then ping some names such as wpserver.kaos.coop, wpserver, yborstudent.hccfl.edu, and yborstudent.  What are the results?  If any names fail to resolve, what was the problem?
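Added example for steps 2 and 3 of Part I (this script is not part of the handout): once the forward zone file exists, the reverse zone's PTR records can be derived from its A records instead of being typed a second time, and the two files can be checked against each other before you run named-checkzone.  The forward zone text below is copied from the sample kaos.coop.zone above; the reverse zone is a constructed one with two deliberate faults so that the check has something to report.  The function names, the assumption that records are written one per line as "name [IN] A address", and the /24 prefix argument are this example's own.  The PTR owner names are the last octet only, so the prefix you pass must match the $ORIGIN of the reverse zone you are building.

```shell
#!/bin/sh
# Added example, not part of the course handout: keep the forward and reverse
# zones in step. gen_ptr derives PTR records from the A records of a forward
# zone, check_rev reports A records with no PTR (and PTRs with no A record),
# and bump_serial implements the YYYYMMDDnn serial convention used in the
# handout's SOA records. Only POSIX sh, awk, sed, grep and sort are used.
# Assumes zone records are written "name [IN] A address" on one line each.

# Constructed sample forward zone, copied from the handout's kaos.coop.zone.
FWD_ZONE='$TTL    1D
$ORIGIN kaos.coop.
@                  IN SOA  ns.kaos.coop. root.moe.kaos.coop.  (
                           2009112400 ; serial
                           3H         ; refresh
                           15M        ; retry
                           1W         ; expire
                           1D )       ; minimum
@                  IN  NS  ns.kaos.coop.
gateway            IN  A 10.142.255.1
ns                 IN  A 10.142.255.2
moe                IN  A 10.142.255.10
larry              IN  A 10.142.255.11
curly              IN  A 10.142.255.12
shemp              IN  A 10.142.255.13'

# Constructed reverse zone with two deliberate faults: shemp has no PTR, and
# 14 points at a host that has no A record.
REV_ZONE='$TTL    86400
1       IN  PTR  gateway.kaos.coop.
2       IN  PTR  ns.kaos.coop.
10      IN  PTR  moe.kaos.coop.
11      IN  PTR  larry.kaos.coop.
12      IN  PTR  curly.kaos.coop.
14      IN  PTR  ghost.kaos.coop.'

# gen_ptr ORIGIN PREFIX  (forward zone text on stdin)
# Print one PTR record per A record whose address lies inside PREFIX (a /24).
gen_ptr() {
    awk -v origin="$1" -v prefix="$2" '
        # accept both "name IN A addr" and the class-less "name A addr"
        { type = ($2 == "IN") ? $3 : $2; addr = ($2 == "IN") ? $4 : $3 }
        type == "A" && split(addr, o, ".") == 4 && (o[1] "." o[2] "." o[3]) == prefix {
            printf "%-7s IN  PTR  %s.%s.\n", o[4], $1, origin
        }'
}

# check_rev FWD REV ORIGIN PREFIX
# Return 0 when every A record has its PTR and every PTR has its A record;
# otherwise list the differences and return 1.
check_rev() {
    want=$(printf '%s\n' "$1" | gen_ptr "$3" "$4" | awk '{ print $1, $4 }' | sort)
    have=$(printf '%s\n' "$2" | awk '$2 == "IN" && $3 == "PTR" { print $1, $4 }' | sort)
    [ "$want" = "$have" ] && return 0
    # An A record with no PTR: reverse lookups of that host will fail.
    printf '%s\n' "$want" | while read -r rec; do
        printf '%s\n' "$have" | grep -Fxq -- "$rec" || echo "missing PTR: $rec"
    done
    # A PTR with no A record: a stale or bogus reverse entry.
    printf '%s\n' "$have" | while read -r rec; do
        printf '%s\n' "$want" | grep -Fxq -- "$rec" || echo "stale PTR:   $rec"
    done
    return 1
}

# bump_serial OLD [TODAY]
# YYYYMMDDnn convention: same day -> nn + 1, a later day -> YYYYMMDD00.
# TODAY defaults to the current date; passing it makes the function testable.
bump_serial() {
    old=$1
    today=${2:-$(date +%Y%m%d)}
    case "$old" in
        ''|*[!0-9]*) echo "bump_serial: '$old' is not numeric" >&2; return 1 ;;
        "$today"[0-9][0-9])
            # Same day: increment the two-digit counter, which tops out at 99.
            rest=${old#"$today"}
            n=$(printf '%s' "$rest" | sed 's/^0*//')
            n=$(( ${n:-0} + 1 ))
            [ "$n" -le 99 ] || { echo "bump_serial: no serials left for $today" >&2; return 1; }
            printf '%s%02d\n' "$today" "$n" ;;
        *)
            if [ "$old" -lt "${today}00" ]; then
                printf '%s00\n' "$today"        # first change today
            else
                # Serial already ahead of today's range (a typo in the past):
                # a slave only transfers when the serial grows, so never go
                # backwards; just add one.
                printf '%s\n' "$(( old + 1 ))"
            fi ;;
    esac
}

# Demonstration on the constructed samples.
printf '%s\n' "$FWD_ZONE" | gen_ptr kaos.coop 10.142.255
check_rev "$FWD_ZONE" "$REV_ZONE" kaos.coop 10.142.255 || echo "fix the reverse zone before reloading named"
bump_serial 2009112400 20091124    # prints 2009112401
```

Running the script prints the six PTR records, then the two faults in the constructed reverse zone.  bump_serial never returns a value smaller than the one it was given: a secondary only transfers a zone whose serial has grown, so a serial that was once set too high is simply incremented rather than being reset to today's date.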

Part II: Slave name server:

For this part you will construct and run a secondary DNS (BIND) name server on a second host.  However, the default configuration on the primary server blocks external access to the name server.  Before you can set up the secondary server, you must make a few changes on the primary server:

  1. Make sure SELinux is off or running in permissive mode.
  2. Edit the named.conf file on the master (primary), by changing this line (in the options section):
       listen-on port 53 { 127.0.0.1; };

    to:

       listen-on port 53 { any; };
  3. Optionally, you can allow remote hosts to query your name server.  By default only queries coming from localhost are permitted.  If you want to allow other hosts to list your name server in their resolv.conf file, or to run tools such as dig using your name server, then change this line (in the options section):
       allow-query { localhost; };

    to:

       allow-query { any; };

    Now check for any errors, then restart the server.  Examine the log files for any problems.

  4. Finally, you need to make a hole in the firewall so your slave server can contact your master name server.  This means allowing new TCP connections from the slave server to port 53 on the master server.  Additionally, to allow general queries from the outside world, you need to allow incoming UDP traffic to port 53.  Make the following changes to /etc/sysconfig/iptables.
    From this:
    -A INPUT -i lo -j ACCEPT

    to this:

    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -s slave-IP --dport 53 -j ACCEPT
    -A INPUT -p udp --dport 53 -j ACCEPT

    (Where slave-IP is the IP address of your slave server.)  Then restart the iptables service.

  5. Examine the log files for any errors.  Then make journal entries of all the changes you made.

    Now you're ready to configure the secondary server!  Follow these steps:

  6. Configure the resolver on the secondary host exactly the same as for the first host (running the primary name server).  This will include having the resolver use the name server running on the localhost, and removing all extra entries from /etc/hosts.  Record the changes you made.
  7. Edit the named.conf file, to make it a slave for the kaos.coop and the 0.80.142.10.in-addr.arpa zones.  Do not change the other zones (e.g., for localhost).  What changes did you make to the default (caching-only) name server's configuration file, to have it become a secondary (slave) name server?  You should show the differences with diff.  (Hint:  Compare the sample named.conf files I've provided and note the differences.)
  8. Test your configuration file using the command named-checkconf.  What is the exact command you ran?  What was the result?  If any errors are found, fix them and then retest until no errors remain.
  9. Start the name server (named) from the command line.  Wait a while, then examine the system log files for any errors.
  10. Test the name server.  What is the output of the following:
    dig www.hccfl.edu
    getent hosts www.hccfl.edu
    dig wpserver.kaos.coop
    getent hosts wpserver.kaos.coop
  11. If all is working, make the changes permanent by configuring named to start automatically at boot time.
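Added example for step 1 of Part I (the options and security settings of the master) and step 7 of Part II (the slave's configuration); the script is not part of the handout and not from BIND itself.  It renders the named.conf stanzas for either role from one set of parameters and then diffs the two files, which is the comparison the hint above asks for.  The acl name "lan", the log file path, the RHEL-style /var/named and /var/named/slaves directories, and the three addresses are this example's own assumptions; the addresses are constructed placeholders for the class network.  One setting the handout does not mention is allow-transfer: without it, BIND answers a zone transfer request from any host, so the master below limits transfers to the slave and the slave refuses them altogether.

```shell
#!/bin/sh
# Added example, not from the course handout or from BIND: render the
# named.conf stanzas for the master (Part I, step 1) and the slave (Part II,
# step 7) from one set of parameters, then diff the two as the hint suggests.
# Assumptions: the acl name "lan", the log file path, the RHEL-style
# /var/named and /var/named/slaves directories, and the three addresses
# below, which are constructed placeholders for the class network.

LAN_NET=10.142.255.0/24        # constructed: the class LAN
MASTER_IP=10.142.255.10        # constructed: the host running the master
SLAVE_IP=10.142.255.11         # constructed: the host running the slave

# render_zone ROLE NAME FILE: one zone stanza. The slave pulls the zone from
# MASTER_IP and keeps its copy under slaves/, which named must be able to write.
render_zone() {
    if [ "$1" = master ]; then
        printf 'zone "%s" {\n    type master;\n    file "%s";\n};\n\n' "$2" "$3"
    else
        printf 'zone "%s" {\n    type slave;\n    masters { %s; };\n    file "slaves/%s";\n};\n\n' \
            "$2" "$MASTER_IP" "$3"
    fi
}

# render_named_conf ROLE: acl, options, logging and the two class zones.
render_named_conf() {
    role=$1
    cat <<EOF
acl lan { 127.0.0.1; ${LAN_NET}; };

options {
    directory "/var/named";
    listen-on port 53 { any; };
    allow-query { any; };        # anyone may ask for the authoritative data
    allow-recursion { lan; };    # but only the LAN may use this server as a resolver
    version "not disclosed";
EOF
    if [ "$role" = master ]; then
        # Without allow-transfer, BIND hands the whole zone to any host that
        # asks for an AXFR; restrict it to the slave and notify it of changes.
        printf '    allow-transfer { %s; };\n    notify yes;\n' "$SLAVE_IP"
    else
        printf '    allow-transfer { none; };\n'
    fi
    cat <<'EOF'
};

logging {
    channel named_log {
        file "/var/log/named/named.log" versions 3 size 5m;
        severity info;
        print-time yes;
    };
    category default  { named_log; };
    category security { named_log; };   # refused queries and transfers
    category xfer-in  { named_log; };   # the slave's transfers from the master
    category xfer-out { named_log; };   # the master's transfers to the slave
};

EOF
    render_zone "$role" kaos.coop kaos.coop.zone
    render_zone "$role" 80.142.10.in-addr.arpa 10.142.255.zone
}

# conf_diff: render both roles and show what separates a master from a slave.
# Returns diff's status, which is 1 when the files differ (the expected case).
conf_diff() {
    tmp=$(mktemp -d) || return 2
    render_named_conf master > "$tmp/named.conf.master"
    render_named_conf slave  > "$tmp/named.conf.slave"
    diff -u "$tmp/named.conf.master" "$tmp/named.conf.slave"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# check_conf FILE: syntax-check with named-checkconf when BIND is installed.
check_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        echo "named-checkconf not installed; skipping syntax check of $1" >&2
    fi
}

# Demonstration: show the diff, then syntax-check the master's file if possible.
conf_diff
conf_dir=$(mktemp -d)
render_named_conf master > "$conf_dir/named.conf"
check_conf "$conf_dir/named.conf"
rm -rf "$conf_dir"
```

The diff shows exactly four differences: the master carries allow-transfer for the slave and notify yes, while the slave carries allow-transfer { none; }, and each zone swaps type master for type slave plus a masters list and a slaves/ file path; everything else, including the acl that limits recursion to the LAN, is identical on both hosts.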

Additional Notes:

It is always a good idea to make a copy of any files before making any changes.  You can also use RCS.  Then you can see the differences easily using diff or rcsdiff.  If you fail to make a copy first, you can look at the file on an unchanged different host.  Or you can move the modified file, and re-install the original using the rpm (or other package management) tool.

If either of your hosts is using DHCP rather than a static IP setup, the changes you made to your resolver will vanish the next time you boot.  You should be running a static IP setup, but if not, you can configure dhclient to not mess up your resolv.conf entries.

Sample DNS files for various configurations can be found in the resources section of our class web page.  These files are for a different network scenario but you should be able to use them as models for your setup.

What additional changes to the resolver configuration would be needed to use DHCP or PPP instead of static IP addresses?

If you want some other host in our class to use your name server you must adjust the firewall rules to allow other hosts access to your DNS server.

To be turned in:

Submit your journal entries showing the steps you have taken and the answers to the questions asked.  You can send it as email to (preferred).  If email is a problem for some reason, you may turn in a hard copy.  In this case the pages should be readable, dated, and stapled together.  Your name should appear on the first page.

Don't turn in your whole journal; you will need to add to it every day in class!  It is common, in fact, to keep the journal as a text file on the system (with a paper backup, of course).

Please see your syllabus for more information about submitting projects.