Differences

This shows you the differences between two versions of the page.


scgc:laboratoare:01 [2018/02/27 17:27]
victor.ciurel [Lab Setup]
scgc:laboratoare:01 [2021/10/27 14:07] (current)
maria.mihailescu
Line 1: Line 1:
-====== ​Laboratory 01. DNS ======+====== ​Naming Services: ​DNS ======
 ===== Lab Setup ===== ===== Lab Setup =====
  
-  * We will be using two virtual machines in the [[http://​cloud.curs.pub.ro/​|faculty'​s cloud]]. +  * We will be using two virtual machines in the [[http://​cloud.grid.pub.ro/​|faculty'​s cloud]].
-  * When creating a virtual machine follow the steps in this [[https://​cloud.curs.pub.ro/​about/​tutorial-for-students/​|tutorial]].+
   * Create two VMs (one will be our DNS master server and one will be our DNS slave server)   * Create two VMs (one will be our DNS master server and one will be our DNS slave server)
   * When creating a virtual machine in the Launch Instance window:   * When creating a virtual machine in the Launch Instance window:
     * Select **Boot from image** in **Instance Boot Source** section     * Select **Boot from image** in **Instance Boot Source** section
-    * For the master VM select **Debian ​8.6** in **Image Name** section+    * For the master VM select **Debian ​10.3** in **Image Name** section
     * For the slave VM select **Centos 7** in **Image Name** section     * For the slave VM select **Centos 7** in **Image Name** section
 +    * Select the **m1.small** flavor for both VMs.
 +  * The usernames for connecting to the VMs are:
 +    * ''​debian''​ for **Debian 10.3**
 +    * ''​student''​ for **CentOS 7**
   * For ease of use we recommend adding entries in the ''/​etc/​hosts''​ file corresponding to the slave and master VMs   * For ease of use we recommend adding entries in the ''/​etc/​hosts''​ file corresponding to the slave and master VMs
     * ''<​ip_master>​ master''​     * ''<​ip_master>​ master''​
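Review bot: the bullet linking to the VM-creation tutorial is dropped without a replacement, so the "Launch Instance window" bullets are now the only guidance for creating the VMs; either link the tutorial on the new cloud.grid.pub.ro host or state that the list below is the complete procedure. The new username bullets are useful, but they say nothing about how students authenticate to the VMs; one line on that would make the setup self-contained.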
Line 14: Line 17:
     * These two lines will allow using ''​master''​ instead of the IP address of the master VM for clarity. Likewise, we can use ''​slave''​ instead of the IP address of the slave VM.     * These two lines will allow using ''​master''​ instead of the IP address of the master VM for clarity. Likewise, we can use ''​slave''​ instead of the IP address of the slave VM.
 ===== Tasks ====== ===== Tasks ======
-==== 1. DNS resolvers ====+==== 1. [15p] DNS resolvers ====
 In this task we will examine how we ca use two DNS resolvers to query DNS servers. The two DNS resolvers we will use are **host** and **dig**. However before we use them, we first have to install them. In this task we will examine how we ca use two DNS resolvers to query DNS servers. The two DNS resolvers we will use are **host** and **dig**. However before we use them, we first have to install them.
  
Line 23: Line 26:
 [...] [...]
 </​code>​ </​code>​
-=== 1.1 host ===+=== 1.1 [5p] host ===
 Next, we find out the IP address of a website using **host**. Next, we find out the IP address of a website using **host**.
 <​code>​ <​code>​
Line 116: Line 119:
 </​code>​ </​code>​
  
-=== 1.2 dig ===+=== 1.2 [10p] dig ===
 Now use **dig** to get the detailed information,​ the IP address and specific records for a website. Also, use dig to query the Google DNS server ''​8.8.8.8''​ Now use **dig** to get the detailed information,​ the IP address and specific records for a website. Also, use dig to query the Google DNS server ''​8.8.8.8''​
  
Line 122: Line 125:
 It is noteworthy, that dig and host do not use ''/​etc/​nsswitch.conf''​ for querying DNS servers and they do not use the system'​s DNS resolver, which is usually a library. We can see this from the following commands: It is noteworthy, that dig and host do not use ''/​etc/​nsswitch.conf''​ for querying DNS servers and they do not use the system'​s DNS resolver, which is usually a library. We can see this from the following commands:
 <​code>​ <​code>​
-root@master:​~#​ strace -e open host acs.pub.ro+root@master:​~#​ strace -e openat ​host acs.pub.ro
 [...] [...]
-open("/​etc/​resolv.conf",​ O_RDONLY) ​     = 6+openat(AT_FDCWD, ​"/​etc/​resolv.conf",​ O_RDONLY) ​     = 6
 acs.pub.ro has address 141.85.227.151 acs.pub.ro has address 141.85.227.151
 acs.pub.ro mail is handled by 10 mx.acs.pub.ro. acs.pub.ro mail is handled by 10 mx.acs.pub.ro.
 [...] [...]
-root@master:​~#​ strace -e open ping -c 1 acs.pub.ro+root@master:​~#​ strace -e openat ​ping -c 1 acs.pub.ro
 [...] [...]
-open("/​etc/​resolv.conf",​ O_RDONLY|O_CLOEXEC) = 4 +openat(AT_FDCWD, ​"/​etc/​resolv.conf",​ O_RDONLY|O_CLOEXEC) = 4 
-open("/​etc/​resolv.conf",​ O_RDONLY|O_CLOEXEC) = 4 +openat(AT_FDCWD, ​"/​etc/​resolv.conf",​ O_RDONLY|O_CLOEXEC) = 4 
-open("/​etc/​nsswitch.conf",​ O_RDONLY|O_CLOEXEC) = 4+openat(AT_FDCWD, ​"/​etc/​nsswitch.conf",​ O_RDONLY|O_CLOEXEC) = 4
 [...] [...]
-open("/​etc/​host.conf",​ O_RDONLY|O_CLOEXEC) = 4 +openat(AT_FDCWD, ​"/​etc/​host.conf",​ O_RDONLY|O_CLOEXEC) = 4 
-open("/​etc/​hosts",​ O_RDONLY|O_CLOEXEC) ​ = 4 +openat(AT_FDCWD, ​"/​etc/​hosts",​ O_RDONLY|O_CLOEXEC) ​ = 4 
-open("/​etc/​ld.so.cache",​ O_RDONLY|O_CLOEXEC) = 4 +openat(AT_FDCWD, ​"/​etc/​ld.so.cache",​ O_RDONLY|O_CLOEXEC) = 4 
-open("/​lib/​x86_64-linux-gnu/​libnss_dns.so.2",​ O_RDONLY|O_CLOEXEC) = 4 +openat(AT_FDCWD, ​"/​lib/​x86_64-linux-gnu/​libnss_dns.so.2",​ O_RDONLY|O_CLOEXEC) = 4 
-open("/​lib/​x86_64-linux-gnu/​libresolv.so.2",​ O_RDONLY|O_CLOEXEC) = 4+openat(AT_FDCWD, ​"/​lib/​x86_64-linux-gnu/​libresolv.so.2",​ O_RDONLY|O_CLOEXEC) = 4
 PING acs.pub.ro (141.85.227.151) 56(84) bytes of data. PING acs.pub.ro (141.85.227.151) 56(84) bytes of data.
-open("/​etc/​hosts",​ O_RDONLY|O_CLOEXEC) ​ = 4+openat(AT_FDCWD, ​"/​etc/​hosts",​ O_RDONLY|O_CLOEXEC) ​ = 4
 64 bytes from acs.pub.ro (141.85.227.151):​ icmp_seq=1 ttl=62 time=0.688 ms 64 bytes from acs.pub.ro (141.85.227.151):​ icmp_seq=1 ttl=62 time=0.688 ms
  
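Review bot: `strace -e openat` matches the Debian 10 master, whose glibc opens files through openat(), but on the CentOS 7 slave the older glibc still calls open(), so the same command there shows no file opens at all. Since students work on both VMs, `strace -e trace=open,openat host acs.pub.ro` gives the same evidence on either system and avoids a confusing empty trace.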
Line 149: Line 152:
 We can see that host will use the ''/​etc/​resolv.conf''​ file directly, while the ping command reads the resolver configuration first: the ''/​etc/​nsswitch.conf''​ and the ''/​etc/​resolv.conf''​ file are opened and then calls are made to the resolving library (libresolv.so.2). We can see that host will use the ''/​etc/​resolv.conf''​ file directly, while the ping command reads the resolver configuration first: the ''/​etc/​nsswitch.conf''​ and the ''/​etc/​resolv.conf''​ file are opened and then calls are made to the resolving library (libresolv.so.2).
 </​note>​ </​note>​
-==== 2. DNS server ====+==== 2. [30p] DNS server ====
  
 Now that we have seen how we can query DNS servers, let's configure our very own DNS server on the master VM using **bind**. Now that we have seen how we can query DNS servers, let's configure our very own DNS server on the master VM using **bind**.
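Review bot: the summary sentence does not match the trace it describes: for ping, /etc/resolv.conf is opened first, then /etc/nsswitch.conf, then /etc/host.conf and /etc/hosts (the latter twice), and only afterwards are libnss_dns and libresolv loaded. The point worth stating explicitly is that ping goes through the system resolver, which honours the `hosts:` order in nsswitch.conf and therefore /etc/hosts, while host and dig send the query straight to the nameserver in resolv.conf; so a name added to /etc/hosts in the Lab Setup resolves for ping but a `host master` lookup of that same name goes to DNS.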
Line 165: Line 168:
 We will set up the master VM to respond to queries about our very own domain. Use ''<​your_last_name>​.ro''​ as your very own domain name. In the following examples we will be using ''​scgc.ro''​ as our domain. We will set up the master VM to respond to queries about our very own domain. Use ''<​your_last_name>​.ro''​ as your very own domain name. In the following examples we will be using ''​scgc.ro''​ as our domain.
  
-=== 2.1 Simple DNS configuration ===+=== 2.1 [10p] Simple DNS configuration ===
  
 First, we will configure our DNS server to listen for queries received from outside the server. For this we have to add the following line to the ''/​etc/​bind/​named.conf.options''​ file: First, we will configure our DNS server to listen for queries received from outside the server. For this we have to add the following line to the ''/​etc/​bind/​named.conf.options''​ file:
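Review bot: this is the step that makes named reachable from the network, and until task 3.1 is done the server also answers recursive queries for anyone who can reach it (3.1 itself states that recursion is on by default). Suggest a sentence here saying the listener is opened now so the slave can test it, and that recursion is restricted in task 3, so students do not leave an open resolver on the cloud network between the two tasks.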
Line 196: Line 199:
  type master;  type master;
  file "/​etc/​bind/​db.scgc.ro";​ # zone file path  file "/​etc/​bind/​db.scgc.ro";​ # zone file path
-}+};
 </​file>​ </​file>​
  
Line 266: Line 269:
 </​file>​ </​file>​
  
-=== 2.2 Testing our configuration ===+=== 2.2 [10p] Testing our configuration ===
  
 Now that we have the a minimal configuration,​ let us check that it works. Run the following command to check the syntax of the named.conf* files: Now that we have the a minimal configuration,​ let us check that it works. Run the following command to check the syntax of the named.conf* files:
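Review bot: typo in the first sentence, "Now that we have the a minimal configuration". Worth adding that this named-checkconf step is exactly what catches the `}` versus `};` error corrected in the zone block above, so a student who still has the old version gets a clear syntax error here instead of a named that refuses to start.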
Line 290: Line 293:
 Now we should be able to test our DNS server. We will be using //host//, however feel free to use //dig// or any other command to test your server: Now we should be able to test our DNS server. We will be using //host//, however feel free to use //dig// or any other command to test your server:
 <​code>​ <​code>​
-root@master:​~#​ host www.scgc.ro ​10.9.107.151+root@master:​~#​ host www.scgc.ro ​localhost
 Using domain server: Using domain server:
 Name: 10.9.107.151 Name: 10.9.107.151
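Review bot: the command now queries `localhost` but the captured output was not regenerated: host echoes the server argument as given, so the block should show `Name: localhost` with `Address: 127.0.0.1#53` (or `::1#53`, depending on /etc/hosts order) rather than `Name: 10.9.107.151`. The same mismatch applies to the two localhost blocks that follow and to the slave-side block that switches to `master`.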
Line 297: Line 300:
  
 www.scgc.ro has address 10.9.107.151 www.scgc.ro has address 10.9.107.151
-root@master:​~#​ host -t ns scgc.ro ​10.9.107.151+root@master:​~#​ host -t ns scgc.ro ​localhost
 Using domain server: Using domain server:
 Name: 10.9.107.151 Name: 10.9.107.151
Line 304: Line 307:
  
 scgc.ro name server ns1.scgc.ro. scgc.ro name server ns1.scgc.ro.
-root@master:​~#​ host ns1.scgc.ro ​10.9.107.151+root@master:​~#​ host ns1.scgc.ro ​localhost
 Using domain server: Using domain server:
 Name: 10.9.107.151 Name: 10.9.107.151
Line 315: Line 318:
 Now let's try to query from outside the server. We will test that the **slave** VM will receive the same response(replace with the appropriate name and IP address): Now let's try to query from outside the server. We will test that the **slave** VM will receive the same response(replace with the appropriate name and IP address):
 <​code>​ <​code>​
-[root@slave ~]# host www.scgc.ro ​10.9.107.151+[root@slave ~]# host www.scgc.ro ​master
 Using domain server: Using domain server:
 Name: 10.9.107.151 Name: 10.9.107.151
Line 330: Line 333:
 </​note>​ </​note>​
  
-=== 2.3 Additional records ===+=== 2.3 [10p] Additional records ===
  
 Add another NS record to the zone corresponding to the slave IP address and two MX records(one for the master with priority 10 and one for the slave with priority 20). Restart your BIND server and test your configurations. Add another NS record to the zone corresponding to the slave IP address and two MX records(one for the master with priority 10 and one for the slave with priority 20). Restart your BIND server and test your configurations.
  
-==== 3. Fine tuning DNS servers ====+==== 3. [15p] Fine tuning DNS servers ====
  
-=== 3.1 Allow only local recursive queries ===+=== 3.1 [10p] Allow only local recursive queries ===
  
 By default, bind will make recursive queries for any unknown query received. Recursive queries are quite costly, therefore they should only be allowed explicitly. We can check this by quering for ''​google.com''​ from the master and slave VMs: By default, bind will make recursive queries for any unknown query received. Recursive queries are quite costly, therefore they should only be allowed explicitly. We can check this by quering for ''​google.com''​ from the master and slave VMs:
  
 <​code>​ <​code>​
-root@master:​~#​ host google.com ​10.9.107.151+root@master:​~#​ host google.com ​localhost
 Using domain server: Using domain server:
 Name: 10.9.107.151 Name: 10.9.107.151
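Review bot: the justification in 3.1 ("recursive queries are quite costly") undersells the point: an authoritative server that recurses for anyone is an open resolver that can be used for reflection and amplification and exposes its cache to poisoning, which is the real reason `allow-recursion` should list only trusted networks; suggest stating that alongside the cost argument. Also "quering" should be "querying", and the restart instruction in 2.3 should mention incrementing the SOA serial after editing the zone, otherwise the slave configured in task 4 will not pick up the change.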
Line 355: Line 358:
 google.com mail is handled by 20 alt1.aspmx.l.google.com. google.com mail is handled by 20 alt1.aspmx.l.google.com.
  
-[root@slave ~]# host google.com ​10.9.107.151+[root@slave ~]# host google.com ​master
 Using domain server: Using domain server:
 Name: 10.9.107.151 Name: 10.9.107.151
Line 386: Line 389:
  
 <​code>​ <​code>​
-[root@slave ~]# host google.com ​10.9.107.151+[root@slave ~]# host google.com ​master
 Using domain server: Using domain server:
 Name: 10.9.107.151 Name: 10.9.107.151
Line 395: Line 398:
 </​code>​ </​code>​
  
-=== 3.2 Allow slave recursive queries ===+=== 3.2 [5p] Allow slave recursive queries ===
  
 Change the ''/​etc/​bind/​named.conf.options file''​ on the master VM to allow recursive queries from the slave VM. Change the ''/​etc/​bind/​named.conf.options file''​ on the master VM to allow recursive queries from the slave VM.
  
-==== 4. DNS zone transfer ====+==== 4. [20p] DNS zone transfer ====
  
 We now want to configure the ''​lab1.scgc.ro''​ on the slave DNS server(replace with your last name instead of scgc). This domain will be transfered from the master to the slave(DNS zone transfer). In order to correctly configure a zone transfer, we must follow these steps: We now want to configure the ''​lab1.scgc.ro''​ on the slave DNS server(replace with your last name instead of scgc). This domain will be transfered from the master to the slave(DNS zone transfer). In order to correctly configure a zone transfer, we must follow these steps:
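Review bot: the master-side configuration for the zone transfer introduced here should restrict `allow-transfer` to the slave's address rather than leaving it open (`any`), since an unrestricted AXFR hands the whole zone to anyone who asks; worth naming that option in the step list that follows. Minor: "transfered" should be "transferred", and the 3.2 quoting wraps the word "file" inside the '' markup (''/etc/bind/named.conf.options file'').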
Line 406: Line 409:
   - We transfer the ''​lab1.scgc.ro''​ domain from the master VM to the slave VM   - We transfer the ''​lab1.scgc.ro''​ domain from the master VM to the slave VM
  
-=== 4.1 Setup master DNS server ===+=== 4.1 [10p] Setup master DNS server ===
  
-Configure a DNS server ​on the client ​VM similarly to the master VM server, which will answer for queries about ''​lab1.scgc.ro''​. Your DNS zone must have at least an A record and a NS record for this exercise.+Configure a new DNS zone on the master ​VM similarly to the previous one, which will answer for queries about ''​lab1.scgc.ro''​. Your DNS zone must have at least an A record and a NS record for this exercise.
  
-=== 4.2 Zone transfer ===+=== 4.2 [10p] Zone transfer ===
  
 The slave VM has a Centos 7 operating system, which has some differences in the setup of the DNS server. The slave VM has a Centos 7 operating system, which has some differences in the setup of the DNS server.
  
-To install ​the *bind* use the following command:+To install **BIND** use the following command:
 <​code>​ <​code>​
 yum install bind yum install bind
Line 421: Line 424:
 On Red-Hat-based distributions bind will have the following characteristics:​ On Red-Hat-based distributions bind will have the following characteristics:​
  
-  * Service name: ''​named''​ +  * Service name: **named** 
-  * Main configuration and zone names file: ''​/​etc/​named.conf''​ +  * Main configuration and zone names file: **/​etc/​named.conf** 
-  * Default zone file location: ​''​/var/named/''​+  * Default zone file location: ​**/var/named/**
  
 In order to transfer the zone from the master server, we need to make the following configurations:​ In order to transfer the zone from the master server, we need to make the following configurations:​
Line 526: Line 529:
  
 The command has to produce similar output when run on the master VM. The command has to produce similar output when run on the master VM.
-==== 5. DNSSEC ====+ 
 +==== 5. [20p] Paired DNS zone transfer ==== 
 +Pair up with one of your peers. Each student will make the necessary changes in order for his master DNS server to be delegated the DNS zone of his colleague'​s master DNS server. You should be able to answer for queries about each others DNS domains. 
 + 
 +==== 6. [BONUS - 20p] DNSSEC ==== 
 + 
 +DNS is vulnerable to MITM attacks. An attacker can pretend to be a DNS server and supply an unsuspecting victim with the wrong IP address for a URL. In order to combat this, DNSSEC can be used and configured to validate the identity of the DNS server. Using the instructions from [[https://​www.digitalocean.com/​community/​tutorials/​how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2|here]],​ setup DNSSEC between the master and slave VM.
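Review bot: the DNSSEC description in task 6 is imprecise: DNSSEC does not validate the identity of the DNS server, it signs the zone data so that a validating resolver can check that records are authentic and unmodified (a chain of signatures anchored in the parent zone), and it does not hide the query from an on-path observer; rephrase accordingly, and "the wrong IP address for a URL" should be "for a name". Also "each others DNS domains" should be "each other's DNS domains", and the external tutorial link is the only guidance for a 20p task; a short list of the steps (generate keys, sign the zone, load the signed zone file, enable validation on the slave) would make it self-contained.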
scgc/laboratoare/01.1519745269.txt.gz · Last modified: 2018/02/27 17:27 by victor.ciurel
CC Attribution-Share Alike 3.0 Unported