Agenda: dns-reverse.txt

File dns-reverse.txt, 4.7 KB (added by trac, 5 years ago)
Line 
1DNS Exercise 4.2: Setting up Reverse DNS (in-addr.arpa.) for a /24 IP Block
2===========================================================================
3
4We are going to delegate the reverse /24 for your group to your
5nameservers.
6
7The allocation will be done based on your group number so if your Group
8is 1, that group will be responsible for 10.20.1.0/24, Group2 will be
9responsible for 10.20.2.0/24, etc...
10
11You will therefore setup reverse DNS for 10.20.X.0/24, where X is your
12Group number. You will create master nameservice on your own machine,
13for the X.20.10.in-addr.arpa zone, and someone else will setup their machine
14to be a slave server for X.20.10.in-addr.arpa.
15
16Then you will ask the administrator for the domain (your RIR in real life)
17above you (10.in-addr.arpa) to delegate the /24 to you.
18
19Please refer to the previous DNS exercise for setting up a domain
20
21
22Exercise
23--------
24
25*   Write the domain allocated to you here:  `____.20.10.in-addr.arpa.`
26    (e.g. Grp12 will write 12.20.10.in-addr.arpa.)
27
28*   Find someone who will agree to be slave for your domain. You must choose
29    someone on a DIFFERENT table to you. (Remember RFC2182: secondaries must
30    be on remote networks). You can have more than one slave if you wish.
31
32*   Create your zone file in `/etc/namedb/master/X.20.10.in-addr.arpa`
33    (where X is your Group number)
34
35
36- - - - - - - - - - - - - - - - - cut below - - - - - - - - - - - - - - -
37$TTL 10m
38@       IN      SOA     auth1.grpXXX.dns.nsrc.org.  yourname.example.com. (
39                                    2011021601    ; Serial
40                                    10m           ; Refresh
41                                    10m           ; Retry
42                                    4w            ; Expire
43                                    10m )         ; Negative
44
45    NS      auth1.grpXXX.dns.nsrc.org. ; master
46    NS      auth1.grpYYY.dns.nsrc.org. ; slave
47
481       IN  PTR auth1.grpX.dns.nsrc.org.
49
50$GENERATE 11-254 $  IN  PTR server$.MYTLD.
51
52- - - - - - - - - - - - - - - - - cut below - - - - - - - - - - - - - - -
53
54    Replace `yourname.example.com.` with your home E-mail address, changing
55    "@" to "." and adding a "." to the end.
56
57    Replace MYTLD with the new domain you picked in the previous DNS
58    delegation exercise.
59
60    We have chosen purposely low values for TTL, refresh, and retry to make
61    it easier to fix problems in the classroom. For a production domain you
62    would use higher values, e.g. `$TTL 1d`
63
64*   Edit `/etc/namedb/named.conf` to configure your machine as
65    master for your domain (see slides for information how to do this)
66
67*   Check that your config file and zone file are valid, and then reload the
68    nameserver daemon:
69
70        # named-checkconf
71        # named-checkzone X.20.10.in-addr.arpa \
72                  /etc/namedb/master/X.20.10.in-addr.arpa
73
74    *If there are any errors, correct them*
75
76        # rndc reload
77        # tail /var/log/messages
78
79    *If there are any errors, correct them*. Some configuration errors can
80    cause the daemon to die completely, in which case you may have to
81    start it again:
82
83        # /etc/rc.d/named restart
84
85*   Assist your slaves to configure themselves as slave for your domain, and
86    configure yourself as a slave if asked to do so by another table.
87    Again, the instructions for how to do this are on the slides. If you
88    have changed your `named.conf` so that you are a slave for someone
89    else, make sure there are no errors in `/var/log/messages` after you
90    do `rndc reload`.
91
92*   Check that you and your slaves are giving authoritative answers for
93    your domain:
94
95        # dig +norec @10.20.X.1  X.20.10.in-addr.arpa. soa
96        # dig +norec @10.20.Y.1  X.20.10.in-addr.arpa. soa
97
98    Check that you get an AA (authoritative answer) from both, and that
99    the serial numbers match.
100
101*   Now you are ready to request delegation. Bring the following form to the
102    classroom instructor:
103
104        Domain name:          __.20.10.in-addr.arpa.
105
106        Master nameserver:    auth1.grp___.dns.nsrc.org
107
108        Slave nameserver:     auth1.grp___.dns.nsrc.org.    (optional)
109
110*   You will not get delegation until the instructor has checked:
111
112    - Your nameservers are all authoritative for your domain
113    - They all have the same SOA serial number
114    - The NS records within the zone match the list of servers you are
115      requesting delegation for
116    - The slave(s) are not on the same desk as you
117
118*   Once you have delegation, find the names associated with
119    10.20.X.1 and 10.20.X.12
120
121    Try this:
122    - On your own machine
123
124        # dig +norec @10.20.X.1 -x 10.20.X.1
125        # dig +norec @10.20.X.1 -x 10.20.X.12
126
127    - On someone else's machine (who is not slave for you)
128    - On a machine elsewhere on the Internet, if you have access to one
129      (www.dnsstuff.com)
130