File 01-dns-dig-hands-on-v2.txt, 4.2 KB (added by Yoshiaki Kasahara, 7 years ago)
DNS Exercise 1
--------------

===========
Preparation
===========

1. Log in using SSH/Putty/... to your RESOLVER machine:

  (i.e. for group 1, you would use resolv.grp1.dns.nsrc.org)

    $ ssh sysadm@resolv.grpXX.dns.nsrc.org

    *** PLEASE MAKE SURE YOU ARE LOGGED IN TO YOUR 'RESOLV' MACHINE, AND ***
                  *** NOT IN YOUR 'AUTH1' or 'AUTH2' ***

2. On your RESOLVER machine, modify /etc/resolv.conf temporarily
   to point to 10.10.0.241 for this exercise

    $ sudo ee /etc/resolv.conf
or
    $ sudo vi /etc/resolv.conf

---- Before
search dns.nsrc.org
nameserver 10.10.0.230

---- After
search dns.nsrc.org
#nameserver 10.10.0.230
nameserver 10.10.0.241

===
DIG
===

1. Issue DNS queries using 'dig':

1a. Run each command, look for the ANSWER section and write down the result.
    Make a note of the TTL as well.

Repeat the command. Is the TTL the same? Are the responses Authoritative?

                                        RESULT 1            RESULT 2
                                        --------            --------
    $ dig your-favorite-domain a
    $ dig www.google.com. a
    $ dig afnog.org. mx
    $ dig NonExistentDomain.sometld any
    $ dig tiscali.co.uk. txt
    $ dig www.afrinic.net aaaa
    $ dig ipv6.google.com aaaa

1b. Now send some queries to another caching server.

    (Run each of the following twice, and note the time in ms for each attempt)

    $ dig @8.8.8.8 news.bbc.co.uk. a
    $ dig @resolver1.opendns.com yahoo.com. a
    $ dig @<a server of your choice> <domain of your choice> a

    How long did it take each answer to be received? (on the first, and
    on the second lookup)

2. Reverse DNS lookups

    Now try some reverse DNS lookups.

    $ dig -x 10.10.X.1
    $ dig -x 10.10.X.2
    $ dig -x 10.10.X.3

    ... where X is a number in the range 1-25

    Repeat for an IP address of your choice, on the Internet

    Now try to look up:

    $ dig 1.X.10.10.in-addr.arpa. PTR

    ... where X is in the range 1-25.

    What do you notice?

    Let's try IPv6 now:

    $ dig -x 2001:42d0::200:2:1

    What are the differences you can observe in the results, between reverse
    DNS for IPv6 and IPv4 addresses?

3. DNSSEC & EDNS0

    Try some of the queries above, this time adding the "+noedns" option.
    (From dig 9.9, EDNS0 is set by default)

    For example:

    $ dig www.icann.org +noedns

    Notice the absence of the OPT PSEUDOSECTION at the top of the output?

    What do you notice about the flags: section in the OPT section?

    Let's explicitly enable the BUFSIZE option, but not EDNS0:

    $ dig www.icann.org +bufsize=1024

    Notice that EDNS is set automatically, and notice the udp: size section
    in the OPT pseudosection.

    Now, let's try and retrieve DNSSEC records:

    $ dig isoc.org DNSKEY
    $ dig www.isoc.org RRSIG

    And finally, let's ask the DNS servers to perform DNSSEC validation:

    $ dig www.isoc.org A +dnssec
    $ dig isoc.org NS +dnssec

    Do you notice a new field in the "flags:" section of the answer?

    Compare with doing dig WITHOUT the +dnssec option:

    $ dig www.isoc.org A
    $ dig isoc.org NS

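Added example (not part of the original exercise): a shell function that pulls
out of dig's output the items the steps above ask you to compare, namely the
answer TTLs, the aa and ad header flags, and the do flag and udp size in the
OPT pseudosection. The name dig_summary and both sample replies
(www.example.org, 192.0.2.10) are constructed for illustration.

```sh
# dig_summary: read dig output on stdin, print the fields the exercise asks about.
# On the lab resolver: dig www.isoc.org A +dnssec | dig_summary
dig_summary() {
  awk '
    /^;; ->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
      print "status=" substr($0, RSTART + 8, RLENGTH - 8)
    }
    /^;; flags:/ {                  # aa = authoritative answer, ad = validated data
      f = $0; sub(/^;; flags: */, "", f); sub(/;.*/, "", f)
      print "flags=" f
      print "aa=" ((" " f " ") ~ / aa / ? "yes" : "no")
      print "ad=" ((" " f " ") ~ / ad / ? "yes" : "no")
    }
    /^; EDNS:/ {                    # this line exists only when EDNS0 was used
      edns = 1; e = $0; sub(/^.*flags: */, "", e); sub(/;.*/, "", e)
      print "do=" ((" " e " ") ~ / do / ? "yes" : "no")
      if (match($0, /udp: [0-9]+/)) print "udp=" substr($0, RSTART + 5, RLENGTH - 5)
    }
    /^;; ANSWER SECTION:/ { in_answer = 1; next }
    in_answer && NF == 0  { in_answer = 0 }
    in_answer             { print "answer=" $4 " ttl=" $2 }
    END { print "edns=" (edns ? "yes" : "no") }
  '
}

# Constructed sample: reply to a "+dnssec" query via a validating resolver.
sample_dnssec() {
  cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
www.example.org.  300  IN  A      192.0.2.10
www.example.org.  300  IN  RRSIG  A 13 3 300 (constructed-signature)
EOF
}

# Constructed sample: the same query repeated with "+noedns".
sample_noedns() {
  cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.example.org.  287  IN  A  192.0.2.10
EOF
}
```

Running the two samples side by side shows the pattern to look for in the lab: the +noedns reply has no OPT line at all, while the +dnssec reply carries do in the OPT flags and an extra RRSIG record in the answer.
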
===
DOC
===

1. Install the doc-2.2.3 package

    $ sudo pkg install doc
    Updating FreeBSD repository catalog...
    (wait for a moment)

    (pkg itself needs to be updated, so just answer 'y')

    (answer 'y' again to install doc-2.2.3)

2. Using 'doc' to validate domain structure:

   Run each command and note the "Summary:" part of the output.
   Did you find any domains with "Warning" or "Error"?

   NOTE: Each of these commands creates log.domainname in the current working
   directory, so please make sure you are under your home directory.

   $ doc domain-of-your-org
   $ doc some-subdomain-of-above
   $ doc ees.kyushu-u.ac.jp  (an example with error)

   If you find a warning or an error, check the content of the log file:

   $ less log.domainname

   Try to find out what the problem with the domain is.

========
Clean-up
========

1. Revert the modification of /etc/resolv.conf

    $ sudo ee /etc/resolv.conf
or
    $ sudo vi /etc/resolv.conf

---- Before
search dns.nsrc.org
#nameserver 10.10.0.230
nameserver 10.10.0.241

---- After
search dns.nsrc.org
nameserver 10.10.0.230
#nameserver 10.10.0.241
