| 1 | DNS Exercise 1 |
|---|
| 2 | -------------- |
|---|
| 3 | |
|---|
| 4 | =========== |
|---|
| 5 | Preparation |
|---|
| 6 | =========== |
|---|
| 7 | |
|---|
| 8 | 1. Log in using SSH/Putty/... to your RESOLVER machine: |
|---|
| 9 | |
|---|
| 10 | (i.e. for group 1, you would use resolv.grp1.dns.nsrc.org) |
|---|
| 11 | |
|---|
| 12 | $ ssh sysadm@resolv.grpXX.dns.nsrc.org |
|---|
| 13 | |
|---|
| 14 | *** PLEASE MAKE SURE YOU ARE LOGGED IN TO YOUR 'RESOLV' MACHINE, AND *** |
|---|
| 15 | *** NOT IN YOUR 'AUTH1' or 'AUTH2' *** |
|---|
| 16 | |
|---|
| 17 | 2. On your RESOLVER machine, modify /etc/resolv.conf temporarily |
|---|
| 18 | to point 10.10.0.241 for this exercise |
|---|
| 19 | |
|---|
| 20 | $ sudo ee /etc/resolv.conf |
|---|
| 21 | or |
|---|
| 22 | $ sudo vi /etc/resolv.conf |
|---|
| 23 | |
|---|
| 24 | ---- Before |
|---|
| 25 | search dns.nsrc.org |
|---|
| 26 | nameserver 10.10.0.230 |
|---|
| 27 | |
|---|
| 28 | ---- After |
|---|
| 29 | search dns.nsrc.org |
|---|
| 30 | #nameserver 10.10.0.230 |
|---|
| 31 | nameserver 10.10.0.241 |
|---|
| 32 | |
|---|
| 33 | === |
|---|
| 34 | DIG |
|---|
| 35 | === |
|---|
| 36 | |
|---|
| 37 | 1. Issue DNS queries using 'dig': |
|---|
| 38 | |
|---|
| 39 | 1a. Run each command, look for the ANSWER section and write down the result. |
|---|
| 40 | Make a note the TTL as well. |
|---|
| 41 | |
|---|
| 42 | Repeat the command. Is the TTL the same? Are the responses Authoritative? |
|---|
| 43 | |
|---|
| 44 | RESULT 1 RESULT 2 |
|---|
| 45 | -------- -------- |
|---|
| 46 | $ dig your-favorite-domain a |
|---|
| 47 | $ dig www.google.com. a |
|---|
| 48 | $ dig afnog.org. mx |
|---|
| 49 | $ dig NonExistentDomain.sometld any |
|---|
| 50 | $ dig tiscali.co.uk. txt |
|---|
| 51 | $ dig www.afrinic.net aaaa |
|---|
| 52 | $ dig ipv6.google.com aaaa |
|---|
| 53 | |
|---|
| 54 | 1b. Now send some queries to another caching server. |
|---|
| 55 | |
|---|
| 56 | (Run each of the following twice, and note the time in ms for each attempt) |
|---|
| 57 | |
|---|
| 58 | $ dig @8.8.8.8 news.bbc.co.uk. a |
|---|
| 59 | $ dig @resolver1.opendns.com yahoo.com. a |
|---|
| 60 | $ dig @<a server of your choice> <domain of your choice> a |
|---|
| 61 | |
|---|
| 62 | How long did it take each answer to be received? (on the first, and |
|---|
| 63 | on the second lookup) |
|---|
| 64 | |
|---|
| 65 | 2. Reverse DNS lookups |
|---|
| 66 | |
|---|
| 67 | Now try some reverse DNS lookups. |
|---|
| 68 | |
|---|
| 69 | $ dig -x 10.10.X.1 |
|---|
| 70 | $ dig -x 10.10.X.2 |
|---|
| 71 | $ dig -x 10.10.X.3 |
|---|
| 72 | |
|---|
| 73 | ... where X is an IP address in the range 1-25 |
|---|
| 74 | |
|---|
| 75 | Repeat for an IP address of your choice, on the Internet |
|---|
| 76 | |
|---|
| 77 | Now try to lookup: |
|---|
| 78 | |
|---|
| 79 | $ dig 1.X.10.10.in-addr.arpa. PTR |
|---|
| 80 | |
|---|
| 81 | ... where X is in the range 1-25. |
|---|
| 82 | |
|---|
| 83 | What do you notice ? |
|---|
| 84 | |
|---|
| 85 | Let's try IPv6 now: |
|---|
| 86 | |
|---|
| 87 | $ dig -x 2001:42d0::200:2:1 |
|---|
| 88 | |
|---|
| 89 | What are the differences you can observe in the results, between reverse |
|---|
| 90 | DNS for IPv6 and IPv4 addresses ? |
|---|
| 91 | |
|---|
| 92 | 3. DNSSEC & EDNS0 |
|---|
| 93 | |
|---|
| 94 | Try some of the queries above, this time add the "+noedns" option. |
|---|
| 95 | (From dig 9.9, EDNS0 is set by default) |
|---|
| 96 | |
|---|
| 97 | For example: |
|---|
| 98 | |
|---|
| 99 | $ dig www.icann.org +noedns |
|---|
| 100 | |
|---|
| 101 | Notice the absence of OPT PSEUDOSECTION, at the top of the output ? |
|---|
| 102 | |
|---|
| 103 | What do you notice about the flags: section in the OPT section ? |
|---|
| 104 | |
|---|
| 105 | Let's explicitly enable the BUFSIZE option, but not EDNS0: |
|---|
| 106 | |
|---|
| 107 | $ dig www.icann.org +bufsize=1024 |
|---|
| 108 | |
|---|
| 109 | Notice that EDNS is set automatically, and notice the udp: size section |
|---|
| 110 | in the OPT pseudosection. |
|---|
| 111 | |
|---|
| 112 | Now, let's try and retrieve DNSSEC records: |
|---|
| 113 | |
|---|
| 114 | $ dig isoc.org DNSKEY |
|---|
| 115 | $ dig www.isoc.org RRSIG |
|---|
| 116 | |
|---|
| 117 | And finally, let's ask the DNS servers to perform DNSSEC validation: |
|---|
| 118 | |
|---|
| 119 | $ dig www.isoc.org A +dnssec |
|---|
| 120 | $ dig isoc.org NS +dnssec |
|---|
| 121 | |
|---|
| 122 | Do you notice a new field in the "flags:" section of the answer ? |
|---|
| 123 | |
|---|
| 124 | $ dig www.isoc.org A |
|---|
| 125 | $ dig isoc.org NS |
|---|
| 126 | |
|---|
| 127 | Compare with doing dig WITHOUT the +dnssec option: |
|---|
| 128 | |
|---|
| 129 | === |
|---|
| 130 | DOC |
|---|
| 131 | === |
|---|
| 132 | |
|---|
| 133 | 1. Install doc-2.2.3 package |
|---|
| 134 | |
|---|
| 135 | $ sudo pkg install doc |
|---|
| 136 | Updating FreeBSD repository catalog... |
|---|
| 137 | (wait for a moment) |
|---|
| 138 | |
|---|
| 139 | (pkg itself needs to be updated, so just answer 'y') |
|---|
| 140 | |
|---|
| 141 | (answer 'y' again to install doc-2.2.3) |
|---|
| 142 | |
|---|
| 143 | 2. Using 'doc' to validate domain structure: |
|---|
| 144 | |
|---|
| 145 | Run each command and note "Summary:" part of the output. |
|---|
| 146 | Did you find any domains with "Warning" or "Error" ? |
|---|
| 147 | |
|---|
| 148 | NOTE: Each of these commands creates log.domainname in the current working |
|---|
| 149 | directory, so please make sure you are under your home directory. |
|---|
| 150 | |
|---|
| 151 | $ doc domain-of-your-org |
|---|
| 152 | $ doc some-subdomain-of-above |
|---|
| 153 | $ doc ees.kyushu-u.ac.jp (an example with error) |
|---|
| 154 | |
|---|
| 155 | If you find warning or error, check the content of the log file: |
|---|
| 156 | |
|---|
| 157 | $ less log.domainname |
|---|
| 158 | |
|---|
| 159 | Try to find what is the problem of the domain. |
|---|
| 160 | |
|---|
| 161 | ======== |
|---|
| 162 | Clean-up |
|---|
| 163 | ======== |
|---|
| 164 | |
|---|
| 165 | 1. Revert the modification of /etc/resolv.conf |
|---|
| 166 | |
|---|
| 167 | $ sudo ee /etc/resolv.conf |
|---|
| 168 | or |
|---|
| 169 | $ sudo vi /etc/resolv.conf |
|---|
| 170 | |
|---|
| 171 | ---- Before |
|---|
| 172 | search dns.nsrc.org |
|---|
| 173 | #nameserver 10.10.0.230 |
|---|
| 174 | nameserver 10.10.0.241 |
|---|
| 175 | |
|---|
| 176 | ---- After |
|---|
| 177 | search dns.nsrc.org |
|---|
| 178 | nameserver 10.10.0.230 |
|---|
| 179 | #nameserver 10.10.0.241 |
|---|
| 180 | |
|---|