1 | DNS Exercise 1 |
---|
2 | -------------- |
---|
3 | |
---|
4 | =========== |
---|
5 | Preparation |
---|
6 | =========== |
---|
7 | |
---|
8 | 1. Log in using SSH/Putty/... to your RESOLVER machine: |
---|
9 | |
---|
10 | (i.e. for group 1, you would use resolv.grp1.dns.nsrc.org) |
---|
11 | |
---|
12 | $ ssh sysadm@resolv.grpXX.dns.nsrc.org |
---|
13 | |
---|
14 | *** PLEASE MAKE SURE YOU ARE LOGGED IN TO YOUR 'RESOLV' MACHINE, AND *** |
---|
15 | *** NOT IN YOUR 'AUTH1' or 'AUTH2' *** |
---|
16 | |
---|
17 | 2. On your RESOLVER machine, modify /etc/resolv.conf temporarily |
---|
18 | to point 10.10.0.241 for this exercise |
---|
19 | |
---|
20 | $ sudo ee /etc/resolv.conf |
---|
21 | or |
---|
22 | $ sudo vi /etc/resolv.conf |
---|
23 | |
---|
24 | ---- Before |
---|
25 | search dns.nsrc.org |
---|
26 | nameserver 10.10.0.230 |
---|
27 | |
---|
28 | ---- After |
---|
29 | search dns.nsrc.org |
---|
30 | #nameserver 10.10.0.230 |
---|
31 | nameserver 10.10.0.241 |
---|
32 | |
---|
33 | === |
---|
34 | DIG |
---|
35 | === |
---|
36 | |
---|
37 | 1. Issue DNS queries using 'dig': |
---|
38 | |
---|
39 | 1a. Run each command, look for the ANSWER section and write down the result. |
---|
40 | Make a note the TTL as well. |
---|
41 | |
---|
42 | Repeat the command. Is the TTL the same? Are the responses Authoritative? |
---|
43 | |
---|
44 | RESULT 1 RESULT 2 |
---|
45 | -------- -------- |
---|
46 | $ dig your-favorite-domain a |
---|
47 | $ dig www.google.com. a |
---|
48 | $ dig afnog.org. mx |
---|
49 | $ dig NonExistentDomain.sometld any |
---|
50 | $ dig tiscali.co.uk. txt |
---|
51 | $ dig www.afrinic.net aaaa |
---|
52 | $ dig ipv6.google.com aaaa |
---|
53 | |
---|
54 | 1b. Now send some queries to another caching server. |
---|
55 | |
---|
56 | (Run each of the following twice, and note the time in ms for each attempt) |
---|
57 | |
---|
58 | $ dig @8.8.8.8 news.bbc.co.uk. a |
---|
59 | $ dig @resolver1.opendns.com yahoo.com. a |
---|
60 | $ dig @<a server of your choice> <domain of your choice> a |
---|
61 | |
---|
62 | How long did it take each answer to be received? (on the first, and |
---|
63 | on the second lookup) |
---|
64 | |
---|
65 | 2. Reverse DNS lookups |
---|
66 | |
---|
67 | Now try some reverse DNS lookups. |
---|
68 | |
---|
69 | $ dig -x 10.10.X.1 |
---|
70 | $ dig -x 10.10.X.2 |
---|
71 | $ dig -x 10.10.X.3 |
---|
72 | |
---|
73 | ... where X is an IP address in the range 1-25 |
---|
74 | |
---|
75 | Repeat for an IP address of your choice, on the Internet |
---|
76 | |
---|
77 | Now try to lookup: |
---|
78 | |
---|
79 | $ dig 1.X.10.10.in-addr.arpa. PTR |
---|
80 | |
---|
81 | ... where X is in the range 1-25. |
---|
82 | |
---|
83 | What do you notice ? |
---|
84 | |
---|
85 | Let's try IPv6 now: |
---|
86 | |
---|
87 | $ dig -x 2001:42d0::200:2:1 |
---|
88 | |
---|
89 | What are the differences you can observe in the results, between reverse |
---|
90 | DNS for IPv6 and IPv4 addresses ? |
---|
91 | |
---|
92 | 3. DNSSEC & EDNS0 |
---|
93 | |
---|
94 | Try some of the queries above, this time add the "+noedns" option. |
---|
95 | (From dig 9.9, EDNS0 is set by default) |
---|
96 | |
---|
97 | For example: |
---|
98 | |
---|
99 | $ dig www.icann.org +noedns |
---|
100 | |
---|
101 | Notice the absence of OPT PSEUDOSECTION, at the top of the output ? |
---|
102 | |
---|
103 | What do you notice about the flags: section in the OPT section ? |
---|
104 | |
---|
105 | Let's explicitly enable the BUFSIZE option, but not EDNS0: |
---|
106 | |
---|
107 | $ dig www.icann.org +bufsize=1024 |
---|
108 | |
---|
109 | Notice that EDNS is set automatically, and notice the udp: size section |
---|
110 | in the OPT pseudosection. |
---|
111 | |
---|
112 | Now, let's try and retrieve DNSSEC records: |
---|
113 | |
---|
114 | $ dig isoc.org DNSKEY |
---|
115 | $ dig www.isoc.org RRSIG |
---|
116 | |
---|
117 | And finally, let's ask the DNS servers to perform DNSSEC validation: |
---|
118 | |
---|
119 | $ dig www.isoc.org A +dnssec |
---|
120 | $ dig isoc.org NS +dnssec |
---|
121 | |
---|
122 | Do you notice a new field in the "flags:" section of the answer ? |
---|
123 | |
---|
124 | $ dig www.isoc.org A |
---|
125 | $ dig isoc.org NS |
---|
126 | |
---|
127 | Compare with doing dig WITHOUT the +dnssec option: |
---|
128 | |
---|
129 | === |
---|
130 | DOC |
---|
131 | === |
---|
132 | |
---|
133 | 1. Install doc-2.2.3 package |
---|
134 | |
---|
135 | $ sudo pkg install doc |
---|
136 | Updating FreeBSD repository catalog... |
---|
137 | (wait for a moment) |
---|
138 | |
---|
139 | (pkg itself needs to be updated, so just answer 'y') |
---|
140 | |
---|
141 | (answer 'y' again to install doc-2.2.3) |
---|
142 | |
---|
143 | 2. Using 'doc' to validate domain structure: |
---|
144 | |
---|
145 | Run each command and note "Summary:" part of the output. |
---|
146 | Did you find any domains with "Warning" or "Error" ? |
---|
147 | |
---|
148 | NOTE: Each of these commands creates log.domainname in the current working |
---|
149 | directory, so please make sure you are under your home directory. |
---|
150 | |
---|
151 | $ doc domain-of-your-org |
---|
152 | $ doc some-subdomain-of-above |
---|
153 | $ doc ees.kyushu-u.ac.jp (an example with error) |
---|
154 | |
---|
155 | If you find warning or error, check the content of the log file: |
---|
156 | |
---|
157 | $ less log.domainname |
---|
158 | |
---|
159 | Try to find what is the problem of the domain. |
---|
160 | |
---|
161 | ======== |
---|
162 | Clean-up |
---|
163 | ======== |
---|
164 | |
---|
165 | 1. Revert the modification of /etc/resolv.conf |
---|
166 | |
---|
167 | $ sudo ee /etc/resolv.conf |
---|
168 | or |
---|
169 | $ sudo vi /etc/resolv.conf |
---|
170 | |
---|
171 | ---- Before |
---|
172 | search dns.nsrc.org |
---|
173 | #nameserver 10.10.0.230 |
---|
174 | nameserver 10.10.0.241 |
---|
175 | |
---|
176 | ---- After |
---|
177 | search dns.nsrc.org |
---|
178 | nameserver 10.10.0.230 |
---|
179 | #nameserver 10.10.0.241 |
---|
180 | |
---|