DNS Exercise 1
--------------

===========
Preparation
===========

1. Log in using SSH/Putty/... to your RESOLVER machine:
   (e.g. for group 1, you would use resolv.grp1.dns.nsrc.org)

    $ ssh sysadm@resolv.grpXX.dns.nsrc.org

   *** PLEASE MAKE SURE YOU ARE LOGGED IN TO YOUR 'RESOLV' MACHINE, AND ***
   *** NOT IN YOUR 'AUTH1' or 'AUTH2'                                   ***

2. On your RESOLVER machine, modify /etc/resolv.conf temporarily to point
   to 10.10.0.241 for this exercise

    $ sudo ee /etc/resolv.conf
   or
    $ sudo vi /etc/resolv.conf

   ---- Before
   search dns.nsrc.org
   nameserver 10.10.0.230

   ---- After
   search dns.nsrc.org
   #nameserver 10.10.0.230
   nameserver 10.10.0.241

===
DIG
===

1. Issue DNS queries using 'dig':

1a. Run each command, look for the ANSWER section and write down the result.
    Make a note of the TTL as well.

    Repeat the command. Is the TTL the same?
    Are the responses Authoritative?

                                          RESULT 1        RESULT 2
                                          --------        --------
    $ dig your-favorite-domain a
    $ dig www.google.com. a
    $ dig afnog.org. mx
    $ dig NonExistentDomain.sometld any
    $ dig tiscali.co.uk. txt
    $ dig www.afrinic.net aaaa
    $ dig ipv6.google.com aaaa

1b. Now send some queries to another caching server.
    (Run each of the following twice, and note the time in ms for each attempt)

    $ dig @8.8.8.8 news.bbc.co.uk. a
    $ dig @resolver1.opendns.com yahoo.com. a
    $ dig @ a

    How long did it take for each answer to be received?
    (on the first, and on the second lookup)

2. Reverse DNS lookups

   Now try some reverse DNS lookups.

    $ dig -x 10.10.X.1
    $ dig -x 10.10.X.2
    $ dig -x 10.10.X.3

   ... where X is in the range 1-25

   Repeat for an IP address of your choice, on the Internet.

   Now try to look up:

    $ dig 1.X.10.10.in-addr.arpa. PTR

   ... where X is in the range 1-25.

   What do you notice?

   Let's try IPv6 now:

    $ dig -x 2001:42d0::200:2:1

   What are the differences you can observe in the results, between
   reverse DNS for IPv6 and IPv4 addresses?

3. DNSSEC & EDNS0

   Try some of the queries above, this time adding the "+noedns" option.
   (From dig 9.9, EDNS0 is set by default)

   For example:

    $ dig www.icann.org +noedns

   Notice the absence of the OPT PSEUDOSECTION at the top of the output?

   What do you notice about the flags: section in the OPT section?

   Let's explicitly enable the BUFSIZE option, but not EDNS0:

    $ dig www.icann.org +bufsize=1024

   Notice that EDNS is set automatically, and notice the udp: size
   section in the OPT pseudosection.

   Now, let's try and retrieve DNSSEC records:

    $ dig isoc.org DNSKEY
    $ dig www.isoc.org RRSIG

   And finally, let's ask the DNS servers to perform DNSSEC validation:

    $ dig www.isoc.org A +dnssec
    $ dig isoc.org NS +dnssec

   Do you notice a new field in the "flags:" section of the answer?

   Compare with doing dig WITHOUT the +dnssec option:

    $ dig www.isoc.org A
    $ dig isoc.org NS

===
DOC
===

1. Install the doc-2.2.3 package

    $ sudo pkg install doc
    Updating FreeBSD repository catalog...
    (wait for a moment)
    (pkg itself needs to be updated, so just answer 'y')
    (answer 'y' again to install doc-2.2.3)

2. Using 'doc' to validate domain structure:

   Run each command and note the "Summary:" part of the output.
   Did you find any domains with "Warning" or "Error"?

   NOTE: Each of these commands creates log.domainname in the current
   working directory, so please make sure you are under your home directory.

    $ doc domain-of-your-org
    $ doc some-subdomain-of-above
    $ doc ees.kyushu-u.ac.jp        (an example with error)

   If you find a warning or error, check the content of the log file:

    $ less log.domainname

   Try to find out what the problem with the domain is.

========
Clean-up
========

1. Revert the modification of /etc/resolv.conf

    $ sudo ee /etc/resolv.conf
   or
    $ sudo vi /etc/resolv.conf

   ---- Before
   search dns.nsrc.org
   #nameserver 10.10.0.230
   nameserver 10.10.0.241

   ---- After
   search dns.nsrc.org
   nameserver 10.10.0.230
   #nameserver 10.10.0.241
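
For the TTL, authoritative-answer and flags questions in the DIG section, the helper below (an added example, not part of the original exercise) condenses dig output into one line per query so repeated runs can be compared side by side. The function names and both sample outputs, including the 192.0.2.10 address, are constructed for illustration; real output can be piped in, e.g. `dig www.isoc.org A +dnssec | dig_summary`.

```shell
# Summarise dig output read on stdin: header status, the aa (authoritative)
# and ad (authenticated data) flags, EDNS0 OPT details and ANSWER TTLs.
dig_summary() {
    awk '
    function has(f, x) { return index(" " f " ", " " x " ") ? "yes" : "no" }
    /^;; ->>HEADER<<-/    { st = $6; sub(/,$/, "", st) }
    /^;; flags:/          { fl = $0; sub(/^;; flags: */, "", fl); sub(/;.*/, "", fl) }
    /^; EDNS:/            { edns = 1; udp = $NF; if ($0 ~ /flags:[^;]*do/) dobit = 1 }
    /^;; ANSWER SECTION:/ { in_ans = 1; next }
    /^$/ || /^;;/         { in_ans = 0 }
    in_ans                { ttl = (ttl == "" ? "" : ttl ",") $2 }
    END {
        printf "status=%s aa=%s ad=%s edns=%s do=%s udp=%s ttl=%s\n", st,
            has(fl, "aa"), has(fl, "ad"), (edns ? "yes" : "no"),
            (dobit ? "yes" : "no"), (edns ? udp : "-"), (ttl == "" ? "-" : ttl)
    }'
}

# Constructed sample: first lookup, run with +noedns (no OPT pseudosection).
sample_noedns() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.isoc.org.     300     IN  A       192.0.2.10
EOF
}

# Constructed sample: repeat lookup answered from cache, run with +dnssec.
sample_dnssec() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
www.isoc.org.     287     IN  A       192.0.2.10
www.isoc.org.     287     IN  RRSIG   A 13 3 300 (constructed: signature omitted)
EOF
}

sample_noedns | dig_summary
sample_dnssec | dig_summary
```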