Track3Sec: 1.8_dns-bind-caching-setup.txt

File 1.8_dns-bind-caching-setup.txt, 4.3 KB (added by Fakrul Alam, 6 years ago)
Building a DNS cache with BIND
------------------------------

1. Check the version of BIND which is installed
-----------------------------------------------

    $ named -v
    BIND 9.x.x

    (you could also do: dig chaos txt version.bind @10.10.X.1)

2. Configure your AUTH1 host to accept queries from neighbors
-------------------------------------------------------------

Log in to your AUTH1 host if you haven't already done so
(auth1.grpX.dns.nsrc.org).

    ssh adm@10.10.X.1

Become root

    sudo bash

Edit the file /etc/namedb/named.conf (using vi or ee)

If it still exists, find the line:

    listen-on       { 127.0.0.1; };

... and REMOVE it.

Remove or comment out the line

    recursion no;

Add the following line:

    allow-recursion { 127.0.0.1; 10.10.0.0/16; };

Double check that there aren't any zones configured in your
DNS. For instance, if you see a line like the following:

    zone "10.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

... remove it

BUT leave

    zone "." {
         type hint;
         file "/etc/namedb/named.root";
    };

and save the file.


NOTE: Be careful about the semicolons ';' and braces { } - BIND
will complain if they are not placed correctly

By removing the line "listen-on ..." and adding the line
"allow-recursion", we are telling BIND:

- please listen to the network for queries, not only on
  the local interface "127.0.0.1";

- please allow clients in 10.10.0.0/16 to send queries
  to me, as well as myself;

3. Restart the cache and check it is running
--------------------------------------------

If you haven't done so earlier, edit `/etc/rc.conf` and add two lines saying:

    named_chrootdir=""
    named_enable="YES"

NOTE: We would normally not turn off chroot, which is a security
      mechanism, but we need to do this here in the lab, because of
      restrictions from the virtualization environment. In a production
      environment, we wouldn't do this.

Then run these commands:

    # service named stop
    # service named start
    # ps auxwww | grep named
    # tail /var/log/messages

Check for successful startup with no error messages (you can ignore errors
about missing `master/localhost.rev` and `master/localhost-v6.rev`, as well
as messages regarding managed-keys-zone)

4. Test resolution
------------------

Issue a query, for instance:

    $ dig @127.0.0.1 google.com NS
    $ dig @127.0.0.1 noc.ws.nsrc.org A

For each query:

1. Is the server responding?
2. How do you know that you are talking to your OWN server?
3. What do you notice?

If your neighbour has got their cache working, then try sending some queries
to their cache:

    $ dig @10.10.Z.1 somedomain.name

... where Z is the group number of your neighbour
and "somedomain.name" is the query you would like to perform.

Try and make some of the same queries you did before.
Do the nameservers of the other machines answer you?

Are you getting answers? What about for dns.nsrc.org?

Why?

Help your neighbours to get their cache working if required.

5. Watch the cache in operation
-------------------------------

You can take a snapshot of the cache contents like this:

    # ln -s /var/named/var/dump /var/dump
    # rndc dumpdb
    # less /var/named/var/dump/named_dump.db

(Don't do this on a busy cache - you will generate a huge dump file!)

You can watch the cache making queries to the outside world using
`tcpdump` in a different window (log in again via SSH):

    # tcpdump -n -s1500 -i eth0 udp port 53

If your ethernet interface isn't named `eth0`, then use the name of
your ethernet interface - e.g. `em0` or `bge0` - run "ifconfig" to find out
what your ethernet interface is named. CTRL-C to exit tcpdump.

While tcpdump is running, in the first window flush your cache (so it forgets
all existing data) and then issue some queries from another window.

    # rndc flush
    # dig @127.0.0.1 noc.ws.nsrc.org.   -- and watch the tcpdump output. What do you see?

    # dig @127.0.0.1 noc.ws.nsrc.org.   -- watch tcpdump again. This time?

NOTE: we have now enabled recursion in BIND! We will want to remember
this, and maybe turn off recursion later, since we have explained that
running recursive and authoritative on the same server is not a good
idea.

From named.conf remove:

    allow-recursion { 127.0.0.1; 10.10.0.0/16; };

and add:

    recursion no;

close the editor and restart the server:

    # service named restart

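As an added example (not part of the NSRC lab text), the following POSIX shell script checks a named.conf for the settings this exercise turns on in step 2 and back off in the final step: a listen-on still limited to 127.0.0.1, an allow-recursion ACL that is missing or open to any, and recursion left on alongside authoritative zones, which the NOTE above warns against. The three sample configurations, their file paths, and the sample_* and audit_named_conf function names are constructed for this example; it assumes the allow-recursion ACL is written on one line, as in the lab.

```shell
#!/bin/sh
# Added example, not part of the NSRC lab text: audit the recursion-related
# settings of a BIND named.conf read from stdin. It checks the points made in
# step 2 (listen-on, allow-recursion) and in the closing NOTE (do not run a
# recursive cache and authoritative zones on one server).
# Assumptions: the allow-recursion ACL is written on a single line, as in the
# lab; the file paths in the samples are constructed, not lab paths.

# Drop // and # comments so commented-out lines (e.g. "# recursion no;") are ignored.
strip_comments() {
    sed -e 's|//.*$||' -e 's|#.*$||'
}

# audit_named_conf < named.conf
# Prints one finding per line; exit status 0 = nothing to report, 1 = findings.
audit_named_conf() {
    conf=$(strip_comments)
    findings=0

    # Step 2 removes "listen-on { 127.0.0.1; };" so neighbours can reach the cache.
    if printf '%s\n' "$conf" | grep -Eq 'listen-on[[:space:]]*[{][[:space:]]*127\.0\.0\.1;[[:space:]]*[}]'; then
        echo "listen-on is limited to 127.0.0.1: only local queries will be answered"
        findings=$((findings + 1))
    fi

    # Recursion is on unless an uncommented "recursion no;" is present
    # ("allow-recursion" does not match because of the "-" in front of it).
    if printf '%s\n' "$conf" | grep -Eq '(^|[{;])[[:space:]]*recursion[[:space:]]+no[[:space:]]*;'; then
        recursive=no
    else
        recursive=yes
    fi

    if [ "$recursive" = yes ]; then
        # Extract what is inside the allow-recursion { ... } braces, if anything.
        acl=$(printf '%s\n' "$conf" | sed -n 's/.*allow-recursion[[:space:]]*{\([^}]*\)}.*/\1/p')
        if [ -z "$acl" ]; then
            echo "recursion is on with no allow-recursion ACL (BIND 9.4+ defaults to localhost and localnets; older releases answered anyone)"
            findings=$((findings + 1))
        elif printf '%s' "$acl" | grep -Eq '(^|[[:space:];])(any|0\.0\.0\.0/0|::/0)[[:space:]]*;'; then
            echo "allow-recursion permits the whole Internet: this is an open resolver"
            findings=$((findings + 1))
        fi
        # Closing NOTE of the lab: a recursive cache should not also be authoritative.
        if printf '%s\n' "$conf" | grep -Eq 'type[[:space:]]+(master|primary|slave|secondary)[[:space:]]*;'; then
            echo "recursion is on and authoritative zones are configured: cache and auth on one server"
            findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample 1: the cache as configured in step 2 of the lab.
sample_lab_conf() {
    cat <<'EOF'
options {
    directory "/etc/namedb";
    // listen-on { 127.0.0.1; };      removed in step 2
    # recursion no;                   commented out in step 2
    allow-recursion { 127.0.0.1; 10.10.0.0/16; };
};
zone "." {
    type hint;
    file "/etc/namedb/named.root";
};
EOF
}

# Constructed sample 2: what not to do, an open resolver that is also authoritative.
sample_open_conf() {
    cat <<'EOF'
options {
    directory "/etc/namedb";
    allow-recursion { any; };
};
zone "." { type hint; file "/etc/namedb/named.root"; };
zone "example.test" { type master; file "/etc/namedb/master/example.test.db"; };
EOF
}

# Constructed sample 3: the final state of the lab, recursion switched off again.
sample_final_conf() {
    cat <<'EOF'
options {
    directory "/etc/namedb";
    recursion no;
};
zone "example.test" { type master; file "/etc/namedb/master/example.test.db"; };
EOF
}

# Run the audit over the three samples; on the lab host you would instead run:
#   audit_named_conf < /etc/namedb/named.conf
for s in sample_lab_conf sample_open_conf sample_final_conf; do
    echo "== $s"
    "$s" | audit_named_conf && echo "(no findings)"
done
```

Run it after each edit of named.conf; it only looks at the recursion settings, so named-checkconf is still the tool for catching the misplaced semicolons and braces the NOTE in step 2 mentions.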
168