Track3Sec: 1.8_dns-bind-caching-setup.txt

Building a DNS cache with BIND
------------------------------

1. Check the version of BIND which is installed
-----------------------------------------------

    $ named -v
    BIND 9.x.x

    (you could also do: dig chaos txt version.bind @10.10.X.1)

2. Configure your AUTH1 host to accept queries from neighbors
-------------------------------------------------------------

Log in to your AUTH1 host if you haven't already done so
(auth1.grpX.dns.nsrc.org).

        ssh adm@10.10.X.1

Become root

        sudo bash

Edit the file /etc/namedb/named.conf (using vi or ee)

If it still exsist, find the line:

        listen-on       { 127.0.0.1; };

... and REMOVE.

Remove or comment out the line

       recursion no;

Add the following line:

        allow-recursion { 127.0.0.1; 10.10.0.0/16; };

Double check to see that there aren't any zones configured in your
DNS. For instance, if you see a line like follows:

        zone "10.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

... remove them

BUT leave

        zone "." {
             type hint;
             file "/etc/namedb/named.root";
        };

and save the file.


NOTE: Be careful about the semicolons ';' and braces { } - BIND
will complain if they are not placed correctly

By removing the line "listen-on ..." and adding the line
"allow-recursion", we are telling BIND:

- please listen to the network for queries, not only on
  the local interface "127.0.0.1";

- please allow clients in the 10.10.0.0/16 to send queries
  to me, as well as myself;

3. Restart the cache and check it is running
--------------------------------------------

If you haven't done so earlier, edit `/etc/rc.conf` and add two lines saying:

        named_chrootdir=""
        named_enable="YES"

NOTE: We would normally not turn off chroot, which is a security
      mechanism, but we need to do this here in the lab, because of
      restrictions from the virtualization environment. In a production
      environment, we wouldn't do this.

Then run these commands:

    # service named stop
    # service named start
    # ps auxwww | grep named
    # tail /var/log/messages

Check for successful startup with no error messages (you can ignore errors
about missing `master/localhost.rev` and `master/localhost-v6.rev`, as well
as messages regarding managed-keys-zone)

4. Test resolution
------------------

Issue a query, for instance:

        $ dig @127.0.0.1 google.com NS
        $ dig @127.0.0.1 noc.ws.nsrc.org A

For each query:

1. Is the server responding ?
2. How do you know that you are talking to your OWN server ?
3. What do you notice ?

If your neighbour has got their cache working, then try sending some queries
to their cache:

    $ dig @10.10.Z.1 somedomain.name

... where ZZZ is the group number of your neighbour 
and "somedomain.name" is the query you would like to perform.

Try and make some of the same queries you did before.  
Do the nameservers of the other machines answer you ?

Are you getting answers ? What about for dns.nsrc.org ?

Why ?

Help your neighbours to get their cache working if required.

5. Watch the cache in operation
-------------------------------

You can take a snapshot of the cache contents like this:

    # ln -s /var/named/var/dump /var/dump
    # rndc dumpdb
    # less /var/named/var/dump/named_dump.db

(Don't do this on a busy cache - you will generate a huge dump file!)

You can watch the cache making queries to the outside world using
`tcpdump` in a different window (log in again via SSH):

    # tcpdump -n -s1500 -i eth0 udp port 53

If your ethernet interface isn't named `eth0`, then use the name of
your ethernet interface - e.g. `em0` or `bge0` - run "ifconfig" to find out
what your ethernet interface is named. CTRL-C to exit tcpdump.

While tcpdump is running, in the first window flush your cache (so it forgets
all existing data) and then issue some queries from another window.

    # rndc flush
    # dig @127.0.0.1 noc.ws.nsrc.org.   -- and watch tcpdump output. What do you see?

    # dig @127.0.0.1 noc.ws.nsrc.org.   -- watch tcpdump again. This time?

NOTE: that we now have enabled BIND to be recursive! So we will want
to remember this, and maybe turn off recursion later, since we have
explained that running recursive and authoritative on the same server
is not a good idea.

From named.conf remove:

    # allow-recursion { 127.0.0.1; 10.10.0.0/16; };

and add:

    # recursion no;

close the editor and restart the server:

    # service named restart