Coredump

Work, play, and everything in-between.


BIND in a jiffy


I’m coaching a new engineer on Linux- and systems administration-related tasks. Here’s a set of exercises I did for DNS.

  1. Install BIND. By default, what packages does Red Hat (RH) install? How would you find out? Hint: `man rpm`.
  2. View the configuration file /etc/named.conf. Describe what each section is for:
    1. options { }
    2. controls { }
    3. key "rndc_key" { }
    4. zone "." { }
    5. zone "0.0.127.in-addr.arpa" { }
  3. What is the /var/named/named.ca file? How do you update this file? Hint: `dig` it up.
  4. Describe the function of each record in /var/named/named.local:
    1. SOA
    2. NS
    3. PTR

    Notice the ‘.’ at the end of the domain name? What is it for? What will happen if you take it out?

  5. Configure your box to use your recently installed DNS server.
    1. Edit /etc/resolv.conf. Add your nameserver. (Don’t forget to restart the networking service.)
    2. Start BIND. How? What would you check to see if BIND starts at boot?
    3. Test your nameserver. Hint: `man dig`.
    4. Do a DNS lookup for an external domain:
      $ dig google.com
      $ dig google.com
      

      What’s the difference between the two commands above? Hint: It has something to do with the way DNS works.

  6. Create your own domain. How will you do that? Hint: Copy, edit and rename named.local.
    1. Create a new zone in named.conf.
    2. Edit the zone file. It should contain something like this:
      ; Zone - iandexter.net
      $TTL 3D
      @   IN   SOA   hiraya.iandexter.net. hostname.iandexter.net. (
         20060901   ; serial
         8H      ; refresh
         2H      ; retry
         4W      ; expire
         1D)      ; minimum
      ;
         NS   hiraya.   ; name server
         MX   5 padme.iandexter.net
         MX   10 arwen.iandexter.net.
         MX   15 eowyn.iandexter.net.
         MX   20 mail.
      ;
      localhost   A   127.0.0.1
      hiraya   A   192.168.1.101
      ns   CNAME   hiraya
      mail   CNAME   hiraya
      pop   CNAME   hiraya
      www   CNAME   hiraya
      proxy   CNAME   hiraya
      ftp   CNAME   hiraya
      padme   A   192.168.1.51
      arwen   A   192.168.1.150
      eowyn   A   192.168.1.153
      

      Explain what each of the following means:

      1. A
      2. MX (what about the number beside it?)
      3. CNAME
      4. serial
      5. refresh
      6. retry
      7. expire
      8. minimum
      9. TTL
    3. Restart BIND.
      # rndc reload
  7. Test your new domain.
    $ dig any your.domain

    What do you notice? Hint: Something’s awfully wrong. (Look at step 4 above.) Correct it, then test your domain again.

    # rndc reload; dig axfr your.domain
  8. Create a reverse zone. Why do you need it? You should have something like this:
    ; Reverse zone - 1.168.192
    $TTL 3d
    @   IN   SOA   hiraya.iandexter.net. hostmaster.iandexter.net. (
       20060901   ; serial
       8H      ; refresh
       2H      ; retry
       4W      ; expire
       1D)      ; minimum
    ;
       NS   hiraya.iandexter.net.
    ;
    101   PTR   hiraya.iandexter.net.
    102   PTR   mithi.iandexter.net.
    150   PTR   arwen.iandexter.net.
    151   PTR   padme.iandexter.net.
    152   PTR   mathilda.iandexter.net.
    153   PTR   eowyn.iandexter.net.
    154   PTR   evey.iandexter.net.
    155   PTR   galadriel.
    

    Notice the last line above: it’s just another way of writing it — saves typing, too. Test your reverse zone.

    # rndc reload; dig -x your.server.ip
    # dig axfr your.reverse.zone
    
  9. Test your new domain on another machine.
    1. In Windows, add your nameserver in the DNS list. Try to look up records in your domain.

      C:\> nslookup
      > server your.nameserver.ip
      > set type=all
      > your.domain
      
    2. Ping your nameserver (or hosts you have added to that zone) using fully qualified domain names.
  10. Secure your nameserver.
    1. Refuse queries from anyone outside your own servers or subnet, except for the domains you own.
    2. Disable recursive queries, except internally.
    3. By default, RH runs BIND in a chroot jail. Why?
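
Step 10 expressed in named.conf terms, as an added example that is not part of the original post. The ACL name `internal`, the zone file names and the secondary at 192.168.1.102 are assumptions; the 192.168.1.0/24 range matches the addresses used in the zone files above.

```conf
// Added example for step 10; not from the original post.
// "internal", the file names and 192.168.1.102 are assumptions.

// WEAK: no ACLs at all. Anyone on the Internet can use this box as a
// recursive resolver and pull full copies of every zone with AXFR.
// options {
//     directory "/var/named";
//     recursion yes;
// };

acl "internal" {
    127.0.0.1;          // the server itself
    192.168.1.0/24;     // the LAN the zones above describe
};

options {
    directory "/var/named";

    // Authoritative answers for our own zones may be served to anyone...
    allow-query { any; };

    // ...but only internal hosts may ask us to recurse (step 10.2).
    recursion yes;
    allow-recursion { internal; };

    // Zone transfers only to internal hosts; overridden per zone below.
    allow-transfer { internal; };

    // Don't hand the exact BIND build to anyone who asks for it.
    version "not disclosed";
};

zone "iandexter.net" {
    type master;
    file "iandexter.net.zone";
    // Tighter still: only the assumed secondary may AXFR this zone.
    allow-transfer { 192.168.1.102; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "1.168.192.in-addr.arpa.zone";
    allow-transfer { 192.168.1.102; };
};
```

Run `named-checkconf /etc/named.conf` before `rndc reload`; from a host outside the subnet, `dig @your.nameserver.ip google.com` should no longer be answered, while `dig @your.nameserver.ip hiraya.iandexter.net` and `dig axfr` from the secondary still work.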

Bonus question:
Why go through all this trouble when you can have Linux (even Windows, actually) resolve hostnames to their IP addresses? How do you do that?

Written by Ian Dexter

September 1st, 2006 at 3:38 pm

Posted in Work
