[CoursDNS/TP-ServeurDNS/TP_eng.html] June 2006
Pascal Hennequin
DNS LAB
Search first in Documents and Links before
asking any question of the "local DNS guru".
Part 1: Exploring the Domain Name System with DIG tool
Objectives:
- Growing familiar with the worldwide DNS: exploring zone information,
delegation of zones, iterative and recursive resolution,
caching of DNS data, ...
- Testing capabilities of DIG command to be able to use it
as a debugging and testing tool when setting up a DNS service.
- Looking at "Everything you always wanted to know about" DNS ...
Hints:
- Look at local file /etc/resolv.conf (configuration of
local recursive DNS servers)
- Don't forget to end domain name with a dot (FQDN)
- Some useful options of dig:
- @server, -x, +trace, +norecurse, +nssearch, +multiline (for SOA) ...
- and query types: AXFR, ANY, NS, SOA ...
- see also dig(1) man page
- Some useful information in dig results: flags aa and ra, status, Query time, SERVER ...
- Some DNS servers (authoritative and/or recursive):
- diamant.int-evry.fr. master for int-evry.fr. and 159.157.in-addr.arpa.
- zeratul.ipv6.int-evry.fr. master for ipv6.int-evry.fr. and 3.0.2.3.0.6.6.0.1.0.0.2.ip6.arpa.
- alambix.int-evry.fr. master for DNSSEC zone
int-evry.caddisc.enst.idsa.prd.fr.
- bonemine.int-evry.fr. Cache-only, DNSSEC-aware (trust se. and int-evry.caddisc.enst.idsa.prd.fr.)
- hugo.int-evry.fr. slave for previous zones
- NB: alambix, bonemine and zeratul are IPv4/IPv6 and genuinely honour the
dig +dnssec option.
Some questions to motivate your imagination:
- Who are the DNS root?
- How many choices of DNS server are there during the iterative
resolution of the IP (v4/v6) addresses of host alambix.ipv6.int-evry.fr.?
Is it different for resolution from a general host and from an INT host?
- Check the correctness of the delegation of the following zones:
xorg.org.,
fleximage.fr.,
u-bordeaux2.fr.,
enst.fr.,
transilien.com.,
every1.net.,
ibank.co.uk.,
115.108.192.in-addr.arpa.,
231.80.in-addr.arpa.
- Try to draw the DNS tree under int-evry.fr. (which domains? which zones?).
Do the same for the enst-bretagne.fr. tree, and again if someone mentions dedale.ipv6.rennes.enst-bretagne.fr..
- How many entries are there in zone int-evry.fr.? Which record types? ...
- Find IP address of a distant host using only dig +norecurse requests. Link with dig +trace option?
- Where does mail addressed to xxx@int-evry.fr go? Same question for xxx@foobar.int-evry.fr, xxx@mailfax.int-evry.fr and xxx@hugo.int-evry.fr. In the last case, does anything change if the sending host has the line
nameserver 157.159.100.81 in its /etc/resolv.conf?
- What is the motivation for "dig +nssearch" option?
- http://www.squish.net/dnscheck?
- ...
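As an added example (not part of the lab handout), here is a small POSIX shell script that does by hand what the +norecurse/+trace question above asks about: it starts at a root server, sends queries without the RD bit using dig +norecurse, follows the NS names returned in each referral, and stops at the first answer carrying the aa flag. The choice of a.root-servers.net. as starting point and the sample referral embedded for the self-check are assumptions (the sample is constructed, not captured output); resolving a real name needs dig on the PATH and network access.

```shell
#!/bin/sh
# Manual iterative resolution with dig +norecurse, following referrals down
# from the root as "dig +trace" does. Added example, not from the lab text.
# Assumes BIND's dig on the PATH and network access; starts at
# a.root-servers.net. (any root server works).

ROOT=a.root-servers.net.

# Nameserver names listed in the AUTHORITY section of a referral.
# Input on stdin: dig output with comments and section headers enabled.
authority_ns() {
    awk '
        /^;; AUTHORITY SECTION:/ { in_auth = 1; next }
        /^;;/ || /^$/            { in_auth = 0 }
        in_auth && $4 == "NS"    { print $5 }
    '
}

# True when the reply carries the "aa" flag: it comes from a server that is
# authoritative for the name, not from a cache and not a referral.
is_authoritative() {
    grep -q '^;; flags:.* aa[ ;]'
}

# Ask each server without recursion; a referral names the servers of the
# next zone down, an "aa" answer ends the walk. Name must be a FQDN.
resolve() {
    name=$1
    server=$ROOT
    hops=0
    while [ $hops -lt 10 ]; do
        hops=$((hops + 1))
        # NB: "dig @name" resolves the server's name with the stub resolver of
        # /etc/resolv.conf; use the glue address from ADDITIONAL to avoid that.
        out=$(dig @"$server" "$name" A +norecurse +noall +comments +answer +authority)
        if printf '%s\n' "$out" | is_authoritative; then
            echo "$server answers with aa:" >&2
            printf '%s\n' "$out" | awk '/^;; ANSWER SECTION:/ { p = 1; next } /^;;/ || /^$/ { p = 0 } p'
            return 0
        fi
        next=$(printf '%s\n' "$out" | authority_ns | head -n 1)
        if [ -z "$next" ]; then
            echo "no referral and no aa answer from $server:" >&2
            printf '%s\n' "$out" | grep '^;; ' >&2
            return 1
        fi
        echo "$server -> referral to $next" >&2
        server=$next
    done
    echo "too many hops, giving up" >&2
    return 1
}

# Constructed sample of a root-server referral for a .fr name (not captured
# live), used to exercise the two parsers without network access.
SAMPLE_REFERRAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; AUTHORITY SECTION:
fr.			172800	IN	NS	d.nic.fr.
fr.			172800	IN	NS	e.ext.nic.fr.
'

if [ $# -gt 0 ]; then
    resolve "$1"        # e.g. sh iterate.sh alambix.ipv6.int-evry.fr.
fi
```

Compare the referral chain printed on stderr with the output of dig +trace for the same name: the servers asked are the same, the difference being that dig does the walk for you and prints every step's full reply. Note that the script only takes the first NS of each referral; the handout's question about "how many choices" is answered by the full list authority_ns prints.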
"Bonus" IPv6
- Is IPv6 active on your host?
- What is the difference between the following requests:
dig @ipv6-1.int-evry.fr. ...,
dig @ipv6-1.ipv6.int-evry.fr. ... and
dig @zeratul.ipv6.int-evry.fr. ...? Why does the answer depend on the previous question?
"Super Bonus" Demo
Zone for testing RR types and wildcard (source file in docs):
dig @ipv6-1.int-evry.fr zone.test. AXFR
"Extra Bonus" DNSSEC
How can a DNSSEC-signed zone (and its subtree) be "dumped" without AXFR (hint: look at what an NSEC record tells you about the next name)? Try with the zones
enst.idsa.prd.fr., or
ipv6.rennes.enst-bretagne.fr. or
int-evry.caddisc.enst.idsa.prd.fr.
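As an added example (not part of the handout), the following POSIX shell script answers the "dump without AXFR" question by walking the NSEC chain: every NSEC record names the next owner name of the zone in canonical order together with the record types present at its owner, so starting at the apex and asking NSEC for each successive next name lists every name in the zone, whatever the allow-transfer policy. The server and zone arguments, and the NSEC line embedded for the self-check, are assumptions (the sample is constructed, with placeholder signature data); a real walk needs dig and network access. This enumeration property is the reason the later NSEC3 (RFC 5155) hashes owner names.

```shell
#!/bin/sh
# Enumerate a DNSSEC-signed zone through its NSEC chain instead of AXFR.
# Added example, not from the lab text. Assumes BIND's dig on the PATH and
# a server that answers NSEC queries for the zone (the authoritative one).

# Next owner name from a "dig +noall +answer" output. Fields of an NSEC
# line: owner TTL class NSEC next types... ; RRSIG lines are skipped.
nsec_next() {
    awk '$4 == "NSEC" { print $5; exit }'
}

# Readable "owner -> next [ types ]" line for the same input.
nsec_line() {
    awk '$4 == "NSEC" {
             printf "%s -> %s [", $1, $5
             for (i = 6; i <= NF; i++) printf " %s", $i
             print " ]"
             exit
         }'
}

# Start at the apex and follow "next" until it wraps back to the apex.
# Names are compared in lower case, the canonical form NSEC uses.
walk_zone() {
    server=$1
    zone=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    name=$zone
    count=0
    while [ $count -lt 10000 ]; do      # guard against a loop on bad data
        count=$((count + 1))
        out=$(dig @"$server" "$name" NSEC +noall +answer)
        next=$(printf '%s\n' "$out" | nsec_next | tr 'A-Z' 'a-z')
        if [ -z "$next" ]; then
            echo "no NSEC record for $name: zone unsigned, or $server not authoritative?" >&2
            return 1
        fi
        printf '%s\n' "$out" | nsec_line
        [ "$next" = "$zone" ] && return 0   # chain closed: every name listed
        name=$next
    done
    echo "stopped after $count names" >&2
    return 1
}

# Constructed sample answer (placeholder signature, not a real one) used to
# exercise the parsers without network access.
SAMPLE_NSEC='XXX.test.	3600	IN	NSEC	ns.XXX.test. A NS SOA MX RRSIG NSEC DNSKEY
XXX.test.	3600	IN	RRSIG	NSEC 5 2 3600 20060701000000 20060601000000 12345 XXX.test. placeholder='

if [ $# -eq 2 ]; then
    walk_zone "$1" "$2"   # e.g. sh nsecwalk.sh alambix.int-evry.fr. int-evry.caddisc.enst.idsa.prd.fr.
fi
```

Each printed line also reveals the record types present at the name, so a walk gives an inventory comparable to an AXFR. Names delegated to a child zone appear with NS (and DS) only; walk the child separately to list the subtree.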
Part 2: Setting up a DNS Server
Objective:
The work here consists of installing a DNS server using the ISC BIND software.
To verify the correct behaviour of the various DNS services, useful tests must be
defined and applied to this DNS server.
Successive steps could be:
- a Forward-Only server: caching, no authoritative zone,
no iterative resolution; accepts recursive requests and relays them
to another recursive DNS server.
- a Cache-Only server: caching, no authoritative zone,
accepts recursive requests and answers them by iterative resolution.
- a Master Authoritative server: caching, master server for a local zone
XXX.test., iterative resolution. Create a zone database with some RRs,
choosing names as you want but using operational information (IP addresses, ...).
- Variations:
- Modify it into an Authoritative-Only server: no iterative resolution, no forwarding, only non-recursive (authoritative or referral) responses. (Is there still a cache?)
- Create sub-domains AAA.XXX.test. and a sub-zone BBB.XXX.test. in the same server.
- Find the administrator of a zone YYY.test. and arrange with him
that each of you becomes a Slave Authoritative server for the other's zone:
as he reads the same text, he will offer you to become a slave
server for YYY.test. while he becomes a slave for your zone XXX.test. Test here the behaviour
of DNS zone updates (NOTIFY, SOA timers, modification of the serial number, ...)
- Become a Stealth Slave Authoritative server for zone int-evry.fr. (and/or ipv6.int-evry.fr., 159.157.in-addr.arpa., ...)
- Find the administrator for the domain ipv6.int-evry.fr. and
obtain a delegation XXX.ipv6.int-evry.fr. to attach your zone in
the "worldwide" DNS.
Operational hints:
- Don't forget the information in Documents and Links
- The file ./conf0 gives a starting configuration file for the named
daemon. Rename this file as you want (MY_CONFIG) and adapt it
at each step.
- Start your server with:
./named -g -p MY_DNS_PORT -c MY_CONFIG
Choose MY_DNS_PORT as an unprivileged port number (above 1023).
Kill the daemon with Ctrl-C.
- Test your server using dig (in another window):
./dig @localhost -p MY_DNS_PORT ....
(or @::1 instead of @localhost !)
- Before loading a configuration or a zone file, you can verify syntax with:
./named-checkconf MY_CONFIG
./named-checkzone ZONE_NAME ZONE_FILE
- Quickly activate the "remote" control of the named daemon using the rndc tool. For this, generate the configuration data (authentication key, ...) with:
./rndc-confgen -p MY_RNDC_PORT > MY_RNDC_CONFIG
Look at the generated file MY_RNDC_CONFIG and modify the file MY_CONFIG as described in it (the same key must appear on both sides).
After restarting ./named, control the daemon using:
./rndc -c MY_RNDC_CONFIG command
Without a command, you get the command list: reload, status, querylog ...
- At each step, you can examine the contents of your zone using
dig AXFR,
and the contents of the DNS cache using rndc dumpdb (written to named_dump.db in the server's directory).
The cache is cleared using rndc flush.
- For the last steps, port 53 is required. Find a super-user
on your host to start named on the privileged port 53. This needs
rndc and "logging to a file" to be correctly configured. NB: use
"tail -f LOG_FILE" to watch a log file continuously (kill with Ctrl-C).
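As an added example (not the lab's ./conf0 and not code from the handout), the following POSIX shell script writes the configuration files for the three successive steps above, the AAA sub-domain / BBB sub-zone variation and a slave stanza for a neighbour's YYY.test., then runs the syntax checks recommended in the hints. The 192.0.2.x addresses (RFC 5737 TEST-NET-1), the file names and the scratch directory are placeholders to replace with your own operational data; the forwarder is taken from the first nameserver line of /etc/resolv.conf, as the Part 1 hint suggests.

```shell
#!/bin/sh
# Configuration files for the steps of Part 2: forward-only, cache-only,
# then master for XXX.test. with a sub-domain AAA (same zone) and a
# delegated sub-zone BBB (separate zone), plus a slave of YYY.test.
# Added example, not the lab's ./conf0. 192.0.2.x addresses are placeholders.
set -u

WORK=${WORK:-$PWD/lab-dns}          # scratch directory (assumption)
ZONE="XXX.test."
# The hint says to look at /etc/resolv.conf: its first nameserver is the forwarder.
FORWARDER=$(awk '/^nameserver/ { print $2; exit }' /etc/resolv.conf 2>/dev/null)
FORWARDER=${FORWARDER:-127.0.0.1}   # fallback if the file is missing
mkdir -p "$WORK"

# Step 1, forward-only: no authoritative zone, no iterative resolution;
# recursive queries are relayed to the forwarder and the answers cached.
write_forward_conf() {
    cat > "$WORK/forward.conf" <<EOF
options {
    directory "$WORK";
    recursion yes;
    forward only;
    forwarders { $FORWARDER; };
};
EOF
}

# Step 2, cache-only: resolves iteratively itself, so it needs the root
# hints (fetch them with: dig @a.root-servers.net. . NS > $WORK/named.root).
write_cache_conf() {
    cat > "$WORK/cache.conf" <<EOF
options { directory "$WORK"; recursion yes; };
zone "." { type hint; file "named.root"; };
EOF
}

# Step 3, master (plus slave of YYY.test.). Put "recursion no;" for the
# authoritative-only variation. Transfers are limited to localhost and the
# slave: "dig @localhost ... AXFR" still works, anyone else gets REFUSED.
write_master_conf() {
    cat > "$WORK/master.conf" <<EOF
options { directory "$WORK"; recursion yes; notify yes; };
zone "." { type hint; file "named.root"; };
zone "$ZONE" {
    type master; file "XXX.test.zone";
    allow-transfer { 127.0.0.1; ::1; 192.0.2.60; };
};
zone "BBB.$ZONE" { type master; file "BBB.XXX.test.zone"; };
zone "YYY.test." { type slave; masters { 192.0.2.60; }; file "YYY.test.bak"; };
EOF
}

write_zone_files() {
    cat > "$WORK/XXX.test.zone" <<'EOF'
$TTL 3600
$ORIGIN XXX.test.
@        IN SOA  ns.XXX.test. hostmaster.XXX.test. (
                 2006060101 ; serial (YYYYMMDDnn): bump it at every change
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 300 )      ; negative-caching TTL
         IN NS   ns.XXX.test.
         IN MX   10 mail.XXX.test.
ns       IN A    192.0.2.53
mail     IN A    192.0.2.25
; AAA is a sub-domain inside this zone: ordinary records, no delegation
www.AAA  IN A    192.0.2.80
; BBB is a separate zone: only the delegation (NS) and its glue live here
BBB      IN NS   ns.BBB.XXX.test.
ns.BBB   IN A    192.0.2.54
EOF
    cat > "$WORK/BBB.XXX.test.zone" <<'EOF'
$TTL 3600
$ORIGIN BBB.XXX.test.
@        IN SOA  ns.BBB.XXX.test. hostmaster.XXX.test. (
                 2006060101 3600 900 604800 300 )
         IN NS   ns.BBB.XXX.test.
ns       IN A    192.0.2.54
EOF
}

# SOA serial of a zone file: a slave only transfers when it has grown.
zone_serial() {
    awk '/SOA/ { found = 1 } found && $1 ~ /^[0-9]+$/ { print $1; exit }' "$1"
}

# Syntax checks before loading, as the hints recommend (skipped without BIND tools).
check_files() {
    command -v named-checkzone >/dev/null 2>&1 || { echo "BIND tools not found, checks skipped"; return 0; }
    named-checkconf "$WORK/master.conf" &&
    named-checkzone "$ZONE" "$WORK/XXX.test.zone" &&
    named-checkzone "BBB.$ZONE" "$WORK/BBB.XXX.test.zone"
}

write_forward_conf; write_cache_conf; write_master_conf; write_zone_files
check_files
echo "serial of $ZONE: $(zone_serial "$WORK/XXX.test.zone")"
echo "start with: ./named -g -p MY_DNS_PORT -c $WORK/master.conf"
```

The AAA/BBB difference is the point of the sub-domain versus sub-zone question: AAA's names live in the XXX.test. zone file, whereas BBB has its own SOA, its own file and its own zone statement, and only NS records plus glue for it appear in the parent. Start each configuration in turn with ./named -g -p MY_DNS_PORT -c FILE and compare the dig @localhost -p MY_DNS_PORT answers: flags aa for names in XXX.test., no aa for forwarded or cached answers, and status REFUSED for an AXFR from an address that is not in allow-transfer.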
Part 3: DNSSEC transition
Objective:
Signing a DNS zone with respect to DNSSEC (RFC4033, 4034, 4035) and publishing
the signed zone with a master authoritative server.
Hints:
- From a DNS zone file, the dnssec-signzone tool creates the signed
version of the zone. The tool computes and inserts in the zone file the
RRSIG and NSEC records required for data authentication
in DNSSEC. The resulting zone file can be used as a usual zone file
for publishing in the DNS.
- Before signing, cryptographic keys need to be created and inserted
(the public key only) in the zone file as DNSKEY records.
The dnssec-keygen tool is used to generate keys.
- ... Look at dnssec-* Manual pages and commented example in
directory ./CONFIG/DNSSEC ...
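As an added example, distinct from the commented example in ./CONFIG/DNSSEC, here is a POSIX shell script that carries out the three operations the hints describe with the dnssec-* tools: key generation (one KSK, one ZSK), publication of the public keys as DNSKEY records, and signing with dnssec-signzone, followed by a named-checkzone of the result. It also contains a small parser that tells a KSK from a ZSK by the DNSKEY flags field, which is what decides which key goes after -k. Key sizes, the algorithm (RSASHA1, what BIND 9.3 offered; a current BIND should use RSASHA256) and the placeholder key line used for the self-check are assumptions; the signing itself needs the BIND tools on the PATH.

```shell
#!/bin/sh
# Sign a zone with the BIND dnssec-* tools. Added example, not the one in
# ./CONFIG/DNSSEC. Needs dnssec-keygen, dnssec-signzone and named-checkzone
# on the PATH; takes the zone name and the unsigned zone file as arguments.
set -u

# KSK or ZSK from the DNSKEY flags field of a public key file:
# 257 = zone key with the SEP bit (KSK), 256 = plain zone key (ZSK).
# Handles lines with or without a TTL field and skips ";" comment lines.
key_role() {
    awk '$3 == "DNSKEY" || $4 == "DNSKEY" {
             flags = ($3 == "DNSKEY") ? $4 : $5
             print (flags == 257) ? "KSK" : (flags == 256 ? "ZSK" : "other")
             exit
         }' "$1"
}

sign_zone() {
    zone=$1
    zonefile=$2
    # 1. Keys. -f KSK sets the SEP flag. RSASHA1 is algorithm 5, the BIND 9.3
    #    choice; prefer -a RSASHA256 on a current BIND.
    ksk=$(dnssec-keygen -a RSASHA1 -b 2048 -n ZONE -f KSK "$zone")
    zsk=$(dnssec-keygen -a RSASHA1 -b 1024 -n ZONE "$zone")
    echo "KSK: $ksk ($(key_role "$ksk.key")), ZSK: $zsk ($(key_role "$zsk.key"))"
    # 2. Publish the public keys only (.key files) as DNSKEY records. The
    #    .private files never go in the zone; keep them mode 0600.
    #    (When re-signing, replace these lines rather than appending again.)
    cat "$ksk.key" "$zsk.key" >> "$zonefile"
    # 3. Sign: -k marks the KSK, which signs the DNSKEY RRset; the ZSK signs
    #    everything else. Output: $zonefile.signed with RRSIG and NSEC added.
    #    Bump the SOA serial before every re-signing, as for any change.
    dnssec-signzone -o "$zone" -k "$ksk.key" "$zonefile" "$zsk.key"
    # 4. Check the result before putting it in named.conf.
    named-checkzone "$zone" "$zonefile.signed"
}

# Number of records of a type in a zone file (fields: owner TTL class type),
# a quick sanity check: every RRset gets an RRSIG, every name an NSEC.
count_type() {
    awk -v t="$2" '$4 == t { n++ } END { print n + 0 }' "$1"
}

# Constructed sample public key file (placeholder key data, not a real key)
# to exercise key_role without running dnssec-keygen.
write_sample_key() {
    printf '%s\n' '; This is a key-signing key, keyid 12345, for XXX.test.' \
        'XXX.test. IN DNSKEY 257 3 5 AwEAAcPLACEHOLDERnotArealKey' > "$1"
}

if [ $# -eq 2 ] && command -v dnssec-signzone >/dev/null 2>&1; then
    sign_zone "$1" "$2"       # e.g. sh sign.sh XXX.test. XXX.test.zone
    echo "RRSIG: $(count_type "$2.signed" RRSIG), NSEC: $(count_type "$2.signed" NSEC)"
fi
```

Once the .signed file is loaded, query it with dig @localhost -p MY_DNS_PORT +dnssec +multiline XXX.test. DNSKEY: the RRSIG records are only returned when the DO bit is set (+dnssec), and a validating resolver such as bonemine will only accept the zone if its KSK is configured there as a trust anchor (trusted-keys). Signatures expire (30 days by default for dnssec-signzone), so re-signing has to be scheduled, not done once.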
Part 3 bis: Securing DNS server transactions
Secured configuration of zone transfers and/or dynamic updates
using transaction signing with the TSIG mechanism.
(NB: BIND 9.3.1 only partially supports the SIG(0) mechanism)
.. To be done ... self-training!
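Since this part is left to self-training, here is an added example (not from the handout) of what a TSIG setup looks like: a POSIX shell script that generates a shared secret, writes the key statement to a private file included by both named.conf files, restricts AXFR and dynamic update on the master to requests signed with that key, and makes the slave sign everything it sends to the master. The key name xfer-key, the addresses 192.0.2.53 (master) and 192.0.2.60 (slave) and the scratch directory are placeholders; hmac-md5 is used because it is the only TSIG algorithm BIND 9.3.1 offers, later versions also accept hmac-sha256, which should be preferred.

```shell
#!/bin/sh
# TSIG-protected zone transfer and dynamic update between a master and a
# slave. Added example, not part of the lab. Placeholders: key name,
# 192.0.2.53 (master), 192.0.2.60 (slave). hmac-md5 is the BIND 9.3.1
# algorithm; set ALGO=hmac-sha256 on a later BIND.
set -u

KEYNAME=${KEYNAME:-xfer-key}
ALGO=${ALGO:-hmac-md5}
MASTER=192.0.2.53
WORK=${WORK:-$PWD/lab-tsig}

# A fresh shared secret: 32 random bytes in base64 (the same thing
# "dnssec-keygen -a HMAC-MD5 -b 128 -n HOST name" or tsig-keygen produce).
gen_secret() {
    if command -v openssl >/dev/null 2>&1; then openssl rand -base64 32
    else head -c 32 /dev/urandom | base64 | tr -d '\n'; fi
}

# The key statement is identical on both sides. Keep it in a mode-0600 file
# pulled in with "include", not in a world-readable named.conf.
key_stanza() {
    printf 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' "$1" "$ALGO" "$2"
}

write_confs() {
    name=$1
    secret=$2
    mkdir -p "$WORK"
    ( umask 077; key_stanza "$name" "$secret" > "$WORK/tsig.key" )
    # Master: unsigned AXFR or UPDATE requests are refused, signed ones accepted.
    cat > "$WORK/master-tsig.conf" <<EOF
include "$WORK/tsig.key";
options { directory "$WORK"; };
zone "XXX.test." {
    type master;
    file "XXX.test.zone";
    allow-transfer { key $name; };
    allow-update   { key $name; };
};
EOF
    # Slave: every request sent to the master (SOA refresh, AXFR/IXFR) is signed.
    cat > "$WORK/slave-tsig.conf" <<EOF
include "$WORK/tsig.key";
options { directory "$WORK"; };
server $MASTER { keys { $name; }; };
zone "XXX.test." {
    type slave;
    masters { $MASTER; };
    file "XXX.test.bak";
};
EOF
}

# Client-side checks once both named are running (not executed here):
#   unsigned AXFR must come back REFUSED:
#     dig @$MASTER XXX.test. AXFR
#   signed AXFR succeeds (a 9.3 dig takes -y name:secret, without the algorithm):
#     dig @$MASTER -y "$ALGO:$KEYNAME:$SECRET" XXX.test. AXFR
#   signed dynamic update, then check the new record and the bumped serial:
#     printf 'update add new.XXX.test. 300 A 192.0.2.99\nsend\n' | nsupdate -y "$ALGO:$KEYNAME:$SECRET"
# Prefer -k KEYFILE to -y: a secret on the command line is visible in "ps".

SECRET=$(gen_secret)
write_confs "$KEYNAME" "$SECRET"
echo "wrote $WORK/tsig.key (mode 0600), master-tsig.conf and slave-tsig.conf"
```

Two things to check after starting both servers: a signed request with a wrong secret or a clock skew above 5 minutes between the two hosts fails with BADSIG or BADTIME (TSIG includes a timestamp), and the master's log shows which key authenticated each transfer, which is what makes TSIG a useful audit trail as well as an access control.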