Notes for Week 5

  1. Terms

    • Fully Qualified Domain Name (FQDN) - the complete name of a host on the Internet, written with all of its labels and a trailing period (e.g. "www.rwc.uc.edu.")
    • domain - part of the Internet name space; i.e., "." (the root domain), "edu", "uc.edu" and "rwc.uc.edu" are all domains
    • zone - that part of name space which has been delegated to a particular server; that server is authoritative for that zone
    • Queries are answered by responses, which contain resource records. A query can be recursive, in which case the server asked is expected to return the final answer, querying other servers itself if necessary; or iterative (non-recursive), in which case the resolver (the client-side DNS software which queries servers) receives referrals and must itself find out which server is authoritative and then ask it.

      Responses can be authoritative, coming from a server that is authoritative for the zone, or non-authoritative, coming from a caching server. They can also be truncated (the TC bit is set), which means that not all of the information available from the server fit in the 512-byte limit of a classic UDP response; a resolver that receives a truncated response should retry the query over TCP.

      Resource records can be A (address) records, giving the IPv4 address of an FQDN; NS records, naming the name servers to ask for more information about a zone; PTR (pointer) records, giving the FQDN associated with an IP address; or CNAME records, which map an alias to its canonical name. Each record also carries a time to live (TTL), the number of seconds for which the data may be cached and trusted. If a domain name does not exist, the response code is NXDOMAIN: non-existent domain.

    • Name servers can be:

      • root, having responsibility for the root zone;
      • primary (or master), having authoritative responsibility for a zone;
      • secondary (or slave), having backup responsibility for a zone; and
      • caching, having no authority, but relaying DNS data from authoritative servers.

      Primary and secondary servers can also be caching servers for zones for which they are not authoritative.
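
      To make the terms above concrete, here is an added example (not from the original notes) that builds a DNS query and parses a response at the wire level: the header flags QR, AA, TC, RD and RA, the RCODE (including NXDOMAIN), the question section, and A, NS, CNAME and PTR answer records with their TTLs, following name-compression pointers. The two response byte strings are constructed by hand for a fictitious lab265 zone, not captured traffic; the names and addresses in them are assumptions.

```python
import struct

TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode 'www.lab265' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, recursive=True):
    """Standard query with one question; RD (0x0100) asks for recursion."""
    flags = 0x0100 if recursive else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, off):
    """Decode the name at msg[off], following 0xC0xx compression pointers.
    Returns (name with trailing dot, offset just past the name's wire form)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer into the message
            if end is None:                             # remember where we were
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                               # malformed: pointer loop
                raise ValueError("compression loop")
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_message(msg):
    """Parse header, question and answer sections (authority/additional are only counted)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {
        "id": txid,
        "response": bool(flags & 0x8000),               # QR
        "authoritative": bool(flags & 0x0400),          # AA
        "truncated": bool(flags & 0x0200),              # TC: retry over TCP
        "recursion_desired": bool(flags & 0x0100),      # RD
        "recursion_available": bool(flags & 0x0080),    # RA
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "questions": [],
        "answers": [],                                  # (name, type, ttl, value)
    }
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        info["questions"].append((name, TYPES.get(qtype, qtype)))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:                                  # A: four octets
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):                       # NS, CNAME, PTR: a name
            value, _ = decode_name(msg, off)            # may point back into msg
        else:
            value = rdata.hex()
        off += rdlen
        info["answers"].append((name, TYPES.get(rtype, rtype), ttl, value))
    return info


# Constructed (not captured) authoritative answer to build_query("www.lab265"):
# www.lab265 is a CNAME for ns.lab265, whose A record is 192.168.1.1.
# 0xC00C, 0xC010 and 0xC028 are compression pointers to offsets 12, 16 and 40.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234" "8580" "0001" "0002" "0000" "0000"    # id; QR AA RD RA, NOERROR; 1 q, 2 an
    "03777777" "066c616232363500" "0001" "0001"  # question: www.lab265 A IN
    "c00c" "0005" "0001" "00000e10" "0005"       # www.lab265 CNAME IN ttl 3600 rdlen 5
    "026e73" "c010"                              #   rdata: "ns" + pointer to "lab265"
    "c028" "0001" "0001" "00015180" "0004"       # ns.lab265 A IN ttl 86400 rdlen 4
    "c0a80101"                                   #   rdata: 192.168.1.1
)

# Constructed authoritative reply for a name that does not exist: RCODE 3.
SAMPLE_NXDOMAIN = bytes.fromhex(
    "1235" "8583" "0001" "0000" "0000" "0000"          # QR AA RD RA, NXDOMAIN; 1 q, 0 an
    "066e6f73756368" "066c616232363500" "0001" "0001"  # question: nosuch.lab265 A IN
)
```

      Calling parse_message(SAMPLE_RESPONSE) shows the AA bit set and the CNAME followed by the A record it points to, each with its own TTL; parse_message(SAMPLE_NXDOMAIN) shows an empty answer section with rcode NXDOMAIN. A real server would send SAMPLE_RESPONSE in reply to build_query("www.lab265") over UDP port 53, and would set TC instead if the answer did not fit.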

  2. A lookup for anything less than an FQDN (a name without a trailing period) results in multiple queries until one succeeds or all of them fail. The first query is for the name as requested. Each subsequent query is for that name followed by one of the "search domains" (as specified in resolv.conf - see below), and finally by the local domain.

    For instance, if the local domain is "lab265" and the search domains are "rwc.uc.edu" and "uc.edu", the lookup of "mickey.mouse" would involve queries for:

    1. mickey.mouse
    2. mickey.mouse.rwc.uc.edu
    3. mickey.mouse.uc.edu
    4. mickey.mouse.lab265

    Note that a search for "mickey.mouse." would only involve the first lookup.

    The use of search domains is discouraged: every candidate that fails costs a further query and its timeout, so a mistyped name can take a long time to fail, and a short name may end up being resolved in a zone other than the one the user intended.

  3. Reverse or pointer (PTR) queries are formed by reversing the octets of the IP address and appending the domain "in-addr.arpa". Hence a reverse query for 129.137.122.97 would be for the name:

    97.122.137.129.in-addr.arpa

    You can also perform this query using "dig -x 129.137.122.97", which builds that name and asks for its PTR record.
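
    The following is an added example (not from the original notes) that implements the two pieces of resolver-side name handling described in items 2 and 3: the order of candidate names a stub resolver tries for a name that is not fully qualified, and the in-addr.arpa name used for a reverse query. It also forms the ip6.arpa name for an IPv6 address, which goes beyond the notes but follows the same rule with reversed hex nibbles instead of octets. The search list "rwc.uc.edu", "uc.edu" and local domain "lab265" are the assumed lab values from the notes; the ndots threshold (default 1 in glibc, below which the search list is tried before the bare name) is modelled as an option.

```python
import ipaddress


def search_candidates(name, search=(), domain=None, ndots=1):
    """Return the FQDNs tried, in order, for a name typed by the user.

    A name ending in '.' is absolute and is tried exactly once.  Otherwise the
    bare name is tried first and then the name with each search domain and
    finally the local domain appended, as the notes describe.  If the name has
    fewer dots than `ndots` (glibc's rule, default 1), the suffixed forms are
    tried before the bare name instead.  Assumption: the local domain is tried
    last, after the search list, as in the notes.
    """
    if name.endswith("."):
        return [name]
    suffixes = list(search)
    if domain and domain not in suffixes:
        suffixes.append(domain)
    expanded = ["%s.%s." % (name, s.rstrip(".")) for s in suffixes]
    bare = name + "."
    if name.count(".") >= ndots:
        return [bare] + expanded
    return expanded + [bare]


def reverse_name(ip):
    """Return the PTR query name for an IPv4 (in-addr.arpa) or IPv6 (ip6.arpa) address."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on junk input
    if addr.version == 4:
        octets = str(addr).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits, zeros restored
    return ".".join(reversed(nibbles)) + ".ip6.arpa."
```

    search_candidates("mickey.mouse", ["rwc.uc.edu", "uc.edu"], "lab265") reproduces the four queries listed in item 2, and reverse_name("129.137.122.97") gives the name dig -x would query.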
  4. DNS uses UDP port 53 for ordinary queries and responses. TCP port 53 is used for zone transfers from a primary to a secondary server, and by resolvers that retry a query after receiving a truncated (TC) UDP response.
  5. Configuration files for client resolver:

    • /etc/hosts - specifies known hosts in a static file
    • /etc/resolv.conf - specifies one or more name servers, and search domains
    • /etc/host.conf - specifies lookup order on older systems
    • /etc/nsswitch.conf - specifies lookup order, and whether NIS is used
  6. The following commands will install named, the DNS daemon:
    mount -wo remount /
    cd /usr/src
    tar -xjf bind-9.2.3.tar.bz2
    cd bind-9.2.3
    
    ./configure --prefix=/usr --sysconfdir=/etc &&
    make &&
    make install
    
    groupadd named &&
    useradd -m -g named -s /bin/false named
    
    cd /home/named &&
    mkdir -p dev etc/namedb var/run &&
    mknod /home/named/dev/null c 1 3 &&
    mknod /home/named/dev/random c 1 8 &&
    chmod 666 /home/named/dev/{null,random} &&
    cp /etc/localtime /home/named/etc
    cd
    
    chown -R named:named /home/named
    
    cat > /etc/rc.d/init.d/bind << "EOF"
    #!/bin/sh
    . /etc/sysconfig/rc
    . $rc_functions
    case "$1" in
            start)
                    logecho "Starting named..."
                    # -t makes /home/named the root directory, so -c /etc/named.conf
                    # really means /home/named/etc/named.conf; -u drops privileges
                    # to the unprivileged user named once port 53 is bound
                    loadproc /usr/sbin/named -u named -t /home/named -c \
                            /etc/named.conf
                    ;;
            stop)
                    logecho "Stopping named..."
                    killproc /usr/sbin/named
                    ;;
            restart)
                    $0 stop
                    sleep 1
                    $0 start
                    ;;
            reload)
                    logecho "Reloading named..."
                    /usr/sbin/rndc -c /etc/rndc.conf reload
                    ;;
            status)
                    statusproc /usr/sbin/named
                    ;;
            *)
                    echo "Usage: $0 {start|stop|restart|reload|status}"
                    exit 1
                    ;;
    esac
    EOF
    chmod 754 /etc/rc.d/init.d/bind
    
    mount -ro remount /
    
    This installation method runs named in a "chroot jail" located in /home/named: the -t option makes /home/named its root directory, so every path named sees (/etc/named.conf, /etc/namedb, /dev/random) is really /home/named/etc/named.conf and so on, and the -u option drops its privileges to the unprivileged user named. The directories and device nodes created above are the minimum it needs inside the jail. If named is compromised, the attacker is confined to the files under /home/named and to the privileges of the named user; the chroot alone is not a complete boundary against a process still running as root, which is why dropping to the named user matters.
  7. EXERCISES for Week 5:

    1. Download the configuration files /home/named/etc/named.conf, /home/named/etc/namedb/127.0.0, /home/named/etc/namedb/192.168.1, /home/named/etc/namedb/lab265 and /home/named/etc/namedb/named.ca.
    2. Start named using "/etc/rc.d/init.d/bind start". Examine the tail of the system log file using "tail -n40 /var/log/messages".
    3. Test your server using "dig @127.0.0.1 www.lab265". Compare the resource records with those in the file /home/named/etc/namedb/lab265.
    4. Test your server using "dig @127.0.0.1 -x 192.168.1.1". This performs a reverse lookup (1.1.168.192.in-addr.arpa). Compare the resource records with those in the file /home/named/etc/namedb/192.168.1.
    5. Test your server using "dig @127.0.0.1 www.rwc.uc.edu". Examine the resource records.
    6. Using the information in the Week 1 notes, add firewall rules to permit access to your DNS server from other PCs in the lab, for both TCP and UDP. Re-run your firewall script and test access to your server from other stations.

      "dig @(host) AXFR lab265" can be used to test access through TCP, since a zone transfer is always carried over TCP. Note that a transfer hands the entire zone to whoever asks; outside the lab, restrict it to your secondaries with the allow-transfer option in named.conf.

    7. Modify your /etc/resolv.conf file to use your name server. Remember to start your name server whenever you use your system!

      This can be accomplished automatically using the following command:

      ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc3.d/S22bind


©2005, Kenneth R. Koehler. All Rights Reserved. This document may be freely reproduced provided that this copyright notice is included.

Please send comments or suggestions to the author.