Notes for Week 5

  1. Terms

    • domain - part of the Internet namespace tree; "." (the root domain), "edu", "uc.edu" and "rwc.uc.edu" are all domains; linux265.rwc.uc.edu is a domain name but not a domain
    • domain names are bound to IP addresses; such an association is a binding; IP addresses are a list, domain names form a tree and DNS provides the bindings from a leaf on the tree to an address in the list
    • Fully Qualified Domain Name (FQDN) - name of a host on the Internet, ending with a period
    • zone - that part of name space which has been delegated to a particular server; that server is authoritative for that zone
    • Queries are answered by responses, which contain resource records. Queries can be recursive, in which case a single query should return the required response, and the server is responsible for asking other servers if necessary; or not recursive, in which case the resolver (the client-side DNS software which queries servers) must find out which server is authoritative and then ask it.

      Responses can be authoritative, coming from an authoritative server, or not, coming from a caching server. They can also be truncated, which means that not all of the information available from the server fit in the 512 byte limit.

      Resource records can be A or address records, providing the IP address of an FQDN; NS records, which describe name servers to go to for more information; PTR or "pointer" records, which provide the FQDN associated with an IP address; or CNAME records, which provide "canonical names", or aliases. Responses also provide a time for which the data is to be trusted. If a domain name does not exist, the response is NXDOMAIN: non-existent domain.

    • Name servers can be:

      • root, have responsibility for the root zone;
      • primary (or master), having authoritative responsibility for a zone;
      • secondary (or slave), having backup responsibility for a zone; and
      • caching, having no authority, but relaying DNS data from authoritative servers.

      Primary and secondary servers can also be caching servers for zones for which they are not authoritative.
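      The header flags and record types described above are easiest to see on the wire. The following is an added example (not part of these notes) that decodes a DNS message: the QR/AA/TC/RD/RA flags, the response code (NOERROR or NXDOMAIN), the question, and A, NS, CNAME and PTR records with their TTLs. Name compression pointers are accepted only when they point backwards, so a message with a pointer loop is rejected instead of hanging the parser. The two sample messages are constructed in the code; the names and addresses in them (www.lab265, linux265.lab265, 192.168.1.1) are borrowed from the lab setup and the answers are made up.

```python
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR"}
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Wire-format labels for an FQDN: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, offset):
    """Decode a (possibly compressed) name at offset; returns (name, offset after it).
    Compression pointers must point backwards, which rules out pointer loops."""
    labels, resume = [], None
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                    # 11xxxxxx: 14-bit pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError("compression pointer does not point backwards")
            if resume is None:
                resume = offset + 2                    # where parsing continues afterwards
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (resume if resume is not None else offset)


def parse_message(msg):
    """Split a DNS message into header flags, questions and resource records."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    header = {
        "id": ident,
        "response": bool(flags & 0x8000),             # QR
        "authoritative": bool(flags & 0x0400),        # AA: answer from an authoritative server
        "truncated": bool(flags & 0x0200),            # TC: answer did not fit in 512 bytes
        "recursion_desired": bool(flags & 0x0100),    # RD: client asked for a recursive query
        "recursion_available": bool(flags & 0x0080),  # RA
        "rcode": RCODE_NAMES.get(flags & 0x000F, flags & 0x000F),
    }
    offset, questions, records = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, TYPE_NAMES.get(qtype, qtype)))
    for _ in range(an + ns + ar):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:                  # A: four octets
            data = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype in (2, 5, 12):                      # NS, CNAME, PTR: rdata is a name
            data, _ = read_name(msg, offset)
        else:
            data = msg[offset:offset + rdlen].hex()
        offset += rdlen
        records.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype), "ttl": ttl, "data": data})
    return header, questions, records


def build_sample_answer():
    """Constructed sample: an authoritative answer saying www.lab265 is a CNAME for
    linux265.lab265, whose A record is 192.168.1.1 (values made up for the example)."""
    header = struct.pack("!6H", 0x1234, 0x8580, 1, 2, 0, 0)   # QR AA RD RA, rcode 0
    question = encode_name("www.lab265.") + struct.pack("!HH", 1, 1)
    cname_rdata = encode_name("linux265.lab265.")
    cname_rr = b"\xC0\x0C" + struct.pack("!HHIH", 5, 1, 3600, len(cname_rdata)) + cname_rdata
    target = 12 + len(question) + 2 + 10                      # offset of the CNAME target name
    a_rr = struct.pack("!H", 0xC000 | target) + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 168, 1, 1])
    return header + question + cname_rr + a_rr


def build_sample_nxdomain():
    """Constructed sample: authoritative NXDOMAIN for a name that does not exist."""
    header = struct.pack("!6H", 0x1235, 0x8583, 1, 0, 0, 0)   # QR AA RD RA, rcode 3
    return header + encode_name("nosuch.lab265.") + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    for sample in (build_sample_answer(), build_sample_nxdomain()):
        print(parse_message(sample))
```

      The parser trusts the counts in the header and the lengths in the message; a production resolver would also check that every slice stays inside the message and that the answer's ID and question match the query it sent, which is what makes spoofed responses harder to slip in.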

  2. A lookup for anything less than an FQDN results in multiple queries until one (or none) is successful. The first query is for the name as requested. Each subsequent query is for that name followed by "search domains" (as specified in resolv.conf - see below), and finally by the local domain.

    For instance, if the local domain is "lab265" and the search domains are "rwc.uc.edu" and "uc.edu", the lookup of "mickey.mouse" would involve queries for:

    1. mickey.mouse
    2. mickey.mouse.rwc.uc.edu
    3. mickey.mouse.uc.edu
    4. mickey.mouse.lab265

    Note that a search for "mickey.mouse." would only involve the first lookup.

    The use of search domains is discouraged, since it can result in excessive waits for DNS lookups.

  3. Reverse or pointer queries are formed by reversing the octets of the IP address and appending the domain "in-addr.arpa". Hence a reverse query for 129.137.122.97 would be:

    97.122.137.129.in-addr.arpa

    You can also perform this query using "dig -x 129.137.122.97".

  4. DNS uses UDP port 53, except for zone transfers from a primary to a secondary server, in which case it uses TCP port 53.
  5. Configuration files for client resolver:

    • /etc/hosts - specifies known hosts in a static file
    • /etc/resolv.conf - specifies one or more name servers, and search domains
    • /etc/host.conf - specifies lookup order on older systems
    • /etc/nsswitch.conf - specifies lookup order, and whether NIS is used
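    The search-list expansion in item 2, the reverse-name construction in item 3 and the resolv.conf directives in item 5 fit in one small piece of client-side code. The following is an added example (not part of these notes): it parses the nameserver, search and domain directives from a constructed resolv.conf, builds the query list in the order described above (name as given, then each search domain, then the local domain, with a trailing "." meaning a single lookup), and forms the in-addr.arpa name for a PTR query; the IPv6 ip6.arpa form is a generalization the notes do not cover. Two caveats: on glibc the domain and search keywords are mutually exclusive (the last one wins) and an ndots threshold decides whether the name is tried as given first, so this follows the notes rather than one particular resolver; and the nameserver lines are validated as IP addresses so a mangled file fails loudly instead of being handed to a socket.

```python
import ipaddress

# Constructed sample, not a file from the lab.
SAMPLE_RESOLV_CONF = """\
# constructed sample resolv.conf
nameserver 192.168.1.1
nameserver 129.137.122.97   ; a second server is tried if the first does not answer
search rwc.uc.edu uc.edu
domain lab265
"""


def parse_resolv_conf(text):
    """Pick out the nameserver, search and domain directives; '#' and ';' start comments."""
    nameservers, search, local_domain = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        keyword, *args = line.split()
        if keyword == "nameserver" and args:
            # ValueError on anything that is not an IP address
            nameservers.append(str(ipaddress.ip_address(args[0])))
        elif keyword == "search":
            search = [d.rstrip(".") for d in args]
        elif keyword == "domain" and args:
            local_domain = args[0].rstrip(".")
    return {"nameservers": nameservers, "search": search, "domain": local_domain}


def candidate_queries(name, search, local_domain):
    """Names queried, in order, as the notes describe: the name as given, then with each
    search domain appended, then with the local domain. A name ending in "." is an
    FQDN and is looked up exactly once."""
    if name.endswith("."):
        return [name.rstrip(".")]
    suffixes = list(search)
    if local_domain and local_domain not in suffixes:
        suffixes.append(local_domain)
    return [name] + [f"{name}.{suffix}" for suffix in suffixes]


def reverse_name(address):
    """Name for a PTR query: reversed octets under in-addr.arpa for IPv4. For IPv6 (a
    generalization not in the notes) it is the reversed hex nibbles under ip6.arpa.
    ipaddress.ip_address(address).reverse_pointer computes the same thing."""
    ip = ipaddress.ip_address(address)          # raises ValueError for a malformed address
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


if __name__ == "__main__":
    config = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print(config)
    for query in candidate_queries("mickey.mouse", config["search"], config["domain"]):
        print(query)
    print(reverse_name("129.137.122.97"))
```

    Run as a script it prints the parsed configuration, the four queries for "mickey.mouse" listed in item 2, and 97.122.137.129.in-addr.arpa. The length of the candidate list is also the reason item 2 discourages search domains: each extra suffix is another round trip before a typo is reported as NXDOMAIN.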
  6. The following commands will install named, the DNS daemon:
    mount -wo remount /
    cd /usr/src
    tar -xzf bind-9.3.2.tar.gz
    cd bind-9.3.2
    
    sed -i -e '247a #undef SO_BSDCOMPAT\n' lib/isc/unix/socket.c
    (./configure --prefix=/usr --sysconfdir=/etc --enable-threads --with-libtool) 2>&1 | tee -a ../bind.out
    (make) 2>&1 | tee -a ../bind.out
    
    bin/tests/system/ifconfig.sh up
    (make check) 2>&1 | tee -a ../bind.out
    bin/tests/system/ifconfig.sh down
    grep "R:PASS" ../bind.out | wc -l       # should return 144
    
    (make install) 2>&1 | tee -a ../bind.out
    
    chmod 755 /usr/lib/{lib{bind9,isc{,cc,cfg},lwres,dns}.so.*.?.?}
    cd doc
    install -d -m755 /usr/share/doc/bind-9.3.2/{arm,draft,misc,rfc}
    install -m644 arm/*.html /usr/share/doc/bind-9.3.2/arm
    install -m644 draft/*.txt /usr/share/doc/bind-9.3.2/draft
    install -m644 rfc/* /usr/share/doc/bind-9.3.2/rfc
    install -m644 misc/{dnssec,ipv6,migrat*,options,rfc-compliance,roadmap,sdb} /usr/share/doc/bind-9.3.2/misc
    
    groupadd -g 20 named
    useradd -c "BIND Owner" -g named -s /bin/false -u 20 named
    install -d -m770 -o named -g named /srv/named
    cd /srv/named
    mkdir -p dev etc/namedb/slave var/run
    mknod /srv/named/dev/null c 1 3
    mknod /srv/named/dev/random c 1 8
    chmod 666 /srv/named/dev/{null,random}
    mkdir /srv/named/etc/namedb/pz
    cp /etc/localtime /srv/named/etc
    rndc-confgen -b 512 | grep -m 1 "secret" | cut -d '"' -f 2      #"
    
    cat > /etc/rndc.conf << "EOF"
    key rndc_key {
        algorithm "hmac-md5";
        secret "< Insert secret from rndc-confgen's output here >";
    };
    options {
        default-server localhost;
        default-key    rndc_key;
    };
    EOF
    
    chown -R named.named /srv/named
    
    cd /sources/blfs-bootscripts-20060624
    make install-bind
    cd
    
    mount -ro remount /
    
    This installation method installs named in a "chroot jail" located in /srv/named. The directories and files installed in /srv/named permit named to be run with /srv/named as its root directory. This means that if named is compromised, the hacker has no access to any other directory or file on the system.
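    The jail only contains named if it is set up the way the steps above describe, so it is worth checking the result rather than assuming it. The following is an added example (not part of these notes or of BIND) that compares a jail directory against that layout: the directories the mkdir lines create, dev/null and dev/random as character devices with major/minor 1,3 and 1,8 and mode 0666, ownership by the named user, nothing world-writable except the device nodes, and no setuid or setgid files inside. The sample jail it builds for a dry run is constructed in a temporary directory without device nodes (mknod needs root) and with a deliberately world-writable named.conf, so the findings it reports are expected.

```python
import os
import pwd
import stat
import tempfile
from pathlib import Path

# Layout created by the install steps above, relative to the jail root (/srv/named).
EXPECTED_DIRS = ["dev", "etc", "etc/namedb", "etc/namedb/slave", "etc/namedb/pz", "var/run"]
EXPECTED_DEVICES = {"dev/null": (1, 3), "dev/random": (1, 8)}   # (major, minor) from the mknod lines


def audit_named_jail(root, owner="named"):
    """Compare a chroot jail with the expected layout and return a list of findings.
    An empty list means every expected directory exists, the device nodes are character
    devices with the right numbers and mode 0666, everything is owned by `owner`, nothing
    but the device nodes is world-writable, and no setuid/setgid file lives in the jail."""
    root = Path(root)
    findings = []
    if not root.is_dir():
        return [f"{root} is not a directory"]

    for rel in EXPECTED_DIRS:
        if not (root / rel).is_dir():
            findings.append(f"missing directory {rel}")

    for rel, (major, minor) in EXPECTED_DEVICES.items():
        node = root / rel
        if not node.exists():
            findings.append(f"missing device node {rel}")
            continue
        st = node.lstat()
        if not stat.S_ISCHR(st.st_mode):
            findings.append(f"{rel} is not a character device")
        elif (os.major(st.st_rdev), os.minor(st.st_rdev)) != (major, minor):
            findings.append(f"{rel} has the wrong major/minor number")
        if stat.S_IMODE(st.st_mode) != 0o666:
            findings.append(f"{rel} has mode {oct(stat.S_IMODE(st.st_mode))}, expected 0o666")

    try:
        expected_uid = pwd.getpwnam(owner).pw_uid
    except KeyError:
        expected_uid = None
        findings.append(f"user {owner!r} does not exist; ownership not checked")

    for path in root.rglob("*"):
        st = path.lstat()
        rel = path.relative_to(root).as_posix()
        mode = stat.S_IMODE(st.st_mode)
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append(f"{rel} is not owned by {owner}")
        if rel not in EXPECTED_DEVICES and mode & stat.S_IWOTH:
            findings.append(f"{rel} is world-writable")
        if stat.S_ISREG(st.st_mode) and mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append(f"{rel} is setuid/setgid")
    return findings


def make_sample_jail():
    """Constructed sample for a dry run: the directory skeleton, no device nodes
    (mknod needs root) and one deliberately world-writable named.conf."""
    root = Path(tempfile.mkdtemp(prefix="named-jail-"))
    for rel in EXPECTED_DIRS:
        (root / rel).mkdir(parents=True, exist_ok=True)
    conf = root / "etc" / "named.conf"
    conf.write_text("// constructed placeholder, not a real configuration\n")
    conf.chmod(0o666)
    return root


if __name__ == "__main__":
    for finding in audit_named_jail(make_sample_jail()):
        print(finding)
```

    Against a real /srv/named, run it as root (only root can read a 0770 directory owned by named) and expect an empty list; a world-writable file inside the jail matters because the jail limits where a compromised named can write, not what it can do to files it is allowed to modify.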
  7. EXERCISES for Week 5:

    1. Download the configuration files /srv/named/etc/named.conf, /srv/named/etc/namedb/127.0.0, /srv/named/etc/namedb/192.168.1, /srv/named/etc/namedb/lab265 and /srv/named/etc/namedb/named.ca.
      Some browsers will create lab265 as "lab265.htm". If this happens, rename it.
      Edit named.conf to insert the rndc key into the line
      secret "< Insert secret from rndc-confgen's output here >";
    2. Start named using "/etc/rc.d/init.d/bind start". Examine the tail of the system log file using "tail -n40 /var/log/messages".
    3. Test your server using "dig @127.0.0.1 www.lab265". Compare the resource records with those in the file /srv/named/etc/namedb/lab265.
    4. Test your server using "dig @127.0.0.1 -x 192.168.1.1". This performs a reverse lookup (1.1.168.192.in-addr.arpa). Compare the resource records with those in the file /srv/named/etc/namedb/192.168.1.
    5. Test your server using "dig @127.0.0.1 www.rwc.uc.edu". Examine the resource records.
    6. Using the information in the Week 1 notes, add firewall rules to permit access to your DNS server from other PCs in the lab, for both TCP and UDP. Re-run your firewall script and test access to your server from other stations.

      "dig @(host) AXFR lab265" can be used to test access through TCP. Until we reconfigure named, this can only be done from the instructor's PC.

    7. Modify your /etc/resolv.conf file to only use your name server.


©2007, Kenneth R. Koehler. All Rights Reserved. This document may be freely reproduced provided that this copyright notice is included.

Please send comments or suggestions to the author.