Notes for Week 7
-
EXERCISES for Week 7:
-
Practice the following variants of the rndc command:
- reload
- flush
- flushname
- stats
- dumpdb -cache
Some of these will make the following exercises easier because you can use them (and grep) to interrogate and control the cache.
-
Capture and examine the packets transferred when you "dig @(your partner's IP address) www.islandn".
Compare them with the resource records displayed by dig.
-
Capture and examine the packets transferred when you "dig @(your partner's IP address) mickey.mouseoutfit.com".
Compare them with the resource records displayed by dig.
-
Capture and examine the packets transferred when you "dig @(your partner's IP address) -x (your IP address)".
Compare them with the resource records displayed by dig.
-
Capture and examine the packets transferred when you "dig @(your partner's IP address) www.rwc.uc.edu".
Compare them with the resource records displayed by dig.
-
Capture and examine the packets transferred when you "dig @(your partner's IP address) amazon.com +trace".
Compare them with the resource records displayed by dig. Do this from multiple PCs and cross check the results.
What do you notice about the order of the resource records in the authority section? (See question 3 in the
Question and Answer chapter of the DNS HOWTO.)
-
Capture and examine the packets transferred when you "dig @(your partner's IP address) -t AXFR islandn".
Compare them with the resource records displayed by dig.
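As an added worked example (not part of the course notes) for checking the captures in the exercises above against what dig prints, here is a small Python decoder for a DNS message. The SAMPLE_RESPONSE bytes are constructed for the example (a reply for www.islandn), not captured traffic. To use it on a capture, hand it the UDP payload (dns_payload strips untagged Ethernet/IPv4/UDP headers); for the AXFR exercise split the TCP stream first, since DNS over TCP prefixes each message with a 2-byte length.

```python
# Added example (not from the course notes): decode a raw DNS message into the
# records dig prints, so a capture of "dig @server name" can be checked field by field.
# SAMPLE_RESPONSE is a constructed reply for www.islandn, not captured traffic.
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
              16: "TXT", 28: "AAAA", 252: "AXFR", 255: "ANY"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

SAMPLE_RESPONSE = (
    b"\x12\x34"                          # transaction ID
    b"\x81\x80"                          # flags: QR=1 RD=1 RA=1 RCODE=0
    b"\x00\x01\x00\x01\x00\x01\x00\x00"  # QDCOUNT=1 ANCOUNT=1 NSCOUNT=1 ARCOUNT=0
    b"\x03www\x07islandn\x00\x00\x01\x00\x01"  # question www.islandn IN A (name at offset 12)
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\xa8\x01\x0a"  # answer: ptr->12 A TTL 3600 192.168.1.10
    b"\xc0\x10\x00\x02\x00\x01\x00\x00\x0e\x10\x00\x06\x03ns1\xc0\x10"   # authority: ptr->16 NS ns1.islandn
)

@dataclass
class Record:
    name: str
    rtype: str
    ttl: int
    rdata: str

def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a domain name, following RFC 1035 compression pointers.
    Returns the dotted name and the offset just past the name in the original stream."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # 11xxxxxx: pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                    # the pointer is the last thing consumed here
            jumped, hops = True, hops + 1
            if hops > 64:                           # a malformed packet could loop forever
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:                             # root label terminates the name
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end

def decode_rdata(msg: bytes, rtype: int, start: int, length: int) -> str:
    if rtype == 1 and length == 4:                  # A: dotted quad
        return ".".join(str(b) for b in msg[start:start + 4])
    if rtype in (2, 5, 12):                         # NS, CNAME, PTR: a (possibly compressed) name
        return read_name(msg, start)[0]
    if rtype == 15:                                 # MX: preference + exchange name
        pref = struct.unpack("!H", msg[start:start + 2])[0]
        return f"{pref} {read_name(msg, start + 2)[0]}"
    return msg[start:start + length].hex()          # anything else: raw hex

def parse_message(msg: bytes) -> Dict:
    """Return header fields, the question list and the three record sections."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype = struct.unpack("!HH", msg[offset:offset + 4])[0]
        offset += 4
        questions.append((name, TYPE_NAMES.get(qtype, str(qtype))))
    result = {"id": ident, "is_response": bool(flags & 0x8000),
              "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "questions": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            name, offset = read_name(msg, offset)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            records.append(Record(name, TYPE_NAMES.get(rtype, str(rtype)), ttl,
                                  decode_rdata(msg, rtype, offset, rdlen)))
            offset += rdlen
        result[section] = records
    return result

def dns_payload(frame: bytes) -> bytes:
    """Strip Ethernet (14) + IPv4 (IHL*4) + UDP (8) headers from a captured frame."""
    return frame[14 + (frame[14] & 0x0F) * 4 + 8:]

def split_tcp_stream(data: bytes) -> List[bytes]:
    """DNS over TCP (AXFR) prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    msgs, i = [], 0
    while i + 2 <= len(data):
        n = struct.unpack("!H", data[i:i + 2])[0]
        msgs.append(data[i + 2:i + 2 + n])
        i += 2 + n
    return msgs

if __name__ == "__main__":
    for section in ("answer", "authority"):
        for r in parse_message(SAMPLE_RESPONSE)[section]:
            print(f"{section:<10}{r.name:<16}{r.ttl:>6} IN {r.rtype:<5} {r.rdata}")
```

Compare the Record fields with the lines in dig's ANSWER and AUTHORITY sections. The owner name of the authority record is a two-byte compression pointer back into the question, which is one reason the packet on the wire is shorter than the text dig prints. Record types the decoder does not know (SOA, TXT, ...) are shown as raw hex.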
-
Using Ethernet as the Data Link Protocol, the length of a DNS query packet is 60 bytes greater than the length
of the domain name being queried. What is the largest domain name your Bind server can serve? Remember to include
possible inverse lookups.
The largest possible domain name (see RFC 1035) is 255 bytes. Using the length firewall
rule we discussed previously, implement and test two new firewall rules designed to restrict
buffer overflow exploits in Bind:
- one for hosts within your domain, which can use your DNS server as a caching server for external addresses, and
- the other for purely external service, where you serve only names you have authority for.
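An added worked example for the length exercise (not from the notes): it builds the wire size of a query up from the header sizes, includes the in-addr.arpa names that inverse lookups query, and prints the two length-limited rules. Assumptions: the firewall is iptables with its length match (the notes do not name the firewall), the LAN is 192.168.1.0/24, and the zone contents for islandn are constructed for the example.

```python
# Added example (not from the course notes): work out the on-the-wire size of a DNS
# query for a given name, including the inverse-lookup names for your own addresses,
# and turn the result into the two length-limited firewall rules the exercise asks for.
# Assumptions: the firewall is iptables with its "length" match, the LAN is 192.168.1.0/24
# and the authoritative names below are a constructed zone, not a real one.
from typing import Iterable, List

ETH_HDR, IPV4_HDR, UDP_HDR, DNS_HDR, QTYPE_QCLASS = 14, 20, 8, 12, 4
MAX_WIRE_NAME = 255            # RFC 1035 2.3.4: longest name in wire form, length bytes included

def encoded_name_len(name: str) -> int:
    """Wire length of a QNAME: one length byte per label plus the terminating root byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def query_ip_len(name: str) -> int:
    """IPv4 packet length of a query (what iptables' length match compares; options-free header)."""
    return IPV4_HDR + UDP_HDR + DNS_HDR + encoded_name_len(name) + QTYPE_QCLASS

def query_frame_len(name: str) -> int:
    """Ethernet frame length of the same query; this is the figure the notes quote."""
    return ETH_HDR + query_ip_len(name)

def ptr_name(ipv4: str) -> str:
    """Name queried for an inverse lookup (dig -x)."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

def longest_query_ip_len(names: Iterable[str], addresses: Iterable[str]) -> int:
    """Largest query packet a server authoritative for these names and addresses must accept."""
    return max(query_ip_len(n) for n in list(names) + [ptr_name(a) for a in addresses])

def firewall_rules(lan_cidr: str, auth_names: Iterable[str], auth_addresses: Iterable[str]) -> List[str]:
    """Two ACCEPT rules followed by a DROP, in the order they must be inserted.
    UDP only: zone transfers (AXFR) use TCP port 53 and need their own rule."""
    caching_max = IPV4_HDR + UDP_HDR + DNS_HDR + MAX_WIRE_NAME + QTYPE_QCLASS
    auth_max = longest_query_ip_len(auth_names, auth_addresses)
    return [
        # hosts inside the domain may ask for any legal name (caching service for external addresses)
        f"iptables -A INPUT -s {lan_cidr} -p udp --dport 53 -m length --length 0:{caching_max} -j ACCEPT",
        # everyone else only gets names we are authoritative for, so the bound is much tighter
        f"iptables -A INPUT -p udp --dport 53 -m length --length 0:{auth_max} -j ACCEPT",
        "iptables -A INPUT -p udp --dport 53 -j DROP",
    ]

# Constructed zone contents for islandn; real data would come from the zone file.
AUTH_NAMES = ["islandn", "www.islandn", "ns1.islandn", "mail.islandn"]
AUTH_ADDRESSES = ["192.168.1.10", "192.168.1.11"]

if __name__ == "__main__":
    print("frame length for www.islandn:", query_frame_len("www.islandn"))
    for rule in firewall_rules("192.168.1.0/24", AUTH_NAMES, AUTH_ADDRESSES):
        print(rule)
```

Two things to check in a capture before enforcing the bound: iptables' length match compares the IP packet length, so the 14-byte Ethernet header counted in the notes' 60-byte figure is left out of the rule values here; and a client that attaches an EDNS0 OPT record sends a longer query than this arithmetic allows for. The DROP rule at the end is what makes the length limits mean anything.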
-
Use "netstat --ip -apn" to find out which internet sockets are in use on your system, and by whom.
Compare the port designations to those in /etc/services. Compare the output with that of
"cat /proc/net/tcp" and "cat /proc/net/udp".
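An added example (not from the notes) showing what netstat does with /proc/net/tcp and /proc/net/udp: it decodes the hex address:port pairs and state codes, and translates ports through /etc/services the way netstat does without -n. The /proc and /etc/services text in the block is constructed for the example; read the real files instead to compare with netstat's output.

```python
# Added example (not from the course notes): decode /proc/net/tcp and /proc/net/udp
# into the columns "netstat --ip -apn" shows, and look up port names in /etc/services.
# The /proc and /etc/services text below is constructed for the example; run the
# functions on the real files to compare with netstat output.
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP_STATES = {1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1", 5: "FIN_WAIT2",
              6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT", 9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING"}

PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12001 1 0000000000000000 100 0 0 10 0
   1: 0A01A8C0:0016 0B01A8C0:C4F2 01 00000000:00000000 00:00000000 00000000     0        0 12002 1 0000000000000000 20 4 30 10 -1
"""
PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  42: 0A01A8C0:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12003 2 0000000000000000 0
"""
SERVICES = """\
# constructed excerpt of /etc/services
ssh             22/tcp
domain          53/tcp
domain          53/udp   # Domain Name Server
http            80/tcp
"""

@dataclass
class Socket:
    proto: str
    local: Tuple[str, int]
    remote: Tuple[str, int]
    state: str
    uid: int
    inode: int        # netstat -p maps this to a PID by scanning the /proc/<pid>/fd/* symlinks

def decode_endpoint(field: str) -> Tuple[str, int]:
    """'0100007F:0035' -> ('127.0.0.1', 53). The kernel prints the IPv4 address as a 32-bit
    value in host byte order, so on x86 the octets come out reversed; the port is plain hex."""
    hexaddr, hexport = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(hexaddr, 16)))
    return addr, int(hexport, 16)

def parse_proc_net(text: str, proto: str) -> List[Socket]:
    """Parse the body of /proc/net/tcp or /proc/net/udp (the first line is the header)."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        state = int(f[3], 16)
        if proto == "tcp":
            state_name = TCP_STATES.get(state, f"0x{state:02X}")
        else:       # UDP has no state machine; netstat only marks connected sockets ESTABLISHED
            state_name = "ESTABLISHED" if state == 1 else ""
        rows.append(Socket(proto, decode_endpoint(f[1]), decode_endpoint(f[2]),
                           state_name, int(f[7]), int(f[9])))
    return rows

def parse_services(text: str) -> Dict[Tuple[int, str], str]:
    """Map (port, proto) -> service name from /etc/services-style lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[(int(port), proto)] = fields[0]
    return table

def netstat_lines(sockets: List[Socket], services: Dict[Tuple[int, str], str], numeric=False) -> List[str]:
    """Render sockets like netstat: with -n ports stay numeric, otherwise /etc/services names are used."""
    def ep(addr, port, proto):
        name = None if numeric else services.get((port, proto))
        return f"{'*' if addr == '0.0.0.0' else addr}:{name or ('*' if port == 0 else port)}"
    return [f"{s.proto:<5}{ep(*s.local, s.proto):<24}{ep(*s.remote, s.proto):<24}{s.state:<12}"
            f"uid={s.uid} inode={s.inode}" for s in sockets]

if __name__ == "__main__":
    svc = parse_services(SERVICES)
    socks = parse_proc_net(PROC_NET_TCP, "tcp") + parse_proc_net(PROC_NET_UDP, "udp")
    print("\n".join(netstat_lines(socks, svc)))
```

The program column that netstat -p adds comes from matching the inode field against the socket:[inode] symlinks under /proc/<pid>/fd, which is why netstat needs root to attribute other users' sockets.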
©2008, Kenneth R. Koehler. All Rights Reserved. This document may be freely reproduced provided that this copyright notice is included.
Please send comments or suggestions to the author.