Notes for Week 11

1. Terms
   • domain - part of the Internet namespace tree; "." (the root domain), "edu", "uc.edu" and "rwc.uc.edu" are all domains; linux265.rwc.uc.edu is a domain name but not a domain:

     

     Here is a list of the top-level country domains.

   • domain names are bound to IP addresses; such an association is a binding; IP addresses are a list, domain names form a tree and DNS provides the bindings from a leaf on the tree to an address in the list
   • Fully Qualified Domain Name (FQDN) - name of a host on the Internet, ending with a period
   • zone - that part of name space which has been delegated to a particular server; that server is authoritative for that zone
   • Queries are answered by responses, which contain resource records. Queries can be
     • recursive, in which case a single query should return the required response, and the server is responsible for asking other servers if necessary; or
     • not recursive, in which case the resolver (the client-side DNS software which queries servers) must find out which server is authoritative and then ask it.

     Responses can be authoritative, coming from an authoritative server, or not, coming from a caching server.
     They can also be truncated, which means that not all of the information available from the server fits in the 512 byte limit.

     Resource records can be

     • A or address records, providing the IP address of an FQDN;
     • NS records, which describe name servers to go to for more information;
     • PTR or "pointer" records, which provide the FQDN associated with an IP address; or
     • CNAME records, which provide "canonical names", or aliases.

     Responses also provide a time for which the data is to be trusted (the Time-To-Live). If a domain name does not exist, the response is NXDOMAIN: non-existant domain.

   • Name servers can be:
     • root, have responsibility for the root zone;
     • primary (or master), having authoritative responsibility for a zone;
     • secondary (or slave), having backup responsibility for a zone; and
     • caching, having no authority, but relaying DNS data from authoritative servers.

     Primary and secondary servers can also be caching servers for zones for which they are not authoritative.

2. A lookup for anything less than an FQDN results in multiple queries until one (or none) is successful. The first query is for the name as requested. Each subsequent query is for that name followed by "search domains" (as specified in resolv.conf - see below), and finally by the local domain.

   For instance, if the local domain is "lab265" and the search domains are "rwc.uc.edu" and "uc.edu", the lookup of "mickey.mouse" would involve queries for:

   1. mickey.mouse
   2. mickey.mouse.rwc.uc.edu
   3. mickey.mouse.uc.edu
   4. mickey.mouse.lab265

   Note that a search for "mickey.mouse." would only involve the first lookup.

   The use of search domains is discouraged, since it can result in excessive waits for DNS lookups.

3. Reverse queries (or pointer queries) are formed by reversing the octets of the IP address and appending the domain "in-addr.arpa". Hence a reverse query for 129.137.122.97 would be:

   97.122.137.129.in-addr.arpa

   You can also perform this query using dig -x 129.137.122.97 (dig is a souped-up version of NSLOOKUP in Windows).
4. DNS uses UDP port 53, except for zone transfers from a primary to a secondary server, in which case it uses TCP port 53.
5. Configuration files for client resolver:
   • /etc/hosts - specifies known hosts in a static file
   • /etc/resolv.conf - specifies one or more name servers, and search domains
   • /etc/host.conf - specifies lookup order on older systems
   • /etc/nsswitch.conf - specifies lookup order, and whether NIS is used

6. named is the DNS daemon (Bind is the package, named is the program). named has been installed in a chroot jail located in /srv/named. The directories and files installed in /srv/named permit named to be run with /srv/named as its root directory; during operation, nothing in the filesystem above /srv/named is visible to the server software. This means that if named is compromised, the hacker has no access to any other directory or file on the system.
7. EXERCISES for Week 11:
   1. Start named using /etc/rc.d/init.d/bind start. Examine the tail of the system log file using tail -n200 /var/log/sys.log.
   2. Test your server using dig @127.0.0.1 www.uc.edu. Examine the resource records.
   3. Using the information in the week 10 notes, add firewall rules to permit access to your DNS server from other PCs in the lab, for both TCP and UDP (DNS is port 53). Re-run your firewall script and test access to your server from other stations:
      • dig @your-partner's-IP-address www.uc.edu
      • dig @your-partner's-IP-address mickey.mouseoutfit.com
      • dig @your-partner's-IP-address amazon.com +trace

        Do the last one from multiple PCs and cross check the results. What do you notice about the order of the resource records in the answer and authority sections? (See question 3 in the Question and Answer chapter of the DNS HOWTO.)

      dig @server-ip -t AXFR domain can be used to test access through TCP after we reconfigure named.

   4. Modify your /etc/resolv.conf file to only use your name server.
   5. Modify your /etc/inittab file so that runlevel 4 is the default. This will cause named (as well as apache and samba) to be started each time you boot.

      Recall from our discussion in weeks 1, 2 and 5 that in our distribution, there are two copies of inittab: one on the root filesystem, and one on the /var filesystem, and that these two must agree. Changing the one in /var is easy; to change the one on /:

      1. mount --bind / /mnt
      2. mount -wo remount /mnt
      3. sed -i /mnt/etc/inittab -e 's/3:initdef/4:initdef/'
      4. umount /mnt

      The first mount allows you to access the partition containing the root partition at /mnt, without the links to /var. The second mount allows you to write to the root partition at /mnt (it does not affect the read-only mount at /). The sed changes the default runlevel from 3 to 4, and the final umount removes our access to the root partition through /mnt.

©2015, Kenneth R. Koehler. All Rights Reserved. This document may be freely reproduced provided that this copyright notice is included.

Please send comments or suggestions to the author.