Notes for Week 12

Configuration files for Bind

"server" is the name of the name server, and "lab265" is the name of the zone.

The color scheme used in this section is designed to make it easier to connect things which correspond to each other. For instance, the server IP address in the example files below is 192.168.1.150; when you change it for your server, every red 150 should be changed to the last octet of your IP address.
All punctuation is required, and SOA (Start of Authority) and PTR resource records start in column 1.

  1. /srv/named/etc/named.conf - where to find zone files and cache hints
    The named.conf file installed on your system configures named as a caching server, with only a reverse lookup for 127.0.0.1 (defined in /srv/named/etc/namedb/pz/127.0.0). That reverse zone is mandatory for system operation, and should not be altered, except as follows:

    • the string "ns" must be changed to "server";
    • the string "local.domain" must be changed to "lab265".

    The statistics file is /var/run/named.stats, and the hints file (containing IP addresses for the root DNS servers) is /srv/named/etc/namedb/root.hints.

    The following files are sample zone files, which you will create (modified as per the exercises below):

  2. /srv/named/etc/namedb/lab265 - zone file for name to ip address lookups on hosts 
    @      86400    IN      SOA     server.lab265. root.server.lab265. ( 1 8H 2H 1W 1D)
;
; Start of Authority record begins each zone file
;
; 86400 is the time to live (in client resolver cache) in seconds
; 
; "root.server.lab265" means "root@server.lab265", e-mail address for questions
;
; 1 = serial #, used by secondary server to check if updates have been made
; 8H = 8 hours, how often secondary server attempts to refresh data from primary
; 2H = 2 hours, how long to wait before retrying failed refresh
; 1W = 1 week, how long to wait before flushing data if no refreshes have been successful
; 1D = 1 day, how long answers from this server can be trusted without checking again
;
                NS      server.lab265.
;
; NS record specifies name of name server (present in each zone file)
;
localhost       A       127.0.0.1
linux265        A       192.168.1.1
server          A       192.168.1.150
c150            CNAME   server
;
; server A record describes host "server.lab265" (lab265 from named.conf)
;
; need one A record for each host + localhost (mandatory)
; need one CNAME record for each alias (optional)
;

  3. /srv/named/etc/namedb/192.168.1 - zone file for reverse (ip address to name) lookups on hosts 
    @      86400    IN      SOA     server.lab265. root.server.lab265. ( 1 8H 2H 1W 1D)
                NS      server.lab265.
1               PTR     linux265.lab265.
150             PTR     server.lab265.
;
; this pointer record is for 192.168.1.150 - can have one per host
;
    In general it is bad practice to serve reverse lookups for any address other than 127.0.0.1 unless they are needed for authentication.

  4. In general, to establish an authoritative binding for a name "x.y" to an IP address "a.b.c.d", you need to:

    1. add a master zone stanza for "y" to named.conf; and
    2. create the corresponding zone file with an A resource record binding "x" to "a.b.c.d".

    In the examples above, the A record for server is such a binding in the zone lab265.

  5. kill -S SIGHUP named-pid will cause named to re-read its configuration files. Alternatively, you can /etc/rc.d/init.d/bind restart.

  6. EXERCISES for Week 12:

    1. Add the following zone stanza to your named.conf file, changing the zone from "lab265" to island#, where # is 1, 2, 3 or 4: 
      zone "lab265" {
        allow-transfer { 192.168.1.150; };
        notify no;
        type master;
        file "lab265";
};

    2. Create the zone file using the example in note 2 above. Change the zone from "lab265" to island#, where # is 1, 2, 3 or 4, and change the IP address from 192.168.1.150 to your IP address. Add resource records for the PCs on your island, for forward lookups only.

    3. Restart named. Test your configuration with both forward and reverse lookups for each PC you added. Be sure to check the system log after each time you restart (or SIGHUP) named.

    4. Add an authoritative binding for my.instructor to 192.168.1.150 (note that "my" is the host name and "instructor" is the domain/zone). Restart named and dig my.instructor

    5. Practice the following variants of the rndc command:

      • rndc reload
      • rndc flush
      • rndc flushname domain-name
      • rndc stats
      • rndc dumpdb -cache

      Do an ls -R /srv/named/ before and after each of the last two commands to see where the data is stored. Examine the data.

    6. Using Ethernet as the Data Link Protocol, the length of a DNS query packet is 71 bytes (probably! - check with wireshark to be sure) greater than the length of the domain name being queried. What is the largest domain name your DNS server can serve? Remember to include possible inverse lookups.

      Using the length firewall rule we discussed previously, implement and test a new firewall rule designed to restrict buffer overflow exploits in Bind by dropping any query packets which are too long.

      Remember to subtract 14 bytes for the Ethernet header when you create the firewall rules.
      The largest possible domain name (see RFC 1035) is 255 bytes. For hosts within your domain, who can use your DNS server as a caching server for external addresses, you would need to allow lookups up to the maximum length.

    7. Read about the DNSChanger Trojan exploit in this guide from the FBI.

©2015, Kenneth R. Koehler. All Rights Reserved. This document may be freely reproduced provided that this copyright notice is included.

Please send comments or suggestions to the author.