DNS Exercise - Delegation
-------------------------

Each of you will be assigned a group number "X" corresponding to the
virtual machine you will be using for this class, at IP address
10.10.X.1. You will use ssh or putty.exe (available on the classroom
page) to log into your VM.

In this exercise we will create a new domain, say, MYNAME. You will
create a master nameserver on your own machine, and you will get
secondary service from the instructor, provided by
"auth2.grpY.ws.wacren.net" (Y is the group of the instructor, which
will be communicated in class). Then you will make a request to the
root zone administrator to delegate your domain to you via a Web based
zone manager.

Note: the following should be done as the "root" superuser - use
"sudo -s".

First, check that the hostname is configured correctly on your
machine, using the 'hostname' command - e.g. on
auth1.grpX.ws.wacren.net, if you type:

  # hostname

you should see:

  auth1.grpX.ws.wacren.net

If NOT, set the name of the running system, e.g. for
auth1.grp25.ws.wacren.net:

  # hostname auth1.grp25.ws.wacren.net

and make it persistent across reboots:

  # hostnamectl set-hostname auth1.grp25.ws.wacren.net

Remember to replace "grpX" with the proper group number!

In the file /etc/hosts, you should see a line:

  10.10.X.1 auth1.grpX auth1.grpX.ws.wacren.net

Exercise
--------

* Choose a new domain MYNAME, and write it down somewhere. (Do NOT
  choose any of the PC names, e.g. `auth1.grpX`, as your domain.)
  This could for example be your country code, country name, company
  name, etc., but REMEMBER that someone else might pick the same name!
  First come, first served.
* Register your new domain with the instructor operating the parent
  zone.

* Create your zone file in `/etc/bind/master/MYNAME` (where MYNAME is
  your chosen domain) -- you can pretty much "copy and paste" the
  section below -- but remember to replace X with your own group
  number:

  *** Remember, you will need to become root to create this file,
  *** so, e.g.
  ***
  ***   $ cd /etc/bind/master
  ***   $ sudo vi MYNAME
  ***
  *** (feel free to use another editor instead of vi, e.g. joe, ee)

- - - - - - - - - - - - - cut below - - - - - - - - - - - -
$TTL 2m
@       IN      SOA     auth1.grpX.ws.wacren.net. your.email.address. (
                        1367446359      ; Serial
                        10m             ; Refresh
                        5m              ; Retry
                        4w              ; Expire
                        2m )            ; Negative
        IN      NS      auth1.grpX.ws.wacren.net.       ; master
        IN      NS      auth1.grpY.ws.wacren.net.       ; slave
www     IN      A       10.10.X.1                       ; your own IP
- - - - - - - - - - - - - cut above - - - - - - - - - - - -

  Replace `your.email.address.` with your home E-mail address, written
  so that user@domain.name becomes user.domain.name. (keep the trailing
  dot). If your "user" part has a "." in it, just remove the "."s for
  this exercise. X and Y are the group numbers of your own machine and
  of your slave, respectively. Note that every name ending in a dot is
  fully qualified; a name without a trailing dot (like "www") has
  MYNAME appended to it.

  We have purposely chosen low values for TTL, refresh and retry to
  make it easier to fix problems in the classroom. For a production
  domain you would use higher values.

* Edit `/etc/bind/named.conf.options` and do the following:

  *** Remember, you will need to become root to edit this file,
  *** so, e.g.
  ***
  ***   $ cd /etc/bind
  ***   $ sudo vi named.conf.options
  ***
  *** (feel free to use another editor instead of vi, e.g. joe, ee)

  - If it is still there, REMOVE the following line:

      listen-on { 127.0.0.1; };

    ... and add this line in the options section:

      allow-query { any; };

    ...
    so that your nameserver will now answer queries from the network.
    (Because the server is now reachable from other hosts and should
    only serve your own zone, also make sure the options section
    contains `recursion no;`; otherwise you are running an open
    resolver.)

  - Add a section to configure your machine as master for your domain,
    by adding something like this at the end (the bottom) of the file
    /etc/bind/named.conf.local:

      $ cd /etc/bind
      $ sudo vi named.conf.local

    and add:

      zone "MYNAME" {
          type master;
          file "/etc/bind/master/MYNAME";
          also-notify { 10.10.0.2; };
      };

    Pay attention to the ';' and '}' ! If there are any other zone
    sections such as `zone "." { };`, remove them. BIND sends NOTIFY
    to every server listed in the zone's NS records by default;
    `also-notify` adds the instructor's secondary at 10.10.0.2, which
    is not listed as an NS in the zone file.

* Check that your config file and zone file are valid:

  # named-checkconf
  # named-checkzone MYNAME /etc/bind/master/MYNAME

* If there are any errors, correct them!

* Tell a peer running grpY and the instructor running the public
  secondary service that you need secondary service for your domain -
  tell them the domain and tell them what X you are using. For
  instance, if your X is 5, you should write on a piece of paper:

    MYNAME 5

  and give this to the peer managing grpY.

  - Then start/restart named with:

    # service named restart

    Check the result with:

    # tail /var/log/messages

    (on Debian/Ubuntu the log is /var/log/syslog, or use
    `journalctl -u named` on systemd systems) to see if there were any
    startup errors. And verify with dig that MYNAME is now configured
    on your host:

    # dig @10.10.X.1 MYNAME. NS

    where "X" is the group number of your machine. You can also check
    the nameserver status using rndc:

    # rndc status

  - If there are any errors, correct them. Some configuration errors
    can cause the daemon to die completely, in which case you will
    have to start it again:

    # service named restart

* Check that you are giving authoritative answers for your domain:

  # dig +norec @10.10.X.1 MYNAME. SOA

  Check that you get "aa" (authoritative answer) in the ";; flags: ..."
  line. +norec clears the RD bit in the query, so a server that could
  only find the answer by recursing will not; only a server that holds
  a copy of the zone sets aa.

* Check that you and the slaves at grpY and at the instructor are
  giving authoritative answers for your domain:

  # dig +norec @10.10.X.1 MYNAME. SOA
  # dig +norec @10.10.Y.1 MYNAME. SOA
  # dig +norec @10.10.0.2 MYNAME. SOA

  Check that you get "aa" from all of them, and that the serial numbers
  match.
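The zone file from the "Create your zone file" step, generated from the values you have to fill in instead of hand-editing the template. This is an added example, not part of the original exercise: it assumes the auth1.grpN hostnames and 10.10.N.1 addressing used in the classroom, and MYNAME, X, Y and the e-mail address are parameters. It also carries the serial bump you will need once you start adding records, since a secondary only transfers a zone whose serial has increased.

```sh
#!/bin/sh
# Added example (not part of the original exercise): build the zone file for
# MYNAME from the values the exercise asks you to fill in, so that X, Y and
# the e-mail address cannot be left half-edited.  Assumes the auth1.grpN
# hostnames and 10.10.N.1 addressing used in the classroom.

# user@domain.name -> user.domain.name. (the SOA RNAME field).
# The exercise's convention is to drop dots in the user part; the RFC 1035
# alternative is to escape each of them as "\.".
rname_from_email() {
    user=$(printf '%s' "${1%%@*}" | tr -d '.')
    domain=${1#*@}
    printf '%s.%s.\n' "$user" "$domain"
}

# A serial that always increases: the current epoch time, or old+1 if the
# old serial is already at or past "now".  Secondaries only transfer the
# zone when the serial grows (RFC 1982 serial arithmetic), so a forgotten
# bump is the classic reason a slave keeps serving stale data.
next_serial() {
    old=${1:-0}
    now=$(date +%s)
    if [ "$old" -ge "$now" ]; then
        echo $((old + 1))
    else
        echo "$now"
    fi
}

# make_zone MYNAME X Y EMAIL [SERIAL]  -> zone file text on stdout.
# X is your group number, Y the group of the peer acting as slave.
make_zone() {
    name=$1; x=$2; y=$3; email=$4
    serial=${5:-$(next_serial 0)}
    rname=$(rname_from_email "$email")
    cat <<EOF
; zone file for ${name}
\$TTL 2m
@       IN      SOA     auth1.grp${x}.ws.wacren.net. ${rname} (
                        ${serial}       ; Serial
                        10m             ; Refresh
                        5m              ; Retry
                        4w              ; Expire
                        2m )            ; Negative
        IN      NS      auth1.grp${x}.ws.wacren.net.    ; master
        IN      NS      auth1.grp${y}.ws.wacren.net.    ; slave
www     IN      A       10.10.${x}.1                    ; your own IP
EOF
}

# Usage on the VM (as root), e.g. group 5 with the slave at group 7:
#   make_zone myname 5 7 user@example.org > /etc/bind/master/myname
#   named-checkzone myname /etc/bind/master/myname
```

Run named-checkzone on the result exactly as in the exercise; the generator only removes the copy-and-paste mistakes, it does not replace the check.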
* Now you are ready to request delegation:

  Go to the instructor running the parent zone and give your domain
  name (MYNAME) and the names and IPs of your NS servers. The parent
  zone operator will do a lookup and should recognize them. If all is
  well, the parent zone will be updated, and the next time a new
  version of the parent zone is pushed, your delegation will become
  active.

* Once you have delegation, try to resolve www.MYNAME:

  - on your own machine
  - on someone else's machine - will it work?

  # dig @10.10.X.1 www.MYNAME

* Add a new resource record to your zone file, such as:

  mail    IN      A       10.10.X.1

  Remember to increase the serial number - the slaves only transfer the
  zone when the serial is higher than the one they already have. Then
  do:

  # rndc reload MYNAME

  Check that your slaves have updated (the serial in their SOA answer
  should now match yours). Try resolving this new name.
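The "aa flag" and "serials match" checks from the verification steps above, and the "check that your slaves have updated" step after a reload, done as functions that read dig output rather than by eye. This is an added example, not part of the original exercise. The three sample replies are constructed to look like dig output and were not captured from the classroom servers; check_live() is the function you would actually run on your VM, with your own X, Y and the instructor's 10.10.0.2.

```sh
#!/bin/sh
# Added example (not part of the original exercise): the "aa flag" and
# "serials match" checks done as functions that read dig output, so you can
# run them against every server that should be authoritative for MYNAME.
# The three replies below are constructed to look like dig output; they were
# not captured from the classroom servers.

# Succeeds (exit 0) if the reply on stdin carries the aa flag.  Without aa
# the server answered from cache or by forwarding, not from its own copy of
# the zone, which is exactly what +norec is meant to expose.
is_authoritative() {
    grep -q '^;; flags:.* aa[ ;]'
}

# Prints the serial from the SOA record in the reply on stdin.
# Record layout: name ttl class type mname rname serial refresh retry expire minimum
soa_serial() {
    awk '$1 !~ /^;/ && $4 == "SOA" { print $7; exit }'
}

# check_replies REPLY... : one dig reply per argument.  Returns 0 only if
# every reply is authoritative and all serials agree with the first one.
check_replies() {
    status=0; ref=""
    for reply in "$@"; do
        if ! printf '%s\n' "$reply" | is_authoritative; then
            echo "FAIL: reply without aa flag (not authoritative)"
            status=1; continue
        fi
        serial=$(printf '%s\n' "$reply" | soa_serial)
        if [ -z "$serial" ]; then
            echo "FAIL: no SOA record in the answer section"
            status=1; continue
        fi
        [ -n "$ref" ] || ref=$serial
        if [ "$serial" = "$ref" ]; then
            echo "ok: aa set, serial $serial"
        else
            echo "FAIL: serial $serial differs from $ref (slave not updated?)"
            status=1
        fi
    done
    return $status
}

# check_live MYNAME SERVER... : query each server for real and compare.
# Not run here; on the VM:  check_live myname 10.10.5.1 10.10.7.1 10.10.0.2
check_live() {
    name=$1; shift
    servers=$*; set --
    for srv in $servers; do
        set -- "$@" "$(dig +norec @"$srv" "$name." SOA)"
    done
    check_replies "$@"
}

# Constructed sample replies (abridged to the lines the checks look at).
MASTER_REPLY=';; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; ANSWER SECTION:
myname.   120   IN   SOA   auth1.grp5.ws.wacren.net. user.example.org. 1367446360 600 300 2419200 120'

STALE_SLAVE_REPLY=';; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; ANSWER SECTION:
myname.   120   IN   SOA   auth1.grp5.ws.wacren.net. user.example.org. 1367446359 600 300 2419200 120'

CACHED_REPLY=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
myname.   97    IN   SOA   auth1.grp5.ws.wacren.net. user.example.org. 1367446360 600 300 2419200 120'
```

A stale slave shows up as a serial mismatch, and a server that merely cached your zone (or a recursive resolver someone pointed you at by mistake) shows up as a missing aa flag; both are reasons a delegation request gets refused or a freshly added record "does not resolve".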