
Adds DNS Lab

Jared Dunbar 9 months ago
parent
commit
1730a6d968
2 changed files with 595 additions and 1 deletions
  1. DNS.md (+594, -0)
  2. net.md (+1, -1)

+ 594
- 0
DNS.md

@@ -0,0 +1,594 @@
1
+# DNS Lab
2
+
3
+The purpose of this lab is to create a [DNS](https://www.ietf.org/rfc/rfc1035.txt) server. A DNS server serves out names for IP addresses, and occasionally, converts IP addresses to reverse lookup domain names. The latter is less common, and not usually needed except for specific kinds of domain verification (for example, email servers).
4
+
5
+This lab will teach you the in's and out's of setting up the DNS server, but that is not a complete replacement for understanding DNS at the protocol level. That will be covered after you set up the server (TODO: Consider writing that).
6
+
7
+## Table of Contents
8
+
9
+* [Table of Contents](DNS.md#table-of-contents)
10
+* [Pre-Lab Setup](DNS.md#pre-lab-setup)
11
+    * [Add delegation records to DNS](DNS.md#add-delegation-records-to-dns)
12
+    * [Verify the delegated DNS records](DNS.md#verify-the-delegated-dns-records)
13
+* [Installing your DNS server](DNS.md#installing-your-dns-server)
14
+    * [Add firewall rules for DNS access](DNS.md#add-firewall-rules-for-dns-access)
15
+    * [Install the operating system](DNS.md#install-the-operating-system)
16
+    * [Configure the Bind service](DNS.md#configure-the-bind-service)
17
+    * [Boilerplate DNS configuration files](DNS.md#boilerplate-dns-configuration-files)
18
+    * [User-configured DNS configuration files](DNS.md#user-configured-dns-configuration-files)
19
+    * [named.conf](DNS.md#namedconf)
20
+    * [Configure the Forward DNS Zones](DNS.md#configure-the-forward-dns-zones)
21
+    * [Configure the Reverse DNS Zones](DNS.md#configure-the-reverse-dns-zones)
22
+* [Verify your DNS server](DNS.md#verify-your-dns-server)
23
+* [Further research](DNS.md#further-research)
24
+
25
+## Pre-Lab Setup
26
+
27
+There are some important steps that must be carried out before you can stand up your DNS server. Namely, you need to add your DNS server's records into your DNS hosting provider's DNS.
28
+
29
+If you are using a tool like an external DNS registrar, they often provide you with their root level DNS servers for serving things like `mywebsite.com` and `www.mywebsite.com`. These will be A records directly on their nameservers.
30
+
31
+There are two ways you can go about setting up for this lab. The easier option is to add some `NS` and `A` records, so that their server delegates a subdomain of your domain down to your system. The other method is to add your DNS servers directly as the domain name servers in the glue records, and then do all of the DNS for your domain. Note that if you want to go this route, you *must* have two DNS servers (or more).
32
+
33
+This lab will assume that you are using a subdomain delegation, since that is easier to do, but you can very well repeat all of the steps of this lab with a full domain name. It doesn't really change much, except for adding the subdomain. A subdomain DNS server can also delegate to any subdomain it wants, so you can have multiple chains of DNS servers.
34
+
35
+For instance, the COSI DNS server is delegated the `@.cslabs.clarkson.edu` and `@.cosi.clarkson.edu` subdomains from Clarkson's nameservers. If one wanted, you could even configure your DNS servers in COSI's DNS so that you could have `@.yoursubsubdomain.cslabs.clarkson.edu`.
36
+
37
+Alright, enough talk. Let's do this.
38
+
39
+### Add delegation records to DNS
40
+
41
+Add the following records into your DNS:
42
+
43
+```
44
+<dns server 1>.<domain name>.     IN A    <nameserver's IPv4 address>
45
+<dns server 2>.<domain name>.     IN A    <nameserver's IPv4 address>
46
+<service>.<domain name>.        IN NS   <first part of the above A record for dns server 1>
47
+<service>.<domain name>.        IN NS   <first part of the above A record for dns server 2>
48
+```
49
+
50
+So, for instance:
51
+
52
+```
53
+ns1-cam.ja4.org.	IN	A	128.153.145.111
54
+ns2-cam.ja4.org.	IN	A	128.153.145.112
55
+cam.ja4.org.		IN	NS	ns1-cam.ja4.org.
56
+cam.ja4.org.		IN	NS	ns2-cam.ja4.org.
57
+```
58
+
59
+This may look different depending on your DNS registrar, and if you're doing this on COSI's infrastructure, do not forget to follow the instructions and update the serial. The serial needs to be updated, because that informs upstream DNS servers that the zone has been changed and to evict the cached name information that it has on that zone. If you don't change the serial in the zone, the DNS server is likely to use cached information and not bother to update, even if it reads the `SOA` records of your DNS server to check for updates.
60
+
61
+### Verify the delegated DNS records
62
+
63
+To verify that you have added the records correctly, you can use the `dig` command. It is recommended that you do ***not*** use `nslookup`, as this program does not work as well as it says on the label. It's really only good at reading `A`, `AAAA`, and `CNAME` records, and only sometimes.
64
+
65
+First, verify that you have added the NS records correctly. Presumably, only one of the DNS servers will show up, but that is OK. You can replace `8.8.8.8` with your favorite upstream DNS server (eg, `1.1`, `9.9.9.9`, etc.)
66
+
67
+```sh
68
+dig @8.8.8.8 NS <subdomain>.<domain>.
69
+```
70
+
71
+So, for example:
72
+
73
+```sh
74
+dig @8.8.8.8 NS cam.ja4.org.
75
+```
76
+
77
+The response should look something like this; it will share with you the DNS at which to find the nameserver(s). It may only show one DNS server, as shown below:
78
+
79
+```
80
+; <<>> DiG 9.16.4 <<>> NS cam.ja4.org
81
+;; global options: +cmd
82
+;; Got answer:
83
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47353
84
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
85
+
86
+;; OPT PSEUDOSECTION:
87
+; EDNS: version: 0, flags:; udp: 512
88
+;; QUESTION SECTION:
89
+;cam.ja4.org.			IN	NS
90
+
91
+;; ANSWER SECTION:
92
+cam.ja4.org.		21599	IN	NS	ns1-cam.ja4.org.
93
+
94
+;; Query time: 60 msec
95
+;; SERVER: 8.8.8.8#53(8.8.8.8)
96
+;; WHEN: Sat Jul 18 09:33:40 EDT 2020
97
+;; MSG SIZE  rcvd: 62
98
+```
99
+
100
+You can then verify that your `A` records are good by doing the following:
101
+
102
+```sh
103
+dig @8.8.8.8 A <server>.<domain name>.
104
+```
105
+
106
+So, for example:
107
+
108
+```sh
109
+dig @8.8.8.8 A ns1-cam.ja4.org
110
+```
111
+
112
+The response should look something like this:
113
+
114
+```
115
+; <<>> DiG 9.16.4 <<>> A ns1-cam.ja4.org.
116
+;; global options: +cmd
117
+;; Got answer:
118
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21306
119
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
120
+
121
+;; OPT PSEUDOSECTION:
122
+; EDNS: version: 0, flags:; udp: 512
123
+;; QUESTION SECTION:
124
+;ns1-cam.ja4.org.		IN	A
125
+
126
+;; ANSWER SECTION:
127
+ns1-cam.ja4.org.	59	IN	A	128.153.145.111
128
+
129
+;; Query time: 26 msec
130
+;; SERVER: 8.8.8.8#53(8.8.8.8)
131
+;; WHEN: Sat Jul 18 09:41:31 EDT 2020
132
+;; MSG SIZE  rcvd: 60
133
+```
134
+
135
+If those records look correct and you get IP addresses back, you have completed this step successfully, and can move onto the next step. If you do not get these results (or something similar), then you will *not* be able to continue until you have fixed this. Your DNS records would be unavailable on the public internet.
136
+
137
+## Installing your DNS server
138
+
139
+These instructions are mostly OS-agnostic, but we will be using NixOS for the purpose of these instructions. There are easy parallels to make to this in RHEL and Debian based systems, but the paths and configuration files may be different depending on the system. Package names you may need may include `dnsutils`, `bind9` or `named`, and perhaps one or two other programs. `dnsutils` provides the `dig` command, and `bind9` or `named` provide the DNS server.
140
+
141
+First, you need to select some public IP addresses, and make some firewall exceptions. I'm not going to detail things such as SSH into those boxes, but you may want to consider that as you make the firewall rules.
142
+
143
+### Add firewall rules for DNS access
144
+
145
+The following ports need to be opened to the public internet for the DNS service:
146
+
147
+| Protocol | Port Number | Reason |
148
+| --- | --- | --- |
149
+| UDP | 53 | DNS typically uses UDP first to communicate with the server |
150
+| TCP | 53 | DNS will fall back on TCP on poor connections or for large records. Not required, but good practice |
151
+
152
+**SECURITY NOTICE:**
153
+
154
+DNS servers are inadvertently one of the worst DDoS tools out there, so if you are not confident your DNS server prohibits recursive DNS queries, do *not* run it for an extended period, or do not make firewall exceptions. Please note that if you do not make the firewall exceptions, your DNS will not be publicly resolvable, which may make this lab harder to complete.
155
+
156
+Because DNS was designed before malicious actors were a common problem, it is very easy to cause [DNS amplification attacks](https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/), where a malicious actor sends small packets to the service that cause a larger packet to leave the server.
157
+
158
+### Install the operating system
159
+
160
+The basic process is to install your OS, configure the static IP and the host-based firewall, and then install the [BIND DNS server](https://www.isc.org/bind/). We will configure it in the next step.
161
+
162
+Nothing particularly fancy is required for this step. I'll even give you a config for NixOS (configuration.nix):
163
+
164
+```nix
165
+{ config, pkgs, ... }:
166
+
167
+{
168
+  imports = [
169
+    ./hardware-configuration.nix
170
+  ];
171
+
172
+  boot.loader.grub.enable = true;
173
+  boot.loader.grub.version = 2;
174
+  boot.loader.grub.device = "/dev/vda"; # Set this to your boot disk
175
+
176
+  networking = { 
177
+    hostName = "ns1"; # change the DNS name of the server if you want, not particularly important for the server to function correctly.
178
+    useDHCP = false;
179
+    firewall.allowedTCPPorts = [ 53 ];
180
+    firewall.allowedUDPPorts = [ 53 ];
181
+
182
+    defaultGateway.address = "YOUR HOST's IPv4 GATEWAY ADDRESS"; # For instance, "128.153.144.1"
183
+    defaultGateway.interface = "YOUR HOST's ETHERNET ADAPTER";
184
+    interfaces.<YOUR HOST's ETHERNET ADAPTER>.ipv4 = { # For instance, enp3s0
185
+      addresses = [{ address = "YOUR HOST IPv4 ADDRESS"; prefixLength = 23; }]; # For instance, "128.153.145.103"
186
+    };
187
+  };
188
+
189
+  time.timeZone = "US/New_York";
190
+
191
+  environment.systemPackages = with pkgs; [
192
+    wget vim dnsutils inetutils curl
193
+  ];
194
+
195
+  services.openssh = {
196
+    enable = true;
197
+    ports = [ 13699 ];
198
+  };
199
+
200
+  services.bind = {
201
+    enable = true;
202
+    configFile = "/etc/bind/named.conf";
203
+  };
204
+
205
+  users.groups.bind.members = [ "named" ];
206
+
207
+  users.users.YOURUSERHERE = {
208
+    isNormalUser = true;
209
+    extraGroups = [ "wheel" ];
210
+    openssh.authorizedKeys.keys = [ "YOUR SSH PUBLIC KEY" ];
211
+  };
212
+
213
+  system.stateVersion = "20.03";
214
+}
215
+```
216
+
217
+### Configure the Bind service
218
+
219
+This is the most important step. There are a few different files you will need, and depending on your OS distribution, you may need to modify these instructions a little, since some files may be provided to you, or import from different locations. But, in the end, just make sure the configuration files pull everything in, and check the service logs.
220
+
221
+In case you forgot how to systemd, here's some handy commands (service files may be different depending on OS, for example, `named.service`):
222
+
223
+```sh
224
+# Restart the Bind 9 service
225
+systemctl restart bind9.service
226
+# Read the logs for the Bind 9 service
227
+journalctl -eu bind9.service
228
+```
229
+
230
+There are some basic components to the configuration:
231
+
232
+* Where the DNS server is allowed to accept (recursive) queries from. This should only be a local network IF you intend to allow systems to use it as a resolver (for example, if you put this server's IP in `/etc/resolv.conf` on your network)
233
+* The DNS *zone file* that the DNS records pull from
234
+
235
+Here are some live examples for you to use to configure your service.
236
+
237
+### Boilerplate DNS configuration files
238
+
239
+`db.0`:
240
+```
241
+;
242
+; BIND reverse data file for broadcast zone
243
+;
244
+$TTL    604800
245
+@       IN      SOA     localhost. root.localhost. (
246
+                              1         ; Serial
247
+                         604800         ; Refresh
248
+                          86400         ; Retry
249
+                        2419200         ; Expire
250
+                         604800 )       ; Negative Cache TTL
251
+;
252
+@       IN      NS      localhost.
253
+```
254
+
255
+`db.127`:
256
+``` 
257
+;
258
+; BIND reverse data file for local loopback interface
259
+;
260
+$TTL    604800
261
+@       IN      SOA     localhost. root.localhost. (
262
+                              1         ; Serial
263
+                         604800         ; Refresh
264
+                          86400         ; Retry
265
+                        2419200         ; Expire
266
+                         604800 )       ; Negative Cache TTL
267
+;
268
+@       IN      NS      localhost.
269
+1.0.0   IN      PTR     localhost.
270
+```
271
+
272
+`db.255`:
273
+```
274
+;
275
+; BIND reverse data file for broadcast zone
276
+;
277
+$TTL    604800
278
+@       IN      SOA     localhost. root.localhost. (
279
+                              1         ; Serial
280
+                         604800         ; Refresh
281
+                          86400         ; Retry
282
+                        2419200         ; Expire
283
+                         604800 )       ; Negative Cache TTL
284
+;
285
+@       IN      NS      localhost.
286
+```
287
+
288
+`db.local`:
289
+``` 
290
+  ;
291
+  ; BIND data file for local loopback interface
292
+  ;
293
+  $TTL    604800
294
+  @       IN      SOA     localhost. root.localhost. (
295
+                                2         ; Serial
296
+                           604800         ; Refresh
297
+                            86400         ; Retry
298
+                          2419200         ; Expire
299
+                           604800 )       ; Negative Cache TTL
300
+  ;
301
+  @       IN      NS      localhost.
302
+  @       IN      A       127.0.0.1
303
+  @       IN      AAAA    ::1
304
+```
305
+
306
+`db.root` is the root name servers. This file is to be updated regularly if it does not do it by itself; it can be fetched from here: [https://www.internic.net/domain/named.cache](https://www.internic.net/domain/named.cache)
307
+```
308
+;       This file holds the information on root name servers needed to 
309
+;       initialize cache of Internet domain name servers
310
+;       (e.g. reference this file in the "cache  .  <file>"
311
+;       configuration file of BIND domain name servers). 
312
+; 
313
+;       This file is made available by InterNIC 
314
+;       under anonymous FTP as
315
+;           file                /domain/named.cache 
316
+;           on server           FTP.INTERNIC.NET
317
+;       -OR-                    RS.INTERNIC.NET
318
+; 
319
+;       last update:     June 08, 2020 
320
+;       related version of root zone:     2020060801
321
+; 
322
+; FORMERLY NS.INTERNIC.NET 
323
+;
324
+.                        3600000      NS    A.ROOT-SERVERS.NET.
325
+A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
326
+A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
327
+; 
328
+; FORMERLY NS1.ISI.EDU 
329
+;
330
+.                        3600000      NS    B.ROOT-SERVERS.NET.
331
+B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
332
+B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
333
+; 
334
+; FORMERLY C.PSI.NET 
335
+;
336
+.                        3600000      NS    C.ROOT-SERVERS.NET.
337
+C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
338
+C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
339
+; 
340
+; FORMERLY TERP.UMD.EDU 
341
+;
342
+.                        3600000      NS    D.ROOT-SERVERS.NET.
343
+D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
344
+D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
345
+; 
346
+; FORMERLY NS.NASA.GOV
347
+;
348
+.                        3600000      NS    E.ROOT-SERVERS.NET.
349
+E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
350
+E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
351
+; 
352
+; FORMERLY NS.ISC.ORG
353
+;
354
+.                        3600000      NS    F.ROOT-SERVERS.NET.
355
+F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
356
+F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
357
+; 
358
+; FORMERLY NS.NIC.DDN.MIL
359
+;
360
+.                        3600000      NS    G.ROOT-SERVERS.NET.
361
+G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
362
+G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
363
+; 
364
+; FORMERLY AOS.ARL.ARMY.MIL
365
+;
366
+.                        3600000      NS    H.ROOT-SERVERS.NET.
367
+H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
368
+H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
369
+; 
370
+; FORMERLY NIC.NORDU.NET
371
+;
372
+.                        3600000      NS    I.ROOT-SERVERS.NET.
373
+I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
374
+I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
375
+; 
376
+; OPERATED BY VERISIGN, INC.
377
+;
378
+.                        3600000      NS    J.ROOT-SERVERS.NET.
379
+J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
380
+J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
381
+; 
382
+; OPERATED BY RIPE NCC
383
+;
384
+.                        3600000      NS    K.ROOT-SERVERS.NET.
385
+K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
386
+K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
387
+; 
388
+; OPERATED BY ICANN
389
+;
390
+.                        3600000      NS    L.ROOT-SERVERS.NET.
391
+L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
392
+L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
393
+; 
394
+; OPERATED BY WIDE
395
+;
396
+.                        3600000      NS    M.ROOT-SERVERS.NET.
397
+M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
398
+M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
399
+```
400
+
401
+### User-configured DNS configuration files
402
+
403
+These files are where the magic happens. There are two important files that you have to create; `named.conf` and `db.<zonename>`. The zone's file name is not particularly important, the filename is simply imported from `named.conf`.
404
+
405
+### named.conf
406
+
407
+I'm going to split this up a bit to add comments, but anything in the code blocks is in the final file once.
408
+
409
+This first section sets the local ranges to allow recursive DNS. **DO NOT** allow external IP addresses in this range!
410
+
411
+```
412
+acl a_trusted {
413
+  128.153.0.0/16;
414
+  localhost;
415
+  localnets;
416
+};
417
+options {
418
+  directory "/var/cache/bind";
419
+```
420
+
421
+The forwarders section has public recursive DNS servers that this DNS server can use to find more DNS information from other servers.
422
+
423
+```
424
+  forwarders {
425
+    1.1.1.1;
426
+  };
427
+
428
+```
429
+
430
+This section is very important and tells the server where recursion is allowed. If you do not intend to allow people to use recursive DNS, you can change this to `no`, and remove the `a_trusted` sections.
431
+
432
+```
433
+  recursion yes;
434
+  allow-recursion {
435
+    a_trusted;
436
+  };
437
+```
438
+
439
+DNSSEC is a protocol used for DNS verification. If you have it, this will enable it.
440
+
441
+```
442
+  dnssec-validation auto;
443
+
444
+  auth-nxdomain no;
445
+  listen-on-v6 {
446
+    any;
447
+  };
448
+};
449
+```
450
+
451
+This is where the zones begin to get ingested. The first sets of records are just standard boilerplate zones.
452
+
453
+```
454
+zone "." {
455
+  type hint;
456
+  file "/etc/bind/db.root";
457
+};
458
+
459
+zone "localhost" {
460
+  type master;
461
+  file "/etc/bind/db.local";
462
+};
463
+
464
+zone "127.in-addr.arpa" {
465
+  type master;
466
+  file "/etc/bind/db.127";
467
+};
468
+
469
+zone "0.in-addr.arpa" {
470
+  type master;
471
+  file "/etc/bind/db.0";
472
+};
473
+
474
+zone "255.in-addr.arpa" {
475
+  type master;
476
+  file "/etc/bind/db.255";
477
+};
478
+```
479
+
480
+These last two zones are where the fun begins. I have left them populated, but you will want to configure these names according to your configuration.
481
+
482
+The first zone is for what is called Forward DNS, which is what most people use when they are trying to visit a website. The second section, which is less common, is the Reverse DNS. The reverse DNS requires the zones to be passed from your ISP and can be ommited for this lab. If you're in COSI, adding reverse records will not work (except maybe if you use your resolver for your servers, you can possibly inject these records if your domain is not using DNSSEC).
483
+
484
+```
485
+zone "cam.ja4.org" in {
486
+  type master;
487
+  file "/etc/bind/db.cam";
488
+};
489
+
490
+zone "145.153.128.in-addr.arpa" in {
491
+  type master;
492
+  file "/etc/bind/db.cam.rvs.145";
493
+};
494
+```
495
+
496
+### Configure the Forward DNS Zones
497
+
498
+Inside of the forward DNS zones, the configuration is relatively simple. A sample is provided below:
499
+
500
+```
501
+$TTL 3d
502
+@		IN SOA	cam.ja4.org.	cam.cam.ja4.org. (
503
+			1	; serial
504
+			1h	; refresh
505
+			1h	; retry
506
+			1w	; expire
507
+			300 )	; negative caching-ttl
508
+
509
+; Nameservers
510
+@		IN NS	ns1-cam.ja4.org.
511
+
512
+; IPv4
513
+@		IN A	128.153.145.110
514
+ns1		IN A	128.153.145.111
515
+ns2		IN A	128.153.145.112
516
+ldap1		IN A	128.153.145.113
517
+ldap2		IN A	128.153.145.114
518
+nfs1		IN A	128.153.145.115
519
+```
520
+
521
+If you have other record types, you can certainly add them, for instance, `CNAME` records, `CAA` records, and more!
522
+
523
+The general syntax used here is `<key> IN <record type> <value>`, with an exception for the `SOA` record.
524
+
525
+The `SOA` record is very important, and defines critical information about the zone. The first part of the SOA declares the subdomain, in this case `cam.ja4.org.`. After that, it defines the contact for this zone (which should be interpreted as an email address) - so here `cam.cam.ja4.org` would mean that to contact the zone maintainer, you would email `cam@cam.ja4.org`. This is more of a legacy thing, and I don't think it's used much. Then, the fun starts.
526
+
527
+* Serial: the serial number of the zone file. This can be a simple integer counter you increment manually, epoch time, or similar.
528
+* Refresh: number of seconds after which secondary name servers should query the master for the SOA record, to detect zone changes
529
+* Retry: number of seconds after which secondary name servers should retry to request the serial number from the master if the master does not respond
530
+* Expire: number of seconds after which secondary name servers should stop answering request for this zone if the master does not respond
531
+* Negative Caching TTL - This is the TTL to use for records that are invalid; for example, if you try to resolve `nonexistant.example.com`, DNS servers will cache that response for the number of seconds specified here
532
+
533
+In DNS syntax, `@` has special meaning - if you find it in the `cam.ja4.org` record (for example, `@.cam.ja4.org.`), this will resolve the root of the name. There is also `*`, which is a wildcard that will match any key record.
534
+
535
+In this example zonefile, `@` points at an IP address, wich means that all servers that contact `cam.ja4.org` will be directed at that IP address.
536
+
537
+If you have made this zone file, you are ready to start up your DNS server and proceed to validation.
538
+
539
+### Configure the Reverse DNS Zones
540
+
541
+This is only necessary if you are creating reverse records and actually get them delegated to your nameserver. Reverse records convert IP addresses back into domain names. Worth noting, you can have as many `CNAME` and `A` and `AAAA` records point at the same IP address as you would like, but only one of them can be it's reverse.
542
+
543
+```
544
+$TTL 3d
545
+@		IN SOA	cam.ja4.org.	cam.cam.ja4.org. (
546
+			1	; serial
547
+			1h	; refresh
548
+			1h	; retry
549
+			1w	; expire
550
+			300 )	; negative caching-ttl
551
+
552
+; Nameservers
553
+@		IN NS	ns1-cam.ja4.org.
554
+
555
+; IPv4 Reverse
556
+; Note: the trailing dots are VERY IMPORTANT!
557
+111		IN PTR	ns1.cam.ja4.org.
558
+112		IN PTR	ns2.cam.ja4.org.
559
+113		IN PTR	ldap1.cam.ja4.org.
560
+114		IN PTR	ldap2.cam.ja4.org.
561
+115		IN PTR	nfs1.cam.ja4.org.
562
+```
563
+
564
+## Verify your DNS server
565
+
566
+Now that you have your DNS server stood up, you probably want to verify it.
567
+
568
+The best way to do this is to query it with the `dig` command. First, you would want to make sure that your records can be resolved from the server itself (by specifying `@<Your DNS server IP>`), but then later you will want to verify that your records can be recieved from any DNS server on the public internet (such as `@8.8.8.8`).
569
+
570
+Example queries can be the following:
571
+
572
+```sh
573
+dig @8.8.8.8 google.com A
574
+dig @8.8.8.8 cslabs.clarkson.edu A
575
+dig @1.1.1.1 yahoo.com A
576
+dig @9.9.9.9 talks.cslabs.clarkson.edu CNAME
577
+dig @9.9.9.9 talks.cslabs.clarkson.edu A
578
+```
579
+
580
+You can also query for pretty much any kind of record.
581
+
582
+Reverse DNS records are a bit more interesting - you pass the IP address and `-x`:
583
+
584
+```sh
585
+dig -x 128.153.145.3 @8.8.8.8
586
+```
587
+
588
+That should be about it.
589
+
590
+TODO: Verify that your server is not doing recursive DNS on the public internet.
591
+
592
+## Further Research
593
+
594
+* `recursion.cslabs.clarkson.edu` is a custom DNS server that recurses the DNS lookup to add another `recursion` every few seconds. Hopefully it's still running.
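Review bot: in the named.conf section, the `options` block (`recursion yes;` with `allow-recursion { a_trusted; };` and `acl a_trusted { 128.153.0.0/16; localhost; localnets; };`) is the only control behind the SECURITY NOTICE about amplification, and the "TODO: Verify that your server is not doing recursive DNS on the public internet" near the end can be closed in this same commit: from a host outside 128.153.0.0/16, `dig @<your DNS server IP> google.com A` should come back with `status: REFUSED` and no `ra` flag, while `dig @<your DNS server IP> cam.ja4.org NS` should still answer with `aa` set. Two gaps in the same block: nothing sets `allow-transfer`, so add `allow-transfer { none; };` (or only the secondary's address) so the whole zone cannot be pulled with AXFR by any client, and since the notice is about amplification, BIND's response rate limiting (`rate-limit { responses-per-second 10; };`) deserves a sentence as the mitigation for the authoritative side, which `allow-recursion` does not cover. The `dnssec-validation auto;` explanation ("If you have it, this will enable it") should say that the option validates DNSSEC on answers this server recurses for; it does not sign or enable DNSSEC for the zones served here. In the forward zone, the first SOA field (`cam.ja4.org.`) is the MNAME, the primary name server, so it should read `ns1-cam.ja4.org.`, and the prose "The first part of the SOA declares the subdomain" should be corrected to match; the zone also lists only `@ IN NS ns1-cam.ja4.org.` while the parent delegation above lists both ns1-cam and ns2-cam, so the child NS RRset should carry both names (and ns2 needs a secondary configuration that the text never shows). Spelling in the prose: "ommited", "wich", "recieved", "it's reverse" (its).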

+ 1
- 1
net.md

@@ -24,4 +24,4 @@ cam.ja4.org.		300	IN	NS	ns1-cam.ja4.org.
24 24
 cam.ja4.org.		300	IN	NS	ns2-cam.ja4.org.
25 25
 ```
26 26
 
27
-NOTE: Reverse DNS addresses would need to be put into the 145.rvs DNS file.
27
+NOTE: Reverse DNS addresses would need to be put into the 145.rvs DNS file on Talos and Atlas (aka, upstream COSI DNS). They are not required for the success of this lab.
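Review bot: the added sentence refers to "the 145.rvs DNS file on Talos and Atlas", while DNS.md in this same commit names the lab's own reverse zone file `db.cam.rvs.145`; say explicitly that 145.rvs is the upstream COSI file and not the lab's file, so the two are not confused when a reader follows the DNS.md reverse-zone section.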
