Lab 6a DNS Server Configuration

Aim

1. To design a DNS configuration

2. To configure a DNS server using the BIND software for forward lookups - hostname to IP address mapping

3. To configure a DNS server using the BIND software for reverse lookups - IP address to hostname mapping

Task 1: Design DNS configuration

The first step before starting DNS servers is to make several design decisions.

On Windows, choose whether to set up static (or standard) zones or centrally controlled zones via Microsoft Active Directory (called an “Integrated Zone”).

Since we aren’t primarily using Active Directory, we will use the “Standard Zone” configuration

We will set up 2 domain name servers for our network.

- For this exercise, the primary DNS will be the Windows Server and
- The secondary (backup) server will be the Linux server.
- We will also set up a sub-domain, with the Linux server as the primary DNS and Windows as the secondary.
- Both servers will forward requests appropriately – the Linux DNS will forward all unknown requests to the primary server (Windows), which will then forward to the university server (ns.uts.edu.au) and thence the internet

3. We need to decide which names, types and IP addresses are to be allocated to which server.

Find Default DNS Server IP address / Configuration

Windows: ipconfig /all

Linux: cat /etc/resolv.conf

Task 2: Set up a DNS zone - forward lookup

2.1 Configuring DNS role on Windows

2.1.1 Set up Ethernet1 adapter to a STATIC address 10.0.2.2.

2.1.2 Install the DNS role from the server manager

Step 1

Step 2

Step 3

Step 4

Step 5

While DNS feature installation in progress we check our current DNS IP address

# ipconfig /all

1^st one is DNS IP server assigned

2^nd one is our local DNS server IP address

2.1.3 Set up a zone for the DNS server

We will use the “standard” (static) zones for the DNS server.

Once the installation is complete, in the “Tools” menu of Server Manager, find DNS:

open the Manager to find Forward Lookup Zones and Reserve Lookup Zones

Start > Windows Administrative Tools > DNS

Look for the server name on the left. Right-click on the server name

> Right-click on the server name

> “Configure a DNS Server…”.

> choose “Create a forward lookup zone”.

> zone name: netserv.edu.au.

> Create a new zone file for this zone: netserv.edu.au.dns

> Next

> don’t allow dynamic updates.

Finally, when prompted for forwarders, enter the IP address of your default DNS server (e.g. 192.168.70.2 in the lab, but it will be different if you are at home.

Use ipconfig /all to determine your default DNS server on Ethernet0.

To find the configuration of our DNS go to directory:

This will create a file called “netserv.edu.au.dns” in our

C:\Windows\System32\dns directory

2.1.4 Set up DNS server properties

When the Properties window opens, find the Interfaces tab (it’s usually the default). You can see that the DNS server is configured by default to listen on all network interfaces. Since we only want our DNS server to answer queries on our private network, turn off the Ethernet0 interface (e.g. 192.168.3.xxx) and just keep 10.0.2.2.

In the DNS Manager window > right-click on the server name > Properties.

On the Interface select > Only the following IP address e.g. > Check 10.0.2.2 and uncheck the rest.

> Apply

> Ok

2.1.5 Create the Forward Lookup zone file

Expand Forward Lookup Zones and then right-click on the netserv.edu.au entry. The context menu allows to add new Hosts, Aliases etc.

Modify the NS record to match our configuration. Notice that it names the name server to the machines name. According to our design, this server should be called ns with an IP address of 10.0.2.2

Change the record by double-clicking it (the “(Same as parent folder) Name Server (NS))…”

> Name Servers > name server: ns

> click here to add an IP address > 10.0.2.2

> Transfer tab > "Allow zone transfer to: Any server" selected

> exit

2.1.6 Add more entries to the Zone file

Right click netserv.edu.au > New Host (A or AAAA)..

New host (A): ns with IP address 10.0.2.2

New host (A): mail with IP address 10.0.2.2

New host (A): site with IP address 10.0.2.2

New Mail Exchanger (MX): leave host blank and the FQDN should be mail

On fully qualified domain name (FQDN) of mail server (do not type mail) Browse and locate to mail

New Alias (CNAME): www and FQDN site

Create a Delegation

We will also create a delegation for the it.netserv.edu.au domain .

New Delegation: it

Add a new server record: FQDN = ns.it.netserv.edu.au

and add the IP address of this record as 10.0.2.3

(assuming this is the IP address of the Linux machine)

Update Server Data Files

Right-click on your server name and choose “Update Server Data Files” to make sure these changes are written to the filesystem.

CHECK THE FILE CONTENTS: Look in C:\Windows\System32\dns\netserv.edu.au.dns and review netserv.edu.au.dns file (hint: use type or notepad commands)

2.2 Testing the configuration

Using the nslookup tool on Windows

From a command prompt, type

# nslookup

//use the help command to see what commands can be executed.

server 10.0.2.2 (use our local machine as the default server to test)

set type=A (only look up A records)

set domain=netserv.edu.au. (set our default domain to netserv.edu.au ** note the trailing dot)

site.netserv.edu.au. (lookup site.netserv.edu.au ** note the trailing dot)

www (lookup the IP address of www.netserv.edu.au)

www.uts.edu.au. (lookup UTS main web server ** note the trailing dot)

Try running the nslookup command in debug mode:

set debug (run in debug mode)

ls netserv.edu.au

2.3 Configuring DNS server (BIND) on Linux

2.3.1 Enable STATIC networking

First, make sure you have STATIC networking enabled on ens37.

Terminal

# vim/etc/sysconfig/network-scripts/ifcfg-ens37

BOOTPROTO=none

IPADDR-10.0.2.3

PREFIX=24

ONBOOT=yes

:wq

Reload and enable the network adapter

# nmcli con reload ens37

# nmcli con up ens37

Check the ip address

# ifconfig ens37

2.3.2 Install name server

We will install the Berkley Internet Name Domain name server (BIND). User dnf bind and accept all the extra libraries to install.

Terminal# dnf install bind

2.3.3 Update the name server configuration file

# vim /etc/named.conf

1. In the “options” paragraph,

find “listen-on port 53 {127.0.0.1; };

Replace “127.0.0.1 with the word “any”.

2. In the same options paragraph,

find “allow-query { localhost; };”.

Replace “localhost” with “any”.

3. Add the following paragraph (preferably near the existing “zone” paragraph):

zone "it.netserv.edu.au" IN {

type master;

file "it.netserv.edu.au.zone"; };

2.3.4 Create Zone File

Terminal:

# cd /var/named

# ls -ls

# cp named.localhost it.netserv.edu.au.zone

# vim /var/named/it.netserv.edu.au.zone

Edit the file

In SOA ns.it.netserv.edu.au root.it.netserv.edu.au. (

Add the following record as depicted on the screenshot.

Explanation 2.3.4

Note that in the above configuration, we have specified a filename (it.netserv.edu.au.zone in the example above, but we can choose our own name). Now we need to create this file (the zone file) for our domain.

On our system, the zone files are located in the /var/named/ directory.

Change to this directory.

Create a new zone file for your zone in this directory.

Remember that the name of the zone file must be the same as the name we specified in your named.conf file!.

Copy the named.localhost as a template. Just make sure the SOA record is correct. See the Windows sample.

Hint: The SOA record entry called “rname.invalid.” is actually an email address in a weird format. This translates to “rname@invalid”, so you can change this to something like “root.netserv.edu.au.” or something more useful. Also note the trailing dot – it is important.

Secondly, the serial is currently 0. This should be incremented each time you change the DNS records

2.3.5 Change group ownership of file (file permissions)

Terminal > /var/named :

# ls -ls

# chgrp named it.netserv.edu.au.au.zone

# ls -ls

Explanation

After we finished editing the file, we’ll need to change the file permissions so that the name server process can read it. Unfortunately the default permissions will not allow the name server to read it. Specifically we need to change the group ownership of the zone file.

Use the chgrp command to change the file’s group to be the ‘named’ group,

chgrp named it.netserv.edu.au.zone

Use ls –l to check that the ownership and file permissions on your newly created file are the same as the other files in that directory.

2.4 Starting the DNS server on Linux

2.4.1 Check configuration

Check your configuration with:

# named-checkconf /etc/named.conf

Check your zone file with:

# named-checkzone it.netserv.edu.au /var/named/it.netserv.edu.au.zone

2.4.2 Start named service

To start your named service now: systemctl start named

# systemctl start named

Also enable the named service so that it starts at boot.

# systemctl enable named

2.5. Testing the DNS server on Linux

2.5.1 Check system log

After starting named,

check the end of the /var/log/messages file (e.g. with the tail command) for errors.

# cat /var/log/messages

Look for a line that says “zone it.netserv.edu.au/IN” and look for the word “loaded”.

There may be some other errors about “network unreachable”. Don’t worry about these.

2.5.2 Test server

After startup is successful, run some test queries using the dig command, e.g.

Look up an A record: dig @localhost site.it.netserv.edu.au a (use with hostname)

# dig @localhost site.it.netserv.edu.au a

Look up an SOA record: dig @localhost it.netserv.edu.au soa (use with domain name)

# dig @localhost it.netserv.edu.au soa

Look up an NS record: dig @localhost it.netserv.edu.au ns (use with domain name)

# dig @localhost it.netserv.edu.au ns

Look up “any” records: dig @localhost site.it.netserv.edu.au any (use with host or domain)

# dig @localhost site.it.netserv.edu.au any

We make sure to check the “ANSWER SECTION” of the dig output. If the answer section is empty, then the query returned no results! If this is the case, we go back and check the log file for errors.

Now we also reboot the machine and test that the DNS server starts up automatically. If not, we need to check the settings we made with systemctl.

Note: we can also use the nslookup command like in task 1

2.5.3 Add forwarding record

Terminal:

# vim /etc/named.conf

//add the following line to the option block:

forwarders{

10.0.2.2

};

dnssec-enable no;

dnssec-validation no;

:wq

Restart named

# systemctl restart named

Test if working

# dig @localhost www.uts.edu.au

Explanation 2.5.3

Note: We won’t be able to find the address of www.netserv.edu.au: This is because your default name server will not forward requests anywhere else.

We can change this by updating the /etc/named.conf file and adding the following line to the options block:

forwarders {

10.0.2.2;

};

But this alone isn’t enough. DNSSEC (DNS security extensions) is enabled by default. This checks whether the information from the forwarder has a digitally signed zone file to verify its authenticity. In our case, although we could sign the zone file on Windows Server (DNS Manager right-click on zone name DNSSEC Sign the zone), that alone isn’t enough because the zone would be self-signed, plus there are additional “DS” records needed. DNSSEC is an advanced topic which is not cover in this introductory subject, but is worth researching if we need to configure DNS on an enterprise network.

So in the meantime, for our forward to work we need to disable our Linux bind server from checking DNSSEC data. In the /etc/named.conf file, look for the following lines, and update “yes” to “no” as shown below:

dnssec-enable no; dnssec-validation no;

Don’t forget to restart named!

And test!

3 Set up reverse lookup zone file

Linux Firewall allow dns

On Linux dns is not enabled by default. We need to enable the service as we can see from the screenshot on Windows subnet IP address is not validating.

Terminal:

# firewall-config

Public > service > dns (check)

3.1 Explantion

Earlier we set up a zone file for forward lookup, i.e. to map from hostnames into IP addresses. While that is the most common need on the Internet, there are times when services need to perform a reverse lookup, i.e. given an IP address as input, find out what hostname corresponds to that IP address.

Although you might think the DNS server could use the forward lookup information to answer these queries, it doesn’t. For reverse lookups to work, you need to set up another zone file with the reverse lookup information. That is what we will do now.

Reverse lookups are based on subnets, i.e. ranges of IP addresses. So in our case, we will configure the reverse lookup information for the 10.0.2.0 subnet. There is a special DNS suffix of “in-addr.arpa”, which is used for reverse lookup information. Also, the order of octets in the subnet address are reversed. So to set up a reverse lookup domain for the 10.0.2.0 subnet, we need to set up a DNS zone named “2.0.10.in-addr.arpa”. Note that this name is totally arbitrary, but the aforementioned name illustrates the most commonly used convention.