Lab 6a DNS Server Configuration
Aim
1. To design a DNS configuration
2. To configure a DNS server using the BIND software for forward lookups - hostname to IP address mapping
3. To configure a DNS server using the BIND software for reverse lookups - IP address to hostname mapping
Task 1: Design DNS configuration
The first step before starting DNS servers is to make several design decisions.
On Windows, choose whether to set up static (or standard) zones or centrally controlled zones via Microsoft Active Directory (called an “Integrated Zone”).
Since we aren’t primarily using Active Directory, we will use the “Standard Zone” configuration.
We will set up 2 domain name servers for our network.
For this exercise, the primary DNS will be the Windows Server and the secondary (backup) server will be the Linux server.
We will also set up a sub-domain, with the Linux server as the primary DNS and Windows as the secondary.
Both servers will forward requests appropriately – the Linux DNS will forward all unknown requests to the primary server (Windows), which will then forward to the university server (ns.uts.edu.au) and thence the internet.
We also need to decide which names, types and IP addresses are to be allocated to which server.
Find Default DNS Server IP address / Configuration
Windows: ipconfig /all
Linux: cat /etc/resolv.conf
Task 2: Set up a DNS zone - forward lookup
2.1 Configuring DNS role on Windows
2.1.1 Set up Ethernet1 adapter to a STATIC address 10.0.2.2.
2.1.2 Install the DNS role from the server manager
Follow the five steps of the installation wizard (screenshots not reproduced here).
While the DNS feature installation is in progress, check the current DNS server IP address:
# ipconfig /all
In the output, the first DNS server listed is the one assigned to the adapter; the second is our local DNS server’s IP address.
2.1.3 Set up a zone for the DNS server
We will use the “standard” (static) zones for the DNS server.
Once the installation is complete, open DNS from the “Tools” menu of Server Manager (or Start > Windows Administrative Tools > DNS). In DNS Manager you will find Forward Lookup Zones and Reverse Lookup Zones.
Look for the server name on the left.
> Right-click on the server name
> “Configure a DNS Server…”.
> choose “Create a forward lookup zone”.
> zone name: netserv.edu.au.
> Create a new zone file for this zone: netserv.edu.au.dns
> Next
> don’t allow dynamic updates.
Finally, when prompted for forwarders, enter the IP address of your default DNS server (e.g. 192.168.70.2 in the lab, but it will be different if you are at home).
Use ipconfig /all to determine your default DNS server on Ethernet0.
This creates a file called “netserv.edu.au.dns” in the C:\Windows\System32\dns directory; go there to look at the configuration of our DNS server.
2.1.4 Set up DNS server properties
When the Properties window opens, find the Interfaces tab (it’s usually the default). You can see that the DNS server is configured by default to listen on all network interfaces. Since we only want our DNS server to answer queries on our private network, turn off the Ethernet0 interface (e.g. 192.168.3.xxx) and just keep 10.0.2.2.
In the DNS Manager window > right-click on the server name > Properties.
On the Interfaces tab, select “Only the following IP addresses” > check 10.0.2.2 and uncheck the rest.
> Apply
> Ok
2.1.5 Create the Forward Lookup zone file
Expand Forward Lookup Zones and then right-click on the netserv.edu.au entry. The context menu allows you to add new Hosts, Aliases etc.
Modify the NS record to match our configuration. Notice that it names the name server after the machine’s name. According to our design, this server should be called ns with an IP address of 10.0.2.2.
Change the record by double-clicking it (the “(Same as parent folder) Name Server (NS))…”
> Name Servers > name server: ns
> click here to add an IP address > 10.0.2.2
> Transfer tab > select “Allow zone transfer to: Any server” (this lets any host that can reach the server copy the whole zone with a transfer request; on a production network you would restrict it to the secondary’s address, 10.0.2.3)
> exit
2.1.6 Add more entries to the Zone file
Right-click netserv.edu.au > New Host (A or AAAA)…
New host (A): ns with IP address 10.0.2.2
New host (A): mail with IP address 10.0.2.2
New host (A): site with IP address 10.0.2.2
New Mail Exchanger (MX): leave the host name blank; for the fully qualified domain name (FQDN) of the mail server, do not type mail, use Browse to locate the mail host record so the FQDN is filled in for you.
New Alias (CNAME): www and FQDN site
Create a Delegation
We will also create a delegation for the it.netserv.edu.au domain.
New Delegation: it
Add a new server record: FQDN = ns.it.netserv.edu.au
and add the IP address of this record as 10.0.2.3
(assuming this is the IP address of the Linux machine)
Update Server Data Files
Right-click on your server name and choose “Update Server Data Files” to make sure these changes are written to the filesystem.
CHECK THE FILE CONTENTS: look in C:\Windows\System32\dns and review the netserv.edu.au.dns file (hint: use the type or notepad command).
2.2 Testing the configuration
Using the nslookup tool on Windows
From a command prompt, type
# nslookup
//use the help command to see what commands can be executed.
server 10.0.2.2 (use our local machine as the default server to test)
set type=A (only look up A records)
set domain=netserv.edu.au. (set our default domain to netserv.edu.au ** note the trailing dot)
site.netserv.edu.au. (lookup site.netserv.edu.au ** note the trailing dot)
www (lookup the IP address of www.netserv.edu.au)
www.uts.edu.au. (lookup UTS main web server ** note the trailing dot)
Try running the nslookup command in debug mode:
set debug (run in debug mode)
ls netserv.edu.au
2.3 Configuring DNS server (BIND) on Linux
2.3.1 Enable STATIC networking
First, make sure you have STATIC networking enabled on ens37.
Terminal
# vim /etc/sysconfig/network-scripts/ifcfg-ens37
BOOTPROTO=none
IPADDR=10.0.2.3
PREFIX=24
ONBOOT=yes
:wq
Reload and enable the network adapter
# nmcli con reload ens37
# nmcli con up ens37
Check the ip address
# ifconfig ens37
2.3.2 Install name server
We will install the Berkeley Internet Name Domain name server (BIND). Use dnf to install bind and accept all the extra libraries it pulls in.
Terminal:
# dnf install bind
2.3.3 Update the name server configuration file
# vim /etc/named.conf
1. In the “options” paragraph,
find “listen-on port 53 { 127.0.0.1; };”.
Replace “127.0.0.1” with the word “any”.
2. In the same options paragraph,
find “allow-query { localhost; };”.
Replace “localhost” with “any”.
Note: with both set to any, the server answers queries from every host that can reach port 53. That is fine on the private lab network, but a server reachable from outside should restrict allow-query to its own subnets (e.g. 10.0.2.0/24) so it cannot be used as an open resolver.
3. Add the following paragraph (preferably near the existing “zone” paragraph):
zone "it.netserv.edu.au" IN {
    type master;
    file "it.netserv.edu.au.zone";
};
2.3.4 Create Zone File
Terminal:
# cd /var/named
# ls -ls
# cp named.localhost it.netserv.edu.au.zone
# vim /var/named/it.netserv.edu.au.zone
Edit the file
In the SOA line, use: ns.it.netserv.edu.au. root.it.netserv.edu.au. ( (note the trailing dots; without them named appends the zone origin to the name).
Add the remaining records as depicted in the screenshot (not reproduced here).
Explanation 2.3.4
Note that in the above configuration, we have specified a filename (it.netserv.edu.au.zone in the example above, but we can choose our own name). Now we need to create this file (the zone file) for our domain.
On our system, the zone files are located in the /var/named/ directory.
Change to this directory.
Create a new zone file for your zone in this directory.
Remember that the name of the zone file must be the same as the name we specified in the named.conf file!
Copy the named.localhost as a template. Just make sure the SOA record is correct. See the Windows sample.
Hint: The SOA record entry called “rname.invalid.” is actually an email address in a weird format. This translates to “rname@invalid”, so you can change this to something like “root.netserv.edu.au.” or something more useful. Also note the trailing dot – it is important.
Secondly, the serial is currently 0. This should be incremented each time you change the DNS records (secondary servers compare the serial to decide whether their copy of the zone is out of date).
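As an added example (not the lab’s own file), the shell script below writes a zone file for it.netserv.edu.au that follows this design and bumps the SOA serial on each edit. It assumes ns.it.netserv.edu.au is the Linux machine at 10.0.2.3 (from the delegation in 2.1.6) and, as a further assumption, that site.it.netserv.edu.au is also 10.0.2.3.

```shell
#!/bin/sh
# Added example, not part of the lab handout. Writes the it.netserv.edu.au
# zone file described in 2.3.4 and bumps its SOA serial on each edit.
# Assumptions: ns.it.netserv.edu.au = 10.0.2.3 (the Linux box, per the
# delegation made on Windows); site.it.netserv.edu.au = 10.0.2.3 (assumed).

write_zone() {
    # $1 = path to write, e.g. /var/named/it.netserv.edu.au.zone
    # Names ending in "." are absolute; "ns" and "site" are relative to the
    # zone origin, so they become ns.it.netserv.edu.au and site.it.netserv.edu.au.
    cat > "$1" <<'EOF'
$TTL 1D
@       IN SOA  ns.it.netserv.edu.au. root.it.netserv.edu.au. (
                1       ; serial - increment on every change
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum (negative-cache TTL)
        IN NS   ns.it.netserv.edu.au.
ns      IN A    10.0.2.3
site    IN A    10.0.2.3
EOF
}

get_serial() {
    # Print the current serial: the first field of the line tagged "; serial"
    awk '/; serial/ { print $1; exit }' "$1"
}

bump_serial() {
    # Replace the serial with serial+1 so secondaries notice the change;
    # write to a temp file first so a failed awk never truncates the zone.
    awk '/; serial/ { sub(/[0-9]+/, $1 + 1) } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Usage (as root on the Linux DNS server):
#   write_zone /var/named/it.netserv.edu.au.zone
#   chgrp named /var/named/it.netserv.edu.au.zone
#   named-checkzone it.netserv.edu.au /var/named/it.netserv.edu.au.zone
#   bump_serial /var/named/it.netserv.edu.au.zone   # after each later edit
```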
2.3.5 Change group ownership of file (file permissions)
Terminal > /var/named :
# ls -ls
# chgrp named it.netserv.edu.au.zone
# ls -ls
Explanation
After we finished editing the file, we’ll need to change the file permissions so that the name server process can read it. Unfortunately the default permissions will not allow the name server to read it. Specifically we need to change the group ownership of the zone file.
Use the chgrp command to change the file’s group to be the ‘named’ group,
chgrp named it.netserv.edu.au.zone
Use ls -l to check that the ownership and file permissions on your newly created file are the same as the other files in that directory.
2.4 Starting the DNS server on Linux
2.4.1 Check configuration
Check your configuration with:
# named-checkconf /etc/named.conf
Check your zone file with:
# named-checkzone it.netserv.edu.au /var/named/it.netserv.edu.au.zone
2.4.2 Start named service
To start the named service now:
# systemctl start named
Also enable the named service so that it starts at boot.
# systemctl enable named
2.5. Testing the DNS server on Linux
2.5.1 Check system log
After starting named, check the end of the /var/log/messages file (e.g. with the tail command) for errors.
# cat /var/log/messages
Look for a line that says “zone it.netserv.edu.au/IN” and look for the word “loaded”.
There may be some other errors about “network unreachable”. Don’t worry about these.
2.5.2 Test server
After startup is successful, run some test queries using the dig command, e.g.
Look up an A record: dig @localhost site.it.netserv.edu.au a (use with hostname)
# dig @localhost site.it.netserv.edu.au a
Look up an SOA record: dig @localhost it.netserv.edu.au soa (use with domain name)
# dig @localhost it.netserv.edu.au soa
Look up an NS record: dig @localhost it.netserv.edu.au ns (use with domain name)
# dig @localhost it.netserv.edu.au ns
Look up “any” records: dig @localhost site.it.netserv.edu.au any (use with host or domain)
# dig @localhost site.it.netserv.edu.au any
Make sure to check the “ANSWER SECTION” of the dig output. If the answer section is empty, the query returned no results! In that case, go back and check the log file for errors.
Now we also reboot the machine and test that the DNS server starts up automatically. If not, we need to check the settings we made with systemctl.
Note: we can also use the nslookup command as in the earlier nslookup test.
2.5.3 Add forwarding record
Terminal:
# vim /etc/named.conf
//add the following lines to the options block (note the semicolon after the address):
forwarders {
    10.0.2.2;
};
dnssec-enable no;
dnssec-validation no;
:wq
Restart named
# systemctl restart named
Test if working
# dig @localhost www.uts.edu.au
Explanation 2.5.3
Note: We won’t be able to find the address of www.netserv.edu.au: This is because your default name server will not forward requests anywhere else.
We can change this by updating the /etc/named.conf file and adding the following line to the options block:
forwarders {
10.0.2.2;
};
But this alone isn’t enough. DNSSEC (DNS security extensions) is enabled by default. This checks whether the information from the forwarder comes from a digitally signed zone to verify its authenticity. In our case, although we could sign the zone file on Windows Server (DNS Manager > right-click on the zone name > DNSSEC > Sign the Zone), that alone isn’t enough because the zone would be self-signed, plus additional “DS” records are needed. DNSSEC is an advanced topic which is not covered in this introductory subject, but is worth researching if we need to configure DNS on an enterprise network.
So in the meantime, for our forwarding to work we need to stop our Linux BIND server from checking DNSSEC data. In the /etc/named.conf file, look for the following lines and change “yes” to “no” as shown below:
dnssec-enable no;
dnssec-validation no;
Newer BIND releases have dropped the dnssec-enable option; if named-checkconf rejects it, keep only dnssec-validation no. With validation off, the server accepts whatever the forwarder returns without checking signatures, which is acceptable only in this isolated lab.
Don’t forget to restart named!
And test!
3 Set up reverse lookup zone file
Linux firewall: allow DNS
On Linux the firewall does not allow DNS traffic by default, so we need to enable the dns service in it; this is why, as the screenshot showed, queries from the Windows machine on our subnet were not getting answers.
Terminal:
# firewall-config
Public > service > dns (check)
3.1 Explanation
Earlier we set up a zone file for forward lookup, i.e. to map from hostnames into IP addresses. While that is the most common need on the Internet, there are times when services need to perform a reverse lookup, i.e. given an IP address as input, find out what hostname corresponds to that IP address.
Although you might think the DNS server could use the forward lookup information to answer these queries, it doesn’t. For reverse lookups to work, you need to set up another zone file with the reverse lookup information. That is what we will do now.
Reverse lookups are based on subnets, i.e. ranges of IP addresses. So in our case, we will configure the reverse lookup information for the 10.0.2.0 subnet. There is a special DNS suffix of “in-addr.arpa”, which is used for reverse lookup information. Also, the order of octets in the subnet address is reversed. So to set up a reverse lookup domain for the 10.0.2.0 subnet, we need to set up a DNS zone named “2.0.10.in-addr.arpa”. Note that this name is totally arbitrary, but the aforementioned name illustrates the most commonly used convention.
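As an added example (not from the lab), the shell functions below compute the in-addr.arpa name for a network ID or address as described above, and derive PTR records for the 2.0.10.in-addr.arpa zone from the A records of a forward zone, since the server will not do that for you. The sample forward-zone lines are constructed from the hosts created in 2.1.6.

```shell
#!/bin/sh
# Added example, not part of the lab handout. Reverse-zone naming and
# PTR generation for the 10.0.2.0 subnet used in this lab.

# Reverse the octets of an IPv4 address or network ID and append the
# in-addr.arpa suffix: 10.0.2 -> 2.0.10.in-addr.arpa, 10.0.2.2 -> 2.2.0.10.in-addr.arpa
reverse_name() {
    echo "$1" | awk -F. '{ for (i = NF; i >= 1; i--) printf "%s.", $i; print "in-addr.arpa" }'
}

# Build PTR records for the 2.0.10.in-addr.arpa zone from the "name IN A addr"
# lines of a forward zone.  $1 = zone origin (e.g. netserv.edu.au),
# stdin = forward zone text.  Only addresses inside 10.0.2.0/24 are used.
# Output: "<last octet> IN PTR <fqdn>." (the owner is relative to the reverse zone)
ptr_records() {
    awk -v origin="$1" '
        $2 == "IN" && $3 == "A" {
            split($4, o, ".")
            if (o[1] == 10 && o[2] == 0 && o[3] == 2)
                printf "%-4s IN PTR %s.%s.\n", o[4], $1, origin
        }'
}

# Constructed sample: the A records created on the Windows server in 2.1.6
SAMPLE_ZONE='ns   IN A 10.0.2.2
mail IN A 10.0.2.2
site IN A 10.0.2.2'

# Usage:
#   reverse_name 10.0.2                          # zone name to give the wizard
#   reverse_name 10.0.2.2                        # owner name to query with nslookup
#   echo "$SAMPLE_ZONE" | ptr_records netserv.edu.au
```

Several A records sharing one address yield several PTRs for it; most clients only use the first, so keep one PTR per address (the lab uses site for 10.0.2.2).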
3.1.1 Use the DNS manager to create a new Reverse Lookup Zone
On Windows
Click on Reverse Lookup Zones > Right-click > New Zone
> Primary Zone
> IPv4 Reverse Lookup Zone
> Network ID: 10.0.2
Our network id is: 10.0.2 (do not add the trailing zero)
The wizard chooses the correct filename for us: 2.0.10.in-addr.arpa.dns
Make sure you update the SOA and NS entries correctly (recall that this should be ns with IP address 10.0.2.2).
Don’t forget to enable Zone Transfers to ANY servers in the Properties of this new zone!
3.1.2 Create Pointer records
Create new PTR records as per our design, e.g.
Host IP address: 10.0.2.2
Hostname: site
3.1.3 Testing
We can now test it – try using nslookup again. We need to set the server and query type as before:
server 10.0.2.2 (use our local machine as the default server to test)
set type=PTR (only look up PTR records)
2.2.0.10.in-addr.arpa. (reverse lookup query ** note the trailing dot)
From Linux we can try: dig @10.0.2.2 -x 10.0.2.2