<chapter annotations="slide" version="5.1" xml:id="sdiDns"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns:ns="http://docbook.org/ns/transclusion"
xmlns:m="http://www.w3.org/1998/Math/MathML"
xmlns:html="http://www.w3.org/1999/xhtml"
xmlns:db="http://docbook.org/ns/docbook">
<section xml:id="sdiDnsPrelim">
<title>Preliminaries</title>
<figure xml:id="sdiDnsLinks">
<title>Documentation links</title>
<itemizedlist>
<listitem>
<para><link
xlink:href="https://www.cloudflare.com/learning/dns/what-is-dns">What
Is DNS? | How DNS Works</link></para>
</listitem>
<listitem>
<para><link
xlink:href="http://www.htmlgoodies.com/beyond/webmaster/article.php/3473261/An-Introduction-to-DNS.htm">An
Introduction to DNS</link></para>
</listitem>
<listitem>
<para><link xlink:href="http://www.zytrax.com/books/dns">DNS for
Rocket Scientists</link></para>
</listitem>
<listitem>
<para><link
xlink:href="https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-ubuntu-14-04">How
To Configure BIND as a Private Network DNS Server on
Ubuntu</link></para>
</listitem>
<listitem>
<para><link xlink:href="https://bind9.readthedocs.io/en/latest">BIND
9 Administrator Reference Manual</link></para>
</listitem>
</itemizedlist>
</figure>
<figure xml:id="sdiDnsQueryCommands">
<title><xref linkend="glo_DNS"/> query commands</title>
<para><command
xlink:href="https://manpages.debian.org/buster/dnsutils/dig.1.en.html">dig</command>
(<emphasis role="red">d</emphasis>omain <emphasis
role="red">i</emphasis>nformation <emphasis
role="red">g</emphasis>roper)</para>
<para><command
xlink:href="https://manpages.debian.org/buster/dnsutils/nslookup.1.en.html">nslookup</command></para>
</figure>
<figure xml:id="sdiDnsForwardLookup">
<title><xref linkend="glo_DNS"/> forward lookup</title>
<screen>> dig <emphasis role="red">learn.mi.hdm-stuttgart.de</emphasis>
; <<>> DiG 9.16.1-Ubuntu <<>> learn.mi.hdm-stuttgart.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63891
...
;; ANSWER SECTION:
learn.mi.hdm-stuttgart.de. 6593 IN A <emphasis role="red">141.62.64.28</emphasis>
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) ...</screen>
</figure>
<figure xml:id="sdiDnsResultOnly">
<title>Display A-record result only</title>
<screen>> dig <emphasis role="red">+noall +answer</emphasis> <emphasis>www.hdm-stuttgart.de</emphasis>
www.hdm-stuttgart.de. 3600 IN A 141.62.1.53
www.hdm-stuttgart.de. 3600 IN A 141.62.1.59</screen>
</figure>
<figure xml:id="sdiDnsImportantRecordTypes">
<title>Important record types</title>
<informaltable border="1">
<tr>
<th>Record</th>
<th>Explanation</th>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/a-records">A</link></td>
<td valign="top">IPv4 host address</td>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/aaaa-records">AAAA</link></td>
<td valign="top">IPv6 host address</td>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/alias-records">ALIAS</link></td>
<td valign="top">Auto resolved alias</td>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/cname-records">CNAME</link></td>
<td valign="top">Canonical name for an alias</td>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/mx-records">MX</link></td>
<td valign="top">Mail eXchange</td>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/ns-records">NS</link></td>
<td valign="top">Name Server</td>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/ptr-records">PTR</link></td>
<td valign="top">Pointer</td>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/soa-records">SOA</link></td>
<td valign="top">Start Of Authority</td>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/srv-records">SRV</link></td>
<td valign="top">Location of service</td>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/txt-records">TXT</link></td>
<td valign="top">Descriptive text</td>
</tr>
</informaltable>
</figure>
<figure xml:id="sdiDnsQueryNs">
<title>Name Servers: Query type <code>NS</code></title>
<screen>dig +noall +answer <emphasis role="red">-t NS</emphasis> hdm-stuttgart.de
hdm-stuttgart.de. 3600 IN NS iz-net-4.hdm-stuttgart.de.
hdm-stuttgart.de. 3600 IN NS dns3.belwue.de.
hdm-stuttgart.de. 3600 IN NS iz-net-3.hdm-stuttgart.de.
hdm-stuttgart.de. 3600 IN NS dns1.belwue.de.
hdm-stuttgart.de. 3600 IN NS iz-net-2.hdm-stuttgart.de.</screen>
</figure>
</section>
<section xml:id="sdiDnsExercises">
<title>Exercises</title>
<section xml:id="sdiDnsUseDig">
<title>Querying <xref linkend="glo_DNS"/> data.</title>
<para>Use the <command>dig</command> command to query <code>A</code> /
<code>CNAME</code> / <code>MX</code> / <code>NS</code> records from
various machines / domains of your choice. Then execute reverse lookups
as well.</para>
</section>
<section xml:id="sdiBindInstall">
<title>Installing and configuring <xref
linkend="glo_Soft_Bind"/></title>
<para>You may follow:</para>
<itemizedlist>
<listitem>
<para><link
xlink:href="https://www.linuxbabe.com/debian/authoritative-dns-server-debian-10-buster-bind9">Set
Up BIND Authoritative DNS Server on Debian</link></para>
</listitem>
<listitem>
<para><link
xlink:href="https://cloudinfrastructureservices.co.uk/how-to-install-bind-dns-on-debian-11-server-setup-configure">How
to Install Bind DNS on Debian 11 Server</link></para>
</listitem>
<listitem>
<para><link
xlink:href="https://www.zytrax.com/books/dns/ch8/soa.html">Start of
Authority Resource Record</link></para>
</listitem>
</itemizedlist>
<para>Install the <productname>bind9</productname> server package on
your first <quote>A</quote> virtual machine. The MI department has
already set up a <xref linkend="glo_DNS"/> service for
<code>mi.hdm-stuttgart.de</code>. For the upcoming exercises, however,
we want to be able to configure private host aliases ourselves.</para>
<para>If you are a member of <abbrev>e.g.</abbrev> group 7 then
<code>sdi04a.mi.hdm-stuttgart.de</code> will host your <xref
linkend="glo_DNS"/> server. Create a completely new zone
<code>g7.sdi.mi.hdm-stuttgart.de</code> containing address records for
both your machines <code>sdia.g7.sdi.mi.hdm-stuttgart.de</code> and
<code>sdib.g7.sdi.mi.hdm-stuttgart.de</code>. Your <xref
linkend="glo_DNS"/> server should provide at least the following:</para>
<itemizedlist>
<listitem>
<para>Your <code>g7.sdi.mi.hdm-stuttgart.de</code> domain's primary
name server.</para>
</listitem>
<listitem>
<para><code>www.g7.sdi.mi.hdm-stuttgart.de</code> and
<code>cloud.g7.sdi.mi.hdm-stuttgart.de</code> (<code>CNAME</code>)
aliases to <code>vm1.g7.sdi.mi.hdm-stuttgart.de</code> or
<code>vm2.g7.sdi.mi.hdm-stuttgart.de</code>.</para>
</listitem>
</itemizedlist>
<para>All host names (albeit not yet existing) should point to your
virtual machines' IP. This requires setting up a forward zone.</para>
<tip>
<orderedlist>
<listitem>
<para>The <command>named-checkzone</command> command helps you to
check for your two zone files' correctness</para>
</listitem>
<listitem>
<para>The <command>named-checkconf</command> command checks for
your configuration's overall correctness.</para>
</listitem>
<listitem>
<para>You may use the <command>nslookup</command> command to query
your <xref linkend="glo_DNS"/> server. The <option>set
type=ns</option> option allows to query for the domain's primary
name server.</para>
</listitem>
</orderedlist>
</tip>
<itemizedlist>
<listitem>
<para><code>ns</code> (Nameserver)</para>
</listitem>
<listitem>
<para>(<xref linkend="sdiApache"/>).</para>
</listitem>
</itemizedlist>
<para>Test your configuration using <command>dig</command>
<option>@&lt;your host-IP&gt;</option> <option>...</option>. You should
be able to resolve <abbrev>e.g.</abbrev>
<code>www.g7.sdi.mi.hdm-stuttgart.de</code> to your local</para>
</section>
<section xml:id="sdiDnsReverse">
<title>Reverse lookups</title>
<para>Define a reverse zone file answering queries that ask for an IP
address' machine name, <abbrev>i.e.</abbrev> resolving
<code>141.62.75.104</code> to the corresponding host name.</para>
</section>
<section xml:id="sdiDnsForwarder">
<title>Forwarders</title>
<para>Enable recursive queries to parent name servers enabling your own
private name server to resolve external machines like
<code>www.w3.org</code> by delegation.</para>
<tip>
<para>You may have to disable <code>DNSSEC</code> in order to allow
for recursive queries.</para>
</tip>
</section>
<section xml:id="sdiBindMx">
<title>Mail exchange record</title>
<para>Provide a mail exchange record pointing to
<code>mx1.hdm-stuttgart.de</code>. Test this configuration using
<command>dig</command> accordingly.</para>
<para>Caveat: Configuring a client machine to use your name server and
sending a mail to <code>xy123@g7.sdi.mi.hdm-stuttgart.de</code> won't
actually work, since <code>mail.hdm-stuttgart.de</code> rejects mails
sent to any domain other than certain subdomains of
<code>hdm-stuttgart.de</code>.</para>
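<para>The four exercise steps above (forward zone with <code>NS</code>,
<code>A</code> and <code>CNAME</code> records, reverse zone, forwarders,
<code>MX</code> record) fit into the following added example. It is not
part of the lecture notes or of BIND itself: the functions print the zone
files and the <filename>named.conf</filename> fragments for group 7 and
run a small consistency check that works without BIND installed. The
serial, the hostmaster address, the address of <code>vm1</code>, the
forwarder address <code>192.0.2.53</code> and the campus range
<code>141.62.0.0/16</code> are constructed assumptions; only
<code>141.62.75.114</code> for <code>vm2</code> is taken from the
<command>nsupdate</command> example further down.</para>
```shell
#!/bin/sh
# Added example (not part of the lecture notes): BIND 9 zone files and
# configuration fragments for the exercises, plus a sanity check that runs
# without BIND. Serial, hostmaster, vm1 address, forwarder address and the
# 141.62.0.0/16 range are constructed placeholders.

ZONE=g7.sdi.mi.hdm-stuttgart.de
VM1_IP=141.62.75.104        # assumed: the machine running named
VM2_IP=141.62.75.114        # from the page's nsupdate example

# Forward zone: SOA, NS, MX, A and CNAME records. Trailing dots matter:
# a name without one silently gets $ORIGIN appended.
forward_zone() {
cat <<EOF
\$TTL 3600
\$ORIGIN $ZONE.
@       IN SOA   vm1.$ZONE. hostmaster.$ZONE. (
                 2024010101 ; serial (constructed): bump on every edit
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 300 )      ; negative-caching TTL
@       IN NS    vm1.$ZONE.
@       IN MX    10 mx1.hdm-stuttgart.de.
vm1     IN A     $VM1_IP
vm2     IN A     $VM2_IP
sdia    IN A     $VM1_IP
sdib    IN A     $VM2_IP
www     IN CNAME vm1.$ZONE.
cloud   IN CNAME vm2.$ZONE.
EOF
}

# Reverse zone for 141.62.75.0/24: PTR records keyed by the last octet.
reverse_zone() {
cat <<EOF
\$TTL 3600
\$ORIGIN 75.62.141.in-addr.arpa.
@       IN SOA   vm1.$ZONE. hostmaster.$ZONE. (
                 2024010101 3600 900 604800 300 )
@       IN NS    vm1.$ZONE.
${VM1_IP##*.}     IN PTR   vm1.$ZONE.
${VM2_IP##*.}     IN PTR   vm2.$ZONE.
EOF
}

# Zone declarations (named.conf.local) and the forwarder part of
# named.conf.options. Recursion is limited to the assumed campus range.
named_conf() {
cat <<EOF
// named.conf.local
zone "$ZONE" { type master; file "/etc/bind/db.$ZONE"; };
zone "75.62.141.in-addr.arpa" { type master; file "/etc/bind/db.75.62.141"; };
// named.conf.options
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { localhost; 141.62.0.0/16; };  // never recurse for everyone
    forwarders { 192.0.2.53; };                     // placeholder upstream resolver
    dnssec-validation auto;  // the tip above means "no" here: accepts unvalidated answers, lab only
};
EOF
}

# Read a zone file from stdin and check: exactly one SOA, at least one NS,
# no owner with both CNAME and A, no in-zone CNAME target without a record.
# Exit status 0 means clean; problems are printed one per line.
check_zone() {
awk '
  /^[ \t]*;/ || /^[ \t]*$/ { next }
  $1 == "$ORIGIN" { origin = $2; next }
  $1 == "$TTL" { next }
  {
    for (i = 1; i <= NF; i++) if ($i == "IN") break
    if (i > NF) next                        # SOA continuation line
    owner = $1
    if (owner == "@") owner = origin; else if (owner !~ /\.$/) owner = owner "." origin
    type = $(i + 1)
    if (type == "SOA") soa++
    if (type == "NS") ns++
    if (type == "A") a[owner] = 1
    if (type == "CNAME") cname[owner] = $(i + 2)
  }
  END {
    if (soa != 1) { print "need exactly one SOA, found " (soa + 0); bad++ }
    if (ns < 1) { print "need at least one NS record"; bad++ }
    for (o in cname) {
      if (o in a) { print o ": CNAME must not coexist with an A record"; bad++ }
      t = cname[o]
      if (substr(t, length(t) - length(origin) + 1) == origin && !(t in a) && !(t in cname))
        { print o ": CNAME target " t " does not exist in this zone"; bad++ }
    }
    exit (bad > 0)
  }'
}

# With BIND installed, the real checks are its own tools:
#   forward_zone > /etc/bind/db.$ZONE && named-checkzone $ZONE /etc/bind/db.$ZONE
#   named-checkconf
```
<para><code>check_zone</code> only catches the mistakes that are easiest
to make in this exercise (a missing trailing dot, an alias pointing at a
name that was never created); <command>named-checkzone</command> and
<command>named-checkconf</command> remain the authoritative check before
reloading <command>named</command>.</para>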
<section xml:id="sdiDnsProjectNameServer">
<title>SDI exercises related <xref linkend="glo_DNS"/> server</title>
<para>In this part you'll transfer your current <xref
linkend="glo_DNS"/> configuration to a dedicated MI nameserver
<code>nssdi.mi.hdm-stuttgart.de</code>. This one being connected to the
global <xref linkend="glo_DNS"/> system allows for publishing your
records worldwide.</para>
<figure xml:id="sdiDnsSubdomainPerGroup">
<title>Subdomain per group</title>
<itemizedlist>
<listitem>
<para>Dedicated lecture related <xref linkend="glo_DNS"/> server
<code>nssdi.mi.hdm-stuttgart.de</code>.</para>
</listitem>
<listitem>
<para>One subdomain per group <acronym>e.g.</acronym> <emphasis
role="red">g7.sdi.mi.hdm-stuttgart.de</emphasis> corresponding to
<emphasis role="red">group 7</emphasis>.</para>
</listitem>
<listitem>
<para>Zone edits require a subdomain specific <code>hmac</code>
secret key being provided as <filename>dnsupdate.sec</filename>
file in your personal group entry below the <link
xlink:href="https://learn.mi.hdm-stuttgart.de/ilias/goto.php?target=crs_33735">SDI
course</link>:</para>
<screen>hmac-sha256:mykey.<emphasis role="red">g7</emphasis>:I5sDDS3L1BU...</screen>
<note>
<para>The per zone secrets are being created using <link
xlink:href="https://manpages.ubuntu.com/manpages/jammy/man8/ddns-confgen.8.html">tsig-keygen</link>.
The value appearing here does not reflect a production
setting.</para>
</note>
</listitem>
<listitem>
<para>Edits become globally visible. Mind the TTL setting: A
higher value means you'll have to wait longer until error
corrections become visible.</para>
</listitem>
</itemizedlist>
</figure>
<figure xml:id="sdiDnsQueryZone">
<title>Querying <xref linkend="glo_DNS"/> zone</title>
<screen>$ export HMAC=hmac-sha256:mykey.g7:YXWSeh3l...
$ dig @<emphasis role="red">nssdi.mi.hdm-stuttgart.de</emphasis> -y <emphasis
role="red">$HMAC</emphasis> -t AXFR <emphasis role="red">g7.sdi.mi.hdm-stuttgart.de</emphasis>
...
g7.sdi.mi.hdm-stuttgart.de. 86400 IN SOA nssdi.mi.hdm-stuttgart.de. goik.hdm-stuttgart.de. ...
docu.g7.sdi.mi.hdm-stuttgart.de. 5000 IN CNAME www.g7.sdi.mi.hdm-stuttgart.de.
manual.g7.sdi.mi.hdm-stuttgart.de. 5000 IN CNAME www.g7.sdi.mi.hdm-stuttgart.de.
nextcloud.g7.sdi.mi.hdm-stuttgart.de. 5000 IN CNAME www.g7.sdi.mi.hdm-stuttgart.de.
...</screen>
</figure>
<figure xml:id="sdiDnsNsupdateAddRecord">
<title>Creating an <code>A</code> record</title>
<programlisting language="bash">export HMAC=hmac-sha256:mykey.g7:YXWSeh3l...
goik>nsupdate -y $HMAC
> server nssdi.mi.hdm-stuttgart.de
> update add vm2.<emphasis role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de 86400 A 141.62.75.114
goik>dig +noall +answer @nssdi.mi.hdm-stuttgart.de vm2.<emphasis role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de
vm2.<emphasis role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de. 86400 IN A 141.62.75.114</programlisting>
<programlisting language="none">>dig +noall +answer vm2.<emphasis
role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de
vm2.<emphasis role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de. 7069 IN A 141.62.75.114</programlisting>
</figure>
<figure xml:id="sdiDnsNsupdateDeleteRecord">
<title>Modify by delete/create</title>
<programlisting language="bash">$ nsupdate -y $HMAC
> update delete admin.g3.sdi.mi.hdm-stuttgart.de. <emphasis role="red">3600</emphasis> IN CNAME www.g3.sdi.mi.hdm-stuttgart.de.
> update add admin.g3.sdi.mi.hdm-stuttgart.de. <emphasis role="red">7200</emphasis> IN CNAME www.g3.sdi.mi.hdm-stuttgart.de.</programlisting>
<note>
<para>Examples at <link
xlink:href="https://serverless.industries/2020/09/27/dns-nsupdate-howto.en.html">DNS
Updates with nsupdate</link></para>
</note>
<para>Due to caching it will however take up to your <abbrev>SOA</abbrev>
or record specific TTL settings for this deletion to be reflected globally.
The subsequent query result indicates another 7069 seconds to go before</para>
<programlisting language="none">goik>dig +noall +answer vm2.<emphasis
role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de
vm2.<emphasis role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de. 7069 IN A 141.62.75.114</programlisting>
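<para>The delete/add pattern and the cached TTL shown above, together with
the <option>+noall +answer</option> output format from the preliminaries,
are captured in the following added example. It is not part of the
lecture notes or of the BIND tools: <code>keyfile_from_secret</code>
turns the <code>algorithm:name:secret</code> line of
<filename>dnsupdate.sec</filename> into the <code>key</code> statement
<command>nsupdate -k</command> reads, so the secret no longer appears on
the command line; <code>replace_record</code> emits one update
transaction; <code>seconds_left</code> reads the remaining cache time
from a <command>dig</command> answer. The key secret and the sample
answer line are constructed.</para>
```shell
#!/bin/sh
# Added example (not part of the lecture notes). Helpers around nsupdate:
# key file generation, a delete/add batch and a TTL reader for dig output.
# Server and zone names come from the page; the secret is constructed.

SERVER=nssdi.mi.hdm-stuttgart.de

# Convert "hmac-sha256:mykey.g7:SECRET" into the key statement that
# nsupdate -k (and named) understand. Redirect into a file with mode 0600:
# with -y the secret sits in the process list for everyone to read.
keyfile_from_secret() {
  # $1: the colon-separated line from dnsupdate.sec
  printf '%s\n' "$1" | awk -F: 'NF == 3 {
    printf "key \"%s\" {\n    algorithm %s;\n    secret \"%s\";\n};\n", $2, $1, $3
    ok = 1
  } END { exit !ok }'
}

# Emit an nsupdate batch replacing one record: delete the old RR, add the
# new one, and "send" both in a single DNS UPDATE message, so there is no
# moment at which the name has no record at all.
# $1 owner name, $2 type, $3 old TTL, $4 new TTL, $5 rdata
replace_record() {
  printf 'server %s\n' "$SERVER"
  printf 'update delete %s %s IN %s %s\n' "$1" "$3" "$2" "$5"
  printf 'update add %s %s IN %s %s\n' "$1" "$4" "$2" "$5"
  printf 'send\n'
}

# Given "dig +noall +answer" output on stdin, print the seconds the cached
# answer still has to live (TTL column of the first A or CNAME line).
seconds_left() {
  awk '$3 == "IN" && ($4 == "A" || $4 == "CNAME") { print $2; exit }'
}

# Constructed sample: the cached answer shown in the figure above.
SAMPLE_ANSWER='vm2.g7.sdi.mi.hdm-stuttgart.de. 7069 IN A 141.62.75.114'

# Typical use against the real server (not run here):
#   keyfile_from_secret "$(cat dnsupdate.sec)" > nsupdate.key && chmod 600 nsupdate.key
#   replace_record admin.g3.sdi.mi.hdm-stuttgart.de. CNAME 3600 7200 \
#       www.g3.sdi.mi.hdm-stuttgart.de. | nsupdate -k nsupdate.key
#   dig +noall +answer vm2.g7.sdi.mi.hdm-stuttgart.de | seconds_left   # e.g. 7069
```
<para>Keep in mind that <code>seconds_left</code> reports the view of
whichever resolver answered the query; the authoritative server
(<code>dig @nssdi.mi.hdm-stuttgart.de</code>) shows the change at once,
while every cache in between keeps the old record until its own copy of
the TTL runs out.</para>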