<chapter annotations="slide" version="5.1" xml:id="sdiDns"
xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns:ns="http://docbook.org/ns/transclusion"
xmlns:m="http://www.w3.org/1998/Math/MathML"
xmlns:html="http://www.w3.org/1999/xhtml"
xmlns:db="http://docbook.org/ns/docbook">
<section xml:id="sdiDnsPrelim">
<title>Preliminaries</title>
<figure xml:id="sdiDnsLinks">
<title>Documentation links</title>
<itemizedlist>
<listitem>
<para><link
xlink:href="https://www.cloudflare.com/learning/dns/what-is-dns">What
Is DNS? | How DNS Works</link></para>
</listitem>
<listitem>
<para><link
xlink:href="http://www.htmlgoodies.com/beyond/webmaster/article.php/3473261/An-Introduction-to-DNS.htm">An
Introduction to DNS</link></para>
</listitem>
<listitem>
<para><link xlink:href="http://www.zytrax.com/books/dns">DNS for
Rocket Scientists</link></para>
</listitem>
<listitem>
<para><link
xlink:href="https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-ubuntu-14-04">How
To Configure BIND as a Private Network DNS Server on
Ubuntu</link></para>
</listitem>
<listitem>
<para><link xlink:href="https://bind9.readthedocs.io/en/latest">BIND
9 Administrator Reference Manual</link></para>
</listitem>
</itemizedlist>
</figure>
<figure xml:id="sdiDnsQueryCommands">
<title><xref linkend="glo_DNS"/> query commands</title>
<para><command
xlink:href="https://manpages.debian.org/buster/dnsutils/dig.1.en.html">dig</command>
(<emphasis role="red">d</emphasis>omain <emphasis
role="red">i</emphasis>nformation <emphasis
role="red">g</emphasis>roper)</para>
<para><command
xlink:href="https://manpages.debian.org/buster/dnsutils/nslookup.1.en.html">nslookup</command></para>
</figure>
<figure xml:id="sdiDnsForwardLookup">
<title><xref linkend="glo_DNS"/> forward lookup</title>
<screen>> dig <emphasis role="red">learn.mi.hdm-stuttgart.de</emphasis>
; &lt;&lt;&gt;&gt; DiG 9.16.1-Ubuntu &lt;&lt;&gt;&gt; learn.mi.hdm-stuttgart.de
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 63891
...
;; ANSWER SECTION:
learn.mi.hdm-stuttgart.de. 6593 IN A <emphasis role="red">141.62.64.28</emphasis>
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) ...</screen>
</figure>
<figure xml:id="sdiDnsResultOnly">
<title>Display A-record result only</title>
<screen>> dig <emphasis role="red">+noall +answer</emphasis> <emphasis>www.hdm-stuttgart.de</emphasis>
www.hdm-stuttgart.de. 3600 IN A 141.62.1.53
www.hdm-stuttgart.de. 3600 IN A 141.62.1.59</screen>
</figure>
<figure xml:id="sdiDnsImportantRecordTypes">
<title>Important record types</title>
<informaltable border="1">
<tr>
<th>Record</th>
<th>Explanation</th>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/a-records">A</link></td>
<td valign="top">IPv4 host address</td>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/aaaa-records">AAAA</link></td>
<td valign="top">IPv6 host address</td>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/alias-records">ALIAS</link></td>
<td valign="top">Auto resolved alias</td>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/cname-records">CNAME</link></td>
<td valign="top">Canonical name for an alias</td>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/mx-records">MX</link></td>
<td valign="top">Mail eXchange</td>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/ns-records">NS</link></td>
<td valign="top">Name Server</td>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/ptr-records">PTR</link></td>
<td valign="top">Pointer</td>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/soa-records">SOA</link></td>
<td valign="top">Start Of Authority</td>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/srv-records">SRV</link></td>
<td valign="top">Location of service</td>
</tr>
<tr>
<td valign="top"><link
xlink:href="https://simpledns.plus/help/txt-records">TXT</link></td>
<td valign="top">Descriptive text</td>
</tr>
</informaltable>
</figure>
<figure xml:id="sdiDnsQueryNs">
<title>Name Servers: Query type <code>NS</code></title>
<screen>dig +noall +answer <emphasis role="red">-t NS</emphasis> hdm-stuttgart.de
hdm-stuttgart.de. 3600 IN NS iz-net-4.hdm-stuttgart.de.
hdm-stuttgart.de. 3600 IN NS dns3.belwue.de.
hdm-stuttgart.de. 3600 IN NS iz-net-3.hdm-stuttgart.de.
hdm-stuttgart.de. 3600 IN NS dns1.belwue.de.
hdm-stuttgart.de. 3600 IN NS iz-net-2.hdm-stuttgart.de.</screen>
</figure>
</section>
<section xml:id="sdiDnsExercises">
<title>Exercises</title>
<section xml:id="sdiDnsUseDig">
<title>Querying <xref linkend="glo_DNS"/> data</title>
<para>Use the <command>dig</command> command to query <code>A</code> /
<code>CNAME</code> / <code>MX</code> / <code>NS</code> records from
various machines / domains of your choice. Then execute reverse lookups
as well.</para>
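<para>The following script is an added example and not part of the course material: it wraps the <command>dig</command> calls this exercise asks for into shell functions and adds a small <command>awk</command> filter for the <option>+noall +answer</option> output shown in the figures above. The answer lines it processes offline are constructed from those figures; live queries are only sent when <code>SDI_LIVE=1</code> is set.</para>

```shell
#!/bin/sh
# Added example (not from the course material): scripted dig queries for the
# record types of this exercise, plus a small parser for "+noall +answer" output.
# The domain names below are the ones shown earlier in this chapter; the
# answer lines in SAMPLE are constructed from those figures for offline use.

# Query one record type for a name, answer section only.
query() {            # usage: query <name> <type>
  dig +noall +answer -t "$2" "$1"
}

# Reverse lookup: dig -x builds the in-addr.arpa name for us.
reverse() {          # usage: reverse <ipv4-address>
  dig +noall +answer -x "$1"
}

# Print only the rdata column of answer lines whose type matches $1.
# dig prints: <name> <ttl> <class> <type> <rdata...>, separated by whitespace.
rdata_of_type() {    # usage: ... | rdata_of_type <type>
  awk -v want="$1" '$3 == "IN" && $4 == want { $1=$2=$3=$4=""; sub(/^ +/, ""); print }'
}

# Count answer lines of a given type on stdin.
count_of_type() {    # usage: ... | count_of_type <type>
  rdata_of_type "$1" | grep -c .
}

# Constructed sample, taken from the dig figures in the preliminaries section.
SAMPLE='www.hdm-stuttgart.de.  3600  IN  A   141.62.1.53
www.hdm-stuttgart.de.  3600  IN  A   141.62.1.59
hdm-stuttgart.de.      3600  IN  NS  dns1.belwue.de.
hdm-stuttgart.de.      3600  IN  NS  dns3.belwue.de.'

sample_a_records() { printf '%s\n' "$SAMPLE" | rdata_of_type A; }
sample_ns_count()  { printf '%s\n' "$SAMPLE" | count_of_type NS; }

sample_a_records     # prints the two A addresses from the sample

# Live queries only when explicitly requested, so the script also runs offline.
if [ "${SDI_LIVE:-0}" = 1 ]; then
  for t in A CNAME MX NS; do query www.hdm-stuttgart.de "$t"; done
  reverse 141.62.1.53
fi
```

<para>Run it as <code>SDI_LIVE=1 sh dig-records.sh</code> to see real answers; without the variable only the parser runs. <code>rdata_of_type</code> checks the class column as well as the type, so <code>CNAME</code> and <code>A</code> lines in a mixed answer are kept apart.</para>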
</section>
<section xml:id="sdiBindInstall">
<title>Installing <xref linkend="glo_Soft_Bind"/></title>
<para>You may follow:</para>
<itemizedlist>
<listitem>
<para><link
xlink:href="https://www.linuxbabe.com/debian/authoritative-dns-server-debian-10-buster-bind9">Set
Up BIND Authoritative DNS Server on Debian</link></para>
</listitem>
<listitem>
<para><link
xlink:href="https://cloudinfrastructureservices.co.uk/how-to-install-bind-dns-on-debian-11-server-setup-configure">How
to Install Bind DNS on Debian 11 Server</link></para>
</listitem>
<listitem>
<para><link
xlink:href="https://www.zytrax.com/books/dns/ch8/soa.html">Start of
Authority Resource Record</link></para>
</listitem>
</itemizedlist>
<para>Install the <productname>bind9</productname> server package on
your <quote>a</quote> virtual machine. The MI department has already set
up a <xref linkend="glo_DNS"/> service for
<code>mi.hdm-stuttgart.de</code>. But with respect to the upcoming
exercises we want to be able to configure private host aliases.</para>
<para><code>sdi04a.mi.hdm-stuttgart.de / 141.62.75.104</code> hosting a <xref
linkend="glo_DNS"/> server. Create a complete new zone describing a
domain <code>sdi4.mi.hdm-stuttgart.de</code> containing both your
machines' <code>sdi04a.sdi4.mi.hdm-stuttgart.de</code> and
<code>sdi04b.sdi4.mi.hdm-stuttgart.de</code> address records. Your <xref
linkend="glo_DNS"/> server should provide at least the following:</para>
<glosslist>
<glossentry>
<glossterm>Your sdi4.mi.hdm-stuttgart.de domain's primary
nameserver</glossterm>
<glossdef>
</glossdef>
</glossentry>
<glossentry>
<glossterm>sdi04b.sdi4.mi.hdm-stuttgart.de</glossterm>
<glossdef>
</glossdef>
</glossentry>
<glossentry>
<glossterm>www4.sdi4.mi.hdm-stuttgart.de and</glossterm>
<glossdef>
<para>An alias (<code>CNAME</code>) to
<code>sdi04a.sdi4.mi.hdm-stuttgart.de</code>.</para>
</glossdef>
</glossentry>
</glosslist>
<para>All host names (albeit not yet existing) should point to your
virtual machine's IP. This requires setting up a forward zone
file.</para>
<tip>
<orderedlist>
<listitem>
<para>The <command>named-checkzone</command> command helps you check
your two zone files for correctness.</para>
</listitem>
<listitem>
<para>The <command>named-checkconf</command> command checks your
configuration's overall correctness.</para>
</listitem>
<listitem>
<para>You may use the <command>nslookup</command> command to query
your <xref linkend="glo_DNS"/> server. The <option>set
type=ns</option> option allows querying for the domain's primary
name server.</para>
</listitem>
</orderedlist>
</tip>
<itemizedlist>
<listitem>
<para><code>ns</code> (Nameserver)</para>
</listitem>
<listitem>
<para>(<xref linkend="sdiApache"/>).</para>
</listitem>
</itemizedlist>
<para>Test your configuration using <code>dig</code> <option>@&lt;your
host-IP&gt;</option> <option>...</option>. You should be able to
resolve e.g. <code>www4.sdi4.mi.hdm-stuttgart.de</code> to your local
host's IP address.</para>
</section>
<section xml:id="sdiDnsReverse">
<title>Reverse lookups</title>
<para>Define a reverse zone file to answer queries asking for an IP
address' machine name, <abbrev>i.e.</abbrev> resolving
<code>141.62.75.104</code> to</para>
</section>
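<para>The following script is an added example and not one of the course's own files. It serves both the forward-zone exercise above and this reverse-lookup exercise: it generates the <filename>named.conf.local</filename> zone stanzas, the forward zone for <code>sdi4.mi.hdm-stuttgart.de</code> (including the <code>MX</code> record asked for in the mail exchange exercise further down) and the matching <code>in-addr.arpa</code> reverse zone with one <code>PTR</code> record, and runs <command>named-checkzone</command> on both when the bind9 tools are installed. Host names and the address <code>141.62.75.104</code> come from the exercise text; the serial number, TTL values and the <code>hostmaster</code> mailbox are assumptions, and the <code>allow-update</code>/<code>allow-transfer</code> restrictions are an addition of this example.</para>

```shell
#!/bin/sh
# Added example (not the course's own files): generates the named.conf.local
# stanzas, the forward zone for sdi4.mi.hdm-stuttgart.de and the matching
# reverse zone, then validates them with named-checkzone when bind9 is installed.
# Names and the address 141.62.75.104 come from the exercise; serial, TTLs and
# the hostmaster mailbox are assumptions.

ZONE="sdi4.mi.hdm-stuttgart.de"
VM_IP="141.62.75.104"        # sdi04a, the VM running the name server
SERIAL="2024010101"          # assumed; YYYYMMDDnn convention

# Reverse name for one IPv4 address: 141.62.75.104 -> 104.75.62.141.in-addr.arpa
reverse_name() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo "$4.$3.$2.$1.in-addr.arpa"
}

# Reverse zone covering the /24 an address lives in: 141.62.75.104 -> 75.62.141.in-addr.arpa
reverse_zone_of() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo "$3.$2.$1.in-addr.arpa"
}

# Last octet, used as the PTR owner name inside the /24 reverse zone
host_octet() {
  echo "${1##*.}"
}

# SOA and NS records shared by both zone files (the 'ns' host is our server)
zone_header() {
  cat <<EOF
\$TTL 3600
@   IN SOA ns.$ZONE. hostmaster.$ZONE. (
        $SERIAL ; serial
        3600    ; refresh
        900     ; retry
        604800  ; expire
        300 )   ; negative-answer TTL
@   IN NS  ns.$ZONE.
EOF
}

# Forward zone: every host name resolves to the VM, www4 is a CNAME to sdi04a,
# and the MX from the mail exchange exercise points at mx1.hdm-stuttgart.de.
forward_zone_file() {
  zone_header
  cat <<EOF
@       IN MX    10 mx1.hdm-stuttgart.de.
ns      IN A     $VM_IP
sdi04a  IN A     $VM_IP
sdi04b  IN A     $VM_IP
www4    IN CNAME sdi04a.$ZONE.
EOF
}

# Reverse zone: one PTR mapping the VM's address back to sdi04a
reverse_zone_file() {
  zone_header
  echo "$(host_octet "$VM_IP")     IN PTR   sdi04a.$ZONE."
}

# Zone declarations for /etc/bind/named.conf.local. Dynamic updates and zone
# transfers are refused explicitly; open them only when you actually need them.
named_conf_local() {
  for z in "$ZONE" "$(reverse_zone_of "$VM_IP")"; do
    cat <<EOF
zone "$z" {
    type master;
    file "/etc/bind/db.$z";
    allow-update   { none; };
    allow-transfer { none; };
};
EOF
  done
}

# Write a zone to a temp file and check it; returns named-checkzone's status,
# or 0 with a notice when the tool is absent.
check_zone() {       # usage: check_zone <zone-name> <generator-function>
  tmp=$(mktemp); rc=0
  "$2" > "$tmp"
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone "$1" "$tmp" || rc=1
  else
    echo "named-checkzone not installed, skipping check of $1" >&2
  fi
  rm -f "$tmp"; return $rc
}

named_conf_local
forward_zone_file
reverse_zone_file
check_zone "$ZONE" forward_zone_file
check_zone "$(reverse_zone_of "$VM_IP")" reverse_zone_file
```

<para>Redirect the output of <code>forward_zone_file</code> and <code>reverse_zone_file</code> into <filename>/etc/bind/db.sdi4.mi.hdm-stuttgart.de</filename> and <filename>/etc/bind/db.75.62.141.in-addr.arpa</filename>, append the stanzas to <filename>named.conf.local</filename>, and run <command>named-checkconf</command> before reloading. Bump <code>SERIAL</code> on every change, otherwise secondaries and caches keep the old data.</para>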
<section xml:id="sdiDnsForwarder">
<title>Forwarders</title>
<para>Enable recursive queries to parent name servers, enabling your name
server to resolve external machines like <code>www.w3.org</code> by</para>
<tip>
<para>You may have to disable <code>DNSSEC</code> in order to allow
for recursive queries.</para>
</tip>
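<para>The following script is an added example and not part of the course material. It emits the <code>options</code> block for <filename>/etc/bind/named.conf.options</filename> twice: once in the form the tip describes, with <code>dnssec-validation no</code>, and once in a hardened form that keeps validation switched on (<code>dnssec-validation auto</code>) and, as an addition not mentioned in the text, answers recursive queries only for <code>localnets</code> and <code>localhost</code>. A small lint function then reports the risky settings. The forwarder addresses are TEST-NET placeholders that you have to replace with your site's resolvers.</para>

```shell
#!/bin/sh
# Added example (not from the course material): generates the options block
# for /etc/bind/named.conf.options with forwarders, once as the exercise tip
# describes it (DNSSEC validation off) and once hardened, plus a small lint
# that flags the risky settings. Forwarder addresses are placeholders.

FORWARDER1="192.0.2.53"      # placeholder (TEST-NET-1), not a real resolver
FORWARDER2="192.0.2.54"      # placeholder

# $1 = dnssec-validation value ("no" or "auto"); $2 = allow-recursion ACL body
options_block() {
  cat <<EOF
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { $2 };
    forwarders { $FORWARDER1; $FORWARDER2; };
    forward only;
    dnssec-validation $1;
    listen-on-v6 { any; };
};
EOF
}

# The quick workaround from the tip: validation off, recursion open to anyone.
weak_options()     { options_block no   "any;"; }
# Hardened: keep validation, and answer recursive queries only for local clients.
hardened_options() { options_block auto "localnets; localhost;"; }

# True when the text in $2 contains a line matching the ERE in $1
has_setting() {
  printf '%s\n' "$2" | grep -Eq "$1"
}

# Lint an options block read from stdin: findings go to stderr, the number of
# findings to stdout, so 0 means clean.
lint_options() {
  input=$(cat); findings=0
  if has_setting '^[[:space:]]*dnssec-validation[[:space:]]+no;' "$input"; then
    echo "finding: dnssec-validation no, forwarder answers are accepted unverified" >&2
    findings=$((findings + 1))
  fi
  if has_setting '^[[:space:]]*allow-recursion[[:space:]]*[{][[:space:]]*any;' "$input"; then
    echo "finding: allow-recursion { any; } turns the server into an open resolver" >&2
    findings=$((findings + 1))
  fi
  if has_setting '^[[:space:]]*recursion[[:space:]]+yes;' "$input" &&
     ! has_setting '^[[:space:]]*allow-recursion' "$input"; then
    echo "finding: recursion yes without allow-recursion (open resolver)" >&2
    findings=$((findings + 1))
  fi
  echo "$findings"
}

echo "## options as the tip suggests (validation off):"
weak_options
echo "findings: $(weak_options | lint_options)"
echo "## hardened options:"
hardened_options
echo "findings: $(hardened_options | lint_options)"
```

<para>If recursion only works after validation is switched off, the forwarders you configured do not return validatable answers; the hardened block is the one to keep once that is sorted out, because with validation off a forwarder (or anybody able to spoof its answers) decides what your clients resolve.</para>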
</section>
<section xml:id="sdiBindMx">
<title>Mail exchange record</title>
<para>Provide a mail exchange record pointing to
<code>mx1.hdm-stuttgart.de</code>.</para>
<para>Caveat: Configuring a client machine to use your name server and
sending a mail to <code>xy123@sdi04.mi.hdm-stuttgart.de</code> won't
work since <code>mail.hdm-stuttgart.de</code> will reject mails being
sent to any domain other than <code>hdm-stuttgart.de</code>.</para>
</section>
<section xml:id="sdiDnsProjectNameServer">
<title>SDI exercises related <xref linkend="glo_DNS"/> server</title>
<para>This section explains how to define two publicly visible <xref
linkend="glo_DNS"/> <code>A</code> records for your VMs. The objective is
defining two <code>A</code> records <code>sdi1</code> and <code>sdi2</code>
within your respective <xref linkend="glo_DNS"/> domain.</para>
<para>With respect to upcoming <link
xlink:href="sdiApacheVirtualHosts">virtual host exercises</link> the MI
department provides a public <xref linkend="glo_DNS"/> integrated <xref
linkend="glo_Soft_Bind"/> based server
<code>nssdi.mi.hdm-stuttgart.de</code> allowing for <xref
linkend="glo_CLI"/> updates. This works as follows:</para>
<itemizedlist>
<listitem>
<para>Each working group registered below <link
xlink:href="https://learn.mi.hdm-stuttgart.de/ilias/goto.php?target=crs_12398&amp;client_id=iliasclient1">113475
Software defined Infrastructure</link> has access to a respective
zone file defining a subdomain of
<code>sdi.mi.hdm-stuttgart.de</code>:</para>
<itemizedlist>
<listitem>
<para>Assuming you belong to <emphasis role="red">group
3</emphasis> your corresponding subdomain is <emphasis
role="red"><code>g3</code></emphasis>.<code>sdi.mi.hdm-stuttgart.de</code>.</para>
</listitem>
<listitem>
<para>You'll find a <filename>dnsupdate.sec</filename> file
containing the secret for authorizing your individual zone's
management:</para>
<screen>hmac-sha256:mykey.<emphasis role="red">g3</emphasis>:I5sDDS3L1BUHNGWU2n7LEmkWJfNq/giDuXb1u076VjQ=</screen>
<note>
<para>The per-zone secrets are created using <link
xlink:href="https://manpages.ubuntu.com/manpages/jammy/man8/ddns-confgen.8.html">tsig-keygen</link>.
The value shown here does not reflect a production
setting.</para>
</note>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><link
xlink:href="https://linux.die.net/man/8/nsupdate">nsupdate</link>
allows for zone management as being explained below.</para>
</listitem>
</itemizedlist>
<para>Adding an <code>A</code> record for <acronym>e.g.</acronym> your
second <code>sdi2</code> VM requires:</para>
<programlisting language="bash">HMAC=hmac-sha256:mykey.<emphasis
role="red">g3</emphasis>:I5sDDS3L1BUHNGWU2n7LEmkWJfNq/giDuXb1u076VjQ=
goik>nsupdate -y $HMAC
> server nssdi.mi.hdm-stuttgart.de
> update add sdi2.<emphasis role="red">g3</emphasis>.sdi.mi.hdm-stuttgart.de 86400 A 172.16.1.1
> send
> quit
goik>dig +noall +answer @nssdi.mi.hdm-stuttgart.de sdi2.<emphasis
role="red">g3</emphasis>.sdi.mi.hdm-stuttgart.de
sdi2.<emphasis role="red">g3</emphasis>.sdi.mi.hdm-stuttgart.de. 86400 IN A 172.16.1.1</programlisting>
<para>This entry will be globally visible:</para>
<programlisting language="none">goik>dig +noall +answer sdi2.<emphasis
role="red">g3</emphasis>.sdi.mi.hdm-stuttgart.de
sdi2.<emphasis role="red">g3</emphasis>.sdi.mi.hdm-stuttgart.de. 7069 IN A 172.16.1.1</programlisting>
<para>You should now be able to use your VM's <xref linkend="glo_DNS"/>
name:</para>
<programlisting language="none">>ssh ...@sdi2.<emphasis role="red">g3</emphasis>.sdi.mi.hdm-stuttgart.de</programlisting>
<para>Deleting this <xref linkend="glo_DNS"/> record works
accordingly:</para>
<programlisting language="none">goik>nsupdate -y $HMAC
> server nssdi.mi.hdm-stuttgart.de
>
> update del sdi2.<emphasis role="red">g3</emphasis>.sdi.mi.hdm-stuttgart.de A
> send
> quit
goik>
goik>dig +noall +answer @nssdi.mi.hdm-stuttgart.de sdi2.<emphasis
role="red">g3</emphasis>.sdi.mi.hdm-stuttgart.de</programlisting>
<para>Due to caching it will however take up to the time defined by your
<abbrev>SOA</abbrev> or record-specific settings for this deletion to be
reflected globally. The subsequent query result indicates another 7069
seconds to go before a query will reflect the deletion:</para>
<programlisting language="none">goik>dig +noall +answer sdi2.<emphasis
role="red">g3</emphasis>.sdi.mi.hdm-stuttgart.de
sdi2.<emphasis role="red">g3</emphasis>.sdi.mi.hdm-stuttgart.de. 7069 IN A 172.16.1.1</programlisting>
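<para>The following script is an added example and not part of the course material. It performs the add and delete operations shown above without typing into the <command>nsupdate</command> prompt, and it hands the TSIG secret to <command>nsupdate</command> through a key file (<option>-k</option>) instead of the <option>-y</option> command line option used above: an argument given with <option>-y</option> ends up in the shell history and is visible in the process list to every user on the machine. The key file format is the one <command>tsig-keygen</command> itself produces. Group number, server name and the address <code>172.16.1.1</code> come from the text; the secret is the non-production sample shown above. Live updates are only sent when <code>SDI_APPLY=1</code> is set.</para>

```shell
#!/bin/sh
# Added example (not part of the course material): drives nsupdate from a
# script and reads the TSIG secret from a 0600 key file (nsupdate -k) rather
# than passing it with -y, where it shows up in the shell history and in the
# process list of every user on the machine. Group, server and the example
# address come from the text; the secret is the non-production sample shown there.

NSSERVER="nssdi.mi.hdm-stuttgart.de"
GROUP="g3"
ZONE="$GROUP.sdi.mi.hdm-stuttgart.de"
# Contents of dnsupdate.sec as handed out (sample value, not a real secret)
DNSUPDATE_SEC="hmac-sha256:mykey.$GROUP:I5sDDS3L1BUHNGWU2n7LEmkWJfNq/giDuXb1u076VjQ="

# Turn the algorithm:name:secret triple into a named-style key file (the
# format tsig-keygen produces). The secret is base64 and never contains ':',
# so splitting on ':' is safe.
key_file_text() {    # usage: key_file_text <algorithm:name:secret>
  old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
  printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$2" "$1" "$3"
}

# nsupdate batch for adding or deleting an A record in our zone.
# usage: update_script add <host> <ipv4> | update_script del <host>
update_script() {
  host="$2.$ZONE"
  printf 'server %s\n' "$NSSERVER"
  case "$1" in
    add) printf 'update add %s 86400 A %s\n' "$host" "$3" ;;
    del) printf 'update delete %s A\n' "$host" ;;
    *)   echo "unknown action $1" >&2; return 2 ;;
  esac
  printf 'send\n'
}

# Write the key file with owner-only permissions and run the batch.
# Prints the batch instead of running it unless SDI_APPLY=1 and nsupdate exists.
apply_update() {     # usage: apply_update add <host> <ipv4> | apply_update del <host>
  keyfile=$(mktemp)
  chmod 600 "$keyfile"
  key_file_text "$DNSUPDATE_SEC" > "$keyfile"
  batch=$(update_script "$@")
  if [ "${SDI_APPLY:-0}" = 1 ] && command -v nsupdate >/dev/null 2>&1; then
    if printf '%s\n' "$batch" | nsupdate -k "$keyfile"; then rc=0; else rc=$?; fi
  else
    printf '%s\n' "$batch"; rc=0
  fi
  rm -f "$keyfile"     # the secret stays on disk only for the duration of the call
  return $rc
}

# Verify directly against the authoritative server, bypassing caches.
verify_record() {    # usage: verify_record <host>
  dig +noall +answer "@$NSSERVER" "$1.$ZONE"
}

apply_update add sdi2 172.16.1.1
apply_update del sdi2
if [ "${SDI_APPLY:-0}" = 1 ]; then verify_record sdi2; fi
```

<para>Without <code>SDI_APPLY=1</code> the script only prints the two batches, which is a convenient way to review an update before it is sent. Keep <filename>dnsupdate.sec</filename> itself readable by your user only; whoever can read it can rewrite every record in your group's zone.</para>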
</section>