<?xml version="1.0" encoding="UTF-8"?> <chapter annotations="slide" version="5.1" xml:id="sdiDns" xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xila="http://www.w3.org/2001/XInclude/local-attributes" xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:svg="http://www.w3.org/2000/svg" xmlns:ns="http://docbook.org/ns/transclusion" xmlns:m="http://www.w3.org/1998/Math/MathML" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:db="http://docbook.org/ns/docbook"> <title><xref linkend="glo_DNS"/></title> <section xml:id="sdiDnsPrelim"> <title>Preliminaries</title> <figure xml:id="sdiDnsLinks"> <title>Documentation links</title> <itemizedlist> <listitem> <para><link xlink:href="https://www.cloudflare.com/learning/dns/what-is-dns">What Is DNS? | How DNS Works</link></para> </listitem> <listitem> <para><link xlink:href="http://www.htmlgoodies.com/beyond/webmaster/article.php/3473261/An-Introduction-to-DNS.htm">An Introduction to DNS</link></para> </listitem> <listitem> <para><link xlink:href="http://www.zytrax.com/books/dns">DNS for Rocket Scientists</link></para> </listitem> <listitem> <para><link xlink:href="https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-ubuntu-14-04">How To Configure BIND as a Private Network DNS Server on Ubuntu</link></para> </listitem> <listitem> <para><link xlink:href="https://bind9.readthedocs.io/en/latest">BIND 9 Administrator Reference Manual</link></para> </listitem> </itemizedlist> </figure> <figure xml:id="sdiDnsQueryCommands"> <title><xref linkend="glo_DNS"/> query commands</title> <itemizedlist> <listitem> <para><command xlink:href="https://manpages.debian.org/buster/dnsutils/dig.1.en.html">dig</command> (<emphasis role="red">d</emphasis>omain <emphasis role="red">i</emphasis>nformation <emphasis role="red">g</emphasis>roper)</para> </listitem> <listitem> <para><command 
xlink:href="https://manpages.debian.org/buster/dnsutils/nslookup.1.en.html">nslookup</command></para> </listitem> </itemizedlist> </figure> <figure xml:id="sdiDnsForwardLookup"> <title><xref linkend="glo_DNS"/> forward lookup</title> <screen>> dig <emphasis role="red">learn.mi.hdm-stuttgart.de</emphasis>

; &lt;&lt;&gt;&gt; DiG 9.16.1-Ubuntu &lt;&lt;&gt;&gt; learn.mi.hdm-stuttgart.de
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 63891
...
;; ANSWER SECTION:
learn.mi.hdm-stuttgart.de. 6593 IN A <emphasis role="red">141.62.64.28</emphasis>

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
...</screen> </figure> <figure xml:id="sdiDnsResultOnly"> <title>Display A-record result only</title> <screen>> dig <emphasis role="red">+noall +answer</emphasis> <emphasis>www.hdm-stuttgart.de</emphasis>
www.hdm-stuttgart.de. 3600 IN A 141.62.1.53
www.hdm-stuttgart.de. 3600 IN A 141.62.1.59</screen> </figure> <figure xml:id="sdiDnsImportantRecordTypes"> <title>Important record types</title> <informaltable border="1"> <tr> <th>Record</th> <th>Explanation</th> </tr> <tr> <td valign="top"><link xlink:href="https://simpledns.plus/help/a-records">A</link></td> <td valign="top">IPv4 host address</td> </tr> <tr> <td valign="top"><link xlink:href="https://simpledns.plus/help/aaaa-records">AAAA</link></td> <td valign="top">IPv6 host address</td> </tr> <tr> <td valign="top"><link xlink:href="https://simpledns.plus/help/alias-records">ALIAS</link></td> <td valign="top">Provider-specific pseudo-record (not an IETF standard): an alias the server resolves itself, usable at a zone apex where <code>CNAME</code> is not allowed</td> </tr> <tr> <td valign="top"><link xlink:href="https://simpledns.plus/help/cname-records">CNAME</link></td> <td valign="top">Canonical name for an alias</td> </tr> <tr> <td valign="top"><link xlink:href="https://simpledns.plus/help/mx-records">MX</link></td> <td valign="top">Mail eXchange</td> </tr> <tr> <td valign="top"><link xlink:href="https://simpledns.plus/help/ns-records">NS</link></td> <td valign="top">Name Server</td> </tr> <tr> <td valign="top"><link 
xlink:href="https://simpledns.plus/help/ptr-records">PTR</link></td> <td valign="top">Pointer (reverse mapping from an IP address to a name)</td> </tr> <tr> <td valign="top"><link xlink:href="https://simpledns.plus/help/soa-records">SOA</link></td> <td valign="top">Start Of Authority</td> </tr> <tr> <td valign="top"><link xlink:href="https://simpledns.plus/help/srv-records">SRV</link></td> <td valign="top">Location of a service (host and port)</td> </tr> <tr> <td valign="top"><link xlink:href="https://simpledns.plus/help/txt-records">TXT</link></td> <td valign="top">Descriptive text (also carries SPF and DKIM policies and domain verification tokens)</td> </tr> </informaltable> </figure> <figure xml:id="sdiDnsQueryNs"> <title>Name Servers: Query type <code>NS</code></title> <screen>dig +noall +answer <emphasis role="red">-t NS</emphasis> hdm-stuttgart.de
hdm-stuttgart.de. 3600 IN NS iz-net-4.hdm-stuttgart.de.
hdm-stuttgart.de. 3600 IN NS dns3.belwue.de.
hdm-stuttgart.de. 3600 IN NS iz-net-3.hdm-stuttgart.de.
hdm-stuttgart.de. 3600 IN NS dns1.belwue.de.
hdm-stuttgart.de. 3600 IN NS iz-net-2.hdm-stuttgart.de.</screen> </figure> </section> <section xml:id="sdiDnsExercises"> <title>Exercises</title> <section xml:id="sdiDnsUseDig"> <title>Querying <xref linkend="glo_DNS"/> data</title> <para>Use the <command>dig</command> command to query <code>A</code>, <code>CNAME</code>, <code>MX</code> and <code>NS</code> records for hosts and domains of your choice. 
Then perform reverse lookups (IP address to host name) as well.</para> </section> <section xml:id="sdiBindInstall"> <title>Installing <xref linkend="glo_Soft_Bind"/></title> <para>You may follow:</para> <itemizedlist> <listitem> <para><link xlink:href="https://www.linuxbabe.com/debian/authoritative-dns-server-debian-10-buster-bind9">Set Up BIND Authoritative DNS Server on Debian</link></para> </listitem> <listitem> <para><link xlink:href="https://cloudinfrastructureservices.co.uk/how-to-install-bind-dns-on-debian-11-server-setup-configure">How to Install Bind DNS on Debian 11 Server</link></para> </listitem> <listitem> <para><link xlink:href="https://www.zytrax.com/books/dns/ch8/soa.html">Start of Authority Resource Record</link></para> </listitem> </itemizedlist> <para>Install the <productname>bind9</productname> server package on your <quote>a</quote> virtual machine. The MI department already runs a <xref linkend="glo_DNS"/> service for <code>mi.hdm-stuttgart.de</code>; for the upcoming exercises, however, we want to be able to configure private host aliases ourselves.</para> <para>Consider the example virtual machine <code>sdi04a.mi.hdm-stuttgart.de / 141.62.75.104</code> hosting a <xref linkend="glo_DNS"/> server. Create a new zone for the domain <code>sdi4.mi.hdm-stuttgart.de</code> containing address records for both of your machines, <code>sdi04a.sdi4.mi.hdm-stuttgart.de</code> and <code>sdi04b.sdi4.mi.hdm-stuttgart.de</code>. 
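</para> <para>The following script is an added example and not part of the lecture material. It writes a complete solution skeleton for this exercise (forward zone, reverse zone and the zone declarations for <filename>named.conf.local</filename>) together with the forwarder settings used by the later exercises, and runs <command>named-checkzone</command> on the result. The output directory <code>ZONEDIR</code>, the <code>hostmaster</code> mailbox, the forwarder address <code>192.0.2.53</code> and the serial number scheme are assumptions; the host names and the address <code>141.62.75.104</code> are those of the exercise.</para>

```shell
#!/bin/sh
# Added example, not part of the lecture material: writes the forward and
# reverse zone files plus named.conf fragments for the sdi4 exercise and runs
# BIND's checker on them. ZONEDIR, the hostmaster mailbox, the forwarder
# address and the serial scheme are assumptions; on the real VM use
# /etc/bind/zones and include the fragments from named.conf.local/.options.
set -eu

ZONEDIR="${ZONEDIR:-${TMPDIR:-/tmp}/sdi4-zones}"   # assumption: output directory
FORWARD_ZONE="sdi4.mi.hdm-stuttgart.de"
HOST_IP="141.62.75.104"                            # sdi04a, from the exercise text

# Serial in the usual YYYYMMDDnn form; bump nn for further edits on the same day.
zone_serial() { printf '%s01\n' "$(date -u +%Y%m%d)"; }

# Owner name of the PTR record: 141.62.75.104 -> 104.75.62.141.in-addr.arpa
ptr_name() {
  printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# Reverse zone for the /24 containing the address: -> 75.62.141.in-addr.arpa
reverse_zone_name() {
  printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}

# Forward zone: all names point to the "a" machine for now, as the exercise asks.
write_forward_zone() {
  cat > "$ZONEDIR/db.$FORWARD_ZONE" <<EOF
\$TTL 3600
@       IN SOA ns.$FORWARD_ZONE. hostmaster.$FORWARD_ZONE. (
            $(zone_serial) ; serial
            7200       ; refresh
            900        ; retry
            1209600    ; expire
            300 )      ; negative caching TTL for NXDOMAIN answers
@       IN NS    ns.$FORWARD_ZONE.
ns      IN A     $HOST_IP
sdi04a  IN A     $HOST_IP
sdi04b  IN A     $HOST_IP
www4    IN CNAME sdi04a
www4-2  IN CNAME sdi04a
@       IN MX 10 mx1.hdm-stuttgart.de.
EOF
}

# Reverse zone: the PTR owner is written out in full to make the mapping visible.
write_reverse_zone() {
  rev="$(reverse_zone_name "$HOST_IP")"
  cat > "$ZONEDIR/db.$rev" <<EOF
\$TTL 3600
@   IN SOA ns.$FORWARD_ZONE. hostmaster.$FORWARD_ZONE. ( $(zone_serial) 7200 900 1209600 300 )
@   IN NS  ns.$FORWARD_ZONE.
$(ptr_name "$HOST_IP"). IN PTR sdi04a.$FORWARD_ZONE.
EOF
}

# Zone declarations; append to /etc/bind/named.conf.local on the server.
write_named_conf() {
  rev="$(reverse_zone_name "$HOST_IP")"
  cat > "$ZONEDIR/named.conf.sdi4" <<EOF
zone "$FORWARD_ZONE" {
    type master;
    file "$ZONEDIR/db.$FORWARD_ZONE";
    allow-transfer { none; };   // an open AXFR hands out your whole host inventory
};
zone "$rev" {
    type master;
    file "$ZONEDIR/db.$rev";
    allow-transfer { none; };
};
EOF
}

# Forwarding settings; merge into the options block of named.conf.options.
# 192.0.2.53 is a placeholder from the documentation range, not a real resolver.
write_options() {
  cat > "$ZONEDIR/named.conf.options.sdi4" <<EOF
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { localhost; localnets; };   // never run an open resolver
    forwarders { 192.0.2.53; };
    forward only;
    dnssec-validation auto;   // switch to "no" only if the forwarder breaks validation
};
EOF
}

# Syntax and consistency check with BIND's own tool (package bind9-utils on Debian).
check_zones() {
  command -v named-checkzone >/dev/null 2>&1 || { echo "named-checkzone not installed, skipping check" >&2; return 0; }
  rev="$(reverse_zone_name "$HOST_IP")"
  named-checkzone "$FORWARD_ZONE" "$ZONEDIR/db.$FORWARD_ZONE"
  named-checkzone "$rev" "$ZONEDIR/db.$rev"
}

mkdir -p "$ZONEDIR"
write_forward_zone
write_reverse_zone
write_named_conf
write_options
check_zones
```

<para>After copying the files to <filename>/etc/bind</filename> and adjusting the <code>file</code> paths, run <command>named-checkconf</command> and restart <productname>bind9</productname>. The two settings worth keeping even outside the lab are <code>allow-transfer { none; }</code>, which stops anyone from pulling the whole zone with <code>AXFR</code>, and the restricted <code>allow-recursion</code> list, which keeps the server from becoming an open resolver.</para> <para>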
Your <xref linkend="glo_DNS"/> server should provide at least the following data:</para> <glosslist> <glossentry> <glossterm>Your sdi4.mi.hdm-stuttgart.de domain's primary nameserver</glossterm> <glossdef> <para>The primary (authoritative) name server for the domain <code>sdi4.mi.hdm-stuttgart.de</code>, i.e. an <code>NS</code> record at the zone apex plus an <code>A</code> record for the server's name.</para> </glossdef> </glossentry> <glossentry> <glossterm>sdi04a.sdi4.mi.hdm-stuttgart.de</glossterm> <glossdef> <para>Your first machine's host name.</para> </glossdef> </glossentry> <glossentry> <glossterm>sdi04b.sdi4.mi.hdm-stuttgart.de</glossterm> <glossdef> <para>Your second machine's host name.</para> </glossdef> </glossentry> <glossentry> <glossterm>www4.sdi4.mi.hdm-stuttgart.de and www4-2.sdi4.mi.hdm-stuttgart.de</glossterm> <glossdef> <para><code>CNAME</code> aliases pointing to <code>sdi04a.sdi4.mi.hdm-stuttgart.de</code>.</para> </glossdef> </glossentry> </glosslist> <para>All host names (albeit not yet existing) should point to your virtual machine's IP address. This requires setting up a forward zone file.</para> <tip> <orderedlist> <listitem> <para>The <command>named-checkzone</command> command checks each of your zone files (forward and, later, reverse) for syntax and consistency errors.</para> </listitem> <listitem> <para>The <command>named-checkconf</command> command checks the overall configuration.</para> </listitem> <listitem> <para>You may use the <command>nslookup</command> command to query your <xref linkend="glo_DNS"/> server. The <option>set type=ns</option> option lets you query for the domain's primary name server.</para> </listitem> </orderedlist> </tip> <para>Suggested names:</para> <itemizedlist> <listitem> <para><code>ns</code> (name server)</para> </listitem> <listitem> <para><code>www4</code> (future web server, see <xref linkend="sdiApache"/>).</para> </listitem> </itemizedlist> <para>Test your configuration using <code>dig</code> <option>@&lt;your host-IP&gt;</option> <option>...</option>, which queries your server directly instead of the resolver configured in <filename>/etc/resolv.conf</filename>. You should be able to resolve, for example, 
<code>www4.sdi4.mi.hdm-stuttgart.de</code> to your virtual machine's IP address.</para> </section> <section xml:id="sdiDnsReverse"> <title>Reverse lookups</title> <para>Define a reverse zone file (<code>in-addr.arpa</code> domain, <code>PTR</code> records) answering queries for the host name belonging to an IP address, <abbrev>i.e.</abbrev> resolving <code>141.62.75.104</code> to <code>sdi04a.mi.hdm-stuttgart.de</code>.</para> </section> <section xml:id="sdiDnsForwarder"> <title>Forwarders</title> <para>Configure forwarders so that your name server also resolves external names such as <code>www.w3.org</code>: recursive queries for names outside your own zones are passed on to an upstream resolver (e.g. the department's name server), which performs the resolution on your behalf. Restrict recursion to your own networks (<code>allow-recursion</code>); an open resolver reachable from the Internet gets abused for amplification attacks.</para> <tip> <para>Debian's default <filename>named.conf.options</filename> sets <code>dnssec-validation auto</code>, so your server validates the forwarded answers. If the upstream resolver does not return the DNSSEC data needed for validation, external lookups fail with <code>SERVFAIL</code>; you may then have to set <code>dnssec-validation no</code> to allow recursive queries. Note that this switches validation off entirely and is acceptable only in this lab setting.</para> </tip> </section> <section xml:id="sdiBindMx"> <title>Mail exchange record</title> <para>Provide a mail exchange (<code>MX</code>) record pointing to <code>mx1.hdm-stuttgart.de</code>. Test this configuration using <command>dig</command> with query type <code>MX</code>.</para> <para>Caveat: configuring a client machine to use your name server and sending a mail to <code>xy123@sdi04.mi.hdm-stuttgart.de</code> will not work, since <code>mail.hdm-stuttgart.de</code> rejects mail addressed to any domain other than <code>hdm-stuttgart.de</code>.</para> </section> <section xml:id="sdiDnsProjectNameServer"> <title><xref linkend="glo_DNS"/> server for the SDI exercises</title> <figure xml:id="sdiDnsSubdomainPerGroup"> <title>Subdomain per group</title> <itemizedlist> <listitem> <para>Dedicated lecture-related <xref linkend="glo_DNS"/> server <code>nssdi.mi.hdm-stuttgart.de</code>.</para> </listitem> <listitem> <para>One subdomain per group, <acronym>e.g.</acronym> <emphasis role="red">g7.sdi.mi.hdm-stuttgart.de</emphasis> corresponding to <emphasis role="red">group 7</emphasis>.</para> </listitem> <listitem> <para>Zone edits require a subdomain-specific <code>hmac</code> (TSIG) secret key, provided to your course group as the file <filename>dnsupdate.sec</filename>:</para> <screen>hmac-sha256:mykey.<emphasis role="red">g7</emphasis>:I5sDDS3L1BU...</screen> <note> 
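<para>Scripted updates with this key, as an added example that is not part of the lecture material: the secret is read from a key file (<code>nsupdate -k</code>) in the syntax <command>tsig-keygen</command> prints, instead of being passed on the command line, and the update is made conditional with a prerequisite so that a rerun cannot silently overwrite an existing record. Server, zone and record values are those of the figures in this section; the key file location, the key value and the addresses are placeholders, and the script name <filename>nsupdate-example.sh</filename> is an assumption.</para>

```shell
#!/bin/sh
# Added example, not from the lecture: scripted dynamic updates against the
# group zone with the TSIG secret read from a key file (nsupdate -k) rather
# than passed with -y. Server, zone and record values come from the figures
# in this section; key name/secret, file location and addresses are placeholders.
set -eu

SERVER="nssdi.mi.hdm-stuttgart.de"
ZONE="g7.sdi.mi.hdm-stuttgart.de"
KEYFILE="${KEYFILE:-${HOME:-/tmp}/.dnsupdate.key}"   # assumption: where the key lives

# Store the secret in the named.conf key syntax (what tsig-keygen prints and
# what nsupdate -k and dig -k read), readable by the owner only.
write_keyfile() {   # $1 key name, $2 base64 secret
  ( umask 077; printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' "$1" "$2" > "$KEYFILE" )
}

# Batch that creates a record only if no RRset of that type exists yet, so a
# rerun cannot silently replace something another group member added.
#   $1 owner name  $2 ttl  $3 type  $4 rdata
add_record_batch() {
  printf 'server %s\nzone %s\nprereq nxrrset %s %s\nupdate add %s %s %s %s\nsend\n' \
    "$SERVER" "$ZONE" "$1" "$3" "$1" "$2" "$3" "$4"
}

# Batch that replaces a record: "update delete <name> <type>" removes every RR
# of that type, so the stored TTL and rdata need not be repeated exactly.
replace_record_batch() {
  printf 'server %s\nzone %s\nupdate delete %s %s\nupdate add %s %s %s %s\nsend\n' \
    "$SERVER" "$ZONE" "$1" "$3" "$1" "$2" "$3" "$4"
}

# Send a batch (read from stdin) and read the result back from the
# authoritative server, which is not subject to your local resolver's cache.
apply_batch() {   # $1 owner name, $2 type
  nsupdate -k "$KEYFILE" -v          # -v: use TCP for the update
  dig +noall +answer @"$SERVER" -t "$2" "$1"
}

main() {
  write_keyfile "mykey.g7" "cGxhY2Vob2xkZXI="        # placeholder secret, not a real key
  add_record_batch "sdi2.$ZONE" 86400 A 172.16.1.1 | apply_batch "sdi2.$ZONE" A
  replace_record_batch "admin.$ZONE" 7200 CNAME "www.$ZONE" | apply_batch "admin.$ZONE" CNAME
}

# "sh nsupdate-example.sh run" performs the updates; without the argument the
# script only defines the functions.
if [ "${1:-}" = "run" ]; then main; fi
```

<para>The <code>prereq nxrrset</code> line makes the server reject the whole batch if a record of that type already exists under the name, which is the difference between creating a record and overwriting one. Because the server checks the prerequisites and applies the updates of one batch atomically, two group members running the script at the same time cannot both succeed.</para>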
<para>The per-zone secrets are created using <link xlink:href="https://manpages.ubuntu.com/manpages/jammy/man8/ddns-confgen.8.html">tsig-keygen</link>. The value shown here is not a real key.</para> </note> </listitem> <listitem> <para>Edits become globally visible (subject to resolver caching, see below).</para> </listitem> </itemizedlist> </figure> <figure xml:id="sdiDnsQueryZone"> <title>Querying <xref linkend="glo_DNS"/> zone</title> <screen>$ export HMAC=hmac-sha256:mykey.g7:YXWSeh3l...
$ dig @<emphasis role="red">nssdi.mi.hdm-stuttgart.de</emphasis> -y <emphasis role="red">$HMAC</emphasis> -t AXFR <emphasis role="red">g7.sdi.mi.hdm-stuttgart.de</emphasis>
...
g7.sdi.mi.hdm-stuttgart.de. 86400 IN SOA nssdi.mi.hdm-stuttgart.de. goik.hdm-stuttgart.de. ...
docu.g7.sdi.mi.hdm-stuttgart.de. 5000 IN CNAME www.g7.sdi.mi.hdm-stuttgart.de.
manual.g7.sdi.mi.hdm-stuttgart.de. 5000 IN CNAME www.g7.sdi.mi.hdm-stuttgart.de.
nextcloud.g7.sdi.mi.hdm-stuttgart.de. 5000 IN CNAME www.g7.sdi.mi.hdm-stuttgart.de.
...</screen> <note> <para>Here the zone transfer (<code>AXFR</code>) is signed with the group's TSIG key. Passing the secret with <option>-y</option> exposes it in the process list and the shell history; both <command>dig</command> and <command>nsupdate</command> accept <option>-k</option> with a key file instead.</para> </note> </figure> <figure xml:id="sdiDnsNsupdateAddRecord"> <title>Creating an <code>A</code> record</title> <programlisting language="bash">export HMAC=hmac-sha256:mykey.g7:YXWSeh3l...
goik>nsupdate -y $HMAC
> server nssdi.mi.hdm-stuttgart.de
> update add sdi2.<emphasis role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de 86400 A 172.16.1.1
> send
> quit
goik>dig +noall +answer @nssdi.mi.hdm-stuttgart.de sdi2.<emphasis role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de
sdi2.<emphasis role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de. 86400 IN A 172.16.1.1</programlisting> </figure> <para>This entry will be globally visible:</para> <programlisting language="none">>dig +noall +answer sdi2.<emphasis role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de
sdi2.<emphasis role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de. 
7069 IN A 172.16.1.1</programlisting> <figure xml:id="sdiDnsNsupdateDeleteRecord"> <title>Modify by delete/create</title> <programlisting language="bash">$ nsupdate -y $HMAC
> server nssdi.mi.hdm-stuttgart.de
> update delete admin.g3.sdi.mi.hdm-stuttgart.de. <emphasis role="red">3600</emphasis> IN CNAME www.g3.sdi.mi.hdm-stuttgart.de.
> update add admin.g3.sdi.mi.hdm-stuttgart.de. <emphasis role="red">7200</emphasis> IN CNAME www.g3.sdi.mi.hdm-stuttgart.de.
> send
> quit</programlisting> <note> <para>Examples at <link xlink:href="https://serverless.industries/2020/09/27/dns-nsupdate-howto.en.html">DNS Updates with nsupdate</link></para> </note> </figure> <para>Due to caching, however, it takes up to the record's TTL until such a change is visible everywhere: the authoritative server answers correctly right away, but a resolver keeps serving the copy it cached until that copy expires. The TTL column of the following answer shows that this resolver will hand out the cached record for another 7069 seconds before asking the authoritative server again:</para> <programlisting language="none">goik>dig +noall +answer sdi2.<emphasis role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de
sdi2.<emphasis role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de. 7069 IN A 172.16.1.1</programlisting> </section> </section> </chapter>