<?xml version="1.0" encoding="UTF-8"?>
<chapter annotations="slide" version="5.1" xml:id="sdiDns"
         xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xila="http://www.w3.org/2001/XInclude/local-attributes"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         xmlns:svg="http://www.w3.org/2000/svg"
         xmlns:ns="http://docbook.org/ns/transclusion"
         xmlns:m="http://www.w3.org/1998/Math/MathML"
         xmlns:html="http://www.w3.org/1999/xhtml"
         xmlns:db="http://docbook.org/ns/docbook">
  <title><xref linkend="glo_DNS"/></title>

  <section xml:id="sdiDnsPrelim">
    <title>Preliminaries</title>

    <figure xml:id="sdiDnsLinks">
      <title>Documentation links</title>

      <itemizedlist>
        <listitem>
          <para><link
          xlink:href="https://www.cloudflare.com/learning/dns/what-is-dns">What
          Is DNS? | How DNS Works</link></para>
        </listitem>

        <listitem>
          <para><link
          xlink:href="http://www.htmlgoodies.com/beyond/webmaster/article.php/3473261/An-Introduction-to-DNS.htm">An
          Introduction to DNS</link></para>
        </listitem>

        <listitem>
          <para><link xlink:href="http://www.zytrax.com/books/dns">DNS for
          Rocket Scientists</link></para>
        </listitem>

        <listitem>
          <para><link
          xlink:href="https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-ubuntu-14-04">How
          To Configure BIND as a Private Network DNS Server on
          Ubuntu</link></para>
        </listitem>

        <listitem>
          <para><link xlink:href="https://bind9.readthedocs.io/en/latest">BIND
          9 Administrator Reference Manual</link></para>
        </listitem>
      </itemizedlist>
    </figure>

    <figure xml:id="sdiDnsQueryCommands">
      <title><xref linkend="glo_DNS"/> query commands</title>

      <itemizedlist>
        <listitem>
          <para><command
          xlink:href="https://manpages.debian.org/buster/dnsutils/dig.1.en.html">dig</command>
          (<emphasis role="red">d</emphasis>omain <emphasis
          role="red">i</emphasis>nformation <emphasis
          role="red">g</emphasis>roper)</para>
        </listitem>

        <listitem>
          <para><command
          xlink:href="https://manpages.debian.org/buster/dnsutils/nslookup.1.en.html">nslookup</command></para>
        </listitem>
      </itemizedlist>
    </figure>

    <figure xml:id="sdiDnsForwardLookup">
      <title><xref linkend="glo_DNS"/> forward lookup</title>

      <screen>&gt; dig <emphasis role="red">learn.mi.hdm-stuttgart.de</emphasis>

; &lt;&lt;&gt;&gt; DiG 9.16.1-Ubuntu &lt;&lt;&gt;&gt; learn.mi.hdm-stuttgart.de
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 63891
...
;; ANSWER SECTION:
learn.mi.hdm-stuttgart.de. 6593	IN	A	<emphasis role="red">141.62.64.28</emphasis>

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) ...</screen>
    </figure>

    <figure xml:id="sdiDnsResultOnly">
      <title>Display A-record result only</title>

      <screen>&gt; dig <emphasis role="red">+noall +answer</emphasis> <emphasis>www.hdm-stuttgart.de</emphasis>
www.hdm-stuttgart.de.	3600	IN	A	141.62.1.53
www.hdm-stuttgart.de.	3600	IN	A	141.62.1.59</screen>
    </figure>

    <figure xml:id="sdiDnsImportantRecordTypes">
      <title>Important record types</title>

      <informaltable border="1">
        <tr>
          <th>Record</th>

          <th>Explanation</th>
        </tr>

        <tr>
          <td valign="top"><link
          xlink:href="https://simpledns.plus/help/a-records">A</link></td>

          <td valign="top">IPv4 host address</td>
        </tr>

        <tr>
          <td valign="top"><link
          xlink:href="https://simpledns.plus/help/aaaa-records">AAAA</link></td>

          <td valign="top">IPv6 host address</td>
        </tr>

        <tr>
          <td valign="top"><link
          xlink:href="https://simpledns.plus/help/alias-records">ALIAS</link></td>

          <td valign="top">Auto resolved alias</td>
        </tr>

        <tr>
          <td valign="top"><link
          xlink:href="https://simpledns.plus/help/cname-records">CNAME</link></td>

          <td valign="top">Canonical name for an alias</td>
        </tr>

        <tr>
          <td valign="top"><link
          xlink:href="https://simpledns.plus/help/mx-records">MX</link></td>

          <td valign="top">Mail eXchange</td>
        </tr>

        <tr>
          <td valign="top"><link
          xlink:href="https://simpledns.plus/help/ns-records">NS</link></td>

          <td valign="top">Name Server</td>
        </tr>

        <tr>
          <td valign="top"><link
          xlink:href="https://simpledns.plus/help/ptr-records">PTR</link></td>

          <td valign="top">Pointer</td>
        </tr>

        <tr>
          <td valign="top"><link
          xlink:href="https://simpledns.plus/help/soa-records">SOA</link></td>

          <td valign="top">Start Of Authority</td>
        </tr>

        <tr>
          <td valign="top"><link
          xlink:href="https://simpledns.plus/help/srv-records">SRV</link></td>

          <td valign="top">Location of service</td>
        </tr>

        <tr>
          <td valign="top"><link
          xlink:href="https://simpledns.plus/help/txt-records">TXT</link></td>

          <td valign="top">Descriptive text</td>
        </tr>
      </informaltable>
    </figure>

    <figure xml:id="sdiDnsQueryNs">
      <title>Name Servers: Query type <code>NS</code></title>

      <screen>dig +noall +answer <emphasis role="red">-t NS</emphasis> hdm-stuttgart.de
hdm-stuttgart.de.	3600	IN	NS	iz-net-4.hdm-stuttgart.de.
hdm-stuttgart.de.	3600	IN	NS	dns3.belwue.de.
hdm-stuttgart.de.	3600	IN	NS	iz-net-3.hdm-stuttgart.de.
hdm-stuttgart.de.	3600	IN	NS	dns1.belwue.de.
hdm-stuttgart.de.	3600	IN	NS	iz-net-2.hdm-stuttgart.de.</screen>
    </figure>
  </section>

  <section xml:id="sdiDnsExercises">
    <title>Exercises</title>

    <section xml:id="sdiDnsUseDig">
      <title>Querying <xref linkend="glo_DNS"/> data.</title>

      <para>Use the <command>dig</command> command to query <code>A</code> /
      <code>CNAME</code> / <code>MX</code> / <code>NS</code> records from
      various machines / domains of your choice. Then execute reverse lookups
      as well.</para>
    </section>

    <section xml:id="sdiBindInstall">
      <title>Installing and configuring <xref
      linkend="glo_Soft_Bind"/></title>

      <para>You may follow:</para>

      <itemizedlist>
        <listitem>
          <para><link
          xlink:href="https://www.linuxbabe.com/debian/authoritative-dns-server-debian-10-buster-bind9">Set
          Up BIND Authoritative DNS Server on Debian</link></para>
        </listitem>

        <listitem>
          <para><link
          xlink:href="https://cloudinfrastructureservices.co.uk/how-to-install-bind-dns-on-debian-11-server-setup-configure">How
          to Install Bind DNS on Debian 11 Server</link></para>
        </listitem>

        <listitem>
          <para><link
          xlink:href="https://www.zytrax.com/books/dns/ch8/soa.html">Start of
          Authority Resource Record</link></para>
        </listitem>
      </itemizedlist>

      <para>Install the <productname>bind9</productname> server package on
      your first <quote>A</quote> virtual machine. The MI department has
      already set up a <xref linkend="glo_DNS"/> service for
      <code>mi.hdm-stuttgart.de</code>. But for the upcoming exercises we
      want to be able to configure private host aliases.</para>

      <para>If you are <abbrev>e.g.</abbrev> a member of group 7 then
      <code>sdi04a.mi.hdm-stuttgart.de</code> will host your <xref
      linkend="glo_DNS"/> server. Create a completely new zone
      <code>g7.sdi.mi.hdm-stuttgart.de</code> containing address records for
      both your machines <code>sdia.g7.sdi.mi.hdm-stuttgart.de</code> and
      <code>sdib.g7.sdi.mi.hdm-stuttgart.de</code>. Your <xref
      linkend="glo_DNS"/> server should provide at least the following
      data:</para>

      <glosslist>
        <glossentry>
          <glossterm>Your g7.sdi.mi.hdm-stuttgart.de domain's primary
          nameserver</glossterm>

          <glossdef>
            <para>Primary name server for domain
            <code>g7.sdi.mi.hdm-stuttgart.de</code>.</para>
          </glossdef>
        </glossentry>

        <glossentry>
          <glossterm>vm1.g7.sdi.mi.hdm-stuttgart.de</glossterm>

          <glossdef>
            <para>Your first machine's host name.</para>
          </glossdef>
        </glossentry>

        <glossentry>
          <glossterm>vm2.g7.sdi.mi.hdm-stuttgart.de</glossterm>

          <glossdef>
            <para>Your second machine's host name.</para>
          </glossdef>
        </glossentry>

        <glossentry>
          <glossterm>www.g7.sdi.mi.hdm-stuttgart.de and
          cloud.g7.sdi.mi.hdm-stuttgart.de</glossterm>

          <glossdef>
            <para>(<code>CNAME</code>) aliases to
            <code>vm1.g7.sdi.mi.hdm-stuttgart.de</code> or
            <code>vm2.g7.sdi.mi.hdm-stuttgart.de</code>.</para>
          </glossdef>
        </glossentry>
      </glosslist>

      <para>All host names (even though the hosts do not exist yet) should
      point to your virtual machines' IP addresses. This requires setting up a
      forward zone file.</para>

      <tip>
        <orderedlist>
          <listitem>
            <para>The <command>named-checkzone</command> command helps you
            check your two zone files for correctness.</para>
          </listitem>

          <listitem>
            <para>The <command>named-checkconf</command> command checks for
            your configuration's overall correctness.</para>
          </listitem>

          <listitem>
            <para>You may use the <command>nslookup</command> command to query
            your <xref linkend="glo_DNS"/> server. The <option>set
            type=ns</option> option allows you to query for the domain's
            primary name server.</para>
          </listitem>
        </orderedlist>
      </tip>

      <itemizedlist>
        <listitem>
          <para><code>ns</code> (Nameserver)</para>
        </listitem>

        <listitem>
          <para><code>www</code> (Future webserver, see <xref
          linkend="sdiApache"/>).</para>
        </listitem>
      </itemizedlist>

      <para>Test your configuration using <code>dig</code> <option>@&lt;your
      host-IP&gt;</option> <option>...</option>. You should be able to
      resolve e.g. <code>www.g7.sdi.mi.hdm-stuttgart.de</code> to your local
      host's IP address.</para>
    </section>

    <section xml:id="sdiDnsReverse">
      <title>Reverse lookups</title>

      <para>Define a reverse zone file to answer queries asking for an IP
      address' machine name <abbrev>i.e.</abbrev> resolving
      <code>141.62.75.104</code> to
      <code>vm1.g7.sdi.mi.hdm-stuttgart.de</code>.</para>
    </section>

    <section xml:id="sdiDnsForwarder">
      <title>Forwarders</title>

      <para>Enable recursive queries to parent name servers so that your own
      private name server can resolve external machines like
      <code>www.w3.org</code> by delegation.</para>

      <tip>
        <para>You may have to disable <code>DNSSEC</code> validation in order
        to allow for recursive queries. Be aware that this also disables
        verification of the answers your server receives from upstream.</para>
      </tip>
    </section>

    <section xml:id="sdiBindMx">
      <title>Mail exchange record</title>

      <para>Provide a mail exchange record pointing to
      <code>mx1.hdm-stuttgart.de</code>. Test this configuration using
      <command>dig</command> accordingly.</para>

      <para>Caveat: Configuring a client machine to use your name server and
      sending a mail to <code>xy123@g7.sdi.mi.hdm-stuttgart.de</code> won't
      actually work since <code>mail.hdm-stuttgart.de</code> rejects mails
      being sent to any domain other than certain subdomains of
      <code>hdm-stuttgart.de</code>.</para>
    </section>

    <section xml:id="sdiDnsProjectNameServer">
      <title>SDI exercises related <xref linkend="glo_DNS"/> server</title>

      <para>In this part you'll transfer your current <xref
      linkend="glo_DNS"/> configuration to a dedicated MI nameserver
      <code>nssdi.mi.hdm-stuttgart.de</code>. Being connected to the global
      <xref linkend="glo_DNS"/> system, it allows for publishing your records
      worldwide.</para>

      <figure xml:id="sdiDnsSubdomainPerGroup">
        <title>Subdomain per group</title>

        <itemizedlist>
          <listitem>
            <para>Dedicated lecture-related <xref linkend="glo_DNS"/> server
            <code>nssdi.mi.hdm-stuttgart.de</code>.</para>
          </listitem>

          <listitem>
            <para>One subdomain per group, <abbrev>e.g.</abbrev> <emphasis
            role="red">g7.sdi.mi.hdm-stuttgart.de</emphasis> corresponding to
            <emphasis role="red">group 7</emphasis>.</para>
          </listitem>

          <listitem>
            <para>Zone edits require a subdomain-specific <code>hmac</code>
            secret key, which is provided as a
            <filename>dnsupdate.sec</filename> file in your personal group
            entry below the <link
            xlink:href="https://learn.mi.hdm-stuttgart.de/ilias/goto.php?target=crs_33735">SDI
            course</link>:</para>

            <screen>hmac-sha256:mykey.<emphasis role="red">g7</emphasis>:I5sDDS3L1BU...</screen>

            <note>
              <para>The per-zone secrets are created using <link
              xlink:href="https://manpages.ubuntu.com/manpages/jammy/man8/ddns-confgen.8.html">tsig-keygen</link>.
              The value appearing here does not reflect a production
              setting. Treat your group's key like a password: anyone holding
              it can edit your zone, and passing it on the command line via
              <option>-y</option> leaves it visible in shell history and
              process listings; both <command>nsupdate</command> and
              <command>dig</command> accept a key file via
              <option>-k</option> instead.</para>
            </note>
          </listitem>

          <listitem>
            <para>Edits become globally visible. Mind the TTL setting: a
            higher value means you'll have to wait longer until error
            corrections become visible.</para>
          </listitem>
        </itemizedlist>
      </figure>

      <figure xml:id="sdiDnsQueryZone">
        <title>Querying <xref linkend="glo_DNS"/> zone</title>

        <screen>$ export HMAC=hmac-sha256:mykey.g7:YXWSeh3l... 
$ dig @<emphasis role="red">nssdi.mi.hdm-stuttgart.de</emphasis> -y <emphasis
            role="red">$HMAC</emphasis> -t AXFR <emphasis role="red">g7.sdi.mi.hdm-stuttgart.de</emphasis> 
...
g7.sdi.mi.hdm-stuttgart.de. 86400 IN	SOA	nssdi.mi.hdm-stuttgart.de. goik.hdm-stuttgart.de. ...
docu.g7.sdi.mi.hdm-stuttgart.de. 5000 IN CNAME	www.g7.sdi.mi.hdm-stuttgart.de.
manual.g7.sdi.mi.hdm-stuttgart.de. 5000 IN CNAME www.g7.sdi.mi.hdm-stuttgart.de.
nextcloud.g7.sdi.mi.hdm-stuttgart.de. 5000 IN CNAME www.g7.sdi.mi.hdm-stuttgart.de.
...</screen>
      </figure>

      <figure xml:id="sdiDnsNsupdateAddRecord">
        <title>Creating an <code>A</code> record</title>

        <programlisting language="bash">export HMAC=hmac-sha256:mykey.g7:YXWSeh3l... 

goik&gt;nsupdate -y $HMAC
&gt; server nssdi.mi.hdm-stuttgart.de
&gt; update add vm2.<emphasis role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de 86400 A 141.62.75.114
&gt; send
&gt; quit
goik&gt;dig +noall +answer @nssdi.mi.hdm-stuttgart.de vm2.<emphasis role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de
vm2.<emphasis role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de. 86400	IN A	141.62.75.114</programlisting>
      </figure>

      <para>This entry should now be globally visible:</para>

      <programlisting language="none">&gt;dig +noall +answer  vm2.<emphasis
          role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de
vm2.<emphasis role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de. 7069 IN A	141.62.75.114</programlisting>

      <figure xml:id="sdiDnsNsupdateDeleteRecord">
        <title>Modify by delete/create</title>

        <programlisting language="bash">$ nsupdate -y $HMAC
&gt; server nssdi.mi.hdm-stuttgart.de
&gt; update delete admin.g3.sdi.mi.hdm-stuttgart.de. <emphasis role="red">3600</emphasis> IN	CNAME	www.g3.sdi.mi.hdm-stuttgart.de.
&gt; update add admin.g3.sdi.mi.hdm-stuttgart.de. <emphasis role="red">7200</emphasis> IN	CNAME	www.g3.sdi.mi.hdm-stuttgart.de.
&gt; send
&gt; quit</programlisting>

        <note>
          <para>Examples at <link
          xlink:href="https://serverless.industries/2020/09/27/dns-nsupdate-howto.en.html">DNS
          Updates with nsupdate</link></para>
        </note>
      </figure>

      <para>Due to caching it will however take up to your <abbrev>SOA</abbrev>
      or record-specific TTL settings for this change to be reflected globally.
      The subsequent query result indicates another 7069 seconds to go before
      the cached record expires:</para>

      <programlisting language="none">goik&gt;dig +noall +answer  vm2.<emphasis
          role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de
vm2.<emphasis role="red">g7</emphasis>.sdi.mi.hdm-stuttgart.de. 7069 IN A	141.62.75.114</programlisting>
    </section>
  </section>
</chapter>