Description:
Need to install DNS on server with the following configuration:
- It must respond authoritatively to all non-recursive queries for names in the zones it is authoritative for.
- It must respond to all recursive queries from the hosts on its own network.
- It must not respond to any recursive queries from any outside host (i.e. host not on its own network).
- Apart from the queries in (1), it should not respond to any queries from any outside host.
- It must contain valid zone data for its zone(s).
- The cache parameters must be chosen sensibly
- It must not be susceptible to the standard cache poisoning attacks. See http://www.kb.cert.org/vuls/id/800113 for details. Test its DNS server using porttest.dns-oarc.net (see http://www.dns-oarc.net/oarc/services/porttest).
It should have the following normal zone:
- zone d4.systinst.ida.liu.se
- D4-router.lab-2 should have IP 130.236.179.89 and FQDN gw.d4.sysinst.ida.liu.se
- D4-server.lab-2 should have IP 130.236.179.90 and FQDN server.d4.sysinst.ida.liu.se
- D4-client-1.lab-2 should have IP 130.236.179.91 and FQDN client-1.d4.sysinst.ida.liu.se
- D4-client-2.lab-2 should have IP 130.236.179.92 and FQDN client-2.d4.sysinst.ida.liu.se
Implementation:
Login with the root account
Run aptitude
Update package list
Locate and install bind9 and dnsutils
Copy /etc/bind/named.conf.local to /etc/bind/named.conf.local.change.0009
Add data to /etc/bind/named.conf.local:
zone "d4.sysinst.ida.liu.se" {
type master;
file "/etc/bind/db.d4.sysinst.ida.liu.se";
};
zone "88-29.179.236.130.in-addr.arpa" {
type master;
file "/etc/bind/db.88-29.179.236.130.in-addr.arpa";
};
- Create /etc/bind/db.d4.sysinst.ida.liu.se with the following data:
$TTL 1H
@ IN SOA server.d4.sysinst.ida.liu.se.
hostmaster.d4.sysinst.ida.liu.se. (
2015092301
1H
10M
1D
1H )
;
@ IN NS server.d4.sysinst.ida.liu.se.
gw IN A 130.236.179.89
server IN A 130.236.179.90
client-1 IN A 130.236.179.91
client-2 IN A 130.236.179.92
- Create /etc/bind/db.88-29.179.236.130.in-addr.arpa with the following data:
$TTL 1H
@ IN SOA server.d4.sysinst.ida.liu.se.
hostmaster.d4.sysinst.ida.liu.se. (
2015092301
1H
10M
1D
1H)
;
@ IN NS server.d4.sysinst.ida.liu.se.
89 IN PTR gw.d4.sysinst.ida.liu.se.
90 IN PTR server.d4.sysinst.ida.liu.se.
91 IN PTR client-1.d4.sysinst.ida.liu.se.
92 IN PTR client-2.d4.sysinst.ida.liu.se.
- Move /etc/bind/named.conf.options to /etc/bind/named.conf.options.change.0009
- Create /etc/bind/named.conf.options with following data:
acl lan { 127.0.0.1; 130.236.179.88/29; };
options {
directory "/var/cache/bind";
auth-nxdomain no; # conform to RFC1035
forwarders { 130.236.178.1; };
allow-transfer { none; };
allow-query { any; };
allow-recursion { lan; };
dnssec-validation yes;
};
include "/etc/bind/bind.keys";
- Run
server bind reload - Send an email to your provider and ask them to add the following to their DNS:
d4.sysinst.ida.liu.se. IN NS server.d4.sysinst.ida.liu.se.
server.d4.sysinst.ida.liu.se. IN A 130.236.179.90
88-29.179.236.130.in-addr.arpa. IN NS server.d4.sysinst.ida.liu.se.
88.179.236.130.in-addr.arpa. IN CNAME 88.88-29.179.236.130.in-addr.arpa.
89.179.236.130.in-addr.arpa. IN CNAME 89.88-29.179.236.130.in-addr.arpa.
90.179.236.130.in-addr.arpa. IN CNAME 90.88-29.179.236.130.in-addr.arpa.
91.179.236.130.in-addr.arpa. IN CNAME 91.88-29.179.236.130.in-addr.arpa.
92.179.236.130.in-addr.arpa. IN CNAME 92.88-29.179.236.130.in-addr.arpa.
93.179.236.130.in-addr.arpa. IN CNAME 93.88-29.179.236.130.in-addr.arpa.
94.179.236.130.in-addr.arpa. IN CNAME 94.88-29.179.236.130.in-addr.arpa.
95.179.236.130.in-addr.arpa. IN CNAME 95.88-29.179.236.130.in-addr.arpa.
Verification:
Run
named-checkzone d4.sysinst.ida.liu.se /etc/bind/db.d4.sysinst.ida.liu.seand verify there is an OKRun
dig org. SOA +dnssec @localhost.It should resolve and have an ‘ad’ flag.Run
dig google.com @localhost.It should resolve
Backout:
Uninstall bind9 through aptitude