Lab Exercise 4 – Reverse DNS

Objectives

Participants should be able to create a reverse zone for their 192.168.1XX.0/24 block and the corresponding PTR records for it. The secondary name server should be configured to get a copy of that reverse zone. Participants will also familiarize themselves with classless reverse DNS by configuring their primary name server (192.168.30.X) for the /24 and their secondary for the /26 assignment.

The IP block assignments are as follows:

192.168.101.0/24    group1
192.168.102.0/24    group2
192.168.103.0/24    group3
…
192.168.1XX.0/24    groupXX

Steps

  1. Create a reverse zone for your 192.168.1XX.0/24 IP block under /etc/bind/master. Create the corresponding `PTR` records based on the `A` records of your forward zone. Update your `named.conf` for this reverse zone and make sure zone transfer happens between master and slave. Use dig to test that both name servers return the correct `A` record and `PTR` record.
    1. Configure the /24 reverse zone in `named.conf.default-zone` on the master and on the slave name server.
      Primary name server `named.conf.default-zone`:
          //Primary name server named.conf
          zone "1XX.168.192.in-addr.arpa." {
              type master;
              file "db.192.168.1XX";
              allow-transfer { 192.168.1YY.1; };
          };

      Secondary name server `named.conf.default-zone`:
          //Secondary name server named.conf
          zone "1XX.168.192.in-addr.arpa." {
              type slave;
              file "db.192.168.1XX.bak";
              allow-transfer { none; };
              masters { 192.168.1XX.1; };
          };
    2. Configure the /24 reverse zone file (`db.192.168.1XX`) on the master name server. There is no need to create it on the slave, since the slave loads the zone from the master by zone transfer.
          $ORIGIN 1XX.168.192.in-addr.arpa.
          $TTL 1d
          @     SOA   ns.groupXX.net. email.groupXX.net. (
                      2016010101
                      1h
                      30m
                      1w
                      24h )
                NS    ns.groupXX.net.
          1     PTR   ns.groupXX.net.
  2. Reload the `named` service (for example with `rndc reload`) and check the reverse DNS entry:
          dig -x 192.168.1XX.1
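The cross-check in steps 1 and 2 (every `A` record in your block gets a `PTR`, and each `PTR` points back at a name whose `A` record is that address) can be done offline against the zone files before you reload. The script below is an added example for this lab, not part of the original exercise: it derives the `PTR` records of the /24 reverse zone from a forward zone and reports mismatches. The zone data is constructed, and the group number 130 (group130.net.) stands in for 1XX.

```python
"""Derive PTR records for a /24 reverse zone from the A records of the forward
zone, and check that the two zones agree (added example, constructed data)."""
import ipaddress
import re

# Constructed forward zone for the hypothetical group130.
FORWARD_ZONE = """\
$ORIGIN group130.net.
$TTL 1d
@       SOA   ns.group130.net. email.group130.net. ( 2016010101 1h 30m 1w 24h )
        NS    ns.group130.net.
ns      A     192.168.130.1
www     A     192.168.130.10
mail    A     192.168.130.20
ftp     A     192.168.130.30
other   A     10.0.0.5       ; outside our block, must not appear in our reverse zone
"""

# Constructed reverse zone with two mistakes: .20 points at the wrong name
# and ftp (.30) has no PTR at all.
REVERSE_ZONE_WITH_ERRORS = """\
$ORIGIN 130.168.192.in-addr.arpa.
$TTL 1d
@       SOA   ns.group130.net. email.group130.net. ( 2016010101 1h 30m 1w 24h )
        NS    ns.group130.net.
1       PTR   ns.group130.net.
10      PTR   www.group130.net.
20      PTR   www.group130.net.    ; typo: .20 is mail, not www
"""

A_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\d+\.\d+\.\d+\.\d+)", re.I)
PTR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?PTR\s+(\S+)", re.I)


def _strip(line):
    """Drop the ';' comment and trailing whitespace from a zone-file line."""
    return line.split(";", 1)[0].rstrip()


def _qualify(owner, origin):
    """Turn a relative owner name into an FQDN using the current $ORIGIN."""
    if owner == "@":
        return origin
    return owner if owner.endswith(".") else f"{owner}.{origin}"


def parse_a_records(zone_text):
    """Return {fqdn: IPv4Address} for the A records of a forward zone."""
    origin, records = ".", {}
    for line in map(_strip, zone_text.splitlines()):
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = A_RE.match(line)
        if m:
            records[_qualify(m.group(1), origin)] = ipaddress.IPv4Address(m.group(2))
    return records


def parse_ptr_records(zone_text, network):
    """Return {IPv4Address: fqdn} for PTR records written the lab's way,
    i.e. with the last octet as a relative owner name ('1  PTR  ns...')."""
    net, records = ipaddress.IPv4Network(network), {}
    for line in map(_strip, zone_text.splitlines()):
        m = PTR_RE.match(line)
        if m and m.group(1).isdigit():
            records[net.network_address + int(m.group(1))] = m.group(2)
    return records


def reverse_zone_name(network):
    """Origin of the reverse zone of a /24, e.g. 130.168.192.in-addr.arpa."""
    net = ipaddress.IPv4Network(network)
    a, b, c, _ = str(net.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa."


def build_ptr_records(forward_zone_text, network):
    """Sorted [(last_octet, fqdn)] for every A record that lies in the block."""
    net = ipaddress.IPv4Network(network)
    return sorted((int(str(addr).split(".")[-1]), fqdn)
                  for fqdn, addr in parse_a_records(forward_zone_text).items()
                  if addr in net)


def render_reverse_zone(forward_zone_text, network, ns, rname, serial):
    """Render db.192.168.1XX in the same layout as the lab's zone files."""
    lines = [f"$ORIGIN {reverse_zone_name(network)}", "$TTL 1d",
             f"@\tSOA\t{ns} {rname} ( {serial} 1h 30m 1w 24h )",
             f"\tNS\t{ns}"]
    lines += [f"{octet}\tPTR\t{fqdn}"
              for octet, fqdn in build_ptr_records(forward_zone_text, network)]
    return "\n".join(lines) + "\n"


def check_forward_reverse(forward_zone_text, reverse_zone_text, network):
    """Offline version of the dig cross-check: every PTR must point at a name
    whose A record is that address, and every A record in the block must have
    a PTR. Returns a list of problems; an empty list means the zones agree."""
    net = ipaddress.IPv4Network(network)
    a_by_name = parse_a_records(forward_zone_text)
    ptr_by_addr = parse_ptr_records(reverse_zone_text, network)
    problems = [f"PTR {addr} -> {name}, but A {name} is {a_by_name.get(name)}"
                for addr, name in ptr_by_addr.items() if a_by_name.get(name) != addr]
    problems += [f"no PTR for {addr} ({name})"
                 for name, addr in a_by_name.items()
                 if addr in net and addr not in ptr_by_addr]
    return problems


if __name__ == "__main__":
    print(render_reverse_zone(FORWARD_ZONE, "192.168.130.0/24",
                              "ns.group130.net.", "email.group130.net.", 2016010101))
    for problem in check_forward_reverse(FORWARD_ZONE, REVERSE_ZONE_WITH_ERRORS,
                                         "192.168.130.0/24"):
        print("PROBLEM:", problem)
```

The parsers only understand the one-record-per-line style used in this lab (relative owner names, optional TTL and class); they are a pre-reload sanity check, not a replacement for `named-checkzone` or for querying both servers with dig.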
  3. Configure your master name server for classless reverse delegation. Let's assume you're assigning 2 * /26 from your IP block 192.168.1XX.0/24, thus:
     192.168.1XX.0/26 (192.168.1XX.0 - 192.168.1XX.63) - you're currently using this, so there is no need to delegate it
     192.168.1XX.64/26 (192.168.1XX.64 - 192.168.1XX.127) - delegate to customer 1
  4. Update your existing 192.168.1XX.0/24 reverse zone to include the delegation of the /26 subdomain for your customer. The server on your right will act as your customer, so it will configure the /26 zone. This should be done on the master name server. You should use CNAME records and NS (glue) records to accomplish the classless delegation.
          ;Existing /24 zone file
          $ORIGIN 1XX.168.192.in-addr.arpa.
          $TTL 1d
          @     SOA   ns.groupXX.net. email.groupXX.net. (
                      2016010101
                      1h
                      30m
                      1w
                      24h )

                NS    ns.groupXX.net.

          1     PTR   ns.groupXX.net.

          ;Inserting the /26 delegation
          64-127  NS    ns.groupYY.net.     ; This is the customer name server.

          65      CNAME 65.64-127
          66      CNAME 66.64-127
          67      CNAME 67.64-127           ; it goes up to 126, use $GENERATE to automate

     Note that the trailing "." is intentionally omitted from the CNAME targets (e.g. 65.64-127) so that the origin (1XX.168.192.in-addr.arpa.) is appended to them. Remember to increase the SOA serial when you change the zone; otherwise the slave will not pick up the new delegation.

  5. On your customer's name server (`/etc/bind/master`), create the /26 subdomain. Update your customer's `named.conf.default-zone` to load this /26 subdomain, so that it acts as primary for the /26 subdomain.
    1. Update the customer's `named.conf.default-zone` to reflect the /26 subdomain.
          //customer's name server named.conf
          zone "1XX.168.192.in-addr.arpa." {
              type slave;
              file "db.192.168.1XX.bak";
              allow-transfer { none; };
              masters { 192.168.1XX.1; };
          };

          zone "64-127.1XX.168.192.in-addr.arpa." {
              type master;
              file "db.192.168.1XX.64";
          };
    2. Create the /26 zone file (`db.192.168.1XX.64`) on the customer name server. The owner names (65, 66, 67) must match the CNAME targets in the provider's /24 zone.
          $ORIGIN 64-127.1XX.168.192.in-addr.arpa.
          $TTL 1d
          @     SOA   ns.groupYY.net. root.groupYY.net. (
                      20121026
                      1h
                      30m
                      1w
                      24h )

                NS    ns.groupYY.net.

          65    PTR   www.groupYY.net.
          66    PTR   ftp.groupYY.net.
          67    PTR   mail.groupYY.net.
  6. Use dig to check that the delegation works. This command uses dig to look up a PTR record:
          dig @192.168.30.XX -x 192.168.1XX.66

     This command uses dig to look up an A record:
          dig @server hostname.domain-name.net
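Steps 3 to 6 are one procedure: the provider adds an NS record plus one CNAME per address to its /24 zone, the customer serves the child zone, and a resolver handling `dig -x` follows CNAME, then PTR. The script below is an added example for this lab, not part of the original exercise: it generates the provider-side lines (the hand-written CNAMEs or the equivalent `$GENERATE` directive), renders the customer's child zone, and walks the CNAME-to-PTR chain offline. Group numbers 130 (provider, 1XX) and 131 (customer, 1YY) are hypothetical placeholders, and the generator handles any block from /25 to /31 rather than only the lab's /26.

```python
"""RFC 2317 classless in-addr.arpa delegation: provider lines, customer zone
and the CNAME -> PTR chain a resolver follows (added example, constructed data)."""
import ipaddress


def parent_zone_name(network):
    """Origin of the /24 reverse zone containing the block (1XX.168.192.in-addr.arpa.)."""
    net = ipaddress.IPv4Network(network)
    a, b, c, _ = str(net.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa."


def _last_octet(addr):
    return int(str(addr).split(".")[-1])


def range_label(network):
    """Child zone label in the lab's first-last style, e.g. 64-127 for a .64/26."""
    net = ipaddress.IPv4Network(network)
    if not 25 <= net.prefixlen <= 31:
        raise ValueError("classless delegation is for blocks smaller than a /24")
    return f"{_last_octet(net.network_address)}-{_last_octet(net.broadcast_address)}"


def parent_delegation_lines(network, customer_ns):
    """Records to append to the provider's /24 zone: an NS for the child label and
    one CNAME per usable host. CNAME targets carry no trailing dot, so the zone
    origin is appended to them (the lab's note on the omitted '.')."""
    net, label = ipaddress.IPv4Network(network), range_label(network)
    lines = [f"{label}\tNS\t{customer_ns}"]
    for addr in net.hosts():   # skips network and broadcast, like the lab's 65..126
        lines.append(f"{_last_octet(addr)}\tCNAME\t{_last_octet(addr)}.{label}")
    return lines


def parent_generate_line(network):
    """The single $GENERATE directive that replaces the per-host CNAME lines."""
    hosts = list(ipaddress.IPv4Network(network).hosts())
    return (f"$GENERATE {_last_octet(hosts[0])}-{_last_octet(hosts[-1])} "
            f"$ CNAME $.{range_label(network)}")


def child_zone(network, customer_ns, rname, serial, ptrs):
    """Customer's zone file for the block; ptrs maps last octet -> FQDN."""
    lines = [f"$ORIGIN {range_label(network)}.{parent_zone_name(network)}", "$TTL 1d",
             f"@\tSOA\t{customer_ns} {rname} ( {serial} 1h 30m 1w 24h )",
             f"\tNS\t{customer_ns}"]
    lines += [f"{octet}\tPTR\t{ptrs[octet]}" for octet in sorted(ptrs)]
    return "\n".join(lines) + "\n"


def resolve_ptr(parent_lines, child_zone_text, network, address):
    """Follow the chain a resolver walks for 'dig -x address': CNAME in the
    provider's /24 zone -> owner name in the child zone -> PTR target.
    Returns the FQDN, or None when a link of the chain is missing."""
    octet = str(_last_octet(ipaddress.IPv4Address(address)))
    target = None
    for line in parent_lines:
        owner, rtype, rdata = line.split("\t")
        if rtype == "CNAME" and owner == octet:
            target = rdata if rdata.endswith(".") else f"{rdata}.{parent_zone_name(network)}"
    if target is None:
        return None   # no CNAME: the /24 zone does not delegate this address
    origin = None
    for raw in child_zone_text.splitlines():
        parts = raw.split()
        if raw.startswith("$ORIGIN"):
            origin = parts[1]
        elif len(parts) == 3 and parts[1] == "PTR":
            owner = parts[0] if parts[0].endswith(".") else f"{parts[0]}.{origin}"
            if owner == target:
                return parts[2]
    return None       # CNAME exists but the customer published no PTR for it


if __name__ == "__main__":
    block = "192.168.130.64/26"
    parent = parent_delegation_lines(block, "ns.group131.net.")
    child = child_zone(block, "ns.group131.net.", "root.group131.net.", 2016010101,
                       {65: "www.group131.net.", 66: "ftp.group131.net.",
                        67: "mail.group131.net."})
    print("\n".join(parent[:4]) + "\n...\n" + parent_generate_line(block))
    print(child)
    for ip in ("192.168.130.66", "192.168.130.100", "192.168.130.64"):
        print(ip, "->", resolve_ptr(parent, child, block, ip))
```

The two `None` cases are the ones you will meet when the step 6 dig fails: no CNAME on the provider side (the address was never delegated, as for .64 here) or a CNAME whose target has no PTR on the customer side (.100 here). The hyphenated `64-127` label is the lab's convention; RFC 2317 itself uses `64/26`, which works the same way once both zones use the same label.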
bdnog11/netsec/bind-reverse.1578743499.txt.gz · Last modified: 2020/01/11 17:51 by Muhammad Moinur Rahman