Lab Exercise 2 – Authoritative DNS Servers

Objectives

Participants should be able to configure a primary and a secondary name server for a given domain name and perform a zone transfer between them. This includes creating, modifying and deleting RRs and incrementing the primary name server's serial number. Each participant's name servers should be visible from the other name servers, since we will use the lab root and GTLD servers. A custom lab root hint file will be used.

Note: Configure your VM to be the primary (also called master) for your own domain and also a slave for the VMs on your right. The VM on your left will act as a slave for your own domain.

Steps

  1. Everyone will use groupXX as their domain name. The instructor will also act as the GTLD server for this exercise and will create the delegation of the .net subdomains to every VM in the lab.
  2. Create a new working directory for your master server under /etc/bind
    mkdir -p /etc/bind/master
  3. Create a zone file for your domain under `/etc/bind/master` and add the necessary resource records: NS and A records, a TXT record, and MX records, which determine which hosts receive mail for your domain. For example, if you have `groupXX.net` as your domain, you must create `db.groupXX.net` with the following base contents (sample configuration for server01):
    $TTL 1d
    @	SOA		ns.groupXX.net.	email.groupXX.net.   (
                     2016010101	;serial no.
                     30m		;refresh
                     15m		;retry
                     1d			;expire
                     30m		;negative cache ttl 
    )
    	 
    IN	NS   ns.groupXX.net.
    
    ns	IN	A	192.168.30.X
    www 	IN	A	192.168.30.X
    
    mail01	IN	A	192.168.1XX.200
    mail02	IN	A	192.168.1XX.201
    
    groupXX.net.	MX 10	mail01.groupXX.net.
    groupXX.net.	MX 20	mail02.groupXX.net.
    
    groupXX.net.	IN	TXT "groupXX Authoritative DNS Server"
  4. Modify the configuration file (/etc/bind/named.conf.local). Please note that the primary zone is of “type master” while a secondary zone is of “type slave.” Specify your nameserver’s working directory.
    zone "groupXX.net" {
    	type master;
    	file "/etc/bind/master/db.groupXX.net";
    };
  5. Reload the BIND configuration and check that the service is still running:
    systemctl reload named
    systemctl status named
  6. Once BIND is running, you can do some basic tests with DNS tools such as dig. To have your name server display the SOA record for your domain:
    dig @192.168.30.XX groupXX.net SOA

    To display the NS records:

    dig @192.168.30.XX groupXX.net NS

    To display other resource records (A, MX or TXT). You can also use the -t option to set the query type:

    dig @192.168.30.XX ns.groupXX.net A

    dig -t MX @192.168.30.XX groupXX.net
  7. Set up your server as the secondary server for your neighbour. Create a folder called slave; the zone file transferred from the primary server will be stored in this folder.
    mkdir -p /etc/bind/slave
  8. In your named.conf.local add the following (groupYY.net stands for the neighbour's zone, e.g. group98.net). The file path must match the slave directory created in the previous step:
    zone "groupYY.net" {
    	type slave;
    	file "/etc/bind/slave/db.groupYY.net";
    	masters { 192.168.30.YY; };
    };
  9. Secure your zones by restricting who can obtain the zone file. First confirm that a zone transfer currently works by requesting one from another name server in the lab:
    dig @localhost groupYY.net AXFR

    If the transfer is allowed, you will see all the resource records of the zone in the output.

  10. Now add an allow-transfer statement to your named.conf.local for the zones where you are primary, listing only your secondary (the path must match the master directory created in step 2):
    zone "groupXX.net" {
    	type master;
    	file "/etc/bind/master/db.groupXX.net";
    	allow-transfer { 192.168.30.YY; };
    };

    Reload BIND and execute the same dig command again from a host that is not listed. If the restriction is in effect, the dig output should end with "Transfer failed."
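
Before trusting a reload, it helps to check named.conf.local itself for primary zones that still allow AXFR from anywhere. The following audit is an added example, not part of the lab page or of BIND; it parses a constructed named.conf.local fragment (the zone layout from steps 8 and 10 plus two assumed extra zones) and reports, for every primary zone, whether transfers are open, closed or restricted, taking a global allow-transfer in the options block into account as the zone-level default.

```python
import re

# Constructed sample named.conf.local (not from the lab page): the restricted primary
# from step 10, an assumed unrestricted primary, an assumed wide-open primary,
# and the secondary from step 8.
SAMPLE_CONF = """
options { directory "/var/cache/bind"; };
zone "groupXX.net" { type master; file "/etc/bind/master/db.groupXX.net";
    allow-transfer { 192.168.30.YY; };  // step 10: only the neighbour's secondary
};
zone "groupZZ.net" { type master; file "/etc/bind/master/db.groupZZ.net"; };
zone "groupWW.net" { type master; file "/etc/bind/master/db.groupWW.net"; allow-transfer { any; }; };
zone "groupYY.net" { type slave; file "/etc/bind/slave/db.groupYY.net"; masters { 192.168.30.YY; }; };
"""

def _strip_comments(conf):
    """Remove /* */, // and # comments so a commented-out ACL is not counted as live."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    return re.sub(r'(//|#).*', '', conf)

def _blocks(conf, keyword):
    """Yield (name, body) for `keyword "name" { ... }` (name is None for `options { ... }`),
    counting braces so nested blocks such as allow-transfer { ... }; do not end the match early."""
    for m in re.finditer(r'\b' + keyword + r'(?:\s+"([^"]+)")?\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def _allow_transfer(body):
    """Return the allow-transfer address list of a block, or None if the block has none."""
    m = re.search(r'\ballow-transfer\s*\{([^}]*)\}', body)
    return None if m is None else [h.strip() for h in m.group(1).split(';') if h.strip()]

def audit_zone_transfers(conf):
    """Map each primary zone to 'open', 'closed' or 'restricted:<hosts>'; slaves are skipped."""
    conf = _strip_comments(conf)
    global_acl = None                      # options { allow-transfer { ... }; } is the default
    for _, body in _blocks(conf, 'options'):
        global_acl = _allow_transfer(body)
    verdicts = {}
    for name, body in _blocks(conf, 'zone'):
        zt = re.search(r'\btype\s+(\w+)', body)
        if not zt or zt.group(1) not in ('master', 'primary'):
            continue                       # only primaries hand out zone data
        acl = _allow_transfer(body)
        acl = global_acl if acl is None else acl
        if acl is None or 'any' in acl:
            verdicts[name] = 'open'        # the state in which step 9's AXFR succeeds
        elif acl == ['none']:
            verdicts[name] = 'closed'      # no secondary can sync either
        else:
            verdicts[name] = 'restricted:' + ','.join(acl)
    return verdicts
```

Run it against your own file with `audit_zone_transfers(open('/etc/bind/named.conf.local').read())`; any zone reported as `open` still needs the allow-transfer statement from step 10.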

  11. You can also make the secondary/slave server for `groupYY.net` an authoritative name server for your zone. To do so, add another NS record to the `db.groupXX.net` file and increment the serial number so that the secondary picks up the change:
    $TTL 1d
    @	SOA		ns.groupXX.net.	email.groupXX.net.   (
                     2016010102	;serial no. (incremented after the change)

    		<config snipped>

    IN	NS   ns.groupXX.net.
    IN	NS   ns.groupYY.net.

    		<config snipped>
bdnog11/netsec/bind-authoritative.1578811736.txt.gz · Last modified: 2020/01/12 12:48 by Muhammad Moinur Rahman