Authoritative DNS Servers
Objectives
Participants should be able to configure primary and secondary name servers for a given domain name and perform a zone transfer between them. This includes creating, modifying and deleting RRs and incrementing the primary name server's serial number. Each participant's name servers should be visible from the other name servers, since we will use the lab root and GTLD server. A custom lab root hint will be used.
Steps
- In our lab, approach the instructor for domain registration. The instructor will also act as the GTLD server for this exercise and will create the delegation of .net subdomains to every PC in the lab.
In real life, register your domain name and its name servers' FQDNs (master and slave), together with their IP addresses, with the domain name registry.
- Create a new working directory for your master server under /var/cache/bind:

    mkdir /var/cache/bind/master
    chown -R bind:bind /var/cache/bind/master
- Create a zone file for your domain under /var/cache/bind/master and add the necessary resource records: NS, A, TXT and MX records (the MX records determine which hosts receive mail for your domain).
For example, if groupX.net is your domain (where X is your group number), create db.groupX.net with the following base contents:

    $TTL 1d
    @       SOA     NS.GROUPX.NET. email.GROUPX.net. (
                    20130823    ; serial no.
                    30m         ; refresh
                    15m         ; retry
                    1d          ; expire
                    30m )       ; negative cache ttl
            NS      ns.groupX.net.
    ns      A       192.168.30.X
    www     A       192.168.11.100
    groupX.net.     MX 10   mail01.groupX.net.
                    MX 20   mail02.groupX.net.
    mail01  A       192.168.11.200
    mail02  A       192.168.11.201
- Modify the configuration file named.conf.local. Please note that the primary zone is of type master, while a secondary zone is of type slave.

    zone "groupX.net" {
        type master;
        file "/var/cache/bind/master/db.groupX.net";
    };

By default most authoritative servers are also recursive/caching servers for their own networks. If this is not the case, also remove or comment out the zones defined in the file /etc/bind/named.conf.default-zones:

    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };
    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
    };
- Check that the BIND configuration is valid and that the server is running properly. Error messages will give you hints where the error is.

    named-checkconf /etc/bind/named.conf
- Once BIND is running, you can do some basic tests using DNS tools like dig.
To display the SOA record for your domain:

    dig @192.168.30.X groupX.net SOA

To display the NS records:

    dig @192.168.30.X groupX.net NS

To display other resource records (A, MX or TXT); you can also use the -t option to set the query type:

    dig @192.168.30.X ns.groupX.net A
    dig -t MX @192.168.30.X groupX.net
- Set up your server as the secondary server for your neighbour. Create a folder called slave; the zone file from your neighbour's primary server will be copied into this folder.

    mkdir /var/cache/bind/slave
    chown -R bind:bind /var/cache/bind/slave

In your named.conf.local, add the following:

    zone "neighbour-zone.net" {
        type slave;
        file "/var/cache/bind/slave/db.neighbour-zone.net";
        masters { <ip-of-primary-server>; };
    };
- Secure your zones by restricting who can get the zone file. You can test this by attempting a zone transfer from another name server in the lab:

    dig @<ip-address> GROUPX.NET AXFR

where GROUPX is any group other than yours. If the transfer is allowed, you will see all the resource records in the output.
Now add an allow-transfer statement to the zones where you are primary in your named.conf.local:

    zone "groupX.net" {
        type master;
        file "/var/cache/bind/master/db.groupX.net";
        allow-transfer { <ip-of-secondary-server>; };
    };

Then restart BIND:

    service bind9 restart

Execute the same dig command again. If the restriction is working, the status in the dig output should say Transfer Failed.
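As an added example (not part of the lab handout), a small Python helper for the serial-increment step above: it bumps the SOA serial of a zone file laid out like db.groupX.net and lists any NS or MX target inside the zone that has no A record, so the secondary pulls a consistent copy on its next transfer. The sample zone is constructed, with X = 1 assumed.

```python
import re

# Constructed sample zone in the lab's db.groupX.net layout (X = 1 assumed).
ZONE = """$TTL 1d
@       SOA  ns.group1.net. email.group1.net. ( 20130823 30m 15m 1d 30m )
        NS   ns.group1.net.
ns      A    192.168.30.1
group1.net.  MX 10 mail01.group1.net.
             MX 20 mail02.group1.net.
mail01  A    192.168.11.200
mail02  A    192.168.11.201
"""
# The serial is the first number after the "(" that opens the SOA RDATA.
SERIAL_RE = re.compile(r"SOA[^(]*\(\s*(\d+)")

def get_serial(zone_text):
    return int(SERIAL_RE.search(zone_text).group(1))

def bump_serial(zone_text):
    # A secondary only pulls a fresh copy when the primary's serial is larger
    # than the one it holds, so bump it after every edit, before the reload.
    m = SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found")
    new = str(int(m.group(1)) + 1)
    return zone_text[:m.start(1)] + new + zone_text[m.end(1):]

def _fqdn(name, origin):
    # Lower-case, no trailing dot; relative names are made absolute under origin.
    name = name.lower()
    if name == "@":
        return origin
    return name[:-1] if name.endswith(".") else f"{name}.{origin}"

def missing_glue(zone_text, origin):
    # In-zone names that NS or MX records point at but that have no A record.
    origin = origin.lower().rstrip(".")
    a_names, targets, owner = set(), set(), origin
    for raw in zone_text.splitlines():
        line = raw.split(";")[0].rstrip()   # strip comments
        if not line or line.startswith("$"):
            continue
        toks = line.split()
        if not raw[0].isspace():            # this line names a new owner
            owner = _fqdn(toks[0], origin)
        if "A" in toks:
            a_names.add(owner)
        elif "NS" in toks or "MX" in toks:
            targets.add(_fqdn(toks[-1], origin))
    in_zone = lambda t: t == origin or t.endswith("." + origin)
    return sorted(t for t in targets if in_zone(t) and t not in a_names)
```

Before reloading, still run named-checkzone groupX.net /var/cache/bind/master/db.groupX.net, which catches syntax errors this script does not look for.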