[Lab] Domain Name System

Goal

Each student builds a server to resolve DNS queries for his/her own domain.

Procedure

  1. Every student should prepare a GNU/Linux host with IPv4/IPv6 connectivity, on which he/she has root permission to add new services. In this lab guide, an example of configuration on CentOS 6.5 is demonstrated, but it could be applied to other versions.
  2. Install the DNS daemon by the command "yum install bind".
  3. Each student chooses a domain name (e.g. "Utopia"). Please note that domain names are case-insensitive.
  4. Create a zone file "/var/named/data/utopia.ncnu.org".
    
    $ORIGIN .
    $TTL 360        ; 6 minutes
    utopia.ncnu.org         IN SOA  ns1.utopia.ncnu.org.  solomon.utopia.ncnu.org. (
                                    2014051400 ; serial
                                    7200       ; refresh (2 hours)
                                    3600       ; retry (1 hour)
                                    1209600    ; expire (2 weeks)
                                    10800      ; minimum (3 hours)
                                    )
                            NS      ns1.utopia.ncnu.org.
    
    $ORIGIN utopia.ncnu.org.
    ns1     A       10.19.10.160
            AAAA    2001:e10:6840:19:250:56ff:febe:4f77
    
    
  5. Run the command "named-checkzone utopia.ncnu.org /var/named/data/utopia.ncnu.org" (the first argument is the zone name, the second the zone file; the shorter "named-checkzone utopia.ncnu.org utopia.ncnu.org" works only when run inside /var/named/data). If the zone file is syntactically correct, the command responds with something like
    
    zone utopia.ncnu.org/IN: loaded serial 2014051400
    OK
    
    
  6. Edit "/etc/named.conf"
    1. Change the line listen-on-v6 port 53 { ::1; }; to listen-on-v6 port 53 { any; }; . Don't forget the semicolon inside the braces.
    2. Specify the location of your zone file. The path given in "file" is relative to the "directory" option of named.conf, which is "/var/named" on CentOS, so the file created in step 4 is "data/utopia.ncnu.org":
          
          zone "utopia.ncnu.org." {
                  type master;
                  file "data/utopia.ncnu.org";
                  allow-query     { any; };
          };
          
          
    3. Run the command "named-checkconf /etc/named.conf". If it prints nothing, the file parsed cleanly and you are ready to start the DNS daemon.
  7. Start your DNS daemon in foreground mode: "named -u named -g" ("-u named" drops privileges to the named user; "-g" keeps the process in the foreground and sends its log to standard error). Among the many log messages, identify this line:
    
    14-May-2014 16:12:17.861 zone utopia.ncnu.org/IN: loaded serial 2014051400
    
    
  8. On your own host, query this DNS server with "host ns1.utopia.ncnu.org ::1" or "host ns1.utopia.ncnu.org 127.0.0.1" (the second argument tells host which server to ask). You should see the following:
    
    Using domain server:
    Name: ::1
    Address: ::1#53
    Aliases:
    
    ns1.utopia.ncnu.org has address 10.19.10.160
    ns1.utopia.ncnu.org has IPv6 address 2001:e10:6840:19:250:56ff:febe:4f77
    
    
  9. Now your DNS server is up and running. Press Ctrl-C to stop the foreground process, then type "named -u named" (without the option "-g") to run it as a background daemon.
  10. However, to allow other hosts to query your server, there are some "security" configurations you need to modify:
    1. Modify "/etc/named.conf": add "//" in front of the line "listen-on port 53 { 127.0.0.1; };" to comment it out, so that named also listens on your IPv4 interface addresses. Then change the line "allow-query { localhost; };" to "allow-query { any; };". Be aware of what this opens up: the CentOS default named.conf also contains "recursion yes;", so with "allow-query { any; };" your host will resolve any name for anyone on the Internet, i.e. it becomes an open resolver that can be abused for DNS reflection attacks. Limit recursion to your own host by adding "allow-recursion { localhost; };" to the options block (or set "recursion no;" if you never use this server as your own resolver); it still answers authoritatively for utopia.ncnu.org.
    2. Reload your DNS daemon with the command "kill -HUP `cat /var/run/named/named.pid`". SIGHUP makes named re-read named.conf and the zone files without restarting the process.
  11. Your firewall may still block DNS queries from other hosts. To verify this, temporarily disable the IPv4 firewall with "service iptables stop" or the IPv6 firewall with "service ip6tables stop", then ask a friend to query from their host with "host ns1.utopia.ncnu.org 10.19.10.160" or "host ns1.utopia.ncnu.org 2001:e10:6840:19:250:56ff:febe:4f77". If the query timed out while the firewall was up but succeeds with it down, the firewall rules are the problem. Run "service iptables start" and "service ip6tables start" right away to keep your firewall running; a server exposed to the Internet needs it. The rules below open only what DNS needs.
  12. Edit /etc/sysconfig/iptables. After the rule for SSH (--dport 22), add the following line
    
    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    
    
    and run the command "service iptables restart". DNS also uses TCP port 53, for answers too large for one UDP packet (the server sets the truncation bit and the client retries over TCP) and for zone transfers; if you want those to work, add a second rule that differs only in "-p tcp -m tcp".
  13. Edit /etc/sysconfig/ip6tables. After the rule for SSH (--dport 22), add the following line
    
    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    
    
    and run the command "service ip6tables restart". As for IPv4, a second rule with "-p tcp -m tcp" is needed for DNS over TCP.
  14. Now other hosts can query your DNS server directly by "host ns1.utopia.ncnu.org 10.19.10.160" or "host ns1.utopia.ncnu.org 2001:e10:6840:19:250:56ff:febe:4f77".
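The following added example (written for this page, not code from the original lab guide) performs steps 4 to 6 and the named.conf changes of step 10 from a shell script: it generates the forward zone file with a date-based serial that only ever grows, prints the zone and options entries for named.conf, and runs named-checkzone when it is available. The domain, host name and addresses are the lab's; the function names, "hostmaster" as the SOA contact and the allow-transfer and allow-recursion settings are this example's own choices, and the demo writes into a temporary directory instead of /var/named/data so it can run as an unprivileged user.

```shell
#!/bin/sh
# Added example, not code from the original lab guide: generate the forward
# zone file and the named.conf entries from a few variables. Function names,
# "hostmaster" as SOA contact and the allow-transfer/allow-recursion settings
# are this example's own; domain, host name and addresses are the lab's.

# next_serial CURRENT TODAY -> the next YYYYMMDDnn serial.
# Secondaries and resolvers that hold the old SOA only notice a change when
# the serial grows, so never reuse one: if CURRENT is already in today's
# series (or ahead of it), add one; otherwise start today's series at nn=00.
next_serial() {
    cur=$1
    today=$2
    base=$(( today * 100 ))
    if [ "$cur" -ge "$base" ]; then
        echo $(( cur + 1 ))
    else
        echo "$base"
    fi
}

# write_zone DOMAIN NSHOST IPV4 IPV6 SERIAL OUTFILE -> a master zone with one
# name server; the A/AAAA records of NSHOST are the glue the parent also needs.
write_zone() {
    domain=$1; ns=$2; v4=$3; v6=$4; serial=$5; out=$6
    cat > "$out" <<EOF
\$ORIGIN $domain.
\$TTL 360        ; 6 minutes
@       IN SOA  $ns.$domain. hostmaster.$domain. (
                $serial ; serial
                7200       ; refresh (2 hours)
                3600       ; retry (1 hour)
                1209600    ; expire (2 weeks)
                10800      ; minimum (3 hours)
                )
        NS      $ns.$domain.
$ns     A       $v4
        AAAA    $v6
EOF
}

# zone_stanza DOMAIN FILE -> the named.conf zone statement. FILE is relative
# to the "directory" option (/var/named on CentOS). Zone transfers are
# refused: nothing in the lab sets up a secondary, and an open AXFR hands
# the whole zone to anyone who asks.
zone_stanza() {
    printf 'zone "%s." {\n' "$1"
    printf '        type master;\n        file "%s";\n' "$2"
    printf '        allow-query     { any; };\n'
    printf '        allow-transfer  { none; };\n};\n'
}

# options_lines -> the options entries changed in steps 6 and 10, plus
# allow-recursion. With "allow-query { any; }" and the CentOS default
# "recursion yes", named would resolve any name for anyone, i.e. be an open
# resolver usable for reflection attacks. Limiting recursion to localhost
# keeps the server authoritative-only towards the Internet while it can still
# act as this host's own resolver (step 35).
options_lines() {
    printf '        listen-on port 53 { any; };\n'
    printf '        listen-on-v6 port 53 { any; };\n'
    printf '        allow-query { any; };\n'
    printf '        allow-recursion { localhost; };\n'
}

# check_zone DOMAIN FILE -> named-checkzone as in step 5 when BIND is
# installed; otherwise say so and return success so the demo still runs.
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed, skipping syntax check of $2" >&2
    fi
}

# Demo with the lab's values, in a temporary directory instead of
# /var/named/data so that it runs as an ordinary user.
demo() {
    dir=$(mktemp -d)
    serial=$(next_serial 2014051400 "$(date +%Y%m%d)")
    write_zone utopia.ncnu.org ns1 10.19.10.160 \
        2001:e10:6840:19:250:56ff:febe:4f77 "$serial" "$dir/utopia.ncnu.org"
    check_zone utopia.ncnu.org "$dir/utopia.ncnu.org"
    cat "$dir/utopia.ncnu.org"
    zone_stanza utopia.ncnu.org data/utopia.ncnu.org
    options_lines
    rm -rf "$dir"
}
demo
```

To use the output for real, copy the generated zone to /var/named/data, paste the zone statement and the options lines into /etc/named.conf, run named-checkconf, and reload named with SIGHUP as in step 10.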

    Request a DNS server to delegate a domain to you

  15. Generally other people won't know the IP address of your DNS server and will not send queries to it directly. Their resolver starts at the root servers and walks down the DNS tree, following the referral each zone returns, until it reaches the server authoritative for the name. Therefore, after you configure your DNS server to answer for "utopia.ncnu.org.", you must ask the administrator of the parent zone "ncnu.org" to delegate the subdomain to you, i.e. to add NS records that refer queries for utopia.ncnu.org to your server (the parent does not forward queries; it answers with a referral). Because your name server's name, ns1.utopia.ncnu.org, lies inside the zone being delegated, the parent also needs its A and AAAA addresses as glue records, or resolvers would have no way to find the server.
  16. Run "ifconfig eth0" and write down the IPv4/IPv6 address of your server.
  17. Mail the DNS administrator of "ncnu.org" the information of your DNS server, in the form of the following three records (names are relative to ncnu.org; the A and AAAA records are the glue for ns1):
    
    utopia      NS      ns1.utopia
    ns1.utopia  A       10.19.10.160
                AAAA    2001:e10:6840:19:250:56ff:febe:4f77
    
  18. After these entries are added to the DNS server for "ncnu.org", any host on the Internet can issue the command "host ns1.utopia.ncnu.org" (without naming a server) to look up entries under your own domain "utopia.ncnu.org.".
  19. You can even show the iterative query process by "dig ns1.utopia.ncnu.org +trace".
  20. If you can successfully perform a pure-IPv6 query by "dig -6 ns1.utopia.ncnu.org. +trace", you have successfully completed this step.
  21. Try to add some entries to your zone file, such as "www AAAA 2002:a0b:c0d::a0b:c0d". Increase the serial in the SOA record every time you change the zone file and reload named with "kill -HUP `cat /var/run/named/named.pid`", then query with "host www.utopia.ncnu.org".

    Two students in a team

  22. Pair students into teams. One student delegates a subdomain to the other, while the other creates a zone file and tells the "parent" domain the IP addresses of his/her server.
  23. Exchange the roles of the two students, and repeat the same process.
  24. Capture all DNS messages (port 53, UDP and TCP), both on the querying clients and on the DNS servers. Submit the capture files to Moodle and describe what you learned from this hands-on exercise.

    Reverse Lookup

  25. You may also create a zone file to perform reverse lookups from IP addresses to domain names. However, remember that unless you hold the official delegation (e.g. the holder of 163.22.0.0/16 has delegated 163.22.20.0/24, i.e. the zone 20.22.163.in-addr.arpa, to you), resolvers following the global DNS tree will never be referred to your server. To get an answer from your server, people must query it directly, with "host 163.22.20.1 your_server_ip_address".
  26. Create a zone file "/var/named/data/10.19.10" for the network 10.19.10.0/24. The zone name, 10.19.10.in-addr.arpa, is the first three octets in reverse order; the owner of each PTR record is the last octet of the address. The SOA names the same primary server as the NS record.
    
    $TTL 3h
    @ SOA ns1.utopia.ncnu.org. nobody.utopia.ncnu.org. 20140514 1d 12h 1w 3h
            ; Serial, Refresh, Retry, Expire, Neg. cache TTL
    
            NS      ns1.utopia.ncnu.org.
    
    160     PTR     ns1.utopia.ncnu.org.
    
    
  27. Check the zone file with "named-checkzone 10.19.10.in-addr.arpa /var/named/data/10.19.10" (named-checkzone zone_name zone_file; the zone name is the reversed network prefix under in-addr.arpa).
  28. Edit "/etc/named.conf" to specify the location of your zone file:
    
    zone "10.19.10.in-addr.arpa." {
            type master;
            file "data/10.19.10";
            allow-query     { any; };
    };
    
    
  29. Reload your DNS server with "kill -HUP `cat /var/run/named/named.pid`". Now people should be able to perform the reverse lookup with "host -t PTR 160.10.19.10.in-addr.arpa ns1.utopia.ncnu.org" or, letting host build the in-addr.arpa name itself, "host 10.19.10.160 ns1.utopia.ncnu.org".
  30. Create a zone file "/var/named/data/20010E106840-reverse.db" for IPv6 reverse lookup. Under ip6.arpa every hex digit (nibble) of the address is a separate label, in reverse order: the zone for the /48 prefix 2001:e10:6840::/48 is 0.4.8.6.0.1.e.0.1.0.0.2.ip6.arpa, and the owner name of the PTR record is the remaining 20 nibbles of the fully expanded address 2001:0e10:6840:0019:0250:56ff:febe:4f77, reversed. Leading zeros in each group count, so expand the address before reversing it.
    
    $TTL 6m
    @ SOA ns1.utopia.ncnu.org. nobody.utopia.ncnu.org. 20140514 1d 12h 1w 3h
            ; Serial, Refresh, Retry, Expire, Neg. cache TTL
    
            NS      ns1.utopia.ncnu.org.
    
    7.7.f.4.e.b.e.f.f.f.6.5.0.5.2.0.9.1.0.0 PTR     ns1.utopia.ncnu.org.
    
    
  31. Check the zone file with "named-checkzone 0.4.8.6.0.1.e.0.1.0.0.2.ip6.arpa. /var/named/data/20010E106840-reverse.db".
  32. Edit "/etc/named.conf" to specify the location of your zone file:
    
    zone "0.4.8.6.0.1.e.0.1.0.0.2.ip6.arpa." {
            type master;
            file "data/20010E106840-reverse.db";
            allow-query     { any; };
    };
    
    
  33. Check in your named.conf file with RCS.
  34. Reload your DNS server with "kill -HUP `cat /var/run/named/named.pid`". Now people should be able to perform the reverse lookup with "host -t PTR 7.7.f.4.e.b.e.f.f.f.6.5.0.5.2.0.9.1.0.0.0.4.8.6.0.1.e.0.1.0.0.2.ip6.arpa ns1.utopia.ncnu.org" or "host 2001:e10:6840:19:250:56ff:febe:4f77 ns1.utopia.ncnu.org".
  35. You may also edit "/etc/resolv.conf" and make ::1 the first name server (add the line "nameserver ::1" at the top), so that your own host sends its lookups, including the PTR queries traceroute6 makes for every hop, to your server. Before this change, traceroute6 shows only IPv6 addresses, because no server reachable through the global DNS answers PTR queries for your undelegated reverse zone:
    
    traceroute to ns1.utopia.ncnu.org (2001:e10:6840:19:250:56ff:febe:4f77), 30 hops max, 80 byte packets
     1  2001:e10:6840:19:250:56ff:febe:4f77 (2001:e10:6840:19:250:56ff:febe:4f77)  0.032 ms 0.013 ms  0.012 ms
    
    
    Now it will show the domain name:
    
    traceroute to ns1.utopia.ncnu.org (2001:e10:6840:19:250:56ff:febe:4f77), 30 hops max, 80 byte packets
     1  ns1.utopia.ncnu.org (2001:e10:6840:19:250:56ff:febe:4f77)  0.019 ms  0.015 ms  0.011 ms
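Reversing the nibbles by hand, as in steps 26 and 30 above, is where reverse zones usually go wrong (a dropped leading zero, or a wrong split between the zone and the owner name). This added example, not part of the original lab guide, builds the in-addr.arpa and ip6.arpa names from an address and a prefix length in plain POSIX sh and awk: it expands "::" and the leading zeros of each group, reverses the nibbles, and splits the result into the zone name for named.conf and the relative owner name for the zone file. The addresses are the lab's; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original lab guide: derive the in-addr.arpa
# and ip6.arpa names used by the reverse zones above from an address and a
# prefix length, using only POSIX sh and awk. Function names are the example's
# own; the addresses in the demo are the lab's.

# ip4_reverse A.B.C.D -> D.C.B.A.in-addr.arpa, the full PTR name.
ip4_reverse() {
    echo "$1" | awk -F. 'NF == 4 { print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# ip4_reverse_split A.B.C.D PREFIXLEN -> "OWNER ZONE" for a delegated /8, /16
# or /24: the relative owner for the zone file and the zone for named.conf.
ip4_reverse_split() {
    case $2 in 8|16|24) ;; *) echo "prefix length must be 8, 16 or 24" >&2; return 1 ;; esac
    echo "$1" | awk -F. -v n="$(( $2 / 8 ))" 'NF == 4 {
        owner = ""; for (i = 4; i > n; i--) owner = owner (owner == "" ? "" : ".") $i
        zone = "";  for (i = n; i >= 1; i--) zone = zone $i "."
        print owner " " zone "in-addr.arpa"
    }'
}

# ip6_nibbles ADDR -> the 32 hex digits of ADDR with "::" and leading zeros
# restored, lowercase, without separators. Fails on a malformed address.
ip6_nibbles() {
    echo "$1" | awk '
    function pad(g) {                   # one group -> exactly four hex digits
        if (g !~ /^[0-9a-f][0-9a-f]?[0-9a-f]?[0-9a-f]?$/) bad = 1
        while (length(g) < 4) g = "0" g
        return g
    }
    {
        addr = tolower($0)
        n = split(addr, half, "::")       # at most one "::" may appear
        nl = split(half[1], l, ":")
        nr = (n == 2) ? split(half[2], r, ":") : 0
        if (n < 1 || n > 2 || (n == 1 && nl != 8) || (n == 2 && nl + nr > 7)) bad = 1
        out = ""
        for (i = 1; i <= nl; i++) out = out pad(l[i])
        for (i = nl + nr; i < 8; i++) out = out "0000"   # groups hidden by "::"
        for (i = 1; i <= nr; i++) out = out pad(r[i])
        if (bad || length(out) != 32) {
            print "bad IPv6 address: " addr > "/dev/stderr"
            exit 1
        }
        print out
    }'
}

# reverse_nibbles HEX -> every digit as its own label, last digit first, with
# a trailing dot ("abc" -> "c.b.a.").
reverse_nibbles() {
    echo "$1" | awk '{ o = ""; for (i = length($0); i >= 1; i--) o = o substr($0, i, 1) "."; print o }'
}

# ip6_reverse ADDR -> the full PTR name under ip6.arpa.
ip6_reverse() {
    nib=$(ip6_nibbles "$1") || return 1
    echo "$(reverse_nibbles "$nib")ip6.arpa"
}

# ip6_reverse_split ADDR PREFIXLEN -> "OWNER ZONE": the first PREFIXLEN/4
# nibbles (12 for a /48) form the zone name, the remaining ones the owner.
ip6_reverse_split() {
    nib=$(ip6_nibbles "$1") || return 1
    if [ "$2" -lt 4 ] || [ "$2" -gt 124 ] || [ $(( $2 % 4 )) -ne 0 ]; then
        echo "prefix length must be a multiple of 4 between 4 and 124" >&2
        return 1
    fi
    z=$(( $2 / 4 ))
    owner=$(reverse_nibbles "$(echo "$nib" | cut -c "$(( z + 1 ))-")")
    zone=$(reverse_nibbles "$(echo "$nib" | cut -c "1-$z")")
    echo "${owner%.} ${zone}ip6.arpa"
}

# Demo on the lab's addresses: the owner to put in each reverse zone file and
# the zone name for its named.conf statement, then the full IPv6 PTR name.
ip4_reverse_split 10.19.10.160 24
ip6_reverse_split 2001:e10:6840:19:250:56ff:febe:4f77 48
ip6_reverse 2001:e10:6840:19:250:56ff:febe:4f77
```

The two words printed by each *_split function are exactly what steps 26 to 32 need: the first goes in front of PTR in the zone file, the second (with a trailing dot) into the zone "..." statement of named.conf. A prefix length that is not a multiple of 4 cannot be expressed as a plain ip6.arpa zone cut, which is why the function refuses it.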