[Lab] DNS Server

Preparation

1. Create a container:
   1. apt install bind9 openssh-server vim sudo
   2. apt install inetutils-ping
   3. apt install traceroute
   4. apt install dnsutils # host, nslookup,dig
   5. apt install net-tools # netstat
   6. useradd -g pearl -G sudo -s /bin/bash host -m
   7. echo r..t | passwd --stdin host
2. docker commit -m "Bind9 w/ sshd" -a Solomon 175c2245322f solomon_bind
3. To Keep SSH running, vi Dockerfile

    
   FROM solomon_dns1
   CMD ["/usr/sbin/sshd", "-D"]

4. docker build -t solomon_dns2 .
5. docker run -itd --name Instructor2 solomon_dns2
   • -d: detach
6. ssh host@2001:470:1f04:1ac:1225:242:ac11:2
7. vi /etc/resolv.conf
   • nameserver fd00::242:ac11:2
   • nameserver ::1
   • Delete "domain ncnu.edu.tw"
8. In zone "ncnu.org", add a resource record:
   • jumphost A 10.20.21.122
   • jumphost AAAA 2001:e10:6840:20:216:3eff:fe00:42
9. On jumphost.ncnu.org,
   • pw useradd host -g ncnu -d /home/host -m
   • With the account "host":
     1. mkdir $HOME/bin
     2. cp /usr/bin/ssh $HOME/bin
     3. vi ~/.bash_profile

        PATH=$HOME/bin
        PS1="\! \h:\W> "
        HISTFILESIZE=1000
        HISTSIZE=1000
        HISTTIMEFORMAT='%Y-%m-%d %T  '
        alias h='history 20'

     4. chsh to "/usr/local/bin/rbash"
10. Assign a public IP address to jumphost
    • ifconfig xn0 inet 163.22.20.102/24 alias
11. Allocate IPv6 Prefix /64 from HE.net
    1. Create a Tunnel with HE.net
       • Server IPv4 Address: 72.52.104.74
       • Server IPv6 Address: 2001:470:1f04:1ac::1/64
       • Client IPv4 Address: 163.22.20.102
       • Client IPv6 Address: 2001:470:1f04:1ac::2/64
    2. Routed IPv6 Prefix
       • 2001:470:1f05:1ac::/64
    3. DNS
       • Anycast IPv6 Caching Nameserver:2001:470:20::2
       • Anycast IPv4 Caching Nameserver:74.82.42.42
       • DNS over HTTPS / DNS over TLS:ordns.he.net
12. Establish a tunnel with the tunnel endpoint in Fermont, CA:
    • On ns42 (163.22.20.102, 2001:470:1f04:1ac:3056::2)
      • ifconfig gif1225 create
      • ifconfig gif1225 tunnel 163.22.20.102 72.52.104.74
      • ifconfig gif1225 inet6 2001:470:1f04:1ac::2/64
      • # sysctl net.inet6.ip6.forwarding=1 # already done
13. Create a tunnel between jumphost (ns42) and Xen07 (docker3):
    1. On ns42 (163.22.20.102, 2001:470:1f04:1ac:3056::2)
       • ifconfig gif23 create
       • ifconfig gif23 tunnel 163.22.20.102 10.20.20.205
       • ifconfig gif23 inet6 2001:470:1f04:1ac:3056::2/127
       • route -n add -inet6 2001:470:1f04:1ac:1225::/80 2001:470:1f04:1ac:3056::3
    2. On Docker3 (10.20.20.205, 2001:470:1f04:1ac::3/127)
       • ip tunnel add sit1 mode sit remote 163.22.20.102 local 10.20.20.205 ttl 30
       • ip link set sit1 up
       • ip addr add 2001:470:1f04:1ac:3056::3/127 dev sit1
    3. On Docker3:
       • ip6tables -F; ip6tables -X; ip6tables -Z
       • ip6tables -P INPUT ACCEPT; ip6tables -P OUTPUT ACCEPT; ip6tables -P FORWARD ACCEPT
       • Now I can ping 2001:470:1f04:1ac:1225::2 from ns42
       • docker exec -it Student3 /bin/bash
       • ping6 ns42.ipv6.club.tw
14. Create 8 containers for students:
    • for ((i=3; i<=10; ++i); do docker run -itd --name Student$i solomon_dns2; done

Instructor

1. On DNS server of ncnu.org:
   1. Delegate zone "dnslab.ncnu.org":
      • dnslab.ncnu.org. 360 IN NS ns1.dnslab.ncnu.org.
      • ns1.dnslab.ncnu.org. 360 IN AAAA 2001:470:1f04:1ac:1225:242:ac11:2
   2. named-checkzone ncnu.org ncnu.org
   3. rndc reload ncnu.org
2. On 2001:470:1f04:1ac:1225:242:ac11:2,
   1. cd /etc/bind
   2. sudo mkdir primary; cd primary
   3. sudo vi dnslab.ncnu.org

      $TTL 360
      @   SOA NS1.DNSLAB.NCNU.ORG.  admin.dnslab.ncnu.org. (
                              2024122501 ;serial no.
                              30m ;refresh - 2nd wait before checking for updates
                              15m ;retry - 2nd wait before retrying
                              1d ;expire - zone on 2nd server becomes invalid
                              5m ;negative cache (not found) on resolver
                              );
      @   IN  NS  ns1.dnslab.ncnu.org.
      
      ns1     AAAA     2001:470:1f04:1ac:1225:242:ac11:2
          

   4. named-checkzone dnslab.ncnu.org dnslab.ncnu.org
   5. cd ..
   6. sudo vi named.conf.local

       
      zone "dnslab.ncnu.org" {
          type primary;
          file "/etc/bind/primary/dnslab.ncnu.org";
      };

   7. named-checkconf named.conf
   8. sudo service named status
   9. sudo service named start
   10. host ns1.dnslab.ncnu.org ::1
3. Delegate Zones to students:

   student3        NS      ns1.student3
   ns1.student3    AAAA    2001:470:1f04:1ac:1225:242:ac11:3

Student

Step 1: Verify DNS

1. ssh host@jumphost.ncnu.org -p 1225
2. ssh host@2001:470:1f04:1ac:1225:242:ac11:X (X = 3~A)
3. which named
4. named -v
5. service named status
6. ls -l /etc/bind/named.conf*
7. service named start

Step 2: Authoritative Zone

1. mkdir /etc/bind/primary
2. cd /etc/bind/primary
3. vi studentX.dnslab.ncnu.org (X = 3~A)

    
   $TTL 360
   @   SOA ns1.studentX.dnslab.ncnu.org.  admin.studentX.dnslab.ncnu.org. (
                           2024122501 ;serial no.
                           30m ;refresh - 2nd wait before checking for updates
                           15m ;retry - 2nd wait before retrying
                           1d ;expire - zone on 2nd server becomes invalid
                           5m ;negative cache (not found) on resolver 
                           );
   @   IN  NS  ns1.studentX.dnslab.ncnu.org.
   ns1     AAAA   2001:470:1f04:1ac:1225:242:ac11:X 

4. vi /etc/bind/named.conf.local

    
   zone "studentX.dnslab.ncnu.org" {
       type primary;
       file "/etc/bind/primary/studentX.dnslab.ncnu.org";
   };

5. named-checkzone studentX.dnslab.ncnu.org studentX.dnslab.ncnu.org
6. named-checkconf
7. service named stop
8. /usr/sbin/named -u bind -g
9. If you see a message "zone studentX.dnslab.ncnu.org/IN: loaded serial 2024122501", your zone should be successfully loaded.
10. Your host name can be queried from the Internet. Try the following commands on a host with IPv6 (lilina can reach your DNS server via IPv6):
    • nslookup -query=AAAA ns1.studentX.dnslab.ncnu.org
    • host -t AAAA ns1.student3.dnslab.ncnu.org
    • dig ns1.student3.dnslab.ncnu.org AAAA
      • Note: You cannot type only "dig ns1.student3.dnslab.ncnu.org", because by default "dig" will query type A, but your DNS server only has an IPv6 address.

Step 3: Resource Records HINFO, TXT, etc.

1. Try to add entries under your domain.
2. You may try resoruce records A, AAAA, HINFO, TXT, and so on.
3. The host need not really exist. Whatever you write in the zone file, people can look up via DNS.
4. For example, try to add

   WWW     A       198.51.100.1
           AAAA    2001:db8::1
           HINFO   "FreeBSD 14.2" "CPU:3.4GHz*2 RAM:16GB"
           TXT     "A fake machine"

5. Then look up the records of www.studentX.dnslab.ncnu.org. (DNS lookup is case-insensitive.)

Step 4: A6 Record

1. host1   A6 64   ::1             isp1
   host2   A6 64   ::2             isp1
   isp1    A6 0    2001:db8::

2. [https://bind9.readthedocs.io/en/stable/chapter6.html] For forward lookups, BIND 9 supports only AAAA records. RFC 3363 deprecated the use of A6 records (RFC 2874), and client-side support for A6 records was accordingly removed from BIND 9.
3. However, authoritative BIND 9 name servers still load zone files containing A6 records correctly, answer queries for A6 records.
4. host -t A6 host1.studentX.dnslab.ncnu.org

Step 5: Reverse Lookup

1. vi 2001:470:1f04:1ac

   $ORIGIN c.a.1.0.4.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa.
   $TTL 5m
   @ SOA localhost. nobody.localhost. 2024122501 1d 12h 1w 5m
           ; Serial, Refresh, Retry, Expire, Neg. cache TTL
   
           NS      localhost.
   X.0.0.0.1.1.c.a.2.4.2.0.5.2.2.1 300 IN PTR ns1.studentX.dnslab.ncnu.org.

2. named-checkzone c.a.1.0.4.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 2001\:470\:1f04\:1ac
   • Zone Filename
3. vi ../named.conf.local

   zone "c.a.1.0.4.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa" {
       type primary;
       file "/etc/bind/primary/2001:470:1f04:1ac";
   };

4. service named restart
5. host 2001:470:1f04:1ac:1225:242:ac11:X ::1
6. dig -x 2001:470:1f04:1ac:1225:242:ac11:X ::1
7. Note that this reverse lookup is only effective on your DNS server. The "upstream" does not delegate it to you. (We have many students, but only one subnet. Whom should we delegate it to?)

Delegate a Zone

1. Subdomain:
   1. vi Test.StudentX.dnslab.ncnu.org

      @   IN  NS  ns1.Test.studentX.dnslab.ncnu.org.
      ns1     AAAA   2001:470:1f04:1ac:1225:242:ac11:X

   2. vi ../named.conf.local zone "test.studentX.dnslab.ncnu.org" { type primary; file "/etc/bind/primary/test.studentX.dnslab.ncnu.org"; };
2. service named restart
3. You should be able to look up the entry "host ns1.test.studentX.dnslab.ncnu.org ::1".
4. Zone Delegator:
   1. vi StudnetX.dnslab.ncnu.org

      test   IN  NS  ns1.Test.studentX.dnslab.ncnu.org.
      ns1.test     AAAA   2001:470:1f04:1ac:1225:242:ac11:X

5. service named restart
6. "host ns1.test.studentX.dnslab.ncnu.org" should return the corresponding IPv6 address.