[Lab] DNS Server

Preparation

  1. Create a container:
    1. apt install bind9 openssh-server vim sudo
    2. apt install inetutils-ping
    3. apt install traceroute
    4. apt install dnsutils # host, nslookup,dig
    5. apt install net-tools # netstat
    6. useradd -g pearl -G sudo -s /bin/bash host -m
    7. echo r..t | passwd --stdin host
  2. docker commit -m "Bind9 w/ sshd" -a Solomon 175c2245322f solomon_bind
  3. To keep SSH running, vi Dockerfile
     
    FROM solomon_dns1
    CMD ["/usr/sbin/sshd", "-D"]
  4. docker build -t solomon_dns2 .
  5. docker run -itd --name Instructor2 solomon_dns2
  6. ssh host@2001:470:1f04:1ac:1225:242:ac11:2
  7. vi /etc/resolv.conf
  8. In zone "ncnu.org", add a resource record:
  9. On jumphost.ncnu.org,
  10. Assign a public IP address to jumphost
  11. Allocate IPv6 Prefix /64 from HE.net
    1. Create a Tunnel with HE.net
      • Server IPv4 Address: 72.52.104.74
      • Server IPv6 Address: 2001:470:1f04:1ac::1/64
      • Client IPv4 Address: 163.22.20.102
      • Client IPv6 Address: 2001:470:1f04:1ac::2/64
    2. Routed IPv6 Prefix
      • 2001:470:1f05:1ac::/64
    3. DNS
      • Anycast IPv6 Caching Nameserver: 2001:470:20::2
      • Anycast IPv4 Caching Nameserver: 74.82.42.42
      • DNS over HTTPS / DNS over TLS: ordns.he.net
  12. Establish a tunnel with the tunnel endpoint in Fremont, CA:
  13. Create a tunnel between jumphost (ns42) and Xen07 (docker3):
    1. On ns42 (163.22.20.102, 2001:470:1f04:1ac:3056::2)
      • ifconfig gif23 create
      • ifconfig gif23 tunnel 163.22.20.102 10.20.20.205
      • ifconfig gif23 inet6 2001:470:1f04:1ac:3056::2/127
      • route -n add -inet6 2001:470:1f04:1ac:1225::/80 2001:470:1f04:1ac:3056::3
    2. On Docker3 (10.20.20.205, 2001:470:1f04:1ac::3/127)
      • ip tunnel add sit1 mode sit remote 163.22.20.102 local 10.20.20.205 ttl 30
      • ip link set sit1 up
      • ip addr add 2001:470:1f04:1ac:3056::3/127 dev sit1
    3. On Docker3:
      • ip6tables -F; ip6tables -X; ip6tables -Z
      • ip6tables -P INPUT ACCEPT; ip6tables -P OUTPUT ACCEPT; ip6tables -P FORWARD ACCEPT
      • Now I can ping 2001:470:1f04:1ac:1225::2 from ns42
      • docker exec -it Student3 /bin/bash
      • ping6 ns42.ipv6.club.tw
  14. Create 8 containers for students:

Instructor

  1. On DNS server of ncnu.org:
    1. Delegate zone "dnslab.ncnu.org":
      • dnslab.ncnu.org. 360 IN NS ns1.dnslab.ncnu.org.
      • ns1.dnslab.ncnu.org. 360 IN AAAA 2001:470:1f04:1ac:1225:242:ac11:2
    2. named-checkzone ncnu.org ncnu.org
    3. rndc reload ncnu.org
  2. On 2001:470:1f04:1ac:1225:242:ac11:2,
    1. cd /etc/bind
    2. sudo mkdir primary; cd primary
    3. sudo vi dnslab.ncnu.org
      $TTL 360
      @   SOA NS1.DNSLAB.NCNU.ORG.  admin.dnslab.ncnu.org. (
                              2024122501 ;serial no.
                              30m ;refresh - how long a secondary waits before checking for updates
                              15m ;retry - how long a secondary waits before retrying a failed refresh
                              1d ;expire - after this the zone copy on a secondary becomes invalid
                              5m ;negative cache TTL (not found) on resolvers
                              )
      @   IN  NS  ns1.dnslab.ncnu.org.

      ns1     AAAA     2001:470:1f04:1ac:1225:242:ac11:2
          
    4. named-checkzone dnslab.ncnu.org dnslab.ncnu.org
    5. cd ..
    6. sudo vi named.conf.local
       
      zone "dnslab.ncnu.org" {
          type primary;
          file "/etc/bind/primary/dnslab.ncnu.org";
      };
    7. named-checkconf named.conf
    8. sudo service named status
    9. sudo service named start
    10. host ns1.dnslab.ncnu.org ::1
  3. Delegate Zones to students:
    student3        NS      ns1.student3
    ns1.student3    AAAA    2001:470:1f04:1ac:1225:242:ac11:3

Student

Step 1: Verify DNS

  1. ssh host@jumphost.ncnu.org -p 1225
  2. ssh host@2001:470:1f04:1ac:1225:242:ac11:X (X = 3~A)
  3. which named
  4. named -v
  5. service named status
  6. ls -l /etc/bind/named.conf*
  7. service named start

Step 2: Authoritative Zone

  1. mkdir /etc/bind/primary
  2. cd /etc/bind/primary
  3. vi studentX.dnslab.ncnu.org (X = 3~A)
     
    $TTL 360
    @   SOA ns1.studentX.dnslab.ncnu.org.  admin.studentX.dnslab.ncnu.org. (
                            2024122501 ;serial no.
                            30m ;refresh - how long a secondary waits before checking for updates
                            15m ;retry - how long a secondary waits before retrying a failed refresh
                            1d ;expire - after this the zone copy on a secondary becomes invalid
                            5m ;negative cache TTL (not found) on resolvers
                            )
    @   IN  NS  ns1.studentX.dnslab.ncnu.org.
    ns1     AAAA   2001:470:1f04:1ac:1225:242:ac11:X
  4. vi /etc/bind/named.conf.local
     
    zone "studentX.dnslab.ncnu.org" {
        type primary;
        file "/etc/bind/primary/studentX.dnslab.ncnu.org";
    };
  5. named-checkzone studentX.dnslab.ncnu.org studentX.dnslab.ncnu.org
  6. named-checkconf
  7. service named stop
  8. /usr/sbin/named -u bind -g
  9. If you see a message "zone studentX.dnslab.ncnu.org/IN: loaded serial 2024122501", your zone should be successfully loaded.
  10. Your host name can be queried from the Internet. Try the following commands on a host with IPv6 (lilina can reach your DNS server via IPv6):

Step 3: Resource Records HINFO, TXT, etc.

  1. Try to add entries under your domain.
  2. You may try resource records A, AAAA, HINFO, TXT, and so on.
  3. The host need not really exist. Whatever you write in the zone file, people can look up via DNS.
  4. For example, try to add
    WWW     A       198.51.100.1
            AAAA    2001:db8::1
            HINFO   "FreeBSD 14.2" "CPU:3.4GHz*2 RAM:16GB"
            TXT     "A fake machine"
  5. Then look up the records of www.studentX.dnslab.ncnu.org. (DNS lookup is case-insensitive.)

Step 4: A6 Record

  1. host1   A6 64   ::1             isp1
    host2   A6 64   ::2             isp1
    isp1    A6 0    2001:db8::
  2. [https://bind9.readthedocs.io/en/stable/chapter6.html] For forward lookups, BIND 9 supports only AAAA records. RFC 3363 deprecated the use of A6 records (RFC 2874), and client-side support for A6 records was accordingly removed from BIND 9.
  3. However, authoritative BIND 9 name servers still load zone files containing A6 records correctly and answer queries for A6 records.
  4. host -t A6 host1.studentX.dnslab.ncnu.org

Step 5: Reverse Lookup

  1. vi 2001:470:1f04:1ac
    $ORIGIN c.a.1.0.4.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa.
    $TTL 5m
    @ SOA localhost. nobody.localhost. 2024122501 1d 12h 1w 5m
            ; Serial, Refresh, Retry, Expire, Neg. cache TTL
    
            NS      localhost.
    X.0.0.0.1.1.c.a.2.4.2.0.5.2.2.1 300 IN PTR ns1.studentX.dnslab.ncnu.org.
  2. named-checkzone c.a.1.0.4.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 2001\:470\:1f04\:1ac
  3. vi ../named.conf.local
    zone "c.a.1.0.4.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa" {
        type primary;
        file "/etc/bind/primary/2001:470:1f04:1ac";
    };
  4. service named restart
  5. host 2001:470:1f04:1ac:1225:242:ac11:X ::1
  6. dig -x 2001:470:1f04:1ac:1225:242:ac11:X ::1
  7. Note that this reverse lookup is only effective on your DNS server. The "upstream" does not delegate it to you. (We have many students, but only one subnet. Whom should we delegate it to?)
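As an added example (not part of the lab page), the nibble reversal that Step 5 does by hand, written as a small Python script: it derives the ip6.arpa $ORIGIN and the PTR owner names for any address inside the lab's /64 and renders the zone in the layout above. The prefix, serial and host addresses are taken from this page; the function names are my own.

```python
import ipaddress

# The lab's HE.net /64 from the Preparation section; student hosts live inside it.
LAB_PREFIX = ipaddress.IPv6Network("2001:470:1f04:1ac::/64")

def reverse_nibbles(addr: str) -> list[str]:
    """All 32 hex nibbles of an IPv6 address, least significant first."""
    return list(reversed(ipaddress.IPv6Address(addr).exploded.replace(":", "")))

def ip6_arpa_origin(network: ipaddress.IPv6Network) -> str:
    """$ORIGIN of the reverse zone for network (prefix length on a nibble boundary)."""
    if network.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4")
    nibbles = reverse_nibbles(str(network.network_address))
    return ".".join(nibbles[32 - network.prefixlen // 4:]) + ".ip6.arpa."

def ptr_owner(addr: str, network: ipaddress.IPv6Network) -> str:
    """Owner name of addr's PTR record, relative to ip6_arpa_origin(network)."""
    if ipaddress.IPv6Address(addr) not in network:
        raise ValueError(f"{addr} is outside {network}")
    return ".".join(reverse_nibbles(addr)[: 32 - network.prefixlen // 4])

def reverse_zone(network: ipaddress.IPv6Network, ptrs: dict[str, str], serial: int) -> str:
    """Render a reverse zone in the layout of Step 5 (SOA and NS values as in the lab)."""
    lines = [
        f"$ORIGIN {ip6_arpa_origin(network)}",
        "$TTL 5m",
        f"@ SOA localhost. nobody.localhost. {serial} 1d 12h 1w 5m",
        "        ; Serial, Refresh, Retry, Expire, Neg. cache TTL",
        "        NS      localhost.",
    ]
    for addr, name in sorted(ptrs.items()):
        if not name.endswith("."):      # an unqualified target would get the origin appended
            raise ValueError(f"PTR target {name} must be fully qualified")
        lines.append(f"{ptr_owner(addr, network)} 300 IN PTR {name}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed input: reverse entries for students 3 and 4 (X = 3, 4 in the lab).
    hosts = {f"2001:470:1f04:1ac:1225:242:ac11:{x}": f"ns1.student{x}.dnslab.ncnu.org."
             for x in (3, 4)}
    print(reverse_zone(LAB_PREFIX, hosts, 2024122501), end="")
```

Feed the output to named-checkzone exactly as in step 2 above; the owner name for X = 3 comes out as 3.0.0.0.1.1.c.a.2.4.2.0.5.2.2.1, matching the hand-written record.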

Delegate a Zone

  1. Subdomain:
    1. vi test.studentX.dnslab.ncnu.org
      @   IN  NS  ns1.test.studentX.dnslab.ncnu.org.
      ns1     AAAA   2001:470:1f04:1ac:1225:242:ac11:X
    2. vi ../named.conf.local
      zone "test.studentX.dnslab.ncnu.org" {
          type primary;
          file "/etc/bind/primary/test.studentX.dnslab.ncnu.org";
      };
  2. service named restart
  3. You should be able to look up the entry "host ns1.test.studentX.dnslab.ncnu.org ::1".
  4. Zone Delegator:
    1. vi studentX.dnslab.ncnu.org
      test   IN  NS  ns1.Test.studentX.dnslab.ncnu.org.
      ns1.test     AAAA   2001:470:1f04:1ac:1225:242:ac11:X
  5. service named restart
  6. "host ns1.test.studentX.dnslab.ncnu.org" should return the corresponding IPv6 address.
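Added example, not code from the lab: a delegation sanity check for the Zone Delegator step. It parses one-record-per-line zone text like the lab's (the parenthesised multi-line SOA is not supported, and the origin is passed in rather than read from $ORIGIN), then checks that the parent's NS records for the child match the child's own apex NS set and that every in-zone nameserver has a glue address in the parent, which is what a resolver following the delegation needs. The sample zones are constructed from the page's records with X = 3.

```python
def absolutize(name: str, origin: str) -> str:
    # '@' is the origin; names without a trailing dot are relative to it
    if name == "@":
        return origin.lower()
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def parse_zone(text: str, origin: str) -> list[tuple[str, str, str]]:
    """Parse one-record-per-line zone text into (owner, type, rdata) triples."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()          # drop comments and blank lines
        if not line or line.startswith("$"):      # $TTL/$ORIGIN: origin is passed in
            continue
        toks = line.split()
        owner = absolutize(toks.pop(0), origin)
        while toks and (toks[0].isdigit() or toks[0].upper() == "IN"):
            toks.pop(0)                           # optional TTL and class tokens
        rtype, rdata = toks[0].upper(), " ".join(toks[1:])
        if rtype in ("NS", "CNAME", "PTR"):       # name rdata: qualify and lowercase
            rdata = absolutize(rdata, origin)
        records.append((owner, rtype, rdata))
    return records

def check_delegation(parent, child, child_apex: str) -> list[str]:
    """Return delegation problems; an empty list means parent and child agree."""
    apex = child_apex.lower()
    parent_ns = {r for o, t, r in parent if o == apex and t == "NS"}
    child_ns = {r for o, t, r in child if o == apex and t == "NS"}
    problems = []
    if not parent_ns:
        problems.append(f"parent has no NS records for {apex}")
    elif parent_ns != child_ns:
        problems.append(f"NS sets differ: parent {sorted(parent_ns)} vs child {sorted(child_ns)}")
    for ns in sorted(parent_ns):                  # in-zone nameservers need glue in the parent
        if ns.endswith("." + apex) and not any(o == ns and t in ("A", "AAAA") for o, t, _ in parent):
            problems.append(f"no glue address record for in-zone nameserver {ns}")
    return problems

# Constructed sample zones modelled on the lab's records with X = 3 (SOA lines omitted).
PARENT_ZONE = """\
@        IN  NS    ns1.student3.dnslab.ncnu.org.
ns1          AAAA  2001:470:1f04:1ac:1225:242:ac11:3
test     IN  NS    ns1.Test.student3.dnslab.ncnu.org.
ns1.test     AAAA  2001:470:1f04:1ac:1225:242:ac11:3
"""
CHILD_ZONE = """\
@        IN  NS    ns1.Test.student3.dnslab.ncnu.org.
ns1          AAAA  2001:470:1f04:1ac:1225:242:ac11:3
"""
```

Call check_delegation(parse_zone(PARENT_ZONE, "student3.dnslab.ncnu.org."), parse_zone(CHILD_ZONE, "test.student3.dnslab.ncnu.org."), "test.student3.dnslab.ncnu.org.") to get an empty list for the lab's records; deleting the ns1.test glue line reports the missing glue.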