=Introduction=
In this lab you will create and modify some basic BASH scripts.
=Lab Procedure=
== Prerequisites ==
# Have completed the reading on BASH scripting. If you haven't done this you will almost certainly have difficulty completing the lab!
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account

== Creating Simple BASH Scripts ==
At their core BASH scripts are really just lists of commands which could have been entered directly into the command line but have been pre-entered into a file to be run later instead. We can see how this works by creating a couple of very simple BASH scripts which each just run a single command. Your ability to write BASH scripts that do something useful is really only limited by how well you know Linux commands and utilities which could be included in the script. The '''echo''' command can be used on your system to print information out to the standard output.
<ol>
<li> Lets try running a command echo on your computer:</li>
<code>echo Hello World!</code>
<ul>You should see the text "Hello World!" printed out on the screen below your command.</ul>
<li> Create a new text file named ''hello.sh'' with the following text:</li>
* In order to turn that command into a script we just need to put the command into a text file and add one more line, called a ''sha-bang'' because it is made up of a hash (pound) sign and a bang (exclamation) sign. This line tells the system what program to use to interpret the commands in the script. In this case we're going to be writing BASH scripts so we'll set it for the BASH program.
<pre>#!/bin/bash
echo Hello World!</pre>
* Set the ''hello.sh'' file to be executable by all users on the system so that we will be able to run it.
* ''NOTE: As a safety precaution against mistakenly executing something you don't really want to the shell will not allow you to run a file by just typing the filename, even if you are in the correct directory. The location of the file must either be included in your system's PATH, you must specify the full path to the file (such as '''/home/jsmith/hello.sh'''), or if you are in the correct directory already you can put in a relative path like '''./hello.sh'''. Remember, a single period is a shortcut which means the current directory so ./ means a file in the current working directory. Try running your ''hello.sh'' script now. If your system outputs ''Hello World!'' just like when you ran the '''echo''' command from the command line directly you have successfully written your first BASH script!''
<li> Now try using what you have learned to create and test another script named ''simple-backup.sh'' which executes the command '''tar -czf /var/jsmith-backup.tar.gz /home/jsmith/''' when the script is run.</li>
</ol>

== Using Variables and Conditionals in BASH Scripts ==
<ol>
<li> Variables are a key part of turning a simple list of instructions you could type into a command line into something much more powerful by allowing you to reuse code and do something very similar (remember programmers are lazy!) but with a little tweak each time without re-writing the whole thing. Variables can be defined in the script itself but there are also special variables which are part of the BASH environment we can use. Variables can be identified in bash scripts as starting with a ''$''. One type of these variables allows us to access arguments which have been supplied as part of the command line calling the script. Sometimes we only want to run certain sections of the script or we want to modify the script depending on the outcome of some test, called a conditional. This is often used in combination with variables as we'll see in the example below.</li>
<li> In BASH the script filename is assigned to the ''$0'' variable, the first argument to ''$1'' and so on. Let's see how we can modify our ''hello.sh'' script to make it a bit more personable by including a name. Try adjusting your ''hello.sh'' script to look like this:
<pre>
#!/bin/bash
echo Hello $1!
</pre></li>
<li> What do you think will happen if you run the script like this '''./hello yourfirstname'''? Try it and find out if you were correct in your hypothesis!</li>
<li> Wait, what if someone doesn't know they are supposed to include their name as an argument though? Try just running '''./hello.sh''' again and see what happens. It might be the case that we want to go back to the simple ''Hello World!'' and maybe add some instructions if they don't specify an argument. Try updating your ''hello.sh'' script again and adding a conditional like this:
<pre>
#!/bin/bash
if [ -n "$1" ]; then
echo Hello $1!
else
echo Hello World!
echo Try running $0 yourfirstnamehere to get a personal greeting!
fi
</pre></li>
<li> See if you can predict what these changes will do when the script is run and then try it out to see if you are correct.</li>
<li> It's also possible to capture the standard output of a command executed by the script and put that into a variable for later use. For example, try running the '''date +%Y%m%d''' command. We can use the output of this command in a variable to make our backup script a little bit nicer. Save this script as ''better-backup.sh'' with the appropriate permissions to run it as a script.
<pre>
#!/bin/bash
USER="jsmith"
TODAY=$(date +%Y%m%d)
BACKUPFILE="/var/"$USER"-backup-"$TODAY".tar.gz"
echo Beginning backup for $USER on $TODAY
tar -czf $BACKUPFILE /home/$USER/
echo Backup completed for $USER saved to $BACKUPFILE
</pre></li>
<li> See if you can predict what this script will do and then try it out to see if you are correct. Once you have figured out how this script works see if you can modify it so you can specify a username as an argument instead of as a fixed variable. Can you do this with a change to only one line?</li>
<li> After successfully doing that try modifying the script so that it gives instructions about how to use the script if you forget to give a username as an argument.</li>
<li> It is important to note that while this script works, it's just a simple example and not well written because it is easily broken by giving a username which doesn't actually exist on the system, or trying to backup files you don't have permission to access, etc. A better script could be written to check for all of these things as well as other errors. If the script is to be used by more people than the original author (and in the best cases, even then) it is important for usability and security purposes to do these sorts of checks, particularly if the script accepts user input such as an argument.</li>
</ol>

== Using Loops and Reading User Input ==
<ol>
<li> Sometimes you want a program to do something over and over again several times. This is typically done using a loop. Let's say you wanted to create a bunch of sample files to do some further practice with in the current directory named ''sample-fileX.extension'' where ''X'' was a number that would keep incrementing by 1 each time and you could specify any extension you wanted. We could certainly use arguments to capture that user input but it is also possible to accept input from the user directly while the script is running. This would create what we call an "interactive" script because the user is interacting with it while it runs.</li>
<li> Create a ''file-generator.sh'' script on your system like the one below and see if you can figure out how it works before testing it:
<pre>
#!/bin/bash
BASENAME=sample-file
echo "Welcome to the sample file generation utility!"
echo "Files will be created using the filename format "$BASENAME"X.extension"
echo "Enter the number of files you wish to create, then press Enter:"
read NUM
echo "Enter the extension (without the leading period) to put on the files"
read EXTENSION
for CURNUM in `seq 1 $NUM`; do
touch $BASENAME$CURNUM.$EXTENSION
done
echo "Created "$NUM" file(s)."
</pre>
There are a few things to note about this script. First, we have used one type of loop, a FOR loop, but there are others and other ways to make this work. Second you can see several more examples of calling another program inside your script. In this case we have used the '''read''', '''seq''', and '''touch''' programs to accomplish our goal. The '''seq''' program is especially useful while writing scripts. It can be used to generate a series of numbers from a starting number (1 in this case) to a stopping number (''$NUM'' in this case). There are many other helpful programs you can use while writing scripts including some you know about already such as '''grep''' and '''find''', and others you don't such as '''sed''' and '''awk'''. You can even use programs like '''wget''' to get information from the Internet and process it for use in a script instead of using it for just downloading a file. For example, if you know of a web site that lists the sunrise and sunset times you can use a combination of '''wget''' and '''grep'''/'''awk'''/'''sed''' to pull that time out of the webpage and use it as part of a script. The possibilities are almost endless, time spent learning about the ins and outs of these little utilities is time well spent if you will be writing shell scripts!</li>
<li> Try running the script and see if you were correct about what it does and how it works.</li>
<li> Also, it is important to note that while this script works, it's just a simple example and not well written because it is easily broken by the user entering something other than a number for the number of files to be created, etc. A better script could be written to check for all of these things as well as other errors. If the script is to be used by more people than the original author (and in the best cases, even then) it is important for usability and security purposes to do these sorts of checks, particularly if the script accepts user input! This is how security bugs are born.</li>
<li> See if you can modify the script so you can specify a starting and an ending number for the files rather than just a number of files to be created.</li>
<li> See if you can add a check to the script which will display an example of a filename that will be created and asking the user if that looks correct before actually creating all the files. If the user enters ''N'' then do not create the files.</li>
</ol>

== Functions and Experimenting ==
<ol>
<li> One final programming structure we should discuss is the function. In shell scripting you can think of a function like something you could have put into a separate script so that you could call it to do something multiple times from inside of your script but instead of making it a completely separate file you decided to include it in a single script. Here is a simple sample:
<pre>
#!/bin/bash
function helloname {
echo "Type your name, followed by enter:"
read NAME
echo "Hello "$NAME"!"
}
echo "This program will welcome you twice to be extra nice!"
helloname
echo "At this point we could be doing lots of other stuff in our script or be in a loop, etc."
helloname
echo "Thanks for playing!"
</pre>
See if you can figure out what will happen when you run it, then try it out and see if you were correct. Note that functions need to be declared (listed) before you use them in your script so it would be common to see them at the beginning of the file as in this example. Also, it's possible to pass information to a function using arguments just like you would with a separate script.</li>
<li> Now that you have a grasp on the fundamentals of BASH scripting see if you can write a script which can be used to modify the name of all files in the current directory which share the same extension such as those created by ''file-generator.sh''. The goals for your script should be:
* The user has a choice to enter the original and the new extension for the files either using command line arguments or interactively by answering questions your script asks.
* The script should display each old file name and then the new file name next to it so you can see what is going on
* You will want to use conditionals to figure out if the user entered arguments to use as the old and new extensions or should be prompted for them interactively.
* You should use functions and loops in order to make the most efficient script possible. Hints: The actual renaming of the files and displaying old and new names would be a good thing to put in a function because you will be calling it over and over again. Also, loops can be used to operate on a list of things such as a list of filenames.
Don't be afraid to try using search engines for help with this. The goal of this lab is not to make you into a professional programmer but to introduce you enough to shell scripting so that you can create useful scripts with resources such as search engines available to you.
</li>
</ol>

File:Bind named conf.png

2021-02-13T03:08:45Z

KreidKolo: KreidKolo uploaded a new version of File:Bind named conf.png

Lab 8 mnjk

2021-02-13T03:06:21Z

KreidKolo: /* Install BIND & Enable Caching */

=Introduction=
In this lab you will perform the following tasks:
*Install BIND and configure as caching plus zones for a local domain
*Learn how to create domains using Webmin
*Learn how to manually edit using a zone file
You will use the following commands:
*'''[https://linux.die.net/man/1/dig dig]'''
*'''[https://linux.die.net/man/1/nslookup nslookup]'''
*'''[https://linux.die.net/man/8/shutdown shutdown]'''
*'''[https://linux.die.net/man/8/sudo sudo]'''
*'''[https://www.man7.org/linux/man-pages/man1/systemctl.1.html systemctl]'''

=Lab Procedure=
== Prerequisites ==
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account.
# Make sure that Webmin is installed on your system.
== Install BIND & Enable Caching ==
'''''[https://www.youtube.com/watch?v=frZ7FrJyjME Video Tutorial - Installing BIND and Enabling Caching]''''' 
<ol>
<li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li>
<ul>BIND (Berkeley Internet Name Domain) is one of the available DNS server applications for Linux and the most well known and used nameserver on the Internet.</ul>
<li>You will also want to install the '''dnsutils''' package.</li>
<ul>In order to use the '''nslookup''' and '''dig''' programs for DNS testing and troubleshooting you'll need dnsutils</ul>
<li>Open up ''/etc/bind/named.conf.options'' with your favorite text editor.</li>
<ul>Now we will need to enable DNS caching and forwarding on the BIND server. This will allow us to use it for DNS resolving locally, as well as speed up frequent DNS requests.</ul>
<ul>
* You are now in the local options file for BIND. You will need to uncomment (remove the // from the front of) the following lines:
: [[File:Bind_named_conf.png | 500px]]
* '''NOTE:''' You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul>
<ul>The reason we setup a forwarder address is so that domain requests that are not on our system are passed to another DNS server instead of being searched against the root nameservers. You may want to do this in domain or enterprise environments as most large networks have internal domain names setup that only redirect inside of a local LAN. By using a forwarder, as long as the DNS server you push requests to is able to access those internal records, you will be able to access local content from internal domain names instead of needing to rely on IP addresses.</ul>
<li>To apply these changes, you will need to restart the BIND server with administrative permissions.</li>
<code>sudo service bind9 restart</code>
<li>Next, open up your interfaces file (''/etc/network/interfaces'') with your favorite file editor.</li>
<ul>
* Change the dns server for the primary network interface to ''127.0.0.1''.</ul>
<ul>The change to ''/etc/network/interfaces'' will take effect if you restart your system. To avoid doing that right now you can edit the ''/etc/resolv.conf'' file so that it has only one nameserver line like ''nameserver 127.0.0.1'' Note that unless you reboot the system it will eventually get reset back to it's prior setting by a background system process so at some point you will want to reboot your system to make the change permanent.</ul>
<li>Run the command:</li>
<code>nslookup inverhills.edu</code>
<ul>If BIND is working, you should now see the following output:</ul>
: [[File:Nslookup_inverhillsedu.png | 500px]]
* Notice how it shows it is using 127.0.0.1 as the server. If you do not see this, then your interface file or resolv.conf file is not set to use the local machine for DNS lookups. Note also that the IP address returned for this domain may vary from the one shown in the output above.</li>
<li>Run:</li>
<code>dig inverhills.edu</code>
<ul>See if you can find where the IP address for the domain is reported in the output as well as where the server IP address is reported in the output.</ul>
<li>Now would be a good time to reboot your server to ensure the DNS server network interface configuration changes remain permanent.</li>
<code>sudo shutdown -r now</code>
<li>Once the system reboots log back in and use '''nslookup''' or '''dig''' to verify the default nameserver being used is ''127.0.0.1''.</li>
</ol>

== Create a Domain using Webmin ==
'''''[https://www.youtube.com/watch?v=53aK9FeYz68 Video Tutorial - Create a Domain Using Webmin]''''' 
Now we are going to use Webmin to create a few different type of domain records and have our system serve as a DNS server for a domain. We will utilize A (Host), AAAA (IPv6 host), MX (Mail Exchange), and CNAME (Canonical Name) records.
<ol>
<li>Open up your '''Webmin panel''' and sign in.</li>
<ul>Now that we have BIND installed, you will need to click the Refresh Modules option on the left sidebar to have Webmin recheck the system for installed packages and services so that it will show up as an option in the ''Servers'' tab.</ul>
<li>Under the ''Servers'' tab, open up ''BIND DNS Server'', under ''Existing DNS Zones'' click ''Create master zone''.</li>
<ul>From here we will create a new domain name for our server to respond to DNS queries for.</ul>
<li>Use the following options, '''where * is replaced by your System ID''' that was defined in [[Franske ITC-2480 Lab 5|Lab 5]] (just the letter of your system, for example the domain name would be ''debserv-A.test'' if you had System ID "A").
<pre>Zone type: Forward (Names to Addresses)
Domain name / Network: debserv-*.test
Records file: Automatic
Master server: Leave as your hostname
Email address: root@debserv-*.test</pre></li>
<li>Click the ''create'' button to add the domain.</li>
<ul> As this point you should now be on the ''Edit Master Zone'' page. From here you can add and edit domain records for this domain name.</ul>
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li>
* For the ''Name'' enter ''@''. Note: The ''@'' symbol in DNS Zones defines the parent domain (alternatively you could re-enter the parent domain ''debserv-*.test.'' with the period at the end).
* In the ''address'' field enter your VM's static IP set in [[Franske ITC-2480 Lab 5|Lab 5]] and click ''Create''.
<li> Return to the main BIND DNS Server page. Click the ''Apply Configuration'' link (which looks like two arrows chasing each other) in the top right corner. You'll see the "Apply Configuration" text if you hover your mouse over the button.</li>
<li> To test the record use '''nslookup''' or '''dig''' to lookup the domain you just created (Replace the * with your letter.)</li>
<code>nslookup debserv-*.test</code>
<code>dig debserv-*.test</code>
* If you have issues looking up the domain, make sure that the system is still using 127.0.0.1 as the DNS server. If not, check your ''/etc/resolv.conf'' file.</li>
</ol>

== Additional DNS Record Types ==
'''''[https://www.youtube.com/watch?v=dC6RsYYMk4w Video Tutorial - Additional DNS Record Types]''''' 
Now we are going to add a few more record types to our Domain. This will include an ''MX'' (Mail Exchange) and ''CNAME'' (Canonical Name) record. We will start with the MX record. MX records are used by email servers to look up where to forward email for a specific domain.
<ol>
<li>In Webmin on the '''BIND DNS Server''' page, click the domain on the bottom named ''debserv-*.test'' and then click the '''Mail Server''' button. Under ''name'', enter ''@'' again, and for ''mail server'' enter ''mail.debserv-*.test.'' (with the period at the end). For ''Priority'', enter ''10''.</li>
* This entry has said we want other servers trying to send mail to ''users@debserv-*.test'' to actually send it to the server at ''mail.debserv-*.test'' which allows us to use a different server for email than we use fore web serving, etc.
* The Priority entry allows people to define more than one MX record for a name, and the order which the sending service will try to use for contacting the various mail servers at your domain.</li>
<li>Go back to the domain zone overview page. Add an ''A'' record for ''mail.debserv-*.test'' which points to the IP of your system.</li>
<ul>Because we don't currently have an "A" (address) record for ''mail.debserv-*.test'' the mail would currently go undelivered.</ul>
* Reapply configuration settings like you did in the last section of this lab using the button with the two arrows in a circle.
<li> To test an ''MX'' record we need to make multiple queries and ask '''nslookup''' or '''dig''' to fist check for MX records for the domain like:</li>
<code>nslookup -type=MX debserv-*.test</code>
<ul>or</ul>
<code>dig debserv-*.test MX</code>
which will return the names of the mail servers for that domain. We then need to do a regular '''nslookup''' or '''dig''' on those names to determine what IP addresses those are pointed to. Of course, for mail to actually work we'd also need to insure mail server software is installed and configured on that server as well.</li>
<li>Again return to the domain zone overview page.</li>
<ul>We are now going to create a CNAME record. CNAME records are useful as they allow you to create virtual A records (aliases), but point them to another domain or host name instead of to a specific IP address. This allows you to have many hostnames all pointed to the same A record which contains the actual IP address so if the IP address changes you only need to change a single A record and all the hostnames will change. It can also be used to redirect a hostname at one domain to an entirely different domain.</ul>
<li>On the ''Edit Master Zone'' page for your domain, click the ''Name Alias'' button. For the ''Name'', enter ''blog'' and for the ''Real Name'', enter your domain ''debserv-*.test.'' but remember to put a period at the end of the domain as this is an ''absolute name''. Press ''create'' to add the record.</li>
<li>Click the ''Apply Configuration'' link at the top right of the page again. This will apply the records you have created. Now back in PuTTY, run: 
<code>nslookup blog.debserv-*.test</code>
or the equivalent '''dig''' command. 
You should get a response similar to:</li>
<pre>Server: 127.0.0.1
Address: 127.0.0.1#53

blog.debserv-*.test canonical name = debserv-*.test.
Name: debserv-*.test
Address: 172.17.50.XXX
</pre>
<ul>One thing we can use CNAMEs for is to create virtual web hosts in Apache that listens for the domain blog.debserv-*.test, and then forwards you directly to your blog folder instead of to our main web page. </ul>
<li>In '''Webmin''' under the ''Servers'' tab, select ''Apache Webserver''. Then on the top, click the ''Create virtual host'' button and use the following configuration:
<pre>Handle Connections to Address: any address
Port: 80
Document Root: /var/www/html/blog/
Server Name: blog.debserv-*.test
Add virtual server to file: new file under virtual servers directory
Copy directives from: nowhere
</pre>
When done, press ''Create Now''.
<li> When you are back at the ''Apache Webserver'' page, then click ''Apply Changes'' in the top right.</li>
<li>Now in a SSH session, open up your favorite command line web browser like '''links''' and visit ''blog.debserv-*.test.'' make special note that when you enter the URL in Links you need to include the extra period at the end.</li>
<ul> This is because the .test domain is not a regular TLD like .com .org etc. and the Links browser doesn't know how to handle it unless we force it as a domain name by adding the period at the end. This is not related to it being a CNAME or our Apache configuration and with a regular domain name would not be required. Notice how you are now visiting the blog directly, instead of your modified index.html file. This is because we setup a virtual host in Apache that listens for requests to the CNAME we created and points to the document root where the Wordpress software is installed.
* Note that you will not be able to use this URL to access the blog from your local PC yet because your local PC isn't using your Linux server as it's DNS server and the .test domain isn't registered to your DNS server.</ul>
<li>Congrats, at this point you have a basic domain working with a MX, CNAME, and A record.</li>
</ol>

== Adding a AAAA record ==
'''''[https://www.youtube.com/watch?v=sql0Wlo8F5g Video Tutorial - Adding an AAAA Record]''''' 
Now we are going to add an ''AAAA'' (IPv6 host) record to our domain. To do this, we will first need to make sure that IPv6 networking is setup in our virtual machine.
<ol>
<li> Use <code>ip address show</code> to check the ''inet6'' address (IPv6 Address) on the primary network interface.</li>
<ul> You should have an address starting with ''2607:f930:1c00:50:''. If you do not please check with your instructor. You will need to write down or remember this full address as we will use it in Webmin to create our AAAA record.</ul>
<li> Back in '''Webmin''', under the ''BIND DNS Server'' tab, select your ''debserv-*.test'' domain from the bottom and then click the ''IPv6 Address'' button. For the name, enter ''@'' and for the ''address'' enter your IPv6 address WITHOUT the subnet prefix (No /64 on the end).</li>
<ul> It should look similar to this: ''2607:f930:1c00:50:xxxx:xxxx:xxxx:xxxx''.</ul>
<li>When done click ''create''. Remember to click the ''apply configuration'' link in the top right to apply the changes.</li>
<li> In order to verify the AAAA record is working we need to modify the '''nslookup''' or '''dig''' command to check for AAAA records instead of the default of A records. Try: 
<code>nslookup -type=AAAA debserv-*.test</code> 
and 
<code>dig debserv-*.test AAAA</code> 
to see the output from AAAA records.</li>
<li>Congratulations, you have now setup a dual-stack DNS records for your Debian server. This means your server is accessible from both IPv4 and IPv6 at the same name because both the A and AAAA records we created have the same host name).</li>
</ol>

== Adding a Delegated Domain ==
'''''[https://www.youtube.com/watch?v=Qn45Vv7vuZY Video Tutorial - Adding a Delegated Domain]''''' 
The problem with the name we have been using so far is that it only works on the DNS server itself. This is because we didn't purchase the name and so no other nameservers know to send requests for it to our server. Normally if you purchase a domain or someone else gives you control of a subdomain it is ''delegated'' to your server meaning that other DNS servers will query your server for addresses related to that name. In order to practice this we are going to add another domain to the system, but this domain will be a delegated domain which is a subdomain of ''itc2480.campus.ihitc.net''. Luckily we can add this to BIND the same way we added our original domain.
<ol>
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:
<pre>Zone type: Forward (Names to Addresses)
Domain name / Network: *.itc2480.campus.ihitc.net
Records file: Automatic
Master server: *.itc2480.campus.ihitc.net.
Email address: root@ *.itc2480.campus.ihitc.net</pre>
* '''NOTE:''' the * stands for your System ID letter, the same as you used for the previous domain we created.</li>
<li> Using webmin, create an ''A'' record for ''@'' the same way as we did for the last domain.</li>
<ul> If you need help with this step, you can review the process we did earlier. Make sure to apply your changes after adding the record.</ul>
<li>Test that the record and delegation are working correctly. This time you should be able to check from your host computer too!</li>
<ul> Windows does not include the '''dig''' command so you'll need to use '''nslookup''' on ''*.itc2480.campus.ihitc.net'' (replace the * with your System ID). Does the correct address come back?</ul>
<li> Test your setup using a web browser on your local computer</li>
<ul> can you access your webserver by going to http://*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul>
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well just like we did with the test domain (this will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li>
<ul>Test that the MX record and associated A record are working correctly. This time you should be able to check from your host computer too! Windows does not include the '''dig''' command so you'll need to use '''nslookup'''. Does the correct mail server name and address come back?</ul>
<li>Create a ''CNAME'' record for the blog just like in the previous example (''blog.*.itc2480.campus.ihitc.net''' though) and create a new Apache virtual server just like in the previous example as well.</li>
<ul>Test your setup using a web browser on your local computer, can you access your blog directly by going to http://blog.*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul>
</ol>

== Manually editing a zone file ==
'''''[https://www.youtube.com/watch?v=3T7TkE9cRVE Video Tutorial - Manually Editing a Zone File]''''' 
Lastly we are going to look at the domain zone file. While Webmin provides a nice interface to add records, all it is doing is manually adding our records to our text based zone file. When you use BIND for DNS, every domain created gets its own record file which is called the zone file. In this file all subdomains and records are stored for said domain.
<ol>
<li>By default, the location for these records on Debian will be in ''/var/lib/bind'', so go to that directory and list the contents.</li>
<li>Now, with your favorite text editor, open up the file which corresponds to the ''debserv-*.test'' domain. 
It should look similar to this:
<pre>$ttl 38400
debserv-Z.test. IN SOA 2480-Z.itc2480.campus.ihitc.net. root.debserv-Z.test. (
1519434495
10800
3600
604800
38400 )
debserv-Z.test. IN NS 2480-Z.itc2480.campus.ihitc.net.
debserv-Z.test. IN A 172.17.50.36
debserv-Z.test. IN MX 10 mail.debserv-Z.test.
mail.debserv-Z.test. IN A 172.17.50.36
blog.debserv-Z.test. IN CNAME debserv-z.test.
debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756
mail.debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756</pre></li>
<ul>Notice the formatting for domain records. Each record is defined by the domain or subdomain name, ''IN'', then the record type (like A, AAAA, NS, or MX), followed by what the record is pointed to. For this example, we want to change the MX priority from 10 to 15.</ul>
<li>Using your text editor change the MX record settings priority from 10 to 15.</li>
<li>When you are done, '''restart''' the bind9 service to reload the changes. 
<code>sudo systemctl restart bind9</code>
* Note: when restarting bind, if you have any errors restarting the service this normally means you have a typo in one of your zone files. If this is the case, go through the file again in a text editor to make sure you did not add anything extra or remove anything else.</li>
<li>Use the '''dig''' tool to check the MX record and see that the new priority is active. You should see something similar to the following response:
<pre>; <<>> DiG 9.10.3-P4-Debian <<>> debserv-z.test MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40128
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debserv-z.test. IN MX

;; ANSWER SECTION:
debserv-Z.test. 38400 IN MX 15 mail.debserv-Z.test.

;; AUTHORITY SECTION:
debserv-Z.test. 38400 IN NS 2480-Z.itc2480.campus.ihitc.net.

;; ADDITIONAL SECTION:
mail.debserv-Z.test. 38400 IN A 172.17.50.36
mail.debserv-Z.test. 38400 IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Feb 23 20:15:48 CST 2018
;; MSG SIZE rcvd: 163</pre></li>
<ul>Notice how the Answer Section shows the MX record is pointed to the IP of the domain, and that the priority is set to 15.</ul>
<li>Congratulations, you have now setup a functional DNS server.</li>

Lab 8 mnjk

2021-02-12T22:03:32Z

KreidKolo: /* Install BIND & Enable Caching */

=Introduction=
In this lab you will perform the following tasks:
*Install BIND and configure as caching plus zones for a local domain
*Learn how to create domains using Webmin
*Learn how to manually edit using a zone file
You will use the following commands:
*'''[https://linux.die.net/man/1/dig dig]'''
*'''[https://linux.die.net/man/1/nslookup nslookup]'''
*'''[https://linux.die.net/man/8/shutdown shutdown]'''
*'''[https://linux.die.net/man/8/sudo sudo]'''
*'''[https://www.man7.org/linux/man-pages/man1/systemctl.1.html systemctl]'''

=Lab Procedure=
== Prerequisites ==
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account.
# Make sure that Webmin is installed on your system.
== Install BIND & Enable Caching ==
'''''[https://www.youtube.com/watch?v=frZ7FrJyjME Video Tutorial - Installing BIND and Enabling Caching]''''' 
<ol>
<li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li>
<ul>BIND (Berkeley Internet Name Domain) is one of the available DNS server applications for Linux and the most well known and used nameserver on the Internet.</ul>
<li>You will also want to install the '''dnsutils''' package.</li>
<ul>In order to use the '''nslookup''' and '''dig''' programs for DNS testing and troubleshooting you'll need dnsutils</ul>
<li>Open up ''/etc/bind/named.conf.options'' with your favorite text editor.</li>
<ul>Now we will need to enable DNS caching and forwarding on the BIND server. This will allow us to use it for DNS resolving locally, as well as speed up frequent DNS requests.</ul>
<ul>You are now in the local options file for BIND. You will need to uncomment (remove the // from the front of) the following lines:
: [[File:Bind_named_conf.png | 500px]]
* '''NOTE:''' You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul>
<ul>The reason we setup a forwarder address is so that domain requests that are not on our system are passed to another DNS server instead of being searched against the root nameservers. You may want to do this in domain or enterprise environments as most large networks have internal domain names setup that only redirect inside of a local LAN. By using a forwarder, as long as the DNS server you push requests to is able to access those internal records, you will be able to access local content from internal domain names instead of needing to rely on IP addresses.</ul>
<li>To apply these changes, you will need to restart the BIND server with administrative permissions.</li>
<code>sudo service bind9 restart</code>
<li>Next, open up your interfaces file (''/etc/network/interfaces'') with your favorite file editor.</li>
<ul>Change the dns server for the primary network interface to ''127.0.0.1''.</ul>
<ul>The change to ''/etc/network/interfaces'' will take effect if you restart your system. To avoid doing that right now you can edit the ''/etc/resolv.conf'' file so that it has only one nameserver line like ''nameserver 127.0.0.1'' Note that unless you reboot the system it will eventually get reset back to it's prior setting by a background system process so at some point you will want to reboot your system to make the change permanent.</ul>
<li>Run the command:</li>
<code>nslookup inverhills.edu</code>
<ul>If BIND is working, you should now see the following output:</ul>
: [[File:Nslookup_inverhillsedu.png | 500px]]
* Notice how it shows it is using 127.0.0.1 as the server. If you do not see this, then your interface file or resolv.conf file is not set to use the local machine for DNS lookups. Note also that the IP address returned for this domain may vary from the one shown in the output above.</li>
<li>Run:</li>
<code>dig inverhills.edu</code>
<ul>See if you can find where the IP address for the domain is reported in the output as well as where the server IP address is reported in the output.</ul>
<li>Now would be a good time to reboot your server to ensure the DNS server network interface configuration changes remain permanent.</li>
<code>sudo shutdown -r now</code>
<li>Once the system reboots log back in and use '''nslookup''' or '''dig''' to verify the default nameserver being used is ''127.0.0.1''.</li>
</ol>

== Create a Domain using Webmin ==
'''''[https://www.youtube.com/watch?v=53aK9FeYz68 Video Tutorial - Create a Domain Using Webmin]''''' 
Now we are going to use Webmin to create a few different type of domain records and have our system serve as a DNS server for a domain. We will utilize A (Host), AAAA (IPv6 host), MX (Mail Exchange), and CNAME (Canonical Name) records.
<ol>
<li>Open up your '''Webmin panel''' and sign in.</li>
<ul>Now that we have BIND installed, you will need to click the Refresh Modules option on the left sidebar to have Webmin recheck the system for installed packages and services so that it will show up as an option in the ''Servers'' tab.</ul>
<li>Under the ''Servers'' tab, open up ''BIND DNS Server'', under ''Existing DNS Zones'' click ''Create master zone''.</li>
<ul>From here we will create a new domain name for our server to respond to DNS queries for.</ul>
<li>Use the following options, '''where * is replaced by your System ID''' that was defined in [[Franske ITC-2480 Lab 5|Lab 5]] (just the letter of your system, for example the domain name would be ''debserv-A.test'' if you had System ID "A").
<pre>Zone type: Forward (Names to Addresses)
Domain name / Network: debserv-*.test
Records file: Automatic
Master server: Leave as your hostname
Email address: root@debserv-*.test</pre></li>
<li>Click the ''create'' button to add the domain.</li>
<ul> As this point you should now be on the ''Edit Master Zone'' page. From here you can add and edit domain records for this domain name.</ul>
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li>
* For the ''Name'' enter ''@''. Note: The ''@'' symbol in DNS Zones defines the parent domain (alternatively you could re-enter the parent domain ''debserv-*.test.'' with the period at the end).
* In the ''address'' field enter your VM's static IP set in [[Franske ITC-2480 Lab 5|Lab 5]] and click ''Create''.
<li> Return to the main BIND DNS Server page. Click the ''Apply Configuration'' link (which looks like two arrows chasing each other) in the top right corner. You'll see the "Apply Configuration" text if you hover your mouse over the button.</li>
<li> To test the record use '''nslookup''' or '''dig''' to lookup the domain you just created (Replace the * with your letter.)</li>
<code>nslookup debserv-*.test</code>
<code>dig debserv-*.test</code>
* If you have issues looking up the domain, make sure that the system is still using 127.0.0.1 as the DNS server. If not, check your ''/etc/resolv.conf'' file.</li>
</ol>

== Additional DNS Record Types ==
'''''[https://www.youtube.com/watch?v=dC6RsYYMk4w Video Tutorial - Additional DNS Record Types]''''' 
Now we are going to add a few more record types to our Domain. This will include an ''MX'' (Mail Exchange) and ''CNAME'' (Canonical Name) record. We will start with the MX record. MX records are used by email servers to look up where to forward email for a specific domain.
<ol>
<li>In Webmin on the '''BIND DNS Server''' page, click the domain on the bottom named ''debserv-*.test'' and then click the '''Mail Server''' button. Under ''name'', enter ''@'' again, and for ''mail server'' enter ''mail.debserv-*.test.'' (with the period at the end). For ''Priority'', enter ''10''.</li>
* This entry has said we want other servers trying to send mail to ''users@debserv-*.test'' to actually send it to the server at ''mail.debserv-*.test'' which allows us to use a different server for email than we use fore web serving, etc.
* The Priority entry allows people to define more than one MX record for a name, and the order which the sending service will try to use for contacting the various mail servers at your domain.</li>
<li>Go back to the domain zone overview page. Add an ''A'' record for ''mail.debserv-*.test'' which points to the IP of your system.</li>
<ul>Because we don't currently have an "A" (address) record for ''mail.debserv-*.test'' the mail would currently go undelivered.</ul>
* Reapply configuration settings like you did in the last section of this lab using the button with the two arrows in a circle.
<li> To test an ''MX'' record we need to make multiple queries and ask '''nslookup''' or '''dig''' to fist check for MX records for the domain like:</li>
<code>nslookup -type=MX debserv-*.test</code>
<ul>or</ul>
<code>dig debserv-*.test MX</code>
which will return the names of the mail servers for that domain. We then need to do a regular '''nslookup''' or '''dig''' on those names to determine what IP addresses those are pointed to. Of course, for mail to actually work we'd also need to insure mail server software is installed and configured on that server as well.</li>
<li>Again return to the domain zone overview page.</li>
<ul>We are now going to create a CNAME record. CNAME records are useful as they allow you to create virtual A records (aliases), but point them to another domain or host name instead of to a specific IP address. This allows you to have many hostnames all pointed to the same A record which contains the actual IP address so if the IP address changes you only need to change a single A record and all the hostnames will change. It can also be used to redirect a hostname at one domain to an entirely different domain.</ul>
<li>On the ''Edit Master Zone'' page for your domain, click the ''Name Alias'' button. For the ''Name'', enter ''blog'' and for the ''Real Name'', enter your domain ''debserv-*.test.'' but remember to put a period at the end of the domain as this is an ''absolute name''. Press ''create'' to add the record.</li>
<li>Click the ''Apply Configuration'' link at the top right of the page again. This will apply the records you have created. Now back in PuTTY, run: 
<code>nslookup blog.debserv-*.test</code>
or the equivalent '''dig''' command. 
You should get a response similar to:</li>
<pre>Server: 127.0.0.1
Address: 127.0.0.1#53

blog.debserv-*.test canonical name = debserv-*.test.
Name: debserv-*.test
Address: 172.17.50.XXX
</pre>
<ul>One thing we can use CNAMEs for is to create virtual web hosts in Apache that listens for the domain blog.debserv-*.test, and then forwards you directly to your blog folder instead of to our main web page. </ul>
<li>In '''Webmin''' under the ''Servers'' tab, select ''Apache Webserver''. Then on the top, click the ''Create virtual host'' button and use the following configuration:
<pre>Handle Connections to Address: any address
Port: 80
Document Root: /var/www/html/blog/
Server Name: blog.debserv-*.test
Add virtual server to file: new file under virtual servers directory
Copy directives from: nowhere
</pre>
When done, press ''Create Now''.
<li> When you are back at the ''Apache Webserver'' page, then click ''Apply Changes'' in the top right.</li>
<li>Now in a SSH session, open up your favorite command line web browser like '''links''' and visit ''blog.debserv-*.test.'' make special note that when you enter the URL in Links you need to include the extra period at the end.</li>
<ul> This is because the .test domain is not a regular TLD like .com .org etc. and the Links browser doesn't know how to handle it unless we force it as a domain name by adding the period at the end. This is not related to it being a CNAME or our Apache configuration and with a regular domain name would not be required. Notice how you are now visiting the blog directly, instead of your modified index.html file. This is because we setup a virtual host in Apache that listens for requests to the CNAME we created and points to the document root where the Wordpress software is installed.
* Note that you will not be able to use this URL to access the blog from your local PC yet because your local PC isn't using your Linux server as it's DNS server and the .test domain isn't registered to your DNS server.</ul>
<li>Congrats, at this point you have a basic domain working with a MX, CNAME, and A record.</li>
</ol>

== Adding a AAAA record ==
'''''[https://www.youtube.com/watch?v=sql0Wlo8F5g Video Tutorial - Adding an AAAA Record]''''' 
Now we are going to add an ''AAAA'' (IPv6 host) record to our domain. To do this, we will first need to make sure that IPv6 networking is setup in our virtual machine.
<ol>
<li> Use <code>ip address show</code> to check the ''inet6'' address (IPv6 Address) on the primary network interface.</li>
<ul> You should have an address starting with ''2607:f930:1c00:50:''. If you do not please check with your instructor. You will need to write down or remember this full address as we will use it in Webmin to create our AAAA record.</ul>
<li> Back in '''Webmin''', under the ''BIND DNS Server'' tab, select your ''debserv-*.test'' domain from the bottom and then click the ''IPv6 Address'' button. For the name, enter ''@'' and for the ''address'' enter your IPv6 address WITHOUT the subnet prefix (No /64 on the end).</li>
<ul> It should look similar to this: ''2607:f930:1c00:50:xxxx:xxxx:xxxx:xxxx''.</ul>
<li>When done click ''create''. Remember to click the ''apply configuration'' link in the top right to apply the changes.</li>
<li> In order to verify the AAAA record is working we need to modify the '''nslookup''' or '''dig''' command to check for AAAA records instead of the default of A records. Try: 
<code>nslookup -type=AAAA debserv-*.test</code> 
and 
<code>dig debserv-*.test AAAA</code> 
to see the output from AAAA records.</li>
<li>Congratulations, you have now setup a dual-stack DNS records for your Debian server. This means your server is accessible from both IPv4 and IPv6 at the same name because both the A and AAAA records we created have the same host name).</li>
</ol>

== Adding a Delegated Domain ==
'''''[https://www.youtube.com/watch?v=Qn45Vv7vuZY Video Tutorial - Adding a Delegated Domain]''''' 
The problem with the name we have been using so far is that it only works on the DNS server itself. This is because we didn't purchase the name and so no other nameservers know to send requests for it to our server. Normally if you purchase a domain or someone else gives you control of a subdomain it is ''delegated'' to your server meaning that other DNS servers will query your server for addresses related to that name. In order to practice this we are going to add another domain to the system, but this domain will be a delegated domain which is a subdomain of ''itc2480.campus.ihitc.net''. Luckily we can add this to BIND the same way we added our original domain.
<ol>
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:
<pre>Zone type: Forward (Names to Addresses)
Domain name / Network: *.itc2480.campus.ihitc.net
Records file: Automatic
Master server: *.itc2480.campus.ihitc.net.
Email address: root@ *.itc2480.campus.ihitc.net</pre>
* '''NOTE:''' the * stands for your System ID letter, the same as you used for the previous domain we created.</li>
<li> Using webmin, create an ''A'' record for ''@'' the same way as we did for the last domain.</li>
<ul> If you need help with this step, you can review the process we did earlier. Make sure to apply your changes after adding the record.</ul>
<li>Test that the record and delegation are working correctly. This time you should be able to check from your host computer too!</li>
<ul> Windows does not include the '''dig''' command so you'll need to use '''nslookup''' on ''*.itc2480.campus.ihitc.net'' (replace the * with your System ID). Does the correct address come back?</ul>
<li> Test your setup using a web browser on your local computer</li>
<ul> can you access your webserver by going to http://*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul>
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well just like we did with the test domain (this will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li>
<ul>Test that the MX record and associated A record are working correctly. This time you should be able to check from your host computer too! Windows does not include the '''dig''' command so you'll need to use '''nslookup'''. Does the correct mail server name and address come back?</ul>
<li>Create a ''CNAME'' record for the blog just like in the previous example (''blog.*.itc2480.campus.ihitc.net''' though) and create a new Apache virtual server just like in the previous example as well.</li>
<ul>Test your setup using a web browser on your local computer, can you access your blog directly by going to http://blog.*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul>
</ol>

== Manually editing a zone file ==
'''''[https://www.youtube.com/watch?v=3T7TkE9cRVE Video Tutorial - Manually Editing a Zone File]''''' 
Lastly we are going to look at the domain zone file. While Webmin provides a nice interface to add records, all it is doing is manually adding our records to our text based zone file. When you use BIND for DNS, every domain created gets its own record file which is called the zone file. In this file all subdomains and records are stored for said domain.
<ol>
<li>By default, the location for these records on Debian will be in ''/var/lib/bind'', so go to that directory and list the contents.</li>
<li>Now, with your favorite text editor, open up the file which corresponds to the ''debserv-*.test'' domain. 
It should look similar to this:
<pre>$ttl 38400
debserv-Z.test. IN SOA 2480-Z.itc2480.campus.ihitc.net. root.debserv-Z.test. (
1519434495
10800
3600
604800
38400 )
debserv-Z.test. IN NS 2480-Z.itc2480.campus.ihitc.net.
debserv-Z.test. IN A 172.17.50.36
debserv-Z.test. IN MX 10 mail.debserv-Z.test.
mail.debserv-Z.test. IN A 172.17.50.36
blog.debserv-Z.test. IN CNAME debserv-z.test.
debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756
mail.debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756</pre></li>
<ul>Notice the formatting for domain records. Each record is defined by the domain or subdomain name, ''IN'', then the record type (like A, AAAA, NS, or MX), followed by what the record is pointed to. For this example, we want to change the MX priority from 10 to 15.</ul>
<li>Using your text editor change the MX record settings priority from 10 to 15.</li>
<li>When you are done, '''restart''' the bind9 service to reload the changes. 
<code>sudo systemctl restart bind9</code>
* Note: when restarting bind, if you have any errors restarting the service this normally means you have a typo in one of your zone files. If this is the case, go through the file again in a text editor to make sure you did not add anything extra or remove anything else.</li>
<li>Use the '''dig''' tool to check the MX record and see that the new priority is active. You should see something similar to the following response:
<pre>; <<>> DiG 9.10.3-P4-Debian <<>> debserv-z.test MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40128
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debserv-z.test. IN MX

;; ANSWER SECTION:
debserv-Z.test. 38400 IN MX 15 mail.debserv-Z.test.

;; AUTHORITY SECTION:
debserv-Z.test. 38400 IN NS 2480-Z.itc2480.campus.ihitc.net.

;; ADDITIONAL SECTION:
mail.debserv-Z.test. 38400 IN A 172.17.50.36
mail.debserv-Z.test. 38400 IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Feb 23 20:15:48 CST 2018
;; MSG SIZE rcvd: 163</pre></li>
<ul>Notice how the Answer Section shows the MX record is pointed to the IP of the domain, and that the priority is set to 15.</ul>
<li>Congratulations, you have now setup a functional DNS server.</li>

Lab 8 mnjk

2021-02-12T22:03:20Z

KreidKolo: /* Install BIND & Enable Caching */

=Introduction=
In this lab you will perform the following tasks:
*Install BIND and configure as caching plus zones for a local domain
*Learn how to create domains using Webmin
*Learn how to manually edit using a zone file
You will use the following commands:
*'''[https://linux.die.net/man/1/dig dig]'''
*'''[https://linux.die.net/man/1/nslookup nslookup]'''
*'''[https://linux.die.net/man/8/shutdown shutdown]'''
*'''[https://linux.die.net/man/8/sudo sudo]'''
*'''[https://www.man7.org/linux/man-pages/man1/systemctl.1.html systemctl]'''

=Lab Procedure=
== Prerequisites ==
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account.
# Make sure that Webmin is installed on your system.
== Install BIND & Enable Caching ==
'''''[https://www.youtube.com/watch?v=frZ7FrJyjME Video Tutorial - Installing BIND and Enabling Caching]''''' 
<ol>
<li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li>
<ul>BIND (Berkeley Internet Name Domain) is one of the available DNS server applications for Linux and the most well known and used nameserver on the Internet.</ul>
<li>You will also want to install the '''dnsutils''' package.</li>
<ul>In order to use the '''nslookup''' and '''dig''' programs for DNS testing and troubleshooting you'll need dnsutils</ul>
<li>Open up ''/etc/bind/named.conf.options'' with your favorite text editor.</li>
<ul>Now we will need to enable DNS caching and forwarding on the BIND server. This will allow us to use it for DNS resolving locally, as well as speed up frequent DNS requests.</ul>
<ul>You are now in the local options file for BIND. You will need to uncomment (remove the // from the front of) the following lines:
: [[File:Bind_named_conf.png | 500px]]
* '''NOTE:''' You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul>
<ul>The reason we setup a forwarder address is so that domain requests that are not on our system are passed to another DNS server instead of being searched against the root nameservers. You may want to do this in domain or enterprise environments as most large networks have internal domain names setup that only redirect inside of a local LAN. By using a forwarder, as long as the DNS server you push requests to is able to access those internal records, you will be able to access local content from internal domain names instead of needing to rely on IP addresses.</ul>
<li>To apply these changes, you will need to restart the BIND server with administrative permissions.</li>
<code>sudo service bind9 restart</code>
<li>Next, open up your interfaces file (''/etc/network/interfaces'') with your favorite file editor.</li>
<ul>Change the dns server for the primary network interface to ''127.0.0.1''.</ul>
<ul>The change to ''/etc/network/interfaces'' will take effect if you restart your system. To avoid doing that right now you can edit the ''/etc/resolv.conf'' file so that it has only one nameserver line like ''nameserver 127.0.0.1'' Note that unless you reboot the system it will eventually get reset back to it's prior setting by a background system process so at some point you will want to reboot your system to make the change permanent.</ul>
<li>Run the command:</li>
<code>nslookup inverhills.edu</code>
<ul>If BIND is working, you should now see the following output:</ul>
: [[File:Nslookup_inverhillsedu.png | 500px]]
<pre>Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: inverhills.edu
Address: 134.29.182.42
</pre>
* Notice how it shows it is using 127.0.0.1 as the server. If you do not see this, then your interface file or resolv.conf file is not set to use the local machine for DNS lookups. Note also that the IP address returned for this domain may vary from the one shown in the output above.</li>
<li>Run:</li>
<code>dig inverhills.edu</code>
<ul>See if you can find where the IP address for the domain is reported in the output as well as where the server IP address is reported in the output.</ul>
<li>Now would be a good time to reboot your server to ensure the DNS server network interface configuration changes remain permanent.</li>
<code>sudo shutdown -r now</code>
<li>Once the system reboots log back in and use '''nslookup''' or '''dig''' to verify the default nameserver being used is ''127.0.0.1''.</li>
</ol>

== Create a Domain using Webmin ==
'''''[https://www.youtube.com/watch?v=53aK9FeYz68 Video Tutorial - Create a Domain Using Webmin]''''' 
Now we are going to use Webmin to create a few different type of domain records and have our system serve as a DNS server for a domain. We will utilize A (Host), AAAA (IPv6 host), MX (Mail Exchange), and CNAME (Canonical Name) records.
<ol>
<li>Open up your '''Webmin panel''' and sign in.</li>
<ul>Now that we have BIND installed, you will need to click the Refresh Modules option on the left sidebar to have Webmin recheck the system for installed packages and services so that it will show up as an option in the ''Servers'' tab.</ul>
<li>Under the ''Servers'' tab, open up ''BIND DNS Server'', under ''Existing DNS Zones'' click ''Create master zone''.</li>
<ul>From here we will create a new domain name for our server to respond to DNS queries for.</ul>
<li>Use the following options, '''where * is replaced by your System ID''' that was defined in [[Franske ITC-2480 Lab 5|Lab 5]] (just the letter of your system, for example the domain name would be ''debserv-A.test'' if you had System ID "A").
<pre>Zone type: Forward (Names to Addresses)
Domain name / Network: debserv-*.test
Records file: Automatic
Master server: Leave as your hostname
Email address: root@debserv-*.test</pre></li>
<li>Click the ''create'' button to add the domain.</li>
<ul> As this point you should now be on the ''Edit Master Zone'' page. From here you can add and edit domain records for this domain name.</ul>
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li>
* For the ''Name'' enter ''@''. Note: The ''@'' symbol in DNS Zones defines the parent domain (alternatively you could re-enter the parent domain ''debserv-*.test.'' with the period at the end).
* In the ''address'' field enter your VM's static IP set in [[Franske ITC-2480 Lab 5|Lab 5]] and click ''Create''.
<li> Return to the main BIND DNS Server page. Click the ''Apply Configuration'' link (which looks like two arrows chasing each other) in the top right corner. You'll see the "Apply Configuration" text if you hover your mouse over the button.</li>
<li> To test the record use '''nslookup''' or '''dig''' to lookup the domain you just created (Replace the * with your letter.)</li>
<code>nslookup debserv-*.test</code>
<code>dig debserv-*.test</code>
* If you have issues looking up the domain, make sure that the system is still using 127.0.0.1 as the DNS server. If not, check your ''/etc/resolv.conf'' file.</li>
</ol>

== Additional DNS Record Types ==
'''''[https://www.youtube.com/watch?v=dC6RsYYMk4w Video Tutorial - Additional DNS Record Types]''''' 
Now we are going to add a few more record types to our Domain. This will include an ''MX'' (Mail Exchange) and ''CNAME'' (Canonical Name) record. We will start with the MX record. MX records are used by email servers to look up where to forward email for a specific domain.
<ol>
<li>In Webmin on the '''BIND DNS Server''' page, click the domain on the bottom named ''debserv-*.test'' and then click the '''Mail Server''' button. Under ''name'', enter ''@'' again, and for ''mail server'' enter ''mail.debserv-*.test.'' (with the period at the end). For ''Priority'', enter ''10''.</li>
* This entry has said we want other servers trying to send mail to ''users@debserv-*.test'' to actually send it to the server at ''mail.debserv-*.test'' which allows us to use a different server for email than we use fore web serving, etc.
* The Priority entry allows people to define more than one MX record for a name, and the order which the sending service will try to use for contacting the various mail servers at your domain.</li>
<li>Go back to the domain zone overview page. Add an ''A'' record for ''mail.debserv-*.test'' which points to the IP of your system.</li>
<ul>Because we don't currently have an "A" (address) record for ''mail.debserv-*.test'' the mail would currently go undelivered.</ul>
* Reapply configuration settings like you did in the last section of this lab using the button with the two arrows in a circle.
<li> To test an ''MX'' record we need to make multiple queries and ask '''nslookup''' or '''dig''' to fist check for MX records for the domain like:</li>
<code>nslookup -type=MX debserv-*.test</code>
<ul>or</ul>
<code>dig debserv-*.test MX</code>
which will return the names of the mail servers for that domain. We then need to do a regular '''nslookup''' or '''dig''' on those names to determine what IP addresses those are pointed to. Of course, for mail to actually work we'd also need to insure mail server software is installed and configured on that server as well.</li>
<li>Again return to the domain zone overview page.</li>
<ul>We are now going to create a CNAME record. CNAME records are useful as they allow you to create virtual A records (aliases), but point them to another domain or host name instead of to a specific IP address. This allows you to have many hostnames all pointed to the same A record which contains the actual IP address so if the IP address changes you only need to change a single A record and all the hostnames will change. It can also be used to redirect a hostname at one domain to an entirely different domain.</ul>
<li>On the ''Edit Master Zone'' page for your domain, click the ''Name Alias'' button. For the ''Name'', enter ''blog'' and for the ''Real Name'', enter your domain ''debserv-*.test.'' but remember to put a period at the end of the domain as this is an ''absolute name''. Press ''create'' to add the record.</li>
<li>Click the ''Apply Configuration'' link at the top right of the page again. This will apply the records you have created. Now back in PuTTY, run: 
<code>nslookup blog.debserv-*.test</code>
or the equivalent '''dig''' command. 
You should get a response similar to:</li>
<pre>Server: 127.0.0.1
Address: 127.0.0.1#53

blog.debserv-*.test canonical name = debserv-*.test.
Name: debserv-*.test
Address: 172.17.50.XXX
</pre>
<ul>One thing we can use CNAMEs for is to create virtual web hosts in Apache that listens for the domain blog.debserv-*.test, and then forwards you directly to your blog folder instead of to our main web page. </ul>
<li>In '''Webmin''' under the ''Servers'' tab, select ''Apache Webserver''. Then on the top, click the ''Create virtual host'' button and use the following configuration:
<pre>Handle Connections to Address: any address
Port: 80
Document Root: /var/www/html/blog/
Server Name: blog.debserv-*.test
Add virtual server to file: new file under virtual servers directory
Copy directives from: nowhere
</pre>
When done, press ''Create Now''.
<li> When you are back at the ''Apache Webserver'' page, then click ''Apply Changes'' in the top right.</li>
<li>Now in a SSH session, open up your favorite command line web browser like '''links''' and visit ''blog.debserv-*.test.'' make special note that when you enter the URL in Links you need to include the extra period at the end.</li>
<ul> This is because the .test domain is not a regular TLD like .com .org etc. and the Links browser doesn't know how to handle it unless we force it as a domain name by adding the period at the end. This is not related to it being a CNAME or our Apache configuration and with a regular domain name would not be required. Notice how you are now visiting the blog directly, instead of your modified index.html file. This is because we setup a virtual host in Apache that listens for requests to the CNAME we created and points to the document root where the Wordpress software is installed.
* Note that you will not be able to use this URL to access the blog from your local PC yet because your local PC isn't using your Linux server as it's DNS server and the .test domain isn't registered to your DNS server.</ul>
<li>Congrats, at this point you have a basic domain working with a MX, CNAME, and A record.</li>
</ol>

== Adding a AAAA record ==
'''''[https://www.youtube.com/watch?v=sql0Wlo8F5g Video Tutorial - Adding an AAAA Record]''''' 
Now we are going to add an ''AAAA'' (IPv6 host) record to our domain. To do this, we will first need to make sure that IPv6 networking is setup in our virtual machine.
<ol>
<li> Use <code>ip address show</code> to check the ''inet6'' address (IPv6 Address) on the primary network interface.</li>
<ul> You should have an address starting with ''2607:f930:1c00:50:''. If you do not please check with your instructor. You will need to write down or remember this full address as we will use it in Webmin to create our AAAA record.</ul>
<li> Back in '''Webmin''', under the ''BIND DNS Server'' tab, select your ''debserv-*.test'' domain from the bottom and then click the ''IPv6 Address'' button. For the name, enter ''@'' and for the ''address'' enter your IPv6 address WITHOUT the subnet prefix (No /64 on the end).</li>
<ul> It should look similar to this: ''2607:f930:1c00:50:xxxx:xxxx:xxxx:xxxx''.</ul>
<li>When done click ''create''. Remember to click the ''apply configuration'' link in the top right to apply the changes.</li>
<li> In order to verify the AAAA record is working we need to modify the '''nslookup''' or '''dig''' command to check for AAAA records instead of the default of A records. Try: 
<code>nslookup -type=AAAA debserv-*.test</code> 
and 
<code>dig debserv-*.test AAAA</code> 
to see the output from AAAA records.</li>
<li>Congratulations, you have now setup a dual-stack DNS records for your Debian server. This means your server is accessible from both IPv4 and IPv6 at the same name because both the A and AAAA records we created have the same host name).</li>
</ol>

== Adding a Delegated Domain ==
'''''[https://www.youtube.com/watch?v=Qn45Vv7vuZY Video Tutorial - Adding a Delegated Domain]''''' 
The problem with the name we have been using so far is that it only works on the DNS server itself. This is because we didn't purchase the name and so no other nameservers know to send requests for it to our server. Normally if you purchase a domain or someone else gives you control of a subdomain it is ''delegated'' to your server meaning that other DNS servers will query your server for addresses related to that name. In order to practice this we are going to add another domain to the system, but this domain will be a delegated domain which is a subdomain of ''itc2480.campus.ihitc.net''. Luckily we can add this to BIND the same way we added our original domain.
<ol>
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:
<pre>Zone type: Forward (Names to Addresses)
Domain name / Network: *.itc2480.campus.ihitc.net
Records file: Automatic
Master server: *.itc2480.campus.ihitc.net.
Email address: root@ *.itc2480.campus.ihitc.net</pre>
* '''NOTE:''' the * stands for your System ID letter, the same as you used for the previous domain we created.</li>
<li> Using webmin, create an ''A'' record for ''@'' the same way as we did for the last domain.</li>
<ul> If you need help with this step, you can review the process we did earlier. Make sure to apply your changes after adding the record.</ul>
<li>Test that the record and delegation are working correctly. This time you should be able to check from your host computer too!</li>
<ul> Windows does not include the '''dig''' command so you'll need to use '''nslookup''' on ''*.itc2480.campus.ihitc.net'' (replace the * with your System ID). Does the correct address come back?</ul>
<li> Test your setup using a web browser on your local computer</li>
<ul> can you access your webserver by going to http://*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul>
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well just like we did with the test domain (this will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li>
<ul>Test that the MX record and associated A record are working correctly. This time you should be able to check from your host computer too! Windows does not include the '''dig''' command so you'll need to use '''nslookup'''. Does the correct mail server name and address come back?</ul>
<li>Create a ''CNAME'' record for the blog just like in the previous example (''blog.*.itc2480.campus.ihitc.net''' though) and create a new Apache virtual server just like in the previous example as well.</li>
<ul>Test your setup using a web browser on your local computer, can you access your blog directly by going to http://blog.*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul>
</ol>

== Manually editing a zone file ==
'''''[https://www.youtube.com/watch?v=3T7TkE9cRVE Video Tutorial - Manually Editing a Zone File]''''' 
Lastly we are going to look at the domain zone file. While Webmin provides a nice interface to add records, all it is doing is manually adding our records to our text based zone file. When you use BIND for DNS, every domain created gets its own record file which is called the zone file. In this file all subdomains and records are stored for said domain.
<ol>
<li>By default, the location for these records on Debian will be in ''/var/lib/bind'', so go to that directory and list the contents.</li>
<li>Now, with your favorite text editor, open up the file which corresponds to the ''debserv-*.test'' domain. 
It should look similar to this:
<pre>$ttl 38400
debserv-Z.test. IN SOA 2480-Z.itc2480.campus.ihitc.net. root.debserv-Z.test. (
1519434495
10800
3600
604800
38400 )
debserv-Z.test. IN NS 2480-Z.itc2480.campus.ihitc.net.
debserv-Z.test. IN A 172.17.50.36
debserv-Z.test. IN MX 10 mail.debserv-Z.test.
mail.debserv-Z.test. IN A 172.17.50.36
blog.debserv-Z.test. IN CNAME debserv-z.test.
debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756
mail.debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756</pre></li>
<ul>Notice the formatting for domain records. Each record is defined by the domain or subdomain name, ''IN'', then the record type (like A, AAAA, NS, or MX), followed by what the record is pointed to. For this example, we want to change the MX priority from 10 to 15.</ul>
<li>Using your text editor change the MX record settings priority from 10 to 15.</li>
<li>When you are done, '''restart''' the bind9 service to reload the changes. 
<code>sudo systemctl restart bind9</code>
* Note: when restarting bind, if you have any errors restarting the service this normally means you have a typo in one of your zone files. If this is the case, go through the file again in a text editor to make sure you did not add anything extra or remove anything else.</li>
<li>Use the '''dig''' tool to check the MX record and see that the new priority is active. You should see something similar to the following response:
<pre>; <<>> DiG 9.10.3-P4-Debian <<>> debserv-z.test MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40128
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debserv-z.test. IN MX

;; ANSWER SECTION:
debserv-Z.test. 38400 IN MX 15 mail.debserv-Z.test.

;; AUTHORITY SECTION:
debserv-Z.test. 38400 IN NS 2480-Z.itc2480.campus.ihitc.net.

;; ADDITIONAL SECTION:
mail.debserv-Z.test. 38400 IN A 172.17.50.36
mail.debserv-Z.test. 38400 IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Feb 23 20:15:48 CST 2018
;; MSG SIZE rcvd: 163</pre></li>
<ul>Notice how the Answer Section shows the MX record is pointed to the IP of the domain, and that the priority is set to 15.</ul>
<li>Congratulations, you have now setup a functional DNS server.</li>

Lab 8 mnjk

2021-02-12T22:02:57Z

KreidKolo: /* Install BIND & Enable Caching */

=Introduction=
In this lab you will perform the following tasks:
*Install BIND and configure as caching plus zones for a local domain
*Learn how to create domains using Webmin
*Learn how to manually edit using a zone file
You will use the following commands:
*'''[https://linux.die.net/man/1/dig dig]'''
*'''[https://linux.die.net/man/1/nslookup nslookup]'''
*'''[https://linux.die.net/man/8/shutdown shutdown]'''
*'''[https://linux.die.net/man/8/sudo sudo]'''
*'''[https://www.man7.org/linux/man-pages/man1/systemctl.1.html systemctl]'''

=Lab Procedure=
== Prerequisites ==
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account.
# Make sure that Webmin is installed on your system.
== Install BIND & Enable Caching ==
'''''[https://www.youtube.com/watch?v=frZ7FrJyjME Video Tutorial - Installing BIND and Enabling Caching]''''' 
<ol>
<li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li>
<ul>BIND (Berkeley Internet Name Domain) is one of the available DNS server applications for Linux and the most well known and used nameserver on the Internet.</ul>
<li>You will also want to install the '''dnsutils''' package.</li>
<ul>In order to use the '''nslookup''' and '''dig''' programs for DNS testing and troubleshooting you'll need dnsutils</ul>
<li>Open up ''/etc/bind/named.conf.options'' with your favorite text editor.</li>
<ul>Now we will need to enable DNS caching and forwarding on the BIND server. This will allow us to use it for DNS resolving locally, as well as speed up frequent DNS requests.</ul>
<ul>You are now in the local options file for BIND. You will need to uncomment (remove the // from the front of) the following lines:
: [[File:Bind_named_conf.png | 500px]]
* '''NOTE:''' You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul>
<ul>The reason we setup a forwarder address is so that domain requests that are not on our system are passed to another DNS server instead of being searched against the root nameservers. You may want to do this in domain or enterprise environments as most large networks have internal domain names setup that only redirect inside of a local LAN. By using a forwarder, as long as the DNS server you push requests to is able to access those internal records, you will be able to access local content from internal domain names instead of needing to rely on IP addresses.</ul>
<li>To apply these changes, you will need to restart the BIND server with administrative permissions.</li>
<code>sudo service bind9 restart</code>
<li>Next, open up your interfaces file (''/etc/network/interfaces'') with your favorite file editor.</li>
<ul>Change the dns server for the primary network interface to ''127.0.0.1''.</ul>
<ul>The change to ''/etc/network/interfaces'' will take effect if you restart your system. To avoid doing that right now you can edit the ''/etc/resolv.conf'' file so that it has only one nameserver line like ''nameserver 127.0.0.1'' Note that unless you reboot the system it will eventually get reset back to it's prior setting by a background system process so at some point you will want to reboot your system to make the change permanent.</ul>
<li>Run the command:</li>
<code>nslookup inverhills.edu</code>
<ul>If BIND is working, you should now see the following output:</ul>
: [[Nslookup_inverhillsedu.png | 500px]]
<pre>Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: inverhills.edu
Address: 134.29.182.42
</pre>
* Notice how it shows it is using 127.0.0.1 as the server. If you do not see this, then your interface file or resolv.conf file is not set to use the local machine for DNS lookups. Note also that the IP address returned for this domain may vary from the one shown in the output above.</li>
<li>Run:</li>
<code>dig inverhills.edu</code>
<ul>See if you can find where the IP address for the domain is reported in the output as well as where the server IP address is reported in the output.</ul>
<li>Now would be a good time to reboot your server to ensure the DNS server network interface configuration changes remain permanent.</li>
<code>sudo shutdown -r now</code>
<li>Once the system reboots log back in and use '''nslookup''' or '''dig''' to verify the default nameserver being used is ''127.0.0.1''.</li>
</ol>

== Create a Domain using Webmin ==
'''''[https://www.youtube.com/watch?v=53aK9FeYz68 Video Tutorial - Create a Domain Using Webmin]''''' 
Now we are going to use Webmin to create a few different type of domain records and have our system serve as a DNS server for a domain. We will utilize A (Host), AAAA (IPv6 host), MX (Mail Exchange), and CNAME (Canonical Name) records.
<ol>
<li>Open up your '''Webmin panel''' and sign in.</li>
<ul>Now that we have BIND installed, you will need to click the Refresh Modules option on the left sidebar to have Webmin recheck the system for installed packages and services so that it will show up as an option in the ''Servers'' tab.</ul>
<li>Under the ''Servers'' tab, open up ''BIND DNS Server'', under ''Existing DNS Zones'' click ''Create master zone''.</li>
<ul>From here we will create a new domain name for our server to respond to DNS queries for.</ul>
<li>Use the following options, '''where * is replaced by your System ID''' that was defined in [[Franske ITC-2480 Lab 5|Lab 5]] (just the letter of your system, for example the domain name would be ''debserv-A.test'' if you had System ID "A").
<pre>Zone type: Forward (Names to Addresses)
Domain name / Network: debserv-*.test
Records file: Automatic
Master server: Leave as your hostname
Email address: root@debserv-*.test</pre></li>
<li>Click the ''create'' button to add the domain.</li>
<ul> As this point you should now be on the ''Edit Master Zone'' page. From here you can add and edit domain records for this domain name.</ul>
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li>
* For the ''Name'' enter ''@''. Note: The ''@'' symbol in DNS Zones defines the parent domain (alternatively you could re-enter the parent domain ''debserv-*.test.'' with the period at the end).
* In the ''address'' field enter your VM's static IP set in [[Franske ITC-2480 Lab 5|Lab 5]] and click ''Create''.
<li> Return to the main BIND DNS Server page. Click the ''Apply Configuration'' link (which looks like two arrows chasing each other) in the top right corner. You'll see the "Apply Configuration" text if you hover your mouse over the button.</li>
<li> To test the record use '''nslookup''' or '''dig''' to lookup the domain you just created (Replace the * with your letter.)</li>
<code>nslookup debserv-*.test</code>
<code>dig debserv-*.test</code>
* If you have issues looking up the domain, make sure that the system is still using 127.0.0.1 as the DNS server. If not, check your ''/etc/resolv.conf'' file.</li>
</ol>

== Additional DNS Record Types ==
'''''[https://www.youtube.com/watch?v=dC6RsYYMk4w Video Tutorial - Additional DNS Record Types]''''' 
Now we are going to add a few more record types to our Domain. This will include an ''MX'' (Mail Exchange) and ''CNAME'' (Canonical Name) record. We will start with the MX record. MX records are used by email servers to look up where to forward email for a specific domain.
<ol>
<li>In Webmin on the '''BIND DNS Server''' page, click the domain on the bottom named ''debserv-*.test'' and then click the '''Mail Server''' button. Under ''name'', enter ''@'' again, and for ''mail server'' enter ''mail.debserv-*.test.'' (with the period at the end). For ''Priority'', enter ''10''.</li>
* This entry has said we want other servers trying to send mail to ''users@debserv-*.test'' to actually send it to the server at ''mail.debserv-*.test'' which allows us to use a different server for email than we use fore web serving, etc.
* The Priority entry allows people to define more than one MX record for a name, and the order which the sending service will try to use for contacting the various mail servers at your domain.</li>
<li>Go back to the domain zone overview page. Add an ''A'' record for ''mail.debserv-*.test'' which points to the IP of your system.</li>
<ul>Because we don't currently have an "A" (address) record for ''mail.debserv-*.test'' the mail would currently go undelivered.</ul>
* Reapply configuration settings like you did in the last section of this lab using the button with the two arrows in a circle.
<li> To test an ''MX'' record we need to make multiple queries and ask '''nslookup''' or '''dig''' to fist check for MX records for the domain like:</li>
<code>nslookup -type=MX debserv-*.test</code>
<ul>or</ul>
<code>dig debserv-*.test MX</code>
which will return the names of the mail servers for that domain. We then need to do a regular '''nslookup''' or '''dig''' on those names to determine what IP addresses those are pointed to. Of course, for mail to actually work we'd also need to insure mail server software is installed and configured on that server as well.</li>
<li>Again return to the domain zone overview page.</li>
<ul>We are now going to create a CNAME record. CNAME records are useful as they allow you to create virtual A records (aliases), but point them to another domain or host name instead of to a specific IP address. This allows you to have many hostnames all pointed to the same A record which contains the actual IP address so if the IP address changes you only need to change a single A record and all the hostnames will change. It can also be used to redirect a hostname at one domain to an entirely different domain.</ul>
<li>On the ''Edit Master Zone'' page for your domain, click the ''Name Alias'' button. For the ''Name'', enter ''blog'' and for the ''Real Name'', enter your domain ''debserv-*.test.'' but remember to put a period at the end of the domain as this is an ''absolute name''. Press ''create'' to add the record.</li>
<li>Click the ''Apply Configuration'' link at the top right of the page again. This will apply the records you have created. Now back in PuTTY, run: 
<code>nslookup blog.debserv-*.test</code>
or the equivalent '''dig''' command. 
You should get a response similar to:</li>
<pre>Server: 127.0.0.1
Address: 127.0.0.1#53

blog.debserv-*.test canonical name = debserv-*.test.
Name: debserv-*.test
Address: 172.17.50.XXX
</pre>
<ul>One thing we can use CNAMEs for is to create virtual web hosts in Apache that listens for the domain blog.debserv-*.test, and then forwards you directly to your blog folder instead of to our main web page. </ul>
<li>In '''Webmin''' under the ''Servers'' tab, select ''Apache Webserver''. Then on the top, click the ''Create virtual host'' button and use the following configuration:
<pre>Handle Connections to Address: any address
Port: 80
Document Root: /var/www/html/blog/
Server Name: blog.debserv-*.test
Add virtual server to file: new file under virtual servers directory
Copy directives from: nowhere
</pre>
When done, press ''Create Now''.
<li> When you are back at the ''Apache Webserver'' page, then click ''Apply Changes'' in the top right.</li>
<li>Now in a SSH session, open up your favorite command line web browser like '''links''' and visit ''blog.debserv-*.test.'' make special note that when you enter the URL in Links you need to include the extra period at the end.</li>
<ul> This is because the .test domain is not a regular TLD like .com .org etc. and the Links browser doesn't know how to handle it unless we force it as a domain name by adding the period at the end. This is not related to it being a CNAME or our Apache configuration and with a regular domain name would not be required. Notice how you are now visiting the blog directly, instead of your modified index.html file. This is because we setup a virtual host in Apache that listens for requests to the CNAME we created and points to the document root where the Wordpress software is installed.
* Note that you will not be able to use this URL to access the blog from your local PC yet because your local PC isn't using your Linux server as it's DNS server and the .test domain isn't registered to your DNS server.</ul>
<li>Congrats, at this point you have a basic domain working with a MX, CNAME, and A record.</li>
</ol>

== Adding a AAAA record ==
'''''[https://www.youtube.com/watch?v=sql0Wlo8F5g Video Tutorial - Adding an AAAA Record]''''' 
Now we are going to add an ''AAAA'' (IPv6 host) record to our domain. To do this, we will first need to make sure that IPv6 networking is setup in our virtual machine.
<ol>
<li> Use <code>ip address show</code> to check the ''inet6'' address (IPv6 Address) on the primary network interface.</li>
<ul> You should have an address starting with ''2607:f930:1c00:50:''. If you do not please check with your instructor. You will need to write down or remember this full address as we will use it in Webmin to create our AAAA record.</ul>
<li> Back in '''Webmin''', under the ''BIND DNS Server'' tab, select your ''debserv-*.test'' domain from the bottom and then click the ''IPv6 Address'' button. For the name, enter ''@'' and for the ''address'' enter your IPv6 address WITHOUT the subnet prefix (No /64 on the end).</li>
<ul> It should look similar to this: ''2607:f930:1c00:50:xxxx:xxxx:xxxx:xxxx''.</ul>
<li>When done click ''create''. Remember to click the ''apply configuration'' link in the top right to apply the changes.</li>
<li> In order to verify the AAAA record is working we need to modify the '''nslookup''' or '''dig''' command to check for AAAA records instead of the default of A records. Try: 
<code>nslookup -type=AAAA debserv-*.test</code> 
and 
<code>dig debserv-*.test AAAA</code> 
to see the output from AAAA records.</li>
<li>Congratulations, you have now setup a dual-stack DNS records for your Debian server. This means your server is accessible from both IPv4 and IPv6 at the same name because both the A and AAAA records we created have the same host name).</li>
</ol>

== Adding a Delegated Domain ==
'''''[https://www.youtube.com/watch?v=Qn45Vv7vuZY Video Tutorial - Adding a Delegated Domain]''''' 
The problem with the name we have been using so far is that it only works on the DNS server itself. This is because we didn't purchase the name and so no other nameservers know to send requests for it to our server. Normally if you purchase a domain or someone else gives you control of a subdomain it is ''delegated'' to your server meaning that other DNS servers will query your server for addresses related to that name. In order to practice this we are going to add another domain to the system, but this domain will be a delegated domain which is a subdomain of ''itc2480.campus.ihitc.net''. Luckily we can add this to BIND the same way we added our original domain.
<ol>
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:
<pre>Zone type: Forward (Names to Addresses)
Domain name / Network: *.itc2480.campus.ihitc.net
Records file: Automatic
Master server: *.itc2480.campus.ihitc.net.
Email address: root@ *.itc2480.campus.ihitc.net</pre>
* '''NOTE:''' the * stands for your System ID letter, the same as you used for the previous domain we created.</li>
<li> Using webmin, create an ''A'' record for ''@'' the same way as we did for the last domain.</li>
<ul> If you need help with this step, you can review the process we did earlier. Make sure to apply your changes after adding the record.</ul>
<li>Test that the record and delegation are working correctly. This time you should be able to check from your host computer too!</li>
<ul> Windows does not include the '''dig''' command so you'll need to use '''nslookup''' on ''*.itc2480.campus.ihitc.net'' (replace the * with your System ID). Does the correct address come back?</ul>
<li> Test your setup using a web browser on your local computer</li>
<ul> can you access your webserver by going to http://*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul>
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well just like we did with the test domain (this will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li>
<ul>Test that the MX record and associated A record are working correctly. This time you should be able to check from your host computer too! Windows does not include the '''dig''' command so you'll need to use '''nslookup'''. Does the correct mail server name and address come back?</ul>
<li>Create a ''CNAME'' record for the blog just like in the previous example (''blog.*.itc2480.campus.ihitc.net''' though) and create a new Apache virtual server just like in the previous example as well.</li>
<ul>Test your setup using a web browser on your local computer, can you access your blog directly by going to http://blog.*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul>
</ol>

== Manually editing a zone file ==
'''''[https://www.youtube.com/watch?v=3T7TkE9cRVE Video Tutorial - Manually Editing a Zone File]''''' 
Lastly we are going to look at the domain zone file. While Webmin provides a nice interface to add records, all it is doing is manually adding our records to our text based zone file. When you use BIND for DNS, every domain created gets its own record file which is called the zone file. In this file all subdomains and records are stored for said domain.
<ol>
<li>By default, the location for these records on Debian will be in ''/var/lib/bind'', so go to that directory and list the contents.</li>
<li>Now, with your favorite text editor, open up the file which corresponds to the ''debserv-*.test'' domain. 
It should look similar to this:
<pre>$ttl 38400
debserv-Z.test. IN SOA 2480-Z.itc2480.campus.ihitc.net. root.debserv-Z.test. (
1519434495
10800
3600
604800
38400 )
debserv-Z.test. IN NS 2480-Z.itc2480.campus.ihitc.net.
debserv-Z.test. IN A 172.17.50.36
debserv-Z.test. IN MX 10 mail.debserv-Z.test.
mail.debserv-Z.test. IN A 172.17.50.36
blog.debserv-Z.test. IN CNAME debserv-z.test.
debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756
mail.debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756</pre></li>
<ul>Notice the formatting for domain records. Each record is defined by the domain or subdomain name, ''IN'', then the record type (like A, AAAA, NS, or MX), followed by what the record is pointed to. For this example, we want to change the MX priority from 10 to 15.</ul>
<li>Using your text editor change the MX record settings priority from 10 to 15.</li>
<li>When you are done, '''restart''' the bind9 service to reload the changes. 
<code>sudo systemctl restart bind9</code>
* Note: when restarting bind, if you have any errors restarting the service this normally means you have a typo in one of your zone files. If this is the case, go through the file again in a text editor to make sure you did not add anything extra or remove anything else.</li>
<li>Use the '''dig''' tool to check the MX record and see that the new priority is active. You should see something similar to the following response:
<pre>; <<>> DiG 9.10.3-P4-Debian <<>> debserv-z.test MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40128
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debserv-z.test. IN MX

;; ANSWER SECTION:
debserv-Z.test. 38400 IN MX 15 mail.debserv-Z.test.

;; AUTHORITY SECTION:
debserv-Z.test. 38400 IN NS 2480-Z.itc2480.campus.ihitc.net.

;; ADDITIONAL SECTION:
mail.debserv-Z.test. 38400 IN A 172.17.50.36
mail.debserv-Z.test. 38400 IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Feb 23 20:15:48 CST 2018
;; MSG SIZE rcvd: 163</pre></li>
<ul>Notice how the Answer Section shows the MX record is pointed to the IP of the domain, and that the priority is set to 15.</ul>
<li>Congratulations, you have now setup a functional DNS server.</li>

File:Nslookup inverhillsedu.png

2021-02-12T22:02:31Z

KreidKolo:

Lab 8 mnjk

2021-02-12T22:00:55Z

KreidKolo: /* Install BIND & Enable Caching */

=Introduction=
In this lab you will perform the following tasks:
*Install BIND and configure as caching plus zones for a local domain
*Learn how to create domains using Webmin
*Learn how to manually edit using a zone file
You will use the following commands:
*'''[https://linux.die.net/man/1/dig dig]'''
*'''[https://linux.die.net/man/1/nslookup nslookup]'''
*'''[https://linux.die.net/man/8/shutdown shutdown]'''
*'''[https://linux.die.net/man/8/sudo sudo]'''
*'''[https://www.man7.org/linux/man-pages/man1/systemctl.1.html systemctl]'''

=Lab Procedure=
== Prerequisites ==
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account.
# Make sure that Webmin is installed on your system.
== Install BIND & Enable Caching ==
'''''[https://www.youtube.com/watch?v=frZ7FrJyjME Video Tutorial - Installing BIND and Enabling Caching]''''' 
<ol>
<li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li>
<ul>BIND (Berkeley Internet Name Domain) is one of the available DNS server applications for Linux and the most well known and used nameserver on the Internet.</ul>
<li>You will also want to install the '''dnsutils''' package.</li>
<ul>In order to use the '''nslookup''' and '''dig''' programs for DNS testing and troubleshooting you'll need dnsutils</ul>
<li>Open up ''/etc/bind/named.conf.options'' with your favorite text editor.</li>
<ul>Now we will need to enable DNS caching and forwarding on the BIND server. This will allow us to use it for DNS resolving locally, as well as speed up frequent DNS requests.</ul>
<ul>You are now in the local options file for BIND. You will need to uncomment (remove the // from the front of) the following lines:
: [[File:Bind_named_conf.png | 500px]]
* '''NOTE:''' You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul>
<ul>The reason we setup a forwarder address is so that domain requests that are not on our system are passed to another DNS server instead of being searched against the root nameservers. You may want to do this in domain or enterprise environments as most large networks have internal domain names setup that only redirect inside of a local LAN. By using a forwarder, as long as the DNS server you push requests to is able to access those internal records, you will be able to access local content from internal domain names instead of needing to rely on IP addresses.</ul>
<li>To apply these changes, you will need to restart the BIND server with administrative permissions.</li>
<code>sudo service bind9 restart</code>
<li>Next, open up your interfaces file (''/etc/network/interfaces'') with your favorite file editor.</li>
<ul>Change the dns server for the primary network interface to ''127.0.0.1''.</ul>
<ul>The change to ''/etc/network/interfaces'' will take effect if you restart your system. To avoid doing that right now you can edit the ''/etc/resolv.conf'' file so that it has only one nameserver line like ''nameserver 127.0.0.1'' Note that unless you reboot the system it will eventually get reset back to it's prior setting by a background system process so at some point you will want to reboot your system to make the change permanent.</ul>
<li>Run the command:</li>
<code>nslookup inverhills.edu</code>
<ul>If BIND is working, you should now see the following output:</ul>
<pre>Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: inverhills.edu
Address: 134.29.182.42
</pre>
* Notice how it shows it is using 127.0.0.1 as the server. If you do not see this, then your interface file or resolv.conf file is not set to use the local machine for DNS lookups. Note also that the IP address returned for this domain may vary from the one shown in the output above.</li>
<li>Run:</li>
<code>dig inverhills.edu</code>
<ul>See if you can find where the IP address for the domain is reported in the output as well as where the server IP address is reported in the output.</ul>
<li>Now would be a good time to reboot your server to ensure the DNS server network interface configuration changes remain permanent.</li>
<code>sudo shutdown -r now</code>
<li>Once the system reboots log back in and use '''nslookup''' or '''dig''' to verify the default nameserver being used is ''127.0.0.1''.</li>
</ol>

== Create a Domain using Webmin ==
'''''[https://www.youtube.com/watch?v=53aK9FeYz68 Video Tutorial - Create a Domain Using Webmin]''''' 
Now we are going to use Webmin to create a few different type of domain records and have our system serve as a DNS server for a domain. We will utilize A (Host), AAAA (IPv6 host), MX (Mail Exchange), and CNAME (Canonical Name) records.
<ol>
<li>Open up your '''Webmin panel''' and sign in.</li>
<ul>Now that we have BIND installed, you will need to click the Refresh Modules option on the left sidebar to have Webmin recheck the system for installed packages and services so that it will show up as an option in the ''Servers'' tab.</ul>
<li>Under the ''Servers'' tab, open up ''BIND DNS Server'', under ''Existing DNS Zones'' click ''Create master zone''.</li>
<ul>From here we will create a new domain name for our server to respond to DNS queries for.</ul>
<li>Use the following options, '''where * is replaced by your System ID''' that was defined in [[Franske ITC-2480 Lab 5|Lab 5]] (just the letter of your system, for example the domain name would be ''debserv-A.test'' if you had System ID "A").
<pre>Zone type: Forward (Names to Addresses)
Domain name / Network: debserv-*.test
Records file: Automatic
Master server: Leave as your hostname
Email address: root@debserv-*.test</pre></li>
<li>Click the ''create'' button to add the domain.</li>
<ul> As this point you should now be on the ''Edit Master Zone'' page. From here you can add and edit domain records for this domain name.</ul>
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li>
* For the ''Name'' enter ''@''. Note: The ''@'' symbol in DNS Zones defines the parent domain (alternatively you could re-enter the parent domain ''debserv-*.test.'' with the period at the end).
* In the ''address'' field enter your VM's static IP set in [[Franske ITC-2480 Lab 5|Lab 5]] and click ''Create''.
<li> Return to the main BIND DNS Server page. Click the ''Apply Configuration'' link (which looks like two arrows chasing each other) in the top right corner. You'll see the "Apply Configuration" text if you hover your mouse over the button.</li>
<li> To test the record use '''nslookup''' or '''dig''' to lookup the domain you just created (Replace the * with your letter.)</li>
<code>nslookup debserv-*.test</code>
<code>dig debserv-*.test</code>
* If you have issues looking up the domain, make sure that the system is still using 127.0.0.1 as the DNS server. If not, check your ''/etc/resolv.conf'' file.</li>
</ol>

== Additional DNS Record Types ==
'''''[https://www.youtube.com/watch?v=dC6RsYYMk4w Video Tutorial - Additional DNS Record Types]''''' 
Now we are going to add a few more record types to our Domain. This will include an ''MX'' (Mail Exchange) and ''CNAME'' (Canonical Name) record. We will start with the MX record. MX records are used by email servers to look up where to forward email for a specific domain.
<ol>
<li>In Webmin on the '''BIND DNS Server''' page, click the domain on the bottom named ''debserv-*.test'' and then click the '''Mail Server''' button. Under ''name'', enter ''@'' again, and for ''mail server'' enter ''mail.debserv-*.test.'' (with the period at the end). For ''Priority'', enter ''10''.</li>
* This entry has said we want other servers trying to send mail to ''users@debserv-*.test'' to actually send it to the server at ''mail.debserv-*.test'' which allows us to use a different server for email than we use fore web serving, etc.
* The Priority entry allows people to define more than one MX record for a name, and the order which the sending service will try to use for contacting the various mail servers at your domain.</li>
<li>Go back to the domain zone overview page. Add an ''A'' record for ''mail.debserv-*.test'' which points to the IP of your system.</li>
<ul>Because we don't currently have an "A" (address) record for ''mail.debserv-*.test'' the mail would currently go undelivered.</ul>
* Reapply configuration settings like you did in the last section of this lab using the button with the two arrows in a circle.
<li> To test an ''MX'' record we need to make multiple queries and ask '''nslookup''' or '''dig''' to fist check for MX records for the domain like:</li>
<code>nslookup -type=MX debserv-*.test</code>
<ul>or</ul>
<code>dig debserv-*.test MX</code>
which will return the names of the mail servers for that domain. We then need to do a regular '''nslookup''' or '''dig''' on those names to determine what IP addresses those are pointed to. Of course, for mail to actually work we'd also need to insure mail server software is installed and configured on that server as well.</li>
<li>Again return to the domain zone overview page.</li>
<ul>We are now going to create a CNAME record. CNAME records are useful as they allow you to create virtual A records (aliases), but point them to another domain or host name instead of to a specific IP address. This allows you to have many hostnames all pointed to the same A record which contains the actual IP address so if the IP address changes you only need to change a single A record and all the hostnames will change. It can also be used to redirect a hostname at one domain to an entirely different domain.</ul>
<li>On the ''Edit Master Zone'' page for your domain, click the ''Name Alias'' button. For the ''Name'', enter ''blog'' and for the ''Real Name'', enter your domain ''debserv-*.test.'' but remember to put a period at the end of the domain as this is an ''absolute name''. Press ''create'' to add the record.</li>
<li>Click the ''Apply Configuration'' link at the top right of the page again. This will apply the records you have created. Now back in PuTTY, run: 
<code>nslookup blog.debserv-*.test</code>
or the equivalent '''dig''' command. 
You should get a response similar to:</li>
<pre>Server: 127.0.0.1
Address: 127.0.0.1#53

blog.debserv-*.test canonical name = debserv-*.test.
Name: debserv-*.test
Address: 172.17.50.XXX
</pre>
<ul>One thing we can use CNAMEs for is to create virtual web hosts in Apache that listens for the domain blog.debserv-*.test, and then forwards you directly to your blog folder instead of to our main web page. </ul>
<li>In '''Webmin''' under the ''Servers'' tab, select ''Apache Webserver''. Then on the top, click the ''Create virtual host'' button and use the following configuration:
<pre>Handle Connections to Address: any address
Port: 80
Document Root: /var/www/html/blog/
Server Name: blog.debserv-*.test
Add virtual server to file: new file under virtual servers directory
Copy directives from: nowhere
</pre>
When done, press ''Create Now''.
<li> When you are back at the ''Apache Webserver'' page, then click ''Apply Changes'' in the top right.</li>
<li>Now in a SSH session, open up your favorite command line web browser like '''links''' and visit ''blog.debserv-*.test.'' make special note that when you enter the URL in Links you need to include the extra period at the end.</li>
<ul> This is because the .test domain is not a regular TLD like .com .org etc. and the Links browser doesn't know how to handle it unless we force it as a domain name by adding the period at the end. This is not related to it being a CNAME or our Apache configuration and with a regular domain name would not be required. Notice how you are now visiting the blog directly, instead of your modified index.html file. This is because we setup a virtual host in Apache that listens for requests to the CNAME we created and points to the document root where the Wordpress software is installed.
* Note that you will not be able to use this URL to access the blog from your local PC yet because your local PC isn't using your Linux server as it's DNS server and the .test domain isn't registered to your DNS server.</ul>
<li>Congrats, at this point you have a basic domain working with a MX, CNAME, and A record.</li>
</ol>

== Adding a AAAA record ==
'''''[https://www.youtube.com/watch?v=sql0Wlo8F5g Video Tutorial - Adding an AAAA Record]''''' 
Now we are going to add an ''AAAA'' (IPv6 host) record to our domain. To do this, we will first need to make sure that IPv6 networking is setup in our virtual machine.
<ol>
<li> Use <code>ip address show</code> to check the ''inet6'' address (IPv6 Address) on the primary network interface.</li>
<ul> You should have an address starting with ''2607:f930:1c00:50:''. If you do not please check with your instructor. You will need to write down or remember this full address as we will use it in Webmin to create our AAAA record.</ul>
<li> Back in '''Webmin''', under the ''BIND DNS Server'' tab, select your ''debserv-*.test'' domain from the bottom and then click the ''IPv6 Address'' button. For the name, enter ''@'' and for the ''address'' enter your IPv6 address WITHOUT the subnet prefix (No /64 on the end).</li>
<ul> It should look similar to this: ''2607:f930:1c00:50:xxxx:xxxx:xxxx:xxxx''.</ul>
<li>When done click ''create''. Remember to click the ''apply configuration'' link in the top right to apply the changes.</li>
<li> In order to verify the AAAA record is working we need to modify the '''nslookup''' or '''dig''' command to check for AAAA records instead of the default of A records. Try: 
<code>nslookup -type=AAAA debserv-*.test</code> 
and 
<code>dig debserv-*.test AAAA</code> 
to see the output from AAAA records.</li>
<li>Congratulations, you have now setup a dual-stack DNS records for your Debian server. This means your server is accessible from both IPv4 and IPv6 at the same name because both the A and AAAA records we created have the same host name).</li>
</ol>

== Adding a Delegated Domain ==
'''''[https://www.youtube.com/watch?v=Qn45Vv7vuZY Video Tutorial - Adding a Delegated Domain]''''' 
The problem with the name we have been using so far is that it only works on the DNS server itself. This is because we didn't purchase the name and so no other nameservers know to send requests for it to our server. Normally if you purchase a domain or someone else gives you control of a subdomain it is ''delegated'' to your server meaning that other DNS servers will query your server for addresses related to that name. In order to practice this we are going to add another domain to the system, but this domain will be a delegated domain which is a subdomain of ''itc2480.campus.ihitc.net''. Luckily we can add this to BIND the same way we added our original domain.
<ol>
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:
<pre>Zone type: Forward (Names to Addresses)
Domain name / Network: *.itc2480.campus.ihitc.net
Records file: Automatic
Master server: *.itc2480.campus.ihitc.net.
Email address: root@ *.itc2480.campus.ihitc.net</pre>
* '''NOTE:''' the * stands for your System ID letter, the same as you used for the previous domain we created.</li>
<li> Using webmin, create an ''A'' record for ''@'' the same way as we did for the last domain.</li>
<ul> If you need help with this step, you can review the process we did earlier. Make sure to apply your changes after adding the record.</ul>
<li>Test that the record and delegation are working correctly. This time you should be able to check from your host computer too!</li>
<ul> Windows does not include the '''dig''' command so you'll need to use '''nslookup''' on ''*.itc2480.campus.ihitc.net'' (replace the * with your System ID). Does the correct address come back?</ul>
<li> Test your setup using a web browser on your local computer</li>
<ul> can you access your webserver by going to http://*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul>
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well just like we did with the test domain (this will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li>
<ul>Test that the MX record and associated A record are working correctly. This time you should be able to check from your host computer too! Windows does not include the '''dig''' command so you'll need to use '''nslookup'''. Does the correct mail server name and address come back?</ul>
<li>Create a ''CNAME'' record for the blog just like in the previous example (''blog.*.itc2480.campus.ihitc.net''' though) and create a new Apache virtual server just like in the previous example as well.</li>
<ul>Test your setup using a web browser on your local computer, can you access your blog directly by going to http://blog.*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul>
</ol>

== Manually editing a zone file ==
'''''[https://www.youtube.com/watch?v=3T7TkE9cRVE Video Tutorial - Manually Editing a Zone File]''''' 
Lastly we are going to look at the domain zone file. While Webmin provides a nice interface to add records, all it is doing is manually adding our records to our text based zone file. When you use BIND for DNS, every domain created gets its own record file which is called the zone file. In this file all subdomains and records are stored for said domain.
<ol>
<li>By default, the location for these records on Debian will be in ''/var/lib/bind'', so go to that directory and list the contents.</li>
<li>Now, with your favorite text editor, open up the file which corresponds to the ''debserv-*.test'' domain. 
It should look similar to this:
<pre>$ttl 38400
debserv-Z.test. IN SOA 2480-Z.itc2480.campus.ihitc.net. root.debserv-Z.test. (
1519434495
10800
3600
604800
38400 )
debserv-Z.test. IN NS 2480-Z.itc2480.campus.ihitc.net.
debserv-Z.test. IN A 172.17.50.36
debserv-Z.test. IN MX 10 mail.debserv-Z.test.
mail.debserv-Z.test. IN A 172.17.50.36
blog.debserv-Z.test. IN CNAME debserv-z.test.
debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756
mail.debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756</pre></li>
<ul>Notice the formatting for domain records. Each record is defined by the domain or subdomain name, ''IN'', then the record type (like A, AAAA, NS, or MX), followed by what the record is pointed to. For this example, we want to change the MX priority from 10 to 15.</ul>
<li>Using your text editor change the MX record settings priority from 10 to 15.</li>
<li>When you are done, '''restart''' the bind9 service to reload the changes. 
<code>sudo systemctl restart bind9</code>
* Note: when restarting bind, if you have any errors restarting the service this normally means you have a typo in one of your zone files. If this is the case, go through the file again in a text editor to make sure you did not add anything extra or remove anything else.</li>
<li>Use the '''dig''' tool to check the MX record and see that the new priority is active. You should see something similar to the following response:
<pre>; <<>> DiG 9.10.3-P4-Debian <<>> debserv-z.test MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40128
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debserv-z.test. IN MX

;; ANSWER SECTION:
debserv-Z.test. 38400 IN MX 15 mail.debserv-Z.test.

;; AUTHORITY SECTION:
debserv-Z.test. 38400 IN NS 2480-Z.itc2480.campus.ihitc.net.

;; ADDITIONAL SECTION:
mail.debserv-Z.test. 38400 IN A 172.17.50.36
mail.debserv-Z.test. 38400 IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Feb 23 20:15:48 CST 2018
;; MSG SIZE rcvd: 163</pre></li>
<ul>Notice how the Answer Section shows the MX record is pointed to the IP of the domain, and that the priority is set to 15.</ul>
<li>Congratulations, you have now setup a functional DNS server.</li>

Lab 8 mnjk

2021-02-12T22:00:03Z

KreidKolo: /* Install BIND & Enable Caching */

=Introduction=
In this lab you will perform the following tasks:
*Install BIND and configure as caching plus zones for a local domain
*Learn how to create domains using Webmin
*Learn how to manually edit using a zone file
You will use the following commands:
*'''[https://linux.die.net/man/1/dig dig]'''
*'''[https://linux.die.net/man/1/nslookup nslookup]'''
*'''[https://linux.die.net/man/8/shutdown shutdown]'''
*'''[https://linux.die.net/man/8/sudo sudo]'''
*'''[https://www.man7.org/linux/man-pages/man1/systemctl.1.html systemctl]'''

=Lab Procedure=
== Prerequisites ==
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account.
# Make sure that Webmin is installed on your system.
== Install BIND & Enable Caching ==
'''''[https://www.youtube.com/watch?v=frZ7FrJyjME Video Tutorial - Installing BIND and Enabling Caching]''''' 
<ol>
<li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li>
<ul>BIND (Berkeley Internet Name Domain) is one of the available DNS server applications for Linux and the most well known and used nameserver on the Internet.</ul>
<li>You will also want to install the '''dnsutils''' package.</li>
<ul>In order to use the '''nslookup''' and '''dig''' programs for DNS testing and troubleshooting you'll need dnsutils</ul>
<li>Open up ''/etc/bind/named.conf.options'' with your favorite text editor.</li>
<ul>Now we will need to enable DNS caching and forwarding on the BIND server. This will allow us to use it for DNS resolving locally, as well as speed up frequent DNS requests.</ul>
<ul>You are now in the local options file for BIND. You will need to uncomment (remove the // from the front of) the following lines:
: [[File:Bind_named_conf.png | 500px]]
<pre>// forwarders {
// 0.0.0.0;
// };</pre>
* '''NOTE:''' You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul>
<ul>The reason we setup a forwarder address is so that domain requests that are not on our system are passed to another DNS server instead of being searched against the root nameservers. You may want to do this in domain or enterprise environments as most large networks have internal domain names setup that only redirect inside of a local LAN. By using a forwarder, as long as the DNS server you push requests to is able to access those internal records, you will be able to access local content from internal domain names instead of needing to rely on IP addresses.</ul>
<li>To apply these changes, you will need to restart the BIND server with administrative permissions.</li>
<code>sudo service bind9 restart</code>
<li>Next, open up your interfaces file (''/etc/network/interfaces'') with your favorite file editor.</li>
<ul>Change the dns server for the primary network interface to ''127.0.0.1''.</ul>
<ul>The change to ''/etc/network/interfaces'' will take effect if you restart your system. To avoid doing that right now you can edit the ''/etc/resolv.conf'' file so that it has only one nameserver line like ''nameserver 127.0.0.1'' Note that unless you reboot the system it will eventually get reset back to it's prior setting by a background system process so at some point you will want to reboot your system to make the change permanent.</ul>
<li>Run the command:</li>
<code>nslookup inverhills.edu</code>
<ul>If BIND is working, you should now see the following output:</ul>
<pre>Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: inverhills.edu
Address: 134.29.182.42
</pre>
* Notice how it shows it is using 127.0.0.1 as the server. If you do not see this, then your interface file or resolv.conf file is not set to use the local machine for DNS lookups. Note also that the IP address returned for this domain may vary from the one shown in the output above.</li>
<li>Run:</li>
<code>dig inverhills.edu</code>
<ul>See if you can find where the IP address for the domain is reported in the output as well as where the server IP address is reported in the output.</ul>
<li>Now would be a good time to reboot your server to ensure the DNS server network interface configuration changes remain permanent.</li>
<code>sudo shutdown -r now</code>
<li>Once the system reboots log back in and use '''nslookup''' or '''dig''' to verify the default nameserver being used is ''127.0.0.1''.</li>
</ol>

== Create a Domain using Webmin ==
'''''[https://www.youtube.com/watch?v=53aK9FeYz68 Video Tutorial - Create a Domain Using Webmin]''''' 
Now we are going to use Webmin to create a few different type of domain records and have our system serve as a DNS server for a domain. We will utilize A (Host), AAAA (IPv6 host), MX (Mail Exchange), and CNAME (Canonical Name) records.
<ol>
<li>Open up your '''Webmin panel''' and sign in.</li>
<ul>Now that we have BIND installed, you will need to click the Refresh Modules option on the left sidebar to have Webmin recheck the system for installed packages and services so that it will show up as an option in the ''Servers'' tab.</ul>
<li>Under the ''Servers'' tab, open up ''BIND DNS Server'', under ''Existing DNS Zones'' click ''Create master zone''.</li>
<ul>From here we will create a new domain name for our server to respond to DNS queries for.</ul>
<li>Use the following options, '''where * is replaced by your System ID''' that was defined in [[Franske ITC-2480 Lab 5|Lab 5]] (just the letter of your system, for example the domain name would be ''debserv-A.test'' if you had System ID "A").
<pre>Zone type: Forward (Names to Addresses)
Domain name / Network: debserv-*.test
Records file: Automatic
Master server: Leave as your hostname
Email address: root@debserv-*.test</pre></li>
<li>Click the ''create'' button to add the domain.</li>
<ul> As this point you should now be on the ''Edit Master Zone'' page. From here you can add and edit domain records for this domain name.</ul>
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li>
* For the ''Name'' enter ''@''. Note: The ''@'' symbol in DNS Zones defines the parent domain (alternatively you could re-enter the parent domain ''debserv-*.test.'' with the period at the end).
* In the ''address'' field enter your VM's static IP set in [[Franske ITC-2480 Lab 5|Lab 5]] and click ''Create''.
<li> Return to the main BIND DNS Server page. Click the ''Apply Configuration'' link (which looks like two arrows chasing each other) in the top right corner. You'll see the "Apply Configuration" text if you hover your mouse over the button.</li>
<li> To test the record use '''nslookup''' or '''dig''' to lookup the domain you just created (Replace the * with your letter.)</li>
<code>nslookup debserv-*.test</code>
<code>dig debserv-*.test</code>
* If you have issues looking up the domain, make sure that the system is still using 127.0.0.1 as the DNS server. If not, check your ''/etc/resolv.conf'' file.</li>
</ol>

== Additional DNS Record Types ==
'''''[https://www.youtube.com/watch?v=dC6RsYYMk4w Video Tutorial - Additional DNS Record Types]''''' 
Now we are going to add a few more record types to our Domain. This will include an ''MX'' (Mail Exchange) and ''CNAME'' (Canonical Name) record. We will start with the MX record. MX records are used by email servers to look up where to forward email for a specific domain.
<ol>
<li>In Webmin on the '''BIND DNS Server''' page, click the domain on the bottom named ''debserv-*.test'' and then click the '''Mail Server''' button. Under ''name'', enter ''@'' again, and for ''mail server'' enter ''mail.debserv-*.test.'' (with the period at the end). For ''Priority'', enter ''10''.</li>
* This entry has said we want other servers trying to send mail to ''users@debserv-*.test'' to actually send it to the server at ''mail.debserv-*.test'' which allows us to use a different server for email than we use fore web serving, etc.
* The Priority entry allows people to define more than one MX record for a name, and the order which the sending service will try to use for contacting the various mail servers at your domain.</li>
<li>Go back to the domain zone overview page. Add an ''A'' record for ''mail.debserv-*.test'' which points to the IP of your system.</li>
<ul>Because we don't currently have an "A" (address) record for ''mail.debserv-*.test'' the mail would currently go undelivered.</ul>
* Reapply configuration settings like you did in the last section of this lab using the button with the two arrows in a circle.
<li> To test an ''MX'' record we need to make multiple queries and ask '''nslookup''' or '''dig''' to fist check for MX records for the domain like:</li>
<code>nslookup -type=MX debserv-*.test</code>
<ul>or</ul>
<code>dig debserv-*.test MX</code>
which will return the names of the mail servers for that domain. We then need to do a regular '''nslookup''' or '''dig''' on those names to determine what IP addresses those are pointed to. Of course, for mail to actually work we'd also need to insure mail server software is installed and configured on that server as well.</li>
<li>Again return to the domain zone overview page.</li>
<ul>We are now going to create a CNAME record. CNAME records are useful as they allow you to create virtual A records (aliases), but point them to another domain or host name instead of to a specific IP address. This allows you to have many hostnames all pointed to the same A record which contains the actual IP address so if the IP address changes you only need to change a single A record and all the hostnames will change. It can also be used to redirect a hostname at one domain to an entirely different domain.</ul>
<li>On the ''Edit Master Zone'' page for your domain, click the ''Name Alias'' button. For the ''Name'', enter ''blog'' and for the ''Real Name'', enter your domain ''debserv-*.test.'' but remember to put a period at the end of the domain as this is an ''absolute name''. Press ''create'' to add the record.</li>
<li>Click the ''Apply Configuration'' link at the top right of the page again. This will apply the records you have created. Now back in PuTTY, run: 
<code>nslookup blog.debserv-*.test</code>
or the equivalent '''dig''' command. 
You should get a response similar to:</li>
<pre>Server: 127.0.0.1
Address: 127.0.0.1#53

blog.debserv-*.test canonical name = debserv-*.test.
Name: debserv-*.test
Address: 172.17.50.XXX
</pre>
<ul>One thing we can use CNAMEs for is to create virtual web hosts in Apache that listens for the domain blog.debserv-*.test, and then forwards you directly to your blog folder instead of to our main web page. </ul>
<li>In '''Webmin''' under the ''Servers'' tab, select ''Apache Webserver''. Then on the top, click the ''Create virtual host'' button and use the following configuration:
<pre>Handle Connections to Address: any address
Port: 80
Document Root: /var/www/html/blog/
Server Name: blog.debserv-*.test
Add virtual server to file: new file under virtual servers directory
Copy directives from: nowhere
</pre>
When done, press ''Create Now''.
<li> When you are back at the ''Apache Webserver'' page, then click ''Apply Changes'' in the top right.</li>
<li>Now in a SSH session, open up your favorite command line web browser like '''links''' and visit ''blog.debserv-*.test.'' make special note that when you enter the URL in Links you need to include the extra period at the end.</li>
<ul> This is because the .test domain is not a regular TLD like .com .org etc. and the Links browser doesn't know how to handle it unless we force it as a domain name by adding the period at the end. This is not related to it being a CNAME or our Apache configuration and with a regular domain name would not be required. Notice how you are now visiting the blog directly, instead of your modified index.html file. This is because we setup a virtual host in Apache that listens for requests to the CNAME we created and points to the document root where the Wordpress software is installed.
* Note that you will not be able to use this URL to access the blog from your local PC yet because your local PC isn't using your Linux server as it's DNS server and the .test domain isn't registered to your DNS server.</ul>
<li>Congrats, at this point you have a basic domain working with a MX, CNAME, and A record.</li>
</ol>

== Adding a AAAA record ==
'''''[https://www.youtube.com/watch?v=sql0Wlo8F5g Video Tutorial - Adding an AAAA Record]''''' 
Now we are going to add an ''AAAA'' (IPv6 host) record to our domain. To do this, we will first need to make sure that IPv6 networking is setup in our virtual machine.
<ol>
<li> Use <code>ip address show</code> to check the ''inet6'' address (IPv6 Address) on the primary network interface.</li>
<ul> You should have an address starting with ''2607:f930:1c00:50:''. If you do not please check with your instructor. You will need to write down or remember this full address as we will use it in Webmin to create our AAAA record.</ul>
<li> Back in '''Webmin''', under the ''BIND DNS Server'' tab, select your ''debserv-*.test'' domain from the bottom and then click the ''IPv6 Address'' button. For the name, enter ''@'' and for the ''address'' enter your IPv6 address WITHOUT the subnet prefix (No /64 on the end).</li>
<ul> It should look similar to this: ''2607:f930:1c00:50:xxxx:xxxx:xxxx:xxxx''.</ul>
<li>When done click ''create''. Remember to click the ''apply configuration'' link in the top right to apply the changes.</li>
<li> In order to verify the AAAA record is working we need to modify the '''nslookup''' or '''dig''' command to check for AAAA records instead of the default of A records. Try: 
<code>nslookup -type=AAAA debserv-*.test</code> 
and 
<code>dig debserv-*.test AAAA</code> 
to see the output from AAAA records.</li>
<li>Congratulations, you have now setup a dual-stack DNS records for your Debian server. This means your server is accessible from both IPv4 and IPv6 at the same name because both the A and AAAA records we created have the same host name).</li>
</ol>

== Adding a Delegated Domain ==
'''''[https://www.youtube.com/watch?v=Qn45Vv7vuZY Video Tutorial - Adding a Delegated Domain]''''' 
The problem with the name we have been using so far is that it only works on the DNS server itself. This is because we didn't purchase the name and so no other nameservers know to send requests for it to our server. Normally if you purchase a domain or someone else gives you control of a subdomain it is ''delegated'' to your server meaning that other DNS servers will query your server for addresses related to that name. In order to practice this we are going to add another domain to the system, but this domain will be a delegated domain which is a subdomain of ''itc2480.campus.ihitc.net''. Luckily we can add this to BIND the same way we added our original domain.
<ol>
<li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings:
<pre>Zone type: Forward (Names to Addresses)
Domain name / Network: *.itc2480.campus.ihitc.net
Records file: Automatic
Master server: *.itc2480.campus.ihitc.net.
Email address: root@ *.itc2480.campus.ihitc.net</pre>
* '''NOTE:''' the * stands for your System ID letter, the same as you used for the previous domain we created.</li>
<li> Using webmin, create an ''A'' record for ''@'' the same way as we did for the last domain.</li>
<ul> If you need help with this step, you can review the process we did earlier. Make sure to apply your changes after adding the record.</ul>
<li>Test that the record and delegation are working correctly. This time you should be able to check from your host computer too!</li>
<ul> Windows does not include the '''dig''' command so you'll need to use '''nslookup''' on ''*.itc2480.campus.ihitc.net'' (replace the * with your System ID). Does the correct address come back?</ul>
<li> Test your setup using a web browser on your local computer</li>
<ul> can you access your webserver by going to http://*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul>
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well just like we did with the test domain (this will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li>
<ul>Test that the MX record and associated A record are working correctly. This time you should be able to check from your host computer too! Windows does not include the '''dig''' command so you'll need to use '''nslookup'''. Does the correct mail server name and address come back?</ul>
<li>Create a ''CNAME'' record for the blog just like in the previous example (''blog.*.itc2480.campus.ihitc.net''' though) and create a new Apache virtual server just like in the previous example as well.</li>
<ul>Test your setup using a web browser on your local computer, can you access your blog directly by going to http://blog.*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul>
</ol>

== Manually editing a zone file ==
'''''[https://www.youtube.com/watch?v=3T7TkE9cRVE Video Tutorial - Manually Editing a Zone File]''''' 
Lastly we are going to look at the domain zone file. While Webmin provides a nice interface to add records, all it is doing is manually adding our records to our text based zone file. When you use BIND for DNS, every domain created gets its own record file which is called the zone file. In this file all subdomains and records are stored for said domain.
<ol>
<li>By default, the location for these records on Debian will be in ''/var/lib/bind'', so go to that directory and list the contents.</li>
<li>Now, with your favorite text editor, open up the file which corresponds to the ''debserv-*.test'' domain. 
It should look similar to this:
<pre>$ttl 38400
debserv-Z.test. IN SOA 2480-Z.itc2480.campus.ihitc.net. root.debserv-Z.test. (
1519434495
10800
3600
604800
38400 )
debserv-Z.test. IN NS 2480-Z.itc2480.campus.ihitc.net.
debserv-Z.test. IN A 172.17.50.36
debserv-Z.test. IN MX 10 mail.debserv-Z.test.
mail.debserv-Z.test. IN A 172.17.50.36
blog.debserv-Z.test. IN CNAME debserv-z.test.
debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756
mail.debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756</pre></li>
<ul>Notice the formatting for domain records. Each record is defined by the domain or subdomain name, ''IN'', then the record type (like A, AAAA, NS, or MX), followed by what the record is pointed to. For this example, we want to change the MX priority from 10 to 15.</ul>
<li>Using your text editor change the MX record settings priority from 10 to 15.</li>
<li>When you are done, '''restart''' the bind9 service to reload the changes. 
<code>sudo systemctl restart bind9</code>
* Note: when restarting bind, if you have any errors restarting the service this normally means you have a typo in one of your zone files. If this is the case, go through the file again in a text editor to make sure you did not add anything extra or remove anything else.</li>
<li>Use the '''dig''' tool to check the MX record and see that the new priority is active. You should see something similar to the following response:
<pre>; <<>> DiG 9.10.3-P4-Debian <<>> debserv-z.test MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40128
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debserv-z.test. IN MX

;; ANSWER SECTION:
debserv-Z.test. 38400 IN MX 15 mail.debserv-Z.test.

;; AUTHORITY SECTION:
debserv-Z.test. 38400 IN NS 2480-Z.itc2480.campus.ihitc.net.

;; ADDITIONAL SECTION:
mail.debserv-Z.test. 38400 IN A 172.17.50.36
mail.debserv-Z.test. 38400 IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Feb 23 20:15:48 CST 2018
;; MSG SIZE rcvd: 163</pre></li>
<ul>Notice how the Answer Section shows the MX record is pointed to the IP of the domain, and that the priority is set to 15.</ul>
<li>Congratulations, you have now setup a functional DNS server.</li>

2021-02-12T01:17:02Z

KreidKolo: /* Monitoring Services and Graphing System Statistics with Zabbix */

=Introduction=
In this lab you will learn about several Linux utilities which can be used for monitoring Linux and other systems for security and service uptime purposes.

In this lab you will perform the following tasks:
* Monitor connections with [https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat netstat]
* Scan for open ports using [https://nmap.org/ nmap]
* Monitor services with [https://www.zabbix.com/ zabbix]

You will use the following commands:
*'''[https://linux.die.net/man/8/netstat netstat]'''
*'''[https://linux.die.net/man/1/ps ps]'''
*'''[https://linux.die.net/man/1/grep grep]'''
*'''[https://linux.die.net/man/1/nmap namp]'''
*'''[https://linux.die.net/man/8/service service]'''
*'''[https://www.man7.org/linux/man-pages/man1/systemctl.1.html systemctl]'''

=Lab Procedure=
== Prerequisites ==
# Open an SSH console to your Linux system using the PuTTY software, login with your standard user account
# The IP address of a partner's system which you have permission to portscan

== Monitoring connections with netstat ==
'''''[https://www.youtube.com/watch?v=51eo20xbSxs Video Tutorial - Monitoring Connections with Netstat]''''' 
One common activity you would want to do when evaluating the security of a system is to find out what ports the system is accepting connections on. For this reason most operating systems have some kind of utility to display active network connections and open ports, Linux is no exception. The netstat utility can show you currently active network connections as well as open ports on your local system. Take a look at the man page for the [https://linux.die.net/man/1/nmap '''netstat'''] command. Specifically, figure out what the ''-n -a -t -p'' and ''-u'' options do.
<ol>
<li> Run the '''netstat''' command on your system and observe the output.</li>
<code>sudo netstat -natup</code>
* Try to identify what the purpose of each open port on your system is. There are many online guides to common uses for ports.
<li> Use the '''sudo ps aux''' command (along with '''grep''') to match the PID (process ID) numbers of open ports shown in '''netstat -natup''' with specific processes on your system.</li>
<li> Connect to the IP address or domain name of your system through your web browser and re-run the '''netstat -natup''' command to see the TCP session established by your browser to download the website.</li>
<ul> You'll find that there are a number of ports open on your system. Some of these we have opened to provide a specific service such as SMTP, DNS, Webserver, etc. but some such as the sunrpc port are open simply by default on a fresh install. There are a number of different strategies you can use to secure your system including disabling a service, binding it to an internal-only IP address, or blocking access with a firewall rule. If your firewall is setup with an implicit (or explicit) reject any rule at the bottom of the input chain and you have not specifically opened a port it should not be accessible from other systems. How can we test that though? The '''netstat''' utility is useful at making a list of ports somehow open on the system but it does not show us how those ports react if someone outside actually tries to connect.</ul>
</ol>

== Scanning ports using nmap ==
'''''[https://www.youtube.com/watch?v=DzxpMPtGsGM Video Tutorial - Scanning Ports with nmap]''''' 
The nmap Network Mapper utility is a very powerful security scanning utility available on Linux. While netstat uses information from the Linux kernel about what ports and connections are in use by what processes nmap actively probes and tests ports on your system or another system to determine whether the port is open or not as well as additional information about the port in some cases. Unlike netstat, nmap is not part of the default Debian installation so you will need to install the nmap package before proceeding. nmap is complex and powerful. Entire [http://nmap.org/book/toc.html books] and [http://nmap.org/book/man.html extensive documentation] are available which you may want to reference but we'll only be exploring some of the more basic features in this introduction.
: ''NOTE: Before we begin this section of the lab it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning of systems which they are not authorized to do. You have been warned!''
<ol>
<li> Make sure '''nmap''' is installed</li>
<code>sudo apt install nmap</code>
<li>'''nmap''' provides a system on the Internet which they allow you to scan for testing purposes so let's try a verbose scan which gives additional diagnostic detail.</li>
<code>nmap -v scanme.nmap.org</code>
* Review the output and then run the same command without the ''-v'' verbose option and compare the output you receive.
<ul> When scanning your own system there are a few different ways to go about it. You could either scan the localhost address 127.0.0.1 or the actual outside IP address of your system. You could also setup a separate system or VM and do the scanning from that system. In each case you might see somewhat different results, can you guess why?</ul>
* The answer is related to how you have firewall rules setup and what addresses you have services bound to. For example by default on Debian systems the mySQL/MariaDB server daemon only listens for connections on the localhost address (127.0.0.1) and not on outside interfaces. Try running the '''nmap 127.0.0.1''' command and then compare output with the '''nmap <your outside ip address here>''' command. Do you see some network services listening only on the localhost address. These services are not accessible from outside your computer even though the ports are open and you would see them as open with '''netstat'''. This shows us some of the additional value of using '''nmap'''.
<li> The most realistic use of '''nmap''' though is to scan like an attacker would using a system outside of the one you're testing. Use '''nmap''' to scan a partner's IP address in the class and take a look at some of the '''nmap''' documentation to try a few different types scans on that system. If you would like you can also try scanning the entire ITC-2480 subnet (172.17.50.0/24) if you want to try some subnet scanning capabilities.</li>
<ul> Remember that in our case these systems are secure from the outside world because we have an upstream firewall which you have bypassed by connecting to our VPN and these systems are using unroutable private IPv4 addresses.</ul>
<li> '''nmap''' also supports scanning IPv6 addresses. Note that a running service is not necessarily listening on both IPv4 and IPv6 addresses just because you have them both active on your machine. Figure out how to scan IPv6 addresses with '''nmap''' and try scanning both an IPv4 and IPv6 address of your machine and compare the results. Use the same type of address (i.e. both IPv4 and Ipv6 addresses should be the localhost addresses or should both be outside addresses) Are the same services open on both IPv4 and IPv6 on your system?</li>
</ol>

== Monitoring Services and Graphing System Statistics with Zabbix==
'''''[https://www.youtube.com/watch?v=fF5NNRJwLjg Video Tutorial - Monitoring with Zabbix]''''' 
In this section we will be following the instruction on how to install zabbix using [https://www.zabbix.com/download?zabbix=5.0&os_distribution=debian&os_version=10_buster&db=mysql&ws=apache these instructions on the Zabbix site].
<ol>
<li> Go to the instructions link above and scroll down to '''part 2'''. Start by installing the zabbix repository.</li>
<code>wget https://repo.zabbix.com/zabbix/5.0/debian/pool/main/z/zabbix-release/zabbix-release_5.0-1+buster_all.deb</code> 
<code>dpkg -i zabbix-release_5.0-1+buster_all.deb</code> 
<code>apt update</code>
<li>Install Zabbix server, frontend, agent</li>
<code>apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent</code>
<li>Create a database, a user, and schema following the instructions on the same website.
: ''NOTE: These instructions use the MySQL/MariaDB command line, if you prefer you can create the same database, user, and schema using the Webmin software but you'll have to translate the command line instructions into the actions required in Webmin.''
<code>mysql -uroot -p</code> 
<code>create database zabbix character set utf8 collate utf8_bin;</code> 
<code>create user zabbix@localhost identified by 'password';</code> 
* Replace password with a password you want to use. (Command needs the quotes so don't remove them).
<code>grant all privileges on zabbix.* to zabbix@localhost;</code> 
<code>quit;</code> 
<li>On Zabbix server host import initial schema and data. You will be prompted to enter your newly created password used when setting up the mysql database.</li>
<code>zcat /usr/share/doc/zabbix-server-mysql*/create.sql.gz | mysql -uzabbix -p zabbix</code>
<li>Edit the server configuration file ( ''/etc/zabbix/zabbix_server.conf'' ) to include the correct database password used when you setup the database above. ( ''DBPassword=<password>'' )
: [[File:DBPassword.png | 500px]]
<li>Edit the server configuration file ( ''/etc/zabbix/apache.conf'' ) to include the correct timezone. [https://www.php.net/manual/en/timezones.php A list of valid PHP timezones can be found here.] We will be using ''America/Chicago''.</li>
: [[File:Apache_timezone.png | 500px]]
<li>Restart the server. Then set it to auto start on startup:</li>
<code>systemctl restart zabbix-server zabbix-agent apache2</code> 
<code>systemctl enable zabbix-server zabbix-agent apache2</code>
<li>Access the Zabbix web application at http://yourserver/zabbix/ and complete the setup wizard. [https://www.zabbix.com/documentation/5.0/manual/installation/frontend Detailed instructions for completing the setup wizard can be found here on the Zabbix site.]</li>
<ul> At the end of the setup wizard you may need to download a ''zabbix.conf.php'' and save it to ''/etc/zabbix/zabbix.conf.php'' on your system.</ul>
<li> Login to http://yourserver/zabbix/ (where yourserver is the IP address or DNS name for your system) with the username and password found [https://www.zabbix.com/documentation/5.0/manual/quickstart/login on the Zabbix site login instructions].</li>
: [[File:Enable_monitoring_zabbix.png | 500px]]
<ul>The default superuser credentials are user name '''Admin''' with password '''zabbix'''.</ul>
<li> Enable monitoring of your Zabbix server host (''Configuration'' -> ''Hosts'')</li>
: [[File:Enable_monitoring_zabbix.png | 500px]]
: ''NOTE: [https://www.zabbix.com/documentation/5.0/manual The Zabbix manual] may be helpful in completing these monitoring setup tasks.''
* Add the templates to the host appropriate for the services we are running on the server (HTTP, IMAP, MySQL, SMTP, SSH)
: [[File:Zabbix_templates.png | 500px]]
* Explore some of the data available through Zabbix such as various graphs (''Monitoring'' -> ''Graphs''), Latest Data (''Monitoring'' -> ''Latest Data''), Screens (''Monitoring'' -> ''Screens''), and Events (''Monitoring'' -> ''Events'')
* Try temporarily stopping some of the services on your system (to simulate a problem) such as the Postfix SMTP server, ''courier-imap'' server, etc. using the command line '''service''' command.
* Re-check the data in Zabbix with the services turned off, are you alerted of the problems? Make sure to turn the services back on when you're done.
: ''NOTE: Most services will not instantaneously show as down, the templates for the service probably check it once per minute or less so you may need to leave things down for a bit to see it in the Web UI.''
* If you have additional time see if you can get email notifications of failed services working (see ''Administration'' -> ''Media Types'' -> ''Email and Configuration'' -> ''Actions'')
</ol>

File:Zabbix templates.png

2021-02-12T01:16:54Z

KreidKolo:

File:Zabbix wizard.png

2021-02-12T00:56:27Z

KreidKolo:

File:Enable monitoring zabbix.png

2021-02-12T00:55:23Z

KreidKolo:

File:Apache timezone.png

2021-02-12T00:52:56Z

KreidKolo:

File:DBPassword.png

2021-02-12T00:51:27Z

KreidKolo: