Franske ITC-2480 DNS Lab: Difference between revisions
BenFranske (talk | contribs) |
BenFranske (talk | contribs) (Update to mjnk version) |
||
(6 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
=Introduction= | =Introduction= | ||
In this lab you will perform the following tasks: | |||
*Install BIND and configure as caching plus zones for a local domain | |||
*Learn how to create domains using Webmin | |||
*Learn how to manually edit using a zone file | |||
You will be introduced to the following commands: | |||
*'''[https://linux.die.net/man/1/dig dig]''' | |||
*'''[https://linux.die.net/man/1/nslookup nslookup]''' | |||
*'''[https://www.man7.org/linux/man-pages/man1/systemctl.1.html systemctl]''' | |||
=Lab Procedure= | =Lab Procedure= | ||
Line 6: | Line 14: | ||
# Make sure that Webmin is installed on your system. | # Make sure that Webmin is installed on your system. | ||
== Install BIND & Enable Caching == | == Install BIND & Enable Caching == | ||
'''''[https://www.youtube.com/watch?v=frZ7FrJyjME Video Tutorial - Installing BIND and Enabling Caching]'''''<br> | |||
<ol> | <ol> | ||
<li>First you will need to install BIND. BIND (Berkeley Internet Name Domain) is one of the available DNS server applications for Linux and the most well known and used nameserver on the Internet. | <li>First you will need to install BIND. to install it, use the package manager to install '''bind9'''</li> | ||
< | <ul>BIND (Berkeley Internet Name Domain) is one of the available DNS server applications for Linux and the most well known and used nameserver on the Internet.</ul> | ||
< | <li>You will also want to install the '''dnsutils''' package.</li> | ||
<ul>In order to use the '''nslookup''' and '''dig''' programs for DNS testing and troubleshooting you'll need dnsutils</ul> | |||
<li>Open up ''/etc/bind/named.conf.options'' with your favorite text editor.</li> | |||
<ul>Now we will need to enable DNS caching and forwarding on the BIND server. This will allow us to use it for DNS resolving locally, as well as speed up frequent DNS requests.</ul> | |||
* | <ul> | ||
< | * You are now in the local options file for BIND. You will need to uncomment (remove the // from the front of) the following lines: | ||
<li>To apply | : [[File:Bind_named_conf.png | 500px]] | ||
<li>Next, | * '''NOTE:''' You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.</ul> | ||
< | <ul>The reason we setup a forwarder address is so that domain requests that are not on our system are passed to another DNS server instead of being searched against the root nameservers. You may want to do this in domain or enterprise environments as most large networks have internal domain names setup that only redirect inside of a local LAN. By using a forwarder, as long as the DNS server you push requests to is able to access those internal records, you will be able to access local content from internal domain names instead of needing to rely on IP addresses.</ul> | ||
<li> | <li>To apply these changes, you will need to restart the BIND server with administrative permissions.</li> | ||
< | <code>sudo service bind9 restart</code> | ||
<li>Next, open up your interfaces file (''/etc/network/interfaces'') with your favorite file editor.</li> | |||
<ul> | |||
* Change the dns server for the primary network interface to ''127.0.0.1''.</ul> | |||
<ul>The change to ''/etc/network/interfaces'' will take effect if you restart your system. To avoid doing that right now you can edit the ''/etc/resolv.conf'' file so that it has only one nameserver line like ''nameserver 127.0.0.1'' Note that unless you reboot the system it will eventually get reset back to it's prior setting by a background system process so at some point you will want to reboot your system to make the change permanent.</ul> | |||
<li>Run the command:</li> | |||
<code>nslookup inverhills.edu</code> | |||
<ul>If BIND is working, you should now see the following output:</ul> | |||
: [[File:Nslookup_inverhillsedu.png | 500px]] | |||
* Notice how it shows it is using 127.0.0.1 as the server. If you do not see this, then your interface file or resolv.conf file is not set to use the local machine for DNS lookups. Note also that the IP address returned for this domain may vary from the one shown in the output above.</li> | * Notice how it shows it is using 127.0.0.1 as the server. If you do not see this, then your interface file or resolv.conf file is not set to use the local machine for DNS lookups. Note also that the IP address returned for this domain may vary from the one shown in the output above.</li> | ||
<li> | <li>Run:</li> | ||
<code>dig inverhills.edu</code> | |||
<ul>See if you can find where the IP address for the domain is reported in the output as well as where the server IP address is reported in the output.</ul> | |||
<li>Now would be a good time to reboot your server to ensure the DNS server network interface configuration changes remain permanent.</li> | |||
<code>sudo shutdown -r now</code> | |||
<li>Once the system reboots log back in and use '''nslookup''' or '''dig''' to verify the default nameserver being used is ''127.0.0.1''.</li> | |||
</ol> | </ol> | ||
== Create a Domain using Webmin == | == Create a Domain using Webmin == | ||
'''''[https://www.youtube.com/watch?v=53aK9FeYz68 Video Tutorial - Create a Domain Using Webmin]'''''<br> | |||
Now we are going to use Webmin to create a few different type of domain records and have our system serve as a DNS server for a domain. We will utilize A (Host), AAAA (IPv6 host), MX (Mail Exchange), and CNAME (Canonical Name) records. | |||
<ol> | <ol> | ||
<li> | <li>Open up your '''Webmin panel''' and sign in.</li> | ||
< | <ul>Now that we have BIND installed, you will need to click the Refresh Modules option on the left sidebar to have Webmin recheck the system for installed packages and services so that it will show up as an option in the ''Servers'' tab.</ul> | ||
<li>Under the ''Servers'' tab, open up ''BIND DNS Server'', under ''Existing DNS Zones'' click ''Create master zone''. From here we will create a new domain name for our server to respond to DNS queries for.</ | <li>Under the ''Servers'' tab, open up ''BIND DNS Server'', under ''Existing DNS Zones'' click ''Create master zone''.</li> | ||
<ul>From here we will create a new domain name for our server to respond to DNS queries for.</ul> | |||
<li>Use the following options, '''where * is replaced by your System ID''' that was defined in [[Franske ITC-2480 Lab 5|Lab 5]] (just the letter of your system, for example the domain name would be ''debserv-A.test'' if you had System ID "A"). | <li>Use the following options, '''where * is replaced by your System ID''' that was defined in [[Franske ITC-2480 Lab 5|Lab 5]] (just the letter of your system, for example the domain name would be ''debserv-A.test'' if you had System ID "A"). | ||
<pre>Zone type: Forward (Names to Addresses) | <pre>Zone type: Forward (Names to Addresses) | ||
Line 40: | Line 60: | ||
Master server: Leave as your hostname | Master server: Leave as your hostname | ||
Email address: root@debserv-*.test</pre></li> | Email address: root@debserv-*.test</pre></li> | ||
<li>Click the ''create'' button to add the domain. As this point you should now be on the ''Edit Master Zone'' page. From here you can add and edit domain records for this domain name.</ | <li>Click the ''create'' button to add the domain.</li> | ||
<li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button. For the ''Name'' enter ''@''. The ''@'' symbol in DNS Zones defines the parent domain (alternatively you could re-enter the parent domain ''debserv-*.test.'' with the period at the end). In the ''address'' field enter your VM's static IP set in [[Franske ITC-2480 Lab 5|Lab 5]] and click ''Create''. Return to the main BIND DNS Server page. Click the ''Apply Configuration'' link in the top right corner.</li> | <ul> As this point you should now be on the ''Edit Master Zone'' page. From here you can add and edit domain records for this domain name.</ul> | ||
<li> To test the record use '''nslookup''' or '''dig''' to lookup the domain you just created | <li>To create our ''A record'' which points your domain to an IP address, click the ''Address'' button.</li> | ||
* For the ''Name'' enter ''@''. Note: The ''@'' symbol in DNS Zones defines the parent domain (alternatively you could re-enter the parent domain ''debserv-*.test.'' with the period at the end). | |||
* In the ''address'' field enter your VM's static IP set in [[Franske ITC-2480 Lab 5|Lab 5]] and click ''Create''. | |||
<li> Return to the main BIND DNS Server page. Click the ''Apply Configuration'' link (which looks like two arrows chasing each other) in the top right corner. You'll see the "Apply Configuration" text if you hover your mouse over the button.</li> | |||
<li> To test the record use '''nslookup''' or '''dig''' to lookup the domain you just created (Replace the * with your letter.)</li> | |||
<code>nslookup debserv-*.test</code> | |||
<code>dig debserv-*.test</code> | |||
* If you have issues looking up the domain, make sure that the system is still using 127.0.0.1 as the DNS server. If not, check your ''/etc/resolv.conf'' file.</li> | * If you have issues looking up the domain, make sure that the system is still using 127.0.0.1 as the DNS server. If not, check your ''/etc/resolv.conf'' file.</li> | ||
</ol> | </ol> | ||
== Additional DNS Record Types == | == Additional DNS Record Types == | ||
'''''[https://www.youtube.com/watch?v=dC6RsYYMk4w Video Tutorial - Additional DNS Record Types]'''''<br> | |||
Now we are going to add a few more record types to our Domain. This will include an ''MX'' (Mail Exchange) and ''CNAME'' (Canonical Name) record. We will start with the MX record. MX records are used by email servers to look up where to forward email for a specific domain. | |||
<ol> | <ol> | ||
<li> | <li>In Webmin on the '''BIND DNS Server''' page, click the domain on the bottom named ''debserv-*.test'' and then click the '''Mail Server''' button. Under ''name'', enter ''@'' again, and for ''mail server'' enter ''mail.debserv-*.test.'' (with the period at the end). For ''Priority'', enter ''10''.</li> | ||
* This entry has said we want other servers trying to send mail to ''users@debserv-*.test'' to actually send it to the server at ''mail.debserv-*.test'' which allows us to use a different server for email than we use fore web serving, etc. | * This entry has said we want other servers trying to send mail to ''users@debserv-*.test'' to actually send it to the server at ''mail.debserv-*.test'' which allows us to use a different server for email than we use fore web serving, etc. | ||
* The Priority entry allows people to define more than one MX record for a name, and the order which the sending service will try to use for contacting the various mail servers at your domain.</li> | * The Priority entry allows people to define more than one MX record for a name, and the order which the sending service will try to use for contacting the various mail servers at your domain.</li> | ||
<li>Go back to the domain zone overview page. Because we don't currently have an "A" (address) record for ''mail.debserv-*.test'' the mail would currently go undelivered. | <li>Go back to the domain zone overview page. Add an ''A'' record for ''mail.debserv-*.test'' which points to the IP of your system.</li> | ||
<li> To test an ''MX'' record we need to make multiple queries and ask '''nslookup''' or '''dig''' to fist check for MX records for the domain like | <ul>Because we don't currently have an "A" (address) record for ''mail.debserv-*.test'' the mail would currently go undelivered.</ul> | ||
<li>Again return to the domain zone overview page. We are now going to create a CNAME record. CNAME records are useful as they allow you to create virtual A records (aliases), but point them to another domain or host name instead of to a specific IP address. This allows you to have many hostnames all pointed to the same A record which contains the actual IP address so if the IP address changes you only need to change a single A record and all the hostnames will change. It can also be used to redirect a hostname at one domain to an entirely different domain.</ | * Reapply configuration settings like you did in the last section of this lab using the button with the two arrows in a circle. | ||
<li> To test an ''MX'' record we need to make multiple queries and ask '''nslookup''' or '''dig''' to fist check for MX records for the domain like:</li> | |||
<code>nslookup -type=MX debserv-*.test</code> | |||
<ul>or</ul> | |||
<code>dig debserv-*.test MX</code> | |||
which will return the names of the mail servers for that domain. We then need to do a regular '''nslookup''' or '''dig''' on those names to determine what IP addresses those are pointed to. Of course, for mail to actually work we'd also need to insure mail server software is installed and configured on that server as well.</li> | |||
<li>Again return to the domain zone overview page.</li> | |||
<ul>We are now going to create a CNAME record. CNAME records are useful as they allow you to create virtual A records (aliases), but point them to another domain or host name instead of to a specific IP address. This allows you to have many hostnames all pointed to the same A record which contains the actual IP address so if the IP address changes you only need to change a single A record and all the hostnames will change. It can also be used to redirect a hostname at one domain to an entirely different domain.</ul> | |||
<li>On the ''Edit Master Zone'' page for your domain, click the ''Name Alias'' button. For the ''Name'', enter ''blog'' and for the ''Real Name'', enter your domain ''debserv-*.test.'' but remember to put a period at the end of the domain as this is an ''absolute name''. Press ''create'' to add the record.</li> | <li>On the ''Edit Master Zone'' page for your domain, click the ''Name Alias'' button. For the ''Name'', enter ''blog'' and for the ''Real Name'', enter your domain ''debserv-*.test.'' but remember to put a period at the end of the domain as this is an ''absolute name''. Press ''create'' to add the record.</li> | ||
<li>Click the ''Apply Configuration'' link at the top right of the page again. This will apply the records you have created. Now back in PuTTY, run | <li>Click the ''Apply Configuration'' link at the top right of the page again. This will apply the records you have created. Now back in PuTTY, run:<br> | ||
<code>nslookup blog.debserv-*.test</code> | |||
or the equivalent '''dig''' command.<br> | |||
You should get a response similar to:</li> | |||
<pre>Server: 127.0.0.1 | <pre>Server: 127.0.0.1 | ||
Address: 127.0.0.1#53 | Address: 127.0.0.1#53 | ||
Line 63: | Line 100: | ||
Name: debserv-*.test | Name: debserv-*.test | ||
Address: 172.17.50.XXX | Address: 172.17.50.XXX | ||
</pre | </pre> | ||
< | <ul>One thing we can use CNAMEs for is to create virtual web hosts in Apache that listens for the domain blog.debserv-*.test, and then forwards you directly to your blog folder instead of to our main web page. </ul> | ||
<li>In Webmin under the ''Servers'' tab, select ''Apache Webserver''. Then on the top, click the ''Create virtual host'' button and use the following configuration: | <li>In '''Webmin''' under the ''Servers'' tab, select ''Apache Webserver''. Then on the top, click the ''Create virtual host'' button and use the following configuration: | ||
<pre>Handle Connections to Address: any address | <pre>Handle Connections to Address: any address | ||
Port: 80 | Port: 80 | ||
Line 75: | Line 112: | ||
When done, press ''Create Now''. | When done, press ''Create Now''. | ||
<li> When you are back at the ''Apache Webserver'' page, then click ''Apply Changes'' in the top right.</li> | <li> When you are back at the ''Apache Webserver'' page, then click ''Apply Changes'' in the top right.</li> | ||
<li>Now in a SSH session, open up your favorite command line web browser like '''links''' and visit ''blog.debserv-*.test''. Notice how you are now visiting the blog directly, instead of your modified index.html file. This is because we setup a virtual host in Apache that listens for requests to the CNAME we created and points to the document root where the Wordpress software is installed. | <li>Now in a SSH session, open up your favorite command line web browser like '''links''' and visit ''blog.debserv-*.test.'' make special note that when you enter the URL in Links you need to include the extra period at the end.</li> | ||
* Note that you will not be able to use this URL to access the blog from your local PC yet because your local PC isn't using your Linux server as it's DNS server and the .test domain isn't registered to your DNS server.</ | <ul> This is because the .test domain is not a regular TLD like .com .org etc. and the Links browser doesn't know how to handle it unless we force it as a domain name by adding the period at the end. This is not related to it being a CNAME or our Apache configuration and with a regular domain name would not be required. Notice how you are now visiting the blog directly, instead of your modified index.html file. This is because we setup a virtual host in Apache that listens for requests to the CNAME we created and points to the document root where the Wordpress software is installed. | ||
* Note that you will not be able to use this URL to access the blog from your local PC yet because your local PC isn't using your Linux server as it's DNS server and the .test domain isn't registered to your DNS server.</ul> | |||
<li>Congrats, at this point you have a basic domain working with a MX, CNAME, and A record.</li> | <li>Congrats, at this point you have a basic domain working with a MX, CNAME, and A record.</li> | ||
</ol> | </ol> | ||
== Adding a AAAA record == | == Adding a AAAA record == | ||
'''''[https://www.youtube.com/watch?v=sql0Wlo8F5g Video Tutorial - Adding an AAAA Record]'''''<br> | |||
Now we are going to add an ''AAAA'' (IPv6 host) record to our domain. To do this, we will first need to make sure that IPv6 networking is setup in our virtual machine. | |||
<ol> | <ol> | ||
<li> | <li> Use <code>ip address show</code> to check the ''inet6'' address (IPv6 Address) on the primary network interface.</li> | ||
<ul> You should have an address starting with ''2607:f930:1c00:50:''. If you do not please check with your instructor. You will need to write down or remember this full address as we will use it in Webmin to create our AAAA record.</ul> | |||
<li> Back in Webmin, under the ''BIND DNS Server'' tab, select your ''debserv-*.test'' domain from the bottom and then click the ''IPv6 Address'' button. For the name, enter ''@'' and for the ''address'' enter your IPv6 address WITHOUT the subnet prefix (No /64 on the end). It should look similar to this: ''2607:f930:1c00:50:xxxx:xxxx:xxxx:xxxx''.</ | <li> Back in '''Webmin''', under the ''BIND DNS Server'' tab, select your ''debserv-*.test'' domain from the bottom and then click the ''IPv6 Address'' button. For the name, enter ''@'' and for the ''address'' enter your IPv6 address WITHOUT the subnet prefix (No /64 on the end).</li> | ||
<li>When done click ''create''. Remember to click the ''apply configuration'' link in the top right to apply the changes. In order to verify the AAAA record is working we need to modify the '''nslookup''' or '''dig''' command to check for AAAA records instead of the default of A records. Try | <ul> It should look similar to this: ''2607:f930:1c00:50:xxxx:xxxx:xxxx:xxxx''.</ul> | ||
<li>When done click ''create''. Remember to click the ''apply configuration'' link in the top right to apply the changes.</li> | |||
<li> In order to verify the AAAA record is working we need to modify the '''nslookup''' or '''dig''' command to check for AAAA records instead of the default of A records. Try:<br> | |||
<code>nslookup -type=AAAA debserv-*.test</code><br> | |||
and<br> | |||
<code>dig debserv-*.test AAAA</code><br> | |||
to see the output from AAAA records.</li> | |||
<li>Congratulations, you have now setup a dual-stack DNS records for your Debian server. This means your server is accessible from both IPv4 and IPv6 at the same name because both the A and AAAA records we created have the same host name).</li> | <li>Congratulations, you have now setup a dual-stack DNS records for your Debian server. This means your server is accessible from both IPv4 and IPv6 at the same name because both the A and AAAA records we created have the same host name).</li> | ||
</ol> | </ol> | ||
== Adding a Delegated Domain == | == Adding a Delegated Domain == | ||
'''''[https://www.youtube.com/watch?v=Qn45Vv7vuZY Video Tutorial - Adding a Delegated Domain]'''''<br> | |||
The problem with the name we have been using so far is that it only works on the DNS server itself. This is because we didn't purchase the name and so no other nameservers know to send requests for it to our server. Normally if you purchase a domain or someone else gives you control of a subdomain it is ''delegated'' to your server meaning that other DNS servers will query your server for addresses related to that name. In order to practice this we are going to add another domain to the system, but this domain will be a delegated domain which is a subdomain of ''itc2480.campus.ihitc.net''. Luckily we can add this to BIND the same way we added our original domain. | |||
<ol> | <ol> | ||
<li> | <li>In '''Webmin''', go to ''Servers'', then ''BIND DNS Server''. Under ''Existing DNS Zones'' click on ''Create Master Zone'' and use the following settings: | ||
<pre>Zone type: Forward (Names to Addresses) | <pre>Zone type: Forward (Names to Addresses) | ||
Domain name / Network: *.itc2480.campus.ihitc.net | Domain name / Network: *.itc2480.campus.ihitc.net | ||
Line 98: | Line 145: | ||
Master server: *.itc2480.campus.ihitc.net. | Master server: *.itc2480.campus.ihitc.net. | ||
Email address: root@ *.itc2480.campus.ihitc.net</pre> | Email address: root@ *.itc2480.campus.ihitc.net</pre> | ||
* '''NOTE: the * stands for your System ID letter, the same as you used for the previous domain we created. | * '''NOTE:''' the * stands for your System ID letter, the same as you used for the previous domain we created.</li> | ||
<li> Using webmin, create an ''A'' record for ''@'' the same way as we did for the last domain. If you need help with this step, you can review the process we did earlier. Make sure to apply your changes after adding the record.</ | <li> Using webmin, create an ''A'' record for ''@'' the same way as we did for the last domain.</li> | ||
<li>Test that the record and delegation are working correctly. This time you should be able to check from your host computer too! Windows does not include the '''dig''' command so you'll need to use '''nslookup''' on ''*.itc2480.campus.ihitc.net'' (replace the * with your System ID). Does the correct address come back?</ | <ul> If you need help with this step, you can review the process we did earlier. Make sure to apply your changes after adding the record.</ul> | ||
<li> Test your setup using a web browser on your local computer | <li>Test that the record and delegation are working correctly. This time you should be able to check from your host computer too!</li> | ||
<ul> Windows does not include the '''dig''' command so you'll need to use '''nslookup''' on ''*.itc2480.campus.ihitc.net'' (replace the * with your System ID). Does the correct address come back?</ul> | |||
<li> Test your setup using a web browser on your local computer</li> | |||
<ul> can you access your webserver by going to http://*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul> | |||
<li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well just like we did with the test domain (this will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li> | <li>Create an ''MX'' record for the domain which directs mail for your delegated domain to your system as well just like we did with the test domain (this will involve creating another A record for ''mail.*.itc2480.campus.ihitc.net'' as well).</li> | ||
< | <ul>Test that the MX record and associated A record are working correctly. This time you should be able to check from your host computer too! Windows does not include the '''dig''' command so you'll need to use '''nslookup'''. Does the correct mail server name and address come back?</ul> | ||
<li>Create a ''CNAME'' record for the blog just like in the previous example (''blog.*.itc2480.campus.ihitc.net''' though) and create a new Apache virtual server just like in the previous example as well.</li> | <li>Create a ''CNAME'' record for the blog just like in the previous example (''blog.*.itc2480.campus.ihitc.net''' though) and create a new Apache virtual server just like in the previous example as well.</li> | ||
< | <ul>Test your setup using a web browser on your local computer, can you access your blog directly by going to http://blog.*.itc2480.campus.ihitc.net (where * is your hostname letter)?</ul> | ||
</ol> | </ol> | ||
== Manually editing a zone file == | == Manually editing a zone file == | ||
'''''[https://www.youtube.com/watch?v=3T7TkE9cRVE Video Tutorial - Manually Editing a Zone File]'''''<br> | |||
Lastly we are going to look at the domain zone file. While Webmin provides a nice interface to add records, all it is doing is manually adding our records to our text based zone file. When you use BIND for DNS, every domain created gets its own record file which is called the zone file. In this file all subdomains and records are stored for said domain. | |||
<ol> | |||
<li>By default, the location for these records on Debian will be in ''/var/lib/bind'', so go to that directory and list the contents.</li> | |||
<li>Now, with your favorite text editor, open up the file which corresponds to the ''debserv-*.test'' domain.<br> | |||
It should look similar to this: | |||
<pre>$ttl 38400 | <pre>$ttl 38400 | ||
debserv- | debserv-Z.test. IN SOA 2480-Z.itc2480.campus.ihitc.net. root.debserv-Z.test. ( | ||
1519434495 | |||
10800 | |||
3600 | |||
604800 | |||
38400 ) | |||
debserv- | debserv-Z.test. IN NS 2480-Z.itc2480.campus.ihitc.net. | ||
debserv- | debserv-Z.test. IN A 172.17.50.36 | ||
debserv- | debserv-Z.test. IN MX 10 mail.debserv-Z.test. | ||
mail.debserv-Z.test. IN A 172.17.50.36 | |||
blog.debserv-Z.test. IN CNAME debserv-z.test. | |||
debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756 | |||
mail.debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756</pre></li> | |||
* Note: when restarting bind, if you have any errors restarting the service this normally means you have a typo in one of your zone files. If this is the case, go through the file again in a text editor to make sure you did not add anything extra. | <ul>Notice the formatting for domain records. Each record is defined by the domain or subdomain name, ''IN'', then the record type (like A, AAAA, NS, or MX), followed by what the record is pointed to. For this example, we want to change the MX priority from 10 to 15.</ul> | ||
<li>Using your text editor change the MX record settings priority from 10 to 15.</li> | |||
<li>When you are done, '''restart''' the bind9 service to reload the changes.<br> | |||
<code>sudo systemctl restart bind9</code> | |||
<pre>; <<>> DiG 9. | * Note: when restarting bind, if you have any errors restarting the service this normally means you have a typo in one of your zone files. If this is the case, go through the file again in a text editor to make sure you did not add anything extra or remove anything else.</li> | ||
<li>Use the '''dig''' tool to check the MX record and see that the new priority is active. You should see something similar to the following response: | |||
<pre>; <<>> DiG 9.10.3-P4-Debian <<>> debserv-z.test MX | |||
;; global options: +cmd | ;; global options: +cmd | ||
;; Got answer: | ;; Got answer: | ||
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40128 | ||
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: | ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3 | ||
;; OPT PSEUDOSECTION: | |||
; EDNS: version: 0, flags:; udp: 4096 | |||
;; QUESTION SECTION: | ;; QUESTION SECTION: | ||
;debserv- | ;debserv-z.test. IN MX | ||
;; ANSWER SECTION: | ;; ANSWER SECTION: | ||
debserv- | debserv-Z.test. 38400 IN MX 15 mail.debserv-Z.test. | ||
;; AUTHORITY SECTION: | ;; AUTHORITY SECTION: | ||
debserv- | debserv-Z.test. 38400 IN NS 2480-Z.itc2480.campus.ihitc.net. | ||
;; ADDITIONAL SECTION: | |||
mail.debserv-Z.test. 38400 IN A 172.17.50.36 | |||
mail.debserv-Z.test. 38400 IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756 | |||
;; Query time: | ;; Query time: 0 msec | ||
;; SERVER: 127.0.0.1#53(127.0.0.1) | ;; SERVER: 127.0.0.1#53(127.0.0.1) | ||
;; WHEN: | ;; WHEN: Fri Feb 23 20:15:48 CST 2018 | ||
;; MSG SIZE rcvd: | ;; MSG SIZE rcvd: 163</pre></li> | ||
<ul>Notice how the Answer Section shows the MX record is pointed to the IP of the domain, and that the priority is set to 15.</ul> | |||
<li>Congratulations, you have now setup a functional DNS server.</li> | |||
==Checking Your Work== | |||
<ol> | |||
<li> Check the directories and files:</li> | |||
# <code>/etc/bind/named.conf.options</code> should have the ip address 172.17.139.11 saved. | |||
# <code>/etc/network/interfaces</code> should have the ip address 127.0.0.1 saved. | |||
# Your <code>/var/lib/bind/*.hosts</code> file should have a MX, CNAME, and AAAA record. | |||
<br><br> | |||
<li> Automatically check your results by running this command:</li> | |||
<code><nowiki> | |||
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_08_test.py | python3 | |||
</nowiki></code> | |||
</ol> | |||
=Web App= | |||
You can check your progress on any of the labs in the ITC-2480 course from a webapp from this link: <br> | |||
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br> | |||
You must be logged into the campus VPN to use this application. |
Latest revision as of 19:59, 3 December 2021
Introduction
In this lab you will perform the following tasks:
- Install BIND and configure as caching plus zones for a local domain
- Learn how to create domains using Webmin
- Learn how to manually edit using a zone file
You will be introduced to the following commands:
Lab Procedure
Prerequisites
- Open an SSH console to your Linux system using the PuTTY software, login with your standard user account.
- Make sure that Webmin is installed on your system.
Install BIND & Enable Caching
Video Tutorial - Installing BIND and Enabling Caching
- First you will need to install BIND. to install it, use the package manager to install bind9
- You will also want to install the dnsutils package.
- Open up /etc/bind/named.conf.options with your favorite text editor.
- You are now in the local options file for BIND. You will need to uncomment (remove the // from the front of) the following lines:
- NOTE: You will also need to replace 0.0.0.0 with 172.17.139.11 for outside DNS lookups to function correctly.
- To apply these changes, you will need to restart the BIND server with administrative permissions.
- Next, open up your interfaces file (/etc/network/interfaces) with your favorite file editor.
- Change the dns server for the primary network interface to 127.0.0.1.
- Run the command:
- Notice how it shows it is using 127.0.0.1 as the server. If you do not see this, then your interface file or resolv.conf file is not set to use the local machine for DNS lookups. Note also that the IP address returned for this domain may vary from the one shown in the output above.
- Run:
- Now would be a good time to reboot your server to ensure the DNS server network interface configuration changes remain permanent.
- Once the system reboots log back in and use nslookup or dig to verify the default nameserver being used is 127.0.0.1.
- BIND (Berkeley Internet Name Domain) is one of the available DNS server applications for Linux and the most well known and used nameserver on the Internet.
- In order to use the nslookup and dig programs for DNS testing and troubleshooting you'll need dnsutils
- Now we will need to enable DNS caching and forwarding on the BIND server. This will allow us to use it for DNS resolving locally, as well as speed up frequent DNS requests.
- The reason we setup a forwarder address is so that domain requests that are not on our system are passed to another DNS server instead of being searched against the root nameservers. You may want to do this in domain or enterprise environments as most large networks have internal domain names setup that only redirect inside of a local LAN. By using a forwarder, as long as the DNS server you push requests to is able to access those internal records, you will be able to access local content from internal domain names instead of needing to rely on IP addresses.
sudo service bind9 restart
- The change to /etc/network/interfaces will take effect if you restart your system. To avoid doing that right now you can edit the /etc/resolv.conf file so that it has only one nameserver line like nameserver 127.0.0.1 Note that unless you reboot the system it will eventually get reset back to it's prior setting by a background system process so at some point you will want to reboot your system to make the change permanent.
nslookup inverhills.edu
- If BIND is working, you should now see the following output:
dig inverhills.edu
- See if you can find where the IP address for the domain is reported in the output as well as where the server IP address is reported in the output.
sudo shutdown -r now
Create a Domain using Webmin
Video Tutorial - Create a Domain Using Webmin
Now we are going to use Webmin to create a few different type of domain records and have our system serve as a DNS server for a domain. We will utilize A (Host), AAAA (IPv6 host), MX (Mail Exchange), and CNAME (Canonical Name) records.
- Open up your Webmin panel and sign in.
- Under the Servers tab, open up BIND DNS Server, under Existing DNS Zones click Create master zone.
- Use the following options, where * is replaced by your System ID that was defined in Lab 5 (just the letter of your system, for example the domain name would be debserv-A.test if you had System ID "A").
Zone type: Forward (Names to Addresses) Domain name / Network: debserv-*.test Records file: Automatic Master server: Leave as your hostname Email address: root@debserv-*.test
- Click the create button to add the domain.
- To create our A record which points your domain to an IP address, click the Address button.
- For the Name enter @. Note: The @ symbol in DNS Zones defines the parent domain (alternatively you could re-enter the parent domain debserv-*.test. with the period at the end).
- In the address field enter your VM's static IP set in Lab 5 and click Create.
- Return to the main BIND DNS Server page. Click the Apply Configuration link (which looks like two arrows chasing each other) in the top right corner. You'll see the "Apply Configuration" text if you hover your mouse over the button.
- To test the record use nslookup or dig to lookup the domain you just created (Replace the * with your letter.)
- If you have issues looking up the domain, make sure that the system is still using 127.0.0.1 as the DNS server. If not, check your /etc/resolv.conf file.
- Now that we have BIND installed, you will need to click the Refresh Modules option on the left sidebar to have Webmin recheck the system for installed packages and services so that it will show up as an option in the Servers tab.
- From here we will create a new domain name for our server to respond to DNS queries for.
- As this point you should now be on the Edit Master Zone page. From here you can add and edit domain records for this domain name.
nslookup debserv-*.test
dig debserv-*.test
Additional DNS Record Types
Video Tutorial - Additional DNS Record Types
Now we are going to add a few more record types to our Domain. This will include an MX (Mail Exchange) and CNAME (Canonical Name) record. We will start with the MX record. MX records are used by email servers to look up where to forward email for a specific domain.
- In Webmin on the BIND DNS Server page, click the domain on the bottom named debserv-*.test and then click the Mail Server button. Under name, enter @ again, and for mail server enter mail.debserv-*.test. (with the period at the end). For Priority, enter 10.
- This entry has said we want other servers trying to send mail to users@debserv-*.test to actually send it to the server at mail.debserv-*.test which allows us to use a different server for email than we use fore web serving, etc.
- The Priority entry allows people to define more than one MX record for a name, and the order which the sending service will try to use for contacting the various mail servers at your domain.
- Go back to the domain zone overview page. Add an A record for mail.debserv-*.test which points to the IP of your system.
- Reapply configuration settings like you did in the last section of this lab using the button with the two arrows in a circle.
- To test an MX record we need to make multiple queries and ask nslookup or dig to fist check for MX records for the domain like:
- Again return to the domain zone overview page.
- On the Edit Master Zone page for your domain, click the Name Alias button. For the Name, enter blog and for the Real Name, enter your domain debserv-*.test. but remember to put a period at the end of the domain as this is an absolute name. Press create to add the record.
- Click the Apply Configuration link at the top right of the page again. This will apply the records you have created. Now back in PuTTY, run:
nslookup blog.debserv-*.test
or the equivalent dig command.
You should get a response similar to: - In Webmin under the Servers tab, select Apache Webserver. Then on the top, click the Create virtual host button and use the following configuration:
Handle Connections to Address: any address Port: 80 Document Root: /var/www/html/blog/ Server Name: blog.debserv-*.test Add virtual server to file: new file under virtual servers directory Copy directives from: nowhere
When done, press Create Now.
- When you are back at the Apache Webserver page, then click Apply Changes in the top right.
- Now in a SSH session, open up your favorite command line web browser like links and visit blog.debserv-*.test. make special note that when you enter the URL in Links you need to include the extra period at the end.
- Note that you will not be able to use this URL to access the blog from your local PC yet because your local PC isn't using your Linux server as it's DNS server and the .test domain isn't registered to your DNS server.
- Congrats, at this point you have a basic domain working with a MX, CNAME, and A record.
- Because we don't currently have an "A" (address) record for mail.debserv-*.test the mail would currently go undelivered.
nslookup -type=MX debserv-*.test
- or
dig debserv-*.test MX
- We are now going to create a CNAME record. CNAME records are useful as they allow you to create virtual A records (aliases), but point them to another domain or host name instead of to a specific IP address. This allows you to have many hostnames all pointed to the same A record which contains the actual IP address so if the IP address changes you only need to change a single A record and all the hostnames will change. It can also be used to redirect a hostname at one domain to an entirely different domain.
Server: 127.0.0.1 Address: 127.0.0.1#53 blog.debserv-*.test canonical name = debserv-*.test. Name: debserv-*.test Address: 172.17.50.XXX
- One thing we can use CNAMEs for is to create virtual web hosts in Apache that listens for the domain blog.debserv-*.test, and then forwards you directly to your blog folder instead of to our main web page.
- This is because the .test domain is not a regular TLD like .com .org etc. and the Links browser doesn't know how to handle it unless we force it as a domain name by adding the period at the end. This is not related to it being a CNAME or our Apache configuration and with a regular domain name would not be required. Notice how you are now visiting the blog directly, instead of your modified index.html file. This is because we setup a virtual host in Apache that listens for requests to the CNAME we created and points to the document root where the Wordpress software is installed.
Adding a AAAA record
Video Tutorial - Adding an AAAA Record
Now we are going to add an AAAA (IPv6 host) record to our domain. To do this, we will first need to make sure that IPv6 networking is setup in our virtual machine.
- Use
ip address show
to check the inet6 address (IPv6 Address) on the primary network interface. - Back in Webmin, under the BIND DNS Server tab, select your debserv-*.test domain from the bottom and then click the IPv6 Address button. For the name, enter @ and for the address enter your IPv6 address WITHOUT the subnet prefix (No /64 on the end).
- When done click create. Remember to click the apply configuration link in the top right to apply the changes.
- In order to verify the AAAA record is working we need to modify the nslookup or dig command to check for AAAA records instead of the default of A records. Try:
nslookup -type=AAAA debserv-*.test
and
dig debserv-*.test AAAA
to see the output from AAAA records. - Congratulations, you have now setup a dual-stack DNS records for your Debian server. This means your server is accessible from both IPv4 and IPv6 at the same name because both the A and AAAA records we created have the same host name).
- You should have an address starting with 2607:f930:1c00:50:. If you do not please check with your instructor. You will need to write down or remember this full address as we will use it in Webmin to create our AAAA record.
- It should look similar to this: 2607:f930:1c00:50:xxxx:xxxx:xxxx:xxxx.
Adding a Delegated Domain
Video Tutorial - Adding a Delegated Domain
The problem with the name we have been using so far is that it only works on the DNS server itself. This is because we didn't purchase the name and so no other nameservers know to send requests for it to our server. Normally if you purchase a domain or someone else gives you control of a subdomain it is delegated to your server meaning that other DNS servers will query your server for addresses related to that name. In order to practice this we are going to add another domain to the system, but this domain will be a delegated domain which is a subdomain of itc2480.campus.ihitc.net. Luckily we can add this to BIND the same way we added our original domain.
- In Webmin, go to Servers, then BIND DNS Server. Under Existing DNS Zones click on Create Master Zone and use the following settings:
Zone type: Forward (Names to Addresses) Domain name / Network: *.itc2480.campus.ihitc.net Records file: Automatic Master server: *.itc2480.campus.ihitc.net. Email address: root@ *.itc2480.campus.ihitc.net
- NOTE: the * stands for your System ID letter, the same as you used for the previous domain we created.
- Using webmin, create an A record for @ the same way as we did for the last domain.
- Test that the record and delegation are working correctly. This time you should be able to check from your host computer too!
- Test your setup using a web browser on your local computer
- Create an MX record for the domain which directs mail for your delegated domain to your system as well just like we did with the test domain (this will involve creating another A record for mail.*.itc2480.campus.ihitc.net as well).
- Create a CNAME record for the blog just like in the previous example (blog.*.itc2480.campus.ihitc.net' though) and create a new Apache virtual server just like in the previous example as well.
- If you need help with this step, you can review the process we did earlier. Make sure to apply your changes after adding the record.
- Windows does not include the dig command so you'll need to use nslookup on *.itc2480.campus.ihitc.net (replace the * with your System ID). Does the correct address come back?
- can you access your webserver by going to http://*.itc2480.campus.ihitc.net (where * is your hostname letter)?
- Test that the MX record and associated A record are working correctly. This time you should be able to check from your host computer too! Windows does not include the dig command so you'll need to use nslookup. Does the correct mail server name and address come back?
- Test your setup using a web browser on your local computer, can you access your blog directly by going to http://blog.*.itc2480.campus.ihitc.net (where * is your hostname letter)?
Manually editing a zone file
Video Tutorial - Manually Editing a Zone File
Lastly we are going to look at the domain zone file. While Webmin provides a nice interface to add records, all it is doing is manually adding our records to our text based zone file. When you use BIND for DNS, every domain created gets its own record file which is called the zone file. In this file all subdomains and records are stored for said domain.
- By default, the location for these records on Debian will be in /var/lib/bind, so go to that directory and list the contents.
- Now, with your favorite text editor, open up the file which corresponds to the debserv-*.test domain.
It should look similar to this:$ttl 38400 debserv-Z.test. IN SOA 2480-Z.itc2480.campus.ihitc.net. root.debserv-Z.test. ( 1519434495 10800 3600 604800 38400 ) debserv-Z.test. IN NS 2480-Z.itc2480.campus.ihitc.net. debserv-Z.test. IN A 172.17.50.36 debserv-Z.test. IN MX 10 mail.debserv-Z.test. mail.debserv-Z.test. IN A 172.17.50.36 blog.debserv-Z.test. IN CNAME debserv-z.test. debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756 mail.debserv-Z.test. IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756
- Using your text editor change the MX record settings priority from 10 to 15.
- When you are done, restart the bind9 service to reload the changes.
sudo systemctl restart bind9
- Note: when restarting bind, if you have any errors restarting the service this normally means you have a typo in one of your zone files. If this is the case, go through the file again in a text editor to make sure you did not add anything extra or remove anything else.
- Use the dig tool to check the MX record and see that the new priority is active. You should see something similar to the following response:
; <<>> DiG 9.10.3-P4-Debian <<>> debserv-z.test MX ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40128 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;debserv-z.test. IN MX ;; ANSWER SECTION: debserv-Z.test. 38400 IN MX 15 mail.debserv-Z.test. ;; AUTHORITY SECTION: debserv-Z.test. 38400 IN NS 2480-Z.itc2480.campus.ihitc.net. ;; ADDITIONAL SECTION: mail.debserv-Z.test. 38400 IN A 172.17.50.36 mail.debserv-Z.test. 38400 IN AAAA 2607:f930:1c00:50:250:56ff:feb1:8756 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Fri Feb 23 20:15:48 CST 2018 ;; MSG SIZE rcvd: 163
- Congratulations, you have now setup a functional DNS server.
- Check the directories and files:
/etc/bind/named.conf.options
should have the ip address 172.17.139.11 saved./etc/network/interfaces
should have the ip address 127.0.0.1 saved.- Your
/var/lib/bind/*.hosts
file should have a MX, CNAME, and AAAA record. - Automatically check your results by running this command:
- Notice the formatting for domain records. Each record is defined by the domain or subdomain name, IN, then the record type (like A, AAAA, NS, or MX), followed by what the record is pointed to. For this example, we want to change the MX priority from 10 to 15.
- Notice how the Answer Section shows the MX record is pointed to the IP of the domain, and that the priority is set to 15.
Checking Your Work
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_08_test.py | python3
Web App
You can check your progress on any of the labs in the ITC-2480 course from a webapp from this link:
webcheck.itc2480.campus.ihitc.net
You must be logged into the campus VPN to use this application.