OPS535 Lab 5. Dynamic DNS. RFC 2136 Dynamic Updates in the Domain Name System (DNS UPDATE)

Transcription

1 OPS535 Lab 5 Dynamic DNS Overview In this lab, you add a forward lookup zone and a reverse lookup zone to your primary DNS server and configure both zones to support dynamic updates. Dynamic DNS zone accepts updates from the command line utility nsupdate. This lab does not configure the DNS server to use secure channel for the updates. Prerequisite Complete DNS lab Reference BIND 9 Administrator Reference Manual RFC 2136 Dynamic Updates in the Domain Name System (DNS UPDATE) Man page of nsupdate (BIND 9.9) Tasks Add a new zone ddns.net to your primary DNS's /etc/named.conf and configure this zone to allow updates. Add a new zone in-addr.arpa to your primary DNS's /etc/named.conf and configure this zone to allow updates. Create the initial zone files for the ddns.net and in-addr.arpa zones. Perform dynamic DNS updates using the nsupdate command. Preparation/Background Information You must have your primary DNS server for your registered domain (e.g. ops535.net) and your

2 assigned network ( x.0/24) up and running. Your primary DNS server IP address should be x.53. In this lab, the new hosts that we are going to added to the ddns.net zone are all in the /16 network. Part 1 Add 2 new zones to your Primary DNS server 1. The following example assume that the Primary DNS server is already authoritative for the zone cp.net and in-addr.arpa. 2. Edit the main BIND configuration file /etc/named.conf to be the authoritative for the two new zones ddns.net and in-addr.arpa. Part 2 Update /etc/named.conf to allow DNS update The zone file for the new zone ddns.net is zone-ddns.net and the zone file for inaddr.arpa is zone rev. Edit the file /etc/named.conf (or /var/named/chroot/etc/named.conf if named is running under chroot). Here is the final contents: // // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // // updated on Nov 10, 2015 to make it a primary dns server // for spr500.net // options { listen-on port 53 { ; ; listen-on-v6 port 53 { ::1; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface */ recursion no; Created by: Raymond Chan Page 2 of 12

3 dnssec-enable no; dnssec-validation no; dnssec-lookaside auto; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; logging { channel default_debug { file "data/named.run"; severity dynamic; zone "cp.net" IN { type master; file "zone-cp.net"; zone "ddns.net" IN { type master; file "zone-ddns.net"; allow-update { localhost; zone " in-addr.arpa" { type master; file "zone rev"; zone " in-addr.arpa" { type master; file "zone rev"; allow-update { localhost; #include "/etc/named.rfc1912.zones"; #include "/etc/named.root.key"; Part 3 - Create the initial zone files for DNS updates Create the initial zone file zone-ddns.net and zone rev in the /var/named (or /var/named/chroot/var/named if BIND is running under chroot) directory. Both zone files are the same with the following contents: Created by: Raymond Chan Page 3 of 12

4 $TTL IN SOA pri.cp.net. root.cp.net. ( ; serial 1h ; refresh 15m ; retry 3d ; expire 10m) ; minimum IN NS pri.cp.net. Replace pri.cp.net with your Primary DNS server actual FQDN. Verify the file user owner, group owner, permission, and SELinux contexts: [root@localhost named]# ls -lz zone* -rw-r--r--. named named unconfined_u:object_r:named_zone_t:s0 zone rev -rw-r--r--. named named system_u:object_r:named_zone_t:s0 zone-ddns.net Please note that the SELinux context type for both zone files should be named_zone_t. If it is not, you can fixed it by the command chcon -t named_zone_t zone.ddns.net. Do the same for zone rev. The directory /var/named should be writable by named as shown below: [root@localhost named]# ls -ld /var/named drwxrwx root named 4096 Nov 10 23:18 /var/named Start the named service ( service named restart or systemctl restart named.service ). If it does not complain, go to part 4, otherwise check the system log file /var/log/messages for error messages. In addition to the debugging messages you may find in the system log file, you can also use the two utilities named-checkconf and named-checkzone to check for typos or syntax errors in named.conf or your zone files. Please consult the man page for named-checkconf and named-checkzone for details. Part 4 Perform dynamic DNS update with nsupdate Please study the man page for nsupdate before perform the following task. The following instruction assume the network number X is 99. Replace X with the network number assigned to you. If you have SELinux running in enforcing mode, you should check the SELinux runtime setting for named. Run the following command to get a list of SELinux boolean for named: [root@localhost named]# getsebool -a grep named named_tcp_bind_http_port --> off named_write_master_zones --> on Created by: Raymond Chan Page 4 of 12

5 If the named_write_master_zones is not on, named will not be able to create the journal file to update the master zone file. If named_write_master_zones is off, run the following command to turn it on for good: named]# setsebool -P named_write_master_zones on named]# The -P flag make the change permanent and will stay on after a system reboot. DNS Update 1: Add an A record using nsupdate. FQDN: myhost.ddns.net, IP: , TTL=300 seconds Running the following command on your Primary DNS server ( x.53): [root@localhost named]# nsupdate -d > server localhost > update add myhost.ddns.net 300 A > send Reply from SOA query: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: ;; flags: qr aa; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;myhost.ddns.net. IN SOA ;; AUTHORITY SECTION: ddns.net. 0 IN SOA pri.cp.net. root.cp.net Found zone name: ddns.net The master is: pri.cp.net Sending update to ::1#53 Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0 ;; UPDATE SECTION: myhost.ddns.net. 300 IN A Reply from update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; ZONE SECTION: ;ddns.net. IN SOA The above Reply from update query section indicate that the update was successful with a NOERROR status. All changes made to a zone using dynamic update are stored in the zone's journal file, in this case, the file will be in the /var/named directory and is called zone-ddns.net.jnl. This file is automatically Created by: Raymond Chan Page 5 of 12

6 created by the DNS server when the first dynamic update is received. Please note that the name of the journal file is formed by appending the extension.jnl to the name of the corresponding zone file. The journal file is in a binary format and can not be edited using a text editor. The server will occasionally write the updates found in the journal file to its zone file or when a server is restarted after a shutdown. Go to the /var/named directory and run the command to list the zone file and its journal file: [root@localhost named]# ls -l zone-ddns.net* -rw-r--r--. 1 named named 306 Nov 10 23:59 zone-ddns.net -rw-r--r--. 1 named named 697 Nov 10 23:47 zone-ddns.net.jnl Use the file command to check the content type of the zone file and its journal file: [root@localhost named]# file zone-ddns.net* zone-ddns.net: ASCII text zone-ddns.net.jnl: data You can cat the contents of zone-ddns.net [root@localhost named]# cat zone-ddns.net $ORIGIN. $TTL 300 ; 5 minutes ddns.net IN SOA pri.cp.net. root.cp.net. ( ; serial 3600 ; refresh (1 hour) 900 ; retry (15 minutes) ; expire (3 days) 600 ; minimum (10 minutes) ) NS pri.cp.net. $ORIGIN ddns.net. myhost A Compare and study the updated version and the original version of the zone-ddns.net file. Although you can not view the contents of the journal file using the cat command, the command line utility named-journalprint from the bind package can be used to print the contents of the journal file: [root@localhost named]# named-journalprint zone-ddns.net.jnl del ddns.net. 300 IN SOA pri.cp.net. root.cp.net add ddns.net. 300 IN SOA pri.cp.net. root.cp.net add myhost.ddns.net. 300 IN A Created by: Raymond Chan Page 6 of 12

7 DNS Update 2: Add an incorrect PTR record using nsupdate IP address: FQDN: myhost.ddns.net TTL: 7200 second Running the following command on your Primary DNS server ( x.53): named]# nsupdate -d > server > update add in-addr.arpa PTR myhost.ddns.net. > send Reply from SOA query: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: ;; flags: qr aa; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ; in-addr.arpa. IN SOA ;; AUTHORITY SECTION: in-addr.arpa. 0 IN SOA pri.cp.net. root.cp.net Found zone name: in-addr.arpa The master is: pri.cp.net Sending update to #53 Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0 ;; UPDATE SECTION: in-addr.arpa IN PTR myhost.ddns.net. Reply from update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; ZONE SECTION: ; in-addr.arpa. IN SOA Check the contents of the files zone rev and zone rev.jnl. Please note that the last octet of the IP address was missed type as 100 instead of 10. If the contents of the zone file zone rev didn't get updated, restart the named service. The contents of the zone rev' should be similar to: [root@localhost named]# cat zone rev $ORIGIN. $TTL 300 ; 5 minutes in-addr.arpa IN SOA pri.cp.net. root.cp.net. ( ; serial 3600 ; refresh (1 hour) 900 ; retry (15 minutes) ; expire (3 days) Created by: Raymond Chan Page 7 of 12

8 600 ; minimum (10 minutes) ) NS pri.cp.net. $ORIGIN in-addr.arpa. $TTL 7200 ; 2 hours PTR myhost.ddns.net. DNS Update 3: Delete a non-existence PTR record using nsupdate IP address: FQDN: myhost.ddns.net TTL: 7200 second [root@localhost named]# nsupdate -d > server > update delete in-addr.arpa. > send Reply from SOA query: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: ;; flags: qr aa; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ; in-addr.arpa. IN SOA ;; AUTHORITY SECTION: in-addr.arpa. 0 IN SOA pri.cp.net. root.cp.net Found zone name: in-addr.arpa The master is: pri.cp.net Sending update to #53 Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0 ;; UPDATE SECTION: in-addr.arpa. 0 ANY ANY Reply from update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; ZONE SECTION: ; in-addr.arpa. IN SOA There is no complain from the update query. Check the contents of the journal file. Did the delete record got in to the journal file? [root@localhost named]# named-journalprint zone rev.jnl del in-addr.arpa. 300 IN SOA pri.cp.net. root.cp.net add in-addr.arpa. 300 IN SOA pri.cp.net. root.cp.net add in-addr.arpa IN PTR myhost.ddns.net. Created by: Raymond Chan Page 8 of 12

9 DNS Update 4: Delete an PTR record using nsupdate IP address: FQDN: myhost.ddns.net TTL: 7200 second named]# nsupdate -d > server localhost > update delete in-addr.arpa. > send Reply from SOA query: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr aa; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ; in-addr.arpa. IN SOA ;; AUTHORITY SECTION: in-addr.arpa. 300 IN SOA pri.cp.net. root.cp.net Found zone name: in-addr.arpa The master is: pri.cp.net Sending update to ::1#53 Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0 ;; UPDATE SECTION: in-addr.arpa. 0 ANY ANY Reply from update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; ZONE SECTION: ; in-addr.arpa. IN SOA Check the contents of the zone file and the journal file. Do not restart the DNS server. The contents of the journal file should look like the following: [root@localhost named]# named-journalprint zone rev.jnl del in-addr.arpa. 300 IN SOA pri.cp.net. root.cp.net add in-addr.arpa. 300 IN SOA pri.cp.net. root.cp.net add in-addr.arpa IN PTR myhost.ddns.net. del in-addr.arpa. 300 IN SOA pri.cp.net. root.cp.net del in-addr.arpa IN PTR myhost.ddns.net. add in-addr.arpa. 300 IN SOA pri.cp.net. root.cp.net Study the contents of the journal file carefully. Created by: Raymond Chan Page 9 of 12

10 DNS Update 5: Add a correct PTR record using nsupdate IP address: FQDN: myhost.ddns.net TTL: 7200 second [root@localhost named]# nsupdate -d > server localhost > update add in-addr.arpa. 300 PTR myhost.ddns.net. > send Reply from SOA query: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: ;; flags: qr aa; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ; in-addr.arpa. IN SOA ;; AUTHORITY SECTION: in-addr.arpa. 0 IN SOA pri.cp.net. root.cp.net Found zone name: in-addr.arpa The master is: pri.cp.net Sending update to ::1#53 Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0 ;; UPDATE SECTION: in-addr.arpa. 300 IN PTR myhost.ddns.net. Reply from update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; ZONE SECTION: ; in-addr.arpa. IN SOA Check the contents of the zone file and its journal file. If the zone file zone rev did not get updated, restart named and check again. The contents of the zone file zone rev should look similar to: [root@localhost named]# cat zone rev $ORIGIN. $TTL 300 ; 5 minutes in-addr.arpa IN SOA pri.cp.net. root.cp.net. ( ; serial 3600 ; refresh (1 hour) 900 ; retry (15 minutes) ; expire (3 days) 600 ; minimum (10 minutes) ) NS pri.cp.net. $ORIGIN in-addr.arpa PTR myhost.ddns.net. Created by: Raymond Chan Page 10 of 12

11 The contents of the journal file zone rev.jnl should look similar to: named]# named-journalprint zone rev.jnl del in-addr.arpa. 300 IN SOA pri.cp.net. root.cp.net add in-addr.arpa. 300 IN SOA pri.cp.net. root.cp.net add in-addr.arpa IN PTR myhost.ddns.net. del in-addr.arpa. 300 IN SOA pri.cp.net. root.cp.net del in-addr.arpa IN PTR myhost.ddns.net. add in-addr.arpa. 300 IN SOA pri.cp.net. root.cp.net del in-addr.arpa. 300 IN SOA pri.cp.net. root.cp.net add in-addr.arpa. 300 IN SOA pri.cp.net. root.cp.net add in-addr.arpa. 300 IN PTR myhost.ddns.net. Part 5 verify the update with nslookup The following outputs are to be expected: [root@localhost named]# nslookup -q=a myhost.ddns.net Server: Address: #53 Name: myhost.ddns.net Address: [root@localhost named]# nslookup -q=ptr Server: Address: # in-addr.arpa Study Questions name = myhost.ddns.net. Study Questions 1. Which rpm package provides the nsupdate command line utility? 2. What does the -d option do for the nsupdate command? 3. Which RFC document defines the Dynamic DNS update protocol? 4. Could nsupdate send a dynamic DNS update to a DNS server using a non-standard port? (port 53 is DNS standard port number.) 5. What are the steps using nsupdate to add an A record for a host with FQDN linux.ddns.net IP address with a TTL of 60 seconds? 6. What are the steps using nsupdate to add a 'PTR record for the host in question 5? Created by: Raymond Chan Page 11 of 12

12 7. What are the steps using nsupdate to add a CNAME record for gnu.ddns.net that points to linux.ddns.net? 8. What are the steps using nsupdate to delete the A record created in question 5? 9. What are the steps using nsupdate to delete the PTR record created in question 6? 10. What are the steps using nsupdate to delete the CNAME record created in question 7? 11. What would happen if you try to delete a non-existence resource record (PTR, A, CNAME, MX, etc) from a dynamic DNS zone using nsupdate? 12. What would happen if you ry to add a duplicate resource record to a dynamic zone using nsupdate? Completing the Lab Copy the following script to your Primary DNS server and save it as lab5.bash. Run the script on your Primary DNS server, redirect the output to lab5-[seneca-id].txt and upload the file to blackboard by the due date. Replace [seneca-id] with your actual MySeneca name. #! /usr/bin/bash hostname date ip addr show ls -lz /var/named cat /etc/named.conf cat /var/named/zone-ddns.netnamed-journalprint /var/named/zone-ddns.net.jnl cat /var/named/zone rev named-journalprint /var/named/zone rev.jnl lab5.bash > lab5.[seneca-id].txt Created by: Raymond Chan Page 12 of 12