CIS 192 Lesson 9 Lesson Module Status Slides


CIS 192 – Lesson 9 Lesson Module Status
• Slides – draft
• Properties – done
• Flashcards
• 1st minute quiz – done
• Web Calendar summary –
• Web book pages –
• Commands – done
• Howtos –
• Skills pacing
• Lab – done
• Depot (VMs) – na


CIS 192 - Lesson 9 Quiz
Please take out a blank piece of paper, switch off your monitor, close your books, put away your notes and answer these questions:
• No quiz today since we are having a test


CIS 192 – Lesson 9 The Domain Name System
Objectives
• Install DNS
• Configure a primary and secondary nameserver
• Enable periodic zone transfers
Agenda
• No quiz today!
• Questions on previous material
• Housekeeping
• DNS Overview
• dig command
• host command
• Forward zone database
• Reverse zone database
• named.conf
• Zone transfer
• Troubleshooting
• Lab 7
• Wrap
• Test 2

Questions on previous material


CIS 192 - Lesson 9 Questions?
• Previous lesson material
• Lab assignment

Housekeeping


CIS 192 - Lesson 9
• No labs due today!
• No class next week - Spring break!
• There are two extra credit labs available:
  • X1 (permanent NIC configuration)
  • X2 (PPP)

DNS


CIS 192 - Lesson 9
Who has this IP address? Solution: use ARP to get the MAC address.
What is the IP address for this hostname? Solution: use DNS to resolve the hostname.


CIS 192 - Lesson 9 What is DNS used for? To resolve "friendly" host names into "hard to remember" IP addresses to reach remote hosts on the Internet. Either www.cabrillo.edu or 207.62.187.7 will work to reach Cabrillo's web server.


CIS 192 - Lesson 9 First, Frodo needs the MAC address of the router. This is necessary information for any packets to be sent outside the local subnet. ARP is used for this.


CIS 192 - Lesson 9 Next, Frodo sends a DNS request to the server specified in /etc/resolv.conf to resolve the name www.cabrillo.edu. The answer comes back as 207.62.187.7.


CIS 192 - Lesson 9 Finally, Frodo does a three-way handshake to start a connection with the web server.


CIS 192 - Lesson 9 And away we go getting the web page. Note that the DNS request uses UDP and port 53 on the DNS server.


CIS 192 - Lesson 9 http://www.tldp.org/HOWTO/DNS-HOWTO.html Very good DNS reference by Nicolai Langfeldt

DNS Overview

CIS 192 - Lesson 9 An Overview of Domain Name System
• Created in 1984 from the work led by Paul Mockapetris (Paul worked at the Information Sciences Institute of the University of Southern California)
• Improves the deficiencies of the /etc/hosts file (can you imagine trying to keep these files updated on every single host in the world?)
• DNS manages two databases (zones):
  • Forward lookup zones: for mapping domain names to IP addresses
  • Reverse lookup zones: for mapping IP addresses to domain names
  In reality, the DNS is a huge, global distributed database spread across all the DNS servers in the world. Each DNS server is authoritative for its own domain and maintains these forward and reverse lookup zones.
• Three components to DNS:
  • Resolver: the client side of DNS. It initiates and sequences the queries that lead to the resolution of a name into an IP address.
  • The Server:
    • Primary: also known as the master server. This server maintains a database of hostname/IP pairs for the systems it serves. This server also provides authoritative answers for these same systems.
    • Secondary: also known as a slave server. This server is identical to the primary server except it does not maintain its own database. Its data is obtained instead from the primary server. Used as backup when the primary server is down and for load balancing.
    • Caching: has no database of its own and does not obtain one from another server. Caching servers make queries on behalf of clients and cache the answers. Caching servers are used for performance reasons.
  • Database files (db.domain-name): contain the database resource records such as A records that map a hostname to an IP address, PTR records that map IP addresses to hostnames, NS records for name servers, and CNAME records for aliases.
• Supports two types of queries:
  • Recursive: provide either an answer or an error message
  • Iterative: provide either an answer or a referral to another DNS server
• Most popular implementation of DNS is Berkeley Internet Name Daemon (BIND), maintained by the Internet Software Consortium: www.isc.org. This is what we will install and configure in Lab 7.


CIS 192 - Lesson 9 The DNS Namespace
• Topmost domain in the namespace hierarchy is "."
• Top-level domains: .com, .net, .gov, .edu, .org, .us, ...
• Special domain for reverse lookups: in-addr.arpa
• Fully Qualified Domain Names read from right to left
• Name registration was handled by InterNIC; now belongs to companies for profit.
InterNIC - Internet Network Information Center. Handled domain names and IP addresses prior to 1988 before getting turned over to ICANN - Internet Corporation for Assigned Names and Numbers. ICANN accredits the domain name registrars (the companies that compete with each other and register domain names).


CIS 192 - Lesson 9 Nameless root domain referred to via "." Generic TLDs - Top Level Domains (com, edu, net, org, mil, etc.) Next level domains (e.g. hp.com, cabrillo.edu, yahoo.com, webhalks.org, etc.) source: http://en.wikipedia.org/wiki/File:Domain_name_space.svg

CIS 192 - Lesson 9 source: http://en.wikipedia.org/wiki/File:An_example_of_theoretical_DNS_recursion.svg


CIS 192 - Lesson 9 DNS Database Resource Record types:
• SOA - Start of Authority
• NS - Nameserver
• A - Address
• PTR - Pointer (for reverse lookups)
• CNAME - Aliases


CIS 192 - Lesson 9 DNS Installation and Configuration
Package names: bind, caching-nameserver
Daemon name: /usr/sbin/named
Startup script: /etc/rc.d/init.d/named start or service named start
Database files:
  /var/named.ca                 IP address of root servers
  /var/named/db.in-addr.arpa    reverse lookups
  /var/named/db.domain-name     forward lookups
Configuration files:
  /etc/named.conf      Overall configuration file
  /etc/resolv.conf     DNS server to use
  /etc/nsswitch.conf   Lookup order definition
To reload configuration files: rndc reload


CIS 192 - Lesson 9 Troubleshooting Tools for DNS
• nslookup - being phased out
• host
• dig

dig


CIS 192 - Lesson 9 dig (domain information groper) command
• Tool to interrogate DNS servers
• Performs DNS lookups and displays the answers from the DNS server queried.
• Will use the name server specified in /etc/resolv.conf unless another is specified
Syntax: dig [query options] [name to look up] [@name server to query]
Example: dig +norec +noques +nostats +nocmd simms-teach.com @ns1.dreamhost.com
Some query options:
• +[no]recurse - [do not] use recursive queries
• +[no]question - [do not] print question section when an answer is returned
• +[no]stats - [do not] print query statistics
• +[no]cmd - [do not] print dig version information
… for more, use man dig


CIS 192 - Lesson 9 An example of what life is like as a resolver doing a forward lookup using the dig command


CIS 192 - Lesson 9 dig opus.cabrillo.edu (start with root "." servers)

[root@elrond ~]# dig +norecurse +noques +nostats +nocmd opus.cabrillo.edu
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19571
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13

;; AUTHORITY SECTION:
.                       IN      NS      A.ROOT-SERVERS.NET.
.                       IN      NS      L.ROOT-SERVERS.NET.
.                       IN      NS      I.ROOT-SERVERS.NET.
.                       IN      NS      E.ROOT-SERVERS.NET.
.                       IN      NS      D.ROOT-SERVERS.NET.
.                       IN      NS      F.ROOT-SERVERS.NET.
.                       IN      NS      B.ROOT-SERVERS.NET.
.                       IN      NS      M.ROOT-SERVERS.NET.
.                       IN      NS      J.ROOT-SERVERS.NET.
.                       IN      NS      G.ROOT-SERVERS.NET.
.                       IN      NS      K.ROOT-SERVERS.NET.
.                       IN      NS      H.ROOT-SERVERS.NET.
.                       IN      NS      C.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
B.ROOT-SERVERS.NET.     3600000 IN      A       192.228.79.201
C.ROOT-SERVERS.NET.     3600000 IN      A       192.33.4.12
E.ROOT-SERVERS.NET.     3600000 IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     3600000 IN      A       192.5.5.241
F.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2f::f
G.ROOT-SERVERS.NET.     3600000 IN      A       192.112.36.4
I.ROOT-SERVERS.NET.     3600000 IN      A       192.36.148.17
J.ROOT-SERVERS.NET.     3600000 IN      A       192.58.128.30
K.ROOT-SERVERS.NET.     3600000 IN      A       193.0.14.129
K.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:7fd::1
L.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:3::42
M.ROOT-SERVERS.NET.     3600000 IN      A       202.12.27.33
M.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:dc3::35
[root@elrond ~]#

We don't get an answer, but we do get referred to a long list of root name servers we can ask (the AUTHORITY section), together with the IP addresses for these servers (the ADDITIONAL section). Pick one at random to continue.


CIS 192 - Lesson 9 dig opus.cabrillo.edu (edu. servers)

[root@elrond ~]# dig +norecurse +noques +nostats +nocmd opus.cabrillo.edu @J.ROOT-SERVERS.NET.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53616
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 8

;; AUTHORITY SECTION:
edu.                    172800  IN      NS      E.GTLD-SERVERS.NET.
edu.                    172800  IN      NS      F.GTLD-SERVERS.NET.
edu.                    172800  IN      NS      G.GTLD-SERVERS.NET.
edu.                    172800  IN      NS      L.GTLD-SERVERS.NET.
edu.                    172800  IN      NS      A.GTLD-SERVERS.NET.
edu.                    172800  IN      NS      C.GTLD-SERVERS.NET.
edu.                    172800  IN      NS      D.GTLD-SERVERS.NET.

;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET.     172800  IN      A       192.5.6.30
A.GTLD-SERVERS.NET.     172800  IN      AAAA    2001:503:a83e::2:30
C.GTLD-SERVERS.NET.     172800  IN      A       192.26.92.30
D.GTLD-SERVERS.NET.     172800  IN      A       192.31.80.30
E.GTLD-SERVERS.NET.     172800  IN      A       192.12.94.30
F.GTLD-SERVERS.NET.     172800  IN      A       192.35.51.30
G.GTLD-SERVERS.NET.     172800  IN      A       192.42.93.30
L.GTLD-SERVERS.NET.     172800  IN      A       192.41.162.30
[root@elrond ~]#

Still no answer, but we get referred to a list of generic top level domain name servers for the edu domain, with the IP addresses for the edu domain nameservers in the ADDITIONAL section. Pick one at random to continue.


CIS 192 - Lesson 9 dig opus.cabrillo.edu (cabrillo.edu. servers)

[root@elrond ~]# dig +norecurse +noques +nostats +nocmd opus.cabrillo.edu @F.GTLD-SERVERS.NET.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17333
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; AUTHORITY SECTION:
cabrillo.edu.           172800  IN      NS      buttercup.cabrillo.edu.
cabrillo.edu.           172800  IN      NS      ns1.csu.net.
cabrillo.edu.           172800  IN      NS      ns2.csu.net.

;; ADDITIONAL SECTION:
buttercup.cabrillo.edu. 172800  IN      A       207.62.187.54
ns1.csu.net.            172800  IN      A       130.150.102.100
ns2.csu.net.            172800  IN      A       130.150.102.20
[root@elrond ~]#

Still no answer, but we get referred to a list of Cabrillo name servers for the cabrillo.edu domain, with the IP addresses for the Cabrillo name servers in the ADDITIONAL section. Pick one at random to continue.


CIS 192 - Lesson 9 dig opus.cabrillo.edu (resolved)

[root@elrond ~]# dig +norecurse +noques +nostats +nocmd opus.cabrillo.edu @ns1.csu.net.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6591
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; ANSWER SECTION:
opus.cabrillo.edu.      300     IN      A       207.62.186.9

;; AUTHORITY SECTION:
cabrillo.edu.           300     IN      NS      ns1.csu.net.
cabrillo.edu.           300     IN      NS      ns2.csu.net.
cabrillo.edu.           300     IN      NS      buttercup.cabrillo.edu.

;; ADDITIONAL SECTION:
ns1.csu.net.            15219   IN      A       130.150.102.100
ns2.csu.net.            15324   IN      A       130.150.102.20
buttercup.cabrillo.edu. 300     IN      A       207.62.187.54
[root@elrond ~]#

Hooray! It worked. We got an answer!

host command


CIS 192 - Lesson 9 host command

Forward lookup
[root@elrond named]# host www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com has address 74.125.127.99
www.l.google.com has address 74.125.127.103
www.l.google.com has address 74.125.127.104
www.l.google.com has address 74.125.127.147

Reverse lookup
[root@elrond named]# host 74.125.127.99
99.127.125.74.in-addr.arpa domain name pointer pz-in-f99.google.com.
[root@elrond named]#

Note the structure of the IP address "hostname" (reverse order with the top of the tree on the right and the leaves to the left)

forward lookup zone database

CIS 192 - Lesson 9 Zone file (forward lookup zone)

[root@elrond ~]# cat /var/named/db.rivendell
$TTL 604800
; Rivendell Zone Definition
;
;
Rivendell.      IN      SOA     elrond.rivendell. root.rivendell. (
                        2009040304      ; serial number
                        60              ; refresh rate in seconds
                        15              ; retry in seconds
                        1209600         ; expire in seconds
                        300 )           ; minimum in seconds
;
; Name Server Records
Rivendell.      IN      NS      elrond.rivendell.
;
; Address Records
localhost       IN      A       127.0.0.1
legolas         IN      A       192.168.2.105
elrond          IN      A       192.168.2.107
galadriel       IN      A       192.168.2.108
william         IN      A       192.168.2.114
;
; CNAME records
[root@elrond ~]#

Walking through the fields of this zone file:
• $TTL = Time to live. How long a DNS record from this zone should be cached. The longer the TTL value, the faster repeated lookups resolve, because cached answers are reused for longer. Examples: $TTL 86400, 1440m, 24h, 1d
• Rivendell. - the primary domain name
• IN - class of the zone (IN = Internet)
• SOA - record type, Start of Authority
• elrond.rivendell. - the primary DNS server for this zone
• root.rivendell. - the email address of the person/authority in charge. Note the "@" is replaced by a "."
• Serial number, typically YYYYMMDDNN. Must be updated to a larger number whenever the zone file is updated or the changes will be ignored by BIND
• Refresh rate - how often the secondary server should poll the primary to refresh its data. It is set to only 60 seconds for Lab 7 so we can see zone transfers happen quickly.
• Retry - a value, typically an hour or less, after which the secondary server should repeat an update request if the primary failed to respond.
• Expire - in the case where the secondary server can no longer reach the primary, this is the amount of time the zone information can be used. Secondary servers will stop responding to requests for this zone once the data has expired. A successful refresh (a zone update) will reset the timers and the cycle will begin again.
• Minimum - how long a nonauthoritative server should cache an entry in case of failed lookups
• NS (Name Server) records indicate the authoritative name servers for this zone. Public domains are required to have at least two name servers. Private domains may have just one.
• Each A record matches a hostname with an IPv4 address.

reverse lookup zone database

CIS 192 - Lesson 9 Zone file (reverse lookup zone)

[root@elrond named]# cat db.2.168.192
$TTL 86400
; 192.168.2.* Reverse Zone Definition
;
2.168.192.in-addr.arpa. IN      SOA     elrond.rivendell. root.rivendell. (
                        2009040311      ; Serial
                        60              ; Refresh
                        15              ; Retry
                        3600000         ; Expire
                        86400 )         ; Minimum
;
; Name Server Records
;
2.168.192.in-addr.arpa. IN      NS      elrond.rivendell.
;
; Address Records
105     IN      PTR     legolas.rivendell.
107     IN      PTR     elrond.rivendell.
108     IN      PTR     galadriel.rivendell.
114     IN      PTR     william.rivendell.
[root@elrond named]#

Note the use of PTR records to match the final portion of the IP address to a host name
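A forward zone and its reverse zone drift apart easily (a host gets an A record but no PTR, or a PTR that names a different host), so the check below cross-checks the two Rivendell zone files from these slides and also compares SOA serials the way a secondary does. This is an added example, not code from the CIS 192 lesson; the zone text is a constructed copy of the slides' files, and the parser assumes every record line carries its own owner name, as they do here.

```python
# Added example (not from the CIS 192 slides): cross-check the lesson's
# forward zone (db.rivendell) against its reverse zone (db.2.168.192).
# Assumes every record line carries its own owner name, as on the slides.

# Constructed copies of the two zone files shown in the lesson.
FORWARD_ZONE = """\
$TTL 604800
rivendell.  IN SOA elrond.rivendell. root.rivendell. (
            2009040304 ; serial number
            60         ; refresh rate in seconds
            15         ; retry in seconds
            1209600    ; expire in seconds
            300 )      ; minimum in seconds
rivendell.  IN NS elrond.rivendell.
localhost   IN A 127.0.0.1
legolas     IN A 192.168.2.105
elrond      IN A 192.168.2.107
galadriel   IN A 192.168.2.108
william     IN A 192.168.2.114
"""
REVERSE_ZONE = """\
$TTL 86400
2.168.192.in-addr.arpa. IN SOA elrond.rivendell. root.rivendell. (
            2009040311 ; Serial
            60         ; Refresh
            15         ; Retry
            3600000    ; Expire
            86400 )    ; Minimum
2.168.192.in-addr.arpa. IN NS elrond.rivendell.
105 IN PTR legolas.rivendell.
107 IN PTR elrond.rivendell.
108 IN PTR galadriel.rivendell.
114 IN PTR william.rivendell.
"""

def _logical_lines(text):
    """Drop ';' comments and join a parenthesised SOA into one logical line."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            out.append(" ".join(buf))
            buf = []
    return out

def parse_zone(text, origin):
    """Return (soa_serial, [(owner_fqdn, type, rdata), ...]); relative owners
    are qualified with origin and the class field (IN) is optional."""
    serial, records = None, []
    for line in _logical_lines(text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0].startswith("$"):
            continue  # $TTL and similar directives hold no records
        owner, rest = tokens[0], tokens[1:]
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), rest[1:]
        fqdn = (owner if owner.endswith(".") else f"{owner}.{origin}").lower()
        if rtype == "SOA":
            serial = int(rdata[2])  # mname rname serial refresh retry expire minimum
        else:
            records.append((fqdn, rtype, " ".join(rdata).lower()))
    return serial, records

def reverse_name(ip):
    """Owner name of an IPv4 address under in-addr.arpa (octets reversed)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def serial_is_dated(serial):
    """True when the serial follows the YYYYMMDDNN convention from the slides."""
    s = str(serial)
    if len(s) != 10:
        return False
    year, month, day = int(s[:4]), int(s[4:6]), int(s[6:8])
    return 1970 <= year <= 2099 and 1 <= month <= 12 and 1 <= day <= 31

def serial_gt(new, old):
    """RFC 1982 serial comparison (mod 2**32): how a secondary decides whether
    the primary's SOA serial is newer than the copy it already holds."""
    new, old = new % 2**32, old % 2**32
    return (old < new and new - old < 2**31) or (old > new and old - new > 2**31)

def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Compare A records in the forward zone with PTR records in the reverse
    zone; only addresses inside rev_origin are expected to have a PTR."""
    fserial, frecs = parse_zone(fwd_text, fwd_origin)
    rserial, rrecs = parse_zone(rev_text, rev_origin)
    a_by_rev = {reverse_name(rd): owner for owner, t, rd in frecs if t == "A"}
    ptr_by_rev = {owner: rd for owner, t, rd in rrecs if t == "PTR"}
    return {
        "forward_serial_dated": serial_is_dated(fserial),
        "reverse_serial_dated": serial_is_dated(rserial),
        "a_without_ptr": sorted(a_by_rev[n] for n in a_by_rev
                                if n.endswith(rev_origin) and n not in ptr_by_rev),
        "ptr_without_a": sorted(n for n in ptr_by_rev if n not in a_by_rev),
        "ptr_name_mismatch": sorted((n, a_by_rev[n], ptr_by_rev[n]) for n in a_by_rev
                                    if n in ptr_by_rev and ptr_by_rev[n] != a_by_rev[n]),
    }
```

Running check_zones on the slides' two files reports no drift; adding a host to only one of the zones makes it show up in a_without_ptr or ptr_without_a.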

named.conf

CIS 192 - Lesson 9 [root@elrond named]# cat /etc/named. conf This is where the

CIS 192 - Lesson 9 [root@elrond named]# cat /etc/named. conf This is where the zone options { database files reside directory "/var/named"; /* * If there is a firewall between you and nameservers you want * to talk to, you might need to uncomment the query-source * directive below. Previous versions of BIND always asked * questions using port 53, but BIND 8. 1 uses an unprivileged * port by default. */ // query-source address * port 53; }; // // a caching only nameserver config // controls { inet 127. 0. 0. 1 allow { localhost; } keys { rndckey; }; }; zone ". " IN { type hint; file "named. ca"; }; The hints are really the IP addresses of all the top level root name servers 60


CIS 192 - Lesson 9

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

zone "rivendell" IN {
        type master;
        file "db.rivendell";
        allow-update { none; };
};

zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "db.2.168.192";
        allow-update { none; };
};

// A key file needs to be referenced for use by rndc.
include "/etc/rndc.key";
[root@elrond named]#

In Lab 7 you will set up forward and reverse zones for the Rivendell domain. allow-update { none; } refuses dynamic updates, but nothing here restricts zone transfers: as written, any host that can reach port 53 on elrond can request an AXFR of either Rivendell zone and enumerate every hostname in it. Add an allow-transfer statement listing only the secondary's address (192.168.2.105) to both zones, or set a global allow-transfer of none in options and grant it per zone. 61
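A check for the transfer-ACL gap noted above, as an added example that is not part of the lesson slides or of BIND's own tooling: it scans a named.conf and lists every master zone that can be pulled by anyone. LAB_CONF is a constructed copy of the /etc/named.conf shown above with the long comment removed; HARDENED_CONF is the same file with transfers limited to the secondary legolas (192.168.2.105, the address the lab gives it) and NOTIFY enabled. The 192.168.2.105 address and the use of notify are assumptions carried over from the lab's own addressing.

```shell
#!/bin/sh
# Added example (not from the CIS 192 deck): list master zones in a
# named.conf that carry no allow-transfer restriction, i.e. zones anyone can
# AXFR. Both configurations below are constructed for this example.

LAB_CONF='options {
        directory "/var/named";
        // query-source address * port 53;
};
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN { type hint; file "named.ca"; };
zone "localhost" IN { type master; file "localhost.zone"; allow-update { none; }; };
zone "0.0.127.in-addr.arpa" IN { type master; file "named.local"; allow-update { none; }; };
zone "rivendell" IN {
        type master;
        file "db.rivendell";
        allow-update { none; };
};
zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "db.2.168.192";
        allow-update { none; };
};
include "/etc/rndc.key";'

HARDENED_CONF='options {
        directory "/var/named";
        allow-transfer { none; };        // default: nobody may pull a zone
        notify yes;                      // tell the NS hosts when a serial changes
};
zone "." IN { type hint; file "named.ca"; };
zone "localhost" IN { type master; file "localhost.zone"; allow-update { none; }; };
zone "0.0.127.in-addr.arpa" IN { type master; file "named.local"; allow-update { none; }; };
zone "rivendell" IN {
        type master;
        file "db.rivendell";
        allow-update { none; };
        allow-transfer { 192.168.2.105; };   // legolas only
};
zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "db.2.168.192";
        allow-update { none; };
        allow-transfer { 192.168.2.105; };
};
include "/etc/rndc.key";'

# open_transfer_zones CONF_TEXT
# Prints, one per line, every "type master" zone without an allow-transfer
# of its own, unless the options block carries a global one (a zone-level
# statement overrides the global one, so "none" globally plus per-zone grants
# is the safe shape). Brace counting handles one-line and multi-line zone
# statements; it checks that an ACL exists, not what it contains.
open_transfer_zones() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*options[ \t]*[{]/ { in_opt = 1; depth = 0 }
    in_opt {
      if ($0 ~ /allow-transfer/) global_acl = 1
      depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}")
      if (depth <= 0) in_opt = 0
      next
    }
    /^[ \t]*zone[ \t]+"/ {
      name = $2; gsub(/"/, "", name)
      in_zone = 1; depth = 0; master = 0; acl = 0
    }
    in_zone {
      if ($0 ~ /type[ \t]+master/) master = 1
      if ($0 ~ /allow-transfer/) acl = 1
      depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}")
      if (depth <= 0) { if (master && !acl) open = open name "\n"; in_zone = 0 }
    }
    END { if (!global_acl) printf "%s", open }'
}

# Usage: the lab configuration leaves four zones transferable by anyone,
# the hardened one none.
open_transfer_zones "$LAB_CONF"
```

After editing the real file run named-checkconf, then rndc reload, and confirm from a host other than the secondary that dig @192.168.2.107 rivendell AXFR now reports "Transfer failed." rather than printing the zone.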

Zone transfer 62


CIS 192 - Lesson 9 Zone transfer

The secondary server does this to obtain the zone databases from the primary server. When its refresh timer expires it asks the primary for the zone's SOA record (UDP port 53); if the serial number there is higher than the one in its own copy, it pulls the whole zone with an AXFR request over TCP port 53. 63


CIS 192 - Lesson 9 A successful zone transfer

[Diagram: request from the secondary, response from the primary carrying the zone records]

/var/log/messages:
Apr  6 07:30:59 legolas named[16429]: zone rivendell/IN: Transfer started.
Apr  6 07:30:59 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: connected using 192.168.2.105#46736
Apr  6 07:30:59 legolas named[16429]: zone rivendell/IN: transferred serial 2009040309
Apr  6 07:30:59 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: end of transfer

"connected using 192.168.2.105#46736" is the secondary's TCP connection from an ephemeral port to port 53 on the primary. "transferred serial 2009040309" is the serial the secondary now holds; it will not transfer again until the primary's serial is greater than that. 64

DNS Troubleshooting 65


CIS 192 - Lesson 9 Lab 7 Troubleshooting

Problem: primary to secondary transfer failing

From /var/log/messages:
Apr  6 06:39:33 legolas named[16429]: zone rivendell/IN: Transfer started.
Apr  6 06:39:33 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: connected using 192.168.2.105#54165
Apr  6 06:39:33 legolas named[16429]: dumping primary file: tmp.UjD7J9kLlr: open: permission denied
Apr  6 06:39:33 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: failed while receiving responses: permission denied
Apr  6 06:39:33 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: end of transfer

Diagnosis: the connection to the primary succeeded and records were arriving; what failed is named on the secondary creating the temporary file into which it writes the transferred zone. named runs as the unprivileged named user, and the directory it was told to write into is not writable by that user (and, with SELinux enforcing, not labelled for it either).

Solution: enable named to create new files on the secondary:
1. Run lokkit on the secondary and change the SELinux setting from Enforcing to Permissive
2. Use chmod 770 /var/named on the secondary

Keeping SELinux enforcing is the better fix: point the secondary zone's file statement at the slaves subdirectory (slaves/db.rivendell), which the Red Hat targeted policy already allows named to write, and leave /var/named itself read-only for named. 66


CIS 192 - Lesson 9 Lab 7 Troubleshooting

Problem: primary to secondary transfer failing

From /var/log/messages:
Apr  6 07:01:15 legolas named[16429]: zone rivendell/IN: refresh: retry limit for master 192.168.2.107#53 exceeded (source 0.0.0.0#0)
Apr  6 07:01:15 legolas named[16429]: zone rivendell/IN: Transfer started.
Apr  6 07:01:15 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: failed to connect: host unreachable
Apr  6 07:01:15 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: end of transfer

Diagnosis: the secondary's SOA refresh queries (UDP 53) went unanswered until the retry limit was hit, and its transfer connection (TCP 53) was turned away outright. "host unreachable" is exactly what a REJECT with icmp-host-prohibited on the primary produces, so the firewall on the primary is blocking the secondary.

Solution:
1. Run lokkit on the primary and disable the firewall, or
2. Open port 53 on the primary for both UDP (queries and the SOA refresh) and TCP (the transfer itself). Opening UDP alone lets the refresh succeed but leaves the AXFR connection failing with the same message. 67
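The two failures above and the success on the earlier slide differ only in a few words of the log, so here is a small triage filter for the secondary's /var/log/messages, as an added example that is not part of the lesson slides. SAMPLE_LOG is a constructed copy of the lines shown on these slides; in practice pipe in the output of grep 'named\[' /var/log/messages.

```shell
#!/bin/sh
# Added example (not from the CIS 192 deck): classify named's zone-transfer
# messages on the secondary. SAMPLE_LOG is a constructed copy of the lines
# shown on the slides.

SAMPLE_LOG="Apr  6 06:39:33 legolas named[16429]: zone rivendell/IN: Transfer started.
Apr  6 06:39:33 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: connected using 192.168.2.105#54165
Apr  6 06:39:33 legolas named[16429]: dumping primary file: tmp.UjD7J9kLlr: open: permission denied
Apr  6 06:39:33 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: failed while receiving responses: permission denied
Apr  6 06:39:33 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: end of transfer
Apr  6 07:01:15 legolas named[16429]: zone rivendell/IN: refresh: retry limit for master 192.168.2.107#53 exceeded (source 0.0.0.0#0)
Apr  6 07:01:15 legolas named[16429]: zone rivendell/IN: Transfer started.
Apr  6 07:01:15 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: failed to connect: host unreachable
Apr  6 07:01:15 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: end of transfer
Apr  6 07:30:59 legolas named[16429]: zone rivendell/IN: Transfer started.
Apr  6 07:30:59 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: connected using 192.168.2.105#46736
Apr  6 07:30:59 legolas named[16429]: zone rivendell/IN: transferred serial 2009040309
Apr  6 07:30:59 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: end of transfer"

# triage_transfers < log
# Emits one line per transfer attempt, keyed on the "Transfer started."
# marker:  TIME ZONE PRIMARY RESULT   where RESULT is
#   ok SERIAL     the zone was transferred and SERIAL is what the secondary holds
#   write-denied  TCP session fine, named could not write the zone file
#                 (directory permissions or SELinux on the secondary)
#   no-connect    TCP 53 on the primary refused or filtered: firewall on the primary
#   unknown       ended without a recognised outcome
# A preceding "refresh: retry limit ... exceeded" means the SOA query on
# UDP 53 got no answer either, which points at the firewall, not at named.
triage_transfers() {
  awk '
    { stamp = $1 " " $2 " " $3 }
    /Transfer started\./ {
      zone = $(NF-2); sub(/:$/, "", zone)
      result = "unknown"; primary = "?"
      next
    }
    /transfer of .* from / {
      for (i = 1; i <= NF; i++) if ($i == "from") { primary = $(i+1); sub(/:$/, "", primary) }
    }
    /failed to connect/   { result = "no-connect" }
    /permission denied/   { result = "write-denied" }
    /transferred serial/  { result = "ok " $NF }
    /end of transfer/     { print stamp, zone, primary, result }
  '
}

# Usage: the three attempts on the slides, one line each.
printf '%s\n' "$SAMPLE_LOG" | triage_transfers
```

Once the secondary reports ok, the same check from the other direction is dig @192.168.2.107 rivendell AXFR run on the secondary: if that prints the zone while named still logs failures, the problem is on the secondary's side (file permissions, SELinux), not the network.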


CIS 192 - Lesson 9 Zone transfer failing when blocked by firewall on primary 68

Lab 7 69


CIS 192 - Lesson 9 Lab 7 http://simms-teach.com/docs/cis192lab07.pdf 70

Wrap 71


CIS 192 - Lesson 9

New commands, daemons:
named         DNS daemon
host          For testing DNS information
dig           For testing DNS information
nslookup      Being phased out
rndc reload   Reload DNS configuration files

Configuration files:
/etc/named.conf
/var/named/*
/etc/resolv.conf
/etc/nsswitch.conf
/etc/hosts 72


CIS 192 – Lesson 9 Next Class (after Spring Break)

Assignment: Check Calendar Page http://simms-teach.com/cis192calendar.php

Lab 7 due

Quiz questions for next class:
• What two packages must be installed to set up a name server with caching?
• What is the purpose of a PTR record?
• How does the serial number affect zone transfers? 73

Test 2 Open book, notes, computer 74

Backup 75


CIS 192 - Lesson 9 Classroom Static IP addresses for VM's

Station      IP             Static 1
Instructor   172.30.1.100   172.30.1.125
Station-01   172.30.1.101   172.30.1.126
Station-02   172.30.1.102   172.30.1.127
Station-03                  172.30.1.128
Station-04                  172.30.1.129
Station-05                  172.30.1.130
Station-06                  172.30.1.131
Station-07                  172.30.1.132
Station-08                  172.30.1.133
Station-09                  172.30.1.134
Station-10                  172.30.1.135
Station-11                  172.30.1.136
Station-12                  172.30.1.137
Station-13                  172.30.1.138
Station-14                  172.30.1.139
Station-15                  172.30.1.140
Station-16                  172.30.1.141
Station-17                  172.30.1.142
Station-18                  172.30.1.143
Station-19                  172.30.1.144
Station-20                  172.30.1.145
Station-21                  172.30.1.146
Station-22                  172.30.1.147
Station-23                  172.30.1.148
Station-24                  172.30.1.149

Note the static IP address for your station to use in the next class exercise


CIS 192 - Lesson 9 Classroom DHCP IP allocation pools table by station number

Station      IP             Start          End
01           172.30.1.101   172.30.1.50    172.30.1.54
02           172.30.1.102   172.30.1.55    172.30.1.59
03           172.30.1.103   172.30.1.60    172.30.1.64
04           172.30.1.104   172.30.1.65    172.30.1.69
05           172.30.1.105   172.30.1.70    172.30.1.74
06           172.30.1.106   172.30.1.75    172.30.1.79
07           172.30.1.107   172.30.1.80    172.30.1.84
08           172.30.1.108   172.30.1.85    172.30.1.89
09           172.30.1.109   172.30.1.90    172.30.1.94
10           172.30.1.110   172.30.1.95    172.30.1.99
11           172.30.1.111   172.30.1.200   172.30.1.204
12           172.30.1.112   172.30.1.205   172.30.1.209
13           172.30.1.101   172.30.1.210   172.30.1.214
14           172.30.1.102   172.30.1.215   172.30.1.219
15           172.30.1.103   172.30.1.220   172.30.1.224
16           172.30.1.104   172.30.1.225   172.30.1.229
17           172.30.1.105   172.30.1.230   172.30.1.234
18           172.30.1.106   172.30.1.235   172.30.1.239
19           172.30.1.107   172.30.1.240   172.30.1.244
20           172.30.1.108   172.30.1.245   172.30.1.249
21           172.30.1.109   172.30.1.250   172.30.1.254
22           172.30.1.110                  172.30.1.34
23           172.30.1.111   172.30.1.35    172.30.1.39
24           172.30.1.112   172.30.1.20    172.30.1.44
Instructor   172.30.1.100   172.30.1.45    172.30.1.49

Use these pools of addresses based on your station number to avoid conflicts on the classroom network


[Network diagram: Shire (Outside, 172.30.4.0/24) and Rivendell (Inside, 192.168.2.8/30); Frodo as client (eth0, dhcp), Arwen as gateway (.10 and .9 on its two interfaces), Elrond as server, with the Internet reached through eth2 (.1xx / .1xy). A second panel repeats the layout with Jin as gateway (.108) and Sun as client. 78]


CIS 192 - Lesson 9 [Worksheet: steps 1 through 14, columns Client and Server, fields IP: and Port: 79]


[Network diagram: snickers (DHCP, DNS), buttercup (207.62.187.54) and nosmo on the Internet side; Shire 172.30.N.0/24, Rivendell 192.168.2.0/24 and Mordor 192.168.3.0/24; clients frodo, william and sauron; elrond as DHCP server (eth0 .1XX), legolas as DHCP relay agent (.150); a DHCP reservation on Mordor. 80]


CIS 192 - Lesson 9 dig simms-teach.com (com. servers)

[root@elrond ~]# dig +norec +noques +nostats +nocmd simms-teach.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16548
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; AUTHORITY SECTION:
com.                    172798  IN      NS      G.GTLD-SERVERS.NET.
com.                    172798  IN      NS      M.GTLD-SERVERS.NET.
com.                    172798  IN      NS      K.GTLD-SERVERS.NET.
com.                    172798  IN      NS      A.GTLD-SERVERS.NET.
com.                    172798  IN      NS      C.GTLD-SERVERS.NET.
com.                    172798  IN      NS      L.GTLD-SERVERS.NET.
com.                    172798  IN      NS      J.GTLD-SERVERS.NET.
com.                    172798  IN      NS      H.GTLD-SERVERS.NET.
com.                    172798  IN      NS      B.GTLD-SERVERS.NET.
com.                    172798  IN      NS      I.GTLD-SERVERS.NET.
com.                    172798  IN      NS      E.GTLD-SERVERS.NET.
com.                    172798  IN      NS      F.GTLD-SERVERS.NET.
com.                    172798  IN      NS      D.GTLD-SERVERS.NET.

NS = name server record, listing the servers authoritative for a zone. IN = the Internet class. With recursion switched off (+norec) the local caching server hands back the closest referral it has cached, here the com. servers; the absence of the aa flag shows this is not an authoritative answer. 81


CIS 192 - Lesson 9 dig simms-teach.com (simms-teach.com. servers)

[root@elrond ~]# dig +norec +noques +nostats +nocmd simms-teach.com @A.GTLD-SERVERS.NET.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40276
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; AUTHORITY SECTION:
simms-teach.com.        172800  IN      NS      ns1.dreamhost.com.
simms-teach.com.        172800  IN      NS      ns2.dreamhost.com.
simms-teach.com.        172800  IN      NS      ns3.dreamhost.com.

;; ADDITIONAL SECTION:
ns1.dreamhost.com.      172800  IN      A       66.33.206
ns2.dreamhost.com.      172800  IN      A       208.96.10.221
ns3.dreamhost.com.      172800  IN      A       66.33.216
[root@elrond ~]# 82


CIS 192 - Lesson 9 dig simms-teach.com (ANSWER section received)

[root@elrond ~]# dig +norec +noques +nostats +nocmd simms-teach.com @ns1.dreamhost.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60986
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
simms-teach.com.        14400   IN      A       208.113.161.13

[root@elrond ~]# ping -c 2 simms-teach.com
PING simms-teach.com (208.113.161.13) 56(84) bytes of data.
64 bytes from apache2-zoo.nehi.dreamhost.com (208.113.161.13): icmp_seq=1 ttl=56 time=26.1 ms
64 bytes from apache2-zoo.nehi.dreamhost.com (208.113.161.13): icmp_seq=2 ttl=56 time=25.9 ms

--- simms-teach.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 25.973/26.078/26.184/0.192 ms
[root@elrond ~]# 83


CIS 192 - Lesson 9 An example of what it is like to be a resolver doing a reverse lookup using the dig command 84


CIS 192 - Lesson 9 dig 9.186.62.207.in-addr.arpa

[root@elrond ~]# dig +norecurse +noques +nostats +nocmd 9.186.62.207.in-addr.arpa
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26350
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 5

;; AUTHORITY SECTION:
.                       518387  IN      NS      I.ROOT-SERVERS.NET.
.                       518387  IN      NS      C.ROOT-SERVERS.NET.
.                       518387  IN      NS      E.ROOT-SERVERS.NET.
.                       518387  IN      NS      F.ROOT-SERVERS.NET.
.                       518387  IN      NS      K.ROOT-SERVERS.NET.
.                       518387  IN      NS      A.ROOT-SERVERS.NET.
.                       518387  IN      NS      L.ROOT-SERVERS.NET.
.                       518387  IN      NS      H.ROOT-SERVERS.NET.
.                       518387  IN      NS      M.ROOT-SERVERS.NET.
.                       518387  IN      NS      B.ROOT-SERVERS.NET.
.                       518387  IN      NS      G.ROOT-SERVERS.NET.
.                       518387  IN      NS      D.ROOT-SERVERS.NET.
.                       518387  IN      NS      J.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     604782  IN      A       198.41.0.4
A.ROOT-SERVERS.NET.     604787  IN      AAAA    2001:503:ba3e::2:30
E.ROOT-SERVERS.NET.     604782  IN      A       192.203.230.10
M.ROOT-SERVERS.NET.     604782  IN      A       202.12.27.33
M.ROOT-SERVERS.NET.     604782  IN      AAAA    2001:dc3::35
[root@elrond ~]# 85


CIS 192 - Lesson 9 dig 9.186.62.207.in-add.arpa

[root@elrond ~]# dig +norecurse +noques +nostats +nocmd 9.186.62.207.in-addr.arpa @A.ROOT-SERVERS.NET.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12044
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 0

;; AUTHORITY SECTION:
207.in-addr.arpa.       86400   IN      NS      X.ARIN.NET.
207.in-addr.arpa.       86400   IN      NS      BASIL.ARIN.NET.
207.in-addr.arpa.       86400   IN      NS      HENNA.ARIN.NET.
207.in-addr.arpa.       86400   IN      NS      Y.ARIN.NET.
207.in-addr.arpa.       86400   IN      NS      CHIA.ARIN.NET.
207.in-addr.arpa.       86400   IN      NS      DILL.ARIN.NET.
207.in-addr.arpa.       86400   IN      NS      Z.ARIN.NET.
207.in-addr.arpa.       86400   IN      NS      INDIGO.ARIN.NET.
[root@elrond ~]# 86


CIS 192 - Lesson 9 dig 9.186.62.207.in-addr.arpa

[root@elrond ~]# dig +norecurse +noques +nostats +nocmd 9.186.62.207.in-addr.arpa @BASIL.ARIN.NET.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56550
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; AUTHORITY SECTION:
62.207.in-addr.arpa.    86400   IN      NS      ns2.csu.net.
62.207.in-addr.arpa.    86400   IN      NS      ns1.csu.net.
[root@elrond ~]# 87


CIS 192 - Lesson 9 dig 9.186.62.207.in-addr.arpa

[root@elrond ~]# dig +norecurse +noques +nostats +nocmd 9.186.62.207.in-addr.arpa @ns1.csu.net
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58855
;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
186.62.207.in-addr.arpa. 28800  IN      SOA     buttercup.cabrillo.edu. hostmaster.cabrillo.edu. 2004062137 3600 1800 604800 28800
[root@elrond ~]#

This is the end of the walk, not another referral. The aa flag says ns1.csu.net is authoritative for 186.62.207.in-addr.arpa, and an SOA in the AUTHORITY section with an empty ANSWER section is the authoritative "no such record" reply (NOERROR with no data): there is simply no PTR for 207.62.186.9. The reverse tree was delegated one octet at a time: 207 to ARIN's servers, 62.207 to csu.net, and 186.62.207 is served by ns1.csu.net with buttercup.cabrillo.edu named as the zone's primary in the SOA. 88
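The referral-following loop the four slides above perform by hand, as an added example that is not part of the lesson slides or of dig itself. It comes in two pieces: classify_response, which reads one dig reply and says whether it is an answer, a referral (and to whom), an authoritative no-data reply like the one above, or NXDOMAIN; and walk, which uses it to repeat dig +norecurse from a root server until an answer arrives. classify_response runs offline on the constructed, abridged copies of the slide outputs included below; walk needs dig and network access. The choice of A.ROOT-SERVERS.NET as starting point is an assumption; any entry from named.ca works.

```shell
#!/bin/sh
# Added example (not from the CIS 192 deck): iterative resolution with dig,
# split into an offline response classifier and a network-using walker.
# The sample replies are constructed, trimmed copies of the slide outputs.

ROOT_SERVER=A.ROOT-SERVERS.NET   # any root server listed in named.ca will do

# classify_response TEXT -> prints one of:
#   answer | referral NS | nodata | nxdomain | empty
# No ANSWER section plus NS records in AUTHORITY is a referral (the first NS
# is printed so the caller can query it next). An SOA in AUTHORITY together
# with the aa flag is the authoritative "no such record" reply, which is
# what ns1.csu.net returned for 9.186.62.207.in-addr.arpa. NXDOMAIN in the
# header means the name itself does not exist.
classify_response() {
  printf '%s\n' "$1" | awk '
    /^;; ->>HEADER<<-/ && /status: NXDOMAIN/ { status = "nxdomain" }
    /^;; flags:/ && / aa[ ;]/                 { aa = 1 }
    /^;; ANSWER SECTION:/                     { have_answer = 1 }
    /^;; AUTHORITY SECTION:/                  { in_auth = 1; next }
    /^;;/ || /^$/                             { in_auth = 0 }
    in_auth && $4 == "NS" && ns == ""         { ns = $5 }
    in_auth && $4 == "SOA"                    { soa = 1 }
    END {
      if (have_answer)       print "answer"
      else if (status != "") print status
      else if (soa && aa)    print "nodata"
      else if (ns != "")     print "referral", ns
      else                   print "empty"
    }'
}

# walk NAME [TYPE] -> starts at a root server and follows referrals, printing
# each hop the way the slides do; stops at an answer, a negative reply, or
# after ten hops. Requires dig and the network.
walk() {
  name=$1; type=${2:-A}; server=$ROOT_SERVER; hops=0
  while [ "$hops" -lt 10 ]; do
    hops=$((hops + 1))
    reply=$(dig +norecurse +noques +nostats +nocmd "$name" "$type" "@$server")
    verdict=$(classify_response "$reply")
    echo "$server -> $verdict"
    case $verdict in
      referral\ *) server=${verdict#* } ;;
      answer)      printf '%s\n' "$reply" | sed -n '/^;; ANSWER SECTION:/,/^$/p'; return 0 ;;
      *)           return 1 ;;
    esac
  done
  echo "too many referrals" >&2; return 1
}

# Constructed samples, abridged from the slides:
REFERRAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12044
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 0

;; AUTHORITY SECTION:
207.in-addr.arpa.       86400   IN      NS      X.ARIN.NET.
207.in-addr.arpa.       86400   IN      NS      BASIL.ARIN.NET.'

NODATA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58855
;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
186.62.207.in-addr.arpa. 28800  IN      SOA     buttercup.cabrillo.edu. hostmaster.cabrillo.edu. 2004062137 3600 1800 604800 28800'

ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60986
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
simms-teach.com.        14400   IN      A       208.113.161.13'

# Usage: classify the three sample replies; "walk simms-teach.com" does the
# live version.
for sample in "$REFERRAL" "$NODATA" "$ANSWER"; do classify_response "$sample"; done
```

walk follows only the first NS of each referral and never retries, which is fine for a classroom walk; a production resolver tries the others when that one does not answer, and checks that the referral is for a zone below the one it asked, so that a server cannot redirect it to an unrelated part of the tree.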

Firewall and DNS port 89


CIS 192 - Lesson 9 Default firewall on CentOS (Red Hat) does not allow DNS requests

[root@elrond ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
[root@elrond ~]#

UDP port 53 is not open, and neither is TCP port 53. Queries and transfer connections from other hosts fall through to the final REJECT, whose icmp-host-prohibited reply is what the secondary reports as "host unreachable". 90


CIS 192 - Lesson 9 Default firewall on CentOS (Red Hat) does not allow DNS requests

[root@elrond ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@elrond ~]#

UDP port 53 is not open. This file is what the iptables init script loads at boot and what service iptables save writes, so a rule added with iptables alone is gone after a reboot unless it is saved. 91


CIS 192 - Lesson 9 This command inserts a new rule on the custom firewall chain on the primary to allow new UDP port 53 requests

[root@elrond ~]# iptables -I RH-Firewall-1-INPUT 9 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

-I                    insert a new rule
RH-Firewall-1-INPUT   name of chain
9                     rule number to insert before (ahead of the ssh rule and the final REJECT)
-m                    specifies match modules to use
-p                    specifies the protocol to match
--state NEW           for new (not yet established) connections
--dport               for the destination port

This opens UDP 53 only, which covers ordinary queries and the secondary's SOA refresh check. The zone transfer itself runs over TCP 53, so the primary also needs a second rule of the same shape for the tcp protocol, preferably limited with -s to the secondary's address, and service iptables save afterwards to keep both rules across a reboot. 92


CIS 192 - Lesson 9 Modified firewall on CentOS (Red Hat) now allows DNS requests

[root@elrond ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
[root@elrond ~]#

UDP port 53 is open 93
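The two rules the primary needs, and a check that reads an iptables-save style dump (the format of /etc/sysconfig/iptables above) and reports whether a port is reachable before the chain's REJECT, as an added example that is not part of the lesson slides. DEFAULT_RULES is a constructed copy of the default CentOS file shown above. The secondary's address 192.168.2.105 (legolas) is taken from the lab; with_dns_rules only rewrites the dump text to show what the check sees after the rules are added, it does not touch the live firewall.

```shell
#!/bin/sh
# Added example (not from the CIS 192 deck): DNS rules for the primary and a
# checker for iptables-save dumps. DEFAULT_RULES is a constructed copy of the
# default /etc/sysconfig/iptables shown on the slide.

CHAIN=RH-Firewall-1-INPUT
SECONDARY=192.168.2.105          # legolas, the lab's secondary

DEFAULT_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# dns_rules -> prints the two iptables commands for the primary: UDP 53 for
# queries and the secondary's SOA refresh, TCP 53 for the transfer itself,
# the latter limited to the secondary. Rule 9 in the default chain is the
# slot just after the ESTABLISHED,RELATED rule, so both land ahead of the
# final REJECT. Run them as root, then "service iptables save".
dns_rules() {
  echo "iptables -I $CHAIN 9 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT"
  echo "iptables -I $CHAIN 10 -m state --state NEW -m tcp -p tcp --dport 53 -s $SECONDARY -j ACCEPT"
}

# port_state RULES_TEXT PROTO PORT -> "open", "open from SRC" or "closed"
# Walks the chain in order: an ACCEPT for PROTO/PORT (or for all of PROTO)
# before a REJECT/DROP that would catch the packet means open.
port_state() {
  printf '%s\n' "$1" | awk -v chain="$CHAIN" -v proto="$2" -v port="$3" '
    $1 == "-A" && $2 == chain {
      p = ""; dport = ""; target = ""; src = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-p")      p = $(i+1)
        if ($i == "--dport") dport = $(i+1)
        if ($i == "-j")      target = $(i+1)
        if ($i == "-s")      src = $(i+1)
      }
      if (target == "ACCEPT" && p == proto && (dport == port || dport == "")) {
        print (src == "" ? "open" : "open from " src); found = 1; exit
      }
      if ((target == "REJECT" || target == "DROP") && (p == "" || p == proto)) {
        print "closed"; found = 1; exit
      }
    }
    END { if (!found) print "closed" }'
}

# with_dns_rules RULES_TEXT -> the dump as it looks after dns_rules ran.
# iptables-save lists a chain in rule order, and only the position relative
# to the REJECT matters, so the two rules are placed just before it.
with_dns_rules() {
  printf '%s\n' "$1" | awk -v chain="$CHAIN" -v src="$SECONDARY" '
    $1 == "-A" && $2 == chain && /-j REJECT/ {
      print "-A " chain " -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT"
      print "-A " chain " -m state --state NEW -m tcp -p tcp --dport 53 -s " src " -j ACCEPT"
    }
    { print }'
}

# Usage: show the commands, then the state of TCP 53 before and after.
dns_rules
echo "tcp/53 before: $(port_state "$DEFAULT_RULES" tcp 53)"
echo "tcp/53 after:  $(port_state "$(with_dns_rules "$DEFAULT_RULES")" tcp 53)"
```

On the live system the same check is iptables-save | port_state against the running rules; if port_state says open for udp/53 but closed for tcp/53, the secondary's refresh will succeed and its transfer will still fail with "host unreachable".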


CIS 192 - Lesson 9 Modified firewall on CentOS (Red Hat) primary now allows DNS requests [Diagram] UDP port 53 is open 94
