CIS 192 Lesson 9 Lesson Module Status Slides
- Slides: 98
CIS 192 – Lesson 9 Lesson Module Status • • • Slides – draft Properties - done Flashcards 1 st minute quiz – done Web Calendar summary – Web book pages – Commands – done Howtos – Skills pacing Lab – done Depot (VMs) – na 1
CIS 192 - Lesson 9 Quiz Please take out a blank piece of paper, switch off your monitor, close your books, put away your notes and answer these questions: • ? No Quiz today since we are having a test
CIS 192 – Lesson 9 The Domain Name System Objectives Agenda • Install DNS • No quiz today! • Configure a primary and secondary nameserver • Questions on previous material • Enable periodic zone transfers • Housekeeping • DNS Overview • dig command • host command • Forward zone database • Reverse zone database • named. conf • Zone transfer • Troubleshooting • Lab 7 • Wrap • Test 2 3
Questions on previous material 4
CIS 192 - Lesson 9 Questions? • Previous lesson material • Lab assignment 5
Housekeeping 6
CIS 192 - Lesson 9 • No labs due today! • No class next week - Spring break! • There are two extra credits labs available: • X 1 (permanent NIC configuration) • X 2 (PPP). 7
DNS 8
CIS 192 - Lesson 9 Who has this IP address? Solution: Use ARP to get MAC address What is the IP address for this hostname? Solution: Use DNS to resolve hostname 9
CIS 192 - Lesson 9 What is DNS used for? To resolve "friendly" host names into "hard to remember" IP addresses to reach remote hosts on the Internet Either www. cabrillo. edu or 207. 62. 187. 7 will work to reach Cabrillo's web server 10
CIS 192 - Lesson 9 First, Frodo needs the MAC address of the router. This is necessary information for any packets to be sent outside the local subnet. ARP is used for this. 11
CIS 192 - Lesson 9 Next, Frodo sends a DNS request to the server specified in /etc/resolv. conf to resolve the name www. cabrillo. edu. The answer comes back as 207. 62. 187. 7. 12
CIS 192 - Lesson 9 Finally , Frodo does a three-way handshake to start a connection with the web server 13
CIS 192 - Lesson 9 And away we go getting the web page …. . Note that request uses UDP and port 53 on the DNS server 14
CIS 192 - Lesson 9 http: //www. tldp. org/HOWTO/DNS-HOWTO. html Very good DNS reference by Nicolai Langfeldt 15
DNS Overview 16
CIS 192 - Lesson 9 Paul worked at the Information Sciences Institute of the University of Southern California An Overview of Domain Name System Created in 1984 from the work led by Paul Mockapetris Improves the deficiencies of the /etc/hosts file DNS manages two databases (zones) Forward lookup zones: for mapping Domain names to IP addresses Reverse lookup zones: for mapping IP addresses to Domain names Three components to DNS: Resolver The Server Primary Secondary Caching Database files (db. domain-name) Supports two type of queries: Recursive Iterative Most popular implementation of DNS is Berkely Internet Name Daemon (BIND) Maintained by the Internet Software Consortium: www. ics. org 17
CIS 192 - Lesson 9 Can you imagine trying An Overview of Domain Name System to keep these files Created in 1984 from the work led by Paul Mockapetris updated on every single Improves the deficiencies of the /etc/hosts file host in the world? DNS manages two databases (zones) Forward lookup zones: for mapping Domain names to IP addresses Reverse lookup zones: for mapping IP addresses to Domain names Three components to DNS: Resolver The Server Primary Secondary Caching Database files (db. domain-name) Supports two type of queries: Recursive Iterative Most popular implementation of DNS is Berkely Internet Name Daemon (BIND) Maintained by the Internet Software Consortium: www. ics. org 18
CIS 192 - Lesson 9 An Overview of Domain Name System Created in 1984 from the work led by Paul Mockapetris Improves the deficiencies of the /etc/hosts file DNS manages two databases (zones) Forward lookup zones: for mapping Domain names to IP addresses Reverse lookup zones: for mapping IP addresses to Domain names Three components to DNS: Resolver In reality, the DNS is a huge, The Server global distributed database spread across all the DNS servers Primary in the world. Secondary Caching Each DNS server is authoritative Database files (db. domain-name) for its own domain and maintains Supports two type of queries: these forward and reverse lookup Recursive zones. Iterative Most popular implementation of DNS is Berkely Internet Name Daemon (BIND) Maintained by the Internet Software Consortium: www. ics. org 19
CIS 192 - Lesson 9 An Overview of Domain Name System Created in 1984 from the work led by Paul Mockapetris Improves the deficiencies of the /etc/hosts file DNS manages two databases (zones) Forward lookup zones: for mapping Domain names to IP addresses Reverse lookup zones: for mapping IP addresses to Domain names Three components to DNS: The client side of DNS. It initiates Resolver and sequences the queries that lead to the resolution of a name The Server into an IP address Primary Secondary Caching Database files (db. domain-name) Supports two type of queries: Recursive Iterative Most popular implementation of DNS is Berkely Internet Name Daemon (BIND) Maintained by the Internet Software Consortium: www. ics. org 20
CIS 192 - Lesson 9 An Overview of Domain Name System Created in 1984 from the work led by Paul Mockapetris Improves the deficiencies of the /etc/hosts file DNS manages two databases (zones) Forward lookup zones: for mapping Domain names to IP addresses Reverse lookup zones: for mapping IP addresses to Domain names Three components to DNS: Also known as the master server. This server Resolver maintains a database of hostname/IP pairs for The Server the systems it serves. This server also Primary provides authoritative answers for these same Secondary systems. Caching Database files (db. domain-name) Supports two type of queries: Recursive Iterative Most popular implementation of DNS is Berkely Internet Name Daemon (BIND) Maintained by the Internet Software Consortium: www. ics. org 21
CIS 192 - Lesson 9 An Overview of Domain Name System Created in 1984 from the work led by Paul Mockapetris Improves the deficiencies of the /etc/hosts file DNS manages two databases (zones) Forward lookup zones: for mapping Domain names to IP addresses Reverse lookup zones: for mapping IP addresses to Domain names Three components to DNS: Resolver Also known as a slave server. This server is identical to The Server the primary server except it does not maintain its own Primary database. It's data is obtained instead from the primary server. Used as backup when the primary server is Secondary down and for load balancing. Caching Database files (db. domain-name) Supports two type of queries: Recursive Iterative Most popular implementation of DNS is Berkely Internet Name Daemon (BIND) Maintained by the Internet Software Consortium: www. ics. org 22
CIS 192 - Lesson 9 An Overview of Domain Name System Created in 1984 from the work led by Paul Mockapetris Improves the deficiencies of the /etc/hosts file DNS manages two databases (zones) Forward lookup zones: for mapping Domain names to IP addresses Reverse lookup zones: for mapping IP addresses to Domain names Three components to DNS: Resolver Has no database of its own and does not obtain one The Server from another server. Caching servers make queries on Primary behalf of clients and cache the answers. Caching servers are used for performance reasons. Secondary Caching Database files (db. domain-name) Supports two type of queries: Recursive Iterative Most popular implementation of DNS is Berkely Internet Name Daemon (BIND) Maintained by the Internet Software Consortium: www. ics. org 23
CIS 192 - Lesson 9 An Overview of Domain Name System Created in 1984 from the work led by Paul Mockapetris Improves the deficiencies of the /etc/hosts file DNS manages two databases (zones) Forward lookup zones: for mapping Domain names to IP addresses Reverse lookup zones: for mapping IP addresses to Domain names Three components to DNS: Resolver Contain the database resource records such as A records The Server that map a hostname to a IP address, PTR records that Primary map IP addresses to hostnames, NS records for name Secondary servers, and CNAME records for aliases. Caching Database files (db. domain-name) Supports two type of queries: Recursive Iterative Most popular implementation of DNS is Berkely Internet Name Daemon (BIND) Maintained by the Internet Software Consortium: www. ics. org 24
CIS 192 - Lesson 9 An Overview of Domain Name System Created in 1984 from the work led by Paul Mockapetris Improves the deficiencies of the /etc/hosts file DNS manages two databases (zones) Forward lookup zones: for mapping Domain names to IP addresses Reverse lookup zones: for mapping IP addresses to Domain names Three components to DNS: Resolver The Server Primary Secondary Caching Database files (db. domain-name) Provide either an answer or an Supports two type of queries: error message Recursive Iterative Most popular implementation of DNS is Berkely Internet Name Daemon (BIND) Maintained by the Internet Software Consortium: www. ics. org 25
CIS 192 - Lesson 9 An Overview of Domain Name System Created in 1984 from the work led by Paul Mockapetris Improves the deficiencies of the /etc/hosts file DNS manages two databases (zones) Forward lookup zones: for mapping Domain names to IP addresses Reverse lookup zones: for mapping IP addresses to Domain names Three components to DNS: Resolver The Server Primary Secondary Caching Database files (db. domain-name) Supports two type of queries: Provide either an answer or a referral Recursive to another DNS server Iterative Most popular implementation of DNS is Berkely Internet Name Daemon (BIND) Maintained by the Internet Software Consortium: www. ics. org 26
CIS 192 - Lesson 9 An Overview of Domain Name System Created in 1984 from the work led by Paul Mockapetris Improves the deficiencies of the /etc/hosts file DNS manages two databases (zones) Forward lookup zones: for mapping Domain names to IP addresses Reverse lookup zones: for mapping IP addresses to Domain names Three components to DNS: Resolver The Server Primary Secondary Caching Database files (db. domain-name) This is what we will install and Supports two type of queries: configure in Lab 7 Recursive Iterative Most popular implementation of DNS is Berkely Internet Name Daemon (BIND) Maintained by the Internet Software Consortium: www. ics. org 27
CIS 192 - Lesson 9 The DNS Namespace • Top most domain in the namespace hierarchy is ". " • Top-level domains: . com, . net, . gov, . edu, . org. us, . . . • Special domain for reverse lookups: in-addr. arpa • Fully Qualified Domain Names read from right to left • Name registration was handled by Inter. NIC; now belongs to companies for profit. Inter. NIC - Internet Network Information Center. Handled domain names and IP addresses prior to 1988 before getting turned over to ICANN - Internet Corporation for Assigned Names and Numbers. ICANN accredits the domain name registrars (the companies that compete with other and register domain names) 28
CIS 192 - Lesson 9 Nameless root domain referred to via ". " Generic TLD's - Top Level Domains (com, edu, net, org, mil, etc. ) Next level domains (e. g. hp. com, cabrillo. edu, yahoo. com, webhalks. org, etc. source: http: //en. wikipedia. org/wiki/File: Domain_name_space. svg 29
CIS 192 - Lesson 9 source: http: //en. wikipedia. org/wiki/File: An_example_of_theoretical_DNS_recursion. svg 30
CIS 192 - Lesson 9 DNS Database Resource Record types: SOA - Start of Authority NS - Nameserver A - Address PTR - Pointer (for reverse lookups) CNAME - Aliases 31
CIS 192 - Lesson 9 DNS Installation and Configuration Package names: bind, caching-nameserver Daemon name: /usr/sbin/named Startup script: /etc/rc. d/init. d/named start or service named start Database files: /var/named. ca IP address of root servers /var/named/db. in-addr. arpa reverse lookups /var/named/db. domain name forward lookups Configuration files: /etc/named. conf Overall configuration file /etc/resolv. conf DNS server to use /etc/nsswitch. conf Lookup order definition To reload configuration files: rndc reload 32
CIS 192 - Lesson 9 Troubleshooting Tools for DNS nslookup - being phased out host dig 33
dig 34
CIS 192 - Lesson 9 dig (domain information groper) command • Tool to interrogate DNS servers • Performs DNS lookups and displays the answers from the DNS server queried. • Will use name server specified in /etc/resolv. conf unless another is specified query options name server to query dig +norec +noques +nostats +nocmd simms-teach. com @ns 1. dreamhost. com name to lookup Some query options +[no]recurse - [do not] use recursive queries +[no]question - [do not] print question section when an answer is returned +[no]stats - [do not] print query statistics +[no]cmd - [do not] print dig version information … for more, use man dig 35
CIS 192 - Lesson 9 An example of what life is like as a resolver doing a forward lookup using the dig command 36
CIS 192 - Lesson 9 dig opus. cabrillo. edu (start with root ". " servers) [root@elrond ~]# dig +norecurse +noques +nostats +nocmd opus. cabrillo. edu ; ; Got answer: ; ; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19571 ; ; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13 ; ; AUTHORITY SECTION: . . . ; ; ADDITIONAL SECTION: B. ROOT-SERVERS. NET. C. ROOT-SERVERS. NET. E. ROOT-SERVERS. NET. F. ROOT-SERVERS. NET. G. ROOT-SERVERS. NET. I. ROOT-SERVERS. NET. J. ROOT-SERVERS. NET. K. ROOT-SERVERS. NET. L. ROOT-SERVERS. NET. M. ROOT-SERVERS. NET. 604794 604761 604794 604794 604791 [root@elrond ~]# IN IN IN IN 3600000 3600000 3600000 3600000 A A A A AAAA A AAAA IN IN IN IN 192. 228. 79. 201 192. 33. 4. 12 192. 203. 230. 10 192. 5. 5. 241 2001: 500: 2 f: : f 192. 112. 36. 4 192. 36. 148. 17 192. 58. 128. 30 193. 0. 14. 129 2001: 7 fd: : 1 2001: 500: 3: : 42 202. 12. 27. 33 2001: dc 3: : 35 NS NS NS NS A. ROOT-SERVERS. NET. L. ROOT-SERVERS. NET. I. ROOT-SERVERS. NET. E. ROOT-SERVERS. NET. D. ROOT-SERVERS. NET. F. ROOT-SERVERS. NET. B. ROOT-SERVERS. NET. M. ROOT-SERVERS. NET. J. ROOT-SERVERS. NET. G. ROOT-SERVERS. NET. K. ROOT-SERVERS. NET. H. ROOT-SERVERS. NET. C. ROOT-SERVERS. NET. We don't get an answer but we do get referred to a long list of root name servers we can ask. Pick one at random to continue IP addresses for these servers 37
CIS 192 - Lesson 9 dig opus. cabrillo. edu (edu. servers) [root@elrond ~]# dig +norecurse +noques +nostats +nocmd opus. cabrillo. edu @J. ROOT-SERVERS. NET. ; ; Got answer: ; ; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53616 Still no answer ; ; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 8 ; ; AUTHORITY SECTION: edu. ; ; ADDITIONAL SECTION: A. GTLD-SERVERS. NET. C. GTLD-SERVERS. NET. D. GTLD-SERVERS. NET. E. GTLD-SERVERS. NET. F. GTLD-SERVERS. NET. G. GTLD-SERVERS. NET. L. GTLD-SERVERS. NET. 172800 172800 172800 172800 IN IN IN IN NS NS A AAAA A A A E. GTLD-SERVERS. NET. F. GTLD-SERVERS. NET. G. GTLD-SERVERS. NET. L. GTLD-SERVERS. NET. A. GTLD-SERVERS. NET. C. GTLD-SERVERS. NET. D. GTLD-SERVERS. NET. but we get referred to a list of generic top level domain name servers for the edu domain Pick one at random to continue 192. 5. 6. 30 2001: 503: a 83 e: : 2: 30 192. 26. 92. 30 192. 31. 80. 30 192. 12. 94. 30 192. 35. 51. 30 IP addresses for the edu 192. 42. 93. 30 domain nameservers 192. 41. 162. 30 [root@elrond ~]# 38
CIS 192 - Lesson 9 dig opus. cabrillo. edu (cabrillo. edu. servers) [root@elrond ~]# dig +norecurse +noques +nostats +nocmd opus. cabrillo. edu @F. GTLD-SERVERS. NET. ; ; Got answer: Still no answer ; ; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17333 ; ; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3 but we get ; ; AUTHORITY SECTION: cabrillo. edu. 172800 IN IN IN NS NS NS buttercup. cabrillo. edu. ns 1. csu. net. ns 2. csu. net. ; ; ADDITIONAL SECTION: buttercup. cabrillo. edu. 172800 ns 1. csu. net. 172800 ns 2. csu. net. 172800 IN IN IN A A A 207. 62. 187. 54 130. 150. 102. 100 130. 150. 102. 20 [root@elrond ~]# IP addresses for the Cabrillo name servers referred to a list of cabrillo name servers for the cabrillo. edu domain Pick one at random to continue 39
CIS 192 - Lesson 9 dig opus. cabrillo. edu (resolved) [root@elrond ~]# dig +norecurse +noques +nostats +nocmd opus. cabrillo. edu @ns 1. csu. net. ; ; Got answer: ; ; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6591 ; ; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3 ; ; ANSWER SECTION: opus. cabrillo. edu. 300 IN A 207. 62. 186. 9 ; ; AUTHORITY SECTION: cabrillo. edu. 300 300 IN IN IN NS NS NS ns 1. csu. net. ns 2. csu. net. buttercup. cabrillo. edu. IN IN IN A A A 130. 150. 102. 100 130. 150. 102. 20 207. 62. 187. 54 ; ; ADDITIONAL SECTION: ns 1. csu. net. 15219 ns 2. csu. net. 15324 buttercup. cabrillo. edu. 300 [root@elrond ~]# Hooray! It worked …. we got an answer! 40
host command 41
CIS 192 - Lesson 9 host command Forward lookup [root@elrond named]# www. google. com is an www. l. google. com has host www. google. com alias for www. l. google. com. address 74. 125. 127. 99 address 74. 125. 127. 103 address 74. 125. 127. 104 address 74. 125. 127. 147 Reverse lookup [root@elrond named]# host 74. 125. 127. 99 99. 127. 125. 74. in-addr. arpa domain name pointer pz-in-f 99. google. com. [root@elrond named]# Note the structure of the IP address "hostname" (reverse order with top of tree on the right and leaves to the left) 42
forward lookup zone database 43
CIS 192 - Lesson 9 Zone file [root@elrond ~]# cat /var/named/db. rivendell $TTL 604800 ; Rivendell Zone Definition ; ; Rivendell. IN SOA elrond. rivendell. root. rivendell. ( 2009040304 ; serial number 60 ; refresh rate in seconds 15 ; retry in seconds 1209600 ; expire in seconds 300) ; minimum in seconds ; ; Name Server Records Rivendell. IN NS elrond. rivendell. ; ; Address Records localhost IN A 127. 0. 0. 1 legolas IN A 192. 168. 2. 105 elrond IN A 192. 168. 2. 107 galadriel IN A 192. 168. 2. 108 william IN A 192. 168. 2. 114 ; ; CNAME records [root@elrond ~]# TTL = Time to live. How long a DNS record from this zone should be cached. The longer the TTL value the faster domain resolution time periods will be. Examples: $TTL 86400 1440 m 24 h 1 d 44
CIS 192 - Lesson 9 Zone file [root@elrond ~]# cat /var/named/db. rivendell $TTL 604800 ; Rivendell Zone Definition ; ; Rivendell. IN SOA elrond. rivendell. root. rivendell. ( 2009040304 ; serial number 60 ; refresh rate in seconds 15 ; retry in seconds 1209600 ; expire in seconds 300) ; minimum in seconds ; ; Name Server Records Rivendell. IN NS elrond. rivendell. ; ; Address Records localhost IN A 127. 0. 0. 1 legolas IN A 192. 168. 2. 105 elrond IN A 192. 168. 2. 107 galadriel IN A 192. 168. 2. 108 william IN A 192. 168. 2. 114 ; ; CNAME records [root@elrond ~]# Primary domain name 45
CIS 192 - Lesson 9 Zone file [root@elrond ~]# cat /var/named/db. rivendell $TTL 604800 ; Rivendell Zone Definition ; ; Rivendell. IN SOA elrond. rivendell. root. rivendell. ( 2009040304 ; serial number 60 ; refresh rate in seconds 15 ; retry in seconds 1209600 ; expire in seconds 300) ; minimum in seconds ; ; Name Server Records Rivendell. IN NS elrond. rivendell. ; ; Address Records localhost IN A 127. 0. 0. 1 legolas IN A 192. 168. 2. 105 elrond IN A 192. 168. 2. 107 galadriel IN A 192. 168. 2. 108 william IN A 192. 168. 2. 114 ; ; CNAME records [root@elrond ~]# Class of the zone IN = Internet 46
CIS 192 - Lesson 9 Zone file [root@elrond ~]# cat /var/named/db. rivendell $TTL 604800 ; Rivendell Zone Definition ; ; Rivendell. IN SOA elrond. rivendell. root. rivendell. ( 2009040304 ; serial number 60 ; refresh rate in seconds 15 ; retry in seconds 1209600 ; expire in seconds 300) ; minimum in seconds ; ; Name Server Records Rivendell. IN NS elrond. rivendell. ; ; Address Records localhost IN A 127. 0. 0. 1 legolas IN A 192. 168. 2. 105 elrond IN A 192. 168. 2. 107 galadriel IN A 192. 168. 2. 108 william IN A 192. 168. 2. 114 ; ; CNAME records [root@elrond ~]# Record type SOA = Start of Authority 47
CIS 192 - Lesson 9 Zone file [root@elrond ~]# cat /var/named/db. rivendell $TTL 604800 ; Rivendell Zone Definition ; ; Rivendell. IN SOA elrond. rivendell. root. rivendell. ( 2009040304 ; serial number 60 ; refresh rate in seconds 15 ; retry in seconds 1209600 ; expire in seconds 300) ; minimum in seconds ; ; Name Server Records Rivendell. IN NS elrond. rivendell. ; ; Address Records localhost IN A 127. 0. 0. 1 legolas IN A 192. 168. 2. 105 elrond IN A 192. 168. 2. 107 galadriel IN A 192. 168. 2. 108 william IN A 192. 168. 2. 114 ; ; CNAME records [root@elrond ~]# The primary DNS server for this zone 48
CIS 192 - Lesson 9 Zone file [root@elrond ~]# cat /var/named/db. rivendell $TTL 604800 ; Rivendell Zone Definition ; ; Rivendell. IN SOA elrond. rivendell. root. rivendell. ( 2009040304 ; serial number 60 ; refresh rate in seconds 15 ; retry in seconds 1209600 ; expire in seconds 300) ; minimum in seconds ; ; Name Server Records Rivendell. IN NS elrond. rivendell. ; ; Address Records localhost IN A 127. 0. 0. 1 legolas IN A 192. 168. 2. 105 elrond IN A 192. 168. 2. 107 galadriel IN A 192. 168. 2. 108 william IN A 192. 168. 2. 114 ; ; CNAME records [root@elrond ~]# The email address of the person/authority in charge. Note the "@" is replaced by a ". " 49
CIS 192 - Lesson 9 Zone file [root@elrond ~]# cat /var/named/db. rivendell $TTL 604800 ; Rivendell Zone Definition ; ; Rivendell. IN SOA elrond. rivendell. root. rivendell. ( 2009040304 ; serial number 60 ; refresh rate in seconds 15 ; retry in seconds 1209600 ; expire in seconds 300) ; minimum in seconds ; ; Name Server Records Rivendell. IN NS elrond. rivendell. ; ; Address Records localhost IN A 127. 0. 0. 1 legolas IN A 192. 168. 2. 105 elrond IN A 192. 168. 2. 107 galadriel IN A 192. 168. 2. 108 william IN A 192. 168. 2. 114 ; ; CNAME records [root@elrond ~]# Serial number, typically YYYYMMDDNN. Must be updated to a larger number whenever zone file is updated or the changes will be ignored by BIND 50
CIS 192 - Lesson 9 Zone file [root@elrond ~]# cat /var/named/db. rivendell $TTL 604800 ; Rivendell Zone Definition ; ; Rivendell. IN SOA elrond. rivendell. root. rivendell. ( 2009040304 ; serial number 60 ; refresh rate in seconds 15 ; retry in seconds 1209600 ; expire in seconds 300) ; minimum in seconds ; ; Name Server Records Rivendell. IN NS elrond. rivendell. ; ; Address Records localhost IN A 127. 0. 0. 1 legolas IN A 192. 168. 2. 105 elrond IN A 192. 168. 2. 107 galadriel IN A 192. 168. 2. 108 william IN A 192. 168. 2. 114 ; ; CNAME records [root@elrond ~]# Refresh rate How often the secondary server should poll the primary to refresh it data It is set to only 60 seconds for Lab 7 so we can see zone transfers happen quickly. 51
CIS 192 - Lesson 9 Zone file [root@elrond ~]# cat /var/named/db. rivendell $TTL 604800 ; Rivendell Zone Definition ; ; Rivendell. IN SOA elrond. rivendell. root. rivendell. ( 2009040304 ; serial number 60 ; refresh rate in seconds 15 ; retry in seconds 1209600 ; expire in seconds 300) ; minimum in seconds ; ; Name Server Records Rivendell. IN NS elrond. rivendell. ; ; Address Records localhost IN A 127. 0. 0. 1 legolas IN A 192. 168. 2. 105 elrond IN A 192. 168. 2. 107 galadriel IN A 192. 168. 2. 108 william IN A 192. 168. 2. 114 ; ; CNAME records [root@elrond ~]# Retry A value typically an hour or less that the secondary server should repeat an update request if the primary failed to respond. 52
CIS 192 - Lesson 9 Zone file [root@elrond ~]# cat /var/named/db. rivendell $TTL 604800 ; Rivendell Zone Definition ; ; Rivendell. IN SOA elrond. rivendell. root. rivendell. ( 2009040304 ; serial number 60 ; refresh rate in seconds 15 ; retry in seconds 1209600 ; expire in seconds 300) ; minimum in seconds ; ; Name Server Records Rivendell. IN NS elrond. rivendell. ; ; Address Records localhost IN A 127. 0. 0. 1 legolas IN A 192. 168. 2. 105 elrond IN A 192. 168. 2. 107 galadriel IN A 192. 168. 2. 108 william IN A 192. 168. 2. 114 ; ; CNAME records [root@elrond ~]# Expire In the case where the secondary server can no longer reach the primary, this is the amount of time the zone information can be used. secondarys servers will stop responding to requests for this zone once the data has expired. A successful refresh (a zone update) will reset the timers and the cycle will begin again. 53
CIS 192 - Lesson 9 Zone file [root@elrond ~]# cat /var/named/db. rivendell $TTL 604800 ; Rivendell Zone Definition ; ; Rivendell. IN SOA elrond. rivendell. root. rivendell. ( 2009040304 ; serial number 60 ; refresh rate in seconds 15 ; retry in seconds 1209600 ; expire in seconds 300) ; minimum in seconds ; ; Name Server Records Rivendell. IN NS elrond. rivendell. ; ; Address Records localhost IN A 127. 0. 0. 1 legolas IN A 192. 168. 2. 105 elrond IN A 192. 168. 2. 107 galadriel IN A 192. 168. 2. 108 william IN A 192. 168. 2. 114 ; ; CNAME records [root@elrond ~]# Minimum How long a nonauthoritative server should cache an entry in case of failed lookups 54
CIS 192 - Lesson 9 Zone file [root@elrond ~]# cat /var/named/db. rivendell $TTL 604800 ; Rivendell Zone Definition ; ; Rivendell. IN SOA elrond. rivendell. root. rivendell. ( 2009040304 ; serial number 60 ; refresh rate in seconds 15 ; retry in seconds 1209600 ; expire in seconds 300) ; minimum in seconds ; ; Name Server Records Rivendell. IN NS elrond. rivendell. ; ; Address Records localhost IN A 127. 0. 0. 1 legolas IN A 192. 168. 2. 105 elrond IN A 192. 168. 2. 107 galadriel IN A 192. 168. 2. 108 william IN A 192. 168. 2. 114 ; ; CNAME records [root@elrond ~]# NS (Name Server) records indicate the authoritative name servers for this zone. Public domains are required to have at least two name servers. Private domains may have just one. 55
CIS 192 - Lesson 9 Zone file [root@elrond ~]# cat /var/named/db. rivendell $TTL 604800 ; Rivendell Zone Definition ; ; Rivendell. IN SOA elrond. rivendell. root. rivendell. ( 2009040304 ; serial number 60 ; refresh rate in seconds 15 ; retry in seconds 1209600 ; expire in seconds 300) ; minimum in seconds ; ; Name Server Records Rivendell. IN NS elrond. rivendell. ; ; Address Records localhost IN A 127. 0. 0. 1 legolas IN A 192. 168. 2. 105 Each A records matches elrond IN A 192. 168. 2. 107 a hostname with an galadriel IN A 192. 168. 2. 108 IPv 4 address. william IN A 192. 168. 2. 114 ; ; CNAME records [root@elrond ~]# 56
reverse lookup zone datbase 57
CIS 192 - Lesson 9 Zone file [root@elrond named]# cat db. 2. 168. 192 $TTL 86400 ; 192. 168. 2. * Reverse Zone Definition ; 2. 168. 192. in-addr. arpa. IN SOA elrond. rivendell. root. rivendell. 2009040311 ; Serial 60 ; Refresh 15 ; Retry 3600000 ; Expire 86400 ) ; Minimum ; ; Name Server Records ; 2. 168. 192. in-addr. arpa. IN NS elrond. rivendell. ; ; Address Records 105 IN PTR legolas. rivendell. 107 IN PTR elrond. rivendell. 108 IN PTR galadriel. rivendell. 114 IN PTR william. rivendell. [root@elrond named]# ( Note the use of PTR records to match the final portion of the IP address to a host name 58
named. conf 59
CIS 192 - Lesson 9 [root@elrond named]# cat /etc/named. conf This is where the zone options { database files reside directory "/var/named"; /* * If there is a firewall between you and nameservers you want * to talk to, you might need to uncomment the query-source * directive below. Previous versions of BIND always asked * questions using port 53, but BIND 8. 1 uses an unprivileged * port by default. */ // query-source address * port 53; }; // // a caching only nameserver config // controls { inet 127. 0. 0. 1 allow { localhost; } keys { rndckey; }; }; zone ". " IN { type hint; file "named. ca"; }; The hints are really the IP addresses of all the top level root name servers 60
CIS 192 - Lesson 9 zone "localhost" IN { type master; file "localhost. zone"; allow-update { none; }; }; zone "0. 0. 127. in-addr. arpa" IN { type master; file "named. local"; allow-update { none; }; }; zone "rivendell" IN { type master; file "db. rivendell"; allow-update { none; }; }; zone "2. 168. 192. in-addr. arpa" IN { type master; file "db. 2. 168. 192"; allow-update { none; }; }; In Lab 7 you will setup forward and reverse zones for the Rivendell domain // A key file needs to be referenced for use by rndc. include "/etc/rndc. key"; [root@elrond named]# 61
zone transfer 62
CIS 192 - Lesson 9 Zone transfer The secondary server does this to obtain the zone databases from the primary server 63
CIS 192 - Lesson 9 A successful zone transfer Request from secondary Response from primary zone records /var/log/messages: Apr 6 07: 30: 59 legolas named[16429]: zone rivendell/IN: Transfer started. Apr 6 07: 30: 59 legolas named[16429]: transfer of 'rivendell/IN' from 192. 168. 2. 107#53: connected using 192. 168. 2. 105#46736 Apr 6 07: 30: 59 legolas named[16429]: zone rivendell/IN: transferred serial 2009040309 Apr 6 07: 30: 59 legolas named[16429]: transfer of 'rivendell/IN' from 192. 168. 2. 107#53: end of transfer 64
DNS Troubleshooting 65
CIS 192 - Lesson 9 Lab 7 Troubleshooting Problem: primary to secondary transfer failing From /var/log/messages: Apr 6 06: 39: 33 legolas named[16429]: zone rivendell/IN: Transfer started. Apr 6 06: 39: 33 legolas named[16429]: transfer of 'rivendell/IN' from 192. 168. 2. 107#53: connected using 192. 168. 2. 105#54165 Apr 6 06: 39: 33 legolas named[16429]: dumping primary file: tmp. Uj. D 7 J 9 k. Llr: open: permission denied Apr 6 06: 39: 33 legolas named[16429]: transfer of 'rivendell/IN' from 192. 168. 2. 107#53: failed while receiving responses: permission denied Apr 6 06: 39: 33 legolas named[16429]: transfer of 'rivendell/IN' from 192. 168. 2. 107#53: end of transfer Solution: Enable named to create new files on secondary: 1. Run lokkit on secondary and change SELinux setting from Enforcing to Permissive 2. Use chmod 770 /var/named on secondary 66
CIS 192 - Lesson 9 Lab 7 Troubleshooting Problem: primary to secondary transfer failing From /var/log/messages: Apr 6 07: 01: 15 legolas named[16429]: zone rivendell/IN: refresh: retry limit for master 192. 168. 2. 107#53 exceeded (source 0. 0#0) Apr 6 07: 01: 15 legolas named[16429]: zone rivendell/IN: Transfer started. Apr 6 07: 01: 15 legolas named[16429]: transfer of 'rivendell/IN' from 192. 168. 2. 107#53: failed to connect: host unreachable Apr 6 07: 01: 15 legolas named[16429]: transfer of 'rivendell/IN' from 192. 168. 2. 107#53: end of transfer Solution: Firewall on master is blocking connection by secondary for transfer 1. Run lokkit on primary and disable firewall or 2. Open port UDP port 53 on primary 67
CIS 192 - Lesson 9 Zone transfer failing when blocked by firewall on primary 68
Lab 7 69
CIS 192 - Lesson 9 Lab 7 http: //simms-teach. com/docs/cis 192 lab 07. pdf 70
Wrap 71
CIS 192 - Lesson 9 New commands, daemons: named host dig nslookup rndc reload DNS daemon For testing DNS information Being phased out Reload DNS configuration files Configuration files /etc/named. conf /var/named/* /etc/resolv. conf /etc/nsswitch. conf /etc/hosts 72
CIS 192 – Lesson 9 Next Class (after Spring Break) Assignment: Check Calendar Page http: //simms-teach. com/cis 192 calendar. php b a L 7 e u d Quiz questions for next class: • What two packages must be installed to setup a name server with caching? • What is the purpose of a PTR record? • How does the serial number effect zone transfers? 73
Test 2 Open book, notes, computer 74
Backup 75
CIS 192 - Lesson 9 Classroom Static IP addresses for VM's Station IP Static 1 Instructor 172. 30. 1. 100 172. 30. 1. 125 Station-01 172. 30. 1. 101 Station-02 Station IP Static 1 172. 30. 1. 126 Station-13 172. 30. 1. 138 172. 30. 1. 102 172. 30. 1. 127 Station-14 172. 30. 1. 139 Station-03 172. 30. 1. 128 Station-15 172. 30. 1. 140 Station-04 172. 30. 1. 129 Station-16 172. 30. 1. 141 Station-05 172. 30. 1. 130 Station-17 172. 30. 1. 142 Station-06 172. 30. 1. 131 Station-18 172. 30. 1. 143 Station-07 172. 30. 1. 132 Station-19 172. 30. 1. 144 Station-08 172. 30. 1. 133 Station-20 172. 30. 1. 145 Station-09 172. 30. 1. 134 Station-21 172. 30. 1. 146 Station-10 172. 30. 1. 135 Station-22 172. 30. 1. 147 Station-11 172. 30. 1. 136 Station-23 172. 30. 1. 148 Station-12 172. 30. 1. 137 Station-24 172. 30. 1. 149 Note the static IP address for your station to use in the next class exercise
CIS 192 - Lesson 9 Classroom DHCP IP allocation pools table by station number Station IP Start End 01 172. 30. 1. 101 172. 30. 1. 50 172. 30. 1. 54 13 172. 30. 1. 101 172. 30. 1. 210 172. 30. 1. 214 02 172. 30. 1. 102 172. 30. 1. 55 172. 30. 1. 59 14 172. 30. 1. 102 172. 30. 1. 215 172. 30. 1. 219 03 172. 30. 1. 103 172. 30. 1. 60 172. 30. 1. 64 15 172. 30. 1. 103 172. 30. 1. 220 172. 30. 1. 224 04 172. 30. 1. 104 172. 30. 1. 65 172. 30. 1. 69 16 172. 30. 1. 104 172. 30. 1. 225 172. 30. 1. 229 05 172. 30. 1. 105 172. 30. 1. 70 172. 30. 1. 74 17 172. 30. 1. 105 172. 30. 1. 230 172. 30. 1. 234 06 172. 30. 1. 106 172. 30. 1. 75 172. 30. 1. 79 18 172. 30. 1. 106 172. 30. 1. 235 172. 30. 1. 239 07 172. 30. 1. 107 172. 30. 1. 80 172. 30. 1. 84 19 172. 30. 1. 107 172. 30. 1. 240 172. 30. 1. 244 08 172. 30. 1. 108 172. 30. 1. 85 172. 30. 1. 89 20 172. 30. 1. 108 172. 30. 1. 245 172. 30. 1. 249 09 172. 30. 1. 109 172. 30. 1. 90 172. 30. 1. 94 21 172. 30. 1. 109 172. 30. 1. 250 172. 30. 1. 254 10 172. 30. 1. 110 172. 30. 1. 95 172. 30. 1. 99 22 172. 30. 1. 110 172. 30. 1. 34 11 172. 30. 1. 111 172. 30. 1. 200 172. 30. 1. 204 23 172. 30. 1. 111 172. 30. 1. 35 172. 30. 1. 39 12 172. 30. 1. 112 172. 30. 1. 205 172. 30. 1. 209 24 172. 30. 1. 112 172. 30. 1. 20 172. 30. 1. 44 Instruct 172. 30. 1. 100 172. 30. 1. 45 172. 30. 1. 49 Use these pools of addresses based on your station number to avoid conflicts on the classroom network
Shire (Outside) Rivendell (Inside) 172. 30. 4. 0/24 eth 0 192. 168. 2. 8/30 dhcp Frodo eth 0 . 10 . 9 Arwen Elrond Gateway Client Internet eth 1 eth 2. 1 xx. 1 xy Server (Inside) (Outside) 172. 30. 4. 0/24 192. 168. 2. 8/30 eth 1 eth 2. 108 . 10 Jin Gateway eth 0. 9 Sun Client 78
CIS 192 - Lesson 9 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Client Server IP: Port: 79
snickers DHCP DNS buttercup 207. 62. 187. 54 nosmo . 10 Internet . 1 client frodo client william sauron DHCP Server eth 0 dhcp eth 0 elrond eth 0. 1 XX DHCP dhcp DHCP Relay Agent legolas eth 1 eth 0 eth 1 . 1 XX . 150 172. 30. N. 0 /24 192. 168. 2. 0 /24 Shire Rivendell DHCP Reservation eth 0 dhcp 192. 168. 3. 0 /24 Mordor 80
CIS 192 - Lesson 9 dig simms-teach. com (com. servers) [root@elrond ~]# dig +norec +noques +nostats +nocmd simms-teach. com ; ; Got answer: ; ; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16548 ; ; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0 ; ; AUTHORITY SECTION: com. 172798 172798 172798 172798 IN IN IN IN NS NS NS NS G. GTLD-SERVERS. NET. M. GTLD-SERVERS. NET. K. GTLD-SERVERS. NET. A. GTLD-SERVERS. NET. C. GTLD-SERVERS. NET. L. GTLD-SERVERS. NET. J. GTLD-SERVERS. NET. H. GTLD-SERVERS. NET. B. GTLD-SERVERS. NET. I. GTLD-SERVERS. NET. E. GTLD-SERVERS. NET. F. GTLD-SERVERS. NET. D. GTLD-SERVERS. NET. NS = Authoritative Name Server record IN = Internet Domain Names 81
CIS 192 - Lesson 9 dig simms-teach. com (simms-teach. com. servers) [root@elrond ~]# dig +norec +noques +nostats +nocmd simms-teach. com @A. GTLD-SERVERS. NET. ; ; Got answer: ; ; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40276 ; ; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3 ; ; AUTHORITY SECTION: simms-teach. com. 172800 IN IN IN NS NS NS ns 1. dreamhost. com. ns 2. dreamhost. com. ns 3. dreamhost. com. ; ; ADDITIONAL SECTION: ns 1. dreamhost. com. ns 2. dreamhost. com. ns 3. dreamhost. com. 172800 IN IN IN A A A 66. 33. 206 208. 96. 10. 221 66. 33. 216 [root@elrond ~]# 82
CIS 192 - Lesson 9 dig simms-teach. com (ANSWER section received) [root@elrond ~]# dig +norec +noques +nostats +nocmd simms-teach. com @ns 1. dreamhost. com ; ; Got answer: ; ; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60986 ; ; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ; ; ANSWER SECTION: simms-teach. com. 14400 IN A 208. 113. 161. 13 [root@elrond ~]# ping -c 2 simms-teach. com PING simms-teach. com (208. 113. 161. 13) 56(84) bytes of data. 64 bytes from apache 2 -zoo. nehi. dreamhost. com (208. 113. 161. 13): icmp_seq=1 ttl=56 time=26. 1 ms 64 bytes from apache 2 -zoo. nehi. dreamhost. com (208. 113. 161. 13): icmp_seq=2 ttl=56 time=25. 9 ms --- simms-teach. com ping statistics --2 packets transmitted, 2 received, 0% packet loss, time 1000 ms rtt min/avg/max/mdev = 25. 973/26. 078/26. 184/0. 192 ms [root@elrond ~]# 83
CIS 192 - Lesson 9 An example of what it is like to be a resolver doing a reverse lookup using the dig command 84
CIS 192 - Lesson 9 dig 9. 186. 62. 207. in-addr. arpa [root@elrond ~]# dig +norecurse +noques +nostats +nocmd 9. 186. 62. 207. in-addr. arpa ; ; Got answer: ; ; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26350 ; ; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 5 ; ; AUTHORITY SECTION: . . . 518387 518387 518387 518387 IN IN IN IN NS NS NS NS I. ROOT-SERVERS. NET. C. ROOT-SERVERS. NET. E. ROOT-SERVERS. NET. F. ROOT-SERVERS. NET. K. ROOT-SERVERS. NET. A. ROOT-SERVERS. NET. L. ROOT-SERVERS. NET. H. ROOT-SERVERS. NET. M. ROOT-SERVERS. NET. B. ROOT-SERVERS. NET. G. ROOT-SERVERS. NET. D. ROOT-SERVERS. NET. J. ROOT-SERVERS. NET. ; ; ADDITIONAL SECTION: A. ROOT-SERVERS. NET. E. ROOT-SERVERS. NET. M. ROOT-SERVERS. NET. 604782 604787 604782 IN IN IN A AAAA A A AAAA 198. 41. 0. 4 2001: 503: ba 3 e: : 2: 30 192. 203. 230. 10 202. 12. 27. 33 2001: dc 3: : 35 [root@elrond ~]# 85
CIS 192 - Lesson 9 dig 9. 186. 62. 207. in-addr. arpa [root@elrond ~]# dig +norecurse +noques +nostats +nocmd 9. 186. 62. 207. in-addr. arpa @A. ROOTSERVERS. NET. ; ; Got answer: ; ; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12044 ; ; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 0 ; ; AUTHORITY SECTION: 207. in-addr. arpa. 86400 86400 IN IN NS NS X. ARIN. NET. BASIL. ARIN. NET. HENNA. ARIN. NET. Y. ARIN. NET. CHIA. ARIN. NET. DILL. ARIN. NET. Z. ARIN. NET. INDIGO. ARIN. NET. [root@elrond ~]# 86
CIS 192 - Lesson 9 dig 9. 186. 62. 207. in-addr. arpa [root@elrond ~]# dig +norecurse +noques +nostats +nocmd 9. 186. 62. 207. in-addr. arpa @BASIL. ARIN. NET. ; ; Got answer: ; ; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56550 ; ; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0 ; ; AUTHORITY SECTION: 62. 207. in-addr. arpa. 86400 IN IN NS NS ns 2. csu. net. ns 1. csu. net. [root@elrond ~]# 87
CIS 192 - Lesson 9 dig 9. 186. 62. 207. in-addr. arpa [root@elrond ~]# dig +norecurse +noques +nostats +nocmd 9. 186. 62. 207. in-addr. arpa @ns 1. csu. net ; ; Got answer: ; ; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58855 ; ; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ; ; AUTHORITY SECTION: 186. 62. 207. in-addr. arpa. 28800 IN SOA buttercup. cabrillo. edu. hostmaster. cabrillo. edu. 2004062137 3600 1800 604800 28800 [root@elrond ~]# 88
Firewall and DNS port 89
CIS 192 - Lesson 9 Default firewall on Cent. OS (Red Hat) does not allow DNS requests [root@elrond ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source RH-Firewall-1 -INPUT all -- anywhere destination anywhere Chain FORWARD (policy ACCEPT) target prot opt source RH-Firewall-1 -INPUT all -- anywhere destination anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain RH-Firewall-1 -INPUT (2 references) target prot opt source destination ACCEPT all -- anywhere ACCEPT icmp -- anywhere ACCEPT esp -- anywhere ACCEPT ah -- anywhere ACCEPT udp -- anywhere 224. 0. 0. 251 ACCEPT udp -- anywhere ACCEPT tcp -- anywhere ACCEPT all -- anywhere ACCEPT tcp -- anywhere REJECT all -- anywhere [root@elrond ~]# icmp any udp dpt: mdns udp dpt: ipp tcp dpt: ipp state RELATED, ESTABLISHED state NEW tcp dpt: ssh reject-with icmp-host-prohibited UDP port 53 is not open 90
CIS 192 - Lesson 9 Default firewall on Cent. OS (Red Hat) does not allow DNS requests [root@elrond ~]# cat /etc/sysconfig/iptables # Firewall configuration written by system-config-securitylevel # Manual customization of this file is not recommended. *filter : INPUT ACCEPT [0: 0] : FORWARD ACCEPT [0: 0] : OUTPUT ACCEPT [0: 0] : RH-Firewall-1 -INPUT - [0: 0] -A INPUT -j RH-Firewall-1 -INPUT -A FORWARD -j RH-Firewall-1 -INPUT -A RH-Firewall-1 -INPUT -i lo -j ACCEPT -A RH-Firewall-1 -INPUT -p icmp --icmp-type any -j ACCEPT -A RH-Firewall-1 -INPUT -p 50 -j ACCEPT -A RH-Firewall-1 -INPUT -p 51 -j ACCEPT -A RH-Firewall-1 -INPUT -p udp --dport 5353 -d 224. 0. 0. 251 -j ACCEPT -A RH-Firewall-1 -INPUT -p udp -m udp --dport 631 -j ACCEPT -A RH-Firewall-1 -INPUT -p tcp -m tcp --dport 631 -j ACCEPT -A RH-Firewall-1 -INPUT -m state --state ESTABLISHED, RELATED -j ACCEPT -A RH-Firewall-1 -INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A RH-Firewall-1 -INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT [root@elrond ~]# UDP port 53 is not open 91
CIS 192 - Lesson 9 This command inserts a new rule on the custom firewall chain on the primary to allow new UDP port 53 requests line number to insert before Name of chain [root@elrond ~]# iptables -I RH-Firewall-1 -INPUT 9 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT -m -p -I --state NEW --dport specifies match modules to use specified protocol to match to insert a new rule for new (not yet established) connections for the destination port 92
CIS 192 - Lesson 9 Modified firewall on Cent. OS (Red Hat) now allows DNS requests [root@elrond ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source RH-Firewall-1 -INPUT all -- anywhere destination anywhere Chain FORWARD (policy ACCEPT) target prot opt source RH-Firewall-1 -INPUT all -- anywhere destination anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain RH-Firewall-1 -INPUT (2 references) target prot opt source destination ACCEPT all -- anywhere ACCEPT icmp -- anywhere ACCEPT esp -- anywhere ACCEPT ah -- anywhere ACCEPT udp -- anywhere 224. 0. 0. 251 ACCEPT udp -- anywhere ACCEPT tcp -- anywhere ACCEPT all -- anywhere ACCEPT udp -- anywhere ACCEPT tcp -- anywhere REJECT all -- anywhere [root@elrond ~]# UDP port 53 is open icmp any udp dpt: mdns udp dpt: ipp tcp dpt: ipp state RELATED, ESTABLISHED state NEW udp dpt: domain state NEW tcp dpt: ssh reject-with icmp-host-prohibited 93
CIS 192 - Lesson 9 Modified firewall on Cent. OS (Red Hat) primary now allows DNS requests UDP port 53 is open 94
DNS Trobleshooting 95
CIS 192 - Lesson 9 Lab 7 Troubleshooting Problem: primary to secondary transfer failing From /var/log/messages: Apr 6 06: 39: 33 legolas named[16429]: zone rivendell/IN: Transfer started. Apr 6 06: 39: 33 legolas named[16429]: transfer of 'rivendell/IN' from 192. 168. 2. 107#53: connected using 192. 168. 2. 105#54165 Apr 6 06: 39: 33 legolas named[16429]: dumping primary file: tmp. Uj. D 7 J 9 k. Llr: open: permission denied Apr 6 06: 39: 33 legolas named[16429]: transfer of 'rivendell/IN' from 192. 168. 2. 107#53: failed while receiving responses: permission denied Apr 6 06: 39: 33 legolas named[16429]: transfer of 'rivendell/IN' from 192. 168. 2. 107#53: end of transfer Solution: Enable named to create new files on secondary: 1. Run lokkit on secondary and change SELinux setting from Enforcing to Permissive 2. Use chmod 770 /var/named on secondary 96
CIS 192 - Lesson 9 Lab 7 Troubleshooting Problem: primary to secondary transfer failing From /var/log/messages: Apr 6 07: 01: 15 legolas named[16429]: zone rivendell/IN: refresh: retry limit for primary 192. 168. 2. 107#53 exceeded (source 0. 0#0) Apr 6 07: 01: 15 legolas named[16429]: zone rivendell/IN: Transfer started. Apr 6 07: 01: 15 legolas named[16429]: transfer of 'rivendell/IN' from 192. 168. 2. 107#53: failed to connect: host unreachable Apr 6 07: 01: 15 legolas named[16429]: transfer of 'rivendell/IN' from 192. 168. 2. 107#53: end of transfer Solution: Firewall on primary is blocking connection by secondary for transfer 1. Run lokkit on primary and disable firewall or 2. Open port UDP port 53 on primary 97
CIS 192 - Lesson 9 Zone transfer failing when blocked by firewall on primary 98
- Cis192
- A small child slides down the four frictionless slides
- John pushes hector on a plastic toboggan
- C device module module 1
- 192+150
- 192 in binary code
- Ping 168
- 192-168-
- 192 168 1 112
- Tt 192
- Analogi ip address
- /16 subnet mask
- 192-168-178-22
- 192 px
- 192 168 1 25
- Decreto ley 192 de 1999
- 192-168-0-3
- Ip network kelas c
- 192 168
- 192 168
- //192/168/105
- Http 192
- 192 168 33 1
- 192.q68.q.q
- 192 168 1 127
- Mousai msd192
- Cisco ucs certifications
- Binary 192
- 192 168
- Moa-2007-blg-192 lb
- Table nat
- Http //192.
- Me 192
- 168 192
- Switch definition informatik
- 192 168 101 8888
- (7 − 13) · (192 − 184).
- Antonine baroque
- 192,168,0,202
- 192,168,0,202
- 192,168,1,108
- 1921680
- 192 dot 168 dot 1 dot 1
- 192-168-1-20
- 192-168-20-1
- Lesson 6 employee health status
- Hardship and suffering lesson 2
- Module 5 lesson 5
- Grade 6, module 1: unit 2 answer key
- Module 1 lesson 1 family relationships
- Eureka math grade 6 module 1 lesson 1
- Module eleven lesson one self check quiz
- Eureka math algebra 1 module 1 lesson 15
- Grade 5 module 1 lesson 1
- Segment relationships in circles lesson 15-4
- Enthalpy of formation hess law
- Cit 590 upenn
- Cis 2168
- Decalin newman projection
- Types of unsaturated hydrocarbons
- Consulta certificado ctc
- Cis 548
- Pasangan tangga nada enharmonis bes, adalah
- Cis trans isomeria
- Biochemistry utoronto
- Dextrorotatory and levorotatory
- 1 3 dimethylcyclohexane cis trans
- Ssp e attestation portal
- Organic chemistry william h brown
- E z cis trans
- Lpk cakrawala indonesia sejahtera
- Kwas trans-but-2-enowy
- Krebsov ciklus
- Ana terzic
- Cis courses upenn
- 3 metilciclopentanolo
- Trans izomeri
- Octahedral cis trans
- Cyclopentane newman projection
- E z cis trans
- Cis90
- Cis 700
- Cis 581
- Cis 521
- Cis 519 upenn
- Upenn cis 419
- Cis 419 upenn
- Cis460
- Cis 4004
- Cis 4004
- Cis 4004 ucf
- Cis 371
- Intel 4004 transistor count
- Cis 3360
- Cliff zou
- Cis 262
- Cis shortcut
- Cis 110 upenn
- Cis 1 4 dimetilcicloesano