DNS Flashcards

Question 1

Q

What is name resolution

Answer

A

The process of translating names to IP address

Question 2

Q

At the top of the domain structure is the root domain (or “null”) This is typically written in documentation using which two notations

Answer

A

either ‘’ (that’s two single quotes) or

a single dot (.)

Question 3

Q

What is a TLD?

Answer

A

A top level domain, the level immediately below the root domain.  Examples of TLD's are 
.com
.co.uk
.org
etc.

Question 4

Q

What is a first-level domain?

Answer

A

that is the part of the domain name that preceedes the TLD. For example in
mydomain.com
“mydomain” is the first level domain.

A FQDN is usually made up of:
hostname.first-level-domain.TLD

Question 5

Q

What is a FQDN?

Answer

A

A fully qualified domain name, consists of hostname, domain name and top-level domain.

A FQDN is usually made up of:
hostname.first-level-domain.TLD

Technically, it should end with a period therefore:

forums. opensuse.org should be written as
forums. opensuse.org.

Question 6

Q

How many designated DNS managers manage to DNS root zone?

Question 7

Q

What is an authoritative data file?

Answer

A

It’s either a zone file or zone database. A zone define what the domain server has authority over.

Question 8

Q

What is a resolver?

Answer

A

a program or routine that forms a dns query

Question 9

Q

What is a Primary (Master) DNS Server?

Answer

A

A dns server that is considered authoritative as it has authority over one or more domains. The information it holds is known as authoritative information.

Question 10

Q

What is a secondary (Slave) DNS Server

Answer

A

a dns server that is optional (but recommended for all but the smallest of implementations). It is used to support the primary server and take some of the burden.

Question 11

Q

What is a caching DNS Server?

Answer

A

a dns server that receives information from an authoritative dns erver and caches the results to improve performance. Often used by ISPs

Question 12

Q

What is a Forwarding DNS server, how does it differ from a caching dns server?

Answer

A

Like a caching dns server, this doesn’t have authoritative domain data but caches requests for performance. In addition, if it doesn’t have the answer for a dns query, it will forward the request to another dns server.

Question 13

Q

What is a hybrid dns server?

Answer

A

a dns server that performs more than one role, for example a secondary slave server that is also a caching server

Question 14

Q

What is a stealth dns server?

Answer

A

a dns server that is not queried directly or is hidden behind a firewall. Stealth servers are often also hybrid dns servers.

Question 15

Q

What is a recursive Name Server?

Answer

A

a dns server that will answer queries from local cache. If the answer is not cached, the recursive server will start the process of resolving the query.

First by querying a root server for a dns server for the TLD.
Then querying the TLD server for a dns server for the first-level domain.
Then querying the zone server for the host IP.

So a single DNS request can spawn a number of DNS requests by the recursive dns server

Question 16

Q

BIND is popular name server on Linux, what does BIND stand for?

Answer

A

Berkeley Internet Name Domain

Question 17

Q

Apart from BIND, the LPIC exam requires awareness for 4 other dns alternatives - what are they?

Answer

A

djddns - collection of dns apps, including tinydns
dnsmasq - lightweight dns and DHCP server
pdnsd - dns utility, not a full dns server
PowerDNS - full dns

Question 18

Q

what is bindutils

Answer

A

package of dns tools useful for testing and troubleshooting dns

Question 19

Q

What packages for BIND would you on an RPM distro like Centos

Answer

A

yum install bind bind-utils

Question 20

Q

What packages for BIND would you on an deb distro like Ubuntu

Answer

A

apt-get install bind9 bind9utils

Question 21

Q

Where is the bind documentation likely to be?

Answer

A

/usr/share/doc/bind9

Question 22

Q

Where are the config files likely to be in

a) Centos and
b) Ubuntu?

Answer

A

a) /etc/named.conf

b) /etc/bind/named.conf or /etc/bind9/named.conf

Question 23

Q

Here is an example options section of a named.conf file
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory “/var/named”;
dump-file “/var/named/data/cache_dump.db”;
statistics-file “/var/named/data/named_stats.txt”;
memstatistics-file “/var/named/data/named_mem_stats.txt”;
allow-query { localhost; };

    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key"; };

Which interfaces is this server listening on?
Who is allowed to query the server?
Is the server caching queries?

Answer

A

The server is only listening on it’s local loopback network address (listen-on directive)

The server only allows queries from itself (allow-query directive)

The server is caching (Recursion yes; directive)

Question 24

Q

This is a snippet from named.conf - what is it and what does it do?

zone “.” IN {
type hint;
file “named.ca”;
};

Answer

A

This defines the root zone. The file named.ca contains the root server addresses. This allows our dns server to start revolving names for queries that are not cached.

This directive is often called “hint for root level servers”

Question 25

Q

What does the include directive do in named.conf?

Answer

A

Allows you to include separate files in the configuration so, the config can be split into multiple files to ease admin.

for example, bind9 on Ubuntu has a short named.conf file by default:

cat named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include “/etc/bind/named.conf.options”;
include “/etc/bind/named.conf.local”;
include “/etc/bind/named.conf.default-zones”;

Question 26

Q

Which utility can be used to check the syntax of named.conf after making amendments?

Answer

A

named-checkconf

Question 27

Q

Where are the zone files likely to be in

a) Centos and
b) Ubuntu?

Answer

A

a) /var/named/

b) /etc/bind or /etc/bind9

Question 28

Q

To obtain the benefits of a caching server - it should be setup physically close the the network it is serving. How would you use an access control list (acl) to setup a caching dns server?

Answer

A

acl trustednet {
  192.168.51.0/24;
  localhost;
  localnets;
};

allow-query { trutednet; };
listen-on port 53 { trustednet; };
recursion yes;

Question 29

Q

How would you test your local bind server with nslookup?

Answer

A

nslookup www.brainscape.com 192.168.51.2

Question 30

Q

How would you test your local bind server with dig?

Answer

A

dig www.brainscape.com @192.168.51.2
or
dig +short +identify www.brainscape.com @192.168.51.2

Question 31

Q

To configure other linux systems to use your new dns server on older distros you would edit resolve.conf. However, many distros now overwrite that file on boot.

To make the change permanent, which files would you edit on recent Centos and Ubuntu distros?

Answer

A

On Centos:
/etc/sysconfig/network-scripts/[interface-name]
change or add entry for DNS1 or DNS2
e.g. DNS1 = 192.168.51.2

On Ubuntu:
/etc/network/interfaces
add/amend entry for dns-nameservers
e.g dns-nameservers 192.168.51.2 192.168.0.1

Question 32

Q

Using rndc, how do you stop, start and restart bind?

Answer

A

stop: rndc stop
restart: rndc restart
start: can’t be done with rndc currently

Question 33

Q

Using ststemctl, how do you stop, start and restart bind?

Answer

A

systemctl start named (or bind)
systemctl reload named
systemctl stop named

Question 34

Q

How would you stop bind using signal interrupt or signal hangup?

Answer

A

kill -s SIGHUP $(cat /run/named/named.pid)
kill -s SIGINT $(cat /run/named/named.pid)

Although…. best method for controlling bind is now rndc

Question 35

Q

How would you reload binds config files using rndc?

Answer

A

rndc reload

Question 36

Q

How would you reload a single zone using rndc?

Answer

A

rndc reload [zonename]

Question 37

Q

How would you stop bing saving any pending updates using rndc?

Answer

A

rndc stop

Question 38

Q

How would you stop bing without saving any pending updates using rndc?

Answer

A

rndc halt

Question 39

Q

How would you flush binds cache using rndc?

Answer

A

rndc flush

Question 40

Q

How would you flush binds cache for a single domain using rndc?

Answer

A

rndc flushname [domainname]

Question 41

Q

How would you check the status of bind using rndc?

Answer

A

rndc status

Question 42

Q

What does a bind logging channel do?

Answer

A

Control WHERE messages are logged

Question 43

Q

What does a bind logging category directive do?

Answer

A

Controls WHAT types of messages are logged

Question 44

Q

What are the 4pre-defined logging channels in bind?

Answer

A

default_debug (writes to named.run)
default_syslog (writes to syslog or rsyslog)
default_stderr (writes to stderr)
null (Doesn’t log)

Question 45

Q

Bind logging severity levels go from dynamic to critical what’s in between?

Answer

A

dynamic
debug [#]   (level number  0, 1, 2, 3..)
info
notice 
warning
error
critical

Question 46

Q

Who are the current maintainers of bind?

Answer

A

ISC www.isc.org

Question 47

Q

What is a dns zone?

Answer

A

A zone defines what a nameserver has authority over. It includes maintaining the zone’s authoritative data files (zone files or zone databases)

Question 48

Q

You see this in named.conf, what is it?

zone “localhost” {
type master;
file “/etc/bind/db.local”;
};

Answer

A

This is the zone directive for local host. The authoritative data is in /etc/bind/db.local

Question 49

Q

There are a number of zone types, including master and slave can you name another 6?

Answer

A

Master
slave

forward
hint
redirect
stub
static-stub
delegation-only

Question 50

Q

This is an example slave zone directive. Explain what each part means

zone "secondary.example.com" IN {
  type slave;
  file "/etc/secondary.example.com";
  masters { 192.168.0.104; };
  allow-notify {192.168.0.104; };
};

Answer

A

First lines defines INternet zone secondary.example.com
type slave = this is a secondary, slave nameserver for this zone.
file = local copy of the zone data
masters = list of the master authoritative domains for the zone
allow-notify = only allow list to update the zone

Question 51

Q

Under what circumstances do zone transfers occur?

Answer

A

Secondary (slave) server is started or restarted
Zone data refresh time has expired
The master has sent slave zone change notification
A manual request via rndc

Question 52

Q

Authoritative zone data comes in two forms, DIRECTIVE and RESOURCE RECORDS. 3 common directives are $ORIGIN, $INCLUDE, $TTL what are they used for?

Answer

A

$ORIGIN - sets the domain name for the zone file
$INCLUDE - includes the contents of external files
$TTL - Sets the default time to live

Question 53

Q

A DNS resource record provides the zones authoritative name resolution info, what is the function of a “A” record type?

Answer

A

a host address record for ipv4

Question 54

Q

A DNS resource record provides the zones authoritative name resolution info, what is the function of a “AAAA” record type?

Answer

A

a host address record for ipv6

Question 55

Q

A DNS resource record provides the zones authoritative name resolution info, what is the function of a “CNAME” record type?

Answer

A

A canonical name record maps an alias to a host name

Question 56

Q

A DNS resource record provides the zones authoritative name resolution info, what is the function of a “MX” record type?

Answer

A

A mail exchange record declares a preference value followed by mail hostname(s)

Question 57

Q

A DNS resource record provides the zones authoritative name resolution info, what is the function of a “NS” record type?

Answer

A

A name server record - specifies the zone’s authoritative name server.

Question 58

Q

A DNS resource record provides the zones authoritative name resolution info, what is the function of a “PTR” record type?

Answer

A

A pointer record points to another domain namespace location and is typically used in reverse lookups

Question 59

Q

A DNS resource record provides the zones authoritative name resolution info, what is the function of a “SOA” record type?

Answer

A

a Start of Authority record identifies the authority for a zone and includes the zones authoritative data. ONLY one SOA record for a zone should be created.

Question 60

Q

A DNS resource record provides the zones authoritative name resolution info, what is the function of a “TXT” record type?

Answer

A

A text record holds free-form text enclosed in quotation marks, which can serve various purposes.

Question 61

Q

What zone naming convention is often used in reverse zones?

Answer

A

The first 3 octets of the ipv4 address reversed, followed by the text in-addr.arpa

For example for the IP address 192.168.20.20
20.168.192.in-addr.arpa

Question 62

Q

What zone name would you use for the reverse lookup of LPIC2.example.com at iP address 192.168.10.10

Answer

A

10.168.192.in-addr.arpa

Question 63

Q

What utility can you use to check the syntax of your named config files prior to starting or restarting the named service?

Answer

A

named-checkzone
by default will check named.conf or use
named-checkzoe [filename] to check another file

Question 64

Q

What is delegating a zone?

Answer

A

A zones authoritative data is put on another name server(s) and authorty is given to that name server.

Answer 64

A

a glue record provides a pointer to a new DNS server where that dns server has been delegated authority. It looks something like this:

@ IN NS LPIC2.example.com.
LPIC2 IN A 192.168.64.120

Answer 65

A

host
dig
nslookup
rndc

Answer 66

A

dig @[nameserver] [domain]
e.g.
dig @8.8.8.8 cnn.com

Answer 67

A

The name server believes the domain name doesn’t exist

Answer 68

A

dig -x 192.168.10.10

Answer 69

A

dig mx example.com

or
dig mx +short example.com

Answer 70

A

host -t mx example.com

Answer 71

A

named-compilezone

Answer 72

A

nslookup -query=ns example.com

Answer 73

A

You will be in nslookup’s interactive mode

Answer 74

A

named-checkconfig

named-checkzone

Answer 75

A

the version directive

e.g.

version “null”

Answer 76

A

Hide the bind version number (version directive)
disable recursion (recurion no)
disable queries from external (allow-query none)
disallow access to the DNS cache (allow-query-cache none)

Answer 77

A

is one or more DNS servers serving different DNS purposes. This can be accomplished using views fo internal and external clients or by using separate servers - one private and one public.

Answer 78

A

No. Generally it is advised torun only bind to reduce the potential “attack surface” on the server.

AND - run bind as a non-root user

Answer 79

A

Install bind and bindutils.
Configure and test the bind configuration
stop the bind service
install the bind-chroot package
do an rpm -ql bind-chroot and look for the name and location of the shell script.
Run the shell script
Change the /etc/default/bind file, and append -t /chroot/path
While you are these, make sure named is running as a non-root user (-u named or the like)
start bind-chroot
make sure bind is running in chroot:
ps aux |grep bind

Answer 80

A

Create a new directory, e.g. /chroot/named
create new subdirectories under the new directory:
etc/bind
home/named
proc
var/run
var/log
copy files into these directories
copy bind config files into chroot etc
copy zone configs and database files into chroot
modify bind user account so home directory now points to chroot
change ownership and permission of files and directories
change bind start options to start as bind or named user and in /chrot/named directory

Answer 81

A

No! it uses asymmetric encryption to provide digital signatures. That is, it verifies the server, but doesn’t encrypt traffic.

Answer 82

A

its a bind security extension

Answer 83

A

DNSKEY - Public Key

RRSIG- Digital Signature

Answer 84

A

A dns resolver that executes DSSEC validation

Answer 85

A

a DNSKEY record on a validating resolver

Answer 86

A

Zones signed with higher/lower zones

Answer 87

A

The encryption key used to sign zone records

Answer 88

A

The key used to sign the zones ZSK

Answer 89

A

Data validation occurs on validating resolver when it reraces the chain of trust & verifies answers authenticiity.

Answer 90

A

A validating resolver response when the DNSSEC data validation fails.

Answer 91

A

dnssec-enable yes;
dnssec-validation yes;
trusted-keys
managed-keys
bindkeys-file

Answer 92

A

because of the chain of trust DNSSEC validation will not work if zones higher in the chain are not signed. DLV allows the dns server to provide a trust anchor even if higher zones are unsigned.

This should be used as a temp measure until all the servers in the chain are signed.

Answer 93

A

dig +dnssec 127.0.0.1

Answer 94

A

dnssec-keygen

This utility creates a zone.private file and a zone.key file

Answer 95

A

TSIG stands for Transaction Signature, it signs a DNS message with a digital signature providing point-to-point authentication.

Answer 96

A

TSIG uses a timestamp in the symmetric encryption process so it is important clients and servers keep the same time. Using the timestamp helps avoid the use of replay attacks on DNS servers.

Answer 97

A

DNS-based Authentication of named entities.

Answer 98

A

DANE associates certificate or public key with a servers domain name using a DNS query. This query is secured via DNSSEC. This association is called certificate association which is stored in a DNS record called a TLSA record.

Answer 99

A

A DNS record used by DANE to associate a certificate or pblic key with a server.

Brainscape's Knowledge GenomeTM

DNS Flashcards

Understand DNS and how to configure it on Linux

Brainscape's Knowledge Genome^TM