DNS

Question 1

What is name resolution

Answer 1

The process of translating names to IP address

Question 2

At the top of the domain structure is the root domain (or “null”) This is typically written in documentation using which two notations

Answer 2

either ‘’ (that’s two single quotes) or

a single dot (.)

Question 3

What is a TLD?

Answer 3

A top level domain, the level immediately below the root domain.  Examples of TLD's are 
.com
.co.uk
.org
etc.

Question 4

What is a first-level domain?

Answer 4

that is the part of the domain name that preceedes the TLD. For example in
mydomain.com
“mydomain” is the first level domain.

A FQDN is usually made up of:
hostname.first-level-domain.TLD

Question 5

What is a FQDN?

Answer 5

A fully qualified domain name, consists of hostname, domain name and top-level domain.

A FQDN is usually made up of:
hostname.first-level-domain.TLD

Technically, it should end with a period therefore:

forums. opensuse.org should be written as
forums. opensuse.org.

Question 6

How many designated DNS managers manage to DNS root zone?

Answer 6

13

Question 7

What is an authoritative data file?

Answer 7

It’s either a zone file or zone database. A zone define what the domain server has authority over.

Question 8

What is a resolver?

Answer 8

a program or routine that forms a dns query

Question 9

What is a Primary (Master) DNS Server?

Answer 9

A dns server that is considered authoritative as it has authority over one or more domains. The information it holds is known as authoritative information.

Question 10

What is a secondary (Slave) DNS Server

Answer 10

a dns server that is optional (but recommended for all but the smallest of implementations). It is used to support the primary server and take some of the burden.

Question 11

What is a caching DNS Server?

Answer 11

a dns server that receives information from an authoritative dns erver and caches the results to improve performance. Often used by ISPs

Question 12

What is a Forwarding DNS server, how does it differ from a caching dns server?

Answer 12

Like a caching dns server, this doesn’t have authoritative domain data but caches requests for performance. In addition, if it doesn’t have the answer for a dns query, it will forward the request to another dns server.

Question 13

What is a hybrid dns server?

Answer 13

a dns server that performs more than one role, for example a secondary slave server that is also a caching server

Question 14

What is a stealth dns server?

Answer 14

a dns server that is not queried directly or is hidden behind a firewall. Stealth servers are often also hybrid dns servers.

Question 15

What is a recursive Name Server?

Answer 15

a dns server that will answer queries from local cache. If the answer is not cached, the recursive server will start the process of resolving the query.

First by querying a root server for a dns server for the TLD.
Then querying the TLD server for a dns server for the first-level domain.
Then querying the zone server for the host IP.

So a single DNS request can spawn a number of DNS requests by the recursive dns server

Question 16

BIND is popular name server on Linux, what does BIND stand for?

Answer 16

Berkeley Internet Name Domain

Question 17

Apart from BIND, the LPIC exam requires awareness for 4 other dns alternatives - what are they?

Answer 17

djddns - collection of dns apps, including tinydns
dnsmasq - lightweight dns and DHCP server
pdnsd - dns utility, not a full dns server
PowerDNS - full dns

Question 18

what is bindutils

Answer 18

package of dns tools useful for testing and troubleshooting dns

Question 19

What packages for BIND would you on an RPM distro like Centos

Answer 19

yum install bind bind-utils

Question 20

What packages for BIND would you on an deb distro like Ubuntu

Answer 20

apt-get install bind9 bind9utils

Question 21

Where is the bind documentation likely to be?

Answer 21

/usr/share/doc/bind9

Question 22

Where are the config files likely to be in

a) Centos and
b) Ubuntu?

Answer 22

a) /etc/named.conf

b) /etc/bind/named.conf or /etc/bind9/named.conf

Question 23

Here is an example options section of a named.conf file
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory “/var/named”;
dump-file “/var/named/data/cache_dump.db”;
statistics-file “/var/named/data/named_stats.txt”;
memstatistics-file “/var/named/data/named_mem_stats.txt”;
allow-query { localhost; };

    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key"; };

Which interfaces is this server listening on?
Who is allowed to query the server?
Is the server caching queries?

Answer 23

The server is only listening on it’s local loopback network address (listen-on directive)

The server only allows queries from itself (allow-query directive)

The server is caching (Recursion yes; directive)

Question 24

This is a snippet from named.conf - what is it and what does it do?

zone “.” IN {
type hint;
file “named.ca”;
};

Answer 24

This defines the root zone. The file named.ca contains the root server addresses. This allows our dns server to start revolving names for queries that are not cached.

This directive is often called “hint for root level servers”

Question 25

What does the include directive do in named.conf?

Answer 25

Allows you to include separate files in the configuration so, the config can be split into multiple files to ease admin. for example, bind9 on Ubuntu has a short named.conf file by default: ``` cat named.conf // This is the primary configuration file for the BIND DNS server named. // // Please read /usr/share/doc/bind9/README.Debian.gz for information on the // structure of BIND configuration files in Debian, *BEFORE* you customize // this configuration file. // // If you are just adding zones, please do that in /etc/bind/named.conf.local ``` include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones";

Question 26

Which utility can be used to check the syntax of named.conf after making amendments?

Answer 26

named-checkconf

Question 27

Where are the zone files likely to be in a) Centos and b) Ubuntu?

Answer 27

a) /var/named/ | b) /etc/bind or /etc/bind9

Question 28

To obtain the benefits of a caching server - it should be setup physically close the the network it is serving. How would you use an access control list (acl) to setup a caching dns server?

Answer 28

``` acl trustednet { 192.168.51.0/24; localhost; localnets; }; ``` allow-query { trutednet; }; listen-on port 53 { trustednet; }; recursion yes;

Question 29

How would you test your local bind server with nslookup?

Answer 29

nslookup www.brainscape.com 192.168.51.2

Question 30

How would you test your local bind server with dig?

Answer 30

dig www.brainscape.com @192.168.51.2 or dig +short +identify www.brainscape.com @192.168.51.2

Question 31

To configure other linux systems to use your new dns server on older distros you would edit resolve.conf. However, many distros now overwrite that file on boot. To make the change permanent, which files would you edit on recent Centos and Ubuntu distros?

Answer 31

On Centos: /etc/sysconfig/network-scripts/[interface-name] change or add entry for DNS1 or DNS2 e.g. DNS1 = 192.168.51.2 On Ubuntu: /etc/network/interfaces add/amend entry for dns-nameservers e.g dns-nameservers 192.168.51.2 192.168.0.1

Question 32

Using rndc, how do you stop, start and restart bind?

Answer 32

stop: rndc stop restart: rndc restart start: can't be done with rndc currently

Question 33

Using ststemctl, how do you stop, start and restart bind?

Answer 33

systemctl start named (or bind) systemctl reload named systemctl stop named

Question 34

How would you stop bind using signal interrupt or signal hangup?

Answer 34

kill -s SIGHUP $(cat /run/named/named.pid) kill -s SIGINT $(cat /run/named/named.pid) Although.... best method for controlling bind is now rndc

Question 35

How would you reload binds config files using rndc?

Answer 35

rndc reload

Question 36

How would you reload a single zone using rndc?

Answer 36

rndc reload [zonename]

Question 37

How would you stop bing saving any pending updates using rndc?

Answer 37

rndc stop

Question 38

How would you stop bing without saving any pending updates using rndc?

Answer 38

rndc halt

Question 39

How would you flush binds cache using rndc?

Answer 39

rndc flush

Question 40

How would you flush binds cache for a single domain using rndc?

Answer 40

rndc flushname [domainname]

Question 41

How would you check the status of bind using rndc?

Answer 41

rndc status

Question 42

What does a bind logging channel do?

Answer 42

Control WHERE messages are logged

Question 43

What does a bind logging category directive do?

Answer 43

Controls WHAT types of messages are logged

Question 44

What are the 4pre-defined logging channels in bind?

Answer 44

default_debug (writes to named.run) default_syslog (writes to syslog or rsyslog) default_stderr (writes to stderr) null (Doesn't log)

Question 45

Bind logging severity levels go from dynamic to critical what's in between?

Answer 45

``` dynamic debug [#] (level number 0, 1, 2, 3..) info notice warning error critical ```

Question 46

Who are the current maintainers of bind?

Answer 46

ISC www.isc.org

Question 47

What is a dns zone?

Answer 47

A zone defines what a nameserver has authority over. It includes maintaining the zone's authoritative data files (zone files or zone databases)

Question 48

You see this in named.conf, what is it? zone "localhost" { type master; file "/etc/bind/db.local"; };

Answer 48

This is the zone directive for local host. The authoritative data is in /etc/bind/db.local

Question 49

There are a number of zone types, including master and slave can you name another 6?

Answer 49

Master slave ``` forward hint redirect stub static-stub delegation-only ```

Question 50

This is an example slave zone directive. Explain what each part means ``` zone "secondary.example.com" IN { type slave; file "/etc/secondary.example.com"; masters { 192.168.0.104; }; allow-notify {192.168.0.104; }; }; ```

Answer 50

First lines defines INternet zone secondary.example.com type slave = this is a secondary, slave nameserver for this zone. file = local copy of the zone data masters = list of the master authoritative domains for the zone allow-notify = only allow list to update the zone

Question 51

Under what circumstances do zone transfers occur?

Answer 51

Secondary (slave) server is started or restarted Zone data refresh time has expired The master has sent slave zone change notification A manual request via rndc

Question 52

Authoritative zone data comes in two forms, DIRECTIVE and RESOURCE RECORDS. 3 common directives are $ORIGIN, $INCLUDE, $TTL what are they used for?

Answer 52

$ORIGIN - sets the domain name for the zone file $INCLUDE - includes the contents of external files $TTL - Sets the default time to live

Question 53

A DNS resource record provides the zones authoritative name resolution info, what is the function of a "A" record type?

Answer 53

a host address record for ipv4

Question 54

A DNS resource record provides the zones authoritative name resolution info, what is the function of a "AAAA" record type?

Answer 54

a host address record for ipv6

Question 55

A DNS resource record provides the zones authoritative name resolution info, what is the function of a "CNAME" record type?

Answer 55

A canonical name record maps an alias to a host name

Question 56

A DNS resource record provides the zones authoritative name resolution info, what is the function of a "MX" record type?

Answer 56

A mail exchange record declares a preference value followed by mail hostname(s)

Question 57

A DNS resource record provides the zones authoritative name resolution info, what is the function of a "NS" record type?

Answer 57

A name server record - specifies the zone's authoritative name server.

Question 58

A DNS resource record provides the zones authoritative name resolution info, what is the function of a "PTR" record type?

Answer 58

A pointer record points to another domain namespace location and is typically used in reverse lookups

Question 59

A DNS resource record provides the zones authoritative name resolution info, what is the function of a "SOA" record type?

Answer 59

a Start of Authority record identifies the authority for a zone and includes the zones authoritative data. ONLY one SOA record for a zone should be created.

Question 60

A DNS resource record provides the zones authoritative name resolution info, what is the function of a "TXT" record type?

Answer 60

A text record holds free-form text enclosed in quotation marks, which can serve various purposes.

Question 61

What zone naming convention is often used in reverse zones?

Answer 61

The first 3 octets of the ipv4 address reversed, followed by the text in-addr.arpa For example for the IP address 192.168.20.20 20.168.192.in-addr.arpa

Question 62

What zone name would you use for the reverse lookup of LPIC2.example.com at iP address 192.168.10.10

Answer 62

10.168.192.in-addr.arpa

Question 63

What utility can you use to check the syntax of your named config files prior to starting or restarting the named service?

Answer 63

named-checkzone by default will check named.conf or use named-checkzoe [filename] to check another file

Question 64

What is delegating a zone?

Answer 64

A zones authoritative data is put on another name server(s) and authorty is given to that name server.

Question 65

What is a "glue" record

Answer 65

a glue record provides a pointer to a new DNS server where that dns server has been delegated authority. It looks something like this: @ IN NS LPIC2.example.com. LPIC2 IN A 192.168.64.120

Question 66

What tools are available to troublshoot bind?

Answer 66

host dig nslookup rndc

Question 67

How would you use dig to query a domain using a domain name server that isn't listed in your resolv.conf?

Answer 67

dig @[nameserver] [domain] e.g. dig @8.8.8.8 cnn.com

Question 68

What does the dig result NXDOMAIN indicate?

Answer 68

The name server believes the domain name doesn't exist

Question 69

How would you do a reverse lookup with dig on the IP address 192.168.10.10?

Answer 69

dig -x 192.168.10.10

Question 70

How would you use dig to check the mx records for a domain?

Answer 70

dig mx example.com or dig mx +short example.com

Question 71

How would you use the host utility to check mx records in a domain?

Answer 71

host -t mx example.com

Question 72

When trouble shooting bind, there is a utility to convert binary zone files back to text and text files to binary What is is called?

Answer 72

named-compilezone

Question 73

How would you use nslookup to find the authoritative IP address for the domain example.com?

Answer 73

nslookup -query=ns example.com

Question 74

What happens if you enter the command nslookup on its own (i.e. without parameters)?

Answer 74

You will be in nslookup's interactive mode

Question 75

Named (bind) has two tools to check local config files. What are they?

Answer 75

named-checkconfig named-checkzone

Question 76

For security it may be wise o hide the version number on public facing dns servers. Which directive in the config will achieve that?

Answer 76

the version directive e.g. version "null"

Question 77

For security, ou may want to setup different views of the DNS server for internal and external clients. What types of directive might you want to change for external clients?

Answer 77

``` Hide the bind version number (version directive) disable recursion (recurion no) disable queries from external (allow-query none) disallow access to the DNS cache (allow-query-cache none) ```

Question 78

What is a split DNS configuration? (also called dual horizon or split horizon)

Answer 78

is one or more DNS servers serving different DNS purposes. This can be accomplished using views fo internal and external clients or by using separate servers - one private and one public.

Question 79

Is it a good idea to run bind along with other services on your public server?

Answer 79

No. Generally it is advised torun only bind to reduce the potential "attack surface" on the server. AND - run bind as a non-root user

Question 80

Describe the process of chrooting bind using the bind-chroot package available on some distros.

Answer 80

Install bind and bindutils. Configure and test the bind configuration stop the bind service install the bind-chroot package do an rpm -ql bind-chroot and look for the name and location of the shell script. Run the shell script Change the /etc/default/bind file, and append -t /chroot/path While you are these, make sure named is running as a non-root user (-u named or the like) start bind-chroot make sure bind is running in chroot: ps aux |grep bind

Question 81

Describe th process of manually setting up bind in a chroot environment.

Answer 81

Create a new directory, e.g. /chroot/named create new subdirectories under the new directory: etc/bind home/named proc var/run var/log copy files into these directories copy bind config files into chroot etc copy zone configs and database files into chroot modify bind user account so home directory now points to chroot change ownership and permission of files and directories change bind start options to start as bind or named user and in /chrot/named directory

Question 82

Does DNSSEC encrypt dns queries between the client and the server?

Answer 82

No! it uses asymmetric encryption to provide digital signatures. That is, it verifies the server, but doesn't encrypt traffic.

Question 83

What is DNSSEC?

Answer 83

its a bind security extension

Question 84

A couple of important DNSSEC resource record types are DNSKEY and RRSIG. What ar these record types used for?

Answer 84

DNSKEY - Public Key | RRSIG- Digital Signature

Question 85

What is a DNSSEC validating resolver?

Answer 85

A dns resolver that executes DSSEC validation

Question 86

What is a DNSSEC trust anchor?

Answer 86

a DNSKEY record on a validating resolver

Question 87

What is a DNSSEC chain of trust?

Answer 87

Zones signed with higher/lower zones

Question 88

What is a DNSSEC Zone signing Key (ZSK)?

Answer 88

The encryption key used to sign zone records

Question 89

What is a DNSSEC Key Signing Key (KSK)?

Answer 89

The key used to sign the zones ZSK

Question 90

What is DNSSEC Data Validation?

Answer 90

Data validation occurs on validating resolver when it reraces the chain of trust & verifies answers authenticiity.

Question 91

What is a DNSSEC SERFAIL?

Answer 91

A validating resolver response when the DNSSEC data validation fails.

Question 92

5 Key named.conf settings for DNSSEC?

Answer 92

``` dnssec-enable yes; dnssec-validation yes; trusted-keys managed-keys bindkeys-file ```

Question 93

What is DNSSEC Lookaside validation?

Answer 93

because of the chain of trust DNSSEC validation will not work if zones higher in the chain are not signed. DLV allows the dns server to provide a trust anchor even if higher zones are unsigned. This should be used as a temp measure until all the servers in the chain are signed.

Question 94

How can you use dig to check for dnssec on a name server?

Answer 94

dig +dnssec 127.0.0.1

Question 95

What utility can we use to generate dnssec keys?

Answer 95

dnssec-keygen This utility creates a zone.private file and a zone.key file

Question 96

What does TSIG stand for and what does it do?

Answer 96

TSIG stands for Transaction Signature, it signs a DNS message with a digital signature providing point-to-point authentication.

Question 97

Why might you consider using NTP when using TSIG?

Answer 97

TSIG uses a timestamp in the symmetric encryption process so it is important clients and servers keep the same time. Using the timestamp helps avoid the use of replay attacks on DNS servers.

Question 98

What does DANE stand for?

Answer 98

DNS-based Authentication of named entities.

Question 99

What does DANE do?

Answer 99

DANE associates certificate or public key with a servers domain name using a DNS query. This query is secured via DNSSEC. This association is called certificate association which is stored in a DNS record called a TLSA record.

Question 100

What is a TLSA record?

Answer 100

A DNS record used by DANE to associate a certificate or pblic key with a server.