DNS and HTTP Flashcards

1
Q

What is the name of the service that runs for the bind package?
Where is the configuration file located?

A

named
/etc/named.conf

2
Q

Ask your local DNS server and 1.1.1.1 for the IPs of google.com

A

dig -t a @localhost google.com
dig -t a @1.1.1.1 google.com

-t a <- query type A (address record)

3
Q

What are the two different DNS query types?

A

Recursive - The DNS server that receives the query will do all the work to get the answer back to you. It might query other DNS servers for the answer. A recursive query is when your DNS server asks another.

Iterative - Will not get the complete answer for you, but gives a referral to other DNS servers. Now you go query those servers; it is something YOU have to do.
Basically this just means it's non-recursive: the server tries its own database for the entry, and if it doesn't have it, it tells you it doesn't know it, end of story.

4
Q

What is a DNS forwarder?
Set forwarders for your DNS server.

A

A DNS server that will be queried recursively by our server.

In the options block:

options {
    forward only;
    forwarders { 8.8.8.8; };
    allow-query { any; };
    recursion yes;
};

If you leave "forward only" off and allow others to query, then it will use these servers when it's looking for records.

5
Q

What is caching?
Configure your DNS server: allow only certain IPs to query it, allow recursive queries only from your network, add forwarders that you can forward queries to, check the config, allow the port through the firewall, and start the service.

A

Caching stores resolved (successful and failed) DNS lookups.

SPECIFY YOUR SERVER AS THE DNS SERVER under options:
listen-on port 53 { 127.0.0.1; 192.0.2.1; };
listen-on-v6 port 53 { ::1; 2001:db8:1::1; };

YOU COULD TECHNICALLY:
listen-on port 53 { any; };

ALLOW ONLY CERTAIN IPS TO QUERY:
allow-query { localhost; 192.0.2.0/24; 2001:db8:1::/64; };

ALLOW RECURSIVE QUERIES TO COME ONLY FROM THE BELOW IPS (NO PUBLIC IPS! AN OPEN RESOLVER IS RIPE FOR ATTACK!):
allow-recursion { localhost; 192.0.2.0/24; 2001:db8:1::/64; };

ADD FORWARDERS, IF YOU WISH, THAT YOU CAN FORWARD QUERIES TO:
forwarders { 8.8.8.8; 1.1.1.1; };

CHECK IF THE SYNTAX OF THE FILE IS CORRECT:
named-checkconf    <- no output means correct

ALLOW THROUGH FIREWALL:
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload

systemctl start named

SELINUX WILL GIVE YOU GRIEF HERE, SO WE WILL HAVE TO:
dnf install policycoreutils-python-utils -y
semanage fcontext -a -t named_conf_t "/etc/named.conf(/.*)?"
restorecon -vR /etc/named.conf

6
Q

The logging section of bind looks like the below:

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

Explain what this means and create your own channels for the levels to log:
We'll want the notify, xfer-in and xfer-out categories to use the zone_transfer_log channel to log messages; there should be up to 10 files of up to 50 megs each, written to /var/named/log/transfer.log.

Remember to create the directory and give named access to it.

A

Bind uses the default_debug channel and logs messages to the /var/named/data/named.run file.

default_debug <- only logs entries when the server debug level is non-zero. There are THREE levels of debug, 3 being the most verbose output.

logging {
    category notify { zone_transfer_log; };
    category xfer-in { zone_transfer_log; };
    category xfer-out { zone_transfer_log; };
    channel zone_transfer_log {
        file "/var/named/log/transfer.log" versions 10 size 50m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
    ...
};

mkdir /var/named/log/
chown named:named /var/named/log/
chmod 700 /var/named/log/

named-checkconf

systemctl restart named

cat /var/named/log/transfer.log

BASIC LOGS ARE STORED IN /var/named/data AS YOU CAN TELL FROM THE BIND CONFIGURATION FILE. YOU CAN SEE THAT IT IS A RELATIVE PATH AS IT IS:
"data/named.run"

7
Q

Create an ACL, and only allow hosts from it in.
Remember, if your IP is in the first IP group of the ACL it will allow you access without reading the rest.

A

ACLs are not inside options {}; they should be defined above it.
acl trusted { 127.0.0.1; 192.168.10.128/30; };

Then, inside options {}:
allow-query { trusted; };

named-checkconf

systemctl reload named

8
Q

What is a DNS zone?

What is an authoritative DNS server?

A

Where clients resolve hostnames; this is configured in a zone.

It holds the original zone records.

9
Q

What does a trailing dot mean in your DNS record name?

hostmaster.example.com.

A

The end dot signifies this is the top level. Anything without the dot has the zone origin appended, so with an origin of this.com it would come out like:
hostmaster.example.com.this.com

10
Q

What is an SOA record?

A

Start of Authority record
Required
Shows which DNS servers are authoritative for a zone

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_networking_infrastructure_services/assembly_setting-up-and-configuring-a-bind-dns-server_networking-infrastructure-services#ref_the-soa-record-in-zone-files_assembly_configuring-zones-on-a-bind-dns-server (section 1.5.1)

11
Q

What do forward zone maps do?

Create a forward map zone for example.com

A

Map names to IP addresses and other info.

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
    allow-transfer { none; };
};

type master - This server is the primary server for the example.com zone.

file "example.com.zone"; - /var/named/example.com.zone is the zone file. This is a relative path that is dictated by the directory statement in options, which is '/var/named'.

allow-query { any; }; - Any host can query this zone.

allow-transfer { none; }; - No hosts can transfer the zone. Only allow it when you set up a secondary server, and only for the IP of the other server.
A zone transfer replicates the info on your DNS server to another that you might use as a backup.

vi /var/named/example.com.zone

12
Q

Give an example of what a zone file looks like.

A

$TTL 8h
@ IN SOA ns1.example.com. hostmaster.example.com. (
    2022070601 ; serial number
    1d         ; refresh period
    3h         ; retry period
    3d         ; expire time
    3h )       ; minimum TTL

     IN NS   ns1.example.com.
     IN MX   10 mail.example.com.

www  IN A    192.0.2.30
www  IN AAAA 2001:db8:1::30
ns1  IN A    192.0.2.1
ns1  IN AAAA 2001:db8:1::1
mail IN A    192.0.2.20
mail IN AAAA 2001:db8:1::20

chown root:named /var/named/example.com.zone
chmod 640 /var/named/example.com.zone
named-checkzone example.com /var/named/example.com.zone
systemctl reload named

ANYTHING AFTER A ; IS A COMMENT HERE

dig +short @localhost AAAA www.example.com

dig +short @localhost NS example.com

dig +short @localhost A ns1.example.com

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_networking_infrastructure_services/assembly_setting-up-and-configuring-a-bind-dns-server_networking-infrastructure-services#proc_setting-up-a-forward-zone-on-a-bind-primary-server_assembly_configuring-zones-on-a-bind-dns-server (section 1.5.2)

TTL - How long a DNS record should be cached by resolvers before querying again.

Serial - Tracks changes. Each time the zone file is updated this number increases so secondary servers know to pull the latest version. Best practice is to set it in date format, e.g. 2024103001.

Refresh - Seconds; the time secondary servers wait before checking with the primary for updates.

Retry - The wait time before a secondary server checks for updates again if the refresh fails.

Expire - Max time (seconds) secondary servers can serve the zone without updates from the primary. If exceeded, the zone is stale and no longer served.

Minimum TTL - Minimum TTL for negative responses (non-existent domains).
