DNS and HTTP Flashcards
What is the name of the service that runs for the bind package?
Where is the configuration file located?
named
/etc/named.conf
Ask your local DNS server and 1.1.1.1 for the IPs of google.com
dig -t a @localhost google.com
dig -t a @1.1.1.1 google.com
-t a <- query type A (address record)
What are the two different DNS query types?
Recursive - the DNS server that receives the query does all the work to get the answer back to you, and might query other DNS servers to find it. A recursive query is when your DNS server asks another server on your behalf.
Iterative - will not get the complete answer for you, but gives a referral to other DNS servers. Now you have to go query those servers yourself.
Basically this just means it's non-recursive: the server tries its own database for the entry, and if it doesn't have it, it tells you it doesn't know, end of story.
What is a DNS forwarder?
Set DNS server forwarders for your DNS server
A DNS server that will be queried recursively by our server.
in options {
forward only;
forwarders {
8.8.8.8; };
allow-query { any; };
recursion yes;
};
If you leave "forward only" out and allow others to query, it will still use these forwarders when it's looking up records.
What is caching?
Caching stores resolved (successful and failed) DNS lookups.
Configure your DNS server: allow only certain IPs to query it, allow recursive queries to come from your network, add forwarders that you can forward queries to, check the context, allow the ports, start the service.
SPECIFY YOUR SERVER AS THE DNS SERVER under options
listen-on port 53 { 127.0.0.1; 192.0.2.1; };
listen-on-v6 port 53 { ::1; 2001:db8:1::1; };
YOU COULD TECHNICALLY
listen-on port 53 { any; };
ALLOW ONLY CERTAIN IPS TO QUERY
allow-query { localhost; 192.0.2.0/24; 2001:db8:1::/64; };
ALLOW RECURSIVE QUERIES TO COME FROM THE BELOW IPS ONLY (NO PUBLIC IPS! AN OPEN RECURSIVE RESOLVER IS RIPE FOR ABUSE!)
allow-recursion { localhost; 192.0.2.0/24; 2001:db8:1::/64; };
ADD FORWARDERS, IF YOU WISH, THAT YOU CAN FORWARD QUERIES TO
forwarders { 8.8.8.8; 1.1.1.1;};
CHECK IF THE CONFIG FILE SYNTAX IS CORRECT
named-checkconf - no output means correct
ALLOW THROUGH FIREWALL
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
systemctl start named
SELINUX WILL GIVE YOU GRIEF HERE, SO WE WILL HAVE TO SET THE FILE CONTEXT:
dnf install policycoreutils-python-utils -y
semanage fcontext -a -t named_conf_t "/etc/named.conf(/.*)?"
restorecon -vR /etc/named.conf
The logging section of bind looks like the below:
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
Explain what this means and create your own channels for levels to log:
We'll want the notify, xfer-in and xfer-out categories to use the zone_transfer_log channel to log messages; there should be up to 10 files that can go up to 50 MB each, written to /var/named/log/transfer.log.
Remember to create the directory and allow named to write to it.
Bind uses the default_debug channel and logs messages to the /var/named/data/named.run file.
default_debug <- only logs entries when the server debug level is non-zero. There are THREE levels of debug, 3 being the most verbose output.
logging {
    ...
    category notify { zone_transfer_log; };
    category xfer-in { zone_transfer_log; };
    category xfer-out { zone_transfer_log; };
    channel zone_transfer_log {
        file "/var/named/log/transfer.log" versions 10 size 50m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
    ...
};
mkdir /var/named/log/
chown named:named /var/named/log/
chmod 700 /var/named/log/
named-checkconf
systemctl restart named
cat /var/named/log/transfer.log
BASIC LOGS ARE STORED IN /VAR/NAMED/DATA AS YOU CAN TELL FROM THE BIND CONFIGURATION FILE. YOU CAN SEE THAT IT IS A RELATIVE PATH (RELATIVE TO THE "directory" OPTION) AS IT IS:
"data/named.run"
Create an ACL, and only allow hosts listed in it to query.
Remember, ACLs match first-match: if your IP matches the first entry of the ACL it will allow you access without reading the rest.
ACLs are not inside options {}; they should be defined above it.
acl trusted { 127.0.0.1; 192.168.10.128/30; };
allow-query { trusted; };
named-checkconf
systemctl reload named
What is a DNS zone?
Where clients resolve hostnames; the records are configured in a zone.
What is an authoritative DNS server?
It has the original zone records.
What does a trailing dot mean in your DNS record name?
hostmaster.example.com.
The end dot signifies the name is absolute (fully qualified); anything without the dot gets the zone origin appended, so writing hostmaster.example.com without the dot in the zone this.com would come out as
hostmaster.example.com.this.com
What is an SOA record?
Start of Authority record
Required
Shows which DNS servers are authoritative for a zone
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_networking_infrastructure_services/assembly_setting-up-and-configuring-a-bind-dns-server_networking-infrastructure-services#ref_the-soa-record-in-zone-files_assembly_configuring-zones-on-a-bind-dns-server 1.5.1
What do forward zone maps do?
Create a forward map zone for example.com
Map names to IP addresses and other info.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
    allow-transfer { none; };
};
type master - This server is the primary server for the example.com zone.
file "example.com.zone" - /var/named/example.com.zone is the zone file. This is a relative path that is dictated by the directory statement in options, which is '/var/named'.
allow-query { any; } - Any host can query this zone.
allow-transfer { none; } - No hosts can transfer the zone. Only allow this when you set up a secondary server, and only for the IP of that server.
A zone transfer replicates the zone info on your DNS server to another server that you might use as a backup.
vi /var/named/example.com.zone
Give an example of what a zone file looks like
$TTL 8h
@ IN SOA ns1.example.com. hostmaster.example.com. (
2022070601 ; serial number
1d ; refresh period
3h ; retry period
3d ; expire time
3h ) ; minimum TTL
@ IN NS ns1.example.com.
@ IN MX 10 mail.example.com.
www IN A 192.0.2.30
www IN AAAA 2001:db8:1::30
ns1 IN A 192.0.2.1
ns1 IN AAAA 2001:db8:1::1
mail IN A 192.0.2.20
mail IN AAAA 2001:db8:1::20
@ <- this at the beginning refers to example.com
chown root:named /var/named/example.com.zone
chmod 640 /var/named/example.com.zone
named-checkzone example.com /var/named/example.com.zone
systemctl reload named
ANYTHING AFTER A ; IS A COMMENT HERE
dig +short @localhost AAAA www.example.com
dig +short @localhost NS example.com
dig +short @localhost A ns1.example.com
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_networking_infrastructure_services/assembly_setting-up-and-configuring-a-bind-dns-server_networking-infrastructure-services#proc_setting-up-a-forward-zone-on-a-bind-primary-server_assembly_configuring-zones-on-a-bind-dns-server 1.5.2
TTL - how long a DNS record should be cached by resolvers before querying again.
Serial - tracks changes; each time the zone file is updated this number increases so secondary servers know to pull the latest version. Best practice is to set it in date format, e.g. 2024103001.
Refresh - seconds; time secondary servers wait before checking with the primary for updates.
Retry - wait time before a secondary server checks for updates again if the refresh fails.
Expire - max time (seconds) secondary servers can serve the zone without updates from the primary. If exceeded, the zone is stale and no longer served.
Minimum TTL - minimum TTL for negative responses (non-existent domains).