Las06 DNS 2023.v2

This document describes how to set up a basic caching-only DNS server using BIND on Linux. It includes steps to install and configure BIND, set up the server as the only nameserver for clients on the local subnet, create forward and reverse lookup zones, and perform basic DNS queries. Specifically, it shows how to: 1. Install and configure BIND on the server to act as a caching-only, forwarding DNS server for the local subnet. 2. Configure a client to use the server as its only nameserver. 3. Create a forward lookup zone file for the domain "las.org" and define resource records for hosts on the local network. 4. Perform DNS

Uploaded by Damien Seow

ST2412 Linux Administration and Security Lesson 6 DNS

Lesson 6
Domain Name System (DNS)

Content
1. Setting up a basic caching-only DNS Server with bind
2. Connecting a client to a specific DNS server
3. Setting up Forward Lookup Zone
4. Setting up Reverse Lookup Zone
5. Perform a Zone transfer
6. Reset and restore /etc/resolv.conf


1. Setting up a basic caching-only DNS Server with bind

On server:
1. Install the bind and bind-utils packages.

dnf -y install bind bind-utils | tail -10

(The output is piped (|) to tail -10 to skip the long installation output; only the
last 10 lines of the outcome are shown.)

2. Check that the group owner of the config file /etc/named.conf is "named".

ls -l /etc/named.conf

3. To prepare for the forward lookup zone exercise, first set your host name to server.las.org
by using the hostnamectl command:

hostnamectl set-hostname server.las.org

4. Find the IP address of your original local DNS Server by checking the contents of
/etc/resolv.conf. Note the IP address of the nameserver (e.g. 192.168.148.2). You shall
observe that the search option has been changed to las.org too.

As shown above, the server is using 192.168.30.2 as its DNS.


5. Setting up a cache-only, forwarder-only local DNS in your server:

A forwarder-only DNS provides DNS service to itself and other clients, but it only forwards
the DNS requests to another DNS server to obtain the answer.

Edit /etc/named.conf and change the following options settings to allow your
client's subnet to make queries. Set the forwarders value to the IP address of the original
local DNS Server. Keeping allow-query limited to localhost and your own subnet is what
stops the server from answering recursive queries for other networks (an open resolver).

    listen-on port 53 { any; };
    allow-query { localhost; 192.168.30.0/24; };   // change this to the subnet of your server
    forwarders { 192.168.30.2; };                   // change this to the original nameserver IP in
                                                    // /etc/resolv.conf (add this line if it does not exist)
    forward only;

6. As your original local DNS Server may not be able to support DNSSEC, disable the DNSSEC
validation by changing the following lines.

dnssec-enable no;
dnssec-validation no;

7. Enable and start the named services now.


systemctl enable --now named


8. Check /var/log/messages if there are any errors with your named service.

9. Edit /etc/resolv.conf and comment out the original nameserver entry. Add your server IP as
the nameserver.
nameserver <serverIP>

10. Perform a DNS query using dig. Look for the ANSWER section which contains the result of
the IP address. Note that the SERVER should be your server IP.
dig sp.edu.sg

(Refer to https://blog.dnsimple.com/2015/03/whats-in-a-dns-response/ to find out the detailed
interpretation of the entries shown in the ANSWER SECTION. E.g., what does the '5' mean?)

11. The update of /etc/resolv.conf (at step 9) is not yet permanent. The NetworkManager
process will re-generate this file at the next boot. To disable the regeneration, you
need to:
Modify /etc/NetworkManager/NetworkManager.conf:
a. Under the [main] section, modify or add the dns setting entry and set it to 'none'.

b. Restart the NetworkManager process:

systemctl restart NetworkManager

c. Repeat the dig query from step 10 to ensure you are still using your own server as the DNS.
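The '5' in dig's ANSWER section (step 10) is the record's TTL in seconds. The following is an added example, not part of the practical: it builds a response for sp.edu.sg in DNS wire format and then decodes it, showing where dig's name, TTL and address columns come from and how the AA (authoritative answer) flag distinguishes a forwarded answer like this one from an answer served from a zone the server owns. The packet is constructed sample data; the transaction id and the 5-second TTL are assumptions, and the function names are the example's own.

```python
import struct

def build_name(name):
    """Encode a dotted name as DNS labels: length byte + label, zero byte terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(qname, address, ttl, aa=False, txid=0x1234):
    """Construct a minimal A-record response (sample data, not a capture).
    A forwarder relays answers without AA set; AA is set only for zones the server owns."""
    flags = 0x8180 | (0x0400 if aa else 0)          # QR + RD + RA (+ AA)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = build_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    # Owner of the answer is a compression pointer (0xC00C) to offset 12 = the question name
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
              + bytes(int(o) for o in address.split(".")))
    return header + question + answer

def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:                 # compression pointer
            hops += 1
            if hops > 16:                           # guard against pointer loops in bad packets
                raise ValueError("too many compression pointers")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_response(data):
    """Return the header flags dig reports and one dict per ANSWER record."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):                        # skip the question section
        _, offset = read_name(data, offset)
        offset += 4                                 # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        record = {"name": name, "type": rtype, "ttl": ttl}   # the TTL is dig's second column
        if rtype == 1 and rdlen == 4:
            record["address"] = ".".join(str(b) for b in rdata)
        answers.append(record)
    return {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0x000F, "answers": answers}

if __name__ == "__main__":
    # Forwarded answer for sp.edu.sg (address from the practical), TTL 5 seconds
    print(parse_response(build_response("sp.edu.sg", "35.201.83.130", 5)))
    # Answer from our own las.org zone: AA set, TTL from $TTL 86400
    print(parse_response(build_response("server.las.org", "192.168.30.88", 86400, aa=True)))
```

A TTL of 5 means the forwarder may cache and re-serve this answer for only five seconds before asking upstream again; the large TTL in the las.org zone is what lets clients cache the internal names for a day.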

2. Connecting a client to a specific DNS server

To verify your server is providing DNS service to other clients in the same subnet, start your
client and configure it to use your server as its only DNS:

On Client: (login as root)

1. Modify /etc/NetworkManager/NetworkManager.conf :
a. Under the [main] section, modify or add in the dns setting entry to set it to 'none'.

(Take note that the above is on the client system.)

b. Edit /etc/resolv.conf and comment all lines in it. Add your server IP as the nameserver.
nameserver <serverIP>


You may see a different value showing at the search domain settings. It does not
matter.

2. Perform a DNS query using host -a. Note that the results come from your LAS server IP.
host -a sp.edu.sg

[Note: You need to open the dns service in the firewall of your server to enable the client
to access the server's DNS service.]
On server:

3. Perform a reverse lookup DNS query for 35.201.83.130, or the IP that you have found using
host -a sp.edu.sg earlier.

dig -x 35.201.83.130
host -a 35.201.83.130

3. Setting up Forward Lookup Zone

In this exercise, we are setting up a local domain at our own local DNS for internal usage.
With forward lookup zone configuration, DNS queries that associate with the defined domain
will be answered immediately by the DNS server.


On server:
1. You are going to make your DNS Server responsible for the zone (domain) "las.org".
Before we proceed, do an initial check of las.org by typing:
dig las.org

This verifies whether las.org has been registered by someone.

As shown, the las.org domain resolves to the IP 40.84.33.106. This is the IP of the real-world
las.org domain.
Below, we will define las.org as if it were our own domain. Once the zone is declared on this
server, queries for las.org from your clients will receive these local answers instead of the
public ones.

2. Edit /etc/named.conf and declare your zone. Add the following lines in bold.
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "las.org" IN {
        type master;
        file "las.org.zone";
    };

The above configuration indicates the zone file name for las.org is las.org.zone.

3. Zone files are stored in the /var/named directory. Create a new file
/var/named/las.org.zone with the following content:

Here are more details:

$ORIGIN las.org.           ; designates the start of this zone file in the namespace
$TTL 86400
las.org.  IN SOA server root.server.las.org. (
          42   ; serial
          3H   ; refresh
          15M  ; retry
          1W   ; expiry
          1D ) ; minimum
las.org.  IN NS server
las.org.  IN A  192.168.30.88     ; IPv4 address of the domain las.org
server    IN A  192.168.30.88     ; change these to the IP addresses of your server and client
client    IN A  192.168.30.129    ; change "client" to your client's hostname
testpc    IN A  192.168.30.111    ; this is a fictitious PC

Notes on the SOA record: "server" is the primary nameserver; change this to your server's
hostname (you can leave out the domain part of las.org.). "root.server.las.org." is the
administrator's email address; it is the equivalent of root@server.las.org (the first dot
stands for the @).

4. Change the group owner of /var/named/las.org.zone to "named".

chgrp named /var/named/las.org.zone

5. Restart the named service.


systemctl restart named


6. Check /var/log/messages if there are any errors with your named service.

On Client and Server:


7. Perform a DNS query for server, client and testpc.
dig las.org
dig server.las.org
host -a server.las.org
dig client.las.org
host testpc.las.org
Note: You will see the query result is an Authoritative answer.

Take note that 192.168.30.111 (testpc.las.org) does not exist in the system.

4. Setting up Reverse Lookup Zone


A Reverse Lookup Zone provides the data to answer reverse DNS lookups. In a reverse
lookup, the query asks for the host/domain name of a given IP address. The domain owner
may selectively define reverse lookup entries in the reverse lookup zone file.

On server:
1. Edit /etc/named.conf and declare your reverse lookup zone.
    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "las.org" IN {
        type master;
        file "las.org.zone";
    };

    zone "30.168.192.in-addr.arpa" IN {    // change to the first three octets of your subnet, in reverse order
        type master;
        file "192.168.30.zone";            // change to your subnet
    };

2. Zone files are stored in /var/named. Create a new reverse zone file
/var/named/192.168.30.zone (the actual file name should be based on your own subnet)
and add the following content.
You are declaring a zone with three pointer records for your server, your client and one
more for the IP address "192.168.30.111". Note the dot-terminated hostnames.

$TTL 86400
@    IN SOA server.las.org. root.server.las.org. (
          42        ; serial
          28800     ; refresh
          14400     ; retry
          3600000   ; expiry
          86400 )   ; minimum
     IN NS  server.las.org.
129  IN PTR client.las.org.    ; change these to the last octet of your server and client
88   IN PTR server.las.org.    ; PTR targets need to be FQDNs (dot-terminated)
111  IN PTR testpc.las.org.

In the SOA record, "root.server.las.org." is the administrator's email address; it is the
equivalent of root@server.las.org.

3. Change the group owner of the reverse zone file to "named".


4. Restart the named service.
5. Perform reverse DNS queries for your fictitious PC, client and server from both your
Client and Server.
dig -x 192.168.30.111
host 192.168.30.111
dig -x 192.168.30.88      (change these to the IP addresses of your PCs)
dig -x 192.168.30.129
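Before restarting named, it is worth checking that the forward zone from section 3 and the reverse zone from section 4 agree with each other: every A record should have a matching PTR, every PTR should point at a name that really has that address, and every NS target should have an address record. The following is an added Python example, not part of the practical (the practical checks the result with dig and host against the running server). The two zone texts are inline copies of the lesson's files; the parser handles only the zone-file syntax those files use, and all function names are the example's own.

```python
# Constructed copies of the two zone files from this lesson (sample data, not read from /var/named)
FORWARD_ZONE = """\
$ORIGIN las.org.
$TTL 86400
las.org.  IN SOA server root.server.las.org. (
          42   ; serial
          3H   ; refresh
          15M  ; retry
          1W   ; expiry
          1D ) ; minimum
las.org.  IN NS server
las.org.  IN A  192.168.30.88
server    IN A  192.168.30.88
client    IN A  192.168.30.129
testpc    IN A  192.168.30.111
"""

REVERSE_ZONE = """\
$TTL 86400
@    IN SOA server.las.org. root.server.las.org. (
          42        ; serial
          28800     ; refresh
          14400     ; retry
          3600000   ; expiry
          86400 )   ; minimum
     IN NS  server.las.org.
129  IN PTR client.las.org.
88   IN PTR server.las.org.
111  IN PTR testpc.las.org.
"""

def qualify(name, origin):
    """Turn a relative owner or target into a fully qualified, dot-terminated name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Minimal zone-file parser: $ORIGIN/$TTL, ';' comments, multi-line '( ... )' records,
    a blank owner field (inherits the previous owner) and relative names.
    Returns a list of (owner, type, rdata_fields)."""
    records, pending, depth, last_owner = [], [], 0, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip() and depth == 0:
            continue
        pending.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:                                  # still inside ( ... )
            continue
        inherit_owner = pending[0][:1].isspace()       # leading blank = same owner as previous RR
        fields = " ".join(pending).replace("(", " ").replace(")", " ").split()
        pending = []
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            continue
        owner = last_owner if inherit_owner else qualify(fields.pop(0), origin)
        if fields and fields[0].isdigit():             # optional per-record TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":       # optional class
            fields.pop(0)
        rtype = fields.pop(0).upper()
        if rtype in ("NS", "PTR", "CNAME"):            # rdata that is itself a name
            fields[0] = qualify(fields[0], origin)
        records.append((owner, rtype, fields))
        last_owner = owner
    return records

def ptr_owner_to_ip(owner):
    """'88.30.168.192.in-addr.arpa.' -> '192.168.30.88'"""
    return ".".join(reversed(owner.rstrip(".").split(".")[:4]))

def check_zones(forward, reverse):
    """Return a list of human-readable inconsistencies between the two zones (empty = consistent)."""
    findings, a_by_ip = [], {}
    for owner, rtype, rdata in forward:
        if rtype == "A":
            a_by_ip.setdefault(rdata[0], set()).add(owner)
    a_names = set().union(*a_by_ip.values()) if a_by_ip else set()
    ptr_by_ip = {ptr_owner_to_ip(o): r[0] for o, t, r in reverse if t == "PTR"}
    # forward -> reverse: every address has a PTR naming one of the names that use it
    for ip, owners in sorted(a_by_ip.items()):
        target = ptr_by_ip.get(ip)
        if target is None:
            findings.append(f"{ip}: no PTR record in reverse zone")
        elif target not in owners:
            findings.append(f"{ip}: PTR {target} does not match A owners {sorted(owners)}")
    # reverse -> forward: every PTR target exists as an A record in the forward zone
    for ip, target in sorted(ptr_by_ip.items()):
        if target not in a_names:
            findings.append(f"{ip}: PTR target {target} has no A record")
    # NS targets in both zones need an address record, otherwise the zone is lame
    for owner, rtype, rdata in forward + reverse:
        if rtype == "NS" and rdata[0] not in a_names:
            findings.append(f"{owner}: NS {rdata[0]} has no A record")
    return findings

if __name__ == "__main__":
    fwd = parse_zone(FORWARD_ZONE, "las.org.")                     # $ORIGIN is in the file
    rev = parse_zone(REVERSE_ZONE, "30.168.192.in-addr.arpa.")     # origin comes from named.conf
    for finding in check_zones(fwd, rev) or ["zones are consistent"]:
        print(finding)
```

The reverse zone has no $ORIGIN line, so its origin is taken from the zone name declared in named.conf, exactly as named does it; this is why the PTR owners "129", "88" and "111" expand to full in-addr.arpa names.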


5. Perform a Zone transfer

Zone transfer allows the requester to copy the entire zone file from a DNS server. A zone transfer
is usually carried out over TCP port 53 (a normal DNS query is carried out over the default
UDP port 53).

On client:
1. Run the following commands (dig and host) to do a couple of zone transfers (a complete
dump of all the zone content; two zones: the forward zone and the reverse zone) of the las.org
domain from your DNS Server. You will see a list of the hosts and their IP addresses.
dig -t axfr las.org
host -l 30.168.192.in-addr.arpa

[Zone transfer with dig command. Need to use -t axfr option.]

[Zone transfer with host command. Need to use -l option.]

Note: Zone transfer applies to both forward lookup zones and reverse lookup zones.

As Zone transfer operation may leak out the overall infrastructure layout of your network,
you may want to restrict this operation.

On server:

You will now restrict the systems that can do a zone transfer from your server.
2. Edit /etc/named.conf and add a line to specify allow-transfer only from localhost.
    allow-query { localhost; 192.168.30.0/24; };
    allow-transfer { localhost; 192.168.30.111; };   // change 192.168.30.111 to an IP address that is not your client

3. Reload or Restart the DNS service.


systemctl reload named

On client:
4. Try to do a zone transfer of the las.org domain from your DNS Server again. This time, it
should not be successful.

[Neither host -l nor dig -t axfr can work now.]

On server:
5. Check the log file /var/log/messages to see the logged entries for the successful and
unsuccessful zone transfers (do a search for AXFR).

6. Do a zone transfer at the server; it can still work.

[It still works because the allow-transfer list includes localhost.]
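The search of /var/log/messages for AXFR in step 5 can be turned into a repeatable check. The following is an added Python example, not part of the practical: it parses log lines written in the style of BIND's transfer messages and compares every transfer that was allowed to proceed against the allow-transfer list from step 2 (localhost is given as 127.0.0.1, plus 192.168.30.111). Any client that completed a transfer without being on the list, such as the client machine during step 1, is reported. The log lines are constructed sample data, the exact wording of BIND's messages varies between versions (so the regular expression is an assumption to adjust against your own log), and the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample lines in the style of BIND's syslog output (not a real capture).
# The first three lines imitate transfers made before allow-transfer was restricted,
# the fourth a transfer refused afterwards, and the last two a transfer from localhost.
SAMPLE_LOG = """\
Mar  3 10:12:01 server named[1234]: client @0x7f1c2c0ab2a0 192.168.30.129#51234 (las.org): transfer of 'las.org/IN': AXFR started (serial 42)
Mar  3 10:12:01 server named[1234]: client @0x7f1c2c0ab2a0 192.168.30.129#51234 (las.org): transfer of 'las.org/IN': AXFR ended
Mar  3 10:12:05 server named[1234]: client @0x7f1c2c0ab2a0 192.168.30.129#51240 (30.168.192.in-addr.arpa): transfer of '30.168.192.in-addr.arpa/IN': AXFR started (serial 42)
Mar  3 10:15:30 server named[1234]: client @0x7f1c2c0ab2a0 192.168.30.129#51300 (las.org): zone transfer 'las.org/AXFR/IN' denied
Mar  3 10:16:02 server named[1234]: client @0x7f1c2c0ab2a0 127.0.0.1#40000 (las.org): transfer of 'las.org/IN': AXFR started (serial 42)
Mar  3 10:16:02 server named[1234]: client @0x7f1c2c0ab2a0 127.0.0.1#40000 (las.org): transfer of 'las.org/IN': AXFR ended
"""

# Assumed message layout: "client [@0x...] IP#PORT (ZONE): MESSAGE"
LINE_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9.]+)#(?P<port>\d+) "
    r"\((?P<zone>[^)]+)\): (?P<msg>.*)$"
)

def parse_axfr_events(lines):
    """Extract (client, zone, outcome) for every AXFR-related line; outcome is
    'started', 'ended' or 'denied'. Lines that are not about AXFR are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or "AXFR" not in m.group("msg"):
            continue
        msg = m.group("msg")
        if msg.endswith("denied"):
            outcome = "denied"
        elif "AXFR started" in msg:
            outcome = "started"
        elif "AXFR ended" in msg:
            outcome = "ended"
        else:
            continue
        events.append({"client": m.group("ip"), "zone": m.group("zone"), "outcome": outcome})
    return events

def audit_transfers(lines, allowed):
    """Summarise transfers and flag clients that were served a zone although they are
    not in `allowed` (addresses or CIDR prefixes, mirroring the allow-transfer list)."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]

    def permitted(ip):
        return any(ipaddress.ip_address(ip) in net for net in allowed_nets)

    events = parse_axfr_events(lines)
    served = [e for e in events if e["outcome"] == "started"]
    return {
        "started": len(served),
        "denied": sum(e["outcome"] == "denied" for e in events),
        "unexpected_clients": sorted({e["client"] for e in served if not permitted(e["client"])}),
        "denied_clients": sorted({e["client"] for e in events if e["outcome"] == "denied"}),
    }

if __name__ == "__main__":
    # allow-transfer { localhost; 192.168.30.111; } expressed as addresses
    print(audit_transfers(SAMPLE_LOG.splitlines(), ["127.0.0.1", "192.168.30.111"]))
```

Run against the real file with `audit_transfers(open("/var/log/messages").read().splitlines(), [...])`; a non-empty unexpected_clients list means a full copy of the zone left the server for a host outside the policy, which is the leak the allow-transfer restriction is meant to prevent.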
6. Reset and restore /etc/resolv.conf

On both server and client:

7. Ensure the dns=none entry is not set in the /etc/NetworkManager/NetworkManager.conf.

8. Restart the NetworkManager, it will reset the resolv.conf.


systemctl restart NetworkManager

9. Verify the contents of /etc/resolv.conf so that it points back to the original DNS Server.
nameserver 192.168.30.2
(This IP address should be updated according to your original DNS server.)

[Verified the client system has been restored.]


[Verified the server system has been restored.]

On server:

10. Disable and Stop the DNS service

systemctl disable --now named

Additional Reference:

- https://en.wikipedia.org/wiki/Zone_file#Example_file
- https://www.infoblox.com/dns-security-resource-center/dns-security-faq/is-dns-tcp-or-udp-port-53/

~End of Practical~
