Lab 03 - DNS

In this lab, you will set up a DNS server populated with domains useful for the rest of the semester. You will also practice configuring your server to use a private DNS server in addition to the default server(s) on the network. This lab exercise requires that you have completed Lab 2 - Network Configuration before starting Lab 3. If you have not completed Lab 2, it may not be possible to accomplish various tasks in this lab.

Please make sure to back up your server before and after completing this lab, and make sure to keep your backups safe.

For your DNS server configuration and contents of configuration files, refer to the Ubuntu Server Guide under the header Domain Name Service (DNS). In this lab, we are configuring a primary server. Before you begin, please read the documentation to understand what the default included configurations under /etc/bind do.

Overview of Tasks

If you understand and follow the procedures provided in the Ubuntu Server Guide and implement the required configuration outlined in this lab, by the end of this lab, you will have done the following:

Modify your /etc/bind/named.conf.options to configure forwarders (your upstream DNS servers)
Modify your /etc/bind/named.conf.local to add one forward and 3 reverse lookup zones
Create your forward and reverse lookup zone files
- db.lastname45678.mytld
- db.172.16.3
- db.172.16.4
- db.172.16.5

DNS Service Configuration

Install Software

Install the bind9, dnsutils, and nscd packages.

Your DNS Configurations

Make a note of the following for your DNS server configurations and properties.

Set your domain name to your last name + the last 5 digits of your student ID. Use mytld as your top-level domain (TLD).
- For example, a last name of chan and a student number of 012345678 would make the domain name chan45678.mytld.
- For all examples in this lab, replace lastname45678 with your actual last name and the last 5 digits of your student ID.
The zone origin will be ns1.lastname45678.mytld, as your nameserver. For all our DNS activity in this course, the zone names are the same as the domain names.
The zone should have the following hostnames configured:
- router3 as 172.16.3.1
- ns1 as 172.16.3.2
- www as 172.16.4.2
- mail as 172.16.5.2
- pop as an alias for mail

Set Up Caching Nameserver

Add Google's and CloudFlair's DNS nameservers caching and forwarding. We do this because your network provider or ISP may block recursive DNS, as they may be trying to stop you from running your own DNS server. Your server will forward external DNS lookups while your own private domain names continue to be looked up locally.

Add the following line to your /etc/bind/named.conf.options file, immediately after the currently commented-out forwarders line. You can leave the // commented lines in place so that you know what settings you have changed or modified.

     forwarders {
         8.8.8.8;
         1.1.1.1;
     };

     forwarders {
         8.8.8.8;
         1.1.1.1;
     };

Forward Zone Configuration

Modify your /etc/bind/named.conf.local file to define your forward zone lookup files. Name your files so that they contain your domain name.
Here is an example:

zone "lastname45678.mytld" {
    type primary;
    file "/etc/bind/db.lastname45678.mytld";
};

zone "lastname45678.mytld" {
    type primary;
    file "/etc/bind/db.lastname45678.mytld";
};

Create your /etc/bind/db.lastname45678.mytld file. This is an example zone file:

;
; Data file for lastname45678.mytld
;
$TTL	604800
@	IN	SOA	ns1.lastname45678.mytld. hostmaster.lastname45678.mytld. (
      202501010		; Serial, increment with every change
         604800		; Refresh
          86400		; Retry
        2419200		; Expire
         604800 )	; Negative Cache TTL
;
@	IN	NS	ns1
ns1	IN	A	172.16.3.2
router3	IN	A	172.16.3.1
www	IN	A	172.16.4.2
mail	IN	A	172.16.5.2
pop	IN	CNAME	mail

;
; Data file for lastname45678.mytld
;
$TTL	604800
@	IN	SOA	ns1.lastname45678.mytld. hostmaster.lastname45678.mytld. (
      202501010		; Serial, increment with every change
         604800		; Refresh
          86400		; Retry
        2419200		; Expire
         604800 )	; Negative Cache TTL
;
@	IN	NS	ns1
ns1	IN	A	172.16.3.2
router3	IN	A	172.16.3.1
www	IN	A	172.16.4.2
mail	IN	A	172.16.5.2
pop	IN	CNAME	mail

Verify your zones are syntactically correct using named-checkzone <domainname> <zonefile>. Here is an example command and output:

firstname@pc12345678:~$ named-checkzone lastname45678.mytld /etc/bind/db.lastname45678.mytld
zone lastname45678.mytld/IN: loaded serial 202501010
OK

firstname@pc12345678:~$ named-checkzone lastname45678.mytld /etc/bind/db.lastname45678.mytld
zone lastname45678.mytld/IN: loaded serial 202501010
OK

Reverse Zone Configurations

Modify your /etc/bind/named.conf.local file again to define your reverse lookup zone files. These configurations allow an IP address to be resolved to a name.

zone "3.16.172.in-addr.arpa" {
    type primary;
    file "/etc/bind/db.172.16.3";
};

zone "3.16.172.in-addr.arpa" {
    type primary;
    file "/etc/bind/db.172.16.3";
};

Add a zone for 172.16.3.0/24 (i.e. 3.16.172.in-addr.arpa.). The zone should have the following addresses configured:

172.16.3.1 as router3.lastname45678.mytld.
172.16.3.2 as ns1.lastname45678.mytld.

This is an example of contents for /etc/bind/db.172.16.3 file:

;
; Data file for 172.16.3.0/24 (3.16.172.in-addr.arpa)
;
$TTL	604800
@	IN	SOA	ns1.lastname45678.mytld. hostmaster.lastname45678.mytld. (
             1		; Serial
             604800		; Refresh
              86400		; Retry
            2419200		; Expire
             604800 )	; Negative Cache TTL
;
@	IN	NS	ns1.lastname45678.mytld.
1	IN	PTR	router3.lastname45678.mytld.
2	IN	PTR	ns1.lastname45678.mytld.

;
; Data file for 172.16.3.0/24 (3.16.172.in-addr.arpa)
;
$TTL	604800
@	IN	SOA	ns1.lastname45678.mytld. hostmaster.lastname45678.mytld. (
             1		; Serial
             604800		; Refresh
              86400		; Retry
            2419200		; Expire
             604800 )	; Negative Cache TTL
;
@	IN	NS	ns1.lastname45678.mytld.
1	IN	PTR	router3.lastname45678.mytld.
2	IN	PTR	ns1.lastname45678.mytld.

Repeat the above steps for zone 172.16.4.0/24 (i.e. 4.16.172.in-addr.arpa.) and configure the following address:

2 IN	PTR	www.lastname45678.mytld.

2 IN	PTR	www.lastname45678.mytld.

Repeat the above steps a second time for zone 172.16.5.0/24 (i.e. 5.16.172.in-addr.arpa.) and configure the following address:

2 IN	PTR	mail.lastname45678.mytld.

2 IN	PTR	mail.lastname45678.mytld.

Verify all your zones are syntactically correct using named-checkzone <domainname> <zonefile>. For example:

named-checkzone 3.16.172.in-addr.arpa /etc/bind/db.172.16.3 
named-checkzone 4.16.172.in-addr.arpa /etc/bind/db.172.16.4
named-checkzone 5.16.172.in-addr.arpa /etc/bind/db.172.16.5

named-checkzone 3.16.172.in-addr.arpa /etc/bind/db.172.16.3 
named-checkzone 4.16.172.in-addr.arpa /etc/bind/db.172.16.4
named-checkzone 5.16.172.in-addr.arpa /etc/bind/db.172.16.5

Verify that your /etc/bind/named.con.local is syntactically correct using the named-checkconf utility:

sudo named-checkconf named.conf.local

sudo named-checkconf named.conf.local

Set up `ufw` Firewall Rules for DNS

Add a ufw rule to allow DNS service (ufw allow domain) through your firewall.

Reload the DNS Service to Start Serving Your Domain

Reload bind using rndc reload.
Verify you can use nslookup successfully for ns1.lastname45678.mytld using your new name server as the query server:

nslookup ns1.lastname45678.mytld 172.16.3.2

nslookup ns1.lastname45678.mytld 172.16.3.2

What happens when you try nslookup ns1.lastname45678.mytld? Why? (Hint: notice the server that answered your query! We will address this issue later.)

Troubleshooting

Check your zone file and configuration files for any syntax errors using the named-checkzone and named-checkconf utilities. Make sure there are no spelling errors and that the information you have entered is exact and correct.

If there are any more issues, one of the methods can be used to troubleshoot:

# This may display an error in logs to give you clues about why the service
# might have failed
sudo service bind9 status
# Sometimes there are many errors; you should check the logs to see if your
# zones are loaded successfully, and if not, where and what the error could
# be 
sudo grep -a named /var/log/syslog

# This may display an error in logs to give you clues about why the service
# might have failed
sudo service bind9 status
# Sometimes there are many errors; you should check the logs to see if your
# zones are loaded successfully, and if not, where and what the error could
# be 
sudo grep -a named /var/log/syslog

Persistent Use of The DNS Server Via Its Network Interface

Adding your domain name to be used for automatic searching and using your private DNS server is done using netplan. You could modify the existing /etc/netplan/80-comp1071.yaml file, or you can create an additional file with just the settings you want to add. To keep things simple, we will just modify our existing file to add the nameservers mapping lines under the interface that our nameservice runs on. So that section might now look like this example file:

    en-vl10:
      id: 10
      link: ens38
      addresses:
        - 172.16.3.2/24
      routes:
        - to: 172.16.6.0/24
          via: 172.16.3.1
      nameservers:
        addresses: [172.16.3.2]
        search: [lastname45678.mytld]

    en-vl10:
      id: 10
      link: ens38
      addresses:
        - 172.16.3.2/24
      routes:
        - to: 172.16.6.0/24
          via: 172.16.3.1
      nameservers:
        addresses: [172.16.3.2]
        search: [lastname45678.mytld]

Run netplan apply to apply the new configuration.

Configure the Local Resolver To Use the DNS Server

The systemd-resolved name resolver can be configured to use our nameserver by adding the following DNS=172.16.3.2 under [Resolve] to your /etc/systemd/resolved.conf file. The following command accomplishes that:

sudo sed -i -e 's/^#DNS=.*/DNS=172.16.3.2/' /etc/systemd/resolved.conf

sudo sed -i -e 's/^#DNS=.*/DNS=172.16.3.2/' /etc/systemd/resolved.conf

Check the status of your local resolver using the following command:

resolvectl status

resolvectl status

Check that these commands do not produce errors:

nslookup ns1.lastname45678.mytld
dig ns1.lastname45678.mytld
nslookup www.lastname45678.mytld
nslookup router3.lastname45678.mytld
nslookup mail.lastname45678.mytld
nslookup pop.lastname45678.mytld
nslookup 172.16.3.2
nslookup 172.16.4.2
nslookup 172.16.5.2
nslookup georgiancollege.ca
apt update

nslookup ns1.lastname45678.mytld
dig ns1.lastname45678.mytld
nslookup www.lastname45678.mytld
nslookup router3.lastname45678.mytld
nslookup mail.lastname45678.mytld
nslookup pop.lastname45678.mytld
nslookup 172.16.3.2
nslookup 172.16.4.2
nslookup 172.16.5.2
nslookup georgiancollege.ca
apt update

If any of these fail, ask your professor for help before proceeding with the rest of the lab.

Configure Your Host OS to Recognize the Names in Your Private Domain

Choose and implement a method for your host laptop to use the hostnames we are adding to our private DNS server. You can add that server to your DNS server list on your host laptop, or add entries to your hosts file on the host laptop. Verify that the names work by using ping or traceroute on your host laptop to the name www.lastname45678.mytld.
Ensure you have completed adding routes from your host laptop to the Linux server as described at the end of lab 2 before trying this.
For example, in Windows, run "cmd" as Administrator, then:

route add 172.16.3.0/24 192.168.xxx.99
route add 172.16.4.0/24 192.168.xxx.99
route add 172.16.5.0/24 192.168.xxx.99

nslookup www.lastname45678.mytld 192.168.xxx.99

route add 172.16.3.0/24 192.168.xxx.99
route add 172.16.4.0/24 192.168.xxx.99
route add 172.16.5.0/24 192.168.xxx.99

nslookup www.lastname45678.mytld 192.168.xxx.99

Evaluate your server

Run sudo /root/server-check.sh -l 3 firstname lastname studentnumber.
Review any problems detected and correct as necessary. Do not move on to the next labs until you have Lab 3 at 100%.
If you are having trouble getting Lab 3 to 100%, try running sudo /root/server-check.sh -l 12 firstname lastname studentnumber to make sure you haven't accidentally broken what was completed in previous labs.