Creative Training Solutions

Salix Training Limited

This page describes how to configure DNS on Solaris 10.

DNS using BIND 9 on Solaris 10

Solaris 10 comes with BIND (Berkeley Internet Naming Daemon) version 9 and lots of useful new utilities to make DNS configuration much easier.

These instructions will walk through the configuration of a primary and secondary DNS server to support forward and reverse lookup and a hint to a root server.

In this example the domain is chocolate.com, the primary server is called twix and the secondary is called bounty. The IP network is 192.168.1.0/24.

Task One

Select a host to be your DNS primary server. The primary server requires a /etc/named.conf file, in which the supported zones are defined. Create a file like this one:

options
{
     directory "/var/named";
};

zone "chocolate.com"
{
     type master;
     file "db.chocolate.com";
};

Check the file with the named-checkconf command. If there is no output, the file is fine. You should see an error about the absence of the /var/named directory:

# named-checkconf

Make the directory for the zone files:

# mkdir /var/named

Create the zone file (/var/named/db.chocolate.com) for forward lookup in your domain. The SOA timers are in seconds; one week is 604800:

$TTL 86400
@       IN      SOA     twix.chocolate.com.  root.twix.chocolate.com. (
                1               ; Serial
                3600            ; Refresh (1 Hour)
                1800            ; Retry (30 Minutes)
                604800          ; Expire (1 Week)
                86400 )         ; Minimum (24 Hours)

                IN      NS      twix.chocolate.com.

twix            IN      A       192.168.1.1
bounty          IN      A       192.168.1.2
mars            IN      A       192.168.1.3
topic           IN      A       192.168.1.4

localhost       IN      A       127.0.0.1

Check the zone file for errors with the named-checkzone command. The following example shows a correct file:

# named-checkzone chocolate.com db.chocolate.com
zone chocolate.com/IN: loaded serial 1
OK

That is all the configuration required for the server.

The following actions make the host a client of its own server.

Copy the dns template of the name-service switch file over the default:

# cp /etc/nsswitch.dns /etc/nsswitch.conf

Create a /etc/resolv.conf file specifying the domain this host is in and where the name server is:

domain chocolate.com.
nameserver 192.168.1.1

Remove all lines from your /etc/hosts file, except the localhost entry and the IP addresses of any local interfaces.

#
# Internet host table
#
127.0.0.1       localhost loghost
192.168.1.1     twix

Check that the dependencies of the DNS server service are running:

# svcs -d dns/server
STATE      STIME    FMRI
online      7:42:27 svc:/network/loopback:default
online      7:42:28 svc:/milestone/network:default
online      7:42:31 svc:/system/filesystem/minimal:default

Start the DNS server service:

# svcadm enable dns/server
# svcs dns/server
STATE          STIME    FMRI
online         20:43:22 svc:/network/dns/server:default
# pgrep -lf named
  712 /usr/sbin/named

Check for errors reported in the /var/adm/messages file. The ::1#953 error relates to security keys and can be ignored:

# tail /var/adm/messages
borrelly named[712]: [daemon.notice] starting BIND 9.2.4
borrelly named[712]: [ID 873579 daemon.notice] command channel listening on 127.0.0.1#953
borrelly named[712]: [daemon.notice] couldn't add command channel ::1#953: address not available
borrelly named[712]: [daemon.notice] running
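
The check above can be made repeatable. What follows is an added example, not part of the original page: a small sh/awk filter that reads a messages file, drops the ::1#953 command-channel notice the page says to ignore, and reports only the named entries that need attention (error/warning priorities, or failure wording at notice level). The two log samples are constructed for this example; the timestamps, the hostname twix and the function names are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the original page: triage named entries in
# /var/adm/messages. Both sample logs below are constructed.

LOG_OK=$(mktemp)
LOG_BAD=$(mktemp)
trap 'rm -f "$LOG_OK" "$LOG_BAD"' EXIT

# Constructed: the lines the page shows after a clean start.
cat > "$LOG_OK" <<'EOF'
Feb  6 20:43:22 twix named[712]: [ID 873579 daemon.notice] starting BIND 9.2.4
Feb  6 20:43:22 twix named[712]: [ID 873579 daemon.notice] command channel listening on 127.0.0.1#953
Feb  6 20:43:22 twix named[712]: [ID 873579 daemon.notice] couldn't add command channel ::1#953: address not available
Feb  6 20:43:22 twix named[712]: [ID 873579 daemon.notice] running
EOF

# Constructed: same start, plus a zone-load failure and an unrelated sshd line.
cat > "$LOG_BAD" <<'EOF'
Feb  6 20:43:22 twix named[712]: [ID 873579 daemon.notice] starting BIND 9.2.4
Feb  6 20:43:22 twix named[712]: [ID 873579 daemon.notice] couldn't add command channel ::1#953: address not available
Feb  6 20:43:23 twix named[712]: [ID 873579 daemon.error] zone chocolate.com/IN: loading master file db.chocolate.com: file not found
Feb  6 20:43:23 twix named[712]: [ID 873579 daemon.notice] running
Feb  6 20:44:10 twix sshd[900]: [ID 800047 auth.info] Accepted publickey for admin from 192.168.1.3
EOF

# named_log_problems FILE
# Prints the named lines that need attention; exit status 0 if none, 1 otherwise.
named_log_problems() {
    awk '
        /named\[[0-9]+\]:/ {
            # The IPv6 control-channel notice the page says to ignore.
            if ($0 ~ /command channel ::1#953/) next
            # Error/warning/crit priority, or failure wording at notice level.
            if ($0 ~ /daemon\.(err|error|warning|crit)/ ||
                $0 ~ /(couldn.t|failed|not found|refused)/) {
                print
                found = 1
            }
        }
        END { if (found) exit 1; exit 0 }
    ' "$1"
}

# named_problem_count FILE: number of lines named_log_problems reports.
named_problem_count() {
    named_log_problems "$1" | awk 'END { print NR }'
}

# Stand-alone run: the clean log reports nothing, the second log one line.
echo "clean log problems: $(named_problem_count "$LOG_OK")"
echo "bad log problems:   $(named_problem_count "$LOG_BAD")"
named_log_problems "$LOG_BAD" || echo "named needs attention on this host"
```

On a real host run named_log_problems /var/adm/messages after each svcadm enable or pkill -HUP; a non-zero exit status means there is something other than the ::1#953 notice to look at. On Solaris 10 use /usr/xpg4/bin/sh or ksh rather than the legacy /bin/sh.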


Test forward name resolution:

# ping bounty.chocolate.com
bounty.chocolate.com is alive

Task Two - Configuring The Clients

Configure all the other hosts in your network to use the DNS server you have configured on twix. Copy the dns template of the name-service switch file over the default:

# cp /etc/nsswitch.dns /etc/nsswitch.conf

Create a /etc/resolv.conf file specifying the domain this host is in and where the name server is. The following example uses the keyword domain, which is deprecated:

domain chocolate.com.
nameserver 192.168.1.1

The preferred way of defining domains is with a search keyword. This allows multiple domains to be defined, and the domains are tried in order when resolving unqualified hostnames (those without the full domain name):

search chocolate.com.
nameserver 192.168.1.1

Remove all lines from your /etc/hosts file, except the localhost entry and the IP addresses of any local interfaces.

#
# Internet host table
#
127.0.0.1       localhost loghost
192.168.1.2     bounty

Enable the DNS client SMF service. This does not start any processes; it only checks that you have an /etc/resolv.conf file, that filesystems are mounted and that networking is enabled.

# svcadm enable dns/client

Test forward name resolution:

# ping twix.chocolate.com
twix.chocolate.com is alive
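
A ping that answers only proves the name was resolved somehow, possibly from /etc/hosts. The following is an added example, not part of the original page: a shell function that lints the client-side setup from Tasks One and Two, checking that the hosts line of nsswitch.conf includes dns, that resolv.conf names at least one IPv4 nameserver, and that the deprecated domain keyword has not been used in place of search. The sample files are constructed for this example and the function name is its own; on a real host pass /etc/nsswitch.conf and /etc/resolv.conf instead.

```shell
#!/bin/sh
# Added example, not from the original page: lint the client resolver setup.
# The sample files are constructed; pass the real /etc files on a host.

GOOD_NSS=$(mktemp); GOOD_RESOLV=$(mktemp); BAD_NSS=$(mktemp); BAD_RESOLV=$(mktemp)
trap 'rm -f "$GOOD_NSS" "$GOOD_RESOLV" "$BAD_NSS" "$BAD_RESOLV"' EXIT

# Constructed: the hosts line as copied from /etc/nsswitch.dns, and a
# resolv.conf using search plus a nameserver.
cat > "$GOOD_NSS" <<'EOF'
passwd:     files
group:      files
hosts:      files dns
EOF
cat > "$GOOD_RESOLV" <<'EOF'
search chocolate.com
nameserver 192.168.1.1
EOF

# Constructed: the default files-only hosts line, and a resolv.conf that
# uses the deprecated domain keyword and names no server.
cat > "$BAD_NSS" <<'EOF'
passwd:     files
group:      files
hosts:      files
EOF
cat > "$BAD_RESOLV" <<'EOF'
domain chocolate.com.
EOF

# check_resolver_client NSSWITCH_FILE RESOLV_FILE
# Prints one line per problem; the exit status is the number of problems.
check_resolver_client() {
    nss=$1
    resolv=$2
    problems=0

    # Without dns on the hosts line the resolver never consults resolv.conf.
    if ! grep -E '^hosts:.*[[:space:]]dns([[:space:]]|$)' "$nss" >/dev/null; then
        echo "$nss: hosts line does not include dns (copy /etc/nsswitch.dns over it)"
        problems=$((problems + 1))
    fi

    # At least one nameserver line carrying an IPv4 address.
    if ! grep -E '^nameserver[[:space:]]+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' "$resolv" >/dev/null; then
        echo "$resolv: no nameserver line with an IPv4 address"
        problems=$((problems + 1))
    fi

    # The page prefers search over the deprecated domain keyword.
    if grep -E '^domain[[:space:]]' "$resolv" >/dev/null; then
        echo "$resolv: uses the deprecated domain keyword; use search instead"
        problems=$((problems + 1))
    fi

    return $problems
}

# Stand-alone run: the good pair is clean, the bad pair reports three problems.
check_resolver_client "$GOOD_NSS" "$GOOD_RESOLV" && echo "client resolver configuration is fine"
check_resolver_client "$BAD_NSS" "$BAD_RESOLV" || echo "problems found: $?"
```

Run it as check_resolver_client /etc/nsswitch.conf /etc/resolv.conf on each client before enabling dns/client. On Solaris 10 use /usr/xpg4/bin/sh or ksh, since the legacy /bin/sh does not understand $((...)).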


Task Three - Reverse Lookup

The DNS server is only able to resolve forward lookups (name to number). Any requests from clients to resolve IP addresses to hostnames (reverse lookups) will fail.

Running snoop displays the IP addresses from the packets, and snoop attempts to resolve names for those addresses. This will show many errors:

# snoop
Using device /dev/hme (promiscuous mode)

192.168.1.3 -> host2    TELNET C port=1136
    host2 -> 192.168.1.1 DNS C 3.1.168.192.in-addr.arpa. Internet PTR?
192.168.0.14 -> host2    DNS R  Error: 3(Name Error)
    host2 -> 192.168.1.1 DNS C 3.1.168.192.in-addr.arpa. Internet PTR?
192.168.0.14 -> host2    DNS R  Error: 3(Name Error)

Add support for reverse lookup of the IP network to the /etc/named.conf file:

zone "1.168.192.in-addr.arpa"
{
     type master;
     file "db.192.168.1";
};

Also add reverse lookup support for the 127.0.0.0/8 loopback network:

zone "0.0.127.in-addr.arpa" in
{
     type master;
     file "db.127.0.0";
};

Check the file with the named-checkconf command. If there is no output, the file is fine:

# named-checkconf
#

Create the reverse lookup zone file, /var/named/db.192.168.1, with one PTR record per host (the owner is the last octet of the address):

$TTL 86400
@       IN      SOA     twix.chocolate.com.  root.twix.chocolate.com. (
                1               ; Serial
                3600            ; Refresh (1 Hour)
                1800            ; Retry (30 Minutes)
                604800          ; Expire (1 Week)
                86400 )         ; Minimum (24 Hours)

                IN      NS      twix.chocolate.com.

1               IN      PTR     twix.chocolate.com.
2               IN      PTR     bounty.chocolate.com.
3               IN      PTR     mars.chocolate.com.
4               IN      PTR     topic.chocolate.com.

And the loopback network reverse lookup file, /var/named/db.127.0.0:

$TTL 86400
@       IN      SOA     twix.chocolate.com.  root.twix.chocolate.com. (
                1               ; Serial
                3600            ; Refresh (1 Hour)
                1800            ; Retry (30 Minutes)
                604800          ; Expire (1 Week)
                86400 )         ; Minimum (24 Hours)

                IN      NS      twix.chocolate.com.

1               IN      PTR     localhost.

Check the new zone files with the named-checkzone command, giving each file the zone name it is defined under in /etc/named.conf:

# named-checkzone 1.168.192.in-addr.arpa db.192.168.1
zone 1.168.192.in-addr.arpa/IN: loaded serial 1
OK
# named-checkzone 0.0.127.in-addr.arpa db.127.0.0
zone 0.0.127.in-addr.arpa/IN: loaded serial 1
OK
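
named-checkzone validates each file on its own, so it cannot tell you that db.chocolate.com and db.192.168.1 disagree. The following is an added example, not part of the original page, covering both the forward zone from Task One and the reverse zone above: an awk-based check that reports A records without a PTR, PTR records without an A record, PTR targets that name a different host than the A record, and PTR targets that are not fully qualified (a missing trailing dot makes the name relative to the in-addr.arpa origin). The zone files are constructed from the page's hosts, the second pair with deliberate faults; the function name and its arguments are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: cross-check a forward zone
# against its reverse zone. The zone files below are constructed from the
# page's hosts; the second pair carries deliberate faults.

FWD_OK=$(mktemp); REV_OK=$(mktemp); FWD_BAD=$(mktemp); REV_BAD=$(mktemp)
trap 'rm -f "$FWD_OK" "$REV_OK" "$FWD_BAD" "$REV_BAD"' EXIT

# Constructed forward and reverse zones as on the page (SOA on one line).
cat > "$FWD_OK" <<'EOF'
$TTL 86400
@       IN      SOA     twix.chocolate.com. root.twix.chocolate.com. ( 1 3600 1800 604800 86400 )
                IN      NS      twix.chocolate.com.
twix            IN      A       192.168.1.1
bounty          IN      A       192.168.1.2
mars            IN      A       192.168.1.3
topic           IN      A       192.168.1.4
localhost       IN      A       127.0.0.1
EOF
cat > "$REV_OK" <<'EOF'
$TTL 86400
@       IN      SOA     twix.chocolate.com. root.twix.chocolate.com. ( 1 3600 1800 604800 86400 )
                IN      NS      twix.chocolate.com.
1               IN      PTR     twix.chocolate.com.
2               IN      PTR     bounty.chocolate.com.
3               IN      PTR     mars.chocolate.com.
4               IN      PTR     topic.chocolate.com.
EOF

# Faulty pair: caramel has no PTR, .4 points at the wrong host, .5 has no
# A record, and the PTR target for .6 lacks its trailing dot.
{ cat "$FWD_OK"; echo "caramel         IN      A       192.168.1.20"; } > "$FWD_BAD"
cat > "$REV_BAD" <<'EOF'
$TTL 86400
@       IN      SOA     twix.chocolate.com. root.twix.chocolate.com. ( 2 3600 1800 604800 86400 )
1               IN      PTR     twix.chocolate.com.
2               IN      PTR     bounty.chocolate.com.
3               IN      PTR     mars.chocolate.com.
4               IN      PTR     mars.chocolate.com.
5               IN      PTR     orphan.chocolate.com.
6               IN      PTR     unqualified
EOF

# zone_consistency FORWARD_FILE ORIGIN REVERSE_FILE NETWORK
# Prints one line per inconsistency; exit status 0 when the zones agree.
zone_consistency() {
    awk -v origin="$2" -v net="$4" '
        BEGIN { prefix = net "." }
        { sub(/;.*/, "") }                       # strip comments
        NF == 0 || $1 ~ /^\$/ { next }           # blank lines and $TTL-style directives
        {
            # A blank owner field inherits the owner of the previous record.
            if ($0 ~ /^[[:space:]]/) owner = last
            else { owner = $1; last = owner }
        }
        FNR == NR {                              # first file: collect A records
            if ($0 ~ /[[:space:]]A[[:space:]]/) {
                if (owner == "@") owner = origin "."
                else if (owner !~ /\.$/) owner = owner "." origin "."
                a[owner] = $NF
            }
            next
        }
        $0 ~ /[[:space:]]PTR[[:space:]]/ {      # second file: collect PTR records
            ip = prefix owner
            target = $NF
            if (target !~ /\.$/) {
                print "PTR " ip " -> " target " is not fully qualified (missing trailing dot)"
                bad++
            }
            ptr[ip] = target
        }
        END {
            for (name in a) {
                ip = a[name]
                if (index(ip, prefix) != 1) continue   # outside this reverse zone, e.g. localhost
                if (!(ip in ptr)) { print "no PTR for " name " (" ip ")"; bad++ }
                else if (ptr[ip] != name) { print "PTR " ip " -> " ptr[ip] " but A record is " name; bad++ }
                seen[ip] = 1
            }
            for (ip in ptr)
                if (!(ip in seen)) { print "PTR " ip " -> " ptr[ip] " has no matching A record"; bad++ }
            if (bad) exit 1
            exit 0
        }
    ' "$1" "$3"
}

# Stand-alone run: the page's pair agrees, the faulty pair lists five problems.
zone_consistency "$FWD_OK"  chocolate.com "$REV_OK"  192.168.1 && echo "forward and reverse zones agree"
zone_consistency "$FWD_BAD" chocolate.com "$REV_BAD" 192.168.1 || echo "fix the zone files before reloading named"
```

On the server run it as zone_consistency /var/named/db.chocolate.com chocolate.com /var/named/db.192.168.1 192.168.1 after named-checkzone and before sending named a HUP; the loopback zone is skipped automatically because 127.0.0.1 lies outside the network prefix given.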


Sending a HUP signal to the named daemon causes it to re-read its configuration files:

# pkill -HUP named

Check the /var/adm/messages file for any errors:

# tail /var/adm/messages
borrelly named[712]: [daemon.notice] couldn't add command channel ::1#953: address not available

Use the dig command to check that reverse lookup resolution is working:

# dig -x 192.168.1.4

<output omitted>

;; QUESTION SECTION:
;4.1.168.192.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
4.1.168.192.in-addr.arpa. 86400 IN      PTR     topic.chocolate.com.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400   IN      NS      twix.chocolate.com.

;; ADDITIONAL SECTION:
twix.chocolate.com. 86400   IN      A       192.168.1.1

;; Query time: 1 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Feb  6 21:20:49 2006
;; MSG SIZE  rcvd: 114

The older nslookup command could also be used:

# nslookup 192.168.1.4
Server:         192.168.1.1
Address:        192.168.1.1#53

4.1.168.192.in-addr.arpa       name = topic.chocolate.com.

Snoop output should now show successful DNS lookups:

# snoop
Using device /dev/hme (promiscuous mode)
192.168.1.20 -> bounty        TELNET C port=1136
      bounty -> twix.chocolate.com DNS C 20.1.168.192.in-addr.arpa. Internet PTR ?
twix.chocolate.com -> host2        DNS R 20.1.168.192.in-addr.arpa. Internet PTR caramel.chocolate.com.

Phone:    +44 (0)20 8144 6944

Fax:        +44 (0)870 913 0007

DNS Exercise—Page 1