Exercise 2.3: Building a DNS resolver ===================================== 1. Install BIND 9.10 if it's not already there ---------------------------------------------- # pkg info | grep bind (is BIND9 already installed?) $ named -v BIND 9.10.0-P1 If BIND9 is not already installed, then install it: # pkg install bind910 BIND9 uses a utility called "rndc" to control a running nameserver. We need to configure this before it will work. First delete the sample rndc configuration file: # rm /usr/local/etc/namedb/rndc.conf Then generate a fresh key for rndc to use to communicate with named: # rndc-confgen -a 2. Start the server and check it is running ------------------------------------------- Firstly, edit `/etc/rc.conf` and add a line saying `named_enable="YES"` Then run these commands: # service named start # ps auxwww | grep named # tail /var/log/messages Check for successful startup with no error messages. You can use the rndc tool to check the status of the running nameserver: # rndc status 3. Reconfigure your resolver to use your own cache only ------------------------------------------------------- Edit `/etc/resolv.conf` as follows: search sse.ws.afnog.org nameserver 127.0.0.1 Remove any existing 'nameserver' lines, or comment them out by inserting '#' at the front. 127.0.0.1 is the loopback address; that is, an IP address which means 'send the packet to myself'. 4. Opening BIND to external requests ------------------------------------- # vi /usr/local/etc/namedb/named.conf Note that the FreeBSD BIND9.10 package contains a lot of comments and is quite hard to read. You will need to be careful editing this file. Modify the following line: listen-on { 127.0.0.1; }; to listen-on { any; }; We don't want to be an open resolver to the world, so before we restart the server we will restrict access to just the SSE IPv4 subnet, 196.200.219.0/24. Add the following configuration lines at the top of the configuration file: acl afnog_sse { 127.0.0.1; 196.200.219.0/24; }; and add the following lines after the "options" line: allow-query { afnog_sse; }; recursion yes; The top of your configuration file should now look like this: acl afnog_sse { 127.0.0.1; 196.200.219.0/24; }; options { allow-query { afnog_sse; }; recursion yes; Save the file and check that the configuration file does not contain any errors: # named-checkconf If everything looks good, restart the nameserver: # service named restart 5. Send some queries -------------------- Issue a query. Make a note of whether the response has the 'aa' flag set. Look at the answer section and note the TTL of the answer. Also note how long the query took to process. Then repeat the _exact same_ query, and note the information again. $ dig www.tiscali.co.uk. Does it have the 'aa' flag? ______ What is the TTL of the answer? ______ seconds How long is the Query Time? ______ milliseconds $ dig www.tiscali.co.uk. Does it have the 'aa' flag? ______ What is the TTL of the answer? ______ seconds How long is the Query Time? ______ milliseconds Repeat it a third time. Can you explain the differences? If your neighbour has got their cache working, then try sending some queries to their cache (remember `dig @x.x.x.x ...`) 6. Watch the cache in operation ------------------------------- You can take a snapshot of the cache contents. Before this will work, you need to make sure the directory that BIND will store the dump in exists, and is writeable by the named process: # mkdir -p /var/dump # chown bind /var/dump To dump the cache: # rndc dumpdb # more /var/dump/named_dump.db (Don't do this on a busy cache - you will generate a huge dump file!) You can watch the cache making queries to the outside world using `tcpdump` in a different window # tcpdump -n -s 0 -i em0 -vv udp port 53 Replace `em0` with the name of your ethernet interface - e.g. `bge0`. While tcpdump is running, in the first window flush your cache (so it forgets all existing data) and then issue some queries. # rndc flush # dig www.tiscali.co.uk. -- and watch tcpdump output. What do you see? # dig www.tiscali.co.uk. -- watch tcpdump again. This time?