# DNS Service (BIND)

## Overview

DNS translates domain names to IP addresses (forward lookup) and IP addresses to domain names (reverse lookup).

- **Forward lookup**: `ncaecybergames.org` → `192.168.8.2`
- **Reverse lookup**: `192.168.8.2` → `ncaecybergames.org`

---

## Service Name

- `named` (not `bind`)

```bash
systemctl status named
sudo systemctl start named
sudo systemctl enable named
```

---

## Configuration Locations

### Ubuntu
```
/etc/bind/
├── named.conf                 # Main config (includes the files below)
├── named.conf.options         # Server options
├── named.conf.local           # Local zone definitions (put your zones here)
├── named.conf.default-zones   # Default zones (localhost, etc.)
├── db.empty                   # Template file to copy for new zones
├── db.local                   # Localhost zone file
├── db.127                     # Localhost reverse zone
└── zones/                     # Your custom zone files (create this)
```

### CentOS/RHEL
The layout differs: the main config is `/etc/named.conf` (extra includes live under `/etc/named/`), zone files go in `/var/named/`, and the service runs as user `named` rather than `bind`, so zone files need to be readable by that user (`root:named`). The `directory` option in `/etc/named.conf` tells you where it expects zone files.

---

## Key Concepts

### Zone Files
- **Forward zone**: Maps domain names → IP addresses (A records)
- **Reverse zone**: Maps IP addresses → domain names (PTR records)

### Include Structure
The main `named.conf` typically includes other config files:
```
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
```

### allow-update Directive

Controls whether dynamic DNS updates (RFC 2136, the kind `nsupdate` sends) are permitted for a zone:

```
zone "example.org" IN {
    type master;
    file "/etc/bind/zones/forward.example.org";
    allow-update { none; };    # No dynamic updates allowed
};
```

| Value | Meaning |
|-------|---------|
| `{ none; }` | No updates allowed (static zone, manual edits only). This is also BIND's default when the directive is omitted. |
| `{ key mykey; }` | Allow updates signed with a specific TSIG key |
| `{ 192.168.8.5; }` | Allow updates from a specific IP address. Weak: updates arrive over UDP and the source address can be spoofed, so this is not authentication. |

**For competition: Always use `{ none; };`** - prevents attackers from remotely modifying your DNS records. While you are in the zone block, also add `allow-transfer { none; };` so nobody can pull a copy of the whole zone (AXFR) to map your network.
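
As an added example (not from the original page or from BIND itself), the weak address-based `allow-update` setting beside the hardened stanza, plus a small audit that walks the `zone` blocks of any `named.conf` fragment and flags dynamic updates that are not `{ none; }` or not TSIG-keyed, and zones with no `allow-transfer`. The two stanzas are constructed inputs; the zone name and path are the page's own.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page or from BIND: a weak zone
# stanza beside a hardened one, and an audit that flags the weak settings in
# any named.conf fragment.  Both stanzas below are constructed inputs.

# Weak (constructed): address-based allow-update and no allow-transfer at all.
weak_zone_conf() {
cat <<'EOF'
zone "ncaecybergames.org" IN {
    type master;
    file "/etc/bind/zones/forward.ncaecybergames.org";
    allow-update { 192.168.8.5; };   // spoofable: the UDP source address is the only check
};
EOF
}

# Hardened (constructed): no dynamic updates, zone transfers explicitly denied.
hardened_zone_conf() {
cat <<'EOF'
zone "ncaecybergames.org" IN {
    type master;
    file "/etc/bind/zones/forward.ncaecybergames.org";
    allow-update { none; };
    allow-transfer { none; };
};
EOF
}

# audit_zone_conf FILE: one "FINDING zone <name>: ..." line per weak setting.
# Brace depth is tracked so the ACL braces inside a zone do not end it early.
audit_zone_conf() {
  awk '
    function report() {
      if (upd != "" && upd !~ /[{][[:space:]]*none;?[[:space:]]*[}]/) {
        printf "FINDING zone %s: allow-update is not { none; }: %s\n", name, upd
        if (upd !~ /key[[:space:]]/)
          printf "FINDING zone %s: allow-update ACL is address-based, not a TSIG key; UDP sources can be spoofed\n", name
      }
      if (xfer == "")
        printf "FINDING zone %s: allow-transfer not set; add allow-transfer { none; } or list only your secondaries\n", name
    }
    /^[[:space:]]*zone[[:space:]]+"/ { inzone = 1; name = $2; gsub(/"/, "", name); upd = ""; xfer = ""; depth = 0 }
    inzone {
      line = $0; sub(/\/\/.*/, "", line); sub(/#.*/, "", line)      # drop trailing comments
      if (line ~ /allow-update/)   { upd = line; sub(/^[[:space:]]+/, "", upd) }
      if (line ~ /allow-transfer/) { xfer = line }
      depth += gsub(/[{]/, "{", line)
      depth -= gsub(/[}]/, "}", line)
      if (depth == 0) { report(); inzone = 0 }
    }
  ' "$1"
}

# audit_count GENERATOR -> number of findings for that constructed config
audit_count() {
  local tmp
  tmp=$(mktemp)
  "$1" > "$tmp"
  audit_zone_conf "$tmp" | grep -c '^FINDING' || true
  rm -f "$tmp"
}

# Usage on a real server: audit_zone_conf /etc/bind/named.conf.local
if [ $# -gt 0 ]; then
  audit_zone_conf "$1"
fi
```

Run it against `named.conf.local` before the scoring engine does: the weak stanza produces three findings (updates allowed, ACL is address-only, transfers not restricted), the hardened one produces none. The audit only looks at `allow-update` and `allow-transfer`; it does not replace `named-checkconf`.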

---

## Setting Up DNS Zones

### Step 1: Add Zone Definitions

Edit the local zones config file (Ubuntu: `named.conf.local`, which `named.conf` already includes; `named.conf.default-zones` also works, but that file belongs to the package and holds the localhost zones):
```bash
sudo nano /etc/bind/named.conf.local
```

Add a **forward lookup zone**:
```
zone "ncaecybergames.org" IN {
    type master;
    file "/etc/bind/zones/forward.ncaecybergames.org";
    allow-update { none; };
};
```

Add a **reverse lookup zone**:
```
zone "8.168.192.in-addr.arpa" IN {
    type master;
    file "/etc/bind/zones/reverse.ncaecybergames.org";
    allow-update { none; };
};
```

**Important**: For reverse zones, the zone name is the network portion of the IP written **backwards**, followed by `.in-addr.arpa`:
- IP: `192.168.8.x` (a /24) → Zone: `8.168.192.in-addr.arpa`
- A /16 such as `192.168.x.x` would be `168.192.in-addr.arpa`

---

### Step 2: Create Zone Files Directory

```bash
sudo mkdir /etc/bind/zones
```

---

### Step 3: Copy Template Files

Copy the empty template (preserves correct ownership and permissions):
```bash
sudo cp /etc/bind/db.empty /etc/bind/zones/forward.ncaecybergames.org
sudo cp /etc/bind/db.empty /etc/bind/zones/reverse.ncaecybergames.org
```

**Why copy instead of create from scratch?**
- Preserves correct ownership (`root:bind`)
- Preserves correct permissions (`644`)
- `named` runs as the unprivileged `bind` user; if it cannot read a zone file, that zone fails to load and `journalctl -u named` shows a permission denied error

Check permissions:
```bash
ls -l /etc/bind/zones/
```

If a file shows up as `root root` or with mode `600`, fix it with `sudo chown root:bind` and `sudo chmod 644` on that file; the zone files never need to be writable by `bind` when `allow-update { none; }` is set.

---

### Step 4: Configure Forward Zone File

```bash
sudo nano /etc/bind/zones/forward.ncaecybergames.org
```

Example forward zone file:
```
$TTL 604800
@   IN  SOA sandbox-ubuntu.ncaecybergames.org. root.ncaecybergames.org. (
        2           ; Serial (INCREMENT THIS ON EVERY CHANGE!)
        604800      ; Refresh
        86400       ; Retry
        2419200     ; Expire
        604800 )    ; Negative Cache TTL

@               IN  NS  sandbox-ubuntu.ncaecybergames.org.
sandbox-ubuntu  IN  A   192.168.8.2
www             IN  A   192.168.8.2
```

**Key points:**
- The copied `db.empty` template says `localhost.` in its SOA and NS lines; replace it with your server's fully qualified name (`sandbox-ubuntu.ncaecybergames.org.`). The first name in the SOA is the primary nameserver, the second is the admin mailbox (`root.ncaecybergames.org.` means root@ncaecybergames.org).
- A name ending in a period is absolute; a name without one gets the zone origin appended. `sandbox-ubuntu.` (with the dot) would be a top-level name that resolves to nothing, so the NS record must point at `sandbox-ubuntu.ncaecybergames.org.` or the relative `sandbox-ubuntu`, and that name needs an A record in the zone.
- **Always increment the serial number** when making changes (1→2→3...); BIND logs a warning when a reloaded zone's serial is unchanged, and secondary servers will not pick up the change.
- Add A records for each subdomain; add `@ IN A 192.168.8.2` as well if the bare `ncaecybergames.org` should resolve (as in the Overview).

---

### Step 5: Configure Reverse Zone File

```bash
sudo nano /etc/bind/zones/reverse.ncaecybergames.org
```

Example reverse zone file:
```
$TTL 604800
@   IN  SOA sandbox-ubuntu.ncaecybergames.org. root.ncaecybergames.org. (
        2           ; Serial (INCREMENT THIS ON EVERY CHANGE!)
        604800      ; Refresh
        86400       ; Retry
        2419200     ; Expire
        604800 )    ; Negative Cache TTL

@   IN  NS  sandbox-ubuntu.ncaecybergames.org.
2   IN  PTR sandbox-ubuntu.ncaecybergames.org.
2   IN  PTR www.ncaecybergames.org.
```

**Key points:**
- Every hostname in a reverse zone must end with a **period** (`.`): without it BIND appends the zone origin and you get `www.ncaecybergames.org.8.168.192.in-addr.arpa`.
- The PTR owner is only the **host portion** of the IP (for `192.168.8.2`, just `2`); it is relative to the zone, so it has no trailing period.
- Multiple PTR records for one IP are legal, but a reverse lookup then returns them in arbitrary order; if a tool expects one canonical name, keep a single PTR for the server's real hostname.
- The NS line names the same server as in the forward zone, so here too it must be the fully qualified name.
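
Steps 1 to 5 above are one procedure, so here is a single added example (not code from the original page or from BIND) that generates both zone files from one host list: it derives the `in-addr.arpa` zone name and the PTR owner names from the IP, works for /8 and /16 reverse zones as well as the page's /24, and emits exactly one PTR per IP. The domain, hostnames and addresses are the page's own example values; `root.<domain>.` as the SOA mailbox and the page's timer values are assumed.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page or from BIND: generate the
# forward and reverse zone files of Steps 4 and 5 from one host list, deriving
# the in-addr.arpa zone name and PTR owners instead of writing them by hand.
# Hostnames, IPs and "sandbox-ubuntu" are the page's own example values.

# reverse_octets 192.168.8 -> 8.168.192 (any number of octets)
reverse_octets() {
  printf '%s\n' "$1" | awk -F. '{ for (i = NF; i > 0; i--) printf "%s%s", $i, (i > 1 ? "." : ""); printf "\n" }'
}

# reverse_zone_name NETWORK -> zone name for a /8, /16 or /24 (NETWORK = 1, 2 or 3 octets)
reverse_zone_name() {
  printf '%s.in-addr.arpa\n' "$(reverse_octets "$1")"
}

# ptr_owner IP NETWORK -> PTR owner name relative to that reverse zone
#   ptr_owner 192.168.8.2 192.168.8 -> 2      ptr_owner 10.1.2.3 10 -> 3.2.1
# Fails (exit 1) when IP is not inside NETWORK, so the caller can skip it.
ptr_owner() {
  local ip=$1 net=$2
  case "$ip" in
    "$net".*) reverse_octets "${ip#"$net".}" ;;
    *) echo "ptr_owner: $ip is not inside $net" >&2; return 1 ;;
  esac
}

# soa_and_ns NS_FQDN RNAME SERIAL: $TTL, SOA (MNAME = primary nameserver) and NS
soa_and_ns() {
  cat <<EOF
\$TTL 604800
@   IN  SOA $1 $2 (
        $3          ; Serial (increment on every change)
        604800      ; Refresh
        86400       ; Retry
        2419200     ; Expire
        604800 )    ; Negative Cache TTL
@   IN  NS  $1
EOF
}

# gen_forward_zone DOMAIN NS_HOST SERIAL name=ip [name=ip ...]   ("@" = the bare domain)
gen_forward_zone() {
  local domain=$1 ns=$2 serial=$3 entry
  shift 3
  soa_and_ns "$ns.$domain." "root.$domain." "$serial"
  for entry in "$@"; do
    printf '%-15s IN  A   %s\n' "${entry%%=*}" "${entry#*=}"
  done
}

# gen_reverse_zone DOMAIN NS_HOST NETWORK SERIAL name=ip [name=ip ...]
# One PTR per IP: the first name listed for an IP wins, so list the real
# hostname before aliases such as www.  Hosts outside NETWORK are skipped.
gen_reverse_zone() {
  local domain=$1 ns=$2 net=$3 serial=$4 entry name ip owner target seen=" "
  shift 4
  soa_and_ns "$ns.$domain." "root.$domain." "$serial"
  for entry in "$@"; do
    name=${entry%%=*}; ip=${entry#*=}
    case "$seen" in *" $ip "*) continue ;; esac
    seen="$seen$ip "
    owner=$(ptr_owner "$ip" "$net") || continue
    if [ "$name" = "@" ]; then target="$domain."; else target="$name.$domain."; fi
    printf '%-15s IN  PTR %s\n' "$owner" "$target"
  done
}

# Usage with the page's values; pipe each into "sudo tee" of the matching zone file.
if [ "${1:-}" = "demo" ]; then
  gen_forward_zone ncaecybergames.org sandbox-ubuntu 2 \
    sandbox-ubuntu=192.168.8.2 @=192.168.8.2 www=192.168.8.2
  echo
  gen_reverse_zone ncaecybergames.org sandbox-ubuntu 192.168.8 2 \
    sandbox-ubuntu=192.168.8.2 @=192.168.8.2 www=192.168.8.2
fi
```

Writing through `sudo tee /etc/bind/zones/forward.ncaecybergames.org` keeps the file created in Step 3 (and its `root:bind 644`) instead of replacing it. The zone name for the reverse stanza in Step 1 is `reverse_zone_name 192.168.8`, so the config and the file can never disagree about the origin.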

---

## Start and Test DNS

### Start the Service
```bash
sudo systemctl start named
systemctl status named
```

If it fails to start, check for typos in your config files (missing semicolons, periods, spaces). `sudo named-checkconf -z` parses the config and test-loads every zone, reporting the file and line of the first error; `journalctl -u named -e` shows the same messages from the failed start.

---

### Configure Client to Use Your DNS Server

Edit `/etc/resolv.conf`:
```bash
sudo nano /etc/resolv.conf
```

Add your DNS server:
```
nameserver 192.168.8.2
```

On Ubuntu with systemd-resolved, `/etc/resolv.conf` is a generated file and a manual edit gets overwritten; set the server persistently in netplan instead (`/etc/netplan/*.yaml`, under the interface definition) and then run `sudo netplan apply`:
```yaml
nameservers:
  addresses:
    - 192.168.8.2
```

---

## Testing DNS

### Using nslookup

Forward lookup:
```bash
nslookup www.ncaecybergames.org
```

Reverse lookup:
```bash
nslookup 192.168.8.2
```

Both go through whatever resolver the client is configured with. To query your server directly, regardless of `/etc/resolv.conf`, pass it as the second argument: `nslookup www.ncaecybergames.org 192.168.8.2` (or `dig @192.168.8.2 www.ncaecybergames.org` and `dig @192.168.8.2 -x 192.168.8.2`). If the direct query works but the plain one fails, the problem is the client's resolver configuration, not BIND.

### Using Browser
Navigate to `http://www.ncaecybergames.org` - should load your web server.

---

## Troubleshooting

### Service Won't Start
- Check for typos in zone files (missing semicolons, periods)
- Check file permissions (`644`) and ownership (`root:bind`)
- Check config syntax: `named-checkconf` (add `-z` to also test-load every zone; use `sudo` if it reports permission denied)
- Check zone file syntax: `named-checkzone ncaecybergames.org /etc/bind/zones/forward.ncaecybergames.org` and, for the reverse zone, `named-checkzone 8.168.192.in-addr.arpa /etc/bind/zones/reverse.ncaecybergames.org`
- Read the actual error: `journalctl -u named -e`

### DNS Not Resolving
- Verify service is running: `systemctl status named`
- Check `/etc/resolv.conf` has your DNS server listed
- Test with `nslookup` (or `dig @192.168.8.2 ...` to bypass the client resolver) to isolate DNS vs other issues
- Confirm `named` is listening on the network interface, not only on localhost: `sudo ss -ulnp | grep ':53'`; if it only shows `127.0.0.1:53`, check `listen-on` in `named.conf.options`

### Common Mistakes
- Forgetting to increment serial number after changes
- Missing periods at end of domain names in reverse zone files (and after the SOA and NS names in the forward zone)
- Wrong file permissions/ownership
- Typos in IP addresses or domain names
- Missing semicolons in config files
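
The first and third mistakes above are the ones a script can prevent. This added example (not code from the original page or from BIND) bumps the SOA serial of a zone file in place, writing back through the same inode so the `root:bind 644` set up in Step 3 survives, then syntax-checks and reloads only that zone and reads back the serial the running server answers with. The sample zone is constructed; `named-checkzone`, `rndc` and `dig` are only used when installed.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page or from BIND: bump the SOA
# serial of a zone file in place without losing the file's owner and mode, then
# check and reload that one zone and compare what the server now serves.
# The zone file below is constructed; paths and names are the page's examples.

# Constructed zone in the layout used above (serial on the line after the SOA).
sample_zone() {
cat <<'EOF'
$TTL 604800
@   IN  SOA sandbox-ubuntu.ncaecybergames.org. root.ncaecybergames.org. (
        2           ; Serial (INCREMENT THIS ON EVERY CHANGE!)
        604800      ; Refresh
        86400       ; Retry
        2419200     ; Expire
        604800 )    ; Negative Cache TTL
@   IN  NS  sandbox-ubuntu.ncaecybergames.org.
www IN  A   192.168.8.2
EOF
}

# _serial_awk MODE NEW FILE: MODE=get prints the serial, MODE=set prints the
# file with the serial replaced by NEW.  The serial is the first integer after
# the SOA's "(", whether on the SOA line itself or on the following line.
_serial_awk() {
  awk -v mode="$1" -v new="$2" '
    function take(s, pat,   pre, m) {
      if (!match(s, pat)) return 0
      pre = substr($0, 1, RSTART + RLENGTH - 1)   # text up to and including the digits
      m = pre; sub(/[0-9]+$/, "", m)               # m = text before the digits
      old = substr(pre, length(m) + 1)
      if (mode == "get") { print old; exit }
      $0 = m new substr($0, RSTART + RLENGTH)
      done = 1
      return 1
    }
    { line = $0; sub(/;.*/, "", line) }           # ignore zone-file comments
    !done && !want && line ~ /[[:space:]]SOA[[:space:]]/ {
      if (!take(line, "[(][[:space:]]*[0-9]+")) want = 1
    }
    !done && want && line ~ /^[[:space:]]*[0-9]+/ { take(line, "^[[:space:]]*[0-9]+"); want = 0 }
    mode == "set" { print }
  ' "$3"
}

# zone_serial FILE -> current serial
zone_serial() { _serial_awk get "" "$1"; }

# bump_serial FILE -> new serial; rewrites FILE through the same inode (cat >,
# not mv), so the root:bind 644 from Step 3 survives the edit.
bump_serial() {
  local file=$1 old new tmp
  old=$(zone_serial "$file")
  [ -n "$old" ] || { echo "bump_serial: no SOA serial found in $file" >&2; return 1; }
  new=$((old + 1))
  tmp=$(mktemp)
  _serial_awk set "$new" "$file" > "$tmp" && cat "$tmp" > "$file"
  rm -f "$tmp"
  printf '%s\n' "$new"
}

# check_and_reload ZONE FILE: syntax-check, then reload only that zone (needs BIND tools).
check_and_reload() {
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone "$1" "$2" >/dev/null || return 1
  fi
  if command -v rndc >/dev/null 2>&1; then
    sudo rndc reload "$1"
  else
    echo "rndc not found; run: sudo systemctl restart named" >&2
  fi
}

# served_serial SERVER ZONE -> the serial the running server answers with (needs dig)
served_serial() {
  command -v dig >/dev/null 2>&1 || return 1
  dig +short @"$1" "$2" SOA | awk '{ print $3 }'
}
```

Typical use after editing the forward zone: `sudo bash -c '. ./zone-serial.sh; bump_serial /etc/bind/zones/forward.ncaecybergames.org && check_and_reload ncaecybergames.org /etc/bind/zones/forward.ncaecybergames.org'`, then compare `served_serial 192.168.8.2 ncaecybergames.org` with `zone_serial` on the file; if they differ, the reload did not happen and `journalctl -u named -e` says why. The script name is assumed.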

---

## Quick Reference

| Task | Command |
|------|---------|
| Check service status | `systemctl status named` |
| Start service | `sudo systemctl start named` |
| Restart after config change | `sudo systemctl restart named` |
| Check config syntax | `named-checkconf` |
| Check config and test-load all zones | `sudo named-checkconf -z` |
| Check zone syntax | `named-checkzone DOMAIN ZONEFILE` |
| Read the service log | `journalctl -u named -e` |
| Forward lookup | `nslookup DOMAIN` |
| Reverse lookup | `nslookup IP` |
| Query your server directly | `dig @192.168.8.2 DOMAIN` |