DNS using BIND 9

Table of Contents

1. Using Dig
2. Basic Configuration
3. The Master Bind Configuration File
4. Forward Zones
5. Reverse Zones
5.1. Assessment
6. Affecting the Changes
6.1. Controlling the Server During Runtime
7. Testing
8. Assessment
9. [Optional] Fixing that Mess with IPv6
10. [Optional] Fun with Hexadecimal
11. Last Words

Today we will learn the basics of setting up and maintaining a Domain Name Server using the popular BIND 9 package.

DNS can be fraught with difficulty for the unsuspecting newbie. To help keep this lab manageable, it will be a very basic introduction to setting up a DNS server, for a small LAN for IPv4 and IPv6. You will be given a template to work from.

Because DNS is such a crucial part of a network, and pretty much every service makes use of it, you will use the knowledge gained in this lab throughout the rest of this paper. You will be required to make changes to your DNS server in some of the labs that follow.

Important

Please ensure that you read the entire lab before coming to class, otherwise it’s very likely you will not complete it during the lab.

1. Using Dig

dig is the Domain Information Groper, and is the successor to a tool called nslookup. There is also a simplified version of dig called host, but we won’t cover that. So without further ado, here are some ways you can use dig. You should be able to try all these on your server or client.

You will get more information by not using the +short option. The answer will be found in the Answer section. You’ll also get some supplementary information, as well as result codes. Using the +short option is a good way of getting DNS information in shell scripts.

  • What is the IP address of www.isc.org? This is querying for an A record. The domain is that of the Internet Software Consortium, the organisation behind software such as BIND.

    $ dig isc.org
    ; <<>> DiG 9.6.1-P2 <<>> isc.org
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13764
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
    
    ;; QUESTION SECTION:
    ;isc.org.                       IN      A
    
    ;; ANSWER SECTION:
    isc.org.                43200   IN      A       149.20.64.42
    
    ;; AUTHORITY SECTION:
    isc.org.                40039   IN      NS      ord.SNS-PB.isc.org.
    isc.org.                40039   IN      NS      ams.SNS-PB.isc.org.
    isc.org.                40039   IN      NS      ns.isc.afilias-nst.info.
    isc.org.                40039   IN      NS      sfba.SNS-PB.isc.org.
    
    ;; ADDITIONAL SECTION:
    ns.isc.afilias-nst.info. 83240  IN      A       199.254.63.254
    ams.SNS-PB.isc.org.     16723   IN      A       199.6.1.30
    ord.SNS-PB.isc.org.     16723   IN      A       199.6.0.30
    sfba.SNS-PB.isc.org.    16723   IN      A       149.20.64.3
    
    ;; Query time: 230 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Tue Apr 27 16:40:32 2010
    ;; MSG SIZE  rcvd: 204
  • The same query, but this time in short format.

    $ dig +short www.isc.org
    204.152.184.88   Don’t panic if yours is different
  • Same as above, -t A is the default behaviour. -t A asks for resource records of type A, which maps a hostname to an IPv4 address.

    $ dig +short -t A www.isc.org
    204.152.184.88
  • You can use dig without specifying a fully qualified hostname. Note that dig will not use the default search path (in /etc/resolv.conf) by default; we can change this behaviour and use the search path with +search.

    $ dig gallardo
    
    ; <<>> DiG 9.7.0-P1 <<>> gallardo
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38969            FAILED!
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;gallardo.         IN      A            Because it wasn’t searching in our domain.
    
    $ dig +search +short gallardo
    139.80.206.169
  • What’s the (canonical) hostname for 139.80.206.169?

    $ dig +short -x 139.80.206.169
    gallardo.otago.ac.nz.
  • Note that the above inverse query is equivalent to this:

    $ dig +short -t PTR 169.206.80.139.in-addr.arpa
    gallardo.otago.ac.nz.
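    The reversed-octet name that dig -x builds can be worked out by hand; as an added example (not part of the original lab), this POSIX sh script derives the in-addr.arpa name for any IPv4 address and also defines a hypothetical fcrdns_check helper that uses dig to confirm the PTR answer resolves back to the same address. The helper assumes dig is installed and that the machine has network access; everything else runs offline.

```shell
#!/bin/sh
# Added example, not from the lab manual: build the in-addr.arpa name that
# `dig -x` constructs for an IPv4 address, and check PTR/A consistency.

# ptr_name ADDR: print the in-addr.arpa name for a dotted-quad IPv4 address.
# Octets are reversed and the in-addr.arpa suffix appended; malformed input
# prints nothing and returns status 1.
ptr_name() {
    addr=$1
    # Reject non-digits, empty groups, and leading/trailing dots up front.
    case "$addr" in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# fcrdns_check ADDR (hypothetical helper): forward-confirmed reverse DNS.
# Looks up the PTR for ADDR, resolves that hostname to its A records, and
# returns 0 only if ADDR is among them. Needs dig and network access, so the
# offline demonstration below does not call it.
fcrdns_check() {
    name=$(ptr_name "$1") || return 2
    host=$(dig +short -t PTR "$name" | head -n 1)
    [ -n "$host" ] || return 1
    dig +short -t A "$host" | grep -qx "$1"
}

# Constructed check using the lab's own example address.
if [ "$(ptr_name 139.80.206.169)" = "169.206.80.139.in-addr.arpa" ]; then
    echo "ptr_name ok"
fi
```

A mismatch from fcrdns_check (status 1) on a server you administer usually means the forward and reverse zones have drifted apart, which is worth catching before the Testing section.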

For the following exercises you will use dig to explore your local network environment a little. Take a screenshot showing the results.

  • Who are the name servers for otago.ac.nz?

    $ dig +short -t NS otago.ac.nz
  • Which of the nameservers (each domain should have at least two) is the master server? You can find this out by looking at the SOA for the domain.

    $ dig -t SOA otago.ac.nz
  • You can query a particular name server using the @ character before the nameserver’s DNS name or IP address. Select one of the nameservers you discovered in the previous step.

    $ dig @nameserver +short www.otago.ac.nz
  • Who are the mail exchangers for otago.ac.nz?

    $ dig +short -t MX otago.ac.nz

    Note

    Like web servers, which are also high-traffic, e-mail services can be designed in various ways for high availability or for load balancing. So if you get a single result, it may be that there are multiple servers behind one address and a device called a load balancer is acting as the entry point to a cluster of e-mail servers.

  • You can use dig to perform a zone transfer, which is to get a listing of all the data in a particular zone (domain).

    Warning

    Do not request this from a machine you do not administer, as it will be considered rude or hostile activity. You will have a chance to do the following later in the lab to your own network.

    $ dig @127.0.0.1 -t AXFR domain
    
  • Once you have your DNS server up and running, you can try to find out which version of BIND is running on the server. Servers are often configured to give a different result instead, to make it harder for an attacker to know what software version you are using. Don’t use +search.

    Note

    You can do this in your virtual machine later.

    $ dig @localhost -t TXT -c chaos +short version.bind
    "9.7.0-P1"

    The chaos “class” (like the “inet” class) refers to a historical networking system called Chaosnet that you don’t need to know anything about. Just know that it was around when the Internet was still referred to as the ARPAnet, and that the only reason we use it today is as a way to determine the version of the software running on a DNS server running BIND.