###### tags: `finished`

:::success
# CIA Lab 3 - Domain Name System (DNS)
:::

## Task 1 - Downloading and Installing a Caching Name Server

### 1.1. - Validating the Download

I immediately decided to work in AWS, so after all the basic settings, I connected to it via ssh.

<center>

![](https://i.imgur.com/vI6XIKD.png)

</center>

:::info
1. Why is it wise to verify your download?
:::

The check is necessary so that there are no problems with the KSK. Without updates of validating resolvers, even a new KSK can cause an error for all DNS queries. Or, if we are talking about checking the signature of the installer files, then this is necessary to confirm that they have not been changed by someone and do not contain viruses, for example.

:::info
2. Download the BIND tarball (also if you are doing the Unbound+NSD part) and check its validity using one of the signatures.
:::

My point of view is that it is best to use already compiled `apt` packages for installing programs, because it takes less time and is generally safe (unless we are talking about the Gentoo distribution, where everything is installed from source files). Therefore, to answer this task, I downloaded "Unbound 1.13.2" and its "pgp sig" from the official website. With the following command, I checked whether the file was signed with the correct key (the signature matches the file and guarantees that it was not changed after it was signed):

```
gpg --verify unbound-1.13.2.tar.gz.asc unbound-1.13.2.tar.gz
```

<center>

![](https://i.imgur.com/ru9Yr5b.png)

Figure 2 - Attempt to verify the signature

</center>

But unfortunately, I didn't find their public key on the company's website.

:::info
3. Which mechanism is the best one to use (signatures or hashes)? Why?
:::

It is better to use signatures because they confirm both the integrity of the message and its authenticity (that is, that the sender is a known source). A hash only confirms integrity: when the message changes, the hash changes as well.
### 1.2 - Documentation & Compiling

:::info
First, make sure your installation does not contain a previous version of the servers, as that can really mess things up (show how to check).
:::

I honestly don't know how to check this, since I used a completely clean machine on which no packages were previously pre-installed. In the future, I plan to monitor what I install on my system so that I don't need such checks. But if, in theory, I have to check it somehow, then I will first run a command to check the status of the service and see what state it is in. Or I will try to delete the service with its entire configuration, for example using `purge` or `apt remove`. Or did you mean the command `unbound -v` to check the version?

So, after installing Unbound, I checked its activity with the command:

```
systemctl status unbound
```

<center>

![](https://i.imgur.com/n3hEZlI.png)

Figure 3 - Checking the Unbound status

</center>

:::info
What is the difference between /etc, /usr/etc, /usr/local/etc?
:::

- `/etc` - used by the OS for config files;
- `/usr/etc` - according to the standard, a prohibited storage location for user program configs [[2](https://www.pathname.com/fhs/pub/fhs-2.3.html#THEUSRHIERARCHY)]. It also contains configuration files shared by different hosts, but should still refer to /etc;
- `/usr/local/etc` - stores configs of local software; programs and data can be shared between multiple hosts.

I like that most steps of the Unbound installation happen automatically and I do not need to configure it manually. I left the /etc path as the main location of the Unbound and NSD server files, because I think that this is not critical for a virtual machine, unlike my local station.

<center>

![](https://i.imgur.com/ENIclZB.png)

Figure 4 - Storage location for NSD and Unbound configs

</center>

## Task 2 - Configuring Caching Name Server

:::info
Why are caching-only name servers still useful?
:::

They are useful because they store the results of recursive queries in the cache for some time, which speeds up the conversion process and reduces the amount of network traffic transmitted.

Download the addresses of the servers that serve the root zones:

<center>

![](https://i.imgur.com/M7CLNVX.png)

Figure 5 - Downloading root.hints

</center>

:::info
Why is access control important for a recursive server?
:::

We use access control so that recursive requests can only be sent from allowed addresses. Since we use a caching name server, it stores data until the zone expires, even without further lookup requests. This can allow an attacker to substitute the IP address for a domain name (a flaw in the resolution algorithm) and send traffic to any place he needs. And since the changed data will get into the cache and will be used by the recursive server without lookup requests, this can lead to sad consequences; for example, domain name servers can be used for distributed DoS attacks.

This is the latest version of the config file, where remote control of the server is set up.

<center>

![](https://i.imgur.com/cP8KJsA.png)

Figure 5 - The last version of the Unbound config

</center>

```
unbound-checkconf
```

<center>

![](https://i.imgur.com/l2vMm0G.png)

Figure 6 - Checkconf

</center>

As it is said in the manual: "The unbound-checkconf program exits with status code 1 on error, 0 for a correct config file". I tried to find an explanation, but judging by the code of this program, is it just some kind of flag? I do not know; I checked most of the laboratory work with a sequence of `systemctl reload` and `journalctl -xe` commands to understand exactly at what stage the error occurred.
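Added example, not part of the lab report and not NLnet Labs' code: a small Python linter for the two settings in the config above, `access-control` for recursion and the `remote-control` section, run over two constructed unbound.conf fragments (an open one and the localhost-only layout used in this report). The option names are real unbound options; the sample configs and the function names are assumptions for illustration.

```python
# Added example (not the lab report's or NLnet Labs' code): lint an unbound.conf
# for recursion open to everyone and for an exposed remote-control section.
def parse_unbound_conf(text):
    """Parse unbound's "section:" / indented "key: value" layout into a dict."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()           # drop comments
        if line and not line[0].isspace():             # "server:", "remote-control:"
            current = line.rstrip(":").strip()
            sections.setdefault(current, [])
        elif line.strip():                             # indented "key: value"
            key, _, value = line.strip().partition(":")
            sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections

def audit_unbound(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_unbound_conf(text)
    findings = []
    # An allow rule for a /0 netblock turns the server into an open resolver.
    for net, action in (v.split() for k, v in conf.get("server", []) if k == "access-control"):
        if action.startswith("allow") and net.endswith("/0"):
            findings.append(f"open resolver: access-control {net} {action}")
    # unbound-control must stay on loopback (or a unix socket) and keep its keys.
    rc = dict(conf.get("remote-control", []))
    if rc.get("control-enable") == "yes":
        iface = rc.get("control-interface", "127.0.0.1")
        if not (iface.startswith(("/", "127.")) or iface == "::1"):
            findings.append(f"remote-control reachable on {iface}")
        if rc.get("control-use-cert", "yes") == "no":
            findings.append("remote-control without certificate authentication")
    return findings

# Constructed sample: recursion open to the world, control port on every interface.
OPEN_CONF = """\
server:
    access-control: 0.0.0.0/0 allow
remote-control:
    control-enable: yes
    control-interface: 0.0.0.0
    control-use-cert: no
"""
# Constructed sample in the layout this report uses: Unbound on localhost only.
LOCAL_CONF = """\
server:
    access-control: 127.0.0.0/8 allow
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
"""
```

Running `audit_unbound(OPEN_CONF)` lists three findings, while the localhost-only fragment produces none; the same check can be pointed at a real `/etc/unbound/unbound.conf` before `unbound-checkconf` is run.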
## Task 3 - Running Caching Name Server

:::info
Show the changes you made to your configuration to allow remote control
:::

You can see the remote access control settings above (Fig. 5).

```
# Create control keys to authenticate the server and to encrypt the transmitted data:
sudo unbound-control-setup
```

<center>

![](https://i.imgur.com/JnMYfnE.png)

Figure 7 - Result of set up unbound-control

</center>

:::info
What other commands/functions does rndc/unbound-control provide?
:::

In addition to directly administering the server, this command also checks the config file and communicates with the unbound server over SSL.

:::info
What is the difference between stop -> start and reload?
:::

When we use the `unbound-control reload` command, we do not stop Unbound, but apply changes to the configuration settings.

Here I disabled other services that listened on port 53 and interfered with the work of Unbound. NSD can be configured to use `<external IP>:53`, and Unbound localhost:53.

<center>

![](https://i.imgur.com/zIwmt5g.png)

Figure 8 - A little mistake with port 53

</center>

:::info
What do you need to put in resolv.conf (and/or other files) to use your own name server?
:::

When trying a lookup, the server says that it is waiting for a response from the address 127.0.0.53, but instead it sends responses to some 127.0.0.1. Therefore, in the resolv.conf file, we change the address of the name server.

<center>

![](https://i.imgur.com/WGen6k6.png)

Figure 10 - Failure

</center>

<center>

![](https://i.imgur.com/YCqK5jK.png)

Figure 10 - Default resolv.conf

![](https://i.imgur.com/2xw3NBr.png)

Figure 11 - New resolv.conf

</center>

<center>

![](https://i.imgur.com/fkMebbD.png)

Figure 12 - Successful result of nslookup

</center>

:::info
Show that your queries are successfully resolved and cached by also inspecting the server's log file (Hint: configure log verbosity level).
:::

After this screenshot, I had a lot of problems when installing NSD, because Unbound took everything with verbosity = 5.

<center>

![](https://i.imgur.com/zcxZbS4.jpg)

Figure 13 - Queries are successfully resolved and cached

</center>

## Task 4 - Authoritative Name Server

Basic commands for installing NSD and tools for its administration:

```
apt install nsd
nsd-control-setup
```

Here I unpacked and moved the sample configuration file to the correct directory:

```
zcat /usr/share/doc/nsd/examples/nsd.conf.sample.gz > /etc/nsd/nsd.conf
```

In the example, there are a lot of possible parameters for configuring the server; I have removed the comments only on some of them.

```
server:
    ip-address: 172.31.10.227
    server-count: 1
    verbosity: 3
    database: ""

remote-control:
    control-enable: yes

zone:
    name: st7.sne21.ru
    zone-file: /etc/nsd/st7
```

<center>

![](https://i.imgur.com/k1pLbQT.png)

Figure - Example of my nsd.conf

![](https://i.imgur.com/v89d9jX.png)

Figure - NSD status

</center>

After that, we create the zone file /etc/nsd/st7 and write the following lines to it:

<center>

![](https://i.imgur.com/HhByOKf.png)

Figure - St7 config with records

![](https://i.imgur.com/H1ENwHP.png)

Figure - Result of dig MX

</center>

:::info
What is a private DNS zone? Is stX.sne21.ru private?
:::

I understand that a private DNS zone is a solution for a virtual network in which the administrator can use his own domain names, and not only those issued by the provider. And yes, my zone is private.

:::info
What information was needed by TAs so they can implement the delegation?
:::

I think that after all this time the answer here will be: my public IP address and the DS record from the KSK.

## References:

1. [Updating of DNS Validating Resolvers](https://www.icann.org/resources/pages/dns-resolvers-updating-latest-trust-anchor-2018-06-27-ru)
2. [Filesystem Hierarchy Standard](https://www.pathname.com/fhs/pub/fhs-2.3.html#THEUSRHIERARCHY)
3. [Usefulness of Caching-only Name Servers](https://www.distributednetworks.com/unix-network-admin/module2/dns-caching-only.php)
4. [Set Up Unbound DNS Resolver on Ubuntu 20.04 Server](https://www.linuxbabe.com/ubuntu/set-up-unbound-dns-resolver-on-ubuntu-20-04-server/amp)
5. [DNS Labs](https://bangkok.lol/slides.html)
6. [DNS Unbound Config](https://nsrc.org/workshops/2014/caren-nsrc-dante/raw-attachment/wiki/Agenda/dns-unbound-config.pdf)
7. [Unbound-control](https://www.nlnetlabs.nl/documentation/unbound/unbound-control/)