
NETW Assignment 6

DNS

Introduction
In this 6th assignment you are going to learn how to set up DNS in a NAT network.

In this assignment we are going to set up a DNS server and define our own
private DNS zone and reverse zone so that we can reach hosts by hostname
instead of by IP address. We will do this in a Netkit environment.

Recommended literature:
Introduction to DNS records:
https://www.linode.com/docs/networking/dns/introduction-to-dns-records#domain-names
DNS Zone File:
http://en.wikipedia.org/wiki/Zone_file

Task 1: Unpack and study the Netkit lab

Copy the provided dns.zip file into your Linux environment and unzip it. You will
see the directory structure used to start up a Netkit lab.

The following files in a Netkit lab are important:

1. lab.conf – the configuration of the network. This file defines which nodes are to
be started and how they are interconnected through collision domains (in our case
LANs).
2. <node>.startup files – here you define any commands that you want executed when
the node starts up. These files are already preconfigured for this lab.
3. <node> directories. Each node has its own directory, which you can use to pass
files from the host Ubuntu system to the Netkit node to be started. Here you can
put, for example, network configuration files.

Example: imagine you want to configure the network interfaces of the node PC1. On an
Ubuntu system you do this in the /etc/network/interfaces file. In the Netkit lab
environment you put the corresponding interfaces file in
<netkit_lab_dir>/PC1/etc/network/. This file is then used to configure the network
interfaces during the automatic startup of the PC1 node.

For this week's assignment a small network is created in the lab:
1. LANA: PC1, PC2 and Router represent a home network and are connected to LANA.
They use private IP addresses from the range 192.168.1.x. The Router's interface
on LANA has the address 192.168.1.254.
2. Roles: the Router does NAT and additionally has the following roles:
a. DHCP server
b. DNS server

Task 2: Configure DHCP and start up the Netkit lab

As explained in Task 1, we can pass configuration files from the lab directory
structure to a Netkit node. To start the DHCP server on the Router node, a
dnsmasq.conf file is used. This file can be found in the <netkit_lab>/Router/etc
directory.

One of the options in this file is the range of IP addresses that the DHCP server
will hand out. Change this range to your own values so that DHCP is allowed to
assign 10 IP addresses starting with the IP address 192.168.1.x, where x is the
assignment number given to you in lesson 1.

Before you start your Netkit lab, provide an /etc/resolv.conf file for both PC1 and
PC2 in which you specify the IP address of the DNS server they are going to use (you
can reuse the file already provided in <netkit_lab>/Router/etc/resolv.conf).

Start up the Netkit lab by issuing the following command in the lab root directory:

lstart -f

The option -f means that all nodes are started in parallel rather than one after
another. This is important for this exercise, as the nodes need the DHCP server on
the Router to be able to start up.

Once your network is up, inspect the configuration of your IP interfaces. PC1 and PC2
should have received addresses from the range defined in dnsmasq.conf.

You will be asked for a password when the Router starts. This is because tap
interfaces are being configured, and superuser privileges are required to add a tap
interface on your Ubuntu Linux host.

Take a screenshot of the PC1 and PC2 interface configuration and make your network
drawing.

To stop a lab, issue the command:

lcrash

This will thoroughly clean up your Netkit environment.

Task 3: Investigate the DNS server

Make sure that the lab is stopped. Read the introduction to DNS records linked on the
first page before you continue, and also the DNS zone file link.

Take a look at your Router.startup file. Which command starts the DNS server?

Next, go to the Router/etc/bind directory and investigate the files you find there.

Answer the following questions:

1. Which file is responsible (contains the database) for hostname to IP address
lookups?
2. Which DNS zone is being defined? Hint: look at the Start of Authority (SOA)
and $ORIGIN records.
3. Which hosts are called john and peter?
4. What is the fully qualified domain name (hostname) of john and peter?
5. Which DNS record type is used to define john and peter?
6. Which file is responsible (contains the database) for the reverse lookup
(i.e. translating an IP address to a hostname)?

Task 4: Configure the DNS Server

We are now going to create our own DNS zone for our own private network.

Provide screenshots of all steps you have done and explain what you did. Also mention
how you tested your changes.

In Task 2 we changed the IP range of LANA to our own values. We will build a network
using this IP range so that we are also able to look up hostnames through DNS.

Create your own DNS zone by following the examples in the files you investigated in
Task 3.

Make sure that:

1. You create new files for the DNS zone. These files are named
db.yourdomain.studentnr and db.<first 3 octets of the IP range in reverse>.
2. You change named.conf.local to suit your needs.
3. The files mentioned in item 1 have the correct contents. You can use the
existing files as an example.
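
A worked set of files for the three items above, as an added example that is not taken from the lab's own Router/etc/bind directory: a POSIX shell script that generates the forward zone file, the reverse zone file and the named.conf.local entries for the private 192.168.1.0/24 network, and checks that every A record has a matching PTR record (a mismatch between the two files is the usual reason dig -x fails while dig works). The domain lab.s0000000, the host addresses .12 and .13 and the serial number are placeholders; john, peter and the Router's address 192.168.1.254 are the names and address the assignment uses.

```shell
# Added example, not the lab's own files: generate forward and reverse zone
# files plus named.conf.local for the private 192.168.1.0/24 network.
ZONE="lab.s0000000"      # placeholder for yourdomain.studentnr
NET_REV="1.168.192"      # first three octets of 192.168.1.0/24, reversed
NS_IP="192.168.1.254"    # the Router, which runs the DNS server

# Forward zone (db.$ZONE): SOA, NS and one A record per host.
# The host addresses .12 and .13 are constructed placeholders.
forward_zone() {
    cat <<EOF
\$TTL 86400
\$ORIGIN $ZONE.
@       IN  SOA ns1.$ZONE. admin.$ZONE. (
            2024010101 ; serial, increase it on every change
            3600       ; refresh
            1800       ; retry
            604800     ; expire
            86400 )    ; negative-cache TTL
@       IN  NS  ns1.$ZONE.
ns1     IN  A   $NS_IP
john    IN  A   192.168.1.12
peter   IN  A   192.168.1.13
EOF
}

# Reverse zone (db.$NET_REV): one PTR per host, keyed by the last octet.
reverse_zone() {
    cat <<EOF
\$TTL 86400
\$ORIGIN $NET_REV.in-addr.arpa.
@       IN  SOA ns1.$ZONE. admin.$ZONE. (
            2024010101 3600 1800 604800 86400 )
@       IN  NS  ns1.$ZONE.
${NS_IP##*.}     IN  PTR ns1.$ZONE.
12      IN  PTR john.$ZONE.
13      IN  PTR peter.$ZONE.
EOF
}

# named.conf.local: make BIND authoritative (master) for both zones.
named_conf_local() {
    cat <<EOF
zone "$ZONE" {
    type master;
    file "/etc/bind/db.$ZONE";
};

zone "$NET_REV.in-addr.arpa" {
    type master;
    file "/etc/bind/db.$NET_REV";
};
EOF
}

# Every A record in the forward zone must have a PTR with the same name in the
# reverse zone; list the hosts that lack one and fail if there are any.
check_forward_reverse() {
    missing=$(forward_zone | awk '$2 == "IN" && $3 == "A" { print $1, $4 }' |
        while read -r host ip; do
            last=${ip##*.}
            reverse_zone | grep -q "^$last[[:space:]].*PTR[[:space:]]*$host\.$ZONE\.\$" || echo "$host $ip"
        done)
    [ -z "$missing" ] && return 0
    echo "hosts without a PTR record:" >&2
    echo "$missing" >&2
    return 1
}

# Write all three files into the lab tree (<lab>/Router/etc/bind/), which
# Netkit copies onto the Router at startup (see Task 1).
write_zone_files() {
    lab="$1"
    dir="$lab/Router/etc/bind"
    mkdir -p "$dir"
    forward_zone     > "$dir/db.$ZONE"
    reverse_zone     > "$dir/db.$NET_REV"
    named_conf_local > "$dir/named.conf.local"
    check_forward_reverse
}

check_forward_reverse && echo "forward and reverse zones agree"
```

Run write_zone_files <netkit_lab> after setting ZONE to your own domain; it overwrites named.conf.local, so merge the generated zone statements with the existing file if you want to keep the example zone from Task 3. On the Router, named-checkzone <zone> <file> and named-checkconf (BIND's own tools, assuming the Netkit image ships them) report syntax errors before you have to dig through syslog.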

Start up your lab and test your configuration.

Use the following strategies to test your configuration:

1. The command dig <hostname> can be used to check whether your DNS is working.
Example: dig nu.nl.
Also check that your private zone works by using the dig command.

Note: your dig command is only successful if you get answers, so the ANSWER
section of the response should contain more than 0 records.

2. The command dig -x <ip address> can be used to test your reverse IP to
hostname mappings.

3. If something does not work, check the following:

a) Did your DNS server start without errors? Check using the command
less /var/log/syslog. Use q to quit the less command.
b) Do your hosts and Router use the correct DNS server? (hint: check
/etc/resolv.conf)
c) Does your DHCP server configure all configuration items correctly
for your hosts? How do you find out whether this is the case?

Provide screenshots of successful dig commands.
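
The test criterion above (the ANSWER count must be greater than 0) and the checklist under item 3, as an added example that is not part of the assignment: a POSIX shell filter that reads a dig response, extracts the answer count and status from dig's header line, and maps a failing status to the check to do next. The same filter shows the REFUSED status that Task 5 expects from outside the private network. The two sample responses are constructed, not captured from the lab; the zone name and address in them are placeholders.

```shell
# Added example, not part of the assignment: judge a dig response the way the
# assignment does (ANSWER count > 0) and turn a failing status into a hint.
# Use it on real output with:  dig john.<yourzone> | dns_check

# Number of records in the ANSWER section, taken from dig's header line.
dig_answer_count() { sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1; }

# Response status (NOERROR, NXDOMAIN, REFUSED, SERVFAIL, ...).
dig_status() { sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1; }

# Read a dig response on stdin; return 0 only if it carries at least one answer.
dns_check() {
    out=$(cat)
    n=$(printf '%s\n' "$out" | dig_answer_count)
    st=$(printf '%s\n' "$out" | dig_status)
    if [ -z "$n" ]; then
        echo "no dig header found: server unreachable or query timed out (check /etc/resolv.conf)"
        return 2
    fi
    if [ "$n" -gt 0 ]; then
        echo "OK: $n answer(s), status $st"
        return 0
    fi
    echo "FAIL: 0 answers, status $st"
    case "$st" in
        REFUSED)  echo "  the server refused the query: check allow-query/allow-recursion in named.conf.options" ;;
        NXDOMAIN) echo "  the name is not in the zone: check the zone file and named.conf.local" ;;
        SERVFAIL) echo "  the server failed: check /var/log/syslog on the Router for zone loading errors" ;;
    esac
    return 1
}

# Constructed samples of dig output (not captured from the lab); the zone
# name and the address are placeholders.
SAMPLE_OK='; <<>> DiG 9.16.1 <<>> john.lab.s0000000
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; ANSWER SECTION:
john.lab.s0000000.      86400   IN      A       192.168.1.12'

SAMPLE_REFUSED='; <<>> DiG 9.16.1 <<>> john.lab.s0000000
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

printf '%s\n' "$SAMPLE_OK" | dns_check             # OK: 1 answer(s), status NOERROR
printf '%s\n' "$SAMPLE_REFUSED" | dns_check || :   # FAIL: 0 answers, status REFUSED
```

dig -x <ip address> produces the same header, so the reverse lookups of item 2 can be piped through dns_check unchanged.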

Task 5: Security in DNS (optional)

DNS is often abused for DDoS attacks. That is why it is important that when you
configure your DNS server, you also think about correct configuration from the
security point of view.

In the following task we are going to protect our newly configured server so that it
can’t be abused from outside.

A DNS amplification attack is one way that malicious users try to take down servers
or sites on the internet. To do so, they try to find public DNS servers that will
resolve recursive queries. They spoof the victim's IP address and send the DNS server
a query that will return a large response. In doing so, the DNS server answers a
small request with a large payload directed at the victim's server, effectively
amplifying the bandwidth available to the attacker.

Hosting a public, recursive DNS server requires a great deal of special configuration
and administration. To avoid the possibility of your server being used for malicious
purposes, you will configure a list of IP addresses or network ranges that you trust.
You can do that in the named.conf.options file in the /etc/bind directory of the
Router. Take the example named.conf.options file from one of your nodes' /etc/bind
directories and adjust it so that only the nodes from your private network
(192.168.1.0/24) can use the server. Find out on the internet how to do this and
configure it.

Provide your adjustment to the named.conf.options file.
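
The trusted-network restriction described above, as an added example that is not the lab's own named.conf.options: a POSIX shell script that writes the open-resolver configuration next to the hardened one (an acl named trusted holding 192.168.1.0/24, used by allow-query and allow-recursion) and audits a named.conf.options file for those two statements. The acl name, the directory line and the comments are constructed; allow-query, allow-recursion, allow-transfer and the built-in localhost acl are BIND's own names. Only the rest of your existing file's options should be carried over.

```shell
# Added example, not the lab's own named.conf.options: the open setting next to
# the restricted one, plus a small audit of a named.conf.options file.

# The weak configuration: recursion for anyone, which is what an amplification
# attack needs (a spoofed source address gets the large reply).
open_resolver_options() {
    cat <<'EOF'
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };       // any spoofed source can make this server recurse
};
EOF
}

# The restricted configuration: only the private LAN (and the Router itself)
# may query or recurse; everyone else gets REFUSED.
hardened_options() {
    cat <<'EOF'
// Only the private LAN and the Router itself may use this server.
acl "trusted" { 192.168.1.0/24; localhost; };

options {
    directory "/var/cache/bind";    // keep the other options of the existing file here
    recursion yes;                  // the LAN still needs a recursive resolver
    allow-query     { trusted; };   // every other source is answered with REFUSED
    allow-recursion { trusted; };   // no recursion for outside sources: no amplification
    allow-transfer  { none; };      // nobody may pull a full copy of the zones
};
EOF
}

# Print the body of one statement (e.g. allow-recursion) from a
# named.conf.options file with // comments removed; empty if absent.
acl_statement() {
    sed 's|//.*||' "$1" | tr '\n' ' ' | grep -o "$2[[:space:]]*{[^}]*}" || true
}

# Return 1 if allow-query or allow-recursion is missing or admits "any";
# return 0 when both name a restricted list.
audit_named_options() {
    f="$1"; rc=0
    for s in allow-query allow-recursion; do
        stmt=$(acl_statement "$f" "$s")
        if [ -z "$stmt" ]; then
            echo "$f: no $s statement (the default depends on the BIND version; state it explicitly)"; rc=1
        elif printf '%s' "$stmt" | grep -q '[{; ]any[ ;}]'; then
            echo "$f: $s admits any client: $stmt"; rc=1
        else
            echo "$f: $s restricted: $stmt"
        fi
    done
    return $rc
}

# Stand-alone demo on temporary copies; in the lab, write hardened_options
# into <netkit_lab>/Router/etc/bind/named.conf.options instead.
d=$(mktemp -d)
open_resolver_options > "$d/open.conf"
hardened_options      > "$d/hardened.conf"
audit_named_options "$d/open.conf" || :    # exit status 1: both statements open
audit_named_options "$d/hardened.conf"     # exit status 0: both restricted
rm -r "$d"
```

After installing the hardened file and restarting the lab, named-checkconf on the Router (BIND's own tool, assuming the image ships it) confirms the syntax; a dig from the Attacker node then comes back with status REFUSED and an empty ANSWER section, while the same query from PC1 still succeeds.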

To be able to prove that your configuration is correct, you are going to create
another node outside of your private network and try DNS queries from it.
Here are the steps to be done.
1. Adjust your lab.conf file so that the Router has 3 interfaces instead of 2.
2. Adjust your lab.conf file so that one more node, Attacker, is created. This
node will be connected to the extra Router interface. Don't forget to create an
Attacker directory with the configuration for the Attacker node and all the
necessary files for Attacker.
3. Configure IP addresses for both the extra Router interface and Attacker (they
will be part of the same subnet, which is different from 192.168.1.0/24).
4. Make sure that your newly created node uses your newly created DNS server at
address 192.168.1.254 (Tip: you can adjust the standard /etc/resolv.conf file for
that).
5. Check your configuration: if all your IP addresses and routing are OK, you
should be able to
a) ping between Attacker and PC1
b) execute dig commands from Attacker.
6. On the Attacker node, take a screenshot of a dig command for your john node.
Before your change to the named.conf.options file it should be successful.

Provide a screenshot of successful dig command to john node.

After your change to the named.conf.options file it should be unsuccessful, as
addresses outside the 192.168.1.0/24 subnet should not be able to use the DNS server.

Provide a screenshot of unsuccessful dig command to john node.
