DNS
Introduction
In this 6th assignment you are going to learn to set up DNS in a NAT network.
We are going to set up a DNS server and define our own private DNS zone and
reverse zone so that we can reach hosts by hostname instead of by IP address.
We will do this in a Netkit environment.
Recommended literature:
Introduction to DNS records:
https://www.linode.com/docs/networking/dns/introduction-to-dns-records#domain-names
DNS Zone File:
http://en.wikipedia.org/wiki/Zone_file
Example: Imagine you want to configure the network interfaces of node PC1. On an Ubuntu
system you do this in the /etc/network/interfaces file. In the Netkit lab environment you
put the corresponding interfaces file in <netkit_lab_dir>/PC1/etc/network. This file
is then used to configure the network interfaces during the automatic startup of the PC1
node.
For this week's assignment a small network is created in the lab:
1. LANA: PC1, PC2 and Router represent a home network and are connected to
LANA. They use private IP addresses from the range 192.168.1.x. The Router uses
the address 192.168.1.254 on its LANA interface.
2. Roles: The Router does NAT and additionally has the following roles:
a. DHCP server
b. DNS server
One of the options in the dnsmasq.conf file is the range of IP addresses that the DHCP
server will distribute. Change this range to your own values so that DHCP may
assign 10 IP addresses starting with the IP address 192.168.1.x, where x is the assignment
number given to you in lesson 1.
Before you start your Netkit lab, provide an /etc/resolv.conf file for both PC1 and PC2 in which you
specify the IP address of the DNS server they are going to use (you can reuse the one already
provided in <netkit_lab>/Router/etc/resolv.conf).
Start the Netkit lab by issuing the following command in the lab
root directory:
lstart -f
Option -f means that all nodes are started in parallel rather than one after another. This is important
for this exercise, as the nodes need the DHCP server on the Router in order to
start up.
Once your network is up, inspect the configuration of your IP interfaces. PC1 and PC2
should have received addresses from the range defined in the dnsmasq.conf file.
You will be asked for a password when the Router starts. This is because tap interfaces
are being configured, and superuser privileges are required to add a tap interface to your
Ubuntu Linux host.
Create a screenshot of the PC1 and PC2 interface configuration and make your network
drawing.
Make sure that the lab is stopped. Check the introduction to DNS records link on the
first page before you continue. Also check the DNS Zone File link.
We are now going to create our own DNS zone for our own private network.
Provide screenshots of all steps you have done and explain what you did. Also mention
how you tested your changes.
In Task 2 we changed the IP range of LANA to our own values. We will now build
a network using this IP range so that we can also use hostnames through DNS
lookups.
Create your own DNS zone by following the examples in the files you investigated
in task 3.
Note: Your dig command is only successful if you get some answers, so the
ANSWER count in the response should be greater than 0.
2. The command dig -x <ip address> can be used to test your reverse IP-to-hostname
mappings.
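The zone and reverse zone described above, as an added example that is not part of the assignment: a forward zone file and the matching reverse zone file for 192.168.1.0/24 served by the Router. The zone name home.lab, the file names, the serial and the PC1/PC2 addresses (.10 and .11) are constructed for this example; in the lab the addresses must match what your DHCP range hands out.

```conf
; /etc/bind/db.home.lab  (forward zone; "home.lab" is an assumed zone name)
$TTL    86400
@       IN  SOA     router.home.lab. admin.home.lab. (
                        2024010101  ; serial: increase it on every change
                        3600        ; refresh
                        900         ; retry
                        604800      ; expire
                        86400 )     ; negative-answer TTL
@       IN  NS      router.home.lab.
router  IN  A       192.168.1.254  ; the Router, from the assignment
pc1     IN  A       192.168.1.10   ; constructed address
pc2     IN  A       192.168.1.11   ; constructed address

; /etc/bind/db.192.168.1  (reverse zone, declared as 1.168.192.in-addr.arpa:
; the octets of the network are written in reverse order)
$TTL    86400
@       IN  SOA     router.home.lab. admin.home.lab. (
                        2024010101 3600 900 604800 86400 )
@       IN  NS      router.home.lab.
254     IN  PTR     router.home.lab.   ; only the host octet is given here
10      IN  PTR     pc1.home.lab.
11      IN  PTR     pc2.home.lab.
```

Both files are declared with `type master;` in the Router's /etc/bind/named.conf.local (the reverse one under the name "1.168.192.in-addr.arpa"), and `dig pc1.home.lab` and `dig -x 192.168.1.10` against 192.168.1.254 should then each return one record in the ANSWER section.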
DNS is often abused for DDoS attacks. That is why, when you configure your DNS
server, it is important that you also think about correct configuration from the
security point of view.
In the following task we are going to protect our newly configured server so that it
cannot be abused from outside.
A DNS amplification attack is one way malicious users try to take down servers
or sites on the internet. To do so, they look for public DNS servers that will resolve
recursive queries. They spoof the victim's IP address and send the DNS server a query
that returns a large response. The DNS server thus answers a small
request with a large payload directed at the victim's server, effectively amplifying the
bandwidth available to the attacker.
Hosting a public, recursive DNS server requires a great deal of special configuration
and administration. To avoid the possibility of your server being used for malicious
purposes, you will configure a list of IP addresses or network ranges that you trust.
You can do that in the named.conf.options file in the /etc/bind directory of the
Router. Take an example named.conf.options file from the /etc/bind directory of one of
your nodes and adjust it so that only the nodes from your
private network (192.168.1.0/24) can use the server. Find out on the internet how to do this
and configure it.
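One way to express the trusted list, as an added example rather than the assignment's own solution: the weak form of the Router's /etc/bind/named.conf.options (shown commented out) beside a hardened form that restricts queries, recursion and cache access to 192.168.1.0/24 using a BIND acl. The acl name "trusted" and the directory line are assumptions; the option names are standard BIND 9 options.

```conf
// /etc/bind/named.conf.options on the Router (added example).
//
// Weak form: every host that can reach the server may use recursion and
// the cache, which is exactly what an amplification attack relies on.
//
//   options {
//       directory "/var/cache/bind";
//       recursion yes;
//       allow-query     { any; };
//       allow-recursion { any; };
//   };

// Hardened form: name the networks we trust (assumed acl name "trusted").
acl "trusted" {
    192.168.1.0/24;   // LANA: PC1, PC2 and the Router itself
    127.0.0.1;        // the Router's own resolver via localhost
};

options {
    directory "/var/cache/bind";
    recursion yes;                     // still recursive, but only for us
    allow-query       { trusted; };    // who may ask anything at all
    allow-recursion   { trusted; };    // who may trigger recursive lookups
    allow-query-cache { trusted; };    // who may read cached answers
    allow-transfer    { none; };       // no zone transfers to anyone
};
```

Check the file with `named-checkconf` before restarting BIND; afterwards a query from a host outside 192.168.1.0/24 comes back with `status: REFUSED` in the dig header, while PC1 and PC2 keep getting answers.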
To be able to prove that your configuration is correct, you are going to create another node
outside of your private network and try DNS queries from it.
Here are the steps to be done.
1. Adjust your lab.conf file so that the Router has 3 interfaces instead of 2.
2. Adjust your lab.conf file so that one more node, Attacker, is created. This
node is connected to the extra Router interface. Don't forget to create the
Attacker directory with the configuration for the Attacker node and all the
necessary files for Attacker.
3. Configure IP addresses for both the extra Router interface and Attacker (they are
part of the same subnet, which is different from the subnet 192.168.1.0/24).
4. Make sure that your newly created node uses your newly created
DNS server at address 192.168.1.254 (Tip: you can adjust the standard
/etc/resolv.conf file for that).
5. Check your configuration: if all your IP addresses and routing are OK, you
should be able to
a) ping between Attacker and PC1
b) execute dig commands from Attacker.
6. On the Attacker node, provide a screenshot of a dig command to your john node.
Before your change to the named.conf.options file it should be successful.