Enabling DNS for IPv6 CSD Fall 2011


Team members:
    Bowei Dai            daib@kth.se       15 credits
    Elis Kullberg        elisk@kth.se      18 credits
    Hannes Junnila       haju@kth.se       15 credits
    Nur Mohammad Rashed  nmrashed@kth.se   15 credits
    Siddharth Madan      smadan@kth.se     15 credits
    Vasily Prokopov      prokopov@kth.se   18 credits

2-Dec-11

TABLE OF CONTENTS

1 VERSION HISTORY
2 INTRODUCTION
    Purpose of the document
    Scope of the document
    Audience of the document
3 REGULAR ZONE IPv6 CONFIGURATION
4 REVERSE ZONE IPv6 CONFIGURATION
5 TROUBLESHOOTING
6 REFERENCES
APPENDIX A
APPENDIX B
APPENDIX C

1 VERSION HISTORY

Version  Release date       Changes                        Author(s)
1.1      December 2, 2011   Troubleshooting section added  Vasily Prokopov
1.0      November 29, 2011  Document created               Vasily Prokopov

2 INTRODUCTION

Purpose of the document

The purpose of this document is to describe the IPv6-specific part of the configuration of the Domain Name System (DNS) server in CareNet.

Scope of the document

The document deals with the CareNet network infrastructure, namely with the DNS server.

Audience of the document

The project owner, the coaches and the members of the CareNet teams form the potential audience of the document.

3 REGULAR ZONE IPv6 CONFIGURATION

The goal was to enable the DNS server of CareNet to answer IPv6 queries and to provide IPv6 addresses in response to those queries. For that purpose the configuration of the existing external carenet-se.se domain zone [1] was modified by adding an IPv6 (AAAA) entry for each domain member. Below you will find an example for the Log server:

    vprokopov@domain:/$ sudo nano /etc/bind/zones/external/carenet-se.se.db

    log     IN  A     192.16.126.94
    log     IN  AAAA  2001:6b0:32::94

Every other member of the domain was configured in the same manner. The full configuration is listed in Appendix A. Entries of the external carenet-se.se domain zone are synchronized with the DNS servers of SSVL.

To check whether DNS is providing IPv6 information for CareNet, the following command can be used (the answer below comes from a public recursive resolver, so it also proves that the zone is visible outside CareNet):

    n141-p63:~ vprokopov$ dig AAAA sip.carenet-se.se

    ; <<>> DiG 9.7.3-P3 <<>> AAAA sip.carenet-se.se
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58509
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;sip.carenet-se.se.             IN      AAAA

    ;; ANSWER SECTION:
    sip.carenet-se.se.      600     IN      AAAA    2001:6b0:32::69

    ;; Query time: 99 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Tue Nov 29 11:54:13 2011
    ;; MSG SIZE  rcvd: 63

4 REVERSE ZONE IPv6 CONFIGURATION

Although the regular domain zone IPv6 configuration was quite straightforward, the reverse domain zone configuration is far more tricky. It starts with creating a zone file with a specific name: the hexadecimal nibbles of the network prefix, written in reverse order under ip6.arpa. In our case, since CareNet owns the 2001:6b0:32::/49 network, the name is 2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa.

Then reverse PTR entries were specified for every IPv6-enabled domain member. An example for the Log server, which has the address 2001:6b0:32::94, can be found below:

    vprokopov@domain:/$ sudo nano /etc/bind/zones/2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa

    $ORIGIN 0.0.0.0.2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa.
    4.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  log.carenet-se.se.

$ORIGIN is a standard directive described in RFC 1035: it sets the suffix that is appended to every relative owner name that follows it, so each PTR record only needs to spell out the low 64 bits of the address. The full listing of the 2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa file can be found in Appendix B.

After the reverse domain zone file was created, it had to be referenced in the /etc/bind/named.conf.local file (Appendix C):

    vprokopov@domain:/$ sudo nano /etc/bind/named.conf.local

    zone "2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa" {
        // zone type and closing braces are missing from the extracted listing; restored here
        type master;
        file "/etc/bind/zones/2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa";
        // also-notify { ssvl-ns; ssvl-ns2; gaia; };
        also-notify { 192.16.124.50; 192.16.125.100; 130.237.212.6; };
        // allow-transfer { ssvl-ns; ssvl-ns2; gaia; };
        allow-transfer { 192.16.124.50; 192.16.125.100; 130.237.212.6; };
        allow-query { any; };
    };

In order to test the reverse DNS for IPv6, the following command can be used (dig -x builds the ip6.arpa name for you; the query is sent directly to the CareNet name server, hence the aa flag and the recursion warning):

    macbook-pro:$ dig -x 2001:6b0:32::85 @192.16.126.66

    ; <<>> DiG 9.7.3-P3 <<>> -x 2001:6b0:32::85 @192.16.126.66
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62653
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;5.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa. IN PTR

    ;; ANSWER SECTION:
    5.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa. 600 IN PTR gwupdate.carenet-se.se.

    ;; AUTHORITY SECTION:
    2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa. 600 IN NS ns.ssvl.kth.se.
    2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa. 600 IN NS ns2.ssvl.kth.se.
    2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa. 600 IN NS ns.carenet-se.se.

    ;; ADDITIONAL SECTION:
    ns.carenet-se.se.       600     IN      A       192.16.126.66
    ns.carenet-se.se.       600     IN      AAAA    2001:6b0:32::66

    ;; Query time: 76 msec
    ;; SERVER: 192.16.126.66#53(192.16.126.66)
    ;; WHEN: Tue Nov 29 14:04:59 2011
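The nibble-reversal and $ORIGIN grouping described above, as an added example that is not part of the original document: it derives the ip6.arpa owner name of any IPv6 address, the reverse zone apex for a nibble-aligned prefix (the page's /49 cannot be cut at a nibble, which is why its zone is the enclosing /48), and renders PTR records grouped per /64 the way Appendix B does. The hostnames and addresses are a constructed subset of the page's own records; it also refuses a PTR target without a trailing dot, since BIND would append the origin to it.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a few of the page's forward AAAA records (Appendix A).
FORWARD_AAAA = {
    "log.carenet-se.se.": "2001:6b0:32::94",
    "sip.carenet-se.se.": "2001:6b0:32::69",
    "vav-kislink.carenet-se.se.": "2001:6b0:32:1::1",
    "vr.carenet-se.se.": "2001:6b0:32:10::1",
}

def ip6_arpa_name(addr):
    """Owner name for a PTR record: all 32 nibbles of the address, reversed,
    under ip6.arpa (RFC 3596). Leading zeros must be written out, so the
    exploded form of the address is used."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def zone_name_for_prefix(prefix):
    """Reverse zone apex for a prefix. ip6.arpa cuts are per nibble, so the
    prefix length must be a multiple of 4; a /49 has to live in its /48 zone."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa zone cuts must be nibble aligned")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def reverse_zone(prefix, forward):
    """Render PTR records grouped under one $ORIGIN per /64, as Appendix B does."""
    zone = zone_name_for_prefix(prefix)
    net = ipaddress.IPv6Network(prefix)
    groups = defaultdict(list)
    for name, addr in forward.items():
        if not name.endswith("."):      # relative target: BIND would append the origin
            raise ValueError(f"PTR target {name!r} must be fully qualified")
        ip = ipaddress.IPv6Address(addr)
        if ip not in net:
            raise ValueError(f"{addr} is outside {prefix}")
        labels = ip6_arpa_name(addr).split(".")
        host = ".".join(labels[:16])    # low 64 bits: the record's relative owner name
        origin = ".".join(labels[16:])  # high 64 bits + ip6.arpa.: the $ORIGIN
        groups[origin].append(f"{host} IN PTR {name}")
    lines = [f"$ORIGIN {zone}"]
    for origin in sorted(groups):
        lines.append(f"$ORIGIN {origin}")
        lines.extend(sorted(groups[origin]))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(reverse_zone("2001:6b0:32::/48", FORWARD_AAAA))
```

Running it prints the same $ORIGIN blocks and PTR lines as Appendix B for the four sample hosts, which makes it a handy cross-check of a hand-written reverse zone against the forward zone.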

5 TROUBLESHOOTING

If the DNS server is not responding to queries coming in on its IPv6 interface:

Make sure that BIND is listening on the IPv6 interface (UDP, port 53). You can check that by running the following command:

    vprokopov@domain:/etc/bind$ netstat -anu
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    udp6       0      0 ff02::1:2:547           :::*
    udp6       0      0 :::53                   :::*

If it is not, check whether BIND is actually configured to listen on IPv6. You should have a similar entry in your /etc/bind/named.conf.options file:

    vprokopov@domain:/$ sudo nano /etc/bind/named.conf.options

    listen-on-v6 { any; };

It is also useful to check the log:

    vprokopov@domain:/$ sudo tail -100 /var/log/syslog | grep named
    Dec  2 14:02:14 domain named[11033]: listening on IPv6 interfaces, port 53
    Dec  2 14:02:14 domain named[11033]: listening on IPv4 interface lo, 127.0.0.1#53
    Dec  2 14:02:14 domain named[11033]: listening on IPv4 interface br0, 192.16.126.66#53
    Dec  2 14:02:14 domain named[11033]: listening on IPv4 interface br0:0, 192.168.0.3#53

Another reason why BIND could fail to use the IPv6 interface is that it is invoked with the -4 option (IPv4 only). You can check that in the /etc/default/bind9 file. It should look like the example below; if the -4 option is specified there, remove it.

    vprokopov@domain:/$ sudo cat /etc/default/bind9
    # run resolvconf?
    RESOLVCONF=yes

    # startup options for the server
    OPTIONS="-u bind -t /var/lib/named"

Sometimes, even if the DNS server is listening on the IPv6-enabled interface, an IPv6-enabled client is still rejected:

    vprokopov@domain:/$ sudo cat /var/log/syslog | grep denied
    Dec  2 13:41:08 domain named[10690]: client 2001:6b0:32::70#44326: view _meta: query (cache) 'domain.carenet-se.se/a/in' denied

This happens because the client is rejected by the ACL configured in the /etc/bind/named.conf.options file. Make sure that the zone you have defined permits IPv6 hosts in its allow-query clause. If you use an ACL named all or similar to match all possible clients (as we do in CareNet), then make sure it contains an IPv6 entry as well: an IPv4 prefix such as 0/0 never matches an IPv6 client.

    acl all { 0/0; ::/0; };
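The last check above, as an added example that is not part of the original document: it pulls the client addresses out of "denied" lines in the same form as the syslog excerpt (the two log lines are constructed samples), expands BIND-style address-match elements such as 0/0 and ::/0, and reports which denied clients a given ACL would still reject, which shows directly why the ::/0 entry is needed.

```python
import ipaddress
import re

# Constructed sample lines in the same form as the page's syslog excerpt.
LOG_LINES = [
    "Dec  2 13:41:08 domain named[10690]: client 2001:6b0:32::70#44326: "
    "view _meta: query (cache) 'domain.carenet-se.se/a/in' denied",
    "Dec  2 13:41:09 domain named[10690]: client 192.16.126.70#51234: "
    "view external: query: portal.carenet-se.se IN A + (192.16.126.66)",
]

DENIED_RE = re.compile(r"client (?P<ip>[0-9a-fA-F:.]+)#\d+: .*\bdenied$")

def denied_clients(lines):
    """Client addresses of 'denied' log entries (what `grep denied` surfaces)."""
    return [m.group("ip") for line in lines if (m := DENIED_RE.search(line))]

def parse_acl(entries):
    """Expand BIND address-match elements such as '0/0', '192.16/16', '::/0'
    into ip_network objects. BIND allows abbreviated IPv4 prefixes, which
    ipaddress does not, so missing octets are padded with zeros."""
    nets = []
    for entry in entries:
        addr, _, plen = entry.partition("/")
        if ":" not in addr:
            octets = addr.split(".")
            addr = ".".join(octets + ["0"] * (4 - len(octets)))
        if not plen:
            plen = "128" if ":" in addr else "32"
        nets.append(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
    return nets

def acl_matches(acl_nets, client):
    """True if any ACL element covers the client. A prefix only ever matches
    its own address family, so 0/0 does not admit IPv6 clients."""
    ip = ipaddress.ip_address(client)
    return any(ip.version == net.version and ip in net for net in acl_nets)

def uncovered_denied_clients(lines, acl_entries):
    """Denied clients that the given ACL would still reject."""
    nets = parse_acl(acl_entries)
    return [c for c in denied_clients(lines) if not acl_matches(nets, c)]

if __name__ == "__main__":
    print("acl all { 0/0; }:      ", uncovered_denied_clients(LOG_LINES, ["0/0"]))
    print("acl all { 0/0; ::/0; }:", uncovered_denied_clients(LOG_LINES, ["0/0", "::/0"]))
```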

6 REFERENCES

[1] CareNet Fall 2011 Team, "Incident report: DNS misconfiguration". [Online]. Available: http://gwupdate.carenet-se.se/docs/carenet-Fall2011-%5BNOC-06%5D-Incedent_report-DNS_misconfiguration_ver1-0.pdf

APPENDIX A  /etc/bind/zones/external/carenet-se.se.db

$TTL 600
carenet-se.se.  IN  SOA   ns.carenet-se.se. domain.carenet-se.se. (
                          2011112901   ; serial
                          28800        ; refresh
                          3600         ; retry
                          604800       ; expire
                          38400 )      ; minimum
carenet-se.se.  IN  NS    ns.carenet-se.se.
carenet-se.se.  IN  NS    ns.ssvl.kth.se.
carenet-se.se.  IN  NS    ns2.ssvl.kth.se.
carenet-se.se.  IN  A     192.16.126.66
carenet-se.se.  IN  AAAA  2001:6b0:32::66

;; Routers and interfaces
hemma.hecc.se   IN  A     130.237.72.200
umsdb           IN  CNAME hemma.hecc.se
vav-kislink     IN  A     192.16.126.1
kis-vavlink     IN  A     192.16.126.2
vav-hudlink     IN  A     192.16.126.5
hud-vavlink     IN  A     192.16.126.6
kis-lanlink     IN  A     192.16.126.65
vav-kislink     IN  AAAA  2001:6b0:32:1::1
kis-vavlink     IN  AAAA  2001:6b0:32:1::2
vav-hudlink     IN  AAAA  2001:6b0:32:3::1
hud-vavlink     IN  AAAA  2001:6b0:32:3::2
kis-lanlink     IN  AAAA  2001:6b0:32::1

;; Routers' loopbacks
vr              IN  A     192.16.126.9
kr              IN  A     192.16.126.10
hr              IN  A     192.16.126.11
vr              IN  AAAA  2001:6b0:32:10::1
kr              IN  AAAA  2001:6b0:32:10::2
hr              IN  AAAA  2001:6b0:32:10::3

;; CareNet-SE servers
ns              IN  A     192.16.126.66
log             IN  A     192.16.126.94
sip             IN  A     192.16.126.69
management      IN  A     192.16.126.70
vmhost1         IN  A     192.16.126.72
vmhost2         IN  A     192.16.126.71
ums             IN  A     192.16.126.75
vpn             IN  A     192.16.126.84
mrs             IN  A     192.16.126.112
portal          IN  A     192.16.126.91
gwupdate        IN  A     192.16.126.85
domain          IN  CNAME ns
mcu             IN  CNAME sip
syslog          IN  CNAME management
server01        IN  CNAME vmhost1
server02        IN  CNAME vmhost2
ns              IN  AAAA  2001:6b0:32::66
log             IN  AAAA  2001:6b0:32::94
sip             IN  AAAA  2001:6b0:32::69
management      IN  AAAA  2001:6b0:32::7
vmhost1         IN  AAAA  2001:6b0:32::72
vmhost2         IN  AAAA  2001:6b0:32::71
mrs             IN  AAAA  2001:6b0:32::112
portal          IN  AAAA  2001:6b0:32::91
gwupdate        IN  AAAA  2001:6b0:32::85

;; SIP service records
carenet-se.se.            IN  NAPTR 2 0 "s" "SIP+D2U" "" _sip._udp.carenet-se.se.
carenet-se.se.            IN  NAPTR 2 0 "s" "SIP+D2T" "" _sip._tcp.carenet-se.se.
_sip._tcp.carenet-se.se.  IN  SRV   1 0 5060 sip.carenet-se.se.
_sip._udp.carenet-se.se.  IN  SRV   1 0 5060 sip.carenet-se.se.

;; SSVL servers
www             IN  A     192.16.124.51
mail            IN  CNAME mail.ssvl.kth.se.

APPENDIX B  /etc/bind/zones/2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa

$TTL 600
$ORIGIN 2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa.
@   IN  SOA  ns.carenet-se.se. admin.carenet-se.se. (
              2011112902   ; serial
              28800        ; refresh
              604800       ; retry
              604800       ; expire
              86400 )      ; minimum
@   IN  NS   ns.carenet-se.se.
@   IN  NS   ns.ssvl.kth.se.
@   IN  NS   ns2.ssvl.kth.se.
6.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  ns.carenet-se.se.

$ORIGIN 0.0.0.0.2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa.
9.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  sip.carenet-se.se.
4.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  log.carenet-se.se.
0.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  management.carenet-se.se.
2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  vmhost1.carenet-se.se.
1.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  vmhost2.carenet-se.se.
5.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  ums.carenet-se.se.
4.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  vpn.carenet-se.se.
2.1.1.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  mrs.carenet-se.se.   ; trailing dot added: without it the origin would be appended
1.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  portal.carenet-se.se.
5.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  gwupdate.carenet-se.se.
5.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  kis-lanlink.carenet-se.se.

$ORIGIN 1.0.0.0.2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  vav-kislink.carenet-se.se.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  kis-vavlink.carenet-se.se.

$ORIGIN 3.0.0.0.2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  vav-hudlink.carenet-se.se.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  hud-vavlink.carenet-se.se.

$ORIGIN 0.1.0.0.2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  vr.carenet-se.se.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  kr.carenet-se.se.
3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  hr.carenet-se.se.

APPENDIX C  /etc/bind/named.conf.local

// Closing "};" lines and the zone "type master;" statements were lost in the
// extracted listing; they are restored here so the file parses.
view "internal" {
    match-clients { vpn; };
    include "/etc/bind/zones.rfc1918";

    zone "carenet-se.se" {
        type master;
        file "/etc/bind/zones/internal/carenet-se.se.db";
        allow-query { vpn; };
    };
    zone "0.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/rev.0.168.192.in-addr.arpa";
        allow-query { kistanetwork; };
    };
    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
    };
    zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
    };
    zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
    };
    zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
    };
};

view "external" {
    match-clients { !vpn; all; };

    // prime the server with knowledge of the root servers
    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };
    zone "carenet-se.se" {
        type master;
        file "/etc/bind/zones/external/carenet-se.se.db";
        // also-notify { ssvl-ns; ssvl-ns2; gaia; };
        also-notify { 192.16.124.50; 192.16.125.100; 130.237.212.6; };
        // allow-transfer { ssvl-ns; ssvl-ns2; gaia; };
        allow-transfer { 192.16.124.50; 192.16.125.100; 130.237.212.6; };
        allow-query { any; };
    };
    zone "126.16.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/rev.126.16.192.in-addr.arpa";
        // also-notify { ssvl-ns; ssvl-ns2; gaia; };
        also-notify { 192.16.124.50; 192.16.125.100; 130.237.212.6; };
        // allow-transfer { ssvl-ns; ssvl-ns2; gaia; };
        allow-transfer { 192.16.124.50; 192.16.125.100; 130.237.212.6; };
        allow-query { any; };
    };
    zone "2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa" {
        type master;
        file "/etc/bind/zones/2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa";
        // also-notify { ssvl-ns; ssvl-ns2; gaia; };
        also-notify { 192.16.124.50; 192.16.125.100; 130.237.212.6; };
        // allow-transfer { ssvl-ns; ssvl-ns2; gaia; };
        allow-transfer { 192.16.124.50; 192.16.125.100; 130.237.212.6; };
        allow-query { any; };
    };
};