HW2

Router setting

Flush firewall rules & set a static IP

# Flush every rule in the iptables *filter* table. -F leaves the chain default
# policies (-P) untouched and does not touch the nat/mangle tables or ip6tables,
# so the resulting state is "whatever the default policies allow".
sudo iptables -F
# DHCP server configuration; the static address is presumably given here as a
# host reservation for the client — TODO confirm.
sudo vim /etc/dhcp/dhcpd.conf

Authoritative DNS Server

• IP: 192.168.14.53
• FQDN: ns1.14.nasa
  • Install packages
# named itself plus the admin tools used in the steps below (named-checkconf,
# named-checkzone, dnssec-keygen, dnssec-signzone) and dig.
sudo apt install -y bind9 bind9-utils bind9-dnsutils

bind man page

  • Setting /etc/bind/named.conf.options
options {
  // Authoritative-only server: answer anyone for the zones it serves, but
  // never recurse on a client's behalf (recursion no keeps it from being
  // usable as an open resolver / amplifier).
  allow-query { any; };
  recursion no;
  
  // Listen on every IPv4 address; IPv6 listening disabled.
  listen-on { any; };
  listen-on-v6 { none; };
};
  • Setting /etc/bind/named.conf.local
// Authoritative zones (type master is the older spelling of type primary).
// Each file is the unsigned zone source; once dnssec-signzone has run (DNSSEC
// section below) these file lines must be switched to the *.signed output,
// otherwise named keeps serving the unsigned data.
zone "14.nasa" {
    type master;
    file "/etc/bind/db.14.nasa";
};

zone "14.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.14.168.192";
};

zone "14.113.10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.14.113.10";
};

DNSSEC

docs

  • Generate keys & sign the zones
# Per zone: one ZSK (the default) and one KSK (-f KSK), both ECDSA P-256 /
# SHA-256 (DNSSEC algorithm 13). dnssec-keygen writes the key pair to the
# current directory unless -K is given, while the signing step below reads
# keys from /etc/bind/key — assumes these are run from /etc/bind/key (or add
# -K /etc/bind/key) — TODO confirm.
# The K*.private files are the zones' signing secrets: keep them readable by
# root/bind only and out of copied or committed notes.
sudo dnssec-keygen -a ECDSAP256SHA256 14.nasa
sudo dnssec-keygen -a ECDSAP256SHA256 -f KSK 14.nasa
sudo dnssec-keygen -a ECDSAP256SHA256 14.168.192.in-addr.arpa
sudo dnssec-keygen -a ECDSAP256SHA256 -f KSK 14.168.192.in-addr.arpa
sudo dnssec-keygen -a ECDSAP256SHA256 14.113.10.in-addr.arpa
sudo dnssec-keygen -a ECDSAP256SHA256 -f KSK 14.113.10.in-addr.arpa

# Sign each zone: -K key directory, -o zone origin, -S "smart" signing (keys
# are selected from the key directory by their metadata), -a verify the
# generated signatures afterwards, -t print statistics. Output is
# <zonefile>.signed next to the input (e.g. db.14.nasa.signed), which
# named.conf.local must then reference instead of the unsigned file.
sudo dnssec-signzone -a -K /etc/bind/key -o 14.nasa -S -t db.14.nasa
sudo dnssec-signzone -a -K /etc/bind/key -o 14.168.192.in-addr.arpa -S -t db.14.168.192
sudo dnssec-signzone -a -K /etc/bind/key -o 14.113.10.in-addr.arpa -S -t db.14.113.10
  • Set the zone files to the signed versions
# Switch each zone's `file` directive from the unsigned file to the signed
# output of dnssec-signzone; until this is done named still serves unsigned
# data even though the *.signed files exist.
vim named.conf.local
# file "/etc/bind/db.14.nasa.signed";
# file "/etc/bind/db.14.168.192.signed";
# file "/etc/bind/db.14.113.10.signed";
  • Setting named.conf.options
// Validation trust anchors. initial-key / initial-ds entries are RFC 5011
// managed anchors: named follows the root KSK rollover on its own. The
// static-key entries are NOT updated automatically and must be replaced by
// hand whenever that zone's KSK changes; the `~` lines look like placeholders
// to be filled with the parent zone's KSK (DNSKEY with flags 257), presumably
// taken from the dig DNSKEY queries below — confirm. Check the root anchors
// against IANA's published trust-anchor file before relying on them.
trust-anchors {
	. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=";
	. initial-ds 38696 8 2 "683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16";
        nasa. static-key ~
        168.192.in-addr.arpa. static-key ~
};

// `yes` validates using only the trust-anchors configured above (unlike
// `auto`, which uses BIND's built-in root key). Merge this into the existing
// options block — named.conf allows a single options statement. Validation
// only does anything on a server that recurses (the resolver); on the
// authoritative server with recursion no it is presumably inert — confirm
// which host this is applied to.
options {
    dnssec-validation yes;
};
  • DS records
# Print the DS record fields (key tag, algorithm, digest type, digest) from
# the dsset-* files dnssec-signzone wrote; $7$8 re-joins the digest, which is
# printed in two chunks. These are what the parent zones (nasa. and the
# reverse parents) must publish as DS RRs for the chain of trust to validate.
awk '{print $4, $5, $6, $7$8}' dsset-14.nasa.
awk '{print $4, $5, $6, $7$8}' dsset-14.168.192.in-addr.arpa.
awk '{print $4, $5, $6, $7$8}' dsset-14.113.10.in-addr.arpa.

# Fetch the parent zones' DNSKEY RRsets (+dnssec also returns the RRSIGs) from
# 192.168.254.3 — presumably the source of the static-key values above; make
# sure the key pasted as an anchor is the KSK (flags 257), not the ZSK (256).
dig @192.168.254.3 +dnssec nasa. DNSKEY
dig @192.168.254.3 +dnssec 168.192.in-addr.arpa. DNSKEY
  • Check config & restart bind9
# Syntax-check the config, then each zone file, before restarting. Note these
# checks still target the unsigned db.* files; once named.conf.local points at
# the *.signed files, run named-checkzone on those instead so the files that
# are actually loaded are the ones validated.
sudo named-checkconf
sudo named-checkzone 14.nasa /etc/bind/db.14.nasa
sudo named-checkzone 14.113.10.in-addr.arpa  /etc/bind/db.14.113.10
sudo named-checkzone 14.168.192.in-addr.arpa /etc/bind/db.14.168.192
sudo systemctl restart bind9

# Smoke test: ask the new authoritative server directly for its own NS name.
dig @192.168.14.53 ns1.14.nasa

Resolver

• IP: 192.168.14.153
• FQDN: dns.14.nasa
  • Setting /etc/bind/named.conf.options
// TLS identity used by the DoH/DoT listeners in options below. cert.key is
// the server's private key — keep it readable by the bind user only.
tls local-tls {
        key-file  "/etc/bind/key/cert.key";
        cert-file "/etc/bind/key/cert.pem";
};

// Recursive resolver. allow-query { any; } together with recursion yes makes
// this an open resolver for anyone who can route to it (amplification / abuse
// risk); restrict recursion to the local client networks with allow-query or
// allow-recursion. Upstream queries go to 1.1.1.1 in the clear — only the
// client-facing side is TLS/HTTPS. empty-zones-enable no stops named from
// answering RFC 1918 reverse lookups locally, presumably so that
// 168.192.in-addr.arpa queries reach the lab's own servers — confirm.
options {
    forwarders { 1.1.1.1; };
    
    empty-zones-enable no;
    allow-query { any; };
    recursion yes;
    
    // Plain DNS on all addresses, plus DoH (443) and DoT (853) via local-tls.
    listen-on { any; };
    listen-on port 443 tls local-tls http default { any; };
    listen-on port 853 tls local-tls { any; };
};

Root server

  • Setting config
# The root server holds no copy of these zones; it only forwards them (below).
sudo vim /etc/bind/named.conf.local

// Forward zones: queries for these names are sent to 192.168.254.3 rather
// than resolved iteratively. forward first means "try the forwarder, and fall
// back to normal resolution if it does not answer"; use forward only if the
// fallback is not wanted.
zone "nasa" {
    type forward;
    forward first;
    forwarders { 192.168.254.3; };
};

zone "168.192.in-addr.arpa" {
    type forward;
    forward first;
    forwarders { 192.168.254.3; };
};

zone "113.10.in-addr.arpa" {
    type forward;
    forward first;
    forwarders { 192.168.254.3; };
};