ISC dynamic DNS Workshop

1 Dynamic DNS workshop

The virtual machines have a domain name in the form ddnsXXX.dnslab.org.

Please log in to the machines with a modern web browser at the URL https://ddnsXXX.dnslab.org:9090, with the username user and the password DNSandBIND. You can also log in with SSH using the same username and password.

The virtual machines run the cockpit tool (https://cockpit-project.org) to provide a terminal in the web browser.

Then select the terminal (last menu option on the left) and start the tutorial.

1.1 Virtual machines

Every participant has a VM number. Please replace the XXX in the instructions with your participant number from the table below:

VM-Nr. Name

1.2 Basic Installation

  • The authoritative DNS server runs BIND 9.11.20 ESV (Red Hat EL 8)
  • The BIND 9 configuration file is /etc/named.conf
  • The logging configuration for the authoritative DNS server from Webinar 1/2021 has been applied
  • The log files can be found in /var/named
  • For the sessions you need to become the user root with the sudo command, for example with sudo -s

2 Session 1 - Making a static zone dynamic

  • The DNS server has one zone configured with the name myddnsXXX.dnslab.org. This zone has only one authoritative server.
  • Goal: turn the static zone into a dynamic zone

2.1 Making the zone dynamic

  • Inspect the zone file /var/named/dynamic/myddnsXXX.dnslab.org and create a backup copy of it
  • Open the BIND 9 configuration file /etc/named.conf in your favourite editor (vi, nano, emacs)
  • Find the zone configuration at the end of the file
  • Add the line allow-update { localhost; }; to the zone block. This marks the zone as dynamic and lets the server accept dynamic updates, here only from its own addresses (the built-in localhost ACL)
  • Check the new BIND 9 configuration with named-checkconf -z
  • Reload the new configuration in the BIND 9 server with rndc reload

2.2 Sending an update

  • Start the nsupdate tool
  • Enter the default TTL and the update line, then show and send the update and print the server's answer:
> ttl 60
> update add www.myddnsXXX.dnslab.org IN A 1.2.3.4
> show
> send
> answer
> quit

2.3 Inspect the log files

  • Check the file /var/named/update.log for update log messages
# tail /var/named/update.log
19-May-2021 10:09:02.549 info: client @0x7f5cdc039c20 2604:a880:400:d0::18b1:b001#36896: updating zone 'myddnsXXX.dnslab.org/IN': adding an RR at 'www.myddnsXXX.dnslab.org' A 1.2.3.4
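Added here as an example (not part of the workshop material): a small Python audit that parses update.log lines in the format shown above and flags updates from clients outside the server's own addresses or in zones not meant to be dynamic. The first sample line is the one from the workshop; the other two lines, the "deleting rrset" wording and the SERVER_ADDRESSES list are constructed assumptions.

```python
import ipaddress
import re

# Matches the "updating zone" lines BIND 9.11 writes for each accepted update, in the
# format shown above; the "@0x..." client pointer is optional because not all versions log it.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} [\d:.]+) (?P<level>\w+): client (?:@0x[0-9a-f]+ )?"
    r"(?P<addr>[0-9A-Fa-f.:]+)#(?P<port>\d+): updating zone '(?P<zone>[^'/]+)/(?P<cls>\w+)': "
    r"(?P<action>adding an RR|deleting an RR|deleting rrset) at '(?P<name>[^']+)'\s*(?P<rest>.*)$"
)

def parse_update_line(line: str):
    """Return a dict for an 'updating zone' log line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": m["ts"], "client": m["addr"], "zone": m["zone"],
            "action": m["action"], "name": m["name"], "rdata": m["rest"]}

def audit_updates(lines, allowed_clients, dynamic_zones):
    """Flag accepted updates that came from a client outside allowed_clients (CIDR strings)
    or that touched a zone we do not expect to be dynamic. Returns (reason, update) pairs."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_clients]
    findings = []
    for line in lines:
        u = parse_update_line(line)
        if u is None:
            continue
        src = ipaddress.ip_address(u["client"])
        if not any(src in n for n in nets):
            findings.append(("unexpected client", u))
        elif u["zone"] not in dynamic_zones:
            findings.append(("unexpected zone", u))
    return findings

# Constructed sample: the workshop's own log line, a second update from an address that is
# not one of the server's own, and an unrelated line that the parser must skip.
SAMPLE_LOG = [
    "19-May-2021 10:09:02.549 info: client @0x7f5cdc039c20 2604:a880:400:d0::18b1:b001#36896: "
    "updating zone 'myddnsXXX.dnslab.org/IN': adding an RR at 'www.myddnsXXX.dnslab.org' A 1.2.3.4",
    "19-May-2021 10:31:44.102 info: client @0x7f5cdc03a1f0 198.51.100.7#52011: "
    "updating zone 'myddnsXXX.dnslab.org/IN': deleting rrset at 'myddnsXXX.dnslab.org' MX",
    "19-May-2021 10:31:44.103 info: zone myddnsXXX.dnslab.org/IN: sending notifies (serial 1004)",
]
# Assumed: with allow-update { localhost; } only the server's own addresses may update the zone.
SERVER_ADDRESSES = ["127.0.0.0/8", "::1/128", "2604:a880:400:d0::18b1:b001/128"]

if __name__ == "__main__":
    for reason, u in audit_updates(SAMPLE_LOG, SERVER_ADDRESSES, {"myddnsXXX.dnslab.org"}):
        print(f"{u['ts']} {reason}: {u['client']} {u['action']} {u['name']} {u['rdata']}")
```

Run against the real file with a list of your server's interface addresses; any finding is an update that the allow-update ACL should not have let through.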

2.4 Query the new entry

  • Send a DNS query for the new entry
# dig www.myddnsXXX.dnslab.org a

; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> www.myddnsXXX.dnslab.org a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25939
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.myddnsXXX.dnslab.org.      IN      A

;; ANSWER SECTION:
www.myddnsXXX.dnslab.org. 60    IN      A       1.2.3.4

;; Query time: 645 msec
;; SERVER: 67.207.67.3#53(67.207.67.3)
;; WHEN: Wed May 19 10:12:58 UTC 2021
;; MSG SIZE  rcvd: 69

2.5 Inspect the updated zone file

  • BIND 9 writes the new zone content back into the zone file after around 15 minutes. Committing all changes to the zone files can be forced with rndc sync.
  • You will find the new (binary) journal file in the same directory as the zone file
  • Force the zone file to be updated with rndc sync
  • Inspect the new zone file /var/named/dynamic/myddnsXXX.dnslab.org and compare it with the original file (the backup copy)
  • Find the new IPv4 address record in the zone file

3 Session 2 - Sending scripted dynamic updates

  • Create a text file dns-update.txt with the following content on the VM (replacing the XXX with your VM number)
TTL 60
add info.myddnsXXX.dnslab.org  IN TXT "This is informal"
add www.myddnsXXX.dnslab.org   IN AAAA 2001:db8::1
add mail.myddnsXXX.dnslab.org  IN A 192.0.2.25
add myddnsXXX.dnslab.org       IN MX 10 mail.myddnsXXX.dnslab.org
send
answer
quit
  • Execute the updates from the file
nsupdate dns-update.txt
  • Check that the new records are in the zone (by sending DNS queries for them or by inspecting the zone file after issuing rndc sync)
  • Check the new SOA serial number; it should have been incremented

4 Session 3 - Inspecting the journal file

  • Find the journal file for the zone myddnsXXX.dnslab.org in /var/named/dynamic
  • Print the content of the journal file and try to match it with the updates you've sent to the zone in Session 1 and Session 2
# named-journalprint /var/named/dynamic/myddnsXXX.dnslab.org.jnl
del myddnsXXX.dnslab.org.       60      IN      SOA     ddnsXXX.dnslab.org. hostmaster.myddnsXXX.dnslab.org. 1001 3600 1200 3542400 60
add myddnsXXX.dnslab.org.       60      IN      SOA     ddnsXXX.dnslab.org. hostmaster.myddnsXXX.dnslab.org. 1002 3600 1200 3542400 60
add www.myddnsXXX.dnslab.org. 60        IN      A       1.2.3.4
del myddnsXXX.dnslab.org.       60      IN      SOA     ddnsXXX.dnslab.org. hostmaster.myddnsXXX.dnslab.org. 1002 3600 1200 3542400 60
add myddnsXXX.dnslab.org.       60      IN      SOA     ddnsXXX.dnslab.org. hostmaster.myddnsXXX.dnslab.org. 1003 3600 1200 3542400 60
add mail.myddnsXXX.dnslab.org. 60       IN      A       192.0.2.25
add myddnsXXX.dnslab.org.       60      IN      MX      10 mail.myddnsXXX.dnslab.org.
add info.myddnsXXX.dnslab.org. 60       IN      TXT     "This is informal"
add www.myddnsXXX.dnslab.org. 60        IN      AAAA    2001:db8::1

5 Session 4 - Removing DNS entries from a dynamic zone

  • Start nsupdate
  • Remove the MX resource record and the record for info
> update delete info.myddnsXXX.dnslab.org
> update delete myddnsXXX.dnslab.org MX
> send
> answer
> quit

6 Session 5 - Inspecting an incremental zone transfer

  • Get the current SOA serial number of your zone using dig
dig soa myddnsXXX.dnslab.org
  • Send a query for an incremental zone transfer (IXFR) to the authoritative server for the zone myddnsXXX.dnslab.org using the initial SOA serial. This prints all changes from the initial zone version to the current version.
dig @ddnsXXX.dnslab.org myddnsXXX.dnslab.org IXFR=1001
  • Inspect the output of the incremental zone transfer
  • Try other incremental zone transfers with SOA serial numbers between 1001 and the current SOA serial
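The journal print-out of Session 3 and the incremental zone transfer of Session 5 share one structure: every transaction is bounded by the old SOA it deletes and the new SOA it adds. The following Python, added here and not part of the workshop, parses named-journalprint output into such transactions, checks that the SOA serial advances and chains from one transaction to the next (using RFC 1982 serial arithmetic, so a wrapped serial is still seen as an increase), and lists which transactions an IXFR=<serial> request would replay. The sample is the Session 3 journal content, re-spaced.

```python
def serial_gt(new: int, old: int) -> bool:
    """RFC 1982: 'new' is later than 'old' if it is < 2^31 ahead modulo 2^32 (wrap-safe)."""
    return 0 < (new - old) % (1 << 32) < (1 << 31)

def parse_journal(text: str) -> list:
    """Split named-journalprint output into transactions. One starts with 'del <zone> SOA
    <old serial>'; its 'add <zone> SOA <new serial>' separates deleted from added records."""
    txns, cur, phase = [], None, "deleted"
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("add", "del"):
            continue                                  # not a record line
        op, owner, rtype, rdata = parts[0], parts[1], parts[4], " ".join(parts[5:])
        if rtype == "SOA":
            serial = int(rdata.split()[2])            # mname rname SERIAL refresh retry expire min
            if op == "del":
                cur, phase = {"old": serial, "new": None, "deleted": [], "added": []}, "deleted"
                txns.append(cur)
            elif cur is None or cur["new"] is not None:
                raise ValueError("SOA add without a preceding SOA del")
            else:
                cur["new"], phase = serial, "added"
        elif cur is None:
            raise ValueError("record outside a transaction")
        else:
            cur[phase].append((owner, rtype, rdata))  # (owner, type, rdata)
    return txns

def check_serials(txns: list) -> list:
    """Each transaction must advance the serial and start where the previous one ended."""
    bad = [f"txn {i}: {t['old']} -> {t['new']} does not advance"
           for i, t in enumerate(txns) if t["new"] is None or not serial_gt(t["new"], t["old"])]
    bad += [f"txn {i}: gap between {txns[i - 1]['new']} and {t['old']}"
            for i, t in enumerate(txns) if i and txns[i - 1]["new"] != t["old"]]
    return bad

def changes_since(txns: list, serial: int) -> list:
    """Transactions an IXFR=<serial> request replays: those starting at or after <serial>."""
    return [t for t in txns if t["old"] == serial or serial_gt(t["old"], serial)]

SAMPLE_JOURNAL = """\
del myddnsXXX.dnslab.org. 60 IN SOA ddnsXXX.dnslab.org. hostmaster.myddnsXXX.dnslab.org. 1001 3600 1200 3542400 60
add myddnsXXX.dnslab.org. 60 IN SOA ddnsXXX.dnslab.org. hostmaster.myddnsXXX.dnslab.org. 1002 3600 1200 3542400 60
add www.myddnsXXX.dnslab.org. 60 IN A 1.2.3.4
del myddnsXXX.dnslab.org. 60 IN SOA ddnsXXX.dnslab.org. hostmaster.myddnsXXX.dnslab.org. 1002 3600 1200 3542400 60
add myddnsXXX.dnslab.org. 60 IN SOA ddnsXXX.dnslab.org. hostmaster.myddnsXXX.dnslab.org. 1003 3600 1200 3542400 60
add mail.myddnsXXX.dnslab.org. 60 IN A 192.0.2.25
add myddnsXXX.dnslab.org. 60 IN MX 10 mail.myddnsXXX.dnslab.org.
add info.myddnsXXX.dnslab.org. 60 IN TXT "This is informal"
add www.myddnsXXX.dnslab.org. 60 IN AAAA 2001:db8::1
"""  # constructed sample: the two transactions printed in Session 3
```

Feed it the output of named-journalprint for your zone; changes_since(txns, 1001) should list exactly what dig ... IXFR=1001 returns, and check_serials should come back empty.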

6.1 FIN

  • Please "raise your hand" in the Zoom meeting to indicate that you are done with the workshop part, so that the host gets feedback and knows when to continue
  • Questions can be asked in the chat or at the end of the workshop part