ISC dynamic DNS Workshop, Part 2

1 Dynamic DNS workshop

The virtual machines have a domain name in the form ddnsXXX.dnslab.org.

Please log in to the machines with a modern web browser at the URL https://ddnsXXX.dnslab.org:9090 with the username user and the password DNSandBIND. You can also log in with SSH using the same username and password.

The virtual machines run the cockpit tool (https://cockpit-project.org) to provide a terminal in the web browser.

Then select the terminal (last menu option on the left) and start the tutorial.

1.1 Virtual machines

Every participant has a VM number. Please replace the XXX in the instructions with your participant number from the table below:

VM-Nr. Name

1.2 Basic Installation

  • The authoritative DNS server runs BIND 9.11.20 ESV (Red Hat EL 8)
  • The BIND 9 configuration file can be found in /etc/named.conf
  • The logging configuration for an authoritative DNS server from webinar 1/2021 has been applied
  • The log files can be found in /var/named
  • For the sessions you need to become the user root with the sudo command, for example with sudo -s

2 Session 1 - Securing a dynamic zone with TSIG

  • The DNS server has one dynamic zone configured with the name myddnsXXX.dnslab.org. This zone has only one authoritative server. The zone is currently secured only with an IP address ACL.
  • Goal: securing the dynamic zone with TSIG

2.1 Making the zone dynamic

  • Create a TSIG key with the name of the zone myddnsXXX.dnslab.org and redirect the output in a file:
tsig-keygen myddnsXXX.dnslab.org > /var/named/myddnsXXX.dnslab.org.tsig.key
  • View the created TSIG key in the file
cat /var/named/myddnsXXX.dnslab.org.tsig.key
  • Open the BIND 9 configuration file /etc/named.conf in your favorite editor (vi, nano, emacs)
  • Import the TSIG key file at the very beginning of the BIND 9 configuration file:
include "/var/named/myddnsXXX.dnslab.org.tsig.key";

options {
   [...]
  • Find the zone configuration at the end of the file
  • change the line allow-update { localhost; }; in the zone block to use TSIG key authentication
zone "myddnsXXX.dnslab.org." {
   file "dynamic/myddns.dnslab.org";
   allow-update { key myddnsXXX.dnslab.org; };
   type master;
};
  • check the new BIND 9 configuration with named-checkconf -z
  • reload the new configuration in the BIND 9 server with rndc reload

2.2 Sending an update

  • Start the nsupdate tool with the TSIG key
nsupdate -k /var/named/myddnsXXX.dnslab.org.tsig.key
  • Enter the default TTL and the update line
> ttl 60
> update add www.myddnsXXX.dnslab.org IN A 1.2.3.4
> show
> send
> answer
> quit

2.3 Inspect the log files

  • check the file /var/named/update.log for update log messages
# tail /var/named/update.log
15-Jun-2021 09:55:06.131 info: client @0x7f6970039c20 2604:a880:400:d0::1a94:4001#42355/key myddnsXXX.dnslab.org: signer "myddnsXXX.dnslab.org" approved
15-Jun-2021 09:55:06.131 info: client @0x7f6970039c20 2604:a880:400:d0::1a94:4001#42355/key myddnsXXX.dnslab.org: updating zone 'myddnsXXX.dnslab.org/IN': 
   adding an RR at 'www.myddnsXXX.dnslab.org' A 1.2.3.4

2.4 Query the new entry

  • Send a DNS query for the new entry
# dig www.myddnsXXX.dnslab.org a

; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> www.myddnsXXX.dnslab.org a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25939
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.myddns002.dnslab.org.      IN      A

;; ANSWER SECTION:
www.myddnsXXX.dnslab.org. 60    IN      A       1.2.3.4

;; Query time: 645 msec
;; SERVER: 67.207.67.3#53(67.207.67.3)
;; WHEN: Wed May 19 10:12:58 UTC 2021
;; MSG SIZE  rcvd: 69

2.5 Inspect the updated zone file

  • BIND 9 will write the new zone content back into the zone file after around 15 minutes. Committing all changes into the zone files can be forced with rndc sync.
  • You will find the new (binary) journal file in the same directory as the zone file
  • Force the zone file to be updated with rndc sync
  • Inspect the new zone file /var/named/dynamic/myddnsXXX.dnslab.org and compare with the original file (the backup copy)
  • Find the new IPv4 Address record in the zone file

3 Session 2 - Securing an authentication token TXT record with update-policy

  • The marketing department is using an external application to track dead links on the company web page. This external application requires an authentication token in the DNS domain. The token is stored in a TXT record at deadlinkapp. We want to enable the colleagues from the marketing department to change the authentication token whenever required while protecting the integrity of the rest of the zone.
  • Create a new TSIG key for marketing:
tsig-keygen marketing.dnslab.org > /var/named/marketing.dnslab.org.tsig.key
  • View the created TSIG key in the file
cat /var/named/marketing.dnslab.org.tsig.key
  • Open the BIND 9 configuration file /etc/named.conf in your favorite editor (vi, nano, emacs)
  • Import the TSIG key file at the very beginning of the BIND 9 configuration file:
include "/var/named/marketing.dnslab.org.tsig.key";
include "/var/named/myddnsXXX.dnslab.org.tsig.key";

options {
   [...]
  • Find the zone configuration at the end of the file
  • remove the line allow-update { key myddnsXXX.dnslab.org; }; in the zone block and replace it with an update-policy statement containing two grant rules
    • the first grant rule allows the key myddnsXXX.dnslab.org to change the whole zone (DNS administration team)
    • the second grant rule allows the key marketing.dnslab.org to change only the authentication token at deadlinkapp.myddnsXXX.dnslab.org
zone "myddnsXXX.dnslab.org." {
   file "dynamic/myddns.dnslab.org";
   update-policy {
          grant myddnsXXX.dnslab.org zonesub ANY;
          grant marketing.dnslab.org name deadlinkapp.myddnsXXX.dnslab.org TXT;
   };
   type master;
};
  • check the new BIND 9 configuration with named-checkconf -z
  • reload the new configuration in the BIND 9 server with rndc reload

3.1 Sending an update

  • First we check if we can still make changes to the zone
  • Start the nsupdate tool with the DNS administration TSIG key
nsupdate -k /var/named/myddnsXXX.dnslab.org.tsig.key
  • Enter the default TTL and the update line
> ttl 60
> update add www.myddnsXXX.dnslab.org IN AAAA 2001:db8::1
> show
> send
> answer
> quit
  • Next we add the authentication token using the marketing TSIG key
  • Start the nsupdate tool with the marketing TSIG key
nsupdate -k /var/named/marketing.dnslab.org.tsig.key
  • Enter the default TTL and the update line
> ttl 60
> update add deadlinkapp.myddnsXXX.dnslab.org IN TXT "sec=1234567"
> show
> send
> answer
> quit
  • Check that the marketing key cannot make other changes to the zone
  • Start the nsupdate tool with the marketing TSIG key
nsupdate -k /var/named/marketing.dnslab.org.tsig.key
  • Enter the update line (a delete needs no TTL)
> update del www.myddnsXXX.dnslab.org
> send
> answer
> quit
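The marketing use case above comes down to replacing one TXT record without touching anything else. The following shell script is an added example, not part of the workshop material: it builds a single nsupdate transaction that deletes the old token RRset and adds the new one, so the record is never absent between the two operations (RFC 2136 applies all prerequisites and updates of one message atomically), and it rejects token values that would break out of the quoted TXT string or the line-oriented nsupdate input. The record name, key path and TTL are the lab's; the function names and the allowed token character set are assumptions.

```shell
#!/bin/sh
# Added example (not from the workshop): rotate the marketing
# authentication token in one signed nsupdate transaction.

TOKEN_NAME="deadlinkapp.myddnsXXX.dnslab.org"        # the only name the marketing key may change
MARKETING_KEY="/var/named/marketing.dnslab.org.tsig.key"
TOKEN_TTL=60

# Accept only tokens that fit in one TXT character-string (1..255 bytes)
# and contain no quotes, backslashes or whitespace, so they can neither
# terminate the quoted string nor inject a second nsupdate command.
# The character set is an assumption of this example.
valid_token() {
    t=$1
    [ -n "$t" ] && [ "${#t}" -le 255 ] || return 1
    case $t in
        *[!A-Za-z0-9_=.:-]*) return 1 ;;
    esac
    return 0
}

# Print the nsupdate batch for a rotation. "update delete NAME TXT"
# removes every TXT record at the name, "update add" installs the new
# value; both travel in the same UPDATE message, so the zone never lacks
# a token and the serial increments once.
token_update_batch() {
    name=$1
    token=$2
    valid_token "$token" || { echo "token_update_batch: invalid token" >&2; return 1; }
    printf 'ttl %s\n' "$TOKEN_TTL"
    printf 'update delete %s TXT\n' "$name"
    printf 'update add %s IN TXT "%s"\n' "$name" "$token"
    printf 'send\n'
}

# Sign and send the transaction with the marketing key. Because of the
# update-policy grant, any other name or type would come back REFUSED.
rotate_token() {
    token_update_batch "$TOKEN_NAME" "$1" | nsupdate -k "$MARKETING_KEY"
}

# Offline demonstration: show the batch that would be sent.
token_update_batch "$TOKEN_NAME" "sec=7654321"
```

On a lab machine, `rotate_token sec=7654321` sends the batch; nsupdate exits non-zero when the server refuses the update, which is what you would see if the batch were signed with the marketing key but addressed a name outside its grant.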

3.2 Inspect the log files

  • check the file /var/named/update.log for update log messages
# tail /var/named/update.log
15-Jun-2021 10:23:59.307 info: client @0x7f6970039c20 2604:a880:400:d0::1a94:4001#56694/key marketing.dnslab.org: updating zone 'myddnsXXX.dnslab.org/IN': 
   adding an RR at 'deadlinkapp.myddnsXXX.dnslab.org' TXT "sec=1234567"
15-Jun-2021 10:25:56.861 info: client @0x7f6970039c20 2604:a880:400:d0::1a94:4001#53366/key marketing.dnslab.org: updating zone 'myddnsXXX.dnslab.org/IN': 
   update failed: rejected by secure update (REFUSED)
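The update logs in 2.3 and 3.2 share one format, so a single parser serves both sessions. As an added example that is not part of the handout, the shell script below summarises update.log by TSIG key, counting applied record changes and update-policy rejections, and lists the keys that were refused at least once (a signed client trying to change something outside its grant is the event worth looking at). The sample lines are constructed in the format shown above; real entries are one line each, the handout wraps them. The function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the workshop): summarise BIND update.log per
# TSIG key and flag keys that were rejected by the update-policy.

# Constructed sample lines in the handout's update.log format.
sample_update_log() {
    cat <<'EOF'
15-Jun-2021 09:55:06.131 info: client @0x7f6970039c20 2604:a880:400:d0::1a94:4001#42355/key myddnsXXX.dnslab.org: signer "myddnsXXX.dnslab.org" approved
15-Jun-2021 09:55:06.131 info: client @0x7f6970039c20 2604:a880:400:d0::1a94:4001#42355/key myddnsXXX.dnslab.org: updating zone 'myddnsXXX.dnslab.org/IN': adding an RR at 'www.myddnsXXX.dnslab.org' A 1.2.3.4
15-Jun-2021 10:23:59.307 info: client @0x7f6970039c20 2604:a880:400:d0::1a94:4001#56694/key marketing.dnslab.org: updating zone 'myddnsXXX.dnslab.org/IN': adding an RR at 'deadlinkapp.myddnsXXX.dnslab.org' TXT "sec=1234567"
15-Jun-2021 10:25:56.861 info: client @0x7f6970039c20 2604:a880:400:d0::1a94:4001#53366/key marketing.dnslab.org: updating zone 'myddnsXXX.dnslab.org/IN': update failed: rejected by secure update (REFUSED)
15-Jun-2021 10:25:58.102 info: client @0x7f6970039c20 2604:a880:400:d0::1a94:4001#53367/key marketing.dnslab.org: updating zone 'myddnsXXX.dnslab.org/IN': update failed: rejected by secure update (REFUSED)
EOF
}

# Read update.log lines on stdin and print one line per key:
#   <key>\tchanges=<applied RR changes>\trefused=<policy rejections>
# Lines that carry no "/key NAME:" part are attributed to "(unsigned)".
update_log_summary() {
    awk '
        {
            key = "(unsigned)"
            if (match($0, /\/key [^:]+:/))
                key = substr($0, RSTART + 5, RLENGTH - 6)   # strip "/key " and ":"
            if (!(key in seen)) { seen[key] = 1; changes[key] = 0; refused[key] = 0 }
            if ($0 ~ /(adding an RR|deleting (an RR|rrset)) at/)
                changes[key]++
            else if ($0 ~ /rejected by secure update \(REFUSED\)/)
                refused[key]++
        }
        END {
            for (k in seen)
                printf "%s\tchanges=%d\trefused=%d\n", k, changes[k], refused[k]
        }' | sort
}

# From the summary, print the keys with at least one rejection.
refused_keys() {
    awk -F'\t' '{ split($3, r, "="); if (r[2] > 0) print $1 }'
}

# Offline demonstration on the constructed sample.
sample_update_log | update_log_summary
sample_update_log | update_log_summary | refused_keys
```

On a lab machine, `update_log_summary < /var/named/update.log` gives the per-key picture, and `refused_keys` on that output is the list to investigate; a key that is refused repeatedly either belongs to a misconfigured client or is being used outside its intended scope.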

3.3 Query the new entry

  • Send a DNS query for the new entry
# dig deadlinkapp.myddnsXXX.dnslab.org TXT

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> deadlinkapp.myddnsXXX.dnslab.org TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17832
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;deadlinkapp.myddnsXXX.dnslab.org. IN   TXT

;; ANSWER SECTION:
deadlinkapp.myddnsXXX.dnslab.org. 60 IN TXT     "sec=1234567"

;; Query time: 629 msec
;; SERVER: 67.207.67.3#53(67.207.67.3)
;; WHEN: Tue Jun 15 10:27:26 UTC 2021
;; MSG SIZE  rcvd: 85

4 Session 3 - Catalog zones

  • The trainer has prepared a primary DNS server that hosts a catalog zone with the name catalog.ddns.dnslab.org. At the beginning of the session this catalog zone only contains the required SOA and one NS record.
  • This catalog zone on the primary is a dynamic zone that can be updated with the TSIG key catalog below:
key "catalog" {
        algorithm hmac-sha256;
        secret "usvUglF25JkOB0OnbEooX14wx0lnJmjnDiIxgTWzaoA=";
};
  • The BIND 9 configuration file named.conf on the primary server
include "/var/named/catalog.tsig.key";

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";

        recursion no;
        dnssec-enable yes;
        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

zone "catalog.ddns.dnslab.org" {
     type master;
     file "catalog.ddns.dnslab.org";
     update-policy { grant catalog zonesub PTR A AAAA APL NS; };
};
  • The original content of the catalog zone file:
$TTL 60
@                        IN SOA catalogdns.dnslab.org. hostmaster 1001 1h 4h 41d 30m
catalog.ddns.dnslab.org. IN NS  catalogdns.dnslab.org.
version                  IN TXT "1"

4.1 Configure the lab server as a secondary for the catalog zone

  • add the catalog zone as a secondary zone to your BIND 9 server; use masterfile-format text; in the zone block of the secondary zone (so that you can view the zone file on disk).
zone "catalog.ddns.dnslab.org" {
  type slave;
  file "catalog.ddns.dnslab.org";
  masterfile-format text;
  masters { 68.183.217.122; 2a03:b0c0:3:d0::13bb:d001; };
};
  • save and check the configuration, reload the BIND 9 server configuration
  • check the transfer.log for a successful zone transfer
# tail /var/named/transfer.log 
15-Jun-2021 11:33:20.498 info: transfer of 'catalog.ddns.dnslab.org/IN' from 68.183.217.122#53: connected using 64.227.31.190#55255
15-Jun-2021 11:33:20.582 info: transfer of 'catalog.ddns.dnslab.org/IN' from 68.183.217.122#53: Transfer status: success
15-Jun-2021 11:33:20.582 info: transfer of 'catalog.ddns.dnslab.org/IN' from 68.183.217.122#53: Transfer completed: 1 messages, 4 records, 171 bytes, 0.084 secs (2035 bytes/sec)

4.2 Register the catalog zone

  • register the new zone catalog.ddns.dnslab.org as a catalog zone in the secondary server options block. Find the IPv6 and IPv4 address of the primary server for catalog.ddns.dnslab.org and enter the addresses into the default-masters clause:
options {
   [...]
   allow-new-zones yes;
   catalog-zones {
      zone "catalog.ddns.dnslab.org" in-memory yes
      default-masters {
           <IPv4-address of your primary server>;
           <IPv6-address of your primary server>;
      };
   };
};
  • check the configuration and reload the secondary server
  • use an editor to save the content of the TSIG key catalog (above) into the file /var/named/catalog.tsig.key. This is the key that can update the catalog zone on the primary server.
  • use nsupdate to add your DNS server as an authoritative DNS server to the catalog zone (so that your server will receive NOTIFY messages on zone changes):
# nsupdate -k /var/named/catalog.tsig.key
> ttl 60
> add catalog.ddns.dnslab.org. IN NS ddnsXXX.dnslab.org.
> send
> quit
  • check the file /var/named/transfer.log for a successful NOTIFY and zone transfer:
# tail /var/named/transfer.log
15-Jun-2021 11:42:43.318 info: client @0x7f69700bfef0 68.183.217.122#51330: received notify for zone 'catalog.ddns.dnslab.org'
15-Jun-2021 11:42:43.496 info: transfer of 'catalog.ddns.dnslab.org/IN' from 68.183.217.122#53: connected using 64.227.31.190#60161
15-Jun-2021 11:42:43.582 info: transfer of 'catalog.ddns.dnslab.org/IN' from 68.183.217.122#53: Transfer status: success
15-Jun-2021 11:42:43.582 info: transfer of 'catalog.ddns.dnslab.org/IN' from 68.183.217.122#53: Transfer completed: 1 messages, 5 records, 229 bytes, 0.086 secs (2662 bytes/sec)

4.3 Creating a new secondary zone via the catalog zone

  • The primary server contains zones for each lab participant. The zones are named newzoneXXX.ddns.dnslab.org.
  • Use nsupdate to add a PTR record for your newzoneXXX to the catalog zone on the remote primary server. As we have configured the primary server as the default server for zone transfers, the new version of the catalog zone should be transferred almost immediately, triggering the creation of the new zone on the secondary:
# nsupdate -k /var/named/catalog.tsig.key
> ttl 60
> add newXXX.zones.catalog.ddns.dnslab.org. IN PTR newzoneXXX.ddns.dnslab.org
> send
> quit
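The catalog zone is an ordinary zone whose PTR records under zones.<catalog> name the member zones, which is what the nsupdate steps in 4.2 and 4.3 manipulate by hand. The shell script below is an added example and not part of the workshop: it lists the member zones from a text copy of the catalog zone (handling $ORIGIN directives and omitted owner names as a masterfile-format text dump uses them), and it builds the nsupdate batch that registers a new member, using as the unique label the SHA-1 of the member zone's wire-format name, the convention from the original catalog-zones draft (any unique label works, the lab's newXXX included). The catalog name and key path come from the lab; the sample zone file content and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the workshop): inspect a catalog zone and
# generate the nsupdate batch that adds a member zone to it.

# Constructed text copy of the catalog zone after two members were added,
# in the $ORIGIN/relative-name style of a masterfile-format text dump.
sample_catalog() {
    cat <<'EOF'
$TTL 60
catalog.ddns.dnslab.org. IN SOA catalogdns.dnslab.org. hostmaster.catalog.ddns.dnslab.org. (
                         1005 ; serial
                         3600 14400 3542400 1800 )
                         NS   catalogdns.dnslab.org.
                         NS   ddnsXXX.dnslab.org.
$ORIGIN catalog.ddns.dnslab.org.
version                  TXT  "1"
$ORIGIN zones.catalog.ddns.dnslab.org.
new002                   PTR  newzone002.ddns.dnslab.org.
new017                   PTR  newzone017.ddns.dnslab.org.
EOF
}

# catalog_members CATALOG   (zone file text on stdin)
# Prints the target of every PTR record whose owner lies under
# zones.CATALOG., i.e. the zones the secondary is expected to serve.
catalog_members() {
    awk -v apex="$1." '
        function fq(n) {                         # make a name fully qualified
            if (n ~ /\.$/) return n
            return (origin == ".") ? (n ".") : (n "." origin)
        }
        BEGIN { origin = "."; suffix = ".zones." apex }
        { sub(/;.*/, "") }                       # drop comments
        /^[[:space:]]*$/ { next }
        /^\$ORIGIN/ { origin = $2; next }
        /^\$/ { next }                           # other directives ($TTL ...)
        {
            if ($0 ~ /^[[:space:]]/) owner = last    # owner omitted: reuse previous
            else { owner = fq($1); last = owner }
            for (i = 1; i < NF; i++)
                if ($i == "PTR" && substr(owner, length(owner) - length(suffix) + 1) == suffix)
                    print fq($(i + 1))
        }'
}

# Wire-format hex of a DNS name: each label as <length><bytes>, then 0x00.
dns_wire_hex() {
    name=${1%.}
    hex=""
    oldifs=$IFS; IFS='.'
    set -f                                       # no globbing while splitting on "."
    for label in $name; do
        hex="$hex$(printf '%02x' "${#label}")$(printf '%s' "$label" | od -An -tx1 | tr -d ' \t\n')"
    done
    set +f
    IFS=$oldifs
    printf '%s00\n' "$hex"
}

# SHA-1 (hex) of the bytes encoded by a hex string; bytes are emitted
# with POSIX octal escapes so this runs in plain sh.
sha1_of_hex() {
    h=$1
    [ $(( ${#h} % 2 )) -eq 0 ] || return 1
    {
        while [ -n "$h" ]; do
            byte=${h%"${h#??}"}                  # first two hex digits
            h=${h#??}
            printf "\\$(printf '%03o' "0x$byte")"
        done
    } | if command -v sha1sum >/dev/null 2>&1; then sha1sum; else shasum -a 1; fi | cut -d' ' -f1
}

# Conventional catalog label: SHA-1 of the member zone's wire-format name.
catalog_label() {
    sha1_of_hex "$(dns_wire_hex "$1")"
}

# Print the nsupdate batch that registers MEMBER in CATALOG; pipe it into
# nsupdate -k /var/named/catalog.tsig.key on a lab machine.
catalog_add_batch() {
    catalog=${1%.}
    member=${2%.}
    printf 'ttl 60\n'
    printf 'update add %s.zones.%s. IN PTR %s.\n' "$(catalog_label "$member")" "$catalog" "$member"
    printf 'send\n'
}

# Offline demonstration on the constructed sample.
sample_catalog | catalog_members catalog.ddns.dnslab.org
catalog_add_batch catalog.ddns.dnslab.org newzone017.ddns.dnslab.org
```

Running `catalog_members` over the secondary's on-disk copy (the zone block in 4.1 uses masterfile-format text) and comparing the result with `rndc zonestatus` output for each member is a quick way to confirm that every zone the catalog announces has actually been created and transferred.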
  • In the transfer log file we should first see the new version of the catalog zone being transferred, followed by the transfer of the newly created newzoneXXX zone
# tail -f /var/named/transfer.log
15-Jun-2021 12:00:37.235 info: client @0x7f69700bfef0 68.183.217.122#49652: received notify for zone 'catalog.ddns.dnslab.org'
15-Jun-2021 12:00:37.412 info: transfer of 'catalog.ddns.dnslab.org/IN' from 68.183.217.122#53: connected using 64.227.31.190#50835
15-Jun-2021 12:00:37.510 info: transfer of 'catalog.ddns.dnslab.org/IN' from 68.183.217.122#53: Transfer status: success
15-Jun-2021 12:00:37.510 info: transfer of 'catalog.ddns.dnslab.org/IN' from 68.183.217.122#53: Transfer completed: 1 messages, 5 records, 245 bytes, 0.097 secs (2525 bytes/sec)
15-Jun-2021 12:00:37.512 info: zone catalog.ddns.dnslab.org/IN: sending notifies (serial 1005)
15-Jun-2021 12:00:37.741 info: client @0x7f697182fb60 2a03:b0c0:3:d0::13bb:d001#43753: received notify for zone 'catalog.ddns.dnslab.org'
15-Jun-2021 12:00:37.911 info: transfer of 'newzone002.ddns.dnslab.org/IN' from 68.183.217.122#53: connected using 64.227.31.190#48065
15-Jun-2021 12:00:37.995 info: transfer of 'newzone002.ddns.dnslab.org/IN' from 68.183.217.122#53: Transfer status: success
15-Jun-2021 12:00:37.995 info: transfer of 'newzone002.ddns.dnslab.org/IN' from 68.183.217.122#53: Transfer completed: 1 messages, 6 records, 245 bytes, 0.084 secs (2916 bytes/sec)
  • The new zone status information:
# rndc zonestatus newzone002.ddns.dnslab.org
name: newzone002.ddns.dnslab.org
type: slave
serial: 1001
nodes: 3
next refresh: Tue, 15 Jun 2021 12:57:43 GMT
expires: Mon, 26 Jul 2021 12:00:37 GMT
secure: no
dynamic: no
reconfigurable via modzone: yes
  • Check if your DNS server responds to queries for this zone:
# dig @localhost newzone002.ddns.dnslab.org txt 

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> @localhost newzone002.ddns.dnslab.org txt
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61131
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f5016bf254a6238fa79c540e60c89703ce4b1c267758cb23 (good)
;; QUESTION SECTION:
;newzone002.ddns.dnslab.org.    IN      TXT

;; ANSWER SECTION:
newzone002.ddns.dnslab.org. 60  IN      TXT     "This is a zone for the catalog zone lab"

;; AUTHORITY SECTION:
newzone002.ddns.dnslab.org. 60  IN      NS      catalogdns.dnslab.org.

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Jun 15 12:03:15 UTC 2021