DNS and BIND Deep Dive
Linux Training Architect II
Welcome to DNS and BIND Deep Dive. This course is intended for students who have a basic understanding of the Linux operating system and are comfortable with basic sysadmin tasks such as moving around the file system structure, basic command line utilities, and installing packages. Students should also have some basic configuration skills.
In this course, we will work with many BIND configurations such as creating a caching name server, configuring zones and domains, and BIND server security.
Hello, and welcome to this deep dive course on DNS and BIND. This is a deep dive course, intended for students with a good understanding of the Linux operating system. Students should be able to perform basic tasks, such as running commands, editing text files, moving around in the filesystem structure, and installing packages. Students should also have some basic configuration skills. In this video, we will talk about what to expect from this course as well as the configuration types we'll be creating in the course videos and hands-on labs.
About the Training Architect
Hi, my name is Cara. I will be your course author for the course you are about to take. Here is a little bit about me...
How to Use the Cloud Playground for This Course
This course walks students through the Cloud Playground feature of their subscriptions. Students will learn how to create cloud lab servers offering multiple Linux distributions and custom images.
Introduction to DNS and BIND
DNS Types Overview
The DNS Types Overview lesson will cover the two main configuration types for BIND, authoritative and recursive. We'll explore the differences between them and discuss how each responds to DNS queries.
DNS Concepts - Terms and Definitions
In this video lesson we will discuss some of the terms and definitions used in BIND DNS. This will help students become familiar with the different components used to configure a BIND server. We will also review the different DNS record types to familiarize students with the kinds of data stored in DNS records.
Zones and Domains
This video explains the domain namespace and gives a description of each tier in the domain namespace hierarchy. We'll talk about each tier of the domain name system to get a good understanding of what domains are located on each level, as well as touch on familiar examples of each domain type. Students will also learn about the root domain, or root servers, at the top of the namespace tree.
Basic DNS Server Configuration
In this video, we will be walking through some of the files used by BIND. We'll discuss basic DNS configuration and students will become familiar with running DNS queries using the
Configure a Caching Name Server
In this video, we walk through the most basic BIND configuration. Students will learn to configure a recursive, or caching-only, name server. We'll look at /etc/named.conf and start the named service. Then we will test DNS queries against our caching name server with the
Please note that due to restrictions on UDP traffic to prevent abuse in the Cloud Playground, this activity must be completed in the lab environment configured for the Create a Caching Name Server lab activity at the end of this video section.
Named Service and RNDC Keys
This video is an overview of RNDC. The remote node daemon control utility is used to control the named service. We will learn to run rndc commands and work with the RNDC key that is auto-generated by the named startup process.
In this video, students will learn to manually create an RNDC key file and the RNDC configuration file using the rndc-confgen command. Then we will link the new key and configuration to the named configuration to enable secure control of the named service.
Using the dig Command
The dig command is an essential command for name resolution queries and for troubleshooting name server issues. In this video, we'll learn to write queries for very verbose output, and also customize queries to return short or very specific information about a DNS record.
Working with DNS Zones
Configuring for Zones
In this video, we will discuss how to configure the named.conf file for DNS zones. We will discuss the components and the appropriate syntax used to configure named.conf to create the zone configuration that is critical for resolving name service queries.
Zone Files and Record Types - Start of Authority
The Start of Authority, or SOA record, is a crucial piece of configuring zone files. The SOA record appears at the top of a zone file and contains information about the zone and the other DNS records it holds. In this video, we'll look at the components needed and the syntax required for the SOA record configuration.
Zone Files and Record Types - Common Record Types
Configuring zone files for successful name resolution requires configuring many record types. In this video, we'll examine common record types and the syntax for configuring them in a zone file.
Creating Forward Zone Files
Creating forward zone files is crucial to DNS server configuration. In this video, we will learn to configure the Start of Authority record, as well as other records in the forward zone file.
Creating Reverse Zone Files
Creating reverse zone files is crucial to DNS server configuration and to performing reverse name service lookups. In this video, we will see how to configure the Start of Authority record as well as other records in the reverse zone file.
Zone File Validity Checking
When configuring DNS zones, administrators need to be able to manually verify the validity of the files they create and check for syntax errors. In this video, we will see how to use the named-checkzone command to verify there are no syntax errors in the zone files. We will also use the nslookup command to verify that we can resolve the DNS names that we have configured.
Advanced DNS Configuration
Configuring Multiple Domains
In this video, we will add a second domain to our name server configuration. This allows us to host multiple domains on the same name server. We'll edit the named.conf file and create the forward zone file. Then we will check our configuration with the named-checkzone command, restart the named service, and test our configuration using
DNS Master and Replication Slave
In this video, we will talk about the Primary and Secondary, or Master/Slave, zone configuration for BIND. It is important to know how to configure master and slave zones for redundancy and security.
In this lesson, we will create two name servers, configuring the first as a master server and the second as a slave, in the named.conf file. We will then create the associated forward and reverse zone files, and pull zone information down to the slave from the master. Finally, we will test the configuration with the
DNS Server Security
Securing a DNS Server
Split DNS Configuration for Security
In this video, we will discuss the split DNS infrastructure configuration for DNS server security. We will look at the private and public domains, and learn which servers to place on either side of the firewall, depending on their intended use and whether they should be accessed by internal clients only or open to the public. We will also discuss how to mask the internal IP address of the internal DNS server when accessing the public DNS servers. The split DNS configuration is necessary for ensuring your name servers are secure and cannot be accessed by unauthorized users on the internet.
Running BIND in a Chroot Jail
In this video, we'll discuss the chroot jail and how to manually configure the named service to run in a chroot jail. Knowing the steps for manually creating the chroot jail is important, so that we can adequately troubleshoot chroot issues. For this exercise, we'll configure the named service to
DNS Security Tools - Keys and Signing a Zone File
DNSSEC is a utility that offers additional security, such as signing a zone file so that resolvers can verify zone data comes from a trusted source. In this video, we will talk about DNSSEC and signing a zone file. We will use the dnssec-keygen command to create our key files and dnssec-signzone to sign our forward zone file.
DANE and TLSA Records
Implementing DANE and TLSA is a security measure we can use to secure a DNS server. Since certificate authorities are often compromised and trust is broken as a result, DANE uses a DNS query to associate a web server's certificate with the web server's domain name. This data is stored in the TLSA (Transport Layer Security Authentication) record type. In this video, we'll discuss the components of a DANE TLSA record.
In this video, we will talk about what comes next for a student at Linux Academy who has completed this course. We'll talk about some other recommended courses, similar to this one, and how to build on the skills learned here.