Easy DNS with Linux on z/VM

DNS with Linux on z/VM
generous guest naming names
Rick Troth
rogue programmer
<[email protected]>
http://www.casita.net/
VM Workshop, 2017 June
The Ohio State University
Copyright © 2017 Richard M. Troth, Creative Commons.
Other products and company names mentioned herein
may be trademarks of their respective owners.
Disclaimer
The content of this presentation is informational only.
The reader or attendee is responsible for his/her own use
of the concepts and examples presented herein.
In other words: Your mileage may vary. “It Depends.”
Results not typical. Actual mileage will probably be less.
Use only as directed. Do not fold, spindle, or mutilate. Not to
be taken on an empty stomach. Refrigerate after opening.
Easy DNS with z/Linux
This is Rick's own system
External DNS for Casita.Net runs on z/Linux
Dunno DynDNS, but we're interactive
Inside -vs- Outside, does it matter?
Hardening is hard, so see some pitfalls
DNSSEC looms
about:rick
Unix for 30+ years
Linux since 0.99 (circa 1993)
VM/SP (and following) since 1981
Obsessed with source-based systems
Previous jobs: SSL stack, z/VM, Linux
Day job is data sec … it's all about trust
The Small World of Casita.Net
[Diagram of the Casita.Net hosts; only the node labels survived extraction: pk, sb, sv, gc, co, gt, nl, sd, cc]
Berkeley Internet Name Domain
Berkeley Internet Name Daemon, 'named'
BIND9 – the long-time current family
BIND10 – ISC's new and improved family
DNS at Casita.Net
/var/named/master/casita.net
/var/named/master/192.168.29
/var/named/master/2604:8800:12b
“internal” DNS has complete domain
“external” DNS has partial
IPv4 PTR records valid internally (NAT)
IPv6 PTRs meaningful everywhere
Forward DNS at Casita.Net
$TTL 4H
@         IN  SOA   @ [email protected]. ( 2011071300 7200 3600 3600000 86400 )
          IN  A     192.168.29.1
          IN  AAAA  2604:8800:12b::b
          IN  NS    jeremiah.casita.net.
main      IN  A     192.168.29.1
jeremiah  IN  A     192.168.29.11
jeremiah  IN  AAAA  2604:8800:12b::b
nehemiah  IN  A     192.168.29.12
nehemiah  IN  AAAA  2604:8800:12b::c
culdesac  IN  A     192.168.29.26
culdesac  IN  AAAA  2604:8800:12b::1a
IPv4 Reverse DNS at Casita.Net
$TTL 4H
$ORIGIN 29.168.192.IN-ADDR.ARPA.
@   IN  SOA  @ [email protected]. ( 2008063000 21600 3600 3600000 86400 )
    IN  NS   jeremiah.casita.net.
11  IN  PTR  jeremiah.casita.net.
12  IN  PTR  nehemiah.casita.net.
26  IN  PTR  culdesac.casita.net.
IPv6 Reverse DNS at Casita.Net
$TTL 4H
$ORIGIN b.2.1.0.0.0.8.8.4.0.6.2.ip6.arpa.
@   IN  SOA  @ [email protected]. ( 2011072400 21600 3600 3600000 86400 )
    IN  NS   jeremiah.casita.net.
b.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR jeremiah.casita.net.
c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR nehemiah.casita.net.
a.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR culdesac.casita.net.
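The forward zone and the two reverse zones above are meant to describe the same hosts, and the easy thing to get wrong is letting them drift apart. The following is an added example, not code from the presentation: a small zone-file parser plus a check that every A/AAAA record has a matching PTR and that every PTR points back at a name carrying that address. The zone text is constructed from the three slides; the SOA contact (hostmaster) is a placeholder because the slide's value did not survive extraction. Run against the slide data it reports that 192.168.29.1 (the apex and "main") has no PTR, and that the apex AAAA reverse-maps to jeremiah.casita.net. rather than casita.net.

```python
"""Forward/reverse consistency check for the Casita.Net zone data.

Added example, not from the slides: a small zone-file parser plus a check
that every A/AAAA record has a matching PTR in the reverse zones, and that
every PTR points back at a name that carries that address. The zone text is
constructed from the three slides; the SOA contact (hostmaster) is a
placeholder because the slide's value did not survive extraction.
"""
import ipaddress

FORWARD_ZONE = """\
$TTL 4H
@ IN SOA @ hostmaster.casita.net. ( 2011071300 7200 3600 3600000 86400 )
          IN  A     192.168.29.1
          IN  AAAA  2604:8800:12b::b
          IN  NS    jeremiah.casita.net.
main      IN  A     192.168.29.1
jeremiah  IN  A     192.168.29.11
jeremiah  IN  AAAA  2604:8800:12b::b
nehemiah  IN  A     192.168.29.12
nehemiah  IN  AAAA  2604:8800:12b::c
culdesac  IN  A     192.168.29.26
culdesac  IN  AAAA  2604:8800:12b::1a
"""

REVERSE_V4 = """\
$TTL 4H
$ORIGIN 29.168.192.IN-ADDR.ARPA.
@   IN  SOA  @ hostmaster.casita.net. ( 2008063000 21600 3600 3600000 86400 )
    IN  NS   jeremiah.casita.net.
11  IN  PTR  jeremiah.casita.net.
12  IN  PTR  nehemiah.casita.net.
26  IN  PTR  culdesac.casita.net.
"""

REVERSE_V6 = """\
$TTL 4H
$ORIGIN b.2.1.0.0.0.8.8.4.0.6.2.ip6.arpa.
@   IN  SOA  @ hostmaster.casita.net. ( 2011072400 21600 3600 3600000 86400 )
    IN  NS   jeremiah.casita.net.
b.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR jeremiah.casita.net.
c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR nehemiah.casita.net.
a.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR culdesac.casita.net.
"""


def qualify(name, origin):
    """Turn an owner or PTR target into a lower-case fully qualified name."""
    if name == '@':
        return origin.lower()
    return name.lower() if name.endswith('.') else f'{name}.{origin}'.lower()


def parse_zone(text, origin):
    """Return (owner, type, rdata) triples for the A, AAAA and PTR records.

    Handles $ORIGIN, '@', relative names and a blank owner field meaning
    'same owner as the previous record'. SOA, NS and $TTL are skipped.
    """
    records, prev_owner = [], origin.lower()
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if line.startswith('$ORIGIN'):
            origin = line.split()[1]
            continue
        if line.startswith('$'):                    # $TTL and friends
            continue
        fields = line.split()
        owner = prev_owner if line[0].isspace() else qualify(fields.pop(0), origin)
        prev_owner = owner
        if fields and fields[0].upper() == 'IN':
            fields.pop(0)
        if len(fields) < 2:
            continue
        rtype, rdata = fields[0].upper(), fields[1]
        if rtype == 'PTR':
            records.append((owner, rtype, qualify(rdata, origin)))
        elif rtype in ('A', 'AAAA'):
            records.append((owner, rtype, rdata))
    return records


def check_consistency(forward, reverse):
    """Cross-check A/AAAA records against PTRs; returns a list of findings."""
    findings = []
    ptr_targets = {}                                # reverse name -> {PTR targets}
    for owner, rtype, target in reverse:
        if rtype == 'PTR':
            ptr_targets.setdefault(owner, set()).add(target)
    forward_names = {}                              # reverse name -> {forward owners}
    for owner, rtype, addr in forward:
        if rtype not in ('A', 'AAAA'):
            continue
        rev = ipaddress.ip_address(addr).reverse_pointer + '.'
        forward_names.setdefault(rev, set()).add(owner)
        targets = ptr_targets.get(rev, set())
        if not targets:
            findings.append(('missing-ptr', owner, addr))
        elif owner not in targets:
            findings.append(('ptr-mismatch', owner, addr, sorted(targets)[0]))
    for rev, targets in ptr_targets.items():        # PTRs nothing points back to
        for target in targets - forward_names.get(rev, set()):
            findings.append(('dangling-ptr', rev, target))
    return findings


def run_check():
    """Run the slide zones through the check and return the findings."""
    forward = parse_zone(FORWARD_ZONE, 'casita.net.')
    reverse = parse_zone(REVERSE_V4, '.') + parse_zone(REVERSE_V6, '.')
    return check_consistency(forward, reverse)


if __name__ == '__main__':
    for finding in run_check():
        print(*finding)
```

The reverse name is derived with ipaddress.reverse_pointer, so the same check works unchanged for in-addr.arpa and ip6.arpa, and the 32-nibble ip6.arpa owner names never have to be typed by hand when verifying a zone.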
demos
DNS Record Types
SOA – start of authority (“@” means “here”)
A, AAAA – address
NS – name server
CNAME – alias, nickname
MX – mail exchanger
TXT – free-form text
PTR – pointer (to name, from address)
DNSSEC
Domain Name System Security Extensions
Crypto Signing of Internet Domain Data
DNSSEC Record Types
RRSIG – resource record signature
DNSKEY – public key of signer
DS – delegation signer
NSEC – next secure record
https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
Config file /etc/named.conf
options {
directory "/var/named";
listen-on-v6 { any; };
pid-file "/var/run/named.pid";
forwarders { 68.94.156.10; 68.94.157.10; };
};
First stanza, sans comments
Config file /etc/named.conf
logging {
category default { log_syslog; };
channel log_syslog { syslog; };
};
“hints”
We'll come back to that.
zone "." in {
type hint;
file "root.hint";
};
Config file /etc/named.conf
zone "localhost" in {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};
Config file /etc/named.conf
zone "casita.net" in {
type master;
file "master/casita.net";
allow-update { none; };
allow-transfer { none; };
};
Note: Master vs Slave
Config file /etc/named.conf
zone "29.168.192.in-addr.arpa" in {
type master;
file "master/192.168.29";
allow-update { none; };
allow-transfer { none; };
};
Contains PTR Records
Config file /etc/named.conf
zone "b.2.1.0.0.0.8.8.4.0.6.2.ip6.arpa" in {
type master;
file "master/2604:8800:12b";
allow-update { none; };
allow-transfer { none; };
};
Contains PTR Records
Config file /etc/named.conf
zone "BITNET" IN {
type master;
file "master/bitnet";
allow-update { none; };
allow-transfer { none; };
notify yes;
};
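Every master zone on the preceding slides pins allow-update and allow-transfer to none, which is the hardening point of this section: named-checkconf will tell you the file parses, not that the policy is right. The following is an added example, not code from the presentation: an audit that walks a named.conf and reports master zones that leave either ACL open, plus a note when recursion is left at BIND defaults. The config text is constructed: the options, hint, casita.net and BITNET stanzas are copied from the slides, and the two *.example zones are invented weak stanzas so the audit has something to report.

```python
"""Audit zone ACLs in a BIND named.conf.

Added example, not from the slides. NAMED_CONF is constructed: the options,
hint, casita.net and BITNET stanzas copy the slides; the two *.example zones
are invented weak stanzas so the audit has something to report.
"""
import re

NAMED_CONF = """\
options {
    directory "/var/named";
    listen-on-v6 { any; };
    forwarders { 68.94.156.10; 68.94.157.10; };
};
zone "." in {
    type hint;
    file "root.hint";
};
zone "casita.net" in {
    type master;
    file "master/casita.net";
    allow-update { none; };
    allow-transfer { none; };
};
zone "BITNET" IN {
    type master;
    file "master/bitnet";
    allow-update { none; };
    allow-transfer { none; };
    notify yes;
};
// constructed weak stanzas, not from the slides
zone "weak.example" in {
    type master;
    file "master/weak.example";
};
zone "open.example" in {
    type master;
    file "master/open.example";
    allow-update { any; };
    allow-transfer { 192.0.2.0/24; any; };
};
"""


def strip_comments(conf):
    """Remove the three comment styles BIND accepts: /* */, // and #."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    return re.sub(r'(//|#).*', '', conf)


def zone_blocks(conf):
    """Yield (zone_name, body) for every zone statement, matching braces."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"\s+(?:in\s+)?\{', conf, flags=re.I):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def audit_zone(name, body):
    """Return (severity, zone, message) findings for one master zone."""
    findings = []
    ztype = re.search(r'\btype\s+(\w+)\s*;', body)
    if not ztype or ztype.group(1).lower() != 'master':
        return findings                     # hint and slave zones: out of scope here
    acls = {k.lower(): ' '.join(v.split())
            for k, v in re.findall(r'\b([\w-]+)\s*\{([^}]*)\}', body)}
    xfer = acls.get('allow-transfer')
    if xfer is None:
        findings.append(('high', name, 'allow-transfer unset; BIND 9 of this era allows AXFR to any host by default'))
    elif re.search(r'\bany\b', xfer):
        findings.append(('high', name, f'allow-transfer permits any host: {{ {xfer} }}'))
    upd = acls.get('allow-update')
    if upd is None:
        findings.append(('info', name, 'allow-update unset (defaults to none); state it explicitly'))
    elif re.search(r'\bany\b', upd):
        findings.append(('high', name, f'allow-update permits any host: {{ {upd} }}'))
    return findings


def audit_named_conf(conf):
    """Audit every zone plus the recursion setting; returns all findings."""
    findings = []
    conf = strip_comments(conf)
    if not re.search(r'\brecursion\b', conf):   # also matches allow-recursion
        findings.append(('info', 'options',
                         'recursion left at BIND defaults; set recursion/allow-recursion explicitly'))
    for name, body in zone_blocks(conf):
        findings.extend(audit_zone(name, body))
    return findings


if __name__ == '__main__':
    for severity, zone, message in audit_named_conf(NAMED_CONF):
        print(f'{severity:5} {zone:15} {message}')
```

On the sample config the slide zones produce no findings at all, weak.example is flagged for the missing allow-transfer, and open.example is flagged twice for "any". The brace matcher is deliberately simple; it is enough for the statement shapes shown on the slides, not a full named.conf grammar.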
about:filenames
Filename extensions are a Good Thing
But … .zone, .db, why bother?
Colons: problem for Windows, NTFS, *FAT
/var/named/master/domain
Alternative DNS root
Standard set is root-servers.net
Alternate set is orsn-servers.eu
Modify your “hint” file
http://www.orsn.org/roothint/root-hint.txt
Like rolling your own Linux distro,
anyone can do it.
BIND, not bondage
Berkeley Internet Name Daemon
… on SUSE:
zypper install bind
… on ClefOS, CentOS, RH:
yum install bind
… on Debian, Ubuntu:
apt-get install bind9
BYOB
Build your own BIND
http://ftp.isc.org/isc/bind9/9.11.1/
    bind-9.11.1.tar.gz
    bind-9.11.1.tar.gz.asc
Download, un-tar
./configure ; make ; make install
Chicory (Portable Apps)
Rick's Rules for /usr/opt wrapper
make source
make verify
make config
make
make install
make distclean
./setup
DNS servers in the house
Guest of z/VM
 Ideal service virtual machine role
Guest of KVM/Xen/any, container, physical
Sub-domains needing agile management
Dev/test/tinker/hobby/staging
BIND “DB files” are easy
NORD Project – please help
Not trying to start a distro …
http://www.casita.net/nord
http://www.casita.net/chicory
… just change the world.
Thank You
http://www.casita.net/vmworkshop/2017/presentations/troth-vmworkshop-dns-2017.odp
http://www.casita.net/vmworkshop/2017/presentations/troth-vmworkshop-dns-2017.ppt