1
00:00:00,000 --> 00:00:17,240
Hey guys and welcome back. Now previously we've been going through some of the basics

2
00:00:17,240 --> 00:00:24,240
of how DNS operates as well as how we as clients can receive information from DNS servers.

3
00:00:24,240 --> 00:00:29,580
We also talked about different DNS records that were available. Now what I want to do

4
00:00:29,579 --> 00:00:35,280
is I want to really dig in and go through the actual configuration of a DNS server itself.

5
00:00:35,280 --> 00:00:40,420
Now what we're going to be doing here as per the exam objectives is we're going to be

6
00:00:40,420 --> 00:00:47,099
configuring something called a BIND DNS server. Now BIND happens to be a very common DNS

7
00:00:47,099 --> 00:00:55,539
server. This is the Berkeley Internet Domain Server B-I-N-D. So with respect to BIND there

8
00:00:55,539 --> 00:00:59,939
actually are different versions of this. The version we're going to be focusing on is

9
00:00:59,939 --> 00:01:06,140
one called BIND9. This is the one that is in the exam objectives. Now before we actually

10
00:01:06,140 --> 00:01:11,019
start I just want to be clear here there actually are other DNS options we have available

11
00:01:11,019 --> 00:01:17,379
to us. So one type of DNS software we can use is one called dnsmasq and that is masq

12
00:01:17,379 --> 00:01:24,019
with a Q. Now dnsmasq can be used for DNS. It can also be used for DHCP if you can remember

13
00:01:24,019 --> 00:01:28,939
what that was when we talked about our network configuration that allows us to effectively

14
00:01:28,939 --> 00:01:34,859
manage IP address space whereby hosts can come in and request an IP address. dnsmasq

15
00:01:34,859 --> 00:01:41,859
can perform this task as well as like I say manage the task of DNS queries. Another one

16
00:01:41,859 --> 00:01:48,699
is one called PowerDNS. This was a DNS solution centred around load balancing. If you don't

17
00:01:48,699 --> 00:01:52,780
know what load balancing is it just means that we can ultimately have let's say one

18
00:01:52,780 --> 00:01:59,340
server here, one server here. So that could be DNS1, DNS2 and we can have requests split

19
00:01:59,340 --> 00:02:04,460
across these different servers so that one is not getting absolutely battered with all

20
00:02:04,460 --> 00:02:09,460
the requests instead we actually split the load i.e. we balance the load and that was

21
00:02:09,460 --> 00:02:16,500
really the primary purpose of PowerDNS and we also have one called djbdns. Again we don't

22
00:02:16,500 --> 00:02:22,020
have to be too worried around this solution. This was primarily focused on security. So

23
00:02:22,020 --> 00:02:27,060
now we have a general awareness of these other solutions. Let's have a look at the

24
00:02:27,060 --> 00:02:32,780
bind software then. Now before we actually start I just want to make one thing clear.

25
00:02:32,780 --> 00:02:38,780
Now the exam objectives actually say that we should be able to configure a DNS server,

26
00:02:38,780 --> 00:02:44,820
a bind DNS server should I say that is caching only. So I do feel it is relevant that we

27
00:02:44,820 --> 00:02:50,060
actually understand what a caching server is and what are the alternatives to that.

28
00:02:50,099 --> 00:02:55,259
So the first type of server we can have is that authoritative server. This is the server

29
00:02:55,259 --> 00:03:00,939
which has the original records for that particular domain. Now we also talked about how we could

30
00:03:00,939 --> 00:03:06,460
use say for example like an ISP or something as a DNS server which can ultimately forward

31
00:03:06,460 --> 00:03:12,939
requests. Well as opposed to having the authoritative records we can also have a forwarding DNS

32
00:03:13,819 --> 00:03:20,740
as well as a caching DNS server. Now really we want to be focusing on the distinction

33
00:03:20,740 --> 00:03:26,699
between these two solutions right here and then ultimately configuring a caching DNS

34
00:03:26,699 --> 00:03:31,740
server. So let me talk to you about this then. Let's say that we have our little local machine

35
00:03:31,740 --> 00:03:39,860
right here and we had some type of DNS forwarder. So on our local network we have a DNS forwarder

36
00:03:39,860 --> 00:03:46,100
and then we would have our ISP say for example. Okay so let's imagine on our little network

37
00:03:46,100 --> 00:03:52,180
segments within our local network we have our local client computer and we also have

38
00:03:52,180 --> 00:03:58,020
this DNS forwarder okay which is on the same network here okay and then outside our network

39
00:03:58,020 --> 00:04:04,540
we have our ISP and then way out there we have these root servers as well as our top

40
00:04:04,539 --> 00:04:10,179
level domains as well as our authoritative servers okay. So check this out us as the

41
00:04:10,179 --> 00:04:16,699
client down here if we happen to have a DNS forwarder what's going to happen is we're

42
00:04:16,699 --> 00:04:23,259
going to send our DNS requests to that forwarder okay. What this DNS forwarder is going to do

43
00:04:23,259 --> 00:04:30,180
is going to ultimately offload that and send the request to say for example an ISP i.e.

44
00:04:30,180 --> 00:04:36,340
someone else. Now the ISP as we just talked about it can go through a recursive process

45
00:04:36,340 --> 00:04:40,939
to pull back the information we need say for example we go to the root server to find out

46
00:04:40,939 --> 00:04:46,460
do we need a dot com or do we need a dot edu. Once we know that we can go to the correct

47
00:04:46,460 --> 00:04:51,740
top level domain server and then get the information for the authoritative server and recursively

48
00:04:51,740 --> 00:04:57,939
get that information back to the ISP and then the ISP can send that back to the DNS forwarder

49
00:04:57,939 --> 00:05:03,779
who can then reply to us give us a response with the information we need and suddenly

50
00:05:03,779 --> 00:05:09,459
we can resolve the IP addresses we need from the domain names that we are using or attempting

51
00:05:09,459 --> 00:05:16,459
to reach. This is all very well and good ultimately this DNS server is forwarding these requests

52
00:05:16,459 --> 00:05:23,860
however if we happen to have a DNS caching server okay so we have a DNS cache same type

53
00:05:23,860 --> 00:05:29,660
of process in that when us as the client have a particular request we send that request

54
00:05:29,660 --> 00:05:33,900
to our DNS caching server. The difference being is that the DNS caching server is going

55
00:05:33,900 --> 00:05:39,180
to be proactive on its own it's not going to try to lean on top of the ISP instead it's

56
00:05:39,180 --> 00:05:43,660
going to generate that information itself it's going to go to the root itself it's going

57
00:05:43,660 --> 00:05:50,060
to go to the TLD itself to the auth server and like I say it's going to cache and store

58
00:05:50,060 --> 00:05:55,980
all of this information. Now once all of that very detailed information is stored on this

59
00:05:55,980 --> 00:06:03,100
machine the next time we have to make a similar request we just send it to our DNS caching

60
00:06:03,100 --> 00:06:10,100
server on our network and we get a very quick response back no need to bog down the internet

61
00:06:10,100 --> 00:06:15,220
no need to wait on say for example our ISP making connections this resolution happens

62
00:06:15,220 --> 00:06:20,700
very rapidly and I will just say for posterity you do not have to have the DNS cache on your

63
00:06:20,700 --> 00:06:24,740
same local network you actually can route that traffic if need be but this would be

64
00:06:24,740 --> 00:06:31,020
a common configuration right here. Now it is important to note that when we have a bind

65
00:06:31,020 --> 00:06:36,900
server we actually can make it a forwarding server if we so choose and like I say what

66
00:06:36,900 --> 00:06:41,060
we would be doing in this nugget right here is learning how to make a caching server but

67
00:06:41,060 --> 00:06:47,220
just be aware we still can make it a forwarding DNS server if necessary and really one of

68
00:06:47,220 --> 00:06:53,579
the benefits of being able to have this local access to our DNS like we do with this DNS

69
00:06:53,579 --> 00:06:58,459
caching server well like I say it's going to keep the request local therefore we're going

70
00:06:58,459 --> 00:07:04,060
to get an increase in speed and efficiency we will also use less bandwidth and it also

71
00:07:04,060 --> 00:07:08,060
simplifies certain things such as firewall rulings because you don't need to worry so

72
00:07:08,060 --> 00:07:13,699
much about reaching DNS traffic you can make your firewall rules much stricter because you

73
00:07:13,699 --> 00:07:17,980
don't have to worry about letting through this particular traffic outbound towards the

74
00:07:17,980 --> 00:07:22,939
internet and back in. So now we have an understanding of the different types of DNS software we

75
00:07:22,939 --> 00:07:28,060
have as well as the different styles of DNS that we can actually implement how about we

76
00:07:28,060 --> 00:07:33,620
actually walk through the installation of getting our bind 9 server up and running so

77
00:07:33,699 --> 00:07:38,579
with that said let's dig in then shall we what we'll do here is I will first start with

78
00:07:38,579 --> 00:07:43,420
a sudo apt update I'll type in my password okay it's going to pull down the updates okay

79
00:07:43,420 --> 00:07:50,259
now we will do a sudo apt install and we're going to install bind9 so I'll hit enter

80
00:07:50,259 --> 00:07:57,860
perfect I'll say yes okay and now I'm going to say sudo apt update install bind9utils

81
00:07:57,860 --> 00:08:03,180
all one word if I hit enter now perfect with these two packages now installed what I want

82
00:08:03,220 --> 00:08:07,019
to do is I want to go into the /etc directory and then I want to go into this directory

83
00:08:07,019 --> 00:08:13,379
here called bind okay so I'll go into bind okay here we are okay so now we're in this

84
00:08:13,379 --> 00:08:19,780
directory what I want to do is I want to go into this file right here named dot conf

85
00:08:19,780 --> 00:08:25,500
otherwise referred to as named dot conf so what I'll do is I'll say sudo nano named

86
00:08:25,500 --> 00:08:30,899
dot conf and if I hit enter we can see here this is the primary configuration file for

87
00:08:30,939 --> 00:08:37,019
the bind DNS server now what to note here is that within this configuration file you can

88
00:08:37,019 --> 00:08:43,259
actually specify all the configurations that you need however things have actually been separated

89
00:08:43,259 --> 00:08:50,899
and split up here so we can actually see here the contents of this file named dot conf is actually

90
00:08:50,899 --> 00:08:56,259
split into these three different files we have the named dot conf options as well as the dot

91
00:08:56,299 --> 00:09:03,379
local file as well as the dot default zones file now for the purposes of the examination in

92
00:09:03,379 --> 00:09:09,779
order to configure our caching server we want to go into this one called named dot conf

93
00:09:09,779 --> 00:09:14,059
dot options file so what I will do is I'll just escape out here and I will go in and say

94
00:09:14,059 --> 00:09:22,179
sudo nano named dot conf dot options so if I hit enter now we can see here this particular

95
00:09:22,219 --> 00:09:27,739
configuration file now one thing to note here about these particular configuration files is

96
00:09:27,739 --> 00:09:32,739
that they might look a little bit intimidating they make a lot of use of these square brackets or

97
00:09:32,739 --> 00:09:38,179
rather these curly braces should I say not square brackets curly braces and we also have these

98
00:09:38,179 --> 00:09:43,979
semicolons which denote different values within the configuration file almost assume they're like

99
00:09:43,979 --> 00:09:49,219
commas work in the English language okay so within this file we have particular configurations

100
00:09:49,259 --> 00:09:55,860
we also have particular keywords here is one keyword we can see right here listen-on-v6 this

101
00:09:55,860 --> 00:10:01,820
is really whereabouts the DNS server that we are actually running whereabouts should it actually

102
00:10:01,820 --> 00:10:07,300
listen for connections i.e. what is the interface it should be listening on and what particular

103
00:10:07,300 --> 00:10:14,500
port number say for example port number 53 now listen-on-v6 is just for IPv6 if we want to make

104
00:10:15,100 --> 00:10:21,860
connections listen on IPv4 we would just use the keyword listen-on without the v6 at the end so

105
00:10:21,860 --> 00:10:27,340
what I could do is I could get down here and I would just say listen hyphen on and I could say

106
00:10:27,340 --> 00:10:32,980
something like say you know port 53 and then if I wanted to specify an IP address I would use my

107
00:10:32,980 --> 00:10:38,899
curly braces and if I wanted to use my loopback address i.e. the local logical interface I could

108
00:10:38,899 --> 00:10:45,220
specify this and then at the end I would have my semicolon and then again my curly brace this

109
00:10:45,220 --> 00:10:50,100
would close the configuration and then once again to denote the end of the line I would have a

110
00:10:50,100 --> 00:10:54,500
semicolon and in fact let me just get a little bit of space here so this might be a little bit

111
00:10:54,500 --> 00:10:59,059
intimidating the first time you happen to see this particular configuration file but the reality is

112
00:10:59,059 --> 00:11:04,659
we don't have to be too concerned with all of the particular options and I will say if we wanted

113
00:11:04,659 --> 00:11:11,219
to add in additional IP addresses on which to listen let's say we had our local IP address which I

114
00:11:11,219 --> 00:11:19,299
think is in my case 192.168.0.65 I would just add in, in fact let me add in eight there, I would just

115
00:11:19,299 --> 00:11:24,899
add in that value and again use that semicolon to denote the end and with respect to our IPv6

116
00:11:24,899 --> 00:11:29,860
configuration we can see we're listening on any interfaces now what I will do for simplicity

117
00:11:29,860 --> 00:11:36,500
I will just remove this configuration in order to be able to make this caching only server

118
00:11:36,500 --> 00:11:41,379
configuration the thing that we actually have to add here is a particular keyword and that is

119
00:11:41,379 --> 00:11:48,820
we're going to add the keyword recursion and then the word yes and to make it a valid configuration

120
00:11:48,820 --> 00:11:55,300
we're going to have to end this with our semicolon and if we write this out and we escape that is all

121
00:11:55,299 --> 00:12:02,019
we have to do to make this a caching server now we have this configured what I want to do is to be

122
00:12:02,019 --> 00:12:08,259
able to check that my configuration file is in fact working i.e the configuration is using

123
00:12:08,259 --> 00:12:14,419
acceptable syntax remember all those issues with the curly braces and the semicolons we can actually

124
00:12:14,419 --> 00:12:22,899
auto check our configuration file by saying sudo named-checkconf okay so if I enter here everything

125
00:12:22,899 --> 00:12:28,340
seems to be okay whereas if I happen to go back in here and I break something let's maybe say

126
00:12:28,340 --> 00:12:34,819
recursion yes and I forget to put my semicolon and I save this I run the same command and hit enter

127
00:12:34,819 --> 00:12:40,419
we can actually see here we are missing our semicolon so definitely make use of this command

128
00:12:40,419 --> 00:12:46,740
if you're having a tough time with respect to the syntax we can actually see here it's on line 23

129
00:12:46,740 --> 00:12:52,419
here so let's go back in and modify this and we shall add in that semicolon perfect so now what I

130
00:12:52,419 --> 00:12:58,179
want to do here is I want to restart the bind9 service to include this new configuration so I'll

131
00:12:58,179 --> 00:13:05,059
say sudo service bind9 and I'm going to say restart to restart it okay so I've now loaded in the new

132
00:13:05,059 --> 00:13:10,179
configuration file now what I'm going to do is I'm going to use the dig command to actually make a

133
00:13:10,179 --> 00:13:17,219
request so if I say dig localhost in fact that should be @localhost and I just make a particular

134
00:13:17,300 --> 00:13:23,460
request let's maybe say for cbtnuggets.com so if I enter now what we're going to do here is

135
00:13:23,460 --> 00:13:28,740
we're going to make a particular request we can see here we have our answer we have CBT nuggets we

136
00:13:28,740 --> 00:13:36,580
have two different options we can see the A record i.e. the IPv4 address right here and same right here

137
00:13:36,580 --> 00:13:42,100
we can see the time to live where it's going to cache and crucially we can see the query time

138
00:13:42,100 --> 00:13:49,700
703 milliseconds almost one second now what we know now is that this server went and got all that

139
00:13:49,700 --> 00:13:55,940
information it's resolved and it's now cached that so now if I make the same request and I hit enter

140
00:13:55,940 --> 00:14:01,139
look at how quickly it got the information query time zero milliseconds pretty much it got it

141
00:14:01,139 --> 00:14:08,580
instantaneously and we'll notice now that the time to live has deprecated down to 23 seconds so we

142
00:14:08,580 --> 00:14:14,420
can see we have this caching mechanism in play and as we just use this we can see the time to live

143
00:14:14,420 --> 00:14:19,620
slowly decrement but what I want to draw your attention to is that with DNS there happens to

144
00:14:19,620 --> 00:14:25,460
be quite a lot of security concerns now one of the things that we want to be aware of is how we can

145
00:14:25,460 --> 00:14:33,060
actually control access to our DNS via something called an allow-query and this can again be configured

146
00:14:33,060 --> 00:14:38,180
within that same configuration file so let's go back into our options now the very first thing

147
00:14:38,179 --> 00:14:43,620
which I'm going to do is I'm going to create an access control list this is just going to be a list

148
00:14:43,620 --> 00:14:51,139
of particular networks or hosts that I want to allow to make incoming requests to this DNS server

149
00:14:51,139 --> 00:14:55,939
so above the options here what I'm going to do is I'm going to use the keywords ACL to specify an

150
00:14:55,939 --> 00:15:00,819
access control list and then I'm going to give the access control list a name so I can call this

151
00:15:00,819 --> 00:15:06,979
anything I want so I'll just call this my friends and then I'll use my curly brace okay and if I go

152
00:15:06,980 --> 00:15:13,300
in with a tab indentation I can specify networks which are allowed to access this so I will say

153
00:15:13,300 --> 00:15:22,580
anyone within 192.168.0.0 slash 24 I want to match on them so what I will do is I will have my semi

154
00:15:22,580 --> 00:15:27,700
colon and then I will have my curly brace to end the configuration and then a semi colon once again

155
00:15:27,700 --> 00:15:34,500
now that is not all what we want to do is down where our recursion is happening right here I actually

156
00:15:34,500 --> 00:15:40,899
want to reference this access control list via something called an allow-query basically this

157
00:15:40,899 --> 00:15:47,700
is where I'm going to allow queries from so I will say allow-query i.e. allow queries coming from

158
00:15:47,700 --> 00:15:53,299
anything that matches the access control list that is called my friends which ultimately means

159
00:15:53,299 --> 00:16:00,740
allow queries from here which specifies allow queries coming from this network range i.e people

160
00:16:00,740 --> 00:16:07,460
on my local network are allowed to use this DNS server so as we know we're going to use our semi

161
00:16:07,460 --> 00:16:13,299
colon I'll then use my curly brace and then again a semi colon once again and just before I do this

162
00:16:13,299 --> 00:16:18,980
what I will actually do is I'll also add in just specify my local host can make this request so if

163
00:16:18,980 --> 00:16:25,139
I save this write it out let's check that the syntax is correct by using our named-checkconf

164
00:16:25,139 --> 00:16:30,100
it appears it is let's restart the service to make it take effect there we go so now I can

165
00:16:30,100 --> 00:16:36,259
rerun my query we get our answer back from CBT Nuggets 895 milliseconds let's try it once again it

166
00:16:36,259 --> 00:16:43,379
should now be cached and we can see here indeed the query time is zero milliseconds now the last

167
00:16:43,379 --> 00:16:48,100
thing that I just want to quickly point out is that with respect to our bind configuration so much of

168
00:16:48,100 --> 00:16:54,340
that relies upon these particular configuration files now one command we want to be aware of is the

169
00:16:54,420 --> 00:17:02,899
rndc command if I go in and say man rndc and hit enter we can see here this is going to be our name

170
00:17:02,899 --> 00:17:09,220
server control utility so this command can actually do a whole lot much of which is beyond the scope

171
00:17:09,220 --> 00:17:14,019
of the examination one of the things we want to be aware of for the purposes of the examination is

172
00:17:14,019 --> 00:17:20,019
that the rndc command can actually allow us to reload every one of our configuration files and the

173
00:17:20,019 --> 00:17:26,819
way we could do this is by simply saying rndc reload if I hit enter now I'm going to have to

174
00:17:26,819 --> 00:17:32,660
use super user privileges of course I'll say rndc reload hit enter and we can now see we actually

175
00:17:32,660 --> 00:17:39,059
were able to successfully reload the server directly via rndc now there are some additional things the

176
00:17:39,059 --> 00:17:44,579
rndc command can do if you check the man page you can see you can actually generate configuration files

177
00:17:44,579 --> 00:17:48,579
via this command but for the purposes of the examination you just want to be aware of this

178
00:17:48,659 --> 00:17:55,539
command as well as its basic functionality so that is us for our introduction into setting up a dns

179
00:17:55,539 --> 00:18:00,099
server we still have a lot more to get into with respect to dns but for now I hope this has been

180
00:18:00,099 --> 00:18:02,819
informative for you and I'd like to thank you for viewing

