------------------------- Week 12 Notes for NET2003 -------------------------
-Ian! D. Allen - idallen@idallen.ca

Remember - knowing how to find out an answer is more important than
memorizing the answer. Learn to fish! RTFM! (Read The Fine Manual)

Keep up on your readings (Course Outline: average 5 hours/week homework)

"ALN" = "Advanced Linux Networking" text

Configuring DNS (BIND/named) - ALN Chapter 18 p.451
---------------

- What does D.N.S. stand for and what is its purpose? p.451
- Give two major reasons for running a DNS server on your machine. p.451,452
- Describe how a DNS server might resolve "www.google.ca" into an IP address. p.452-453
- In a lookup of "www.google.ca", why is it unlikely that the root DNS servers would need to be queried? p.454
- If you want to run DNS and connect your DNS server to the broader Internet, what is the minimum number of DNS servers you will be asked to run? p.454
- What makes a "dynamic DNS" different from the usual static DNS? p.455
- True/False: because of the redundant nature of the Internet, it is safe to run a home DNS on a flaky network connection. p.455
- Can a single DNS server running on your machine provide both names for machines that are not on your own network and also provide names for machines that are on your own network? p.455
- True/False: you may specify your own machine address in the /etc/resolv.conf file. p.455
- If you run a local DNS server to look up external addresses (e.g. look up google.ca), what advantages are there over using an outside DNS server? p.455
- What disadvantages might running a local server have, compared with relying exclusively on an external server? (infer from p.454)
- True/False: All entries in a DNS server must be public names visible to the Internet. p.455-456
- What is a common alternate way to do name resolution on Unix/Linux systems, without using DNS servers? Where is the config file? p.456
- What is the title (NAME) of the Unix man page for the hosts file?
- True/False: the hosts file is usable with DHCP dynamic addresses. p.456
- When you register a new domain name, how many (minimum) DNS servers must you supply at registration? p.458
- What is the package name of the most popular DNS server for Unix/Linux? p.458-459
- What is the actual running name of the DNS server program (and man page) in the above package? p.459
- What is the name of the DNS SysV start-up script?
  Note that the SysV start-up script is awkwardly written - it defines a variable $prog to hold the name of the program, then forgets to use the variable in most of the rest of the script!
- Looking in the start-up script, what is the name of the Linux userid used to run the DNS system (given as an option to the DNS program when it is started as a daemon)? Does this userid exist in the password file? What is the numeric uid and gid for this userid?
- Where is the main BIND DNS configuration file? p.459
- What is the title (NAME) of the Unix man page for the BIND DNS config file?
- True/False: if the main BIND DNS configuration file exists but is empty, the DNS SysV start-up script will exit without starting DNS. (Go look!)
- There is a FAQ file in the BIND documentation directory. What is the absolute pathname of this FAQ file? p.460
- The FAQ says how to solve the error "/var/run/named.pid: Permission denied". Does the suggested directory already exist in your Mini system?

Note that, unlike the C language, you must put a ';' after a closing brace inside the DNS named.conf file! p.460

- What is the function of the named.conf "directory" option? p.460

Note: Write in the comment "A Forwarding DNS Server" before the options section in Listing 18.1 in your textbook.

Unfortunately, the comment and syntax conventions for the main named.conf config file and its subsidiary zone-specific config files are different! (They used to be the same until BIND version 8.)
Comment syntax for the named.conf file is documented in the man page (RTFM) - you can use C, C++, or shell-style comments. You must *NOT* use a semicolon. DNS zone-specific file comments *MUST* begin with a semicolon. See the warning on p.467.

- What is the absolute pathname to the threeroomco.com zone file in Listing 18.1? p.460
- The first stage in a DNS lookup requires the addresses of the DNS root name servers, which are kept in a local file that is referred to by the root zone (".") in the main named.conf file. What does the root zone specification in named.conf look like? p.461
- The root name servers zone-specific file (often called named.ca) has comments at the top that indicate from where you can fetch a fresh copy. Based on the comments, when was this root server file last updated?
- Unix pathnames often use "/" to indicate the "root" of the file system. What is the name of the "root" zone of the DNS domain name system? p.461
- What is a "Forwarding DNS Server" (the "fourth" option)? p.462
- What is the function of the DNS "forwarders" and "forward" options? p.462
- What is a BIND "zone"? p.462-463
- What is a "reverse DNS lookup"? p.463
- How would I configure a zone in named.conf for reverse DNS for 127.0.0.0/24? p.463,461
- How would I configure a zone in named.conf for reverse DNS for 127.0.0.0/8? p.463,461
  Yes, the book is wrong and should have configured the /8, not the /24.
- The zone names for reverse DNS end in what domain name? p.463,461
- What is specified in the smallest basic named.conf zone configuration? p.463 (Hint: You need two lines for the zone. What lines are they?)
- Describe these DNS zone types: "master", "slave", "hint". p.463-464
- True/False: a named.conf file can contain only one type of DNS zone. p.464
- What changes are needed to a named.conf zone entry to turn it from a "master" zone to a "slave" zone?
  p.464
- A slave DNS zone must obtain DNS information from another DNS server (often the "master" for the zone) using a "zone transfer". What DNS keyword is used to specify the IP addresses of the other server(s)? On the other server(s), what DNS config file option controls which machines are allowed to initiate this zone transfer? p.465

Zone transfers are often done using TCP, whereas most of the rest of DNS runs on UDP. You must open both ports in your firewall.

If you have any "master" zones in your named.conf file, those zones refer to zone-specific config files that you must create yourself; they contain the actual names and IP addresses of your domain. p.465-466 (We'll cover writing master zone-specific config files if we have time.)

- What is the name of a common small-network DNS configuration? p.471

A minimal ("caching") DNS config file needs only the root name server zone. The book claims no root zone is needed (the named.conf file can be empty!); but that's only because the "named" program comes with a "compiled-in" list of root servers that may or may not be correct - it's best to have the current, up-to-date set of root servers specified. Having a zone to reverse-map localhost 127. is also handy, but not essential.

A DNS server minimally configured this way will operate as a "caching-only server" as in Figure 18.1 and cache the results it receives. p.471-472

The book claims that a caching server must have "forward" options; this is not true. You can run a useful caching server without any forwarding set (an empty named.conf file!) - it will simply cache the requests that it resolves. See the Warning on p.472. I think it is better to have "slow but correct" DNS answers rather than "quick but wrong" answers!

- How is the DNS server usually started? p.474
- What tool is useful to try DNS host name lookups? p.474
- How would you look up www.google.ca in the DNS server running on machine ns1.algonquincollege.com?
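To tie the named.conf points above together, here is a small named.conf as an added example (not Listing 18.1 and not from the course's Mini system). It shows the root "hint" zone that makes a caching-only server, the reverse zone for the whole 127/8 network, the optional forwarding settings, a master zone that limits who may pull a zone transfer, and a slave zone that names its master. The zone names example.com/example.net and the 192.0.2.x addresses are assumed placeholders; the two master/slave zones use different names because one named.conf cannot define the same zone twice.

```conf
// Minimal BIND named.conf (added example; not from the textbook).
// Comments may be C (/* */), C++ (//) or shell (#) style - never ';'.
// Unlike C, every closing brace needs a trailing ';'.

options {
    directory "/var/named";      // zone "file" names below are relative to this
    // Forwarding is optional for a caching server.  To forward every lookup
    // to an upstream resolver (placeholder address), uncomment these two:
    // forwarders { 192.0.2.53; };
    // forward only;
    allow-transfer { none; };    // by default nobody may pull our zones
};

// Root hint zone: the current root server list.  The comments at the top of
// named.ca say where to fetch a fresh copy.  This zone alone gives you a
// caching-only server.
zone "." IN {
    type hint;
    file "named.ca";
};

// Reverse mapping for the whole 127.0.0.0/8 loopback network (not just /24).
zone "127.in-addr.arpa" IN {
    type master;
    file "named.local";
};

// A master zone for a domain you own.  The zone file (named here, written
// separately) holds the real names and addresses.  Only the listed slave
// (placeholder address) may start a zone transfer; transfers use TCP port 53.
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.11; };
};

// A slave zone: "masters" gives the server(s) to transfer the zone from
// (placeholder address).  named writes the file itself after the transfer.
zone "example.net" IN {
    type slave;
    file "slaves/example.net.zone";
    masters { 192.0.2.10; };
};
```

Run named-checkconf on the file before (re)starting the server; a missing ';' after a closing brace is the usual reason it refuses to load.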
Another useful DNS tool is "dig". The example below fetches the "a" type (address) records for the host idallen.ca. from the name server localhost:

    $ dig @localhost idallen.ca. a
    ...
    ;; ANSWER SECTION:
    idallen.ca.             7303    IN      A       216.180.243.122
    ...

Where the "host" command often fetches more than you ask for (e.g. it fetches mail delivery MX records too), the "dig" command only asks for exactly what you want. The "dig" command also shows the number of seconds remaining in the cache lifetime of the record fetched.

- What well-known port does DNS use? TCP or UDP or both?

Configuring SMB (Samba) - ALN Chapter 7 p.167
---------------

- What does Samba let a Linux system do? p.167,168
- What is the name of the main Samba config file? p.169
- What is the syntax to define each share in the config file? p.169
- Where is the main Samba config file on your Mini system (absolute path)?
- What is the default workgroup of the Mandrake Mini Samba service? p.170
- What is the name of the SysV start-up script for Samba? (Hint: grep for "samba" in all the SysV start-up scripts)
- In which run levels (if any) is the Samba service configured to start on your Mini system?
- What are the program names (and therefore man page names) of the two daemons started by the Samba start-up script? (Go look!)
- What does the -D option mean to the above two programs? (RTFM)
- Are the above two programs currently running in your Mini system?
- True/False: Samba passwords are always sent in cleartext. p.171
- True/False: Samba can authenticate against the Unix password file. p.171
- True/False: Samba servers running encrypted passwords can accept connections from clients running cleartext passwords. p.171
- Looking in the Samba config file, where is the smb passwd file kept?
- How do I add a user to the Samba password file? p.172
- How can I restrict which hosts connect to my Samba server? p.172
- What is the most common use of a Samba server?
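Pulling the Samba config questions above together (share syntax, the [global] and [homes] sections, encrypted passwords, the smb passwd file, restricting hosts), here is a small smb.conf as an added example; it is not the Mini system's actual file. The LAN prefix 192.168.1. and the /srv/samba/pub path are assumed placeholders; the workgroup name MDKGROUP is the one shown in the smbclient output below.

```conf
# Minimal smb.conf (added example; not from the textbook or the Mini system).
# A share is a [section] header followed by "parameter = value" lines.
# Comments must start a line with '#' or ';' - smb.conf has no trailing comments.

[global]
    workgroup = MDKGROUP
    server string = Samba Server

    # Users authenticate with a Samba password, kept in the smb passwd
    # file and exchanged encrypted on the wire, not with a cleartext
    # password checked against the Unix password file.
    security = user
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd

    # Limit who may connect at all: loopback plus one LAN (placeholder
    # prefix); a trailing '.' means "this network".  Everyone else is denied.
    hosts allow = 127. 192.168.1.
    hosts deny = ALL

# The special [homes] share: when user abcd0001 connects to
# //server/abcd0001, Samba serves that user's own home directory.
# Not browseable, so "smbclient -L" does not list every home directory;
# "%S" expands to the requested share name, i.e. the user name.
[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    valid users = %S

# An ordinary named share: read-only for authenticated users, no guests.
[pub]
    comment = Public files
    path = /srv/samba/pub
    read only = yes
    guest ok = no
```

Check the file with testparm before restarting the Samba daemons; it reports unknown parameters and shows the settings that will actually take effect.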
  p.179
- What is the syntax/format of a basic Samba file share? p.179
- What is the purpose of the special [homes] share? p.179
- Is the [homes] share enabled and browsable on your Mini system?
- What is the purpose of the special [global] share? p.180,169

The "smbclient" Samba client program is useful for debugging Samba configurations on local and remote machines. (The remote machines will need to have the SMB ports open: 445 and possibly 137-139.)

Some distributions suffix the Samba man pages with a version number. If "man smbclient" doesn't work, try to locate the page using "man -k smbclient". That should give the version number.

Typing "smbclient" with no arguments will give you a summary of options.

You can list the Samba shares on a system, local or remote:

    $ smbclient -L localhost
    Password:              # just push RETURN - no password
    Anonymous login successful
    Domain=[MDKGROUP] OS=[Unix] Server=[Samba 3.0.10]
    ...

Once you have set a Samba password, you can log in and connect to various shares, including home directory shares (replace abcd0001 with your Mini system account name):

    $ smbclient //localhost/abcd0001 -U abcd0001
    Password:              # enter the password you gave to smbpasswd for abcd0001
    Domain=[SOMEHOST] OS=[Unix] Server=[Samba 3.0.10]
    smb: \> help
    ...
    smb: \> ls
    ...

Without the "-U" option to set your logon userid, smbclient defaults to using the userid in the Linux $USER environment variable.

The smbclient interface is FTP-like - put and get work as you expect:

    smb: \> help get
    HELP get:
            [local name] get a file

You can run single commands and save the output using the "-c" option of smbclient:

    $ smbclient //localhost/tmp -U abcd0001 -c "ls" >out
    Password:
    Domain=[SOMEHOST] OS=[Unix] Server=[Samba 3.0.10]
    $ cat out
    ...

Configuring HTTP (Apache) - ALN Chapter 20 p.527
----------------

The book (published 2002) talks only of Apache Version 1. Some newer web sites are using Apache Version 2, which has some different configuration details.
Some of the program names have changed to have a version number "2" added; most of the man pages are still named for the program without the suffix, e.g. you ask for "man httpd" not "man httpd2".

We'll look at the common configuration options between Version 1 and Version 2:

- What does a Web server do? p.528
- True/False: The Apache server also handles ftp:// URLs. p.528
- True/False: a single web server can only host a single web site. p.529
- What are the trade-offs in running your own Web server, instead of outsourcing to a Web hosting service? p.529
- True/False: all Unix web servers (e.g. thttpd) occupy about the same amount of memory as Apache. p.531
- What is the name of the SysV start-up script for Apache? (Hint: grep for "apache" in all the SysV start-up scripts)
  Much code in the Apache start-up script attempts to do the "right thing" for running either Apache Version 1 or Apache Version 2. This makes the script rather complex!
- The bottom of the Apache start-up script has a huge shell "case" statement defining all the possible arguments you might type in addition to the usual "start" and "stop" arguments. What is the name of the argument that causes a test of the configuration files? ...that gives a brief status report on the running server?
- In which run levels (if any) is the Apache service configured to start on your Mini system?
- What are the program names (and therefore man page names) of the two daemons started by the Apache start-up script? (Go look!) Bug: one of the two daemon programs has no man page!
- Are both the above Apache programs currently running on your Mini system?
- What is the name of the main Apache config file? p.532
  Note: Apache Version 2 often names the file httpd2.conf. Using grep on the list of all packages installed on your Mini system, determine whether your system is running Apache Version 1 or Version 2.
- Where is the main Apache config file on your Mini system (absolute path)?
  (The file has a first line of "### Main Configuration Section".)
- Looking in the config file, what is the path to the ServerRoot for your Mandrake Mini system? What is the path to the DocumentRoot? What other Global configuration files are included by the main configuration file using "Include" directives?
- Looking at the ServerRoot path, what is the absolute pathname of the included commonhttpd.conf file on your Mini system?
- What is the general syntax used in the Apache config files? p.533
- What is the new (Version 2) name of the Apache mime.types config file? (Look in the config directory on your Mini system.)
- How can you change what port the web server listens on? p.537
  (The Port and BindAddress directives on p.537 only work for Apache v1 - Apache v2 uses "Listen" for both, e.g. "Listen 127.0.0.0:8080".)
- How can you change where HTML documents are stored? p.539

A great resource that documents in short form all the many configuration directives used by Apache is the "Directive Quick-Reference" link under:

    http://httpd.apache.org/docs-2.0/