
INSTITUTO TECNOLÓGICO Y DE ESTUDIOS SUPERIORES DE MONTERREY

Campus Mazatlán

Client-Server Oriented Systems

DNS WORKSHOP

January - May Semester

Mazatlán, Sinaloa.
Virtual PC
Using the Virtual PC tool, set up two servers with the following characteristics:

Server: principal.grupovaladez.com
Password: mazatlan
RAM: 128
Hard disk: 5 GB

Server: secundario.grupovaladez.com
Password: mazatlan
RAM: 128
Hard disk: 5 GB

Network configuration.
Set up two networks:
Adapter 1: the host machine's network
Adapter 2: local network
# Network configuration on PRINCIPAL
ifconfig_de0="DHCP"
ifconfig_de1="inet 192.168.1.1 netmask 255.255.255.0" # internal LAN, the same 192.168.1.0/24 used by the DHCP scope, the zone file and the named.conf acl
hostname="dns1.grupovaladez.com"
# Network configuration on SECUNDARIO
ifconfig_de0="DHCP"
ifconfig_de1="inet 192.168.1.2 netmask 255.255.255.0"
hostname="secundario.grupovaladez.com" # each server needs its own hostname

Kernel configuration

cd /usr/src/sys/i386/conf
cp GENERIC PRINCIPAL
Add the following to PRINCIPAL:

# Quota support - limit disk space per user.
options QUOTA
# Firewall support.
options IPFIREWALL #firewall
options IPDIVERT # divert sockets, required for natd to act as the gateway
options IPFIREWALL_VERBOSE #enable logging to syslogd
options IPFIREWALL_FORWARD #enable transparent proxy support
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
# VPN support
options IPSEC #IP security
options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
options IPSEC_DEBUG #debug for IP security

Run: /usr/sbin/config PRINCIPAL

cd ../compile/PRINCIPAL
Run:
make depend && make && make install && reboot

Rules file /etc/firewall.rules (the only filtering rule is the divert to natd; the last rule passes all traffic):

-f flush
add divert natd all from any to any via de0
add pass all from any to any

DHCP
Installed from: /usr/ports/net/isc-dhcp3-server
Add these lines to /etc/rc.conf:
dhcpd_enable="YES" # dhcpd enabled?
dhcpd_flags="-q" # command option(s)
dhcpd_conf="/usr/local/etc/dhcpd.conf" # configuration file
dhcpd_ifaces="" # ethernet interface(s)
dhcpd_withumask="022" # file creation mask
Your /usr/local/etc/dhcpd.conf file should contain something like:
# GRUPO valadez
# option definitions common to all supported networks...
option ntp-servers 192.168.1.1;
option domain-name "grupovaladez.com";
option domain-name-servers 192.168.1.1;
option netbios-name-servers 192.168.1.1;
option netbios-node-type 8;
default-lease-time 86400;
max-lease-time 172800;

# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.
ddns-updates on;
ddns-update-style ad-hoc;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# the declared subnet must contain the range, the routers option and the
# fixed addresses below; otherwise dhcpd refuses to start
subnet 192.168.1.0 netmask 255.255.255.0 {
  range dynamic-bootp 192.168.1.50 192.168.1.253;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  allow unknown-clients;

  host cliente {
    hardware ethernet 08:00:46:7a:35:e4;
    fixed-address 192.168.1.10;
  }

  host cliente-02 {
    hardware ethernet 00:03:47:cb:81:e0;
    fixed-address 192.168.1.11;
  }
}
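A consistency check for a dhcpd scope, added here as an example and not part of the workshop: it parses the subnet, range, routers and host declarations of one scope and reports addresses outside the declared subnet, fixed addresses that overlap the dynamic range, and reused MACs or addresses. Both excerpts are constructed; the first declares the subnet as 192.168.0.0 while its range, routers and fixed addresses are in 192.168.1.0/24 (the mismatch on which dhcpd refuses to start), the second declares 192.168.1.0 and passes. Function and constant names are mine.

```python
import ipaddress
import re

# Constructed dhcpd.conf scopes (not from the workshop). BAD_SCOPE declares the
# subnet as 192.168.0.0 while its range, routers and fixed addresses live in
# 192.168.1.0/24; GOOD_SCOPE is the same declaration with the subnet corrected.
BAD_SCOPE = """\
subnet 192.168.0.0 netmask 255.255.255.0 {
  range dynamic-bootp 192.168.1.50 192.168.1.253;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  allow unknown-clients;
  host cliente {
    hardware ethernet 08:00:46:7a:35:e4;
    fixed-address 192.168.1.10;
  }
  host cliente-02 {
    hardware ethernet 00:03:47:cb:81:e0;
    fixed-address 192.168.1.11;
  }
}
"""
GOOD_SCOPE = BAD_SCOPE.replace("subnet 192.168.0.0", "subnet 192.168.1.0")

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")
RANGE_RE = re.compile(r"\brange(?:\s+dynamic-bootp)?\s+(\S+)\s+(\S+)\s*;")
ROUTERS_RE = re.compile(r"option\s+routers\s+(\S+)\s*;")
HOST_RE = re.compile(r"host\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;")
FIXED_RE = re.compile(r"fixed-address\s+(\S+)\s*;")


def parse_scope(text):
    """Pull the pieces of one subnet declaration that the checks below need."""
    m = SUBNET_RE.search(text)
    if not m:
        raise ValueError("no subnet declaration found")
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    r = RANGE_RE.search(text)
    g = ROUTERS_RE.search(text)
    hosts = []
    for h in HOST_RE.finditer(text):
        mac, fixed = MAC_RE.search(h.group(2)), FIXED_RE.search(h.group(2))
        hosts.append((h.group(1),
                      mac.group(1).lower() if mac else None,
                      ipaddress.ip_address(fixed.group(1)) if fixed else None))
    return {
        "net": net,
        "range": (ipaddress.ip_address(r.group(1)), ipaddress.ip_address(r.group(2))) if r else None,
        "router": ipaddress.ip_address(g.group(1)) if g else None,
        "hosts": hosts,
    }


def check_scope(scope):
    """Return a list of problems; an empty list means the scope is consistent."""
    problems = []
    net, rng = scope["net"], scope["range"]
    if rng:
        lo, hi = rng
        if lo not in net or hi not in net:
            problems.append(f"range {lo}-{hi} is not inside subnet {net}")
        elif lo > hi:
            problems.append(f"range start {lo} is above its end {hi}")
    if scope["router"] is not None and scope["router"] not in net:
        problems.append(f"router {scope['router']} is not inside subnet {net}")
    seen_mac, seen_ip = {}, {}
    for name, mac, ip in scope["hosts"]:
        if mac is None or ip is None:
            problems.append(f"host {name}: missing hardware ethernet or fixed-address")
            continue
        if ip not in net:
            problems.append(f"host {name}: fixed-address {ip} is outside subnet {net}")
        if rng and rng[0] <= ip <= rng[1]:
            problems.append(f"host {name}: fixed-address {ip} overlaps the dynamic range")
        if mac in seen_mac:
            problems.append(f"host {name}: MAC {mac} is already used by {seen_mac[mac]}")
        if ip in seen_ip:
            problems.append(f"host {name}: address {ip} is already used by {seen_ip[ip]}")
        seen_mac.setdefault(mac, name)
        seen_ip.setdefault(ip, name)
    return problems


def check_text(text):
    """Parse and check a single-scope dhcpd.conf text in one step."""
    return check_scope(parse_scope(text))


if __name__ == "__main__":
    for label, text in (("bad", BAD_SCOPE), ("good", GOOD_SCOPE)):
        print(label, check_text(text) or ["consistent"])
```

The checker only understands one subnet declaration per text and the option forms used in this handout; it is meant to be run before `dhcpd` is restarted, so that a scope edit that cannot be served is caught before clients lose their leases.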

NATD
To make the server a gateway that lets the other machines reach the Internet, configure it as follows.
This requires the new kernel to have been compiled with the firewall options.
Add the following lines to /etc/rc.conf:
# Security. Also required for Internet sharing
firewall_enable="YES"
firewall_type="/etc/firewall.rules"
firewall_logging="YES"
firewall_script="/etc/rc.firewall"

# Internet sharing
gateway_enable="YES"
natd_enable="YES"
natd_interface="de0" # the external (DHCP) interface, the one the divert rule in /etc/firewall.rules names

DNS
The DNS service is enabled from sysinstall, which turns on this line in rc.conf:
named_enable="YES"
Run make-localhost; it generates these files:
#/etc/namedb/master> ls
localhost-v6.rev localhost.rev

Next, configure the grupovaladez.com zone (the file master/grupovaladez.com that named.conf refers to) as shown:

$ORIGIN .
$TTL 38400 ; 10 hours 40 minutes
grupovaladez.com IN SOA principal.grupovaladez.com. root.grupovaladez.com. (
                        2005123001 ; serial
                        10800      ; refresh (3 hours)
                        3600       ; retry (1 hour)
                        604800     ; expire (1 week)
                        38400      ; minimum (10 hours 40 minutes)
                        )
; records without an owner name must be indented so they keep grupovaladez.com as owner
                 NS    principal.grupovaladez.com.
                 MX 10 mail.grupovaladez.com.
$ORIGIN grupovaladez.com.
principal   A     192.168.1.1
secundario  A     192.168.1.2
www         CNAME principal
mail        CNAME principal
dns         CNAME principal
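An added example, not part of the workshop: a small master-file parser that reads the zone above (copied here as a constructed string, with the owner-less NS and MX lines indented so they inherit the apex), checks the NS, MX and CNAME targets, and renders the reverse zone master/192.168.1.0.rev that named.conf refers to but the handout does not show. The parser resolves relative names against $ORIGIN and collects multi-line parenthesised records; the target check reports the MX that points at the `mail` CNAME, which RFC 2181 section 10.3 does not allow (point the MX at principal, or give mail its own A record). Function names are mine, and the generated reverse zone reuses the forward zone's SOA timers.

```python
import ipaddress

# Constructed copy of the forward zone on this page (master/grupovaladez.com).
# Records without an owner name are indented so they inherit the previous owner.
FORWARD_ZONE = """\
$ORIGIN .
$TTL 38400 ; 10 hours 40 minutes
grupovaladez.com IN SOA principal.grupovaladez.com. root.grupovaladez.com. (
        2005123001 ; serial
        10800      ; refresh (3 hours)
        3600       ; retry (1 hour)
        604800     ; expire (1 week)
        38400      ; minimum (10 hours 40 minutes)
        )
        NS principal.grupovaladez.com.
        MX 10 mail.grupovaladez.com.
$ORIGIN grupovaladez.com.
principal A 192.168.1.1
secundario A 192.168.1.2
www CNAME principal
mail CNAME principal
dns CNAME principal
"""


def _absolute(name, origin):
    """Turn a relative owner or target name into a fully qualified one."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text):
    """Parse master-file syntax into (owner, type, rdata) triples with absolute names.
    Handles $ORIGIN, $TTL, ';' comments, multi-line '(...)' records and owner
    inheritance; TXT strings that contain ';' are not handled."""
    origin, owner, records = ".", None, []
    toks, depth, inherits = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip():
            continue
        if depth == 0:                      # start of a new logical record
            toks, inherits = [], raw[0].isspace()
        depth += line.count("(") - line.count(")")
        toks += line.replace("(", " ").replace(")", " ").split()
        if depth > 0:                       # still inside a parenthesised record
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0] == "$TTL":
            continue
        if not inherits:
            owner = _absolute(toks.pop(0), origin)
        if toks[0].isdigit():               # optional per-record TTL
            toks.pop(0)
        if toks[0].upper() == "IN":         # optional class
            toks.pop(0)
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [_absolute(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], _absolute(rdata[1], origin)]
        records.append((owner, rtype, rdata))
    return records


def target_problems(records):
    """Check NS/MX/CNAME targets inside the zone: a target with no A or CNAME record
    is dangling; an NS or MX target that is a CNAME violates RFC 2181 section 10.3."""
    zone = next(o for o, t, _ in records if t == "SOA")
    defined = {o for o, t, _ in records if t in ("A", "AAAA", "CNAME")}
    aliases = {o for o, t, _ in records if t == "CNAME"}
    problems = []
    for owner, rtype, rdata in records:
        index = {"NS": 0, "CNAME": 0, "MX": 1}.get(rtype)
        if index is None:
            continue
        target = rdata[index]
        if target != zone and not target.endswith("." + zone):
            continue                        # external name, not ours to check
        if target not in defined:
            problems.append((owner, rtype, target, "dangling"))
        elif rtype != "CNAME" and target in aliases:
            problems.append((owner, rtype, target, "alias"))
    return problems


def reverse_zone(records, network, primary_ns, mailbox, serial, ttl=38400):
    """Render the in-addr.arpa zone for an IPv4 /24 from the A records of a forward zone."""
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("only IPv4 /24 reverse zones are handled here")
    o1, o2, o3, _ = str(net.network_address).split(".")
    zone = f"{o3}.{o2}.{o1}.in-addr.arpa."
    lines = [f"$TTL {ttl}", f"$ORIGIN {zone}",
             f"@ IN SOA {primary_ns} {mailbox} ( {serial} 10800 3600 604800 {ttl} )",
             f"  NS {primary_ns}"]
    ptrs = sorted((int(ipaddress.ip_address(r[0])) - int(net.network_address), owner)
                  for owner, rtype, r in records
                  if rtype == "A" and ipaddress.ip_address(r[0]) in net)
    lines += [f"{host} PTR {owner}" for host, owner in ptrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_zone(FORWARD_ZONE)
    print(target_problems(recs))
    print(reverse_zone(recs, "192.168.1.0/24", "principal.grupovaladez.com.",
                       "root.grupovaladez.com.", 2005123001))
```

The rendered reverse zone is itself valid master-file syntax, so it can be fed back through `parse_zone` as a self-check before it is written to /etc/namedb/master and loaded by named.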
Note: by default named only answers local queries; the corresponding line has to be commented out:
// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
listen-on { 127.0.0.1; };

Our named.conf file should then have the following configuration:

// $FreeBSD: src/etc/namedb/named.conf,v 1.15.2.3 2005/03/23 17:35:58 dougb Exp $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works. Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.

options {
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";

// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
// listen-on { 127.0.0.1; };

// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver. To give access to the network, specify
// an IPv6 address, or the keyword "any".
// listen-on-v6 { ::1; };

// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
// forward only;

// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below. This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
/*
forwarders {
127.0.0.1;
};
*/
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND versions 8 and later
* use a pseudo-random unprivileged UDP port by default.
*/
// query-source address * port 53;
};
// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.

zone "." {
type hint;
file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "master/localhost.rev";
};

acl mynet {
192.168.1.0/24;
127.0.0.1;
};

// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
type master;
file "master/localhost-v6.rev";
};

// RFC 1886 -- deprecated
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
type master;
file "master/localhost-v6.rev";
};

zone "grupovaladez.com" {
type master;
file "master/grupovaladez.com";
allow-query {
mynet;
};
allow-transfer {
mynet;
};
allow-update {
mynet;
};
};

zone "1.168.192.in-addr.arpa" {
type master;
file "master/192.168.1.0.rev";
allow-query {
mynet;
};
allow-transfer {
mynet;
};
allow-update {
mynet;
};
};
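An added audit script, not part of the workshop, for the access-control side of named.conf: it parses the acl and zone statements, expands ACL names into their members, and reports master zones that accept dynamic updates or zone transfers from anything other than the server itself or, for transfers, from hosts other than the declared secondaries; it also catches an ACL that is referenced before it is defined, which named rejects. Both named.conf texts are constructed from the zones above: the first keeps allow-update and allow-transfer at { mynet; }, so every host in 192.168.1.0/24 may rewrite the zone and copy it; the hardened variant narrows updates to 127.0.0.1 (the dhcpd doing the ad-hoc DDNS runs on principal) and transfers to secundario at 192.168.1.2. Function and constant names are mine.

```python
import ipaddress
import re

# Constructed named.conf excerpt modelled on the acl and zone statements on this
# page (options block and comments omitted); not the workshop's own file.
NAMED_CONF = """\
acl mynet {
    192.168.1.0/24;
    127.0.0.1;
};

zone "grupovaladez.com" {
    type master;
    file "master/grupovaladez.com";
    allow-query { mynet; };
    allow-transfer { mynet; };
    allow-update { mynet; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "master/192.168.1.0.rev";
    allow-query { mynet; };
};
"""

# The same zones with rights narrowed to the hosts that need them: updates only from
# the dhcpd on this host, transfers only to the secondary at 192.168.1.2.
HARDENED_CONF = (NAMED_CONF
    .replace("allow-transfer { mynet; };", "allow-transfer { 192.168.1.2; };")
    .replace("allow-update { mynet; };", "allow-update { 127.0.0.1; };")
    .replace('file "master/192.168.1.0.rev";',
             'file "master/192.168.1.0.rev";\n    allow-transfer { 192.168.1.2; };'))

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}


def tokenize(text):
    """Drop /* */, // and # comments, then split into words, quoted strings and { } ;."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)      # (would also cut a '#' inside quotes)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)


def parse_block(tokens, i=0):
    """Build nested (head words, children) statements from a token list."""
    stmts, head = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            children, i = parse_block(tokens, i + 1)
            stmts.append((head, children))
            head = []
        elif tok == "}":
            return stmts, i + 1
        elif tok == ";":
            if head:
                stmts.append((head, None))
            head = []
            i += 1
        else:
            head.append(tok.strip('"'))
            i += 1
    return stmts, i


def _is_loopback(member):
    """True for match-list entries that only ever match the server itself."""
    if member == "localhost":
        return True
    try:
        return ipaddress.ip_network(member, strict=False).is_loopback
    except ValueError:
        return False


def audit(text, secondaries=()):
    """Return (zone, directive, message) findings for the master zones in a named.conf."""
    stmts, _ = parse_block(tokenize(text))
    acls, findings = {}, []
    for head, children in stmts:
        if head[:1] == ["acl"] and children is not None:
            acls[head[1]] = [h[0] for h, _ in children]   # nested acl names are not expanded
            continue
        if head[:1] != ["zone"] or children is None:
            continue
        zone = head[1]
        opts = {h[0]: (h[1:], c) for h, c in children}
        if opts.get("type", ([], None))[0] not in (["master"], ["primary"]):
            continue
        for directive in ("allow-update", "allow-transfer"):
            if directive not in opts:
                if directive == "allow-transfer":
                    findings.append((zone, directive,
                                     "not set; older BIND 9 releases then allow transfers to any host"))
                continue
            for h, _ in opts[directive][1]:
                member = h[0]
                if member in acls:
                    members = acls[member]
                elif member in BUILTIN_ACLS:
                    members = [member]
                else:
                    try:
                        ipaddress.ip_network(member, strict=False)
                        members = [member]
                    except ValueError:          # named requires acl definitions before use
                        findings.append((zone, directive,
                                         f"uses ACL '{member}', which is not defined before this zone"))
                        continue
                for m in members:
                    if m == "none" or _is_loopback(m):
                        continue
                    if directive == "allow-transfer" and m in secondaries:
                        continue
                    what = "dynamic updates" if directive == "allow-update" else "zone transfers"
                    findings.append((zone, directive, f"accepts {what} from {m}"))
    return findings


if __name__ == "__main__":
    for finding in audit(NAMED_CONF, secondaries=("192.168.1.2",)):
        print(*finding)
    print("hardened:", audit(HARDENED_CONF, secondaries=("192.168.1.2",)))
```

The audit treats allow-query as uninteresting for an internal zone and looks only at the two directives that let a remote host change or copy the zone; `named-checkconf` still has to be run for syntax, since this parser accepts more than named does.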

RC.CONF
Use the following file as a reference (it comes from a machine whose interfaces are xl0 and fxp0; in the Virtual PC setup above they are de0 and de1):
sshd_enable="YES" # SSH service
apache_enable="YES" # WWW service
mysql_enable="YES" # MySQL database
samba_enable="YES" # Share folders with Windows
cups_enable="YES" # Printers; used together with Samba
sendmail_enable="YES" # Mail service
named_enable="YES" # DNS server
ddclient_enable="YES" # Update the DynDNS IP address

# Internet sharing
gateway_enable="YES"
natd_enable="YES"
natd_interface="xl0"

# DHCP
dhcpd_enable="YES" # dhcpd enabled?
dhcpd_flags="-q" # command option(s)
dhcpd_conf="/usr/local/etc/dhcpd.conf" # configuration file
dhcpd_ifaces="" # ethernet interface(s)
dhcpd_withumask="022" # file creation mask

# Security. Also required for Internet sharing
firewall_enable="YES"
firewall_type="/etc/firewall.rules"
firewall_logging="YES"
firewall_script="/etc/rc.firewall"

# Network configuration
ifconfig_xl0="DHCP"
ifconfig_fxp0="inet 192.168.1.1 netmask 255.255.255.0"
hostname="dns1.grupovaladez.com"

# Other
usbd_enable="YES"
linux_enable="YES"

Installing ddclient is recommended.

DDCLIENT
Create your account, domains and subdomains at http://www.dyndns.org
Add to /etc/rc.conf: ddclient_enable="YES"
Once it is installed, the system asks you to copy /usr/local/etc/ddclient.conf.sample to
/usr/local/etc/ddclient.conf. Once that is done, configure ddclient.conf as follows (the file
holds the DynDNS password in clear text, so keep it readable by root only):
daemon=300 # check every 300 seconds
syslog=yes # log update msgs to syslog
mail=root # mail all msgs to root
mail-failure=root # mail failed update msgs to root
pid=/var/run/ddclient.pid # record PID in file.
use=web, web=checkip.dyndns.org # learn the public address from the web, not from a local interface
protocol=dyndns2 # default protocol
login=usuario # default login
password=clave # default password
server=members.dyndns.org
custom=yes, \
wildcard=yes \
grupovaladez.com
