Practice 4 – Pure-FTPd on Centos

The aim of this practice is that students become familiar with the process of installing an FTP server, both from side to Not Limited Limited.

You will need to install on the server software.Of different implementations of existing FTP servers, work with Pure-FTPd.

Pure-FTPd is a free FTP server based on Troll-FTPd. The main objectives of this FTP server are efficiency, security and ease of use. It is designed to be secure in its default configuration, has no known buffer overflows and is very easy to install.  It is designed for modern kernel and has been successfully ported to Linux
FreeBSD, OpenBSD, BSDi, etc FreeBSD, OpenBSD, BSDI, etc

To help we will use the documentation in the web of pureftp. Documentation

The development of practice will be held in several sections:

Practice 3 – Mail server on Centos – Postfix

It will proceed to configure two systems on the network that we have assigned, the first system will be the main system and the 2nd the booking system.

Main system

1) Obtain and install the Postfix mail server.

To install Postfix mail server, we will use the tool to add and remove software that comes with Centos, follow these steps:

Applications → Add / Remove Software → Servers → Options → Mail Servers additional

Once there select the Postfix server. We then applied the changes and we will have the Sendmail server installed and removed.

2) Configure the system to activate the email service each time you start the system.

To do this go to System menu and there do the following:

System → Administration → Services

In the window that appears, select the server as a service to activate Postfix: Since these simple steps have enabled Postfix server as a service.

3) Configurar el servidor de correo conConfigure the mail server with the following characteristics:

3-a) A post office is configured level 2, where the post office on level 1 for the resident on the machine neptuno.redes.dis.ulpgc.es.

For Postfix server configuration we will make use of your configuration file that is present in / etc / postfix / main.cfg. First we are asked to configure a two-level courier, this will be the machine called a gateway, while the post office a level which we will indicate in the statement. The amendments to be made in the configuration file are:

$ vim /etc/postfix/main.cfg

where the line will introduce

relayhost = [neptuno.redes.dis.ulpgc.es]

3-b) Should accept mail for mailboxes as usuario@red2.redes.dis.ulpgc.es.

To accept mail for mailboxes that way, we have to insert in the configuration file / etc / postfix / main.cfg

myhostname = pasarela.red2.redes.dis.ulpgc.es mydomain = red2.redes.dis.ulpgc.es myorigin = $mydomain mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

Where:

• myhostname = Nombre de la máquina que corre Postfix.
• mydomain = El dominio de la estafeta de nivel 2.
• myorigin = El nombre de dominio del correo saliente.
• mydestination = Para que dominios recibe correos.

3-c) develop at least 3 mailbox.

To create mailboxes, we simply create new users, and the system automatically creates mailboxes for those that are present in / var / spool / mail. To create the users are going to use the graphical manager for this go to user manager and created three new user:

• user1
• user2
• user3

so that we automatically create three files for the mailboxes in the system:

• /var/spool/mail/user1 • /var/spool/mail/user2 • /var/spool/mail/user3

3-d) Must allow relaying only to machines in your network or domain.

Allowing relaying means that mails sent from the local MTA, are passed to another MTA, for this send mail. Thus we have to add the configuration file are the following lines:

mynetworks = 172.16.2.0/8, 127.0.0.0/8 relay_domains = $mynetworks, $mydestination

3-e) The maximun size of the mailbox is 10 Mbytes.

To limit the mailbox size to a specific capacity, we use the following line to introduce into the configuration file.

mailbox_size_limit = 10000000

3-f) should be defined alias for the following mailboxes.

• webmaster@redx.redes.dis.ulpgc.es
• postmaster@redx.redes.dis.ulpgc.es
• ftp@redx.redes.dis.ulpgc.es

To create aliases for mailboxes are going to modify the / etc / aliases and at the end we introduce the following lines

webmaster: user1 postmaster: user2 ftp: user3

3-g) shall not accept mail from this domain is not declared.

To limit the emails that are no existing domains introduce the following line

unknown_local_recipient_reject_code = 55

3-h) Will be conducted only for mail relaying messages where the sender of the message (mail from) belongs to the domain red2.redes.dis.ulpgc.es.

We introduce the following line

smtpd_sender_restrictions = check_sender_access regexp:/exp/postfix/access

And in the file to which we refer to / etc / postfix / access introduced.

/@red2\.redes\.dis\.ulpgc\.es$/ OK /.*/ 554 La direccion de correo no pertenece a nuestra red

4) Installing and configuring imapd to access encryption (SSL) and unencrypted user agents to their mailboxes.

To do this we use the Dovecot daemon is an IMAP and POP3 server open source GNU / Linux / UNIX-like, written primarily thinking in security. To do this we will do through the utility to add and remove software on CentOS, I select Dovecot and once installed, proceed to edit your configuration file present in /etc/dovecot.conf. In this file add the following lines.

protocols = imap imaps

Reserve System

1) Obtain and install the Postfix mail server.

This process is the same as when you install Postfix server on the gateway machine.

2) Configure the system to activate the email service each time you start the system.

Same as in the gateway machine.

3) Configure the mail server with the following characterics:

3-a) act only as a mail relay for the domain red2.redes.dis.ulpgc.es.

To configure the Postfix server in the machine station, edit the configuration file / etc / postfix / main.cfg and introduce the following line

relay_domains = $mydestination

With this last step we terminate the practice, now we only have to configure a mail client and make sure it works properly, or we can send a mail via telnet and then access the file where you saved the mail received and verify that everything works properly.

Send an email by Telnet.

Open a terminal and type the command telnet server + mail + server port to use

$ 
telnet 
pasarela.red2.redes.dis.ulpgc.es
 25 Trying
 172.16.2.1... Connected
 to 
pasarela.red2.redes.dis.ulpgc.es 
(172.16.2.1). Escape
 character 
is 
'^]'. 220
 pasarela.red2.redes.dis.ulpgc.es 
ESMTP 
Postfix

We identify the system as AaronMR by the command "helo"

helo 
AaronMR 250 
pasarela.red2.redes.dis.ulpgc.es

indicate who the email sender, which in this case esaaronMR@red2.redes.dis.ulpgc.es and that he will send an email to destinatariouser3@red2.redes.dis.ulpgc.es

mail
 from: aaronMR@red2.redes.dis.ulpgc.es 250 
2.1.0
 Ok rcpt 
to: user3@red2.redes.dis.ulpgc.es 250
 2.1.5 
Ok

And we started writing the body of the message through the command "data", to finish writing introduce a "." and give to enter, then type quit to close the connection to the server.

data 354
 End 
data 
with 
. esto
 es 
una
 prueba 
de 
envio 
al
user 
3
 por 
telnet . 250
 2.0.0 
Ok: 
queued 
as 
8DB7817AF7 quit 221
2.0.0
 Bye Connection
 closed 
by 
foreign 
host.
.

Thanks for your attention ...

Practice 2 – DNS in Centos

The aim of this practice is that students become familiar with the process of assigning names to IP addresses in both networks using a name server as in those that do not operate that way. This practice was developed in two phases:

A) Setting up a domain without using DNS.

At this stage the student must configure each of the teams that make up your network so that from each of the stations, remote systems can be accessed using the names assigned to each of them. To carry out this process must properly configure the following files

/etc/hosts
/etc/networks
/etc/host.conf
/etc/nsswitch.conf

so that systems can be achieved both its domain and external domains.
We begin by setting the hostname we call gateway. If you type in the terminal the command "hostname", you return the name of the machine in this case and before the setting is "localhost.localdomain".

To carry out the change of name, edit the file "/ etc / sysconfig / network"

$ vim /etc/sysconfig/network

where we introduce the following line

HOSTNAME=pasarela.red2.redes.dis.ulpgc.es

station and introduce the following line

HOSTNAME=estacion.red2.redes.dis.ulpgc.es

then restart the network service.

$ /etc/init.d/network restart

and found that the name has been successfully restored in the terminal by typing "hostname"

Gateway:

$ hostname

estacion.red2.redes.dis.ulpgc.es

Station;

$ hostname

estacion.red2.redes.dis.ulpgc.es

We already have the names of the computers configured now proceed to enter the addresses of the computers with IP addresses, to do this edit the file "/ etc / hosts"

$ vim /etc/hosts

where we introduce the following lines:

172.16.2.1      pasarela.red2
172.16.1.2      pasarela.red2
172.16.2.2     estacion.red2

where the gateway is the name of the machine that has two network cards, you can see that this information is detailed in the configuration file as the "estacion.red2" has two IP addresses, one of the internal network, and another of the external network.

We do the same in the file "/ etc / hosts" of the machine called station, which will introduce the following lines:

172.16.2.1      pasarela.red2

172.16.2.2      estacion.red2

To verify that you have already made the necessary changes, we can test them by pinging the machine names:

$ ping estacion.red2
$ ping pasarela.red2

and we can see that we hear

PING pasarela.red2 (172.16.2.1) 56(84) bytes of data.
64 bytes from pasarela.red2 (172.16.2.1): icmp_seq=1 ttl=64 time=0.025 ms
64 bytes from pasarela.red2 (172.16.2.1): icmp_seq=2 ttl=64 time=0.025 ms
64 bytes from pasarela.red2 (172.16.2.1): icmp_seq=3 ttl=64 time=0.024 ms

B) Configuration and operation of DNS servers for your domain with the following characteristics:

b-1) own domain Primary Server

As a DNS server will use the software dedicated to it called BIND9, for this we will proceed with the installation of Centos package manager, installing the software also was installed Bind-Bind CHRO.

Once installed proceed to the configuration files present on the primary server is the machine called a gateway, the secondary server will be at the station.

The gateway we set up the following files:

•    Named.conf     (/etc/named.conf)
•    db.red2     (/var/named/db.red2)
•    db.172.16.2    (/var/named/db.172.16.2)
•    named.root    (/var/named/named.root)
•    db.127.0.0    (/var/named/db.127.0.0)

The route detailed above would be where those files would normally, but in our case and after installing Chroot-BIND, the files present in / var / named and / etc / reamente are links to files present in / var / named chroot / var / named, thus encapsulate all these files in the chroot for added security.

Before beginning the work of the realization of the configuration files must be said that it is recommended phased development of these, because if a problem occurs and the server will not start we would be hard to find the problem.

Also we use the log file to monitor initialization, and operation of the DNS server in order to view this file we'll do the following command:

$ tail -80 /var/log/messages |grep named

Initially we will have to create and configure the / etc / named.conf, if we remember this file in that path is a link to the original file present in / var / named / chroot / etc / named.conf, thus proceed to create it and to create the link:

$ vim /var/named/chroot/etc/named.conf

$ ln  /var/named/chroot/etc/named.conf    /etc/named.conf

In this initial configuration file will start the service, then explained the content present in our case:

named.conf

options{

directory "/var/named";

};

zone "." IN {

type hint;

file "named.root";

};

zone "red2.redes.dis.ulpgc.es" IN {

type master;

file "db.red2";

allow-transfer{172.16.2.2;};

};

zone "2.16.172.in-addr.arpa" IN {

type master;

file "db.172.16.2";

allow-transfer {172.16.2.2;};

};

zone "0.0.127.in-addr.arpa" IN {

type master;

file "db.127.0.0";

};

The options statement defines server settings and configure global defaults for other statements. It can be used to specify the location of the named working directory, the types of queries allowed, and more.

In this case and initial setup is used to specify the working directory.

A zone statement defines the characteristics of an area as the location of your configuration file and zone-specific options. This statement may be used to override the global options statements.

In our case we see multiple zone statements, these are the zones in our network, we have statements by forward and reverse zone as well as local or localhost declaration and the root zone servers that are the root servers worldwide.

The zone statement is determined by a domain immediately following the word zone and then inside several options, depending on the options you can specify a zone type that can be master, slave or hint:

• type master:    The master type means that this area is given this name server. It is something that requires a good zone file configured.
• type slave:     slave type means that this area is transferred from another name server. It should be used together with masters.
• type hint:     hint zone type is used to indicate the root name servers. It is a zone definition that is not modified.

In our configuration file we can see the different areas declared:

• zone “.” = zona encargada de indicar los servidores raíz, cuyo archivo de configuración se encuentra en /var/named/named.root.
• zone “red2.redes.dis.ulpgc.es” = zona que describe el dominio red2.redes.dis.ulpgc.es y todos las máquinas presentes en ese dominio, el archivo de configuración se encuentra en /var/named/db.red2.
• zone "2.16.172.in-addr.arpa"  = se encarga de la resolución inversa de la zona red2.redes.dis.ulpgc.es cuyo archivo de configuración está presente en /var/named/db.172.16.2.
• zone "0.0.127.in-addr.arpa"  = se encarga de la resolución inversa de la zona local o de localhost cuyo archivo de configuración esta presente en /var/named/db.127.0.0.

Below are the zone configuration file:

/var/named/chroot/var/named/named.root

; <<>> DiG 9.5.0b2 <<>> +bufsize=1200 +norec NS . @a.root-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7033
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 20

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                IN    NS

;; ANSWER SECTION:
.            518400    IN    NS    D.ROOT-SERVERS.NET.
.            518400    IN    NS    E.ROOT-SERVERS.NET.
.            518400    IN    NS    F.ROOT-SERVERS.NET.
.            518400    IN    NS    G.ROOT-SERVERS.NET.
.            518400    IN    NS    H.ROOT-SERVERS.NET.
.            518400    IN    NS    I.ROOT-SERVERS.NET.
.            518400    IN    NS    J.ROOT-SERVERS.NET.
.            518400    IN    NS    K.ROOT-SERVERS.NET.
.            518400    IN    NS    L.ROOT-SERVERS.NET.
.            518400    IN    NS    M.ROOT-SERVERS.NET.
.            518400    IN    NS    A.ROOT-SERVERS.NET.
.            518400    IN    NS    B.ROOT-SERVERS.NET.
.            518400    IN    NS    C.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.    3600000    IN    A    198.41.0.4
A.ROOT-SERVERS.NET.    3600000    IN    AAAA    2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.    3600000    IN    A    192.228.79.201
C.ROOT-SERVERS.NET.    3600000    IN    A    192.33.4.12
D.ROOT-SERVERS.NET.    3600000    IN    A    128.8.10.90
E.ROOT-SERVERS.NET.    3600000    IN    A    192.203.230.10
F.ROOT-SERVERS.NET.    3600000    IN    A    192.5.5.241
F.ROOT-SERVERS.NET.    3600000    IN    AAAA    2001:500:2f::f
G.ROOT-SERVERS.NET.    3600000    IN    A    192.112.36.4
H.ROOT-SERVERS.NET.    3600000    IN    A    128.63.2.53
H.ROOT-SERVERS.NET.    3600000    IN    AAAA    2001:500:1::803f:235
I.ROOT-SERVERS.NET.    3600000    IN    A    192.36.148.17
J.ROOT-SERVERS.NET.    3600000    IN    A    192.58.128.30
J.ROOT-SERVERS.NET.    3600000    IN    AAAA    2001:503:c27::2:30
K.ROOT-SERVERS.NET.    3600000    IN    A    193.0.14.129
K.ROOT-SERVERS.NET.    3600000    IN    AAAA    2001:7fd::1
L.ROOT-SERVERS.NET.    3600000    IN    A    199.7.83.42
M.ROOT-SERVERS.NET.    3600000    IN    A    202.12.27.33
M.ROOT-SERVERS.NET.    3600000    IN    AAAA    2001:dc3::35

;; Query time: 110 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Tue Feb 26 15:05:57 2008
;; MSG SIZE  rcvd: 615

In this file are present addresses of the global root servers, this file can be obtained from the Internet and is advisable as it would get the updated list of servers.

In our case we used the file already comes with the installation of Bind that is present in / usr / Share / bind / doc / sample / named.root.

/var/named/chroot/var/named/db.red2

$ORIGIN    red2.redes.dis.ulpgc.es.
$TTL    86400
@        IN SOA pasarela root (
1              ; serial
3H              ; refresh
15M             ; retry
1W              ; expiry
1D )            ; minimum

IN NS         pasarela       // servidor dns primario
localhost    IN A        127.0.0.1
pasarela    IN A        172.16.2.1

We can see the beginning of the configuration file multiple tags, these tags we allow:

• $ORIGIN = Appends the domain name to unqualified records, such as those with the host name only. Any names used in resource records that do not end in a period (.) Would have the information that has attached the label $ ORIGIN.
• $TTL = Sets the default Time to Live (TTL) value for the area. This is the time, in seconds, that a zone resource record is valid. Each resource may contain its own TTL value, which overrides this directive.

In this case the domain is specified zone red2.redes.dis.ulpgc.es. is very important end point because it indicates that this is the domain.

Then specify the hostname of the nameserver that is authoritative for this domain, which in this case gateway And look who has no end point because this is not to put the point, really seríapasarela.red2 hostname. redes.dis.ulpgc.es.

What appears below is the email address of the area manager in this case and following the directions above would root.red2.redes.dis.ulpgc.es.

The records below are called resource records, this section of the file, specify all the machines in the domain, in this case to have only one primary server will be detailed as specified in the file, with a bellonging NS indicate that it is a name server and then to an A record to indicate which IP address.

And so with all the configuration files:

/var/named/chroot/var/named/db.172.16.2

$ORIGIN 2.16.172.in-addr.arpa.
$TTL    86400
@               IN SOA pasarela.red2.redes.dis.ulpgc.es. root.red2.redes.dis.ulpgc.es. (
1              ; serial
3H              ; refresh
15M             ; retry
1W              ; expiry
1D )            ; minimum

IN NS           pasarela.red2.redes.dis.ulpgc.es.
1        IN PTR            pasarela.red2.redes.dis.ulpgc.es.
2        IN PTR            estacion.red2.redes.dis.ulpgc.es.

/var/named/chroot/var/named/db.127.0.0

$ORIGIN 0.0.127.in-addr.arpa.
$TTL    86400
@               IN SOA pasarela.red2.redes.dis.ulpgc.es. root.red2.redes.dis.ulpgc.es. (
1              ; serial
3H              ; refresh
15M             ; retry
1W              ; expiry
1D )            ; minimum

IN NS      pasarela.red2.redes.dis.ulpgc.es.
1        IN PTR            localhost.

Reverse lookup zones are highly recommended as this way we assure that this machine is the owner of this domain.

The resource records that appear in the configuration files indicate reverse resolution:

• NS record indicates a name server
• PTR record indicates the number to the left, this is the machine number for that domain, ie in our case to resolve 172.16.2.1 conversely, we see that part of the machine pasarela.red2.redes.dis.ulpgc.es.

Then we have to make links to files that are present in / var / named / chroot / var / named / and put these links in / var / named /, for it will do the following commands:

$ ln  /var/named/chroot/var/named/named.root    /var/named/named.root
$ ln  /var/named/chroot/var/named/db.red2   /var/named/db.red2
$ ln  /var/named/chroot/var/named/db.172.16.2   /var/named/db.172.16.2
$ ln  /var/named/chroot/var/named/db.127.0.0   /var/named/db.127.0.0

We can restart the server and the DNS server work.

$ /etc/init.d/named restart

For all machines on the network using this new server names have to modify the / etc / resolv.conf and put to use the name server on the machine called gateway.

/etc/resolv.conf

Nameserver 172.16.2.1

b-2) At least a secondary server's own domain.

In our case the secondary server will be on the machine called station.

For the configuration of a secondary server have to perform a Bind DNS server installation and proceed to include the following configuration files:

The only files that we created, bearing in mind also that the station has been installed Chroot-BIND, are:

•    /var/named/chroot/etc/named.conf
•    /var/named/chroot/var/named/db.127.0.0
•    /var/named/chroot/var/named/named.root

/var/named/chroot/etc/named.conf

options {

directory "/var/named";

};

zone "." IN {

type hint;

file "named.root";

};

zone "0.0.127.in-addr.arpa" IN {

type master;

file "db.127.0.0";

};

zone "red2.redes.dis.ulpgc.es" IN {

type slave;

file "slaves/db.red2";

masters { 172.16.2.1; };

};

zone "2.16.172.in-addr.arpa" IN {

type slave;

file "slaves/db.172.16.2";

masters {172.16.2.1; };

};

/var/named/chroot/var/named/named.root

; <<>> DiG 9.5.0b2 <<>> +bufsize=1200 +norec NS . @a.root-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7033
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 20

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                IN    NS

;; ANSWER SECTION:
.            518400    IN    NS    D.ROOT-SERVERS.NET.
.            518400    IN    NS    E.ROOT-SERVERS.NET.
.            518400    IN    NS    F.ROOT-SERVERS.NET.
.            518400    IN    NS    G.ROOT-SERVERS.NET.
.            518400    IN    NS    H.ROOT-SERVERS.NET.
.            518400    IN    NS    I.ROOT-SERVERS.NET.
.            518400    IN    NS    J.ROOT-SERVERS.NET.
.            518400    IN    NS    K.ROOT-SERVERS.NET.
.            518400    IN    NS    L.ROOT-SERVERS.NET.
.            518400    IN    NS    M.ROOT-SERVERS.NET.
.            518400    IN    NS    A.ROOT-SERVERS.NET.
.            518400    IN    NS    B.ROOT-SERVERS.NET.
.            518400    IN    NS    C.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.    3600000    IN    A    198.41.0.4
A.ROOT-SERVERS.NET.    3600000    IN    AAAA    2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.    3600000    IN    A    192.228.79.201
C.ROOT-SERVERS.NET.    3600000    IN    A    192.33.4.12
D.ROOT-SERVERS.NET.    3600000    IN    A    128.8.10.90
E.ROOT-SERVERS.NET.    3600000    IN    A    192.203.230.10
F.ROOT-SERVERS.NET.    3600000    IN    A    192.5.5.241
F.ROOT-SERVERS.NET.    3600000    IN    AAAA    2001:500:2f::f
G.ROOT-SERVERS.NET.    3600000    IN    A    192.112.36.4
H.ROOT-SERVERS.NET.    3600000    IN    A    128.63.2.53
H.ROOT-SERVERS.NET.    3600000    IN    AAAA    2001:500:1::803f:235
I.ROOT-SERVERS.NET.    3600000    IN    A    192.36.148.17
J.ROOT-SERVERS.NET.    3600000    IN    A    192.58.128.30
J.ROOT-SERVERS.NET.    3600000    IN    AAAA    2001:503:c27::2:30
K.ROOT-SERVERS.NET.    3600000    IN    A    193.0.14.129
K.ROOT-SERVERS.NET.    3600000    IN    AAAA    2001:7fd::1
L.ROOT-SERVERS.NET.    3600000    IN    A    199.7.83.42
M.ROOT-SERVERS.NET.    3600000    IN    A    202.12.27.33
M.ROOT-SERVERS.NET.    3600000    IN    AAAA    2001:dc3::35

;; Query time: 110 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Tue Feb 26 15:05:57 2008
;; MSG SIZE  rcvd: 615

/var/named/chroot/var/named/db.127.0.0

$ORIGIN 0.0.127.in-addr.arpa.
$TTL 86400
@ IN SOA estacion.red2.redes.dis.ulpgc.es root.red2.redes.dis.ulpgc.es (
1; Serial
28800      ; Refresh
14400      ; Retry
3600000    ; Expire
86400 )    ; Minimum

IN NS    pasarela.red2.redes.dis.ulpgc.es
IN NS    estacion.red2.redes.dis.ulpgc.es
1    IN PTR    localhost.

To make use also of the DNS server, we need to create links in their respective folders and also edit / etc / resolv.conf on all machines that want to use this secondary server.

$ ln /var/named/chroot/etc/named.conf   /etc/named.conf

$ ln  /var/named/chroot/var/named/named.root    /var/named/named.root

$ ln  /var/named/chroot/var/named/db.127.0.0   /var/named/db.127.0.0

/etc/resolv.conf

Nameserver 172.16.2.1
Nameserver 172.16.2.2

b-3) The primary server should only allow downloads of their corresponding side zone.

To allow downloads of their corresponding side area we need to add the following lines in their respective configuration files:

DNS primario:

/var/named/chroot/etc/named.conf

zone "red2.redes.dis.ulpgc.es" IN {

type master;

file "db.red2";

allow-transfer{172.16.2.2;};

};

zone "2.16.172.in-addr.arpa" IN {

type master;

file "db.172.16.2";

allow-transfer {172.16.2.2;};

};

allow-transfer (slaves;); With this parameter we give permission to the slave DNS servers that can make a copy of the DNS zone for the domain.

DNS secundario:

/var/named/chroot/etc/named.conf

zone "red2.redes.dis.ulpgc.es" IN {

type slave;

file "slaves/db.red2";

masters { 172.16.2.1; };

};

zone "2.16.172.in-addr.arpa" IN {

type slave;

file "slaves/db.172.16.2";

masters {172.16.2.1; };

};

b-4) Releases of areas should be signed digitally (TSIG).

Apply a digital signature to the discharge zone allows us to increase security, since previously the area was allowed to discharge a particular IP or range of it, and anyone could replace that IP with the security risk that entails, with digital signatures solve this problem.

To generate a digital signature using the following command, which allows the generation of this with specific characteristics:

dnssec-keygen -a hmac-md5 -b 128 -n HOST red2

This command also to generate digital signatures, we create two files that need to be placed in / var / named / chroot / var / named, these two files with corresponding routes are:

• /var/named/chroot/var/named/Kred2.+157+55493.key
• /var/named/chroot/var/named/Kred2.+157+55493.private

these files must also be linked to the / var / named /

$ ln  /var/named/chroot/var/named/Kred2.+157+55493.key  /var/named/Kred2.+157+55493.key
$ ln /var/named/chroot/var/named/Kred2.+157+55493.private   /var/named/Kred2.+157+55493.private

Then proceed to add the new configuration files named.conf

Prumary DNS

/var/named/chroot/etc/named.conf

zone "red2.redes.dis.ulpgc.es" IN {

type master;

file "db.red2";

allow-transfer{key red2;};

};

zone "2.16.172.in-addr.arpa" IN {

type master;

file "db.172.16.2";

allow-transfer {key red2;};

};

key red2 {

algorithm hmac-md5;

secret "YonqS63NCb3GabZCEbZAZg==";

};

Secondary DNS

var/named/chroot/etc/named.conf

key red2 {

algorithm hmac-md5;

secret "YonqS63NCb3GabZCEbZAZg==";

};

server 172.16.2.1 {

keys {red2;};

};

Restart the DNS server and you do that you download digitally signed zone.

$ /etc/init.d/named restart

b-5) Own domain servers should only respond recursively own domain machines.

Primaryt DNS

/var/named/chroot/etc/named.conf

options{

directory "/var/named"; // the default

allow-recursion {172.16.2.0/8;};

}

secondary DNS

/var/named/chroot/etc/named.conf

options {

directory "/var/named";

allow-recursion { 172.16.2.0/8;};

};

b-6) To take advantage of cache servers general name of the university, reducing network traffic to the outside and improving response times, all the questions that made the name servers at the request of its customers must be out throught the name servers of ULPGC above.

Primary DNS

/var/named/chroot/etc/named.conf

options{

directory "/var/named"; // the default

allow-recursion {172.16.2.0/8;};

forwarders {

193.145.138.100;

193.145.138.200;

};

};

Secondary DNS

/var/named/chroot/etc/named.conf

options{

directory "/var/named"; // the default

allow-recursion {172.16.2.0/8;};

forwarders {

193.145.138.100;

193.145.138.200;

};

};

b-7) There shall be the record (log) of the activity of its own file servers, separating at least independently of the server queries and zone transfers.

Primary DNS

/var/named/chroot/etc/named.conf

logging {

channel inter{

file "/var/log/inter" versions 3 size 15m;

print-time yes;

print-category yes;

};

channel zona{

file "/var/log/zone" versions 3 size 15m;

print-time yes;

print-category yes;

};

category queries {inter;};

category xfer-out {zona;};

};

Secondary DNS

/var/named/chroot/etc/named.conf

logging {

channel inter{

file "/var/log/inter" versions 3 size 15m;

print-time yes;

print-category yes;

};

channel zona{

file "/var/log/zone" versions 3 size 15m;

print-time yes;

print-category yes;

};

category queries {inter;};

category xfer-out {zona;};

};

creating log files, has led to several problems because of permissions problems, it was not possible to write these by the name server, then to fix it, must change the file's group, the write access and reboot the server.

Displaying the log file / var / log / messages left the way he discovered this error because when we consult our shows:

$ tail -80 /var/log/messages |grep named

Mar 20 17:56:10 pasarela named[11813]: logging channel 'zona' file '/var/log/zone': permission denied
Mar 20 17:56:10 pasarela named[11813]: logging channel 'inter' file
'/var/log/inter': permission denied

The files we have created with the following commands:

$ vim /var/named/chroot/var/log/zone
$ vim /var/named/chroot/var/log/inter
$ chgrp named /var/named/chroot/var/log/inter
$ chgrp named /var/named/chroot/var/log/zone
$ chmod 771 /var/named/chroot/var/log/inter
$ chmod 771 /var/named/chroot/var/log/zone

$ /etc/init.d/named restart

Thanks for your attention ..