====== Complete the following DNS lab exercises ======
==== Step 1: Login ====
The username and password is "kenog".
There is no root password on the lab.
We will use **sudo** to obtain temporary root authorizations. This is recommended best practice.
==== Step 2: Configure the stub resolver ====
Add the DNS google server as the recursive server for now:
sudo rm /etc/resolv.conf
sudo sh -c "echo nameserver 8.8.8.8 > /etc/resolv.conf"
==== Step 3: Install BIND and dig ====
Then, install bind and dnstools
sudo apt-get update
sudo apt-get install -y bind9 dnsutils net-tools
==== Step 4: Verify IP address ====
Then we verify the current IP address on the debian server using ifconfig .
sudo ifconfig
You should get output as below:
{{::screenshot_2025-04-01_at_7.44.05 am.png?400|}}
In this case, the IP address is 192.168.122.4
=== Step 5: Configure BIND ===
First we will remove the default BIND configuration
sudo mv /etc/bind/named.conf.options /etc/bind/named.conf.options.old
Then we will use a text editor to open a blank config file:
sudo nano /etc/bind/named.conf.options
Adjust the following text and replcace the IP address with what you saw from ifconfig
options {
directory "/var/cache/bind";
dnssec-validation auto;
listen-on { 192.168.122.4; 127.0.0.1; }; ## match your IP address
recursion yes; # This tell BIND to recursively find DNS data.
allow-query { trusted; }; ## Add security to prevent unwanted users
};
acl "trusted" {
192.168.0.0/16; # The trusted network
localhost; # Loopback interface
};
Save and exit the file by holding "Ctrl and X" at the same time. At the next prompt, press "y" and hit enter to save the file.
=== Step 6: Check BIND config syntax ===
Bind has a tool to verify that the configuration has no mistakes so that BIND can work properly.
sudo named-checkconf
If there is no output from that command, BIND is ready to start.
Start BIND with the following command
sudo service bind9 start
=== Step 7: Test BIND ===
The following will use the local DNS server you have installed using "dig"
dig @192.168.122.4 twitter.com
Assess the response below and look at the Server response section:
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @192.168.122.4 twitter.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3236
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: d037dd9d1fddd3230100000067eb72700fd63029431f046c (good)
;; QUESTION SECTION:
;twitter.com. IN A
;; ANSWER SECTION:
twitter.com. 300 IN A 162.159.140.229
;; Query time: 36 msec
;; SERVER: 192.168.122.4#53(192.168.122.4) (UDP)
;; WHEN: Tue Apr 01 04:58:24 UTC 2025
;; MSG SIZE rcvd: 84
Try the command again and see if there is a change in the query time.
=== Adjust the stub resolver to use the new DNS server ===
sudo sh -c "echo nameserver 192.168.122.4 > /etc/resolv.conf"
The above command will delete the previous config so use carefully in future
=== Testing DNS with dig ===
Try the following dig commands and assess the results: You can substitute with your preferred domain.
- To see the DNS referral process: dig +trace www.kenic.or.ke
- To see mail servers for a domain: dig +short cnn.com
- To see the name servers for a domain: dig +short angani.co ns