Complete the following DNS lab exercises
Step 1: Login
The username and password are both “kenog”.
There is no root password on the lab.
We will use sudo to obtain temporary root privileges. This is recommended best practice.
Step 2: Configure the stub resolver
Add the Google DNS server as the recursive server for now:
sudo rm /etc/resolv.conf
sudo sh -c "echo nameserver 8.8.8.8 > /etc/resolv.conf"
Step 3: Install BIND and dig
Then install BIND and the DNS utilities (the dnsutils package, which provides dig):
sudo apt-get update
sudo apt-get install -y bind9 dnsutils net-tools
Step 4: Verify IP address
Then we verify the current IP address on the Debian server using ifconfig.
sudo ifconfig
You should get output as below:
In this case, the IP address is 192.168.122.4
Step 5: Configure BIND
First we will move the default BIND configuration out of the way:
sudo mv /etc/bind/named.conf.options /etc/bind/named.conf.options.old
Then we will use a text editor to open a blank config file:
sudo nano /etc/bind/named.conf.options
Adjust the following text, replacing the IP address with the one you saw from ifconfig:
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    listen-on { 192.168.122.4; 127.0.0.1; };   ## match your IP address
    recursion yes;                             # This tells BIND to recursively find DNS data.
    allow-query { trusted; };                  ## Add security to prevent unwanted users
};

acl "trusted" {
    192.168.0.0/16;   # The trusted network
    localhost;        # Loopback interface
};
Save and exit the file by holding “Ctrl and X” at the same time. At the next prompt, press “y” and hit enter to save the file.
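The allow-query ACL above is what stops this recursive server from answering arbitrary clients. The script below is an added example, not part of the original lab: it reads an options file and reports whether recursion is open to any source. The function names are hypothetical, and the allow-recursion, allow-query-cache, allow-query fallback order is assumed from BIND 9's documented defaults.

```sh
#!/bin/sh
# Added example (not part of the lab); all function names here are hypothetical.

# Drop '#' and '//' comments and join lines so statements can span lines.
# Simplification: /* */ comments and nested braces are not handled.
flatten_conf() {
    sed -e 's/#.*$//' -e 's|//.*$||' "$1" | tr '\n' ' '
}

# Print the body of "<pattern> { ... }" found in flattened config text.
clause_body() {   # $1 = flattened config, $2 = keyword (basic regex)
    printf ' %s\n' "$1" | sed -n "s|.*[[:space:];{}]$2[[:space:]]*{\([^{}]*\)}.*|\1|p"
}

# Returns 0 if recursion is off or restricted, 1 if it is open to any source.
audit_recursion() {   # $1 = path to named.conf.options
    conf=$(flatten_conf "$1")
    if printf '%s' "$conf" | grep -Eq 'recursion[[:space:]]+no[[:space:]]*;'; then
        echo "OK: recursion disabled"; return 0
    fi
    # Assumed fallback order: allow-recursion, allow-query-cache, allow-query.
    for kw in allow-recursion allow-query-cache allow-query; do
        acl=$(clause_body "$conf" "$kw")
        [ -z "$acl" ] || break
    done
    if [ -z "$acl" ]; then
        echo "OK: no ACL set, BIND default (localnets; localhost;) applies"; return 0
    fi
    # Expand named ACLs one level, e.g. trusted -> body of acl "trusted" { ... }.
    expanded=$acl
    for name in $(printf '%s' "$acl" | tr -d '"!' | tr ';' ' '); do
        case $name in *[!A-Za-z0-9_-]*) continue ;; esac
        expanded="$expanded $(clause_body "$conf" "acl[[:space:]]*\"\{0,1\}$name\"\{0,1\}")"
    done
    if printf ' %s' "$expanded" | grep -Eq '[[:space:];](any|0\.0\.0\.0/0|::/0)[[:space:]]*;'; then
        echo "OPEN: $kw admits any source"; return 1
    fi
    echo "OK: recursion limited by $kw {$acl}"; return 0
}

# Constructed sample: recursion on with allow-query widened to "any".
demo_open() {
    tmp=$(mktemp)
    printf '%s\n' 'options { recursion yes; allow-query { any; }; };' > "$tmp"
    rc=0; audit_recursion "$tmp" || rc=$?
    rm -f "$tmp"; return $rc
}

if [ -n "${1:-}" ]; then audit_recursion "$1"; fi
```

Saved to a file, the script takes /etc/bind/named.conf.options as its argument. named-checkconf checks syntax only and will not flag an ACL of any.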
Step 6: Check BIND config syntax
BIND has a tool, named-checkconf, that verifies the configuration has no mistakes so that BIND can work properly.
sudo named-checkconf
If there is no output from that command, BIND is ready to start.
Start BIND with the following command:
sudo service bind9 start
Step 7: Test BIND
The following command uses “dig” to query the local DNS server you have installed:
dig @192.168.122.4 twitter.com
Assess the response below and look at the Server response section:
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @192.168.122.4 twitter.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3236
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: d037dd9d1fddd3230100000067eb72700fd63029431f046c (good)
;; QUESTION SECTION:
;twitter.com. IN A

;; ANSWER SECTION:
twitter.com. 300 IN A 162.159.140.229

;; Query time: 36 msec
;; SERVER: 192.168.122.4#53(192.168.122.4) (UDP)
;; WHEN: Tue Apr 01 04:58:24 UTC 2025
;; MSG SIZE rcvd: 84
Try the command again and see if there is a change in the query time.
Adjust the stub resolver to use the new DNS server:
sudo sh -c "echo nameserver 192.168.122.4 > /etc/resolv.conf"
The above command overwrites the previous contents of /etc/resolv.conf, so use it carefully in future.
Testing DNS with dig
Try the following dig commands and assess the results. You can substitute your preferred domain.
- To see the DNS referral process:
dig +trace www.kenic.or.ke
- To see mail servers for a domain:
dig +short cnn.com mx
- To see the name servers for a domain:
dig +short angani.co ns