Testbed of DNS Installation and Deployment In Real Environment

From UNamur InfoSec

Testbed DNS Installation

System Infrastructure and Installation

Our testbed was built to observe the DNS resolution flow end to end. The blue shapes in Figure 1 are the local servers we installed: the Name Server and its sub-Name Server, the Resolver Server and the Web Server.


  • Registered Domain

    • bekhinfosec.be has been delegated to two name servers:

      • ns1.infosec.unamur.be (serves the parent zone; the child zone that resolves the sub-domain is served by ns2.bekhinfosec.be)

        ns1.infosec.unamur.be : 138.48.246.201

        ns2.bekhinfosec.be : 138.48.246.202

      • ns2.infosec.unamur.be (not installed)

      Figure 1. Testbed Architecture


      1. Servers Installation

      • Name Server Installation and Configuration
        We use Ubuntu Server 20.04 as the operating system and BIND9 as the name server software. The installation steps are as follows:

        • Update the system and install the packages

          sudo apt-get update
          sudo apt-get install bind9 dnsutils

        • Zone configuration file and zone files

          In /etc/bind:

          sudo nano named.conf.local

          For example, on ns1.infosec.unamur.be (138.48.246.201):

          zone "bekhinfosec.be" IN {
              type master;
              file "/var/lib/bind/db.bekhinfosec.be";
          };

          zone "246.48.138.in-addr.arpa" IN {
              type master;
              file "/var/lib/bind/db.246.48.138.in-addr.arpa";
          };

          We store the zone file and its reverse zone file in /var/lib/bind.

          File: db.bekhinfosec.be

          $TTL 1H
          @       IN SOA  @ hostmaster.bekhinfosec.be. (
                          0   ; serial
                          1H  ; refresh
                          1H  ; retry
                          1W  ; expire
                          1H ) ; minimum
          @       IN NS   ns1.infosec.unamur.be.
          ns1     IN A    138.48.246.201
          www     IN NS   ns2.bekhinfosec.be.
          ns2     IN A    138.48.246.202
          host1   IN A    138.48.246.203

          Reverse zone file: db.246.48.138.in-addr.arpa

          $TTL 1H
          @       IN SOA  @ hostmaster.bekhinfosec.be. (
                          0   ; serial
                          1H  ; refresh
                          1H  ; retry
                          1W  ; expire
                          1H ) ; minimum
          @       IN NS   ns1.infosec.unamur.be.
          ns1     IN A    138.48.246.201
          www     IN NS   ns2.bekhinfosec.be.
          ns2     IN A    138.48.246.202
          host1   IN A    138.48.246.203
          201     IN PTR  ns1.infosec.unamur.be.
          202     IN PTR  ns2.bekhinfosec.be.
          203     IN PTR  host1.bekhinfosec.be.

          For the sub name server (ns2), installation and configuration follow the same steps as for the parent zone. named.conf.local uses the same zone names and file locations. The zone file is as follows:

          File: db.bekhinfosec.be

          $TTL 604800
          @       IN SOA  @ hostmaster.bekhinfosec.be. (
                          2        ; Serial
                          604800   ; Refresh
                          86400    ; Retry
                          2419200  ; Expire
                          604800 ) ; Negative Cache TTL
          ;
          @       IN NS   ns2.bekhinfosec.be.
          ns2     IN A    138.48.246.202
          www     IN A    138.48.246.205

          Reverse zone file: db.246.48.138.in-addr.arpa

          $TTL 604800
          @       IN SOA  @ hostmaster.bekhinfosec.be. (
                          2        ; Serial
                          604800   ; Refresh
                          86400    ; Retry
                          2419200  ; Expire
                          604800 ) ; Negative Cache TTL
          ;
          @       IN NS   ns2.bekhinfosec.be.
          ns2     IN A    138.48.246.202
          www     IN A    138.48.246.205
          202     IN PTR  ns2.bekhinfosec.be.
          205     IN PTR  www.bekhinfosec.be.

          Below are the commands we used most often during installation and configuration:

          # Check the configuration syntax and the zone files, then restart the service:
          sudo named-checkconf
          sudo named-checkzone bekhinfosec.be db.bekhinfosec.be
          sudo named-checkzone 246.48.138.in-addr.arpa db.246.48.138.in-addr.arpa
          sudo service bind9 restart
          sudo service bind9 status
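As an added check that is not part of the original page: the following Python script parses constructed copies of the ns1 zone files above and reports A records whose reverse PTR points at a different name, and in-zone NS targets that lack a glue A record. Run on these zones it flags that 138.48.246.201 resolves forward as ns1.bekhinfosec.be but reverse as ns1.infosec.unamur.be; the parser assumes the "name IN TYPE rdata" layout used on this page, and check_consistency/parse_zone are hypothetical helper names.

```python
import ipaddress
# Constructed copies of the ns1 forward and reverse zone files above (SOA abbreviated;
# the parser also handles the multi-line "( ... )" form used on the page).
FORWARD = """$TTL 1H
@ IN SOA @ hostmaster.bekhinfosec.be. ( 0 ; serial
  1H 1H 1W 1H ) ;minimum
@ IN NS ns1.infosec.unamur.be.
ns1 IN A 138.48.246.201
www IN NS ns2.bekhinfosec.be.
ns2 IN A 138.48.246.202
host1 IN A 138.48.246.203 ;
"""
REVERSE = """$TTL 1H
@ IN SOA @ hostmaster.bekhinfosec.be. ( 0 1H 1H 1W 1H )
@ IN NS ns1.infosec.unamur.be.
201 IN PTR ns1.infosec.unamur.be.
202 IN PTR ns2.bekhinfosec.be.
203 IN PTR host1.bekhinfosec.be.
"""

def parse_zone(text, origin):
    """Return (owner, type, rdata) triples; assumes the 'name IN TYPE rdata' layout used here."""
    records, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]                     # drop ';' comments
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:                                   # still inside a "( ... )" group
            continue
        tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if not tokens or tokens[0].startswith("$"):     # blank line or $TTL/$ORIGIN
            continue
        name = origin if tokens[0] == "@" else tokens[0]
        name = name if name.endswith(".") else f"{name}.{origin}"
        records.append((name, tokens[2], tokens[3:]))
    return records

def check_consistency(forward, reverse, fwd_origin, rev_origin):
    """Flag A records whose PTR points elsewhere and in-zone NS targets that lack glue."""
    fwd, rev = parse_zone(forward, fwd_origin), parse_zone(reverse, rev_origin)
    a_by_name = {n: r[0] for n, t, r in fwd if t == "A"}
    ptr_by_owner = {n.rstrip("."): r[0] for n, t, r in rev if t == "PTR"}
    problems = []
    for host, ip in a_by_name.items():
        target = ptr_by_owner.get(ipaddress.ip_address(ip).reverse_pointer)
        if target != host:
            problems.append(f"A {host} {ip}: reverse PTR is {target}")
    for owner, t, r in fwd:                            # glue is only needed for in-zone NS targets
        if t == "NS" and r[0].endswith("." + fwd_origin) and r[0] not in a_by_name:
            problems.append(f"NS {owner} -> {r[0]}: no glue A record in zone")
    return problems
```

Call check_consistency(FORWARD, REVERSE, "bekhinfosec.be.", "246.48.138.in-addr.arpa.") and review the returned list; an empty list means forward and reverse zones agree.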

      • Resolver Installation and Configuration

      Several open-source resolvers are available; in this testbed we used the unbound package to implement our local resolver.

      • Update the system and install the package

        sudo apt-get update
        sudo apt-get install unbound

      • Configuration file in /etc/unbound/

        sudo nano unbound.conf

        For example, for our resolver at 138.48.246.204:

        server:
            directory: "/etc/unbound"
            username: infosec
            interface: 138.48.246.204
            interface: ::0
            # Only the lab network and loopback may query; everything else is dropped
            access-control: 138.48.246.0/24 allow
            access-control: 127.0.0.1 allow
            access-control: ::1 allow
            access-control: 0.0.0.0/0 deny
            access-control: ::/0 deny
            # In case you want to limit the TTL of your resolver's cache
            # cache-max-ttl: 30
            # cache-min-ttl: 0
            serve-expired: no

        # In case you want to forward queries to a public upstream resolver
        #forward-zone:
        #    name: "."
        #    forward-addr: 4.2.2.2
        #    forward-addr: 4.2.2.1
        #    forward-first: yes

      • Restart and check the service

        sudo systemctl restart unbound.service
        sudo systemctl status unbound.service
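Added example (not from the original page): a small Python evaluator that applies the access-control block above the way unbound does, by the most specific matching netblock rather than line order, so you can confirm before exposing the resolver that it answers the lab network and loopback and drops everything else. The ACL text and sample client addresses are constructed, the built-in entries are taken from the unbound.conf(5) description (refuse everything except localhost) and listed abbreviated, and parse_acl, decide and audit are hypothetical helper names.

```python
import ipaddress

# Constructed copy of the access-control lines from the unbound.conf above,
# with the loopback entry written as 127.0.0.1.
LAB_ACL = """
access-control: 138.48.246.0/24 allow
access-control: 127.0.0.1 allow
access-control: ::1 allow
access-control: 0.0.0.0/0 deny
access-control: ::/0 deny
"""

# Entries unbound applies before reading the config, per unbound.conf(5)
# ("everything is refused, except for localhost"); explicit lines override them.
BUILTIN_ACL = """
access-control: 0.0.0.0/0 refuse
access-control: ::/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::1 allow
"""

def parse_acl(conf_text):
    """Return {network: action}; bare hosts become /32 or /128 and a later
    line for the same netblock replaces an earlier one."""
    acl = {}
    for line in (BUILTIN_ACL + conf_text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("access-control:"):
            netblock, action = line.split(":", 1)[1].split()
            acl[ipaddress.ip_network(netblock, strict=False)] = action
    return acl

def decide(acl, client_ip):
    """Unbound picks the most specific matching netblock (longest prefix),
    not the first matching line, so the order of the lines does not matter."""
    ip = ipaddress.ip_address(client_ip)
    matches = [(net.prefixlen, action) for net, action in acl.items()
               if net.version == ip.version and ip in net]
    return max(matches)[1]           # the /0 built-ins guarantee a match

def audit(acl, clients):
    """Map each sample client address to the action the resolver would take."""
    return {client: decide(acl, client) for client in clients}

# Constructed sample clients: a lab host, loopback, and two Internet addresses.
SAMPLE_CLIENTS = ["138.48.246.203", "127.0.0.1", "::1", "8.8.8.8", "2001:db8::1"]
```

Running audit(parse_acl(LAB_ACL), SAMPLE_CLIENTS) also shows why a mistyped loopback entry such as 172.0.0.1 matters: that /32 is a public address and would be granted access.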

      • Web Server Installation

      To have a name that resolves to a real machine, we host a web page on that machine. We used nginx as the web server.

      • Update the system and install the package

        sudo apt-get update
        sudo apt-get install nginx

      • Create the project folder and the page at /var/www/bekhinfosec.be/index.html

        <!DOCTYPE html>
        <html>
        <head>
          <style>
            title {text-align: center;}
            h1 {text-align: center;}
          </style>
          <title>Welcome to My Page</title>
        </head>
        <body>
          <h1>Here is my Testbed Page</h1>
          <p>Welcome to my pages; this page is for testing only</p>
        </body>
        </html>

      • Site configuration file in /etc/nginx/sites-available/bekhinfosec.be

        server {
            listen 80 default_server;
            listen [::]:80 default_server;
            root /var/www/bekhinfosec.be;
            index index.html;
            server_name bekhinfosec.be www.bekhinfosec.be;
            location / {
                try_files $uri $uri/ =404;
            }
        }

        Then we create a symbolic link to it in the sites-enabled directory:

        sudo ln -s /etc/nginx/sites-available/bekhinfosec.be /etc/nginx/sites-enabled/bekhinfosec.be

        Finally, we restart nginx:

        sudo systemctl restart nginx

        To check your configuration for errors you can use:

        sudo nginx -t

      • Client machine configuration

      On the client machine we only need to set the resolver and the search domain in resolv.conf so that we can test the connection. In /etc/resolv.conf:

      sudo nano /etc/resolv.conf

      search bekhinfosec.be
      nameserver 138.48.246.204

      2. Traffic Capturing

      Since our system runs as VMs in Proxmox, we can capture traffic with tcpdump, or install Wireshark to capture the data.

      • Wireshark Installation

        sudo apt-get update
        sudo apt-get upgrade
        sudo apt-get install wireshark

      In this capture we do not see the whole exchange from the client through to the Name Server, because we had already run the lookup and the answer was cached by the resolver (138.48.246.204). A capture like this still shows that the testbed is working. For example, browsing to www.bekhinfosec.be returns the test page (index.html).

      Alternatively, we can capture with tcpdump, save the result to a pcap file and open it in Wireshark:

      sudo tcpdump -i vmbr0 port 53 -w testing.pcap

      vmbr0 is the virtual bridge interface of our network in Proxmox; we capture only DNS traffic (port 53).