Complete DNS fake root setup example

Complete DNS fake root setup example

MURTARI, JOHN

Folks,

Had to do some testing where we wanted our own insulated fake root environment. We wanted to start from simulated root name servers. I was surprised I couldn't find a complete example even after some extensive searches.

The concepts are easy, but the devil is in the details. We had done this before, but no one ever kept notes, so I figured by posting it on the list it will eventually find its way into Google. Here are the setup instructions below; names & IP addresses have been changed to protect the innocent! Your comments/suggestions are welcome!

#
# This document describes a complete BIND fake root setup
# ?'s - [hidden email]
#
# One DNS server is fake root (Host 12 - 1.2.3.4)
# One DNS server is com TLD  (Host 13 - 1.2.3.5)
# One DNS server is bongo.com  (Host 06 - 1.2.3.6)
# One DNS server is support.bongo.com NS (Host 07 - 1.2.3.7)
#

================= Host 12 - FAKE ROOT - 1.2.3.4

zone "." {
        type master;
        file "named.root";
};

-- contents named.root
$TTL 5m
@       IN SOA  . rname.invalid. (
                                        0       ; serial
                                        5m      ; refresh
                                        5m      ; retry
                                        5m      ; expire
                                        5m )    ; minimum
@       IN      NS      fake-root.com
fake-root.com   IN      A       1.2.3.4
com     IN      NS      tld.com
tld.com IN      A       1.2.3.5
.       IN      TXT     "FAKE ROOT"

-- contents /etc/resolv.conf
nameserver 1.2.3.4

==================== Host 13 - FAKE .COM TLD server - 1.2.3.5

zone "." {
        type hint;
        file "named.root";
};

zone "com" {type master; file "named.com";};

-- contents named.root
$TTL 5m
.              300  IN  NS    fake-root.com.
fake-root.com. 300  IN  A     1.2.3.4

-- contents named.com
$TTL 5m
@  IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        5m      ; refresh
                                        5m      ; retry
                                        5m      ; expire
                                        5m )    ; minimum

@       IN      NS      tld
tld             A       1.2.3.5
fake-root       A       1.2.3.4
bongo           NS      ns1.bongo
ns1.bongo       A       1.2.3.6
@       IN      TXT     "FAKE COM SRVR"

--- contents resolv.conf
nameserver 1.2.3.5

============== Host 06 - NS for BONGO.COM - 1.2.3.6

zone "bongo.com" {type master; file "db.bongo.com" ;};

---- contents db.bongo.com
$TTL 10m
lammens.com.   IN SOA ns1.lammens.com. contact.lammens.com. (
                              2    ; Serial
                              5m   ; Refresh after 5 minutes
                              2m   ; Retry after 2 minutes
                              15m  ; Expire after 15 minutes
                              1m ) ; Negative caching TTL of 1 minute

lammens.com.  IN NS ns1.lammens.com.

ns1.lammens.com.  IN A 1.2.3.6

support.lammens.com.  IN NS ns1.support.lammens.com.
ns1.support.lammens.com.  IN A 1.2.3.7

============== Host 07 - NS for SUPPORT.BONGO.COM - 1.2.3.7

zone "support.bongo.com"  IN {
        type master;
        file "db.support.bongo.com";
};

---- contents db.support.bongo.com
$TTL 10m
support.bongo.com.   IN SOA ns1.support.bongo.com. contact.bongo.com. (
                              11   ; Serial
                              5m   ; Refresh after 5 minutes
                              2m   ; Retry after 2 minutes
                              15m  ; Expire after 15 minutes
                              1m ) ; Negative caching TTL of 1 minute

support.bongo.com.  IN NS ns1.support.bongo.com.

ns1.support.bongo.com. IN A 1.2.3.7

======= complete test trace

root@Host 13# dig support.bongo.com ns +trace +add

; <<>> DiG 9.9.3-S1-P1a-RedHat-2.0-2 <<>> support.bongo.com ns +trace +add
;; global options: +cmd
.                       300     IN      NS      fake-root.com.
fake-root.com.          300     IN      A       1.2.3.4
;; Received 70 bytes from 1.2.3.5#53(1.2.3.5) in 0 ms

com.                    86400   IN      NS      tld.com.
tld.com.                86400   IN      A       1.2.3.5
;; Received 82 bytes from 1.2.3.4#53(fake-root.com) in 1 ms

bongo.com.            300     IN      NS      ns1.bongo.com.
ns1.bongo.com.        300     IN      A       1.2.3.6
;; Received 82 bytes from 1.2.3.5#53(tld.com) in 1 ms

support.bongo.com.    600     IN      NS      ns1.support.bongo.com.
ns1.support.bongo.com. 600    IN      A       1.2.3.7
;; Received 116 bytes from 1.2.3.6#53(ns1.bongo.com) in 4 ms

support.bongo.com.    600     IN      NS      ns1.support.bongo.com.
ns1.support.bongo.com. 600    IN      A       1.2.3.7
;; Received 116 bytes from 1.2.3.7#53(ns1.support.bongo.com) in 1 ms

----------------
John Murtari – [hidden email]
Ciberspring
office: 315-944-0998


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
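As an added illustration (not part of John's post or of BIND itself), the Python below walks the same delegation chain the dig +trace above shows, over an in-memory copy of the NS and A records from the zone files; the server addresses and zone data are the constructed ones from the thread. It also makes the "devil in the details" concrete: the parent zone has to carry glue for the child's name server, or the referral cannot be followed.

```python
# Constructed copy of the thread's zone data: server IP -> (zone apex, records as
# (owner, type, rdata) with absolute names). NS records below a server's apex are
# delegations; the A records beside them are the glue the parent has to carry.
SERVERS = {
    "1.2.3.4": (".", [(".", "NS", "fake-root.com."), ("fake-root.com.", "A", "1.2.3.4"),
                      ("com.", "NS", "tld.com."), ("tld.com.", "A", "1.2.3.5")]),
    "1.2.3.5": ("com.", [("com.", "NS", "tld.com."), ("tld.com.", "A", "1.2.3.5"),
                         ("bongo.com.", "NS", "ns1.bongo.com."),
                         ("ns1.bongo.com.", "A", "1.2.3.6")]),
    "1.2.3.6": ("bongo.com.", [("bongo.com.", "NS", "ns1.bongo.com."),
                               ("ns1.bongo.com.", "A", "1.2.3.6"),
                               ("support.bongo.com.", "NS", "ns1.support.bongo.com."),
                               ("ns1.support.bongo.com.", "A", "1.2.3.7")]),
    "1.2.3.7": ("support.bongo.com.", [("support.bongo.com.", "NS", "ns1.support.bongo.com."),
                                       ("ns1.support.bongo.com.", "A", "1.2.3.7")]),
}
ROOT_HINT = "1.2.3.4"  # what a resolver's "type hint" named.root supplies

def in_zone(name: str, zone: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)

def query(servers, ip: str, qname: str, qtype: str):
    """Behave like an authoritative-only server: return a referral when a
    delegation below this server's apex covers qname, else the matching data."""
    apex, rrs = servers[ip]
    cuts = [o for o, t, _ in rrs if t == "NS" and o != apex and in_zone(qname, o)]
    if cuts:
        cut = max(cuts, key=len)  # closest enclosing delegation point
        ns = [r for o, t, r in rrs if o == cut and t == "NS"]
        glue = {o: r for o, t, r in rrs if t == "A" and o in ns}
        return "referral", cut, ns, glue
    return "answer", apex, [r for o, t, r in rrs if o == qname and t == qtype], {}

def resolve(qname: str, qtype: str, servers=SERVERS, max_hops: int = 8):
    """Iterate from the root hint, following referrals. Returns (rdata, hops);
    hops lists (server ip, zone) in the same order as the dig +trace output."""
    ip, hops = ROOT_HINT, []
    for _ in range(max_hops):
        kind, zone, data, glue = query(servers, ip, qname, qtype)
        hops.append((ip, zone))
        if kind == "answer":
            return data, hops
        # Without glue the referral is circular (ns1.bongo.com is inside bongo.com).
        addrs = [glue[n] for n in data if n in glue]
        if not addrs:
            raise RuntimeError(f"{ip} referred {qname} to {data} without glue")
        ip = addrs[0]
    raise RuntimeError("referral loop")
```

Deleting the `ns1.bongo A` line from named.com (or its in-memory equivalent here) makes `resolve` fail at the com server, which is the symptom you see when a delegation is added without glue.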
Re: Complete DNS fake root setup example

Mukund Sivaraman
Hi John

On Wed, Jan 20, 2016 at 05:12:44PM +0000, MURTARI, JOHN wrote:

> Folks,
>                 Had to do some testing where we wanted our own
>                 insulated fake root environment. We wanted to start
>                 from simulated root name servers.  I was surprised I
>                 couldn't find a complete example even after some
>                 extensive searches.
>
>                 The concepts are easy, but the devil is in the
>                 details.  We had done this before, but no one ever
>                 kept notes so I figured by posting it on the list it
>                 will eventually find its way into Google.  Here are
>                 the setup instructions below, name & ip address have
>                 been changed to protect the innocent!  Your
>                 comments/suggestions are welcome!
The key parts are the root hints and the trust anchors. You can see
several such fake root configurations in the BIND 9 system tests (look
in bin/tests/system), e.g., the resolver system test.

Mukund

Re: Complete DNS fake root setup example

Bob Harold
In reply to this post by MURTARI, JOHN
On Wed, Jan 20, 2016 at 12:12 PM, MURTARI, JOHN <[hidden email]> wrote:

> Folks,
>
>                 Had to do some testing where we wanted our own insulated
> fake root environment. We wanted to start from simulated root name servers.
> I was surprised I couldn’t find a complete example even after some extensive
> searches.
>
>
>
>                 The concepts are easy, but the devil is in the details.   We
> had done this before, but no one ever kept notes so I figured by posting it
> on the list it will eventually find its way into Google.   Here are the
> setup instructions below, name & ip address have been changed to protect the
> innocent!   Your comments/suggestions are welcome!
>

Not a bad idea.  Some comments:

/etc/resolv.conf should point to a recursive resolver, not a
non-recursive authoritative server.  Hosts 6,7,12, and 13 should all
be non-recursive authoritative servers.  There should be a separate
resolver.

Looks like the contents of "db.bongo.com" were not fully anonymized.

--
Bob Harold
RE: Complete DNS fake root setup example

MURTARI, JOHN
In reply to this post by Mukund Sivaraman
------- Original msg
On Wed, Jan 20, 2016 at 05:12:44PM +0000, MURTARI, JOHN wrote:

> Folks,
>                 Had to do some testing where we wanted our own
>                 insulated fake root environment. We wanted to start
>                 from simulated root name servers.  I was surprised I
>                 couldn't find a complete example even after some
>                 extensive searches.
>
>                 The concepts are easy, but the devil is in the
>                 details.  We had done this before, but no one ever
>                 kept notes so I figured by posting it on the list it
>                 will eventually find its way into Google.  Here are
>                 the setup instructions below, name & ip address have
>                 been changed to protect the innocent!  Your
>                 comments/suggestions are welcome!

The key parts are the root hints and the trust anchors. You can see
several such fake root configurations in the BIND 9 system tests (look
in bin/tests/system), e.g., the resolver system test.
                Mukund
------- Original msg

Thanks for that.  I took a look in the distribution at the directories you
mentioned. There is very little explanatory text.  Not so sure someone
would find it useful in setting up their own fake root and a delegation
path.
John
Re: Complete DNS fake root setup example

btb
In reply to this post by MURTARI, JOHN
On 2016.01.20 12.12, MURTARI, JOHN wrote:

> Folks,
>
>                  Had to do some testing where we wanted our own
> insulated fake root environment. We wanted to start from simulated root
> name servers.  I was surprised I couldn’t find a complete example even
> after some extensive searches.
>
>                  The concepts are easy, but the devil is in the
> details.   We had done this before, but no one ever kept notes so I
> figured by posting it on the list it will eventually find its way into
> Google.   Here are the setup instructions below, name & ip address have
> been changed to protect the innocent!   Your comments/suggestions are
> welcome!

my suggestion would be to not use other people's domain names and ip
addresses when protecting the innocent.  after all, they're innocent
too, and i'd imagine you wouldn't want them using your domain name in
their examples ;) .  various rfcs [6761, 3330, others] provide for these
needs.

-ben