NSD Authoritative DNS Server + Shorewall - SME Networks

General index of the series: Computer Networks for SMEs: Introduction

This article is a continuation of:

Hello friends!

The Enthusiasts group bought the Internet domain name desdelinux.fan from its Internet Service Provider (ISP). As part of this acquisition, they asked the ISP to include all the DNS records needed for the Internet to resolve queries about their domain.

They also requested that SRV records for XMPP be included, because they plan to install an instant messaging server based on Prosody that will join the existing federation of XMPP-compatible servers on the Internet.

  • The main purpose of this article is to show how to declare, in a DNS zone file, the SRV records related to an XMPP-compatible Instant Messaging service.
  • The Shorewall installation with a single network interface can serve anyone who decides to set up a server like this one to manage a delegated DNS zone. If that server connects to the enterprise LAN in addition to the Internet, the configuration must be adjusted for two network interfaces.

Base server

We are going to install an NSD authoritative DNS server on Debian "Jessie". It also acts as the root server for the "fan." zone. The main parameters of the server are:

Name: ns.fan
IP address: 172.16.10.30

root@ns:~# hostname
ns

root@ns:~# hostname --fqdn
ns.fan

root@ns:~# ip addr show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:dc:d7:1b brd ff:ff:ff:ff:ff:ff
    inet 172.16.10.30/24 brd 172.16.10.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fedc:d71b/64 scope link
       valid_lft forever preferred_lft forever

Shorewall

Before exposing a service to the Internet, it is well worth protecting the server and the services it provides with a solid firewall/router. Shorewall is relatively easy to configure and is a safe choice for that protection.

  • The correct and complete configuration of a firewall is a task for connoisseurs or experts, which we are not. We only offer a guide to a minimal, functional configuration.

We install the shorewall package and its documentation.

root@ns:~# aptitude show shorewall
Package: shorewall
New: yes
State: not installed
Version: 4.6.4.3-2

root@ns:~# aptitude install shorewall shorewall-doc

Documentation

You will find abundant documentation in the folders:

  • /usr/share/doc/shorewall
  • /usr/share/doc/shorewall/examples
  • /usr/share/doc/shorewall-doc/html

We configure a single network interface

root@ns:~# cp /usr/share/doc/shorewall/examples/one-interface/interfaces /etc/shorewall/

root@ns:~# nano /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,logmartians,nosmurfs,sourceroute=0

We declare the firewall zones

root@ns:~# cp /usr/share/doc/shorewall/examples/one-interface/zones /etc/shorewall/

root@ns:~# nano /etc/shorewall/zones
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4

Default policies to access the firewall

root@ns:~# cp /usr/share/doc/shorewall/examples/one-interface/policy /etc/shorewall/

root@ns:~# nano /etc/shorewall/policy
#SOURCE     DEST    POLICY      LOG     LIMIT:BURST
#                               LEVEL
$FW         net     ACCEPT
net         all     DROP        info
# THE FOLLOWING POLICY MUST BE LAST
all         all     REJECT      info

Rules for accessing the firewall

root@ns:~# cp /usr/share/doc/shorewall/examples/one-interface/rules /etc/shorewall/

root@ns:~# nano /etc/shorewall/rules
#ACTION         SOURCE      DEST    PROTO   DEST    SOURCE      ORIGINAL    RATE    USER/   MARK
#                                           PORT    PORT(S)     DEST        LIMIT   GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

# Drop packets in the INVALID state
Invalid(DROP)   net         $FW     tcp

# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
# (the system log is /var/log/syslog)
Ping(DROP)      net         $FW

# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT          $FW         net     icmp

# Own rules
# Access via SSH from two computers
SSH/ACCEPT      net:172.16.10.1,172.16.10.10    $FW     tcp     22

# Allow traffic on ports 53/tcp and 53/udp
ACCEPT          net         $FW     tcp     53
ACCEPT          net         $FW     udp     53

We check the syntax of the configuration files

root@ns:~# shorewall check
Checking...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /etc/shorewall/policy...
Adding Anti-smurf Rules
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking Accept Source Routing...
Checking MAC Filtration - Phase 1...
Checking /etc/shorewall/rules...
Checking /etc/shorewall/conntrack...
Checking MAC Filtration - Phase 2...
Applying Policies...
Checking /usr/share/shorewall/action.Drop for chain Drop...
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
Shorewall configuration verified

root@ns:~# nano /etc/default/shorewall
# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start
startup=1

root@ns:~# service shorewall start
root@ns:~# service shorewall restart
root@ns:~# service shorewall status
● shorewall.service - LSB: Configure the firewall at boot time
   Loaded: loaded (/etc/init.d/shorewall)
   Active: active (exited) since Sun 2017-04-30 16:02:24 EDT; 31min ago
  Process: 2707 ExecStop=/etc/init.d/shorewall stop (code=exited, status=0/SUCCESS)
  Process: 2777 ExecStart=/etc/init.d/shorewall start (code=exited, status=0/SUCCESS)

It is very instructive to read the output of the command iptables -L carefully, especially the default policies for INPUT, FORWARD and OUTPUT, and the packets the firewall rejects to protect itself against external attacks. At least it goes out to the Internet with a little protection, right? 😉

root@ns:~# iptables -L

NSD

root@ns:~# aptitude show nsd
Package: nsd
New: yes
State: installed
Automatically installed: no
Version: 4.1.0-3

root@ns:~# aptitude install nsd
root@ns:~# ls /usr/share/doc/nsd/
contrib changelog.Debian.gz NSD-DIFFFILE REQUIREMENTS.gz examples changelog.gz NSD-FOR-BIND-USERS.gz TODO.gz copyright differences.pdf.gz README.gz UPGRADING CREDITS NSD-DATABASE RELNOTES.gz

root@ns:~# nano /etc/nsd/nsd.conf
# NSD configuration file for Debian.
#
# See the nsd.conf(5) man page.
#
# See /usr/share/doc/nsd/examples/nsd.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/nsd/nsd.conf.d directory.
# WARNING: The glob style doesn't work yet...
# include: "/etc/nsd/nsd.conf.d/*.conf"

server:
    logfile: "/var/log/nsd.log"
    ip-address: 172.16.10.30
    # listen on IPv4 connections
    do-ip4: yes
    # listen on IPv6 connections
    do-ip6: no
    # port to answer queries on. default is 53.
    port: 53
    username: nsd

# In zones, the provide-xfr option is for
# axfr checks

zone:
    name: fan
    zonefile: /etc/nsd/fan.zone

zone:
    name: desdelinux.fan
    zonefile: /etc/nsd/desdelinux.fan.zone
    provide-xfr: 172.16.10.250 NOKEY

zone:
    name: 10.16.172.in-addr.arpa
    zonefile: /etc/nsd/10.16.172.arpa.zone
    provide-xfr: 172.16.10.250 NOKEY

zone:
    name: swl.fan
    zonefile: /etc/nsd/swl.fan.zone

zone:
    name: debian.fan
    zonefile: /etc/nsd/debian.fan.zone

zone:
    name: centos.fan
    zonefile: /etc/nsd/centos.fan.zone

zone:
    name: freebsd.fan
    zonefile: /etc/nsd/freebsd.fan.zone

root@ns:~# nsd-checkconf /etc/nsd/nsd.conf
root@ns:~#

We create the zone files

The root zone "fan." configured below is FOR TESTING ONLY and should not be taken as an example. We are not administrators of real Root Name Servers. 😉

root@ns:~# nano /etc/nsd/fan.zone
$ORIGIN fan.
$TTL 3H
@       IN      SOA     ns.fan. root.fan. (
                                1       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum or
                                        ; Negative caching time to live
;
@       IN      NS      ns.fan.
@       IN      A       172.16.10.30
;
ns      IN      A       172.16.10.30

root@ns:~# nano /etc/nsd/desdelinux.fan.zone
$ORIGIN desdelinux.fan.
$TTL 3H
@       IN      SOA     ns.desdelinux.fan. root.desdelinux.fan. (
                                1       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum or
                                        ; Negative caching time to live
;
@       IN      NS      ns.desdelinux.fan.
@       IN      MX      10 mail.desdelinux.fan.
@       IN      TXT     "v=spf1 a:mail.desdelinux.fan -all"
;
; Record to resolve queries for desdelinux.fan itself
@       IN      A       172.16.10.10
;
ns      IN      A       172.16.10.30
mail    IN      CNAME   desdelinux.fan.
chat    IN      CNAME   desdelinux.fan.
www     IN      CNAME   desdelinux.fan.
;
; SRV records related to XMPP
_xmpp-server._tcp       IN      SRV     0 0 5269 desdelinux.fan.
_xmpp-client._tcp       IN      SRV     0 0 5222 desdelinux.fan.
_jabber._tcp            IN      SRV     0 0 5269 desdelinux.fan.
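As an added check that is not part of the article and is not an NSD tool: the Python script below parses a zone file written in the same syntax as the ones above and reports SRV, MX or NS records whose target is a CNAME (forbidden by RFC 2782 and by RFC 2181 section 10.3, and a classic cause of clients failing to reach an XMPP or mail host) or an in-zone name with no address record. Run on a constructed copy of the desdelinux.fan zone, it flags the MX record, whose target mail.desdelinux.fan is a CNAME, something nsd-checkzone accepts without complaint.

```python
# Zone lint: SRV/MX/NS targets must not be CNAMEs (RFC 2782; RFC 2181 s.10.3)
import re

# Constructed sample mirroring the article's desdelinux.fan zone (not live data).
ZONE_TEXT = """\
$ORIGIN desdelinux.fan.
$TTL 3H
@  IN SOA ns.desdelinux.fan. root.desdelinux.fan. (
      1 1D 1H 1W 3H ) ; serial refresh retry expire minimum
@  IN NS  ns.desdelinux.fan.
@  IN MX  10 mail.desdelinux.fan.
@  IN TXT "v=spf1 a:mail.desdelinux.fan -all"
@  IN A   172.16.10.10
ns IN A   172.16.10.30
mail IN CNAME desdelinux.fan.
_xmpp-server._tcp IN SRV 0 0 5269 desdelinux.fan.
_xmpp-client._tcp IN SRV 0 0 5222 desdelinux.fan.
"""
TTL_RE = re.compile(r"\d+[smhdwSMHDW]?")
COMMENT_RE = re.compile(r';(?:[^"]*"[^"]*")*[^"]*$')  # ';' to end of line, outside quotes

def absolute(name, origin):
    """Expand '@' and relative names against $ORIGIN."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (origin, [(owner, type, rdata tokens)]) from a BIND-style zone file."""
    origin, records, buf, depth = ".", [], [], 0
    for raw in text.splitlines():
        line = COMMENT_RE.sub("", raw)
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:                      # still inside a ( ... ) multi-line record
            continue
        tokens, buf = " ".join(buf).split(), []
        if not tokens or tokens[0] == "$TTL":
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        owner = absolute(tokens.pop(0), origin)
        while tokens and (TTL_RE.fullmatch(tokens[0]) or tokens[0].upper() == "IN"):
            tokens.pop(0)                  # skip optional per-record TTL and class
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return origin, records

def lint(origin, records):
    """Findings for SRV/MX/NS targets that are CNAMEs or in-zone names without A/AAAA."""
    types_at = {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    findings = []
    for owner, rtype, rdata in (r for r in records if r[1] in ("SRV", "MX", "NS")):
        target = absolute(rdata[-1], origin)          # last rdata token is the target name
        types = types_at.get(target, set())
        in_zone = target == origin or target.endswith("." + origin)
        if "CNAME" in types:
            findings.append(f"{rtype} at {owner} points to CNAME {target}")
        elif in_zone and not types & {"A", "AAAA"}:
            findings.append(f"{rtype} at {owner} target {target} has no address record")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(*parse_zone(ZONE_TEXT))) or "no findings")
```

The parser is deliberately minimal (explicit owner on every record, no $INCLUDE or $GENERATE), enough for hand-written zones like the ones in this article.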

root@ns:~# nano /etc/nsd/10.16.172.arpa.zone
$ORIGIN 10.16.172.in-addr.arpa.
$TTL 3H
@       IN      SOA     ns.desdelinux.fan. root.desdelinux.fan. (
                                1       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum or
                                        ; Negative caching time to live
;
@       IN      NS      ns.desdelinux.fan.
;
30      IN      PTR     ns.desdelinux.fan.
10      IN      PTR     desdelinux.fan.

root@ns:~# nsd-checkzone desdelinux.fan /etc/nsd/desdelinux.fan.zone
zone desdelinux.fan is ok

root@ns:~# nsd-checkzone 10.16.172.in-addr.arpa /etc/nsd/10.16.172.arpa.zone
zone 10.16.172.in-addr.arpa is ok

# On Debian, NSD finishes its installation enabled by default
root@ns:~# systemctl restart nsd
root@ns:~# systemctl status nsd
● nsd.service - Name Server Daemon
   Loaded: loaded (/lib/systemd/system/nsd.service; enabled)
   Active: active (running) since Sun 2017-04-30 09:42:19 EDT; 21min ago
 Main PID: 1230 (nsd)
   CGroup: /system.slice/nsd.service
           ├─1230 /usr/sbin/nsd -d -c /etc/nsd/nsd.conf
           ├─1235 /usr/sbin/nsd -d -c /etc/nsd/nsd.conf
           └─1249 /usr/sbin/nsd -d -c /etc/nsd/nsd.conf

Checks from the ns.fan server itself

root@ns:~# host desdelinux.fan
desdelinux.fan has address 172.16.10.10
desdelinux.fan mail is handled by 10 mail.desdelinux.fan.

root@ns:~# host mail.desdelinux.fan
mail.desdelinux.fan is an alias for desdelinux.fan.
desdelinux.fan has address 172.16.10.10
desdelinux.fan mail is handled by 10 mail.desdelinux.fan.

root@ns:~# host chat.desdelinux.fan
chat.desdelinux.fan is an alias for desdelinux.fan.
desdelinux.fan has address 172.16.10.10
desdelinux.fan mail is handled by 10 mail.desdelinux.fan.

root@ns:~#host www.desdelinux.fan
www.desdelinux.fan is an alias for desdelinux.fan.
desdelinux.fan has address 172.16.10.10
desdelinux.fan mail is handled by 10 mail.desdelinux.fan.

root@ns:~# host ns.desdelinux.fan
ns.desdelinux.fan has address 172.16.10.30

root@ns:~# host 172.16.10.30
30.10.16.172.in-addr.arpa domain name pointer ns.desdelinux.fan.

root@ns:~# host 172.16.10.10
10.10.16.172.in-addr.arpa domain name pointer desdelinux.fan.

root@ns:~# host ns.fan
ns.fan has address 172.16.10.30

Name resolution checks from the Internet

  • Thorough DNS queries are never too much, because correct Domain Name Resolution depends to a great extent on the network working correctly.

To perform the DNS queries, I connected a laptop with IP 172.16.10.250 and gateway 172.16.10.1 to my test switch; that gateway address corresponds to my workstation sysadmin.desdelinux.fan, as known from previous articles.

sandra@laptop:~$ sudo ip addr show
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:17:42:8e:85:54 brd ff:ff:ff:ff:ff:ff
    inet 172.16.10.250/24 brd 172.16.10.255 scope global eth0
    inet6 fe80::217:42ff:fe8e:8554/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:1d:e0:88:09:d5 brd ff:ff:ff:ff:ff:ff
4: pan0: mtu 1500 qdisc noop state DOWN
    link/ether de:0b:67:52:69:ad brd ff:ff:ff:ff:ff:ff

sandra@laptop:~$ sudo route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.10.1     0.0.0.0         UG    0      0        0 eth0
172.16.10.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

sandra @ laptop: ~ $ cat /etc/resolv.conf
nameserver 172.16.10.30

sandra@laptop:~$ host desdelinux.fan
desdelinux.fan has address 172.16.10.10
desdelinux.fan mail is handled by 10 mail.desdelinux.fan.

sandra@laptop:~$ host mail.desdelinux.fan
mail.desdelinux.fan is an alias for desdelinux.fan.
desdelinux.fan has address 172.16.10.10
desdelinux.fan mail is handled by 10 mail.desdelinux.fan.

sandra@laptop:~$ host ns.desdelinux.fan
ns.desdelinux.fan has address 172.16.10.30

sandra@laptop:~$ host 172.16.10.30
30.10.16.172.in-addr.arpa domain name pointer ns.desdelinux.fan.

sandra@laptop:~$ host 172.16.10.10
10.10.16.172.in-addr.arpa domain name pointer desdelinux.fan.

sandra@laptop:~$ host -t SRV _xmpp-server._tcp.desdelinux.fan
_xmpp-server._tcp.desdelinux.fan has SRV record 0 0 5269 desdelinux.fan.

sandra@laptop:~$ host -t SRV _xmpp-client._tcp.desdelinux.fan
_xmpp-client._tcp.desdelinux.fan has SRV record 0 0 5222 desdelinux.fan.

sandra@laptop:~$ host -t SRV _jabber._tcp.desdelinux.fan
_jabber._tcp.desdelinux.fan has SRV record 0 0 5269 desdelinux.fan.

sandra@laptop:~$ host -a fan.
Trying "fan"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57542
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;fan.                           IN      ANY

;; ANSWER SECTION:
fan.                    10800   IN      SOA     ns.fan. root.fan. 1 86400 3600 604800 10800
fan.                    10800   IN      NS      ns.fan.
fan.                    10800   IN      A       172.16.10.30

;; ADDITIONAL SECTION:
ns.fan.                 10800   IN      A       172.16.10.30

Received 111 bytes from 172.16.10.30#53 in 0 ms

  • We intentionally gave the laptop the address 172.16.10.250 in order to check EVERYTHING by means of a DNS AXFR query, since the zones were configured to allow this type of query from that IP without any password.

sandra@laptop:~$ dig desdelinux.fan axfr

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> desdelinux.fan axfr
;; global options: +cmd
desdelinux.fan.         10800   IN      SOA     ns.desdelinux.fan. root.desdelinux.fan. 1 86400 3600 604800 10800
desdelinux.fan.         10800   IN      NS      ns.desdelinux.fan.
desdelinux.fan.         10800   IN      MX      10 mail.desdelinux.fan.
desdelinux.fan.         10800   IN      TXT     "v=spf1 a:mail.desdelinux.fan -all"
desdelinux.fan.         10800   IN      A       172.16.10.10
_jabber._tcp.desdelinux.fan. 10800 IN   SRV     0 0 5269 desdelinux.fan.
_xmpp-client._tcp.desdelinux.fan. 10800 IN SRV  0 0 5222 desdelinux.fan.
_xmpp-server._tcp.desdelinux.fan. 10800 IN SRV  0 0 5269 desdelinux.fan.
chat.desdelinux.fan.    10800   IN      CNAME   desdelinux.fan.
mail.desdelinux.fan.    10800   IN      CNAME   desdelinux.fan.
ns.desdelinux.fan.      10800   IN      A       172.16.10.30
www.desdelinux.fan.     10800   IN      CNAME   desdelinux.fan.
desdelinux.fan.         10800   IN      SOA     ns.desdelinux.fan. root.desdelinux.fan. 1 86400 3600 604800 10800
;; Query time: 0 msec
;; SERVER: 172.16.10.30#53(172.16.10.30)
;; WHEN: Sun Apr 30 10:37:10 EDT 2017
;; XFR size: 13 records (messages 1, bytes 428)

sandra@laptop:~$ dig 10.16.172.in-addr.arpa axfr

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> 10.16.172.in-addr.arpa axfr
;; global options: +cmd
10.16.172.in-addr.arpa. 10800   IN      SOA     ns.desdelinux.fan. root.desdelinux.fan. 1 86400 3600 604800 10800
10.16.172.in-addr.arpa. 10800   IN      NS      ns.desdelinux.fan.
10.10.16.172.in-addr.arpa. 10800 IN     PTR     desdelinux.fan.
30.10.16.172.in-addr.arpa. 10800 IN     PTR     ns.desdelinux.fan.
10.16.172.in-addr.arpa. 10800   IN      SOA     ns.desdelinux.fan. root.desdelinux.fan. 1 86400 3600 604800 10800
;; Query time: 0 msec
;; SERVER: 172.16.10.30#53(172.16.10.30)
;; WHEN: Sun Apr 30 10:37:27 EDT 2017
;; XFR size: 5 records (messages 1, bytes 193)

sandra@laptop:~$ ping ns.desdelinux.fan
PING ns.desdelinux.fan (172.16.10.30) 56(84) bytes of data.

The necessary DNS queries were all answered correctly. We also confirmed that Shorewall works as intended and does not answer ping from computers connected to the Internet (the net zone).

Summary

  • We saw how to install and configure, with the basic and minimum options, an authoritative DNS server based on NSD. We verified that the syntax of its zone files is very similar to BIND's. There is very good and complete literature on NSD on the Internet.
  • We met the goal of showing how to declare the SRV records related to XMPP.
  • We walked through the installation and minimal configuration of a Shorewall-based firewall.

Next delivery

Prosody IM and local users.


Comments

  1.   fracielarevalo said

    Good morning, friends of the Linux community. Very good tutorial. I tried to install the DNS but it says that the command is not found; is there another alternative? Thanks for the information.

  2.   Alberto said

    Question?…. Are you not going to use SAMBA as a domain controller for SME networks?

  3.   federico said

    fracielarevalo: Note that the article is based on installing the NSD on the Debian operating system "Jessie", not on CentOS.

    Alberto: You have to go from the simple to the complex. Later we will see Samba 4 as an AD-DC, that is, an Active Directory Domain Controller. Patience. I recommend you read the previous article, especially the paragraph that says: Was the authentication mechanism at the birth of the ARPANET, the Internet, and other early Wide Area Networks or Local Area Networks based on LDAP, Directory Service, Microsoft LSASS, Active Directory, or Kerberos, to mention a few?

    Remember that all articles are related and that it is a series. I do not think it is useful at all to start the other way around, that is, from an Active Directory and return to PAM. As you will see, many types of authentications end in PAM on your Linux desktop. Simple solutions like the one we cover with PAM deserve to be written. If the purpose is understood, they should be read and studied.

    Greetings and thank you both for commenting.

  4.   IWOMore said

    Another great article by the author, as usual there is always something new and extremely useful for those of us who think we are "sysadmins".
    Here are my notes:
    1- Use of NSD instead of BIND as Authoritative DNS server.
    2- Insert in the DNS zone file the SRV records related to the Instant Messaging service compatible with XMPP.
    3- Using the Shorewall Firewall with a network interface.
    This post serves as a "base" for me (as he has modestly stated and is the aspiration of the author throughout the entire SME series) if in the future I see the need to implement a similar solution.

  5.   lizard said

    The Enthusiasts group again helps us increase our knowledge in the area of networks for SMEs. Thank you very much for such a good contribution; the community, myself and, I think, a good number of sysadmins thank you for such an invaluable contribution... In the past I had some dealings with Shorewall, but delving into a practical case the way you have done is quite difficult. This series on networks for SMEs is a pioneer in documenting the various areas a sysadmin should handle, given that most of the documentation on this is in the universal language, English...

    Don't stop, congratulations and we move on !!!

  6.   federico said

    Lagarto: Thank you very much for your comment and for the gratitude. I try to give in the series the minimum base that a sysadmin needs. Of course, it will depend to a degree on self-study and on each person's interest in each of the topics discussed.

    We continue forward !!!

  7.   GhostXxX said

    Hello to the Linux community ;). I am new to the OS; I chose to leave Windows in the past and I am eager to learn as much as I can. Very good article. Best regards.

  8.   federico said

    Thanks Ghost for joining the Community and for commenting