Data Networking/Spring 2015/Group 7

Introduction
In this project we configure a LAN environment by implementing DHCP, DNS and a web server, and we implement a firewall to prevent unauthorized access.

Understanding the Protocol
Functionality of DNS:

The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates domain names, which can be easily memorized by humans, to the numerical IP addresses needed by computer services and devices worldwide. The Domain Name System is an essential component of the functionality of most Internet services because it is the Internet's primary directory service. A client sends a query to the DNS, and the query is resolved to an IP address using one of the following processes:

• Recursive process
• Iterative process

Depending on the query forwarded by the client, the DNS can perform two functions:

• Forward DNS query: hostname to IP address
• Reverse DNS query: IP address to hostname

There are three classes of DNS servers:

• Root DNS servers
• TLD (top-level domain) DNS servers
• Authoritative DNS servers

BIND is an acronym for Berkeley Internet Name Domain. Version 9 was developed by Nominum, Inc. The BIND 9 software distribution contains both a name server and a resolver library. Its features include:

• DNSSEC (DNS Security Extensions)
• TSIG (Transaction Signature)
• IPv6: resolves IPv6 addresses as well
• RNDC (remote name daemon control)
• Multiprocessor support
• Improved portability architecture

The basic terms used in BIND 9 are given below.

Domains and Domain Name

The data stored in the DNS is identified by domain names that are organized as a tree according to organizational or administrative boundaries. Each node of the tree is called a domain.

Zones

A zone consists of the part of the domain tree for which a name server has complete information. It contains all domain names from a certain point downward in the domain tree, except those which are delegated to other zones.

Authoritative Name Servers

Each zone is served by at least one authoritative name server, which contains the complete data for the zone. The authoritative servers can be classified into three types:

i. The Primary Master:

The authoritative server where the master copy of the zone data is maintained is called the primary master server.

ii. Slave Servers:

Slave servers load the zone contents from another server using a replication process known as a zone transfer.

Name Servers in Multiple Roles

The BIND name server can simultaneously act as a master for some zones, a slave for other zones, and as a caching (recursive) server for a set of local clients. The server in our configuration is the primary master as well as the caching server, which helps in resolving queries at the local level.

When a client tries to open a website, say www.wikiversity.com, we can get the data from this website only if we reach the web server of the website, and this web server can be reached or identified only by its global IP address. The DNS (Domain Name Server) plays the important role of converting the website name to its corresponding IP address and vice versa. The query for this conversion is sent to the local DNS server, and onward if necessary, and the matching IP address is returned. The host with that IP address is now accessible by the web browser on the client. Here, a BIND9 server with caching has been used. When a DNS response is cached, the time required to fetch it and display the page the next time the page is requested is reduced by thousands of milliseconds.

Functionality of DHCP:

The Dynamic Host Configuration Protocol (DHCP) is a standardized network protocol used on Internet Protocol (IP) networks for dynamically distributing network configuration parameters, such as IP addresses for interfaces and services. With DHCP, computers request IP addresses and networking parameters automatically from a DHCP server, reducing the need for a network administrator or a user to configure these settings manually.

The communication between the client and the DHCP server is as follows:

• When a client (device) is connected to the network, it sends a DHCPDISCOVER message to the DHCP server. Since the client has no network configuration yet, the source address is 0.0.0.0 and the destination is 255.255.255.255. If the server is in the local subnet it receives the message directly; otherwise a relay agent is used to pass the request to the DHCP server.
• When the DHCP server receives the DHCPDISCOVER, it replies with a DHCPOFFER providing all the network configuration required by the client.
• To indicate that it wants to accept the configuration sent in the DHCPOFFER, the client sends a DHCPREQUEST message back to the server. If multiple DHCP servers received the DHCPDISCOVER, the client receives multiple DHCPOFFERs but replies to only one of them.
• Once the server receives the DHCPREQUEST, it sends back a DHCPACK, which indicates that the client can use the IP address assigned to it. The lease on the IP address starts at this point.

Functionality of Webserver
A web server is an information technology that processes requests via HTTP, the basic network protocol used to distribute information on the World Wide Web. The term can refer either to the entire computer system, an appliance, or specifically to the software that accepts and supervises the HTTP requests.

The HTTP connection can be of three types:

• Non-persistent HTTP: In this type of connection, the session ends after the transfer of data, and the handshake must be performed again for the next data transfer.
• Persistent HTTP: In a persistent HTTP connection, the session stays open after the data has been transferred, so no new HTTP connection is required for further transfers.
• Persistent with pipelining: This is a special case of the persistent HTTP connection, in which multiple objects can be received in a fixed time interval. The benefit of this type of connection is that it saves time and allows more data to be transferred.

Apache2:

Apache2 is an HTTP web server. Apache2 supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Some common language interfaces support Perl, Python, Tcl, and PHP. Popular authentication modules include mod_access, mod_auth, mod_digest, and mod_auth_digest, the successor to mod_digest. A sample of other features includes Secure Sockets Layer and Transport Layer Security support (mod_ssl), a proxy module (mod_proxy), a URL rewriter (mod_rewrite), custom log files (mod_log_config), and filtering support (mod_include and mod_ext_filter).

Firewall:

A firewall is a hardware or software system that prevents unauthorized access to or from a network. It can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet. All data entering or leaving the intranet pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria. The name firewall comes from a common architectural practice of placing a brick wall between two structures, to prevent a fire in one from spreading to the other.

The National Institute of Standards and Technology (NIST) 800-10 divides firewalls into three basic types:

• Packet filters
• Stateful inspection
• Proxies

Firewalls act as a platform for network security policy enforcement and network traffic inspection. They are defined by the following attributes:

• Standard capabilities: packet filtering, stateful protocol inspection, network address translation (NAT), VPN connectivity.
• Truly integrated intrusion prevention: support for vulnerability-facing and threat-facing signatures, and suggesting rules based on IPS activity.
• Full stack visibility and application identification: the ability to enforce policy at the application layer.
• Extra firewall intelligence: the ability to take information from external sources and make improved decisions.
• Adaptability to modern threat landscapes: support for upgrade paths to integrate new information feeds and new techniques to address future threats.
• In-line support with minimum performance degradation or disruption to network service.

The Requirements
We need a Linux-based OS; in this project we have used Ubuntu 12.04 LTS. We also require bind9 to configure the DNS server, apache2 to implement the web server, and the DHCP server package (isc-dhcp-server) to implement the DHCP server.

Steps to perform the setup / installation
Installation of Domain Name System (DNS):

Step 1: Change the interface accordingly (eth0 or wlan0)
Command: sudo nano /etc/network/interfaces

# Change lo to either eth0 or wlan0 and loopback to static
auto eth0
iface eth0 inet static
    address 192.168.2.4
    netmask 255.255.255.0
    gateway 192.168.2.3
    network 192.168.2.0
    broadcast 192.168.2.255
    dns-nameservers 192.168.2.1
    dns-search projectlinuxnash.com

(The original page wrote the last two keys as dns-domain-nameserver and dns-domain-search; the option names resolvconf actually reads are dns-nameservers and dns-search.)

Step 2: Restart the network
Command: sudo /etc/init.d/networking restart

Step 3: Install bind9
Command: sudo apt-get install bind9

Step 4: Uncomment the forwarders
Command: sudo nano /etc/bind/named.conf.options
Remove the "//" signs to uncomment the forwarders block and add the forwarder address. We used the DNS IP address 192.168.2.4.

Step 5: Define the entries for the forward and reverse lookup zones
Command: sudo nano /etc/bind/named.conf.local

For the forward lookup zone write the following. On the master:

zone "projectlinuxnash.com" {
    type master;
    file "/etc/bind/db.projectlinuxnash.com";
    allow-transfer { IP of slave; };
};

On the slave:

zone "projectlinuxnash.com" {
    type slave;
    masters { IP of master; };
    file "/var/cache/bind/db.projectlinuxnash.com";
};

For the reverse lookup zone write the following. On the master:

zone "2.168.192.in-addr.arpa" {
    type master;
    allow-transfer { IP of slave; };
    file "/etc/bind/db.192";
};

On the slave:

zone "2.168.192.in-addr.arpa" {
    type slave;
    masters { IP of master; };
    file "/var/cache/bind/db.192";
};

Step 6: Create the zone files referenced in named.conf.local so that they exist when bind9 starts
Command: copy the template zone file to the name used in named.conf.local

sudo cp /etc/bind/db.local /etc/bind/db.projectlinuxnash.com

Step 7: Edit the forward lookup zone
Command: sudo nano /etc/bind/db.projectlinuxnash.com

$TTL 604800
@   IN  SOA projectlinuxnash.com. root.projectlinuxnash.com. (
            2        ; Serial number
            604800   ; Refresh rate
            86400    ; Retry
            2419200  ; Expire
            604800 ) ; Negative Cache TTL
@   IN  NS    ubuntu.projectlinuxnash.com.
@   IN  A     192.168.2.1
@   IN  AAAA  fe80::be77:37ff:fe7d:dc2d
; A records
abcd     IN  A  192.168.2.54
ubuntu   IN  A  192.168.2.68
ubuntu1  IN  A  192.168.2.92
ubuntu2  IN  A  192.168.2.74
; MX record
mail     IN  MX  10  mailhost.projectlinuxnash.com.
; CNAME records
server2013  IN  CNAME  ubuntu.projectlinuxnash.com.
server2014  IN  CNAME  ubuntu1.projectlinuxnash.com.
www         IN  CNAME  ubuntu.projectlinuxnash.com.

(Comments in a zone file start with ";", not "#"; the "#" lines on the original page would make named refuse to load the zone.)

Step 8: Edit the reverse lookup zones for both IPv4 and IPv6
Command: sudo nano /etc/bind/db.192 (the file named in named.conf.local)

Reverse bind file for IPv4:

$TTL 604800
@   IN  SOA projectlinuxnash.com. root.projectlinuxnash.com. (
            1        ; Serial
            604800   ; Refresh
            86400    ; Retry
            2419200  ; Expire
            604800 ) ; Negative Cache TTL
@   IN  NS   ubuntu.projectlinuxnash.com.
54  IN  PTR  abcd.projectlinuxnash.com.
68  IN  PTR  ubuntu.projectlinuxnash.com.
92  IN  PTR  ubuntu1.projectlinuxnash.com.
74  IN  PTR  ubuntu.projectlinuxnash.com.

Reverse bind file for IPv6:

$TTL 604800
@   IN  SOA projectlinuxnash.com. root.ubuntu.projectlinuxnash.com. (
            1        ; Serial
            604800   ; Refresh
            86400    ; Retry
            2419200  ; Expire
            604800 ) ; Negative Cache TTL

Step 9: Restart the bind9 service in order for the changes to take effect
Command: sudo /etc/init.d/bind9 restart
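A check worth running after editing the two zone files: parse the A and PTR records and confirm that every forward entry has a matching reverse entry and vice versa. This is an added example, not part of the project; the record data is transcribed from the page's db.projectlinuxnash.com and db.192 files, with an $ORIGIN line added so the snippet is self-contained (BIND takes the origin from the zone name in named.conf.local). Run as transcribed, it reports that the apex address 192.168.2.1 has no PTR and that 74 resolves back to ubuntu rather than ubuntu2.

```python
"""Check that the forward (A) and reverse (PTR) zone data agree.

Added example, not part of the original project files. The records below
are transcribed from the page's db.projectlinuxnash.com and db.192 (only
the lines relevant to the check are kept); the "74 -> ubuntu" PTR is as
written on the page, and the check reports it."""
import re

FORWARD_ZONE = """\
$ORIGIN projectlinuxnash.com.
@        IN  NS    ubuntu.projectlinuxnash.com.
@        IN  A     192.168.2.1
abcd     IN  A     192.168.2.54
ubuntu   IN  A     192.168.2.68
ubuntu1  IN  A     192.168.2.92
ubuntu2  IN  A     192.168.2.74
www      IN  CNAME ubuntu.projectlinuxnash.com.
"""

REVERSE_ZONE = """\
$ORIGIN 2.168.192.in-addr.arpa.
@   IN  NS   ubuntu.projectlinuxnash.com.
54  IN  PTR  abcd.projectlinuxnash.com.
68  IN  PTR  ubuntu.projectlinuxnash.com.
92  IN  PTR  ubuntu1.projectlinuxnash.com.
74  IN  PTR  ubuntu.projectlinuxnash.com.
"""

# owner [ttl] IN (A|PTR) rdata  -- other record types are ignored
RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|PTR)\s+(\S+)", re.I)

def parse_zone(text):
    """Return ($ORIGIN, [(owner, rtype, rdata), ...]) for A and PTR records."""
    origin, records = ".", []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()        # drop zone-file comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = RECORD.match(line)
        if m:
            records.append((m.group(1), m.group(2).upper(), m.group(3)))
    return origin, records

def fqdn(name, origin):
    """Qualify a relative owner name against $ORIGIN ("@" means the origin)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def reverse_name(ip):
    """192.168.2.54 -> 54.2.168.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def check_consistency(forward_text, reverse_text):
    """Return a list of human-readable problems; an empty list means consistent."""
    f_origin, f_recs = parse_zone(forward_text)
    r_origin, r_recs = parse_zone(reverse_text)
    a_by_rev = {reverse_name(ip): fqdn(owner, f_origin)
                for owner, rtype, ip in f_recs if rtype == "A"}
    ptr_by_rev = {fqdn(owner, r_origin): target
                  for owner, rtype, target in r_recs if rtype == "PTR"}
    problems = []
    for rev, host in a_by_rev.items():
        if rev not in ptr_by_rev:
            problems.append(f"no PTR for {host} ({rev})")
        elif ptr_by_rev[rev] != host:
            problems.append(f"{rev} points to {ptr_by_rev[rev]}, forward says {host}")
    for rev, target in ptr_by_rev.items():
        if rev not in a_by_rev:
            problems.append(f"PTR {rev} -> {target} has no matching A record")
    return problems

if __name__ == "__main__":
    for p in check_consistency(FORWARD_ZONE, REVERSE_ZONE):
        print("MISMATCH:", p)
```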

Step 10: Edit the resolv.conf file
Command: sudo nano /etc/resolv.conf

nameserver 192.168.2.1
nameserver 127.0.1.1
search projectlinuxnash.com example.org

Installation of Dynamic Host Configuration Protocol (DHCP) (for IPv4):

Step 1: Install the DHCP server
Command: sudo apt-get install isc-dhcp-server

Step 2: Set a static IP address
Command: sudo nano /etc/network/interfaces

# Change lo to either eth0 or wlan0 and loopback to static
auto eth0
iface eth0 inet static
    address 192.168.2.10
    netmask 255.255.255.0
    gateway 192.168.2.3
    network 192.168.2.0
    broadcast 192.168.2.255
    dns-nameservers 192.168.2.1
    dns-search projectlinuxnash.com

Step 3: Restart the network
Command: sudo /etc/init.d/networking restart

Step 4: Configure the DHCP server
Command: sudo nano /etc/dhcp/dhcpd.conf

ddns-update-style none;
option domain-name-servers 192.168.2.1;
option domain-name "projectlinuxnash.com";
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 192.168.2.0 netmask 255.255.255.0 {
    # The original page wrote the range end as 192.168.0.100, which lies
    # outside the 192.168.2.0/24 subnet declared above; corrected here.
    range 192.168.2.10 192.168.2.100;
    option broadcast-address 192.168.2.255;
    option domain-name-servers 192.168.2.1;
}

Step 5: Edit the resolv.conf file
Command: sudo nano /etc/resolv.conf

nameserver 192.168.2.1

Step 6: Restart the DHCP service
Command: sudo service isc-dhcp-server restart
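To make the DHCPDISCOVER/DHCPOFFER/DHCPREQUEST/DHCPACK sequence from the DHCP section concrete, here is an added simulation of the server side driven by the pool, DNS and lease options from the dhcpd.conf above (example code, not part of the project; MAC addresses are constructed and messages are plain dicts rather than real packets). It also covers the case the description mentions, a client that received several offers and accepts a different server's, plus lease expiry and a request for an address that was never offered.

```python
"""Model of the DHCPDISCOVER / DHCPOFFER / DHCPREQUEST / DHCPACK exchange
described on this page, driven by the pool and options from dhcpd.conf.
Added example, not part of the original project; messages are plain dicts
rather than wire-format packets, and MAC addresses are constructed."""
import ipaddress

class DhcpServer:
    def __init__(self, server_ip, first, last, dns, domain, lease_time):
        self.server_ip = server_ip
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        # The page's range starts at the server's own static address (.10);
        # we skip it so the server never offers its own address.
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)
                     if str(ipaddress.IPv4Address(i)) != server_ip]
        self.options = {"domain-name-servers": dns, "domain-name": domain,
                        "lease-time": lease_time, "server-id": server_ip}
        self.offered = {}   # mac -> address tentatively reserved after DISCOVER
        self.leases = {}    # mac -> (address, expiry time in seconds)

    def _free_ip(self, now):
        busy = {ip for ip, exp in self.leases.values() if exp > now}
        busy |= set(self.offered.values())
        return next((ip for ip in self.pool if ip not in busy), None)

    def handle(self, msg, now=0):
        """Process one client message and return the server's reply, or None."""
        mac, xid = msg["mac"], msg["xid"]
        if msg["type"] == "DHCPDISCOVER":
            ip = self._free_ip(now)
            if ip is None:
                return None                      # pool exhausted: no OFFER
            self.offered[mac] = ip
            return {"type": "DHCPOFFER", "xid": xid, "yiaddr": ip, **self.options}
        if msg["type"] == "DHCPREQUEST":
            # Several servers may have sent OFFERs; the client names the one it
            # accepts in the server identifier, and only that server ACKs.
            if msg.get("server-id") != self.server_ip:
                self.offered.pop(mac, None)      # client chose another server
                return None
            if self.offered.get(mac) != msg.get("requested-ip"):
                return {"type": "DHCPNAK", "xid": xid, "server-id": self.server_ip}
            ip = self.offered.pop(mac)
            self.leases[mac] = (ip, now + self.options["lease-time"])  # lease starts
            return {"type": "DHCPACK", "xid": xid, "yiaddr": ip, **self.options}
        return None

def run_dora(server, mac, xid, now=0):
    """Play the four-step exchange for one client; return the ACK or None."""
    # DISCOVER is broadcast before the client has any configuration.
    discover = {"type": "DHCPDISCOVER", "mac": mac, "xid": xid,
                "src": "0.0.0.0", "dst": "255.255.255.255"}
    offer = server.handle(discover, now)
    if offer is None:
        return None
    request = {"type": "DHCPREQUEST", "mac": mac, "xid": xid,
               "requested-ip": offer["yiaddr"], "server-id": offer["server-id"]}
    return server.handle(request, now)

def demo_server():
    """Server configured like the page's dhcpd.conf (range end corrected to .100)."""
    return DhcpServer("192.168.2.10", "192.168.2.10", "192.168.2.100",
                      "192.168.2.1", "projectlinuxnash.com", lease_time=600)

if __name__ == "__main__":
    srv = demo_server()
    print(run_dora(srv, "00:11:22:33:44:55", 0x1234))   # constructed MAC
```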

Web Server:

Step 1: Install apache2
Command: sudo apt-get install apache2

Step 2: Check whether the web server is listening on port 80
Command: netstat -a | more

Step 3: Restart the web server
Command:
sudo /etc/init.d/apache2 stop     # if you run netstat now, the computer is no longer shown as listening
sudo /etc/init.d/apache2 start

Step 4: Put a webpage on the server
Command:
cd /var/www      # /var/www is the document root
sudo nano index.html

Firewall:

The firewall is implemented with iptables, an application program which allows the system admin to configure the tables provided by the Linux kernel firewall.

1. In order to block ICMP requests, write the following command (the destination address was left blank on the original page; substitute the protected host):
sudo iptables -A INPUT -d <server IP> -p icmp --icmp-type 0 -j DROP
2. In order to prevent SSH login, write the following command (source and destination were left blank on the original page):
sudo iptables -A INPUT -s <client IP> -d <server IP> -p tcp --dport ssh -j DROP
3. In order to block the FTP ports, write the following commands:
sudo iptables -A INPUT -d 192.168.2.11 -p tcp --dport 20 -j DROP
sudo iptables -A INPUT -d 192.168.2.11 -p tcp --dport 21 -j DROP
4. To block the port used by Telnet, write the following command:
sudo iptables -A INPUT -d 192.168.2.11 -p tcp --dport 23 -j DROP
5. To block the webpage, write the following command (the port number is missing on the original page):
sudo iptables -A INPUT -d 192.168.2.90 -s 192.168.2.99 -p tcp --dport <port> -j DROP

Backup:

In order to do backups, we have used a program called crontab.

Step 1: Generate a key pair and share the public key with the computer that receives the backed-up files, so that the files can be sent automatically.
Commands:
ssh-keygen -t rsa                       # create a pair of RSA keys
ssh root@192.168.0.254 mkdir -p .ssh
cat .ssh/id_rsa.pub | ssh root@192.168.0.254 'cat >> .ssh/authorized_keys'

Step 2: Create a script file (.sh file).
Command: sudo nano /home/dell/backup/backup.sh

cd /var/www/
cp index.html /home/dell/backup/    # copy the webpage file
cd /home/dell/backup
tar czf /home/dell/backup/backup.tar.gz ds1.fw index.html
sleep 1s
sync; sync
sleep 1s
scp backup.tar.gz root@192.168.0.254:/home/root/
sleep 1s
sync; sync

Step 3: On the receiving computer, extract the backup file automatically. Create the script:
cd /home/root/
sudo nano backup.sh

cd /home/root/
tar xzf backup.tar.gz

and add the following line to crontab so that it runs every day at 12:00:
0 12 * * * bash /home/root/backup.sh

NFS:

Commands to configure NFS. For the server follow these steps:

Step 1: Install NFS
Command: sudo apt-get install nfs-kernel-server

Step 2: Edit the exports file
Command: sudo nano /etc/exports

/home/wenrui/nfsroot *(rw,sync,no_root_squash)

("rw" means the client has read and write authority, "sync" means synchronize, "no_root_squash" means the client has no authority to change root's file.)

Step 3: Make a directory called nfsroot using the command:
mkdir /home/wenrui/nfsroot

Step 4: Restart the NFS server for the changes to take effect
sudo service nfs-kernel-server restart
Restart the portmap service:
sudo /etc/init.d/portmap restart
cd /home/wenrui/nfsroot/
touch me          # create a file named me
sudo nano me      # write anything you want; this will become visible to the client

Step 5: For the client, install nfs-common
Command: sudo apt-get install nfs-common

Step 6: Check the path of the shared folder (the server address was left blank on the original page)
Command: sudo showmount -e <server IP>

Step 7: Mount the server's shared directory onto the client's directory
Command: sudo mount -t nfs <server IP>:/home/wenrui/nfsroot /home/wenrui/nfs

VPN:

Step 1: Install pptpd, which is the package used to configure the VPN
Command: sudo apt-get install pptpd

Step 2: Edit /etc/pptpd.conf and make the following changes (the addresses were left blank on the original page):
localip <VPN server address>
remoteip <VPN client address range>

Step 3: Edit the /etc/ppp/pptpd-options file:
ms-dns 192.168.0.254

Step 4: Set the user id and password
Command: sudo nano /etc/ppp/chap-secrets

wenrui pptpd 123456 *
# wenrui is the user name, pptpd is the VPN server name, 123456 is the password and * means all IPs that fall in the VPN client range.

NIS:

Step 1: Install nis and portmap
sudo apt-get install nis portmap

Step 2: Set the domain name to NISServer when prompted during installation, then edit the configuration:
sudo nano /etc/default/nis
NISSERVER=master                  # set this computer as the NIS master server
sudo nano /etc/yp.conf
domain NISServer server ubuntu    # domain name NISServer, server name ubuntu
sudo nano /etc/ypserv.securenets
# change the "0.0.0.0  0.0.0.0" line (netmask, then network) into:
255.255.255.0   192.168.0.0
sudo /usr/lib/yp/ypinit -m        # build the server's database

Step 3: For the NIS client
sudo apt-get install portmap nis

Step 4: Set the domain name to NISServer when prompted.

Step 5: Add the NIS entries to the local account files:
sudo nano /etc/passwd
+::::::
sudo nano /etc/group
+:::
sudo nano /etc/shadow
+::::::::
sudo nano /etc/yp.conf
Set the ypserver's IP address.

Then update the database on the server. We can test the NIS service on the client using yptest, ypwhich and ypcat -x. We can also log in as the server's users to test.

FTP:

Step 1: sudo apt-get install vsftpd

Step 2: sudo vi /etc/vsftpd.conf and make the following changes in the file:
anonymous_enable=YES
write_enable=YES      # remove the "#" sign to uncomment this line

Step 3: sudo restart vsftpd

Step 4: cd /srv/ftp
sudo touch file1 file2 file3
sudo chmod 777 file1 file2 file3

SAMBA: Step 1: sudo apt-get install samba

Step 2: Edit the configuration file
sudo gedit /etc/samba/smb.conf &
Add the folder you need to share here; the /srv directory is used to hold the shared files.

Step 3: sudo mkdir -p /srv/samba/share

Step 4: Change the ownership to nobody
sudo chown nobody.nogroup /srv/samba/share

Step 5: Edit NetBIOS name server configuration sudo gedit /etc/init/nmbd.conf &

Step 6: Restart samba and NetBIOS sudo restart smbd

Step 7: Create a file in the share directory sudo touch /srv/samba/share/test.txt

Testing
Test Plan
• Trying to test the DNS server
• Trying to test forward zone entries
• Trying to test reverse zone entries
• Trying to test CNAME entries
• Trying to ping different entries

Test Tools
The following commands were used to test the DNS server:
• nslookup
• dig
Using the command netstat -uap we tested the DHCP server.
For testing the firewall we used the following commands:
• ping: to check whether the IP addresses are blocked correctly.
• ssh: to check whether ssh login is prevented for unauthorized users.

Test Cases
Problems faced:
1. Problem faced while installing bind9.
Solution: sudo apt-get update   # update Ubuntu
Update Ubuntu by writing the above command and then install bind9.
2. Problem faced while trying to restart the network interface using the command sudo /etc/init.d/networking restart. Common error messages shown were:
Failed to bring up eth0/wlan0 interface
Ignoring unknown interface eth0=eth0 (wlan0=wlan0)
Solution: Use the command sudo service network-manager restart and then use sudo /etc/init.d/networking restart
3. The other servers, viz. DHCP and web server, were not able to use the command dig projectlinuxnash.com or nslookup projectlinuxnash.com (host name as written in the DNS server). Status shown: Access denied
Reason: The loopback address 127.0.0.1 was mentioned in the /etc/bind/db.home.raj file instead of the DNS server's IP address.
4. Server status was SERVFAIL when we tried to dig projectlinuxnash.com
Reason: The file /etc/bind/named.conf.local was not configured properly.
5. "Server cannot be found" error
Reason: Wrong configuration of the file /etc/resolv.conf
6. Only the web server is able to access the webpage.
7. Not able to bridge VMware Workstation with Windows.

Testing DNS: For testing we use the following commands:

1) dig
dig stands for Domain Information Groper and is a flexible tool used to interrogate DNS name servers. It performs DNS lookups and returns the answers as provided by the name servers.

2) nslookup (Name Server Lookup)
nslookup is a command used to query DNS servers. There are two modes of nslookup, viz. interactive mode and non-interactive mode. Interactive mode allows the user to query the name servers in order to obtain information about hosts and domains or to just print a list of hosts in a particular domain. Non-interactive mode is used to print only the name and information requested for a particular host or domain.

3) ping
The ping command is used to check the network layer status of the server.

4) host
The host command is used to perform DNS lookups. It is used to convert names to IP addresses and vice versa.

Testing DHCP: Whenever a client is connected to the network it will automatically get an IPv4 and IPv6 address within the range of addresses configured on the DHCP server. This can be verified using the ifconfig/ipconfig command.
sudo dhclient -r                  # releases the client's current lease so a fresh one can be requested
cat /var/lib/dhcp/dhcpd.leases    # shows the leases the DHCP server has handed out to particular clients

Testing Web Server: Open any web browser and test it by entering either the host name or the IP address. If both work then the web server is working fine. If the host name does not work but the IP address does, there is some problem with your DNS server.

Testing Firewall: One can test by sitting on the client and trying to ping the servers which are blocked. The result will be "request timed out", since the client is blocked by the firewall. The client will also not gain access to the webpage, since it is forbidden for that client to use it: it will not be able to open the webpage whether it types the host name or the IP address.

Testing Backup: We can test backup by going to the particular directory where the files are sent and type the command ls to check whether the files are received or not.

Future Prospects
Future Improvements:

1. Enhanced security for the DNS servers. Digital signatures, cache poisoning, DNS wrappers, authentication, symmetric key encryption and spoofing are the areas to be concentrated on.
2. DNS has a restrictive, centralized model for entering names into a naming database. System admins at different locations may manipulate this and it might not be updated at all locations. This leads to inconsistency.
3. DNS dynamic updates to update the records of hosts with dynamic IP addresses, so that hosts can keep the same domain name.
4. A replication architecture for the DNS would allow websites to wander dynamically and be replicated without having to change their URLs. This is possible if a single DNS server holds the entire database of all the DNS servers. DNS lookup time is reduced and web pages load faster.
5. Nowadays a DHCP server usually provides IP addresses for multiple subnets, and the DHCP relay makes it possible for a DHCP server to assign IP addresses to terminals in a subnet in which the server does not reside.
6. LDAP is a service that creates and maintains directories. This service can also be invoked from within Linux for easier maintenance.