User:TSMG 5330 Fall 2013 Grp1

Motivation
Linux runs almost everywhere: on desktops, smartphones, servers, routers, etc. It is one of the most important parts of, and driving forces behind, the IT industry. Linux is also an open OS, so anyone can make alterations in order to improve it. We have taken this project in order to get acquainted with the most versatile OS used in the IT industry.

Understanding the Protocol
Behaviour of DNS:

When a website location such as www.test.com is entered, the browser has to find out the IP address of the host. The query is sent to the local DNS server, forwarded onward as needed, and the matching IP address is returned. The host at that IP address is then reachable by the web browser. Here a BIND9 server with caching has been used: once a DNS response is cached, the time required to resolve the name and display the page the next time it is requested is reduced by thousands of milliseconds.

Behaviour of DHCP:

There are three ways in which DHCP assigns IP addresses to its clients:

Dynamic allocation: The DHCP server allocates IP addresses dynamically from a pool, and each IP address is associated with a lease period.

Automatic allocation: The client is assigned the same IP whenever it comes onto the network. This is the type of allocation used in our project.

Static allocation: IP addresses are allocated manually, and only to those systems whose MAC addresses are listed in the IP translation table on the router.

DHCP is available for both IPv4 (DHCPv4) and IPv6 (DHCPv6).

Ideally each subnet has its own DHCP server; without one, a router acting as a DHCP relay agent may be used to connect the subnets, with the relay agent configured with the address of the DHCP server.

The Requirements
We need a Linux-based OS; in this project we have used Ubuntu 12.04 LTS. We also require bind9 to configure the DNS server, apache2 to implement a web server, and isc-dhcp-server to implement a DHCP server.

Steps to perform the setup / installation
Installation of Domain Name System (DNS):

Step 1 : Change the interface accordingly (eth0 or wlan0)

Command: sudo nano /etc/network/interfaces

# Change lo to either eth0 or wlan0 and loopback to static

auto eth0
iface eth0 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    gateway 192.168.0.1
    network 192.168.0.0
    broadcast 192.168.0.255
    dns-nameservers 192.168.0.254
    dns-search home.rajiv

Step 2 : Restart the network

Command: sudo /etc/init.d/networking restart

Step 3 : Install bind9

Command: sudo apt-get install bind9

Step 4 : Remove the comments from the forwarders

Command: sudo nano /etc/bind/named.conf.options

Remove the "//" signs to uncomment the forwarders block and add forwarders, for example Google's public DNS IPs 8.8.8.8 and 8.8.4.4.

Step 5 : Define the entries for Forward and Reverse lookup zones

Command: sudo nano /etc/bind/named.conf.local

In the forward lookup zone write the following. On the master server:

zone "home.rajiv" {
    type master;
    file "/etc/bind/db.home.rajiv";
    allow-transfer { IP of slave; };
};

On the slave server:

zone "home.rajiv" {
    type slave;
    masters { IP of master; };
    file "/var/cache/bind/db.home.raj";
};

In the reverse lookup zone write the following. On the master server:

zone "0.168.192.in-addr.arpa" {
    type master;
    allow-transfer { IP of slave; };
    file "/etc/bind/db.192";
};

On the slave server:

zone "0.168.192.in-addr.arpa" {
    type slave;
    masters { IP of master; };
    file "/var/cache/bind/db.192";
};

For IPv6 write the following (the reverse tree for IPv6 addresses is ip6.arpa):

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa" {
    type master;
    notify no;
    file "/etc/bind/db.ipv6";
};

Step 6 : Create the zone files referenced in named.conf.local before bind9 starts

Command: Copy the template zone file to create the forward zone file

sudo cp /etc/bind/db.local /etc/bind/db.home.rajiv

Step 7 : Edit the forward lookup zone

Command: sudo nano /etc/bind/db.home.rajiv

$TTL 604800
@       IN SOA  ubuntu.home.rajiv. rajiv.ubuntu.home.rajiv. (
                2         ; Serial number
                604800    ; Refresh rate
                86400     ; Retry
                2419200   ; Expire
                604800 )  ; Negative Cache TTL
@       IN NS   ubuntu.home.rajiv.
@       IN A    192.168.0.254
@       IN AAAA fe80::be77:37ff:fe7d:dc2d

; A records (zone-file comments start with ";", not "#")
abcd    IN A    192.168.0.253
        IN AAAA fe80::be77:37ff:fe7d:dc2e ; IPv6 records
ubuntu  IN A    192.168.0.222
        IN AAAA fe80::be77:37ff:fe7d:dc2c
ubuntu1 IN A    192.168.0.252
        IN AAAA fe80::be77:37ff:fe7d:dc2b
ubuntu2 IN A    192.168.0.251
        IN AAAA fe80::be77:37ff:fe7d:dc2a

; MX record
mail    IN MX 10 mailhost.home.rajiv.

; CNAME records
server2013 IN CNAME ubuntu.home.rajiv.
server2014 IN CNAME ubuntu1.home.rajiv.
www        IN CNAME ubuntu.home.rajiv.

Step 8 : Edit the reverse lookup zones for both IPv4 and IPv6

Command: sudo nano /etc/bind/db.192 (the IPv4 reverse zone file named in named.conf.local)

$TTL 604800
@       IN SOA  ubuntu.home.rajiv. rajiv.ubuntu.home.rajiv. (
                1         ; Serial
                604800    ; Refresh
                86400     ; Retry
                2419200   ; Expire
                604800 )  ; Negative Cache TTL
@       IN NS   ubuntu.home.rajiv.
253     IN PTR  abcd.home.rajiv.
252     IN PTR  ubuntu.home.rajiv.
251     IN PTR  ubuntu1.home.rajiv.
222     IN PTR  ubuntu.home.rajiv.

Reverse zone file for IPv6 (sudo nano /etc/bind/db.ipv6)

$TTL 604800
@       IN SOA  ubuntu.home.rajiv. rajiv.ubuntu.home.rajiv. (
                1         ; Serial
                604800    ; Refresh
                86400     ; Retry
                2419200   ; Expire
                604800 )  ; Negative Cache TTL
@       IN NS   ubuntu.home.rajiv.
; Owner names are the host part of each address written nibble by nibble in
; reverse order, relative to the zone origin 0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa
e.2.c.d.d.7.e.f.f.f.7.3.7.7.e.b IN PTR abcd.home.rajiv.
c.2.c.d.d.7.e.f.f.f.7.3.7.7.e.b IN PTR ubuntu.home.rajiv.
b.2.c.d.d.7.e.f.f.f.7.3.7.7.e.b IN PTR ubuntu1.home.rajiv.
a.2.c.d.d.7.e.f.f.f.7.3.7.7.e.b IN PTR ubuntu2.home.rajiv.
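As an added check, written for this page rather than taken from the project, the Python script below parses zone excerpts in the layout of db.home.rajiv and db.192 (constructed from the records above), reports PTR records whose target host has a different A record, and computes the ip6.arpa owner name of an IPv6 address relative to a zone origin, which is the value each PTR line in db.ipv6 must carry. Run on the records above it reveals the PTR/A mismatches between the two files.

```python
import ipaddress

# Constructed excerpts in the layout of this page's db.home.rajiv and db.192 files
FORWARD_ZONE = """$TTL 604800
@       IN SOA  ubuntu.home.rajiv. rajiv.ubuntu.home.rajiv. ( 2 604800 86400 2419200 604800 )
@       IN NS   ubuntu.home.rajiv.
abcd    IN A    192.168.0.253
        IN AAAA fe80::be77:37ff:fe7d:dc2e ; owner name inherited from the line above
ubuntu  IN A    192.168.0.222
ubuntu1 IN A    192.168.0.252
ubuntu2 IN A    192.168.0.251
www     IN CNAME ubuntu.home.rajiv.
"""
REVERSE_V4 = """$TTL 604800
@   IN NS  ubuntu.home.rajiv.
253 IN PTR abcd.home.rajiv.
252 IN PTR ubuntu.home.rajiv.
251 IN PTR ubuntu1.home.rajiv.
222 IN PTR ubuntu.home.rajiv.
"""

def parse_zone(text, origin):
    """Yield (owner_fqdn, rtype, rdata) for single-line records; a blank owner repeats the last one."""
    owner = "@"
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()            # drop zone-file comments
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not raw[0].isspace():                     # a new owner name starts the line
            owner, fields = fields[0], fields[1:]
        if fields and fields[0] == "IN":
            fields = fields[1:]
        if len(fields) < 2 or fields[0] == "SOA":
            continue
        fqdn = origin if owner == "@" else (owner if owner.endswith(".") else f"{owner}.{origin}")
        yield fqdn, fields[0], fields[1]

def check_reverse_v4(forward, fwd_origin, reverse, rev_origin):
    """List PTRs whose target's A record differs, and A records that have no PTR at all."""
    prefix = ".".join(reversed(rev_origin.replace(".in-addr.arpa.", "").split(".")))  # "192.168.0"
    a_records = {n: r for n, t, r in parse_zone(forward, fwd_origin) if t == "A"}
    ptrs = {f"{prefix}.{n.split('.')[0]}": r for n, t, r in parse_zone(reverse, rev_origin) if t == "PTR"}
    problems = [f"PTR {ip} -> {host} but the A record is {a_records.get(host)}"
                for ip, host in ptrs.items() if a_records.get(host) != ip]
    problems += [f"no PTR for {host} ({ip})" for host, ip in a_records.items() if ip not in ptrs]
    return problems

def ip6_arpa_owner(address, zone_origin):
    """Owner name of the PTR for `address`, relative to an ip6.arpa zone origin (nibbles reversed)."""
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    full = ".".join(reversed(nibbles)) + ".ip6.arpa."
    if not full.endswith("." + zone_origin):
        raise ValueError(f"{address} does not belong to {zone_origin}")
    return full[:-len(zone_origin) - 1]

if __name__ == "__main__":
    print(check_reverse_v4(FORWARD_ZONE, "home.rajiv.", REVERSE_V4, "0.168.192.in-addr.arpa."))
    print(ip6_arpa_owner("fe80::be77:37ff:fe7d:dc2e", "0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa."))
```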

Step 9 : Restart bind9 service in order for the changes to be effective

Command: sudo /etc/init.d/bind9 restart

Step 10: Edit the resolv.conf file

Command: sudo nano /etc/resolv.conf

nameserver 192.168.0.254 ; IP of your DNS server

domain home.rajiv ; Name of your domain

search home.rajiv

Dynamic Host Configuration Protocol (DHCP) (for IPv4):

Step 1 : Install dhcp server

Command: sudo apt-get install isc-dhcp-server

Step 2 : Set static ip address

Command: sudo nano /etc/network/interfaces

Change lo to either eth0 or wlan0 and loopback to static

auto eth0
iface eth0 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    gateway 192.168.0.1
    network 192.168.0.0
    broadcast 192.168.0.255
    dns-nameservers 192.168.0.254
    dns-search home.rajiv

Step 3 : Restart the network

Command: sudo /etc/init.d/networking restart

Step 4 : Configure the DHCP server

Command: sudo nano /etc/dhcp/dhcpd.conf

ddns-update-style none;
option domain-name-servers 192.168.0.254;
option domain-name "home.rajiv";
default-lease-time 600;
max-lease-time 7200;
authoritative;

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.200 192.168.0.220;
    option broadcast-address 192.168.0.255;
    option domain-name-servers 192.168.0.254;
}

Step 5 : Edit the resolv.conf file

Command: sudo nano /etc/resolv.conf

nameserver 192.168.0.254

Step 6 : Restart the dhcp service

Command: sudo service isc-dhcp-server restart

DHCP configuration for IPv6:

Step 1:

Install radvd, which sends the IPv6 router advertisements that tell clients to obtain their addresses from the DHCPv6 server.

Command: sudo apt-get install radvd

Step 2:

Edit the file /etc/radvd.conf

Make the following changes:

interface eth1
{
    AdvSendAdvert on;
    AdvManagedFlag on;        # clients obtain their addresses from DHCPv6
    AdvOtherConfigFlag on;    # and other settings (DNS) from DHCPv6 as well
    prefix 2001:db8:0:1::/64
    {
        AdvAutonomous off;    # no SLAAC; addresses come from the DHCPv6 range
    };
};

Step 3:

Edit the /etc/dhcp/dhcpd.conf and make the following changes:

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

subnet6 2001:db8:0:1::/64 {
    range6 2001:db8:0:1::129 2001:db8:0:1::254;
}

Web Server:

Step 1: Install apache2

Command: sudo apt-get install apache2

Step 2: To check whether the web server is listening on port 80

Command: netstat -a | more

Step 3: Restart the web server

Command: sudo /etc/init.d/apache2 stop   # when you run netstat now, the computer is no longer shown as listening on port 80

sudo /etc/init.d/apache2 start

Step 4: To put a webpage for the server

Command: cd /var/www   # the document root of apache2
sudo nano index.html

Firewall:

iptables is a user-space program which allows the system admin to configure the packet-filter tables provided by the Linux kernel firewall (netfilter).

1. In order to block ICMP echo requests (ping) to the server, write the following command:

sudo iptables -A INPUT -d <server IP> -p icmp --icmp-type echo-request -j DROP   # echo-request is ICMP type 8; type 0 is the echo-reply

2. In order to prevent SSH login from a client, write the following command:

sudo iptables -A INPUT -s <client IP> -d <server IP> -p tcp --dport ssh -j DROP

3. In order to block the FTP ports, write the following commands:

sudo iptables -A INPUT -d 192.168.0.253 -p tcp --dport 20 -j DROP
sudo iptables -A INPUT -d 192.168.0.253 -p tcp --dport 21 -j DROP

4. To block the port used by Telnet, write the following command:

sudo iptables -A INPUT -d 192.168.0.253 -p tcp --dport 23 -j DROP

5. To block the web page for a client, write the following command:

sudo iptables -A INPUT -d 192.168.0.200 -s 192.168.0.222 -p tcp --dport 80 -j DROP   # 80 is the HTTP port the web server listens on

Backup:

In order to do backups, we have used cron, scheduled through crontab, together with ssh and scp.

Step 1: Generate a public/private key pair and copy the public key to the computer that will receive the backed-up files, so that they can be sent automatically without a password prompt.

Commands:

ssh-keygen -t rsa                                    # Create a pair of RSA keys
ssh rajiv@192.168.0.254 mkdir -p .ssh
cat .ssh/id_rsa.pub | ssh rajiv@192.168.0.254 'cat >> .ssh/authorized_keys'

Step 2: We first need to create a script file (.sh file).

Command: sudo nano /home/sony/backup/backup.sh

#!/bin/bash
cd /var/www/
cp index.html /home/sony/backup/        # copy the web page file
cd /home/sony/backup
tar czf /home/sony/backup/backup.tar.gz ds1.fw index.html
sleep 1s
sync; sync
sleep 1s
scp backup.tar.gz rajiv@192.168.0.254:/home/rajiv/
sleep 1s
sync; sync

Step 3: In order to extract the backup file automatically on the receiving machine, create a second script there and schedule it with cron:

cd /home/rajiv/
sudo nano backup.sh

#!/bin/bash
cd /home/rajiv/
tar xzf backup.tar.gz

Then add the following line with crontab -e so that the script runs every day at 12:00:

0 12 * * * bash /home/rajiv/backup.sh

NFS

Commands to configure NFS:

For server follow these steps:

Step 1:

Install NFS

Command: sudo apt-get install nfs-kernel-server

Step 2:

Edit the exports file

Command: sudo nano /etc/exports

/home/wenrui/nfsroot *(rw,sync,no_root_squash)

("rw" means the client has read and write access; "sync" means writes are committed to disk before the server replies; "no_root_squash" disables root squashing, so the client's root user is not mapped to an unprivileged user and keeps root rights on the export; "*" exports the directory to every host.)
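A small audit of an exports file, written for this page as an added example (not the project's code): it parses lines in the exports(5) layout used above and flags the clauses that widen access beyond a read-only, root-squashed share. The sample file is constructed; its first line is the page's own export.

```python
import re

# Constructed sample; the first export is the line this page adds to /etc/exports
SAMPLE_EXPORTS = """\
# /etc/exports
/home/wenrui/nfsroot *(rw,sync,no_root_squash)
/srv/share 192.168.0.0/24(ro,sync,root_squash) 192.168.0.254(rw)
"""

CLAUSE = re.compile(r"^([^(]*)(?:\((.*)\))?$")   # client, optional (option,list)

def parse_exports(text):
    """Yield (path, client, option set) per client clause; one line may name several clients."""
    for raw in text.splitlines():
        line = raw.split("#")[0].strip()            # exports(5) comments start with '#'
        if not line:
            continue
        path, *clauses = line.split()
        for clause in clauses or ["*"]:             # a path with no client is exported to every host
            m = CLAUSE.match(clause)
            client = m.group(1) or "*"              # "(rw)" alone also means every host
            opts = {o for o in (m.group(2) or "").split(",") if o}
            yield path, client, opts

def audit_exports(text):
    """Findings for clauses that grant more than a read-only, root-squashed share to named hosts."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append(f"{path}: exported to every host (*)")
        if "no_root_squash" in opts:
            findings.append(f"{path} -> {client}: no_root_squash keeps the client's root as root on the export")
        if "insecure" in opts:
            findings.append(f"{path} -> {client}: insecure accepts requests from unprivileged source ports")
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```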

Step 3:

Make a directory called nfsroot using the command: mkdir /home/wenrui/nfsroot

Step 4:

Restart the NFS server for the changes to be effective

sudo service nfs-kernel-server restart

Restart portmap service

sudo /etc/init.d/portmap restart

cd /home/wenrui/nfsroot/
touch me          # Create a file named me
sudo nano me      # write anything you want; this will become visible to the client

Step 5: For Client NFS

Install nfs-common

Command: sudo apt-get install nfs-common

Step 6:

Check the path of the shared folder

Command: sudo showmount -e <server IP>

Step 7:

Mount the directory exported by the server onto a local directory on the client

Command: sudo mount -t nfs <server IP>:/home/wenrui/nfsroot /home/wenrui/nfs

VPN

Step 1:

Install pptpd which is a package used to configure VPN

Command: sudo apt-get install pptpd

Step 2:

Edit the files in /etc/pptpd.conf and make the following changes

localip <VPN server IP>
remoteip <VPN client IP range>

Step 3:

Edit /etc/ppp/pptpd-options file:

ms-dns 192.168.0.254

Step 4:

Set userid and password

Command: sudo nano /etc/ppp/chap-secrets

wenrui pptpd 123456 *   # wenrui is the user name, pptpd is the VPN server name, 123456 is the password and * indicates for all IPs that fall in the VPN client range.

NIS:

Step 1: Install nis portmap

sudo apt-get install nis portmap

Step 2:

Set the NIS domain name to NISServer when prompted during installation

sudo nano /etc/default/nis

NISSERVER=master          # set this computer as the NIS master server

sudo nano /etc/yp.conf

domain NISServer server ubuntu   # the domain name is NISServer and the server name is ubuntu

sudo nano /etc/ypserv.securenets

Change the "0.0.0.0  0.0.0.0" line to "255.255.255.0   192.168.0.0" so that only hosts on the 192.168.0.0/24 network may query the server (each line is a netmask followed by a network address).

sudo /usr/lib/yp/ypinit -m    # build the server's database

Step 3:For NIS Client

sudo apt-get install portmap nis

Step 4: Edit the domain name NISServer

sudo nano /etc/passwd

Step 5:

Add a line +:::::: (the "+" entry pulls the NIS map into the local file)

sudo nano /etc/group

Add a line +:::

sudo nano /etc/shadow

Add a line +::::::::

sudo nano /etc/yp.conf

Set the ypserver's IP address

Then update the database in the server.

We can then test the NIS service on the client using yptest, ypwhich and ypcat -x.

We can also log in as the NIS users on the server to test.

PXE Boot and RARP:

To solve the problem of assigning IP addresses to clients over the network, there are three possible ways: the first is RARP, the second is BOOTP, and the third is DHCP.

RARP, the Reverse Address Resolution Protocol, is an obsolete networking protocol used by a host to request its Internet Protocol address from an administrative host when it has only its link-layer (hardware) address, such as a MAC address, available. BOOTP, the Bootstrap Protocol, is a network protocol used by a client to obtain an IP address from a configuration server which holds a pool of IP addresses.

Around 2005, use of RARP had almost stopped and DHCP was implemented almost everywhere. Nowadays, in some specific IPv6 scenarios, RARP has returned to use for its simplicity. This old predecessor of DHCP is no longer suitable for IPv4 but has some special meaning for IPv6 implementations.

PXE boot, on the other hand, is an extension built on top of BOOTP and DHCP. Using PXE boot, we can boot thousands of Linux terminals from a remote server and run workstations in diskless mode.

The configuration for PXE boot has the following four steps:

First, configure dhcp service

Add these lines:

allow booting;
allow bootp;
filename "/pxelinux.0";

Restart the dhcp service

Second, configure the tftp service

sudo apt-get install tftp-server

sudo nano /etc/xinetd.d/tftp

Change "disable = yes" to "disable = no"

sudo service xinetd restart

Third, configure the vsftp service

sudo apt-get install vsftp

sudo nano /etc/vsftp/vsftp.conf

Add the following lines:

anon_root=/mnt
anon_upload_enable=NO

Last, configure the pxe service

sudo mkdir /tftpboot

cp /usr/lib/syslinux/pxelinux.0 /tftpboot/

Then copy the file you need to boot Ubuntu to /tftpboot and you can boot Ubuntu using PXE boot.

Testing
Test Plan

Trying to test the DNS server

Trying to test forward zone entries

Trying to test reverse zone entries

Trying to test CNAME entries

Trying to ping different entries

Test Tools

Following commands were used to test DNS server:

-nslookup

-dig

Using the command netstat -uap we tested DHCP server.

For testing firewall we used the following commands:

-ping = To check whether the IP addresses are blocked correctly.

-ssh = To check whether ssh login is prevented for unauthorized users.

Test Cases

Problems faced:

1. Problem faced while installing bind9.

Solution: sudo apt-get update #Update ubuntu

Update ubuntu by writing the above command and then install bind9.

2. Problem faced while trying to restart the network interface using the command sudo /etc/init.d/networking restart

Common Error messages shown were :

Failed to bring up eth0/wlan0 interface

Ignoring unknown interface eth0=eth0 (wlan0=wlan0)

Solution: Use the command sudo service network-manager restart and then use sudo /etc/init.d/networking restart

3. Other servers viz. DHCP and Webserver were not able to use the command dig home.rajiv or nslookup home.rajiv(Host name as written in  the DNS server)

Status shown: Access denied

Reason: Loopback address 127.0.0.1 was mentioned in the /etc/bind/db.home.raj file instead of the DNS server's IP address.

4. Server Status was SERVFAIL when tried to dig home.rajiv

Reason: The file /etc/bind/named.conf.local was not configured properly.

5. Server Cannot be found error

Solution: Wrong configuration of the file /etc/resolv.conf

6. Only webserver is able to access the webpage.

7. Not able to bridge VMware workstation with Windows.

Testing DNS:

For testing we use the following commands:

1) Dig

Dig stands for Domain Information Groper and is a flexible tool used to interrogate DNS name servers. It performs DNS lookups and returns the answers as provided by the name servers.

2) Nslookup (Name Server Lookup)

nslookup is a command used to query DNS servers. There are two modes of nslookup, viz. interactive mode and non-interactive mode. Interactive mode allows the user to query the name servers in order to obtain information about hosts and domains or to just print a list of hosts in a particular domain. Non-interactive mode is used to print only the name and the information requested for a particular host or domain.

3) Ping

The ping command is used to check network-layer reachability of the server.

4) Host

Host command is used to perform DNS lookups. It is used to convert names to IP addresses and vice versa.

Testing DHCP:

Whenever a client connects to the network it automatically gets an IPv4 and an IPv6 address within the ranges configured on the DHCP server. This can be verified with the ifconfig (Linux) or ipconfig (Windows) command.

sudo dhclient -r      - releases the client's current lease (running sudo dhclient again requests a fresh one)

cat /var/lib/dhcp/dhcpd.leases   - on the server, shows the leases handed out, including the one given to a particular client
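Reading dhcpd.leases by eye gets tedious once a few clients have cycled through; the following Python script, an added example written for this page and not part of the project, parses a lease file in the format dhcpd writes (the sample below is constructed) and lists the active, unexpired leases together with any that fall outside the range 192.168.0.200 to 192.168.0.220 declared in dhcpd.conf above. The times in dhcpd.leases are UTC, so the reference time passed in must be UTC as well.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in the layout of /var/lib/dhcp/dhcpd.leases (dhcpd records times in UTC)
SAMPLE_LEASES = """\
lease 192.168.0.201 {
  starts 4 2013/11/21 17:02:10;
  ends 4 2013/11/21 17:12:10;
  binding state active;
  hardware ethernet 00:0c:29:aa:bb:cc;
}
lease 192.168.0.202 {
  starts 4 2013/11/21 16:50:00;
  ends 4 2013/11/21 17:00:00;
  binding state free;
  hardware ethernet 00:0c:29:dd:ee:ff;
}
lease 192.168.0.230 {
  starts 4 2013/11/21 17:05:00;
  ends never;
  binding state active;
  hardware ethernet 00:0c:29:11:22:33;
}
"""

LEASE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"

def parse_leases(text):
    """Return {ip: lease}; dhcpd appends to the file, so a later block for an IP supersedes earlier ones."""
    leases = {}
    for ip, body in LEASE.findall(text):
        entry = {"ip": ip, "state": None, "ends": None, "mac": None}
        for stmt in body.split(";"):
            words = stmt.split()
            if words[:1] == ["ends"]:               # "ends never" has no expiry
                entry["ends"] = None if words[1] == "never" else datetime.strptime(
                    " ".join(words[2:4]), TIME_FORMAT)
            elif words[:2] == ["binding", "state"]:
                entry["state"] = words[2]
            elif words[:2] == ["hardware", "ethernet"]:
                entry["mac"] = words[2]
        leases[ip] = entry
    return leases

def audit_leases(text, range_start, range_end, now):
    """Return (active unexpired leases, those outside the dhcpd.conf range); `now` is UTC "Y/m/d H:M:S"."""
    now = datetime.strptime(now, TIME_FORMAT)
    lo, hi = int(ipaddress.IPv4Address(range_start)), int(ipaddress.IPv4Address(range_end))
    active, outside = [], []
    for lease in parse_leases(text).values():
        if lease["state"] != "active" or (lease["ends"] is not None and lease["ends"] <= now):
            continue
        active.append(lease["ip"])
        if not lo <= int(ipaddress.IPv4Address(lease["ip"])) <= hi:
            outside.append(lease["ip"])             # stale config, or a lease file carried over
    return active, outside
```

A lease outside the declared range usually means the range was changed after the lease was issued or an old lease file was kept; it is worth checking before blaming the client.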

Testing Web Server:

Open any web browser and test it by entering either the host name or the IP address. If both work, then the web server is working fine. If they don't, then there is some problem with your DNS server.

Testing Firewall:

One can test by sitting on the client and trying to ping the servers which are blocked. The result will be request timed out since the client is blocked by the firewall.

Also the client will not gain access to the webpage since it is forbidden for the client to use it. The client will not be able to open the webpage when he types the host name or the IP address.

Testing Backup:

We can test backup by going to the particular directory where the files are sent and type the command ls to check whether the files are received or not.

Future Prospects
Future Improvements:

1. Piggybacking related domain names improves DNS performance. It improves the cache hit rate (by 50%) for the local DNS server. An authoritative DNS server might be used to piggyback answers for likely future queries onto a response message when it is sent. This reduces the total number of queries and responses and raises the cache hit rate. It needs no changes to the existing DNS server.

2. Enhanced security for the DNS servers. Digital signatures, Cache-poisoning, DNS wrapper, authentication, symmetric key encryption and spoofing are the areas to be concentrated on.

3. The staleness of addresses needs to be detected in a DNS server.

4. DNS has a restrictive, centralized model for entering names into a naming database. System admins at different locations may manipulate this and this might not be updated at all locations. This leads to inconsistency.

5. A replication architecture for DNS allows websites to move and replicate themselves dynamically without having to change their URLs. This is possible because a single DNS server is made to hold the entire database of all the DNS servers. DNS lookup time is reduced and web pages load faster.

6. DNS dynamic updates to update dynamic records of hosts with dynamic IP addresses. Hosts can keep the same domain name.

7. Nowadays DHCP server usually provides IP addresses for multiple subnets and the DHCP Relay makes it possible for a DHCP Server to assign IP addresses for terminals in a subnet which the server does not reside in.