RAC Attack - Oracle Cluster Database at Home/RAC Attack 12c/Configure Bind DNS

From Wikibooks, open books for an open world
Jump to: navigation, search

  1. Enable BIND DNS to start at boot time.
    [root@collabn1 ~]# chkconfig named on
  2. Change named directory permissions.
    [root@collabn1 ~]# touch /var/named/racattack
    [root@collabn1 ~]# chgrp named /var/named/racattack
    [root@collabn1 ~]# chmod 664 /var/named/racattack
    [root@collabn1 ~]# chmod g+w /var/named
  3. Backup the BIND configuration file.
    [root@collabn1 ~]#  cp /etc/named.conf /etc/named.conf.org
  4. Change /etc/named.conf permissions.
    [root@collabn1 ~]# chmod 664 /etc/named.conf

    Otherwise, the original protection may cause trouble in the restarting named step with write-protection errors in /var/log/messages.

  5. Run the following command or edit the /etc/named.conf file to change the named configuration manually.
    sed -i -e 's/listen-on .*/listen-on port 53 {; };/' \
    -e 's/allow-query .*/allow-query     {\/24; localhost; };\n        allow-transfer  {\/24; };/' \
    -e '$azone "racattack" {\n  type master;\n  file "racattack";\n};\n\nzone "in-addr.arpa" {\n  type master;\n  file "in-addr.arpa";\n};' \
    • In bold the lines that have been modified from the default.
    options {
           listen-on port 53 {; };
           listen-on-v6 port 53 { ::1; };
           directory       "/var/named";
           dump-file       "/var/named/data/cache_dump.db";
           statistics-file "/var/named/data/named_stats.txt";
           memstatistics-file "/var/named/data/named_mem_stats.txt";
           allow-query     {; localhost; };
           allow-transfer  {; };
           recursion yes;
           dnssec-enable yes;
           dnssec-validation yes;
           dnssec-lookaside auto;
           /* Path to ISC DLV key */
           bindkeys-file "/etc/named.iscdlv.key";
           managed-keys-directory "/var/named/dynamic";
    logging {
           channel default_debug {
                   file "data/named.run";
                   severity dynamic;
    zone "." IN {
           type hint;
           file "named.ca";
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    zone "racattack" {
     type master;
     file "racattack";
    zone "in-addr.arpa" {
     type master;
     file "in-addr.arpa";
  6. Create the zone file for the racattack domain on collabn1 by running the following command:

    (Copy & Paste the whole box)

    echo '$TTL 3H
    @       IN SOA  collabn1        hostmaster      (
                                            101   ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
                    NS      collabn1
                    NS      collabn2
    localhost       A
    collabn1        A
    collabn1-vip    A
    collabn1-priv   A
    collabn2        A
    collabn2-vip    A
    collabn2-priv   A
    collabn-cluster-scan     A
    collabn-cluster-scan     A
    collabn-cluster-scan     A' \
    > /var/named/racattack
  7. Create the reverse zone file on collabn1.

    (Copy & Paste the whole box)

    echo '$TTL 3H
    @       IN SOA  collabn1.racattack.        hostmaster.racattack.      (
                                            101   ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
                    NS      collabn1.racattack.
                    NS      collabn2.racattack.    PTR     collabn1.racattack.   PTR     collabn1-vip.racattack.   PTR     collabn1-priv.racattack.   PTR     collabn2.racattack.   PTR     collabn2-vip.racattack.   PTR     collabn2-priv.racattack.  PTR     collabn-cluster-scan.racattack.  PTR     collabn-cluster-scan.racattack.  PTR     collabn-cluster-scan.racattack.' \
    > /var/named/in-addr.arpa
  8. Generate the rndc.key file.
    [root@collabn1 ~]# rndc-confgen -a -r /dev/urandom
     wrote key file "/etc/rndc.key"
    [root@collabn1 ~]# chgrp named /etc/rndc.key
    [root@collabn1 ~]# chmod g+r /etc/rndc.key
    [root@collabn1 ~]# ls -lrta /etc/rndc.key
     -rw-r----- 1 root named 77 Nov 10 09:19 /etc/rndc.key
  9. Restart the named service.
    [root@collabn1 ~]# service named restart
     Stopping named:                                            [  OK  ]
     Starting named:                                            [  OK  ]
  10. Check that the parameter PEERDNS is set to no in /etc/sysconfig/network-scripts/ifcfg-eth2 to prevent the resolv.conf from being overwritten by the dhcp client:
    NAME="System eth2"

    note: I (Yury) found that the following two should be set to NO to => DEFROUTE=no, PEERROUTES=no

  11. If it was set to yes previously, restart the network and verify that the file /etc/resolv.conf contains now the correct nameservers:
    [root@collabn1 ~]# service network restart
    Shutting down interface eth0:                              [  OK  ]
    Shutting down interface eth1:                              [  OK  ]
    Shutting down interface eth2:                              [  OK  ]
    Shutting down loopback interface:                          [  OK  ]
    Bringing up loopback interface:                            [  OK  ]
    Bringing up interface eth0:                                [  OK  ]
    Bringing up interface eth1:                                [  OK  ]
    Bringing up interface eth2:
    Determining IP information for eth2... done.
                                                              [  OK  ]
  12. /etc/resolv.conf should contain:
    [root@collabn1 ~]#  cat /etc/resolv.conf
    ; generated by /sbin/dhclient-script
    search racattack
  13. Check that the master DNS on collabn1 is working.
    [root@collabn1 ~]# nslookup collabn-cluster-scan.racattack
    Name:   collabn-cluster-scan.racattack
    Name:   collabn-cluster-scan.racattack
    Name:   collabn-cluster-scan.racattack