Re: Complete DNS fake root setup example

2016-01-20 Thread Bob Harold
On Wed, Jan 20, 2016 at 12:12 PM, MURTARI, JOHN  wrote:
> Folks,
>
> Had to do some testing where we wanted our own insulated
> fake root environment. We wanted to start from simulated root name servers.
> I was surprised I couldn’t find a complete example even after some extensive
> searches.
>
> The concepts are easy, but the devil is in the details.   We
> had done this before, but no one ever kept notes so I figured by posting it
> on the list it will eventually find its way into Google.   Here are the
> setup instructions below, name & ip address have been changed to protect the
> innocent!   Your comments/suggestions are welcome!
>

Not a bad idea.  Some comments:

/etc/resolv.conf should point to a recursive resolver, not a
non-recursive authoritative server.  Hosts 6,7,12, and 13 should all
be non-recursive authoritative servers.  There should be a separate
resolver.

Looks like the contents of "db.bongo.com" were not fully anonymized.

-- 
Bob Harold
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Complete DNS fake root setup example

2016-01-20 Thread MURTARI, JOHN
Folks,
Had to do some testing where we wanted our own insulated fake
root environment. We wanted to start from simulated root name servers. I was
surprised I couldn't find a complete example even after some extensive searches.

The concepts are easy, but the devil is in the details. We
had done this before, but no one ever kept notes, so I figured by posting it on
the list it will eventually find its way into Google. Here are the setup
instructions below; names & IP addresses have been changed to protect the
innocent! Your comments/suggestions are welcome!


#
# This document describes a complete BIND fake root setup
# ?'s - jm5...@att.com
#
# One DNS server is fake root (Host 12 - 1.2.3.4)
# One DNS server is com TLD  (Host 13 - 1.2.3.5)
# One DNS server is bongo.com  (Host 06 - 1.2.3.6)
# One DNS server is support.bongo.com NS (Host 07 - 1.2.3.7)
#

== Host 12 - FAKE ROOT - 1.2.3.4

zone "." {
type master;
file "named.root";
};

-- contents named.root
$TTL 5m
@               IN  SOA  . rname.invalid. (
                    0   ; serial
                    5m  ; refresh
                    5m  ; retry
                    5m  ; expire
                    5m ) ; minimum
@               IN  NS   fake-root.com.
fake-root.com.  IN  A    1.2.3.4
com.            IN  NS   tld.com.
tld.com.        IN  A    1.2.3.5
.               IN  TXT  "FAKE ROOT"


-- contents /etc/resolv.conf
nameserver 1.2.3.4


== Host 13 - FAKE .COM TLD server - 1.2.3.5

zone "." {
type hint;
file "named.root";
};

zone "com" {type master; file "named.com";};

-- contents named.root
$TTL 5m
.               300  IN  NS  fake-root.com.
fake-root.com.  300  IN  A   1.2.3.4

-- contents named.com
$TTL 5m
@           IN  SOA  @ rname.invalid. (
                0   ; serial
                5m  ; refresh
                5m  ; retry
                5m  ; expire
                5m ) ; minimum

@           IN  NS   tld
tld             A    1.2.3.5
fake-root       A    1.2.3.4
bongo           NS   ns1.bongo
ns1.bongo       A    1.2.3.6
@           IN  TXT  "FAKE COM SRVR"

-- contents /etc/resolv.conf
nameserver 1.2.3.5


== Host 06 - NS for BONGO.COM - 1.2.3.6

zone "bongo.com" {type master; file "db.bongo.com" ;};


-- contents db.bongo.com
$TTL 10m
lammens.com.   IN SOA ns1.lammens.com. contact.lammens.com. (
                  2    ; Serial
                  5m   ; Refresh after 5 minutes
                  2m   ; Retry after 2 minutes
                  15m  ; Expire after 15 minutes
                  1m ) ; Negative caching TTL of 1 minute

lammens.com.  IN NS ns1.lammens.com.

ns1.lammens.com.  IN A 1.2.3.6

support.lammens.com.  IN NS ns1.support.lammens.com.
ns1.support.lammens.com.  IN A 1.2.3.7


== Host 07 - NS for SUPPORT.BONGO.COM - 1.2.3.7

zone "support.bongo.com"  IN {
type master;
file "db.support.bongo.com";
};

-- contents db.support.bongo.com
$TTL 10m
support.bongo.com.   IN SOA ns1.support.bongo.com. contact.bongo.com. (
                        11   ; Serial
                        5m   ; Refresh after 5 minutes
                        2m   ; Retry after 2 minutes
                        15m  ; Expire after 15 minutes
                        1m ) ; Negative caching TTL of 1 minute

support.bongo.com.  IN NS ns1.support.bongo.com.

ns1.support.bongo.com. IN A 1.2.3.7


== complete test trace

root@Host 13# dig support.bongo.com ns +trace +add

; <<>> DiG 9.9.3-S1-P1a-RedHat-2.0-2 <<>> support.bongo.com ns +trace +add
;; global options: +cmd
.                       300     IN      NS      fake-root.com.
fake-root.com.          300     IN      A       1.2.3.4
;; Received 70 bytes from 1.2.3.5#53(1.2.3.5) in 0 ms

com.                    86400   IN      NS      tld.com.
tld.com.                86400   IN      A       1.2.3.5
;; Received 82 bytes from 1.2.3.4#53(fake-root.com) in 1 ms

bongo.com.              300     IN      NS      ns1.bongo.com.
ns1.bongo.com.          300     IN      A       1.2.3.6
;; Received 82 bytes from 1.2.3.5#53(tld.com) in 1 ms

support.bongo.com.      600     IN      NS      ns1.support.bongo.com.
ns1.support.bongo.com.  600     IN      A       1.2.3.7
;; Received 116 bytes from 1.2.3.6#53(ns1.bongo.com) in 4 ms

support.bongo.com.      600     IN      NS      ns1.support.bongo.com.
ns1.support.bongo.com.  600     IN      A       1.2.3.7
;; Received 116 bytes from 1.2.3.7#53(ns1.support.bongo.com) in 1 ms



John Murtari - jm5...@att.com
Ciberspring
office: 315-944-0998
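
A pre-load consistency check for the zone files in the post, added here as an example and not code from the thread or from BIND: it parses a zone file just far enough to confirm that the SOA owner is the origin given in named.conf and that every in-bailiwick NS target has a glue A record, the two things that break a delegation chain like this one. The zone texts are constructed from the post's named.com and db.bongo.com; parse_zone, check_zone and fqdn are hypothetical helper names.

```python
import re
# Constructed from the two zone files in the post (named.com and db.bongo.com).
NAMED_COM = """$TTL 5m
@   IN SOA  @ rname.invalid. (
    0 5m 5m 5m 5m ) ; serial refresh retry expire minimum
@   IN  NS  tld
tld A   1.2.3.5
bongo  NS   ns1.bongo
ns1.bongo   A   1.2.3.6
"""
DB_BONGO = """$TTL 10m
lammens.com.   IN SOA ns1.lammens.com. contact.lammens.com. (
    2 5m 2m 15m 1m ) ; serial refresh retry expire negative-caching TTL
lammens.com.  IN NS ns1.lammens.com.
ns1.lammens.com.  IN A 1.2.3.6
"""

def fqdn(name, origin):  # '@' is the origin; unqualified names get it appended
    if name == "@":
        return origin
    return name if name.endswith(".") else (name + "." + origin).replace("..", ".")

def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples; handles comments, $TTL, @ and ( ) records."""
    text = "\n".join(re.sub(r";.*", "", ln) for ln in text.splitlines())
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    records, owner = [], origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        tokens = line.split()
        if not line[0].isspace():      # a leading blank means "same owner as before"
            owner = fqdn(tokens.pop(0), origin)
        while re.fullmatch(r"\d+[smhdw]?|IN|CH", tokens[0], re.I):
            tokens.pop(0)              # skip the optional TTL and class fields
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records

def check_zone(text, origin):
    """Return problems that would stop named loading the zone or break delegation."""
    recs, problems = parse_zone(text, origin), []
    soa = [r for r in recs if r[1] == "SOA"]
    if len(soa) != 1 or soa[0][0] != origin:
        problems.append(f"SOA owner {soa[0][0] if soa else 'missing'} is not the origin {origin}")
    have_addr = {o for o, t, _ in recs if t in ("A", "AAAA")}
    for owner, rtype, rdata in recs:
        target = fqdn(rdata[0], origin) if rtype == "NS" else None
        in_zone = target and (origin == "." or target == origin or target.endswith("." + origin))
        if in_zone and target not in have_addr:   # an in-bailiwick NS needs glue here
            problems.append(f"NS {owner} -> {target} has no glue A record")
    return problems
```

Run against the post's files, named.com passes and db.bongo.com is flagged because its SOA owner is lammens.com. rather than the bongo.com. origin in named.conf, which named will refuse to load.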


RE: Complete DNS fake root setup example

2016-01-20 Thread MURTARI, JOHN
--- Original msg
On Wed, Jan 20, 2016 at 05:12:44PM +, MURTARI, JOHN wrote:
> Folks,
> Had to do some testing where we wanted our own
> insulated fake root environment. We wanted to start
> from simulated root name servers.  I was surprised I
> couldn't find a complete example even after some
> extensive searches.
> 
> The concepts are easy, but the devil is in the
> details.  We had done this before, but no one ever
> kept notes so I figured by posting it on the list it
> will eventually find its way into Google.  Here are
> the setup instructions below, name & ip address have
> been changed to protect the innocent!  Your
> comments/suggestions are welcome!

The key parts are the root hints and the trust anchors. You can see
several such fake root configurations in the BIND 9 system tests (look
in bin/tests/system), e.g., the resolver system test.
Mukund
--- Original msg

Thanks for that.  I took a look in the distribution at the directories you 
mentioned. There is very little explanatory text.  Not so sure someone
would find it useful in setting up their own fake root and a delegation
path.

John




Re: Complete DNS fake root setup example

2016-01-20 Thread btb

On 2016.01.20 12.12, MURTARI, JOHN wrote:

> Folks,
>
> Had to do some testing where we wanted our own
> insulated fake root environment. We wanted to start from simulated root
> name servers.  I was surprised I couldn't find a complete example even
> after some extensive searches.
>
> The concepts are easy, but the devil is in the
> details.   We had done this before, but no one ever kept notes so I
> figured by posting it on the list it will eventually find its way into
> Google.   Here are the setup instructions below, name & ip address have
> been changed to protect the innocent!   Your comments/suggestions are
> welcome!


my suggestion would be to not use other people's domain names and ip 
addresses when protecting the innocent.  after all, they're innocent 
too, and i'd imagine you wouldn't want them using your domain name in 
their examples ;) .  various rfcs [6761, 3330, others] provide for these 
needs.


-ben


Re: Complete DNS fake root setup example

2016-01-20 Thread Mukund Sivaraman
Hi John

On Wed, Jan 20, 2016 at 05:12:44PM +, MURTARI, JOHN wrote:
> Folks,
> Had to do some testing where we wanted our own
> insulated fake root environment. We wanted to start
> from simulated root name servers.  I was surprised I
> couldn't find a complete example even after some
> extensive searches.
> 
> The concepts are easy, but the devil is in the
> details.  We had done this before, but no one ever
> kept notes so I figured by posting it on the list it
> will eventually find its way into Google.  Here are
> the setup instructions below, name & ip address have
> been changed to protect the innocent!  Your
> comments/suggestions are welcome!

The key parts are the root hints and the trust anchors. You can see
several such fake root configurations in the BIND 9 system tests (look
in bin/tests/system), e.g., the resolver system test.

Mukund

