INE 2810 Mission 3

Mission outlines

1. Set up a DNS server for your branch office domain
2. Set up a mail server for your branch office domain
3. Configure your router access lists to protect your hosts in DMZ

Task 1 : Set up your DNS server

Set up your master DNS server first

1. Choose a host in DMZ to set up your master DNS server. Its IP must be the one specified in your enterprise background information.

2. Configure your /etc/named.conf file so as to
• allow your slave DNS server to do DNS zone transfer from this master DNS server
• set the DNS forwarder to be 192.168.11.1 so that all other DNS queries will go through this IP
• define the zone filename for your branch office domain
• define the zone filename for your reverse IP mapping (in-addr.arpa) domain

 
3. Configure your zone files in /var/named
• in your branch office domain zone file define the followings:
• the SOA of your domain
• the NS of your domain
• the MX of your domain
• the IP of ns1 (master DNS name server)
• the IP of ns2 (slave DNS name server)
• the IP of fw (firewall interface to DMZ)
• the IP of gateway (router interface to DMZ)
• the IP of router (router interface to upstream ISP)
• the CNAME of mail (point to ns1)
• in your in-addr.arpa domain zone file
• define the reverse IP mapping for the hosts: ns1,ns2,fw and gateway
4. Configure your /etc/resolv.conf file to define your domain and your master DNS server IP
5. Start your named by the command "/etc/rc.d/init.d/named start" and use host command to verify your setting
6. If you find your named does not work, tail /var/log/messages to see if there is any error messages. If there is any error, fix the error and restart the named by " /etc/rc.d/init.d/named restart"

Then set up your slave DNS server
 

1. Choose another host in DMZ to set up your slave DNS server. Its IP must be the one specified in your enterprise background information.
2. Configure your /etc/named.conf file so as to define the domain zone file of your domains and their master server IP.
3. Configure your /etc/resolv.conf file to define your domain and your master DNS server IP
4. Start your named by the command "/etc/rc.d/init.d/named start" and see if your slave DNS server can transfer the zone files from your master server to your slave directory
5. If you find your named does not work, tail /var/log/messages to see if there is any error messages. If there is any error, fix the error and restart the named by " /etc/rc.d/init.d/named restart"

1. Choose your master DNS host as your mail server
2. Configure your sendmail marco file (mc) file.
• copy /etc/mail/sendmail.mc to /usr/share/sendmail-cf/cf directory
• edit the sendmail.mc file to
• add the follow entries:

MASQUERADE_AS([your_domain])
FEATURE(masquerade_envelope)
FEATURE(allmasquerade)dnl

• to comment the following entries by dnl keyword
dnl EXPOSED_USER(`root')
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
• cd to the directory of /usr/share/sendmail-cf/cf and type "make sendmail.cf" to generate the sendmail.cf file
• backup the original sendmail.cf file: cp -p /etc/sendmail.cf  /etc/sendmail.cf.orig
• replace the /etc/sendmail.cf file with yours in /usr/share/sendmail-cf/cf
3. Edit the /etc/mail/local-host-names to include your domain
4. Restart the sendmail daemon: /etc/rc.d/init.d/sendmail restart
5. tail /var/log/messages to see if there is any error messages. If there is any error, fix the error and restart the sendmail by " /etc/rc.d/init.d/sendmail restart"
6. create user accounts for yourselves at your mail server. If you do not know how to create, man useradd and man passwd.
7. Test your mail server by sending mails from your mail server to your INE account. See if your mail sending out from your mail server is masqueraded as your office domain
8. Try to send mail from your INE account to your user account at your mail server. See if your mail server can receive mails from outside
 

Here is the specification of your router access list
 

1. permit any host in your enterprise network to have IP access to your hosts in DMZ
2. permit gateway.ine.cuhk.edu.hk to have ICMP and  ssh access to your hosts in DMZ
3. permit network 192.168.8.0/22 to have ICMP and ssh access to your hosts in DMZ
4. permit DNS query (udp port 53) from any host  to your ns1 and ns2 DNS server
5. permit DNS qurey result (udp port above 1023) from the DNS  forwarder (192.168.11.1) to your ns1 (your master DNS servers)
6. permit SMTP traffic (tcp port 25) from any host to your mail server
7. permit ICMP echo-reply from any hosts to any hosts in your branch office network
8. permit any tcp estahlished packets (initated from your hosts in DMZ) to your hosts in DMZ
9. deny all packets by default and log the deny packet

Collaborate with other OTs in your enterprise and your partner enterprise to test your access list. You may open guest accounts for the other OTs to facilitate the test if needed.

Enable the log buffer at your router by "logging buffer 7".
"show log"  at your router can give you some information to debug your access list.
 
 

References

• Simple DNS Configuration Example
• comp.protocols.tcp-ip.domains Frequently Asked Questions
• DNS Resources Directory
• Book: DNS and BIND
• sendmail.org
• Book: Cisco IOS Access Lists 
• Configuring IP Access Lists
• IOS 12.1 Configuring IP Services