Introduction

Installing Software with FreeBSD

In this module you are going to learn how to install software on FreeBSD.

Different UNIX distributions use different package systems for distributing

software.

Debian, GNU/Linux, and Ubuntu use the Debian software package format which
is ‘.deb’.

SuSE, RedHat, and Fedora use the RPM Package Manager which is ‘.rpm’.
Correct.

The preferred compression format for pkgng for package archives is .txz
but pkgng can also install .tbz, .tgz and .tar archives.

There are three methods of installing software on FreeBSD:

From the Source
From Port
From Package

1. From Source
Open source software is shipped in source form. For the software to be usable on
a system there are several steps to be taken as follows:

It must be unpacked;

It must be adapted to the system you are

running
on;
It may be compiled (source to binary);

It must installed; and

It may need to be configured.

Using the ports system means that steps 1-4 will be done for you.

2. From the port

The Ports Collection is a framework of Makefiles[a] and patches specifically

customized for installing software applications from source on FreeBSD.
It is described in detail athttp://www.freebsd.org/doc/en_US.ISO8859-
1/books/handbook/ports.html

During installation of a port on FreeBSD, the system automatically fetches the

Source code, applies any required patches, compiles the code and installs the
application.

It is good practice to update the Ports tree as frequently as possible. We will do

so in this course to ensure you are running modern software.

The ports collections contains instructions for over 24,000 software programs as
of July 2015 and is still growing. You can find the Ports Collection in “/usr/ports/”.

3. From the Package

Once the port is built, a package can be made. Packages are applications that
have already been compiled, and are equivalents of .deb files and .rpm files that
exist in Linux. A package is a pre-built port and is distributed as a .tgz file.

Packages can be installed:

From the network via FTP; and

From the FreeBSD CDROM.

Packages can be those built by the FreeBSD project or your own. We will use
the pkgng software where packages are installed by typing pkg install
packagename (where the packagename is the package you are installing).

Regardless of what method you use to install 3rd party software, you must be
root or have root privileges (via sudo).

For Ubuntu, you can use apt-get install packagename or download a .deb
and install a pre-compiled package. The ports system is Unique to FreeBSD but
works on other BSD variants and there is also a type of ports system available
on Mac OSX called mac-ports.

Faster to install (especially large applications). Package

You can customize installation options. Port
You don’t need to understand how to compile software. Package
You can apply your own patches to applications. Port

When installing from ports, the speed of the installation depends on how fast
your internet connection is and the CPU power available to do the compiling. As
such, if you have a fast machine (high clockrate CPU, multiple cores) and a fast
connection to the Internet, installs will be very fast

For the purposes of this course we will install three softwares without using the
Ports system. These are:

Perl which is a family of high-level, general-

purpose, interpreted, dynamic programming
languages.
(http://en.wikipedia.org/wiki/Perl);
Python which is a widely used general-
purpose, high-level programming language;
and
VIM the Vi Improved editor which will be used
for the rest of the course.

Perl and Python softwares need to be in place for sudo, and portupgrade to
work. Installing them from ports on a virtual installation of FreeBSD will take too
much time due to limited resources and the same applies for VIM

PACKAGE INSTALL
# pkg install perl5 python vim

We must also configure the FreeBSD Ports system to avoid installing softwares or
dependencies with features that work on the Graphical Environment since we
are not using one for this course.

To do so, do the following as root:

# echo “OPTIONS_UNSET=X11” >> /etc/make.conf

# echo “OPTIONS_UNSET=X11” >> /etc/make.conf

# echo “WITH_PKGNG=yes” >> /etc/make.conf

# echo “OPTIONS_UNSET=X11” >> /etc/make.conf

The file /etc/make.conf is a file read by the FreeBSD Ports system before it
installs any port. The first line disables installing of any port with features that
would be needed with a Graphical User Interface which we will not be using
in this course. The second line ensures that the FreeBSD Ports Collection
registers new software with pkg (ie pkgng), and not the traditional packages
format. FreeBSD versions earlier than 10.X require this line in /etc/make.conf

Now, we will update the FreeBSD Ports tree using “portsnap”. Type the following
on the command line:
# portsnap fetch extract

Portsnap connects to a FreeBSD site, verifies the secure key, and downloads a
new copy of the Ports Collection.

The key is used to verify the integrity of all downloaded files. It is useful to
occasionally update your Ports tree.

You only need to do “portsnap fetch extract” the first time you use portsnap.
To update it, you only need to type “portsnap fetch update”

After portsnap has completed the download and extraction of the new ports
tree, you can proceed to the next page

Installing Ports and Making Packages

You can use the following commands to search for a port either by name or
keyword (substitute “<name>” and “<keyword>” respectively):
# cd /usr/ports; make fetchindex && search name=<name>
# cd /usr/ports; make search key=<keyword>

The 2 commands above each have two parts, executed one after another. First
the command would change the directory to /usr/ports/. After a fresh install of
FreeBSD you must do make fetchindex at least once and then proceed to
search for port names/ keywords.

Once you know where the port resides, or its category, you can go to that
directory, and install it with this series of commands.
# cd /usr/ports/shells/zsh
# make
# make install
# make clean

BUILD A PACKAGE FROM A PORT

To build a package from a port, you need to input the following command in the
directory where the port was built
# cd /usr/ports/shells/zsh
# make package
# rehash

The reason for running the rehash command is that if you change directory after
building the package and try using the command the C shell will return with
'Command not found'. This happens because the C shell stores a hash table
listing of all the programs in the search path.
The C shell will not be able to find the new program until you have used the
rehash command. This applies for csh only and not bash.

Installing Ports and Making Packages

But what if:

You don't know in which category the port is

located or which version you want?
You can't find up-to-date packages for the
version of FreeBSD you are running (maybe
it's a bit older)?
You want to upgrade a package, but other
packages depend on it?

For all the above reasons it is strongly recommended to use a set of tools called
portupgrade. Portupgrade is a tool set for working with ports and packages.

Some ports in the ports collection, expect a certain version of software to

already be installed on your system. When they don’t find the correct version,
the ports system automatically installs the version needed.

In some cases when you upgrade a single port and force the install, other ports
that depend on the port that has just been updated will require to be updated
too. This is when portupgrade becomes a great tool, and is strongly
recommended that you use it.
Portupgrade greatly simplifies software installation and upgrades. It is itself a
port so requires installation as with any port.

It is important that you have a working internet connection for the next steps.
The following commands are the way to install Portupgrade:
# cd /usr/ports/ports-mgmt/portupgrade
# make -DBATCH install clean
# rehash

For the purposes of this course, we will install all the softwares with the make –
DBATCH install clean option which forces the ports system to install all
dependencies with default options and not to raise any option dialog
boxes.

However, if you are installing on a real server that will be in production, its best
to pick and choose which options you are enabling.
Portupgrade is a meta package manager, and sits on a layer above the ports
and package system.

Once installed, you will have to rehash, or start a new session as root to use it
without typing full pathnames.

When in the csh shell, every installation should be followed with the command
rehash so that they can be accessed from the shell without having to type in the
full path to the command.

Unlike csh, when in the bash shell (which will be installed later in this module), a
rehash is not needed after installations.
Portupgrade is a suite of tools one of which is portinstall. Others
are pkg_deinstall, portsclean among several others.

# portinstall --batch sudo bash && rehash

Please note that there are two dashes before batch not one.

The &&[a] rehash at the end is to ensure that the csh updates to reflect the
shortcuts of the new installs ie sudoand bash instead of having to
type /usr/local/bin/sudo on the shell, we just type sudo.

Portupgrade can be told to try and install a pre-built package, using the -P
option, (one or more times).

In this example we fallback to the port if the package isn't found:

# portinstall -P <port name>
In this example we stop if the package isn't found
# portinstall -P -P <port name>
To upgrade an already installed software package you’d use:
# portupgrade <package name>

When installing software with FreeBSD (and you do not wish to manually
download and install from source), which of these two actions would you do first.
INSTALL A PORT

PORTS: A framework of makefiles and patches specifically customized for

installing software applications from source with FreeBSD.

PORTSUPGRADE: What is the name of the very useful meta-package manager

which will be used for the remainder of this course?

% unprivileged User
To become the root user, type the command “su” which means “switch user”.
# Privileged User
check if your ports collection is installed.
# ls -l /usr/ports

make sure you have the Perl language interpreter installed:

# perl –v

Finding a Port
You now need to search for a port, first of all you need to change the directory to
the user ports directory. To do this you need to type cd /usr/ports.
# cd /usr/ports

ports index needs to be set up first.

The index is a database stored in /usr/ports/INDEX which keeps track of such
items as ports available and their dependencies.

The index is created by via make index, which descends into each port sub
directory and executes make describe there.

# make fetchindex

INSTALLING FROM PORTS

The first thing you need to do when installing from a port is locate where it is.
We have already used the command to find ports (make search
name=apache | more). You will need to modify this command to find
textmaze.
# make search name=textmaze | more

Now that you have found the information for textmaze you will need to change
to its ports directory so that you can install it. Type as follows:
# cd /usr/ports/games/textmaze
# cd /usr/ports/games/textmaze
# make
Now you have built the port you now need to install it.
# make install && rehash

After running the command above textmaze should now be fully installed and
ready to play.

If you wish to check that the textmaze game has been installed correctly you
can look at the contents of the directory. To do this type "ls -l /var/db/pkg" you
should see the new package that has been registered.

LISTING PACKAGES
To find installed packages on a system use the pkg infocommand:
# pkg info

After you have entered the command above you should have been shown a list
of all installed packages. You can find which file a package belongs to by
adding -W and the file path.
You should now be able to see that the file /usr/local/bin/textmaze was installed
as part of the port textmaze-1.2.

If you need help with pkg type “pkg help”to see a full list of options.
# pkg help

Installing with Portupgrade

You now need to make sure that portupgrade/portinstallis installed. To do this
you need to use # portinstall
# portinstall
If this command worked correctly you should have been shown the portinstall
help screen. If 'Command not found' was returned you simply need to run the
following command

When you have run this command you will be taken to several different install
screens, where you can choose to install additional options for packages to be
installed.

You can install sudo and bash one at a time or both together. There may be
options screens that allow you to choose various customizations to the programs
being installed.

For this course, we will use the defaults by including the

--batch flag. (However on production environments, you are strongly urged to
choose which options you enable for security and performance purposes.)

If the package being installed already exists, portinstall will mention this and not
install the package. However, if it is installed but of an older version, portinstall
will update it.
Now run the following command to install sudo and bash.
# portinstall --batch sudo bash && rehash

COMMANDS
Ls List Files
Ls -l List files with more details
cd – change directory (working)
pwd – print working directory
cd /home/afnog – navigate to specified path
ls /home/afnog – list files in specified path
mkdir – creates/makes a directory on the working directory
mkdir /home/afnog/job_files – creates a ‘job_files’ directory in the
path /home/afnog
touch - creates a new file with the name specified if it does not exist. If a file
with that name already exists then the command does nothing.
$ touch /home/afnog/newfile.txt
rm - rm command removes/deletes each specified file. It does not
delete directories tho’
cp [name] [copy-location/name]

The cp command copies the file or directory specified into a new file or
directory.

A new name must be provided if copying in the same directory, otherwise the
name can remain the same
$ cp /home/afnog/original.txt
$ cp /home/afnog/original.txt
/home/afnog/copy.txt

mv [name] [new-name]

The mv command does not simply move files; it renames the file or directory
specified.

This has the effect of moving the file when “renaming” the file or directory into
another location.
$ mv /home/afnog/newdir/original.txt
/home/afnog/new.txt

the easiest way to remove one directory and all of its contents including
subdirectories and their contents is

rm -r dirname

if you put the trailing slash in

rm -r dirname/

you will remove the contents but not the directory itself.

The cat command concatenates the contents of the files specified and outputs
the result.

The command is most commonly used with just one parameter, in which case it
will read the contents of that one file and output it.
[afnog@maisiba@my ~]$ cat testfile3
chdsjhvh
\::
::exit

more [file]

The more command is what's called a pager.

The command will read the contents of the specified file and display it, but only
display one screen's worth of content at a time.

This is particularly useful for long documents, as the document can be read at
your own pace.
$ more /home/afnog/adocument.txt

less [file]

The less command is very similar to the more command, except that it offers
better support for moving backwards in the file.
$ less /home/afnog/adocument.txt

The grep command is a very powerful search tool, but we will not be taking
advantage of that in this instance. By searching the command history for the
name of the command, we can retrieve it quickly and easily:
$ history | grep [command name]

The man (short for manual) command will display information related to the
specified command.
$ man [command]
You can find out more about the man command by running it on itself:
$ man man

You can also get help on a command by adding --help

after the command, this generally shows a short output detailing which flags
and options you can use for the command:
$ man -–help

File Permissions
Each file and directory can allow or disallow read (shown as r), write (shown
as w), and execute (shown as x) access to three different categories:

User the person that owns the

file/directory;
 Grou the group that owns the file/directory;
p and
Other users who do not own and are not in a
s group that owns the file/directory
(essentially all users that do not fit
into the
first two categories)

-rw-r--r—

drw-rw-rw-

-r-xrw--wx

The first character indicates the type of file, it will be a dash if we are looking at
a regular file, or the character d if we are looking at a directory, other types
could include sfor a symbolic link, or p for a named pipe.

A file or directory's permissions can be viewed using the lscommand with the -
l option:
$ ls -l

Permissions may not always be set correctly, so there are commands built in to
change these permissions.

These commands, are all available to the root user. Thechgrp command (for
changing group ownership of a file) is available to the un-privileged user.

chmod [permissions] [file/directory]

The chmod command changes the permissions on the specified file/directory.

The permissions parameter takes the format of;

[category]+[access] to add an access right, or
[category]-[access] to remove an access right

# chmod g+w /home/afnog/file.txt

The above command adds write access to the group category on our file from
the previous example, while the following removes it for the user category

# chmod u-w /home/afnog/file.txt

chown [user]:[group] [file/directory]

The chown command changes the owner of the specified file/directory.

The user or group can be omitted, and they will not be changed.
Some examples of using the chown command are

Change owner to a different user in a different group

# chown newuser:newgroup /home/afnog/file.txt

Change owner to the same user but a different group

# chown :newgroup /home/afnog/file.txt

Change owner to a different user in the same group

# chown newuser /home/afnog/file.txt

STARTING AND KILLING PROCESSES

The jobs command returned the list of the current jobs started by this shell.
$ jobs

Another command ps auxw enables you to see your job in the table of
processes
If you used ps auxw by itself, you'd see all processes on the system, and that's
a big list. So we filter it through grepto extract only lines which contain the
word sleep. Grep is acommand-line utility for searching plain-text data sets for
lines matching a regular expression.
$ ps auxw | grep sleep
inst 8531 0.0 0.0 ... 0:00 sleep 600
inst 6416 0.0 0.0 ... 0:00 grep sleep

The first column is the username the process is running as; the second column is
the pid. Other columns are resource utilisation information, and the end shows
the command itself.

ENVIRONMENT VARIABLES

The printenv command lists the names and values of the variables in the
environment, with one name/value pair per line.

If you do not specify a name to list, then printenv lists all variables in the
environment, so there may well be more than one will fit on the screen.

$ printenv

Another option is to capture the output of the command into a file.

You can then open this file using a text editor (or you can mail it to someone
else to look at) .

This process is called redirection.

$ printenv > env.txt
$ vi env.txt

To exit the text editor type <ESC> :q! <Enter>

This shows that the user afnog has no installed crontabs at the moment. Any
user can create a crontab (cron table) file that will be read by cron using the
command crontab -e. This will create a new file or edit an existing one using
the editor specified in the $EDITOR environment variable
$ crontab -e

Next, let's change the $EDITOR environment variable using

the export command so that we can edit the crontab with the ee editor:
$ export EDITOR=ee && echo $EDITOR
ee
$

Let us now add a crontab entry to print the time and date every minute into a
file called “date_file” in our /home/afnog directory.
$ crontab -e

Add this line

*/1 * * * * date >> /home/afnog/date_file
Save the file by pressing Esc then selecting leave editor at the first menu,
then save changes at the second menu. Type $crontab -l to see if the crontab
was installed

You can remove the crontab entry for the afnog user with the following
command:
$ crontab -r

Also note that when you exit your shell or logout, you lose the settings set via
the export command.

This is because

Every shell has its own *copy* in memory of

the set
of environment variables;
When you change them, you are changing
only
the shell's local memory copy;
When the shell exits, any changes you made
are
 lost; and

Permanent changes to environment variables

have
to be set by editing specific files for specific
shells.
We will look at how to do that for FreeBSD on
the
next page in this module

So, the only way to make the change to the EDITORenvironment variable
permanent is to arrange that every time your shell starts up, it sets the
environment how you want it.

This is done through shell startup files, sometimes called

rc files (for Runtime Configuration).

So, how would you make ee the default editor permanently?

By default FreeBSD uses csh for root's shell, and sh for other users' shells, and
these two different shells have different startup scripts and different syntax for
setting environment variables. We however changed the default shell to bash for
both the root, and the afnog users which simplifies things slightly.

For the afnog user you can change environment variables by editing the
file /home/afnog/.bash_profile in FreeBSD.

Notice the leading . (dot) before the file name. This indicates that the file is a
hidden file, it will not appear with a regular ls –l but will appear with an ls –al.

$ echo “export EDITOR=ee” >> /home/afnog/.bash_profile

This will create the file if it does not exist. Next log out by typing exit and then
log back in. Now check that ee is your current editor:

$ echo $EDITOR

Hint: For this to work, bash must be your default login shell.

Note: to do this for the current session without having to log out in bash, all you
have to do is:
export EDITOR=ee

COMMAND PROCESSING
It's useful to use the command echo for testing: this just prints back its
arguments to you.
$ echo hello world
hello world

So, where actually is the command echo? Well, you can ask the shell to look for
it for you
$ which echo
/bin/echo

The which command has displayed the location of theecho command.

How did it find it?

By looking in a series of standard directories, and this

list of places comes from the environment variable
$PATH.

It tries them one after the other, stopping as soon as a match is found.
$ echo $PATH
/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:
/usr/local/sbin:/usr/local/bin:
/usr/X11R6/bin:/home/yourname/bin
/usr/local/sbin:/usr/local/bin:
/usr/X11R6/bin:/home/yourname/bin

So it tries /sbin/echo and fails; next it tries /bin/echo

and succeeds. If it wasn't there, it would try the other directories.

If you want to override the search, or you want to run a program which is in a
directory which is not in $PATH,
then you can give it an explicit location:

$ /bin/echo hello world

hello world

Now let's look at line and parameter splitting.

The following things happen:

the shell splits this into three words:

"/bin/echo",
"hello" and "world", using spaces as the
separator;
the shell performs various types of expansion
on
these words;
 it then starts a new process,
runs /bin/echo in it,
and passes in "hello" and "world" as
arguments; and
/bin/echo just sends its arguments back
down
its standard output, separated by a space,
and
ending with a newline.
Normally we'd be running something more
useful

Where this becomes a problem is if you need to use a filename which contains a
space (which are usually best avoided, but you will come across them from time
to time)
$ touch my file

You should find that you have actually created *two* files, called "my" and "file".

You need to stop the shell from breaking 'my file' into separate arguments.

You can do this using quoting, and there are three main ways:
$ touch "my file"
$ touch ‘my file’
$ touch my\ file

The first two ways are enclosing the filename in either single or double quotes.

The last is to precede the space with a backslash, which makes it lose its special
meaning as an argument separator.

Quoting also gives you a way to make echo give you a string with lots of spaces
in it
$ /bin/echo "hello world"
hello world

If you use single quotes, make sure you use normal single-quotes: '
(These are shift-7 on many keyboards, or else near the Enter key).

Don't use backticks: `

(often the top left-hand key on the keyboard).

They have an entirely different meaning!

If you've done all this, you now have three files in your current directory: "my",
"file", and "my file". You need to delete them all. You can do this with three
separate commands - or see if you can work out how to make a single line which
deletes all three
The shell performs additional processing on arguments; it's very useful, but it
can cause strange behaviour if you're not aware of it
$ cd /usr/bin
$ echo *what* is your name?
makewhatis what whatis is your name?
That's certainly strange!

You thought echo was supposed to just return the arguments you gave it?

Well it has, but the shell has expanded them first.

Here the shell is doing pattern matching against files in the filesystem,
otherwise known as "filename globbing".

The character "*" matches any 0 or more characters in the filename. So,
"\*what\*" looks in the current directory for all files whose names contain the
string 'what' anywhere, and replaces it with those filenames

Globbing is really useful. The term globbing in particular in a Unix-like

environment is used to refer to pattern matching based on wildcard characters.
Unix shells such as Bash, tcsh, and zsh provide globbing on filenames at the
command line and in shell scripts.

For example you can delete all files in the current directory with names ending
.txt just by typing
$ rm *.txt

Filename globbing uses these special characters:

* matches any 0 or more characters;

? matches any 1 character;

[abc] matches 'a', 'b' or 'c' only; and

[a-z] matches any character between 'a' and

'z'
inclusive.

Another example of argument expansion is the tilde (~) which is expanded by

the shell to return your home
directory (i.e. /home/afnog). If it is followed immediately
by a username then it expands to the home directory of
that user.
$ echo ~

/home/yourname
$ echo ~/wibble

/home/yourname/wibble

$ echo ~root/wibble

/root/wibble

$ echo ~www/wibble

/nonexistent/wibble

It's a useful shortcut; e.g. ~/.ssh/authorized_keys refers to a file within

directory .ssh within your home directory.

Hint:
In the standard shell “sh”, there is no checking that the filename produced
actually exists or not. tcsh and other shells do check

$? which gives the exit status of the last command (0=success, >0=failure)
$ echo $?
0

and $$ which gives the process id of the shell itself.

$ echo $$
2307

However you can do other fancy things, including using the output of one
command and inserting it in the command line as an argument to another.

There are two syntaxes for this, $(...) and backticks.

For example, we can run wc to count the lines in a file, and use the result as an
argument to another command, such as echo for testing.

$ echo $(wc -l /etc/motd)

24 /etc/motd

$ echo `wc -l /etc/motd`

24 /etc/motd

This sort of parameter expansion can be disabled by quoting, except that double
quotes don't disable it; single quotes and backslash do. So:
$ echo "Home is $HOME"

Home is /home/yourname

$ echo 'Home is $HOME'

Home is $HOME

$ echo Home is \$HOME

Home is $HOME

And argument expansions can even perform basic arithmetic, although it's very
rarely used:
$ echo $((3+4))
7

I/O REDIRECTION

$ echo "hello" > test.txt

Now you have created a file called test.txt and written "hello" to it. As the next
example shows, you can also append to a file, instead of overwriting it:

$ echo "world" >> test.txt

Now the test.txt file should contain two lines, "hello" and "world". To check this,
you can connect the standard input of a process to read from a file (in this case
we will use the less command and pass in test.txt):

$ less < test.txt

COMMAND GROUPING
1) You can run commands one after the other
$ echo hello; echo world

hello
world

2) You could run commands only if the preceding command succeeded:

$ echo hello && echo world
hello
world
$ echo hello && echo world

hello

world

3) Or run a command only if the preceding command failed

$ echo hello || echo world

Hello

4) You can run a group of commands in a subshell (the subshell is in brackets).

They can share I/O redirection.
$ (echo hello; echo world) > out.txt

Hint:
Again, if you need to use these special symbols as part of an argument (say
they are in a filename), you can quote them.
$ echo "hello; echo world"
hello; echo world

FLASH & DASH

$ ls /etc -ltr
...
The l, t and r flags alter the behavior of ls

-l use a long listing format

-t sort by modification time

-r reverse the order of sorting

So the result of using these three flags together for ls is to

list the contents of the /etc directory, in a long format, with
the items sorted by their last modification time in reverse
order. For more information on the use of flags for a
particular command, look at the man page or the help page:

$ man ls
$ ls --help

So how would you actually create or delete a file whose name begins with a
dash? The command will try to interpret it as a flag, not a filename.

$ touch -foo

touch: illegal option -- o

usage: touch [-acfhm] [-r file] ...

Quoting doesn't help us here, because it's not the shell which is expanding
anything.

But most commands have a convention that if you include '--' as an option, then
everything afterwards is notconsidered an option, even if it starts with a dash.

So:

$ touch -- -foo

$ ls

$ rm -- -foo

Extra Exercise 1

You know that printenv lists all the environment variables which are set, one
per line.

How could you quickly determine how many environment variables are set?

(That is, without counting them by hand!)

Solution

For this exercise the simplest option is to use command grouping to pass the
output of printenv to the wccommand using the pipe character.

$ printenv | wc -l

Since the output of printenv is a list of environment variables with one per line,
and the -l flag tells wc to return the number of lines from its input, this
combination will return the number of environment variables.
Extra Exercise 2

The command touch -foo we looked at earlier on gives a failure message.

What exit status value does it return?

If you try to run a non-existent command, what exit status do you get?

Solution

For this second exercise we can echo one of the special variables build into the
shell $? which gives the exit status of the last command you executed.
$ touch -foo; echo $?

This same variable is used to check the exit status of running a non-existent
command, remember that $?returns 0 if the command exited successfully,
and greater than 0 if it failed for any reason

Extra Exercise 3

Capture the actual error message which touch -foo gives into a file. Make sure
that the file does actually contain the error message.

(Hint: error messages are sent on the standard error stream, not standard
output)

This is useful in the event that you wanted to mail the error message to
someone, for example.

Solution

Here we are using redirection to send the error message

to a file

$ touch -foo 2> myerror.txt

With this command we are causing the stderr (2)

(standard error) of the touch command to be written to
the myerror.txt file. You can then check to see what the error is by using

$ more myerror.txt

Extra Exercise 4

List all the files in /etc which have "tab" in their name.
Find two or more different ways of doing it, at least one not using an asterisk.

Solution

There are two commands which are used for listing or finding files in
unix, ls and find.
ls /etc | grep tab

$ ls /etc/*tab*

$ find /etc -name "*tab*" -print

The first example above uses grep to filter the list of files in /etc, whereas the
second ls command uses wildcards to achieve the same result.

The find command uses a slightly different syntax, where you specify the -
name of the file(s) you are looking for, and also pass it the -print flag to make it
output the list to the shell.

EXAMPLES
Example 1: Denying execute permission to everyone

example% chmod a-x file

Example 2: Allowing only read permission to everyone

example% chmod 444 file

Example 3: Making a file readable and writable by the

group and others

example% chmod go+rw file

 example% chmod 066 file

Example 4: Causing a file to be locked during access

example% chmod +l file

Example5: Allowing everyone to read, write, and execute

the file and
turn on the set group-ID

example% chmod a=rwx,g+s file

example% chmod 2777 file

WORKING WITH VIM

Vim Modes
Normal mode - this is the default mode
Visual mode - similar to normal mode but with movement commands extent to
highlighted area
Select mode - similar to visual mode, but with a more Microsoft Windows like
behavior
Insert mode - used to add text
Command mode - for searching, filtering in the file
Ex mode - similar to command mode but it is limited

Command Mode

When you open a file in VIM, you are in command mode by default. If you wish
to edit the file you need to switch to
insert mode first by using the i key. To switch back to
command mode, you press the esc key.

There are many, many commands in VIM, but some of the most common and
most useful are:

Press x to delete a character at a time;

Press d twice to delete the line you are on;

Press t and text to search for, and
press enter

Insert Mode
In addition to pressing the i key to start entering text
directly after your cursor, you can also press the e key to add a new line below
your cursor and to start adding text on the new line.

In order to save any changes you have made, you must always firstly press
the esc key to verify you are in command mode.

Then depending on what you want to do, type a ":" and then:
w to wite file to disk
wq to wite file to disk and quit
q to quit the file (only works if no changes)

Find First Occurrence

To search for the first occurrence of something:

i + string then enter

n + n for each of the following occurrence
N + N for each of the previous occurrence

Replace All Occurrences

To replace all occurrences of a string in a file, use the following command:

%s/old_string/new_string/g

Go to a Specific Line

To go directly to a specific line number type in a number and press G

For example “100” + G = go to line 100

Go to the Start and End of a Line

To go to the start of a line press 0

To go to the end of the line press $

Go to the Top and Bottom of a File

To go to the top of a file press 1 + G

To go to the bottom of a file press 0 + G

Undo the Last Change You Made (In Command Mode)

To undo the last change you made in command mode press u

VIM QUICK GUIDE

MOVE
By Character

h move left
j move down
k move up
l move right

By Screen
^F, ^B scroll forward, back one full screen
^D, ^U scroll forward, back one half a screen
^E, ^Y show one more line at bottom, top
L go to the bottom of the screen
z position line with cursor at top
z. position line with cursor at middle
z- position line with cursor at

Miscellaneous Movement
fm forward to character m
Fm backward to character m
tm forward to character before m
Tm backward to character after m
w move to next word (stops at punctuation)
W move to next word (skips punctuation)
b move to previous word (stops at punctuation)
B move to previous word (skips at punctuation)
e end of word (punctuation not part of word)
E end of word (punctuation part of word)
), ( next, previous sentence
]], [[ next, previous section
}, { next, previous paragraph
% goto matching parenthesis () {} []

By Line
:n to line n
home, first, last position on line
end
^ or _ first non-whitespace char on line
+,- first character on next, prev line
xxxG go to line xxx

Marking Position On Screen

mp mark current position as p (a.z)
`p move to mark position p
'p move to first non-whitespace on line w/mark p
EDIT
Editing Text
a append after cursor
A append at end of line
i insert before cursor
I insert at beginning of line
o open line below cursor
O open line above cursor
cm change text (m is movement)

Searching and Replacing

/w search forward for w

?w search backward for w
/w/ search forward for w and move
+n down n lines
n repeat search (forward)
N repeat search (backward)

:s/old/new replace next occurrence

of old with new
:s/old/new/g replace all occurrences on the
line
: replace all occurrences on the
x,ys/old/new/ line x to y
g
: replace all occurrences in file
%s/old/new/g
: same as above, with confirmation
%s/old/new/g
c

Cut, Copy, Paste (Working w/Buffers)

dm delete (m is movement)
dd delete line
D or delete to end of line
d$
x delete char under cursor
X delete char before cursor
ym yank to buffer (m is movement)
yy or yank to buffer current line
Y
p paste from buffer after cursor
P paste from buffer before cursor
"bdd cut line into named buffer b (a..z)
"bp paste from named buffer b
Miscellaneous

n>m indent n lines (m is movement)

n<m un-indent left n lines (m is movement)
. repeat last command
U undo changes on current line
u undo last command
J join end of line with next line (at <cr>)
:rf insert text from external file f
^G show status

PRACTISE USING VIM

To create the temp.txt file, type the command vim temp.txt and then pressENTER.

To be able to type anything inside your temp.txt file, you must switch to INSERTmode by
pressing i.

So, press i to switch to input mode, and then type some text similar to that below:
VI is great! I think I'll be using VI from now on instead of Word and then
pressENTER to add a new line.

To be able to type anything inside your temp.txt file, you must switch to INSERTmode by
pressing i.

So, press i to switch to input mode, and then type some text similar to that below:
VI is great! I think I'll be using VI from now on instead of Word and then
pressENTER to add a new line.
To be able to type anything inside your temp.txt file, you must switch to INSERT
mode by pressing i.

So, press i to switch to input mode, and then type some text similar to that below:

VI is great! I think I'll be using VI from now on instead of Word and then
pressENTER to add a new line.

Now type some more text, similar to that shown below:

I don't know why I haven't used it before now! then press the ESC key to
return to command mode, so that you are ready to save the file.

Now you are in command mode, you can proceed to write your changes and quit
VIM.
To do this you must type :wq and then press ENTER.

You have saved the temp.txt file, and have now returned to the command line.

Now you are going to copy a large file to your home directory.

The file you are going to copy is:

/etc/defaults/rc.conf rc.conf.bak

To copy the file, type in the following command:

cp /etc/defaults/rc.conf rc.conf.bak and then press ENTER.

You have now returned to the bash prompt to indicate you have successfully copied
the /etc/defaults/rc.conf file.

Now open the rc.conf.bak file, but this time, open it at the bottom of the file:

vim + rc.conf.bak and then pressENTER.

Here you are going to jump to a particular line in the file. To do this, you need to be
in command mode, and then you type a number, and then press G.

You are going to go to line 1 of this file. So, firstly press ESCAPE, to switch to
command mode. Then, type 1, and pressG (remember this is a capital letter).

You are now at line 1.

Next, you are going practise this command again by moving to line
10.

To do this, press ESC to verify you are still in command mode, then
press 10and then press G.

You are now at line 10 in this file.

Next, you are going to insert a new line, ready for inserting some
text.

Press o to insert a new line.

You have now inserted a new line (line 11).

You are now ready to insert some text there.

Enter the following text (remember to press ENTER after each line):
##
##A sample comment
##

Now you have entered your first comment using VIM.

You are now going to practise deleting lines of text by pressing dd

(press d twice).

So, delete the 3rd line of text you inserted (line 13) by first
pressing ESC to switch to command mode, and then press dd.

Here press dd again to delete the next line (line 12) of text you
inserted.

Copy Pasting

Move to line 15 by;

escape
15G
enter

You have successfully moved to line 15 of this file, you can continue
to copy (referred to as yanking) and paste lines of text.

To copy text, you need to use the yy command. You can copy
multiple lines of text by typing a number before yy.

You are going to copy 3 lines (lines 15,16, and 17). As you are
already in command mode, press 3yy.
You now have the 3 lines "yanked", or copied to your clipboard. You
should see a notification at the bottom of the screen saying "3 lines
yanked'".

You are now going to paste the 3 lines at the bottom of this file, so
first go to the bottom of the file by pressing G.

So, go ahead and press G to go to the bottom of the file (remember

this is an uppercase letter, so ensure you have Caps Lock turned
on).

You are now at the bottom of the file. To paste the 3 lines you
"yanked" earlier, you need to press p.

Go ahead and press p (this is a lowercase character, so turn off Caps

Lock).

You have now successfully copied, and pasted 3 lines to the bottom
of this file.

Now you are going to undo the 3 lines you have just pasted.

To undo anything in VIM all you have to do is press u.

Press u to undo the paste you have just done.

Search Text and Replace

First, go to line 1 of this document (remember to press ESC to verify

you are in command mode).

Now you are at line 1, you are going to search for the string "mail"
and replace it with "smtp".

To do this, press ESC to ensure you are in command mode, type in

the following:
:%s/mail/smtp/gc and then pressENTER.
The cursor has now moved to the first instance of the string "mail"
and highlighted it.

Notice the green text at the bottom which provides you with options
represented by letters. The most common that you will use is y (yes)
and n (no).

Now, press y to proceed with replacing the first instance of "mail"

with "smtp"

Notice the first instance of "mail" has now been replaced with
"smtp", and the second instance of "mail" is now highlighted.

Press y again to replace the second instance.

As before, the second instance of "mail" has been replaced with
"smtp", and the third instance of "mail" is highlighted.

You are now going to quit out of search and replace by holding CTRL
and then pressing C.

So, hold CTRL and press C.

Search Only

To search for a word, you must first type /followed by a string.

The word you are going to search for is "kernel".

So press ESC to ensure you are in command mode, type /kernel and
then press ENTER.

Know the current user /Working User

$whoami
afnog

NOMAIN NAME SYSTEM DNS

The Domain Name System (DNS)[1] is a hierarchical distributed
naming system for computers, services, or any resource connected
to the Internet or a private network.

The DNS translates easily memorized domain names to the

numerical IP addresses needed for the purpose of locating computer
services and devices worldwide.

Computers use IP addresses to identify each other. This system

works well, so why do we need to identify hosts by name? There are
two main reasons:

Firstly, giving a host a name makes it much easier for people to

remember. Remembering to type www.example.com is much easier
than remembering 192.0.2.1.

Secondly, computers may be moved between networks and their IP

address would change. Having to tell everyone that a website has
moved to a new IP address would be a major task.

The Domain Name System provides a worldwide, distributed and

resilient querying service that is a key infrastructure of the Internet.

In the ARPANET (Advanced Research Projects Agency Network)

which was the predecessor of today’s Internet, there was no
distributed host name database. Translation of domain names to IP
Addresses was accomplished via a centrally maintained file,
distributed to all hosts on the Internet, but this solution had many
disadvantages.

Advantages:

It was quick to implement; and

It required no interaction with a third
party.

Disadvantages:

It did not scale well;

 It was a huge file;
There was no guarantee of unique
names;
Different hosts could be holding
different versions
of the file; and
One person (or organisation) had to be
in charge
of updating it.

From the need for a better solution, the Domain Name System, or
DNS, was born. The DNS brought many advantages, which will be
explained in more depth later.

A domain name consists of one or more parts that are separated by

dots, such as afnog.org.
A domain name that has at least one IP Address associated with it is
called a hostname. There aren't many restrictions governing the
structure of what would constitute a valid hostname and there are
many ways to express a hostname eg afnog.org or w-s.afnog.org

The two main restrictions are:

The two main restrictions are:

Maximum of 255 characters in total

(Defined in RFC 1034 and RFC 1035);
and
Maximum of 63 characters in each part
(Defined inRFC 1034 and RFC 1035).

Initially, domain names could not start with a digit (eg

1example.com) or a hyphen and could not end in a hyphen as
mandated in RFC 952 but this was later superseded by RFC 1123
which allowed them.

DNS Architecture

All names used in the DNS are globally unique, and are administered
in zones[2]. A zone is a part of a domain for which administrative
responsibility has been delegated to a single manager. These zones
can be seen as each part of a domain, such as:

 root (.) which is the top-level DNS

zone in the hierarchical
namespace of the Domain Name
System;
 org (which is a Top Level Domain
or TLD);
 afnog.org (afnog is a sub-domain
of .org) is a zone because its
administrative control has been
delegated to another server; and
 ws.afnog.org (ws. is a sub-domain
of afnog.org) could be a zone by
itself if control of it was to be
delegated to another
administrative authority).

A server can give away, or delegate, control of one or more of these

zones to another server, placing it in the tree underneath the
original. For example:

 org - first server

 afnog.org - second server
 ws.afnog.org - third server

This hierarchical structure is very similar to that found in

filesystems, as shown in the diagram below.
Roles in DNS
1. Resolver
2. Caching
3. Authoritative

Resolver
All hosts need a resolver. It’s a piece of software which formats (or ‘resolves’) a
DNS request from an application into a UDP packet, sends it to the caching
name server, and then decodes the answer.

The resolver needs to be configured with the IP Address of a caching name

server in order to function. This must be explicitly configured, though in most
cases DHCP supplies the host with the location of a caching name server. It is a
good idea to provide the resolver with more than one caching name server, to
protect against failures.

To tell FreeBSD which Caching Name Server(s) to use the resolver needs to be
configured. This is done by adding entries to the file located at /etc/resolv.conf
as in the example below:

nameserver 196.200.219.200
nameserver 196.200.223.1
nameserver 196.200.219.200

The file /etc/resolv.conf is common to all Unix and Linux Operating systems.

Caching

The caching name server checks its database for the data it has stored so far for
the answer to the request from the resolver and returns it, if it's in the cache.
If the answer is NOT in the cache, it will search for an authoritative name server
which has the information, caches/stores the answer, and replies to the resolver.

In choosing a caching name server, you should ensure that:

 You have permission to use it;

 The cache is nearby as this will
minimize the time to return the
answer; and
 The cache should be reliable.

Authoritative Name Server

An Authoritative Name Server is configured by the domain owner (or zone

administrator) to answer queries from the caching name servers.

They find the answer from their own data without needing to reference another
source.

USING DNS

When a web-browser makes a query through the Domain Name System with a
domain name (such as www.ws.afnog.org), the caching name server will reply in
one of 4 ways:

Positive;

Negative;

Server fail; and

Refused.

If the reply is positive, it means that the caching name server has found one or
more 'resource records' (RR) that are associated with the domain name.

There are many different types of RRs, depending on the type of information.

You can query for a specific type, by adding it to the request as you will find out
later, or just by asking to receive any and all RRs associated with the domain
name
Some commonly seen RRs are:

a (address): map hostname to IPv4 address;

aaaa (quad a): map a hostname to IPv6

address;
ptr (pointer): map IP address to hostname;

mx (mail exchanger): where to deliver mail

for user@domain;
cname (canonical name): map alternative
hostname to real hostname;
txt (text): any descriptive text; and

ns (name server), soa (start of authority):

used for delegation and management of the
DNS itself.

TESTING DNS

The easiest way to check if DNS is working is to type a domain name, such as
www.google.com, into a web browser and see if it loads.

This is not a reliable test though, as the web browser could be caching the
result.

There is a tool specifically built for testing DNS called dig.

Dig is a tool that makes DNS queries and displays the results. It is better suited
to this task than other common networking tools, such as nslookup and host,
as it shows the raw data in full.

Calling dig with just the domain name will default to query type address record
or ‘A’ record:

$ dig afnog.org.

You can add the RR type you wish to the end of the query though:

$ dig afnog.org. mx

If you are testing a new cache, you may also command dig to use this and
ignore the cache setup in the resolver:

$ dig @192.168.0.100 afnog.org. mx

The above example assumes you want to use 192.168.0.100 as your caching
DNS Server.

Hint:
Note that the domain name has a trailing dot every time;
$ dig afnog.org. mx
This is to ensure that no default domain is being added.
It is good practice to get into the habit of doing this when testing
DNS.

There may come a time when you need to find the domain name or
hostname[3] for a particular IP. For example how would we know the hostname of
the machine with the IP Address 196.216.2.34?

Fortunately, this is easy to do, simply follow these steps:

dig 23.5.248.197 .in-addr.arpa. ptr
dig -x 197.248.5.23
QUERRYING DNS

First check if your resolver is configured to use a caching DNS Server:

$ less /etc/resolv.conf

Now try using dig to query for the 'a' record of www.afnog.org
$ dig www.afnog.org. a

The Resource Record type "mx" identifies the host machine to which emails for a
domain will be sent.

How a Caching Name Server Works

A caching name server works like any other cache.[a]When it receives a query
from the resolver, it checks the data it has stored so far for the result.

If the same query has been dealt with already, then the result will be in the
cache and can be easily sent back

If the query is new, or the Time To Live (TTL) for the requested Resource Record
has expired, then the result will not be in the cache.

This means the caching name server has to consult other servers to find the
result.

DNS is a distributed database, so parts of the DNS tree structure, (or zones) are
held on different servers. If a server holds a zone, then it is called authoritative
for that particular zone

The caching name server needs to locate the correct authoritative name server
and get the result from there.
It may have to ask other name servers first to locate the one it needs.

The caching name server needs to know which authoritative name server to ask.
The best way of finding this out is to follow the hierarchical tree structure,
starting at the top.

If a name server receives a query for a delegated domain, for example, a .org
server receiving a query for afnog.org, it will return an NS record for the
afnog.org Name Servers.

This is called a referral and provides the location of another name

server lower down the tree.

How a Caching Name Server Works

DNS Tree Structure

To find a specific Resource Record, the caching name server begins at the root
zone (denoted by a dot) and then starts to query beginning from right to left of
the domain. It starts with the TLD (Top Level Domain) of the requested domain.
For the address Resource Record (A Record) of the zone tiscali.co.uk, it will begin
at .uk.
When an authoritative name server receives a query for a sub-domain that has
been delegated to another server, (for example, a .uk authoritative name server
receiving a query for tiscali.co.uk) it will return a Name server record, or NS
record for the .co.uk authoritative name server.

The answer from the .uk name server is called a referral, which refers a caching
name server to an authoritative name server that will have more information for
the queried domain. Depending on the number of sub-domains separated by
dots (.) and whether each part of the subsequent sub-domain has been
delegated, referrals could occur for each sub-domain eg .co.uk authoritative
name server will then give a referral to tiscali.co.uk name servers. This process
of receiving referrals is called recursion and is performed by your caching
name server until it receives the correct answer or reaches a non responsive
name server. This is why caching name servers are also called recursive name
servers or Resolvers.
Recursion – querying for the answer from other servers until it finds the answer
or reaches a non responsive server.

1. Firstly the resolver sends a query for a Resource Record to the caching
name server. If the caching name server does not have the answer in its
cache it will begin recursion – querying for the answer from other servers
until it finds the answer or reaches a non responsive server.

2. The caching name server begins by querying the root authoritative name
server. The root authoritative name server returns a referral answer,
referring the caching name server to another server of which
administrative control of the requested domain has been delegated to.

3. Using the information from the referral which will consist of an NS (Name
server) record, the caching name server requests the next authoritative
name server in the tree for the specific Resource Record. If this server is
authoritative only for part of the domain, it will not have the answer for
the requested Resource Record and will also refer the caching name
server to another authoritative name server

4. The caching name server will then use this second referral to query the
authoritative name server it has been directed to. This could be the server
that is authoritative for the entire zone which will then provide the answer
for the Resource Record to the caching name server which then passes
the response to the resolver. This process will go on, and on, until the
caching name server finds the desired Resource Record or reaches a
misconfigured or inactive server.
DNS SERVER SOFTWARE

To build your own caching name server, you can use DNS software such as BIND. BIND
can be installed by typingsudo pkg install bind910 on FreeBSD 10 onwards. This would
install the configuration file in/usr/local/etc/namedb but you can make a link
to/etc/namedb for faster access. For the remainder of this module, we will work with folder
of /etc/namedb for BIND's files.

The caching name server needs to know where the authoritative name servers can be
located in order to begin the process of recursion. This is sometimes called seeding of the
caching name server to allow it to find the root! This information is stored in a seed file or
hints file.

BIND software (and indeed all other caching DNS softwares available), have a seed file
configured by default once installed. For BIND installations on FreeBSD, the seed or hints
file is located at /etc/namedb/named.root and contains information of how to locate the 13
root servers of the Internet.

BIND’s default configuration /etc/namedb/named.conf file has a default configuration that

includes the location of this file as on the right.

Creating a Robust and Reliable System

Distributed systems have many points of failure, so steps have to be taken to mitigate this.

Each domain, for example 'org', has two or more authoritative name servers to provide
redundancy in the event one or more of the name servers happens to fail or becomes
unreachable. All the authoritative name servers of a domain are equal and can be tried in
any order until one gives an answer. This also has the effect of sharing the load, which is
particularly important for the root servers!

Another technique used to ease the load on the system is caching. You already know that
caching name servers store the results they receive from authoritative name servers, but all
other information is also cached.

This means NS(name server)[b] records from referrals are cached too. Caching reduces the
load on authoritative name servers.

This is especially important at the higher levels of the DNS hierarchy: root servers, Generic
Top Level Domain Servers (GTLD servers for.com and .net) and Country Code Top Level
Domains (ccTLDs).

All intermediate information is cached as well as the final answer - so NS records from
referrals are cached too.
Keeping the Cache Up-to-date

Caches only work for as long as the information they hold is correct. If they hold outdated
information they may give out the wrong answer.

Caching name servers need to know how long to keep data on resource records (RRs). If
the result is stored for too long the data provided could be out of date. If the result is stored
for a very short period, this would increase the load the authoritative servers higher in the
hierarchy.

The owner of an authoritative server controls how long their data is held in cache. Each RR
has a “time to live”, or TTL, which dictates how long it can be held in cache, by giving the
number of seconds of validity.

A SOA (Start of Authority) record,[c] dictates how long a negative answer can be cached

TIP:
It is good practice to set a fairly long TTL of 1 or 2 days ordinarily,
and then reduce this to minutes a couple of days before making a
change to the data.

The TTL should then be increased back to its original after making
the change.

The purpose of reducing the TTL before making a change to the

resource records is so that the updates you make to the records can
reflect faster on the Internet than they normally would. So instead of
waiting for 2 days for the new resource records to be useable, the
new records can be useable within hours

Potential DNS Issues

DNS Issue 1

If a zone only has one Authoritative DNS server.

It would be a problem if that server is unreachable for any reason (power failure, network
outage) as that entire zone would not be available on the Internet. This is very bad because
it would mean all websites and email servers for a zone would not be identifiable, hence
unreachable.

Solution
All zones should be setup with more than one authoritative server. In this case you would
just move to the next authoritative server if the first one timed out
DNS Issue 2

If all authoritative servers are unreachable, this is a

very substantial problem causing the query to fail. It is a
high priority to avoid this.

Solution
Authoritative servers should be on different subnets, to mitigate the effects of a switch or
router failure. They should also have different power sources to improve redundancy in case
of a power cut, and use different Internet connections in case the connection fails.
Authoritative servers should also be in different geographic locations. One server can be in
one part of the country, and the other in another country altogether.

DNS Issue 3

If a referral goes to a non-authoritative name server, this is, again, a bad problem
causing the query to fail, and unfortunately there aren’t as many options to avoid this.

Solution
This is usually caused by Name Server (NS) records for a zone pointing to an Authoritative
Name server which has not been setup as an Authoritative Name server, or a syntax error in
the zone file.

Both cases are due to human error, so careful checking is important

DNS Issue 4

If there are inconsistencies between authoritative servers, then you will receive a
different result depending on which server is queried. This would mean that information on
one authoritative name server differs from another for the same zone and depending on
which one you query, you will receive either correct, or incorrect information.

Solution
This problem can be hard to track down because of caching, and the nature of having
several servers to check. It is important to ensure all authoritative name servers are
updated to have the same information.

DNS Issue 5

If there are inconsistencies in delegation, unpredictable behavior can occur, as you will
be unaware of which results the cache will use, or even if it will use a union of the two sets.
Inconsistencies could occur if two Authoritative Name Servers have differing information
regarding the next server in the zone's delegated hierarchy.

Solution
NS records for the delegation need to match the NS records in the zone file. If they do not
match, then this is down to human error, and can be avoided by checking the configurations
carefully.

DNS Issue 6

If there is an inappropriate choice of parameters, in most cases, this will be down to the
TTL being set either too short, or too long.

If the TTL is too short for your resource records, (eg 60 seconds), it means that caching
name servers will query your Authoritative name servers frequently, increasing load and
use.

If the TTL is too long, (eg 3 months), caching name servers will store resource records for 3
months. This may be disadvantageous to you if you need to make a change to a certain
resource record (or records) since caching name servers may not return for new information
until 3 months expire.

Solution
It is advisable to get into the habit of setting the TTL to 1, or 2 days.

Running a caching name server is relatively easy,

running an authoritative name server requires greater care and attention to detail.

Debugging DNS

As well as just testing DNS, dig can be used to debug and can give you the information
needed to fix problems.

To debug effectively, caching must be bypassed since all authoritative name servers for a
zone must be tried.

Recursion must also be bypassed to test every referral.

To do this you would type:

$ dig +norec @192.168.100.6 www.afnog.org. a

This tells dig:

 not to recursively search (dig +norec);

 to go straight to the name server at
192.168.100.6 (@ 192.169.100.6); and
 to look for the domain www.afnog.org with
record type 'a'. (www.afnog.org. a).
When running this command, you should first look at the
status that is output.

A successful query will return with a status of

NXDOMAIN, or NOERROR;

 NXDOMAIN, means that the query was

answered successfully, but there was no RRs for
that name; and
 NOERROR, means that the name queried for
does exist and it should be accompanied by one
or more Resource Record answers. However, if
you requested for a Resource Record type that
does not exist, you will receive zero answers.
For example, if
www.example.com is an A record but you
request for a
CNAME record that does not exist (eg $dig
www.example.comcname), you will receive a
NOERROR status indicating that there is indeed
such a name but zero answers meaning there
are no
Resource Records for the requested Resource
Record type.

Other statuses may indicate an error, as well as

receiving a "connection refused" message, or a timeout.

Debugging DNS
To the left is the output from a digquery asking what informationa.root-servers.net has
forwww.afnog.org.

It shows that the only information it has about www.afnog.org is related to .org, and refers
us to thesix Authoritative name servers that are in charge of .org.

The next step is to query one of these six name servers.

Now, the dig output to the left shows that according toa0.org.afilias-nst.info (which is one
of the servers in charge of .org), further information forwww.afnog.org is handled by other
name servers.
The AUTHORITY section details the four name servers which will have more information
aboutwww.afnog.org.

Again, the next step is to query one of these four servers for more information.

Finally, we have found the server

that is the Authoritative server forafnog.org and it has supplied us with an actual A record
forwww.afnog.org.

We have queried each part of the DNS Hierarchy for afnog.org and have confirmed that
information at each branch is correct.

What we have done is gone through this tree:

 root;
 delegation 1 - .org;
 delegation 2 -
afnog.org;
 Actual records -
www.afnog.org

In summary, to debug the full process of resolving a domain you need to follow four steps:
1. Use dig with the +norec option to query any root server for your chosen domain:
$ dig +norec @a.root­servers.net. www.afnog.org. a 
 2. Note all the NS records returned.

3. Use dig to query each NS record, in a similar way to how you did Step 1.

4. Repeat from Step 2 until all possible routes to the final answer have been checked.

Setting up a Caching Name server

We will work on the bash shell, and use sudo.

The first thing you need to do is navigate to the BIND directory:

$ cd /etc/namedb

Now, list the contents of the directory, and look for the main configuration file called
named.conf.
sudo cp named.conf named.conf.backup
$ sudo cp named.conf named.conf.backup

Next, you need to find out your IP address, so type:

$ ifconfig

192.168.3.25 for my lab

Now you know what your IP address is, you need to insert it into the named.conf file. So,
open it for editing in VIM
$ sudo vi /etc/namedb/named.conf

You should now be at line 1 in the named.conf file. You need to scroll down and find the line
"listen-on {127.0.0.1;};" using the j key.

When you have got to this line, you need to add your IP address to this option, like this
"listen-on {127.0.0.1; 192.168.3.25;};" (note that spaces, and semi-colons are important, so
check carefully). Also, please verify what your localhost IP address is if your are using the
online lab with $sudo ifconfig lo1

Once you have done that, you can save your changes and quit the file using the ":wq"
command.

Now you can use the "sudo named-checkconf" command that checks the
/etc/namedb/named.conf file for any errors that would prevent BIND from running.
If there are no errors, you will silently return to the bash prompt, but if there are any errors, it
will report the error, and on which line the error is on. If there are no errors in the
/etc/namedb/named.conf file, then you can move on to the next step in setting up your
caching name server.

Now that you have set up the new named.conf file, you now need to enable your BIND
program.This can be done by first allowing it to automatically start at boot (by editing
/etc/rc.conf) then starting it from the command line.

The /etc/rc.conf file is owned by the root, so as before, you will have to use the echo
command with the sh -c option to append a line at the end of the file (note that the ">>" is
very important):

$ sudo sh -c "echo named_enable=YES >> /etc/rc.conf"

Now that you have added that line to the /etc/rc.conf file using the echo command, you now
need to start your caching name server.
$ sudo service named start

If you see an output like that in the example above, then you have successfully started your
caching name server and BIND is running. You can ensure that BIND has actually started
by running the $ ps -ax | grep named. command which will display processes with the word
'named' in the output. You will get something like so showing that BIND is running:
$ ps -ax | grep named

If BIND is successfully running, you should see something similar to the example above in
your display. You can also check whether the service is available by telneting port 53.

Now that you have checked BIND is successfully running by checking the log file, you are
going to check BIND is running by using netstat to connect to a port.
$ netstat –an | grep udp

Exit back to your shell by pressing Ctrl+c+l

Now you know BIND is running, you have finished setting up your new caching server, and
can now go on to testing it out.

Testing the Caching Name Server

Now you need to test your new caching name server. Using dig, run a query through your IP
$ dig @192.168.3.25 www.afnog.com. a

Notice the query time field that indicates how long it took to receive a result (905 msec).

Run the command again, and check the time taken for a result to be received. You should
find that the query time should be less than when you first ran the command.

Now edit your resolver to use the new name server.

Open /etc/resolv.conf in VIM, by using this command "sudo vi /etc/resolv.conf". Replace all
the contents with "nameserver" and your IP, for example "nameserver 192.168.100.6":

nameserver 192.168.100.6

Now you have updated the /etc/resolv.conf file, you can

save your changes and exit VIM (:wq).

Next, you need to check your resolver is pointing to your new caching name server.

Do this by running dig again, but this time you don't need to include "@192.168.100.6":

$ dig www.afnog.com. a

Testing the Caching Name Server

This exercise is to show you how to use dig and to test your new DNS Caching Resolver.
Perform these tests against BIND first then on Unbound later after installing Unbound.

You will perform the tests on your FreeBSD Bash shell.

1. Check that you have a resolver on your VirtualMachine:

$ less /etc/resolv.conf

Ensure that it has something like:

nameserver 192.168.0.1

*The IP address may differ and should match the IP Address of your FreeBSD VM that you have just
installed

2. Issue the following DNS queries using 'dig'

Run each command below, look for the "ANSWER SECTION".

ENSURE THAT THE ANSWER SECTION INDICATES THE DNS SERVER USED IS YOUR
OWN! DO EACH QUERY TWICE AND NOTE THE CHANGE IN RESPONSE TIME!

# dig www.tiscali.co.uk. a
# dig afnog.org. mx
# dig www.afrinic.net. aaaa
# dig psg.com. aaaa
# dig <domain of your choice> a
# dig <domain of your choice> mx
# dig tiscali.co.uk. txt
# dig ripe.net. txt
# dig afnog.org. txt
# dig facebook.com. a

2b. Now send some queries to another caching server. We will use Google's open DNS
caching server with IP Address 8.8.8.8

# dig @8.8.8.8 isoc.org. a

# dig @8.8.8.8 nsrc.org. a
# dig @8.8.8.8 afnog.org. a

You should notice that it is faster to use YOUR own DNS Server than Google in terms of
Query Time.

3. Reverse DNS lookups

Now try some reverse DNS lookups. Remember to reverse the four parts of
the IP address, add '*.in-addr.arpa.*', and ask for a *PTR* resource record.

(For 216.235.14.38)
# dig 38.14.235.216.in-addr.arpa. ptr

Repeat for an IP address of your choice.

Now try the short form of dig using the '-x' flag for reverse lookups:

# dig -x 216.235.14.38

# dig -x 2001:4900:1:392::38

# dig @<server-of-your-choice> -x <ip-address-of-your-choice>

Using the Name Server on Your Host Machine

Now that you have setup your caching name server correctly, you can use it as the DNS
server for your personal PC that FreeBSD is hosted on.
First you need to add some restrictions to BIND so that only your local network can use it.
This is good practice even for ISPs so that a caching name server you configure is not open
to anyone on the Internet as this could result in your cache being misused or getting
poisoned. We will use an Access List (acl) to add restrictions regarding who can use our
BIND DNS Caching server.

Locate the ”statistics-file” line in the /etc/namedb/named.conf file and add ”allow-query
{home_network; };” below it:

statistics-file ”/var/stats/named.stats”;
allow-query {home_network; };

Now you have added the line above, save the file, but
don’t exit.

Move to the bottom of the file and

add the following on a new line: "acl home_network
{192.168.0.0/24;};".
statistics-file ”/var/stats/named.stats”;
allow-query {home_network; };
acl home_network {192.168.0.0/24;};

Your file should now look like that above. You have now configured BIND to make it secure.

Next you need to save the file, and then restart BIND

$ sudo service named restart

Your display should state the service "named" was stopped and then started again, which
means you successfully restarted the service. On a production server, it would be better to
use reload rather than restart as that would reduce the impact on other users using your
DNS server.

You can follow a similar procedure to setup a DNS Server on your own network. If you used
VirtualBox for the lab, you can also configure your Windows machine to use your new
Caching DNS Server. Slides 30 and 31 show you how you can do that on Windows.

Configuring Unbound

In this next section, you are going to install, and configure Unbound, which is another DNS
software program - an alternative to using BIND.

The first thing you need to do is install Unbound. You should use the sudo command again
$ sudo portinstall --batch unbound
$ cd /usr/local/etc/unbound
Once Unbound is installed on your FreeBSD VM, you need to go into the Unbound home
directory - /usr/local/etc/unbound. When you are in the directory, list the contents and find
the default configuration file that is called unbound.conf (if it does not exist, then create it
and edit as per the final instructions in this slide).

As you did previously when configuring BIND, make a copy of this file in case something
goes wrong.

$ sudo cp unbound.conf unbound.conf.bak

You should see an output similar to the example above to indicate you have copied the file
successfully. Using VIM, add the following to a new file called unbound.conf using this
command - sudo vi unbound.conf. You will need to set the access-control option to point at
your IP of your LAN:

server:

interface: 0.0.0.0 # This means listen on all

interfaces

access-control: 192.168.0.0/24 allow #

replace with your LAN

verbosity: 1 #
When you have done that, save your changes and exit the file. Next you will replace the
configuration settings you added in the /etc/rc.conf file earlier.
Now you need to edit the /etc/rc.conf file to allow the unbound service to start.

This file is owned by a different user (root) so we must elevate the privileges of the shell
(bash) which will redirect (">>") input into the file (/etc/rc.conf):

$ sudo bash -c "echo unbound_enable=YES >> /etc/rc.conf"

Now that you have enabled Unbound, you now need to stop BIND, and then start Unbound.

This is required as you cannot have more than one caching name server running at the
same time. This is because they both listen for requests on the same port - UDP Port 53.

If you intend to use Unbound, it is recommended you remove the entry for BIND in your
/etc/rc.conf file, and vice versa. Now go ahead and stop BIND, and start Unbound.

$ sudo service named stop && sudo service unbound start

The first part of the command stops BIND, and the second part starts Unbound. To ensure
your caching name server is running correctly, run the same tests you ran earlier for the
BIND server (page 27). Once you have done that, you can check out the transactions with
tcpdump

$ sudo tcpdump -i em0 -n udp port 53

Now you know the Unbound program is running correctly.

It is highly recommended that you read more on BIND and Unbound, and find out how you
can collect statistics, and graph utilization. If you are using SSH you can copy and paste
text instead to typing out each line.