Академический Документы
Профессиональный Документы
Культура Документы
In this module you are going to learn how to install software on FreeBSD.
Debian, GNU/Linux, and Ubuntu use the Debian software package format which
is ‘.deb’.
SuSE, RedHat, and Fedora use the RPM Package Manager which is ‘.rpm’.
Correct.
The preferred compression format for pkgng for package archives is .txz
but pkgng can also install .tbz, .tgz and .tar archives.
1. From Source
Open source software is shipped in source form. For the software to be usable on
a system there are several steps to be taken as follows:
It must be unpacked;
Using the ports system means that steps 1-4 will be done for you.
The ports collections contains instructions for over 24,000 software programs as
of July 2015 and is still growing. You can find the Ports Collection in “/usr/ports/”.
Once the port is built, a package can be made. Packages are applications that
have already been compiled, and are equivalents of .deb files and .rpm files that
exist in Linux. A package is a pre-built port and is distributed as a .tgz file.
Packages can be those built by the FreeBSD project or your own. We will use
the pkgng software where packages are installed by typing pkg install
packagename (where the packagename is the package you are installing).
Regardless of what method you use to install 3rd party software, you must be
root or have root privileges (via sudo).
For Ubuntu, you can use apt-get install packagename or download a .deb
and install a pre-compiled package. The ports system is Unique to FreeBSD but
works on other BSD variants and there is also a type of ports system available
on Mac OSX called mac-ports.
When installing from ports, the speed of the installation depends on how fast
your internet connection is and the CPU power available to do the compiling. As
such, if you have a fast machine (high clockrate CPU, multiple cores) and a fast
connection to the Internet, installs will be very fast
For the purposes of this course we will install three softwares without using the
Ports system. These are:
Perl and Python softwares need to be in place for sudo, and portupgrade to
work. Installing them from ports on a virtual installation of FreeBSD will take too
much time due to limited resources and the same applies for VIM
PACKAGE INSTALL
# pkg install perl5 python vim
We must also configure the FreeBSD Ports system to avoid installing softwares or
dependencies with features that work on the Graphical Environment since we
are not using one for this course.
The file /etc/make.conf is a file read by the FreeBSD Ports system before it
installs any port. The first line disables installing of any port with features that
would be needed with a Graphical User Interface which we will not be using
in this course. The second line ensures that the FreeBSD Ports Collection
registers new software with pkg (ie pkgng), and not the traditional packages
format. FreeBSD versions earlier than 10.X require this line in /etc/make.conf
Now, we will update the FreeBSD Ports tree using “portsnap”. Type the following
on the command line:
# portsnap fetch extract
Portsnap connects to a FreeBSD site, verifies the secure key, and downloads a
new copy of the Ports Collection.
The key is used to verify the integrity of all downloaded files. It is useful to
occasionally update your Ports tree.
You only need to do “portsnap fetch extract” the first time you use portsnap.
To update it, you only need to type “portsnap fetch update”
After portsnap has completed the download and extraction of the new ports
tree, you can proceed to the next page
The 2 commands above each have two parts, executed one after another. First
the command would change the directory to /usr/ports/. After a fresh install of
FreeBSD you must do make fetchindex at least once and then proceed to
search for port names/ keywords.
Once you know where the port resides, or its category, you can go to that
directory, and install it with this series of commands.
# cd /usr/ports/shells/zsh
# make
# make install
# make clean
The reason for running the rehash command is that if you change directory after
building the package and try using the command the C shell will return with
'Command not found'. This happens because the C shell stores a hash table
listing of all the programs in the search path.
The C shell will not be able to find the new program until you have used the
rehash command. This applies for csh only and not bash.
For all the above reasons it is strongly recommended to use a set of tools called
portupgrade. Portupgrade is a tool set for working with ports and packages.
In some cases when you upgrade a single port and force the install, other ports
that depend on the port that has just been updated will require to be updated
too. This is when portupgrade becomes a great tool, and is strongly
recommended that you use it.
Portupgrade greatly simplifies software installation and upgrades. It is itself a
port so requires installation as with any port.
It is important that you have a working internet connection for the next steps.
The following commands are the way to install Portupgrade:
# cd /usr/ports/ports-mgmt/portupgrade
# make -DBATCH install clean
# rehash
For the purposes of this course, we will install all the softwares with the make –
DBATCH install clean option which forces the ports system to install all
dependencies with default options and not to raise any option dialog
boxes.
However, if you are installing on a real server that will be in production, its best
to pick and choose which options you are enabling.
Portupgrade is a meta package manager, and sits on a layer above the ports
and package system.
Once installed, you will have to rehash, or start a new session as root to use it
without typing full pathnames.
When in the csh shell, every installation should be followed with the command
rehash so that they can be accessed from the shell without having to type in the
full path to the command.
Unlike csh, when in the bash shell (which will be installed later in this module), a
rehash is not needed after installations.
Portupgrade is a suite of tools one of which is portinstall. Others
are pkg_deinstall, portsclean among several others.
The &&[a] rehash at the end is to ensure that the csh updates to reflect the
shortcuts of the new installs ie sudoand bash instead of having to
type /usr/local/bin/sudo on the shell, we just type sudo.
Portupgrade can be told to try and install a pre-built package, using the -P
option, (one or more times).
When installing software with FreeBSD (and you do not wish to manually
download and install from source), which of these two actions would you do first.
INSTALL A PORT
% unprivileged User
To become the root user, type the command “su” which means “switch user”.
# Privileged User
check if your ports collection is installed.
# ls -l /usr/ports
Finding a Port
You now need to search for a port, first of all you need to change the directory to
the user ports directory. To do this you need to type cd /usr/ports.
# cd /usr/ports
The index is created by via make index, which descends into each port sub
directory and executes make describe there.
# make fetchindex
Now that you have found the information for textmaze you will need to change
to its ports directory so that you can install it. Type as follows:
# cd /usr/ports/games/textmaze
# cd /usr/ports/games/textmaze
# make
Now you have built the port you now need to install it.
# make install && rehash
After running the command above textmaze should now be fully installed and
ready to play.
If you wish to check that the textmaze game has been installed correctly you
can look at the contents of the directory. To do this type "ls -l /var/db/pkg" you
should see the new package that has been registered.
LISTING PACKAGES
To find installed packages on a system use the pkg infocommand:
# pkg info
After you have entered the command above you should have been shown a list
of all installed packages. You can find which file a package belongs to by
adding -W and the file path.
You should now be able to see that the file /usr/local/bin/textmaze was installed
as part of the port textmaze-1.2.
If you need help with pkg type “pkg help”to see a full list of options.
# pkg help
When you have run this command you will be taken to several different install
screens, where you can choose to install additional options for packages to be
installed.
You can install sudo and bash one at a time or both together. There may be
options screens that allow you to choose various customizations to the programs
being installed.
If the package being installed already exists, portinstall will mention this and not
install the package. However, if it is installed but of an older version, portinstall
will update it.
Now run the following command to install sudo and bash.
# portinstall --batch sudo bash && rehash
COMMANDS
Ls List Files
Ls -l List files with more details
cd – change directory (working)
pwd – print working directory
cd /home/afnog – navigate to specified path
ls /home/afnog – list files in specified path
mkdir – creates/makes a directory on the working directory
mkdir /home/afnog/job_files – creates a ‘job_files’ directory in the
path /home/afnog
touch - creates a new file with the name specified if it does not exist. If a file
with that name already exists then the command does nothing.
$ touch /home/afnog/newfile.txt
rm - rm command removes/deletes each specified file. It does not
delete directories tho’
cp [name] [copy-location/name]
The cp command copies the file or directory specified into a new file or
directory.
A new name must be provided if copying in the same directory, otherwise the
name can remain the same
$ cp /home/afnog/original.txt
$ cp /home/afnog/original.txt
/home/afnog/copy.txt
mv [name] [new-name]
The mv command does not simply move files; it renames the file or directory
specified.
This has the effect of moving the file when “renaming” the file or directory into
another location.
$ mv /home/afnog/newdir/original.txt
/home/afnog/new.txt
the easiest way to remove one directory and all of its contents including
subdirectories and their contents is
rm -r dirname
rm -r dirname/
you will remove the contents but not the directory itself.
The cat command concatenates the contents of the files specified and outputs
the result.
The command is most commonly used with just one parameter, in which case it
will read the contents of that one file and output it.
[afnog@maisiba@my ~]$ cat testfile3
chdsjhvh
\::
::exit
more [file]
The command will read the contents of the specified file and display it, but only
display one screen's worth of content at a time.
This is particularly useful for long documents, as the document can be read at
your own pace.
$ more /home/afnog/adocument.txt
less [file]
The less command is very similar to the more command, except that it offers
better support for moving backwards in the file.
$ less /home/afnog/adocument.txt
The grep command is a very powerful search tool, but we will not be taking
advantage of that in this instance. By searching the command history for the
name of the command, we can retrieve it quickly and easily:
$ history | grep [command name]
The man (short for manual) command will display information related to the
specified command.
$ man [command]
You can find out more about the man command by running it on itself:
$ man man
File Permissions
Each file and directory can allow or disallow read (shown as r), write (shown
as w), and execute (shown as x) access to three different categories:
-rw-r--r—
drw-rw-rw-
-r-xrw--wx
The first character indicates the type of file, it will be a dash if we are looking at
a regular file, or the character d if we are looking at a directory, other types
could include sfor a symbolic link, or p for a named pipe.
A file or directory's permissions can be viewed using the lscommand with the -
l option:
$ ls -l
Permissions may not always be set correctly, so there are commands built in to
change these permissions.
These commands, are all available to the root user. Thechgrp command (for
changing group ownership of a file) is available to the un-privileged user.
The above command adds write access to the group category on our file from
the previous example, while the following removes it for the user category
The user or group can be omitted, and they will not be changed.
Some examples of using the chown command are
The jobs command returned the list of the current jobs started by this shell.
$ jobs
Another command ps auxw enables you to see your job in the table of
processes
If you used ps auxw by itself, you'd see all processes on the system, and that's
a big list. So we filter it through grepto extract only lines which contain the
word sleep. Grep is acommand-line utility for searching plain-text data sets for
lines matching a regular expression.
$ ps auxw | grep sleep
inst 8531 0.0 0.0 ... 0:00 sleep 600
inst 6416 0.0 0.0 ... 0:00 grep sleep
The first column is the username the process is running as; the second column is
the pid. Other columns are resource utilisation information, and the end shows
the command itself.
ENVIRONMENT VARIABLES
The printenv command lists the names and values of the variables in the
environment, with one name/value pair per line.
If you do not specify a name to list, then printenv lists all variables in the
environment, so there may well be more than one will fit on the screen.
$ printenv
This shows that the user afnog has no installed crontabs at the moment. Any
user can create a crontab (cron table) file that will be read by cron using the
command crontab -e. This will create a new file or edit an existing one using
the editor specified in the $EDITOR environment variable
$ crontab -e
Let us now add a crontab entry to print the time and date every minute into a
file called “date_file” in our /home/afnog directory.
$ crontab -e
You can remove the crontab entry for the afnog user with the following
command:
$ crontab -r
Also note that when you exit your shell or logout, you lose the settings set via
the export command.
This is because
So, the only way to make the change to the EDITORenvironment variable
permanent is to arrange that every time your shell starts up, it sets the
environment how you want it.
By default FreeBSD uses csh for root's shell, and sh for other users' shells, and
these two different shells have different startup scripts and different syntax for
setting environment variables. We however changed the default shell to bash for
both the root, and the afnog users which simplifies things slightly.
For the afnog user you can change environment variables by editing the
file /home/afnog/.bash_profile in FreeBSD.
Notice the leading . (dot) before the file name. This indicates that the file is a
hidden file, it will not appear with a regular ls –l but will appear with an ls –al.
$ echo $EDITOR
Hint: For this to work, bash must be your default login shell.
Note: to do this for the current session without having to log out in bash, all you
have to do is:
export EDITOR=ee
COMMAND PROCESSING
It's useful to use the command echo for testing: this just prints back its
arguments to you.
$ echo hello world
hello world
So, where actually is the command echo? Well, you can ask the shell to look for
it for you
$ which echo
/bin/echo
It tries them one after the other, stopping as soon as a match is found.
$ echo $PATH
/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:
/usr/local/sbin:/usr/local/bin:
/usr/X11R6/bin:/home/yourname/bin
/usr/local/sbin:/usr/local/bin:
/usr/X11R6/bin:/home/yourname/bin
If you want to override the search, or you want to run a program which is in a
directory which is not in $PATH,
then you can give it an explicit location:
Where this becomes a problem is if you need to use a filename which contains a
space (which are usually best avoided, but you will come across them from time
to time)
$ touch my file
You should find that you have actually created *two* files, called "my" and "file".
You need to stop the shell from breaking 'my file' into separate arguments.
You can do this using quoting, and there are three main ways:
$ touch "my file"
$ touch ‘my file’
$ touch my\ file
The first two ways are enclosing the filename in either single or double quotes.
The last is to precede the space with a backslash, which makes it lose its special
meaning as an argument separator.
Quoting also gives you a way to make echo give you a string with lots of spaces
in it
$ /bin/echo "hello world"
hello world
If you use single quotes, make sure you use normal single-quotes: '
(These are shift-7 on many keyboards, or else near the Enter key).
If you've done all this, you now have three files in your current directory: "my",
"file", and "my file". You need to delete them all. You can do this with three
separate commands - or see if you can work out how to make a single line which
deletes all three
The shell performs additional processing on arguments; it's very useful, but it
can cause strange behaviour if you're not aware of it
$ cd /usr/bin
$ echo *what* is your name?
makewhatis what whatis is your name?
That's certainly strange!
You thought echo was supposed to just return the arguments you gave it?
Here the shell is doing pattern matching against files in the filesystem,
otherwise known as "filename globbing".
The character "*" matches any 0 or more characters in the filename. So,
"\*what\*" looks in the current directory for all files whose names contain the
string 'what' anywhere, and replaces it with those filenames
For example you can delete all files in the current directory with names ending
.txt just by typing
$ rm *.txt
/home/yourname
$ echo ~/wibble
/home/yourname/wibble
$ echo ~root/wibble
/root/wibble
$ echo ~www/wibble
/nonexistent/wibble
Hint:
In the standard shell “sh”, there is no checking that the filename produced
actually exists or not. tcsh and other shells do check
$? which gives the exit status of the last command (0=success, >0=failure)
$ echo $?
0
However you can do other fancy things, including using the output of one
command and inserting it in the command line as an argument to another.
For example, we can run wc to count the lines in a file, and use the result as an
argument to another command, such as echo for testing.
24 /etc/motd
This sort of parameter expansion can be disabled by quoting, except that double
quotes don't disable it; single quotes and backslash do. So:
$ echo "Home is $HOME"
Home is /home/yourname
Home is $HOME
Home is $HOME
And argument expansions can even perform basic arithmetic, although it's very
rarely used:
$ echo $((3+4))
7
I/O REDIRECTION
Now the test.txt file should contain two lines, "hello" and "world". To check this,
you can connect the standard input of a process to read from a file (in this case
we will use the less command and pass in test.txt):
COMMAND GROUPING
1) You can run commands one after the other
$ echo hello; echo world
hello
world
hello
world
Hello
Hint:
Again, if you need to use these special symbols as part of an argument (say
they are in a filename), you can quote them.
$ echo "hello; echo world"
hello; echo world
$ ls /etc -ltr
...
The l, t and r flags alter the behavior of ls
$ man ls
$ ls --help
So how would you actually create or delete a file whose name begins with a
dash? The command will try to interpret it as a flag, not a filename.
$ touch -foo
Quoting doesn't help us here, because it's not the shell which is expanding
anything.
But most commands have a convention that if you include '--' as an option, then
everything afterwards is notconsidered an option, even if it starts with a dash.
So:
$ touch -- -foo
$ ls
$ rm -- -foo
Extra Exercise 1
You know that printenv lists all the environment variables which are set, one
per line.
How could you quickly determine how many environment variables are set?
Solution
For this exercise the simplest option is to use command grouping to pass the
output of printenv to the wccommand using the pipe character.
$ printenv | wc -l
Since the output of printenv is a list of environment variables with one per line,
and the -l flag tells wc to return the number of lines from its input, this
combination will return the number of environment variables.
Extra Exercise 2
If you try to run a non-existent command, what exit status do you get?
Solution
For this second exercise we can echo one of the special variables build into the
shell $? which gives the exit status of the last command you executed.
$ touch -foo; echo $?
This same variable is used to check the exit status of running a non-existent
command, remember that $?returns 0 if the command exited successfully,
and greater than 0 if it failed for any reason
Extra Exercise 3
Capture the actual error message which touch -foo gives into a file. Make sure
that the file does actually contain the error message.
(Hint: error messages are sent on the standard error stream, not standard
output)
This is useful in the event that you wanted to mail the error message to
someone, for example.
Solution
$ more myerror.txt
Extra Exercise 4
List all the files in /etc which have "tab" in their name.
Find two or more different ways of doing it, at least one not using an asterisk.
Solution
There are two commands which are used for listing or finding files in
unix, ls and find.
ls /etc | grep tab
$ ls /etc/*tab*
The first example above uses grep to filter the list of files in /etc, whereas the
second ls command uses wildcards to achieve the same result.
The find command uses a slightly different syntax, where you specify the -
name of the file(s) you are looking for, and also pass it the -print flag to make it
output the list to the shell.
EXAMPLES
Example 1: Denying execute permission to everyone
Command Mode
When you open a file in VIM, you are in command mode by default. If you wish
to edit the file you need to switch to
insert mode first by using the i key. To switch back to
command mode, you press the esc key.
There are many, many commands in VIM, but some of the most common and
most useful are:
Insert Mode
In addition to pressing the i key to start entering text
directly after your cursor, you can also press the e key to add a new line below
your cursor and to start adding text on the new line.
In order to save any changes you have made, you must always firstly press
the esc key to verify you are in command mode.
Then depending on what you want to do, type a ":" and then:
w to wite file to disk
wq to wite file to disk and quit
q to quit the file (only works if no changes)
Go to a Specific Line
MOVE
By Character
h move left
j move down
k move up
l move right
By Screen
^F, ^B scroll forward, back one full screen
^D, ^U scroll forward, back one half a screen
^E, ^Y show one more line at bottom, top
L go to the bottom of the screen
z position line with cursor at top
z. position line with cursor at middle
z- position line with cursor at
Miscellaneous Movement
fm forward to character m
Fm backward to character m
tm forward to character before m
Tm backward to character after m
w move to next word (stops at punctuation)
W move to next word (skips punctuation)
b move to previous word (stops at punctuation)
B move to previous word (skips at punctuation)
e end of word (punctuation not part of word)
E end of word (punctuation part of word)
), ( next, previous sentence
]], [[ next, previous section
}, { next, previous paragraph
% goto matching parenthesis () {} []
By Line
:n to line n
home, first, last position on line
end
^ or _ first non-whitespace char on line
+,- first character on next, prev line
xxxG go to line xxx
dm delete (m is movement)
dd delete line
D or delete to end of line
d$
x delete char under cursor
X delete char before cursor
ym yank to buffer (m is movement)
yy or yank to buffer current line
Y
p paste from buffer after cursor
P paste from buffer before cursor
"bdd cut line into named buffer b (a..z)
"bp paste from named buffer b
Miscellaneous
To create the temp.txt file, type the command vim temp.txt and then pressENTER.
To be able to type anything inside your temp.txt file, you must switch to INSERTmode by
pressing i.
So, press i to switch to input mode, and then type some text similar to that below:
VI is great! I think I'll be using VI from now on instead of Word and then
pressENTER to add a new line.
To be able to type anything inside your temp.txt file, you must switch to INSERTmode by
pressing i.
So, press i to switch to input mode, and then type some text similar to that below:
VI is great! I think I'll be using VI from now on instead of Word and then
pressENTER to add a new line.
To be able to type anything inside your temp.txt file, you must switch to INSERT
mode by pressing i.
So, press i to switch to input mode, and then type some text similar to that below:
VI is great! I think I'll be using VI from now on instead of Word and then
pressENTER to add a new line.
I don't know why I haven't used it before now! then press the ESC key to
return to command mode, so that you are ready to save the file.
Now you are in command mode, you can proceed to write your changes and quit
VIM.
To do this you must type :wq and then press ENTER.
You have saved the temp.txt file, and have now returned to the command line.
Now you are going to copy a large file to your home directory.
/etc/defaults/rc.conf rc.conf.bak
You have now returned to the bash prompt to indicate you have successfully copied
the /etc/defaults/rc.conf file.
Now open the rc.conf.bak file, but this time, open it at the bottom of the file:
Here you are going to jump to a particular line in the file. To do this, you need to be
in command mode, and then you type a number, and then press G.
You are going to go to line 1 of this file. So, firstly press ESCAPE, to switch to
command mode. Then, type 1, and pressG (remember this is a capital letter).
Next, you are going practise this command again by moving to line
10.
To do this, press ESC to verify you are still in command mode, then
press 10and then press G.
Enter the following text (remember to press ENTER after each line):
##
##A sample comment
##
So, delete the 3rd line of text you inserted (line 13) by first
pressing ESC to switch to command mode, and then press dd.
Here press dd again to delete the next line (line 12) of text you
inserted.
Copy Pasting
You have successfully moved to line 15 of this file, you can continue
to copy (referred to as yanking) and paste lines of text.
To copy text, you need to use the yy command. You can copy
multiple lines of text by typing a number before yy.
You are going to copy 3 lines (lines 15,16, and 17). As you are
already in command mode, press 3yy.
You now have the 3 lines "yanked", or copied to your clipboard. You
should see a notification at the bottom of the screen saying "3 lines
yanked'".
You are now going to paste the 3 lines at the bottom of this file, so
first go to the bottom of the file by pressing G.
You are now at the bottom of the file. To paste the 3 lines you
"yanked" earlier, you need to press p.
You have now successfully copied, and pasted 3 lines to the bottom
of this file.
Now you are going to undo the 3 lines you have just pasted.
Now you are at line 1, you are going to search for the string "mail"
and replace it with "smtp".
Notice the green text at the bottom which provides you with options
represented by letters. The most common that you will use is y (yes)
and n (no).
Notice the first instance of "mail" has now been replaced with
"smtp", and the second instance of "mail" is now highlighted.
You are now going to quit out of search and replace by holding CTRL
and then pressing C.
Search Only
So press ESC to ensure you are in command mode, type /kernel and
then press ENTER.
Advantages:
Disadvantages:
From the need for a better solution, the Domain Name System, or
DNS, was born. The DNS brought many advantages, which will be
explained in more depth later.
DNS Architecture
All names used in the DNS are globally unique, and are administered
in zones[2]. A zone is a part of a domain for which administrative
responsibility has been delegated to a single manager. These zones
can be seen as each part of a domain, such as:
Resolver
All hosts need a resolver. It’s a piece of software which formats (or ‘resolves’) a
DNS request from an application into a UDP packet, sends it to the caching
name server, and then decodes the answer.
To tell FreeBSD which Caching Name Server(s) to use the resolver needs to be
configured. This is done by adding entries to the file located at /etc/resolv.conf
as in the example below:
nameserver 196.200.219.200
nameserver 196.200.223.1
nameserver 196.200.219.200
The file /etc/resolv.conf is common to all Unix and Linux Operating systems.
Caching
The caching name server checks its database for the data it has stored so far for
the answer to the request from the resolver and returns it, if it's in the cache.
If the answer is NOT in the cache, it will search for an authoritative name server
which has the information, caches/stores the answer, and replies to the resolver.
They find the answer from their own data without needing to reference another
source.
USING DNS
When a web-browser makes a query through the Domain Name System with a
domain name (such as www.ws.afnog.org), the caching name server will reply in
one of 4 ways:
Positive;
Negative;
Refused.
If the reply is positive, it means that the caching name server has found one or
more 'resource records' (RR) that are associated with the domain name.
There are many different types of RRs, depending on the type of information.
You can query for a specific type, by adding it to the request as you will find out
later, or just by asking to receive any and all RRs associated with the domain
name
Some commonly seen RRs are:
TESTING DNS
The easiest way to check if DNS is working is to type a domain name, such as
www.google.com, into a web browser and see if it loads.
This is not a reliable test though, as the web browser could be caching the
result.
Dig is a tool that makes DNS queries and displays the results. It is better suited
to this task than other common networking tools, such as nslookup and host,
as it shows the raw data in full.
Calling dig with just the domain name will default to query type address record
or ‘A’ record:
$ dig afnog.org.
You can add the RR type you wish to the end of the query though:
$ dig afnog.org. mx
If you are testing a new cache, you may also command dig to use this and
ignore the cache setup in the resolver:
Hint:
Note that the domain name has a trailing dot every time;
$ dig afnog.org. mx
This is to ensure that no default domain is being added.
It is good practice to get into the habit of doing this when testing
DNS.
There may come a time when you need to find the domain name or
hostname[3] for a particular IP. For example how would we know the hostname of
the machine with the IP Address 196.216.2.34?
Now try using dig to query for the 'a' record of www.afnog.org
$ dig www.afnog.org. a
The Resource Record type "mx" identifies the host machine to which emails for a
domain will be sent.
If the same query has been dealt with already, then the result will be in the
cache and can be easily sent back
If the query is new, or the Time To Live (TTL) for the requested Resource Record
has expired, then the result will not be in the cache.
This means the caching name server has to consult other servers to find the
result.
DNS is a distributed database, so parts of the DNS tree structure, (or zones) are
held on different servers. If a server holds a zone, then it is called authoritative
for that particular zone
The caching name server needs to locate the correct authoritative name server
and get the result from there.
It may have to ask other name servers first to locate the one it needs.
The caching name server needs to know which authoritative name server to ask.
The best way of finding this out is to follow the hierarchical tree structure,
starting at the top.
If a name server receives a query for a delegated domain, for example, a .org
server receiving a query for afnog.org, it will return an NS record for the
afnog.org Name Servers.
To find a specific Resource Record, the caching name server begins at the root
zone (denoted by a dot) and then starts to query beginning from right to left of
the domain. It starts with the TLD (Top Level Domain) of the requested domain.
For the address Resource Record (A Record) of the zone tiscali.co.uk, it will begin
at .uk.
When an authoritative name server receives a query for a sub-domain that has
been delegated to another server, (for example, a .uk authoritative name server
receiving a query for tiscali.co.uk) it will return a Name server record, or NS
record for the .co.uk authoritative name server.
The answer from the .uk name server is called a referral, which refers a caching
name server to an authoritative name server that will have more information for
the queried domain. Depending on the number of sub-domains separated by
dots (.) and whether each part of the subsequent sub-domain has been
delegated, referrals could occur for each sub-domain eg .co.uk authoritative
name server will then give a referral to tiscali.co.uk name servers. This process
of receiving referrals is called recursion and is performed by your caching
name server until it receives the correct answer or reaches a non responsive
name server. This is why caching name servers are also called recursive name
servers or Resolvers.
Recursion – querying for the answer from other servers until it finds the answer
or reaches a non responsive server.
1. Firstly the resolver sends a query for a Resource Record to the caching
name server. If the caching name server does not have the answer in its
cache it will begin recursion – querying for the answer from other servers
until it finds the answer or reaches a non responsive server.
2. The caching name server begins by querying the root authoritative name
server. The root authoritative name server returns a referral answer,
referring the caching name server to another server of which
administrative control of the requested domain has been delegated to.
3. Using the information from the referral which will consist of an NS (Name
server) record, the caching name server requests the next authoritative
name server in the tree for the specific Resource Record. If this server is
authoritative only for part of the domain, it will not have the answer for
the requested Resource Record and will also refer the caching name
server to another authoritative name server
4. The caching name server will then use this second referral to query the
authoritative name server it has been directed to. This could be the server
that is authoritative for the entire zone which will then provide the answer
for the Resource Record to the caching name server which then passes
the response to the resolver. This process will go on, and on, until the
caching name server finds the desired Resource Record or reaches a
misconfigured or inactive server.
DNS SERVER SOFTWARE
To build your own caching name server, you can use DNS software such as BIND. BIND
can be installed by typingsudo pkg install bind910 on FreeBSD 10 onwards. This would
install the configuration file in/usr/local/etc/namedb but you can make a link
to/etc/namedb for faster access. For the remainder of this module, we will work with folder
of /etc/namedb for BIND's files.
The caching name server needs to know where the authoritative name servers can be
located in order to begin the process of recursion. This is sometimes called seeding of the
caching name server to allow it to find the root! This information is stored in a seed file or
hints file.
BIND software (and indeed all other caching DNS softwares available), have a seed file
configured by default once installed. For BIND installations on FreeBSD, the seed or hints
file is located at /etc/namedb/named.root and contains information of how to locate the 13
root servers of the Internet.
Distributed systems have many points of failure, so steps have to be taken to mitigate this.
Each domain, for example 'org', has two or more authoritative name servers to provide
redundancy in the event one or more of the name servers happens to fail or becomes
unreachable. All the authoritative name servers of a domain are equal and can be tried in
any order until one gives an answer. This also has the effect of sharing the load, which is
particularly important for the root servers!
Another technique used to ease the load on the system is caching. You already know that
caching name servers store the results they receive from authoritative name servers, but all
other information is also cached.
This means NS(name server)[b] records from referrals are cached too. Caching reduces the
load on authoritative name servers.
This is especially important at the higher levels of the DNS hierarchy: root servers, Generic
Top Level Domain Servers (GTLD servers for.com and .net) and Country Code Top Level
Domains (ccTLDs).
All intermediate information is cached as well as the final answer - so NS records from
referrals are cached too.
Keeping the Cache Up-to-date
Caches only work for as long as the information they hold is correct. If they hold outdated
information they may give out the wrong answer.
Caching name servers need to know how long to keep data on resource records (RRs). If
the result is stored for too long the data provided could be out of date. If the result is stored
for a very short period, this would increase the load the authoritative servers higher in the
hierarchy.
The owner of an authoritative server controls how long their data is held in cache. Each RR
has a “time to live”, or TTL, which dictates how long it can be held in cache, by giving the
number of seconds of validity.
A SOA (Start of Authority) record,[c] dictates how long a negative answer can be cached
TIP:
It is good practice to set a fairly long TTL of 1 or 2 days ordinarily,
and then reduce this to minutes a couple of days before making a
change to the data.
The TTL should then be increased back to its original after making
the change.
DNS Issue 1
Solution
All zones should be setup with more than one authoritative server. In this case you would
just move to the next authoritative server if the first one timed out
DNS Issue 2
Solution
Authoritative servers should be on different subnets, to mitigate the effects of a switch or
router failure. They should also have different power sources to improve redundancy in case
of a power cut, and use different Internet connections in case the connection fails.
Authoritative servers should also be in different geographic locations. One server can be in
one part of the country, and the other in another country altogether.
DNS Issue 3
If a referral goes to a non-authoritative name server, this is, again, a bad problem
causing the query to fail, and unfortunately there aren’t as many options to avoid this.
Solution
This is usually caused by Name Server (NS) records for a zone pointing to an Authoritative
Name server which has not been setup as an Authoritative Name server, or a syntax error in
the zone file.
DNS Issue 4
If there are inconsistencies between authoritative servers, then you will receive a
different result depending on which server is queried. This would mean that information on
one authoritative name server differs from another for the same zone and depending on
which one you query, you will receive either correct, or incorrect information.
Solution
This problem can be hard to track down because of caching, and the nature of having
several servers to check. It is important to ensure all authoritative name servers are
updated to have the same information.
DNS Issue 5
If there are inconsistencies in delegation, unpredictable behavior can occur, as you will
be unaware of which results the cache will use, or even if it will use a union of the two sets.
Inconsistencies could occur if two Authoritative Name Servers have differing information
regarding the next server in the zone's delegated hierarchy.
Solution
NS records for the delegation need to match the NS records in the zone file. If they do not
match, then this is down to human error, and can be avoided by checking the configurations
carefully.
DNS Issue 6
If there is an inappropriate choice of parameters, in most cases, this will be down to the
TTL being set either too short, or too long.
If the TTL is too short for your resource records, (eg 60 seconds), it means that caching
name servers will query your Authoritative name servers frequently, increasing load and
use.
If the TTL is too long, (eg 3 months), caching name servers will store resource records for 3
months. This may be disadvantageous to you if you need to make a change to a certain
resource record (or records) since caching name servers may not return for new information
until 3 months expire.
Solution
It is advisable to get into the habit of setting the TTL to 1, or 2 days.
Debugging DNS
As well as just testing DNS, dig can be used to debug and can give you the information
needed to fix problems.
To debug effectively, caching must be bypassed since all authoritative name servers for a
zone must be tried.
Debugging DNS
To the left is the output from a digquery asking what informationa.root-servers.net has
forwww.afnog.org.
It shows that the only information it has about www.afnog.org is related to .org, and refers
us to thesix Authoritative name servers that are in charge of .org.
Now, the dig output to the left shows that according toa0.org.afilias-nst.info (which is one
of the servers in charge of .org), further information forwww.afnog.org is handled by other
name servers.
The AUTHORITY section details the four name servers which will have more information
aboutwww.afnog.org.
Again, the next step is to query one of these four servers for more information.
We have queried each part of the DNS Hierarchy for afnog.org and have confirmed that
information at each branch is correct.
root;
delegation 1 - .org;
delegation 2 -
afnog.org;
Actual records -
www.afnog.org
In summary, to debug the full process of resolving a domain you need to follow four steps:
1. Use dig with the +norec option to query any root server for your chosen domain:
$ dig +norec @a.rootservers.net. www.afnog.org. a
2. Note all the NS records returned.
3. Use dig to query each NS record, in a similar way to how you did Step 1.
4. Repeat from Step 2 until all possible routes to the final answer have been checked.
Now, list the contents of the directory, and look for the main configuration file called
named.conf.
sudo cp named.conf named.conf.backup
$ sudo cp named.conf named.conf.backup
You should now be at line 1 in the named.conf file. You need to scroll down and find the line
"listen-on {127.0.0.1;};" using the j key.
When you have got to this line, you need to add your IP address to this option, like this
"listen-on {127.0.0.1; 192.168.3.25;};" (note that spaces, and semi-colons are important, so
check carefully). Also, please verify what your localhost IP address is if your are using the
online lab with $sudo ifconfig lo1
Once you have done that, you can save your changes and quit the file using the ":wq"
command.
Now you can use the "sudo named-checkconf" command that checks the
/etc/namedb/named.conf file for any errors that would prevent BIND from running.
If there are no errors, you will silently return to the bash prompt, but if there are any errors, it
will report the error, and on which line the error is on. If there are no errors in the
/etc/namedb/named.conf file, then you can move on to the next step in setting up your
caching name server.
Now that you have set up the new named.conf file, you now need to enable your BIND
program.This can be done by first allowing it to automatically start at boot (by editing
/etc/rc.conf) then starting it from the command line.
The /etc/rc.conf file is owned by the root, so as before, you will have to use the echo
command with the sh -c option to append a line at the end of the file (note that the ">>" is
very important):
Now that you have added that line to the /etc/rc.conf file using the echo command, you now
need to start your caching name server.
$ sudo service named start
If you see an output like that in the example above, then you have successfully started your
caching name server and BIND is running. You can ensure that BIND has actually started
by running the $ ps -ax | grep named. command which will display processes with the word
'named' in the output. You will get something like so showing that BIND is running:
$ ps -ax | grep named
If BIND is successfully running, you should see something similar to the example above in
your display. You can also check whether the service is available by telneting port 53.
Now that you have checked BIND is successfully running by checking the log file, you are
going to check BIND is running by using netstat to connect to a port.
$ netstat –an | grep udp
Now you know BIND is running, you have finished setting up your new caching server, and
can now go on to testing it out.
Notice the query time field that indicates how long it took to receive a result (905 msec).
Run the command again, and check the time taken for a result to be received. You should
find that the query time should be less than when you first ran the command.
Open /etc/resolv.conf in VIM, by using this command "sudo vi /etc/resolv.conf". Replace all
the contents with "nameserver" and your IP, for example "nameserver 192.168.100.6":
nameserver 192.168.100.6
Next, you need to check your resolver is pointing to your new caching name server.
Do this by running dig again, but this time you don't need to include "@192.168.100.6":
$ dig www.afnog.com. a
This exercise is to show you how to use dig and to test your new DNS Caching Resolver.
Perform these tests against BIND first then on Unbound later after installing Unbound.
$ less /etc/resolv.conf
nameserver 192.168.0.1
*The IP address may differ and should match the IP Address of your FreeBSD VM that you have just
installed
# dig www.tiscali.co.uk. a
# dig afnog.org. mx
# dig www.afrinic.net. aaaa
# dig psg.com. aaaa
# dig <domain of your choice> a
# dig <domain of your choice> mx
# dig tiscali.co.uk. txt
# dig ripe.net. txt
# dig afnog.org. txt
# dig facebook.com. a
2b. Now send some queries to another caching server. We will use Google's open DNS
caching server with IP Address 8.8.8.8
You should notice that it is faster to use YOUR own DNS Server than Google in terms of
Query Time.
Now try some reverse DNS lookups. Remember to reverse the four parts of
the IP address, add '*.in-addr.arpa.*', and ask for a *PTR* resource record.
(For 216.235.14.38)
# dig 38.14.235.216.in-addr.arpa. ptr
Now try the short form of dig using the '-x' flag for reverse lookups:
# dig -x 216.235.14.38
# dig -x 2001:4900:1:392::38
Now that you have setup your caching name server correctly, you can use it as the DNS
server for your personal PC that FreeBSD is hosted on.
First you need to add some restrictions to BIND so that only your local network can use it.
This is good practice even for ISPs so that a caching name server you configure is not open
to anyone on the Internet as this could result in your cache being misused or getting
poisoned. We will use an Access List (acl) to add restrictions regarding who can use our
BIND DNS Caching server.
Locate the ”statistics-file” line in the /etc/namedb/named.conf file and add ”allow-query
{home_network; };” below it:
statistics-file ”/var/stats/named.stats”;
allow-query {home_network; };
Now you have added the line above, save the file, but
don’t exit.
Your file should now look like that above. You have now configured BIND to make it secure.
Next you need to save the file, and then restart BIND
Your display should state the service "named" was stopped and then started again, which
means you successfully restarted the service. On a production server, it would be better to
use reload rather than restart as that would reduce the impact on other users using your
DNS server.
You can follow a similar procedure to setup a DNS Server on your own network. If you used
VirtualBox for the lab, you can also configure your Windows machine to use your new
Caching DNS Server. Slides 30 and 31 show you how you can do that on Windows.
Configuring Unbound
In this next section, you are going to install, and configure Unbound, which is another DNS
software program - an alternative to using BIND.
The first thing you need to do is install Unbound. You should use the sudo command again
$ sudo portinstall --batch unbound
$ cd /usr/local/etc/unbound
Once Unbound is installed on your FreeBSD VM, you need to go into the Unbound home
directory - /usr/local/etc/unbound. When you are in the directory, list the contents and find
the default configuration file that is called unbound.conf (if it does not exist, then create it
and edit as per the final instructions in this slide).
As you did previously when configuring BIND, make a copy of this file in case something
goes wrong.
You should see an output similar to the example above to indicate you have copied the file
successfully. Using VIM, add the following to a new file called unbound.conf using this
command - sudo vi unbound.conf. You will need to set the access-control option to point at
your IP of your LAN:
server:
verbosity: 1 #
When you have done that, save your changes and exit the file. Next you will replace the
configuration settings you added in the /etc/rc.conf file earlier.
Now you need to edit the /etc/rc.conf file to allow the unbound service to start.
This file is owned by a different user (root) so we must elevate the privileges of the shell
(bash) which will redirect (">>") input into the file (/etc/rc.conf):
Now that you have enabled Unbound, you now need to stop BIND, and then start Unbound.
This is required as you cannot have more than one caching name server running at the
same time. This is because they both listen for requests on the same port - UDP Port 53.
If you intend to use Unbound, it is recommended you remove the entry for BIND in your
/etc/rc.conf file, and vice versa. Now go ahead and stop BIND, and start Unbound.