Data Networking/Fall 2015/Anvitha
Project Objective
To build a robust, secure, dynamic and intelligent network consisting of a DNS server, a DHCP server, a web server with a firewall, and a client, for a start-up company situated in Boston.
Project Team members
Anirudh Vasudevan
Anvitha Manjunath
Priyesh kiran Gawad
Sri Pradeep Dhanekula
Network elements
The implemented network consists of the following elements:
- DHCP
- DNS
- Web server and firewall
- Backup
Dynamic Host Configuration Protocol (DHCP)
DHCP is a client/server protocol that dynamically assigns IP addresses to hosts joining the network, together with other network parameters such as the DNS server address and the default gateway. It lets the network administrator centrally manage and allocate the addresses used within the network.
Behavior of the protocol
It is a client/server protocol carried over UDP; the server listens on port 67 and the client on port 68. The server assigns IP addresses, subnet masks and gateways to clients from the pool of addresses it has been given. When a client sends a DHCP message, the server processes it according to the client's current binding state. The messages a client can send are DHCPDISCOVER, DHCPREQUEST, DHCPRELEASE and DHCPINFORM:
a. DHCPDISCOVER: for each DHCPDISCOVER the server chooses an address from its pool, preferring the client's current or previous binding if it has one, and answers with a DHCPOFFER. If no address is available, the server may report the problem to the system administrator.
b. DHCPREQUEST: after receiving one or more DHCPOFFERs, the client selects one and sends a DHCPREQUEST carrying the 'Server Identifier' option of the chosen server; the other servers take this as a decline of their offers. A client that already holds an address also sends DHCPREQUEST to verify that address after a reboot, or to renew its lease before it ends.
c. DHCPRELEASE: when a client no longer needs its address it sends DHCPRELEASE; the server marks the address as not allocated and keeps a record of the client's initialization parameters for possible reuse.
d. DHCPINFORM: a client that already has an address (for example a statically configured one) sends DHCPINFORM to obtain only the other configuration parameters; the server answers with a DHCPACK sent directly to the address in the 'ciaddr' field of the request.
DHCP client behavior: a client can receive the following messages from the server: DHCPOFFER (an address is proposed), DHCPACK (the requested address and parameters are confirmed) and DHCPNAK (the request is refused, for example because the address does not belong to the client's subnet or the lease has expired; the client then starts again with DHCPDISCOVER).
Configuration
sudo nano /etc/dhcp/dhcpd.conf
ddns-update-style none;
authoritative;
default-lease-time 600;
max-lease-time 7200;
option domain-name "group11.lan";                 # the domain named in the IPv4 section below
option domain-name-servers 10.0.0.55, 10.0.0.56;  # DNS master and slave addresses from the Integration section
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.200;
  option routers 10.0.0.1;                        # default gateway from the Integration section
  option broadcast-address 10.0.0.255;
}
The server leases addresses on a named interface, so the interface must be set first. Command: sudo nano /etc/default/isc-dhcp-server. Set the INTERFACES option to the Ethernet interface: INTERFACES="eth0". A DHCP server hands out dynamic addresses to the clients, but the server itself must have a static address on that interface, so give it one first. Command: sudo nano /etc/network/interfaces
auto eth0
iface eth0 inet static
    address 10.0.0.254
    netmask 255.255.255.0      # a /24 mask; 10.0.0.0 is the network address, not a mask
    gateway 10.0.0.1
    network 10.0.0.0
    broadcast 10.0.0.255
    dns-nameservers <IP address of the DNS server>
    dns-search <domain name>
Restart networking (or reboot with sudo init 6) so the static address takes effect. Up to this point the configuration is the same for IPv4 and IPv6; the IPv4 configuration is discussed first.
IPV4 Implementation
/etc/dhcp/dhcpd.conf is where the range of addresses to be assigned dynamically (the DHCP pool), the subnet mask, the network ID and similar settings are configured, together with the lease time for which an address is granted to a client.
Command: sudo nano /etc/dhcp/dhcpd.conf
All settings are adjusted to the network requirements. The option domain-name is group11.lan, the domain created for this network, and the dynamic range is 10.0.0.100 to 10.0.0.200. The next step is to restart the DHCP service. Command: sudo service isc-dhcp-server restart. Once isc-dhcp-server has restarted it serves requests and assigns an address from the pool to every client on the network; with several virtual machines in VMware, each machine gets its own dynamic address from the server.
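As an added example (not part of the original page), the dhcpd.conf above as a small shell script that generates it together with fixed-address reservations for the DNS master, DNS slave and web server named in the Integration section, refuses a reservation that would fall inside the dynamic pool, and runs dhcpd's own syntax check when the daemon is installed. The MAC addresses are placeholders assumed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): build a dhcpd.conf for the
# 10.0.0.0/24 network of this page, with fixed-address reservations for the
# DNS master (10.0.0.55), DNS slave (10.0.0.56) and web server (10.0.0.65)
# kept outside the dynamic pool 10.0.0.100-10.0.0.200.
# The MAC addresses are assumed placeholders.

# reservation NAME MAC IP -> one host block; refuses an IP inside the pool
reservation() {
    name=$1; mac=$2; ip=$3
    last=${ip##*.}
    if [ "$last" -ge 100 ] && [ "$last" -le 200 ]; then
        echo "reservation: $ip lies inside the dynamic pool 10.0.0.100-200" >&2
        return 1
    fi
    printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' \
        "$name" "$mac" "$ip"
}

# dhcpd_conf -> the complete configuration on stdout
dhcpd_conf() {
    cat <<'EOF'
ddns-update-style none;
authoritative;
default-lease-time 600;
max-lease-time 7200;
option domain-name "group11.lan";
option domain-name-servers 10.0.0.55, 10.0.0.56;

subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.200;
  option routers 10.0.0.1;
  option broadcast-address 10.0.0.255;
}
EOF
    reservation dnsmaster 08:00:27:00:00:55 10.0.0.55
    reservation dnsslave  08:00:27:00:00:56 10.0.0.56
    reservation webserver 08:00:27:00:00:65 10.0.0.65
}

# check_conf FILE -> the server's own syntax check, when dhcpd is installed
check_conf() {
    if command -v dhcpd >/dev/null 2>&1; then
        dhcpd -t -cf "$1"
    else
        echo "dhcpd not installed; syntax check of $1 skipped" >&2
    fi
}

# Stand-alone use: ./gen-dhcpd.sh --write, then copy the checked file into place
if [ "${1:-}" = "--write" ]; then
    dhcpd_conf > dhcpd.conf.new && check_conf dhcpd.conf.new
fi
```

Run the script with --write, review dhcpd.conf.new, copy it to /etc/dhcp/dhcpd.conf and restart isc-dhcp-server; dhcpd -t -cf refuses a file with a syntax error before the daemon is restarted with it.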
IPv6 Implementation
1. To enable IPv6 routing:
Command: sudo nano /etc/sysctl.conf and set net.ipv6.conf.default.forwarding=1 (apply it without a reboot with sudo sysctl -p).
2. To advertise the prefix and let the hosts on the network pick their own addresses, install the router advertisement daemon radvd.
Command: sudo apt-get install radvd. After installing the daemon, edit /etc/radvd.conf to declare the interface and the prefix to advertise.
Command: sudo nano /etc/radvd.conf
To propagate the IPv6 address space, restart the daemon.
Command: sudo service radvd restart
Start the DHCP server.
Command: sudo service isc-dhcp-server restart, and sudo service isc-dhcp-server6 restart when /etc/dhcp/dhcpd6.conf has been configured to provide DHCPv6 to Windows clients.
Testing
1. To check the address of the interface on which DHCP is configured: ifconfig
2. To check the address a client received from the DHCP pool: ipconfig on Windows, ifconfig on Ubuntu.
3. To see the address granted to a client and its lease time, on the client: sudo tail /var/lib/dhcp/dhclient.leases. The same information for every client, as the server sees it, is in /var/lib/dhcp/dhcpd.leases on the server.
Domain Name system(DNS)
Behavior of the protocol
Domain Name System (DNS) is an application layer protocol that resolves domain names to addresses and vice versa. It is a critical service run by ISPs, organizations and Internet authorities. DNS is not a centralized service but a distributed one, which avoids a single point of failure, a distant central database, heavy traffic volume and an unmaintainable database. It uses caching to reduce the load on the network. It uses port 53 for lookups and zone transfers: UDP for lookups and TCP for replicating zones between servers, and TCP also whenever a query or response exceeds 512 bytes. A reverse lookup provides only weak protection against e-mail spoofing. Replication across DNS servers is used for load balancing and redundancy.
Distributed Hierarchy of DNS
The hierarchical server structure in the above diagram has three levels.
They are:
1) Root DNS servers – these are at the top level of the hierarchy
2) Top level domain (TLD) DNS servers – these are at the next level below the root servers
3) Authoritative DNS servers – these hold the records of a domain and sit below the TLD servers; an organization's local (recursive) name server queries this hierarchy on behalf of its hosts
Query Types
There are two types of queries in DNS hierarchy. They are:
1) Recursive queries
2) Iterative queries
1) Recursive queries:
When a host asks for a resolution, the local name server associated with that host takes on the whole job: it queries the other levels of the hierarchy and returns the final answer to the host.
Recursion should be allowed only for the hosts a server is meant to serve (its own network); an open recursive resolver can be abused for cache poisoning and for reflection attacks against third parties.
2) Iterative queries:
Root DNS servers, TLD DNS servers and authoritative name servers answer iteratively: each returns either the answer or a referral to the next server to ask, rather than resolving the name on the caller's behalf.
Resource Records
Resource Records: in the DNS hierarchy, a server replies to a query with one or more resource records.
Format of a BIND9 resource record:
Name  TTL  Class  Type  [Pref]  Value
TTL is the Time To Live, Pref is the preference value (used only for MX records, to order multiple mail servers), and Class identifies the protocol family (IN for Internet).
Type = A
Name is the hostname, Value is the IPv4 address; this type is simply a hostname-to-address mapping (AAAA is the IPv6 equivalent).
Type = NS
Name is the domain, e.g., auburn.edu; Value is the hostname of an authoritative name server for this domain. This type routes queries to the right server.
Type = CNAME
Name is the alias, e.g., www.ibm.com; Value is the canonical name, e.g., servereast.backup2.ibm.com. This type simply provides the canonical name when the alias is requested.
Type = MX
Name is the domain name; Value is the name of a mail server for this domain, with Pref selecting the preferred one.
Type = PTR
Used for reverse lookups: Name is the address written in reverse under in-addr.arpa, Value is the hostname associated with that IP address.
The master server holds the original set of records; a slave holds a copy obtained from the master by zone transfer.
Steps to configure BIND9 Master DNS server and Slave DNS server
DNS Configuration
Master DNS configuration
Install the required updates and the BIND9 packages using the following commands.
sudo apt-get update
sudo apt-get install bind9
Open the network interfaces file and give the server its static address, using the following command.
sudo nano /etc/network/interfaces
Open hosts file by using the following command and make the changes
sudo nano /etc/hosts
Open hostname file using the following command and make below changes.
sudo nano /etc/hostname
Reboot the virtual machine by using the following command to apply changes.
sudo init 6
Open the named.conf.options file by using the following command and make the changes as below.
sudo nano /etc/bind/named.conf.options
Open the named.conf.local file by using the following command and make the changes as below.
sudo nano /etc/bind/named.conf.local
Create and open the forward zone file db.adeptmaster.com by using the following command and make the changes as below.
sudo nano /etc/bind/db.adeptmaster.com
Create and open the reverse zone file for the 10.0.0.0/24 network, db.10, by using the following command and make the changes as below.
sudo nano /etc/bind/db.10
Open the head file by using the following command and make the changes as below.
sudo nano /etc/resolvconf/resolv.conf.d/head
Restart BIND9 server using the below command.
sudo service bind9 restart
Slave DNS configuration
Install the required updates and the BIND9 packages using the following commands.
sudo apt-get update
sudo apt-get install bind9
Open the network interfaces file and give the slave its static address, using the following command.
sudo nano /etc/network/interfaces
Open hosts file by using the following command
sudo nano /etc/hosts
Open hostname file using the following command and make below changes.
sudo nano /etc/hostname
Reboot the virtual machine by using the following command to apply changes.
sudo init 6
Open the named.conf.options file by using the following command and make the changes as below.
sudo nano /etc/bind/named.conf.options
Open the named.conf.local file by using the following command and make the changes as below.
sudo nano /etc/bind/named.conf.local
Open the head file by using the following command and make the changes as below.
sudo nano /etc/resolvconf/resolv.conf.d/head
Restart BIND9 server using the below command.
sudo service bind9 restart
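The page refers to the zone files and named.conf.local contents only through screenshots. As an added example (not part of the original page), here is a shell script that produces them for both the master and the slave described above, for the adeptmaster.com domain on the 10.0.0.0/24 network of this page (master 10.0.0.55, slave 10.0.0.56, web server 10.0.0.65), with zone transfers restricted to the slave and a helper that increases the SOA serial, without which the slave never picks up an edit. The ns1/ns2/www hostnames, the admin mailbox and the serial numbers are assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of the original page): zone files and
# named.conf.local entries for adeptmaster.com on the 10.0.0.0/24 network
# of this page (master 10.0.0.55, slave 10.0.0.56, web server 10.0.0.65).
# The ns1/ns2/www hostnames and the serial numbers are assumptions.

# bump_serial OLD TODAY -> next YYYYMMDDnn serial. A slave only transfers a
# zone whose serial has grown, so every zone edit must go through this.
# Assumes at most 99 edits per day and a clock that does not go backwards.
bump_serial() {
    old=$1; today=$2
    if [ "${old%??}" = "$today" ]; then
        cnt=${old#"$today"}
        n=$(( ${cnt#0} + 1 ))      # same day: increment the two-digit counter
    else
        n=1                        # new day: restart the counter
    fi
    printf '%s%02d\n' "$today" "$n"
}

# forward_zone SERIAL -> contents of /etc/bind/db.adeptmaster.com
forward_zone() {
    cat <<EOF
\$TTL 604800
@       IN SOA  ns1.adeptmaster.com. admin.adeptmaster.com. (
                $1        ; serial
                604800    ; refresh
                86400     ; retry
                2419200   ; expire
                604800 )  ; negative cache TTL
@       IN NS   ns1.adeptmaster.com.
@       IN NS   ns2.adeptmaster.com.
ns1     IN A    10.0.0.55
ns2     IN A    10.0.0.56
www     IN A    10.0.0.65
EOF
}

# reverse_zone SERIAL -> contents of /etc/bind/db.10 (zone 0.0.10.in-addr.arpa)
reverse_zone() {
    cat <<EOF
\$TTL 604800
@       IN SOA  ns1.adeptmaster.com. admin.adeptmaster.com. (
                $1 604800 86400 2419200 604800 )
@       IN NS   ns1.adeptmaster.com.
@       IN NS   ns2.adeptmaster.com.
55      IN PTR  ns1.adeptmaster.com.
56      IN PTR  ns2.adeptmaster.com.
65      IN PTR  www.adeptmaster.com.
EOF
}

# named_conf_local master|slave -> zone statements for that role.
# allow-transfer limits AXFR to the slave: any other host asking for the
# whole zone is refused, which is what the Testing section checks.
named_conf_local() {
    case $1 in
    master) xfer='allow-transfer { 10.0.0.56; }; also-notify { 10.0.0.56; };'
            dir=/etc/bind; kind='type master;' ;;
    slave)  xfer='masters { 10.0.0.55; }; allow-transfer { none; };'
            dir=/var/cache/bind; kind='type slave;' ;;
    *)      echo "usage: named_conf_local master|slave" >&2; return 1 ;;
    esac
    for z in 'adeptmaster.com db.adeptmaster.com' '0.0.10.in-addr.arpa db.10'; do
        set -- $z
        printf 'zone "%s" {\n    %s\n    file "%s/%s";\n    %s\n};\n' \
            "$1" "$kind" "$dir" "$2" "$xfer"
    done
}

# check_zone NAME FILE -> BIND's own syntax check, when BIND is installed
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed; $2 not checked" >&2
    fi
}
```

On the master, forward_zone "$(bump_serial <current serial> "$(date +%Y%m%d)")" > /etc/bind/db.adeptmaster.com followed by check_zone adeptmaster.com /etc/bind/db.adeptmaster.com and sudo rndc reload replaces the manual edit; in named.conf.options, also limit allow-recursion and allow-query to 10.0.0.0/24 so the servers do not act as open resolvers.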
Testing
Testing on master DNS server
1) Verify that the records added on the master are available.
2) Verify the records with nslookup and dig:
nslookup <domain name>
nslookup <IP address>
dig @<server IP address> <domain name>
nslookup -query=AAAA <FQDN> (for IPv6 records)
3) Verify that the master can ping the slave: ping <slave IP address>
4) Verify that changes made in the zone files are reflected in the answers (the zone must be reloaded and its serial number increased).
Testing on slave DNS server
1) Verify that the records transferred from the master are available.
2) Verify them with nslookup and dig:
nslookup <domain name>
nslookup <IP address>
3) Verify that the slave can ping the master: ping <master IP address>
4) Verify that changes made in the master's zone files are reflected on the slave.
5) Verify that updated zone records are transferred from the master to the slave: dig @<master IP address> <domain name> AXFR. This should succeed from the slave and be refused from any other host when allow-transfer in the master's named.conf.local is limited to the slave.
Web server
A web server is a host machine or workstation able to host one or more web sites. The first step is to list the available options for the type of web server to use in this project. The candidates are Windows (Microsoft's IIS) and Linux (Apache HTTP Server or NGINX). There are many differences between them, but the most important factor for a network engineer with little funding is cost. A Windows web server requires a purchased license before it can be installed and configured. Linux, on the other hand, is open source and hosts web sites through free web servers.
Therefore Windows web servers are excluded from the list of options, leaving Apache or Nginx. Nginx is generally more efficient than Apache in the time and memory needed to serve many concurrent requests. It runs a master process that spawns a fixed number of worker processes; each worker is event-driven and services many connections at once without a thread or process per connection. Apache, with its traditional prefork MPM, has a parent process that spawns child processes and dedicates one process to each connection (its worker and event MPMs use threads instead). Apache trades some speed for compatibility with its large set of add-on modules and per-directory configuration, which gives more flexibility. For this project the web server hosts a small number of web sites for a small network, so speed is not a constraint, and Apache2 is chosen. The second step is to decide the kind of host machine that will run the web server and its sites. The options include virtual machines and standalone machines. One drawback of a client-server architecture is that an always-on device is needed to host the web server and answer requests, so a standalone machine is the preferred choice; since the project has to be demonstrated, the laptops were set up to dual-boot, with Linux on a separate partition from Windows.
Configuration
In this article, we describe the steps required to install and configure the Apache 2 web server on a Linux machine (specifically Ubuntu 14.04).
Installing Apache2
To install Apache2 on Ubuntu 14.04, use the following commands. Update the package lists:
sudo apt-get update
Install the Apache2 web server:
sudo apt-get install apache2
To check that Apache2 is installed, open a web browser and type the following:
http://localhost
Creating the site directory. After installing Apache2, we create the HTML file that will hold the web site's content and layout. Create the directory with the following command:
sudo mkdir /var/www/neunetworks.com/
Set the permissions so the web server can read the files, and make the site directory owned by the account that edits it (the server itself only needs read access):
sudo chmod 755 /var/www/
sudo chown $USER:$USER /var/www/neunetworks.com/
Create and edit sample.html with the layout you prefer:
sudo nano /var/www/neunetworks.com/sample.html
Configuring Apache2: apache2.conf
Now Apache2 has to be configured to meet our needs. The main configuration file is apache2.conf and is opened with the following command:
sudo nano /etc/apache2/apache2.conf
Add the following lines to apache2.conf:
<Directory /var/www/neunetworks.com/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
Adding the /var/www/neunetworks.com/ directory allows Apache2 to serve the web site located there. Note that Options Indexes makes Apache list the contents of any directory that has no index file, which exposes every file under the document root; use Options -Indexes unless listings are wanted. apache2.conf has many other settings that can be changed to our needs, such as KeepAlive and MaxKeepAliveRequests, which determine how the web server handles persistent HTTP connections.
Configuring Apache2: dir.conf
Since we did not use the default index file name (index.html), sample.html has to be added to the list of directory index files. Modify the following file:
sudo nano /etc/apache2/mods-available/dir.conf
Append sample.html to the list of indices (the list is tried in order, so an index.html in the same directory would still win):
<IfModule mod_dir.c>
    DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm sample.html
</IfModule>
Configuring Apache2: 000-default.conf
/etc/apache2/sites-available/000-default.conf is the default virtual host, which tells the server which name it answers to and where the site's files are. For our web site, modify or add the following lines to point the web server at it:
ServerAdmin webmaster@localhost
ServerName neunetworks.com
DocumentRoot /var/www/neunetworks.com
Restart Apache2
Now that the Apache2 configuration is complete, check it for syntax errors and restart the web server so that the new configuration takes effect:
sudo apache2ctl configtest
sudo service apache2 restart
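As an added example (not part of the original page), the site above written as a single virtual host file rather than edits spread over apache2.conf, dir.conf and 000-default.conf, in the page's weak form and in a hardened form, with a check that tells the two apart. Apache's Options Indexes turns on automatic directory listings, which hands a visitor the names of every file under the document root; the hardened variant switches that off and follows symlinks only when their owner matches the target. The log file names and the site file name are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original page): the neunetworks.com virtual
# host from this page, in the page's form ("weak") and with the Directory
# block tightened ("hardened"). Log file names are assumed.

# vhost weak|hardened -> the site file for /etc/apache2/sites-available/
vhost() {
    case $1 in
    weak)     opts='Indexes FollowSymLinks' ;;          # as on the page
    hardened) opts='-Indexes +SymLinksIfOwnerMatch' ;;  # no listings
    *) echo "usage: vhost weak|hardened" >&2; return 1 ;;
    esac
    cat <<EOF
<VirtualHost *:80>
    ServerName neunetworks.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/neunetworks.com
    DirectoryIndex sample.html index.html
    <Directory /var/www/neunetworks.com/>
        Options $opts
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog \${APACHE_LOG_DIR}/neunetworks-error.log
    CustomLog \${APACHE_LOG_DIR}/neunetworks-access.log combined
</VirtualHost>
EOF
}

# lists_directories < CONFIG -> exit 0 when some Options line turns Indexes on
# ("-Indexes" does not count; a bare or "+Indexes" does)
lists_directories() {
    grep -E '^[[:space:]]*Options[[:space:]]' |
        grep -Eq '(^|[[:space:]])\+?Indexes([[:space:]]|$)'
}

# deploy -> install the hardened site in place of the default one (root)
deploy() {
    vhost hardened | sudo tee /etc/apache2/sites-available/neunetworks.com.conf >/dev/null &&
    sudo a2dissite 000-default.conf && sudo a2ensite neunetworks.com.conf &&
    sudo apache2ctl configtest && sudo service apache2 reload
}
```

Running lists_directories over the live configuration (cat /etc/apache2/apache2.conf /etc/apache2/sites-enabled/* | lists_directories) is a quick audit of an existing server. ServerTokens Prod and ServerSignature Off in /etc/apache2/conf-available/security.conf additionally stop the server from advertising its exact version on error pages and in the Server header.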
Testing
To verify that the changes have been applied, simply reload the web site (you may need to clear your browser's cache):
http://localhost
Firewall
Configuration
Install iptables-persistent so the rules survive a reboot:
sudo apt-get install iptables-persistent
Start the service using the command:
sudo service iptables-persistent start
Accept or deny ports according to need. Order matters: iptables evaluates the INPUT chain from top to bottom and stops at the first match, so the specific REJECT for 10.0.0.254 has to come before the general ACCEPT for port 80, and the catch-all DROP must be last (a rule appended after it is never reached). The first two rules keep loopback traffic and the replies to the server's own outbound connections (DNS lookups, apt-get, the scp backup described below) working; without them the DROP rule would discard those replies.
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 10.0.0.254 --dport 80 -j REJECT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -j DROP
Save the rules so iptables-persistent restores them at boot:
sudo iptables-save | sudo tee /etc/iptables/rules.v4
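As an added example (not part of the original page), the rule set above kept in one small table, a function that renders it as iptables commands, and a first-match evaluator that answers "what happens to this packet" without touching a live firewall. It exists to make the ordering point testable: the same six rules in the page's original order (catch-all DROP before the REJECT) would never reach the REJECT. The loopback and ESTABLISHED rules are the additions explained above; the rest are the page's rules.

```shell
#!/bin/sh
# Added example (not part of the original page): the INPUT rules of this
# page in the order iptables needs, plus a first-match evaluator. iptables
# stops at the first matching rule, so the specific REJECT must precede the
# general ACCEPT for port 80 and the catch-all DROP must be last.

# One rule per line: PROTO SRC DPORT STATE TARGET  ('any' or '-' = unrestricted)
rules() {
    cat <<'EOF'
any any        -  ESTABLISHED ACCEPT
any 127.0.0.1  -  -           ACCEPT
tcp 10.0.0.254 80 -           REJECT
tcp any        22 -           ACCEPT
tcp any        80 -           ACCEPT
any any        -  -           DROP
EOF
}

# to_iptables -> the same table as iptables commands (loopback becomes -i lo)
to_iptables() {
    rules | awk '{
        cmd = "iptables -A INPUT"
        if ($4 == "ESTABLISHED") cmd = cmd " -m conntrack --ctstate ESTABLISHED,RELATED"
        if ($2 == "127.0.0.1") cmd = cmd " -i lo"; else if ($2 != "any") cmd = cmd " -s " $2
        if ($1 != "any") cmd = cmd " -p " $1
        if ($3 != "-") cmd = cmd " --dport " $3
        print cmd " -j " $5
    }'
}

# verdict PROTO SRC DPORT STATE -> target of the first rule matching the packet
verdict() {
    rules | awk -v p="$1" -v s="$2" -v d="$3" -v st="$4" '
        ($1 == "any" || $1 == p) && ($2 == "any" || $2 == s) &&
        ($3 == "-" || $3 == d) && ($4 == "-" || $4 == st) { print $5; exit }'
}

# apply -> flush INPUT, load the rules, save them for iptables-persistent (root)
apply() {
    iptables -F INPUT && to_iptables | sh -e &&
    iptables-save > /etc/iptables/rules.v4
}
```

verdict tcp 10.0.0.254 80 NEW returns REJECT and verdict udp 10.0.0.55 53 ESTABLISHED returns ACCEPT (a DNS reply to the server's own query); move the DROP line to the top of rules and every verdict becomes DROP, which is exactly what the page's original order did to the REJECT rule. The evaluator models the loopback rule by source address; the generated command uses -i lo, which is the right match on a real host.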
Backup
Why do we need a backup? Backups of the web server's HTML page are taken at fixed intervals so the page is never lost and can be hosted from another host (another IP address) if the web server fails.
Configuration
Generate a key pair for the web server's user (without sudo, so the key belongs to the user whose crontab runs the backup rather than to root):
ssh-keygen -t rsa
Create the .ssh directory on the backup host:
ssh anirudh@10.0.0.180 mkdir -p .ssh
Append the web server's public key to the backup host's authorized keys:
cat .ssh/id_rsa.pub | ssh anirudh@10.0.0.180 'cat >> .ssh/authorized_keys'
Compress the page into an archive kept on the server:
tar -cvpzf minutebackup.tar.gz /var/www/adeptmaster.com/sample.html
A cron job (crontab -e, as the same user) takes the backup every minute. The archive has to be complete before it is copied, so both steps go on one line joined by &&; two separate every-minute entries would run at the same moment and could copy a half-written archive:
* * * * * tar -cpzf /home/priyesh/minutebackup.tar.gz /var/www/adeptmaster.com/sample.html && scp -q /home/priyesh/minutebackup.tar.gz anirudh@10.0.0.180:/home/anirudh/backup/
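As an added example (not part of the original page), the per-minute backup as one script: it builds the archive, writes a SHA-256 checksum beside it, verifies both before anything leaves the server, and only then copies them and re-checks the checksum on the backup host, so a truncated or corrupted copy is detected instead of silently overwriting the last good one. Host and paths are the page's; the dedicated key file name and the local output directory are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original page): the page's per-minute
# backup as one script. Meant for the web user's own crontab (that user owns
# the document root on this page), so no sudo is involved. Host and paths
# are the page's; the key file name and local output directory are assumed.

SRC=${SRC:-/var/www/neunetworks.com}
DEST_HOST=${DEST_HOST:-anirudh@10.0.0.180}
DEST_DIR=${DEST_DIR:-/home/anirudh/backup}
KEY=${KEY:-$HOME/.ssh/backup_rsa}

# make_archive DIR OUTDIR -> prints the archive path; writes <archive>.sha256 next to it
make_archive() {
    out="$2/web-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    tar -czf "$out" -C "$(dirname "$1")" "$(basename "$1")" || return 1
    ( cd "$2" && sha256sum "$(basename "$out")" > "$(basename "$out").sha256" ) || return 1
    echo "$out"
}

# verify_archive ARCHIVE -> 0 when the checksum matches and tar can read it
verify_archive() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 ) &&
        tar -tzf "$1" >/dev/null 2>&1
}

# ship ARCHIVE -> copy archive and checksum with the dedicated key, verify remotely
ship() {
    scp -q -i "$KEY" "$1" "$1.sha256" "$DEST_HOST:$DEST_DIR/" &&
        ssh -i "$KEY" "$DEST_HOST" \
            "cd '$DEST_DIR' && sha256sum -c '$(basename "$1").sha256' >/dev/null"
}

# Stand-alone use from cron: webbackup.sh run
if [ "${1:-}" = run ]; then
    a=$(make_archive "$SRC" "${OUTDIR:-$HOME/backups}") && verify_archive "$a" && ship "$a"
fi
```

A crontab line such as * * * * * /home/priyesh/webbackup.sh run >> /home/priyesh/webbackup.log 2>&1 replaces the two entries on the page; generating the key with ssh-keygen -t rsa -f ~/.ssh/backup_rsa and restricting it on the backup host with a command= option in authorized_keys keeps a compromised web server from using it for anything but the copy.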
Algorithm and Flow chart
Algorithm
1. A client tries to connect to the network.
2. Client sends an IP address request to DHCP server.
3. If DHCP request is successful, DHCP server will reply with an IP address
Else DHCP will reply with ‘request fail.’ In this case, re-connect or contact network administrator for help.
4. Client wants to access the web page.
if domain name is correct, a request will be sent to DNS for IP address of the domain.
DNS will reply with IP address of the website.
else if DNS reply fails An error message will be displayed saying, ‘server not found.’
else if URL entered is wrong An error message will be displayed saying, ‘webpage unavailable.’
Retry
5. The client has reached the web server and sends it an HTTP request.
if the request is successful, Web page will be displayed
else Error message like ‘no data received’ will be displayed.
Retry
Flow Chart
Add Ons Implemented
Virtual Private Network (VPN)
A virtual private network extends a private network across a public network such as the Internet. It lets a client connect over the public network and behave as if it were directly attached to the private network, while keeping the private network's functionality, security and management policies. Resources are accessed the same way as from inside the private network.
Configuration
Install the package 'pptpd':
sudo apt-get install pptpd
Edit /etc/pptpd.conf and set the server-side address and the pool handed to VPN clients. Note that 10.0.0.100-200 is also the DHCP pool on this page; pptpd assigns from its pool independently of the DHCP server, so the two ranges should not overlap or a VPN client and a LAN client can end up with the same address:
sudo nano /etc/pptpd.conf
localip 10.0.0.99
remoteip 10.0.0.100-200
Edit /etc/ppp/pptpd-options to give the clients the DNS servers:
sudo nano /etc/ppp/pptpd-options
ms-dns 10.0.0.55
ms-dns 10.0.0.56
Set the user name and password in /etc/ppp/chap-secrets (fields: client name, server name, secret, allowed IP addresses):
sudo nano /etc/ppp/chap-secrets
vpn pptpd user *
Caveat: PPTP authenticates with MS-CHAPv2, whose handshake can be recovered offline by anyone who captures it, and its MPPE encryption is keyed from that same exchange, so it should not be relied on for confidentiality; OpenVPN or IPsec are the usual replacements.
Testing
On the client machine, create a new VPN connection with the VPN server as gateway and the user name and password created above.
MAIL server
A mail server receives, sends and delivers e-mail messages between computers. In Linux it runs as a mail daemon.
Configuration
To implement the mail server we used the Postfix mail service.
sudo apt-get update
sudo apt-get install postfix
Change the configuration in /etc/postfix/main.cf (at least myhostname, mydomain and mynetworks; keep mynetworks limited to 127.0.0.0/8 and the 10.0.0.0/24 LAN so the server does not relay mail for arbitrary hosts). Then telnet to the server on port 25 and send a mail by hand:
telnet <mail server IP address> 25
HELO <client hostname>
MAIL FROM:<sender address>
RCPT TO:<recipient address>
DATA
(enter the message, then a line containing only a dot)
.
QUIT
NTP
Configuration
In the server:
Install ntp and ntpdate: sudo apt-get install ntp ntpdate
To have the time server send the time to the other machines, edit /etc/ntp.conf on the server and add a line for your network. The broadcast address of the 10.0.0.0/24 network used on this page is 10.0.0.255 (10.255.255.255 would be the broadcast address of 10.0.0.0/8):
broadcast 10.0.0.255
Client:
Install ntp and ntpdate: sudo apt-get install ntp ntpdate
Edit /etc/ntp.conf and add a line with the NTP server's address:
server <NTP server IP address>
Restart ntp on the server and the client:
sudo service ntp restart
Testing
To check that ntp is working and which peer has been selected:
ntpq -c lpeers
NETWORK FILE SYSTEM (NFS)
NFS lets a client mount a directory exported by a server over the network and use it like a local directory. Unlike FTP, which transfers copies of files, the client works on the server's files in place.
Configuration
Install the NFS server:
sudo apt-get install nfs-kernel-server
Make the directory to share:
sudo mkdir /home/anirudh/sharing
Make the shared directory writable by everyone (this is what makes it "public to all"; on a production server prefer a dedicated group):
sudo chmod 777 /home/anirudh/sharing
Clients only need to traverse the home directory above it, so execute permission for others is enough; a world-writable home directory would let any local user drop files in it:
sudo chmod 755 /home/anirudh
Edit the exports file and list the directory with the network allowed to mount it. The options in parentheses matter: without rw the export is read-only, and root_squash keeps a client's root from acting as root on the server:
sudo nano /etc/exports
/home/anirudh/sharing 10.0.0.0/24(rw,sync,root_squash,no_subtree_check)
Export the directories and restart the server:
sudo exportfs -a
sudo service nfs-kernel-server restart
Client end commands
Make a directory named test to serve as the mount point for the server's share:
mkdir test
Mount the server's directory on test (the server address and the exported path are separated by a colon):
sudo mount -t nfs 10.0.0.180:/home/anirudh/sharing test
List the mounted directory to confirm the server's files are visible and check whether writing works:
ls -la test
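As an added example (not part of the original page), the exports line above together with a small audit of an /etc/exports file for the settings that matter on a LAN share: an export to every host, no_root_squash (a client's root becomes root on the server's files), insecure (mounts accepted from unprivileged ports, so any local user on a client can impersonate the client) and a missing rw/ro, which is what the page's original line without options had. The sample exports file is constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original page): an exports line for the
# share on this page limited to 10.0.0.0/24, and an audit of an exports
# file for dangerous options. The sample file in the test is constructed.

# safe_exports -> the line this page's share should carry
safe_exports() {
    echo '/home/anirudh/sharing 10.0.0.0/24(rw,sync,root_squash,no_subtree_check)'
}

# audit_exports FILE -> one finding per line on stdout; exit 1 when there are any
audit_exports() {
    findings=$(awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {        # each "client(options)" entry
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "" || client == "*")
                    print path ": exported to every host"
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    print path ": no_root_squash for " client
                if (opts ~ /(^|,)insecure(,|$)/)
                    print path ": insecure (unprivileged source ports) for " client
                if (opts !~ /(^|,)(rw|ro)(,|$)/)
                    print path ": no rw/ro given for " client " (defaults to ro)"
            }
        }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# reload_exports -> re-export everything and show what the kernel serves (root)
reload_exports() {
    exportfs -ra && exportfs -v
}
```

audit_exports /etc/exports before reload_exports catches a share that was opened to the world or to remote root by a typo; exportfs -v afterwards prints the effective options, including the defaults the kernel filled in.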
Network Information Service (NIS)
NIS is used in smaller networks to distribute administrative information such as user accounts, passwords, groups and hosts from a server to its clients, so that a user can log in on any client of the NIS domain with the same NIS user name and password. Loosely, NIS works like DNS in that clients ask a server for a named record, but it serves a single administrative domain rather than the Internet. The NIS server holds the maps and the administrative tools for the network. Note that the passwd map NIS serves contains the password hashes of every user and can be read by any host allowed to bind to the domain, which is why the access restriction in ypserv.securenets (step 7) is essential.
Configuration of NIS
1. Configuration of NIS server access control
sudo nano /etc/hosts.allow
In this file add the following line, listing the hosts allowed to reach the NIS daemons:
portmap ypserv ypbind : <list of client IP addresses>
2. Installation of NIS
sudo apt-get install portmap nis
3. Modifying the portmap file
sudo nano /etc/default/portmap
Check the ARGS line. On the server it must not read ARGS="-i 127.0.0.1", which would bind portmap to the loopback interface only and keep NIS clients from reaching ypserv; leave that line commented out.
4. Modifying the NIS file
sudo nano /etc/default/nis
Change the NISSERVER line to NISSERVER=master
5. Modifying the yp.conf file
sudo nano /etc/yp.conf
Here we add a server line, as follows (the NIS domain name itself is held in /etc/defaultdomain):
domain <domainname> server <servername>
6. Modifying the Makefile
sudo nano /var/yp/Makefile
Here the value of MINGID is set to 1
7. Modifying the securenets file
sudo nano /etc/ypserv.securenets
Add a line restricting access to the local network, written as netmask followed by network, for example 255.255.255.0 10.0.0.0 for the network on this page, and make sure the 0.0.0.0 0.0.0.0 line, which grants access to every host, has been removed.
8. Building the database
sudo /usr/lib/yp/ypinit -m
9. Finally restart portmap and the NIS server
sudo /etc/init.d/portmap restart
sudo /etc/init.d/nis restart
Integration
We used Ubuntu Linux to implement DHCP, DNS, the web server, the firewall and the backup, on the 10.0.0.0/24 network; 10.0.0.1 is the default gateway and 10.0.0.255 the broadcast address.
All the devices are connected to the network through a switch.
The DHCP server assigns reserved addresses to the DNS master (10.0.0.55), the DNS slave (10.0.0.56) and the web server (10.0.0.65), and an address between 10.0.0.100 and 10.0.0.200 to the client.
After receiving its address, the client opens a web browser and requests 10.0.0.65; the web page is displayed.
The client can also reach the page with the URL www.adeptmaster.com: the DNS server in the network resolves the name to the web server's address and the page is displayed.