Data Networking/Fall 2016/DUNS

Team:

1. Sandeep Balaji

2. Akinade Oladipupo

3. Udaykarthik Muruganand

4. Naeem Elham


Motivation:


The motivation is to design an internetwork, using the standard files and commands of Ubuntu, that is capable of most of the functions of the Internet. The services implemented are DNS, DHCP, a web server, a firewall and backup. The DNS server holds the zone for the web server. The DHCP server behaves dynamically and provides IPv4 and IPv6 addresses to clients. The web server hosts and maintains the web page. The firewall provides the access control; redundancy comes from the slave DNS server and the backup server. Everything is implemented on Linux.


Behavior of Protocols:


(1.) DNS

A name server is a server, implemented in hardware or software, that answers name lookups against a directory service. The DNS server resolves a domain name such as yahoo.com or google.com to its public IP address, and can also return the name servers that are authoritative for that name. A DNS server can also act as a forwarding and caching server: answers obtained from upstream resolvers are cached, so a later lookup of the same name is answered locally and the client sees lower latency. In this project the DNS server is implemented with BIND9. To achieve redundancy and constant availability, a master and slave configuration is used: the slave pulls copies of the forward and reverse zones from the master by zone transfer, and the master notifies the slave when a zone changes, so both servers answer with the same records. Both DNS servers have static IP addresses: clients and the DHCP server point at the resolver by address, so a resolver whose address changed would simply stop being reachable.

(2.) DHCP Dynamic Host Configuration Protocol (DHCP IPV4 & IPV6)

Understanding the DHCP protocol

DHCP is a client/server protocol which dynamically assigns IP addresses to hosts in a network. It also provides the client with configuration information such as the subnet mask, default gateway and DNS servers. DHCP supports both static and dynamic allocation. The DHCP server assigns addresses automatically within the network, which removes the tedious work of assigning addresses manually, especially in a network with a lot of hosts.

Static Allocation: a certain IP address is reserved for a specific device in the network, e.g. a router or a server. It is achieved by binding the IP address to the device's MAC address in the server configuration, so the device always gets the same address whenever it connects to the network. The MAC address is not authenticated, so any host that spoofs it receives the reserved address: a reservation is a convenience, not an access control.

Dynamic Allocation: the DHCP server leases addresses to devices from a pre-defined pool of addresses, for a limited lease time that the client must renew.

Behavior of the protocol: it is a client-server architecture. The server assigns IP addresses, subnet mask and gateway to clients from the pool of addresses given to it. When a DHCP client contacts the server by sending a DHCP message, the server processes it based on the current binding state of the client.

Types of DHCP messages and their use (as defined in RFC 2131, reference 4):

DHCPDISCOVER - Client broadcast to locate available servers.

DHCPOFFER - Server to client in response to DHCPDISCOVER with offer of configuration parameters.

DHCPREQUEST - Client message to servers either:

I. requesting offered parameters from one server and implicitly declining offers from all others

II. confirming correctness of previously allocated address after, e.g., system reboot, or

III. extending the lease on a particular network address.

DHCPACK - Server to client with configuration parameters, committed network address.

DHCPNAK - Server to client indicating client's notion of network address is incorrect (e.g., client has moved to new subnet) or client's lease has expired.

DHCPDECLINE - Client to server indicating network address is already in use.

DHCPRELEASE - Client to server relinquishing network address and cancelling remaining lease.

DHCPINFORM - Client to server, asking only for local configuration parameters; client already has externally configured network address.

(3.) Webserver and Firewall

The web server hosts the website. The website can be static or dynamic depending on its configuration; here the site is static. The web server runs on Linux, using Apache2, a popular web server that is installed with the Ubuntu package manager. The other component, added with security in mind, is the firewall. The Linux firewall (iptables) filters in both directions: it can drop traffic arriving at the web server (the INPUT chain) and traffic leaving it (the OUTPUT chain), and a rule can match on source or destination address, protocol and port. The rules therefore decide which hosts may reach the services provided by the web server and which are denied.

(4.) Backup:

In order to keep a copy of the web server's content on a remote machine in case of failure or loss, we use a backup server. The backup should be automated, periodic and incremental. For copying we use rsync, which transfers only the files that changed since the last run. The transfer goes over ssh, and the web server's public key is installed on the backup server so that no password has to be entered on each run. The job is scheduled with crontab; the period we use is every thirty minutes, but any period can be scheduled. Note that a file defaced on the web server is copied to the backup within the same period, so keep dated copies of changed files if the backup is also meant to recover from a compromise, not only from a disk failure.


Add Ons:

(1.) NFS:

NFS is a distributed file sharing protocol that lets a server export directories which clients mount over the network, so the same files are available to all connected hosts.

It reduces storage space, since shared files and folders live only on the server and are accessed through the directory mounted from it. With the default AUTH_SYS security used here, NFS trusts the client's IP address and the numeric user IDs the client presents, so access to an export is only as strong as the network around it.

(2.) IPSec VPN

In order to have secure communication between two hosts over an untrusted network we use IPsec. Here IPsec runs in transport mode: every IP packet exchanged between the two hosts is encrypted and authenticated with ESP, so a logical protected channel exists between the two endpoints without a separate tunnel interface.


Installation Steps:


[1] DNS:

Step.1)

Install the BIND9 package on the Ubuntu machine:

• sudo apt-get install bind9

• Type Y (for yes) to proceed with the installation

Step.2)

Configure the hosts file so that the server knows its own name and address:

• sudo nano /etc/hosts

Add

• <IP address of the DNS server> <fully qualified domain name> <short host name (optional)>

Step.3)

Configure the network interface to assign yourself a static IP address, in /etc/network/interfaces (sudo nano /etc/network/interfaces).

Add the stanza for the Ethernet interface as:

auto ens33

iface ens33 inet static

address <IP address to be assigned>

netmask <netmask>

network <network address>

broadcast <broadcast address>

gateway <gateway IP address>

dns-nameservers <static IP address of this DNS server>

Optional, for IPv6:

iface ens33 inet6 static

address <IPv6 address to be assigned>

netmask <IPv6 prefix length, e.g. 64>

Step.4)

Do a network restart by:

sudo /etc/init.d/networking restart

Step.5)

Do an interface restart by:

sudo ifdown ens33

sudo ifup ens33

Step.6)

If the interface is not activated by these procedures:

Try rebooting the system by sudo reboot command

Step.7)

Configure the nameserver in resolv.conf:

sudo nano /etc/resolv.conf

Enter the details of your nameserver:

nameserver <static IP address of DNS server>

search <your domain name>

Note that on Ubuntu /etc/resolv.conf is generated by resolvconf and is overwritten on the next network restart; the dns-nameservers line in /etc/network/interfaces (Step 3) is what makes the setting persistent. The domain and search keywords are mutually exclusive (the last one in the file wins), so only search is needed.

Step.8)

Configure named.conf.options:

• Open the file with

sudo nano /etc/bind/named.conf.options

• Edit the forwarders section to list the upstream resolvers (your ISP's or a public resolver) to which queries for names outside your own zones are sent. Do not list this server's own address, which would make it forward queries to itself, and list the gateway only if the gateway actually runs a resolver. Restrict recursion to your own networks with allow-recursion; otherwise the server is an open resolver that anyone on the Internet can use for DNS amplification.
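As an added example (not the project's own file), a complete /etc/bind/named.conf.options for the master that applies these points. The upstream resolver addresses (documentation range) and the lab prefixes are assumptions; the IPv6 prefix is the /64 of the AAAA record entered in Step 10:

```conf
acl "lab" {
        127.0.0.1;
        ::1;
        10.110.0.0/24;                 // assumed IPv4 lab network
        2001:db8:85a3:12a::/64;        // the /64 of the AAAA record in Step 10
};

options {
        directory "/var/cache/bind";

        // Upstream resolvers for names outside our own zones (assumed
        // documentation-range addresses: use your ISP's). Never list this
        // server's own address here: it would forward queries to itself.
        forwarders {
                203.0.113.53;
                203.0.113.54;
        };

        // Recursion only for the lab; anything wider makes this an open
        // resolver usable for DNS amplification against third parties.
        recursion yes;
        allow-recursion { lab; };

        // Authoritative answers for example.com stay available to anyone,
        // but nobody may copy whole zones unless a zone statement says so.
        allow-query { any; };
        allow-transfer { none; };

        dnssec-validation auto;
        listen-on-v6 { any; };
};
```

Check the file with named-checkconf before restarting. Afterwards a dig from an address outside the acl must still be answered for example.com but get status REFUSED for any other name; if it is answered, recursion is open.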

Step.9)

Configure the named.conf.local file by the command:

• Open the file by :

sudo nano /etc/bind/named.conf.local

• Add the forward zone for the DNS server as:

zone "example.com" {

type master;

file "/etc/bind/db.example";

allow-transfer { <IP address of slave/secondary DNS>; };

};

• Add the reverse zone for IPv4 in the DNS server as:

zone "0.110.10.in-addr.arpa" {

type master;

file "/etc/bind/db.10";

allow-transfer { <IP address of slave/secondary DNS>; };

};

• Add the reverse zone for IPv6 addresses in the DNS server as. The origin is the nibble-reversed /64 prefix of the AAAA record in Step 10, 2001:db8:85a3:12a::/64; note that the group 12a is 012a when written out in full, which gives the nibbles below:

zone "a.2.1.0.3.a.5.8.8.b.d.0.1.0.0.2.ip6.arpa" {

type master;

file "/etc/bind/db.2001";

allow-transfer { <IP address of slave DNS>; };

};

allow-transfer limits who may copy a whole zone (AXFR); without it anyone on the network can enumerate every record in the zone.

Step.10)

Create a database file to create the records for the forward zone:

• Copy the contents of db.local to db.example by:

sudo cp /etc/bind/db.local /etc/bind/db.example

• Edit the content and enter the records for the forward zone. The NS record must name a host that has an A record in this zone (ns below). BIND sends zone-change notifications only to the hosts named in NS records, so add an NS record (and an A record) for the slave as well, or the slave will only poll at the Refresh interval, which with the values below is 604800 s, one week. Increase the serial on every edit, otherwise the slave does not pick up the change:

; BIND data file for example.com

$TTL 604800

@ IN SOA example.com. root.example.com. (

2 ; Serial

604800 ; Refresh

86400 ; Retry

2419200 ; Expire

604800 ) ; Negative Cache TTL

@ IN NS ns.example.com.

@ IN A 10.110.0.11

@ IN AAAA 2001:0db8:85a3:12a:1ddd:8a2e:37:7311

ns IN A 10.110.0.12

Step.11)

Similarly, create a database file for both IPv4 and IPv6 addresses for reverse lookup:

• Create a file db.10 in the directory of /etc/bind/

• Edit the content of the zone file as (the owner of each PTR record is the last octet of the address, relative to the zone origin 0.110.10.in-addr.arpa; each PTR must point back to the name that owns the matching A record in db.example):

$TTL 604800

@ IN SOA example.com. root.example.com. (

2 ; Serial

604800 ; Refresh

86400 ; Retry

2419200 ; Expire

604800 ) ; Negative Cache TTL

@ IN NS ns.example.com.

11 IN PTR example.com.

12 IN PTR ns.example.com.

Step.12)

Similarly for IPv6 addresses, follow the steps as for the previous file, and when editing the contents of db.2001 enter the PTR record for the AAAA address 2001:0db8:85a3:12a:1ddd:8a2e:37:7311. The owner name is the address written as 32 reversed nibbles; because the zone origin already covers the first 16 nibbles (the /64 prefix), only the last 16 need to be written when the name is relative (no trailing dot). The PTR points back to the name that owns the AAAA record in db.example (example.com.):

$TTL 604800

@ IN SOA example.com. root.example.com. (

2 ; Serial

604800 ; Refresh

86400 ; Retry

2419200 ; Expire

604800 ) ; Negative Cache TTL

@ IN NS ns.example.com.

1.1.3.7.7.3.0.0.e.2.a.8.d.d.d.1 IN PTR example.com.

; the same record written as an absolute name (must end in the zone origin, or BIND ignores it as out-of-zone data):
; 1.1.3.7.7.3.0.0.e.2.a.8.d.d.d.1.a.2.1.0.3.a.5.8.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR example.com.
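Hand-written nibble names are easy to get wrong: the zone origin and the PTR owner must agree nibble for nibble, and a group such as 12a has to be expanded to 012a first. The following POSIX shell script is an added example, not part of the original project; it derives the reverse-zone origins and the PTR records from the forward addresses, so db.10 and db.2001 can be generated from the same host list as db.example. The function names are mine, and the host list in the demo at the bottom is constructed from the zone files above.

```sh
#!/bin/sh
# Added example (not part of the original project): derive reverse-zone names
# and PTR records from forward addresses so the reverse zones stay consistent
# with db.example. Pure POSIX sh + coreutils; BIND is not required to run it.

# expand_ipv6 ADDR -> the address as 32 lowercase hex nibbles ("::" and
# leading zeros expanded), e.g. 2001:db8::1 -> 20010db8000000000000000000000001
expand_ipv6() {
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$addr" in
        *::*) left=${addr%%::*}; right=${addr#*::} ;;
        *)    left=$addr;        right= ;;
    esac
    groups=""; nleft=0; nright=0
    old_ifs=$IFS; IFS=':'
    for g in $left;  do groups="$groups $g"; nleft=$((nleft + 1)); done
    for g in $right; do nright=$((nright + 1)); done
    IFS=$old_ifs
    # "::" stands for as many zero groups as are needed to reach 8
    case "$addr" in *::*)
        missing=$((8 - nleft - nright))
        while [ "$missing" -gt 0 ]; do groups="$groups 0"; missing=$((missing - 1)); done ;;
    esac
    old_ifs=$IFS; IFS=':'
    for g in $right; do groups="$groups $g"; done
    IFS=$old_ifs
    hex=""
    for g in $groups; do                      # pad every group to 4 nibbles
        hex="$hex$(printf '%4s' "$g" | tr ' ' '0')"
    done
    printf '%s\n' "$hex"
}

# reversed_nibbles HEX N -> the first N nibbles of HEX, reversed, dot-separated
reversed_nibbles() {
    out=""; i=0
    while [ "$i" -lt "$2" ]; do
        c=$(printf '%s' "$1" | cut -c $((i + 1)))
        if [ -z "$out" ]; then out=$c; else out="$c.$out"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# ip6_arpa_name ADDR      -> absolute PTR owner name for one address
# ip6_arpa_zone ADDR PLEN -> reverse zone origin for the prefix (PLEN multiple of 4)
# ip6_ptr_owner ADDR PLEN -> owner name relative to that zone (the host nibbles)
ip6_arpa_name() { printf '%s.ip6.arpa\n' "$(reversed_nibbles "$(expand_ipv6 "$1")" 32)"; }
ip6_arpa_zone() { printf '%s.ip6.arpa\n' "$(reversed_nibbles "$(expand_ipv6 "$1")" $(($2 / 4)))"; }
ip6_ptr_owner() {
    full=$(reversed_nibbles "$(expand_ipv6 "$1")" 32)
    zone=$(reversed_nibbles "$(expand_ipv6 "$1")" $(($2 / 4)))
    printf '%s\n' "${full%.$zone}"           # strip the zone suffix
}

# in_addr_arpa_zone A.B.C.D -> reverse zone origin for the /24 (C.B.A.in-addr.arpa)
in_addr_arpa_zone() {
    old_ifs=$IFS; IFS='.'; set -- $1; IFS=$old_ifs
    printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1"
}

# ptr_records PLEN6 < "address fqdn" lines -> one PTR record per line, owner
# names relative to the zone origin (IPv4 assumes a /24 reverse zone)
ptr_records() {
    while read -r addr fqdn; do
        [ -n "$addr" ] || continue
        case "$addr" in
            *:*) owner=$(ip6_ptr_owner "$addr" "$1") ;;
            *)   owner=${addr##*.} ;;
        esac
        printf '%s\tIN\tPTR\t%s.\n' "$owner" "$fqdn"
    done
}

# Stand-alone use ("sh reverse.sh demo"): hosts constructed from the zone files above.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' '10.110.0.11 example.com' '10.110.0.12 ns.example.com' | ptr_records 24
    printf '%s\n' '2001:0db8:85a3:12a:1ddd:8a2e:37:7311 example.com' | ptr_records 64
    ip6_arpa_zone 2001:0db8:85a3:12a:1ddd:8a2e:37:7311 64
fi
```

The output of ip6_arpa_zone is what goes into the zone statement in named.conf.local, and the ptr_records lines go below the SOA and NS records of db.10 and db.2001; feeding the same host list to both sides is what keeps forward and reverse lookups in agreement.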


Step.13)

After setting up the Reverse zones, restart bind9 by:

sudo /etc/init.d/bind9 restart

Step.14)

Check the status of the bind9 service for any errors:

sudo systemctl status bind9

Step.15)

On the second Ubuntu machine, follow the steps from 1 to 8.

Step.16)

Edit the named.conf.local file for the Secondary or slave DNS server by:

sudo nano /etc/bind/named.conf.local

Add the details of the zone file as:


zone "example.com" {

type slave;

file "/var/lib/bind/db.example.com";

masters { <IP address of master DNS server>; };

};

zone "0.110.10.in-addr.arpa" {

type slave;

file "/var/lib/bind/db.10";

masters { <IP address of master DNS Server>; };

};


zone "a.2.1.0.3.a.5.8.8.b.d.0.1.0.0.2.ip6.arpa" {

type slave;

file "/var/lib/bind/db.2001";

masters { <IP address of master DNS server>; };

};

The zone names must match the master's exactly (the IPv6 origin is the reversed /64 of the AAAA record). On the slave the zone files are written under /var/lib/bind, because that is the directory the named process is allowed to write to on Ubuntu; /etc/bind is read-only for it.

Step.17)

Restart the bind9 service by: sudo /etc/init.d/bind9 restart

Step.18)

Check the bind9 service for any errors by: sudo systemctl status bind9


[2] DHCP:


IPV4 Configuration

Step.1)

Install the DHCP package

• sudo apt-get install isc-dhcp-server

Step.2)

Open the dhcpd.conf file using the following command and configure it (subnet, address range, options and any host reservations):

• sudo nano -w /etc/dhcp/dhcpd.conf

Step.3)

Check the file for syntax errors before starting the service; dhcpd refuses to start on a bad configuration, and also when no subnet declaration matches the address of the interface it serves:

• sudo dhcpd -t -cf /etc/dhcp/dhcpd.conf

Step.4)

Assign an interface for which the server will lease out ip address from:

• sudo nano /etc/default/isc-dhcp-server and set the option INTERFACES="ens33"


Step.5)

Assign a static IPv4 address to the ens33 interface of the DHCP server (the same kind of stanza as in DNS Step 3). The server must not be a DHCP client on the interface it serves, and its address must lie in the subnet declared in dhcpd.conf.

• sudo nano /etc/network/interfaces

Step.6)

Bring the interface up with: sudo ifup ens33

Step.7)

Restart the isc-dhcp-server service: sudo service isc-dhcp-server restart

Check status: sudo systemctl status isc-dhcp-server
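The dhcpd.conf that Step 2 leaves unspecified, as an added example (not the project's own file). It shows both allocation modes described earlier: a dynamic pool and a MAC-keyed reservation. The pool range, the gateway, the lease times and the reserved host's MAC and address are assumptions; the DNS server addresses are the ones from the zone file in the DNS section:

```conf
# /etc/dhcp/dhcpd.conf  (added example; addresses other than the DNS servers are assumed)
authoritative;                  # send DHCPNAK to clients asking for addresses this server does not own
default-lease-time 600;
max-lease-time 7200;

# Options every client receives: point clients at the lab's own resolvers
option domain-name "example.com";
option domain-name-servers 10.110.0.11, 10.110.0.12;

# Dynamic allocation: the pool for ordinary clients
subnet 10.110.0.0 netmask 255.255.255.0 {
    range 10.110.0.100 10.110.0.200;
    option routers 10.110.0.1;              # assumed gateway
    option broadcast-address 10.110.0.255;
    # deny unknown-clients;                 # uncomment to lease only to hosts with a reservation below
}

# Static allocation (reservation): this host always gets .13, keyed on its MAC
host webserver {
    hardware ethernet 00:0c:29:aa:bb:cc;    # assumed MAC of the web server
    fixed-address 10.110.0.13;
}
```

The authoritative line matters on a lab network with more than one DHCP server: without it the server stays silent when a client asks to renew an address from a foreign range, and the client keeps it. The reservation only binds an address to a MAC that the client itself reports, so it does not stop a host that spoofs that MAC from taking the address.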


IPV6 Configuration

Step.1)

Install the router advertisement daemon (radvd )

• sudo apt-get install radvd

Step.2)

Create and configure radvd.conf file as follows

• sudo nano /etc/radvd.conf

Step.3)

Create and configure the DHCPv6 server configuration file as follows (the IPv6 instance of isc-dhcp-server reads /etc/dhcp/dhcpd6.conf):

• sudo nano /etc/dhcp/dhcpd6.conf

Step.4)

Assign a static IPv6 address to the ens33 interface of the DHCP server.

• sudo nano /etc/network/interfaces

Step.5)

Enable IPv6 forwarding; radvd warns (and older versions refuse to start) when it runs on a host that does not forward IPv6.

• sudo nano /etc/sysctl.conf

Step.6)

Add the following lines (no trailing semicolon) and apply them with sudo sysctl -p:

• net.ipv6.conf.all.forwarding=1

• net.ipv6.conf.default.forwarding=1

Step.7)

Restart the radvd service and the DHCPv6 server (on Ubuntu 16.04 the IPv6 instance is a separate service, isc-dhcp-server6):

• sudo service radvd restart

• sudo service isc-dhcp-server6 restart

Check status:

• sudo systemctl status radvd

• sudo systemctl status isc-dhcp-server6
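The two files Steps 2 and 3 create, as an added example (not the project's own files). The prefix is the /64 of the AAAA record in the DNS section and the DNS server address is that AAAA record; the pool range and lease times are assumptions:

```conf
# /etc/radvd.conf : the router advertisement announces the prefix and sets the
# M and O flags, so hosts fetch their address and DNS from DHCPv6 instead of SLAAC
interface ens33
{
    AdvSendAdvert on;
    AdvManagedFlag on;          # M: obtain the address via DHCPv6
    AdvOtherConfigFlag on;      # O: obtain DNS and other options via DHCPv6
    prefix 2001:db8:85a3:12a::/64
    {
        AdvOnLink on;
        AdvAutonomous off;      # no SLAAC addresses; the DHCPv6 server assigns them
    };
};

# /etc/dhcp/dhcpd6.conf : the DHCPv6 server (started as isc-dhcp-server6)
default-lease-time 600;
max-lease-time 7200;
option dhcp6.name-servers 2001:db8:85a3:12a:1ddd:8a2e:37:7311;   # the DNS server's AAAA
option dhcp6.domain-search "example.com";

subnet6 2001:db8:85a3:12a::/64 {
    range6 2001:db8:85a3:12a::100 2001:db8:85a3:12a::1ff;       # assumed pool
}
```

Two points that differ from IPv4: the DHCPv6 server only starts if ens33 already has a static address inside that /64 (Step 4), and DHCPv6 carries no router option, so the clients' default route comes from radvd's advertisement, not from dhcpd6.conf. Any host on the link can send such advertisements, so on a shared network an attacker's RA hijacks the clients' default route; RA guard on the switch is the usual countermeasure.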


[3] Webserver:


Step 1.)

Install Apache2 Webserver

Command: - sudo apt-get install apache2

Step 2.)

Check whether the web server is listening on the HTTP port (port 80)

Command: - sudo ss -tlnp | grep ':80' (or sudo netstat -tlnp | grep ':80')

Step 3.)

Restart the Webserver

i.) STOP

Command: - sudo /etc/init.d/apache2 stop

ii.) START

Command: - sudo /etc/init.d/apache2 start


Step.4)

Edit the webpage (html file)

Command: - cd /var/www/html

sudo nano index.html


[4] Firewall:

1.) Block ICMP echo requests (ping) from a given host:

Command: - sudo iptables -A INPUT -s <IP address of the host to block> -p icmp --icmp-type echo-request -j DROP

2.) Block the FTP ports:

Command: - sudo iptables -A INPUT -p tcp --dport 20 -j DROP

sudo iptables -A INPUT -p tcp --dport 21 -j DROP

3.) Block the TELNET port:

Command: - sudo iptables -A INPUT -p tcp --dport 23 -j DROP

4.) Restrict SSH login from one host:

Command: -

sudo iptables -A INPUT -s <IP address of the client> -d <IP address of this server> -p tcp --dport 22 -j DROP

5.) Block a host from reaching the web page:

Command: -

sudo iptables -A INPUT -s <IP address of the client> -d <IP address of this server> -p tcp --dport 80 -j DROP

Notes: -s is the source (the client being blocked) and -d the destination (this server); option names take two dashes (--dport, --icmp-type). -A appends, so a rule placed after an existing ACCEPT for the same traffic never matches; list the chain with sudo iptables -L INPUT -v -n --line-numbers to see the order and the packet counters. Rules live in kernel memory only and are gone after a reboot unless saved (the iptables-persistent package restores them at boot). These rules cover IPv4 only; the same filtering for IPv6 traffic needs ip6tables.
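Blocking one unwanted service at a time leaves every port that nobody thought of open. The script below is an added example (not the project's own script) of the usual alternative: allow what the web server offers, then drop everything else by policy. The interface name ens33 and the single administration host 10.110.0.12 that may use SSH are assumptions; with DRY_RUN=1 it prints the rules instead of applying them, which is also how it is tested.

```sh
#!/bin/sh
# Added example (not the project's own script): a default-deny firewall for the
# web server instead of one DROP rule per unwanted service. Assumptions not on
# the page: the server's LAN interface is ens33 and the only host allowed to
# SSH in is 10.110.0.12. Run as root; set DRY_RUN=1 to print the rules instead.
WEB_IF=${WEB_IF:-ens33}
ADMIN_HOST=${ADMIN_HOST:-10.110.0.12}

# ipt ARGS...: apply one iptables command, or print it when DRY_RUN=1
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# apply_firewall: rebuild the INPUT chain. ACCEPT rules go in first and the
# DROP policy is set last, so an existing SSH session is never cut off halfway.
apply_firewall() {
    ipt -P INPUT ACCEPT                     # temporarily open while the chain is rebuilt
    ipt -F INPUT

    ipt -A INPUT -i lo -j ACCEPT
    # replies to connections this host opened itself (DNS, apt, rsync to the backup server)
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # the services this host actually offers
    ipt -A INPUT -i "$WEB_IF" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -i "$WEB_IF" -p tcp --dport 22 -s "$ADMIN_HOST" -m conntrack --ctstate NEW -j ACCEPT

    # keep ping working but rate-limit it rather than dropping it blindly
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT

    # log (rate-limited) what the policy is about to drop; this is what the testing step looks at
    ipt -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "fw-drop: "

    # everything not matched above: FTP (20/21), telnet (23) and any other port
    ipt -P INPUT DROP
}

# Rules are lost at reboot; persist them with the iptables-persistent package
# after checking the result with: iptables -L INPUT -v -n
if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```

Run it as sh firewall.sh apply; a first run with DRY_RUN=1 sh firewall.sh apply shows exactly what will be installed. The same chain is needed in ip6tables for the IPv6 addresses handed out by DHCPv6, otherwise the server is open on IPv6 while closed on IPv4.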


[5] Backup:

Step 1.)

Install rsync in Webserver and Backup server

Command: - sudo apt-get install rsync

Step 2.)

Transfer the files to the backup server. -a is archive mode (recursive, preserving permissions, ownership and times), -v is verbose, -z compresses the data in transit and --progress shows the progress of each file (rsync's -p means preserve permissions, which -a already includes). Without a trailing slash on the source, rsync creates an html directory inside the destination folder.

Command: - sudo rsync -avz --progress /var/www/html backupserver@<IP>:/<destination folder>

Step 3.)

Install SSH

Command: - sudo apt-get install openssh-server

Step 4.)

Create public and private key

Command: - ssh-keygen

Step 5.)

Copy the public key to the backup server. The job runs from root's crontab, so it is root's key that is installed. Because that key then logs in unattended, restrict it on the backup server: in the backup account's ~/.ssh/authorized_keys, prefix the key with a forced command (for example command="rrsync /<destination folder>", using the rrsync helper script distributed with rsync) and no-port-forwarding,no-pty, so a key stolen from the web server can only write into the backup directory and cannot open a shell.

Command: - ssh-copy-id -i /root/.ssh/id_rsa.pub backupserver@<IP address>

Step 6.)

Use crontab to automate the task and edit the crontab file as follows

Command: - crontab -e (choose your editor)

Add a single line (schedule and command on the same line; the first field, */30, means every thirty minutes):

*/30 * * * * rsync -avzh -e ssh /var/www/html backupserver@<IP>:/<destination folder>

Anything the job prints is mailed to the crontab's owner, so either drop -v and -h from the scheduled job or redirect its output to a log file.
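Two things the plain cron line lacks: a lock, so that a slow run and the next one cannot overlap, and a way to prove that the copy really matches the source. The script below is an added example (not the project's own script); the source tree /var/www/html, the backup account backup@10.110.0.20, the destination /srv/backup/www and the dedicated key /root/.ssh/backup_key are assumed names.

```sh
#!/bin/sh
# Added example (not the project's own script). Adds to the cron job above a
# lock so two 30-minute runs cannot overlap, and an integrity check that proves
# the copy matches the source. Assumed names (not from the page): source tree
# /var/www/html, backup account backup@10.110.0.20, destination /srv/backup/www
# and a dedicated key /root/.ssh/backup_key.
SRC=${SRC:-/var/www/html}
DEST=${DEST:-backup@10.110.0.20:/srv/backup/www}
KEY=${KEY:-/root/.ssh/backup_key}
LOCK=${LOCK:-/run/lock/www-backup}

# run_backup: mirror SRC to DEST over ssh. Files that change or disappear on the
# web server are kept in a dated sibling directory on the backup host, so a
# defacement or wipe that gets mirrored within 30 minutes can still be undone.
run_backup() {
    if ! mkdir "$LOCK" 2>/dev/null; then    # mkdir is atomic: a portable lock
        echo "backup already running" >&2
        return 1
    fi
    rsync -az --delete \
        --backup --backup-dir="../www.$(date +%Y%m%d%H%M)" \
        -e "ssh -i $KEY -o BatchMode=yes -o StrictHostKeyChecking=yes" \
        "$SRC/" "$DEST/"
    rc=$?
    rmdir "$LOCK"
    return $rc
}

# file_hash FILE -> hex SHA-256 of the file's content
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum < "$1"; else shasum -a 256 < "$1"; fi |
        cut -d' ' -f1
}

# tree_digest DIR -> one "hash path" line per regular file, sorted by path
tree_digest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(file_hash "$f")" "$f"
    done )
}

# verify_backup SRC_DIR COPY_DIR -> 0 when every file matches, 1 otherwise
# (the differing paths are printed). Use it on the backup host against a digest
# list produced on the web server, or locally against an NFS mount of the copy.
verify_backup() {
    a=$(mktemp); b=$(mktemp)
    tree_digest "$1" > "$a"
    tree_digest "$2" > "$b"
    if cmp -s "$a" "$b"; then rc=0; else diff "$a" "$b"; rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

case "${1:-}" in
    run)    run_backup ;;
    verify) verify_backup "$2" "$3" ;;
esac
```

The cron line then becomes */30 * * * * /usr/local/sbin/backup.sh run, and verify compares two directory trees by content rather than by timestamps, which is what catches a copy that silently stopped updating. BatchMode=yes makes ssh fail instead of hanging on a password prompt when the key is missing, and StrictHostKeyChecking=yes refuses to connect to a host whose key changed, so the backup cannot be redirected to an impostor.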


[6] NFS(Add-on):

1. Configuring the NFS server:

Install nfs-kernel-server

sudo apt-get install nfs-kernel-server

Create a directory for the files to be mounted:

sudo mkdir /export

sudo mkdir /export/shared

Make the directory writable for the clients (a group-writable directory with the setgid bit set is a tighter alternative: chmod 777 also lets every local user on the server write to it):

sudo chmod 777 /export/shared

Edit the file /etc/exports by:

sudo nano /etc/exports

Include the line at the end of the file. There must be no space between the client address and the option list: with a space, "<client> (rw,...)" exports read-only to the client and read-write, with no_root_squash, to the whole world:

/export/shared <IP address of the client>(rw,sync,no_root_squash)

no_root_squash lets root on the client act as root on the exported directory; it is only needed when the client must create root-owned files, so use root_squash (the default) unless that is required.

Create a file in the /export/shared directory:

cd /export/shared

touch <name of the file>

Reboot the system:

sudo reboot

Restart the server (a reboot is not actually needed; sudo exportfs -ra re-reads /etc/exports and the restart applies it):

sudo service nfs-kernel-server restart

2. Configuring the client:

Install nfs-common

sudo apt-get install nfs-common

Mount the exported directory on the client (the server side is written as <server>:<exported directory>):

sudo mount -t nfs <server IP address>:/export/shared /<client mount point>

To mount it automatically at boot, add a line to /etc/fstab:

<server IP address>:/export/shared /<client mount point> nfs defaults 0 0

then mount everything listed in /etc/fstab (this is what mount -a does; a reboot is not needed):

sudo mount -a


[7] IPSec VPN (Add-0n):


Step 1.) Install strongSwan on both computers

Command: - sudo apt-get install strongswan

(this pulls in strongswan-starter; ipsec-tools is the separate racoon/setkey suite and is not needed for strongSwan)

Step 2.) Edit the connection definition on both sides

Command: - sudo nano /etc/ipsec.conf

On comp2 swap the left and right addresses (strongSwan treats the side whose address is local as its own, so the unchanged file also works, but swapping keeps it readable):

conn comp1-to-comp2

authby=secret

auto=route

keyexchange=ikev2

left=<IP of comp1>

right=<IP of comp2>

type=transport

ike=aes128gcm16-prfsha256-ecp256!

esp=aes128gcm16!

auto=route installs a trap policy: the SA is negotiated when the first matching packet appears, and until it is up such packets are dropped rather than sent in the clear. keyexchange=ikev2 pins the IKE version explicitly (keyexchange=ike, as originally written, leaves the choice to strongSwan's default). The ! after a proposal restricts the connection to exactly that cipher suite instead of also accepting the defaults; the original file set only esp=, which left the IKE proposal at the defaults.

Step 3.) Create the file which holds the PSK

Command: - sudo nano /etc/ipsec.secrets

The same line is used on comp2 (both peers must hold the same secret):

<IP of comp1> <IP of comp2> : PSK "<long random secret>"

The PSK is the only thing that authenticates the peers, so generate it with a CSPRNG (32 bytes or more, e.g. from /dev/urandom) instead of choosing a password, and keep ipsec.secrets readable by root only.

Step 4.) Restart IPsec on both sides

Command: - sudo ipsec restart

Step 5.) To test, send large pings from comp1 (the 4048-byte payload exceeds the MTU, so it also shows that ESP handles fragmented packets)

Command: - ping -s 4048 <IP of comp2>

Step 6.) On comp2 run the following command

Command: - watch ipsec statusall


Testing:

1.) DNS Testing

• dig command:

o This command performs a query for a domain name and displays the result in detail, including which server answered. Query your own server directly to test the zone rather than the forwarder: dig @10.110.0.11 example.com A for the forward zone, dig @10.110.0.11 -x 10.110.0.11 for the reverse zone, and dig @<slave IP> example.com SOA to confirm that the slave carries the same serial as the master.

o Example:

dig redhat.com

Output should be like:

; <<>> DiG 9.7.3-RedHat-9.7.3-2.el6 <<>> redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62863
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 3

;; QUESTION SECTION:
;redhat.com. IN A

;; ANSWER SECTION:
redhat.com. 37 IN A 209.132.183.81

;; AUTHORITY SECTION:
redhat.com. 73 IN NS ns4.redhat.com.
redhat.com. 73 IN NS ns3.redhat.com.
redhat.com. 73 IN NS ns2.redhat.com.
redhat.com. 73 IN NS ns1.redhat.com.

;; ADDITIONAL SECTION:
ns1.redhat.com. 73 IN A 209.132.186.218
ns2.redhat.com. 73 IN A 209.132.183.2
ns3.redhat.com. 73 IN A 209.132.176.100

;; Query time: 13 msec
;; SERVER: 209.144.50.138#53(209.144.50.138)
;; WHEN: Thu Jan 12 10:09:49 2012
;; MSG SIZE  rcvd: 164

• nslookup command:

o This command is used to resolve the query of the IP addresses or domain name and provides the non-authoritative domain name of the website.

o Example :

nslookup redhat.com

Output:

Server: <Your DNS Server>

Address: 129.XXX.XXX.XXX

Non-authoritative answer:

Name: redhat.com

Address: 209.132.183.105

• Ping command:

o Pinging the domain name or the DNS server's IP address is a good check of availability: a ping by name that succeeds shows the resolver works, while a ping by IP that succeeds when the name fails points at DNS rather than the network.

o Example:

ping redhat.com

Output (shown here from a Windows client; Linux ping prints "64 bytes from ..." lines instead):

Pinging redhat.com [209.132.183.105] with 32 bytes of data:


Reply from 209.132.183.105: bytes=32 time=74ms TTL=235

Reply from 209.132.183.105: bytes=32 time=75ms TTL=235

Reply from 209.132.183.105: bytes=32 time=81ms TTL=235

Reply from 209.132.183.105: bytes=32 time=75ms TTL=235

Ping statistics for 209.132.183.105:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 74ms, Maximum = 81ms, Average = 76ms

• Checking the zone files is a good way to verify the BIND configuration, database and records. Run named-checkconf first for the configuration files, then named-checkzone for each zone:

named-checkconf

named-checkzone example.com /etc/bind/db.example

Output should be like:

zone example.com/IN: loaded serial 6

OK

named-checkzone 0.110.10.in-addr.arpa /etc/bind/db.10

Output should be like:

zone 0.110.10.in-addr.arpa/IN: loaded serial 3

OK

[ Note: the serial number can vary ]

• Check that the zone files have been transferred to the slave (they appear under /var/lib/bind) and contain the updated records; the serial in the slave's SOA must match the master's.

• Also check the system log (journalctl -u bind9, or /var/log/syslog) for errors such as "not loaded due to errors" or a failed transfer.

2.) DHCP Testing

cat /var/lib/dhcp/dhcpd.leases on the server shows the leases the DHCP server has assigned (hardware address, lease times, client hostname). On a client, sudo dhclient -v ens33 shows the DISCOVER/OFFER/REQUEST/ACK exchange, and the server's side of the same exchange appears in its log (journalctl -u isc-dhcp-server).

3.) Webserver

The web server can be tested by opening a browser on the local machine and entering the local IP address or "localhost"; from another host on the network use the server's address or the name served by the DNS server. If the intended web page opens, the web server is up and running.

4.) Firewall

Test each rule from the client it applies to, and not only with ping: ping exercises only the ICMP rule, so a client that still receives ping replies proves nothing about the TCP rules. Use the service itself (the browser, or a connection attempt to the port,

for the HTTP, SSH, telnet and FTP rules) and confirm on the server that the packet counter of the matching rule increases (sudo iptables -L INPUT -v -n). If the client is refused and the counter grows, the firewall is working; if the client gets through, check the rule order, since an earlier ACCEPT rule wins over a later DROP.

5.) Backup

The files are sent to the backup server every thirty minutes. If the content is changed on the web server, the change can be seen on the backup side after the next run; rsync -n (a dry run that lists the differences) confirms that the two trees match.

6.) NFS

When a file in the server's exported directory is created or updated, the client's mounted directory shows the change.

7.) IPSec VPN

Watching ipsec statusall while the ping runs shows the established IKE_SA and CHILD_SA with their byte counters increasing, which proves the traffic is going through the VPN; a packet capture on the wire (tcpdump -ni ens33 esp) shows ESP packets instead of ICMP.


References:

1.] www.youtube.com

2.] www.google.com

3.] https://help.ubuntu.com/

4.] https://www.ietf.org/rfc/rfc2131.txt

5.] http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/hints-daemons-radvd.html

6.] http://wiki.hill.com/wiki/index.php?title=Image:DHCP.jpg


Books:

1.] Computer Networking [Sixth Edition]-James F. Kurose, Keith W. Ross