# **PART 1 — Create the ddns.imn topology**

### **1. Copy the TP22 topology**

`cp ~/SCR.3.2/TP22/dns1.imn ~/SCR.3.2/TP04/ddns.imn`

### **2. Open ddns.imn in IMUNES**

In IMUNES:

`File → Open → ddns.imn`

### **3. Machine roles**

| Machine | Role |
| ----- | ----- |
| osiris | DNS server (bind9) |
| isis | DHCP server |
| eno, owt, host1, host2… | DHCP clients |

---
# **PART 2 — Prepare the DNS files on osiris**

### **1. Copy the DNS files from TP22 to TP04**

```bash
mkdir -p ~/SCR.3.2/TP04/DNS
cp ~/SCR.3.2/TP22/*.zone ~/SCR.3.2/TP04/DNS/
cp ~/SCR.3.2/TP22/named.conf.local ~/SCR.3.2/TP04/DNS/
```

And rename them:

`mv named.conf.local osiris.named.conf.local`

### **2. Edit the zone files**

Very important:

Keep only **osiris** and **isis** in the zone.

Remove **eno**, **owt**, etc. (those machines will be added by DHCP). Do the same in the reverse zone file (`osiris.db.rev`): keep only the PTR records of osiris and isis.

Example:

`osiris.db.tp.scr`

```
$TTL 86400
@       IN SOA  osiris.tp.scr. admin.tp.scr. (
                1       ; serial
                3H      ; refresh
                1H      ; retry
                1W      ; expire
                1D )    ; minimum

@       IN NS   osiris.tp.scr.
osiris  IN A    192.168.1.158
isis    IN A    192.168.1.2
```

### **Move the files into /var/lib/bind (required by the lab)**

```bash
sudo cp osiris.db.tp.scr /var/lib/bind/db.tp.scr
sudo cp osiris.db.rev /var/lib/bind/db.1.168.192
```

Why not /etc/bind?

Because `named` runs as the **bind** user, which has no write permission on `/etc/bind` but **does** on `/var/lib/bind`. A zone that accepts dynamic updates has to be writable by named: it records each accepted update in a journal (`db.tp.scr.jnl`, beside the zone file) and periodically rewrites the zone file itself. One consequence: once named is running, do not hand-edit a dynamic zone file; use `rndc freeze tp.scr`, edit, then `rndc thaw tp.scr`, otherwise the file and the journal disagree and named refuses to load the zone.

---
# **PART 3 — Generate and install the TSIG key**

### **1. On osiris, generate the key:**

`tsig-keygen -a md5 tp.scr-key > ddns.key`

`ddns.key` now holds a `key "tp.scr-key" { algorithm hmac-md5; secret "…"; };` statement. The same syntax is read by both `named` and `dhcpd`, which is why one file can be included on both sides; the key name (`tp.scr-key`) and the secret must be identical character for character on osiris and isis. The lab uses HMAC-MD5; outside the lab use the `tsig-keygen` default, hmac-sha256, which both bind9 and ISC dhcpd accept.

### **2. Copy the key into the right directories**

```bash
sudo cp ddns.key /etc/bind/
sudo cp ddns.key /etc/dhcp/
```

### **3. Protect the key (mandatory)**

```bash
sudo chown root:bind /etc/bind/ddns.key
sudo chmod 640 /etc/bind/ddns.key

sudo chown root:bind /etc/dhcp/ddns.key
sudo chmod 640 /etc/dhcp/ddns.key
```

The secret is a shared symmetric secret: anyone who can read it can sign updates that osiris will accept for the whole zone. The goal is therefore that only root and the `bind` user (which `named` drops to after start-up) can read it, and that no world-readable copy is left behind, including the `ddns.key` generated in your working directory. On isis, `dhcpd` is started as root in this lab, so the file only needs to be readable by root; the `root:bind` ownership is harmless there but not what protects it.

---
# **PART 4 — Configure BIND9 (osiris)**

Edit `/etc/bind/named.conf.local`:

`sudo nano /etc/bind/named.conf.local`

Put:

```
include "/etc/bind/ddns.key";

zone "tp.scr" {
    type master;
    file "/var/lib/bind/db.tp.scr";
    allow-update { key tp.scr-key; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.1.168.192";
    allow-update { key tp.scr-key; };
};
```

`allow-update { key tp.scr-key; };` means: accept a dynamic update for this zone only if it carries a valid TSIG signature made with that key; unsigned updates and updates signed with any other key are refused. Run `named-checkconf` (and `named-checkzone tp.scr /var/lib/bind/db.tp.scr`) before starting named to catch typos in the configuration or the zone files.
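`allow-update` with a key grants the holder of that key (isis, and anyone who obtains the secret) the right to add or delete any record in the zone, including the SOA, the NS record and osiris's own A record. BIND's `update-policy` statement narrows what a key may change. The fragment below is an added alternative for the two zone statements above, written for this page and not part of the lab (which asks for `allow-update`): it lets `tp.scr-key` add or remove only A and DHCID records under `tp.scr` and only PTR records under the reverse zone. DHCID is included because dhcpd with `ddns-update-style standard` writes a DHCID record beside each A record; if you grant only A, dhcpd's forward updates are refused. `allow-update` and `update-policy` cannot both appear in one zone, so this replaces the line rather than adding to it.

```conf
include "/etc/bind/ddns.key";

zone "tp.scr" {
    type master;
    file "/var/lib/bind/db.tp.scr";
    // The key may only add/delete A and DHCID records at names inside this zone.
    update-policy { grant tp.scr-key zonesub A DHCID; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.1.168.192";
    // The key may only add/delete PTR records inside the reverse zone.
    update-policy { grant tp.scr-key zonesub PTR; };
};
```

With this policy a leaked key can still register or remove host names, but it can no longer change the apex records or repoint the name server, which is the part of the damage that `allow-update` leaves open.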

---

# **PART 5 — Configure DHCP (isis)**

### **Edit `/etc/dhcp/dhcpd.conf`**

`sudo nano /etc/dhcp/dhcpd.conf`

Put:

```
include "/etc/dhcp/ddns.key";

ddns-update-style standard;
update-static-leases on;

option domain-name "tp.scr";
option domain-name-servers 192.168.1.158;   # osiris

zone tp.scr. {
    primary 192.168.1.158;
    key tp.scr-key;
}

zone 1.168.192.in-addr.arpa. {
    primary 192.168.1.158;
    key tp.scr-key;
}

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.11 192.168.1.200;
    option routers 192.168.1.254;
}
```

How the pieces fit: `ddns-update-style standard` enables RFC 2136 updates (and has dhcpd record a DHCID record next to each A record it creates); the two `zone` statements tell dhcpd which server (osiris) receives the forward and reverse updates and which key signs them; `option domain-name` is the suffix appended to the hostname the client sends in its DHCP `host-name` option, so a client that sends no hostname gets an address but no DNS entry. Note that osiris's own address, 192.168.1.158, lies inside the pool 192.168.1.11 to 192.168.1.200: dhcpd skips a pool address only if its ping probe gets an answer, so in a real deployment keep the static servers out of the range. Check the file with `dhcpd -t` before starting the server.

---
# **PART 6 — Start the services in debug mode**

### **1. DNS (osiris)**

`sudo named -u bind -g`

`-g` keeps named in the foreground with its log on the terminal; `-u bind` drops privileges to the bind user once the sockets are open. Wait for the start-up log (each zone should be reported as loaded with its serial), then leave this terminal open: the update messages of Parts 7 and 8 appear here.

---

### **2. DHCP (isis)**

First create the leases file:

`sudo touch /var/lib/dhcp/dhcpd.leases`

Start DHCP:

`sudo dhcpd -d`

Once a client asks for an address (Part 7) you should see:

* DHCPDISCOVER
* DHCPOFFER
* DHCPREQUEST
* DHCPACK
* then: **Forward update → osiris**

---
# **PART 7 — Tests on a client**

### **1. Check before DHCP**

```bash
sudo himage eno ip a
sudo himage eno cat /etc/resolv.conf
```

### **2. Request an address**

`sudo himage eno dhclient -v eth0`

### **3. Check on the DNS side**

On osiris (whose log is live in the terminal) you will see:

```
approved update: add eno.tp.scr A 192.168.1.X
approved update: add X.1.168.192.in-addr.arpa PTR eno.tp.scr
```

### **4. Test DNS**

```bash
sudo himage eno dig eno.tp.scr
sudo himage eno dig -x 192.168.1.X
```

Both queries go to osiris because dhclient has rewritten eno's `/etc/resolv.conf` from the `domain-name-servers` option (compare with the output of step 1). The reverse query exercises the PTR update, so check both.

---
# **PART 8 — Test a key error (required by the lab)**

### **On isis → deliberately alter the key**

In `/etc/dhcp/ddns.key`, change one character of the secret.

Restart:

`sudo dhcpd -d`

### **Expected result:**

* DHCP still works: the client gets its address as before, because the TSIG key only protects the DNS update, not the DHCP exchange.

DNS shows:

`tsig verify failure (BADSIG)`

This is named recomputing the HMAC over the update with its own copy of the secret and obtaining a MAC that does not match; the update is rejected and nothing is written to the zone. (Changing the key *name* instead of the secret gives `BADKEY`, because named then has no key to verify with.)

### **DNS test:**

`dig eno.tp.scr`

→ Result: **NXDOMAIN**

This assumes eno has not been registered yet. An A record added in Part 7 stays in the zone (named keeps accepted updates in its journal) until dhcpd removes it, and with the broken key that removal fails too. So either release eno's lease (`dhclient -r eth0` on eno) before altering the key, or test with a client that has not registered yet, such as owt. Restore the key on isis afterwards.
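What named does when it reports BADSIG, as an added worked example: this is illustration code written for this page, not code from BIND, ISC DHCP or the lab, and the key secret, the timestamps and the packet are constructed (names are handled without DNS compression pointers, which real servers must also accept). It builds the RFC 2136 UPDATE that isis would send to add `eno.tp.scr`, signs it with an HMAC-MD5 TSIG the way dhcpd does (RFC 8945), then verifies it the way osiris does under five conditions: the correct secret (NOERROR), a secret with one character changed as in this part (BADSIG), an update whose body was altered after signing (BADSIG), an unknown key name (BADKEY) and a timestamp outside the fudge window (BADTIME).

```python
"""TSIG-signed DNS UPDATE: signed like dhcpd, verified like named (RFC 2136, RFC 8945).

Added example for this page; not code from BIND or ISC DHCP. Standard library only.
Names are handled uncompressed (no 0xC0 pointers), which is all build_update() emits.
"""
import hashlib
import hmac
import struct
import time

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
ALGORITHMS = {"hmac-md5.sig-alg.reg.int.": hashlib.md5, "hmac-sha256.": hashlib.sha256}


def canon(name):
    """Canonical form used for key names and in the digest: lower-case, one trailing dot."""
    return name.lower().rstrip(".") + "."


def wire_name(name):
    """Canonical, uncompressed wire encoding of a domain name."""
    labels = [lab for lab in canon(name).rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def read_name(buf, off):
    """Decode an uncompressed wire name; returns (name, offset just after it)."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_update(msg_id, zone, records):
    """Unsigned UPDATE (opcode 5) adding A records; records = [(fqdn, ttl, dotted_ipv4)]."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, len(records), 0)
    body = wire_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)  # zone section
    for fqdn, ttl, ip in records:                                    # update section
        rdata = bytes(int(o) for o in ip.split("."))
        body += wire_name(fqdn) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + body


def tsig_variables(keyname, alg, signed_at, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC: name, class ANY, TTL 0, algorithm, time, fudge, error, other."""
    return (wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(alg)
            + signed_at.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(message, keyname, secret, alg, signed_at=None, fudge=300):
    """Append a TSIG RR to an unsigned message: MAC = HMAC(secret, message || TSIG variables)."""
    signed_at = int(time.time()) if signed_at is None else signed_at
    digest = ALGORITHMS[canon(alg)]
    mac = hmac.new(secret, message + tsig_variables(keyname, alg, signed_at, fudge), digest).digest()
    rdata = (wire_name(alg) + signed_at.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac)) + mac
             + message[:2] + struct.pack("!HH", 0, 0))              # original ID, error 0, other len 0
    header = bytearray(message[:12])
    header[10:12] = struct.pack("!H", struct.unpack("!H", message[10:12])[0] + 1)  # ARCOUNT += 1
    tsig_rr = wire_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return bytes(header) + message[12:] + tsig_rr


def split_tsig(signed):
    """Find the trailing TSIG RR; returns (message as before signing, key name, rdata) or None."""
    counts = struct.unpack("!HHHHHH", signed[:12])
    off, start, rtype = 12, None, None
    for _ in range(counts[2]):                          # zone section: name + type + class
        _, off = read_name(signed, off)
        off += 4
    for _ in range(counts[3] + counts[4] + counts[5]):  # prerequisite, update, additional RRs
        start = off
        _, off = read_name(signed, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
        off += 10 + rdlen
    if rtype != TYPE_TSIG:
        return None
    keyname, p = read_name(signed, start)
    header = bytearray(signed[:12])
    header[10:12] = struct.pack("!H", counts[5] - 1)   # ARCOUNT back to its pre-TSIG value
    return bytes(header) + signed[12:start], keyname, signed[p + 10:off]


def verify(signed, keys, now=None):
    """Server-side check; keys = {name: (alg, secret)}. Returns NOERROR, BADKEY, BADSIG or BADTIME."""
    parsed = split_tsig(signed)
    if parsed is None:
        return "FORMERR"
    message, keyname, rdata = parsed
    keys = {canon(k): v for k, v in keys.items()}
    if keyname not in keys:
        return "BADKEY"                                  # no key of that name on the server
    alg, secret = keys[keyname]
    alg_in_msg, p = read_name(rdata, 0)
    if alg_in_msg != canon(alg):
        return "BADKEY"
    signed_at = int.from_bytes(rdata[p:p + 6], "big")
    fudge, macsize = struct.unpack("!HH", rdata[p + 6:p + 10])
    mac = rdata[p + 10:p + 10 + macsize]
    q = p + 10 + macsize
    _, error, other_len = struct.unpack("!HHH", rdata[q:q + 6])
    other = rdata[q + 6:q + 6 + other_len]
    expected = hmac.new(secret, message + tsig_variables(keyname, alg, signed_at, fudge, error, other),
                        ALGORITHMS[canon(alg)]).digest()
    if not hmac.compare_digest(mac, expected):
        return "BADSIG"                                  # secret differs or message altered (Part 8)
    now = int(time.time()) if now is None else now
    if abs(now - signed_at) > fudge:
        return "BADTIME"
    return "NOERROR"


def demo():
    """Constructed scenario: isis registers eno.tp.scr, osiris verifies under five conditions."""
    secret = b"constructed-sample-secret-not-from-tsig-keygen"   # a real one is base64 from tsig-keygen
    alg = "hmac-md5.sig-alg.reg.int."
    update = build_update(0x1234, "tp.scr", [("eno.tp.scr", 3600, "192.168.1.42")])
    signed = sign(update, "tp.scr-key", secret, alg, signed_at=1_700_000_000)
    good = {"tp.scr-key": (alg, secret)}
    one_char_changed = {"tp.scr-key": (alg, secret[:-1] + b"X")}   # what Part 8 does on isis
    tampered = signed.replace(bytes([192, 168, 1, 42]), bytes([192, 168, 1, 99]))
    return (verify(signed, good, now=1_700_000_010),
            verify(signed, one_char_changed, now=1_700_000_010),
            verify(tampered, good, now=1_700_000_010),
            verify(signed, {"other-key": (alg, secret)}, now=1_700_000_010),
            verify(signed, good, now=1_700_000_000 + 3600))


if __name__ == "__main__":
    print(demo())   # ('NOERROR', 'BADSIG', 'BADSIG', 'BADKEY', 'BADTIME')
```

Run it with `python3` to print the five verdicts. The point of the two BADSIG cases is that the MAC covers the whole message plus the TSIG variables, so the server cannot distinguish a wrong secret from a packet modified in transit; either way the update is discarded before anything reaches the zone file, which is exactly the behaviour observed on osiris in this part.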