PART 1 — Create the ddns.imn topology

1. Copy the TP22 topology

cp ~/SCR.3.2/TP22/dns1.imn ~/SCR.3.2/TP04/ddns.imn

2. Open ddns.imn in IMUNES

In IMUNES:

File → Open → ddns.imn

3. Roles of the machines:

Machine                    Role
osiris                     DNS server (bind9)
isis                       DHCP server
eno, owt, host1, host2…    DHCP clients

________________
PART 2 — Preparing the DNS files on osiris

1. Copy the DNS files from TP22 to TP04

mkdir -p ~/SCR.3.2/TP04/DNS
cp ~/SCR.3.2/TP22/*.zone ~/SCR.3.2/TP04/DNS/
cp ~/SCR.3.2/TP22/named.conf.local ~/SCR.3.2/TP04/DNS/

Then rename them (inside ~/SCR.3.2/TP04/DNS):

mv named.conf.local osiris.named.conf.local

2. Edit the zone files

Very important:

Keep only osiris and isis in the zone.
Remove eno, owt, etc. (these machines will be added by DHCP, through signed dynamic updates).

Example:

osiris.db.tp.scr

$TTL 86400
@ IN SOA osiris.tp.scr. admin.tp.scr. (
        1    ; serial
        3H   ; refresh
        1H   ; retry
        1W   ; expire
        1D ) ; minimum

@ IN NS osiris.tp.scr.
osiris IN A 192.168.1.158
isis IN A 192.168.1.2

The serial does not need to be maintained by hand afterwards: named increments it itself for every dynamic update it accepts.

Copy the files to /var/lib/bind (required by the TP)

sudo cp osiris.db.tp.scr /var/lib/bind/db.tp.scr
sudo cp osiris.db.rev /var/lib/bind/db.1.168.192

Why not /etc/bind?

Because named runs as the user bind: it can read /etc/bind but not write to it, whereas /var/lib/bind is writable by bind. A dynamically updated zone needs a writable directory: for every accepted update named appends to a journal (db.tp.scr.jnl) stored next to the zone file, and it periodically rewrites the zone file itself. So the directory and the zone files must be writable by bind; after copying, make the two files owned by the bind user (chown them to bind:bind), otherwise the first update is refused with a file permission error in the logs. Compare the owner and mode of the two directories with ls -ld to see the difference.

________________
PART 3 — Generate and install the TSIG key

1. On osiris, generate the key:

tsig-keygen -a md5 tp.scr-key > ddns.key

tsig-keygen accepts the algorithm name with or without the hmac- prefix, so this produces an hmac-md5 key. What it writes is a named.conf key statement (key "tp.scr-key" { algorithm hmac-md5; secret "..."; };), and dhcpd.conf accepts the same syntax unchanged, which is why one file can be included on both sides. The key name (tp.scr-key) is part of what is signed, so both sides must use it exactly as written. HMAC-MD5 is the legacy TSIG algorithm: outside this TP, leave -a off and take the default, hmac-sha256, which named and dhcpd both support.

2. Copy the key to the right directories

sudo cp ddns.key /etc/bind/
sudo cp ddns.key /etc/dhcp/

/etc/dhcp is on isis: copy the file there, do not run tsig-keygen a second time, since the two copies must hold the same secret.

3. Protect the key (mandatory)

sudo chown root:bind /etc/bind/ddns.key
sudo chmod 640 /etc/bind/ddns.key

sudo chown root:bind /etc/dhcp/ddns.key
sudo chmod 640 /etc/dhcp/ddns.key

The rule is that the secret is readable by the daemon that uses it and by nobody else. named runs as bind, hence the bind group on osiris. On isis, dhcpd is started as root in this TP, so root:root with mode 600 is enough there; the bind group is only meaningful on isis if that container has it. Anyone who can read this file can forge updates to the zone, exactly as dhcpd does.

________________
PART 4 — Configure BIND9 (osiris)

Edit /etc/bind/named.conf.local:

sudo nano /etc/bind/named.conf.local

Put:

include "/etc/bind/ddns.key";

zone "tp.scr" {
    type master;
    file "/var/lib/bind/db.tp.scr";
    allow-update { key tp.scr-key; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.1.168.192";
    allow-update { key tp.scr-key; };
};

allow-update { key tp.scr-key; } means: accept an update only if it carries a valid TSIG signature made with this key. Unsigned updates, and updates signed with another key, are answered with REFUSED. Do not replace the key with an address (allow-update { 192.168.1.2; }): the source address of a UDP packet is trivially spoofed, so that would let any host on the LAN rewrite the zone. The include must appear before the zones that reference the key, and the key name must match the one in the key file. Check the syntax with named-checkconf (and each zone file with named-checkzone) before starting named.

________________
PART 5 — Configure DHCP (isis)

Edit /etc/dhcp/dhcpd.conf

sudo nano /etc/dhcp/dhcpd.conf

Put:

include "/etc/dhcp/ddns.key";

ddns-update-style standard;
update-static-leases on;

option domain-name "tp.scr";
option domain-name-servers 192.168.1.158; # osiris

zone tp.scr. {
    primary 192.168.1.158;
    key tp.scr-key;
}

zone 1.168.192.in-addr.arpa. {
    primary 192.168.1.158;
    key tp.scr-key;
}

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.11 192.168.1.200;
    option routers 192.168.1.254;
}

Notes:

* ddns-update-style standard is the RFC 4702/4703 style, available from ISC DHCP 4.3 onwards (older versions only know interim). With it dhcpd stores, next to the A record, a DHCID record identifying the client, so a different machine that later claims the same name is refused rather than silently overwriting it.
* Each zone statement tells dhcpd where to send the updates (primary) and which key to sign them with (key). Without the key statement the updates go out unsigned and osiris refuses them (PART 4).
* The zone names are written with a trailing dot and without quotes here, unlike in named.conf.local; the key name must be identical on both sides.
* The name dhcpd registers is built from the hostname the client sends (option host-name) and option domain-name. A client that sends no hostname still gets an address but no DNS record.
* Check the file before starting with dhcpd -t.
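Before starting the daemons it is worth checking mechanically that the two copies of ddns.key define the same key and that the zones on both sides refer to a key that is actually defined, since a mismatch only shows up later as BADSIG or BADKEY in the named logs. The script below is an added example for this page, not part of the TP and not a tool shipped with BIND or ISC DHCP. It takes the paths of the two key files plus named.conf.local and dhcpd.conf; its demo() writes those four files to a temporary directory with a constructed secret, then repeats the check with a dhcpd copy in which one base64 character was changed (the PART 8 situation) and that was left world-readable, to show what the check reports in each case.

```python
"""Consistency check for the TSIG key shared by named (osiris) and dhcpd (isis).
Added example for this page, not part of the TP; file names follow PARTS 3 to 5,
the secret used by demo() is constructed."""
import base64
import os
import re
import stat
import tempfile

KEY_BLOCK = re.compile(  # tsig-keygen output: key "name" { algorithm a; secret "b64"; };
    r'key\s+"?([^"\s{]+)"?\s*\{\s*algorithm\s+([\w.-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;')
ALLOW_UPDATE = re.compile(r'allow-update\s*\{([^}]*)\}')       # named.conf.local
DHCP_ZONE = re.compile(r'zone\s+"?([\w.-]+)"?\s*\{([^}]*)\}')   # dhcpd.conf zone blocks
KEY_REF = re.compile(r'\bkey\s+"?([^"\s;]+)"?\s*;')             # key NAME;


def parse_key_file(path):
    """{name: (algorithm, base64 secret)} from a tsig-keygen style key file."""
    with open(path) as f:
        return {n: (a.lower(), s) for n, a, s in KEY_BLOCK.findall(f.read())}


def check_ddns_keys(bind_key, dhcp_key, named_conf, dhcpd_conf):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    bind_keys, dhcp_keys = parse_key_file(bind_key), parse_key_file(dhcp_key)
    for name in sorted(set(bind_keys) | set(dhcp_keys)):
        if name not in bind_keys or name not in dhcp_keys:
            findings.append(f"key {name} is defined on one side only")
            continue
        (b_alg, b_sec), (d_alg, d_sec) = bind_keys[name], dhcp_keys[name]
        if b_alg != d_alg:
            findings.append(f"key {name}: algorithm differs ({b_alg} vs {d_alg}); named would answer BADKEY")
        elif b_sec != d_sec:
            findings.append(f"key {name}: secret differs between the two copies; named would answer BADSIG")
        for sec, path in ((b_sec, bind_key), (d_sec, dhcp_key)):
            try:
                base64.b64decode(sec, validate=True)
            except ValueError:  # binascii.Error is a ValueError
                findings.append(f"key {name}: secret in {path} is not valid base64")
        if b_alg == "hmac-md5":
            findings.append(f"key {name}: hmac-md5 is legacy; tsig-keygen defaults to hmac-sha256")
    with open(named_conf) as f:
        for body in ALLOW_UPDATE.findall(f.read()):
            for ref in KEY_REF.findall(body):
                if ref not in bind_keys:
                    findings.append(f"named.conf.local: allow-update refers to unknown key {ref}")
    with open(dhcpd_conf) as f:
        for zone, body in DHCP_ZONE.findall(f.read()):
            refs = KEY_REF.findall(body)
            if not refs:
                findings.append(f"dhcpd.conf: zone {zone} has no key statement; its updates would be unsigned")
            for ref in refs:
                if ref not in dhcp_keys:
                    findings.append(f"dhcpd.conf: zone {zone} refers to unknown key {ref}")
    for path in (bind_key, dhcp_key):  # PART 3 asks for mode 640: only the daemon may read the secret
        if os.stat(path).st_mode & stat.S_IROTH:
            findings.append(f"{path} is world-readable; expected mode 640 or stricter")
    return findings


# The statements from PARTS 4 and 5 that the check looks at (constructed test input).
NAMED_CONF = """include "/etc/bind/ddns.key";
zone "tp.scr" { type master; file "/var/lib/bind/db.tp.scr"; allow-update { key tp.scr-key; }; };
zone "1.168.192.in-addr.arpa" { type master; file "/var/lib/bind/db.1.168.192"; allow-update { key tp.scr-key; }; };
"""
DHCPD_CONF = """include "/etc/dhcp/ddns.key";
ddns-update-style standard;
zone tp.scr. { primary 192.168.1.158; key tp.scr-key; }
zone 1.168.192.in-addr.arpa. { primary 192.168.1.158; key tp.scr-key; }
"""


def key_file_text(name, alg, secret_b64):
    """Same layout as tsig-keygen writes."""
    return f'key "{name}" {{\n\talgorithm {alg};\n\tsecret "{secret_b64}";\n}};\n'


def demo():
    """Matching copies, then a dhcpd copy with one base64 character changed and mode 644."""
    secret = base64.b64encode(b"constructed-lab-secret-not-real!").decode()  # constructed, not a real key
    altered = ("B" if secret[0] != "B" else "C") + secret[1:]
    results = {}
    with tempfile.TemporaryDirectory() as d:
        def write(fname, text, mode=0o640):
            path = os.path.join(d, fname)
            with open(path, "w") as f:
                f.write(text)
            os.chmod(path, mode)
            return path
        named_conf = write("named.conf.local", NAMED_CONF)
        dhcpd_conf = write("dhcpd.conf", DHCPD_CONF)
        bind_key = write("bind-ddns.key", key_file_text("tp.scr-key", "hmac-sha256", secret))
        good = write("dhcp-ddns.key", key_file_text("tp.scr-key", "hmac-sha256", secret))
        bad = write("dhcp-ddns.key.altered", key_file_text("tp.scr-key", "hmac-sha256", altered), 0o644)
        results["matching copies"] = check_ddns_keys(bind_key, good, named_conf, dhcpd_conf)
        results["altered copy"] = check_ddns_keys(bind_key, bad, named_conf, dhcpd_conf)
    return results
```

On the real machines you would call check_ddns_keys("/etc/bind/ddns.key", "/etc/dhcp/ddns.key", "/etc/bind/named.conf.local", "/etc/dhcp/dhcpd.conf") with the isis files copied next to the osiris ones; the regexes cover the statement forms used in this TP, not the full named.conf or dhcpd.conf grammars.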

________________
PART 6 — Start the services in debug mode

1. DNS (osiris)

sudo named -u bind -g

-g keeps named in the foreground and sends its logs to stderr, which is what lets you watch the updates arrive later; -u bind drops privileges to the bind user after start-up, which is why the zone files and the key had to be made readable (and the zone files writable) by that user in PARTS 2 and 3.

Wait for the start-up logs: both zones (tp.scr and 1.168.192.in-addr.arpa) must be reported as loaded, without errors.

________________

2. DHCP (isis)

First create the leases file:

sudo touch /var/lib/dhcp/dhcpd.leases

Start DHCP:

sudo dhcpd -d

You should see:

* DHCPDISCOVER
* DHCPOFFER
* DHCPREQUEST
* DHCPACK
* then: Forward update → osiris (followed by the reverse update)

If dhcpd stops right after starting, the cause is almost always a configuration error (check with dhcpd -t) or the missing leases file.

________________
PART 7 — Tests on a client

1. Check before DHCP

sudo himage eno ip a
sudo himage eno cat /etc/resolv.conf

(At this point eth0 has no IPv4 address and resolv.conf has no nameserver entry for osiris.)

2. Request an address

sudo himage eno dhclient -v eth0

dhclient sends the node's hostname (eno) in its request; that is the name dhcpd registers, qualified with the domain-name option (tp.scr).

3. Check on the DNS side

On osiris (whose logs are displayed live) you will see lines reporting that the signer tp.scr-key was approved and that the records were added, roughly:

approved update: add eno.tp.scr A 192.168.1.X
approved update: add X.1.168.192.in-addr.arpa PTR eno.tp.scr

4. Test DNS

sudo himage eno dig eno.tp.scr
sudo himage eno dig -x 192.168.1.X

X is the last byte of the address dhclient obtained, in the 11-200 range of the pool. Repeat the two commands of step 1 afterwards: eth0 now has that address and resolv.conf lists search tp.scr and nameserver 192.168.1.158, both pushed by dhcpd.

________________
PART 8 — Testing a key error (mandatory in the TP)

Before altering anything, release the lease obtained in PART 7 (dhclient -r on eno) while the key is still correct: dhcpd then removes eno's A and PTR records. If you skip this, dig keeps answering from the record added in PART 7 and the test proves nothing.

On isis → deliberately alter the key

In /etc/dhcp/ddns.key, change one character of the secret.

Restart:

sudo dhcpd -d

Expected result:

* DHCP still works: the client gets its address, because the lease does not depend on the DNS update
* on isis, dhcpd reports that it could not add the forward map for eno.tp.scr

DNS (osiris) shows:

tsig verify failure (BADSIG)

named recomputed the HMAC over the update with its own copy of the secret, obtained a value different from the one dhcpd sent, and rejected the update: nothing is written to the zone. BADSIG is what a wrong secret gives; a wrong key name or algorithm gives BADKEY instead, and an unsigned update is simply REFUSED.

DNS test:

dig eno.tp.scr

→ Result: NXDOMAIN
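To see why a single changed character in the secret yields BADSIG, and not a garbled record, it helps to sign and verify an update by hand. The Python below is an added example for this page, not the TP's code and not the code of named or dhcpd: it builds the DNS UPDATE that adds eno.tp.scr A 192.168.1.11 to zone tp.scr, signs it with a TSIG key named tp.scr-key as RFC 8945 specifies (HMAC over the message followed by the TSIG variables), and verifies it the way osiris does, returning NOERROR for the matching key, BADSIG for the secret with one base64 character changed (PART 8), BADKEY for an unknown key name, BADTIME for a signature outside the fudge window and REFUSED for an unsigned update (PART 4). The secret, the address 192.168.1.11, the message ID and the timestamp are constructed for the example; it signs with hmac-sha256 rather than the md5 of PART 3, which changes only the hash function, and the tables also carry hmac-md5 so the PART 3 key can be tried.

```python
# TSIG (RFC 8945) signing and verification of a DNS UPDATE in pure Python; added example, constructed key.
import base64
import hashlib
import hmac
import struct
import time

TYPE_A, TYPE_SOA, TYPE_TSIG, CLASS_IN, CLASS_ANY = 1, 6, 250, 1, 255
RCODE_NOERROR, RCODE_REFUSED, RCODE_BADSIG, RCODE_BADKEY, RCODE_BADTIME = 0, 5, 16, 17, 18
ALG_WIRE = {"hmac-md5": "hmac-md5.sig-alg.reg.int", "hmac-sha256": "hmac-sha256"}  # md5 keeps its legacy name
ALG_HASH = {"hmac-md5": hashlib.md5, "hmac-sha256": hashlib.sha256}


def name_wire(name):
    """Domain name in uncompressed, lowercase wire format (the TSIG canonical form)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(buf, off):
    """Parse an uncompressed wire name; return (dotted name, offset after it)."""
    labels = []
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode("ascii"))
        off += 1 + buf[off]
    return ".".join(labels), off + 1


def skip_rr(buf, off, question=False):
    """Advance past one question entry (name, type, class) or one full RR."""
    _, off = read_name(buf, off)
    return off + 4 if question else off + 10 + struct.unpack("!H", buf[off + 8:off + 10])[0]


def build_update(zone, owner, ipv4, msg_id, ttl=300):
    """Minimal DNS UPDATE (opcode 5): zone section plus one 'add A record' RR."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    zone_sec = name_wire(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = name_wire(owner) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_sec + rr


def tsig_variables(key_name, alg, time_signed, fudge, error=0, other=b""):
    """The TSIG variables appended to the message before hashing (RFC 8945 section 4.3.3)."""
    return (name_wire(key_name) + struct.pack("!HI", CLASS_ANY, 0) + name_wire(ALG_WIRE[alg])
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other)) + other)


def sign(msg, key_name, alg, secret, time_signed=None, fudge=300):
    """Append a TSIG RR to msg; MAC = HMAC(secret, msg || TSIG variables)."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, msg + tsig_variables(key_name, alg, time_signed, fudge), ALG_HASH[alg]).digest()
    orig_id, arcount = struct.unpack("!H", msg[:2])[0], struct.unpack("!H", msg[10:12])[0]
    rdata = (name_wire(ALG_WIRE[alg]) + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", orig_id, 0, 0))
    tsig = name_wire(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", arcount + 1) + msg[12:] + tsig


def verify(signed, keys, now=None):
    """keys = {name: (alg, secret)}; return the rcode named would answer with."""
    counts = struct.unpack("!HHHH", signed[4:12])
    if counts[3] == 0:  # no TSIG at all: allow-update { key ...; } refuses the update
        return RCODE_REFUSED
    off = 12
    for section, n in enumerate(counts):  # walk to the last additional RR, which must be the TSIG
        for _ in range(n - (1 if section == 3 else 0)):
            off = skip_rr(signed, off, question=(section == 0))
    key_name, p = read_name(signed, off)
    if struct.unpack("!H", signed[p:p + 2])[0] != TYPE_TSIG:
        return RCODE_REFUSED
    alg_name, p = read_name(signed, p + 10)
    ts_hi, ts_lo, fudge, maclen = struct.unpack("!HIHH", signed[p:p + 10])
    mac, p = signed[p + 10:p + 10 + maclen], p + 10 + maclen
    orig_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    key = keys.get(key_name.lower())
    alg = next((a for a, w in ALG_WIRE.items() if w == alg_name.lower()), None)
    if key is None or alg is None or key[0] != alg:
        return RCODE_BADKEY
    # Rebuild what the signer hashed: original ID, ARCOUNT without the TSIG, TSIG RR stripped.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", counts[3] - 1) + signed[12:off]
    time_signed = (ts_hi << 32) | ts_lo
    expected = hmac.new(key[1], unsigned + tsig_variables(key_name, alg, time_signed, fudge, error, other),
                        ALG_HASH[alg]).digest()
    if not hmac.compare_digest(mac, expected):
        return RCODE_BADSIG
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return RCODE_BADTIME
    return RCODE_NOERROR


KEY_NAME, ALG = "tp.scr-key", "hmac-sha256"
SECRET_B64 = base64.b64encode(b"constructed-lab-secret-not-real!").decode()  # constructed, not a real key


def demo(when=1_700_000_000):
    """The PART 7 and PART 8 scenarios; returns {scenario: rcode}."""
    secret, keys = base64.b64decode(SECRET_B64), {KEY_NAME: (ALG, base64.b64decode(SECRET_B64))}
    altered = base64.b64decode(("B" if SECRET_B64[0] != "B" else "C") + SECRET_B64[1:])  # one char changed on isis
    msg = build_update("tp.scr.", "eno.tp.scr.", "192.168.1.11", msg_id=0x1234)
    good, bad = sign(msg, KEY_NAME, ALG, secret, when), sign(msg, KEY_NAME, ALG, altered, when)
    return {"unsigned": verify(msg, keys, when),
            "matching key": verify(good, keys, when),
            "altered secret": verify(bad, keys, when),
            "unknown key name": verify(good, {"other-key": (ALG, secret)}, when),
            "stale signature": verify(good, keys, when + 3600)}
```

The MAC covers the whole update, so tampering with the record inside a correctly signed message (changing the address, for instance) fails the same way as a wrong secret: BADSIG. That is why allow-update with a key is an integrity and origin check, not just a password.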