RAC Attack - Oracle Cluster Database at Home/RAC Attack 12c/Configure Bind DNS


  1. Enable BIND DNS to start at boot time.
    [root@collabn1 ~]# chkconfig named on
    
  2. Create the empty zone file and grant the named group write access to it and to the /var/named directory.
    [root@collabn1 ~]# touch /var/named/racattack
    [root@collabn1 ~]# chmod 664 /var/named/racattack
    [root@collabn1 ~]# chgrp named /var/named/racattack
    [root@collabn1 ~]# chmod g+w /var/named
    [root@collabn1 ~]# chmod g+w /var/named/racattack
    
  3. Backup the BIND configuration file.
    [root@collabn1 ~]#  cp /etc/named.conf /etc/named.conf.org
    
  4. Run the following command, or edit /etc/named.conf by hand to make the same changes to the named configuration.
    # Edit /etc/named.conf in place: bind the listener to this node's lab address only,
    # limit queries to the lab subnet plus localhost, restrict zone transfers to the lab
    # subnet, and append the two authoritative zone stanzas.  This is GNU sed syntax
    # (-i without a suffix, \n in replacements, $a), matching the RHEL-family host the
    # surrounding chkconfig/service commands assume.  Note that declaring the reverse
    # zone as the whole "in-addr.arpa" makes this server authoritative for the entire
    # reverse tree: reverse lookups for addresses outside the lab ranges are answered
    # from this (empty) zone instead of being resolved -- acceptable for an isolated lab.
    sed -i -e 's/listen-on .*/listen-on port 53 { 192.168.78.51; };/' \
    -e 's/allow-query .*/allow-query     { 192.168.78.0\/24; localhost; };\n        allow-transfer  { 192.168.78.0\/24; };/' \
    -e '$azone "racattack" {\n  type master;\n  file "racattack";\n};\n\nzone "in-addr.arpa" {\n  type master;\n  file "in-addr.arpa";\n};' \
    /etc/named.conf
    
    • The lines modified from the default are shown in bold (in this plain-text copy the bold formatting is not visible; the changed lines are listen-on, allow-query, allow-transfer and the two zone stanzas appended at the end).
    options {
           listen-on port 53 { 192.168.78.51; };
           listen-on-v6 port 53 { ::1; };
           directory       "/var/named";
           dump-file       "/var/named/data/cache_dump.db";
           statistics-file "/var/named/data/named_stats.txt";
           memstatistics-file "/var/named/data/named_mem_stats.txt";
           allow-query     { 192.168.78.0/24; localhost; };
           allow-transfer  { 192.168.78.0/24; };
           recursion yes;
    
           dnssec-enable yes;
           dnssec-validation yes;
           dnssec-lookaside auto;
    
           /* Path to ISC DLV key */
           bindkeys-file "/etc/named.iscdlv.key";
    
           managed-keys-directory "/var/named/dynamic";
    };
    
    logging {
           channel default_debug {
                   file "data/named.run";
                   severity dynamic;
           };
    };
    
    zone "." IN {
           type hint;
           file "named.ca";
    };
    
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    
    zone "racattack" {
     type master;
     file "racattack";
    };
    
    zone "in-addr.arpa" {
     type master;
     file "in-addr.arpa";
    };
    
  5. Create the zone file for the racattack domain on collabn1 by running the following command:

    (Copy & Paste the whole box)

    # Forward zone "racattack" (the file name matches the zone stanza in /etc/named.conf).
    # Owner names and SOA/NS targets without a trailing dot are relative to the zone
    # origin (collabn1 -> collabn1.racattack).  Record lines must start in column 0:
    # a leading space or tab means "same owner as the previous record", so the 4-space
    # indentation shown here is presumably wiki formatting and must not end up in the
    # file.  Increase the SOA serial (101) on every later edit so any secondary
    # (collabn2 is listed as an NS) reloads the zone.
    echo '$TTL 3H
    @       IN SOA  collabn1        hostmaster      (
                                            101   ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
                    NS      collabn1
                    NS      collabn2
    localhost       A       127.0.0.1
    collabn1        A       192.168.78.51
    collabn1-vip    A       192.168.78.61
    collabn1-priv   A       172.16.100.51
    collabn2        A       192.168.78.52
    collabn2-vip    A       192.168.78.62
    collabn2-priv   A       172.16.100.52
    collabn-cluster-scan     A       192.168.78.251
    collabn-cluster-scan     A       192.168.78.252
    collabn-cluster-scan     A       192.168.78.253' \
    > /var/named/racattack
    
  6. Create the reverse zone file on collabn1.

    (Copy & Paste the whole box)


    # Reverse zone.  The named.conf stanza declares it as "in-addr.arpa", so each PTR
    # owner is the reversed address relative to that origin (51.78.168.192 ->
    # 51.78.168.192.in-addr.arpa, i.e. 192.168.78.51).  The trailing dot on every
    # target name is required: without it "collabn1.racattack" would have the
    # in-addr.arpa origin appended.  As in the forward zone, record lines must start
    # in column 0 -- do not paste the display indentation into the file.
    echo '$TTL 3H
    @       IN SOA  collabn1.racattack.        hostmaster.racattack.      (
                                            101   ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
                    NS      collabn1.racattack.
                    NS      collabn2.racattack. 
    
    51.78.168.192   PTR     collabn1.racattack.
    61.78.168.192   PTR     collabn1-vip.racattack.
    51.100.16.172   PTR     collabn1-priv.racattack.
    52.78.168.192   PTR     collabn2.racattack.
    62.78.168.192   PTR     collabn2-vip.racattack.
    52.100.16.172   PTR     collabn2-priv.racattack.
    251.78.168.192  PTR     collabn-cluster-scan.racattack.
    252.78.168.192  PTR     collabn-cluster-scan.racattack.
    253.78.168.192  PTR     collabn-cluster-scan.racattack.' \
    > /var/named/in-addr.arpa
    
  7. Generate the rndc.key file.
    [root@collabn1 ~]# rndc-confgen -a -r /dev/urandom
     wrote key file "/etc/rndc.key"
    
    chgrp named /etc/rndc.key
    chmod g+r /etc/rndc.key
    
  8. Restart the named service.
    [root@collabn1 ~]# service named restart
     Stopping named:                                            [  OK  ]
     Starting named:                                            [  OK  ]
    
  9. Check that PEERDNS is set to no in /etc/sysconfig/network-scripts/ifcfg-eth2, so that the DHCP client does not overwrite /etc/resolv.conf:
    DEVICE=eth2
    TYPE=Ethernet
    UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
    ONBOOT=yes
    NM_CONTROLLED=yes
    BOOTPROTO=dhcp
    HWADDR=xx:xx:xx:xx:xx
    DEFROUTE=yes
    PEERDNS=no
    PEERROUTES=yes
    IPV4_FAILURE_FATAL=yes
    IPV6INIT=no
    NAME="System eth2"
    USERCTL=no
    

    Note (Yury): I found that the following two parameters should also be set to no: DEFROUTE=no, PEERROUTES=no

  10. If PEERDNS was previously set to yes, restart the network service and verify that /etc/resolv.conf now contains the correct nameservers:
    [root@collabn1 ~]# service network restart
    Shutting down interface eth0:                              [  OK  ]
    Shutting down interface eth1:                              [  OK  ]
    Shutting down interface eth2:                              [  OK  ]
    Shutting down loopback interface:                          [  OK  ]
    Bringing up loopback interface:                            [  OK  ]
    Bringing up interface eth0:                                [  OK  ]
    Bringing up interface eth1:                                [  OK  ]
    Bringing up interface eth2:
    Determining IP information for eth2... done.
                                                              [  OK  ]
    
  11. /etc/resolv.conf should contain:
    [root@collabn1 ~]#  cat /etc/resolv.conf
    ; generated by /sbin/dhclient-script
    nameserver 192.168.78.51
    nameserver 192.168.78.52
    search racattack
    
  12. Check that the master DNS on collabn1 is working.
    [root@collabn1 ~]# nslookup collabn-cluster-scan.racattack
    Server:         192.168.78.51
    Address:        192.168.78.51#53
    
    Name:   collabn-cluster-scan.racattack
    Address: 192.168.78.251
    Name:   collabn-cluster-scan.racattack
    Address: 192.168.78.252
    Name:   collabn-cluster-scan.racattack
    Address: 192.168.78.253
    

