Wikibooks

RAC Attack - Oracle Cluster Database at Home/RAC Attack 12c/Configure Bind DNS

< RAC Attack - Oracle Cluster Database at Home‎ | RAC Attack 12c


  1. Enable BIND DNS to start at boot time.
    2. [root@collabn1 ~]# chkconfig named on
  2. Change named directory permissions.
    3. [root@collabn1 ~]# touch /var/named/racattack [root@collabn1 ~]# chgrp named /var/named/racattack [root@collabn1 ~]# chmod 664 /var/named/racattack [root@collabn1 ~]# chmod g+w /var/named
  3. Backup the BIND configuration file.
    4. [root@collabn1 ~]# cp /etc/named.conf /etc/named.conf.org
  4. Change /etc/named.conf permissions.
    5. [root@collabn1 ~]# chmod 664 /etc/named.conf Otherwise, the original protection may cause trouble in the restarting named step with write-protection errors in /var/log/messages.
  5. Run the following command or edit the /etc/named.conf file to change the named configuration manually. 
    6. sed -i -e 's/listen-on .*/listen-on port 53 { 192.168.78.51; };/' \
-e 's/allow-query .*/allow-query     { 192.168.78.0\/24; localhost; };\n        allow-transfer  { 192.168.78.0\/24; };/' \
-e '$azone "racattack" {\n  type master;\n  file "racattack";\n};\n\nzone "in-addr.arpa" {\n  type master;\n  file "in-addr.arpa";\n};' \
/etc/named.conf
  • In bold the lines that have been modified from the default.
options {
       listen-on port 53 { 192.168.78.51; };
       listen-on-v6 port 53 { ::1; };
       directory       "/var/named";
       dump-file       "/var/named/data/cache_dump.db";
       statistics-file "/var/named/data/named_stats.txt";
       memstatistics-file "/var/named/data/named_mem_stats.txt";
       allow-query     { 192.168.78.0/24; localhost; };
       allow-transfer  { 192.168.78.0/24; };
       recursion yes;

       dnssec-enable yes;
       dnssec-validation yes;
       dnssec-lookaside auto;

       /* Path to ISC DLV key */
       bindkeys-file "/etc/named.iscdlv.key";

       managed-keys-directory "/var/named/dynamic";
};

logging {
       channel default_debug {
               file "data/named.run";
               severity dynamic;
       };
};

zone "." IN {
       type hint;
       file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "racattack" {
 type master;
 file "racattack";
};

zone "in-addr.arpa" {
 type master;
 file "in-addr.arpa";
};
  • Create the zone file for the racattack domain on collabn1 by running the following command:
    • (Copy & Paste the whole box) echo '$TTL 3H @ IN SOA collabn1 hostmaster ( 101  ; serial 1D  ; refresh 1H  ; retry 1W  ; expire 3H )  ; minimum NS collabn1 NS collabn2 localhost A 127.0.0.1 collabn1 A 192.168.78.51 collabn1-vip A 192.168.78.61 collabn1-priv A 172.16.100.51 collabn2 A 192.168.78.52 collabn2-vip A 192.168.78.62 collabn2-priv A 172.16.100.52 collabn-cluster-scan A 192.168.78.251 collabn-cluster-scan A 192.168.78.252 collabn-cluster-scan A 192.168.78.253' \ > /var/named/racattack
  • Create the reverse zone file on collabn1.
    • (Copy & Paste the whole box) echo '$TTL 3H @ IN SOA collabn1.racattack. hostmaster.racattack. ( 101  ; serial 1D  ; refresh 1H  ; retry 1W  ; expire 3H )  ; minimum NS collabn1.racattack. NS collabn2.racattack. 51.78.168.192 PTR collabn1.racattack. 61.78.168.192 PTR collabn1-vip.racattack. 51.100.16.172 PTR collabn1-priv.racattack. 52.78.168.192 PTR collabn2.racattack. 62.78.168.192 PTR collabn2-vip.racattack. 52.100.16.172 PTR collabn2-priv.racattack. 251.78.168.192 PTR collabn-cluster-scan.racattack. 252.78.168.192 PTR collabn-cluster-scan.racattack. 253.78.168.192 PTR collabn-cluster-scan.racattack.' \ > /var/named/in-addr.arpa
  • Generate the rndc.key file.
    • [root@collabn1 ~]# rndc-confgen -a -r /dev/urandom wrote key file "/etc/rndc.key" [root@collabn1 ~]# chgrp named /etc/rndc.key [root@collabn1 ~]# chmod g+r /etc/rndc.key [root@collabn1 ~]# ls -lrta /etc/rndc.key -rw-r----- 1 root named 77 Nov 10 09:19 /etc/rndc.key
  • Restart the named service.
    • [root@collabn1 ~]# service named restart Stopping named: [ OK ] Starting named: [ OK ]
  • Check that the parameter PEERDNS is set to no in /etc/sysconfig/network-scripts/ifcfg-eth2 to prevent the resolv.conf from being overwritten by the dhcp client:
    • DEVICE=eth2 TYPE=Ethernet UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx ONBOOT=yes NM_CONTROLLED=yes BOOTPROTO=dhcp HWADDR=xx:xx:xx:xx:xx DEFROUTE=yes PEERDNS=no PEERROUTES=yes IPV4_FAILURE_FATAL=yes IPV6INIT=no NAME="System eth2" USERCTL=no note: I (Yury) found that the following two should be set to NO to => DEFROUTE=no, PEERROUTES=no
  • If it was set to yes previously, restart the network and verify that the file /etc/resolv.conf contains now the correct nameservers:
    • [root@collabn1 ~]# service network restart Shutting down interface eth0: [ OK ] Shutting down interface eth1: [ OK ] Shutting down interface eth2: [ OK ] Shutting down loopback interface: [ OK ] Bringing up loopback interface: [ OK ] Bringing up interface eth0: [ OK ] Bringing up interface eth1: [ OK ] Bringing up interface eth2: Determining IP information for eth2... done. [ OK ]
  • /etc/resolv.conf should contain:
    • [root@collabn1 ~]# cat /etc/resolv.conf  ; generated by /sbin/dhclient-script nameserver 192.168.78.51 nameserver 192.168.78.52 search racattack
  • Check that the master DNS on collabn1 is working.
    • [root@collabn1 ~]# nslookup collabn-cluster-scan.racattack Server: 192.168.78.51 Address: 192.168.78.51#53 Name: collabn-cluster-scan.racattack Address: 192.168.78.251 Name: collabn-cluster-scan.racattack Address: 192.168.78.252 Name: collabn-cluster-scan.racattack Address: 192.168.78.253


    Retrieved from "https://en.wikibooks.org/w/index.php?title=RAC_Attack_-_Oracle_Cluster_Database_at_Home/RAC_Attack_12c/Configure_Bind_DNS&oldid=3039736"