NS Setup

October 9 2015

# # #

The NS server of choice is the bind9 server (named) which would be configured for providing a DNS server service for a local subnet

Each server needs to be set to the IP for this DNS server in its /etc/resolv.conf


We install bind9 from the package managers.

For CentOS 7 - minimal, the commands to install are.

yum install -y epel-release
yum install -y bind bind-utils

If you are behind a proxy, first set teh env variable before running yum

export {http,https,ftp,rsync,socks}_proxy='http://proxy.example.com:8080'
export no_proxy='comma, separated, hosts, for, which, no, proxy, need, be, applied'


All configuration is done via editing the named.conf. The location of this file varies depending upon your OS.

In CentOS - 7 it is located in the /etc/named.conf

We create a demo new domain here, and enable recursion to some other primary nameserver. We also create a trusted ACL to manage access.

After editing named.conf looks something like this

acl "trusted" { // Create a Trusted ACL for trusted networks.;;

options {
    listen-on port 53 { // Listen for connections from all IP.;
    listen-on-v6 port 53 { // Listen for IPv6 from localhost.
    directory "/var/named"; // Place where zonefiles are
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    allow-query { // Allow only localhost and trusted to query the nameserver
                  // It shows REFUSED for all others.
    allow-recursion { // Allow only localhost and trusted to use recursion
    allow-transfer { // Do not allow zone transfer.
    forwarders { // Forward requests to thsese if non authoratative.;;
    recursion yes; // Allow recustion

    dnssec-enable no; 
    dnssec-validation no;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;

zone "." IN { // Show hint to '.' servers for '.'
    type hint;
    file "named.ca";

zone "nonexistant." IN { // Authoratative for "nonexistant"
    type master;
    file "nonexistant.forward";

zone "1.168.192.in-addr.arpa." IN { // Authoratative for rDNS as well
    type master;
    file "1.168.192.in-addr.arpa.forward";

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Zone Files

The bind9 looks at the dir 'directory' in the config and looks there for the zone files.

The zonefile is simple to make, with a SOA record, on which other records are added.

For example, here is the nonexistant.forward

$TTL 3600
@ SOA ns.nonexistant. nonexistant.nonexistant. (8 15m 5m 30d 1h)
    NS ns.nonexistant.

login   IN  A
ns  IN  A
ldap    IN  A
vpn IN  A
base    IN  A

And for the reverse lookup, the 1.168.192.in-addr.arpa.forward

$TTL 3600
@ SOA ns.nonexistant. nonexistant.nonexistant. (10 15m 5m 30d 1h)
    NS ns.nonexistant.

7   PTR login.nonexistant.
6   PTR ns.nonexistant.
5   PTR ldap.nonexistant.
4   PTR     vpn.nonxistant.
1   PTR base.nonxistant.

Be sure to increment the serial numbers when making a change to the zone files.

Starting service

Start the service by using the

service named start

On using

service named status

the logs are printed in the /var/log/messages.

Restricting IPv6 for IPv4 only Network

For setting the bind9 server to serve ipv4 only addreses, you need to enable the following options in the /etc/named.conf

filter-aaaa-on-v4 yes;

Recommended Reading

Breaking Random Number Generators with Chosen Seed

# # # #

Find the flag.

Source is as follows

#!/usr/bin/env python3

import random
import time
import string
import signal

# use secure seed

with open('flag.txt') as f:
	flag = f.read()

# large constant prime
p = 174807157365465092731323561678522236549173502913317875393564963123330281052524687450754910240009920154525635325209526987433833785499384204819179549544106498491589834195860008906875039418684191252537604123129659746721614402346449135195832955793815709136053198207712511838753919608894095907732099313139446299843

Recommended Reading

Setting Up httpd (2.2) as ReverseProxy (OLD)

# # #

httpd can be configured as a frontend load balancing proxyfier. There are better tools in the market for doing this exact thing, and nginx and haproxy have shown a much better performance in real world and benchmarks with a lower RAM footprint but...