RAC Attack - Oracle Cluster Database at Home/RAC Attack 12c/Configure Bind DNS



 Enable BIND DNS to start at boot time. 

[root@collabn1 ~]# chkconfig named on

 Change named directory permissions. 

[root@collabn1 ~]# touch /var/named/racattack
[root@collabn1 ~]# chgrp named /var/named/racattack
[root@collabn1 ~]# chmod 664 /var/named/racattack
[root@collabn1 ~]# chmod g+w /var/named

 Backup the BIND configuration file. 

[root@collabn1 ~]# cp /etc/named.conf /etc/named.conf.org

 Change /etc/named.conf permissions. 

[root@collabn1 ~]# chmod 664 /etc/named.conf

Otherwise, the original permissions can make the later "restart named" step fail with write-protection errors logged in /var/log/messages.

 Run the following command or edit the /etc/named.conf file to change the named configuration manually. 

sed -i -e 's/listen-on .*/listen-on port 53 { 192.168.78.51; };/' \
       -e 's/allow-query .*/allow-query    { 192.168.78.0\/24; localhost; };\n        allow-transfer  { 192.168.78.0\/24; };/' \
       -e '$azone "racattack" {\n type master;\n  file "racattack";\n};\n\nzone "in-addr.arpa" {\n  type master;\n  file "in-addr.arpa";\n};' \
       /etc/named.conf


The resulting /etc/named.conf is shown below. The lines changed from the default are listen-on, allow-query, allow-transfer and the two zone declarations added at the end of the file.

options {
        listen-on port 53 { 192.168.78.51; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { 192.168.78.0/24; localhost; };
        allow-transfer  { 192.168.78.0/24; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "racattack" {
 type master;
  file "racattack";
};

zone "in-addr.arpa" {
  type master;
  file "in-addr.arpa";
};
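The three directives that matter for exposure here are listen-on, allow-query and allow-transfer: together they keep named off the host-only and NAT interfaces, limit who can query the lab resolver (recursion is enabled, so an unrestricted allow-query would make it an open resolver) and stop anyone outside 192.168.78.0/24 from pulling the whole zone with a transfer. The script below is an added example, not part of the RAC Attack page: it audits an options block for exactly those points. The two configurations it contains are constructed inline (the first mirrors the block produced by the sed command above, the second is a deliberately permissive variant) so it runs without a BIND installation; on a node you would pass "$(cat /etc/named.conf)" instead.

```bash
#!/bin/bash
# Added example: pre-flight audit of a BIND options{} block.
# Not part of the RAC Attack page; the configurations below are constructed.

LAB_NET="192.168.78.0/24"

# The options block as the page's sed command produces it (constructed copy).
GOOD_CONF=$(cat <<'EOF'
options {
        listen-on port 53 { 192.168.78.51; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        allow-query     { 192.168.78.0/24; localhost; };
        allow-transfer  { 192.168.78.0/24; };
        recursion yes;
};
EOF
)

# A permissive variant (constructed): listens everywhere, answers anyone,
# recurses for anyone and has no allow-transfer at all.
WEAK_CONF=$(cat <<'EOF'
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        allow-query     { any; };
        recursion yes;
};
EOF
)

# option_value CONF DIRECTIVE: print the text between the braces of the first
# line whose first word is DIRECTIVE ("listen-on" does not match
# "listen-on-v6"), or nothing if the directive is absent.
option_value() {
  printf '%s\n' "$1" | awk -v d="$2" '
    $1 == d { s = $0; sub(/^[^{]*[{]/, "", s); sub(/[}].*$/, "", s); print s; exit }'
}

# has_any LIST: true if the address-match list contains "any".
has_any() {
  printf '%s\n' "$1" | grep -qw any
}

# audit_named_conf CONF: print one line per finding; succeed only if clean.
# A missing directive is reported too, so that whatever default the installed
# BIND applies is reviewed explicitly rather than assumed.
audit_named_conf() {
  conf=$1
  findings=0
  listen=$(option_value "$conf" listen-on)
  query=$(option_value "$conf" allow-query)
  xfer=$(option_value "$conf" allow-transfer)
  recursion=$(printf '%s\n' "$conf" | awk '$1 == "recursion" { print $2 }' | tr -d ';')

  if [ -z "$listen" ] || has_any "$listen"; then
    echo "listen-on: named binds every interface; pin it to the public RAC address"
    findings=$((findings + 1))
  fi
  if [ -z "$query" ] || has_any "$query"; then
    echo "allow-query: unrestricted; limit it to $LAB_NET and localhost"
    findings=$((findings + 1))
  fi
  if [ "$recursion" = "yes" ] && { [ -z "$query" ] || has_any "$query"; }; then
    echo "recursion yes with unrestricted allow-query: this is an open resolver"
    findings=$((findings + 1))
  fi
  if [ -z "$xfer" ] || has_any "$xfer"; then
    echo "allow-transfer: absent or 'any'; restrict zone transfers to $LAB_NET"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# finding_count CONF: number of findings, for scripting.
finding_count() {
  audit_named_conf "$1" | wc -l | tr -d ' '
}

# Stand-alone run: audit both configurations.
echo "== options block from this page =="
audit_named_conf "$GOOD_CONF" && echo "clean"
echo "== permissive variant =="
audit_named_conf "$WEAK_CONF" || echo "$(finding_count "$WEAK_CONF") finding(s)"
```

Run on a node as `audit_named_conf "$(cat /etc/named.conf)"`; a non-zero exit with the printed findings is the signal to re-run the sed step before restarting named. The check is deliberately line-oriented and only understands the one-directive-per-line layout the page produces; `named-checkconf /etc/named.conf` remains the authoritative syntax check.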

 Create the zone file for the racattack domain on collabn1 by running the following command:  (Copy & Paste the whole box)

echo '$TTL 3H
@      IN SOA  collabn1        hostmaster      (
                                        101   ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
NS     collabn1
NS     collabn2
localhost      A       127.0.0.1
collabn1       A       192.168.78.51
collabn1-vip   A       192.168.78.61
collabn1-priv  A       172.16.100.51
collabn2       A       192.168.78.52
collabn2-vip   A       192.168.78.62
collabn2-priv  A       172.16.100.52
collabn-cluster-scan    A       192.168.78.251
collabn-cluster-scan    A       192.168.78.252
collabn-cluster-scan    A       192.168.78.253' \
> /var/named/racattack

 Create the reverse zone file on collabn1. 

(Copy & Paste the whole box)

echo '$TTL 3H
@      IN SOA  collabn1.racattack. hostmaster.racattack. (
                                        101   ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
NS     collabn1.racattack.
NS     collabn2.racattack.
51.78.168.192  PTR     collabn1.racattack.
61.78.168.192  PTR     collabn1-vip.racattack.
51.100.16.172  PTR     collabn1-priv.racattack.
52.78.168.192  PTR     collabn2.racattack.
62.78.168.192  PTR     collabn2-vip.racattack.
52.100.16.172  PTR     collabn2-priv.racattack.
251.78.168.192 PTR     collabn-cluster-scan.racattack.
252.78.168.192 PTR     collabn-cluster-scan.racattack.
253.78.168.192 PTR     collabn-cluster-scan.racattack.' \
> /var/named/in-addr.arpa
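The forward and reverse zones are maintained by hand, so a single mistyped octet leaves one host resolving in one direction only, and the Oracle installer's cluster verification later fails on exactly that. The script below is an added example, not part of the RAC Attack page: it parses both zone texts, rebuilds "host ip" pairs from the A records and from the PTR records (octets put back in network order, the racattack. suffix dropped) and requires the two sets to be identical; it also checks that the SCAN name carries three A records on the public network, as RAC 12c expects. The zone contents are embedded as constructed copies of the two files created above so the script runs without BIND; on a node, read /var/named/racattack and /var/named/in-addr.arpa instead. It complements, rather than replaces, `named-checkzone racattack /var/named/racattack`, which validates syntax but cannot see whether the two zones agree.

```bash
#!/bin/bash
# Added example: forward/reverse consistency check for the racattack zones.
# Not part of the RAC Attack page; the zone texts below are constructed copies.

FWD_ZONE=$(cat <<'EOF'
$TTL 3H
@      IN SOA  collabn1        hostmaster      (
                                        101   ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
NS     collabn1
NS     collabn2
localhost      A       127.0.0.1
collabn1       A       192.168.78.51
collabn1-vip   A       192.168.78.61
collabn1-priv  A       172.16.100.51
collabn2       A       192.168.78.52
collabn2-vip   A       192.168.78.62
collabn2-priv  A       172.16.100.52
collabn-cluster-scan    A       192.168.78.251
collabn-cluster-scan    A       192.168.78.252
collabn-cluster-scan    A       192.168.78.253
EOF
)

REV_ZONE=$(cat <<'EOF'
$TTL 3H
@      IN SOA  collabn1.racattack. hostmaster.racattack. (
                                        101   ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
NS     collabn1.racattack.
NS     collabn2.racattack.
51.78.168.192  PTR     collabn1.racattack.
61.78.168.192  PTR     collabn1-vip.racattack.
51.100.16.172  PTR     collabn1-priv.racattack.
52.78.168.192  PTR     collabn2.racattack.
62.78.168.192  PTR     collabn2-vip.racattack.
52.100.16.172  PTR     collabn2-priv.racattack.
251.78.168.192 PTR     collabn-cluster-scan.racattack.
252.78.168.192 PTR     collabn-cluster-scan.racattack.
253.78.168.192 PTR     collabn-cluster-scan.racattack.
EOF
)

# forward_pairs ZONE: "host ip" for every A record except localhost, sorted.
forward_pairs() {
  printf '%s\n' "$1" | awk '$2 == "A" && $1 != "localhost" { print $1, $3 }' | sort
}

# reverse_pairs ZONE: the same "host ip" shape derived from the PTR records;
# the in-addr.arpa octets are reversed back and the zone suffix removed.
reverse_pairs() {
  printf '%s\n' "$1" | awk '$2 == "PTR" {
      n = $3; sub(/\.racattack\.$/, "", n)
      split($1, o, ".")
      print n, o[4] "." o[3] "." o[2] "." o[1] }' | sort
}

# check_zone_consistency FWD REV: succeed only if A and PTR records describe
# the same host/address set; otherwise list the entries missing on each side.
check_zone_consistency() {
  fwd=$(forward_pairs "$1")
  rev=$(reverse_pairs "$2")
  [ "$fwd" = "$rev" ] && return 0
  echo "A records with no matching PTR:" >&2
  printf '%s\n' "$fwd" | grep -vxF -e "$rev" >&2 || true
  echo "PTR records with no matching A:" >&2
  printf '%s\n' "$rev" | grep -vxF -e "$fwd" >&2 || true
  return 1
}

# scan_address_count ZONE: number of A records behind the SCAN name (RAC wants 3).
scan_address_count() {
  printf '%s\n' "$1" | awk '$1 == "collabn-cluster-scan" && $2 == "A"' | wc -l | tr -d ' '
}

# scan_addresses_on_public_net ZONE: every SCAN address must sit on the public
# 192.168.78.0/24 network, never on the 172.16.100.0/24 interconnect.
scan_addresses_on_public_net() {
  printf '%s\n' "$1" | awk '
    $1 == "collabn-cluster-scan" && $2 == "A" && $3 !~ /^192\.168\.78\./ { bad++ }
    END { if (bad) exit 1; exit 0 }'
}

# Stand-alone run against the embedded copies.
if check_zone_consistency "$FWD_ZONE" "$REV_ZONE"; then
  echo "forward and reverse zones agree ($(forward_pairs "$FWD_ZONE" | wc -l | tr -d ' ') hosts)"
fi
echo "SCAN addresses: $(scan_address_count "$FWD_ZONE")"
```

On a node, call it as `check_zone_consistency "$(cat /var/named/racattack)" "$(cat /var/named/in-addr.arpa)"` before the restart step; a mismatch prints the offending pairs on stderr and returns non-zero, so it fits a shell `||` chain. The parser is only as general as the page's zone layout (one record per line, relative owner names in the forward zone, fully qualified targets in the reverse zone).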

Generate the rndc.key file.

[root@collabn1 ~]# rndc-confgen -a -r /dev/urandom
wrote key file "/etc/rndc.key"
[root@collabn1 ~]# chgrp named /etc/rndc.key
[root@collabn1 ~]# chmod g+r /etc/rndc.key
[root@collabn1 ~]# ls -lrta /etc/rndc.key
-rw-r----- 1 root named 77 Nov 10 09:19 /etc/rndc.key

Restart the named service.

[root@collabn1 ~]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]

Check that the parameter PEERDNS is set to no in /etc/sysconfig/network-scripts/ifcfg-eth2 to prevent /etc/resolv.conf from being overwritten by the DHCP client:

DEVICE=eth2
TYPE=Ethernet
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
HWADDR=xx:xx:xx:xx:xx
DEFROUTE=yes
PEERDNS=no
PEERROUTES=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth2"
USERCTL=no

Note: I (Yury) found that the following two should also be set to no => DEFROUTE=no, PEERROUTES=no

If it was set to yes previously, restart the network and verify that /etc/resolv.conf now contains the correct nameservers:

[root@collabn1 ~]# service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down interface eth1:                              [  OK  ]
Shutting down interface eth2:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                [  OK  ]
Bringing up interface eth1:                                [  OK  ]
Bringing up interface eth2:
Determining IP information for eth2... done.
                                                           [  OK  ]

/etc/resolv.conf should contain:

[root@collabn1 ~]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
nameserver 192.168.78.51
nameserver 192.168.78.52
search racattack

Check that the master DNS on collabn1 is working.

[root@collabn1 ~]# nslookup collabn-cluster-scan.racattack
Server:         192.168.78.51
Address:        192.168.78.51#53

Name:   collabn-cluster-scan.racattack
Address: 192.168.78.251
Name:   collabn-cluster-scan.racattack
Address: 192.168.78.252
Name:   collabn-cluster-scan.racattack
Address: 192.168.78.253