Background

In order to test different CommIT environments, it is necessary to override the authoritative DNS server(s) for the commonidtrust.org domain with one that directs the user to the front door (loadbalancer) for the CPR and IDP instances in the desired environment. To that end, we have set up separate DNS servers for the CommIT VPC-Dev and VPC-Prod environments. These are configured to serve up the A and/or CNAME records for account.commonidtrust.org and login.commonidtrust.org for the specific VPC environment.

Currently, the DNS server for VPC-Dev runs on the CommIT VPC Gitolite server in the VPC-Dev public subnet and is accessible at EIP address 54.68.170.122. The DNS server for VPC-Prod runs on a t2.micro instance in the VPC-Prod public subnet and is accessible at EIP address 54.149.84.152.

Installation

    yum -y install bind

Configure /etc/named.conf and the zone files, /var/named/masters/commonidtrust-dev.local and /var/named/masters/commonidtrust.org (see examples for VPC-Dev attached).

    chkconfig named on
Logging

named logs to /var/log/messages

Start/Stop Commands

    /etc/init.d/named start
    /etc/init.d/named stop

Open Nameserver Protection

Since users who need to leverage the VPC DNS servers are scattered around the internet and are not accessing them from a well-defined IP address or CIDR block, we needed to leave the VPC DNS servers open to serve requests from anywhere. This is done by configuring:

    allow-query { all; };

Furthermore, once a client is configured to use these DNS servers, it may need to access additional name servers, for example those for wisc.edu. We therefore configured:

    recursion yes;

Of course, it didn't take very long for some nefarious outfit to realize this and set up a DNS amplification attack (see https://www.us-cert.gov/ncas/alerts/TA13-088A) ricocheting off of our open DNS server. To resolve this, we downloaded, built and deployed bind 9.10.1, which includes rate-limit support. The binary for this version is installed in /usr/local/sbin/named and the configuration file is in /usr/local/etc/named.conf. It uses the same zone files in /var/named/masters as the bind 9.8.2 rpm package.
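As an added illustration (not code from the original page or the CommIT project), the following Python check parses the options block of a named.conf and flags the two conditions discussed above: recursion reachable from any client, and no rate-limit block. Both sample configurations are constructed for this example; BIND's built-in catch-all ACL is spelled `any`, and 10.0.0.0/8 is a placeholder for whatever client networks would actually be allowed to recurse.

```python
import re

# Constructed samples (not the project's own named.conf). WEAK mirrors the open
# setup described above; HARDENED keeps authoritative answers public but limits
# recursion to known networks (10.0.0.0/8 is a placeholder) and rate limits.
WEAK_CONF = """options {
    allow-query { any; };
    recursion yes;
};"""
HARDENED_CONF = """options {
    allow-query { any; };
    recursion yes;
    allow-recursion { localnets; 10.0.0.0/8; };
    rate-limit { responses-per-second 5; window 5; };
};"""

def options_block(text):
    # strip comments, then return the body of the top-level options { ... } block
    text = re.sub(r"/\*.*?\*/|(//|#)[^\n]*", "", text, flags=re.S)
    start, depth = text.index("{", text.index("options")), 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces in options block")

def statements(block):
    # split the body at top-level semicolons into {name: value}
    out, depth, cur = {}, 0, ""
    for ch in block:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if ch != ";" or depth:
            cur += ch
            continue
        parts = cur.split(None, 1) or [""]
        out[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        cur = ""
    return out

def audit(conf):
    opts, findings = statements(options_block(conf)), []
    # BIND defaults: recursion yes; allow-recursion falls back to allow-query-cache, then allow-query, then localnets/localhost
    rec_acl = opts.get("allow-recursion", opts.get("allow-query-cache",
                       opts.get("allow-query", "{ localnets; localhost; }")))
    recursive = opts.get("recursion", "yes").lower() == "yes"
    if recursive and "any" in re.findall(r"[\w.:/!-]+", rec_acl):
        findings.append("open recursive resolver: recursion allowed from any")
    if "rate-limit" not in opts:
        findings.append("no rate-limit block: responses are not rate limited")
    return findings
```

Running `audit(WEAK_CONF)` reports both findings, while `audit(HARDENED_CONF)` reports none.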

To start this version:

    /usr/local/sbin/named -u named

To stop this version:

    ps -ef | grep named
    kill <pid returned above>