h3. Background

In order to test different CommIT environments, it is necessary to override the authoritative DNS server(s) for the *commonidtrust.or{*}g domain with one that directs the user to the front door  (loadbalancer) for the CPR and IDP instances in the desired environment.  To that end, we have set up separate DNS servers for the CommIT VPC-Dev and VPC-Prod environments.  These are configured to serve up the A and/or CNAME records for *account.commonidtrust.org* and *login.commonidtrust.org* for the specific VPC environment.

Currently, the DNS server for VPC-Dev runs on the CommIT VPC Gitolite server in the VPC-Dev public subnet and is accessible at EIP address {color:#444444}{*}54.68.170.122.*{color} {color:#444444} The DNS server for VPC-Prod runs on a t2.micro instance in the VPC-Prod public subnet and is accessible at EIP address {color}{color:#444444}{*}54.149.84.152.*{color}

h3. *Installation*

yum \-y install bind

Configure */etc/named.conf* and zone files, */var/named/masters/commonidtrust-dev.local* and */var/named/masters/commonidtrust.org (see examples for VPC-Dev attached).*

chkconfig named on

h3. *Logging*

named logs to */var/log/messages*

*Start/Stop Commands*

/etc/init.d/named start

/etc/init.d/named stop

h3. *Open Nameserver Protection*

Since users who need to leverage the VPC DNS servers are speckled around the internet and not accessing them from a well-defined IP address or CIDR block, we needed to leave the VPC DNS servers open to serve requests from anywhere.  This is done by configuring:

{noformat}
allow-query { all; };
{noformat}

Furthermore, once a client is configured to use these DNS servers, they may need to access additional name servers, for example, those for wisc.edu.  We therefore configured:

{noformat}
recursion yes;
{noformat}

Of course, it didn't take very long for some nefarious outfit to realize this and set up a DNS amplification attack (see [https://www.us-cert.gov/ncas/alerts/TA13-088A]) ricocheting off of our open DNS server.  To resolve this, we include the *rate-limit* option. 

        rate-limit {
                responses-per-second 10;
        };

{noformat}
rate-limit {
       responses-per-second 10;
};
{noformat}