
Assignment 1

Due Date: See Blackboard

Required VMs
1. Create 3 new VMs for this assignment and name them pri-dns, co-nfs, and rns-ldap. Make
sure the machines are fully updated.
• Each machine will have a network interface in each of your virtual networks.

Hostname                           Internal Network (private)   External Network (default)   CentOS Release
pri-dns.assign.<yourdomain>.ops    192.168.(X+100).201/24       192.168.X.201/24             8
co-nfs.assign.<yourdomain>.ops     192.168.(X+100).202/24       192.168.X.202/24             8
rns-ldap.assign.<yourdomain>.ops   192.168.(X+100).203/24       192.168.X.203/24             7

VM network configuration, server requirements


DNS Servers
• You need three DNS servers for this assignment: a Primary, a Caching-only, and a Root Name server:
  • The Primary DNS (running on VM pri-dns) is authoritative for your domain. It is
    non-recursive, but allows anyone to obtain the addresses of servers in your
    assignment network.
  • The Caching-only name server (running on co-nfs) accepts DNS queries only from
    hosts in your network. It allows machines in your network to send queries to the
    name server for the ops domain (172.16.1.1), which will then direct them to the
    appropriate name server for the sub-domain of ops they are querying for.
  • The Root Name server (running on VM rns-ldap) is authoritative for the root
    zone only. It answers queries only from your co-nfs, but recursively resolves any
    queries it receives, sending them on to the actual root name servers.
• For your DNS services to work properly, you will need to create a proper hierarchical structure
between your lab DNS server and your assignment DNS server (which, you will notice, serves a
sub-domain of your lab domain). You will also need to give the administrator responsible for
the .ops zone (your professor) the information about your domain, together with the glue records
for your zone.
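The three named.conf roles and the delegation records described above, as an added example that is not part of the assignment. It renders BIND 9 configuration fragments; X=10 and YOURDOMAIN=yourdomain are placeholders to override in the environment, and the caching-only server is configured to hand every query to the root name server on rns-ldap, which is the path the firewall section requires.

```sh
#!/bin/sh
# Added example (not part of the assignment): render the BIND 9 named.conf
# fragments for the three DNS roles. X and YOURDOMAIN are placeholders (assumed
# values, override them in the environment before running).
X="${X:-10}"
YOURDOMAIN="${YOURDOMAIN:-yourdomain}"
ZONE="assign.${YOURDOMAIN}.ops"
INTERNAL_NET="192.168.$((X + 100)).0/24"
EXTERNAL_NET="192.168.${X}.0/24"
CO_NFS_INT="192.168.$((X + 100)).202"
RNS_LDAP_INT="192.168.$((X + 100)).203"
PRI_DNS_EXT="192.168.${X}.201"

# pri-dns: authoritative for the assignment zone, answers anyone, never recurses.
# "recursion no" is the security-relevant line: an open recursive resolver on a
# public address is an amplification source.
primary_named_conf() {
cat <<EOF
options {
    directory "/var/named";
    listen-on port 53 { any; };
    allow-query { any; };
    recursion no;
};
zone "${ZONE}" IN {
    type master;
    file "${ZONE}.zone";
};
EOF
}

# co-nfs: caching-only. Only our own subnets may query or recurse, and
# "forward only" means it never contacts any other resolver in the lab itself
# (assumption: it forwards to the root name server on rns-ldap).
caching_named_conf() {
cat <<EOF
acl ournets { ${INTERNAL_NET}; ${EXTERNAL_NET}; localhost; };
options {
    directory "/var/named";
    listen-on port 53 { any; };
    allow-query { ournets; };
    allow-recursion { ournets; };
    recursion yes;
    forward only;
    forwarders { ${RNS_LDAP_INT}; };
};
EOF
}

# rns-ldap: master for "." and recursive, but only co-nfs may ask. Caveat: a
# server that is master for "." answers from that zone rather than from the
# Internet root servers, so root.zone must carry the delegation of ops to the
# ops name server (172.16.1.1) for those lookups to go anywhere.
root_named_conf() {
cat <<EOF
options {
    directory "/var/named";
    listen-on port 53 { any; };
    allow-query { ${CO_NFS_INT}; localhost; };
    allow-recursion { ${CO_NFS_INT}; localhost; };
    recursion yes;
};
zone "." IN {
    type master;
    file "root.zone";
};
EOF
}

# Delegation the .ops administrator needs in the parent (lab) zone: the NS
# record plus the glue A record, using pri-dns's external address so that
# anyone can reach it.
glue_records() {
cat <<EOF
${ZONE}.            IN NS  pri-dns.${ZONE}.
pri-dns.${ZONE}.    IN A   ${PRI_DNS_EXT}
EOF
}
```

Run `primary_named_conf > /etc/named.conf` on pri-dns (and the matching function on the other two VMs), check it with `named-checkconf /etc/named.conf` before restarting named, then verify from a machine outside your network: `dig @192.168.X.201 pri-dns.assign.<yourdomain>.ops` must answer, while `dig @192.168.X.202 example.com` must be refused.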
NFS Server - on VM co-nfs
• This machine will centrally host all of your network users’ home directories, allowing remote
access through NFS version 4.
• Use the appropriate export option(s) (pay particular attention to root_squash and
no_root_squash) when exporting network users' home directories.
• Superuser on the other VMs should not have root privilege on the exported directory, with the
exception of the machine that is running the LDAP server.
• Machines outside your internal network must not be able to contact this service. Every machine
in your network (including ones not created yet) must have access to this service.
• Network users should not have read or write access to other network users' home directories.
• Note: Because we will not be using LDAP for client authentication, you will have to be very
careful to keep user information synchronized across all your machines.
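The NFS export and the user synchronisation this section asks for, as an added example that is not part of the assignment. It assumes X=10 as a placeholder, that home directories live under /export/home on co-nfs, and that rns-ldap's internal address 192.168.(X+100).203 is the one host that keeps root privilege on the export.

```sh
#!/bin/sh
# Added example (not part of the assignment): NFSv4 export for co-nfs plus the
# matching per-user setup. X and EXPORT_ROOT are assumptions you can override.
X="${X:-10}"
INTERNAL_NET="192.168.$((X + 100)).0/24"
RNS_LDAP_INT="192.168.$((X + 100)).203"
EXPORT_ROOT="${EXPORT_ROOT:-/export/home}"

# /etc/exports. root_squash maps a client's uid 0 to the anonymous user, so
# root on pri-dns cannot read other users' homes; no_root_squash is granted to
# the single host rns-ldap only. exports(5) matches a single-host entry before
# an IP-network entry, so rns-ldap gets its own line whatever the order.
# Nothing outside the internal subnet appears here at all.
render_exports() {
cat <<EOF
${EXPORT_ROOT} ${RNS_LDAP_INT}(rw,sync,no_root_squash,fsid=0)
${EXPORT_ROOT} ${INTERNAL_NET}(rw,sync,root_squash,fsid=0)
EOF
}

# Lines to merge into the [nfsd] section of /etc/nfs.conf on CentOS 8 so that
# only version 4 is offered (v2 is already off); on CentOS 7 the equivalent is
# RPCNFSDARGS="-N 3" in /etc/sysconfig/nfs. v4 needs only TCP 2049, so rpcbind
# and mountd are never exposed.
render_nfs_conf() {
cat <<'EOF'
[nfsd]
vers3=n
vers4=y
EOF
}

# fstab line for every client: with fsid=0 the export root is the v4 pseudo-root,
# so clients mount "co-nfs:/" over /home.
client_fstab_line() {
    printf '%s\n' "co-nfs.assign.${YOURDOMAIN:-yourdomain}.ops:/ /home nfs4 sec=sys,_netdev 0 0"
}

# Create a network user with a fixed uid/gid so ownership matches on every host
# (the assignment warns that nothing else keeps them in sync). On co-nfs also
# create the home with mode 700, which is what denies other users access.
# usage: make_network_user alice 2001 [server]
make_network_user() {
    name="$1"; uid="$2"; role="${3:-client}"
    groupadd -g "$uid" "$name"
    useradd -u "$uid" -g "$uid" -M -d "/home/$name" "$name"
    if [ "$role" = server ]; then
        install -d -m 700 -o "$name" -g "$name" "$EXPORT_ROOT/$name"
    fi
}

# Apply on co-nfs after merging render_nfs_conf into /etc/nfs.conf: write the
# export table, re-export, and open NFS to the internal zone only.
apply_server() {
    render_exports > /etc/exports
    systemctl enable --now nfs-server
    exportfs -ra
    firewall-cmd --permanent --zone=internal --add-service=nfs
    firewall-cmd --reload
}

# Apply on every client: SELinux must allow home directories on NFS.
apply_client() {
    setsebool -P use_nfs_home_dirs 1
    client_fstab_line >> /etc/fstab
    mount -a
}
```

To check the squash rule, create a file as root on pri-dns under a user's home and confirm it is owned by nfsnobody (nobody on CentOS 8) on co-nfs, then repeat from rns-ldap where it must stay owned by root; `showmount` is not needed for v4, so `mount -t nfs4 co-nfs.assign.<yourdomain>.ops:/ /mnt` from an external address should simply time out at the firewall.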

LDAP Server - on VM rns-ldap


• LDAP Domain Name – assign.<yourdomain>.ops, where <yourdomain> is your assigned
domain.
• This machine will act as an LDAP server and provide user and group information to other
machines.
• In theory, the other machines in your assignment domain would act as LDAP clients and use the
information on this server for login/authentication; however, due to the issues with configuring
LDAP clients on CentOS 8, that step will not be required this semester.
• Machines outside your internal network must not be able to contact this service.

Network, firewall, and SELinux


• Your host and all your VMs must be accessible from other machines (hosts and VMs) in the lab.
• Please test your network connectivity with at least one of your classmates to make sure you can
connect your VMs to their VMs.
• Do not allow DNS queries from any machines in your network to any DNS servers in the lab
except your caching-only DNS server (which then passes them on to your root-name server).
• SELinux must be turned on and run in enforcing mode on all of your VMs. You may need to
configure the runtime SELinux booleans accordingly.
• These machines will use firewalld as their firewall. As on your lab machines, they should
have an interface in the ‘internal’ zone, with an address accessible only by your own machines,
along with an interface in the ‘external’ zone, connected to the network that allows access
to/from the outside world. Apart from ssh traffic, your firewalls should allow only the traffic
necessary to fulfil the roles described above.
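The firewalld zone layout and SELinux check for the three roles, as an added example that is not part of the assignment. It assumes X=10 as a placeholder and that the internal interface is eth1 and the external one eth0 (pass your own names); with DRY_RUN=1 it prints the firewall-cmd invocations instead of running them, which is how you review the plan before applying it.

```sh
#!/bin/sh
# Added example (not part of the assignment): firewalld zones per VM role plus
# the SELinux checks. X, eth0/eth1 and the DRY_RUN switch are assumptions.
X="${X:-10}"
CO_NFS_INT="192.168.$((X + 100)).202"

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }
fw() { run firewall-cmd --permanent "$@"; }

# Shared baseline: bind the interfaces, keep ssh in both zones, and strip the
# extras firewalld ships in these zones (mdns/samba-client/dhcpv6-client in
# internal, masquerading in external). Removing an absent service only warns.
baseline_zones() {
    internal_if="$1"; external_if="$2"
    fw --zone=internal --change-interface="$internal_if"
    fw --zone=external --change-interface="$external_if"
    for svc in mdns samba-client dhcpv6-client; do
        fw --zone=internal --remove-service="$svc"
    done
    fw --zone=external --remove-masquerade
    fw --zone=internal --add-service=ssh
    fw --zone=external --add-service=ssh
}

# Per-role openings and nothing more: the firewall mirrors the named.conf and
# /etc/exports access lists instead of relying on them.
role_services() {
    case "$1" in
        pri-dns)   # authoritative DNS for anyone
            fw --zone=internal --add-service=dns
            fw --zone=external --add-service=dns ;;
        co-nfs)    # resolver and NFSv4 (tcp/2049) for our machines only
            fw --zone=internal --add-service=dns
            fw --zone=internal --add-service=nfs ;;
        rns-ldap)  # LDAP for our machines; DNS for co-nfs alone
            fw --zone=internal --add-service=ldap
            fw --zone=internal --add-rich-rule="rule family=\"ipv4\" source address=\"${CO_NFS_INT}\" service name=\"dns\" accept" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# usage: configure_firewall <role> <internal_if> <external_if>
configure_firewall() {
    baseline_zones "$2" "$3"
    role_services "$1" || return 1
    run firewall-cmd --reload
}

# SELinux must be enforcing now and after reboot; returns 1 if either fails.
selinux_enforcing() {
    [ "$(getenforce 2>/dev/null)" = Enforcing ] || return 1
    grep -q '^SELINUX=enforcing' /etc/selinux/config 2>/dev/null
}
```

On NetworkManager-managed interfaces the zone binding is also recorded in the connection profile (`nmcli con mod <name> connection.zone internal`), so check `firewall-cmd --get-active-zones` after a reboot, and test from a classmate's VM that only ssh (and, for pri-dns, DNS) answers on the external address.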
Grading
Shortly before the due date I will post a rubric on Blackboard. On the due date I will provide a script
that will gather information from your machines and create a tar file from them. You will upload that
tar file to Blackboard.

Bonus 10%: Dynamic DNS secured with TSIG


Configure your pri-dns server to allow dynamic DNS updates from your host, secured with a TSIG key.

Bonus 10%: Zone transfer secured with TSIG


Configure your pri-dns to act as a slave (secondary) DNS server for your lab domain, secured with a
TSIG key. Note: if you are attempting both TSIG bonus options, they must use different keys.
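Both TSIG bonuses on pri-dns, each with its own key, as an added example that is not part of the assignment. It assumes X=10 and YOURDOMAIN=yourdomain as placeholders, that the lab zone's primary and the host sending dynamic updates are both at LAB_DNS=192.168.X.1, that key files live under /etc/named, and BIND 9.11 or later (CentOS 8) for tsig-keygen.

```sh
#!/bin/sh
# Added example (not part of the assignment): dynamic updates and zone
# transfers on pri-dns, each secured with a different TSIG key. X, YOURDOMAIN,
# LAB_DNS and the key paths are assumptions.
X="${X:-10}"
YOURDOMAIN="${YOURDOMAIN:-yourdomain}"
ZONE="assign.${YOURDOMAIN}.ops"
LAB_ZONE="${YOURDOMAIN}.ops"
LAB_DNS="${LAB_DNS:-192.168.${X}.1}"
DDNS_KEY="ddns-key"      # used only by nsupdate from the host
XFR_KEY="xfr-key"        # used only for AXFR of the lab zone; must differ

# Generate both keys once on pri-dns. tsig-keygen prints a complete key {}
# statement with a random secret, so the files must not be world-readable.
generate_keys() {
    tsig-keygen -a hmac-sha256 "$DDNS_KEY" > /etc/named/ddns.key
    tsig-keygen -a hmac-sha256 "$XFR_KEY"  > /etc/named/xfr.key
    chown root:named /etc/named/*.key && chmod 640 /etc/named/*.key
}

# named.conf fragment for pri-dns. The dynamic zone file lives under
# /var/named/dynamic (SELinux type named_cache_t, writable by named without
# touching named_write_master_zones); the slave copy under /var/named/slaves.
render_tsig_named_conf() {
cat <<EOF
include "/etc/named/ddns.key";
include "/etc/named/xfr.key";
zone "${ZONE}" IN {
    type master;
    file "dynamic/${ZONE}.zone";
    allow-update { key "${DDNS_KEY}"; };
};
zone "${LAB_ZONE}" IN {
    type slave;
    file "slaves/${LAB_ZONE}.zone";
    masters { ${LAB_DNS} key "${XFR_KEY}"; };
};
EOF
}

# What the lab (master) side needs so that only a signed AXFR succeeds: paste
# into the lab DNS server's named.conf after copying xfr.key there.
render_lab_master_fragment() {
cat <<EOF
include "/etc/named/xfr.key";
zone "${LAB_ZONE}" IN {
    type master;
    file "${LAB_ZONE}.zone";
    allow-transfer { key "${XFR_KEY}"; };
    also-notify { 192.168.${X}.201; };
};
EOF
}

# Signed dynamic update from the host (needs a copy of ddns.key there).
# usage: ddns_add_a host1 192.168.10.50
ddns_add_a() {
    nsupdate -k /etc/named/ddns.key <<EOF
server 192.168.${X}.201
zone ${ZONE}.
update delete $1.${ZONE}. A
update add $1.${ZONE}. 300 A $2
send
EOF
}

# Checks: an unsigned update must be REFUSED, an unsigned transfer must fail,
# and only the signed transfer returns the zone (starts with its SOA).
check_tsig() {
    printf 'server 192.168.%s.201\nzone %s.\nupdate add probe.%s. 300 A 10.0.0.1\nsend\n' \
        "$X" "$ZONE" "$ZONE" | nsupdate 2>&1 | grep -q REFUSED || return 1
    dig "@192.168.${X}.201" "$LAB_ZONE" AXFR | grep -q 'Transfer failed' || return 1
    dig "@192.168.${X}.201" "$LAB_ZONE" AXFR -k /etc/named/xfr.key | grep -q SOA
}
```

After an accepted update, `rndc sync` flushes the journal into the zone file so that you can read it; the zone's serial must still increase on pri-dns for the slave copy of the lab zone, which you can watch with `dig @192.168.X.201 <yourdomain>.ops SOA` before and after a change on the lab server.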

Bonus 10%: Configure other servers to be able to search the LDAP database on rns-ldap.
Configure your pri-dns and rns-ldap so that they can run ldapsearch against it. Note that they do not
need to be able to log in, just access information through ldapsearch. Note that this is probably the
hardest of the three bonus options; only attempt it if you have completed all other work.
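Deriving the base DN from the LDAP domain name given in the LDAP Server section and querying rns-ldap from another VM, as an added example that is not part of the assignment. It assumes YOURDOMAIN=yourdomain as a placeholder, that the client has the openldap-clients package, and that the server's access rules allow anonymous read access (the example does not configure the server itself).

```sh
#!/bin/sh
# Added example (not part of the assignment): base DN derivation and read-only
# ldapsearch queries against rns-ldap. YOURDOMAIN and the anonymous-read
# assumption are not from the assignment.
YOURDOMAIN="${YOURDOMAIN:-yourdomain}"
LDAP_DOMAIN="assign.${YOURDOMAIN}.ops"
LDAP_URI="ldap://rns-ldap.${LDAP_DOMAIN}"

# assign.yourdomain.ops -> dc=assign,dc=yourdomain,dc=ops
base_dn() {
    printf '%s' "$1" | tr '.' '\n' | sed 's/^/dc=/' | paste -sd, -
}

# Read-only query: list POSIX users. Simple bind (-x) with no DN and no
# password, which is all "search, not log in" needs.
ldap_list_users() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$(base_dn "$LDAP_DOMAIN")" \
        '(objectClass=posixAccount)' uid uidNumber homeDirectory
}

# Reachability check: exit 0 only if the root DSE answers on port 389. Run it
# from pri-dns (must succeed) and from a classmate's VM (must fail at the
# internal-zone firewall).
ldap_reachable() {
    ldapsearch -x -H "$LDAP_URI" -b '' -s base '(objectClass=*)' namingContexts >/dev/null 2>&1
}
```

Because the hostname is resolved through your own DNS chain, a failing query from pri-dns is as likely to be a DNS or firewall problem as an LDAP one; `ldap_reachable` separates the two before you start reading slapd's access log.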

Questions
If you have any questions about this assignment, please talk to your professor before the due date.
