
Configuring DNS and DHCP

• Understanding DNS
• Setting Up a DNS Server
• Understanding DHCP
• Setting Up a DHCP Server
Understanding DNS
• The Domain Name System (DNS) is the system that associates hostnames with IP addresses.

• The Domain Name System (DNS) is the phonebook of the Internet.

• Humans access information online through domain names, like nytimes.com or espn.com.

• Web browsers interact through Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load Internet resources.
The DNS Hierarchy
• DNS is a worldwide hierarchical system.

• Directly below the root are the top-level domains (TLDs).

• Common top-level domains are .org, .gov, .edu, and .mil.
Cont..
• Many top-level domains exist for countries, such as .uk, .ca, .in, .cn, and .nl.

• Each of the top-level domains has a number of name servers.

• These are the servers that have information on the hosts within the
domain.

• The root domain is at the top of the DNS hierarchy. This is the domain that
is not directly visible in DNS names but is used to connect all of the top-
level domains together.
Cont..
• The entire portion of DNS for which a name server is responsible is
referred to as a zone.
DNS Server Types
1. Primary name server, also referred to as the master name server
2. Secondary or slave name server
3. Cache-only name server

• To keep the primary and secondary name servers synchronized, a process known as zone transfer is used.

• In a zone transfer, a primary server can push its database to the secondary name server, or the secondary name server can request updates from the primary name server.
DNS Zone Types
• Most DNS servers are configured to service at least two zone types. First there is the regular zone type that is used to find an IP address for a hostname. This is the most common use of DNS.

• In some cases, however, it is needed to find the name for a specific IP address. This type of request is handled by the in-addr.arpa zones.

• In in-addr.arpa zones, PTR resource records are configured. The name of the in-addr.arpa zone is the reversed network part of the IP address followed by in-addr.arpa.
Cont…
• For example, if the IP address is 193.173.10.87, the in-addr.arpa zone would be 87.10.173.in-addr.arpa.

• The name server for this zone would be configured to know the
names of all IP addresses within that zone.
Setting Up a DNS Server
• The Berkeley Internet Name Domain (BIND) service is used to offer DNS services on Red Hat Enterprise Linux.
Setting Up a Cache-Only Name Server
• Running a cache-only name server can be useful when optimizing DNS requests in your network.

• Once a resource record is found, it is stored in the cache on the cache-only name server.

• This means that the next time a client needs the same information, it can be provided much faster.
Cont….
• Change the file named.conf to include the following parameters: listen-on port 53 { any; }; and allow-query { any; };.

• Finally, insert the line forwarders { x.x.x.x; }; in the same configuration file, and give it the value of the IP address of the DNS server you normally use for your Internet connection.

• This ensures that the DNS server of your Internet provider is used for DNS recursion and that requests are not sent directly to the name servers of the root domain.
Setting Up a Primary Name Server
    options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        forwarders { 8.8.8.8; };
    };
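The options block above listens on every interface and combines allow-query { any; } with forwarders but has no allow-recursion statement, so the server performs recursion for any client that can reach it (an open resolver). As an added check that is not part of the slides, this Python audit parses a constructed named.conf fragment with those settings and flags it; restricting allow-recursion to the local networks clears the finding.

```python
import re

# Constructed named.conf fragment modelled on the options block from the slides
NAMED_CONF = """
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query { any; };
    forwarders { 8.8.8.8; };
};
"""

LIST_STMT = re.compile(r"([\w-]+)(?:\s+port\s+\d+)?\s*\{([^}]*)\}\s*;")
SCALAR_STMT = re.compile(r'([\w-]+)\s+"?([^";{}]+?)"?\s*;')

def options_block(conf):
    """Return the text between the braces of 'options { ... };' (brace counting)."""
    start = conf.find("options")
    if start < 0:
        return ""
    depth, open_at = 0, conf.index("{", start)
    for j in range(open_at, len(conf)):
        if conf[j] == "{":
            depth += 1
        elif conf[j] == "}":
            depth -= 1
            if depth == 0:
                return conf[open_at + 1:j]
    return ""

def parse_options(conf):
    """Map option names to values: a list for '{ a; b; }' statements, else a string."""
    body = options_block(conf)
    opts = {}
    for name, items in LIST_STMT.findall(body):
        opts[name] = [x.strip() for x in items.split(";") if x.strip()]
    for name, value in SCALAR_STMT.findall(LIST_STMT.sub("", body)):
        opts[name] = value.strip()
    return opts

def open_resolver_findings(opts):
    """Flag a configuration that performs recursion for any client on the Internet."""
    findings = []
    listens_on_all = "any" in opts.get("listen-on", ["any"])      # BIND default: all interfaces
    recursion_on = opts.get("recursion", "yes").lower() != "no"  # BIND default: recursion yes
    # When allow-recursion is unset, BIND falls back to allow-query (allow-query-cache is
    # ignored here for brevity), so 'allow-query { any; }' alone opens recursion to everyone.
    recursion_acl = opts.get("allow-recursion", opts.get("allow-query", []))
    if listens_on_all and recursion_on and "any" in recursion_acl:
        findings.append("open recursive resolver: allow-recursion (via allow-query) is 'any'")
    if opts.get("forwarders") and "any" in recursion_acl:
        findings.append("forwarders will be queried on behalf of arbitrary clients")
    return findings
```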
Cont..
    zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };
Cont..
    zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
    };
Cont…
• A zone file consists of two parts. The first part is the header, which provides generic information about the timeouts that should be used for this zone.

• An important part of the header is where the SOA is defined. This line specifies which name server is authoritative for this DNS domain:

    @ 1D IN SOA rhev.example.com. hostmaster.example.com. (


Common resource records
• A (Address): Matches a name to an IP address.

• PTR (Pointer): Matches an IP address to a name in reverse DNS.

• NS (Name server): Tells DNS the names of the name servers responsible for subdomains.

• MX (Mail exchange): Tells DNS which servers are available as SMTP mail servers.

• SRV (Service record): Used by some operating systems to store service information.
Configuring an in-addr.arpa Zone
• Creating an in-addr.arpa zone works similarly to the creation of a regular zone in DNS. You'll need to modify the /etc/named.rfc1912.zones file to define the in-addr.arpa zone:

    zone "100.173.193.in-addr.arpa" {
        type master;
        file "193.173.100.zone";
    };
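As an added example (not from the slides), the Python below generates both zone types discussed above, a regular zone and its in-addr.arpa zone, from a constructed host table for example.com on 193.173.100.0/24: it emits the SOA header with its timers, the NS, A, MX and PTR records, derives the reverse zone name by reversing the network octets, and refuses a host that lies outside the network.

```python
import ipaddress

# Constructed host table for the domain and network used on the slides
DOMAIN = "example.com"
NETWORK = "193.173.100.0/24"
HOSTS = {"rhev": "193.173.100.10", "mail": "193.173.100.25"}

def reverse_zone_name(cidr):
    """'193.173.100.0/24' -> '100.173.193.in-addr.arpa': the network octets, reversed."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 IPv4 reverse zones are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def soa_header(origin, primary_ns, hostmaster, serial):
    """Zone header: the SOA line from the slides with its timers, plus the NS record."""
    return (
        f"$ORIGIN {origin}.\n$TTL 1D\n"
        f"@ 1D IN SOA {primary_ns}. {hostmaster}. (\n"
        f"    {serial} ; serial\n    1D ; refresh\n    1H ; retry\n"
        f"    1W ; expire\n    3H ) ; minimum (negative-cache) TTL\n"
        f"@ IN NS {primary_ns}.\n"
    )

def forward_zone(domain, hosts, primary="rhev", serial=2024010101):
    """Regular zone: an A record per host and an MX record if a 'mail' host exists."""
    ns, hm = f"{primary}.{domain}", f"hostmaster.{domain}"
    lines = [soa_header(domain, ns, hm, serial)]
    if "mail" in hosts:
        lines.append(f"@ IN MX 10 mail.{domain}.")
    lines += [f"{name} IN A {ip}" for name, ip in sorted(hosts.items())]
    return "\n".join(lines) + "\n"

def reverse_zone(cidr, domain, hosts, primary="rhev", serial=2024010101):
    """in-addr.arpa zone: one PTR per host, named by the reversed host part of its address."""
    net = ipaddress.ip_network(cidr, strict=True)
    ns, hm = f"{primary}.{domain}", f"hostmaster.{domain}"
    lines = [soa_header(reverse_zone_name(cidr), ns, hm, serial)]
    for name, ip in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is not inside {cidr}; it belongs in another reverse zone")
        host_part = ".".join(reversed(str(addr).split(".")[net.prefixlen // 8:]))
        lines.append(f"{host_part} IN PTR {name}.{domain}.")
    return "\n".join(lines) + "\n"
```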
Setting Up a Secondary Name Server
• On the primary name server:

    zone "it.com" IN {
        type master;
        file "forward.zone";
        allow-update { none; };
    };
Cont…
• On the secondary name server:

    zone "it.com" IN {
        type slave;
        masters { 192.168.1.3; };
        file "forward.zone(named.localhost).slave";
    };
Understanding DHCP
• The Dynamic Host Configuration Protocol (DHCP) is used to assign IP-related configuration to hosts in your network.

• Using a DHCP server makes managing a network a lot easier, because it gives you the option to manage IP-related configuration in a single, central location on the network, instead of on multiple different hosts.
Setting Up a DHCP Server
• To set up a DHCP server, after installing the dhcp package, you need to change common DHCP settings in the main configuration file: /etc/dhcp/dhcpd.conf

    # If this DHCP server is the official DHCP server for the local
    # network, the authoritative directive should be uncommented.
    #authoritative;
Cont…
    subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.10 192.168.1.20;
        option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
    }
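Added example (not part of the slides): a Python sanity check for the dhcpd.conf fragment above, run on a constructed copy of it. It reports when authoritative is still commented out, and checks that every range lies inside its subnet and avoids the network and broadcast addresses; the router hostnames on the slide are skipped because resolving them needs DNS.

```python
import ipaddress
import re

# Constructed dhcpd.conf fragment matching the declarations shown on the slides
DHCPD_CONF = """
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.20;
  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{([^}]*)\}")
RANGE_RE = re.compile(r"range\s+(?:dynamic-bootp\s+)?(\S+?)(?:\s+(\S+?))?\s*;")
ROUTERS_RE = re.compile(r"option\s+routers\s+([^;]+);")

def strip_comments(text):
    """Drop '#' comments so a commented-out directive is not mistaken for an active one."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def check_dhcpd(conf):
    """Return a list of problems with the subnet declarations (empty list = looks sane)."""
    problems = []
    active = strip_comments(conf)
    if not re.search(r"^\s*authoritative\s*;", active, re.M):
        problems.append("authoritative is not set: dhcpd will not DHCPNAK clients "
                        "that request addresses it does not know")
    for net_addr, mask, body in SUBNET_RE.findall(active):
        net = ipaddress.ip_network(f"{net_addr}/{mask}", strict=True)
        for lo, hi in RANGE_RE.findall(body):
            start, end = ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)
            if start > end:
                problems.append(f"{net}: range {lo} {hi} is reversed")
            for addr in (start, end):
                if addr not in net:
                    problems.append(f"{net}: {addr} lies outside the subnet")
                elif addr in (net.network_address, net.broadcast_address):
                    problems.append(f"{net}: {addr} is the network or broadcast address")
        for router in (r.strip() for m in ROUTERS_RE.findall(body) for r in m.split(",")):
            try:
                if ipaddress.ip_address(router) not in net:
                    problems.append(f"{net}: router {router} is outside the subnet")
            except ValueError:
                pass  # hostnames, as on the slide, would need DNS; not checked offline
    return problems
```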
Setting Up a Mail Server
Message Transfer Agent
• Three components play a role in the process of Internet mail. First there is the message transfer agent (MTA).

• The MTA uses the Simple Mail Transfer Protocol (SMTP) to exchange mail messages with other MTAs on the Internet.

• If a user sends a mail message to a user on another domain on the Internet, it's the responsibility of the MTA to contact the MTA of the other domain and deliver the message there. To find out which MTA serves the other domain, the DNS MX record is used.
Cont..
• Upon receiving a message, the MTA checks whether it is the final destination.

• If it is, it will deliver the message to the local message delivery agent (MDA), which takes
care of delivering the message to the mailbox of the user.

• If, for some reason, the MTA cannot deliver the message to the other MTA, it will queue
it.

• Queuing means that the MTA stores the message in a local directory and will try to
deliver it again later.

• As an administrator, you can flush the queues, which means that you can tell the MTA to
send all queued messages now.
Cont..
• Upon delivery, it sometimes happens that the MTA, which contacted an exterior MTA and delivered the message there, receives it back.

• This process is referred to as bouncing.

• In general, a message is bounced if it doesn't comply with the rules of the receiving MTA, but it can also be bounced if the destination user simply doesn't exist.
Mail Delivery Agent
• Upon receiving a message, the MTA typically delivers it at the mail delivery
agent.

• This is the software component that takes care of delivering the mail
message to the destination user.

• Typically, the MDA delivers mail to the recipient’s local message store,
which by default on Red Hat Enterprise Linux is the directory
/var/spool/mail/$USER.

• In the Postfix mail server, an MDA is included in the form of the local
program.
Mail User Agent
• Finally, the mail message arrives in the mail user agent (MUA).

• This is the mail client that end users use to read their messages or to compose new messages.

• As a mail server administrator, you typically don't care much about the MUA.

• It is the responsibility of users to install an MUA, which allows them to work with email on their computer, tablet, or smartphone.
Setting Up Postfix as an SMTP Server
• Configuration file: /etc/postfix/main.cf

• For troubleshooting the message delivery process, the /var/log/maillog file is an important source of information. It contains status information about the message delivery process.

• Another common task you'll use in both configuration scenarios is checking the mail queue.

• The mail queue is the list of messages that haven't been sent yet because there was some kind of problem.
Cont…
• As an administrator, use the mailq command to check the current
contents of the mail queue or use the postfix flush command to flush
the entire mail queue.

• This means that you’ll tell Postfix to process all messages that are
currently in the mail queue and try to deliver them now.
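The status= field in /var/log/maillog is where sent, bounced and deferred delivery attempts are recorded; deferred messages are the ones sitting in the queue that mailq shows and postfix flush retries. This added Python parser (not from the slides) runs over constructed Postfix log lines and summarises attempts per status and the queue IDs that still need attention.

```python
import re
from collections import Counter

# Constructed /var/log/maillog lines in Postfix's format (not taken from a real server)
MAILLOG = """\
Mar  3 10:15:01 mail postfix/smtpd[2101]: 4F1A2B3C4D: client=unknown[203.0.113.7]
Mar  3 10:15:01 mail postfix/qmgr[1987]: 4F1A2B3C4D: from=<linda@it.com>, size=1832, nrcpt=1 (queue active)
Mar  3 10:15:02 mail postfix/smtp[2110]: 4F1A2B3C4D: to=<leo@example.org>, relay=mx.example.org[192.0.2.25]:25, delay=0.9, delays=0.4/0.1/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK: queued as 9C1D)
Mar  3 10:16:40 mail postfix/smtp[2110]: 5A6B7C8D9E: to=<nobody@example.org>, relay=mx.example.org[192.0.2.25]:25, delay=0.7, delays=0.3/0.1/0.2/0.1, dsn=5.1.1, status=bounced (host mx.example.org[192.0.2.25] said: 550 5.1.1 User unknown)
Mar  3 10:17:05 mail postfix/smtp[2112]: 6B7C8D9EAF: to=<leo@slowhost.example>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to slowhost.example[198.51.100.9]:25: Connection timed out)
Mar  3 10:17:05 mail postfix/cleanup[2099]: 6B7C8D9EAF: message-id=<abc@it.com>
"""

# One delivery-attempt line: timestamp, host, postfix/<process>[pid]: <queue id>: to=<...>, ... status=...
DELIVERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<proc>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>, relay=(?P<relay>[^,]+), .*?"
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<detail>.*)\)$"
)

def parse_deliveries(log):
    """Yield one dict per delivery-attempt line; lines without a status= field are skipped."""
    for line in log.splitlines():
        m = DELIVERY_RE.match(line)
        if m:
            yield m.groupdict()

def delivery_summary(log):
    """Count attempts per status and map queue IDs of bounced/deferred mail to their reason."""
    counts = Counter()
    stuck = {}  # queue id -> (recipient, dsn, detail)
    for d in parse_deliveries(log):
        counts[d["status"]] += 1
        if d["status"] in ("bounced", "deferred"):
            stuck[d["qid"]] = (d["to"], d["dsn"], d["detail"])
    return counts, stuck
```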
Mutt mail client
• The Mutt MUA is available in the default Red Hat Enterprise Linux
repositories, but you’ll have to install it.

• yum -y install mutt

• Interface
Internet Configuration
• There are a few more steps to take to configure a mail server, which is going to handle messages from the Internet.

• Most of the additional tasks relate to security.

• You'll need to make sure your mail server has at least a minimum level of protection against spam and other email abuses.

• To make a secure Internet configuration, you need to set some additional parameters. All of these will be set in the /etc/postfix/main.cf file.
Cont..
• myhostname: This parameter specifies the name of this host. If not specified, it is set to the full DNS domain name of this host.

• mydomain: This parameter specifies the domain of this host.

• myorigin: This parameter determines the domain seen by the email recipient when receiving messages.
Cont..
• inet_interfaces: This parameter specifies the IP addresses of the mail server to which it binds.

• mydestination: This parameter contains a list of all domains for which this server will receive messages.

• mynetworks: This parameter is optional. You can use it to specify the network address from which your MTA accepts messages for relaying without further authentication.
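mynetworks is the parameter that decides who may relay without authenticating, so an over-wide value such as 0.0.0.0/0 turns the server into an open relay. This added Python audit (not from the slides) parses a constructed main.cf using the parameters listed above, expands $mydomain-style references, and flags relay ranges that are not private networks.

```python
import ipaddress

# Constructed /etc/postfix/main.cf fragment using the parameters discussed on the slides
MAIN_CF = """
myhostname = mail.it.com
mydomain = it.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain,
    localhost, $mydomain
# Relay for anyone: this is the setting the audit should flag
mynetworks = 0.0.0.0/0
"""

def parse_main_cf(text):
    """Parse Postfix 'name = value' lines; a line starting with whitespace continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
        elif "=" in raw:
            name, value = raw.split("=", 1)
            last = name.strip()
            params[last] = value.strip()
    return params

def expand(params, value):
    """Resolve $name references (one level is enough for the values used here)."""
    for name, val in params.items():
        value = value.replace("$" + name, val)
    return value

def relay_findings(params):
    """Warn when mynetworks lets untrusted hosts relay without authentication."""
    findings = []
    raw = expand(params, params.get("mynetworks", "")).replace(",", " ")
    for n in raw.split():
        try:
            net = ipaddress.ip_network(n, strict=False)
        except ValueError:
            continue  # hostnames and hash: tables are not checked here
        if net.prefixlen == 0:
            findings.append(f"mynetworks {n}: every host on the Internet may relay (open relay)")
        elif not net.is_private and net.num_addresses > 256:
            findings.append(f"mynetworks {n}: large public range trusted for relaying")
    if params.get("inet_interfaces", "all") == "all" and findings:
        findings.append("inet_interfaces = all exposes the relay on every address")
    return findings
```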
Configuring Dovecot for POP and IMAP
• After installing and configuring the Postfix MTA, users can connect to your server and read mail messages using an MUA such as Mutt.

• To allow users to handle mail on their own computers, you need a service that offers POP or IMAP mail access.

• Dovecot is the default service to do that on Red Hat Enterprise Linux.


Cont..
• When using POP, users can connect to the mail server and download
messages to their own computers.

• When using IMAP, users connect to the mail server and edit their
messages on that mail server.

• POP works fine for users who have one device to handle mail. IMAP works better for users who have multiple devices to handle their mail.
Cont..
• After a default installation of Dovecot, it will offer POP and IMAP.

• To configure POP, you'll tune the /etc/dovecot/dovecot.conf file.

• By default, Dovecot offers POP and IMAP over both a secure and an unsecure port.

• Start the service and enable it at boot:

    service dovecot start
    chkconfig dovecot on
Cont..
• By default, messages are sent unencrypted in Dovecot.

• The default Dovecot certificate and private key are in the files /etc/pki/dovecot/certs/dovecot.pem and /etc/pki/dovecot/private/dovecot.pem.
Configuring Apache on Red Hat Enterprise Linux
Chapter 3
Topics
• Configuring the Apache Web Server
• Working with Virtual Hosts
• Securing the Web Server with TLS Certificates
• Configuring Authentication
• Setting Up MySQL
Configuring the Apache Web Server
• Apache is one of the most used services on Red Hat Enterprise Linux.

• In its most basic form, it offers access to a simple website.
Creating a Basic Website
• Install the Apache software and create some content in the Apache document root.

• The default document root is set to /var/www/html on a Red Hat Enterprise Linux server.

• Just put a file in this directory with the name index.html, and it will be served by your Apache server.
Understanding the Apache Configuration Files
• Everything related to the configuration of your Apache server is in the /etc/httpd directory.

• In this directory, you'll find two subdirectories: conf and conf.d.

• In /etc/httpd/conf, you'll find the main Apache configuration file httpd.conf.

• From the httpd.conf file, many configuration files are included, and by default, they are in /etc/httpd/conf.d.
Cont..
• Many modules are available for Apache to provide different kinds of functionality.

• Each module normally has its own configuration file, which is stored in the /etc/httpd/conf.d directory.

• The names of these configuration files have to end with .conf to ensure they are included by your web server.
Generic Parameters
• The configuration file starts with some generic configuration settings.
• An important directive is ServerRoot; relative paths elsewhere in the file are interpreted relative to it.
1. PidFile (a file that contains the PID of the httpd process), which is set to run/httpd.pid. This filename is relative to the server root directory; hence, the full name is /etc/httpd/run/httpd.pid.
2. Listen: directs httpd to listen on port 80.
3. User and Group: specify the user and group that should be used to run the Apache server.
4. DocumentRoot: specifies where Apache should look for its content.
Apache Mode
• Apache can be started in two different modes:
1. prefork mode
2. worker mode
• The prefork mode is the default mode. In this mode, a master httpd process is started, and this master process starts several httpd server processes.
• In worker mode, one httpd process is active, and it uses different threads to serve client requests.
• Even if the worker mode is a bit more efficient with regard to resource usage, some modules cannot handle it, and therefore the prefork mode is used as the default.
Cont…
• To change the default mode that Apache uses, you can modify the HTTPD parameter in /etc/sysconfig/httpd.

• To use the worker mode, you have to start /usr/sbin/httpd.worker instead of /usr/sbin/httpd:

    HTTPD=/usr/sbin/httpd.worker

• Then restart the httpd process using service httpd restart.


Cont..
• StartServers: This is the number of server processes httpd should always start.

• MinSpareServers: This is the minimum number of spare server processes that are kept. It is good to have a certain minimum because it allows httpd to serve client requests really fast.

• MinSpareThreads: In worker mode, this is the minimum number of spare threads that httpd should keep. You can see that it is set considerably higher than the MinSpareServers parameter in prefork mode.
Cont..
• MaxSpareServers and MaxSpareThreads: This is the maximum number of spare servers or threads that httpd should keep.

• ServerLimit: This is the maximum total number of server processes that can be started.

• MaxClients: This is the maximum number of clients that can be connected. Note that in worker mode, one client can have several concurrent requests, which are opened simultaneously.

• MaxRequestsPerChild: This is the number of requests that can be handled by a server process before it is replaced. In prefork mode, the maximum is capped at 4,000; in worker mode, there is no maximum setting.
Modules
• By including modules, functionality can be added to Apache.

• To include Apache modules, they first need to be installed.

• By default, some of the most common modules are installed to the /etc/httpd/modules directory.

• To tell Apache that it should load a specific module, you need to use the LoadModule directive.

• By default, this directive is used to include many modules.


Cont..
• If a module is loaded, it can also have a specific configuration. There are three ways to load additional configurations for modules:

1. Use the IfModule directive in httpd.conf.
2. Put it in an include file.
3. If a module is common, its parameters can be entered in httpd.conf.
Handling Basic Directory Restrictions
1. AllowOverride:

• This directive is related to the .htaccess file that an administrator can use to restrict access to a given directory.

• If AllowOverride is set to None, the contents of any .htaccess file that is found anywhere in a subdirectory of the current directory will be ignored.
Cont..
2. Order:

• With this directive, you'll specify the order in which Allow and Deny directives are evaluated.

    Order allow,deny
    Allow from 10.100
    Deny from all
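The three lines above do not do what they appear to: with Order allow,deny a matching Deny always wins, and Deny from all matches every client, so even 10.100.x.x is refused; with Order deny,allow the same two rules admit 10.100.x.x only. This added Python model of the Apache 2.2 evaluation rules (not from the slides; the rule sets are constructed) makes both outcomes testable.

```python
# Constructed rule sets: the first is exactly the one on the slide, the second reverses the Order
SLIDE_RULES = ["Order allow,deny", "Allow from 10.100", "Deny from all"]
FIXED_RULES = ["Order deny,allow", "Deny from all", "Allow from 10.100"]

def host_matches(pattern, ip):
    """'from' forms handled: 'all', a full IPv4 address, or a partial address (first 1-3 octets)."""
    if pattern.lower() == "all":
        return True
    want = pattern.split(".")
    return ip.split(".")[: len(want)] == want

def parse_rules(lines):
    """Collect the Order and the Allow/Deny targets (Apache's default Order is deny,allow)."""
    order, allows, denies = "deny,allow", [], []
    for line in lines:
        directive, _, arg = line.strip().partition(" ")
        name = directive.lower()
        if name == "order":
            order = arg.replace(" ", "").lower()
        elif name in ("allow", "deny"):
            targets = arg.split(None, 1)[1].split()  # drop the 'from' keyword
            (allows if name == "allow" else denies).extend(targets)
    return order, allows, denies

def is_allowed(lines, client_ip):
    """Apply the Apache 2.2 mod_authz_host semantics to one client address."""
    order, allows, denies = parse_rules(lines)
    allowed = any(host_matches(p, client_ip) for p in allows)
    denied = any(host_matches(p, client_ip) for p in denies)
    if order == "allow,deny":
        # Allow directives first, then Deny; a Deny match always wins; unmatched clients are denied
        return allowed and not denied
    if order == "deny,allow":
        # Deny directives first, then Allow; an Allow match always wins; unmatched clients are allowed
        return allowed or not denied
    raise ValueError(f"Order {order} is not modelled here")
```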
Apache Log Files
• To help you troubleshoot Apache issues, two log files are used by default.

• You can find these files in the /var/log/httpd directory.

• The access_log file contains information about users who have accessed your server.

• The error_log file has error messages that can be useful in troubleshooting your Apache web server.
Working with Virtual Hosts
• One Apache installation can handle more than one Apache website.

• To handle more than one site from an Apache server, you can create virtual hosts.

• A virtual host is a definition of different websites to be served by the Apache web server.

• You can include this definition in the main Apache configuration file /etc/httpd/conf/httpd.conf or in separate files that you'll create in the /etc/httpd/conf.d/ directory.
Cont…(hosts)
• Before you can start working with virtual hosts, you'll need to make sure that hostname resolving works.

• That means you'll need to make sure the virtual host can be reached by its name.

• Without a DNS record for the name, you'll have to create an entry in the /etc/hosts file.


Cont..
• There are two types of virtual hosts, which can also be combined:

1. name-based virtual hosts
2. IP-based virtual hosts
3. both

• Name-based virtual hosts are the default, and they are easier to set up because you can run multiple Apache sites on one IP address.

• IP-based virtual hosts are often used if SSL is needed on a website, because in SSL it is beneficial if a connection can be traced back to its original unique IP address.

• So, you must set up IP-based virtual hosting to get SSL working.
Securing the Web Server with TLS Certificates
• TLS security guarantees that sensitive data can be encrypted while in
transit.

• It can be used to prove the identity of servers on the Internet.

• To use TLS in an Apache environment, you need mod_ssl.

• After installing mod_ssl, you’ll find its configuration file ssl.conf in the
/etc/httpd/conf.d directory.
Cont..
• Listen 443: This line tells mod_ssl to offer TLS services on port 443.

• SSLCertificateFile: This line tells mod_ssl which file is used for the server certificate. By default, the localhost.crt file is used.

• SSLCertificateKeyFile: This line tells mod_ssl where it can find the private key for the server. By default, the localhost.key file is used.
Setting Up Authentication with .htpasswd
• The first step in setting up authentication is to create a file with the name .htpasswd that contains the names of users and their hashed passwords.

• Make sure that the file is in a directory where web users will never find it to read its contents!

• Putting this file in the directory /etc/httpd is a reasonably secure choice, because it is outside the document root.

• To add user accounts to the .htpasswd file, use the htpasswd command (-c creates the file the first time):

    htpasswd -c /etc/httpd/.htpasswd linda
    htpasswd /etc/httpd/.htpasswd leo
Cont..
• AuthName: Specifies a name that is displayed when a user tries to access the restricted directory.

• AuthType: Specifies the authentication type.

• AuthUserFile: Tells Apache which file to use to find the user accounts and passwords.

• Require valid-user: Tells Apache which users are allowed access. Use valid-user to allow access for any user in the AuthUserFile, or use a list of users to allow access only for specific users.
Cont..
    <Directory />
        AuthName geheim
        AuthType basic
        AuthUserFile /etc/httpd/.htpasswd
        Require valid-user
    </Directory>
Setting Up MySQL
• Use yum install mysql mysql-server to install the MySQL core components.

• Use service mysqld start to start MySQL.

• Add a MySQL root user.

• Use mysql -u root -p, and enter the root password. You'll now enter a MySQL prompt.

    mysql> SELECT User, Host, Password FROM mysql.user;
