[<< wikibooks] RAC Attack - Oracle Cluster Database at Home/RAC Attack 12c/Configure Bind DNS
Enable BIND DNS to start at boot time.

 # SysV init: register named so it is started automatically at boot
 # (on systemd-based hosts the equivalent is "systemctl enable named").
 [root@collabn1 ~]# chkconfig named on

Create the (still empty) forward zone file and give the named group write access to /var/named.

 # named needs write access to /var/named itself (for example for the
 # managed-keys directory /var/named/dynamic configured in named.conf below),
 # which is what the g+w on the directory provides.
 [root@collabn1 ~]# touch /var/named/racattack
 [root@collabn1 ~]# chgrp named /var/named/racattack
 # NOTE(review): 664 also makes the zone file writable by the named user. The
 # zone is a static master (no allow-update is configured), so 644 is enough
 # for named to load it and keeps a compromised named from rewriting it.
 [root@collabn1 ~]# chmod 664 /var/named/racattack
 [root@collabn1 ~]# chmod g+w /var/named

Backup the BIND configuration file.

 # Keep an untouched copy so the in-place edits below can be diffed against
 # it or reverted (the .org file is never read by named).
 [root@collabn1 ~]#  cp /etc/named.conf /etc/named.conf.org

Change /etc/named.conf permissions.

 # NOTE(review): named only reads its configuration file, so a group-readable
 # mode such as 0640 with group named (the usual packaged ownership) is all
 # it needs to start. 664 additionally lets the named user rewrite its own
 # configuration; loosen it only if the restart below really fails.
 [root@collabn1 ~]# chmod 664 /etc/named.conf

The authors report that with the original mode the named restart step fails with write-protection errors in /var/log/messages. Note, however, that named never writes to named.conf; such errors normally concern /var/named (which the earlier chmod g+w /var/named already takes care of), and a group-writable named.conf lets a compromised named process rewrite its own configuration. Prefer to keep the file readable but not writable by the named group, and loosen it only if the restart actually fails.

Run the following command or edit the /etc/named.conf file to change the named configuration manually.

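# Rewrite the stock /etc/named.conf in place for this node:
#   * listen only on the node's lab-network address,
#   * answer queries for the lab subnet and localhost only,
#   * allow zone transfers (AXFR) from the lab subnet,
#   * append the forward ("racattack") and reverse ("in-addr.arpa") zones.
# Arguments: $1 - named.conf path (default /etc/named.conf)
#            $2 - address named listens on (default 192.168.78.51; pass the
#                 node's own address when running this on collabn2)
#            $3 - subnet allowed to query and transfer (default 192.168.78.0/24)
# Returns 0 on success or when the file was already configured, 1 otherwise.
# The guard keeps a second run from appending the zones and allow-transfer a
# second time, which named-checkconf reports as a redefinition.
# Security note: allow-transfer lets every host on the lab subnet dump the
# zones; outside a lab, restrict it to the secondary (collabn2) and use a
# TSIG key for transfers.
configure_named_conf() {
  local conf=${1:-/etc/named.conf}
  local listen_ip=${2:-192.168.78.51}
  local lab_net=${3:-192.168.78.0/24}

  if [[ ! -f "$conf" ]]; then
    printf 'configure_named_conf: %s not found\n' "$conf" >&2
    return 1
  fi
  if grep -q 'zone "racattack"' -- "$conf"; then
    printf 'configure_named_conf: %s already configured, nothing to do\n' "$conf" >&2
    return 0
  fi

  # "|" is the s/// delimiter because $lab_net contains a slash; the
  # "$a" (append) script is single-quoted so the shell does not expand $a.
  sed -i \
    -e "s|listen-on .*|listen-on port 53 { ${listen_ip}; };|" \
    -e "s|allow-query .*|allow-query     { ${lab_net}; localhost; };\n        allow-transfer  { ${lab_net}; };|" \
    -e '$azone "racattack" {\n  type master;\n  file "racattack";\n};\n\nzone "in-addr.arpa" {\n  type master;\n  file "in-addr.arpa";\n};' \
    -- "$conf" || return 1

  # Syntax-check the result when the BIND tools are installed.
  if command -v named-checkconf >/dev/null 2>&1; then
    named-checkconf "$conf" || return 1
  fi
  return 0
}

configure_named_conf /etc/named.conf 192.168.78.51 192.168.78.0/24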

The resulting /etc/named.conf is shown below. The lines that differ from the default are listen-on, allow-query, the added allow-transfer, and the two zone definitions appended at the end:

options {
       // Changed from the default: listen only on this node's lab-network
       // address (on collabn2 this is the collabn2 address).
       listen-on port 53 { 192.168.78.51; };
       listen-on-v6 port 53 { ::1; };
       directory       "/var/named";
       dump-file       "/var/named/data/cache_dump.db";
       statistics-file "/var/named/data/named_stats.txt";
       memstatistics-file "/var/named/data/named_mem_stats.txt";
       // Changed: answer queries only from the lab subnet and localhost.
       allow-query     { 192.168.78.0/24; localhost; };
       // Added: any host on the lab subnet may pull a full copy of the zones
       // (AXFR). Acceptable in a lab; elsewhere restrict this to the
       // secondary (collabn2) and protect transfers with a TSIG key.
       allow-transfer  { 192.168.78.0/24; };
       // Left on so the cluster nodes can resolve outside names through this
       // server; allow-query above bounds who may use it.
       recursion yes;

       // Distro defaults. NOTE(review): ISC's DLV lookaside service has been
       // retired, so newer BIND releases warn about or reject
       // dnssec-lookaside; drop it if named refuses to start on a newer build.
       dnssec-enable yes;
       dnssec-validation yes;
       dnssec-lookaside auto;

       /* Path to ISC DLV key */
       bindkeys-file "/etc/named.iscdlv.key";

       managed-keys-directory "/var/named/dynamic";
};

logging {
       channel default_debug {
               file "data/named.run";
               severity dynamic;
       };
};

zone "." IN {
       type hint;
       file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

// Forward zone for the lab; the file is /var/named/racattack (created below).
zone "racattack" {
 type master;
 file "racattack";
};

// NOTE(review): being master for the whole in-addr.arpa tree means this
// server answers NXDOMAIN, instead of recursing, for every reverse lookup
// outside the nine PTR records it holds. One zone per subnet
// (78.168.192.in-addr.arpa and 100.16.172.in-addr.arpa) would avoid that,
// but the owner names in the reverse zone file would have to change with it.
zone "in-addr.arpa" {
 type master;
 file "in-addr.arpa";
};

Create the zone file for the racattack domain on collabn1 by running the following command:

(Copy & Paste the whole box)

 # Forward zone file for "racattack" (loaded by the zone "racattack" stanza
 # in named.conf). Names without a trailing dot are relative to the zone
 # origin, so "collabn1" means collabn1.racattack. The single-quoted string
 # keeps $TTL literal. Bump the SOA serial (101) whenever this file is edited
 # later, otherwise a secondary on collabn2, if one is configured, will keep
 # serving the old data.
 printf '%s\n' '$TTL 3H
 @       IN SOA  collabn1        hostmaster      (
                                         101   ; serial
                                         1D      ; refresh
                                         1H      ; retry
                                         1W      ; expire
                                         3H )    ; minimum
                 NS      collabn1
                 NS      collabn2
 localhost       A       127.0.0.1
 collabn1        A       192.168.78.51
 collabn1-vip    A       192.168.78.61
 collabn1-priv   A       172.16.100.51
 collabn2        A       192.168.78.52
 collabn2-vip    A       192.168.78.62
 collabn2-priv   A       172.16.100.52
 collabn-cluster-scan     A       192.168.78.251
 collabn-cluster-scan     A       192.168.78.252
 collabn-cluster-scan     A       192.168.78.253' \
 > /var/named/racattack

Create the reverse zone file on collabn1.

(Copy & Paste the whole box)

 # Reverse zone file, loaded by the zone "in-addr.arpa" stanza in named.conf.
 # Because the zone origin is in-addr.arpa itself, each owner name is the
 # full reversed address (51.78.168.192 -> 192.168.78.51); the targets carry
 # a trailing dot so they are not made relative to in-addr.arpa.
 # NOTE(review): with this origin the server is authoritative for the whole
 # reverse tree and will answer NXDOMAIN for any address not listed here.
 # Bump the SOA serial (101) on every later edit.
 printf '%s\n' '$TTL 3H
 @       IN SOA  collabn1.racattack.        hostmaster.racattack.      (
                                         101   ; serial
                                         1D      ; refresh
                                         1H      ; retry
                                         1W      ; expire
                                         3H )    ; minimum
                 NS      collabn1.racattack.
                 NS      collabn2.racattack. 
 
 51.78.168.192   PTR     collabn1.racattack.
 61.78.168.192   PTR     collabn1-vip.racattack.
 51.100.16.172   PTR     collabn1-priv.racattack.
 52.78.168.192   PTR     collabn2.racattack.
 62.78.168.192   PTR     collabn2-vip.racattack.
 52.100.16.172   PTR     collabn2-priv.racattack.
 251.78.168.192  PTR     collabn-cluster-scan.racattack.
 252.78.168.192  PTR     collabn-cluster-scan.racattack.
 253.78.168.192  PTR     collabn-cluster-scan.racattack.' \
 > /var/named/in-addr.arpa

Generate the rndc.key file.

 # Generate the shared secret that authorizes rndc to control named.
 # -r /dev/urandom keeps key generation from blocking on /dev/random in an
 # entropy-starved VM (later BIND releases reportedly ignore the option).
 [root@collabn1 ~]# rndc-confgen -a -r /dev/urandom
  wrote key file "/etc/rndc.key"
 
 # Both named and rndc read the key, so make it readable by group named only;
 # anyone who can read this file can reconfigure or stop the server via rndc.
 # The resulting mode (root:named, 0640) is shown by the ls below.
 [root@collabn1 ~]# chgrp named /etc/rndc.key
 [root@collabn1 ~]# chmod g+r /etc/rndc.key
 [root@collabn1 ~]# ls -lrta /etc/rndc.key
  -rw-r----- 1 root named 77 Nov 10 09:19 /etc/rndc.key

Before restarting, validate the configuration and both zone files with named-checkconf /etc/named.conf, named-checkzone racattack /var/named/racattack and named-checkzone in-addr.arpa /var/named/in-addr.arpa (a typo in a zone file otherwise only shows up as a failed load in /var/log/messages). Then restart the named service.

 [root@collabn1 ~]# service named restart
  Stopping named:                                            [  OK  ]
  Starting named:                                            [  OK  ]

Check that the parameter PEERDNS is set to no in /etc/sysconfig/network-scripts/ifcfg-eth2 to prevent the resolv.conf from being overwritten by the dhcp client:

 DEVICE=eth2
 TYPE=Ethernet
 UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
 ONBOOT=yes
 NM_CONTROLLED=yes
 BOOTPROTO=dhcp
 HWADDR=xx:xx:xx:xx:xx
 # See the note after this listing: DEFROUTE=no and PEERROUTES=no may also be
 # needed on this interface (the reason is not recorded; presumably so the
 # DHCP lease does not install routes that interfere with the cluster).
 DEFROUTE=yes
 # With PEERDNS=no, dhclient no longer overwrites /etc/resolv.conf with the
 # nameservers from the lease, so the lab nameservers stay in place.
 PEERDNS=no
 PEERROUTES=yes
 IPV4_FAILURE_FATAL=yes
 IPV6INIT=no
 NAME="System eth2"
 USERCTL=no

Note (Yury): in practice the following two settings also had to be changed to no on this interface: DEFROUTE=no, PEERROUTES=no.

If it was set to yes previously, restart the network and verify that the file /etc/resolv.conf contains now the correct nameservers:

 [root@collabn1 ~]# service network restart
 Shutting down interface eth0:                              [  OK  ]
 Shutting down interface eth1:                              [  OK  ]
 Shutting down interface eth2:                              [  OK  ]
 Shutting down loopback interface:                          [  OK  ]
 Bringing up loopback interface:                            [  OK  ]
 Bringing up interface eth0:                                [  OK  ]
 Bringing up interface eth1:                                [  OK  ]
 Bringing up interface eth2:
 Determining IP information for eth2... done.
                                                           [  OK  ]

/etc/resolv.conf should list the two cluster nameservers and the racattack search domain, as below. With PEERDNS=no the DHCP client no longer writes this file, so if the contents differ, create or edit it by hand:

 [root@collabn1 ~]#  cat /etc/resolv.conf
 ; generated by /sbin/dhclient-script
 nameserver 192.168.78.51
 nameserver 192.168.78.52
 search racattack

Check that the master DNS on collabn1 is working: the SCAN name must resolve to all three addresses. It is also worth checking a reverse lookup (for example nslookup 192.168.78.251) and, if the VM has outbound access, that a name outside the lab still resolves through this server.

 [root@collabn1 ~]# nslookup collabn-cluster-scan.racattack
 Server:         192.168.78.51
 Address:        192.168.78.51#53
 
 Name:   collabn-cluster-scan.racattack
 Address: 192.168.78.251
 Name:   collabn-cluster-scan.racattack
 Address: 192.168.78.252
 Name:   collabn-cluster-scan.racattack
 Address: 192.168.78.253