Institute of Computer Science
  1. Courses
  2. 2017/18 spring
  3. System Administration (LTAT.06.003)
ET
Log in

System Administration 2017/18 spring

  • Home
  • Video Lectures
  • Practicals
  • Exam
  • References

Lab 6: Understanding .est Zone forwarding

NB! You have a 60GB storage limit in ETAIS therefore dont forget to delete your backups before creating new ones.

In order to check your usage ...

  • Log into ETAIS environment
  • Choose your project workspace
  • From left menu select Resources -> Private clouds -> click on the name of your cloud (i.e. teacher-cloud ) -> Quotas -> look for Storage: parameter (i.e 44GB of 60GB).
  • You can delete backups by selecting from ETAIS left menu Resources -> Virtual machines -> click on the name of your VM -> Backups -> Choose a backup and on the right click Actions -> Destroy -> Are you sure... -> OK -> Quota should be released automatically for futurebackups.
  • Disclaimer: Please dont overload ETAIS and use only resources you need for System Administration course as University of Tartu HPC backend (as most cloud environments) does not have unlimited physical resources. Anyone found to be violating ETAIS and general rules of this course will be punished with a bad grade or even worse. So really please dont stress-test our system, we know it wont survive denial-of-service attack from well educated cyber security / IT students (as proven by last week downtime). Thank you for your co-operation and good luck with course tasks.

Up to now we have configured our bind9 to contain:

  • Local resolver (serving only localhost 127.0.0.0/8) and it has:
    • Recursive resolver (for resolving world-wide addresses)
      • relying on TLD information available in default bind9 configuration
    • Regular Zone for resolving addresses in personal domain
    • Reverse Mapping Zone for resolving IP in LAB subnet

Any ideas what is still missing ?

You may notice that you can resolve only hosts in your own domain, or the hosts world wide. You can not resolve the hosts in other student domains (sub-domains of .est).

  • Try resolving hosts in teacher's domain:
    • nslookup example.teacher.est
  • You should have NXDOMAIN in response

Any ideas why this is happening ?

What happening in fact is:

  • when resolving the personal domain (sub-domain in .est) - the local Zone definition is used
  • when resolving world wide address, let's say www.ut.ee the recursive resolving is used (finding first .ee then .ut.ee then www.ut.ee using world-wide TLDs)
  • when resolving address in a sub-domain of .est, let's say mail.teacher.est bind9 will still try to rely on recursion.
    • The teacher .est domain is not defined in any local Zones
    • bind9 thinks it is then teacher.est should be world-wide one and starts recursive query (finding .est first then .teacher.est using world-wide TLDs)
    • The point is: none of the world-wide TLDs knows aboy .est - it's inexistent world-wide

We have agreed in the LAB network we use .est as our TLD which is configured on LAB DNS server on 172.17.64.203. This one contains the Zone file containing all the information about the student personal domains inside our lab network. If you check if he can resolve mail.teacher.est it will give 172.17.65.162.

  • dig @172.17.64.203 mail.teacher.est

... should give an answer: 

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13579
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;teacher.est.			IN	A

;; ANSWER SECTION:
teacher.est.		10	IN	A	172.17.65.162

;; AUTHORITY SECTION:
teacher.est.		900	IN	NS	nsdom5.est.

;; ADDITIONAL SECTION:
nsdom5.est.		900	IN	A	172.17.65.162

Therefore it would be enough for our local_resolver to know that in case .est query which is not our personal one (defined locally in Zone file) we should refer to 172.17.64.203 and avoid doing recursive query relying on standard TLDs. The technique is called forwarding and in this case we need to define the zone clause for .est in local_resolver specifying type forward (check the details about zone type forward here). According to documentation regarding type option of the zone clause:

  • in case zone type is forward additional options have to be provided: 
...
A zone of type forward is simply a way to configure forwarding on a per-domain or per zone basis. To be effective both a forward and forwarders statement should be included. 
...
  • So additional options we have to add are:
    • forward option which has only two choices:
      • only - forward only (and not try to user recursion)
      • first - forward once and if not answered try to resolve using recursion
    • forwarders list of IP addresses of the servers to whom to forward the query
      • example: { 8.8.8.8; 7.7.7.7; };

After understanding the idea of forward zone, please, declare the one for .est in your local configuration file of the bind9 service.

Edit the local configuration file of the bind9 service:

  • In local_resolver declare new zone clause:
    • having zone name est
    • having zone type forward
    • having forward option set to only
    • having IP of the LAB main DNS server (172.17.64.203) in the list of forwarders
  • Save the local configuration

Check the configuration files using corresponding syntax checking command

Undestanding DNSSEC

An further important step is to enforce the DNSSEC feature, otherwise forward queries will not work and here is explanation. The forward query resolving is not happening in our local bind9 setup as opposed to recursive queries. In case of forwarding the query is delegated to 172.17.64.203 machine in our case and then 172.17.64.203 is resolving the query relying on his Zone definitions or using the recursion. When delegating the query-resolving somewhere outside our local bind9 setup we need obviously ensure the endpoint is trusted, and here the DNSSEC feature is useful. Without it there is no way to guarantee that the 172.17.64.203 IP is having Name Service which is not compromised. Imagine scenario:

  • first day: we did setup our local bind9 to relay on 172.17.64.203 when resolving .est and we assumed 172.17.64.203 is trusted
  • the next day the IP 172.17.64.203 is assigned to different machine running compromised Name Service software
  • how do we understand the fact of changed software serving port 53 on 172.17.64.203
    • original DNS protocol do no include any features to validate the endpoints

Therefore by default bind9 does not allow the query forwarding if the DNSSEC is not explicitly enabled. If you try resolving some host from .est domain which is not our own sub-domain of .est - this will evolve forwarding the query to 172.17.64.203 (according to our configuration). The answer will be however SERVFAIL, and this OK default behavior of bind9 according to documentation: 

...
 Any tampering with DNS replies would be replaced with a SERVFAIL reply by an intermediate resolver or detected by the resolver on the user's local machine. 
...

Try resolving hostname mail.teacher.est:

  • nslookup mail.teacher.est

It will give SERVFAIL in responce: 

Server:		127.0.0.1
Address:	127.0.0.1#53

** server can't find mail.teacher.est: SERVFAIL

There are number of options that affect the DNSSEC features in bind9 configuration. The default one we have in the options configuration file /etc/bind/named.conf.options :

  • dnssec-enable possible: yes, no (default)
  • dnssec-validation possible values: yes, no, auto (default)

In oder to enforce DNSSEC the options shall be set to yes. The details and explanations of DNSSEC options is well documented here

Edit the options file of bind9 configuration, ensure the following lines are present in the options section:

  • dnssec-enable yes;
  • dnssec-validation yes;

Modify existing lines if needed. Save the options file

Check the configuration using corresponding command

Now everything related to forwarding .est zone should be configured.

Restart bind9 service

  • Check the service status, if bind9 did actually started
    • If not check the log of the bind9 service, fix errors.

If bind9 restart successfully, you may check if the forwarding now working. The previously failing query mail.teacher.est should now give 172.17.65.162 in response.

Lookup the mail.teacher.est

  • nslookup mail.teacher.est

Should give an answer like: 

Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	mail.teacher.est
Address: 172.17.65.162

Understanding other existing Zone files in bind9 default setup

There are existing zone-data files given in /etc/bind directory, and those are referenced in the /etc/bind/named.conf.default-zones (the one we included in local_resolver):

  • db.root
    • Very important zone data file - holds the information on root name servers, thanks to it our local_resolver can do recursive queries ( recursion yes; directive makes sense only if bind9 knows where to find the "." TLD responsible servers).

Now the next 4 files are there because of RFC recommendation. According to RFC1912 (point 4.1): 

Certain zones should always be present in nameserver configurations.
...
These are set up to either provide nameservice for "special"
addresses, or to help eliminate accidental queries for broadcast or
local address to be sent off to the root nameservers. 
...

Regarding the localhost address in the context of DNS configuration and RFC1912 recommends: 

...
The "localhost" address is a "special" address which always 
refers to the local host. 
...
localhost by itself is used and expected to work in some systems.
Translating 127.0.0.1 into "localhost.dom.ain" can cause some
software to connect back to the loopback interface when it didn't
want to because "localhost" is not equal to "localhost.dom.ain".
...

Therefore we have following zone data files regarding localhost:

  • db.local
    • Contains the localhost to IP associations (127.0.0.1 IPv4 and ::1 IPv6). We have the corresponding associations in /etc/hosts file, which is considered before the DNS resolver (from /etc/resolv.conf).
  • db.127
    • Reverse associations for localhost (backwards 127.0.0.1 to localhost)

Additionally RFC1912 recommends to kill the queries to broadcast addresses in order to avoid accidental PTR queries on the "." TLD nameservers: 

...
to help eliminate accidental queries for broadcast 
or local address to be sent off to the root nameservers.
...
The "255" and "0" files should not contain any additional 
data beyond the NS and SOA records.
...

Therefore there are two files that contain nothing, and are meant just to capture the PTR queries regarding 255.x.x.x and 0.x.x.x addresses:

  • db.255 - capturing accidental PTR queries regarding 255.x.x.x addresses
  • db.0 - capturing accidental PTR queries regarding 0.x.x.x addresses

Seriously, there is no reason to overload the TLD root servers with non-sense queries as broadcast address is not-unique address anyway.

The only zone data file which is not referenced in /etc/bind/named.conf.default-zones is:

  • db.empty

You may find its reference in /etc/bind/zones.rfc1918 configuration file, which we did not include anywhere:

  • # cd /etc/bind
  • # grep -RnH zones.rfc1918 .

The output should look like: 

./named.conf.local:7://include "/etc/bind/zones.rfc1918";

... looks like the inclusion of this file is disabled ?

We know that RFC1912 is recommended to prevent sending the non-sense PTR queries to TLD root servers, and it is fulfilled in previously described zone files (db.0, db.255, db.127). Looks like there is another recommendation RFC1918 which is about the private subnets: 

...
The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private internets:

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
...

And the question is ''shall we also exclude PTR queries regarding these addresses from being sent to TLD root servers ? The answer is you should only serve PTR queries of the corresponding subnetwork that your are using and kill all the rest by serving empty zones. And this is exactly what the /etc/bind/zones.rfc1918 configuration file is for: it associates an empty zone to IP address ranges of private networks: 

...
zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
...
zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
...
zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
...

Once included in bind9 configuration, the /etc/bind/zones.rfc1918 included will capture all PTR queries regarding private subnets. The only place where we allow such queries is the VM itself (recursion is only enabled for the queries sent from loopback interface of the VM). Hence the place where to include the /etc/bind/zones.rfc1918 is the local_resolver, moreover an inclusion must appear after the reverse zone declarations. Next lets add enable /etc/bind/zones.rfc1918 inclusion in our configuration. The /etc/bind/zones.rfc1918 file contains everything we need except for one line which we want to exclude: 

...
zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
...

Enable the RFC1918 suggested declarations. First, make sure 172.17.0.0 is excluded from the zones.rfc1918:

  • Edit /etc/bind/zones.rfc1918
    • Find the reverse zone declaration for 172.17.0.0 network:
      • Comment out this line, please do forget we use // for commenting int conf files, in contrast to ;; used in zone files.
  • Save and close the file.

Next, enable RFC1918 zones inclusion in local_resolver:

  • Edit the named.conf.local file:
    • Find the recommendation of RFC1918, it is marked with a comment: 
...
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
...
  • Move the corresponding fragment of configuration into your local_resolver (as lines of a resolver)
  • Uncomment the include statement
  • Save and close the file
  • Do syntax check of the configuration
  • If OK, restart the bind9 service

Make sure the reverse lookups are not broken by adding the RFC1918 zones, those queries must perfectly work:

  • host yourVM-IP should work
  • host <any public IP address>

... in contrast, those queries have fail with NXDOMAIN:

  • host 10.0.0.6
  • host 192.168.0.4
  • actually any query to private address except our campus network (172.17.0.0)

Understanding the search keyword of /etc/resolv.conf

As we have configured now the local DNS server, and even featured it with information about personal domains in a fake domain est. We may remove corresponding alias from the /etc/hosts (remember we have added a record regarding our host name and FQDN into /etc/hosts file. We do not need it anymore - the local DNS server (if configured correct) should resolve it for us.

In /etc/resolv.conf file we have a system resolver configuration setup: 

...The resolver is a set of routines in the C library that provide access to the Internet Domain Name System (DNS). The resolver configuration file contains information that is read by the resolver routines the first time they are invoked by a process...

More details regarding /etc/resolv.conf you may read using corresponding man command:

  • man resolv.conf
  • ... or in web browser by opening this link.

Normally in client machine configurations, we have /etc/resolv.conf automatically configured by the DCHP client when joining new network and the following variables are then assigned:

The options we are interested in are:

  • nameserver - Name server IP address
  • domain - Local Domain Name
  • search - Search-list for host name lookup

In some configuration however we use static IP and therefore the /etc/resolv.conf have to edit manually. We did already edit it at least once, putting following line in it in First DNS lab https://courses.cs.ut.ee/2018/sa/spring/Main/DNS#DHCPconf

  • Make sure you disabled auto-update of domain-name, domain-name-servers, domain-search parameters in file /etc/dhcp/dhclient.conf
  • Make sure file /etc/resolv.conf contains lines 
domain <yourdomain>.est
search <yourdomain>.est
nameserver 127.0.0.1

nameserver 127.0.0.1 guarantee our OS will refer to our local DNS server for host name resolving, the following queries should work: Up to now local DNS should be able to resolve:

  • nslookup www.ut.ee
  • nslookup yourhost.yourdomain.est

In our /etc/hosts file we however did declare an alias for both host name and FQDN, so both yourhostname as well as yourhostname.yourdomain.est are in use. If you check:

  • nslookup yourhostname - giving host name with no FQDN ...
  • nslookup yourhostname.<personaldomain>.est - giving host name as FQDN ...
    • They both should work.

OK for educational purposes lets now brake the configuration so you see what happens if you would have not changed domain and search parameters in previous lab.

Edit the /etc/resolv.conf :

  • Make sure is has line nameserver 127.0.0.1
  • If not there add the following lines:
    • domain wrong.est
    • search wrong.est
  • nslookup yourhostname - giving host name with no FQDN ...
    • There will be result NXDOMAIN. This is OK behavior as the OS does not know his domain through /etc/resolv.conf , and just need to add the corresponding variables into this file.
  • nslookup yourhostname.<personaldomain>.est - giving host name as FQDN ...
    • should work.

Edit the /etc/resolv.conf :

  • Make sure is has line nameserver 127.0.0.1
  • Change domain and search lines back to correct ones
    • domain <yourdomain>.est
    • search <yourdomain>.est

Now the OS should also be able to resolver short host names (with no FQDN) in your domain again:

  • nslookup yourhostname where hostname is your short hostmane (i.e. teacher.est)

Should give an distinct IP now

Check /etc/hosts file:

  • There should be alias 127.0.1.1 for yorhostname and yourhostname.yourdomain.est
    • Make a change in /etc/cloud/cloud.cfg as recommended by hosts file so that cloud system does not overwrite it.
  • NOW reboot your instance to apply changes

After reboot, Check by ping your own host from VM command line, it should still work:

  • ping yourhost.yourdomain.est
  • ping yourhost

Configuring world resolver

If everything we configured so far for our local resolver works perfectly ?

Local resolver is having recursion enabled and the default-zones with "." TLD hints are attached:

  • The DNS server should be able to resolve any existing world wide address.
    • $ nslookup www.ut.ee
    • etc.

Local resolver is having Zone yourdomain.est attached and also the corresponding reverse mappings.

  • The DNS server should be able to resolve your individual domain and the hosts inside:
    • nslookup yourhostname.yourdomain.est
    • nslookup ns1.yourdomian.est
    • host yourVM-IP

Local resolver is configured to forward the est Zone queries to IP 172.17.64.203 (in case the sub-domain is unknown in your local Zone declaration:

  • The teacher's VMs or the other students VMs.
    • nslookup teacher-vm.teacher.est
    • You may also just select any domain and host name we have enlisted in the list of students IPs.

You may however notice when resolving the other students host name the nslookup command just hangs for awhile and the gives SERVFAIL. This is OK behavior as everything we configured so far regarding the DNS - is isolated inside your own VM (127.0.0.0/8).

  • # netstat -upln | grep named

... so the port 53 of the bind9 is bound only on the 127.0.0.1 interface isn't it ?

In order to make it listening world-wide (all interfaces and all IP addresses that VM currently has) what shall we do ?

Edit the bind9 options configuration file:

  • Check what IP addresses your VM has directly attached # ip addr l
  • Add the IP address of your VM to the list of addresses the bind9 is listening on, listen-on option (the currently containing only 127.0.0.1)
    • listen-on { 127.0.0.1; 192.168.42.X; }; - where 192.168.42.X is the Internal network IP address of your VM
    • Example, for teacher.est we have it { 127.0.0.1; 192.168.42.17; };
  • Save the file
  • Check the configuration using named-checkconf command
    • If everything is OK - restart the bind9 service
  • # netstat -upln | grep named

... what do you see now ? is the bind9 service listening to the LAB network too ? (does the list contain both 127.0.0.1 (localhost) and the IP of your VM)

Additionally we have local_resolver is set to server local network only:

  • allow-query clause is set to white list goodclients which is 127.0.0.0/8 network

Let's now create another resolver calling it world world_resolver and make it serving Zone yourdomain.est to everyone except 127.0.0.0/8 network (all networks except local one). So the world_resolver shall contain only one zone clause and nothing else (no forwarding, no reverses and no recursion).

Edit the the bind9 local configurations file:

  • Append world resolver declaration
    • Use view clause
    • Use view name "world_resolver"
    • Follow the syntax of the view clause
    • Inside world_resolver add:
      • allow-query { any; };
      • recursion no;
  • Copy the Zone "yourdomain.est" from the local_resolver into world_resolver

Now we have 2 resolvers declared local_resolver and world_resolver, let's make them aware of each other by adding match-clients and match-destinations options into both world_resolver and local_resolver . By adding them we tell the particular resolver to take actions on the queries that have positive match, and if there is no match then the resolver should skip the query so the next resolver tries to match it. Details about match- options of the view your may read here. In our setup we have local_resolver the first and world_resolver second, according to local configuration of the bind9 . So we want local_resolver to first match the query ( check if this originates from 127.0.0.0/8 and was sent to port 53 of 127.0.0.1 ).

Edit the bind9 local configuration file:

  • Inside the local_resolver:
    • Add properly the match-clients and match-destinations options
    • Use the white list goodclients we declared in the beginning

Now in the world_resolver we match any clients and any destinations

Edit the bind9 local configuration file:

  • Inside the world_resolver:
    • Add properly the match-clients and match-destinations options
    • Use the word any in place of white list
  • Save the file
  • Do the syntax check bind9 using proper command
  • Restart the bind9 service

If everything was configured properly both local_resolver and world_resolver should now serve Zone yourdomain.est, which should be observable from the bind9 logs. Example of the log file for teacher.est domain: 

...
11-Apr-2016 17:50:03.593 general: info: zone teacher.est/IN/world_resolver: loaded serial 2015040602
...
11-Apr-2016 17:50:03.606 general: info: zone teacher.est/IN/local_resolver: loaded serial 2015040602
...

In addition you may test if both world and local resolvers are working properly by resolving hosts in your own domain:

  • dig @127.0.0.1 yourdomain.est - the local resolver should take action
  • dig @192.168.42.Y yourdomain.est - the world resolver should take action
    • here 192.168.42.Y refers to your server real IP that you can see with command ip addr l

Both queries should give same answer

However the recursive queries should only work on local resolver:

  • dig @127.0.0.1 www.ut.ee - the local resolver should take action
    • should give an IP address of the www.ut.ee
  • dig @192.168.42.Y www.ut.ee - the world resolver should take action
    • should give REFUSED ( we did disable recursion on world resolver )

Also the est Zone forwarding should only work on local rsolver

  • dig @127.0.0.1 teacher.est - the local resolver should take action
    • should give an IP address of the teacher.est
  • dig @192.168.42.Y teacher.est - the world resolver should take action
    • should give REFUSED ( we did not inlcude Zone "est" forwarding in world resolver )

If everything works as expected - the DNS service is ready to be exposed to LAB network. Yes, it is no yet available in LAB network - our firewall does not have the corresponding rule added.

Enable Firewall and final testing.

In cloud environment our VM is protected by 2 different Firewalls:

  1. Firewall in Debian
  2. NAT router acting as Firewall in cloud infrastructure

Open debian Firewall ports

  • Try to understand current Firewall rules # iptables -n -L -v --line-numbers
  • Add the new rule allowing UDP port 53 used by DNS service
    • i.e with command # iptables -I INPUT 4 -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
    • Try to understand iptables rule parameters as next lab you have to be able to create custom Firewall rules yourself.
    • Do not save iptables live configuration yet, lets test it first and later save it with iptables-save command. If you mess up live (running) Firewall an lock yourself out you can revert to last known good by forcing restart in ETAIS.

You can check active Firewall configuration with command # iptables -S and # iptables -n -L -v --line-numbers

Enable traffic through in NAT

Network address translation (NAT) is a method of remapping one IP address space into another by modifying network address information in IP header of packets while they are in transit across a traffic routing device. The technique was originally used as a shortcut to avoid the need to readdress every host when a network was moved. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network. https://en.wikipedia.org/wiki/Network_address_translation

Our Cloud environment is actively remapping 172.17.64.A IP range to 192.168.42.B and more precisely we use one-to-one NAT or basic NAT.

Now we need to allow traffic through your NAT router in cloud environment. It can be done by something called security groups.

  • Log into ETAIS environment
  • Choose your project workspace
  • From left menu select Resources -> Private clouds -> click on the name of your cloud (i.e. teacher-cloud ) -> Security groups -> look for security group named ssh and click Actions -> Set rules -> Identify parameters of SSH rule and click cancel
  • Repeat the action for Security group ping
  • Add new rule for DNS
    • Click Create
    • Name -- DNS
    • Description -- Open UDP port 53 for DNS
    • Click Add rule
    • IP protocol -- UDP
    • From port -- 53
    • To port -- 53
    • Click Submit
  • From left menu select Resources -> Virtual machines -> Actions -> Update Security Groups -> Add Security Goups DNS and ping.

Our DNS should work now so we do not need anymore an alias in /etc/hosts file:

Edit the /etc/hosts :

  • remove the alias of yorhostname and yourhostname.yourdomain.est

Check by ping your own host from VM command line, it should still work:

  • ping yourhost.yourdomain.est
  • ping yourhost

Now lets test the configuration from your personal laptop / machine.

Depending which operating system you use following actions may differ slightly

  • Open Command prompt (in Linux & Mac terminal)
  • ping 172.17.64.X where 172.17.64.x should refer to your Public IP (a.k.a. External IP).
    • Should get positive reply from your personal VM
  • nslookup yourhost.yourdomain.est where yourhost.yourdomain.est Should refer to FQDN of your VM
    • This should not work as your machine is probably using University of Tartu DNS server that does not know anything about .est domain.
  • Add 172.17.64.203 (or your own IP 172.17.64.X) as primary DNS server for your laptop
    • Now depending of which host operating system you use actions differ greatly.
    • In Linux you can edit /etc/resolv.conf but remember that in most modern OS-es it will be overwritten by Network Manager (or DHCP service) if you change network (network updates).
    • In Windows you should change Network interface Properties of IPv4 protocol and specify custom DNS server there. NB! Do not forget to add one working public DNS server also i.e Google 8.8.8.8.8
  • Finally after adding changes done, you should be able to refer to your VM by host name from the client machine (the one you use to connect to with SSH):
  • nslookup yourhost.yourdomain.est where yourhost.yourdomain.est Should refer to FQDN of your VM
    • Should return now your IP address
  • ping yourhost.yourdomain.est should work also in client machine
  • In SSH client you may now use the yourhost.yourdomain.est in place of yourVM-IP when connecting.
  • NB! Do not forget to change your personal laptop back to Dynamic DNS after lab as otherwise you might encounter internet loss at some point in future.

Setting Manual DNS in Windows

Correct answer from custom DNS server in Windows

If everything works till now lets save new Firewall configuration.

  • # iptables-save > /etc/firewall.conf
  • Institute of Computer Science
  • Faculty of Science and Technology
  • University of Tartu
In case of technical problems or questions write to:

Contact the course organizers with the organizational and course content questions.
The proprietary copyrights of educational materials belong to the University of Tartu. The use of educational materials is permitted for the purposes and under the conditions provided for in the copyright law for the free use of a work. When using educational materials, the user is obligated to give credit to the author of the educational materials.
The use of educational materials for other purposes is allowed only with the prior written consent of the University of Tartu.
Terms of use for the Courses environment