# .Pi Top-Level Domain
One member of each group should host a secondary copy of the .pi zone (https://github.com/i314-campbell-sp19/docker-dotpi). This server will be available across the network on the 10.10.10.10 Anycast Address.
To get started, assign an additional address (`10.10.10.10/32`) to your DMZ network interface.[^dmz]
## Install Docker
If you have not already done so, install the Docker service now. The easiest (though not the most secure) method of doing this is to execute the scripted installer from the Docker website:
- Download and run the docker installer, ensuring that it completes without error.
- Give the pi user permission to manage Docker. You must exit and log in again before this change will take effect.
## Build the DotPi Container Image
In order to run the dotpi container, you will need to build a new container image based on the Dockerfile in the GitHub repository. To prepare for this task, clone the docker-dotpi repository and then `cd` into its location.

```sh
sudo apt install git # (1)
git clone https://github.com/i314-campbell-sp19/docker-dotpi.git
cd docker-dotpi
```

- (1) You will need to install git if this wasn't done in a previous task.

From the local repository, you can build the container image by running `docker build -t dotpi .`.
## Create an automated task for zone updates
The zonefile included in the base container will not be up-to-date, but the latest version of this file can be downloaded from https://gist.githubusercontent.com/clintoncampbell/3df1705652a46c1f400607e5542ab827/raw.
To ensure that you are always running with the latest version of the database, you will need to automate the download. Within Linux, cron is responsible for running recurring tasks. We can set up our own tasks within cron by editing the crontab with `crontab -e`.

Follow the steps below to configure a root task that downloads the zone into `/etc/dotpi` once every 30 minutes:
```sh
sudo mkdir -p /etc/dotpi/zones
sudo crontab -e
```

- Insert a new line in the crontab containing `*/30 * * * * wget -O /etc/dotpi/zones/db.pi https://gist.githubusercontent.com/clintoncampbell/3df1705652a46c1f400607e5542ab827/raw`
- Save and exit
- Confirm that the file has been downloaded to `/etc/dotpi/zones/db.pi` (cron first runs the task at the next :00 or :30 minute mark, so wait for that before checking)
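The crontab line above hands whatever `wget` writes straight to the live zone file, so a failed or truncated download, or an HTML error page from the gist host, would be picked up by `named` at its next reload. The script below is an added example, not code from the course repository: it downloads to a temporary file in the zone directory, checks that the result is non-empty and contains an SOA record (and runs `named-checkzone` when that tool is installed), and only then renames it over the existing copy. The script name `fetch-dotpi-zone.sh`, the `ZONE_URL`/`ZONE_DEST` variables and the function names are this example's own choices.

```shell
#!/bin/sh
# fetch-dotpi-zone.sh: safer replacement for the bare wget line in root's crontab.
# Download the .pi zone to a temporary file, validate it, then move it into
# place atomically so a bad download never replaces a working zone file.
# Added example for this page, not part of the docker-dotpi project.
set -eu

# Defaults match the paths and URL used in the instructions above.
ZONE_URL="${ZONE_URL:-https://gist.githubusercontent.com/clintoncampbell/3df1705652a46c1f400607e5542ab827/raw}"
ZONE_DEST="${ZONE_DEST:-/etc/dotpi/zones/db.pi}"

# Return 0 if FILE is non-empty and contains an SOA record (every zone must
# carry one). When named-checkzone is available, also run a full syntax check
# with "pi" as the zone origin.
zone_looks_valid() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -Eqi '^[^;]*[[:space:]]SOA[[:space:]]' "$f" || return 1
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone pi "$f" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# Replace DEST with SRC using rename(2) within the same directory, so named
# sees either the old complete file or the new complete file, never a partial one.
install_zone() {
    src="$1"; dest="$2"
    chmod 0644 "$src"          # readable by the named process in the container
    mv -f "$src" "$dest"
}

# Download URL into a temp file beside DEST, validate it, and install it.
# On any failure the existing DEST is left untouched and the exit code is 1.
fetch_zone() {
    url="$1"; dest="$2"
    dir=$(dirname "$dest")
    tmp=$(mktemp "$dir/.db.pi.XXXXXX")
    if ! wget -q -O "$tmp" "$url"; then
        rm -f "$tmp"
        echo "fetch_zone: download failed, keeping existing $dest" >&2
        return 1
    fi
    if ! zone_looks_valid "$tmp"; then
        rm -f "$tmp"
        echo "fetch_zone: downloaded file is not a valid zone, keeping existing $dest" >&2
        return 1
    fi
    install_zone "$tmp" "$dest"
}

# Only perform the download when this file is executed under its own name;
# this lets the functions be sourced and checked without network access.
if [ "${0##*/}" = "fetch-dotpi-zone.sh" ]; then
    fetch_zone "$ZONE_URL" "$ZONE_DEST"
fi
```

Install the script as `/usr/local/bin/fetch-dotpi-zone.sh`, make it executable, and point the crontab entry at it instead of at `wget` directly (`*/30 * * * * /usr/local/bin/fetch-dotpi-zone.sh`). Because the temporary file lives in the same directory as `db.pi`, the final `mv` is a rename rather than a copy, which is what makes the replacement atomic.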
## Launch the DotPi Container
Use Docker to run the container and bind it to port 53 (UDP and TCP) on the anycast address. The following command also maps the `/etc/dotpi/zones` directory on the host into the container at `/etc/bind/zones`, so that the `named` instance running inside the container will pick up the updates retrieved by the cron job on the host.

```sh
docker run -d --restart always --name dotpi -v /etc/dotpi/zones:/etc/bind/zones -p 10.10.10.10:53:53/udp -p 10.10.10.10:53:53/tcp dotpi
```
## Configure BGP to advertise 10.10.10.10
This section assumes that you have previously configured BGP and peered it with at least one other router. In the commands below, substitute _ASN_ for the Autonomous System Number you used when setting up BGP initially. You can review your previous settings by executing `show run` from the enable prompt of VTY shell.
Run the following commands within VTY shell:
Note that we are advertising the full /24 for the anycast address. In production systems, prefixes more specific than /24 (such as a /32) are often filtered from BGP advertisements in order to constrain the size of the Internet routing tables. As such, a full /24 is used as a covering prefix for the anycast address.
## Test the DotPi Resolver
To confirm that you've installed the resolver correctly, use `dig` to find the NS record for gradebook.pi by running `dig +norecurse @10.10.10.10 NS gradebook.pi`. You should also look up the NS records for your team. If you receive an NXDOMAIN response, confirm that you have provided the proper details in the PiCANN registry. If .pi responds with the wrong address, please add a comment to your name server in the PiCANN Google Sheet so that the instructor can update the registry.

If you have completed the LAN configuration, you should also be able to obtain the same information from your local Bind9 instance by running `dig +norecurse @127.0.0.1 NS gradebook.pi`. The `+norecurse` option is required to keep bind from reaching out to gradebook.pi's authoritative server, which won't be reachable until you are joined to the rest of the class network.
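Checking several names against both the anycast server and the local Bind9 instance by hand gets tedious, and eyeballing `dig` output makes it easy to miss an NXDOMAIN. The script below is an added example, not part of the course materials: it parses the response code and the NS targets out of `dig` output and compares what `10.10.10.10` and `127.0.0.1` return for each name. The embedded `SAMPLE_DIG_OUTPUT` is a constructed response in `dig`'s usual layout, used only so the parsing functions can be exercised offline; the script name `check-dotpi.sh` and the function names are this example's own choices.

```shell
#!/bin/sh
# check-dotpi.sh: query a resolver for the NS records of a .pi name and print
# the result in a form that is easy to compare between servers.
# Added example for this page, not part of the docker-dotpi project.

# Constructed sample of dig output (not a real capture) used to exercise the parsers.
SAMPLE_DIG_OUTPUT='; <<>> DiG (constructed sample) <<>> +norecurse @10.10.10.10 NS gradebook.pi
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;gradebook.pi.			IN	NS

;; ANSWER SECTION:
gradebook.pi.		3600	IN	NS	ns2.gradebook.pi.
gradebook.pi.		3600	IN	NS	ns1.gradebook.pi.

;; ADDITIONAL SECTION:
ns1.gradebook.pi.	3600	IN	A	10.10.20.1

;; Query time: 1 msec'

# Extract the response code (NOERROR, NXDOMAIN, SERVFAIL, ...) from dig output on stdin.
dig_rcode() {
    sed -n 's/.*;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the NS targets found in the ANSWER SECTION of dig output on stdin,
# one per line, sorted so two answers can be compared regardless of order.
dig_ns_targets() {
    awk '
        /^;; ANSWER SECTION:/   { in_answer = 1; next }
        /^;;/                   { in_answer = 0 }
        in_answer && $4 == "NS" { print $5 }
    ' | sort
}

# Query SERVER for the NS records of NAME with recursion disabled and print
# "NAME @SERVER: RCODE target...". Returns 0 only for NOERROR with at least
# one NS record; an NXDOMAIN or an empty answer is reported as a failure.
check_ns() {
    server="$1"; name="$2"
    out=$(dig +norecurse "@$server" NS "$name") || return 2
    rcode=$(printf '%s\n' "$out" | dig_rcode)
    targets=$(printf '%s\n' "$out" | dig_ns_targets | tr '\n' ' ')
    echo "$name @$server: ${rcode:-UNKNOWN} $targets"
    [ "$rcode" = "NOERROR" ] && [ -n "$targets" ]
}

# Run check_ns for each NAME against the anycast .pi server and the local Bind9.
compare_resolvers() {
    for name in "$@"; do
        check_ns 10.10.10.10 "$name" || echo "  -> $name not answered correctly by 10.10.10.10" >&2
        check_ns 127.0.0.1 "$name"   || echo "  -> $name not answered correctly by local Bind9" >&2
    done
}

# Only query the network when executed under its own name with names given,
# e.g. ./check-dotpi.sh gradebook.pi yourteam.pi
if [ "$#" -gt 0 ] && [ "${0##*/}" = "check-dotpi.sh" ]; then
    compare_resolvers "$@"
fi
```

Run it as `./check-dotpi.sh gradebook.pi <your-team>.pi`. Because `check_ns` keeps `+norecurse`, a difference between the two servers means the local Bind9 has a stale or missing secondary copy, not that recursion produced a different answer.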
[^dmz]: If you have not created this interface yet, create a new dummy interface named `dmz0` by following the instructions provided in Configuring Dummy Interfaces in systemd-networkd.