DNS, the Domain Name System, is the Internet service that maps domain names to IP addresses and IP addresses back to domain names. A name server is a host that runs this service: it keeps a database of names and their associated records and, when an application queries it with a domain name, answers with the mapped IP address. Applications can also ask for the domain name that belongs to an IP address (a reverse lookup).
DNS is a large topic, and an entire chapter could be written on the DNS setup alone. This recipe assumes a basic understanding of how the DNS protocol works. We will cover the installation of BIND (the DNS server application), the configuration of BIND as a caching DNS server, and the setup of a Primary Master and a Secondary Master. Along the way we will apply some practices that keep the server from being abused, such as restricting recursion and zone transfers to known networks.
In this article, I will be using four servers. You can create virtual machines if you simply want to test the setup:
- ns1: Name server one / Primary Master
- ns2: Name server two / Secondary Master
- host1: Host system one
- host2: Host system two (optional)
All servers should be configured in a private network. I have used the 10.0.2.0/24 network. We need root privileges on all servers.
Install BIND and set up a caching name server through the following steps:
- On ns1, install BIND and dnsutils with the following command:
```
$ sudo apt-get update
$ sudo apt-get install bind9 dnsutils
```
- Open /etc/bind/named.conf.options, enable the forwarders section, and add your preferred upstream DNS servers:
```
forwarders {
	8.8.8.8;
	8.8.4.4;
};
```
- Now restart BIND to apply the new configuration:
```
$ sudo service bind9 restart
```
- Check whether the BIND server is up and running:
```
$ dig -x 127.0.0.1
```
- You should get output similar to the following (the SERVER line names the resolver that answered):
```
;; Query time: 1 msec
;; SERVER: 10.0.2.53#53(10.0.2.53)
```
- Use dig on an external domain and check the query time:
```
;; Query time: 91 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun May 16 11:25:20 IST 2021
;; MSG SIZE  rcvd: 52
```
- Dig the same domain again and cross-check the query time. It should be lower than for the first query, because the answer is now served from cache:
```
;; Query time: 27 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun May 16 11:25:18 IST 2021
;; MSG SIZE  rcvd: 52
```
The SERVER line in both outputs is 127.0.0.53, the stub listener of systemd-resolved on current Ubuntu releases, so dig asked the local stub and the faster second answer may have come from its cache rather than from BIND. To exercise BIND itself, name it explicitly, for example dig @127.0.0.1 followed by the domain (or @10.0.2.53 from another host), and compare the two query times again.
Set up Primary Master through the following steps:
- On the ns1 server, edit /etc/bind/named.conf.options and add the acl block above the options block:
```
acl "local" {
	10.0.2.0/24; # local network
};
```
- Add the following lines inside the options block:
```
recursion yes;
allow-recursion { local; };
listen-on { 10.0.2.53; }; # ns1 IP address
allow-transfer { none; };
```
Recursion is allowed only for clients matching the local acl, so the server cannot be used as an open resolver from outside the private network, and allow-transfer { none; } disables zone transfers globally (the per-zone allow-transfer statements added later override it). listen-on restricts BIND to the ns1 address: if you also want to query it over loopback from ns1 itself, as in the dig -x 127.0.0.1 check above, add 127.0.0.1 to that list.
- Open the /etc/bind/named.conf.local file to add the forward and reverse zones:
```
$ sudo nano /etc/bind/named.conf.local
```
```
zone "example.com" {
	type master;
	file "/etc/bind/zones/db.example.com";
};
```
```
zone "2.0.10.in-addr.arpa" {
	type master;
	file "/etc/bind/zones/db.10";
};
```
- Create the zones directory under /etc/bind/:
```
$ sudo mkdir /etc/bind/zones
```
- Create the forward zone file using the existing zone file db.local as a template:
```
$ cd /etc/bind/
$ sudo cp db.local zones/db.example.com
```
- The default file should look similar to the following image:
- Edit the SOA entry and replace localhost with the FQDN of your server.
- Increment the serial number. A common convention is YYYYMMDDnn, for example 2015070701; the serial is a 32-bit unsigned integer, so a full date and time such as 201507071100 does not fit in the field and the zone will not load.
- Remove the entries for localhost, 127.0.0.1 and ::1.
- Add new records. Note the trailing dot on ns.example.com.: a name without it is relative to the zone origin, so BIND would read it as ns.example.com.example.com.:
```
; name server - NS records
@	IN	NS	ns.example.com.
; name server A records
ns	IN	A	10.0.2.53
; local - A records
host1	IN	A	10.0.2.58
```
- Save the changes and exit the nano editor. The final file should look similar to the following image:
- Now create the reverse zone file using /etc/bind/db.127 as a template:
```
$ sudo cp db.127 zones/db.10
```
- The default file should look similar to the following screenshot:
- Change the SOA record and increment the serial number.
- Remove the NS and PTR records for localhost.
- Add NS, PTR, and host records, again with trailing dots, since these names lie outside the 2.0.10.in-addr.arpa origin:
```
; NS records
@	IN	NS	ns.example.com.
; PTR records
53	IN	PTR	ns.example.com.
; host records
58	IN	PTR	host1.example.com.
```
- Save the changes. The final file should look similar to the following image:
- Check the configuration files for syntax errors. The command prints nothing when the configuration is valid:
```
$ sudo named-checkconf
```
- Check the forward zone file for syntax errors:
```
$ sudo named-checkzone example.com /etc/bind/zones/db.example.com
```
- If there are no errors, you should see output similar to the following:
```
zone example.com/IN: loaded serial 3
OK
```
- Check the reverse zone file, zones/db.10. Give named-checkzone the reverse zone name rather than example.com, so that the PTR owners and any relative names are validated against the right origin:
```
$ sudo named-checkzone 2.0.10.in-addr.arpa /etc/bind/zones/db.10
```
- If there are no errors, you should see output similar to the following:
```
zone 2.0.10.in-addr.arpa/IN: loaded serial 3
OK
```
- Now restart the DNS server, BIND:
```
$ sudo service bind9 restart
```
- Look up host1 through the new server. Run this from a host that uses ns1 as its resolver, or name the server explicitly (nslookup host1.example.com 10.0.2.53):
```
$ nslookup host1.example.com
```
- You should see output similar to the following:
```
$ nslookup host1.example.com
Server: 10.0.2.53
Address: 10.0.2.53#53
Name: host1.example.com
Address: 10.0.2.58
```
- Now test the reverse lookup:
```
$ nslookup 10.0.2.58
```
- It should output something similar to the following:
```
$ nslookup 10.0.2.58
Server: 10.0.2.53
Address: 10.0.2.53#53
58.2.0.10.in-addr.arpa name = host1.example.com
```
Set up Secondary Master through the following steps:
- First, allow zone transfers to the Secondary Master by setting the allow-transfer option on each zone in /etc/bind/named.conf.local on the Primary Master. The zone-level setting overrides the global allow-transfer { none; } set earlier, so only ns2 (10.0.2.54) can pull the zones and any other AXFR request is refused:
```
zone "example.com" {
	type master;
	file "/etc/bind/zones/db.example.com";
	allow-transfer { 10.0.2.54; };
};
zone "2.0.10.in-addr.arpa" {
	type master;
	file "/etc/bind/zones/db.10";
	allow-transfer { 10.0.2.54; };
};
```
Restricting transfers by source address is the minimum; BIND can additionally authenticate transfers with TSIG keys, which is preferable when the secondary sits on a network you do not fully control.
- Restart BIND9 on the Primary Master:
```
$ sudo service bind9 restart
```
- On the Secondary Master (ns2), install the BIND package as on ns1, and put the same allow-recursion { local; } and allow-transfer { none; } options into its /etc/bind/named.conf.options: do not rely on the default, which in older BIND releases hands the zone to anyone who asks for a transfer.
- Edit /etc/bind/named.conf.local to add the zone declarations as follows (recent BIND releases also accept type secondary and primaries as synonyms for slave and masters). The relative file names are placed under the directory set in named.conf.options (/var/cache/bind on Ubuntu), which is writable by the bind user, so the secondary can store its copies there:
```
zone "example.com" {
	type slave;
	file "db.example.com";
	masters { 10.0.2.53; };
};
zone "2.0.10.in-addr.arpa" {
	type slave;
	file "db.10";
	masters { 10.0.2.53; };
};
```
- Restart BIND9 on the Secondary Master:
```
$ sudo service bind9 restart
```
- This will initiate the transfer of all zones configured on the Primary Master. Check the logs on the Secondary Master in /var/log/syslog to verify the zone transfer, and confirm that ns2 now answers for the zone by querying it directly, for example nslookup host1.example.com 10.0.2.54.
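Whether the transfer above happens, now and on every later change, comes down to one comparison: at each refresh the secondary fetches the primary's SOA and pulls the zone only when the primary's serial counts as newer under the wrapping 32-bit arithmetic of RFC 1982. The following script is an added example, not code from the article or from BIND; it models that decision with constructed serial values, including the case where a zone moved to a date-based serial is later set back to a small number and silently stops replicating, and the two-step serial rollback that fixes it.

```python
"""How the Secondary Master decides whether to pull a zone from the Primary.

Added example, not code from the article or from BIND. It models the refresh
check ns2 performs against ns1: read the primary's SOA serial, compare it with
the serial of the local copy using RFC 1982 serial-number arithmetic (32-bit,
wrapping), and transfer only when the primary's value counts as newer. The
serials below are constructed for illustration; no DNS traffic is generated.
"""

SERIAL_MOD = 1 << 32   # the SOA serial is a 32-bit unsigned integer
HALF = 1 << 31         # RFC 1982 "half the space" threshold


def serial_newer(primary, secondary):
    """RFC 1982: primary > secondary iff 0 < (primary - secondary) mod 2^32 < 2^31.

    A difference of exactly 2^31 is undefined in the RFC; this example treats
    it as "not newer" (an assumption here, not BIND's documented behaviour)."""
    for value in (primary, secondary):
        if not 0 <= value < SERIAL_MOD:
            raise ValueError(f"serial {value} does not fit in 32 bits")
    diff = (primary - secondary) % SERIAL_MOD
    return 0 < diff < HALF


def refresh_decision(primary_serial, secondary_serial):
    """What named on the secondary does when its refresh timer fires."""
    if primary_serial == secondary_serial:
        return "up to date: no transfer"
    if serial_newer(primary_serial, secondary_serial):
        return "transfer: primary serial is newer"
    return "no transfer: primary serial is older, secondary keeps serving its own copy"


def rollback_plan(current, desired):
    """Serials to publish, in order, so secondaries end up on `desired` even when
    desired < current (e.g. after an accidental date-based serial).

    Uses the RFC 1982 two-step: publish current + 2^31 - 1, wait until every
    secondary has transferred, then publish the desired value."""
    if serial_newer(desired, current):
        return [desired]
    step = (current + HALF - 1) % SERIAL_MOD
    if not (serial_newer(step, current) and serial_newer(desired, step)):
        raise ValueError("desired serial is not reachable in two steps")
    return [step, desired]


if __name__ == "__main__":
    # ns2 loaded the zone at serial 3, as the article's named-checkzone output shows.
    print(refresh_decision(3, 3))
    print(refresh_decision(4, 3))             # normal edit: transfer
    print(refresh_decision(2015070701, 3))    # switch to YYYYMMDDnn: transfer
    print(refresh_decision(5, 2015070701))    # "fixing" it back to 5: no transfer
    print(rollback_plan(2015070701, 5))       # two publishes: [4162554348, 5]
```

The last two calls are the trap to remember: once a large serial has reached the secondaries, simply lowering it on ns1 leaves ns2 serving stale data indefinitely, and the only clean way back is the intermediate serial that rollback_plan computes.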
In the first section, we installed the BIND server and enabled a simple caching DNS server. A caching server reduces bandwidth and latency in name resolution: it first tries to answer a query from its cache, and if the entry is not there the query is forwarded to the configured upstream servers and the result is cached for the record's TTL.
In the second and third sections, we set up a Primary Master and a Secondary Master respectively. The Primary Master is the server on which the zone data is edited. The Secondary Master holds a copy of the zones obtained by zone transfer from the Primary and answers for them if the Primary becomes unavailable; it keeps that copy current by polling the Primary's SOA record at the refresh interval and transferring the zone whenever the Primary's serial is newer.
Under Primary Master, we declared a forward zone and a reverse zone for the example.com domain. The forward zone is declared with the domain name as the identifier and contains the type and the filename of the database file. On Primary Master, we set type to master. The reverse zone is declared with similar attributes and uses part of an IP address as the identifier. As we are using a 24-bit network prefix (10.0.2.0/24), we included the first three octets of the address in reverse order (2.0.10), followed by in-addr.arpa, as the reverse zone name.
Lastly, we created the zone files using the existing files as templates. Zone files are the actual database: they hold the records that map FQDNs to IP addresses and vice versa. A forward zone file contains an SOA record, NS records and A (or AAAA) records. The SOA record identifies the zone's primary name server and administrator and carries the serial number and timers that secondaries use to decide when to refresh; NS records name the zone's authoritative servers; A and AAAA records map hostnames to IPv4 and IPv6 addresses. The reverse zone file uses PTR records to map the host part of an address back to a name.
When the DNS server receives a query for a name under the example.com domain, it selects the zone file for that domain, then uses the host part of the queried name to find the record whose address is returned as the answer. Similarly, when a query for an IP address is received, the DNS server looks for the reverse zone matching the queried address and returns the PTR record for its host octet.
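The zone-file steps in the Primary Master section and the explanation of forward and reverse zones above come down to three things to get right: the serial must fit in 32 bits, names outside the zone need a trailing dot, and the forward and reverse data should agree. named-checkzone rejects an overflowing serial, but a missing trailing dot and a forward/reverse mismatch are both syntactically valid and load with "OK". The following script is an added example, not code from the article or from BIND; it performs those checks offline on zone texts constructed from the article's records, with the forward zone deliberately carrying the overflowing serial and the unqualified NS target, plus an assumed host2 at 10.0.2.59 that has no PTR, so that every check has something to report.

```python
"""Offline sanity checks for the forward and reverse zone files built above.

Added example, not code from the article or from BIND. The zone texts are
constructed from the article's records; the forward zone intentionally
contains an overflowing serial, an NS target without a trailing dot, and a
host2 record (assumed address 10.0.2.59) that has no matching PTR.
"""
import ipaddress
import re

FORWARD_ORIGIN = "example.com."
NETWORK = ipaddress.ip_network("10.0.2.0/24")

# Constructed samples; the SOA is written on one line to keep parsing simple.
FORWARD_ZONE = """\
$TTL 604800
@ IN SOA ns.example.com. root.example.com. ( 201507071100 604800 86400 2419200 604800 )
; name server - NS records
@ IN NS ns.example.com
; name server A records
ns IN A 10.0.2.53
; local - A records
host1 IN A 10.0.2.58
host2 IN A 10.0.2.59
"""

REVERSE_ZONE = """\
$TTL 604800
@ IN SOA ns.example.com. root.example.com. ( 2015070701 604800 86400 2419200 604800 )
; NS records
@ IN NS ns.example.com.
; PTR records
53 IN PTR ns.example.com.
; host records
58 IN PTR host1.example.com.
"""

# owner [ttl] IN type rdata  (class IN only, which is all this article uses)
RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(\w+)\s+(.*)$")
# Types whose last rdata field is a domain name subject to $ORIGIN expansion.
NAME_TARGET_TYPES = {"NS", "PTR", "CNAME", "MX"}
SERIAL_MAX = 0xFFFFFFFF


def reverse_zone_name(network):
    """in-addr.arpa zone for an octet-aligned IPv4 prefix, as written in named.conf:
    10.0.2.0/24 -> 2.0.10.in-addr.arpa"""
    if network.version != 4 or network.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 IPv4 prefixes map onto one in-addr.arpa zone")
    octets = str(network.network_address).split(".")[: network.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(address):
    """Fully qualified PTR owner name for one IPv4 address."""
    return ".".join(reversed(str(address).split("."))) + ".in-addr.arpa."


def fqdn(name, origin):
    """BIND's $ORIGIN rule: '@' is the origin; a name without a trailing dot is relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (soa_serial, [(owner_fqdn, type, rdata), ...]); comments and $ directives skipped."""
    serial, records = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        match = RR.match(line)
        if not match:
            continue
        owner, rtype, rdata = match.groups()
        if rtype == "SOA":
            fields = rdata.replace("(", " ").replace(")", " ").split()
            serial = int(fields[2])  # mname rname serial refresh retry expire minimum
            continue
        records.append((fqdn(owner, origin), rtype, rdata.strip()))
    return serial, records


def lint(text, origin):
    """Problems in one zone file: overflowing serial and unqualified name targets."""
    problems = []
    serial, records = parse_zone(text, origin)
    if serial is None or not 0 <= serial <= SERIAL_MAX:
        problems.append(f"SOA serial {serial} does not fit in 32 bits; use YYYYMMDDnn, e.g. 2015070701")
    for owner, rtype, rdata in records:
        target = rdata.split()[-1]
        if rtype in NAME_TARGET_TYPES and not target.endswith("."):
            problems.append(f"{owner} {rtype} {target}: missing trailing dot, "
                            f"BIND will read it as {fqdn(target, origin)}")
    return problems


def cross_check(forward_text, reverse_text, network):
    """Mismatches between A records inside the network and PTR records in the reverse zone."""
    rev_origin = reverse_zone_name(network) + "."
    _, forward = parse_zone(forward_text, FORWARD_ORIGIN)
    _, reverse = parse_zone(reverse_text, rev_origin)
    a_by_ptr = {ptr_owner(rdata): owner for owner, rtype, rdata in forward
                if rtype == "A" and ipaddress.ip_address(rdata) in network}
    ptr = {owner: fqdn(rdata, rev_origin) for owner, rtype, rdata in reverse if rtype == "PTR"}
    problems = []
    for name, host in a_by_ptr.items():
        if name not in ptr:
            problems.append(f"{host} has an A record but no PTR at {name}")
        elif ptr[name] != host:
            problems.append(f"PTR {name} points to {ptr[name]} but the A record belongs to {host}")
    for name, host in ptr.items():
        if name not in a_by_ptr:
            problems.append(f"PTR {name} -> {host} has no matching A record")
    return problems


if __name__ == "__main__":
    for label, text, origin in (("forward", FORWARD_ZONE, FORWARD_ORIGIN),
                                ("reverse", REVERSE_ZONE, reverse_zone_name(NETWORK) + ".")):
        for problem in lint(text, origin) or ["no problems"]:
            print(f"{label}: {problem}")
    for problem in cross_check(FORWARD_ZONE, REVERSE_ZONE, NETWORK) or ["forward and reverse agree"]:
        print(f"cross-check: {problem}")
```

Run against the two samples, the forward zone reports the overflowing serial and the NS target that BIND would expand to ns.example.com.example.com., the reverse zone is clean, and the cross-check flags host2 as having an A record with no PTR. Pointing the script at your real db.example.com and db.10 before restarting BIND catches the same mistakes without a round trip through named-checkzone and nslookup.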