Difference between revisions of "DNS server unique zone"

m (WikiFreak moved page DNS server to DNS server unique zone)
=Setup=

<syntaxhighlight lang="bash">
apt-get install bind9 dnsutils bind9-doc
</syntaxhighlight>

==Set the external DNS==

This is the list of external DNS servers your server forwards queries to in order to populate its own cache.

The external DNS can either be your ISP's DNS or Google's servers.

!! Mind the order !!

The first DNS server listed has the highest priority.

Edit the configuration file:
 
 
<syntaxhighlight lang="bash">
vim /etc/bind/named.conf.options
</syntaxhighlight>
 
 
 
Uncomment and adjust the file content:

<syntaxhighlight lang="bash">
[...]
forwarders {
    # Your ISP's DNS IPs
    182.176.39.23;
    182.176.18.13;

    # Google's DNS
    8.8.8.8;
    8.8.4.4;
};
[...]
</syntaxhighlight>
 
  
  
 
==Use the local DNS server as default one==
 
 
Now that your server is ready to be used, make sure your machines actually use it !!
 
 
* All the clients will get their configuration from DHCP (see [[DHCP server]]).
 
 
* On the local server, you have to edit your current IP settings
 
 
 
 
<syntaxhighlight lang="bash">
vim /etc/network/interfaces
</syntaxhighlight>
 
 
 
Adjust it like that:

<syntaxhighlight lang="bash">
# The primary network interface [static IP]
auto eth0
iface eth0 inet static
        address 172.16.50.2
        netmask 255.255.255.0
        gateway 172.16.50.1
        network 172.16.50.0
        broadcast 172.16.50.255

        # Local DNS server on 172.16.50.2 as default. The DNS server itself forwards requests to the external DNS servers.
        dns-nameservers 172.16.50.2
        dns-search smartcards.local
        dns-domain smartcards.local
</syntaxhighlight>
 
 
 
Don't forget to reboot so that your configuration changes take effect !
 
 
 
 
==Test your configuration==
 
 
 
===Test on SERVER side===
 
 
 
Run the following commands to check your configuration. All commands should output '''OK''' or be a ping success. :)
 
 
 
Check the local zone (the zone name and the file must match the ones declared in named.conf.local):

<syntaxhighlight lang="bash">
named-checkzone smartcards.local /etc/bind/smartcards.local
</syntaxhighlight>
 
 
 
Check the reverse zone:

<syntaxhighlight lang="bash">
named-checkzone 50.16.172.in-addr.arpa. /etc/bind/db.172
</syntaxhighlight>
 
 
 
 
Now you can try to ping the router and a client:

<syntaxhighlight lang="bash">
ping cisco-router
ping smartcard-prod-00
</syntaxhighlight>
 
 
 
Now you can try to ping a website:

<syntaxhighlight lang="bash">
ping dev.daxiongmao.eu
</syntaxhighlight>
 
 
 
===Test on CLIENT side===
 
 
 
Try to ping the DNS server by name from a client:

<syntaxhighlight lang="bash">
ping smartcard-gw
</syntaxhighlight>
 
 
 
Now you can try to ping a website:

<syntaxhighlight lang="bash">
ping tcl.fr
</syntaxhighlight>
 
 
  
  
 
 
 
 
=Disable IPv6 DNS requests=
 
 
You can still listen on your local IPv6 interface; however, '''if your router is not IPv6 compatible you should disable IPv6 requests'''. If you do not disable IPv6 requests, you will see the following errors in /var/log/syslog:

<syntaxhighlight lang="bash">
error (network unreachable) resolving './DNSKEY/IN': 2001:: ...
</syntaxhighlight>
 
 
 
Edit the configuration file:

<syntaxhighlight lang="bash">
vim /etc/default/bind9
</syntaxhighlight>

Add / update the options:

<syntaxhighlight lang="bash">
OPTIONS="-4"
</syntaxhighlight>
 
 
 
The -4 option means that named uses IPv4 only for its own queries, even if the host is IPv6 capable.
 
 
 
Restart the service and check your logs.
 
 
 
 
 
=Disable DNS SEC=
 
 
DNS is one of the most vulnerable protocols: answers are not authenticated. That is why its secured extension, called "DNS-SEC", is being deployed right now.

But... enabling '''DNS SEC can lead to security errors and blocked forwarding''' if you don't have a proper certificate. Keep in mind that with validation disabled, the resolver will also accept answers whose signatures it would otherwise have rejected.
 
 
 
I don't have enough time to set up the correct certificate, so I disabled DNS-SEC.
 
 
 
'''Edit configuration file''':

<syntaxhighlight lang="bash">
vim /etc/bind/named.conf.options
</syntaxhighlight>

Disable the DNS-SEC options:

<syntaxhighlight lang="bash">
dnssec-enable no;
dnssec-validation no;
</syntaxhighlight>
 
 
 
Restart the service and check your logs.
 
 
  
  

Revision as of 13:18, 22 August 2014


The DNS (Domain Name System) is a key component of a network infrastructure. It allows you to use names instead of IP addresses and other technical garbage.

You can learn how it works through a simple Google request.


Here, I will present the installation of:

  • DNS primary server (= DNS for domain smartcards.local) using BIND9
  • Local domain (.local)


You can re-use all this content for a web-site or public domain. Just replace smartcards.local by mywebsite.com.



Primary master

A DNS primary master is the main DNS for your local domain (ex: smartcards.local).


These are the steps to do:

  • Set the external DNS to use by your server
    • File: /etc/bind/named.conf.options
  • Declare the new domain to manage
    • File: /etc/bind/named.conf.local
  • Create a dedicated configuration file for the new domain
    • New file: /etc/bind/smartcards.local
  • Adjust the reverse zone
    • File: /etc/bind/named.conf.local
    • Rename and adjust file: /etc/bind/db.192


Declare the new domain

Edit configuration file:

vim /etc/bind/named.conf.local


Uncomment and adjust the file content

zone "smartcards.local" {
        type master;
        file "/etc/bind/smartcards.local";
};


Domain configuration file

Create the domain configuration file from a local template:

cp /etc/bind/db.local /etc/bind/smartcards.local


Edit configuration file:

vim /etc/bind/smartcards.local


Adjust the file content

;
; BIND data file for smartcards.local (you can use mywebsite.com)
;
$TTL    604800
@       IN      SOA     smartcard-gw.smartcards.local. root.smartcards.local. (
                       20140603         ; Serial
                                        ; As the serial must be changed every time you edit this file,
                                        ; it is recommended to use the pattern "yyyyMMdd"
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

;
; DNS server declaration
; Each NS must point to an A record, not a CNAME.
; This is where the Primary and Secondary DNS servers are defined
;
@                IN      NS      smartcard-gw.smartcards.local.
smartcard-gw     IN      A       172.16.50.2

;
; -- alternative --
; To declare a name server for a specific domain only
;
;website.com      IN      NS      smartcard-gw.website.com.
;website.com      IN      A       172.16.50.2


;
; Gateway (router)
;
cisco-router      IN      A       172.16.50.1

;
; Declare your servers and network hosts
;
smartcard-prod-00 IN      A       172.16.50.50
smartcard-prod-01 IN      A       172.16.50.51
smartcard-prod-02 IN      A       172.16.50.52
smartcard-prod-03 IN      A       172.16.50.53

; Create an alias to an existing record
;www              IN      CNAME   smartcard-gw


Notes:

  • Don't forget to adjust the serial every time you edit the file !
  • NS = Name server
  • A = IP v4 entry
  • AAAA = IP v6 entry
  • CNAME = Alias to a previous A or AAAA entry


Reverse zone file

Now that the zone is set up and resolving names to IP addresses, a reverse zone is also required. A reverse zone allows DNS to resolve an address back to a name.


Declare reverse zone

Edit configuration file:

vim /etc/bind/named.conf.local


Add the following reverse

# Our reverse zone
# Server IP 172.16.50.2
zone "50.16.172.in-addr.arpa" {
        type master;
        file "/etc/bind/db.172";
};


Key points:

  • Replace 50.16.172 with the first three octets of whatever network you are using - in reverse order!
  • Name the zone file /etc/bind/db.172: the name should match the first octet of your network.


Configure reverse zone

Now create the /etc/bind/db.172 file:

cp /etc/bind/db.127 /etc/bind/db.172


Edit the new file:

vim /etc/bind/db.172


The content is basically the same as /etc/bind/smartcards.local:

;
; BIND reverse data file for local 172.16.50.XXX net
;
$TTL    604800
@       IN      SOA     smartcard-gw.smartcards.local. root.smartcards.local. (
                       20140603         ; Serial
                                        ; As the serial must be changed every time you edit this file,
                                        ; it is recommended to use the pattern "yyyyMMdd"
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; Local server (the NS target must be the fully qualified name, with the trailing dot)
;
@       IN      NS      smartcard-gw.smartcards.local.
2       IN      PTR     smartcard-gw.smartcards.local.

; Gateway (router)
1       IN      PTR     cisco-router.smartcards.local.

;
; Other components and hosts
;
50       IN      PTR     smartcard-prod-00.smartcards.local.
51       IN      PTR     smartcard-prod-01.smartcards.local.
52       IN      PTR     smartcard-prod-02.smartcards.local.
53       IN      PTR     smartcard-prod-03.smartcards.local.


Notes:

  • Don't forget to adjust the serial every time you edit the file !
  • You only need to put the last octet of the address in the reverse zone; the names on the right-hand side must be fully qualified (trailing dot), otherwise the zone origin gets appended to them
  • PTR = pointer back to the name of an A entry


Take changes into account

service bind9 restart


DNS server logs

Logs are in /var/log/syslog



Add new hostname

This is how to add a new hostname to the network:


Update LOCAL zone

Edit local zone:

vim /etc/bind/smartcards.local


Add an A or AAAA entry:

my-new-host       IN      A       172.16.50.60


Update REVERSE zone

Edit reverse zone:

vim /etc/bind/db.172


Add a PTR entry for the last octet of the new address:

60       IN      PTR     my-new-host.smartcards.local.


Restart service

service bind9 restart
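As an added example (not code from the original page or from BIND), here is a small Python checker for the zone files built above: it parses the record subset used on this page, verifies that NS targets are A records rather than CNAMEs, that serials follow the recommended yyyyMMdd pattern, and that every A record in the network has a matching PTR and vice versa, which is exactly what the add-new-hostname procedure has to keep in sync. The sample zones are constructed for the example and the parser is a hypothetical minimal one; run named-checkzone on the real files as well.

```python
import re

def fqdn(name, origin):                          # qualify a zone-file name; origin ends with '.'
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Parse the record subset used on this page ('owner IN TYPE rdata'); return (serial, records)."""
    body = "\n".join(line.split(";")[0] for line in text.splitlines())            # drop comments
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)    # fold SOA parentheses
    serial, records = None, []
    for tok in (line.split() for line in body.splitlines()):
        if not tok or tok[0].startswith("$"):                                      # blank line or $TTL
            continue
        owner, rtype, rdata = fqdn(tok[0], origin), tok[2], tok[3]
        if rtype == "SOA":
            serial = tok[5]                      # SOA mname rname serial refresh retry expire minimum
        else:                                    # names in rdata are relative to the origin as well
            records.append((owner, rtype, rdata if rtype == "A" else fqdn(rdata, origin)))
    return serial, records

def check(forward, reverse, domain, net):
    """Cross-check a forward zone and its in-addr.arpa zone; return a list of problems (empty = OK)."""
    origin, rev_origin = domain + ".", ".".join(reversed(net.split("."))) + ".in-addr.arpa."
    (f_serial, f_recs), (r_serial, r_recs) = parse_zone(forward, origin), parse_zone(reverse, rev_origin)
    problems = [f"{z} zone serial {s!r} does not follow yyyyMMdd" for z, s in
                (("forward", f_serial), ("reverse", r_serial)) if not re.fullmatch(r"\d{8}", s or "")]
    a_of = {o: r for o, t, r in f_recs if t == "A"}
    cname = {o for o, t, r in f_recs if t == "CNAME"}
    for _, rtype, target in f_recs + r_recs:     # NS must point to an A record, never to a CNAME
        if rtype == "NS" and target not in a_of:
            problems.append(f"NS target {target} " + ("is a CNAME" if target in cname else "has no A record"))
    ptr = {o: t for o, ty, t in r_recs if ty == "PTR"}
    for name, ip in a_of.items():                # every host in the network needs a matching PTR
        if ip.startswith(net + ".") and ptr.get(ip.split(".")[3] + "." + rev_origin) != name:
            problems.append(f"no matching PTR for {name} ({ip})")
    for rev_owner, name in ptr.items():          # and every PTR must point back at the same A record
        ip = net + "." + rev_owner.split(".")[0]
        if a_of.get(name) != ip:
            problems.append(f"PTR {rev_owner} -> {name} matches no A record for {ip} (trailing dot?)")
    return problems

# Constructed samples modelled on this page's files, with two pitfalls on purpose: 'NS smartcard-gw.' and a PTR without trailing dot.
FORWARD = ("$TTL 604800\n@ IN SOA smartcard-gw.smartcards.local. root.smartcards.local. (\n"
           "  20140603 ; Serial\n  604800 86400 2419200 604800 )\n@ IN NS smartcard-gw.smartcards.local.\n"
           "smartcard-gw IN A 172.16.50.2\ncisco-router IN A 172.16.50.1\nmy-new-host IN A 172.16.50.60\n")
REVERSE = ("$TTL 604800\n@ IN SOA smartcard-gw.smartcards.local. root.smartcards.local. ( 20140603 604800 86400 2419200 604800 )\n"
           "@ IN NS smartcard-gw.\n2 IN PTR smartcard-gw.smartcards.local.\n1 IN PTR cisco-router.smartcards.local\n")

if __name__ == "__main__":
    print("\n".join(check(FORWARD, REVERSE, "smartcards.local", "172.16.50")) or "OK")
```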





Sources

You can find a lot of information about DNS on the web. I used the following tutorials:


Bug fixes: