DNS server unique zone

 
Latest revision as of 15:16, 22 August 2014


Here, I will present the installation of:

  • Local domain (.local)

That means all the INTERNAL resources are private. Nothing is reachable from the outside.


In the following example I'll be using:

  • INTERNAL zone: smartcards.local
  • DNS server name: smartcard-gw
  • Network: 172.16.50.0/24 ; router: 172.16.50.1 ; DNS server IP: 172.16.50.2


Zone configuration (name to IP address)

Declare the new zone

Edit configuration file:

vim /etc/bind/named.conf.local


Uncomment and adjust the file content

zone "smartcards.local" {
        type master;
        file "/etc/bind/smartcards.local";
};


Zone configuration file

Create the zone configuration file from a local template:

cp /etc/bind/db.local /etc/bind/smartcards.local


Edit configuration file:

vim /etc/bind/smartcards.local


Adjust the file content

;
; BIND data file for smartcards.local
;
$TTL    604800
@       IN      SOA     smartcard-gw.smartcards.local. root.smartcards.local. (
                       20140603         ; Serial
                                        ; The serial must be changed every time you edit this file,
                                        ; so it is recommended to use the pattern "yyyyMMdd"
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

; 
; DNS server declaration
; Each NS must point to an A record, not a CNAME. 
; This is where the Primary and Secondary DNS servers are defined
;
@                IN      NS      smartcard-gw.smartcards.local.
smartcard-gw     IN      A       172.16.50.2

;
; Gateway (router)
;
cisco-router      IN      A       172.16.50.1

;
; Declare your servers and network hosts
;
smartcard-prod-00 IN      A       172.16.50.50
smartcard-prod-01 IN      A       172.16.50.51
smartcard-prod-02 IN      A       172.16.50.52
smartcard-prod-03 IN      A       172.16.50.53

; Create an alias to an existing record
;www              IN      CNAME   smartcard-gw


Notes:

  • Don't forget to update the serial every time you edit the file!
  • NS = name server
  • A = IPv4 address entry
  • AAAA = IPv6 address entry
  • CNAME = alias to an existing A or AAAA entry


Reverse zone (IP address to name)

Now that the zone is set up and resolves names to IP addresses, a Reverse zone is also required. A reverse zone lets DNS resolve an address back to a name.


Declare reverse zone

Edit configuration file:

vim /etc/bind/named.conf.local


Add the following reverse

# Our reverse zone
# Server IP 172.16.50.2
zone "50.16.172.in-addr.arpa" {
        type master;
        file "/etc/bind/db.172";
};


Key points:

  • Replace 50.16.172 with the first three octets of whatever network you are using - in reverse order!
  • Name the zone file /etc/bind/db.172: it should match the first octet of your network.


Configure reverse zone

Now create the /etc/bind/db.172 file:

cp /etc/bind/db.127 /etc/bind/db.172


Edit the new file:

vim /etc/bind/db.172


The content is basically the same as /etc/bind/smartcards.local:

;
; BIND reverse data file for local 172.16.50.XXX net
;
$TTL    604800
@       IN      SOA     smartcard-gw.smartcards.local. root.smartcards.local. (
                       20140603         ; Serial
                                        ; The serial must be changed every time you edit this file,
                                        ; so it is recommended to use the pattern "yyyyMMdd"
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; Local server
;
@       IN      NS      smartcard-gw.smartcards.local.
2       IN      PTR     smartcard-gw.smartcards.local.

; Gateway (router)
1       IN      PTR     cisco-router.smartcards.local.

;
; Other components and hosts
;
50       IN      PTR     smartcard-prod-00.smartcards.local.
51       IN      PTR     smartcard-prod-01.smartcards.local.
52       IN      PTR     smartcard-prod-02.smartcards.local.
53       IN      PTR     smartcard-prod-03.smartcards.local.


Notes:

  • Don't forget to update the serial every time you edit the file!
  • In the reverse zone you only need the last octet of the address; the zone origin supplies the rest
  • PTR = pointer from an address back to the name of its A entry


Take changes into account

service bind9 restart



Add new hostname

This is how to add a new hostname to the network:


Update LOCAL zone

Edit local zone:

vim /etc/bind/smartcards.local


Add an A or AAAA entry:

my-new-host       IN      A       172.16.50.60


Update REVERSE zone

Edit the reverse zone:

vim /etc/bind/db.172


Add a PTR entry:

60       IN      PTR     my-new-host.smartcards.local.


Restart service

service bind9 restart
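As an added example (not part of the original page), a small Python cross-check of the forward and reverse zone files described above and in the "Add new hostname" steps: it parses both files, expands relative names against the zone origin the way BIND does, and reports A records whose PTR is missing or points to a different name, plus NS targets that have no address record. The zone text is constructed here and deliberately carries a hostname typo and a PTR target without its trailing dot, so the audit has something to find.

```python
import ipaddress
import re

# Constructed sample zones (not the page's own files). The forward zone keeps the
# "smarcartd" typo and the reverse zone a PTR target missing its trailing dot.
FORWARD_ORIGIN = "smartcards.local."
FORWARD_ZONE = """\
@                 IN  NS   smartcard-gw.smartcards.local.
smartcard-gw      IN  A    172.16.50.2
cisco-router      IN  A    172.16.50.1
smarcartd-prod-00 IN  A    172.16.50.50
"""
REVERSE_ORIGIN = "50.16.172.in-addr.arpa."
REVERSE_ZONE = """\
@   IN  NS   smartcard-gw.
2   IN  PTR  smartcard-gw.smartcards.local.
1   IN  PTR  cisco-router.smartcards.local   ; relative name: BIND appends the origin
50  IN  PTR  smartcard-prod-00.smartcards.local.
"""

def fqdn(name, origin):
    """'@' means the origin; a name without a trailing dot is relative to the origin."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """(owner, type, rdata) triples with names expanded; comments, $TTL and SOA lines are skipped."""
    pat = re.compile(r"(\S+)\s+IN\s+(NS|A|AAAA|PTR|CNAME)\s+(\S+)$")
    matches = (pat.match(line.split(";")[0].strip()) for line in text.splitlines())
    return [(fqdn(m[1], origin), m[2], m[3] if m[2] in ("A", "AAAA") else fqdn(m[3], origin))
            for m in matches if m]

def reverse_name(ip):
    """172.16.50.2 -> 2.50.16.172.in-addr.arpa. (the PTR owner name the reverse zone needs)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def audit(forward, fwd_origin, reverse, rev_origin):
    """Every A record needs a PTR pointing back to the same name; every NS needs an address."""
    fwd, rev = parse_zone(forward, fwd_origin), parse_zone(reverse, rev_origin)
    addressed = {owner for owner, t, _ in fwd if t in ("A", "AAAA")}
    ptr_by_owner = {owner: target for owner, t, target in rev if t == "PTR"}
    problems = []
    for owner, ip in [(o, r) for o, t, r in fwd if t == "A"]:
        target = ptr_by_owner.get(reverse_name(ip))
        if target != owner:
            problems.append(f"{ip}: PTR is {target or 'missing'}, A record owner is {owner}")
    for owner, t, target in fwd + rev:
        if t == "NS" and target not in addressed:
            problems.append(f"NS {target} at {owner} has no A/AAAA record in the forward zone")
    return problems
```

On the server itself, `named-checkzone smartcards.local /etc/bind/smartcards.local` and `named-checkzone 50.16.172.in-addr.arpa /etc/bind/db.172` run before the restart catch syntax errors in each file, but only a cross-check like this one catches a forward name that no longer matches its PTR.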




Sources

You can find a lot of information about DNS on the web. I used the following tutorials:

  • https://help.ubuntu.com/community/BIND9ServerHowto
  • https://help.ubuntu.com/14.04/serverguide/dns-references.html#dns-record-types
  • https://help.ubuntu.com/14.04/serverguide/dns-configuration.html
  • http://blog.bobbyallen.me/2013/09/19/setting-up-internal-dns-on-ubuntu-server-12-04-lts/
  • http://doc.ubuntu-fr.org/bind9 (in French)


Bug fixes:

  • no forwarding due to DNS-SEC errors (broken trust chain): http://pewetheb.blogspot.se/2013/11/named-error-broken-trust-chain.html