Deploy Home DNS server
Background
A home-based DNS server speeds up DNS resolution by answering repeated queries from its cache. In addition, a DNS server is a requirement for internal email. Internal email is useful for sending files from mobile devices such as an iPhone or an Android phone to a NAS, which provides an alternative to FTP.
Objectives
- Install Bind
- Configure the home-based DNS server to be a recursive nameserver for Internet (web) servers.
- Extend the home-based DNS server to be an authoritative nameserver for an internal domain name "example.lan"
Environment
- CentOS 6.4
- SELinux is on
Concepts
- An authoritative nameserver stores the actual data for a DNS domain.
- A recursive nameserver does NOT store IP data itself. It asks authoritative nameservers for the IP address, and the responses from the authoritative nameservers are cached to improve performance. In other words, a recursive nameserver depends on authoritative nameservers.
- BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.
Procedure
- Install bind
#yum install bind
- Find the configuration files for bind
#rpm -qc bind
/etc/logrotate.d/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
The main configuration file is /etc/named.conf
- Modify /etc/named.conf to turn bind into a recursive nameserver
An example:
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; 192.168.2.0/24; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
- Start the DNS server
#service named start
- Confirm that bind is listening on the default port 53
#netstat -tulnp | grep named
- Configure the firewall to allow DNS packets
#iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
#iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
- Configure the stub resolver (/etc/resolv.conf) on the DNS machine and on the other computers to use the nameserver configured above.
Example:
nameserver 192.168.1.1 (replace with the IP address of your DNS server)
- Test DNS lookups from a remote computer.
#yum install bind-utils
#dig google.com
Extract of output:
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38733
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 4, ADDITIONAL: 4
NOERROR means the query was successful.
- In addition to being a recursive nameserver, configure the same nameserver to be an authoritative nameserver for the home-based private domain called example.com
Example zone declarations for example.com (these go in /etc/named.conf; the file names they reference are the forward and reverse zone files created in the next steps):
zone "example.com" IN
{
type master;
file "example.com.zone";
};
zone "0.168.192.in-addr.arpa" IN
{
type master;
file "example.com.rr.zone";
allow-update { none; };
};
- Configure a forward zone file for example.com and save it as /var/named/example.com.zone
- Configure a reverse zone file and save it as /var/named/example.com.rr.zone
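The two steps above name the forward and reverse zone files but do not show them. The script below is an added example, not part of the original post, that generates both files from one host list so the A and PTR records cannot drift apart. Everything in it that is not on this page is assumed: the host list, the nameserver name ns1, the hostmaster mailbox and the SOA timers. The reverse zone declared above only covers 192.168.0.0/24, so the script skips any host outside that prefix instead of writing a PTR record the zone cannot answer for.

```shell
#!/bin/sh
# Added example (not from the original post): generate the forward zone file
# /var/named/example.com.zone and the reverse zone file
# /var/named/example.com.rr.zone that the two steps above ask for.
# Assumptions not in the post: the host list below, the nameserver name ns1,
# the hostmaster mailbox and the SOA timers.

ZONE="example.com"
REVERSE_ZONE="0.168.192.in-addr.arpa"   # the reverse zone declared in named.conf above
SERIAL=$(date +%Y%m%d01)                # YYYYMMDDnn convention; increase it on every edit

# Constructed host list, one "name ip" pair per line. The last host sits in
# 192.168.1.0/24, outside the /24 the reverse zone covers, to exercise the check.
HOSTS="ns1 192.168.0.1
nas 192.168.0.10
mail 192.168.0.20
printer 192.168.1.5"

# 0.168.192.in-addr.arpa -> "192.168.0." : the address prefix the reverse zone
# is responsible for, so PTR records are only emitted for hosts inside it.
reverse_prefix() {
    printf '%s\n' "$REVERSE_ZONE" | sed 's/\.in-addr\.arpa$//' \
        | awk -F. '{ print $3 "." $2 "." $1 "." }'
}

# $TTL, SOA and NS records shared by both zone files.
zone_header() {
    printf '$TTL 86400\n'
    printf '@   IN  SOA ns1.%s. hostmaster.%s. (\n' "$ZONE" "$ZONE"
    printf '        %s ; serial\n' "$SERIAL"
    printf '        3600       ; refresh\n'
    printf '        900        ; retry\n'
    printf '        604800     ; expire\n'
    printf '        86400 )    ; negative-cache TTL\n'
    printf '@   IN  NS  ns1.%s.\n' "$ZONE"
}

# Forward zone: one A record per host, owner names relative to the zone origin.
gen_forward_zone() {
    zone_header
    printf '%s\n' "$HOSTS" | while read -r name ip; do
        [ -n "$name" ] || continue
        printf '%s IN A %s\n' "$name" "$ip"
    done
}

# Reverse zone: one PTR record per host inside the zone's /24. The owner name
# is only the last octet because the origin supplies the first three.
gen_reverse_zone() {
    prefix=$(reverse_prefix)
    zone_header
    printf '%s\n' "$HOSTS" | while read -r name ip; do
        [ -n "$name" ] || continue
        case "$ip" in
            "$prefix"*) printf '%s IN PTR %s.%s.\n' "${ip##*.}" "$name" "$ZONE" ;;
            *) printf 'skipping %s (%s): not inside %s\n' "$name" "$ip" "$REVERSE_ZONE" >&2 ;;
        esac
    done
}

# Print both files to stdout. To deploy, redirect each into /var/named:
#   gen_forward_zone > /var/named/example.com.zone
#   gen_reverse_zone > /var/named/example.com.rr.zone
# and check them with: named-checkzone example.com /var/named/example.com.zone
gen_forward_zone
echo
gen_reverse_zone
```

After writing the files, named-checkzone (shipped with bind) reports syntax errors before you restart named, and the skipped-host warning on stderr tells you which entries need a second reverse zone.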
- Start the named service
#service named restart
- Test the authoritative server
#dig example.com
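Both dig tests in this procedure (the google.com lookup earlier and the example.com lookup above) are judged by reading the HEADER line by eye. The script below is an added example, not from the original post, that reads the status and flags out of dig's output so the checks can be scripted: a recursive lookup should return NOERROR with the ra flag, and an answer for example.com should additionally carry the aa flag, which proves it came from the server's own zone data rather than its cache. The options block above listens on every interface (listen-on { any; }) with recursion enabled, so the allow-query ACL is what keeps the server from being an open resolver usable by anyone on the Internet; a query from an address outside that ACL should come back REFUSED, and the script treats that as a failed lookup. The three sample headers are constructed in the format dig prints; only the NOERROR one copies the output shown earlier.

```shell
#!/bin/sh
# Added example (not from the original post): read the status and flags out of
# dig's header so the lookup tests can be scripted. The samples are constructed;
# only SAMPLE_RECURSIVE copies the header shown earlier in the post.

# Recursive lookup answered by the resolver: status NOERROR, ra set.
SAMPLE_RECURSIVE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38733
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 4, ADDITIONAL: 4'

# Answer for a zone the server is master for: the aa flag is present.
SAMPLE_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1'

# What a client outside allow-query should get: REFUSED and no answer.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1771
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Print the status word (NOERROR, NXDOMAIN, REFUSED, SERVFAIL, ...) from dig output.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p'
}

# Succeed if flag $2 (qr, aa, rd, ra, ...) appears on the flags line of $1.
dig_has_flag() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    for f in $flags; do
        [ "$f" = "$2" ] && return 0
    done
    return 1
}

# Recursive test: the server must answer (NOERROR) and advertise recursion (ra).
check_recursive() {
    [ "$(dig_status "$1")" = "NOERROR" ] && dig_has_flag "$1" ra
}

# Authoritative test: besides NOERROR the answer must carry aa, i.e. it was
# served from the server's own zone data, not from its cache.
check_authoritative() {
    [ "$(dig_status "$1")" = "NOERROR" ] && dig_has_flag "$1" aa
}

# Live use (replace the address with your server's):
#   out=$(dig @192.168.1.1 google.com)  && check_recursive "$out"
#   out=$(dig @192.168.1.1 example.com) && check_authoritative "$out"
# Run the same checks from a host outside allow-query: both should fail.
for s in "$SAMPLE_RECURSIVE" "$SAMPLE_AUTH" "$SAMPLE_REFUSED"; do
    printf 'status=%s recursive_ok=%s authoritative_ok=%s\n' \
        "$(dig_status "$s")" \
        "$(check_recursive "$s" && echo yes || echo no)" \
        "$(check_authoritative "$s" && echo yes || echo no)"
done
```

Running the live commands from a machine inside one of the allow-query subnets and again from one outside them verifies both halves of the configuration: that the server resolves for the home network, and that it refuses everyone else.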