Difference between revisions of "DNS server unique zone"

 
Latest revision as of 14:16, 22 August 2014


Here, I will present the installation of:

  • Local domain (.local)

That means all the INTERNAL resources are private. Nothing is reachable from the outside.


In the following example I'll be using:

  • INTERNAL zone: smartcards.local
  • DNS server name: smartcard-gw
  • Network: 172.16.50.0/24 ; router: 172.16.50.1 ; DNS server IP: 172.16.50.2


Zone configuration (name to IP @)

Declare the new zone

Edit configuration file:

vim /etc/bind/named.conf.local


Uncomment and adjust the file content

zone "smartcards.local" {
        type master;
        file "/etc/bind/smartcards.local";
};


Zone configuration file

Create the zone configuration file from a local template:

cp /etc/bind/db.local /etc/bind/smartcards.local


Edit configuration file:

vim /etc/bind/smartcards.local


Adjust the file content

;
; BIND data file for smartcards.local
;
$TTL    604800
@       IN      SOA     smartcard-gw.smartcards.local. root.smartcards.local. (
                       20140603         ; Serial
                                        ; The serial must be increased every time you edit this file,
                                        ; so it is recommended to use the pattern "yyyyMMdd"
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

;
; DNS server declaration
; Each NS must point to an A record, not a CNAME.
; This is where the Primary and Secondary DNS servers are defined
;
@                 IN      NS      smartcard-gw.smartcards.local.
smartcard-gw      IN      A       172.16.50.2

;
; Gateway (router)
;
cisco-router      IN      A       172.16.50.1

;
; Declare your servers and network hosts
; (the names must match the PTR targets in the reverse zone file)
;
smartcard-prod-00 IN      A       172.16.50.50
smartcard-prod-01 IN      A       172.16.50.51
smartcard-prod-02 IN      A       172.16.50.52
smartcard-prod-03 IN      A       172.16.50.53

; Create an alias to an existing record (uncomment to enable)
;www              IN      CNAME   smartcard-gw


Notes:

  • Don't forget to adjust the serial every time you edit the file! It must always increase, otherwise the change is not seen as a new version of the zone.
  • NS = name server record
  • A = IPv4 address record
  • AAAA = IPv6 address record
  • CNAME = alias to a previous A or AAAA entry


Reverse zone (IP @ to name)

Now that the zone is set up and resolves names to IP addresses, a Reverse zone is also required. A Reverse zone allows DNS to resolve an address back to a name.


Declare reverse zone

Edit configuration file:

vim /etc/bind/named.conf.local


Add the following reverse zone declaration:

# Our reverse zone
# Server IP 172.16.50.2
zone "50.16.172.in-addr.arpa" {
        type master;
        file "/etc/bind/db.172";
};


Key points:

  • Replace 50.16.172 with the first three octets of whatever network you are using - in reverse order!
  • Name the zone file /etc/bind/db.172: it should match the first octet of your network.


Configure reverse zone

Now create the /etc/bind/db.172 file:

cp /etc/bind/db.127 /etc/bind/db.172


Edit the new file:

vim /etc/bind/db.172


The content is basically the same as /etc/bind/smartcards.local:

;
; BIND reverse data file for local 172.16.50.XXX net
;
$TTL    604800
@       IN      SOA     smartcard-gw.smartcards.local. root.smartcards.local. (
                       20140603         ; Serial
                                        ; The serial must be increased every time you edit this file,
                                        ; so it is recommended to use the pattern "yyyyMMdd"
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; Local server
; (the NS target is a fully qualified name with a trailing dot; without the dot
; BIND would append the reverse zone name to it)
;
@       IN      NS      smartcard-gw.smartcards.local.
2       IN      PTR     smartcard-gw.smartcards.local.

; Gateway (router)
1       IN      PTR     cisco-router.smartcards.local.

;
; Other components and hosts
;
50      IN      PTR     smartcard-prod-00.smartcards.local.
51      IN      PTR     smartcard-prod-01.smartcards.local.
52      IN      PTR     smartcard-prod-02.smartcards.local.
53      IN      PTR     smartcard-prod-03.smartcards.local.


Notes:

  • Don't forget to adjust the serial every time you edit the file!
  • You only need to put the last octet of the address in the reverse zone: the first three octets are already given by the zone name 50.16.172.in-addr.arpa
  • PTR = pointer record, mapping an address back to the name of its A entry
  • Every name on the right-hand side of a PTR or NS record must end with a dot, otherwise the zone name is appended to it


Take changes into account

A syntax error in a zone file stops BIND from loading that zone, so run named-checkzone on both zone files before restarting (it should print OK), then restart the service:

service bind9 restart



Add new hostname

This is how to add a new hostname to the network:


Update LOCAL zone

Edit local zone:

vim /etc/bind/smartcards.local


Add an A (IPv4) or AAAA (IPv6) entry:

my-new-host       IN      A       172.16.50.60


Update REVERSE zone

Edit the reverse zone:

vim /etc/bind/db.172


Add the matching PTR entry:

60       IN      PTR     my-new-host.smartcards.local.


Restart service

service bind9 restart
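The reverse zone section and the add-a-hostname procedure above both require the forward and reverse files to stay in step (same names, last octet only, trailing dots, increasing serial). The Python script below is an added example, not part of the original page: it derives the in-addr.arpa zone name from the network, generates the PTR lines of db.172 from the A records of a constructed, abridged copy of the page's forward zone, and computes the next yyyyMMdd serial; handling only /24 networks is an assumption of this example.

```python
import ipaddress
import re
from datetime import date

# Constructed, abridged copy of the page's forward zone (SOA and comments left out).
FORWARD_ZONE = """\
@                 IN      NS      smartcard-gw.smartcards.local.
smartcard-gw      IN      A       172.16.50.2
cisco-router      IN      A       172.16.50.1
smartcard-prod-00 IN      A       172.16.50.50
my-new-host       IN      A       172.16.50.60   ; the host added in the last section
"""
A_RECORD = re.compile(r"^(\S+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")

def a_records(zone_text):
    """Return {hostname: ipv4} for every A record; ';' comments and other types are skipped."""
    recs = {}
    for line in zone_text.splitlines():
        m = A_RECORD.match(line.split(";")[0].strip())
        if m:
            recs[m.group(1)] = m.group(2)
    return recs

def reverse_zone_name(network):
    """'172.16.50.0/24' -> '50.16.172.in-addr.arpa': first three octets in reverse order."""
    net = ipaddress.ip_network(network)
    if net.prefixlen != 24:
        raise ValueError("this example only handles /24 networks")  # assumption of the example
    o = str(net.network_address).split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"

def ptr_records(forward, domain, network):
    """PTR lines for db.172: owner is the last octet only, target is the FQDN with a trailing dot."""
    net = ipaddress.ip_network(network)
    lines = []
    for host, ip in sorted(forward.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        if ipaddress.ip_address(ip) not in net:
            continue  # addresses outside the /24 belong in a different reverse zone
        lines.append(f"{ip.rsplit('.', 1)[1]:<8} IN      PTR     {host}.{domain}.")
    return lines

def next_serial(current, today=None):
    """yyyyMMdd serial that always increases: today's date, or current+1 when edited again."""
    today = today or date.today().isoformat()
    candidate = int(today.replace("-", ""))
    return candidate if candidate > current else current + 1

if __name__ == "__main__":  # print the PTR block to paste into /etc/bind/db.172
    print("\n".join(ptr_records(a_records(FORWARD_ZONE), "smartcards.local", "172.16.50.0/24")))
```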




Sources

You can find a lot of information about DNS on the web. I used the following tutorials:

  • https://help.ubuntu.com/community/BIND9ServerHowto
  • https://help.ubuntu.com/14.04/serverguide/dns-references.html#dns-record-types
  • https://help.ubuntu.com/14.04/serverguide/dns-configuration.html
  • http://blog.bobbyallen.me/2013/09/19/setting-up-internal-dns-on-ubuntu-server-12-04-lts/
  • http://doc.ubuntu-fr.org/bind9 (in French)

Bug fixes:

  • no forwarding due to DNS-SEC errors (broken trust chain): http://pewetheb.blogspot.se/2013/11/named-error-broken-trust-chain.html