DNS server split howto
Revision as of 13:05, 22 August 2014
Let's use the "smartcards.vehco.com" domain as an example.
- The DNS will handle both internal and external requests (Intranet / Internet).
- The DNS will have 2 zones: one for the Internal members (LAN, VPN, loopback) and one for the External members.
Setup
apt-get install bind9 dnsutils bind9-doc
Primary master
A DNS primary master is the main DNS server for your local domain (e.g. smartcards.local).
These are the steps to do:
- Set the external DNS to use by your server
- File: /etc/bind/named.conf.options
- Declare the new domain to manage
- File: /etc/bind/named.conf.local
- Create a dedicated configuration file for the new domain
- New file: /etc/bind/smartcards.local
- Adjust the reverse zone
- File: /etc/bind/named.conf.local
- Rename and adjust file: /etc/bind/db.192
Set the external DNS
This is the list of DNS servers your server will query to populate its own cache.
The external DNS can be either your ISP's servers or Google's servers.
!! Mind the order !! The first DNS server listed has the highest priority.
Edit configuration file:
vim /etc/bind/named.conf.options
Uncomment and adjust the file content
[...]
forwarders {
# Your ISP's DNS IPs
182.176.39.23;
182.176.18.13;
# Google's DNS
8.8.8.8;
8.8.4.4;
};
[...]
Declare the new domain
Edit configuration file:
vim /etc/bind/named.conf.local
Add the new zone declaration:
zone "smartcards.local" {
type master;
file "/etc/bind/smartcards.local";
};
Domain configuration file
Create the domain configuration file from a local template:
cp /etc/bind/db.local /etc/bind/smartcards.local
Edit configuration file:
vim /etc/bind/smartcards.local
Adjust the file content
;
; BIND data file for smartcards.local (you can use mywebsite.com)
;
$TTL 604800
@ IN SOA smartcard-gw.smartcards.local. root.smartcards.local. (
20140603 ; Serial
; As the serial must be changed every time you edit this file,
; it is recommended to use the pattern "yyyyMMdd"
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; DNS server declaration
; Each NS must point to an A record, not a CNAME.
; This is where the Primary and Secondary DNS servers are defined
;
@ IN NS smartcard-gw.smartcards.local.
smartcard-gw IN A 172.16.50.2
;
; -- alternative --
; To declare a server a specific domain only
;
;website.com IN NS smartcard-gw.website.com.
;website.com IN A 172.16.50.2
;
; Gateway (router)
;
cisco-router IN A 172.16.50.1
;
; Declare your servers and networks hosts
;
smartcard-prod-00 IN A 172.16.50.50
smartcard-prod-01 IN A 172.16.50.51
smartcard-prod-02 IN A 172.16.50.52
smartcard-prod-03 IN A 172.16.50.53
; Create an alias to an existing record
;www IN CNAME smartcard-gw
Notes:
- Don't forget to adjust the serial every time you edit the file!
- NS = Name server
- A = IPv4 entry
- AAAA = IPv6 entry
- CNAME = Alias to a previous A or AAAA entry
Reverse zone file
Now that the zone is set up and resolving names to IP addresses, a reverse zone is also required. A reverse zone allows DNS to resolve an address back to a name.
Declare reverse zone
Edit configuration file:
vim /etc/bind/named.conf.local
Add the following reverse zone declaration:
# Our reverse zone
# Server IP 172.16.50.2
zone "50.16.172.in-addr.arpa" {
type master;
file "/etc/bind/db.172";
};
Key points:
- Replace 50.16.172 with the first three octets of whatever network you are using - in reverse order!
- Name the zone file /etc/bind/db.172 : it should match the first octet of your network.
Configure reverse zone
Now create the /etc/bind/db.172 file:
cp /etc/bind/db.127 /etc/bind/db.172
Edit the new file:
vim /etc/bind/db.172
The content is basically the same as /etc/bind/smartcards.local:
;
; BIND reverse data file for local 172.16.50.XXX net
;
$TTL 604800
@ IN SOA smartcard-gw.smartcards.local. root.smartcards.local. (
20140603 ; Serial
; As the serial must be changed every time you edit this file,
; it is recommended to use the pattern "yyyyMMdd"
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; Local server
;
@ IN NS smartcard-gw.smartcards.local.
2 IN PTR smartcard-gw.smartcards.local.
; Gateway (router)
1 IN PTR cisco-router.smartcards.local.
;
; Other components and hosts
;
50 IN PTR smartcard-prod-00.smartcards.local.
51 IN PTR smartcard-prod-01.smartcards.local.
52 IN PTR smartcard-prod-02.smartcards.local.
53 IN PTR smartcard-prod-03.smartcards.local.
Notes:
- Don't forget to adjust the serial every time you edit the file!
- Only the last octet of the address goes into the reverse zone; the target name must end with a dot.
- PTR = pointer record, maps an address back to the name of its A entry
Take changes into account
service bind9 restart
Use the local DNS server as default one
Now that your server is ready, the machines on the network have to use it:
- All the clients will get their configuration from DHCP (see DHCP server).
- On the DNS server itself, edit the network interface settings:
vim /etc/network/interfaces
Adjust it like that:
# The primary network interface [static IP]
auto eth0
iface eth0 inet static
address 172.16.50.2
netmask 255.255.255.0
gateway 172.16.50.1
network 172.16.50.0
broadcast 172.16.50.255
# Local DNS server on 172.16.50.2 as default. Then the DNS server itself will forward the requests to external DNS servers.
dns-nameservers 172.16.50.2
dns-search smartcards.local
dns-domain smartcards.local
Don't forget to reboot so that the configuration changes take effect!
Test your configuration
Test on SERVER side
Run the following commands to check your configuration. Every command should report OK or a successful ping. :)
Check the local zone:
named-checkzone smartcards.local /etc/bind/smartcards.local
Check the reverse zone:
named-checkzone 50.16.172.in-addr.arpa. /etc/bind/db.172
Now you can try to ping the router and a client:
ping cisco-router
ping smartcard-prod-00
Now you can try to ping a website:
ping dev.daxiongmao.eu
Test on CLIENT side
Ping the DNS server by name from a client:
ping smartcard-gw
Now you can try to ping a website:
ping tcl.fr
DNS server logs
Logs are in /var/log/syslog
Add new hostname
This is how to add a new hostname to the network:
Update LOCAL zone
Edit local zone:
vim /etc/bind/smartcards.local
Add a A or AAAA entry:
my-new-host IN A 172.16.50.60
Update REVERSE zone
Edit the reverse zone:
vim /etc/bind/db.172
Add a PTR entry:
60 IN PTR my-new-host.smartcards.local.
Restart service
service bind9 restart
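The forward zone, the reverse zone and the "Add new hostname" steps above all keep the same host list in sync by hand. The script below is an added example (not from the wiki page) that generates both zone files from one host list with the page's names and addresses, bumps the serial, and runs named-checkzone when it is installed; ZONE_DIR defaults to a scratch directory, so on the real server point it at /etc/bind.

```shell
# Added example (not the wiki's own script): builds the forward and reverse
# zone files described above from one host list, so a new host is added to
# both files with one edit and the serial is bumped at the same time.
set -eu
DOMAIN="smartcards.local"; NS_HOST="smartcard-gw"       # NS must have an A record
NET_PREFIX="172.16.50"; REV_ZONE="50.16.172.in-addr.arpa"
ZONE_DIR="${ZONE_DIR:-$(mktemp -d)}"   # scratch dir; use /etc/bind on the server
# Constructed host list: "name last-octet", one host per line.
HOSTS="smartcard-gw 2
cisco-router 1
smartcard-prod-00 50
smartcard-prod-01 51
my-new-host 60"
soa_header() {  # $1 = serial; same SOA/NS header for both zones
  cat <<EOF
\$TTL 604800
@ IN SOA ${NS_HOST}.${DOMAIN}. root.${DOMAIN}. (
        $1 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ) ; Negative Cache TTL
@ IN NS ${NS_HOST}.${DOMAIN}.
EOF
}
write_zones() {  # $1 = serial
  { soa_header "$1"
    echo "$HOSTS" | while read -r name octet; do
      printf '%s IN A %s.%s\n' "$name" "$NET_PREFIX" "$octet"
    done; } > "$ZONE_DIR/$DOMAIN"
  { soa_header "$1"
    echo "$HOSTS" | while read -r name octet; do
      # reverse zone: last octet only, and the PTR target must end with a dot
      printf '%s IN PTR %s.%s.\n' "$octet" "$name" "$DOMAIN"
    done; } > "$ZONE_DIR/db.172"
}
check_zones() {  # use BIND's checker when installed, else a plain sanity grep
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone -q "$DOMAIN" "$ZONE_DIR/$DOMAIN" &&
      named-checkzone -q "$REV_ZONE" "$ZONE_DIR/db.172"
  else
    grep -q "^$NS_HOST IN A $NET_PREFIX\." "$ZONE_DIR/$DOMAIN" &&
      grep -q "^2 IN PTR $NS_HOST\.$DOMAIN\.$" "$ZONE_DIR/db.172"
  fi
}
# serial = yyyyMMdd as the page recommends, plus a two-digit revision so that
# a second edit on the same day still gets a higher serial
write_zones "$(date +%Y%m%d)01"
check_zones && echo "zone files written to $ZONE_DIR"
```

After writing to /etc/bind, restart bind9 as in the section above.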
Disable IPv6 DNS requests
You can still be listening on your local IPv6 interface, however if your router is not IPv6 compatible you should disable IPv6 requests. If you do not disable IPv6 requests then you'll see the following errors in your /var/log/syslog:
error (network unreachable) resolving './DNSKEY/IN': 2001:: ...
Edit the configuration file:
vim /etc/default/bind9
Add / update the options:
OPTIONS="-4"
The -4 option makes named use IPv4 only for its own queries, so it no longer tries to reach the unreachable IPv6 addresses.
Restart the service and check your logs.
Disable DNS SEC
DNS is one of the most vulnerable protocols, which is why its security extension, DNSSEC, is being rolled out right now.
However, enabling DNSSEC validation can produce security errors and block forwarding if the trust chain is not set up properly.
I don't have enough time to set up the correct certificate, so I disabled DNSSEC.
Edit configuration file:
vim /etc/bind/named.conf.options
Disable the DNS-SEC options:
dnssec-enable no;
dnssec-validation no;
Restart the service and check your logs.
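As an added note (not part of the original page), here is the setting the page applies beside the alternative of keeping validation on with BIND's built-in root trust anchor (`dnssec-validation auto;`, BIND 9.8 and later). With validation off, named accepts whatever the forwarders return unverified, so the second form is preferable whenever the forwarders pass DNSSEC records through.

```conf
// /etc/bind/named.conf.options (fragment)

// What this page does: no validation, any forwarded answer is accepted
dnssec-enable no;
dnssec-validation no;

// Alternative: keep validating with the built-in root trust anchor;
// requires forwarders that return DNSSEC records (RRSIG/DNSKEY)
// dnssec-enable yes;
// dnssec-validation auto;
```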
Sources
You can find a lot of information about DNS on the web. I used the following tutorials:
- http://doc.ubuntu-fr.org/bind9 (in French)
Bug fixes:
- no forwarding due to DNS-SEC errors (broken trust chain): http://pewetheb.blogspot.se/2013/11/named-error-broken-trust-chain.html