Difference between revisions of "DNS server split howto"

(Created page with "Category:Linux Let's use "'''smartcards.vehco.com'''" domain as example. * The DNS will handle both internal and external requests (Intranet / Internet). * The DNS wil...")
(No difference)

Revision as of 13:05, 22 August 2014


Let's use "smartcards.vehco.com" domain as example.

  • The DNS will handle both internal and external requests (Intranet / Internet).
  • The DNS will have 2 zones: one for the Internal members (LAN, VPN, loopback) and one for the External members.


Setup

apt-get install bind9 dnsutils bind9-doc


Primary master

A DNS primary master is the main DNS for your local domain (ex: smartcards.local).


These are the steps to do:

  • Set the external DNS to use by your server
    • File: /etc/bind/named.conf.options
  • Declare the new domain to manage
    • File: /etc/bind/named.conf.local
  • Create a dedicated configuration file for the new domain
    • New file: /etc/bind/smartcards.local
  • Adjust the reverse zone
    • File: /etc/bind/named.conf.local
    • Rename and adjust file: /etc/bind/db.192


Set the external DNS

This is the list of DNS your server will use to populate its own cache.


The external DNS can either be your ISP's DNS or Google's servers.

!! Mind the order !! First DNS have a higher priority.


Edit configuration file:

vim /etc/bind/named.conf.options


Uncomment and adjust the file content

[...]
forwarders {
     # Your ISP DNS IP’s 
     182.176.39.23;
     182.176.18.13;

     # Google's DNS
     8.8.8.8;
     8.8.4.4;
};
[...]


Declare the new domain

Edit configuration file:

vim /etc/bind/named.conf.local


Uncomment and adjust the file content

zone "smartcards.local" {
	type master;
        file "/etc/bind/smartcards.local";
};


Domain configuration file

Create the domain configuration file from a local template:

cp /etc/bind/db.local /etc/bind/smartcards.local


Edit configuration file:

vim /etc/bind/smartcards.local


Adjust the file content

;
; BIND data file for smartcards.local (you can use mywebsite.com)
;
$TTL    604800
@       IN      SOA     smartcard-gw.smartcards.local. root.smartcards.local. (
                       20140603         ; Serial
                                        ; As the serial be changed everytime you edit this file
                                        ; it is recommended to use the pattern "yyyyMMdd"
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

; 
; DNS server declaration
; Each NS must point to an A record, not a CNAME. 
; This is where the Primary and Secondary DNS servers are defined
;
@                IN      NS      smartcard-gw.smartcards.local.
smartcard-gw     IN      A       172.16.50.2

;
; -- alternative -- 
; To declare a server a specific domain only
;
;website.com      IN      NS      smartcard-gw.website.com.
;website.com      IN      A       172.16.50.2


;
; Gateway (router)
;
cisco-router      IN      A       172.16.50.1

;
; Declare your servers and networks hosts 
;
smarcartd-prod-00 IN      A       172.16.50.50
smarcartd-prod-01 IN      A       172.16.50.51
smarcartd-prod-02 IN      A       172.16.50.52
smarcartd-prod-03 IN      A       172.16.50.53

; Create an alias to an existing record
;wwww             IN      CNAME   smartcard-gw


Notes:

  • Don't forget to adjust the serial every-time you edit the file !
  • NS = Name server
  • A = IP v4 entry
  • AAAA = IP v6 entry
  • CNAME = Alias to a previous A or AAAA entry


Reverse zone file

Now that the zone is setup and resolving names to IP Adresses a Reverse zone is also required. A Reverse zone allows DNS to resolve an address to a name.


Declare reverse zone

Edit configuration file:

vim /etc/bind/named.conf.local


Add the following reverse

# Our reverse zone
# Server IP 172.16.50.2
zone "50.16.172.in-addr.arpa" {
        type master;
        file "/etc/bind/db.172";
};


Key points:

  • Replace 50.16.172 with the first three octets of whatever network you are using - in reverse order!
  • Name the zone file /etc/bind/db.172 : it should match the first octet of your network.


Configure reverse zone

Now create the /etc/bind/db.172 file:

cp /etc/bind/db.127 /etc/bind/db.172


Edit the new file:

vim /etc/bind/db.172


The content is basically the same as /etc/bind/smartcards.local:

;
; BIND reverse data file for local 172.16.50.XXX net
;
$TTL    604800
@       IN      SOA     smartcard-gw.smartcards.local. root.smartcards.local. (
                       20140603         ; Serial
                                        ; As the serial be changed everytime you edit this file
                                        ; it is recommended to use the pattern "yyyyMMdd"
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; Local server
;
@       IN      NS      smartcard-gw.
2       IN      PTR     smartcard-gw.smartcards.local.

; Gateway (router)
1       IN      PTR     cisco-router.smartcards.local

;
; Other components and hosts
;
50       IN      PTR     smartcard-prod-00.smartcards.local.
51       IN      PTR     smartcard-prod-01.smartcards.local.
52       IN      PTR     smartcard-prod-02.smartcards.local.
53       IN      PTR     smartcard-prod-03.smartcards.local.


Notes:

  • Don't forget to adjust the serial every-time you edit the file !
  • You only need to put the last byte value in the reverse
  • PTR = redirection to A entry


Take changes into account

service bind9 restart


Use the local DNS server as default one

Now that your server is ready to be used, you have to use it !!

  • All the clients will get their configuration from DHCP (see DHCP server).
  • On the local server, you have to edit your current IP settings


vim /etc/network/interfaces


Adjust it like that:

# The primary network interface [static IP]
auto eth0
iface eth0 inet static
        address 172.16.50.2				
        netmask 255.255.255.0				
        gateway 172.16.50.1				
        network 172.16.50.0				
        broadcast 172.16.50.255

        # Local DNS server on 172.16.50.2 as default. Then the DNS server itself will forward the requests to external DNS servers.
        dns-nameservers 172.16.50.2
        dns-search smartcards.local
        dns-domain smartcards.local


Don't forget to reboot to take on your configuration changes !


Test your configuration

Test on SERVER side

Run the following commands to check your configuration. All commands should output OK or be a ping success. :)


Check the local zone:

named-checkzone smartcards.local /etc/bind/zones/smartcards.local
named-checkzone smartcards.local /etc/bind/zones/db.172


Check the reverse zone:

named-checkzone 50.16.172.in-addr.arpa. /etc/bind/db.172


Now you can try to ping the router and a client:

ping cisco-router
ping smartcard-prod-00


Now you can try to ping a website:

ping dev.daxiongmao.eu


Test on CLIENT side

Try to access ping the DNS server name from a client:

ping smartcard-gw


Now you can try to ping a website:

ping tcl.fr



DNS server logs

Logs are in /var/log/syslog



Add new hostname

This is how we had a new host-name into the network:


Update LOCAL zone

Edit local zone:

vim /etc/bind/smartcards.local


Add a A or AAAA entry:

my-new-host       IN      A       172.16.50.60


Update REVERSE zone

Edit local zone:

vim /etc/bind/db.172


Add a A or AAAA entry:

60       IN      PTR     my-new-host.smartcards.local.


Restart service

service bind9 restart



Disable IPv6 DNS requests

You can still be listening on your local IPv6 interface, however if your router is not IPv6 compatible you should disable IPv6 requests. If you do not disable IPv6 requests then you'll see the following errors in your /var/log/syslog:

error (network unreachable) resolving './DNSKEY/IN': 2001:: ...


Edit the configuration file:

vim /etc/default/bind9


Add / update the options:

OPTIONS="-4"


That means if the host is capable of IPv4 then IPv4 should be preferred.


Restart the service and check your logs.



Disable DNS SEC

DNS is one of the most vulnerable protocols. Therefore the next generation called "DNS-SEC" is being implemented right now.

But... enabling DNS SEC can lead to security error and forward blocking if you don't have a proper certificate.


I don't have enough time to setup the correct certificate so I disabled DNS-SEC.


Edit configuration file:

vim /etc/bind/named.conf.options


Disable the DNS-SEC options:

dnssec-enable no;
dnssec-validation no;


Restart the service and check your logs.





Sources

You can find a lot of information about DNS on the web. I used the following tutorials:


Bug fixes: