DNS server installation
The DNS [Domain Name System] is a key component of a network infrastructure. It allows you to use NAMES instead of IP addresses.
Introduction
A quick DNS overview is available here: DNS server split principle#Simple DNS zone
Setup
apt-get install bind9 dnsutils bind9-doc
DNS server configuration
You need to configure the OVERALL behavior of the DNS server:
- What are the external DNS?
- Enable DNSSEC?
- IP v6 support?
Set the external DNS
This is the list of DNS servers your server will use to populate its own cache.
The external DNS can be either your ISP's DNS or Google's servers.
!! Mind the order !! The first DNS server has the highest priority.
Edit configuration file:
vim /etc/bind/named.conf.options
Uncomment and adjust the file content:
[...]
forwarders {
# Your ISP DNS IPs
182.176.39.23;
182.176.18.13;
# Google's DNS
8.8.8.8;
8.8.4.4;
};
[...]
Disable DNS SEC
DNS is one of the most vulnerable protocols, which is why its secured successor, "DNS-SEC", is being deployed right now.
But... enabling DNS-SEC can lead to security errors and blocked forwarding if you don't have a proper certificate.
I don't have enough time to set up the correct certificate, so I disabled DNS-SEC.
Edit configuration file:
vim /etc/bind/named.conf.options
Disable the DNS-SEC options:
dnssec-enable no;
dnssec-validation no;
Disable IPv6 DNS requests
You can still listen on your local IPv6 interface; however, if your router is not IPv6 compatible you should disable IPv6 requests. If you do not disable them, you'll see the following errors in /var/log/syslog:
error (network unreachable) resolving './DNSKEY/IN': 2001:: ...
Edit the configuration file:
vim /etc/default/bind9
Add / update the options:
OPTIONS="-4"
This tells named to use IPv4 only, even if the host is also capable of IPv6.
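As an added example (not part of the original page), a small Python checker that reads a named.conf.options fragment and reports the forwarder order and whether DNSSEC has been switched off, as done in the steps above. The configuration text inside it is constructed to mirror this page's settings and is compared against the same file with validation left on.

```python
import re

# Constructed sample of /etc/bind/named.conf.options mirroring the page's settings
# (forwarders in priority order, DNSSEC switched off). Not taken from a real server.
WEAK_OPTIONS = """
options {
    directory "/var/cache/bind";
    forwarders {
        # Your ISP DNS IPs
        182.176.39.23;
        182.176.18.13;
        # Google's DNS
        8.8.8.8;
        8.8.4.4;
    };
    dnssec-enable no;      /* page's setting */
    dnssec-validation no;  // page's setting
};
"""
# The same file with validation left on, for comparison.
HARDENED_OPTIONS = WEAK_OPTIONS.replace("dnssec-enable no;", "dnssec-enable yes;") \
                               .replace("dnssec-validation no;", "dnssec-validation auto;")

def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return "\n".join(re.split(r"#|//", line, maxsplit=1)[0] for line in text.splitlines())

def forwarders(text):
    """Forwarder addresses in the order they are listed (first = highest priority, per the page)."""
    m = re.search(r"forwarders\s*\{([^}]*)\}", strip_comments(text))
    return re.findall(r"([^\s;]+)\s*;", m.group(1)) if m else []

def option(text, name):
    """Value of a plain `name value;` statement, or None if it is not set."""
    m = re.search(r"\b%s\s+([^;{]+);" % re.escape(name), strip_comments(text))
    return m.group(1).strip() if m else None

def audit(text):
    """Settings that weaken the resolver; an empty list means none were found."""
    findings = []
    if not forwarders(text):
        findings.append("no forwarders: the server will recurse from the root servers itself")
    if option(text, "dnssec-enable") == "no":
        findings.append("dnssec-enable no: DNSSEC is switched off entirely")
    if option(text, "dnssec-validation") == "no":
        findings.append("dnssec-validation no: answers are cached without signature checks")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, forwarders(conf), audit(conf))
```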
Register zone and reverse
Create zone(s)
>> See DNS server unique zone
>> If you plan to share some resources with the Internet, have a look at the DNS server split howto
Don't forget to restart BIND when your configuration is complete.
Test zone(s) # server side
Run the following commands to check your configuration.
- All commands should output OK, or the ping should succeed. :)
- Adjust both the DNS zone "smartcards.vehco.com" and the ping targets to your OWN situation!
Check the local zone:
## Internal zone "smartcards.vehco.com"
named-checkzone smartcards.vehco.com /etc/bind/smartcards.vehco.com
#### DNS split horizon ####
## External zone for "smartcards.vehco.com"
named-checkzone smartcards.vehco.com /etc/bind/external.smartcards.vehco.com
Check the reverse zone:
named-checkzone 50.16.172.in-addr.arpa. /etc/bind/db.172
Now you can try to ping something / someone in the INTERNAL zone:
ping cisco-router
ping smartcard-prod-00
Now you can try to ping something on INTERNET:
ping dev.daxiongmao.eu
Set the new DNS server as local default
You can register your DNS server in:
- DHCP configuration: all the clients will get their configuration from DHCP, including default DNS (see DHCP server).
- Locally: on the local server (= where the DNS service is installed), you can use the new DNS for all other services and applications.
Local changes on DNS server
vim /etc/network/interfaces
Adjust it like that:
# The primary network interface [static IP]
auto eth0
iface eth0 inet static
address 172.16.50.2
netmask 255.255.255.0
gateway 172.16.50.1
network 172.16.50.0
broadcast 172.16.50.255
# Local DNS server on 172.16.50.2 as default. Then the DNS server itself will forward the requests to external DNS servers.
# It's better to put your own IP address rather than 127.0.0.1 because some services do not support the loopback address.
dns-nameservers 172.16.50.2
dns-search smartcards.local
dns-domain smartcards.local
Replace "smartcards.local" with your own internal zone.
Don't forget to reboot for your configuration changes to take effect!
DNS server logs
Logs are in /var/log/syslog