Configure DNS

From Organic Design wiki

Latest revision as of 10:56, 4 May 2022

Local caching non-forwarding DNS Server

Setting up a local caching, non-forwarding DNS server is a good idea to ensure that DNS requests return quickly (especially useful if you have sites that make DNS requests before returning their pages). It's also essential if you're running SpamAssassin, because the DNS blacklist (DNSBL) services operate over DNS and will often refuse or rate-limit queries that arrive from large ISPs' shared resolvers. The term non-forwarding is confusing. Forwarding is what a resolver does when, instead of resolving a name itself, it hands every query it cannot answer from its cache to an upstream recursive resolver (the ISP's or a public one) and relays the reply. A non-forwarding resolver is still non-authoritative, but it performs the recursion itself: for a name that is not cached or local it queries the root servers, then the TLD servers, then the domain's authoritative servers, and caches what it learns. DNSBL lookups then originate from your own address rather than from a shared resolver that the list operator may already have blocked.

The most popular DNS server is Bind9, which is set up in caching configuration by default, but the unbound DNS resolver is becoming very popular too and is the default in some BSD distros now; it's lightweight, fast, modern and, because it is a resolver only with no authoritative-server code, has a smaller attack surface than bind when all you need is caching. Both bind and unbound come in local caching, non-forwarding configuration out of the box.

First install bind9 or unbound:

apt-get install [bind9|unbound]

Change the ISP name servers in your /etc/resolv.conf file to use the new local server instead:

search com
nameserver 127.0.0.1

Note: Don't forget to check /etc/network/interfaces and comment out any dns-nameservers lines there too, otherwise resolvconf writes the ISP servers back the next time the interface comes up. On hosts where systemd-resolved manages /etc/resolv.conf the file is regenerated, so set DNS=127.0.0.1 in /etc/systemd/resolved.conf (or disable resolved) instead of editing the file by hand.


You can ensure that your new DNS server is indeed in local caching configuration by checking that port 53 is only open to local requests with netstat -nlp | grep :53 (or ss -nlp | grep :53 on hosts without net-tools). Only loopback addresses should appear:

tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      893/unbound
tcp6       0      0 ::1:53                  :::*                    LISTEN      893/unbound
udp        0      0 127.0.0.1:53            0.0.0.0:*                           893/unbound
udp6       0      0 ::1:53                  :::*                                893/unbound
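As an added example (not part of the original page), the following script checks the state this procedure is meant to produce: only loopback nameservers in /etc/resolv.conf, port 53 bound to 127.0.0.1 and ::1 only, and a query actually answered by the local resolver. The two parsers read text on standard input so they can be run against the constructed samples embedded in the script (one in netstat layout, one in ss layout); the live check needs a real host with dig installed. The sample lines, the script name and the --live flag are assumptions for the example.

```bash
#!/bin/sh
# check-local-resolver.sh
# Added example (not from the Organic Design page): verifies the state the
# local caching resolver procedure aims for.
#   1. /etc/resolv.conf lists only loopback nameservers
#   2. every port-53 listener is bound to 127.0.0.1 or ::1
#   3. the local resolver answers a query (live host only, needs dig)

# Read resolv.conf text on stdin; print each nameserver that is not loopback.
# Empty output means the file is in the intended state.
resolv_non_loopback() {
    awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { print $2 }'
}

# Read `netstat -nlp` or `ss -nlp` output on stdin; print each :53 listener
# whose local address is not loopback. In both layouts the local address is
# the first field ending in ":53"; ss wraps IPv6 addresses in brackets.
dns_listeners_non_loopback() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:53$/) {
                addr = $i
                sub(/:53$/, "", addr)
                gsub(/\[/, "", addr)
                gsub(/\]/, "", addr)
                if (addr != "127.0.0.1" && addr != "::1") print $i
                break
            }
        }
    }'
}

# Constructed samples (not captured from a real host).
# netstat layout, matching the expected output for a correct install:
SAMPLE_NETSTAT_OK='tcp   0 0 127.0.0.1:53 0.0.0.0:* LISTEN 893/unbound
tcp6  0 0 ::1:53       :::*      LISTEN 893/unbound
udp   0 0 127.0.0.1:53 0.0.0.0:*        893/unbound
udp6  0 0 ::1:53       :::*             893/unbound'
# ss layout, from a host where `interface: 0.0.0.0` was added to unbound.conf:
SAMPLE_SS_EXPOSED='udp UNCONN 0 0   0.0.0.0:53 0.0.0.0:* users:(("unbound",pid=893,fd=3))
tcp LISTEN 0 256 [::]:53    [::]:*    users:(("unbound",pid=893,fd=5))'

# Live check of the running host; exit status 0 only when all three pass.
check_live() {
    status=0
    bad=$(resolv_non_loopback < /etc/resolv.conf)
    [ -z "$bad" ] || { echo "resolv.conf still lists: $bad"; status=1; }
    if command -v ss >/dev/null 2>&1; then
        bad=$(ss -nlp | dns_listeners_non_loopback)
    else
        bad=$(netstat -nlp | dns_listeners_non_loopback)
    fi
    [ -z "$bad" ] || { echo "port 53 is bound outside loopback: $bad"; status=1; }
    # the answer must come from the local resolver itself, not the ISP's
    dig +short @127.0.0.1 example.com A >/dev/null 2>&1 \
        || { echo "query via 127.0.0.1 failed"; status=1; }
    return $status
}

if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as check-local-resolver.sh --live after editing resolv.conf; a non-zero exit with one of the three messages tells you which step of the procedure was undone by resolvconf, a stray interface binding or a resolver that is not listening.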

Setting up local domain names

Requests for names under the organisation's domain that come from the Internet must resolve, via an A record at the public DNS host, to the ISP-assigned external IP address. This may require Dynamic DNS if a static IP address arrangement has not been made with the ISP.

Requests for the same names from within the LAN require the local DNS server to answer with the server's internal LAN IP address (a split-horizon setup), while every other name is still resolved normally.

The following example is for a domain called foo.com which has an internal Nextcloud on office.foo.com. It assumes that the domain is already configured correctly for external requests, including dynamic DNS, and focusses on the DNS server running internally on the LAN and the internal Nextcloud server (which probably runs the DNS server too) on IP address 192.168.1.2.

Install unbound as shown above, then edit /etc/unbound/unbound.conf (on Debian and Ubuntu a new file under /etc/unbound/unbound.conf.d/ is included automatically and is not touched by package upgrades) and append the following configuration:

server:
    # listen on every interface (the first section bound to loopback only);
    # only the LAN below is allowed, everything else is refused by unbound's
    # default access-control, but firewall the WAN side as well
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow
    verbosity: 1

    # answers are kept for at least an hour and at most a day regardless of
    # the record's own TTL; a long minimum also delays your own DNS changes
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # DNS rebinding protection: private addresses in answers from upstream are
    # discarded, except under our own domain where LAN addresses are expected
    private-address: 192.168.1.0/24
    private-domain: "foo.com"

    # transparent: the local-data below is served, and any other name under
    # foo.com (www, mail, ...) is still resolved normally. With static, every
    # name under foo.com that is not listed here gets NXDOMAIN on the LAN.
    local-zone: "foo.com." transparent
    local-data: "office.foo.com.  IN A 192.168.1.2"
    local-data-ptr: "192.168.1.2 office.foo.com"

# Optional. With this clause unbound forwards everything to OpenDNS and is no
# longer the non-forwarding resolver the first section set up; leave it out
# to recurse from the root hints yourself.
forward-zone:
    name: "."
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220

Check the syntax with unbound-checkconf, apply it with systemctl restart unbound, and confirm from another LAN host that dig @192.168.1.2 office.foo.com returns 192.168.1.2 while dig @192.168.1.2 www.foo.com still returns the public address. The netstat check from the first section will now show 0.0.0.0:53, which is expected; make sure the router or host firewall does not expose port 53 on the WAN side, otherwise you are running an open resolver that can be abused for amplification attacks.
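The following script is an added example (not the page's own configuration) that renders the split-horizon fragment for a LAN from parameters and lints a fragment for the two settings discussed above: a static local-zone, which hides the domain's public names from the LAN, and a catch-all forward-zone, which silently turns the non-forwarding resolver into a forwarder. The fragment for foo.com is rendered with transparent and without a forward-zone, and unbound-checkconf runs before the restart so a typo does not take the resolver down. The path under /etc/unbound/unbound.conf.d/, the script name, its sub-commands and the constructed lint input are assumptions.

```bash
#!/bin/sh
# gen-unbound-lan.sh
# Added example, not the page's own configuration. Renders the split-horizon
# unbound fragment from parameters and lints a fragment for two settings that
# cause trouble on a LAN resolver:
#   - `local-zone: ... static` answers NXDOMAIN for every name under the domain
#     that has no local-data, so public names such as www.foo.com vanish from
#     the LAN; `transparent` serves local-data and resolves the rest normally;
#   - a `forward-zone` for "." turns the non-forwarding resolver into a
#     forwarder, handing every query (DNSBL lookups included) to the upstream.
# Domain, host, addresses and the output path are assumptions.

# Usage: render_lan_conf DOMAIN HOST LAN_IP LAN_CIDR   (prints the fragment)
render_lan_conf() {
    domain=$1
    host=$2
    ip=$3
    cidr=$4
    printf '%s\n' \
        'server:' \
        '    # listen on all interfaces but answer only the LAN; unbound refuses' \
        '    # everything not listed in access-control, and the WAN side must' \
        '    # still be firewalled so port 53 is unreachable from the Internet' \
        '    interface: 0.0.0.0' \
        "    access-control: $cidr allow" \
        '    verbosity: 1' \
        '    # DNS rebinding protection: strip RFC 1918 answers that arrive from' \
        '    # upstream, except under our own domain where LAN addresses belong' \
        "    private-address: $cidr" \
        "    private-domain: \"$domain\"" \
        '    # transparent: names without local-data are resolved normally' \
        "    local-zone: \"$domain.\" transparent" \
        "    local-data: \"$host.$domain. IN A $ip\"" \
        "    local-data-ptr: \"$ip $host.$domain\"" \
        '    # no forward-zone: recursion starts from the root hints'
}

# Lint an unbound fragment read from stdin: one finding per line, none if clean.
lint_lan_conf() {
    awk '
        /^[ \t]*local-zone:/ && / static[ \t]*$/ {
            print "local-zone " $2 " is static: names under it without local-data return NXDOMAIN; use transparent"
        }
        /^[ \t]*forward-zone:/ { in_fz = 1 }
        in_fz && /name:[ \t]*"\."/ {
            print "forward-zone for \".\" makes this a forwarding resolver; drop it to keep local recursion"
            in_fz = 0
        }
    '
}

# Constructed lint input carrying both problem settings (not a real host's file).
PROBLEM_CONF='server:
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow
    local-zone: "foo.com." static
    local-data: "office.foo.com. IN A 192.168.1.2"
    forward-zone:
        name: "."
        forward-addr: 208.67.222.222'

# Write the fragment, validate the whole config, then restart unbound.
install_lan_conf() {
    out=/etc/unbound/unbound.conf.d/lan.conf   # assumed include directory
    render_lan_conf "$@" > "$out"
    unbound-checkconf || { echo "config rejected, not restarting"; return 1; }
    systemctl restart unbound
}

case "${1:-}" in
    render)  shift; render_lan_conf "$@" ;;
    lint)    lint_lan_conf ;;
    install) shift; install_lan_conf "$@" ;;
esac
```

gen-unbound-lan.sh render foo.com office 192.168.1.2 192.168.1.0/24 prints the fragment, gen-unbound-lan.sh lint < /etc/unbound/unbound.conf.d/lan.conf reports the two findings if they are present, and the install sub-command writes, validates and restarts. If you want AAAA queries for office.foo.com (which has no local AAAA record) resolved upstream rather than answered with an empty NOERROR, use typetransparent instead of transparent.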

Notes

These notes concern bind9 zone files, which an earlier version of this page used for the same split-horizon setup; the unbound local-data entries above have no serial number and take effect on systemctl restart unbound (or unbound-control reload where remote control is enabled).

  • Be sure to increase the serial number each time a zone file is edited, or secondary servers will ignore the changes
  • Remember to reload the zone files after making changes with service bind9 reload.
  • The "1" at the start of the reverse zone's PTR line (e.g. 1 IN PTR foo.co.nz.) is the last octet of the DNS server's IP address, relative to the 1.168.192.in-addr.arpa zone

Public DNS servers

If you forward rather than recurse, these are the usual forward-addr candidates. Bear in mind that whoever runs the forwarder sees every name your network looks up, and that DNSBL operators commonly reject or rate-limit queries arriving through such shared resolvers, which is why the first section recommends local recursion. Check that a server still answers before relying on it; Norton ConnectSafe, for instance, was discontinued in 2018.

OpenDNS

  • 208.67.222.222
  • 208.67.220.220

Google

  • 8.8.8.8
  • 8.8.4.4
  • 2001:4860:4860::8888
  • 2001:4860:4860::8844

DNSadvantage (Neustar)

  • 156.154.70.1
  • 156.154.71.1

Norton (ConnectSafe, discontinued)

  • 198.153.192.1
  • 198.153.194.1

Level 3 (these anycast resolvers are often mislabelled as Verizon's)

  • 4.2.2.1
  • 4.2.2.2
  • 4.2.2.3
  • 4.2.2.4
  • 4.2.2.5
  • 4.2.2.6

Dynamic DNS

It's often useful to be able to access machines on our local LANs from other locations. Most of the LANs we need to reach do not have static IP addresses, so a Dynamic DNS solution is used to keep a domain name up to date with the current IP address.

Our .com domain host is namecheap.com and they provide a free dynamic DNS service with a simple HTTP query-string method of updating a sub-domain. We just add a single entry to /etc/crontab which looks like this (replace SUB, DOMAIN and PASS with your specific settings):

*/10 * * * * nobody wget -q --spider "http://dynamicdns.park-your-domain.com/update?host=SUB&domain=DOMAIN&password=PASS"

The subdomain will automatically be created when the first request is made if it didn't previously exist. The password is shown in the namecheap.com admin site in the "DynamicDNS" section for the appropriate domain. Two caveats with this one-liner: the password travels in clear over plain HTTP and sits in the world-readable /etc/crontab, so prefer the https:// form of the same URL and keep the credential in a file only root (or the cron user) can read; and because --spider discards the reply, a rejected update goes unnoticed.
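Below is an added example (not the page's script) that replaces the crontab one-liner with a small updater: it uses HTTPS, keeps the password in a root-only file instead of /etc/crontab, sends an update only when the external address has actually changed, and checks the provider's XML reply so a bad password is reported rather than silently retried every ten minutes. The update URL and the ErrCount/Err1 reply elements are Namecheap's; the config and state file paths, the use of the OpenDNS myip.opendns.com lookup to learn the current external address, and the sample replies are assumptions or constructed for the example.

```bash
#!/bin/sh
# ddns-namecheap.sh
# Added example (not the page's script) replacing the wget one-liner.
# Differences from the one-liner:
#   - HTTPS, so the DDNS password does not cross the network in clear;
#   - the password is read from a root-only file, not from /etc/crontab,
#     which is world-readable;
#   - the update is sent only when the external address has changed;
#   - the XML reply is checked and a failure exits non-zero, so cron mails
#     the error instead of the script silently retrying every ten minutes.
# Update URL and <ErrCount>/<Err1> are Namecheap's; the paths and the OpenDNS
# myip lookup are assumptions for this example.

CONF=${DDNS_CONF:-/etc/ddns.conf}           # chmod 0600; lines: HOST= DOMAIN= PASS=
STATE=${DDNS_STATE:-/var/lib/ddns/last-ip}  # last address successfully registered
UPDATE_URL=https://dynamicdns.park-your-domain.com/update

# Print the value of <ErrCount> from a reply on stdin (empty if absent).
ddns_errcount() {
    tr -d '\r\n' | sed -n 's/.*<ErrCount>\([0-9]*\)<\/ErrCount>.*/\1/p'
}

# Print the first error message from a reply on stdin (empty if none).
ddns_err_message() {
    tr -d '\r\n' | sed -n 's/.*<Err1>\([^<]*\)<\/Err1>.*/\1/p'
}

# Succeed (0) when IP differs from the one recorded in the state file.
ddns_needs_update() {
    ip=$1
    state=$2
    last=""
    if [ -r "$state" ]; then last=$(cat "$state"); fi
    [ "$ip" != "$last" ]
}

# Record IP in the state file so the next run skips an unchanged address.
ddns_record_ip() {
    mkdir -p "$(dirname "$2")"
    printf '%s\n' "$1" > "$2"
}

# Constructed replies in the provider's format (not captured from Namecheap).
SAMPLE_OK='<?xml version="1.0"?><interface-response><Command>SETDNSHOST</Command>
<IP>203.0.113.7</IP><ErrCount>0</ErrCount><Done>true</Done></interface-response>'
SAMPLE_FAIL='<?xml version="1.0"?><interface-response><Command>SETDNSHOST</Command>
<ErrCount>1</ErrCount><errors><Err1>Passwords do not match</Err1></errors>
<Done>true</Done></interface-response>'

# Live run: learn the external address, update only on change, verify reply.
ddns_run() {
    . "$CONF"                                   # sets HOST, DOMAIN, PASS
    ip=$(dig +short myip.opendns.com @resolver1.opendns.com) || return 1
    [ -n "$ip" ] || { echo "could not determine external address"; return 1; }
    ddns_needs_update "$ip" "$STATE" || return 0  # unchanged: nothing to do
    # without an ip= parameter the provider uses the request's source address,
    # as the one-liner does; --data-urlencode copes with & or = in the password,
    # which still appears in this process's argv for the length of the request
    reply=$(curl -fsS --get \
        --data-urlencode "host=$HOST" --data-urlencode "domain=$DOMAIN" \
        --data-urlencode "password=$PASS" "$UPDATE_URL") || return 1
    if [ "$(printf '%s' "$reply" | ddns_errcount)" != "0" ]; then
        echo "update failed: $(printf '%s' "$reply" | ddns_err_message)"
        return 1
    fi
    ddns_record_ip "$ip" "$STATE"
}

if [ "${1:-}" = "--run" ]; then
    ddns_run
fi
```

Put HOST=SUB, DOMAIN=DOMAIN and PASS=... in /etc/ddns.conf with mode 0600, and replace the one-liner with */10 * * * * root /usr/local/sbin/ddns-namecheap.sh --run in /etc/crontab; cron then only produces mail when an update was attempted and rejected.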

See also

  • DynamicDNS.pl - the script we used to use to update DNS records only when the router's external IP changes
  • Hosting
  • Turn on query logging: http://www.cyberciti.biz/faq/howto-enable-dns-linux-unix-server-logging/
  • OpenDNS - free fast DNS servers that aren't Google: http://www.opendns.com/
  • Setting up a tier-2 OpenNIC server: https://wiki.opennic.org/opennic/tier2setup
  • Sample configuration for Unbound DNS server: https://dnswatch.com/dns-docs/UNBOUND/