Configure DNS
Organic Design procedure
Dynamic DNS
It's often useful to be able to access machines on our local LANs from other locations. Most of the LANs we need to reach do not have static IP addresses, so a Dynamic DNS solution is used to keep a domain name up to date with the current IP address.
Our .com domain host is namecheap.com, and they provide a free dynamic DNS service that lets a sub-domain be updated with a simple HTTP query-string request. We just add a single entry to /etc/crontab, which looks like this (replace SUB, DOMAIN and PASS with your specific settings):
The sub-domain is created automatically on the first request if it does not already exist. The password is shown in the namecheap.com admin site in the "DynamicDNS" section for the appropriate domain.
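As an added example (not the crontab entry from the original page), the following script does the same update but only sends the request when the router's external address has actually changed, and keeps the DDNS password out of the world-readable /etc/crontab. The Namecheap update URL and its host/domain/password/ip parameters, the use of OpenDNS's myip.opendns.com lookup for the external address, and the /var/lib/ddns state directory are assumptions of this example:

```shell
#!/bin/sh
# Added example, not the page's own crontab entry: update a Namecheap dynamic DNS
# record only when the external IPv4 address has changed. Assumed here: the
# Namecheap update endpoint and its parameters (per Namecheap's DDNS docs), the
# OpenDNS myip.opendns.com lookup, and a root-only state directory under /var/lib.
#
# Suggested /etc/crontab line (every 10 minutes, as root):
#   */10 * * * * root /usr/local/sbin/ddns-update.sh SUB DOMAIN /etc/ddns.pass
# The password is read from /etc/ddns.pass (mode 0600) instead of sitting in
# /etc/crontab, which any local user can read.

NAMECHEAP_URL="https://dynamicdns.park-your-domain.com/update"
STATE_DIR="${DDNS_STATE_DIR:-/var/lib/ddns}"

# Build the query-string URL Namecheap expects. The password is assumed to be
# URL-safe (Namecheap issues hexadecimal DDNS passwords).
ddns_update_url() {
    # $1 sub-domain, $2 domain, $3 password, $4 IPv4 address
    echo "${NAMECHEAP_URL}?host=$1&domain=$2&password=$3&ip=$4"
}

# Current external IPv4 address as seen by OpenDNS's resolver.
external_ip() {
    dig +short myip.opendns.com @resolver1.opendns.com
}

# Returns 0 (and records the new address) only when $2 differs from the address
# stored in cache file $1, so each change produces exactly one update request.
ip_changed() {
    cache="$1"; new_ip="$2"
    if [ -f "$cache" ] && [ "$(cat "$cache")" = "$new_ip" ]; then
        return 1
    fi
    printf '%s\n' "$new_ip" > "$cache"
    return 0
}

# Send the update. The URL (and so the password) is passed to curl via a config
# read from stdin rather than as an argument, so it does not show up in `ps`.
# Namecheap's XML reply carries <ErrCount>0</ErrCount> on success (assumed).
ddns_push() {
    reply="$(printf 'url = "%s"\n' "$1" | curl -fsS -K -)" || return 1
    echo "$reply" | grep -q '<ErrCount>0</ErrCount>'
}

ddns_main() {
    sub="$1"; domain="$2"; pass="$(cat "$3")"
    ip="$(external_ip)"
    [ -n "$ip" ] || { echo "ddns: could not determine external IP" >&2; exit 1; }
    mkdir -p "$STATE_DIR"
    if ip_changed "$STATE_DIR/$sub.$domain" "$ip"; then
        if ddns_push "$(ddns_update_url "$sub" "$domain" "$pass" "$ip")"; then
            logger -t ddns "updated $sub.$domain to $ip"
        else
            rm -f "$STATE_DIR/$sub.$domain"   # forget the IP so the next run retries
            logger -t ddns "update of $sub.$domain failed"
            exit 1
        fi
    fi
}

if [ $# -eq 3 ]; then ddns_main "$@"; fi
```

Because a failed push deletes the cached address, a transient network error is retried on the next cron run rather than leaving the record stale until the IP changes again.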
Local DNS Server
Requests from the Internet for names under the organisation's domain must resolve, via an A record, to the ISP-assigned external IP address. This may require Dynamic DNS if a static IP address arrangement has not been made with the ISP.
For requests made from within the LAN, the local server must be authoritative for the domain and forward all other requests to the ISP-assigned DNS servers.
The following example is for a domain called foo.co.nz which has an internal wiki and mail-server, but an external website on the IP address 1.2.3.5 and all other sub-domains (apart from wiki and mail) pointing at the external IP address 1.2.3.4. This example assumes that the domain is already configured correctly for resolving external requests, and focuses on the configuration of the DNS server running internally on the LAN on IP address 192.168.1.1. The wiki, DNS server and mail-server are all running on the same machine.
Install Bind9 with apt-get install bind9, then edit /etc/bind/named.conf.options and set the forwarders to your ISP's domain name server, or to a public name-server such as OpenDNS.com (4.2.2.2 and 8.8.8.8 are also easy to remember), e.g.
As of 25 May 2011 there are new versions of BIND that patch a potential denial-of-service vulnerability; make sure you run apt-get update and apt-get upgrade if your installation predates that.
Then add the following zone configuration in /etc/bind/named.conf.local:
The zone files reside in /var/cache/bind and are of the following format:
- Note: The "@" symbol means the naked domain (the zone apex)
- Note: CNAMEs work for sub-domains and for * but not for @
And the reverse lookup file, /var/cache/bind/db.192:
After the bind9 daemon is able to start successfully, you must ensure that the resolver is told to use the new local nameserver. Do this by specifying the local host's own IP address in your /etc/resolv.conf file, for example:
Notes
- Be sure to increase the serial number each time a zone file is edited or the changes will be ignored
- Remember to reload the zone files after making changes, with /etc/init.d/bind9 reload.
- Note the "1" in the last line of the reverse lookup is the last digit of the DNS server's IP address
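The configuration files the procedure above refers to are not reproduced on this page, so the following is an added example (not the page's or the project's own files) that renders them for the foo.co.nz scenario described: wiki, mail and DNS on the 192.168.1.1 LAN server, the public website on 1.2.3.5, and every other name on 1.2.3.4. It also implements the two notes above: a serial that always increases on edit, and a reverse record whose name is the last octet of the server's address. The ns1 and hostmaster names, the SOA timers, the choice of OpenDNS forwarders and the scratch output directory are assumptions of this example; the allow-recursion and allow-transfer options go beyond the text and keep the LAN server from being usable as an open resolver should port 53 ever be reachable from outside.

```shell
#!/bin/sh
# Added example, not the page's own configuration: render the BIND9 files the
# text describes for foo.co.nz. The "ns1"/"hostmaster" names, SOA timers and
# the output directory are assumptions. Files go to a scratch directory for
# review, not straight into /etc/bind or /var/cache/bind.

DOMAIN="foo.co.nz"
LAN_IP="192.168.1.1"     # wiki, mail and DNS server
WEB_IP="1.2.3.5"         # external website
EXT_IP="1.2.3.4"         # router's external address: all other sub-domains
FORWARDERS="208.67.222.222; 208.67.220.220;"   # OpenDNS, from the list on this page

# 192.168.1.1 -> 1.168.192.in-addr.arpa (the /24 reverse zone kept in db.192)
rev_zone() { echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'; }
last_octet() { echo "${1##*.}"; }

# Zone serial as YYYYMMDDnn: another edit on the same day increments nn, a new
# day restarts at 01, so the serial always grows and the change is not ignored.
# $1 is the current serial (empty for a new zone), $2 today's date (for tests).
next_serial() {
    cur="${1:-0}"; today="${2:-$(date +%Y%m%d)}"
    case "$cur" in
        "$today"[0-9][0-9]) printf '%s%02d\n' "$today" "$(expr "${cur#"$today"}" + 1)" ;;
        *) echo "${today}01" ;;
    esac
}

# /etc/bind/named.conf.options: forward what we are not authoritative for, and
# answer recursive queries only for the LAN (not an open resolver).
render_options() {
cat <<EOF
options {
    directory "/var/cache/bind";
    forwarders { $FORWARDERS };
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
    allow-transfer { none; };
    auth-nxdomain no;
};
EOF
}

# /etc/bind/named.conf.local: authoritative for the domain and its reverse zone
render_local() {
cat <<EOF
zone "$DOMAIN" {
    type master;
    file "/var/cache/bind/db.$DOMAIN";
};
zone "$(rev_zone "$LAN_IP")" {
    type master;
    file "/var/cache/bind/db.192";
};
EOF
}

# Forward zone. "@" is the naked domain; A records are used throughout since a
# CNAME is not allowed at "@". $1 is the serial.
render_forward() {
cat <<EOF
\$TTL 86400
@       IN  SOA   ns1.$DOMAIN. hostmaster.$DOMAIN. (
                  $1        ; serial, increase on every edit
                  3600 900 604800 86400 )
@       IN  NS    ns1.$DOMAIN.
@       IN  MX 10 mail.$DOMAIN.
@       IN  A     $WEB_IP
www     IN  A     $WEB_IP
ns1     IN  A     $LAN_IP
wiki    IN  A     $LAN_IP
mail    IN  A     $LAN_IP
*       IN  A     $EXT_IP
EOF
}

# Reverse zone: the PTR name is the last octet of the DNS server's address
render_reverse() {
cat <<EOF
\$TTL 86400
@       IN  SOA   ns1.$DOMAIN. hostmaster.$DOMAIN. (
                  $1 3600 900 604800 86400 )
@       IN  NS    ns1.$DOMAIN.
$(last_octet "$LAN_IP")       IN  PTR   ns1.$DOMAIN.
EOF
}

# /etc/resolv.conf on the server and other LAN hosts: use the local server
render_resolv() { printf 'search %s\nnameserver %s\n' "$DOMAIN" "$LAN_IP"; }

# Write everything into $1 and, when bind9utils is installed, check the zones:
# a zone file with a syntax error is skipped at load and its queries SERVFAIL.
write_all() {
    out="$1"; mkdir -p "$out"
    serial="$(next_serial)"
    render_options           > "$out/named.conf.options"
    render_local             > "$out/named.conf.local"
    render_forward "$serial" > "$out/db.$DOMAIN"
    render_reverse "$serial" > "$out/db.192"
    render_resolv            > "$out/resolv.conf"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$DOMAIN" "$out/db.$DOMAIN" &&
            named-checkzone "$(rev_zone "$LAN_IP")" "$out/db.192"
    fi
}

if [ $# -eq 1 ]; then write_all "$1"; fi
```

Run it as `sh render-bind.sh ./bind-example`, review the output, then copy the two named.conf fragments into /etc/bind and the db.* files into /var/cache/bind before reloading. The date-based serial only covers ninety-nine edits per day; in practice that is plenty for a small LAN zone.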
Public DNS servers
- 208.67.222.222
- 208.67.220.220
- 8.8.8.8
- 8.8.4.4
- 2001:4860:4860::8888
- 2001:4860:4860::8844
- 156.154.70.1
- 156.154.71.1
- 198.153.192.1
- 198.153.194.1
Verizon
- 4.2.2.1
- 4.2.2.2
- 4.2.2.3
- 4.2.2.4
- 4.2.2.5
- 4.2.2.6
See also
- Turn on query logging
- DynamicDNS.pl - the script we used to use to update DNS records only when router's external IP changes
- OpenDNS - free fast DNS servers that aren't Google