Difference between revisions of "Configure DNS"

From Organic Design wiki
m (Local DNS Server)
m (See also)
(22 intermediate revisions by 3 users not shown)
Line 1: Line 1:
<noinclude>{{procedure}}</noinclude>
+
== Local caching non-forwarding DNS Server ==
 +
<onlyinclude>Setting up a local caching non-forwarding DNS server is a good idea to ensure that DNS requests return quickly (especially useful if you have sites that make requests before returning the pages). It's also essential if you're running ''spam assassin'' because the domain black-lists (DNSBL) services operate over DNS and will often block requests made from large ISP's DNS servers.</onlyinclude> The term non-forwarding is confusing, but [http://social.dnsmadeeasy.com/blog/understanding-dns-forwarding/ forwarding] is actually something that authoritative servers do as part of processing recursive queries by sending parts that they can't resolve up the chain to a root server. A non-forwarding server is non-authoritative and simply refers requests to external DNS servers for names that are not cached or local.
  
== Dynamic DNS ==
+
The most popular DNS server is [http://bind9.net/ Bind9] and is set up in caching configuration by default, but the [https://nlnetlabs.nl/projects/unbound/documentation/ unbound] DNS resolver is becoming very popular too, and is the default in some BSD distros now, it's light-weight, fast, modern and more secure in most applications than ''bind''. Both ''bind'' and ''unbound'' should be in local caching non-forwarding configuration out of the box.
It's often useful to be able to access machines on our local LAN's from other locations. Most of the LAN's we need to access machines on do not have static IP addresses, so a [[w:Dynamic DNS|Dynamic DNS]] solution is used to keep a domain name up to date with the current IP address.
+
 
 +
First install ''bind9'' or ''unbound'':
 +
<source>
 +
apt-get install [bind9|unbound]
 +
</source>
 +
 
 +
Change the ISP name servers in your ''/etc/resolv.conf'' file to use the new local server instead:
 +
<source>
 +
search com
 +
nameserver 127.0.0.1
 +
</source>
  
Our .com domain host is [http://www.namecheap.com namecheap.com] and they provide a free dynamic DNS solution allowing simple HTTP query-string based method of updating a sub-domain. We just add a single entry to ''/etc/crontab'' which looks like this (replace SUB, DOMAIN and PASS with your specific settings):
+
'''Note:''' Don't forget to check ''/etc/network/interfaces'' and comment out any DNS servers specified there too.
{{code|<pre>
 
*/10 * * * * nobody wget -q --spider "http://dynamicdns.park-your-domain.com/update?host=SUB&domain=DOMAIN&password=PASS"
 
</pre>}}
 
  
  
The subdomain will automatically be created when the first request is made if it didn't previously exist. The password is shown in the namecheap.com admin site in the "DynamicDNS" section for the appropriate domain.
+
You can ensure that your new DNS server is indeed in local caching configuration with by checking that port 53 is only open to local requests with '''netstat -nlp|grep :53'''
 +
<source>
 +
tcp        0      0 {!127.0.0.1!}:53            0.0.0.0:*              LISTEN      893/unbound
 +
tcp6      0      0 {!::1!}:53                  :::*                    LISTEN      893/unbound
 +
udp        0      0 {!127.0.0.1!}:53            0.0.0.0:*                          893/unbound
 +
udp6      0      0 {!::1!}:53                  :::*                                893/unbound
 +
</source>
  
== Local DNS Server ==
+
== Setting up local domains names with Bind9 ==
 
Requests under the organisation's domain name from the Internet must be forwarded to the ISP-assigned external IP address using an A-record. This may require Dynamic DNS if a static IP address arrangement has not been made with the ISP.
 
Requests under the organisation's domain name from the Internet must be forwarded to the ISP-assigned external IP address using an A-record. This may require Dynamic DNS if a static IP address arrangement has not been made with the ISP.
  
Line 19: Line 33:
 
The following example is for a domain called ''foo.co.nz'' which has an internal wiki and mail-server, but an external website on the IP address 1.2.3.5 and all other sub-domains (apart from wiki and mail) pointing at the external IP address 1.2.3.4. This example assumes that the domain is configured correctly for resolving external requests, and focusses on the configuration of the DNS server running internally on the LAN on IP address 192.168.1.1. The wiki, DNS server and mail-server are all running on the same machine.
 
The following example is for a domain called ''foo.co.nz'' which has an internal wiki and mail-server, but an external website on the IP address 1.2.3.5 and all other sub-domains (apart from wiki and mail) pointing at the external IP address 1.2.3.4. This example assumes that the domain is configured correctly for resolving external requests, and focusses on the configuration of the DNS server running internally on the LAN on IP address 192.168.1.1. The wiki, DNS server and mail-server are all running on the same machine.
  
Install Bind9 with '''apt-get install bind9''', then edit ''/etc/bind/named.conf.options'' and set the ''forwarders'' to your ISP's domain name server, e.g.
+
Install Bind9 with '''apt-get install bind9''', then edit ''/etc/bind/named.conf.options'' and set the ''forwarders'' to your ISP's domain name server, or a public name-server such as [http://www.opendns.com OpenDNS.com] (also some easy to remember ones are 4.2.2.2 and 8.8.8.8) e.g.
{{code|<pre>
+
<source>
 
forwarders {
 
forwarders {
        58.28.4.2;
+
    208.67.222.222;
        58.28.6.2;
+
    208.67.220.220;
 
};
 
};
</pre>}}
+
</source>
 
 
 
 
As of 25 May 2011 there are new versions of BIND for [http://www.theregister.co.uk/2011/05/27/bind_dns_security_update/ patching a Denial of Service, make sure you apt-update and upgrade if you are running an installation prior to that.
 
  
Then and the following zone configuration in ''/etc/bind/named.conf.local'':
+
Add the following zone configuration in ''/etc/bind/named.conf.local'':
{{code|<pre>
+
<source>
 
zone "foo.org" {
 
zone "foo.org" {
 
type master;
 
type master;
Line 41: Line 52:
 
file "db.192";
 
file "db.192";
 
};
 
};
 
+
</source>
</pre>}}
 
 
 
  
 
The zone files reside in '''/var/cache/bind''' and are of the following format:
 
The zone files reside in '''/var/cache/bind''' and are of the following format:
{{code|<pre>
+
<source>
 
$TTL 1D
 
$TTL 1D
 
@ IN SOA ns1.foo.co.nz. root.foo.co.nz. (
 
@ IN SOA ns1.foo.co.nz. root.foo.co.nz. (
Line 64: Line 73:
 
* IN A 1.2.3.4
 
* IN A 1.2.3.4
 
foo    IN      CNAME  foo.com
 
foo    IN      CNAME  foo.com
</pre>}}
+
</source>
 
*'''Note:''' The "@" symbol means the naked domain
 
*'''Note:''' The "@" symbol means the naked domain
 
*'''Note:''' CNAME's work for subdomains and * but not for @
 
*'''Note:''' CNAME's work for subdomains and * but not for @
 
  
 
And the reverse lookup file, '''/var/cache/bind/db.192''':
 
And the reverse lookup file, '''/var/cache/bind/db.192''':
{{code|<pre>
+
<source>
 
@ IN SOA foo.co.nz. root.foo.co.nz. (
 
@ IN SOA foo.co.nz. root.foo.co.nz. (
 
                       200905081 ; Serial
 
                       200905081 ; Serial
Line 80: Line 88:
 
IN NS ns1.foo.co.nz.
 
IN NS ns1.foo.co.nz.
 
1 IN PTR foo.co.nz.
 
1 IN PTR foo.co.nz.
</pre>}}
+
</source>
 
 
 
 
After the ''bind9'' daemon is able to successfully start, you must ensure that the resolver is told to use the new local nameserver. Do this by specifying the local hosts own IP address in your ''/etc/resolv.conf'' file, for example:
 
{{code|<pre>
 
nameserver 192.168.1.1
 
</pre>}}
 
  
 
== Notes ==
 
== Notes ==
 
*Be sure to increase the serial number each time a zone file is edited or the changes will be ignored
 
*Be sure to increase the serial number each time a zone file is edited or the changes will be ignored
*Remember to reload the zone files after making changes with '''/etc/init.d/bind9 reload'''.
+
*Remember to reload the zone files after making changes with '''service bind9 reload'''.
 
*Note the "1" in the last line of the reverse lookup is the last digit of the DNS server's IP address
 
*Note the "1" in the last line of the reverse lookup is the last digit of the DNS server's IP address
 +
 +
== Public DNS servers ==
 +
'''[http://www.opendns.com OpenDNS]'''
 +
*208.67.222.222
 +
*208.67.220.220
 +
 +
'''[https://developers.google.com/speed/public-dns/ Google]'''
 +
*8.8.8.8
 +
*8.8.4.4
 +
*2001:4860:4860::8888
 +
*2001:4860:4860::8844
 +
 +
'''[http://www.dnsadvantage.com/ DNSadvantage]'''
 +
*156.154.70.1
 +
*156.154.71.1
 +
 +
'''[http://nortondns.com/ Norton]'''
 +
*198.153.192.1
 +
*198.153.194.1
 +
 +
'''Verizon'''
 +
*4.2.2.1
 +
*4.2.2.2
 +
*4.2.2.3
 +
*4.2.2.4
 +
*4.2.2.5
 +
*4.2.2.6
 +
 +
== Dynamic DNS ==
 +
It's often useful to be able to access machines on our local LAN's from other locations. Most of the LAN's we need to access machines on do not have static IP addresses, so a [[w:Dynamic DNS|Dynamic DNS]] solution is used to keep a domain name up to date with the current IP address.
 +
 +
Our .com domain host is [http://www.namecheap.com namecheap.com] and they provide a free dynamic DNS solution allowing simple HTTP query-string based method of updating a sub-domain. We just add a single entry to ''/etc/crontab'' which looks like this (replace SUB, DOMAIN and PASS with your specific settings):
 +
<source>
 +
*/10 * * * * nobody wget -q --spider "http://dynamicdns.park-your-domain.com/update?host=SUB&domain=DOMAIN&password=PASS"
 +
</source>
 +
 +
The subdomain will automatically be created when the first request is made if it didn't previously exist. The password is shown in the namecheap.com admin site in the "DynamicDNS" section for the appropriate domain.
  
 
== See also ==
 
== See also ==
 +
*[[Hosting]]
 +
*[http://www.cyberciti.biz/faq/howto-enable-dns-linux-unix-server-logging/ Turn on query logging]
 
*[[DynamicDNS.pl]] ''- the script we used to use to update DNS records only when router's external IP changes''
 
*[[DynamicDNS.pl]] ''- the script we used to use to update DNS records only when router's external IP changes''
[[Category:Domain names|0]]
+
*[http://www.opendns.com/ OpenDNS] ''- free fast DNS servers that aren't Google''
 +
*[https://wiki.opennic.org/opennic/tier2setup Setting up a tier-2 OpenNIC server]
 +
[[Category:Procedures]]

Revision as of 21:51, 20 November 2019

Local caching non-forwarding DNS Server

Setting up a local caching non-forwarding DNS server is a good idea to ensure that DNS requests return quickly (especially useful if you have sites that make requests before returning the pages). It's also essential if you're running spam assassin because the domain black-lists (DNSBL) services operate over DNS and will often block requests made from large ISP's DNS servers. The term non-forwarding is confusing, but forwarding is actually something that authoritative servers do as part of processing recursive queries by sending parts that they can't resolve up the chain to a root server. A non-forwarding server is non-authoritative and simply refers requests to external DNS servers for names that are not cached or local.

The most popular DNS server is Bind9 and is set up in caching configuration by default, but the unbound DNS resolver is becoming very popular too, and is the default in some BSD distros now, it's light-weight, fast, modern and more secure in most applications than bind. Both bind and unbound should be in local caching non-forwarding configuration out of the box.

First install bind9 or unbound:

apt-get install [bind9|unbound]

Change the ISP name servers in your /etc/resolv.conf file to use the new local server instead:

search com
nameserver 127.0.0.1

Note: Don't forget to check /etc/network/interfaces and comment out any DNS servers specified there too.


You can ensure that your new DNS server is indeed in local caching configuration with by checking that port 53 is only open to local requests with netstat -nlp|grep :53

tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      893/unbound
tcp6       0      0 ::1:53                  :::*                    LISTEN      893/unbound
udp        0      0 127.0.0.1:53            0.0.0.0:*                           893/unbound
udp6       0      0 ::1:53                  :::*                                893/unbound

Setting up local domains names with Bind9

Requests under the organisation's domain name from the Internet must be forwarded to the ISP-assigned external IP address using an A-record. This may require Dynamic DNS if a static IP address arrangement has not been made with the ISP.

Requests made for the domain from within the LAN require the local server to be authoritative, but to refer all other requests to the ISP-assigned DNS servers.

The following example is for a domain called foo.co.nz which has an internal wiki and mail-server, but an external website on the IP address 1.2.3.5 and all other sub-domains (apart from wiki and mail) pointing at the external IP address 1.2.3.4. This example assumes that the domain is configured correctly for resolving external requests, and focusses on the configuration of the DNS server running internally on the LAN on IP address 192.168.1.1. The wiki, DNS server and mail-server are all running on the same machine.

Install Bind9 with apt-get install bind9, then edit /etc/bind/named.conf.options and set the forwarders to your ISP's domain name server, or a public name-server such as OpenDNS.com (also some easy to remember ones are 4.2.2.2 and 8.8.8.8) e.g.

forwarders {
    208.67.222.222;
    208.67.220.220;
};

Add the following zone configuration in /etc/bind/named.conf.local:

zone "foo.org" {
	type master;
	file "foo.db";
};

zone "1.168.192.in-addr.arpa" {
	type master;
	file "db.192";
};

The zone files reside in /var/cache/bind and are of the following format:

$TTL	1D
@	IN SOA ns1.foo.co.nz. root.foo.co.nz. (
                      200905081             ; Serial
                         604800             ; Refresh
                          86400             ; Retry
                        2419200             ; Expire
                         604800 )           ; Negative Cache TTL

		NS      ns1
		MX	10 mail.foo.co.nz.
ns1	IN	A	192.168.1.1
www	IN	A	1.2.3.5
wiki	IN	A	192.168.1.1
mail	IN	A	192.168.1.1
@	IN	A	1.2.3.4
*	IN	A	1.2.3.4
foo     IN      CNAME   foo.com
  • Note: The "@" symbol means the naked domain
  • Note: CNAME's work for subdomains and * but not for @

And the reverse lookup file, /var/cache/bind/db.192:

@ IN SOA foo.co.nz. root.foo.co.nz. (
                      200905081		; Serial
                         604800		; Refresh
                          86400		; Retry
                        2419200		; Expire
                         604800 )	; Default TTL

	IN	NS	ns1.foo.co.nz.
1	IN	PTR	foo.co.nz.

Notes

  • Be sure to increase the serial number each time a zone file is edited or the changes will be ignored
  • Remember to reload the zone files after making changes with service bind9 reload.
  • Note the "1" in the last line of the reverse lookup is the last digit of the DNS server's IP address

Public DNS servers

OpenDNS

  • 208.67.222.222
  • 208.67.220.220

Google

  • 8.8.8.8
  • 8.8.4.4
  • 2001:4860:4860::8888
  • 2001:4860:4860::8844

DNSadvantage

  • 156.154.70.1
  • 156.154.71.1

Norton

  • 198.153.192.1
  • 198.153.194.1

Verizon

  • 4.2.2.1
  • 4.2.2.2
  • 4.2.2.3
  • 4.2.2.4
  • 4.2.2.5
  • 4.2.2.6

Dynamic DNS

It's often useful to be able to access machines on our local LAN's from other locations. Most of the LAN's we need to access machines on do not have static IP addresses, so a Dynamic DNS solution is used to keep a domain name up to date with the current IP address.

Our .com domain host is namecheap.com and they provide a free dynamic DNS solution allowing simple HTTP query-string based method of updating a sub-domain. We just add a single entry to /etc/crontab which looks like this (replace SUB, DOMAIN and PASS with your specific settings):

*/10 * * * * nobody wget -q --spider "http://dynamicdns.park-your-domain.com/update?host=SUB&domain=DOMAIN&password=PASS"

The subdomain will automatically be created when the first request is made if it didn't previously exist. The password is shown in the namecheap.com admin site in the "DynamicDNS" section for the appropriate domain.

See also