
Tuesday, 17 July 2012

Install a local DNS in Linux with Bind

How to set up a quick, basic DNS server for a local network.

First, the types of DNS server and the DNS record types.


Types of DNS

Master: Holds the authoritative copy of a zone, answers name resolution requests for it as an authoritative server and hands out copies of the zone to the slave servers.

Slave: Also answers as an authoritative server, but its copy of the zone comes from the master (by zone transfer) rather than from a local edit.

Caching-only: Answers name resolution requests without being authoritative for any zone; it keeps the answers in memory for the time allowed by their TTL.

Forwarding: Passes the requests on to a list of other name servers (forwarders) instead of resolving them itself.


DNS Records

A (Address): Maps a host name to an IPv4 address.

AAAA: The equivalent of the A record when the name maps to an IPv6 address.

MX (Mail eXchanger): Names the mail servers that receive mail for the domain.

CNAME (Canonical Name): An alias: it maps one name to another (the canonical name), which in turn has the A record. A host can have several aliases, but a name that is an alias may not carry any other record.

NS (Name Server): Names the authoritative name servers of the zone. There must be at least one.

SOA (Start Of Authority): The first record of the zone; there is exactly one per zone file, and it is only present on a server that is authoritative for the domain.
It names the primary name server of the zone, the administrator's mail address and the timers that control how secondary servers refresh the zone.

PTR (Domain Name Pointer): Maps an IP address back to a name (reverse lookup); PTR records live in the in-addr.arpa reverse zones.


Parameters of the SOA record

Serial: The serial number is used to synchronize the zone between the primary and the secondary DNS servers. When a secondary checks the primary and finds a serial bigger than the one it holds, it knows the zone file has been updated and asks for a copy of the new version. Increase it on every edit, otherwise the secondaries never pick up the change.

Refresh: Time the secondary waits before checking the primary again for a new serial.

Retry: Time the secondary waits after a failed attempt to reach the primary.

Expire: Time after which a secondary that has not been able to contact the primary stops answering for the zone.

Negative Cache TTL: Time a caching server remembers a negative answer (NXDOMAIN) before asking again.

Now that we have seen some theory, let's move on to the installation and configuration on Ubuntu and Fedora.


Installation and configuration for Ubuntu and similar distributions

Versions in the example: Ubuntu 10.04, Bind 9.7.0-P1
If your versions differ there may be small variations, but with any Bind 9 you should not have problems.

Installation:




Now go to the directory /etc/bind, where the configuration files are.

For the example we'll use the domain rukia.com, which will also be the name of our DNS server; the server has the IP 10.9.8.50 (rukia.com) and our client has the IP 10.9.8.1, which we'll name goku.rukia.com.

The first file to edit is the one where the zones are declared:




By default the file contains this:




Here the following zones are declared: the root hints (the public root servers), localhost, the reverse zone for localhost, and the reverse zones for the 0 and 255 (broadcast) networks.

For our own zone, using as example that we want to add the domain rukia.com and that the zone file is called db.rukia, we add the zone like this (Ubuntu also provides named.conf.local, included from named.conf, as the intended place for zones you add yourself; declaring them there keeps them apart from the package's default zones):





Now we add the reverse zone. A reverse zone resolves from an IP address to a name. For the example we add the reverse zone of the network 10.9.8.0, the network our example IPs belong to (10.9.8.1 and 10.9.8.50); the reverse zone file is called db.rukiaRev:




Note that the network part of the address is written backwards and ends in in-addr.arpa: our network is 10.9.8.0, so the zone is 8.9.10.in-addr.arpa.
The zone file names can be anything we want.
In the end the named.conf.default-zones file has to look like this:





Before we continue with the zones, let's check that named.conf includes named.conf.default-zones; for this we just have to read the file:



The file must contain this:





Now let's write our zone file for rukia.com (/etc/bind/db.rukia). In it we'll also add the name goku.rukia.com for the client 10.9.8.1, and make www.rukia.com resolve to 10.9.8.50.
So the file must look like this:






I'll explain the file line by line (lines 0 to 10, not counting blank lines)

0 - The $TTL directive sets the default Time To Live: how long a resolver may keep an answer in its cache before asking the server again. If a name has already been looked up and is looked up again within the TTL, the cached answer is used; once the TTL has passed the server is consulted again. In the example I put 120 seconds, thinking of critical situations where a name has to be updated almost instantly. The Ubuntu default zone files use 604800 seconds (one week).

1 - The SOA record is set, with the primary name server and the administrator's email. The email is written rukia.rukia.com. with the @ replaced by a period (and a trailing dot); the real address is rukia@rukia.com.

2 to 6 - The SOA parameters (serial, refresh, retry, expire, negative cache TTL).

7 - The NS record for the domain is set; in this case it is the same server (rukia.com). The @ stands for the origin of the zone, the domain the zone belongs to, so for this zone @ = rukia.com. Any name written without a trailing dot is relative to that origin.

8 - The rukia.com domain is pointed at the IP 10.9.8.50 with an A record.

9 - The CNAME makes www.rukia.com an alias of rukia.com, so resolving either name ends in 10.9.8.50: the resolver follows the alias to the A record of rukia.com.

10 - The name goku.rukia.com is pointed at the IP 10.9.8.1.

Now let's create the reverse zone file for our network (/etc/bind/db.rukiaRev):






Again I'll explain the file line by line (lines 0 to 9, not counting blank lines)

0 - TTL.

1 - The SOA record and the administrator's email are set, exactly as in the forward zone.

2 to 6 - SOA parameters.

7 - The NS record is set; in this case it is the same server.

8 - The IP 10.9.8.50 is pointed at the name rukia.com with a PTR record. Only the host part of the address is written as the record name: the origin of this zone is 8.9.10.in-addr.arpa, so the record for 10.9.8.50 is named just 50, which BIND expands to 50.8.9.10.in-addr.arpa. The target name must end with a dot (rukia.com.), otherwise the origin would be appended to it as well.

9 - The IP 10.9.8.1 is pointed at goku.rukia.com the same way, with a record named 1.

Now only the named.conf.options file is left, but on Ubuntu there is normally no need to edit it, only if reverse resolution fails or if a client gets an error saying the server refuses the query when it tries to resolve our names. If that happens, verify that the following options are present in /etc/bind/named.conf.options. Whatever you put there, keep allow-query and allow-recursion limited to localhost and the LAN (10.9.8.0/24): an "any" there turns the server into an open resolver that anyone who can reach it may use, for example to amplify traffic against third parties.





To start the service, run:




And that's it, a working and quick DNS for our LAN.
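The whole Ubuntu procedure above (zone declarations, forward zone, reverse zone, named.conf.options), together with the record types and SOA parameters from the theory section, as one added example. This script is not from the original post: it assumes bind9 is installed (apt-get install bind9), the example addresses (server 10.9.8.50, client 10.9.8.1, LAN 10.9.8.0/24) and the Ubuntu layout, and it declares the zones in named.conf.local rather than in named.conf.default-zones. Run it first with OUT_DIR pointing at a scratch directory to look at the generated files; with --write and no OUT_DIR it writes to /etc/bind.

```shell
#!/bin/sh
# Added example, not the post's own files: write the zone declarations, the
# rukia.com forward zone, its reverse zone and a hardened named.conf.options
# for BIND 9. Assumed: server rukia.com = 10.9.8.50, client goku = 10.9.8.1,
# LAN 10.9.8.0/24, Ubuntu layout (OUT_DIR=/etc/bind).
set -eu

DOMAIN=rukia.com
SERVER_IP=10.9.8.50
CLIENT_IP=10.9.8.1
LAN=10.9.8.0/24
OUT_DIR=${OUT_DIR:-/etc/bind}

# 10.9.8.0 -> 8.9.10.in-addr.arpa (network octets reversed; /24 networks only)
reverse_zone_name() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

write_config() {
    dir=$1
    rev=$(reverse_zone_name "${LAN%/*}")
    serial=$(date +%Y%m%d)01        # YYYYMMDDnn: bump nn on every edit
    mkdir -p "$dir"

    # Zone declarations (Ubuntu includes named.conf.local from named.conf).
    # allow-transfer { none; } stops any LAN host from dumping the zone via AXFR.
    cat > "$dir/named.conf.local" <<EOF
zone "$DOMAIN" {
    type master;
    file "$dir/db.rukia";
    allow-transfer { none; };
};
zone "$rev" {
    type master;
    file "$dir/db.rukiaRev";
    allow-transfer { none; };
};
EOF

    # Forward zone. @ is the origin (rukia.com); a name without a trailing dot
    # is relative to it, so "www" means www.rukia.com.
    cat > "$dir/db.rukia" <<EOF
\$TTL 120
@       IN  SOA     rukia.com. rukia.rukia.com. (
            $serial ; Serial
            3600    ; Refresh
            600     ; Retry
            604800  ; Expire
            120 )   ; Negative Cache TTL
@       IN  NS      rukia.com.
@       IN  A       $SERVER_IP
www     IN  CNAME   rukia.com.
goku    IN  A       $CLIENT_IP
EOF

    # Reverse zone: record names are the host octet, relative to $rev.
    cat > "$dir/db.rukiaRev" <<EOF
\$TTL 120
@       IN  SOA     rukia.com. rukia.rukia.com. (
            $serial ; Serial
            3600    ; Refresh
            600     ; Retry
            604800  ; Expire
            120 )   ; Negative Cache TTL
@       IN  NS      rukia.com.
${SERVER_IP##*.}      IN  PTR     rukia.com.
${CLIENT_IP##*.}      IN  PTR     goku.rukia.com.
EOF

    # Options: answer and recurse for localhost and the LAN only, never "any".
    cat > "$dir/named.conf.options" <<EOF
options {
    directory "/var/cache/bind";
    listen-on port 53 { 127.0.0.1; $SERVER_IP; };
    allow-query { localhost; $LAN; };
    recursion yes;
    allow-recursion { localhost; $LAN; };
    allow-transfer { none; };
};
EOF
}

# Validate with BIND's own zone checker when it is installed (skipped otherwise).
check_config() {
    command -v named-checkzone >/dev/null 2>&1 || return 0
    named-checkzone "$DOMAIN" "$1/db.rukia" >/dev/null &&
    named-checkzone "$(reverse_zone_name "${LAN%/*}")" "$1/db.rukiaRev" >/dev/null
}

if [ "${1:-}" = "--write" ]; then
    write_config "$OUT_DIR" && check_config "$OUT_DIR" && echo "written to $OUT_DIR"
fi
```

After writing the real files, run named-checkconf and restart bind9 (sudo service bind9 restart). Two settings differ from a stock configuration on purpose: allow-transfer { none; } stops any LAN host from pulling the full zone with a transfer request, and allow-recursion limited to localhost and the LAN keeps the server from acting as an open resolver should it ever be reachable from outside. For the Fedora layout, put the same zone and options stanzas in /etc/named.conf, set directory to /var/named and write the zone files there.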



Installation and configuration for Fedora and similar distributions

Versions in the example: Fedora 16 Security Spin, Bind 9.8.3-P1-RedHat-9.8.3-2.P1.fc16
If your versions differ there may be small variations, but as long as it is a Bind 9 there should not be any problem.

Installation:



For the example we'll use the domain rukia.com, which will also be the name of our DNS server; the server has the IP 10.9.8.50 (rukia.com) and our client has the IP 10.9.8.1, which we'll name goku.rukia.com.

The first file to edit is named.conf (/etc/named.conf):





This file holds both the options of our DNS and the zone declarations; by default it already contains this:





In this file the options we are interested in editing are:

listen-on port 53 { 127.0.0.1; }; - Sets the server to listen on port 53 on the localhost address only. Here we have to add the IP of our own machine so it can serve the clients on the LAN; for the example we add 10.9.8.50.

directory "/var/named"; - The directory where the zone files are stored. It can be another directory as long as the named user is able to read it. For the example we keep the default.

allow-query { localhost; }; - Sets who is allowed to query the DNS; by default only localhost. For the example we only need localhost and our LAN, so we add 10.9.8.0/24. Putting the word any here instead of an address lets any client query the server, which, combined with recursion yes, makes it an open resolver that anyone who can reach it can use for amplification attacks; use any only when you also restrict recursion with allow-recursion.

recursion yes; - Enables recursion: the server resolves names it is not authoritative for (anything outside rukia.com and the reverse zone) on behalf of its clients, by querying the root servers and following the referrals. Recursion has nothing to do with reverse lookups, which are ordinary queries for PTR records and work without it. Limit it to the clients you trust with allow-recursion { localhost; 10.9.8.0/24; };.

The file also declares the root hints zone (the public root servers) by default.

Now let's see how the options section has to look: the server listens on port 53 on 127.0.0.1 and on its LAN address (10.9.8.50), /var/named is the zone file directory, queries are accepted from localhost and the LAN, and recursion is offered to those same clients:





For our own zone, using as example that we want to add the domain rukia.com and that our zone file is called named.rukia, we add the zone like this (an allow-transfer { none; }; inside the zone keeps other hosts from downloading the whole zone with a transfer request):





Now we add the reverse zone. A reverse zone resolves from an IP address to a name. For the example we add the reverse zone of the network 10.9.8.0, the network our example IPs belong to (10.9.8.1 and 10.9.8.50); the reverse zone file is called named.rukiaRev:





Note that the network part of the address is written backwards and ends in in-addr.arpa: our network is 10.9.8.0, so the zone is 8.9.10.in-addr.arpa.
The zone file names can be anything we want.
At the end the named.conf file must look like this:





Now let's write the zone file for rukia.com (/var/named/named.rukia). In it we'll also add the name goku.rukia.com for the client 10.9.8.1, and make www.rukia.com resolve to 10.9.8.50.
So the file must look like this:





Line by line (lines 0 to 10, not counting blank lines) the file is the same as the Ubuntu one: line 0 sets $TTL 120, the default time a resolver may keep an answer in its cache (the distro default zone files use far longer values, typically a day or a week); line 1 the SOA record with rukia.com. as primary server and rukia.rukia.com. as the administrator's email (the real address is rukia@rukia.com, the @ becomes a period); lines 2 to 6 the SOA parameters; line 7 the NS record, where @ stands for the zone origin, rukia.com; line 8 the A record pointing rukia.com at 10.9.8.50; line 9 the CNAME that makes www.rukia.com an alias of rukia.com, so both names end in 10.9.8.50; and line 10 the A record for goku.rukia.com at 10.9.8.1.

Now let's create the reverse zone file for our network (/var/named/named.rukiaRev):





Again line by line (lines 0 to 9, not counting blank lines), and again identical to the Ubuntu version: line 0 the TTL; line 1 the SOA record and the administrator's email; lines 2 to 6 the SOA parameters; line 7 the NS record, the same server; line 8 a PTR record pointing 10.9.8.50 at rukia.com., written with only the host part of the address as its name (the zone origin is 8.9.10.in-addr.arpa, so the record is named just 50 and BIND expands it to 50.8.9.10.in-addr.arpa); and line 9 the PTR record named 1 that points 10.9.8.1 at goku.rukia.com.

To start the service, run:





And that's it, we have a simple local DNS.
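An added check for the options explained in this section, not part of the original post: a small shell audit that reads the options block of a named.conf and reports the two mistakes that matter most on a LAN server, recursion offered to any client and zone transfers left open. The two sample configurations inside it are constructed for the demonstration (the example LAN 10.9.8.0/24 and server 10.9.8.50); point audit_named_conf at the real /etc/named.conf (or Ubuntu's /etc/bind/named.conf.options) to check your own file.

```shell
#!/bin/sh
# Added example, not the post's own code: audit the options { } block of a
# named.conf for the settings that turn a LAN DNS into an open resolver or let
# anyone dump the zone. Assumed LAN 10.9.8.0/24, server 10.9.8.50. The sample
# configurations below are constructed for the demo.
set -eu

# Value of one option inside options { }, braces stripped. Options are assumed
# to be written one per line, as in the Fedora default file.
#   option_value FILE allow-query  ->  "localhost; 10.9.8.0/24;"
option_value() {
    awk -v key="$2" '
        /^[ \t]*options[ \t]*\{/ { inopt = 1; next }
        inopt && /^[ \t]*\};/    { inopt = 0 }
        inopt && $1 == key {
            sub("^[ \t]*" key "[ \t]*", "")
            if (sub(/^[^{]*\{/, "")) sub(/\}.*$/, "")
            gsub(/^[ \t]+|[ \t]+$/, "")
            print; exit
        }' "$1"
}

# Prints findings; returns 0 when the file passes, 1 otherwise.
audit_named_conf() {
    conf=$1; rc=0
    recursion=$(option_value "$conf" recursion)
    query=$(option_value "$conf" allow-query)
    recurse_acl=$(option_value "$conf" allow-recursion)
    xfer=$(option_value "$conf" allow-transfer)
    listen=$(option_value "$conf" listen-on)

    # BIND defaults recursion to yes. Without allow-recursion, allow-query also
    # decides who may recurse; "any" there is an open resolver.
    if [ "${recursion:-yes;}" = "yes;" ] && [ -z "$recurse_acl" ] \
       && echo "$query" | grep -q 'any'; then
        echo "FINDING: open recursive resolver (allow-query any, no allow-recursion)"
        rc=1
    fi
    # Zone transfers are allowed to anyone unless allow-transfer says otherwise.
    if [ -z "$xfer" ] || echo "$xfer" | grep -q 'any'; then
        echo "FINDING: zone transfers unrestricted; add allow-transfer { none; }"
        rc=1
    fi
    if echo "$listen" | grep -q 'any'; then
        echo "WARNING: listen-on any; prefer 127.0.0.1 plus the LAN address"
    fi
    return $rc
}

# Constructed samples: the Fedora default with the edits from the post taken
# one step too far ("any"), and the hardened version of the same options.
sample_weak_conf() {
    cat <<'EOF'
options {
    listen-on port 53 { 127.0.0.1; 10.9.8.50; };
    directory "/var/named";
    allow-query { any; };
    recursion yes;
};
EOF
}
sample_hardened_conf() {
    cat <<'EOF'
options {
    listen-on port 53 { 127.0.0.1; 10.9.8.50; };
    directory "/var/named";
    allow-query { localhost; 10.9.8.0/24; };
    recursion yes;
    allow-recursion { localhost; 10.9.8.0/24; };
    allow-transfer { none; };
};
zone "rukia.com" IN { type master; file "named.rukia"; };
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    sample_weak_conf > "$tmp/weak.conf"
    sample_hardened_conf > "$tmp/hardened.conf"
    for f in weak hardened; do
        echo "== $f"
        if audit_named_conf "$tmp/$f.conf"; then echo "ok"; fi
    done
    rm -r "$tmp"
fi
```

Run it with --demo to see the weak sample flagged and the hardened one pass. It only understands options written one per line, as in the Fedora default file; named-checkconf remains the syntax check, this script only looks at the policy.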



Configuration of the DNS for the clients

To set the DNS on the clients we just have to add the server's IP to the network configuration. I'll explain how to do it from the console; in graphical mode it is done from the network manager, in the manual configuration section for IPv4.

From the console we just have to edit the resolver configuration file (on systems where resolvconf, NetworkManager or systemd-resolved generate this file, set the DNS there instead, or the edit will be overwritten):





In it we add a nameserver line stating that our DNS is the server with the IP 10.9.8.50:




With this our clients can now make requests to our server.



How to check the domain names resolution

We can use the nslookup or dig commands; the difference is that dig shows more of the DNS response (the flags, the authority and additional sections, and which server answered), which is what you want when debugging. Use dig -x for reverse lookups.

Check with nslookup:





Check with dig:




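The checks above done with dig, as an added script that is not part of the original post. It assumes the example setup (10.9.8.50 authoritative for rukia.com and 8.9.10.in-addr.arpa, goku.rukia.com = 10.9.8.1, www a CNAME to rukia.com) and adds one check the post does not mention: that the server refuses zone transfers to ordinary clients.

```shell
#!/bin/sh
# Added example, not the post's own commands: check the LAN DNS with dig.
# Assumed: 10.9.8.50 is authoritative for rukia.com and 8.9.10.in-addr.arpa,
# goku.rukia.com is 10.9.8.1 and www.rukia.com is a CNAME to rukia.com.
set -u
DNS_SERVER=${DNS_SERVER:-10.9.8.50}

# Thin wrapper around dig so the lookup can be redirected (or stubbed) easily.
resolve() {   # resolve TYPE NAME  -> the +short answer, one record per line
    dig @"$DNS_SERVER" +short +time=2 +tries=1 -t "$1" "$2"
}

# Pass when one line of the answer is exactly EXPECTED (dig prints names with
# a trailing dot, so CNAME and PTR targets are given as rukia.com.).
check_record() {   # check_record TYPE NAME EXPECTED
    answer=$(resolve "$1" "$2")
    if echo "$answer" | grep -qxF "$3"; then
        echo "ok    $2 $1 -> $3"; return 0
    fi
    echo "FAIL  $2 $1: got '${answer:-<no answer>}', expected $3"; return 1
}

# A zone transfer request from an ordinary LAN host must be refused; dig
# reports that as "; Transfer failed." If it succeeds, every name in the zone
# is readable by anyone who can reach port 53.
check_axfr_refused() {   # check_axfr_refused ZONE
    if dig @"$DNS_SERVER" +time=2 +tries=1 "$1" AXFR 2>&1 | grep -q 'Transfer failed'; then
        echo "ok    AXFR of $1 refused"; return 0
    fi
    echo "FAIL  AXFR of $1 was answered: restrict it with allow-transfer { none; }"; return 1
}

# Forward names, the alias, both reverse entries and the transfer policy.
run_checks() {
    fails=0
    check_record A     rukia.com               10.9.8.50        || fails=$((fails + 1))
    check_record CNAME www.rukia.com           rukia.com.       || fails=$((fails + 1))
    check_record A     goku.rukia.com          10.9.8.1         || fails=$((fails + 1))
    check_record PTR   50.8.9.10.in-addr.arpa  rukia.com.       || fails=$((fails + 1))
    check_record PTR   1.8.9.10.in-addr.arpa   goku.rukia.com.  || fails=$((fails + 1))
    check_axfr_refused rukia.com                                || fails=$((fails + 1))
    return $fails
}

if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it with --run from a LAN client (or set DNS_SERVER to test another server). The PTR lookups are what dig -x 10.9.8.50 does behind the scenes; they are spelled out here to show the in-addr.arpa name the reverse zone answers for. A FAIL on the AXFR line means any host that can reach port 53 can list every name in the zone; fix it with allow-transfer { none; } in the zone or options block.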

And that is how you can configure a DNS for a LAN, really simply and quickly.

Any doubts, please comment.
