Rob's web

DNS server

We use BIND as DNS.

In this article we set up a Dynamic Domain Name System (DDNS): first the DNS server and then the DHCP server are installed and configured.

Installation

# dnf install bind bind-utils

Configuration

Configuration takes many steps.

DHCP-DNS key

First we generate a key for the encrypted communication between dhcpd and named. Enter:

# rndc-confgen -a -b 256
# cd /etc
# chmod 640 rndc.key
# chown root:named rndc.key
# chcon system_u:object_r:dnssec_t:s0 rndc.key

The key is written in /etc/rndc.key.

When we look in the keyfile we see:

key "rndc-key" {
        algorithm hmac-sha256;
        secret "e+LxyV0QEC6mUCNbBtujKidlMceQUye1qvJETRTbDM4=";
};

Don't copy this one, but make your own.

If you ever need to create a new key, restart named and dhcpd after creating it.

Copy this key to the slave dns.
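The key statement above is an HMAC key: named and dhcpd use it to sign (TSIG) their update messages, so a weak algorithm, a short secret or a readable key file lets anyone on the LAN forge updates. As an added check, not part of this page's procedure, the Python script below parses a BIND key statement in the layout shown above and reports an unaccepted algorithm, a secret shorter than the algorithm's output size, and a file mode or group that deviates from the 0640 root:named layout. The two sample key statements are constructed here; the only page values it assumes are the key name rndc-key and the named group.

```python
import base64
import grp
import os
import re
import stat
import sys

# Minimum HMAC key length (bits) accepted per algorithm; hmac-md5 is deliberately absent.
ACCEPTED_ALGORITHMS = {"hmac-sha256": 256, "hmac-sha384": 384, "hmac-sha512": 512}

# Matches: key "name" { algorithm x; secret "base64"; };
KEY_RE = re.compile(
    r'key\s+"(?P<name>[^"]+)"\s*\{\s*'
    r'algorithm\s+(?P<alg>[\w-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[^"]+)"\s*;\s*\}\s*;'
)


def parse_key_statement(text):
    """Return (name, algorithm, secret) from a BIND 'key' statement such as /etc/rndc.key."""
    m = KEY_RE.search(text)
    if not m:
        raise ValueError("no key statement found")
    return m.group("name"), m.group("alg").lower(), m.group("secret")


def check_key(text):
    """Findings about the key material; an empty list means it looks sound."""
    name, alg, secret = parse_key_statement(text)
    findings = []
    try:
        raw = base64.b64decode(secret, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return [f"{name}: secret is not valid base64"]
    if alg not in ACCEPTED_ALGORITHMS:
        findings.append(f"{name}: algorithm {alg} is not an accepted HMAC-SHA2 algorithm")
    min_bits = ACCEPTED_ALGORITHMS.get(alg, 256)
    bits = len(raw) * 8
    if bits < min_bits:
        findings.append(f"{name}: secret is {bits} bits, want at least {min_bits}")
    return findings


def mode_findings(mode, label):
    """Permission findings for a key file given its st_mode; 0640 passes."""
    findings = []
    if mode & stat.S_IRWXO:
        findings.append(f"{label}: accessible by others (mode {stat.filemode(mode)})")
    if mode & stat.S_IWGRP:
        findings.append(f"{label}: group-writable")
    return findings


def check_key_file(path, expected_group="named"):
    """Check /etc/rndc.key (or any key file): mode, group ownership and contents."""
    st = os.stat(path)
    findings = mode_findings(st.st_mode, path)
    if expected_group is not None:
        try:
            group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            group = str(st.st_gid)
        if group != expected_group:
            findings.append(f"{path}: group is {group}, expected {expected_group}")
    with open(path) as fh:
        findings += check_key(fh.read())
    return findings


# Constructed samples: one shaped like rndc-confgen -a -b 256 output, one deliberately weak.
SAMPLE_GOOD = 'key "rndc-key" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' % (
    base64.b64encode(os.urandom(32)).decode())
SAMPLE_WEAK = 'key "rndc-key" {\n\talgorithm hmac-md5;\n\tsecret "AAAAAAAAAAAAAAAAAAAAAA==";\n};\n'

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/rndc.key"
    for line in check_key_file(path) or [f"{path}: OK"]:
        print(line)
```

Run it as root on the master and on every server you copied the key to; the group check assumes the named group exists on that host.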

Master dns server

Zone files

The dynamic zone files are stored in /var/named/dynamic.

For non-dynamic zones use /var/named/static.

Serial

Use yyyymmddxx, where:

yyyy  year
mm    month
dd    day
xx    follow-up number, starting with 01

You can make 99 updates per day.

Forward zone file

We start with example.com.

If you don't have IPv6 you can still use it with LAN-only fd00 addresses. If you do have IPv6, use the prefix you were given instead of fd00.

We start with a static set of addresses; new addresses can be added later. When you edit a dynamic zone file by hand later, delete its *.jnl journal file and restart named.

# cd /var/named/dynamic
# vi example.com
$ORIGIN .
$TTL 86400
example.com          IN SOA  ns.example.com. root.example.com. (
                                2019032016 ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                10800      ; minimum (3 hours)
                                )

                        NS      server1.example.com.
                        MX      10 server1.example.com.

$ORIGIN example.com.
gate                    A       192.168.1.1
                        AAAA    2001:983:395:1:2665:11ff:fe82:6397
server1                 A       192.168.1.11
                        AAAA    2001:983:395:1:21e:2aff:fe49:522c
mlp                     A       192.168.1.21
clp                     A       192.168.1.22

ftp                     CNAME   server1
imap                    CNAME   server1
ldap                    CNAME   server1
mail                    CNAME   server1
nfs                     CNAME   server1
ns                      A       192.168.1.11
                        AAAA    2001:983:395:1:21e:2aff:fe49:522c
ntp                     CNAME   server1
pop3                    CNAME   server1
smtp                    CNAME   server1
sql                     CNAME   server1
ssh                     CNAME   server1
www                     CNAME   server1

mlp is the monochromatic laser printer(b/w) and clp is the color laser jet.

Change the AAAA addresses to your own. IPv6 doesn't use NAT. It's a new way of thinking, but this is how the internet should work.

Reverse IPv4 zone file

# vi 1.168.192
$ORIGIN .
$TTL 86400
1.168.192.in-addr.arpa  IN SOA  ns.example.com. root.example.com. (
                                2019032011 ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                10800      ; minimum (3 hours)
                                )

$ORIGIN 1.168.192.in-addr.arpa.
@                       NS      ns.example.com.

1                       PTR     gate.example.com.
11                      PTR     server1.example.com.
21                      PTR     mlp.example.com.
22                      PTR     clp.example.com.

Reverse IPv6 zone file

The host addresses must look like the ones below, but with your own values.

# vi lan.ip6.arpa
$ORIGIN 1.0.0.0.5.9.3.0.5.8.9.0.1.0.0.2.ip6.arpa.
$TTL 1D
@       IN SOA  ns.example.com. root.example.com. (
                2019030501      ; serial
                1D              ; refresh
                1H              ; retry
                1W              ; expire
                3H )            ; minimum

@       IN      NS      ns.example.com.

7.9.3.6.2.8.e.f.f.f.1.1.5.6.6.2 IN      PTR     gate.example.com.
c.2.2.5.9.4.e.f.f.f.a.2.e.1.2.0 IN      PTR     server1.example.com.
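The nibble-reversed owner names above are easy to get wrong by hand, and a PTR that does not match its AAAA makes reverse lookups silently useless. The added Python example below, which is not from this page, derives the reverse zone origin and the relative PTR owners from the forward A/AAAA records with the standard ipaddress module, for both in-addr.arpa and ip6.arpa. Note that the $ORIGIN used above decodes to the prefix 2001:985:395:1::/64 while the forward zone uses 2001:983:395:1; generating both from the prefix you actually use keeps them consistent. The FORWARD dictionary, DOMAIN and the SOA values in render_reverse_zone are constructed from the zones above.

```python
import ipaddress

# Constructed from the forward zone above: host -> addresses
FORWARD = {
    "gate":    ["192.168.1.1", "2001:983:395:1:2665:11ff:fe82:6397"],
    "server1": ["192.168.1.11", "2001:983:395:1:21e:2aff:fe49:522c"],
    "mlp":     ["192.168.1.21"],
    "clp":     ["192.168.1.22"],
}
DOMAIN = "example.com."


def reverse_zone_origin(network):
    """Origin (with trailing dot) of the reverse zone covering network.
    IPv4 prefixes must be octet-aligned, IPv6 prefixes nibble-aligned."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need a /8, /16 or /24")
        drop = (32 - net.prefixlen) // 8        # host octets to cut off
    else:
        if net.prefixlen % 4:
            raise ValueError("IPv6 reverse zones need a nibble-aligned prefix")
        drop = (128 - net.prefixlen) // 4       # host nibbles to cut off
    labels = net.network_address.reverse_pointer.split(".")
    return ".".join(labels[drop:]) + "."


def ptr_records(forward, network, domain=DOMAIN):
    """(relative owner, PTR target) pairs for every forward address inside network."""
    net = ipaddress.ip_network(network, strict=True)
    origin = reverse_zone_origin(network)
    records = []
    for host, addrs in forward.items():
        for text in addrs:
            ip = ipaddress.ip_address(text)
            if ip not in net:                  # also skips the other IP version
                continue
            full = ip.reverse_pointer + "."
            relative = full[: -len(origin) - 1]   # strip ".<origin>"
            records.append((relative, f"{host}.{domain}"))
    return records


def render_reverse_zone(forward, network, ns="ns.example.com.", serial=2019030501):
    """Text of a minimal reverse zone in the layout used above."""
    origin = reverse_zone_origin(network)
    lines = [f"$ORIGIN {origin}", "$TTL 1D",
             f"@\tIN SOA\t{ns} root.example.com. ( {serial} 1D 1H 1W 3H )",
             f"@\tIN\tNS\t{ns}", ""]
    lines += [f"{rel}\tIN\tPTR\t{target}" for rel, target in ptr_records(forward, network)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_reverse_zone(FORWARD, "192.168.1.0/24"))
    print(render_reverse_zone(FORWARD, "2001:983:395:1::/64"))
```

Feed it the prefix you really have; the generated $ORIGIN is also the zone name to use in named.conf.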

After creating the zone files you need to change the owner.

# chown named:named *

Named.conf

We have the rndc-key and the zones, so let's start with the configuration. Enter:

# cd /etc
# vi named.conf

Our DNS server resolves all names to IP addresses and does reverse lookups, so recursion is set to yes. No forwarders are necessary.

We don't use DNSSEC at this moment.

Our server is the master DNS-server. There is no slave DNS.

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind/sample/ for example named configuration files.
//

acl "trusted" {
        192.168.0.0/16;
        2a02:a465:54ef::/48;
};

options {
        listen-on port 53       {any;};
        listen-on-v6 port 53    {any;};
        directory               "/var/named";
        dump-file               "/var/named/data/cache_dump.db";
        statistics-file         "/var/named/data/named_stats.txt";
        memstatistics-file      "/var/named/data/named_mem_stats.txt";
        secroots-file           "/var/named/data/named.secroots";
        recursing-file          "/var/named/data/named.recursing";
        managed-keys-directory  "/var/named/dynamic";
        geoip-directory         "/usr/share/GeoIP";
        pid-file                "/run/named/named.pid";
        session-keyfile         "/run/named/session.key";

        allow-query             {localhost; trusted;};
        recursion               yes;
        allow-recursion         {localhost; trusted;};

        dnssec-validation       yes;

        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "/var/log/named.log";
                severity dynamic;
        };
};

include "/etc/named.root.key";

include "/etc/rndc.key";

zone "." {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";

zone "example.com" {
        type master;
        file "dynamic/example.com";
        allow-update { key rndc-key; };
        allow-transfer {none;};
        notify no;
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "dynamic/1.168.192";
        allow-update { key rndc-key; };
        allow-transfer {none;};
        notify no;
};

zone "1.0.0.0.5.9.3.0.5.8.9.0.1.0.0.2.ip6.arpa" {
        type master;
        file "dynamic/lan.ip6.arpa";
        allow-update { key rndc-key; };
        allow-transfer {none;};
        notify no;
};

Now we have a basic DNS.

Setting owner

# cd /var
# chown -R named:named named/

Checking the zone files

# named-checkconf

When there are no errors in the configuration files, there is no output.

After (re)starting named, check in /var/log/named.log that all zones were loaded.

# cat /var/log/named.log
.....
all zones loaded
running
managed-keys-zone: Initializing automatic trust anchor management for zone '.'; ......
resolver priming query complete
#

Starting the DNS

# chmod 777 /var/log	// Only once.
# systemctl start named
# systemctl enable named
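named runs as the named user, and the logging channel above writes to /var/log/named.log, which a root-owned 0755 /var/log does not let it create; that is what the chmod above works around. The narrower alternative is to pre-create the file owned by named with a restrictive mode, which is what `install -o named -g named -m 640 /dev/null /var/log/named.log` does. The added Python example below, not from this page, audits a log target for exactly that situation: it reports a world-writable directory, a missing file, a file the service cannot write, or a file readable by others, and prepare_log_target creates the file the way install would. The uid/gid arguments are those of the named account; demo_in_tempdir substitutes the current user and a temporary directory so it runs unprivileged.

```python
import os
import stat
import tempfile


def audit_log_target(path, uid, gid):
    """Findings for a log file that a service running as uid/gid must append to.
    Empty list: the service can write the file and nobody else gets more than needed."""
    findings = []
    directory = os.path.dirname(path) or "."
    dmode = os.stat(directory).st_mode
    if dmode & stat.S_IWOTH:
        findings.append(f"{directory}: world-writable directory ({stat.filemode(dmode)})")
    if not os.path.exists(path):
        findings.append(f"{path}: missing; pre-create it owned by uid {uid} so the service "
                        "does not need write access to the directory")
        return findings
    st = os.stat(path)
    owner_ok = st.st_uid == uid and st.st_mode & stat.S_IWUSR
    group_ok = st.st_gid == gid and st.st_mode & stat.S_IWGRP
    if not (owner_ok or group_ok):
        findings.append(f"{path}: not writable by uid {uid}/gid {gid}")
    if st.st_mode & stat.S_IRWXO:
        findings.append(f"{path}: accessible by others ({stat.filemode(st.st_mode)})")
    return findings


def prepare_log_target(path, uid, gid, mode=0o640):
    """Create the log file (if absent) owned by uid:gid with the given mode.
    Needs root when uid/gid differ from the caller's own."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, mode)
    os.close(fd)
    os.chmod(path, mode)        # the umask may have narrowed the creation mode; set it explicitly
    os.chown(path, uid, gid)


def demo_in_tempdir():
    """Audit before preparation, after it, and after a chmod 777 on the directory.
    Uses the current user in place of the named account."""
    uid, gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as d:       # created with mode 0700
        path = os.path.join(d, "named.log")
        before = audit_log_target(path, uid, gid)
        prepare_log_target(path, uid, gid)
        after = audit_log_target(path, uid, gid)
        os.chmod(d, 0o777)
        opened = audit_log_target(path, uid, gid)
    return before, after, opened


if __name__ == "__main__":
    for label, result in zip(("before", "after", "dir 777"), demo_in_tempdir()):
        print(label, result or "OK")
```

On the real server, call audit_log_target("/var/log/named.log", uid, gid) with the uid and gid from `id named`; an empty result means named can append to its log without /var/log being writable by everyone.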

Testing

# nslookup server1.robkalmeijer.nl
Server:         192.168.1.11
Address:        192.168.1.11#53

Name:   server1.robkalmeijer.nl
Address: 192.168.1.11
Name:   server1.robkalmeijer.nl
Address: 2001:985:395:1::1:1
# nslookup 192.168.1.11
11.1.168.192.in-addr.arpa       name = server1.robkalmeijer.nl.
# nslookup ::1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa        name = localhost.

If you see something else, you made a typo or the configuration is wrong.

# nslookup server3.robkalmeijer.nl
Server:         192.168.1.11
Address:        192.168.1.11#53

** server can't find server3: NXDOMAIN

Let's go outside the LAN.

# nslookup www.google.com
Server:         192.168.1.11
Address:        192.168.1.11#53

Non-authoritative answer:
Name:   www.google.com
Address: 172.217.17.132
Name:   www.google.com
Address: 2a00:1450:400e:807::2004

Firewall

Both network and host firewalls must allow incoming TCP and UDP traffic over port 53. Standard DNS requests occur over UDP port 53. However, if the response size is over 512 bytes, as the case may be with DNSSEC, the request will need to be sent over TCP port 53.
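The UDP-then-TCP behaviour described here is visible in the wire format itself: a server whose answer does not fit in the UDP reply sets the TC (truncated) bit in the header, and the client repeats the same query over TCP, where every message carries a two-byte big-endian length prefix. The added Python example below, not from this page, builds a query, decodes the header flags and performs that fallback. udp_send and tcp_send are pluggable; the two fake_* transports are constructed stand-ins so the logic runs offline, and the socket-based senders are for use against a real resolver such as 192.168.1.11.

```python
import socket
import struct

FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def build_query(name, qtype=1, txid=0x1234):
    """Wire-format DNS query: 12-byte header (RD set) plus one IN question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(message):
    """Decode the header fields that matter for the UDP/TCP decision."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def needs_tcp_retry(response):
    """True when the server answered but flagged the UDP reply as truncated."""
    h = parse_header(response)
    return h["qr"] and h["tc"]


def resolve(name, qtype, udp_send, tcp_send):
    """Query over UDP first; on TC=1 repeat the identical query over TCP."""
    query = build_query(name, qtype)
    reply = udp_send(query)
    if needs_tcp_retry(reply):
        framed = tcp_send(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", framed[:2])[0]
        reply = framed[2:2 + length]
    return reply


# Real transports for an actual resolver (not exercised offline).
def udp_send_to(server, port=53, timeout=3.0):
    family = socket.AF_INET6 if ":" in server else socket.AF_INET

    def send(payload):
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(payload, (server, port))
            return s.recv(4096)
    return send


def tcp_send_to(server, port=53, timeout=3.0):
    def send(framed):
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(framed)
            head = s.recv(2)
            length = struct.unpack("!H", head)[0]
            body = b""
            while len(body) < length:
                chunk = s.recv(length - len(body))
                if not chunk:
                    break
                body += chunk
            return head + body
    return send


# Constructed stand-ins: a server whose answer does not fit in 512 bytes sets TC over UDP.
def fake_response(query, truncated):
    txid, _, qd, *_ = struct.unpack("!HHHHHH", query[:12])
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 0) + query[12:]


def fake_udp_send(query):
    return fake_response(query, truncated=True)


def fake_tcp_send(framed):
    length = struct.unpack("!H", framed[:2])[0]
    response = fake_response(framed[2:2 + length], truncated=False)
    return struct.pack("!H", len(response)) + response


def demo():
    """Header of the reply after the UDP attempt was truncated and retried over TCP."""
    return parse_header(resolve("example.com", 1, fake_udp_send, fake_tcp_send))


if __name__ == "__main__":
    print(demo())
```

Against the real server, resolve("example.com", 255, udp_send_to("192.168.1.11"), tcp_send_to("192.168.1.11")) exercises both firewall rules in one go: if UDP/53 is open but TCP/53 is not, the fallback step is where the call hangs or fails.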

Add the rules to the firewall:

# firewall-cmd --permanent --zone=public --add-port=53/tcp
# firewall-cmd --permanent --zone=public --add-port=53/udp
# firewall-cmd --reload

The DNS-server is ready for duty.

Router

NEVER open this port on the router. Your DNS is private to your LAN and its VPN users. Put your public settings at the ISP's DNS.

DDNS

First set up your DHCP server and let your clients use this DNS server. Then you can test name resolution for other hosts on your LAN.

When done restart named.

Slave dns servers

The domain name section is declared along with the path to the file containing the zone information, the statement that this is the master zone, and the IP address of the secondary server.

At the master dns:

zone "example.com" IN {
    type primary;
    file "example.com";
    allow-transfer { 192.168.1.19; };
};

192.168.1.19 is our slave server.

Copy the named.conf file to the slave server, or add the zones to it. Add the secondary-specific lines shown below to each zone; the address in masters is the master's address.

At the slave server modify the zones:

# cd /etc
# vi named.conf

zone "example.com" IN {
    type secondary;
    file "slaves/example.com";
    masters { 192.168.1.11; };
    allow-transfer { none; };
    allow-update { none; };
};

A DNS server can be a master/primary for one domain and a slave/secondary of another one.

Add the slave dns to your DHCP configuration as first choice and the master as second.

Test DNS resolution

The following dig command, run on either name server, should return the records for the domain on that server.

# dig any example.com @localhost

You should also confirm results can be retrieved from a remote host that is able to connect to the name servers. This will confirm connectivity and that proper firewall rules are in place.

# dig any example.com @192.168.2.11
# dig any example.com @192.168.2.12

With dig you can test any DNS server on the internet.

# dig any example.com @8.8.8.8

Modifying zone files

Zone files can be modified on the master name servers. Once resource records have been added, modified, or removed, you must remember to increment the zone serial number.

First stop dynamic updates to the zone with:

# rndc freeze <zone>

Update the zone manually and update the zone serial.

Thaw the zone, sync the journal and restart named:

# rndc thaw <zone>
# rndc sync <zone>
# rndc sync -clean <zone>
# systemctl restart named
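The yyyymmddxx scheme from the Serial section and the freeze/edit/thaw procedure here are combined in the added Python example below, which is not part of this page's instructions. next_serial implements the scheme, including the 99-per-day limit and the case where the stored serial is already ahead of today's date (it then just increments, so the serial never goes backwards and secondaries keep transferring); bump_zone_serial rewrites the serial inside an SOA record laid out as in the zone files above. Run it on the zone file between rndc freeze and rndc thaw, after making your manual edits. SAMPLE_ZONE is constructed from the forward zone above; the script name bump_serial.py in the usage comment is an assumption.

```python
import datetime
import re
import sys

# The serial is the first number after the "(" of an SOA record (layout used on this page).
SOA_SERIAL_RE = re.compile(r"(\bIN\s+SOA\b[^(]*\(\s*)(\d+)")


def _day_base(today):
    """yyyymmdd00 for a date, or for an int/str already in yyyymmdd form."""
    if today is None:
        today = datetime.date.today()
    if hasattr(today, "strftime"):
        return int(today.strftime("%Y%m%d")) * 100
    return int(today) * 100


def next_serial(current, today=None):
    """Next serial in yyyymmddxx form.
    - first change on a new day      -> yyyymmdd01
    - further changes the same day   -> xx + 1, up to 99
    - serial already ahead of today  -> current + 1 (keeps it monotonic)"""
    base = _day_base(today)
    if current < base:
        return base + 1
    if current < base + 99:
        return current + 1
    if current == base + 99:
        raise ValueError("99 updates already made today; wait until tomorrow")
    return current + 1


def bump_zone_serial(zone_text, today=None):
    """Return (new_text, old_serial, new_serial) with the SOA serial replaced in place."""
    m = SOA_SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found")
    old = int(m.group(2))
    new = next_serial(old, today)
    return zone_text[:m.start(2)] + str(new) + zone_text[m.end(2):], old, new


# Constructed from the forward zone above, trimmed to what the serial logic needs.
SAMPLE_ZONE = """$ORIGIN .
$TTL 86400
example.com          IN SOA  ns.example.com. root.example.com. (
                                2019032016 ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                10800      ; minimum (3 hours)
                                )
                        NS      server1.example.com.
$ORIGIN example.com.
gate                    A       192.168.1.1
"""

if __name__ == "__main__":
    # Usage (assumed script name):
    #   rndc freeze example.com
    #   vi /var/named/dynamic/example.com
    #   python3 bump_serial.py /var/named/dynamic/example.com
    #   rndc thaw example.com
    path = sys.argv[1]
    with open(path) as fh:
        text, old, new = bump_zone_serial(fh.read())
    with open(path, "w") as fh:
        fh.write(text)
    print(f"{path}: serial {old} -> {new}")
```

The regex only touches the first SOA in the file, so a zone file holding exactly one zone (as on this page) is updated and nothing else is rewritten.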

DNSSEC

Next step is setting up dnssec for your domains.

Setting up dnssec.

Links