Configure a Linux DNS Server - Part I (Caching Name Server)Not everybody's a Linux hacker straight out of the womb. For those who need a solid example or just want a little advice--no heckling involved--here's another how-to to get you going. We've helped you set up your home web server, so now let's get DNS working so you can have your very own domain.
How to set up a home DNS serverby Shannon Hughes
Domain Name SystemThe Domain Name System (DNS) is the crucial glue that keeps computer networks in harmony by converting human-friendly hostnames to the numerical IP addresses computers require to communicate with each other. DNS is one of the largest and most important distributed databases the world depends on by serving billions of DNS requests daily for public IP addresses. Most public DNS servers today are run by larger ISPs and commercial companies but private DNS servers can also be useful for private home networks. This article will explore some advantages of setting up various types of DNS servers in the home network.
Why set up a private DNS server?This question is valid and the answer may vary depending on your home network environment. Maintaining a host file on each client with IP/hostname mappings in a home network that contains a router and a few machines may be sufficient for most users. If your network contains more than a few machines, then adding a private DNS server may be more attractive and worth the setup effort. Some advantages may include:
*
Maintenance: keeping track of the host file for every client in your network can be tedious. In fact, it may not even be feasible for roaming DHCP laptops or your occasional LAN party guests. Maintaining host information in one central area and allowing DNS to manage host names is more efficient.
*
Cache performance: DNS servers can cache DNS information, allowing your clients to acquire DNS information internally without the need to access public nameservers. This performance improvement can add up for tasks such as web browsing.
*
Prototyping: A private internal DNS server is an excellent first step to eventually setting up a public accessible DNS server to access a web server or other services hosted on your internal network. Learning from mistakes on an internal network can help prevent duplicate errors on a public DNS server that could result in loss of service for external users. Note: Some ISPs require customers to have a static IP or business subscription when hosting services in a home network environment.
*
Cool factor: Ok, I may be stretching it, but the "cool" factor did have some influence when I set up my first home network DNS server. Creating an internal domain that reflects an individual's personality without paying a domain registrar and issuing hostnames to your clients is cool. The cool factor doubles when your customized hostname glows from your friend's laptop screen.
Let's start out simply by setting up a caching-only nameserver to handle client DNS requests. A caching-only nameserver won't allow references to internal clients by hostname, but it does allow clients to take advantage of frequently requested domains that are cached.
Caching nameserver
Fortunately, setting up a caching nameserver is easy using RHEL (Red Hat Enterprise Linux) or Fedora RPMs. The following RPMs need to be installed on the machine acting as the nameserver (use rpm -q to determine if these packages are installed):
*
bind (includes DNS server, named)
*
bind-utils (utilities for querying DNS servers about host information)
*
bind-libs (libraries used by the bind server and utils package)
*
bind-chroot (tree of files which can be used as a chroot jail for bind)
*
caching-nameserver (config files for a simple caching nameserver)
A caching nameserver forwards queries to an upstream nameserver and caches the results. Open the file /var/named/chroot/etc/named.conf and add the following lines to the global options section:
forwarders { xxx.xxx.xxx.xxx; xxx.xxx.xxx.xxx; }; #IP of upstream ISP nameserver(s) forward only; #rely completely on our upstream nameserversThe block above will cause the caching name server to forward DNS requests it can't resolve to your ISP nameserver. Save the named.conf file and then assign 644 permissions:
$ chmod 644 named.confCheck the syntax using the named-checkconf utility provided by the bind RPM:
named-checkconf named.conf
Correct any syntax errors (watch those semicolons) named-checkconf reports. Monitoring the /var/log/messages file may also be helpful in debugging any errors.
We now need to set the local resolver to point to itself for DNS resolution. Modify the /etc/resolv.conf file to the following:
nameserver 127.0.0.1If you are running a DHCP server on your router make sure your /etc/resolv.conf file does not get overwritten whenever your DHCP lease is renewed. To prevent this from happening, modify /etc/sysconfig/network-scripts/ifcfg-eth0 (replace eth0 with your network interface if different) and make sure the following settings are set:
BOOTPROTO=dhcpPEERDNS=noTYPE=EthernetGo ahead and start the nameserver as root and configure to start in runlevels 2-5:
service named startchkconfig named onTestingThe bind-utils RPM contains tools we can use to test our caching nameserver. Test your nameserver using host or dig and querying redhat.com:
dig redhat.com..;; Query time: 42 msec;; SERVER: 127.0.0.1#53(127.0.0.1)From the above dig query you can see it took 42 msec to receive the DNS request. Now test out the caching ability of your nameserver by running dig again on the redhat.com domain:
dig redhat.com..;; Query time: 1 msec;; SERVER: 127.0.0.1#53(127.0.0.1)We dropped from 42 msec to 1 msec after the previous DNS query was cached. Caching is working! Let's now put the cache to work by configuring the clients to use the new caching nameserver.
Client Configuration
For Linux and Windows clients you may have a couple of options for your resolver configuration depending on your network environment:
1. If you have a router and your client's IP address is assigned via DHCP from the router, then you can use the router to assign the primary nameserver during the DHCP lease requested from the client. Log in to your router and make sure your primary nameserver points to your caching nameserver IP address in the router DHCP settings.
2. For Linux clients, you can set up the resolver in the same procedure as the nameserver by modifying the /etc/resolv.conf file. For Windows clients you will need to set the nameserver IP address in the Control Panel -> Network Connections -> TCP/IP -> Properties -> Use the DNS Server Address option.
NOTE: The Windows DNS server option may vary depending on your version.
Test your new client configuration(s) using dig. You can use the nslookup command for Windows clients. Your DNS requests should have similar response times as we saw earlier when testing the nameserver directly.
NOTE: If you are running a firewall on the nameserver system, make sure clients have access to port 53. An example iptables rule for the 192.168.15.0/24 subnet would be:
iptables -A INPUT -s 192.168.15.0/24 -p udp --dport 53 -j ACCEPT
service iptables save
SummaryYour new caching nameserver offers a performance improvement with a minimal amount of set up effort. Clients can now ask the caching nameserver for DNS information, and it only needs to ask the upstream ISP nameserver for cache misses. In the next issue we will setup a master nameserver that is responsible for the authoritative information for our internal client hostnames. An authoritative nameserver also caches by default but additionally allows managing both static and DHCP clients using personalized hostnames set up in zone files. In the meantime, enjoy your new caching nameserver and be thinking about a creative domain and hostname theme for your future authoritative nameserver.
Configure a Linux DNS Server - Part II (Private DNS Server)Welcome back
In the first part of this series on the Domain Name System (DNS), we set up a caching nameserver that allowed our clients to take advantage of faster network operations by caching frequently requested DNS queries. In this article, we will extend our caching nameserver to a master nameserver that is responsible for managing the authoritative information for our internal client hostnames.
OverviewAs with our caching-only nameserver, we will see that BIND RPMS packaged by Red Hat® Enterprise Linux® and Fedora ease the process of configuring our master nameserver. Adding authoritative responsibility to the caching-only nameserver only requires us to add two more files and modify the existing named.conf file. For the purpose of this article we will assume the following:
* The BIND 9.x RPMS discussed in Part 1 are installed on the machine that will serve as a nameserver.
* Our internal network is in the 192.168.15.0/24 subnet. You will need to substitute your subnet if different.
* The master nameserver will only allow DNS queries from internal clients in the 192.168.15.0/24 subnet.
* The master nameserver will continue to forward any DNS requests it can't answer to your upstream ISP nameserver(s).
* We will use the domain hughes.lan as our internal domain name.
You might notice that we selected a mock top-level domain (sometimes referred as a TLD) named lan. Our internal domain name can be as creative as we wish since the domain is only known inside our home network. The naming convention for a public nameserver is not as relaxed, since we would need to follow certain rules that would allow our nameserver to respond to other nameservers requesting host information from around the world.
ZonesNameservers store information about a domain namespace in files called zone data files. A zone data file contains all the resource records that describe the domain represented in the zone. The resource records further describe all the hosts in the zone. We will need to modify our existing named.conf to reference two zone files for our domain name:
* Forward zone definitions that map hostnames to IP addresses.
* Reverse zone definitions that map IP addresses to hostnames.
Open /var/named/chroot/etc/named.conf and add the following forward and reverse zone file directives:
# Forward Zone for hughes.lan domainzone "hughes.lan" IN { type master; file "hughes.lan.zone";};# Reverse Zone for hughes.lan domainzone "15.168.192.in-addr.arpa" IN { type master; file "192.168.15.zone"; };Both the forward and reverse zones contain the type master indicating that our nameserver is the master or primary nameserver for the hughes.lan domain. The file keyword indicates which zone file contains the resource records for the corresponding zone. Note that the reverse zone contains a special domain named in-addr-arpa. DNS uses this special domain to support IP to hostname mappings. Reverse lookups are backwards since the name is read from the leaf to the root (imagine a domain name as a tree structure) so the resultant domain name has the topmost element at the right-hand side. For a home network the reverse lookup zones can be considered optional but we will include them for completeness.
Included with the BIND RPMs is a root zone nameservers use when a query is unresolvable by any other configured zones. The root zone directive is named ".", has a type of hint and references a file named named.ca that contains a list of 13 root name servers located around the world. We will not directly use the root servers since we are forwarding any unresolvable queries to our ISP nameservers.
We need to modify the named.conf global options to allow our internal clients to query the nameserver. Modify the existing global options block to the following:
acl hughes-lan { 192.168.15.0/24; 127.0/8; };options { directory "/var/named"; allow-query { hughes-lan; }; forwarders { xxx.xxx.xxx.xxx; xxx.xxx.xxx.xxx; }; # ISP primary/secondary forward-only; # Rely completely on ISP for cache misses};The acl statement above sets up a range of IP addresses we can reference throughout the named.conf file. The allow-query specifies IP addresses of hosts that can query our nameserver. The forwarders statement tells our nameserver to forward any unresolvable queries to our upstream nameservers. The forward-only statement restricts our nameserver to only rely on our ISP nameservers and not contact other nameservers to find information that our ISP can not provide. It's very rare for a primary and secondary ISP nameserver to be down at the same time but you can comment forward-only if you want your nameserver to try the root nameservers when the upstream ISP nameservers cannot resolve a hostname.
Zone filesWe are now ready to start defining our hostname mappings in the zone files we referenced in the named.conf configuration. Zone files need to be placed in the /var/named/chroot/var/named directory, have 644 permissions with an owner and group of named:
$ cd /var/named/chroot/var/named $ touch hughes.lan.zone $ chown named:named hughes.lan.zone $ chmod 644 hughes.lan.zoneLet's take a look at an example zone file for the hughes.lan forward zone and then dive into the various parts:
$TTL 1Dhughes.lan. IN SOA velma.hughes.lan. foo.bar.tld. ( 200612060 ; serial 2H ; refresh slaves 5M ; retry 1W ; expire 1M ; Negative TTL )@ IN NS velma.hughes.lan.velma.hughes.lan. IN A 192.168.15.10 ; RHEL serverfred.hughes.lan. IN A 192.168.15.1 ; routerscooby.hughes.lan. IN A 192.168.15.2 ; upstairs WAPshaggy.hughes.lan. IN A 192.168.15.3 ; downstairs WAPscooby-dum.hughes.lan. IN A 192.168.15.4 ; Fedora desktopdaphne.hughes.lan. IN A 192.168.15.5 ; network printermysterymachine IN A 192.168.15.6 ; mail serverscrappy IN A 192.168.15.7 ; Windows box ; aliaseswww IN CNAME velma.hughes.lan. ; WWW server virtual IN CNAME velma ; virtual WWW testsmail IN CNAME mysterymachine ; sendmail host ; DHCP Clientsdhcp01.hughes.lan. IN A 192.168.15.100dhcp02.hughes.lan. IN A 192.168.15.101dhcp03.hughes.lan. IN A 192.168.15.102dhcp04.hughes.lan. IN A 192.168.15.103dhcp05.hughes.lan. IN A 192.168.15.104@ IN MX 10 mail.hughes.lan.The very first line in the hughes.lan.zone contains the TTL (Time To Live) value and is set to one day. TTL is used by nameservers to know how long to cache nameserver responses. This value would have more meaning if our nameserver was public and had other external nameservers depending on our domain information. Notice the 'D' in the TTL value stands for Day. Bind also uses 'W' for weeks, 'H' for hours, and 'M' for minutes.
The first resource record is the SOA (Start Of Authority) Record which indicates that this nameserver is the best authoritative resource for the hughes.lan domain. The IN stands for Internet Class and is optional. The first hostname after the SOA is the name of our master or primary nameserver. The second name, "foo.bar.tld.", is the email address for the person in charge of this zone. Notice the '@' is replaced with a '.' and also ends with a '.'. The third value is the serial number that indicates the current revision, typically in the YYYYMMDD format with a single digit at the end indicating the revision number for that day. The fourth, fifth, sixth, and seventh values can be ignored for the purposes of this article.
The NS record lists each authoritative nameserver for the current zone. Notice the first '@' character in this line. The '@' character is a short-hand way to reference the domain, hughes.lan, that was referenced in the named.conf configuration file for this zone.
The next block of A records contains our hostname to address mappings. The CNAME records act as aliases to previously defined A records. Notice how fully qualified domains end with a '.'. If the '.' is omitted then the domain, hughes.lan, is appended to the hostname. In our example the hostname, scrappy, will become scrappy.hughes.lan
If you want to reference an internal mail server, then add a MX record that specifies a mail exchanger. The MX value "10" in our example indicates the preference value (number between 0 and 65535) for this mail exchanger's priority. Clients try the highest priorty exchanger first.
The reverse zone file, 192.168.15.zone, is similar to our forward zone but contains PTR records instead of A records:
$TTL 1D@ IN SOA velma.hughes.lan. foo.bar.tld. (200612060 ; serial2H ; refresh slaves5M ; retry1W ; expire1M ; Negative TTL) IN NS velma.hughes.lan.10 IN PTR velma.hughes.lan.1 IN PTR fred.hughes.lan.2 IN PTR scooby.hughes.lan.3 IN PTR shaggy.hughes.lan.4 IN PTR scooby-dum.hughes.lan.5 IN PTR daphne.hughes.lan.6 IN PTR mysterymachine.hughes.lan.7 IN PTR scrappy.hughes.lan.100 IN PTR dhcp01.hughes.lan.101 IN PTR dhcp02.hughes.lan.102 IN PTR dhcp03.hughes.lan.103 IN PTR dhcp04.hughes.lan.104 IN PTR dhcp05.hughes.lan.TestingSave your zone files, make sure you have the correct permissions and check the syntax using named-checkzone:
named-checkzone hughes.lan hughes.lan.zone
named-checkzone 15.168.192.in-addr.arpa 192.168.15.zone
Correct any syntax errors reported by named-checkzone.
Restart the nameserver:service named restart
Browse through the tail of the /var/log/messages file and confirm the domain loaded successfully.
Make the following DNS queries (substituting your domain):dig scooby.hughes.landig -x 192.168.15.2Your output should be similar to the following:...;; QUESTION SECTION:;scooby.hughes.lan. IN A;; ANSWER SECTION:scooby.hughes.lan. 86400 IN A 192.168.15.2;; AUTHORITY SECTION:hughes.lan. 86400 IN NS velma.hughes.lan.;; ADDITIONAL SECTION:velma.hughes.lan. 86400 IN A 192.168.15.10...Continue to test each host you added to the zone file and then enjoy your new master nameserver.
ConclusionThe goal of this series of DNS articles was to pick the high-level features DNS can offer to improve the efficiency and management of the home network. In addition to the performance improvement we saw with the caching nameserver, the master nameserver helps manage both static and dynamic clients using human-friendly hostnames instead of IP addresses. For readers interested in learning more about DNS or expanding the nameservers discussed in this series, checkout the following resources:
* BIND user documenation located in /usr/share/doc/bind-9.x.x
* DNS and BIND (5th Edition)
About the authorShannon Hughes is a Red Hat Network (RHN) engineer who enjoys using open source software to solve the most demanding software projects. When he is not cranking out code, tweaking servers, or coming up with new RHN projects, you can find him trying to squeeze in yet another plant in the yard/garden with his wife, watching Scooby Doo reruns with his two kids and dog, or incorporating the latest open source projects for his church.
Copyright © 2006 Red Hat, Inc. All rights reserved.
Privacy Policy : Terms of Use : Patent promise : Company : Contact
Log in to Your Account
Taken From: http://www.redhat.com/magazine/025nov06/features/dns/
http://www.redhat.com/magazine/026dec06/features/dns/
A much more complete howto can be found at: http://www.aboutdebian.com/dns.htm
