Hello, today I will try to teach how to configure a DNS (Domain Name Server or System). “Putting a DNS server on a network allows for the replacement of IP addresses of individual machines by a name. As a result, it’s
even possible to associate multiple names to the same machine to update the different available services. For example, www.example.com and pop.example.com, could both point to the primary server where the mail server and the business intranet reside, and the domain could be example.com. It’s easy to remember that these two services are running on the same machine whose IP address is 192.168.0.1.
Note: This post is part of a bigger Debian GNU-Linux material that you can access here.
Now imagine that our network administrator decides for some reason or another to move the mail server to the machine 192.168.0.11. The only thing that has to be changed is the DNS server configuration file. You could always go and modify the host configuration for all the users, but that would be time consuming and inconvenient.”
Taken from: https://wiki.debian.org/Bind9 on 2014-03-19
This sounds simply great! But how do we do it?
DNS Installation
Well, it is not very difficult, but it will probably take some effort. This is in fact the most complex thing we have done so far, but there is nothing to worry about if you follow the class. Also, if you have any question you can post it here.
We will use bind, as it is one of the most powerful and popular DNS servers, used even for the root DNS servers of the world. Anyway, there are a lot of other options for DNS servers, like powerdns or djbdns, and all of them have their own advantages (pros) and disadvantages (cons), so I will limit myself to two remarks: one, if you know how to work with bind it is simpler to learn how to work with any other; two, bind is really good, so I am not teaching second-line knowledge (today 2014-05-14). Let’s start by installing the software.
apt-get install bind9
This installs the software. Once it is installed you can optionally also install the bind documentation.
apt-get install bind9-doc
The documentation is very useful and important because it is 100% reliable in case you have any doubt. Now that we have the software installed we can start configuring it, once we know what we want. But before that I recommend backing up the configuration folder: in case we make a mess, we can always copy the backup back and start over. To do so, copy the directory /etc/bind to any other place, let’s say /home/class.
cp -r /etc/bind /home/class
The -r option copies the whole folder with all its files recursively. Then we can start the configuration of our bind 9 server. But again, we might not know how we want the server to be configured, and we do not know the main concepts and philosophy involved, so we need some information about how to do it first.
Let’s use the simplest use case:
- We work for a “Company” that has computers and we have a domain name “myco.com”; our network will be 192.168.0.0/24.
- We want to have some internal services and give them IP-to-name translation and vice versa.
- The IP address of the DNS server that we are going to configure will be 192.168.1.1.
- This “Company” has, let’s say, 2 servers: the DNS server itself, which has a real hostname, and we want to give it the alias “ns1.myco.com”.
- This DNS server is also the DHCP server, and its alias will be “dhcp1.myco.com”.
- The second server is a web server with IP 192.168.1.2, and we want it to respond to the name “web1.myco.com” even though its hostname is different.
- We have been using the same telecoms company and we do not want to change it or any of its DNS services, so we will still use the telecoms DNS server to resolve names outside our network; its IP address is 192.168.3.25.
Now we need to introduce a few concepts. Zone and domain: are they the same?
Configuration
“Domain name servers store information about part of the domain name space called a zone. The name server is authoritative for a particular zone. A single name server can be authoritative for many zones.
Understanding the difference between a zone and a domain is sometimes confusing. A zone is simply a portion of a domain. For example, the Domain Microsoft.com may contain all of the data for Microsoft.com, Marketing.microsoft.com and Development.microsoft.com. However, the zone Microsoft.com contains only information for Microsoft.com and references to the authoritative name servers for the subdomains.
The zone Microsoft.com can contain the data for subdomains of Microsoft.com if they have not been delegated to another server. For example, Marketing.microsoft.com may manage its own delegated zone. Development.microsoft.com may be managed by the parent, Microsoft.com.
If there are no subdomains, then the zone and domain are essentially the same. In this case the zone contains all data for the domain.”
Taken from: http://support.microsoft.com/kb/164054 on 2014-03-24.
In our case, as I said, it is the simplest problem: the domain and the zone are the same. So let’s declare our zone in the file /etc/bind/named.conf.local with the following content.
zone "myco.com" {
    type master;
    file "/etc/bind/zones/myco.com.db";
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/1.168.192.in-addr.arpa";
};
Well, here we have declared 2 zones instead of 1. Why is it done that way? Why do we need 2 zones if we have only one domain, and we said before that our zone = our domain?
“Reverse DNS is IP address to domain name mapping – the opposite of forward (normal) DNS which maps domain names to IP addresses.
Reverse DNS is separate from forward DNS.
Forward DNS for “abc.com” pointing to IP address “1.2.3.4”, does not necessarily mean that reverse DNS for IP “1.2.3.4” also points to “abc.com”.
This comes from two separate sets of data.
A special [pointer record] PTR-record type is used to store reverse DNS entries. The name of the [pointer record] PTR-record is the IP address with the segments reversed + “.in-addr.arpa”.
For example the reverse DNS entry for IP 1.2.3.4 would be stored as a PTR-record for “4.3.2.1.in-addr.arpa”.”
Taken from: http://support.simpledns.com/kb/a45/what-is-reverse-dns-and-do-i-need-it.aspx on 2014-03-24.
Well, from this we can conclude that we need a zone to map names to IP addresses and a reverse zone to map the IP addresses back to names. That is why we have two zones defined in our configuration. Both zones have the same structure. The first line gives the name of the zone. The second line says that the server is master for the zone: this server is the one that holds the authoritative definition of the zone and decides what is in it. There are also other zone types, such as slave zones; those are zones the server can answer for, but it receives the zone data from another (master) server. The third line says where the zone data file is; this file is the one that really relates IP addresses to names and vice versa. The fourth line simply closes the zone block. So the next thing we have to do is to write these files.
Well, to start with the files, let’s create the structure. The directory called zones might not exist in your environment, so let’s create it.
mkdir -p /etc/bind/zones
and then the first file:
nano /etc/bind/zones/myco.com.db
The name and path of the file must be exactly the same as the one given in the zone definition. Now we need to fill in our domain zone file:
$TTL 86400
@ IN SOA ns1.myco.com. admin.myco.com. (
2014032404 ; serial number YYYYMMDDNN
28800 ; Refresh
7200 ; Retry
864000 ; Expire
86400 ; Min TTL
)
;
; NS Records
@ IN NS ns1.myco.com.
; DNS IP address Definition
ns1 IN A 192.168.1.1
khs01wxl001 IN A 192.168.1.1
WebServerRealName IN A 192.168.1.2
; Alias names (CNAME)
dhcp1 IN CNAME khs01wxl001
web1 IN CNAME WebServerRealName
That is the configuration for the forward zone. Now we need to create the file for the reverse zone:
nano /etc/bind/zones/1.168.192.in-addr.arpa
and fill it with the reverse zone data:
$TTL 86400
@ IN SOA ns1.myco.com. admin.myco.com. (
2014032401 ; serial number YYYYMMDDNN
28800 ; Refresh
7200 ; Retry
864000 ; Expire
86400 ; Min TTL
)
@ IN NS ns1.myco.com.
1 IN PTR ns1.myco.com.
2 IN PTR web1.myco.com.
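BIND ships named-checkconf and named-checkzone, which validate the syntax of named.conf and of a zone file. The following is an added example (my own code, not from the original post or from BIND) that goes one step further and cross-checks the two zone files just written for the things a syntax check does not catch: an NS record at each zone apex, every PTR pointing back at a name whose A record really is that address, every A record having a PTR, and PTR targets that are aliases rather than canonical names. The two zone files are embedded as constructed copies of the ones above, and the parser only understands the subset of the master-file format they use.

```python
"""Cross-check the tutorial's forward zone against its reverse zone.
Added example, not code from the original post or from BIND. Both zone files are
constructed copies of the ones written above, embedded so the script runs offline.
The parser handles only the subset of the master-file format they use."""
import re

FORWARD_ZONE = "myco.com"
FORWARD_FILE = """\
$TTL 86400
@ IN SOA ns1.myco.com. admin.myco.com. (
2014032404 ; serial number YYYYMMDDNN
28800 ; Refresh
7200 ; Retry
864000 ; Expire
86400 ; Min TTL
)
@ IN NS ns1.myco.com.
ns1 IN A 192.168.1.1
khs01wxl001 IN A 192.168.1.1
WebServerRealName IN A 192.168.1.2
dhcp1 IN CNAME khs01wxl001
web1 IN CNAME WebServerRealName
"""
REVERSE_ZONE = "1.168.192.in-addr.arpa"
REVERSE_FILE = """\
$TTL 86400
@ IN SOA ns1.myco.com. admin.myco.com. ( 2014032401 28800 7200 864000 86400 )
@ IN NS ns1.myco.com.
1 IN PTR ns1.myco.com.
2 IN PTR web1.myco.com.
"""


def fqdn(name, origin):
    """Absolute, lower-cased form of a zone-file name ('@' is the origin, relative names get it appended)."""
    name, origin = name.lower(), origin.lower()
    if name == "@":
        return origin + "."
    return name if name.endswith(".") else f"{name}.{origin}."


def parse_zone(text, origin):
    """Return [(owner, type, rdata)] with owners and name-valued rdata made absolute."""
    records, pending = [], ""
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw).strip()          # drop comments
        if not line or line.startswith("$"):            # skip blank lines and $TTL-style directives
            continue
        pending = f"{pending} {line}".strip()
        if pending.count("(") > pending.count(")"):     # inside a parenthesised SOA: keep reading
            continue
        tokens = pending.replace("(", " ").replace(")", " ").split()
        pending = ""
        owner, rest = fqdn(tokens[0], origin), tokens[1:]
        if rest[0].upper() == "IN":                     # class is optional; the files above always give it
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [fqdn(rdata[0], origin)]
        records.append((owner, rtype, rdata))
    return records


def resolve_a(records, name, hops=0):
    """Follow CNAMEs (bounded, so an alias loop cannot hang us) and return (canonical name, {IPv4 addresses})."""
    aliases = [d[0] for o, t, d in records if o == name and t == "CNAME"]
    if aliases and hops < 8:
        return resolve_a(records, aliases[0], hops + 1)
    return name, {d[0] for o, t, d in records if o == name and t == "A"}


def ptr_owner(ip):
    """'192.168.1.2' -> '2.1.168.192.in-addr.arpa.'"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def ptr_ip(owner):
    """'2.1.168.192.in-addr.arpa.' -> '192.168.1.2'"""
    return ".".join(reversed(owner.rstrip(".").split(".")[:-2]))


def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return a list of problem strings; an empty list means the two zones agree."""
    fwd, rev = parse_zone(fwd_text, fwd_origin), parse_zone(rev_text, rev_origin)
    problems = []
    for origin, recs in ((fwd_origin, fwd), (rev_origin, rev)):      # each zone needs an NS at its apex
        apex = fqdn("@", origin)
        if not any(o == apex and t == "NS" for o, t, _ in recs):
            problems.append(f"NO-NS: zone {origin} has no NS record at its apex")
    ptrs = {o: d[0] for o, t, d in rev if t == "PTR"}
    for owner, target in ptrs.items():                                # every PTR must point back at its own address
        canonical, ips = resolve_a(fwd, target)
        if canonical != target:
            problems.append(f"ALIAS: PTR {owner} -> {target} is an alias of {canonical}; PTRs should name the canonical host")
        if ptr_ip(owner) not in ips:
            problems.append(f"MISMATCH: PTR {owner} -> {target}, but {target} has A {sorted(ips) or 'nothing'}")
    for owner, rtype, rdata in fwd:                                   # every address needs a reverse entry
        if rtype == "A" and ptr_owner(rdata[0]) not in ptrs:
            problems.append(f"MISSING-PTR: {owner} A {rdata[0]} has no PTR in {rev_origin}")
    return problems
```

Run against the two files above it reports exactly one thing: the PTR for 192.168.1.2 names web1.myco.com, which is a CNAME, whereas a PTR should point at the canonical host name (WebServerRealName.myco.com here). Removing the NS line from the reverse zone, or pointing a PTR at the wrong host, produces NO-NS and MISMATCH findings respectively.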
Once we have done this we can restart the server and check the configuration. But first, I leave you here some explanations of what we just wrote:
“Some explanations:
$TTL : (Time To Live) expresses the default validity period (in seconds) of the information contained in the RRs. Once this time expires, the data must be checked again. Types:
SOA : defines information about the zone. In this case the name of the primary DNS server “sid.example.com.” and the email address of the technical contact (root.example.com.; the @ is replaced by a dot). It is composed of several fields:
1. Serial : an unsigned 32-bit integer. This is the serial number, to be incremented with each change of the file. It allows the secondary servers to reload the information they hold. The usual practice is to format it as YYYYMMDDXX, e.g. for the first change on 01/04/2007 -> 2007040101, for the second 2007040102.
2. Refresh : defines the data refresh period.
3. Retry : if an error occurs during the last refresh, it will be retried after the Retry time.
4. Expire : the server is considered unavailable after this time expires.
5. Negative cache TTL : sets the lifetime of an NXDOMAIN response from us.
NS : information on the name servers for the domain.
MX : information on the mail server. Several can be defined, and it is possible to give them a priority by assigning a number. The lower the number, the higher the priority.
A : associates a host name to an IPv4 address (32 bits).
AAAA : associates a host name to an IPv6 address (128 bits).
CNAME : identifies the canonical name of an alias (a name that points to another name).
PTR : this is simply the inverse resolution (the opposite of type A).”
Taken from: https://wiki.debian.org/Bind9 on 2014-03-24
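The serial rule quoted above is the one most often got wrong in practice: secondary (slave) servers decide whether to transfer a zone by comparing serials, so an edit whose serial did not increase is never propagated. As an added example (my own, not from the Debian wiki or from the original post), the following Python computes the next YYYYMMDDNN serial and rewrites it in a zone file. SAMPLE is a constructed excerpt of the forward zone above, and the date is passed in explicitly so the result is reproducible.

```python
"""Bump a zone file's SOA serial in the YYYYMMDDNN convention.
Added example, not code from the original post: it implements the serial
convention the quoted explanation describes, plus the one rule a syntax check
will not enforce for you, that a new serial must be strictly greater than the
old one. The date is passed in explicitly so the result is reproducible."""
import re
from datetime import date

# the first number after the opening parenthesis of the SOA rdata is the serial
SOA_SERIAL = re.compile(r"\bSOA\b[^(]*\(\s*(\d+)")


def next_serial(current, today):
    """Smallest serial in today's YYYYMMDDNN block that is still greater than `current`."""
    first_today = int(today.strftime("%Y%m%d")) * 100 + 1
    # older than today: start today's counter at 01; already today's (or, by
    # mistake, in the future, or today's counter at 99): just add one, which keeps
    # the serial increasing even if it no longer looks like a date
    return max(first_today, current + 1)


def bump_serial(zone_text, today=None):
    """Return zone_text with its SOA serial replaced; raises ValueError if no SOA serial is found."""
    m = SOA_SERIAL.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found in zone text")
    new = next_serial(int(m.group(1)), today or date.today())
    return zone_text[:m.start(1)] + str(new) + zone_text[m.end(1):]


# constructed sample: the SOA head of the tutorial's forward zone
SAMPLE = """\
$TTL 86400
@ IN SOA ns1.myco.com. admin.myco.com. (
2014032404 ; serial number YYYYMMDDNN
28800 ; Refresh
)
"""
```

With the serial 2014032404 and the date 2014-03-24 the result is 2014032405; on the following day it is 2014032501, and a serial that is already ahead of today's date is still only incremented, never decreased.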
Now we can restart the service as I said.
service bind9 restart
Test the service.
The next step is to check that it is working. For that we will use a few methods. First, test that your DNS server is listening on the DNS port, 53:
netstat -tunlp | grep :53
And you should see something similar to:
root@khs01wxl001:/home/abel# netstat -tunlp | grep :53
tcp        0      0 10.175.1.134:53         0.0.0.0:*               LISTEN      5092/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      5092/named
tcp6       0      0 :::53                   :::*                    LISTEN      5092/named
udp        0      0 10.175.1.134:53         0.0.0.0:*                           5092/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           5092/named
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           2242/avahi-daemon:
udp6       0      0 :::53                   :::*                                5092/named
udp6       0      0 :::5353                 :::*                                2242/avahi-daemon:
root@khs01wxl001:/home/abel#
Now do a ‘dig’ test to make sure everything is correctly configured. In the output, the ‘aa’ flag means the server answered as authoritative for myco.com; the answer section is empty because the zone file defines no A record for the bare name myco.com, so the server returns the zone’s SOA in the authority section instead. Querying a name that does have a record, such as ns1.myco.com or web1.myco.com, shows an A record in the answer section.
root@khs01wxl001:/home/abel# dig @10.175.1.134 myco.com

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @10.175.1.134 myco.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16325
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;myco.com.                      IN      A

;; AUTHORITY SECTION:
myco.com.               86400   IN      SOA     ns1.myco.com. admin.myco.com. 2014032404 28800 7200 864000 86400

;; Query time: 5 msec
;; SERVER: 10.175.1.134#53(10.175.1.134)
;; WHEN: Mon Mar 24 11:54:29 2014
;; MSG SIZE  rcvd: 72

root@khs01wxl001:/home/abel#
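Reading a dig header by hand gets error-prone once you test many names, so here is an added example (my own code, not from the original post or from dig) that parses the status, flags and section counts dig prints and states what the response means: authoritative or not, NXDOMAIN, NODATA (name exists but no record of the asked type, which is what the run above shows), or a real answer. DIG_OUTPUT is a constructed copy of the header lines from the run above.

```python
"""Classify a dig response from its header lines.
Added example, not code from the original post or from dig: it reads the
status, flags and section counts that dig prints and says what they mean,
so a test like the one above can be checked mechanically. DIG_OUTPUT is a
constructed copy of the header part of the tutorial's dig run."""
import re

DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16325
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""


def parse_dig_header(text):
    """Return {'status': str, 'flags': set, 'counts': {section: int}} from dig's header lines."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([^;]*);([^\n]*)", text)
    if status is None or flags is None:
        raise ValueError("no dig header found in text")
    counts = {k: int(v) for k, v in re.findall(r"(\w+): (\d+)", flags.group(2))}
    return {"status": status.group(1), "flags": set(flags.group(1).split()), "counts": counts}


def classify(text):
    """One-line reading of the response: was it authoritative, and did it carry records?"""
    h = parse_dig_header(text)
    # 'aa' is only set by a server that is authoritative for the zone; a cached or
    # forwarded reply from a recursive resolver lacks it
    source = "authoritative" if "aa" in h["flags"] else "non-authoritative (cached or forwarded)"
    if h["status"] == "NXDOMAIN":
        return f"{source} NXDOMAIN: the name does not exist"
    if h["status"] != "NOERROR":
        return f"{source} {h['status']}: the query failed"
    if h["counts"].get("ANSWER", 0) == 0:
        # NOERROR with an empty answer section is NODATA: the name exists but has
        # no record of the requested type; an authoritative server then returns the
        # zone's SOA in the authority section, as in the run above
        return f"{source} NODATA: the name exists but has no record of the requested type"
    return f"{source} answer with {h['counts']['ANSWER']} record(s)"
```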
Setting up the client
We already configured the clients in the last class; we just have to point them at our new server. In /etc/resolv.conf:
search myco.com
nameserver 192.168.1.1
If the client’s interface is configured in /etc/network/interfaces and resolvconf manages resolv.conf for you, the corresponding line there is dns-nameservers 192.168.1.1.
This is it, we are done! The DNS should be up and running. Anyway, if you have any question do not hesitate to post your doubts. Cheers!