207.1. Basic DNS server configuration

207.1 Basic DNS server configuration

Weight: 3
Description: Candidates should be able to configure BIND to function as a caching-only DNS server. This objective includes the ability to managing a running server and configuring logging.
Key Knowledge Areas:
  • BIND 9.x configuration files, terms and utilities
  • Defining the location of the BIND zone files in BIND configuration files
  • Reloading modified configuration and zone files
  • Awareness of dnsmasq, djbdns and PowerDNS as alternate name servers
The following is a partial list of the used files, terms and utilities:
  • /etc/named.conf
  • /var/named/
  • /usr/sbin/rndc
  • kill
  • host
  • dig

Whats is DNS?

Thirty years ago, when we wanted to visit a website we had to know the IP address of that site. That’s because computers are and were only able to communicate using numbers. As we are human and we are not robots It is very hard to remember. We needed a way to translate computer-readable information into human-readable. First the idea of using host files seemed great but weren't useful as time passed and internet growth.
In the early 1980’s, Paul Mockapetris came up with a system that automatically mapped IP addresses to domain names. and the DNS was born. so The Domain Name System ( DNS) converts human readable domain names (like: www.google.com) into Internet Protocol (IP) addresses (like: 172.217.16.206).DNS still serves as the backbone of the modern Internet, today.

DNS Structure

The Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services, or other resources connected to the Internet or a private network.
At the highest level "." is considered as root and at other lower levels there are Top Level Domains (TLD)s.
When a query is received by the name server, first it looks at its cache, if the answer is found then name server answers query from its cache.
if nothing is found in the cache, then it tries to mach smaller parts of query to return an answer to help client to send its query to another Name server.

How does it work ?

When we type www.google.com the system will look for www.google.com. Whenever we type some domain name, there is a hidden " . "(dot) at the end of the www.google.com that say to search the root server of namespace.
Then our router will contact our default DNS Service for DNS resolution. The DNS service will contact DNS Root Servers and ask for the IP address of server containing .com records. This address is sent back to your DNS service. The DNS service again reaches the Name Server containing addresses of .com domains and asks it for the address of http://google.com. Upon obtaining the IP address of the servers that host google.com, our DNS service will return the IP address to our computer which then fires up our browser to download the main webpage. Where root servers are defined?
1
[email protected]:/etc/bind# cat db.root
2
; This file holds the information on root name servers needed to
3
; initialize cache of Internet domain name servers
4
; (e.g. reference this file in the "cache . <file>"
5
; configuration file of BIND domain name servers).
6
;
7
; This file is made available by InterNIC
8
; under anonymous FTP as
9
; file /domain/named.cache
10
; on server FTP.INTERNIC.NET
11
; -OR- RS.INTERNIC.NET
12
;
13
; last update: February 17, 2016
14
; related version of root zone: 2016021701
15
;
16
; formerly NS.INTERNIC.NET
17
;
18
. 3600000 NS A.ROOT-SERVERS.NET.
19
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
20
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
21
;
22
; FORMERLY NS1.ISI.EDU
23
;
24
. 3600000 NS B.ROOT-SERVERS.NET.
25
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
26
B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:84::b
27
;
28
; FORMERLY C.PSI.NET
29
;
30
. 3600000 NS C.ROOT-SERVERS.NET.
31
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
32
C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
33
;
34
; FORMERLY TERP.UMD.EDU
35
;
36
. 3600000 NS D.ROOT-SERVERS.NET.
37
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
38
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
39
;
40
; FORMERLY NS.NASA.GOV
41
;
42
. 3600000 NS E.ROOT-SERVERS.NET.
43
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
44
;
45
; FORMERLY NS.ISC.ORG
46
;
47
. 3600000 NS F.ROOT-SERVERS.NET.
48
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
49
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
50
;
51
; FORMERLY NS.NIC.DDN.MIL
52
;
53
. 3600000 NS G.ROOT-SERVERS.NET.
54
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
55
;
56
; FORMERLY AOS.ARL.ARMY.MIL
57
;
58
. 3600000 NS H.ROOT-SERVERS.NET.
59
H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
60
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
61
;
62
; FORMERLY NIC.NORDU.NET
63
;
64
. 3600000 NS I.ROOT-SERVERS.NET.
65
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
66
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
67
;
68
; OPERATED BY VERISIGN, INC.
69
;
70
. 3600000 NS J.ROOT-SERVERS.NET.
71
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
72
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
73
;
74
; OPERATED BY RIPE NCC
75
;
76
. 3600000 NS K.ROOT-SERVERS.NET.
77
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
78
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
79
;
80
; OPERATED BY ICANN
81
;
82
. 3600000 NS L.ROOT-SERVERS.NET.
83
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
84
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
85
;
86
; OPERATED BY WIDE
87
;
88
. 3600000 NS M.ROOT-SERVERS.NET.
89
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
90
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
Copied!
DNS is consist of resource records which are stored in Zone files. lets talk about types of DNS Records.

DNS Resource Records (RRs)

Resource Records define data types in the Domain Name System (DNS).Resource Records are stored in binary format internally for use by DNS software. But resource records are sent across a network in text format while they perform zone transfers. Some common ones are A record which contains the IP address of the domain, AAAA record which holds the IPv6 information, and MX record which has mail servers of a domain.

DNS Resource Records Types

DNS servers might have different types of records, each type of records is used for a specific purpose , which can be queried by nslookup using --query=mx or --query=ns.
DNS record type
Description
A/AAA
A Records are the most basic type of DNS record and are used to point a domain or subdomain to an IP address. A is an IPv4 adrress record and AAA is an IPv6 address record.
CNAME
Common Name record is used to point a domain or subdomain to another hostname
MX
the Mail Exchange (MX) record for mail delivery , required "priority" value as a part of their entry to indicate which mail sever should be used first
NS
The NS record specifies an authoritative name server for given host.
SRV
the Server Locator record to designate a host and port for certain services, such as LDAP, for a domain.
SOA
The Start Of Authority record specifies core information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone
Now that we have got familiar with Types of Records in DNS lets learn about one of DNS client tools :

nslookup

name server lookup(nslookup) is a network administration command-line tool available for many computer operating systems for querying the Domain Name System (DNS) to obtain domain name or IP address mapping or for any other specific DNS record. to find out IP Address of a Domain:
1
[email protected]:~# nslookup google.com
2
Server: 192.168.10.2
3
Address: 192.168.10.2#53
4
5
Non-authoritative answer:
6
Name: google.com
7
Address: 172.217.16.174
Copied!
and to do reverse domain lookup:
1
[email protected]:~# nslookup 172.217.16.174
2
Server: 192.168.10.2
3
Address: 192.168.10.2#53
4
5
Non-authoritative answer:
6
174.16.217.172.in-addr.arpa name = fra15s11-in-f14.1e100.net.
7
174.16.217.172.in-addr.arpa name = fra15s11-in-f174.1e100.net.
8
174.16.217.172.in-addr.arpa name = fra15s11-in-f14.1e100.net.
9
174.16.217.172.in-addr.arpa name = fra15s11-in-f174.1e100.net.
Copied!
to query for MX records to find out list of mail servers and their priority:
1
[email protected]:~# nslookup -query=mx google.com
2
Server: 192.168.10.2
3
Address: 192.168.10.2#53
4
5
Non-authoritative answer:
6
google.com mail exchanger = 40 alt3.aspmx.l.google.com.
7
google.com mail exchanger = 30 alt2.aspmx.l.google.com.
8
google.com mail exchanger = 20 alt1.aspmx.l.google.com.
9
google.com mail exchanger = 10 aspmx.l.google.com.
10
google.com mail exchanger = 50 alt4.aspmx.l.google.com.
11
12
Authoritative answers can be found from:
Copied!
also to To query SOA (Start of Authority) record:
1
[email protected]:~# nslookup -type=soa google.com
2
Server: 192.168.10.2
3
Address: 192.168.10.2#53
4
5
Non-authoritative answer:
6
google.com
7
origin = ns1.google.com
8
mail addr = dns-admin.google.com
9
serial = 187115749
10
refresh = 900
11
retry = 900
12
expire = 1800
13
minimum = 60
14
15
Authoritative answers can be found from:
Copied!
and to query for all types of DNS records of a domain:
1
[email protected]:~# nslookup -query=any google.com
2
Server: 192.168.10.2
3
Address: 192.168.10.2#53
4
5
Non-authoritative answer:
6
Name: google.com
7
Address: 172.217.22.110
8
google.com has AAAA address 2a00:1450:4001:81d::200e
9
google.com rdata_257 = 0 issue "pki.goog"
10
google.com
11
origin = ns1.google.com
12
mail addr = dns-admin.google.com
13
serial = 186975566
14
refresh = 900
15
retry = 900
16
expire = 1800
17
minimum = 60
18
google.com text = "v=spf1 include:_spf.google.com ~all"
19
google.com mail exchanger = 30 alt2.aspmx.l.google.com.
20
google.com text = "docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e"
21
google.com nameserver = ns4.google.com.
22
google.com nameserver = ns3.google.com.
23
google.com mail exchanger = 40 alt3.aspmx.l.google.com.
24
google.com nameserver = ns2.google.com.
25
google.com mail exchanger = 50 alt4.aspmx.l.google.com.
26
google.com mail exchanger = 10 aspmx.l.google.com.
27
google.com mail exchanger = 20 alt1.aspmx.l.google.com.
28
google.com nameserver = ns1.google.com.
29
30
Authoritative answers can be found from:
Copied!
By default, nslookup will query the same DNS the system is configured to use for all network operations. We can specify a custom DNS to query:
1
[email protected]:~# nslookup google.com 8.8.4.4
2
Server: 8.8.4.4
3
Address: 8.8.4.4#53
4
5
Non-authoritative answer:
6
Name: google.com
7
Address: 172.217.18.14
Copied!
to enable debugging modem, which is very useful for troubleshooting:
1
[email protected]:~# nslookup -debug linux.com
2
Server: 192.168.10.2
3
Address: 192.168.10.2#53
4
5
------------
6
QUESTIONS:
7
linux.com, type = A, class = IN
8
ANSWERS:
9
-> linux.com
10
internet address = 151.101.193.5
11
ttl = 5
12
-> linux.com
13
internet address = 151.101.129.5
14
ttl = 5
15
-> linux.com
16
internet address = 151.101.65.5
17
ttl = 5
18
-> linux.com
19
internet address = 151.101.1.5
20
ttl = 5
21
AUTHORITY RECORDS:
22
ADDITIONAL RECORDS:
23
------------
24
Non-authoritative answer:
25
Name: linux.com
26
Address: 151.101.193.5
27
Name: linux.com
28
Address: 151.101.129.5
29
Name: linux.com
30
Address: 151.101.65.5
31
Name: linux.com
32
Address: 151.101.1.5
Copied!
By default, domain name servers accept queries on port 53. If this is configured differently on the server we are trying to query, we can specify another port number using the -port= option nslookup -port=54 mycompanydns.com .
it is good to know that nslookup command has an interactive mode also:
1
[email protected]:~# nslookup
2
> yahoo.com
3
Server: 192.168.10.2
4
Address: 192.168.10.2#53
5
6
Non-authoritative answer:
7
Name: yahoo.com
8
Address: 98.139.180.180
9
Name: yahoo.com
10
Address: 98.138.252.38
11
Name: yahoo.com
12
Address: 206.190.39.42
13
> server 8.8.4.4
14
Default server: 8.8.4.4
15
Address: 8.8.4.4#53
16
> linux.com
17
Server: 8.8.4.4
18
Address: 8.8.4.4#53
19
20
Non-authoritative answer:
21
Name: linux.com
22
Address: 151.101.129.5
23
Name: linux.com
24
Address: 151.101.193.5
25
Name: linux.com
26
Address: 151.101.65.5
27
Name: linux.com
28
Address: 151.101.1.5
29
> exit
Copied!
use -timeout=10 to Change timeout interval to wait for a reply nslookup -timeout=10 google.com .
How ever nslookup is somehow old and deprecated but it can be used to show ipv6 AAAA and PTR records too.nslookup is very useful and widely used by most of famous operation systems.

Authoritative Answer vs Non-Authoritative Answer

You may also noticed the keyword “Authoritative Answer” and “Non-Authoritative Answer” in the above output.
Any answer that originates from the DNS Server which has the complete zone file information available for the domain is said to be authoritative answer.
In many cases, DNS servers will not have the complete zone file information available for a given domain. Instead, it maintains a cache file which has the results of all queries performed in the past for which it has gotten authoritative response. When a DNS query is given, it searches the cache file, and return the information available as “Non-Authoritative Answer”.

host

host comman is another tool for performing DNS lookups. It is minimal and easy to use and like nslookup command, it can list and verify different types of DNS record like NS and MX records.
1
[email protected]:~# host google.com
2
google.com has address 172.217.16.206
3
google.com has IPv6 address 2a00:1450:4001:824::200e
4
google.com mail is handled by 40 alt3.aspmx.l.google.com.
5
google.com mail is handled by 10 aspmx.l.google.com.
6
google.com mail is handled by 30 alt2.aspmx.l.google.com.
7
google.com mail is handled by 50 alt4.aspmx.l.google.com.
8
google.com mail is handled by 20 alt1.aspmx.l.google.com.
Copied!
some useful host commands are:
host command
Description
host -t ns google.com
find domain name servers, it can be -t cname or -t mx
host -C google.com
find domain SOA record
host google.com 8.8.4.4
Query specific DNS
host -a google.com
All Information of Domain Records and Zones
host -4 google.com or host -6 google.com
Use Either IPv4 or IPv6
host -T google.com
By default, host uses UDP. -T option makes it use a TCP
host -w 10 google.com
Set Query Time Wait for Reply
host 172.217.16.174
performs a reverse lookup on the IP address

dig

Dig stands for (Domain Information Groper) is a network administration command-line tool for querying DNS. It is useful for verifying and troubleshooting DNS problems and also to perform DNS lookups and displays the answers that are returned from the DNS, with no options dig find "A" record of a domain:
1
[email protected]:~# dig google.com
2
3
; <<>> DiG 9.10.3-P4-Ubuntu <<>> google.com
4
;; global options: +cmd
5
;; Got answer:
6
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47904
7
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
8
9
;; OPT PSEUDOSECTION:
10
; EDNS: version: 0, flags:; MBZ: 0005 , udp: 512
11
;; QUESTION SECTION:
12
;google.com. IN A
13
14
;; ANSWER SECTION:
15
google.com. 5 IN A 172.217.16.174
16
17
;; Query time: 1041 msec
18
;; SERVER: 192.168.10.2#53(192.168.10.2)
19
;; WHEN: Tue Feb 27 00:01:27 PST 2018
20
;; MSG SIZE rcvd: 55
Copied!
there are some stats about the query. We can turn off these stats using the +nostats option.
1
[email protected]:~# dig google.com +nostat
2
3
; <<>> DiG 9.10.3-P4-Ubuntu <<>> google.com +nostat
4
;; global options: +cmd
5
;; Got answer:
6
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8713
7
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
8
9
;; OPT PSEUDOSECTION:
10
; EDNS: version: 0, flags:; MBZ: 0005 , udp: 512
11
;; QUESTION SECTION:
12
;google.com. IN A
13
14
;; ANSWER SECTION:
15
google.com. 5 IN A 172.217.22.78
Copied!
By default dig is quite verbose. One way to cut down the output is to use the +short option:
1
[email protected]:~# dig google.com +short
2
216.58.207.46
Copied!
some other useful dig commands:
dig command
Description
dig google.com MX
Querying MX record for a domain
dig google.com SOA
Querying SOA record for a domain
dig google.com TTL
Querying TTL Record for Domain
dig @8.8.8.8 google.com
Using another DNS server for querying
dig
Shows dig command version and root DNS servers
dig google.com +nocomments +noquestion +noauthority +noadditional +nostats
Querying only answer section
dig google.com ANY +noall +answer
Querying ALL DNS Records Types
dig command has lots of options, and its hard to type options every time.We can store options like +noall +answeroptions permanently in.digrc file under user’s home directory. This way , whenever dig command execute it will show only answer section of dig output.
dig is part of the BIND domain name server software suite. dig command replaces older tool such as nslookup and the host.

The Different DNS Servers

There are many different DNS servers which have been developed and they have some differences with each other from different aspects. Some of famous DNS servers are:
  • bjdns , forked and now used as dbdns in debian
  • powerdns
  • dnsmasq
  • BIND
  • Microsoft DNS
Lets Compare them:
feature\DNS
djbdns
powerdns
dnsmasq
BIND
Microsoft DNS
Authorative
Yes
Yes
Partial
Yes
Yes
Recursive
Yes
Yes
No
Yes
Yes
Slave Mode
Yes
Yes
No
Yes
Yes
Caching
Yes
Yes
Yes
Yes
Yes
DNS SEC
Partial
Yes
Yes
Yes
Yes
TSIG
No
Yes
No
Yes
Yes
IPv6
Partial
Yes
Yes
Yes
Yes
Free-Software
Yes
Yes
Yes
Yes
No
Interface
CMD Line & Web
Web CMD Line
CMD Line
Web CMD Line
GUI CMD Line
Description
Tiny DNS
Modularity
small-simple-forwarder
Most popular
Easy to setup
There is no need to memorize all features of DNS servers for LPIC exam, just get familiar with names. Also we will discuss about some of features that we have mentioned here in the next lessons. Here we use Berkeley Internet Name Domain (BIND9) for lpic2 exam.

Different Types of DNS queries

As a client when we ask for the IP address of a web site we query a DNS Server, But thats is not all. As its impossible to store all domain names and records in the world in one DNS server, DNS servers asks each other for getting information, that make different types of DNS queries
There are two types of DNS queries :
  • Recursive query
  • Iterative quries
  • Inverse queries
  • Recursive name queries are generally made by a DNS client to a DNS server, or by a forwarder DNS server that is configured to pass unresolved name queries to another DNS server.
  • An iterative name query is one in which a DNS client allows the DNS server to return the best answer it can give based on its cache or zone data(Delegation). If the queried DNS server does not have an exact match for the queried name, the best possible information it can return is a referral (that is, a pointer to a DNS server authoritative for a lower level of the domain namespace). The DNS client can then query the DNS server for which it obtained a referral. It continues this process until it locates a DNS server that is authoritative for the queried name, or until an error or time-out condition is met.
  • Inverse/Reverse queries , usually we ask DNS server for the IP address(es) of a Domain Name, and DNS Server answer our query using A or AAA record if it has, but some times because of security issues or any other reason we know the IP address of a Host but we want to verify that, so we ask host name of an IP address that we have and DNS Server answers our Reverse Query using PTR record it has.

DNS implementation types

  • Forwarding Name Server
  • Caching Name Server
  • Master/Slave Name servers

Forwarding DNS vs caching DNS

  • Forwarding: just passes the DNS query to another DNS server ( our ISP's). Home routers use forwarding to pass DNS queries from our network's clients to our ISP's DNS servers. For example, for foo.example.com, a forwarding DNS server would first check its cache (did it already ask this question before), and if the answer is not in its cache, it would ask its forwarder (our ISP's DNS server) for the answer, which would respond with either a cached response, or would perform recursion until it figured out the answer.
  • Caching : In this case our DNS server receiving the query and takes it upon itself to figure out the answer to that query by recursively querying authoritative DNS servers for that domain. For example, for foo.example.com, a recursor would first query the root servers for what DNS servers are responsible for the .com TLD, then it would ask those servers for example.com, then it would query the servers for example.com for foo.example.com, finally getting the answer to the original query.

BIND Caching DNS Server

Now lets setup BIND DNS and configure it to work as Caching DNS(Ubuntu 16.04):
1
[email protected]er1:~# apt install bind9 bind9utils
2
Reading package lists... Done
3
Building dependency tree
4
Reading state information... Done
5
The following packages were automatically installed and are no longer required:
6
linux-headers-4.13.0-31 linux-headers-4.13.0-31-generic
7
linux-image-4.13.0-31-generic linux-image-extra-4.13.0-31-generic
8
Use 'apt autoremove' to remove them.
9
The following additional packages will be installed:
10
libirs141
11
Suggested packages:
12
bind9-doc
13
The following NEW packages will be installed:
14
bind9 bind9utils libirs141
15
0 upgraded, 3 newly installed, 0 to remove and 169 not upgraded.
16
Need to get 591 kB of archives.
17
After this operation, 2,957 kB of additional disk space will be used.
18
Do you want to continue? [Y/n] y
19
Get:1 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 libirs141 amd64 1:9.10.3.dfsg.P4-8ubuntu1.10 [18.0 kB]
20
Get:2 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 bind9utils amd64 1:9.10.3.dfsg.P4-8ubuntu1.10 [201 kB]
21
Get:3 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 bind9 amd64 1:9.10.3.dfsg.P4-8ubuntu1.10 [372 kB]
22
Fetched 591 kB in 12s (48.4 kB/s)
23
Preconfiguring packages ...
24
Selecting previously unselected package libirs141:amd64.
25
(Reading database ... 253579 files and directories currently installed.)
26
Preparing to unpack .../libirs141_1%3a9.10.3.dfsg.P4-8ubuntu1.10_amd64.deb ...
27
Unpacking libirs141:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.10) ...
28
Selecting previously unselected package bind9utils.
29
Preparing to unpack .../bind9utils_1%3a9.10.3.dfsg.P4-8ubuntu1.10_amd64.deb ...
30
Unpacking bind9utils (1:9.10.3.dfsg.P4-8ubuntu1.10) ...
31
Selecting previously unselected package bind9.
32
Preparing to unpack .../bind9_1%3a9.10.3.dfsg.P4-8ubuntu1.10_amd64.deb ...
33
Unpacking bind9 (1:9.10.3.dfsg.P4-8ubuntu1.10) ...
34
Processing triggers for libc-bin (2.23-0ubuntu10) ...
35
Processing triggers for man-db (2.7.5-1) ...
36
Processing triggers for ufw (0.35-0ubuntu2) ...
37
Processing triggers for systemd (229-4ubuntu21.1) ...
38
Processing triggers for ureadahead (0.100.0-19) ...
39
Setting up libirs141:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.10) ...
40
Setting up bind9utils (1:9.10.3.dfsg.P4-8ubuntu1.10) ...
41
Setting up bind9 (1:9.10.3.dfsg.P4-8ubuntu1.10) ...
42
Adding group `bind' (GID 129) ...
43
Done.
44
Adding system user `bind' (UID 123) ...
45
Adding new user `bind' (UID 123) with group `bind' ...
46
Not creating home directory `/var/cache/bind'.
47
wrote key file "/etc/bind/rndc.key"
48
#
49
Processing triggers for libc-bin (2.23-0ubuntu10) ...
50
Processing triggers for systemd (229-4ubuntu21.1) ...
51
Processing triggers for ureadahead (0.100.0-19) ...
52
Processing triggers for ufw (0.35-0ubuntu2) ...
Copied!
Okey it creates files which it needs:
1
[email protected]:~# cd /etc/bind
2
[email protected]:/etc/bind# ls
3
bind.keys db.empty named.conf.default-zones zones.rfc1918
4
db.0 db.local named.conf.local
5
db.127 db.root named.conf.options
6
db.255 named.conf rndc.key
Copied!

/etc/named.conf

named.conf (or name daemon configuration file) is main BIND DNS server configuration file.Based on our linux distribution BIND configuration file(s) might look a little bit different. in cent OS there is a one big named.conf (CentOS7.1):
1
[[email protected] etc]# cat named.conf
2
//
3
// named.conf
4
//
5
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
6
// server as a caching only nameserver (as a localhost DNS resolver only).
7
//
8
// See /usr/share/doc/bind*/sample/ for example named configuration files.
9
//
10
11
options {
12
listen-on port 53 { 127.0.0.1; };
13
listen-on-v6 port 53 { ::1; };
14
directory "/var/named";
15
dump-file "/var/named/data/cache_dump.db";
16
statistics-file "/var/named/data/named_stats.txt";
17
memstatistics-file "/var/named/data/named_mem_stats.txt";
18
allow-query { localhost; };
19
recursion yes;
20
21
dnssec-enable yes;
22
dnssec-validation yes;
23
24
/* Path to ISC DLV key */
25
bindkeys-file "/etc/named.iscdlv.key";
26
27
managed-keys-directory "/var/named/dynamic";
28
};
29
30
logging {
31
channel default_debug {
32
file "data/named.run";
33
severity dynamic;
34
};
35
};
36
37
zone "." IN {
38
type hint;
39
file "named.ca";
40
};
41
42
include "/etc/named.rfc1912.zones";
43
include "/etc/named.root.key";
Copied!
in ubuntu bind configuration files are separated (Ubuntu 16.04):
1
[email protected]:/etc/bind# ls -l
2
total 68
3
-rw-r--r-- 1 root root 3954 Jan 16 05:50 bind.keys
4
-rw-r--r-- 1 root root 237 Jan 16 05:50 db.0
5
-rw-r--r-- 1 root root 271 Jan 16 05:50 db.127
6
-rw-r--r-- 1 root root 237 Jan 16 05:50 db.255
7
-rw-r--r-- 1 root root 353 Jan 16 05:50 db.empty
8
-rw-r--r-- 1 root root 270 Jan 16 05:50 db.local
9
-rw-r--r-- 1 root root 3171 Jan 16 05:50 db.root
10
-rw-r--r-- 1 root bind 501 Apr 9 03:36 named.conf
11
-rw-r--r-- 1 root bind 490 Jan 16 05:50 named.conf.default-zones
12
-rw-r--r-- 1 root bind 455 Mar 18 05:01 named.conf.local
13
-rw-r--r-- 1 root bind 890 Mar 5 22:20 named.conf.options
14
-rw-r--r-- 1 root bind 76 Mar 12 05:13 named.conf.tsig
15
-rw-r----- 1 bind bind 77 Mar 5 22:20 rndc.key
16
-rw-r--r-- 1 root root 1317 Jan 16 05:50 zones.rfc1918
Copied!
as we use ubuntu for demonstration in this lesson Lets take a look at inside:
1
[email protected]:/etc/bind# cat named.conf
2
// This is the primary configuration file for the BIND DNS server named.
3
//
4
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
5
// structure of BIND configuration files in Debian, *BEFORE* you customize
6
// this configuration file.
7
//
8
// If you are just adding zones, please do that in /etc/bind/named.conf.local
9
10
include "/etc/bind/named.conf.options";
11
include "/etc/bind/named.conf.local";
12
include "/etc/bind/named.conf.default-zones";
Copied!
named.conf wrap up all the configuration files which BIND daemon need. It is kind of pointer which include required configuration files. For now there is nothing to change in named.conf , lets get into named.conf.options :
1
options {
2
directory "/var/cache/bind";
3
4
// If there is a firewall between you and nameservers you want
5
// to talk to, you may need to fix the firewall to allow multiple
6
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
7
8
// If your ISP provided one or more IP addresses for stable
9
// nameservers, you probably want to use them as forwarders.
10
// Uncomment the following block, and insert the addresses replacing
11
// the all-0's placeholder.
12
13
// forwarders {
14
// 0.0.0.0;
15
// };
16
17
//========================================================================
18
// If BIND logs error messages about the root key being expired,
19
// you will need to update your keys. See https://www.isc.org/bind-keys
20
//========================================================================
21
dnssec-validation auto;
22
23
auth-nxdomain no; # conform to RFC1035
24
listen-on-v6 { any; };
25
};
Copied!
innamed.conf.options as its obvious, most of BIND options are defined. For example if we wanted to make it forwarder, just uncomment forwarders section, but to make our BIND Caching DNS Server add
recursion yes; at the end this file. And then we need to restart bind service in order to our changes take effect:
1
[email protected]:/etc/bind# systemctl restart bind9.service
2
[email protected]:/etc/bind# systemctl status bind9.service
3
● bind9.service - BIND Domain Name Server
4
Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: en
5
Drop-In: /run/systemd/generator/bind9.service.d
6
└─50-insserv.conf-$named.conf
7
Active: active (running) since Wed 2018-02-28 00:13:52 PST; 11s ago
8
Docs: man:named(8)
9
Main PID: 84563 (named)
10
CGroup: /system.slice/bind9.service
11
└─84563 /usr/sbin/named -f -u bind
12
13
Feb 28 00:13:52 server1 named[84563]: all zones loaded
14
Feb 28 00:13:52 server1 named[84563]: running
15
Feb 28 00:13:52 server1 named[84563]: network unreachable resolving './DNSKEY/IN
16
Feb 28 00:13:52 server1 named[84563]: network unreachable resolving './NS/IN': 2
17
Feb 28 00:13:52 server1 named[84563]: network unreachable resolving 'G.ROOT-SERV
18
Feb 28 00:13:52 server1 named[84563]: network unreachable resolving 'E.ROOT-SERV
19
Feb 28 00:13:52 server1 named[84563]: network unreachable resolving 'G.ROOT-SERV
20
Feb 28 00:13:52 server1 named[84563]: network unreachable resolving 'E.ROOT-SERV
21
Feb 28 00:13:52 server1 named[84563]: network unreachable resolving './DNSKEY/IN
22
Feb 28 00:13:52 server1 named[84563]: network unreachable resolving './NS/IN': 2
23
lines 1-20/20 (END)
Copied!
darradaaa thats all, setting up BIND DNS server as a caching only server is finished.and check if its working:
1
[email protected]:/etc/bind# dig @localhost google.com
2
3
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @localhost google.com
4
; (1 server found)
5
;; global options: +cmd
6
;; Got answer:
7
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8395
8
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
9
10
;; OPT PSEUDOSECTION:
11
; EDNS: version: 0, flags:; udp: 4096
12
;; QUESTION SECTION:
13
;google.com. IN A
14
15
;; ANSWER SECTION:
16
google.com. 300 IN A 216.58.207.78
17
18
;; AUTHORITY SECTION:
19
google.com. 172797 IN NS ns4.google.com.
20
google.com. 172797 IN NS ns2.google.com.
21
google.com. 172797 IN NS ns3.google.com.
22
google.com. 172797 IN NS ns1.google.com.
23
24
;; ADDITIONAL SECTION:
25
ns1.google.com. 172797 IN A 216.239.32.10
26
ns1.google.com. 172797 IN AAAA 2001:4860:4802:32::a
27
ns2.google.com. 172797 IN A 216.239.34.10
28
ns2.google.com. 172797 IN AAAA 2001:4860:4802:34::a
29
ns3.google.com. 172797 IN A 216.239.36.10
30
ns3.google.com. 172797 IN AAAA 2001:4860:4802:36::a
31
ns4.google.com. 172797 IN A 216.239.38.10
32
ns4.google.com. 172797 IN AAAA 2001:4860:4802:38::a
33
34
;; Query time: 1176 msec
35
;; SERVER: 127.0.0.1#53(127.0.0.1)
36
;; WHEN: Wed Feb 28 00:17:14 PST 2018
37
;; MSG SIZE rcvd: 303
Copied!
Good job, its working but does it do caching? Lets query again to see the time:
1
[email protected]:/etc/bind# dig @localhost google.com
2
3
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @localhost google.com
4
; (1 server found)
5
;; global options: +cmd
6
;; Got answer:
7
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21081
8
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
9
10
;; OPT PSEUDOSECTION:
11
; EDNS: version: 0, flags:; udp: 4096
12
;; QUESTION SECTION:
13
;google.com. IN A
14
15
;; ANSWER SECTION:
16
google.com. 177 IN A 216.58.207.78
17
18
;; AUTHORITY SECTION:
19
google.com. 172674 IN NS ns4.google.com.
20
google.com. 172674 IN NS ns2.google.com.
21
google.com. 172674 IN NS ns3.google.com.
22
google.com. 172674 IN NS ns1.google.com.
23
24
;; ADDITIONAL SECTION:
25
ns1.google.com. 172674 IN A 216.239.32.10
26
ns1.google.com. 172674 IN AAAA 2001:4860:4802:32::a
27
ns2.google.com. 172674 IN A 216.239.34.10
28
ns2.google.com. 172674 IN AAAA 2001:4860:4802:34::a
29
ns3.google.com. 172674 IN A 216.239.36.10
30
ns3.google.com. 172674 IN AAAA 2001:4860:4802:36::a
31
ns4.google.com. 172674 IN A 216.239.38.10
32
ns4.google.com. 172674 IN AAAA 2001:4860:4802:38::a
33
34
;; Query time: 0 msec
35
;; SERVER: 127.0.0.1#53(127.0.0.1)
36
;; WHEN: Wed Feb 28 00:19:17 PST 2018
37
;; MSG SIZE rcvd: 303
Copied!
Yes, because query time is 0 msec :) . 177 and 172674 are TTL numbers and show how much our data would be valid in our cache and when it expires and then our DNS server has to require for the domain:
1
[email protected]:/etc/bind# dig @localhost google.com
2
3
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @localhost google.com
4
; (1 server found)
5
;; global options: +cmd
6
;; Got answer:
7
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37436
8
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
9
10
;; OPT PSEUDOSECTION:
11
; EDNS: version: 0, flags:; udp: 4096
12
;; QUESTION SECTION:
13
;google.com. IN A
14
15
;; ANSWER SECTION:
16
google.com. 300 IN A 216.58.207.78
17
18
;; AUTHORITY SECTION:
19
google.com. 172204 IN NS ns3.google.com.
20
google.com. 172204 IN NS ns2.google.com.
21
google.com. 172204 IN NS ns4.google.com.
22
google.com. 172204 IN NS ns1.google.com.
23
24
;; ADDITIONAL SECTION:
25
ns1.google.com. 172204 IN A 216.239.32.10
26
ns1.google.com. 172204 IN AAAA 2001:4860:4802:32::a
27
ns2.google.com. 172204 IN A 216.239.34.10
28
ns2.google.com. 172204 IN AAAA 2001:4860:4802:34::a
29
ns3.google.com. 172204 IN A 216.239.36.10
30
ns3.google.com. 172204 IN AAAA 2001:4860:4802:36::a
31
ns4.google.com. 172204 IN A 216.239.38.10
32
ns4.google.com. 172204 IN AAAA 2001:4860:4802:38::a
33
34
;; Query time: 327 msec
35
;; SERVER: 127.0.0.1#53(127.0.0.1)
36
;; WHEN: Wed Feb 28 00:27:07 PST 2018
37
;; MSG SIZE rcvd: 303
Copied!
as we saw, making recursion enabled in our DNS Server is very easy but do not forget security issues. Enabling recursion and make our DNS server publicly available make a target from us for different kind of attacks. So we use ACLs and other configurations to limit acceptable queries.

BIND Forwarder DNS Server

To make our Bind DNS Server a forwarder just edit forwarder section like this:
1
options {
2
directory "/var/cache/bind";
3
4
// If there is a firewall between you and nameservers you want
5
// to talk to, you may need to fix the firewall to allow multiple
6
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
7
8
// If your ISP provided one or more IP addresses for stable
9
// nameservers, you probably want to use them as forwarders.
10
// Uncomment the following block, and insert the addresses replacing
11
// the all-0's placeholder.
12
13
forwarders {
14
8.8.8.8;
15
};
16
forward only;
17
18
//========================================================================
19
// If BIND logs error messages about the root key being expired,
20
// you will need to update your keys. See https://www.isc.org/bind-keys
21
//========================================================================
22
dnssec-validation auto;
23
24
auth-nxdomain no; # conform to RFC1035
25
listen-on-v6 { any; };
26
};
Copied!

/usr/sbin/rndc

BIND includes a utility called rndc (Remote Name Daemon Control) which allows command line administration of the named daemon from the localhost or a remote host.
In order to prevent unauthorized access to the named daemon, BIND uses a shared secret key authentication method to grant privileges to hosts. This means an identical key must be present in both /etc/named.conf and the rndc configuration file, /etc/rndc.conf.
The name server control utility, rndc, sends named digitally signed commands over a TCP connection. The configuration file for rndc is ‘/etc/rndc.conf’. This configuration file stores configuration information such as the name server to connect to and which key to use for the digital signature. The rndc utility is started when named is started using the initialization script. An rndc.conf file can be generated with a random key with the rndc-confgen commandline utility. rndc related files are like this:
lets takea look at rndc.key file:
1
[email protected]:/etc/bind# ls -al rndc*
2
-rw-r----- 1 bind bind 77 Mar 5 22:20 rndc.key
3
[email protected]:/etc/bind# cat rndc.key
4
key "rndc-key" {
5
algorithm hmac-md5;
6
secret "JFLwN7Sd/sGbIdan+y/XtQ==";
7
};
8
[email protected]:/etc/bind# rndc reload
9
server reload successful
Copied!
for demonstration lets remove and recreate rndc.key :
1
[email protected]:/etc/bind# rm rndc.key
2
[email protected]:/etc/bind# ls -al rndc*
3
ls: cannot access 'rndc*': No such file or directory
4
[email protected]:/etc/bind# rndc reload
5
rndc: neither /etc/bind/rndc.conf nor /etc/bind/rndc.key was found
6
7
[email protected]:/etc/bind# rndc-confgen -r /dev/urandom -a
8
wrote key file "/etc/bind/rndc.key"
9
[email protected]:/etc/bind# ls -al rndc*
10
-rw------- 1 root bind 77 Apr 17 23:48 rndc.key
11
[email protected]:/etc/bind# cat rndc.key
12
key "rndc-key" {
13
algorithm hmac-md5;
14
secret "sIfJgn3msN0RnyzNz6mixQ==";
15
};
Copied!
We have removed and recreate a rndc.key lets set rights:
1
[email protected]:/etc/bind# chown bind.bind rndc.key
2
[email protected]:/etc/bind# chmod 640 rndc.key
Copied!
and check it:
1
[email protected]:/etc/bind# systemctl start bind9.service
2
[email protected]:/etc/bind# systemctl status bind9.service
3
● bind9.service - BIND Domain Name Server
4
Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: en
5
Drop-In: /run/systemd/generator/bind9.service.d
6
└─50-insserv.conf-$named.conf
7
Active: active (running) since Wed 2018-04-18 00:10:51 PDT; 27min ago
8
Docs: man:named(8)
9
10
[email protected]:/etc/bind# rndc reload
11
server reload successful
Copied!
for generating rndc.cong and requred key use rndc-confgen -r /dev/urandom>/etc/bind/rndc.conf command, after creating that we have to include the file , and use it but that is not our topic for now.
Except rndc remote features of rndc we can use it locally. Like most of Services in Linux world, when we change a configuration file in BIND or change zones(as we see in next lessons) we need to restart bind service, but there a problem! By restarting bind service all caches would be cleared and that it not acceptable, so instead of that, we use rndc tool. rndc read configuration files and reflect zone changes but does not clear cahce.
1
[email protected]:/etc/bind# rndc reload
2
server reload successful
Copied!
also it is possible to clear specific domain name from cache results with rndc flushname google.com . to flush every thing in the system rndc flush and many other features, but that is enough for now!

Master/ Slave DNS

In Small environments having just one DNS server as a Master is enough but in Large environments we should find a way to provide availability. Having a second DNS Server as a Slave DNS Server is a solution.
Master DNS server (Primary Server) is the original zone data handler and Slave DNS server (Secondary Server) is just a backup server which is used to copy the same zone information’s from the master servers. Master Server will resolve the names for every hosts which we defined in the zone database . But the Slave server transfer Zone Data after a while from Master Server. When master Server become unavailable Slave Server answer queries. Do not forget that it is impossible to modify or change zone data in Slave Server.

Zone transfers - AXFR and IXFR

When a master nameserver is updated , the working contents of the zone held in memory that have changed need to be transferred to the other servers that are authoritative for that zone (the slave servers). This process is called 'zone transfer'.
There are two types of zone transfer - full (AXFR) and incremental (IXFR). A full zone transfer is of the entire zones. An Incremental zone transfer is a list of changes that, when applied, bring the slave zone up to date. The use of incremental zone transfers requires that both the provider and the recipient are maintaining a separate journal file of changes for each zone. The default is that slaves will request IXFR (unless otherwise configured) but they will always handle being given an AXFR instead, if no IXFR is available.
The critical component that controls the decision on whether or not the zone has changed is the serial number that is maintained in the zone's SOA record. BIND assumes that if the serial number remains the same, then the zone is unchanged.
Zone transfers are always initiated by the slave server (they are 'requested' or 'pulled'). Although there are mechanisms in place to alert slaves that they should check to see if a zone transfer is needed, the transfer itself is always started by the slave.
to check AXFR transfer we can use dig AXFR example.com @10.10.0.4 .
Last modified 2yr ago