DNS server setup
Server setup | |
← Previous | Next → |
Protect SSH | SSL certificates |
Name servers are necessary so that the various client machines on the LAN can find the services offered by the servers. Setting up the Domain Name servers is a three-stage process. The first stage is to get the name servers running. The second stage is about making them secure by placing them in a chroot jail. The final stage is to make all the other machines on the LAN use these new nameservers, so that they can see the various servers on the LAN.
Getting the servers running
First, create the master nameserver on Server:
- Install bind (make sure it's BIND9, not BIND (which is BIND8)):
root@server:~# aptitude install bind9
- This will install the configuration files in
/etc/bind
- Alter the
/etc/bind/named.conf.options
file to mention my ISP's nameservers
options { directory "/var/cache/bind"; forwarders { 1.2.3.4; 1.2.3.5; }; dnssec-validation auto; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; allow-recursion { localnets; }; };
- if you have problems with your forwarders not implementing DNSSEC (
error (insecurity proof failed) resolving './NS/IN'
appearing in/var/log/syslog
and intermittent DNS service), you may want to replace the dnssec lines with:
// dnssec-validation auto; dnssec-enable no; dnssec-validation no;
- Tell BIND about all the domains I want machines on my LAN to know about by mentioning them in
/etc/bind/named.conf.local
This is the file for the master server:
zone "domain.tld" { type master; file "/etc/bind/db.domain.tld"; notify-source-v6 aaaa:bbbb:cccc:dddd::53; also-notify { aaaa:bbbb:cccc:dddd::54; 192.168.1.251; }; allow-transfer { aaaa:bbbb:cccc:dddd::54; 192.168.1.251; }; }; zone "other-domain.org" { type master; file "/etc/bind/db.other-domain.org"; notify-source-v6 aaaa:bbbb:cccc:dddd::53; also-notify { aaaa:bbbb:cccc:dddd::54; 192.168.1.251; }; allow-transfer { aaaa:bbbb:cccc:dddd::54; 192.168.1.251; }; }; zone "1.168.192.in-addr.arpa" { type master; file "/etc/bind/db.1.168.192"; notify-source-v6 aaaa:bbbb:cccc:dddd::53; also-notify { aaaa:bbbb:cccc:dddd::54; 192.168.1.251; }; allow-transfer { aaaa:bbbb:cccc:dddd::54; 192.168.1.251; }; };
- (note the absolute file names for the zone files)
- and here is the file for the slave
zone "domain.tld" { type slave; file "db.domain.tld"; masters { aaaa:bbbb:cccc:dddd::53; 192.168.1.252; }; allow-notify { aaaa:bbbb:cccc:dddd::53; 192.168.1.252; }; }; zone "other-domain.org" { type slave; file "db.other-domain.org"; masters { aaaa:bbbb:cccc:dddd::53; 192.168.1.252; }; allow-notify { aaaa:bbbb:cccc:dddd::53; 192.168.1.252; }; }; zone "1.168.192.in-addr.arpa" { type slave; file "db.1.168.192"; masters { aaaa:bbbb:cccc:dddd::53; 192.168.1.252; }; allow-notify { aaaa:bbbb:cccc:dddd::53; 192.168.1.252; }; }; zone "d.d.d.d.c.c.c.c.b.b.b.b.a.a.a.a.ip6.arpa" { type slave; file "db.aaaa.bbbb.cccc.dddd"; masters { aaaa:bbbb:cccc:dddd::53; 192.168.1.252; }; allow-notify { aaaa:bbbb:cccc:dddd::53; 192.168.1.252; }; };
- Note the relative paths of the zone files. This is because BIND's default working directory is
/var/cache/bind
and the slave's zone files will be stored there. The AppArmour security module prevents BIND itself from saving files into/etc/bind/
, so slave zone files can't be stored in that directory.
- Now, create the zone files themselves, such as
/etc/bind/db.domain.tld
. Only do this on the master server, as the zone files will be automatically transferred to the slave server.
; ; BIND data file for the domain.tld domain ; $ORIGIN domain.tld. $TTL 60 @ IN SOA server.domain.tld. root.domain.tld. ( 2022072401 ; Serial 1d ; Refresh 1d ; Retry 4w ; Expire 1w ) ; Negative Cache TTL ; ; server.domain.tld serves this domain as nameserver (IN NS) ; and mail exchange (IN MX) IN NS ns1.domain.tld. IN NS ns2.domain.tld. IN MX 10 mail.domain.tld. ; define the base domain name domain.tld. IN AAAA aaaa:bbbb:cccc:dddd::2 domain.tld. IN A 192.168.1.252 ; define other servers localhost IN AAAA ::1 localhost IN A 127.0.0.1 ;;;;;;;;;;;; ; machines desktop IN AAAA aaaa:bbbb:cccc:dddd::1 IN A 192.168.1.251 server IN AAAA aaaa:bbbb:cccc:dddd::2 IN A 192.168.1.252 router IN AAAA 2a02:390:62aa::1 IN A 10.191.106.1 ; Name servers ns1 IN AAAA aaaa:bbbb:cccc:dddd::53 IN A 192.168.1.252 ns2 IN AAAA aaaa:bbbb:cccc:dddd::54 IN A 192.168.1.251 ; ns2 IN CNAME desktop ; Web servers www IN AAAA aaaa:bbbb:cccc:dddd::443 IN A 192.168.1.252 webmail IN CNAME www ; Mail servers mail IN AAAA aaaa:bbbb:cccc:dddd::25 IN A 192.168.1.252 imap IN AAAA aaaa:bbbb:cccc:dddd::143 IN A 192.168.1.252 smtp IN CNAME mail ; Git git IN AAAA aaaa:bbbb:cccc:dddd::9418 IN A 192.168.1.252
- Note that all the CNAME records are only visible to machines within the LAN. If you want them visible to the outside world, you'll need to update the domain information with whoever hosts your DNS records for the wider world.
- The reverse zone files,
/etc/bind/db.1.168.192
/etc/bind/db.dddd.cccc.bbbb.aaaa
are like this (note the full stops at the end of the host definition records):
; ; BIND reverse data file for LAN, IPv4 ; $ORIGIN 1.168.192.IN-ADDR.ARPA. $TTL 3D @ IN SOA server.domain.tld. root.domain.tld. ( 2007042701 ; Serial 1w ; Refresh 1d ; Retry 4w ; Expire 1w ) ; Negative Cache TTL ; ; define the authoritative name server NS server.domain.tld. NS desktop.domain.tld. ; our other hosts 1 IN PTR router.domain.tld. 251 IN PTR desktop.domain.tld. 252 IN PTR server.domain.tld. @ IN NS localhost.
; ; BIND reverse data file for LAN, IPv6 ; $TTL 3D @ IN SOA server.domain.tld. root.domain.tld. ( 2022072401 ; Serial 1d ; Refresh 1d ; Retry 4w ; Expire 1w ) ; Negative Cache TTL ; ; define the authoritative name server NS server.domain.tld. NS desktop.domain.tld. ; our other hosts 1 IN PTR router.domain.tld. 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR router.domain.tld. 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR desktop.domain.tld. 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR server.domain.tld. 3.4.4.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR www.domain.tld. 3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR ns1.domain.tld. 4.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR ns2.domain.tld. 5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR mail.domain.tld. 3.4.1.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR imap.domain.tld. 8.1.4.9.0.0.0.0.0.0.0.0.0.0.0.0 PTR git.domain.tld.
- (Note the full stops after all the domain names.)
- Update
/etc/network/interfaces
to telldnsmasq
about the nameservers
- The primary network interface
auto enp0s7 iface enp0s7 inet static address 192.168.1.251 netmask 255.255.255.0 network 192.168.1.0 broadcast 192.168.1.255 gateway 192.168.1.1 # dns-* options are implemented by the resolvconf package, if installed dns-nameservers 192.168.1.252 192.168.1.251 dns-search domain.tld
- Restart bind:
root@server:~# systemctl restart bind9.service
- and check that it works:
root@server:~# host desktop.domain.tld root@server:~# host server.domain.tld server.domain.tld root@server:~# host www.google.com desktop.domain.tld
- (and repeat for other hosts and both nameservers). You may need to reboot the master DNS server before the zone files transfer properly.
Chrooting the nameservers
I used to do this for security. But now AppArmor and SELinux are here, so I don't bother. It's just one more thing to go wrong.
Update the router
Finally, update the router to point to these nameservers, not the ones at the ISP. Normally, the router picks up the ISP's nameservers when it connects to the ISP. The router then acts as a recursive nameserver for the machines on the LAN, and it tells them when machines register with DHCP.
You should be able to tell the router to use Server and Desktop as the nameservers it uses instead. Server and Desktop both know about the ISP's nameservers for finding IPs of machines outside the LAN. This means that the sequence of DNS requests is:
- DHCP-connected machine asks the router for an IP number,
- Router asks Server for the IP number,
- Server asks the ISP's nameserver for the IP number,
- ISP's nameserver finds it from somewhere and returns it.
For DD-WRT, the settings to use are:
- Router IP
- Local DNS: 192.168.0.252
- Network Address Server Settings (DHCP)
- Static DNS 1: 192.168.0.252
- Static DNS 2: 192.168.0.251
- Static DNS 3: 0.0.0.0
- WINS: 0.0.0.0
- Use DNSMasq for DHCP: OFF
- Use DNSMasq for DNS: OFF
- DHCP-Authoritative: OFF
See also
For a tutorial on how to set up nameservers, read BIND for the Small LAN by Paul Heinlein.
Other sources are the book Pro DNS and Bind, which is a great resource on the intricacies of BIND (especially Chapter 5 on BIND and Chapter 6 giving example setups).
There is also the Ubuntu BIND9 howto and the Debian howtos on setting up a BIND server and chrooting a BIND server.
Finally, the /usr/share/doc/bind9/README.Debian.gz
file on your machine's local disk has some good pointers.