Friday, September 30, 2011

How to Setup a DNS Server on CentOS 5

This is a pretty geeky thing to do, but running your own DNS Server on your intranet does make some sense from a performance and convenience perspective.

Background
The sole purpose of a DNS Server is to provide a look-up service for mapping hostnames, e.g. www.google.com, to IP addresses, e.g. 100.101.20.2. By far the most popular DNS Server software out there is a package called bind.
There are essentially 2 reasons to run your own DNS Server.
  1. Improving the speed of hostname lookups
  2. Managing your own intranet hostnames & IP addresses in a central location
The first reason is what is commonly called a Caching Name Server. In essence by having one machine provide all hostname look-ups in your intranet, you’re cutting down on every machine in your intranet having to independently look-up names. Additionally once a name is looked up your DNS Server will cache the results for a set period of time so that subsequent queries can come out of your DNS Server’s cache and not have to go and do the look-up on your ISPs DNS Server.
The second reason is actually the cooler one. Since you control the DNS Server you can create your own local domain (called a zone in bind lingo) and name all the systems within your intranet. By doing this it’s much easier to connect to systems using names rather than IP addresses. Plus it’s fun to name all the systems!
Taking this a step further you can create generic hostnames such as imap, mail, smtp, ntp, pop, etc. and manage these in one stop rather than having to manage them throughout your intranet.
Getting started
First things first, install the necessary bind software.
yum install bind bind-utils bind-libs

Generating a rndc key
NOTE: All the config files we’re going to work on are located in /var/named/chroot

Next you’ll need to create/modify an rndc.conf and/or rndc.key file. This file contains a key which is required in order to manage the bind service once it’s up and running. With this key you can manage bind on the host where it’s running, or from any other system that is allowed to connect and knows this key!
# command to generate a new 512-bit key (-b takes the key size in bits)
rndc-confgen -b 512
This command will return the following output, which you’ll want to either redirect to a file or copy and paste into a file. The file should be rndc.conf, but I like to use this name instead, /var/named/chroot/etc/rndc.key. It just makes more sense to me. Whatever you call it, keep it readable only by root and the named user: anyone who can read the secret can control the server.
# Start of rndc.conf
key "rndckey" {
        algorithm hmac-md5;
        secret "nHFS3WOpdap75IvsYSXVNYWusnAQPT6z5XC8V5YPWXnZ8RN8tdfSFuClZ8nNouWyGhvHB8mETJgwsrvhiYhIhA==";
};
 
options {
        default-key "rndckey";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf
The rndc-confgen command also returns some additional output below. This goes into the file /var/named/chroot/etc/named.conf. Make sure to remove the comments at the beginning of each line to turn them on.
# Use with the following in named.conf, adjusting the allow list as needed:
key "rndckey" {
      algorithm hmac-md5;
      secret "nHFS3WOpdap75IvsYSXVNYWusnAQPT6z5XC8V5YPWXnZ8RN8tdfSFuClZ8nNouWyGhvHB8mETJgwsrvhiYhIhA==";
};
# 
controls {
      inet 127.0.0.1 port 953
      allow { 127.0.0.1; } keys { "rndckey"; };
};
# End of named.conf
named.conf file
Now let’s flesh out that named.conf file a little bit more.
// the key from the rndc-confgen output above; the controls block below needs it
key "rndckey" {
        algorithm hmac-md5;
        secret "nHFS3WOpdap75IvsYSXVNYWusnAQPT6z5XC8V5YPWXnZ8RN8tdfSFuClZ8nNouWyGhvHB8mETJgwsrvhiYhIhA==";
};
 
acl lan {
        192.168.1.0/24;
        127.0.0.1;
};
 
controls {
        // listens on loopback only; put the server's LAN address here if
        // you want to run rndc from other hosts in the lan acl
        inet 127.0.0.1 port 953
        allow { lan; } keys { "rndckey"; };
};
 
logging {
        category default { default_syslog; };
        category lame-servers { null; };
};
 
options {
        pid-file "/var/run/named/named.pid";
        directory "/var/named";
        dump-file "named_dump.db";
        forward only;
        forwarders {
        # the following IP addresses are my ISPs DNS Servers. These will be used for looking up
        # hostnames that I don't locally manage, i.e. the REST OF THE INTERNET!
        24.92.226.40;     # my ISPs DNS Server #1
        24.92.226.41;     # my ISPs DNS Server #2
        };
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // Left commented out: a fixed source port disables bind's
        // source-port randomization, its main defence against cache poisoning.
        // query-source address * port 53;
        allow-query { lan; };
        allow-recursion { lan; };
        allow-transfer { lan; };
};
 
zone "bubba.net"{
        type master;
        file "data/db.bubba.net";
};
zone "0.0.127.in-addr.arpa"{
        type master;
        file "data/db.127.0.0";
};
zone "1.168.192.in-addr.arpa"{
        type master;
        file "data/db.192.168.1";
};
zone "." {
        type hint;
        file "root.hints";
};
Here is a quick rundown of what’s going on here. The acl lan creates an access control list containing 192.168.1.0/24 and 127.0.0.1, so that only hosts within these IP address ranges can remotely manage and query this bind instance. 192.168.1.0/24 means IP addresses in the range 192.168.1.1 – 192.168.1.255. The forwarders are my ISP’s DNS servers, which handle every name I don’t manage locally. One caveat on query-source: pinning the source port to 53 disables bind’s source-port randomization, which it relies on to resist cache poisoning, so only use that directive if a firewall really forces it on you.
The zones “bubba.net”, “0.0.127.in-addr.arpa”, “1.168.192.in-addr.arpa”, and “.” are all essentially files containing either hostname → IP address mappings or IP address → hostname mappings that this bind server will be responsible for.
Building zone files
The first zone: “bubba.net” includes all the hostnames and the IP addresses they point to. So these would be my systems:
  • scully.bubba.net
  • mulder.bubba.net
  • doggett.bubba.net
The second and third zones: “0.0.127.in-addr.arpa” and “1.168.192.in-addr.arpa” are special zones that provide “reverse” name look-ups. These are when you look up an IP address and want to know what name(s) are associated with it. For example:
  • 192.168.1.100
  • 192.168.1.101
The fourth zone: “.” is a special zone that makes this bind server act as a caching name server for any hostnames and IP addresses that fall outside of the first 3 zones. These hostname and IP address look-ups will be forwarded to my ISP’s DNS Server, and the results cached here for subsequent queries. Note that with forward only in the options block, bind never contacts the root servers itself; root.hints is only consulted if you change that to forward first or drop forwarding altogether.
Here is what the zone “bubba.net” looks like.
$TTL 604800
;
; Zone file for bubba.net
;
; Mandatory minimum for a working domain
;
@   IN  SOA ns.bubba.net. hostmaster.bubba.net. (
      2000072802 ; serial
      28800 ; refresh
      7200 ; retry
      3600000 ; expire
      86400 ; default_ttl
      )
@   IN  NS      ns.bubba.net.
@   IN  MX  10  mail.bubba.net.
@   IN  MX  20  mail.bubba.net.
;
; Provide familiar names to services but
; actually all are coming from XXXXX
; These need to be bound to the address directly, no CNAME's.
; -----------------------------------------------------------
bubba.net.              IN  A 192.168.1.1
;
hostmaster.bubba.net.   IN  A 192.168.1.101
ns.bubba.net.           IN  A 192.168.1.101
...
...
; Subnet 192.168.1 machines
; (addresses must match the PTR records in db.192.168.1 below)
; -------------------------
mulder.bubba.net.       IN  A         192.168.1.101
mulder.bubba.net.       IN  HINFO     "AMD Athlon(tm) Dual Core Processor 4850e 2.2GHz" "LINUX"
mulder.bubba.net.       IN  MX        10  mail.bubba.net.
mulder.bubba.net.       IN  TXT       ""
scully.bubba.net.       IN  A         192.168.1.102
scully.bubba.net.       IN  HINFO     "Celeron 450" "Windows 2000"
scully.bubba.net.       IN  MX        10  mail.bubba.net.
scully.bubba.net.       IN  TXT       ""
...
...
The first 16 lines are pretty standard. These set up a TTL, or Time To Live, which is how long any of this data should be cached. Line 14 (the NS record) names ns.bubba.net as the name server, i.e. the master of this domain; the SOA record above it names the same host as the Start of Authority 8-). Lines 15 & 16 state which machine is the mail exchange for this domain. I only have one mail exchange so I just list it twice.
The most important section in this file starts with the declaration of hostnames. Each hostname gets 4 lines. An “IN A” line which gives the IP address for this hostname. An “IN HINFO” line which is just a description of the host itself. The “IN MX” line states who the mail exchange is for this host. And finally the “IN TXT” line, which I’m not going to get into today, but it is important later on when you’re setting up your mail server.
Here is what the zone “db.192.168.1” looks like.
$TTL 604800
@   IN  SOA ns.bubba.net. hostmaster.bubba.net. (
      2000072801 ; serial
      28800 ; refresh
      7200 ; retry
      604800 ; expire
      86400 ; default-ttl
      )
@   IN  NS  ns.bubba.net.
;
101   IN  PTR mulder.bubba.net.
102   IN  PTR scully.bubba.net.
103   IN  PTR doggett.bubba.net.
...
...
The first 9 lines are essentially stating how long any Caching DNS Name Server should cache this data before getting a fresh copy. The SOA ns.bubba.net is saying which machine is the authority for this domain. The hostmaster.bubba.net is actually an email address that is responsible for this domain, hostmaster@bubba.net.
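The forward zone and this reverse zone are maintained by hand and must agree on every host, which is easy to get wrong. Here is an added example, not from the original post, of a small sh/awk check that compares a forward zone’s A records with the matching reverse zone’s PTR records; it assumes the record layout used in this post (name IN TYPE rdata, no per-record TTL field, no ';' inside TXT data) and runs on constructed sample zones that contain one deliberate mismatch.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check a forward zone's A
# records against the reverse zone's PTR records for one /24. Assumes the
# post's record layout: "name IN TYPE rdata", no per-record TTL column.

# check_zones FORWARD_FILE REVERSE_FILE NETWORK_PREFIX   (prefix like 192.168.1)
# Prints one sorted line per inconsistency; prints nothing when the zones agree.
check_zones() {
    awk -v net="$3" '
        { sub(/;.*/, ""); if (NF == 0) next }            # strip comments, blanks
        FNR == NR && $3 == "A" && index($4, net ".") == 1 {
            h = $1; sub(/\.$/, "", h); fwd[h] = $4; next   # name -> address
        }
        FNR != NR && $3 == "PTR" {
            h = $4; sub(/\.$/, "", h); rev[h] = net "." $1 # name <- last octet
        }
        END {
            for (h in fwd) {
                if (!(h in rev)) printf "%s: A %s has no PTR\n", h, fwd[h]
                else if (rev[h] != fwd[h])
                    printf "%s: A %s but PTR says %s\n", h, fwd[h], rev[h]
            }
            for (h in rev) if (!(h in fwd)) printf "%s: PTR %s has no A record\n", h, rev[h]
        }' "$1" "$2" | sort
}

# Constructed sample zones: mulder's A record disagrees with its PTR on purpose.
ZONEDIR=$(mktemp -d)
cat > "$ZONEDIR/db.bubba.net" <<'EOF'
$TTL 604800
@   IN  SOA ns.bubba.net. hostmaster.bubba.net. (
      2000072802 ; serial
      28800 ; refresh
      7200 ; retry
      3600000 ; expire
      86400 ; default_ttl
      )
@   IN  NS      ns.bubba.net.
ns.bubba.net.      IN  A  192.168.1.101
mulder.bubba.net.  IN  A  192.168.1.1
scully.bubba.net.  IN  A  192.168.1.102
EOF
cat > "$ZONEDIR/db.192.168.1" <<'EOF'
$TTL 604800
@   IN  NS  ns.bubba.net.
101   IN  PTR mulder.bubba.net.
102   IN  PTR scully.bubba.net.
103   IN  PTR doggett.bubba.net.
EOF
check_zones "$ZONEDIR/db.bubba.net" "$ZONEDIR/db.192.168.1" 192.168.1
```

Run it against the real files (e.g. /var/named/chroot/var/named/data/db.bubba.net and db.192.168.1) after every edit and before bumping the serial.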
Finally the zone “db.127.0.0”, which really serves no purpose other than as a backup in case a host didn’t configure itself correctly with the loopback address. Here is what my zone file looks like:
$TTL 604800
@               IN      SOA     ns.bubba.net.   hostmaster.bubba.net. (
                        2000031801 ; serial
                        28800 ; refresh
                        7200 ; retry
                        604800 ; expire
                        86400 ; default_ttl
                        )
@               IN      NS      ns.bubba.net.
;
1               IN      PTR     localhost.bubba.net.
The zone “.” uses a file called root.hints. Here is an example of what this file looks like.
; <<>> DiG 9.3.4-P1 <<>> @e.root-servers.net . ns
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21247
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14
 
;; QUESTION SECTION:
;.                              IN      NS
 
;; ANSWER SECTION:
.                       518400  IN      NS      D.ROOT-SERVERS.NET.
.                       518400  IN      NS      C.ROOT-SERVERS.NET.
.                       518400  IN      NS      G.ROOT-SERVERS.NET.
.                       518400  IN      NS      L.ROOT-SERVERS.NET.
.                       518400  IN      NS      F.ROOT-SERVERS.NET.
.                       518400  IN      NS      I.ROOT-SERVERS.NET.
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
.                       518400  IN      NS      J.ROOT-SERVERS.NET.
.                       518400  IN      NS      M.ROOT-SERVERS.NET.
.                       518400  IN      NS      K.ROOT-SERVERS.NET.
.                       518400  IN      NS      H.ROOT-SERVERS.NET.
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
.                       518400  IN      NS      E.ROOT-SERVERS.NET.
 
;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4
A.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.     3600000 IN      A       192.228.79.201
C.ROOT-SERVERS.NET.     3600000 IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     3600000 IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     3600000 IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     3600000 IN      A       192.5.5.241
F.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2f::f
G.ROOT-SERVERS.NET.     3600000 IN      A       192.112.36.4
H.ROOT-SERVERS.NET.     3600000 IN      A       128.63.2.53
H.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:1::803f:235
I.ROOT-SERVERS.NET.     3600000 IN      A       192.36.148.17
J.ROOT-SERVERS.NET.     3600000 IN      A       192.58.128.30
J.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:c27::2:30
 
;; Query time: 109 msec
;; SERVER: 192.203.230.10#53(192.203.230.10)
;; WHEN: Fri Feb 20 03:49:01 2009
;; MSG SIZE  rcvd: 500
Starting bind up
Once you have all this in place you can start up bind with this command. Before doing so it’s worth running named-checkconf -t /var/named/chroot /etc/named.conf and named-checkzone bubba.net /var/named/chroot/var/named/data/db.bubba.net (both ship with the bind package) to catch syntax errors, since a bad zone file makes named refuse to load that zone while it carries on serving the others.
/etc/init.d/named start
Configuring a host to use your DNS server
One final step is to configure your host to use your newly set up DNS Server as its name server. You can accomplish this by changing 2 files: /etc/resolv.conf and /etc/nsswitch.conf.
The /etc/resolv.conf should look like this:
search bubba.net
nameserver 192.168.1.101
The /etc/nsswitch.conf should have an entry like this in it:
...
...
hosts:      files dns
...
...
Taking it out for a test drive
You can see if it’s working by poking the name server using host, dig, or nslookup. Here are a couple of example queries.
# host example
% host -l bubba.net
bubba.net name server ns.bubba.net.
bubba.net has address 192.168.1.1
...
...
 
# dig example
% dig ns.bubba.net
 
; <<>> DiG 9.3.4-P1 <<>> ns.bubba.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54856
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
 
;; QUESTION SECTION:
;ns.bubba.net.                  IN      A
 
;; ANSWER SECTION:
ns.bubba.net.           604800  IN      A       192.168.1.101
 
;; AUTHORITY SECTION:
bubba.net.              604800  IN      NS      ns.bubba.net.
 
;; Query time: 1 msec
;; SERVER: 192.168.1.101#53(192.168.1.101)
;; WHEN: Sat Feb 28 20:54:46 2009
;; MSG SIZE  rcvd: 60
 
# nslookup example
% nslookup ns.bubba.net
Server:         192.168.1.101
Address:        192.168.1.101#53
 
Name:   ns.bubba.net
Address: 192.168.1.101
