DNS Notes
I’ve heard that using a personal DNS is a good idea to keep safe and calm for personal servers/devices.
DNS Server: domain <–> IP
Domain Name Resolution
Looking up www.google.com:
- Check the local DNS cache; if the name is cached, return it
- Check the local hosts file; if the name is mapped there, return that IP
- Ask the configured (attached) DNS server; if it has the answer cached, return it
- Otherwise that DNS server resolves the name iteratively, starting with a request to a root DNS server
- The root server returns the address of the .com DNS server
- The DNS server asks the .com DNS server to resolve www.google.com
- The .com DNS server returns the address of the google.com DNS server, which the DNS server queries next
- The google.com server returns the IP address of www.google.com to the DNS server
- The DNS server sends the DNS response to the user
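The lookup order above, as an added example that is not part of the original notes: a small simulation of the client side (local cache, hosts file, attached DNS server) and of the attached server walking the delegation chain root -> TLD -> authoritative. Every server, name and address is constructed in-memory data (the server labels and 192.0.2.10 are placeholders, and host1.nyc3.example.com is taken from the zone used later in these notes), so it runs offline.

```python
# Added example, not part of the original notes: a simulation of the lookup
# order (local cache -> hosts file -> attached DNS server -> root -> TLD ->
# authoritative). All servers and answers are constructed data; 192.0.2.10 is
# a documentation-range address, not a real host.
from typing import Dict, List, Optional, Tuple

Answer = Tuple[str, str]  # ("A", ip) is a final answer, ("NS", server) a referral

# Constructed delegation tree: what each server answers for the closest zone
# it knows. The server labels are identifiers in this simulation, not hostnames.
ROOT = "root-server"
AUTHORITATIVE: Dict[str, Dict[str, Answer]] = {
    ROOT:               {"com.": ("NS", "com-tld-server")},
    "com-tld-server":   {"example.com.": ("NS", "ns1.example.com.")},
    "ns1.example.com.": {"www.example.com.": ("A", "192.0.2.10")},
}


def _fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


class RecursiveResolver:
    """The 'attached DNS server': caches answers and follows referrals from the root."""

    def __init__(self, authoritative: Dict[str, Dict[str, Answer]]):
        self.authoritative = authoritative
        self.cache: Dict[str, str] = {}
        self.trace: List[str] = []  # servers contacted for the last uncached query

    def _ask(self, server: str, name: str) -> Optional[Answer]:
        # A server answers for the longest suffix of the name it knows about:
        # the root knows "com.", the TLD server knows "example.com.", and so on.
        table = self.authoritative[server]
        labels = name.split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in table:
                return table[suffix]
        return None

    def resolve(self, name: str) -> Tuple[str, str]:
        name = _fqdn(name)
        if name in self.cache:
            return self.cache[name], "resolver cache"
        self.trace, server = [], ROOT
        for _ in range(8):  # hop limit guards against a looping delegation
            answer = self._ask(server, name)
            if answer is None:
                raise LookupError(f"{server} can neither answer nor delegate {name}")
            rtype, value = answer
            self.trace.append(f"{server}: {rtype} {value}")
            if rtype == "A":
                self.cache[name] = value
                return value, "iterative resolution"
            server = value  # follow the referral to the next server
        raise LookupError(f"too many referrals while resolving {name}")


class StubClient:
    """The querying host: local cache, then the hosts file, then the attached server."""

    def __init__(self, hosts: Dict[str, str], resolver: RecursiveResolver):
        self.hosts = {_fqdn(k): v for k, v in hosts.items()}
        self.resolver = resolver
        self.cache: Dict[str, str] = {}

    def lookup(self, name: str) -> Tuple[str, str]:
        name = _fqdn(name)
        if name in self.cache:
            return self.cache[name], "local cache"
        if name in self.hosts:
            return self.hosts[name], "hosts file"
        ip, source = self.resolver.resolve(name)
        self.cache[name] = ip
        return ip, source


def build_example_client() -> StubClient:
    # The hosts entry reuses host1 from the private zone later in these notes.
    return StubClient({"host1.nyc3.example.com": "10.128.100.101"},
                      RecursiveResolver(AUTHORITATIVE))


if __name__ == "__main__":
    client = build_example_client()
    for query in ("www.example.com", "www.example.com", "host1.nyc3.example.com"):
        ip, source = client.lookup(query)
        print(f"{query} -> {ip} ({source})")
        if source == "iterative resolution":
            for hop in client.resolver.trace:
                print("    ", hop)
```

Running it shows the first query walking three servers, the repeat being served from the local cache, and the hosts-file name never reaching the resolver; a second client sharing the same resolver object gets the answer from the resolver cache, which is the third step in the list above.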
DNS Records
- NS record: specifies the authoritative nameservers for the domain name.
- A (address) record: points the domain name or subdomain to an IP address.
- CNAME record: aliases one name to another, allowing it to point to other domain names.
- MX record: specifies the domain to which mail is delivered, allowing the domain’s mail to be sent to another domain.
DNS Lookup Tool
- nslookup
- host
- dig
BIND as a Private Network DNS Server
Using fully qualified domain names (FQDNs), instead of IP addresses, to specify network addresses eases the configuration of services and applications, and increases the maintainability of configuration files.
Use the BIND name server software (BIND9).
Use dedicated servers as the DNS servers (a primary and a secondary).
Steps: install the software, configure the servers and their zones, then point the clients at them for domain resolution.
Installing BIND on DNS Servers
On each name server (ns1 and ns2):
sudo apt-get update
sudo apt-get install bind9 bind9utils bind9-doc # Install BIND
sudo nano /etc/default/bind9 # set BIND to IPv4 mode
In /etc/default/bind9, append the line: OPTIONS="-u bind -4"
Restart BIND to apply the changes:
sudo systemctl restart bind9
Configuring the Primary DNS Server
Only your own servers (the “trusted” ones) will be able to query your DNS server for outside domains.
NS1:
sudo nano /etc/bind/named.conf.options
Define a list of clients that we will allow recursive DNS queries from (i.e. your servers that are in the same datacenter as ns1):
In /etc/bind/named.conf.options:
acl "trusted" {
    10.128.10.11;   # ns1 - can be set to localhost
    10.128.20.12;   # ns2
    10.128.100.101; # host1
    10.128.200.102; # host2
};
. . .
options {
    directory "/var/cache/bind";
    . . .
    recursion yes;                 # enables recursive queries
    allow-recursion { trusted; };  # allows recursive queries from "trusted" clients
    listen-on { 10.128.10.11; };   # ns1 private IP address - listen on private network only
    allow-transfer { none; };      # disable zone transfers by default
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
};
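An added example (not part of the original notes) that checks the options above for the three properties this section relies on: recursion limited to the "trusted" ACL rather than everyone, zone transfers disabled globally, and listening on a private address only. It is a regex reader for the flat `key { a; b; };` statement shape used here; `SECURE_OPTIONS` is the configuration from the notes and `WEAK_OPTIONS` is a constructed counterpart that shows what the checks report.

```python
# Added example, not part of the original notes: a regex-based lint of the
# named.conf.options shape used above. It checks the points the notes call
# out: recursion only for the "trusted" ACL (no open resolver), zone transfers
# disabled globally, and listening on a private address only. Only flat
# 'key { a; b; };' statements are parsed; nested forms such as
# 'listen-on port 53 { ... }' are out of scope.
import ipaddress
import re
from typing import Dict, List, Optional

# Copied from the notes above (the closing '};' of the options block included)
SECURE_OPTIONS = """
acl "trusted" {
    10.128.10.11;   # ns1 - can be set to localhost
    10.128.20.12;   # ns2
    10.128.100.101; # host1
    10.128.200.102; # host2
};
options {
    directory "/var/cache/bind";
    recursion yes;                 # enables recursive queries
    allow-recursion { trusted; };  # allows recursive queries from "trusted" clients
    listen-on { 10.128.10.11; };   # ns1 private IP address - listen on private network only
    allow-transfer { none; };      # disable zone transfers by default
    forwarders { 8.8.8.8; 8.8.4.4; };
};
"""

# Constructed counterpart with the settings the lint is meant to catch
WEAK_OPTIONS = """
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { any; };
    listen-on { any; };
    forwarders { 8.8.8.8; 8.8.4.4; };
};
"""


def strip_comments(text: str) -> str:
    # named.conf allows '#' and '//' line comments ('/* */' is not handled here)
    return "\n".join(re.split(r"#|//", line, maxsplit=1)[0] for line in text.splitlines())


def parse_acls(text: str) -> Dict[str, List[str]]:
    acls: Dict[str, List[str]] = {}
    for m in re.finditer(r'\bacl\s+"?([\w-]+)"?\s*\{([^}]*)\}', text):
        acls[m.group(1)] = [e.strip() for e in m.group(2).split(";") if e.strip()]
    return acls


def statement(text: str, keyword: str) -> Optional[List[str]]:
    """Entries of a flat 'keyword { a; b; };' statement, or None if absent."""
    m = re.search(rf"\b{keyword}\s*\{{([^}}]*)\}}", text)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]


def expand(entries: List[str], acls: Dict[str, List[str]]) -> List[str]:
    """Replace ACL names by their members so 'any' is found wherever it hides."""
    out: List[str] = []
    for e in entries:
        out.extend(expand(acls[e], acls) if e in acls else [e])
    return out


def lint_options(text: str) -> List[str]:
    text = strip_comments(text)
    acls = parse_acls(text)
    findings: List[str] = []
    rec = re.search(r"^\s*recursion\s+(yes|no)\s*;", text, re.M)
    if rec and rec.group(1) == "yes":
        allowed = statement(text, "allow-recursion")
        if allowed is None or "any" in expand(allowed, acls):
            findings.append("recursion is on for everyone (open resolver): restrict allow-recursion to an ACL")
    xfer = statement(text, "allow-transfer")
    if xfer is None or "any" in expand(xfer, acls):
        findings.append("allow-transfer is unrestricted: set { none; } globally and allow it per zone")
    listen = statement(text, "listen-on")
    if listen is None or "any" in listen:
        findings.append("listen-on is missing or 'any': bind to the private interface address")
    else:
        for addr in listen:
            try:
                if not ipaddress.ip_address(addr).is_private:
                    findings.append(f"listen-on {addr} is a public address")
            except ValueError:
                pass  # an ACL name rather than a literal address


    return findings


if __name__ == "__main__":
    for label, cfg in (("secure", SECURE_OPTIONS), ("weak", WEAK_OPTIONS)):
        print(label, lint_options(cfg) or ["no findings"])
```

The lint reports nothing for the configuration in the notes and three findings for the weak variant. It is a reading aid for this page, not a replacement for `named-checkconf`, which checks syntax only and would accept both files.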
Configuring the Local File (Forward & Reverse Zone)
Specify our forward and reverse zones. DNS zones designate a specific scope for managing and defining DNS records.
NS1:
sudo nano /etc/bind/named.conf.local
In /etc/bind/named.conf.local:
# forward zone
zone "nyc3.example.com" {
type master;
file "/etc/bind/zones/db.nyc3.example.com"; # zone file path
allow-transfer { 10.128.20.12; }; # ns2 private IP address - secondary
};
# reverse zone
zone "128.10.in-addr.arpa" {
type master;
file "/etc/bind/zones/db.10.128"; # 10.128.0.0/16 subnet
allow-transfer { 10.128.20.12; }; # ns2 private IP address - secondary
};
Specify an additional zone and zone file for each distinct subnet.
Creating the Forward Zone File
sudo mkdir /etc/bind/zones
sudo cp /etc/bind/db.local /etc/bind/zones/db.nyc3.example.com # create based on sample db.local file
sudo nano /etc/bind/zones/db.nyc3.example.com
Original:
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost. ; delete this line
@ IN A 127.0.0.1 ; delete this line
@ IN AAAA ::1 ; delete this line
Edited (update the serial number every time the zone file changes):
@ IN SOA ns1.nyc3.example.com. admin.nyc3.example.com. (
3 ; Serial
. . .
Delete the three records at the end of the file (after the SOA record) and add:
; name servers - NS records
IN NS ns1.nyc3.example.com.
IN NS ns2.nyc3.example.com.
Add A records:
. . .
; name servers - A records
ns1.nyc3.example.com. IN A 10.128.10.11
ns2.nyc3.example.com. IN A 10.128.20.12
; 10.128.0.0/16 - A records
host1.nyc3.example.com. IN A 10.128.100.101
host2.nyc3.example.com. IN A 10.128.200.102
Final Forward Zone File:
$TTL 604800
@ IN SOA ns1.nyc3.example.com. admin.nyc3.example.com. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; name servers - NS records
IN NS ns1.nyc3.example.com.
IN NS ns2.nyc3.example.com.
; name servers - A records
ns1.nyc3.example.com. IN A 10.128.10.11
ns2.nyc3.example.com. IN A 10.128.20.12
; 10.128.0.0/16 - A records
host1.nyc3.example.com. IN A 10.128.100.101
host2.nyc3.example.com. IN A 10.128.200.102
Creating the Reverse Zone File
sudo cp /etc/bind/db.127 /etc/bind/zones/db.10.128
sudo nano /etc/bind/zones/db.10.128
In /etc/bind/zones/db.10.128:
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost. ; delete this line
1.0.0 IN PTR localhost. ; delete this line
Final Reverse Zone File:
$TTL 604800
@ IN SOA nyc3.example.com. admin.nyc3.example.com. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
; name servers
IN NS ns1.nyc3.example.com.
IN NS ns2.nyc3.example.com.
; PTR Records
11.10 IN PTR ns1.nyc3.example.com. ; 10.128.10.11
12.20 IN PTR ns2.nyc3.example.com. ; 10.128.20.12
101.100 IN PTR host1.nyc3.example.com. ; 10.128.100.101
102.200 IN PTR host2.nyc3.example.com. ; 10.128.200.102
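An added example, not part of the original notes, that ties the forward zone file and the reverse zone file sections together: it parses both final files as given above, checks that every A record has a PTR pointing back to the same name (and every PTR an A record for the same address), that each NS name has an A record, and that an edited zone raised its SOA serial, which the notes ask for on every change. The parser handles only the record shapes used in these files; the zone text is copied from the notes and the host3 record in the usage note is a constructed mismatch.

```python
# Added example, not part of the original notes: a consistency check across
# the final forward and reverse zone files above. It parses the record shapes
# used here (SOA in parentheses, '@', blank owners, relative names), confirms
# that every A record has a matching PTR and vice versa, that each NS name has
# an A record, and that an edited zone raised its SOA serial. $ORIGIN,
# $INCLUDE, quoted rdata and IPv6 are not handled.
from typing import Iterator, List, Tuple

Record = Tuple[str, str, List[str]]  # (owner FQDN, type, rdata tokens)
FORWARD_ORIGIN, REVERSE_ORIGIN = "nyc3.example.com", "128.10.in-addr.arpa"

# Zone contents as given in the notes above
FORWARD_ZONE = """\
$TTL 604800
@ IN SOA ns1.nyc3.example.com. admin.nyc3.example.com. (
        3       ; Serial
        604800  ; Refresh
        86400   ; Retry
        2419200 ; Expire
        604800 ) ; Negative Cache TTL
; name servers - NS records
    IN NS ns1.nyc3.example.com.
    IN NS ns2.nyc3.example.com.
; name servers - A records
ns1.nyc3.example.com. IN A 10.128.10.11
ns2.nyc3.example.com. IN A 10.128.20.12
; 10.128.0.0/16 - A records
host1.nyc3.example.com. IN A 10.128.100.101
host2.nyc3.example.com. IN A 10.128.200.102
"""
REVERSE_ZONE = """\
$TTL 604800
@ IN SOA nyc3.example.com. admin.nyc3.example.com. (
        3       ; Serial
        604800  ; Refresh
        86400   ; Retry
        2419200 ; Expire
        604800 ) ; Negative Cache TTL
; name servers
    IN NS ns1.nyc3.example.com.
    IN NS ns2.nyc3.example.com.
; PTR Records
11.10   IN PTR ns1.nyc3.example.com.   ; 10.128.10.11
12.20   IN PTR ns2.nyc3.example.com.   ; 10.128.20.12
101.100 IN PTR host1.nyc3.example.com. ; 10.128.100.101
102.200 IN PTR host2.nyc3.example.com. ; 10.128.200.102
"""


def _logical_lines(text: str) -> Iterator[Tuple[bool, str]]:
    """Yield (owner_is_blank, line) with ';' comments dropped and ( ) continuations joined."""
    buf: List[str] = []
    depth, blank = 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if not buf:
            blank = line[0].isspace()  # blank owner = same owner as the previous record
        buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield blank, " ".join(buf)
            buf = []


def parse_zone(text: str, origin: str) -> Tuple[int, List[Record]]:
    """Return (SOA serial, records) with owners expanded to absolute names."""
    origin = origin.rstrip(".") + "."
    serial, owner = -1, origin
    records: List[Record] = []
    for blank, line in _logical_lines(text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0].startswith("$"):
            continue  # $TTL; other directives are unsupported here
        if not blank:
            name = tokens.pop(0)
            if name == "@":
                owner = origin
            else:
                owner = name if name.endswith(".") else f"{name}.{origin}"
        while tokens and (tokens[0] == "IN" or tokens[0].isdigit()):
            tokens.pop(0)  # optional class and TTL fields
        if tokens[0] == "SOA":
            serial = int(tokens[3])  # SOA rdata: mname rname serial refresh retry expire minimum
        records.append((owner, tokens[0], tokens[1:]))
    return serial, records


def ptr_owner(ip: str) -> str:
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def ptr_ip(owner: str) -> str:
    return ".".join(reversed(owner[: -len(".in-addr.arpa.")].split(".")))


def check_zones(forward: str, reverse: str, forward_origin: str = FORWARD_ORIGIN,
                reverse_origin: str = REVERSE_ORIGIN) -> List[str]:
    _, frecs = parse_zone(forward, forward_origin)
    _, rrecs = parse_zone(reverse, reverse_origin)
    a = {o: rd[0] for o, t, rd in frecs if t == "A"}
    ptr = {o: rd[0] for o, t, rd in rrecs if t == "PTR"}
    findings = [f"A {n} -> {ip}: no PTR at {ptr_owner(ip)}" for n, ip in a.items() if ptr.get(ptr_owner(ip)) != n]
    findings += [f"PTR {o} -> {n}: no matching A record" for o, n in ptr.items() if a.get(n) != ptr_ip(o)]
    findings += [f"NS {rd[0]}: name server has no A record" for _, t, rd in frecs if t == "NS" and rd[0] not in a]
    return findings


def serial_bumped(old: str, new: str, origin: str) -> bool:
    """True unless the records changed while the SOA serial did not increase."""
    old_serial, old_recs = parse_zone(old, origin)
    new_serial, new_recs = parse_zone(new, origin)
    old_data = [r for r in old_recs if r[1] != "SOA"]
    new_data = [r for r in new_recs if r[1] != "SOA"]
    return old_data == new_data or new_serial > old_serial
```

With the two zones from the notes `check_zones` returns no findings. Appending a constructed `host3.nyc3.example.com. IN A 10.128.30.3` to the forward zone without a PTR yields one finding, and `serial_bumped(FORWARD_ZONE, edited, FORWARD_ORIGIN)` is False until the serial is raised above 3, which is the mistake that leaves ns2 serving stale data after a transfer.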
Checking the BIND Configuration Syntax
sudo named-checkconf # check the syntax of named.conf and the files it includes
sudo named-checkzone nyc3.example.com /etc/bind/zones/db.nyc3.example.com # check the forward zone
sudo named-checkzone 128.10.in-addr.arpa /etc/bind/zones/db.10.128 # check the reverse zone
Restarting BIND
sudo systemctl restart bind9
sudo ufw allow Bind9
Configuring the Secondary DNS Server
In most environments, it is a good idea to set up a secondary DNS server that will respond to requests if the primary becomes unavailable. Luckily, the secondary DNS server is much easier to configure.
Configuring DNS Clients
Ubuntu 18.04:
sudo nano /etc/netplan/00-private-nameservers.yaml
sudo netplan try # attempt to use the new configuration
sudo systemd-resolve --status
/etc/netplan/00-private-nameservers.yaml:
network:
    version: 2
    ethernets:
        eth1:                            # Private network interface
            nameservers:
                addresses:
                - 10.128.10.11           # Private IP for ns1
                - 10.128.20.12           # Private IP for ns2
                search: [ nyc3.example.com ] # DNS zone