DNS server setup
From Smith family
Name servers are necessary so that the various client machines on the LAN can find the services offered by the servers. Setting up the Domain Name servers is a three-stage process. The first stage is to get the name servers running. The second stage is about making them secure by placing them in a chroot jail. The final stage is to make all the other machines on the LAN use these new nameservers, so that they can see the various servers on the LAN.
Getting the servers running
First, create the master nameserver on Server:
- Install bind (make sure it's BIND9, not BIND (which is BIND8)):
root@server:~# apt-get install bind9 bind9-doc
- This will install the configuration files in /etc/bind.
- Disable rndc by adding this line to the top of /etc/bind/named.conf:
controls { };
- I could never get rndc working, and always use the /etc/init.d/bind9 init script to control BIND.
- Alter the /etc/bind/named.conf.options file to mention my ISP's nameservers:
options {
    directory "/var/cache/bind";
    forwarders {
        1.2.3.4;
        1.2.3.5;
    };
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
    allow-recursion { localnets; };
};
- Tell BIND about all the domains I want machines on my LAN to know about by mentioning them in /etc/bind/named.conf.local. This is the file for the master server:
zone "domain.tld" {
    type master;
    file "/etc/bind/db.domain.tld";
    also-notify { 192.168.1.251; };
    allow-transfer { 192.168.1.251; };
};
zone "other-domain.org" {
    type master;
    file "/etc/bind/db.other-domain.org";
    also-notify { 192.168.1.251; };
    allow-transfer { 192.168.1.251; };
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.1.168.192";
    also-notify { 192.168.1.251; };
    allow-transfer { 192.168.1.251; };
};
- (Note the absolute file names for the zone files.)
- Here is the file for the slave:
zone "domain.tld" {
    type slave;
    file "db.domain.tld";
    masters { 192.168.1.252; };
    allow-notify { 192.168.1.252; };
};
zone "other-domain.org" {
    type slave;
    file "db.other-domain.org";
    masters { 192.168.1.252; };
    allow-notify { 192.168.1.252; };
};
zone "1.168.192.in-addr.arpa" {
    type slave;
    file "db.1.168.192";
    masters { 192.168.1.252; };
    allow-notify { 192.168.1.252; };
};
- Note the relative paths of the zone files. This is because BIND's default working directory is /var/cache/bind, and the slave's zone files will be stored there. The AppArmor security module prevents BIND itself from writing files into /etc/bind/, so slave zone files can't be stored in that directory.
- Now, create the zone files themselves, such as /etc/bind/db.domain.tld. Only do this on the master server, as the zone files will be transferred to the slave server automatically.
;
; BIND data file for the domain.tld domain
;
$ORIGIN domain.tld.
$TTL 60
@ IN SOA server.domain.tld. root.domain.tld. (
2008051601 ; Serial
1w ; Refresh
1d ; Retry
4w ; Expire
1w ) ; Negative Cache TTL
;
; server.domain.tld serves this domain as nameserver (NS)
; and mail exchange (MX)
NS server.domain.tld.
NS desktop.domain.tld.
MX 10 server.domain.tld.
; define some aliases
ns1 CNAME server
ns2 CNAME desktop
mail CNAME server
imap CNAME server
smtp CNAME server
www CNAME server
scripts CNAME server
printer CNAME desktop
printers CNAME desktop
webmail CNAME server
; define other servers
localhost A 127.0.0.1
desktop A 192.168.1.251
server A 192.168.1.252
router A 192.168.1.1
- Note that all the CNAME records are only visible to machines within the LAN. If you want them visible to the outside world, you'll need to update the domain information with whoever hosts your DNS records for the wider world.
- The reverse zone file, /etc/bind/db.1.168.192 is (note the full stops at the end of the host definition records):
;
; BIND reverse data file for LAN
;
$ORIGIN 1.168.192.IN-ADDR.ARPA.
$TTL 3D
@ IN SOA server.domain.tld. root.domain.tld. (
2007042701 ; Serial
1w ; Refresh
1d ; Retry
4w ; Expire
1w ) ; Negative Cache TTL
;
; define the authoritative name server
NS server.domain.tld.
NS desktop.domain.tld.
; our other hosts
1 IN PTR router.domain.tld.
251 IN PTR desktop.domain.tld.
252 IN PTR server.domain.tld.
@ IN NS localhost.
- (Note the full stops after all the domain names.)
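The forward and reverse zones above are edited by hand on the master, so an A record without its PTR, or a CNAME left pointing at a retired host, slips in easily and only surfaces later as an odd lookup failure. The following check is an added example and not part of this page: it parses trimmed, constructed copies of both zones (the parser handles only the simple record forms used here) and reports dangling NS/CNAME targets and A records with no matching PTR.

```python
import re
from ipaddress import ip_address
# Constructed sample: this page's zones trimmed, seeded with a dangling CNAME and a missing PTR.
FORWARD = """\
$ORIGIN domain.tld.
@ IN SOA server.domain.tld. root.domain.tld. ( 2008051601 1w 1d 4w 1w )
  NS server.domain.tld.
  NS desktop.domain.tld.
mail CNAME server
www CNAME webserver
desktop A 192.168.1.251
server A 192.168.1.252
"""
REVERSE = """\
$ORIGIN 1.168.192.IN-ADDR.ARPA.
252 IN PTR server.domain.tld.
"""

def fqdn(name, origin):  # qualify a relative (lower-cased) name against $ORIGIN; '@' is the origin
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (origin, [(owner, type, rdata)]) for a simple master-file zone."""
    text = re.sub(r"\([^)]*\)", "", re.sub(r";.*", "", text)).lower()  # drop comments, SOA parens
    origin, owner, records = "", "@", []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("$"):      # blank line or $ORIGIN/$TTL directive
            origin = tok[1] if tok and tok[0] == "$origin" else origin
            continue
        if not line[0].isspace():                  # explicit owner; else the previous one applies
            owner, tok = tok[0], tok[1:]
        tok = tok[1:] if tok[0] == "in" else tok   # optional class field
        rtype = tok[0].upper()
        rdata = [fqdn(tok[1], origin)] if rtype in ("NS", "CNAME", "PTR") else tok[1:]
        records.append((fqdn(owner, origin), rtype, rdata))
    return origin, records

def check_zones(forward, reverse):
    """List dangling NS/CNAME targets and A records whose address has no matching PTR."""
    (_, fwd), (rorigin, rev) = parse_zone(forward), parse_zone(reverse)
    a = {o: rd[0] for o, t, rd in fwd if t == "A"}
    ptr = {o: rd[0] for o, t, rd in rev if t == "PTR"}
    problems = [f"{t} {o} -> {rd[0]} has no A record"
                for o, t, rd in fwd if t in ("NS", "CNAME") and rd[0] not in a]
    for o, ip in a.items():
        rname = ip_address(ip).reverse_pointer + "."
        if rname.endswith(rorigin) and ptr.get(rname) != o:   # ignore IPs outside the reverse zone
            problems.append(f"A {o} {ip} has no matching PTR (found {ptr.get(rname)})")
    return problems
```

Run it against the real files with check_zones(open("/etc/bind/db.domain.tld").read(), open("/etc/bind/db.1.168.192").read()) before bumping the serial.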
- Update /etc/resolv.conf to ask the localhost for name resolution:
search domain.tld
nameserver 127.0.0.1
nameserver 192.168.2.251
nameserver 192.168.2.252
- (You may need to put these lines in /etc/resolvconf/resolv.conf.d/tail if resolvconf keeps overwriting /etc/resolv.conf.)
- Restart BIND:
root@server:~# /etc/init.d/bind9 restart
- and check that it works:
root@server:~# host desktop.domain.tld
root@server:~# host server.domain.tld server.domain.tld
root@server:~# host www.google.com desktop.domain.tld
- (Repeat for other hosts and for both nameservers.) You may need to reboot the master DNS server before the zone files transfer properly. And don't worry about getting rndc working: forcing restarts of BIND seems to work perfectly well.
Chrooting the nameservers
For increased security, it's now time to get the nameservers running in a chroot jail so that they can't see the rest of the filesystem.
Do this on the slave nameserver on Desktop as well. BIND on Fedora Core 3 runs in a chroot jail automatically; the instructions on the Ubuntu wiki didn't quite work for me.
- Create the chroot environment:
root@server:~# mkdir -p /chroot/bind/dev
root@server:~# mkdir -p /chroot/bind/etc/bind
root@server:~# mkdir -p /chroot/bind/var/run/named
root@server:~# mkdir -p /chroot/bind/var/cache/bind
- Copy the BIND config files into the chroot jail:
root@server:~# cp /etc/bind/* /chroot/bind/etc/bind
- Create the devices BIND requires:
root@server:~# mknod /chroot/bind/dev/null c 1 3
root@server:~# mknod /chroot/bind/dev/random c 1 8
- Set the file ownerships and permissions:
root@server:~# chown -R bind:bind /chroot/bind/etc
root@server:~# chown -R bind:bind /chroot/bind/var/run
root@server:~# chown -R bind:bind /chroot/bind/var/cache
- Modify the file /etc/default/bind9 so that BIND now runs in a chroot jail:
OPTIONS="-u bind -t /chroot/bind"
# Set RESOLVCONF=no to not run resolvconf
RESOLVCONF=yes
- For Ubuntu 8.04: Modify /etc/default/syslogd to log messages from the chrooted BIND:
SYSLOGD="-u syslog -a /chroot/bind/dev/log"
- For Ubuntu 10.04: Create /etc/rsyslog.d/bind-chroot.conf to log messages from the chrooted BIND:
$AddUnixListenSocket /chroot/bind/dev/log
- Make AppArmor allow BIND access to the chroot jail. Modify /etc/apparmor.d/usr.sbin.named to include the lines:
# Additional permissions for a chrooted bind
/chroot/bind/etc/bind/** r,
/chroot/bind/var/lib/bind/** rw,
/chroot/bind/var/lib/bind/ rw,
/chroot/bind/var/cache/bind/** rw,
/chroot/bind/var/cache/bind/ rw,
/chroot/bind/var/run/named/named.pid w,
/chroot/bind/var/run/named/session.key w,
# support for resolvconf
/chroot/bind/var/run/bind/named.options r,
- Restart AppArmor, system logger, and BIND:
root@server:~# /etc/init.d/apparmor restart
- For Ubuntu 8.04:
root@server:~# /etc/init.d/sysklogd restart
- For Ubuntu 10.04:
root@server:~# service rsyslog restart
- For both:
root@server:~# /etc/init.d/bind9 restart
- Check /var/log/syslog for messages of BIND restarting, loading zone files, sending and receiving notifications, and so on. Check that sample queries still work.
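Once the jail is built it is worth verifying it, because the two failure modes look different: an incomplete jail (missing device node, unreadable config) makes named fail at start-up, whereas a complete jail with a wrong OPTIONS line quietly runs BIND outside it. The check below is an added example, not from this page; it assumes the directory layout, device nodes, ownership and /etc/default/bind9 settings from the steps above, and the function and parameter names are my own (the defaults path and owner are parameters so it can be pointed at a test tree).

```python
import os
import pwd
import stat

def read_options(defaults):
    """Value of OPTIONS=... in a Debian defaults file ('' if the file or line is absent)."""
    if not os.path.isfile(defaults):
        return ""
    with open(defaults) as fh:
        lines = [ln for ln in fh if ln.startswith("OPTIONS=")]
    return lines[-1].split("=", 1)[1].strip().strip('"') if lines else ""

def flag_value(opts, flag):
    """Argument following flag in an argv-style list, or None when absent."""
    i = opts.index(flag) + 1 if flag in opts else len(opts)
    return opts[i] if i < len(opts) else None

def owner_name(path):
    """User name owning path, or the bare uid when it has no passwd entry."""
    uid = os.stat(path).st_uid
    entry = next((p for p in pwd.getpwall() if p.pw_uid == uid), None)
    return entry.pw_name if entry else str(uid)

def check_bind_chroot(root, defaults="/etc/default/bind9", owner="bind"):
    """Return a list of problems; empty means the jail matches the layout from the page."""
    problems = []
    for d in ("etc/bind", "var/run/named", "var/cache/bind"):  # dirs created and chowned above
        path = os.path.join(root, d)
        if not os.path.isdir(path):
            problems.append(f"missing directory {path}")
        elif owner_name(path) != owner:
            problems.append(f"{path} is not owned by {owner}")
    for dev in ("null", "random"):  # must be the same character devices as the host's
        path = os.path.join(root, "dev", dev)
        try:
            st = os.stat(path)
            if not stat.S_ISCHR(st.st_mode) or st.st_rdev != os.stat(f"/dev/{dev}").st_rdev:
                problems.append(f"{path} is not the host's /dev/{dev} character device")
        except FileNotFoundError:
            problems.append(f"missing device node {path}")
    if not os.path.isfile(os.path.join(root, "etc/bind/named.conf")):
        problems.append(f"missing {root}/etc/bind/named.conf (copy /etc/bind/* into the jail)")
    opts = read_options(defaults).split()  # named only enters the jail if started with -t
    if flag_value(opts, "-t") != root:
        problems.append(f"OPTIONS in {defaults} does not contain '-t {root}'")
    if flag_value(opts, "-u") != owner:
        problems.append(f"OPTIONS in {defaults} does not drop privileges with '-u {owner}'")
    return problems
```

On the real server, check_bind_chroot("/chroot/bind") should return an empty list after the steps above; run it again after package upgrades, which can rewrite /etc/default/bind9.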
Update the router
Finally, update the router to point to these nameservers instead of the ones at the ISP. Normally, the router picks up the ISP's nameservers when it connects to the ISP. The router then acts as a recursive nameserver for the machines on the LAN, handing out its own address as the nameserver when machines register with DHCP.
You should be able to tell the router to use Server and Desktop as its nameservers instead. Server and Desktop both know about the ISP's nameservers for finding the IPs of machines outside the LAN. This means that the sequence of DNS requests is:
- DHCP-connected machine asks the router for an IP number,
- Router asks Server for the IP number,
- Server asks the ISP's nameserver for the IP number,
- ISP's nameserver finds it from somewhere and returns it.
See also
For a tutorial on how to set up nameservers, read BIND for the Small LAN by Paul Heinlein.
Other sources are the book Pro DNS and Bind, which is a great resource on the intricacies of BIND (especially Chapter 5 on BIND and Chapter 6 giving example setups).
There is also the Ubuntu BIND9 howto and the Debian howtos on setting up a BIND server and chrooting a BIND server.
Finally, the /usr/share/doc/bind9/README.Debian.gz file on your machine's local disk has some good pointers.
