Robert's Virtual Networking - east82.com

BIND DNS Ubuntu: Make an Ubuntu DNS server

First, a brief intro to DNS

DNS stands for Domain Name System: a networked group of computers that resolve URLs, or Fully Qualified Domain Names (FQDNs), to IP addresses, and sometimes the other way around in a reverse query. A server in this system is a Domain Name Server.

We use computer names or URLs; networks use IP addresses. You enter www.cisco.com in your browser, but you don't connect until a DNS server returns an IP address. Your computer knows the IP addresses of its DNS server(s) because they were either entered statically or supplied via DHCP. Obviously there is more. Here is a tutorial.

Let's get going

First we need to install BIND9, which is our DNS service. The IP address of our Ubuntu server is 192.168.11.3; we'll need this later.

sudo apt-get install bind9 dnsutils

BIND will install configuration files to the /etc/bind directory. Here we're concerned with three files:

  • /etc/bind/named.conf.local - This file tells BIND where to find the files for our zone, in our case lopez.loc. A DNS zone is a grouping of computers for a particular namespace. Later we will create and configure those files, a forward and a reverse lookup.

  • /etc/bind/named.conf.options - This tells BIND which other DNS server(s) it should send the requests it cannot resolve to. Since our DNS server is authoritative for the lopez.loc zone, we can resolve DNS requests for computers in the lopez.loc domain. However, if we get a request for cisco.com, we have no clue what the IP addresses are in that zone, so we forward the request to the DNS servers listed in this file for resolution.

    Configuring this on your DNS server makes it a caching server. What happens is this: computer A on the LAN sends a request to the DNS server for, say, prometric.com. We can't resolve this, so we hand it to one of the "forwarders". When the answer returns, computer A connects to prometric and the DNS server caches the answer. When the same request is made again, instead of forwarding it the server simply returns the cached answer, making resolution faster for future requests. Pretty cool!

  • /etc/resolv.conf - OK, this isn't installed by BIND. This is our nameserver file and tells the computer which DNS server(s) to send requests for DNS resolution to.

    We want to make sure the IP address of our DNS server is entered here, otherwise our DNS server won't be contacted for resolution. This is local only and needs to be configured on each Linux machine. It's different in Windows, but similar. Also, if you use DHCP, you need to make this server the primary DNS server in your scope.

    The IP addresses listed in resolv.conf are used differently from the IP addresses listed in named.conf.options. resolv.conf lists the DNS servers the computer sends its requests to; named.conf.options lists the servers the DNS service forwards requests to.

Creating and configuring forward and reverse zone files

Create the files

sudo touch /etc/bind/db.lopez.loc
sudo touch /etc/bind/rev.11.168.192.in-addr.arpa

Let's start with the db.lopez.loc file, our forward lookup. Open the db.lopez.loc file in a text editor such as nano or vi and, in the case of my configuration, enter the following.
e.g. sudo nano /etc/bind/db.lopez.loc

;
;
$TTL 1h
$ORIGIN lopez.loc.
@           IN         SOA    kasparov.lopez.loc. robert.lopez.loc. (
                             2 ; Serial
                        604800 ; Refresh
                         86400 ; Retry
                       2419200 ; Expire
                        604800 ) ; Negative Cache TTL
;
@ IN NS kasparov.lopez.loc.
@ IN MX 10 mail.lopez.loc.
@ IN A 192.168.11.3
kasparov IN A 192.168.11.3
mail IN A 192.168.11.4
lasker IN A 192.168.11.4
www IN A 192.168.11.3

;

The first line, $TTL 1h, tells secondary DNS servers to hold the data for 1 hour before requesting a zone transfer.

The $ORIGIN directive says to append lopez.loc to unqualified entries. For example, the @ symbol that appears at the beginning of entries is replaced with lopez.loc. Another example is the last entry, which could have been written in full as:
www.lopez.loc       IN        A          192.168.11.3
 
@           IN         SOA    kasparov.lopez.loc. robert.lopez.loc.
says the authoritative server is kasparov.lopez.loc and the contact email is robert@lopez.loc. NOTE the periods at the end of the entries, and the use of . instead of @ in the email address. The next lines are:
Serial — the zone serial number, incremented when the zone file is modified, so the slave and secondary name servers know the zone has changed and should be reloaded.
Refresh — the number of seconds between update requests from secondary name servers.
Retry — the number of seconds a secondary server will wait before retrying when the last attempt has failed.
Expire — the number of seconds a secondary will wait before considering the data stale if it cannot reach the primary name server.

Next, the actual records:
The @ is shorthand for the domain itself. So, @ IN NS kasparov.lopez.loc. is the same as lopez.loc IN NS kasparov.lopez.loc.

NS means kasparov is a name server.
MX is the mail server record for lopez.
@ IN A 192.168.11.3 means that the computer with the IP indicated (our DNS server) is lopez.loc. So if someone pings or requests a web page from lopez.loc, that computer responds. The remaining lines map the host names kasparov, mail, lasker and www to their IP addresses.

If you dissect the above you'll see that www.lopez.loc, lopez.loc, and kasparov.lopez.loc will all resolve to the computer with the IP 192.168.11.3; mail.lopez.loc and lasker.lopez.loc will resolve to 192.168.11.4.

OK, time to create our reverse lookup records. Reverse lookups are used to verify identities. For example, I send you an email claiming to be from east82.com. The receiving email server has the actual IP I sent from, does a reverse lookup and verifies that I am from the domain I claim to be from.

;
;
$TTL 1h
$ORIGIN 11.168.192.in-addr.arpa.
@           IN         SOA    kasparov.lopez.loc. robert.lopez.loc. (
                             2 ; Serial
                        604800 ; Refresh
                         86400 ; Retry
                       2419200 ; Expire
                        604800 ) ; Negative Cache TTL
;
@ IN NS kasparov.lopez.loc.
3 IN PTR kasparov.lopez.loc.
3 IN PTR lopez.loc.
3 IN PTR www.lopez.loc.
4 IN PTR lasker.lopez.loc.
4 IN PTR mail.lopez.loc.
;

A few differences here. We have our standard NS record followed by pointer records (PTR), which make use of the $ORIGIN directive. 3 IN PTR kasparov.lopez.loc. means that 3.11.168.192.in-addr.arpa, that is the address 192.168.11.3, resolves to kasparov.lopez.loc. Notice how the "3" is prepended to the value from the $ORIGIN directive. Wait a minute, you say, the IP address is backwards. Yup, because it truly is a reverse lookup and that's how it resolves.
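The forward and reverse files above describe the same hosts from two directions, and the two drift apart easily once records are added by hand. The following added example, my own code rather than anything from the tutorial, is a small master-file parser that reads constructed copies of both lopez.loc zones (with the reverse $ORIGIN written as 11.168.192.in-addr.arpa, the form BIND expects), handles the multi-line SOA and the blank-owner NS line, and reports every A record without a matching PTR and every PTR without a matching A. The function names are my own.

```python
"""Added example (not from the tutorial): parse the lopez.loc forward and
reverse zones and check that A and PTR records agree with each other."""

# Constructed copies of the tutorial's zone files.
FORWARD_ZONE = """\
$TTL 1h
$ORIGIN lopez.loc.
@ IN SOA kasparov.lopez.loc. robert.lopez.loc. (
        2 ; Serial
   604800 ; Refresh
    86400 ; Retry
  2419200 ; Expire
   604800 ) ; Negative Cache TTL
@ IN NS kasparov.lopez.loc.
@ IN MX 10 mail.lopez.loc.
@ IN A 192.168.11.3
kasparov IN A 192.168.11.3
mail IN A 192.168.11.4
lasker IN A 192.168.11.4
www IN A 192.168.11.3
"""

REVERSE_ZONE = """\
$TTL 1h
$ORIGIN 11.168.192.in-addr.arpa.
@ IN SOA kasparov.lopez.loc. robert.lopez.loc. (
        2 ; Serial
   604800 ; Refresh
    86400 ; Retry
  2419200 ; Expire
   604800 ) ; Negative Cache TTL
  IN NS kasparov.lopez.loc.
3 IN PTR kasparov.lopez.loc.
3 IN PTR lopez.loc.
3 IN PTR www.lopez.loc.
4 IN PTR lasker.lopez.loc.
4 IN PTR mail.lopez.loc.
"""

NAME_TYPES = {"NS", "PTR", "CNAME"}  # record types whose rdata is a domain name


def _qualify(name, origin):
    """Apply the $ORIGIN rule: '@' is the origin, relative names get it appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (owner, type, rdata-fields) tuples with owners fully qualified,
    lower-cased and without the trailing dot."""
    origin, last_owner, records, pending, depth = ".", None, [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # ';' starts a comment
        if not line.strip():
            continue
        pending.append(line)
        depth += line.count("(") - line.count(")")  # the SOA spans several lines
        if depth > 0:
            continue
        starts_blank = pending[0][0].isspace()  # blank owner = previous owner
        fields = " ".join(pending).replace("(", " ").replace(")", " ").split()
        pending = []
        if fields[0].startswith("$"):  # $TTL / $ORIGIN directives
            if fields[0] == "$ORIGIN":
                origin = fields[1]
            continue
        owner = last_owner if starts_blank else _qualify(fields.pop(0), origin)
        last_owner = owner
        if fields and fields[0].isdigit():  # optional TTL (numeric form only)
            fields.pop(0)
        if fields and fields[0] in ("IN", "CH", "HS"):  # optional class
            fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        if rtype in NAME_TYPES:
            rdata[0] = _qualify(rdata[0], origin)
        records.append((owner.rstrip(".").lower(), rtype, rdata))
    return records


def reverse_name(ip):
    """192.168.11.3 -> 3.11.168.192.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def ip_from_reverse_name(name):
    """3.11.168.192.in-addr.arpa -> 192.168.11.3"""
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))


def check_consistency(fwd_text, rev_text):
    """Return (a_without_ptr, ptr_without_a) as sorted (name, ip) pairs."""
    a_map, ptr_map = {}, {}
    for owner, rtype, rdata in parse_zone(fwd_text):
        if rtype == "A":
            a_map.setdefault(owner, set()).add(rdata[0])
    for owner, rtype, rdata in parse_zone(rev_text):
        if rtype == "PTR":
            ptr_map.setdefault(owner, set()).add(rdata[0].rstrip(".").lower())
    a_without_ptr = sorted((n, ip) for n, ips in a_map.items() for ip in ips
                           if n not in ptr_map.get(reverse_name(ip), set()))
    ptr_without_a = sorted((n, ip_from_reverse_name(rev)) for rev, names in ptr_map.items()
                           for n in names if ip_from_reverse_name(rev) not in a_map.get(n, set()))
    return a_without_ptr, ptr_without_a
```

Run against the tutorial's two files both lists come back empty; drop one PTR or one A record and the missing pair is reported by name and address. The parser only understands the subset of master-file syntax these files use (numeric TTLs, IN class, parenthesised SOA), which is enough to catch a forgotten reverse entry before BIND serves it.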

Well, the hard part is over ...let's press on.

Modifying DNS configuration files

Open /etc/bind/named.conf.local in a text editor and modify it to look like this:

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "lopez.loc" {
    type master;
    file "/etc/bind/db.lopez.loc";
};

zone "11.168.192.in-addr.arpa" {
    type master;
    notify no;
    file "/etc/bind/rev.11.168.192.in-addr.arpa";
};

This file enumerates the zones we're responsible for and points to the files that hold the records, the ones we just created. type master; says we are the master DNS server for the zone and notify no; says not to notify secondary DNS servers of changes.

Open /etc/bind/named.conf.options in a text editor and modify it to look like this:

options {
    directory "/var/cache/bind";
    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.
    forwarders {
        131.XXX.XXX.12;
        131.XXX.XXX.194;
        206.XXX.XXX.65;
    };

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};

Replace the censored IPs with those of actual DNS servers. These are the other DNS servers to which your DNS server will forward the requests it cannot resolve.

Finally, open /etc/resolv.conf and update it to reflect your newly created DNS server.

nameserver 192.168.11.3
nameserver 131.XXX.XXX.12
nameserver 131.XXX.XXX.194
nameserver 206.XXX.XXX.65
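As explained earlier, resolv.conf and named.conf.options play different roles: the first is where this machine sends its own queries, the second is where BIND forwards what it cannot answer. The following added example, my own code and not part of the tutorial, parses constructed copies of both files and checks them against each other. It confirms that the BIND server's own address 192.168.11.3 is the first nameserver (the glibc resolver only moves on to the next server on timeout, not on a "no such name" answer, so a forwarder listed first would answer for lopez.loc and say it does not exist), warns when more than three nameservers are listed (glibc's MAXNS is 3, so the rest are ignored), and flags a forwarder that points back at the server itself. The 192.0.2.x addresses are constructed placeholders for the censored forwarder IPs; the function names are my own.

```python
"""Added example (not from the tutorial): cross-check /etc/resolv.conf against
the forwarders block of /etc/bind/named.conf.options."""
import ipaddress
import re

SERVER_IP = "192.168.11.3"  # the tutorial's BIND server
MAXNS = 3                   # glibc resolver limit on nameserver entries

# Constructed resolv.conf in the shape of the tutorial's: server first, then
# three forwarders (192.0.2.x are placeholders for the censored addresses).
RESOLV_CONF = """\
nameserver 192.168.11.3
nameserver 192.0.2.12
nameserver 192.0.2.194
nameserver 192.0.2.65
"""

# Constructed named.conf.options with the same three forwarders.
NAMED_OPTIONS = """\
options {
    directory "/var/cache/bind";
    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    forwarders {
        192.0.2.12;
        192.0.2.194;
        192.0.2.65;
    };
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
"""


def parse_resolv_conf(text):
    """Return nameserver addresses in file order. Like glibc, cut the address
    token at the first ';', '#' or whitespace and skip anything that is not
    an IP address."""
    servers = []
    for line in text.splitlines():
        if not line.startswith("nameserver"):
            continue
        token = re.split(r"[;#\s]", line[len("nameserver"):].strip(), maxsplit=1)[0]
        try:
            servers.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue
    return servers


def parse_forwarders(text):
    """Return the addresses inside the forwarders { ... }; block, ignoring
    // and # comments."""
    no_comments = "\n".join(re.split(r"//|#", line, maxsplit=1)[0] for line in text.splitlines())
    block = re.search(r"forwarders\s*\{([^}]*)\}", no_comments)
    if not block:
        return []
    return [str(ipaddress.ip_address(t.strip())) for t in block.group(1).split(";") if t.strip()]


def check_resolver_setup(server_ip, resolv_text, options_text):
    """Return a list of findings; an empty list means the two files agree
    with the tutorial's intent."""
    findings = []
    nameservers = parse_resolv_conf(resolv_text)
    if not nameservers or nameservers[0] != server_ip:
        findings.append(f"resolv.conf: {server_ip} is not the first nameserver, so "
                        "queries for the local zone go to a server that does not know it")
    if len(nameservers) > MAXNS:
        findings.append(f"resolv.conf: {len(nameservers)} nameservers listed; "
                        f"glibc uses only the first {MAXNS}")
    forwarders = parse_forwarders(options_text)
    if server_ip in forwarders:
        findings.append(f"named.conf.options: forwarder {server_ip} is the server "
                        "itself, which creates a forwarding loop")
    if not forwarders:
        findings.append("named.conf.options: no forwarders block found")
    return findings
```

On the constructed files the only finding is the fourth nameserver, which the resolver never consults; reorder resolv.conf so the BIND server is not first, or add the server's own address to its forwarders, and the corresponding finding appears.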

Restart DNS:
sudo /etc/init.d/bind9 restart

Restart networking:
sudo /etc/init.d/networking restart

And test, with dig:
dig lopez.loc

and with nslookup:
nslookup kasparov

Don't forget to update your computers that have static IP addresses. If you're running a DHCP server on your network, update that too, to reflect your new DNS server.

./Robert