How to configure DNS Server
From FedoraNEWS.ORG
Written by Bimal Pandit on 2005-11-04
I am writing this article from my own experience, to share with all of you in the hope that it helps someone configure a DNS server on their network. The example I use here is one I have implemented and tested, except that the domain I use is imaginary, or call it unregistered.
Domain :- bimalpandit.com
IP (DNS server) :- 10.11.12.5
IP (Mail server) :- 10.11.12.6 and 10.11.12.7
IP (Proxy server) :- 10.11.12.254
Tested on :- RH9 and FC3
NOTE:-
1) One can choose whether or not to run the DNS server in a chrooted environment. In a chrooted environment the point of reference becomes "/var/named/chroot/": for example, if you install FC3 and the package "bind-chroot-9.2.4-2", think of "/var/named/chroot/" as "/" and everything else stays the same (so /etc/named.conf in this article is really /var/named/chroot/etc/named.conf).
2) All clients should point to "10.11.12.5" as their nameserver (DNS server), i.e. put "nameserver 10.11.12.5" in the client's /etc/resolv.conf (note the spelling: resolv.conf, with no "e").
3) The Scenario is as shown in the figure...
Here are my configurations...
1) In /etc/named.conf add the following entries:
// for forward lookup
zone "bimalpandit.com" IN {
type master;
file "bimalpandit_for";
allow-update { none; };
};
// for reverse lookup (for network address 10.11.12, i.e. a /24)
zone "12.11.10.in-addr.arpa" IN {
type master;
file "bimalpandit_rev";
allow-update { none; };
};
// alternatively, for reverse lookup of the whole 10.11 network (a /16);
// this replaces the /24 zone above: a file written for 12.11.10.in-addr.arpa
// (SOA owner 12.11.10.in-addr.arpa.) will not load under 11.10.in-addr.arpa,
// so if you keep both zones give each its own file
zone "11.10.in-addr.arpa" IN {
type master;
file "bimalpandit_rev";
allow-update { none; };
};
NOTE:-
For a reverse zone the network part of the address is written in reverse octet order, and the octets left out of the zone name become the owner names inside bimalpandit_rev. Here the network address is 10.11.12, so the zone is 12.11.10.in-addr.arpa and only the last octet (5 for 10.11.12.5) appears in the file; if the network address were 10.11, the zone would be 11.10.in-addr.arpa and the last two octets appear, again in reverse order (5.12), in the file. See the examples below.
The bimalpandit_for and bimalpandit_rev files live in /var/named/<file> (under the chroot, /var/named/chroot/var/named/<file>), which is the "directory" set in named.conf.
a) bimalpandit_for
$TTL 86400 ; default TTL for records that give none
@ 7200 IN SOA bimalpandit.com. admin.bimalpandit.com. ( ; primary master, contact admin@bimalpandit.com
2005071101 ; Serial - bump it (YYYYMMDDnn) on every change, or slaves never pick the change up
10800 ; Refresh
3600 ; Retry
604800 ; Expire
7200 ) ; Minimum (negative-caching TTL in BIND 9)
@ IN NS ns.bimalpandit.com.
@ IN MX 10 mail1.bimalpandit.com.
@ IN MX 20 mail2.bimalpandit.com.
@ IN A 10.11.12.5
ns.bimalpandit.com. IN A 10.11.12.5 ; NS and MX targets must have A records, not CNAMEs
mail1.bimalpandit.com. IN A 10.11.12.6
mail2.bimalpandit.com. IN A 10.11.12.7
www IN CNAME bimalpandit.com. ; no trailing dot on www, so it is www.bimalpandit.com
mail IN CNAME mail1.bimalpandit.com.
b) bimalpandit_rev (for network address 10.11.12)
$TTL 86400
12.11.10.in-addr.arpa. IN SOA bimalpandit.com. admin.bimalpandit.com. (
1997022700 ; Serial - left over from the stock localhost zone; bump it on every change as in the forward zone
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
12.11.10.in-addr.arpa. IN NS ns.bimalpandit.com.
5 IN PTR bimalpandit.com. ; 10.11.12.5; the owner is relative to 12.11.10.in-addr.arpa
6 IN PTR mail1.bimalpandit.com. ; the mail servers need PTRs too; many MTAs reject mail from hosts without one
7 IN PTR mail2.bimalpandit.com.
c) bimalpandit_rev (for network address 10.11)
$TTL 86400
11.10.in-addr.arpa. IN SOA bimalpandit.com. admin.bimalpandit.com. (
1997022700 ; Serial - bump it on every change
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
11.10.in-addr.arpa. IN NS ns.bimalpandit.com.
5.12 IN PTR bimalpandit.com. ; 10.11.12.5: the two host octets, reversed, relative to 11.10.in-addr.arpa
6.12 IN PTR mail1.bimalpandit.com.
7.12 IN PTR mail2.bimalpandit.com.
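As an added example (my own code, not part of the original article), the following Python script derives the reverse zone name and the PTR owner names from the forward zone's A records, for both the /24 (10.11.12) and /16 (10.11) cases shown above, and writes out a reverse zone in the same layout. The A records are constructed from bimalpandit_for; the SOA timer values are the article's, and ns.bimalpandit.com. is assumed as the SOA primary name server.

```python
# Added example (not from the original article): derive the in-addr.arpa zone
# name and the PTR owner names from the forward zone's A records.
from collections import OrderedDict

# Constructed input, taken from the article's bimalpandit_for zone.
A_RECORDS = [
    ("bimalpandit.com.", "10.11.12.5"),
    ("ns.bimalpandit.com.", "10.11.12.5"),
    ("mail1.bimalpandit.com.", "10.11.12.6"),
    ("mail2.bimalpandit.com.", "10.11.12.7"),
]


def _octets(dotted):
    """Split '10.11.12' into [10, 11, 12], rejecting anything outside 0-255."""
    parts = dotted.split(".")
    if not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError("bad dotted decimal value: %r" % dotted)
    return [int(p) for p in parts]


def reverse_zone_name(prefix):
    """'10.11.12' -> '12.11.10.in-addr.arpa.' ; '10.11' -> '11.10.in-addr.arpa.'"""
    net = _octets(prefix)
    if not 1 <= len(net) <= 3:
        raise ValueError("network prefix must have 1 to 3 octets: %r" % prefix)
    return ".".join(str(o) for o in reversed(net)) + ".in-addr.arpa."


def ptr_owner(ip, prefix):
    """Owner name of the PTR for ip, relative to the reverse zone of prefix.

    The octets the zone name does not cover are written in reverse order, so
    10.11.12.5 is '5' in 12.11.10.in-addr.arpa but '5.12' in 11.10.in-addr.arpa.
    """
    addr = _octets(ip)
    if len(addr) != 4:
        raise ValueError("not an IPv4 address: %r" % ip)
    net = _octets(prefix)
    if addr[:len(net)] != net:
        raise ValueError("%s is not inside network %s" % (ip, prefix))
    return ".".join(str(o) for o in reversed(addr[len(net):]))


def build_reverse_zone(prefix, a_records, primary_ns, contact, serial):
    """Return the text of a reverse zone file in the article's layout.

    When several names share one address (bimalpandit.com. and ns.bimalpandit.com.
    both live at 10.11.12.5) the first name listed becomes the PTR target, as in
    the article; every name must be fully qualified (trailing dot).
    """
    zone = reverse_zone_name(prefix)
    targets = OrderedDict()
    for name, ip in a_records:
        if not name.endswith("."):
            raise ValueError("PTR target must be fully qualified: %r" % name)
        targets.setdefault(ip, name)
    lines = [
        "$TTL 86400",
        "%s IN SOA %s %s (" % (zone, primary_ns, contact),
        "%d ; Serial" % serial,
        "28800 ; Refresh",
        "14400 ; Retry",
        "3600000 ; Expire",
        "86400 ) ; Minimum",
        "%s IN NS %s" % (zone, primary_ns),
    ]
    for ip, name in targets.items():
        lines.append("%s IN PTR %s" % (ptr_owner(ip, prefix), name))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for prefix in ("10.11.12", "10.11"):
        print(build_reverse_zone(prefix, A_RECORDS, "ns.bimalpandit.com.",
                                 "admin.bimalpandit.com.", 2005110401))
```

Run it and compare the two outputs with files b) and c) above: only the zone name and the PTR owner names differ, which is the whole point of the note on reverse lookup.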
NOTE:-
In the mentioned example
1) The entries in these files are in columns: column 1 is the owner name (the thing you want to look up), then an optional TTL, the class (IN), the record type, and finally the value, i.e. the actual name or IP address. The one exception is the MX type, which carries a preference number in front of its value.
2) @ stands for the zone name defined in named.conf: bimalpandit.com for the forward zone and 12.11.10.in-addr.arpa for the reverse zone. You can write either form; @ is just shorter, e.g.
@ IN MX 10 mail1.bimalpandit.com.
bimalpandit.com. IN MX 10 mail1.bimalpandit.com.
are both the same.
3) Remember that a name in column 1, and a name in the value column, that does not end in "." has the zone name appended, i.e. it is relative; a name ending in "." is an FQDN. So bimalpandit.com. and www are different: www becomes www.bimalpandit.com, while bimalpandit.com. stays as it is. A name with dots in the middle but no trailing dot is almost always a mistake, as mail1.bimalpandit.com would become mail1.bimalpandit.com.bimalpandit.com.
4) The nameserver (NS) value must be a host name, never an IP address, i.e.
@ IN NS 10.11.12.5
does not work: BIND reads 10.11.12.5 as a relative name (10.11.12.5.bimalpandit.com) and resolvers cannot use it. Give the nameserver a name and an A record, as ns.bimalpandit.com. has above, so that the name can be resolved before it is used.
5) The MX record carries a positive whole number next to it. It is the preference among several mail exchangers, and a lower number has higher precedence, e.g.
@ IN MX 10 mail1.bimalpandit.com.
@ IN MX 20 mail2.bimalpandit.com.
so mail is delivered to mail1.bimalpandit.com first and, if it is unavailable, to mail2.bimalpandit.com.
6) Take care with the "." after names, as shown, e.g. "mail1.bimalpandit.com.", "bimalpandit.com." etc.
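To catch the mistakes notes 3, 4 and 6 describe before named does, here is an added Python zone-file lint (example code of mine, not from the article). The two zones embedded in it are constructed: one is the forward zone above, which should pass, and the other is the same zone with an NS pointing at an IP address, a CNAME value missing its trailing dot, and a www that has both a CNAME and an A record (BIND refuses to load a zone where a CNAME owner has other records).

```python
# Added example (not from the original article): lint a master zone file for
# a value without its trailing dot, an NS/MX/CNAME/PTR pointing at an address,
# and a CNAME owner that also has other records.
import re

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# record types whose value is a host name, and where that name sits in the value columns
NAME_FIELD = {"NS": 0, "CNAME": 0, "PTR": 0, "MX": 1}

# Constructed from the article's bimalpandit_for file: should lint clean.
GOOD_ZONE = """\
$TTL 86400
@ 7200 IN SOA bimalpandit.com. admin.bimalpandit.com. (
2005071101 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
7200 ) ; Minimum
@ IN NS ns.bimalpandit.com.
@ IN MX 10 mail1.bimalpandit.com.
@ IN MX 20 mail2.bimalpandit.com.
@ IN A 10.11.12.5
ns.bimalpandit.com. IN A 10.11.12.5
mail1.bimalpandit.com. IN A 10.11.12.6
mail2.bimalpandit.com. IN A 10.11.12.7
www IN CNAME bimalpandit.com.
mail IN CNAME mail1.bimalpandit.com.
"""

# Constructed: the same zone with three of the mistakes from the notes.
BAD_ZONE = """\
$TTL 86400
@ IN SOA ns.bimalpandit.com. admin.bimalpandit.com. ( 2005071102 10800 3600 604800 7200 )
@ IN NS 10.11.12.5
@ IN A 10.11.12.5
mail IN CNAME mail1.bimalpandit.com
www IN CNAME bimalpandit.com.
www IN A 10.11.12.5
"""


def _logical_lines(text):
    """Yield (line_no, text) with ';' comments removed and '( ... )' groups joined."""
    buf, depth, start = [], 0, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0]
        if not buf:
            start = no
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            joined = " ".join(buf)
            buf, depth = [], 0
            if joined.strip():
                yield start, joined


def _parse(line):
    """Return (owner or None, record type, value columns) for one record."""
    tokens = line.replace("(", " ").replace(")", " ").split()
    owner = None
    if not line[0].isspace():            # a line starting in column 1 names its owner
        owner = tokens.pop(0)
    if tokens and tokens[0].isdigit():   # optional TTL
        tokens.pop(0)
    if tokens and tokens[0].upper() in ("IN", "CH", "HS"):   # optional class
        tokens.pop(0)
    if not tokens:
        raise ValueError("no record type in: %r" % line)
    return owner, tokens.pop(0).upper(), tokens


def lint_zone(text):
    """Return a list of problems found; [] means the zone looks clean."""
    problems, owner, types_by_owner = [], None, {}
    for no, line in _logical_lines(text):
        if line.lstrip().startswith("$"):   # $TTL, $ORIGIN and friends
            continue
        own, rtype, value = _parse(line)
        if own is not None:
            owner = own
        if owner is None:
            problems.append("line %d: record has no owner name" % no)
            continue
        types_by_owner.setdefault(owner, set()).add(rtype)
        if rtype in NAME_FIELD:
            idx = NAME_FIELD[rtype]
            if len(value) <= idx:
                problems.append("line %d: %s record is missing its value" % (no, rtype))
                continue
            target = value[idx]
            if IPV4_RE.match(target):
                problems.append("line %d: %s must point at a host name, not the address %s"
                                % (no, rtype, target))
            elif "." in target and not target.endswith("."):
                problems.append("line %d: %s value %s has no trailing dot and will be read as a relative name"
                                % (no, rtype, target))
    for own, types in types_by_owner.items():
        if "CNAME" in types and len(types) > 1:
            problems.append("%s: CNAME cannot coexist with other records (%s)"
                            % (own, ", ".join(sorted(types - {"CNAME"}))))
    return problems


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, lint_zone(zone) or "clean")
```

This complements rather than replaces named-checkzone, which checks syntax; the lint looks for the semantic slips that load fine but resolve wrongly.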
Now add the following entry to "/etc/resolv.conf" on the server itself:
nameserver 10.11.12.5
Now run "service named restart" and test your DNS server as shown below (with results). Before restarting, "named-checkconf /etc/named.conf" and "named-checkzone bimalpandit.com /var/named/bimalpandit_for" catch syntax errors in the configuration and zone files that named would otherwise only report in /var/log/messages. You will also need to adjust your firewall rules if you have any (named needs port 53 on both UDP and TCP); I would suggest stopping the firewall first, checking your results, and then starting the firewall and writing the rules accordingly, as this helps you to test your DNS smoothly.
[bimal bimalserver@bimal]$ host www.bimalpandit.com
www.bimalpandit.com is an alias for bimalpandit.com.
bimalpandit.com has address 10.11.12.5
[bimal bimalserver@bimal]$ host bimalpandit.com
bimalpandit.com has address 10.11.12.5
[bimal bimalserver@bimal]$ host mail1.bimalpandit.com
mail1.bimalpandit.com has address 10.11.12.6
[bimal bimalserver@bimal]$ host mail.bimalpandit.com
mail.bimalpandit.com is an alias for mail1.bimalpandit.com.
mail1.bimalpandit.com has address 10.11.12.6
[bimal bimalserver@bimal]$ host -t MX bimalpandit.com
bimalpandit.com mail is handled by 20 mail2.bimalpandit.com.
bimalpandit.com mail is handled by 10 mail1.bimalpandit.com.
[bimal bimalserver@bimal]$ host 10.11.12.5
5.12.11.10.in-addr.arpa domain name pointer bimalpandit.com.
NOTE:-
1) One can also use the "dig" command to query, e.g. "dig @10.11.12.5 bimalpandit.com MX".
2) To control who may query your DNS server, create an access control list as I did (internalnet) and allow only it to query (here the 10.11.12.x network). Restrict recursion to the same list: with forwarders configured, named answers recursive queries for every address allow-query admits, and a server that recurses for the whole Internet (an open resolver) gets abused for reflection and amplification attacks and is an easier target for cache poisoning. So your named.conf should have an entry like
acl internalnet { 10.11.12/24; };
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
allow-query { internalnet; };
allow-recursion { internalnet; };
};
3) In the figure 2 scenario, a client sends its query to the local DNS server (here 10.11.12.5) first; if that server cannot answer from its own zones, it forwards the query to the other server shown. For this, put a "forwarders" entry under "options" in the local DNS server's named.conf, so it looks like
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
forwarders { 10.11.12.254; };
// add "forward only;" here if this server cannot reach the root servers itself;
// otherwise named falls back to full recursion whenever the forwarder does not answer
};
4) In your situation you may not have a proxy server but some other means of reaching the Internet. If you use scenario 2 (figure 2), you have two options:
- Your clients use the proxy server as their gateway; in this case you need not configure a DNS server on the proxy server.
- Your clients have some other gateway address but use the proxy server for Internet access; in this case you need to configure a DNS server on the proxy server too, and again there are two options. If your local DNS server is the proxy server itself, just add forwarders as
forwarders { <ISP's DNS1>; <ISP's DNS2>; <ISP's DNS3>; };
If another machine on your local network is the DNS server, then both the proxy server and the DNS server need a forwarders entry: the proxy server forwards to the ISP's DNS, and the local DNS server forwards to the DNS on the proxy server.
And do not forget to start the DNS server on the proxy too.
5) For a master and secondary/slave DNS setup, the zone entries in the slave's named.conf look like this (the slave copies the zone from the master with a zone transfer, AXFR; add a "file" line if it should keep the copy on disk, in a directory named can write to):
zone "bimalpandit.com" IN {
type slave;
masters { <IP of Master>; };
};
Note the braces: "masters <IP of Master>;" without them is a syntax error. On the master, add "allow-transfer { <IP of Slave>; };" to the zone entry (or to options); without it BIND 9.2 lets any host transfer the whole zone, which hands an attacker your complete host list.
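Notes 2 and 5 both come down to three access-control statements that named loads happily when they are missing. As an added example (my code, not the article's), the following Python script parses a named.conf far enough to report a missing allow-query, recursion that is on but not limited by allow-recursion, and master zones that have no allow-transfer. The two configurations embedded in it are constructed: the first is the article's named.conf as shown in note 2, the second the same file with recursion and transfers restricted.

```python
# Added example (not from the original article): parse named.conf and report
# missing access controls from notes 2 and 5. named-checkconf checks syntax;
# this checks policy. A simplified parser: a "//" inside a quoted string would
# be mistaken for a comment.
import re

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

# Constructed: the article's named.conf as shown in note 2 (allow-query only).
WEAK_CONF = """
acl internalnet { 10.11.12/24; };
options {
    directory "/var/named";
    forwarders { 10.11.12.254; };
    allow-query { internalnet; };
};
// for forward lookup
zone "bimalpandit.com" IN {
    type master;
    file "bimalpandit_for";
    allow-update { none; };
};
zone "12.11.10.in-addr.arpa" IN {
    type master;
    file "bimalpandit_rev";
    allow-update { none; };
};
"""

# Constructed: the same file with recursion and transfers restricted.
HARDENED_CONF = WEAK_CONF.replace(
    "    allow-query { internalnet; };\n",
    "    allow-query { internalnet; };\n"
    "    allow-recursion { internalnet; };\n"
    "    allow-transfer { none; };\n")


def parse_named_conf(text):
    """Return [(head, body)] statements; body is None for 'type master;' style
    statements and a nested list for 'allow-query { ... };'."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)               # /* */ comments
    tokens = TOKEN_RE.findall(re.sub(r"(//|#)[^\n]*", " ", text))     # // and # comments
    pos = 0

    def block():
        nonlocal pos
        nodes = []
        while pos < len(tokens) and tokens[pos] != "}":
            head = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";"):
                head.append(tokens[pos].strip('"'))
                pos += 1
            if pos >= len(tokens):
                raise ValueError("unterminated statement: " + " ".join(head))
            if tokens[pos] == ";":
                pos += 1
                nodes.append((head, None))
                continue
            pos += 1                                   # skip "{"
            body = block()
            if pos >= len(tokens):
                raise ValueError("missing '}' after: " + " ".join(head))
            pos += 1                                   # skip "}"
            if pos < len(tokens) and tokens[pos] == ";":
                pos += 1
            nodes.append((head, body))
        return nodes

    return block()


def _find(nodes, name):
    return [n for n in nodes if n[0] and n[0][0] == name]


def _value(nodes, name):
    """Arguments of a simple statement, e.g. ['master'] for 'type master;'."""
    hits = _find(nodes, name)
    return hits[0][0][1:] if hits else None


def audit_named_conf(text):
    """Return a list of findings; [] means every check passed."""
    findings = []
    tree = parse_named_conf(text)
    opts = _find(tree, "options")
    obody = (opts[0][1] or []) if opts else []
    if not _find(obody, "allow-query"):
        findings.append("options: no allow-query, so anyone who can reach port 53 may query this server")
    if _value(obody, "recursion") != ["no"] and not _find(obody, "allow-recursion"):
        findings.append("options: recursion is on (the default) but not limited by allow-recursion; "
                        "this is an open resolver for every host allow-query admits")
    global_transfer = bool(_find(obody, "allow-transfer"))
    for head, body in _find(tree, "zone"):
        body = body or []
        if _value(body, "type") == ["master"] and not global_transfer \
                and not _find(body, "allow-transfer"):
            findings.append('zone "%s": master zone without allow-transfer, so any host may copy it with AXFR'
                            % (head[1] if len(head) > 1 else "?"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_named_conf(conf) or "ok")
```

For a master that feeds a slave, replace "allow-transfer { none; }" with the slave's address, as note 5 says; the audit only asks that some allow-transfer exists.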
Useful Links
- Linux Gazette Archives:- Hidden master DNS (http://www.linuxgazette.com/node/705)
- DNS Configuration Types (http://www.zytrax.com/books/dns/ch4/)
- Domain Name Service - dns Setup & Configuration (http://www.adminschoice.com/docs/domain_name_service.htm)
- Running the BIND9 DNS Server securely (http://www.boran.com/security/sp/bind9_20010430.html)