DNS server


I have built my first ever DNS server. I want to build a DNS round robin cluster as one of my model school lab solutions - trying to improve upon the thin client model lab where currently the central server is a single point of failure. Anyway, I had to start at the beginning and learn about DNS first. So the rest of this post is about what I did, which if you know how to configure a DNS server will be rather boring for you and you need not read the extended body. This is really for me so that later on when I have to put something like this in an Appendix (thesis) I can just copy and paste large chunks from here :-)

I used The Complete FreeBSD (4th Edition - there doesn't appear to be a later edition from what Google tells me) as my DNS educator. Very awesome book, and while Ubuntu has changed some of the stuff in their implementation of bind, the book teaches you in such a way that you understand what is happening rather than just copying what they do verbatim and not knowing what is going on.

In Ubuntu, start by installing bind9, which should pull in dnsutils. Otherwise, you can specify them both directly:

apt-get install bind9 dnsutils
When it's done you will find all you need to configure the DNS server in /etc/bind/. In /etc/bind/ create a new db.<domainname here> file. My example domain was called local.org, so the file was db.local.org. Into it goes the following (I'm going to display the contents of the file first and then explain each section afterwards):
;Definition of zone .local.org.
$TTL 1d
local.org. IN SOA dns-server.local.org. root.local.org. (
2009041601 ; serial
1d ; refresh
2h ; retry
100d ; expire
1h ) ; negative cache

;name servers
IN NS ns
ns IN A 172.16.186.128;

;Hosts
localhost IN A 127.0.0.1
dns-server IN A 172.16.186.128;
tribble IN A 172.16.186.1;
bumble IN A 172.16.186.129;
edubuntu IN A 172.16.186.130;

The first line is just a comment about which zone this file describes, namely local.org. The $TTL line sets the Time To Live, the length of time that remote servers should cache the zone's records. Next comes the SOA record, the Start of Authority record, which defines the zone. The name, local.org., is the name of the zone, IN means Internet and refers to the Internet protocols, and SOA is the type of record. dns-server.local.org. is the master name server and root.local.org. is the email address of the DNS administrator (written with the @ replaced by a dot, so it means root@local.org). Next the serial number identifies the version of the zone file. As you make changes to the zone file you update the number, which is composed of the date followed by a number that identifies the change made on a given day. Remote servers check the serial number and will update their records when that number changes. All the remaining parameters describe the timeout characteristics of the zone and are fairly self explanatory with the comments in the file, except perhaps for the negative cache value. This comes into play when a record is requested that doesn't exist. The DNS server will respond to indicate that the record doesn't exist and return the SOA record to indicate it's authoritative. The local name server will then keep this negative answer for the period of time specified by the negative cache value before attempting the request again.

Next in the file are the name server records, which indicate where the name servers are. In this example the first line tells us that there is a name server for the zone and its name is ns. The second line is the A record for the name server ns. These are followed by the A records for all the hosts on the network; an A record maps a name to its IP address.

Next we need to provide the reverse lookups. Reverse lookups allow you to find the name of the machine or domain based on the IP address specified. For example, if you know that a particular IP tried to connect to your machine, using host with a reverse lookup you can get the host name of the machine in question. To do the reverse lookups we need another file. I called mine local-reverse and it looks like this:

;reverse dns for local.org.
$TTL 1d
@ IN SOA dns-server.local.org. root.local.org. (
2009041601 ;serial
1d ; refresh
2h ; retry
100d ; expire
2h ) ; negative cache

IN NS ns.local.org.

1 IN PTR tribble.local.org.
128 IN PTR dns-server.local.org.
129 IN PTR bumble.local.org.
130 IN PTR edubuntu.local.org.

This file looks similar to db.local.org with a few exceptions. The @ sign represents the name of the zone, which is given in the named.conf file (the name of this zone being 186.16.172.in-addr.arpa). The rest of the SOA record works in the same way as it did in the forward direction. This is then followed by the name server entry and the hosts. The name server entry is similar to before, but this time the full name is specified because the server is in a different zone (as are the hosts). The PTR records are Pointer Records and are used for reverse lookup. They only specify the last octet of the IP address, which is prepended to the zone name.
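The forward and reverse files are maintained by hand and have to agree with each other, and bind will load both even when they do not. As an added example that is not part of the original post, the following Python script cross-checks the two: it flags A records in the 172.16.186.0/24 range that have no PTR, and PTR records whose target is not a name with an A record for that address. The zone excerpts are constructed from the files above, with the SOA and NS lines left out.

```python
import ipaddress

# Constructed excerpts of the two zone files shown above (SOA and NS omitted).
FORWARD_ORIGIN, REVERSE_ORIGIN = "local.org.", "186.16.172.in-addr.arpa."
FORWARD_ZONE = """\
;name servers
ns IN A 172.16.186.128;
localhost IN A 127.0.0.1
dns-server IN A 172.16.186.128;
tribble IN A 172.16.186.1;
bumble IN A 172.16.186.129;
edubuntu IN A 172.16.186.130;
"""
REVERSE_ZONE = """\
1 IN PTR tribble.local.org.
128 IN PTR dns-server.local.org.
129 IN PTR bumble.local.org.
130 IN PTR edubuntu.local.org.
"""

def parse_records(zone_text, origin):
    """Yield (owner, type, rdata) from single-line records, owners fully
    qualified. ';' starts a comment, so the stray trailing ';' on the
    page's A records is harmless."""
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) < 4 or fields[0].startswith("$"):
            continue
        owner, rtype, rdata = fields[0], fields[2], " ".join(fields[3:])
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        yield owner, rtype, rdata

def check_forward_reverse(fwd_zone, rev_zone):
    """Return (a_without_ptr, ptr_without_a): A records inside the reverse zone's
    range that have no PTR, and PTRs whose target has no A record for that IP."""
    a_by_ptr = {}
    for owner, rtype, rdata in parse_records(fwd_zone, FORWARD_ORIGIN):
        if rtype != "A":
            continue
        ptr_name = ipaddress.ip_address(rdata).reverse_pointer + "."
        if ptr_name.endswith(REVERSE_ORIGIN):   # 127.0.0.1 lies outside this zone
            a_by_ptr.setdefault(ptr_name, set()).add(owner)
    ptrs = {o: r for o, t, r in parse_records(rev_zone, REVERSE_ORIGIN) if t == "PTR"}
    a_without_ptr = sorted(n for p, names in a_by_ptr.items() if p not in ptrs for n in names)
    ptr_without_a = sorted(p for p, target in ptrs.items() if target not in a_by_ptr.get(p, ()))
    return a_without_ptr, ptr_without_a
```

Run it after every edit to either file; both lists should be empty before you bump the serial and reload.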

Finally, the last file to edit is named.conf. In Ubuntu they provide a named.conf.local file where they would like you to add your new zones. That file is included from named.conf, so it allows new or changed zones to be kept separate from the base system. That said, you could also just edit named.conf (although there may be people who are violently opposed to that). I say do whichever makes you happy, the outcome is the same. So to one of the files I added:

zone "local.org" {
type master;
file "/etc/bind/db.local.org";
};

zone "186.16.172.in-addr.arpa" {
type master;
file "/etc/bind/local-reverse";
};

The purpose of named.conf is to tell the name server which configuration files to use for which zones. So for my zone local.org. the name server must use the file db.local.org, and for the reverse lookup zone (186.16.172.in-addr.arpa) it uses the file local-reverse. The types here (both master, the alternative is slave) indicate that this name server is the primary name server for these zones.

Once this is done you can restart bind, which in Ubuntu is done with /etc/init.d/bind9 restart

All that is left is to point the resolvers on each host to the new name server. This is done in /etc/resolv.conf by adding or changing the nameserver line in the file to look as follows: nameserver 172.16.186.128

After that, when you request information about a computer in the domain with dig, for example bumble, you should see the following:

root@dns-server:/etc/bind# dig bumble.local.org.

; <<>> DiG 9.4.2-P2 <<>> bumble.local.org.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3238
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;bumble.local.org. IN A

;; ANSWER SECTION:
bumble.local.org. 86400 IN A 172.16.186.129

;; AUTHORITY SECTION:
local.org. 86400 IN NS ns.local.org.

;; ADDITIONAL SECTION:
ns.local.org. 86400 IN A 172.16.186.128

;; Query time: 15 msec
;; SERVER: 172.16.186.128#53(172.16.186.128)
;; WHEN: Thu Apr 16 13:51:51 2009
;; MSG SIZE rcvd: 83

Finally, if you have a router on your network connecting you to the outside world and you would like DNS for machines beyond your network, you can edit named.conf.options in /etc/bind/, uncomment the forwarders block and add the IP address of another DNS server that will provide you with outside DNS lookups. In my example network that meant changing the lines in named.conf.options to look like this:

forwarders {
172.16.186.2;
};

After which I could also get DNS resolution for machines beyond my network.
