Thursday, 11 July 2013

CentOS 6/RHEL: install BIND as a caching-only DNS server

BIND, the Berkeley Internet Name Domain DNS server, has a variety of uses on a CentOS 6/RHEL system, and one of them is a caching-only DNS server. A caching-only server is not authoritative for any real zone (only for the localhost zones shipped in the default configuration); it answers client queries by recursion or by forwarding to an upstream resolver, keeps each answer for the lifetime of its TTL, and serves repeat queries from that cache, which cuts lookup latency and upstream traffic.

The concept of caching-only DNS servers has been around for a while, so I decided to set one up on a CentOS 6 box. For this we used the bind package from the updates repo, which should be enabled. At the end we run a DNS query both locally and from a remote host, so the remote host needs bind-utils (which provides dig) installed as well.

The server also needs a static IP address. OpenSSH is only required for logging in to the remote host in the final test; forwarding port 22 from the router is only necessary if you reach the box from outside the LAN (nothing below depends on it), and port 53 should not be forwarded at all, or the resolver becomes reachable from the whole Internet.

After setting up OpenSSH we install Bind.

$ sudo yum -y install bind bind-utils

$ named -v
BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4
 

Once that is done, the first thing we need to do is edit named.conf

$ sudo vi /etc/named.conf

In the options block, change the following values. listen-on { any; } binds port 53 on every IPv4 address so LAN clients can reach the server; allow-transfer { none; } refuses zone transfers, which a caching-only server never needs to serve; note the trailing semicolon after each closing brace, which named.conf requires:

listen-on port 53    { any; };
listen-on-v6 port 53 { none; };
allow-transfer       { none; };
allow-query          { any; };

(listen-on-v6 is set to none here because this box has only limited IPv6 support; set it to { any; } if you do use IPv6.)

Now list the forwarders we have permission to query (typically the ISP's resolvers) and tell named to try them first. With forward first, every query goes to the forwarders and named falls back to full recursion from the root servers only if they fail to answer; forward only would never fall back. Substitute the real IP addresses:

forwarders {XXX.XXX.XXX.XXX;XXX.XXX.XXX.XXX;};
forward first;


Now scroll down and confirm that recursion is enabled, which is what makes this a caching resolver rather than an authoritative-only server:

recursion yes;

Then add the access controls that decide who may use the recursive service and read the cache:

allow-recursion   { any; };
allow-query-on    { any; };
allow-query-cache { any; };

Be aware that allow-query, allow-recursion and allow-query-cache set to any turn the box into an open resolver: anyone who can reach port 53 can use it, and open resolvers are routinely abused for DNS amplification, where a small query with a spoofed source address produces a much larger response aimed at the victim. That is harmless while port 53 is reachable only from the LAN, but if the server is ever exposed to the Internet, replace any in those three statements with the LAN prefix, e.g. { 127.0.0.1; 192.168.0.0/24; }.
 

Save and close named.conf.

If the host does not use IPv6, finish by telling named to run IPv4-only. /etc/sysconfig/named is owned by root, so the append has to happen with root privileges; plain shell redirection after sudo echo would fail with "Permission denied":

$ echo 'OPTIONS="-4"' | sudo tee -a /etc/sysconfig/named

(Skip this step if you still use IPv6.)
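The following script is an added example, not part of the original post, showing the ACL-scoped version of the options above. It writes a caching-only options block whose allow-query, allow-recursion and allow-query-cache refer to a named ACL instead of any, and it greps an existing named.conf for the any ACLs that would make the server an open resolver. The ACL name trusted, the 192.168.0.0/24 prefix and the 192.0.2.x forwarders (RFC 5737 documentation addresses) are assumptions; substitute your own. named-checkconf is only invoked when it is installed.

```shell
#!/bin/sh
# Added example (not from the original post): generate a LAN-scoped
# caching-only options block and audit a named.conf for open-resolver ACLs.
# Assumed placeholders: ACL name "trusted", prefix 192.168.0.0/24,
# forwarders 192.0.2.1 and 192.0.2.2 (RFC 5737 documentation space).

# Print a named.conf fragment for a caching-only resolver.
# $1 = trusted client prefix, remaining arguments = forwarder IPs.
caching_options() {
    prefix=$1; shift
    fwd=""
    for ip in "$@"; do fwd="$fwd $ip;"; done
    cat <<EOF
acl "trusted" { 127.0.0.1; ${prefix}; };

options {
    directory "/var/named";
    listen-on port 53 { any; };
    listen-on-v6 port 53 { none; };
    recursion yes;
    allow-query { trusted; };
    allow-query-cache { trusted; };
    allow-recursion { trusted; };
    allow-transfer { none; };
    forwarders {${fwd} };
    forward first;
};
EOF
}

# Print every ACL in $1 that lets any client use the resolver.
# Returns 1 if at least one is found, 0 if the config is scoped.
audit_open_resolver() {
    conf=$1
    found=0
    for stmt in allow-query allow-recursion allow-query-cache; do
        # matches "allow-query {any;}" and "allow-recursion { any ; }" alike
        if grep -Eq "^[[:space:]]*${stmt}[[:space:]]*[{][[:space:]]*any[[:space:]]*;" "$conf"; then
            echo "open: ${stmt} { any; } in ${conf}"
            found=1
        fi
    done
    return $found
}

# Usage: write the scoped fragment, audit it, and let BIND parse it if present.
tmp=$(mktemp)
caching_options 192.168.0.0/24 192.0.2.1 192.0.2.2 > "$tmp"
audit_open_resolver "$tmp" && echo "ACLs are scoped to the trusted prefix"
command -v named-checkconf >/dev/null && named-checkconf "$tmp"
rm -f "$tmp"
```

Run audit_open_resolver against /etc/named.conf on the server itself; it exits non-zero and names each offending statement, so it can be dropped into a pre-start check or a configuration-management test.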

Before starting named, run named-checkconf against /etc/named.conf; it prints nothing when the file parses cleanly and reports the line of any syntax error, which is much easier to read than a failed service start. Then enable the service at boot and start it:

$ sudo chkconfig named on

$ sudo service named start

$ sudo service named status
version: 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4
CPUs found: 2
worker threads: 2
number of zones: 19
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
named (pid  2928) is running...


Now run netstat to confirm that named is listening on port 53 over both UDP and TCP, on the LAN address as well as loopback. Port 953 is the rndc control channel and should only ever appear on 127.0.0.1, as it does here.

$ netstat -ntul

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 192.168.0.100:53            0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:17500               0.0.0.0:*                   LISTEN
tcp        0      0 ::1:53                      :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0      0 ::1:631                     :::*                        LISTEN
tcp        0      0 ::1:953                     :::*                        LISTEN
tcp        0      0 ::1:25                      :::*                        LISTEN
udp        0      0 192.168.0.100:53            0.0.0.0:*
udp        0      0 127.0.0.1:53                0.0.0.0:*
udp        0      0 0.0.0.0:17500               0.0.0.0:*
udp        0      0 0.0.0.0:631                 0.0.0.0:*
udp        0      0 192.168.0.100:123           0.0.0.0:*
udp        0      0 127.0.0.1:123               0.0.0.0:*
udp        0      0 ::1:53                      :::*


Now test DNS queries against the caching-only server using dig (domain information groper). Query the loopback address first. A working resolver answers with status: NOERROR and the ra (recursion available) flag in the header, and running the same query a second time should come back from the cache with a lower TTL and a query time close to 0 msec:

$ dig @localhost www.duckduckgo.com

If that works, log in to another host on the LAN and repeat the query against the server's LAN address, since that is how real clients will reach it. Here the server is 192.168.0.100 and the remote host is 192.168.0.101.

$ ssh anton2@192.168.0.101 
anton2@192.168.0.101's password:
Last login: Thu Jul 11 06:46:48 2013 from 192.168.0.100
[anton2@Dell ~]$ hostname
Dell


[anton2@Dell ~]$ dig @192.168.0.100 www.duckduckgo.com

The @ argument names the server to query. If the answer comes back with status: REFUSED, the query reached named but the client address is outside allow-query or allow-recursion; if it times out instead, check iptables on the server, since the default CentOS 6 firewall only opens port 22 and will drop port 53 UDP and TCP even though netstat shows named listening.
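As an added example, not from the original post: a small script that reads the output of two consecutive dig runs and decides whether the server really resolved recursively and served the repeat from cache, which is the property a caching-only server is supposed to have. It checks the status and ra flag in the header, then compares the ANSWER TTLs (a cached answer has a TTL that counts down). The three dig outputs embedded below are constructed samples in dig's output format (203.0.113.10 is an RFC 5737 documentation address); in use, save the real output of two dig @192.168.0.100 www.duckduckgo.com runs to files and pass those. The REFUSED sample shows what a client outside the allow-recursion ACL gets.

```shell
#!/bin/sh
# Added example (not from the original post): decide from dig output whether
# a resolver answered recursively and served a repeat query from cache.
# The sample outputs below are constructed, not captured from a real server.

# Status word (NOERROR, REFUSED, ...) from the ->>HEADER<<- line on stdin.
dig_status() { sed -n 's/.*status: \([A-Z]*\),.*/\1/p'; }
# Exit 0 if the flags line carries "ra" (recursion available to this client).
dig_has_ra() { grep -Eq '^;; flags:.*[[:space:]]ra[[:space:];]'; }
# TTL of the first record in the ANSWER section.
dig_answer_ttl() { awk '/^;; ANSWER SECTION:/{f=1;next} f && NF>=4 {print $2; exit}'; }
# Query time in milliseconds.
dig_query_ms() { sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p'; }

# Compare two consecutive answers for the same name ($1 first, $2 second).
# Prints a verdict; exits 0 only for a recursive answer followed by a cache hit.
cache_verdict() {
    first=$1; second=$2
    s1=$(dig_status < "$first"); s2=$(dig_status < "$second")
    if [ "$s1" != NOERROR ] || [ "$s2" != NOERROR ]; then
        echo "not resolving: status $s1 then $s2"; return 1
    fi
    if ! dig_has_ra < "$first"; then
        echo "recursion not offered to this client (no ra flag)"; return 1
    fi
    t1=$(dig_answer_ttl < "$first"); t2=$(dig_answer_ttl < "$second")
    ms=$(dig_query_ms < "$second")
    if [ -n "$t1" ] && [ -n "$t2" ] && [ "$t2" -lt "$t1" ]; then
        echo "cache hit: TTL $t1 -> $t2, second answer in ${ms} ms"; return 0
    fi
    echo "no cache hit: TTL $t1 -> $t2, second answer in ${ms} ms"; return 1
}

# Constructed sample: first query, answered by recursion/forwarding.
sample_first() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40611
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.duckduckgo.com.     300     IN      A       203.0.113.10

;; Query time: 38 msec
;; SERVER: 192.168.0.100#53(192.168.0.100)
EOF
}
# Constructed sample: same query 13 seconds later, served from cache.
sample_cached() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40612
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.duckduckgo.com.     287     IN      A       203.0.113.10

;; Query time: 0 msec
;; SERVER: 192.168.0.100#53(192.168.0.100)
EOF
}
# Constructed sample: client outside the allow-recursion ACL.
sample_refused() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 40613
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; Query time: 0 msec
;; SERVER: 192.168.0.100#53(192.168.0.100)
EOF
}

# Usage with the samples; replace the files with real dig output.
f1=$(mktemp); f2=$(mktemp); f3=$(mktemp)
sample_first > "$f1"; sample_cached > "$f2"; sample_refused > "$f3"
cache_verdict "$f1" "$f2"          # cache hit: TTL 300 -> 287, second answer in 0 ms
cache_verdict "$f1" "$f3" || true  # not resolving: status NOERROR then REFUSED
rm -f "$f1" "$f2" "$f3"
```

The TTL comparison is the reliable cache signal; query time alone is not, because a forwarder on the LAN can also answer in 0 msec. A REFUSED verdict from the remote host is the expected result once the ACLs are scoped to the LAN and the query comes from outside it.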
There is plenty more to BIND and we have barely scratched the surface here; the BIND Administrator Reference Manual covers the rest.







