How to configure DNS forwarding on Ubuntu

Category
DNS – Blog No 2
Time to Read
30 Minutes
Who should read this blog?
If you want to learn how to install and configure the bind9 utility on an Ubuntu Linux server and run the DNS server in caching nameserver and forwarder mode.
Preface

In the previous blog, we covered DNS configuration at the scope of a local machine, which was limited to the hosts file on that machine.

In the real world, you will seldom configure anything on the hosts file.

In an organization, DNS is always served by one or more DNS servers. Mostly you will find these types of DNS servers:

  1. Linux server as a DNS Server
  2. Windows server as a DNS Server

Linux as a DNS Server

There are many variants of Linux in the market. But in our case, we have selected Ubuntu LTS Server.

To create a DNS server on Linux Ubuntu 20 LTS, you’ll need to install and configure the BIND9 (Berkeley Internet Name Domain) software.

  • Install BIND:
sudo apt update
sudo apt install bind9 bind9utils bind9-doc dnsutils
  • Once the BIND9 package is installed, the primary configuration file is /etc/bind/named.conf. Open it with:
nano /etc/bind/named.conf

=============Output=================
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

  • These bind files serve different configuration needs, as below:
/etc/bind/named.conf.options: global DNS options

/etc/bind/named.conf.local: your zones and their records

/etc/bind/named.conf.default-zones: default zones such as localhost, its reverse, and the root hints

Configuration Modes

There are many ways to configure BIND9. Some of the most common configurations are a caching nameserver, primary server, and secondary server.

  1. When configured as a Caching DNS Nameserver, BIND9 will find the answer to name queries and remember that answer for when the domain is queried again.
  2. As a Primary DNS Server, BIND9 reads the data for a zone from a file on its host and is authoritative for that zone.
  3. As a Secondary DNS server, BIND9 gets the zone data from another nameserver that is authoritative for the zone.

Caching Nameserver/Forwarder Mode

As the name suggests, caching name servers do not own any DNS records; they just cache DNS entries. They have forwarder name servers configured, to which they forward every DNS query, and they cache the reply for the TTL value defined for that record type.

For example, we will configure the Google DNS name servers (8.8.8.8, 8.8.4.4) as our default point for resolving any internet name. Once those DNS servers resolve an entry, we can hold it on our local DNS server until its TTL (time to live) value expires. We can see these entries on our DNS servers as well as on local machines.

There is only one difference between caching nameserver mode and forwarder mode: in caching mode the DNS server is configured to perform the recursive query itself, while in forwarder mode the server just forwards the query to the forwarders and makes no effort to resolve it on its own (Iterative Query). To understand the difference between recursive and iterative queries, refer to my blog – What is DNS Trace ?

Checking caching on Ubuntu using systemd-resolved service
killall -USR1 systemd-resolved && journalctl -u systemd-resolved | grep -A 100000 "CACHE:"

Feb 12 16:41:45 linuxdns-vm01 systemd-resolved[588]: CACHE:
Feb 12 16:41:45 linuxdns-vm01 systemd-resolved[588]:         youtube-ui.l.google.com IN A 172.253.115.136
Feb 12 16:41:45 linuxdns-vm01 systemd-resolved[588]:         youtube-ui.l.google.com IN A 172.253.115.190
Feb 12 16:41:45 linuxdns-vm01 systemd-resolved[588]:         youtube-ui.l.google.com IN A 172.253.62.91
Checking caching on Ubuntu using Dnsmasq service

If you are not using Ubuntu's default systemd-resolved service but the Dnsmasq DNS service instead, then note:

Dnsmasq stores its cache in RAM. By default the Dnsmasq cache size is 150 entries. If there is no space in the cache to store a new positive DNS response, it replaces an older entry. Such replacements are logged together with the Dnsmasq usage statistics. To have the statistics logged immediately, send the process SIGUSR1 (for example with ‘killall -s USR1 dnsmasq’) and check the syslog:

$ sudo pkill -USR1 dnsmasq

Then consult the system logs:

$ sudo tail /var/log/syslog
Jan 21 13:37:57 dnsmasq[29469]: time 1232566677
Jan 21 13:37:57 dnsmasq[29469]: cache size 150, 0/475 cache insertions re-used unexpired cache entries.
Jan 21 13:37:57 dnsmasq[29469]: queries forwarded 392, queries answered locally 16
Jan 21 13:37:57 dnsmasq[29469]: server 208.67.222.222#53: queries sent 206, retried or failed 12
Jan 21 13:37:57 dnsmasq[29469]: server 208.67.220.220#53: queries sent 210, retried or failed 6
Checking caching on Windows Machine

Checking the DNS record cache entries on Windows is the easiest of all: type the command ‘ipconfig /displaydns’.

ipconfig /displaydns

Windows IP Configuration

    fe3cr.delivery.mp.microsoft.com
    ----------------------------------------
    Record Name . . . . . : fe3cr.delivery.mp.microsoft.com
    Record Type . . . . . : 5
    Time To Live  . . . . : 138
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : fe3.delivery.mp.microsoft.com


    Record Name . . . . . : fe3.delivery.mp.microsoft.com
    Record Type . . . . . : 5
    Time To Live  . . . . : 138
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : glb.cws.prod.dcat.dsp.trafficmanager.net


    Record Name . . . . . : glb.cws.prod.dcat.dsp.trafficmanager.net
    Record Type . . . . . : 1
    Time To Live  . . . . : 138
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 40.125.122.151

Configuration
  • The default configuration acts as a caching server. Simply uncomment and edit /etc/bind/named.conf.options to set the IP addresses of your ISP’s DNS servers:
sudo nano /etc/bind/named.conf.options

=============Output=================
 GNU nano 4.8              /etc/bind/named.conf.options                        
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //=====================================================================>
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys

  • After uncommenting the block and filling in the ISP-provided name servers:
  GNU nano 4.8              /etc/bind/named.conf.options                        
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.
        // listen on all interfaces
        listen-on { any; };

        // allow queries from all networks
        allow-query { any; };

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        //=====================================================================>
Nameserver Cache mode
  • As discussed above, there are two configuration modes with only minute differences. Below is an example of Nameserver cache mode:
GNU nano 4.8              /etc/bind/named.conf.options

// acl definition (an acl statement must sit at the top level, outside options { })
acl "myacl" {
        10.1.2.0/24;
        localhost;
        localnets;
};

options {
        directory "/var/cache/bind";

        // Server is allowed to send recursive queries to TLD servers until a response is received (cache mode)
        recursion yes;

        // Run recursive queries only for localhost (default), localnets (default) and the end machines in acl 'myacl'
        allow-recursion { myacl; };

        // Server listens on port 53 on localhost and on IP 10.1.1.5 (local IPv4 interface)
        listen-on port 53 { localhost; 10.1.1.5; };

        // Queries only from localhost and myacl network users will be allowed
        allow-query { localhost; myacl; };

        // zone transfer to none
        allow-transfer { none; };

        // Listen on any IPv6 network interface for DNS queries
        listen-on-v6 { any; };

        dnssec-validation auto;

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
};
Forwarder mode

In Forwarder mode we do not need to set recursion to no; we just add the single keyword forward only, and the server will not try to do recursive queries itself but will only cache the answers resolved by the configured forwarders.

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
        forward only; // just this line; nothing else in the configuration above changes, recursion yes stays as it is.
  • To enable the new configuration, restart the DNS server. From a terminal prompt:
sudo systemctl restart bind9.service
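As an added example (not code from the original post), the following shell script renders a named.conf.options for either of the two modes from a list of forwarders, rejecting malformed addresses such as a stray trailing quote before they reach named, and checks the result with named-checkconf when that tool is installed (falling back to a line check otherwise). The acl name, the 10.1.2.0/24 network and the 10.1.1.5 listen address are the post's sample values; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: render and validate
# /etc/bind/named.conf.options for "cache" or "forward-only" mode.
# Assumption: named-checkconf (BIND 9 utility) is optional; if it is
# absent, a simple line check stands in for it.

# valid_ipv4 ADDR -> 0 for a dotted-quad IPv4 address, 1 otherwise.
# A value like 8.8.4.4' (quote instead of semicolon) fails here instead of
# being written into the config and breaking named at startup.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# render_options MODE FORWARDER... -> writes the options file text to stdout.
# MODE "cache": recursion on, forwarders tried first, named may resolve itself.
# MODE "forward-only": the same, plus "forward only;" so named never recurses.
render_options() {
    mode=$1; shift
    if [ "$mode" != cache ] && [ "$mode" != forward-only ]; then
        echo "unknown mode: $mode (use cache or forward-only)" >&2; return 2
    fi
    [ $# -gt 0 ] || { echo "need at least one forwarder address" >&2; return 2; }
    for fwd in "$@"; do
        valid_ipv4 "$fwd" || { echo "not an IPv4 address: $fwd" >&2; return 2; }
    done
    cat <<EOF
// acl statements live at the top level, outside options { }
acl "myacl" { 10.1.2.0/24; localhost; localnets; };

options {
        directory "/var/cache/bind";
        recursion yes;
        allow-recursion { myacl; };
        allow-query { localhost; myacl; };
        allow-transfer { none; };
        listen-on port 53 { localhost; 10.1.1.5; };
        listen-on-v6 { any; };
        dnssec-validation auto;
        forwarders {
EOF
    for fwd in "$@"; do
        printf '                %s;\n' "$fwd"
    done
    printf '        };\n'
    if [ "$mode" = forward-only ]; then
        printf '        forward only;\n'
    fi
    printf '};\n'
}

# check_options FILE -> 0 if the file passes named-checkconf (or, when that
# tool is not installed, if no address line is missing its terminating ';').
check_options() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        ! grep -Eq '^[[:space:]]*[0-9.]+[^;]$' "$1"
    fi
}

# Usage (on a real host):
#   render_options forward-only 8.8.8.8 8.8.4.4 > /tmp/named.conf.options.new
#   check_options /tmp/named.conf.options.new && \
#       sudo install -m 644 /tmp/named.conf.options.new /etc/bind/named.conf.options && \
#       sudo systemctl restart bind9.service
```

Validating the file before the restart matters because named refuses to start on a syntax error, which leaves every client of this server without name resolution until it is fixed.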

Validation
  • First, let’s check the syntax of the bind9 configuration files with the checker from the bind9 utility tools:
sudo named-checkconf
  • If there are syntax errors in your configuration files, you will be told the error and its line number; otherwise you simply get the prompt back.
  • To check whether the DNS server is listening for DNS queries, use the ‘netstat -antp’ command and check that the local server is listening on DNS port 53.
root@linuxdns-vm01:/# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      769/sshd: /usr/sbin 
tcp        0      0 127.0.0.53:53           0.0.0.0:*  <<<<DNS listen        LISTEN      586/systemd-resolve 
tcp6       0      0 :::22                   :::*                    LISTEN      769/sshd: /usr/sbin 
root@linuxdns-vm01:/# 
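Note that in the netstat output above the only port-53 listener is 586/systemd-resolve on 127.0.0.53, which is Ubuntu's stub resolver, not BIND; a running BIND instance appears as named on 127.0.0.1 and on the addresses given in listen-on. As an added example (not from the original post), this shell snippet parses listener output into the program that owns port 53 and flags the case where only the stub is answering. The listener text is a constructed sample shaped like the output above, with a hypothetical named listener added; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: find out which process owns
# port 53 from "netstat -antp"-style output. Constructed sample below; on a
# live host pipe in `netstat -antp` (or `ss -lntp` with the awk fields adjusted).
SAMPLE_LISTENERS='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      769/sshd: /usr/sbin
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      586/systemd-resolve
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1203/named
tcp        0      0 10.1.1.5:53             0.0.0.0:*               LISTEN      1203/named'

# port53_owners LISTENER_TEXT -> one "ADDRESS:53 PROGRAM" line per port-53 listener.
# Field 4 is the local address, field 6 the state, field 7 "PID/program".
port53_owners() {
    printf '%s\n' "$1" | awk '$4 ~ /:53$/ && $6 == "LISTEN" { split($7, p, "/"); print $4, p[2] }'
}

# bind_serving_on ADDRESS LISTENER_TEXT -> 0 if named owns port 53 on ADDRESS.
bind_serving_on() {
    port53_owners "$2" | grep -q "^$1:53 named$"
}

# stub_only LISTENER_TEXT -> 0 when every port-53 listener is systemd-resolved's
# stub, i.e. named is not actually answering and the "cache" you observe with
# nslookup/dig against 127.0.0.53 is the stub resolver's, not BIND's.
stub_only() {
    owners=$(port53_owners "$1")
    [ -n "$owners" ] && ! printf '%s\n' "$owners" | grep -qv 'systemd-resolve'
}

# Usage on a live host:
#   if stub_only "$(netstat -antp 2>/dev/null)"; then
#       echo "only the systemd-resolved stub is listening on :53; check 'systemctl status bind9'"
#   fi
```

If named is absent from the list after the restart, check journalctl -u bind9 for the startup error rather than trusting a fast nslookup against 127.0.0.53 as proof that BIND is caching.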

  • Kindly note that the first resolution of any web page is always done by the configured forwarder name servers and therefore takes longer; all further resolutions are served from the cache and are much faster.
  • To verify that DNS caching is working and the record is being served from the local cache, we can either use dig and check the Query time, or use time nslookup to measure the wall-clock time.
root@linuxdns-vm01:/# time nslookup www.thecloudblogger.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
www.thecloudblogger.com canonical name = thecloudblogger.com.
Name:   thecloudblogger.com
Address: 192.0.78.25
Name:   thecloudblogger.com
Address: 192.0.78.24


real    0m0.134s <<< First resolution through forwarder took 134 ms
user    0m0.004s
sys     0m0.029s 
root@linuxdns-vm01:/# time nslookup www.thecloudblogger.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
www.thecloudblogger.com canonical name = thecloudblogger.com.
Name:   thecloudblogger.com
Address: 192.0.78.25
Name:   thecloudblogger.com
Address: 192.0.78.24


real    0m0.035s <<< Next time resolution took 35 ms from cache
user    0m0.011s
sys     0m0.017s
root@linuxdns-vm01:/# 
root@linuxdns-vm01:/# dig www.timeofindia.com

; <<>> DiG 9.16.1-Ubuntu <<>> www.timeofindia.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54463
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.timeofindia.com.           IN      A

;; ANSWER SECTION:
www.timeofindia.com.    1800    IN      A       192.99.158.243

;; Query time: 52 msec  << First resolution through Forwarder
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Feb 12 18:57:12 UTC 2023
;; MSG SIZE  rcvd: 64

root@linuxdns-vm01:/# dig www.timeofindia.com

; <<>> DiG 9.16.1-Ubuntu <<>> www.timeofindia.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37425
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.timeofindia.com.           IN      A

;; ANSWER SECTION:
www.timeofindia.com.    1790    IN      A       192.99.158.243

;; Query time: 0 msec << Next resolution from cache file
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Feb 12 18:57:22 UTC 2023
;; MSG SIZE  rcvd: 64

root@linuxdns-vm01:/# 
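Two things in the dig output above tell the cache story: the Query time drops from 52 msec to 0 msec, and the TTL counts down from 1800 to 1790 (the 10 seconds between the two queries), which only happens when the answer is replayed from a cache rather than fetched fresh. The TTL countdown is the reliable signal, since a fast upstream on the LAN can also answer in a millisecond or two. Note also that the SERVER line reads 127.0.0.53, so these answers came from the systemd-resolved stub; to exercise the BIND instance itself, point dig at its listen address, e.g. dig @127.0.0.1 or dig @10.1.1.5. As an added example (not from the original post), the shell functions below pull those two fields out of dig output and decide whether the second lookup was a cache hit; the dig text is a constructed sample mirroring the output above and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: detect a cache hit from two
# consecutive dig outputs. Constructed samples (only the relevant sections);
# on a live host use "$(dig @127.0.0.1 www.example.com)" for each.
FIRST_DIG='; <<>> DiG 9.16.1-Ubuntu <<>> www.timeofindia.com
;; QUESTION SECTION:
;www.timeofindia.com.           IN      A

;; ANSWER SECTION:
www.timeofindia.com.    1800    IN      A       192.99.158.243

;; Query time: 52 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)'

SECOND_DIG='; <<>> DiG 9.16.1-Ubuntu <<>> www.timeofindia.com
;; QUESTION SECTION:
;www.timeofindia.com.           IN      A

;; ANSWER SECTION:
www.timeofindia.com.    1790    IN      A       192.99.158.243

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)'

# dig_query_ms DIG_OUTPUT -> the "Query time" value in milliseconds.
dig_query_ms() {
    printf '%s\n' "$1" | awk '/^;; Query time:/ { print $4 }'
}

# dig_answer_ttl DIG_OUTPUT NAME -> TTL of the first A or CNAME answer for NAME
# (empty when NAME has no answer, e.g. NXDOMAIN). The question line starts
# with ';' so it is never mistaken for an answer.
dig_answer_ttl() {
    printf '%s\n' "$1" | awk -v n="$2." '$1 == n && ($4 == "A" || $4 == "CNAME") { print $2; exit }'
}

# cache_hit NAME FIRST_OUTPUT SECOND_OUTPUT -> 0 when the second lookup shows
# the cache signature: its TTL is lower than the first lookup's (the resolver
# is counting down the same record) and its query time did not go up.
# Identical TTLs mean both answers were fetched fresh from upstream.
cache_hit() {
    name=$1; first=$2; second=$3
    t1=$(dig_answer_ttl "$first" "$name"); t2=$(dig_answer_ttl "$second" "$name")
    q1=$(dig_query_ms "$first");          q2=$(dig_query_ms "$second")
    [ -n "$t1" ] && [ -n "$t2" ] && [ -n "$q1" ] && [ -n "$q2" ] \
        && [ "$t2" -lt "$t1" ] && [ "$q2" -le "$q1" ]
}

# Usage on a live host (replace the server address with BIND's listen address):
#   a=$(dig @127.0.0.1 www.example.com); sleep 5; b=$(dig @127.0.0.1 www.example.com)
#   cache_hit www.example.com "$a" "$b" && echo "served from BIND's cache"
```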

Conclusion:

In this blog, we started by installing the bind9 utility and then went through the different files available under bind. We then covered the caching nameserver configuration mode of the DNS server. In the next blog of this DNS series, we will configure the Ubuntu DNS server as a Primary DNS server.

