| Category | |
| DNS – Blog No 2 | |
| Time to Read | |
| 30 Minutes | |
| Who should read this blog.? | |
| If you want to learn how to install and configure the bind9 utility on Ubuntu Linux Server and configure the DNS server in Nameserver caching and Forwarder mode. |
Preface
In the previous blog, we covered the DNS configuration on the scope of a local Machine and it was limited to the hosts file on a machine.
In the real world, you will seldom configure anything on the hosts file.
In an organization, DNS is always served by DNS server/s. Mostly you will these find types of DNS servers.
- Linux server as a DNS Server
- Windows server as a DNS Server
Linux as a DNS Server
There are many variants of Linux in the market. But in our case, we have selected Ubuntu LTS Server.
To create a DNS server on Linux Ubuntu 20 LTS, you’ll need to install and configure the BIND9 (Berkeley Internet Name Domain) software.
- Install BIND:
sudo apt update
sudo apt install bind9 bind9utils bind9-doc dnsutils
- Once the BIND9 package is installed, The primary configuration file is
/etc/bind/named.conf.
nano /etc/bind/named.conf
=============Output=================
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
- These different bind files are used for different configuration needs as below
/etc/bind/named.conf.options: global DNS options
/etc/bind/named.conf.local: for your zones and its records
/etc/bind/named.conf.default-zones: default zones such as localhost, its reverse, and the root hintsConfiguration Modes
There are many ways to configure BIND9. Some of the most common configurations are a caching nameserver, primary server, and secondary server.
- When configured as a Caching DNS Nameserver BIND9 will find the answer to name queries and remember the answer when the domain is queried again.
- As a Primary DNS Server, BIND9 reads the data for a zone from a file on its host and is authoritative for that zone.
- As a Secondary DNS server, BIND9 gets the zone data from another nameserver that is authoritative for the zone.
Caching Nameserver/Forwarder Mode
As the name suggests, Caching name servers do not own any DNS records rather they just cache the DNS entries. They have forwarder name servers configured which they use to forward any DNS query and cache the reply for a TTL value defined for that record Type.
For example- We will configure google DNS name servers(8.8.8.8,8.8.4.4) as our default point to resolve any internet name resolutions. and once these DNS servers resolve the entry we can hold them on our local DNS server until the TTL Value ( time to live) expires. We can see these entries on our DNS servers as well as on local machines.
There is only one difference between caching Nameserver mode and Forwarder mode is that in Caching mode DNS server is configured to perform the recursive query while in Forwarder mode server just forwards the query to forwarders and takes no effort to resolve itself (Iterative Query). To know the difference between recursive and iterative queries refer to my blog – What is DNS Trace ?
Checking caching on Ubuntu using systemd-resolved service
killall -USR1 systemd-resolved && journalctl -u systemd-resolved | grep -A 100000 "CACHE:"
Feb 12 16:41:45 linuxdns-vm01 systemd-resolved[588]: CACHE:
Feb 12 16:41:45 linuxdns-vm01 systemd-resolved[588]: youtube-ui.l.google.com IN A 172.253.115.136
Feb 12 16:41:45 linuxdns-vm01 systemd-resolved[588]: youtube-ui.l.google.com IN A 172.253.115.190
Feb 12 16:41:45 linuxdns-vm01 systemd-resolved[588]: youtube-ui.l.google.com IN A 172.253.62.91
Checking caching on Ubuntu using Dnsmasq service
If you are not using the ubuntu default DNS resolved service and using the Dnsmasq DNS service then note –
Dnsmasq stores the cache in RAM, By default the Dnsmasq has the cache size to keep 150 entries. If there is no space in the cache to store a new positive DNS response it will replace an older entry. Such replacements are logged with the Dnsmasq usage statistics. To get it logged immediately one should call ‘killall -s USR1 dnsmasq’ and check the syslog:
$ sudo pkill -USR1 dnsmasqThen consult the system logs:
$ sudo tail /var/log/syslog
Jan 21 13:37:57 dnsmasq[29469]: time 1232566677
Jan 21 13:37:57 dnsmasq[29469]: cache size 150, 0/475 cache insertions re-used unexpired cache entries.
Jan 21 13:37:57 dnsmasq[29469]: queries forwarded 392, queries answered locally 16
Jan 21 13:37:57 dnsmasq[29469]: server 208.67.222.222#53: queries sent 206, retried or failed 12
Jan 21 13:37:57 dnsmasq[29469]: server 208.67.220.220#53: queries sent 210, retried or failed 6Checking caching on Windows Machine
Checking the DNS record cache entries is easiest, all you need is to type the command ‘ipconfig /displaydns’
ipconfig /displaydns
Windows IP Configuration
fe3cr.delivery.mp.microsoft.com
----------------------------------------
Record Name . . . . . : fe3cr.delivery.mp.microsoft.com
Record Type . . . . . : 5
Time To Live . . . . : 138
Data Length . . . . . : 8
Section . . . . . . . : Answer
CNAME Record . . . . : fe3.delivery.mp.microsoft.com
Record Name . . . . . : fe3.delivery.mp.microsoft.com
Record Type . . . . . : 5
Time To Live . . . . : 138
Data Length . . . . . : 8
Section . . . . . . . : Answer
CNAME Record . . . . : glb.cws.prod.dcat.dsp.trafficmanager.net
Record Name . . . . . : glb.cws.prod.dcat.dsp.trafficmanager.net
Record Type . . . . . : 1
Time To Live . . . . : 138
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 40.125.122.151
Configuration
- The default configuration acts as a caching server. Simply uncomment and edit
/etc/bind/named.conf.optionsto set the IP addresses of your ISP’s DNS servers:
sudo nano /etc/bind/named.conf.options
=============Output=================
GNU nano 4.8 /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//=====================================================================>
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
- After uncommenting and updating the ISP-provided name servers
GNU nano 4.8 /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// listen on all interfaces
listen-on { any; };
// allow queries from all networks
allow-query { any; };
forwarders {
8.8.8.8;
8.8.4.4'
};
//=====================================================================>Nameserver Cache mode
- As discussed above there are two configuration modes with very minute differences. Below is an example of Nameserver cache mode :
GNU nano 4.8 /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
//acl definition
acl "myacl" {
10.1.2.0/24;
localhost;
localnets;
};
// Server is allowed to send recursive queries to TLD servers untill a response is received (cache Mode)
recursion yes;
//For running recursive queries only from localhost(default), locatnets(default) and end machines from acl 'myacl' allowed
allow-recursion { myacl; };
//Server listens on port 53 on localhost(127.0.0.53) and ip 10.1.1.5(Local interface) ipv4 network interface
listen-on port 53 { localhost; 10.1.1.5; };
//Queries only from localhost and myacl network users will be alllowed
allow-query { localhost; myacl; };
//zone-transfer to none
allow-transfer { none; };
// Listen on any ipv6 network interface for dns queries
listen-on-v6 { any; };
dnssec-validation auto;
forwarders {
8.8.8.8;
8.8.4.4'
};
};Forwarder mode
In the Forwarder mode, we don’t need to add recursion to No rather have to add just one keyword forward only, and the server will not try to do recursive queries itself rather will cache the resolution only resolved by configured forwarders.
forwarders {
8.8.8.8;
8.8.4.4'
};
forward only; // just this line and nothing changes in above mentioned configuration even recursion yes remains same.- To enable the new configuration, restart the DNS server. From a terminal prompt:
sudo systemctl restart bind9.serviceValidation
- First, let’s check the syntax of the bind9 configuration file with commands from bind9 utility tools.
sudo named-checkconf- If you have syntax errors in your configuration files, you will be alerted to the error and line number otherwise you will see a prompt.
- To check if the DNS server is listening for DNS queries use ‘netstat -antp’ command and check if the local server is listening on DNS port 53.
root@linuxdns-vm01:/# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 769/sshd: /usr/sbin
tcp 0 0 127.0.0.53:53 0.0.0.0:* <<<<DNS listen LISTEN 586/systemd-resolve
tcp6 0 0 :::22 :::* LISTEN 769/sshd: /usr/sbin
root@linuxdns-vm01:/# - Kindly note that any first resolution for any webpage will always be resolved by the forwarder name servers configured and hence will take a longer time, all further resolutions will be from cache files and resolution will be much faster.
- Now to verify if the DNS caching is working and the record is being fetched from the local cache file, we can either use dig and check the Query time, or we can use the time nslookup command to check the real-time.
root@linuxdns-vm01:/# time nslookup www.thecloudblogger.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
www.thecloudblogger.com canonical name = thecloudblogger.com.
Name: thecloudblogger.com
Address: 192.0.78.25
Name: thecloudblogger.com
Address: 192.0.78.24
real 0m0.134s <<< First resolution through forwarder took 134 ms
user 0m0.004s
sys 0m0.029s
root@linuxdns-vm01:/# time nslookup www.thecloudblogger.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
www.thecloudblogger.com canonical name = thecloudblogger.com.
Name: thecloudblogger.com
Address: 192.0.78.25
Name: thecloudblogger.com
Address: 192.0.78.24
real 0m0.035s <<< Next time resolution took .035 ms from cache
user 0m0.011s
sys 0m0.017s
root@linuxdns-vm01:/# root@linuxdns-vm01:/# dig www.timeofindia.com
; <<>> DiG 9.16.1-Ubuntu <<>> www.timeofindia.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54463
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.timeofindia.com. IN A
;; ANSWER SECTION:
www.timeofindia.com. 1800 IN A 192.99.158.243
;; Query time: 52 msec << First resolution through Forwarder
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Feb 12 18:57:12 UTC 2023
;; MSG SIZE rcvd: 64
root@linuxdns-vm01:/# dig www.timeofindia.com
; <<>> DiG 9.16.1-Ubuntu <<>> www.timeofindia.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37425
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.timeofindia.com. IN A
;; ANSWER SECTION:
www.timeofindia.com. 1790 IN A 192.99.158.243
;; Query time: 0 msec << Next resolution from cache file
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Feb 12 18:57:22 UTC 2023
;; MSG SIZE rcvd: 64
root@linuxdns-vm01:/# Conclusion:
In this blog, we started with installing with bind9 utility and then went through different files available under bind. We then covered the caching nameserver configuration mode of DNS server. In this DNS blog series, In the next blog we will configure the Ubuntu DNS server as Primary DNS server.
