Wednesday, July 28, 2010

Configuring a DNS Server


Step 1. Create named.conf file with the following content:
Note: the options "directory", "pid-file", "dump-file" and "statistics-file" may have other values if you configure the BIND server on Linux. The following values are for FreeBSD.
Note: do not forget to put ";" after every IP, including the last one, and to enclose each address list between { }.


options {
directory       "/etc/namedb";
pid-file        "/var/run/named/pid";
dump-file       "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
forwarders      { 213.157.176.3; 213.157.176.1; };
allow-recursion { 10.0.0.0/16; 127.0.0.1; };
allow-transfer  { 213.157.176.3; 213.157.176.1; 192.162.16.0/24; };
listen-on       { 127.0.0.1; 86.X.Y.Z; };
};
zone "." {
type hint;
file "named.root";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "master/localhost.rev";
};
zone "Z.Y.X.86.in-addr.arpa" {
type master;
file "master/Z.Y.X.86.in-addr.arpa";
};
zone "domeniu.ro" in {
type master;
file "/etc/namedb/domeniu.ro";
};
A few explanations regarding the following directives:
forwarders      { 213.157.176.3; 213.157.176.1; };
allow-recursion { 10.0.0.0/16; 127.0.0.1; };
allow-transfer  { 213.157.176.3; 213.157.176.1; 192.162.16.0/24; };
listen-on       { 127.0.0.1; 86.X.Y.Z; };
forwarders - here you place your ISP's DNS servers (or other DNS servers that accept queries from your IPs). This also lets the server act as a DNS cache.

allow-recursion - only the IPs (or subnets) listed here may send recursive queries to the DNS server. You must list here every IP or subnet that will use the DNS server as its resolver.
allow-transfer - only these servers may transfer zones from the current DNS server (your DNS slave servers, for example).
listen-on - the IP addresses the DNS server will listen on.
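The address-match lists above decide who may recurse and who may pull zones, so it is worth checking them before deploying. The following is an added example (not part of the original post or of BIND) that parses the three lists from a constructed copy of the options block, answers "is this client allowed?", and flags a list that is open to everyone; like BIND it rejects a prefix with host bits set such as 10.0.0.1/16.

```python
import ipaddress
import re

# Constructed sample: the options block from the named.conf above, with the
# 86.X.Y.Z placeholder omitted because it is not a parseable address.
SAMPLE_OPTIONS = """
options {
directory       "/etc/namedb";
forwarders      { 213.157.176.3; 213.157.176.1; };
allow-recursion { 10.0.0.0/16; 127.0.0.1; };
allow-transfer  { 213.157.176.3; 213.157.176.1; 192.162.16.0/24; };
listen-on       { 127.0.0.1; };
};
"""
ACL_RE = re.compile(r"(allow-recursion|allow-transfer|listen-on)\s*\{([^}]*)\}")

def parse_acls(conf):
    # Returns {statement: [network, ...]}. Only literal addresses, prefixes and the
    # keywords any/none are handled, not named acl blocks or '!' negation.
    acls = {}
    for stmt, body in ACL_RE.findall(conf):
        nets = []
        for item in filter(None, (i.strip() for i in body.split(";"))):
            if item == "none":
                continue
            if item == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
                continue
            try:  # strict=True mirrors BIND, which rejects 10.0.0.1/16 (host bits set)
                nets.append(ipaddress.ip_network(item, strict=True))
            except ValueError as e:
                raise ValueError(f"{stmt}: invalid address or prefix '{item}'") from e
        acls[stmt] = nets
    return acls

def is_allowed(acls, stmt, client_ip):
    # True if client_ip matches an entry of the statement's address-match list.
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in acls.get(stmt, []))

def open_to_world(acls, stmt):
    # Flags a list that matches every host (any / 0.0.0.0/0): for allow-transfer
    # that means anyone can pull the whole zone, for allow-recursion an open resolver.
    return any(net.prefixlen == 0 for net in acls.get(stmt, []))
```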


Step 2. Create the file for the domain "example.com" (we assume example.com is the domain you want to set up) with the following content:

$TTL 3600        ; 1 hour
example.com.    IN      SOA     ns1.example.com. admin.example.com. (
                2006051501      ; Serial
                10800           ; Refresh
                3600            ; Retry
                604800          ; Expire
                86400           ; Minimum TTL
                )
; DNS Servers
@               IN      NS      ns1.example.com.
@               IN      NS      ns2.example.com.
; MX Records
@               IN      MX 10   mx.example.com.
@               IN      MX 20   mail.example.com.
@               IN      A       86.X.Y.Z
; Machines
localhost       IN      A       127.0.0.1
ns1             IN      A       86.X.Y.Z
ns2             IN      A       86.X.Y.Z
mx              IN      A       86.X.Y.Z
mail            IN      A       86.X.Y.Z
; Aliases
www             IN      CNAME   @
Note: be careful not to omit the trailing "." after every fully qualified host name in the zone. If you omit it, BIND appends the zone origin (in our case example.com) to the name, so "ns1.example.com" without the dot becomes ns1.example.com.example.com. A trailing "." at the end of a hostname in the zone means the name is taken exactly as written.


Step 3. Add in /etc/resolv.conf the following line:
nameserver 127.0.0.1

Step 4. Test the DNS server
After you've configured bind (named.conf) and created the zone file, start the bind service to test whether it works. After you've started bind (/etc/rc.d/named forcestart) you should get an answer when pinging the domain name from localhost. Try to ping every hostname defined as an A record in your zone file.

Note: the names used in NS and MX records must all have A records defined in the zone in order to work properly. If the NS and MX targets do not have A records with the same name, they will not answer to ping from localhost or from outside, and the zone will not work.
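The two notes above (the trailing dot in Step 2, and NS/MX targets needing A records) are easy to check before starting bind. The following is an added example, not part of the original post, that parses a constructed zone laid out like the one in Step 2 and reports both problems; it assumes the record layout used there (owner, IN, type, optional priority, target) and deliberately contains a ns2 entry without the trailing dot.

```python
import re
# Constructed sample zone, modelled on the example.com zone above, with one
# deliberate mistake: ns2 has no trailing dot and no A record in this zone.
ORIGIN = "example.com."
SAMPLE_ZONE = """\
$TTL 3600        ; 1 hour
@       IN      SOA     ns1.example.com. admin.example.com. (
                2006051501 10800 3600 604800 86400 )   ; serial refresh retry expire minimum
@       IN      NS      ns1.example.com.
@       IN      NS      ns2.example.com
@       IN      MX 10   mx.example.com.
@       IN      A       192.0.2.10
ns1     IN      A       192.0.2.10
mx      IN      A       192.0.2.10
"""

def absolute(name, origin):
    # BIND's rule: '@' is the origin; a name without a trailing dot gets the origin appended.
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    # Returns (owner, type, target) for NS, MX and A records, assuming the layout
    # above (owner, IN, type, [priority], target). The parenthesised SOA is dropped.
    text = re.sub(r"\([^)]*\)", "", text)
    records = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()          # strip comments, tokenise
        if len(fields) < 3 or fields[0].startswith("$"):
            continue
        rest = fields[2:] if fields[1] == "IN" else fields[1:]
        if rest[0] in ("NS", "MX", "A"):
            records.append((absolute(fields[0], origin), rest[0], rest[-1]))
    return records

def lint_zone(text, origin):
    # Reports NS/MX targets without a trailing dot, and in-zone NS/MX targets that
    # have no A record. Targets outside the zone need no A record here.
    records = parse_zone(text, origin)
    a_names = {owner for owner, rtype, _ in records if rtype == "A"}
    problems = []
    for _, rtype, target in records:
        if rtype not in ("NS", "MX"):
            continue
        full = absolute(target, origin)
        if not target.endswith("."):
            problems.append(f"{rtype} {target}: no trailing dot, BIND reads it as {full}")
        if (full == origin or full.endswith("." + origin)) and full not in a_names:
            problems.append(f"{rtype} {full}: no A record in the zone")
    return problems
```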

Test example (from localhost):
#ping ns1.example.com

If the hosts defined in the DNS server zone answer to ping from localhost, everything works locally. To test from outside you must wait for the DNS to propagate to the Internet, which can take up to 24 hours.

Then you should get the proper answers to queries on the zone records (NS, MX, subdomains).

If the DNS server does not answer when you ping A records from localhost:
- check if the name server is started (ps awux | grep named)
- check if the name server is listening on port 53 (netstat -an | grep 53)
- you can start named in the foreground with "named -f" to see the error messages, or you can enable logging for the named service

Note that port 953 must also be reachable, since it is used by rndc to reload the named server; it only needs to be open to localhost, where rndc normally runs, and should not be exposed to the Internet.

Test the DNS server with dig:

dig @127.0.0.1 example.com any
If you do not want to see all records but only MX or NS, replace "any" with NS or MX. If dig returns the records defined in your zone then you've successfully set up your DNS server, and you must wait for the DNS records to propagate to the Internet.

Test DNS Server with nslookup:

#nslookup
>set q=any
>example.com
^D
Example:
webserver# nslookup
> set q=any
> example.com
Server:         127.0.0.1
Address:        127.0.0.1#53
example.com
origin = ns1.example.com
mail addr = webmaster.example.com
serial = 2007061061
refresh = 21600
retry = 3600
expire = 604800
minimum = 86400
example.com    nameserver = ns1.example.com.
example.com    mail exchanger = 10 mail.example.com.
Name:   example.com
Address: 86.X.Y.Z
Query the DNS Server by using local DNS server:

> lserver example.com
Default server: example.com
Address: 86.X.Y.Z#53
Example DNS server query for MX records with nslookup:

# nslookup -type=mx example.com
Server:         127.0.0.1
Address:        127.0.0.1#53
example.com    mail exchanger = 10 mail.example.com.
Query the DNS server in verbose mode, useful for debugging:
> set debug
> example.com
Server:         127.0.0.1
Address:        127.0.0.1#53
------------
QUESTIONS:
example.com, type = A, class = IN
ANSWERS:
->  example.com
internet address = 86.X.Y.Z
AUTHORITY RECORDS:
->  example.com
nameserver = ns1.example.com.
ADDITIONAL RECORDS:
->  ns1.example.com
internet address = 86.X.Y.Z
------------
Name:   example.com
Address: 86.X.Y.Z
Query of the DNS server in more verbose mode (debug 2):
> set d2
> example.com
How to configure a Slave DNS server:

The Slave DNS server is usually set up for redundancy. It shares the load with the Master DNS server and answers DNS requests if the Master DNS server is not accessible. Using two Master DNS servers is possible but usually not recommended. You can use multiple Slave DNS servers. A Slave DNS server can transfer DNS zones to other Slave DNS servers (if it is configured to do that, of course).
How it works: the Master DNS server reads the DNS records from its zone file and then sends those records to the Slave DNS server (a zone transfer). The zone file on the Slave DNS server is a copy of the zone file on the Master DNS server.
Example zone definitions for the Master and Slave DNS servers:
// On the Master DNS server (the slave's IP must be listed in allow-transfer):
zone "example.com" in {
type master;
file "/etc/namedb/example.com";
};
// On the Slave DNS server (the zone is fetched from the master and saved locally):
zone "example.com" in {
type slave;
file "/etc/namedb/slave.example.com";
masters { 86.X.Y.Z; };
};