Creating a forwarding DNS server for my lab with Oracle Linux

I started some home lab cleanup this long weekend, and one of the first steps was to set up a separate DNS server for the lab. This is really just to make it easier for me to try some automation tricks without risking breaking the home DNS. This new DNS system will forward requests to my main DNS server and also host DNS for lab.m57.local. 

For the first step, let's get the lab its own DNS server. For that system, I built a new VM with 4 vCPUs and 8GB of RAM. It's a little much for a DNS server, but I wanted the system to have plenty of free resources for later. The disk layout is as follows;

Mount Point    Size
/boot          1GB
/              60GB
/var           5GB
/var/log       5GB
/home          5GB

As a note, all of this is done as the root user;

Next, it got a static IP, and I patched it using the following dnf command;

dnf update -y

Next, I rebooted and then got started on the real work!

First, I installed bind, the DNS server;

dnf install bind bind-utils -y

Next up, add port 53 to the firewall so clients can use the server. This is done with two commands, the first to add the port and the second to reload the firewall configuration.

firewall-cmd --permanent --add-port=53/udp

firewall-cmd --reload

Next, let's configure /etc/named.conf to meet our needs. In the options section, comment out the listen-on entries, and in the allow-query entry add the home network IP address range;

Next up, add the forwarders to the file. This also goes in the options section and simply lists the DNS servers that queries for names this server does not know are forwarded to;

        /* DNS forwarding       */
        forwarders {
                192.168.200.11;
                192.168.200.41;
        };

When done, the options section should look similar to the following;


options {
//      listen-on port 53 { 127.0.0.1; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { localhost; 192.168.200.0/21; };
        /* DNS forwarding       */
        forwarders {
                192.168.200.11;
                192.168.200.41;
        };
};

The next steps are optional, but it is helpful to allow this server to resolve lab.m57.local. To do this, I will add entries at the bottom of the file that point to the files for the forward and reverse lookups. As a reminder, a reverse lookup zone is named with the IP address range written backward, so 192.168.204 becomes 204.168.192 in the zone name (204.168.192.in-addr.arpa).

This section looks like the following;

//Forward Zone
zone "lab.m57.local" IN {
        type master;
        file "lab.m57.local.db";
        allow-update { none; };
};
//Reverse Zone
zone "204.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.204.db";
        allow-update { none; };
};

Next we need to make the two zone files. The first is for forward lookups, that is, turning a name into an IP address. This is the file /var/named/lab.m57.local.db

[root@dns ~]# more /var/named/lab.m57.local.db

$TTL 86400
@   IN  SOA     dns.lab.m57.local. root.lab.m57.local.(
                                              3           ;Serial
                                              3600        ;Refresh
                                              1800        ;Retry
                                              604800      ;Expire
                                              86400       ;Minimum TTL
)
;Name Server Information
@       IN  NS      dns.lab.m57.local.
;IP address of Name Server
dns       IN  A       192.168.204.11

For now, there is a single server, dns.lab.m57.local. Also, note that ; is the comment character in zone files. Do not use #, as BIND does not treat it as a comment in a zone file.

Next we set up the reverse lookup zone. This maps an IP address back to a server name, for example 192.168.204.11 to dns.lab.m57.local. The file is /var/named/192.168.204.db

[root@dns ~]# more /var/named/192.168.204.db

$TTL 86400

@   IN  SOA     dns.lab.m57.local. root.lab.m57.local. (
                                       3           ;Serial
                                       3600        ;Refresh
                                       1800        ;Retry
                                       604800      ;Expire
                                       86400       ;Minimum TTL
)
;Name Server Information
@         IN      NS         dns.lab.m57.local.
;Reverse lookup for Name Server
11       IN  PTR     dns.lab.m57.local.
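As an added check that is not part of the original post: a small Python script that parses the forward and reverse zone files above and cross-checks them, flagging an NS target that has no A record in the forward zone (the kind of slip that appears as dns.lab.m57.locsl. in the dig AUTHORITY section later on this page) and PTR records that disagree with the forward A records. It assumes the name servers live inside the forward zone; the zone text is a constructed copy of the two files above with that misspelling left in so there is something to find.

```python
import re

# Constructed copies of the two lab zone files; the NS record keeps the 'locsl' slip.
FORWARD_ZONE = """$TTL 86400
@   IN  SOA     dns.lab.m57.local. root.lab.m57.local.(
        3 3600 1800 604800 86400 )      ;serial refresh retry expire minimum
@       IN  NS      dns.lab.m57.locsl.
dns     IN  A       192.168.204.11
"""
REVERSE_ZONE = """$TTL 86400
@   IN  SOA     dns.lab.m57.local. root.lab.m57.local. ( 3 3600 1800 604800 86400 )
@   IN  NS      dns.lab.m57.local.
11  IN  PTR     dns.lab.m57.local.
"""

def parse_zone(text, origin):
    """Minimal master-file reader: returns [(owner, rtype, rdata_tokens)].
    Handles $TTL, '@', ';' comments, relative names and the parenthesised
    multi-line SOA; enough for this lab, not a full RFC 1035 parser."""
    origin = origin if origin.endswith(".") else origin + "."
    text = re.sub(r";[^\n]*", "", text)                                  # drop comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " %s " % " ".join(m.group(1).split()), text)  # fold (...)
    records, owner = [], origin
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or line.startswith("$"):
            continue
        if not line[0].isspace():                                        # explicit owner name
            name = tokens.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        while tokens and (tokens[0] == "IN" or tokens[0].isdigit()):     # optional class / TTL
            tokens.pop(0)
        records.append((owner, tokens[0], tokens[1:]))
    return records

def check_zones(forward_text, forward_origin, reverse_text, reverse_origin):
    """Cross-check a forward/reverse zone pair; returns a list of problem strings."""
    fwd = parse_zone(forward_text, forward_origin)
    rev = parse_zone(reverse_text, reverse_origin)
    a_records = {owner: rdata[0] for owner, rtype, rdata in fwd if rtype == "A"}
    problems = []
    for owner, rtype, rdata in fwd + rev:
        if rtype == "NS" and rdata[0] not in a_records:                  # catches the 'locsl' typo
            problems.append(f"{owner} NS {rdata[0]}: no A record in the forward zone")
    for owner, rtype, rdata in rev:
        if rtype == "PTR":                     # 11.204.168.192.in-addr.arpa. -> 192.168.204.11
            ip = ".".join(reversed(owner[: -len(".in-addr.arpa.")].split(".")))
            if a_records.get(rdata[0]) != ip:
                problems.append(f"PTR {ip} -> {rdata[0]}: forward A record is {a_records.get(rdata[0])}")
    return problems
```

Calling check_zones(FORWARD_ZONE, "lab.m57.local", REVERSE_ZONE, "204.168.192.in-addr.arpa") returns one problem line for the NS record; named-checkzone, which ships with BIND, remains the syntax check to run on each file first.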

Now, let's check the config with the following command;

named-checkconf /etc/named.conf

Finally, we will start the server and configure it to start on boot, before testing;

systemctl start named

systemctl enable named

We can check if named is running, using "systemctl status named"

[root@dns ~]# systemctl status  named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2023-10-09 21:41:09 EDT; 36min ago
  Process: 9014 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 9030 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 9028 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo>
 Main PID: 9032 (named)
    Tasks: 5 (limit: 23453)
   Memory: 15.9M
   CGroup: /system.slice/named.service
           └─9032 /usr/sbin/named -u named -c /etc/named.conf
Oct 09 21:41:11 dns.lab.m57.local named[9032]: no valid RRSIG resolving './NS/IN': 198.97.190.53#53
Oct 09 21:41:11 dns.lab.m57.local named[9032]: validating ./NS: no valid signature found
Oct 09 21:41:11 dns.lab.m57.local named[9032]: no valid RRSIG resolving './NS/IN': 192.5.5.241#53
Oct 09 21:41:11 dns.lab.m57.local named[9032]: validating ./NS: no valid signature found
Oct 09 21:41:11 dns.lab.m57.local named[9032]: no valid RRSIG resolving './NS/IN': 199.9.14.201#53
Oct 09 21:41:11 dns.lab.m57.local named[9032]: validating ./NS: no valid signature found
Oct 09 21:41:11 dns.lab.m57.local named[9032]: no valid RRSIG resolving './NS/IN': 192.203.230.10#53
Oct 09 21:41:11 dns.lab.m57.local named[9032]: validating ./NS: no valid signature found
Oct 09 21:41:11 dns.lab.m57.local named[9032]: no valid RRSIG resolving './NS/IN': 199.7.91.13#53
Oct 09 21:41:11 dns.lab.m57.local named[9032]: resolver priming query complete

We can now test the new DNS system with dig. In the example I also force dig to send the query to this server with the @SERVER option.

[root@dns ~]# dig @192.168.204.11 dns.lab.m57.local
; <<>> DiG 9.11.36-RedHat-9.11.36-8.el8_8.2 <<>> @192.168.204.11 dns.lab.m57.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28850
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 692577f1a747e044da7d0f1a6524b229dc7aff9b73a393de (good)
;; QUESTION SECTION:
;dns.lab.m57.local.             IN      A
;; ANSWER SECTION:
dns.lab.m57.local.      86400   IN      A       192.168.204.11
;; AUTHORITY SECTION:
lab.m57.local.          86400   IN      NS      dns.lab.m57.locsl.
;; Query time: 2 msec
;; SERVER: 192.168.204.11#53(192.168.204.11)
;; WHEN: Mon Oct 09 22:08:41 EDT 2023
;; MSG SIZE  rcvd: 121
[root@dns ~]#

All done! Now all I need to do is start making a ton of new DNS entries!
