I started some home lab cleanup this long weekend, and one of the first steps was to set up a separate DNS server for the lab. This is really just to make it easier for me to try some automation tricks without risking breaking the home DNS. This new DNS system will forward requests to my main DNS server and also host DNS for lab.m57.local.
For the first step, let's get the lab its own DNS server. For that system, I built a new VM with 4 vCPUs and 8GB of RAM. It's a little much for a DNS server, but I wanted the system to have plenty of free resources for later. The disk layout is as follows;
Mount Point   Size
/boot         1GB
/             60GB
/var          5GB
/var/log      5GB
/home         5GB
As a note, all of this is done as the root user.
Next, it got a static IP, and I patched it using the following dnf command;
dnf update -y
Next, I rebooted and then got started on the real work!
First, I installed bind, the DNS server;
dnf install bind bind-utils -y
Next up, add port 53 to the firewall so clients can use the server. This is done with two commands, the first to add the port, and the second to reload the firewall.
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --reload
Next, let’s configure the /etc/named.conf configuration file to meet the needs. In the options section comment out the listen-on entries, and in the allow-query section add in the homenet IP address range;
Next up, we will add the forwarders to the file. This is added in the options section, and simply lists the DNS servers that requests for unknown names will be forwarded to;
/* DNS forwarding */
forwarders {
192.168.200.11;
192.168.200.41;
};
When done, the options section should look similar to the following;
options {
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { localhost; 192.168.200.0/21; };
/* DNS forwarding */
forwarders {
192.168.200.11;
192.168.200.41;
};
};
The next steps are optional, but it is helpful to allow this server to resolve lab.m57.local. To do this, I will add entries at the bottom of /etc/named.conf that point to the files for the forward and reverse lookups. As a reminder, a reverse lookup zone names the IP address range backward, so 192.168.204 becomes 204.168.192 in the zone name.
This section looks like the following;
//Forward Zone
zone "lab.m57.local" IN {
type master;
file "lab.m57.local.db";
allow-update { none; };
};
//Reverse Zone
zone "204.168.192.in-addr.arpa" IN {
type master;
file "192.168.204.db";
allow-update { none; };
};
Next we need to make the two zone files. The first is for forward lookups, that is, turning a name into an IP address. This is in the file /var/named/lab.m57.local.db
[root@dns ~]# more /var/named/lab.m57.local.db
$TTL 86400
@ IN SOA dns.lab.m57.local. root.lab.m57.local. (
3 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
;Name Server Information
@ IN NS dns.lab.m57.local.
;IP address of Name Server
dns IN A 192.168.204.11
For now, there is a single server, dns.lab.m57.local. Also, as a note, the ; is the comment symbol in DNS zone files. Do not use #, as that could be the first character in a server name!
Next we start the reverse lookup. This maps an IP address back to a server name, basically 192.168.204.11 to dns.lab.m57.local. The file is /var/named/192.168.204.db
[root@dns ~]# more /var/named/192.168.204.db
$TTL 86400
@ IN SOA dns.lab.m57.local. root.lab.m57.local. (
3 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
;Name Server Information
@ IN NS dns.lab.m57.local.
;Reverse lookup for Name Server
11 IN PTR dns.lab.m57.local.
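Before handing the files to named, it is worth cross-checking the forward and reverse zones against each other. The script below is an added example, not part of the original post: it embeds the two zone files as constructed strings (including the dns.lab.m57.locsl typo that shows up in the dig AUTHORITY section further down) and flags an NS target with no A record as well as a PTR whose address disagrees with the forward A record.

```python
# Added example, not from the original post: cross-check the forward zone
# against the reverse zone. It flags an NS target with no A record (the
# lab.m57.locsl typo) and a PTR whose address disagrees with the forward A.
FWD_ORIGIN, REV_ORIGIN = "lab.m57.local.", "204.168.192.in-addr.arpa."
FORWARD = """$TTL 86400
@ IN SOA dns.lab.m57.local. root.lab.m57.local. ( 3 3600 1800 604800 86400 )
@ IN NS dns.lab.m57.locsl.   ;typo copied from the post: no such host
dns IN A 192.168.204.11
"""
REVERSE = """$TTL 86400
@ IN SOA dns.lab.m57.local. root.lab.m57.local. ( 3 3600 1800 604800 86400 )
@ IN NS dns.lab.m57.local.
11 IN PTR dns.lab.m57.local.
"""

def fqdn(name, origin):  # expand @ and relative names as BIND does with $ORIGIN
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def records(zone_text, origin):  # yield (owner_fqdn, rtype, rdata_tokens)
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a zone-file comment
        if not line or line.startswith("$"):
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:  # still inside a multi-line ( ... ) record such as SOA
            continue
        toks = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        i = toks.index("IN")  # the class field separates owner from type
        yield fqdn(toks[0] if i else "@", origin), toks[i + 1], toks[i + 2:]

def check(forward, fwd_origin, reverse, rev_origin):  # [] means zones agree
    a, ns, problems = {}, [], []
    for owner, rtype, rdata in records(forward, fwd_origin):
        if rtype == "A":
            a[owner] = rdata[0]
        elif rtype == "NS":
            ns.append(fqdn(rdata[0], fwd_origin))
    problems += [f"NS {n} has no A record in {fwd_origin}" for n in ns if n not in a]
    for owner, rtype, rdata in records(reverse, rev_origin):
        if rtype != "PTR":
            continue
        ip = ".".join(reversed(owner.removesuffix(".in-addr.arpa.").split(".")))
        target = fqdn(rdata[0], rev_origin)
        if a.get(target) != ip:
            problems.append(f"PTR {ip} -> {target} but forward A is {a.get(target)}")
    return problems
```

Run check() on the real files read from /var/named to get the same report for your own zones; named-checkzone will still be needed for full syntax validation.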
Now, let's check the config with the following command;
named-checkconf /etc/named.conf
Finally, we will start the server and configure it to start on boot, before testing;
systemctl start named
systemctl enable named
We can check if named is running using “systemctl status named”
[root@dns ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2023-10-09 21:41:09 EDT; 36min ago
Process: 9014 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 9030 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 9028 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo>
Main PID: 9032 (named)
Tasks: 5 (limit: 23453)
Memory: 15.9M
CGroup: /system.slice/named.service
└─9032 /usr/sbin/named -u named -c /etc/named.conf
Oct 09 21:41:11 dns.lab.m57.local named[9032]: no valid RRSIG resolving './NS/IN': 198.97.190.53#53
Oct 09 21:41:11 dns.lab.m57.local named[9032]: validating ./NS: no valid signature found
Oct 09 21:41:11 dns.lab.m57.local named[9032]: no valid RRSIG resolving './NS/IN': 192.5.5.241#53
Oct 09 21:41:11 dns.lab.m57.local named[9032]: validating ./NS: no valid signature found
Oct 09 21:41:11 dns.lab.m57.local named[9032]: no valid RRSIG resolving './NS/IN': 199.9.14.201#53
Oct 09 21:41:11 dns.lab.m57.local named[9032]: validating ./NS: no valid signature found
Oct 09 21:41:11 dns.lab.m57.local named[9032]: no valid RRSIG resolving './NS/IN': 192.203.230.10#53
Oct 09 21:41:11 dns.lab.m57.local named[9032]: validating ./NS: no valid signature found
Oct 09 21:41:11 dns.lab.m57.local named[9032]: no valid RRSIG resolving './NS/IN': 199.7.91.13#53
Oct 09 21:41:11 dns.lab.m57.local named[9032]: resolver priming query complete
We can now test the new DNS system with dig. In the example I also force dig to query this server directly with the @SERVER option.
[root@dns ~]# dig @192.168.204.11 dns.lab.m57.local
; <<>> DiG 9.11.36-RedHat-9.11.36-8.el8_8.2 <<>> @192.168.204.11 dns.lab.m57.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28850
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 692577f1a747e044da7d0f1a6524b229dc7aff9b73a393de (good)
;; QUESTION SECTION:
;dns.lab.m57.local. IN A
;; ANSWER SECTION:
dns.lab.m57.local. 86400 IN A 192.168.204.11
;; AUTHORITY SECTION:
lab.m57.local. 86400 IN NS dns.lab.m57.locsl.
;; Query time: 2 msec
;; SERVER: 192.168.204.11#53(192.168.204.11)
;; WHEN: Mon Oct 09 22:08:41 EDT 2023
;; MSG SIZE rcvd: 121
[root@dns ~]#
All done! Now all I need to do is start making a ton of new DNS entries!