====== Configure A Caching-only Name Server ======
**General Information**
Caching-only name servers are non-authoritative: they hold no zone data of their own. They resolve lookups for any zone (by recursion or by forwarding to another server) and cache the answers for reuse by local clients.
The exam requires you to set up a DNS caching server. It does not specify which one.
----
====== Lab Setup ======
The following virtual machines will be used:
* server1.example.com (192.168.1.150) -> Perform all connectivity tests from here
* server2.example.com (192.168.1.151) -> Install DNS caching here
* ipa.example.com (192.168.1.152) -> DNS server installed with FreeIPA; the caching servers forward to it
----
====== DNS Caching Server: Unbound ======
Installing and configuring unbound as a caching-only DNS server.
* **Advantages**: Every option you need is already present in the shipped config file (commented out).
* **Disadvantages**: Need to remember which options to uncomment and modify, need to remember to run unbound-control-setup, very long config file.
\\
server2: Install required packages
yum install unbound
\\
server2: Enable the service
systemctl enable unbound
\\
server2: Open the firewall
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
\\
server2: Prevent errors about server-keys not existing
unbound-control-setup
\\
Almost every option in unbound.conf is commented out by default. Uncomment and modify the following items:
vim /etc/unbound/unbound.conf
## Listen on all interfaces
# uncomment/modify near config line 30
interface: 0.0.0.0
## Allow queries from the local network only
## (with interface: 0.0.0.0 this line is what keeps the server from being an open resolver)
# uncomment/modify near config line 180
access-control: 192.168.1.0/24 allow
## Disable DNSSEC validation for the local domain
# uncomment/modify near config line 375
domain-insecure: "example.com"
## Configure forward zone: send everything (".") to the FreeIPA DNS server
# uncomment/modify near config line 550
forward-zone:
    name: "."
    forward-addr: 192.168.1.152
\\
server2: Verify configuration
unbound-checkconf
\\
server2: Start the unbound service
systemctl start unbound
\\
**Client Testing**
server1: Configure a different system to use the DNS caching server
nmcli con mod eth0 ipv4.dns 192.168.1.151
\\
server1: Test a ping and DNS lookup
ping ipa
dig ipa.example.com
----
====== DNS Caching Server: Bind ======
Installing and configuring BIND as a caching-only DNS server.
* **Advantages**: Much smaller config file; everything except one stanza (the forward zone) is already present and uncommented, so you only modify values.
* **Disadvantages**: Need to memorize how to write a forward zone.
\\
Install required packages
yum install bind bind-utils
* bind -> server package
* bind-utils -> client utilities
\\
Enable the service
systemctl enable named
\\
Open the firewall for DNS
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
\\
Make the following changes to the named configuration:
vim /etc/named.conf
# existing config items, modify
listen-on port 53 { any; };
allow-query { 192.168.1.0/24; 127.0.0.1; };
# copy and paste the allow-query line and change it to allow-transfer
allow-transfer { 192.168.1.0/24; 127.0.0.1; };
# existing config item, modify to no
dnssec-validation no;
# new entry for the forward zone - needs to be memorized
zone "example.com" IN {
    type forward;
    forwarders { 192.168.1.152; };
};
* listen on any IP
* allow queries/transfers from the local private network (192.168.1.0/24) only; a caching-only server has no zones of its own to transfer, so allow-transfer matters little here, but keep it restricted anyway
* do not validate DNSSEC for lookups
* zone
  * "example.com" -> local domain
  * type forward; -> act as a forwarder for lookups in this zone
  * forwarders { 192.168.1.152; }; -> forward to this DNS server
\\
Check the named.conf syntax
named-checkconf
* No output means the syntax is correct
\\
Start the named service
systemctl start named
\\
**Client Testing**
server1: Configure a different system to use the DNS caching server
nmcli con mod eth0 ipv4.dns 192.168.1.151
\\
server1: Test a ping and DNS lookup
ping ipa
dig ipa.example.com
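Added example (not part of the original page) that backs the client tests in both the unbound and the BIND sections: it parses two consecutive dig captures and confirms that the caching server (192.168.1.151) answered with recursion available and served the repeat query from its cache, visible as a TTL that counts down instead of resetting. The two dig outputs are constructed sample text; on the lab network you would fill them with `out1=$(dig @192.168.1.151 ipa.example.com)` and a second capture a few seconds later.

```shell
# Added example (not from the original page): decide from two consecutive
# `dig @192.168.1.151 ipa.example.com` captures whether the caching server
# answered recursively and served the second query from its cache.
# Both dig outputs below are constructed sample text, not real captures.

DIG_FIRST='; <<>> DiG 9.9.4 <<>> @192.168.1.151 ipa.example.com
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
ipa.example.com.    1200    IN    A    192.168.1.152

;; Query time: 23 msec
;; SERVER: 192.168.1.151#53(192.168.1.151)'

DIG_SECOND='; <<>> DiG 9.9.4 <<>> @192.168.1.151 ipa.example.com
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
ipa.example.com.    1187    IN    A    192.168.1.152

;; Query time: 0 msec
;; SERVER: 192.168.1.151#53(192.168.1.151)'

# TTL of the first resource record in the ANSWER SECTION (second field).
answer_ttl() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        in_ans && NF >= 5 && $1 !~ /^;/ { print $2; exit }'
}

# Address that answered, taken from the ";; SERVER:" line.
answering_server() {
    printf '%s\n' "$1" | awk -F'[ #]' '/^;; SERVER:/ { print $3; exit }'
}

# Succeeds when the "ra" (recursion available) flag is set; a caching-only
# resolver that lacks it will not resolve anything for its clients.
recursion_available() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ra[ ;]'
}

# Succeeds when the second answer came from cache: the same server replied
# and the TTL has counted down instead of being reset to the zone's value.
served_from_cache() {
    first=$(answer_ttl "$1"); second=$(answer_ttl "$2")
    [ "$(answering_server "$1")" = "$(answering_server "$2")" ] &&
        [ -n "$first" ] && [ -n "$second" ] && [ "$second" -lt "$first" ]
}
```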
----