Configure A Caching-only Name Server

General Information

Caching-only name servers are non-authoritative. They perform lookups inside or outside the zone and cache the results to use locally.

The exam requires you to set up a DNS caching server; it does not specify which one.


Lab Setup

The following virtual machines will be used:


DNS Caching Server: Unbound

Installing and configuring the Unbound DNS caching-only server.


server2: Install required packages

yum install unbound


server2: Enable the service

systemctl enable unbound


server2: Open the firewall

firewall-cmd --permanent --add-service=dns
firewall-cmd --reload


server2: Prevent errors about server-keys not existing

unbound-control-setup


Unbound ships with almost all settings commented out by default. Uncomment and modify the following items.

vim /etc/unbound/unbound.conf
 
## Listen on all interfaces
# uncomment/modify near config line 30
interface: 0.0.0.0
 
## Allow queries from local networks
# uncomment/modify near config line 180
access-control: 192.168.1.0/24 allow
 
## Disable DNSSEC validation for the local domain
# uncomment/modify near config line 375
domain-insecure: "example.com"
 
## Configure forward zone
# uncomment/modify near config line 550
forward-zone:
  name: "."
  forward-addr: 192.168.1.152


server2: Verify configuration

unbound-checkconf


server2: Start the unbound service

systemctl start unbound


Client Testing

server1: Configure a different system to use the DNS caching server

nmcli con mod eth0 ipv4.dns 192.168.1.151


server1: Test a ping and DNS lookup

ping ipa
dig ipa.example.com


DNS Caching Server: Bind

Installing and configuring the BIND DNS caching-only server.


Install required packages

yum install bind bind-utils


Enable the service

systemctl enable named


Open the firewall for DNS

firewall-cmd --permanent --add-service=dns
firewall-cmd --reload


Make some named configuration changes

vim /etc/named.conf
 
# existing config items, modify
listen-on port 53 { any; };
allow-query { 192.168.1.0/24; 127.0.0.1; };
 
# copy and paste allow-query line and change to allow-transfer
allow-transfer { 192.168.1.0/24; 127.0.0.1; };
 
# existing config item, modify to no
dnssec-validation no;
 
# new entry for forward zone - needs to be memorized
zone "example.com" IN {
  type forward;
  forwarders { 192.168.1.152; };
};


Check named.conf config syntax

named-checkconf


Start the named service

systemctl start named


Client Testing

server1: Configure a different system to use the DNS caching server

nmcli con mod eth0 ipv4.dns 192.168.1.151


server1: Test a ping and DNS lookup

ping ipa
dig ipa.example.com
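The client tests above (for both the Unbound and the BIND setup) only show that a lookup succeeds. The added script below, written for this page and not part of the original notes, sends the same A query twice with nothing but the standard library and reports the response code and answer TTLs: a REFUSED reply means the client address falls outside access-control / allow-query, and a TTL that shrinks between the two attempts shows the second answer was served from the cache. The server address and name are passed on the command line, for example 192.168.1.151 and ipa.example.com from the lab.

```python
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Minimal DNS A query with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg, off):
    """Return the offset just past a name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a two-byte pointer ends the name
            return off + 2
        off += length + 1

def parse_response(msg):
    """Return (rcode, [ttl per answer record]) for a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    ttls = []
    for _ in range(an):
        off = skip_name(msg, off)
        _, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return flags & 0x0F, ttls

def query(server, name, timeout=2.0):
    """Send one UDP query to the caching server and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)

if __name__ == "__main__":
    server, name = sys.argv[1], sys.argv[2]
    for attempt in (1, 2):
        rcode, ttls = query(server, name)
        # REFUSED: client blocked by access-control / allow-query.
        # Shrinking TTL on attempt 2: answer came from the cache.
        print(f"attempt {attempt}: {RCODES.get(rcode, rcode)} ttls={ttls}")
```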