linux_wiki:configure_a_caching-only_name_server

linux_wiki:configure_a_caching-only_name_server [2016/09/29 22:45]
billdozor [DNS Caching Server: Unbound]
linux_wiki:configure_a_caching-only_name_server [2018/05/19 14:10]
billdozor [DNS Caching Server: Bind]
Line 6: Line 6:
  
 The exam requires you to setup a DNS caching server. It does not specify which one. The exam requires you to setup a DNS caching server. It does not specify which one.
 +
 +----
 +
 +====== Lab Setup ======
 +
 +The following virtual machines will be used:
 +  * server1.example.com (192.168.1.150) -> Perform all connectivity tests from here
 +  * server2.example.com (192.168.1.151) -> Install DNS caching here
 +  * ipa.example.com (192.168.1.152) -> DNS Server Here installed with FreeIPA
  
 ---- ----
Line 12: Line 21:
  
 Installing and configuring the unbound DNS caching only server. Installing and configuring the unbound DNS caching only server.
 +
 +  * **Advantages**: All config you need is included.
 +  * **Disadvantage**: Need to remember which ones to uncomment and modify, need to remember to run unbound-control-setup, very long config file.
  
 \\ \\
-Install required packages+server2: Install required packages
 <code bash> <code bash>
 yum install unbound yum install unbound
Line 20: Line 32:
  
 \\ \\
-Enable the service+server2: Enable the service
 <code bash> <code bash>
 systemctl enable unbound systemctl enable unbound
Line 26: Line 38:
  
 \\ \\
-Open the firewall+server2: Open the firewall
 <code bash> <code bash>
 firewall-cmd --permanent --add-service=dns firewall-cmd --permanent --add-service=dns
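Review bot: `firewall-cmd --permanent --add-service=dns` only changes the saved configuration; the running firewall stays closed until `firewall-cmd --reload` (or the same command run again without `--permanent`). If the lines cut off after this hunk don't already do that, the client test later on the page fails with a timeout rather than a refusal. Since this opens port 53 to everything the zone allows, the `access-control` line in unbound.conf (and `allow-query` in named.conf) is what actually limits who may query this server, which is worth saying here.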
Line 33: Line 45:
  
 \\ \\
-Prevent errors about server-keys not existing+server2: Prevent errors about server-keys not existing
 <code bash> <code bash>
 unbound-control-setup unbound-control-setup
Line 39: Line 51:
  
 \\ \\
-Configure to accept on any interface and allow from certain networks+Unbound has almost all config commented out by default. Uncomment and modify items.
 <code bash> <code bash>
 vim /etc/unbound/unbound.conf vim /etc/unbound/unbound.conf
  
 +## Listen on all interfaces
 +# uncomment/modify near config line 30
 interface: 0.0.0.0 interface: 0.0.0.0
 +
 +## Allow queries from local networks
 +# uncomment/modify near config line 180
 access-control: 192.168.1.0/24 allow access-control: 192.168.1.0/24 allow
-</code> 
  
-\\ +## Disable dns-sec for local domain 
-Configure a fowarder (DNS server that should receive requests the caching server doesn't know) +# uncomment/modify near config line 375 
-<code bash> +domain-insecure: "example.com"
-vim /etc/unbound/unbound.conf+
  
 +## Configure forward zone
 +# uncomment/modify near config line 550
 forward-zone: forward-zone:
   name: "."   name: "."
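Review bot: `interface: 0.0.0.0` binds IPv4 only, and with the default unbound.conf any source not matched by an `access-control` line is refused, so the `192.168.1.0/24 allow` entry is the one thing that keeps this from becoming an open resolver once the firewall opens port 53; the comment above it should say so. The new `domain-insecure: "example.com"` line also fixes the missing colon in the old revision's `domain-insecure"example.com"`, and it is the narrower choice: it skips DNSSEC validation for that one zone only, unlike the `dnssec-validation no;` used in the Bind section further down, which turns validation off for every lookup.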
Line 58: Line 75:
  
 \\ \\
-Unbound requires DNSSEC validation by default. Disable for internal DNS that do not have this setup +server2: Verify configuration
-<code bash> +
-vim /etc/unbound/unbound.conf +
- +
-domain-insecure"example.com" +
-</code> +
- +
-\\ +
-Verify configuration+
 <code bash> <code bash>
 unbound-checkconf unbound-checkconf
Line 72: Line 81:
  
 \\ \\
-Start the unbound service+server2: Start the unbound service
 <code bash> <code bash>
 systemctl start unbound systemctl start unbound
Line 78: Line 87:
  
 \\ \\
-Configure a different system to use the DNS caching server+**Client Testing** 
 + 
 +server1: Configure a different system to use the DNS caching server
 <code bash> <code bash>
 nmcli con mod eth0 ipv4.dns 192.168.1.151 nmcli con mod eth0 ipv4.dns 192.168.1.151
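Review bot: `nmcli con mod eth0 ipv4.dns 192.168.1.151` edits the stored profile only; it takes effect when the connection is re-activated (`nmcli con up eth0`), and on a DHCP-configured connection the DHCP-supplied servers remain in /etc/resolv.conf alongside the added one unless `ipv4.dns-search`/`ipv4.ignore-auto-dns yes` are also set. If the lines after this hunk don't already cover that, the later `dig` can be answered by the old resolver and the test proves nothing about server2.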
Line 84: Line 95:
  
 \\ \\
-Test a DNS lookup+server1: Test a DNS lookup
 <code bash> <code bash>
 dig server3.example.com dig server3.example.com
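Review bot: `server3.example.com` is not one of the hosts in the new Lab Setup section (server1, server2, ipa), so a reader can't tell whether an empty answer means the caching server is broken or the name simply doesn't exist in the ipa zone. Use `ipa.example.com` as the Bind section's test does, and query the caching server explicitly with `dig @192.168.1.151 ipa.example.com` so the `SERVER:` line in the output confirms which resolver actually answered.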
Line 93: Line 104:
 ====== DNS Caching Server: Bind ====== ====== DNS Caching Server: Bind ======
  
 +Installing and configuring the bind DNS caching only server.
 +
 +  * **Advantages**: Much smaller config file, everything you need except 1 config part is uncommented (just modify)
 +  * **Disadvantages**: Need to memorize how to create a forward zone
 +
 +\\
 Install required packages Install required packages
 <code bash> <code bash>
Line 118: Line 135:
 vim /etc/named.conf vim /etc/named.conf
  
 +# existing config items, modify
 listen-on port 53 { any; }; listen-on port 53 { any; };
-allow-query { any; };+allow-query { 192.168.1.0/24; 127.0.0.1; };
  
 +# copy and paste allow-query line and change to allow-transfer
 +allow-transfer { 192.168.1.0/24; 127.0.0.1; };
 +
 +# existing config item, modify to no
 dnssec-validation no; dnssec-validation no;
 +
 +# new entry for forward zone - needs to be memorized
 +zone "example.com" IN {
 +  type forward;
 +  forwarders { 192.168.1.152; };
 +};
 </code> </code>
   * listen on any IP   * listen on any IP
-  * allow queries from any sources+  * allow queries/transfers from local private network (192.168.1.0/24)
   * do not validate local lookups   * do not validate local lookups
 +  * zone
 +    * "example.com" -> local domain
 +    * type forward;  -> act as a forwarder for these zone lookups
 +    * forwarders { 192.168.1.152; };  -> forward to this DNS entry
  
 \\ \\
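Review bot: the bullet "do not validate local lookups" understates `dnssec-validation no;`: it disables DNSSEC validation for every lookup this server performs, not just the example.com forward zone, and the bullet should say that. Two smaller points in the same block: `allow-transfer` has no effect on a caching-only server, since zone transfers apply only to zones it is authoritative for and the only zone here is `type forward`, so the pasted line can be dropped; and the forward zone would be clearer with `forward only;` next to `forwarders { 192.168.1.152; };`, because the default (`forward first`) falls back to normal recursion from the root servers when 192.168.1.152 does not answer, which for an internal-only domain yields a slow NXDOMAIN instead of an obvious failure.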
Line 141: Line 173:
  
 \\ \\
-Test domain lookup+**Client Testing** 
 + 
 +server1: Configure different system to use the DNS caching server
 <code bash> <code bash>
-nslookup google.com 127.0.0.1+nmcli con mod eth0 ipv4.dns 192.168.1.151 
 +</code>
  
-OR +\\ 
- +server1: Test a ping and DNS lookup 
-dig @127.0.0.1 google.com+<code bash> 
 +ping ipa 
 +dig ipa.example.com
 </code> </code>
  
 ---- ----
  
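Review bot: `ping ipa` only resolves if a search domain of example.com is present in /etc/resolv.conf, and the `nmcli con mod eth0 ipv4.dns` line above sets no `ipv4.dns-search`, so on a statically configured client this first test can fail for reasons unrelated to the caching server. Lead with `dig ipa.example.com` (or `dig @192.168.1.151 ipa.example.com` to pin the server under test and check its `SERVER:` line) and treat the ping as an optional follow-up.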
  • linux_wiki/configure_a_caching-only_name_server.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)