[[linux_wiki:configure_a_caching-only_name_server]]

Differences

This shows you the differences between two versions of the page.


linux_wiki:configure_a_caching-only_name_server [2018/05/19 18:10]
billdozor [DNS Caching Server: Bind]
linux_wiki:configure_a_caching-only_name_server [2019/05/26 03:50]
Line 1: Line 1:
-====== Configure A Caching-only Name Server ====== 
- 
-**General Information** 
- 
-Caching-only name servers are non-authoritative. They perform lookups inside or outside the zone and cache the results to use locally. 
- 
-The exam requires you to setup a DNS caching server. It does not specify which one. 
- 
----- 
- 
-====== Lab Setup ====== 
- 
-The following virtual machines will be used: 
-  * server1.example.com (192.168.1.150) -> Perform all connectivity tests from here 
-  * server2.example.com (192.168.1.151) -> Install DNS caching here 
-  * ipa.example.com (192.168.1.152) -> DNS Server Here installed with FreeIPA 
- 
----- 
- 
-====== DNS Caching Server: Unbound ====== 
- 
-Installing and configuring the unbound DNS caching only server. 
- 
-  * **Advantages**:​ All config you need is included. 
-  * **Disadvantage**:​ Need to remember which ones to uncomment and modify, need to remember to run unbound-control-setup,​ very long config file. 
- 
-\\ 
-server2: Install required packages 
-<code bash> 
-yum install unbound 
-</​code>​ 
- 
-\\ 
-server2: Enable the service 
-<code bash> 
-systemctl enable unbound 
-</​code>​ 
- 
-\\ 
-server2: Open the firewall 
-<code bash> 
-firewall-cmd --permanent --add-service=dns 
-firewall-cmd --reload 
-</​code>​ 
- 
-\\ 
-server2: Prevent errors about server-keys not existing 
-<code bash> 
-unbound-control-setup 
-</​code>​ 
- 
-\\ 
-Unbound has almost all config commented out by default. Uncomment and modify items. 
-<code bash> 
-vim /​etc/​unbound/​unbound.conf 
- 
-## Listen on all interfaces 
-# uncomment/​modify near config line 30 
-interface: 0.0.0.0 
- 
-## Allow queries from local networks 
-# uncomment/​modify near config line 180 
-access-control:​ 192.168.1.0/​24 allow 
- 
-## Disable dns-sec for local domain 
-# uncomment/​modify near config line 375 
-domain-insecure:​ "​example.com"​ 
- 
-## Configure forward zone 
-# uncomment/​modify near config line 550 
-forward-zone:​ 
-  name: "​."​ 
-  forward-addr:​ 192.168.1.152 
-</​code>​ 
- 
-\\ 
-server2: Verify configuration 
-<code bash> 
-unbound-checkconf 
-</​code>​ 
- 
-\\ 
-server2: Start the unbound service 
-<code bash> 
-systemctl start unbound 
-</​code>​ 
- 
-\\ 
-**Client Testing** 
- 
-server1: Configure a different system to use the DNS caching server 
-<code bash> 
-nmcli con mod eth0 ipv4.dns 192.168.1.151 
-</​code>​ 
- 
-\\ 
-server1: Test a DNS lookup 
-<code bash> 
-dig server3.example.com 
-</​code>​ 
- 
----- 
- 
-====== DNS Caching Server: Bind ====== 
- 
-Installing and configuring the bind DNS caching only server. 
- 
-  * **Advantages**:​ Much smaller config file, everything you need except 1 config part is uncommented (just modify) 
-  * **Disadvantages**:​ Need to memorize how to create a forward zone 
- 
-\\ 
-Install required packages 
-<code bash> 
-yum install bind bind-utils 
-</​code>​ 
-  * bind -> server package 
-  * bind-utils -> client utilities 
- 
-\\ 
-Enable the service 
-<code bash> 
-systemctl enable named 
-</​code>​ 
- 
-\\ 
-Open the firewall for DNS 
-<code bash> 
-firewall-cmd --permanent --add-service=dns 
-firewall-cmd --reload 
-</​code>​ 
- 
-\\ 
-Make some named configuration changes 
-<code bash> 
-vim /​etc/​named.conf 
- 
-# existing config items, modify 
-listen-on port 53 { any; }; 
-allow-query { 192.168.1.0/​24;​ 127.0.0.1; }; 
- 
-# copy and paste allow-query line and change to allow-transfer 
-allow-transfer { 192.168.1.0/​24;​ 127.0.0.1; }; 
- 
-# existing config item, modify to no 
-dnssec-validation no; 
- 
-# new entry for forward zone - needs to be memorized 
-zone "​example.com"​ IN { 
-  type forward; 
-  forwarders { 192.168.1.152;​ }; 
-}; 
-</​code>​ 
-  * listen on any IP 
-  * allow queries/​transfers from local private network (192.168.1.0/​24) 
-  * do not validate local lookups 
-  * zone 
-    * "​example.com"​ -> local domain 
-    * type forward; ​ -> act as a forwarder for these zone lookups 
-    * forwarders { 192.168.1.152;​ };  -> forward to this DNS entry 
- 
-\\ 
-Check named.conf config syntax 
-<code bash> 
-named-checkconf 
-</​code>​ 
-  * No output = no mistakes 
- 
-\\ 
-Start the named service 
-<code bash> 
-systemctl start named 
-</​code>​ 
- 
-\\ 
-**Client Testing** 
- 
-server1: Configure a different system to use the DNS caching server 
-<code bash> 
-nmcli con mod eth0 ipv4.dns 192.168.1.151 
-</​code>​ 
- 
-\\ 
-server1: Test a ping and DNS lookup 
-<code bash> 
-ping ipa 
-dig ipa.example.com 
-</​code>​ 
- 
----- 
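Review bot: `dnssec-validation no;` in the Bind block turns DNSSEC validation off for every name the cache resolves, not only for the local zone, so the bullet "do not validate local lookups" understates what the line does; the Unbound block handles the same need more narrowly with `domain-insecure: "example.com"`, which keeps validation on for everything else. Suggest leaving the default `dnssec-validation yes;` in named.conf and scoping the exception to the unsigned zone (newer BIND releases offer `validate-except` for this) rather than disabling validation globally. The `allow-transfer` line added alongside `allow-query` has nothing to act on here, since a `type forward;` zone holds no data to transfer, so it can be dropped to keep the caching-only config minimal.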
  
  • linux_wiki/configure_a_caching-only_name_server.txt
  • Last modified: 2019/05/26 03:50
  • (external edit)