Differences
This shows you the differences between two versions of the page.
linux_wiki:configure_a_caching-only_name_server [2016/09/29 22:45] billdozor [DNS Caching Server: Unbound] |
linux_wiki:configure_a_caching-only_name_server [2019/05/25 23:50] (current) |
Line 6: | Line 6: | ||
The exam requires you to setup a DNS caching server. It does not specify which one. | The exam requires you to setup a DNS caching server. It does not specify which one. | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ====== Lab Setup ====== | ||
+ | |||
+ | The following virtual machines will be used: | ||
+ | * server1.example.com (192.168.1.150) -> Perform all connectivity tests from here | ||
+ | * server2.example.com (192.168.1.151) -> Install DNS caching here | ||
+ | * ipa.example.com (192.168.1.152) -> DNS Server Here installed with FreeIPA | ||
---- | ---- | ||
Line 12: | Line 21: | ||
Installing and configuring the unbound DNS caching only server. | Installing and configuring the unbound DNS caching only server. | ||
+ | |||
+ | * **Advantages**: | ||
+ | * **Disadvantage**: | ||
\\ | \\ | ||
- | Install required packages | + | server2: |
<code bash> | <code bash> | ||
yum install unbound | yum install unbound | ||
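Review bot: the two new bullets `* **Advantages**:` and `* **Disadvantage**:` are empty, so either fill them in (for example, that unbound validates DNSSEC by default and has a much smaller default config) or drop them until there is something to say; the Bind section later on the page uses the plural "Disadvantages", so the two headings should also agree.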
Line 20: | Line 32: | ||
\\ | \\ | ||
- | Enable the service | + | server2: |
<code bash> | <code bash> | ||
systemctl enable unbound | systemctl enable unbound | ||
Line 26: | Line 38: | ||
\\ | \\ | ||
- | Open the firewall | + | server2: |
<code bash> | <code bash> | ||
firewall-cmd --permanent --add-service=dns | firewall-cmd --permanent --add-service=dns | ||
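Review bot: `firewall-cmd --permanent --add-service=dns` only edits the saved configuration; the running ruleset does not change until `firewall-cmd --reload` (or the same command repeated without `--permanent`) is run, so a reader who goes straight on to start unbound will find queries from server1 still blocked. Note also that this opens port 53 to every source in the default zone, which makes the unbound `access-control` setting the only thing stopping the cache from answering arbitrary clients; the two should be kept in step, or the firewall rule narrowed to the lab network with a rich rule.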
Line 33: | Line 45: | ||
\\ | \\ | ||
- | Prevent errors about server-keys not existing | + | server2: |
<code bash> | <code bash> | ||
unbound-control-setup | unbound-control-setup | ||
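Review bot: the reason for running `unbound-control-setup` has dropped off the right-hand side (the old text read "Prevent errors about server-keys not existing"). Keep one sentence explaining it: the stock unbound.conf enables `remote-control` with a certificate, so `unbound-checkconf` and the service fail with a missing server-key error until this command generates the key and certificate files in the unbound configuration directory.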
Line 39: | Line 51: | ||
\\ | \\ | ||
- | Configure to accept on any interface | + | Unbound has almost all config commented out by default. Uncomment |
<code bash> | <code bash> | ||
vim / | vim / | ||
+ | ## Listen on all interfaces | ||
+ | # uncomment/ | ||
interface: 0.0.0.0 | interface: 0.0.0.0 | ||
+ | |||
+ | ## Allow queries from local networks | ||
+ | # uncomment/ | ||
access-control: | access-control: | ||
- | </ | ||
- | \\ | + | ## Disable dns-sec for local domain |
- | Configure a fowarder (DNS server that should receive requests the caching server doesn' | + | # uncomment/ |
- | <code bash> | + | domain-insecure: |
- | vim / | + | |
+ | ## Configure forward zone | ||
+ | # uncomment/ | ||
forward-zone: | forward-zone: | ||
name: " | name: " | ||
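Review bot: with `interface: 0.0.0.0` the `access-control:` entry is the sole guard against running an open resolver, so its value (cut off in this view) should be an `allow` for the lab network from the Lab Setup, 192.168.1.0/24, with the default `refuse` for 0.0.0.0/0 left in place; the comment "Allow queries from local networks" should say which network. The `domain-insecure:` line turns DNSSEC validation off for whatever name it carries, so it should name only the zone being forwarded (the same name as in `forward-zone:`), and the comment "Disable dns-sec for local domain" would be clearer as "skip DNSSEC validation for the forwarded zone only". The `forward-zone:` block needs a `forward-addr:` line pointing at ipa.example.com (192.168.1.152) for the forward to do anything; the hunk ends before it, so check it survived the reshuffle.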
Line 58: | Line 75: | ||
\\ | \\ | ||
- | Unbound requires DNSSEC validation by default. Disable for internal DNS that do not have this setup | + | server2: Verify configuration |
- | <code bash> | + | |
- | vim / | + | |
- | + | ||
- | domain-insecure: " | + | |
- | </ | + | |
- | + | ||
- | \\ | + | |
- | Verify configuration | + | |
<code bash> | <code bash> | ||
unbound-checkconf | unbound-checkconf | ||
Line 72: | Line 81: | ||
\\ | \\ | ||
- | Start the unbound service | + | server2: |
<code bash> | <code bash> | ||
systemctl start unbound | systemctl start unbound | ||
Line 78: | Line 87: | ||
\\ | \\ | ||
- | Configure a different system to use the DNS caching server | + | **Client Testing** |
+ | |||
+ | server1: | ||
<code bash> | <code bash> | ||
nmcli con mod eth0 ipv4.dns 192.168.1.151 | nmcli con mod eth0 ipv4.dns 192.168.1.151 | ||
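Review bot: `nmcli con mod` only changes the stored connection profile; it takes effect after `nmcli con up eth0`, which the step does not mention. If eth0 gets its address by DHCP, the DHCP-supplied nameservers are also kept alongside 192.168.1.151 unless `ipv4.ignore-auto-dns yes` is set, in which case the later test may be answered by a server other than the cache without the reader noticing.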
Line 84: | Line 95: | ||
\\ | \\ | ||
- | Test a DNS lookup | + | server1: |
<code bash> | <code bash> | ||
- | dig server3.example.com | + | ping ipa |
+ | dig ipa.example.com | ||
</ | </ | ||
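Review bot: `ping ipa` only resolves if server1 has a search domain of example.com configured, which the previous nmcli step does not set; either add `ipv4.dns-search example.com` there or ping the FQDN. For `dig ipa.example.com`, tell the reader to check the `SERVER:` line of the output reads 192.168.1.151#53, since that is the only evidence the caching server, rather than some other configured resolver, answered.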
Line 93: | Line 105: | ||
====== DNS Caching Server: Bind ====== | ====== DNS Caching Server: Bind ====== | ||
+ | Installing and configuring the bind DNS caching only server. | ||
+ | |||
+ | * **Advantages**: | ||
+ | * **Disadvantages**: | ||
+ | |||
+ | \\ | ||
Install required packages | Install required packages | ||
<code bash> | <code bash> | ||
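Review bot: the `* **Advantages**:` and `* **Disadvantages**:` bullets added here are empty as well; fill them in or drop them, and match whichever wording the unbound section settles on.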
Line 118: | Line 136: | ||
vim / | vim / | ||
+ | # existing config items, modify | ||
listen-on port 53 { any; }; | listen-on port 53 { any; }; | ||
- | allow-query { any; }; | + | allow-query { 192.168.1.0/ |
+ | # copy and paste allow-query line and change to allow-transfer | ||
+ | allow-transfer { 192.168.1.0/ | ||
+ | |||
+ | # existing config item, modify to no | ||
dnssec-validation no; | dnssec-validation no; | ||
+ | |||
+ | # new entry for forward zone - needs to be memorized | ||
+ | zone " | ||
+ | type forward; | ||
+ | forwarders { 192.168.1.152; | ||
+ | }; | ||
</ | </ | ||
* listen on any IP | * listen on any IP | ||
- | * allow queries from any sources | + | * allow queries/ |
* do not validate local lookups | * do not validate local lookups | ||
+ | * zone | ||
+ | * " | ||
+ | * type forward; | ||
+ | * forwarders { 192.168.1.152; | ||
\\ | \\ | ||
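Review bot: the new `allow-transfer { 192.168.1.0/...}` line has no purpose on a caching-only server, which holds no zones to transfer; granting transfer rights just because the line is easy to copy widens what the server permits for nothing, so leave it out or set `allow-transfer { none; };`. The bullet "do not validate local lookups" understates `dnssec-validation no;`: in BIND that option switches validation off for every answer the server returns, not only the forwarded zone, unlike unbound's `domain-insecure`; the bullet should say so. In the `zone` block, `type forward;` without a `forward only;` statement defaults to forward first, meaning BIND falls back to iterative resolution if 192.168.1.152 does not answer; add `forward only;` unless that fallback is intended.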
Line 141: | Line 174: | ||
\\ | \\ | ||
- | Test a domain lookup | + | **Client Testing** |
+ | |||
+ | server1: Configure | ||
<code bash> | <code bash> | ||
- | nslookup google.com 127.0.0.1 | + | nmcli con mod eth0 ipv4.dns 192.168.1.151 |
+ | </ | ||
- | OR | + | \\ |
- | + | server1: Test a ping and DNS lookup | |
- | dig @127.0.0.1 google.com | + | <code bash> |
+ | ping ipa | ||
+ | dig ipa.example.com | ||
</ | </ | ||
---- | ---- | ||
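Review bot: the removed test pinned the server with `nslookup google.com 127.0.0.1` / `dig @127.0.0.1 google.com`, which proves the cache itself answered; the replacement `dig ipa.example.com` relies on whatever resolver server1 happens to use. Keep the pinned form as `dig @192.168.1.151 ipa.example.com` alongside the unpinned one, so a reader can tell a working cache from a working DHCP nameserver. This block is otherwise a verbatim copy of the unbound client-testing steps and inherits the same gap: the nmcli change needs `nmcli con up eth0` to take effect.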