====== Configure A Caching-only Name Server ======

**General Information**

Caching-only name servers are non-authoritative. They perform lookups inside or outside the zone and cache the results for local use.

The exam requires you to set up a DNS caching server. It does not specify which one.

----

====== Lab Setup ======

The following virtual machines will be used:

  * server1.example.com (192.168.1.150) -> Perform all connectivity tests from here
  * server2.example.com (192.168.1.151) -> Install DNS caching here
  * ipa.example.com (192.168.1.152) -> DNS server, installed with FreeIPA

----

====== DNS Caching Server: Unbound ======

Installing and configuring the unbound DNS caching-only server.

  * **Advantages**: All the config you need is included.
  * **Disadvantages**: Need to remember which items to uncomment and modify, need to remember to run unbound-control-setup, very long config file.

\\
server2: Install required packages
<code bash>
yum install unbound
</code>

\\
server2: Enable the service
<code bash>
systemctl enable unbound
</code>

\\
server2: Open the firewall
<code bash>
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
</code>

\\
server2: Prevent errors about server keys not existing
<code bash>
unbound-control-setup
</code>

\\
Unbound has almost all config commented out by default. Uncomment and modify the following items.
<code bash>
vim /etc/unbound/unbound.conf

## Listen on all interfaces
# uncomment/modify near config line 30
interface: 0.0.0.0

## Allow queries from local networks
# uncomment/modify near config line 180
access-control: 192.168.1.0/24 allow

## Disable DNSSEC validation for the local domain
# uncomment/modify near config line 375
domain-insecure: "example.com"

## Configure forward zone
# uncomment/modify near config line 550
forward-zone:
    name: "."
    forward-addr: 192.168.1.152
</code>

\\
server2: Verify configuration
<code bash>
unbound-checkconf
</code>

\\
server2: Start the unbound service
<code bash>
systemctl start unbound
</code>

\\
**Client Testing**

server1: Configure a different system to use the DNS caching server
<code bash>
nmcli con mod eth0 ipv4.dns 192.168.1.151
</code>

\\
server1: Test a ping and a DNS lookup
<code bash>
ping ipa
dig ipa.example.com
</code>

----

====== DNS Caching Server: Bind ======

Installing and configuring the bind DNS caching-only server.

  * **Advantages**: Much smaller config file; everything you need except one config section is already uncommented (just modify it).
  * **Disadvantages**: Need to memorize how to create a forward zone.

\\
Install required packages
<code bash>
yum install bind bind-utils
</code>

  * bind -> server package
  * bind-utils -> client utilities

\\
Enable the service
<code bash>
systemctl enable named
</code>

\\
Open the firewall for DNS
<code bash>
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
</code>

\\
Make some named configuration changes
<code bash>
vim /etc/named.conf

# existing config items, modify
listen-on port 53 { any; };
allow-query     { 192.168.1.0/24; 127.0.0.1; };

# copy and paste the allow-query line and change it to allow-transfer
allow-transfer  { 192.168.1.0/24; 127.0.0.1; };

# existing config item, modify to no
dnssec-validation no;

# new entry for forward zone - needs to be memorized
zone "example.com" IN {
    type forward;
    forwarders { 192.168.1.152; };
};
</code>

  * listen on any IP
  * allow queries/transfers from the local private network (192.168.1.0/24)
  * do not validate local lookups
  * zone
    * "example.com" -> local domain
    * type forward; -> act as a forwarder for these zone lookups
    * forwarders { 192.168.1.152; }; -> forward to this DNS server

\\
Check named.conf config syntax
<code bash>
named-checkconf
</code>

  * No output = no mistakes

\\
Start the named service
<code bash>
systemctl start named
</code>

\\
**Client Testing**

server1: Configure a different system to use the DNS caching server
<code bash>
nmcli con mod eth0 ipv4.dns 192.168.1.151
</code>

\\
server1: Test a ping and a DNS lookup
<code bash>
ping ipa
dig ipa.example.com
</code>

----

linux_wiki/configure_a_caching-only_name_server.txt · Last modified: 2019/05/25 23:50 (external edit)
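The client tests above only show that a lookup succeeds; they do not show that server2 is actually caching, or that it refuses clients outside the 192.168.1.0/24 range set in access-control (unbound) or allow-query (bind). The following script is an added example, not part of the original wiki page: it parses two consecutive dig outputs to confirm the second answer was served from cache (TTL counted down, near-zero query time) and checks that a query the resolver should reject comes back REFUSED. The sample dig outputs are constructed; the live wrapper assumes dig from bind-utils and the lab address 192.168.1.151.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify caching and access-control
# behaviour of the caching-only resolver on server2 (192.168.1.151).

# TTL of the first A record for name $2 in the dig output $1.
# dig prints answer records as:  name.  TTL  IN  A  address
answer_ttl() {
  printf '%s\n' "$1" | awk -v n="$2." '$1 == n && $4 == "A" { print $2; exit }'
}

# Milliseconds reported on the ";; Query time:" line of dig output $1.
query_time_ms() {
  printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p'
}

# True when the second lookup ($2) of name $3 was answered from cache: its
# TTL is strictly lower than in the first answer ($1), because the cached
# record is counting down, and the query time is that of a local answer.
served_from_cache() {
  t1=$(answer_ttl "$1" "$3"); t2=$(answer_ttl "$2" "$3"); q2=$(query_time_ms "$2")
  [ -n "$t1" ] && [ -n "$t2" ] && [ "$t2" -lt "$t1" ] && [ "${q2:-999}" -le 5 ]
}

# True when the resolver refused the query, which is what a client outside the
# allowed 192.168.1.0/24 range should get instead of an answer.
query_refused() {
  printf '%s\n' "$1" | grep -q 'status: REFUSED'
}

# Constructed dig outputs, trimmed to the lines the checks look at.
FIRST_LOOKUP=';; ANSWER SECTION:
ipa.example.com.        86400   IN      A       192.168.1.152

;; Query time: 12 msec
;; SERVER: 192.168.1.151#53(192.168.1.151)'
SECOND_LOOKUP=';; ANSWER SECTION:
ipa.example.com.        86357   IN      A       192.168.1.152

;; Query time: 0 msec
;; SERVER: 192.168.1.151#53(192.168.1.151)'
OUTSIDE_LOOKUP=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242'

# Live version of the cache check against server2 (needs dig from bind-utils);
# the pause lets the cached TTL count down by at least one second.
live_cache_check() {
  a=$(dig @192.168.1.151 "$1"); sleep 1; b=$(dig @192.168.1.151 "$1")
  served_from_cache "$a" "$b" "$1"
}
```

Run `live_cache_check ipa.example.com` from server1 after the nmcli step; a non-zero exit means server2 is forwarding every query instead of caching.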