Differences
linux_wiki:configure_a_caching-only_name_server [2016/08/30 22:50] billdozor [Named DNS Caching Server]
linux_wiki:configure_a_caching-only_name_server [2019/05/25 23:50] (current)
Line 4: | Line 4: | ||
Caching-only name servers are non-authoritative. They perform lookups inside or outside the zone and cache the results to use locally. | Caching-only name servers are non-authoritative. They perform lookups inside or outside the zone and cache the results to use locally. | ||
+ | |||
+ | The exam requires you to setup a DNS caching server. It does not specify which one. | ||
---- | ---- | ||
- | ====== | + | ====== |
+ | The following virtual machines will be used: | ||
+ | * server1.example.com (192.168.1.150) -> Perform all connectivity tests from here | ||
+ | * server2.example.com (192.168.1.151) -> Install DNS caching here | ||
+ | * ipa.example.com (192.168.1.152) -> DNS Server Here installed with FreeIPA | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ====== DNS Caching Server: Unbound ====== | ||
+ | |||
+ | Installing and configuring the unbound DNS caching only server. | ||
+ | |||
+ | * **Advantages**: | ||
+ | * **Disadvantage**: | ||
+ | |||
+ | \\ | ||
+ | server2: Install required packages | ||
+ | <code bash> | ||
+ | yum install unbound | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | server2: Enable the service | ||
+ | <code bash> | ||
+ | systemctl enable unbound | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | server2: Open the firewall | ||
+ | <code bash> | ||
+ | firewall-cmd --permanent --add-service=dns | ||
+ | firewall-cmd --reload | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | server2: Prevent errors about server-keys not existing | ||
+ | <code bash> | ||
+ | unbound-control-setup | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | Unbound has almost all config commented out by default. Uncomment and modify items. | ||
+ | <code bash> | ||
+ | vim / | ||
+ | |||
+ | ## Listen on all interfaces | ||
+ | # uncomment/ | ||
+ | interface: 0.0.0.0 | ||
+ | |||
+ | ## Allow queries from local networks | ||
+ | # uncomment/ | ||
+ | access-control: | ||
+ | |||
+ | ## Disable dns-sec for local domain | ||
+ | # uncomment/ | ||
+ | domain-insecure: | ||
+ | |||
+ | ## Configure forward zone | ||
+ | # uncomment/ | ||
+ | forward-zone: | ||
+ | name: " | ||
+ | forward-addr: | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | server2: Verify configuration | ||
+ | <code bash> | ||
+ | unbound-checkconf | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | server2: Start the unbound service | ||
+ | <code bash> | ||
+ | systemctl start unbound | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | **Client Testing** | ||
+ | |||
+ | server1: Configure a different system to use the DNS caching server | ||
+ | <code bash> | ||
+ | nmcli con mod eth0 ipv4.dns 192.168.1.151 | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | server1: Test a ping and DNS lookup | ||
+ | <code bash> | ||
+ | ping ipa | ||
+ | dig ipa.example.com | ||
+ | </ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ====== DNS Caching Server: Bind ====== | ||
+ | |||
+ | Installing and configuring the bind DNS caching only server. | ||
+ | |||
+ | * **Advantages**: | ||
+ | * **Disadvantages**: | ||
+ | |||
+ | \\ | ||
Install required packages | Install required packages | ||
<code bash> | <code bash> | ||
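Review bot: in the unbound.conf block, `interface: 0.0.0.0` makes Unbound listen on every interface, so the `access-control:` entry a few lines below is the only thing keeping server2 from being an open resolver, and its value is cut off in this rendering of the diff; before publishing, confirm it allows only the local network (the 192.168.1.x range the test hosts use) and refuses everything else, or bind `interface:` to the internal address instead. `domain-insecure:` switches off DNSSEC validation for whatever domain is named on that line, so it should name only the internal zone served by ipa.example.com rather than anything broader. The `**Advantages**:` and `**Disadvantage**:` bullets under both headings are empty; fill them in or drop them.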
Line 15: | Line 117: | ||
* bind -> server package | * bind -> server package | ||
* bind-utils -> client utilities | * bind-utils -> client utilities | ||
+ | |||
+ | \\ | ||
+ | Enable the service | ||
+ | <code bash> | ||
+ | systemctl enable named | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | Open the firewall for DNS | ||
+ | <code bash> | ||
+ | firewall-cmd --permanent --add-service=dns | ||
+ | firewall-cmd --reload | ||
+ | </ | ||
\\ | \\ | ||
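Review bot: `firewall-cmd --permanent --add-service=dns` opens 53/tcp and 53/udp in the default zone, that is on every interface, and with `listen-on port 53 { any; };` set in the next step the `allow-query` ACL becomes the only control over who can query this server. If server2 has more than one interface, scope the rule to the internal side (for example `--zone=internal` with the interface assigned to that zone, or a rich rule limited to the 192.168.1.0 network) so the firewall and the ACL back each other up. The ordering here is fine: the port is opened before `systemctl start named`, so the service never comes up with an unreviewed configuration.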
Line 21: | Line 136: | ||
vim / | vim / | ||
+ | # existing config items, modify | ||
listen-on port 53 { any; }; | listen-on port 53 { any; }; | ||
- | allow-query { any; }; | + | allow-query { 192.168.1.0/ |
+ | # copy and paste allow-query line and change to allow-transfer | ||
+ | allow-transfer { 192.168.1.0/ | ||
+ | |||
+ | # existing config item, modify to no | ||
dnssec-validation no; | dnssec-validation no; | ||
+ | |||
+ | # new entry for forward zone - needs to be memorized | ||
+ | zone " | ||
+ | type forward; | ||
+ | forwarders { 192.168.1.152; | ||
+ | }; | ||
</ | </ | ||
* listen on any IP | * listen on any IP | ||
- | * allow queries from any sources | + | * allow queries/ |
* do not validate local lookups | * do not validate local lookups | ||
+ | * zone | ||
+ | * " | ||
+ | * type forward; | ||
+ | * forwarders { 192.168.1.152; | ||
\\ | \\ | ||
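Review bot: `dnssec-validation no;` turns off DNSSEC validation for every query this server resolves, not only for the local zone, so the bullet `* do not validate local lookups` under the block misstates what the setting does; reword the bullet, or keep validation enabled and exempt only the internal domain where the installed BIND version supports that. The new `allow-transfer { 192.168.1.0/` line is unnecessary on a caching-only server, which has no authoritative zones to transfer; copying the allow-query value here hands the whole subnet a permission it does not need, and `allow-transfer { none; };` is the safer default. The `allow-query` value, the zone name and the forwarders line are truncated in this rendering and cannot be checked here; make sure the `forwarders { 192.168.1.152; ... };` statement has its own closing `};` before the zone's closing `};`, or `named-checkconf` will reject the file.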
Line 38: | Line 168: | ||
\\ | \\ | ||
- | Open the firewall for DNS | + | Start the named service |
<code bash> | <code bash> | ||
- | firewall-cmd --permanent --add-service=dns | + | systemctl start named |
- | firewall-cmd --reload | + | |
</ | </ | ||
\\ | \\ | ||
- | Start the named service | + | **Client Testing** |
+ | |||
+ | server1: Configure a different system to use the DNS caching server | ||
<code bash> | <code bash> | ||
- | systemctl enable named | + | nmcli con mod eth0 ipv4.dns 192.168.1.151 |
- | systemctl start named | + | |
</ | </ | ||
\\ | \\ | ||
- | Test a domain | + | server1: |
<code bash> | <code bash> | ||
- | nslookup google.com 127.0.0.1 | + | ping ipa |
- | + | dig ipa.example.com | |
- | OR | + | |
- | + | ||
- | dig @127.0.0.1 google.com | + | |
</ | </ | ||
---- | ---- | ||
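Review bot: `nmcli con mod eth0 ipv4.dns 192.168.1.151` only changes the stored connection profile; the new resolver is applied when the connection is re-activated (`nmcli con up eth0`), so the test that follows may still be using the old resolver, and `dig ipa.example.com` as written queries whatever /etc/resolv.conf currently points to rather than proving that the caching server answered. Query server2 directly with `dig @192.168.1.151 ipa.example.com` (the removed `dig @127.0.0.1 google.com` did the same thing locally) and run it twice: the second answer should come back from the cache with a near-zero query time, which is the behaviour this page is meant to demonstrate. `ping ipa` also depends on a search domain being configured on server1; `ping ipa.example.com` removes that dependency.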