linux_wiki:configure_a_caching-only_name_server

linux_wiki:configure_a_caching-only_name_server [2016/08/30 22:50]
billdozor [Named DNS Caching Server]
linux_wiki:configure_a_caching-only_name_server [2019/05/25 23:50] (current)
Line 4: Line 4:
  
 Caching-only name servers are non-authoritative. They perform lookups inside or outside the zone and cache the results to use locally. Caching-only name servers are non-authoritative. They perform lookups inside or outside the zone and cache the results to use locally.
 +
 +The exam requires you to setup a DNS caching server. It does not specify which one.
  
 ---- ----
  
-====== Named DNS Caching Server ======+====== Lab Setup ======
  
 +The following virtual machines will be used:
 +  * server1.example.com (192.168.1.150) -> Perform all connectivity tests from here
 +  * server2.example.com (192.168.1.151) -> Install DNS caching here
 +  * ipa.example.com (192.168.1.152) -> DNS Server Here installed with FreeIPA
 +
 +----
 +
 +====== DNS Caching Server: Unbound ======
 +
 +Installing and configuring the unbound DNS caching only server.
 +
 +  * **Advantages**: All config you need is included.
 +  * **Disadvantage**: Need to remember which ones to uncomment and modify, need to remember to run unbound-control-setup, very long config file.
 +
 +\\
 +server2: Install required packages
 +<code bash>
 +yum install unbound
 +</code>
 +
 +\\
 +server2: Enable the service
 +<code bash>
 +systemctl enable unbound
 +</code>
 +
 +\\
 +server2: Open the firewall
 +<code bash>
 +firewall-cmd --permanent --add-service=dns
 +firewall-cmd --reload
 +</code>
 +
 +\\
 +server2: Prevent errors about server-keys not existing
 +<code bash>
 +unbound-control-setup
 +</code>
 +
 +\\
 +Unbound has almost all config commented out by default. Uncomment and modify items.
 +<code bash>
 +vim /etc/unbound/unbound.conf
 +
 +## Listen on all interfaces
 +# uncomment/modify near config line 30
 +interface: 0.0.0.0
 +
 +## Allow queries from local networks
 +# uncomment/modify near config line 180
 +access-control: 192.168.1.0/24 allow
 +
 +## Disable dns-sec for local domain
 +# uncomment/modify near config line 375
 +domain-insecure: "example.com"
 +
 +## Configure forward zone
 +# uncomment/modify near config line 550
 +forward-zone:
 +  name: "."
 +  forward-addr: 192.168.1.152
 +</code>
 +
 +\\
 +server2: Verify configuration
 +<code bash>
 +unbound-checkconf
 +</code>
 +
 +\\
 +server2: Start the unbound service
 +<code bash>
 +systemctl start unbound
 +</code>
 +
 +\\
 +**Client Testing**
 +
 +server1: Configure a different system to use the DNS caching server
 +<code bash>
 +nmcli con mod eth0 ipv4.dns 192.168.1.151
 +</code>
 +
 +\\
 +server1: Test a ping and DNS lookup
 +<code bash>
 +ping ipa
 +dig ipa.example.com
 +</code>
 +
 +----
 +
 +====== DNS Caching Server: Bind ======
 +
 +Installing and configuring the bind DNS caching only server.
 +
 +  * **Advantages**: Much smaller config file, everything you need except 1 config part is uncommented (just modify)
 +  * **Disadvantages**: Need to memorize how to create a forward zone
 +
 +\\
 Install required packages Install required packages
 <code bash> <code bash>
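Review bot: the forward-zone block with `name: "."` sends every query, not only example.com, to 192.168.1.152, while `domain-insecure: "example.com"` only switches off DNSSEC validation for that one zone; the surrounding text should say so, because the FreeIPA server becomes the single upstream for all lookups and answers for other domains are still validated. The `access-control: 192.168.1.0/24 allow` line is also the only thing that keeps `interface: 0.0.0.0` from producing an open resolver, so it belongs in the Advantages/Disadvantages summary rather than only as a comment inside the config listing.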
Line 15: Line 117:
   * bind -> server package   * bind -> server package
   * bind-utils -> client utilities   * bind-utils -> client utilities
 +
 +\\
 +Enable the service
 +<code bash>
 +systemctl enable named
 +</code>
 +
 +\\
 +Open the firewall for DNS
 +<code bash>
 +firewall-cmd --permanent --add-service=dns
 +firewall-cmd --reload
 +</code>
  
 \\ \\
Line 21: Line 136:
 vim /etc/named.conf vim /etc/named.conf
  
 +# existing config items, modify
 listen-on port 53 { any; }; listen-on port 53 { any; };
-allow-query { any; };+allow-query { 192.168.1.0/24; 127.0.0.1; };
  
 +# copy and paste allow-query line and change to allow-transfer
 +allow-transfer { 192.168.1.0/24; 127.0.0.1; };
 +
 +# existing config item, modify to no
 dnssec-validation no; dnssec-validation no;
 +
 +# new entry for forward zone - needs to be memorized
 +zone "example.com" IN {
 +  type forward;
 +  forwarders { 192.168.1.152; };
 +};
 </code> </code>
   * listen on any IP   * listen on any IP
-  * allow queries from any sources+  * allow queries/transfers from local private network (192.168.1.0/24)
   * do not validate local lookups   * do not validate local lookups
 +  * zone
 +    * "example.com" -> local domain
 +    * type forward;  -> act as a forwarder for these zone lookups
 +    * forwarders { 192.168.1.152; };  -> forward to this DNS entry
  
 \\ \\
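Review bot: `dnssec-validation no;` disables validation for every lookup the server performs, so the bullet "do not validate local lookups" understates its effect; the bullet should state that validation is off for all queries, local and external. The new `allow-transfer { 192.168.1.0/24; 127.0.0.1; };` line has nothing to act on here, since a caching-only server serves no authoritative zones; if the line is kept for exam practice, `allow-transfer { none; };` is the tighter value. The forward zone also omits `forward only;`, so with the default forward-first behaviour named falls back to full recursion for example.com whenever 192.168.1.152 does not answer, which the "act as a forwarder" bullet does not mention.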
Line 38: Line 168:
  
 \\ \\
-Open the firewall for DNS+Start the named service
 <code bash> <code bash>
-firewall-cmd --permanent --add-service=dns +systemctl start named
-firewall-cmd --reload+
 </code> </code>
  
 \\ \\
-Start the named service+**Client Testing** 
 + 
 +server1: Configure a different system to use the DNS caching server
 <code bash> <code bash>
-systemctl enable named +nmcli con mod eth0 ipv4.dns 192.168.1.151
-systemctl start named+
 </code> </code>
  
 \\ \\
-Test a domain lookup+server1: Test a ping and DNS lookup
 <code bash> <code bash>
-nslookup google.com 127.0.0.1 +ping ipa 
- +dig ipa.example.com
-OR +
- +
-dig @127.0.0.1 google.com+
 </code> </code>
  
 ---- ----
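Review bot: `nmcli con mod eth0 ipv4.dns 192.168.1.151` only edits the stored connection profile; the change does not reach /etc/resolv.conf until the connection is reactivated (for example `nmcli con up eth0`), and `ping ipa` as a short name only resolves if a search domain for example.com is configured, which this step does not set. Adding those two pieces to the test block (here and in the identical block in the Unbound section) avoids a false failure on an otherwise working server. Dropping `dig @127.0.0.1 google.com` also removes the only check that separates a broken named config from a firewall problem; a local query on server2 before testing from server1 is worth keeping.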
  