Configure A Caching-only Name Server
General Information
Caching-only name servers are non-authoritative: they hold no zones of their own. They resolve queries on behalf of their clients, either recursively or through a forwarder, and cache the answers so that repeated lookups are served locally.
The exam requires you to set up a DNS caching server. It does not specify which one.
Lab Setup
The following virtual machines will be used:
- server1.example.com (192.168.1.150) → Perform all connectivity tests from here
- server2.example.com (192.168.1.151) → Install DNS caching here
DNS Caching Server: Unbound
Installing and configuring the unbound DNS caching only server.
Install required packages
yum install unbound
Enable the service
systemctl enable unbound
Open the firewall
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
Generate the keys and certificates used by unbound-control; the shipped configuration has remote control enabled, so without them the service start-up fails with errors about the server-key files not existing
unbound-control-setup
Configure Unbound to listen on every interface and to answer only the lab subnet. Both lines go in the server: section. Unbound refuses any client not listed in access-control (localhost excepted), so listening on 0.0.0.0 does not make this an open resolver as long as only the lab network is allowed
vim /etc/unbound/unbound.conf
server:
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow
Configure a forwarder (the DNS server that receives the queries the caching server cannot answer from its cache). forward-zone is its own section, not part of server:, and name: "." forwards everything
vim /etc/unbound/unbound.conf
forward-zone:
    name: "."
    forward-addr: 192.168.1.152
The Unbound package ships with DNSSEC validation enabled. An internal zone served by a forwarder that provides no DNSSEC data cannot be validated and is answered with SERVFAIL, so mark that domain insecure. This goes in the server: section and exempts only the named domain; validation stays on for everything else
vim /etc/unbound/unbound.conf
server:
    domain-insecure: "example.com"
Verify configuration
unbound-checkconf
Start the unbound service
systemctl start unbound
Configure a different system (server1 in this lab) to use the caching server, then re-activate the connection so the new resolver is written to /etc/resolv.conf
nmcli con mod eth0 ipv4.dns 192.168.1.151
nmcli con up eth0
Test a DNS lookup from that system. The SERVER: line in the dig output should show 192.168.1.151#53, and a repeated query for the same name should come back with a much lower Query time because it is answered from the cache
dig server3.example.com
DNS Caching Server: Bind
Installing and configuring the bind DNS caching only server.
Install required packages
yum install bind bind-utils
- bind → server package
- bind-utils → client utilities
Enable the service
systemctl enable named
Open the firewall for DNS
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
Make the following changes in the options block of named.conf
vim /etc/named.conf
options {
    listen-on port 53 { any; };
    allow-query { any; };
    dnssec-validation no;
};
- listen-on → listen on every IPv4 address instead of only 127.0.0.1
- allow-query → accept queries from any source. allow-recursion is not set, so it inherits this value and every host that can reach port 53 may recurse through the server. That is acceptable on the private lab subnet but is an open resolver anywhere else; on a reachable host restrict both allow-query and allow-recursion to the lab network
- dnssec-validation → turn DNSSEC validation off for all lookups (the shipped default is yes), so the unsigned lab zones resolve instead of failing validation
Check named.conf config syntax
named-checkconf
- No output = no mistakes
Start the named service
systemctl start named
Test a domain lookup against the local server (either command)
nslookup google.com 127.0.0.1
dig @127.0.0.1 google.com
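The two procedures above put the same settings into two different syntaxes, and the one security decision in both is who may use the cache. The script below is an added example, not code from the original page or from the Unbound or BIND projects: it renders the Unbound and BIND settings from this page in their proper sections, with the client access narrowed to the lab subnet, and audits a configuration file for the settings that would turn the host into an open resolver. The function names are mine; the subnet 192.168.1.0/24 and the forwarder 192.168.1.152 come from the lab setup above.

```shell
#!/bin/sh
# Added example (not from the original page): render caching-only resolver
# configs for the lab and audit a config file for open-resolver settings.
# Assumed: the function names are mine; LAB_NET and FORWARDER come from the
# page's lab setup (192.168.1.0/24, forwarder 192.168.1.152).

LAB_NET="192.168.1.0/24"
FORWARDER="192.168.1.152"

# Unbound: the settings the page adds, placed in their sections. Unbound
# refuses every client not listed in access-control except localhost, so
# allowing only the lab subnet keeps this from being an open resolver.
unbound_conf() {
    cat <<EOF
server:
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: ${LAB_NET} allow
    domain-insecure: "example.com"

forward-zone:
    name: "."
    forward-addr: ${FORWARDER}
EOF
}

# BIND: with allow-query { any; } and no allow-recursion, BIND lets anyone
# who can reach port 53 recurse through the server. Use one ACL for both.
named_options() {
    cat <<EOF
acl lab { 127.0.0.1; ${LAB_NET}; };

options {
    listen-on port 53 { any; };
    allow-query { lab; };
    allow-recursion { lab; };
    recursion yes;
    dnssec-validation no;
};
EOF
}

# audit_conf FILE: print findings; return 1 if an open-resolver setting is found.
audit_conf() {
    f="$1"
    rc=0
    # BIND: allow-recursion falls back to allow-query when it is not set.
    if grep -Eq 'allow-query[[:space:]]*[{][[:space:]]*any' "$f" \
       && ! grep -Eq 'allow-recursion' "$f"; then
        echo "WEAK: allow-query { any; } without allow-recursion (open resolver)"
        rc=1
    fi
    if grep -Eq 'allow-recursion[[:space:]]*[{][[:space:]]*any' "$f"; then
        echo "WEAK: allow-recursion { any; } (open resolver)"
        rc=1
    fi
    # Unbound: an explicit allow for the whole IPv4 space.
    if grep -Eq 'access-control:[[:space:]]*0\.0\.0\.0/0[[:space:]]+allow' "$f"; then
        echo "WEAK: access-control 0.0.0.0/0 allow (open resolver)"
        rc=1
    fi
    # Informational: validation switched off globally or for a domain.
    if grep -Eq 'dnssec-validation[[:space:]]+no|^[[:space:]]*domain-insecure:' "$f"; then
        echo "NOTE: DNSSEC validation is disabled for some or all lookups"
    fi
    return "$rc"
}
```

Run `audit_conf /etc/named.conf` (or on the unbound.conf you edited) after the steps above; a WEAK line means the server answers recursive queries for anyone who can reach it, which is fine on the isolated lab subnet and a DNS amplification source anywhere else. `unbound_conf` and `named_options` print the narrowed versions so the two can be compared side by side.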