
Configure A Caching-only Name Server

General Information

Caching-only name servers are non-authoritative: they hold no zones of their own. They resolve queries on behalf of their clients (recursively, or by handing them to a forwarder) and cache the answers locally, so repeated lookups are answered from cache without going upstream again. A resolver that answers anyone on the Internet is an open resolver and can be abused for DNS amplification, so both setups below restrict clients to the local network.

The exam requires you to set up a DNS caching server. It does not specify which one, so both Unbound and BIND are covered below.


Lab Setup

The following virtual machines will be used:

  • server1.example.com (192.168.1.150) → Perform all connectivity tests from here
  • server2.example.com (192.168.1.151) → Install DNS caching here

DNS Caching Server: Unbound

Installing and configuring the unbound DNS caching-only server.


Install required packages

yum install unbound


Enable the service

systemctl enable unbound


Open the firewall

firewall-cmd --permanent --add-service=dns
firewall-cmd --reload


Generate the keys and certificates used by unbound-control (otherwise the service logs errors about the server keys not existing)

unbound-control-setup


Configure unbound to listen on every interface and to accept queries only from the local network

vim /etc/unbound/unbound.conf
 
interface: 0.0.0.0
access-control: 192.168.1.0/24 allow
  • both lines go inside the existing server: section, indented like the settings already there
  • interface: 0.0.0.0 → listen on all IPv4 addresses instead of only 127.0.0.1
  • access-control: 192.168.1.0/24 allow → clients on the lab network may query; every other address keeps unbound's default of refuse, so the server is not an open resolver


Configure a forwarder (the DNS server that receives every query the caching server cannot answer from cache)

vim /etc/unbound/unbound.conf
 
forward-zone:
  name: "."
  forward-addr: 192.168.1.152
  • forward-zone: is its own top-level section, not part of server:
  • name: "." → forward everything, not just one domain
  • forward-addr: 192.168.1.152 → the upstream resolver that does the actual recursion


Unbound performs DNSSEC validation by default. Mark internal domains that are not signed as insecure so their answers are not rejected as bogus; this exempts only the named domain instead of turning validation off for everything

vim /etc/unbound/unbound.conf
 
domain-insecure: "example.com"
  • goes inside the server: section


Verify the configuration

unbound-checkconf
  • prints "unbound-checkconf: no errors in /etc/unbound/unbound.conf" on success; anything else names the bad line


Start the unbound service

systemctl start unbound


Configure a different system (server1 in this lab) to use the DNS caching server

nmcli con mod eth0 ipv4.dns 192.168.1.151
  • nmcli con mod only edits the connection profile; re-activate the connection (nmcli con up eth0) so /etc/resolv.conf is rewritten with the new nameserver


Test a DNS lookup from that system

dig server3.example.com
  • the first lookup is answered via the forwarder; run it again and the Query time should drop to about 0 msec because the answer now comes from cache
  • the SERVER line must show 192.168.1.151 and the flags must include ra (recursion available); a REFUSED status means the client is outside the access-control list

DNS Caching Server: Bind

Installing and configuring the bind DNS caching-only server.


Install required packages

yum install bind bind-utils
  • bind → server package
  • bind-utils → client utilities


Enable the service

systemctl enable named


Open the firewall for DNS

firewall-cmd --permanent --add-service=dns
firewall-cmd --reload


Make some named configuration changes

vim /etc/named.conf
 
# existing config items, modify
listen-on port 53 { any; };
allow-query { 192.168.1.0/24; };
 
# copy and paste allow-query line and change to allow-transfer
allow-transfer { 192.168.1.0/24; };
 
# existing config item, modify to no
dnssec-validation no;
 
# new entry for forward zone - see zone examples at: 
zone "example.com" IN {
  type forward;
  forwarders { 192.168.1.200; };
};
  • listen on any IP
  • allow queries from the local private network (192.168.1.0/24) only; any other source gets REFUSED, so the server is not an open resolver
  • allow-transfer is harmless here but not needed: a caching-only server has no zones to transfer
  • dnssec-validation no; → turns validation off for every lookup, not just the local domain (unbound's domain-insecure is narrower); set it only because the internal servers are not signed
  • zone
    • “example.com” → local domain
    • type forward; → act as a forwarder for lookups in this zone
    • forwarders { 192.168.1.200; }; → send those lookups to this DNS server
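The access-control line in the Unbound section and the allow-query line above are what keep the server from being an open resolver. As an added example (not part of the wiki page, and not code from Unbound or BIND), the script below audits either config file for an ACL that admits the whole Internet. The sample configs it writes to a temporary directory are constructed for the demo and mirror the settings on this page; the state names (open, restricted, none, unset) are this script's own vocabulary.

```shell
#!/usr/bin/env bash
# Added example, not part of the wiki page: audit the client ACL of a
# caching resolver so that it is not an open resolver (anyone on the
# Internet could then use it for amplification or cache-poisoning attempts).
# Handles the two formats on this page: unbound.conf "access-control:" lines
# and named.conf "allow-query { ... };" blocks. Sample configs are constructed.
set -u

# Print "open", "restricted" or "none" for the unbound.conf given as $1.
#   open       - an access-control line allows 0.0.0.0/0 or ::/0
#   restricted - at least one allow line, none of them the whole Internet
#   none       - no allow line at all (unbound refuses non-localhost clients
#                by default, so nobody on the LAN can use the cache)
unbound_acl_state() {
    local body
    body=$(sed 's/#.*//' "$1")          # drop comments first
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*access-control:[[:space:]]+(0\.0\.0\.0/0|::/0)[[:space:]]+allow'; then
        echo open
    elif printf '%s\n' "$body" | grep -Eq '^[[:space:]]*access-control:[[:space:]]+[0-9a-fA-F.:]+/[0-9]+[[:space:]]+allow'; then
        echo restricted
    else
        echo none
    fi
}

# Print "open", "restricted" or "unset" for the named.conf given as $1.
# Looks at allow-query, allow-query-cache and allow-recursion: "any" or a
# whole-Internet prefix in any of them makes a recursive server open.
# Only // and # comments are stripped; /* */ blocks are not handled.
named_acl_state() {
    local body
    body=$(sed -e 's|//.*||' -e 's/#.*//' "$1")
    if printf '%s\n' "$body" | grep -Eq 'allow-(query|query-cache|recursion)[[:space:]]*[{][[:space:]]*(any|0\.0\.0\.0/0|::/0)[[:space:]]*;'; then
        echo open
    elif printf '%s\n' "$body" | grep -Eq 'allow-(query|query-cache|recursion)[[:space:]]*[{]'; then
        echo restricted
    else
        echo unset
    fi
}

# Write constructed sample configs into $CONF_DIR (created once, removed on exit).
write_sample_configs() {
    [ -n "${CONF_DIR:-}" ] && return 0
    CONF_DIR=$(mktemp -d)
    trap 'rm -rf "$CONF_DIR"' EXIT
    # unbound.conf as on this page: LAN only
    cat > "$CONF_DIR/unbound-ok.conf" <<'EOF'
server:
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow
    domain-insecure: "example.com"
forward-zone:
    name: "."
    forward-addr: 192.168.1.152
EOF
    # the mistake to catch: the whole Internet may query
    cat > "$CONF_DIR/unbound-open.conf" <<'EOF'
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
EOF
    # allow line present only as a comment: no LAN access at all
    cat > "$CONF_DIR/unbound-commented.conf" <<'EOF'
server:
    interface: 0.0.0.0
    # access-control: 0.0.0.0/0 allow
EOF
    cat > "$CONF_DIR/named-ok.conf" <<'EOF'
options {
    listen-on port 53 { any; };
    allow-query { 192.168.1.0/24; };   // LAN only
    recursion yes;
};
EOF
    cat > "$CONF_DIR/named-open.conf" <<'EOF'
options {
    listen-on port 53 { any; };
    allow-query { any; };
    recursion yes;
};
EOF
}

# Demo: report the state of every sample file.
write_sample_configs
for f in "$CONF_DIR"/unbound-*.conf; do
    printf '%-24s %s\n' "$(basename "$f")" "$(unbound_acl_state "$f")"
done
for f in "$CONF_DIR"/named-*.conf; do
    printf '%-24s %s\n' "$(basename "$f")" "$(named_acl_state "$f")"
done
```

Run it against the real files with unbound_acl_state /etc/unbound/unbound.conf or named_acl_state /etc/named.conf; "open" is the result to fix before the server goes live, and "none" on the Unbound side means the LAN clients will get REFUSED.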


Check named.conf config syntax

named-checkconf
  • No output = no mistakes


Start the named service

systemctl start named


Test a domain lookup

nslookup google.com 127.0.0.1
 
OR
 
dig @127.0.0.1 google.com
  • from server1 (the lab's test host) query 192.168.1.151 instead of 127.0.0.1; that also exercises the firewall rule and the allow-query list
  • repeat the query: the second answer should show a Query time near 0 msec because it is served from cache
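Both test steps on this page (dig against the Unbound server and against named) can be checked the same way. As an added example, not from the wiki page, the functions below parse saved dig output to confirm that the answer came from the expected resolver with recursion granted, that it was not authoritative, and that a repeated lookup hit the cache. The three transcripts are constructed sample output: the query ids, timings and the address of server3 are made up, the resolver address follows the lab setup, and the 2 msec cache-hit threshold is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not part of the wiki page: verify from saved dig output that
# a lookup went through the caching resolver, that recursion was granted and
# that a repeated lookup was answered from cache. The transcripts below are
# constructed sample output (query id, timings and server3's address are
# made up; the resolver address follows the lab setup on this page).
set -u

# Extract one header field from a saved dig transcript ($1 = file).
dig_status()     { sed -n 's/.*status: \([A-Z]*\),.*/\1/p' "$1"; }
dig_flags()      { sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' "$1"; }
dig_query_time() { sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p' "$1"; }
dig_server()     { sed -n 's/^;; SERVER: \([0-9a-fA-F.:]*\)#.*/\1/p' "$1"; }

# Print one line per problem with a lookup, nothing when it is clean:
#   status:X       rcode other than NOERROR (REFUSED = client not in the ACL)
#   server:X       answered by a server other than the expected one ($2)
#   no-recursion   "ra" flag missing: the resolver would not recurse for us
#   authoritative  "aa" flag set, which a caching-only server never does
check_lookup() {
    local file="$1" expect="$2" flags status server
    status=$(dig_status "$file"); server=$(dig_server "$file")
    flags=" $(dig_flags "$file") "
    [ "$status" = NOERROR ] || echo "status:$status"
    [ "$server" = "$expect" ] || echo "server:$server"
    case "$flags" in *" ra "*) ;; *) echo no-recursion ;; esac
    case "$flags" in *" aa "*) echo authoritative ;; esac
}

# True when the second transcript ($2) of the same query was served from
# cache: its query time is at most $3 msec (assumed threshold, default 2) and
# below the first transcript's ($1), which must have been a cache miss.
is_cache_hit() {
    local first second max="${3:-2}"
    first=$(dig_query_time "$1"); second=$(dig_query_time "$2")
    [ -n "$first" ] && [ -n "$second" ] &&
        [ "$second" -le "$max" ] && [ "$second" -lt "$first" ]
}

# Write the constructed transcripts into $DIG_DIR (created once, removed on exit).
write_dig_samples() {
    [ -n "${DIG_DIR:-}" ] && return 0
    DIG_DIR=$(mktemp -d)
    trap 'rm -rf "$DIG_DIR"' EXIT
    # first lookup: cache miss, fetched via the forwarder
    cat > "$DIG_DIR/first.txt" <<'EOF'
; <<>> DiG <<>> @192.168.1.151 server3.example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
server3.example.com.    3600    IN      A       192.168.1.153

;; Query time: 37 msec
;; SERVER: 192.168.1.151#53(192.168.1.151)
EOF
    # same query again: answered from cache, TTL counting down
    cat > "$DIG_DIR/second.txt" <<'EOF'
; <<>> DiG <<>> @192.168.1.151 server3.example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
server3.example.com.    3582    IN      A       192.168.1.153

;; Query time: 0 msec
;; SERVER: 192.168.1.151#53(192.168.1.151)
EOF
    # a client outside the allowed network: refused, no recursion offered
    cat > "$DIG_DIR/refused.txt" <<'EOF'
; <<>> DiG <<>> @192.168.1.151 server3.example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4713
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; Query time: 1 msec
;; SERVER: 192.168.1.151#53(192.168.1.151)
EOF
}

# Demo: judge each transcript, then compare the two good ones for a cache hit.
write_dig_samples
for f in first second refused; do
    out=$(check_lookup "$DIG_DIR/$f.txt" 192.168.1.151 | tr '\n' ' ')
    printf '%-8s %s\n' "$f" "${out:-ok}"
done
if is_cache_hit "$DIG_DIR/first.txt" "$DIG_DIR/second.txt"; then
    echo "second lookup: cache hit"
fi
```

To use it on a live server, save two consecutive runs of dig @192.168.1.151 somename to files and pass them to check_lookup and is_cache_hit; a no-recursion or status:REFUSED line points at the ACL, a wrong server line means the client is not using the caching server at all.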

Last modified: 2019/05/25 23:50