

Configure A Caching-only Name Server

General Information

Caching-only name servers are non-authoritative: they hold no zone data of their own, but resolve lookups (inside or outside the local zone) on behalf of clients and cache the results for reuse locally.

The exam requires you to set up a DNS caching server. It does not specify which one.


Lab Setup

The following virtual machines will be used:

  • server1.example.com (192.168.1.150) → Perform all connectivity tests from here
  • server2.example.com (192.168.1.151) → Install DNS caching here

DNS Caching Server: Unbound

Installing and configuring unbound as a caching-only DNS server.


server2: Install required packages

yum install unbound


server2: Enable the service

systemctl enable unbound


server2: Open the firewall

firewall-cmd --permanent --add-service=dns
firewall-cmd --reload


server2: Prevent errors about server-keys not existing

unbound-control-setup


Unbound has almost all config commented out by default. Uncomment and modify items.

vim /etc/unbound/unbound.conf
 
## Listen on all interfaces
# uncomment/modify near config line 30
interface: 0.0.0.0
 
## Allow queries from local networks
# uncomment/modify near config line 180
access-control: 192.168.1.0/24 allow
 
## Disable DNSSEC validation for the local domain
# uncomment/modify near config line 375
domain-insecure: "example.com"
 
## Configure forward zone
# uncomment/modify near config line 550
forward-zone:
  name: "."
  forward-addr: 192.168.1.152


server2: Verify configuration

unbound-checkconf


server2: Start the unbound service

systemctl start unbound


server1: Configure a different system to use the DNS caching server

nmcli con mod eth0 ipv4.dns 192.168.1.151


server1: Test a DNS lookup

dig server3.example.com
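
A single successful dig only proves that server2 answers; it does not prove that the answer came from its cache rather than being forwarded on every query. The script below is an added example (not part of the wiki page) that queries the resolver twice with a pause and compares the TTL and query time of the two answers. It assumes dig from bind-utils is installed on server1, that the resolver is 192.168.1.151 as in the lab setup (override with RESOLVER=...), and that the record's TTL is longer than the two-second pause.

```shell
#!/bin/sh
# Added example, not from the wiki page: verify from server1 that the
# caching resolver on server2 (192.168.1.151, the lab address) serves
# repeated queries from its cache. Requires dig (bind-utils).

RESOLVER="${RESOLVER:-192.168.1.151}"

# Print the TTL of the first A record in dig output read on stdin.
answer_ttl() {
    awk '$3 == "IN" && $4 == "A" { print $2; exit }'
}

# Print the "Query time" in milliseconds from dig output read on stdin.
query_msec() {
    awk '/^;; Query time:/ { print $4; exit }'
}

# A cached answer has a TTL that keeps counting down between queries,
# so after a pause the second TTL must be strictly lower than the first.
# An answer fetched fresh from upstream each time repeats the full TTL.
served_from_cache() {
    first=$1
    second=$2
    [ -n "$first" ] && [ -n "$second" ] && [ "$second" -lt "$first" ]
}

cache_check() {
    name=$1
    out1=$(dig @"$RESOLVER" "$name" A)
    sleep 2
    out2=$(dig @"$RESOLVER" "$name" A)

    ttl1=$(printf '%s\n' "$out1" | answer_ttl)
    ttl2=$(printf '%s\n' "$out2" | answer_ttl)
    echo "first query:  TTL=${ttl1:-none} time=$(printf '%s\n' "$out1" | query_msec) msec"
    echo "second query: TTL=${ttl2:-none} time=$(printf '%s\n' "$out2" | query_msec) msec"

    if served_from_cache "$ttl1" "$ttl2"; then
        echo "OK: $name was answered from the cache on $RESOLVER"
    else
        echo "WARNING: no evidence of caching for $name on $RESOLVER (is unbound running, and did $name resolve at all?)"
        return 1
    fi
}

# Usage: ./cache_check.sh server3.example.com
if [ -n "${1:-}" ]; then
    cache_check "$1"
fi
```

The second query time should also drop to roughly 0 msec, since server2 no longer has to contact the forwarder. If server1 still resolves through its old nameserver, remember that nmcli con mod only edits the connection profile; the change takes effect once the connection is re-activated (nmcli con up eth0), after which /etc/resolv.conf should list 192.168.1.151.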

DNS Caching Server: Bind

Installing and configuring bind as a caching-only DNS server.


Install required packages

yum install bind bind-utils
  • bind → server package
  • bind-utils → client utilities


Enable the service

systemctl enable named


Open the firewall for DNS

firewall-cmd --permanent --add-service=dns
firewall-cmd --reload


Make some named configuration changes

vim /etc/named.conf
 
# existing config items, modify
listen-on port 53 { any; };
allow-query { 192.168.1.0/24; 127.0.0.1; };
 
# copy and paste the allow-query line and change it to allow-transfer
allow-transfer { 192.168.1.0/24; 127.0.0.1; };
 
# existing config item, modify to no
dnssec-validation no;
 
# new entry for forward zone - needs to be memorized
zone "example.com" IN {
  type forward;
  forwarders { 192.168.1.200; };
};
  • listen on any IP
  • allow queries/transfers from local private network (192.168.1.0/24)
  • do not validate local lookups
  • zone
    • “example.com” → local domain
    • type forward; → act as a forwarder for these zone lookups
    • forwarders { 192.168.1.200; }; → forward lookups for this zone to this DNS server
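
Both configurations on this page hinge on the client ACL: unbound's access-control line and named's allow-query list. A resolver that listens on every interface and also accepts recursive queries from any source becomes an open resolver, which is routinely abused for DNS reflection and amplification against third parties. The following shell function is an added example (not from the wiki page) that audits a config file for that condition in either syntax; it assumes the one-line forms shown on this page (access-control: NET ACTION for unbound, allow-query { ...; } / allow-recursion { ...; } / recursion no; for named) and is run on the server that holds the file.

```shell
#!/bin/sh
# Added example, not from the wiki page: report whether an unbound or named
# configuration would answer recursive queries from any source address.
# Returns 0 when the client ACL is restricted, 1 when the server is open.

audit_resolver_acl() {
    conf=$1
    # Drop commented-out lines first (# for unbound, // and # for named),
    # so a disabled wildcard does not trigger a false alarm.
    active=$(grep -Ev '^[[:space:]]*(#|//)' "$conf" || true)

    # unbound: anything not matched by an access-control line is refused by
    # default, so the server is only open if a wildcard network is allowed.
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*access-control:[[:space:]]*(0\.0\.0\.0/0|::/0)[[:space:]]+allow'; then
        echo "OPEN: unbound allows recursion from any address in $conf"
        return 1
    fi

    # named: 'allow-query { any; }' is only a problem if recursion is also
    # available to those clients.
    if printf '%s\n' "$active" | grep -Eq 'allow-query[[:space:]]*\{[[:space:]]*any[[:space:]]*;'; then
        if printf '%s\n' "$active" | grep -Eq 'recursion[[:space:]]+no[[:space:]]*;'; then
            echo "OK: named answers anyone but recursion is off in $conf"
            return 0
        fi
        if printf '%s\n' "$active" | grep -Eq 'allow-recursion[[:space:]]*\{' \
           && ! printf '%s\n' "$active" | grep -Eq 'allow-recursion[[:space:]]*\{[[:space:]]*any[[:space:]]*;'; then
            echo "OK: named restricts recursion with allow-recursion in $conf"
            return 0
        fi
        echo "OPEN: named answers recursive queries from any client in $conf"
        return 1
    fi

    echo "OK: client ACL is restricted in $conf"
    return 0
}

# Usage: ./audit_resolver_acl.sh /etc/unbound/unbound.conf
#        ./audit_resolver_acl.sh /etc/named.conf
if [ -n "${1:-}" ]; then
    audit_resolver_acl "$1"
fi
```

With the values from this page (192.168.1.0/24 plus loopback) both files pass; the check exists so that a quick "make it work" edit to any or 0.0.0.0/0 during troubleshooting does not survive into a running service.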


Check named.conf config syntax

named-checkconf
  • No output = no syntax errors


Start the named service

systemctl start named


Test a domain lookup

nslookup google.com 127.0.0.1
 
OR
 
dig @127.0.0.1 google.com

Last modified: 2019/05/25 23:50