Configure A Caching-only Name Server
General Information
Caching-only name servers are non-authoritative. They perform lookups inside or outside the zone and cache the results to use locally.
The exam requires you to set up a DNS caching server. It does not specify which one.
Lab Setup
The following virtual machines will be used:
- server1.example.com (192.168.1.150) → Perform all connectivity tests from here
- server2.example.com (192.168.1.151) → Install DNS caching here
DNS Caching Server: Unbound
Installing and configuring the Unbound caching-only DNS server.
server2: Install required packages
yum install unbound
server2: Enable the service
systemctl enable unbound
server2: Open the firewall
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
server2: Prevent errors about server-keys not existing
unbound-control-setup
Unbound ships with almost all of its configuration commented out by default. Uncomment and modify the following items.
vim /etc/unbound/unbound.conf

## Listen on all interfaces
# uncomment/modify near config line 30
interface: 0.0.0.0

## Allow queries from local networks
# uncomment/modify near config line 180
access-control: 192.168.1.0/24 allow

## Disable DNSSEC validation for the local domain
# uncomment/modify near config line 375
domain-insecure: "example.com"

## Configure forward zone
# uncomment/modify near config line 550
forward-zone:
    name: "."
    forward-addr: 192.168.1.152
server2: Verify configuration
unbound-checkconf
server2: Start the unbound service
systemctl start unbound
server1: Configure a different system to use the DNS caching server
nmcli con mod eth0 ipv4.dns 192.168.1.151
server1: Test a DNS lookup
dig server3.example.com
DNS Caching Server: Bind
Installing and configuring the BIND caching-only DNS server.
Install required packages
yum install bind bind-utils
- bind → server package
- bind-utils → client utilities
Enable the service
systemctl enable named
Open the firewall for DNS
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
Make some named configuration changes
vim /etc/named.conf

# existing config items, modify
listen-on port 53 { any; };
allow-query { 192.168.1.0/24; 127.0.0.1; };

# copy and paste the allow-query line and change it to allow-transfer
allow-transfer { 192.168.1.0/24; 127.0.0.1; };

# existing config item, modify to no
dnssec-validation no;

# new entry for forward zone - needs to be memorized
zone "example.com" IN {
    type forward;
    forwarders { 192.168.1.200; };
};
- listen on any IP
- allow queries/transfers from local private network (192.168.1.0/24)
- do not validate local lookups
- zone
  - "example.com" → local domain
  - type forward; → act as a forwarder for lookups in this zone
  - forwarders { 192.168.1.200; }; → forward those lookups to this DNS server
Check named.conf config syntax
named-checkconf
- No output = no mistakes
Start the named service
systemctl start named
Test a domain lookup
nslookup google.com 127.0.0.1
or
dig @127.0.0.1 google.com
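Before exposing either resolver on the network it is worth checking the two risks these configs touch: becoming an open resolver (listening on all interfaces while allowing recursion from anyone) and switching DNSSEC validation off for every domain rather than only example.com, which is what the Unbound domain-insecure line scopes and the named dnssec-validation no line does not. The script below is an added example, not part of the original page; it embeds constructed fragments mirroring the Unbound and named settings above and audits them with simple regex checks rather than a full config parser.

```python
import re

# Constructed sample mirroring the unbound.conf settings on this page
UNBOUND_CONF = """server:
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow
    domain-insecure: "example.com"
forward-zone:
    name: "."
    forward-addr: 192.168.1.152
"""

# Constructed sample mirroring the named.conf settings on this page
NAMED_CONF = """options {
    listen-on port 53 { any; };
    allow-query { 192.168.1.0/24; 127.0.0.1; };
    allow-transfer { 192.168.1.0/24; 127.0.0.1; };
    dnssec-validation no;
};
zone "example.com" IN { type forward; forwarders { 192.168.1.200; }; };
"""

# Address tokens that mean "every client" in either syntax
WORLD = {"any", "0.0.0.0/0", "::/0", "0.0.0.0", "::0", "::"}


def audit_unbound(conf):
    """Return a list of findings for an unbound.conf fragment."""
    findings = []
    listen_all = re.search(r"^\s*interface:\s*(0\.0\.0\.0|::0?)\s*$", conf, re.M)
    allowed = re.findall(r"^\s*access-control:\s*(\S+)\s+allow(?:_snoop)?\b", conf, re.M)
    if listen_all and WORLD & set(allowed):
        findings.append("open resolver: listens on all interfaces and allows recursion from any client")
    if "." in re.findall(r'^\s*domain-insecure:\s*"?([^"\s]+)"?', conf, re.M):
        findings.append("domain-insecure for the root disables DNSSEC validation everywhere")
    return findings


def audit_named(conf):
    """Return a list of findings for a named.conf fragment."""
    def acl(name):  # tokens inside the braces of a named ACL statement
        m = re.search(name + r"\s*\{([^}]*)\}", conf)
        return {t.strip() for t in m.group(1).split(";") if t.strip()} if m else set()
    findings = []
    listen_all = "any" in acl(r"listen-on(?:\s+port\s+\d+)?")
    recursion = acl("allow-recursion") or acl("allow-query")  # allow-recursion wins when set
    if listen_all and WORLD & recursion:
        findings.append("open resolver: listen-on any with recursion allowed from any client")
    if re.search(r"^\s*dnssec-validation\s+no\s*;", conf, re.M):
        findings.append("dnssec-validation no turns off validation for every domain, not only example.com")
    return findings
```

Run `audit_unbound(UNBOUND_CONF)` and `audit_named(NAMED_CONF)` against the page's settings: the Unbound fragment is clean, while the named fragment is flagged only for its global dnssec-validation no.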