DNS server setup

Published 11/1/2015 07:53:44 AM  |  Last update 2/5/2021 03:29:35 AM
Tags: dns, amplification attack, dns server, name lookup

DNS (Domain Name System) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various kinds of information with domain names assigned to each of the participating entities. Most prominently, it translates easily memorized domain names to the numerical IP addresses needed for the purpose of locating computer services and devices worldwide.

As an essential component of the Internet's functionality, DNS works on a distributed database maintained by a system of DNS servers. Most DNS servers are run by businesses to serve the public, such as the Google DNS servers at 8.8.8.8 and 8.8.4.4. However, a DNS server can also be set up for a business's own or personal use only. In this tutorial, I will show how to set up a DNS server and join it to the DNS. First, you need a server connected to the internet, or to the network where it will provide DNS service. For a small, light-traffic DNS service, a 256MB VPS, which costs less than ten bucks a year, is just fine. You will also need Berkeley Internet Name Domain version 9 (bind9), a free and popular DNS software package, to set up and run the DNS service. I suggest a fresh bind9 installation on your server: if any version exists, remove it from your server and reinstall it.

# clean any installation of bind9
# remove the currently installed version
apt-get remove --auto-remove bind9
apt-get purge --auto-remove bind9
# check to make sure all is clean
  #deb
dpkg -l | grep bind
  #yum (quote the pattern so the shell does not expand it against local files)
rpm -qa 'bind*'
  # Should list the following packages:
  #  bind-libs-9.2.4-2
  #  bind-utils-9.2.4-2
  #  bind-9.2.4-2

# Reinstall bind9
  #debian:
apt-get update
apt-get install bind9 bind9utils dnsutils
  #yum
yum update -y
yum install bind bind-utils

Next, create the initial version of your DNS database. Assume that the domain to be served is dns.tinyray.com. The DNS database, including forward lookup and reverse lookup data, is placed in two separate data files: dns.tinyray.com.zone and dns.tinyray.com.192.rev respectively. With your-dns-folder as the folder for your DNS database, give these files the following standard contents.

$ vi /your-dns-folder/dns.tinyray.com.zone
$TTL 86400
@	IN	SOA	dns.tinyray.com. root.dns.tinyray.com. (
		200	; Serial
		3600	; Refresh
		1800	; Retry
		604800	; Expire
		86400	; Minimum TTL
)			; root.dns.tinyray.com. is the contact mailbox (root@dns.tinyray.com)
; Specify your two nameservers, the following are examples
	IN      NS      ns1.tinyray.com.
	IN      NS      ns2.tinyray.com.
; Resolve nameserver hostnames to IP, replace with your real DNS IPs.
ns1	IN	A	198.23.131.xx1
ns2	IN	A	198.23.131.xx2
; Define (hostname -> IP) forward pairs which you wish to resolve
@	IN	A	11.22.33.55
test	IN	A	11.22.33.66
; The trailing dot matters: without it the target is expanded relative
; to the zone and becomes dns.tinyray.com.dns.tinyray.com.
www	IN	CNAME	dns.tinyray.com.
$ vi /your-dns-folder/dns.tinyray.com.192.rev
$TTL    86400
@       IN	SOA	dns.tinyray.com. root.dns.tinyray.com. (
		100	; serial
		1H	; refresh
		1M	; retry
		1W	; expiry
		1D	; minimum
)
; Specify the same nameservers as in the forward zone
@	IN	NS	ns1.tinyray.com.
@	IN	NS	ns2.tinyray.com.
; Reverse (IP -> hostname) entry: the owner is the last octet of the
; address within the reverse zone (192.168.0.1 in 0.168.192.in-addr.arpa)
1	IN	PTR	dns.tinyray.com.

Once done, check that the zone files load without errors.

##### for the forward lookup data
$ cd <your-dns-folder>
$ named-checkzone  dns.tinyray.com  dns.tinyray.com.zone
zone dns.tinyray.com/IN: loaded serial 200
OK
##### for the reverse lookup data (pass the reverse zone name, not the domain)
$ named-checkzone  0.168.192.in-addr.arpa  dns.tinyray.com.192.rev
zone 0.168.192.in-addr.arpa/IN: loaded serial 100
OK
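named-checkzone only verifies syntax. A name in RDATA without a trailing dot is valid syntax, but BIND expands it relative to the zone origin, so a CNAME to "dns.tinyray.com" (no final dot) inside zone dns.tinyray.com silently becomes dns.tinyray.com.dns.tinyray.com and the check above still prints OK. The following script, an added example that is not part of the original article or of bind9, lints a zone file for exactly that mistake; the sample zone it carries is constructed (RFC 5737 documentation addresses) and mirrors the forward zone above with two missing dots planted in it.

```python
"""Lint BIND zone files for names that will be expanded relative to $ORIGIN.

Added example, not part of the original article. BIND appends the zone
origin to any RDATA name that lacks a trailing dot, so a dotted name
without a final dot is almost always a mistake; named-checkzone accepts
it, this script reports it and shows what BIND will actually use.
"""

# Record types the linter recognises; name_fields() says which RDATA
# fields of each hold domain names.
KNOWN_TYPES = {"SOA", "NS", "CNAME", "PTR", "MX", "A", "AAAA", "TXT", "SRV"}


def strip_comment(line):
    """Drop a ';' comment, leaving ';' inside quoted strings (e.g. TXT) alone."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            break
        out.append(ch)
    return "".join(out)


def expand(name, origin):
    """Return the absolute name BIND derives for `name` under `origin`."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def name_fields(rtype, rdata):
    """Pick the RDATA fields that are domain names for the given type."""
    if rtype == "SOA":
        return rdata[:2]          # MNAME and RNAME
    if rtype == "MX":
        return rdata[1:2]         # preference, then exchange
    if rtype == "SRV":
        return rdata[3:4]         # priority weight port target
    if rtype in ("NS", "CNAME", "PTR"):
        return rdata[:1]
    return []


def lint_zone(text, origin):
    """Return [(line_no, rtype, rdata_name, what_bind_sees)] for every
    name-typed RDATA field that contains a dot but lacks a trailing dot."""
    if not origin.endswith("."):
        origin += "."
    findings = []
    depth = 0                                  # SOA "( ... )" nesting
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        inside_parens = depth > 0
        depth += line.count("(") - line.count(")")
        if inside_parens:
            continue                           # SOA numeric fields, nothing to lint
        tokens = line.split()
        if not tokens or tokens[0].startswith("$"):
            continue                           # blank line or $TTL/$ORIGIN directive
        type_idx = next((i for i, t in enumerate(tokens) if t.upper() in KNOWN_TYPES), None)
        if type_idx is None:
            continue
        rtype = tokens[type_idx].upper()
        for name in name_fields(rtype, tokens[type_idx + 1:]):
            if "." in name and not name.endswith("."):
                findings.append((line_no, rtype, name, expand(name, origin)))
    return findings


# Constructed sample zone (RFC 5737 documentation addresses) mirroring the
# article's forward zone, with trailing dots missing on lines 10 and 13.
SAMPLE_ZONE = """$TTL 86400
@\tIN\tSOA\tdns.tinyray.com. root.dns.tinyray.com. (
\t\t200\t; Serial
\t\t3600\t; Refresh
\t\t1800\t; Retry
\t\t604800\t; Expire
\t\t86400\t; Minimum TTL
)
\tIN\tNS\tns1.tinyray.com.
\tIN\tNS\tns2.tinyray.com
ns1\tIN\tA\t198.51.100.1
@\tIN\tA\t203.0.113.5
www\tIN\tCNAME\tdns.tinyray.com
mail\tIN\tCNAME\t@
"""

if __name__ == "__main__":
    for line_no, rtype, name, seen in lint_zone(SAMPLE_ZONE, "dns.tinyray.com"):
        print(f"line {line_no}: {rtype} {name!r} -> BIND will use {seen}")
```

Run it over your own file with `lint_zone(open("dns.tinyray.com.zone").read(), "dns.tinyray.com")`; a relative name with no dot at all (such as `ns1` or `@`) is left alone, since those are normally intended to be relative.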

Correct any errors reported. Otherwise, go to the next step to configure your DNS service. Open the resolver config file to set the DNS server names as below:

##### open the resolver config file
$ vi /etc/resolv.conf
##### enter the following content into the config file
domain dns.tinyray.com
search dns.tinyray.com
# nameserver 127.0.0.1 locks your LAN to your own DNS server.
# If you turn off the external nameservers (the last two lines below)
# and rely on this one, your DNS must resolve everything itself, or you
# get "Could not resolve 'ftp.debian.org'" when running apt-get update.
#nameserver 127.0.0.1
# ... add as many nameserver lines as you have NS IPs
# Google IPv4 nameservers (disabled here)
#nameserver 8.8.8.8
#nameserver 8.8.4.4

##### save the file and restart the network
$ /etc/init.d/networking restart
# OR: /etc/init.d/bind9 restart
##### check the log file, make sure there is no error
tail -f /var/log/syslog

Then configure the DNS service itself through two bind9 config files. The first, named named.conf.local and placed in your-dns-folder or in any folder of your choice, declares the zone databases; its content looks like the following:

// provide as much zone databases as needed
zone "dns.tinyray.com" IN {
	type master;
	file "/your-dns-folder/dns.tinyray.com.zone";
	allow-update { localhost; };
};
zone "0.168.192.in-addr.arpa" IN {
	type master;
	file "/your-dns-folder/dns.tinyray.com.192.rev";
	allow-update { none; };
};

The other config file, named named.conf.options, controls how your DNS service works and can be placed in the same folder as named.conf.local. This configuration is very important because improper settings can put your DNS server at risk. Following is an example of DNS service settings:

options {
	directory "/var/cache/bind";
	//query-source address * port 53;
	// forwarders are only consulted for recursive queries; with
	// "recursion no" below they have no effect
	forwarders {
	  8.8.8.8; 8.8.4.4; //0.0.0.0;
	};
	forward only;
	//dnssec-enable yes;
	dnssec-validation auto;
	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };
	//----- security -----
	allow-recursion { none; };
	allow-transfer { none; };     // no zone transfers (AXFR); list your secondaries here if you have any
	allow-query-cache { none; };
	recursion no;
	additional-from-auth no;
	additional-from-cache no;
};

By default, bind allows recursive queries for lookups on domains that are not master zones on the name server. This presents some PCI compliance issues and some informational vulnerabilities (allowing third parties to query the nameserver). It is important to restrict who can perform DNS queries, in addition to what is allowed to be queried. If this DNS server is only meant to be recursively queried by internal users for third-party domains, then there is no reason to allow the general internet to also perform queries against it. If the server is meant only to act as a nameserver for specific domains, then recursive queries should be disabled, since the server never needs to resolve anything other than its own domains. To disable recursive queries, consider the following settings:

// Authoritative-only server: place these inside the options { } block
// to refuse recursion for everyone
	recursion no;
	allow-recursion { none; };
	allow-transfer { none; };
	allow-query-cache { none; };
	additional-from-auth no;
	additional-from-cache no;
	listen-on-v6 { any; };
// Alternatively, to allow recursion only from your own sub-net
options {
	recursion yes;
	allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};

Finally, attach your two DNS service config files to bind9:

#deb
$ vi /etc/bind/named.conf
# replace the default includes of /etc/bind/named.conf.options and
# /etc/bind/named.conf.local with these (named allows one options block only)
include "/your-dns-folder/named.conf.options";
include "/your-dns-folder/named.conf.local";
#yum
$ vi /etc/named.conf
# add the same two include lines

Grant bind9 proper read/write permissions on your-dns-folder before restarting bind9, so that your DNS service settings take effect.

##### If apparmor is active, allow named to access your-dns-folder
sudo vi /etc/apparmor.d/usr.sbin.named
  # change /var/lib/bind/ -> /var/lnt/dns/ (i.e. your-dns-folder)
sudo systemctl reload apparmor
##### give the bind user ownership of the zone folder
  #deb
chown -R bind:bind your-dns-folder
chmod -R 0744 your-dns-folder
  #yum
chown -R named:named your-dns-folder
chmod -R 0744 your-dns-folder

#### Restart service
  #deb
/etc/init.d/bind9 restart
  #yum
service named restart

Voila! Your server is now ready for DNS service. To join your DNS server to the DNS, open your domain name service provider's control panel and update the A records for your server names (two different server names, as usual) to point to your server IP. Then add Nameserver (NS) records (two, as usual), one per server name, for the domains or sub-domains that will use your DNS server. For example, if you want to use your server for the subdomain "dns.tinyray.com", create NS records for the "dns" sub-domain, one for each of your server names. Here are some tips on using your DNS server.

Manage DNS records— You can add DNS records to, or remove them from, your server database; nsupdate, shipped with bind9, is the tool for this. The following example removes test.dns.tinyray.com from the database and then adds me.dns.tinyray.com.

$ nsupdate
# type the following commands:
> server localhost
> zone dns.tinyray.com
> update delete test.dns.tinyray.com
> update add me.dns.tinyray.com 86400 IN A 172.245.21.7
> send
> quit
# issues:
  # error: UNAUTH (any error except BADKEY)
  # solution: set system permissions on "your-dns-folder"
  # so that named can write the zone's .jnl journal file in this folder.
  # Or, delete the *.jnl files if you have just reinstalled the server.
# check if the added record works:
$ nslookup me.dns.tinyray.com

Server:         23.94.38.149
Address:        23.94.38.149#53

Name:   me.dns.tinyray.com
Address: 172.245.21.7

Check your DNS server against Amplification Attacks— A DNS server amplification attack is a popular form of distributed denial of service (DDoS) that relies on publicly accessible open DNS servers to overwhelm a victim system with DNS response traffic. You can find more information in this article. To check whether your DNS server is vulnerable to this kind of attack, use this online service. Below is a test result:

# Enter your DNS server domain name or IP then select "Test IP"
[ns1.tinyray.com]
Recursive resolver is not detected on ns1.tinyray.com
IP address ns1.tinyray.com is not vulnerable to DNS Amplification attacks
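The online test above and the recursion settings earlier come down to one header bit: a server that sets RA (recursion available) in its reply to an outside client is an open resolver, which is what an amplification attack needs. The script below, an added example that is not part of the original article or of bind9, sends a plain UDP query with RD set for a name the server is not authoritative for and reads that bit back, so you can verify your own server from inside and outside your allow-recursion sub-net. The target address, the queried name and the timeout are assumptions; the make_reply helper builds constructed replies for offline testing and is not captured from a real server.

```python
"""Check whether a name server offers recursion to the client running this
script, i.e. whether it is an open resolver usable for amplification.

Added example, not part of the original article or of BIND. A BIND server
configured with "recursion no" (or whose allow-recursion list excludes us)
answers an out-of-zone RD=1 query with REFUSED and RA=0; a server that
answers with RA=1 will recurse for anyone who can reach it.
"""
import secrets
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(qname, qtype=1):
    """Build a minimal DNS query (header + one question, class IN, RD=1).
    Returns (transaction id, packet bytes)."""
    txid = secrets.randbits(16)
    flags = 0x0100                                   # RD bit set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname_wire + struct.pack("!HH", qtype, 1)


def parse_header(reply):
    """Return (txid, qr, ra, rcode) from a DNS reply, or None if too short."""
    if len(reply) < 12:
        return None
    txid, flags, *_ = struct.unpack("!HHHHHH", reply[:12])
    return txid, (flags >> 15) & 1, (flags >> 7) & 1, flags & 0xF


def classify(reply, expected_txid):
    """Interpret the reply to an RD=1 query for a name outside the server's zones."""
    hdr = parse_header(reply)
    if hdr is None:
        return "malformed reply"
    txid, qr, ra, rcode = hdr
    if txid != expected_txid or not qr:
        return "not a reply to our query"
    status = RCODES.get(rcode, str(rcode))
    if ra:
        return f"OPEN: recursion available to this client (rcode {status})"
    return f"closed: recursion not offered (rcode {status})"


def make_reply(query, ra, rcode):
    """Constructed reply for offline testing, not captured from a real server:
    echoes the question section and sets QR, RD, RA and RCODE in the header."""
    txid, _flags, qdcount, *_ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8100 | (0x0080 if ra else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0) + query[12:]


def probe(server, qname="example.com", timeout=3.0):
    """Send the query to `server` on UDP port 53 and classify the answer.
    `qname` is assumed to be a name this server is not authoritative for."""
    txid, packet = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply (filtered or down)"
    return classify(reply, txid)


if __name__ == "__main__":
    # Assumption: the first argument is your own server's IP; defaults to localhost.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, "->", probe(target))
```

Run it once from a host inside your allow-recursion sub-net (expect OPEN, if you enabled recursion for that sub-net) and once from an unrelated network (expect closed); an OPEN result from the unrelated network means the allow-recursion or recursion setting is not in effect and the server will be usable for amplification.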

That's it. Thank you for reading this article.

© 2024 blog.tinyray.com  by tinyray