Setting Up and Configuring DNS server on a Unix-Based System: A Comprehensive Guide
Overview
The following describes the process of setting up and configuring a Domain Name System (DNS) server on a Unix-based system. We'll address both IPv4 and IPv6 addressing, with prefixes of /24 and /64 respectively. The domain name chosen for this tutorial is gruppo9.labreti.it. For the demonstration we use the Raspbian GNU/Linux operating system and the BIND9 name server.
Section 1: Installation
Our first step is to install the BIND9 name server on our Unix-based system. BIND (Berkeley Internet Name Domain) is widely used DNS server software. To install BIND9, follow these steps:
- Open a terminal window on your Unix-based system.
- Update the package list by running:
sudo apt update
- Install BIND9 with the following command:
sudo apt install bind9
- Once the installation is complete, start the BIND9 service and enable it to start on boot with these commands:
sudo systemctl start bind9
sudo systemctl enable bind9
Section 2: Configuration
The next step is configuration, which involves modifying the files named.conf.options and named.conf.default-zones located in the /etc/bind/ directory. To add new zones for the domain, follow this procedure:
- Open the named.conf.default-zones file for editing. This file holds the configuration for domain zones.
- To define a new zone, add a zone entry followed by its name to the named.conf.default-zones file. Inside the zone entry, specify the file in which the name resolution data is stored.
- A zone can be either forward or reverse. A forward zone contains data for resolving names to IPv4 and IPv6 addresses; a reverse zone contains data for resolving IPv4 or IPv6 addresses back to names. The name of a forward zone is the domain name or a subdomain, while the name of a reverse zone must end in in-addr.arpa (IPv4) or ip6.arpa (IPv6).
- When configuring both forward and reverse zones for a domain, make sure the records are consistent and that every host appears in both data files.
Section 2.1: FILE: named.conf.default-zones
In this specific configuration, there are three zones defined:
- For the "gruppo9.labreti.it" domain, we define a forward zone that includes resolutions for both name-to-IPv4 and name-to-IPv6 mappings.
zone "gruppo9.labreti.it" IN {
type master;
file "/etc/bind/db.gruppo9.labreti.it";
};
- For the IPv4 reverse lookup of the 192.168.9 network, we define a reverse zone.
zone "9.168.192.in-addr.arpa" IN {
type master;
file "/etc/bind/db.9.168.192";
};
- For the IPv6 reverse lookup of the /64 prefix used by the "gruppo9.labreti.it" domain, we define another reverse zone.
zone "0.0.0.0.0.0.0.0.0.0.0.0.9.0.0.2.ip6.arpa" IN {
type master;
file "/etc/bind/db.reverse.ipv6.gruppo9";
};
Section 2.2: zone files
Within the DNS data files (e.g., db.gruppo9.labreti.it, db.reverse.ipv6.gruppo9, and db.9.168.192), the translations are defined, starting with a Start Of Authority (SOA) record that names the primary name server for the zone and the administrator's email address. These files also carry a serial number, which identifies the last update of the zone, and TTL values for the DNS records. Here's an explanation of the content of these files:
FILE: db.gruppo9.labreti.it
$TTL 604800
$ORIGIN gruppo9.labreti.it.
@       IN SOA  ns.gruppo9.labreti.it. admin.gruppo9.labreti.it. (
                1         ; Serial
                604800    ; Refresh
                86400     ; Retry
                2419200   ; Expire
                604800 )  ; Negative Cache TTL
;
@       IN NS   ns.gruppo9.labreti.it.
ns      IN A    192.168.9.1
        IN AAAA 2009::1
ntp     IN A    192.168.9.2
        IN AAAA 2009::2
www     IN A    192.168.9.3
        IN AAAA 2009::3
ftp     IN A    192.168.9.4
        IN AAAA 2009::4
host1   IN A    192.168.9.5
        IN AAAA 2009::5
host2   IN A    192.168.9.6
        IN AAAA 2009::6
This file contains forward DNS resolutions for both IPv4 and IPv6. It defines the authoritative records for the "gruppo9.labreti.it" domain.
- $TTL: This specifies the default Time To Live (TTL) for records in seconds, set to 604800 seconds (1 week).
- $ORIGIN: The $ORIGIN directive indicates the base domain for relative domain names in this file, set to "gruppo9.labreti.it."
Following the SOA record are resource records (RR) for the domain, including:
- @ IN NS: This specifies the authoritative name server for the domain.
- ns IN A/AAAA: These records map the "ns" subdomain to its IPv4 and IPv6 addresses. The AAAA line starts with whitespace, which tells BIND to reuse the owner name of the preceding line; without that indentation the record would be attached to the wrong name.
- ntp IN A/AAAA: Records for the "ntp" subdomain.
- www IN A/AAAA: Records for the "www" subdomain.
- ftp IN A/AAAA: Records for the "ftp" subdomain.
- host1 IN A/AAAA: Records for the "host1" subdomain.
- host2 IN A/AAAA: Records for the "host2" subdomain.
FILE: db.reverse.ipv6.gruppo9
$TTL 604800
@       IN SOA  ns.gruppo9.labreti.it. admin.gruppo9.labreti.it. (
                1         ; Serial
                604800    ; Refresh
                86400     ; Retry
                2419200   ; Expire
                604800 )  ; Negative Cache TTL
;
@       IN NS   ns.gruppo9.labreti.it.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ns.gruppo9.labreti.it.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ntp.gruppo9.labreti.it.
3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR www.gruppo9.labreti.it.
4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ftp.gruppo9.labreti.it.
5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR host1.gruppo9.labreti.it.
6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR host2.gruppo9.labreti.it.
This file contains reverse DNS resolutions for IPv6 addresses in the "gruppo9.labreti.it" domain. It has no $ORIGIN directive, so relative names are completed with the zone name given in named.conf.default-zones (0.0.0.0.0.0.0.0.0.0.0.0.9.0.0.2.ip6.arpa).
- $TTL: The default TTL, set to 604800 seconds (1 week).
- @ IN SOA: Start Of Authority (SOA) record indicating the primary name server and administrator's email address.
Following the SOA record are PTR (Pointer) records that map IPv6 addresses to domain names. Each owner name lists the 16 nibbles of the host part of the address in reverse order; the remaining 16 nibbles (the /64 prefix) come from the zone name:
- 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR: Maps the IPv6 address 2009::1 to ns.gruppo9.labreti.it.
- 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR: Maps the IPv6 address 2009::2 to ntp.gruppo9.labreti.it.
- 3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR: Maps the IPv6 address 2009::3 to www.gruppo9.labreti.it.
- 4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR: Maps the IPv6 address 2009::4 to ftp.gruppo9.labreti.it.
- 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR: Maps the IPv6 address 2009::5 to host1.gruppo9.labreti.it.
- 6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR: Maps the IPv6 address 2009::6 to host2.gruppo9.labreti.it.
FILE: db.9.168.192
$TTL 604800
$ORIGIN 9.168.192.in-addr.arpa.
@       IN SOA  ns.gruppo9.labreti.it. admin.gruppo9.labreti.it. (
                1         ; Serial
                604800    ; Refresh
                86400     ; Retry
                2419200   ; Expire
                604800 )  ; Negative Cache TTL
;
@       IN NS   ns.gruppo9.labreti.it.
1       IN PTR  ns.gruppo9.labreti.it.
2       IN PTR  ntp.gruppo9.labreti.it.
3       IN PTR  www.gruppo9.labreti.it.
4       IN PTR  ftp.gruppo9.labreti.it.
5       IN PTR  host1.gruppo9.labreti.it.
6       IN PTR  host2.gruppo9.labreti.it.
This file contains reverse DNS resolutions for IPv4 addresses in the 192.168.9 network.
- $TTL: The default TTL, set to 604800 seconds (1 week).
- $ORIGIN: Specifies the base domain for relative domain names as "9.168.192.in-addr.arpa."
- @ IN SOA: Start Of Authority (SOA) record indicating the primary name server and administrator's email address.
- @ IN NS: Specifies the authoritative name server.
Following the SOA and NS records are PTR records that map IPv4 addresses to domain names:
- 1 IN PTR: Maps the IPv4 address "192.168.9.1" to "ns.gruppo9.labreti.it."
- 2 IN PTR: Maps the IPv4 address "192.168.9.2" to "ntp.gruppo9.labreti.it."
- 3 IN PTR: Maps the IPv4 address "192.168.9.3" to "www.gruppo9.labreti.it."
- 4 IN PTR: Maps the IPv4 address "192.168.9.4" to "ftp.gruppo9.labreti.it."
- 5 IN PTR: Maps the IPv4 address "192.168.9.5" to "host1.gruppo9.labreti.it."
- 6 IN PTR: Maps the IPv4 address "192.168.9.6" to "host2.gruppo9.labreti.it."
These files collectively define the DNS records and translations for the "gruppo9.labreti.it" domain, enabling both forward and reverse DNS resolution for IPv4 and IPv6 addresses.
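The consistency rule from Section 2 (every A/AAAA record in the forward zone needs a matching PTR in the corresponding reverse zone, and vice versa) can be checked mechanically before the zones are loaded. The script below is an added example, not part of the tutorial or of BIND: it embeds constructed zone data modelled on the three files above (SOA/NS lines omitted, one deliberate mismatch planted), parses them with the same owner-name rules BIND uses, and derives the expected in-addr.arpa / ip6.arpa owner of each address with the standard library's ipaddress.reverse_pointer.

```python
import ipaddress

# Zone data constructed for this example from the tutorial's files (SOA/NS lines
# omitted, nothing read from /etc/bind); www's IPv6 PTR deliberately names ftp.
FORWARD = """$ORIGIN gruppo9.labreti.it.
ns   IN A    192.168.9.1
     IN AAAA 2009::1
www  IN A    192.168.9.3
     IN AAAA 2009::3
"""
REVERSE4 = """$ORIGIN 9.168.192.in-addr.arpa.
1 IN PTR ns.gruppo9.labreti.it.
3 IN PTR www.gruppo9.labreti.it.
"""
REVERSE6 = """$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.9.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ns.gruppo9.labreti.it.
3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ftp.gruppo9.labreti.it.
"""

def parse_zone(text):
    """Return (owner FQDN, type, rdata) for every A/AAAA/PTR record, applying
    $ORIGIN and the rule that a line starting with whitespace reuses the
    previous owner name (which is why the AAAA lines must be indented)."""
    origin, owner, records = "", None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line and not line[0].isspace():          # explicit owner name
            owner, line = (line.split(None, 1) + [""])[:2]
            owner = (origin if owner == "@" else
                     owner if owner.endswith(".") else f"{owner}.{origin}")
        fields = line.split()
        if fields and fields[0] == "IN":             # optional class token
            fields = fields[1:]
        if len(fields) == 2 and fields[0] in ("A", "AAAA", "PTR"):
            records.append((owner, fields[0], fields[1]))
    return records

def check_consistency(forward, rev4, rev6):
    """Derive each A/AAAA record's expected PTR owner with ipaddress.reverse_pointer
    and compare it with the reverse zones. Returns (missing PTRs, stray PTRs)."""
    expected = {ipaddress.ip_address(r).reverse_pointer + ".": o
                for o, t, r in parse_zone(forward) if t != "PTR"}
    ptrs = {o: r for o, t, r in parse_zone(rev4) + parse_zone(rev6) if t == "PTR"}
    missing = sorted(f"{o} -> {n}" for o, n in expected.items() if ptrs.get(o) != n)
    stray = sorted(f"{o} -> {n}" for o, n in ptrs.items() if expected.get(o) != n)
    return missing, stray
```

Running check_consistency(FORWARD, REVERSE4, REVERSE6) reports the planted error in both directions: www's 2009::3 has no PTR, and the PTR for 2009::3 names a host with no such address.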
Section 2.3: options file
options {
        directory "/var/cache/bind";
        allow-query { any; };
        forwarders {
                8.8.8.8;
        };
        listen-on port 53 { any; };
        dnssec-validation auto;
        listen-on-v6 { any; };
};
Inside the named.conf.options file, you can define the behaviors of the Name Server. In this particular configuration, the file has been left mostly unchanged. Let's explore the key options and their significance:
- directory: This option specifies the working directory of the DNS server, where it stores its cache. In this setup, it is set to "/var/cache/bind".
- allow-query: The allow-query option determines who is allowed to query the name server. In this configuration, "any" allows any host to make queries.
- forwarders: The forwarders option specifies the name server to which queries are forwarded when the local name server cannot resolve them itself. In this case, it is set to "8.8.8.8", which is Google's public DNS server.
- listen-on: The listen-on option designates the IPv4 addresses and port on which the name server listens for DNS queries. Here it is set to port 53 and "any", meaning the name server accepts queries on port 53 of every IPv4 interface.
- dnssec-validation: This option enables DNSSEC (Domain Name System Security Extensions) validation. In this configuration, it is set to "auto", so the name server validates signed answers using its built-in trust anchor for the root zone.
- listen-on-v6: Similar to listen-on but for IPv6, this option defines the addresses on which the name server listens for IPv6 DNS queries. Here it is also set to "any", meaning the name server accepts queries on every IPv6 interface.
In this configuration, the named.conf.options file is nearly pristine, with minimal changes made to the default settings. It allows the Name Server to receive queries from any source, forwards unresolved queries to Google's public DNS server, and supports both IPv4 and IPv6 connections.
Section 3: Conclusion
This minimal configuration ensures that your Name Server is responsive and capable of handling a wide range of DNS queries efficiently. Depending on your network and security requirements, you can further customize these options to suit your needs.