Sunday, July 15, 2012

Public DNS Server setup in production

The power of the World Wide Web we know today relies heavily on the Domain Name System (better known as DNS), one of the largest distributed databases in the world, which is responsible for the smooth communication of computers within networks.

DNS servers translate domain names into the numerical IP addresses that computers need in order to locate web sites and communicate with each other on the Internet.


Throughout this setup, put the server's public IP address in the records, not a private (RFC 1918) address; a private address in a public zone is reachable only from your own LAN. For example, not this:
    fafadiatech.com.        IN      A       192.168.0.100
but this:
    fafadiatech.com.        IN      A       173.193.16.114

The end of this post shows how a query for this name is resolved.

Table of contents:
  • DNS Servers
  • Install and configure a BIND DNS server
    • How to "chroot" Bind
    • Configuring BIND

DNS servers

DNS servers are divided into public and private DNS servers. While most public servers are run by large Internet Service Providers and commercial companies, private DNS servers are used mainly for home and office networks.

Setting up a DNS server in a home network is recommended once the network has more than a few computers, because it makes name resolution more efficient.

With a DNS server for your private network you can centralize host information instead of maintaining a hosts file on every client. In addition, a private DNS server can answer your clients' resolution requests locally, since it caches DNS information.

Install and configure a BIND DNS server

BIND is easy to install on most Linux distributions, since it is available in their repositories. You can also compile it from source.

To install BIND 9 from the repositories on Debian or Ubuntu, become root and run:
apt-get install bind9
BIND is now installed. You can start and stop it at any time with the init script's "start" and "stop" commands.

Stopping Bind

/etc/init.d/bind9 stop

Starting Bind

/etc/init.d/bind9 start

How to "chroot" Bind

The first step of the BIND configuration is to "chroot" it. Two things happen here: named is started with -u bind, so that once it has bound port 53 it drops root and runs as the unprivileged user bind, and with -t /var/lib/named, so that the only part of the filesystem it can see is that directory tree. This is done for security purposes: if someone manages to exploit a vulnerability in BIND, they get only the bind user's rights inside the jail, and since BIND's directory tree acts as its root directory the rest of the system is out of reach. A chroot alone would not be enough, because a process that keeps root can break out of it; it is the combination with the privilege drop that contains an attacker.

Here we will show you how to chroot BIND to the /var/lib/named directory. The first thing to do is to edit the /etc/default/bind9 file, which tells the init script to start the daemon as the unprivileged user bind with /var/lib/named as its root directory. This is how the file should look:

The /etc/default/bind9 file:

OPTIONS="-u bind -t /var/lib/named"
# Set RESOLVCONF=no to not run resolvconf
RESOLVCONF=yes

Now create the directories BIND needs inside /var/lib/named:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run


This creates all the directories BIND needs to work inside /var/lib/named. The next step is to move BIND's configuration directory into the jail.

It is located at /etc/bind, and we move it (not copy it) into /var/lib/named/etc:

mv /etc/bind /var/lib/named/etc/

Once the configuration is in its new location, create a symlink at the old path, so that future package updates (and your own edits under /etc/bind) land inside the jail:

ln -s /var/lib/named/etc/bind /etc/bind

The order matters: a plain cp would refuse to copy the directory, and if /etc/bind still existed the ln -s would create the link inside it rather than in its place.

Now BIND can run inside the chroot jail. However, it still needs a few device files in order to function properly, for example /dev/null and /dev/random (its source of randomness). Create them with the following commands, and give the bind user the directories it must write to:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

Note that the last command makes the whole configuration tree writable by the bind user. A master server with static zones only needs to read its configuration, so a stricter setup leaves /var/lib/named/etc/bind owned by root (group bind, readable) and gives bind ownership only of what it has to write: the cache and pid directories, and zone directories that receive dynamic updates or slave transfers.

The final step is to configure syslog so that the chrooted named, which can no longer reach /dev/log, still gets its log and error messages out. With sysklogd, add the following line:
SYSLOGD="-a /var/lib/named/dev/log"
to the /etc/default/syslogd file, which makes syslogd listen on an extra socket inside the jail. (On a system running rsyslog, the equivalent is $AddUnixListenSocket /var/lib/named/dev/log in rsyslog.conf.) Here is how the file should look after that:

A syslogd file for a chrooted BIND

#
# Top configuration file for syslogd
#
#
# Full documentation of possible arguments are found in the manpage
# syslogd(8).
#
#
# For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-a /var/lib/named/dev/log"
Now restart syslogd, start BIND and check /var/log/syslog for errors.

Restart syslogd and start BIND

/etc/init.d/sysklogd restart

/etc/init.d/bind9 start
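The steps above are easy to get half-right (a directory missing, a device node with the wrong numbers, the configuration copied instead of moved), and named then fails at start-up with an unhelpful message. The Python script below is an added example, not part of the original post and not BIND's own tooling: build_jail() performs the same steps as above (directories, mv plus symlink, device nodes, ownership of the writable directories) and audit_jail() inspects an existing jail and lists what is missing or wrong, which is worth running before the first start with -t. The /var/lib/named layout and the user name bind are taken from this post and are Debian's defaults; the function names are mine. The audit also flags a bind-owned etc/bind as a hardening warning, for the reason given above. Run it as root to create the device nodes and change ownership; an unprivileged run still builds the skeleton and reports the rest.

```python
"""Build and audit the BIND chroot jail set up above.

Added example, not part of the original post. It reproduces the post's
/var/lib/named layout and audits the result as you would before the first
start of named with -t. Paths and the user "bind" are Debian's defaults.
"""
import os
import pwd
import shutil
import stat

JAIL_DIRS = ("etc", "dev", "var/cache/bind", "var/run/bind/run")
# device nodes named needs inside the jail: (relative path, major, minor)
JAIL_DEVICES = (("dev/null", 1, 3), ("dev/random", 1, 8))
# the only directories the service user has to be able to write to
WRITABLE_DIRS = ("var/cache/bind", "var/run/bind/run")


def build_jail(root, config_src="/etc/bind", owner="bind"):
    """Create the jail under root and move config_src into it (root needed for mknod/chown)."""
    for rel in JAIL_DIRS:
        os.makedirs(os.path.join(root, rel), exist_ok=True)

    jailed_conf = os.path.join(root, "etc", "bind")
    if (os.path.isdir(config_src) and not os.path.islink(config_src)
            and not os.path.exists(jailed_conf)):
        # mv, not cp: the old path becomes a symlink into the jail, so package
        # upgrades and admins editing /etc/bind change the jailed copy
        shutil.move(config_src, jailed_conf)
        os.symlink(jailed_conf, config_src)

    if os.geteuid() != 0:
        return
    for rel, major, minor in JAIL_DEVICES:
        path = os.path.join(root, rel)
        try:
            if not os.path.exists(path):
                os.mknod(path, stat.S_IFCHR | 0o666, os.makedev(major, minor))
            os.chmod(path, 0o666)  # umask may have stripped bits in mknod
        except OSError:
            pass  # e.g. no CAP_MKNOD inside a container; the audit flags it
    if owner is None:
        return
    try:
        pw = pwd.getpwnam(owner)
    except KeyError:
        return
    for rel in WRITABLE_DIRS:
        os.chown(os.path.join(root, rel), pw.pw_uid, pw.pw_gid)


def audit_jail(root, owner="bind"):
    """Return a list of findings; an empty list means the jail is complete."""
    findings = []
    for rel in JAIL_DIRS:
        if not os.path.isdir(os.path.join(root, rel)):
            findings.append("missing directory " + rel)
    if not os.path.isdir(os.path.join(root, "etc", "bind")):
        findings.append("missing config tree etc/bind (named.conf lives there)")
    for rel, major, minor in JAIL_DEVICES:
        path = os.path.join(root, rel)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append("missing device node " + rel)
            continue
        if not stat.S_ISCHR(st.st_mode):
            findings.append(rel + " is not a character device")
        elif (os.major(st.st_rdev), os.minor(st.st_rdev)) != (major, minor):
            findings.append("%s is device %d:%d, expected %d:%d" % (
                rel, os.major(st.st_rdev), os.minor(st.st_rdev), major, minor))
        elif stat.S_IMODE(st.st_mode) & 0o666 != 0o666:
            findings.append(rel + " must be mode 666 so named can open it")
    if owner is None:
        return findings
    try:
        uid = pwd.getpwnam(owner).pw_uid
    except KeyError:
        findings.append("service user %s does not exist" % owner)
        return findings
    for rel in WRITABLE_DIRS:
        path = os.path.join(root, rel)
        if os.path.isdir(path) and os.stat(path).st_uid != uid:
            findings.append("%s is not owned by %s" % (rel, owner))
    conf = os.path.join(root, "etc", "bind")
    if os.path.isdir(conf) and os.stat(conf).st_uid == uid:
        # hardening point: a master with static zones only reads its config
        findings.append("warning: etc/bind is owned by %s, so a compromised "
                        "named could rewrite its own configuration" % owner)
    return findings


if __name__ == "__main__":
    import sys
    jail = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/named"
    for line in audit_jail(jail) or ["jail at %s looks complete" % jail]:
        print(line)
```

Run it as `python3 jail.py /var/lib/named` after the steps above; an empty report means the directories, device nodes and ownership match what named expects, and anything listed is what to fix before the first start. The audit is deliberately read-only, so it is safe to run on a live server.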

Configuring BIND

Once you have installed and chrooted BIND, it's time to start using it. The first thing you need to do is add a DNS zone for your domain name, by editing the named.conf.local file. Because /etc/bind is a symlink into the jail, editing it on the host edits the jailed copy, and the path in the file statement is interpreted relative to the chroot, so /etc/bind/zones/... is also correct from named's point of view.

vi /etc/bind/named.conf.local

In there, add the following text to create a DNS zone for fafadiatech.com (substitute your own domain):
zone "fafadiatech.com" {
        type master;
        file "/etc/bind/zones/fafadiatech.com.db";
};

The next step is to create the zone file itself.

mkdir /etc/bind/zones

vi /etc/bind/zones/fafadiatech.com.db

Paste the zone below into the new file, then add your own records or change the ones shown. Three details matter: a name without a trailing dot is relative to the zone origin, so "fafadiatech.com IN A" would define fafadiatech.com.fafadiatech.com rather than the apex; the name server ns1.fafadiatech.com needs an A record of its own (the "glue"), otherwise the delegation points at a name nobody can resolve; and the last SOA field is the negative caching TTL (RFC 2308), not a minimum TTL. Run named-checkconf and named-checkzone before reloading, since a syntax error makes named refuse to load the zone.

$TTL 1500
@  IN SOA ns1.fafadiatech.com. root.fafadiatech.com. (
                             2007062703        ;serial (YYYYMMDDnn, bump on every change)
                             28800             ;refresh
                             3600              ;retry
                             604800            ;expire
                             38400 )           ;negative caching TTL (10 h 40 min)
fafadiatech.com.      IN      NS      ns1.fafadiatech.com.
fafadiatech.com.      IN      A       173.193.16.114
fafadiatech.com.      IN      MX      10    fafadiatech.com.
ns1.fafadiatech.com.  IN      A       173.193.16.114
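Before handing a zone file to named it is worth checking it for the classic master-file mistakes: an owner written without its trailing dot (which silently becomes name.origin), an NS or MX target inside the zone with no address record, and an SOA MNAME that is not one of the zone's name servers. named-checkzone catches some of these; the small linter below, an added example that is not part of the original post and not BIND's own code, shows how the origin and trailing-dot rules are applied and flags all three. The two sample zones for fafadiatech.com are constructed here: BROKEN_ZONE deliberately carries the three mistakes, FIXED_ZONE is the corrected zone; the function names are mine.

```python
"""Lint a BIND master zone file for the mistakes that are easy to make
in the zone above. Added example, not part of the original post and not
a substitute for named-checkzone (run that as well). Both sample zones
are constructed here: the first deliberately carries three typical
errors, the second is the corrected version.
"""

RRTYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "TXT", "PTR", "SRV"}

BROKEN_ZONE = """\
$TTL 1500
@  IN SOA fafadiatech.com. root (
        2007062703 28800 3600 604800 38400 )   ;serial refresh retry expire minimum
fafadiatech.com.      IN      NS      ns1.fafadiatech.com.
fafadiatech.com        IN      A       173.193.16.114
fafadiatech.com.      IN      MX      10    fafadiatech.com.
"""

FIXED_ZONE = """\
$TTL 1500
@  IN SOA ns1.fafadiatech.com. root.fafadiatech.com. (
        2007062703 28800 3600 604800 38400 )   ;serial refresh retry expire negative-cache TTL
@       IN      NS      ns1.fafadiatech.com.
@       IN      A       173.193.16.114
@       IN      MX      10      fafadiatech.com.
ns1     IN      A       173.193.16.114
"""


def _fqdn(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def _origin(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_zone(text, origin):
    """Return [(owner, type, rdata tokens)], owners fully qualified and lower-cased."""
    origin, records, last_owner, buf = _origin(origin), [], None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        buf.append(line)
        joined = " ".join(buf)
        if joined.count("(") > joined.count(")"):
            continue                                  # still inside a ( ... ) record
        buf = []
        tokens = joined.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = _origin(_fqdn(tokens[1], origin))
            continue
        if tokens[0] == "$TTL":
            continue
        if joined[0].isspace():                       # blank owner repeats the previous one
            owner = last_owner
        else:
            owner = last_owner = _fqdn(tokens.pop(0), origin).lower()
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                             # optional TTL and class
        if owner is None or not tokens or tokens[0].upper() not in RRTYPES:
            raise ValueError("cannot parse record: " + joined.strip())
        records.append((owner, tokens.pop(0).upper(), tokens))
    return records


def lint_zone(text, origin):
    """Return human-readable problems found in the zone (empty if none)."""
    origin = _origin(origin)
    records = parse_zone(text, origin)
    problems = []
    for owner, rtype, _ in records:
        # ends in the origin twice: the owner was written without its trailing
        # dot, e.g. "fafadiatech.com IN A" becomes fafadiatech.com.fafadiatech.com.
        if owner.endswith(origin + origin):
            problems.append("%s %s: owner is relative, missing trailing dot?" % (owner, rtype))
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1 or soa[0][0] != origin:
        problems.append("zone needs exactly one SOA record at " + origin)
    has_address = {o for o, t, _ in records if t in ("A", "AAAA")}
    ns_targets = [rd[0].lower() for o, t, rd in records if t == "NS" and o == origin]
    if not ns_targets:
        problems.append("no NS record at the zone apex")
    if soa and soa[0][2][0].lower() not in ns_targets:
        problems.append("SOA MNAME %s is not one of the zone's NS" % soa[0][2][0])
    for _, rtype, rd in records:
        if rtype in ("NS", "MX"):
            target = rd[-1].lower()
            if (target == origin or target.endswith("." + origin)) and target not in has_address:
                problems.append("%s target %s is in-zone but has no A/AAAA record" % (rtype, target))
    return problems


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label + ":", lint_zone(zone, "fafadiatech.com") or ["no problems found"])
```

Running it reports four problems for the broken zone (the relative A owner, the NS and MX targets without an address, and the SOA MNAME that is not a name server) and none for the fixed one. The parser only handles the subset of master-file syntax used here, so keep running named-checkzone on the real file as well.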

Two steps are left, which this post does not cover: the forwarder configuration and the "self-resolving" setting (pointing the server's own resolver at itself). Be careful with forwarders on a server that faces the Internet: an authoritative public server should have recursion switched off (recursion no; in named.conf.options), or at least limited to your own networks with allow-recursion, otherwise it is an open resolver that anyone can abuse for reflection and amplification attacks.

Here is how a request for my company's website, fafadiatech.com, is resolved:

[leo@leo ~]$ dig +trace fafadiatech.com

; <<>> DiG 9.8.3-P1-RedHat-9.8.3-2.P1.fc15 <<>> +trace fafadiatech.com
;; global options: +cmd
.                       437709  IN      NS      h.root-servers.net.
.                       437709  IN      NS      d.root-servers.net.
.                       437709  IN      NS      i.root-servers.net.
.                       437709  IN      NS      j.root-servers.net.
.                       437709  IN      NS      e.root-servers.net.
.                       437709  IN      NS      k.root-servers.net.
.                       437709  IN      NS      l.root-servers.net.
.                       437709  IN      NS      a.root-servers.net.
.                       437709  IN      NS      f.root-servers.net.
.                       437709  IN      NS      c.root-servers.net.
.                       437709  IN      NS      m.root-servers.net.
.                       437709  IN      NS      g.root-servers.net.
.                       437709  IN      NS      b.root-servers.net.
;; Received 512 bytes from 192.168.1.1#53(192.168.1.1) in 1575 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 496 bytes from 128.63.2.53#53(128.63.2.53) in 10572 ms

fafadiatech.com.        172800  IN      NS      dns1.bigrock.in.
fafadiatech.com.        172800  IN      NS      dns2.bigrock.in.
fafadiatech.com.        172800  IN      NS      dns3.bigrock.in.
fafadiatech.com.        172800  IN      NS      dns4.bigrock.in.
;; Received 119 bytes from 192.12.94.30#53(192.12.94.30) in 855 ms

fafadiatech.com.        38400   IN      A       173.193.16.114
;; Received 49 bytes from 50.23.75.45#53(50.23.75.45) in 288 ms
So here the authoritative (public) DNS servers for fafadiatech.com are dns1 to dns4.bigrock.in, as delegated by the .com servers. When one of them is asked for fafadiatech.com, it looks the name up in its copy of the zone, the equivalent of the zone file configured above, finds the A record and answers:

fafadiatech.com.        38400   IN      A       173.193.16.114

That is the address your browser then connects to. The 38400 on the answer is its TTL: a caching resolver may keep this record for that many seconds before asking the authoritative server again.

Notice that bigrock's name servers are authoritative for a great many domains besides fafadiatech.com. Each of them is a separate zone, with its own zone statement in named.conf.local and its own zone file, exactly like the one above for fafadiatech.com; the records for fafadiatech.com do not live inside the bigrock.in zone. The bigrock.in zone itself only has to hold bigrock's own names, roughly like this (illustrative values, not bigrock's real records):

$TTL 1500
@  IN SOA dns1.bigrock.in. root.bigrock.in. (
                             2007062703        ;serial
                             28800             ;refresh
                             3600              ;retry
                             604800            ;expire
                             38400 )           ;negative caching TTL
bigrock.in.      IN      NS      dns1.bigrock.in.
bigrock.in.      IN      A       62.41.78.200
bigrock.in.      IN      MX      10      bigrock.in.

So bigrock's servers are the NS for bigrock.in and for every customer domain they host. For our own public DNS server the same applies on a smaller scale: we register ns1.fafadiatech.com as the name server for fafadiatech.com with the registrar, so that the .com servers delegate to it the way they delegate to dns1-dns4.bigrock.in above, and our zone carries the matching NS record together with the A record for ns1.

If I explained something wrong, please correct me by commenting on this post.
