Primary Master DNS for a LAN on Debian 6.0 (III)

It is a tremendous effort to condense into 5 short articles the prior knowledge, the installation, the configuration, the creation of the zones and the checks of a BIND server, so that the largest possible number of readers can understand it, which is our fundamental purpose.

Those who have had the patience to read the 1st and 2nd parts of this article carefully are ready to continue with the configuration and setup of a Domain Name Server for a LAN.

For newcomers, and for those who are not very clear about the very summarized concepts given in the preceding parts, we recommend that you read and study them before proceeding. Usual suspects of despair: go back if you did not read carefully!

We will see below:

  • LAN main data
  • Minimum host configurations
  • Modifications to the /etc/resolv.conf file
  • Modifications to the /etc/bind/named.conf file
  • Modifications to the /etc/bind/named.conf.options file
  • Modifications to the /etc/bind/named.conf.local file

LAN main data

  • LAN Domain Name: amigos.cu
  • LAN Subnet: 192.168.10.0/255.255.255.0
  • BIND Server IP: 192.168.10.10
  • Server NetBIOS Name: ns

Although it is obvious, remember to change the previous data for your own.

Minimum host configurations

It is very important to have the files /etc/network/interfaces and /etc/hosts correctly configured to get good DNS performance. If all the data was declared during installation, no modification will be necessary. The contents of each of them must be the following:

# contents of the /etc/network/interfaces file
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
    address 192.168.10.10
    netmask 255.255.255.0
    network 192.168.10.0
    broadcast 192.168.10.255
    gateway 192.168.10.2
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 192.168.10.10
    dns-search amigos.cu

# contents of /etc/hosts
127.0.0.1 localhost
192.168.10.10 ns.amigos.cu ns

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Modifications to the /etc/resolv.conf file

For our queries and checks to work correctly, it is necessary to declare in the local configuration of the host which will be our search domain and which will be our local DNS. Without at least these parameters, any DNS query will fail, and this is a mistake that many beginners make. So let's edit the file /etc/resolv.conf and leave it with the following content:

# contents of /etc/resolv.conf
search amigos.cu
nameserver 192.168.10.10

On the computer where we have installed the DNS server we can write:

search amigos.cu
nameserver 127.0.0.1

In the content above, the statement nameserver 127.0.0.1 indicates that queries will be sent to localhost.

Once our BIND is correctly configured, we can make any DNS query from our host, be it the bind9 server itself or another host connected to the network that belongs to the same subnet and has the same network mask. To learn more about the file, run man resolv.conf.

Modifications to the /etc/bind/named.conf file

To limit queries to our BIND so that it only answers our subnet, and to prevent a spoofing attack, we declare an Access Control List (ACL) in the file named.conf and call it mired. The file named.conf should be as follows:

// /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
//
// The comments in Spanish are ours
// We leave the originals in English
// BEWARE of copying and pasting
// DO NOT LEAVE BLANK SPACES AT THE END OF EACH LINE
//
// Access Control List:
// Will allow queries from the local domain and from our subnet
// In the included file named.conf.options we will refer to it.
acl mired {
        127.0.0.0/8;
        192.168.10.0/24;
};

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
// end of file /etc/bind/named.conf

Let's check the BIND configuration so far and restart the service:

named-checkconf -z
service bind9 restart

Modifications to the /etc/bind/named.conf.options file

In the first section, options, we will declare only the forwarders and who will be allowed to query our BIND. Then we declare the key through which we can control bind9, and finally from which host we can control it. To find out the key, run cat /etc/bind/rndc.key. We copy the output and paste it into the file named.conf.options. In the end, our file should look like this:

// /etc/bind/named.conf.options
options {
        // BEWARE OF COPYING AND PASTING, PLEASE...
        // Default directory to locate our zone files
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        //      0.0.0.0;
        // };

        // The Forwarders. I don't have a better translation
        // The addresses are from servers of ceniai.net.cu
        // If it does NOT have an exit to the Internet, it is NOT necessary
        // to declare them, unless you have a more complex LAN
        // with DNS servers that act as Forwarders outside
        // of your subnet's IP address range. In that case
        // you must declare the IP(s) of those servers.
        // Forwarders queries are cascaded.
        forwarders {
                169.158.128.136;
                169.158.128.88;
        };
        // In a well configured LAN, ALL DNS queries
        // should be made to the local DNS server on that LAN,
        // NOT to servers outside the LAN.
        // Especially when you have Internet access,
        // be it National or International. For that
        // we declare the Forwarders

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };

        // Protect against spoofing
        allow-query { mired; };
};

// Contents of the file /etc/bind/rndc.key
// obtained through cat /etc/bind/rndc.key
// Remember to change it if we regenerate the key
key "rndc-key" {
        algorithm hmac-md5;
        secret "dlOFESXTp2wYLa86vQNU6w==";
};

// From which host we will control and through which key
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
// end file /etc/bind/named.conf.options

Let's check the BIND configuration so far and restart the service:

named-checkconf -z
service bind9 restart

We have decided to include the fundamental aspects as // comments, so that they can serve as a reference for future consultation.

Declaring the forwarders turns our local BIND server into a caching server while it keeps its role as a Primary Master. When we ask for an external host or domain, the answer, if it is positive, is stored in its cache, so that when we ask again for the same host or the same external domain we get a quick response without consulting the external DNS servers again.
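As an added example (not code from the article), a small Python linter that applies two checks to configuration like the one above: every acl name used in allow-query must be defined (here mired), and key and controls must be top-level statements, never inside options, which is the "unknown option 'controls'" error a reader reports in the comments. It assumes named.conf and the included named.conf.options have been concatenated into one string.

```python
# Added example, not the article's own code: a minimal linter for the BIND
# configuration above. It checks that every acl named in allow-query is defined
# and that "key"/"controls" are top-level statements, not nested in "options".
import re

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')   # quoted strings, braces, words
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

def statements(text):
    """Yield (path, words) per statement: path = enclosing keywords,
    words = the statement's own tokens up to its '{' or ';'."""
    text = re.sub(r"(//|#).*", "", text)   # strip // and # comments (ignores quoting)
    stack, words = [], []
    for tok in _TOKEN.findall(text):
        if tok == "{":                     # statement that opens a block
            yield tuple(stack), words
            stack.append(words[0])
            words = []
        elif tok == ";":                   # statement without a block
            if words:
                yield tuple(stack), words
            words = []
        elif tok == "}":                   # assumes balanced braces
            stack.pop()
        else:
            words.append(tok.strip('"'))

def lint(text):
    """Return a list of problems; an empty list means the config passes."""
    stmts = list(statements(text))
    acls = {w[1] for p, w in stmts if not p and w[:1] == ["acl"]} | BUILTIN_ACLS
    problems = []
    for path, words in stmts:
        if words[0] in ("key", "controls") and "options" in path:
            problems.append(f"'{words[0]}' is inside options; move it to top level")
        if path and path[-1] == "allow-query" and words[0] not in acls \
                and not re.fullmatch(r"[\d.]+(/\d+)?", words[0]):
            problems.append(f"allow-query uses undefined acl '{words[0]}'")
    return problems

# Constructed sample modelled on the article's named.conf with the included
# named.conf.options flattened into the same string; the secret is a placeholder.
GOOD = """
acl mired { 127.0.0.0/8; 192.168.10.0/24; };
options { directory "/var/cache/bind"; allow-query { mired; }; };
key "rndc-key" { algorithm hmac-md5; secret "PLACEHOLDER=="; };
controls { inet 127.0.0.1 allow { localhost; } keys { rndc-key; }; };
"""
```

lint(GOOD) returns an empty list; pasting the controls block inside options, or misspelling the acl name in allow-query, yields one message per mistake.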

Modifications to the /etc/bind/named.conf.local file

In this file we declare the local zones of our domain. We must include the forward and reverse zones as a minimum. Remember that in the configuration file /etc/bind/named.conf.options we declared, through the directory directive, in which directory we will host the zone files. In the end, the file should be as follows:

// /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// The names of the files in each zone are to
// the consumer's taste. We chose amigos.cu.hosts
// and 192.168.10.rev because they give us clarity on their
// contents. There is no more mystery
//
// The Names of the Zones ARE NOT ARBITRARY
// and correspond to the name of our domain
// and the LAN subnet

// Primary Master Zone: type "Forward"
zone "amigos.cu" {
        type master;
        file "amigos.cu.hosts";
};

// Primary Master Zone: type "Reverse"
zone "10.168.192.in-addr.arpa" {
        type master;
        file "192.168.10.rev";
};
// End of named.conf.local file

To check the BIND configuration so far:

named-checkconf -z

The previous command will return an error as long as the zone files do not exist. The important thing is that it warns us that the zones declared in named.conf.local will not be loaded, since the DNS record files simply do not exist yet, which is true for now. We can move on.
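An added example, not the article's own code: deriving the reverse zone name from the LAN subnet and checking the master zones declared in named.conf.local against the domain and subnet, since named-checkconf accepts any syntactically valid zone name. The constructed sample shows the common mistake of writing the octets in forward order.

```python
# Added example, not the article's code: derive the reverse zone name that
# named.conf.local must declare for the LAN subnet, and check the declared
# master zones against the domain and subnet. BIND does not warn when the
# in-addr.arpa name does not match the subnet; PTR lookups simply fail.
import ipaddress
import re

def reverse_zone(subnet):
    """Return the in-addr.arpa zone name for a /8, /16 or /24 IPv4 subnet,
    e.g. 192.168.10.0/24 -> 10.168.192.in-addr.arpa."""
    net = ipaddress.ip_network(subnet, strict=True)   # rejects host bits set
    if net.prefixlen not in (8, 16, 24):
        # classless reverse zones (RFC 2317) use a different naming scheme
        raise ValueError(f"{subnet}: prefix must be /8, /16 or /24")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def unexpected_zones(conf, domain, subnet):
    """Return the master zone names declared in conf that are neither the
    forward zone for `domain` nor the reverse zone for `subnet`."""
    conf = re.sub(r"(//|#).*", "", conf)                     # drop comments
    declared = re.findall(r'zone\s+"([^"]+)"\s*\{[^}]*type\s+master', conf)
    expected = {domain, reverse_zone(subnet)}
    return [z for z in declared if z not in expected]

# Constructed named.conf.local with the classic mistake: the reverse zone
# written in forward octet order.
SAMPLE = """
zone "amigos.cu" { type master; file "amigos.cu.hosts"; };
// octets must be reversed: this zone will never answer a PTR query
zone "192.168.10.in-addr.arpa" { type master; file "192.168.10.rev"; };
"""
```

unexpected_zones(SAMPLE, "amigos.cu", "192.168.10.0/24") reports the mis-named reverse zone; with "10.168.192.in-addr.arpa" it returns an empty list.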

Let's restart the service so that the changes are taken into account:

service bind9 restart

As we do not want to make each post very long, we will address the creation of the local zone files in the 4th part. Until then, friends!

  1. st0rmt4il said

    Thanks man!

    Today it is difficult to see posts of this quality on the internet!

    Regards!

    1. fico said

      Thank you very much for your comment... It's a pleasure to read things like that... 😉

  2. dasht0 said

    Excellent article!
    Thanks fico, Elav, KZ, anyway… DesdeLinux for existing

    Collectively, a plugin could be implemented that allows downloading the articles as PDF (HumanOS style)
    regards
    dasht

    1. federico said

      Thank you all for your comments. We learn from ALL of them.
      The download of the articles in PDF does not include the comments of friends and colleagues, which complement the post and are very useful. Giving a guide without comments is practically impossible given the breadth of the subject. UNIX/Linux is far too broad to do without everyone's experiences.

      1. dasht0 said

        Excellent articles!
        It is clear that the comments complement the information in the articles, they even suggest things that may remain or that could be added, but I maintain my idea that it would be ideal if the article could be saved as PDF, at least for me.
        A hug from Cuba and continue to win

  3. elpapineo said

    Running:
    named-checkconf -z
    I get:
    /etc/bind/named.conf.options:30: unknown option 'controls'

    1. elpapineo said

      I answer myself: you have to place the controls section outside the options section.

      I would also like to contribute something: if instead of copying and pasting in the named.conf.options file

      key "rndc-key" {
      algorithm hmac-md5;
      secret "dlOFESXTp2wYLa86vQNU6w==";
      };

      we write:

      include "/etc/bind/rndc.key";

      in the named.conf file, I think it works too.

      Greetings.