Primary Master DNS for a LAN on Debian 6.0 (V) and final

Those who followed the 1st, 2nd, 3rd and 4th parts of this article, and whose queries to their BIND returned satisfactory results, are already experts on the subject. :-) And without further ado, let's get into the last part:

  • Creation of the “Inverse” type Main Master Zone file 10.168.192.in-addr.arpa
  • Problem solving
  • Summary

Creation of the “Inverse” type Main Master Zone file 10.168.192.in-addr.arpa

The name of the zone gives it away, right? Reverse Zones are mandatory for correct name resolution according to Internet standards, so we have no choice but to create the one corresponding to our domain. For this we use the file /etc/bind/db.127 as a template:

cp /etc/bind/db.127 /var/cache/bind/192.168.10.rev

We edit the file /var/cache/bind/192.168.10.rev and we leave it like this:

; /var/cache/bind/192.168.10.rev
;
; BIND reverse data file for master zone 10.168.192.in-addr.arpa
; BIND data file for the Master Zone (Reverse) 10.168.192.in-addr.arpa
;
$TTL    604800
@       IN      SOA     ns.amigos.cu. root.amigos.cu. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.amigos.cu.
10      IN      PTR     ns.amigos.cu.
1       IN      PTR     gandalf.amigos.cu.
9       IN      PTR     mail.amigos.cu.
20      IN      PTR     web.amigos.cu.
100     IN      PTR     fedex.amigos.cu.
; the full reverse name can also be written instead of the last octet, e.g.:
; 1.10.168.192.in-addr.arpa.   IN      PTR     gandalf.amigos.cu.

  • Observe how in this case we have left the times in seconds, as bind9 creates them by default. It works the same. They are the same times as those indicated in the file amigos.cu.hosts. When in doubt, check.
  • Also note that we only declare the reverse records of the hosts that have an assigned or "real" IP on our LAN, one that uniquely identifies each of them.
  • Remember to keep the Reverse Zone file updated with ALL the correct IP addresses declared in the Direct Zone.
  • Remember to increase the Zone Serial Number every time you modify the file and before restarting BIND.

Let's check the newly created zone:

named-checkzone 10.168.192.in-addr.arpa /var/cache/bind/192.168.10.rev
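named-checkzone validates the syntax of one zone, but it cannot tell you that an A record in the direct zone has no PTR in the reverse zone (or that a PTR points at a host that no longer exists), which is exactly the drift the notes above warn about. The script below is an added example, not code from the original article: it extracts the A records of a forward zone and the PTR records of a /24 reverse zone with awk and reports every pair that does not match. The zone contents are constructed for the demonstration (the extra host nas and the stray PTR for ghost are deliberate mismatches); the domain amigos.cu and the prefix 192.168.10 are the article's.

```shell
#!/bin/sh
# Added example (not from the original article): check that every A record in
# the direct zone is mirrored by a PTR in the reverse zone and vice versa.
# Only awk, sed and sort are needed, so it runs before named-checkzone is even
# installed.

# Constructed forward zone; "nas" has no PTR on the reverse side.
FWD_ZONE='$TTL 604800
@       IN SOA ns.amigos.cu. root.amigos.cu. ( 2 604800 86400 2419200 604800 )
@       IN NS  ns.amigos.cu.
ns      IN A   192.168.10.10
gandalf IN A   192.168.10.1
mail    IN A   192.168.10.9
web     IN A   192.168.10.20
fedex   IN A   192.168.10.100
nas     IN A   192.168.10.50'

# Constructed reverse zone; ".77 -> ghost" has no A record on the forward side.
REV_ZONE='$TTL 604800
@   IN SOA ns.amigos.cu. root.amigos.cu. ( 2 604800 86400 2419200 604800 )
@   IN NS  ns.amigos.cu.
10  IN PTR ns.amigos.cu.
1   IN PTR gandalf.amigos.cu.
9   IN PTR mail.amigos.cu.
20  IN PTR web.amigos.cu.
100 IN PTR fedex.amigos.cu.
77  IN PTR ghost.amigos.cu.'

# forward_pairs DOMAIN  (zone text on stdin): prints "fqdn ip" per A record.
# Relative owner names are qualified with DOMAIN; "@" is the zone apex.
forward_pairs() {
    awk -v dom="$1" '
        $0 ~ /^[[:space:]]*;/ || NF < 4 { next }
        $(NF-1) == "A" && $(NF-2) == "IN" {
            name = $1
            if (name == "@") name = dom "."
            else if (name !~ /\.$/) name = name "." dom "."
            print name, $NF
        }'
}

# reverse_pairs PREFIX  (zone text on stdin): prints "fqdn ip" per PTR record,
# rebuilding the address from the last octet and the /24 prefix. A fully
# written owner such as 1.10.168.192.in-addr.arpa. is reduced to its octet.
reverse_pairs() {
    awk -v prefix="$1" '
        $0 ~ /^[[:space:]]*;/ || NF < 4 { next }
        $(NF-1) == "PTR" && $(NF-2) == "IN" {
            label = $1
            if (label ~ /in-addr\.arpa\.$/) sub(/\..*/, "", label)
            print $NF, prefix "." label
        }'
}

# check_zones DOMAIN PREFIX FWD_TEXT REV_TEXT: prints one line per
# inconsistency; exit status 0 when the zones agree, 1 otherwise.
check_zones() {
    {
        printf '%s\n' "$3" | forward_pairs "$1" | sed 's/^/A /'
        printf '%s\n' "$4" | reverse_pairs "$2" | sed 's/^/PTR /'
    } | awk '
        $1 == "A"   { a[$2 " " $3] = 1 }
        $1 == "PTR" { p[$2 " " $3] = 1 }
        END {
            bad = 0
            for (k in a) if (!(k in p)) { print "missing PTR for " k; bad = 1 }
            for (k in p) if (!(k in a)) { print "PTR without A record: " k; bad = 1 }
            exit bad
        }'
}

# Run the comparison on the constructed samples.
if check_zones amigos.cu 192.168.10 "$FWD_ZONE" "$REV_ZONE"; then
    echo "zones agree"
else
    echo "zones disagree (see lines above)"
fi
```

On a real server, feed the script the contents of /var/cache/bind/amigos.cu.hosts and /var/cache/bind/192.168.10.rev (for example with `check_zones amigos.cu 192.168.10 "$(cat amigos.cu.hosts)" "$(cat 192.168.10.rev)"`) after named-checkzone has passed; a non-zero exit status is a reminder to fix the records and bump the serial before running rndc reload.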

We check the configuration:

named-checkconf -z
named-checkconf -p

If everything went OK, we restart the service:

service bind9 restart

From now on, every time we modify the zone files, we just have to execute:

rndc reload

That is why we declared the rndc key in /etc/bind/named.conf.options, remember?

Problem solving

The correct content of the file /etc/resolv.conf, which we saw in the previous chapter, is very important. Remember to indicate at least the following in it:

search amigos.cu
nameserver 192.168.10.20

We use the commands from the dnsutils package. On a console, type the commands preceded by #:

# dig -x 127.0.0.1
.....
;; ANSWER SECTION:
1.0.0.127.in-addr.arpa. 604800 IN PTR localhost.
....

# dig -x 192.168.10.9
....
;; ANSWER SECTION:
9.10.168.192.in-addr.arpa. 604800 IN PTR mail.amigos.cu.
....

# host gandalf
gandalf.amigos.cu has address 192.168.10.1

# host gandalf.amigos.cu
gandalf.amigos.cu has address 192.168.10.1

# dig gandalf
; <<>> DiG 9.7.2-P3 <<>> gandalf
;; global options: +cmd
;; connection timed out; no servers could be reached

# dig gandalf.amigos.cu
....
;; ANSWER SECTION:
gandalf.amigos.cu. 604800 IN A 192.168.10.1
....

If you have access to the Cuban or Global Internet, and the Forwarders are correctly declared, try:

# dig debian.org
....
;; QUESTION SECTION:
;debian.org. IN A
;; ANSWER SECTION:
debian.org. 3600 IN A 86.59.118.148
debian.org. 3600 IN A 128.31.0.51
....

# host bohemia.cu
bohemia.cu has address 190.6.81.130

# host yahoo.es
yahoo.es has address 77.238.178.122
yahoo.es has address 87.248.120.148
yahoo.es mail is handled by 10 mx-eu.mail.am0.yahoodns.net.

# dig -x 77.238.178.122
;; ANSWER SECTION:
122.178.238.77.in-addr.arpa. 429 IN PTR w2.rc.vip.ird.yahoo.com.

… and in general with other domains outside our LAN. Query away and find out interesting things about the Internet.

One of the best ways to check how a bind9 server is behaving, and in general any other installed service, is to read the system log as it is written, with the command tail -f /var/log/syslog run as the root user.

It is very interesting to watch the output of that command when we ask our local BIND about an external domain or host. Several scenarios can arise:

  • If we don't have access to the Internet, our query will fail.
  • If we have access to the Internet but have NOT declared Forwarders, we will most likely not get a response.
  • If we have access to the Internet and we have declared the Forwarders, we will obtain an answer since they will be in charge of consulting the DNS servers that are necessary.
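Reading tail -f /var/log/syslog by eye is fine for a handful of queries, but to tell the three scenarios apart quickly it helps to count which upstream servers named is failing to reach. The script below is an added example, not part of the original article: it extracts the "error (...) resolving '...': server#53" lines that named writes to syslog, separates failures against the forwarders you declared from failures against any other server (root or authoritative servers contacted directly), and prints a verdict that maps onto the scenarios above. The log lines, the host name ns and the forwarder address 10.0.0.53 are constructed samples in BIND 9's syslog format; the zone names are the article's.

```shell
#!/bin/sh
# Added example (not from the original article): triage BIND resolution
# failures from syslog so "no Internet", "no forwarders declared" and
# "forwarders declared but unreachable" can be told apart.

# Constructed sample of what named writes to /var/log/syslog. The "client ...
# query:" line only appears when query logging is on (rndc querylog).
SAMPLE_SYSLOG=$(cat <<'EOF'
Mar  3 10:15:01 ns named[2231]: zone amigos.cu/IN: loaded serial 2
Mar  3 10:15:01 ns named[2231]: zone 10.168.192.in-addr.arpa/IN: loaded serial 2
Mar  3 10:15:02 ns named[2231]: running
Mar  3 10:16:40 ns named[2231]: error (network unreachable) resolving 'debian.org/A/IN': 2001:500:2f::f#53
Mar  3 10:16:40 ns named[2231]: error (network unreachable) resolving 'debian.org/A/IN': 192.5.5.241#53
Mar  3 10:16:41 ns named[2231]: error (network unreachable) resolving './NS/IN': 198.41.0.4#53
Mar  3 10:17:05 ns named[2231]: error (connection refused) resolving 'bohemia.cu/A/IN': 10.0.0.53#53
Mar  3 10:17:30 ns named[2231]: client 192.168.10.1#41532: query: gandalf.amigos.cu IN A + (192.168.10.10)
Mar  3 10:18:00 ns named[2231]: unexpected RCODE (SERVFAIL) resolving 'yahoo.es/A/IN': 10.0.0.53#53
EOF
)

# resolution_errors (syslog text on stdin): prints "server|reason|query" for
# every line in which named reports a failed lookup against an upstream server.
resolution_errors() {
    sed -n "s/.* named\[[0-9]*\]: \(.*\) resolving '\([^']*\)': \([^#]*\)#[0-9]*\$/\3|\1|\2/p"
}

# triage_syslog "FWD1 FWD2 ..." LOGTEXT: counts failures against the declared
# forwarders versus any other server, tallies the reasons, and prints a verdict.
triage_syslog() {
    printf '%s\n' "$2" | resolution_errors | awk -F'|' -v fwd="$1" '
        BEGIN { n = split(fwd, f, " "); for (i = 1; i <= n; i++) isfwd[f[i]] = 1 }
        { if ($1 in isfwd) fw++; else direct++; reason[$2]++ }
        END {
            printf "forwarder_failures=%d\n", fw
            printf "direct_failures=%d\n", direct
            for (r in reason) printf "reason[%s]=%d\n", r, reason[r]
            if (fw == 0 && direct == 0)
                v = "no resolution errors"
            else if (n == 0)
                v = "no forwarders declared: named is asking root/authoritative servers itself"
            else if (fw > 0)
                v = "declared forwarders are failing: check connectivity to them"
            else
                v = "failures bypass the forwarders: check forward only / forwarders in named.conf.options"
            printf "verdict=%s\n", v
        }'
}

# Run the triage on the constructed sample with 10.0.0.53 as the forwarder.
triage_syslog "10.0.0.53" "$SAMPLE_SYSLOG"
```

On a live server you would call it with the forwarders from named.conf.options and the real log, for instance `triage_syslog "10.0.0.53" "$(grep named /var/log/syslog | tail -n 500)"`; a growing "direct_failures" count with no forwarders declared is the second scenario above, while failures that all hit the declared forwarders point at the link to them rather than at BIND.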

If we are working on a closed LAN from which it is impossible to reach the outside in any way, and we have no Forwarders of any kind, we can get rid of the Root Server lookup messages by "emptying" the file /etc/bind/db.root. To do this, we first save the file under another name and then delete all its content. Then we check the configuration and restart the service:

cp /etc/bind/db.root /etc/bind/db.root.original
cp /dev/null /etc/bind/db.root
named-checkconf -z
named-checkconf -p
service bind9 restart

Summary

That's it, folks: a brief introduction to the DNS service. What we have done so far can serve our small business perfectly well. It also serves at home if we create virtual machines with different operating systems and different IP addresses, and we do not want to refer to them by IP but by name. I always install a BIND on my home host to install, configure and test services that depend heavily on DNS. I make extensive use of virtual desktops and servers, and I don't like maintaining an /etc/hosts file on each of the machines. I make too many mistakes that way.

If you've never installed and configured a BIND, please don't be discouraged if something goes wrong on the first try and you have to start all over again. We always recommend in these cases to start with a clean installation. It's worth a try!

For those who need high availability in the name resolution service, which can be achieved by configuring a Secondary Master server, we recommend that you continue with us on the next adventure: Secondary Master DNS for a LAN.

Congratulations to those who followed all the articles and got the expected results!


  1.   st0rmt4il said

    At last! .. the final post :D!

    Thanks for sharing my friend!

    Regards!

  2.   Rafael Hernandez said

    Very interesting, your articles. I have an authoritative DNS set up on a FreeBSD for a .edu.mx domain; so far it has worked perfectly for me, but in the last month I detected several attacks towards the server. What would be the defense methods for an exposed DNS? And I don't know if it can be done: have the master exposed to the Internet and a secondary one that serves a small LAN of about 60 computers, both DNS interconnected, or be able to define two zones, one internal and one external. Thanks in advance, master.

  3.   PICCORUS said

    The squeeze bind9 package has a problem working with Samba; version 9.8.4 is already available in the squeeze backports branch, the wheezy version does not have this problem, and for lenny venenux.net backports the package.

    Very good article.

    This is the only article that explains everything well...

    It should be noted that the ACL for spoofing does not work, since it will be injected from the internal network in the same way; the solution would be to deny the redirects for the clients and create a complex ACL that prevents reassignment of names (something similar to static DNS).

    SPECIAL TIP:

    It would be good to have an extra config on how to make the dns filter content instead of the firewall

    1.    Federico Antonio Valdes Toujague said

      Thanks for commenting @PICCORO!!!
      I declare at the beginning of all my articles that I do not consider myself a specialist. Much less on the DNS issue. Here we all learn. I will take into account your recommendations when installing a DNS facing the Internet and not for a normal and simple LAN.

  4.   Frank davila said

    EXCELLENT TUTORIAL !!! It was a great help to me since I just started in this server turn, everything worked OK. Thank you and keep posting such great tutorials !!!

  5.   Jesus Fenández Toledo said

    Fico, once again I congratulate you on this great material.

    I am not an expert in BIND9, forgive me if I am wrong in this comment, but I think you have not defined the zone for reverse lookups in the named.conf.local file.

    1.    elav said

      It's a shame that Fico can't answer you right now.

      1.    Federico Antonio Valdes Toujague said

        Greetings and Thanks, Elav, and here I am responding. As always, I recommend that you read slowly ... 🙂

    2.    Federico Antonio Valdes Toujague said

      In the post: https://blog.desdelinux.net/dns-maestro-primario-para-una-lan-en-debian-6-0-iii/

      I write the following:
      Modifications to the /etc/bind/named.conf.local file

      In this file we declare the local zones of our domain. We must include the Forward and Reverse Zones as a minimum. Remember that in the configuration file /etc/bind/named.conf.options we declare in which directory we will host the Zones files using the directory directive. In the end, the file should be as follows:

      // /etc/bind/named.conf.local
      //
      // Do any local configuration here
      //
      // Consider adding the 1918 zones here, if they are not used in your
      // organization
      // include "/etc/bind/zones.rfc1918";
      //
      // The names of the files of each zone are up to you.
      // We chose amigos.cu.hosts and 192.168.10.rev because they
      // make their contents clear. There is no more mystery 😉
      //
      // The Names of the Zones ARE NOT ARBITRARY:
      // they correspond to the name of our domain
      // and to the LAN subnet
      //
      // Master Main Zone: «Direct» type
      zone "amigos.cu" {
          type master;
          file "amigos.cu.hosts";
      };
      // Master Main Zone: «Inverse» type
      zone "10.168.192.in-addr.arpa" {
          type master;
          file "192.168.10.rev";
      };
      // End of named.conf.local file

  6.   Fabian Valery said

    Good, your posts about DNS are very interesting; they have helped me get started on the subject, thank you. I clarify that I am a newbie in this regard. But reading your published information I have observed that it works with fixed addresses for the hosts of an internal network. My question is: how would you do it with an internal network with dynamic IP addresses, assigned by a DHCP server, to create the files of the main master zone of type "direct" and "reverse"?

    I will appreciate the light that you can give on the matter raised. Thank you. Fv

    1.    Federico A. Valdes Toujague said

      Thanks for commenting, @fabian. You can consult the following articles, which I hope will help you implement a network with dynamic addresses:

      https://blog.desdelinux.net/servicio-de-directorio-con-ldap-2-ntp-y-dnsmasq/
      https://blog.desdelinux.net/servicio-de-directorio-con-ldap-3-isc-dhcp-server-y-bind9/

      regards