
DNS CONFIGURATION IN LINUX UBUNTU 16.04.3 SERVER

  • Writer: Sankalpa H.T.S
  • Jun 19, 2018
  • 7 min read

Updated: Jun 20, 2018



We are going to configure primary and secondary DNS servers, and then browse the Apache web server by name from a client machine.


For the purpose of this article, we will assume the following:

• A primary DNS server “server” (ns1) – 192.168.200.10

• A secondary DNS server “server2” (ns2) – 192.168.200.12

• An Apache web server – 192.168.200.200, reached as www.amaa.com and smallco.amaa.com

• A client machine “san” – 192.168.200.50


By the end of this document, we will have a primary DNS server ns1, and secondary DNS server ns2, which will serve as a backup.


Let’s get started by installing our Primary DNS server, ns1.


Configure Primary DNS server


[screenshot: server ns1]

Update the apt package cache by typing:

[screenshot]

Now install BIND. The named-checkconf and named-checkzone tools used later in this article come from the bind9utils package, so install it alongside bind9:

[screenshot]

IPv4 Mode


Before continuing, let’s set BIND to IPv4 mode, since this walkthrough only uses IPv4 addresses. On both servers, edit the bind9 systemd unit file by typing:

[screenshot]

Add “-4” to the end of the ExecStart line.

[screenshot]

A note on where this edit lives: the unit file shipped by the package (under /lib/systemd/system) is replaced on the next package upgrade, so make the change in an override copy (systemctl edit --full bind9 creates one under /etc/systemd/system) or, equivalently, add -4 to the OPTIONS variable in /etc/default/bind9, which the unit passes to named on start.

Reload the systemd daemon so it reads the changed unit:

[screenshot]

Restart BIND to apply the change:

[screenshot]

Configure Options File


Open the named.conf.options file for editing:

[screenshot]

It will look like this:

[screenshot]

Above the existing options block, create a new ACL block called “trusted”. This is where we define the list of clients that we will allow recursive DNS queries from (the hosts in the same datacenter).


Here we add the primary DNS server, the secondary DNS server and all clients in the 192.168.200.0/24 network. Listing individual client IP addresses would permit recursive queries only from those hosts; listing the network permits them from every host on it. Keep this list to the private network: a BIND server that recurses for arbitrary Internet clients is an open resolver and can be abused for DNS amplification attacks against third parties.


After we have our list of trusted DNS clients, we will edit the options block. Currently, the start of the block looks as shown above.


Below the directory directive, add the configuration lines shown.

[screenshot]

When you are finished, save and close the named.conf.options file. The allow-recursion line restricts who may use this server as a general-purpose resolver to the “trusted” ACL. Note what it does not do: authoritative answers for the zones defined on this server are still returned to any client that can reach the listen-on address, because BIND’s allow-query defaults to any; add an allow-query directive as well if the zone data itself should stay private. Zone transfers are controlled separately by allow-transfer, which should be limited to the secondary server’s address.


Next, we will configure the local file, to specify our DNS zones.


Configure Local File


Open the named.conf.local file for editing:

[screenshot]

Aside from a few comments this file is empty; here we specify our forward and reverse zones.


Add the forward zone with the lines shown. Substitute your own zone name. Here I used amaa.com for my zone name because I’m going to curl my Apache web site, which I created as www.amaa.com and smallco.amaa.com.


Assuming that our private subnet is 192.168.200.0/24, add the reverse zone with the lines shown. The reverse zone name starts with “200.168.192”, which is the octet reversal of “192.168.200”, followed by in-addr.arpa:

[screenshot]

If your servers span multiple private subnets but are in the same datacenter, be sure to specify an additional zone and zone file for each distinct subnet. When you are finished adding all of your desired zones, save and exit the named.conf.local file.


Now that our zones are specified in BIND, we need to create the corresponding forward and reverse zone files.


Create Forward Zone File


The forward zone file is where we define DNS records for forward DNS lookups. That is, when the DNS server receives a name query, it looks in the forward zone file to resolve the host’s corresponding private IP address.


Our named.conf.local configuration says the zone files live in /etc/bind/zones, so create that directory:

[screenshot]

Once it is created, change into it:

[screenshot]

[screenshot]

We will base our forward zone file on the sample db.local zone file, and our reverse zone file on the sample db.127 zone file. Copy them to the new names with the following commands:

[screenshot]

[screenshot]

Now let’s edit our forward zone file:

[screenshot]

First, edit the SOA record. Replace the first “localhost” with ns1’s fully qualified domain name, then replace “root.localhost” with “admin.amaa.com” (the contact address, with the “@” written as a dot). Also, every time you edit a zone file, increment the serial value before you restart named: the secondary only pulls a fresh copy of the zone when it sees a serial higher than the one it already holds. We will increment it to “3” and so on. Here I edited it 8 times, which is why it is “10” in the screenshot.


Now delete the records at the end of the file (after the SOA record: the sample’s localhost NS, A and AAAA entries) and add your name server (NS) records with the following lines (replace the names with your own).


Then add the A records for the hosts that belong in this zone, that is, every server whose name should end with “amaa.com”. We will add A records for ns1, ns2 and smallco.


Add a CNAME record that makes www.amaa.com an alias for smallco.amaa.com. A CNAME defines only that one alias name: it does not define www.smallco.amaa.com, and it does not give the bare amaa.com an address either, which is why those two lookups fail in the client tests later in this article.

[screenshot]

Save and close the db.amaa.com file.


Now let’s move onto the reverse zone file(s).


Create Reverse Zone File(s)


Edit the reverse zone file that corresponds to the reverse zone(s) defined in named.conf.local:

[screenshot]

In the same manner as the forward zone file, edit the SOA record and increment the serial value.


Now delete the records at the end of the file (after the SOA record) and add your name server records with the following lines (replace the names with your own).


Then add PTR records for all your servers whose IP addresses are on the subnet of the zone file that you are editing. Here, this includes all of our hosts because they are all on the 192.168.200.0/24 subnet. Note that the first column consists of the last octet of each server’s private IP address (the last two octets, in reversed order, if the reverse zone covers a /16). Be sure to substitute names and private IP addresses to match your servers.


[screenshot]

Save and close the reverse zone file (repeat this section if you need to add more reverse zone files).
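As an added example (not the post’s own files, which exist only in its screenshots), the script below writes ns1’s named.conf.options, named.conf.local and both zone files for the addresses used in this article into a staging directory and runs BIND’s own checkers against them, so nothing reaches /etc/bind until it validates. The upstream forwarders (8.8.8.8 and 8.8.4.4), the serial value 10 and the relative owner names in the zone files are assumptions; allow-transfer is limited to ns2’s address, which the article does not show but a practitioner would want.

```shell
#!/bin/sh
# Added example for this walkthrough, not the post's own files (those exist
# only as screenshots). Assumed: ns1 192.168.200.10, ns2 192.168.200.12,
# smallco 192.168.200.200, zone amaa.com, serial 10, and forwarders
# 8.8.8.8/8.8.4.4 (an assumption; use your site's resolvers).

write_primary_config() {   # write_primary_config STAGE_DIR
  stage=$1
  mkdir -p "$stage/zones"
  cat > "$stage/named.conf.options" <<'EOF'
acl "trusted" {
        192.168.200.10;    # ns1
        192.168.200.12;    # ns2
        192.168.200.0/24;  # every client on the private network
};

options {
        directory "/var/cache/bind";
        recursion yes;                     # act as a resolver ...
        allow-recursion { trusted; };      # ... only for the trusted ACL
        listen-on { 192.168.200.10; };     # ns1's private address only
        allow-transfer { none; };          # transfers are granted per zone
        forwarders { 8.8.8.8; 8.8.4.4; };  # assumed upstream resolvers
        dnssec-validation auto;
};
EOF
  cat > "$stage/named.conf.local" <<'EOF'
zone "amaa.com" {
        type master;
        file "/etc/bind/zones/db.amaa.com";
        allow-transfer { 192.168.200.12; };  # only ns2 may pull this zone
};

zone "200.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.192.168.200";
        allow-transfer { 192.168.200.12; };
};
EOF
  # Forward zone; owner names without a trailing dot are relative to amaa.com.
  cat > "$stage/zones/db.amaa.com" <<'EOF'
$TTL    604800
@       IN      SOA     ns1.amaa.com. admin.amaa.com. (
                             10         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      ns1.amaa.com.
@       IN      NS      ns2.amaa.com.
ns1     IN      A       192.168.200.10
ns2     IN      A       192.168.200.12
smallco IN      A       192.168.200.200
www     IN      CNAME   smallco.amaa.com.   ; alias for www.amaa.com only
EOF
  # Reverse zone; the owner is the last octet of each address.
  cat > "$stage/zones/db.192.168.200" <<'EOF'
$TTL    604800
@       IN      SOA     ns1.amaa.com. admin.amaa.com. (
                             10         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      ns1.amaa.com.
@       IN      NS      ns2.amaa.com.
10      IN      PTR     ns1.amaa.com.
12      IN      PTR     ns2.amaa.com.
200     IN      PTR     smallco.amaa.com.
EOF
  # One named.conf including both fragments (as Ubuntu's own does), so
  # named-checkconf can parse them together.
  printf 'include "%s/named.conf.options";\ninclude "%s/named.conf.local";\n' \
    "$stage" "$stage" > "$stage/named.conf"
}

# BIND's own checkers on the staged files; non-zero on any error.
# Skips with status 0 when bind9utils is not installed.
check_primary_config() {   # check_primary_config STAGE_DIR
  command -v named-checkconf >/dev/null 2>&1 || { echo "bind9utils missing, skipping"; return 0; }
  named-checkconf "$1/named.conf" &&
    named-checkzone amaa.com "$1/zones/db.amaa.com" &&
    named-checkzone 200.168.192.in-addr.arpa "$1/zones/db.192.168.200"
}

# Increment the SOA serial in place: the step to repeat after every edit.
# Expects the db.local layout, with the serial alone on its "; Serial" line.
bump_serial() {   # bump_serial ZONEFILE
  awk '/; Serial/ { n = $1 + 1; sub(/[0-9]+/, n) } { print }' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

STAGE=$(mktemp -d)
write_primary_config "$STAGE"
check_primary_config "$STAGE" && echo "staged under $STAGE; copy into /etc/bind after review"
```

Copy the staged files into place only after check_primary_config succeeds (it is skipped where bind9utils is missing). BIND notifies every server listed in the zone’s NS records when the serial changes, so no also-notify is needed for ns2. bump_serial implements the rule of incrementing the serial after each edit; the secondary decides whether to transfer by comparing serials, so forgetting this step leaves ns2 serving stale data.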


Check BIND Configuration Syntax


Run the following command to check the syntax of the named.conf* files:

[screenshot]

If your named configuration files have no syntax errors, you will return to the prompt and see no error messages. If there are problems, go back through the configure primary DNS server section and retry.

[screenshot]

The named-checkzone command can be used to check the correctness of your zone files. Its first argument is the zone name and the second is the corresponding zone file, both as defined in named.conf.local. (named-checkconf -z does the same for every zone in the configuration at once, which is convenient once you have several.)

[screenshot]

As shown below, there are no errors in the configuration.

[screenshot]

To check the “200.168.192.in-addr.arpa” reverse zone configuration, run the following command:

[screenshot]

As shown below, there are no errors in the configuration.

[screenshot]


Restart BIND

[screenshot]

Check syslog and the service status (systemctl status bind9, or /etc/init.d/bind9 status) for errors.

[screenshot]

If you have the UFW firewall configured, open up access to BIND by typing:

[screenshot]

If you are configuring the server over SSH, check the UFW status first and confirm the SSH rule is present; if it is not, add it with sudo ufw allow ssh before enabling the firewall. Prefer a DNS rule limited to the 192.168.200.0/24 source network on port 53 over a rule that opens port 53 on every interface.

[screenshot]


Configure Secondary DNS Server


[screenshot: server ns2]

In most environments, it is a good idea to set up a secondary DNS server that will respond to requests if the primary becomes unavailable. The secondary DNS server is much easier to configure.


Edit the named.conf.options file:

[screenshot]

At the top of the file, add the ACL with the private IP addresses of all of your trusted servers.


Below the directory directive, add the lines shown.


This file should look like ns1’s named.conf.options file, except that it must listen on ns2’s own private IP address.

[screenshot]

Now edit the named.conf.local file:

[screenshot]

Define slave zones that correspond to the master zones on the primary DNS server. The type is “slave”, the file name has no path (named writes the transferred copy under its working directory, /var/cache/bind, which is where Ubuntu’s AppArmor profile lets it write; /etc/bind is read-only for it), and there is a masters directive, which should be set to the primary DNS server’s private address. If you defined multiple reverse zones on the primary DNS server, make sure to add them all here. Also make sure the primary’s allow-transfer setting (global or per zone) admits ns2’s address and nothing else; BIND’s default is to allow transfers to anyone.

[screenshot]

Run the following command to check the validity of our configuration files:

[screenshot]

[screenshot]

It will return to the prompt if there are no errors.


Restart BIND

[screenshot]

[screenshot]

While BIND is restarting, watch syslog and confirm that the service restarted without errors; a slave zone that was pulled successfully logs a “Transfer completed” line for the zone.

[screenshot]

Allow DNS connections to the server by altering the UFW firewall rules, again limiting the rule to the private network where possible:

[screenshot]

[screenshot]
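As an added example (not the post’s files), the script below renders ns2’s two configuration files for the addresses in this article and adds a replication check: the SOA serial answered by ns2 is compared with ns1’s, which is how you confirm a transfer actually happened rather than only that named restarted. The forwarders are an assumption, the sample dig answer lines are constructed, and allow-transfer is set to none on ns2 because nothing should be pulling zones from the slave.

```shell
#!/bin/sh
# Added example, not the post's own files. Assumed: ns2 listens on
# 192.168.200.12, the master is 192.168.200.10, the zones are those of ns1,
# and the forwarders are an assumption. The dig answers below are constructed.

write_secondary_config() {   # write_secondary_config STAGE_DIR
  stage=$1
  mkdir -p "$stage"
  cat > "$stage/named.conf.options" <<'EOF'
acl "trusted" {
        192.168.200.10;    # ns1
        192.168.200.12;    # ns2
        192.168.200.0/24;  # clients
};

options {
        directory "/var/cache/bind";
        recursion yes;
        allow-recursion { trusted; };
        listen-on { 192.168.200.12; };     # ns2's own address, not ns1's
        allow-transfer { none; };          # nothing pulls zones from the slave
        forwarders { 8.8.8.8; 8.8.4.4; };  # assumed
        dnssec-validation auto;
};
EOF
  cat > "$stage/named.conf.local" <<'EOF'
zone "amaa.com" {
        type slave;
        file "db.amaa.com";            # no path: stored under /var/cache/bind
        masters { 192.168.200.10; };   # only ns1 is accepted as the source
};

zone "200.168.192.in-addr.arpa" {
        type slave;
        file "db.192.168.200";
        masters { 192.168.200.10; };
};
EOF
  printf 'include "%s/named.conf.options";\ninclude "%s/named.conf.local";\n' \
    "$stage" "$stage" > "$stage/named.conf"
}

check_secondary_config() {   # check_secondary_config STAGE_DIR
  command -v named-checkconf >/dev/null 2>&1 || { echo "bind9utils missing, skipping"; return 0; }
  named-checkconf "$1/named.conf"
}

# soa_serial: read one "dig ... SOA +noall +answer" line on stdin, print the
# serial. Layout: owner ttl class SOA mname rname serial refresh retry expire min
soa_serial() { awk '$4 == "SOA" { print $7; exit }'; }

# zones_in_sync SERIAL_NS1 SERIAL_NS2: status 0 once ns2 has caught up.
zones_in_sync() { [ "$1" = "$2" ]; }

# Constructed answers, as the two servers would return them after ns1's zone
# was edited (serial 10) but before ns2 pulled the change (still serial 9).
NS1_ANSWER='amaa.com.  604800  IN  SOA  ns1.amaa.com. admin.amaa.com. 10 604800 86400 2419200 604800'
NS2_ANSWER='amaa.com.  604800  IN  SOA  ns1.amaa.com. admin.amaa.com. 9 604800 86400 2419200 604800'

STAGE=$(mktemp -d)
write_secondary_config "$STAGE"
check_secondary_config "$STAGE"
s1=$(printf '%s\n' "$NS1_ANSWER" | soa_serial)
s2=$(printf '%s\n' "$NS2_ANSWER" | soa_serial)
zones_in_sync "$s1" "$s2" && echo "ns2 current (serial $s2)" || echo "ns2 lagging: ns1=$s1 ns2=$s2"
# Live version of the check, once both servers are up:
#   dig @192.168.200.10 amaa.com SOA +noall +answer | soa_serial
#   dig @192.168.200.12 amaa.com SOA +noall +answer | soa_serial
```

The slave file names are deliberately relative: named writes the transferred zone under its working directory (/var/cache/bind), where Ubuntu’s AppArmor profile allows writes; a path under /etc/bind would make the transfer fail. If the serials still differ after a restart, check syslog on ns2 for a refused transfer (the primary’s allow-transfer must include 192.168.200.12) and check that ns1’s serial was actually incremented.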

Now we have primary and secondary DNS servers for private network name and IP address resolution. Next we must configure our client servers to use them.


Configure DNS Clients


We must configure each client to use ns1 and ns2 as its name servers.

[screenshot]

On the clients we may need to install the query tools used below (dig and nslookup, from the dnsutils package on Ubuntu):

[screenshot]

On Ubuntu we can edit the resolv.conf file.

[screenshot]

Inside the file, add two nameserver lines for our primary and secondary DNS servers as shown, and a search option pointing to the base domain of our infrastructure. Note that on Ubuntu 16.04 /etc/resolv.conf is generated by resolvconf, so a hand edit is overwritten the next time the interface comes up or resolvconf -u runs; for a persistent setting, put dns-nameservers and dns-search lines in the interface stanza in /etc/network/interfaces instead.

[screenshot]

Test Clients


For example, request a forward DNS query from the primary DNS server for our Apache web server using the dig command:

[screenshot]

[screenshot]

Request a reverse DNS query from the primary DNS server for our Apache web server using dig -x:

[screenshot]

Forward nslookup:

[screenshot]

Reverse nslookup:

[screenshot]

Here we query our Apache server through the CNAME record that we put in the zone file; www.amaa.com resolves to the address of smallco.amaa.com.

[screenshot]

If we use the CNAME name as the parent of another label, as below (www.smallco.amaa.com), the query does not resolve, because a CNAME defines only the single alias name www.amaa.com:

[screenshot]

Browsing apache server

[screenshot: Apache server]

Confirm that our web server is working properly using the curl -G command:

[screenshot]

When we were configuring our Apache web server, we put DNS lines in /etc/network/interfaces so that curl requests by name would resolve.

[screenshot]

We must remove those lines and add the primary and secondary DNS servers and the search option to the resolv.conf file, so that the test exercises our own DNS servers.

[screenshot]

Now confirm that our web server is working properly by using the curl -G command again.


Browsing Apache On Client


Curl smallco.amaa.com

[screenshot]

Curl www.amaa.com

[screenshot]

Curl amaa.com

[screenshot]

You can see it gives us a “could not resolve host” message. That is expected from the zone we wrote: amaa.com itself carries only SOA and NS records, and the CNAME aliases www.amaa.com, not the bare domain. If the bare domain should reach the web server too, add an A record for it at the zone apex (an “@” owner); a CNAME cannot be used there, because a CNAME may not coexist with the apex’s SOA and NS records.
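To make the resolution behaviour seen in the tests above concrete (www.amaa.com answers, www.smallco.amaa.com and the bare amaa.com do not), here is an added example that is not part of the original post: a small shell lookup over a constructed copy of the record lines from db.amaa.com. It follows CNAMEs the way a resolver does, applies a “search amaa.com” rule to unqualified names like the client’s resolv.conf does, and distinguishes a name that exists without an A record (NODATA) from one that does not exist at all (NXDOMAIN). The record lines are assumed to match the zone file described in this article.

```shell
#!/bin/sh
# Added example, not from the original post: a toy lookup over the record
# section of db.amaa.com, to show which names the zone answers and why the
# others fail. Constructed copy of the records described in this walkthrough.
ZONE_ORIGIN=amaa.com
ZONE_RECORDS='@       IN  NS     ns1.amaa.com.
@       IN  NS     ns2.amaa.com.
ns1     IN  A      192.168.200.10
ns2     IN  A      192.168.200.12
smallco IN  A      192.168.200.200
www     IN  CNAME  smallco.amaa.com.'

# Owner or target as written in the zone -> absolute name with trailing dot.
zone_fqdn() {
  case "$1" in
    @)  printf '%s.\n' "$ZONE_ORIGIN" ;;
    *.) printf '%s\n' "$1" ;;
    *)  printf '%s.%s.\n' "$1" "$ZONE_ORIGIN" ;;
  esac
}

# A query name as a client types it: absolute if it has a dot, otherwise the
# "search amaa.com" rule from resolv.conf is applied.
query_fqdn() {
  case "$1" in
    *.)  printf '%s\n' "$1" ;;
    *.*) printf '%s.\n' "$1" ;;
    *)   printf '%s.%s.\n' "$1" "$ZONE_ORIGIN" ;;
  esac
}

# zone_lookup NAME: print the address NAME resolves to, following CNAMEs;
# otherwise print NODATA (name exists, no A record) or NXDOMAIN and return 1.
zone_lookup() {
  name=$(query_fqdn "$1")
  hops=0
  while [ "$hops" -lt 8 ]; do
    target=""; exists=0
    while read -r owner class type rdata; do
      [ -n "$owner" ] || continue
      [ "$(zone_fqdn "$owner")" = "$name" ] || continue
      exists=1
      case "$type" in
        A)     printf '%s\n' "$rdata"; return 0 ;;
        CNAME) target=$(zone_fqdn "$rdata") ;;   # restart lookup at the target
      esac
    done <<EOF
$ZONE_RECORDS
EOF
    if [ -n "$target" ]; then
      name=$target; hops=$((hops + 1)); continue
    fi
    if [ "$exists" -eq 1 ]; then echo NODATA; else echo NXDOMAIN; fi
    return 1
  done
  echo "CNAME chain too long"; return 1
}

# What a client on the 192.168.200.0/24 network sees for each name:
for q in www.amaa.com smallco smallco.amaa.com www.smallco.amaa.com amaa.com; do
  printf '%-24s -> %s\n' "$q" "$(zone_lookup "$q")"
done
```

The NODATA case is the one curl reports as “could not resolve host” for amaa.com: the name exists (it owns the SOA and NS records), but has no address, so the only fix is an A record at the apex. The NXDOMAIN case for www.smallco.amaa.com is the CNAME limitation the article points out: the alias is a single name, not a subtree.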


Now you may refer to your servers’ private network interfaces by name rather than by IP address. This makes configuration of services and applications easier because you no longer have to remember private IP addresses, and configuration files are easier to read and understand. You can also repoint a name at a new server in a single place, your primary DNS server, instead of editing a variety of distributed configuration files, which eases maintenance.

