Howto setup Bind 9 DNS - 2
Building on the part one: Domain Name Servers are used in corporations. Enterprise networks typically have many subnets in the rfc-1918 range like 10. or 172. range, divided by function, department, floor of building and/or division - there is many ways to skin a cat. #DNS
Building on the part one we will now discuss on a theoretical level how Domain Name Servers are used in corporations. Enterprise networks typically have many subnets in the rfc-1918 range like 10. or 172. range, divided by function, department, floor of building and/or division - there is many ways to skin a cat.
Creation of new users is usually automated and DHCP and DNS syncing.
Reference also my first part on DNS. My post on Bind 9 DNS
Enterprise DNS
All below is just examples and just the basics. Through enterprise DNS setups can be extensive. We can start with 2 - 3 Bind 9 servers. One will be a hidden primary and then 2 or more secondary servers. The primary manages the zone (DNS zone) and corresponding in-addr.arpa (Reverse DNS lookup) zone for the network. All modifications and changes are performed on this server and clients cannot query this server directly.
This DNS server replicates then the zones to the two secondary DNS servers by a DNS zone transfer.
The other DNS servers can be queried by any client according to the ACL.
Note: DNS queries work over UDP port 53,
DNS zone transfers work over TCP port 53.
Transfer on UDP from port 68 to port 67
My Home Network uses 3 Bind9 and 2 PiHole blockers and Unbound
Back to Part 1
The Planning
It is key to plan the networks in detail before starting to set up the servers and the networks. Remember to allow for expansion - the lab will grow! First if you don't have a domain buy one, its only a few $/€ per month. We use a subdomain of it for our internal LAN's.
If you do not have a Domain use a "Fake Domain" like lab.example.lan.
- Subnet's and Network Ranges:
- LAN 192.0.2.0/24 (using one subnet)
- Infra network (DHCP, DNS, Logs, Monitoring, Switches ... )
- Servers
- Cluster
- Replication
- IoT
- Guest
- VPN and their Tunnels
- Management - Numbering strategy (using one subnet)
- Default Gateway (.1 or 254),
- Main level 3 Switch (.10 or .252),
- Level 2 switches ( .11 - .19)
- Network Printers (.20 - .29 or .247),
- SAN/NAS File Server (.40 or .251),
- Wireless Access Point (.50-59 or .253),
- Linux VM's A (.100 - .199),
- Linux VM's B (.200 - .249),
- Proxmox Servers (.41 - .49)
- Management PC (.251 - 252 or .247)
- DHCP and DNS servers (.2 - .10 0r .80 - .89) - Firewall ports and rules
- DHCP Range:
- 192.168.1.100 to 192.168.1.199 (Note: always leave a few extra static IPs)
- Fixed IP needed for servers and other devices
- Default and max lease times
- logging and security notifications - Default Gateway IP: 192.0.2.254
- ISP and other External DNS Servers: 1.2.3.4, 1.2.3.5, 1.1.1.1, 1.0.0.1, 8.8.8.8, 8.0.0.8, 9.9.9.9
- Internal DNS name: lab.example.com (a subdomain is safe to use)
Documentation on NetBox, Draw.it or spreadsheat is NEEDED
The software to install
We will need 2-3 small VM's and some software on them. We use Ubuntu 22.4 server for the VM's (or hw if you like, Rasberry Pi or a NUC)
You need to have control of your network (i.e. DHCP, DNS, switches, etc), and know how your network is currently laid out. We will pretend we are on a single 192.168.1.0/24
subnet, with a default gateway of 192.168.1.254
.
On The Master i.e. Primary
sudo apt-get update && sudo apt-get dist-upgrade -y && sudo apt install isc-dhcp-server bind9 bind9utils
On the Slaves i.e. Secondary
sudo apt-get update && sudo apt-get dist-upgrade -y && sudo apt install bind9 bind9utils
Generate secure key for automation
We need key's for the DNS and DHCP to talk to each other securely.
rndc-confgen
You need to copy the top part into /etc/bind/rndc.conf
. This file needs to be present in the config of both the DHCP and the DNS server.
And create the /etc/rndc.key file and place just the key part into it.
Now change the file permissions so only root and bind can read it, and create a link for DHCP. And remember to include this line to /etc/named.conf (include "/etc/rndc.key"; ) chmode 640 own root:bind/root:root add include"/etc/rndc.key to DHCP and Bind and add the key to the slaves later
chmod 660 /etc/bind/rndc.conf
chown root:bind /etc/bind/rndc.conf
cd /etc/dhcp
ln -s /etc/bind/rndc.conf
The DHCP configuration
The master of IP's in our network. It is good practices to use DHCP over fixed numbering for all systems. You assign fixed IPs for servers and such in the DHCP and make DHCP redundant please. Decide what TTL is best for your site.
We know from our planning document what our IP range is, so we’ll copy that range while the current DHCP server is running (i.e. from your SOHO router). Then before starting the configuration, take a copy of the config file as installed. We’ll then have a safe place of return in dhcp.conf.bak if anything goes sideways.
Remember that after every statement, you need a semicolon ( ; ) !
Use lower case characters only
sudo cp /etc/dhcp/dhcpd.conf /etc/dhcp.conf.bak &&
sudo nano /etc/dhcp/dhcpd.conf
Example file:
authoritative;
default-lease-time 14400;
max-lease-time 18000;
log-facility local7;
#ddns-domainname "lab.example.com.";
#ddns-rev-domainname "in-addr.arpa.";
#ddns-update-style interim;
ignore client-updates;
update-static-leases on;
use-host-decl-names on;
option domain-name "lab.example.com.";
#option ns1.lab.example.com, ns2.lab.example.com, ns3.lab.example.com
include "/etc/dhcp/rndc.key";
update-optimization off;
update-conflict-detection off;
include /etc/dhcp/rndc.conf;
zone lab.example.com. {
primary 192.168.1.2;
key rndc-key;
}
zone 168.192.in-addr.arpa. {
primary 192.168.1.2;
key rndc-key;
}
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.1.100 192.168.1.199;
option subnet-mask 255.255.255.0;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.2;
host gateway {
hardware ethernet 00:11:22:33:44:55;
fixed-address 192.168.1.254;
}
host wireless {
hardware ethernet 22:33:44:55:66:77;
fixed-address 192.168.1.253;
}
.....
host dhcpdns {
hardware ethernet aa:bb:cc:dd:ee:ff;
fixed-address 192.168.1.2;
}
}
Check your configuration
A bad DHCPd configuration will prevent the service from starting.
Check it anytime by running dhcpd -t
. As long as you don’t see any warnings, then the syntax check has passed, and the service can start.
We do not start it yet - keep it turned off for now.
Primary server configuration
The BIND 9 config files are split up into many different, smaller files. We can keep it like this so that package upgrades do not wipe out our configurations. Make copies of the files before configuring them! We’ll then have safe places of return in named.conf.bak, named.conf.options, named.conf.local and the zones .bak files, if anything goes sideways. Keep the TCP port 953 open internally but closed for external users, on the slaves it can be closed. Its secured by the rndc.key.
The .zone files
A zone file can contain 3 types of entries:
- Comments: start with a semicolon (;)
- Directives: start with a dollar sign ($)
- Resource Records: aka DNS records
A zone file typically consists of the following types of DNS records.
- The SOA (Start of Authority) record: defines the key characteristics of a zone. It’s the first DNS record in the zone file and is mandatory.
- NS (Name Server) record: specifies which servers are used to store DNS records and answer DNS queries for a domain name. There must be at least two NS record in a zone file.
- MX (Mail Exchanger) record: specifies which hosts are responsible for email delivery for a domain name.
- A (Address) record: Converts DNS names into IPv4 addresses.
- AAAA (Quad A) record: Converts DNS names into IPv6 addresses.
- CNAME record (Canonical Name): It’s used to create alias for a DNS name.
- TXT record: SPF, DKIM, DMARC, etc.
The file: named.conf
If this is a standalone DNS server then allow-query { internal; } and no allow-transfer or also-notify. But is used as master then allow-query { none; } and allow-transfer and also-notify.
acl internal {
localhost;
localnets;
10.10.10.0/24;
192.168.1.0/24;
};
options {
forwarders {
192.168.1.2; # Your Pi-hole
1.1.1.1;
1.0.0.1;
};
recursion yes;
allow-query { internal; };
allow-query-cache { internal; };
allow-recursion { internal; };
allow-transfer { 192.168.1.4; 192.168.33.5; };
also-notify { 192.168.1.4; 192.168.1.5; };
dnssec-validation no;
listen-on-v6 port 53 { ::1; };
listen-on port 53 { 127.0.0.1; 192.168.1.3; };
};
zone "lab.example.com" IN {
type master;
file "/etc/bind/db.lab-excample-com.zone";
};
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192.168.1";
};
zone "10.10.10.in-addr.arpa" {
type master;
file "/etc/bind/db.10.10.10";
};
Secondary 192.168.1.4 named.conf
acl internal {
localhost;
localnets;
10.10.10.0/24;
192.168.1.0/24;
};
options {
forwarders {
192.168.1.1;
1.1.1.1;
1.0.0.1;
};
recursion yes;
allow-query { internal; };
allow-query-cache { internal; };
allow-recursion { internal; };
allow-transfer { none; }; # Never transfer zone files
dnssec-validation no;
listen-on-v6 port 53 { ::1; };
listen-on port 53 { 127.0.0.1; 192.168.1.4; };
zone "lab.example.com" IN {
type secondary;
file "/etc/bind/db.lab-excample-com.zone";
master { 192.168.1.3; }
};
zone "1.168.192.in-addr.arpa" {
type secondary;
file "/etc/bind/db.192.168.1";
master { 192.168.1.3; }
};
zone "10.10.10.in-addr.arpa" {
type secondary;
file "/etc/bind/db.10.10.10";
master { 192.168.1.3; }
};
The file: db.lab-example-com.zone
- The
$TTL
directive defines the default Time to Live value for the zone, which is the time a DNS record can be cached on a DNS resolver. This directive is mandatory. The time is specified in seconds. - The
$ORIGIN
directive defines the base domain. - Domain names must end with a dot (.), which is the root domain. When a domain name ends with a dot, it is a fully qualified domain name (FQDN).
- The @ symbol references to the base domain.
IN
is the DNS class. It stands for Internet. Other DNS classes exist but are rarely used.
db.lab-example-com.zone
;
;BIND9 data file for lab.example.com
;
$TTL 2d
$ORIGIN lab.example.com.
@ IN SOA ns1.lab.example.com. admin.example.com. (
2022011000 ; serial
12h ; refresh
15m ; retry
3w ; expire
2h ; minimum ttl
)
; Name servers
IN NS ns1.lab.example.com.
IN NS ns2.lab.example.com.
IN NS ns3.lab.example.com.
; Mailservers for this domain 10 has higher priority than 20
IN MX 10 mail.example.com.
IN MX 20 mx2.archexample.com.
; A records
gw IN A 192.168.1.1
fw IN A 192.168.1.2
ns1 IN A 192.168.1.3
ns2 IN A 192.168.1.4
ns3 IN A 192.168.1.5
dhcp1 IN A 192.168.1.6
dhcp2 IN A 192.168.1.7
dhcp3 IN A 192.168.1.8
ntp IN A 192.168.1.9
; -- Switches, AP's
SW-1 IN A 192.168.20
; -- production servers
pve1 IN A 192.168.1.41
pve2 IN A 192.168.1.42
pve3 IN A 192.168.1.43
; -- test servers not in production
srv1-nas IN A 10.10.20.50
srv2-ubuntu IN A 10.10.20.54
*.srv2-ubuntu IN A 10.10.20.54
srv55 IN A 10.10.20.55
; AAAA records if using ipv6
; CNAME records aliases ftp (ftp server) to an external domain
ftp IN CNAME ftp.example.net.
; TXT records ( SPF, DKIM, DMARC ... )
A zone file can contain 3 types of entries:
- Comments: start with a semicolon (;)
- Directives: start with a dollar sign ($)
- Resource Records: aka DNS records
A zone file typically consists of the following types of DNS records.
- The SOA (Start of Authority) record: defines the key characteristics of a zone. It’s the first DNS record in the zone file and is mandatory.
- NS (Name Server) record: specifies which servers are used to store DNS records and answer DNS queries for a domain name. There must be at least two NS record in a zone file.
- MX (Mail Exchanger) record: specifies which hosts are responsible for email delivery for a domain name.
- A (Address) record: Converts DNS names into IPv4 addresses.
- AAAA (Quad A) record: Converts DNS names into IPv6 addresses.
- CNAME record (Canonical Name): It’s used to create alias for a DNS name.
- TXT record: SPF, DKIM, DMARC, etc.
The file: db.192.168.1 (use as base for all subnets)
$TTL 2d
@ IN SOA ns1.lab.example.com. admin.example.com (
2022122800 ; serial
12h ; refresh
15m ; retry
3w ; expire
2h ; minimum ttl
)
IN NS ns1.lab.example.com.
; -- add reverse dns records below
1 IN PTR gw1.lab.example.com.
2 IN PTR ns1.lab.example.com.
3 IN PTR ns2.lab.example.com.
4 IN PTR ns3.lab.example.com.
5 IN PTR dhcp1.lab.example.com.
6 IN PTR pfSense.lab.example.com.
41 IN PTR pve1.lab.example.com.
42 IN PTR pve2.lab.example.com.
43 IN PTR pve3.lab.example.com.
44 IN PTR pve4.lab.example.com.
45 IN PTR pve5.lab.example.com.
46 IN PTR pve6.lab.example.com.
49 IN PTR pbs.lab.example.com.
; -- lab servers for testing ar in the db.10.10.10 file
Setup the hidden primary (master)
The hidden primary (master) DNS NS1 is managing two zones.
Disabling DNS lookups in the file /etc/bind/named.conf.local on both zones by allow-query none. No direct client query to this DNS server.
Enabling zone-transfer by allow-transfer IP1; IP2, the IP of NS2 and NS3.
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/master/db.192.168.1"; # On per network
allow-query { none; }; # Never answer any DNS queries
allow-transfer { 192.168.1.4; 192.168.1.5; }; # Transfer to DNS1 and DNS2
};
zone "local.domain" {
type master;
file "/etc/bind/master/db.local.domain";
allow-query { none; }; # Never answer any DNS queries
allow-transfer { 192.168.1.4; 192.168.1.5; }; # Transfer to DNS1 and DNS2
};
In addition, I’m allowing in the file /etc/bind/named.conf.options the zone-transfer to DNS #1 and DNS #2 and disable any forwarders.
allow-transfer { 192.168.1.4; 192.168.1.5; }; # Transfer to NS1and NS2
notify yes; # Notify of changed zones
forwarders { # Don't use any forwarder
};
Setup on NS2 and NS3
Setup of NS2 and NS3 for clients use the file /etc/bind/named.conf.local the IP address of the hidden primary DNS as master and with allow-query any allowing the DNS queries from clients.
With the option allow-transfer none we disable zone-transfers from these DNS servers.
zone "1.168.192.in-addr.arpa" {
type slave;
masters { 192.168.1.3; }; # IP of hidden primary
file "/var/cache/bind/slave/db.192.168.1";
allow-query { any; }; # Allow DNS queries
allow-transfer { none; }; # Never transfer zone files
};
zone "local.hacks" {
type slave;
masters { none.none.none.none; }; # IP of hidden primary
file "/var/cache/bind/slave/db.local.domain";
allow-query { any; }; # Allow DNS queries
allow-transfer { none; }; # Never transfer zone files
};
In the file /etc/bind/named.conf.options I’m allowing queries from my local network and localhost. Zone-transfers are disabled here as well. As forwarders, I’m setting up here the IP address of the main Pi-hole server.
allow-query { 192.168.1.0/16; 127.0.0.0/24; }; # Allow DNS queries from LAN
allow-transfer { none; }; # Never transfer zone files
forwarders {
192.168.1.80; # IP of main Pi-hole
};
Check your firewall settings
Check on Proxmox that the firewall is open for TCP and UDP 0n port 53. Traditionally UDP was used for lookups and TCP for zone transfers, but now both UDP and TCP get used for lookups.
Start the DNS
start bind9
sudo systemctl start bind9
sudo systemctl status bind9
Test the DNS is working
host pve1.examole.com
host 192.168.1.41
ping www.google.com
nslookup dhcp1.example.com 192.168.1.4
nslookup 192.168.1.41 192.168.1.4
Next part in this Series on DNS and DHCP
In the next part we will take a look on the newer Kea DHCP Server and Stork dashboard
References
Bind9 documentation [1] Bind9 home page [2] Berkeley Internet Name Domain [3] University of California, Berkeley (UCB) [4] Internet Systems Consortium (ISC) [5] Private IP adresses [6] ICS DHCP xx Cyncing DNS and DHCP [7]
A alternative [8]
The documentation can be found on the web page also read this page ↩︎
University of California, Berkeley wiki article ↩︎
Address Allocation for Private Internets. See the IETF document ↩︎
Syncing DNS & DHCP and other advanced topics. See the documentation ↩︎