Howto setup Bind 9 DNS - 2

Building on the part one: Domain Name Servers are used in corporations. Enterprise networks typically have many subnets in the rfc-1918 range like 10. or 172. range, divided by function, department, floor of building and/or division - there is many ways to skin a cat. #DNS

Howto setup Bind 9 DNS - 2
Photo by Christina @ wocintechchat.com / Unsplash

Building on the part one we will now discuss on a theoretical level how Domain Name Servers are used in corporations. Enterprise networks typically have many subnets in the rfc-1918 range like 10. or 172. range, divided by function, department, floor of building and/or division - there is many ways to skin a cat.

Creation of new users is usually automated and DHCP and DNS syncing.

Reference also my first part on DNS. My post on Bind 9 DNS

Enterprise DNS

All below is just examples and just the basics. Through enterprise DNS setups can be extensive. We can start with 2 - 3 Bind 9 servers. One will be a hidden primary and then 2 or more secondary servers. The primary manages the zone (DNS zone) and corresponding in-addr.arpa (Reverse DNS lookup) zone for the network. All modifications and changes are performed on this server and clients cannot query this server directly.
This DNS server replicates then the zones to the two secondary DNS servers by a DNS zone transfer.
The other DNS servers can be queried by any client according to the ACL.

Note: DNS queries work over UDP port 53,
DNS zone transfers work over TCP port 53.
Transfer on UDP from port 68 to port 67

My Home Network uses 3 Bind9 and 2 PiHole blockers and Unbound

Back to Part 1

The Planning

It is key to plan the networks in detail before starting to set up the servers and the networks. Remember to allow for expansion - the lab will grow! First if you don't have a domain buy one, its only a few $/€ per month. We use a subdomain of it for our internal LAN's.
If you do not have a Domain use a "Fake Domain" like lab.example.lan.

💡
Document every thing - now !
  • Subnet's and Network Ranges:
    - LAN 192.0.2.0/24 (using one subnet)
    - Infra network (DHCP, DNS, Logs, Monitoring, Switches ... )
    - Servers
    - Cluster
    - Replication
    - IoT
    - Guest
    - VPN and their Tunnels
    - Management
  • Numbering strategy (using one subnet)
    - Default Gateway (.1 or 254),
    - Main level 3 Switch (.10 or .252),
    - Level 2 switches ( .11 - .19)
    - Network Printers (.20 - .29 or .247),
    - SAN/NAS File Server (.40 or .251),
    - Wireless Access Point (.50-59 or .253),
    - Linux VM's A (.100 - .199),
    - Linux VM's B (.200 - .249),
    - Proxmox Servers (.41 - .49)
    - Management PC (.251 - 252 or .247)
    - DHCP and DNS servers (.2 - .10 0r .80 - .89)
  • Firewall ports and rules
  • DHCP Range:
    - 192.168.1.100 to 192.168.1.199 (Note: always leave a few extra static IPs)
    - Fixed IP needed for servers and other devices
    - Default and max lease times
    - logging and security notifications
  • Default Gateway IP: 192.0.2.254
  • ISP and other External DNS Servers: 1.2.3.4, 1.2.3.5, 1.1.1.1, 1.0.0.1, 8.8.8.8, 8.0.0.8, 9.9.9.9
  • Internal DNS name: lab.example.com (a subdomain is safe to use)
Documentation on NetBox, Draw.it or spreadsheat is NEEDED

The software to install

We will need 2-3 small VM's and some software on them. We use Ubuntu 22.4 server for the VM's (or hw if you like, Rasberry Pi or a NUC)

You need to have control of your network (i.e. DHCP, DNS, switches, etc), and know how your network is currently laid out. We will pretend we are on a single 192.168.1.0/24 subnet, with a default gateway of 192.168.1.254.

On The Master i.e. Primary

sudo apt-get update && sudo apt-get dist-upgrade -y && sudo apt install isc-dhcp-server bind9 bind9utils

On the Slaves i.e. Secondary

sudo apt-get update && sudo apt-get dist-upgrade -y && sudo apt install bind9 bind9utils

Generate secure key for automation

We need key's for the DNS and DHCP to talk to each other securely.

rndc-confgen

You need to copy the top part into /etc/bind/rndc.conf. This file needs to be present in the config of both the DHCP and the DNS server.

And create the /etc/rndc.key file and place just the key part into it.

Now change the file permissions so only root and bind can read it, and create a link for DHCP. And remember to include this line to /etc/named.conf (include "/etc/rndc.key"; ) chmode 640 own root:bind/root:root add include"/etc/rndc.key to DHCP and Bind and add the key to the slaves later

chmod 660 /etc/bind/rndc.conf
chown root:bind /etc/bind/rndc.conf
cd /etc/dhcp
ln -s /etc/bind/rndc.conf


The DHCP configuration

The master of IP's in our network. It is good practices to use DHCP over fixed numbering for all systems. You assign fixed IPs for servers and such in the DHCP and make DHCP redundant please. Decide what TTL is best for your site.

We know from our planning document what our IP range is, so we’ll copy that range while the current DHCP server is running (i.e. from your SOHO router). Then before starting the configuration, take a copy of the config file as installed. We’ll then have a safe place of return in dhcp.conf.bak if anything goes sideways.

Remember that after every statement, you need a semicolon ( ; ) !
Use lower case characters only
sudo cp /etc/dhcp/dhcpd.conf /etc/dhcp.conf.bak &&
sudo nano /etc/dhcp/dhcpd.conf

Example file:

authoritative;
default-lease-time    14400;
max-lease-time        18000;
log-facility          local7;

#ddns-domainname "lab.example.com.";
#ddns-rev-domainname "in-addr.arpa.";
#ddns-update-style interim;
ignore client-updates;
update-static-leases on;
use-host-decl-names on;
option domain-name "lab.example.com.";
#option ns1.lab.example.com, ns2.lab.example.com, ns3.lab.example.com
include "/etc/dhcp/rndc.key";
update-optimization off;
update-conflict-detection off;
include /etc/dhcp/rndc.conf;
zone lab.example.com. {
        primary 192.168.1.2;
        key rndc-key;
}
zone 168.192.in-addr.arpa. {
        primary 192.168.1.2;
        key rndc-key;
}


subnet 192.168.0.0 netmask 255.255.255.0 {
  range                      192.168.1.100 192.168.1.199;
  option subnet-mask         255.255.255.0;
  option routers             192.168.1.254;
  option domain-name-servers 192.168.1.2;

  host gateway {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 192.168.1.254;
  }
  host wireless {
    hardware ethernet 22:33:44:55:66:77;
    fixed-address 192.168.1.253;
  }
.....
  host dhcpdns {
    hardware ethernet aa:bb:cc:dd:ee:ff;
    fixed-address 192.168.1.2;
  }
}

Check your configuration

A bad DHCPd configuration will prevent the service from starting.
Check it anytime by running dhcpd -t. As long as you don’t see any warnings, then the syntax check has passed, and the service can start.
We do not start it yet - keep it turned off for now.

Primary server configuration

The BIND 9 config files are split up into many different, smaller files. We can keep it like this so that package upgrades do not wipe out our configurations. Make copies of the files before configuring them! We’ll then have safe places of return in named.conf.bak, named.conf.options, named.conf.local and the zones .bak files, if anything goes sideways. Keep the TCP port 953 open internally but closed for external users, on the slaves it can be closed. Its secured by the rndc.key.

The .zone files

A zone file can contain 3 types of entries:

  • Comments: start with a semicolon (;)
  • Directives: start with a dollar sign ($)
  • Resource Records: aka DNS records

A zone file typically consists of the following types of DNS records.

  • The SOA (Start of Authority) record: defines the key characteristics of a zone. It’s the first DNS record in the zone file and is mandatory.
  • NS (Name Server) record: specifies which servers are used to store DNS records and answer DNS queries for a domain name. There must be at least two NS record in a zone file.
  • MX (Mail Exchanger) record: specifies which hosts are responsible for email delivery for a domain name.
  • A (Address) record: Converts DNS names into IPv4 addresses.
  • AAAA (Quad A) record: Converts DNS names into IPv6 addresses.
  • CNAME record (Canonical Name): It’s used to create alias for a DNS name.
  • TXT record: SPF, DKIM, DMARC, etc.

The file: named.conf

If this is a standalone DNS server then allow-query { internal; } and no allow-transfer or also-notify. But is used as master then allow-query { none; } and allow-transfer and also-notify.

acl internal {
    localhost;
    localnets;
    10.10.10.0/24;
    192.168.1.0/24;
};

options {
    forwarders {
        192.168.1.2;                                       # Your Pi-hole
        1.1.1.1;
        1.0.0.1;
    };
   	recursion yes;
    allow-query { internal; };
    allow-query-cache { internal; };
    allow-recursion { internal; };
    allow-transfer { 192.168.1.4; 192.168.33.5; };
    also-notify { 192.168.1.4; 192.168.1.5; };
    
    dnssec-validation no;

	listen-on-v6 port 53 { ::1; };
	listen-on port 53 { 127.0.0.1; 192.168.1.3; };

};

zone "lab.example.com" IN {
    type master;
    file "/etc/bind/db.lab-excample-com.zone";
};

zone "1.168.192.in-addr.arpa" {
	type master;
	file "/etc/bind/db.192.168.1";
};

zone "10.10.10.in-addr.arpa" {
	type master;
	file "/etc/bind/db.10.10.10";
};

Secondary 192.168.1.4 named.conf

acl internal {
    localhost;
    localnets;
    10.10.10.0/24;
    192.168.1.0/24;
};

options {
    forwarders {
        192.168.1.1;
        1.1.1.1;
        1.0.0.1;
    };
   	recursion yes;
    allow-query { internal; };
    allow-query-cache { internal; };
    allow-recursion { internal; };
    allow-transfer { none; };                   # Never transfer zone files
    
    dnssec-validation no;

	listen-on-v6 port 53 { ::1; };
	listen-on port 53 { 127.0.0.1; 192.168.1.4; };

zone "lab.example.com" IN {
    type secondary;
    file "/etc/bind/db.lab-excample-com.zone";
    master { 192.168.1.3; }
};

zone "1.168.192.in-addr.arpa" {
	type secondary;
	file "/etc/bind/db.192.168.1";
    master { 192.168.1.3; }
};

zone "10.10.10.in-addr.arpa" {
	type secondary;
	file "/etc/bind/db.10.10.10";
    master { 192.168.1.3; }
};

The file: db.lab-example-com.zone

  • The $TTL directive defines the default Time to Live value for the zone, which is the time a DNS record can be cached on a DNS resolver. This directive is mandatory. The time is specified in seconds.
  • The $ORIGIN directive defines the base domain.
  • Domain names must end with a dot (.), which is the root domain. When a domain name ends with a dot, it is a fully qualified domain name (FQDN).
  • The @ symbol references to the base domain.
  • IN is the DNS class. It stands for Internet. Other DNS classes exist but are rarely used.

db.lab-example-com.zone

;
;BIND9 data file for lab.example.com  
;
$TTL 2d
$ORIGIN lab.example.com.

@               IN      SOA     ns1.lab.example.com. admin.example.com. (
                                2022011000      ; serial
                                12h             ; refresh
                                15m             ; retry
                                3w              ; expire
                                2h              ; minimum ttl
                                )
; Name servers
                IN      NS      ns1.lab.example.com.
                IN      NS      ns2.lab.example.com.
                IN      NS      ns3.lab.example.com.                
; Mailservers for this domain 10 has higher priority than 20
                IN      MX  10  mail.example.com.
                IN      MX  20  mx2.archexample.com.
                
; A records
gw              IN      A       192.168.1.1
fw              IN      A       192.168.1.2
ns1             IN      A       192.168.1.3
ns2             IN      A       192.168.1.4
ns3             IN      A       192.168.1.5
dhcp1           IN      A       192.168.1.6
dhcp2           IN      A       192.168.1.7
dhcp3           IN      A       192.168.1.8
ntp             IN      A       192.168.1.9

; -- Switches, AP's 
SW-1            IN      A       192.168.20  

; -- production servers
pve1            IN      A       192.168.1.41
pve2            IN      A       192.168.1.42
pve3            IN      A       192.168.1.43

; -- test servers not in production
srv1-nas        IN      A       10.10.20.50
srv2-ubuntu     IN      A       10.10.20.54
*.srv2-ubuntu   IN      A       10.10.20.54
srv55           IN      A       10.10.20.55

; AAAA records if using ipv6

; CNAME records aliases ftp (ftp server) to an external domain
ftp             IN      CNAME   ftp.example.net.

; TXT records ( SPF, DKIM, DMARC ... )

A zone file can contain 3 types of entries:

  • Comments: start with a semicolon (;)
  • Directives: start with a dollar sign ($)
  • Resource Records: aka DNS records

A zone file typically consists of the following types of DNS records.

  • The SOA (Start of Authority) record: defines the key characteristics of a zone. It’s the first DNS record in the zone file and is mandatory.
  • NS (Name Server) record: specifies which servers are used to store DNS records and answer DNS queries for a domain name. There must be at least two NS record in a zone file.
  • MX (Mail Exchanger) record: specifies which hosts are responsible for email delivery for a domain name.
  • A (Address) record: Converts DNS names into IPv4 addresses.
  • AAAA (Quad A) record: Converts DNS names into IPv6 addresses.
  • CNAME record (Canonical Name): It’s used to create alias for a DNS name.
  • TXT record: SPF, DKIM, DMARC, etc.

The file: db.192.168.1 (use as base for all subnets)

$TTL 2d

@               IN      SOA     ns1.lab.example.com. admin.example.com (
                                2022122800      ; serial
                                12h             ; refresh
                                15m             ; retry
                                3w              ; expire
                                2h              ; minimum ttl
                                )

                IN      NS      ns1.lab.example.com.

; -- add reverse dns records below

1               IN      PTR     gw1.lab.example.com.
2               IN      PTR     ns1.lab.example.com.
3               IN      PTR     ns2.lab.example.com.
4               IN      PTR     ns3.lab.example.com.
5               IN      PTR     dhcp1.lab.example.com.
6               IN      PTR     pfSense.lab.example.com.
41              IN      PTR     pve1.lab.example.com.
42              IN      PTR     pve2.lab.example.com.
43              IN      PTR     pve3.lab.example.com.
44              IN      PTR     pve4.lab.example.com.
45              IN      PTR     pve5.lab.example.com.
46              IN      PTR     pve6.lab.example.com.
49              IN      PTR     pbs.lab.example.com.


; -- lab servers for testing ar in the db.10.10.10 file 

Setup the hidden primary (master)

The hidden primary (master) DNS NS1 is managing two zones.
Disabling DNS lookups in the file /etc/bind/named.conf.local on both zones by allow-query none. No direct client query to this DNS server.
Enabling zone-transfer by allow-transfer IP1; IP2, the IP of NS2 and NS3.

zone "1.168.192.in-addr.arpa" {
  type master;
  file "/etc/bind/master/db.192.168.1";                 # On per network 
  allow-query { none; };                                # Never answer any DNS queries
  allow-transfer { 192.168.1.4; 192.168.1.5; }; # Transfer to DNS1 and DNS2
};
zone "local.domain" {
  type master;
  file "/etc/bind/master/db.local.domain";
  allow-query { none; };                                # Never answer any DNS queries
  allow-transfer { 192.168.1.4; 192.168.1.5; }; # Transfer to DNS1 and DNS2
};

In addition, I’m allowing in the file /etc/bind/named.conf.options the zone-transfer to DNS #1 and DNS #2 and disable any forwarders.

allow-transfer { 192.168.1.4; 192.168.1.5; };   # Transfer to NS1and NS2
notify yes;                                     # Notify of changed zones
forwarders {                                    # Don't use any forwarder
};

Setup on NS2 and NS3

Setup of NS2 and NS3 for clients use the file /etc/bind/named.conf.local the IP address of the hidden primary DNS as master and with allow-query any allowing the DNS queries from clients.
With the option allow-transfer none we disable zone-transfers from these DNS servers.

zone "1.168.192.in-addr.arpa" {
  type slave;
  masters { 192.168.1.3; };                      # IP of hidden primary 
  file "/var/cache/bind/slave/db.192.168.1";
  allow-query { any; };                          # Allow DNS queries
  allow-transfer { none; };                      # Never transfer zone files
};
zone "local.hacks" {
  type slave;
  masters { none.none.none.none; };              # IP of hidden primary 
  file "/var/cache/bind/slave/db.local.domain";
  allow-query { any; };                          # Allow DNS queries
  allow-transfer { none; };                      # Never transfer zone files
};

In the file /etc/bind/named.conf.options I’m allowing queries from my local network and localhost. Zone-transfers are disabled here as well. As forwarders, I’m setting up here the IP address of the main Pi-hole server.

allow-query { 192.168.1.0/16; 127.0.0.0/24; }; # Allow DNS queries from LAN
allow-transfer { none; };                      # Never transfer zone files
forwarders {
    192.168.1.80;                              # IP of main Pi-hole
};

Check your firewall settings

Check on Proxmox that the firewall is open for TCP and UDP 0n port 53. Traditionally UDP was used for lookups and TCP for zone transfers, but now both UDP and TCP get used for lookups.

Start the DNS

start bind9
sudo systemctl start bind9
sudo systemctl status bind9

Test the DNS is working

host pve1.examole.com
host 192.168.1.41
ping www.google.com
nslookup dhcp1.example.com 192.168.1.4
nslookup 192.168.1.41 192.168.1.4

Next part in this Series on DNS and DHCP

In the next part we will take a look on the newer Kea DHCP Server and Stork dashboard

References


Bind9 documentation [1] Bind9 home page [2] Berkeley Internet Name Domain [3] University of California, Berkeley (UCB) [4] Internet Systems Consortium (ISC) [5] Private IP adresses [6] ICS DHCP xx Cyncing DNS and DHCP [7]
A alternative [8]


  1. The documentation can be found on the web page also read this page ↩︎

  2. Bind9 official home page ↩︎

  3. Berkeley Internet Name Domain. web page ↩︎

  4. University of California, Berkeley wiki article ↩︎

  5. Internet Systems Consortium home page ↩︎

  6. Address Allocation for Private Internets. See the IETF document ↩︎

  7. Syncing DNS & DHCP and other advanced topics. See the documentation ↩︎

  8. See A redundant DNS - Pi-stack blog post ↩︎