How to set up Bind 9 DNS - 1
Domain Name Servers (DNS) are a cornerstone of networking. Usually you run several in each network, just in case. Proxmox clusters can run a name server on each node and keep the hidden primary in HA. BIND 9 is an open source DNS software system that includes an authoritative server, a recursive resolver and related utilities. For more details visit the web site [2].
The software was originally designed at the University of California, Berkeley (UCB) [4] in the early 1980s. The name originates as an acronym of Berkeley Internet Name Domain [2], reflecting the application's use within UCB. The latest version is BIND 9, first released in 2000 and still actively maintained by the Internet Systems Consortium (ISC) [5], with new releases issued several times a year.
Of the 20+ DNS servers Bind 9 has a 70% share and is the de facto standard.
The difference between networking and not working is DNS.
No DNS means no internet.
Home DNS running in Docker
Setting up one DNS server is fine for most home users, and even for a small one-node lab. We will use a Docker container for our setup. Other ways are to set up a small VM or CT running an OS; I like Ubuntu.
- The initial setup starts by downloading the myVMsetup script.
- Read the script and change what is needed for your environment.
- Run it and make your choices by entering [y/n] and by editing the script.
wget https://raw.githubusercontent.com/nallej/MyJourney/main/myVMsetup.sh
This script can install Docker CE, Docker Compose and Portainer if you wish, so you can set up the stack from there.
Planning the network
Make a list of your machines and prepare the structure you want in terms of IP numbering, and possibly other subnets to use for security and visibility reasons.
Document it well! Use NetBox, draw.it, or just a spreadsheet or a text file.
Then edit the files in the ~/docker/dns/config directory:
- Edit db.lab-example-com.zone
- Edit db.192.168.1.zone
- Edit named.conf
As always, watch punctuation and spaces: the syntax is critical.
It is good practice to make a copy of each file before editing.
Now you can start the DNS server from a terminal with the command dcup (alias dcup='docker-compose up -d').
If you set it up as a stack in Portainer, start it from there.
Now you have a Domain Name Server you control. Set up DHCP to use the new DNS.
The file: named.conf
acl internal {
    localhost;
    localnets;
    192.168.1.0/24;
};

options {
    forwarders {
        192.168.1.5;   # Your Pi-hole
        1.1.1.1;
        1.0.0.1;
    };
    recursion yes;
    # Only hosts in the "internal" ACL may query, read the cache or recurse.
    # Each of these options may appear only once; named refuses a config that redefines one.
    allow-query { internal; };
    allow-query-cache { internal; };
    allow-recursion { internal; };
    # DNSSEC validation of the forwarded answers is switched off here (BIND's default is "auto").
    dnssec-validation no;
    listen-on-v6 port 53 { ::1; };
    listen-on port 53 { 127.0.0.1; 192.168.1.3; };   # 192.168.1.3 is ns1
};

zone "lab.example.com" IN {
    type master;
    file "/etc/bind/db.lab-example-com.zone";
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.168.1";
};
The zone file: db.lab-example-com.zone
$TTL 2d
$ORIGIN lab.example.com.
@        IN SOA ns1.lab.example.com. admin.example.com. (
                2022011000 ; serial (YYYYMMDDnn; increase it on every edit, or secondaries will not pick up changes)
                12h        ; refresh
                15m        ; retry
                3w         ; expire
                2h         ; negative caching TTL (the SOA "minimum" field)
                )
@        IN NS  ns1.lab.example.com.
gw       IN A   192.168.1.1
fw       IN A   192.168.1.2
ns1      IN A   192.168.1.3
dhcp     IN A   192.168.1.4
pihole   IN A   192.168.1.5
; -- add the production dns records below
pve1     IN A   192.168.1.41
nas      IN A   192.168.1.42
mgmt-pc  IN A   192.168.1.251
Reverse name resolution file: db.192.168.1
$TTL 2d
@        IN SOA ns1.lab.example.com. admin.example.com. (
                2023011000 ; serial (increase it on every edit)
                12h        ; refresh
                15m        ; retry
                3w         ; expire
                2h         ; negative caching TTL (the SOA "minimum" field)
                )
@        IN NS  ns1.lab.example.com.
; -- add reverse dns records below (owner = last octet, target = the FQDN from the forward zone)
1        IN PTR gw.lab.example.com.
2        IN PTR fw.lab.example.com.
3        IN PTR ns1.lab.example.com.
4        IN PTR dhcp.lab.example.com.
5        IN PTR pihole.lab.example.com.
41       IN PTR pve1.lab.example.com.
42       IN PTR nas.lab.example.com.
251      IN PTR mgmt-pc.lab.example.com.
Here we used Docker because it is easy. But you can follow the guide, modify it and set BIND up directly in the VM, and you can split the configuration into several files.
See chapter 3 of the BIND 9 documentation [1].
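The forward and reverse files must describe the same hosts, and a PTR that disagrees with its A record is exactly the slip a syntax checker does not catch. The following POSIX shell script is an added example, not part of the original guide: it pulls the A and PTR records out of two zone files in the layout used here (one record per line, no TTL column) and lists every host that appears on only one side; the sample zone files inside it are constructed so that two mismatches show up.

```sh
# Cross-check a forward zone file against its reverse zone file: every A record
# needs a PTR for the same name and every PTR needs a matching A record.
# Assumes "name IN A ip" / "n IN PTR fqdn." lines as in this guide (no TTL column).
export LC_ALL=C   # sort and comm must agree on collation
# Sorted "ip fqdn." pairs from the A records of a forward zone file.
# $1 = zone file, $2 = zone name without trailing dot (e.g. lab.example.com)
forward_pairs() {
    awk -v zone="$2" '
        /^[ \t]*;/ { next }                                  # comment line
        $2 == "IN" && $3 == "A" { print $4, ($1 == "@" ? "" : $1 ".") zone "." }
    ' "$1" | sort
}
# Sorted "ip fqdn." pairs from the PTR records of a reverse zone file.
# $1 = zone file, $2 = network prefix (e.g. 192.168.1)
reverse_pairs() {
    awk -v net="$2" '
        /^[ \t]*;/ { next }
        $2 == "IN" && $3 == "PTR" { print net "." $1, $4 }
    ' "$1" | sort
}
# check_zones FWD_FILE ZONE REV_FILE NET_PREFIX
# Prints every record that exists on one side only; succeeds only when both sides agree.
check_zones() {
    f=$(mktemp); r=$(mktemp)
    forward_pairs "$1" "$2" >"$f"
    reverse_pairs "$3" "$4" >"$r"
    comm -23 "$f" "$r" | sed 's/^/A without matching PTR: /'
    comm -13 "$f" "$r" | sed 's/^/PTR without matching A: /'
    n=$(comm -3 "$f" "$r" | wc -l | tr -d ' ')
    rm -f "$f" "$r"
    [ "$n" -eq 0 ]
}
# Constructed sample files (not the guide's own): the PTR for .1 says "gw1"
# while the A record says "gw", and "nas" has no PTR at all.
FWD=$(mktemp); REV=$(mktemp)
cat >"$FWD" <<'EOF'
$TTL 2d
@    IN SOA ns1.lab.example.com. admin.example.com. ( 2022011000 12h 15m 3w 2h )
gw   IN A   192.168.1.1
ns1  IN A   192.168.1.3
nas  IN A   192.168.1.42
EOF
cat >"$REV" <<'EOF'
@    IN SOA ns1.lab.example.com. admin.example.com. ( 2023011000 12h 15m 3w 2h )
1    IN PTR gw1.lab.example.com.
3    IN PTR ns1.lab.example.com.
EOF
check_zones "$FWD" lab.example.com "$REV" 192.168.1 || echo "zone files disagree: fix them before starting named"
```

Against your own files run check_zones db.lab-example-com.zone lab.example.com db.192.168.1 192.168.1 before starting the container; named-checkzone remains the authority on zone syntax.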
Implementation
Check your firewall settings
Check on Proxmox that the firewall is open for TCP and UDP on port 53. Traditionally UDP was used for lookups and TCP for zone transfers, but now both UDP and TCP are used for lookups, so both must be allowed.
Start the DNS
# start bind9 (for a BIND installed directly in the VM rather than in Docker)
sudo systemctl start bind9
sudo systemctl status bind9
Test the DNS is working
# forward and reverse lookup through the resolver configured on this machine
host pve1.lab.example.com
host 192.168.1.41
# forwarding to the outside world works if this resolves
ping www.google.com
# the same lookups asked directly of the new server, ns1 at 192.168.1.3
nslookup dhcp.lab.example.com 192.168.1.3
nslookup 192.168.1.41 192.168.1.3
Adding ICS-DHCP server to the stack
This is just an example, not a guide: ISC has declared this DHCP server end of life [5].
Add this to your DNS compose file to add a DHCP server:
# Your DNS service is above
#
  dhcp:
    image: networkboot/dhcpd
    container_name: dhcpd
    volumes:
      - ./dhcp/data:/data        # dhcpd.conf and the leases file live here on the host
    network_mode: "host"         # the server must see the real LAN interface; it uses port 67/udp
    restart: unless-stopped
# Sample dhcpd.conf (/etc/dhcpd.conf on a host install; in ./dhcp/data for the container above)
# (add your comments here)
ddns-update-style none;
log-facility local7;
default-lease-time 600;
max-lease-time 7200;

subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option domain-name-servers 192.168.1.3, 192.168.1.5;   # ns1 first, then the Pi-hole
    option ntp-servers 192.168.1.1;
    option domain-name "lab.example.com";
    default-lease-time 43200;   # overrides the global values for this subnet
    max-lease-time 86400;
    range 192.168.1.100 192.168.1.199;   # dynamic pool; the reservations below sit outside it
    # Reservations: keep the fixed addresses in step with the A and PTR records in the zone files.
    # The MAC addresses are placeholders; replace them with the real hardware addresses.
    host pve1 {
        hardware ethernet 00:11:22:33:44:01;
        fixed-address 192.168.1.41;
    }
    host pve2 {
        hardware ethernet 00:11:22:33:44:02;
        fixed-address 192.168.1.42;
    }
}
# Next subnet starts here
DHCP Relay Agent
Configure a DHCP relay agent on each layer 3 gateway, pointing at the DHCP server.
Firewall Rules to allow DHCP traffic
Allow UDP traffic from the LAN subnet, source port 68, to the DHCP server, destination port 67
Part 2
Building on part one: Domain Name Servers are also used in corporations. Enterprise networks typically have many subnets in the RFC 1918 [6] ranges, such as the 10. or 172. ranges, divided by function, department, floor of the building and/or division; there are many ways to skin a cat.
References and external links
[1] BIND 9 documentation
[2] BIND 9 home page
[3] Berkeley Internet Name Domain
[4] University of California, Berkeley (UCB): Wikipedia article
[5] Internet Systems Consortium (ISC)
[6] Private IP addresses: Address Allocation for Private Internets, see the IETF document (RFC 1918)
[xx] ISC DHCP
[7] Syncing DNS & DHCP and other advanced topics: see the documentation