Installing a Caching NameServer using BIND 9 from Source

Chris Bassey
Jul 20, 2021

In this writeup, we are going to look at using BIND to set up a caching nameserver. If you have always wanted to have control over your name resolution, read on.

First, we will go over some concepts:

What is DNS?

DNS, short for Domain Name System, is a naming system for network-connected devices (both intranet and internet) that resolves domain names to IP addresses, which eliminates the need to memorize IP addresses. This makes services far easier for humans to locate, since most people can remember google.com much more easily than 192.168.10.20. There are multiple implementations for interacting with DNS, for example BIND, NSD and tinyDNS.

What is a Caching Nameserver?

A caching-only DNS server does not control any zone data; it obtains all DNS information from other DNS servers, so it must have at least one root DNS server or forwarder listed, and it stores the answers to the queries it makes in its cache for subsequent use. Its primary advantage, and the reason it is still useful, is that it speeds up DNS requests by eliminating zone transfer traffic from remote hosts performing a name lookup against the caching DNS server.

You can also have an authoritative nameserver that doubles as a caching nameserver.

What is BIND?

BIND is a suite of software for interacting with the Domain Name System. It is designed to act both as an authoritative name server for DNS zones and as a recursive resolver in the network.

Required Infrastructure

  • A hypervisor — I used VirtualBox.
  • BIND 9 source downloaded from http://www.isc.org/. Check that you download the latest version, since earlier versions contain known security vulnerabilities.
  • A Linux-based server for BIND installation and configuration. I used Ubuntu 20.04.

NB: The server will be installed on the hypervisor. If you have a physical server, you can use that instead and disregard the need for the hypervisor.

This is a generic guide you can follow to install Ubuntu on VirtualBox: https://turbofuture.com/computers/How-to-Install-Ubuntu-on-VirtualBox

Installation of BIND

To proceed with the installation of BIND we have to unpack it then compile it since we are installing from the source.

1. Unpack the BIND tarball

tar -Jxvf bind-9.16.6.tar.xz

Where:

J — Specifies that this is an xz tarball

x — Unpack all

v — Verbose, log all unpacked files

f — Read the archive from the named file

2. Verify that there are no previous versions of BIND already installed as this might cause a conflict during operation.

named -v

3. Verify that OpenSSL is installed, as OpenSSL is needed for the cryptography BIND uses and for operating BIND as a DNSSEC server.

openssl version

4. Verify GCC is installed. This is the C compiler which will be used to build the BIND source files written in C.

gcc --version

5. Install libxml2-dev. BIND uses it to track usage statistics and produce its statistics reports as XML.

sudo apt-get install libxml2-dev

6. Verify that a Python interpreter and the modules it depends on are installed. Python is needed if BIND is intended to run DNSSEC, since some of the BIND tools are written in Python.

python3 --version

7. Install libcap-dev, which is needed to configure Linux capabilities for the BIND daemon.

sudo apt-get install libcap-dev

8. Build and install libuv, which provides the asynchronous I/O processing BIND needs in order to run multi-threaded. Download and unpack the libuv source, then run the following from its directory:

sh autogen.sh
./configure
make
make check
sudo make install

Where:

make — builds the configured sources into the library and executables

make check — runs the test suite to confirm that what was built is okay to install.

9. Enter the BIND source directory and run the command below to configure BIND for a build using OpenSSL (for DNSSEC) and libxml2 (for XML-based statistics) with our preferred file paths:

./configure --with-openssl --prefix=/usr/local/ --with-libxml2 \
--localstatedir=/var --sysconfdir=/usr/local/etc/bind

Where:

--prefix — the installation prefix prepended to any BIND directory that is not set explicitly

--localstatedir — the file path where BIND's state information is written

--sysconfdir — the file path where BIND looks for its configuration file.

10. Proceed to build the configured sources as an executable target and install.

make
sudo make install

11. Verify the successful installation of BIND by checking its version

named -V

Configure the Caching Nameserver

To proceed with configuring your caching named server, you need to ensure that it is configured with an IP address allowed to receive requests from devices in the network. If you are running a virtual machine you have to enable a bridged adapter to make your VM receive an IP address directly from your DHCP server in the network.

Additionally, port 53 TCP and UDP should be open as this is the DNS port. (TCP 53 is used when the packet size is too large to send in a single UDP packet e.g when DNSSEC is involved.)

You can use the commands below to open port 53 in Ubuntu.

sudo ufw allow 53/tcp
sudo ufw allow 53/udp

1. Using the locate command you can find a sample named configuration file in your unpacked source.

locate named.conf

2. Proceed to download the updated root hint servers file from ftp://ftp.rs.internic.net/domain/named.root . This file will be used in our zone file configuration to help retrieve a more recent list of root servers.

wget ftp://ftp.rs.internic.net/domain/named.root

3. Copy the downloaded root file to /usr/local/etc/bind

cp named.root /usr/local/etc/bind

4. Create the named.local zone file to resolve the loopback address for localhost. The fields used in a zone file are:

$TTL — The default time to live for all records in this zone

SOA — The Start of Authority record for this zone

NS — The nameserver for this zone

A — The IPv4 address record for this zone entry

AAAA — The IPv6 address record for this zone entry

Refresh — How long in seconds a nameserver should wait prior to checking for a Serial Number increase within the primary zone file

Negative cache TTL — How long in seconds that a nameserver or resolver should cache a negative response.

Retry — How long in seconds a nameserver should wait prior to retrying to update a zone after a failed attempt.

Expire — How long in seconds a nameserver should wait prior to considering data from a secondary zone invalid and stop answering queries for that zone.

Serial — The serial number of this record, it is recommended that this is increased on each change of the record.
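The zone file itself is not reproduced above, so here is an added example of a named.local that matches the field descriptions and the zone "0.0.127.in-addr.arpa" statement used in the named.conf later in this guide. This is my example, not the file from the original post; the serial and the timer values are constructed sample values. Because this is a reverse zone, the record that actually resolves 127.0.0.1 to localhost is a PTR record; the A and AAAA types described above belong in a forward zone for the name localhost, which this guide's named.conf does not declare.

```zone
; named.local: reverse zone for the loopback network (added example, not the
; original post's file). The origin, 0.0.127.in-addr.arpa, is taken from the
; zone statement in named.conf, so "@" below expands to that name.
$TTL 86400                  ; default TTL (seconds) for records without their own
@   IN  SOA localhost. root.localhost. (
            2021072001      ; Serial: YYYYMMDDnn, increase on every edit
            28800           ; Refresh: re-check the serial every 8 hours
            7200            ; Retry: wait 2 hours before retrying a failed refresh
            2419200         ; Expire: drop the zone after 4 weeks without contact
            86400 )         ; Negative cache TTL: cache "no such name" for 1 day
    IN  NS  localhost.      ; the nameserver for this zone
1   IN  PTR localhost.      ; 1.0.0.127.in-addr.arpa -> 127.0.0.1 is localhost
```

Save it as /usr/local/etc/bind/named.local, the directory the named.conf "directory" option points at, since the zone statement references the file by its relative name. Validating it with named-checkzone 0.0.127.in-addr.arpa /usr/local/etc/bind/named.local should report the loaded serial followed by OK.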

5. Confirm that the zone file loads cleanly by running named-checkzone with the zone name that named.conf will use for it (0.0.127.in-addr.arpa) and the path to the zone file

named-checkzone 0.0.127.in-addr.arpa /usr/local/etc/bind/named.local

6. Using the sample named.conf file located previously, we proceed to set up our named configuration file to add the root and local zones.

// clients allowed to query this server: the LAN and the server itself
acl testnet { 192.168.10.0/24; localhost; };

options {
    directory "/usr/local/etc/bind";
    allow-query { testnet; };
    recursion yes;
    dnssec-validation auto;
    tcp-clients 1024;
    forwarders { 8.8.8.8; 8.8.4.4; };
    forward only;
};

zone "." IN {
    type hint;
    file "named.root";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
};

Where:

acl — Configures an access control list of IP addresses to be allowed

options — Assigns values to different options, including the use of forwarders, the location of the named working directory, the names of the various files, the status of recursion, etc.

zone — Specifies a particular zone for which this nameserver is authoritative and points to the location of its zone file. Options assigned in a zone section override those made in the options section.

7. Validate the syntax of the configuration files by running the named syntax checker command

sudo named-checkconf

8. We can now start the nameserver by starting its daemon

sudo named -g -d2

Where:

-d level — Sets the daemon's debug level to level. Debugging traces from named become more verbose as the debug level increases.

-g — Run the server in the foreground and force all logging to stderr.

Alternatively, you can run the nameserver silently by running named:

sudo named

9. We can now proceed to test our caching nameserver by making DNS requests from another device on the network.

dig @dns-server-ip google.com

The resolution should complete successfully showing that the DNS server is actively working as a forwarding server.

Chris Bassey

Cyber security engineer. Infrastructure, software and secured systems enthusiast. I know how to write code.