Creating an internal DNS server

Published on December 30, 2012 by in Articles

Internal DNS

The purpose of this article is to describe how to build an internal DNS server. In our first article we discussed how to implement a penetration testing lab; we now have a small physical/virtual network topology which we intend to expand for further analysis and for various testing methodologies. We need a local DNS server so we can resolve addresses internally on the network, so that we no longer need to remember the IP address of each system. We will also forward every unknown external request to OpenDNS, so that names such as google.com or any other external name are resolved as well.

Installation

Install required packages

yum install bind bind-chroot caching-nameserver bind-utils

Auto boot at startup

/sbin/chkconfig --level 2345 named on

Zone configuration

First we need to create a zone, which is a configuration file where we specify a list of hostnames mapped to IP addresses. Since it will be a chrooted environment, the zone files will be stored under “/var/named/chroot/var/named”. We will also add an optional directory called “zones” to keep all zone files in the same place, so the full path will be “/var/named/chroot/var/named/zones”. The first configuration file will be called “internal.tld.ns” with the following content:


$TTL 3h
@	IN	SOA	ns.internal.tld. root.internal.tld. (
		777          ; Serial number (increase it on every change)
		3h           ; Refresh after 3 hours
		1h           ; Retry after 1 hour
		3w           ; Expire after 3 weeks
		1h )         ; Negative caching TTL of 1 hour

@	IN	NS	ns.internal.tld.

;DNS server
ns		IN	A	192.168.123.2

;Morpheus Cluster Nodes
echelon		IN	A	192.168.123.102
phoenix		IN	A	192.168.123.104
nexus		IN	A	192.168.123.103

;Virtual Hosts
bt		IN	A	192.168.123.108
infinity	IN	A	192.168.123.3
opsec		IN	A	192.168.123.4

;Personal computer
me		IN	A	192.168.123.123
hercules	IN	A	192.168.123.2


We must also create a corresponding reverse zone for “internal.tld.ns” under “/var/named/chroot/var/named/zones”. This one is basically a reverse map of “internal.tld.ns”: each last octet of the 192.168.123.0/24 network points back to the host name. The file will be called “192.168.123.reverse” with the following content:


[root@hercules zones]# cat 192.168.123.reverse 
$TTL    3h
@	IN	SOA	ns.internal.tld. admin.internal.tld. (
		777          ; Serial number (increase it on every change)
		3h           ; Refresh after 3 hours
		1h           ; Retry after 1 hour
		1w           ; Expire after 1 week
		1h )         ; Negative caching TTL of 1 hour

	IN	NS	ns.internal.tld.

; Reverse Lookup DNS Server
2		IN	PTR	ns.internal.tld.

;Reverse Lookup Morpheus Cluster
102		IN	PTR	echelon.internal.tld.
103		IN	PTR	nexus.internal.tld.
104		IN	PTR	phoenix.internal.tld.

;Reverse Lookup Virtual Hosts
108		IN	PTR	bt.internal.tld.
3		IN	PTR	infinity.internal.tld.
4		IN	PTR	opsec.internal.tld.

;Reverse Lookup Personal computer
123		IN	PTR	me.internal.tld.


Next, set up the main configuration file “/var/named/chroot/etc/named.conf”. Recursion is restricted to the local network and localhost, so the server cannot be abused as an open resolver, and dynamic updates to both zones are disabled:


###BEGIN
options {
	directory "/var/named"; // the default
	pid-file "/var/run/named/named.pid";
	forwarders { 208.67.222.222; 208.67.220.220; }; // OpenDNS, for external names
	allow-recursion { localhost; 192.168.123.0/24; }; // restrict recursive queries to our network
	empty-zones-enable no; // disabling RFC 1918 empty zones, so our own reverse zone is served
};

//First zone, maps hostnames to IP addresses
zone "internal.tld" in {
	type master;
	file "zones/internal.tld.ns";
	allow-update { none; };
};

//Second zone, reverse of the first zone
zone "123.168.192.in-addr.arpa" in {
	type master;
	file "zones/192.168.123.reverse";
	allow-update { none; };
};
###END

Optional, using rndc

According to the CentOS documentation, BIND includes a utility called rndc which allows command line administration of the named daemon from the localhost or a remote host. Implementing rndc is simple: we need to generate a key, include this key in the configuration file and share the key with the remote host from which we want to perform administration tasks.

Generating a 512 bit key


rndc-confgen -a -b 512 -k rndc-key

-a: generate just the key clause and write it to the key file (/etc/rndc.key)
-b bits: from 1 through 512, default 128; total length of the secret
-k keyname: name of the key, default rndc-key
-c keyfile: specify an alternate key file (requires -a)

Note from the CentOS documentation: if you have installed the bind-chroot package, the BIND service will run in the /var/named/chroot environment. All configuration files will be moved there. As such, the rndc.conf file is located in /var/named/chroot/etc/rndc.conf. Note that since the rndc utility does not run in a chroot environment, /etc/rndc.conf is a symlink to /var/named/chroot/etc/rndc.conf.

(Screenshot: sample rndc key as written to /etc/rndc.key)

After the key has been generated, it can be included in the main configuration file “/var/named/chroot/etc/named.conf”. The path is relative to the chroot, and the controls statement lists which hosts may use the key:


//Including the key file (path is relative to the chroot)
include "/etc/rndc.key";

//Allow access from localhost and 192.168.123.104
controls {
	inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc-key"; };
	inet 192.168.123.2 allow { 192.168.123.104; } keys { "rndc-key"; };
};

Note: to use rndc from a remote host we must install bind-utils and copy the key to /etc/rndc.key (CentOS) or /etc/bind/rndc.key (Debian).

Checking the main configuration file

named-checkconf -t /var/named/chroot /etc/named.conf

Checking the zone files

[root@hercules zones]# named-checkzone 192.168.123.reverse 192.168.123.reverse
zone 192.168.123.reverse/IN: loaded serial 777
OK
[root@hercules zones]# named-checkzone internal.tld.ns internal.tld.ns
zone internal.tld.ns/IN: loaded serial 777
OK
[root@hercules zones]#
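named-checkzone only validates syntax and loads the serial; it will not notice a PTR record that points at the wrong host, or a host with an A record but no PTR at all. The following script is an added example (not part of the article or of BIND) that parses the A records of the forward zone and the PTR records of the reverse zone and reports such mismatches. It assumes a /24 reverse zone whose owners are the last octet, relative owner names in the forward zone (no $ORIGIN tricks), and the constructed sample zones embedded below, where the 102 PTR deliberately disagrees with the forward zone.

```python
import re

# Constructed sample zones in the layout of the article's zone files (not the
# article's own files). The 102 PTR deliberately disagrees with the forward zone,
# and "me" has no PTR, so the check has something to report.
FORWARD_ZONE = """\
$TTL 3h
@       IN SOA ns.internal.tld. root.internal.tld. ( 777 3h 1h 1w 1h )
@       IN NS  ns.internal.tld.
ns      IN A   192.168.123.2
echelon IN A   192.168.123.102 ; Morpheus cluster node
phoenix IN A   192.168.123.104
me      IN A   192.168.123.123
"""
REVERSE_ZONE = """\
$TTL 3h
@   IN SOA ns.internal.tld. admin.internal.tld. ( 777 3h 1h 1w 1h )
    IN NS  ns.internal.tld.
2   IN PTR ns.internal.tld.
102 IN PTR phoenix.internal.tld. ; wrong: 102 is echelon in the forward zone
104 IN PTR phoenix.internal.tld.
"""
# owner, optional TTL, class IN, record type, rdata; ';' comments are stripped first
RR_RE = re.compile(r"^(\S+)\s+(?:\d+[smhdw]?\s+)?IN\s+(A|PTR)\s+(\S+)$")

def parse_records(zone_text, rtype):
    """Return [(owner, rdata)] for every A or PTR record; SOA/NS/$TTL lines are skipped."""
    out = []
    for raw in zone_text.splitlines():
        m = RR_RE.match(raw.split(";", 1)[0].strip())
        if m and m.group(2) == rtype:
            out.append((m.group(1), m.group(3)))
    return out

def find_mismatches(forward_zone, reverse_zone, origin, prefix):
    """List PTRs that disagree with the forward zone and A records lacking a PTR."""
    a_by_fqdn = {}
    for owner, ip in parse_records(forward_zone, "A"):
        a_by_fqdn.setdefault(f"{owner}.{origin}.", set()).add(ip)
    ptr_by_ip = {f"{prefix}.{octet}": name for octet, name in parse_records(reverse_zone, "PTR")}
    problems = []
    for ip, name in sorted(ptr_by_ip.items()):
        if ip not in a_by_fqdn.get(name, set()):
            problems.append(f"PTR {ip} -> {name} disagrees with A records {sorted(a_by_fqdn.get(name, []))}")
    for fqdn, ips in sorted(a_by_fqdn.items()):
        for ip in sorted(ips - set(ptr_by_ip)):
            problems.append(f"no PTR for {fqdn} ({ip})")
    return problems
```

Calling find_mismatches(FORWARD_ZONE, REVERSE_ZONE, "internal.tld", "192.168.123") on the sample reports the stray 102 PTR and the missing PTR for me; an empty list means both zones agree.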

Starting the service

service named start

Assuming named started successfully, it should be listening on port 53 (DNS) and on port 953 (the rndc control channel) on the addresses configured above:


[root@hercules zones]# netstat -ln | grep 53*
tcp 0 0 192.168.123.2:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.123.2:953 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
udp 0 0 192.168.123.2:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
[root@hercules zones]#

Check service using rndc from allowed remote hosts

[root@hercules zones]# rndc -s 192.168.123.2 status
version: 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6
CPUs found: 1
worker threads: 1
number of zones: 3
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

Now all clients can be configured to use our DNS server. We also need to change the domain and nameserver settings in “/etc/resolv.conf” to point at the new server. Basically we only need to configure “/etc/resolv.conf” on the main cluster, and each new virtual host created from it will inherit the configuration:


domain internal.tld
nameserver 192.168.123.2

Performing resolution

(Screenshot: local nslookup of an internal name and its reverse lookup)

Forwarding

(Screenshot: nslookup of an external name, answered through the OpenDNS forwarders)

Additional Notes

If you encounter a problem while trying to start the server, please check the error messages; they will help you understand where the problem occurs. Be aware that you need to set the right permissions on the files: check /etc/group to find out the right group name for the bind user, which may be “bind” or “named” depending on your Linux installation. If you have questions or comments regarding this article, please feel free to write them here.

References

[1] Using rndc
[2] BIND Configuration Files
