DNS
BIND
Installation
- Get the latest ISC BIND tarball
- (Obsolete) Get the latest DLZ patch from Sourceforge. NOTE: DLZ has been included in ISC BIND since 9.4.0, so no patch is needed.
wget https://ftp.isc.org/isc/bind9/9.17.3/bind-9.17.3.tar.xz{,.asc}
gpg --keyserver pgp.mit.edu --recv-keys 0xF1B11BF05CF02E57
# .asc is a detached signature over the tarball; verify before unpacking
gpg --verify bind-9.17.3.tar.xz.asc bind-9.17.3.tar.xz
tar -xJf bind-9.17.3.tar.xz
cd bind*/
./configure --prefix=/opt/bind --localstatedir=/var/run/named/ --enable-threads --with-dlz-mysql --with-openssl
make
sudo make install
groupadd bind
useradd -g bind -s /bin/false -d /var/run/named bind
mkdir -m0750 -p /var/run/named /var/log/named
chown -R bind:bind /var/run/named /var/log/named
echo 'OPTIONS="-u bind -c /etc/bind/named.conf"' > /etc/default/named
Configuration
Configuration of BIND[1] is rather complex; a basic configuration might look like this:
named.conf
:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
named.conf.options
:
options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; 123.0.0.2; };
    listen-on-v6 { any; };
};
named.conf.local
:
include "/etc/bind/zones.rfc1918";

zone "example.org" IN {
    type master;
    file "/etc/bind/db.example";
};

zone "0.0.123.in-addr.arpa" IN {
    type master;
    notify yes;
    file "/etc/bind/db.123.0.0";
};
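The options above only set where BIND listens; everything else is left at BIND's defaults, which means recursion is answered for localhost/localnets and zone transfers are allowed to anyone. The following named.conf.options is an added example (not from the original page) for an authoritative-only server: it refuses recursion, allows transfers only to a TSIG-authenticated secondary, and rate-limits responses. It assumes the secondary is the other name server at 123.0.0.1; the key name "xfer-key" and its secret are placeholders to be replaced with the output of tsig-keygen.

```conf
// Added example, not part of the original page.
// TSIG key shared with the secondary. Generate a real one with:
//   tsig-keygen xfer-key
// and paste its output here (the secret below is a placeholder).
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";
};

// Sign everything we send to the secondary (NOTIFY, transfer replies)
// with that key. 123.0.0.1 is assumed to be the secondary.
server 123.0.0.1 {
    keys { "xfer-key"; };
};

options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; 123.0.0.2; };
    listen-on-v6 { any; };

    // Authoritative only: never recurse for anyone, so this host can
    // neither be abused as an open resolver nor have its cache poisoned.
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };

    // Anyone may query our zones, but only a request signed with the
    // TSIG key may pull them (AXFR/IXFR); dynamic updates are refused.
    allow-query { any; };
    allow-transfer { key "xfer-key"; };
    allow-update { none; };
    also-notify { 123.0.0.1; };

    // Response rate limiting blunts reflection/amplification attacks
    // that spoof a victim's address and ask for large answers.
    rate-limit {
        responses-per-second 10;
        window 5;
    };

    // Keep answers small: omit optional authority/additional data.
    minimal-responses yes;
};
```

Check the result with named-checkconf, then confirm from an outside host that a recursive query (e.g. for a name you are not authoritative for) comes back REFUSED and that `dig AXFR example.org @ns` without the key is refused too.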
Zones
db.example
:
$TTL 604800
@       IN      SOA     ns1.example.org. root.example.org. (
                        2014031001      ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
@       IN      NS      ns1.example.org.
@       IN      NS      ns2.example.org.
ns1     IN      A       123.0.0.1
ns2     IN      A       123.0.0.2
www     IN      CNAME   example.org.
example.org.    IN      A       123.0.0.3
db.123.0.0
:
$TTL 604800
@       IN      SOA     ns1.example.org. root.example.org. (
                        2014031001      ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
@       IN      NS      ns1.example.org.
@       IN      NS      ns2.example.org.
1       IN      PTR     ns1.example.org.
2       IN      PTR     ns2.example.org.
3       IN      PTR     example.org.
4       IN      PTR     admin.example.org.
named.conf.default-zones
:
Here, all the default zones should be defined. These configuration files can be found in the distribution package.
- root zone (via db.root)
- localhost
- 127.in-addr.arpa
- 0.in-addr.arpa
- 255.in-addr.arpa
Tests
A basic syntax check, loading the configuration from the chroot directory:
$ named-checkconf -t /var/chroot/bind9/ -z; echo $?
[...]
0
Checking the validity of a zone file:
$ named-checkzone example.org /var/chroot/bind9/etc/bind/db.example
zone example.org/IN: loaded serial 2014031001
OK
Chroot
BIND is a complex beast; let's put it in a chroot to lessen the blow if something goes wrong. The chroot only limits what named can reach on the filesystem; dropping privileges to the bind user (-u) still does the rest.
Stop BIND and create the chroot directories and all the necessary bits:
service bind9 stop
mkdir -m 0770 -p /var/chroot/bind9/{etc,dev,var/log/named,var/cache/bind,var/run/named}
# 0660 rather than 0600: the devices are handed to group bind below and
# named, running as user bind, must be able to open them.
mknod -m 0660 /var/chroot/bind9/dev/null c 1 3
mknod -m 0660 /var/chroot/bind9/dev/random c 1 8
# etc and dev are 0770, so they must belong to group bind as well: named
# re-reads its configuration on rndc reload/reconfig as the bind user.
chgrp bind /var/chroot/bind9/{etc,dev} /var/chroot/bind9/var/{cache/bind,log/named,run/named} /var/chroot/bind9/dev/{null,random}
chmod 0711 /var/chroot
Add the chroot directory to BIND's start options:
$ grep ^OPTIONS /etc/default/bind9
OPTIONS="-u bind -t /var/chroot/bind9"
Add a syslog socket, e.g. for rsyslog:
$AddUnixListenSocket /var/chroot/bind9/dev/log
Restart rsyslog:
$ service rsyslog restart
$ ls -lgo /var/chroot/bind9/dev/log
srw-rw-rw- 1 0 Mar 13 01:10 /var/chroot/bind9/dev/log
Move configuration files to the chroot location, but keep a symlink in /etc for compatibility:
mv /etc/bind /var/chroot/bind9/etc/
ln -s /var/chroot/bind9/etc/bind /etc/bind
mv /var/log/named/* /var/chroot/bind9/var/log/named/ && rmdir /var/log/named
Now BIND should start just fine:
service bind9 start
Let's see:
$ pwdx `pgrep named`
15321: /var/chroot/bind9/var/cache/bind
Knot
Installation
If no distribution packages are available[2], we can compile Knot DNS from source:[3]
git clone https://gitlab.labs.nic.cz/knot/knot-dns.git knot-dns-git
cd knot-dns-git
sudo dnf install gnutls-devel userspace-rcu-devel libedit-devel
./autogen.sh
./configure --prefix=/opt/knot --disable-documentation
make && sudo make install
Configuration
Minimal configuration to get things going:
$ cat knot.conf
server:
    # Listen on all configured IPv4 interfaces.
    listen: 0.0.0.0@53
    # Listen on all configured IPv6 interfaces.
    listen: ::@53
    # User for running the server.
    user: knot:knot

log:
    # Log info and more serious events to syslog.
  - target: syslog
    any: info

zone:
  - domain: example.net
    storage: "/etc/knot"
    file: "example.net.zone"
Note: both rundir and storage need to be writable by the user!
Zones
Zone file:
$ORIGIN example.net.
$TTL 7d
@       SOA     ns1.example.net. root.example.net. (
                2018020501      ; Serial
                7d              ; Refresh
                1d              ; Retry
                28d             ; Expire
                7d )            ; Negative Cache TTL
        NS      ns1
        NS      ns2
        MX      10 mx.example.net.      ; trailing dot, or $ORIGIN gets appended
www     A       93.184.216.34
        AAAA    2606:2800:220:1:248:1893:25c8:1946
mx      A       93.184.216.34
        AAAA    2606:2800:220:1:248:1893:25c8:1946
ns1     A       93.184.216.34
        AAAA    2606:2800:220:1:248:1893:25c8:1946
ns2     A       93.184.216.34
        AAAA    2606:2800:220:1:248:1893:25c8:1946
example.net.    A       93.184.216.34
                AAAA    2606:2800:220:1:248:1893:25c8:1946
;               CAA     128 issue "letsencrypt.org"
Note: CAA records are only supported in Knot DNS 2.2.0 and later.[4]
Tests
Check that our newly configured name server is not an open resolver:
$ dig +short test.openresolver.com TXT @ns1.example.net
No output is expected here. An open resolver would answer like this:
$ dig +short test.openresolver.com TXT @1.1.1.1
"open-resolver-detected"
NSD
A very basic NSD configuration,[5][6] listening on port 63:
server:
    ip-address: 127.0.0.1@63
    # port: 63
    verbosity: 0
    username: nsd
    logfile: "/var/log/nsd.log"
    pidfile: "/run/nsd/nsd.pid"

zone:
    name: "example.net"
    zonefile: "/etc/nsd/example.net.zone"

zone:
    name: "0.3.0.10.in-addr.arpa"
    zonefile: "/etc/nsd/example.net.reverse"
Zones
See #Zones
systemd-resolved
With systemd-resolved we can configure[7] a DNS over TLS stub resolver quite easily:
$ grep -v ^\# /etc/systemd/resolved.conf
[Resolve]
DNS=9.9.9.9#dns.quad9.net 1.1.1.1#cloudflare-dns.com
DNSOverTLS=yes
The name after # is the hostname the upstream's TLS certificate is validated against, and DNSOverTLS=yes is strict mode: if the TLS connection cannot be established, resolution fails rather than falling back to plaintext (DNSOverTLS=opportunistic would fall back).
This will make systemd-resolved listen on 127.0.0.53, and we can point /etc/resolv.conf to that (normally by symlinking it to /run/systemd/resolve/stub-resolv.conf):
nameserver 127.0.0.53
With that, all queries will be sent to 127.0.0.53 and then, over an encrypted connection, to the name servers configured. `resolvectl status` shows the active servers and whether DNSOverTLS is in effect.
Stubby
If we don't have access to a recent systemd-resolved package, we can use stubby to do the job:
$ cat /etc/stubby/stubby.yml
[...]
listen_addresses:
  - 127.0.0.53@853
  - 0::53@853
dnssec_trust_anchors: "/var/lib/unbound/root.key"
upstream_recursive_servers:
[...]
With that in place we can point e.g. dnsmasq at it; sometimes more complex setups like this are necessary. Note that stubby only listens on port 853 here, so every server= line that refers to 127.0.0.53 must carry #853:
$ cat /etc/resolv.conf
nameserver 127.0.0.1

$ grep ^[a-z] /etc/dnsmasq.conf
user=dnsmasq
group=dnsmasq
interface=lo
conf-dir=/etc/dnsmasq.d/,*.conf

$ grep ^[a-z] /etc/dnsmasq.d/work.conf
interface=lo
listen-address=127.0.0.1
bind-dynamic
read-ethers
log-queries
log-facility=/var/log/dnsmasq.log
server=127.0.0.53#853
server=/example.net/127.0.0.53#853
server=/foobar.corp/10.0.0.2
server=/foobar.group/10.0.0.2
DNSCrypt
A very basic dnscrypt-proxy configuration:
$ cat /etc/dnscrypt-proxy/dnscrypt-proxy.toml
[...]
listen_addresses = ['127.0.0.1:53']
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
require_dnssec = false
require_nolog = true
[...]
This will make dnscrypt-proxy listen on 127.0.0.1 port 53, and we can point /etc/resolv.conf to it:
nameserver 127.0.0.1
Public Resolvers
Provider   | IPv4                           | IPv6
-----------|--------------------------------|--------------------------------------------
Quad9      | 9.9.9.9, 149.112.112.112       | 2620:fe::fe, 2620:fe::9
Cloudflare | 1.1.1.1, 1.0.0.1               | 2606:4700:4700::1111, 2606:4700:4700::1001
Google     | 8.8.8.8, 8.8.4.4               | 2001:4860:4860::8888, 2001:4860:4860::8844
OpenDNS    | 208.67.222.222, 208.67.220.220 | 2620:119:35::35, 2620:119:53::53
Use DuckDuckGo to show even more providers.