DNS

From Segfault
(Redirected from NSD)
Jump to navigation Jump to search

BIND

Installation

  • Get the latest ISC BIND tarball
  • Get the latest DLZ patch from Sourceforge/ - NOTE: DLZ is included in ISC Bind since 9.4.0
wget https://ftp.isc.org/isc/bind9/9.17.3/bind-9.17.3.tar.xz{,sha512.asc}
gpg --keyserver pgp.mit.edu --recv-keys 0xF1B11BF05CF02E57
gpg --verify bind*.tar.gz.sha512.asc bind*tar.gz

gzip -dc bind*.tar.gz | tar -xf -
cd bind*/
 
./configure --prefix=/opt/bind --localstatedir=/var/run/named/ --enable-threads --with-dlz-mysql --with-openssl
make
sudo make install

groupadd bind
useradd -g bind -s /bin/false -d /var/run/named bind
mkdir -m0750 -p /var/run/named /var/log/named
chown -R bind:bind /var/run/named /var/log/named
echo 'OPTIONS="-u bind -c /etc/bind/named.conf"' > /etc/default/named

Configuration

Configuration of BIND[1] is rather complex, a basic configuration might look like this:

named.conf:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

named.conf.options:

options {
       directory "/var/cache/bind";
       listen-on { 127.0.0.1; 123.0.0.2; };
       listen-on-v6 { any; };
};

named.conf.local:

include "/etc/bind/zones.rfc1918";

zone "example.org" IN {
       type master;
       file "/etc/bind/db.example";
};

zone "0.0.123.in-addr.arpa" IN {
       type master;
       notify yes;
       file "/etc/bind/db.123.0.0";
};

Zones

db.example:

$TTL    604800
@       IN      SOA     ns1.example.org. root.example.org. (
                        2014031001     ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL

@               IN      NS      ns1.example.org.
@               IN      NS      ns2.example.org.
ns1             IN      A       123.0.0.1
ns2             IN      A       123.0.0.2
www             IN      CNAME   example.org.
example.org. IN A       123.0.0.3

db.123.0.0:

$TTL    604800
@       IN      SOA     ns1.example.org. root.example.org. (
                       2014031001      ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL

@       IN      NS      ns1.example.org.
@       IN      NS      ns2.example.org.

1       IN      PTR     ns1.example.org.
2       IN      PTR     ns2.example.org.
3       IN      PTR     example.org.
4       IN      PTR     admin.example.org.

named.conf.default-zones:

Here, all the default zones should be defined. These configuration files can be found in the distribution package.

  • root zone (via db.root)
  • localhost
  • 127.in-addr.arpa
  • 0.in-addr.arpa
  • 255.in-addr.arpa

Tests

A basic syntax check, loading the configuration from the chroot directory:

$ named-checkconf -t /var/chroot/bind9/ -z; echo $?
[...]
0

Checking the validity of a zone file:

$ named-checkzone example.org /var/chroot/bind9/etc/bind/db.example 
zone example.org/IN: loaded serial 2014031001
OK

Chroot

BIND is a complex beast, let's put it in a chroot to lessen the blow if something goes wrong.

Stop BIND and create the chroot directories and all the necessary bits:

service bind9 stop
mkdir -m 0770 -p /var/chroot/bind9/{etc,dev,var/log/named,var/cache/bind,var/run/named}

mknod -m 0600 /var/chroot/bind9/dev/null c 1 3
mknod -m 0600 /var/chroot/bind9/dev/random c 1 8

chgrp bind /var/chroot/bind9/var/{cache/bind,log/named,run/named} /var/chroot/bind9/dev/{null,random}
chmod 0711 /var/chroot

Add the chroot directory to BIND's start options:

$ grep ^OPTIONS /etc/default/bind9
OPTIONS="-u bind -t /var/chroot/bind9"

Add a syslog socket, e.g. for rsyslog:

$AddUnixListenSocket            /var/chroot/bind9/dev/log

Restart rsyslog:

$ service rsyslog restart
$ ls -lgo /var/chroot/bind9/dev/log 
srw-rw-rw- 1 0 Mar 13 01:10 /var/chroot/bind9/dev/log

Move configuration files to the chroot location, but keep a symlink in /etc for compatibility:

mv /etc/bind /var/chroot/bind9/etc/
ln -s /var/chroot/bind9/etc/bind /etc/bind
mv /var/log/named/* /var/chroot/bind9/var/log/named/ && rmdir /var/log/named

Now BIND should start just fine:

service bind9 start

Let's see:

$ pwdx `pgrep named`
15321: /var/chroot/bind9/var/cache/bind

Knot

Installation

If no distribution packages are available[2], we can compile Knot DNS from source:[3]

git clone https://gitlab.labs.nic.cz/knot/knot-dns.git knot-dns-git
cd knot-dns-git

sudo dnf install gnutls-devel userspace-rcu-devel libedit-devel

./autogen.sh
./configure --prefix=/opt/knot --disable-documentation
make && sudo make install

Configuration

Minimal configuration to get things going:

$ cat knot.conf
server:
   # Listen on all configured IPv4 interfaces.
   listen: 0.0.0.0@53
   # Listen on all configured IPv6 interfaces.
   listen: ::@53
   # User for running the server.
   user: knot:knot

log:
   # Log info and more serious events to syslog.
 - target: syslog
   any: info

zone:
  - domain: example.net
    storage: "/etc/knot"
    file: "example.net.zone"

Note: both rundir and storage need to be writable by the user!

Zones

Zone file:

$ORIGIN example.net.
$TTL   7d

@              SOA     www.example.net. root.example.net. (
                        2018020501     ; Serial
                                7d     ; Refresh
                                1d     ; Retry
                               28d     ; Expire
                                7d )   ; Negative Cache TTL

               NS      ns1
               NS      ns2
               MX      10 mx.example.net

www            A       93.184.216.34
               AAAA    2606:2800:220:1:248:1893:25c8:1946

mx             A       93.184.216.34
               AAAA    2606:2800:220:1:248:1893:25c8:1946

ns1            A       93.184.216.34
               AAAA    2606:2800:220:1:248:1893:25c8:1946

ns2            A       93.184.216.34
               AAAA    2606:2800:220:1:248:1893:25c8:1946

example.net.   A       93.184.216.34
               AAAA    2606:2800:220:1:248:1893:25c8:1946
;              CAA 128 issue "letsencrypt.org"

Note: CAA records are only supported in Knot DNS 2.2.0 and later.[4]

Tests

Check that our newly configured name server is not an open resolver:

dig +short test.openresolver.com TXT @ns1.example.net

No output is expected here. An open resolver would answer like this:

$ dig +short test.openresolver.com TXT @1.1.1.1
"open-resolver-detected"


NSD

A very basic NSD configuration,[5][6] listening on 63/udp:

server:
       ip-address: 127.0.0.1@63
#      port: 63
       verbosity: 0
       username: nsd

       logfile: "/var/log/nsd.log"
       pidfile: "/run/nsd/nsd.pid"

zone:
       name: "example.net"
       zonefile: "/etc/nsd/example.net.zone"

zone:
       name: "0.3.0.10.in-addr-arpa"
       zonefile: "/etc/nsd/example.net.reverse"

Zones

See #Zones

systemd-resolved

With systemd-resolved we can configure[7] a DNS over TLS stub resolver quite easily:

$ grep -v ^\# /etc/systemd/resolved.conf 
[Resolve]
DNS=9.9.9.9#dns.quad9.net 1.1.1.1#cloudflare-dns.com
DNSOverTLS=yes

This will make systemd-resolved listen on 127.0.0.53 and we can point /etc/resolv to that:

nameserver 127.0.0.53

With that, all queries will be sent to 127.0.0.53 and then, over an encrypted connection, to the name servers configured.

Stubby

If we don't have access to a recent systemd-resolved package, we can use stubby to do the job:

$ cat /etc/stubby/stubby.yml
[...]
listen_addresses:
 - 127.0.0.53@853
 - 0::53@853
 
dnssec_trust_anchors: "/var/lib/unbound/root.key"
upstream_recursive_servers:
  [...]

With that in place, we can point e.g. dnsmasq - sometimes more complex setups like this are necessary:

$ cat /etc/resolv.conf 
nameserver 127.0.0.1
$ grep ^[a-z] /etc/dnsmasq.conf 
user=dnsmasq
group=dnsmasq
interface=lo
conf-dir=/etc/dnsmasq.d/,*.conf

$ grep ^[a-z] /etc/dnsmasq.d/work.conf
interface=lo
listen-address=127.0.0.1
bind-dynamic
read-ethers
log-queries
log-facility=/var/log/dnsmasq.log
server=127.0.0.53#853
server=/example.net/127.0.0.53
server=/foobar.corp/10.0.0.2
server=/foobar.group/10.0.0.2

DNSCrypt

A very basic dnscrypt-proxy configuration:

$ cat /etc/dnscrypt-proxy/dnscrypt-proxy.toml
[...]
listen_addresses = ['127.0.0.1:53']
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
require_dnssec = false
require_nolog = true
[...]

This will make dnscrypt-proxy on port 53 and we can point /etc/resolv.conf to it:

nameserver 127.0.0.1

Public Resolvers

Provider IPv4 IPv6
Quad9 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
Cloudflare 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
Google 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
OpenDNS 208.67.222.222 208.67.220.220 2620:119:35::35 2620:119:53::53

Use DuckDuckGo to show even more providers.

Links

References