BIND forwarding and caching DNS server


For my recent exam I had to study how to set up a BIND caching DNS server. Since this was too easy, I decided to make it a full featured primary and secondary DNS server, but that’s for the next post.

I mentioned the BIND setup to a colleague of mine and he, somewhat jokingly, asked “Does that still exist, BIND?”, referring to it as ancient technology. But besides Unbound and PowerDNS I couldn’t find many widely used alternatives, so here’s a walkthrough anyway.

I’ll be setting up 3 scenarios:

  1. A forwarding DNS server
  2. A caching DNS server
  3. A full primary and secondary DNS server

Scenarios 1 and 2 are very similar and will be configured in this post. I’m setting it up on Ubuntu 18.04.

Install the software:

# apt install bind9

We have to create or modify our config in two main locations: /etc/bind/ and /var/cache/bind (scenario 3 only). Check out everything that is installed:

# dpkg -L bind9

Now this is important: while testing, after setting everything up, I found that my server did not seem to resolve reliably 100% of the time. I checked the logs with

# journalctl --unit bind9

and found a lot of ‘network unreachable resolving’ errors. Long story short: this was caused by an incorrect IPv6 setup. My test setup definitely does not need IPv6, so I just made BIND start for IPv4 only, which solved the problem. To do so, edit /etc/default/bind9 to read:

OPTIONS="-u bind -4"

So anyway, the first scenario, the forwarding server, just forwards requests to Google’s DNS servers and caches nothing. It requires almost the same configuration as the caching server though, and we need to secure it so that not the entire world can send it queries or abuse it as an open resolver in a DNS amplification attack.

Edit the /etc/bind/named.conf.options file. I’m pasting my whole file with comments on each section, so it should be self-explanatory (192.168.33.10 is the IP of my DNS server):

# Create an access control list (ACL) for the clients allowed to recurse
acl localauthorized {
	127.0.0.1;
	192.168.33.0/24;
};

# Server options
options {
	# Default options
	directory "/var/cache/bind";
	auth-nxdomain no;
	listen-on-v6 { any; };

	# ACL config: recurse only for our own networks, never hand out zone transfers
	recursion yes;
	listen-on { 127.0.0.1; 192.168.33.10; };
	allow-recursion { localauthorized; };
	allow-transfer { none; };

	# Set up forwarding-only mode
	forwarders {
		8.8.8.8;
		8.8.4.4;
	};
	forward only;

	# Enable DNSSEC
	dnssec-enable yes;
	dnssec-validation yes;
};

Restart the service and test:

# systemctl restart bind9
# dig www.google.com @127.0.0.1
# dig -x 8.8.4.4 @127.0.0.1
# journalctl --unit bind9

Test from another test machine:

# dig www.google.com @192.168.33.10
# dig -x 8.8.4.4 @192.168.33.10

It’s that simple, and it’s running. You can confirm the listening ports with the command below:

# ss -tulpen | grep :53
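The named.conf.options above is what keeps the server from becoming an open resolver. As an added example that is not part of the original post, here is a small shell lint that reads such a file and checks the three settings discussed (allow-recursion, allow-transfer, dnssec-validation); it handles single-line statements only and runs against two constructed sample files.

```shell
# Added example (not from the post): lint named.conf.options for the settings that
# turn a forwarding/caching server into an open resolver or an amplification source.
# Drop '#' and '//' comments so commented-out statements are ignored.
strip_comments() { sed -e 's|//.*$||' -e 's|#.*$||' "$1"; }

# Print the value of "name value;" or "name { v1; v2; };" (first single-line match only).
setting() {
    strip_comments "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*//p" | head -n 1 |
        sed -e 's/[{};]//g' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Returns 0 if the file passes, 1 otherwise; prints one line per check.
check_options() {
    rc=0
    rec=$(setting "$1" recursion); allow=$(setting "$1" allow-recursion)
    xfer=$(setting "$1" allow-transfer); val=$(setting "$1" dnssec-validation)
    # BIND recurses by default; an unset or "any" allow-recursion is not fenced by an ACL.
    if [ "${rec:-yes}" = "yes" ]; then
        case "$allow" in
            ''|any) echo "FAIL: recursion not restricted by an ACL (allow-recursion: '${allow:-unset}')"; rc=1 ;;
            *)      echo "ok: recursion limited to { $allow }" ;;
        esac
    else
        echo "ok: recursion disabled"
    fi
    # A resolver serves no zones of its own, so transfers should be refused outright.
    if [ "$xfer" = "none" ]; then echo "ok: zone transfers refused"
    else echo "FAIL: allow-transfer should be { none; } (found: '${xfer:-unset}')"; rc=1; fi
    case "$val" in
        yes|auto) echo "ok: dnssec-validation $val" ;;
        *) echo "FAIL: dnssec-validation should be yes or auto (found: '${val:-unset}')"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files: one modelled on the post's config, one left wide open.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp); trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat >"$GOOD_CONF" <<'EOF'
acl localauthorized { 127.0.0.1; 192.168.33.0/24; };
options {
    recursion yes;
    allow-recursion { localauthorized; };
    allow-transfer { none; };
    # allow-recursion { any; };  commented out, must be ignored
    dnssec-validation yes;
};
EOF
printf 'options {\n  recursion yes;\n  allow-recursion { any; };\n  dnssec-validation no;\n};\n' >"$BAD_CONF"
check_options "$GOOD_CONF"; check_options "$BAD_CONF" || echo "-> fix $BAD_CONF before exposing port 53"
```

Point it at /etc/bind/named.conf.options after a `named-checkconf` pass; it complements that tool, which only checks syntax, not policy.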

The next step is the caching server, where we actually cache responses instead of just forwarding queries. For caching we just need to take out the forwarders and forward only statements, like so:

# Create an access control list (ACL) for the clients allowed to recurse
acl localauthorized {
	127.0.0.1;
	192.168.33.0/24;
};

# Server options
options {
	# Default options
	directory "/var/cache/bind";
	auth-nxdomain no;
	listen-on-v6 { any; };

	# ACL config: recurse only for our own networks, never hand out zone transfers
	recursion yes;
	listen-on { 127.0.0.1; 192.168.33.10; };
	allow-recursion { localauthorized; };
	allow-transfer { none; };

	# Enable DNSSEC
	dnssec-enable yes;
	dnssec-validation yes;
};

Check your config (only errors are displayed):

# named-checkconf

Restart the service and test:

# systemctl restart bind9
# dig www.slashdot.org @127.0.0.1
# dig -x 35.164.83.91 @127.0.0.1
# journalctl --unit bind9

Next week I’ll be setting up the fully fledged primary and secondary DNS server.
