Setup your private DNS server

Thilina Viraj
5 min readJan 12, 2020

--

People cannot remember all IP addresses related to web services they used in day to day life. DNS is using to identify your web application via a name.

If you want to go to myexample.lan, DNS will be resolved and then you will be directed to the relevant IP address. The combination (IP and domain) is kept in DNS.

There are multiple types of DNS servers available (Caching name servers, Authoritative name servers… etc). Let me go through configurations of the DNS server. In linux operating systems, there’s an open-sourced system called BIND (Berkely Internet Name Domain).

This is capable of performing the main DNS server role and acting as an authoritative name server as well. It contains a Name Server, Name Server Tools, Lightweight Resolver. I’ve used 3 centos VMs. Two servers to set up the DNS server, web portal and one to check and verify the configurations

Domain: myexample.lan

Primary DNS server IP: 192.168.10.11 dns-primary.myexample.lan

Web service hosted server IP: 192.168.10.13

Client IP: 192.168.10.15

Let’s install BIND and it’s utilities on the server. dig, nslookup commands will be installed with bind-utils

yum install bind bind-utils

Let’s start the DNS server now

systemctl start named

Using the below command, we do ensure DNS service is up and running even after there’s a reboot happened at the VM OS level.

systemctl enable named

If you have installed it correctly, you will get below screen capture when you run the command

systemctl status named

Now let’s configure DNS service. Usually, these configuration files can be found on /etc/named.conf

Let’s take a copy of the existing files before we do any changes

cp /etc/named.conf /etc/named.conf.new

Now let’s open the named.conf file using your favorite text editor

vim /etc/named.conf or vi /etc/named.conf

You can install vim simply by typing yum install vim-enhanced -y in your terminal. It’s the improved version of vi

Let’s comment on the below lines. It’ll allow using this as a DNS server. If we don’t comment out them, it’ll listen on port 53 for relevant name queries and from local IPs.

options {
#listen-on port 53 { 127.0.0.1; };
#listen-on-v6 port 53 { ::1; };
}

Let’s add the below line. The IP range can different in your configurations. Using this will limit the request received to the DNS server. Since I’m setting up a local DNS server, I’ve used relevant IP ranges.

allow-query {localhost; 192.168.10.0/24}

Let’s create the zones in DNS configurations. We need to have two zone files.

Forward zone: Hostname to IP address relationship will be stored here. It’ll return the IP address when you send the hostname.

Reverse zone: Return the hostname(FQDN) of a host, when you have the IP address.

forward zone

zone "myexample.lan" IN {
type master; //Defines the relevant role of this server for zone.
file "myexample.lan.db"; //Mentioning zone's DB file
allow-update { none; }; //specifies the hosts which allowed to submit Dynamic DNS updates
allow-query {any; }
};

backward zone

zone "192.168.10.in-addr.arpa" IN {
type master;
file "myexample.lan.rev";
allow-update { none; };
allow-query { any; }
};

Now we need to create forward and backward zone files. Since we have mentioned the file directory to refer, as /var/named/, I’ll be creating my DB here.

vim /var/named/myexample.lan.db

Above command will create the forward zone file by

$TTL 86400
@ IN SOA dns-primary.myexample.lan. admin.myexample.lan. (
2019061800 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
;Name Server Information
@ IN NS dns-primary.myexample.lan.
;IP for Name Server
dns-primary IN A 192.168.10.11
;A Record for IP address to Hostname
@ IN A 192.168.10.13
www IN A 192.168.10.13
mail IN A 192.168.10.13
docs IN A 192.168.10.13

Now we are done with forwarding zone file

vim /var/named/myexample.lan.rev

As per above command, Let’s create the reverse zone file as well

$TTL 86400
@ IN SOA dns-primary.myexample.lan. admin.myexample.lan. (
2019061800 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
;Name Server Information
@ IN NS dns-primary.myexample.lan.
;Reverse lookup for Name Server
100 IN PTR dns-primary.myexample.lan.
;PTR Record IP address to HostName
5 IN PTR www.myexample.lan.
10 IN PTR mail.myexample.lan.
20 IN PTR docs.myexample.lan.

Now you need to give relevant permission on zone files. Otherwise, they won’t be able to execute.

chown :named /var/named/myexample.lan.db
chown :named /var/named/myexample.lan.rev

In the last phase, you need to verify all relevant DNS configurations and zone files are in place. You can verify them by

named-checkconf
named-checkzone myexample.lan /var/named/myexample.lan.db
named-checkzone 192.168.10.11 /var/named/myexample.lan.rev

Once you have done that, it’s time to restart the named service by

systemctl restart named

You may need to allow DNS services from firewall. It can be done via

firewall-cmd — permanent — zone=public — add-service=dnsfirewall-cmd — reload

If you have your own firewall, then you need to verify the above commands in that as well.

Let’s change the /etc/resolv.conf file and add

nameserver 192.168.10.11

Now you should be able to access the myexample.lan from client-server 192.168.10.15. You may try out

nslookup myexample.lan

Going forward, we need to consider next-Gen DNS solutions as well. If you consider DNS spoofing/flooding attacks, you need to built-in security when you set up this. Otherwise, it’ll be too costly to implement countermeasures once we go live. Certain theories like DNSSEC can be implemented to secure your DNS queries.

Also, Cloudflare DNS, AWS route 53 are popular DNS solutions that can be used. Since it’s a free solution, Cloudflare is one of the most popular DNS service providers among developers. Also, they do provide a reverse proxy itself. That would help if you don’t want to expose your original IP to the DNS query.

--

--

Thilina Viraj
Thilina Viraj

Written by Thilina Viraj

Technical Lead at Sysco LABS Sri Lanka

No responses yet