Setup your private DNS server
People cannot remember all IP addresses related to web services they used in day to day life. DNS is using to identify your web application via a name.
If you want to go to myexample.lan, DNS will be resolved and then you will be directed to the relevant IP address. The combination (IP and domain) is kept in DNS.
There are multiple types of DNS servers available (Caching name servers, Authoritative name servers… etc). Let me go through configurations of the DNS server. In linux operating systems, there’s an open-sourced system called BIND (Berkely Internet Name Domain).
This is capable of performing the main DNS server role and acting as an authoritative name server as well. It contains a Name Server, Name Server Tools, Lightweight Resolver. I’ve used 3 centos VMs. Two servers to set up the DNS server, web portal and one to check and verify the configurations
Domain: myexample.lan
Primary DNS server IP: 192.168.10.11 dns-primary.myexample.lan
Web service hosted server IP: 192.168.10.13
Client IP: 192.168.10.15
Let’s install BIND and it’s utilities on the server. dig, nslookup commands will be installed with bind-utils
yum install bind bind-utils
Let’s start the DNS server now
systemctl start named
Using the below command, we do ensure DNS service is up and running even after there’s a reboot happened at the VM OS level.
systemctl enable named
If you have installed it correctly, you will get below screen capture when you run the command
systemctl status named
Now let’s configure DNS service. Usually, these configuration files can be found on /etc/named.conf
Let’s take a copy of the existing files before we do any changes
cp /etc/named.conf /etc/named.conf.new
Now let’s open the named.conf file using your favorite text editor
vim /etc/named.conf or vi /etc/named.conf
You can install vim simply by typing yum install vim-enhanced -y in your terminal. It’s the improved version of vi
Let’s comment on the below lines. It’ll allow using this as a DNS server. If we don’t comment out them, it’ll listen on port 53 for relevant name queries and from local IPs.
options {
#listen-on port 53 { 127.0.0.1; };
#listen-on-v6 port 53 { ::1; };
}
Let’s add the below line. The IP range can different in your configurations. Using this will limit the request received to the DNS server. Since I’m setting up a local DNS server, I’ve used relevant IP ranges.
allow-query {localhost; 192.168.10.0/24}
Let’s create the zones in DNS configurations. We need to have two zone files.
Forward zone: Hostname to IP address relationship will be stored here. It’ll return the IP address when you send the hostname.
Reverse zone: Return the hostname(FQDN) of a host, when you have the IP address.
forward zone
zone "myexample.lan" IN {
type master; //Defines the relevant role of this server for zone.
file "myexample.lan.db"; //Mentioning zone's DB file
allow-update { none; }; //specifies the hosts which allowed to submit Dynamic DNS updates
allow-query {any; }
};
backward zone
zone "192.168.10.in-addr.arpa" IN {
type master;
file "myexample.lan.rev";
allow-update { none; };
allow-query { any; }
};
Now we need to create forward and backward zone files. Since we have mentioned the file directory to refer, as /var/named/, I’ll be creating my DB here.
vim /var/named/myexample.lan.db
Above command will create the forward zone file by
$TTL 86400
@ IN SOA dns-primary.myexample.lan. admin.myexample.lan. (
2019061800 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
;Name Server Information
@ IN NS dns-primary.myexample.lan.
;IP for Name Server
dns-primary IN A 192.168.10.11
;A Record for IP address to Hostname
@ IN A 192.168.10.13
www IN A 192.168.10.13
mail IN A 192.168.10.13
docs IN A 192.168.10.13
Now we are done with forwarding zone file
vim /var/named/myexample.lan.rev
As per above command, Let’s create the reverse zone file as well
$TTL 86400
@ IN SOA dns-primary.myexample.lan. admin.myexample.lan. (
2019061800 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
;Name Server Information
@ IN NS dns-primary.myexample.lan.
;Reverse lookup for Name Server
100 IN PTR dns-primary.myexample.lan.
;PTR Record IP address to HostName
5 IN PTR www.myexample.lan.
10 IN PTR mail.myexample.lan.
20 IN PTR docs.myexample.lan.
Now you need to give relevant permission on zone files. Otherwise, they won’t be able to execute.
chown :named /var/named/myexample.lan.db
chown :named /var/named/myexample.lan.rev
In the last phase, you need to verify all relevant DNS configurations and zone files are in place. You can verify them by
named-checkconf
named-checkzone myexample.lan /var/named/myexample.lan.db
named-checkzone 192.168.10.11 /var/named/myexample.lan.rev
Once you have done that, it’s time to restart the named service by
systemctl restart named
You may need to allow DNS services from firewall. It can be done via
firewall-cmd — permanent — zone=public — add-service=dnsfirewall-cmd — reload
If you have your own firewall, then you need to verify the above commands in that as well.
Let’s change the /etc/resolv.conf file and add
nameserver 192.168.10.11
Now you should be able to access the myexample.lan from client-server 192.168.10.15. You may try out
nslookup myexample.lan
Going forward, we need to consider next-Gen DNS solutions as well. If you consider DNS spoofing/flooding attacks, you need to built-in security when you set up this. Otherwise, it’ll be too costly to implement countermeasures once we go live. Certain theories like DNSSEC can be implemented to secure your DNS queries.
Also, Cloudflare DNS, AWS route 53 are popular DNS solutions that can be used. Since it’s a free solution, Cloudflare is one of the most popular DNS service providers among developers. Also, they do provide a reverse proxy itself. That would help if you don’t want to expose your original IP to the DNS query.