DNS for Dummies: Part 3
Suhesh Kasti
Networking, Practical lab
January 14, 2025
0%

Navigate Content

Est. reading time: 5 min

DNS for Dummies: Part 3

In this part we will be getting our hands dirty and setting up our own personal DNS server using an ubuntu virtual machine.

Setting Up a DNS Server

This section guides you in setting up a DNS server using BIND (Berkeley Internet Name Domain) on Ubuntu. By the end of this lab, you’ll be able to configure a DNS server and write a custom zone file that resolves services in a network. The steps cover essential concepts we discussed earlier, giving practical insight into DNS.

Lab Overview

  • Objective:
    Install and configure a DNS server to manage domain resolutions for services in a lab network.

  • Lab Environment: Note: This is how I have my lab setup. You can have different services running in your lab environment. You can refer here to understand about virtual machines.

    • Ubuntu Server IP: 192.168.180.226 (This will be our BIND server)
    • Services to Manage:
      • Insecure DVWA: 192.168.180.226:9998
      • Insecure Juice Shop: 192.168.180.226:3000
      • Secure DVWA: 192.168.180.31
      • Secure Juice Shop: 192.168.180.22
      • F5 BigIP devices: 192.168.190.133 and 192.168.190.134
      • ELK Stack: 192.168.180.112:5777

  • Requirements:

    • Basic understanding of Linux commands.
    • Ubuntu 20.04 or later installed with sudo privileges.
    • Internet access for downloading packages.

Introduction to BIND

  • What is BIND?
    BIND is one of the most widely used DNS server implementations. It supports all major DNS functionalities, making it a go-to choice for organizations and labs.

  • Why Use BIND?

    • Offers extensive customization for zone files.
    • Suitable for managing internal networks (split-horizon DNS).
    • Supports advanced DNS features like delegation and failover.

Step 1: Lab Setup

  1. Ensure the Server Environment:
    • Update and upgrade packages:
      sudo apt update && sudo apt upgrade -y
    • Install essential tools for networking and text editing:
      sudo apt install net-tools vim -y

I am using vim as my text editor, you can use nano as well. After modifying the file if you are unable to write to the file or quit vim, I suggest killing the terminal or rebooting the PC.

Step 2: Installing BIND on Ubuntu

  1. Install BIND:

    sudo apt install bind9 bind9-utils bind9-doc -y

  2. Verify Installation: Check if BIND is running:

    sudo systemctl status bind9

Bind Status The bind service is working as we got active(running) status.

  1. Enable BIND to Start on Boot:
    sudo systemctl enable bind9

Step 3: Configuring named.conf

The named.conf file specifies BIND’s global configuration. Modify it as follows:

  1. Edit the named.conf.options file:
    sudo vim /etc/bind/named.conf.options
    Add or modify:
    options {
    directory "/var/cache/bind";

    // Forwarders
    forwarders {
        8.8.8.8; // Google DNS
        1.1.1.1; // Cloudflare DNS
    };

    allow-query { any; };
    recursion yes;

    dnssec-validation auto;
    auth-nxdomain no;    // Conforms to RFC1035
    listen-on { any; };
};

File Location: /etc/bind/named.conf.options

This file contains global settings for the BIND DNS server, such as forwarders, query restrictions, and DNSSEC settings. Here’s what each section means:

  • directory "/var/cache/bind";
    Defines the directory where BIND stores its cache files.

  • forwarders { 8.8.8.8; 1.1.1.1; };
    Lists upstream DNS servers used for resolving queries outside of local zones.

  • allow-query { any; };
    Permits DNS queries from any IP address. For restricted networks, this can be limited (e.g., allow-query { 192.168.0.0/24; };).

  • recursion yes;
    Enables recursive queries, allowing the server to resolve non-authoritative domains.

  • dnssec-validation auto;
    Configures DNSSEC to validate responses automatically, ensuring authenticity.

  • auth-nxdomain no;
    Specifies that the server won’t falsely advertise itself as authoritative for non-existent domains.

  • listen-on { any; };
    Makes the server listen on all available network interfaces.

  1. Add Zones:
    Create a file for your DNS zones. Open named.conf.local:
    sudo vim /etc/bind/named.conf.local
    Add:
    zone "lab.local" {
    type master;
    file "/etc/bind/zones/db.lab.local";
};

zone "180.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.192.168.180";
};

File Location: /etc/bind/named.conf.local

This file defines custom DNS zones for your domains. We use this file to declare forward and reverse lookup zones.

  • Forward Lookup Zones: Allows hostname-to-IP resolution.

  • Reverse Lookup Zones: Allows IP-to-hostname resolution.

  • zone "lab.local"
    Declares the forward lookup zone for lab.local.

    • type master;
      Indicates this server is the primary authoritative server for the zone.

    • file "/etc/bind/zones/db.lab.local";
      Specifies the location of the zone file containing records for lab.local.

  • zone "180.168.192.in-addr.arpa"
    Declares the reverse lookup zone for IP range 192.168.180.0/24.

Step 4: Creating Zone Files

  1. Create Zone Directory:

    sudo mkdir /etc/bind/zones

  2. Write the Forward Zone File:

    sudo vim /etc/bind/zones/db.lab.local

    Example Content:

    $TTL 3600
@       IN      SOA     ns.lab.local. admin.lab.local. (
        2025011501 ; Serial
        3600       ; Refresh
        1800       ; Retry
        604800     ; Expire
        3600 )     ; Minimum TTL

; Name servers
        IN      NS      ns.lab.local.

; Records
ns      IN      A       192.168.180.226
dvwa    IN      A       192.168.180.226
juiceshop IN    A       192.168.180.22
f5-1    IN      A       192.168.190.133
f5-2    IN      A       192.168.190.134
elk     IN      A       192.168.180.112

File Location: /etc/bind/zones/db.lab.local

This file contains the resource records for the lab.local domain.

  • $TTL 3600
    Time-to-live (in seconds) for all records, controlling caching by resolvers.

  • SOA Record
    The Start of Authority (SOA) record contains key administrative details:

    • ns.lab.local. Primary nameserver.
    • admin.lab.local. Email of the administrator.
    • 2025011501 Serial number, incremented for each zone file change.
    • 3600 Refresh interval for secondary servers to check updates.
    • 1800 Retry interval after a failed refresh attempt.
    • 604800 Expiry time after which the secondary stops using zone data.
    • 3600 Minimum TTL for negative caching (e.g., non-existent records).

  • NS Record
    Declares ns.lab.local. as the authoritative name server.

  • A Records
    Maps domain names (dvwa.lab.local, elk.lab.local) to IPs.

  1. Write the Reverse Zone File:
    sudo vim /etc/bind/zones/db.192.168.180
    Example Content:
    $TTL 3600
@       IN      SOA     ns.lab.local. admin.lab.local. (
        2025011501 ; Serial
        3600       ; Refresh
        1800       ; Retry
        604800     ; Expire
        3600 )     ; Minimum TTL

; Name servers
        IN      NS      ns.lab.local.

; PTR Records
226     IN      PTR     dvwa.lab.local.
22      IN      PTR     juiceshop.lab.local.
112     IN      PTR     elk.lab.local.

File Location: /etc/bind/zones/db.192.168.180

This file contains reverse lookup records to map IPs back to hostnames.

  • PTR Records
    Define mappings from IP addresses to domain names.
    For example, 226 IN PTR dvwa.lab.local. means 192.168.180.226 resolves to dvwa.lab.local.

Note: Keeping forward and reverse zones explicit simplifies troubleshooting and updates.

Step 5: Test the Configuration

  1. Check Configuration Syntax:
    sudo named-checkconf
  2. Verify Zone Files:
    sudo named-checkzone lab.local /etc/bind/zones/db.lab.local
sudo named-checkzone 180.168.192.in-addr.arpa /etc/bind/zones/db.192.168.180
  3. Restart BIND:
    sudo systemctl restart bind9

Exercise: Test Your DNS Server

  1. Set the DNS on a Client Machine:
    Change the resolver to 192.168.180.226.
    sudo vim /etc/resolv.conf
    Add:
    nameserver 192.168.180.226
  2. Test Queries:
    dig dvwa.lab.local
dig -x 192.168.180.226
The entire DNS Series Explore DNS Cheat Sheet

Tags

Word Quiz

Correct := 0 | Wrong := 0

Question?

Fill the Answer

Correct:= 0 | Wrong:= 0

Question

Comments

comments powered by Disqus
Previous ← DNS for Dummies: Part 2

You May Also Like