How to set up a DNS Server

A complete guide to spinning up your own DNS server.

Odds are, if you have a computer and you find yourself on the interwebs Googling away, you have heard the term ‘DNS’. The fact is that without DNS none of this would be possible: you wouldn’t be able to read this, you wouldn’t be able to read about the newly released OnePlus 7 Pro (I’m not excited about it, you are) and you wouldn’t be able to read how in the world the Tampa Bay Lightning got swept in the opening round of the 2019 NHL Eastern Conference Playoffs (I’m not bitter about it, you are). In fact, none of the internet’s many information sources and services would be reachable without DNS.

DNS (the Domain Name System) has one primary function: translating easily readable, memorable names such as Amazon.com into IP addresses, which are nearly impossible to remember en masse. It provides other information too, as mentioned in some of my previous articles, such as (but not limited to) mail domain information: which server to send mail to (MX) and which IP addresses are allowed to send mail for the domain (SPF). But without the simple A or AAAA record that translates a name into an IP address, we would not be here reading this now.

There are DNS servers all over the place, the world even. Many are public, some are private, some serve the whole internet and some are authoritative for a top-level domain such as .com, to which the root zone servers delegate. Many people have a small DNS service running in their homes and might not even know it. Most “all-in-one” routers contain a DNS forwarder that acts as an intermediary between the Candy Crush servers and their cell phone. That router’s DNS service queries another server, typically the ISP’s, and that server queries another server, and they tell 2 friends, and they tell 2 friends, etc. It’s basically a game of Telephone without the element of human error (which is, um, I guess the point of Telephone; maybe a bad analogy).

So, it would stand to reason that most small businesses should have their own DNS server. But why? Basically, for all the right reasons. All 2 of them:

  1. Performance – DNS information is stored locally and can be served to internal users much faster. There is no need to bounce around the internet to get your information, and you are not competing with everyone else for the external, publicly available DNS servers.
  2. Security – As the Telephone analogy suggests, it is possible for bad DNS information to be propagated across the internet. Running your own server does not make that go away by itself, but it puts the safeguards in your hands: you can restrict recursion to your own clients (so your server cannot be abused as an open resolver), turn on DNSSEC validation so forged answers for signed zones are rejected, and keep the software patched against known cache “poisoning” attacks.

Before we move forward with setting up a DNS server, we have to address the question: is it worth it? In short, the answer is probably yes, but the shorter answer is ‘depends’ (I’m basing which is shorter simply on letter count). Again, there is a chance your little router is already caching DNS information for popular or most-visited sites, so you are running a small DNS cache without really knowing it. That will not scale to a larger network (small to medium business), so for those cases it is almost definitely worth it, specifically and obviously for the 2 reasons outlined above. But a DNS server of your own also lets you map out internal, private networks that are not reachable from the public internet. Many times it is nice for users of a private network to know each other’s machines by name and not by number; how much of that you expose depends on the structure you prefer, particularly for security reasons.

There are so many options for DNS servers that it would be difficult to go through all of them. Because of this, we will go over general concepts and then walk through 2 quick setups of the most popular options.

The 2 options we will look into are the DNS Server role in Windows Server 2016 and BIND, which is the popular choice on Linux servers.

Get In(terwebs)trawebs Bound with Bind

The assumption here is that you are on one of the most popular distributions/flavors of Linux available: Ubuntu 16.04. Most other distributions of Linux will have nearly the same steps. The command syntax will likely be the same (Bash is assumed here) but folder/file locations may vary.

Another assumption is that you are signed into the shell as root, so ‘sudo’ is not shown in front of the commands.

With that, here we go:

  • From the shell, type:
  • apt-get install bind9
  • Once installed, you should see a message indicating that the DNS service (the package is ‘bind9’, the daemon is ‘named’) is starting up

Well, that was easy enough. Now, let’s look into some configuration of the DNS server:

  • pico /etc/bind/named.conf.local
  • This will open the file ‘named.conf.local’ in the text editor ‘Pico’ (on Ubuntu, ‘pico’ is provided by nano, so the key bindings below are nano’s)
  • Enter the following text:
 zone "yourDomainNameHere.com" {
     type master;
     file "/etc/bind/zones/yourDomainNameHere.com.db";
 };

 zone "3.2.1.in-addr.arpa" {
     type master;
     file "/etc/bind/zones/rev.3.2.1.in-addr.arpa";
 };
  • Replace ‘yourDomainNameHere.com’ with your domain.
  • ‘3.2.1’ in the reverse zone name is a placeholder for the first 3 octets of your network, in reverse order. For example, if the IP address of your server is 10.2.1.67, the zone is ‘1.2.10.in-addr.arpa’ and its file would be ‘/etc/bind/zones/rev.1.2.10.in-addr.arpa’.
  • Control + X will prompt to exit with the option to save (Control + C only shows the cursor position). Press ‘Y’ and then ‘Enter’ to save under the file name used to open the editor and quit. Each zone block, including the last one, ends with ‘};’.
  • This sets the basic zone configuration for the forward DNS service and also sets up the reverse DNS service.
  • Next we’ll create the folder where the DNS database files will live. Type the following:
  • mkdir /etc/bind/zones
  • Now we’ll create the forward zone DB. Open the file named in the zone configuration above:
  • pico /etc/bind/zones/yourDomainNameHere.com.db
  • Enter the following:
; BIND data file for yourDomainNameHere.com
;
$TTL 14400
@ IN SOA ns1.yourDomainNameHere.com. host.yourDomainNameHere.com. (
        201006601 ; Serial: increase it every time you edit this file
        7200      ; Refresh
        120       ; Retry
        2419200   ; Expire
        604800 )  ; Negative caching TTL
;
yourDomainNameHere.com. IN NS ns1.yourDomainNameHere.com.
yourDomainNameHere.com. IN NS ns2.yourDomainNameHere.com.

yourDomainNameHere.com. IN MX 10 mail.yourDomainNameHere.com.
yourDomainNameHere.com. IN A abc.def.ghi.jkl

ns1  IN A abc.def.ghi.jkl
ns2  IN A abc.def.ghi.jkl
www  IN CNAME yourDomainNameHere.com.
mail IN A abc.def.ghi.jkl
ftp  IN CNAME yourDomainNameHere.com.
yourDomainNameHere.com. IN TXT "v=spf1 ip4:abc.def.ghi.jkl a mx ~all"
mail IN TXT "v=spf1 a -all"
 
  • Replace ‘yourDomainNameHere’ with, guess what, your domain name. Note that there is no space after ‘ns1.’ or ‘host.’: a space would split the name into two separate tokens and the zone would not load.
  • Replace ‘abc.def.ghi.jkl’ with your server’s IP address. ns2 points at the same address here only as a placeholder; a real second name server should be a separate host so the domain still resolves when this one is down.
  • Control + X will prompt to exit with the option to save. Press ‘Y’ and then ‘Enter’ to save under the file name used to open the editor and quit.
  • Now we will create the reverse DNS file. Type:
  • pico /etc/bind/zones/rev.3.2.1.in-addr.arpa
  • Again, ‘3.2.1’ stands for the first 3 octets of your network in reverse order, so for a server at 10.2.1.67 the file is ‘rev.1.2.10.in-addr.arpa’, matching the zone you named in named.conf.local.
  • Add the following information:
 $TTL 14400
 @ IN SOA ns1.yourDomainNameHere.com. host.yourDomainNameHere.com. (
         2010081401 ; Serial
         28800      ; Refresh
         604800     ; Retry
         604800     ; Expire
         86400 )    ; Negative caching TTL

 @ IN NS ns1.yourDomainNameHere.com.
 4 IN PTR yourDomainNameHere.com.
  • Guess what, replace ‘yourDomainNameHere’ with, guess what, your domain name. Guess what. The ‘4’ in the PTR record is the last octet of the server’s IP address, so for 10.2.1.67 it would be ‘67’.
  • Control + X will prompt to exit with the option to save. Press ‘Y’ and then ‘Enter’ to save under the file name used to open the editor and quit.
  • Now we’ll modify the local file that tells this machine which DNS servers to use. Type:
  • pico /etc/resolv.conf
  • Enter the following, so the server uses itself for lookups and appends your domain to short names:
  • nameserver 127.0.0.1
  • search yourDomainNameHere.com
  • Control + X will prompt to exit with the option to save. Press ‘Y’ and then ‘Enter’ to save under the file name used to open the editor and quit.
  • One caveat: on Ubuntu 16.04, /etc/resolv.conf is generated by resolvconf and a hand edit is overwritten on the next network change. To make it stick, put the same two lines in /etc/resolvconf/resolv.conf.d/head and run ‘resolvconf -u’.
  • Now, we’ll restart the service to pull in the new configuration. Type:
  • /etc/init.d/bind9 restart
  • On Ubuntu 16.04 ‘systemctl restart bind9’ does the same thing. The service should restart with the new configuration and leave you with a very basic working setup. If it doesn’t come back, ‘named-checkconf’ and ‘named-checkzone’ (both installed with bind9) will point at the line that is wrong.
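As an added example that is not part of the original article: a small POSIX shell script that performs the BIND steps above in one go (writes named.conf.local, the forward and reverse zone files and a named.conf.options), validates them with named-checkconf and named-checkzone, and only then restarts the service. The zone name, server address, LAN range, directory and the ‘hostmaster’ SOA contact at the top are assumptions, ns2 is dropped because no secondary exists yet, and the named.conf.options it writes adds the safeguards mentioned in the Security reason earlier (recursion only for the LAN, no zone transfers, DNSSEC validation), which the article’s own walkthrough leaves at the package defaults. It assumes bind9 (with bind9utils) and dnsutils for dig are installed.

```shell
#!/bin/sh
# Added example (not from the original article): generate, validate and load a
# BIND 9 forward zone, its matching reverse zone and a hardened named.conf.options.
# Assumptions not stated on the page: this host is the only authoritative server
# for the zone (no secondary yet), recursion is offered only to the local LAN,
# and named-checkconf/named-checkzone (bind9utils) plus dig (dnsutils) exist.
set -eu

DNS_ZONE="${DNS_ZONE:-yourDomainNameHere.com}"  # forward zone name (assumed)
DNS_IP="${DNS_IP:-10.2.1.67}"                   # address of this BIND host (assumed)
DNS_LAN="${DNS_LAN:-10.2.1.0/24}"               # clients allowed to recurse (assumed)
BIND_DIR="${BIND_DIR:-/etc/bind}"

# 10.2.1.67 -> 1.2.10.in-addr.arpa : first three octets, reversed (a /24 zone)
reverse_zone() {
    old_ifs=$IFS; IFS=.
    set -- $1               # split the address on dots
    IFS=$old_ifs
    printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1"
}

# 10.2.1.67 -> 67 : the owner name of the PTR record inside that zone
last_octet() { printf '%s\n' "${1##*.}"; }

serial() { date +%Y%m%d01; }   # YYYYMMDDnn; bump nn for a second edit that day

forward_zone() {
    cat <<EOF
\$TTL 14400
@    IN SOA ns1.$DNS_ZONE. hostmaster.$DNS_ZONE. (
         $(serial) ; serial: must grow on every change or secondaries ignore it
         7200      ; refresh
         120       ; retry
         2419200   ; expire
         604800 )  ; negative-cache TTL
@    IN NS    ns1.$DNS_ZONE.
@    IN MX 10 mail.$DNS_ZONE.
@    IN A     $DNS_IP
ns1  IN A     $DNS_IP
mail IN A     $DNS_IP
www  IN CNAME $DNS_ZONE.
@    IN TXT   "v=spf1 ip4:$DNS_IP a mx ~all"
EOF
}

reverse_zone_file() {
    cat <<EOF
\$TTL 14400
@ IN SOA ns1.$DNS_ZONE. hostmaster.$DNS_ZONE. ( $(serial) 7200 120 2419200 604800 )
@ IN NS ns1.$DNS_ZONE.
$(last_octet "$DNS_IP") IN PTR mail.$DNS_ZONE.  ; one PTR per address: the name mail HELOs with
EOF
}

named_conf_local() {
    rz=$(reverse_zone "$DNS_IP")
    cat <<EOF
zone "$DNS_ZONE" {
    type master;
    file "$BIND_DIR/zones/db.$DNS_ZONE";
    allow-transfer { none; };   // no AXFR until a real secondary exists
};
zone "$rz" {
    type master;
    file "$BIND_DIR/zones/db.$rz";
    allow-transfer { none; };
};
EOF
}

# The security-relevant part: answer authoritatively for anyone, but recurse
# only for trusted clients, so the box cannot be abused as an open resolver.
named_conf_options() {
    cat <<EOF
acl "trusted" { 127.0.0.1; $DNS_LAN; };
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { trusted; };
    allow-query { any; };
    allow-transfer { none; };
    dnssec-validation auto;     // reject forged answers for signed zones
    version "not disclosed";    // hides the version from 'dig CH TXT version.bind'
    listen-on { 127.0.0.1; $DNS_IP; };
};
EOF
}

apply() {
    rz=$(reverse_zone "$DNS_IP")
    mkdir -p "$BIND_DIR/zones"
    named_conf_local   > "$BIND_DIR/named.conf.local"
    named_conf_options > "$BIND_DIR/named.conf.options"
    forward_zone       > "$BIND_DIR/zones/db.$DNS_ZONE"
    reverse_zone_file  > "$BIND_DIR/zones/db.$rz"
    # Check before restarting: a syntax error would otherwise leave named down.
    named-checkconf "$BIND_DIR/named.conf"
    named-checkzone "$DNS_ZONE" "$BIND_DIR/zones/db.$DNS_ZONE"
    named-checkzone "$rz" "$BIND_DIR/zones/db.$rz"
    systemctl restart bind9
    dig @127.0.0.1 +short "ns1.$DNS_ZONE" A   # expect $DNS_IP
    dig @127.0.0.1 +short -x "$DNS_IP"         # expect mail.$DNS_ZONE.
}

case "${1:-}" in apply) apply ;; esac   # run as root: sh bind-setup.sh apply
```

Run it with no argument and it only defines the functions, so you can source it and look at what forward_zone or named_conf_options print before anything is written; ‘apply’ (as root) writes the files and restarts. After the restart, the check worth doing from a host outside the LAN is a dig for a name you are not authoritative for: with allow-recursion restricted it comes back REFUSED instead of an answer, and a dig for your own zone still gets the authoritative records.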

And Now, The Other One

Just as with BIND, the previous DNS server, there are assumptions to this installation guide. The big one is that you are running Windows Server 2016, whether Standard or Essentials (either of which can be virtualized). Also needed is a user with rights/permissions to make system changes such as installing the DNS Server role and configuring it in DNS Manager.

This will also be a little different from the BIND install, which we did exclusively through the command line (Bash, in that case). This Windows Server DNS install will be done through the friendly GUI and not through PowerShell. Everything can be done through PowerShell, FYI, but the Microsoft GUI is friendly enough for basic configuration. Some of the more advanced stuff may benefit from using PowerShell.

  • Open the Server Manager in Windows Server 2016.
  • Select ‘Manage’ in the toppish right and click on ‘Add Roles and Features’.
  • Click ‘Next’ through ‘Installation Type’, leaving ‘Role-based or feature-based installation’ selected.
  • Select the server to which you want to add the role. The current server should be listed, but if there are any other Windows Servers managed from this one, they would be selectable as well.
  • When the ‘Server Roles’ page loads, it lists the roles that the server can provide. Locate ‘DNS Server’, check the box and accept the management tools it asks to add along with it. Hit ‘Next’.
  • On the ‘Features’ page, any dependencies will already be checked and nothing else needs to be clicked to complete the DNS Server install. Hit ‘Next’.
  • The next section, titled ‘DNS Server’, just gives some overview information and doesn’t require any action except for, of course, and guess what, the ‘Next’ button.
  • The next screen confirms the proposed changes. There is a checkbox to restart the server automatically after the install if that turns out to be necessary. The DNS Server role does not normally need a restart, but if nothing else needs to be done immediately, it is harmless to check it and reboot.

Not terribly difficult there. Let’s go ahead and get the forward and reverse lookup zones created and configured.

  • Back in Server Manager, select ‘Tools’ and ‘DNS’ which will launch the ‘DNS Manager’.
  • On the left, there will be a listing of DNS servers. Right-click on your DNS server and select ‘Configure a DNS Server’. A wizard has suddenly appeared!
  • When you click on ‘Next’, there is an option to select what kind of zones you would like to create. The second selection should be ‘Create forward and reverse lookup zones’. This is a good option, but smaller networks can probably get away with just creating a forward lookup zone. ‘Next’.
  • The next screen will ask if the forward lookup zone should be configured now. Sure, let’s do that thing.
  • Set this zone as the ‘Primary zone’ and give it the name of your internal domain.
  • File naming is next; it takes the zone name set previously and adds ‘.dns’ to the end. There is no problem with this unless there is an existing zone file that should be used instead.
  • The next screen gets a bit into personal preference, but there are some guidelines that may help with your decision. Dynamic updates control whether clients may register their own records in the zone, or whether everything is entered by hand.
    • ‘Allow only secure dynamic updates’ is offered only for Active Directory integrated zones. Updates are accepted only from authenticated domain members, and each client can modify only the records it created. If the DNS server exists to manage the computers of a domain, this is the option to pick.
    • ‘Allow both nonsecure and secure dynamic updates’ also accepts updates from anything that can reach the server, with no authentication. This is not ideal: any device on the network can register a name, or overwrite someone else’s, which is exactly the kind of record hijacking that running your own DNS is meant to prevent. It is the only way to get dynamic updates in a zone that is not Active Directory integrated, which is why the wizard offers it.
    • ‘Do not allow dynamic updates’ forces all records to be added manually. For this to work well, the network would have to be mostly statically assigned IP addresses, which is a lot of overhead. Most servers should have a static IP, but computers, IP phones, etc. often work off DHCP as they come and go from the premises. This is the safest option but has a ton of work attached to it. Are you prepared?
  • The next screen will ask if the Reverse Lookup Zone should be configured now. Sure, let’s do that other thing.
  • Set this zone as the ‘Primary Zone’. ‘Next’ again.
  • The following screen will ask whether the zone is for IPv4 or IPv6. Even though we are exceedingly on borrowed time with IPv4 and should be dealing with v6, let’s stick with v4, unless you have configured your network for v6. Such a hipster thing to do. But, seriously, we should be on v6. And I apologize for the disparaging tone toward hipsters.
  • The next screen asks for the network ID: for a /24 that is the first 3 octets of the subnet (10.2.1 for 10.2.1.0/24). I always thought this was strange because of how subnet masks work, but the wizard just wants the network portion of the address (the subnet identifier, which is the first address in the subnet and the one you can’t assign to a host); for a larger network you type fewer octets.
  • The next screen asks for a filename for the zone. By default it reverses those octets and adds ‘.in-addr.arpa.dns’. This is good, but name it anything you want, you rebel you.
  • The next screen is the dynamic update thing again, the 3 sub-bullet points above. Again, your decision, but the recommendation is whatever you picked for the forward-y one.
  • The next screen is about forwarders: other DNS servers this one sends a query to when it doesn’t have the answer (typically the ISP’s resolvers or a public resolver). If you’re not there yet, pick ‘No’; the server then resolves internet names itself using the root hints. If yes, provide the IP address of the other server and confirm that it actually accepts recursive queries from this one.
  • When you click ‘Next’, it will display the proposed zone creation and you are done. Start adding records, or, if you allowed dynamic updates, the records will populate on their own as clients that use this server register themselves.

Here’s a Post amble

As stated, this is a very basic setup for each instance. There are a lot of options and features that can be implemented. This basic setup is mostly beneficial for internal networking (intranet), to help map internal computers, phones, etc. to the IP addresses they are assigned. That way you only need to know the naming format of the computers in the office, not their IP addresses. It’s like DNS on the internet, but on a smaller scale. This is, uh, exactly what we are going for here. Anyway, this topic and walkthrough has nothing to do with scrutinizing, really, but happy scrutinizing anyway!