Ubuntu Bind9 DNS not available over internet - linux

I am trying to set up a basic public DNS server in Azure using Ubuntu and Bind9.
I want it to be accessible over the internet and forward all requests to Cloudflare or Google except one custom zone.
I have two problems currently:
1. I can get it to work on the local network: setting up a client on the same subnet and doing nslookup to public sites, the forwarding works perfectly, but when pointing an internet client to the DNS server it times out.
2. The custom zones don't work, even on the local network. I tried to set up a nonexistent domain to point to an IP and set up the separate zone file, but nothing happens. Even on the DNS server itself I can't get it to work.
I don't think issue 1 is a firewall issue; for testing I have allowed all ports and IPs to be open and also opened port 53 on the DNS server firewall.
I think both issues are related to the Bind9 configuration and I have little understanding of it. Perhaps you guys can help out.
Here's the config files:
/etc/bind/named.conf.local:
zone "fakehostname.com" {
type master;
file "/etc/bind/zone.fakehostname.com";
};
/etc/bind/named.conf.options:
options {
directory "/var/cache/bind";
forwarders {
1.1.1.1; // Cloudflare
8.8.8.8; // Google
};
allow-query { any; };
dnssec-validation auto;
auth-nxdomain no;
listen-on-v6 { any; };
recursion yes;
querylog yes;
version "not available";
};
/etc/bind/zone.fakehostname.com:
$TTL 604800
@ IN SOA fakehostname.com. admin.fakehostname.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
@ IN NS localhost.
@ IN A 10.10.10.10
mail IN A 10.10.10.10
@ IN MX 10 mail.fakehostname.com.
@ IN TXT "hello"

Sorry, this was a mistake: the config was correct and the issue was in the Azure NSG firewall config. I thought I had allowed all ports for testing, but UDP 53 was not open. After opening it everything works.
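
An added example, not part of the original post: a probe that sends the same DNS query over UDP and over TCP from an outside client, so a firewall or NSG rule that opens only one protocol on port 53 shows up as a mismatch. The function names and the `example.com` query name are assumptions; pass the server's public IP as the first argument.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id, sufficient for a one-shot probe

def build_query(name, qtype=1):
    """Minimal DNS query: RD flag set, one question, class IN (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def is_reply(data):
    """True when data is a DNS response (QR bit set) carrying our transaction id."""
    if len(data) < 12:
        return False
    txid, flags = struct.unpack("!HH", data[:4])
    return txid == TXID and bool(flags & 0x8000)

def probe_udp(server, name, port=53, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, port))
            return is_reply(s.recvfrom(4096)[0])
        except OSError:  # timeout: the datagram or its reply was dropped
            return False

def probe_tcp(server, name, port=53, timeout=3.0):
    query = build_query(name)
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
            data = b""
            while len(data) < 14:  # length prefix plus the 12-byte header is enough
                chunk = s.recv(512)
                if not chunk:
                    break
                data += chunk
            return is_reply(data[2:])
    except OSError:  # refused, filtered or timed out
        return False

def diagnose(udp_ok, tcp_ok):
    if udp_ok and tcp_ok:
        return "port 53 reachable on UDP and TCP"
    if tcp_ok:
        return "UDP 53 filtered: check the protocol field of the firewall/NSG rule"
    if udp_ok:
        return "TCP 53 filtered: truncated (TC) responses cannot be retried"
    return "nothing reachable on 53: named not listening here or both protocols filtered"

if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(diagnose(probe_udp(server, "example.com"), probe_tcp(server, "example.com")))
```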

Related

Need Bind9 architecture advice

I need your advice on a DNS architecture.
DNS architecture proposal
In my company, all desktops/laptops are configured with the DNS of the LAN (10.1.1.1), which is a Microsoft AD/DNS that I don't have control over.
The other DNS servers are Bind9, where I am admin.
My purpose is to add other DNS servers for new projects (in a separate network) without changing anything on the laptops or on the LAN DNS and, of course, I want developers' laptops (in the LAN) to be able to query and receive answers for the FQDNs of those new projects.
From the DNS (FQDN) point of view, there is ONE domain (project.com) and MANY sub-domains (subX.project.com). Each sub-domain is in a separate network.
Example: on each VLAN, I will have a web server and I want it to answer to its DNS sub-domain:
web.project.com for the web server of the project zone.
web.sub1.project.com for the web server of the sub-project zone
web.sub2.project.com ...
So, my understanding of Bind9 leads me to think that the LAN DNS server (10.1.1.1) can forward requests to the project DNS server (10.100.1.1).
And the project DNS can forward requests to the sub-project DNS servers (10.200.1.1 / 10.250.1.1).
Finally, all VMs of a network can resolve public FQDNs if the zone DNS forwards their requests to the upper-level DNS.
I just want to repeat that I don't have control over the main DNS (in the LAN).
Below, you will find the named.conf.options file which represents the architecture described in the diagram:
DNS project.com (10.100.1.1/10.100.1.2)
{
allow-query { 127.0.0.1; 10.1.1.1; 10.1.1.2; 10.200.1.1; 10.200.1.2; 10.250.1.1; 10.250.1.2; 10.100.1.0/24; };
recursion yes;
notify yes;
allow-transfer { 10.100.1.2; }; # the slave
forwarders {
10.1.1.1;
10.1.1.2;
};
}
DNS sub1.project.com (10.200.1.1/10.200.1.2)
{
allow-query { 127.0.0.1; 10.100.1.1; 10.100.1.2; 10.200.1.0/24; }; # queries from VMs in this network and DNS from upper zone
recursion yes;
notify yes;
allow-transfer { 10.200.1.2; };
forwarders {
10.100.1.1;
10.100.1.2;
};
}
DNS sub2.project.com (10.250.1.1/10.250.1.2)
{
allow-query { 127.0.0.1; 10.100.1.1; 10.100.1.2; 10.250.1.0/24; }; # queries from VMs in this network and DNS from upper zone
recursion yes;
notify yes;
allow-transfer { 10.250.1.2; };
forwarders {
10.100.1.1;
10.100.1.2;
};
}
What do you think about this architecture? Do you see any drawbacks, mistakes or misunderstandings?
Regards.
You will want to start by taking control of the 'first hop DNS servers'
Create DNS forwarders that you control (bind)
Map out every zone in your environment, and their authoritative nameservers
Create Forwarded zones in Bind, for each zone/subzone and send it to the IP of the authoritative nameserver
Next, make sure all your DNS traffic is directed to your 'first hop DNS servers'.
This means updating any DHCP server options, as well as all statically configured DNS IPs on servers.
Lastly, build a process such that any time a new zone or subzone is added to the environment, that they also get added to your 'first hop servers' as additional forwarded zones.
Note : You can do all of this without making any changes to the Windows DNS servers.

DNS using BIND with Subdomains - Multiple Servers and Hosting Accounts

Hopefully someone can help clarify this.
I have a domain ie example.com registered with Go Daddy. I host the website with TSOHost so in my domain configuration, I have set the following NS records.
Nameserver 1: ns1.tsohost.co.uk
Nameserver 2: ns2.tsohost.co.uk
I am now able to serve the website both www and non www from this hosting package. I simply have an A record for example.com and a CNAME for www.example.com to point to example.com (this is being configured in the cpanel Advanced DNS Zone Editor). So now we have the website showing as expected and required.
I would also like to set up a kind of DDNS service using a different server entirely (this will hold DNS records that I will create on the fly using a Radius database).
So I want to use the subdomain ddns.example.com for this DDNS service, i.e. bob.ddns.example.com for Bob (so that when I ping bob.ddns.example.com, I can alter the IP to 8.8.8.8, say). In cPanel I have an A record for ddns.example.com and an A record for *.ddns.example.com to point to my server that will manage this, for example 85.214.214.214.
I have installed Bind on the server (currently using a Digital Ocean server for this, to which I have added ddns.example.com as an A record to the droplet and *.ddns.example.com also). I have created a zone for ddns.example.com, and within this I have set the NS record as the Digital Ocean details.
I have then added the following to my file /var/named/ddns.example.com.hosts
$ttl 38400
ddns.example.com. IN SOA ns1.digitalocean.com. jon@example.com. (
1414575123
10800
3600
604800
38400 )
ddns.example.com. IN NS ns1.digitalocean.com.
bob.ddns.example.com. IN A 8.8.8.8
When I ping bob.ddns.example.com on the server with bind installed I get 8.8.8.8, but when pinging from anywhere else I get the bind server IP.
Can I ask if what I am doing is possible ie, going from godaddy to tso, to another server and if so what NS records should I specify for bind? or is there something in the named config I need to change, I have set the following options in named.conf in an attempt to solve this issue.
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
allow-query { any; };
recursion yes;
I am aware that recursion may leave me open to DOS attacks and I intend to turn this to no eventually, but for the moment during testing I have left this to yes.
Any help or information would be greatly appreciated, I have been trying different variations of zone files etc without success, I am really though unsure as to if I am going in the right direction.
Hopefully I have made sense, but any further info I can provide, please let me know.
My first question would be - Are you sure you've updated the Registrar with this server as the DNS nameserver for this domain?
Use nslookup to find out:
# nslookup
> set querytype=NS
> server 4.2.2.1 (a DNS server on the Internet)
> ddns.example.com. (a closing dot helps avoid lookups using preferred search domains.)
and confirm that the Internet knows who to communicate with, and that your NS host is authoritative for the domain.
Next would be - Do you have any other nameservers up to "answer" for that subdomain, causing other problems?
BTW - glad to hear you fixed this issue!
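
An added example, not from the original posts: `recursion yes` together with `allow-query { any; }` is the combination the asker flags as a DoS exposure, because when `allow-recursion` is unset BIND takes the recursion ACL from `allow-query-cache` and then from `allow-query`. The check below reads an options block and reports whether recursion is open to any source; `PAGE_OPTIONS` is the options block from the first question on this page (trimmed), while `HARDENED`, its 10.0.0.0/24 client range and the function names are constructed.

```python
import re

DEFAULT_ACL = ["localnets", "localhost"]  # BIND's built-in recursion ACL
WORLD = {"any", "0.0.0.0/0", "::/0"}

def strip_comments(text):
    """Remove /* */, // and # comments (a '#' inside a quoted string is not handled)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def read_acl(text, keyword):
    """Entries of `keyword { a; b; };`, or None when the statement is absent.
    Nested braces and named acl definitions are not followed."""
    m = re.search(r"(?<![\w-])" + re.escape(keyword) + r"\s*\{([^{}]*)\}", text)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]

def audit(conf):
    text = strip_comments(conf)
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", text)
    recursion = m.group(1) == "yes" if m else True  # recursion defaults to yes
    source, entries = "default", DEFAULT_ACL
    # Inheritance when allow-recursion is unset: allow-query-cache, then allow-query.
    for kw in ("allow-recursion", "allow-query-cache", "allow-query"):
        found = read_acl(text, kw)
        if found is not None:
            source, entries = kw, found
            break
    return {"recursion": recursion, "acl_source": source, "acl": entries,
            "open_resolver": recursion and bool(WORLD & set(entries))}

# Options block from the first question on this page, trimmed.
PAGE_OPTIONS = """
options {
    directory "/var/cache/bind";
    forwarders {
        1.1.1.1; // Cloudflare
        8.8.8.8; // Google
    };
    allow-query { any; };
    recursion yes;
};
"""

# Constructed variant: zones stay queryable by anyone, recursion only for known clients.
HARDENED = """
options {
    forwarders { 1.1.1.1; 8.8.8.8; };
    allow-query { any; };
    allow-recursion { localhost; 10.0.0.0/24; };
    recursion yes;
};
"""

if __name__ == "__main__":
    for label, conf in (("page", PAGE_OPTIONS), ("hardened", HARDENED)):
        print(label, audit(conf))
```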

Issues with DNS lookup on BIND wildcard subdomain

There's tutorials galore out there, but I'm having a hard time getting BIND to provide local network DNS lookup.
Aims:
Requests can be made from anywhere on the local network. (I haven't included any listen on statements, so this should be covered - I think!)
*.demo requests should go to 192.168.0.64
Anything else should be forwarded to google's 8.8.8.8 and 8.8.4.4
Here's my config:
# /etc/named.conf
options {
directory "/var/named";
# Hide version string for security
version "not currently available";
# Forward all unknown DNS queries to the Google Public DNS. (Does it?)
forwarders { 8.8.8.8; 8.8.4.4; };
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
zone "demo." IN {
type master;
file "zone.demo";
};
And the zone file:
; /var/named/zone.demo
$ORIGIN demo.
$TTL 1D
@ IN SOA demo. hostmaster (
201312041 ; serial
8H ; refresh
4H ; retry
4W ; expire
1D ) ; minimum
*. IN A 192.168.0.64
I then run named-checkconf (no output) and named -f (which blocks - all looks well!)
To check that the server is doing what I expect, I run dig:
$ dig @127.0.0.1 A test.demo
; <<>> DiG 9.8.3-P1 <<>> @127.0.0.1 test.demo
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
Any ideas as to what I'm doing wrong here?
First thing you'll need is an NS record:
@ IN NS ns.demo.
This needs an associated A record as it is essentially a CNAME which in this case would be in your zone. So you'll need:
ns.demo. IN A <Your DNS server IP here>
Then, as your wildcard has a dot at the end you are specifying one 'level' of DNS record (e.g. com, net, or demo) and not including your zone's origin. You need to either ditch the dot:
* IN A 192.168.0.64
or do:
*.demo. IN A 192.168.0.64
This is because the final dot in a bind zone file denotes the end of the field. If you don't put the dot on the end of the field then bind will add the origin. This does not apply to IP addresses.
As for the forwarding, that should work, but you'll probably want to have multiple nameservers set up on your clients, in case this one is down for any reason, etc. In this case you won't need the forwarding.
If you want to secure the server to only respond to clients on the local network you can use the allow-query statement to limit it to certain IP ranges. But if your server is not accessible on the internet you should be fine. One thing to check is that the server isn't listening on the loopback interface, meaning that you will only be able to reach it from the machine named is running on and not other machines on your network.
Hope this helps. Let me know if anything isn't clear.
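
An added example, not from the original posts: the origin rule from the answer above, applied to every owner field of a zone file, marking names that land outside the zone. That is where the question's `*.` record ends up, and named ignores out-of-zone data when it loads a zone. The function names and the 192.168.0.2 name-server address are assumptions.

```python
def qualify(owner, origin):
    """Expand an owner field: '@' is the origin, a trailing dot marks a complete
    name, anything else gets the origin appended."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return owner + "." + origin.lstrip(".")

def in_zone(name, zone):
    name, zone = name.lower(), zone.lower()
    return zone == "." or name == zone or name.endswith("." + zone)

def owners(zone_text, zone):
    """Return (fqdn, inside_zone) per record; a blank owner inherits the previous one."""
    origin = last = zone
    depth = 0
    result = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments (quoted ';' not handled)
        if not line.strip():
            continue
        continued = depth > 0  # still inside a "( ... )" record such as SOA
        depth += line.count("(") - line.count(")")
        if continued:
            continue
        if line.startswith("$"):
            fields = line.split()
            if fields[0].upper() == "$ORIGIN":
                origin = qualify(fields[1], origin)
            continue
        if not line[0].isspace():
            last = qualify(line.split()[0], origin)
        result.append((last, in_zone(last, zone)))
    return result

# Zone file from the question above.
QUESTION_ZONE = """
$ORIGIN demo.
$TTL 1D
@ IN SOA demo. hostmaster (
        201312041 ; serial
        8H ; refresh
        4H ; retry
        4W ; expire
        1D ) ; minimum
*. IN A 192.168.0.64
"""

# The same zone with the answer's corrections; the NS address is constructed.
FIXED_ZONE = """
$ORIGIN demo.
$TTL 1D
@ IN SOA demo. hostmaster ( 201312041 8H 4H 4W 1D )
@ IN NS ns.demo.
ns.demo. IN A 192.168.0.2
* IN A 192.168.0.64
"""

if __name__ == "__main__":
    for name, ok in owners(QUESTION_ZONE, "demo."):
        print(name, "in zone" if ok else "OUT OF ZONE")
```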

Linking Domain Name to Server [closed]

So I've delved into the world of running a server without a control panel for the first time, doing everything through the terminal and occasionally logging into the desktop gui if I need to.
I've got nearly everything working as far as I can tell; the firewall was a hassle but I think I've got it now.
The last thing I can't quite work out is how to get the domain name I purchased pointing correctly to my server (I've always done this through a control panel before which automated most of it).
These are the steps I've taken so far (These may be wrong, I've been googling the thing like mad but everywhere tells me to do something different, so please let me know if something is wrong).
Purchased domain name, for sake of example "mydomain.com"
Have server running Ubuntu 64 bit. IP address for sake of example "1.2.3.4"
The host has provided me with 3 "DNS Resolvers", for sake of example: "1.1.1.1", "1.1.1.2", "1.1.1.3"
I've set the hostname on my server
Running "hostname" in the terminal outputs: mydomain
Checking /etc/hostname outputs: mydomain.com
I've added those 3 DNS resolvers to my /etc/resolv.conf file like so:
domain mydomain.com
search mydomain.com
nameserver 1.1.1.1
nameserver 1.1.1.2
nameserver 1.1.1.3
I've set the virtual host up in my httpd.conf file:
<VirtualHost 1.2.3.4:80>
ServerName mydomain.com
ServerAlias mydomain
DocumentRoot /var/www/mysite
</VirtualHost>
Now from here on I've just been playing around with different things. At the moment I've gone into my domain registrar panel and set three nameservers as "ns1.mydomain.com", "ns2.mydomain.com", "ns3.mydomain.com".
I've installed webmin to try and set the DNS zone records and this is what I've got at the moment on the output of various commands:
(where 1.1.1.1, 1.1.1.2, 1.1.1.3 are those DNS resolvers)
nslookup -sil localhost
conn@duckfusion:~$ nslookup -sil localhost
;; Got SERVFAIL reply from 1.1.1.2, trying next server
;; Got SERVFAIL reply from 1.1.1.3, trying next server
;; connection timed out; no servers could be reached
nslookup -sil mydomain.com
conn@duckfusion:~$ nslookup -sil mydomain.com
;; Got SERVFAIL reply from 1.1.1.2, trying next server
;; Got SERVFAIL reply from 1.1.1.3, trying next server
;; connection timed out; no servers could be reached
Here is my "named.conf" file:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
1.1.1.1; 1.1.1.2; 1.1.1.3; 208.67.222.222; 208.67.220.220;
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
allow-query {
any;
};
listen-on port 53 {
any;
};
};
named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "mydomain.com" {
type master;
file "/var/lib/bind/mydomain.com.hosts";
};
/var/lib/bind/mydomain.com.hosts (Where 1.2.3.4 is my server's IP)
$ttl 38400
mydomain.com. IN SOA mydomain.com. me.myemail.com. (
1366054515
10800
3600
604800
38400 )
mydomain.com. IN NS mydomain.com.
mydomain.com. IN A 1.2.3.4
www.mydomain.com. IN A 1.2.3.4
mail.mydomain.com. IN A 1.2.3.4
ftp.mydomain.com. IN A 1.2.3.4
ns1.mydomain.com. IN A 1.2.3.4
ns2.mydomain.com. IN A 1.2.3.4
ns3.mydomain.com. IN A 1.2.3.4
mydomain.com. IN NS ns1.mydomain.com.
mydomain.com. IN NS ns2.mydomain.com.
mydomain.com. IN NS ns3.mydomain.com.
mydomain.com. IN MX 10 mail.mydomain.com.
That's as far as I've got.
I can obviously get to the server via IP address as URL, but as of yet not by domain name.
Could anyone let me know:
A) Where I've gone wrong
B) What I need to do to achieve this?
Thank you very much.
Running your own named is overkill and not needed. Here's what a valid setup looks like:
Your web server hosting provider (where your website lives) gave you some DNS resolvers. These are intended to provide DNS resolution to your web server, so it can find OTHER hosts on the Internet. These resolvers have nothing to do with hosting YOUR domain, and you cannot make changes to their domain definitions.
Your DNS Hosting Provider has their own DNS servers, which are used by default to host your DNS "A" record. If you truly reconfigured your DNS hosting account to use the web provider's DNS servers, this is an error. You cannot add your DNS record to those servers.
On your DNS Hosting Provider's control panel, first set it back to using their DNS servers; then create an "A" record for your domain, pointing to the IP of your web server host.
In summary:
DNS Hosting Provider
DNS Server(s) contain:
www.yourserver.com A 1.2.3.4
alias.yourserver.com CNAME www.yourserver.com (maybe)
yourserver.com MX where.you.receive.mail (maybe)
Web Hosting Provider
Your web server at 1.2.3.4
/etc/resolv.conf
nameserver 1.1.1.1
nameserver 1.1.1.2
nameserver 1.1.1.3
That's all you need to do for other people to be able to find your server.
The only reason to run your own DNS would be to host an entire network consisting of multiple machines, behind a firewall, or hosting an entire Class C or greater set of IP addresses. To do this you'd need peering and routing agreements with other providers, which I don't think you have.
EDIT
$ dig duckfusion.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> duckfusion.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32080
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 17
;; QUESTION SECTION:
;duckfusion.com. IN A
;; ANSWER SECTION:
duckfusion.com. 1800 IN A 87.117.219.53
duckfusion.com. 1800 IN A 192.31.186.140
;; AUTHORITY SECTION:
duckfusion.com. 172800 IN NS dns4.registrar-servers.com.
duckfusion.com. 172800 IN NS dns5.registrar-servers.com.
duckfusion.com. 172800 IN NS dns3.registrar-servers.com.
duckfusion.com. 172800 IN NS dns1.registrar-servers.com.
duckfusion.com. 172800 IN NS dns2.registrar-servers.com.

Redirect domain names from linux dns server

So, the IT department decided to change a bunch of domain names and it broke a bunch of stuff in my lab network. I have a SUSE Linux DNS server (which I didn't set up and don't know much about). I was wondering if there was a way I could make it manually resolve IP addresses to the old domain names.
Simply modifying the software in my lab to point to the new domain names won't work (because there are other labs at other sites that will still be using the old domain names).
Here are some relevant quotes from this tutorial:
Examples Corporation has been assigned the network 192.0.2.0/24 and internally we are using 10.0.0.0/24.
Let's start serving the external names and IPs, we edit /etc/bind/named.conf.local and add:
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
};
and then we create /etc/bind/db.example.com with the following contents:
; example.com
$TTL 604800
@ IN SOA ns1.example.com. root.example.com. (
2006020201 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800); Negative Cache TTL
;
@ IN NS ns1
    IN MX 10 mail
    IN A 192.0.2.1
ns1 IN A 192.0.2.1
mail IN A 192.0.2.128 ; We have our mail server somewhere else.
www IN A 192.0.2.1
client1 IN A 192.0.2.201 ; We connect to client1 very often.
So what you want to do is replace "example.com" with whatever domain your programs access, replace "192.0.2.whatever" with your destination IP, and remove the "ns1", "mail", "www", "client1" lines and replace them with
*.yourdomain.com. IN A your.ip.address.255
