Part 2 of setting up a Linux home lab environment with VirtualBox. Check this blog post for more info.
BIND is open source software that implements the Domain Name System (DNS) protocols for the Internet. The name BIND stands for “Berkeley Internet Name Domain”.
Software
Software used in this article:
- CentOS 6
- BIND 9.8
Before We Begin
We are going to set up a general purpose DNS server which:
- Acts as master for two internal zones, and
- Acts as a caching recursive resolver for all other requests.
BIND server’s info:
- Hostname: spacewalk,
- IP: 10.8.8.2,
- LAN: 10.8.8.0/24.
Two internal DNS zones will be set up:
- hl.local – a forward zone, translating domain names into IP addresses,
- 8.8.10.in-addr.arpa – a reverse zone, translating IP addresses (10.8.8.x) into domain names.
The hl.local domain stands for “home lab” in our case. Be aware that .local is reserved for multicast DNS (RFC 6762): clients running Avahi/nss-mdns may try to resolve hl.local names over mDNS instead of asking this server unless their nsswitch.conf is adjusted.
The DNS server will be secured by:
- Running BIND with fewer privileges (as the unprivileged named user, which the CentOS package does by default),
- Limiting queries and recursion to the LAN only,
- Limiting zone transfers to the LAN only,
- Hiding the BIND version number and hostname (the CHAOS-class version.bind and hostname.bind queries) from being disclosed,
- Configuring iptables to allow access to TCP/UDP port 53 from the LAN only.
Installation
Install BIND packages:
# yum install -y bind bind-utils
Start BIND on boot:
# chkconfig named on
Update the /etc/resolv.conf file:
search hl.local
nameserver 127.0.0.1
nameserver 10.8.8.2
The interface has PEERDNS=no in its ifcfg file, so the network scripts will not overwrite this file.
Configuration
Create a log directory:
# mkdir /var/log/named
# chown named:named /var/log/named
/etc/named.conf
Some comments are provided. Please check the BIND 9.8 Administrator Reference Manual for more info. Two things to be aware of in this configuration: the common_log channel is set to severity error, and the queries category logs at info, so no query log lines will appear until the channel severity is lowered to info (query logging can also be toggled at run time with rndc querylog); and dnssec-lookaside auto depends on ISC's DLV registry, which ISC has since shut down, so on anything newer than this lab the line should be dropped.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

# Limiting access to local networks only
acl "clients" {
  127.0.0.0/8;
  10.8.8.0/24;
};

options {
  listen-on port 53 { any; };
  listen-on-v6 { none; };
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";

  # Maximum number of simultaneous client TCP connections to accept
  tcp-clients 50;

  # Disable built-in server information zones
  version none;
  hostname none;
  server-id none;

  # Attempt to do all the work required to answer the query
  recursion yes;
  recursive-clients 100;
  allow-recursion { clients; };
  allow-query { clients; };

  # Only LAN users are allowed to receive zone transfers from the server
  allow-transfer { clients; };

  auth-nxdomain no;
  notify no;

  dnssec-enable yes;
  dnssec-validation auto;
  dnssec-lookaside auto;

  # Path to ISC DLV key
  bindkeys-file "/etc/named.iscdlv.key";
  managed-keys-directory "/var/named/dynamic";
};

# Specifications of what to log, and where the log messages are sent
logging {
  channel "common_log" {
    file "/var/log/named/named.log" versions 10 size 5m;
    severity error;
    print-category yes;
    print-severity yes;
    print-time yes;
  };
  category default { "common_log"; };
  category general { "common_log"; };
  category queries { "common_log"; };
  category client { "common_log"; };
  category security { "common_log"; };
  category query-errors { "common_log"; };
  category lame-servers { null; };
};

# Internal zone definitions
zone "hl.local" {
  type master;
  file "/etc/named/db.hl.local";
  allow-update { none; };
};

zone "8.8.10.in-addr.arpa" {
  type master;
  file "/etc/named/db.8.8.10";
  allow-update { none; };
};
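The following is an added example, not code from the original post: a small Python audit that reads a named.conf and reports which of the hardening items listed earlier (queries, recursion and zone transfers restricted to an ACL, version/hostname/server-id set to none) are missing, and also catches the logging trap where the queries category is sent to a channel whose severity is above info. The function names are my own and the sample configuration is constructed, with allow-transfer deliberately opened up so the report is not empty.

```python
import re

# Constructed sample: the parts of the post's named.conf the audit looks at,
# with one deliberate weakness (allow-transfer { any; }) so the report is not empty.
SAMPLE_NAMED_CONF = """
acl "clients" { 127.0.0.0/8; 10.8.8.0/24; };
options {
  listen-on port 53 { any; };
  version none; hostname none; server-id none;
  recursion yes;
  allow-recursion { clients; };
  allow-query { clients; };
  allow-transfer { any; };   # weak: any host may pull the zones
};
logging {
  channel "common_log" {
    file "/var/log/named/named.log" versions 10 size 5m;
    severity error;
  };
  category queries { "common_log"; };
  category security { "common_log"; };
};
"""

ANY = {"any", "0.0.0.0/0", "::/0"}
# named's severities from most to least severe; 'queries' messages are logged at info
SEVERITIES = ["critical", "error", "warning", "notice", "info", "debug", "dynamic"]


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def block_body(text, header_re):
    """Body of the first brace block whose header matches header_re, brace-balanced."""
    m = re.search(header_re + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unbalanced braces after %r" % header_re)


def address_list(body, directive):
    """Entries of `directive { a; b; };`, or None if the directive is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % directive, body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def scalar(body, directive):
    """Value of `directive value;`, or None if absent."""
    m = re.search(r"\b%s\s+([^;{]+);" % directive, body)
    return m.group(1).strip().strip('"') if m else None


def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    text = strip_comments(conf)
    opts = block_body(text, r"\boptions") or ""
    findings = []
    for directive in ("allow-query", "allow-recursion", "allow-transfer"):
        acl = address_list(opts, directive)
        if acl is None:
            findings.append("%s not set explicitly" % directive)
        elif ANY & set(acl):
            findings.append("%s permits any host" % directive)
    for directive in ("version", "hostname", "server-id"):
        if scalar(opts, directive) != "none":
            findings.append("%s is disclosed (set it to none)" % directive)
    # Query logging trap: 'category queries' messages are emitted at severity info,
    # so a channel whose severity is error (or stricter) silently drops them.
    logging = block_body(text, r"\blogging") or ""
    for m in re.finditer(r"\bcategory\s+queries\s*\{([^}]*)\}", logging):
        for channel in (c.strip().strip('"') for c in m.group(1).split(";") if c.strip()):
            ch = block_body(logging, r'\bchannel\s+"?%s"?' % re.escape(channel)) or ""
            sev = scalar(ch, "severity") or "info"   # named's default channel severity is info
            if sev in SEVERITIES and SEVERITIES.index(sev) < SEVERITIES.index("info"):
                findings.append("category queries goes to channel %s at severity %s; "
                                "query messages are info, so nothing is logged" % (channel, sev))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NAMED_CONF) or ["no findings"]:
        print(finding)
```

To run it against the live server, read /etc/named.conf (or the output of named-checkconf -p, which expands includes) into audit() instead of the constructed sample. The parser is deliberately minimal: it balances braces and strips comments, which is enough for the flat options and logging blocks used here, but it does not handle views.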
/etc/named/db.hl.local
$TTL 86400
@          IN  SOA  localhost. root.localhost. (
                        2015101000  ; Serial
                        86400       ; Refresh
                        3600        ; Retry
                        604800      ; Expire
                        7200 )      ; Negative Cache TTL
@          IN  NS   localhost.
@          IN  A    10.8.8.2
dhcp       IN  A    10.8.8.2
dns        IN  A    10.8.8.2
ntp        IN  A    10.8.8.2
puppet     IN  A    10.8.8.2
smtp       IN  A    10.8.8.2
spacewalk  IN  A    10.8.8.2
/etc/named/db.8.8.10
$TTL 86400
@   IN  SOA  localhost. root.localhost. (
                2015101000  ; Serial
                86400       ; Refresh
                3600        ; Retry
                604800      ; Expire
                7200 )      ; Negative Cache TTL
@   IN  NS   localhost.
2   IN  PTR  dhcp.hl.local.       ;10.8.8.2
2   IN  PTR  dns.hl.local.        ;10.8.8.2
2   IN  PTR  ntp.hl.local.        ;10.8.8.2
2   IN  PTR  puppet.hl.local.     ;10.8.8.2
2   IN  PTR  smtp.hl.local.       ;10.8.8.2
2   IN  PTR  spacewalk.hl.local.  ;10.8.8.2
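Forward and reverse zones drift apart as hosts are added, and named-checkzone only validates each file on its own. The following added example (my own Python, not code from the original post) parses both zone files above, including the parenthesised multi-line SOA, and lists every A record without a matching PTR and every PTR without a matching A; it also bumps the YYYYMMDDnn serial the post uses, which has to change on every edit or slaves and caches keep the old data. The zone texts are copies of the two files above with one constructed extra record each (marked in the comments) so the report is not empty; the apex A record is also reported, because nothing in the reverse zone points back at hl.local., which is a judgement call for the administrator. Function names are my own.

```python
from datetime import date

# Constructed samples: the two zone files from this post, each with one extra
# record added (see the comments) so the consistency check has something to report.
FORWARD_ZONE = """\
$TTL 86400
@          IN  SOA  localhost. root.localhost. (
                        2015101000  ; Serial
                        86400       ; Refresh
                        3600        ; Retry
                        604800      ; Expire
                        7200 )      ; Negative Cache TTL
@          IN  NS   localhost.
@          IN  A    10.8.8.2
dhcp       IN  A    10.8.8.2
dns        IN  A    10.8.8.2
ntp        IN  A    10.8.8.2
puppet     IN  A    10.8.8.2
smtp       IN  A    10.8.8.2
spacewalk  IN  A    10.8.8.2
mail       IN  A    10.8.8.3   ; constructed: no PTR for it in the reverse zone
"""

REVERSE_ZONE = """\
$TTL 86400
@   IN  SOA  localhost. root.localhost. (
                2015101000  ; Serial
                86400       ; Refresh
                3600        ; Retry
                604800      ; Expire
                7200 )      ; Negative Cache TTL
@   IN  NS   localhost.
2   IN  PTR  dhcp.hl.local.       ;10.8.8.2
2   IN  PTR  dns.hl.local.        ;10.8.8.2
2   IN  PTR  ntp.hl.local.        ;10.8.8.2
2   IN  PTR  puppet.hl.local.     ;10.8.8.2
2   IN  PTR  smtp.hl.local.       ;10.8.8.2
2   IN  PTR  spacewalk.hl.local.  ;10.8.8.2
3   IN  PTR  relay.hl.local.      ; constructed: no A record for it in the forward zone
"""


def records(text):
    """Return (owner, rtype, rdata) tuples, joining parenthesised multi-line RRs."""
    out, buf, depth, last_owner = [], [], 0, None
    for line in text.splitlines():
        line = line.split(";", 1)[0]                    # strip ';' comments
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:                                   # still inside ( ... )
            continue
        raw, buf = " ".join(buf), []
        tokens = raw.split()
        if not tokens or tokens[0].startswith("$"):     # blank line or $TTL/$ORIGIN
            continue
        if raw[:1].isspace():                           # blank owner field inherits the last one
            owner, rest = last_owner, tokens
        else:
            owner, rest = tokens[0], tokens[1:]
        last_owner = owner
        if rest and rest[0].isdigit():                  # optional per-record TTL
            rest = rest[1:]
        if rest and rest[0] in ("IN", "CH", "HS"):      # optional class
            rest = rest[1:]
        if rest:
            out.append((owner, rest[0], rest[1:]))
    return out


def fqdn(owner, origin):
    """Make a zone-file owner name absolute; '@' is the zone apex."""
    if owner == "@":
        return origin
    return owner if owner.endswith(".") else owner + "." + origin


def reverse_prefix(rev_origin):
    """'8.8.10.in-addr.arpa.' -> '10.8.8.' so PTR owners become full addresses."""
    octets = rev_origin.rstrip(".").replace(".in-addr.arpa", "").split(".")
    return ".".join(reversed(octets)) + "."


def check(forward, fwd_origin, reverse, rev_origin):
    """Sorted list of A/PTR asymmetries between the two zones; [] means they agree."""
    a = {}                                              # name -> set of addresses
    for owner, rtype, rdata in records(forward):
        if rtype == "A":
            a.setdefault(fqdn(owner, fwd_origin), set()).add(rdata[0])
    prefix = reverse_prefix(rev_origin)
    ptr = {}                                            # address -> set of names (PTR targets absolute)
    for owner, rtype, rdata in records(reverse):
        if rtype == "PTR":
            ptr.setdefault(prefix + owner, set()).add(rdata[0])
    problems = []
    for name in a:
        for addr in a[name]:
            if name not in ptr.get(addr, ()):
                problems.append("A %s -> %s has no PTR" % (name, addr))
    for addr in ptr:
        for name in ptr[addr]:
            if addr not in a.get(name, ()):
                problems.append("PTR %s -> %s has no matching A" % (addr, name))
    return sorted(problems)


def next_serial(current, today=None):
    """Next YYYYMMDDnn serial: today's date with nn=00, or nn+1 if already bumped today."""
    today = today or date.today().strftime("%Y%m%d")
    cur = str(current)
    if cur[:8] == today:
        if cur[8:] == "99":
            raise ValueError("100 changes in one day; serial format exhausted")
        return "%s%02d" % (today, int(cur[8:]) + 1)
    if cur > today + "00":
        raise ValueError("current serial %s is in the future" % cur)
    return today + "00"


if __name__ == "__main__":
    for problem in check(FORWARD_ZONE, "hl.local.", REVERSE_ZONE, "8.8.10.in-addr.arpa."):
        print(problem)
    print("next serial after 2015101000:", next_serial("2015101000"))
```

On the real server, read /etc/named/db.hl.local and /etc/named/db.8.8.10 into check() with the same origins. Several PTR records for one address, as in the reverse zone above, are legal and the checker accepts them as long as each target has a matching A record; most callers of reverse lookup only use the first answer, so one canonical name per address is the usual choice.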
Verify BIND Configuration
# named-checkconf /etc/named.conf
named-checkconf only parses named.conf; adding -z makes it test-load the master zone files as well, which catches a typo in db.hl.local or db.8.8.10 before named tries to serve it. Restart the service if no errors were raised:
# /etc/init.d/named restart
Configure Iptables on the BIND Server to Allow LAN Access
Iptables will be configured via Puppet. The lines below are used for the time being only:
# iptables -I INPUT -s 10.8.8.0/24 -p tcp -m state --state NEW --dport 53 -j ACCEPT
# iptables -I INPUT -s 10.8.8.0/24 -p udp -m state --state NEW --dport 53 -j ACCEPT
The rules are inserted (-I) rather than appended (-A): the stock CentOS 6 ruleset ends the INPUT chain with a REJECT rule, and an ACCEPT appended after it never matches. Only the LAN source is accepted; port 53 from any other source falls through to that REJECT. The rules are not persistent until service iptables save is run, which is fine here since Puppet will take over.
Troubleshooting
Check logs:
# tail /var/log/messages
# tail /var/log/named/named.log
I think I am missing how you created this host to install DNS/bind on. I am thinking it is the first VM built but not sure if this is the puppet server?
Check the first part of the series where I set up VirtualBox, create a template and install a VM. You’re right, the Puppet server provides DHCP, DNS, NTP and SMTP services.
The first VM created is VM="CentOS_6"; # name of the virtual machine
In part 2 at the beginning you write:
BIND server’s info:
Hostname: spacewalk
Since I do not see where you built and named the physical server that gets VirtualBox installed on it, could it be the one named spacewalk that has DNS, DHCP etc. installed on it?
Guessing it too was CentOS 6 or 7 minimal to begin with?
The first part covers VirtualBox: how to deploy it on a headless machine (no GUI), and how to create a CentOS virtual machine. The name of the physical server is irrelevant in this case.
Once you have VirtualBox installed and a CentOS guest deployed, you can follow parts two to eight to create the management server (Spacewalk/Puppet/DNS etc). The hostname of the guest is “spacewalk”. I hope that this clarifies things.
category lame-servers { null; };
Should this be name-server?
No, the category name is correct. We want to send these messages to the null channel.