Domain Name System
The Domain Name System (DNS) is the crucial glue that keeps
computer networks in harmony by converting human-friendly hostnames to the
numerical IP addresses computers require to communicate with each other. DNS is
one of the largest and most important distributed databases the world depends
on by serving billions of DNS requests daily for public IP addresses. Most
public DNS servers today are run by larger ISPs and commercial companies but
private DNS servers can also be useful for private home networks. This article
will explore some advantages of setting up various types of DNS servers in the
home network.
Why set up a private DNS server?
This question is valid and the answer may vary depending on
your home network environment. Maintaining a host file on each client with
IP/hostname mappings in a home network that contains a router and a few
machines may be sufficient for most users. If your network contains more than a
few machines, then adding a private DNS server may be more attractive and worth
the setup effort. Some advantages may include:
- Maintenance: keeping track of the host file for every client in your network can be tedious. In fact, it may not even be feasible for roaming DHCP laptops or your occasional LAN party guests. Maintaining host information in one central area and allowing DNS to manage host names is more efficient.
- Cache performance: DNS servers can cache DNS information, allowing your clients to acquire DNS information internally without the need to access public nameservers. This performance improvement can add up for tasks such as web browsing.
- Prototyping: A private internal DNS server is an excellent first step to eventually setting up a public accessible DNS server to access a web server or other services hosted on your internal network. Learning from mistakes on an internal network can help prevent duplicate errors on a public DNS server that could result in loss of service for external users. Note: Some ISPs require customers to have a static IP or business subscription when hosting services in a home network environment.
- Cool factor: Ok, I may be stretching it, but the "cool" factor did have some influence when I set up my first home network DNS server. Creating an internal domain that reflects an individual's personality without paying a domain registrar and issuing hostnames to your clients is cool. The cool factor doubles when your customized hostname glows from your friend's laptop screen.
Let's start out simply by setting up a caching-only
nameserver to handle client DNS requests. A caching-only nameserver won't allow
references to internal clients by hostname, but it does allow clients to take
advantage of frequently requested domains that are cached.
Caching nameserver
Fortunately, setting up a caching nameserver is easy using
RHEL (Red Hat Enterprise Linux) or Fedora RPMs. The following RPMs need to be
installed on the machine acting as the nameserver (use rpm -q to determine if
these packages are installed):
bind (includes DNS server, named)
- bind-utils (utilities for querying DNS servers about host information)
- bind-libs (libraries used by the bind server and utils package)
- bind-chroot (tree of files which can be used as a chroot jail for bind)
- caching-nameserver (config files for a simple caching nameserver)
A caching nameserver forwards queries to an upstream
nameserver and caches the results. Open the file
/var/named/chroot/etc/named.conf and add the following lines to the global
options section:
forwarders {
xxx.xxx.xxx.xxx; xxx.xxx.xxx.xxx; }; #IP of upstream ISP nameserver(s)
forward only;
#rely completely on our upstream nameservers
The block above will
cause the caching name server to forward DNS requests it can't resolve to your
ISP nameserver. Save the named.conf file and then assign 644 permissions:
chmod 644 named.conf
Check the syntax using the named-checkconf utility provided
by the bind RPM:
named-checkconf named.conf
Correct any syntax errors (watch those semicolons)
named-checkconf reports. Monitoring the /var/log/messages file may also be
helpful in debugging any errors.
We now need to set the local resolver to point to itself for
DNS resolution. Modify the /etc/resolv.conf file to the following:
nameserver 127.0.0.1
If you are running a DHCP server on your router make sure
your /etc/resolv.conf file does not get overwritten whenever your DHCP lease is
renewed. To prevent this from happening, modify
/etc/sysconfig/network-scripts/ifcfg-eth0 (replace eth0 with your network
interface if different) and make sure the following settings are set:
BOOTPROTO=dhcp
PEERDNS=no
TYPE=Ethernet
Go ahead and start
the nameserver as root and configure to start in runlevels 2-5:
service named start
chkconfig named on
Testing
The bind-utils RPM contains tools we can use to test our
caching nameserver. Test your nameserver using host or dig and querying
redhat.com:
dig redhat.com
.
.
;; Query time: 42 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
From the above dig
query you can see it took 42 msec to receive the DNS request. Now test out the
caching ability of your nameserver by running dig again on the redhat.com
domain:
dig redhat.com
.
.
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
We dropped from 42
msec to 1 msec after the previous DNS query was cached. Caching is working!
Let's now put the cache to work by configuring the clients to use the new
caching nameserver.
Client Configuration
For Linux and Windows clients you may have a couple of
options for your resolver configuration depending on your network environment:
- If you have a router and your client's IP address is assigned via DHCP from the router, then you can use the router to assign the primary nameserver during the DHCP lease requested from the client. Log in to your router and make sure your primary nameserver points to your caching nameserver IP address in the router DHCP settings.
- For Linux clients, you can set up the resolver in the same procedure as the nameserver by modifying the /etc/resolv.conf file. For Windows clients you will need to set the nameserver IP address in the Control Panel -> Network Connections -> TCP/IP -> Properties -> Use the DNS Server Address option. NOTE: The Windows DNS server option may vary depending on your version.
Test your new client configuration(s) using dig. You can use
the nslookup command for Windows clients. Your DNS requests should have similar
response times as we saw earlier when testing the nameserver directly.
NOTE: If you are running a firewall on the nameserver
system, make sure clients have access to port 53. An example iptables rule for
the 192.168.15.0/24 subnet would be:
iptables -A INPUT -s 192.168.15.0/24 -p udp --dport 53 -j
ACCEPT
service iptables save
Summary
Your new caching nameserver offers a performance improvement
with a minimal amount of set up effort. Clients can now ask the caching
nameserver for DNS information, and it only needs to ask the upstream ISP
nameserver for cache misses. In the next issue we will setup a master
nameserver that is responsible for the authoritative information for our
internal client hostnames. An authoritative nameserver also caches by default
but additionally allows managing both static and DHCP clients using personalized
hostnames set up in zone files. In the meantime, enjoy your new caching
nameserver and be thinking about a creative domain and hostname theme for your
future authoritative nameserver.
No comments:
Post a Comment