This section installs bind9 as a local DNS cache.
A caching-only name server resolves name queries and remembers the answers, so the next time the same name is needed the waiting time is significantly shorter.
root@server:~# aptitude install bind9 bind9-doc dnsutils
To speed up and lighten name resolution, we can also forward queries to DNS caches on outside servers. ISPs usually provide DNS caches, but there are other DNS cache services available, claiming to be faster and safer, like:
Also, for security, our DNS server will only answer queries coming from internal addresses.
The configuration is stored in the file /etc/bind/named.conf.options:
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        // OpenDNS servers
        208.67.222.222;
        208.67.220.220;
        // ADSL router
        192.168.1.1;
    };

    // Security options
    listen-on port 53 { 127.0.0.1; 192.168.1.100; };
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
    allow-transfer { none; };

    auth-nxdomain no;    # conform to RFC1035
    // listen-on-v6 { any; };
};
Check for possible syntax errors:
root@server:~# named-checkconf
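named-checkconf confirms that the file parses, not that the security options actually keep outside clients away from the cache. The following check is an added example, not part of the original page or of BIND: it audits the four directives set above, and the function names and both sample configurations are constructed for illustration.

```python
import re

# Address-match elements that admit every client.
WIDE_OPEN = {"any", "0.0.0.0/0", "::/0"}
DIRECTIVES = ("allow-query", "allow-recursion", "allow-transfer", "listen-on")

def acl_lists(conf_text):
    """Return {directive: [elements]}; assumes flat lists, no comment markers in strings."""
    body = re.sub(r"/\*.*?\*/", "", conf_text, flags=re.S)   # /* ... */ comments
    body = re.sub(r"(//|#).*", "", body)                     # // and # comments
    found = {}
    for name in DIRECTIVES:
        m = re.search(r"(?<![\w-])" + re.escape(name)
                      + r"\s*(?:port\s+\d+\s*)?\{([^{}]*)\}", body)
        if m:
            found[name] = [e.strip() for e in m.group(1).split(";") if e.strip()]
    return found

def audit(conf_text):
    """List settings that do not restrict the cache to chosen clients."""
    acls = acl_lists(conf_text)
    findings = []
    for name in ("allow-query", "allow-recursion"):
        if name not in acls:
            findings.append(f"{name}: not set, BIND's built-in default applies")
        elif WIDE_OPEN & set(acls[name]):
            findings.append(f"{name}: open to any client")
    if acls.get("allow-transfer") != ["none"]:
        findings.append("allow-transfer: not explicitly set to none")
    if "listen-on" not in acls or WIDE_OPEN & set(acls["listen-on"]):
        findings.append("listen-on: not restricted to specific addresses")
    return findings

# Constructed sample: the security options from the page.
PAGE_CONF = """
options {
    listen-on port 53 { 127.0.0.1; 192.168.1.100; };
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
    allow-transfer { none; };
    // listen-on-v6 { any; };
};
"""
# Constructed sample: a deliberately permissive variant for contrast.
OPEN_CONF = "options { allow-query { any; }; allow-recursion { 0.0.0.0/0; }; };"

if __name__ == "__main__":
    for label, conf in (("page", PAGE_CONF), ("open", OPEN_CONF)):
        print(label, audit(conf) or "no findings")
```

To audit the live file, pass the contents of /etc/bind/named.conf.options to audit().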
Update /etc/resolv.conf, so DNS queries will be performed locally:
nameserver 127.0.0.1
Also, /etc/nsswitch.conf must look like this:
# [...]
hosts: files dns
# [...]
Restart the DNS service:
root@server:~# /etc/init.d/bind9 restart
Perform a forward lookup test:
root@server:~# nslookup www.debian.org
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: www.debian.org
Address: 206.12.19.7
Name: www.debian.org
Address: 128.31.0.51
A reverse lookup test:
root@server:~# nslookup 206.12.19.7
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
7.19.12.206.in-addr.arpa name = bellini.debian.org.

Authoritative answers can be found from:
. nameserver = c.root-servers.net.
. nameserver = d.root-servers.net.
. nameserver = h.root-servers.net.
. nameserver = a.root-servers.net.
. nameserver = m.root-servers.net.
. nameserver = g.root-servers.net.
. nameserver = f.root-servers.net.
. nameserver = k.root-servers.net.
. nameserver = i.root-servers.net.
. nameserver = b.root-servers.net.
. nameserver = l.root-servers.net.
. nameserver = e.root-servers.net.
. nameserver = j.root-servers.net.
a.root-servers.net internet address = 198.41.0.4
b.root-servers.net internet address = 192.228.79.201
c.root-servers.net internet address = 192.33.4.12
d.root-servers.net internet address = 128.8.10.90
e.root-servers.net internet address = 192.203.230.10
f.root-servers.net internet address = 192.5.5.241
g.root-servers.net internet address = 192.112.36.4
h.root-servers.net internet address = 128.63.2.53
i.root-servers.net internet address = 192.36.148.17
j.root-servers.net internet address = 192.58.128.30
k.root-servers.net internet address = 193.0.14.129
l.root-servers.net internet address = 199.7.83.42
m.root-servers.net internet address = 202.12.27.33
Open the Internet Protocol Version 4 (TCP/IPv4) Properties dialog of the network adapter and type the IP address of our DNS server as the Preferred DNS server:
On Linux systems, just edit the /etc/resolv.conf file and add the IP address of our DNS server as the nameserver:
# [...]
nameserver 192.168.1.100
# [...]
The DNS server address can also be assigned automatically using the DHCP protocol. To do this, add the domain-name-servers option to the DHCP server configuration file /etc/dhcp/dhcpd.conf:
# [...]
option domain-name-servers 192.168.1.100;
# [...]