Howtos — DNS
This document describes how to install and configure a domain name server. OS used: Linux (Fedora 9); tools used: bind and iptables.
-
Get and install bind:
[1] Download the package at:
http://download.fedora.redhat.com/pub/fedora/linux/releases/9/Fedora/x86_64/os/Packages,
and install it by executing:
# rpm -ivh bind-x.x.x.rpm; or
[2] If the Fedora 9 DVD is available, install the package from it by executing:
# mount /dev/cdrom /mnt
# rpm -ivh /mnt/Packages/bind-x.x.x.rpm; or
[3] If internet access is available, take the easy way and execute:
# yum install bind -
Create /etc/named.conf file, and add this entry:
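// networks allowed to use this server as a recursive resolver
acl "trusted-subnet"
{
a.b.c.d/26; // public subnet (from provider)
192.168.0.0/24; // local
};
options
{
directory "/var/named";
pid-file "/var/run/named/named.pid";
// Do not pin the outgoing query source port (the original had
// "query-source address * port 53;"). named already picks a random
// source port for each query by default; a fixed, predictable port
// makes it much easier for a forged answer to match an outstanding
// query. Leaving this at the default also makes the iptables
// MASQUERADE --random workaround unnecessary.
query-source address * port *;
transfer-source * port 53;
notify-source * port 53;
// reply to version.bind queries with a bogus string instead of the real version
version "0";
dnssec-enable yes;
};
// Internal view: recursive service for localhost, directly attached
// networks and the trusted subnet only.
view "internal"
{
match-clients { localnets; localhost; "trusted-subnet"; };
match-destinations { localnets; localhost; "trusted-subnet"; };
recursion yes;
zone "." {
type hint;
file "named.root";
};
zone "localhost" {
type master;
file "named.localhost";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" {
type master;
file "named.127-0-0-1";
allow-update { none; };
};
// prevent lookups for broadcast addresses ending in .255
zone "255.in-addr.arpa" {
type master;
file "named.255";
allow-update { none; };
};
// prevent lookups for network addresses ending in .0
zone "0.in-addr.arpa" {
type master;
file "named.0";
allow-update { none; };
};
// primary server for MU.edu.ph
zone "mu.edu.ph" {
type master;
file "named.mu-edu-ph";
allow-query { any; };
allow-update { none; };
};
// slave server for x.x.x.x/26 subnet, requires redelegation from provider
zone "0/z.y.x.w.in-addr.arpa" {
type slave;
masters { w.x.y.z; };
file "named.a-b-c-d";
allow-query { any; };
};
};
// External view: authoritative-only service for everyone else.
// recursion is off so this server cannot be used as an open resolver.
view "external"
{
match-clients { any; };
match-destinations { any; };
recursion no;
// root
zone "." {
type hint;
file "named.root";
};
// primary server for MU.edu.ph
zone "mu.edu.ph" {
type master;
file "named.mu-edu-ph";
allow-query { any; };
allow-update { none; };
// BIND's default allow-transfer is "any", so the whole zone can be
// fetched by anyone with AXFR. Restrict it to your own secondaries,
// e.g. (placeholder address):
// allow-transfer { <SECONDARY-IP>; };
};
// slave server for x.x.x.x/26 subnet, requires redelegation from provider
zone "0/z.y.x.w.in-addr.arpa" {
type slave;
masters { w.x.y.z; };
file "named.a-b-c-d";
allow-query { any; };
};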
}; -
Set up source port randomization for outgoing DNS queries by editing the nat table section of the /etc/sysconfig/iptables file and adding these entries (this is only needed when named itself sends queries from a fixed source port):
-A POSTROUTING -o ! lo -p udp --dport 53 -j MASQUERADE --to-ports 1024-65535 --random
-A POSTROUTING -o ! lo -p tcp --dport 53 -j MASQUERADE --to-ports 1024-65535 --random
-
Add named to the boot-up sequence by executing these:
# /sbin/chkconfig --add named
# /sbin/chkconfig --level 12345 named off
# /sbin/chkconfig --level 3 named on