DNS Configuration

This document describes the procedure for installing and configuring a domain name server. OS used: Linux (Fedora 9); tools used: bind and iptables. by: Mr. Howard Bagcat

  • Get and install bind:
    [1] Download the package at:
    http://download.fedora.redhat.com/pub/fedora/linux/releases/9/Fedora/x86_64/os/Packages,
    and install it by executing:
    # rpm -ivh bind-x.x.x.rpm; or

    [2] If Fedora 9 DVD is present, install the package by executing these:
    # mount /dev/cdrom /mnt
    # rpm -ivh /mnt/Packages/bind-x.x.x.rpm; or

    [3] If internet access is available, take the easy way by executing this:
    # yum install bind
  • Create the /etc/named.conf file and add the following configuration:
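    // Networks allowed to use the recursive "internal" view (see match-clients below).
    acl "trusted-subnet"
    {
       a.b.c.d/26; // public subnet (from provider)
       192.168.0.0/24; // local
    };
    options
    {
       directory "/var/named";
       pid-file "/var/run/named/named.pid";
       // No fixed source port for outgoing queries: a fixed, predictable query port
       // removes the port entropy that makes spoofed answers (cache poisoning) hard
       // to land. The iptables MASQUERADE --random step below also re-maps the port
       // at the NAT layer, but the resolver should not depend on that rule alone.
       query-source address *;
       // Zone-transfer requests and NOTIFY messages still leave from port 53; if
       // nothing on the network filters on that source port, the fixed port can be
       // dropped here as well ("transfer-source *;" / "notify-source *;").
       transfer-source * port 53;
       notify-source * port 53;
       // Report "0" instead of the real version string for version.bind queries.
       version "0";
       dnssec-enable yes;
       // Zone transfers (AXFR/IXFR) are otherwise allowed to any client; deny by
       // default and re-enable per zone only for the secondaries that need them.
       allow-transfer { none; };
    };
    // Recursive view for local and trusted clients only.
    view "internal"
    {
       match-clients { localnets; localhost; "trusted-subnet"; };
       match-destinations { localnets; localhost; "trusted-subnet"; };
       recursion yes;
       // root hints
       zone "." {
           type hint;
           file "named.root";
       };
       zone "localhost" {
         type master;
         file "named.localhost";
         allow-update { none; };
       };
       zone "0.0.127.in-addr.arpa" {
         type master;
         file "named.127-0-0-1";
         allow-update { none; };
       };
       // prevent lookups for broadcast addresses ending in .255
       zone "255.in-addr.arpa" {
         type master;
         file "named.255";
         allow-update { none; };
       };
       // prevent lookups for network addresses ending in .0
       zone "0.in-addr.arpa" {
         type master;
         file "named.0";
         allow-update { none; };
       };
       // primary server for MU.edu.ph
       zone "mu.edu.ph" {
         type master;
         file "named.mu-edu-ph";
         allow-query { any; };
         allow-update { none; };
         // If another server is a secondary for this zone, list it here, e.g.
         // allow-transfer { SECONDARY-NS-IP; };  (options above defaults to none)
       };
       // slave server for x.x.x.x/26 subnet, requires redelegation from provider
       // (classless reverse zone; the name must match what the provider delegates)
       zone "0/z.y.x.w.in-addr.arpa" {
         type slave;
         masters { w.x.y.z; };
         // Each slave zone writes its own file; this name must differ from the
         // one used by the copy of this zone in the "external" view, because a
         // writable file cannot be shared between two zones.
         file "named.a-b-c-d-internal";
         allow-query { any; };
       };
    };
    // Authoritative-only view for everyone else: no recursion for the Internet.
    view "external"
    {
       match-clients { any; };
       match-destinations { any; };
       recursion no;
       // root
       zone "." {
         type hint;
         file "named.root";
       };
       // primary server for MU.edu.ph
       zone "mu.edu.ph" {
         type master;
         file "named.mu-edu-ph";
         allow-query { any; };
         allow-update { none; };
         // If another server is a secondary for this zone, list it here, e.g.
         // allow-transfer { SECONDARY-NS-IP; };  (options above defaults to none)
       };
       // slave server for x.x.x.x/26 subnet, requires redelegation from provider
       zone "0/z.y.x.w.in-addr.arpa" {
         type slave;
         masters { w.x.y.z; };
         // Separate writable file from the "internal" view's copy of this zone.
         file "named.a-b-c-d-external";
         allow-query { any; };
       };
    };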
  • Set up source-port randomization for outgoing DNS queries by editing the /etc/sysconfig/iptables file and adding these entries to its *nat table section (the POSTROUTING chain and the MASQUERADE target belong to the nat table):
    -A POSTROUTING -o ! lo -p udp --dport 53 -j MASQUERADE --to-ports 1024-65535 --random
    -A POSTROUTING -o ! lo -p tcp --dport 53 -j MASQUERADE --to-ports 1024-65535 --random
  • Add bind to the boot-up sequence by executing these:
    # /sbin/chkconfig --add named
    # /sbin/chkconfig --level 12345 named off
    # /sbin/chkconfig --level 3 named on