Home » Security Bloggers Network » How to set up a DNS Server

How to set up a DNS Server

by Ross Thomas on June 21, 2019

A complete guide to spinning up your own DNS server.

Odds are, if you have a computer and you find yourself on
the interwebs Googling away, you have heard the term ‘DNS’. The fact is that
without DNS none of this would be possible: You wouldn’t be able to read this,
you wouldn’t be able to read information about the newly released OnePlus 7 Pro
(I’m not excited about it, you are) and you wouldn’t be able to read how in the
world the Tampa Bay Lightning got swept in the opening round of the 2019 NHL Eastern
Conference Playoffs (I’m not bitter about it, you are). In fact, none of the
internet or its many information and services would be unavailable without DNS.

A ‘Domain Name Server’s primary function is to translate
easily re(adable)memorable names, such as Amazon.com into an IP address that
are nearly possible to remember en masse. It provides other information, as
mentioned in some of my previous articles, such as (but not limited to) mail
domain information, as in which server to send mail to, and what IP addresses
are valid to send said mail (SPF). But without the simple A or AAAA record to
translate name into IP address, we’re not here reading this now.

There are DNS servers all over the place, the world even.
Many are public, some are private, some are for mass distribution and some are
top level (.com) that use Root Zone servers. Many people have a small DNS
service running in their homes and they might not even know it. Most
“all-in-one” routers contain a DNS service on it that can act as an
intermediary between the Candy Crush servers and their cell phone. That
router’s DNS service will query another server, typically from the ISP, and
that server has queried from another server and they tell 2 friends, and they
tell 2 friends, etc. It’s basically a game of Telephone without the element of
human error (which is, um, I guess the point of Telephone; maybe a bad
analogy).

So, it would stand to reason that most small businesses have
their own DNS server. But why? Basically, for all the right reasons. All the 2
reasons:

Performance – The DNS information is stored
locally and can be served to internal users at a much better time. There is no
need to bounce around the internet to get your information. Plus, you would not
be competing with other people for DNS requests on the external/publicly
available DNS servers.
Security – As you probably guessed by the
analogy of Telephone, and the “fun” of Telephone, it is possible for bad DNS
information to be propagated across the internet. Having your own DNS server
will likely result in the same but certain safeguards can be put in place to
prevent “poisoning” of DNS information.

Before
we move forward of setting up a DNS server, we have to address the question: is
it worth it? In short, the answer is probably yes but the shorter answer is
depends (I’m basing which is shorter simply by letter count). Again, there is a
chance your little router may be caching some DNS information, of popular or
most visited sites, so you are running a small DNS server without you really
knowing about it. The performance may not be great on a larger scale (small to
medium business) so it is almost definitely worth it for those cases.
Specifically and obviously for the 2 reasons outlined above. But also to help
map out internal, private networks that would otherwise not have access from
the public inbound. Many times, it is nice for users of a private network to
know each other by name and not by number and that all depends on the preferred
structure, particularly for security reasons.

Sponsorships Available

There
are so many options for DNS servers that it would be difficult to go through
all of the options. Because of this, we will be going over general concepts and
examine 2 quick walkthroughs of the most popular options.

The
2 options that we will look into will be Microsoft Server 2016 DNS server and
Bind, which is a popular choice among Linux servers.

Get In(terwebs)trawebs Bound with Bind

The
assumption here would be that you are on one of the most popular
distributions/flavors or Linux available: Ubuntu 16.04. But, most other
distributions of Linux will have nearly the exact same steps. Syntax would
likely be the same (also depending on the shell, BaSH assumed here) but
folder/file locations may vary.

Another
assumption is that you are signed into the shell with proper permissions that
would not require ‘sudo’.

With
that, here we go:

From the shell, type:
apt-get install bind9
Once installed, you should see a message
indicating that the DNS service Bind is starting up

Well, that was easy enough. Now, let’s look into some
configuration of the DNS server:

pico /etc/bind/named.conf.local
This will open the file ‘named.conf.local’ with the text editor ‘Pico’
Enter the following text:

 zone "yourDomainNameHere.com" { type master; file "/etc/bind/zones/yourDomainNameHere.com.db"; };   zone "3.2.1.in-addr.arpa" { type master; file "/etc/bind/zones/rev.3.2.1.in-addr.arpa"; }

You should replace ‘yourDomainNameHere.com’ to
your domain
The Reverse DNS name, ‘3.2.1.’ should probably
be the first 3 octets of your IP address in reverse. For example, if the IP
address for your server is, 10.2.1.67, you should list the name as
‘rev.1.2.10’.
Control + C will prompt to exit with the option
to Save. Pressing ‘Y’ and then ‘Enter’ to quit and save under the file name
used to open the editor.
This will set the basic zone configuration of
the forward DNS service and will also set up the reverse DNS service.
We’ll create the correct folder where the DNS
database will live. Type the following:
mkdir /etc/bind/zones
Now, we’ll create the appropriate DB. Type the
following:

·         ; BIND data file for yourDomainNameHere.com
;
$TTL 14400
@ IN SOA ns1. yourDomainNameHere.com. host. yourDomainNameHere.com. (
201006601 ; Serial
7200 ; Refresh
120 ; Retry
2419200 ; Expire
604800) ; Default TTL
;
yourDomainNameHere.com. IN NS ns1. yourDomainNameHere.com.
yourDomainNameHere.com. IN NS ns2. yourDomainNameHere.com.
 
yourDomainNameHere.com. IN MX 10 mail. yourDomainNameHere.com.
yourDomainNameHere.com. IN A abc.def.ghi.jkl
 
ns1 IN A abc.def.ghi.jkl
ns2 IN A abc.def.ghi.jkl
www IN CNAME yourDomainNameHere.com.
mail IN A abc.def.ghi.jkl
ftp IN CNAME yourDomainNameHere.com.
yourDomainNameHere.com. IN TXT "v=spf1 ip4:abc.def.ghi.jkl a mx ~all"
mail IN TXT "v=spf1 a -all"

Replace ‘yourDomainNameHere’ with, guess what,
your domain name.
Replace ‘abc.def.ghi.jkl’ with your server’s IP
address.
Control + C will prompt to exit with the option
to Save. Pressing ‘Y’ and then ‘Enter’ to quit and save under the file name
used to open the editor.
Now we will create the reverse DNS file. Type:

pico /etc/bind/zones/rev.3.2.1.in-addr.arpa
The Reverse DNS name, ‘3.2.1.’ should probably be the first 3 octets of your IP address in reverse. For example, if the IP address for your server is, 10.2.1.67, you should list the name as ‘rev.1.2.10’.
Add the following information:

 @ IN SOA yourDomainNameHere.com. host.yourDomainNameHere.com. ( 2010081401; 28800; 604800; 604800; 86400 );   IN NS ns1.yourDomainNameHere.com. 4 IN PTR yourDomainNameHere.com.

Guess what, replace ‘yourDomainNameHere’ with,
guess what, your domain name. Guess what.
Control + C will prompt to exit with the option
to Save. Pressing ‘Y’ and then ‘Enter’ to quit and save under the file name
used to open the editor.
Now we’ll modify the local file that defines the
DNS servers. Type:

pico /etc/resolv.conf

Enter the following:

search yourDomainNameHere.com

Control + C will prompt to exit with the option
to Save. Pressing ‘Y’ and then ‘Enter’ to quit and save under the file name
used to open the editor.
Now, we’ll restart the service to pull in the
new configuration. Type:

/etc/init.d/bind9 restart

The service should restart with the new
configuration and put you in a very basic configuration.

And Now, The Other One

Just as with Bind, the previous DNS server, listed, there
are assumptions to this installation guide. The big one being that you are
operating OS Microsoft Server 2016 whether Standard or Essentials (either of
which can be virtualized). Also, the need for a user with rights/permissions to
be able to make system changes such as installing the DNS server component as
well as configuration of the DNS Manager.

This will also be a little different than the Bind install
which we did exclusively through the command line (BaSH, in that case). This
Microsoft Server DNS install will be through the friendly GUI and not through
PowerShell. Everything can be done through PowerShell, FYI, but the Microsoft
GUI is friendly enough for basic configuration. Some more advanced stuff may
benefit using PowerShell.

Open the Server Manager in Windows Server 2016.
Select ‘Manage’ in the toppish right and click
on ‘Add Roles and Features’.
Click ‘Next’ through the ‘Installation Type’
Select the server to which you want to add the feature/role.
The current server should be listed but if there any other Windows Servers that
are tied to the current operating one, then they would be selectable, as well.
When the Roles page is loaded, it should list
the current roles that the server can provide. Locate ‘DNS Server’ and check
the box. Hit ‘Next’.
On the ‘Features’ page, any dependencies will be
checked but nothing else would need to be clicked to complete the DNS Server
install. Hit ‘Next’.
The next section, titled as ‘DNS Server’ just gives
some overview information but doesn’t require any action except for, of course,
and guess what, the ‘Next Button.’
The next screen will finalize the proposed
changes. There is a checkbox that will call for a reboot after the task is
performed, if necessary. In this case, it is necessary so if nothing else needs
to be immediately done, it can be checked and rebooted.

Not terribly difficult there. Let’s go ahead and get the
forward and reverse lookup zones created and configured.

Back in Server Manager, select ‘Tools’ and ‘DNS’
which will launch the ‘DNS Manager’.
On the left, there will be a listing of domain
servers. Right-click on the DNS server and select ‘Configure a DNS Server’. A
wizard has suddenly appeared!
When you click on ‘Next’, there is an option to
select what kind of zones you would like to create. The second selection should
be ‘Create Forward and Reverse Lookup Zones’. This is a good option but smaller
networks can probably get away with just creating a Forward lookup zone.
‘Next’.
The next screen will ask if the Forward Lookup
Zone should be configured now. Sure, let’s do that thing.
Set this zone as the ‘Primary Zone’. The name
should be set appropriately.
File
naming is next and it will use the Zone name set previously and add ‘.dns’ to
the end of it. There is no problem with this unless there is an existing DNS
file that should be used.
The next screen will get a bit into personal
preference but there are some guidelines that may help with your decision.
Dynamic updates indicate how DNS information should be populated into the DB.
- ‘Allow only secure dynamic updates’ would be fed
  from Active Directory integrated zones. This would severely limit what can be
  populated. If the DNS server is running just to manage the internal computers,
  this would be a good option.
- ‘Allow both nonsecure and secure dynamic
  updates’ would allow for the previously mentioned but also allow from untrusted
  sources. This is likely not ideal. 3^rd party domains can be trusted
  and this would extend to that but it is best to be in control of where DNS
  information comes from to evade route poisoning or exposure to DDoS.
- ‘Do not allow dynamic updates’ would force that
  all records are added manually. In order for this to work well, the network
  would have to be mostly statically assigned IP addresses which is a lot of
  overhead. Most servers should have a static IP but computers, IP phones, etc
  often work off DHCP as they come and go from the premises. This is a good
  option but has a ton of work with it. Are you prepared?
The next screen will ask if the Reverse Lookup Zone
should be configured now. Sure, let’s do that other thing.
Set this zone as the ‘Primary Zone’. ‘Next’
again.
The following screen will ask if you want to use
IPv4 or IPv6. Even though we exceedingly on borrowed time for IPv4 and should
be dealing with v6, let’s stick with v4. Unless you configure your network to
be on v6. Such a hipster thing to do. But, seriously, we should be on v6. And,
I apologize for the disparaging tone to hipsters.
The next screen will ask to type the first 3
octets of the IP address of that zone. I always thought this was strange
because of how subnet masks work but I guess it is the IP address of the subnet
identifier (first IP address in the subnet which is an unusable (unassignable)
IP).
The next screen will ask for a filename of the
DB that will, by default, name it the reverse of those first 3 octets and add
‘.in-addr.arpa.dns’. This is good but name it anything you want, you rebel you.
Next
screen is the dynamic update thing again that is 6 bullet points (the 3 sub-bullet
points) above this. Again, your decision but the recommendation would be
whatever you picked for the forward-y one.
The next screen is for forwarding when the DNS
server doesn’t have the answer. That will require a different DNS to be setup
that will have the answer (or potentially have more access and would have a
better chance to have the answer). If you’re not there yet, just click ‘Nah’.
If yes, provide the IP address of the other server and hope that the other
server is configured as such.
When you click ‘Next’, it will display the
proposed zone creation and you are done. Start adding records, or, if you
selected the Dynamic Updates, the records will populate on their own.

Here’s a Post amble

As stated, this is a very basic setup for each instance. There are a lot of options as well as features that can be implemented. This basic setup is mostly beneficial for internal networking (intranet) to help map internal computers, phones, etc to the IP addresses they are assigned. That way, you may know the naming format of different computers within the office and not have to know the IP address. It’s like DNS on the internet, but smaller scale. This is, uh, exactly what we are going for with this here. Anyway, this topic and walkthrough has nothing to do with scrutinizing, really but happy scrutinizing anyway!