DNS Server

This post is part of a series that starts here.  It assumes that you have already configured your Raspberry PI using the instructions in that post.

The next step for the central network server is to install a DNS server. As my network is a home network the amount of DNS traffic should be fairly light; however, to get the benefit of a local DNS server it is important that the lookup tables are stored in memory. My Pi has only 250Mb of ram, so this might become an issue over time, and it is something I will have to monitor. If it becomes a problem, I could always swap my original Pi for a Pi 3, which will give me 1024MB of ram. I was also considering combining this server with my VPN server; however, I do think that would be unwise.

To help me with installing a DNS server, I'm using this post, which looks simple and suits a simple setup.

The commands below are specific to a Raspberry Pi running Raspbian Jessie, so there might be some differences from the post that I'm using as a guide.

apt-get -y install bind9 bind9utils dnsutils

Before we begin configuring the DNS server we need to open the firewall.

nano /usr/local/bin/firewall.sh

Add this script to the file, changing SERVER_IP to the IP address of your Pi.

#!/bin/sh
# Allow DNS over UDP/53 to and from this server; SERVER_IP is the Pi's own address.
SERVER_IP="192.168.1.6"
# Client queries from unprivileged source ports to our port 53, and the replies to them
iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# Queries from other name servers that use port 53 as their source port, and the replies to them
iptables -A INPUT -p udp -s 0/0 --sport 53 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT

Ctrl-X, Y then Enter.

chmod +x /usr/local/bin/firewall.sh

We can run it now, so that you don't have to reboot your Pi.

/usr/local/bin/firewall.sh

And to have the firewall rules applied again on every reboot:

nano /etc/rc.local

then add this line before the exit 0 line

/usr/local/bin/firewall.sh

Now for the BIND configuration. First let's set up BIND to listen on IPv4 and forward lookups it can't answer itself to Google's public DNS servers.

nano /etc/bind/named.conf.options

Add the following inside the options block, before the }; that closes it at the end of the file.

listen-on { any; };

forwarders {
8.8.8.8; //google-public-dns-a.google.com;
8.8.4.4; //google-public-dns-b.google.com;
};

Then change the line that reads

dnssec-validation auto;

to read

dnssec-validation no;

Next, open the local zone configuration file:

nano /etc/bind/named.conf.local

Add this to the file.

// The key named in allow-update below must be defined in the configuration BIND loads,
// or the zones fail to load with an unknown key. On Debian the bind9 package generates
// it in /etc/bind/rndc.key, which is not included by default, so include it here.
include "/etc/bind/rndc.key";

zone "lan.cjdawson.com" {
    type master;
    file "/etc/bind/db.lan.cjdawson.com";
    allow-update { key rndc-key; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.lan.cjdawson.com.inv";
    allow-update { key rndc-key; };
};

For the first zone I've decided to put my machines on the subdomain lan.cjdawson.com. This is fine for me as I own the cjdawson.com domain, so I know that no one else is going to buy it and start using it. As ICANN has opened up the top level domains, some crazy things will start appearing, so whilst 10 years ago it was safe to use something like .local or .lan, that's not the case anymore, as someone can theoretically buy such a domain and start selling names under it. lan.cjdawson.com on the other hand won't have that problem, so it's perfectly safe for my home network to use. You should choose a domain that you own, or if you don't own one, just be aware of the possibility of someone else actually using it.

The reverse zone name must match the subnet containing the IP addresses of the machines you are adding to the zone file, with the octets reversed: for example 192.168.1.x becomes 1.168.192.in-addr.arpa.

Create the forward lookup zone file and add the resource records:

nano /etc/bind/db.lan.cjdawson.com

Here's the content – you'll need to change this for your network.

$ORIGIN .
$TTL 3600 ; 1 hour
lan.cjdawson.com IN SOA home.lan.cjdawson.com. root.lan.cjdawson.com. (
1 ; serial
3600 ; refresh (1 hour)
600 ; retry (10 minutes)
86400 ; expire (1 day)
600 ; minimum (10 minutes)
)
NS home.lan.cjdawson.com.
$ORIGIN lan.cjdawson.com.
home A 192.168.1.5
dlinkrouter1 A 192.168.1.1
dlinkrouter2 A 192.168.1.1

Ctrl-X, Y then enter.

The records at the bottom are the ones you'll need to modify for the machines you want to be able to look up.

nano /etc/bind/db.lan.cjdawson.com.inv

Here's the content:

$ORIGIN .
$TTL 600 ; 10 minutes
1.168.192.in-addr.arpa IN SOA home.lan.cjdawson.com. root.cjdawson.com. (
1 ; serial
3600 ; refresh (1 hour)
600 ; retry (10 minutes)
86400 ; expire (1 day)
600 ; minimum (10 minutes)
)
NS home.lan.cjdawson.com.
$ORIGIN 1.168.192.in-addr.arpa.
5 PTR home.lan.cjdawson.com.

Again, the records at the bottom will need to be modified for your configuration; the number is the last octet of the IP address.

Ctrl-X, Y then enter.
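The reverse zone follows mechanically from the forward zone: reverse the subnet's octets for the zone name and use each host's last octet as the PTR owner. The script below, added here as an example and not part of the original post, does that for the zone layout shown above; it goes slightly beyond the text by also reporting hosts whose address lies outside the /24 instead of silently dropping them. FORWARD_ZONE is a constructed sample (the post's records plus one made-up host, guestpi, on another subnet), and the function names are my own.

```python
# Constructed sample: the post's forward zone plus one made-up host outside 192.168.1.0/24.
FORWARD_ZONE = """\
$ORIGIN .
$TTL 3600 ; 1 hour
lan.cjdawson.com IN SOA home.lan.cjdawson.com. root.lan.cjdawson.com. (
1 ; serial
3600 ; refresh (1 hour)
600 ; retry (10 minutes)
86400 ; expire (1 day)
600 ; minimum (10 minutes)
)
NS home.lan.cjdawson.com.
$ORIGIN lan.cjdawson.com.
home A 192.168.1.5
dlinkrouter1 A 192.168.1.1
guestpi A 192.168.2.20
"""

def reverse_zone_name(subnet):
    """'192.168.1' -> '1.168.192.in-addr.arpa': the octets reversed, as in-addr.arpa requires."""
    return ".".join(reversed(subnet.split("."))) + ".in-addr.arpa"

def a_records(zone_text):
    """Yield (fqdn, ip) for every A record, applying $ORIGIN the way named does."""
    origin = "."
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in zone files
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        fields = line.split()
        if len(fields) >= 3 and fields[-2] == "A":
            name = fields[0]
            if not name.endswith("."):  # relative owner: qualify it with the current origin
                name = name + "." if origin == "." else f"{name}.{origin}"
            yield name, fields[-1]

def reverse_zone(zone_text, subnet, ns, serial=1):
    """Build the /24 reverse zone; hosts outside the subnet are returned, not silently dropped."""
    ptrs, outside = [], []
    for fqdn, ip in a_records(zone_text):
        prefix, last = ip.rsplit(".", 1)
        if prefix == subnet:
            ptrs.append(f"{last} PTR {fqdn}")  # the last octet is the owner under the reverse origin
        else:
            outside.append((fqdn, ip))
    rz = reverse_zone_name(subnet)
    head = ["$ORIGIN .", "$TTL 600 ; 10 minutes", f"{rz} IN SOA {ns} root.{ns.split('.', 1)[1]} (",
            f"{serial} ; serial", "3600 ; refresh", "600 ; retry", "86400 ; expire",
            "600 ; minimum", ")", f"NS {ns}", f"$ORIGIN {rz}."]
    return "\n".join(head + ptrs) + "\n", outside
```

Write the returned text to the .inv file and run it through named-checkzone (shipped in bind9utils) before restarting BIND; anything in the outside list belongs in a different reverse zone.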

You can check the configuration files by running

Configure BIND to run at boot and start it:

systemctl enable bind9

systemctl start bind9

Next we need to switch the network settings to use our new domain name server.

nano /etc/dhcpcd.conf

Now scroll to the end of the file and comment out this line with a #:

static domain_name_servers=192.168.1.1

Then add this line:

static domain_name_servers=127.0.0.1

Ctrl-X, Y then Enter.

Now type

reboot

to restart your Pi.

Now for a quick test:

dig home.lan.cjdawson.com

If it's working you'll see the answer in the ANSWER section; in my case I see

dhcpserver.lan.cjdawson.com. 3600 IN A 192.168.1.6

and the AUTHORITY section reads like this:

lan.cjdawson.com. 3600 IN NS dhcpserver.lan.cjdawson.com.

If it's wrong, the lookup is being answered by a DNS server other than your own.

Let's try a reverse lookup:

dig -x 192.168.1.6

And again, you’ll get a good answer.

The next test is to check that other programs can use the new DNS server properly.

ping vpnserver.lan.cjdawson.com

If that works, then you should have a properly working DNS server, yay.

 
