caching-nameserver Setup

Posted: Fri Apr 17, 2009 9:04 am
by jaoudestudios
How can I set up my server to run as a DNS server? (yum install caching-nameserver)

And is there any downside in doing so?

Thanks

Re: caching-nameserver Setup

Posted: Fri Apr 17, 2009 12:46 pm
by VladSun
What are you trying to do? What do you need?

Re: caching-nameserver Setup

Posted: Fri Apr 17, 2009 1:14 pm
by jaoudestudios
Well, our work DNS keeps having issues, and I keep losing internet, so I thought if it was not too hard to set up my own one?

Re: caching-nameserver Setup

Posted: Fri Apr 17, 2009 4:26 pm
by VladSun
No, it's not :)
Just install it, set it as a primary DNS in your workstations and it will work.
A chrooted DNS setup is better, so you may try it, but it's not obligatory.

Re: caching-nameserver Setup

Posted: Fri Apr 17, 2009 4:53 pm
by jaoudestudios
Cool, thanks :)

Is it a security risk? Or does it take lots of resources? Basically I am asking if there is any reason not to have it?

Re: caching-nameserver Setup

Posted: Mon Apr 20, 2009 1:20 pm
by VladSun
Basically, if it's set up properly there are no security or performance issues. You need to make sure that only your client subnet/s is/are allowed to make DNS queries and these queries must be allowed to be recursive (in order for the DNS cache to be fully used).

A chrooted setup will jail your BIND user, so if there are any future bugs/exploits the attacker will be jailed with the permissions/directory of BIND.
You can even use some iptables rules to "stealth" your DNS service from the Internet, but you should be careful how it's done (i.e. established/related UDP sessions must be accepted). If you wish, I could help you with this.

Re: caching-nameserver Setup

Posted: Mon Apr 20, 2009 7:33 pm
by Doug G
VladSun wrote: Basically, if it's set up properly there are no security or performance issues. You need to make sure that only your client subnet/s is/are allowed to make DNS queries and these queries must be allowed to be recursive (in order for the DNS cache to be fully used).

Chrooted setup will jail your BIND user, so if there are any future bugs/exploits the attacker will be jailed with the permissions/directory of BIND.
You can even use some iptables rules to "stealth" your DNS service from Internet, but you should be careful how it's done (i.e. established/related UDP sessions must be accepted). If you wish, I could help you with this.

Thanks for the info. If you're only running a caching DNS server for your local network, does the DNS server need to be exposed to the internet at all? I've never tried setting up a caching server in Linux, but my W2003 DNS server does recursive external lookups for my LAN clients, and it isn't accessible at all from outside my LAN.

I haven't done much with DNS servers of my own, but I'm interested in setting up an internal server that I can configure to handle 'bogus' internal names.

Re: caching-nameserver Setup

Posted: Mon Apr 20, 2009 11:51 pm
by jaoudestudios
VladSun wrote: If you wish, I could help you with this.

Cheers, I will give it a go, any probs I will let you know. Thanks again :)

Re: caching-nameserver Setup

Posted: Tue Apr 21, 2009 3:03 am
by VladSun
Doug G wrote: If you're only running a caching DNS server for your local network, does the DNS server need to be exposed to the internet at all? I've never tried setting up a caching server in Linux, but my W2003 DNS server does recursive external lookups for my LAN clients, and it isn't accessible at all from outside my LAN.

I haven't done much with DNS servers of my own, but I'm interested in setting up an internal server that I can configure to handle 'bogus' internal names.

The DNS service needs to have Internet access in order to connect to the root and domain DNS servers. So, it must be "exposed" somehow to the Internet. For caching-only DNS there are only outgoing Internet connections.
There are some directives that are useful in this context: allow-query, allow-recursion, listen-on.

Take a look at http://www.debian.org/doc/manuals/netwo ... -bind.html for defining "bogus" domain zones.
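
An added example, not part of any post in this thread: a small Python check that reads a named.conf and reports whether each of the three directives named above (listen-on, allow-query, allow-recursion) is restricted, open to `any`, or missing. The two configurations, the 192.168.1.0/24 subnet, the `clients` ACL name and all function names are constructed for illustration; the parser assumes flat address-match lists and looks only at the first occurrence of each directive.

```python
import re

# Directives named in the thread; each takes a BIND address-match list.
DIRECTIVES = ("listen-on", "allow-query", "allow-recursion")

# Constructed sample: answers anyone and leaves recursion to the BIND default.
WEAK = """
options {
    listen-on port 53 { any; };
    allow-query { any; };
};
"""

# Constructed sample: only the (assumed) client subnet may query and recurse.
HARDENED = """
acl "clients" { 127.0.0.1; 192.168.1.0/24; };  // assumed LAN subnet
options {
    listen-on port 53 { 127.0.0.1; 192.168.1.10; };
    allow-query { clients; };
    allow-recursion { clients; };
};
"""

def elems(body):
    """Split the inside of { ... } into its ';'-separated elements."""
    return [e.strip().strip('"') for e in body.split(";") if e.strip()]

def expand(items, acls, seen=()):
    """Replace ACL names with their members so 'any' cannot hide behind one."""
    out = []
    for item in items:
        nested = item in acls and item not in seen
        out += expand(acls[item], acls, seen + (item,)) if nested else [item]
    return out

def audit(conf):
    """Map each directive to 'missing', 'open' (matches any) or 'restricted'."""
    conf = re.sub(r"/\*.*?\*/|(?://|#)[^\n]*", "", conf, flags=re.S)
    acls = {n: elems(b) for n, b in
            re.findall(r'\bacl\s+"?([\w-]+)"?\s*\{([^}]*)\}', conf)}
    report = {}
    for name in DIRECTIVES:
        m = re.search(r"(?<![\w-])%s(?![\w-])[^{;]*\{([^}]*)\}" % name, conf)
        if m is None:
            report[name] = "missing"   # the installed BIND's default applies
        else:
            hosts = expand(elems(m.group(1)), acls)
            report[name] = "open" if "any" in hosts else "restricted"
    return report
```

`audit(WEAK)` reports listen-on and allow-query as open and allow-recursion as missing, while `audit(HARDENED)` reports all three as restricted.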

Re: caching-nameserver Setup

Posted: Tue Apr 21, 2009 11:21 am
by Doug G
Thanks