Setup dns cache

This file simply sources the named. For a caching DNS server, we will only be modifying the named. Open this in your text editor with sudo privileges. As a DNS server that will be used to resolve recursive queries, we do not want the DNS server to be abused by malicious users. An attack called a DNS amplification attack is especially troublesome because it can cause your server to participate in distributed denial of service attacks.

A DNS amplification attack is one way that malicious users try to take down servers or sites on the internet. To do so, they try to find public DNS servers that will resolve recursive queries. In doing so, the DNS server responds to a small request with a large payload directed at the victim's server, effectively amplifying the available bandwidth of the attacker. Hosting a public, recursive DNS server requires a great deal of special configuration and administration.

To avoid the possibility of your server being used for malicious purposes, we will configure a list of IP addresses or network ranges that we trust. Above the options block, we will create a new block called acl. Create a label for the ACL group that you are configuring.

In this guide, we will call the group goodclients. We will also add localhost and localnets, which will attempt to do this automatically. Now that we have an ACL of clients that we want to resolve requests for, we can configure those capabilities in the options block. Within this block, add the following lines. We explicitly turned recursion on, and then configured the allow-query parameter to use our ACL specification. We could have used a different parameter, like allow-recursion, to reference our ACL group.

If present and recursion is on, allow-recursion will dictate the list of clients that can use recursive services. However, if allow-recursion is not set, then Bind falls back on the allow-query-cache list, then the allow-query list, and finally a default of localnets and localhost only.

We are using it because it is the most general way of specifying the ACL. This is actually all that is required for a caching DNS server. If you decided that this is the server type you wish to use, feel free to skip ahead to learn how to check your configuration files, restart the service, and implement client configurations. If a forwarding DNS server is a better fit for your infrastructure, we can easily set that up instead. We will start with the configuration that we left off in the caching server configuration.

The named. However, we need to change the configuration so that the server no longer attempts to perform recursive queries itself. To do this, we do not change recursion to no.

The forwarding server is still providing recursive services by answering queries for zones it is not authoritative for. Instead, we need to set up a list of caching servers to forward our requests to.

First, we create a block called forwarders inside the options block that contains the IP addresses of the recursive name servers that we want to forward requests to. One final change we should make is to the dnssec parameters. With the current configuration, depending on the configuration of the forwarded DNS servers, you may see some errors that look like this in the logs.
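The named.conf.options that the caching and forwarding steps above build up, as an added example rather than the guide's own file: the client subnet and forwarder addresses are placeholders from the documentation ranges, the directory line is the Ubuntu default, and a caching-only server simply omits the forwarders and forward only lines.

```conf
// Added example, not the guide's own file. Addresses are placeholders.
// Trusted clients: only these may send us recursive queries, which keeps
// the server from being usable as an open resolver in amplification attacks.
acl goodclients {
    192.0.2.0/24;    // constructed: the client subnet you trust
    localhost;
    localnets;
};

options {
    directory "/var/cache/bind";   // Ubuntu default working directory

    // Caching server: perform recursion, but answer only the ACL above.
    recursion yes;
    allow-query { goodclients; };

    // Forwarding server only: hand recursive work to these resolvers and
    // never walk the DNS tree ourselves (forward only). Placeholder IPs.
    forwarders {
        198.51.100.53;
        198.51.100.54;
    };
    forward only;

    // Per the guide, switching validation from auto to yes avoids the
    // log errors seen behind some forwarders.
    dnssec-validation yes;
};
```

Run sudo named-checkconf after saving; an empty prompt means the file parsed, and any error names the file and line.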

Save and close the file when you are finished. You should now have a forwarding DNS server in place. Continue to the next section to validate your configuration files and restart the daemon. Now that you have your Bind server configured as either a caching DNS server or a forwarding DNS server, we are ready to implement our changes. If there are no syntax errors in your configuration, the shell prompt will return immediately without displaying any output. If you have syntax errors in your configuration files, you will be alerted to the error and line number where it occurs.

If this happens, go back and check your files for errors. When you have verified that your configuration files do not have any syntax errors, restart the Bind daemon to implement your changes.

Afterwards, keep an eye on the server logs while you set up your client machine to make sure that everything goes smoothly.

Leave this running on the server. Now that you have your server up and running, you can configure your client machine to use this DNS server for queries. Log into your client machine. Otherwise the DNS server will refuse to serve requests for the client.

Changes made here will only last until reboot, which is great for testing. That is because the server will forward all requests and will not attempt to resolve requests on its own. This is quite easy: just change dnssec-validation to yes. If no errors are found in the configuration files, the shell prompt will return immediately without displaying any output. If you have an error in your configuration files, you will be alerted about which file contains the error and on what line number the error occurred.

When you have verified that there are no errors in the configuration files, go ahead and restart the service with the following command. Now you can go ahead and configure some client machines to use the DNS server.

Remember to add them to the trustedclients if they are not on the same subnet.

Prerequisites: a system running Ubuntu.

Open named. Open that file with this command: sudo nano named.

Do that with the following command: sudo service bind9 restart

Configure forwarding DNS server

If a forwarding DNS server fits your needs better, we can set that up instead.

Add forwarding DNS servers

The server is still delivering recursive services for zones it is not authoritative for.

To verify the configuration, run the following command: sudo named-checkconf

If no errors are found in the configuration files, the shell prompt will return immediately without displaying any output.

This event causes name resolution to fail or to be appropriated for subsequent queries in the specified domain. When you set the value for this parameter to True, the DNS server enables cache pollution protection and ignores the Host A record.

The additional query minimally affects DNS server performance. For more information about NS resource records, see Managing resource records. The default value is True.

Specifies the maximum number of concurrent operations that can be established to run the cmdlet. The throttle limit applies only to the current cmdlet, not to the session or to the computer.

Module: DnsServer. Modifies cache settings for a DNS server.