
Appendix 3: Configuring a DNS Caching & Forwarding Nameserver

Your local DNS can be configured to function as a caching and forwarding nameserver. Instead of querying the external nameservers every time host and domain information is needed, they are queried once and the answer is cached locally for subsequent queries.

named keeps its cache in memory, not on disk. Over time the cache grows to contain more and more DNS information specific to your internet access patterns. This speeds up connections by avoiding external lookups once the information is stored locally.

18.1 Configuring DNS Caching in RedHat 5.1 and earlier

NOTE: The following applies to RedHat version 5.1 and below. The newer version of bind uses a different configuration file and syntax.

If you are running RedHat 5.1, most of the setup is done for you if you install caching-nameserver-5.1-1.noarch.rpm. Otherwise, here's how, based on the DNS-HOWTO and the DNS and Bind book by Paul Albitz and Cricket Liu.

Make a backup of /etc/named.boot first.

Edit named.boot to contain something like:


; a caching only nameserver config
;
; named.ca: periodically update from ftp.rs.internic.net /domain/named.root
;           LAST DOWNLOAD:  10-17-98
; -----------------------------------------------------------------------
; SIGHUP Causes server to read named.boot and reload the database
; kill -HUP `cat /var/run/named.pid`
; -----------------------------------------------------------------------

directory                               /var/named

cache           .                       named.ca

primary         0.0.127.in-addr.arpa    named.local

; ISP name servers from /etc/resolv.conf
;forwarders     24.128.60.8 24.128.60.7 24.128.1.81
forwarders      24.128.60.8 24.128.60.7 24.128.1.81

; forward-only:  only query the listed forwarders
options forward-only

Edit /etc/sysconfig/network-scripts/ifdhcpc-done.

Add the following two sections:


#---------------------------------------------------------------------
# Update /etc/named.boot forwarders to be the original
# nameservers from /etc/resolv.conf.

# NOTE: a "while read" loop fed by a pipe runs in a subshell, so any
# variable set inside it is lost when the loop ends. Build the list
# with a for loop over the command output instead.
forwarders=""
for naddr in `fgrep nameserver /etc/dhcpc/resolv.conf | sed -e "s/nameserver//"`
do
    forwarders=$forwarders" "$naddr
done

sed -e "s/^forwarders.*$/forwarders     $forwarders/" /etc/named.boot > /var/tmp/named.boot
cp /var/tmp/named.boot /etc/named.boot
rm /var/tmp/named.boot

#---------------------------------------------------------------------
# Update /etc/resolv.conf for local caching nameserver.
# Replace the ISP nameservers with an entry for localhost.

domain=`fgrep domain /etc/dhcpc/resolv.conf | sed -e "s/domain//"`
echo "domain $domain" > /var/tmp/resolv.conf
echo "nameserver 127.0.0.1" >> /var/tmp/resolv.conf
cp /etc/dhcpc/resolv.conf /etc/dhcpc/resolv.conf.bak
cp /var/tmp/resolv.conf /etc/dhcpc/resolv.conf
rm /var/tmp/resolv.conf

# This applies to RedHat 5.+ only.
# Earlier releases used a symbolic link.
cp /etc/dhcpc/resolv.conf /etc

18.2 Configuring DNS Caching in RedHat 5.2 and later

NOTE: The following only applies to RedHat version 5.2 or above. The newer version of bind uses a different configuration file and syntax.

Make a backup of /etc/named.conf first.

Edit named.conf to contain something like:


options {
        directory "/var/named";
        forward only;
        forwarders {
                24.128.60.8;
                24.128.60.7;
                24.128.1.81;
        };

        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.  (Pinning the source port also makes it
         * easier for a forged reply to match an outstanding query, so
         * only pin it if the firewall rules leave no other choice.)
         */
        query-source address * port 53;

        /*
         *  This makes named only listen for queries from your LAN
         *  and localhost (for the LAN used in 18.4 the range would
         *  be 192.168.1/24).
         */
        listen-on {
               your_internal_lan_ip_address_range;
               127/8;
        };
};

// -----------------------------------------------------------------------
// SIGHUP Causes server to read  named.conf  and  reload  the database
// kill -HUP `cat /var/run/named.pid`
// -----------------------------------------------------------------------
zone "." {
        type hint;
        file "named.ca";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};

Edit /etc/sysconfig/network-scripts/ifdhcpc-done.

Add the following two sections:


#---------------------------------------------------------------------
# The following 2 sections support a caching-only nameserver.
# /etc/named.conf, /etc/dhcpc/resolv.conf and /etc/resolv.conf are modified.

# Update /etc/named.conf forwarders to be the original
# nameservers from /etc/resolv.conf.

# NOTE: this is for RedHat versions 5.2 and NEWER

# NOTE: a "while read" loop fed by a pipe runs in a subshell and its
# variables are lost afterwards, so use a for loop over the command
# output. The variables are cleared first so a stale value cannot
# leak into named.conf.
forwarder1="" forwarder2="" forwarder3=""
let cnt=1
for naddr in `fgrep nameserver /etc/dhcpc/resolv.conf | sed -e "s/nameserver //"`
do
    case $cnt in
        1 ) forwarder1=$naddr ;;
        2 ) forwarder2=$naddr ;;
        3 ) forwarder3=$naddr ;;
    esac
    let cnt=$cnt+1
done

# Replace the body of the "forwarders { ... };" block. An empty
# forwarder is skipped rather than written as a bare ";", which
# named would reject.
awk '/forwarders {/ { active = 1; print }                           \
                    /};/ {                                          \
                        if ( active == 1 ) {                        \
                            active = 0;                             \
                            if ( f1 != "" ) print "\t\t" f1 ";";    \
                            if ( f2 != "" ) print "\t\t" f2 ";";    \
                            if ( f3 != "" ) print "\t\t" f3 ";";    \
                        }                                           \
                    }                                               \
                                                                    \
                    {                                               \
                        if ( active == 0 )                          \
                            print;                                  \
                    } '                                             \
    f1=$forwarder1 f2=$forwarder2 f3=$forwarder3 /etc/named.conf > /var/tmp/named.conf

cp /var/tmp/named.conf /etc/named.conf
rm /var/tmp/named.conf

#---------------------------------------------------------------------
# Update /etc/resolv.conf for local caching nameserver.
# Replace the ISP nameservers with an entry for localhost.

# Save the original
cp /etc/dhcpc/resolv.conf /etc/dhcpc/resolv.conf.bak

domain=`fgrep domain /etc/dhcpc/resolv.conf | sed -e "s/domain //"`
echo "domain $domain" > /var/tmp/resolv.conf
echo "nameserver 127.0.0.1" >> /var/tmp/resolv.conf

cp /var/tmp/resolv.conf /etc/dhcpc/resolv.conf
rm /var/tmp/resolv.conf
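The two ifdhcpc-done fragments in 18.1 and 18.2 both copy the DHCP-supplied nameservers into the forwarders setting, one for the named.boot syntax and one for named.conf. The script below is an added example, not code from the HOWTO or from Red Hat's caching-nameserver package: it does the same job for both syntaxes but generalizes it to any number of nameservers (the originals handle one, or at most three), refuses an empty list (with "forward only" and no forwarders, named cannot resolve anything, so the old file is better left alone), and works on files in a scratch directory instead of /etc. The function names, the sample file contents and the 192.0.2.x and 10.0.0.x addresses are constructed for the example.

```shell
#!/bin/sh
# Added example; not from the HOWTO or from Red Hat's packages.
# Rewrites the forwarders of a BIND 4 named.boot and a BIND 8 named.conf
# from the nameserver lines of a resolv.conf, for any number of entries,
# refusing an empty list. All files live in a scratch directory.

# Print the nameserver addresses of a resolv.conf, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# BIND 4 named.boot directive "forwarders <addr> <addr> ...".
# Fails (exit 1) when the resolv.conf carries no nameserver lines.
bind4_forwarders_line() {
    list=$(resolv_nameservers "$1" | tr '\n' ' ' | sed 's/ *$//')
    [ -n "$list" ] || return 1
    printf 'forwarders\t%s\n' "$list"
}

# rewrite_named_boot RESOLV IN OUT: copy IN to OUT with its forwarders
# line replaced (a commented ";forwarders" line is left alone).
rewrite_named_boot() {
    line=$(bind4_forwarders_line "$1") || return 1
    awk -v line="$line" '/^forwarders/ { print line; next } { print }' "$2" > "$3"
}

# rewrite_named_conf RESOLV IN OUT: copy IN to OUT with the body of its
# "forwarders { ... };" block replaced, as the HOWTO's awk does, but for
# any number of entries. index() is used instead of a regex so the
# braces need no escaping.
rewrite_named_conf() {
    [ -n "$(resolv_nameservers "$1")" ] || return 1
    fwd=$(resolv_nameservers "$1" | tr '\n' ' ')
    awk -v fwd="$fwd" '
        index($0, "forwarders") && index($0, "{") { active = 1; print; next }
        active && index($0, "}") {
            n = split(fwd, a, " ")
            for (i = 1; i <= n; i++) print "\t\t" a[i] ";"
            active = 0
        }
        !active { print }
    ' "$2" > "$3"
}

# Constructed sample files: a DHCP-supplied resolv.conf with four
# nameservers, one with none, and both config styles holding stale entries.
write_samples() {
    cat > "$1/resolv.conf" <<'EOF'
domain example.net
nameserver 192.0.2.10
nameserver 192.0.2.11
nameserver 192.0.2.12
nameserver 192.0.2.13
EOF
    echo 'domain example.net' > "$1/no-ns-resolv.conf"
    cat > "$1/named.boot" <<'EOF'
directory       /var/named
cache           .       named.ca
forwarders      10.0.0.1 10.0.0.2
options forward-only
EOF
    cat > "$1/named.conf" <<'EOF'
options {
        directory "/var/named";
        forward only;
        forwarders {
                10.0.0.1;
                10.0.0.2;
        };
};
EOF
}

work=$(mktemp -d)
write_samples "$work"
rewrite_named_boot "$work/resolv.conf" "$work/named.boot" "$work/named.boot.new"
rewrite_named_conf "$work/resolv.conf" "$work/named.conf" "$work/named.conf.new"
cat "$work/named.boot.new" "$work/named.conf.new"
rewrite_named_conf "$work/no-ns-resolv.conf" "$work/named.conf" "$work/named.conf.bad" ||
    echo "refused: no nameserver lines in no-ns-resolv.conf, named.conf left untouched"
rm -rf "$work"
```

To use it on a real box, point the three arguments at /etc/dhcpc/resolv.conf, the live config and a file under /var/tmp, and copy the result over the live config only when the function returns 0, the same copy-then-remove sequence the HOWTO's fragments use.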

18.3 Configuring DNS Caching in All Versions

Download a copy of the root name servers file from ftp.rs.internic.net:/domain/named.root and place it in /var/named/named.ca.

Note that this file is provided in the RedHat 5.1 caching-nameserver package.

Create the file /var/named/named.local.

Note that this file is provided in the RedHat 5.1 caching-nameserver package.

Add the following:


@       IN      SOA     localhost.      root.localhost.  (
                                      1          ; Serial
                                      28800      ; Refresh after 8 hours
                                      3600       ; Retry 1 hour
                                      604800     ; Expire after 1 week
                                      86400 )    ; Minimum TTL of 1 day

        IN      NS      localhost.

1       IN      PTR     localhost.

Make a backup of /etc/dhcpc/resolv.conf (and of /etc/resolv.conf if it's not a symbolic link). Change it to contain:


domain Your_Domain
nameserver 127.0.0.1

Edit /etc/host.conf and make sure it contains:


order hosts, bind

Edit /etc/rc.d/rc.firewall and enable the caching-only rules. Re-run the script.

Restart the nameserver by:

kill -HUP `cat /var/run/named.pid`

Check /var/log/messages for errors.

Test with nslookup. You should see:

Default Server:  localhost
Address:  127.0.0.1
>

Try a known address a few times. The first time you should just see the hostname and address list. The second time, you should also see a line saying "Non-authoritative answer".

The "Non-authoritative answer" line means the answer came from your local nameserver's cache rather than being fetched again from your ISP's nameservers.

18.4 Configuring an Internal DHCP Server for the LAN

In the rc.firewall script, add the following lines.

In the section where variables are declared:

THIS_MACHINE="192.168.1.1/32" # used for local DHCP service

Substitute the IP address of the Linux firewall machine.

Add the following sections:

# --------------------------------------------------------------
# Accept DHCP requests from Windows machines

ipfwadm -I -a accept -W $LOCAL_INTERFACE \
        -S 0.0.0.0/32 \
        -D 255.255.255.255/32

# --------------------------------------------------------------
# DHCP server to local net is valid

ipfwadm -O -a accept -W $LOCAL_INTERFACE \
        -S $THIS_MACHINE \
        -D 0.0.0.0/0

Add the following lines to /etc/rc.d/rc.local:

# Start DHCP daemon
/sbin/route add -host 255.255.255.255 dev eth0
/usr/sbin/dhcpd eth0

If your local Ethernet interface is eth1, make the appropriate changes. If you get an error from the route command, you may have to add a host to your /etc/hosts file:

255.255.255.255 all-ones.localdomain all-ones

There's a different route command to be entered if this is the case -- I'm sorry, I don't remember where on the web I found that information. The first case worked for me.

Edit or create /etc/dhcpd.conf to contain the following information:

option domain-name "your_domain";
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
option domain-name-servers 192.168.1.1;

subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.10 192.168.1.19;
        default-lease-time 3600;
        max-lease-time 7200;
}

This assumes you're using the same Class C network I am using. This file provides the IP range 192.168.1.10 through 192.168.1.19 inclusive to any machine connected on the local net which requests an IP address.

Adjust the lease times (in seconds) to your preferences. My experience is that a Windows machine will request an extension of the lease after it's half expired. This adds two lines to /var/log/messages for every renewal.

Run the commands you added to /etc/rc.d/rc.local manually to start the DHCP server.
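dhcpd will load a dhcpd.conf whose pool does not fit the subnet, or whose pool contains the firewall's own address, and the symptoms (machines that cannot reach the gateway, or two hosts claiming 192.168.1.1) only show up later. The script below is an added example, not from the HOWTO, that checks the values before rendering the file: every address must parse, the range must lie inside the subnet and exclude the network and broadcast addresses, the start must not be above the end, and the router/DNS address (the firewall) must be inside the subnet but outside the pool. It is plain POSIX sh using only shell arithmetic (64-bit, as on any current Linux); the function names are mine, and the 192.168.1.0/24 values are the HOWTO's.

```shell
#!/bin/sh
# Added example; not from the HOWTO. Sanity-checks the addresses that go
# into dhcpd.conf and renders the file only when they pass.

# Dotted quad -> integer on stdout; fails on anything that is not four
# octets in 0..255 (leading zeros are rejected: they would read as octal).
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# check_pool NET MASK LO HI SERVER: exit 0 if sane, else 1 with the reason
# on stderr. SERVER is the address handed out as router and DNS server.
check_pool() {
    n=$(ip2int "$1") && m=$(ip2int "$2") && lo=$(ip2int "$3") &&
    hi=$(ip2int "$4") && s=$(ip2int "$5") ||
        { echo "check_pool: malformed address among: $*" >&2; return 1; }
    bcast=$(( n | (4294967295 ^ m) ))          # directed broadcast address
    [ "$lo" -le "$hi" ] ||
        { echo "range start $3 is above range end $4" >&2; return 1; }
    [ $(( lo & m )) -eq $(( n & m )) ] && [ $(( hi & m )) -eq $(( n & m )) ] ||
        { echo "range $3-$4 is not inside $1/$2" >&2; return 1; }
    [ "$lo" -gt "$n" ] && [ "$hi" -lt "$bcast" ] ||
        { echo "range must exclude network $1 and broadcast $(int2ip $bcast)" >&2; return 1; }
    [ $(( s & m )) -eq $(( n & m )) ] ||
        { echo "server $5 is not inside $1/$2" >&2; return 1; }
    if [ "$s" -ge "$lo" ] && [ "$s" -le "$hi" ]; then
        echo "server $5 lies inside the pool $3-$4; it would be leased out" >&2
        return 1
    fi
}

# render_dhcpd_conf DOMAIN NET MASK LO HI SERVER: dhcpd.conf on stdout,
# in the layout used in the HOWTO, or exit 1 if check_pool objects.
render_dhcpd_conf() {
    check_pool "$2" "$3" "$4" "$5" "$6" || return 1
    bcast=$(int2ip $(( $(ip2int "$2") | (4294967295 ^ $(ip2int "$3")) )))
    cat <<EOF
option domain-name "$1";
option subnet-mask $3;
option broadcast-address $bcast;
option routers $6;
option domain-name-servers $6;

subnet $2 netmask $3 {
        range $4 $5;
        default-lease-time 3600;
        max-lease-time 7200;
}
EOF
}

# The HOWTO's own values: a /24 with ten leases and the firewall at .1.
render_dhcpd_conf your_domain 192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.19 192.168.1.1
```

Redirect the output to /etc/dhcpd.conf once it renders cleanly; a failing check prints its reason and writes nothing, so an existing file is never replaced by a broken one.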
