File dns-bind-caching-setup.txt, 3.7 KB (added by admin, 7 years ago)

Building a DNS cache with BIND
------------------------------

1. Check the version of BIND which is installed
-----------------------------------------------

    $ named -v
    BIND 9.8.1


2. Configure your cache to accept queries from neighbours
---------------------------------------------------------

Edit the file /etc/namedb/named.conf (using vi or ee)

Then find the line:

        listen-on       { 127.0.0.1; };

... and REMOVE IT.

Instead, add another line:

        allow-recursion { 127.0.0.1; 10.10.0.0/16; };

Double check that there aren't any zones configured in your DNS apart
from the root hints (the zone "." of type hint). For instance, if you
see a line like the following:

        zone "10.in-addr.arpa"     { type master; file "/etc/namedb/master/empty.db"; };

... remove it, and save the file. If it stayed in, your cache would
answer reverse lookups for 10.x.x.x addresses itself (with an empty
answer) instead of asking the workshop's nameservers.


Be careful about the semicolons ';' and braces { } - BIND
will complain if they are not placed correctly.

By removing the line "listen-on ..." and adding the line
"allow-recursion", we are telling BIND:

- please listen to the network for queries, not only on
  the local interface "127.0.0.1" (with no listen-on line at all,
  BIND listens on port 53 of every IPv4 address the machine has);

- please allow clients in 10.10.0.0/16, as well as myself, to send
  recursive queries to me. With this configuration a client outside
  that range gets a REFUSED answer: allow-recursion also decides who
  may read answers out of the cache, so the machine is not an open
  resolver for the whole Internet.

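Before restarting BIND it is worth checking the edited file against the three things this step asks for. The script below is an added example, not part of the NSRC handout: it embeds two constructed configs (the loopback-only one you start from and the one you end up with), lints them with plain grep, and also runs `named-checkconf` when that tool is installed. The file names under `$WORK` and the sample configs are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the NSRC handout: lint a named.conf for the
# caching-only settings the exercise asks for.  The sample configs are
# constructed; the paths under $WORK are assumptions for the example.
WORK=$(mktemp -d)

# "Before": loopback only, plus one of FreeBSD's empty master zones, which
# would shadow the workshop's own reverse zone for 10.x addresses.
cat > "$WORK/before.conf" <<'EOF'
options {
        listen-on       { 127.0.0.1; };
};
zone "." { type hint; file "/etc/namedb/named.root"; };
zone "10.in-addr.arpa"     { type master; file "/etc/namedb/master/empty.db"; };
EOF

# "After": listen-on removed (listen on every IPv4 address), recursion and
# cache access limited to the lab network, only the root hints left.
cat > "$WORK/after.conf" <<'EOF'
options {
        allow-recursion { 127.0.0.1; 10.10.0.0/16; };
};
zone "." { type hint; file "/etc/namedb/named.root"; };
EOF

# check_cache_conf FILE: print one line per problem; return 0 only if none.
check_cache_conf() {
    f=$1
    bad=0
    # Still bound to the loopback address only?  Neighbours cannot reach it.
    if grep -Eq '^[[:space:]]*listen-on[[:space:]]*\{[[:space:]]*127\.0\.0\.1;[[:space:]]*\}' "$f"; then
        echo "$f: listen-on is loopback only"
        bad=1
    fi
    # No allow-recursion?  BIND falls back to its built-in default ACL
    # (localnets and localhost), which may not cover the lab range, and
    # the intended limit on who may use the cache is not written down.
    if ! grep -Eq '^[[:space:]]*allow-recursion[[:space:]]*\{' "$f"; then
        echo "$f: no allow-recursion line"
        bad=1
    fi
    # A caching-only server should carry no master zones at all.
    if grep -Eq 'type[[:space:]]+master' "$f"; then
        echo "$f: master zone(s) present:"
        grep -En 'type[[:space:]]+master' "$f" | sed 's/^/    /'
        bad=1
    fi
    # Syntax check with BIND's own parser, when it is available.
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$f" || { echo "$f: named-checkconf failed"; bad=1; }
    fi
    return $bad
}

for c in before after; do
    if check_cache_conf "$WORK/$c.conf"; then
        echo "$c.conf: OK"
    else
        echo "$c.conf: needs fixing"
    fi
done
```

On a real server you would rather keep a `listen-on` line naming the loopback address and the one interface address the cache should serve on, instead of dropping the line and listening everywhere; the lint above only checks for the lab's loopback-only case.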
3. Restart the cache and check it is running
--------------------------------------------

If you haven't done so earlier, edit `/etc/rc.conf` and add two lines saying:

        named_chrootdir=""
        named_enable="YES"

(Setting `named_chrootdir` to an empty string switches off FreeBSD's
default chroot of named into /var/named. That keeps the file paths in
this exercise simple; on a real server, leave the chroot in place.)

Then run these commands:

    # /etc/rc.d/named stop
    # /etc/rc.d/named start
    # ps auxwww | grep named
    # tail /var/log/messages

Check for successful startup with no error messages (you can ignore errors
about missing `master/localhost.rev` and `master/localhost-v6.rev`, as well
as messages regarding managed-keys-zone).


4. Reconfigure your resolver to use your own cache only
-------------------------------------------------------

If you haven't done so earlier, edit `/etc/resolv.conf` as follows:

Remove any existing 'nameserver' lines, or comment them out by inserting '#'
at the front. 127.0.0.1 is the loopback address; that is, an IP address
which means 'send the packet to myself', and we'll use it as our nameserver:

    search ws.nsrc.org
    nameserver 127.0.0.1

5. Test resolution
------------------

Issue a query, for instance:

        $ dig google.com NS
        $ dig noc.ws.nsrc.org A

For each query:

1. Is the server responding?
2. How do you know that you are talking to your OWN server?
   (Hint: look at the ";; SERVER:" line near the bottom of dig's output.)
3. What do you notice?

If your neighbour has got their cache working, then try sending some queries
to their cache:

    $ dig @10.10.X.1 somedomain.name

... where 10.10.X.1 is the IP address of the machine in the class you want
to send the query to, and "somedomain.name" is the query you would like to
perform.

Try and make some of the same queries you did before.  Do the nameservers
of the other machines answer you?

Help your neighbours to get their cache working if required.

6. Watch the cache in operation
-------------------------------

You can take a snapshot of the cache contents like this:

    # ln -s /var/named/var/dump /var/dump
    # /usr/sbin/rndc dumpdb
    # less /var/named/var/dump/named_dump.db

(The symlink is needed because the default named.conf writes the dump to
/var/dump/named_dump.db, and /var/dump only exists inside the /var/named
chroot tree that we switched off in step 3.)

(Don't do this on a busy cache - you will generate a huge dump file!)

You can watch the cache making queries to the outside world using
`tcpdump` in a different window (log in again via SSH):

    # tcpdump -n -s1500 -i eth0 udp port 53

If your ethernet interface isn't named `eth0`, then use the name of
your ethernet interface - e.g. `em0` or `bge0` - run "ifconfig" to find out
what your ethernet interface is named.

While tcpdump is running, in the first window flush your cache (so it forgets
all existing data) and then issue some queries.

    # rndc flush
    # dig www.tiscali.co.uk.   -- and watch the tcpdump output. What do you see?

    # dig www.tiscali.co.uk.   -- watch tcpdump again. This time?

Compare the TTL in the ANSWER SECTION and the ";; Query time:" line of the
two answers as well, not just the tcpdump window.
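The questions in steps 5 and 6 can be answered mechanically from the bottom of dig's output: the ";; SERVER:" line says which server answered, the "status:" and the "ra" flag say whether that server was willing to recurse for you, and a repeated query answered from the cache comes back with a smaller TTL and a query time near zero. Below is an added example, not part of the NSRC handout, of a small shell helper that pulls those fields out of saved dig output and decides whether a second query was a cache hit. The three dig transcripts it embeds are constructed (192.0.2.10 and the neighbour address 10.10.1.1 are placeholders); on your own machine, save real output with `dig www.tiscali.co.uk. > first.txt` and feed that in instead.

```shell
#!/bin/sh
# Added example, not from the NSRC handout.  Summarise dig output and detect
# a cache hit between two queries.  The transcripts below are constructed;
# 192.0.2.10 and the neighbour address 10.10.1.1 are placeholders.
WORK=$(mktemp -d)

# First query to our own cache right after "rndc flush": the answer had to be
# fetched from the outside (tcpdump shows the traffic), hence the query time.
cat > "$WORK/first.txt" <<'EOF'
; <<>> DiG 9.8.1 <<>> www.tiscali.co.uk.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.tiscali.co.uk.            IN      A

;; ANSWER SECTION:
www.tiscali.co.uk.      300     IN      A       192.0.2.10

;; Query time: 184 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
EOF

# Same query a few seconds later: served from the cache, TTL counting down.
cat > "$WORK/second.txt" <<'EOF'
; <<>> DiG 9.8.1 <<>> www.tiscali.co.uk.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.tiscali.co.uk.            IN      A

;; ANSWER SECTION:
www.tiscali.co.uk.      291     IN      A       192.0.2.10

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
EOF

# What a host outside allow-recursion sees from a neighbour's cache:
# REFUSED, and the ra (recursion available) flag is not set.
cat > "$WORK/refused.txt" <<'EOF'
; <<>> DiG 9.8.1 <<>> @10.10.1.1 www.tiscali.co.uk.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 5150
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.tiscali.co.uk.            IN      A

;; Query time: 1 msec
;; SERVER: 10.10.1.1#53(10.10.1.1)
EOF

# dig_summary: read dig output on stdin; print the answering server, the
# rcode, whether recursion was offered (ra flag), first answer TTL, query time.
dig_summary() {
    awk '
        /^;; ->>HEADER<<-/    { sub(/,$/, "", $6); status = $6 }
        /^;; flags:/          { ra = ($0 ~ / ra[; ]/) ? "yes" : "no" }
        /^;; Query time:/     { qtime = $4 }
        /^;; SERVER:/         { split($3, s, "#"); server = s[1] }
        inans && $3 == "IN"   { if (ttl == "") ttl = $2 }
        /^;; ANSWER SECTION:/ { inans = 1 }
        /^$/                  { inans = 0 }
        END { printf "server=%s status=%s ra=%s ttl=%s qtime=%s\n", server, status, ra, ttl, qtime }'
}

# field KEY SUMMARY: pull one key=value out of a dig_summary line.
field() { printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p"; }

# cache_hit FIRST SECOND: "yes" if SECOND (same name, same server) was
# answered from the cache: TTL has counted down and query time is near zero.
cache_hit() {
    a=$(dig_summary < "$1")
    b=$(dig_summary < "$2")
    if [ "$(field server "$a")" = "$(field server "$b")" ] &&
       [ "$(field status "$b")" = NOERROR ] &&
       [ -n "$(field ttl "$a")" ] && [ -n "$(field ttl "$b")" ] &&
       [ "$(field ttl "$b")" -lt "$(field ttl "$a")" ] &&
       [ "$(field qtime "$b")" -le 5 ]; then
        echo yes
    else
        echo no
    fi
}

for t in first second refused; do
    echo "$t: $(dig_summary < "$WORK/$t.txt")"
done
echo "second query served from cache: $(cache_hit "$WORK/first.txt" "$WORK/second.txt")"
```

The "ra=no" together with "status=REFUSED" in the third transcript is the signature of the allow-recursion line doing its job; if a neighbour in 10.10.0.0/16 sees that from your cache, re-check the ACL in named.conf.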