Deploying ISC Bind DNS Server Using OpenBSD 7.5

If your internet connection is slow, a caching DNS server is a smart way to speed up browsing. In general, a DNS server translates names into numbers: every website name you type is resolved to an IP address so that the page can be displayed in Google Chrome or Firefox.

In general, there are several types of DNS servers. A caching server does not itself hold the raw mapping from names to addresses; the type that does is called an authoritative DNS server, which can be further divided into master, slave and stealth servers. A caching DNS server is also called a recursive server. Any of these types may be referred to as a name server.

A caching DNS server works like this: when it obtains the answer for the name you requested, it returns that answer to you immediately and also stores it in its cache. Later, when another user on your network asks for the same name, the server answers from its cache instead of going back to the internet, which shortens the processing time of DNS requests.

The slower your internet connection, the more a caching DNS server improves your internet access. To keep the cached data accurate, each record carries a configurable expiration time (time to live, TTL) that forces the server to go back to the internet periodically for updates.


1. Install ISC Bind

One of the advantages of ISC Bind is that it can be installed on all common operating systems, such as Windows, macOS, Linux and the BSDs, including OpenBSD. However, each system has its own way of configuring it. In this section we learn how to install, configure and use ISC Bind on an OpenBSD server.

Because ISC Bind is so widely used, it is available in the OpenBSD package repository just as on other operating systems. Run the command below to install it with pkg_add.

Install ISC Bind
foo# pkg_add isc-bind-9.18.25v3
When the installation is complete, the ISC Bind package creates a user and group named _bind:_bind by default. This user will be needed when we set file ownership later. The location of the ISC Bind directory on OpenBSD differs slightly from FreeBSD: OpenBSD places ISC Bind under /var/named, and all configuration files are stored in that directory.

By default the /var/named directory contains two subdirectories, etc and tmp. During configuration we will add several more to it, such as master and standard.


2. Configuration Process

In this section we will discuss the steps for configuring ISC Bind. The ISC Bind configuration file is named "named.conf". All the settings for your caching DNS server go in that file.

a. Enable ISC Bind

Before configuring ISC Bind, enable the Bind DNS server by running the commands below.

Enable Bind DNS Server
foo# rcctl enable isc_named
foo# rcctl restart isc_named
isc_named(ok)
isc_named(ok)
The commands above enable ISC Bind and generate the rndc.key file. View the contents of rndc.key with the cat command.

View the contents of the rndc.key script file
foo# cat /var/named/etc/rndc.key
key "rndc-key" {
        algorithm hmac-sha256;
        secret "sLhSyJAo609lksFnU2Z0y5MbiSnoVJfTMz21foPVv3g=";
};

b. Edit the configuration file named.conf

We will reuse the entire contents of the rndc.key file in named.conf. Open named.conf, delete its existing contents and replace them with the script below.

/var/named/etc/named.conf
foo# nano /var/named/etc/named.conf
key "rndc-key" {
	algorithm hmac-sha256;
	secret "sLhSyJAo609lksFnU2Z0y5MbiSnoVJfTMz21foPVv3g=";
};

controls {
	inet 127.0.0.1 port 953
		allow { 127.0.0.1; } keys { "rndc-key"; };
};

acl clients {
	192.168.7.0/24;
	127.0.0.1;
};
acl IP_LAN { 192.168.7.3; };

options {
	directory "/tmp";
	version "dns foo.kursor.my.id";
	listen-on port 53 { IP_LAN; };
	#listen-on-v6 { any; };
	allow-recursion { clients; };
	allow-query { clients; };
	allow-query-cache { clients; };
	allow-transfer { none; };
	empty-zones-enable yes;
	recursion yes;
	auth-nxdomain no;
	dnssec-validation yes;
};

zone "localhost" {
	type master;
	file "standard/localhost";
	allow-transfer { 127.0.0.1; };
};

zone "127.in-addr.arpa" {
	type master;
	file "standard/loopback";
	allow-transfer { 127.0.0.1; };
};

zone "." {
	type forward;
	forward first;
	forwarders { 1.1.1.1; 8.8.8.8; };
};

zone "kursor.my.id" in {
	type master;
	file "master/internal.lan";
};

zone "7.168.192.in-addr.arpa" in {
	type master;
	file "master/internal.rev";
};
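The lines that matter for safety in the options block above are allow-recursion, allow-query-cache and allow-transfer: a server that recurses for any address on the internet is an open resolver that third parties can abuse, so restricting recursion to the clients ACL and transfers to none is what keeps this a private LAN cache. The script below is an added example, not part of the tutorial and not ISC code: it pulls those clauses out of a named.conf and flags the open form before the server goes live. It assumes only POSIX sh, sed and awk, and the two configuration fragments it writes to temporary files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the tutorial or ISC: pull the recursion and
# transfer ACLs out of a named.conf and flag an open resolver before the
# server goes live. Assumes POSIX sh, sed and awk; the configs are constructed.

# Print what sits between the braces of a braced option, e.g.
#   conf_value FILE allow-recursion   ->  " clients; "
# Comments (// and #) are stripped, whitespace collapsed, and the result is
# padded with one space each side so callers can match " any;" as a token.
# Prints nothing when the option is absent.
conf_value() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1" | tr '\n' ' ' |
        awk -v opt="$2" '{
            if (match($0, "(^|[ \t;{}])" opt "[ \t]*\\{")) {
                rest = substr($0, RSTART + RLENGTH)
                close_at = index(rest, "}")
                if (close_at) rest = substr(rest, 1, close_at - 1)
                gsub(/[ \t]+/, " ", rest)
                sub(/^ /, "", rest); sub(/ $/, "", rest)
                print " " rest " "
            }
        }'
}

# Print the value of a scalar option such as "recursion yes;" (nothing if absent).
conf_scalar() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1" | tr '\n' ' ' |
        awk -v opt="$2" '{
            if (match($0, "(^|[ \t;{}])" opt "[ \t]+[^ \t;{}]+[ \t]*;")) {
                s = substr($0, RSTART, RLENGTH)
                sub(/[ \t]*;$/, "", s)
                n = split(s, f, /[ \t;{}]+/)
                print f[n]
            }
        }'
}

# Exit 0 when recursion is off or limited to named ACLs/networks, 1 when the
# effective allow-recursion ACL contains "any" (open resolver). BIND 9 falls
# back to allow-query-cache, then allow-query, then "localnets; localhost;"
# when allow-recursion is not set, so the same fallback is applied here.
audit_recursion() {
    if [ "$(conf_scalar "$1" recursion)" = "no" ]; then
        echo "recursion no: authoritative-only server, nothing to audit"
        return 0
    fi
    acl=$(conf_value "$1" allow-recursion)
    [ -n "$acl" ] || acl=$(conf_value "$1" allow-query-cache)
    [ -n "$acl" ] || acl=$(conf_value "$1" allow-query)
    [ -n "$acl" ] || acl=" localnets; localhost; "
    case "$acl" in
        *" any;"*) echo "OPEN RESOLVER: effective allow-recursion is {$acl}"; return 1 ;;
        *)         echo "recursion limited to {$acl}"; return 0 ;;
    esac
}

# Exit 0 when zone transfers are restricted, 1 when allow-transfer is
# missing (BIND 9.18 then defaults to any) or explicitly contains "any".
audit_transfer() {
    xfr=$(conf_value "$1" allow-transfer)
    case "$xfr" in
        "")        echo "allow-transfer unset: BIND 9.18 defaults to any"; return 1 ;;
        *" any;"*) echo "allow-transfer permits any host"; return 1 ;;
        *)         echo "allow-transfer limited to {$xfr}"; return 0 ;;
    esac
}

# Constructed samples: the tutorial's restrictive options, and a weakened
# variant that turns the same server into an open resolver.
CLOSED_CONF=$(mktemp); OPEN_CONF=$(mktemp)
cat > "$CLOSED_CONF" <<'EOF'
acl clients { 192.168.7.0/24; 127.0.0.1; };
options {
	allow-recursion { clients; };
	allow-query { clients; };
	allow-query-cache { clients; };
	allow-transfer { none; };
	recursion yes;   // caching resolver for the LAN only
};
EOF
cat > "$OPEN_CONF" <<'EOF'
options {
	allow-recursion { any; };    # anyone on the internet may recurse
	recursion yes;
};
EOF

echo "== weakened config";    audit_recursion "$OPEN_CONF";   audit_transfer "$OPEN_CONF"
echo "== tutorial config";    audit_recursion "$CLOSED_CONF"; audit_transfer "$CLOSED_CONF"
```

Run it against your real file with the functions above (for example `audit_recursion /var/named/etc/named.conf`); a non-zero exit from either audit means the server would answer or hand out zone data to hosts outside the intended network.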

c. Add the zone settings

The named.conf script above declares several zones that ISC Bind will use. Now we create the zone files to match that script. The first step is to create the directories for the zones.

Create directory and zone file
foo# mkdir -p /var/named/standard
foo# mkdir -p /var/named/master
foo# touch /var/named/standard/localhost
foo# touch /var/named/standard/loopback
foo# touch /var/named/master/internal.lan
foo# touch /var/named/master/internal.rev
After that, add the scripts shown in the examples below to each zone file. As usual we use the nano text editor.

Add script in zone file
foo# nano /var/named/standard/localhost
$ORIGIN localhost.
$TTL 6h

@       IN      SOA     localhost. root.localhost. (
                        1       ; serial
                        1h      ; refresh
                        30m     ; retry
                        7d      ; expiration
                        1h )    ; minimum

                NS      localhost.
                A       127.0.0.1
                AAAA    ::1
Add script in zone file
foo# nano /var/named/standard/loopback
$ORIGIN 127.in-addr.arpa.
$TTL 6h

@       IN      SOA     localhost. root.localhost. (
                        1       ; serial
                        1h      ; refresh
                        30m     ; retry
                        7d      ; expiration
                        1h )    ; minimum

                NS      localhost.
1.0.0           PTR     localhost.
Add script in zone file
foo# nano /var/named/master/internal.lan
$ORIGIN .
$TTL    86400   ; 24 hours
kursor.my.id    IN      SOA     foo.kursor.my.id. root.foo.kursor.my.id. (
                        2010022201      ; Serial
                        86400           ; Refresh (24 hours)
                        3600            ; Retry (1 hour)
                        172800          ; Expire (48 hours)
                        3600            ; Minimum (1 hour)
                        )
kursor.my.id.   IN      NS      foo.kursor.my.id.

$ORIGIN kursor.my.id.
foo.kursor.my.id.       IN      A       192.168.7.3

Add script in zone file
foo# nano /var/named/master/internal.rev
$ORIGIN .
$TTL    86400   ; 24 hours
7.168.192.in-addr.arpa  IN      SOA     foo.kursor.my.id. root.foo.kursor.my.id. (
                        2010022201      ; Serial
                        86400           ; Refresh (24 hours)
                        3600            ; Retry (1 hour)
                        172800          ; Expire (48 hours)
                        3600            ; Minimum (1 hour)
                        )
                        IN      NS      foo.kursor.my.id.

$ORIGIN 7.168.192.in-addr.arpa.
3       IN      PTR     foo.kursor.my.id.       ; 192.168.7.3 is foo.kursor.my.id


d. Change permission and ownership

As explained above, ISC Bind on OpenBSD runs by default as the user and group _bind. Run the commands below to set the file permissions and ownership.

Change permissions and ownership
foo# cd /var/named
foo# chown -R _bind:_bind master standard var tmp

e. Root hints

The root hints file contains the names and IP addresses of the authoritative name servers for the root zone, so that the software can bootstrap the DNS resolution process. Download this file from the official IANA repository.

Download named.root
foo# wget https://www.internic.net/domain/named.root -P /var/named/etc

f. Edit resolv.conf

The resolv.conf file tells the OpenBSD server which domain name system (DNS) servers to use. Fill it in with the DNS server that will be used. Because ISC Bind on this server is our caching DNS server, we point it at the private IP address of the OpenBSD server itself.

/etc/resolv.conf
foo# nano /etc/resolv.conf
domain kursor.my.id
nameserver 192.168.7.3

g. Check zone

To make sure there are no errors in the zones you created, check them with the commands below. First, check the main configuration file named.conf.

Check named.conf
foo# named-checkconf /var/named/etc/named.conf
Then continue by checking the zones you created above.

Check zone
foo# named-checkzone kursor.my.id /var/named/master/internal.lan
zone kursor.my.id/IN: loaded serial 2010022201
OK
foo# named-checkzone 7.168.192.in-addr.arpa /var/named/master/internal.rev
zone 7.168.192.in-addr.arpa/IN: loaded serial 2010022201
OK
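named-checkzone verifies each file's syntax and named-checkconf -z additionally test-loads every zone listed in named.conf, but neither tells you whether the forward and reverse zones agree with each other: the forward zone says foo.kursor.my.id is 192.168.7.3, so the reverse zone should carry a PTR for 3 pointing back at that name, and a PTR under a different octet passes both tools. The script below is an added example, not part of the tutorial and not an ISC tool: it parses both zone files (honouring $ORIGIN, the @ owner, owner inheritance and the multi-line SOA) and reports every A record whose address has no PTR back to the same name. It assumes POSIX sh and awk only; the three zone files it writes to temporary files are constructed for the demonstration, and the bar and baz hosts are invented.

```shell
#!/bin/sh
# Added example, not from the tutorial: cross-check a forward zone against
# its reverse zone so every A record has a PTR pointing back to the same
# name. Assumes POSIX sh and awk only; the zone files are constructed.

# zone_records FILE A    -> lines "fqdn ip"
# zone_records FILE PTR  -> lines "ip fqdn"
# Handles $ORIGIN, "@", owner inheritance (leading whitespace), comments
# and the multi-line SOA in parentheses; IPv4 reverse zones only.
zone_records() {
    awk -v want="$2" '
    { sub(/;.*/, "") }                                   # drop comments
    /^\$ORIGIN/ { origin = $2; next }
    /^\$TTL/    { next }
    depth > 0   { if (index($0, ")")) depth = 0; next }  # still inside SOA ( )
    NF == 0     { next }
    {
        if ($0 ~ /^[ \t]/) { first = 1 } else { owner = $1; first = 2 }
        if (index($0, "(") && !index($0, ")")) depth = 1
        for (i = first; i <= NF; i++) if ($i == want) break
        if (i > NF) next
        name = owner
        if (name == "@") name = origin
        else if (name !~ /\.$/) name = (origin == ".") ? (name ".") : (name "." origin)
        if (want == "PTR") {
            split(name, l, ".")                          # l[1..4]: reversed octets
            print l[4] "." l[3] "." l[2] "." l[1], $(i + 1)
        } else {
            print name, $(i + 1)
        }
    }' "$1"
}

# Print one line per A record; exit 0 only when every address has a PTR
# back to the same name, 1 when any PTR is missing or names another host.
check_forward_reverse() {   # FORWARD_ZONE REVERSE_ZONE
    zone_records "$1" A | awk -v rev="$(zone_records "$2" PTR)" '
    BEGIN {
        n = split(rev, lines, "\n")
        for (k = 1; k <= n; k++) { split(lines[k], f, " "); ptr[f[1]] = f[2] }
    }
    NF == 2 {
        if (!($2 in ptr))       { print "MISSING:  " $1 " -> " $2 " has no PTR"; bad = 1 }
        else if (ptr[$2] != $1) { print "MISMATCH: " $1 " -> " $2 " but PTR says " ptr[$2]; bad = 1 }
        else                    print "ok:       " $1 " <-> " $2
    }
    END { exit bad }'
}

# Constructed zone files modelled on the tutorial's master/internal.lan and
# master/internal.rev; bar and baz are invented hosts.
FWD_ZONE=$(mktemp); REV_OK=$(mktemp); REV_BAD=$(mktemp)
cat > "$FWD_ZONE" <<'EOF'
$ORIGIN .
$TTL    86400   ; 24 hours
kursor.my.id    IN  SOA foo.kursor.my.id. root.foo.kursor.my.id. (
                        2010022201 ; Serial
                        86400      ; Refresh
                        3600       ; Retry
                        172800     ; Expire
                        3600 )     ; Minimum
kursor.my.id.   IN  NS  foo.kursor.my.id.
$ORIGIN kursor.my.id.
foo             IN  A   192.168.7.3     ; the DNS server itself
bar             IN  A   192.168.7.4     ; a second host, constructed
EOF
cat > "$REV_OK" <<'EOF'
$ORIGIN .
$TTL    86400
7.168.192.in-addr.arpa  IN  SOA foo.kursor.my.id. root.foo.kursor.my.id. (
                        2010022201 86400 3600 172800 3600 )
        IN  NS  foo.kursor.my.id.
$ORIGIN 7.168.192.in-addr.arpa.
3       IN  PTR foo.kursor.my.id.
4       IN  PTR bar.kursor.my.id.
EOF
cat > "$REV_BAD" <<'EOF'
$ORIGIN 7.168.192.in-addr.arpa.
$TTL    86400
100     IN  PTR foo.kursor.my.id.       ; wrong octet: foo is .3
4       IN  PTR baz.kursor.my.id.       ; names a host that is not bar
EOF

echo "== against the consistent reverse zone"; check_forward_reverse "$FWD_ZONE" "$REV_OK"
echo "== against the broken reverse zone";     check_forward_reverse "$FWD_ZONE" "$REV_BAD" || echo "reverse zone needs fixing"
```

Point check_forward_reverse at the real files (/var/named/master/internal.lan and /var/named/master/internal.rev) after named-checkzone has passed; a non-zero exit means reverse lookups for at least one host will return the wrong name or nothing.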

h. Check DNS name servers

If nothing is wrong, continue by checking the DNS name servers. This check confirms that the ISC Bind DNS server is working correctly. We use the dig command for it; pay attention to the example command below.

Check DNS server
foo# dig yahoo.com

; <<>> dig 9.10.8-P1 <<>> yahoo.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59861
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;yahoo.com.                     IN      A

;; ANSWER SECTION:
yahoo.com.              1800    IN      A       74.6.231.21
yahoo.com.              1800    IN      A       98.137.11.163
yahoo.com.              1800    IN      A       74.6.143.25
yahoo.com.              1800    IN      A       74.6.231.20
yahoo.com.              1800    IN      A       98.137.11.164
yahoo.com.              1800    IN      A       74.6.143.26

;; Query time: 27 msec
;; SERVER: 192.168.7.3#53(192.168.7.3)
;; WHEN: Wed Apr 17 16:40:48 WIB 2024
;; MSG SIZE  rcvd: 134
Below are some more dig commands you can use to check the ISC Bind DNS server.

Check DNS server
foo# dig @192.168.7.3 azion.com
foo# dig facebook.com +trace
foo# dig -x 172.217.14.238
foo# dig google.com +short
forcesafesearch.google.com.
216.239.38.120
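Two things are worth reading off the dig output above. The flags line carries ra (recursion available), which means 192.168.7.3 agreed to recurse for this client under the allow-recursion ACL; a client outside the clients ACL gets status REFUSED and no ra flag instead. And when the same name is queried again within its TTL, the answer comes back with a smaller TTL and a query time near zero, which is the cache at work. The script below is an added example, not part of the tutorial: it parses dig transcripts and checks both conditions. It assumes POSIX sh, sed and awk; the three transcripts it writes to temporary files are constructed from the shape of the output above.

```shell
#!/bin/sh
# Added example, not from the tutorial: read the interesting fields out of a
# dig transcript and decide whether a repeated query was answered from cache.
# Assumes POSIX sh, sed and awk only; the transcripts below are constructed.

dig_status() {   # NOERROR, REFUSED, NXDOMAIN, ...
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' "$1"
}

dig_server() {   # address that answered, from the ";; SERVER:" line
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' "$1"
}

dig_query_msec() {
    sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p' "$1"
}

# Exit 0 when the flags line carries "ra": the server is willing to recurse
# for this client, i.e. the client matched allow-recursion.
recursion_available() {
    awk '/^;; flags:/ { for (i = 3; i <= NF; i++) { f = $i; sub(/;$/, "", f); if (f == "ra") ok = 1 } }
         END { exit !ok }' "$1"
}

# Smallest TTL in the ANSWER SECTION, or -1 when there is no answer.
answer_min_ttl() {
    awk '/^;; ANSWER SECTION:/   { insec = 1; next }
         /^;;/ || /^$/           { insec = 0 }
         insec && $2 ~ /^[0-9]+$/ { if (min == "" || $2 + 0 < min) min = $2 + 0 }
         END { print (min == "" ? -1 : min) }' "$1"
}

# The answer RRset without TTLs, sorted, so two transcripts can be compared.
answer_rrset() {
    awk '/^;; ANSWER SECTION:/ { insec = 1; next }
         /^;;/ || /^$/         { insec = 0 }
         insec                 { print $1, $4, $5 }' "$1" | sort
}

# Exit 0 when the second transcript looks like a cache hit for the first:
# both NOERROR from the same server, identical RRset, and a TTL that has
# counted down (a fresh upstream answer would carry the full TTL again).
cache_hit() {
    [ "$(dig_status "$1")" = NOERROR ] || return 1
    [ "$(dig_status "$2")" = NOERROR ] || return 1
    [ "$(dig_server "$1")" = "$(dig_server "$2")" ] || return 1
    [ "$(answer_rrset "$1")" = "$(answer_rrset "$2")" ] || return 1
    t1=$(answer_min_ttl "$1"); t2=$(answer_min_ttl "$2")
    [ "$t2" -ge 0 ] && [ "$t2" -lt "$t1" ]
}

# Constructed transcripts modelled on the dig output above (two records only).
write_dig_sample() {   # FILE STATUS FLAGS TTL MSEC
    cat > "$1" <<EOF
; <<>> dig 9.10.8-P1 <<>> yahoo.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: $2, id: 59861
;; flags: $3; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;yahoo.com.                     IN      A

;; ANSWER SECTION:
yahoo.com.              $4    IN      A       74.6.231.21
yahoo.com.              $4    IN      A       98.137.11.163

;; Query time: $5 msec
;; SERVER: 192.168.7.3#53(192.168.7.3)
EOF
}

DIG_FIRST=$(mktemp); DIG_SECOND=$(mktemp); DIG_REFUSED=$(mktemp)
write_dig_sample "$DIG_FIRST"  NOERROR "qr rd ra" 1800 27   # first lookup: full TTL
write_dig_sample "$DIG_SECOND" NOERROR "qr rd ra" 1793 0    # 7 s later: answered from cache
cat > "$DIG_REFUSED" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;yahoo.com.                     IN      A

;; Query time: 1 msec
;; SERVER: 192.168.7.3#53(192.168.7.3)
EOF

for f in "$DIG_FIRST" "$DIG_SECOND" "$DIG_REFUSED"; do
    printf 'server=%s status=%s min_ttl=%s ra=%s\n' "$(dig_server "$f")" "$(dig_status "$f")" \
        "$(answer_min_ttl "$f")" "$(recursion_available "$f" && echo yes || echo no)"
done
if cache_hit "$DIG_FIRST" "$DIG_SECOND"; then echo "second answer was served from cache"; fi
```

On the live server, save two runs of `dig yahoo.com` a few seconds apart to files and pass them to cache_hit; a client that matches the clients ACL should see ra set, and the second run should report a TTL that has counted down by the elapsed seconds.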
Besides the dig command, you can also use nslookup. Below is an example of using nslookup.

Check DNS server
foo# nslookup -type=ns google.com
Server:         192.168.7.3
Address:        192.168.7.3#53

Non-authoritative answer:
google.com      nameserver = ns2.google.com.
google.com      nameserver = ns3.google.com.
google.com      nameserver = ns4.google.com.
google.com      nameserver = ns1.google.com.

Authoritative answers can be found from:
ns1.google.com  internet address = 216.239.32.10
ns2.google.com  internet address = 216.239.34.10
ns3.google.com  internet address = 216.239.36.10
ns4.google.com  internet address = 216.239.38.10
ns1.google.com  has AAAA address 2001:4860:4802:32::a
ns2.google.com  has AAAA address 2001:4860:4802:34::a
ns3.google.com  has AAAA address 2001:4860:4802:36::a
ns4.google.com  has AAAA address 2001:4860:4802:38::a
Check DNS server
foo# nslookup -type=mx yahoo.com
foo# nslookup -type=soa facebook.com
foo# nslookup -type=txt google.com
foo# nslookup google.com ns1.google.com
By following this tutorial, you can use ISC Bind as your personal DNS server. Use it from your Windows computer by setting its DNS server address to 192.168.7.3. Now feel the speed of accessing the internet through the ISC Bind DNS server; you will surely notice the difference.
Iwan Setiawan