Every network communication between computers can only be made through the use of unique IP addresses to identify the exact endpoints of the communication. For the human brain, numbers are always harder to remember and work with than assigning names to things. Therefore, IT pioneers started in the early 70s to invent systems for translating names to physical network addresses using files and later simple databases. In modern computer networks and on the Internet, the relationship between the name of a computer and an IP address is defined in the Domain Name System (DNS) database. It is a worldwide distributed system and provides domain name to IP address resolution and also the reverse, that is IP address to domain name resolution. DNS is a big subject, and it is the purpose of this recipe to provide the perfect starting point by showing you how to install and setup your own caching-only and forwarding nameserver. Here we will use Unbound, which is a highly secure and fast recursive and caching DNS server solution, and therefore our preferred choice. But you need to remember that Unbound cannot be used as a fully authoritative DNS server (which means that it provides its own domain name resolution records) we will use the popular BIND server for this in a later recipe. A caching-only DNS server will serve to forward all the name resolution queries to a remote DNS server. Such a system has the intention of speeding up general access to the Internet by caching the results of any domain resolution request made. When a caching DNS server tracks down the answer to a client's query, it returns the answer to the client. However, it also stores the answer in its cache for a specific period of time. The cache can then be used as a source for subsequent requests in order to speed up the total round-trip time.
To complete this recipe, you will require a working installation of the CentOS 7 operating system with root privileges, a static IP address, and a console-based text editor of your choice. An Internet connection will be required to download additional packages. In this example, our DNS server runs in a private network with the network address 192.168.1.0/24
.
In this recipe, we will first configure a caching-only and then a forwarding only DNS server.
In this section, we will consider the role of Unbound as a caching-only nameserver, handling recursive DNS requests to the other remote DNS servers and caching the query for a certain time period to improve the response time when the server is asked for the same name resolution again:
yum install unbound bind-utils
unbound
configuration file so we can revert our changes later, and then open it in your favorite text editor:cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.BAK vi /etc/unbound/unbound.conf
# interface: 0.0.0.0
Remove the #
sign to uncomment it (activate it), so it reads as follows:interface: 0.0.0.0
# access-control: 127.0.0.0/8 allow
. Uncomment the line to activate it and change the network address to fit your needs:access-control: 192.168.1.0/24 allow
unbound-control-setup && unbound-checkconf
firewall-cmd --permanent --add-service dns && firewall-cmd --reload
systemctl enable unbound && systemctl start unbound
nslookup www.packtpub.com 127.0.0.1
unbound-host -d www.packtpub.com
bind-utils
installed), you can query any public domain name using our new DNS server as well. For example, if our DNS server has the IP 192.168.1.7
:nslookup www.packtpub.com 192.168.1.7
cp /etc/resolv.conf /etc/resolv.conf.BAK; vi /etc/resolv.conf
nameserver 127.0.0.1
If you have set some DNS server information in your network-scripts interface (for example, when configuring a static IP address, see Chapter 2, Configuring the System), you will want to review the /etc/sysconfig/network-scripts/ifcfg-XXX
file and modify the current DNS reference to read as DNS1=127.0.0.1
as well.
Now after we have successfully configured our first caching BIND DNS server, here we will show you how to transform it into a forwarding DNS server which will reduce the total bandwidth for resolving hostnames in comparison to the caching-only solution:
vi /etc/unbound/unbound.conf
forward-zone: name: "." forward-addr: 8.8.8.8
unbound-checkconf && systemctl restart unbound
In this recipe, we have installed a caching-only Unbound DNS server with the basic aim of improving the responsiveness of our overall network by caching the answers to any name-based queries. Using such a process will shorten the waiting time on any subsequent visit to the same location. It is a feature that is particularly useful in saving bandwidth if you happen to be managing a large, busy, or slow network. It does not have its own domain name resolution feature but uses its default root domain's DNS servers in order to perform this task (to learn more about the root domain, see later). Also, as we have seen, you can easily transform your caching nameserver into a pure forwarding system as well. While a caching DNS server makes recursive requests to several associated DNS servers and constructs the complete name resolution result from those multiple requests, a forwarding DNS delegates the complete recursive DNS search to another resolving DNS server which executes the complete search instead. This saves even more bandwidth for our DNS server because only single network requests to communicate with the remote resolving server are made instead of multiple when using the caching-only DNS service.
So what did we learn from this experience?
We started this recipe by installing the necessary packages. This included the main DNS server program called Unbound and a reference to bind-utils
, a small package that enables you to run many different DNS related network tasks, such as dig
, nslookup
, and host
. The next step was to begin making the necessary configuration changes by editing Unbound's main configuration after we made a simple backup of the original file. Since after installation the default DNS server is completely restricted to doing everything locally only, our main purpose was to adjust the server to make connections from the outside possible. We began this process by allowing the DNS server to listen to all the available network interfaces using the interface
directive and afterwards defined who on the network was allowed to make requests to our DNS server by setting allow-query
to our local network. This means we allowed anyone in our subnetwork to make DNS resolution requests to our server.
At this point we created the RSA keypair with the unbound-control-setup
tool, which is needed for the unbound-checkconf
command to work. The generated keys and certificate are important if we want to use Unbound's DNS Security Extensions (DNSSEC) features which help protect DNS data by providing authentication of origin using digital signatures (configuring DNSSEC is outside the scope of this chapter. To learn more, consult the Unbound configuration manual: man unbound.conf
). Afterwards, we used the unbound-checkconf
command, which was necessary to confirm that Unbound's configuration file was syntactically correct. If the output of the command is empty, there are no errors in the file. We then proceeded by adding the predefined dns
firewalld service to our default firewall, thus allowing the other computer systems in our local network to access the DNS server using port 53
. Finally, we activated Unbound at boot time and started the service.
Of course, to complete this recipe we then tested if our new DNS server worked as expected in resolving domain names to IP addresses. We ran a simple nslookup
query locally on the server and also from the other computers in the same network to see if our new DNS service was reachable from the outside. When using nslookup
without any additional parameters, the program will use the default DNS server resolver known to the system (on CentOS 7 this is defined in /etc/resolv.conf
) to resolve our host names, so we added another parameter addressing our alternative DNS server we want to query instead (127.0.0.1
). For successful testing, the output must contain the resolved IP address of the www.packtpub.com server. On the DNS server you could also use the unbound-host -d
command to get a more technical view of the DNS query within the Unbound service.
After we successfully finished these tests, we updated the current nameserver resolver information on our DNS server with our new DNS service running on localhost.
Now we want to see how BIND will perform for caching DNS information. To do this, on your DNS server simply select a target website you have not visited before and use the dig
command. For example:
dig www.wikipedia.org
Having run this test, you may see a query time that results in something like the following:
;; Query time: 223 msec
Now repeat this exercise by retesting the same URL. Depending on your networking environment, this may produce the following result:
;; Query time: 0 msec
Now do it again for another website. On every repeat of the preceding command, you should not only see a reduced query time but also experience a faster response time in delivering the output. This same result will be evident in the browser refresh rate, and as a result we can say that this simple exercise has not only introduced you to Unbound but it will ultimately serve to improve the speed of your local network when surfing the World Wide Web.