A DNS cache is a temporary database that stores information about previous DNS lookups. In other words, whenever you visit a website, your OS and web browser will keep a record of the domain and the corresponding IP address. This eliminates the need for repeated queries to remote DNS servers and allows your OS or browser to quickly resolve website URLs.

However, in some situations, such as troubleshooting network problems or after changing DNS resolvers, you need to clear the DNS cache. This will clear cached DNS records and perform subsequent lookups to resolve the domain based on the newly configured DNS settings.

This article provides instructions for clearing the DNS cache on different operating systems and web browsers.

Clear/delete DNS cache in Windows

The process for clearing the DNS cache is the same for all versions of Windows. You need to open a command prompt with administrator rights and run ipconfig /flushdns.

Windows 10 and Windows 8

To clear the DNS cache on Windows 10 and 8, follow these steps:

1. Type cmd in the Windows search bar.

2. ipconfig /flushdns

   Windows 7

   To clear the DNS cache in Windows 7, follow these steps:

   1. Click on the Start button.
   2. Type cmd into the Start menu search text box.
   3. Right-click on Command Prompt and select Run as administrator. This will open a command prompt window.
   4. At the command prompt, type the following line and press Enter:

      ipconfig /flushdns

      If successful, the system will return the following message:

      Windows IP Configuration Successfully flushed the DNS Resolver Cache.

   Clear/delete DNS cache in Linux

   Linux does not have OS-level DNS caching unless a caching service such as Systemd-Resolved, DNSMasq, or Nscd is installed and running. The process for clearing the DNS cache differs depending on the distribution and caching service you use.

   Systemd Resolved

   Most modern Linux distributions, such as , use a system enabled service to cache DNS records.

   To find out if the service is running, run:

   sudo systemctl is-active systemd-resolved.service

   If the service is running the command will print active, otherwise you will see inactive.

   To clear the Systemd Resolved DNS cache, you must enter the following command.

   sudo systemd-resolve --flush-caches

   If successful, the command does not return any message.

   Dnsmasq

   Dnsmasq is a lightweight DHCP and DNS name caching server.

   If your system uses DNSMasq as a caching server, to clear the DNS cache you need to restart the Dnsmasq service:

   sudo systemctl restart dnsmasq.service

   sudo service dnsmasq restart

   Nscd

   Nscd is a caching daemon and is the DNS caching system of choice for most RedHat-based distributions.

   If your system uses Nscd, you will need to restart the Nscd service to clear the DNS cache:

   sudo systemctl restart nscd.service

   sudo service nscd restart

   Clear/delete DNS cache on MacOS

   The command to clear the cache in MacOS is slightly different depending on the version you are using. The command must be run as a user with system administrator rights (sudo user).

   To clear the DNS cache on MacOS, follow these steps:

   1. Open Finder.
   2. Go to Applications > Utilities > Terminal. This will open a terminal window.
   3. At the command prompt, type the following line and press Enter:

      sudo killall -HUP mDNSResponder

      Enter your sudo password and press Enter again. If successful, the system does not return any messages.

   For earlier versions of MacOS, the command to clear the cache is different.

   MacOS versions 10.11 and 10.9

   sudo dscacheutil -flushcache sudo killall -HUP mDNSResponder

   MacOS version 10.10

   sudo discoveryutil mdnsflushcache sudo discoveryutil udnsflushcaches

   MacOS versions 10.6 and 10.5

   sudo dscacheutil -flushcache

   Clear/delete browser DNS cache

   Most modern web browsers have a built-in DNS client that prevents duplicate queries each time you visit a website.

   Google Chrome

   To clear Google Chrome's DNS cache, follow these steps:

   1. Open a new tab and type into the Chrome address bar: chrome://net-internals/#dns.
   2. Click the Clear Host Cache button.

   If this doesn't work for you, try clearing your cache and cookies.

   1. Press CTRL+Shift+Del to open the Clear Browsing Data dialog box.
   2. Select a time range. Select "All Time" to delete everything.
   3. Check the "Cookies and other site data" and "Cached images and files" boxes.
   4. Click the "Clear data" button.

   This method should work for all Chrome-based browsers, including Chromium, Vivaldi, and Opera.

   FireFox

   To clear Firefox's DNS cache, follow these steps:

   1. In the top right corner, click the hamburger icon ☰to open the Firefox menu:
   2. Click on the ⚙ Options (Preferences) link.
   3. Click on the "Privacy and Security" or "Confidentiality" tab on the left.
   4. Scroll down to the History section and click on the Clear History...button.
   5. Select a time range to clear. Select "All" to delete everything.
   6. Select all fields and click Clear Now.

   If this doesn't work for you, try the next method and temporarily disable the DNS cache.

   1. Open a new tab and type about:config into the Firefox address bar.
   2. Find network.dnsCacheExpiration, temporarily set the value to 0 and click OK. After that, change the default value and click OK.
   3. Find network.dnsCacheEntries, temporarily set the value to 0 and click OK. After that, change the default value and click OK.

   Conclusion

   You have learned how to clear or flush the DNS cache on Windows, Linux, and MacOS operating systems.

   Linux and MacOS can use the dig command to query DNS and troubleshoot DNS issues.

   If you have any questions or feedback, feel free to leave a comment.

Every year, the speed of the Internet - both the last mile and the main channels - is becoming higher. Only one thing is constant - latency has already hit physical limits: the speed of light in optical fiber is about 200 thousand kilometers per second, and accordingly, faster than ~150ms, a response from a server across the Atlantic Ocean cannot be received in the foreseeable future (although of course there are delights, like optical fiber with air core or radio relay communication, but this is hardly accessible to mere mortals).

When we try, for example, from Russia to open a website located in the USA (its NS servers are probably there), and the domain is not found in the DNS cache of your provider, we will have to wait a long time even on a gigabit Internet, perhaps even a whole second: while we across the ocean we will receive the names of the NS servers of the domain, while we will resolve their IP, while we will send and receive the DNS request itself...

A couple of years ago, Google launched its public DNS servers, and to promote the transition to them, they developed a utility called NameBench, which runs DNS tests on your surfing history and shows how much faster Google DNS is than your provider’s DNS server.

But I managed to make my own DNS server that works faster than Google Public DNS, and in this short note I want to share the results.

PDNSD

pdnsd- caching DNS proxy. In addition to the banal caching of DNS requests (with the ability to strictly set the minimum TTL - this may be necessary on a very poor Internet), it can send a request simultaneously to several “parent” DNS servers, and give the client the first returned response.

It is the inclusion of parallel polling that gives us the main advantage in speed, because when a result is found in the cache of any of the providers, we get the result very quickly, and do not wait for a complete and slow resolution if the first provider does not have an answer in the cache.

Installed in Ubuntu using banal apt-get.

A couple of points in the config

global ( perm_cache=10240; //Maximum cache size in kilobytes. //By default it was 1024, all my records didn’t fit. cache_dir="/var/cache/pdnsd"; [...] min_ttl=60m; // Minimum time for storing an entry in the cache. //Even if the TTL arrives less than 60 minutes, it will be 60 minutes max_ttl=1w; // Maximum time for saving an entry in the cache neg_ttl=5m; //Time for caching negative responses (i.e. if the domain is not found) [..] par_queries=3; //Number of simultaneously polled "parent" DNS servers) server ( label = "main"; ip = 85.21.192.5 //There are 4 servers, if the first 3 do not respond, then a request will be sent to 4 th, 213.234.192.7 //The first 2 servers are the server of your provider, and some neighboring one, 8.8.4.4 //This is Google Public DNS - they cache everything rare and they resolve quickly, 8.8.8.8 ; [.. ] )

In principle, caching can be made less aggressive (min_ttl=1m for example), but over the course of a year of operation no special problems have arisen. In case of problems, you can optionally erase one entry from the cache:
sudo pdnsd-ctl record 3.14.by delete or all at once:
sudo pdnsd-ctl empty-cache

Test results in NameBench

We see that for 50% of requests we receive a response in less than 10ms, for 85% Google Public DNS is faster, and then the results naturally coincide with Google.

Based on the test results, NameBench happily reports to us:

8.8.8.8 Slower replica of SYS-192.167.0.98 8.8.4.4 Slower replica of SYS-192.167.0.98

Thus, a smart caching DNS proxy with parallel queries allows you to speed up even a 100-megabit Internet. And for slow (radio) links with high latency and packet loss, the difference can be like heaven and earth.

Imagine what it would be like if we had to remember IP-addresses of all websites that we use on a daily basis. Even if we had amazing memory, the process of navigating to a website would be ridiculously slow and laborious.

What about if we need to visit multiple websites or use multiple applications that reside on the same computer or virtual host? This will be one of the worst headaches imaginable - not to mention the possibility of change IP-addresses associated with the website or application without prior notice.

Just the thought of it would be enough reason to stop using the Internet or intranets after a while.

This is what a world without the Domain Name System (also known as DNS). Fortunately, this service solves all the problems mentioned above, even if the connection between IP-address and domain name changes.

For this reason, in this article we will learn how to set up and use a simple DNS-server, a service that will allow you to translate domain names into IP-addresses and vice versa.

DNS name resolutions

For small networks that are not subject to frequent changes, the file /etc/hosts can be used as a rudimentary method for determining the domain name to resolve IP-addresses.

This file, using a very simple syntax, allows you to associate a name (and/or alias) with IP-address. This is done as follows:

For example,

192.168.0.1 gateway gateway.mydomain.com 192.168.0.2 web web.mydomain.com

This way you can contact the web machine either by name web.mydomain.com, or according to her IP-address.

For large networks or those that are subject to frequent changes, using the file /etc/hosts to resolve domain names on IP-addresses will not be an acceptable solution. This is where the need for a special service arises.

Let's go behind the scenes of work DNS. DNS-server requests a large database in the form of a tree, which starts from the root ( «.» ) zones.

The following figure will help us understand what we are talking about:

The image above shows the root zone (.) contains com, edu And net first level domains. Each of these domains is (or could be) managed by different organizations to avoid dependence on one large central one. This allows you to correctly distribute queries across the hierarchy.

Let's see what happens:

1. When a client makes a request for DNS-server for web1.sales.me.com, the server sends a request to the top (root) DNS-server that forwards the request to the name server in the zone .com.

This in turn sends a request to the next level nameserver (in the zone me.com), and then to sales.me.com. This process is repeated as many times as necessary until the fully qualified domain name (FQDN, web1.sales.me.com in this example) will not be returned by the name server of the zone in which it resides.

2. In this example, the name server in sales.me.com responsible for the address web1.sales.me.com and returns the desired association for the domain name - IP and other information (if it is configured for this).

All this information is sent to the source DNS-server, which then passes it back to the client that requested it. To avoid repeating the same steps for future identical queries, the query results are stored on DNS-server. This is the important aspect for which such a setting is usually called recursive caching DNS server setup.

Installing and configuring a DNS server

IN Linux most used DNS-the server is bind(short for Berkeley Internet Name Daemon), which can be installed as follows:

# yum install bind bind-utils # zypper install bind bind-utils # aptitude install bind9 bind9utils

After we have installed bind and associated utilities, make a copy of the configuration file before making any changes:

# cp /etc/named.conf /etc/named.conf.orig # cp /etc/bind/named.conf /etc/bind/named.conf.orig

Then let's open named.conf and move on to the parameters block, where we need to specify the following settings for the recursive caching server with IP 192.168.0.18/24, which can only be accessed by hosts on the same network (as a security measure).

The forward zone options are used to specify which nameservers to query first (in the following example we're using Google's nameservers) for hosts outside of our domain:

Options ( ... listen-on port 53 ( 127.0.0.1; 192.168.0.18); allow-query ( localhost; 192.168.0.0/24; ); recursion yes; forwarders ( 8.8.8.8; 8.8.4.4; ); ... )

Outside the options block we will define our zone sales.me.com(on Ubuntu this is usually done in a separate file called named.conf.local), which displays the domain with the given IP-address and reverse zone for matching IP-addresses to the corresponding area.

However, the actual configuration of each zone will take place in separate files, as specified in the file directive ("master" means that we will only use one DNS server).

Add the following lines to the file named.conf:

Zone "sales.me.com." IN (type master; file "/var/named/sales.me.com.zone"; ); zone "0.168.192.in-addr.arpa" IN ( type master; file "/var/named/0.162.198.in-addr.arpa.zone"; );

note that inaddr.arpa(for IPv4 addresses) and ip6.arpa(for IPv6) are conventions for reverse zone configurations.

After saving the above changes to named.conf we can check for errors like this:

# named-checkconf /etc/named.conf

If any errors are found, the above command produces an informational message with the reason and the line where they are found. Otherwise it won't return anything.

Setting up DNS zones

In files /var/named/sales.me.com.zone And /var/named/0.168.192.in-addr.arpa.zone we will configure the forward (domain → IP address) and reverse (IP address → domain) zones.

Let's look at the direct configuration first:

1. At the top of the file you will find a line starting with TTL(short for Time To Live), which specifies how long a cached response should live before being replaced by the results of a new request.

In the line below we will link to our domain and indicate the email address from which notifications should be sent (please note that root.sales.me.com means ).

2. Recording SOA(Start of Authority) indicates that this system is the authoritative name server for machines within the domain sales.me.com.

If you have two nameservers (one master and one slave), the following settings are required for each domain (although this is not our case as it is not required in the exam, they are presented here for reference):

Serial used to separate one version of the zone definition file from the previous one (where parameters may have been changed). If the cached response points to an output with a different Serial, the request is executed again instead of being returned to the client.

In a setup with a slave (secondary) name server Refresh specifies the time during which the secondary server should check for a new serial number from the primary server.

Besides, Retry tells the server how often the secondary should try to contact the primary if no response is received from the primary, whereas Expire indicates when a zone definition in secondary mode is no longer valid after it is no longer possible to receive a response from the primary server, and negative TTL is the time during which a non-existent domain is not cached ( NXdomain).

3. N.S.-the entry indicates that it is authoritative DNS-server for our domain (which is indicated by the @ sign at the beginning of the line).

4. Recording A(for IPv4 addresses) or AAAA(for IPv6 addresses) resolves names to IP-addresses.

In the example below:

Dns: 192.168.0.18 (the DNS server itself) web1: 192.168.0.29 (a web server inside the sales.me.com zone) mail1: 192.168.0.28 (a mail server inside the sales.me.com zone) mail2: 192.168 .0.30 (another mail server)

5. Recording MX specifies the names of the authorized mail transfer agents (MTAs) for this domain. The hostname must be preceded by a number indicating the priority that the current mail server should have if there are two or more MTA for a domain (the lower the value, the higher the priority) in the following example, mail1 is basic, while mail2 is secondary MTA).

6. Recording CNAME sets an alias (www.web1) for the host (web1).

IMPORTANT: the presence of a point is important (.) at the end of names.

$TTL 604800 @ IN SOA sales.me.com. root.sales.me.com. (2016051101; Serial 10800; Refresh 3600; Retry 604800; Expire 604800) ; Negative TTL ; @ IN NS dns.sales.me.com. dns IN A 192.168.0.18 web1 IN A 192.168.0.29 mail1 IN A 192.168.0.28 mail2 IN A 192.168.0.30 @ IN MX 10 mail1.sales.me.com. @ IN MX 20 mail2.sales.me.com. www.web1 IN CNAME web1

Let's look at the reverse zone configuration (/var/named/0.168.192.in-addr.arpa.zone). Record SOA the same as in the previous file, while the last three lines with the entry PTR(pointer) indicate the last octet in the host address IPv4 mail1, web1 And mail2(192.168.0.28, 192.168.0.29, and 192.168.0.30, respectively).

$TTL 604800 @ IN SOA sales.me.com. root.sales.me.com. (2016051101; Serial 10800; Refresh 3600; Retry 604800; Expire 604800) ; Minimum TTL @ IN NS dns.sales.me.com. 28 IN PTR mail1.sales.me.com. 29 IN PTR web1.sales.me.com. 30 IN PTR mail2.sales.me.com.

You can check the zone files for errors:

# named-checkzone sales.me.com /var/named/sales.me.com.zone # named-checkzone 0.168.192.in-addr.arpa /var/named/0.168.192.in-addr.arpa.zone

The following screenshot shows what the expected output is:

Otherwise, you will receive an error message and advice on how to resolve it:

Once you have verified the main configuration file and zone files, restart the named service to apply the changes.

IN CentOS And openSUSE do:

# systemctl restart named

And don't forget to also include it:

# systemctl enable named

IN Ubuntu:

$ sudo service bind9 restart

Finally, you will need to edit the configuration of the main network interfaces:

In /etc/sysconfig/network-scripts/ifcfg-enp0s3 for CentOS and openSUSE ---- DNS1=192.168.0.18 ---- In /etc/network/interfaces for Ubuntu ---- dns-nameservers 192.168.0.18

Now restart the network service to apply the changes.

DNS server testing

At this point we are ready to request our DNS-server for local and external names and addresses. The following commands will return IP-address associated with the host web1:

# host web1.sales.me.com # host web1 # host www.web1

How can we find out who processes emails for sales.me.com? It's easy to find out - just request records MX for domain:

# host -t mx sales.me.com

Likewise, let's do the reverse query. This will help us find out the name IP-addresses:

# host 192.168.0.28 # host 192.168.0.29

You can try the same operations for external hosts:

To ensure that requests actually go through our DNS-server, let's enable logging:

# rndcquerylog

And check the file /var/log/messages(on CentOS and openSUSE):

# host -t mx linux.com # host 8.8.8.8

To disable logging DNS, enter again:

# rndcquerylog

IN Ubuntu To enable logging you will need to add the following independent block (same level as the options block) to /etc/bind/named.conf:

Logging ( channel query_log ( file "/var/log/bind9/query.log"; severity dynamic; print-category yes; print-severity yes; print-time yes; ); category queries ( query_log; ); );

Note that the log file must exist and be writable by name.

Results

In this article, we explained how to set up a basic recursive, caching DNS-server and how to configure zones for a domain.

To ensure the correct operation of your DNS-server, be sure to enable this service in your firewall (TCP port 53) as described in ("Configuring Iptables Firewall to Enable Remote Access to Services").

.

Cisco and Linux courses with employment!

Hurry up to apply! There are a couple of places left. Groups start July 22, and the next one August 19, September 23, October 21, November 25, December 16, January 20, February 24.

What will you get?

• We will help you become an expert in network administration and obtain international certificates Cisco CCNA Routing & Switching or Linux LPI.
• We offer a proven program and textbook from experts from Cisco Networking Academy and Linux Professional Institute, certified instructors and a personal mentor.
• We will help you find employment and build a career. 100% of our graduates are employed.

How is the training going?

• We conduct evening online lectures on our platform or study in person at the Kyiv office.
• We will ask you about a convenient time for practice and adjust: we understand that there is little time to study.
• If you want an individual schedule, we will discuss and implement it.
• We will set clear deadlines for self-organization. A personal supervisor will be in touch to answer questions, advise and motivate you to adhere to exam deadlines.

We will also help you:

The purpose of DNS is to translate domain names that are easy for humans to remember into IP addresses that computers can understand, a process called name resolution. What will installing our own caching DNS server give us? This will speed up the response of sites a little + Linux does not take NetBios names very well, but sometimes you have to find computers or printers within a local network, but you want to do it by name.

Remembering IP addresses is not convenient, and constantly looking at the log of the DHCP server is also not our method. It is for such cases that you need DNS on the local network. The installation of the bind9 package itself is not difficult; glitches usually arise at the stage of its configuration, because After easily readable system configuration files, a person is faced with an incomprehensible syntax, which, by the way, is very similar to the S programming language. the server will work inside the local network, it makes no sense to transfer it to a chroot environment and the entire setup takes very little time. With this, the lyrical part can be completed, let’s move on to installation and configuration.

Let's install the Bind9 DNS server:

# apt - get install bind9

After completion, downloading and installation, we need to edit its configuration file:

#vim /etc/bind/named. conf. options

We find the section, it is located at the very beginning of the configuration file, except for it there is nothing else there...

options ( directory "/var/cache/bind" ; // If there is a firewall between you and nameservers you want// to talk to, you may need to fix the firewall to allow multiple// ports to talk. See http://www.kb.cert.org/vuls/id/800113// If your ISP provided one or more IP addresses for stable// nameservers, you probably want to use them as forwarders.// Uncomment the following block, and insert the addresses replacing// the all-0"s placeholder. // forwarders ( // 0.0.0.0; // ); auth - nxdomain no ; # conform to RFC1035 listen - on - v6 ( any ; ); );

The forwarders section is responsible for where the DNS request for name resolution will be sent if it is not in its own database. Lately I have not been happy at all, the work of these servers with the provider is why you can connect third-party ones, for example Google ones, it is very easy to remember the IP 8.8.8.8, I will use its example to configure it, but no one bothers you to use the ones you like best.

We edit the section, first you need to remove comments from it and add third-party DNS, if there is a need to add several servers, for example, in case the Google server cannot withstand your requests and breaks down :), then the IP of other servers can be written in a column, then you can achieve greater fault tolerance.

forwarders(8.8.8.8; 193.58.251.251; //Russian DNS service -SkyDNS};

In this section it is better to enter the IP of the server that you have specified in the file /etc/resolv.conf or enter it in the section nameserver this IP. Save the changes and exit. Restart the server and check. We type in the command line nslookup mail.ru
Should output:

Non-authoritative answer: Name: mail. ru Addresses: 94.100.191.202

This suggests that our server is not the main one in servicing this zone (mail.ru), but added requests to the cache!
Now we need to create a DNS zone for our network so that machines can find various network services - there could be, for example, network printers, they can be either independent or shared on other workstations.
Our zone can be called orgname – i.e. Name of the organization.
First of all, we create a zone, for this we will edit named.conf.local

#vim /etc/bind/named. conf. local

and add the following to it:

zone "orgname" ( type master ; file "/etc/bind/db.orgname" ; );

Save and exit
Now we need to create a zone configuration file

# vim / etc / bind / db . orgname

and paste the following into it:
(Please pay close attention to the syntax of the configuration file, even the dots have meaning)

@IN SOA orgname. root. orgname. (20101015 4h; update time - 4 hours 1h; repeat every hour 1w; how long to store information - 1 week 1d); TTL (time to live) of a record is 1 day @ IN NS orgname. ; nameservername @ IN A 192.168.10.1 ; A - record - the IP address of our DNS server that serves this zone, @ means that this is the root zone. * IN CNAME @ printer IN A 192.168.10.25 ; You can create a DNS record for a network printer located at 192.168.10.25

Now, when adding a new network device, you need to do 2 things:
1) Reserve an IP address on a DHCP server, you can read about how to do this in the article - Setting up a DHCP server
2) Create a DNS zone for this IP, type devicename IN A XXX.XXX.XXX.XXX. Where: devicename is the network name of the device; XXX.XXX.XXX.XXX is its IP address which is reserved on the DHCP server.

now we need to edit the resolv.conf file

# vim / etc / resolv . conf

and enter there:

nameserver 127.0.0.1

everything that was there can be commented out by putting #
server restarts

# reboot

This was done so that the server searches for everything in its own database, and only then BIND will redirect requests to the server 8.8.8.8 IP whose IP is included in the directive forwarders.
Now you can check the functionality:
If testing takes place under Windows:

ping devicename. orgname

If we test from Linux:

ping devicename. orgname - c 4

Pings should go to the IP that you specified instead of XXX.XXX.XXX.XXX

You can also check the speed of processing requests with the command dig

# dig @127.0.0.1 tut.by ;<<>> DiG 9.9.5-9+deb8u6-Debian<<>> @127.0.0.1 tut.by ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63893 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 13, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;tut.by. IN A ;; ANSWER SECTION: tut.by. 103 IN A 178.172.160.5 tut.by. 103 IN A 178.172.160.4 tut.by. 103 IN A 178.172.160.2 tut.by. 103 IN A 178.172.160.3 ;; AUTHORITY SECTION: . 6029 IN NS i.root-servers.net. . 6029 IN NS b.root-servers.net. . 6029 IN NS m.root-servers.net. . 6029 IN NS k.root-servers.net. . 6029 IN NS e.root-servers.net. . 6029 IN NS d.root-servers.net. . 6029 IN NS j.root-servers.net. . 6029 IN NS g.root-servers.net. . 6029 IN NS l.root-servers.net. . 6029 IN NS f.root-servers.net. . 6029 IN NS h.root-servers.net. . 6029 IN NS a.root-servers.net. . 6029 IN NS c.root-servers.net. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Mar 22 16:46:24 MSK 2016 ;; MSG SIZE rcvd: 310

DNS (Domain Name System) is an important and rather difficult to configure component necessary for the operation of websites and servers. Many users use DNS servers provided by their hosting provider, but owning your own DNS servers has some advantages.

In this tutorial, you will learn how to install Bind9 and configure it as a caching or forwarding DNS server on an Ubuntu 14.04 server.

Requirements

• Understanding the basic types of DNS servers. You can find out more details at.
• Two machines, at least one of which is running Ubuntu 14.04. The first machine will be configured as a client (IP address 192.0.2.100), and the second as a DNS server (192.0.2.1).

You will learn how to configure a client machine to send queries through a DNS server.

Caching DNS server

Servers of this type are also called resolvers because they process recursive queries and can typically look up DNS data from other servers.

When a caching DNS server monitors the response to a client query, it returns the response to the client and also stores it in cache for the period of time allowed by the TTL value of the corresponding DNS records. The cache can then be used as a source of responses to subsequent requests to speed up the overall request processing time.

Almost all DNS servers in your network configuration will be caching servers. A caching DNS server is a good choice for many situations. If you don't want to rely on your hosting provider's DNS servers or other public DNS servers, set up your own caching DNS server. The shorter the distance from the DNS server to the client machines, the shorter the time it takes to service DNS requests.

Forwarding DNS server

From a client's perspective, a forwarding DNS server will look almost identical to a caching server, but the mechanisms and workload are completely different.

A forwarding DNS server has the same benefits as a caching server. However, it doesn't actually perform any recursive queries. Instead, it forwards all requests to an external resolution server and then caches the results for subsequent requests.

This allows the redirect server to serve requests from its cache without having to process recursive requests. Thus, this server only processes single requests (redirected client requests) and not the entire recursion procedure. This can be an advantage in environments with limited external bandwidth, where caching servers need to be changed frequently, and in situations where local requests need to be routed to one server and external requests to another.

1: Install Bind on the DNS server

The Bind package can be found in the official Ubuntu repository. Update your package index and install Bind using the apt manager. You also need to install a couple of dependencies.

sudo apt-get update
sudo apt-get install bind9 bind9utils bind9-doc

After this, you can begin setting up the server. The caching server configuration can be used as a template for configuring the forwarding server, so you must configure the caching DNS server first.

2: Setting up a caching DNS server

First you need to configure Bind as a caching DNS server. This configuration will force the server to recursively look for answers to client requests on other DNS servers. It will sequentially query all matching DNS servers until it finds an answer.

Bind configuration files are stored in the /etc/bind directory.

Most files do not need to be edited. The main configuration file is called named.conf (named and bind are two names for the same application). This file references the named.conf.options, named.conf.local, and named.conf.default-zones files.

To configure a caching DNS server, you only need to edit named.conf.options.

sudo nano named.conf.options

This file looks like this (comments omitted for simplicity):

options (
directory "/var/cache/bind";
dnssec-validation auto;

listen-on-v6 ( any; );
};

To set up a caching server, you need to create an access control list, or ACL.

You need to protect the DNS server that processes recursive queries from attackers. DNS amplification attacks are especially dangerous because they can involve the server in distributed denial of service attacks.

DNS amplification attacks are one way to bring down servers and websites. To do this, attackers try to find public DNS servers that process recursive queries. They spoof the victim's IP address and send a request that will return a very large response to the DNS server. In this case, the DNS server returns too much data to the victim's server in response to a small request, increasing the attacker's available bandwidth.

Hosting a public recursive DNS server requires careful configuration and administration. To prevent your server from being hacked, configure a list of IP addresses or network ranges that the server can trust.

Before the options block, add an acl block. Create a label for the ACL group (in this tutorial the group is called goodclients).

acl goodclients (
};
options (
. . .

In this block, list the IP addresses or networks that will have access to this DNS server. Since the server and client are running on the /24 subnet, you can restrict access to this subnet. You also need to unblock localhost and localnets, which connect automatically.

acl goodclients (
192.0.2.0/24;
localhost;
localnets;
};
options (
. . .

You now have a secure client ACL. You can start setting up request resolution in the options block. Add the following lines to it:

options (
directory "/var/cache/bind";
recursion yes;

. . .

The options block explicitly enables recursion and then configures the allow-query option to use the ACL. You can also use another parameter, such as allow-recursion, to refer to the ACL group. When recursion is enabled, allow-recursion will define a list of clients that can use recursive services.

However, if allow-recursion is not set, Bind falls back to the allow-query-cache list, then to the allow-query list, and finally to the default localnets and localhost lists. Since we're only setting up a caching server (it doesn't have its own zones and doesn't forward queries), the allow-query list will only ever apply to recursion. This is the most common way to define an ACL.

Save and close the file.

These are all the settings that need to be added to the caching DNS server configuration file.

Note: If you only want to use this type of DNS, proceed to check configurations, restart the service and configure your client.

3: Setting up a forwarding DNS server

If your infrastructure is more suited to a forwarding DNS server, you can adjust the setup a bit.

Currently the named.conf.options file looks like this:

acl goodclients (
192.0.2.0/24;
localhost;
localnets;
};
options (
directory "/var/cache/bind";
recursion yes;
allow-query(goodclients;);
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 ( any; );
};

You can use the same ACL to restrict the DNS server to a specific list of clients. However, this requires a slight configuration change so that the server no longer tries to execute recursive queries.

Don't change recursion to no. The redirecting server still supports recursive services. To configure a redirection server, you need to create a list of caching servers to which it will redirect requests.

This is done in the options() block. First, you need to create a new forwarders block in it, where the IP addresses of the recursive name servers to which you want to redirect requests will be stored. In this case, these will be Google DNS servers (8.8.8.8 and 8.8.4.4):

. . .
options (
directory "/var/cache/bind";
recursion yes;
allow-query(goodclients;);
forwarders (

8.8.8.8;

8.8.4.4;

};
. . .

The resulting configuration looks like this:

acl goodclients (
192.0.2.0/24;
localhost;
localnets;
};
options (
directory "/var/cache/bind";
recursion yes;
allow-query(goodclients;);
forwarders (
8.8.8.8;
8.8.4.4;
};
forward only;
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 ( any; );
};

The last change concerns the dnssec parameter. With the current configuration and depending on the settings of the DNS servers to which requests are redirected, the following errors may appear in the logs:

Jun 25 15:03:29 cache named: error (chase DS servers) resolving "in-addr.arpa/DS/IN": 8.8.8.8#53
Jun 25 15:03:29 cache named: error (no valid DS) resolving "111.111.111.111.in-addr.arpa/PTR/IN": 8.8.4.4#53

To avoid them, you need to change the dnssec-validation parameter to yes and explicitly enable dnssec.

. . .
forward only;
dnssec-enable yes;
dnssec-validation yes;
auth-nxdomain no; # conform to RFC1035
. . .

Save and close the file. The forwarding DNS server setup is complete.

4: Check settings and restart Bind

Now you need to make sure that the settings work as expected.

To check the syntax of the configuration files, enter:

sudo named-checkconf

If there are no errors in the files, the command prompt will not display any output.

If you receive an error message, correct it and test again.

You can then restart the Bind daemon to update the settings.

sudo service bind9 restart

Then you need to check the server logs. Run the command on the server:

sudo tail -f /var/log/syslog

Now open a new terminal and start setting up the client machine.

5: Client Setup

Login to the client machine. Verify that the client was listed in the ACL group of the configured DNS server. Otherwise, the DNS server will refuse to serve requests from this client.

Edit the /etc/resolv.conf file to point the server to a nameserver.

Changes made here will only persist until a reboot, which is great for testing. If you are satisfied with the results of the test settings, you can make these settings permanent.

Open the file with sudo in a text editor:

sudo nano /etc/resolv.conf

The file needs to list the DNS servers that will be used to resolve queries. To do this, use the nameserver directive. Comment out all current entries and add a nameserver line pointing to your DNS server:

nameserver 192.0.2.1
# nameserver 8.8.4.4
# nameserver 8.8.8.8
# nameserver 209.244.0.3

Save and close the file.

You can now send a test request to make sure it resolves correctly.

You can use ping for this:

ping -c 1 google.com
PING google.com (173.194.33.1) 56(84) bytes of data.
64 bytes from sea09s01-in-f1.1e100.net (173.194.33.1): icmp_seq=1 ttl=55 time=63.8 ms
--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 63.807/63.807/63.807/0.000 ms