
Configuring Bind9 with ACL for Dynamic DNS Redirection


When managing a local network, you may face the problem of directing clients to the correct address for a resource: local clients should get the local address, external clients the external one. DNS configuration can get complicated here, and with several subnets it gets harder still. Bind9 solves this with access control lists (ACLs) combined with views, a setup commonly known as split-horizon DNS. Let's look at how it is configured.

Setting Up Bind9 on Ubuntu Server 16.04

  1. Initial setup:

  • Start with a fresh Ubuntu Server 16.04 installation.
  • Switch to the superuser and update the system:

sudo su
apt update
apt upgrade

  2. Install Bind9:

apt install bind9

  3. Organize the configuration files:

  • Create one directory for the zone files served to internal clients and one for the zone files served to external clients:

mkdir /etc/bind/internals
mkdir /etc/bind/externals

Creating Zone Configurations

For internal clients:

  1. Create the zone file. Replace "test.loc" with your domain name:

nano /etc/bind/internals/test.loc

  2. Enter the following records:

; test.loc
$TTL    604800
@       IN      SOA     ns1.test.loc. root.test.loc. (
                     2006020201 ; Serial
                         604800 ; Refresh
                          86400 ; Retry
                        2419200 ; Expire
                         604800); Negative Cache TTL
;
@       IN      NS      ns1
        IN      A       192.168.1.201
ns1     IN      A       1.2.3.4
*       IN      A       192.168.1.201
@       IN      A       192.168.1.201

Here 192.168.1.201 is the address of the internal resource, and 1.2.3.4 is the real (public) address of the DNS server itself, ns1.

For external clients:

  1. Create the zone file:

nano /etc/bind/externals/test.loc

  2. Enter the following records:

; test.loc
$TTL    604800
@       IN      SOA     ns1.test.loc. root.test.loc. (
                     2006020201 ; Serial
                         604800 ; Refresh
                          86400 ; Retry
                        2419200 ; Expire
                         604800); Negative Cache TTL
;
@       IN      NS      ns1
        IN      A       1.2.3.5
ns1     IN      A       1.2.3.4
*       IN      A       1.2.3.5
@       IN      A       1.2.3.5

Here 1.2.3.5 is the external (public) address of the resource; ns1 keeps the same address as in the internal zone.

Adjusting Bind for Client Address Resolution

  1. Open the main local configuration file:

nano /etc/bind/named.conf.local

  2. Replace its content with the following structure, which handles internal and external requests separately:

acl internals {
    127.0.0.0/8;
    192.168.1.121/32;
};

view "internal" {
    match-clients { internals; };
    recursion yes;
    zone "test.loc" {
        type master;
        file "/etc/bind/internals/test.loc";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "test.loc" {
        type master;
        file "/etc/bind/externals/test.loc";
    };
};

Here, acl internals is our access list; you can define as many such lists as you need. It names the client addresses or networks (single hosts or whole network prefixes in CIDR notation) that should receive the local resource address.
view "internal" handles clients whose source address matches the internals list.
view "external" handles every other client.
Views are tried in the order they appear in the file, and the first view whose match-clients accepts the query's source address wins, so the internal view must come before the catch-all external one. Note also that once views are used, every zone must be declared inside a view; a zone left at the top level of the configuration is a configuration error.
Also pay attention to the parameters recursion no; and recursion yes;. A server that answers recursive queries for anyone (an open resolver) can be abused for reflection and amplification attacks against third parties and is more exposed to cache poisoning. If this server is not meant to be the resolver for your clients, keep recursive queries disabled.
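To make the view selection tangible, here is a small added example (not code from the article) that models how BIND walks the match-clients lists in order and which A record each view's zone file then returns. It uses only the addresses from the configuration above, so it also shows the caveat that an internal host not listed in the acl (for instance 192.168.1.50) lands in the external view; to cover the whole subnet you would list a prefix such as 192.168.1.0/24 instead of a single /32. The wildcard handling is simplified compared with real DNS wildcard rules.

```python
"""Added example, not code from the article: a small model of how BIND 9
chooses a view for a client (first matching "match-clients" wins) and what
A record each view's zone file returns. Only the addresses from the article
are used; ipaddress is from the standard library."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# The acl from named.conf.local. Entries follow BIND address-match-list
# syntax: CIDR prefixes, "any", "none", another acl's name, or "!" to negate.
ACLS: Dict[str, List[str]] = {
    "internals": ["127.0.0.0/8", "192.168.1.121/32"],
}

# Views in configuration order with their match-clients list and the A records
# of test.loc from the corresponding zone file ("@" is the apex, "*" the wildcard).
VIEWS: List[Tuple[str, List[str], Dict[str, str]]] = [
    ("internal", ["internals"], {"@": "192.168.1.201", "ns1": "1.2.3.4", "*": "192.168.1.201"}),
    ("external", ["any"],       {"@": "1.2.3.5",       "ns1": "1.2.3.4", "*": "1.2.3.5"}),
]
ZONE = "test.loc"


def acl_match(client: str, entries: List[str]) -> Optional[bool]:
    """Walk an address-match list the way BIND does: the first element that
    matches decides, and "!" turns that decision into a rejection. Returns
    None when no element matches. A negative match inside a nested acl does
    not count as a match of the outer element, so the walk simply continues."""
    addr = ipaddress.ip_address(client)
    for entry in entries:
        negate = entry.startswith("!")
        item = entry.lstrip("!").strip()
        if item == "any":
            hit = True
        elif item == "none":
            hit = False
        elif item in ACLS:
            hit = acl_match(client, ACLS[item]) is True
        else:
            hit = addr in ipaddress.ip_network(item, strict=False)
        if hit:
            return not negate
    return None


def select_view(client: str) -> str:
    """Return the name of the first view whose match-clients accepts the client."""
    for name, clients, _ in VIEWS:
        if acl_match(client, clients) is True:
            return name
    raise LookupError("no view matches %s; BIND would not answer" % client)


def resolve_a(client: str, qname: str) -> str:
    """Answer an A query for qname from the zone file of the view the client lands in."""
    view = select_view(client)
    records = next(r for n, _, r in VIEWS if n == view)
    name = qname.rstrip(".").lower()
    if name == ZONE:
        label = "@"
    elif name.endswith("." + ZONE):
        label = name[: -len(ZONE) - 1]
    else:
        raise LookupError("%s is not in zone %s" % (qname, ZONE))
    # Exact owner name first; otherwise the wildcard record answers (simplified).
    return records.get(label, records["*"])


if __name__ == "__main__":
    for who, q in [("192.168.1.121", "www.test.loc"), ("203.0.113.7", "www.test.loc"),
                   ("192.168.1.50", "www.test.loc")]:
        print(who, "->", select_view(who), resolve_a(who, q))
```

Running the block prints which view each sample client lands in and the address it would receive; the third client, 192.168.1.50, is on the internal network but not in the acl and therefore gets the external address, which is the most common surprise with this setup.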

Enabling Logging (Optional)

Logging can assist in troubleshooting. Here's how to enable it:

  1. Create the log directory and the log files, and make them writable by the bind user. The directory itself must be owned by bind as well, otherwise the "versions 4" rotation configured below cannot rename the files:

mkdir /var/log/named/
touch /var/log/named/misc.log
touch /var/log/named/query.log
chmod 664 /var/log/named/*
chown bind:bind /var/log/named /var/log/named/*

  2. Add a logging block to named.conf:

nano /etc/bind/named.conf

logging {
    channel "misc" {
        file "/var/log/named/misc.log" versions 4 size 4m;
        print-time yes;
        print-severity yes;
        print-category yes;
    };

    channel "query" {
        file "/var/log/named/query.log" versions 4 size 4m;
        print-time yes;
        print-severity no;
        print-category no;
    };

    category default {
        "misc";
    };

    category queries {
        "query";
    };
};

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
//include "/etc/bind/named.conf.default-zones";

  3. Restart Bind9 and check its status (it is worth validating the configuration first with named-checkconf and the zone files with named-checkzone, both shipped with the bind9 utilities, since a syntax error leaves the service stopped). Assigning a channel to the queries category is enough to turn query logging on; no separate querylog option is needed. The default zones include is commented out because, with views in use, zones declared outside a view are rejected:

/etc/init.d/bind9 restart
systemctl status bind9
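With query logging enabled, the log is also the place to see whether outside clients are trying to use this server as a recursive resolver, which ties back to the recursion warning above. The following added example (not code from the article) parses query.log lines in the BIND 9.10 format produced by the channel above (print-time yes, print-severity no, print-category no) and counts recursion-desired queries for names outside test.loc that come from clients not in the internals acl, plus ANY queries, which are the classic amplification vector. The sample log lines are constructed for the example and use documentation address ranges.

```python
"""Added example, not code from the article: parse the query.log lines that
the logging block above produces and flag external clients that ask this
server to recurse. The log lines below are constructed for the example in
the BIND 9.10 format (print-time yes, print-severity no, print-category no)."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Same acl as named.conf.local, and the zone this server is authoritative for.
INTERNALS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.121/32")]
AUTH_ZONES = ("test.loc",)

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
28-Feb-2017 10:15:01.123 client 192.168.1.121#51234 (www.test.loc): query: www.test.loc IN A +E (192.168.1.201)
28-Feb-2017 10:15:02.456 client 203.0.113.7#40001 (www.test.loc): query: www.test.loc IN A -E (1.2.3.5)
28-Feb-2017 10:15:03.789 client 203.0.113.7#40002 (example.com): query: example.com IN A + (1.2.3.5)
28-Feb-2017 10:15:04.001 client 198.51.100.9#5353 (isc.org): query: isc.org IN ANY +E (1.2.3.5)
this line is not a query log entry
28-Feb-2017 10:15:05.200 client 192.168.1.121#51235 (example.com): query: example.com IN A +E (192.168.1.201)
"""

# "client" may be followed by "@0x<pointer>" in newer BIND releases; both forms parse.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+) "
    r"\((?P<qn>[^)]*)\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<dst>[^)]+)\)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one query-log line into its fields; None for lines that are not queries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    # First flag character: '+' means the RD (recursion desired) bit was set, '-' not.
    rec["rd"] = str(rec["flags"])[0] == "+"
    rec["qname"] = str(rec["qname"]).rstrip(".").lower()
    return rec


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNALS)


def in_authoritative_zone(qname: str) -> bool:
    return any(qname == z or qname.endswith("." + z) for z in AUTH_ZONES)


def audit(lines: List[str]) -> Dict[str, object]:
    """Count, per client, recursion attempts from outside the acl and ANY queries."""
    recursion_attempts: Counter = Counter()
    any_queries: Counter = Counter()
    parsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        ip = str(rec["ip"])
        # Internal clients may recurse; external ones may only ask about our own zones.
        if rec["rd"] and not is_internal(ip) and not in_authoritative_zone(str(rec["qname"])):
            recursion_attempts[ip] += 1
        if rec["qtype"] == "ANY":
            any_queries[ip] += 1
    return {
        "parsed": parsed,
        "recursion_attempts": dict(recursion_attempts),
        "any_queries": dict(any_queries),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LOG.splitlines()))
```

Because the external view has recursion no, those clients only receive REFUSED, so a handful of such lines is harmless; a steady stream from the same sources is the signal that the server is being probed or used as a reflector and is worth a firewall rule. To run it on the real file, pass the lines of /var/log/named/query.log to audit() instead of the sample.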

Takeaways

When you need Bind9 to return different addresses to different subnets, ACLs combined with views give you a flexible solution. Keep in mind that the match is made on the source address of the query: a client configured to use a third-party DNS server reaches you through that server's address and therefore falls into the external view, so the split only works for clients that query this server directly. And be cautious with recursive queries; an open recursive server can be abused against you and against others.
