Every network communication between computers can only be made through the use of unique IP addresses to identify the exact endpoints of the communication. For the human brain, numbers are always harder to remember and work with than assigning names to things. Therefore, IT pioneers started in the early 70s to invent systems for translating names to physical network addresses using files and later simple databases. In modern computer networks and on the Internet, the relationship between the name of a computer and an IP address is defined in the Domain Name System (DNS) database. It is a worldwide distributed system and provides the domain name to IP address resolution and also the reverse, that is IP address to domain name resolution. DNS is a big subject, and it is the purpose of this process to provide the perfect starting point by showing you how to install and setup your own caching-only and forwarding nameserver. Here we will use Unbound, which is a highly secure and fast recursive and caching DNS server solution, and therefore our preferred choice. But you need to remember that Unbound cannot be used as a fully authoritative DNS server (which means that it provides its own domain name resolution records) we will use the popular BIND server for this in a later process. A caching-only DNS server will serve to forward all the name resolution queries to a remote DNS server. Such a system has the intention of speeding up general access to the Internet by caching the results of any domain resolution request made. When a caching DNS server tracks down the answer to a client’s query, it returns the answer to the client. However, it also stores the answer in its cache for a specific period of time. The cache can then be used as a source for subsequent requests in order to speed up the total round-trip time.
To Start With: What Do You Need?
To complete this process, you will require a working installation of the CentOS 7 operating system with root privileges, a static IP address, and a console-based text editor of your choice. An Internet connection will be required to download additional packages. In this example, our DNS server runs in a private network with the network address 192.168.1.0/24.
The Process
In this process, we will first configure a caching-only and then a forwarding only DNS server.
Configuring a caching-only Unbound DNS server
In this section, we will consider the role of Unbound as a caching-only nameserver, handling recursive DNS requests to the other remote DNS servers and caching the query for a certain time period to improve the response time when the server is asked for the same name resolution again:
- To begin, log in as root and install the required packages by typing:
yum install unbound bind-utils
- Now make a copy of the unbound configuration file so we can revert our changes later, and then open it in your favorite text editor:
cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.BAK
vi /etc/unbound/unbound.conf - Scroll down to find the following line: # interface: 0.0.0.0 Remove the # sign to uncomment it (activate it), so it reads as follows:
interface: 0.0.0.0
- Next, scroll down to find the line # access-control: 127.0.0.0/8 allow. Uncomment the line to activate it and change the network address to fit your needs:
access-control: 192.168.1.0/24 allow
- Save and close the file, and then create an RSA keypair with certificates for secure DNSSEC support before you check the correctness of the changed configuration file:
unbound-control-setup && unbound-checkconf
- Next, open the DNS service in your firewalld configuration on your server because we want to be able to use our new DNS service from other clients in the network for querying as well:
firewall-cmd --permanent --add-service dns && firewall-cmd --reload
- Now ensure the service will be available at boot and start it afterwards:
systemctl enable unbound && systemctl start unbound
- To test if we can reach our Unbound DNS server and make queries, execute the following command from the same server running our Unbound DNS service locally, which should give back the IP
address of www.packtpub.com :
nslookup www.packtpub.com 127.0.0.1 - For a more detailed view of the request you can also run locally on the DNS server:
unbound-host -d www.packtpub.com
- From any other client in the network (needs bind-utils installed), you can query any public domain name using our new DNS server as well. For example, if our DNS server has the IP 192.168.1.7:
nslookup www.packtpub.com 192.168.1.7
- Finally, let us use our new nameserver on the server itself. To do this, open the following file with your favorite text editor after you have made a backup copy:
cp /etc/resolv.conf /etc/resolv.conf.BAK; vi /etc/resolv.conf
- Remove all the current nameserver references and replace them with the following:
nameserver 127.0.0.1
Note
If you have set some DNS server information in your network-scripts interface (for example, when configuring a static IP address), you will want to review the /etc/sysconfig/network-scripts/ifcfg-XXX file and modify the current DNS reference to read as DNS1=127.0.0.1 as well.
Configuring a forwarding only DNS server
Now after we have successfully configured our first caching BIND DNS server, here we will show you how to transform it into a forwarding DNS server which will reduce the total bandwidth for resolving hostnames in comparison to the caching-only solution:
- Open BIND’s main configuration file again:
vi /etc/unbound/unbound.conf
- Add the following lines to the end of the file:
forward-zone: name: "." forward-addr: 8.8.8.8
- Next, check the correctness of your new configuration file and restart the service:
unbound-checkconf && systemctl restart unbound
- Finally, test your new forwarding DNS server using the tests from the preceding caching DNS server section.
How Does It Work?
In this process, we have installed a caching-only Unbound DNS server with the basic aim of improving the responsiveness of our overall network by caching the answers to any name-based queries. Using such a process will shorten the waiting time on any subsequent visit to the same location. It is a feature that is particularly useful in saving bandwidth if you happen to be managing a large, busy, or slow network. It does not have its own domain name resolution feature but uses its default root domain’s DNS servers in order to perform this task (to learn more about the root domain, see later). Also, as we have seen, you can easily transform your caching nameserver into a pure forwarding system as well. While a caching DNS server makes recursive requests to several associated DNS servers and constructs the complete name resolution result from those multiple requests, a forwarding DNS delegates the complete recursive DNS search to another resolving DNS server which executes the complete search instead. This saves even more bandwidth for our DNS server because only single network requests to communicate with the remote resolving server are made instead of multiple when using the caching-only DNS service.
So what did we learn from this experience?
We started this process by installing the necessary packages. This included the main DNS server program called Unbound and a reference to bind-utils, a small package that enables you to run many different DNS related network tasks, such as dig, nslookup, and host. The next step was to begin making the necessary configuration changes by editing Unbound’s main configuration after we made a simple backup of the original file. Since after installation the default DNS server is completely restricted to doing everything locally only, our main purpose was to adjust the server to make connections from the outside possible. We began this process by allowing the DNS server to listen to all the available network interfaces using the interface directive and afterwards defined who on the network was allowed to make requests to our DNS server by setting allow-query to our local network. This means we allowed anyone in our subnetwork to make DNS resolution requests to our server.
At this point we created the RSA keypair with the unbound-control-setup tool, which is needed for the unbound-checkconf command to work. The generated keys and certificate are important if we want to use Unbound’s DNS Security Extensions (DNSSEC) features which help protect DNS data by providing authentication of origin using digital signatures (configuring DNSSEC is outside the scope of this division. To learn more, consult the Unbound configuration manual: man unbound.conf). Afterwards, we used the unbound-checkconf command, which was necessary to confirm that Unbound’s configuration file was syntactically correct. If the output of the command is empty, there are no errors in the file. We then proceeded by adding the predefined dns firewalld service to our default firewall, thus allowing the other computer systems in our local network to access the DNS server using port 53. Finally, we activated Unbound at boot time and started the service.
Of course, to complete this process we then tested if our new DNS server worked as expected in resolving domain names to IP addresses. We ran a simple nslookup query locally on the server and also from the other computers in the same network to see if our new DNS service was reachable from the outside. When using nslookup without any additional parameters, the program will use the default DNS server resolver known to the system (on CentOS 7 this is defined in /etc/resolv.conf) to resolve our hostnames, so we added another parameter addressing our alternative DNS server we want to query instead (127.0.0.1). For successful testing, the output must contain the resolved IP address of the www.packtpub.com server. On the DNS server, you could also use the unbound-host -d command to get a more technical view of the DNS query within the Unbound service.
After we successfully finished these tests, we updated the current nameserver resolver information on our DNS server with our new DNS service running on localhost.
There's more…
Now we want to see how BIND will perform for caching DNS information. To do this, on your DNS server simply select a target website you have not visited before and use the dig command. For example:dig www.wikipedia.org
Having run this test, you may see a query time that results in something like the following:;; Query time: 223 msec
Now repeat this exercise by retesting the same URL. Depending on your networking environment, this may produce the following result:;; Query time: 0 msec
Now do it again for another website. On every repeat of the preceding command, you should not only see a reduced query time but also experience a faster response time in delivering the output. This same result will be evident in the browser refresh rate, and as a result, we can say that this simple exercise has not only introduced you to Unbound but it will ultimately serve to improve the speed of your local network when surfing the World Wide Web.