Caching only name server Bind 9

Setting up a caching server for local client machines will reduce the load on the site’s primary server. A caching-only name server finds the answer to a name query and remembers it, so the next time the same name is needed the answer is returned from cache, which shortens the waiting time significantly. For security reasons, it is very important that DNS doesn’t exist between hosts on the corporate network and external hosts; it is far safer to simply use IP addresses to connect to external machines from the corporate network and vice versa. This tutorial can be used for CentOS, RHEL, etc.

In our configuration and installation we’ll run BIND/DNS as a non-root user and in a chrooted environment. We can have three different configurations:

  • one for a simple caching-only name server (client)
  • one for a slave (secondary) name server
  • one for a master (primary) name server

The simple caching name server configuration will be used for your servers that don’t act as a master or slave name server, and the slave and master configurations will be used for the servers that act as master and slave name servers respectively. Usually one of your servers acts as master, another acts as slave, and the rest act as simple caching-only client name servers.

This is a graphical representation of the DNS configuration we use in this tutorial; it illustrates the different settings.

Caching only name server

Caching-only name servers are servers that are not authoritative for any domain except the loopback zone 0.0.127.in-addr.arpa (localhost). A caching-only name server can look up names inside and outside your zone, as can primary and slave name servers. The difference is that when a caching-only name server first looks up a name within your zone, it ends up asking one of the primary or slave name servers for your zone for the answer.

To configure the /var/named/etc/named.conf file for a simple caching name server, use the following configuration on all servers that don’t act as a master or slave name server. Setting up a simple caching server for local client machines will reduce the load on the network’s primary server; many users on dial-up connections also use this configuration with BIND for the same purpose. After installing the package, create the named.conf file and add the lines shown below.

Installing caching only name server

# yum install bind-chroot -y

Configuring caching only name server

# vi /var/named/etc/named.conf
options {
        directory "/var/named";
        forwarders { 208.164.186.1; 208.164.186.2; };
        forward only;
};

//
// a caching only nameserver config
//
zone "." in {
        type hint;
        file "db.cache";
};

zone "0.0.127.in-addr.arpa" in {
        type master;
        file "db.127.0.0";
};

In the forwarders line, 208.164.186.1 and 208.164.186.2 are the IP addresses of your primary (master) and secondary (slave) DNS servers. They can also be the IP addresses of your ISP’s DNS server and another DNS server, respectively.

Important Note: To improve the security of your BIND/DNS server you can stop it from even trying to contact an off-site server when its forwarder is down or doesn’t respond. With the forward only option set in your named.conf file, the name server doesn’t try to contact other servers to find the information if the forwarder doesn’t give it an answer.

To configure the /var/named/db.127.0.0 file for a simple caching name server, you can use this configuration on all machines on your network that don’t act as a master or slave name server. The db.127.0.0 file covers the loopback network. Create the file /var/named/db.127.0.0 and add the following lines to it:

# vi /var/named/db.127.0.0
$TTL 345600
@       IN      SOA     localhost. root.localhost.  (
                        00              ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        2592000         ; Expire
                        345600 )        ; Minimum
        IN      NS      localhost.

1       IN      PTR     localhost.

Configure the /var/named/db.cache file for a simple caching name server before starting your DNS server. You must obtain a copy of the db.cache file and place it in the /var/named/ directory. The db.cache file tells your server where the servers for the root zone are.
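Before starting named it is worth verifying that the two files above actually say what the tutorial intends: that the options block restricts resolution to the listed forwarders with forward only (the weak alternative, forward first, lets named fall back to contacting off-site servers itself), and that the loopback zone carries an SOA and the PTR for 127.0.0.1. The script below is an added example, not part of the original tutorial or of BIND; the file paths are arguments, so the functions can be pointed at /var/named/etc/named.conf and /var/named/db.127.0.0, and the sample files it creates under a temporary directory are constructed copies of the two configurations shown above.

```shell
#!/bin/sh
# Added example: offline sanity checks for a caching-only BIND setup.
# Not part of the original tutorial; it needs only sed, grep and tr.

# Return 0 when the config forwards to at least one IPv4 forwarder and
# uses "forward only". "forward first" (or no forward statement) is
# reported as weak: named would recurse to other servers on its own
# whenever the forwarders fail to answer.
check_named_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # Drop // comments and join lines so multi-line blocks match too.
    body=$(sed 's#//.*$##' "$conf" | tr '\n' ' ')
    if ! printf '%s\n' "$body" | grep -Eq 'forwarders[[:space:]]*[{][^}]*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'; then
        echo "$conf: no forwarders block with an IPv4 address"; return 1
    fi
    if printf '%s\n' "$body" | grep -Eq 'forward[[:space:]]+first[[:space:]]*;'; then
        echo "$conf: 'forward first' falls back to off-site servers; use 'forward only'"; return 1
    fi
    if ! printf '%s\n' "$body" | grep -Eq 'forward[[:space:]]+only[[:space:]]*;'; then
        echo "$conf: 'forward only' is missing"; return 1
    fi
    echo "$conf: forward-only configuration OK"
}

# Return 0 when the loopback zone file has an SOA for localhost. and a
# PTR mapping 1 (127.0.0.1) back to localhost.
check_loopback_zone() {
    zone="$1"
    [ -r "$zone" ] || { echo "cannot read $zone"; return 1; }
    body=$(sed 's/;.*$//' "$zone")   # strip ; comments
    printf '%s\n' "$body" | grep -Eq 'IN[[:space:]]+SOA[[:space:]]+localhost\.' \
        || { echo "$zone: SOA record missing"; return 1; }
    printf '%s\n' "$body" | grep -Eq '^[[:space:]]*1[[:space:]]+IN[[:space:]]+PTR[[:space:]]+localhost\.' \
        || { echo "$zone: PTR for 1 (127.0.0.1) missing"; return 1; }
    echo "$zone: loopback zone OK"
}

# Print the SOA serial: the first number after the opening parenthesis.
zone_serial() {
    sed 's/;.*$//' "$1" | tr '\n' ' ' \
        | sed -E 's/.*SOA[^(]*\([[:space:]]*([0-9]+).*/\1/'
}

# Constructed sample files mirroring the tutorial's named.conf and
# db.127.0.0, so the checks can run without a BIND installation.
TMPD=$(mktemp -d)
GOOD_CONF="$TMPD/named.conf"
WEAK_CONF="$TMPD/named-weak.conf"
ZONE="$TMPD/db.127.0.0"
cat > "$GOOD_CONF" <<'EOF'
options {
        directory "/var/named";
        forwarders { 208.164.186.1; 208.164.186.2; };
        forward only;
};
// a caching only nameserver config
zone "." in { type hint; file "db.cache"; };
zone "0.0.127.in-addr.arpa" in { type master; file "db.127.0.0"; };
EOF
# The same config with the weak setting the tutorial warns against.
sed 's/forward only;/forward first;/' "$GOOD_CONF" > "$WEAK_CONF"
cat > "$ZONE" <<'EOF'
$TTL 345600
@       IN      SOA     localhost. root.localhost.  (
                        00              ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        2592000         ; Expire
                        345600 )        ; Minimum
        IN      NS      localhost.
1       IN      PTR     localhost.
EOF

check_named_conf "$GOOD_CONF"
check_named_conf "$WEAK_CONF" || true   # expected to be reported as weak
check_loopback_zone "$ZONE"
echo "SOA serial: $(zone_serial "$ZONE")"
```

These are pattern checks, not a BIND parser; on the server itself run named-checkconf on the named.conf file and named-checkzone 0.0.127.in-addr.arpa /var/named/db.127.0.0 as the authoritative syntax checks before starting the service.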

Start named service

We will now start the named service and also enable it so that it can start automatically on reboot.

# systemctl enable named
# systemctl start named

Use the following command on another Unix computer in your organization to query for a new db.cache file for your DNS server, or pick one from your Red Hat Linux CD-ROM source distribution:

[root@makeuseoflinux]# dig @a.root-servers.net . ns > db.cache

BIND/DNS in a chroot jail

The main benefit of a chroot jail is that the jail will limit the portion of the file system the DNS daemon program can see to the root directory of the jail. Additionally, since the jail only needs to support DNS, the programs related to ISC BIND/DNS available in the jail can be extremely limited. Most importantly, there is no need for setuid-root programs, which can be used to gain root access and break out of the jail.

Conclusion

We have now set up and configured a caching-only name server using BIND DNS. Clients get name resolution from the caching-only server instead of from the primary DNS servers, reducing the load and the number of queries on the primary master DNS server.
