Using Bind as a local DNS-proxy

This page contains basic instructions, and links to more elaborate sites, explaining how to install and start a BIND9 DNS-caching service on your own Debian server.

Why?
Using your own DNS can be faster. It is also a good way of understanding how DNS works. For me, one other reason was that at some point my provider’s DNS was malfunctioning for some hours. The network was clearly working, since I could just use IP numbers to go to various sites on the internet. I then decided to set up a DNS cache to avoid such dependency.

How?
On Debian, installing Bind9 via Apt is done using:

apt-get install bind9 dnsutils bind9-doc resolvconf ufw

This installs BIND and some other utilities that can come in handy.
To start bind:

/etc/init.d/bind9 start

After the default installation BIND will be added to the default start-up sequence.

After this the basic functionality should be installed.
To use the local version of BIND you should edit /etc/resolv.conf and point it to localhost, 127.0.0.1.
BIND will automatically listen on port 53, the default DNS port.
Test this using:

dig debian.org

This should give domain information about debian.org (in this example), and it should list the local server (your server) in one of the last lines.

Example output:

/home# dig debian.org

; <<>> DiG 9.5.1-P2 <<>> debian.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<-- opcode: QUERY, status: NOERROR, id: 53825
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

;; QUESTION SECTION:
;debian.org. IN A

;; ANSWER SECTION:
debian.org. 544 IN A 194.109.137.218
debian.org. 544 IN A 128.31.0.51

;; AUTHORITY SECTION:

debian.org. 1744 IN NS raff.debian.org.
debian.org. 1744 IN NS rietz.debian.org.
debian.org. 1744 IN NS klecker.debian.org.

;; ADDITIONAL SECTION:
klecker.debian.org. 1744 IN AAAA 2001:888:2000:12::2

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 19 16:26:40 2009
;; MSG SIZE rcvd: 149

/home#

The query time (in one of the last lines) is probably in the order of hundreds of milliseconds for the first query.
Repeating the same query will give a low query time (0 or 1 ms), since the entry has now been cached locally; this is the easiest way to see that the BIND cache works.

For more on the configuration you can look at this more extensive 'how-to'.

Switch Logging on:
To switch on BIND9 query logging, in order to see all queries in your log files, use:

rndc querylog

You can then view the system log (including the DNS queries) using:

cat /var/log/syslog

Allow other computers to use your dns server
To allow other computers to use your DNS server, you have to add the following 'allow-query' option to your /etc/bind/named.conf.options configuration file (replace SomeIP by an IP address or an IP range):

allow-query { SomeIP ; 127.0.0.1; };

127.0.0.1 allows queries from your localhost. Adding other IP addresses or ranges allows other computers to use your server. An obvious use is adding 192.168.0.0/24, which allows other machines on your local network to use your local DNS server.

Block others from using your dns server
In the same way, if the configuration is set to 'allow-query { any; };', others can be blocked from using your DNS server by removing 'any' and replacing it with individual IP addresses or, for example, the local IP range.
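As an added example (not from the original post), the following Python script reads the 'allow-query' option out of a named.conf.options fragment and evaluates it the way BIND evaluates an address match list (first matching element wins, a leading '!' negates), so you can check whether a given client would be answered and whether the resolver is open to the whole internet. The two configuration fragments are constructed samples, not the author's file; the probe address 203.0.113.7 is an assumption taken from the TEST-NET-3 documentation range.

```python
import ipaddress
import re

# Constructed samples of the relevant part of /etc/bind/named.conf.options:
# the weak setting from the post next to the restricted one.
OPEN_CONF = "options {\n    allow-query { any; };\n};\n"
LOCAL_CONF = "options {\n    allow-query { 192.168.0.0/24; 127.0.0.1; };\n};\n"


def parse_allow_query(conf):
    """Return the elements of the allow-query address match list, in order,
    or None when the option is not present at all."""
    m = re.search(r"allow-query\s*\{([^}]*)\}\s*;", conf)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def query_allowed(elements, client_ip):
    """Evaluate a BIND address match list for one client address:
    elements are tried in order, the first match decides, a leading '!'
    turns a match into a deny, and no match at all means denied."""
    ip = ipaddress.ip_address(client_ip)
    for elem in elements:
        negate = elem.startswith("!")
        target = elem.lstrip("!").strip()
        if target == "any":
            hit = True
        elif target == "none":
            hit = False
        else:
            # single addresses and CIDR ranges; a mismatched IP version never matches
            hit = ip in ipaddress.ip_network(target, strict=False)
        if hit:
            return not negate
    return False


def is_open_resolver(conf):
    """True when an arbitrary internet address would be answered.
    A missing allow-query is treated as open, which is BIND 9's default."""
    elements = parse_allow_query(conf)
    if elements is None:
        return True
    # probe with an address outside the private ranges (assumed TEST-NET-3 address)
    return query_allowed(elements, "203.0.113.7")


if __name__ == "__main__":
    for name, conf in (("any", OPEN_CONF), ("local only", LOCAL_CONF)):
        print(name, "-> open resolver:", is_open_resolver(conf))
```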

This entry was posted in Linux, Networking.