Localhost resolver - jhu-information-security-institute/infrastructure GitHub Wiki
Resolver on Kali
$ sudo apt-get install bind9 bind9utils bind9-doc bind9-host dnsutils resolvconf
Ensure /etc/default/named contains:
#
# run resolvconf?
RESOLVCONF=no
# startup options for the server
OPTIONS="-u bind -4"
Ensure /etc/bind/named.conf contains the following. The acl must come before the includes: named reads the file top to bottom and does not allow forward references, so an allow-query or allow-recursion statement in named.conf.options that names an ACL not yet defined fails with "undefined ACL 'internals'":
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
// Networks allowed to use this resolver:
// localhost, netsec-docker.isi.jhu.edu, netsec.isi.jhu.edu, mssi-lab.isi.jhu.edu
acl internals { 127.0.0.0/8; 192.168.25.0/24; 172.16.0.0/24; 192.168.200.0/24; };
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
Ensure /etc/bind/named.conf.options contains the following (replace 192.168.50.1 with your internet gateway). Note that dnssec-validation no turns off DNSSEC validation for every answer this resolver returns, not only for the lab zones, and that querylog yes writes every query to the log:
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk. See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Here the lab gateway is the only forwarder.
        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys. See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation no;
        auth-nxdomain no;
        forward only;
        forwarders { 192.168.50.1; };
        recursion yes;
        allow-recursion { internals; };
        allow-transfer { internals; };
        allow-query { internals; };
        querylog yes;
        listen-on port 53 { 127.0.0.1; };
        //listen-on-v6 { any; };
};
Ensure /etc/bind/named.conf.default-zones contains:
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

// lab zones are forwarded to their own name servers
zone "netsec.isi.jhu.edu" {
        type forward;
        forward only;
        forwarders { 172.16.0.10; };    # ns private IP address - secondary
};

zone "mssi-lab.isi.jhu.edu" {
        type forward;
        forward only;
        forwarders { 192.168.200.10; }; # ns private IP address - secondary
};

zone "netsec-docker.isi.jhu.edu" {
        type forward;
        forward only;
        forwarders { 192.168.25.10; };  # ns private IP address - secondary
};
Check the configuration before starting named (systemctl daemon-reload only re-reads systemd unit files; it does not validate or reload BIND's configuration):
$ sudo named-checkconf
Enable and start the services:
$ sudo systemctl enable named-resolvconf named
$ sudo systemctl start named-resolvconf named
Afterwards /etc/resolv.conf should list nameserver 127.0.0.1, and named should be listening on 127.0.0.1:53 only.
Resolver on CentOS
- install packages:
$ sudo dnf update
$ sudo dnf install bind bind-utils dhcp-client
- turn off the firewall (optional: the named.conf below listens on 127.0.0.1 only, and firewalld does not filter loopback traffic; if you do stop it, it starts again at boot unless you also disable it):
$ sudo systemctl stop firewalld
- check the firewall is off:
$ sudo firewall-cmd --state
Ensure /etc/named.conf contains the following (replace 192.168.11.2 with your internet gateway; here only the netsec-docker zone is forwarded, so the internals ACL covers just localhost and 192.168.25.0/24):
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

acl internals { 127.0.0.0/8; 192.168.25.0/24; };

options {
        listen-on port 53 { 127.0.0.1; };
        // listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { internals; };
        forward only;
        forwarders { 192.168.11.2; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
        allow-recursion { internals; };
        allow-transfer { internals; };

        dnssec-validation no;

        managed-keys-directory "/var/named/dynamic";
        geoip-directory "/usr/share/GeoIP";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "netsec-docker.isi.jhu.edu" {
        type forward;
        forward only;
        forwarders { 192.168.25.10; }; # ns private IP address - secondary
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Ensure /etc/NetworkManager/NetworkManager.conf contains the following, so that NetworkManager stops managing /etc/resolv.conf and does not overwrite the nameserver entry below (restart NetworkManager afterwards for the setting to take effect):
[main]
#plugins=keyfile,ifcfg-rh
dns=none
Ensure /etc/resolv.conf contains:
search localdomain
nameserver 127.0.0.1
Check the configuration, then enable and start named:
$ sudo named-checkconf
$ sudo systemctl enable named
$ sudo systemctl start named
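Both procedures above hand-edit named.conf and its includes, and the mistakes that matter (an ACL referenced from named.conf.options before named.conf has defined it, a listen-on that is not loopback, allow-query or allow-recursion set to any) are easy to make and only some of them are caught by named-checkconf. The following is an added example, written for this page and not part of the wiki or of ISC BIND: a small Python lint that inlines include statements in file order and reports those mistakes. The FILES map stands in for /etc/bind and /etc/named.conf, and the configs in it are constructed for the demo rather than copied from the page; the file paths are assumed. It serves both the Kali and the CentOS procedure.

```python
"""Lint a BIND named.conf plus its includes for localhost-resolver pitfalls.

Added example, not from the wiki or from ISC BIND.  FILES is an in-memory
stand-in for the files on disk; every config string here is constructed.
"""
import ipaddress
import re

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
ACL_USERS = {"allow-query", "allow-recursion", "allow-transfer",
             "allow-query-cache", "blackhole", "match-clients"}
# innermost "name [port N] { body }" blocks: allow-*, listen-on, forwarders, acl bodies
BLOCK_RE = re.compile(r"\b([\w-]+)(?:\s+port\s+\d+)?\s*\{([^{}]*)\}")


def strip_comments(text):
    """Remove /* */, // and # comments, all three of which named accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def expand_includes(text, files, findings, depth=0):
    """Inline include "path"; statements in place so file order is preserved."""
    if depth > 8:
        findings.append("include nesting deeper than 8 levels; not expanded")
        return text

    def repl(m):
        path = m.group(1)
        if path not in files:
            findings.append(f"include {path}: file not found")
            return ""
        return expand_includes(strip_comments(files[path]), files, findings, depth + 1)

    return re.sub(r'include\s+"([^"]+)"\s*;', repl, text)


def is_address(token):
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def lint(named_conf, files):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    conf = expand_includes(strip_comments(named_conf), files, findings)
    # offset of each acl definition: named rejects references that precede it
    defined = {m.group(1): m.start()
               for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{', conf)}
    seen_listen = False
    for m in BLOCK_RE.finditer(conf):
        name = m.group(1)
        items = [t.strip().strip('"') for t in m.group(2).split(";") if t.strip()]
        if name in ACL_USERS:
            for item in items:
                ref = item.lstrip("!")
                if ref in BUILTIN_ACLS or is_address(ref):
                    continue
                if ref not in defined:
                    findings.append(f"{name}: ACL '{ref}' is never defined")
                elif defined[ref] > m.start():
                    findings.append(f"{name}: ACL '{ref}' is used before it is defined "
                                    "(move the acl above the include that uses it)")
            if name in ("allow-query", "allow-recursion") and "any" in items:
                findings.append(f"{name} {{ any; }} makes this an open resolver")
        elif name in ("listen-on", "listen-on-v6"):
            seen_listen = True
            for item in items:
                if item == "any" or (is_address(item) and
                                     not ipaddress.ip_network(item, strict=False).is_loopback):
                    findings.append(f"{name}: {item} is not a loopback address")
    if not seen_listen:
        findings.append("no listen-on: named listens on every IPv4 interface by default")
    return findings


# Constructed stand-ins for the files on disk (paths assumed, contents abridged).
KALI_OPTIONS = """
options {
    directory "/var/cache/bind";
    dnssec-validation no;
    forward only;
    forwarders { 192.168.50.1; };
    recursion yes;
    allow-recursion { internals; };
    allow-transfer { internals; };
    allow-query { internals; };
    listen-on port 53 { 127.0.0.1; };
};
"""
KALI_ZONES = """
zone "." { type hint; file "/usr/share/dns/root.hints"; };
zone "netsec-docker.isi.jhu.edu" {
    type forward; forward only;
    forwarders { 192.168.25.10; };  # ns private IP address - secondary
};
"""
FILES = {"/etc/bind/named.conf.options": KALI_OPTIONS,
         "/etc/bind/named.conf.local": "",
         "/etc/bind/named.conf.default-zones": KALI_ZONES}
INCLUDES = ('include "/etc/bind/named.conf.options";\n'
            'include "/etc/bind/named.conf.local";\n'
            'include "/etc/bind/named.conf.default-zones";\n')
ACL = "acl internals { 127.0.0.0/8; 192.168.25.0/24; 172.16.0.0/24; 192.168.200.0/24; };\n"
ACL_AFTER_INCLUDES = INCLUDES + ACL   # acl placed after the includes that reference it
ACL_BEFORE_INCLUDES = ACL + INCLUDES  # the order named accepts
OPEN_RESOLVER = """
acl internals { 127.0.0.0/8; };
options {
    listen-on { any; };
    allow-query { any; };
    recursion yes;
    allow-recursion { any; };
};
include "/etc/named.rfc1912.zones";
"""

if __name__ == "__main__":
    for label, conf in [("acl after includes", ACL_AFTER_INCLUDES),
                        ("acl before includes", ACL_BEFORE_INCLUDES),
                        ("open resolver", OPEN_RESOLVER)]:
        print(f"== {label}")
        for finding in lint(conf, FILES):
            print("  ", finding)
```

named-checkconf remains the authoritative syntax check; this lint is for spotting the ordering and exposure mistakes quickly, for instance over a repository of lab configs, and it deliberately looks only at innermost blocks, so anything inside a zone statement other than its forwarders is ignored.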
Useful links
- https://www.linuxbabe.com/debian/dns-resolver-debian-10-buster-bind9
- https://www.perfacilis.com/blog/systeembeheer/linux/setup-a-public-dns-server.html
- https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html
- https://bind9.readthedocs.io/en/latest/reference.html
- https://wiki.debian.org/Bind9
- https://netbeez.net/blog/linux-how-to-resolve-a-host-and-test-dns-servers/
- https://linuxconfig.org/how-to-view-and-clear-bind-dns-server-s-cache-on-linux
- https://www.linuxbabe.com/redhat/bind-9-dns-resolver-centos-8