LAB MANUAL : UBUNTU SERVER 14.

04 LTS
( DNS SERVER )

Parameters used in this example:

homelab.localwill be used as the lab domain name

10.1.100.0/24 is the private subnet

Make a Lab group that consist of 3 (three) computers, and setup with the following
parameters :

Host FQDN IPAddress

ns1 ns1.homelab.local 10.1.100.41

ns2 ns2.homelab.local 10.1.100.42

host1 host1.homelab.local 10.1.100.90

Editor choice : vi or nano

Configure Primary Server Networking

In order for the servers to reach the Ubuntu package repositories you need to edit the
network interfaces configuration file and hosts file.
1. Edit the network interfaces configuration file on the ns1 server:
$sudovi/etc/network/interfaces
1

2. When done editing it should look like:

ifaceloinetloopback
1
autolo
2

3
#primarynetworkinterface
4
autoeth0
5
ifaceeth0inetstatic
6
address10.1.100.41
7
netmask255.255.255.0
8
network10.1.100.0
9
broadcast10.1.100.255
10
gateway10.1.100.1
11
dnsnameservers8.8.8.88.8.4.4
12
 3. Then restart networking:
$/etc/init.d/networkingrestart
1

4. Edit the hosts file on the ns1 server:

$sudovi/etc/hosts
1

5. When done editing it should look like:

127.0.0.1localhost
1

2
#ThefollowinglinesaredesirableforIPv6capablehosts
3
::1localhostip6localhostip6loopback
4
ff02::1ip6allnodes
5
ff02::2ip6allrouters
6

7
10.1.100.41ns1.homelab.localns1
8

Configure Secondary Server Networking

Repeat the same process for the secondary server, ns2.
1. Edit the network interfaces configuration file on the ns2 server:
$sudovi/etc/network/interfaces
1

2. When done editing it should look like:

ifaceloinetloopback
1
autolo
2

3
#primarynetworkinterface
4
autoeth0
5
ifaceeth0inetstatic
6
address10.1.100.42
7
netmask255.255.255.0
8
network10.1.100.0
9
broadcast10.1.100.255
10
gateway10.1.100.1
11
dnsnameservers8.8.8.88.8.4.4
12

3. Then restart networking:

 $/etc/init.d/networkingrestart
1

4. Edit the hosts file on the ns2 server:

$sudovi/etc/hosts
1

5. When done editing it should look like:

127.0.0.1localhost
1

2
#ThefollowinglinesaredesirableforIPv6capablehosts
3
::1localhostip6localhostip6loopback
4
ff02::1ip6allnodes
5
ff02::2ip6allrouters
6

7
10.1.100.42ns2.homelab.localns2
8

Install BIND on the Primary DNS Server

1. On the ns1 host (10.1.100.41)
2. Download package lists and information of latest versions:
$sudoaptgetyupdate
1

3. Install BIND packages:

$sudoaptgetyinstallbind9bind9utilsbind9doc
1

4. Configure BIND to run in IPv4 mode by editing the bind9 service parameters file:
$sudovi/etc/default/bind9
1

5. Add 4 to the OPTIONS variable. It should look like the following:

#runresolvconf?
1
RESOLVCONF=no
2

3
#startupoptionsfortheserver
4
OPTIONS="4ubind"
5

6. Save the file and exit.

Configure the Primary DNS Server
The primary configuration file for the BIND DNS server named process is
/etc/bind/named.conf. It includes three additional configuration files:
named.conf.options,named.conf.local,and named.conf.defaultzones.
Configure Options File
1. On ns1, edit the named.conf.options file:

$sudovi/etc/bind/named.conf.options
1

2. By default the file should look like the following:

1 options{
2 directory"/var/cache/bind";
3
4 //Ifthereisafirewallbetweenyouandnameserversyouwant
5 //totalkto,youmayneedtofixthefirewalltoallowmultiple
6 //portstotalk.Seehttp://www.kb.cert.org/vuls/id/800113
7
//IfyourISPprovidedoneormoreIPaddressesforstable
8
//nameservers,youprobablywanttousethemasforwarders.
9
//Uncommentthefollowingblock,andinserttheaddressesreplacing
10
//theall0'splaceholder.
11

12 //forwarders{
13 //0.0.0.0;
14 //};
15
16 //========================================================================
17 //IfBINDlogserrormessagesabouttherootkeybeingexpired,
18 //youwillneedtoupdateyourkeys.Seehttps://www.isc.org/bindkeys
19 //========================================================================
20 dnssecvalidationauto;
21
22 authnxdomainno;#conformtoRFC1035
23 listenonv6{any;};
24 };
25

3. First we will define an access control list called trusted that will determine which
clients the DNS servers will allow recursive queries from. You can enter individual
client IP addresses to tightly control access but since this is a home lab we will use
subnets to permit recursive queries from the 10.1.100.0/24 network. Add the
ACL before the options block as follows:
//Labsubnetswewishtoallowrecursivequeriesfrom.
1 acl"trusted"{
2 10.1.100.0/24;#labnetwork
3 };
4

4. Edit the directory directive to read as follows:

1 options{
2 directory"/var/cache/bind";

3 recursionyes;#enablesresursivequeries
4 allowrecursion{trusted;};#allowsrecursivequeriesfrom"trusted"clients
5 listenon{10.1.100.41;};#ns1privateIPaddresslistenonprivate
6 networkonly
7 allowtransfer{none;};#disablezonetransfersbydefault
8
9 forwarders{
10 8.8.8.8;
11 8.8.4.4;
12 };
13
14 dnssecvalidationauto;
15
16 authnxdomainno;#conformtoRFC1035
listenonv6{any;};
17
};
18

5. Save the file and exit the editor.

Configure Local DNS Zones

We will define our local forward and reserve DNS zones in the named.conf.local file.
1. On ns1, open the file for editing:
$sudovi/etc/bind/named.conf.local
1

2. Add a forward zone for homelab.local:

zone"homelab.local"{
1
typemaster;
2 file"/etc/bind/zones/db.homelab.local";#zonefilepath
3 allowtransfer{10.1.100.42;};#ns2privateIPaddresssecondary
4 };
5

3. Add a reverse zone for the 10.1.100.0/24 subnet. The reverse mapping for
10.1.100 is entered as 100.1.10:
zone"100.1.10.inaddr.arpa"{
1
typemaster;
2 file"/etc/bind/zones/db.10.1.100";#10.1.100.0/24subnet
3 allowtransfer{10.1.100.42;};#ns2privateIPaddresssecondary
4 };
5

4. If your lab includes multiple subnets you want to provide DNS resolution for you
should add a zone and zonefile for each subnet. At this point the
/etc/bind/named.conf.local file should look like the following:
1 zone"homelab.local"{
2 typemaster;
3 file"/etc/bind/zones/db.homelab.local";#zonefilepath
4 allowtransfer{10.1.100.42;};#ns2privateIPaddresssecondary
5 };
6
 zone"100.1.10.inaddr.arpa"{
7
typemaster;
8 file"/etc/bind/zones/db.10.1.100";#10.1.100.0/24subnet
9 allowtransfer{10.1.100.42;};#ns2privateIPaddresssecondary
10 };
11

5. Save the file and exit the editor.

Create the Forward Zone File

Once the zones are specified in the BIND configuration file we need to create forward and
reverse zone files. We will start with the forward zone file which defines DNS records for
forward lookups. For example, if a client queries the DNS server for
host1.homelab.local the server will look in the homelab.local forward zone file for a
record mapping host1to its IP address.
The forward zone file is where we define DNS records for forward DNS lookups. That is,
when the DNS receives a name query, host1.homelab.local for example, it will look in
the forward zone file to resolve host1s corresponding private IP address.
1. In the named.conf.local file the default zone file location was specified to be
/etc/bind/zones. The directory must be created before we can store zone files:
$sudomkdir/etc/bind/zones
1

2. Create the
forward zone file for homelab.local based on the
/etc/bind/db.local sample:
$cd/etc/bind/zones
1
$sudocp../db.local./db.homelab.local
2

3. Edit the forward zone file:

$sudovi/etc/bind/zones/db.homelab.local
1

4. By default, it should match the following:

1 ;
2 ;BINDdatafileforlocalloopbackinterface
3 ;
4 $TTL604800
5 @INSOAlocalhost.root.localhost.(
6 2;Serial
7 604800;Refresh
8 86400;Retry
9 2419200;Expire
604800);NegativeCacheTTL
10
;
11
@INNSlocalhost.
12
@INA127.0.0.1
13
@INAAAA::1
14
 5. Edit the SOA record replacing localhost with ns1s FQDN, replacing
root.localhost with admin.homelab.local, and incrementing the serial
value:
@INSOAns1.homelab.local.admin.homelab.local.(
1 3;Serial
2

6. Delete the localhost.,127.0.0.1, and ::1records.

7. Add nameserver (NS) records for the ns1 and ns2 servers:
;nameserversNSrecords
1 INNSns1.homelab.local.
2 INNSns2.homelab.local.
3

8. Add A records for the hosts in your lab that you want to have *.homelab.local
FQDNs. For this example well create A records for ns1,ns2, and host1:
;nameserversArecords
1
ns1.homelab.local.INA10.1.100.41
2 ns2.homelab.local.INA10.1.100.42
3 ;
4 ;10.1.100.0/24Arecords
5 host1.homelab.local.INA10.1.100.90
6

9. At this point the file should look like the following:

1 $TTL604800
2 @INSOAns1.homelab.local.admin.homelab.local.(
3 3;Serial
604800;Refresh
4
86400;Retry
5
2419200;Expire
6
604800);NegativeCacheTTL
7
;
8 ;nameserversNSrecords
9 INNSns1.homelab.local.
10 INNSns2.homelab.local.
11 ;
12 ;nameserversArecords
13 ns1.homelab.local.INA10.1.100.41
14 ns2.homelab.local.INA10.1.100.42
15 ;
16 ;10.1.100.0/24Arecords
17 host1.homelab.local.INA10.1.100.90
18

10. Save and exit thedb.homelab.local file.

Create the Reverse Zone File
Next we will create a reverse zone file containing DNS PTR records for reverse DNS
lookups. For example, if a client queries the DNS server for 10.1.100.90 the server will
look in the 10.1.100 zone file for a record mapping 10.1.100.90 to the FQDN
host1.homelab.local.
1. In the named.conf.local file on ns1 the file for the reverse zone 100.1.10.in
addr.arpawas set to be /etc/bind/zones/db.10.1.100. Create the reverse
zone file based on the /etc/bind/db.127 sample:
$cd/etc/bind/zones
1
$sudocp../db.127./db.10.1.100
2

2. Edit the reverse zone file:

$sudovi/etc/bind/zones/db.10.1.100
1

3. By default, it should match the following:

1 ;
;BINDreversedatafileforlocalloopbackinterface
2
;
3
$TTL604800
4
@INSOAlocalhost.root.localhost.(
5
1;Serial
6 604800;Refresh
7 86400;Retry
8 2419200;Expire
9 604800);NegativeCacheTTL
10 ;
11 @INNSlocalhost.
12 1.0.0INPTRlocalhost.
13

4. As we did with the forward zone file edit the SOA record and increment the serial
value as follows:
@INSOAns1.homelab.local.admin.homelab.local.(
1 2;Serial
2

5. Delete the localhost. NS andlocalhost.PTR records.

6. Add nameserver (NS) records for the ns1 and ns2servers:
;nameserversNSrecords
1 INNSns1.homelab.local.
2 INNSns2.homelab.local.
3
 7. Add PTR records for each of the hosts in your lab. The first column will be the last
octet of the hosts IP addresses in reverse order. If you were using a /16 network
then you would enter the last two octets of the hosts IP addresses in reverse order.
For this example well create records for the ns1, ns2, and host1 hosts on the
10.1.100.0/24 subnet:
;PTRRecords
1 41INPTRns1.homelab.local.;10.1.100.41
2 42INPTRns2.homelab.local.;10.1.100.42
3 90INPTRhost1.homelab.local.;10.1.100.90
4

8. At this point the file should look like the following:

1 $TTL604800
2 @INSOAns1.homelab.local.admin.homelab.local.(
2;Serial
3
604800;Refresh
4
86400;Retry
5
2419200;Expire
6
604800);NegativeCacheTTL
7 ;
8 ;nameserversNSrecords
9 INNSns1.homelab.local.
10 INNSns2.homelab.local.
11 ;
12 ;PTRRecords
13 41INPTRns1.homelab.local.;10.1.100.41
14 42INPTRns2.homelab.local.;10.1.100.42
15 90INPTRhost1.homelab.local.;10.1.100.90
16

9. Save and exit the db.10.1.100 file.

10. Repeat these steps for any additional subnets used in your lab.
Check BIND Configuration File Syntax
1. Check the syntax of the configuration files that start with named.conf:
$sudonamedcheckconf
1
 2. If the configuration files have no syntax errors you wont see any error messages.
3. Check the syntax of the forward zone file:
$sudonamedcheckzonehomelab.localdb.homelab.local
1

4. If there are no syntax errors you should see something similar to the following:
zonehomelab.local/IN:loadedserial3
1
OK
2

5. Check the syntax of the reverse zone file:

$sudonamedcheckzone100.1.10.inaddr.arpa/etc/bind/zones/db.10.1.100
1

6. If there are no syntax errors you should see something similar to the following:
zone100.1.10.inaddr.arpa/IN:loadedserial2
1 OK
2

Restart BIND
Restart the BIND service:
$sudoservicebind9restart
1

Install BIND on the Secondary Server

1. On the ns2 host (10.1.100.42) .
2. Download package lists and information of latest versions:
$sudoaptgetyupdate
1

3. Install BIND packages:

$sudoaptgetyinstallbind9bind9utilsbind9doc
1

4. Configure BIND to run in IPv4 mode by editing the bind9 service parameters file:
$sudovi/etc/default/bind9
1

5. Add -4 to the OPTIONS variable. It should look like the following:

 #runresolvconf?
1
RESOLVCONF=no
2
3 #startupoptionsfortheserver
4 OPTIONS="4ubind"
5

6. Save the file and exit.

Configure the Secondary DNS Server

Configure Options File
1. On ns2, edit the named.conf.options file:
$sudovi/etc/bind/named.conf.options
1

2. By default the file should look like the following:

1 options{
2 directory"/var/cache/bind";
3
4 //Ifthereisafirewallbetweenyouandnameserversyouwant
5 //totalkto,youmayneedtofixthefirewalltoallowmultiple
6 //portstotalk.Seehttp://www.kb.cert.org/vuls/id/800113
7
//IfyourISPprovidedoneormoreIPaddressesforstable
8
//nameservers,youprobablywanttousethemasforwarders.
9
//Uncommentthefollowingblock,andinserttheaddressesreplacing
10
//theall0'splaceholder.
11

12 //forwarders{
13 //0.0.0.0;
14 //};
15
16 //========================================================================
17 //IfBINDlogserrormessagesabouttherootkeybeingexpired,
18 //youwillneedtoupdateyourkeys.Seehttps://www.isc.org/bindkeys
19 //========================================================================
20 dnssecvalidationauto;
21
22 authnxdomainno;#conformtoRFC1035
23 listenonv6{any;};
24 };
25

3. Add an ACL to permit recursive queries from the 10.1.100.0/24 network before the
options block as follows:

//Labsubnetswewishtoallowrecursivequeriesfrom.
1 acl"trusted"{
2 10.1.100.0/24;#labnetwork
3 };
4

4. Edit the directory directive to read as follows:

1 options{
2 directory"/var/cache/bind";
3
 recursionyes;#enablesresursivequeries
4 allowrecursion{trusted;};#allowsrecursivequeriesfrom"trusted"clients
5 listenon{10.1.100.42;};#ns2privateIPaddresslistenonprivate
6 networkonly
7 allowtransfer{none;};#disablezonetransfersbydefault
8
9 forwarders{
10 8.8.8.8;
11 8.8.4.4;
12 };
13
14 dnssecvalidationauto;
15
16 authnxdomainno;#conformtoRFC1035
17 listenonv6{any;};
};
18

5. Save the file and exit the editor.

Configure Local DNS Zones
We will define our local slave zones on the secondary DNS server that correspond to the
master zones defined on the primary. As you will see below the file parameter for zones of
type slave does not contain a path and there is a masters directive that is set to the IP
address of the primary DNS server.
1. On ns2, open the file for editing:
$sudovi/etc/bind/named.conf.local
1

2. Add a forward zone for homelab.local:

zone"homelab.local"{
1
typeslave;
2 file"db.homelab.local";
3 masters{10.1.100.41;};#ns1privateIP
4 };
5

3. Add a reverse zone for the 10.1.100.0/24 subnet. The reverse mapping for 10.1.100
is entered as 100.1.10:
zone"100.1.10.inaddr.arpa"{
1
typeslave;
2 file"db.10.1.100";
3 masters{10.1.100.41;};#ns1privateIP
4 };
5

4. The /etc/bind/named.conf.local file should look like the following:

1 zone"homelab.local"{
2 typeslave;
3 file"db.homelab.local";
4 masters{10.1.100.41;};#ns1privateIP
5 };
6
zone"100.1.10.inaddr.arpa"{
 7 typeslave;
8 file"db.10.1.100";
9 masters{10.1.100.41;};#ns1privateIP
10 };
11

5. Save the file and exit the editor.

Check BIND Configuration File Syntax
1. Check the syntax of the configuration files that start with named.conf:

$sudonamedcheckconf
1

2. If the configuration files have no syntax errors you wont see any error messages.
Restart BIND
Restart the BIND service:
$sudoservicebind9restart
1

Test DNS Using Ubuntu Client

The primary and secondary DNS servers have now been deployed, so it is time to test
name and IP address resolution. We will use a third Ubuntu 14.04 Server configured to
query our two new servers.
Configure Test Client Networking
1. On the host1 host (10.1.100.90)
2. Edit the network interfaces configuration file:
$sudovi/etc/network/interfaces
1

3. Look for the parameters. Remove the existing dns-nameservers and dns-search entries
and replace them with your private domain and ns1 and ns2 private IP addresses.
4. When done editing it should look like:

1 ifaceloinetloopback
autolo
2

3
#primarynetworkinterface
4
autoeth0
5
ifaceeth0inetstatic
6 address10.1.100.90
7 netmask255.255.255.0
8 network10.1.100.0
9 broadcast10.1.100.255
10 gateway10.1.100.1
11 dnssearchhomelab.local
12 dnsnameservers10.1.100.4110.1.100.42
13

5. Save and close the file.

 6. Bounce the interface to apply the changes:
$sudoifdowneth0&&sudoifupeth0
1

Test Forward Lookup

Run the following command to perform a forward lookup and retrieve the IP address of
host1.homelab.local:
$nslookuphost1
1

When you perform a DNS query for host1 it is expanded to host1.homelab.local because of the
dns-search homelab.local that is set in the network interfaces configuration file. The command
output should be:
dadung@host1:~$nslookuphost1
1
Server:10.1.100.41
2 Address:10.1.100.41#53
3
4 Name:host1.homelab.local
5 Address:10.1.100.90
6

Test Reverse Lookup

Run the following command to perform a reverse lookup of host1s IP address:
$nslookup10.1.100.90
1

The command output should be:

Server:10.1.100.41
1 Address:10.1.100.41#53
2
3 91.100.1.10.inaddr.arpaname=host1.homelab.local.
4

Query NS1 Using DIG

Run the following command to query the primary DNS server using DIG:
[email protected]
1

The command output should be:

1 ;<<>>DiG9.9.53ubuntu0.1Ubuntu<<>>[email protected]
2 ;;globaloptions:+cmd
3 ;;Gotanswer:
4 ;;>>HEADER<<opcode:QUERY,status:NOERROR,id:20320
5 ;;flags:qraardra;QUERY:1,ANSWER:3,AUTHORITY:0,ADDITIONAL:3
6
7 ;;OPTPSEUDOSECTION:
8 ;EDNS:version:0,flags:;udp:4096
 ;;QUESTIONSECTION:
9 ;homelab.local.INANY
10
11 ;;ANSWERSECTION:
12 homelab.local.604800INSOAns1.homelab.local.admin.homelab.local.360480086400
13 2419200604800
14 homelab.local.604800INNSns1.homelab.local.
15 homelab.local.604800INNSns2.homelab.local.
16
17 ;;ADDITIONALSECTION:
18 ns1.homelab.local.604800INA10.1.100.41
19 ns2.homelab.local.604800INA10.1.100.42
20
21 ;;Querytime:1msec
22 ;;SERVER:10.1.100.41#53(10.1.100.41)
;;WHEN:FriFeb1322:31:58EST2015
23
;;MSGSIZErcvd:152
24

Query NS2 Using DIG

Run the following command to query the secondary DNS server using DIG:
$ dig homelab.local any @ns2.homelab.local
1

The command output should be:

;<<>>DiG9.9.53ubuntu0.1Ubuntu<<>>[email protected]
1 ;;globaloptions:+cmd
2 ;;Gotanswer:
3 ;;>>HEADER<<opcode:QUERY,status:NOERROR,id:58763
4 ;;flags:qraardra;QUERY:1,ANSWER:3,AUTHORITY:0,ADDITIONAL:3
5
6 ;;OPTPSEUDOSECTION:
7 ;EDNS:version:0,flags:;udp:4096
8 ;;QUESTIONSECTION:
9 ;homelab.local.INANY
10
11 ;;ANSWERSECTION:
12 homelab.local.604800INNSns1.homelab.local.
13 homelab.local.604800INNSns2.homelab.local.
14 homelab.local.604800INSOAns1.homelab.local.admin.homelab.local.360480086400
15 2419200604800
16
17 ;;ADDITIONALSECTION:
18 ns1.homelab.local.604800INA10.1.100.41
ns2.homelab.local.604800INA10.1.100.42
19

20
;;Querytime:1msec
21
;;SERVER:10.1.100.42#53(10.1.100.42)
22
;;WHEN:FriFeb1322:32:04EST2015
23 ;;MSGSIZErcvd:152
24
If the command output from the forward and reverse lookups match the examples above it
means that your DNS servers are configured properly.

Summary
This Lab manual walks through setting up a private DNS environment with redundant DNS
servers running BIND. We also tested querying the DNS servers using a third Ubuntu
system to confirm that both work as expected.