
Running your own DNS server (Part 1)

Somewhere over time I seem to have acquired 82 ( yes, eighty-two ) domain names. A small number have been bought on behalf of other people ( relatives, friends & children ), some have been bought sensibly ( business related ) and some have been bought on a whim as I thought that I might get around to doing something with them at some point. I’ve made use of the rather good ( and cheap ) service at 123reg, which in terms of registration is great and, if you are managing the DNS of one or two domains, probably has a pretty good admin interface for that too. For the full 82, however, it is excessively painful.

Cover of the O'Reilly book on the subject.


The recent – “I’m going to move everything to Linux” – decision has left me thinking that I should get on and tidy up everything else. The company website runs on Linux already – and I’m planning to point all of the pertinent domains at it. At some point I’ll be migrating the e-mail from the hosted MS Exchange server as well – although I have to admit that’s one thing that I don’t fancy doing – partially because other people rely on that one beyond me.

So, as part of this “phase” I’m going to take back control of my domains and host my own DNS servers ( yes, plural, for redundancy purposes ) on Digital Ocean droplets across two data centres – one in Frankfurt the other in London. ( I figure that I’ll remain in Europe for these, rather than the US or Middle/Far East ).

As is my wont, I’m going to be using Fedora 21 x64 as the base OS – this isn’t to bad-mouth any other distros ( except Ubuntu – I don’t like Ubuntu, or Debian … ) – I just like Fedora ! This could / would work equally well with CentOS, which is the other sane option on Digital Ocean – FreeBSD is pretty cool, but it isn’t Linux, so doesn’t count … [ please address hate mail to /dev/null ]

I used to work at an ISP ( it was my first job, while I was still at university ) and managing DNS on BIND was one of my roles back then. I have now forgotten absolutely everything that I ever knew about it, so this is going to be a bit of a learning curve !

We begin [0]:

First off – are we up-to-date ? Just installed, so unlikely – a quick:

yum update -y

To bring it all up to speed and make sure that all the packages are at their latest and greatest.

Then you need to install BIND, the BIND tools and, for the sake of security, bind-chroot [1]:

yum install bind bind-utils bind-chroot -y

The main configuration file for BIND is /etc/named.conf, so using your editor of choice ( which will, of course, be vi ) edit the options section to look like the following:

[ replacing aaa.bbb.ccc.ddd with the ip of your secondary if you have one, and removing it if you don’t ]

options {
        // no listen-on line, so BIND listens on every IPv4 address of the droplet;
        // IPv6 is left on loopback only
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };                            // the whole internet may ask about the zones we serve
        allow-transfer { localhost; aaa.bbb.ccc.ddd; };  // but only the secondary may pull whole zones
        recursion no;                                    // authoritative only: never an open resolver

        dnssec-enable yes;
        dnssec-validation yes;   // only matters for recursive lookups, so harmless here
        dnssec-lookaside auto;   // ISC's DLV registry closed in 2017; newer BIND releases no longer accept this

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

One of the important things here is that, if you are running an authoritative DNS server for your domain(s), you _turn off recursion_. A server that answers recursive queries from anyone ( an open resolver ) is the classic reflector for DNS amplification attacks: the attacker sends small queries with the victim’s address forged as the source, and your server fires much larger answers at the victim. [2] Switching recursion off stops your server being recruited for that. Be aware that an authoritative server can still be made to reflect queries about the zones it does serve, with less amplification; that is what BIND’s response rate limiting ( the rate-limit option, BIND 9.10 and later ) is for.
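As an added illustration ( not from the original post ), here is the options block in its dangerous shape beside a hardened one. The key name is made up and the secret is a placeholder for whatever tsig-keygen ( ddns-confgen -k on older BIND releases ) produces; the same key must be configured on the primary and the secondary:

```conf
// WEAK: recursion on and open to the world = an open resolver, the reflector
// that DNS amplification attacks are built on
options {
        allow-query { any; };
        recursion yes;
};

// HARDENED: authoritative only, zone transfers only to a holder of the shared
// TSIG key, and response rate limiting ( BIND 9.10 and later ) so the zones we
// do serve cannot be used as an amplifier either
key "ns1-ns2-xfer" {                 // made-up name; identical on both servers
        algorithm hmac-sha256;
        secret "<base64 output of tsig-keygen>";
};

options {
        allow-query { any; };
        recursion no;
        allow-transfer { key "ns1-ns2-xfer"; };
        rate-limit {
                responses-per-second 10;
                window 5;
                log-only yes;        // observe what would be dropped first, then remove this line
        };
};
```

On the secondary, a matching key statement plus a server clause for the primary ( server www.xxx.yyy.zzz { keys { "ns1-ns2-xfer"; }; }; ) makes its transfer requests signed, so an attacker who learns the secondary’s address can no longer simply spoof it to download your zones.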

N.B. Watch your “;”s: BIND is painfully picky about syntax !

Once you’ve got this part configured, it is time to start adding domains !

Further down in the named.conf file is the list of all the “zones” that your nameserver will know about.

zone "." IN {
        type hint;          // the root hints: how to find the root servers
        file "named.ca";
};

zone "security-intelligence.uk" IN {
        type master;                              // this server holds the definitive copy of the zone
        file "security-intelligence.uk.zone";     // relative to the "directory" option, i.e. /var/named
        allow-update { none; };                   // no dynamic updates: the file is edited by hand
};

The first zone is the default for the server ( the root hints, which only come into play if the server recurses ); the second has been added by me for the domain “security-intelligence.uk”. “type master” makes this server the definitive source for the zone, “file” names the file that holds the actual zone data ( relative to the “directory” option, so /var/named ), and “allow-update” controls which hosts or keys are allowed to make dynamic updates to the zone, something you only want in DHCP or nsupdate scenarios; for a hand-edited zone leave it at “none”. You can repeat this as many times as you like ( in my case it will be 82 by the time I’m finished ! Although I suspect that a script may well come into play to take the downloadable CSV file from 123reg and do the majority of this for me [3] )

At this point we move on to create the associated zone file. So, again using vi your editor of choice, create the file that you named in the zone block above in /var/named/, e.g.

vi /var/named/security-intelligence.uk.zone

And then populate it 🙂

$TTL 86400
; SOA: the primary nameserver, then the contact address root@security-intelligence.uk
; written with the @ as a dot
@ IN SOA ns1.security-intelligence.uk. root.security-intelligence.uk. (
                2015051401 ; Serial: YYYYMMDDnn, increase it on every change
                      3600 ; Refresh: how often the secondary checks for a new serial
                      1800 ; Retry: how soon it tries again if the primary was unreachable
                    604800 ; Expire: after this long without contact the secondary stops answering
                     86400 ; Negative caching TTL: how long "no such name" answers may be cached
)
; Specify our two nameservers ( a blank owner name means "same as the previous record", i.e. @ )
                IN     NS     ns1.security-intelligence.uk.
                IN     NS     ns2.security-intelligence.uk.

; Resolve nameserver hostnames to IP, replace with your two DNS server IP addresses.
ns1             IN     A      www.xxx.yyy.zzz
ns2             IN     A      aaa.bbb.ccc.ddd

; Define hostname -> IP pairs which you wish to resolve
@               IN     A      qqq.rrr.sss.ttt
www             IN     A      qqq.rrr.sss.ttt

I’m not going to go through this in detail at the moment – will come back to that later, but there are a few things here that you need to consider:

(1) The Serial : this needs to be changed each time you make an update to the zone, and it must increase with each modification, because the secondary only pulls a fresh copy when it sees a serial larger than the one it already holds ( forget to bump it and the secondary quietly carries on serving the old data ). The usual convention is the ISO-style date, yyyymmdd, which always increases, followed by two digits for the change number, so that you can make 99 changes in a day before you need a new date ( 2015051401, 2015051402 … ). It is a 32-bit unsigned number and BIND compares serials with wrap-around arithmetic, so a plain increment is always safe.

(2) Change the bits that refer to my domain to refer to yours …

(3) Change the IP address “www.xxx.yyy.zzz” to your primary DNS server, “aaa.bbb.ccc.ddd” to your secondary ( if you have one; if you are only running one, remove the second NS record and the ns2 A record as well ) and “qqq.rrr.sss.ttt” to whatever you want your domain records to point at. In this case they both point at my webserver, so a URL of “security-intelligence.uk” or “www.security-intelligence.uk” will both go to the website.
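As an added example ( not the author’s script, which does not exist yet at the time of writing ), here is the kind of generator hinted at above, done in Python: it renders the named.conf zone stanzas and a zone file of the shape shown above for each domain in a list, and it implements the YYYYMMDDnn serial rule, including reading and bumping the serial of an existing zone file. The real 123reg CSV layout is not known here, so DOMAINS is a constructed stand-in for it, and the three addresses are RFC 5737 documentation placeholders that you replace with your own.

```python
"""Render named.conf zone stanzas and zone files for a list of domains, and bump
SOA serials the YYYYMMDDnn way.

Added example for this post, not the author's script. Assumptions: the registrar
export is reduced to a plain list of domain names (the real 123reg CSV layout is
not known here, so DOMAINS is a constructed stand-in) and the three addresses are
documentation-range placeholders."""
import datetime
import re
import sys
from pathlib import Path

# Constructed inputs (RFC 5737 documentation addresses, not real servers).
NS1_IP = "192.0.2.10"        # primary nameserver (www.xxx.yyy.zzz in the post)
NS2_IP = "198.51.100.10"     # secondary nameserver (aaa.bbb.ccc.ddd)
WEB_IP = "203.0.113.10"      # where the apex and www should point (qqq.rrr.sss.ttt)
DOMAINS = ["security-intelligence.uk", "example.org"]   # stand-in for the registrar CSV

# Matches "SOA ... (" followed by the serial, in any reasonably formatted zone file.
SERIAL_RE = re.compile(r"(\bSOA\b[^(]*\(\s*)(\d+)", re.S)


def next_serial(current: int, today_yyyymmdd: int) -> int:
    """Next YYYYMMDDnn serial, guaranteed to be larger than `current`.

    The first change of the day gives YYYYMMDD01 and later changes count up.
    If `current` is already ahead of today's base (future-dated or fat-fingered),
    we still just add one: the secondary only transfers when the number grows,
    so monotonic beats pretty."""
    base = today_yyyymmdd * 100
    return max(base + 1, current + 1)


def read_serial(zone_text: str) -> int:
    """Pull the serial out of the SOA record of an existing zone file."""
    match = SERIAL_RE.search(zone_text)
    if match is None:
        raise ValueError("no SOA serial found in zone text")
    return int(match.group(2))


def bump_serial(zone_text: str, today_yyyymmdd: int) -> str:
    """Return the zone text with its SOA serial replaced by the next one."""
    new = next_serial(read_serial(zone_text), today_yyyymmdd)
    return SERIAL_RE.sub(lambda m: m.group(1) + str(new), zone_text, count=1)


def zone_stanza(domain: str) -> str:
    """The named.conf block that makes this server primary (master) for `domain`."""
    return (
        f'zone "{domain}" IN {{\n'
        "        type master;\n"
        f'        file "{domain}.zone";\n'
        "        allow-update { none; };\n"
        "};\n"
    )


def zone_file(domain: str, serial: int, ns1_ip: str, ns2_ip: str, web_ip: str) -> str:
    """A zone file in the same shape as the one in the post: SOA, two NS records,
    glue for the nameservers, and A records for the apex and www."""
    lines = [
        "$TTL 86400",
        f"@ IN SOA ns1.{domain}. root.{domain}. (",
        f"                {serial:>10} ; Serial (YYYYMMDDnn)",
        "                      3600 ; Refresh",
        "                      1800 ; Retry",
        "                    604800 ; Expire",
        "                     86400 ; Negative caching TTL",
        ")",
        f"                IN     NS     ns1.{domain}.",
        f"                IN     NS     ns2.{domain}.",
        f"ns1             IN     A      {ns1_ip}",
        f"ns2             IN     A      {ns2_ip}",
        f"@               IN     A      {web_ip}",
        f"www             IN     A      {web_ip}",
    ]
    return "\n".join(lines) + "\n"


def render_all(domains, today_yyyymmdd: int, ns1_ip=NS1_IP, ns2_ip=NS2_IP, web_ip=WEB_IP):
    """Return (named.conf fragment, {zone filename: zone text}) for every domain."""
    serial = next_serial(0, today_yyyymmdd)
    stanzas = "".join(zone_stanza(d) for d in domains)
    files = {f"{d}.zone": zone_file(d, serial, ns1_ip, ns2_ip, web_ip) for d in domains}
    return stanzas, files


if __name__ == "__main__":
    # Usage: python gen_zones.py /some/output/dir
    # Review the output, copy the zone files into /var/named, append named.conf.zones
    # to /etc/named.conf, and run named-checkzone on each file before restarting.
    out = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    today = int(datetime.date.today().strftime("%Y%m%d"))
    stanzas, files = render_all(DOMAINS, today)
    (out / "named.conf.zones").write_text(stanzas)
    for name, text in files.items():
        (out / name).write_text(text)
    print(f"wrote {len(files)} zone files and named.conf.zones to {out}")
```

The generator is deliberately dumb: every domain gets the same two-nameserver, apex-plus-www layout, which is exactly the case for domains that should all land on one web server. Anything that needs MX or other records is better edited by hand afterwards and then put through bump_serial so the secondary notices the change.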

Once that’s all done for your domain, you are actually good to go. Before starting anything, let BIND check your work: “named-checkconf /etc/named.conf” parses the configuration and “named-checkzone security-intelligence.uk /var/named/security-intelligence.uk.zone” parses the zone file, and each reports the exact line of a missing “;”. Then kick off BIND by entering the following command ( the older “service named restart” still works on Fedora 21, it just hands over to systemctl ):

systemctl restart named

One caveat on the chroot: installing bind-chroot does not by itself put named into it. On Fedora the chrooted instance is a separate unit, named-chroot, which bind-mounts /etc/named.conf and /var/named into /var/named/chroot when it starts, so if you want the protection you installed the package for, start and enable named-chroot instead of named here and below.

If you get an error at this point ( like I did :-/ ) then:

systemctl status named.service

May well point you in the direction of your missing “;” !

Assuming that, unlike me, you can get it right – you should now have your primary/master nameserver up and running.

Give it a quick test:

nslookup - www.xxx.yyy.zzz

This puts you into nslookup’s interactive mode, querying your server at the IP “www.xxx.yyy.zzz” ( your server’s actual IP here ). Enter one of the domain names that you are serving, in my case “www.security-intelligence.uk”, and you should see a response with the IP address specified in your zone file ( dig, also in bind-utils, does the same job: dig @www.xxx.yyy.zzz www.security-intelligence.uk ). Run the same check from a machine outside Digital Ocean too, so that you know the firewall lets UDP and TCP port 53 through, and try a name you do not serve ( say www.example.com ): an authoritative-only server should refuse it or answer without an address, never resolve it, which confirms that recursion really is off.
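As an added example, not part of the original post, here is the test step done by hand in Python with nothing but the standard library: it builds the same A query nslookup sends, parses the reply, and reports the two header flags worth checking on a new authoritative server, AA ( the answer is authoritative ) and RA ( the server offers recursion, which it must not ). The two reply messages embedded in the block are constructed for the offline check, not captured from the author’s server, and 203.0.113.10 is an RFC 5737 placeholder address.

```python
"""Hand-rolled DNS A lookup that also reports AA and RA, the two flags worth
checking on a freshly built authoritative server.

Added example for this post, not part of it. Standard library only. The sample
replies are constructed by hand for the offline check; 203.0.113.10 is a
documentation-range placeholder, not the author's server."""
import socket
import struct
import sys

QUERY_ID = 0x1234   # fixed transaction id for the example; a real client randomises it


def build_query(name: str, qtype: int = 1, rd: bool = False) -> bytes:
    """Encode a one-question DNS query. rd=False is `dig +norecurse`: the only
    kind of query an authoritative-only server should need to answer."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", QUERY_ID, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # qtype, class IN


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name at `off`; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                          # the pointer ends the name on the wire
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Parse the header flags and the A records in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                           # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                                       # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {
        "id": txid,
        "rcode": flags & 0x000F,
        "aa": bool(flags & 0x0400),   # Authoritative Answer
        "ra": bool(flags & 0x0080),   # Recursion Available: must be False on our server
        "answers": answers,
    }


def assess(msg: bytes) -> list:
    """Problems an authoritative-only server must not show; an empty list is good."""
    r = parse_response(msg)
    problems = []
    if not r["aa"]:
        problems.append("AA clear: the server did not answer authoritatively for the name")
    if r["ra"]:
        problems.append("RA set: the server advertises recursion, so 'recursion no' is not in effect")
    return problems


def _sample(flags: int) -> bytes:
    """Constructed reply to our www.security-intelligence.uk query with the given flags."""
    question = build_query("www.security-intelligence.uk")[12:]
    header = struct.pack("!HHHHHH", QUERY_ID, flags, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 86400, 4) + socket.inet_aton("203.0.113.10")
    return header + question + answer


SAMPLE_AUTHORITATIVE = _sample(0x8400)   # QR + AA, RA clear: what we want to see
SAMPLE_OPEN_RESOLVER = _sample(0x8180)   # QR + RD + RA, AA clear: a recursive resolver answered


def query_raw(server_ip: str, name: str, timeout: float = 3.0) -> bytes:
    """Send the query over UDP and return the raw reply after checking the transaction id."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    if parse_response(data)["id"] != QUERY_ID:
        raise ValueError("transaction id mismatch: not the reply to our query")
    return data


if __name__ == "__main__":
    # Usage: python dnscheck.py <server-ip> <name>
    reply = query_raw(sys.argv[1], sys.argv[2])
    print(parse_response(reply))
    for problem in assess(reply):
        print("WARNING:", problem)
```

Point it at your own server with a name you serve and expect AA set and RA clear; point it at your ISP’s resolver with the same name and you will see the opposite, which is precisely the shape of reply an open resolver gives to anybody who asks.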

The other thing that you’ll want to be doing is setting BIND up to start on each reboot, so a quick:

systemctl enable named

will sort this out for you ( chkconfig named on does the same thing on Fedora 21, it just hands over to systemctl; use named-chroot instead of named if that is the unit you started ).

Well Done !

Part 2 along shortly detailing the configuration of the secondary …



[0] All commands here need to be run as root, so either get a root prompt or sudo your way through them.

[1] chroot ( changed root ): running in a limited environment so that, if compromised, access to the rest of the system is limited. May write more on that later !

[2] https://blogs.akamai.com/2013/06/dns-reflection-defense.html

[3] Which, if it does, I’ll post more about later !
