How to install VyOS Router/Appliance as DNS Server

Hi there guys,

I have already covered in my last two posts how to install VyOS Router/Appliance on Hyper-V, see here:

How to install VyOS Router/Appliance on Hyper-V – Part 1: Setup and Install

How to install VyOS Router/Appliance on Hyper-V – Part 2: Configuration

 

I run my labs on Hyper-V, and VyOS is a fundamental piece for simulating real network environments. Sometimes I need to simulate a public-facing DNS server, and for that I turn VyOS into my public DNS server.

VyOS ships a caching DNS forwarder (service dns forwarding) but no authoritative DNS server, and the BIND packages are not in the VyOS package repository, so you cannot do this with the stock configuration.

The following process explains how to build a DNS server on VyOS from the ground up.

 

1. Install DNS Server packages on VyOS

We need to install the DNS server packages (BIND9) from the Debian Squeeze repository.

1.1. Adding Debian Squeeze repository to VyOS Sources List

The bind9 package is not available from the VyOS sources, so you need to add the Debian Squeeze repository to the sources list (VyOS 1.x is built on Debian Squeeze). Keep in mind that packages pulled in this way are not tracked by VyOS image upgrades: keeping bind9 patched becomes your job.

# configure
# set system package repository squeeze components 'main contrib non-free'
# set system package repository squeeze distribution 'squeeze'
# set system package repository squeeze url 'http://mirrors.kernel.org/debian'
# commit
# save
# exit

You can validate the above configuration on the apt sources.list:

# sudo nano /etc/apt/sources.list

VyOS_Sources_list_thumb3

On the second line you can see the new apt repository (squeeze):

deb http://mirrors.kernel.org/debian stable main contrib non-free # squeeze #

Check that the distribution field of this line matches what you committed. It must say squeeze, not stable: at the time of this post stable already pointed at Wheezy, and mixing Wheezy packages into a Squeeze base pulls in incompatible libraries.

To exit Press [CONTROL]+[X] Keys.

1.2 Update the packages list

To update the package list from the new Squeeze source, make sure your Internet router (mine is 192.168.1.1) is turned on, so that VyOS can reach the Internet to download the package index and the packages:

# sudo apt-get update

VyOS-apt-get

1.3 Install DNS Bind9 package:

# sudo apt-get install bind9 bind9-doc dnsutils

2. Chroot (jail) Bind9

Debian's bind9 already drops privileges to the bind user (OPTIONS="-u bind" in /etc/default/bind9), but named still sees the whole filesystem. Chrooting (jailing) it into /var/chroot/bind9 limits what a compromised named could read or write. Note that the script below also hands ownership of the configuration in /etc/bind to the bind user so that named can write there; a compromised named can then rewrite its own configuration, a trade-off that is fine in a lab but worth reconsidering elsewhere.

We will automate the whole process with a shell script.

2.1 Create a Scripts folder and Shell script

Create a Scripts Folder and shell script named “chroot-bind9.sh” with the following:

# mkdir -p $HOME/scripts
# sudo nano $HOME/scripts/chroot-bind9.sh

Insert the following code to the Script and when finished type [CONTROL] + [X] keys to exit and save the file.

#!/bin/bash
# Moves Debian's bind9 into a chroot under /var/chroot/bind9.
# Run it once as root (sudo ./chroot-bind9.sh): it moves /etc/bind into the
# jail and leaves a symlink behind, so a second run would have nothing to move.
set -e

[ "$(id -u)" -eq 0 ] || { echo "run this script with sudo" >&2; exit 1; }
if [ -L /etc/bind ]; then
    echo "/etc/bind is already a symlink; bind9 looks chrooted already" >&2
    exit 0
fi

/etc/init.d/bind9 stop

# Directory tree named needs inside the jail: config, device nodes,
# working directory (cache) and pid file directory.
mkdir -p /var/chroot/bind9/{etc,dev,var/cache/bind,var/run/bind/run}
chown -R bind:bind /var/chroot/bind9/var/*

# Minimal /dev: null (major 1, minor 3) and random (major 1, minor 8).
[ -c /var/chroot/bind9/dev/null ]   || mknod /var/chroot/bind9/dev/null c 1 3
[ -c /var/chroot/bind9/dev/random ] || mknod /var/chroot/bind9/dev/random c 1 8
chmod 666 /var/chroot/bind9/dev/{null,random}

# Move the configuration into the jail; the symlink keeps /etc/bind paths valid.
mv /etc/bind /var/chroot/bind9/etc
ln -s /var/chroot/bind9/etc/bind /etc/bind
chown -R bind:bind /etc/bind/*
chmod -R g+w /etc/bind/

# Inside the jail named cannot reach /dev/log, so ask rsyslog to open a second
# socket there. Single quotes matter: $AddUnixListenSocket is an rsyslog
# directive, and in double quotes the shell would expand it to nothing.
echo '$AddUnixListenSocket /var/chroot/bind9/dev/log' > /etc/rsyslog.d/bind-chroot.conf
/etc/init.d/rsyslog restart

# Append -t <chroot> to named's start options (OPTIONS="-u bind" in /etc/default/bind9).
sed -i 's,"-u bind","-u bind -t /var/chroot/bind9",' /etc/default/bind9

/etc/init.d/bind9 start

 

2.2 Run the Shell Script to chroot Bind9

We need to make the script executable and run it with the following:

# cd $HOME/scripts
# sudo chmod u+x chroot-bind9.sh
# sudo ./chroot-bind9.sh
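Before moving on, it is worth confirming that the jail is really in effect rather than trusting that the script ran cleanly. The following is an added example (not code from the original post): two small checks, one that reads the root directory of a running process from /proc and one that confirms the -t option made it into /etc/default/bind9. The paths are the post's; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): verify that named is actually
# running inside /var/chroot/bind9 after chroot-bind9.sh has been run.
set -eu

# Does process $1 run with its root set to $2? Reading /proc/<pid>/root of
# another user's process needs root. Returns 2 when the pid cannot be inspected.
verify_chroot() {
  root=$(readlink "/proc/$1/root") || return 2
  [ "$root" = "$2" ]
}

# Does the OPTIONS= line in file $1 pass "-t $2" to named?
bind_options_chrooted() {
  grep -Eq "^OPTIONS=.*-t[[:space:]]+$2" "$1"
}

# Usage on the router, as root, after running chroot-bind9.sh:
#   verify_chroot "$(pidof named)" /var/chroot/bind9 && echo "named is jailed"
#   bind_options_chrooted /etc/default/bind9 /var/chroot/bind9 && echo "-t is set"
#   ls -l /etc/bind                  # should be a symlink into the chroot
#   ls -l /var/chroot/bind9/dev/log  # socket created by rsyslog
```

If verify_chroot reports / instead of /var/chroot/bind9, the sed on /etc/default/bind9 did not match (check the OPTIONS line by hand); if /var/chroot/bind9/dev/log is missing, rsyslog was not restarted after the drop-in file was written and named will log nothing.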

 

2.3 Fix “managed-keys.bind” file not found

If you check the syslog you will notice an error while loading the file "managed-keys.bind". Check the syslog with the following command:

# tail -f /var/log/messages

You will notice this entry:

managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found

After confirming the failure on the syslog entries you can exit tail by pressing [CONTROL] + [C] keys.

 

To fix this, first include the bind.keys file (which carries the trust anchors that managed-keys tracks) by editing "named.conf".

# sudo nano /etc/bind/named.conf

Append to the last line the following entry:

include “/etc/bind/bind.keys”;

Here is a print screen with the output:

VyOS_Bind-keys

The file "managed-keys.bind" is where named stores the trust anchors it tracks. named creates it itself in its working directory (the directory set in named.conf.options, /var/cache/bind, which inside the jail is /var/chroot/bind9/var/cache/bind) once that directory is writable by bind, which the chroot script already arranged, so the warning on the first start is harmless. You can also create an empty one with touch and give it the appropriate rights:

# sudo touch /etc/bind/managed-keys.bind
# sudo chown bind:bind /etc/bind/managed-keys.bind

 

3. Configuring DNS Zones files

Finally we can configure the DNS forward and reverse lookup zones and a DNS Forwarder.

I will create a forward lookup zone for the domain name “labdom.com”, a reverse lookup zone for the network segment “192.168.1.0/24” and a DNS Forwarder to my 3G ISP Router (192.168.1.1) so that the DNS Server can resolve public DNS names.

3.1 Create a DNS Configuration file

Go to the bind folder:

# cd /var/chroot/bind9/etc/bind

Create a backup of ”named.conf.local” to “named.conf.local_ORIGINAL”:

# sudo cp named.conf.local named.conf.local_ORIGINAL

3.2 Create a Forward Lookup zone file

Create the forward lookup file “labdom.com” from the default template file “db.local”:

# sudo cp db.local labdom.com

3.3 Create a Reverse lookup zone file

Create the reverse lookup file "labdom.com.loopback" from the default template file "db.127" (the name follows the template; it is the reverse zone for 192.168.1.0/24, not a loopback zone):

# sudo cp db.127 labdom.com.loopback

3.4 Configure the DNS Zone configuration file “named.conf.local”

Now let's configure "named.conf.local"; start editing the file:

# sudo nano named.conf.local

Add the following entries to "named.conf.local" to declare the forward and reverse lookup zones and their files, then press [CONTROL]+[X] to save the file and exit. Use straight quotes (named.conf rejects the curly ones a word processor produces); named.conf accepts #, // and /* */ comments. The /etc/bind paths are resolved inside the chroot, where they point at /var/chroot/bind9/etc/bind:

# Public zone
zone "labdom.com" IN {
type master;
file "/etc/bind/labdom.com";
allow-update { none; };
};

# Reverse zone
zone "1.168.192.in-addr.arpa" IN {
type master;
file "/etc/bind/labdom.com.loopback";
allow-update { none; };
};

3.5 Configure the DNS Forward lookup zone “labdom.com”

Edit the forward lookup zone file “labdom.com” with the following:

# sudo nano labdom.com

Add the following entries to "labdom.com" and, at the end, press [CONTROL]+[X] to save the file and exit. The template's "@ IN AAAA ::1" loopback record is dropped, since labdom.com should not resolve to localhost over IPv6:

$TTL 604800
@ IN SOA labdom.com. root.labdom.com. (
2 ;Serial
604800 ;Refresh
86400 ;Retry
2419200 ;Expire
604800 ) ;Negative Cache TTL
;

@ IN NS labdom.com.
@ IN A 192.168.1.254
DA IN A 192.168.1.50

On the forward lookup "labdom.com" zone we added the "A" record for the host name "DA" with the IP 192.168.1.50. Increase the Serial every time you change the zone: named only reloads a zone version it considers newer, and any secondary decides whether to transfer by comparing serials.

The arrangement for the forward lookup file can be something like this:

VyOS_forward_lookup

 

3.6 Configure the DNS reverse lookup zone "1.168.192.in-addr.arpa"

Edit the reverse lookup zone file "labdom.com.loopback" with the following:

# sudo nano /etc/bind/labdom.com.loopback

Add the following entries to "labdom.com.loopback" and, at the end, press [CONTROL]+[X] to save the file and exit:

$TTL 604800
@ IN SOA labdom.com. root.labdom.com. (
1 ;serial
604800 ;refresh
86400 ;retry
2419200 ;expire
604800 ) ;negative cache TTL
;
@ IN NS labdom.com.
50 IN PTR DA.labdom.com.

In the reverse zone "labdom.com.loopback" we added the "PTR" record that maps 192.168.1.50 back to "DA.labdom.com". Only the last octet, 50, is written because the zone origin is 1.168.192.in-addr.arpa.

The final arrangement of the reverse zone file can look like this:

VyOS_reverse_lookup
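Editing the forward and reverse files by hand, as above, works for one host but the two drift apart as soon as the lab grows, and a forgotten serial bump is the classic reason a change never shows up. As an added example (not part of the original post), the following script builds both zone files from a single host list, stamps them with a date-based serial and validates them with named-checkzone (from bind9utils, pulled in by bind9) when it is installed. The zone names and addresses are the post's; the hosts other than DA are constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: build labdom.com and
# 1.168.192.in-addr.arpa from one host list so A and PTR records stay in
# step, with a date-based serial and an optional named-checkzone pass.
set -eu

ZONE=labdom.com
REV_ZONE=1.168.192.in-addr.arpa
REV_PREFIX=192.168.1
NS_IP=192.168.1.254      # the post's "@ IN A" address

# Constructed host list, "name ip" per line. DA is the post's host; the
# others are made up. nas is outside 192.168.1.0/24 on purpose: it gets an
# A record but no PTR in this reverse zone.
HOSTS='DA 192.168.1.50
web 192.168.1.60
nas 10.0.0.9'

# YYYYMMDDnn serial: sorts correctly and grows on every edit as long as you
# bump nn for a second change on the same day.
serial() { date +%Y%m%d01; }

# SOA and NS records shared by both zones; $1 = serial.
soa_header() {
  printf '$TTL 604800\n@ IN SOA %s. root.%s. (\n' "$ZONE" "$ZONE"
  printf '%s ;Serial\n604800 ;Refresh\n86400 ;Retry\n2419200 ;Expire\n604800 ) ;Negative Cache TTL\n' "$1"
  printf '@ IN NS %s.\n' "$ZONE"
}

# Forward zone on stdout; $1 = serial (defaults to today's).
forward_zone() {
  soa_header "${1:-$(serial)}"
  printf '@ IN A %s\n' "$NS_IP"
  printf '%s\n' "$HOSTS" | while read -r name ip; do
    [ -n "$name" ] || continue
    printf '%s IN A %s\n' "$name" "$ip"
  done
}

# Reverse zone on stdout: one PTR per host inside REV_PREFIX, keyed by the
# last octet because the zone origin is 1.168.192.in-addr.arpa.
reverse_zone() {
  soa_header "${1:-$(serial)}"
  printf '%s\n' "$HOSTS" | while read -r name ip; do
    [ -n "$name" ] || continue
    case "$ip" in
      "$REV_PREFIX".*) printf '%s IN PTR %s.%s.\n' "${ip##*.}" "$name" "$ZONE" ;;
      *) printf 'skipping %s (%s): not in %s.0/24\n' "$name" "$ip" "$REV_PREFIX" >&2 ;;
    esac
  done
}

# Write both files into $1 (the post uses /etc/bind, a symlink into the
# chroot) and validate them if named-checkzone is available.
write_and_check() {
  dir=${1:-/etc/bind}
  s=$(serial)
  forward_zone "$s" > "$dir/$ZONE"
  reverse_zone "$s" > "$dir/$ZONE.loopback"
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone "$ZONE" "$dir/$ZONE"
    named-checkzone "$REV_ZONE" "$dir/$ZONE.loopback"
  fi
}

# Only write files when explicitly asked, e.g.: sudo sh mkzones.sh write /etc/bind
if [ "${1:-}" = write ]; then
  write_and_check "${2:-/etc/bind}"
fi
```

Run it with the write argument on the router, then reload with "sudo rndc reload" or restart bind9 as in step 3.7. Because the reverse zone only covers 192.168.1.0/24, hosts on other subnets are reported on stderr rather than silently producing a PTR in the wrong zone.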

 

3.7 Configure the DNS forwarders for public name resolution

Edit the DNS options file "named.conf.options" with the following:

# sudo nano named.conf.options

Add the forwarders statement inside the existing options { } block (the default Squeeze file has a commented-out forwarders example in that spot) and press [CONTROL]+[X] to save and exit:

forwarders {
192.168.1.1;
};

With forwarders set, the server answers recursive queries for any name by passing them to 192.168.1.1. Who is allowed to trigger that recursion is governed by allow-recursion, which you should restrict to your own subnet on a server that is meant to face a public network.

VyOS_DNS-forwarder

 

Restart the bind9 daemon:

# sudo /etc/init.d/bind9 restart
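The forwarders stanza alone says nothing about who may use the recursive service, and on a router that is the interesting question: without an allow-recursion setting BIND 9.4 and later allow recursion for localnets and localhost, and "localnets" on a router is every directly attached subnet, the one you are calling public included. As an added example (not from the original post), here is the post's forwarders setting as it sits in a default Squeeze named.conf.options, beside a version that pins recursion and cache access to the lab subnet, plus a grep-based check that flags an options file whose recursion policy is left to defaults or opened to any. The subnet and forwarder address are the post's; the ACL name "lab" and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: weak and hardened
# named.conf.options side by side, and a check for unrestricted recursion.
set -eu

# As in the post: forwarders only. Recursion policy is left to BIND's
# defaults (localnets; localhost), which on a router means every attached
# subnet may use this server as a resolver and abuse it for reflection.
weak_options() {
cat <<'EOF'
options {
    directory "/var/cache/bind";
    forwarders {
        192.168.1.1;
    };
    auth-nxdomain no;
    listen-on-v6 { any; };
};
EOF
}

# Same forwarder, but recursion and cache access only for the lab subnet;
# everyone else can only ask for zones this server is authoritative for.
hardened_options() {
cat <<'EOF'
acl lab { 192.168.1.0/24; 127.0.0.1; };
options {
    directory "/var/cache/bind";
    forwarders {
        192.168.1.1;
    };
    allow-recursion { lab; };
    allow-query-cache { lab; };
    allow-transfer { none; };
    auth-nxdomain no;
    listen-on-v6 { any; };
};
EOF
}

# Reads an options file on stdin. Returns 0 (true) when recursion is on and
# either no allow-recursion ACL is set or it is set to "any"; returns 1 when
# recursion is switched off or restricted to an explicit ACL.
recursion_unrestricted() {
  cfg=$(cat)
  if printf '%s\n' "$cfg" | grep -Eq '(^|[[:space:]{;])recursion[[:space:]]+no[[:space:]]*;'; then
    return 1
  fi
  if printf '%s\n' "$cfg" | grep -Eq 'allow-recursion[[:space:]]*\{'; then
    if printf '%s\n' "$cfg" | grep -Eq 'allow-recursion[[:space:]]*\{[[:space:]]*any[[:space:]]*;'; then
      return 0
    fi
    return 1
  fi
  return 0
}

# On the router: write the hardened block over named.conf.options, then
#   named-checkconf /etc/bind/named.conf && /etc/init.d/bind9 restart
# From a host outside 192.168.1.0/24, "dig @<router> www.example.com" should
# now come back REFUSED while "dig @<router> DA.labdom.com" still answers.
```

The check is deliberately crude (it does not parse views or includes), which is enough to catch the two common mistakes: forgetting allow-recursion altogether and "fixing" a REFUSED with allow-recursion { any; }.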

 

R-Tape Loading error,
Luís Rato

~ by Luis Rato on 17 June 2014.
