Hack 78 Setting Up Caching DNS with Authority for Local Domains
Get BIND running quickly with a forwarding, caching server

Running BIND can be very tricky business if you have a particularly complex network topology. Multiple DMZs, public versus private IP addresses, and delegated subdomains can make DNS administration a full-time job for a large site. If you're looking for a way to alleviate some of the complexity, see [Hack #77]. Or if you're feeling particularly adventurous, try wildcard domain matching and delegation, as described in [Hack #100]. But in the majority of small to medium installations, BIND is really only needed for two things: to act as the authoritative source for a domain or two, and to provide forwarding to another DNS server for all other requests. Here is a simple (but complete) named.conf that does exactly that:

    options {
        directory "/var/named";
        pid-file "/var/run/named.pid";
        statistics-file "/var/named/named.stats";
    };

    logging {
        channel default_out {
            file "/var/log/named.log";
        };
        category default { default_out; };
        category config { default_out; };
        category xfer-in { default_out; };
        category xfer-out { default_out; };
        category lame-servers { null; };
    };

    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "data/localhost.rev";
    };

    zone "." {
        type hint;
        file "rootservers.cache";
    };

    // Authoritative domains go here
    zone "nocat.net" {
        type master;
        file "data/nocat.net";
    };
This makes us authoritative for the domain nocat.net, with its data stored in the file /var/named/data/nocat.net. Requests for any domain other than nocat.net (or the loopback network 127.0.0.0, which is answered locally) are chased down automatically, starting from the root servers listed in rootservers.cache. A suitable root server cache file should have shipped with BIND, but if you can't find it, try something like this:

    # dig @a.root-servers.net > rootservers.cache
If your network doesn't have unrestricted access to the Internet (e.g., you are behind a restrictive firewall), then querying the root and other authoritative servers directly may not work. If that's the case, try an explicit forwarding rule in place of the hint entry above (note the trailing semicolon after the closing brace, which named requires):

    zone "." {
        type forward;
        forward only;
        forwarders { 192.168.1.1; };
    };
Naturally, replace 192.168.1.1 with the IP address of a valid name server for your network. This will direct all DNS traffic to your network's DNS server, which presumably has permission to do domain lookups through the firewall.
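A small sanity check for a named.conf of this shape, written as an added example for this page (it is not from the book, and it is not a substitute for BIND's own named-checkconf syntax checker). It parses the top-level statements, warns when the hint and forward root zones are both left in (they are alternatives, not companions), when a master or hint zone has no file or a forward zone has no forwarders, and when the options block never restricts recursion, since a caching server reachable from outside the network otherwise answers recursive queries for anyone. The sample config is constructed from the one above, with the forward root zone deliberately pasted in beside the hint zone.

```python
# Added example, not part of the original hack: lint a named.conf shaped like the one above.
# Flags master/hint zones without a file, forward zones without forwarders, a root zone "."
# defined twice (hint *and* forward), and options with no allow-recursion/allow-query (open resolver).
import re

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # /* ... */
    return re.sub(r"(//|#)[^\n]*", "", text)  # // and # to end of line

def top_level_blocks(text):  # -> [(header, body)] for each top-level `header { body }`
    depth, start, last_end, out = 0, 0, 0, []
    for i, c in enumerate(text):
        if c == "{":
            if depth == 0:
                start = i
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:  # closing brace of a top-level statement
                out.append((text[last_end:start].strip(" \n\t;"), text[start + 1:i]))
                last_end = i + 1
    return out

def lint_named_conf(conf):
    findings, root_types = [], []
    for header, body in top_level_blocks(strip_comments(conf)):
        words = header.split() or [""]
        if words[0] == "options" and not re.search(r"\ballow-(recursion|query)\b", body):
            findings.append("options: no allow-recursion/allow-query, recursion is open to any client")
        elif words[0] == "zone" and len(words) > 1:
            name = words[1].strip('"')
            m = re.search(r"\btype\s+(\w+)", body)
            ztype = m.group(1) if m else "?"
            if ztype in ("master", "hint") and not re.search(r'\bfile\s+"', body):
                findings.append(f"zone {name}: type {ztype} but no file statement")
            if ztype == "forward" and not re.search(r"\bforwarders\s*\{", body):
                findings.append(f"zone {name}: type forward but no forwarders list")
            if name == ".":
                root_types.append(ztype)
    if len(root_types) > 1:
        findings.append(f"root zone '.' defined {len(root_types)} times ({', '.join(root_types)}); keep one")
    return findings

# Constructed sample: the hack's config with the forward root zone pasted in beside the hint zone.
SAMPLE = """options { directory "/var/named"; };
zone "0.0.127.in-addr.arpa" in { type master; file "data/localhost.rev"; };
zone "." { type hint; file "rootservers.cache"; };
zone "." { type forward; forward only; forwarders { 192.168.1.1; }; };
zone "nocat.net" { type master; file "data/nocat.net"; };"""
print("\n".join("WARNING: " + f for f in lint_named_conf(SAMPLE)))
```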