Buck DNS Monoculture with BIND Alternatives (Part 2)

Last week we learned how to set up MaraDNS as an authoritative DNS server. Today we’ll use MaraDNS for local name services, and for a local caching resolver. We’ll also cover doing zone transfers between primary and secondary servers.

Local DNS Cache
You can speed up Web surfing and other online services noticeably by using a local DNS cache. With MaraDNS it’s as easy as falling over. This example creates a cache for a single PC:

# /etc/maradns/mararc
hide_disclaimer = "YES"
ipv4_bind_addresses = ""
chroot_dir = "/etc/maradns"
recursive_acl = ""

Test it with the dig command:

$ dig @localhost enterprisenetworkingplanet.com
; <<>> DiG 9.3.2 <<>> @localhost enterprisenetworkingplanet.com
;enterprisenetworkingplanet.com.        IN      A
enterprisenetworkingplanet.com. 444503 IN A
;; Query time: 27 msec
;; WHEN: Mon Oct 30 18:18:18 2006
;; MSG SIZE  rcvd: 64

This shows that your local cache is working. You should also check with netstat to make sure it’s listening only on localhost, on port UDP 53:

$ netstat -untap
udp  0  0*

MaraDNS gives helpful error messages, so if it’s not working check the syslog with this command:

$ grep maradns /var/log/daemon.log 

LAN Caching DNS Server
This example shows how to open up MaraDNS for your LAN to use, and how to use your ISP’s nameservers, or whatever upstream nameservers you want to use:

# /etc/maradns/mararc
hide_disclaimer = "YES"
ipv4_bind_addresses = ","
chroot_dir = "/etc/maradns"
recursive_acl = ""
upstream_servers = {}
upstream_servers["."] = ","

The ipv4_bind_addresses option tells MaraDNS which IP addresses to listen to. recursive_acl defines the IP range of hosts that are allowed to access your MaraDNS server. You must include the upstream_servers = {} statement or it won’t work.

LAN Name Services
MaraDNS makes a nice LAN nameserver. Set up your zones just like in part 1. The one thing you’ll want to change is to add a recursive_acl directive limiting access to your LAN hosts.

When your LAN zones are configured, all you do is enter the MaraDNS’ server IP on your client PCs in the usual manner: /etc/resolv.conf for Linux, the network settings configurator in Windows, or on your DHCP server to deliver to clients automatically.

Separating DNS Caches and Authoritative Servers
While MaraDNS is designed very securely, it’s still a best practice to keep your recursive caching server and authoritative server separated. This means putting them on different IP addresses — the IP address that goes in /etc/resolv.conf should point only to the caching server.

Primaries and Secondaries
MaraDNS can function as a primary nameserver, and allow zone transfers to secondaries. You’ll need to enable the zoneserver daemon, which is done by adding the zone_transfer_acl option to mararc. These examples show how to add lists of IP addresses, or lists of IP address ranges:

zone_transfer_acl = ",,"
zone_transfer_acl = ","

Then add an SOA (Start of Authority) record at the top of the zone file. This tells the secondaries how often to update:

alrac.net. SOA alrac.net. [email protected] 1 7200 3600 604800 1800

“1” represents the serial number, which you must manually increment every single time you make any changes. This is a silly BIND holdover, so MaraDNS does something better: don’t even bother to write your own SOA and let MaraDNS automatically handle it for you. MaraDNS will generate a timestamp for every change, which takes the place of the serial number. But if you prefer to manually control the SOA and the values in it, MaraDNS won’t mind.

Then restart MaraDNS:

# /etc/init.d/maradns restart

The zoneserver daemon will start only when the zone_transfer_acl option is present.

Don’t leave your zone transfers open to the world, that’s just asking for trouble. Always put strict limits on who can perform zone transfers.

Rsync or SCP Zone Transfers
Another way to perform zone transfers is to use plain old rsync or scp. These are reliable, efficient, and secure. Another advantage is the complete contents of the zone files are copied, including comments, and the order of the entries are not changed. rsync copies only the changes, so it’s very efficient, and scp is a bit simpler to set up. But it’s fine for smaller files. The one disadvantage is they are not triggered automatically by changes, but this shouldn’t be an insurmountable obstacle. Just set up your rsync or scp script and remember to run the script- it’s no more difficult than remembering to update a serial number. This shows how to copy a zone file manually with scp:

[email protected]:~# scp /etc/maradns/db.alrac.net secondary:/etc/maradns/db.alrac.net

If you set up ssh public-key authentication, you’ll be able to automate transfers and not have to hassle with passwords.

MaraDNS can also be a secondary in the traditional sense, but it’s rather kludgy. If you prefer the traditional method of transferring only zone data, rather than copying complete zone files with rsync or scp, see Having MaraDNS be a slave DNS server.

The author of MaraDNS, Sam Trenholme, makes security a priority. He claims that MaraDNS is virtually immune to cache poisoning.. He does not claim that MaraDNS is perfectly secure &emdash; please read MaraDNS’ security to learn about steps he has taken to make MaraDNS as secure as possible. It’s an interesting read. Some of it is plain old fundamental smart programming: resistance to buffer overflows, and never allowing data to be in an undefined state. MaraDNS is also equipped with some ingenious methods to prevent spoofing and cache poisoning. MaraDNS tries to prevent spoofing by generating a unique ID for each recursive query. Attempted cache poisoning is handled by a set of rules designed for the different ways cache poisoning can happen.

Next week we’ll walk through a complete DNScache configuration for LAN name services, both DNS and DHCP. DNScache is a great option for local name services; it’s small, fast, and easy to configure. You can even use it to provide LAN name services, and then use something like MaraDNS for authoritative public name services.


Add to del.icio.us

Latest Articles

Follow Us On Social Media

Explore More