Thursday, 30 June 2011

DNS -- Configure a caching-only name server

I must confess, yet again, that I'm not 100% sure what this objective refers to. My understanding is as follows: a caching-only name server is authoritative for no zones of its own. It answers client queries by asking other servers (the root servers, or a configured forwarder), and keeps each answer in its cache for as long as the record's TTL allows, so that repeated lookups are served locally. An authoritative server somewhere still has to provide the actual answer the first time round. I think this objective is geared towards having a single DNS server within an organization, so that internet name queries from all clients are resolved and cached on that one server.

My RHEL6 boxes don't have internet access, so this has been a little bit awkward to test. I essentially set up a master DNS server and then modified the /var/named/named.ca root hints file on the caching name server, changing the IP address of one of the root servers to that of my master DNS server, like this:

M.ROOT-SERVERS.NET.     3600000 IN      A       10.168.20.233
Editing named.ca like this is purely a lab trick: in a real deployment you would leave the root hints alone and point the caching server at an upstream resolver with a forwarders statement in /etc/named.conf instead. I think I might be getting a little bit ahead of myself, though. Let's start from the beginning and install BIND:
yum install bind -y
You'll now need to edit the BIND configuration file /etc/named.conf and make a few changes, so that named listens on all interfaces rather than only on loopback, and accepts queries from any host:
listen-on port 53 { any; };
allow-query     { any; };
Be aware that allow-query { any; } together with recursion (which is on by default) turns the box into an open resolver that will look up anything for anybody. That is acceptable on an isolated lab network; anywhere else, restrict allow-query and allow-recursion to your own client networks.
Given that I had not configured DNSSEC properly, I also commented the dnssec lines out:
/*      dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
*/
Ensure that the BIND daemon is set to run at boot time:
chkconfig named on
Open up the firewall for DNS over both UDP and TCP, and save the changes:
iptables -I INPUT -p udp --dport 53 -j ACCEPT
iptables -I INPUT -p tcp --dport 53 -j ACCEPT
service iptables save
You can now start named:
service named start
The best way to test this is to use dig and look at the time each query takes. In my case, I can just turn off the master DNS server: if the result is cached, the caching server will still give me a response, e.g.:
dig myserver.domain.com
;; Query time: 2 msec
;; SERVER: 10.168.20.234#53(10.168.20.234)
dig myserver.domain.com
;; Query time: 0 msec
;; SERVER: 10.168.20.234#53(10.168.20.234)
This feels a little bit unsatisfying, so I used the tc command to add a 200 millisecond delay to all traffic on eth0 (note that this is done on the master DNS server, so that the first, uncached lookup has to wait for it):

tc qdisc add dev eth0 root netem delay 200ms
I restarted named on the caching server (which empties its cache) and tried again with dig:
dig myserver.domain.com
;; Query time: 202 msec
;; SERVER: 10.168.20.234#53(10.168.20.234)
dig myserver.domain.com
;; Query time: 0 msec
;; SERVER: 10.168.20.234#53(10.168.20.234)
A lot better this time :). The first query pays the 200 ms round trip to the master, the second is answered straight from the cache. It now makes a bit more sense to have a caching name server.
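As an added example (not part of the original post), here is the whole procedure above, the named.conf edits and the dig-based cache check, as one script for the same RHEL 6 setup. Unlike the configuration in the post it does not open the server to every host: it restricts allow-query and allow-recursion to a client network and uses a forwarders statement instead of an edited named.ca. The client network 10.168.20.0/24, the upstream resolver addresses (the lab master 10.168.20.233 plus a placeholder 10.168.20.1) and the script's own function and mode names are assumptions of this example, not something the post specifies.

```shell
#!/bin/sh
# Caching-only BIND resolver for RHEL 6: render a locked-down named.conf,
# apply it, and verify that repeat lookups are answered from the cache.
# Added example, not the original post's commands. The client network and
# the upstream resolver addresses below are placeholders (assumptions).
set -e

CLIENT_NET="${CLIENT_NET:-10.168.20.0/24}"              # hosts allowed to use this resolver
FORWARDERS="${FORWARDERS:-10.168.20.233; 10.168.20.1;}" # upstream resolvers (lab master + placeholder)

# Emit a named.conf that holds no zones of its own, answers and recurses only
# for the trusted ACL, and forwards every uncached query upstream.
render_named_conf() {
  cat <<EOF
acl "trusted" { 127.0.0.1; $CLIENT_NET; };

options {
        listen-on port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";   // target of "rndc dumpdb -cache"

        // Only our own clients may ask, and only they may make us recurse:
        // "any" here would turn this box into an open resolver.
        allow-query     { trusted; };
        allow-recursion { trusted; };
        recursion       yes;

        // Everything not already in the cache goes to the upstream resolvers.
        forwarders      { $FORWARDERS };
        forward         only;

        // No trust anchors configured in this lab, so do not validate.
        dnssec-enable     no;
        dnssec-validation no;
};

// Root hints, used only if "forward only" is ever relaxed to "forward first".
zone "." IN {
        type hint;
        file "named.ca";
};
EOF
}

# Pull the milliseconds out of dig's ";; Query time: 202 msec" line (stdin).
query_time_msec() {
  sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p'
}

# Look a name up twice; the second answer should come from the cache and
# take no longer than the first. Needs a running named, so it is not part
# of the offline checks.
check_caching() {
  name="$1"; server="${2:-127.0.0.1}"
  first=$(dig @"$server" "$name" | query_time_msec)
  second=$(dig @"$server" "$name" | query_time_msec)
  echo "first=${first}ms second=${second}ms"
  [ "$second" -le "$first" ]
}

# The steps from the post, with the firewall opened only to the client network
# and the configuration syntax-checked before named is restarted.
apply_caching_resolver() {
  yum install -y bind bind-utils
  render_named_conf > /etc/named.conf
  named-checkconf /etc/named.conf
  chkconfig named on
  iptables -I INPUT -s "$CLIENT_NET" -p udp --dport 53 -j ACCEPT
  iptables -I INPUT -s "$CLIENT_NET" -p tcp --dport 53 -j ACCEPT
  service iptables save
  service named restart
}

case "${1:-}" in
  render) render_named_conf ;;
  apply)  apply_caching_resolver ;;
  check)  check_caching "${2:?usage: $0 check NAME [SERVER]}" "${3:-127.0.0.1}" ;;
esac
```

Run it as `sh caching-resolver.sh render` to preview the generated named.conf, `sh caching-resolver.sh apply` on the caching server to install and configure everything, and `sh caching-resolver.sh check myserver.domain.com` afterwards to repeat the two-query timing test from the post. Keeping the ACL in named.conf as well as in iptables means a mistake in one layer does not silently expose the resolver.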

Note that the cache is held in memory and is therefore lost when the server, or named itself, is restarted. You can also empty it deliberately with rndc flush, or write it out for inspection with rndc dumpdb -cache, which dumps it to the dump-file path set in named.conf (/var/named/data/cache_dump.db in the stock RHEL 6 configuration).

Also note that there are no SELinux settings related to this objective. To prevent particular hosts from accessing the service you can use iptables rules limited to your client networks, but BIND also has its own allow-query and allow-recursion ACLs in named.conf, and restricting both layers is the safer option.
