Linux Firewall (Part 3) : DNS

Intro

So far, we have installed RHEL on our hardware and set up network bridges, static and dynamic leases, and some firewall rules. In this post, we will add a DNS server to our network so we can resolve local and remote host names.

Install

We will use Unbound as our DNS server. Unbound is a validating, recursive, caching DNS resolver.

Install it from the RPM repository

dnf install unbound

DNSSEC

DNSSEC authenticates responses to domain name lookups, so a validating resolver can reject forged or tampered answers. Read about DNSSEC and Unbound in the Unbound documentation.

Create an initial trust anchor. This needs to be run as the unbound user so the created file has the right permissions

sudo -u unbound unbound-anchor -a "/var/lib/unbound/root.key"

Add the auto-updating trust anchor file under the server section in /etc/unbound/unbound.conf

server:
	auto-trust-anchor-file: "/var/lib/unbound/root.key"

Performance

Create a file for performance settings, /etc/unbound/performance.conf

# performance optimizations
so-reuseport: yes
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4

# upstream connections
outgoing-range: 200
# client queries
num-queries-per-thread: 100

# cache size
msg-cache-size: 100m
rrset-cache-size: 200m

Include the performance settings file under the server section in /etc/unbound/unbound.conf

server:
	include: /etc/unbound/performance.conf

Local Addresses

For resolving local addresses, we can add another file /etc/unbound/conf.d/10-local-addresses.conf

Add the interfaces and port to listen on

# interfaces
interface: 127.0.0.1
interface: 10.1.1.1
interface: 10.1.2.1
port: 53

Add the private subnets and only allow queries from them. private-address strips these ranges from answers for public names (Unbound's protection against DNS rebinding; locally configured local-data is exempt), while access-control restricts which clients may query the resolver at all

# private addresses to protect
private-address: 127.0.0.1/8
private-address: 10.1.1.0/24
private-address: 10.1.2.0/24

# allow queries from these subnets
access-control: 127.0.0.1/8 allow
access-control: 10.1.1.0/24 allow
access-control: 10.1.2.0/24 allow

Add local domains (replace example.com with your local domain name). Forward resolution is done by adding local-data entries and reverse resolution by adding local-data-ptr entries; keep the two in step so that each address resolves back to the name that points at it. We can add multiple root domains as well as subdomains

# local addresses
local-zone: "example.com" typetransparent

# local domain root
local-data: "example.com A 10.1.1.1"
local-data: "example.com A 10.1.2.1"
local-data-ptr: "10.1.1.1 example.com"
local-data-ptr: "10.1.2.1 example.com"

# kvm on aa
local-data: "aa.example.com IN A 10.1.1.10"
local-data-ptr: "10.1.1.10 aa.example.com"

# aa
local-data: "aa.example.com IN A 10.1.1.11"
local-data-ptr: "10.1.1.11 aa.example.com"

# desktop (the PTR must use the same address as the A record)
local-data: "desktop.example.com IN A 10.1.2.10"
local-data-ptr: "10.1.2.10 desktop.example.com"
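Hand-maintained reverse entries drift easily, and a stale PTR misleads any log review or access check that relies on reverse lookups. As an added example (not part of the original post), the following Python check parses the local-data and local-data-ptr lines of a fragment like the one above and reports forward/reverse pairs that disagree; the embedded sample is constructed from this post's entries, with the desktop PTR deliberately given the wrong address.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample based on this post's 10-local-addresses.conf; the desktop
# PTR deliberately uses 10.1.1.10 instead of 10.1.2.10 so the check has a hit.
SAMPLE_CONF = """
local-zone: "example.com" typetransparent
local-data: "example.com A 10.1.1.1"
local-data: "example.com A 10.1.2.1"
local-data-ptr: "10.1.1.1 example.com"
local-data-ptr: "10.1.2.1 example.com"
local-data: "aa.example.com IN A 10.1.1.10"
local-data-ptr: "10.1.1.10 aa.example.com"
local-data: "desktop.example.com IN A 10.1.2.10"
local-data-ptr: "10.1.1.10 desktop.example.com"
"""

# Unbound RR string syntax: name [TTL] [IN] A address
A_RE = re.compile(r'^\s*local-data:\s*"(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)"')
PTR_RE = re.compile(r'^\s*local-data-ptr:\s*"(\S+)\s+(\S+)"')


def parse_local_data(conf: str) -> Tuple[Set[Tuple[str, str]], Set[Tuple[str, str]]]:
    """Return (forward, reverse) sets of (name, ip); names lower-cased, no trailing dot."""
    forward, reverse = set(), set()
    for line in conf.splitlines():
        if m := A_RE.match(line):
            forward.add((m.group(1).rstrip(".").lower(), str(ipaddress.ip_address(m.group(2)))))
        elif m := PTR_RE.match(line):
            reverse.add((m.group(2).rstrip(".").lower(), str(ipaddress.ip_address(m.group(1)))))
    return forward, reverse


def check_consistency(conf: str) -> List[str]:
    """List A records without a matching PTR, PTRs without a matching A record,
    and addresses whose PTRs point at more than one name."""
    forward, reverse = parse_local_data(conf)
    problems = [f"A {n} -> {ip} has no matching local-data-ptr" for n, ip in sorted(forward - reverse)]
    problems += [f"PTR {ip} -> {n} has no matching local-data A record" for n, ip in sorted(reverse - forward)]
    by_ip: Dict[str, Set[str]] = {}
    for name, ip in reverse:
        by_ip.setdefault(ip, set()).add(name)
    problems += [f"PTR {ip} maps to several names: {', '.join(sorted(ns))}"
                 for ip, ns in sorted(by_ip.items()) if len(ns) > 1]
    return problems
```

Run check_consistency over the text of your own conf.d fragment before reloading Unbound; an empty list means every A record has a PTR with the same address and vice versa.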

Make sure either this file or its parent folder is included from /etc/unbound/unbound.conf

include: /etc/unbound/conf.d/*.conf

Start DNS Server

With everything configured (and the configuration validated with unbound-checkconf), we can enable and start the server

systemctl enable --now unbound

Check that the DNS server is working with

dig @127.0.0.1 google.ca
dig @<other-bound-ips> google.ca

We can also run dig commands from other devices that use this DNS server

dig @10.1.1.1 google.ca

Thank you for reading. Check out the other parts in the series below.