Linux Firewall (Part 3) : DNS
Intro
So far, we have installed RHEL on our hardware, setup network bridges, static and dynamic leases and some firewall rules. In this post, we will add a DNS server to our network so we can resolve local and remote host names.
Install
We will use Unbound as our DNS server. Unbound is a validating, recursive, caching DNS resolver.
Install from RPM repository
dnf install unbound
DNSSec
DNSSec authenticates responses to domain name lookups. Read about DNSSec and unbound here
Create an initial anchor. This needs to be run as the unbound user so the created file has the right permissions.
sudo -u unbound unbound-anchor -a "/var/lib/unbound/root.key"
Add the auto-updating trust anchor file under the server section in /etc/unbound/unbound.conf
server:
auto-trust-anchor-file: "/var/lib/unbound/root.key"
Performance
Create a file for performance settings, /etc/unbound/performance.conf
# performance optimizations
so-reuseport: yes
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
# upstream connections
outgoing-range: 200
# client queries
num-queries-per-thread: 100
# cache size
msg-cache-size: 100m
rrset-cache-size: 200m
Include the performance settings file under the server section in /etc/unbound/unbound.conf
server:
include: /etc/unbound/performance.conf
Local Addresses
For resolving local addresses, we can add another file /etc/unbound/conf.d/10-local-addresses.conf
Add interfaces and ports
# interfaces
interface: 127.0.0.1
interface: 10.1.1.1
interface: 10.1.2.1
port: 53
Add the private subnets and only allow queries from these subnets
# private addresses to protect
private-address: 127.0.0.1/8
private-address: 10.1.1.0/24
private-address: 10.1.2.0/24
# allow queries from these subnets
access-control: 127.0.0.1/8 allow
access-control: 10.1.1.0/24 allow
access-control: 10.1.2.0/24 allow
Add local domains (replace example.com with your local domain name). Host name resolution is done by adding local-data entries and reverse resolution by adding local-data-ptr entries. We can add multiple root domains as well as subdomains.
# local addresses
local-zone: "example.com" typetransparent
# local domain root
local-data: "example.com A 10.1.1.1"
local-data: "example.com A 10.1.2.1"
local-data-ptr: "10.1.1.1 example.com"
local-data-ptr: "10.1.2.1 example.com"
# kvm on aa
local-data: "aa.example.com IN A 10.1.1.10"
local-data-ptr: "10.1.1.10 aa.example.com"
# aa
local-data: "aa.example.com IN A 10.1.1.11"
local-data-ptr: "10.1.1.11 aa.example.com"
# desktop
local-data: "desktop.example.com IN A 10.1.2.10"
local-data-ptr: "10.1.2.10 desktop.example.com"
Make sure either the file or its parent folder is included from /etc/unbound/unbound.conf
include: /etc/unbound/conf.d/*.conf
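As an added example (not part of the original post and not Unbound's own tooling), a small Python check that reads a local-addresses file like the one above and reports A records without a matching local-data-ptr, PTR records without a matching A record, and listening interfaces that no access-control allow rule covers. The configuration text inside it is constructed and deliberately contains a PTR/A mismatch and a missing allow rule.

```python
import ipaddress

# Constructed sample modelled on the post's 10-local-addresses.conf. It keeps
# an A/PTR mismatch for "desktop" and omits the allow rule for 10.1.2.0/24.
SAMPLE_CONF = """
interface: 127.0.0.1
interface: 10.1.1.1
interface: 10.1.2.1
access-control: 127.0.0.1/8 allow
access-control: 10.1.1.0/24 allow
local-zone: "example.com" typetransparent
local-data: "aa.example.com IN A 10.1.1.11"
local-data-ptr: "10.1.1.11 aa.example.com"
local-data: "desktop.example.com IN A 10.1.2.10"
local-data-ptr: "10.1.1.10 desktop.example.com"   # should be 10.1.2.10
"""

def parse(conf):
    """Yield (key, value) pairs; comments and quotes are dropped."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].replace('"', "").strip()
        if ":" in line:
            key, value = line.split(":", 1)
            yield key.strip(), value.strip()

def check(conf):
    """Return a list of findings; an empty list means the config is consistent."""
    norm = lambda n: n.lower().rstrip(".")
    forward, reverse, ifaces, allowed = set(), set(), [], []
    for key, value in parse(conf):
        f = value.split()
        if key == "local-data" and len(f) >= 3 and f[-2].upper() == "A":
            forward.add((norm(f[0]), f[-1]))           # name -> ip
        elif key == "local-data-ptr" and len(f) == 2:
            reverse.add((norm(f[1]), f[0]))            # ip -> name
        elif key == "interface":
            ifaces.append(f[0].split("@")[0])          # drop optional @port
        elif key == "access-control" and len(f) == 2 and f[1].startswith("allow"):
            allowed.append(ipaddress.ip_network(f[0], strict=False))
    findings = []
    for name, ip in sorted(forward - reverse):
        findings.append(f"A {name} -> {ip} has no matching local-data-ptr")
    for name, ip in sorted(reverse - forward):
        findings.append(f"PTR {ip} -> {name} has no matching local-data A record")
    for ip in ifaces:
        if not any(ipaddress.ip_address(ip) in net for net in allowed):
            findings.append(f"interface {ip} is not covered by any access-control allow")
    return findings
```

Call check() on the contents of your own conf.d file; once the PTR line and the missing access-control rule in the sample are corrected it returns an empty list.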
Start DNS Server
With everything configured, we can enable and start the server
systemctl enable --now unbound
Check that the DNS server is working with
dig @127.0.0.1 google.ca
dig @<other-bound-ips> google.ca
We can also run dig commands on other devices that use this DNS server
dig @10.1.1.1 google.ca
Thank you for reading. Check out the other parts in the series below.