Setting up a recursive DNS server.
Before you continue please consider clicking on one of the horrible ads. I know they are a pain but they help me pay for the hosting of this site. It owes me a lot of money. Sob story over.
What is a recursive DNS server?
It's a DNS server that looks up a name by discovering and querying the authoritative name servers for that particular domain.
Don't I already have that?
Well, if you're a nerd like me then you might have, but it's far more likely that your DNS server is simply forwarding all DNS traffic to something like 8.8.8.8 and then caching the results. In this instance 8.8.8.8 is the recursive server that does all the work.
Why do I need a recursive DNS server on my network?
Well, you don't. No one does really. The internet ones we all use are fine (mostly).
However there are a few things to consider:
- Every time you browse the internet your DNS provider is logging all the DNS requests you make, even if you're in "incognito" mode. It's nothing nefarious: they have to be able to see this information, otherwise they couldn't provide you with the IP address, but they could, if asked, produce a list of DNS queries a particular IP has made in a given period.
- There have been actual DNS poisoning attacks seen out there in the wild, so the chance of you falling foul of one is no longer zero, just nearly zero.
- It's nice to know how to do stuff like this. Knowing stuff is always good.
So, with all this in mind, this is how you use 'unbound' to create a recursive DNS server on your very own network.
We are going to install this on a CentOS VM for no reason other than it's my favoured flavour of Linux.
- Build a VM as per my previous article
So you have a VM built and are logged in either as root (naughty) or as a user that has root privileges.
How to install Unbound
Run the following:
sudo yum install unbound
and press 'y' to install. This should be quick; it's not massive.
How to configure Unbound
Unbound is a very powerful tool and can do all sorts of magical things I'm not going to even remotely touch here.
All we are going to do is:
- Only listen for queries from the local subnet on port 25
- Listen for both UDP and TCP requests
- Verify DNSSEC signatures
Open the config file in your file editor of choice. I am a nano man myself.
sudo nano /etc/unbound/unbound.conf
The default config is actually OK and you could use it right now as is, but we want to tweak it a little. Skip right to the end of the file and add the following.
server:
    # Serve IPv4 over both UDP and TCP; leave IPv6 off.
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    # Only trust glue that is within the answering server's authority, and
    # treat a trust-anchored zone whose DNSSEC data has been stripped as bogus.
    harden-glue: yes
    harden-dnssec-stripped: yes
    # Never accept these private ranges in answers from the internet (DNS rebinding protection).
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
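As an added example (not from the original post), here is a small Python linter for the three goals above: it flags options that landed under the wrong clause (which is what happens if you paste at the very end of a file whose last clause is remote-control:), a missing trust anchor (without one Unbound cannot validate DNSSEC), and an access-control that turns the box into an open resolver. The access-control and auto-trust-anchor-file directives, the constructed config and the LAN subnet are assumptions, not taken from this page.

```python
"""Lint an Unbound server: clause for the article's goals (added example)."""
import ipaddress
import re

LAN_SUBNET = "192.168.1.0/24"  # assumption: the subnet the resolver serves
SERVER_ONLY = {"do-udp", "do-tcp", "harden-dnssec-stripped", "access-control"}

# Constructed config: open ACL, no trust anchor, and the appended options
# landed under remote-control: because they were pasted at the end of file.
CONSTRUCTED_CONF = """
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
remote-control:
    do-udp: yes
    do-tcp: yes
    harden-dnssec-stripped: yes
"""

def parse(text):
    """Map clause name -> {option: [values]}; values repeat (e.g. ACLs)."""
    clauses, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments; blanks fall through
        if re.fullmatch(r"[a-z-]+:", line):      # clause header, e.g. "server:"
            current = clauses.setdefault(line[:-1], {})
        elif current is not None and ":" in line:
            key, val = (p.strip() for p in line.split(":", 1))
            current.setdefault(key, []).append(val)
    return clauses

def lint(clauses, lan=LAN_SUBNET):
    """Return findings; an empty list means the three goals are met."""
    srv, out = clauses.get("server", {}), []
    for name, opts in clauses.items():           # options in the wrong clause
        if name != "server":
            out += [f"{k} sits under {name}:, not server:" for k in opts if k in SERVER_ONLY]
    for k in ("do-udp", "do-tcp", "harden-dnssec-stripped"):
        if srv.get(k, [""])[0] != "yes":
            out.append(f"{k}: yes missing from server:")
    if not (srv.get("auto-trust-anchor-file") or srv.get("trust-anchor-file")):
        out.append("no trust anchor: answers are not DNSSEC-validated")
    want = ipaddress.ip_network(lan)             # access-control: "<cidr> <action>"
    allows = [ipaddress.ip_network(e.split()[0]) for e in srv.get("access-control", [])
              if e.split()[1] == "allow"]
    out += [f"access-control {n} allow: open resolver" for n in allows if n.prefixlen == 0]
    if not any(n.version == want.version and n.supernet_of(want) for n in allows):
        out.append(f"no access-control allow covers {lan}")
    return out
```

Run lint(parse(open("/etc/unbound/unbound.conf").read())) against your own file; unbound-checkconf only checks syntax, not whether the clause does what you meant.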