
Symptom:

Request: what is the best configuration for a caching-only DNS server (BIND)?

Problem:

There is no "one size fits all" preferred configuration for any DNS server, including a caching-only nameserver.

The configuration depends on the version of the BIND nameserver that is used and on whether there are any local zones that have to be reached through stub zones or forward zones.

As a general rule for a caching DNS Server:

  • no authoritative zones except "empty" zones that keep local-only names from leaking to the Internet (the exact names and number of these zones depend on the BIND version, as newer versions already serve the RFC 1918 and other RFC 6303 reverse zones as built-in empty zones, and on any "local" domain space used in your organization, such as ".local" for DNS-SD/Avahi/Bonjour/mDNS)
  • stub zones or forward zones that redirect queries for local authoritative zones that are not delegated from the Internet root down to the internal authoritative servers
  • restrict recursion (and preferably all queries) to an ACL of internal networks; an open resolver can be abused by outside hosts and for DNS amplification attacks
  • configuration of DNSSEC validation with trust anchors (recent BIND versions ship the root trust anchor and use it with "dnssec-validation auto")
  • disable NOTIFY and zone transfers (not needed on a caching nameserver)

Below is an example template named.conf for a caching-only DNS server. This file must be customized for your environment (networks, forwarders, zone names) and should be checked with named-checkconf (and named-checkzone for the zone file) before named is restarted. This template assumes a recent BIND 9 nameserver.

 

Solution

acl "trusted" {
   // Networks that are allowed to use this server as a resolver.
   // List every internal and DMZ subnet here; anything not listed is
   // refused recursion in the options block, so this ACL is also what
   // keeps the server from acting as an open resolver for the outside.
   // 192.0.2.0/24 is the RFC 5737 documentation prefix - replace it
   // with your own address ranges.
   localhost;
   192.0.2.0/24;
};


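logging {
   // General log file, rotated by size: 200 MB per file, 10 old versions kept.
   channel mmsuite_log { file "/var/named/mmsuite.log" size 200M versions 10; severity notice; print-category yes; print-severity yes; print-time yes; };
   // Syslog copy (facility daemon) so the important messages also reach
   // the central log host / SIEM.
   channel mmsuite_syslog { syslog daemon; severity info; print-category yes; print-severity yes; print-time yes; };
   // Dedicated, very verbose DNSSEC validation trace.  "severity debug 3"
   // is meant for troubleshooting validation failures; lower it to "info"
   // once the resolver is in production, otherwise this file fills quickly.
   channel dnssec_log { file "/var/named/dnssec.log" size 200M versions 10; print-time yes; print-category yes; print-severity yes; severity debug 3; };

   // "dnssec" is deliberately listed only once.  The original template
   // listed it twice (dnssec_log and mmsuite_log); keep the single
   // dedicated channel so validation debug traffic stays out of the
   // general log.
   category dnssec { dnssec_log; };
   category client { mmsuite_log; };
   category config { mmsuite_log; };
   category database { mmsuite_log; };
   category default { mmsuite_log; mmsuite_syslog; };
   category dispatch { null; };
   category general { mmsuite_log; };
   // Lame delegations are noise on a busy resolver.
   category lame-servers { null; };
   category network { null; };
   category notify { mmsuite_log; };
   // Per-query logging is off by default; toggle it on demand with
   // "rndc querylog" when investigating a problem.
   category queries { null; };
   category resolver { mmsuite_log; };
   // "security" carries the refused recursion / transfer / update
   // attempts - the events worth alerting on - so send it to syslog too.
   category security { mmsuite_log; mmsuite_syslog; };
   category unmatched { null; };
   category update { mmsuite_log; };
   category update-security { mmsuite_log; mmsuite_syslog; };
   // Transfers are disabled below; these only record attempts/errors.
   category xfer-in { mmsuite_log; };
   category xfer-out { mmsuite_log; };
};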

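// Set options for security
options {
    directory "/var/named";
    pid-file "/var/named/named.pid";
    statistics-file "/var/named/named.stats";
    memstatistics-file "/var/named/named.memstats";
    // NOTE: outside "directory"; the named user must be able to write
    // there (and the directory must exist) or "rndc dumpdb" fails.
    dump-file "/var/adm/named.dump";
    zone-statistics yes;

    // Enable DNSSEC validation using the compiled-in root trust anchor,
    // which named keeps up to date automatically (RFC 5011).
    // "dnssec-enable yes" is intentionally NOT set: it has been the
    // default in BIND 9 for years and the option was removed in BIND 9.18,
    // where it is a fatal configuration error.
    dnssec-validation auto;

    // Caching-only server: there are no secondaries to notify.  Leaving
    // NOTIFY off also avoids generating NOTIFY traffic that could
    // trigger bogus zone transfer requests elsewhere.
    notify no;

    // Transfer tuning inherited from the authoritative template.  It is
    // harmless here because transfers are disabled below; keep or drop.
    transfer-format many-answers;
    max-transfer-time-in 60;

    // Never hand out zone contents; nobody should be transferring zones
    // from a caching server.
    allow-transfer { none; };

    // Recursion, cache access and plain queries are all limited to the
    // "trusted" ACL.  allow-recursion alone would still let anyone query
    // the authoritative (empty / loopback) zones below; restricting
    // allow-query as well keeps outside hosts from using this server at
    // all (an open resolver is a DNS amplification / DDoS vector).
    recursion yes;
    allow-query { trusted; };
    allow-query-cache { trusted; };
    allow-recursion { trusted; };
};

zone "0.0.127.in-addr.arpa" in {
    // Reverse zone for the loopback network.  Recent BIND versions
    // already serve this range (and the other RFC 6303 ranges) as
    // built-in empty zones; an explicit master zone like this one takes
    // precedence and is only needed if you want a real localhost PTR.
    // Queries are limited by the global allow-query, transfers are
    // disabled globally.  BIND >= 9.16 also accepts "type primary".
    type master;
    file "master/db.127.0.0";
};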
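zone "internal.ournetwork.com" in {
    // Our internal forward zone.  There may be several of these.
    // Because this is a caching-only server we hold no copy of the zone
    // and forward to the internal authoritative servers instead.
    // "forward only": if the forwarders do not answer, the query fails
    // rather than being retried via the Internet root - which is what
    // we want for a private namespace that is not delegated publicly.
    type forward;
    forward only;
    forwarders { 192.0.2.10; 192.0.2.100; };
};

zone "2.0.192.in-addr.arpa" in {
    // Our internal PTR zone, matching the 192.0.2.0/24 example network
    // used in the "trusted" ACL.  (The original template used
    // 7.7.7.in-addr.arpa, which is a public range, not a private one -
    // copying that would forward queries for someone else's addresses
    // to the internal servers.)  Again, there may be several of these.
    type forward;
    forward only;
    forwarders { 192.0.2.10; 192.0.2.100; };
};

zone "local" in {
    // Special "empty" zone that stops queries for names which only
    // exist locally from being leaked to the Internet.  The exact names
    // and number of such zones should be determined with DNS monitoring
    // tools such as dnstop or tcpdump.
    // ".local" should not be used as a unicast DNS domain any more - it
    // is reserved for multicast DNS (RFC 6762) - but it is still in use
    // in many companies.
    type master;
    file "hosts/masters/empty-zone.hosts";
};

-------- (empty-zone.hosts) --------------
;; Special "empty" zone file, shared by all local empty zones on the
;; caching nameserver, so that queries for local-only names are not
;; leaked into the Internet.
;; Adjust the hostnames to your environment (normally the caching
;; servers themselves).  Every name on the right-hand side MUST end in
;; a trailing dot: without it BIND appends the zone origin (e.g.
;; "local.") and the SOA/NS names become bogus.  Validate the file with
;; "named-checkzone local hosts/masters/empty-zone.hosts".
$TTL 86400
@   IN  SOA hostname.of.master.nameserver. hostmaster.example.com. (
            2010011501  ; serial
            30d         ; refresh
            1d          ; retry
            40w         ; expire
            8h          ; negative caching TTL
            )
@   IN  NS  hostname.of.master.nameserver.
@   IN  NS  hostname.of.secondary.nameserver.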