Saturday, March 10, 2012

Configure a Caching Only DNS Server

Caching-Only DNS Server

A caching-only name server holds no zone data of its own. It looks up answers on behalf of its clients, caches (stores) what comes back, and answers later queries for the same names from the cache until the record's TTL expires.

It is authoritative only for the loopback reverse zone, 0.0.127.in-addr.arpa. For everything else it either resolves the name itself, starting from the root servers listed in its hints file and following referrals, or hands the query to the forwarders configured for it.

Because it carries no zone data, no zone files have to be written for a caching-only server beyond the root hints (named.ca) and the loopback zone (named.local) that ship with the bind package.

Running the caching-only name server in a chroot environment is the safer approach: the process is confined to a small directory tree (/var/named/chroot when the bind-chroot package is installed on Red Hat systems), so a compromise of named exposes only that tree rather than the whole filesystem.

To configure /etc/named.conf for a simple caching name server, use the configuration below on any server that is not itself a master or slave for a zone. A caching server for the local client machines takes load off the network's primary server, and it is a common setup on a DSL connection, where the clients would otherwise all query the ISP's resolvers directly. Make sure /etc/named.conf contains the entries below:

Terminal Window View
// a caching only nameserver config
include "/etc/rndc.key";   // defines rndckey, which the controls statement below refers to
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    forwarders { 192.168.1.1; 192.168.1.100; };
    forward only;
    recursion yes;
    // answer only localhost and the local network; without these two
    // lines the server is an open resolver for the whole Internet
    allow-query { localhost; 192.168.1.0/24; };
    allow-recursion { localhost; 192.168.1.0/24; };
};
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
// root hints; only consulted if "forward only" is changed to "forward first"
zone "." IN {
    type hint;
    file "named.ca";
};
// the one zone this server is authoritative for: reverse lookups of 127.0.0.x
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

In the forwarders option, 192.168.1.1 and 192.168.1.100 are the addresses of the network's primary (master) and secondary (slave) DNS servers; they could equally be the ISP's resolver and a second resolver of your choice. With forward only, named sends every query it cannot answer from its cache to the forwarders and gives up (returning SERVFAIL to the client) if they do not answer; with forward first it would fall back to resolving the name itself from the root hints. Restrict who may query: a recursive server that answers anyone on the Internet is an open resolver, which is abused for DNS amplification attacks and is easier to poison, so use allow-query and allow-recursion in the options block to limit it to localhost and the local network. The rndckey named in the controls statement must be defined, normally by including /etc/rndc.key (create it with rndc-confgen -a if it does not exist); otherwise named refuses to start with an unknown key error. To enable and start the server, run:
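The settings above are easy to get subtly wrong, so here is a small audit script, added for this page and not part of BIND, that reads a named.conf and reports the problems just discussed: a controls statement that names rndckey without any key definition or include, forwarders without forward only (or forward only without forwarders), and recursion left open or left to the version default. It assumes BIND 9 syntax. The two configurations embedded in it are constructed for the example: one mirrors the options and controls statements shown above, the other adds the client ACLs and the key include.

```python
"""Audit a BIND named.conf for the settings a caching-only resolver must
get right.  Added example for this page, not part of the BIND package.
The two configs at the bottom are constructed samples."""
import re

OPEN_ACL = {"any", "0.0.0.0/0", "0/0", "::/0"}


def strip_comments(text):
    """Remove /* */, // and # comments (all three are legal in named.conf)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def options_block(text):
    """Return the body of the options { ... } block, matching nested braces."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 0, m.end()
    for i in range(start - 1, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unbalanced braces in options block")


def acl_values(block, name):
    """Entries of an address-match list such as allow-query { a; b; };  None if absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}", block)
    if not m:
        return None
    return [v.strip() for v in m.group(1).split(";") if v.strip()]


def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    text = strip_comments(conf)
    opts = options_block(text)
    findings = []

    rec = re.search(r"\brecursion\s+(yes|no)\s*;", opts)
    recursive = rec is None or rec.group(1) == "yes"   # BIND defaults to recursion yes
    allow_rec = acl_values(opts, "allow-recursion")
    if recursive and allow_rec is None:
        findings.append("allow-recursion not set: who may recurse depends on the BIND "
                        "version default (9.4+: localnets/localhost; earlier: any)")
    elif recursive and allow_rec and any(v in OPEN_ACL for v in allow_rec):
        findings.append("open resolver: allow-recursion permits the whole Internet")

    forwarders = acl_values(opts, "forwarders") or []
    forward_only = re.search(r"\bforward\s+only\s*;", opts) is not None
    if forward_only and not forwarders:
        findings.append("forward only without forwarders: nothing can be resolved")
    if forwarders and not forward_only:
        findings.append("forward first (default): falls back to root hints if forwarders fail")

    uses_rndckey = re.search(r"\bkeys\s*\{[^}]*\brndckey\b", text) is not None
    defines_key = re.search(r'\bkey\s+"?rndckey"?\s*\{', text) is not None
    includes_key = re.search(r'\binclude\s+"[^"]*rndc\.key"\s*;', text) is not None
    if uses_rndckey and not (defines_key or includes_key):
        findings.append('controls uses rndckey but no key "rndckey" statement or '
                        'include "/etc/rndc.key" defines it; named will not start')
    return findings


# Constructed sample: the options/controls statements as shown on this page.
PAGE_CONF = """
options {
    forwarders { 192.168.1.1; 192.168.1.100; };
    forward only;
};
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
"""

# Constructed sample: the same server with client ACLs and the key include.
HARDENED_CONF = """
include "/etc/rndc.key";
options {
    forwarders { 192.168.1.1; 192.168.1.100; };
    forward only;
    recursion yes;
    allow-query { localhost; 192.168.1.0/24; };
    allow-recursion { localhost; 192.168.1.0/24; };
};
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
"""

if __name__ == "__main__":
    for label, conf in (("page config", PAGE_CONF), ("hardened config", HARDENED_CONF)):
        print(label, "->", audit(conf) or ["ok"])
```

Run it as `python3 audit_named.py`, or call audit() on the text of your own /etc/named.conf (the chroot copy if bind-chroot is installed). It is a lint over the options block, not a full named.conf parser: views, logging and per-zone ACLs are outside its scope, and named-checkconf remains the authority on whether the file parses at all.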

Terminal
[root@station1 ~]# chkconfig --level 35 named on
[root@station1 ~]# service named restart

The first command makes named start at boot; the second starts it for the current session. If the restart fails, run named-checkconf /etc/named.conf and look in /var/log/messages for the parse error. To test that the caching server is working, make sure /etc/resolv.conf on the server points at itself (nameserver 127.0.0.1) and run nslookup:

Terminal Window View
# nslookup
Default Server: localhost
Address: 127.0.0.1

> www.redhat.com
Server: localhost
Address: 127.0.0.1

Name: www.redhat.com
Address: 209.132.177.50

nslookup asked the local named for the address of www.redhat.com. named had nothing cached, so it passed the query to the forwarders (with forward first, or with no forwarders at all, it would instead have started from one of the root servers listed in named.ca and followed the referrals from there). The first lookup can take a moment, partly because the resolver also tries each suffix in the search list of /etc/resolv.conf. Asking a second time gives a result like this:

Terminal Window View
> www.redhat.com
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: www.redhat.com
Address: 209.132.177.50

Note the Non-authoritative answer line this time. It means the AA (authoritative answer) bit was not set in the response: the data came from a caching server, not from a server that holds the zone, and it may be stale, because named keeps serving it until the record's TTL runs out. That possible staleness is the danger the warning exists for. With BIND 9 the line appears on the first lookup as well, since a caching server never sets AA on data it resolved on someone else's behalf; output like the above, where it appears only on the repeat, is what older BIND releases produced. A more direct check that the cache is working is to repeat the query with dig @127.0.0.1 www.redhat.com and watch the TTL in the answer section count down, and the query time drop to a millisecond or so, between runs. Exit nslookup with the command exit.
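To make precise what nslookup is reporting, here is an added example, not from the original article, that builds a DNS query for www.redhat.com, decodes a response, and checks the two signals that matter: the AA flag behind the "Non-authoritative answer" line, and the TTL, which only decreases when the answer is served from cache. The response messages are constructed inside the script (reusing the 209.132.177.50 address from the output above) so it runs offline; query_server() sends the same query to a real resolver, assumed to be the caching named above listening on 127.0.0.1.

```python
"""Decode enough of a DNS response to show what nslookup's
"Non-authoritative answer" really reports (the AA header flag) and what
actually proves a cache hit (the answer's TTL counting down).  Added
example for this page; the messages below are constructed, not captured."""
import socket
import struct


def encode_name(name):
    """www.redhat.com -> 3www6redhat3com0 in DNS wire format."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, qid=0x1234):
    """Standard recursive (RD=1) query for an A record, as nslookup would send."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def read_name(msg, off):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(msg):
    """Header flags plus the answer section (A records rendered dotted-quad)."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": rdata})
    return {"id": qid, "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": answers}


def build_response(query, records, aa=False):
    """Constructed reply to `query`: QR/RD/RA set, AA only if the server owns the zone."""
    qid, _flags, qd = struct.unpack("!HHH", query[:6])
    flags = 0x8180 | (0x0400 if aa else 0)
    msg = struct.pack("!HHHHHH", qid, flags, qd, len(records), 0, 0) + query[12:]
    for ttl, ip in records:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)   # name = pointer to question
        msg += bytes(int(o) for o in ip.split("."))
    return msg


def describe(resp):
    """Render an answer the way nslookup does, flagging AA=0 as non-authoritative."""
    lines = [] if resp["aa"] else ["Non-authoritative answer:"]
    for rr in resp["answers"]:
        lines += [f"Name: {rr['name']}", f"Address: {rr['data']}  (TTL {rr['ttl']})"]
    return "\n".join(lines)


def served_from_cache(first, second):
    """Same records with a lower TTL on a repeat made at least a second later:
    the caching server answered from its cache instead of asking upstream."""
    def key(rr):
        return (rr["name"], rr["data"])
    if [key(r) for r in first["answers"]] != [key(r) for r in second["answers"]]:
        return False
    return all(s["ttl"] < f["ttl"] for f, s in zip(first["answers"], second["answers"]))


def query_server(name, server="127.0.0.1", timeout=3.0):
    """Send the query over UDP to a real resolver, e.g. the caching named above (assumed address)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    q = build_query("www.redhat.com")
    auth = parse_response(build_response(q, [(300, "209.132.177.50")], aa=True))
    cached = parse_response(build_response(q, [(287, "209.132.177.50")]))
    print(describe(auth), describe(cached), sep="\n\n")
    print("cache hit:", served_from_cache(auth, cached))
```

Against a live server, call query_server("www.redhat.com") twice a second or so apart and pass the two results to served_from_cache(); with a BIND 9 caching-only server both results have aa False, so the TTL comparison, not the "Non-authoritative" line, is what tells you the cache is doing its job.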
