Name choice

Sun 08 December 2013


After seeing a post on a blog I follow, I decided to use my own DNS server. For me, the most important point is not running your own DNS server (though that is the most fun part), but the fact that you can choose which nameserver to ask. My case is:

  • a laptop that can be connected to many different LANs
  • a UNIX-like environment (archlinux)
  • a DNS server running on my computer (be careful when doing that! you must consider the implications for the worldwide cache mechanism)
  • the possibility of not being able to run my own DNS server or to reach a publicly available one (e.g. an over-filtered network for UDP/53 and/or TCP/53)

Autoconfig overwrite

When I speak of autoconfiguration, I mean DHCP and Neighbor Discovery. The issue is that these mechanisms overwrite your /etc/resolv.conf. This configuration file lists the DNS servers you will contact to perform resolution (in order of preference). The trick is to edit /etc/resolv.conf.head: it is read just before /etc/resolv.conf (as if resolv.conf were the result of cat /etc/resolv.conf.head /etc/resolv.conf /etc/resolv.conf.tail).
Mine looks like:

# mine
nameserver 127.0.0.1
# OpenDNS
nameserver 208.67.222.222
nameserver 208.67.220.220
# Google nameservers
nameserver 8.8.8.8
nameserver 8.8.4.4

DNS server installation

Quite simple: your distribution should provide packages. I chose bind, which is packaged for the major GNU/Linux distributions (archlinux, debian, ...). Then you can restart the named daemon as you would any other daemon.

DNS configuration

I updated my /etc/named.conf to add the following options:

options {
    [...] // default options
    listen-on { 127.0.0.1; };
    dnssec-enable yes;
    dnssec-lookaside auto;
    dnssec-validation auto;
    rate-limit {
        responses-per-second 5; // RRL, limits amplification DDoS if needed
    };
};
EDIT:
if you're using the same bind server as both a public authoritative server and a local recursive resolver, you can use an acl and the allow-recursion directive:

// addresses allowed to recurse, named 'internals' (loopback and private ranges;
// prefix lengths must match the address, e.g. 127.0.0.0/8 rather than 127.0.0.1/24)
acl internals { 127.0.0.0/8; 192.168.0.0/16; ::1/128; };
options {
    [...] // defaults
    allow-query { any; };
    allow-recursion { internals; };
};

Don't forget the semicolon inside the braces of the listen-on directive. You can check your config file with named-checkconf.

Verify it works with dig +dnssec @localhost www.google.com
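An added example, not from the original post: it rebuilds the effective resolv.conf the way resolvconf does (head, then body, then tail) from constructed sample files in a scratch directory, reports which nameservers glibc will actually query (it honours at most three nameserver lines, MAXNS), and checks a dig +dnssec header line for the "ad" flag. The directory, file contents and dig header lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post: assemble resolv.conf as resolvconf does
# (head + body + tail) from constructed files, list the nameservers glibc will
# really use (at most three, MAXNS), and check dig output for the "ad" flag.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for /etc/resolv.conf.head and a DHCP-written
# /etc/resolv.conf; the tail is left empty.
cat > "$WORK/resolv.conf.head" <<'EOF'
nameserver 127.0.0.1
# OpenDNS
nameserver 208.67.222.222
nameserver 208.67.220.220
EOF
cat > "$WORK/resolv.conf" <<'EOF'
# Generated by dhcpcd from eth0 (constructed)
nameserver 192.168.1.1
search lan
EOF
: > "$WORK/resolv.conf.tail"

# merge_resolv DIR: the file as resolvconf assembles it, head first.
merge_resolv() {
    cat "$1/resolv.conf.head" "$1/resolv.conf" "$1/resolv.conf.tail"
}

# effective_nameservers DIR: only the first three "nameserver" lines count;
# glibc silently ignores the rest.
effective_nameservers() {
    merge_resolv "$1" | awk '$1 == "nameserver" && n < 3 { print $2; n++ }'
}

# ignored_count DIR: nameserver lines beyond that limit.
ignored_count() {
    merge_resolv "$1" | awk '$1 == "nameserver" { n++ } END { d = n - 3; if (d < 0) d = 0; print d }'
}

# dnssec_validated "dig output": succeed only when the header flags include
# "ad" (Authenticated Data), i.e. the resolver validated the answer.
dnssec_validated() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:( [a-z]+)* ad[ ;]'
}

# Constructed dig header lines, one validated and one not.
DIG_VALIDATED=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
DIG_PLAIN=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

echo "ignored nameserver lines: $(ignored_count "$WORK")"
```

With five nameserver lines in resolv.conf.head, as in the snippet above, the two Google entries already fall past the glibc limit and are never queried.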

EDIT: a non-exhaustive list of public recursive DNS servers can be found here. The resolv.conf could contain:

# Level3
nameserver  209.244.0.3
nameserver  209.244.0.4
# Google
nameserver  8.8.8.8
nameserver  8.8.4.4
# Securly
nameserver  184.169.143.224
nameserver  184.169.161.155
# Comodo Secure DNS
nameserver  8.26.56.26
nameserver  8.20.247.20
# OpenDNS Home
nameserver  208.67.222.222
nameserver  208.67.220.220
# DNS Advantage
nameserver  156.154.70.1
nameserver  156.154.71.1
# Norton ConnectSafe
nameserver  198.153.192.40
nameserver  198.153.194.40
# GreenTeamDNS
nameserver  81.218.119.11
nameserver  209.88.198.133
# SafeDNS
nameserver  195.46.39.39
nameserver  195.46.39.40
# OpenNIC
nameserver  216.87.84.211
nameserver  23.90.4.6
# Public-Root
nameserver  199.5.157.131
nameserver  208.71.35.137
# SmartViper
nameserver  208.76.50.50
nameserver  208.76.51.51
# Dyn
nameserver  216.146.35.35
nameserver  216.146.36.36
# censurfridns.dk
nameserver  89.233.43.71
nameserver  89.104.194.142
# Hurricane Electric
nameserver  74.82.42.42
# puntCAT
nameserver  109.69.8.51

Category: tools Tagged: DNS Domain Name System Dynamic Host Configuration Protocol Local area network Name server OpenDNS public recursive DNS Resolv.conf