building an ubuntu 10.10 recursive DNS server

DNS servers are pretty simple things from a service standpoint, but can be annoyingly difficult to set up and configure if you aren’t used to it. the variety of packages, and options within those packages, makes this even more daunting. with that in mind, i’m going to cover just a couple of what i think are pretty useful options using bind9 on ubuntu 10.10, though the bind and OS version here aren’t too important and what i provide here will likely work with little change on similarly versioned platforms.

since i’m dealing with a recursive DNS server instead of an authoritative one, we won’t need to worry about many of the more complex options for bind, and we can have a pretty stock install work for us.

to get started, just do the old apt-get…
sudo apt-get install bind9
the ubuntu bind install throws everything into ‘/etc/bind’, but also splits the configuration file into a bunch of smaller ones by default. for the purposes of this writeup, i’m assuming you’re cool with that and won’t be changing it.

and you’re done. seriously. unless you want to do some cool stuff, which is really what this is all about.

first of all, let us assume that you want this nameserver to feed off answers from another server you have available. this could be one provided by your ISP, or maybe this server is only supposed to handle answers for a limited network segment and making root queries would be wasteful. in that case, open up ‘/etc/bind/named.conf.options’ and add the following lines to the ‘options’ block (where the addresses listed are the nameservers you want to reference):

forwarders {
    <forwarder-ip-1>;
    <forwarder-ip-2>;
};

so now whenever your server gets a request, it will ask those guys and return/cache the answer. one caveat: bind’s default is ‘forward first’, so if the forwarders don’t answer it will fall back to resolving the name itself from the roots. if you never want that, add ‘forward only;’ next to the forwarders line.

now let’s say that for some reason you want/need to limit the clients that can talk to your server. this could be for security or auditing purposes, or even just because you want to be a jerk. regardless of the reason, here’s how to do it:

open up the ‘/etc/bind/named.conf’ file and add the following lines:

acl ournets {
    <network-1>;
    <network-2>;
    <network-3>;
};

obviously replace those values with the networks/addresses you want to grant access to. i recommend always leaving in there just in case you want to actually test your server.

in the ‘/etc/bind/named.conf.options’ file, add the following lines to the ‘options’ block:

allow-recursion { ournets; };
allow-query { ournets; };

and there you go. you’ve got access locked down to just the clients you want.

now suppose you want to start seeing some usage on the server to see if those people are actually using it. the bind logging options are somewhat magical, and pumping things to syslog is what a lot of docs recommend. for now we are assuming that this is some information that you want dumped someplace special for short term use. in fact, the logging we are turning on will chew up disk space and other resources like crazy.

add the following lines to ‘/etc/bind/named.conf.options’ OUTSIDE of the ‘options’ block. here we will assume your log is ‘/var/log/named/dnsaccess.log’ and that you’ve handled getting those permissions setup and happy.

logging {
    category queries { access_log_file; };
    channel access_log_file {
        file "/var/log/named/dnsaccess.log" size 5M versions 3;
        severity info;
    };
};

that’ll keep up to 3 versions with a limit of 5MB each. this should be enough for timely troubleshooting and debugging.
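once the query log is filling up you’ll want something quicker than eyeballing it to see who is using the server. the script below is an added example (not part of the original post and not something the bind package ships): it parses lines in the bind 9 query-log layout, counts queries per client, per record type and per name, and flags any client address that sits outside the networks in your ‘ournets’ acl, which doubles as a sanity check on the allow-query setup from the section above. the acl networks and the log lines it chews on are constructed for the example; point it at your real ‘/var/log/named/dnsaccess.log’ and your real acl values instead.

```python
import ipaddress
import re
from collections import Counter

# networks as they would appear in the 'ournets' acl in named.conf.
# constructed for this example; mirror whatever you actually put in the acl.
OURNETS = ["127.0.0.1/32", "192.168.1.0/24", "10.0.0.0/8"]

# constructed sample lines in the bind 9 query-log layout:
#   [timestamp] client <ip>#<port>: query: <name> <class> <type> <flags> (<server-ip>)
# the leading timestamp is only present if the channel has 'print-time yes'.
SAMPLE_LOG = """\
01-Feb-2011 10:15:01.123 client 192.168.1.10#53123: query: www.example.com IN A + (192.168.1.1)
01-Feb-2011 10:15:02.456 client 192.168.1.10#53124: query: www.example.com IN AAAA + (192.168.1.1)
01-Feb-2011 10:15:03.789 client 10.20.30.40#4444: query: mail.example.org IN MX + (192.168.1.1)
01-Feb-2011 10:15:04.000 client 203.0.113.9#5555: query: example.net IN A - (192.168.1.1)
01-Feb-2011 10:15:05.000 client 127.0.0.1#40000: query: localhost IN A + (127.0.0.1)
this line is not a query log entry
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """return a dict for one query-log entry, or None if the line is not one."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    # the first flag character is '+' when the client asked for recursion (RD set)
    rec["recursion_desired"] = rec["flags"].startswith("+")
    return rec


def in_acl(ip, networks):
    """true if ip falls inside any of the acl networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in networks)


def summarize(log_text, networks):
    """count queries per client / qtype / name and list client addresses that
    are outside the acl, so you can tell at a glance whether the acl is doing
    what you expect."""
    per_client, per_qtype, per_qname = Counter(), Counter(), Counter()
    outside_acl, unparsed, recursion_desired = [], 0, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        per_client[rec["ip"]] += 1
        per_qtype[rec["qtype"]] += 1
        per_qname[rec["qname"].lower()] += 1
        if rec["recursion_desired"]:
            recursion_desired += 1
        if not in_acl(rec["ip"], networks) and rec["ip"] not in outside_acl:
            outside_acl.append(rec["ip"])
    return {
        "per_client": per_client,
        "per_qtype": per_qtype,
        "per_qname": per_qname,
        "outside_acl": outside_acl,
        "unparsed": unparsed,
        "recursion_desired": recursion_desired,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, OURNETS)
    total = sum(report["per_client"].values())
    print("queries per client:")
    for ip, n in report["per_client"].most_common():
        tag = "" if in_acl(ip, OURNETS) else "  <-- outside acl"
        print("  %-16s %d%s" % (ip, n, tag))
    print("queries per type:", dict(report["per_qtype"]))
    print("top names:", report["per_qname"].most_common(3))
    print("recursion desired: %d of %d" % (report["recursion_desired"], total))
    print("unparsed lines:", report["unparsed"])
```

to run it on the real thing, read the file into a string and pass it to summarize() along with the same network list you put in the acl. the per-client counts are what tell you whether the people you built this for are actually using it, and a non-empty ‘outside acl’ list means either the acl isn’t doing what you think or the log is older than the acl change.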

and if you plug all of that into place you’ve got a decent secondary recursive DNS server that could, with the right hardware, easily serve thousands of users, but only the users you care about. my specific use-case for a setup like this is to put it in place of a soon-to-be-deprecated DNS server to make migration off of the old IP easier.

as always, i highly recommend reading the package docs for your situation. since bind has so many different ways it can install on a platform, i recommend reading both the bind docs AND the package details of whatever you install so you know where to make all the relevant changes.
