
DNS with MaraDNS

Networks

Date 30.06.2010


"MaraDNS is a lightweight DNS server that lets you install and configure this service very quickly. You also save a lot of time configuring the daemon, because its configuration is very simple."

Introduction

MaraDNS is a lightweight and secure DNS server. It is easy to use and, at the same time, a very powerful piece of DNS software.

In this guide we will install it and configure it both as an authoritative and as a caching/recursive DNS server.

Installation

Install MaraDNS with the package manager shipped with your distribution; look for the package named maradns.

Alternatively, you can download MaraDNS from the website: http://www.MaraDNS.org/download/1.4/1.4.03/MaraDNS-1.4.03.tar.bz2

Uncompress it:

tar xjvf maradns-1.4.03.tar.bz2

And then compile it:

cd maradns-1.4.03
make
make install

MaraDNS is also available as an OpenBSD package (from the ports tree) here: ftp://ftp.openbsd.org/pub/OpenBSD/4.7/packages/i386/

How to control MaraDNS

Under Linux, the MaraDNS daemon can be controlled with a classic init script: /etc/init.d/maradns start | stop | restart.

Note that MaraDNS is daemonized by the duende command (which also manages the logs generated by MaraDNS); duende is included in a default installation of the software.

Under OpenBSD you must first create the /etc/maradns/logger folder so that duende can run; then you can start MaraDNS with this command:

duende maradns -f /etc/mararc

To restart the daemon and force it to re-read the configuration file:

pkill -HUP maradns

Configuration

MaraDNS is configured through the /etc/mararc file, which holds all the settings for the daemon.

Authoritative server

We start by configuring MaraDNS as the authoritative server for the zone green.local. (note the trailing dot, which is part of the zone name).

Only these four lines in /etc/mararc are needed to enable the authoritative DNS server:

ipv4_bind_addresses = "192.168.1.36"
chroot_dir = "/etc/MaraDNS"
csv2 = {}
csv2["green.local."] = "db.green.local"

The first line tells the server which IP address to bind to.

The second line specifies the folder that contains the zone configuration file; /etc/MaraDNS is the default directory.

The third line enables authoritative mode. It must come before any line that specifies where the zone files are located.

The fourth line declares the name of the zone file for green.local.

Note that if you also want to use this DNS server from your local network for general name resolution, you must enable recursion; otherwise it will not be able to resolve queries for Internet names.

You can enable it by adding the following line to /etc/mararc:

recursive_acl = "192.168.1.0/24, 127.0.0.1"

This enables recursion for the 192.168.1.0/24 network and for the loopback interface. With this, the server can resolve any DNS query for Internet names, such as google.com.

PS: This configuration is for the green.local. zone in a local scope. If you want to put a zone on the Internet, you must first obtain a static IP address, register your zone name (under .com, .org, .net, ...) with a registrar, and then, in the registrar's administration panel, configure your DNS server as the name server that resolves your domain.

Zone file for green.local.

Now we must configure the zone file "db.green.local".

In the zone file we write all the resource records (RR) that we need.

In our example we will configure the zone for a web server, a primary and a secondary DNS server, and two mail servers.

Here is the configuration:

green.local.   SOA  green.local. dnsadmin@green.local. 1 7200 3600 604800 1800 ~
green.local. NS ns1.green.local. ~
green.local. NS ns2.green.local. ~
ns1.green.local. A 192.168.1.36 ~
ns2.green.local. A 192.168.1.37 ~
www.green.local. A 192.168.1.27 ~
www.green.local. A 192.168.1.28 ~
green.local. MX 10 mail1.green.local. ~
mail1.green.local. A 192.168.1.40 ~
green.local. MX 20 mail2.green.local. ~
mail2.green.local. A 192.168.1.41 ~

The first line is the SOA (Start of Authority) record. The SOA record carries the parameters used to manage the DNS zone. If you don't specify a SOA, MaraDNS generates the values below for you (the zone name is not generated).

Here is the explanation of the parameters:

green.local.           Name of the zone where the SOA record is located.
SOA                    The type of record.
green.local.           Name of the master DNS server for the zone.
dnsadmin@green.local.  Email address of the zone administrator.
1                      Serial number. It must be increased every time the zone file is modified;
                       slave servers compare it to see whether the zone has changed and then update it.
7200                   Refresh time. Slave servers check for a change in the serial number every 7200 seconds.
3600                   Retry time. After a failed refresh, slave servers check every 3600 seconds whether
                       the master is up again.
604800                 Expire time. A slave keeps serving the zone for 604800 seconds while the master is
                       down; after that it no longer considers the zone valid. Use a large value here.
1800                   Minimum time. This is the TTL value in seconds for the records in the zone file.
                       If a record has a higher TTL, it is ignored.

Lines 2-3

These lines declare the primary and secondary DNS servers of the green.local zone. The resource record for a DNS server is NS; note that ns1.green.local is the primary server.

Lines 4-5

We associate the names ns1.green.local. and ns2.green.local. with their respective addresses, using A resource records.

Lines 6-7

Again with A records, the name www.green.local. is pointed at the web servers 192.168.1.27 and 192.168.1.28.

With this configuration MaraDNS acts as a simple load balancer, because each query for www.green.local returns the addresses specified above in a rotated order, so a different one comes first each time.

It is possible to specify more than two IP addresses for a single name.

Lines 8-11

These lines define the mail server records, known as MX records.

We associate mail1.green.local. with our zone green.local through an MX record with priority 10. The record with the lowest priority value is tried first.

We do the same for mail2.green.local., with priority 20.

Configuration notes

Pay attention to the tilde (~) at the end of every line and to the trailing dot (.) after every domain name. This applies only to zone files.

The percent sign

When the zone name appears many times in the zone file, it can be replaced with the "%" sign. MaraDNS automatically expands "%" to the name of the zone when parsing the file.

The new configuration is:

%   SOA  % dnsadmin@% 1 7200 3600 604800 1800 ~
% NS ns1.% ~
% NS ns2.% ~
ns1.% A 192.168.1.36 ~
ns2.% A 192.168.1.37 ~
www.% A 192.168.1.27 ~
www.% A 192.168.1.28 ~
% MX 10 mail1.% ~
mail1.% A 192.168.1.40 ~
% MX 20 mail2.% ~
mail2.% A 192.168.1.41 ~
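The two zone listings above make the same records, one written out in full and one in "%" notation. As an added example (not code from the guide or from MaraDNS), here is a small Python linter that reads records in that csv2 style, expands "%" to the zone name, and checks the points the guide stresses: every line ends with "~", every name has its trailing dot, there is exactly one well-formed SOA, A records carry real IPv4 addresses, and every NS or MX target inside the zone is backed by an A record (a dangling target is the usual cause of a lame delegation or undeliverable mail). The sample zone is constructed inline from the guide's records; the "#" comment character is assumed to match csv2, and only the record shapes used on this page are handled, not the full csv2 grammar.

```python
import ipaddress

ZONE = "green.local."

# Constructed sample input: the guide's green.local. zone in "%" notation,
# embedded here so the linter runs offline.
SAMPLE_ZONE = """\
%   SOA  % dnsadmin@% 1 7200 3600 604800 1800 ~
% NS ns1.% ~
% NS ns2.% ~
ns1.% A 192.168.1.36 ~
ns2.% A 192.168.1.37 ~
www.% A 192.168.1.27 ~
www.% A 192.168.1.28 ~
% MX 10 mail1.% ~
mail1.% A 192.168.1.40 ~
% MX 20 mail2.% ~
mail2.% A 192.168.1.41 ~
"""


def parse_csv2(text, zone):
    """Parse 'name type data ~' records, expanding '%' to the zone name.

    Returns (records, problems); each record is (name, TYPE, [data fields]).
    Assumes '#' starts a comment and handles only the record shapes used in
    the guide, not the full csv2 grammar (per-record TTLs, quoted TXT, ...).
    """
    records, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not line.endswith("~"):
            problems.append(f"line {lineno}: missing the trailing '~'")
            continue
        fields = line[:-1].replace("%", zone).split()
        if len(fields) < 3:
            problems.append(f"line {lineno}: expected 'name type data ~'")
            continue
        name, rtype, data = fields[0], fields[1].upper(), fields[2:]
        if not name.endswith("."):
            problems.append(f"line {lineno}: '{name}' lacks the trailing dot")
        records.append((name, rtype, data))
    return records, problems


def check_zone(records, zone):
    """Cross-record checks: one well-formed SOA, valid IPv4 data in A records,
    and every in-zone NS/MX target backed by an A record (no dangling glue)."""
    problems = []
    soas = [r for r in records if r[1] == "SOA"]
    if len(soas) != 1:
        problems.append(f"expected exactly one SOA record, found {len(soas)}")
    else:
        data = soas[0][2]  # master email serial refresh retry expire minimum
        if len(data) != 7 or not all(f.isdigit() for f in data[2:]):
            problems.append("SOA data must be: master email serial refresh retry expire minimum")
    addressed = {name for name, rtype, _ in records if rtype == "A"}
    for name, rtype, data in records:
        if rtype == "A":
            try:
                ipaddress.IPv4Address(data[0])
            except ValueError:
                problems.append(f"{name}: '{data[0]}' is not an IPv4 address")
        elif rtype in ("NS", "MX"):
            if rtype == "MX" and (len(data) != 2 or not data[0].isdigit()):
                problems.append(f"{name}: MX needs 'priority target'")
                continue
            target = data[-1]
            in_zone = target == zone or target.endswith("." + zone)
            if in_zone and target not in addressed:
                problems.append(f"{name}: {rtype} target {target} has no A record in the zone")
    return problems


def lint(text, zone=ZONE):
    """Parse and check a csv2 zone; returns (records, list of problems)."""
    records, problems = parse_csv2(text, zone)
    return records, problems + check_zone(records, zone)


if __name__ == "__main__":
    recs, probs = lint(SAMPLE_ZONE)
    print(f"{len(recs)} records, {len(probs)} problems")
    for p in probs:
        print(" -", p)
```

Run it against db.green.local before restarting the daemon: the guide's zone parses clean (11 records, two of them the www.green.local. A records that MaraDNS rotates), while deleting the A record for mail2 or dropping a "~" is reported with the offending line or name.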

Caching only

A caching-only (recursive) DNS server depends on other DNS servers to resolve queries. Once a query has been resolved, the answer is cached, so later lookups for the same name skip the recursion and are served faster.

For this purpose we only need to set up /etc/mararc:

ipv4_bind_addresses = "192.168.1.36"
chroot_dir = "/etc/MaraDNS"
recursive_acl = "192.168.1.0/24, 127.0.0.1"
maximum_cache_elements = 1024
min_ttl = 300

The first three lines are the same as in the authoritative configuration.

The fourth line is the maximum number of cached elements that MaraDNS will hold.

Each item in the cache uses about 1536 bytes of memory, so set this value according to your hardware and to the number of clients you will serve.

The last line is the minimum time-to-live for a cached object, expressed in seconds; in our example a single item is kept for at least 300 seconds (5 minutes).

That's it. Only these five lines are needed to build a caching-only DNS solution.
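The authoritative and caching-only sections both revolve around a handful of /etc/mararc settings, and two of the guide's points are easy to get wrong: "csv2 = {}" must precede every csv2["..."] line, and recursive_acl decides who may use the server as a recursor (an entry such as 0.0.0.0/0 would turn it into an open resolver that answers recursive queries from anywhere). The following Python checker is an added example, not part of the guide or of MaraDNS: it parses the assignment forms used on this page, flags the ordering mistake and an all-networks ACL, reports the zones served, estimates cache memory from the 1536-bytes-per-item figure quoted above, and answers whether a given client address would be allowed to recurse. The sample mararc is constructed inline from the guide's two configurations; the "#" comment character is assumed, and only the three assignment forms shown here are parsed, not the whole mararc grammar.

```python
import ipaddress
import re

# Constructed sample input: the guide's caching-only /etc/mararc with the
# csv2 lines from the authoritative example appended, embedded to run offline.
SAMPLE_MARARC = """\
ipv4_bind_addresses = "192.168.1.36"
chroot_dir = "/etc/MaraDNS"
recursive_acl = "192.168.1.0/24, 127.0.0.1"
maximum_cache_elements = 1024
min_ttl = 300
csv2 = {}
csv2["green.local."] = "db.green.local"
"""

CACHE_ELEMENT_BYTES = 1536  # per-cache-item figure quoted in the guide

# key = value | key = {} | key["index"] = value   (the forms used in the guide)
ASSIGN = re.compile(r'^(\w+)(?:\["([^"]*)"\])?\s*=\s*(.*)$')


def parse_mararc(text):
    """Return (scalars, dicts, problems).  scalars: key -> value string;
    dicts: key -> {index: value}.  Assumes '#' starts a comment and covers only
    the three assignment forms above, not the whole mararc grammar."""
    scalars, dicts, problems = {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ASSIGN.match(line)
        if not m:
            problems.append(f"line {lineno}: cannot parse '{line}'")
            continue
        key, index, value = m.groups()
        value = value.strip()
        if index is None and value == "{}":
            dicts[key] = {}
        elif index is not None:
            # The guide's rule: 'csv2 = {}' must precede every csv2["..."] line.
            if key not in dicts:
                problems.append(f"line {lineno}: {key}[...] set before '{key} = {{}}'")
                dicts[key] = {}
            dicts[key][index] = value.strip('"')
        else:
            scalars[key] = value.strip('"')
    return scalars, dicts, problems


def parse_acl(value):
    """recursive_acl is a comma-separated list of addresses or networks."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in value.split(",") if e.strip()]


def client_may_recurse(acl, client_ip):
    """True when client_ip falls inside any recursive_acl entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in acl)


def audit(text):
    """Parse a mararc and report ordering problems, an ACL that recurses for
    everyone, a missing chroot, the zones served and the cache memory estimate."""
    scalars, dicts, problems = parse_mararc(text)
    findings = list(problems)
    acl = parse_acl(scalars.get("recursive_acl", ""))
    for net in acl:
        if net.prefixlen == 0:
            findings.append(f"recursive_acl {net} allows recursion from anywhere (open resolver)")
    if "chroot_dir" not in scalars:
        findings.append("chroot_dir is not set")
    elements = int(scalars.get("maximum_cache_elements", "0"))
    return {
        "findings": findings,
        "acl": acl,
        "zones": dicts.get("csv2", {}),
        "cache_bytes": elements * CACHE_ELEMENT_BYTES,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MARARC)
    print(f"zones: {report['zones']}")
    print(f"cache memory estimate: {report['cache_bytes']} bytes")
    for client in ("192.168.1.50", "10.0.0.5"):
        print(f"{client} may recurse: {client_may_recurse(report['acl'], client)}")
    for f in report["findings"]:
        print(" -", f)
```

With the guide's values the audit comes back clean, the 1024-element cache works out to about 1.5 MB, a host in 192.168.1.0/24 or on loopback may recurse and one in 10.0.0.0/8 may not; swapping the ACL for 0.0.0.0/0 or putting csv2["green.local."] before "csv2 = {}" is reported.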

Test

We can run some tests with dig to check our DNS server.

Zone test

bash-4.1# dig green.local

; <<>> DiG 9.4.3-P4 <<>> green.local
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20356
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;green.local. IN A

;; AUTHORITY SECTION:
green.local. 86400 IN SOA green.local. dnsadmin.green.local. 1 7200 3600 604800 1800

;; Query time: 1 msec
;; SERVER: 192.168.1.36#53(192.168.1.36)
;; WHEN: Wed Jun 30 01:58:56 2010
;; MSG SIZE rcvd: 74

NS test

bash-4.1# dig ns1.green.local

; <<>> DiG 9.4.3-P4 <<>> ns1.green.local
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32333
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ns1.green.local. IN A

;; ANSWER SECTION:
ns1.green.local. 86400 IN A 192.168.1.36

;; AUTHORITY SECTION:
green.local. 86400 IN NS ns1.green.local.
green.local. 86400 IN NS ns2.green.local.

;; ADDITIONAL SECTION:
ns1.green.local. 86400 IN A 192.168.1.36
ns2.green.local. 86400 IN A 192.168.1.37

;; Query time: 1 msec
;; SERVER: 192.168.1.36#53(192.168.1.36)
;; WHEN: Wed Jun 30 02:20:24 2010
;; MSG SIZE rcvd: 113

MX test

bash-4.1# dig mail1.green.local

; <<>> DiG 9.4.3-P4 <<>> mail1.green.local
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4270
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;mail1.green.local. IN A

;; ANSWER SECTION:
mail1.green.local. 86400 IN A 192.168.1.40

;; AUTHORITY SECTION:
green.local. 86400 IN NS ns1.green.local.
green.local. 86400 IN NS ns2.green.local.

;; ADDITIONAL SECTION:
ns1.green.local. 86400 IN A 192.168.1.36
ns2.green.local. 86400 IN A 192.168.1.37

;; Query time: 1 msec
;; SERVER: 192.168.1.36#53(192.168.1.36)
;; WHEN: Wed Jun 30 02:21:47 2010
;; MSG SIZE rcvd: 119

Utility

queryperf - a useful DNS benchmark tool; you will find it in the BIND sources.
dig - tool used to query DNS servers and obtain very useful information.
nslookup - similar to dig, but with fewer features.
askmara - tool shipped with MaraDNS; it simply sends DNS queries for records.