Setting up a Caching Nameserver

Some people think it is a great idea to run a local DNS server as a caching nameserver. I like the idea and am going to give it a go.

The first step is to be sure bind is installed (via yum install bind). I also recommend installing bind-chroot (via yum install bind-chroot); this improves security by running bind in a chroot environment, which limits the damage to your system should bind be compromised. (Take a look at /etc/sysconfig/named after the install.)

Clean up the dnssec file mess

Somehow the "unbound" alternative to bind got installed on my system and the files related to dnssec got screwed up. The first symptom of this was that "service named restart" would not work, and the following message appeared in /var/log/messages:

 named: /etc/pki/dnssec-keys//named.dnssec.keys:1: open: /etc/pki/dnssec-keys//production/bg.conf: file not found

The first thing I tried was:

 yum erase bind bind-chroot
 yum erase unbound
 yum install bind bind-chroot

This still didn't fix things, so what I did next was to edit named.conf and set to "no" or comment out the following lines:

 dnssec-enable no;
 dnssec-validation no;
 // dnssec-lookaside . trust-anchor dlv.isc.org.;

And, near the bottom of the file:

 // include "/etc/pki/dnssec-keys//named.dnssec.keys";
 // include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";

It would be nice, perhaps, to utilize dnssec, but until the Fedora packages supply a working set of files, I don't have the time to sort this out.

Configure the caching nameserver

Next, go to /var/named/chroot/etc and edit named.conf. This is the heart of the matter. You may even find a file called named.caching-nameserver.conf there, which you can rename to named.conf in that directory and then edit. I am being lazy and not telling you all the details; there are lots of tutorials online for that. In general you edit the forwarders list to add the nameservers that you would usually place into /etc/resolv.conf. You may also add your host IP to the listen-on list and to the allow-query list, but I think it suffices to just leave 127.0.0.1 (localhost) there.

Note that, in general, you cannot edit /etc/named.conf, since named runs in a chroot environment and ignores that file. In light of that, I really don't know what purpose the /etc/named.conf file serves, unless it is a link to /var/named/chroot/etc/named.conf, which it may well be. Watch out for other ways the chroot environment can confuse you.

Also note that the package you install is called bind, but the service you start and stop is called named (named is the daemon that actually provides the DNS service). More opportunities for confusion and frustration. After you edit named.conf to your satisfaction, do this:

 service named start
 chkconfig named on

I got all kinds of errors until I commented out this line:

 // include "/etc/named.rfc1912.zones";
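For reference, here is a minimal caching-only named.conf of the kind described above. It is an added example, not the author's own file: the forwarder addresses 192.0.2.1 and 192.0.2.2 are placeholders to replace with your ISP's nameservers, and the directory and log paths assume the Fedora package layout (inside /var/named/chroot when bind-chroot is installed).

```conf
// Caching-only resolver for localhost (example configuration, not the
// author's file). Edit the copy under /var/named/chroot/etc/ when
// bind-chroot is installed; named ignores /etc/named.conf in that case.
options {
        // Paths are relative to the chroot; these match the Fedora package.
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";

        // Answer only on the loopback interface. Add the host's own address
        // here only if other machines on the LAN must use this resolver.
        listen-on port 53    { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };

        // Who may ask, and who may make named recurse on their behalf.
        // "localhost" is a built-in ACL. Opening either of these to "any"
        // on an Internet-facing host turns the machine into an open
        // resolver that outsiders can abuse for amplification.
        allow-query     { localhost; };
        allow-recursion { localhost; };
        recursion yes;

        // Upstream resolvers: the addresses that used to live in
        // /etc/resolv.conf. 192.0.2.x are placeholders; substitute yours.
        forwarders { 192.0.2.1; 192.0.2.2; };
        // "first" means named falls back to full recursion via the root
        // hints below if every forwarder fails to answer.
        forward first;

        // DNSSEC switched off, as in the text above, until the key files
        // shipped with the distribution actually work.
        dnssec-enable no;
        dnssec-validation no;
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

// Root hints; named.ca ships with the bind package.
zone "." IN {
        type hint;
        file "named.ca";
};
```

Run named-checkconf on the file before starting the service; it reports syntax errors with line numbers instead of leaving you to hunt through /var/log/messages.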

Edit resolv.conf

None of this does you any good until you put the IP address for localhost into your resolv.conf file. Edit /etc/resolv.conf and put 127.0.0.1 at the top of the list of nameservers (and curse NetworkManager and remove it; otherwise it will be along soon to rewrite this file).

Test it

Use "dig hostname" twice (substituting some real hostname) to verify that this is working. The first request should show a query time of 70-150 milliseconds (well, that is what I see), but subsequent queries should take 0 or 1 milliseconds.

Have any comments? Questions? Drop me a line!

Adventures in Computing / tom@mmto.org