Building a DNS cache with BIND
------------------------------

1. Configure your AUTH1 host to accept queries from neighbors
-------------------------------------------------------------

Log in to your AUTH1 host if you haven't already done so
(auth1.grpX.dns.nsrc.org).

    ssh tldadmin@10.192.X.1

2. Check the version of BIND which is installed
-----------------------------------------------

    $ named -v
    BIND 9.x.x

(you could also do: `dig chaos txt version.bind @10.192.X.1`)

Become root:

    sudo bash

Edit the file `/etc/bind/named.conf` (using vi or emacs).

If it still exists, find the line:

    listen-on { 127.0.0.1; };

... and REMOVE it.

Remove or comment out the line:

    recursion no;

Add the following lines:

    allow-recursion { 127.0.0.1; 10.0.0.0/8; };
    empty-zones-enable no;

Double check to see that there aren't any zones configured in your DNS.
For instance, if you see a line like the following:

    zone "10.in-addr.arpa" {
        type master;
        file "/etc/bind9/master/empty.db";
    };

... remove it, BUT leave:

    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };

and save the file.

NOTE: Be careful about the semicolons ';' and braces { } - BIND will
complain if they are not placed correctly (running `named-checkconf`
before you restart will point at the offending line).

By removing the line "listen-on ..." and adding the line "allow-recursion",
we are telling BIND:

- please listen to the network for queries, not only on the local
  interface "127.0.0.1";
- please allow clients in 10.0.0.0/8 to send queries to me, as well as
  myself;

3. Restart bind and check it is running
---------------------------------------

Then run these commands:

    # service bind9 stop
    # service bind9 start
    # ps auxwww | grep named
    # tail /var/log/syslog

Check for successful startup with no error messages (you can ignore errors
about missing `master/localhost.rev` and `master/localhost-v6.rev`, as well
as messages regarding managed-keys-zone).

4. Test resolution
------------------

Issue a query, for instance:

    $ dig @127.0.0.1 google.com NS
    $ dig @127.0.0.1 noc.ws.nsrc.org. a
    $ dig @127.0.0.1 www.othertld a
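The questions that follow (is the server answering, is it really your own server, what changes when you repeat a query) can all be read off dig's output. The script below is an added example written for this lab sheet, not part of the original NSRC exercise: it parses three replies that are constructed to look like (1) a first query to your freshly started cache, (2) the same query repeated a minute later, and (3) the reply a neighbour's server gives when it has `recursion no;` and is not authoritative for the name. The address 203.0.113.10 is a documentation address, not the real host, and `10.192.Z.1` is the lab's placeholder.

```sh
# Added example, not part of the NSRC lab sheet.  The replies below are
# constructed; 203.0.113.10 is a documentation address and Z a placeholder.

FIRST_REPLY='; <<>> DiG 9.16 <<>> @127.0.0.1 noc.ws.nsrc.org. a
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
noc.ws.nsrc.org.	3600	IN	A	203.0.113.10

;; Query time: 184 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

SECOND_REPLY='; <<>> DiG 9.16 <<>> @127.0.0.1 noc.ws.nsrc.org. a
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
noc.ws.nsrc.org.	3540	IN	A	203.0.113.10

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

REFUSED_REPLY='; <<>> DiG 9.16 <<>> @10.192.Z.1 noc.ws.nsrc.org. a
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4713
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; Query time: 1 msec
;; SERVER: 10.192.Z.1#53(10.192.Z.1)'

# The address that answered, e.g. "127.0.0.1#53".  If it is not the
# address you put after "@", some other resolver handled your query.
dig_server() {
    printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^(]*\)(.*/\1/p'
}

# The RCODE of the reply: NOERROR, NXDOMAIN, REFUSED, SERVFAIL, ...
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p'
}

# True when the named header flag (aa, rd, ra, ad, tc, ...) is set.
dig_has_flag() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case " $flags " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# TTL of the first answer record (empty when there is no answer section).
dig_ttl() {
    printf '%s\n' "$1" |
        awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
             in_ans && NF { print $2; exit }'
}

# Round-trip time dig reported, in milliseconds.
dig_qtime() {
    printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p'
}

# Question 2 of the lab: did the server we asked (on port 53) answer?
is_own_server() {
    [ "$(dig_server "$1")" = "$2#53" ]
}

# What kind of server answered, judging from the rcode and header flags.
answer_kind() {
    if [ "$(dig_status "$1")" = REFUSED ]; then
        echo refused          # recursion off and not authoritative for the name
    elif dig_has_flag "$1" aa; then
        echo authoritative    # the answer came from the zone itself
    elif dig_has_flag "$1" ra; then
        echo recursive        # a cache answered on our behalf
    else
        echo unknown
    fi
}

# Compare two replies to the same question: a shrinking TTL together with a
# near-zero query time means the second answer came straight from the cache.
cache_verdict() {
    t1=$(dig_ttl "$1"); t2=$(dig_ttl "$2"); q2=$(dig_qtime "$2")
    if [ -n "$t1" ] && [ -n "$t2" ] && [ "$t2" -lt "$t1" ] && [ "$q2" -le 5 ]; then
        echo cached
    else
        echo fetched
    fi
}

# Walk through the three replies the way the lab questions do.
for r in "$FIRST_REPLY" "$SECOND_REPLY" "$REFUSED_REPLY"; do
    printf 'server=%s status=%s kind=%s ttl=%s\n' \
        "$(dig_server "$r")" "$(dig_status "$r")" "$(answer_kind "$r")" "$(dig_ttl "$r")"
done
printf 'second query: %s\n' "$(cache_verdict "$FIRST_REPLY" "$SECOND_REPLY")"
```

On the lab host you would feed real output in with `reply=$(dig @127.0.0.1 noc.ws.nsrc.org. a)` and call the same functions on `"$reply"`. The same TTL comparison is what you will see in step 5 after `rndc flush`: the first query goes out to the world and comes back with the full TTL, the repeat is answered from cache with a smaller one and no outbound packets in tcpdump.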
For each query:

1. Is the server responding?
2. How do you know that you are talking to your OWN server?
3. What do you notice?

If your neighbour has got their cache working, then try sending some
queries to their cache:

    $ dig @10.192.Z.1 somedomain.name

... where Z is the group number of your neighbour and "somedomain.name" is
the query you would like to perform. Try and make some of the same queries
you did before.

Do the nameservers of the other machines answer you? Are you getting
answers? What about for monitor.dnssek.org? Why?

Help your neighbours to get their cache working if required.

5. Watch the cache in operation
-------------------------------

You can take a snapshot of the cache contents like this:

    # rndc dumpdb
    # less /var/cache/bind/named_dump.db

(Don't do this on a busy cache - you will generate a huge dump file!)

You can watch the cache making queries to the outside world using `tcpdump`
in a different window (log in again via SSH):

    # tcpdump -n -s1500 -i eth0 udp port 53

If your ethernet interface isn't named `eth0`, then use the name of your
ethernet interface - e.g. `em0` or `bge0` - run "ifconfig" to find out what
your ethernet interface is named. CTRL-C to exit tcpdump.

While tcpdump is running, in the first window flush your cache (so it
forgets all existing data) and then issue some queries from another window.

    # rndc flush
    # dig @127.0.0.1 noc.ws.nsrc.org.

-- and watch the tcpdump output. What do you see?

    # dig @127.0.0.1 noc.ws.nsrc.org.

-- watch tcpdump again. This time?

NOTE: we have now enabled BIND to be recursive! So we will want to remember
this, and maybe turn off recursion later, since we have explained that
running recursive and authoritative on the same server is not a good idea.

From named.conf remove:

    allow-recursion { 127.0.0.1; 10.0.0.0/8; };

and add:

    recursion no;

close the editor and restart the server:

    # service bind9 restart
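Because this exercise edits named.conf twice (opening recursion up in step 2, closing it again just above), it is easy to lose track of which state the file is in. The script below is an added example written for this lab sheet, not part of the original NSRC exercise: a small POSIX-shell audit that reports where named listens, who is allowed to recurse, which non-hint zones are still configured, and whether the combination amounts to an open resolver. The configuration text it starts from is constructed to look like the host before step 2 (loopback-only listener, recursion off, a stray reverse zone); the `apply_step2` and `revert_step5` functions reproduce the two edits so you can see the audit change.

```sh
# Added example, not part of the NSRC lab sheet.  SAMPLE_CONF is a
# constructed named.conf resembling the lab host before step 2.

SAMPLE_CONF='options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; };   // only the local interface
    recursion no;
};
zone "." { type hint; file "/etc/bind/db.root"; };
zone "10.in-addr.arpa" {
    type master;
    file "/etc/bind9/master/empty.db";
};'

# Drop // and # comments and fold the file onto one line so that
# statements split over several lines can be matched with plain greps.
normalize() {
    sed -e 's|//.*$||' -e 's|#.*$||' | tr '\n\t' '  ' | tr -s ' '
}

# Where named listens: only loopback, or (BIND's default) every interface.
listen_state() {
    if printf '%s\n' "$1" | normalize | grep -q 'listen-on { 127\.0\.0\.1; }'; then
        echo loopback-only
    else
        echo all-interfaces
    fi
}

# Who may recurse: "off", the allow-recursion ACL, or "default"
# (BIND 9's built-in default allows localhost and localnets).
recursion_state() {
    conf=$(printf '%s\n' "$1" | normalize)
    case "$conf" in
        *'recursion no;'*) echo off ;;
        *'allow-recursion {'*)
            printf '%s\n' "$conf" |
                sed -n 's/.*allow-recursion {\([^}]*\)}.*/\1/p' | tr -d ' ' ;;
        *) echo default ;;
    esac
}

# Every zone except the root hint zone, i.e. the ones step 2 says to remove.
non_hint_zones() {
    printf '%s\n' "$1" | normalize |
        grep -o 'zone "[^"]*" { type [a-z]*' |
        grep -v 'type hint' |
        sed 's/zone "\([^"]*\)".*/\1/'
}

# The combination the NOTE above warns about, taken one step further:
# recursion offered to "any" on a listener reachable from every interface
# is the classic open-resolver misconfiguration.
open_resolver_risk() {
    case "$(recursion_state "$1")" in
        off) echo none ;;
        *any*|*0.0.0.0/0*)
            if [ "$(listen_state "$1")" = all-interfaces ]; then echo high; else echo low; fi ;;
        *) echo limited ;;
    esac
}

# The step 2 edits: drop listen-on and "recursion no;", add allow-recursion
# and empty-zones-enable inside options.  Zone removal is left to the editor.
apply_step2() {
    printf '%s\n' "$1" |
        sed -e '/listen-on/d' -e '/recursion no;/d' \
            -e '/^options {/a\
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };\
    empty-zones-enable no;'
}

# The step 5 revert: drop allow-recursion and put "recursion no;" back.
revert_step5() {
    printf '%s\n' "$1" |
        sed -e '/allow-recursion/d' -e '/^options {/a\
    recursion no;'
}

for state in "$SAMPLE_CONF" "$(apply_step2 "$SAMPLE_CONF")" \
             "$(revert_step5 "$(apply_step2 "$SAMPLE_CONF")")"; do
    printf 'listen=%s recursion=%s risk=%s zones=%s\n' \
        "$(listen_state "$state")" "$(recursion_state "$state")" \
        "$(open_resolver_risk "$state")" "$(non_hint_zones "$state" | tr '\n' ' ')"
done
```

On the lab host, `listen_state "$(cat /etc/bind/named.conf)"` and friends work on the real file. The greps are deliberately simple (they only understand the layout used in this exercise), so treat the audit as a quick sanity check alongside `named-checkconf`, not as a parser for arbitrary BIND configurations.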
6. [OPTIONAL] Test BIND's response rate limiting capabilities
-------------------------------------------------------------

Modify named.conf with the following:

    - - - - - - - - - - - - - - - cut below - - - - - - - - - - - - -
    options {
        ...
        rate-limit {
            responses-per-second 2;
        };
        ...
    };
    - - - - - - - - - - - - - - - cut above - - - - - - - - - - - - -

then execute:

    # service bind9 restart

From another terminal window you can then test rate limiting by executing
multiple queries using something like:

    # cnt=1; while [ $cnt -lt 100 ]; do echo -n "$cnt "; \
        dig +short @10.192.X.1 www.othertld.; cnt=$(( $cnt + 1 )); done

What do you see? The "general" log file may provide some insight.
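The loop above shows the effect of rate limiting as gaps in the output; counting the gaps is what makes the result comparable across settings. The script below is an added example written for this lab sheet, not part of the original NSRC exercise: `run_burst` takes the query command as arguments and tallies how many of the N queries returned anything. On the lab host you would call `run_burst 100 dig +short @10.192.X.1 www.othertld.` (X as in the lab); here a constructed `fake_dig` stands in for dig so the script runs offline, pretending the server answers the first 2 of every 5 queries, roughly what `responses-per-second 2` does to a burst of identical queries.

```sh
# Added example, not part of the NSRC lab sheet.  fake_dig is a constructed
# stand-in for "dig +short"; replace it with the real dig command line.

# Run CMD N times; an empty reply (dig +short prints nothing for a dropped
# or refused query) counts as unanswered.  BURST_I tells the command which
# iteration it is; real dig simply ignores the variable.
run_burst() {
    n=$1; shift
    answered=0; unanswered=0; i=1
    while [ "$i" -le "$n" ]; do
        out=$(BURST_I=$i "$@" 2>/dev/null) || true
        if [ -n "$out" ]; then
            answered=$((answered + 1))
        else
            unanswered=$((unanswered + 1))
        fi
        i=$((i + 1))
    done
    echo "answered=$answered unanswered=$unanswered"
}

# Constructed stand-in for dig: answers when BURST_I mod 5 is 1 or 2,
# i.e. two "responses" out of every five queries in the burst.
fake_dig() {
    case $((BURST_I % 5)) in
        1|2) echo 203.0.113.10 ;;   # constructed answer (documentation address)
        *) return 0 ;;
    esac
}

run_burst 25 fake_dig
```

Against a real BIND with `rate-limit` enabled the answered count will usually come out higher than `responses-per-second` alone suggests: by default RRL turns every second over-limit UDP reply into a truncated (TC) response instead of dropping it (the `slip` setting), and dig then retries over TCP and gets a full answer. Watching port 53 with the tcpdump command from step 5 shows those truncated replies and the TCP retries, and the "general" log records the rate-limit decisions themselves.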