Router – Managing a DNS on a Local Private WAN Network

binddomain-name-systemrouterwide-area-network

I am in need of some assistance figuring out how to set up a DNS on my private WAN network. I currently use a Linksys e4200 wireless router to connect all of my computers, servers, and other devices on a WAN. I would like to be able to set up a name server so that I can talk to all of my servers/computers without having to use IP addresses. As far as I have found I have three options, some of which are more straightforward and clear than others. All of the options I realize will require setting up static IP addresses for any devices I would like to assign a name to:

Edit the host files on all of my machines to resolve my chosen names to specific IP addresses.
- The issue with this choice is that I would have to do perform this action on all of my devices, and maintaining consistency would be difficult. I could provision all of my devices using Ansible, which would make it much simpler, but I'd ideally like to avoid this route.
Flash DD-WRT to my e4200 and use DNSMasq to run a DNS on the router.
- I will likely flash DD-WRT to my router even if I don't choose this option, but I would prefer my third choice.
Set up a DNS server running BIND9 to resolve all of my local domain names, and forward unknown names to an external DNS server and cache completed resolutions to external websites.
- This would give me the most flexibility, practice for performing DNS setups, and is my preferred method.
- The only issue with this approach is that I have no clue where this DNS server should be in my network, or how to point requests to it without modifying all of my devices to use it's local IP address as their DNS server. Please forgive me if that assumption is incorrect, as I am definitely fumbling around here in this approach. The setup of BIND9 seems like something I could work through, I just don't know where to hook in the DNS server, and I'd love some assistance/advice.

Best Answer

I'd go with the third option, you can place it anywhere you'd like on your network, I usually set networks up in a similar manner, .1 as the router, .2 as the first DNS server, so on. Plus it's easier to type if you're assigning the address to more than a few PCs :)

You will have to add the IP to your machines to allow them to resolve domain names locally, or you could distribute the address via DHCP, if you decided to use DHCP to distribute IPs mapped to MAC addresses, so the same IP will always be assigned to the same computer, meaning it will always have the same hostname, etc. It would probably be less work just to add the IP to whatever method the computer uses for defining DNS server though.

Related Solutions

BIND – Overriding DNS Entries in BIND for Internal Networks

The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.

https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html

EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.

My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.

Go to where your Bind config files are kept on your system - here it's in /etc/bind. Create in there a file called db.rpz with the following contents:

$TTL 60
@            IN    SOA  localhost. root.localhost.  (
                          2015112501   ; serial
                          1h           ; refresh
                          30m          ; retry
                          1w           ; expiry
                          30m)         ; minimum
                   IN     NS    localhost.

localhost       A   127.0.0.1

www.some-website.com    A        127.0.0.1

www.other-website.com   CNAME    fake-hostname.com.

What does it do?

it overrides the IP address for www.some-website.com with the fake address 127.0.0.1, effectively sending all traffic for that site to the loopback address
it sends traffic for www.other-website.com to another site called fake-hostname.com

Anything that could go in a Bind zone file you can use here.

To activate these changes there are a few more steps:

Edit named.conf.local and add this section:

zone "rpz" {
  type master;
  file "/etc/bind/db.rpz";
};

The tutorial linked above tells you to add more stuff to zone "rpz" { } but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.

Edit named.conf.options and somewhere in the options { } section add the response-policy option:

options {
  // bunch
  // of
  // stuff
  // please
  // ignore

  response-policy { zone "rpz"; };
}

Now restart Bind:

service bind9 restart

That's it. The nameserver should begin overriding those records now.

If you need to make changes, just edit db.rpz, then restart Bind again.

Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local and make sure there's a logging section that includes these statements:

logging {
    // stuff
    // already
    // there

    channel my_syslog {
        syslog daemon;
        severity info;
    };
    category queries { my_syslog; };
};

Restart Bind again and that's it.

Test it on the machine running Bind:

dig @127.0.0.1 www.other-website.com. any

If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1

I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.

Router – DNS for private network – should router be the DNS server

It doesn't matter where you run it as long as it is reachable from the internal machines.

DNS is a very lightweight service, which can easily coexist with many others on a machine.

However, make sure it keeps working. When DNS fails, dozens of things will stop working and you'll be wondering what the heck is going on before you figure out DNS is down.

Best Answer

Related Solutions

BIND – Overriding DNS Entries in BIND for Internal Networks

Router – DNS for private network – should router be the DNS server

Related Topic