Running DNS Server at Home

Issues related to configuring your network
intermediatelinux
Posts: 56
Joined: 2014/01/25 09:32:09

Running DNS Server at Home

Post by intermediatelinux » 2015/07/15 16:32:08

Three months ago, I set up a caching-only DNS server on a CentOS 6.6 (as it is now), and pointed all of the machines on my internal LAN at it. That's been working nicely, but of late, there are a lot of VMs and devices getting added, and I can't keep up with updating /etc/hosts (or the Windows equivalent). So now, I quite fancy the idea of having an internal DNS server to handle that for me.

I have a 'real' domain name, registered and publicly available. On my registrar's website console, I've added a couple of A records, such as for MX and WWW etc, pointing at my external IP.

All of the machines inside my LAN have machinename.mydomain.com, and I would like to be able to keep these hostnames, have them in internal DNS without any adverse effect on DNS for my domain in the 'real world'.

Can someone tell me if this is possible, and if so, how I go about it?

Thanks.

EDIT: even if this means adding a VM to test it first

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Running DNS Server at Home

Post by aks » 2015/07/15 17:52:16

You wish to connect your DNS server to the global DNS namespace on the Internet? Or not?
Otherwise, how to configure DNS server: https://www.digitalocean.com/community/ ... n-centos-7

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Running DNS Server at Home

Post by TrevorH » 2015/07/15 20:49:38

Yes, it's perfectly possible and within your own LAN and you don't need glue records from your DNS provider - they would be for others outside your LAN to find ip addresses within your domain name. For what you want to do, you just need to set up a couple of zone files, one for reverse lookups and one for name lookups and make your DNS server authoritative for your chosen domain name. Your DNS clients will use your server first and it will tell them the ip addresses of your hosts - there's no need for it to need to go in search of glue records as it already knows that it is authoritative for your domain name.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

intermediatelinux
Posts: 56
Joined: 2014/01/25 09:32:09

Re: Running DNS Server at Home

Post by intermediatelinux » 2015/07/16 07:06:19

TrevorH wrote:Yes, it's perfectly possible and within your own LAN and you don't need glue records from your DNS provider - they would be for others outside your LAN to find ip addresses within your domain name. For what you want to do, you just need to set up a couple of zone files, one for reverse lookups and one for name lookups and make your DNS server authoritative for your chosen domain name. Your DNS clients will use your server first and it will tell them the ip addresses of your hosts - there's no need for it to need to go in search of glue records as it already knows that it is authoritative for your domain name.
Thanks for that. And there will be no 'leakage' onto the Internet at large? I ask because my internal hosts and VMs have FQDNs which are in fact nameofmachine.mydomain.com even though none of the names can actually be resolved from outside of my domain.

I might fire up a test VM to see how this works. Is there a HOWTO anywhere? Or what about in the O'Reilly book, which I have? Which chapter?

intermediatelinux
Posts: 56
Joined: 2014/01/25 09:32:09

Re: Running DNS Server at Home

Post by intermediatelinux » 2015/07/16 07:39:58

intermediatelinux wrote:
TrevorH wrote:Yes, it's perfectly possible and within your own LAN and you don't need glue records from your DNS provider - they would be for others outside your LAN to find ip addresses within your domain name. For what you want to do, you just need to set up a couple of zone files, one for reverse lookups and one for name lookups and make your DNS server authoritative for your chosen domain name. Your DNS clients will use your server first and it will tell them the ip addresses of your hosts - there's no need for it to need to go in search of glue records as it already knows that it is authoritative for your domain name.
Thanks for that. And there will be no 'leakage' onto the Internet at large? I ask because my internal hosts and VMs have FQDNs which are in fact nameofmachine.mydomain.com even though none of the names can actually be resolved from outside of my domain.

I might fire up a test VM to see how this works. Is there a HOWTO anywhere? Or what about in the O'Reilly book, which I have? Which chapter?
What I mean is, when reading this ..

https://www.digitalocean.com/community/ ... untu-14-04

(as an example), it provides instructions on how to make a DNS server authoritative for example.com. I use my registrant's DNS servers, and so don't want or need my DNS server to be authoritative *EXCEPT* for inside my local network. In other words, if for example db1.mydomain.com needs to hit jira.mydomain.com, it points to dns.mydomain.com. If it needs to hit http://www.cnn.com (not that it ever needs to), it points to my registrant's DNS. If someone outside needs to hit jira.mydomain.com, it points to my registrant's DNS, which then sends it to my external IP and apache does the rest, but that's another story.

In short, I need it to be 'authoritative' *ONLY* inside my LAN.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Running DNS Server at Home

Post by TrevorH » 2015/07/16 09:46:27

If you don't open UDP and TCP port 53 to the internet at large then your internal DNS server will be unreachable to others.

Your DNS server already knows which zones it is authoritative for so doesn't need to consult glue records to discover which DNS server to ask for correct answers. It's only for others that these are required.

intermediatelinux
Posts: 56
Joined: 2014/01/25 09:32:09

Re: Running DNS Server at Home

Post by intermediatelinux » 2015/07/16 09:50:59

TrevorH wrote:If you don't open UDP and TCP port 53 to the internet at large then your internal DNS server will be unreachable to others.

Your DNS server already knows which zones it is authoritative for so doesn't need to consult glue records to discover which DNS server to ask for correct answers. It's only for others that these are required.
Thanks for the help! :) I'm doing this on a test VM first...

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: Running DNS Server at Home

Post by gerald_clark » 2015/07/16 13:21:08

For small networks, dnsmasq might be what you are looking for.
It can serve your LAN's DHCP, DNS, and TFTP needs.

intermediatelinux
Posts: 56
Joined: 2014/01/25 09:32:09

Re: Running DNS Server at Home

Post by intermediatelinux » 2015/07/23 16:12:12

TrevorH wrote:If you don't open UDP and TCP port 53 to the internet at large then your internal DNS server will be unreachable to others.

Your DNS server already knows which zones it is authoritative for so doesn't need to consult glue records to discover which DNS server to ask for correct answers. It's only for others that these are required.
Thanks for this. So the second DNS server is up and I have put it into the network configuration of my Mac, and the zone file is there, with all of my hosts.

From my Mac, I can ping:


ping dns1
PING dns1.mydomain.com (192.168.1.15): 56 data bytes
64 bytes from 192.168.1.15: icmp_seq=0 ttl=64 time=0.343 ms
64 bytes from 192.168.1.15: icmp_seq=1 ttl=64 time=0.362 ms
^C
--- dns1.mydomain.com ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.343/0.353/0.362/0.009 ms
All looks good. But in the messages log of the dns2 ...


Jul 23 17:10:36 dns2 named[12853]: error (network unreachable) resolving '14.1.168.192.in-addr.arpa/PTR/IN': 2001:503:ba3e::2:30#53
What am I doing wrong?
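Putting TrevorH's advice (a forward zone, a reverse zone, and a server that is authoritative only for LAN clients) next to the log line above, here is an added example of a BIND configuration for that setup; it is not from the thread or from any CentOS documentation. The log line shows named sending a PTR query for 192.168.1.14 towards a root server's IPv6 address because no local zone covers 1.168.192.in-addr.arpa; with the reverse zone below, that lookup is answered from the file. The dns2 address 192.168.1.16, the file names and the host addresses other than dns1's 192.168.1.15 are assumed for illustration.

```bind
// /etc/named.conf fragment for the authoritative LAN server (dns2, assumed 192.168.1.16)
acl "lan" { 127.0.0.1; 192.168.1.0/24; };

options {
    listen-on port 53 { 127.0.0.1; 192.168.1.16; };
    allow-query     { lan; };   // nobody outside the LAN can ask, even if port 53 leaked
    allow-recursion { lan; };   // LAN clients may still use it to resolve cnn.com etc.
    recursion yes;
};

// Authoritative for the real domain name, but only on this server:
// it answers from the file and never looks for glue or the registrar's NS.
zone "mydomain.com" IN {
    type master;
    file "mydomain.com.zone";
};

// Reverse zone: PTR queries for 192.168.1.x are answered here instead of
// being sent towards the root servers (the 'network unreachable' line).
zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "1.168.192.in-addr.arpa.zone";
};

; /var/named/mydomain.com.zone  (serial is YYYYMMDDnn, bump it on every edit)
$TTL 1h
@       IN SOA  dns1.mydomain.com. hostmaster.mydomain.com. (
                2015072301 1h 15m 1w 1h )
        IN NS   dns1.mydomain.com.
        IN NS   dns2.mydomain.com.
dns1    IN A    192.168.1.15
dns2    IN A    192.168.1.16
db1     IN A    192.168.1.14
jira    IN A    192.168.1.20

; /var/named/1.168.192.in-addr.arpa.zone
$TTL 1h
@       IN SOA  dns1.mydomain.com. hostmaster.mydomain.com. (
                2015072301 1h 15m 1w 1h )
        IN NS   dns1.mydomain.com.
        IN NS   dns2.mydomain.com.
15      IN PTR  dns1.mydomain.com.
16      IN PTR  dns2.mydomain.com.
14      IN PTR  db1.mydomain.com.
20      IN PTR  jira.mydomain.com.
```

`named-checkconf` and `named-checkzone mydomain.com /var/named/mydomain.com.zone` validate the files before a reload, and `dig @192.168.1.16 -x 192.168.1.14` should then return the PTR with the aa flag set instead of an upstream error. If the host has no IPv6 route at all, OPTIONS="-4" in /etc/sysconfig/named on CentOS 6 also stops named from trying IPv6 addresses of upstream servers.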
