Bind9 caching DNS server on Ubuntu 20.04 LTS or Ubuntu 18.04 LTS

Author: Paul Sueno
Created: 5/17/2020 // Updated: 7/25/2020

 

Set up your own personal DNS for web browsing with peace of mind. This will prevent others from knowing where/how you browse the web.

A personal domain name system (or DNS) server may not seem useful, but there are many things you can do with it. For me, it's primarily to have control over who gets to have my browsing history. I'd rather not give it to Google or my ISP. And so here, I show you how to set up your own DNS server.

If you have followed along in several of my tutorials, then you know that I base my servers on Ubuntu. If you haven't already, go ahead and install a fully encrypted Ubuntu 20.04 (Focal) or Ubuntu 18.04 (Bionic) server on the cloud.

Name servers

What is a name server? It's a way for the world wide web to know what IP address a host (a computer, smart phone, tablet, etc.) uses. All hosts connected to the world wide web have an IP address. Resources that are commonly used on the internet (like a website) need an alias (a fully qualified domain name) that points to an IP address; otherwise, people would have to remember a set of numbers rather than a name. A name server is pretty much like that archaic thing called a phone book: look up a name, and you get a number.

There are two main modes of DNS servers: caching and forwarding. A caching server scours the internet and stores IP addresses for as many hostnames as have been registered elsewhere. It's always working in the background. The other mode is different in when and how it looks up an IP address. When a client asks a forwarding DNS server for a web site's IP address, the forwarding server asks another DNS server for the address and stores it in its cache. It doesn't do much in the background until a client asks it to do work. If you don't want another DNS server to know what you're doing (whether it be your ISP, OpenDNS, Cloudflare, Google, etc.), then you probably want a caching server. I will show you how to set up a caching server for your own use.

Basic server settings

Name your host something like ns or dns. Do this by running sudo nano /etc/hostname and entering the name. Also be sure to set up host addresses appropriately by running sudo nano /etc/hosts.

We also have to allow name server traffic into our server. Modify your iptables rules by adding the rules below in the appropriate place. I advise running sudo iptables -L -v -n --line-numbers to find the right places in the INPUT chain. If you used my tutorial with the formatted iptables, you can also run sudo nano /etc/iptables/rules.v4 to edit the tables, then sudo iptables-restore < /etc/iptables/rules.v4. Below are the lines I appended using the rules.v4 and rules.v6 method.

-A INPUT -p tcp --dport 53 --syn -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Now that the server is ready to accept traffic as a domain name system server, let's set it up.

Bind9 DNS caching server

We will use Bind9 as our name server. Let's update the apt repositories and install the package.

sudo apt update
sudo apt install bind9 bind9utils bind9-doc

Back up and modify the configuration file to set up a caching DNS server.

sudo cp /etc/bind/named.conf.options /etc/bind/named.conf.options.bak

We will be adding a white-listed group of clients. These are the hosts allowed to use our DNS server. Unless you are capable of full time monitoring for the inevitable DNS attack, don't open up your server to the public.

We will use Bind9's ACL (access control list) functionality. The acl block needs a label (e.g., whitelist) and must come at the beginning of the file, above the options block. Inside the acl whitelist block we list the allowed hosts; you can use CIDR notation for ranges of IP addresses or specific IP addresses (among other options). For the DNS server to be caching, the line recursion yes needs to be included. The line allow-query { whitelist; }; restricts queries to the hosts in the ACL. Let's edit the file by running sudo nano /etc/bind/named.conf.options.

acl whitelist {
        // example client addresses; replace them with your own
        192.168.0.2;
        10.0.4.20;
        localhost;
};

options {
        directory "/var/cache/bind";

        recursion yes;
        allow-query { whitelist; };

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
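
A small helper, added here as an example and not taken from the post or from Bind9's own tooling: it validates each whitelist entry and renders the acl and options blocks above from that list, so a malformed entry (a five-octet "address", a /33 prefix) is caught before named refuses to start. It assumes entries are IPv4 addresses, IPv4 CIDR ranges or the word localhost (a built-in BIND ACL); the client addresses in the usage line at the bottom are made up for illustration.

```shell
# Added example, not code from the original post: build the whitelist ACL and
# options section from a list of clients, rejecting malformed entries before
# they reach named. Assumed inputs: IPv4 addresses, IPv4 CIDR ranges, or the
# word "localhost" (which BIND accepts as a built-in ACL name).

# Return 0 if $1 is "localhost", an IPv4 address, or an IPv4 address with a
# /0-32 prefix; anything else (e.g. five dotted numbers) returns 1.
valid_acl_entry() {
    entry=$1
    if [ "$entry" = "localhost" ]; then return 0; fi
    addr=${entry%%/*}
    prefix=${entry#*/}
    if [ "$prefix" = "$entry" ]; then prefix=32; fi
    # exactly four dotted fields, each a number from 0 to 255
    printf '%s\n' "$addr" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
    ' || return 1
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ]
}

# Print the acl block plus the options block shown in the tutorial.
# Usage: render_named_options <acl name> <entry>...
render_named_options() {
    acl_name=$1
    shift
    for e in "$@"; do
        valid_acl_entry "$e" || { echo "bad ACL entry: $e" >&2; return 1; }
    done
    printf 'acl %s {\n' "$acl_name"
    for e in "$@"; do
        printf '        %s;\n' "$e"
    done
    printf '};\n\n'
    printf 'options {\n'
    printf '        directory "/var/cache/bind";\n\n'
    printf '        recursion yes;\n'
    printf '        allow-query { %s; };\n\n' "$acl_name"
    printf '        dnssec-validation auto;\n\n'
    printf '        auth-nxdomain no;    # conform to RFC1035\n'
    printf '        listen-on-v6 { any; };\n'
    printf '};\n'
}

# Render to a temporary file and, when bind9utils is installed, let
# named-checkconf parse it before you copy it over named.conf.options.
# The client addresses below are example values.
out=$(mktemp)
if render_named_options whitelist 192.168.0.2 10.0.4.0/24 localhost > "$out"; then
    cat "$out"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$out" || echo "named-checkconf found a problem" >&2
    fi
fi
rm -f "$out"
```

Copy the rendered output over /etc/bind/named.conf.options only once named-checkconf (part of bind9utils, installed above) accepts it; a typo in the ACL otherwise only shows up when the service fails to restart.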

I don't want any rascals poking around my server. I know all my known clients use IPv4. And so I will turn off IPv6 for bind9. The file is different between Ubuntu 20.04 LTS (Focal) and Ubuntu 18.04 LTS (Bionic).

For Ubuntu 20.04:

sudo cp /etc/default/named /etc/default/named.bak
sudo nano /etc/default/named

For Ubuntu 18.04:

sudo cp /etc/default/bind9 /etc/default/bind9.bak
sudo nano /etc/default/bind9

Modify the line to do IPv4 only: OPTIONS="-u bind -4".

Now that your configuration file is set up, go ahead and restart the service by running sudo service named restart for Ubuntu 20.04 and sudo service bind9 restart for Ubuntu 18.04.

Client machines

Now it's time to set up the client machines. Be sure to point your Linux, Mac, Windows, Android or whatever device to your new DNS server. In Windows, open up Control Panel and search for Network and Sharing Center. Click on Change adapter settings on the left. Right-click on the network device and click Properties. Double-click on Internet Protocol Version 4 (TCP/IPv4). Select Use the following DNS server addresses: and type in your DNS server's IP address. If you are on a home router, you can just change your router's DNS so that you don't have to change it for all the home devices.

On Ubuntu 18.04, you modify it with sudo nano /etc/netplan/[your file].yaml. Look for nameservers: and add the line addresses: [x.x.x.x], where x.x.x.x is your DNS server's IP address. The square brackets must be there. Be mindful of the indentation in this file, since YAML is whitespace-sensitive. Once you're done editing, run sudo netplan try.

To verify, just point your browser to whatdnsamiusing.com.

Monitor DNS client look ups

Be careful of your cloud host service provider. If you gobble up too much network traffic, they may restrict or even suspend your account. Periodically, run cat /var/log/syslog | grep named. If you see a lot of denied traffic, then this is a problem. An advanced method of ensuring only your whitelisted ACL traffic is allowed is to modify your iptables and chains.
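
Here is an added example (not part of the original post) of what to look for in that grep output: it counts named's "denied" lines per client address over a few constructed syslog lines, so a client that keeps hitting the server shows up at the top. The line layout it assumes is BIND's usual client ... denied message; the timestamps, process id and client addresses are made up.

```shell
# Added example, not part of the original post: summarise the "denied" query
# lines that named sends to syslog so that one noisy client stands out. The
# log lines below are constructed for this example (client addresses from the
# RFC 5737 documentation ranges); on a real server pipe in
#   grep named /var/log/syslog
# instead. The line layout assumed here is BIND's usual
#   client @0x... <addr>#<port> (<name>): query (cache) '<name>/<type>/IN' denied

SAMPLE_LOG=$(cat <<'EOF'
May 17 10:00:01 ns named[812]: client @0x7f2a3c0b1d40 192.168.0.2#53211 (example.org): query: example.org IN A + (10.0.0.1)
May 17 10:00:02 ns named[812]: client @0x7f2a3c0b1d40 203.0.113.5#41234 (example.com): query (cache) 'example.com/A/IN' denied
May 17 10:00:03 ns named[812]: client @0x7f2a3c0b1d40 203.0.113.5#41235 (example.net): query (cache) 'example.net/A/IN' denied
May 17 10:00:04 ns named[812]: client @0x7f2a3c0b1d40 198.51.100.9#5353 (isc.org): query (cache) 'isc.org/ANY/IN' denied
May 17 10:00:05 ns named[812]: resolver priming query complete
EOF
)

# Read log lines on stdin; print "<count> <client address>" for every client
# that had at least one query denied, busiest client first.
denied_by_client() {
    awk '/named\[[0-9]+\]: client .* denied$/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9.]+#[0-9]+$/) { split($i, a, "#"); n[a[1]]++ }
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Read log lines on stdin; print the total number of denied queries
# (grep -c prints 0 and exits non-zero when nothing matches, hence "|| true").
denied_total() {
    grep -c 'named\[[0-9]*\]: client .* denied$' || true
}

# Read log lines on stdin; print only the clients with at least $1 denials,
# i.e. the ones worth dropping at the firewall.
noisy_clients() {
    denied_by_client | awk -v min="$1" '$1 >= min { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | denied_by_client
echo "total denied: $(printf '%s\n' "$SAMPLE_LOG" | denied_total)"
echo "clients with 2 or more denials: $(printf '%s\n' "$SAMPLE_LOG" | noisy_clients 2)"
```

A steady trickle of denials from many addresses is the internet scanning for open resolvers and is what the ACL exists for; one address racking up hundreds is the case to take to the iptables chain below, and the count itself is a cheap thing to put in a cron job.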

Iptables and chains

Back up your iptables rules file by running sudo cp /etc/iptables/rules.v4 /etc/iptables/rules.v4.bak. Now let's edit it by running sudo nano /etc/iptables/rules.v4. First we add the chain block. Put this somewhere up top; it needs to be defined before we add a line in the INPUT chain that references it. In the formatted iptables file by @jirutka, I placed the new DNS chain right below the 1. COMMON HEADER section. Add a separate line to the chain for each IP address whitelisted in the ACL above. You can add logging functionality; my log files got too cumbersome due to all the unnecessary traffic to my DNS server. If you want to log people trying to access your DNS server, just copy the SSHBRUTE chain and modify it for the DNS chain.

# DNS Chain: accept port 53 traffic only from the whitelisted clients, drop the rest
-N DNS
-A DNS -s 192.168.0.2/32 -j ACCEPT
-A DNS -s 10.0.4.20/32 -j ACCEPT
-A DNS -j DROP

Now we have to tell the INPUT chain when to forward traffic to the DNS chain. I put mine before the related and established traffic. You can put yours after, or wherever makes sense for you. So in the formatted iptables file, the pertinent lines look like this. Note the lines before and after the ones pertaining to the DNS chain.

# Don't attempt to firewall internal traffic on the loopback device.
-A INPUT -i lo -j ACCEPT

# Forward traffic on port 53 to DNS chain
-A INPUT -p tcp --dport 53 --syn -m conntrack --ctstate NEW,ESTABLISHED -j DNS
-A INPUT -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j DNS

# Continue connections that are already established or related to an established
# connection.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
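
Before running iptables-restore, it helps to check the file for the mistakes this section warns about. The following shell check is an added example, not from the post or from @jirutka's iptables file: it reads a rules.v4 file (or stdin) and fails if the DNS chain is used in INPUT before it is defined, if either the tcp or the udp jump is missing, if the chain does not end in DROP, or if the two direct ACCEPT lines on port 53 from earlier in the tutorial were left in. Both sample rules files it ships with are constructed for the example.

```shell
# Added example, not part of the original post: a sanity check for the DNS
# chain layout in rules.v4, meant to run before iptables-restore. It fails if
# the DNS chain is used in INPUT before it is defined, if the tcp and udp jumps
# are missing, if the chain does not end in DROP, or if the two direct
# "--dport 53 ... -j ACCEPT" lines added earlier in the tutorial are still
# there. Both rules files below are constructed for this example.

# Usage: check_dns_rules [rules file]; reads stdin when no file is given.
check_dns_rules() {
    awk '
        /^(-N DNS|:DNS )/ { defined = NR }
        /^-A INPUT .*--dport 53 .*-j DNS$/ {
            jumps++
            if (!defined) { msg = "DNS chain is used in INPUT before it is defined"; exit 1 }
        }
        /^-A INPUT .*--dport 53 .*-j ACCEPT$/ {
            msg = "old direct ACCEPT rule for port 53 is still present: " $0; exit 1
        }
        /^-A DNS / { last_dns = $0 }
        END {
            if (msg == "" && jumps < 2) msg = "expected both a tcp and a udp jump from INPUT to DNS"
            if (msg == "" && last_dns != "-A DNS -j DROP") msg = "DNS chain must end with -A DNS -j DROP"
            if (msg != "") { print "rules check failed: " msg > "/dev/stderr"; exit 1 }
            print "rules check passed"
        }' "${1:--}"
}

# Constructed rules file that follows the tutorial's layout.
GOOD_RULES=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# DNS Chain
-N DNS
-A DNS -s 192.168.0.2/32 -j ACCEPT
-A DNS -s 10.0.4.20/32 -j ACCEPT
-A DNS -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 53 --syn -m conntrack --ctstate NEW,ESTABLISHED -j DNS
-A INPUT -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j DNS
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
)

# Constructed rules file with the mistake the tutorial warns about: the
# original ACCEPT lines for port 53 were never removed and sit before the
# jumps, so the DNS chain is bypassed for anyone on the internet.
BAD_RULES=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
-N DNS
-A DNS -s 192.168.0.2/32 -j ACCEPT
-A DNS -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 53 --syn -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 53 --syn -m conntrack --ctstate NEW,ESTABLISHED -j DNS
-A INPUT -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j DNS
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
)

printf '%s\n' "$GOOD_RULES" | check_dns_rules          # prints: rules check passed
printf '%s\n' "$BAD_RULES" | check_dns_rules || echo "(the second file is rejected, as intended)"
```

On the real server run it as check_dns_rules /etc/iptables/rules.v4 && sudo iptables-restore < /etc/iptables/rules.v4, so a leftover ACCEPT never silently reopens the resolver to the world.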

Be sure to delete the two lines we added into iptables early on in the tutorial. Once it's all done, run sudo iptables-restore < /etc/iptables/rules.v4.

And that's it. You now have your own DNS server — your own phonebook for the world wide web.

 
 

Suenotek Blog

Seattle, Washington
