Microsoft DNS server – backup and restore AD integrated zone

1. Back up the existing zone to a zone file. The resulting file is always written to C:\Windows\system32\dns; this location cannot be changed:
dnscmd /zoneexport zone.local zone-backup-file.zone

2. To restore the zone, move the zone-backup-file.zone file back into C:\Windows\system32\dns then:
dnscmd /zoneadd zone.local /primary /file zone-backup-file.zone /load

And finally, convert it into an AD integrated zone:
dnscmd /zoneresettype zone.local /dsprimary

How To Configure BIND as a DNS Server

The aim is to set up two DNS servers:
Master DNS server – OpenWRT router – 192.168.0.1 – FQDN: ns1.example.com
Slave DNS server – Debian server – 192.168.0.2 – FQDN: ns2.example.com
Web server – 192.168.0.3 – FQDN: example.com

  1. Setting the Hostname on the Name Servers
  2. Install Bind on Both Name Servers
  3. Configure the Master Bind Server
  4. Configure the Slave Bind Server

1. Setting the hostname

Edit the /etc/hosts file on the OpenWRT router so it looks like this:

127.0.0.1       localhost
192.168.0.1     ns1.example.com ns1

and on the Debian server:

127.0.0.1       localhost
192.168.0.2     ns2.example.com ns2

then edit /etc/hostname so it contains only the short host name:

ns1

and on the Debian box:

ns2

2. Install BIND

On the OpenWRT router, over SSH, first stop and uninstall the preinstalled dnsmasq:

/etc/init.d/dnsmasq stop
opkg remove dnsmasq

then install BIND:

opkg update
opkg install bind-server bind-tools

On the Debian box run:

 sudo apt-get update
 sudo apt-get install bind9 bind9utils bind9-doc

3. Configure the Master Bind Server

On the OpenWRT box the BIND directory layout differs from Debian's: a single file, /etc/bind/named.conf, holds all the configuration.

We need to add a few bits to it (the acl block at the top and the two example.com zones at the bottom are the additions; the rest is the stock file). Note that an acl only takes effect when it is referenced, for example with allow-query { goodclients; }; inside the options block. The complete file:

// this section defines who is allowed to submit queries to the server
acl goodclients {
        192.168.0.0/24;
        localhost;
        localnets;
};

options {
        directory "/tmp";

        recursion yes;
        allow-transfer { none; };

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

// here we define our zones

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    allow-transfer { 192.168.0.2; };
};

zone "0.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.192.168.0";
    allow-transfer { 192.168.0.2; };
};

Create the Forward Zone File

In /etc/bind create a zones subfolder, then create the file db.example.com in it with this content:

$TTL 604800
@ IN SOA ns1.example.com. root.example.com. (
                        10 ; Serial
                    604800 ; Refresh
                     86400 ; Retry
                   2419200 ; Expire
                  604800 ) ; Negative Cache TTL
;

; Name servers
example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.

; A records for name servers
ns1 IN A 192.168.0.1
ns2 IN A 192.168.0.2

; Other A records
@         IN A 192.168.0.3
www       IN A 192.168.0.3
computer1 IN A 192.168.0.4
printer   IN A 192.168.0.5

The important bit to remember: increase the serial number every time this file is edited, otherwise the slave will not notice the change and will keep serving the old data.

Create the Reverse Zone File

In /etc/bind/zones create the file db.192.168.0 with this content:

$TTL    604800
@       IN      SOA     example.com. admin.example.com. (
                 10       ; Serial
           604800         ; Refresh
            86400         ; Retry
          2419200         ; Expire
           604800 )       ; Negative Cache TTL
;

; Name servers (owner name omitted, so these belong to the zone apex)
        IN      NS      ns1.example.com.
        IN      NS      ns2.example.com.

; PTR Records (host part of the address -> host name)
1               IN      PTR     ns1.example.com.
2               IN      PTR     ns2.example.com.
3               IN      PTR     www.example.com.
4               IN      PTR     computer1.example.com.
5               IN      PTR     printer.example.com.

Testing

named-checkconf /etc/bind/named.conf

If there is a problem with the config this will tell you which line of the config file to look at. If the config is fine there is no output.
Next we check our zones:

named-checkzone example.com /etc/bind/zones/db.example.com

If your file has no problems, it should tell you that it loaded the expected serial number and give the "OK" message:

zone example.com/IN: loaded serial 10
OK

Then do the same for the reverse zone file, using its zone name 0.168.192.in-addr.arpa.

If everything is OK we enable and start the BIND service:
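The serial bump and the named-checkzone run can be combined into one script, so an edited zone is never reloaded without a serial change and a syntax check. This is an added example, not part of the original notes; it assumes the "N ; Serial" layout of the zone files above and bind-tools installed as in step 2.

```shell
#!/bin/sh
# Added example (not part of the original notes): bump the SOA serial of a
# BIND zone file, validate it with named-checkzone, and only then reload.
# Assumes the "N ; Serial" layout used in the zone files above and that
# bind-tools (named-checkzone) is installed as in step 2.

# Print the current serial: first field of the line carrying "; Serial".
zone_serial() {
    awk '/;[[:space:]]*Serial/ { print $1; exit }' "$1"
}

# Increment the serial in place and print the new value; fail if none found.
bump_serial() {
    old=$(zone_serial "$1")
    [ -n "$old" ] || { echo "no '; Serial' line in $1" >&2; return 1; }
    new=$((old + 1))
    awk -v n="$new" '/;[[:space:]]*Serial/ && !hit { sub(/[0-9]+/, n); hit = 1 } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    echo "$new"
}

# Syntax-check a zone; named-checkzone exits non-zero and explains on error.
check_zone() {   # check_zone <zone name> <zone file>
    named-checkzone "$1" "$2"
}

# Bump, then check; refuse to report success if the zone no longer loads.
bump_and_check() {   # bump_and_check <zone name> <zone file>
    serial=$(bump_serial "$2") || return 1
    if check_zone "$1" "$2"; then
        echo "$1: serial is now $serial"
    else
        echo "$1: zone file has errors, fix them before reloading" >&2
        return 1
    fi
}

# The two zones from this guide; named is reloaded only if both pass.
main() {
    bump_and_check example.com /etc/bind/zones/db.example.com &&
    bump_and_check 0.168.192.in-addr.arpa /etc/bind/zones/db.192.168.0 &&
    /etc/init.d/named reload
}

# Invoke as: sh bump-zone.sh run
[ "${1:-}" = "run" ] && main
```

Run it as sh bump-zone.sh run after editing either zone file; a failed check leaves the old zone loaded.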

/etc/init.d/named enable
/etc/init.d/named start

With the server running, query the zone from the server itself:

dig ANY example.com @localhost

and if everything is set up correctly you should get something like this:

root@wrt:/etc/bind/zones# dig any example.com @localhost

; <<>> DiG 9.9.6-P1 <<>> any example.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<


Configure the Slave Bind Server

Configuring the Options File

Now on the Debian box edit the options file:

nano /etc/bind/named.conf.options

Edit the options section so it looks like this:

options {
        directory "/var/cache/bind";
        recursion no;
        allow-transfer { none; };

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Save and close the file when you are finished.

Configuring the Local Configuration File

sudo nano /etc/bind/named.conf.local

We will create each of our zone specifications.

First, we will work on the forward zone:

zone "example.com" {
};

and edit it so it looks like this:

zone "example.com" {
        type slave;
        file "db.example.com";
        masters { 192.168.0.1; };
};

This completes our forward zone setup.

We can use this same exact format to take care of our reverse zone config:

zone "0.168.192.in-addr.arpa" {
        type slave;
        file "db.192.168.0";
        masters { 192.168.0.1; };
};

When you are finished, you can save and close the file.

To check that the zone transfer succeeded, watch the log after restarting BIND:

sudo tail -f /var/log/syslog

It should show entries from named reporting that the transfer of each zone from 192.168.0.1 completed; a "refused" or "failed" entry instead usually means allow-transfer on ns1 does not include 192.168.0.2.
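A direct check, added here and not part of the original notes: compare the SOA serial served by ns1 and ns2 (addresses from the plan above; dig comes from bind9utils). Equal serials mean the slave holds the current copy of the zone.

```shell
#!/bin/sh
# Added example (not part of the original notes): confirm the slave really
# holds the zone by comparing the SOA serial each server answers with.
# Addresses are ns1/ns2 from this guide; dig comes from bind9utils/bind-tools.
MASTER=192.168.0.1
SLAVE=192.168.0.2

# Pull the serial (3rd rdata field) out of a "dig +short SOA" answer such as
# "ns1.example.com. root.example.com. 10 604800 86400 2419200 604800".
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 7 { print $3; exit }'
}

# Ask one server directly, with recursion disabled so that a caching resolver
# on the same box cannot answer on the authoritative server's behalf.
query_serial() {   # query_serial <zone> <server>
    soa_serial "$(dig +short +norecurse SOA "$1" "@$2")"
}

# 0 when both serials are present and equal, 1 otherwise.
serials_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

check_transfer() {   # check_transfer <zone>
    m=$(query_serial "$1" "$MASTER")
    s=$(query_serial "$1" "$SLAVE")
    if serials_match "$m" "$s"; then
        echo "$1: master and slave both serve serial $m, transfer OK"
    else
        echo "$1: MISMATCH master='$m' slave='$s' (check allow-transfer on ns1, masters on ns2, syslog)" >&2
        return 1
    fi
}

# Usage: sh check_transfer.sh example.com 0.168.192.in-addr.arpa
rc=0
for z in "$@"; do check_transfer "$z" || rc=1; done
[ "$rc" -eq 0 ]   # exit status reflects the result
```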

To configure DHCP follow here.

A good source of BIND config knowledge is here.

Setting up ddclient on debian

I followed this to set up my namecheap ddclient:

So I've installed ddclient:

apt-get install ddclient

Then configured it:

nano /etc/ddclient.conf

ssl=yes
daemon=600
use=cmd, cmd=/root/publicip.sh
protocol=namecheap
server=dynamicdns.park-your-domain.com
login=yourdomain.com
password=1b9aafgfgjh1865e024fabb629dbd1d9c462
@

Save and exit the file

Restart ddclient service using the following command

/etc/init.d/ddclient restart

But I was getting an error saying that ddclient was unable to obtain the IP address.

To fix that I have created a script to fetch my public IP address:

nano publicip.sh

#!/bin/sh
# print only the public IPv4 address by stripping the HTML around it
curl -s checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//'

Saved it and made it executable:

chmod +x ./publicip.sh

Next step is to modify the ddclient config:

nano /etc/ddclient.conf

and added this line:

use=cmd, cmd=/root/publicip.sh

Restarted ddclient and ran:

 ddclient -daemon 0 -debug -verbose -noquiet

to make sure all is looking good.
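A hardened replacement for publicip.sh, added here as an example (not the original script): ddclient's use=cmd trusts whatever the command prints, so this version validates the result as an IPv4 address and falls back to a second service (api.ipify.org is an assumed alternative) before giving up.

```shell
#!/bin/sh
# Added example, not the original publicip.sh: fetch the public IPv4 address
# for ddclient's use=cmd, validate it, and fall back to a second service, so
# an HTML error page or captive-portal body is never handed to ddclient as
# the "address". The ipify URL is an assumption; any plain-text service works.

# Accept only a dotted quad whose four octets are each 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Strip the HTML that checkip.dyndns.org wraps around the address (the same
# sed as the original one-liner above).
extract_dyndns() {
    sed -e 's/.*Current IP Address: //' -e 's/<.*$//'
}

# Print the first valid address found; exit 1 (so ddclient gets nothing to
# push) when every service fails or returns something that is not an IPv4.
public_ip() {
    ip=$(curl -s --max-time 10 http://checkip.dyndns.org | extract_dyndns)
    is_ipv4 "$ip" && { echo "$ip"; return 0; }
    ip=$(curl -s --max-time 10 https://api.ipify.org | tr -d '[:space:]')
    is_ipv4 "$ip" && { echo "$ip"; return 0; }
    echo "publicip: no valid IPv4 address obtained" >&2
    return 1
}

# Only query the network when invoked as: /root/publicip.sh run
[ "${1:-}" = "run" ] && public_ip
```

Reference it from ddclient.conf as use=cmd, cmd='/root/publicip.sh run'.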

Setting up DNS server on Raspberry Pi with PowerDNS

Installing PowerDNS

apt-get install pdns-server

Configuring a recursor

Before we start setting up our zone file we need to configure our recursor. The recursor is the DNS server that will handle queries for zones our server is not authoritative for (microsoft.com, cisco.com, etc.). The next commands use sed to set the recursor in /etc/powerdns/pdns.conf to Google's Public DNS (8.8.8.8); preferably use your ISP's resolver instead. The second sed limits recursion to localhost and the 10.0.0.0/24 LAN; without that restriction the server would answer recursive queries for anyone able to reach it (an open resolver).

sed -i 's/# recursor=/recursor=8.8.8.8/g' /etc/powerdns/pdns.conf
sed -i 's/allow-recursion=127.0.0.1/allow-recursion=127.0.0.1,10.0.0.0\/24/g' /etc/powerdns/pdns.conf

Now restart the pdns service and also install dnsutils so we can test it.

service pdns restart
apt-get install dnsutils

To confirm that recursion works through our DNS server, we run a query for google.com against it:

nslookup google.com localhost

If you get a list of names and addresses back, then everything is configured and working properly.
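An added check, not part of the original notes: sed edits nothing, and reports nothing, when the commented-out line in pdns.conf does not match its pattern, so verify the active values afterwards. The script also flags an allow-recursion that would make the server an open resolver.

```shell
#!/bin/sh
# Added example (not part of the original notes): check that the two sed
# edits above took effect, because sed changes nothing, silently, when the
# commented-out line in pdns.conf does not match its pattern. Also flags an
# allow-recursion that opens the server to the whole Internet.
CONF=${1:-/etc/powerdns/pdns.conf}   # path from the notes above

# Print the active (uncommented) value of a pdns.conf key; last one wins.
conf_value() {   # conf_value <file> <key>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 when a recursor is set and recursion is limited to local ranges.
audit_pdns() {   # audit_pdns <file>
    rc=0
    r=$(conf_value "$1" recursor)
    a=$(conf_value "$1" allow-recursion)
    if [ -z "$r" ]; then
        echo "recursor= not set: did the first sed pattern match?" >&2; rc=1
    fi
    if [ -z "$a" ]; then
        echo "allow-recursion= not set: did the second sed pattern match?" >&2; rc=1
    fi
    case ",$a," in
        *,0.0.0.0/0,*|*,::/0,*)
            echo "allow-recursion=$a makes this an open resolver" >&2; rc=1 ;;
    esac
    return $rc
}

# Audit the real file when it exists (e.g. on the Raspberry Pi itself).
if [ -f "$CONF" ]; then
    audit_pdns "$CONF" &&
    echo "$CONF: recursor=$(conf_value "$CONF" recursor), allow-recursion=$(conf_value "$CONF" allow-recursion)"
fi
```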

Configuring a zone

So now we'll move on to configuring our own zone. You can think of a zone as basically your domain name (MyDomain.net). PowerDNS uses /etc/powerdns/bindbackend.conf as the main configuration file for its BIND-format backend. So let's open that up and create a zone like the following.

zone "MyDomain.net" {
        type master;
        file "/etc/powerdns/bind/MyDomain.net.zone";
        allow-update { none; };
};

You'll want to replace MyDomain.net with whatever you want your domain to be. Notice the reference to a file called /etc/powerdns/bind/MyDomain.net.zone: this is where the DNS records for MyDomain.net will go. First we'll create the /etc/powerdns/bind folder.

mkdir /etc/powerdns/bind

Next let’s go ahead and create /etc/powerdns/bind/MyDomain.net.zone with the following.

$ORIGIN MyDomain.net.   ; base for unqualified names (trailing dot makes it absolute)
$TTL 1h                 ; default time-to-live
@                       IN      SOA ns.mydomain.net. hostmaster.mydomain.net. (
                                1  ; serial
                                1d ; refresh
                                2h ; retry
                                4w ; expire
                                1h ; minimum time-to-live
                        )
                        IN      NS      ns
                        IN      A       10.0.0.50
ns                      IN      A       10.0.0.50

In this zone file we've set up a couple of basic things. The first record is the SOA (Start Of Authority) record. This tells the DNS server what the primary data source is for the zone and how it should propagate (the refresh, retry, expire and minimum TTL values). After that we set up an NS (nameserver) record. The job of this record is to point to the authoritative DNS server for the zone, which happens to be this server. We then have an A record for the zone itself so that MyDomain.net -> 10.0.0.50, and after that another A record so that ns.MyDomain.net -> 10.0.0.50.

Now if we restart PowerDNS and use nslookup we can verify that it’s working correctly.

service pdns restart
nslookup MyDomain.net localhost

A successful response should return the IP that you mapped MyDomain.net to.

Adding a new record

The basic zone and the DNS server are all set up at this point, so to add a new record we can append a line like this to the zone file.

webserver               IN      A       10.0.0.10

Most of the time there are two types of records you'll be adding. As we've already seen, an A record always maps a name to an IP. A CNAME record is used when you want to map an alias to another record. For example, look at the following.

webserver               IN      A       10.0.0.10
www                     IN      CNAME   webserver

What I’ve done there is map webserver.MyDomain.net -> 10.0.0.10 and then mapped www.MyDomain.net -> webserver.MyDomain.net. It’s essential to learn to use CNAME records effectively because if the IP for webserver.MyDomain.net had changed and I had used two A records then I’d have to update both records. However, using an A and a CNAME I’d only have to update the IP for webserver.MyDomain.net.

After you’re done adding your records just restart the pdns service to bring in the changes.

Free Public DNS servers

=> Service provider: Google
Google Public DNS server IP addresses:

  • 8.8.8.8
  • 8.8.4.4

=> Service provider: Dnsadvantage
Dnsadvantage free DNS server list:

  • 156.154.70.1
  • 156.154.71.1

=> Service provider: OpenDNS
OpenDNS free DNS server IP addresses:

  • 208.67.222.222
  • 208.67.220.220

=> Service provider: Norton
Norton free DNS server IP addresses:

  • 198.153.192.1
  • 198.153.194.1

=> Service provider: GTEI DNS (now Verizon)
Public Name server IP address:

  • 4.2.2.1
  • 4.2.2.2
  • 4.2.2.3
  • 4.2.2.4
  • 4.2.2.5
  • 4.2.2.6

=> Service provider: ScrubIt
Public DNS server addresses:

  • 67.138.54.100
  • 207.225.209.66