
We are currently using the DNS of our ISP, but I would like to set up our own in-house DNS server so that we could manage local names and, in short, use this in-house DNS server instead of the hosts file on all of our computers.

I would like the DNS server to resolve DNS only for certain IPs (this way I could filter internet access, by providing DNS resolution only for the domains that are of use to our business and, accordingly, their IPs, something like OpenDNS). I know I could set up a transparent Squid to do filtering, but I've been interested in setting up a local DNS server and could not find the necessary resources online.

I am interested in a Unix (Debian) friendly app (Windows is acceptable also).

Dave M
s.mihai

11 Answers


I can tell you on the Linux side that BIND is probably the most common and most powerful solution you could find. However, Dnsmasq is a great lightweight DNS app that you actually might have some experience with, since it's installed on many Linux-based SOHO routers.

scotthere
  • BIND I am considering, but has anyone got any substantial how-to out there? I would really appreciate this. I have not been able to set this up so far. – s.mihai May 30 '09 at 20:56
  • It's not a simple project, but this is a good place to start: http://www.bind9.net/links – scotthere May 31 '09 at 17:41

I would recommend Linux + BIND or PowerDNS.

The setup is fairly easy, with lots of HOWTOs on the web. I have been using this setup for 3 years now without any problem.

HOWTO: BIND as an internal and external DNS server

Alakdae

I'd recommend PowerDNS highly. If you just want a no-frills recursing DNS server to enable Internet usage, pdns-recursor requires close to zero configuration to be used on a local network. I use it on our FreeBSD server at the office, and basically I just installed it, added the server's IP address to /usr/local/etc/pdns/recursor.conf and started the service.

If you want to provide your own DNS information, PowerDNS has some very powerful features, mainly its ability to use a relational database as a backend, which makes it a lot easier to build some sort of web interface or configuration system, and also makes replication a lot easier, since you can just use the database server's replication system instead of AXFR or similar things.

mikl
    Storing production DNS data in an SQL database adds additional risk to a piece of critical infrastructure. Unless the system has a process to cope with the failure of the SQL server, I would implement something that uses traditional flat files. – Matt Jun 02 '09 at 21:17
    Well, all systems have risks. Flat files might get corrupted, databases might go down. There are performance tradeoffs to flat files, especially if your zones change a lot or have a lot of records. So if you only have a few simple zones, I'd agree that having an RDBMS might be overkill. – mikl Jun 06 '09 at 20:38

DJBDNS - easy, works! :)

    I'm not going to go so far as to vote you down, but DJBDNS has to be the most convoluted piece of software I've used since Qmail. The kludges it takes to install DJBDNS are just wrong. The only thing going for it is the (too) simple configuration. – Matt Simmons May 30 '09 at 20:57
  • How's that? I see your point for distros on which you have to manually install daemontools etc., but it does have to be like that. Both daemontools and djbdns are in Lenny's default repo. It's still a bit non-standard, but its configuration beats the hell out of BIND's. – wzzrd Jun 01 '09 at 09:15

I thought about doing the same thing, and came across OpenDNS.

I'm a new user, so I can't add the link, but Google will allow you to find them.

I don't work for/with them, I just use their service and I like it. It's free and allows for customizing access like you requested. As far as local DNS is concerned, I run a localized nameserver for all hostnames off of a Fedora install. As far as the local DNS goes, as long as you are running a DNS server on the network, and have your DHCP configured correctly to hand it out, it'll work. I simply don't allow DNS traffic originating from my exterior firewall, and it seems to do the trick.

bobby
  • Yes, I've tried OpenDNS, but I cannot allow access only to whitelisted websites and deny access to blacklisted ones. This is what I am trying to do. – s.mihai May 30 '09 at 21:01

Small sites often hand-edit zone files and BIND configurations, which leads to inconsistencies and errors. Instead, use HostDB, which takes a /etc/hosts file and uses it to generate your files. More info at everythingsysadmin.com/hostdb

It generates files for BIND which comes with all Linux distros.

TomOnTime

Using a DNS server for local/internet name resolution is the best and most manageable solution. With that having been said, I would suggest you do not use DNS for filtering. Use something that was designed for web content filtering, like Squid.

If using a Windows server, use Windows DNS Server; if using a Linux server, use something like BIND or Dnsmasq.

JJ01
  • 1. At the moment I am using the DNS provided by my ISP. 2. Centralized file sharing (no centralized auth). 3. We already have DHCP in place; only DNS is required. – s.mihai May 30 '09 at 21:29
  • What operating system on the server and workstations? – JJ01 May 30 '09 at 22:43
  • The stations are Windows based. The server... I have both Linux-based and Windows-based servers around; I'd like to use something cheap (open source) and user friendly. – s.mihai May 31 '09 at 04:51

I use an internal DNS server for that purpose exactly.

Windows DNS Services is an added component to their systems. The application is easy to use, but DNS itself is as difficult as ever to understand. How to Install and Configure Microsoft DNS Server

I also use Simple DNS. This application runs in Windows as its own DNS service. There are many more features for configuration, and the web API is worth the price alone. Consider using a DNS web API for DNS management outside of the IT realm.

Snipper

djbdns: easy configuration and syntax, top notch security.

user4843

aptitude install bind9 will provide a caching nameserver out of the box. From there you're only a hop, skip and a jump away from adding your own zone files to control your network's DNS as you wish.

pete

I have no experience with anything other than BIND and Microsoft's AD-integrated one.

What you want is quite possible. For BIND this would mean that you clear out the root hints and configure forwards for the domains you do allow to their authoritative DNS servers.

Though, as said here, I would not go that way: I override the DHCP-announced DNS server with my own preference, so if I were on your network I could happily browse wherever I wanted, unless you have another restriction in place; but then it would be a waste of time to cripple your DNS server in the first place.
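Added example, not code from the thread or from any of the projects mentioned in it: a small Python generator in the spirit of the HostDB suggestion above, which builds the internal zone from an /etc/hosts-style list and writes the named.conf fragment for the whitelist-only resolver the last answer describes. One caveat on that answer: on BIND 9, simply removing the root hints zone is not enough, because named falls back to a compiled-in list of root servers. The example therefore loads an empty zone as master for "." so that every unlisted name gets an authoritative NXDOMAIN, and adds forward zones for the approved domains, which take precedence because they are more specific. The zone name example.internal, the whitelist, the addresses (192.0.2.53 for the ISP resolver, 192.168.1.x for the office) and the file paths are assumptions for illustration; the hosts file is constructed.

```python
"""Whitelist-only BIND 9 setup: internal zone from a hosts list, config that resolves approved domains only."""
import ipaddress
import re

# Constructed sample input (not from the thread): a small office hosts file.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
192.168.1.10  fileserver.example.internal fileserver
192.168.1.11  printer.example.internal printer
# decommissioned: 192.168.1.12 oldbox.example.internal
192.168.1.20  intranet.example.internal
"""

INTERNAL_DOMAIN = "example.internal"             # assumed internal zone name
ALLOWED_DOMAINS = ["example.com", "debian.org"]  # assumed business whitelist
UPSTREAM = "192.0.2.53"                          # assumed ISP resolver address
NS_IP = "192.168.1.2"                            # assumed address of this server

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_hosts(text):
    """Map each hostname to its address; skips comments and loopback, raises on a bad address."""
    records = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        addr = ipaddress.ip_address(ip)  # ValueError here beats a zone named refuses to load
        if addr.is_loopback:
            continue
        for name in names:
            records[name.lower()] = str(addr)
    return records


def zone_records(records, domain):
    """Sorted (label, ip) pairs for hosts in `domain`: FQDNs under it become
    relative labels, bare short names are taken to be in it, others are dropped."""
    suffix = "." + domain
    out = {}
    for name, ip in records.items():
        if name.endswith(suffix):
            out[name[:-len(suffix)]] = ip
        elif "." not in name:
            out[name] = ip
    return sorted(out.items())


def zone_file(domain, records, serial, ns_ip):
    """Render a BIND master zone; `serial` must grow on every change (YYYYMMDDnn)."""
    lines = [
        f"$ORIGIN {domain}.",
        "$TTL 3600",
        f"@   IN SOA ns1.{domain}. hostmaster.{domain}. ( {serial} 3600 900 1209600 300 )",
        f"@   IN NS  ns1.{domain}.",
        f"ns1 IN A   {ns_ip}",
    ]
    for label, ip in zone_records(records, domain):
        rtype = "A" if ipaddress.ip_address(ip).version == 4 else "AAAA"
        lines.append(f"{label} IN {rtype} {ip}")
    return "\n".join(lines) + "\n"


# Loaded as master for ".", this makes named authoritative for the root: NXDOMAIN for unlisted names.
EMPTY_ROOT_ZONE = """\
$TTL 86400
@ IN SOA localhost. root.localhost. ( 1 604800 86400 2419200 86400 )
@ IN NS  localhost.
"""


def named_conf(internal_domain, allowed_domains, upstream):
    """Render named.conf.local: empty root, internal master zone, forward zones.
    The forward zones are more specific than ".", so they win for listed domains."""
    for d in allowed_domains + [internal_domain]:
        # Names may come from a web form: refuse anything that is not a plain
        # hostname so a quote or brace cannot be injected into the config.
        if not all(LABEL_RE.match(p) for p in d.lower().split(".")):
            raise ValueError(f"refusing suspicious domain: {d!r}")
    conf = [
        "options {",
        '    directory "/var/cache/bind";',
        "    recursion yes;                 // forward zones need recursion",
        "    allow-query { localnets; };    // never answer the outside world",
        "    allow-recursion { localnets; };",
        "};",
        "",
        'zone "." { type master; file "/etc/bind/db.empty-root"; };',
        f'zone "{internal_domain}" {{ type master; file "/etc/bind/db.{internal_domain}"; }};',
    ]
    for d in allowed_domains:
        conf.append(f'zone "{d}" {{ type forward; forward only; forwarders {{ {upstream}; }}; }};')
    return "\n".join(conf) + "\n"


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(zone_file(INTERNAL_DOMAIN, hosts, 2009053001, NS_IP))
    print(named_conf(INTERNAL_DOMAIN, ALLOWED_DOMAINS, UPSTREAM))
```

Running the script prints the zone and the config; save them as /etc/bind/db.example.internal and named.conf.local, write EMPTY_ROOT_ZONE to /etc/bind/db.empty-root, drop the stock hint zone for "." from the Debian default-zones file (named will not load two "." zones), and run named-checkconf and named-checkzone before reloading. As the OpenDNS answer and the last answer both point out, this only constrains clients that actually use the server: block outbound port 53 from the LAN at the firewall, or the whitelist is a speed bump rather than a control.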