Module 6 of 16 · 📖 5 min reading time · ⏱ 45 min total
FUTO 06 DNS and DHCP (EN)
FUTO 06 DNS and DHCP
A functioning network requires reliable name resolution and automatic IP address assignment. In this module, you will learn how to set up and configure a DNS server with Unbound that is suitable for both internal and external requests. In parallel, you will configure a DHCP server for automatic assignment of IP addresses, subnet masks, and default gateways in your network.
You will understand the differences between various DNS record types and learn how to manage zones for your domains. The practical implementation includes installation, configuration, and securing of both services, as well as troubleshooting common problems.
Concepts and Background
- DNS (Domain Name System)
- A hierarchical, distributed naming system that translates human-readable domain names like example.com into machine-readable IP addresses like 93.184.216.34. It uses various record types such as A, AAAA, MX, and PTR to store specific information.
- DHCP (Dynamic Host Configuration Protocol)
- A network protocol that enables the automatic assignment of IP addresses and other network configuration parameters to devices in a network. It reduces manual configuration effort and minimizes errors.
- Unbound
- A validating, recursive, and caching DNS resolver from the Dutch nonprofit organization NLnet Labs. Unlike BIND, it is designed as a stub resolver and offers high performance and protection against DNS spoofing attacks through its modularity and security.
- Zone Transfer
- A process in which DNS zone data is synchronized between a primary (master) and secondary (slave) DNS server. This enables redundancy and load distribution in DNS operations.
- Records
- Entries in a DNS zone that store specific information about a domain. Most important types: A (IPv4 address), AAAA (IPv6 address), MX (Mail Exchange), PTR (Pointer for Reverse-Lookup), CNAME (Canonical Name).
Architecture Diagram
    flowchart LR
        A[Internet] --> B(Firewall/Router)
        B --> C[LAN]
        B --> D[DMZ]
        C --> E[DHCP-Server]
        C --> F[Unbound DNS-Server]
        D --> G[Webserver]
        D --> H[Mailserver]
Practical Steps
- Install Unbound with the command `apt install unbound`. This installs the DNS resolver and the necessary configuration files.
- Configure Unbound as a local resolver by writing a drop-in file, for example `printf 'server:\n    interface: 127.0.0.1\n' > /etc/unbound/unbound.conf.d/my.conf`. This binds the resolver to the loopback interface so that it only answers local requests.
- Create a zone file for your domain with A and MX records, for example:

    $TTL 86400
    @       IN SOA ns.example.com. admin.example.com. (
                2023081501 ; serial
                3600       ; refresh
                1800       ; retry
                604800     ; expire
                86400 )    ; minimum
            IN NS  ns.example.com.
            IN MX  10 mail.example.com.
    ns      IN A   192.168.1.10
    mail    IN A   192.168.1.20
    www     IN A   192.168.1.30

- Install the ISC DHCP server with `apt install isc-dhcp-server` and edit the main configuration file with `vi /etc/dhcp/dhcpd.conf`.
- Add the following configuration for your LAN subnet:

    subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.100 192.168.1.200;
        option routers 192.168.1.1;
        option domain-name-servers 192.168.1.10;
        option domain-name "example.com";
    }

- Enable the DHCP service with `systemctl enable isc-dhcp-server` and start it with `systemctl start isc-dhcp-server`.
- Configure reverse-lookup zones for your network in Unbound by creating a new configuration file with PTR records.
- Test DNS resolution with `dig @127.0.0.1 example.com`, and test DHCP functionality by having a device in the network request an IP address.
- Secure your configuration by implementing firewall rules for port 53 (TCP/UDP) for Unbound and ports 67/68 for DHCP.
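As an added example (not part of this module or of the Unbound project), the following POSIX shell script derives the reverse-lookup (PTR) configuration for the 192.168.1.0/24 LAN from the A records of the example zone above and emits it as an Unbound configuration fragment. The host list, the helper names `ptr_name`, `reverse_zone`, `gen_reverse_conf` and `check_hosts`, and the choice to have Unbound listen on 192.168.1.10 (the address dhcpd advertises as DNS server) are assumptions made here.

```shell
#!/bin/sh
# Added example: derive Unbound reverse-lookup (PTR) entries for the
# 192.168.1.0/24 LAN from the forward A records of the example zone.
# Host list is constructed from that zone; nothing here is module code.
HOSTS='ns.example.com 192.168.1.10
mail.example.com 192.168.1.20
www.example.com 192.168.1.30'

# ptr_name 192.168.1.10 -> 10.1.168.192.in-addr.arpa.
ptr_name() {
    echo "$1" | awk -F. '{ print $4"."$3"."$2"."$1".in-addr.arpa." }'
}

# reverse_zone 192.168.1.0/24 -> 1.168.192.in-addr.arpa. (assumes a /24)
reverse_zone() {
    echo "$1" | awk -F'[./]' '{ print $3"."$2"."$1".in-addr.arpa." }'
}

# Emit a "server:" fragment for /etc/unbound/unbound.conf.d/reverse.conf.
# Because dhcpd advertises 192.168.1.10 as the DNS server, Unbound must also
# listen on that address and explicitly allow the LAN; other clients stay
# refused. The PTR records are spelled out with local-data; Unbound's
# local-data-ptr option would build the same records from "ip name" pairs.
gen_reverse_conf() {
    net="$1"
    printf 'server:\n'
    printf '    interface: 192.168.1.10\n'
    printf '    access-control: %s allow\n' "$net"
    printf '    local-zone: "%s" static\n' "$(reverse_zone "$net")"
    printf '%s\n' "$HOSTS" | while read -r fqdn ip; do
        [ -n "$fqdn" ] || continue
        printf '    local-data: "%s PTR %s."\n' "$(ptr_name "$ip")" "$fqdn"
    done
}

# Fail if a listed address lies outside the LAN prefix: Unbound would not
# answer for it under this reverse zone, and the mistake is easy to miss.
check_hosts() {
    prefix="${1%.*}"    # 192.168.1.0/24 -> 192.168.1 (assumes a /24)
    printf '%s\n' "$HOSTS" | while read -r fqdn ip; do
        [ -n "$fqdn" ] || continue
        case "$ip" in
            "$prefix".*) ;;
            *) echo "$ip ($fqdn) is outside $1" >&2; exit 1 ;;
        esac
    done
}

check_hosts 192.168.1.0/24 && gen_reverse_conf 192.168.1.0/24
```

Run `unbound-checkconf` after placing the generated fragment under /etc/unbound/unbound.conf.d/ and reloading Unbound, then verify with `dig -x 192.168.1.20 @192.168.1.10`.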
Common Pitfalls
Further Resources
- Official Unbound Documentation
- ISC DHCP Server Handbook
- BIND 9 Administrator Reference Manual
- DNS and Bind by O'Reilly
- Arch Linux Wiki: Unbound
Knowledge Check
Four questions for self-assessment. Click on each question to see the correct answer and explanation.
What is the main difference between Unbound and BIND as DNS servers?
- A) Unbound only supports IPv4, while BIND also supports IPv6
- B) Unbound is designed as a stub resolver and offers higher security through protection against DNS spoofing
- C) BIND is open-source, while Unbound is commercial software
- D) Unbound cannot perform zone transfers, while BIND supports this
Correct Answer: B. Unbound is designed as a stub resolver and offers high protection against DNS spoofing attacks through its modularity and security. BIND is a full-featured DNS server, while Unbound is specifically optimized for resolution and does not primarily serve as an authoritative server.
Which DNS record type is used for mapping a domain to another domain?
- A) A-Record
- B) MX-Record
- C) CNAME-Record
- D) PTR-Record
Correct Answer: C. The CNAME record (Canonical Name) is used to point an alias domain to another domain. A-Records map domains directly to IP addresses, MX-Records define mail servers, and PTR-Records are used for reverse-lookups of IP addresses to domain names.