A few days ago, I gave a presentation at FOSSCOMM 2015 about DNS, the OpenNIC Project and DNSCrypt.
So without further ado, here it is: dns_opennic_dnscrypt.pdf
First rule of DNS: always keep your authoritative and recursor DNS servers on separate machines.
Disclaimer: the notes below were made on a fresh CentOS 7 server. This is not an open resolver, it is just for personal use. You need to adjust the settings to your own situation.
PowerDNS is an amazing product. It has two flavors, one for an Authoritative NS and one for a Recursor. I always use @KeesMonshouwer's RPMs for two reasons:
a. They work perfectly
b. I trust his work
- Installation
Let's start by installing the pdns-recursor:
# rpm -ivh https://www.monshouwer.eu/download/3rd_party/pdns-recursor/el7/x86_64/pdns-recursor-3.7.2-1.el7.MIND.x86_64.rpm
- User/Group
Verify that you have the pdns user and group; if not, create them:
# grep pdns /etc/group
pdns-recursor:x:996:
# grep pdns /etc/passwd
pdns-recursor:x:996:996:PowerDNS Recursor:/dev/null:/sbin/nologin
- root hint
Create the hint (root NS) zone:
# dig NS . @a.root-servers.net. | grep -vE '^;|^$' | sort -V > /etc/pdns-recursor/root.hint
I prefer to use and work with the OpenNIC Project because it is an amazing community-run open DNS project. They also provide their own gTLDs, and the majority of their servers don't keep any logs at all, or they anonymize the DNS logs. In the times we are living in, I prefer my DNS queries NOT to be collected and recorded by companies.
I strongly suggest participating in this amazing community project.
So my root.hint file is the result of this:
# dig . NS @75.127.96.89 | grep -v '^;' | sort -u -V > /etc/pdns-recursor/root.hint
Don't forget to edit /etc/pdns-recursor/recursor.conf so that pdns knows where your root hint file is:
hint-file=/etc/pdns-recursor/root.hint
- ACL
As I mentioned above, I don't want (at the moment) to create an open resolver, so I need to create an ACL.
That can be done in two ways (combined or separately).
- iptables
The first one is via iptables. My iptables default policy is DROP, so I need to ACCEPT TCP/UDP traffic from the networks I want to provide DNS recursion to. The example below is for a specific IP and a class C (/24) network:
# TCP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -s XXX.XXX.XXX.XXX -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -s YYY.YYY.YYY.0/24 -j ACCEPT
# UDP
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -s XXX.XXX.XXX.XXX -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -s YYY.YYY.YYY.0/24 -j ACCEPT
Don't forget to restart your iptables service.
- ACL in pdns
The second way is by configuring the allow-from pdns setting accordingly:
# vim /etc/pdns-recursor/recursor.conf
allow-from=127.0.0.0/8, XXX.XXX.XXX.XXX, YYY.YYY.YYY.0/24
- Listen IP address
PowerDNS Recursor will start on your local IP address. To change it to your public IP, you need to edit the entry below:
# vim /etc/pdns-recursor/recursor.conf
local-address=127.0.0.1, XXX.XXX.XXX.XXX
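As an added example (not from the original post), here is a small POSIX shell audit that ties the ACL and listen-address sections above together: it reads allow-from and local-address from recursor.conf, reports whether those settings would leave an open resolver, and derives the iptables rules from the same ACL so the firewall and the pdns layer cannot drift apart. The 203.0.113.10 and 198.51.100.0/24 values stand in for the XXX/YYY placeholders and are constructed for the demo.

```shell
# Added example, not from the original post: audit a recursor.conf for the
# open-resolver risk discussed above and derive the matching iptables rules.
# Assumes the key=value syntax shown on the page; the sample confs are constructed.

# Print the value of KEY from FILE (last uncommented assignment wins).
conf_get() {  # usage: conf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 if the recursor only serves the networks listed in allow-from,
# 1 if the config would make it an open resolver.
check_open_resolver() {  # usage: check_open_resolver FILE
    allow=$(conf_get "$1" allow-from)
    listen=$(conf_get "$1" local-address)
    listen=${listen:-127.0.0.1}             # pdns-recursor default listen address
    case ",$(printf '%s' "$listen" | tr -d ' ')," in
        ,127.0.0.1,|,::1,|,127.0.0.1,::1,) return 0 ;;   # loopback only: never open
    esac
    # Bound to a routable address: require an explicit ACL ...
    [ -n "$allow" ] || return 1
    # ... that does not contain a catch-all network.
    for net in $(printf '%s' "$allow" | tr ',' ' '); do
        case "$net" in 0.0.0.0/0|::/0) return 1 ;; esac
    done
    return 0
}

# Emit iptables rules for every non-loopback network in allow-from so the
# firewall stays in sync with the pdns ACL (loopback is normally covered by
# a separate "-i lo -j ACCEPT" rule, so it is skipped here).
iptables_rules_for() {  # usage: iptables_rules_for FILE
    for net in $(conf_get "$1" allow-from | tr ',' ' '); do
        case "$net" in 127.*|::1*) continue ;; esac
        for proto in tcp udp; do
            printf '%s\n' "-A INPUT -p $proto -m state --state NEW -m $proto --dport 53 -s $net -j ACCEPT"
        done
    done
}

# Constructed sample configs: the page's ACL with placeholder IPs, and a bad catch-all.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
printf 'local-address=127.0.0.1, 203.0.113.10\nallow-from=127.0.0.0/8, 203.0.113.10, 198.51.100.0/24\n' > "$GOOD_CONF"
printf 'local-address=127.0.0.1, 203.0.113.10\nallow-from=0.0.0.0/0\n' > "$BAD_CONF"

check_open_resolver "$GOOD_CONF" && echo "good conf: ACL ok" || echo "good conf: OPEN RESOLVER"
check_open_resolver "$BAD_CONF"  && echo "bad conf: ACL ok"  || echo "bad conf: OPEN RESOLVER"
iptables_rules_for "$GOOD_CONF"
```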
At this point you are ready to start and use your own DNS recursor.
# systemctl status pdns-recursor.service
# systemctl enable pdns-recursor.service
- Testing
Before you log off the machine, you need to test your DNS server:
# dig soa powerdns.com @127.0.0.1
and from a machine inside your ACL:
# dig soa powerdns.com @XXX.XXX.XXX.XXX
Everything should work just fine.