[root@rhce-ryanrudolf]# rm -rf / 2> /dev/null

things I break/fix for fun and learning

Nov 17, 2018 - 7 minute read

Install and Configure BIND DNS for Domain Resolution and Adblocking

I am rebuilding my homelab environment and I’ve decided to start with the DNS server. DNS (domain name system) is critical: its main purpose is to convert easy-to-remember hostnames into hard-to-memorize IP addresses. Without DNS, you would have to know and memorize which IP address to connect to. For example, instead of typing google.com, you would have to memorize and type in the IP address of Google, which is 172.217.2.174.

These are the steps I followed; they will serve as a guide if I need to break things again. I will be using hostnames from the Toy Story movies: Woody, Buzz, Jessie, Sid and so on.

Preliminary Steps:

  • Create a CentOS 7 virtual machine using the minimal ISO. (I’m using a Spacewalk kickstart ISO to automate the install process and register the host to my Spacewalk server automatically.)

  • Once the VM is created, log in as root and change the hostname. For this host, I will use the hostname sid. Sid is the unstable boy in Toy Story, modifying and destroying toys for fun.

    hostnamectl set-hostname sid
    
  • Change IP address from dynamic to static. For this server, I will use 192.168.1.99.

    nmcli con show
    nmcli con mod ens32 ipv4.method manual ipv4.address 192.168.1.99/24 ipv4.gateway 192.168.1.1 ipv4.dns 192.168.1.1
    systemctl restart network
    
  • Copy ssh keys for password-less logins using the new static IP.

    ssh-copy-id root@192.168.1.99
    
  • Install the bind and bind-utils packages.

    yum install bind bind-utils
    
  • Allow the dns service in the firewall rules.

    systemctl enable firewalld
    systemctl start firewalld
    firewall-cmd --permanent --add-service=dns
    systemctl restart firewalld
    firewall-cmd --list-services
    
  • Once completed, it’s time to modify configuration files!


Steps to Configure DNS Server:

  • Edit /etc/named.conf and make the following adjustments.

    options {
        check-names master ignore;
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
    
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
    
        forward only;
        forwarders { 192.168.1.1; };
    
        dnssec-enable yes;
        dnssec-validation no;
    
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
    
        managed-keys-directory "/var/named/dynamic";
    
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
    };
    
    logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
    };
    
    zone "ryanrudolf.com" {
        type master;
        file "ryanrudolf.com.zone";
        allow-update { none; };
    };
    
    zone "1.168.192.in-addr.arpa" {
        type master;
        file "ryanrudolf.com.revzone";
        allow-update { none; };
    };
    
    zone "." IN {
        type hint;
        file "named.ca";
    };
    
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    
  • Create text file /var/named/ryanrudolf.com.zone. This will be the forward zone containing the hostnames / IP addresses.

    $TTL 86400
    @ IN SOA sid.ryanrudolf.com. sid.ryanrudolf.com. (
            2018111701 ; Serial (YYYYMMDDNN)
            1d ; refresh
            2h ; retry
            4w ; expire
            1h ); negative cache ttl
    
        IN      NS      sid.ryanrudolf.com.
    
    sid             IN      A       192.168.1.99
    spacewalk       IN      A       192.168.1.100
    ansible         IN      A       192.168.1.101
    
  • Create text file /var/named/ryanrudolf.com.revzone. This will be the reverse lookup zone.

    $TTL 86400
    @ IN SOA sid.ryanrudolf.com. sid.ryanrudolf.com. (
            2018111701 ; Serial (YYYYMMDDNN)
            1d ; refresh
            2h ; retry
            4w ; expire
            1h ); negative cache ttl
    
        IN      NS      sid.ryanrudolf.com.
    
    99      IN      PTR     sid.ryanrudolf.com.
    100     IN      PTR     spacewalk.ryanrudolf.com.
    101     IN      PTR     ansible.ryanrudolf.com.
    

Almost done!

  • Enable and start dns service. Pray that there are no errors.

    systemctl enable named
    systemctl start named
    
  • Reconfigure the network connection to use the new dns server.

    nmcli con mod ens32 ipv4.method manual ipv4.address 192.168.1.99/24 ipv4.dns 192.168.1.99 ipv4.gateway 192.168.1.1 ipv4.dns-search ryanrudolf.com
    systemctl restart network
    
  • Query the dns server using nslookup.

    [root@sid ~]# nslookup google.com
    Server:     192.168.1.99
    Address:    192.168.1.99#53
    
    Non-authoritative answer:
    Name:   google.com
    Address: 172.217.2.110
    
    [root@sid ~]# nslookup sid
    Server:     192.168.1.99
    Address:    192.168.1.99#53
    
    Name:   sid.ryanrudolf.com
    Address: 192.168.1.99
    
    [root@sid ~]# nslookup spacewalk
    Server:     192.168.1.99
    Address:    192.168.1.99#53
    
    Name:   spacewalk.ryanrudolf.com
    Address: 192.168.1.100
    
    [root@sid ~]# 
    
  • Use dig to get more info.

    [root@sid ~]# dig google.com
    
    ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> google.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19301
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;google.com.            IN  A
    
    ;; ANSWER SECTION:
    google.com.     60  IN  A   172.217.1.14
    
    ;; Query time: 1 msec
    ;; SERVER: 192.168.1.99#53(192.168.1.99)
    ;; WHEN: Sat Nov 17 22:02:40 EST 2018
    ;; MSG SIZE  rcvd: 55
    
    [root@sid ~]# dig spacewalk.ryanrudolf.com
    
    ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> spacewalk.ryanrudolf.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17035
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;spacewalk.ryanrudolf.com.  IN  A
    
    ;; ANSWER SECTION:
    spacewalk.ryanrudolf.com. 86400 IN  A   192.168.1.100
    
    ;; AUTHORITY SECTION:
    ryanrudolf.com.     86400   IN  NS  sid.ryanrudolf.com.
    
    ;; ADDITIONAL SECTION:
    sid.ryanrudolf.com. 86400   IN  A   192.168.1.99
    
    ;; Query time: 1 msec
    ;; SERVER: 192.168.1.99#53(192.168.1.99)
    ;; WHEN: Sat Nov 17 22:02:45 EST 2018
    ;; MSG SIZE  rcvd: 103
    
    [root@sid ~]# 
    
  • DNS server is now configured and working OK!
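
The following is an added example, not code from the original post: a pre-flight script for the configuration and zone files above that replaces the "pray that there are no errors" step with actual checks, and a record check for after the restart. It assumes the paths, zone names and addresses the post uses; the function names (open_resolver_check, next_serial, bump_zone_serial, check_all, verify_records) are my own. The open-resolver check flags the combination the post's options block has, recursion yes with allow-query { any; } and no allow-recursion, which is fine while port 53 is only reachable from the LAN but must be restricted anywhere else.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks before
# restarting named and a record check afterwards. Paths, zone names and
# addresses are the ones used in the post; the function names are mine.
CONF=/etc/named.conf
ZONEDIR=/var/named

# Open-resolver check: reads named.conf on stdin and returns 1 when
# "recursion yes;" is combined with "allow-query { any; };" and no
# allow-recursion statement limits who may recurse. That is what the post's
# options block does: acceptable for a LAN-only VM, but it must be restricted
# (e.g. allow-recursion { localnets; };) anywhere port 53 is reachable from outside.
open_resolver_check() {
    conf=$(sed 's#//.*##' | tr -s ' \t\n' ' ')   # strip // comments, collapse whitespace
    case $conf in
        *"recursion yes;"*"allow-query { any; };"*|*"allow-query { any; };"*"recursion yes;"*)
            case $conf in
                *"allow-recursion {"*) return 0 ;;
            esac
            echo "open resolver: recursion yes + allow-query { any; } without allow-recursion" >&2
            return 1 ;;
    esac
    return 0
}

# Serial handling for the YYYYMMDDNN scheme the post's zone files use:
# same day -> NN + 1, new day -> today followed by 01.
next_serial() {  # $1 = current serial, $2 = today as YYYYMMDD
    case $1 in
        "$2"??) echo $(($1 + 1)) ;;
        *)      echo "${2}01" ;;
    esac
}

# Rewrite the serial on the "; Serial" line of a zone file and print the new value.
bump_zone_serial() {  # $1 = zone file, $2 = today as YYYYMMDD
    cur=$(awk '/; *[Ss]erial/ { print $1; exit }' "$1")
    [ -n "$cur" ] || { echo "no serial line in $1" >&2; return 1; }
    new=$(next_serial "$cur" "$2")
    sed -E "s/^([[:space:]]*)$cur([[:space:]]*;)/\1$new\2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    echo "$new"
}

# Validate the config syntax and test-load every master zone it references
# (named-checkconf -z), then report the open-resolver setting.
check_all() {
    named-checkconf -z "$CONF" || return 1
    open_resolver_check < "$CONF" || echo "continuing: acceptable only while port 53 is LAN-only" >&2
}

# After the restart, confirm the A records the post's forward zone defines.
# $1 optionally replaces the resolver command (left unquoted on purpose so
# "dig +short @192.168.1.99" splits into a command and its arguments).
verify_records() {
    resolver=${1:-"dig +short @192.168.1.99"}
    failed=0
    while read -r name expected; do
        got=$($resolver "$name" | head -n 1)
        if [ "$got" != "$expected" ]; then
            echo "MISMATCH $name: expected $expected, got ${got:-nothing}" >&2
            failed=1
        fi
    done <<EOF
sid.ryanrudolf.com 192.168.1.99
spacewalk.ryanrudolf.com 192.168.1.100
ansible.ryanrudolf.com 192.168.1.101
EOF
    return $failed
}

# Usage: sh dns-check.sh --apply   (bump serials, validate, restart, verify)
if [ "${1:-}" = "--apply" ]; then
    today=$(date +%Y%m%d)
    for z in ryanrudolf.com.zone ryanrudolf.com.revzone; do
        bump_zone_serial "$ZONEDIR/$z" "$today" >/dev/null || exit 1
    done
    check_all && systemctl restart named && verify_records
fi
```

Bumping the serial on every edit matters as soon as a second DNS server transfers these zones; named-checkconf -z also catches a broken zone file before systemctl restart named takes the resolver down.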

Configure adblocking

  • Download hosts files from https://github.com/StevenBlack/hosts.

  • Modify the hosts file to be compatible with BIND. This script downloads the hosts file, performs the text manipulation and saves the result in /var/named/adblock.zone.

    wget -q -O adblock.hosts https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn/hosts
    # keep the 0.0.0.0 entries only and take the hostname column; write with > (not >>) so a rerun does not accumulate old names
    grep '^0.0.0.0' adblock.hosts | egrep -v '127.0.0.1|255.255.255.255|::1' | cut -d " " -f 2 > adblock.temp
    # drop blanks, comments and the "0.0.0.0 0.0.0.0" entry, then de-duplicate
    egrep -v '^$|#|^0.0.0.0$' adblock.temp | sort | uniq > adblock.hosts
    # one zone statement per blocked name, all served from the shared null zone file
    sed -r 's/(.*)/zone "\1" {type master; file "null.zone.file";};/' adblock.hosts > adblock.zone
    cp adblock.zone /var/named/
    rm -f adblock.hosts adblock.temp
    
  • Create a null.zone.file in /var/named with the following contents.

    $TTL    86400   ; one day
    
    @       IN      SOA     sid.ryanrudolf.com.  root.ryanrudolf.com. (
                            2018111701      ; serial number YYYYMMDDNN
                            28800           ; refresh  8 hours
                            7200            ; retry    2 hours
                            864000          ; expire  10 days
                            86400 )         ; min ttl  1 day
            IN      NS      sid.ryanrudolf.com.
            IN      A       192.168.1.99    ; the blocked name itself resolves to this server
    *       IN      A       192.168.1.99    ; and so does every name beneath it
    
  • Modify /etc/named.conf and include the custom adblock.zone file.

    include "/var/named/adblock.zone";
    
  • Reload / restart the dns service.

    systemctl restart named
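
Since the generated adblock.zone is named.conf syntax built from a file downloaded off the Internet, the conversion should only let through tokens that are actually hostnames. The following is an added example, not the post's script: the same hosts-to-zone conversion as a pair of shell functions that lowercase and de-duplicate the names, drop the "0.0.0.0 0.0.0.0" line, and reject any token containing characters outside the hostname alphabet (a `"` or `;` in a token would otherwise change the meaning of the generated zone statement). SAMPLE_HOSTS is a constructed stand-in for the StevenBlack file and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): a stricter version of the
# hosts-to-zone conversion used above. SAMPLE_HOSTS is a constructed stand-in
# for the StevenBlack file; the function names are mine.

SAMPLE_HOSTS='# Title: constructed sample in the StevenBlack/hosts layout
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org  # inline comment
0.0.0.0 ADS.example.net
0.0.0.0 weird"name.example
::1 localhost ip6-localhost
'

# One blocked hostname per line from a hosts file on stdin: only 0.0.0.0
# entries, first name on the line, lowercased, de-duplicated. Drops the
# self-referencing "0.0.0.0 0.0.0.0" line and any token that is not a dotted
# name made of letters, digits, "-" and "_": the names are interpolated into
# named.conf syntax, so nothing else may reach the zone statement.
hosts_to_names() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF input
        /^0\.0\.0\.0[ \t]+/ {
            name = tolower($2)
            if (name == "0.0.0.0") next
            if (name !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)+$/) next
            if (!seen[name]++) print name
        }'
}

# Turn the name list into the zone statements the post uses, all pointing at
# the shared null.zone.file.
names_to_zones() {
    sed -E 's/^(.*)$/zone "\1" { type master; file "null.zone.file"; };/'
}

# hosts file on stdin -> adblock.zone on stdout
build_adblock_zone() {
    hosts_to_names | names_to_zones
}

# Usage: sh make-adblock-zone.sh "$URL" > /var/named/adblock.zone
if [ -n "${1:-}" ]; then
    curl -fsSL "$1" | build_adblock_zone
fi
```

Run named-checkconf after regenerating the file and before restarting named; one zone statement per blocked name is what the post does and what this reproduces, although BIND's response policy zones can express the same block list as a single zone.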
    
  • Ping one of the blocked sites; the name should now resolve to our dns server.

    [root@sid ~]# ping pornhub.com
    PING pornhub.com (192.168.1.99) 56(84) bytes of data.
    64 bytes from sid.ryanrudolf.com (192.168.1.99): icmp_seq=1 ttl=64 time=0.034 ms
    64 bytes from sid.ryanrudolf.com (192.168.1.99): icmp_seq=2 ttl=64 time=0.072 ms
    ^C
    --- pornhub.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 999ms
    rtt min/avg/max/mdev = 0.034/0.053/0.072/0.019 ms
    [root@sid ~]# ping porn.com
    PING porn.com (192.168.1.99) 56(84) bytes of data.
    64 bytes from sid.ryanrudolf.com (192.168.1.99): icmp_seq=1 ttl=64 time=0.030 ms
    64 bytes from sid.ryanrudolf.com (192.168.1.99): icmp_seq=2 ttl=64 time=0.075 ms
    64 bytes from sid.ryanrudolf.com (192.168.1.99): icmp_seq=3 ttl=64 time=0.091 ms
    ^C
    --- porn.com ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2000ms
    rtt min/avg/max/mdev = 0.030/0.065/0.091/0.026 ms
    [root@sid ~]# 
    
  • Adblocking completed! To make it display a custom error on the blocked websites, we need to set up a webserver.

    yum install httpd openssl mod_ssl
    
  • Since most browsers and websites utilize https, we need to enable http and https in the firewall.

    firewall-cmd --permanent --add-service={http,https}
    systemctl restart firewalld
    
  • Generate a private key and a self-signed certificate to be used by the webserver.

    openssl genrsa -out ca.key 2048 
    openssl req -new -key ca.key -out ca.csr
    openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
    
  • Copy the files to the correct location.

    cp ca.crt /etc/pki/tls/certs
    cp ca.key /etc/pki/tls/private/ca.key
    cp ca.csr /etc/pki/tls/private/ca.csr
    
  • Edit apache SSL configuration file in /etc/httpd/conf.d/ssl.conf to reflect the correct paths of the SSL certificates.

    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    
  • Enable and start the webserver.

    systemctl enable httpd
    systemctl start httpd
    
  • Put custom HTML message in /var/www/index.html.

  • DONE!

This is how it looks whenever a blocked site is accessed.
