Run your own DNS Cache

Roll your own DNS cache - bypass your ISP's and Google's.

Using Root Servers

If you are having issues with DNS resolution and you don't want to use Google's, try this.
I used Ubuntu Server 16.04 for this.

I'm not going through the whole Ubuntu install; I just enabled SSH and went from there.
Also, my setup is IPv4 only, as we don't have a need for IPv6 and it was causing DNS timeouts.

Let's begin
SSH into your server

I called mine dns1

Do the updates first by running "sudo apt-get update && sudo apt-get upgrade -y"

sudo apt-get update && sudo apt-get upgrade -y

Make sure you set a static IP address.
This is done with "sudo nano /etc/network/interfaces"

sudo nano /etc/network/interfaces

Change this line from "iface eth0 inet dhcp" to "iface eth0 inet static",
then add the following lines (the keywords are lower-case in this file):

iface eth0 inet static
address <ip you want the machine to be>
netmask <network subnet mask>
gateway <network gateway>

Now we will want to disable IPv6. This is done by
editing "sudo nano /etc/sysctl.conf" and adding the following lines to the bottom of the file

sudo nano /etc/sysctl.conf

#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Let's install the DNS server, BIND

sudo apt-get install bind9 bind9utils bind9-doc

Now let's configure BIND

By default BIND accepts requests from all IP addresses; we want to tighten that up.
I have added my OpenVPN clients and the local subnets.

So we will need to edit named.conf.options, found in /etc/bind/

sudo nano /etc/bind/named.conf.options

We will need to add the following section at the top. Modify it for your networks.

//acl for good clients

acl goodclients {
        192.168.254.0/24; // local subnet
        10.196.89.0/24;   // OpenVPN clients
        localhost;
        localnets;
};

Now in the options section add

        recursion yes;
        allow-query { goodclients; };

Let's check the config is correct by running

sudo named-checkconf

If all is good, it shouldn't return anything.
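As an added example (not part of the original post), here is a small Python script that renders the whole /etc/bind/named.conf.options from a list of client networks. It writes the same acl and options the post describes, and additionally sets allow-recursion explicitly so the resolver only recurses for goodclients regardless of allow-query defaults, and turns off IPv6 listening to match the IPv4-only setup. The subnets in the script are placeholders; each prefix is validated with the ipaddress module before anything is written, so a typo fails here rather than at named-checkconf time.

```python
"""Render a BIND named.conf.options that only serves the networks listed.

Added example, not the original post's file. The client list is a
placeholder; replace it with your own subnets. The "directory" line is
the Ubuntu default that the stock named.conf.options already carries.
"""
import ipaddress

# Names BIND accepts in an ACL without a prefix (builtin ACLs).
BUILTIN_ACLS = {"localhost", "localnets", "any", "none"}


def validate_client_entry(entry):
    """Return a normalised ACL entry, or raise ValueError.

    strict=True rejects prefixes with host bits set (e.g. 192.168.254.1/24),
    and IPv6 prefixes are refused because this setup has IPv6 disabled.
    """
    if entry in BUILTIN_ACLS:
        return entry
    net = ipaddress.ip_network(entry, strict=True)
    if net.version != 4:
        raise ValueError(f"IPv6 prefix {entry!r} not allowed in an IPv4-only setup")
    return str(net)


def render_named_conf_options(clients, comments=None):
    """Build the text of named.conf.options for the given client networks."""
    comments = comments or {}
    lines = ["//acl for good clients", "acl goodclients {"]
    for client in clients:
        entry = validate_client_entry(client)
        note = comments.get(client)
        lines.append(f"        {entry};" + (f" // {note}" if note else ""))
    lines += [
        "};",
        "",
        "options {",
        '        directory "/var/cache/bind";',
        "        recursion yes;",
        "        allow-query { goodclients; };",
        "        // explicit, so recursion never depends on allow-query defaults",
        "        allow-recursion { goodclients; };",
        "        listen-on-v6 { none; };   // IPv4-only: IPv6 is disabled via sysctl",
        "};",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Placeholder networks; edit to match your LAN and VPN ranges.
    clients = ["192.168.254.0/24", "10.196.89.0/24", "localhost", "localnets"]
    notes = {"192.168.254.0/24": "local subnet", "10.196.89.0/24": "OpenVPN clients"}
    print(render_named_conf_options(clients, notes), end="")
```

Redirect the output to /etc/bind/named.conf.options and run sudo named-checkconf as the post says; the script only produces the text, it never touches the file itself.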

Reboot; this should disable IPv6 and change the server to the IP address you set.
Connect back to it on the IP address you set at the start; it should be resolving now.
You can run "dig [domainname]"; this will be slow the first time.

dig l1teches.com

Then dig it again.

Now you will need to update the hosts on your network to use this DNS server.



Doesn't the computer keep a local DNS cache? What's the benefit of running a cache on a local server?

You could also use DNSMASQ and get more features.
https://wiki.archlinux.org/index.php/dnsmasq

Or for a really nice setup use pi-hole


I rate this 5 out of 5 Wendells


The benefit would be less about caching, which wouldn't matter much unless there were a lot of users as the cache doesn't last long before being refreshed. The benefit is that you're resolving your own DNS queries from the root servers rather than using your ISP's DNS server or google or whatever else, so you know that no one is interfering with your results.

Of course your ISP would still be able to see and potentially intercept/manipulate your DNS queries which is why I have combined this with dnscrypt to encrypt DNS requests on my network.

Another thing I do on my DNS server is block ads by taking this hosts file list of ad servers: http://winhelp2002.mvps.org/hosts.htm
and converting it to a BIND zone file; that way no device on the network will see any ads. There are fancier ways of doing it that replace ads with a blank image, which gets rid of the big error message you get instead, but it works well enough for me.
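An added example of the conversion this reply describes (not the commenter's own script): it parses hosts-format lines ("0.0.0.0 hostname" or "127.0.0.1 hostname"), drops comments, loopback entries, duplicates and malformed names, and emits one zone statement per blocked host that points at a shared sinkhole zone file. The hosts lines in the script are constructed samples, and the file paths are assumptions.

```python
"""Convert a hosts-format ad-server list into BIND zone declarations.

Added example. Each blocked name becomes a tiny authoritative zone served
from one shared "null" zone file, so lookups for it (and any subdomain)
answer 0.0.0.0 instead of reaching the ad server. Paths are assumptions.
"""
import re

NULL_ZONE_FILE = "/etc/bind/null.zone.file"   # assumed path of the sinkhole zone

# Conservative hostname check: dotted labels of letters/digits/hyphens,
# no leading or trailing hyphen, at least two labels, 253 chars max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)

# Entries every hosts file carries that must never become a blocked zone.
SKIP_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "local"}


def parse_hosts(text):
    """Yield unique, valid hostnames that the hosts text sinkholes."""
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("0.0.0.0", "127.0.0.1"):
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in SKIP_NAMES or name in seen or not HOSTNAME_RE.match(name):
                continue
            seen.add(name)
            yield name


def zone_statement(name):
    """One named.conf zone clause that serves `name` from the null zone."""
    return f'zone "{name}" {{ type master; file "{NULL_ZONE_FILE}"; }};'


def build_blocklist_conf(text):
    """Return the contents of a file to `include` from named.conf.local."""
    return "\n".join(zone_statement(n) for n in parse_hosts(text)) + "\n"


# Contents for NULL_ZONE_FILE: the apex and every subdomain resolve to 0.0.0.0.
NULL_ZONE = """$TTL 86400
@ IN SOA localhost. root.localhost. ( 1 3600 900 604800 86400 )
@ IN NS  localhost.
@ IN A   0.0.0.0
* IN A   0.0.0.0
"""

# Constructed sample in the MVPS hosts format (not the real list).
SAMPLE_HOSTS = """# constructed sample
127.0.0.1 localhost
0.0.0.0 ads.example.net  # trailing comment
0.0.0.0 tracker.example.org
0.0.0.0 ads.example.net
0.0.0.0 bad host name
0.0.0.0 -invalid.example
"""

if __name__ == "__main__":
    print(build_blocklist_conf(SAMPLE_HOSTS), end="")
```

Write NULL_ZONE to the sinkhole file, save the script's output as a separate file that named.conf.local includes, and run named-checkconf before reloading; re-run the conversion whenever the upstream list is refreshed, since the zone set is only as current as the hosts file it was built from.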


Do you happen to know how this compares to https://github.com/quidsup/notrack ?

Yes, but a Raspberry Pi has a slower interface speed than my Internet.
Also, my IPFire firewall has a transparent proxy that does a lot of the grunt work with web filtering.

Yeah, I was having issues with using my ISP's DNS and I don't really trust Google.
So the whole roll-your-own seemed to fit. Work still needs to be done,

as the local names aren't being resolved, which makes sense as the DHCP server doesn't have authority to update the BIND zone DB file.

So I might change the config of the network and point the firewall forwarders to the local DNS server, and point the clients' DNS back to the firewall.

But overall it has been a success.
