Monday, July 18, 2016

Setting up a DNS Server in Ubuntu

This month I have a student, Yannick Merckx, sitting next to me who is specializing in Artificial Intelligence and the goal is to leverage machine learning to detect malware using our DNS logs.

This DNS adventure gave me the idea to set up my own local DNS server up so I can block a bunch of things by making a sinkhole. The theory is simple, your local DNS server intercepts the request and does the lookup instead of the one given to you by the network/internet provider.

Installing bind9

The first step is to install a DNS server. I chose bind9 because that is one I used in the past and thus have some experience with.

sudo apt-get install bind9 bind9utils

Configuring bind9
Once the software is installed you need to configure it. The configuration lives in /etc/bind.

named.conf
named.conf is where your configuration starts. It contains a bunch of include statements.

named.conf.options
named.conf.options is where you configure the forwarders. The forwarders are the name servers your DNS server will use if it doesn't know the answer. If you want for example google's DNS servers to answer you set it like.

forwarders {
    8.8.8.8; 8.8.4.4
}

You can set multiple DNS servers, you can separate them with a semi-column (;). If you want to use other DNS servers than google you can for example use OpenDNS's servers which are 208.67.222.222 and 208.67.220.22

named.conf.local
In named.conf.local you configure what databases you want to use.

zone "xiobe.net" {
  type master;
  file "/etc/bind/db.xiobe.net";
};

zone "1.0.127.in-addr.arpa" {
  type master;
  file "/etc/bind/db.127";
};

logging {
  channel simple_log {
    file "/var/log/named/bind9.log" versions 3 size 5m;
    severity debug 10;
    print-time yes;
    print-severity yes;
    print-category yes;
  };

  category default {
    simple_log;
  };
};

 

I've set up a zone for xiobe.net, my domain, and said that the master database is located at /etc/bind/db.xiobe.net. The next zone I did exactly the same thing for the reverse lookup database.

The reason why I've set the severity to debug 10 is because this allows me to actually log the answer for the requested domain.


Finally I declared how the logging has to take place. The location of the log is specific since there is already an entry in the apparmor profile (/etc/apparmor.d/usr.sbin.named).

You have to create the directory named and the log file.
sudo mkdir /var/log/named
sudo touch /var/log/named/bind9.log
sudo chown -R bind:bind /var/log/named

The db.xiobe.net file are copies of the ones that come with /etc/bind and I just added the IP addresses for Xiobe's website so no further lookup needs to occur. In db.127 nothing changes since I want 127.0.0.1 to point to localhost.

named.conf.default-zones
In this file we don't need to change a thing. 

Testing the configuration
Testing the configuration was done by doing an nslookup.

nslookup www.linux.org

I got a reply and in the log it looked like

;; QUESTION SECTION:
;www.linux.org.            IN    A

;; ANSWER SECTION:
;www.linux.org.        4178    IN    CNAME    linux.org.
;linux.org.        2758    IN    A    104.225.135.13


In a next post I will explain how to set up the sinkhole

small update
I made a little mistake in the logging part above. I adapted the post.