Setting up a Forwarding DNS Server (or DNS Proxy) with ISC BIND

When you are connected to a VPN, all DNS queries from your system often go to the DNS server that your company runs. This is inefficient because most DNS queries can be resolved by faster public DNS servers such as Google Public DNS. If only the domain names related to your company are resolved by the private name servers, an unstable VPN connection will not stop you from browsing public web sites.
To address this issue, you can install a forwarding DNS server (a.k.a. a proxy DNS server) on your machine or in your local area network. There are dedicated DNS proxy servers such as pdnsd and dnsmasq, but I recommend BIND because, in my experience, it has been more reliable than the others. Despite its reputation, BIND is very easy to configure as a forwarding DNS server. Moreover, BIND works fine on both Windows and Linux.
First, let’s say we want to forward all DNS queries to Google Public DNS (8.8.8.8 and 8.8.4.4):

# /etc/named.conf
options {
    directory "/var/named";

    # Hide version string for security
    version "not currently available";

    # Listen to the loopback device only
    listen-on { 127.0.0.1; };
    listen-on-v6 { none; }; # No IPv6

    # Send outgoing queries only from this source port range
    # (adjust to match your firewall configuration)
    use-v4-udp-ports { range 32768 65535; };
    use-v6-udp-ports { range 32768 65535; };

    # Forward all DNS queries to the Google Public DNS.
    forwarders { 8.8.8.8; 8.8.4.4; };
    forward only;

    # Expire negative answers ASAP,
    # i.e. keep NXDOMAIN/failure answers in the cache for at most 3 seconds.
    max-ncache-ttl 3; # 3 seconds

    # Disable non-relevant operations
    allow-transfer { none; };
    allow-update-forwarding { none; };
    allow-notify { none; };
};
# Disable the control channel.
controls { };

If you are connected to your company VPN and want DNS queries for certain domains forwarded to different name servers, you can override the default forwarders by adding forward zones for your company domains:

... (continuing from the named.conf above) ...

zone "abc.com" in {
    # matches:
    #     abc.com
    #     intranet.abc.com
    type forward;
    forwarders { 192.168.1.1; 192.168.2.2; };
};

zone "private.def.com" in {
    # matches:
    #     private.def.com
    #     mail.private.def.com
    type forward;
    forwarders { 172.10.1.1; 172.10.2.2; };
};

If you don’t want a particular subdomain of an overridden zone forwarded to the private DNS servers, you can insert another zone before the zone definitions above to override the override:

zone "www.abc.com" in {
    type forward;
    forwarders { 8.8.8.8; 8.8.4.4; };
};

zone "abc.com" in { ... };

Here’s my complete configuration. Note that I replaced the domain names and the private DNS server addresses with bogus values.

options {
    # I am running BIND on Windows without a problem. :)
    directory "C:\Program Files (x86)\BIND\etc";
    version "not currently available";

    listen-on { 127.0.0.1; };
    listen-on-v6 { none; };

    use-v4-udp-ports { range 32768 65535; };
    use-v6-udp-ports { range 32768 65535; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    forward only;

    max-ncache-ttl 3;

    allow-transfer { none; };
    allow-update-forwarding { none; };
    allow-notify { none; };
};
controls { };

# We can't resolve the VPN server names with the private
# DNS servers before we join the VPN, so we should use
# the public DNS to initiate VPN connection successfully.
zone "vpn.abc.com" in {
    type forward;
    forwarders { 8.8.8.8; 8.8.4.4; };
};

# Our company has two domains: abc.com and def.com
zone "abc.com" in {
    type forward;
    forwarders { 172.10.1.1; 10.10.2.2; };
};

zone "def.com" in {
    type forward;
    forwarders { 172.10.1.1; 10.10.2.2; };
};
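BIND forwards a query through the most specific configured zone that encloses the query name, which is what makes the "override the override" trick above and the vpn.abc.com exception in the complete configuration work. The following added example (not part of the original post) reproduces that selection in Python so you can check, before touching a live resolver, which forwarders a given name would reach; the zone table is constructed from the configuration shown above, with its bogus private addresses.

```python
"""Predict which forwarders a BIND forward-zone configuration uses for a name."""
from typing import Dict, List, Optional, Tuple

PUBLIC = ["8.8.8.8", "8.8.4.4"]
PRIVATE = ["172.10.1.1", "10.10.2.2"]  # bogus values, as in the article

# Constructed from the article's complete configuration.
FORWARD_ZONES: Dict[str, List[str]] = {
    "vpn.abc.com": PUBLIC,   # exception: reachable before the VPN is up
    "abc.com": PRIVATE,
    "def.com": PRIVATE,
}


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def match_zone(qname: str, zones: Dict[str, List[str]]) -> Optional[str]:
    """Return the configured zone with the longest label-wise suffix match.

    Comparing whole labels (not string suffixes) keeps 'notabc.com' from
    matching the 'abc.com' zone; statement order in named.conf is irrelevant.
    """
    q = _labels(qname)
    best: Optional[str] = None
    for zone in zones:
        z = _labels(zone)
        if len(z) <= len(q) and q[len(q) - len(z):] == z:
            if best is None or len(z) > len(_labels(best)):
                best = zone
    return best


def forwarders_for(qname: str, zones: Dict[str, List[str]] = FORWARD_ZONES,
                   default: List[str] = PUBLIC) -> Tuple[str, List[str]]:
    """Return (matched zone or 'options', forwarder list) for a query name."""
    zone = match_zone(qname, zones)
    if zone is None:
        return ("options", default)  # global 'forwarders' in options {}
    return (zone, zones[zone])


if __name__ == "__main__":
    for name in ["www.google.com", "intranet.abc.com", "vpn.abc.com", "notabc.com"]:
        print(name, "->", forwarders_for(name))
```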

Last but not least, make sure the DNS settings of your operating system point at the DNS server you’ve just configured (i.e. 127.0.0.1). On Linux, update /etc/resolv.conf or your NetworkManager settings. On Windows, you know what to do: mess with the Control Panel. 🙂

Deep Breath

Is it because of a heart that wavers as if it has lost its direction? This year I can hardly find the resolutions that usually appear when the new year comes. They pass by in a moment and feel only dull.

Even the achievements that impressed me get buried in the ongoing daily routine and become the past. Sometimes the speed of it is so surprising that "entombed" fits better than "buried". No, it would be more accurate to say that I "entomb" them. I tend to tire easily of the moments of success or realization that once moved me, and to treat them as nothing special.

There are days when my heart races ahead, wanting to achieve more. I grow sick of a daily routine that repeats without getting anything done. I get angry because even when I want to change it, it does not go as I wish. For no reason, I begin to resent the people around me.

I take a deep breath.