Setting up a Forwarding DNS Server (or DNS Proxy) with ISC BIND

Published 2010-01-18 (last modified 2022-12-28). https://vault.motd.kr/wordpress/posts/2267/setting-up-a-forwarding-dns-server-or-dns-proxy-with-isc-bind/
When you are connected to a VPN, all DNS queries from your system often go to the DNS server that your company runs. This is inefficient, because most DNS queries can be resolved by faster public DNS servers such as Google Public DNS. If only the domain names related to your company are resolved by the private name servers, an unstable VPN connection won't stop you from browsing public web sites.

To address this issue, you can install a forwarding DNS server (a.k.a. proxy DNS server) on your machine or in your local area network. There are dedicated DNS proxy servers such as pdnsd and dnsmasq, but I recommend BIND because, in my experience, it has been more reliable than the others. Despite first impressions, BIND is very easy to configure as a forwarding DNS server. Moreover, BIND works fine on both Windows and Linux.

First, let's say we want to forward all DNS queries to Google Public DNS (8.8.8.8 and 8.8.4.4):

```conf
# /etc/named.conf
options {
    directory "/var/named";
    # Hide version string for security
    version "not currently available";
    # Listen on the loopback device only
    listen-on { 127.0.0.1; };
    listen-on-v6 { none; }; # No IPv6
    # Restrict the source ports of outbound queries to this range
    # (adjust depending on your firewall configuration)
    use-v4-udp-ports { range 32768 65535; };
    use-v6-udp-ports { range 32768 65535; };
    # Forward all DNS queries to Google Public DNS.
    forwarders { 8.8.8.8; 8.8.4.4; };
    forward only;
    # Expire negative answers ASAP,
    # i.e. do not cache DNS query failures.
    max-ncache-ttl 3; # 3 seconds
    # Disable operations a forwarder does not need
    allow-transfer { none; };
    allow-update-forwarding { none; };
    allow-notify { none; };
};
# Disable the control channel.
controls { };
```

If you are connected to your company VPN and you want to forward DNS queries for certain domains to different name servers, you can override the default settings by adding zones for your company domains:

```conf
# ... (continuing from the named.conf above) ...

zone "abc.com" in {
    # matches:
    #   abc.com
    #   intranet.abc.com
    type forward;
    forwarders { 192.168.1.1; 192.168.2.2; };
};

zone "private.def.com" in {
    # matches:
    #   private.def.com
    #   mail.private.def.com
    type forward;
    forwarders { 172.10.1.1; 172.10.2.2; };
};
```

If you don't want some subdomain of an overridden zone to be forwarded to the private DNS servers, you can insert another zone before the zone definitions above to override the override:

```conf
zone "www.abc.com" in {
    type forward;
    forwarders { 8.8.8.8; 8.8.4.4; };
};

zone "abc.com" in { ... };
```

Here's my complete configuration. Please note that I replaced the domain names and the private DNS server addresses with bogus values.

```conf
options {
    # I am running BIND on Windows without a problem. :)
    directory "C:\Program Files (x86)\BIND\etc";
    version "not currently available";
    listen-on { 127.0.0.1; };
    listen-on-v6 { none; };
    use-v4-udp-ports { range 32768 65535; };
    use-v6-udp-ports { range 32768 65535; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    forward only;
    max-ncache-ttl 3;
    allow-transfer { none; };
    allow-update-forwarding { none; };
    allow-notify { none; };
};
controls { };
# We can't resolve the VPN server names with the private
# DNS servers before we join the VPN, so we should use
# the public DNS to initiate the VPN connection successfully.
zone "vpn.abc.com" in {
    type forward;
    forwarders { 8.8.8.8; 8.8.4.4; };
};
# Our company has two top-level domains: abc.com and def.com
zone "abc.com" in {
    type forward;
    forwarders { 172.10.1.1; 10.10.2.2; };
};
zone "def.com" in {
    type forward;
    forwarders { 172.10.1.1; 10.10.2.2; };
};
```

Last but not least, make sure the DNS settings of your operating system point to the DNS server you've just configured (i.e. 127.0.0.1). On Linux, update /etc/resolv.conf or your NetworkManager settings. On Windows, you know what to do: mess with the Control Panel. 🙂
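Before pointing the OS resolver at this configuration, it is worth checking which forwarders each name will actually reach: any internal hostname that falls outside a configured forward zone is sent to the public resolver, which both fails to resolve it and leaks the name. The script below is an added example, not code from the post or from ISC; it parses the zone stanzas of a constructed copy of the complete configuration above and reports the forwarders a query name would be routed to. It assumes BIND's behaviour of picking the most specific forward zone enclosing the query name and falling back to the global forwarders from options{} otherwise; the parser is deliberately minimal and handles only the `#`/`//` comment styles and the statements used on this page.

```python
"""Added example: model which forwarders a split named.conf sends a query to.

Assumed (not stated on the page): named uses the most specific configured
forward zone enclosing the query name, else the global forwarders.
"""
import re

# Constructed sample: the zone section of the article's complete named.conf.
SAMPLE_NAMED_CONF = """
options {
    listen-on { 127.0.0.1; };
    forwarders { 8.8.8.8; 8.8.4.4; };   # global default
    forward only;
};
controls { };
# VPN gateway names must be resolvable before the tunnel is up.
zone "vpn.abc.com" in {
    type forward;
    forwarders { 8.8.8.8; 8.8.4.4; };
};
zone "abc.com" in {
    type forward;
    forwarders { 172.10.1.1; 10.10.2.2; };
};
zone "def.com" in {
    type forward;
    forwarders { 172.10.1.1; 10.10.2.2; };
};
"""

FWD_RE = re.compile(r'forwarders\s*\{([^}]*)\}')


def _blocks(conf):
    """Yield (header, body) for each top-level `header { body };` statement."""
    text = re.sub(r'(#|//)[^\n]*', '', conf)  # drop line comments
    i = 0
    while True:
        start = text.find('{', i)
        if start < 0:
            return
        header = text[i:start].strip().lstrip(';').strip()
        depth, j = 0, start
        while j < len(text):  # find the matching close brace
            if text[j] == '{':
                depth += 1
            elif text[j] == '}':
                depth -= 1
                if depth == 0:
                    break
            j += 1
        yield header, text[start + 1:j]
        i = j + 1


def _forwarders(block):
    """Return the addresses listed in the block's forwarders { ... } clause."""
    m = FWD_RE.search(block)
    if not m:
        return []
    return [a.strip() for a in m.group(1).split(';') if a.strip()]


def parse_forward_zones(conf):
    """Return (default_forwarders, {zone: forwarders}) for all forward zones."""
    default, zones = [], {}
    for header, body in _blocks(conf):
        if header == 'options':
            default = _forwarders(body)
            continue
        m = re.match(r'zone\s+"([^"]+)"', header)
        if m and re.search(r'type\s+forward\s*;', body):
            zones[m.group(1).lower().rstrip('.')] = _forwarders(body)
    return default, zones


def select_forwarders(qname, default, zones):
    """Most specific enclosing forward zone wins; otherwise the global list."""
    labels = qname.lower().rstrip('.').split('.')
    for i in range(len(labels)):          # full name first, then each parent
        candidate = '.'.join(labels[i:])
        if candidate in zones:
            return zones[candidate]
    return default


def audit(qnames, conf=SAMPLE_NAMED_CONF):
    """Map each query name to the forwarders it would be sent to."""
    default, zones = parse_forward_zones(conf)
    return {q: select_forwarders(q, default, zones) for q in qnames}


if __name__ == "__main__":
    names = ["intranet.abc.com", "vpn.abc.com", "gw.vpn.abc.com",
             "mail.def.com", "www.google.com"]
    for name, fwd in audit(names).items():
        print(f"{name:20} -> {', '.join(fwd)}")
```

Run it against your own named.conf by passing the file contents to `audit()`; a name you expect to stay inside the VPN that comes back with the public forwarders is a missing zone stanza.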