Set up a DNS Relay using BIND

I’ve had a few inquiries regarding how I set up BIND as a DNS relay (forwarder) for my remote offices. It’s really not as complicated as it sounds. I’ve standardized all my Linux stuff around Ubuntu LTS, so these instructions may need to be tweaked somewhat if you’re on a different platform. The BIND9 configuration stuff should be the same, but the location of the configuration files may (and probably will) differ.

I started with a clean install of Ubuntu Server 8.04 LTS inside a VMware virtual machine. During the installation, I selected the "DNS Server" option and proceeded. Once the install was finished and the virtual instance had rebooted, I ran "apt-get update", installed all updates and, again, rebooted. If you already have a working Ubuntu system and want to add BIND, it should be as simple as typing "sudo apt-get install bind9" in your terminal.

Now, here’s the good stuff. Open /etc/bind/named.conf.options in your favorite editor and make some adjustments. Here’s what my basic configuration looked like:

options {
    directory "/var/cache/bind";
    allow-query { any; };      // who may send queries at all
    allow-recursion { any; };  // who may use this server as a resolver (tightened below)
    query-source address * port 53;  // pins the outbound source port; modern BIND randomizes it when this is omitted

    forwarders {
        172.17.0.5;            // upstream nameserver at headquarters
    };

    auth-nxdomain no;
    listen-on-v6 { any; };
};

Make these changes to the config and restart BIND. Test that lookups are being properly forwarded to the upstream nameserver. Note that with allow-recursion set to any, the box is an open resolver for anyone who can reach it on port 53, so don’t stop here. Once you verify it’s working, make additional changes, such as implementing a BIND access control list (ACL). Add something similar to this to your /etc/bind/named.conf.options file:

acl my-subnets {
    172.17.0.0/16; //headquarters
    172.18.1.0/24; //office01
    172.18.2.0/24; //office02
};

Once you’ve added the definition for the ACL, change your allow-query and allow-recursion to the name of the ACL:

allow-query { my-subnets; };
allow-recursion { my-subnets; };
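Before restarting, it helps to check the file for exactly the pitfalls this post walks through. The following is an added example, not part of the original post: a small Python linter that flags allow-query/allow-recursion set to any, ACL names that are referenced but never defined, a pinned query-source port, and missing forwarders. The two embedded configs are constructed copies of the "basic" and ACL versions above.

```python
import re

# Constructed sample: the post's first "basic" configuration.
BASIC_CONF = """
options {
    directory "/var/cache/bind";
    allow-query { any; };
    allow-recursion { any; };
    query-source address * port 53;
    forwarders { 172.17.0.5; };
};
"""

# Constructed sample: the same file after the post's ACL step.
HARDENED_CONF = """
acl my-subnets { 172.17.0.0/16; 172.18.1.0/24; 172.18.2.0/24; }; // HQ + offices
options {
    directory "/var/cache/bind";
    allow-query { my-subnets; };
    allow-recursion { my-subnets; };
    forwarders { 172.17.0.5; };
};
"""

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

def lint(conf):
    """Return findings for a forwarder config; an empty list means it looks sane."""
    # named.conf accepts /* */, // and # comments; strip them before matching.
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"(//|#)[^\n]*", "", conf)
    findings = []
    defined = set(re.findall(r"\bacl\s+([\w-]+)\s*\{", conf))
    for stmt in ("allow-query", "allow-recursion"):
        m = re.search(stmt + r"\s*\{([^}]*)\}", conf)
        if m is None:  # BIND 9 default is any for allow-query, local only for recursion
            if stmt == "allow-query":
                findings.append("allow-query: unset, defaults to any")
            continue
        members = [x.strip().lstrip("!") for x in m.group(1).split(";") if x.strip()]
        if "any" in members:
            findings.append(f"{stmt}: any (open resolver until an ACL is applied)")
        for member in members:
            if member not in BUILTIN_ACLS | defined and not re.fullmatch(r"[\d.:/]+", member):
                findings.append(f"{stmt}: references undefined acl '{member}'")
    if re.search(r"query-source[^;]*\bport\s+\d+", conf):
        findings.append("query-source: fixed port disables source-port randomization")
    if not re.search(r"forwarders\s*\{[^}]*\d", conf):
        findings.append("forwarders: none set, BIND will do full recursion itself")
    return findings
```

Run lint() on the contents of your own /etc/bind/named.conf.options; the basic config yields three findings and the ACL version yields none.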

As usual, restart the BIND service and you’re all done!