In my original concept for the home lab, I was going to install a Windows VM and run DNS from there. However, I picked up an idea from one of the VMware-related forums on Facebook: run DNS on PhotonOS. I thought to myself, that is a brilliant idea.
What do we need:
- PhotonOS OVA file -> bit.ly/3Jlslev
- Configuration file for DNS
- Configuration file for resolved.conf
DNS (unbound.conf):
server:
    interface: 0.0.0.0
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    access-control: 0.0.0.0/0 allow
    verbosity: 1
    local-zone: "angrysysops.com." static
    local-data: "aso-esx-n001.angrysysops.com A 192.168.1.101"
    local-data: "aso-esx-n002.angrysysops.com A 192.168.1.102"
    local-data: "aso-vcsa-aps01.angrysysops.com A 192.168.1.120"
    local-data: "aso-dns-ap01.angrysysops.com A 192.168.1.53"
    local-data-ptr: "192.168.1.101 aso-esx-n001.angrysysops.com"
    local-data-ptr: "192.168.1.102 aso-esx-n002.angrysysops.com"
    local-data-ptr: "192.168.1.120 aso-vcsa-aps01.angrysysops.com"
    local-data-ptr: "192.168.1.53 aso-dns-ap01.angrysysops.com"
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
Let’s have a look at this config file:
interface: 0.0.0.0 -> forces the server to listen on all IP addresses
do-ip4, do-udp, do-tcp -> allows IPv4, UDP and TCP
access-control: 0.0.0.0/0 allow -> allows DNS queries from all IP addresses
local-zone -> the domain name
local-data -> an A record
local-data-ptr -> a PTR record
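The server: block above listens on every interface, allows queries from 0.0.0.0/0 and forwards everything else to Google, so any host that can reach port 53 can recurse through it (an open resolver). The script below is an added example, not part of the original post: it renders the same lab zone with access-control limited to the LAN, and a small lint function that flags the open-resolver pattern in any unbound config file. The subnet 192.168.1.0/24 and the host list are assumptions taken from the addresses used in the post.

```shell
#!/bin/sh
# Constructed example: render a LAN-restricted unbound config for the lab zone
# and lint a config file for the open-resolver pattern.
LAB_NET="192.168.1.0/24"    # assumption: the lab subnet implied by the post
HOSTS="aso-esx-n001 192.168.1.101
aso-esx-n002 192.168.1.102
aso-vcsa-aps01 192.168.1.120
aso-dns-ap01 192.168.1.53"   # assumption: hosts from the post's local-data lines

# render_unbound_conf ZONE NET -> prints server:/forward-zone: config on stdout.
# Only loopback and NET may query; the catch-all 0.0.0.0/0 is refused
# (unbound picks the most specific matching access-control entry).
render_unbound_conf() {
  zone="$1"; net="$2"
  printf 'server:\n  interface: 0.0.0.0\n  do-ip4: yes\n  do-udp: yes\n  do-tcp: yes\n'
  printf '  access-control: 127.0.0.0/8 allow\n  access-control: %s allow\n' "$net"
  printf '  access-control: 0.0.0.0/0 refuse\n'
  printf '  local-zone: "%s." static\n' "$zone"
  echo "$HOSTS" | while read -r name ip; do
    [ -n "$name" ] || continue
    printf '  local-data: "%s.%s A %s"\n' "$name" "$zone" "$ip"
    printf '  local-data-ptr: "%s %s.%s"\n' "$ip" "$name" "$zone"
  done
  printf 'forward-zone:\n  name: "."\n  forward-addr: 8.8.8.8\n  forward-addr: 8.8.4.4\n'
}

# is_open_resolver FILE -> exit 0 when FILE listens on all interfaces, allows
# 0.0.0.0/0 and forwards "." (i.e. anyone reachable can recurse), else exit 1.
is_open_resolver() {
  f="$1"
  grep -Eq '^[[:space:]]*access-control:[[:space:]]*0\.0\.0\.0/0[[:space:]]+allow' "$f" &&
  grep -Eq '^[[:space:]]*interface:[[:space:]]*0\.0\.0\.0' "$f" &&
  grep -Eq '^[[:space:]]*forward-zone:' "$f"
}

# Usage: print the hardened config; redirect it into /etc/unbound/unbound.conf
# on the PhotonOS VM and run unbound-checkconf before restarting the service.
render_unbound_conf angrysysops.com "$LAB_NET"
```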
resolved.conf:
[Resolve]
DNS=127.0.0.1
FallbackDNS=1.0.0.1
MulticastDNS=no
DNSStubListener=no
The DNSStubListener=no directive is essential: it ensures systemd-resolved does not listen for DNS queries on port 53. You may actually want MulticastDNS=yes if you do not use avahi-daemon for multicast-DNS purposes.
Let’s deploy PhotonOS VM
- Login to your ESXi host via URL using IP address
- Once logged in, click on Virtual Machines
- Click on Create/Register VM
- New Virtual Machine wizard will open
- Select Deploy a virtual machine from an OVF or OVA file
- Click Next
- Enter a name for the virtual machine
- Drag and drop OVA file
- Click Next
- Select datastore (in my case I have only local storage)
- Click Next
- Agree to End User Licence
- Click Next
- Select Network
- Select Disk provisioning
- Select whether the VM should be powered on automatically or not
- Click Next
- Read Ready to complete page
- Click Finish
The system starts provisioning the VM. It will take a few moments. Once the provisioning task is finished you can see your new VM under Virtual Machines in the Navigator pane. Click on the VM and open the console. Now it is time to log in.
Use credentials:
- Username: root
- Password: changeme
After a successful login, the system will require you to change the root password.
As this machine is designated to serve as DNS, we need to assign a static IP. To do so we need to create a systemd-networkd configuration file. There are two (or maybe more) ways to do it:
vi /etc/systemd/network/10-static-en.network
cat > /etc/systemd/network/10-static-en.network << "EOF"
Regardless of which command you use, you need to add the following values (remember to use your own network IP addresses, not mine, which are used as examples, unless you have the same IP scheme):
[Match]
Name=eth0
[Network]
Address=192.168.1.53/24
Gateway=192.168.1.254
EOF
Change the new file’s mode bits by running the chmod command:
chmod 644 /etc/systemd/network/10-static-en.network
Apply the configuration by running the following command:
systemctl restart systemd-networkd
Verify that the IP has been changed by running the following command:
ifconfig
Once we have IP set, we can SSH to our machine instead of using the console. This is handy if you want to copy and paste commands. As I am on a Windows host machine, I will use a command prompt (cmd) to access my DNS server.
ssh root@192.168.1.53
Now we need to update our new system. You can do it by running this command:
tdnf update
Once the update is done, it is time to install unbound. Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. In late 2019, Unbound was rigorously audited, which means that the code base is more resilient than ever.
To install unbound run this command:
tdnf install unbound
DNS configuration
- Firstly we need to change the DNS config file by adding our own configuration.
- Open config file by running this command:
vi /etc/unbound/unbound.conf
- Find section with keyword server:
- Add your own DNS configuration
- Save the file by pressing Esc, :, wq
- Check your config by running this command:
unbound-checkconf
- If you have errors, correct the config and save it again; if there are no errors, proceed
- Now you need to ensure that systemd-resolved is not occupying the DNS port. You can do this by giving it the following configuration file:
vi /etc/systemd/resolved.conf
[Resolve]
DNS=127.0.0.1
FallbackDNS=1.0.0.1
MulticastDNS=no
DNSStubListener=no
- Save the file by pressing Esc, :, wq
- Restart systemd-resolved with
systemctl restart systemd-resolved.service
- Start unbound service by running this command:
systemctl start unbound.service
- Enable unbound to make it start on every boot by running this command:
systemctl enable unbound.service
- Check if unbound started with no errors:
systemctl status unbound.service
- Let’s add UDP port 53 to the firewall
iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
- Make sure you save iptables:
iptables-save >/etc/systemd/scripts/ip4save
- Reboot your server
Test your DNS server:
Once the server is up after the reboot, open the command prompt and make a query to the DNS server using nslookup.
NOTE: Do not try to ping your DNS server; ping will fail, as we did not add ICMP to the firewall. We will do that later on.
Issue the command:
nslookup 192.168.1.101 192.168.1.53
The first IP is the address we want information about; the second IP is our DNS server. Once you get a response, DNS is working.
In the next article, I will show you how to point your ESXi servers to this DNS and how to perform the check. If you do not want to wait and you want to know now, please view the video, where all the steps are presented step-by-step:
Please like and share to spread the knowledge in the community.
If you want to chat with me please use Twitter: @AngrySysOps
Join my VMware Knowledge Base Group: https://bit.ly/3w54tbc
Visit my FB page: https://www.facebook.com/AngrySysOps
Read my blog: https://angrysysops.com
Subscribe to my channel : https://bit.ly/3vY16CT