Build a home lab using your local PC – Part 3 – Setting up a DNS Server with PhotonOS

In my concept for the home lab, I was going to install a Windows VM and run DNS from there. However, I got an idea from one of the VMware-related forums on Facebook: run DNS on PhotonOS. I thought to myself, it is a brilliant idea.

Step-by-step video. Subscribe to my channel: https://bit.ly/3vY16CT

What do we need:

  • PhotonOS OVA file -> bit.ly/3Jlslev
  • Configuration file for DNS
  • Configuration file for resolved.conf

DNS:

server:
        interface: 0.0.0.0
        do-ip4: yes
        do-udp: yes
        do-tcp: yes
        access-control: 0.0.0.0/0 allow
        verbosity: 1
        local-zone: "angrysysops.com." static
        local-data: "aso-esx-n001.angrysysops.com A 192.168.1.101"
        local-data: "aso-esx-n002.angrysysops.com A 192.168.1.102"
        local-data: "aso-vcsa-aps01.angrysysops.com A 192.168.1.120"
        local-data: "aso-dns-ap01.angrysysops.com A 192.168.1.53"
        local-data-ptr: "192.168.1.101 aso-esx-n001.angrysysops.com"
        local-data-ptr: "192.168.1.102 aso-esx-n002.angrysysops.com"
        local-data-ptr: "192.168.1.120 aso-vcsa-aps01.angrysysops.com"
        local-data-ptr: "192.168.1.53 aso-dns-ap01.angrysysops.com"

forward-zone:
        name: "."
        forward-addr: 8.8.8.8
        forward-addr: 8.8.4.4

Let’s have a look at this config file:

  • interface: 0.0.0.0 -> forces the server to listen on all IP addresses
  • do-ip4, do-udp, do-tcp -> allow IPv4, UDP and TCP
  • access-control: 0.0.0.0/0 allow -> allows DNS queries from all IP addresses
  • local-zone -> domain name
  • local-data -> A record
  • local-data-ptr -> PTR record
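As an added check (not part of the original post), the script below parses a copy of the server block above, trimmed to two hosts, and reports two things a practitioner would want to know before the resolver goes live: whether every A record has a matching PTR, and whether access-control is wider than the lab subnet. The post's 0.0.0.0/0 allow combined with a forward-zone for "." means any host that can reach port 53 can resolve arbitrary names through this server; that is harmless on an isolated home LAN, but the script's harden() narrows the rule to the lab subnet (192.168.1.0/24 is an assumption taken from the post's addressing) so the setting does not have to be revisited if the VM ever becomes reachable from elsewhere. Only the Python standard library is used.

```python
"""Sanity checks for an unbound server block like the one above.

Added example, not code from the original post. lab_net (192.168.1.0/24) is an
assumption taken from the post's addressing.
"""
import ipaddress
import re

# Constructed sample: the post's server and forward-zone blocks, trimmed to two hosts.
SAMPLE_CONF = """\
server:
        interface: 0.0.0.0
        do-ip4: yes
        do-udp: yes
        do-tcp: yes
        access-control: 0.0.0.0/0 allow
        local-zone: "angrysysops.com." static
        local-data: "aso-esx-n001.angrysysops.com A 192.168.1.101"
        local-data: "aso-dns-ap01.angrysysops.com A 192.168.1.53"
        local-data-ptr: "192.168.1.101 aso-esx-n001.angrysysops.com"
        local-data-ptr: "192.168.1.53 aso-dns-ap01.angrysysops.com"

forward-zone:
        name: "."
        forward-addr: 8.8.8.8
        forward-addr: 8.8.4.4
"""


def parse_unbound(text):
    """Return {section: [(key, value), ...]}; an unindented 'name:' line opens a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments and blank lines
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, [])
            continue
        key, _, value = line.strip().partition(":")
        sections.setdefault(current, []).append((key.strip(), value.strip().strip('"')))
    return sections


def check_records(server):
    """Report A records without a matching PTR and PTR records without a matching A."""
    findings, a_records, ptr_records = [], {}, {}
    for key, value in server:
        parts = value.split()
        if key == "local-data" and len(parts) == 3 and parts[1] == "A":
            a_records[parts[0].rstrip(".")] = parts[2]
        elif key == "local-data-ptr" and len(parts) == 2:
            ptr_records[parts[0]] = parts[1].rstrip(".")
    for name, ip in a_records.items():
        if ptr_records.get(ip) != name:
            findings.append(f"A record {name} -> {ip} has no matching PTR")
    for ip, name in ptr_records.items():
        if a_records.get(name) != ip:
            findings.append(f"PTR record {ip} -> {name} has no matching A")
    return findings


def _within(net, lab):
    return net.version == lab.version and net.subnet_of(lab)


def check_exposure(sections, lab_net="192.168.1.0/24"):
    """Flag 'allow' rules wider than the lab subnet; with forward-zone "." that is an open resolver."""
    lab = ipaddress.ip_network(lab_net)
    forwards_all = any(k == "name" and v == "." for k, v in sections.get("forward-zone", []))
    findings = []
    for key, value in sections.get("server", []):
        parts = value.split()
        if key != "access-control" or len(parts) != 2:
            continue
        net_str, action = parts
        if action == "allow" and not _within(ipaddress.ip_network(net_str), lab):
            msg = f"access-control {net_str} allow is wider than the lab subnet {lab_net}"
            if forwards_all:
                msg += "; with forward-zone '.' this is an open recursive resolver"
            findings.append(msg)
    return findings


def harden(text, lab_net="192.168.1.0/24"):
    """Narrow every over-wide 'access-control ... allow' line to the lab subnet."""
    lab, out = ipaddress.ip_network(lab_net), []
    for line in text.splitlines():
        m = re.match(r"(\s*)access-control:\s*(\S+)\s+allow\s*$", line)
        if m and not _within(ipaddress.ip_network(m.group(2)), lab):
            line = f"{m.group(1)}access-control: {lab_net} allow"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(*check_exposure(parse_unbound(SAMPLE_CONF)), sep="\n")
```

Run it as a file to print the findings; unbound-checkconf still validates the syntax, this only looks at the meaning of the records and the scope of the allow rule. Unbound refuses queries from sources that match no access-control line, so narrowing the allow rule is enough to close the resolver to everything outside the lab subnet.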

resolved.conf:

[Resolve]
DNS=127.0.0.1
FallbackDNS=1.0.0.1
MulticastDNS=no
DNSStubListener=no

The DNSStubListener=no directive is essential: it ensures systemd-resolved does not listen for DNS queries, so the port is free for unbound. You may actually want to enable MulticastDNS if you do not use avahi-daemon for multicast-DNS purposes.

Let’s deploy the PhotonOS VM

  • Log in to your ESXi host via URL using the IP address
  • Once logged in, click on Virtual Machines
  • Click on Create/Register VM
  • New Virtual Machine wizard will open
  • Select Deploy a virtual machine from an OVF or OVA file
  • Click Next
  • Enter a name for the virtual machine
  • Drag and drop OVA file
  • Click Next
  • Select datastore (in my case I have only local storage)
  • Click Next
  • Agree to End User Licence
  • Click Next
  • Select Network
  • Select Disk provisioning
  • Select whether the VM should be powered on automatically or not
  • Click Next
  • Read Ready to complete page
  • Click Finish

The system starts provisioning the VM. It will take a few moments. Once the provisioning task is finished you can see your new VM under Virtual Machines in the Navigator pane. Click on the VM and open the console. Now it is time to log in.

Use credentials:

  • Username: root
  • Password: changeme

After successful login, the system will require you to change the root password.

As this machine is designated to serve as DNS, we need to assign a static IP. To do so, we need to create a systemd-networkd configuration file. There are two (or maybe more) ways to do it:

  1. vi /etc/systemd/network/10-static-en.network
  2. cat > /etc/systemd/network/10-static-en.network << "EOF"

Regardless of which command you use, add the following values (remember to use your own network's IP addresses, not mine, which are only examples, unless you have the same IP schema). The closing EOF line belongs to the cat heredoc in option 2; if you use vi, type only the lines above it and save.

[Match]
Name=eth0

[Network]
Address=192.168.1.53/24
Gateway=192.168.1.254
EOF

Change the new file’s mode bits by running the chmod command:

chmod 644 /etc/systemd/network/10-static-en.network

Apply the configuration by running the following command:

systemctl restart systemd-networkd

Verify that the IP has changed by running the following command:

ifconfig

Once we have IP set, we can SSH to our machine instead of using the console. This is handy if you want to copy and paste commands. As I am on a Windows host machine, I will use a command prompt (cmd) to access my DNS server.

ssh root@192.168.1.53

Now we need to update our new system. You can do it by running this command:

tdnf update

Once the update is done, it is time to install unbound. Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. In late 2019, Unbound was rigorously audited, which means that the code base is more resilient than ever.

To install unbound run this command:

tdnf install unbound

DNS configuration

  • First, we need to edit the DNS config file to add our own configuration.
  • Open the config file by running this command:
vi /etc/unbound/unbound.conf
  • Find the section with the keyword server:
  • Add your own DNS configuration
  • Save the file by pressing Esc, then typing :wq and Enter
  • Check your config by running this command:
unbound-checkconf
  • If you have errors, correct the config and save again; if there are no errors, proceed
  • Now you need to ensure that systemd-resolved is not occupying the DNS port. You can do this by giving it the following configuration file:
vi /etc/systemd/resolved.conf

[Resolve]
DNS=127.0.0.1
FallbackDNS=1.0.0.1
MulticastDNS=no
DNSStubListener=no
  • Save the file by pressing Esc, then typing :wq and Enter
  • Restart systemd-resolved by running this command:
systemctl restart systemd-resolved.service
  • Start the unbound service by running this command:
systemctl start unbound.service
  • Enable unbound so it starts on every boot by running this command:
systemctl enable unbound.service
  • Check that unbound started with no errors:
systemctl status unbound.service
  • Let’s open UDP port 53 in the firewall:
iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
  • Make sure you save the iptables rules:
iptables-save >/etc/systemd/scripts/ip4save
  • Reboot your server

Test your DNS server:

Once the server is up after reboot, open the command prompt and make a query to DNS using nslookup.

NOTE: Do not try to ping your DNS server; ping will fail, as we did not add ICMP to the firewall. We will do that later on.

Issue the command:

nslookup 192.168.1.101 192.168.1.53

The first IP is the address we want information about; the second IP is our DNS server's IP. Once you get a response, DNS is working.
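The nslookup check above sends a PTR query for 101.1.168.192.in-addr.arpa to 192.168.1.53 and waits for the answer. The script below, an added example that is not from the original post, does the same at the wire level with only the Python standard library, so you can see exactly what goes over the network and test both transports: the config enables do-tcp, but the firewall step opens only UDP 53, so a query with proto="tcp" will time out until a matching TCP rule is added. The server address and the expected answer are the post's lab values; sample_response() is a constructed reply used for the offline self-check, and names such as query() and build_ptr_query() are this example's own.

```python
"""Reverse lookup against the lab resolver at the DNS wire level.

Added example, not code from the original post. LAB_DNS and the names are the
post's lab values; sample_response() is a constructed reply, not a capture.
"""
import ipaddress
import socket
import struct

QTYPE_PTR, QCLASS_IN = 12, 1
LAB_DNS = "192.168.1.53"


def reverse_name(ip):
    """192.168.1.101 -> 101.1.168.192.in-addr.arpa (IPv6 gets ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_ptr_query(ip, txid):
    """Header with RD set, QDCOUNT=1, and one question: <reverse name> PTR IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(reverse_name(ip)) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg, txid):
    """Return (rcode, [PTR targets]); reject replies whose id does not match ours."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: not the reply to our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: a query, not a response")
    offset = 12
    for _ in range(qd):                                # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    names = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_PTR:
            names.append(decode_name(msg, offset)[0])
        offset += rdlen
    return flags & 0x000F, names


def query(ip, server=LAB_DNS, proto="udp", txid=0x1234, timeout=3.0):
    """Send the PTR query over UDP, or over TCP with the 2-byte length prefix."""
    pkt = build_ptr_query(ip, txid)
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(pkt, (server, 53))
            data = s.recv(4096)
    else:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(pkt)) + pkt)
            f = s.makefile("rb")
            data = f.read(struct.unpack("!H", f.read(2))[0])
    return parse_response(data, txid)


def sample_response(txid=0x1234):
    """Constructed reply for 192.168.1.101: QR, AA, RD, RA set; one PTR answer."""
    question = encode_name(reverse_name("192.168.1.101")) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)
    rdata = encode_name("aso-esx-n001.angrysysops.com")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_PTR, QCLASS_IN, 3600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    print(parse_response(sample_response(), 0x1234))   # offline self-check
    print(query("192.168.1.101"))                        # live query from inside the lab
```

The transaction-id check matters even in a lab: a reply whose id does not match the query is discarded rather than trusted, which is the same rule every real resolver applies. An rcode of 0 with the expected name in the list is the wire-level equivalent of the successful nslookup above; rcode 3 (NXDOMAIN) means the PTR is missing from local-data-ptr.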

In the next article, I will show you how to point your ESXi servers to this DNS and how to perform the check. If you do not want to wait and you want to know now, please view the video, where all the steps are presented step-by-step:

Please like and share to spread the knowledge in the community.

If you want to chat with me please use Twitter: @AngrySysOps

Join my VMware Knowledge Base Group: https://bit.ly/3w54tbc

Visit my FB page: https://www.facebook.com/AngrySysOps

Read my blog: https://angrysysops.com

Subscribe to my channel: https://bit.ly/3vY16CT

Please leave a comment