Tag Archives: dns

OpenWRT: Spinning up Authoritative DNS server


During last few months my small home infrastructure has grown in numbers. First there came a beefe virtualization host with 2x AMD Opteron CPUs and 48 GB RAM which runs all labs and is awesome for learning. I named it Sonic after the hedgehog. Then the idea for centralized storage was born, and Synology DS213J together with 2x WD 3TB REDs came on board and is packed with features. My popular ones are Download Station, File Station and Integrated IPSec VPN Server.

As the Internet of Things rises, I bought couple of Raspberry Pi, which one of them runs Openelec as home media center. The others are waiting for new exciting projects that will soon come.

Besides the physical infrastructure, the virtual one have grown even faster with more and more complex labs. Overall there was a need to manage all this stuff more easily and provide layer of abstraction, and home DNS service would make that happen.

After reading number of resources that explained the basics about DNS such as what is the difference between Authoritative, Cache and Forward server, I was confident enough to begin the process of changing the default combined DHCP+DNS service (dnsmasq) in my home router running Openwrt with more capable software. I have chosen bind for the job.

Installing packages

The installation process is very easy, first log into your router via SSH. I am running Barrier Breaker 14.07 on TP-LINK TL-WR941ND. Then using the package manager, install bind-server, bind-tools and isc-dhcp-server-ipv4.

By default, Openwrt includes vi test editor by default, if you are more a nano person, install that package as well. We will use to edit the configuration files later.

BusyBox v1.22.1 (2014-09-20 22:01:35 CEST) built-in shell (ash)
Enter ‘help’ for a list of built-in commands.

  _______                     ________        __
 |       |.—–.—–.—–.|  |  |  |.—-.|  |_
 |   –   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 BARRIER BREAKER (14.07, r42625)
  * 1/2 oz Galliano         Pour all ingredients into
  * 4 oz cold Coffee        an irish coffee mug filled
  * 1 1/2 oz Dark Rum       with crushed ice. Stir.
  * 2 tsp. Creme de Cacao

root@soultrap:~# opkg update
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_base.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/luci/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_luci.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_packages.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/routing/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_routing.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/telephony/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_telephony.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/management/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_management.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_oldpackages.

root@soultrap:~# opkg install bind-server bind-tools Installing bind-server (9.9.4-1) to root... Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/pa ckages/oldpackages/bind-server_9.9.4-1_ar71xx.ipk. Installing bind-libs (9.9.4-1) to root... Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/pa ckages/oldpackages/bind-libs_9.9.4-1_ar71xx.ipk. Installing libopenssl (1.0.2-1) to root... Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/pa ckages/base/libopenssl_1.0.2-1_ar71xx.ipk. Installing zlib (1.2.8-1) to root... Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/zlib_1.2.8-1_ar71xx.ipk. Installing bind-tools (9.9.4-1) to root... Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/bind-tools_9.9.4-1_ar71xx.ipk. Configuring zlib. Configuring libopenssl. Configuring bind-libs. Configuring bind-tools. Configuring bind-server.
root@soultrap:~# opkg install isc-dhcp-server-ipv4 Installing isc-dhcp-server-ipv4 (4.2.4-3) to root... Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/isc-dhcp-server-ipv4_4.2.4-3_ar71xx.ipk. Configuring isc-dhcp-server-ipv4.

root@soultrap:~# opkg install nano
Installing nano (2.3.6-1) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/packages/nano_2.3.6-1_ar71xx.ipk.
Configuring nano.

Dnsmasq is a combined DHCP and DNS server and it would interfere with bind by default. To still have DHCP capabilities, we will configure the isc-dhcp server. But first uninstall dnsmasq. Clean up by removing the old dhcp leases file.

root@soultrap:~# /etc/init.d/dnsmasq stop
root@soultrap:~# opkg remove dnsmasq
Removing package dnsmasq from root...
Not deleting modified conffile /etc/config/dhcp.
root@soultrap:~# mv /etc/config/dhcp /etc/config/dhcp.backup
root@soultrap:~# rm /var/dhcp.leases

Configuring dhcp and bind

After package installation, we are going to configure dhcpd daemon, and the right place to do that is at /etc/dhcpd.conf.

root@soultrap:~# nano /etc/dhcpd.conf
# dhcpd.conf


default-lease-time 3600;
max-lease-time 86400;

option domain-name-servers,;
option domain-search “papuckovo.home”;

subnet netmask {
  option routers;

Then enable automatic service start after reboot and start the service.

root@soultrap:~# /etc/init.d/dhcpd enable
root@soultrap:~# /etc/init.d/dhcpd start

We will now focus on bind configuration and the main file to look at is located under /etc/bind/ directory.  The file named.conf will be in our particular interest.

First we will configure DNS forwarders that will be used when looking for something outside our authoritative domain. Popular choices are OpenDNS servers or Google Public DNS Servers, I will use the later one.

Next, we will add one forward and one reverse zone for our home domain papuckovo.home. As you can see they will point to files that will hold our records, and we need to create them.

root@soultrap:~# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
acl “RFC1918” {;

options {
        directory “/tmp”;
        recursion yes;
        allow-recursion { RFC1918; };
        allow-transfer { none; };
        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing
        // the all-0’s placeholder.

        forwarders {

        auth-nxdomain no;    # conform to RFC1035
// prime the server with knowledge of the root servers
zone “.” {
        type hint;
        file “/etc/bind/db.root”;

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone “localhost” {
        type master;
        file “/etc/bind/db.local”;
zone “papuckovo.home” {
        type master;
        file “/etc/bind/zones/db.papuckovo.home”;
zone “127.in-addr.arpa” {
        type master;
        file “/etc/bind/db.127”;
zone “0.in-addr.arpa” {
        type master;
        file “/etc/bind/db.0”;
zone “255.in-addr.arpa” {
        type master;
        file “/etc/bind/db.255”;
zone “2.0.10.in-addr.arpa” {
        type master;
        file “/etc/bind/zones/db.2.0.10”;

Now we will create new folder zones and copy example files from main bind directory.

root@soultrap:~# mkdir /etc/zones
root@soultrap:~# cp /etc/bind/db.local /etc/bind/zones/db.papuckovo.home
root@soultrap:~# cp /etc/bind/db.127 /etc/bind/zones/db.2.0.10

Edit the copied files to suit your needs. The SOA record needs to include domain name and the administrator’s email. You should also increment the Serial number after each change to zone files.

root@soultrap:~# nano /etc/bind/zones/db.papuckovo.home
; BIND data file for local loopback interface
$TTL    604800
@       IN      SOA     papuckovo.home. root.papuckovo.home. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      soultrap.papuckovo.home.
@       IN      A
soultrap        IN     A
www01           IN     A

Do the same thing for reverse zone

root@soultrap:~# nano /etc/bind/zones/db.2.0.10
; BIND reverse data file for local loopback interface
$TTL    604800
@       IN      SOA     papuckovo.home. root.papuckovo.home. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      soultrap.papuckovo.home.
1       IN      PTR     soultrap.papuckovo.home.
2       IN      PTR     www01.papuckovo.home.

Finally, enable automatic service start after boot and start the service

root@soultrap:~# /etc/init.d/named start
Starting isc-bind
root@soultrap:~# /etc/init.d/named enable


You can verify the operations of DHCP server by jumping on an internal client and issues ipconfig /renew. Or directly from the router listing dhcpd leases.

root@soultrap:~# head /var/dhcpd.leases
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.2.4

lease {
  starts 1 2015/02/23 08:19:57;
  ends 1 2015/02/23 08:21:57;
  tstp 1 2015/02/23 08:21:57;
  cltt 1 2015/02/23 08:19:57;
  binding state free;
  hardware ethernet 14:7d:c5:11:19:7f;

You can also verify that DNS server is operating correctly using nslookup or dig.

root@soultrap:~# dig ANY papuckovo.home @localhost
; <<>> DiG 9.9.4 <<>> ANY papuckovo.home @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53030
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

; EDNS: version: 0, flags:; udp: 4096
;papuckovo.home.                        IN      ANY

papuckovo.home.         604800  IN      SOA     papuckovo.home. root.papuckovo.home. 5 604800 86400 2419200 604800
papuckovo.home.         604800  IN      NS      soultrap.papuckovo.home.
papuckovo.home.         604800  IN      A

soultrap.papuckovo.home. 604800 IN      A

;; Query time: 74 msec
;; WHEN: Tue Feb 24 16:04:56 CET 2015
;; MSG SIZE  rcvd: 139


Sometimes, things do not go as we expected, it would be great to narrow down the problem.

root@soultrap:~# /etc/init.d/named start
Starting isc-bind
  isc-bind failed to start

The default error message is not very useful and you can investigate further in log file. In this case I have mistyped the allow-transfer keyword in the main configuration file.

root@soultrap:~# logread
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: BIND 9 is maintained by Internet Systems Consortium,
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: corporation.  Support and training for BIND 9 are
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: available at https://www.isc.org/support
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: —————————————————-
Tue Feb 24 16:20:30 2015 daemon.info named[13361]: using 1 UDP listener per interface
Tue Feb 24 16:20:30 2015 daemon.info named[13361]: using up to 4096 sockets
Tue Feb 24 16:20:30 2015 daemon.info named[13361]: loading configuration from ‘/etc/bind/named.conf’
Tue Feb 24 16:20:30 2015 daemon.err named[13361]: /etc/bind/named.conf:10: unknown option ‘allow-trasfer’
Tue Feb 24 16:20:30 2015 daemon.crit named[13361]: loading configuration: failure
Tue Feb 24 16:20:30 2015 daemon.crit named[13361]: exiting (due to fatal error)

MACs – Moved Adds and Changes

When adding new records in reverse and forward zone files it is needed to increase the serial number and then reload bind with new configuration.

root@soultrap:~# /etc/init.d/named reload
Stopping isc-bind
Starting isc-bind


Adding name resolution service to your home router will give you great flexibility and easy to use, your everyday users won’t need to be bothered with IP addresses, they can simple type names.

Further Reading


Lost objects in vCenter

To realized how important is DNS for vSphere installation, try shutting down your DNS server, wait for cache to expire and log into vCenter again. You may be presented with this error which on the first sight might not look like that is related to DNS.


Could not connect to one or more vCenter Server Systems

And, you won’t have access to any objects:


You can find more evidence that this is related to DNS in vCenter main log which is located at /var/log/vmware/vpx/vpxd.log

Digging into DNS

For many years I have used CLI tool nslookup for grabbing any DNS related information. Recently I have switched to different tool called Domain Infromation Grabber or simply DIG. It is like a next gen nslookup as you will see it has many cool features. This short tutorial will show you how to install it under Windows machine.

First, you need to visit the ISC site at http://www.isc.org/downloads. Dig is part of bind installation package. At the time of writing this artice the current stable version is 9.9.6-P1. Choose you your architecture, I’ll go now with x64. Download & Unzip.

Dig requires to have MS C++ Redistributable installed, so install vcredist_x64 first. Now copy dig.exe and all .dll files into C:\Windows\System32\

Now when you are able to execute dig directly from command line:

dig-1Some basic task you can do with dig are standard IP name resolution.dig-3

As you see the output shows several sections. The information we are looking for is under ANSWER SECTION. This querry shows the IPv4 address of opendns.com. Without specifying any options the default DNS server is used. In this case it is

If you want to point the DNS querry to particular DNS server, use @ option. In next example I am asking opendns DNS server about the same domain.


To perform a reverse DNS querry, use -x option. Here I am asking the same server what does IPv4 address resolve to. The answer is api.opendns.com.


Last but not least, you can ask for mail server records MX. Which will return the mail server addresses that opendns.com domain uses.


Dig has many great features, but these few should keep you going for a while. There are also sites such as kloth.net that provide DIG services.