Technitium Blog: DNS Server

Showing posts with label DNS Server. Show all posts

Wednesday, October 2, 2024

How To Configure Catalog Zones For Automatic Provisioning Of Secondary Zones

Technitium DNS Server v13 adds support for Catalog Zones [RFC 9432] that allows automatic provisioning of DNS zones to one or more secondary name servers. This implementation has support for Primary, Stub, and Conditional Forwarder zones such that their respective secondary zones are automatically created by the catalog zone setup, greatly reducing the manual task that a DNS administrator would have to perform otherwise.

Catalog zones are just normal, regular DNS zones which use various DNS records to codify information related to the member zones hosted on the primary name server. A Secondary Catalog zone, that needs to be manually created once on each participating secondary name server, uses standard Zone Transfer (AXFR) or Incremental Zone Transfer (IXFR) mechanisms to sync the records from the Catalog zone. The Secondary Catalog zone processes this coded information in the synced DNS records to add/remove zones on the secondary name server as well as update their properties. The current implementation supports Query Access and Zone Transfer options to be automatically synced to all secondaries.

Now that you know what Catalog zones are capable of, lets see how you can create and configure them to use on your setup. For this, you will need to have two DNS server instances such that one of them will be your primary DNS server, where you will create primary zones, and the second DNS server instance will be your secondary DNS server which will host the corresponding secondary zones.

Creating Catalog Zone

To create a catalog zone, you will first need to login to the primary DNS server's admin web console and navigate to the Zone section. Use the Add Zone button in the Zones section and enter a domain name to be used for identifying the catalog zone, select the type as Catalog Zone, and click on Add button to create the catalog zone.

Creating Catalog Zone

Note that the catalog zone's domain name must be unique such that it does not block resolution of any valid domain name. It is recommended to use a subdomain name of the domain name that you already own to avoid any conflicts or use extensions like ".invalid" which will ensure that the catalog zone name does not conflict with any other domain name.

Once the catalog zone is added, you will need to go to the Zone Options, and configure the Zone Transfer and Notify sections to allow secondary DNS servers to sync their secondary zones and get notified whenever updates are available. But before that, you need to configure a TSIG key to secure the zone transfer between the servers so as to prevent an attacker from taking over your secondary DNS servers.

To configure TSIG key, go to the Settings > TSIG section, click on the Add button to add a row, enter a Key Name to identify the key, enter a Shared Secret (or keep it empty to auto generate), select HMAC-SHA256 Algorithm, and click on Save Settings button. You can use the same catalog zone's domain name as the key name to make it easier to identify it later.

Catalog Zone TSIG Configuration

Once the TSIG key is configured, you can switch back to the Zones section and open the Zone Options dialog for configuring the Zone Transfer and Notify options.

Catalog Zone Transfer Options

To configure Zone Transfer option, you will need to select the "Use Specified Network Access Control List (ACL)" option and enter the IP addresses of all the secondary DNS servers one below the other. Scroll a bit below and specify the Zone Transfer TSIG Key Names option with the name of the TSIG key that was configured earlier. You can use the Quick Add drop down to select the TSIG key name.

Catalog Zone Transfer TSIG Key Names

To configure Notify option, select the "Specified Name Servers" option and enter the IP addresses of all the secondary DNS servers one below the other. Once done, click on the Save button to complete the configuration for the catalog zone.

Catalog Zone Notify Options

Creating Secondary Catalog Zone

Login to the secondary DNS server's admin web console and navigate to the Settings > TSIG section to configure the same TSIG key in your secondary DNS server. To do that, click on the Add button to add a row, enter the same Key Name that was used in the primary DNS server's TSIG config, enter the same Shared Secret, select the same Algorithm, and click on Save Settings button.

Now switch to the Zones section, use the Add Zone button and enter the same domain name you had used to create the Catalog zone in your primary DNS server. Select the type as Secondary Catalog Zone, enter the IP address of the primary DNS server for the Primary Name Server Addresses option, keep the default Zone Transfer Protocol, select the TSIG Key Name that was added earlier, and click on Add button to create the secondary catalog zone.

Create Secondary Catalog Zone

Once the Secondary Catalog zone is added, it will automatically sync up the zone by performing zone transfer and process the zone records to apply the available properties. If you see the zone's status as Expired, just click on the refresh icon next to the zone's domain name to refresh it. If the zone is still Expired after a few minutes, go to the Logs > View Logs section and click on the latest log file to see if there were any errors logged. The error message, if any, will help to understand what went wrong and help you fix the issue.

If you have more than one secondary DNS server, repeat the steps described above to add Secondary Catalog zone for all of them.

Adding Member Zones

With the setup of Catalog zone and the Secondary Catalog zone, the main configuration is complete and you can now add any existing or new zones as member zones in the catalog. To add an existing zone, switch to your primary DNS server's admin web console and open Zone Option dialog for the primary zone that you wish to add. You will find a new General section in there with an option to select a catalog zone. Use the drop down option in there to select the catalog zone that you had created earlier and click Save button. The primary zone has now become a member zone of the catalog and DNS records codifying this information will get automatically added into the selected catalog zone. Within roughly 10 seconds, these records would get synced to the Secondary Catalog zone and get processed to automatically add a Secondary zone on the secondary DNS server.

Adding Existing Zone As Catalog Member Zone

While adding a new zone, you will now see an option to select a Catalog zone to add the new zone as its member zone. When a catalog zone is selected, the newly added zone immediately becomes a member zone and within a few seconds, its corresponding secondary zone would get automatically provisioned in your secondary DNS server.

Adding New Zone As Catalog Member Zone

When you disable or delete a primary zone that is a member of Catalog zone, it would automatically cause its corresponding secondary zone to be removed from the secondary DNS servers too. If you enable the primary zone back, then the corresponding secondary zone would again get automatically provisioned. Deleting the catalog zone itself would have no effect on the secondary DNS servers however, deleting the Secondary Catalog zone would remove all the secondary zones that were provisioned via it.

Along with Primary zones, a catalog zone can similarly be used with Stub and Conditional Forwarder zones. The Secondary Catalog zone would create a Stub zone itself as a "secondary" in the secondary DNS server, and it would create a Secondary Forwarder zone as a secondary for the Conditional Forwarder zone.

Member zones of a catalog automatically use all the options that are configured in the catalog zone's Zone Options dialog. It may be required that a certain primary zone needs to use some custom options. In that case, the Zone Options dialog has override options to allow overriding them with specific configuration which will automatically reflect in its respective secondary zone. However, using a common configuration provided in the Catalog zone is convenient to manage and if needed, you can have two or more catalog zones with different sets of configuration that are commonly required.

Conclusion

Catalog zones are powerful tools to automate zone provisioning across two or more secondary name servers. They also make it easier to update properties of zones from a single place minimizing chances of misconfiguration across the setup. Its possible to organize your setup by creating multiple catalog zones as per required common configuration and also allows you to provision zones on different set of secondary DNS servers per catalog zone.

Technitium DNS Server is planned to have full clustering support in upcoming major updates that would allow managing two or more DNS server instances from a single admin web console. The catalog zones feature added in this current update is an important part and will be used to provide support for the upcoming full clustering feature.

If you have any comments or queries, do let me know in the comments section below or send an email to support@technitium.com.

Sunday, September 22, 2024

Technitium DNS Server v13 Released!

I am happy to announce the release of Technitium DNS Server v13, a cross-platform, free, open source software that can be used by anyone, be it a novice or an expert user. It features an easy to use web based GUI and works with default config that allows the server to run out-of-the-box.

Download the latest update for Windows, Linux, macOS, or Raspberry Pi!

Technitium DNS Server v13

This major release adds support for Catalog Zones which allows automatic DNS zone provisioning to one or more secondary name servers. This allows you to have clustering support for the Zones section of the DNS server where you can add Primary, Stub, or Conditional Forwarder zone to a catalog and their respective secondary zones would get automatically provisioned on all the secondary DNS server running Secondary Catalog zone for the same catalog.

Another exciting update is with the recursive resolver that now supports concurrency allowing it to query more than one name server at a time. The resolver will select the fastest, DNSSEC validating response, and use it for further processing. The resolver also implements latency based name server selection algorithm that will measure latency and always select the fastest name server or forwarder. Both these concurrency and latency based server selection combined has significantly improved resolution performance.

Read the change log to know full details about this latest update.

Any comment or feedback is really appreciated and helps a lot in adding new features and fixing bugs. Send your feedback or support requests to support@technitium.com. You can also post on /r/technitium on Reddit for community support. For any feature request or reporting bugs, create an issue on GitHub.

The DNS Server source code is available under GNU General Public Licence (GPL) v3 on GitHub.

Make a contribution to the project and help in developing new software, updates and adding more features possible.
Donate Now!

Sunday, February 4, 2024

Technitium DNS Server v12 Released!

I am happy to announce the release of Technitium DNS Server v12, a cross-platform, free, open source software that can be used by anyone, be it a novice or an expert user. It features an easy to use web based GUI and works with default config that allows the server to run out-of-the-box.

Download the latest update for Windows, Linux, macOS, or Raspberry Pi!

Technitium DNS Server v12

This is a major release that now runs on ASP.NET Core 8 Runtime and adds many new features and options. This release also adds two new DNS apps. The DNS Rebinding Protection app protects your networks from DNS rebinding attacks. The NX Domain Override app allows you to override NX domain response with custom A/AAAA answer response.

The release also adds Newly Registered Domains Community Feed by Shreshta. You can read more on Newly Registered Domains to understand how it protects you better.

Read the change log to know full details about this latest update.

The DNS Server source code is available under GNU General Public Licence (GPL) v3 on GitHub.

Make a contribution to the project and help in developing new software, updates and adding more features possible.
Donate Now!

Saturday, March 25, 2023

How To Auto Renew SSL Certificates With Certbot Using DNS Challenge

If you have used certbot for automatic renewal of SSL certificates for your website using the HTTP challenge and are also running Technitium DNS Server to host your domain names then you can use certbot with DNS challenge to auto renew your SSL certificates. DNS challenge for certificate renewal has many advantages over HTTP challenge:

DNS challenge allows renewing wildcard certificate for your domain like *.example.com. This allows hiding your subdomain names such that they are not listed in publicly available Certificate Transparency logs. If you are not familier with this then do check your domain name on crt.sh website.
It allows renewing certificates for your internal servers i.e. servers in private LAN that are not accessible over the Internet to use the HTTP challenge. In fact, you do not even need to have a web server running to get the certificate issued.

The only constraint with using DNS challenge is to have either API access or Dynamic Updates (RFC 2136) access to your DNS provider. If you are using Technitium DNS Server to host your domain names, you have access to both. In this post we will discuss both the options you have and their pros and cons.

This post is written for Ubuntu Linux but, you can easily follow similar steps on your favorite distro.

Using HTTP API

Technitium DNS Server provides HTTP API which can be used to perform all the tasks that you can perform using the DNS web console. In fact, the DNS web console itself uses the same HTTP API. Certbot provides manual option for certificate renewal which also includes auth hook and cleanup hook options that you can utilize to create DNS records and remove them during the renewal process. We will be using these options to run a small bash script that will use the DNS server's HTTP API.

Follow the steps below to setup certbot that will use the DNS HTTP API to handle DNS challenge:

Generate an API Token for the DNS Server HTTP API from the web console. To do that, login to the web console, click on the top right user menu and click the Create API Token menu item. Enter the user's password, give an appropriate token name to help you identify it later, and click Create button. The API token will be generated and displayed immediately.

Note! The API token is displayed only once and not available later. Thus, copy the token string somewhere temporarily to use in the later steps.

Warning! It is recommended that you do not generate the API token for the DNS web console's "admin" user. Instead, create a separate user and edit the zone's permissions to give View and Modify access to it. This is necessary since in an event of the API token getting compromised the impact will be limited.
Login using SSH on your web server (for which you wish to setup certbot) as the root user or use sudo su to get root user access before proceeding.

Create a /root/certbot-auth.sh bash script using your favourite text editor with contents as shown below:

#!/bin/bash

# Generate API token from DNS web console
API_TOKEN="your-api-token"

# Create challenge TXT record
curl "http://dns-server:5380/api/zones/records/add?token=$API_TOKEN&domain=_acme-challenge.$CERTBOT_DOMAIN&type=TXT&ttl=60&text=$CERTBOT_VALIDATION"

# Sleep to make sure the change has time to propagate from primary to secondary name servers
sleep 25

Similarly create a /root/certbot-cleanup.sh bash script using your favourite text editor with contents as shown below:

#!/bin/bash

# Generate API token from DNS web console
API_TOKEN="your-api-token"

# Delete challenge TXT record
curl "http://dns-server:5380/api/zones/records/delete?token=$API_TOKEN&domain=_acme-challenge.$CERTBOT_DOMAIN&type=TXT&text=$CERTBOT_VALIDATION"

Make both the bash scripts executable and only accessible to the root user as shown below:
```
chmod 700 /root/certbot-auth.sh
chmod 700 /root/certbot-cleanup.sh
```
Install certbot if you do not have it already installed.
```
apt update
apt install certbot
```

Run the certbot command as shown below to start the initial certificate request for your domain name.

certbot certonly \
    --manual \
    --preferred-challenges=dns \
    --manual-auth-hook /root/certbot-auth.sh \
    --manual-cleanup-hook /root/certbot-cleanup.sh \
    -d example.com \
    -d *.example.com

Once the certbot command completes successfully, you will find the generated certificates in /etc/letsencrypt/live/example.com folder.

The HTTP API provides powerful ways to automate tasks as shown above but it has some issues that needs to be considered:

Using the HTTP API requires that the DNS server's web console needs to be accessible so that it can be used with automation scripts which may not be desirable in all scenarios.
The sample certbot auth/cleanup bash scripts that use the HTTP API uses HTTP links which are not secure. Thus you need to setup SSL certificate for the DNS server's web console before deploying certbot as described above in production.
If the API token saved in the bash scripts is compromised, an attacker will be able to perform all HTTP API calls with the priviledge of the API token's user. Thus its needed to be made sure that the user has limited access to only the zones that are required.
The API token allows modifying all the records in the zone since there is no granular permission available for each record. So, any compromise of the token can cause issues for the entire zone.

Using Dynamic Updates (RFC 2136)

Technitium DNS Server supports Dynamic Updates (RFC 2136) for primary zones which can be used with Certbot's certbot-dns-rfc2136 plugin.

Dymamic Updates is a DNS standard which means it uses the DNS protocol itself to work and thus there is no requirement for configuring SSL certificate for your DNS server's web console like in the case of HTTP API.

Also a special thing about Dynamic Updates is that it allows authentication using TSIG standard and allows specifying a Security Policy wherein you can explicitly configure which record and record type can be created/modified/deleted using the TSIG key.

This means that Dynamic Updates option is much better compared to the HTTP API option from security perspective. Thus its recommended to be used in production over the HTTP API option described earlier.

Follow the steps below to setup certbot to use certbot-dns-rfc2136 plugin to handle DNS challenge:

Login using SSH on your web server (for which you wish to setup certbot) as the root user or use sudo su to get root user access before proceeding.
Install certbot and python3-pip if you do not have it already installed.
```
apt update
apt install certbot python3-pip -y
```
Install the certbot-dns-rfc2136 plugin as shown below.
```
python3 -m pip install certbot-dns-rfc2136
```
Login to the DNS server's web console and navigate to Settings > TSIG section. Click on the Add button on the top right side to add a new entry. Enter an appropriate TSIG key name to help you identify it later, keep the Shared Secret empty, select the algorithm as HMAC-SHA256, and click Save Settings button at the bottom left corner. This will generate a TSIG key with a randomly generated Shared Secret which will be shown after you have saved the settings. Use the TSIG key name and the generated Shared Secret in the next step.

Create a /root/certbot-rfc2136.ini text file using your favourite text editor with contents as shown below:

# Target DNS server (IPv4 or IPv6 address, not a hostname)
dns_rfc2136_server = 192.168.10.2
# Target DNS port
dns_rfc2136_port = 53
# TSIG key name
dns_rfc2136_name = YOUR-TSIG-KEY-NAME.
# TSIG key secret
dns_rfc2136_secret = YOUR-TSIG-SHARED-SECRET
# TSIG key algorithm
dns_rfc2136_algorithm = HMAC-SHA256

Set file permissions so that the ini file is only accessible to the root user.
```
chmod 600 /root/certbot-rfc2136.ini
```
Configure the zone, for which you wish to generate the SSL certificate, to enable Dynamic Updates. To do so, switch to the DNS server's web console and navigate to the Zones section. Find your zone and click on it to open the zone edit view. Find the Options button at the top and click it to open the Zone Options dialog. Navigate to the Dynamic Updates (RFC 2136) tab to configure it. In there select the "Allow" option to allow Dynamic Updates then scroll down to create a Security Policy. Click on the Add button to add a new security policy entry. Here select the TSIG key name that you had created earlier, enter "_acme-challenge.example.com" as the domain name, enter "TXT" as the Allowed Record Types, and click Save button to complete the config.

Run the certbot command as shown below to start the initial certificate request for your domain name.

certbot certonly \
  --dns-rfc2136 \
  --dns-rfc2136-credentials /root/certbot-rfc2136.ini \
  --dns-rfc2136-propagation-seconds 25 \
  -d example.com \
  -d *.example.com

Once the certbot command completes successfully, you will find the generated certificates in /etc/letsencrypt/live/example.com folder.

Testing Auto Renewal

Once you have the SSL certificate generated with certbot, it will be automatically renewed using the same config that you used to request the initial certificate. To test the certbot renewal process, you can try the dry run command shown below. If there are no errors reported during the dry run then it means the renewal mechanism is working as expected.

sudo certbot renew --dry-run

Configuring Your Web Server

You can now configure your web server or any other server that requires the SSL certificate to complete the setup. When the SSL certificate is renewed, your web server may need to be reloaded to allow it to load the new certificate. To do that you can create a /etc/letsencrypt/renewal-hooks/post/reload.sh bash script using your favourite text editor with the sample script below that will reload nginx web server in this example.

#!/bin/sh

systemctl reload nginx
echo "nginx reloaded!"

Make the reload script executable as shown below.

chmod +x /etc/letsencrypt/renewal-hooks/post/reload.sh

The above script will be automatically executed by certbot when the SSL certificate is renewed.

If you have any queries do let me know in the comments section below or send an email to support@technitium.com.

Sunday, February 19, 2023

Configuring DNS-over-QUIC and HTTPS/3 For Technitium DNS Server

Updated: 19 Apr 2024

Technitium DNS Server is a cross-platform, free, open source software that is easy to deploy and use yet pack powerful features. Starting with the version 11.0 release, the DNS server now supports DNS-over-QUIC encrypted DNS protocol in addition to existing DNS-over-TLS and DNS-over-HTTPS encrypted DNS protocols. With this update, you will be able to use DNS-over-QUIC protocol with a forwarder or connditional forwarder, or host your own DNS-over-QUIC service.

The DNS server has also added support for HTTP/3 for both its web console and DNS-over-HTTPS service. Since HTTP/3 also uses QUIC tranport protocol, the requirements and configuration mentioned in this post also applies to it.

Let's see how to configure the DNS server to use the new QUIC transport protocol.

Requirements

The DNS-over-QUIC protocol uses a very new QUIC transport protocol which is not yet available on all platforms. Currently it is available only on Windows and Linux platforms. The .NET Runtime relies on the msquic library which is an implementation of QUIC protocol by Microsoft.

For Windows

The support for QUIC on Windows is only available on following Windows versions:

Windows 11 (build 22000 or later)
Windows Server 2022

The above supported Windows version have msquic already installed and thus there is no additional installation needed. There is no option yet to use the QUIC protocol on Windows 10 or older versions. However, it is possible to use it on Windows 10 by using docker container deployments.

For Linux

On Linux, you need to install libmsquic to enable QUIC protocol support. You can install it using Microsoft Software Repository for Linux. You can follow the instructions given in the link to add the software repository on your distro as shown in examples below:

Ubuntu

source /etc/os-release
wget https://packages.microsoft.com/config/$ID/$VERSION_ID/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
rm packages-microsoft-prod.deb
sudo apt update

Debian / Raspberry Pi OS

wget https://packages.microsoft.com/config/debian/12/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
rm packages-microsoft-prod.deb
sudo apt update

Once you have the Microsoft Software Repository installed on your distro, you can proceed to install libmsquic library as shown below:

sudo apt install libmsquic -y

Now restart the DNS server so that it loads the newly installed libmsquic library. Once the DNS server is available, you can use the DNS-over-QUIC protocol with forwarder or conditional forwarder configuration, or with the DNS Client tab in the DNS server web console. If you wish to run your own DNS-over-QUIC service, you can enable it from the Settings > Optional Protocols section similar to how you would enable the other encrypted DNS protocols.

If you have enabled HTTPS and HTTP/3 options, and configured a TLS certificate for the DNS web console, the web service will enable HTTP/3 support which will be available on UDP port 443.

If you have any comments or queries, do let me know in the comments section below or send an email to support@technitium.com.

Saturday, February 18, 2023

Technitium DNS Server v11 Released!

I am happy to announce the release of Technitium DNS Server v11, a cross-platform, free, open source software that can be used by anyone, be it a novice or an expert user. It features an easy to use web based GUI and works with default config that allows the server to run out-of-the-box.

Download the latest update for Windows, Linux, macOS, or Raspberry Pi!

Technitium DNS Server v11

This is a major release that now runs on ASP.NET Core 7 Runtime as the DNS server now uses Kestrel web server for both its web console and also for DNS-over-HTTPS service. With this change, the DNS server now supports HTTP/2 and HTTP/3 for both DNS-over-HTTPS service and also for the DNS web console. It also now supports DNS-over-QUIC encrypted DNS protocol and many new features.

Read the change log to know full details about this latest update.

The DNS Server source code is available under GNU General Public Licence (GPL) v3 on GitHub.

Make a contribution to the project and help in developing new software, updates and adding more features possible.
Donate Now!

Saturday, November 26, 2022

Technitium DNS Server v10 Released!

I am happy to announce the release of Technitium DNS Server v10, a cross-platform, free, open source software that can be used by anyone, be it a novice or an expert user. It features an easy to use web based GUI and works with default config that allows the server to run out-of-the-box.

Download the latest update for Windows, Linux, macOS, or Raspberry Pi!

Technitium DNS Server v10

This is a major release that now runs on .NET 7 Runtime and adds a lot of features like Dynamic Updates Security Policy, DANE TLSA record, SSHFP record, EDNS Client Subnet, DNS64, and more.

Read the change log to know more details about this latest update.

The DNS Server source code is available under GNU General Public Licence (GPL) v3 on GitHub.

You can make a contribution to the project by becoming a Patron and help in developing new software, updates and adding more features possible. Become a Patron now!

Saturday, September 24, 2022

Technitium DNS Server v9 Released!

I am happy to announce the release of Technitium DNS Server v9, a cross-platform, free, open source software that can be used by anyone, be it a novice or an expert user. It features an easy to use web based GUI and works with default config that allows the server to run out-of-the-box.

This is a major release that adds multi-user role based access support.

Download the latest update for Windows, Linux, macOS, or Raspberry Pi!

Technitium DNS Server v9

Read the change log to know more details about this latest update.

The DNS Server source code is available under GNU General Public Licence (GPL) v3 on GitHub.

You can make a contribution to the project by becoming a Patron and help in developing new software, updates and adding more features possible. Become a Patron now!

Saturday, June 25, 2022

How To Self Host Your Own Domain Name

A lot of people self host their own blogs or websites but its rare for someone to host their own domain name. For most people, the domain name hosting provided by the domain name registrar is sufficient for their use case. People who need more control and features usually use popular services like AWS, Cloudflare, etc. In this blog post, we will see how to host and configure your own name servers for self hosting all your domain names.

Technitium DNS Server Is Both Authoritative And Recursive DNS Server

Should You Really Self Host?

The first question that may come to your mind is that if you should really be self hosting your own domain names? Self hosting is not a solution for everyone and you need to evaluate your reasons before coming to a decision on it.

You should self host your own domain name if:

You are looking to learn how to self host domain names so doing it will make sure that you learn all the aspects that come with it. This will help you learn how DNS works in general in a practical way.
You are a hobbyist and interested in self hosting but don't have anything critical being hosted.
You are an advanced user and want full control over your setup. You know exactly what you are looking for and are capable to handle any operational issues that may occur.

Pros And Cons Of Self Hosting

Self hosting your domain name gives you complete control over its setup and can use advanced features that may not be available elsewhere. But, like always this comes with its own pros and cons.

Some of the cons to self host your domain names that you may need to consider are:

You are solely responsible for your name servers. Which means you need to regularly monitor the setup to make sure things are working well. Any failure can cause your website to stop resolving and your email from from being delivered and received.
You need to have redundancy such that when your primary name server hosting your domain name fails, you have secondary name servers that can keep your domain name working.
Someone can easily take down your name servers with a DDoS attack. This equally applies to other self hosted services like web servers running your blog or website. But there are mitigations available that we will discuss.
Your name servers can be used for DNS amplification attacks. But for this too, there are mitigations like query rate limiting available to make such attacks useless.

But these pros to self host your domain names may want you to go ahead with it:

You get absolute control over your domain name and can configure it to work anyway you wish.
You get access to advanced features not available otherwise. You can also develop custom plugins that answer for your domain names as per your own business logic.
Unlike hosting web servers, if one of your names servers is down, your domain name will still resolve. With web servers its a bit complex to manage this but with DNS, you don't have to worry about it that much. This is since, you need at least one of your name servers to be online so that your domain name resolves.
You can sign your domain name for DNSSEC which may not be available with your current DNS provider. But not all Top Level Domain (TLD) names support DNSSEC so you may want to check that first. While this blog post does not cover DNSSEC signing, this subsequent blog post explains how to sign your domain name with DNSSEC.
You get access to DNS logs and live stats which may not be available with your current DNS provider.

Minimum Requirements

Now that you have made a decision to proceed, lets see the minimum requirements for the complete setup. To host you own name server, you need a server with a static IP address. You can host the server in-house but its recommended to use a cloud hosting provider like Digital Ocean (referral link). This is since, hosting a server in-house requires you to have an Uninterrupted Power Supply (UPS) setup to make sure the server keeps running during power outage and also have a stable Internet connection, which may be one of the most challenging thing to have in your region. Using a cloud hosting provider, all these challenges are outsourced so that you do not have to worry about downtime and backups.

A server with basic config like single core CPU and 1GB RAM can be sufficient for most cases. Such a server will will cost as low as $5/mo with Digital Ocean (referral link).

For redundancy, you should have at least one secondary name server so that if your primary name server does down for any reason, your domain keeps resolving via your secondary name servers. Ideally, the secondary name server must be in a different region so that any issue affecting the primary name server does not affect the secondary name server too. There are some free and paid secondary DNS hosting options available too that you can choose from which we will see later.

Another important requirement is that your domain's Top Level Domain (TLD) must support configuring "child name servers". A child name server is a feature that allows you to register a subdomain name of your own domain to be used as your own name server. For example, if your domain name is "example.com", a child name server domain will be something like "ns1.example.com" or "ns2.example.com". This allows you to use something like "ns1.example.com" as the domain name for your primary name server that is hosting your "example.com" zone.

If you have a .com or .net domain name then these TLDs support this feature but other TLDs may not support it. In such case, you need to buy a domain name whose TLD supports child name servers and use that domain for all you other domain names as the name server. To know if your TLD supports child name servers, just login to your domain registrar's DNS panel and find if there is a "child name server" or "register name server" option to configure in your domain's advanced settings.

The Plan

In this blog post, we will setup one primary name server and optionally another one to act as the secondary name server for redundancy. You can add any number of secondary name servers as you wish depending on your requirements or plan to get a secondary DNS hosting provider.

To move further with installation and the configuration, its important and helpful that you understand how DNS servers do recursive resolution. There are different types of DNS servers that perform different functions but, a single DNS server software can support to perform all of these functions.

The common types of DNS servers are:

Authoritative Name Servers
These are the DNS servers that host a domain name. The domain name is hosted as a zone which means that any request for the domain name and its subdomain names can be answered by this server. Which is why its called as the authoritative name server for that domain. To self host your domain name, we are going to setup authoritative name servers.

An authoritative name server will respond with an answer to request only for the domain names it has a zone hosted for. A zone is a collection of DNS records that the authoritative name server must answer to. Any request with domain name not hosted will be responded with a REFUSED response code to indicate that the authoritative name server does not know an answer for the question.

There can be one or more authoritative name server for a domain name. One of them is the primary name server while the rest of the other are secondary name servers. You can update DNS records only on the primary name servers and any changes you make are automatically synced to the secondary name servers.
Recursive Name Servers
These are the DNS servers that are commonly hosted by ISPs or public DNS providers like Google DNS, Cloudflare DNS, or Quad9. Internet client devices send a request to these servers when they want to resolve a specific domain name. Its the task of these servers to perform recursive resolution which is a process to discover the list of authoritative name servers for the domain name and then query them to find the answers requested by the client.

A recursive name server has a preconfigured list of 13 root servers. These root servers are spread across the world and contain list of all Top Level Domains (TLDs) with their authoritative name server domain names and their IP addresses (known as glue addresses). The recursive resolution process first queries one of the root servers for the domain name to be resolved for which it receives a list of authoritative name servers for the domain's TLD. The recursive resolver then proceeds by sending a 2nd request to these new list of authoritative name servers for which it now receives another list of authoritative name servers for the domain name in the request. The recursive resolver again proceeds by sending a 3rd request to these authoritative name servers for the domain name to receive the final answer to the original question. This answer is cached to avoid repeating the recursive resolution process over and over again.
Stub Resolvers
These are the DNS servers that are commonly running on your WiFi routers and also on your device's operating system. These DNS servers forward any request they receive to Recursive Name Servers and cache the responses in memory to avoid frequent queries over network and to improve performance.

So, when you enter a website's address in your web browser, the domain resolution request is first received by the stub resolver running on your device which then forwards the request to the DNS server IP addresses that are configured on your network adapter which usually will be the IP address of your Internet WiFi router. This router's stub resolver then forwards the request to the DNS server IP address configured in its WAN settings by your ISP which are the Recursive name servers.

Now that you have a fair understanding of the plan and some basic concepts that we can proceed with the installation.

Installation

We will install Technitium DNS Server on your server and call it as the primary name server. You can optionally choose to create one or more secondary name servers by following the exact same installation steps.

We will be using Ubuntu server here but you can choose any distro of your choice and follow similar instructions. You can choose to use a different OS for your server but its recommended to use a Linux based OS to keep the hosting costs to a minimum.

Connect to your server using SSH and run the single line installation command given below to install the DNS server. You can also install it as a docker image or manually install the DNS server by following the detailed install instructions.

$ curl -sSL https://download.technitium.com/dns/install.sh | sudo bash

Once the installation is complete, you can access the DNS server's web console at http://<server-ip-address>:5380/ and quickly setup a strong admin password.

Configuration

Before proceeding with the configuration, you must decide the domain names to be used for your primary and secondary name servers (if any). For example, if your domain name is "example.com" then you should select something like "ns1.example.com" as the domain name for your primary name server, "ns2.example.com" as the domain name for your secondary name server, and so fourth if you wish to have more than one secondary name servers.

If your domain's TLD does not support registering child name servers, then you need to first host a domain name which supports it. If you don't own such a domain name then you need to buy one before proceeding.

Make a list of the selected domain names for your name servers with their corresponding IP addresses as shown in the example below to help with the configuration:

ns1.example.com		<primary name server's ip address>
ns2.example.com		<secondary name server's ip address>

If your server hosting provider supports IPv6 then enable IPv6 for your server and enter the IPv6 address too in the above said list.

Configuring Primary Name Server:

We will now proceed to configure the primary name server. Login to the primary name server's DNS web console and follow the steps below:

Go to the Settings > General section, set the selected primary name server's domain name as the "DNS Server Domain", and click on Save Settings button at the bottom.
Go to the Zones section, and click on the Add Zone button. Enter your domain name that you want to self host in the Add Zone window, keep the Type as Primary Zone and click on Add button to create a primary zone for your domain name.
Once you have created the primary zone, you will see only one NS record and an SOA record. Edit the SOA record and enter a valid email address as the "Responsible Person" on which you can receive emails and save the record.
Add NS records for all of the secondary name servers that you have planned. You do not need to enter any glue address for adding the NS records.
Add A records for all the name servers based on the list of name servers you prepared before starting the configuration. Each NS record's domain name must have a corresponding A record in the zone. If your name servers have IPv6 address, add AAAA records too for them corresponding to each NS record.
Add all the other records for the primary zone manually by referring at your existing DNS provider's panel. Once you have added all the records, the primary zone is ready for the next step.

Switching Domain's Name Servers:

Now that the primary zone is ready with all the records, we can proceed to make it live so that other recursive name servers on the Internet can find it to resolve the domain name. To do that, login to your domain registrar's DNS panel and follow the steps below:

Find your domain name in the registrar's DNS panel and click on it to see the details section.
Find option in the domain details section that says something like "Nameserver Registration" or "Child Nameservers". Once you find the correct option, enter the child name server domain names from the list of name servers (e.g. ns1.example.com) and their corresponding static IP addresses. Once you save the changes, the registrar will update your TLD's name servers with the details of the child name servers and their IP addresses (glue addresses).
Find option in the domain details section that says something like "Manage Nameservers". Once you find the correct option, enter the domain names of all your name servers that were registered in the previous step. Remove any previously existing name server entries that you see in there and keep just the ones you have entered. Once you save these changes, you will start seeing traffic coming on your primary name server as soon as the the name server (NS) records changes are updated to your TLD name servers. This can be as quick as a few seconds or may take a while for some TLDs depending on how they have implemented the update process.

Testing Primary Name Server:

You can test your setup to confirm if your primary name server is indeed answering requests for your domain using the DNS Client website. Just go to dnsclient.net, keep the Server option to Recursive Query, enter your domain name, and click on Resolve button. In the response that you get, you should see the "Metadata.NameServer" set with the domain name of your primary name server. If its still showing you one of the the domain names of your old name servers then it means that the changes have still not updated and you should wait for some more time to test it again.

Configuring Secondary Name Servers:

Once you have made sure that the primary name server is resolving the domain name, you can then configure one or more optional secondary name servers. Its recommended to have at least one secondary name server but if you do not wish to have one, you can skip this part. Login to the secondary name server's DNS web console and follow the steps below:

Go to the Settings > General section, set the secondary domain name as the "DNS Server Domain", and click on Save Settings button at the bottom.
Go to the Zones section, and click on the Add Zone button. Enter your domain name in the Add Zone window, select the type as Secondary Zone, and click on Add button to create the secondary zone. To add secondary zone, primary name server addresses were not needed since the domain name is publicly resolvable and so the DNS server will find out the primary name server automatically.
Once the zone is created, the DNS server will try to perform zone transfer to sync all the DNS records from the primary zone into the secondary zone. The zone status will show as Expired till the records are synced. You can click on the refresh icon next to the domain name in the zone to check if the records have been synced. If the records didn't sync and the zone status is still Expired after a minute, you should check the DNS server's logs from the web console to see if there are any errors.

When you see the records populate in the secondary zone, the configuration for it is completed. Repeat the same steps for any other secondary name servers that you may have planned. Since, we had added registered all the name server domain names in the domain registrar's panel, the secondary name server will too start seeing traffic for your domain name soon.

Self Hosting Another Domain Name

Now that you have one of your domain names self hosted, you can add one or more of your other domain names to self host. Follow the steps below for self hosting your other domain names:

Login to your primary name server's DNS web console.
Go to Zones section and add a new primary zone for your second domain name.
Once the primary zone is created, you will see one NS and an SOA record. Edit the SOA record with a valid email address that you can receive emails on.
Add NS records for your secondary name servers that you wish to be used for this second domain name. You do not need to provide any glue addresses for these NS records.
Add all other records in the primary zone to complete the primary zone configuration.
Login to your secondary name server's DNS web console.
Go to the Zones section and add a new secondary zone for your second domain name.
The secondary name server will perform automatic zone transfer to sync all the records from your primary name server.
Login to your domain registrar's web panel.
Find the second domain name and click on it to see the details section.
Find option in the domain details section that says something like "Manage Nameservers". In this option, remove the existing name servers and add the domain names of your primary and secondary name servers. Once you save these changes, you will soon start seeing traffic coming on your primary and secondary name servers for your second domain name.

Additional Configuration

Apart from the configuration to host the zones, there are a few things that must be configured too:

Enable HTTPS for DNS Web Console
You should enable HTTPS for the DNS web console for security reasons. The bare minimum option is to enable HTTPS with self signed TLS certificate option in Settings > Web Service section. A better option is to configure certbot to renew Let's Encrypt certificate and configure it in the Settings > Web Service section.
Query Rate Limiting
To mitigate from attacks that use your DNS server for DNS amplification attacks, you should configure the Queries Per Minute (QPM) options in Settings > General section to rate limit queries per client subnet.
Drop Requests App
Install the Drop Requests DNS App from the Apps section's App Store option. This app will allow you to drop requests that match from the given list of names and/or types. Take a look at the app's json config to see how certain names or types can be blocked.
Backup
Once all the config is complete you should take backup for the entire DNS server from Backup Settings option in the bottom right of the Settings section. It is recommended to take regular backups this way so that you can quickly restore from the latest backup when your DNS server requires rebuilding due to any issues. Enabling backup option with your cloud hosting provider is also highly recommended.

Configuring 3rd Party Secondary DNS Provider

There are 3rd party DNS hosting providers that allow you to host secondary zones with them. Most of them are paid services but if you are hosting your personal project domain names then you can use the free secondary DNS service provided by NS-Global. Follow the sign-up instructions on their website to add a secondary name server for your domain names. Note, that you will need to use the Zone Options to configure zone transfer and notify for setting up the secondary zone with NS Global.

Once you have the secondary zone created with NS Global, you can update the name servers for your domain from the domain registrar's panel to allow discovering the new secondary name server.

Conclusion

With some efforts to learn DNS concepts, its possible for anyone determined to self host their own domain names. Technitium DNS Server allows easy installation, configuration, and maintenance of DNS zones with minimal efforts. With 3rd party secondary DNS service, you can add more redundancy and reliability to your setup.

If you have any comments or queries, do let me know in the comments section below or send an email to support@technitium.com.

Saturday, March 26, 2022

Technitium DNS Server v8 Released!

I am happy to announce the release of Technitium DNS Server v8, a cross-platform, free, open source software that can be used by anyone, be it a novice or an expert user. It features an easy to use web based GUI and works with default config that allows the server to run out-of-the-box.

This is a major release that adds many core DNS features like support for DNSSEC validation and signed zones.

Download the latest update for Windows, Linux, macOS, or Raspberry Pi!

Technitium DNS Server v8

Some of the notable features that were added to this latest update are:

DNSSEC validation support for both recursive resolution, forwarders, and conditional forwarders.
DNSSEC validation support for all DNS transport protocols (Do53, DoT, DoH, & DoH JSON).
Support to allow hosting primary and secondary DNSSEC signed zones.
Support for all RSA and ECDSA DNSSEC algorithms.
EDNS(0) [RFC 6891] support.
Extended DNS Errors [RFC 8914] support.
Codebase upgrade to .NET 6 runtime.

Read the change log to know more details about this latest update.

The DNS Server source code is available under GNU General Public Licence (GPL) v3 on GitHub.

You can make a contribution to the project by becoming a Patron and help in developing new software, updates and adding more features possible. Become a Patron now!

Sunday, July 25, 2021

[Updated] Running A Root Server Locally On Your DNS Resolver

Update (Oct 20, 2024): DNS server v13.1 now includes "Secondary ROOT Zone (RFC 8806)" option in Add Zone dialog reducing this entire blog post into a single click operation.

Update (Sept 28, 2024): With the release of v13 of DNS server, there is no need to follow this blog post's requirement to create a separate DNS server instance to run the secondary ROOT zone. The v13 update now supports ZONEMD validation and the ROOT zone also includes ZONEMD record making it possible to validate the ROOT zone directly. You can now create the secondary ROOT zone on your existing DNS server instance and enable the ZONEMD validation to automatically validate the ROOT zone contents after each zone transfer.

Update (June 11, 2022): The previous blog post instructed how to run a secondary root zone locally without DNSSEC considerations since the Technitium DNS Server version before v8.0 did not support DNSSEC. Now that DNSSEC is supported, it is highly recommended to update your local root zone deployments as per the the new instructions in this blog post. The new configuration changes comply with all the requirements in RFC 8806.

Introduction

A DNS recursive resolver is typically primed with a list of Root Servers which it uses to resolve queries. When the recursive resolver receives a query, it queries to one of the root servers to get back a list of top level domain (TLD) name servers. It then queries those TLD name servers to get back another list of name servers hosting the domain name. This process is done recursively until the an answer for the query is resolved.

The DNS recursive resolver maintains a cache to avoid frequent queries and thus improving its performance. However, when the cache expires or is flushed, the recursive resolution process is performed again.

During the recursive resolution process, there is a possibility that the response from root server is delayed due to network issues or other events like the root server being under a Denial of Service (DoS) attack. There could also be passive monitoring of DNS requests going to root servers by an on path actor compromising privacy.

To prevent these issues and to improve resiliency there is a good option to run a Root Server locally on your DNS resolver.

There are several advantages of running a Root Server locally:

The Root zone contains all the TLD name servers and their IP addresses. This allows the DNS resolver to skip the initial query to the Root Server and directly query to the TLD name servers saving time.
Since the Root zone is running locally, queries for non existent top level domain (TLD) names are resolved locally.
This also improves resiliency since the Root zone is local and thus there is no immediate dependency on the Root Servers for recursive resolution.

There are a few disadvantages too:

If there are any updates to the Root zone, it will take slightly longer for those changes to sync to your local Root zone. Though there wont be much of a noticeable issue.
If your local Root zone is not updating due to any reason and it was not detected, then the local Root zone will expire after 7 days (as per Root SOA Expiry). This may cause some DNS resolvers to fail to resolve any queries when cache expires. Technitium DNS Server however will fall back to root hints in such a case.

Considering both the advantages and disadvantages, its good to have a Root zone locally for a recursive resolver.

Sourcing The Root Zone

The root zone is available from ICANN DNS servers via zone transfer (AXFR-over-TCP):

xfr.cjr.dns.icann.org (192.0.47.132, 2620:0:2830:202::132)
xfr.lax.dns.icann.org (192.0.32.132, 2620:0:2d0:202::132)

The following Root Servers also support zone transfer (AXFR-over-TCP):

b.root-servers.net (199.9.14.201, 2001:500:200::b)
c.root-servers.net (192.33.4.12, 2001:500:2::c)
d.root-servers.net (199.7.91.13, 2001:500:2d::d)
f.root-servers.net (192.5.5.241, 2001:500:2f::f)
g.root-servers.net (192.112.36.4, 2001:500:12::d0d)
k.root-servers.net (193.0.14.129, 2001:7fd::1)

It is recommended to have DNSSEC enabled on your DNS resolver. Use recursive ACL to make sure that your DNS resolver accepts queries only from known clients to protect from DNS amplification attacks.

Configuration

It is assumed here that you already have Technitium DNS Server installed and running on your server. To run the root zone locally, we need to run another instance of Technitium DNS Server on the same server. This second, local instance of the DNS server will answer requests only on loopback interface and thus wont be accessible from the network. The second DNS server instance will host the root secondary zone. Your currently running DNS server instance will query this second DNS server instance when root zone records are required.

While this blog post focuses on running the root server instance locally on the same server that is currently running your DNS server instance, it is possible to run it on a different server such that two or more DNS servers can be configured to use that single root server instance. The only thing that must be taken care of is to make sure that the root server instance is not used as a DNS server for normal domain lookups.

Note: Before proceeding, make sure to take a backup of the DNS server instance that you already have running in case you want to start over. You can create a backup zip file by clicking Backup Settings at the bottom right of the Settings section.

Creating A Second Local DNS Server Instance

Since, we need two DNS server instances running, the admin web console which runs by default on TCP 5380 port will cause a conflict. To prevent this, the second instance needs to be configure to run on a different port so we choose TCP 5381 for it. Follow the steps below to get the second instance running.

On Linux Installation:

Create a systemd service for running the second DNS server instance by following the steps below:
Copy the systemd.service template as a new dns2.service systemd service:

$ sudo cp /opt/technitium/dns/systemd.service /etc/systemd/system/dns2.service

Edit the dns2.service file in nano:

$ sudo nano /etc/systemd/system/dns2.service

Explicitly specify a different config folder to use /etc/dns2 as shown below:

[Unit]
Description=Technitium DNS Server

[Service]
WorkingDirectory=/opt/technitium/dns
ExecStart=/usr/bin/dotnet /opt/technitium/dns/DnsServerApp.dll /etc/dns2
Restart=always
# Restart service after 10 seconds if the dotnet service crashes:
RestartSec=10
KillSignal=SIGINT
SyslogIdentifier=dns-server-2

[Install]
WantedBy=multi-user.target

Exit nano saving the dns2.service file.

Login to the first DNS server instance by opening the url http://<server-ip-address>:5380/, go to Settings > Web Service section and change the Web Service HTTP Port to 5379 so that the default port is available temporarily for the second instance. Click on Save Settings button and the web console will automatically redirect you to the new DNS web console URL. Keep this tab open for later use.

Start the second DNS server instance:

$ sudo systemctl enable dns2.service
$ sudo systemctl start dns2.service

Open the url http://<server-ip-address>:5380/ to access the web console of the second instance. Go to Settings > General section and set 127.0.0.2 as the DNS Server Local End Points replacing any existing values. Go to Settings > Web Service section and edit the Web Service HTTP Port to 5381 and click on Save Settings. The web console will automatically redirect you to the new URL.
Switch to the first DNS server's web console tab that was kept open. Go to Settings > General section and set 127.0.0.1 and <server-ip-address> (use your actual server's IP address) as the DNS Server Local End Points replacing any existing values. Go to Settings > Web Service section and change the Web Service HTTP Port back to 5380 now that the second DNS server instance is running on port 5381. Click on Save Settings button and the web console will automatically redirect you to the new DNS web console URL.

On Windows Installation:

Click on Start, type cmd, right click on the command prompt item and click Run as administrator to open CMD as an administrator.
Run the following command in CMD to create a Windows service for running the second DNS server instance and explicitly provide the path to a different config folder C:\Program Files (x86)\Technitium\DNS Server\config2\ for use:
```
C:\Windows\system32> sc create DnsService2 binPath= "C:\Program Files (x86)\Technitium\DNS Server\DnsService.exe \"C:\Program Files (x86)\Technitium\DNS Server\config2\"" DisplayName= "Technitium DNS Server 2" start= auto
```
Login to the first DNS server instance by opening the url http://<server-ip-address>:5380/, go to Settings > Web Service section and change the Web Service HTTP Port to 5379 so that the default port is available temporarily for the second instance. Click on Save Settings button and the web console will automatically redirect you to the new DNS web console URL. Keep this tab open for later use.

Start the second DNS server instance:

C:\Windows\system32> sc start DnsService2

Open the url http://localhost:5380/ to access the web console of the second instance. Go to Settings > General section and set 127.0.0.2 as the DNS Server Local End Points replacing any existing values. Go to Settings > Web Service section and edit the Web Service HTTP Port to 5381 and click on Save Settings. The web console will automatically redirect you to the new URL.
Switch to the first DNS server's web console tab that was kept open. Go to Settings > General section and set 127.0.0.1 and <server-ip-address> (use your actual server's IP address) as the DNS Server Local End Points replacing any existing values. Go to Settings > Web Service section and change the Web Service HTTP Port back to 5380 now that the second DNS server instance is running on port 5381. Click on Save Settings button and the web console will automatically redirect you to the new DNS web console URL.

Note: On Windows Server 2022, ensure that you do not enable the HTTP/3 protocol option from Settings > Web Service section. This is since the DNS server keeps thousands of UDP sockets open and it may happen that the port used for HTTP/3 may clash with an open UDP socket from the root zone instance causing the main DNS instance to fail to bind the web service on the same port when HTTP/3 is enabled.

On Docker:

Create a docker-compose.yml file in a folder with contents as show below to create the first DNS server instance:

version: "3"
services:
  dns-server:
    container_name: dns-server
    hostname: dns-server
    image: technitium/dns-server:latest
    ports:
      - "5380:5380/tcp" #DNS web console
      - "127.0.0.1:53:53/udp" #DNS service
      - "127.0.0.1:53:53/tcp" #DNS service
      - "<server-ip-address>:53:53/udp" #DNS service
      - "<server-ip-address>:53:53/tcp" #DNS service
    environment:
      - DNS_SERVER_DOMAIN=dns-server #The primary domain name used by this DNS Server to identify itself.
    volumes:
      - config:/etc/dns
    restart: unless-stopped
volumes:
    config:

Note: You can edit your existing docker-compose.yml file that you used to run your existing container with above port changes and rebuild it.

Click on Start, type cmd, right click on the command prompt item and click Run as administrator to open CMD as an administrator. Navigate to the folder where the docker-compose.yml exists using the CD <folder-path> command. Run the following command to create the docker container:
```
docker-compose up -d
```

Create a docker-compose.yml file in another folder with contents as show below to create the second DNS server instance:

version: "3"
services:
  dns-server:
    container_name: dns-server-2
    hostname: dns-server-2
    image: technitium/dns-server:latest
    ports:
      - "5381:5380/tcp" #DNS web console
      - "127.0.0.2:53:53/udp" #DNS service
      - "127.0.0.2:53:53/tcp" #DNS service
    environment:
      - DNS_SERVER_DOMAIN=dns-server-2 #The primary domain name used by this DNS Server to identify itself.
    volumes:
      - config2:/etc/dns    
    restart: unless-stopped
volumes:
    config2:

Click on Start, type cmd, right click on the command prompt item and click Run as administrator to open CMD as an administrator. Navigate to the folder where the docker-compose.yml exists using the CD <folder-path> command. Run the following command to create the docker container:
```
docker-compose up -d
```

Configuring The Root Zone

To configure the root zone, open the second instance web console at http://<server-ip-address>:5381/ and go to the Zones section. Click on the Add Zone button to create a secondary zone for . as the zone name. Enter the primary name server addresses as shown in the screenshot below:

Configuring Local Secondary Root Zone

Once you have the secondary zone created, wait for a few seconds for the DNS server to perform the zone transfer. The Root zone meanwhile will show as expired. If its taking a lot of time, do check the DNS server logs to see if there are any errors being logged.

After the secondary zone is synced, you will see all the root zone records. There are thousands of records and it may take a couple of seconds for the DNS panel to list all of them. Here is what you should see in the DNS zone:

Local Secondary Root Zone

Now, open the first instance web console at http://<server-ip-address>:5380/ and go to the Zones section. Click on the Add Zone button to create a Conditional Forwarder Zone for . as the zone name and with the Use "This Server" option enabled. Once the zone is created, click Add Record to add a record of NS type, with localhost as the Name Server, and 127.0.0.2 as the Glue Address. You can now delete the FWD record that you see. Once done, you should have the conditional forwarder zone config as shown below:

Local Static Stub Root Zone

This NS record will now make the conditional forwarder zone act as a static stub zone such that it will now query the specified name server when performing recursive resolution.

In case you had decided to run the root server instance on another server, just use its domain name as the name server and it's IP address as the glue address for the NS record to complete the configuration.

References

RFC 8806 - Running a Root Server Local to a Resolver

If you have any queries do write in the comments section below or send an email to support@technitium.com.

Mesh

mesh.im/

Technitium Mesh is a secure, anonymous, peer-to-peer, open source instant messenger with end-to-end encryption. Download now!

DNS Client

dnsclient.net/

Technitium DNS Client is an online domain name lookup service to quickly query any name server including root servers. Try now!

DNS Server

technitium.com/dns/

Technitium DNS Server is an open source tool that can be used for self hosting a local network DNS server or, used for experimentation/testing by software developers on their computer. Download now!

MAC Address Changer

technitium.com/tmac/

Technitium MAC Address Changer (TMAC) is a popular freeware utility to change or spoof MAC address of wired or wi-fi network adapters for Windows. Download now!