A DNS forwarder is a resolver system that forwards all queries to the configured caching-only DNS server. Forwarding DNS queries to a caching-only server is called DNS forwarding.
A DNS forwarder is similar to a caching-only name server. If we have a caching-only name server, we can easily convert it into a DNS forwarder. In the previous tutorial of this series, we configured a caching-only name server in our practice lab. In this tutorial, we will convert it into a DNS forwarder. Since a DNS forwarder forwards queries to a caching-only name server, we also need a caching-only name server. We will configure RHELServer2 as the caching-only name server. Currently, the DNS service is not running on this system.
The following image shows this lab setup.
Configuring the DNS forwarder
As mentioned earlier, a DNS forwarder is similar to a caching-only name server. To configure a DNS forwarder, we must follow all the configuration steps of a caching-only name server. I have already explained those steps in the previous tutorial. By following those steps, configure and verify a caching-only name server.
This tutorial is the thrid tutorial of the tutorial series "How to configure DNS name servers in Linux.". Other tutorial of this tutorial series are the following.
How to configure DNS Server in Linux
How to configure a caching only name server
How to configure a primary or master authoritative name server
How to configure a secondary or slave authoritative name server
Now, let us convert the caching-only name server into a DNS forwarder.
In our lab, we configured the caching-only name server on RHELServer1. Let us convert it into a DNS forwarder. Login from the root account and open the /etc/named.conf file.
The following image shows the current configuration of this file. With this configuration, the DNS service runs the caching-only name server on this system.
To convert this caching-only name server into a DNS forwarder, we need to configure the following two options.
forwarders {IP_address_of_the_caching_only_server;};
forward only;
The first option requires the IP address of the caching-only name server that will receive DNS queries from this system. In simple words, this system will forward DNS queries to the caching-only name servers configured in this option.
In our example, we will configure the caching-only DNS server on RHELServer2. RHELServer2's IP address is 192.168.29.101. Therefore, we will add this IP address to this option.
A DNS forwarder forwards DNS queries to the configured caching-only name server. If DNS queries fail because of a server error or timeout, a forwarder starts working as the caching-only name server.
This is the default behavior of the DNS forwarder. The second option overrides this behavior and configures the name server as a DNS forwarder-only server.
Configure both options and save the file.
Restart the named server.
Add an allow rule for the DNS service in the firewall.
Flush the DNS cache.
Configuring a DNS client for testing
We have already configured RHELClient as a DNS client system for testing. With the current configuration, it sends DNS queries to RHELServer1. Since we have configured RHELServer1 as a DNS forwarder, we do not need to make any changes to it.
Configuring the caching-only name server
The following steps configure RHELServer2 as the caching-only name server.
- Install the bind and bind-utils packages.
- Open the /etc/named.conf file.
- Add RHELServer2's IP address in the listen-on port 53 option and the network address 192.168.29.0/24 in the allow-query option.
- Restart the named service.
- Add an allow rule for the DNS service in the firewall.
- Flush the DNS cache.
I have already explained the above steps in the previous tutorial. You can check that tutorial if you need help with any configuration step.
The following image shows the configuration in /etc/named.conf you need on RHELServer2
The following image shows the command you need to allow the DNS service in the firewall.
Testing and verifying the DNS forwarding
To test and verify DNS forwarding, use the following command on RHELClient.
#dig google.com
Since we configured RHELServer1's IP address as the DNS server IP address on RHELClinet, this command sends a DNS query to RHELServer1. RHELServer1 is a DNS forwarder. It forwards this query to RHELServer2. RHELServer2 is a caching-only name server. It resolves this query, caches the answer, and replies to RHELServer1. RHELServer1 caches the answer and replies to RHELClient.
To verify the answer is cached on the DNS forwarder and the caching-only name server, we can view the DNS cache on both systems.
DNS saves the cache data in an encrypted format. The rndc dumpdb -cache command de-encrypts it and saves the output into the /var/named/data/cache_dump.db file.
We can use the grep command to find a record in the output file.
The following image shows how to verify the answer is cached on the DNS forwarder (RHELServer1).
The following image shows how to verify the answer is cached on the caching-only name server (RHELServer2).
To verify only the caching-only server is resolving queries, stop the named service on RHELServer2 and send ping requests to yahoo.com from RHELClient.
The following command stops the named service.
#systemctl stop named
Use this command on RHELServer2.
The following command sends ping requests to yahoo.com.
#ping yahoo.com
Use this command on RHELClient.
Now, use the following command to start the named service again.
#systemctl start named or #systemclt restart named
Send the ping requests to yahoo.com from RHELClient again.
When we stop the named service, RHELClient fails to get yahoo.com's IP address from the configured name server. When we start the named service, RHELClient gets yahoo.com's IP address from the configured name server. It verifies only the caching-only name server is resolving DNS queries in the network.