HOWTO: InterWorx-CP as Recursive Resolver

about:

This HOWTO is meant to show you how to set up your InterWorx-CP server to serve recursive DNS queries for other servers. This tutorial is recommended as the map to get recursive resolvers working in an InterWorx-CP-friendly manner. If you set it up differently it will work fine, but if we ever add this functionality to InterWorx-CP your implementation won’t be “seen” by InterWorx-CP.

Recursive resolvers are set up on an IP-by-IP basis and they CANNOT live on the same IP as an iterative DNS resolver (i.e. the kind that serves DNS for your sites from the IWorx-CP box).

PREREQS:

  • 1 IP with port 53 TCP/UDP unbound

PROCEDURE:

  1. Run the following command to create the base dir structure for the recursive resolver:

dnscache-conf dnscache dnslog /var/djbdns/dnscachex-x.x.x.x x.x.x.x

Where x.x.x.x is the IP that is bound to the system, has TCP/UDP 53 open and that you’d like to use for the resolver.

e.g.

dnscache-conf dnscache dnslog /var/djbdns/dnscachex-208.69.120.23 208.69.120.23

  2. Symlink this new directory (/var/djbdns/dnscachex-x.x.x.x) into the /service directory so that svscan will see it and start the service, and so that it will start on subsequent boots.

cd /service
ln -fs /var/djbdns/dnscachex-x.x.x.x dnscachex-x.x.x.x

ex:


cd /service
ln -fs /var/djbdns/dnscachex-208.69.120.23 dnscachex-208.69.120.23

Check with “netstat -lnp” that there is now a service on TCP and UDP port 53 for the x.x.x.x IP.

  3. The resolver will only work for those IPs you allow. To allow an IP you have to create a file named with the prefix of the IP block, or the IP itself, that you’d like to allow to use the recursive services. You do this in the /var/djbdns/dnscachex-x.x.x.x/root/ip directory.

cd /var/djbdns/dnscachex-x.x.x.x/root/ip
touch 1.2.3
touch 2.3.4.5

The above will allow any IP in the 1.2.3 block and the IP 2.3.4.5 to do recursive lookups.

That’s it!

NOTES:

  • If you add an IP to be used as a recursive resolver via the IP Management page, you need to remove the iterative resolver that IWorx-CP puts on it automatically before doing this HOWTO. Simply go to the DNS Management page and remove the iterative services from the IP.

  • Make sure port 53 UDP/TCP is open on the firewall

Hope this helps :)

Chris
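The three steps of the HOWTO above, written as checked shell functions, with a local audit of the root/ip allow list. This is an added example, not code from the original post or from InterWorx; it keeps the HOWTO's paths and tool names (dnscache-conf, /service, /var/djbdns/dnscachex-IP, netstat) and the function names are this example's own. Two points it makes explicit that the post leaves to the reader: dnscache matches a client against the ip/ directory by whole dotted octets, so a file can only express a /8, /16, /24 or /32, and whatever ends up in that directory is exactly the set of networks that may recurse through the box, so listing more than you need turns it into an open resolver.

```shell
#!/bin/sh
# Added example (not from the original post or InterWorx): the HOWTO's three
# steps as shell functions, plus a local check of the root/ip allow list.
# Paths and tool names are those of the HOWTO; function names are this
# example's own.

# Is anything already listening on TCP or UDP port 53 for this IP?
# The same check the HOWTO does by eye with "netstat -lnp".
port53_bound() {   # port53_bound IP
  command -v netstat >/dev/null 2>&1 || { echo "netstat not found" >&2; return 2; }
  netstat -ln 2>/dev/null | awk -v want="$1:53" '$4 == want { hit = 1 } END { exit !hit }'
}

# Steps 1 and 2: create the dnscache instance and hand it to svscan.
# Refuses to run while the IP still carries the IWorx-CP DNS service
# (the post's first NOTE). Needs root and the djbdns tools installed.
setup_recursive_resolver() {   # setup_recursive_resolver IP
  ip=$1
  dir=/var/djbdns/dnscachex-$ip
  if port53_bound "$ip"; then
    echo "$ip already has a service on port 53; remove the iterative service first" >&2
    return 1
  fi
  dnscache-conf dnscache dnslog "$dir" "$ip" || return 1
  ln -fs "$dir" "/service/dnscachex-$ip" || return 1
  sleep 6               # svscan rescans /service every 5 seconds
  port53_bound "$ip"    # success means dnscache now answers on the IP
}

# Step 3 helper. dnscache matches clients on whole dotted octets: a file
# "1.2.3" means 1.2.3.0/24, "1.2" means 1.2.0.0/16. Only /8, /16, /24 and
# /32 can be expressed, so anything else is refused rather than widened.
cidr_to_dnscache_prefix() {   # cidr_to_dnscache_prefix A.B.C.D[/bits]
  ip=${1%/*}
  bits=${1#*/}
  [ "$bits" = "$1" ] && bits=32   # bare address: a single host
  case $bits in
    8)  echo "${ip%%.*}" ;;
    16) rest=${ip#*.}; echo "${ip%%.*}.${rest%%.*}" ;;
    24) echo "${ip%.*}" ;;
    32) echo "$ip" ;;
    *)  echo "dnscache cannot express $1 (need /8, /16, /24 or /32)" >&2; return 1 ;;
  esac
}

# Step 3: create the allow files for the given blocks in an ip/ directory.
allow_clients() {   # allow_clients IPDIR BLOCK...
  ipdir=$1; shift
  for block in "$@"; do
    name=$(cidr_to_dnscache_prefix "$block") || return 1
    touch "$ipdir/$name" || return 1
  done
}

# Re-implements dnscache's own client lookup (okclient): strip octets from
# the client address until a file of that name exists. Use it to audit an
# ip/ directory before pointing other servers at the resolver.
client_allowed() {   # client_allowed IPDIR CLIENT_IP
  ipdir=$1; fn=$2
  while :; do
    [ -e "$ipdir/$fn" ] && return 0
    case $fn in
      *.*) fn=${fn%.*} ;;
      *)   return 1 ;;
    esac
  done
}

# Offline demo against a scratch directory standing in for root/ip,
# using the two allow entries from the HOWTO.
demo_dir=$(mktemp -d)
allow_clients "$demo_dir" 1.2.3.0/24 2.3.4.5
for c in 1.2.3.77 2.3.4.5 2.3.4.6 9.9.9.9; do
  if client_allowed "$demo_dir" "$c"; then echo "$c: allowed"; else echo "$c: refused"; fi
done
rm -rf "$demo_dir"
```

On a real box you would run `setup_recursive_resolver 208.69.120.23` as root and then `allow_clients /var/djbdns/dnscachex-208.69.120.23/root/ip 1.2.3.0/24 2.3.4.5`; `client_allowed` can be pointed at that same directory afterwards to confirm which of your servers will and will not be answered.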

Great !

Is it a good idea to do this at least for the resolvers which are set in /etc/resolv.conf?

For example, if you have external resolvers not managed by you, would it be best to set up the dnscache and allow these resolvers to access this cache?

Pascal