DNS server with Raspberry Pi

If you want to install a DNS server on your Raspberry Pi, you need a few things in addition to the minicomputer:

  • SD card with Raspbian installed
  • Ethernet connection to the internet router
  • Power supply via micro-USB cable
  • SSH client (e.g. PuTTY)

As a basis for setting up DNS on the Raspberry Pi, we’ll use BIND (Berkeley Internet Name Domain) in this example. BIND is open source software; the current major version is BIND 9, which is maintained and developed further by the Internet Systems Consortium (ISC).

First, make sure that the Raspberry Pi has a static IP address in the local network: every client will be pointed at this address, so it must not change. On older Raspbian releases the address is assigned in the network configuration:

sudo nano /etc/network/interfaces

Assign the Raspberry Pi a unique address there, ideally one outside your router’s DHCP range. On Raspbian Jessie and later, which use dhcpcd, the static address is configured in /etc/dhcpcd.conf instead (or you reserve a fixed address for the Pi’s MAC address in the router’s DHCP settings).
Tip

Nano is a simple Linux editor that you should always have installed on your Raspberry Pi.

Now you can install BIND. Besides the actual program bind9, install the packages bind9utils (named-checkconf and named-checkzone, which validate the configuration and the zone files before you restart the server) and dnsutils (dig and nslookup for test queries). They are not strictly required, but you will want them for maintaining your new DNS server. Use the following command:

sudo apt-get install bind9 bind9utils dnsutils

bind9 is now installed on your system. Before you can use the Raspberry Pi as a DNS server, you need to add a few settings. Open the local zone configuration of bind9:

sudo nano /etc/bind/named.conf.local

Set up two zones there: a forward lookup zone, which maps names to IP addresses, and a reverse lookup zone for the inverse query (IP addresses back to names):

    zone "home.lan" IN {
            type master;
            file "/etc/bind/db.home.lan";
    };
    zone "1.168.192.in-addr.arpa" IN {
            type master;
            file "/etc/bind/db.rev.1.168.192.in-addr.arpa";
    };

The configuration references two files (db.home.lan and db.rev.1.168.192.in-addr.arpa) that define the zones, but they do not exist yet. Since you create the files yourself, you can name them however you want, as long as the names match what you entered in named.conf.local. Create the file for the forward lookup first:

sudo nano /etc/bind/db.home.lan

    $TTL 86400                 ; default TTL for records without their own
    home.lan. IN SOA raspberry.home.lan. hostmaster.home.lan. (
        2017081401 ; serial
        8H         ; refresh
        4H         ; retry
        4W         ; expire
        1D         ; minimum (negative-answer TTL)
    )
    home.lan. IN NS raspberry.home.lan.
    home.lan. IN MX 10 raspberry.home.lan.
    localhost    IN A 127.0.0.1
    raspberry    IN A 192.168.1.31   ; static address of the Raspberry Pi
    router       IN A 192.168.1.1    ; your router

The last two entries in the file have to be customized: enter the static IP address that you assigned to the Raspberry Pi at the beginning and the address of your router. Names in a zone file that end with a period are fully qualified; a name without a trailing period (such as raspberry) is relative to the zone and expands to raspberry.home.lan, so a missing period on a name that was meant to be absolute silently produces names like raspberry.home.lan.home.lan. The $TTL line sets how long clients may cache a record. The values after the serial number in the SOA record tell secondary servers how often to check for a new version of the zone (refresh), how soon to retry after a failed check (retry), when to discard the zone if the primary stays unreachable (expire), and how long a negative answer may be cached (minimum). The NS record names the Raspberry Pi as the zone’s name server; the MX record declares it as the mail server for home.lan as well, which only matters if you actually run a mail server there and is otherwise harmless.

Tip

Always give the zone a serial number and increase it with every change: secondary servers only transfer a zone whose serial is higher than the copy they already hold, so an unchanged serial means the change is never picked up. The usual format is YYYYMMDDXX: the date (year, month, day) followed by a two-digit counter, in case you create several versions on one day.

Now create the reverse zone file:

sudo nano /etc/bind/db.rev.1.168.192.in-addr.arpa

    $TTL 86400
    @ IN SOA raspberry.home.lan. hostmaster.home.lan. (
        2017081401 ; serial
        8H         ; refresh
        4H         ; retry
        4W         ; expire
        1D         ; minimum
    )
               IN NS raspberry.home.lan.
    1          IN PTR router.home.lan.
    31         IN PTR raspberry.home.lan.

Here @ stands for the zone name from named.conf.local, and each PTR record is keyed by the last octet of the address, so 31 maps 192.168.1.31 back to raspberry.home.lan. This example assumes that your local network address begins with 192.168.1. If this isn’t the case, replace the octets in the zone name (in reverse order, so 192.168.1 becomes 1.168.192) and in the file name, and remember that the new file name also needs to be entered in the corresponding position in /etc/bind/named.conf.local.
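The forward and reverse zone files have to be kept in step by hand: every host needs an A record in one and a PTR record in the other, and the serial has to be bumped in both. The following script, added here as an example and not part of the original article, generates both files from a single host list and implements the YYYYMMDDXX serial rule from the tip above; the zone name, network prefix, host names and addresses are assumptions that match the article’s example. Run it with `preview` to see the generated zones, or with `install` (as root, with bind9utils installed) to write them to /etc/bind and check them with named-checkzone before restarting bind9.

```shell
#!/bin/bash
# Added example, not code from the original article: generate the forward zone
# (home.lan) and the reverse zone (1.168.192.in-addr.arpa) from one host list,
# so that A and PTR records cannot drift apart, and bump the serial in the
# YYYYMMDDXX form.  Zone name, network prefix, host names and addresses are
# assumptions that match the article's example.

ZONE="home.lan"
NET="192.168.1"                                   # first three octets of the /24
REV=$(printf '%s' "$NET" | awk -F. '{print $3"."$2"."$1}')   # -> 1.168.192
NS="raspberry"                                    # host that runs BIND
MAILBOX="hostmaster.${ZONE}."                     # SOA contact (hostmaster@home.lan)

# Constructed host list: "name last-octet", one host per line.
HOSTS="raspberry 31
router 1"

# bump_serial CURRENT TODAY -> next serial.  Same day: increment the two-digit
# counter; new day: TODAY01.  Fails if more than 99 changes happen on one day.
bump_serial() {
    local old=$1 today=$2 n
    case "$old" in
        "$today"[0-9][0-9])
            n=${old#"$today"}
            n=$((${n#0} + 1))          # strip a leading zero so 08 is not read as octal
            [ "$n" -le 99 ] || { echo "serial counter exhausted for $today" >&2; return 1; }
            printf '%s%02d\n' "$today" "$n" ;;
        *)  printf '%s01\n' "$today" ;;
    esac
}

# soa_header SERIAL -> $TTL, SOA and NS records shared by both zones.  "@" is
# the zone name given in named.conf.local.
soa_header() {
    cat <<EOF
\$TTL 86400
@   IN SOA ${NS}.${ZONE}. ${MAILBOX} (
        $1   ; serial
        8H           ; refresh
        4H           ; retry
        4W           ; expire
        1D           ; minimum (negative-answer TTL)
    )
    IN NS ${NS}.${ZONE}.
EOF
}

# forward_zone SERIAL -> db.home.lan on stdout
forward_zone() {
    soa_header "$1"
    printf '%-12s IN A %s\n' localhost 127.0.0.1
    printf '%s\n' "$HOSTS" | while read -r name octet; do
        [ -n "$name" ] || continue
        printf '%-12s IN A %s.%s\n' "$name" "$NET" "$octet"
    done
}

# reverse_zone SERIAL -> db.rev.1.168.192.in-addr.arpa on stdout; PTR owners
# are the last octet only, because the zone covers the whole /24.
reverse_zone() {
    soa_header "$1"
    printf '%s\n' "$HOSTS" | while read -r name octet; do
        [ -n "$name" ] || continue
        printf '%-12s IN PTR %s.%s.\n' "$octet" "$name" "$ZONE"
    done
}

# current_serial FILE -> serial from an existing zone file, empty if none
current_serial() {
    awk '/; serial/ { print $1; exit }' "$1" 2>/dev/null
}

# install_zones: write both files under /etc/bind and validate them with
# named-checkzone (bind9utils) before bind9 is restarted.  Needs root.
install_zones() {
    local fwd="/etc/bind/db.${ZONE}" rev="/etc/bind/db.rev.${REV}.in-addr.arpa" serial
    serial=$(bump_serial "$(current_serial "$fwd")" "$(date +%Y%m%d)") || return 1
    forward_zone "$serial" > "$fwd"
    reverse_zone "$serial" > "$rev"
    named-checkzone "$ZONE" "$fwd" && named-checkzone "${REV}.in-addr.arpa" "$rev"
}

case "${1:-}" in
    preview) serial=$(bump_serial "" "$(date +%Y%m%d)"); forward_zone "$serial"; echo; reverse_zone "$serial" ;;
    install) install_zones ;;
esac
```

named-checkzone loads a file exactly as named would and reports a syntax error with its line number, which is quicker than reading syslog after a failed restart; the serial is taken from the existing forward zone file so that a second run on the same day produces 02, 03 and so on.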

Besides answering for its own zones, BIND on the Raspberry Pi works as a caching resolver: once a name has been resolved, the answer stays in the cache until its TTL expires, so repeated queries are answered locally. Names outside your own zones are still forwarded to another server, and which one is set in /etc/bind/named.conf.options. Open the file and replace the placeholder addresses in the forwarders entry:

sudo nano /etc/bind/named.conf.options 

    forwarders {
      1.2.3.4;
      5.6.7.8;
    };
The forwarders block sits inside the options { ... } section of that file. You can enter the IP address of your internet provider’s DNS server here or that of an open system; the Google server (8.8.8.8) is a popular choice. If you want to be independent from commercial providers, you can also use a free system like the resolver run by Digitalcourage e.V. (85.214.20.141). Keep in mind that the operator of the forwarder sees every name your network looks up, so pick one you trust; entering two addresses gives you a fallback if one of them is unreachable.
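The forwarders block is the only thing the article changes in named.conf.options, which leaves the server’s other defaults in place. The script below, an added example rather than code from the original article, renders a complete named.conf.options that also restricts recursion to the home network, listens only on the Pi’s LAN address, enables DNSSEC validation and hides the version string; the LAN prefix, the listen address and the forwarder addresses passed to it are assumptions for a 192.168.1.0/24 network. Every argument is checked to be a plain IPv4 value before anything is written, so a stray or hostile value cannot end up as a configuration statement.

```shell
#!/bin/bash
# Added example, not code from the original article: render a hardened
# /etc/bind/named.conf.options for the Raspberry Pi.  The LAN prefix, the
# address BIND listens on and the forwarder addresses are supplied as
# arguments and are assumptions for a 192.168.1.0/24 home network.

# ipv4_like VALUE -> 0 if VALUE consists of exactly four dotted decimal octets
ipv4_like() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    [ $(printf '%s' "$1" | tr -cd '.' | wc -c) -eq 3 ]
}

# render_options LAN_CIDR LISTEN_IP FORWARDER... -> named.conf.options on stdout
render_options() {
    [ $# -ge 3 ] || { echo "usage: render_options LAN_CIDR LISTEN_IP FORWARDER..." >&2; return 1; }
    local lan=$1 listen=$2 f
    shift 2
    ipv4_like "${lan%/*}" && [ "${lan#*/}" -le 32 ] 2>/dev/null ||
        { echo "LAN must be an IPv4 prefix such as 192.168.1.0/24" >&2; return 1; }
    ipv4_like "$listen" || { echo "listen address is not IPv4: $listen" >&2; return 1; }
    # The values land verbatim in the configuration, so only plain addresses
    # are accepted; anything else is rejected before a single line is written.
    for f in "$@"; do
        ipv4_like "$f" || { echo "forwarder is not an IPv4 address: $f" >&2; return 1; }
    done
    cat <<EOF
// Clients that may use this server as a recursive resolver.
acl "lan" {
    127.0.0.0/8;
    ${lan};
};

options {
    directory "/var/cache/bind";

    // Answer only on the loopback and LAN addresses, not on every interface.
    listen-on { 127.0.0.1; ${listen}; };
    listen-on-v6 { none; };

    // Recursion and cache access for the LAN only.  Without this, a resolver
    // that is ever reachable from the Internet becomes an open resolver that
    // anyone can use for amplification attacks.
    recursion yes;
    allow-query { lan; };
    allow-recursion { lan; };
    allow-query-cache { lan; };

    // Upstream resolvers for everything outside the local zones.
    forwarders {
EOF
    for f in "$@"; do printf '        %s;\n' "$f"; done
    cat <<EOF
    };
    // "forward only" never falls back to iterating from the root servers
    // itself; use "forward first" if you want that fallback.
    forward only;

    // Check DNSSEC signatures on answers instead of trusting the forwarder.
    dnssec-validation auto;

    // Do not reveal the BIND version to version.bind CHAOS queries.
    version none;
};
EOF
}

# apply_options LAN_CIDR LISTEN_IP FORWARDER...: write the rendered file, keep
# a backup and let named-checkconf (bind9utils) reject a broken result before
# bind9 is restarted.  Needs root.
apply_options() {
    local target=/etc/bind/named.conf.options
    render_options "$@" > "$target.new" || { rm -f "$target.new"; return 1; }
    if [ -f "$target" ]; then cp -p "$target" "$target.bak"; fi
    mv "$target.new" "$target"
    named-checkconf || { echo "named-checkconf failed, restoring backup" >&2; cp -p "$target.bak" "$target"; return 1; }
}

case "${1:-}" in
    render) shift; render_options "$@" ;;
    apply)  shift; apply_options "$@" ;;
esac
```

Run it as `render 192.168.1.0/24 192.168.1.31 8.8.8.8 85.214.20.141` to inspect the result, or as `apply` with the same arguments (as root) to install it; named-checkconf parses the whole configuration, including named.conf.local and any included files, and prints the file and line of the first error, so it is worth running before every restart.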

You’ve now configured a DNS server with BIND on your Raspberry Pi. For the changes to take effect, restart the service:

sudo service bind9 restart

Or:

sudo service bind9 stop
sudo service bind9 start

If the DNS server fails to start, look at the log file under /var/log/syslog: BIND reports the file and line of a configuration or zone error there. The Debian package already enables bind9 at boot when it is installed, so you normally do not have to start it by hand after rebooting the Raspberry Pi; if it does not come up on its own, add it to the system autostart:

sudo update-rc.d bind9 defaults

Now you just have to enter your new DNS server in your router’s settings, so that all name resolution in your network runs through the Raspberry Pi. In the device settings (usually reached via the router’s web interface), enter the IP address of the Raspberry Pi as the DNS server that is handed out to clients. From now on you control the DNS answers and can block particular domains, for example known malware or phishing hosts, so that no client in your network can resolve them. To do this, you set up DNS blocks. They live in a separate file that you first include from the main bind9 configuration:

sudo nano /etc/bind/named.conf

Add the new file as another include line after the existing ones; every include statement ends with a semicolon:

include "/etc/bind/named.conf.blocked";

In this file, enter only the domains that you want to block. To find out which domains are worth blocking, you can use one of several published lists. In this example, we use a list from the DNS-BH Project, which offers a ready-made zone file for BIND. It can be downloaded and opened with a text editor; its entries are already in the correct format and can simply be copied into your own block list. Entries must have this format, even when you use other sources, because bind9 parses the included file as part of its configuration and rejects anything else:

zone "malware-example.ga" {type master; file "/etc/namedb/blockeddomain.hosts";};
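Any list you download is parsed by BIND as configuration once it is included, so a malformed or hostile line (one containing a quote, a semicolon or a brace) can break the server or smuggle in statements of its own. The script below, added here as an example and not code from the original article or from the DNS-BH project, converts a plain domain list or a hosts-file style list into the stanza format above, validating, lower-casing and de-duplicating every entry first; the sample list in its test is constructed, and the sinkhole file path is the one used in this article.

```shell
#!/bin/bash
# Added example, not code from the original article or the DNS-BH project:
# convert a downloaded domain list into the zone stanzas for
# /etc/bind/named.conf.blocked.  Because BIND parses that file as
# configuration, every entry is validated first; a line that could close the
# quoted zone name is dropped instead of being written out.  The sinkhole file
# is the one created in this article.

SINKHOLE=/etc/namedb/blockeddomain.hosts

# valid_domain NAME -> 0 if NAME is a plausible lower-case host name: only
# letters, digits, dots and hyphens, at least one dot, no empty labels and no
# label that starts or ends with a hyphen.
valid_domain() {
    local d=$1
    [ -n "$d" ] && [ ${#d} -le 253 ] || return 1
    case "$d" in
        *[!a-z0-9.-]*|.*|*.|*..*|-*|*.-*|*-.*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# blocklist_to_zones < LIST -> one "zone" stanza per unique domain on stdout.
# Accepts plain domains and hosts-file lines ("0.0.0.0 domain"), ignores
# comments introduced by # or ;, lower-cases names and drops duplicates.
# Rejected entries are reported on stderr so the list can be inspected.
blocklist_to_zones() {
    local line d
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=${line%%;*}
        d=$(printf '%s\n' "$line" | awk '{ print $NF }')   # last field: the domain
        [ -n "$d" ] || continue
        d=$(printf '%s' "$d" | tr 'A-Z' 'a-z')
        if valid_domain "$d"; then
            printf 'zone "%s" { type master; file "%s"; };\n' "$d" "$SINKHOLE"
        else
            printf 'skipped invalid entry: %s\n' "$line" >&2
        fi
    done | sort -u
}

# install_blocklist LIST: rebuild named.conf.blocked from LIST and let
# named-checkconf (bind9utils) check the whole configuration before bind9 is
# restarted.  Needs root.
install_blocklist() {
    local target=/etc/bind/named.conf.blocked
    blocklist_to_zones < "$1" > "$target.new" || { rm -f "$target.new"; return 1; }
    mv "$target.new" "$target"
    named-checkconf
}

case "${1:-}" in
    convert) blocklist_to_zones < "$2" ;;
    install) install_blocklist "$2" ;;
esac
```

Use `convert list.txt` to preview the stanzas and `install list.txt` (as root) to write them; if named-checkconf complains, the rejected entries printed on stderr during conversion are the first place to look. Each stanza makes bind9 authoritative for that domain, so a blocked name and everything below it is answered from the sinkhole file instead of being forwarded.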

At the end of the line, a zone file is named that is served for every blocked domain; all blocked zones can share this one file. Create the directory if it does not exist yet, make sure the user bind9 runs as can read the file, and then create it:

sudo nano /etc/namedb/blockeddomain.hosts

There, enter the following code:

$TTL    86400
@       IN      SOA     raspberry.home.lan. hostmaster.home.lan. (
                            2017081401 ; serial
                            8H         ; refresh
                            2H         ; retry
                            10D        ; expire
                            1D         ; minimum
                        )
        IN      NS      raspberry.home.lan.
        IN      A       127.0.0.1           ; the blocked domain itself
*       IN      A       127.0.0.1           ; and every name below it

Make sure once again that you enter the correct name of your own server here (in this case, raspberry.home.lan). Restart bind9 again. Every blocked domain, and any subdomain of it thanks to the wildcard record, now resolves to 127.0.0.1, so connections to it fail on the client itself. Your DNS server is now configured and ready for use.

Based on an article from www.ionos.com