
Quick and Dirty dnsmasq Install On Ubuntu 18.04 on AWS EC2 Instances

These days, when using AWS, we usually use Amazon’s Route 53 service for DNS. It’s nearly free and super-simple. But there are several reasons why we might choose to run a DNS server of our own. While bind9 continues to be an exceptional choice, dnsmasq is often far easier to automate against when scripting or containerizing (although unless there are a crapload of domains, not as easy as Route 53). So let’s look at a basic setup real quick.

Before we start, it’s worth noting that for DNS resolution against an EC2 instance to work, the security group for the instance needs to have UDP 53 open for ingress (so not just TCP 53). To configure that, begin by clicking on Network & Security from the sidebar in the EC2 console:

Then click on the security group for the instance and Inbound rules:

Click on the Edit inbound rules button and then allow the traffic for the desired IP range (in this case it’s global for testing, but it should be configured more restrictively for most use cases, e.g. to the VPC CIDR or the client subnets).

Now that we’ve done that, let’s go ahead and start our instance and clear out the default resolv.conf information. To do so, first we’ll stop systemd-resolved:

sudo systemctl stop systemd-resolved

Then we’ll disable it from starting back up in the future:

sudo systemctl disable systemd-resolved

Then we can just delete the config file:

sudo rm -v /etc/resolv.conf

Then we can just echo some name servers in there:

echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf

If the shell throws an error, the file may have already been recreated by the time tee ran. Check it anyway, because the echoed line most likely made it in:

cat /etc/resolv.conf

Now that we’re there, let’s update the package repository to make sure we’re dealing with the latest and greatest recipes:

sudo apt update

And then we can finally install dnsmasq:

sudo apt install dnsmasq

Now let’s ditch the old config file for dnsmasq so we don’t have so many weird settings:

sudo mv -v /etc/dnsmasq.conf /etc/dnsmasq.conf.OLD

And create a new config:

sudo touch /etc/dnsmasq.conf
sudo pico !$

And then we can paste in a basic config:

port=53

# don't forward plain names (no dots) or reverse lookups for private ranges upstream
domain-needed
bogus-priv
# query upstream servers in the order they appear in resolv.conf
strict-order

# serve entries from /etc/hosts, appending the domain to short names
expand-hosts
domain=kryptedwuzhere.com
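The config above binds dnsmasq to every address on the instance, which combined with the global UDP 53 rule from earlier makes it an open resolver. The following script is an added example, not from the original post: it writes the same options plus a listener restriction, and lints a dnsmasq.conf for the directives a basic install should have. The private address (10.0.1.23) and the output paths are constructed for the example; point it at a temp directory, not /etc.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): generate and lint a dnsmasq.conf.
set -eu

# gen_dnsmasq_conf OUTFILE DOMAIN LISTEN_IP
# Writes the options shown in the post plus listen-address/bind-interfaces so
# dnsmasq only answers on loopback and the instance's private VPC address
# (assumed here to be LISTEN_IP), never on the public one.
gen_dnsmasq_conf() {
  out="$1"; domain="$2"; listen_ip="$3"
  cat > "$out" <<EOF
port=53

# don't forward plain names (no dots) or reverse lookups for private ranges upstream
domain-needed
bogus-priv
# query upstream servers in the order they appear in resolv.conf
strict-order

# serve entries from /etc/hosts, appending the domain to short names
expand-hosts
domain=$domain

# only answer on loopback and the private interface, not 0.0.0.0
listen-address=127.0.0.1
listen-address=$listen_ip
bind-interfaces
EOF
}

# lint_dnsmasq_conf FILE
# Returns 0 when every required directive is present and the listener is
# restricted; prints what is missing and returns 1 otherwise.
lint_dnsmasq_conf() {
  f="$1"; rc=0
  for d in domain-needed bogus-priv expand-hosts; do
    grep -qx "$d" "$f" || { echo "missing: $d"; rc=1; }
  done
  grep -q '^domain=' "$f" || { echo "missing: domain="; rc=1; }
  # With neither listen-address nor interface, dnsmasq binds every address;
  # with UDP 53 open to 0.0.0.0/0 in the security group that is an open resolver.
  if ! grep -qE '^(listen-address|interface)=' "$f"; then
    echo "unrestricted listener: add listen-address= or interface="
    rc=1
  fi
  return $rc
}

# Usage with constructed paths: ./dnsmasq-conf.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  gen_dnsmasq_conf "$tmp/dnsmasq.conf" kryptedwuzhere.com 10.0.1.23
  lint_dnsmasq_conf "$tmp/dnsmasq.conf" && echo "config ok"
  cat "$tmp/dnsmasq.conf"
  rm -rf "$tmp"
fi
```

The lint deliberately treats a missing listen-address/interface as a failure rather than a warning, because on EC2 the security group and the dnsmasq bind are the only two things standing between the instance and being used for DNS amplification.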

Now let’s go ahead and restart the daemon:

sudo systemctl restart dnsmasq

Next, we’ll check the resolver, first from the server and then from a client. So on the server, let’s add an entry for a name to /etc/hosts (in this case we’ll use kryptedwuznothere.com) and query for it locally:

dig @127.0.0.1 kryptedwuznothere.com

That should point to what was entered. Next, let’s check it from a client using the dns server (which we’ll just call 100.200.200.100 for giggles):

dig @100.200.200.100 kryptedwuznothere.com

Provided the response comes back with the address entered into hosts, everything is well. Sometimes we might have to restart the instance, but not usually. If so, do it either using the EC2 console or manually:

sudo reboot
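To turn the manual dig-and-compare step above into a check that can run from a script, here is an added example (not from the original post) that pulls the expected address for a name out of an /etc/hosts-style file, pulls the answered address out of dig output, and compares the two. The hosts file and dig output are constructed inline; on a live host replace them with /etc/hosts and the output of `dig @SERVER NAME`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify a dnsmasq answer
# against the /etc/hosts entry it should be serving.
set -eu

# expected_ip HOSTS_FILE NAME -> address HOSTS_FILE maps NAME to ("" if none).
# Skips comments and matches NAME against every alias on a line.
expected_ip() {
  awk -v name="$2" '
    /^[[:space:]]*#/ || NF < 2 { next }
    { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
  ' "$1"
}

# answered_ip DIG_OUTPUT NAME -> first A record for NAME in the ANSWER SECTION.
# dig prints the owner name with a trailing dot, so we match on "NAME.".
answered_ip() {
  printf '%s\n' "$1" | awk -v name="$2." '
    /^;; ANSWER SECTION:/ { in_ans = 1; next }
    /^;;/ || /^$/         { in_ans = 0 }
    in_ans && $1 == name && $4 == "A" { print $5; exit }
  '
}

# verify_resolution HOSTS_FILE NAME DIG_OUTPUT
# 0 when the answer matches hosts, 1 on mismatch, 2 when hosts has no entry.
verify_resolution() {
  want=$(expected_ip "$1" "$2")
  got=$(answered_ip "$3" "$2")
  if [ -z "$want" ]; then echo "no hosts entry for $2"; return 2; fi
  if [ "$got" = "$want" ]; then
    echo "ok: $2 -> $got"; return 0
  fi
  echo "mismatch for $2: hosts says '$want', server answered '${got:-nothing}'"
  return 1
}

# Constructed sample data standing in for /etc/hosts and `dig` output.
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost
10.0.1.50   kryptedwuznothere.com kryptedwuznothere
EOF
SAMPLE_DIG=';; ANSWER SECTION:
kryptedwuznothere.com.  0 IN A 10.0.1.50

;; Query time: 0 msec'

# Usage: ./check-resolution.sh demo
# On a real host: verify_resolution /etc/hosts NAME "$(dig @127.0.0.1 NAME)"
if [ "${1:-}" = "demo" ]; then
  verify_resolution "$SAMPLE_HOSTS" kryptedwuznothere.com "$SAMPLE_DIG"
  rm -f "$SAMPLE_HOSTS"
fi
```

Running it once against 127.0.0.1 and once against the instance's private address from a client gives the two checks the post describes, and a non-zero exit is what a deploy script should key off of.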

There are a couple of good commands to know besides dig and the systemctl restart of dnsmasq.service from earlier (note that both of these talk to systemd-resolved, which we stopped above, so they only apply on hosts where that service is still running). One is how to flush the resolver cache:

sudo systemd-resolve --flush-caches

Another is digging into the statistics on the resolver service for troubleshooting:

sudo systemd-resolve --statistics

And while flushing caches resolves most issues, sometimes a discrepancy between /etc/hosts content and /etc/resolv.conf can keep names from resolving once the service is restarted. So we’ll just look at going a little lower-level by using init to run a dns-clean:

sudo /etc/init.d/dns-clean start

Finally, to get some of those containerization tools for this example (this won’t be needed for those just doing a basic DNS service), we’ll go ahead and get nodejs and npm on the instance as well. The nodesource script adds the repository, then apt installs both packages, after which we can check the versions:

curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -
sudo apt install nodejs
node --version
npm --version

Oh, one last thing: for my example, I also need to install pip3 for some of my Python dependencies for the record automation pieces:

sudo apt-get -y install python3-pip

And just to check the version on pip3:

pip3 --version