Building A DNS Sandbox

I’m developing some automation around DNS. Its imperative that I don’t break anything that might impact any users. This post documents the process I went through to build a DNS sandbox, and serves as a crash-course in DNS, which is, like most technology that’s been around since the dawn of time, a lot simpler than it seems at first glance.

Use Case

When a new machine is brought up, I need to register it with my internal DNS server. The DNS server doesn’t allow remote updating, and there’s no DHCP server in play (for the record, I’m bringing up machines in AWS). I have access to the machine via SSH, so I can edit the zone files directly. As SOP, we use hostdb and a git repository. This works really well for manual updates, but it’s a bit clunky to automate, and has one fatal flaw: there can be parity between what’s in DNS and what’s in the git repo. My hope is to eliminate this by using the DNS server as the single source of truth, using other mechanisms for auditing and change-management.

So the point of the DNS sandbox is to make testing/debugging of hostdb easier and to facilitate rapid development of new tools.


Please be aware that this setup is designed strictly for experimentation and testing – it’s not secure, or terribly useful outside of basic DNS functionality. Please take the time to really understand what it takes to run a DNS server before you try to set something like this up outside of a laboratory setting.

Contributions Welcome

If you have any trouble using this post setting up your own DNS sandbox, please leave a comment.

If you have any suggestions or corrections, again, leave a comment!

Together we can make this better, and help make it easier to put together infrastructure for testing for everybody.

Coming Soon

There are a lot of features of DNS that this setup doesn’t take into account. I’m planning on following up this post as I add the following to my sandbox setup (suggestions for other things are welcome!)

  • Remote updates (being able to speak DNS directly to the server from a script)
  • Chrooting the bind installation for security.
  • DNS Security (DNSSEC) – makes remote updates secure.
  • Slaves – DNS can be configured so that when one server is updated, the changes propagate to n number of servers.

Server Setup

I started with stock Ubuntu 12.04 server instance.

I installed bind9 using apt, and created a couple of directories for log and zone files.

$ sudo apt-get install bind9
$ sudo mkdir -p /var/log/named
$ sudo chown bind:bind /var/log/named
$ sudo mkdir /etc/bind/zones

Zone Files



  • Zone files have a header section called the SOA
  • Fully-qualified domain names end with a period (e.g., subdomains relative to an FDQN do not (e.g. my, www).
  • Zone files have an origin – a base added to every name in the file. The origin is defined using the $ORIGIN directive (see:
  • The @ symbol is used as a shortcut for $ORIGIN.
  • Each zone file is referenced in the named.conf file (see Configuration below for details)
  • The name of the file itself is immaterial – there are many standards in the wild – I’m opting to keep them consistent with the name of the zone in named.conf.
  • Zone files have a serial number, which consists of the current date and an increment number. Example: 20131226000 (YYYYMMDDXXX). This number must be incremented every time you make a change to a zone file, or bind will ignore the changes.
  • Comments start with a semi-colon (;) and run to the end of the line.

DNS lookups can happen in two directions: forward and reverse. Forward lookups resolve a doman name to an IP address ( -> Reverse lookups resolve an IP address to a domain name ( -> Each type of lookup is controlled from a separate zone file, with different types of records.

See for details about the different types of records. This post only deals with SOA, NS, A, CNAME and PTR records.

Note that reverse lookup is not required for a functioning DNS setup, but is recommended.

Forward Lookup


Our domain name is example.test.

$ORIGIN example.test.
$TTL 1h

@    IN    SOA    ns.example.test.    hostmaster.example.test. (
    20131226000  ; serial number
             1d  ; refresh
             2h  ; update retry
             4w  ; expiry
             1h  ; minimum

@               NS     ns

ns               A
box1             A
alt              CNAME  box1

  • Line 1 sets the origin. All entries will be a subdomain of example.test. You can put whatever you want in this stanza, but keep it consistent in the other areas.
  • Line 2 sets the Time To Live for records in this zone.
  • Lines 4-10 are the SOA.
  • On line 5, We use @ to stand in for the $ORIGIN directive defined on line 1. We specifify the authoritative server (ns.example.test.), which we will define in an A record later. Finally, we specify the e-mail address of a person responsible for this zone, replacing the at symbol (@) with a period.
  • Line 5 contains the serial number. This will need to be incremented every time we make a change. In this example, I’m starting with the current date and 000, so we’ll get 999 updates before we have to increment the date.
  • Line 12 is a requirement of Bind – we must specify at least one NS record for our DNS server. The @ symbol is used again here to avoid typing the origin again. The hostname for the NS record is ns, which means ns.example.test, defined in an A record on line 14.
  • Line 14 defines our DNS server for the NS record on line 12. We’re using localhost here to point back to the default setup we got from using the ubuntu packages.
  • Line 15 is an example of another A record, for a box named box1.example.test. Its IP address is Note that the actual IP addresses here do not need to be routable to the DNS server; all it’s doing is translating a hostname to an IP address. For testing purposes, this can be anything. Just be aware that reverse lookups are scoped to a given address range, so things will need to be consistent across the two zones.
  • Finally on line 16, we have an example of a CNAME record. This aliases the name alt.example.test to box1.example.test, and ultimately resolves to
  • Reverse Lookup


    We’re setting up reverse lookups for the 192.168.0.x subnet (CIDR

    $TTL 1h
    @   IN  SOA     ns.example.test     hostmaster.example.test (
            20131226000  ; serial number
                     1d  ; refresh
                     2h  ; update retry
                     4w  ; expiry
                     1h  ; minimum
        IN      NS      ns.example.test.
    1   IN      PTR     box1.example.test
    • Lines 1-10 are the SOA, and are formatted the exact same way as in our forward zone file.

      Note that the $ORIGIN is now The domain is special; used for reverse lookups. The numbers before the top level domain are simply the subnet octets, reversed (192.168.0 becomes 0.168.192).

      Remember, this serves as shorthand for defining the entry records below the SOA.

    • Line 12 is the required NS record, pointing at the one that we set up an A record for in the forward zone file.
    • Finally, line 13 is a typical PTR record. It associates with box1.example.test.


    In the default ubuntu setup, local configuration is handled in /etc/bind/named.conf.local (this is just simply included into /etc/bind/named.conf).

    See for details about the named.conf format and what the directives mean.

    zone "example.test." {
            type master;
            file "/etc/bind/zones/example.test";
            allow-update { none; };
    zone "" {
            type master;
            file "/etc/bind/zones/";
            allow-update { none; };
      channel simple_log {
        file "/var/log/named/bind.log" versions 3 size 5m;
        severity debug;
        print-time yes;
        print-severity yes;
        print-category yes;
      category default{
    • Lines 1-5 set up our forward zone “example.test.”. Note that allow-update is set to none. This simplifies our configuration and prevents updates to this zone from other servers.
    • Lines 7-11 set up the reverse zone “”.
    • Lines 13-24 set up simple (and verbose) logging to /var/log/named/bind.log. See for details about the setting here.


    Configuration Syntax Check

    We can use the named-checkzone utility to verify our zone file syntax before reloading the configuration.

    You specify the name of the zone and then the filename (the -k fail parameter causes it to return a failed return code when an error is found, useful for automated scripts):

    $ named-checkzone -k fail example.test /etc/bind/zones/example.test
    zone example.test/IN: loaded serial 2951356816

    In the case of a reverse zone file:

    $ named-checkzone -k fail /etc/bind/zones/
    zone loaded serial 2951356817

    Reloading Config

    Configuraiton can be reloaded with the rndc reload command.

    $ sudo rndc reload

    It’s helpful to run tail -f /var/log/named/bind.log in another terminal window during testing.

    Testing DNS Queries

    The definitive tool is dig. nslookup is also useful for basic queries.

    With both tools, its possible to specify a specific DNS server to query. In this case, it’s assumed that we’re logged in to the sandbox DNS server, so we’ll use for the server to query.

    With dig

    Note: remove the +short parameter from the end of the query to get more info.

    Forward Lookup

    The A record:

    $ dig @ box1.example.test +short

    The CNAME:

    $ dig @ alt.example.test +short

    Reverse Lookup

    $ dig @ -x +short

    With nslookup

    Forward Lookup

    The A record:

    $ nslookup box1.example.test
    Name:	box1.example.test

    The CNAME:

    $ nslookup alt.example.test
    alt.example.test	canonical name = box1.example.test.
    Name:	box1.example.test

    Reverse Lookup

    $ nslookup
    Address:	name =

    Using Your Sandbox

    Now that the DNS sandbox is built and working correctly, you may want to add it
    to your list of DNS servers.

    This process will vary depending on what operating system you use, and is an
    exercise best left to the user. However, here are some pointers:

    Note: depending on your setup, you will likely need to put your sandbox DNS server
    first in the list.

    Mac OS X:


This entry was posted in Uncategorized. Bookmark the permalink.