How To Configure DNS (BIND) Server on Red Hat Enterprise Linux 7
Updated: Oct 3, 2021
Previously, we explained "How DNS or Name Resolution Service Works". Today let's do the DNS configuration on Red Hat Enterprise Linux 7.
Step:1 Install the packages required for the DNS (BIND) server.
# yum -y install bind bind-utils
Step:2 Configure BIND to listen on the server's IP addresses and to allow clients from the specified network to query the DNS server for name-to-IP translation.
# vi /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
acl my-host { 192.168.122.144; };
acl my-net { 192.168.122.0/24; };
options {
    listen-on port 53 { 127.0.0.1; my-host; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { localhost; my-net; };
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Note: we can verify the configuration file by running this command:
# named-checkconf /etc/named.conf
If the configuration is valid, the command prints nothing.
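As an added check (example code, not from the original article), the Python script below parses the acl and options statements of a named.conf fragment and reports when recursion is enabled for anyone, which is the open-resolver condition the comment block above warns about. Both configuration fragments are constructed for the example; RESTRICTED mirrors the settings above, OPEN is a weak variant.

```python
import re

# Constructed named.conf fragments for demonstration: RESTRICTED mirrors the options shown
# above; OPEN is a deliberately weak variant that would act as an open resolver.
RESTRICTED = """
acl my-host { 192.168.122.144; };
acl my-net { 192.168.122.0/24; };
options {
    listen-on port 53 { 127.0.0.1; my-host; };
    allow-query { localhost; my-net; };
    recursion yes;
};
"""
OPEN = """
options {
    listen-on port 53 { any; };
    allow-query { any; };
    recursion yes;
};
"""

def _addr_list(body):
    return [t.strip() for t in body.split(';') if t.strip()]

def _stmt(conf, name):
    """Address list of one statement such as allow-query { a; b; }, or None if it is absent."""
    m = re.search(r'(?<![\w-])%s(?![\w-])[^{;]*\{([^}]*)\}' % re.escape(name), conf)
    return _addr_list(m.group(1)) if m else None

def _expand(items, acls):
    """Replace acl names (one level deep, as in the config above) with their member addresses."""
    return [member for it in items for member in acls.get(it, [it])]

def open_resolver_findings(conf):
    """List the reasons this config would act as an open recursive resolver (empty list = none)."""
    rec = re.search(r'\brecursion\s+(yes|no)\s*;', conf)
    if not rec or rec.group(1) != 'yes':
        return []                         # authoritative-only: no recursion to abuse
    acls = {name: _addr_list(body)
            for name, body in re.findall(r'\bacl\s+([\w-]+)\s*\{([^}]*)\}', conf)}
    # BIND falls back from allow-recursion (via allow-query-cache) to allow-query,
    # and finally to localnets/localhost when none of them is set
    scope = _expand(_stmt(conf, 'allow-recursion') or _stmt(conf, 'allow-query-cache')
                    or _stmt(conf, 'allow-query') or ['localnets', 'localhost'], acls)
    listen = _expand(_stmt(conf, 'listen-on') or ['any'], acls)   # listen-on defaults to any
    findings = []
    if 'any' in scope:
        findings.append('recursion yes while allow-query/allow-recursion permits any')
        if 'any' in listen:
            findings.append('listening on every interface, so the open recursion is reachable from outside')
    return findings
```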
Step:3 Create the zone entries: a forward zone for the example.com domain and a reverse zone for the 192.168.122.0/24 network.
# vi /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};
zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};
zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update { none; };
};
// the forward zone entry for example.com
zone "example.com" IN {
    type master;
    file "named.example.com";
    allow-update { none; };
};
// the reverse zone entry for the 192.168.122.0/24 network
zone "122.168.192.in-addr.arpa" IN {
    type master;
    file "named.122.168.192";
    allow-update { none; };
};
Step:4 Create the forward and reverse lookup files (zone database files) under the /var/named/ directory.
# cp /var/named/named.localhost /var/named/named.example.com
# cp /var/named/named.loopback /var/named/named.122.168.192
# vi /var/named/named.example.com
$TTL 1D
@ IN SOA dns1.example.com. root.dns1.example.com. (
        1000 ; serial
        1D   ; refresh
        1H   ; retry
        1W   ; expire
        3H ) ; minimum
; Name server information
@       IN NS    dns1.example.com.
@       IN A     192.168.122.144
; IP address of the name server
dns1    IN A     192.168.122.144
; Mail exchanger
example.com. IN MX 10 mail.example.com.
; A records: hostname to IP address
www     IN A     192.168.122.180
mail    IN A     192.168.122.200
; CNAME record
ftp     IN CNAME www.example.com.
# vi /var/named/named.122.168.192
$TTL 1D
@ IN SOA dns1.example.com. root.dns1.example.com. (
        1000 ; serial
        1D   ; refresh
        1H   ; retry
        1W   ; expire
        3H ) ; minimum
@       IN NS    dns1.example.com.
; Reverse lookup for the name server (dns1 is 192.168.122.144, matching its A record)
144     IN PTR   dns1.example.com.
; PTR records: IP address to hostname
180     IN PTR   www.example.com.
200     IN PTR   mail.example.com.
# chgrp named /var/named/named.*
Note: we can check our zone database files as below. The zone name given to named-checkzone must be the same origin used in named.conf, otherwise the relative names in the file are checked against the wrong origin:
# named-checkzone example.com /var/named/named.example.com
zone example.com/IN: loaded serial 1000
OK
# named-checkzone 122.168.192.in-addr.arpa /var/named/named.122.168.192
zone 122.168.192.in-addr.arpa/IN: loaded serial 1000
OK
Make sure that whenever we update a zone lookup file, we also increment the serial (e.g. 1001 ; serial), so that the change is recognised as a new version of the zone.
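As an added example (not part of the original article), the Python script below cross-checks a forward zone against its reverse zone and enforces the serial rule just mentioned using RFC 1982 serial arithmetic. Both zone texts are constructed for the example, modelled on the files above, with one PTR deliberately pointing at the wrong address.

```python
import re

# Constructed zone files for demonstration, modelled on the ones above. The PTR for .155 is a
# deliberate mismatch (dns1's A record is .144) so that the checker has something to report.
FORWARD = """\
@ IN SOA dns1.example.com. root.dns1.example.com. ( 1000 1D 1H 1W 3H )
@ IN NS dns1.example.com.
dns1 IN A 192.168.122.144
www IN A 192.168.122.180
mail IN A 192.168.122.200
ftp IN CNAME www.example.com.
"""
REVERSE = """\
@ IN SOA dns1.example.com. root.dns1.example.com. ( 1000 1D 1H 1W 3H )
@ IN NS dns1.example.com.
155 IN PTR dns1.example.com.
180 IN PTR www.example.com.
200 IN PTR mail.example.com.
"""

def _records(zone_text, origin, rtype):
    """Yield (owner FQDN, rdata) for records of one type; relative owners get the origin appended."""
    for line in zone_text.splitlines():
        tok = line.split(';')[0].split()
        if len(tok) < 4 or tok[-2] != rtype:       # e.g. "dns1 IN A 192.168.122.144"
            continue
        owner = origin if tok[0] == '@' else tok[0] if tok[0].endswith('.') else tok[0] + '.' + origin
        yield owner, tok[-1]

def reverse_mismatches(forward, fwd_origin, reverse, rev_origin):
    """Return (ip, ptr target, a-record name) triples where the forward and reverse zones disagree."""
    a_by_ip = {ip: name for name, ip in _records(forward, fwd_origin, 'A')}
    problems, seen = [], set()
    for owner, target in _records(reverse, rev_origin, 'PTR'):
        # IPv4 only: 155.122.168.192.in-addr.arpa. -> 192.168.122.155
        ip = '.'.join(reversed(owner[:-len('.in-addr.arpa.')].split('.')))
        seen.add(ip)
        if a_by_ip.get(ip) != target:
            problems.append((ip, target, a_by_ip.get(ip)))
    problems += [(ip, None, name) for ip, name in a_by_ip.items() if ip not in seen]
    return problems

def serial(zone_text):
    """SOA serial: the first number after the opening parenthesis, on the same or a later line."""
    return int(re.search(r'\bSOA\b[^(]*\(\s*(\d+)', zone_text).group(1))

def serial_ok(old_zone, new_zone):
    """RFC 1982 serial arithmetic: the new serial must be ahead of the old one within a 2**31 window."""
    return 0 < (serial(new_zone) - serial(old_zone)) % 2**32 < 2**31
```

Running reverse_mismatches(FORWARD, 'example.com.', REVERSE, '122.168.192.in-addr.arpa.') reports both the stray .155 PTR and the missing PTR for .144.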
Step:5 Start the BIND (named) service and enable it so that it comes up at system startup.
# systemctl start named
# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
Step:6 If the firewalld service is enabled and running, add a firewall rule so that clients can reach the DNS server for name resolution.
# firewall-cmd --permanent --add-port=53/udp
# firewall-cmd --reload
Note: DNS also uses TCP port 53 (for responses too large for a single UDP packet and for zone transfers); "firewall-cmd --permanent --add-service=dns" opens both 53/udp and 53/tcp in one step.
Step:7 To verify the DNS server name resolution from the client system.