
How To Configure DNS (BIND) Server on Red Hat Enterprise Linux 7

Updated: Oct 3, 2021

Previously, we explained "How DNS or Name Resolution Service Works". Today, let's do the DNS configuration on Red Hat Enterprise Linux 7.


Step 1: Install the packages required for the DNS (BIND) server.

# yum -y install bind bind-utils

Step 2: Configure BIND to listen on the server's IP address and allow clients from the specified network to query the DNS server for name-to-IP translation.

# vi  /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

// my-host: this server's own address; referenced by listen-on below.
acl my-host { 192.168.122.144; };
// my-net: the client network that is allowed to query this server (allow-query below).
acl my-net { 192.168.122.0/24; };
options {
	// Bind only to loopback and the address named in my-host; named does not
	// listen on any other interface of the machine.
	listen-on port 53 { 127.0.0.1; my-host; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	// Only localhost and my-net may send queries. Because recursion is enabled
	// below, this list is the access control the comment under it refers to:
	// it is what keeps this host from acting as an open resolver.
	allow-query     { localhost; my-net; };

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;

	// NOTE(review): neither allow-recursion nor allow-transfer is set in this
	// file, so BIND's defaults apply to both; confirm those defaults match the
	// intended policy for this host (e.g. restricting zone transfers to known
	// secondaries) before exposing the server beyond my-net.
	dnssec-enable yes;
	dnssec-validation yes;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                // Relative to the "directory" option above, i.e. /var/named/data/named.run
                file "data/named.run";
                severity dynamic;
        };
};

// Root hints: where the recursive resolver starts looking for names it is not authoritative for.
zone "." IN {
	type hint;
	file "named.ca";
};

// The RFC 1912 local zones file is also where the example.com zones are added in Step 3.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Note: the configuration file can be verified by running this command:

# named-checkconf /etc/named.conf

If the configuration is valid, the command prints nothing.


Step 3: Create the zone entries: a forward zone for the example.com domain and a reverse zone for the IP network.

# vi /etc/named.rfc1912.zones 
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

// The distro-provided local zones below are left untouched; "allow-update { none; }"
// means dynamic DNS updates are refused for each of them.
zone "localhost.localdomain" IN {
	type master;
	file "named.localhost";
	allow-update { none; };
};

zone "localhost" IN {
	type master;
	file "named.localhost";
	allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
	type master;
	file "named.loopback";
	allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
	type master;
	file "named.loopback";
	allow-update { none; };
};

zone "0.in-addr.arpa" IN {
	type master;
	file "named.empty";
	allow-update { none; };
};
# the forward zone entry for the example.com 
# "file" is relative to the "directory" option in named.conf, i.e. /var/named/named.example.com
# (created in Step 4). Dynamic updates are refused, so the file is edited by hand only.
# NOTE(review): no allow-transfer is set here, so BIND's default transfer policy
# applies; confirm it is the intended one for this zone.
zone "example.com" IN {
        type master;
        file "named.example.com";
        allow-update { none; };
};
# the reverse zone entry for the 192.168.122.0/24 network.
# Same layout as the forward zone; backed by /var/named/named.122.168.192 (Step 4).
zone "122.168.192.in-addr.arpa" IN {
        type master;
        file "named.122.168.192";
        allow-update { none; };
};

Step 4: Create the forward and reverse lookup files (zone database files) under the /var/named/ directory.

# cp /var/named/named.localhost /var/named/named.example.com
# cp /var/named/named.loopback /var/named/named.122.168.192

# vi /var/named/named.example.com 
$TTL 1D			; default TTL for every record below that has no explicit TTL
; SOA: dns1.example.com. is the primary name server, root.dns1.example.com. is the
; responsible mailbox (the first "." stands in for "@"). "@" is the zone apex, example.com.
@	IN SOA	dns1.example.com. root.dns1.example.com. (
					1000	; serial - must be incremented on every edit to this file
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum (negative-caching TTL)
;Name Server Information
@	NS	dns1.example.com. 
; apex A record: example.com itself resolves to the name server's address
@       IN  A       192.168.122.144

;IP address of Name Server
; must agree with the PTR for dns1 in named.122.168.192
dns1 IN  A       192.168.122.144

;Mail exchanger
example.com. IN  MX 10   mail.example.com.

;A - Record HostName To IP Address
www     IN  A       192.168.122.180
mail    IN  A       192.168.122.200

;CNAME record
; target is written fully qualified (trailing dot) so $ORIGIN is not appended to it
ftp     IN CNAME        www.example.com.

# vi /var/named/named.122.168.192 
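$TTL 1D			; default TTL for every record below that has no explicit TTL
; SOA for the reverse zone 122.168.192.in-addr.arpa; same primary and mailbox as the forward zone
@	IN SOA	dns1.example.com. root.dns1.example.com. (
					1000	; serial - must be incremented on every edit to this file
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum (negative-caching TTL)
@	IN  NS	 dns1.example.com.

;Reverse lookup for Name Server
; dns1's A record in named.example.com is 192.168.122.144, so its PTR must be at
; owner 144 (this was 155, which left forward and reverse lookups for dns1 disagreeing).
144        IN  PTR     dns1.example.com.

;PTR Record IP address to HostName
; owners are the last octet only; $ORIGIN (122.168.192.in-addr.arpa.) is appended
180      IN  PTR     www.example.com.
200      IN  PTR     mail.example.com.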

# chgrp named /var/named/named.*

Note: the zone database files can be checked as follows:

# named-checkzone example.com /var/named/named.example.com

zone example.com/IN: loaded serial 1000

OK


# named-checkzone 122.168.192 /var/named/named.122.168.192

zone 122.168.192/IN: loaded serial 1000

OK


Make sure that whenever you update a zone lookup file, you also change (increment) the serial, for example 1001 ;Serial — a changed serial is how secondary servers and caches notice that the zone has been updated.


Step 5: Start the bind (named) service and enable it at system startup.

# systemctl status named
# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

Step 6: If the firewalld service is enabled and running, add a firewall rule so that clients can connect to the DNS server for name resolution.

# firewall-cmd --permanent --add-port=53/udp
# firewall-cmd --reload

Step 7: Verify name resolution against the DNS server from a client system.