Latest

Saturday, 10 August 2019

Configure Authoritative DNS Server using BIND in CentOS 7

Configure Authoritative DNS Server using BIND in CentOS 7

BIND is most widely used DNS (Domain Name Server) software. Its name originates as an acronym of Berkeley Internet Name Domain. BIND is also called by it service name i.e. named (or Name Daemon). BIND latest version 9 is available now and distributed under Mozilla Public License (MPL). BIND is developed and maintained by Internet Systems Consortium (ISC).

Almost every Internet connection starts with a DNS lookup. Hostname to IP resolution is necessary before sending an email or browsing a website and BIND is the preferred DNS server for Unix/Linux operating systems.

In this article, we are configuring Primary (Master) and Secondary (Slave) DNS servers using BIND 9 on CentOS 7. This article will let you configure a working DNS server (Master/Slave). To start learning BIND and to build a strong foundation, we recommend you to read DNS and BIND (5th Edition) by O'Reilly Media.

 

Table of Contents:

Configure Authoritative DNS Server using BIND in CentOS 7

Environment Specifications:

We are using two CentOS 7 virtual machines in this article.

Primary (Master) DNS Server:

  • CPU - 3.4 Ghz (1 Core)
  • Memory - 1 GB
  • Storage - 20 GB
  • Hostname - dns-01.example.com
  • IP Address - 192.168.116.4 /24
  • Operating System – CentOS 7.6

Secondary (Slave) DNS Server:

  • CPU - 3.4 Ghz (1 Core)
  • Memory - 1 GB
  • Storage - 20 GB
  • Hostname - dns-02.example.com
  • IP Address - 192.168.116.5 /24
  • Operating System – CentOS 7.6

 

Installing BIND 9 DNS Server on CentOS 7:

Connect with dns-01.example.com using ssh as root user.

BIND 9 is available through CentOS 7 official yum repository. Therefore, we can easily install it using yum command.

# yum install -y bind bind-utils

BIND 9 has been installed on CentOS 7 server.

 

Configure Primary (Master) DNS Server on CentOS 7:

By default named.service run on localhost. Since, we are configuring an authoritative DNS server for our Domain, therefore, we need to configure this service to run on the interface that was connected with our network.

# vi /etc/named.conf

Under options directive set following parameter to allow named.service to run on our network interface.

listen-on port 53 { 127.0.0.1; 192.168.116.4; };

We are also required to enable our named.service to allow client queries. Therefore, find and set following parameter in options directives.

allow-query     { localhost; 192.168.116.0/24; };

To keep the named.conf file clean, we are defining our DNS zones in a separate file.

# vi /etc/named.conf.local

and add following directives in this file.

zone "example.com" {
   type master;
   file "/var/named/example.com";
};

zone "116.168.192.in-addr.arpa" {
   type master;
   file "/var/named/116.168.192.in-addr.arpa";
};

We have defined two DNS zones here, one is a Forward DNS zone and the other is Reverse DNS zone.

Include our named.conf.local file in the default named.conf file, so it will be called at the time of service startup.

# echo 'include "/etc/named.conf.local";' >> /etc/named.conf

Configure forward zone for our Domain.

# vi /var/named/example.com

and add following settings therein.

$TTL 1h
@       IN      SOA     example.com.    root.example.com. (
        2019080901      ; Serial YYYYMMDDnn
        24h             ; Refresh
        2h              ; Retry
        28d             ; Expire
        2d )            ; Minimum TTL

;Name Servers
@       IN      NS              dns-01

;Mail Servers
@       IN      MX      0       mail-01

;Other Servers
dns-01  IN      A               192.168.116.4
mail-01 IN      A               192.168.116.6
web-01  IN      A               192.168.116.3

;Canonical Names
www     IN      CNAME           web-01
mail    IN      CNAME           mail-01

Check forward zone file for any possible error.

# named-checkzone example.com /var/named/example.com
zone example.com/IN: loaded serial 2019080901
OK

Configure a reverse zone for our Domain.

# vi /var/named/116.168.192.in-addr.arpa

and add following settings therein.

$TTL 1h
@       IN      SOA     116.168.192.in-addr.arpa    root.example.com. (
        2019080901      ; Serial YYYYMMDDnn
        24h             ; Refresh
        2h              ; Retry
        28d             ; Expire
        2d )            ; Minimum TTL

;Name Servers
@       IN      NS              dns-01

;Other Servers
dns-01  IN      A       192.168.116.4

;PTR Records
4               IN      PTR             dns-01
6               IN      PTR             mail-01
3               IN      PTR             web-01

Check reverse zone file for any possible errors.

# named-checkzone example.com /var/named/116.168.192.in-addr.arpa
zone example.com/IN: loaded serial 2019080901
OK

Adjust file ownership of zone files.

# chgrp named /var/named/example.com
# chgrp named /var/named/116.168.192.in-addr.arpa

Enable and start named.service.

# systemctl enable --now named.service
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

Allow DNS service in Linux firewall.

# firewall-cmd --permanent --add-service=dns
success
# firewall-cmd --reload
success

Add our Primary (Master) DNS Server to client's resolve.conf.

# nmcli c m ens33 ipv4.dns-search example.com ipv4.dns 192.168.116.4

Restart interface to apply changes.

# nmcli c down ens33 ; nmcli c up ens33
Connection 'ens33' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)

Verify DNS Server settings.

# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 192.168.116.4

Query our Primary (Master) DNS server using dig command.

# dig www.example.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> www.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2020
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com.               IN      A

;; ANSWER SECTION:
www.example.com.        3600    IN      CNAME   web-01.example.com.
web-01.example.com.     3600    IN      A       192.168.116.3

;; AUTHORITY SECTION:
example.com.            3600    IN      NS      dns-01.example.com.

;; ADDITIONAL SECTION:
dns-01.example.com.     3600    IN      A       192.168.116.4

;; Query time: 1 msec
;; SERVER: 192.168.116.4#53(192.168.116.4)
;; WHEN: Fri Aug 09 23:15:51 PKT 2019
;; MSG SIZE  rcvd: 118

Our Primary (Master) DNS Server has been configured on CentOS 7.

 

Configure Secondary (Slave) DNS Server on CentOS 7:

We have a working Primary (Master) DNS Server. We are now going to add a Secondary (Slave) DNS Server.

Connect with dns-02.example.com using ssh as root user.

Follow the above section "Install BIND 9 DNS Server on CentOS 7" to install BIND 9 packages on our Secondary DNS Server.

Configure named.service settings of our Secondary DNS Server.

# vi /etc/named.conf

Under option directives set following parameters.

listen-on port 53 { 127.0.0.1; 192.168.116.5; };
allow-query     { localhost;192.168.116.0/24; };

Just like we did with our Primary DNS Server, we are defining our zones in a separate configuration file.

# vi /etc/named.conf.local

and define following zones therein.

zone "example.com" {
   type slave;
   masters { 192.168.116.4; };
   file "/var/named/example.com";
};

zone "116.168.192.in-addr.arpa" {
   type slave;
   masters { 192.168.116.4; };
   file "/var/named/116.168.192.in-addr.arpa";
};

Include our named.conf.local file in the default named.conf file, so it will call our settings on service startup.

# echo 'include "/etc/named.conf.local";' >> /etc/named.conf

Start and enabled named.service.

# systemctl enable --now named.service
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

Allow DNS service in Linux firewall.

# firewall-cmd --permanent --add-service=dns
success
# firewall-cmd --reload
success

Set SELinux boolean, so our Secondary DNS server can accept zone transfers and update local zone files.

# setsebool -P named_write_master_zones on

Now, connect to dns-01.example.com and add settings for our Secondary DNS server.

Configure zone transfers by editing named.conf.local file as follows.

# vi /etc/named.conf.local

Add following directives under both zones.

allow-transfer {192.168.116.5; };
also-notify {192.168.116.5; };

Add our Secondary name server record in our forward and reverse zones.

# vi /var/named/example.com

and add Secondary (Slave) DNS server NS and A records as follows:

$TTL 1h
@       IN      SOA     example.com.    root.example.com. (
        2019080901      ; Serial YYYYMMDDnn
        24h             ; Refresh
        2h              ; Retry
        28d             ; Expire
        2d )            ; Minimum TTL

;Name Servers
@       IN      NS              dns-01
@       IN      NS              dns-02

;Mail Servers
@       IN      MX      0       mail-01

;Other Servers
dns-01  IN      A               192.168.116.4
dns-02  IN      A               192.168.116.5
mail-01 IN      A               192.168.116.6
web-01  IN      A               192.168.116.3

;Canonical Names
www     IN      CNAME           web-01
mail    IN      CNAME           mail-01

Add Secondary name server records in Reverse Zone.

# vi /var/named/116.168.192.in-addr.arpa

and add  NS, A and PTR records of our Secondary (Slave) DNS as follows.

$TTL 1h
@       IN      SOA     116.168.192.in-addr.arpa    root.example.com. (
        2019080901      ; Serial YYYYMMDDnn
        24h             ; Refresh
        2h              ; Retry
        28d             ; Expire
        2d )            ; Minimum TTL

;Name Servers
@       IN      NS              dns-01
@       IN      NS              dns-02

;Other Servers
dns-01  IN      A       192.168.116.4
dns-02  IN      A       192.168.116.5

;PTR Records
4               IN      PTR             dns-01
5               IN      PTR             dns-02
6               IN      PTR             mail-01
3               IN      PTR             web-01

Restart named.service to apply changes.

# systemctl restart named.service

Check /etc/named directory at dns-02.example.com.

# ls /var/named
116.168.192.in-addr.arpa  dynamic      named.ca     named.localhost  slaves
data                      example.com  named.empty  named.loopback

The zone files are automatically replicating to secondary domain name server.

Now add this Secondary DNS server to client's resolve.conf file.

# nmcli c m ens33 +ipv4.dns 192.168.116.5
# nmcli c down ens33 ; nmcli c up ens33
Connection 'ens33' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)

Check resolv.conf contents.

# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 192.168.116.4
nameserver 192.168.116.5

Check Secondary DNS settings by query a hostname.

# dig @192.168.116.5 mail.example.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> @192.168.116.5 mail.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21668
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail.example.com.              IN      A

;; ANSWER SECTION:
mail.example.com.       3600    IN      CNAME   mail-01.example.com.
mail-01.example.com.    3600    IN      A       192.168.116.6

;; AUTHORITY SECTION:
example.com.            3600    IN      NS      dns-02.example.com.
example.com.            3600    IN      NS      dns-01.example.com.

;; ADDITIONAL SECTION:
dns-01.example.com.     3600    IN      A       192.168.116.4
dns-02.example.com.     3600    IN      A       192.168.116.5

;; Query time: 2 msec
;; SERVER: 192.168.116.5#53(192.168.116.5)
;; WHEN: Sat Aug 10 13:09:59 PKT 2019
;; MSG SIZE  rcvd: 157

Our Secondary (Slave) DNS Server has been configured and working fine.

We have successfully configured authoritative DNS server using BIND 9 on CentOS 7.

If you find this article useful? Don't you mind support us by Buy Me A Coffee


8 comments:

  1. Hi Thanks for this nice tutorial. Would you please create a tutorial about Dual Stack (IPv6 & IPv4) DNS Server as well with DNSSec.

    //BR
    WAHID

    ReplyDelete
    Replies
    1. Hi,
      You request has been noted and will work on it a.s.a.p.

      Delete
  2. Hello Mansoor,
    Thanks for the good recipes. However it would be great if you add comments to configuration files(meaning of the parameters,values,etc)
    Thanks in Advance

    ReplyDelete
    Replies
    1. Thanks for the advice. I really appreciate it and I will follow it on my future articles.

      Delete
  3. Hi Ahmer Mansoor,

    Great documents for new guys, can we install caching DNS also in this?, if yes please advice

    ReplyDelete
    Replies
    1. Thanks for your feedback. I will consider your advice.

      For now, you can try the Unbound Caching Only DNS Server in CentOS 7.

      Delete
  4. hello is it authoritative or non authoritative will it cache all request or not ?

    ReplyDelete
    Replies
    1. yes, it is Authoritative and Caching DNS server.

      Delete

© 2022 CentLinux. All Rights Reserved.