top of page
Recent Posts
Writer's pictureMunshi Hafizul Haque

How To Configure DNS (BIND) Server on Red Hat Enterprise Linux 7

Updated: Oct 3, 2021

Previously, we have explained "How DNS or Name Resolution Service Work". today let's do the DNS configuration on on Red Hat Enterprise Linux 7.


Step:1 To install DNS (BIND) server required packages.

# yum -y install bind bind-utils

Step:2 To configure BIND to listen on a IP addresses and will allow clients from the mentioned network can query the DNS for the name to ip translation.

# vi  /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
acl my-host { 192.168.122.144; };
acl my-net { 192.168.122.0/24; };
options {
	listen-on port 53 { 127.0.0.1; my-host; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	allow-query     { localhost; my-net; };

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Note: we can verify the configuration file by running this command

# named-checkconf /etc/named.conf

And the output should be none, if all good to go.


Step:3 To create zones entry, the forward zone entry for the example.com domain and the reverse zone entry for the IP network.

# vi /etc/named.rfc1912.zones 
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
	type master;
	file "named.localhost";
	allow-update { none; };
};

zone "localhost" IN {
	type master;
	file "named.localhost";
	allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
	type master;
	file "named.loopback";
	allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
	type master;
	file "named.loopback";
	allow-update { none; };
};

zone "0.in-addr.arpa" IN {
	type master;
	file "named.empty";
	allow-update { none; };
};
# the forward zone entry for the example.com 
zone "example.com" IN {
        type master;
        file "named.example.com";
        allow-update { none; };
};
# the reverse zone entry for the 192.168.122.0/24 network.
zone "122.168.192.in-addr.arpa" IN {
        type master;
        file "named.122.168.192";
        allow-update { none; };
};

Step:4 To create forward and reverse lookup files (zone database files) under /var/named/ directory.

# cp /var/named/named.localhost /var/named/named.example.com
# cp /var/named/named.loopback /var/named/named.122.168.192

# vi /var/named/named.example.com 
$TTL 1D
@	IN SOA	dns1.example.com. root.dns1.example.com. (
					1000	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
;Name Server Information
@	NS	dns1.example.com. 
@       IN  A       192.168.122.144

;IP address of Name Server
dns1 IN  A       192.168.122.144

;Mail exchanger
example.com. IN  MX 10   mail.example.com.

;A - Record HostName To IP Address
www     IN  A       192.168.122.180
mail    IN  A       192.168.122.200

;CNAME record
ftp     IN CNAME        www.example.com.

# vi /var/named/named.122.168.192 
$TTL 1D
@	IN SOA	dns1.example.com. root.dns1.example.com. (
					1000	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
@	IN  NS	 dns1.example.com.

;Reverse lookup for Name Server
155        IN  PTR     dns1.example.com.

;PTR Record IP address to HostName
180      IN  PTR     www.example.com.
200      IN  PTR     mail.example.com.

# chgrp named /var/named/named.*

Note: we can check our zone database files as below:

# named-checkzone example.com /var/named/named.example.com

zone example.com/IN: loaded serial 1000

OK


# named-checkzone 122.168.192 /var/named/named.122.168.192

zone 122.168.192/IN: loaded serial 1000

OK


and make sure, whenever we update the zone lookup file, we need to change/increment the serial like 1001 ;Serial


Step:5 To start and enable bind(named) service on system startup.

# systemctl status named
# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

Step:6 If Firewalld service enabled and running, need to allow rule in the firewall to let clients can connect to the DNS server for name resolution.

# firewall-cmd --permanent --add-port=53/udp
# firewall-cmd --reload

Step:7 To verify the DNS server name resolution from the client system.

DNS Client configuration at the client system:

1. we can add add a DNS server ip address in /etc/resolv.conf in client and do not required any services restart.

# vi /etc/resolv.conf 
# Generated by NetworkManager
search example.com 
domain example.com 
nameserver 192.168.122.144

2. If Network Manager is managing the networking in the client system then need to add following entry in /etc/sysconfig/network-scripts/ifcfg-eXX file. and restart the NetworkManager service.

# vim /etc/sysconfig/network-scripts/ifcfg-eth0
:::::::::::: CUT SOME OUTPUT ::::::::::::: 
DNS1=192.168.122.144
:::::::::::: CUT SOME OUTPUT ::::::::::::: 

Using nslookup command for DNS query:

# nslookup 
> set type=mx
> example.com
Server:		192.168.122.144
Address:	192.168.122.144#53

example.com	mail exchanger = 10 mail.example.com.
> set type=ns
> example.com
Server:		192.168.122.144
Address:	192.168.122.144#53

example.com	nameserver = dns1.example.com.

Using dig command for DNS query:

# dig -x 192.168.122.180
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> -x 192.168.122.180
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45761
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;180.122.168.192.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
180.122.168.192.in-addr.arpa. 86400 IN	PTR	www.example.com.

;; AUTHORITY SECTION:
122.168.192.in-addr.arpa. 86400	IN	NS	dns1.example.com.

;; ADDITIONAL SECTION:
dns1.example.com.	86400	IN	A	192.168.122.144

;; Query time: 0 msec
;; SERVER: 192.168.122.144#53(192.168.122.144)
;; WHEN: Sat Jul 25 15:21:20 +08 2020
;; MSG SIZE  rcvd: 121

My DNS server has the internet connectivity and the recursion yes; (by default) has been configured, we can try the Non-authoritative DNS query, as below:

# nslookup www.jazakallah.info
Server:		192.168.122.144
Address:	192.168.122.144#53

Non-authoritative answer:
www.jazakallah.info	canonical name = www59.wixdns.net.
www59.wixdns.net	canonical name = balancer.wixdns.net.
Name:	balancer.wixdns.net
Address: 35.247.167.166

DNS lookup answer is Non-authoritative, Because, there is no jazakallah.info domain information in my zone database files, and this reply is coming from remote DNS servers (35.247.167.166).

644 views0 comments

Recent Posts

See All

Comments


Log In to Connect With Members
View and follow other members, leave comments & more.
bottom of page