Introduction
This guide will walk you through the steps you’ll require to configure BIND DNS server on CentOS 8 / RHEL 8 Linux – Master / Slave Bind DNS Setup on CentOS 8 / RHEL 8. The Domain Name System is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. (Wikipedia). It acts as a phonebook of the internet because it gives an address to every computer with an FQDN associated with it.
As part of the application layer of the TCP/IP reference model DNS is very important in day to day operation of computers all over the world. We are going to install an Authoritative BIND DNS Master and Slave on CentOS8 and do configurations such as adding PTR, A/AAAA records among others.
For Windows users, check: Install and Configure DNS Server on Windows Server 2019
Install Bind DNS Server on CentOS 8 / RHEL 8
Run the following commands to install Bind DNS server packages on CentOS 8 / RHEL 8 Linux server.
$ dnf -y install bind bind-utils vim CentOS-8 - AppStream 1.3 kB/s | 4.3 kB 00:03 CentOS-8 - Base 1.2 kB/s | 3.9 kB 00:03 CentOS-8 - Extras 467 B/s | 1.5 kB 00:03 Dependencies resolved
In this setup, we’ll keep SELinux in enforcing mode.
$ getenforce Enforcing THE REASON FOR THIS IS THAT (Source: RedHat) SELinux helps mitigate the damage made by configuration mistakes. Domain Name System (DNS) servers often replicate information between each other in what is known as a zone transfer. Attackers can use zone transfers to update DNS servers with false information. When running the Berkeley Internet Name Domain (BIND) as a DNS server in Red Hat Enterprise Linux, even if an administrator forgets to limit which servers can perform a zone transfer, the default SELinux policy prevents zone files from being updated using zone transfers, by the BIND named daemon itself, and by other processes (Source: RedHat).
Configure BIND DNS Authoritative server on CentOS 8 / RHEL 8
Let us configure our BIND DNS Authoritative server. Open the config file /etc/named.conf.
Our DNS server has the following settings.
- computingforgeeks.com Zone (Domain name)
- 192.168.154.0 – Managed subnet
- 192.168.154.94 IP of slave server
- 192.168.154.88 – IP of the master server
Here is the named.conf configuration file.
$ sudo vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; }; ## Listen on any since it is an authoritative DNS Publicly available.
listen-on-v6 port 53 { any; }; ## You can also set the same for IPv6
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
## Since this will be an authoritative Nameserver, allow query from any host
allow-query { any; };
allow-transfer {192.168.154.94; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface.
*/
recursion no; ## Following Advice from above.
dnssec-enable yes;
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */ include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
## Set your ZONE details as shown below for different domains. Set the forward and reverse details. You can set the names of files as you like
zone "computingforgeeks.com" IN {
type master;
file "computingforgeeks.forward";
allow-update { none; };
};
## Make sure you follow the rule for reverse zone (154.168.192.in-addr.arpa). [If your IP is 192.168.10.10, It will be 10.168.192.in-addr.arpa]
zone "154.168.192.in-addr.arpa" IN {
type master;
file "computingforgeeks.reverse";
allow-update { none; };
};
Master server 192.168.154.88. Please note that your IP Should be a Public one because this is an Authoritative DNS Server.
Create Zone Files
After you set the files in named.conf, we have to create the Zone files and place all the records that you would wish to add such as A/AAAA, MX, PTR and others. Create the files in /var/named/ directory
$ sudo vim /var/named/computingforgeeks.forward
$TTL 86400
@ IN SOA dns1.computingforgeeks.com. root.computingforgeeks.com. (
# You can use any numerical values for serial number but it is recommended to use [YYYYMMDDnn]
2019112201 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
# Set your Name Servers here
IN NS dns1.computingforgeeks.com.
IN NS dns2.computingforgeeks.com.
# define Name Server's IP address
IN A 192.168.154.88
# Set your Mail Exchanger (MX) Server here
IN MX 10 dns1.computingforgeeks.com.
# Set each IP address of a hostname. Sample A records.
dns1 IN A 192.168.154.88
dns2 IN A 192.168.154.94
mail1 IN A 192.168.154.97
Create corresponding reverse records for the same domain we had defined in named.conf config file.
$ sudo vim /var/named/computingforgeeks.reverse
$TTL 86400
@ IN SOA dns1.computingforgeeks.com. root.computingforgeeks.com. (
2019112201 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
# Set Name Server
IN NS dns1.computingforgeeks.com.
## Set each IP address of a hostname. Sample PTR records.
88 IN PTR dns1.computingforgeeks.com.
94 IN PTR dns2.computingforgeeks.com.
97 IN PTR mail1.computingforgeeks.com.
Alter DNS settings on Master Server
Make our new DNS Server as the default Name Server. Open file /etc/resolv.conf and add the lines below. Make sure to replace the IP to match your environment.
$ sudo vim /etc/resolv.conf nameserver 192.168.154.88
Allow dns service on the firewall
Configure firewall to allow dns service.
sudo firewall-cmd --add-service=dns --permanent
sudo firewall-cmd --reloadCheck if your configurations are okay, start and enable bind:
sudo named-checkconf
sudo systemctl start named
sudo systemctl enable named We are done with the Master BIND DNS Server. Let us proceed to configure our Slave server.
Configure Slave DNS Server – 192.168.154.94
On the slave server, install bind and bind-utils:
sudo dnf -y install bind bind-utils vimConfigure the slave server. Open /etc/named.conf and edit accordingly
$ sudo vim /etc/named.conf
//
// named.conf
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
// See /usr/share/doc/bind*/sample/ for example named configuration files.
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; ## Allows hosts to query Slave DNS
allow-transfer { none; }; ## Disable zone transfer
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
## Since this is a slave, lets allow recursion.
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
## Let us create zone definitions for both forward and reverse dns lookups.
# The files will be created automatically on the slave.
zone "computingforgeeks.com" IN {
type slave;
file "slaves/computingforgeeks.forward";
masters { 192.168.154.88; }; ## Master server it is receiving DNS Records from
};
zone "154.168.192.in-addr.arpa" IN {
type slave;
file "slaves/computingforgeeks.reverse";
masters { 192.168.154.88; }; ## Master server it is receiving DNS Records from
};
Alter DNS settings on Slave Server
Make our new DNS Servers (Both Master and Slave) as the default Name Servers. Open file /etc/resolv.conf and add the lines below. Make sure to replace the IPs to match your environment
$ sudo vim /etc/resolv.conf nameserver 192.168.154.88 nameserver 192.168.154.94
Check if your configurations are okay, start and enable bind:
sudo named-checkconf
sudo systemctl start named
sudo systemctl enable namedCheck /var/named/slaves directory is the Zone files have been transferred from the master
$ ll /var/named/slaves/ total 12 -rw-r--r-- 1 named named 480 Nov 23 14:16 computingforgeeks.forward -rw-r--r-- 1 named named 492 Nov 23 14:45 computingforgeeks.reverse
Proving that our DNS works
Testing if our DNS Server resolves. We are going to use a Windows machine to test our BIND DNS Server.
Change the network details of your windows as shown below. Let the DNS reflect your new DNS Servers.
Open up PowerShell or command prompt, type nslookup and test our DNS Services.
And our BIND DNS works!!. If you’re doing on a Linux client machine, edit the /etc/hosts file to change DNS configuration settings.
Conclusion
Now we have our BIND DNS Master and Slave working well. We hope the guide is comprehensive and has been beneficial to you. Thank you for visiting and continue to other captivating guides below.
How To Create CentOS 8 Local Repository Mirrors With Rsync & Nginx
Install WildFly (JBoss) Server on CentOS 8 / CentOS 7
How To Sync CentOS 8 repositories on Satellite / Katello / Foreman
How To Install Prometheus on RHEL 8 / CentOS 8
How To Create CentOS 8 KVM Image Template on OpenStack
Install and Configure Ghost CMS on CentOS 8 / RHEL 8
How To Install Zabbix Server on CentOS 8 / RHEL 8
What are CentOS 8 New features?
Install and Configure NFS Server on RHEL 8 / CentOS 8
How To Configure iSCSI Initiator on CentOS 8 / RHEL 8
How To Configure iSCSI Target and Initiator on CentOS 8 / RHEL 8
