Introduction

This guide walks you through the steps required to configure a BIND DNS server on CentOS 8 / RHEL 8 Linux: a Master / Slave BIND DNS setup on CentOS 8 / RHEL 8. The Domain Name System is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network (Wikipedia). It acts as the phonebook of the internet, mapping every computer that has an FQDN to an address.

As part of the application layer of the TCP/IP reference model, DNS is essential to the day-to-day operation of computers all over the world. We are going to install an authoritative BIND DNS master and slave on CentOS 8 and do configurations such as adding PTR and A/AAAA records, among others.

For Windows users, check: Install and Configure DNS Server on Windows Server 2019

Install Bind DNS Server on CentOS 8 / RHEL 8

Run the following commands to install Bind DNS server packages on CentOS 8 / RHEL 8 Linux server.

$ dnf -y install bind bind-utils vim
CentOS-8 - AppStream                                   1.3 kB/s | 4.3 kB     00:03    
CentOS-8 - Base                                        1.2 kB/s | 3.9 kB     00:03    
CentOS-8 - Extras                                      467  B/s | 1.5 kB     00:03    
Dependencies resolved

In this setup, we’ll keep SELinux in enforcing mode.

$ getenforce
Enforcing
The reason for this, quoting Red Hat: SELinux helps mitigate the damage made by configuration mistakes. Domain Name System (DNS) servers often replicate information between each other in what is known as a zone transfer. Attackers can use zone transfers to update DNS servers with false information. When running the Berkeley Internet Name Domain (BIND) as a DNS server in Red Hat Enterprise Linux, even if an administrator forgets to limit which servers can perform a zone transfer, the default SELinux policy prevents zone files from being updated using zone transfers, by the BIND named daemon itself, and by other processes. (Source: Red Hat)

Configure BIND DNS Authoritative server on CentOS 8 / RHEL 8

Let us configure our BIND DNS Authoritative server. Open the config file /etc/named.conf.

Our DNS server has the following settings.

  • computingforgeeks.com Zone (Domain name)
  • 192.168.154.0 – Managed subnet
  • 192.168.154.94 IP of slave server
  • 192.168.154.88 – IP of the master server

Here is the named.conf configuration file.

$ sudo vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
 
options {
         listen-on port 53 { any; }; ## Listen on any since it is an authoritative DNS Publicly available. 
         listen-on-v6 port 53 { any; }; ## You can also set the same for IPv6
         directory       "/var/named";
         dump-file       "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         memstatistics-file "/var/named/data/named_mem_stats.txt";
         secroots-file   "/var/named/data/named.secroots";
         recursing-file  "/var/named/data/named.recursing";
        ## Since this will be an authoritative nameserver, allow queries from any host
        allow-query     { any; };
        ## Only the slave may pull zone transfers (AXFR/IXFR)
        allow-transfer  { 192.168.154.94; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface.
        */
        recursion no; ## Following the advice above.
        dnssec-enable yes;
        dnssec-validation yes;
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};
 

logging {
         channel default_debug {
                 file "data/named.run";
                 severity dynamic;
         };
};

zone "." IN {
         type hint;
         file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

## Set your ZONE details as shown below for different domains. Set the forward and reverse details. You can set the names of files as you like
 
zone "computingforgeeks.com" IN {
        type master;
        file "computingforgeeks.forward";
        allow-update { none; };
};

## Make sure you follow the rule for reverse zone (154.168.192.in-addr.arpa). [If your IP is 192.168.10.10, It will be 10.168.192.in-addr.arpa]
 
zone "154.168.192.in-addr.arpa" IN {
        type master;
        file "computingforgeeks.reverse";
        allow-update { none; };
};

The master server is 192.168.154.88. Please note that in a real deployment the master's IP should be a public one, because this is an authoritative DNS server.

Create Zone Files

After you define the zones in named.conf, we have to create the zone files and place in them all the records you wish to add, such as A/AAAA, MX, PTR and others. Create the files in the /var/named/ directory.

$ sudo vim /var/named/computingforgeeks.forward

$TTL 86400
; Zone-file comments start with ';' (a '#' here would be parsed as record data and fail named-checkzone)
@   IN  SOA     dns1.computingforgeeks.com. root.computingforgeeks.com. (
        ; You can use any numerical value for the serial number, but [YYYYMMDDnn] is recommended
        2019112201  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
        ; Set your name servers here
        IN  NS      dns1.computingforgeeks.com.
        IN  NS      dns2.computingforgeeks.com.
        ; Define the IP address of the zone apex (computingforgeeks.com itself)
        IN  A       192.168.154.88
        ; Set your Mail Exchanger (MX) server here
        IN  MX 10   dns1.computingforgeeks.com.

; Set the IP address of each hostname. Sample A records.
dns1     IN  A       192.168.154.88
dns2     IN  A       192.168.154.94
mail1    IN  A       192.168.154.97

Create corresponding reverse records for the same domain we had defined in named.conf config file.

$ sudo vim /var/named/computingforgeeks.reverse

$TTL 86400
@   IN  SOA     dns1.computingforgeeks.com. root.computingforgeeks.com. (
        2019112201  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
        ; Set the name server
        IN  NS      dns1.computingforgeeks.com.
; Set the hostname of each IP address (last octet only, the zone supplies 154.168.192.in-addr.arpa). Sample PTR records.
88      IN  PTR     dns1.computingforgeeks.com.
94      IN  PTR     dns2.computingforgeeks.com.
97      IN  PTR     mail1.computingforgeeks.com.
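Before loading the two files it is worth cross-checking them, because a forward A record without a matching PTR (or a PTR pointing at a name that has no A record) is the most common hand-editing mistake in a setup like this. The following Python checker is an added example, not code from the original guide: it parses small hand-written zone files like the two above (';' comments, owner inheritance from a leading blank, the parenthesised SOA), verifies that the SOA serial follows the YYYYMMDDnn convention the guide recommends, and reports every A/PTR mismatch. The zone text embedded in it is constructed to mirror the guide's records; the origins are the two zone names from named.conf.

```python
import re

# Constructed sample zones mirroring the records in this guide (comments trimmed).
FORWARD_ORIGIN = "computingforgeeks.com."
REVERSE_ORIGIN = "154.168.192.in-addr.arpa."

FORWARD_ZONE = """\
$TTL 86400
@   IN  SOA dns1.computingforgeeks.com. root.computingforgeeks.com. (
        2019112201  ;Serial
        3600 1800 604800 86400 )   ;Refresh Retry Expire Minimum
        IN  NS   dns1.computingforgeeks.com.
        IN  NS   dns2.computingforgeeks.com.
        IN  A    192.168.154.88
        IN  MX 10 dns1.computingforgeeks.com.
dns1    IN  A    192.168.154.88
dns2    IN  A    192.168.154.94
mail1   IN  A    192.168.154.97
"""

REVERSE_ZONE = """\
$TTL 86400
@   IN  SOA dns1.computingforgeeks.com. root.computingforgeeks.com. (
        2019112201 3600 1800 604800 86400 )
        IN  NS   dns1.computingforgeeks.com.
88      IN  PTR  dns1.computingforgeeks.com.
94      IN  PTR  dns2.computingforgeeks.com.
97      IN  PTR  mail1.computingforgeeks.com.
"""

RTYPES = {"SOA", "NS", "A", "AAAA", "MX", "PTR", "CNAME", "TXT"}


def qualify(name, origin):
    """Turn a zone-file owner or target into a fully qualified name under origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal master-file parser: returns [(owner_fqdn, rtype, rdata_tokens)].
    Handles ';' comments, $-directives, owner inheritance and the SOA parentheses."""
    records, owner, buf, depth = [], None, [], 0
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw).rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if depth == 0:
            if tokens[0].startswith("$"):
                continue
            if not line[0].isspace():      # a line starting in column 0 names a new owner
                owner = tokens[0]
                tokens = tokens[1:]
            buf = tokens
        else:                              # still inside ( ... ): keep collecting fields
            buf.extend(tokens)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            fields = [t for t in buf if t not in ("(", ")")]
            idx = next(i for i, t in enumerate(fields) if t in RTYPES)
            records.append((qualify(owner, origin), fields[idx], fields[idx + 1:]))
    return records


def soa_serial(text, origin):
    for _owner, rtype, rdata in parse_zone(text, origin):
        if rtype == "SOA":
            return rdata[2]   # mname, rname, serial, refresh, retry, expire, minimum
    return None


def serial_looks_dated(serial):
    """True when the serial follows the YYYYMMDDnn convention."""
    return re.fullmatch(r"(19|20)\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d{2}", serial) is not None


def ptr_owner_to_ip(owner):
    labels = owner.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 reverse name: {owner}")
    return ".".join(reversed(labels[:-2]))


def check_consistency(forward_text, forward_origin, reverse_text, reverse_origin):
    """Cross-check A records against PTR records; returns a list of problems (empty = consistent)."""
    names_for_ip = {}
    for owner, rtype, rdata in parse_zone(forward_text, forward_origin):
        if rtype == "A":
            names_for_ip.setdefault(rdata[0], set()).add(owner)
    ptr_for_ip = {}
    for owner, rtype, rdata in parse_zone(reverse_text, reverse_origin):
        if rtype == "PTR":
            ptr_for_ip[ptr_owner_to_ip(owner)] = qualify(rdata[0], reverse_origin)
    problems = []
    for ip, names in sorted(names_for_ip.items()):
        if ip not in ptr_for_ip:
            problems.append(f"{ip}: A record(s) {sorted(names)} but no PTR")
        elif ptr_for_ip[ip] not in names:
            problems.append(f"{ip}: PTR says {ptr_for_ip[ip]} but A records say {sorted(names)}")
    for ip, name in sorted(ptr_for_ip.items()):
        if ip not in names_for_ip:
            problems.append(f"{ip}: PTR {name} has no matching A record")
    return problems


if __name__ == "__main__":
    for zone, origin in ((FORWARD_ZONE, FORWARD_ORIGIN), (REVERSE_ZONE, REVERSE_ORIGIN)):
        print(origin, "serial", soa_serial(zone, origin), "dated:", serial_looks_dated(soa_serial(zone, origin)))
    issues = check_consistency(FORWARD_ZONE, FORWARD_ORIGIN, REVERSE_ZONE, REVERSE_ORIGIN)
    print("forward/reverse consistent" if not issues else "\n".join(issues))
```

To run it against the real files, read /var/named/computingforgeeks.forward and /var/named/computingforgeeks.reverse into the two text variables; the apex A record sharing its IP with dns1 is accepted because the checker treats every A record name for an address as a valid PTR target.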

Alter DNS settings on Master Server

Make the new DNS server the default name server. Open /etc/resolv.conf and add the line below, replacing the IP to match your environment.

$ sudo vim /etc/resolv.conf  
nameserver 192.168.154.88

Allow dns service on the firewall

Configure firewall to allow dns service.

sudo firewall-cmd --add-service=dns --permanent
sudo firewall-cmd --reload

Check if your configurations are okay, start and enable bind:

sudo named-checkconf
sudo systemctl start named
sudo systemctl enable named 

We are done with the Master BIND DNS Server. Let us proceed to configure our Slave server.

Configure Slave DNS Server – 192.168.154.94

On the slave server, install bind and bind-utils:

sudo dnf -y install bind bind-utils vim

Configure the slave server. Open /etc/named.conf and edit accordingly

$ sudo vim /etc/named.conf
//
// named.conf
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
// See /usr/share/doc/bind*/sample/ for example named configuration files.
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
         listen-on port 53 { any; };
         listen-on-v6 port 53 { any; };
         directory       "/var/named";
         dump-file       "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         memstatistics-file "/var/named/data/named_mem_stats.txt";
         recursing-file  "/var/named/data/named.recursing";
         secroots-file   "/var/named/data/named.secroots";
         allow-query     { any; }; ## Allows hosts to query the slave DNS
         allow-transfer  { none; }; ## Disable zone transfers from the slave

         /*
          - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
          - If you are building a RECURSIVE (caching) DNS server, you need to enable
            recursion.
          - If your recursive DNS server has a public IP address, you MUST enable access
            control to limit queries to your legitimate users. Failing to do so will
            cause your server to become part of large scale DNS amplification
            attacks. Implementing BCP38 within your network would greatly
            reduce such attack surface.
         */
         ## Since this is a slave, let's allow recursion.
         ## Caveat: combined with allow-query { any; } and no allow-recursion ACL, this
         ## is the publicly reachable recursive server the comment above warns about;
         ## add allow-recursion { <your networks>; } if the slave is reachable from outside.
         recursion yes;
         dnssec-enable yes;
         dnssec-validation yes;
         /* Trust-anchor file (the stock Red Hat comment calls this the ISC DLV key, but DLV has been retired) */
         bindkeys-file "/etc/named.root.key";
         managed-keys-directory "/var/named/dynamic";
         pid-file "/run/named/named.pid";
         session-keyfile "/run/named/session.key";
};

logging {
         channel default_debug {
                 file "data/named.run";
                 severity dynamic;
         };
};

zone "." IN {
         type hint;
         file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

## Let us create zone definitions for both forward and reverse dns lookups.
# The files will be created automatically on the slave.

zone "computingforgeeks.com" IN {
         type slave;
         file "slaves/computingforgeeks.forward";
         masters { 192.168.154.88; }; ## Master server it is receiving DNS Records from
};

zone  "154.168.192.in-addr.arpa" IN {
         type slave;
         file "slaves/computingforgeeks.reverse";
         masters { 192.168.154.88; }; ## Master server it is receiving DNS Records from
};
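The two named.conf files above differ in exactly the settings that decide whether a server becomes an open resolver or leaks zones: recursion, allow-query, allow-recursion and allow-transfer. The following Python audit is an added example, not code from the original guide or from BIND: it strips named.conf comments, pulls the options block out by brace counting, and flags the two configurations the guide's own comment block warns about. The sample configs embedded in it are constructed excerpts of the master and slave options blocks above; the fallback chain it applies for absent statements (recursion defaults to yes; the recursive-query ACL falls back allow-recursion, then allow-query-cache, then allow-query, then localnets/localhost; allow-transfer defaults to any) is the behaviour documented in the BIND 9.11 ARM.

```python
import re

# Constructed named.conf excerpts modelled on the guide's master and slave options blocks.
MASTER_CONF = """\
options {
        listen-on port 53 { any; };
        directory       "/var/named";
        allow-query     { any; };
        allow-transfer  { 192.168.154.94; };
        /* authoritative server: do NOT enable recursion */
        recursion no;
        dnssec-validation yes;
        include "/etc/crypto-policies/back-ends/bind.config";
};
zone "computingforgeeks.com" IN {
        type master;
        file "computingforgeeks.forward";
        allow-update { none; };
};
"""

SLAVE_CONF = """\
options {
        listen-on port 53 { any; };
        allow-query     { any; }; ## Allows hosts to query Slave DNS
        allow-transfer  { none; }; ## Disable zone transfer
        ## Since this is a slave, recursion is enabled
        recursion yes;
        dnssec-validation yes;
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    text = re.sub(r"//[^\n]*", "", text)
    return re.sub(r"#[^\n]*", "", text)


def extract_block(text, name):
    """Body of the top-level `name { ... };` block, found by brace counting."""
    m = re.search(rf"\b{name}\s*\{{", text)
    if not m:
        return None
    start = i = m.end()
    depth = 1
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start:i - 1]


# key, optional "{ acl; acl; }" body, or a scalar value, terminated by ';'
STATEMENT = re.compile(r"([a-z][\w-]*)\s*(?:[^;{}]*?\{([^}]*)\}|\s+([^;{}]+))?\s*;")


def parse_statements(body):
    """Map each statement to its ACL list ({ a; b; }) or its scalar value."""
    opts = {}
    for m in STATEMENT.finditer(body):
        key, acl, value = m.group(1), m.group(2), m.group(3)
        if acl is not None:
            opts[key] = [e.strip() for e in acl.split(";") if e.strip()]
        else:
            opts[key] = (value or "").strip()
    return opts


def audit(named_conf):
    """Return a list of findings for the options block; an empty list means clean."""
    body = extract_block(strip_comments(named_conf), "options")
    if body is None:
        return ["no options block found"]
    opts = parse_statements(body)
    findings = []
    # BIND 9.11 defaults when a statement is absent: recursion yes; the ACL for recursive
    # queries falls back allow-recursion -> allow-query-cache -> allow-query ->
    # { localnets; localhost; }; allow-transfer defaults to any.
    recursion = opts.get("recursion", "yes").lower()
    recursion_acl = (opts.get("allow-recursion") or opts.get("allow-query-cache")
                     or opts.get("allow-query") or ["localnets", "localhost"])
    if recursion == "yes" and "any" in recursion_acl:
        findings.append("open resolver: recursion yes and recursive queries allowed from any "
                        f"(effective ACL {recursion_acl}); set allow-recursion to your own "
                        "networks or turn recursion off")
    transfer_acl = opts.get("allow-transfer")
    if transfer_acl is None:
        findings.append("allow-transfer not set: zone transfers are allowed to any host by default")
    elif "any" in transfer_acl:
        findings.append("allow-transfer { any; }: restrict it to the slave's address or none")
    return findings


if __name__ == "__main__":
    for label, conf in (("master", MASTER_CONF), ("slave", SLAVE_CONF)):
        findings = audit(conf)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against the guide's own files the master comes back clean, while the slave is reported as an open resolver, because allow-query { any; } becomes the recursion ACL when allow-recursion is absent; adding allow-recursion { 192.168.154.0/24; localhost; } clears the finding. It is a text-level check and deliberately does not replace named-checkconf.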

Alter DNS settings on Slave Server

Make the new DNS servers (both master and slave) the default name servers. Open /etc/resolv.conf and add the lines below, replacing the IPs to match your environment.

$ sudo vim /etc/resolv.conf
nameserver 192.168.154.88
nameserver 192.168.154.94

Check if your configurations are okay, start and enable bind:

sudo named-checkconf
sudo systemctl start named
sudo systemctl enable named

Check the /var/named/slaves directory to confirm that the zone files have been transferred from the master:

$ ll /var/named/slaves/
total 12
-rw-r--r-- 1 named named 480 Nov 23 14:16 computingforgeeks.forward
-rw-r--r-- 1 named named 492 Nov 23 14:45 computingforgeeks.reverse

Proving that our DNS works

Let us test that our DNS server resolves names. We are going to use a Windows machine to test the BIND DNS server.

Change the network settings of the Windows machine so that its DNS servers point at the new DNS servers.

Open PowerShell or a command prompt, run nslookup, and query the new DNS service.

And our BIND DNS works! If you are testing from a Linux client machine, edit the /etc/hosts file to change the DNS configuration settings.
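What distinguishes the server we just built from any resolver is that its answers for computingforgeeks.com carry the AA (authoritative answer) flag; nslookup prints "Non-authoritative answer:" when that flag is missing, which is the sign that you are talking to a cache rather than to the master or slave. The following Python script is an added example, not code from the original guide: it builds a DNS query with recursion desired cleared, parses the reply, and reports the AA flag and the A records. The network function query() talks to whatever server address you pass; the embedded response used when no server is given is constructed by hand to show the parser working offline.

```python
import socket
import struct


def encode_name(qname):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, txid=0x1234):
    """Query with RD=0: we want the server's own (authoritative) data, not a recursive lookup."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just past the name field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(msg):
    """Header flags plus the answer section as (name, type, ttl, value) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                   # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": answers}


def query(server, qname, timeout=3.0):
    """Send the query over UDP to server:53 and parse the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def constructed_sample_response():
    """Hand-built reply for offline use (constructed data, not a capture): QR=1, AA=1,
    one A answer whose name is a compression pointer back to the question."""
    q = build_query("dns1.computingforgeeks.com.")
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 86400, 4) + socket.inet_aton("192.168.154.88")
    return header + q[12:] + answer


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:          # e.g. 192.168.154.88 dns1.computingforgeeks.com
        result = query(sys.argv[1], sys.argv[2])
    else:
        result = parse_response(constructed_sample_response())
    print("authoritative" if result["aa"] else "NOT authoritative", result["answers"])
```

Pointed at the master (192.168.154.88) or the slave (192.168.154.94) with a name inside computingforgeeks.com, a correct setup reports "authoritative"; a name outside the zone answered by the slave comes back without AA, because that answer is the product of recursion rather than of the zone data.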

Conclusion

Now we have our BIND DNS master and slave working well. We hope the guide is comprehensive and has been beneficial to you. Thank you for visiting, and check out our other guides.
