Today we are going to cover the installation and configuration of the BIND DNS server on CentOS / RHEL 8. DNS is the distributed directory that maps the names of hosts on the Internet (fully qualified domain names, FQDNs) to their IP addresses and back. It sits at the application layer of the TCP/IP reference model, and almost every other service depends on it, which is why a broken or badly secured name server has such a wide blast radius. In this tutorial we will install an authoritative BIND DNS master and slave on CentOS 8 and cover the configuration of the zone data, including A/AAAA, MX and PTR records.
Step 1: Installing Bind DNS Server on CentOS 8 / RHEL 8
Install BIND together with bind-utils (dig, nslookup and friends, used for the checks later on) and an editor:
$ sudo dnf -y install bind bind-utils vim
CentOS-8 - AppStream 1.3 kB/s | 4.3 kB 00:03
CentOS-8 - Base 1.2 kB/s | 3.9 kB 00:03
CentOS-8 - Extras 467 B/s | 1.5 kB 00:03
Dependencies resolved
Keep SELinux in Enforcing mode: the bind package ships its own policy and the directories used below (/var/named, /var/named/slaves) already carry the right labels, so nothing has to be relaxed. Check the current mode with:
$ getenforce
Step 2: Configure BIND DNS Authoritative Server on CentOS 8 / RHEL 8
The BIND configuration file is /etc/named.conf. The values used throughout this tutorial are listed below; substitute your own domain, subnet and server addresses.
- osradar.com Zone (Domain Name)
- 192.168.109.0/24 Managed subnet
- 192.168.109.75 IP of slave server
- 192.168.109.59 IP of the master server
Edit /etc/named.conf with the command below and apply the following settings.
$ sudo vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; }; ## Listen on every address: this is an authoritative server that outside resolvers must be able to reach
listen-on-v6 port 53 { any; }; ## Same for IPv6
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
## Authoritative server: any host may ask for records in our zones
allow-query { any; };
## But only the slave may copy the whole zone (AXFR/IXFR); anyone else gets "Transfer failed."
allow-transfer { 192.168.109.75; };
/*
 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
 - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion.
 - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface.
*/
recursion no; ## Following Advice from above.
dnssec-enable yes;
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Now add the zone definitions at the end of the file, after the include lines: one forward zone for the domain and one reverse zone for the subnet. The file names are yours to choose, but they must match the zone files created in the next step.
zone "osradar.com" IN {
type master;
file "osradar.forward";
allow-update { none; };
};
The name of the reverse zone is the first three octets of the /24 subnet in reverse order, followed by in-addr.arpa: 192.168.109.0/24 becomes 109.168.192.in-addr.arpa (and the network containing 192.168.10.10 becomes 10.168.192.in-addr.arpa).
zone "109.168.192.in-addr.arpa" IN {
type master;
file "osradar.reverse";
allow-update { none; };
};
The 192.168.109.0/24 addresses used here are private, so this pair only serves the zone inside that network (a lab or an internal domain). For a public authoritative server the NS hosts need publicly routable addresses and the registrar has to delegate the domain to them; a reverse zone for private space is never delegated to you and only resolves for clients that query these servers directly.
Step 3: Creating Zone Files
With named.conf done, create the zone files and put in them every record you want to serve: A/AAAA, MX, PTR and so on. Each file lives in /var/named/ and its name must match the file statement of its zone in named.conf. Two syntax rules matter: comments start with ";" (a "#" is a syntax error in a zone file), and a record line that begins with whitespace has no owner name of its own and inherits the previous one, which is how the apex records after the SOA belong to the zone itself.
$ sudo vim /var/named/osradar.forward
$TTL 86400
; Comments start with ";". Any number works as the serial, but YYYYMMDDnn is the usual
; convention; the slave only transfers the zone again when the serial has increased.
@       IN SOA dns1.osradar.com. root.osradar.com. (
        2019112201 ;Serial
        3600 ;Refresh
        1800 ;Retry
        604800 ;Expire
        86400 ;Minimum TTL
)
; Name servers of the zone (lines starting with whitespace keep the owner "@", i.e. osradar.com)
        IN NS dns1.osradar.com.
        IN NS dns2.osradar.com.
; Address of the zone apex, osradar.com itself
        IN A 192.168.109.59
; Mail exchanger for the domain
        IN MX 10 dns1.osradar.com.
; One A record per host; names without a trailing dot are relative to osradar.com
dns1    IN A 192.168.109.59
dns2    IN A 192.168.109.75
mail1   IN A 192.168.109.78
Now create the reverse zone file for the same subnet, using the file name given in named.conf. Its PTR records are the mirror image of the A records above.
$ sudo vim /var/named/osradar.reverse
$TTL 86400
@       IN SOA dns1.osradar.com. root.osradar.com. (
        2019112201 ;Serial
        3600 ;Refresh
        1800 ;Retry
        604800 ;Expire
        86400 ;Minimum TTL
)
; Name servers: the slave serves this zone as well, so list both
        IN NS dns1.osradar.com.
        IN NS dns2.osradar.com.
; One PTR record per host. The owner is the last octet of the address and must match
; the A record in the forward zone: 192.168.109.59 is dns1, so its PTR owner is "59"
59      IN PTR dns1.osradar.com.
75      IN PTR dns2.osradar.com.
78      IN PTR mail1.osradar.com.
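The forward and reverse files have to agree with each other by hand: every A record inside the /24 needs a PTR whose owner is the last octet of the address, and the serial has to go up on every edit or the slave keeps serving its old copy. The POSIX shell helpers below automate exactly those two chores. They are an added example for this tutorial, not BIND tooling and not code from the original page; the embedded forward zone is constructed sample data in the "owner IN A address" layout used above, and the /24 subnet and the YYYYMMDDnn serial convention are assumptions taken from the text.

```shell
#!/bin/sh
# Added example for this tutorial (not BIND tooling and not from the original page).
# Assumptions: a /24 managed subnet, records laid out as "owner IN A address" exactly
# as in the zone file above, and the YYYYMMDDnn serial convention recommended there.

# reverse_zone_name SUBNET: 192.168.109.0 -> 109.168.192.in-addr.arpa (the /24 rule from the text)
reverse_zone_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}

# ptr_records_from_a ORIGIN PREFIX < forward-zone-file
# Emits one PTR per "owner IN A address" line whose address lies in PREFIX (e.g. 192.168.109),
# with the last octet as owner. Comments (;), $-directives, apex records without an owner,
# AAAA records and hosts outside the /24 are skipped, so the reverse zone cannot drift
# from the forward zone.
ptr_records_from_a() {
    awk -v origin="$1" -v prefix="$2" '
        /^[ \t]*;/ || /^\$/ { next }
        $2 == "IN" && $3 == "A" && $1 != "@" && index($4, prefix ".") == 1 {
            n = split($4, o, ".")
            printf "%-4s IN PTR %s.%s.\n", o[n], $1, origin
        }'
}

# next_serial CURRENT [YYYYMMDD]
# Same day: bump nn. New day: <date>01. Serial already ahead of today's date (the clock was
# wrong once): plain increment, which still satisfies the "must increase" rule the slave applies.
next_serial() {
    cur=$1
    today=${2:-$(date +%Y%m%d)}
    case $cur in
        ''|*[!0-9]*) echo "next_serial: '$cur' is not a numeric serial" >&2; return 1 ;;
    esac
    case $cur in
        "$today"[0-9][0-9])
            nn=${cur#"$today"}
            nn=$(( ${nn#0} + 1 ))
            if [ "$nn" -gt 99 ]; then
                echo "next_serial: 99 edits already today; fall back to a plain increment" >&2
                return 1
            fi
            printf '%s%02d\n' "$today" "$nn" ;;
        *)
            if [ "$cur" -ge "${today}01" ]; then
                printf '%s\n' $(( cur + 1 ))
            else
                printf '%s01\n' "$today"
            fi ;;
    esac
}

# Constructed sample forward zone in the layout used in this tutorial.
sample_forward_zone() {
    cat <<'EOF'
$TTL 86400
@ IN SOA dns1.osradar.com. root.osradar.com. (
        2019112201 ;Serial
        3600 ;Refresh
        1800 ;Retry
        604800 ;Expire
        86400 ;Minimum TTL
)
        IN NS dns1.osradar.com.
        IN NS dns2.osradar.com.
        IN A 192.168.109.59
        IN MX 10 dns1.osradar.com.
; hosts inside the managed /24
dns1  IN A 192.168.109.59
dns2  IN A 192.168.109.75
mail1 IN A 192.168.109.78
; outside the /24 or not IPv4: no PTR belongs in 109.168.192.in-addr.arpa
vpn   IN A 10.0.0.5
dns1  IN AAAA 2001:db8::59
EOF
}

if [ "${1:-}" = "demo" ]; then
    echo "reverse zone : $(reverse_zone_name 192.168.109.0)"
    echo "next serial  : $(next_serial 2019112201)"
    echo "PTR records  :"
    sample_forward_zone | ptr_records_from_a osradar.com 192.168.109
fi
```

Run it as `sh zonehelpers.sh demo` to see the sample, or feed the real file: `ptr_records_from_a osradar.com 192.168.109 < /var/named/osradar.forward` prints the PTR block to paste into osradar.reverse, and `next_serial 2019112201` gives the serial to write into both files before `rndc reload`.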
Step 4: Alter DNS Settings on Master Server
To let the master itself use the new server, add it to /etc/resolv.conf:
$ sudo vim /etc/resolv.conf
nameserver 192.168.109.59
Note: replace the address with your own. Because recursion is off, this server answers only for osradar.com and the reverse zone and refuses everything else, so list your usual recursive resolver as well. NetworkManager rewrites /etc/resolv.conf on CentOS 8, so a change that should survive a reboot belongs in the connection profile (nmcli) rather than in this file. A quick test does not need this step at all: dig @192.168.109.59 osradar.com SOA asks the server directly.
Step 5: Firewall
Allow the dns service through firewalld. It opens 53/udp and 53/tcp; TCP is required for zone transfers to the slave and for answers too large for UDP.
sudo firewall-cmd --add-service=dns --permanent
sudo firewall-cmd --reload
Before starting named, verify the configuration. named-checkconf parses named.conf and its includes only; also run named-checkzone on each zone file (for example named-checkzone osradar.com /var/named/osradar.forward and named-checkzone 109.168.192.in-addr.arpa /var/named/osradar.reverse) to catch errors in the zone data itself, such as "#" comments, missing trailing dots or a PTR that points at the wrong host.
sudo named-checkconf
Start named now and enable it at boot:
sudo systemctl start named
sudo systemctl enable named
That completes the master BIND DNS server. Now the slave.
Step 6: Configuring Slave DNS Server
On the slave, install the same packages:
sudo dnf -y install bind bind-utils vim
Edit /etc/named.conf on the slave as follows. The options block is the same as on the master apart from allow-transfer.
$ sudo vim /etc/named.conf
//
// named.conf
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
// See /usr/share/doc/bind*/sample/ for example named configuration files.
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; ## Any host may query the slave
allow-transfer { none; }; ## Nobody may pull the zone from the slave; the master is the only transfer source
/*
 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
 - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion.
 - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface.
*/
## The slave is an authoritative server too; being a slave has nothing to do with recursion.
## With listen-on and allow-query set to any, "recursion yes" would turn it into an open resolver, exactly what the note above warns about.
recursion no;
dnssec-enable yes;
dnssec-validation yes;
/* Trust anchor file for DNSSEC validation (the ISC DLV service this line used to refer to is retired) */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Now add the zone definitions for the forward and reverse lookups. Nothing has to be typed into the zone files on the slave: named writes them into /var/named/slaves (a directory owned by the named user) after the first successful transfer from the master, and refreshes them whenever the master's serial increases.
zone "osradar.com" IN {
type slave;
file "slaves/osradar.forward";
masters { 192.168.109.59; }; ## the master this zone is transferred from; it must list this host in allow-transfer
};
zone "109.168.192.in-addr.arpa" IN {
type slave;
file "slaves/osradar.reverse";
masters { 192.168.109.59; }; ## same master for the reverse zone
};
Step 7: Alter DNS Settings on Slave Server
Open /etc/resolv.conf and list both servers, master first:
$ sudo vim /etc/resolv.conf
nameserver 192.168.109.59
nameserver 192.168.109.75
As on the master, these are authoritative servers that do not recurse, so keep your usual recursive resolver in the list as well if the slave needs to resolve names outside osradar.com.
Now double check the configurations & start and enable bind services
sudo named-checkconf
sudo systemctl start named
sudo systemctl enable named
Check that the zone files have been transferred from the master; named creates them in /var/named/slaves:
$ ll /var/named/slaves/
total 12
-rw-r--r-- 1 named named 480 Dec 14 14:16 osradar.forward
-rw-r--r-- 1 named named 492 Dec 14 14:45 osradar.reverse
If they do not appear, look at journalctl -u named on both hosts: the usual causes are a master allow-transfer that does not include the slave's address, or a firewall blocking 53/tcp between the two. After every change on the master, raise the serial and run rndc reload there; otherwise the slave keeps serving the old data until the refresh interval expires.
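Once both servers are up, three things are worth checking: that master and slave answer with the same SOA serial, that neither of them offers recursion to outside clients, and that a zone transfer is only possible from the slave. The script below, an added example for this tutorial and not code from the original page or from BIND, wraps those checks around dig from bind-utils. The parsing helpers work on dig's text output (the embedded samples are constructed to match the dig 9.11 format), and check_pair runs the live queries against the master/slave addresses used above, which you can override through the MASTER, SLAVE and ZONE environment variables. Run it once from the slave and once from an unrelated host: the AXFR line should read "allowed" only on the slave.

```shell
#!/bin/sh
# Added example for this tutorial (not from the original page, not BIND tooling).
# Needs dig (bind-utils) and network reach to the servers for the live checks;
# the parsing helpers and the constructed sample outputs below work offline.
MASTER=${MASTER:-192.168.109.59}
SLAVE=${SLAVE:-192.168.109.75}
ZONE=${ZONE:-osradar.com}

# Serial from a "dig +short SOA" line: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM.
soa_serial() { printf '%s\n' "$1" | awk 'NF >= 7 { print $3; exit }'; }

# RCODE (NOERROR, REFUSED, ...) from the header line of a full dig output.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# Number of records in the ANSWER section, taken from the flags line.
dig_answer_count() { printf '%s\n' "$1" | sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p'; }

# True when the flags line carries the given flag. "ra" (recursion available) on an
# authoritative-only server means "recursion no" did not take effect.
dig_has_flag() { printf '%s\n' "$1" | grep -q "^;; flags:[^;]* $2[ ;]"; }

# A complete AXFR starts and ends with the SOA record; a refused one prints "; Transfer failed."
axfr_ok() {
    printf '%s\n' "$1" | grep -q 'Transfer failed' && return 1
    [ "$(printf '%s\n' "$1" | grep -c '[[:space:]]IN[[:space:]]SOA[[:space:]]')" -eq 2 ]
}

# Constructed sample outputs in dig's format, used to exercise the helpers offline.
SAMPLE_SOA='dns1.osradar.com. root.osradar.com. 2019112201 3600 1800 604800 86400'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4711
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_AXFR='osradar.com. 86400 IN SOA dns1.osradar.com. root.osradar.com. 2019112201 3600 1800 604800 86400
osradar.com. 86400 IN NS dns1.osradar.com.
dns1.osradar.com. 86400 IN A 192.168.109.59
osradar.com. 86400 IN SOA dns1.osradar.com. root.osradar.com. 2019112201 3600 1800 604800 86400'
SAMPLE_AXFR_DENIED='; <<>> DiG 9.11.4 <<>> @192.168.109.59 osradar.com AXFR
; Transfer failed.'

# Live checks against the pair. Exit status 0 only when every check passes.
check_pair() {
    rc=0
    ms=$(soa_serial "$(dig +short @"$MASTER" "$ZONE" SOA)")
    ss=$(soa_serial "$(dig +short @"$SLAVE" "$ZONE" SOA)")
    if [ -n "$ms" ] && [ "$ms" = "$ss" ]; then
        echo "ok   serial $ms identical on master and slave"
    else
        echo "FAIL serial master=${ms:-none} slave=${ss:-none}: check allow-transfer, the serial and journalctl -u named"
        rc=1
    fi
    for srv in "$MASTER" "$SLAVE"; do
        out=$(dig @"$srv" example.org A)     # a name neither server is authoritative for
        if dig_has_flag "$out" ra || [ "$(dig_answer_count "$out")" != 0 ]; then
            echo "FAIL $srv resolves foreign names (open resolver): status $(dig_status "$out")"
            rc=1
        else
            echo "ok   $srv refuses recursion (status $(dig_status "$out"))"
        fi
    done
    if axfr_ok "$(dig @"$MASTER" "$ZONE" AXFR)"; then
        echo "note AXFR of $ZONE from this host is allowed by the master (expected only on the slave)"
    else
        echo "note AXFR of $ZONE from this host is refused by the master"
    fi
    return $rc
}

if [ "${1:-}" = "run" ]; then check_pair; fi
```

Run it as `sh dnscheck.sh run`. The recursion test deliberately asks for a name the pair is not authoritative for and fails on either an answer or the "ra" flag, rather than on a specific RCODE, so it works whether the server answers REFUSED or a bare referral.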
Congratulations! You have successfully Configured Master / Slave Server on CentOS 8.