Step-by-Step Tutorial: Configure DNS Server using bind chroot (CentOS/RHEL 7/8)


DNS, Linux

how to configure dns server in rhel 7 or rhel 8 step by step. dns server configuration in linux step by step centos. bind chroot. dns server configuration in linux step by step centos. how to configure dns server in rhel 7 step by step. named chroot. bind allow query. install bind centos 7 or centos 8. Configure forward zone file and reverse zone file using named chroot using centos or rhel 7 or centos 8. Sample forward zone file and reverse zone file on rhel 7 or rhel 8 linux. Verify bind dns server configuration files using named-checkconf. Do not copy chroot contents to /var/named/chroot. dns configuration step by step. setup dns server on red hat.

Step-by-Step Tutorial: Configure DNS Server using bind chroot (CentOS/RHEL 7)

 

Install Bind Chroot RPM

To install BIND running in a chroot environment, you have to install the bind-chroot package.

NOTE:
If you do not have an active repository then download rpms with all the list of dependencies using which then you can create an offline repository.
[root@centos-8 ~]# yum install -y bind-chroot

Verify the list of available bind packages installed with bind chroot via yum:

[root@centos-8 ~]# rpm -qa| grep bind
bind-license-9.9.4-74.el7_6.1.noarch
bind-chroot-9.9.4-74.el7_6.1.x86_64
keybinder3-0.3.0-1.el7.x86_64
bind-libs-9.9.4-74.el7_6.1.x86_64
bind-utils-9.9.4-74.el7_6.1.x86_64
bind-libs-lite-9.9.4-74.el7_6.1.x86_64
bind-9.9.4-74.el7_6.1.x86_64
rpcbind-0.2.0-47.el7.x86_64

Below list of directories and files will be created with bind chroot package on your CentOS/RHEL 7/8 Linux host:

[root@centos-8 ~]# ls -l /var/named/chroot/
total 20
drwxr-x---. 2 root named 4096 Jun 21 16:11 dev
drwxr-x---. 4 root named 4096 Jun 21 16:11 etc
drwxr-x---. 3 root named 4096 Jun 21 16:11 run
drwxr-xr-x. 3 root root  4096 Jun 21 16:11 usr
drwxr-x---. 5 root named 4096 Jun 21 16:11 var

Turn ON the bind chroot environment, with this all your Bind DNS server related files and directories will be mount on /var/named/chroot

[root@centos-8 ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on

Next verify the list of mount paths on /var/named/chroot

[root@centos-8 ~]# mount | grep chroot
/dev/mapper/centos-root on /var/named/chroot/etc/named type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/usr/lib64/bind type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/localtime type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.root.key type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.conf type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.rfc1912.zones type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/rndc.key type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.iscdlv.key type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/protocols type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/services type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/usr/lib64/bind type ext4 (rw,relatime,data=ordered)
tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,mode=755)
/dev/mapper/centos-root on /var/named/chroot/var/named type ext4 (rw,relatime,data=ordered)

We will note our IP Address which we will use to configure our BIND DNS in chroot environment

[root@centos-8 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:df:87:41 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.32/8 brd 10.255.255.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fedf:8741/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:95:c3:cd brd ff:ff:ff:ff:ff:ff
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:b0:af:fb brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:b0:af:fb brd ff:ff:ff:ff:ff:ff

 

Configure DNS Server (named.conf)

To configure DNS server first thing is to update our /etc/named.conf file. We have made the below highlighted changes in our named.conf file:

[root@centos-8 ~]# cat /etc/named.conf

options {
        listen-on port 53 { 127.0.0.1; any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost; any; };
        allow-query-cache { localhost; any; };

        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

 

Add zone records

Next we need to add zone records for forward zone file and reverse zone file location in /etc/named.rfc1912.zones file. here example.com contains details for our forward zone file and 2.0.10.in-addr.arpa contains information about reverse zone file.

zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { none; };
};

zone "2.0.10.in-addr.arpa" IN {
        type master;
        file "example.com.rzone";
        allow-update { none; };
};
NOTE:
For the reverse zone, here since our IP is 10.0.2.32, I have used 2.0.10.in-addr.arpa as the zone name, similarly if your IP is 192.168.0.XX then your reverse zone name syntax would be 0.168.192.in-addr.arpa

We will create our forward and reverse zone files in the next steps.

 

Create Forward Zone File

Navigate to /var/named where we will have some default templates which can be used to configure our forward zone file.

[root@centos-8 ~]# cd /var/named/

List the content of /var/named

[root@centos-8 named]# ls -l
total 32
drwxr-x---. 2 root  named 4096 Jun 21 16:12 chroot
drwxrwx---. 2 named named 4096 Jun  5 00:56 data
drwxrwx---. 2 named named 4096 Jun  5 00:56 dynamic
-rw-r-----. 1 root  named 2281 May 22  2017 named.ca
-rw-r-----. 1 root  named  152 Dec 15  2009 named.empty
-rw-r-----. 1 root  named  152 Jun 21  2007 named.localhost
-rw-r-----. 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx---. 2 named named 4096 Jun  5 00:56 slaves

Create forward zone file using named.localhost

[root@centos-8 named]# cat named.loopback > example.com.zone

Change the permission and ownership of the forward zone file (example.com.zone) as shown below:

[root@centos-8 named]# chmod 644 example.com.zone
[root@centos-8 named]# chown root:named example.com.zone

[root@centos-8 named]# ls -l example.com.zone
-rw-r--r--. 1 root named 260 Jun 21 16:28 example.com.zone

Update the forward zone file with the details from your setup and environment. Below is my sample forward zone file:

[root@centos-8 named]# cat example.com.zone
$TTL 1D
@       IN SOA  example.com       root (
                                        1       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                   IN NS   localhost
localhost          IN A    127.0.0.1
centos-7           IN A    10.0.2.30
rhel-8             IN A    10.0.2.31
centos-8           IN A    10.0.2.32

 

Create Reverse Zone File

Similarly create a reverse zone file using named.localhost.

[root@centos-8 named]# cat named.localhost > example.com.rzone

Change the permission and ownership of the reverse zone file (example.com.rzone) as shown below:

[root@centos-8 named]# chmod 644 example.com.rzone
[root@centos-8 named]# chown root:named example.com.rzone

[root@centos-8 named]# ls -l example.com.rzone
-rw-r--r--. 1 root named 260 Jun 21 16:28 example.com.rzone

Next update the values of your reverse zone file depending upon your environment. Below is my sample reverse zone file:

[root@centos-8 named]# cat example.com.rzone
$TTL 1D
@       IN SOA  example.com.    root.example.com. (
                                        1       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS   localhost.
30      IN PTR  centos-7.example.com.
31      IN PTR  rhel-8.example.com.
32      IN PTR  centos-8.example.com.
NOTE:
Update the serial number every time you modify the zone file.

 

Verify the bind chroot configuration

Before you start the named-chroot service, it is important that you verify your bind chroot configuration file for any syntax errors:

[root@centos-8 named]# named-checkconf -t /var/named/ etc/named.conf

Here -t means chroot to directory so that include directives in the configuration file are processed as if run by a similarly chrooted named. Make sure all the content of /var/named/ are mounted on /var/named/chroot before you execute this command or else you may get open: etc/named.conf: file not found error.

Check the /etc/mtab content using mount command

[root@centos-8 ~]# mount | grep chroot
/dev/mapper/centos-root on /var/named/chroot/etc/named type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/usr/lib64/bind type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/localtime type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.root.key type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.conf type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.rfc1912.zones type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/rndc.key type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.iscdlv.key type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/protocols type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/services type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/usr/lib64/bind type ext4 (rw,relatime,data=ordered)
tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,mode=755)
/dev/mapper/centos-root on /var/named/chroot/var/named type ext4 (rw,relatime,data=ordered)

If you do not see these paths mounted on /var/named/chroot then turn off the chroot mount using

[root@centos-8 ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot off

and then turn it back ON

[root@centos-8 ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on

Next re-verify the mount | grep chroot command output. You should see that all required devices are mounted on /var/named/chroot. This is important to refresh all the changes what you have performed recently should be visible under /var/named/chroot

Now you can run below command to verify your chroot config files

[root@centos-8 named]# named-checkconf -t /var/named/ etc/named.conf

 

Start named-chroot service

To configure dns server on Red Hat Enterprise Linux 7 the installation of bind-chroot does NOT change how the named service is run. On the contrary it installs new named-chroot service that needs to be started using systemctl command, if you want to run named service in a chroot environment.

But before, make sure to stop and disable any named service which is available and running on your RHEL 7 Linux host:

[root@centos-8 named]# systemctl stop named
[root@centos-8 named]# systemctl disable named

Next start named-chroot service using systemctl:

[root@centos-8 named]# systemctl start named-chroot

[root@centos-8 ~]# systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-06-21 17:00:25 IST; 1min 1s ago
  Process: 5321 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 5319 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 5323 (named)
    Tasks: 4
   CGroup: /system.slice/named-chroot.service
           └─5323 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot

Jun 21 17:00:25 centos-8.example.com named[5323]: zone 2.0.10.in-addr.arpa/IN: loaded serial 1
Jun 21 17:00:25 centos-8.example.com named[5323]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Jun 21 17:00:25 centos-8.example.com named[5323]: zone localhost.localdomain/IN: loaded serial 0
Jun 21 17:00:25 centos-8.example.com named[5323]: zone example.com/IN: loaded serial 1
Jun 21 17:00:25 centos-8.example.com named[5323]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0....ial 0
Jun 21 17:00:25 centos-8.example.com named[5323]: zone localhost/IN: loaded serial 0
Jun 21 17:00:25 centos-8.example.com named[5323]: all zones loaded
Jun 21 17:00:25 centos-8.example.com named[5323]: running
Jun 21 17:00:25 centos-8.example.com named[5323]: zone example.com/IN: sending notifies (serial 1)
Jun 21 17:00:25 centos-8.example.com named[5323]: zone 2.0.10.in-addr.arpa/IN: sending notifies (serial 1)
Hint: Some lines were ellipsized, use -l to show in full.

Now our configure dns server steps are almost done, enable the named-chroot service to start the service automatically after every reboot:

[root@centos-8 ~]# systemctl enable named-chroot
Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service to /usr/lib/systemd/system/named-chroot.service.

 

Configure DNS server using resolv.conf

Now the last step to configure dns server is to update our /etc/resolv.conf with our DNS server IP i.e. 10.0.2.32

[root@centos-8 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 10.0.2.32
nameserver 8.8.8.8

 

Verify Bind Chroot DNS Server

Now you can use different tools to verify your bind chroot DNS server configuration. In this example I am using nslookup and dig to verify my forward and reverse zone configuration

[root@centos-8 ~]# nslookup centos-7.example.com
Server:         10.0.2.32
Address:        10.0.2.32#53

Name:   centos-7.example.com
Address: 10.0.2.30

So the nslookup was able to get a response for centos-7.example.com using our bind chroot DNS server 10.0.2.32. Similarly look out for ANSWER SECTION using dig command for reverse zone file content.

[root@centos-8 ~]# dig -x 10.0.2.30

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -x 10.0.2.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55495
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;30.2.0.10.in-addr.arpa.                IN      PTR

;; ANSWER SECTION:
30.2.0.10.in-addr.arpa. 86400   IN      PTR     centos-7.example.com.

;; AUTHORITY SECTION:
2.0.10.in-addr.arpa.    86400   IN      NS      localhost.

;; ADDITIONAL SECTION:
localhost.              86400   IN      A       127.0.0.1
localhost.              86400   IN      AAAA    ::1

;; Query time: 0 msec
;; SERVER: 10.0.2.32#53(10.0.2.32)
;; WHEN: Fri Jun 21 17:02:28 IST 2019
;; MSG SIZE  rcvd: 149

 

Configure DNS Server on Client

To configure DNS server on a client you do not need to install any additional bind chroot related rpms, you only need to update the /etc/resolv.conf file on all the clients to use nameserver IP of the DNS server.

For example on my client node:

[root@rhel-8 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 10.0.2.32

Let us verify the DNS server configuration by using nslookup:

[root@rhel-8 ~]# nslookup centos-8.example.com
Server:         10.0.2.32
Address:        10.0.2.32#53

Name:   centos-8.example.com
Address: 10.0.2.32

As you see the client is properly able to get the response from the DNS server running on 10.0.2.32 rhel linux host.

 

Lastly I hope the steps from the article to configure DNS server using bind chroot environment on Linux (CentOS/RHEL 7/8) was helpful. So, let me know your suggestions and feedback using the comment section.

 

Deepak Prasad

Deepak Prasad

Deepak Prasad is the founder of GoLinuxCloud, bringing over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, Networking, and Security. His extensive experience spans development, DevOps, networking, and security, ensuring robust and efficient solutions for diverse projects.

Certifications and Credentials:

  • Certified Kubernetes Application Developer (CKAD)
  • Go Developer Certification
  • Linux Foundation Certified System Administrator (LFCS)
  • Certified Ethical Hacker (CEH)
  • Python Institute PCAP (Certified Associate in Python Programming)
You can connect with him on his LinkedIn profile and join his Facebook and LinkedIn page.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

9 thoughts on “Step-by-Step Tutorial: Configure DNS Server using bind chroot (CentOS/RHEL 7/8)”

  1. It would be nice to have a section for how to go about updating an existing chroot’d environment to add records or update the named.conf.

    Reply
    • I have modified this section in the article. Actually it should be named-checkconf -t /var/named/chroot etc/named.conf but there are certain pre-requisites before executing this step or you may get unwanted errors.

      Reply
      • I did not see this updated in the article. It took me a while to figure out what was wrong. Also, perhaps should mention that the chroot environment needs to be recycled after any changes to the config files. Thanks!

        Reply

Leave a Comment