
Step-by-Step Tutorial: Configure DNS Server using bind chroot (CentOS/RHEL 7)

 

Install Bind Chroot RPM

To install BIND running in a chroot environment, you have to install the bind-chroot package.

NOTE:
If you do not have an active repository, download the RPMs together with all of their dependencies and use them to create an offline repository first.
[root@node3 ~]# yum install -y bind-chroot

Verify the BIND packages that are now installed alongside bind-chroot (rpm -qa lists everything installed, including unrelated packages whose names merely contain "bind"):

[root@node3 ~]# rpm -qa| grep bind
bind-license-9.9.4-74.el7_6.1.noarch
bind-chroot-9.9.4-74.el7_6.1.x86_64
keybinder3-0.3.0-1.el7.x86_64
bind-libs-9.9.4-74.el7_6.1.x86_64
bind-utils-9.9.4-74.el7_6.1.x86_64
bind-libs-lite-9.9.4-74.el7_6.1.x86_64
bind-9.9.4-74.el7_6.1.x86_64
rpcbind-0.2.0-47.el7.x86_64

The bind-chroot package creates the following directories and files under /var/named/chroot on your RHEL 7 Linux host:

[root@node3 ~]# ls -l /var/named/chroot/
total 20
drwxr-x---. 2 root named 4096 Jun 21 16:11 dev
drwxr-x---. 4 root named 4096 Jun 21 16:11 etc
drwxr-x---. 3 root named 4096 Jun 21 16:11 run
drwxr-xr-x. 3 root root  4096 Jun 21 16:11 usr
drwxr-x---. 5 root named 4096 Jun 21 16:11 var

Turn ON the bind chroot environment. This bind-mounts all of the BIND DNS server's configuration files and working directories into /var/named/chroot, so named can run with that directory as its root:

[root@node3 ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on

Next verify the list of mount paths on /var/named/chroot

[root@node3 ~]# mount | grep chroot
/dev/mapper/centos-root on /var/named/chroot/etc/named type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/usr/lib64/bind type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/localtime type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.root.key type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.conf type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.rfc1912.zones type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/rndc.key type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.iscdlv.key type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/protocols type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/services type ext4 (rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/usr/lib64/bind type ext4 (rw,relatime,data=ordered)
tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,mode=755)
/dev/mapper/centos-root on /var/named/chroot/var/named type ext4 (rw,relatime,data=ordered)

Note the IP address of this host, since we will use it when configuring BIND DNS in the chroot environment (here 10.0.2.32 on eth0):

[root@node3 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:df:87:41 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.32/8 brd 10.255.255.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fedf:8741/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:95:c3:cd brd ff:ff:ff:ff:ff:ff
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:b0:af:fb brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:b0:af:fb brd ff:ff:ff:ff:ff:ff

 

Configure DNS Server (named.conf)

The first step in configuring the DNS server is to update /etc/named.conf. In the file below we changed listen-on to include "any" and added "any" to allow-query and allow-query-cache so that other hosts can query the server. Be aware that allow-query { any; } combined with recursion yes makes this an open recursive resolver; on any host reachable from untrusted networks, restrict allow-query (or add allow-recursion) to your own subnets, as the comment block inside the file itself warns:

[root@node3 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost; any; };
        allow-query-cache { localhost; any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

 

Add zone records

Next we need to add zone statements for the forward zone file and the reverse zone file in /etc/named.rfc1912.zones. Here example.com is our forward zone and 2.0.10.in-addr.arpa is the reverse zone for the 10.0.2.0/24 network; each statement names the zone file that named will load from its working directory (/var/named):

zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { none; };
};

zone "2.0.10.in-addr.arpa" IN {
        type master;
        file "example.com.rzone";
        allow-update { none; };
};
NOTE:
For the reverse zone, since our IP is 10.0.2.32, I have used 2.0.10.in-addr.arpa as the zone name (the first three octets in reverse order followed by in-addr.arpa). Similarly, if your IP is 192.168.0.XX, your reverse zone name would be 0.168.192.in-addr.arpa.

We will create our forward and reverse zone files in the next steps.
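As an added example (not from the original article), the small shell script below derives the reverse zone name for a /24 network from a host IP, exactly as the NOTE above describes for 10.0.2.32, and prints the matching master zone statements for named.rfc1912.zones. The function names reverse_zone_name, ptr_label and zone_clause are this example's own; the values are the article's.

```shell
#!/bin/sh
# Added example: derive the in-addr.arpa zone name for a /24 from a host IP
# and emit the zone statements used in named.rfc1912.zones.

# reverse_zone_name IP -> "c.b.a.in-addr.arpa" (first three octets, reversed)
# Only IPv4 /24 networks are handled, which is the case the article covers.
reverse_zone_name() {
    ip=$1
    # split the address on dots; functions get their own positional parameters
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || { echo "bad IPv4 address: $ip" >&2; return 1; }
    for octet in "$@"; do
        case $octet in
            *[!0-9]*|'') echo "bad IPv4 address: $ip" >&2; return 1 ;;
        esac
    done
    echo "$3.$2.$1.in-addr.arpa"
}

# ptr_label IP -> the owner name of that host's PTR record inside the /24
# reverse zone (its last octet), e.g. 10.0.2.30 -> 30
ptr_label() {
    echo "${1##*.}"
}

# zone_clause NAME FILE -> a master zone statement with dynamic updates
# disabled (allow-update { none; }), matching the article's configuration.
zone_clause() {
    printf 'zone "%s" IN {\n        type master;\n        file "%s";\n        allow-update { none; };\n};\n' "$1" "$2"
}

# Demo run with the article's values: sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    rz=$(reverse_zone_name 10.0.2.32)
    zone_clause example.com example.com.zone
    zone_clause "$rz" example.com.rzone
    echo "PTR owner for 10.0.2.30 is $(ptr_label 10.0.2.30)"
fi
```

Run it with --demo to print the two zone statements shown in the article; the functions can also be sourced into other scripts.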

 

Create Forward Zone File

Navigate to /var/named where we will have some default templates which can be used to configure our forward zone file.

[root@node3 ~]# cd /var/named/

List the content of /var/named

[root@node3 named]# ls -l
total 32
drwxr-x---. 2 root  named 4096 Jun 21 16:12 chroot
drwxrwx---. 2 named named 4096 Jun  5 00:56 data
drwxrwx---. 2 named named 4096 Jun  5 00:56 dynamic
-rw-r-----. 1 root  named 2281 May 22  2017 named.ca
-rw-r-----. 1 root  named  152 Dec 15  2009 named.empty
-rw-r-----. 1 root  named  152 Jun 21  2007 named.localhost
-rw-r-----. 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx---. 2 named named 4096 Jun  5 00:56 slaves

Create the forward zone file by copying one of these templates (here named.loopback; any of them works as a starting point, since its contents will be replaced in the next step):

[root@node3 named]# cat named.loopback > example.com.zone

Change the permission and ownership of the forward zone file (example.com.zone) as shown below:

[root@node3 named]# chmod 644 example.com.zone
[root@node3 named]# chown root:named example.com.zone

[root@node3 named]# ls -l example.com.zone
-rw-r--r--. 1 root named 260 Jun 21 16:28 example.com.zone

Update the forward zone file with the details from your setup and environment. Below is my sample forward zone file:

[root@node3 named]# cat example.com.zone
$TTL 1D
; SOA: primary name server and responsible mailbox. Names that are not
; terminated with a dot get the zone name appended, so "example.com." must be
; written with the trailing dot (otherwise it becomes example.com.example.com);
; "root" without a dot correctly expands to root.example.com.
@       IN SOA  example.com.      root (
                                        1       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                IN NS   localhost
localhost       IN A    127.0.0.1
node1           IN A    10.0.2.30
node2           IN A    10.0.2.31
node3           IN A    10.0.2.32

 

Create Reverse Zone File

Similarly, create the reverse zone file by copying the named.localhost template:

[root@node3 named]# cat named.localhost > example.com.rzone

Change the permission and ownership of the reverse zone file (example.com.rzone) as shown below:

[root@node3 named]# chmod 644 example.com.rzone
[root@node3 named]# chown root:named example.com.rzone

[root@node3 named]# ls -l example.com.rzone
-rw-r--r--. 1 root named 260 Jun 21 16:28 example.com.rzone

Next, update the reverse zone file with the values for your environment. Each PTR record is owned by the host's last octet and points at the fully qualified host name (with trailing dot). Below is my sample reverse zone file:

[root@node3 named]# cat example.com.rzone
$TTL 1D
@       IN SOA  example.com.    root.example.com. (
                                        1       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS   localhost.
30      IN PTR  node1.example.com.
31      IN PTR  node2.example.com.
32      IN PTR  node3.example.com.
NOTE:
Increment the serial number every time you modify a zone file; secondary servers only transfer a zone when its serial is higher than the one they hold, so an unchanged serial leaves them serving stale data.
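The NOTE above is easy to forget, so here is an added example (not from the original article) of a small shell helper that increments the SOA serial of a zone file in place, keeps a backup copy, and validates the result with named-checkzone when that tool is installed. The functions write_sample_zone, current_serial, bump_serial and check_zone are this example's own names; the zone content that write_sample_zone produces is constructed to mirror the article's forward zone.

```shell
#!/bin/sh
# Added example: safe serial bump for a BIND zone file, plus an optional
# syntax check with named-checkzone (skipped when the tool is absent).

# write_sample_zone FILE -> writes a constructed forward zone in the
# article's layout (serial on its own line tagged "; serial").
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 1D
@       IN SOA  example.com.      root (
                                        1       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                IN NS   localhost
localhost       IN A    127.0.0.1
node1           IN A    10.0.2.30
EOF
}

# current_serial FILE -> prints the first number on the "; serial" line
current_serial() {
    awk '/;[[:space:]]*serial/ { if (match($0, /[0-9]+/)) { print substr($0, RSTART, RLENGTH); exit } }' "$1"
}

# bump_serial FILE -> increments the serial by one, keeping FILE.bak as a
# backup and preserving the column alignment of the line; prints the new serial.
bump_serial() {
    f=$1
    cp "$f" "$f.bak" || return 1
    awk '
        /;[[:space:]]*serial/ && !done && match($0, /[0-9]+/) {
            $0 = substr($0, 1, RSTART - 1) (substr($0, RSTART, RLENGTH) + 1) substr($0, RSTART + RLENGTH)
            done = 1
        }
        { print }
    ' "$f.bak" > "$f" || return 1
    current_serial "$f"
}

# check_zone ZONENAME FILE -> runs named-checkzone if it is installed; the
# check is skipped (exit 0) on hosts without bind-utils so the script still runs.
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed; skipped syntax check for $1" >&2
    fi
}

# Demo: sh thisscript.sh --demo /var/named/example.com.zone
if [ "${1:-}" = "--demo" ]; then
    zonefile=${2:?usage: $0 --demo ZONEFILE}
    echo "serial before: $(current_serial "$zonefile")"
    echo "serial after:  $(bump_serial "$zonefile")"
    check_zone example.com "$zonefile"
fi
```

After editing a zone file you would run bump_serial on it and then reload the server (for example with rndc reload) so the new serial is published. The date-based serial convention (YYYYMMDDnn) also works with this helper, since it simply adds one to whatever number is on the serial line.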

 

Verify the bind chroot configuration

Before you start the named-chroot service, it is important that you verify your bind chroot configuration file for any syntax errors:

[root@node3 named]# named-checkconf -t /var/named/chroot /etc/named.conf

Here -t tells named-checkconf to chroot to the given directory, so that the include directives in the configuration file are resolved the same way a named chrooted to /var/named/chroot would resolve them. No output means the configuration parsed cleanly. The named-chroot unit runs this same check in its ExecStartPre step (with -z added, which also loads every zone file), so a syntax error in a zone will stop the service from starting.

 

Start named-chroot service

On Red Hat Enterprise Linux 7, installing bind-chroot does NOT change how the regular named service runs. Instead it installs a separate named-chroot service, which you start with systemctl when you want to run named in the chroot environment.

Before starting it, stop and disable the plain named service if it is running on your RHEL 7 Linux host, so the two do not compete for port 53:

[root@node3 named]# systemctl stop named
[root@node3 named]# systemctl disable named

Next start named-chroot service using systemctl:

[root@node3 named]# systemctl start named-chroot

[root@node3 ~]# systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-06-21 17:00:25 IST; 1min 1s ago
  Process: 5321 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 5319 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 5323 (named)
    Tasks: 4
   CGroup: /system.slice/named-chroot.service
           └─5323 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot

Jun 21 17:00:25 node3.example.com named[5323]: zone 2.0.10.in-addr.arpa/IN: loaded serial 1
Jun 21 17:00:25 node3.example.com named[5323]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Jun 21 17:00:25 node3.example.com named[5323]: zone localhost.localdomain/IN: loaded serial 0
Jun 21 17:00:25 node3.example.com named[5323]: zone example.com/IN: loaded serial 1
Jun 21 17:00:25 node3.example.com named[5323]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0....ial 0
Jun 21 17:00:25 node3.example.com named[5323]: zone localhost/IN: loaded serial 0
Jun 21 17:00:25 node3.example.com named[5323]: all zones loaded
Jun 21 17:00:25 node3.example.com named[5323]: running
Jun 21 17:00:25 node3.example.com named[5323]: zone example.com/IN: sending notifies (serial 1)
Jun 21 17:00:25 node3.example.com named[5323]: zone 2.0.10.in-addr.arpa/IN: sending notifies (serial 1)
Hint: Some lines were ellipsized, use -l to show in full.

The DNS server configuration is now almost complete. Enable the named-chroot service so it starts automatically after every reboot:

[root@node3 ~]# systemctl enable named-chroot
Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service to /usr/lib/systemd/system/named-chroot.service.

 

Configure DNS server using resolv.conf

The last step on the server is to update /etc/resolv.conf so the host itself uses our DNS server IP, 10.0.2.32, as its nameserver:

[root@node3 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 10.0.2.32
nameserver 8.8.8.8

 

Verify Bind Chroot DNS Server

You can now use different tools to verify the bind chroot DNS server configuration. In this example I am using nslookup and dig to verify the forward and reverse zones:

[root@node3 ~]# nslookup node1.example.com
Server:         10.0.2.32
Address:        10.0.2.32#53

Name:   node1.example.com
Address: 10.0.2.30

So nslookup received an answer for node1.example.com from our bind chroot DNS server at 10.0.2.32. Similarly, for the reverse zone, run dig -x against an address and check the ANSWER SECTION for the PTR record; the aa flag in the header confirms the answer is authoritative rather than cached:

[root@node3 ~]# dig -x 10.0.2.30

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -x 10.0.2.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55495
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;30.2.0.10.in-addr.arpa.                IN      PTR

;; ANSWER SECTION:
30.2.0.10.in-addr.arpa. 86400   IN      PTR     node1.example.com.

;; AUTHORITY SECTION:
2.0.10.in-addr.arpa.    86400   IN      NS      localhost.

;; ADDITIONAL SECTION:
localhost.              86400   IN      A       127.0.0.1
localhost.              86400   IN      AAAA    ::1

;; Query time: 0 msec
;; SERVER: 10.0.2.32#53(10.0.2.32)
;; WHEN: Fri Jun 21 17:02:28 IST 2019
;; MSG SIZE  rcvd: 149
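When this check is scripted, for instance after a zone change or as a monitoring probe, it helps to parse the dig output rather than eyeball it. The following is an added example (not from the original article): shell functions that pull the status, the header flags and a named section out of dig output, and a verify_ptr check that passes only when the answer is NOERROR, authoritative (aa flag) and contains the expected PTR record. The dig output in SAMPLE_DIG is constructed from the article's values so the script runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example: parse dig output to verify a reverse (PTR) lookup.

# Constructed sample, mirroring the article's "dig -x 10.0.2.30" output.
SAMPLE_DIG=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55495
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; QUESTION SECTION:
;30.2.0.10.in-addr.arpa.                IN      PTR

;; ANSWER SECTION:
30.2.0.10.in-addr.arpa. 86400   IN      PTR     node1.example.com.

;; AUTHORITY SECTION:
2.0.10.in-addr.arpa.    86400   IN      NS      localhost.

;; SERVER: 10.0.2.32#53(10.0.2.32)
EOF
)

# dig_status < output -> the status word from the HEADER line (e.g. NOERROR)
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# dig_has_flag FLAG < output -> exit 0 if FLAG (qr, aa, rd, ra, ad, ...) is set
dig_has_flag() {
    grep -q "^;; flags:.*[ :]$1[ ;]"
}

# dig_section NAME < output -> the record lines under ";; NAME SECTION:"
dig_section() {
    awk -v want=";; $1 SECTION:" '
        $0 == want        { in_sec = 1; next }
        in_sec && /^$/    { exit }
        in_sec            { print }
    '
}

# verify_ptr IP EXPECTED_FQDN < output -> exit 0 only when the response is
# NOERROR, carries the aa flag, and maps IP's in-addr.arpa name to EXPECTED_FQDN
verify_ptr() {
    ip=$1
    expected=$2
    out=$(cat)
    [ "$(printf '%s\n' "$out" | dig_status)" = "NOERROR" ] ||
        { echo "$ip: status is not NOERROR" >&2; return 1; }
    printf '%s\n' "$out" | dig_has_flag aa ||
        { echo "$ip: answer is not authoritative (no aa flag)" >&2; return 1; }
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    owner="$4.$3.$2.$1.in-addr.arpa."
    printf '%s\n' "$out" | dig_section ANSWER |
        awk -v o="$owner" -v n="$expected" '
            $1 == o && $4 == "PTR" && $5 == n { found = 1 }
            END { exit !found }
        '
}

# Demo against the constructed sample: sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DIG" | verify_ptr 10.0.2.30 node1.example.com. &&
        echo "PTR for 10.0.2.30 verified"
fi
```

On a live server the same check is simply dig -x 10.0.2.30 @10.0.2.32 | verify_ptr 10.0.2.30 node1.example.com.; a missing aa flag would mean the answer came from a cache (or a forwarder) rather than from the zone you just configured.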

 

Configure DNS Server on Client

On a client you do not need to install any bind-chroot related RPMs; you only need to update /etc/resolv.conf on each client so that it uses the DNS server's IP as its nameserver.

For example on my client node:

[root@node2 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 10.0.2.32

Let us verify the DNS server configuration by using nslookup:

[root@node2 ~]# nslookup node3.example.com
Server:         10.0.2.32
Address:        10.0.2.32#53

Name:   node3.example.com
Address: 10.0.2.32

As you can see, the client receives its answer from the DNS server running on the RHEL Linux host at 10.0.2.32.

 

Lastly, I hope the steps from this article to configure a DNS server using the bind chroot environment on Linux (CentOS/RHEL 7) were helpful. Let me know your suggestions and feedback using the comment section.
