How to install and configure a DNS server (BIND) in CentOS/RHEL 7
Bind (Berkeley Internet Name Daemon) is the best-known and most widely used DNS server on the Internet. I will try to describe how to install and configure the service in a chrooted environment (a chroot operation changes the apparent root directory of a process on Unix-like operating systems: a program started with an altered root directory can only access the files contained in that directory, so if you want to allow the program to reach other directories or file systems (for example, /proc), the necessary directories or devices must be mounted inside the target directory).
- First, install the tools and related utilities:
$ yum -y install bind bind-utils bind-chroot
$ /usr/libexec/setup-named-chroot.sh /var/named/chroot on
$ chcon -u system_u /var/named/chroot/etc/localtime
$ chcon -u system_u /var/named/chroot/dev/null
$ chcon -u system_u /var/named/chroot/dev/random
$ chcon -u system_u /var/named/chroot/dev/zero
$ chmod g+w /var/named/chroot/var/named/
$ setsebool -P named_write_master_zones=1
$ nano -w /etc/sysconfig/named
OPTIONS="-4"
$ nano -w /var/named/chroot/etc/named.conf
acl "trusted" {
    /*
     * You might put in here some IPs which are allowed to use the cache or
     * recursive queries.
     */
    127.0.0.0/8;
    ::1/128;
};
acl "xfer" {
    /*
     * Deny transfers by default except for the listed hosts.
     * If we have other name servers, place them here.
     */
    // relcom.ru and nic.ru
    31.177.66.192/28;
    91.217.20.0/26;
    91.217.21.0/26;
    193.124.22.65/32;
    193.232.86.0/24;
    194.226.96.192/28;
    195.253.51.22/32;
    195.253.54.22/32;
};
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { none; };
    ...
    allow-query {
        /*
         * Accept queries from our "trusted" ACL. We will
         * allow anyone to query our master zones below.
         * This prevents us from becoming a free DNS server
         * to the masses.
         */
        trusted;
    };
    allow-query-cache {
        /* Use the cache for the "trusted" ACL. */
        trusted;
    };
    allow-recursion {
        /* Only trusted addresses are allowed to use recursion. */
        trusted;
    };
    allow-transfer {
        /* Zone transfers are denied by default. */
        xfer;
    };
    allow-update {
        /* Don't allow updates, e.g. via nsupdate. */
        none;
    };
    ...
};
Note: in the acl "xfer" I added the IP addresses of the servers that will act as secondary servers for my zones. If your DNS server is not going to host any zones, this list can be left empty; otherwise enter the IP addresses of the secondary servers for your zone.
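The point of the options block above is that nothing outside the "trusted" ACL may use recursion or the cache, nothing outside "xfer" may pull a zone, and dynamic updates are off. As an added check (my own example, not the author's), the script below audits a named.conf offline for exactly those directives, in the global options and in every zone block alike, and flags any of them whose match list contains "any". Both configurations are constructed samples: the first copies the hardened settings above, the second is the open-resolver counterpart that one commonly finds on an unaudited server. It assumes bash and GNU grep/sed.

```shell
#!/bin/bash
# Added example (not from the original article): an offline audit of the
# access-control directives in a named.conf. Both configs are constructed
# samples; the first mirrors the hardened options from the article.

HARDENED_CONF='
acl "trusted" { 127.0.0.0/8; ::1/128; };
acl "xfer" { 31.177.66.192/28; };
options {
    listen-on port 53 { any; };
    allow-query { trusted; };        /* trusted ACL only */
    allow-query-cache { trusted; };
    allow-recursion { trusted; };    // not an open resolver
    allow-transfer { xfer; };
    allow-update { none; };
};
zone "example.com" {
    type master; file "named.example.com.zone";
    allow-query { any; }; allow-transfer { xfer; };
};
'

WEAK_CONF='
options {
    listen-on port 53 { any; };
    allow-query { any; };
    allow-recursion { any; };        /* open resolver: usable for amplification */
    allow-transfer { any; };         /* whole zone readable by anyone */
};
zone "example.com" {
    type master; file "named.example.com.zone";
    allow-update { any; };           /* anyone can rewrite records */
};
'

# strip_comments: drop // and # line comments and /* */ block comments,
# then join everything onto one line so braces can be matched with grep.
strip_comments() {
    sed -e 's|//.*$||' -e 's|#.*$||' \
      | tr '\n' ' ' \
      | sed -E 's|/\*[^*]*\*+([^/*][^*]*\*+)*/||g'
}

# directive_bodies DIRECTIVE: print the body of every "DIRECTIVE { ... }"
# occurrence (global options and per-zone alike), one per line.
directive_bodies() {
    grep -o -E "$1 *\{[^}]*\}" | sed -E -e "s/^$1 *\{ *//" -e 's/ *\}$//'
}

# audit_named_conf CONFIG_TEXT: print one WEAK: line per directive whose
# match list contains "any"; return 0 if clean, 1 otherwise.
# allow-query is deliberately not checked: the article opens it per zone,
# which is harmless as long as recursion and the cache stay restricted.
# An absent allow-update on a master means BIND's default (none), so only
# an explicit "any" is flagged.
audit_named_conf() {
    local conf directive body weak=0
    conf=$(printf '%s\n' "$1" | strip_comments)
    for directive in allow-recursion allow-query-cache allow-transfer allow-update; do
        while IFS= read -r body; do
            case " $body" in
                *" any;"*)
                    echo "WEAK: $directive { $body } -- restrict to an ACL or none"
                    weak=$((weak + 1)) ;;
            esac
        done < <(printf '%s\n' "$conf" | directive_bodies "$directive")
    done
    [ "$weak" -eq 0 ]
}

audit_named_conf "$HARDENED_CONF" && echo "hardened config: no findings"
audit_named_conf "$WEAK_CONF" || echo "weak config: see findings above"
```

Run it against your real file with `audit_named_conf "$(cat /var/named/chroot/etc/named.conf)"` after `named-checkconf` has accepted the syntax; the audit is a quick sanity check on the match lists, not a replacement for named-checkconf, and it does not resolve ACL names, so an acl that itself contains "any" would still pass.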
$ firewall-cmd --permanent --zone=public --add-service=dns
$ firewall-cmd --reload
$ systemctl start named-chroot.service
$ systemctl enable named-chroot.service
$ nano -w /etc/sysconfig/network-scripts/ifcfg-eth0
PEERDNS=no
DOMAIN="example.com example.org"
DNS1=127.0.0.1
DNS2=8.8.8.8
DNS3=8.8.4.4
$ systemctl restart network
Note: for the 2nd and 3rd DNS servers, enter the IP addresses of your ISP's DNS servers, so that resolving runs a little faster.
$ systemctl status named-chroot.service
named-chroot.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled)
Active: active (running) since Thu 2014-11-20 13:45:06 MSK; 1h 32min ago
Process: 31335 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 24627 (named)
CGroup: /system.slice/named-chroot.service
└─24627 /usr/sbin/named -u named -t /var/named/chroot -4
Nov 20 14:28:09 example.com named[24627]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Nov 20 14:28:09 example.com named[24627]: reloading configuration succeeded
Nov 20 14:28:09 example.com named[24627]: reloading zones succeeded
Nov 20 14:28:09 example.com systemd[1]: Reloaded Berkeley Internet Name Domain (DNS).
Nov 20 14:28:09 example.com named[24627]: all zones loaded
Nov 20 14:28:09 example.com named[24627]: running
$ cat /etc/resolv.conf
# Generated by NetworkManager
search example.com example.org
nameserver 127.0.0.1
$ dig ya.ru @localhost
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> ya.ru @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29241
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ya.ru. IN A
;; ANSWER SECTION:
ya.ru. 1706 IN A 213.180.193.3
ya.ru. 1706 IN A 213.180.204.3
ya.ru. 1706 IN A 93.158.134.3
;; AUTHORITY SECTION:
ya.ru. 340105 IN NS ns1.yandex.ru.
ya.ru. 340105 IN NS ns2.yandex.ru.
;; ADDITIONAL SECTION:
ns1.yandex.ru. 340105 IN A 213.180.193.1
ns1.yandex.ru. 340105 IN AAAA 2a02:6b8::1
ns2.yandex.ru. 340105 IN A 93.158.134.1
ns2.yandex.ru. 340105 IN AAAA 2a02:6b8:0:1::1
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 20 15:17:55 MSK 2014
;; MSG SIZE rcvd: 213
$ nano -w /var/named/chroot/etc/named.conf
...
include "/etc/named.zones";
$ nano -w /var/named/chroot/etc/named.zones
zone "example.com" {
type master;
file "named.example.com.zone";
/* Anybody is allowed to query but transfer should be controlled by the master. */
allow-query { any; };
allow-transfer { xfer; };
};
zone "example.org" {
type master;
file "named.example.org.zone";
/* Anybody is allowed to query but transfer should be controlled by the master. */
allow-query { any; };
allow-transfer { xfer; };
};
$ chown root:named /var/named/chroot/etc/named.zones
$ chmod 0640 /var/named/chroot/etc/named.zones
$ chcon -u system_u -t named_conf_t /var/named/chroot/etc/named.zones
$ ln -s /var/named/chroot/etc/named.zones /etc/named.zones
$ nano -w /var/named/chroot/var/named/named.example.com.zone
$ORIGIN .
$TTL 86400 ; 1 day
example.com     IN SOA  mail.example.com. admin.example.org. (
                        2014112001 ; serial
                        10800      ; refresh (3 hours)
                        3600       ; retry (1 hour)
                        604800     ; expire (1 week)
                        86400      ; minimum (1 day)
                        )
                NS      mail.example.com.
                NS      ns8-l2.nic.ru.
                NS      ns4-l2.nic.ru.
                A       10.20.30.40
                MX      10 mail.example.com.
                TXT     "v=spf1 mx -all"
                SPF     "v=spf1 mx -all"
$ORIGIN example.com.
mail            A       10.20.30.40
www             CNAME   mail
$ nano -w /var/named/chroot/var/named/named.example.org.zone
$ORIGIN .
$TTL 86400 ; 1 day
example.org     IN SOA  mail.example.com. admin.example.org. (
                        2014112001 ; serial
                        10800      ; refresh (3 hours)
                        3600       ; retry (1 hour)
                        604800     ; expire (1 week)
                        86400      ; minimum (1 day)
                        )
                NS      mail.example.com.
                NS      ns8-l2.nic.ru.
                NS      ns4-l2.nic.ru.
                A       10.20.30.40
                MX      10 mail.example.org.
                TXT     "v=spf1 a mx mx:mail.example.org ?all"
                SPF     "v=spf1 a mx mx:mail.example.org ?all"
$ORIGIN example.org.
mail            A       83.246.72.206
www             CNAME   mail
$ chown root:named /var/named/chroot/var/named/named.*.zone
$ chmod 0640 /var/named/chroot/var/named/named.*.zone
$ chcon -u system_u -t named_zone_t /var/named/chroot/var/named/named.*.zone
$ named-checkconf /etc/named.conf
$ named-checkzone example.com /var/named/chroot/var/named/named.example.com.zone
zone example.com/IN: loaded serial 2014112001
OK
$ named-checkzone example.org /var/named/chroot/var/named/named.example.org.zone
zone example.org/IN: loaded serial 2014112001
OK
$ systemctl reload named-chroot.service
$ systemctl status named-chroot.service
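Every later edit of these zone files has to raise the SOA serial before the reload, otherwise the secondaries configured below never transfer the change and keep serving the old records. The zone files use the YYYYMMDDnn convention (2014112001 above), and the helper below, an added example that is not part of the original article, computes the next serial in that convention and rewrites the "; serial" line in place. The sample zone is a constructed copy of the example.com zone above; the script assumes bash and GNU sed (for sed -i).

```shell
#!/bin/bash
# Added example (not from the original article): bump a YYYYMMDDnn SOA serial
# the way the zone files above expect, so slaves notice the change on reload.

# next_serial CURRENT TODAY(YYYYMMDD): print the serial to use for the next edit.
next_serial() {
    local cur=$1 today=$2 date_part seq
    if [ "${#cur}" -ne 10 ]; then
        echo $((cur + 1)); return      # plain counter, not date-based: just +1
    fi
    date_part=${cur%??}                # first eight digits: YYYYMMDD
    seq=$((10#${cur#????????}))        # last two digits, base 10 (avoids octal "08")
    if [ "$date_part" -lt "$today" ]; then
        echo "${today}01"              # first edit of a new day
    elif [ "$date_part" -eq "$today" ] && [ "$seq" -lt 99 ]; then
        printf '%s%02d\n' "$today" $((seq + 1))
    else
        echo $((cur + 1))              # future date or 99 edits today: only ever go up
    fi
}

# current_serial ZONEFILE: extract the number on the "; serial" line.
current_serial() {
    sed -n -E 's/^[[:space:]]*([0-9]+)[[:space:]]*;[[:space:]]*serial.*/\1/p' "$1" | head -n 1
}

# bump_zone_serial ZONEFILE TODAY: rewrite the serial line in place; print the new serial.
bump_zone_serial() {
    local file=$1 today=$2 old new
    old=$(current_serial "$file")
    [ -n "$old" ] || { echo "no serial line found in $file" >&2; return 1; }
    new=$(next_serial "$old" "$today")
    sed -i -E "s/^([[:space:]]*)$old([[:space:]]*;[[:space:]]*serial)/\1$new\2/" "$file"
    echo "$new"
}

# Constructed sample: a trimmed copy of the example.com zone from this article.
ZONE=$(mktemp)
cat > "$ZONE" <<'EOF'
$ORIGIN .
$TTL 86400 ; 1 day
example.com     IN SOA  mail.example.com. admin.example.org. (
                        2014112001 ; serial
                        10800      ; refresh (3 hours)
                        3600       ; retry (1 hour)
                        604800     ; expire (1 week)
                        86400      ; minimum (1 day)
                        )
                NS      mail.example.com.
                A       10.20.30.40
$ORIGIN example.com.
mail            A       10.20.30.40
www             CNAME   mail
EOF

echo "before: $(current_serial "$ZONE")"
bump_zone_serial "$ZONE" 20141120     # same day as the existing serial -> 2014112002
bump_zone_serial "$ZONE" 20141121     # next day -> 2014112101
rm -f "$ZONE"
```

In practice you would call `bump_zone_serial /var/named/chroot/var/named/named.example.com.zone "$(date +%Y%m%d)"`, then run `named-checkzone` and `systemctl reload named-chroot.service` as above; the checkzone output prints the loaded serial, which is the quickest way to confirm the bump took.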
$ nano -w /var/named/chroot/etc/named.conf
...
include "/etc/named.zones";
$ nano -w /var/named/chroot/etc/named.zones
zone "example.com" {
type slave;
file "slaves/example.com.zone";
masters { 10.20.30.40; };
/* Anybody is allowed to query but transfer should be controlled by the master. */
allow-query { any; };
allow-transfer { xfer; };
/* The master should be the only one who notifies the slaves, shouldn't it? */
allow-notify { 10.20.30.40; };
notify no;
};
zone "example.org" {
type slave;
file "slaves/example.org.zone";
masters { 10.20.30.40; };
/* Anybody is allowed to query but transfer should be controlled by the master. */
allow-query { any; };
allow-transfer { xfer; };
/* The master should be the only one who notifies the slaves, shouldn't it? */
allow-notify { 10.20.30.40; };
notify no;
};
$ ln -s /var/named/chroot/etc/named.zones /etc/named.zones
$ named-checkconf /etc/named.conf
$ systemctl reload named-chroot.service
$ systemctl status named-chroot.service
That’s all, the DNS server is set up and ready to go!