Install and configure DNS & Reverse DNS Server with BIND in CentOS

Hi, I'm going to show you how to install and configure the Domain Name System (DNS) in CentOS. This is not a straightforward process and it can be done with different kinds of configuration depending on your needs, so let's first agree on some basics.

Definition of DNS: The DNS (Domain Name System) is a distributed system used to translate domain names to IP addresses and vice versa (reverse DNS translates an IP address to a domain name). For example, when we type a domain name such as "google.com" into the browser URL bar, our computer sends a request to DNS and gets the IP address of that domain.

What is Reverse DNS (rDNS): Reverse DNS (rDNS) is a method of resolving an IP address into a domain name, exactly the reverse scenario of DNS. You may ask what the use is: one application of reverse DNS is as a spam filter. For example, a spammer sends mail from an IP address that does not match the domain name used in the message. Once the message reaches the destination server, the server runs a reverse DNS lookup on the sending IP address and checks the validity of the message by looking for a matching domain name; if it doesn't find a match, the server blocks the message or marks it as spam.
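The mail-server check described above is known as forward-confirmed reverse DNS. The following is an added example (not from the original post) that implements it; the PTR and A data are constructed stand-ins for live lookups, and the 203.0.0.10 entry is a deliberate mismatch.

```python
import ipaddress

# Constructed stand-in for live DNS answers (no network lookups are made here).
# The second PTR deliberately points at a name whose A record is a different IP.
PTR_RECORDS = {
    "37.94.212.181.in-addr.arpa.": ["mydomain.com."],
    "10.0.0.203.in-addr.arpa.": ["mail.example.org."],
}
A_RECORDS = {
    "mydomain.com.": ["181.212.94.37"],
    "mail.example.org.": ["203.0.113.5"],
}

def reverse_name(ip):
    """Owner name of the PTR record for an IPv4 (in-addr.arpa) or IPv6 (ip6.arpa) address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def fcrdns_check(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Forward-confirmed reverse DNS, the check a mail server applies to a sender IP:
    IP -> PTR name(s) -> the A records of that name must contain the original IP.
    Returns (passed, reason)."""
    names = ptr.get(reverse_name(ip), [])
    if not names:
        return False, "no PTR record for %s" % ip
    for name in names:
        if ip in a.get(name, []):
            return True, "PTR %s confirms %s" % (name, ip)
    return False, "PTR %s does not resolve back to %s" % (names[0], ip)

if __name__ == "__main__":
    for sender in ("181.212.94.37", "203.0.0.10", "192.0.2.1"):
        print(sender, fcrdns_check(sender))
```

The function also builds the ip6.arpa name for IPv6 senders, which the text does not cover but the same check applies to.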

OK, now we know what is what. Let's assume the network scenario below.

  • DNS Server IP: 181.212.94.37
  • DNS Server Name: ns1.mydomain.com, ns2.mydomain.com
  • Domain Name: mydomain.com

What are we going to do? We have one stand-alone server with IP address 181.212.94.37. We are going to point our domain (mydomain.com) to this server and then create a DNS server with these NS records (ns1.mydomain.com, ns2.mydomain.com) on the same server.

First step: let's point our domain to the server IP address and to the NS records we are going to create. How this is done depends on your domain control panel: you have to change your domain's nameservers to ns1.mydomain.com and ns2.mydomain.com and then create two child hosts (glue records) with these names:

ns1.mydomain.com => pointing to server IP 181.212.94.37
ns2.mydomain.com => pointing to server IP 181.212.94.37

After this change it will take some time for your changes to propagate across the network. To check the status you can use intodns.com or the nslookup command in your terminal.

Second step: we need to log in to our server, install the requirements and make some configuration changes. I'm assuming that we have CentOS 7 as the server OS, so after logging in run the commands below.

1. update yum packages

yum update

2. install bind (the bind packages are available in the default yum repositories)

yum install bind

3. enabling network ports

After installation, if you have an active firewall on your OS, we need to open the bind ports in the firewall. bind uses port 53 on both TCP and UDP, so we need to allow both in our firewall.

Run the commands below in the terminal to do this.

[root@rhel7 ~]# firewall-cmd --zone=public --add-port=53/tcp --permanent
success
[root@rhel7 ~]# firewall-cmd --zone=public --add-port=53/udp --permanent
success
[root@rhel7 ~]# firewall-cmd --reload
success

Note: if you use iptables instead, you need to do the same with iptables rules. To verify that the port is open, run the command below (named must already be running for the listener to appear, and -t lists TCP sockets only; add -u to see the UDP listener as well).

netstat -ant | grep -w 53

and you will get something like this:
[root@rhel7 ~]# netstat -ant | grep -w 53
tcp        0      0 181.212.94.37:53        0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN     
tcp6       0      0 ::1:53                  :::*                    LISTEN

As you can see, the port is open now.

4. change the configuration

After installing bind, a new service called "named" (the bind service) is added to your OS. This service has a configuration file stored at /etc/named.conf.

You can use vim or any other editor you like to modify the configuration file, but please take a backup before making any changes. After modification you should have the file below; I'll describe the changes afterwards.

// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    listen-on port 53 { 127.0.0.1; 181.212.94.37; };
    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };
    allow-transfer { none; };
    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion no;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

acl "trusted-servers"  {
        181.212.94.37;  //ns1 and ns2
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "mydomain.com" IN {
    type master;
    file "/var/named/mydomain.com.zone";
    allow-update { "trusted-servers"; };
};

zone "94.212.181.in-addr.arpa" IN {
        type master;
        file "/var/named/94.212.181.in-addr.arpa.zone";
        allow-update { none; };
};


include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

What is the change?

First, add your server IP address to listen-on port 53 { 127.0.0.1; 181.212.94.37; }; this tells bind which IP addresses to listen on.

Change allow-query to any, which allows every computer to query your DNS: allow-query { any; };. Since we are configuring an authoritative DNS server, make sure recursion is off: recursion no;

Set the DNSSEC options as below:

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

Now it's time to create the zone files and load them.

We are going to create one zone file for our domain name and another one for our reverse DNS, and then load them in our config.

Loading the domain name zone:

zone "mydomain.com" IN {
    type master;
    file "/var/named/mydomain.com.zone";
    allow-update { "trusted-servers"; };
};

Loading the reverse DNS zone (the zone name is the first three octets of 181.212.94.37 in reverse order):

zone "94.212.181.in-addr.arpa" IN {
        type master;
        file "/var/named/94.212.181.in-addr.arpa.zone";
        allow-update { none; };
};

Content of each zone file (note: lines starting with ; are comments).

mydomain.com.zone:

$TTL 86400
@   IN  SOA     ns1.mydomain.com. hostmaster.mydomain.com. (
        2017082701  ;Serial
        14400       ;Refresh
        3600        ;Retry
        1209600     ;Expire
        3600        ;Minimum TTL
)
; Specify our nameservers (the owner name is inherited from the @ line above)
                IN      NS              ns1.mydomain.com.
                IN      NS              ns2.mydomain.com.

; and mail exchange servers (commented out until you have a mail host)
;                IN      MX      10      smtp.mydomain.com.

; Define hostnames. Names without a trailing dot are relative to the zone origin,
; so "ns1" means ns1.mydomain.com. and @ is the zone apex mydomain.com. itself
@               IN      A               181.212.94.37
ns1             IN      A               181.212.94.37
ns2             IN      A               181.212.94.37
www             IN      A               181.212.94.37

94.212.181.in-addr.arpa.zone:

$TTL    604800
94.212.181.in-addr.arpa.      IN      SOA     ns1.mydomain.com. hostmaster.mydomain.com. (
                          1        ; Serial
                          3h       ; Refresh after 3 hours
                          1h       ; Retry after 1 hour
                          1w       ; Expire after 1 week
                          1h )     ; Negative caching TTL of 1 hour

94.212.181.in-addr.arpa.       IN      NS      ns1.mydomain.com.
94.212.181.in-addr.arpa.       IN      NS      ns2.mydomain.com.

37.94.212.181.in-addr.arpa.   IN      PTR     mydomain.com.
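A small sanity checker for the forward zone syntax used above, added here as an example (not part of the tutorial or of BIND). It flags two mistakes that named-checkzone does not complain about: an SOA MNAME that is not one of the listed nameservers, and an owner such as "mydomain.com" written without the trailing dot, which BIND expands to mydomain.com.mydomain.com. The embedded zone text is a constructed copy that contains both mistakes.

```python
import re

# Constructed zone in the tutorial's syntax with two deliberate mistakes:
# SOA MNAME is www (not a listed NS) and "mydomain.com" lacks a trailing dot.
SAMPLE_ZONE = """\
$TTL 86400
@   IN  SOA     www.mydomain.com. hostmaster.mydomain.com. (
        2017082701 14400 3600   ;Serial Refresh Retry
        1209600 3600 )          ;Expire Minimum
                IN      NS      ns1.mydomain.com.
                IN      NS      ns2.mydomain.com.
mydomain.com    IN      A       181.212.94.37
ns1             IN      A       181.212.94.37
ns2             IN      A       181.212.94.37
@               IN      A       181.212.94.37
www             IN      A       181.212.94.37
"""

def parse_zone(text, origin):
    """Return (owner, type, rdata) triples with every owner made absolute."""
    text = re.sub(r";[^\n]*", "", text)                      # drop ; comments
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0)[1:-1].split()), text)
    records, owner = [], origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):          # blank or $TTL
            continue
        fields = line.split()
        if not line[0].isspace():                             # explicit owner
            name = fields.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else name + "." + origin
        if fields and fields[0].isdigit():                    # optional TTL
            fields.pop(0)
        if fields and fields[0] == "IN":                      # optional class
            fields.pop(0)
        records.append((owner, fields[0], fields[1:]))
    return records

def check_zone(text, origin):
    """List human-readable problems; an empty list means the zone passed."""
    recs = parse_zone(text, origin)
    ns_targets = {r[0] for _, t, r in recs if t == "NS"}
    have_addr = {o for o, t, _ in recs if t in ("A", "AAAA")}
    problems = []
    for owner, rtype, rdata in recs:
        if owner.count(origin) > 1:
            problems.append("%s owner %s looks like a missing trailing dot" % (rtype, owner))
        if rtype == "SOA" and rdata[0] not in ns_targets:
            problems.append("SOA MNAME %s is not one of the NS targets" % rdata[0])
    for ns in sorted(ns_targets):
        if ns.endswith("." + origin) and ns not in have_addr:
            problems.append("in-zone nameserver %s has no A/AAAA record" % ns)
    return problems
```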

Now we are almost done.

5. check the configuration and restart bind

Before we start the bind name server with the new zones and configuration, here are some tools to check that we have not made a typo or misconfiguration. To check the configuration files, run the following command:

named-checkconf

With named-checkconf the rule is: no news is good news. If no output is produced, your config files look OK. Now let's check the zone files with named-checkzone:

named-checkzone mydomain.com /var/named/mydomain.com.zone
zone mydomain.com/IN: loaded serial 2017082701
OK
named-checkzone 94.212.181.in-addr.arpa /var/named/94.212.181.in-addr.arpa.zone
zone 94.212.181.in-addr.arpa/IN: loaded serial 1
OK

Now everything seems fine and we just need to restart the bind service.

service named restart

6. verifying the DNS server

To verify that the DNS server is working properly, run the command below in your terminal.

nslookup mydomain.com 181.212.94.37

Result:

Server:         181.212.94.37
Address:        181.212.94.37#53

Name:   mydomain.com
Address: 181.212.94.37

The output above shows that the DNS server has successfully resolved the domain mydomain.com. We are finished; I hope this has been useful.
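Beyond confirming that the name resolves, a practitioner should also confirm that the two protective settings in the named.conf above actually took effect: recursion no (the server is not an open resolver) and allow-transfer none (nobody can pull the whole zone). The following is an added example (not from the original post) that does this with dig; it assumes dig from the bind-utils package is installed, uses example.org as a name we do not host, and keeps the decision logic in interpret() so it can be checked against captured dig output without a network.

```python
import re
import subprocess

def dig(server, name, *extra):
    """Run dig against SERVER for NAME and return its text output (needs bind-utils)."""
    cmd = ["dig", "@" + server, name, *extra, "+time=3", "+tries=1"]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def flags(output):
    """Header flags from a dig answer, e.g. {'qr', 'aa', 'rd'}."""
    m = re.search(r";; flags: ([^;]*);", output)
    return set(m.group(1).split()) if m else set()

def status(output):
    """RCODE text from a dig answer, e.g. 'NOERROR' or 'REFUSED'."""
    m = re.search(r"status: (\w+)", output)
    return m.group(1) if m else None

def interpret(own_zone_out, foreign_out, axfr_out):
    """Decide from three dig outputs how the server is exposed (no network here)."""
    return {
        # our own zone must come back with the AA (authoritative answer) flag
        "authoritative": "aa" in flags(own_zone_out) and status(own_zone_out) == "NOERROR",
        # a name we do not host must not be answered with RA (recursion available)
        "open_resolver": "ra" in flags(foreign_out) and status(foreign_out) == "NOERROR",
        # a refused AXFR prints "Transfer failed." instead of the zone's records
        "axfr_allowed": "Transfer failed" not in axfr_out and "SOA" in axfr_out,
    }

def audit(server="181.212.94.37", zone="mydomain.com", foreign="example.org"):
    """Query the live server; expected result: authoritative True, the other two False."""
    return interpret(dig(server, zone, "A"),
                     dig(server, foreign, "A", "+recurse"),
                     dig(server, zone, "AXFR"))

if __name__ == "__main__":
    for check, value in audit().items():
        print("%s: %s" % (check, value))
```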

Cheers.
