We use BIND as DNS.
In this article we will set up a Dynamic Domain Name System: first the DNS server and then the DHCP server are installed and configured.

```
# dnf install bind bind-utils
```
Configuration takes many steps.
First we generate a shared key that secures the dynamic-update traffic between the DHCP and DNS servers. Enter:

```
rndc-confgen -a -b 256
cd /etc
chmod 640 rndc.key
chown root:named rndc.key
chcon system_u:object_r:dnssec_t:s0 rndc.key
```
The key is written in /etc/rndc.key.
When we look in the keyfile we see:
```
key "rndc-key" {
    algorithm hmac-sha256;
    secret "e+LxyV0QEC6mUCNbBtujKidlMceQUye1qvJETRTbDM4=";
};
```
Don't copy this one, but make your own.
If you need to create a new key, restart named and dhcpd after you created the new key.
Copy this key to the slave dns.
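An added example, not code from the article, that exercises the update path dhcpd will later use: it sends an update signed with /etc/rndc.key through nsupdate for a constructed test name and address, checks the forward and reverse answers, and removes the records again. The host name dyntest and the address 192.168.1.250 are assumed test values.

```shell
#!/bin/sh
# Added example, not part of the original article: exercise the dynamic-update
# path that dhcpd will later use, by sending an update signed with the rndc key
# and then removing it again. Zone names and the server follow the article;
# TEST_HOST and TEST_IP are constructed values for the check only.
KEYFILE=/etc/rndc.key
SERVER=127.0.0.1
ZONE=example.com
REV_ZONE=1.168.192.in-addr.arpa
TEST_HOST=dyntest           # constructed: a name that does not exist yet
TEST_IP=192.168.1.250       # constructed: an address that is free on the LAN

# Print an nsupdate batch that adds or deletes the forward A record and the
# matching PTR for HOST/IP. Each zone gets its own "send": one update message
# covers one zone (the TTL on a delete is accepted and ignored by nsupdate).
update_batch() {   # update_batch add|delete HOST IP
    op=$1; host=$2; ip=$3
    rev=$(echo "$ip" | awk -F. '{ print $4"."$3"."$2"."$1 }')   # 192.168.1.250 -> 250.1.168.192
    printf 'server %s\nzone %s\nupdate %s %s.%s. 300 A %s\nsend\n' \
        "$SERVER" "$ZONE" "$op" "$host" "$ZONE" "$ip"
    printf 'server %s\nzone %s\nupdate %s %s.in-addr.arpa. 300 PTR %s.%s.\nsend\n' \
        "$SERVER" "$REV_ZONE" "$op" "$rev" "$host" "$ZONE"
}

# Send a batch signed with the TSIG key; nsupdate exits non-zero if the server
# answers REFUSED (wrong key, or the zone has no allow-update for it).
apply_update() { update_batch "$@" | nsupdate -k "$KEYFILE"; }

# Round trip: add, confirm forward and reverse answers, delete, confirm it is gone.
check_dynamic_update() {
    apply_update add "$TEST_HOST" "$TEST_IP" || return 1
    [ "$(dig +short "$TEST_HOST.$ZONE" "@$SERVER")" = "$TEST_IP" ] || return 1
    [ "$(dig +short -x "$TEST_IP" "@$SERVER")" = "$TEST_HOST.$ZONE." ] || return 1
    apply_update delete "$TEST_HOST" "$TEST_IP" || return 1
    [ -z "$(dig +short "$TEST_HOST.$ZONE" "@$SERVER")" ]
}
```

Run `check_dynamic_update` on the DNS server once named is up; a REFUSED answer from nsupdate means the key in the zone's allow-update does not match /etc/rndc.key.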
The dynamic zone files are stored in /var/named/dynamic.
For non-dynamic zones use /var/named/static.
For the zone serial number use the format yyyymmddxx, where:

| Field | Meaning |
|---|---|
| yyyy | year |
| mm | month |
| dd | day |
| xx | follow-up number, starting at 01 |

This allows 99 updates per day.
We start with example.com.
If you don't have IPv6 connectivity you can still use it with LAN-only fd00 (unique local) addresses. If you have IPv6, use the prefix you were assigned instead of fd00.
We start with a static set of addresses; new ones can be added later. Delete the zone's *.jnl journal file and restart named.
```
# cd /var/named/dynamic
# vi example.com
```

```
$ORIGIN .
example.com IN SOA ns.example.com. root.example.com. (
        2019032016 ; serial
        86400      ; refresh (1 day)
        3600       ; retry (1 hour)
        604800     ; expire (1 week)
        10800      ; minimum (3 hours)
        )
        NS    server1.example.com.
        MX 10 server1.example.com.
$ORIGIN example.com.    ; the relative names below belong to example.com
gate    A     192.168.1.1
        AAAA  2001:983:395:1:2665:11ff:fe82:6397
server1 A     192.168.1.11
        AAAA  2001:983:395:1:21e:2aff:fe49:522c
mlp     A     192.168.1.21
clp     A     192.168.1.22
ftp     CNAME server1
imap    CNAME server1
ldap    CNAME server1
mail    CNAME server1
nfs     CNAME server1
ns      A     192.168.1.11
        AAAA  2001:983:395:1:21e:2aff:fe49:522c
ntp     CNAME server1
pop3    CNAME server1
smtp    CNAME server1
sql     CNAME server1
ssh     CNAME server1
www     CNAME server1
```
mlp is the monochrome (b/w) laser printer and clp is the color laser jet.
Change the AAAA addresses to your own. IPv6 does not use NAT; it is a new way of thinking, but this is how the internet should work.
```
# vi 1.168.192
```

```
$ORIGIN .
1.168.192.in-addr.arpa IN SOA ns.example.com. root.example.com. (
        2019032011 ; serial
        86400      ; refresh (1 day)
        3600       ; retry (1 hour)
        604800     ; expire (1 week)
        10800      ; minimum (3 hours)
        )
$ORIGIN 1.168.192.in-addr.arpa.    ; the records below are within this zone
@       NS   ns.example.com.
1       PTR  gate.example.com.
11      PTR  server1.example.com.
21      PTR  mlp.example.com.
22      PTR  clp.example.com.
```
Your host addresses must look like the ones below, but with your own values.

```
# vi lan.ip6.arpa
```

```
$ORIGIN 1.0.0.0.5.9.3.0.5.8.9.0.1.0.0.2.ip6.arpa.
@       IN SOA ns.example.com. root.example.com. (
        2019030501 ; serial
        1D         ; refresh
        1H         ; retry
        1W         ; expire
        3H )       ; minimum
@       IN NS  ns.example.com.
7.9.3.6.2.8.e.f.f.f.1.1.5.6.6.2   IN PTR gate.example.com.
c.2.2.5.9.4.e.f.f.f.a.2.e.1.2.0   IN PTR server1.example.com.
```
After creating the zone files you need to change the owner.
```
# chown named:named *
```
We have the rndc key and the zones, so let's start with the configuration. Enter:

```
# cd /etc
# vi named.conf
```

Our DNS server resolves all names to IP addresses and does reverse lookups, so recursion is yes. No forwarders are necessary.
We don't use DNSSEC at this moment.
Our server is the master DNS-server. There is no slave DNS.
```
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind/sample/ for example named configuration files.
//

acl "trusted" {
    192.168.0.0/16;
    2a02:a465:54ef::/48;
};

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    managed-keys-directory "/var/named/dynamic";
    geoip-directory "/usr/share/GeoIP";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    allow-query { localhost; trusted; };
    recursion yes;
    allow-recursion { localhost; trusted; };

    dnssec-validation yes;

    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
    channel default_debug {
        file "/var/log/named.log";
        severity dynamic;
    };
};

include "/etc/named.root.key";
include "/etc/rndc.key";

zone "." {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";

zone "example.com" {
    type master;
    file "dynamic/example.com";
    allow-update { key rndc-key; };
    allow-transfer { none; };
    notify no;
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "dynamic/1.168.192";
    allow-update { key rndc-key; };
    allow-transfer { none; };
    notify no;
};

zone "1.0.0.0.5.9.3.0.5.8.9.0.1.0.0.2.ip6.arpa" {
    type master;
    file "dynamic/lan.ip6.arpa";
    allow-update { key rndc-key; };
    allow-transfer { none; };
    notify no;
};
```
Now we have a basic DNS.
```
# cd /var
# chown -R named:named named/
# named-checkconf
```
When there are no errors in the configuration files there is no output.
Check after (re)starting named in /var/log/named.log if all zones are loaded.
```
# cat /var/log/named.log
.....
all zones loaded
running
managed-keys-zone: Initializing automatic trust anchor management for zone '.';
......
resolver priming query complete
#
```

Make the log location writable once (the article does this with a world-writable /var/log; giving the named user ownership of just /var/log/named.log is the narrower choice), then start and enable named:

```
# chmod 777 /var/log    (only once)
# systemctl start named
# systemctl enable named
```
```
# nslookup server1.robkalmeijer.nl
Server:         192.168.1.11
Address:        192.168.1.11#53

Name:   server1.robkalmeijer.nl
Address: 192.168.1.11
Name:   server1.robkalmeijer.nl
Address: 2001:985:395:1::1:1

# nslookup 192.168.1.11
11.1.168.192.in-addr.arpa       name = server1.robkalmeijer.nl.

# nslookup ::1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa   name = localhost.
```
If you see something else, you made a typo or the configuration went wrong.

```
# nslookup server3.robkalmeijer.nl
Server:         192.168.1.11
Address:        192.168.1.11#53

** server can't find server3: NXDOMAIN
```
Let's look up a name outside the LAN.

```
# nslookup www.google.com
Server:         192.168.1.11
Address:        192.168.1.11#53

Non-authoritative answer:
Name:   www.google.com
Address: 172.217.17.132
Name:   www.google.com
Address: 2a00:1450:400e:807::2004
```
Both network and host firewalls must allow incoming TCP and UDP traffic over port 53. Standard DNS requests occur over UDP port 53. However, if the response size is over 512 bytes, as the case may be with DNSSEC, the request will need to be sent over TCP port 53.
Add these rules to the host firewall:

```
# firewall-cmd --permanent --zone=public --add-port=53/tcp
# firewall-cmd --permanent --zone=public --add-port=53/udp
# firewall-cmd --reload
```
The DNS-server is ready for duty.
NEVER open this port on your internet-facing router: this DNS server is private to your LAN and its VPN users. Put your public records in your ISP's DNS.
First build your DHCP server and let its clients use this DNS server; then you can test name resolution from other hosts on your LAN.
When done restart named.
The zone section is declared along with the path to the file containing the zone information, the statement that this is the master zone, and the IP address of the secondary server.
At the master dns:
```
zone "example.com" IN {
    type primary;
    file "example.com";
    allow-transfer { 192.168.1.19; };
};
```
192.168.1.19 is our slave server.
Copy the named.conf file to the slave server, or add the zones to its own named.conf. Change the zones as shown below; the address in masters is the master's address.
At the slave server modify the zones:

```
# cd /etc
# vi named.conf
```

```
zone "example.com" IN {
    type secondary;
    file "slaves/example.com";
    masters { 192.168.1.11; };
    allow-transfer { none; };
    allow-update { none; };
};
```
A DNS server can be a master/primary for one domain and a slave/secondary of another one.
Add the slave dns to your DHCP configuration as first choice and the master as second.
The following dig command can be run from either name server and should return the records for the domain held on that server.

```
# dig any example.com @localhost
```

You should also confirm that results can be retrieved from a remote host that is able to connect to the name servers. This confirms connectivity and that proper firewall rules are in place.

```
# dig any example.com @192.168.2.11
# dig any example.com @192.168.2.12
```
With dig you can test any DNS server in the internet.
```
# dig any example.com @8.8.8.8
```
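As an added check, not from the article, the script below compares the SOA serial that the master (192.168.1.11) and the slave (192.168.1.19) answer for a zone, so a stalled zone transfer shows up as a serial mismatch rather than going unnoticed.

```shell
#!/bin/sh
# Added example, not from the original article: check that the slave answers
# with the same zone version as the master by comparing the SOA serial from
# each. Addresses are the article's (192.168.1.11 master, 192.168.1.19 slave).
MASTER=192.168.1.11
SLAVE=192.168.1.19

# The serial is the third field of a "dig +short SOA" answer, for example
# "ns.example.com. root.example.com. 2019032016 86400 3600 604800 10800".
# Anything else (empty output, ";; connection timed out ...") is rejected.
soa_serial() {   # soa_serial "ANSWER LINE"
    set -- $1                           # split on whitespace on purpose
    case $3 in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo "$3"
}

# Ask SERVER for ZONE's SOA and print only the serial.
serial_at() {   # serial_at ZONE SERVER
    soa_serial "$(dig +short +time=2 +tries=1 SOA "$1" "@$2")"
}

# 0: in sync; 1: slave behind (transfer still pending, or allow-transfer /
# masters misconfigured); 2: slave ahead (should never happen, since the
# slave copy is not edited by hand).
compare_serials() {   # compare_serials MASTER_SERIAL SLAVE_SERIAL
    if [ "$1" = "$2" ]; then return 0
    elif [ "$2" -lt "$1" ]; then return 1
    else return 2
    fi
}

check_zone() {   # check_zone ZONE
    m=$(serial_at "$1" "$MASTER") || { echo "no SOA for $1 from master $MASTER"; return 1; }
    s=$(serial_at "$1" "$SLAVE")  || { echo "no SOA for $1 from slave $SLAVE"; return 1; }
    rc=0; compare_serials "$m" "$s" || rc=$?
    echo "$1: master serial $m, slave serial $s (status $rc)"
    return $rc
}
```

Run `check_zone example.com` from a LAN host; the same call works for the reverse zones.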
Zone files can be modified on the master name servers. Once resource records have been added, modified, or removed, you must remember to increment the zone serial number.
First stop the dynamic updating of the zone files by:
```
# rndc freeze <zone>
```
Update the zone manually and update the zone serial.
Re-enable dynamic updates and restart named:

```
# rndc thaw <zone>
# rndc sync <zone>
# rndc sync -clean <zone>
# systemctl restart named
```
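An added script, not from the article, that carries out the freeze, edit, serial bump and thaw sequence above, computing the new serial in the yyyymmddxx scheme described earlier and validating the file with named-checkzone before thawing. It assumes the zone file lives at /var/named/dynamic/<zone> and uses $EDITOR (or vi) for the edit.

```shell
#!/bin/sh
# Added example, not from the original article: a hand edit of a dynamic zone
# on the master following the freeze / edit / thaw sequence, with the serial
# bumped in the yyyymmddxx scheme. The zone file path follows the article
# (/var/named/dynamic/<zone>); the editor is taken from $EDITOR.

# Next serial from the current one and today's date (yyyymmdd). Same day:
# increment the xx counter; a later day: restart at 01. Returns 1 when 99
# updates were already made today or when the current serial is dated after
# today (clock problem), because a serial must never go backwards.
next_serial() {   # next_serial CURRENT TODAY
    cur=$1; today=$2
    day=${cur%??}              # leading yyyymmdd
    n=${cur#????????}          # trailing xx
    n=${n#0}                   # "08" -> "8", so it is not read as octal
    if [ "$day" = "$today" ]; then
        [ "$n" -lt 99 ] || return 1
        printf '%s%02d\n' "$day" $((n + 1))
    elif [ "$day" -lt "$today" ]; then
        printf '%s01\n' "$today"
    else
        return 1
    fi
}

# Freeze the zone (journal is flushed into the file, updates are refused),
# let the operator edit it, rewrite the serial, validate, and thaw. On a
# validation failure the backup is restored before thawing, so named never
# reloads a broken zone.
bump_zone() {   # bump_zone ZONE
    zone=$1; file=/var/named/dynamic/$zone
    rndc freeze "$zone" || return 1
    old=$(dig +short SOA "$zone" @localhost | awk '{ print $3 }')
    if ! new=$(next_serial "$old" "$(date +%Y%m%d)"); then
        echo "cannot derive a new serial from '$old'"; rndc thaw "$zone"; return 1
    fi
    cp -p "$file" "$file.bak"
    ${EDITOR:-vi} "$file"
    sed -i "s/$old/$new/" "$file"       # first match is the SOA serial
    if named-checkzone -q "$zone" "$file"; then
        rndc thaw "$zone"
    else
        echo "zone check failed, restoring $file.bak"
        cp -p "$file.bak" "$file"; rndc thaw "$zone"; return 1
    fi
}
```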
Next step is setting up dnssec for your domains.
Setting up dnssec.