Rob's web

DNS server

We use BIND as DNS.

In this article we will set up a Dynamic Domain Name System (DDNS): first the DNS server and then the DHCP server are installed and configured.

Installation

# yum install bind bind-utils

The package is called bind (the daemon itself is named); bind-utils provides nslookup and dig, which we use for testing below.

Configuration

Configuration takes many steps.

DHCP-DNS key

First we generate a shared secret key with which the DHCP server signs (authenticates) the updates it sends to the DNS server. Enter:

rndc-confgen -a -b 256

The key is written to /etc/rndc.key.

When we look in the keyfile we see:

key "rndc-key" {
        algorithm hmac-md5;
        secret "e+LxyV0QEC6mUCNbBtujKidlMceQUye1qvJETRTbDM4=";
};

Don't copy this one, but make your own. The same key must later be configured on the DHCP server. Recent versions of rndc-confgen generate an hmac-sha256 key by default; hmac-md5 is deprecated, so prefer the newer algorithm when your version offers it.

Master dns server

Zone files

The zone files are stored in /var/named/dynamic.

We start with example.com.

If you have no public IPv6 prefix you can still use IPv6 on the LAN with unique local fd00::/8 addresses. If you do have IPv6, use the prefix you were given instead of fd00.

We start with a static set of addresses; new ones can be added later. Note that once a zone accepts dynamic updates, named keeps the changes in a *.jnl journal file next to the zone file. If you edit the zone file by hand, delete the *.jnl file and restart named (or run rndc freeze before editing and rndc thaw afterwards, which is the cleaner way).

# cd /var/named/dynamic
# vi example.com
$ORIGIN .
$TTL 86400      ; default TTL (1 day)
example.com          IN SOA  ns.example.com. root.example.com. (
                                2019032016 ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                10800      ; minimum (3 hours)
                                )

                        NS      server1.example.com.
                        MX      10 server1.example.com.
$ORIGIN example.com.
gate                    A       192.168.1.1
                        AAAA    2001:983:395:1:2665:11ff:fe82:6397
server1                 A       192.168.1.11
                        AAAA    2001:983:395:1:21e:2aff:fe49:522c
mlp                     A       192.168.1.21
clp                     A       192.168.1.22

ftp                     CNAME   server1
imap                    CNAME   server1
ldap                    CNAME   server1
mail                    CNAME   server1
nfs                     CNAME   server1
ns                      A       192.168.1.11
                        AAAA    2001:983:395:1:21e:2aff:fe49:522c
ntp                     CNAME   server1
pop3                    CNAME   server1
smtp                    CNAME   server1
sql                     CNAME   server1
ssh                     CNAME   server1
www                     CNAME   server1

Without the $ORIGIN example.com. line the host names after the SOA would be relative to the root and rejected as out-of-zone data; the $TTL line gives every record a default TTL, which named otherwise only takes from the SOA minimum with a warning.

mlp is the monochrome (b/w) laser printer and clp is the color laser printer.

Change the AAAA addresses to your own. IPv6 does not use NAT; it is a new way of thinking, but this is how the internet should work.

Now we create the reverse zone for IPv4.

# vi 1.168.192

$ORIGIN .
$TTL 86400      ; default TTL (1 day)
1.168.192.in-addr.arpa  IN SOA  ns.example.com. root.example.com. (
                                2019032011 ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                10800      ; minimum (3 hours)
                                )
$ORIGIN 1.168.192.in-addr.arpa.
@                       NS      ns.example.com.

1                       PTR     gate.example.com.
11                      PTR     server1.example.com.
21                      PTR     mlp.example.com.
22                      PTR     clp.example.com.

Now we create the reverse zone for IPv6. The owner names below are the 16 nibbles of the host part of each address written in reverse order; replace them with yours.

# vi lan.ip6.arpa

$ORIGIN 1.0.0.0.5.9.3.0.5.8.9.0.1.0.0.2.ip6.arpa.
$TTL 1D         ; default TTL
@       IN SOA  ns.example.com. root.example.com. (
                2019030501      ; serial
                1D              ; refresh
                1H              ; retry
                1W              ; expire
                3H )            ; minimum

@       IN      NS      ns.example.com.

7.9.3.6.2.8.e.f.f.f.1.1.5.6.6.2 IN      PTR     gate.example.com.
c.2.2.5.9.4.e.f.f.f.a.2.e.1.2.0 IN      PTR     server1.example.com.

# chown named:named *
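Writing the reversed nibbles by hand is error-prone, so here is an added example (not part of this page's configuration) that derives the in-addr.arpa and ip6.arpa PTR owner names from the A/AAAA records above and checks the two reverse zones against them. The FORWARD_ZONE and REVERSE_ZONE dictionaries are constructed from the zone files on this page (ns is left out because it shares server1's addresses), and the domain name example.com is assumed; run on this data, the check reports the IPv6 entries as both missing and stale because the forward zone uses prefix 2001:983:... while the reverse zone's $ORIGIN encodes 2001:985:....

```python
import ipaddress

# Constructed sample: the A/AAAA records of the forward zone on this page
# (ns shares server1's addresses and is left out).
FORWARD_ZONE = {
    "gate":    ["192.168.1.1", "2001:983:395:1:2665:11ff:fe82:6397"],
    "server1": ["192.168.1.11", "2001:983:395:1:21e:2aff:fe49:522c"],
    "mlp":     ["192.168.1.21"],
    "clp":     ["192.168.1.22"],
}

# Constructed sample: the PTR records of the two reverse zones on this page,
# written out with their full owner names ($ORIGIN applied).
REVERSE_ZONE = {
    "1.1.168.192.in-addr.arpa": "gate.example.com",
    "11.1.168.192.in-addr.arpa": "server1.example.com",
    "21.1.168.192.in-addr.arpa": "mlp.example.com",
    "22.1.168.192.in-addr.arpa": "clp.example.com",
    "7.9.3.6.2.8.e.f.f.f.1.1.5.6.6.2.1.0.0.0.5.9.3.0.5.8.9.0.1.0.0.2.ip6.arpa":
        "gate.example.com",
    "c.2.2.5.9.4.e.f.f.f.a.2.e.1.2.0.1.0.0.0.5.9.3.0.5.8.9.0.1.0.0.2.ip6.arpa":
        "server1.example.com",
}


def ptr_name(addr):
    """Owner name of the PTR record for addr: reversed octets under
    in-addr.arpa for IPv4, all 32 reversed nibbles under ip6.arpa for IPv6."""
    return ipaddress.ip_address(addr).reverse_pointer


def expected_ptrs(forward, domain):
    """PTR records the forward zone implies: owner name -> target host."""
    return {ptr_name(a): f"{host}.{domain}"
            for host, addrs in forward.items() for a in addrs}


def check_consistency(forward, reverse, domain="example.com"):
    """Return (missing, stale): PTR owners the forward zone needs but the
    reverse zones lack or point elsewhere, and PTR owners in the reverse
    zones that no forward address explains (typically a wrong prefix)."""
    want = expected_ptrs(forward, domain)
    missing = sorted(n for n, t in want.items() if reverse.get(n) != t)
    stale = sorted(n for n in reverse if n not in want)
    return missing, stale


if __name__ == "__main__":
    for label, names in zip(("missing", "stale"),
                            check_consistency(FORWARD_ZONE, REVERSE_ZONE)):
        print(label, *names, sep="\n  ")
```

Run it after every zone edit; an empty missing and stale list means the forward and reverse zones agree.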

Named.conf

We have the rndc-key and the zones, so let's start with the configuration. Enter:

# cd /etc
# vi named.conf

Our DNS server resolves all names to addresses and does reverse lookups for our clients, so recursion is set to yes. No forwarders are necessary. Because allow-query is any, restrict recursion to the LAN with the allow-recursion option (for example the 192.168.1.0/24 subnet and localhost) if the server is reachable from the internet; a recursive server that answers everybody is an open resolver and gets abused for amplification attacks.

We don't use DNSSEC at this moment.

Our server is the master DNS-server. There is no slave DNS.

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53       {any;};
        listen-on-v6 port 53    {any;};
        directory               "/var/named";
        dump-file               "/var/named/data/cache_dump.db";
        statistics-file         "/var/named/data/named_stats.txt";
        memstatistics-file      "/var/named/data/named_mem_stats.txt";
        allow-query             {any;};
        allow-transfer          {none;};
        recursion               yes;

        dnssec-enable           no;
        dnssec-validation       no;
        #dnssec-lookaside       auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};

logging {
        channel default_debug {
                file "/var/log/named.log";
                severity dynamic;
        };
};

include "/etc/rndc.key";

zone "." {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";

zone "example.com" {
        type master;
        file "dynamic/example.com";
        allow-update { key rndc-key; };
        notify no;
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "dynamic/1.168.192";
        allow-update { key rndc-key; };
        notify no;
};

zone "1.0.0.0.5.9.3.0.5.8.9.0.1.0.0.2.ip6.arpa" {
        type master;
        file "dynamic/lan.ip6.arpa";
        allow-update { key rndc-key; };
        notify no;
};

include "/etc/named.root.key";

Now we have a basic DNS.

Checking the zone files

# named-checkconf

If there are no errors, the command prints nothing. named-checkconf on its own checks only named.conf; add -z to also load and check every zone file it refers to.

Starting the DNS

# chmod 777 /var/log
# systemctl start named
# systemctl enable named

The chmod is only there so that named can create /var/log/named.log. A world-writable /var/log lets every local user tamper with log files; it is safer to create /var/log/named.log yourself, owned by user and group named, and leave the permissions of /var/log alone.

Testing

# nslookup server1.robkalmeijer.nl
Server:         192.168.1.11
Address:        192.168.1.11#53

Name:   server1.robkalmeijer.nl
Address: 192.168.1.11
Name:   server1.robkalmeijer.nl
Address: 2001:985:395:1::1:1
# nslookup 192.168.1.11
11.1.168.192.in-addr.arpa       name = server1.robkalmeijer.nl.
# nslookup ::1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa        name = localhost.

If you see something else, you made a typo or the configuration went wrong.

# nslookup server3.robkalmeijer.nl
Server:         192.168.1.11
Address:        192.168.1.11#53

** server can't find server3: NXDOMAIN

Let's go outside and resolve an external name.

# nslookup www.google.com
Server:         192.168.1.11
Address:        192.168.1.11#53

Non-authoritative answer:
Name:   www.google.com
Address: 172.217.17.132
Name:   www.google.com
Address: 2a00:1450:400e:807::2004

Firewall

Both network and host firewalls must allow incoming TCP and UDP traffic over port 53. Standard DNS requests occur over UDP port 53. However, if the response size is over 512 bytes, as the case may be with DNSSEC, the request will need to be sent over TCP port 53.

Add the rules to the firewall:

# firewall-cmd --permanent --zone=public --add-port=53/tcp
# firewall-cmd --permanent --zone=public --add-port=53/udp
# firewall-cmd --reload

The DNS-server is ready for duty.

First set up your DHCP server and let it hand out this DNS server to the clients. Then you can test name resolution from other machines on your LAN.

Slave dns servers

On the master, the zone statement is declared along with the path to the file containing the zone information, the type master, and the IP address of the secondary server that is allowed to transfer the zone.

At the master dns:

zone "example.com" IN {
    type master;
    file "dynamic/example.com";
    allow-update { key rndc-key; };
    allow-transfer { 192.168.1.19; };
};

Copy the named.conf file to the slave server and change each zone statement: the type becomes slave, the file goes into the slaves directory, and a masters statement holds the address of the master. Also remove this line from each zone on the slave:

allow-update { key rndc-key; };

At the slave server modify the zones:

# cd /etc
# vi named.conf

zone "example.com" IN {
    type slave;
    file "slaves/example.com";
    masters { 192.168.1.11; };
};

Test DNS resolution

The following dig command, run on either name server, should return the records for the domain from that server.

# dig any example.com @localhost

You should also confirm that the records can be retrieved from a remote host that is able to connect to the name servers. This confirms connectivity and that the proper firewall rules are in place (192.168.1.11 is the master and 192.168.1.19 the slave in this setup).

# dig any example.com @192.168.1.11
# dig any example.com @192.168.1.19

Modify zone file

Zone files are modified on the master name server only. Once resource records have been added, modified, or removed, you must remember to increment the zone serial number; a secondary only transfers the zone when it sees a higher serial. For a zone that accepts dynamic updates, run rndc freeze example.com before editing the file and rndc thaw example.com afterwards, so the journal and the file do not get out of step; thaw reloads the zone by itself.

Once the zone serial number has been incremented, the zone needs to be reloaded. This can be done without restarting the named process.

# rndc reload example.com

The reload also sends a NOTIFY to the secondary server, which then starts a zone transfer. This requires notify yes (the default) in the zone statement; the configuration above sets notify no, and with that setting the secondary only notices the change at its next SOA refresh interval.
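As an added example, not code from this page, the following Python function bumps a serial in the YYYYMMDDnn form used in the zone files above and checks the result with the RFC 1982 serial arithmetic that a secondary applies before transferring. The parameter today (an int like 20190321) is assumed for testing and defaults to the real date.

```python
import datetime


def serial_gt(a, b):
    """True when serial a is newer than serial b under RFC 1982 serial
    arithmetic (32-bit, wrapping). A secondary applies this test to the
    master's SOA serial before it starts a zone transfer."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return (a < b and b - a > 2**31) or (a > b and a - b < 2**31)


def next_serial(current, today=None):
    """Next serial in YYYYMMDDnn form. The counter restarts at 00 on a new
    day; if the serial is already from today, or from a later date because
    the clock was once wrong, it simply counts up, because a secondary
    only accepts a larger serial and a lower date-based value would be
    silently ignored. today is an int such as 20190321 (assumed helper
    parameter for testing; defaults to the real date)."""
    if today is None:
        today = int(datetime.date.today().strftime("%Y%m%d"))
    base = today * 100
    new = base if current < base else current + 1
    if not serial_gt(new, current):
        raise ValueError("serial did not increase")
    return new
```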