DNS Server Configuration on CentOS 7 (Caching DNS with BIND)

A DNS (Domain Name System) server is an essential part of any computer network; web communication today is unimaginable without it. DNS is a client-server protocol: a DNS client sends a request for domain name resolution and the DNS server answers it. Every network should have its own DNS server, because a local DNS server improves network performance by caching DNS information and serving DNS requests locally. A DNS server can be configured on either a Windows or a Linux operating system. In this article, I will discuss how to configure a caching DNS server on CentOS 7 / RedHat 7 Linux with the BIND9 service.

Domain Name System (DNS) and How It Works

Communication between a workstation (PC) and a server is always done by IP address. So, to get any information from a web server, you would have to remember the IP address of that server, and remembering a huge number of public IP addresses is almost impossible for a human being. DNS was introduced in computer networking to solve this problem. DNS is best compared to a phone book, where a user finds a phone number by looking up the easier-to-remember name. So, DNS can be defined as a mapping between human-readable names (such as mikrotik.com) and their associated IP addresses (such as 159.148.147.196). A DNS server listens on port 53, for both UDP and TCP connections.

How DNS Works

When a user types a domain name (such as www.mikrotik.com) into the browser's address bar, the browser first sends a request to the DNS server to get the IP address of that domain name. The DNS server replies with the IP address associated with that domain. Once it has the IP address, the browser is able to communicate with the web server to get the requested information.

If we use a public DNS server, every request from every user for any domain goes out through the WAN connection, consuming paid bandwidth and adding latency. If instead we use a local DNS server, that server caches the DNS information it obtains (starting from the root DNS servers) in memory and answers the DNS queries of the connected clients itself. This is obviously faster and saves paid bandwidth.

BIND9 DNS Server Configuration on CentOS7

BIND (Berkeley Internet Name Domain) is an open source DNS service and the most commonly used one. It is also the default DNS service on UNIX-like operating systems, so we can easily install and configure the BIND DNS service on CentOS 7. A complete DNS server configuration on CentOS 7 Linux with the BIND service can be divided into the following 14 steps.

  • Setting static IP address
  • SELINUX and Firewall Configuration
  • Putting local resolver entry and setting static hostname
  • Installing BIND package from YUM repository
  • Resetting DNS IP address and verifying resolver configuration
  • Allowing DNS Server IP and Network in configuration file
  • Setting Forward and Reverse Zones
  • Creating Forward and Reverse Zone Files
  • Setting Ownership to Forward and Reverse Zone Files
  • Editing Forward Zone File
  • Editing Reverse Zone File
  • Restarting DNS service and enabling auto start at boot time
  • Checking DNS
  • Viewing and flushing DNS cache

Step 1:   Setting Static IP Address

The first step is to set up a static IP address on CentOS 7. It is assumed that you have already installed a fresh CentOS 7 with the GNOME Desktop. How to configure a static IP address on CentOS 7 with the nmtui tool was discussed in my previous article. Configure the static IP address following that article according to your own IP information. For this configuration, I am using the following IP information.

  • DNS Server IP: 192.168.40.100/25
  • Gateway: 192.168.40.1
  • DNS: 8.8.8.8 (public DNS IP until BIND installation)

At the time of setting these IP information with nmtui tool, the state looks like the below image.

IP Configuration with nmtui tool

Step 2: SELINUX and Firewall Configuration

For simplicity, this article does not write any SELinux policy for named; instead we disable SELinux first. To disable SELinux, open the SELinux configuration file with the vim editor, change SELINUX from enforcing to disabled, and save the file (the change takes effect at the reboot in step 3).

[root@localhost ~]# vim /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Now we will configure the CentOS 7 firewall so that our DNS server accepts DNS requests. The dedicated port for DNS is 53 (both TCP and UDP), so we have to allow port 53 in the CentOS 7 firewall. Adding the dns service to the active firewall zone opens port 53 for both protocols.

My active firewall zone is public. So, the following commands add the dns service to the public zone, first in the running configuration and then permanently so that it survives a reload or reboot.

[root@localhost ~]# firewall-cmd --zone=public --add-service=dns
[root@localhost ~]# firewall-cmd --zone=public --add-service=dns --permanent

Step 3: Putting Local Resolver Entry and Setting Static Hostname

We will now put a local resolver entry in the hosts file. For this configuration, I am using the domain name systemzone.net and the hostname ns1. So, open the hosts file, put the line for 192.168.40.100 shown below at the bottom, and then save and exit.

[root@localhost ~]# vim /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.40.100   ns1.systemzone.net   ns1

We will also set a static hostname in the hostname file. So, open /etc/hostname, put ns1.systemzone.net in it and save the file.

[root@localhost ~]# vim /etc/hostname

ns1.systemzone.net

Now reboot your CentOS 7 Server with reboot command. After rebooting, we will start BIND installation.

[root@localhost ~]# reboot

Step 4: Installing BIND Package from YUM Repository

After restarting, we are ready to install the BIND package from the YUM repository. So, open a terminal and run the following command (the pattern is quoted so that the shell does not expand it against files in the current directory before yum sees it).

[root@ns1 ~]# yum install 'bind*' -y

This command installs all the packages that are required for the BIND DNS service from the CentOS 7 repository.

Step 5: Resetting DNS IP Address and Verifying Resolver Configuration

We have put public DNS IP at the time of static IP setting. We will now replace it with our DNS Server IP (192.168.40.100). So, replace current DNS IP with your DNS Server IP using nmtui tool.

Replacing DNS with nmtui tool

After replacing DNS IP address, restart network service to update network information.

[root@ns1 ~]# systemctl restart network

After restarting the network service, verify that the resolver configuration file (/etc/resolv.conf) contains information like the following.

[root@ns1 ~]# cat /etc/resolv.conf

# Generated by NetworkManager
search systemzone.net
nameserver 192.168.40.100

If everything is OK, NetworkManager will have updated the resolver information as in the above output. If your resolver information looks like the above output, follow the next step. Otherwise, follow the note below.

Note: If you do not find the above information in the resolver file, put entries like the above output into it, where the search value is your domain name and the nameserver value is your DNS server IP address, and then reboot your CentOS 7 server.

Step 6: Allowing DNS Server IP and Local Network in DNS Configuration File

The daemon of the BIND package is named. The main configuration file of the named service is /etc/named.conf. We will put the DNS server IP address (192.168.40.100) as well as the LAN block (192.168.40.0/25) into this configuration so that the named service listens on the server address and LAN hosts are allowed to send DNS queries to it. Before editing any configuration file, we should keep a backup of the original file. So, to keep a backup, issue the following command.

[root@ns1 ~]# cp /etc/named.conf /etc/named.conf.bak

Now open the configuration file, find the options directive, put the DNS server IP address in the listen-on port 53 option, disable listen-on-v6 by commenting it out with a hash mark (#), put the LAN block in the allow-query option, and then save and exit from the file. The options directive then looks like the following.

[root@ns1 ~]# vim /etc/named.conf

options {
        listen-on port 53 { 127.0.0.1; 192.168.40.100; };
        #listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost; 192.168.40.0/25; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

Step 7: Setting Forward and Reverse Zones

The default zone file that contains zone definitions is /etc/named.rfc1912.zones. We will create a forward zone directive for our domain (systemzone.net) and a reverse zone directive for our LAN block (192.168.40.0/24). So, first keep a backup copy, then open the named.rfc1912.zones file, put the following forward and reverse zone directives at the bottom, and save and exit from the file.

#forward zone for systemzone.net domain
zone "systemzone.net" IN {
        type master;
        file "systemzone.net.for";
        allow-update { none; };
};

#Reverse zone for 192.168.40.0/24 block
zone "40.168.192.in-addr.arpa" IN {
        type master;
        file "systemzone.net.rev";
        allow-update { none; };
};

If you have another domain and LAN block, create another forward zone and reverse zone directive for them respectively.

The zone directive has the following options.

  • type: Defines the role of this server for the zone. As this is our master DNS server, I have set it to master, which means this server is the authoritative owner of the zone. If this were a second server hosting the zone, it would be set to slave. A slave is allowed to host the zone's database, but only read-only.
  • file: The name of the zone's database file. Unless an absolute path is included, the file must be in the directory set by the directory option at the top of the BIND configuration file. By default, all zone files on CentOS 7 are kept in /var/named.
  • allow-query: Defines which hosts or subnets are allowed to query this server for the zone. As we want anyone to be able to query this zone, I have set it to any.

Step 8: Creating Forward and Reverse Zone Files

In the zone configuration, we have declared that our forward zone file is systemzone.net.for and our reverse zone file is systemzone.net.rev. As the default directory (defined by the directory option in named.conf) is /var/named, we have to create the forward and reverse zone files in this directory. So, go to /var/named and create these two files.

[root@ns1 ~]# cd /var/named
[root@ns1 named]# touch systemzone.net.for systemzone.net.rev

Step 9: Setting Ownership to Forward and Reverse Zone Files

As we created the forward and reverse zone files as the root user, their user and group ownership is root, and with the group-readable mode shown below the named service cannot read them. So, we change the group ownership of these files to named so that the named service is able to read the forward and reverse zone files. To change the group ownership, issue the following commands.

[root@ns1 named]# ll systemzone.net.*

-rw-r-----. 1 root root 152 Mar 21 13:59 systemzone.net.for
-rw-r-----. 1 root root 168 Mar 21 13:59 systemzone.net.rev

[root@ns1 named]# chgrp named systemzone.net.*
[root@ns1 named]# ll systemzone.net.*

-rw-r-----. 1 root named 152 Mar 21 13:59 systemzone.net.for
-rw-r-----. 1 root named 168 Mar 21 13:59 systemzone.net.rev

Step 10: Editing the Forward Zone File

Now open the forward zone file and add the following lines in this file and then save and exit from the file.

[root@ns1 named]# vim systemzone.net.for

$TTL 1D
$ORIGIN systemzone.net.
@       IN SOA  ns1.systemzone.net. root.systemzone.net. (
        0       ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H )    ; minimum
@       IN NS   ns1.systemzone.net.
@       IN A    192.168.40.100
ns1     IN A    192.168.40.100

The $TTL (Time-to-Live) directive on the first line defines how long a record may be cached by any resolver, in seconds or with a unit suffix (1D means one day). The default value is 1D. You can change it as your requirements dictate.

The $ORIGIN directive on the second line defines the base name that is appended to 'unqualified' names (those without a terminating dot) when the zone file is processed. Zone files that do not contain an $ORIGIN directive, while perfectly legitimate, can be highly confusing. In general, we should always define an $ORIGIN directive explicitly unless there is a very good reason not to. The $ORIGIN value must be 'qualified' (it ends with a 'dot').

The third line, called the Start of Authority (SOA) record, has the following meaning.

  • @: The first value is the fully qualified domain name of the zone. The '@' character is an alias for the domain name defined in the BIND configuration file, which saves admins from having to type the entire name.
  • IN: Sets the class of the adjacent record to Internet.
  • SOA: This is the zone's Start of Authority record. It defines who the authoritative name server is, contact information for the administrator, and a few other values.
  • ns1.systemzone.net.: The fully qualified domain name of the authoritative name server for the zone. (Don't forget the ending 'dot'.)
  • root.systemzone.net.: The email address of the administrator of the zone, with the @ character replaced by a period. (Don't forget the ending 'dot'.)
  • Serial: The serial (version) number of the zone file. This value is essential for secondary DNS servers, which keep a replica of the zone and need to know whether changes have been made.
  • Refresh: How often a slave (secondary) BIND DNS server should do a zone transfer from the master (primary) server.
  • Retry: How often a slave should retry a failed zone transfer.
  • Expire: How long a slave (secondary) server should keep answering client queries after it has lost contact with the master (primary) server.
  • Minimum: The default time-to-live value each record will have, unless a record specifies otherwise.

The line after the SOA record contains the name server (NS) record for the domain (systemzone.net). Every zone requires at least one name server. The name server record has the following options.

  • @: The '@' character is an alias for the domain name defined in the BIND configuration file. The NS record requires this or the fully typed-out domain name of the zone.
  • IN: Sets the class of the adjacent record to Internet.
  • NS: Sets the record as a Name Server record.
  • ns1.systemzone.net.: The fully qualified domain name of the name server. (Don't forget the ending 'dot'.)

The next line contains the host (A) record of the domain name itself (systemzone.net), because we want to resolve the bare domain as well. The host record has the following options.

  • @: The '@' character is an alias for the domain name defined in the BIND configuration file. The record requires this or the fully typed-out domain name of the zone.
  • IN: Sets the class of the adjacent record to Internet.
  • A: Sets the record as a Host record.
  • 192.168.40.100: The IP address of the host.

The last line contains the host record of the name server (ns1.systemzone.net), because every NS record needs a matching host record: clients require it to resolve the IP address of the name server. This host record has the following meaning.

  • ns1: Hostname of the server (unqualified, so $ORIGIN is appended).
  • IN: Sets the class of the adjacent record to Internet.
  • A: Sets the record as a Host record.
  • 192.168.40.100: The IP address of the host.

Now if you have another server such as FTP Server (IP address is 192.168.40.101) and want to resolve with its hostname (ftp), put the following Host Record at the bottom of the above Host Record.

ftp  IN A 192.168.40.101

Step 11: Editing Reverse Zone File

The reverse zone file is required to resolve IP address to name. Open the reverse zone file and put the following lines in this file and then save and exit from the file.

[root@ns1 named]# vim systemzone.net.rev

$TTL 1D
$ORIGIN 40.168.192.in-addr.arpa.
@       IN SOA  ns1.systemzone.net. root.systemzone.net. (
        0       ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H )    ; minimum
        IN NS   ns1.systemzone.net.
100     IN PTR  ns1.systemzone.net.

This file has options similar to the forward zone file. The only new option is the PTR record (on the last line), which is the whole purpose of the reverse zone file. A PTR record is especially important for an outgoing mail server, because some receiving mail servers reject messages from a sender whose IP address has no valid PTR record. A PTR record has the following options.

  • 100: The value '100' is actually a name; it is the last octet of the IP address, and $ORIGIN is appended to it.
  • IN: Sets the class of the adjacent record to Internet.
  • PTR: Sets the record as a reverse DNS (pointer) record.
  • ns1.systemzone.net.: The fully qualified domain name of the host. (Don't forget the ending 'dot'.)

Now if you have another server such as FTP Server (whose IP address is 192.168.40.101 and FQDN is ftp.systemzone.net) and want to resolve reverse DNS, put the following PTR Record at the bottom of the above PTR Record.

101  IN PTR ftp.systemzone.net.
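Steps 7, 10 and 11 derive three things by hand from the network numbers: the in-addr.arpa zone name, the PTR owner names (last octets) and the zone serial. The following POSIX shell script is an added example, not part of the original article, that generates the zone directives and both zone files from a handful of variables so those values cannot drift apart. The domain, host names and addresses are the article's values and are assumptions; the ftp host and the YYYYMMDDnn serial convention are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original article): generate the zone
# directives (step 7) and the forward and reverse zone files (steps 10, 11)
# from a few variables, so the in-addr.arpa name, the PTR owner names and
# the serial are derived instead of typed by hand.
# The values below mirror the article and are assumptions; adjust for your LAN.
DOMAIN="systemzone.net"
NS_HOST="ns1"
NS_IP="192.168.40.100"
LAN_BLOCK="192.168.40.0/24"
# Additional hosts as name=ip pairs (constructed sample data).
EXTRA_HOSTS="ftp=192.168.40.101"

# in-addr.arpa zone name for a /24 block: the first three octets reversed.
reverse_zone_name() {
    echo "$1" | awk -F'[./]' '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}

# Owner name of an address's PTR record inside a /24 reverse zone: its last octet.
ptr_owner() {
    echo "$1" | awk -F. '{ print $4 }'
}

# Serial in YYYYMMDDnn form ($1 = date as YYYYMMDD, $2 = change counter).
# A serial that grows on every edit is what lets secondaries notice a change.
make_serial() {
    printf '%s%02d\n' "$1" "$2"
}

# Common head of both zone files: $1 = $ORIGIN (with trailing dot), $2 = serial.
soa_header() {
    cat <<EOF
\$TTL 1D
\$ORIGIN $1
@       IN SOA  ${NS_HOST}.${DOMAIN}. root.${DOMAIN}. (
        $2      ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H )    ; minimum
@       IN NS   ${NS_HOST}.${DOMAIN}.
EOF
}

# Forward zone: A records for the domain, the name server and the extra hosts.
forward_zone_file() {
    soa_header "${DOMAIN}." "$1"
    printf '@       IN A    %s\n' "$NS_IP"
    printf '%-7s IN A    %s\n' "$NS_HOST" "$NS_IP"
    for pair in $EXTRA_HOSTS; do
        printf '%-7s IN A    %s\n' "${pair%%=*}" "${pair#*=}"
    done
}

# Reverse zone: one PTR record per host, keyed by its last octet.
reverse_zone_file() {
    soa_header "$(reverse_zone_name "$LAN_BLOCK")." "$1"
    printf '%-7s IN PTR  %s.%s.\n' "$(ptr_owner "$NS_IP")" "$NS_HOST" "$DOMAIN"
    for pair in $EXTRA_HOSTS; do
        printf '%-7s IN PTR  %s.%s.\n' "$(ptr_owner "${pair#*=}")" "${pair%%=*}" "$DOMAIN"
    done
}

# Zone directives to append to /etc/named.rfc1912.zones.
zone_directives() {
    cat <<EOF
# forward zone for ${DOMAIN}
zone "${DOMAIN}" IN {
    type master;
    file "${DOMAIN}.for";
    allow-update { none; };
};

# reverse zone for ${LAN_BLOCK}
zone "$(reverse_zone_name "$LAN_BLOCK")" IN {
    type master;
    file "${DOMAIN}.rev";
    allow-update { none; };
};
EOF
}

# Print everything to stdout; redirect each part into its file once satisfied.
SERIAL=$(make_serial "$(date +%Y%m%d)" 1)
zone_directives
echo
forward_zone_file "$SERIAL"
echo
reverse_zone_file "$SERIAL"
```

Redirect the three parts into /etc/named.rfc1912.zones (appending), /var/named/systemzone.net.for and /var/named/systemzone.net.rev, then check them before restarting named: `named-checkconf /etc/named.conf` validates the configuration and `named-checkzone systemzone.net /var/named/systemzone.net.for` (and the same for the reverse zone) parses each zone file and reports the serial it loaded. Both tools ship with the bind package installed in step 4.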

Step 12: Starting DNS Service and Enabling Auto Start at Boot Time

DNS Server configuration is now complete. Start DNS Service with the following command.

[root@ns1 named]# systemctl start named

To enable auto start the DNS service at the boot time, issue the following command.

[root@ns1 named]# systemctl enable named

If you get any error in DNS configuration, issue the status command to view the error message.

[root@ns1 named]# systemctl status named

Step 13: Checking DNS

The nslookup tool shows name-to-IP-address and IP-address-to-name resolution. So, issue the nslookup command to check whether your configured DNS server can resolve queries.

[root@ns1 ~]# nslookup systemzone.net

Server:         192.168.40.100
Address:        192.168.40.100#53

Name:   systemzone.net
Address: 192.168.40.100

If your output looks like the above, the DNS server is able to resolve names to IP addresses. Issue the following command to check IP-address-to-name resolution.

[root@ns1 ~]# nslookup 192.168.40.100

Server:         192.168.40.100
Address:        192.168.40.100#53

100.40.168.192.in-addr.arpa     name = ns1.systemzone.net.

If you get the above output, the DNS server is also able to resolve IP addresses to names.

The dig tool can also be used to know the status of your forward and reverse zone service. Issue the following dig command to view the status of your forward zone service.

[root@ns1 ~]# dig systemzone.net

If you find status=NOERROR, your forward DNS service is completely ready to function. Now issue the following command to view the status of the reverse zone service.

[root@ns1 ~]# dig -x 192.168.40.100

If you find status=NOERROR, the reverse DNS service is also ready to function. Now issue the ping command from your server, or assign your DNS server IP to any other workstation and issue the ping command from there. If everything is OK, you will see the name resolved in the ping output.

[root@ns1 ~]# ping google.com

Step 14: Viewing and Flushing DNS Cache

The DNS name resolution cache is kept in RAM, and subsequent queries for the same names are answered from it. The stored DNS cache can be viewed by executing the following command.

[root@ns1 ~]# rndc dumpdb -cache

The above command writes the DNS cache into the file cache_dump.db in the /var/named/data directory (the dump-file path set in named.conf). So, to view cached DNS records, simply cat or grep the resulting dump file. For example:

[root@ns1 ~]# grep google.com /var/named/data/cache_dump.db

google.com.             86499   NS      ns2.google.com.
                        86499   NS      ns1.google.com.
                        86499   NS      ns3.google.com.
                        86499   NS      ns4.google.com.
ns1.google.com.         86499   A       216.239.32.10
ns2.google.com.         86499   A       216.239.34.10
ns3.google.com.         86499   A       216.239.36.10
ns4.google.com.         86499   A       216.239.38.10
googlevideo.com.        171031  NS      ns2.google.com.
                        171031  NS      ns1.google.com.
                        171031  NS      ns3.google.com.
                        171031  NS      ns4.google.com.
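Note that the dump uses zone-file syntax: when several records share an owner name, only the first line carries the name and the following lines start with the TTL, so a plain grep on the owner misses the continuation lines. The following shell script is an added example, not part of the original article, that normalises a dump so every line carries its owner and can then be counted or filtered. The dump embedded in the script is constructed from the records shown above (plus the comment and $DATE lines a real dump begins with); on a live server feed /var/named/data/cache_dump.db to expand_owners instead.

```shell
#!/bin/sh
# Added example (not from the original article): read an rndc cache dump and
# fill in the owner names that the dump leaves blank on continuation lines,
# so every record can be grepped or counted by owner.

# Constructed sample dump, built from the grep output shown in the article.
sample_dump() {
    cat <<'EOF'
;
; Cache dump of view '_default' (cache _default)
;
$DATE 20240321135900
google.com.             86499   NS      ns2.google.com.
                        86499   NS      ns1.google.com.
                        86499   NS      ns3.google.com.
                        86499   NS      ns4.google.com.
ns1.google.com.         86499   A       216.239.32.10
ns2.google.com.         86499   A       216.239.34.10
ns3.google.com.         86499   A       216.239.36.10
ns4.google.com.         86499   A       216.239.38.10
googlevideo.com.        171031  NS      ns2.google.com.
                        171031  NS      ns1.google.com.
                        171031  NS      ns3.google.com.
                        171031  NS      ns4.google.com.
EOF
}

# Normalise a dump read on stdin to "owner ttl type rdata" lines.
# A line whose first field is numeric carries only TTL/type/rdata and belongs
# to the most recent owner; comment (;) and $DATE lines are dropped.
expand_owners() {
    awk '
        /^;/ || /^\$/ || NF == 0 { next }
        $1 ~ /^[0-9]+$/ {
            sub(/^[ \t]+/, "")
            print owner "\t" $0
            next
        }
        { owner = $1; print }
    '
}

# Number of cached records of type $2 owned by $1 (an optional IN class is skipped).
count_records() {
    sample_dump | expand_owners | awk -v name="$1" -v rtype="$2" '
        { t = ($3 == "IN") ? $4 : $3 }
        $1 == name && t == rtype { n++ }
        END { print n + 0 }
    '
}

# Rdata of the first record of type $2 for owner $1, e.g. the cached A address.
rdata_of() {
    sample_dump | expand_owners | awk -v name="$1" -v rtype="$2" '
        { if ($3 == "IN") { t = $4; r = $5 } else { t = $3; r = $4 } }
        $1 == name && t == rtype { print r; exit }
    '
}

# Show everything the cache holds for one owner, continuation lines included.
sample_dump | expand_owners | awk '$1 == "google.com."'
```

With the owner filled in, `expand_owners < /var/named/data/cache_dump.db | awk '$1 == "google.com."'` lists all four NS records, where the article's grep only shows the first one with its name. The same normalised form makes it easy to spot what a client population has been resolving or to confirm that a flush really emptied the cache.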

Sometimes you may need to flush cached DNS records. To flush cached DNS records, issue the following command.

[root@ns1 ~]# rndc flush

Once done, reload DNS/BIND with the following command.

[root@ns1 ~]# rndc reload

server reload successful

If there were no DNS queries after you flushed bind’s cache and reloaded DNS, your new cache dump file (with rndc dumpdb -cache) will be empty.


How to configure a BIND DNS server on CentOS 7 has been discussed in this article. I hope you will now be able to configure your local DNS server with the BIND service. However, if you face any confusion installing and configuring the BIND DNS service on CentOS 7, feel free to discuss it in the comments or contact me from the Contact page. I will try my best to help you.


ABU SAYEED

I am a system administrator and like to share knowledge that I am learning from my daily experience. I usually work on MikroTik, Redhat/CentOS Linux, Windows Server, physical server and storage, virtual technology and other system related topics. Follow Me: Facebook, Twitter and Linkedin.
