Step-by-Step Tutorial: Configure DNS Server using bind chroot (CentOS/RHEL 7)
In this article I will share the list of steps to configure DNS server on RHEL 7 or CentOS 7.
For the demonstration of the steps I have used Red Hat Enterprise Linux 7.4
Our aim to create one A record and one PTR record for forward and reverse lookup respectively.
Firstly install the required rpms to configure your DNS server
My setup details
golinuxhub-client.example
My IP address is 192.168.1.7
inet 192.168.1.7/24 brd 192.168.1.255 scope global dynamic enp0s3
Since we will be using chroot environment disable the below services
# systemctl disable named
Next copy the required files inside chroot directory.
NOTE: Use -p argument along with cp command to preserve the permission and ownership of all the files and directories
‘/usr/share/doc/bind-9.9.4/sample/etc/named.conf’ -> ‘/var/named/chroot/etc/named.conf’
‘/usr/share/doc/bind-9.9.4/sample/etc/named.rfc1912.zones’ -> ‘/var/named/chroot/etc/named.rfc1912.zones’
Next copy the zone related files inside the new location
‘/usr/share/doc/bind-9.9.4/sample/var/named/data’ -> ‘/var/named/chroot/var/named/data’
‘/usr/share/doc/bind-9.9.4/sample/var/named/my.external.zone.db’ -> ‘/var/named/chroot/var/named/my.external.zone.db’
‘/usr/share/doc/bind-9.9.4/sample/var/named/my.internal.zone.db’ -> ‘/var/named/chroot/var/named/my.internal.zone.db’
‘/usr/share/doc/bind-9.9.4/sample/var/named/named.ca’ -> ‘/var/named/chroot/var/named/named.ca’
‘/usr/share/doc/bind-9.9.4/sample/var/named/named.empty’ -> ‘/var/named/chroot/var/named/named.empty’
‘/usr/share/doc/bind-9.9.4/sample/var/named/named.localhost’ -> ‘/var/named/chroot/var/named/named.localhost’
‘/usr/share/doc/bind-9.9.4/sample/var/named/named.loopback’ -> ‘/var/named/chroot/var/named/named.loopback’
‘/usr/share/doc/bind-9.9.4/sample/var/named/slaves’ -> ‘/var/named/chroot/var/named/slaves’
‘/usr/share/doc/bind-9.9.4/sample/var/named/slaves/my.ddns.internal.zone.db’ -> ‘/var/named/chroot/var/named/slaves/my.ddns.internal.zone.db’
‘/usr/share/doc/bind-9.9.4/sample/var/named/slaves/my.slave.internal.zone.db’ -> ‘/var/named/chroot/var/named/slaves/my.slave.internal.zone.db’
Lets start configuring our primary configuration file
Clear the existing named.conf and paste the below content
options {
listen-on port 53 { 127.0.0.1; any; };
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; any; };
allow-query-cache { localhost; any; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view my_resolver {
match-clients { localhost; any; };
recursion yes;
include "/etc/named.rfc1912.zones";
};
The zone related content information must be added in /var/named/chroot/etc/named.rfc1912.zones, append the below entries.
Here example.zone is our forward zone file while example.rzone is our reverse zone file for reverse lookup entry
type master;
file "example.zone";
allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "example.rzone";
allow-update { none; };
};
The zone related files are available under below path
Next lets create our forward and reverse zone file, the filenames will be same as what we gave in our named.rfc1912.zones file above, we already have some default templates which we can use as below
# cp -p named.loopback example.rzone
As you see the existing permission of all the files and directories are owned by root
total 32
drwxr-xr-x. 2 root root 6 May 22 2017 data
-rw-r--r--. 1 root root 168 May 22 2017 example.rzone
-rw-r--r--. 1 root root 152 May 22 2017 example.zone
-rw-r--r--. 1 root root 56 May 22 2017 my.external.zone.db
-rw-r--r--. 1 root root 56 May 22 2017 my.internal.zone.db
-rw-r--r--. 1 root root 2281 May 22 2017 named.ca
-rw-r--r--. 1 root root 152 May 22 2017 named.empty
-rw-r--r--. 1 root root 152 May 22 2017 named.localhost
-rw-r--r--. 1 root root 168 May 22 2017 named.loopback
drwxr-xr-x. 2 root root 71 Feb 12 21:02 slaves
Change the permission of all the files under this location with root as user owner and named as the group owner
Although for the data partition the user and group owner must be 'named'
total 32
drwxr-xr-x. 2 named named 6 May 22 2017 data
-rw-r--r--. 1 root named 168 May 22 2017 example.rzone
-rw-r--r--. 1 root named 152 May 22 2017 example.zone
-rw-r--r--. 1 root named 56 May 22 2017 my.external.zone.db
-rw-r--r--. 1 root named 56 May 22 2017 my.internal.zone.db
-rw-r--r--. 1 root named 2281 May 22 2017 named.ca
-rw-r--r--. 1 root named 152 May 22 2017 named.empty
-rw-r--r--. 1 root named 152 May 22 2017 named.localhost
-rw-r--r--. 1 root named 168 May 22 2017 named.loopback
drwxr-xr-x. 2 root named 71 Feb 12 21:02 slaves
Append the below content for our forward zone file. Here we are creating A record for our localhost (golinuxhub-client) and one more for one of my server node (golinuxhub-server)
$TTL 1D
@ IN SOA example. root (
1 ; serial
3H ; refresh
15M ; retry
1W ; expire
1D ) ; minimum
IN NS example.
IN A 192.168.1.7
golinuxhub-server IN A 192.168.1.5
golinuxhub-client IN A 192.169.1.7
Append the below content for our reverse zone file. Here we are creating PTR record for our localhost and one more for one of my server node (golinuxhub-server)
$TTL 1D
@ IN SOA example. root.example. (
1997022700 ; serial
28800 ; refresh
14400 ; retry
3600000 ; expire
86400 ) ; minimum
IN NS example.
5 IN PTR golinuxhub-server.example.
7 IN PTR golinuxhub-client.example.
Before we start our named-chroot service, we will validate the zone file configuration
zone golinuxhub-client.example/IN: loaded serial 1
OK
[root@golinuxhub-client named]# named-checkzone golinuxhub-client.example example.rzone
zone golinuxhub-client.example/IN: loaded serial 1997022700
OK
All looks ok there, check the configuration file using below command
So our command executed successfully
0
Permissive
Everything looks fine so time to start our named-chroot service
● named-chroot.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2018-02-12 21:53:23 IST; 19s ago
Process: 5236 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 5327 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
Process: 5325 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 5330 (named)
CGroup: /system.slice/named-chroot.service
└─5330 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot
Feb 12 21:53:23 golinuxhub-client.example named[5330]: managed-keys-zone/my_resolver: loaded serial 0
Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone 0.in-addr.arpa/IN/my_resolver: loaded serial 0
Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone 1.0.0.127.in-addr.arpa/IN/my_resolver: loaded serial 0
Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone 1.168.192.in-addr.arpa/IN/my_resolver: loaded serial 1997022700
Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone example/IN/my_resolver: loaded serial 1
Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone localhost/IN/my_resolver: loaded serial 0
Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/my_resolver: loaded serial 0
Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone localhost.localdomain/IN/my_resolver: loaded serial 0
Feb 12 21:53:23 golinuxhub-client.example named[5330]: all zones loaded
Feb 12 21:53:23 golinuxhub-client.example named[5330]: running
Make sure your resolv.conf contains the IP of your setup so that it can act as a DNS server
search example
nameserver 192.168.1.7
Lets validate our DNS server for our reverse zone file using dig
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -x 192.168.1.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40331
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;5.1.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
5.1.168.192.in-addr.arpa. 86400 IN PTR golinuxhub-server.example.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400 IN NS example.
;; ADDITIONAL SECTION:
example. 86400 IN A 192.168.1.7
;; Query time: 1 msec
;; SERVER: 192.168.1.7#53(192.168.1.7)
;; WHEN: Mon Feb 12 22:13:17 IST 2018
;; MSG SIZE rcvd: 122
As you see we do get a positive response with a ANSWER for our QUERY
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -x 192.168.1.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55804
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;7.1.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
7.1.168.192.in-addr.arpa. 86400 IN PTR golinuxhub-client.example.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400 IN NS example.
;; ADDITIONAL SECTION:
example. 86400 IN A 192.168.1.7
;; Query time: 1 msec
;; SERVER: 192.168.1.7#53(192.168.1.7)
;; WHEN: Mon Feb 12 22:12:54 IST 2018
;; MSG SIZE rcvd: 122
Similarly we can validate our forward zone file
Server: 192.168.1.7
Address: 192.168.1.7#53
Name: golinuxhub-client.example
Address: 192.169.1.7
Server: 192.168.1.7
Address: 192.168.1.7#53
Name: golinuxhub-server.example
Address: 192.168.1.5
I hope the article was useful.