How to Deploy a CentOS 6 BIND DNS Server

Overview

Although there are many different naming services available, Bind is one of the most popular used. It’s so widely used that even Microsoft uses it as a base for their Windows DNS role found the server operating system. And chances are even your ISP is using it.

This tutorial will help you prepare your CentOS server to be a DNS server. The server will not host any domains, but in later tutorials I’ll guide you through setting them up using this base server.

Goal

  • Create a base DNS server that is can be used for recursive lookups and caching queries.
  • Prepare a master DNS server to be used for hosting domain zones.

System Configuration

The lab server used had the following configuration. Some of the information will be referenced in tutorial and is presented here to make following along easier.

Hostname Operating System IP Address Role Bind Version
ns01 CentOS 6.4 172.30.1.5 Bind Master 9.x

Bind Server Roles

Before you install Bind, you should have a good idea of how it’s going to be used in your environment. There are a few options to choose from, and depending on which you use the configuration will differ.

Cache-Only This role doesn’t contain and domains or zones. It exists purely as a caching system to improve name resolution performance. Every lookup is forwarded to another DNS server. The results returned from server are cached locally.
Master A master server is the owner of domains or zones hosted in your network. It is the only readwrite DNS server in the environment.
Slave The slave is a read-only naming server that hosts zones owned by a master. These are typically used for redundancy, allowing your name resolution service to continue if the master goes down for maintenance.

Installing Bind

We need to the prequisite packages installed before you we can continue.

  1. Install BIND using Yum and the CentOS repositories.
    yum install bind
  2. Start Bind
    service named start
  3. Configure Bind to start at boot.
    chkconfig named on

Configuring Bind

When open Bind’s configuration file, you are first presented with global options that affect the server and every zone you may add to host domains. I’ve detailed the default options you will encounter below.

Global Options and Settings

  1. Open Bind’s configuration file into a text editor.
    nano /etc/named.conf
  2. Look for the options directive. It’s located at the top of the configuration file and should look like the example below, on a CentOS server.
    options {
            listen-on port 53 { 127.0.0.1; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { localhost; };
            recursion yes;
    
            dnssec-enable yes;
            dnssec-validation yes;
            dnssec-lookaside auto;
    
            /* Path to ISC DLV key */
            bindkeys-file "/etc/named.iscdlv.key";
    
            managed-keys-directory "/var/named/dynamic";
    };
  3. As can be seen in the output above, there are quite a few default options. The four we need to understand for now are the following.
    listen-on port 53 Define the port Bind listens on for IPv4.
    listen-on-v6 port 53 Define the port Bind listens on for IPv6.
    directory Default directory root for DNS zone files and stats.
    allow-guery IP addresses or subnets allowed to query this server.
  4. Assign either a single IP address or multiple IP addresses which Bind will listen to requests on. We’re going to assign both eth0’s address and the local loopback.
    listen-on port 53 { 172.30.1.5; 127.0.0.1; }; Alternatively, to allow Bind to listen on all available IP addresses assigned to the server, enter any; instead of an IP address.
  5. To allow clients to query your DNS server, we need to modify the allow-query option. By default, it only allows queries from the localhost. We’re going modify it to also allow queries from the same network the Bind server is on.
    allow-query { 172.30.1.0/24; 127.0.0.1; }; You can assign as many values as you like, howerver, each must terminate with a semi-colon. As with the listen-on option, you can enter any; to allow anyone permissions to submit queries.
  6. Save your changes and exit the text editor.
  7. Load the new configuration in Bind.
    service named reload

Configure Firewall

Our clients will not be able to connect to our server until we open the appropriate ports. We use the values defined by the listen-on options in the named.conf file to determine which ports to open. By default, we use 53 for both IPv4 and IPv6.

  1. Launch the System-config-firewall-tui tool.
    system-config-firewal-tui
  2. Navigate to the Customize button by pressing Tab.
  3. Scroll down the list of trusted services and enable DNS.
  4. Navigate to the Close button by pressing Tab.
  5. Navigate to the OK button by pressing Tab.

Point DNS Server to Itself for Lookups

Unless you point the server to itself for DNS lookups in its network setting, it will not be able to respond to queries – both from clients and its own lookups. Before clients can use this server, we need to configure where it goes for DNS name resolution.

  1. Open the resolv.conf file into a text editor.
    nano /etc/resolv.conf
  2. Clear any existing options and then add the following. We do this because it is the only DNS server in the environment, for now, and this server isn’t yet a member of any domains.
    nameserver 127.0.0.1
  3. Save your changes and exit the text editor.
  4. The changes apply immediately. You do not need to restart any services.

Test the Server

To verify all is well, we should preform some DNS queries. There are a few tools we can use to do this, such as nslookup, ping, or dig. Since the server doesn’t currenlty host any domains, we will have to test against a public domain, like Google. In our example, we will use the dig tool to check name resolution.

dig google.com

If all is well, you should see a similar output, which display each record for the fully qualified domain name we just queried.

[root@slns01 named]# dig google.com

; >><< DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 >><< google.com
;; global options: +cmd
;; Got answer:
;; ->><<HEADER>><<- opcode: QUERY, status: NOERROR, id: 28565
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             300     IN      A       74.125.226.134
google.com.             300     IN      A       74.125.226.128
google.com.             300     IN      A       74.125.226.131
google.com.             300     IN      A       74.125.226.129
google.com.             300     IN      A       74.125.226.136
google.com.             300     IN      A       74.125.226.137
google.com.             300     IN      A       74.125.226.133
google.com.             300     IN      A       74.125.226.130
google.com.             300     IN      A       74.125.226.135
google.com.             300     IN      A       74.125.226.142
google.com.             300     IN      A       74.125.226.132

;; AUTHORITY SECTION:
google.com.             11184   IN      NS      ns1.google.com.
google.com.             11184   IN      NS      ns3.google.com.
google.com.             11184   IN      NS      ns4.google.com.
google.com.             11184   IN      NS      ns2.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.         183984  IN      A       216.239.34.10
ns1.google.com.         183984  IN      A       216.239.32.10
ns3.google.com.         183984  IN      A       216.239.36.10
ns4.google.com.         183984  IN      A       216.239.38.10

;; Query time: 44 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Mar  8 10:10:56 2014
;; MSG SIZE  rcvd: 340

Notice the highlighted SERVER value above. This verifies that our query was made from our DNS server and not some other server.

Conclusion

We now have a base DNS server that can continue to be used as a cache-only server or can be configured to host our own DNS domains. Follow the other tutorials in the BIND series as they are released to learn how to add domains and other BIND related activities.

Tutorials in this Series

  1. How to Deploy a CentOS 6 BIND DNS Server
  2. How to Add Forward Lookup Zones to Bind
  3. Register DNS Records into a Bind Domain
  4. How to Add Reverse Lookup Zones to Bind
  5. How to Configure Logging in Bind