Step by step tutorial to configure BIND-9.8 DNS server in Red Hat Linux

In my earlier post I had shown you the step by step configuration guide for BIND DNS server but since that time I had used older version of bind rpm so most of the parameters used in that tutorial would not work with bind 9.8 so I thought of posting another article for the same.

I have written an updated article to configure DNS Server without copying the files under chroot environment

Step by Step tutorial guide to configure BIND DNS server in chroot environment for Red Hat (RHEL/CentOS) 7
Step-by-Step Tutorial: Configure Master Slave DNS Server (RHEL/CentOS 7)

I will use chroot i.e.jail environment for configuring dns server as it is considered to be much more safer than normal bind.
You can also follow the below video which demonstrates the configuration of BIND DNS

NOTE: Please take a copy of the original configuration file before making any changes to it.

Make sure you have all the required packages

# rpm -q bind package bind is not installed
# rpm -q bind-chroot package bind-chroot is not installed

Install the required package using yum

# yum -y install bind bind-chroot

By default all the bind files would not be copied inside chroot so we will have to manually do that

Next copy the required files inside chroot directory.
NOTE: Use -p argument along with cp command to preserve the permission and ownership of all the files and directories

# cp -rvpf /etc/named.* /var/named/chroot/etc/
`/etc/named.conf' -> `/var/named/chroot/etc/named.conf'
`/etc/named.iscdlv.key' -> `/var/named/chroot/etc/named.iscdlv.key'
`/etc/named.rfc1912.zones' -> `/var/named/chroot/etc/named.rfc1912.zones'
`/etc/named.root.key' -> `/var/named/chroot/etc/named.root.key'

# cp -rvpf /var/named/named.* /var/named/chroot/var/named/
`/var/named/' -> `/var/named/chroot/var/named/'
`/var/named/named.empty' -> `/var/named/chroot/var/named/named.empty'
`/var/named/named.localhost' -> `/var/named/chroot/var/named/named.localhost'
`/var/named/named.loopback' -> `/var/named/chroot/var/named/named.loopback'

# cp -prvf /var/named/data/ /var/named/chroot/var/named/
`/var/named/data/' -> `/var/named/chroot/var/named/data'

# cp -prvf /var/named/dynamic/ /var/named/chroot/var/named/
`/var/named/dynamic/' -> `/var/named/chroot/var/named/dynamic'

# cp -prvf /var/named/slaves/ /var/named/chroot/var/named/
`/var/named/slaves/' -> `/var/named/chroot/var/named/slaves'

Now lets start editing our main configuration file

# cd /var/named/chroot/etc/

# vi named.conf
options {
         listen-on port 53 {;; };
         listen-on-v6 port 53 { ::1; };
         directory       "/var/named";
         dump-file       "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         memstatistics-file "/var/named/data/named_mem_stats.txt";
         allow-query     { localhost;; };
         recursion yes;

         dnssec-enable yes;
         dnssec-validation yes;
         dnssec-lookaside auto;

         /* Path to ISC DLV key */
         bindkeys-file "/etc/named.iscdlv.key";
         managed-keys-directory "/var/named/dynamic";

logging {
         channel default_debug {
file "data/";
severity dynamic;

zone "." IN {
         type hint;
         file "";

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Change the IP Address of your local machine in the resolv.conf file and ifcfg-eth file

# vi /etc/resolv.conf
search example

NOTE: DNS entry has to made in ifcfg-eth file only for Red Hat Linux 6 and above. For Red Hat Linux 5 DNS entry is made only in resolv.conf file

# vi /etc/sysconfig/network-scripts/ifcfg-eth0

Verify your hostname

# vi /ets/sysconfig/network

Run this command on the terminal

# hostname

Restart your network services

# service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:
Determining if ip address is already in use for device eth0...
                                                           [  OK  ]

# service named restart
Stopping named:                                            [  OK  ]
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]

NOTE: In case your system stucks at

Generating /etc/rndc.key:

Try this below command and again retry to restart your named services

# rndc-confgen -a -r /dev/urandom wrote key file "/etc/rndc.key"

Why the system gets stuck while generating rndc.key and solution?

Input from Thomas (in comment section)

If your system is getting stuck at generating the /etc/rndc.key file, it is because the random pool is starved for entropy. Which makes /dev/random block. You can check how much entropy you have in the pool using "cat /proc/sys/kernel/random/entropy_avail". Values under 300 indicate problems (but are unfortunately common on virtual machines).

One of the best solutions is to just wait for it to finish (it will take 5-15 minutes).

Other suggestions I have seen would be to ping the machine from multiple source machines (maybe even "ping -f address" to flood-ping). Or if there is a physical mouse/keyboard attached, the Linux kernel will grab entropy from typing / moving the mouse around.

Logging into the machine a second or third time and generating network traffic or running things like disk tests or CPU heavy workloads may also help generate more entropy at a faster rate.

Other options are things like hardware entropy keys or daemons like "haveged".

Generating rndc key

Verify your Internet Connection

# ping
PING ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=56 time=223 ms
64 bytes from ( icmp_seq=2 ttl=56 time=319 ms
^C --- ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1349ms rtt min/avg/max/mdev = 223.861/271.853/319.846/47.995 ms

So our DNS server is working fine now let us configure forward and reverse zone

# vi /var/named/chroot/etc/named.rfc1912.zones
(Make new entry as shown below)

# Forward Zone Entry #
zone "example" IN {
         type master;
         file "";
         allow-update { none; };

# Reverse Zone Entry #
zone "" IN {
         type master;
         file "";
         allow-update { none; };

Create the zone files as mentioned in named.rfc1912.zones file above

Now if you view named.localhost and named.loopback file inside /var/named/chroot/var/named, then you will notice that they resemble to forward and reverse lookup file respectively. So instead of creating new file we will just copy the content from their respective duplicates

# pwd
# cp -p named.loopback
# cp -p named.localhost

Forward Zone file

# vi
$TTL 1D @       IN SOA  example. hostmaster.example. (
                                         0       ; serial
                                         1D      ; refresh
                                         1H      ; retry
                                         1W      ; expire
                                         3H )    ; minimum

IN NS           example.
IN A  
test2           IN CNAME        example.
mail.example.   IN A  
example.        IN MX           10 mail.example.

Reverse Zone file

# vi $TTL 1D @       IN SOA  example.  hostmaster.example. (
                                         0       ; serial
                                         1D      ; refresh
                                         1H      ; retry
                                         1W      ; expire
                                         3H )    ; minimum       

IN NS   example. 11      IN PTR  example.

Verify the permissions

IMPORTANT NOTE: The permission on all the bind related files should be 640 and for all directories it should be 770 with root as user owner and named as group owner
# ls -al
total 36
-rw-r-----. 1 root  named  207 Mar 14 18:36
drwxrwx---. 2 named named 4096 Jan 20 23:10 data
drwxrwx---. 2 named named 4096 Jan 20 23:10 dynamic
-rw-r-----. 1 root  named  242 Mar 14 18:32
-rw-r-----. 1 root  named 1892 Feb 18  2008
-rw-r-----. 1 root  named  152 Dec 15  2009 named.empty
-rw-r-----. 1 root  named  152 Jun 21  2007 named.localhost
-rw-r-----. 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx---. 2 named named 4096 Jan 20 23:10 slaves

Before you restart the named services verify if the changes you have made are reflecting using named-checkzone

# named-checkzone example
zone example/IN: loaded serial 0 OK

# named-checkzone test2.example
zone test2.example/IN: loaded serial 0 OK

# named-checkzone
zone loaded serial 0 OK

So looks like all our zone field are reflecting correctly.

Restart named services

# service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]

Verify both the zones

# nslookup example

Name:   example

# dig -x
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> -x
;; global options: +cmd ;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60861
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;     IN      PTR

;; ANSWER SECTION: 86400 IN     PTR     example.

;; AUTHORITY SECTION: 86400   IN      NS      example.

example.            86400   IN      A
;; Query time: 2 msec
;; WHEN: Fri Mar 14 18:35:24 2014
;; MSG SIZE  rcvd: 98

So we are getting outputs for forward and reverse lookup entries. Everything is working as expected.

Let me know your success and failures.