Step by Step tutorial guide to configure BIND DNS server in chroot environment for Red Hat (RHEL/CentOS) 7
I will use chroot, i.e. a jail environment, for configuring the DNS server, as it is considered much safer than running BIND normally: if named is ever compromised, the process can only reach the files under the chroot directory rather than the whole filesystem.
NOTE: Please take a copy of the original configuration file before making any changes to it.
Pre-requisites:
Make sure you have all the required packages:
# rpm -q bind-chroot
package bind-chroot is not installed
Install the required package (bind-chroot) using yum.
By default the bind files are not copied into the chroot, so we have to do that manually.
Next, copy the required files into the chroot directory.
NOTE: Use the -p argument with the cp command to preserve the permissions and ownership of all the files and directories.
`/etc/named.conf' -> `/var/named/chroot/etc/named.conf'
`/etc/named.iscdlv.key' -> `/var/named/chroot/etc/named.iscdlv.key'
`/etc/named.rfc1912.zones' -> `/var/named/chroot/etc/named.rfc1912.zones'
`/etc/named.root.key' -> `/var/named/chroot/etc/named.root.key'
`/var/named/named.ca' -> `/var/named/chroot/var/named/named.ca'
`/var/named/named.empty' -> `/var/named/chroot/var/named/named.empty'
`/var/named/named.localhost' -> `/var/named/chroot/var/named/named.localhost'
`/var/named/named.loopback' -> `/var/named/chroot/var/named/named.loopback'
`/var/named/data/' -> `/var/named/chroot/var/named/data'
`/var/named/dynamic/' -> `/var/named/chroot/var/named/dynamic'
`/var/named/slaves/' -> `/var/named/chroot/var/named/slaves'
Now let's start editing our main configuration file, /var/named/chroot/etc/named.conf:
options {
listen-on port 53 { 127.0.0.1; 192.168.1.11; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 192.168.1.0/24; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
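The options block above enables recursion for every client it answers, and only the allow-query ACL keeps that to localhost and 192.168.1.0/24. A later edit that widens allow-query to any (for example to let outside hosts query the zones) silently turns the server into an open resolver that can be abused for DNS amplification, unless an allow-recursion ACL is added at the same time. The script below is an added example, not code from the original article: it reads a named.conf written in the tutorial's style, works out which ACL actually governs recursion using BIND's documented fallback order (allow-recursion, then allow-query-cache, then allow-query, then the built-in localnets;localhost), and flags the open case. The three sample configs are constructed for the example, and the parsing assumes one directive per line with inline ACLs, which holds for the tutorial's file. Separately, the dnssec-lookaside line depends on the ISC DLV registry, which ISC shut down in 2017; current BIND releases no longer accept that option.

```shell
#!/bin/sh
# Added example (not code from the original article): decide whether a
# named.conf written in the tutorial's style would run BIND as an open
# recursive resolver.  Assumes one directive per line inside a single global
# options { ... } block and inline ACLs such as { localhost; 192.168.1.0/24; }
# (no named acl { } objects); both assumptions hold for the tutorial's file.

# Print the body of the options { ... } block.
options_body() {
    awk '/^[ \t]*options[ \t]*\{/ { inside = 1; next }
         inside && /^[ \t]*\};/   { inside = 0 }
         inside                   { print }' "$1"
}

# Print the inline ACL of one directive with whitespace removed,
# e.g. "localhost;192.168.1.0/24;" for allow-query, or nothing if unset.
acl_of() {  # $1 = config file, $2 = directive name
    options_body "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*{\([^}]*\)}.*/\1/p" | tr -d ' \t'
}

# BIND picks the ACL that governs recursion along this fallback chain:
# allow-recursion -> allow-query-cache -> allow-query -> built-in localnets;localhost.
# Prints "<directive>:<acl>" so the reader can see which one took effect.
recursion_acl() {
    for d in allow-recursion allow-query-cache allow-query; do
        v=$(acl_of "$1" "$d")
        if [ -n "$v" ]; then
            printf '%s:%s\n' "$d" "$v"
            return 0
        fi
    done
    printf 'default:localnets;localhost;\n'
}

# Recursion is on unless "recursion no;" is present (BIND defaults to yes).
recursion_enabled() {
    ! options_body "$1" | grep -q '^[[:space:]]*recursion[[:space:]]*no[[:space:]]*;'
}

# Exit 0 (true) when recursion is enabled and the effective ACL contains "any".
is_open_resolver() {
    recursion_enabled "$1" || return 1
    recursion_acl "$1" | cut -d: -f2 | tr ';' '\n' | grep -qx any
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample 1: the tutorial's options block, trimmed to the relevant
# lines. Recursive, but only for localhost and the 192.168.1.0/24 LAN.
TUTORIAL_CONF="$WORK/named-tutorial.conf"
cat > "$TUTORIAL_CONF" <<'EOF'
options {
listen-on port 53 { 127.0.0.1; 192.168.1.11; };
directory "/var/named";
allow-query { localhost; 192.168.1.0/24; };
recursion yes;
};
EOF

# Constructed sample 2: the same server after allow-query was widened to "any"
# so that outside hosts can query the zones, with recursion left unrestricted.
OPEN_CONF="$WORK/named-open.conf"
cat > "$OPEN_CONF" <<'EOF'
options {
listen-on port 53 { any; };
directory "/var/named";
allow-query { any; };
recursion yes;
};
EOF

# Constructed sample 3: the safe way to serve the zones to everyone:
# allow-query any, but recursion limited to the LAN by allow-recursion.
SAFE_CONF="$WORK/named-safe.conf"
cat > "$SAFE_CONF" <<'EOF'
options {
listen-on port 53 { any; };
directory "/var/named";
allow-query { any; };
allow-recursion { localhost; 192.168.1.0/24; };
recursion yes;
};
EOF

for f in "$TUTORIAL_CONF" "$OPEN_CONF" "$SAFE_CONF"; do
    if is_open_resolver "$f"; then verdict="OPEN RESOLVER"; else verdict="ok"; fi
    printf '%-20s %-14s effective ACL %s\n' "$(basename "$f")" "$verdict" "$(recursion_acl "$f")"
done
```

Run it as-is to see the three verdicts, or point is_open_resolver at your own chroot copy of named.conf. The check deliberately reports the directive that took effect, because the usual mistake is to set allow-query { any; } and assume recursion is still limited when nothing else restricts it.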
Point your machine at the new server by setting its IP address in /etc/resolv.conf and in the ifcfg-eth file.
search example
nameserver 192.168.1.11
NOTE: The DNS entry has to be made in the ifcfg-eth file only on Red Hat Linux 6 and above. On Red Hat Linux 5 the DNS entry is made only in resolv.conf.
DNS1=192.168.1.11
Verify your hostname
HOSTNAME=test2.example
Run the hostname command on the terminal; it should print the same name:
test2.example
Restart the network service, then restart the named service
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0:
Determining if ip address 192.168.1.11 is already in use for device eth0...
[ OK ]
Stopping named: [ OK ]
Generating /etc/rndc.key: [ OK ]
Starting named: [ OK ]
NOTE: In case your system gets stuck at "Generating /etc/rndc.key", try the command below and then retry restarting the named service.
Why does the system get stuck while generating rndc.key, and what is the solution?
Input from Thomas (in comment section)
If your system is getting stuck at generating the /etc/rndc.key file, it is because the random pool is starved for entropy, which makes /dev/random block. You can check how much entropy you have in the pool using "cat /proc/sys/kernel/random/entropy_avail". Values under 300 indicate problems (but are unfortunately common on virtual machines).
One of the best solutions is to just wait for it to finish (it will take 5-15 minutes).
Other suggestions I have seen would be to ping the machine from multiple source machines (maybe even "ping -f address" to flood-ping). Or if there is a physical mouse/keyboard attached, the Linux kernel will grab entropy from typing / moving the mouse around.
Logging into the machine a second or third time and generating network traffic or running things like disk tests or CPU heavy workloads may also help generate more entropy at a faster rate.
Other options are things like hardware entropy keys or daemons like "haveged".
References
Generating rndc key
Verify your Internet Connection
PING google.com (74.125.236.71) 56(84) bytes of data.
64 bytes from maa03s05-in-f7.1e100.net (74.125.236.71): icmp_seq=1 ttl=56 time=223 ms
64 bytes from maa03s05-in-f7.1e100.net (74.125.236.71): icmp_seq=2 ttl=56 time=319 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1349ms
rtt min/avg/max/mdev = 223.861/271.853/319.846/47.995 ms
So our DNS server is resolving names correctly. Now let us configure the forward and reverse zones.
(Add the new entries shown below to /var/named/chroot/etc/named.rfc1912.zones)
# Forward Zone Entry #
zone "example" IN {
type master;
file "example.zone";
allow-update { none; };
};
# Reverse Zone Entry #
zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.zone";
allow-update { none; };
};
Create the zone files named in the named.rfc1912.zones entries above.
If you view the named.localhost and named.loopback files inside /var/named/chroot/var/named, you will notice that they resemble a forward and a reverse lookup file respectively. So instead of creating new files from scratch, we will copy these templates. Change into /var/named/chroot/var/named and run:
# cp -p named.loopback 192.168.1.zone
# cp -p named.localhost example.zone
Forward Zone file
$TTL 1D
@ IN SOA example. hostmaster.example. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS example.
@ IN A 192.168.1.11
test2 IN CNAME example.
mail.example. IN A 192.168.1.11
example. IN MX 10 mail.example.
Reverse Zone file (it starts with the same $TTL line and SOA header as the forward zone file; only the records differ)
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS example.
11 IN PTR example.
Verify the permissions
total 36
-rw-r-----. 1 root named 207 Mar 14 18:36 192.168.1.zone
drwxrwx---. 2 named named 4096 Jan 20 23:10 data
drwxrwx---. 2 named named 4096 Jan 20 23:10 dynamic
-rw-r-----. 1 root named 242 Mar 14 18:32 example.zone
-rw-r-----. 1 root named 1892 Feb 18 2008 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 4096 Jan 20 23:10 slaves
Before you restart the named service, verify that the changes you have made load correctly using named-checkzone
zone example/IN: loaded serial 0 OK
zone test2.example/IN: loaded serial 0 OK
zone 192.168.1.11/IN: loaded serial 0 OK
So it looks like all our zone files are loading correctly.
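named-checkzone validates the file against whatever zone name is passed on the command line and echoes that name back, so the outputs above for test2.example and 192.168.1.11 only prove that the files parse; run it with the names actually declared in named.rfc1912.zones (example and 1.168.192.in-addr.arpa) so that out-of-zone records are caught. Something named-checkzone does not do at all is compare the forward and reverse files with each other. The script below is an added example, not code from the original article: it parses both zone files in the dialect used on this page and reports every A record whose address has no PTR, or whose PTR names a different host. On the tutorial's own data it reports mail.example: its address 192.168.1.11 reverse-resolves to example., an inconsistency that gets outbound mail rejected by receivers that check forward-confirmed reverse DNS. The two zone files are embedded as constructed copies of the ones above; the awk parser assumes one record per line, '@' or relative owner names, a blank owner that repeats the previous one, and a parenthesised SOA, which is all the tutorial's files use.

```shell
#!/bin/sh
# Added example (not code from the original article): cross-check the forward
# and reverse zone files so that every A record has a PTR naming the same host.
# Assumes the zone-file dialect used in the tutorial: one record per line,
# '@' or a relative name as owner, a leading blank owner that repeats the
# previous owner, names without a trailing dot qualified against the origin,
# and an SOA whose parenthesised timers may span several lines.

# Print "owner target" for every record of type $3 in zone file $1 whose
# origin (zone name with trailing dot) is $2.  Owners are printed fully qualified.
records_of_type() {
    awk -v origin="$2" -v want="$3" '
        { sub(/;.*/, "") }                       # strip comments
        /^[ \t]*$/ { next }                      # skip blank lines
        /^[$]ORIGIN/ { origin = $2; next }       # honour an explicit $ORIGIN
        /^[$]/ { next }                          # skip $TTL and other directives
        paren { if (index($0, ")")) paren = 0; next }   # inside a multi-line SOA
        {
            if ($0 ~ /^[ \t]/) { owner = last; start = 1 } else { owner = $1; start = 2 }
            last = owner
            if (index($0, "(") && !index($0, ")")) paren = 1
            for (i = start; i <= NF; i++)
                if ($i == want) {
                    if (owner == "@") owner = origin
                    else if (owner !~ /\.$/) owner = owner "." origin
                    print owner, $(i + 1)
                }
        }' "$1"
}

# Turn a PTR owner such as "11.1.168.192.in-addr.arpa." back into "192.168.1.11".
ptr_to_ip() {
    printf '%s\n' "$1" | sed 's/\.in-addr\.arpa\.$//' |
        awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# For each A record print one line: OK / MISSING (no PTR for the address) /
# MISMATCH (the PTR names a different host).
ptr_report() {  # $1 fwd file, $2 fwd origin, $3 rev file, $4 rev origin
    rev_map=$(records_of_type "$3" "$4" PTR | while read -r owner target; do
                  printf '%s %s\n' "$(ptr_to_ip "$owner")" "$target"
              done)
    records_of_type "$1" "$2" A | while read -r name ip; do
        target=$(printf '%s\n' "$rev_map" | awk -v ip="$ip" '$1 == ip { print $2; exit }')
        if [ -z "$target" ]; then
            printf 'MISSING  %s %s (no PTR for this address)\n' "$name" "$ip"
        elif [ "$target" = "$name" ]; then
            printf 'OK       %s %s\n' "$name" "$ip"
        else
            printf 'MISMATCH %s %s (PTR names %s)\n' "$name" "$ip" "$target"
        fi
    done
}

# Number of A records whose PTR is missing or names another host (0 = consistent).
ptr_problems() {
    ptr_report "$@" | awk '!/^OK/ { n++ } END { print n + 0 }'
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed copies of the tutorial's two zone files.
FWD="$WORK/example.zone"
cat > "$FWD" <<'EOF'
$TTL 1D
@ IN SOA example. hostmaster.example. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
 IN NS example.
 IN A 192.168.1.11
test2 IN CNAME example.
mail.example. IN A 192.168.1.11
example. IN MX 10 mail.example.
EOF

REV="$WORK/192.168.1.zone"
cat > "$REV" <<'EOF'
$TTL 1D
@ IN SOA example. hostmaster.example. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
 IN NS example.
11 IN PTR example.
EOF

# On the tutorial's data: example. is OK, mail.example. is a MISMATCH.
ptr_report "$FWD" example. "$REV" 1.168.192.in-addr.arpa.
```

To use it on the real files, pass the paths under /var/named/chroot/var/named together with the zone names from named.rfc1912.zones. When two hosts genuinely share one address, as here, either give the mail host its own address or make the single PTR name the host that sends mail.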
Restart named services
Stopping named: . [ OK ]
Starting named: [ OK ]
Verify both zones: a forward lookup of example with nslookup, and a reverse lookup of 192.168.1.11 with dig -x
Server: 192.168.1.11
Address: 192.168.1.11#53
Name: example
Address: 192.168.1.11
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> -x 192.168.1.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60861
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;11.1.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
11.1.168.192.in-addr.arpa. 86400 IN PTR example.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400 IN NS example.
;; ADDITIONAL SECTION:
example. 86400 IN A 192.168.1.11
;; Query time: 2 msec
;; SERVER: 192.168.1.11#53(192.168.1.11)
;; WHEN: Fri Mar 14 18:35:24 2014
;; MSG SIZE rcvd: 98
So we are getting outputs for forward and reverse lookup entries. Everything is working as expected.
Let me know your success and failures.
This is an excellent blog for step-by-step DNS setup. One more thing for this great blog: please add cd /var/named/ before the "cp -rvpf named.* chroot/var/named/" section. Otherwise it will create a little confusion for newbies.
Nice catch. Appreciate your feedback. Article has been updated.
Worked Successfully.
If your system is getting stuck at generating the /etc/rndc.key file, it is because the random pool is starved for entropy, which makes /dev/random block. You can check how much entropy you have in the pool using "cat /proc/sys/kernel/random/entropy_avail". Values under 300 indicate problems (but are unfortunately common on virtual machines).
One of the best solutions is to just wait for it to finish (it will take 5-15 minutes).
Other suggestions I have seen would be to ping the machine from multiple source machines (maybe even "ping -f address" to flood-ping). Or if there is a physical mouse/keyboard attached, the Linux kernel will grab entropy from typing / moving the mouse around.
Logging into the machine a second or third time and generating network traffic or running things like disk tests or CPU heavy workloads may also help generate more entropy at a faster rate.
Other options are things like hardware entropy keys or daemons like "haveged".
Thanks Thomas for your valuable info. I have updated the article with your input.
It is working, thanks. But if I type the dnsdomainname command I get the reply "(none)".
My question is: with these settings can I add a client to this server? If so, what are the services I should configure?
Please help me, I'm a Linux beginner.
I am not sure if I got your question correctly.
What command are you trying to use exactly?
If by adding a client to your server you mean adding records for multiple clients under the same domain name, then yes, you can use the zone files to add multiple clients, but all those clients should use the same DNS address as the server, which in my case above is 192.168.1.11.
Once the client has this dns address all the hostnames under your zone files would work as expected.
Regards
Deepak
It didn't work at all for me. Seems a lot of details are missing.
Which problem are you facing?
What is your distro?
bind version?