
CentOS 7 – Implementing BIND as a DNS server


BIND is the most widely used open source name server application. It implements the Domain Name System (DNS) protocols for the Internet and provides a robust, stable platform on which to build distributed systems that are fully compliant with the published DNS standards. It resolves name queries by sending them to the appropriate servers and handling the replies.

As an example BIND deployment, we will set up an internal DNS server that resolves the names of machines in our private address space, which simplifies host addressing in a large environment.

We need the following prerequisites to implement BIND:

  • One server to have BIND installed and configured on it
  • Two machines, either servers or simple workstations, to test the DNS service
  • Root privilege to be able to set up BIND and configure the network to resolve from our internal DNS server

First, we will start by installing BIND on our DNS server:


$ sudo yum install bind bind-utils

After getting BIND installed, we start configuring our DNS server.

The BIND daemon is called named, and its main configuration file, named.conf, pulls in the other configuration files through include statements:


$ sudo nano /etc/named.conf

At the beginning of the file, just before the options block, we add an acl "trusted" block defining the list of clients allowed to query our server. Since the server serves two subnets, we list its own address in each subnet together with the hosts that will use it. Entries may also be whole networks in CIDR notation, such as 192.168.8.0/24, which is easier to maintain than listing hosts one by one:


acl "trusted" {
    192.168.8.12;  # Our DNS server inside the subnet 192.168.8.0/24
    10.0.1.1;  # Our DNS server inside the subnet 10.0.1.0/24
    192.168.8.5;    # Webserver
    10.0.1.2;    # client host
};

We need to make some modifications inside the options block. Since we are using IPv4 only, we comment out the IPv6 listener:


# listen-on-v6 port 53 { ::1; }; 

To make sure the DNS server listens on both subnets, we list the loopback address and the server's address in each subnet (192.168.8.12 on the first LAN, 10.0.1.1 on the second):


listen-on port 53 { 127.0.0.1; 192.168.8.12; 10.0.1.1; };

Then we change the allow-query line from localhost to the trusted ACL, so that only the listed clients get answers at all:


allow-query { trusted; };

The stock CentOS 7 named.conf also sets recursion yes; in this block. Because allow-query is now limited to the ACL, outsiders cannot use the server as an open resolver, but adding allow-recursion { trusted; }; next to it keeps recursion restricted to the same clients even if allow-query is later widened.

Note

allow-transfer controls which hosts may pull a complete copy of our zones (AXFR/IXFR zone transfers); it has nothing to do with answering ordinary queries. If we run a secondary DNS server, we list it here so it can replicate the zones. With the BIND 9.11 packages shipped on CentOS 7, leaving the option unset allows transfers from any host, which hands the full list of internal names and addresses to anyone who can reach port 53, so restrict it to the secondary (192.168.8.1 below) or set it to none when there is no secondary:


allow-transfer { localhost; 192.168.8.1; };

And finally, at the end of the file we need to add the line that includes the local file configuration:


include "/etc/named/named.conf.local";

Then we save the file and move to the local file configuration to set the DNS zones:


$ sudo nano /etc/named/named.conf.local

The file does not exist yet, so the editor creates it empty; we fill it with the zones we need.

First, we will add the forward zone. To do so we need to enter the following lines:


zone "packt.co.uk" {
    type master;
    file "/etc/named/zones/db.packt.co.uk";  # The location of the zone file
};

Now we add the reverse zone. Our first LAN is 192.168.8.0/24, so the reverse zone name is the network octets of 192.168.8 in reverse order, 8.168.192, under in-addr.arpa:


zone "8.168.192.in-addr.arpa" {
    type master;
    file "/etc/named/zones/db.8.168.192";  # The subnet 192.168.8.0/24
};

We do the same for our second LAN, 10.0.1.0/24, whose reverse zone name is 1.0.10.in-addr.arpa:


zone "1.0.10.in-addr.arpa" {
    type master;
    file "/etc/named/zones/db.1.0.10";  # The subnet 10.0.1.0/24
};

We need to do the same thing for all the subnets in the network, then we save the file.

After finishing with setting the zones and the Reverse zones, we move on to create and fill up their corresponding files.

We start by creating the forward zone file, where the records for forward (name to address) lookups live. First we create the directory that will hold all the zone files. On CentOS 7 the bind package ships /etc/named owned by root:named with mode 750, which the named process can read through its group, so no chmod is needed; files created there with sudo and the default umask are root-owned and readable by everyone (mode 644), so named can read but not write them, which is what we want for static zones:


$ sudo mkdir /etc/named/zones

Then we create the Forward zone file and fill it up:


$ sudo nano /etc/named/zones/db.packt.co.uk

We add the following lines, starting with the SOA record, which names the primary name server and the administrator contact (admin.packt.co.uk. stands for admin@packt.co.uk). The serial must be increased every time the zone file is edited: the primary loads whatever is in the file when named is reloaded, but secondary servers only transfer a zone whose serial is higher than the copy they hold, so an unchanged serial silently leaves them stale:


$TTL    604800
@  IN  SOA  server.packt.co.uk.  admin.packt.co.uk.  (
3    ; Serial
604800    ; Refresh
86400    ; Retry
2419200  ; Expire
604800 )  ; Negative Cache TTL

For the serial, we can make it more understandable by making it look like a date: yyyymmddss, where yyyy = year, mm = month, dd = day and ss = a two-digit sequence number for edits made on the same day.

Then we add the name server records:

; name servers - NS records
@  IN  NS  server.packt.co.uk.

Writing the owner explicitly as @ (the zone apex, packt.co.uk itself) avoids relying on the parser inheriting the owner from the previous line.

Then we add the A records for the hosts that belong to this zone, which includes every machine, server or workstation, that we want to address through our DNS server. The web server is named webserver so that the forward zone, the reverse zone below and the client tests later all agree; server has an address in each subnet, so it gets two A records:


; name servers - A records
server.packt.co.uk.  IN  A  192.168.8.12
server.packt.co.uk.  IN  A  10.0.1.1

; 192.168.8.0/24 - A records
webserver.packt.co.uk.  IN  A  192.168.8.5

; 10.0.1.0/24 - A records
client1.packt.co.uk.  IN  A  10.0.1.2

Now we create the reverse zone files, which hold the PTR records used for reverse (address to name) lookups.

We start with the first Reverse zone db.1.0.10:


$ sudo nano /etc/named/zones/db.1.0.10

As we have done for the first zone file, we need to define the SOA domain:


$TTL    604800
@  IN  SOA  server.packt.co.uk.  admin.packt.co.uk. (
                              3         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

Then the name-server records:


; name servers - NS records
@  IN  NS  server.packt.co.uk.

Finally, we add the PTR records that list all the machines with IP addresses that are on the subnet of the zone file:


; PTR Records
1  IN  PTR  server.packt.co.uk.  ; 10.0.1.1
2  IN  PTR  client1.packt.co.uk.  ; 10.0.1.2

Then we do the second Reverse zone file db.8.168.192:


$ sudo nano /etc/named/zones/db.8.168.192

We add the SOA domain:


$TTL    604800
@  IN  SOA  server.packt.co.uk.  admin.packt.co.uk. (
                              3         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

Then we add the name-server records:


; name servers - NS records
@  IN  NS  server.packt.co.uk.

And we finish with the PTR records:


; PTR Records
12  IN  PTR  server.packt.co.uk.  ; 192.168.8.12
5  IN  PTR  webserver.packt.co.uk.  ; 192.168.8.5

We save all the files and check the syntax of the BIND configuration (named.conf and everything it includes) with named-checkconf:


$ sudo named-checkconf

If no errors are shown, it means that all configuration files are well written with no syntax mistakes. Otherwise, try to track the errors and fix them using the error message.

Then we check each zone file with named-checkzone, passing the zone name and its file:


$ sudo named-checkzone packt.co.uk /etc/named/zones/db.packt.co.uk

If the zone is successfully set we should see this kind of message:


zone packt.co.uk/IN: loaded serial 3
OK

We should see the same thing for the Reverse zones:


$ sudo named-checkzone 1.0.10.in-addr.arpa /etc/named/zones/db.1.0.10
$ sudo named-checkzone 8.168.192.in-addr.arpa /etc/named/zones/db.8.168.192

If everything is well configured we get the same kind of output for each reverse zone; otherwise the tool prints the file and line that failed, which we fix before going on:


zone 8.168.192.in-addr.arpa/IN: loaded serial 3
OK
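Keeping the forward zone, the two reverse zones and their serials in step by hand is where mistakes creep in: an A record without its PTR, or an edit that forgets to bump the serial. The following script, added here as an example and not part of the original page or of BIND, generates all three files from one host table and runs named-checkzone on them when it is installed. The domain, host names and addresses are the ones used above; the host table itself, the output directory argument and the helper names are this example's own assumptions.

```python
"""Added example, not code from the original page or from BIND: generate the
forward zone and one reverse zone per /24 from a single host table, so each A
record has a matching PTR and the SOA serial is bumped on every run."""
import os
import shutil
import subprocess
from datetime import date
DOMAIN = "packt.co.uk"             # the tutorial's domain
NS_HOST = "server"                 # server.packt.co.uk is the only name server
SUBNETS = ["192.168.8", "10.0.1"]  # /24 networks that get a reverse zone
# Constructed host table (hostname, IPv4); a host may appear once per subnet.
HOSTS = [
    ("server", "192.168.8.12"),
    ("server", "10.0.1.1"),
    ("webserver", "192.168.8.5"),
    ("client1", "10.0.1.2"),
]

def serial_for(yyyymmdd, previous=0):
    """YYYYMMDDnn serial: first edit of a day is ..01, later edits bump nn.
    Always greater than `previous`, which is what secondaries compare."""
    first_today = yyyymmdd * 100 + 1
    return first_today if previous < first_today else previous + 1

def read_serial(path):
    """Recover the serial from a zone file written by this script (0 if none)."""
    try:
        with open(path) as f:
            for line in f:
                if "; Serial" in line:
                    return int(line.split()[0])
    except FileNotFoundError:
        pass
    return 0

def soa_block(serial):
    return "\n".join([
        "$TTL    604800",
        f"@   IN  SOA  {NS_HOST}.{DOMAIN}.  admin.{DOMAIN}.  (",
        f"        {serial}   ; Serial",
        "        604800       ; Refresh",
        "        86400        ; Retry",
        "        2419200      ; Expire",
        "        604800 )     ; Negative Cache TTL",
        "",
        "; name servers - NS records (@ is the zone apex)",
        f"@   IN  NS  {NS_HOST}.{DOMAIN}.",
        "",
    ])

def forward_zone(serial):
    lines = [soa_block(serial), "; A records"]
    for name, ip in HOSTS:
        lines.append(f"{name}.{DOMAIN}.  IN  A  {ip}")
    return "\n".join(lines) + "\n"

def reverse_zone_name(subnet):
    """192.168.8 -> 8.168.192.in-addr.arpa"""
    return ".".join(reversed(subnet.split("."))) + ".in-addr.arpa"

def reverse_zone(subnet, serial):
    """PTR records for the hosts whose address lies in subnet/24."""
    prefix = subnet + "."
    lines = [soa_block(serial), f"; PTR records for {subnet}.0/24"]
    for name, ip in HOSTS:
        if ip.startswith(prefix):
            lines.append(f"{ip[len(prefix):]}  IN  PTR  {name}.{DOMAIN}.  ; {ip}")
    return "\n".join(lines) + "\n"

def write_zones(zone_dir, serial):
    """Write db.<domain> and db.<reversed subnet>; return {zone name: path}."""
    os.makedirs(zone_dir, exist_ok=True)
    files = {DOMAIN: os.path.join(zone_dir, f"db.{DOMAIN}")}
    with open(files[DOMAIN], "w") as f:
        f.write(forward_zone(serial))
    for subnet in SUBNETS:
        zone = reverse_zone_name(subnet)
        path = os.path.join(zone_dir, "db." + zone[: -len(".in-addr.arpa")])
        with open(path, "w") as f:
            f.write(reverse_zone(subnet, serial))
        files[zone] = path
    return files

def check_zones(files):
    """Run named-checkzone on each file if bind is installed; None if it is not."""
    tool = shutil.which("named-checkzone")
    if tool is None:
        return None
    ok = True
    for zone, path in files.items():
        result = subprocess.run([tool, zone, path], capture_output=True, text=True)
        print(result.stdout.strip() or result.stderr.strip())
        ok = ok and result.returncode == 0
    return ok

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/named/zones"
    today = int(date.today().strftime("%Y%m%d"))
    serial = serial_for(today, read_serial(os.path.join(target, f"db.{DOMAIN}")))
    written = write_zones(target, serial)
    print("serial", serial, "named-checkzone:", check_zones(written))
```

Run it as root with the zone directory as its argument (sudo python3 genzones.py /etc/named/zones). It reads the serial back from the existing db.packt.co.uk, so a second run on the same day produces ...02 instead of reusing ...01, and it prints the same loaded serial / OK lines as the manual named-checkzone calls. After it passes, apply the new zones with sudo systemctl reload named.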

After checking all configurations, we are now ready to start the BIND service.

Just before that, we need to make sure the firewall lets DNS traffic in. We open port 53 for both UDP and TCP with firewalld (TCP is needed for zone transfers and for answers too large for UDP; firewall-cmd --permanent --add-service=dns does the same in one step). This opens the port to every host on those interfaces; it is the trusted ACL in named.conf that decides who actually gets answers:


$ sudo firewall-cmd --permanent --add-port=53/tcp
$ sudo firewall-cmd --permanent --add-port=53/udp
$ sudo firewall-cmd --reload

After reloading the Firewall, the change will take effect and now we can start the DNS service:


$ sudo systemctl start named

Then we enable it so it can start at the system boot:


$ sudo systemctl enable named

With this step the DNS server is now ready to receive and respond to DNS queries.

Let’s now configure a client to test the DNS server. On a Linux host, we only need to point resolv.conf at the name server and set the search domain. On CentOS 7, NetworkManager rewrites /etc/resolv.conf whenever an interface comes up, so a direct edit is temporary; to make it permanent, set the DNS server on the connection instead (DNS1= in the interface's ifcfg file, or nmcli con mod <connection> ipv4.dns 10.0.1.1):


$ sudo nano /etc/resolv.conf

By adding the following lines, then saving:


search packt.co.uk   # Our domain
nameserver 10.0.1.1   # The DNS server IP address

Now we can start the test. We will use a simple ping and the command nslookup. The ping will only test whether we can reach the machine giving its domain name:


$ ping webserver.packt.co.uk
PING webserver.packt.co.uk (192.168.8.5): 56 data bytes
64 bytes from 192.168.8.5: icmp_seq=0 ttl=64 time=0.046 ms
64 bytes from 192.168.8.5: icmp_seq=1 ttl=64 time=0.092 ms
64 bytes from 192.168.8.5: icmp_seq=2 ttl=64 time=0.117 ms
64 bytes from 192.168.8.5: icmp_seq=3 ttl=64 time=0.092 ms

--- webserver.packt.co.uk ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.046/0.087/0.117/0.026 ms

There are also tools that give more detailed results when testing the DNS service, such as dig and nslookup. Here is a simple forward lookup with nslookup:


$ nslookup webserver.packt.co.uk
Server:    10.0.1.1
Address:   10.0.1.1#53

Name:      webserver.packt.co.uk
Address:   192.168.8.5

After the forward lookup, we try a reverse lookup by passing the IP address instead of the name:


$ nslookup 192.168.8.5
Server:    10.0.1.1
Address:   10.0.1.1#53

5.8.168.192.in-addr.arpa  name = webserver.packt.co.uk.

After running these tests, we check that every answer matches the records we configured, which confirms that we have a fully-working DNS server.
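The lookups above prove that the server answers its trusted clients; the more important check for a server reachable on two LANs is what it does for a host that is not in the ACL. The following script, added here as an example and not part of the original page or of BIND, speaks the DNS wire format directly: it sends a recursive query for a name outside our zones and an AXFR request for packt.co.uk, and reads the flags and RCODE of each reply. From an untrusted address both should come back REFUSED; a NOERROR reply with answers to the first means we are running an open resolver, and to the second that anyone can download the zone. The server address and zone are the tutorial's; the function names and the constructed response headers used for offline checking are this example's own.

```python
"""Added example, not code from the original page or from BIND: a minimal DNS
wire-format client that checks whether a server recurses for strangers (open
resolver) or hands out its zones (AXFR). The server address and zone are the
tutorial's; function names and the constructed headers are this example's."""
import socket
import struct

QTYPE_A, QTYPE_AXFR = 1, 252
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype, rd=True, qid=0x1234):
    """Serialise a one-question DNS message (RFC 1035 section 4.1)."""
    flags = 0x0100 if rd else 0x0000          # RD asks the server to recurse
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg):
    """Decode the 12-byte header; the verdict lives in the flags word."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid,
            "qr": bool(flags & 0x8000),      # this is a response
            "aa": bool(flags & 0x0400),      # authoritative answer
            "ra": bool(flags & 0x0080),      # recursion available
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "answers": an}

def sample_response(flags, answers, qid=0x1234):
    """Constructed response header for offline checks (no server involved)."""
    return struct.pack("!HHHHHH", qid, flags, 1, answers, 0, 0)

def is_open_resolver(hdr):
    """It resolved a foreign name for us: RA set, NOERROR, answers present."""
    return hdr["ra"] and hdr["rcode"] == "NOERROR" and hdr["answers"] > 0

def transfer_allowed(hdr):
    """AXFR honoured: NOERROR and answer records (the first one is the SOA)."""
    return hdr["rcode"] == "NOERROR" and hdr["answers"] > 0

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def query_udp(server, name, qtype=QTYPE_A, timeout=3.0):
    """Ordinary recursive lookup over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != 0x1234:
        raise ValueError("response ID does not match the query")
    return hdr

def query_tcp(server, name, qtype=QTYPE_AXFR, timeout=5.0):
    """AXFR is TCP-only; each message is length-prefixed (RFC 1035 4.2.2).
    Only the first message matters here: REFUSED, or NOERROR with the SOA."""
    q = build_query(name, qtype, rd=False)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_header(data)

if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.8.12"
    # Run from a host outside the trusted ACL; both answers should be REFUSED.
    ext = query_udp(server, "example.com")           # a name outside our zones
    print("open resolver:", is_open_resolver(ext), ext)
    axfr = query_tcp(server, "packt.co.uk")
    print("zone transfer allowed:", transfer_allowed(axfr), axfr)
```

The same two checks can be done with dig (dig @192.168.8.12 example.com and dig @192.168.8.12 packt.co.uk AXFR); the point of the raw version is to see which header bits carry the verdict. Run it from a host outside the ACL, otherwise it only exercises the trusted path, and run it again from a trusted client to confirm the recursive query still succeeds there.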

