This guide shows how to install and configure a DNS server on RHEL 8 / CentOS 8, either in caching-only mode or as a single (authoritative) DNS server; a primary/secondary (master/slave) setup is not covered. A forward and a reverse zone example are provided.
In this tutorial you will learn:
- How to install a DNS server in RHEL 8 / CentOS 8
- How to configure a server as caching only DNS Server
- How to configure a server as single DNS Server
Software Requirements and Conventions Used
Category | Networking |
---|---|
System | RHEL 8 / CentOS 8 |
Software | bind |
Other | Privileged access to your Linux system as root or via the sudo command. |
Conventions | # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command; $ – requires given linux commands to be executed as a regular non-privileged user |
Prerequisites
Before starting it is assumed that:
- You or your organization already has a Red Hat account
- RHEL 8 / CentOS 8 has already been downloaded and installed
- The system has already been registered through the Subscription Manager
- You have already set up a local or remote repository
DNS Server installation
- Bind installation
We are going to install BIND, the best-known open source DNS server, through dnf, the tool on which yum is now based. The command to run is:
```
# dnf -y install bind*
```
The glob installs bind together with all the related packages whose names start with bind.
Common DNS Server Configuration
- Configuring the Firewall
We need to enable the DNS service in firewalld (port 53, UDP and TCP):
```
# firewall-cmd --permanent --zone=public --add-service=dns
```
and reload the configuration:
```
# firewall-cmd --reload
```
- Backing up main configuration files
It is always a good habit to make an initial backup copy of the main bind config files, and again before any later change:
```
# cp /etc/named.conf /etc/named.conf.org
# cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.org
```
- Checking the network configuration
A DNS server must have a static IP address; let's verify this is the case:
```
$ cat /etc/sysconfig/network-scripts/ifcfg-enp0s3 | egrep -i "boot|ipaddr|mask|gateway"
```
Which, for instance, yields:
```
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.0.0.63
NETMASK=255.255.255.0
GATEWAY=10.0.0.1
```
Your interface name and network configuration may differ (BOOTPROTO=none together with an IPADDR is also a static configuration), but the address must not come from DHCP.
- Choosing the domain name
To set a Fully Qualified Domain Name (FQDN):
```
# hostnamectl set-hostname dns-srv.vulcansys-local.com
```
You can of course choose another name; here I have invented a domain name which doesn't appear to be registered to any organization. Do not pick a domain someone else owns: internal queries would collide with, or leak to, the real one.
- Resolver configuration
We are going to configure the /etc/resolv.conf file. Its first lines must be:
```
search vulcansys-local.com
nameserver 10.0.0.63
```
This applies both to the server and to any client querying our DNS. If the server runs without recursion (single server mode, below) it only answers for its own zone, so you need to add a second nameserver line pointing at a resolver that can look up internet sites or any other domain.
- Disabling the Network Manager DNS auto-configuration
We don't want NetworkManager to overwrite the resolv.conf file. To prevent that we add the line dns=none in the [main] section of /etc/NetworkManager/NetworkManager.conf (the key is only honoured in that section):
```
[main]
dns=none
```
and we reload the service:
```
# systemctl reload NetworkManager
```
- Enabling the bind service at startup
We need to make sure the DNS service starts with the system, and we start it right away, because the reload commands used later only work on a running service:
```
# systemctl enable --now named
```
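The dns=none step is the one most often done wrong, because NetworkManager reads that key only from the [main] section. The shell helpers below are an added example, not part of the original article: they insert or correct dns=none in the right section of a NetworkManager.conf-style file (creating [main] if it is missing, without duplicating the key on repeated runs) and read back the effective value. The file path is an argument; the sample contents shown in the comments are constructed, and on a real system you would point it at /etc/NetworkManager/NetworkManager.conf as root and then reload NetworkManager.

```shell
#!/bin/sh
# Added example, not part of the original article. NetworkManager honours the
# dns= key only inside [main], so blindly appending "dns=none" at the end of the
# file may land it in another section where it is ignored. These helpers place
# the key correctly and idempotently. Nothing here touches /etc unless you pass
# that path.

nm_disable_dns() {      # usage: nm_disable_dns <NetworkManager.conf>   (root needed for the real file)
    [ -f "$1" ] || : > "$1"
    awk '
        /^\[/ {                                               # a section header
            if (in_main && !done) { print "dns=none"; done = 1 }   # leaving [main] without having set it
            in_main = ($0 ~ /^\[main\][[:space:]]*$/)
        }
        in_main && /^[[:space:]]*dns[[:space:]]*=/ {          # an existing dns= inside [main]: replace it
            if (!done) { print "dns=none"; done = 1 }
            next                                              # also drops duplicates
        }
        { print }
        END {
            if (!done) {
                if (!in_main) print "[main]"                  # no [main] at all, or file ended elsewhere
                print "dns=none"
            }
        }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

nm_dns_setting() {      # usage: nm_dns_setting <NetworkManager.conf>  ->  value of dns= in [main], or nothing
    awk -F= '
        /^\[/ { in_main = ($0 ~ /^\[main\][[:space:]]*$/); next }
        in_main && $1 ~ /^[[:space:]]*dns[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2; exit }
    ' "$1"
}

# Example (constructed file, e.g. "[main]\nplugins=ifcfg-rh\n\n[logging]\nlevel=INFO\n"):
#   nm_disable_dns ./NetworkManager.conf && nm_dns_setting ./NetworkManager.conf   # prints: none
```

Run `nm_dns_setting /etc/NetworkManager/NetworkManager.conf` after `systemctl reload NetworkManager`; if it prints anything other than `none`, NetworkManager will keep rewriting resolv.conf.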
DNS Server types
It is possible to configure a DNS server to work in one of the modes below, only one at a time:
- Root Server
- Single Server
- Secondary Server
- Caching-only Server
- Forwarding Server
In this article we will only describe how to set up a Caching-only Server and a Single Server.
A caching-only DNS server does not host any zone and is not authoritative for any domain; when the server is first started it has no cached information, and the cache fills over time as client requests are satisfied.
A primary or single DNS server is authoritative for a domain, but with no secondary there is no high availability: if it is down or unreachable no DNS query for the domain will succeed, unless the answer is still cached by the client or duplicated in the static file /etc/hosts.
What we have configured so far is common to whichever "configuration mode" we choose.
- Caching only DNS Server
We make sure the following lines are changed/configured in the options block of the named.conf file:
```
listen-on port 53 { 127.0.0.1; 10.0.0.63; };
#listen-on-v6 port 53 { ::1; };
allow-query { 127.0.0.1; 10.0.0.0/24; };
recursion yes;
allow-recursion { 127.0.0.1; 10.0.0.0/24; };
```
For simplicity the server will not listen on an IPv6 address (the corresponding line is therefore commented out). The allow-query and allow-recursion lists are what keep this from being an open resolver: a recursive server that answers anyone is abused for DNS amplification attacks and exposes its cache to poisoning, so restrict both to the networks you actually serve. To check that the configuration is syntactically correct we run:
```
# named-checkconf
```
If everything is fine no output is returned. Finally we have the service reload its configuration:
```
# systemctl reload named
```
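The difference between the caching-only settings above and an open resolver is a few words in the options block, so it is worth checking mechanically before the server goes live. The following shell functions are an added example, not from the original article: they pull the top-level options block out of a named.conf and classify the server as open-resolver, recursive-restricted, recursive-default-acl or authoritative-only. The parsing is plain text heuristics rather than a BIND parser (named-checkconf remains the syntax check), the sample configs written by write_samples are constructed for the demonstration, and the defaults assumed are those of BIND 9.4 and later (recursion yes, allow-recursion { localnets; localhost; } when unset).

```shell
#!/bin/sh
# Added example, not part of the original article: classify a named.conf by the
# recursion settings in its options block. "open-resolver" is the posture you
# must never expose to untrusted networks (DDoS amplification, cache poisoning).
# Text heuristics, not a BIND parser; assumes BIND 9.4+ defaults.

named_options() {       # print the top-level options { ... } block, comments removed
    awk '
        { sub(/(#|\/\/).*/, "") }
        /^[[:space:]]*options[[:space:]]*\{/ { inopt = 1 }
        inopt { print; depth += gsub(/\{/, "{") - gsub(/\}/, "}"); if (depth == 0) inopt = 0 }
    ' "$1"
}

named_acl() {           # usage: named_acl <options-text> <statement>  ->  "statement { ... }" or nothing
    printf '%s\n' "$1" | tr -s '\n\t ' '   ' | grep -Eo "(^|[ ;])$2 *\{[^}]*\}" | head -n 1 | sed 's/^[ ;]*//'
}

resolver_posture() {    # usage: resolver_posture /etc/named.conf  ->  one word on stdout
    opts=$(named_options "$1")
    recursion=$(printf '%s\n' "$opts" | tr -s '\n\t ' '   ' | grep -Eo 'recursion +(yes|no)' | head -n 1 | awk '{ print $2 }')
    allow_rec=$(named_acl "$opts" allow-recursion)
    if [ "$recursion" = no ]; then
        echo authoritative-only                 # the article's single-server mode
    elif [ -z "$allow_rec" ]; then
        echo recursive-default-acl              # BIND default: localnets; localhost
    elif printf '%s\n' "$allow_rec" | grep -Eq '(\{|;) *any *;'; then
        echo open-resolver                      # anyone on the internet may recurse through it
    else
        echo recursive-restricted               # the article's caching-only mode
    fi
}

write_samples() {       # constructed configs for offline demonstration, written under directory $1
    cat > "$1/open.conf" <<'EOF'
options {
    listen-on port 53 { any; };
    directory "/var/named";
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };   // recursion for the whole internet: open resolver
};
EOF
    cat > "$1/caching.conf" <<'EOF'
options {
    listen-on port 53 { 127.0.0.1; 10.0.0.63; };
    directory "/var/named";
    recursion yes;
    allow-query     { 127.0.0.1; 10.0.0.0/24; };
    allow-recursion { 127.0.0.1; 10.0.0.0/24; };
};
zone "." IN { type hint; file "named.ca"; };
EOF
    cat > "$1/auth.conf" <<'EOF'
options {
    listen-on port 53 { localhost; 10.0.0.63; };
    directory "/var/named";
    allow-query { 127.0.0.1; 10.0.0.0/24; };
    recursion no;
};
EOF
}

# Example: write_samples /tmp/bind-demo && resolver_posture /tmp/bind-demo/open.conf   # prints: open-resolver
```

On the real server run `resolver_posture /etc/named.conf`; anything other than recursive-restricted (caching mode) or authoritative-only (single server mode) means the options block does not match what this guide intends.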
- Single DNS server
In this mode our server is the authoritative DNS server in charge of name resolution for the domain we have chosen. Here too we edit /etc/named.conf:
```
listen-on port 53 { localhost; 10.0.0.63; };
#listen-on-v6 port 53 { ::1; };
allow-query { 127.0.0.1; 10.0.0.0/24; };
recursion no;
```
In this guide, for simplicity, we are not setting the bind service to listen on an IPv6 address.
The option recursion no makes the server answer only from the zones it hosts: for any other name it refuses the query (or at most hands back a referral) instead of chasing the answer through the root servers and other authoritative servers on the client's behalf. In other words, an authoritative server should not be recursive; keeping the two roles on separate servers means abuse of a resolver (amplification, cache poisoning) cannot touch the authoritative data, and vice versa.
Afterwards we have to specify our zone files. Here we configure a forward zone (to resolve a name to an IP) and a reverse zone (to resolve an IP address to a name), each in its own file, by appending the following lines to the named.rfc1912.zones file:
```
zone "vulcansys-local.com" IN {
    type master;
    file "forward.zone";
    allow-update { none; };
};

zone "0.0.10.in-addr.arpa" IN {
    type master;
    file "reverse.zone";
    allow-update { none; };
};
```
The reverse zone is named after the network part of the address, octets reversed: for 10.0.0.63 on a /24 network that is 0.0.10.in-addr.arpa. The host octet (63) belongs in the PTR record inside the zone, not in the zone name.
The option allow-update refers to DNS dynamic updates, that is an application on a host adding a DNS record; for security reasons this is disabled by default (none), so only the system administrator can add records, and manually.
Now we need to create the files forward.zone and reverse.zone. Usually the zone files live in the directory /var/named, as we can infer from the directory option in the named.conf configuration file; the file names in the zone statements are relative to it.
Our forward.zone file will contain:
```
$TTL 1D
@       IN SOA  dns-srv.vulcansys-local.com. root.vulcansys-local.com. (
                2019022400 ; serial
                3h         ; refresh
                15         ; retry
                1w         ; expire
                3h         ; minimum
                )
        IN NS   dns-srv.vulcansys-local.com.
dns-srv IN A    10.0.0.63
```
And the reverse.zone file:
```
$TTL 1D
@       IN SOA  dns-srv.vulcansys-local.com. root.vulcansys-local.com. (
                2019022400 ; serial
                3h         ; refresh
                15         ; retry
                1w         ; expire
                3h         ; minimum
                )
        IN NS   dns-srv.vulcansys-local.com.
63      IN PTR  dns-srv.vulcansys-local.com.
```
In the config files above, SOA (Start Of Authority) defines the global parameters for the zone (domain); exactly one SOA resource record is allowed per zone (the line with the SOA keyword and our fully qualified domain name). The $TTL directive sets the default Time To Live, here 1 day (86400 seconds): it tells resolvers for how long they may cache any record retrieved from this zone, so lower it temporarily before changing an entry and raise it again afterwards. The last SOA value ("minimum") is nowadays the negative-caching TTL, i.e. how long a "no such name" answer may be cached. Most important is to remember to end every fully qualified domain name in these files with a dot; without it BIND appends the zone origin to the name.
Here root.vulcansys-local.com. is the e-mail address of the zone administrator (the first dot stands for the @, so it means root@vulcansys-local.com) and 2019022400 is the serial field, which in practice tracks changes to the zone file; conventionally it has the form YYYYmmddnn, where nn is a two-digit revision number. The serial must increase on every edit, otherwise secondary servers will not transfer the new version.
In the reverse file you may have noticed that everything looks the same except the last line. There we specify with PTR the reverse lookup that resolves 10.0.0.63 to dns-srv.vulcansys-local.com; only the last octet, 63, is needed as the record name, because the zone 0.0.10.in-addr.arpa already covers the 10.0.0.0/24 network (netmask 255.255.255.0) and record names are relative to it. Now we make sure the files have the correct ownership, so that the named user can read them:
```
# chgrp named /var/named/reverse.zone
# chgrp named /var/named/forward.zone
```
To check that the zone files are correctly configured you can issue the following commands (the first argument is the zone name, the second the file):
```
# named-checkzone vulcansys-local.com /var/named/forward.zone
# named-checkzone 0.0.10.in-addr.arpa /var/named/reverse.zone
```
And to verify the overall configuration, loading every zone as well (-z; note that -v would only print the version of named-checkconf):
```
# named-checkconf -z
```
If everything's fine we can reload the service:
```
# systemctl reload named
```
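The two zone files above are almost identical, and the mistakes that slip through are always the same: a reverse zone named after the host instead of the network, a PTR or NS target without its trailing dot (BIND silently appends the origin, so the record points at dns-srv.vulcansys-local.com.0.0.10.in-addr.arpa instead of the intended host), and a serial that was not bumped. The shell functions below are an added example, not code from the original article: they generate the forward and /24 reverse zone for the article's invented vulcansys-local.com / 10.0.0.63 values and lint a zone file for those mistakes. A /24 network is assumed; named-checkzone remains the authoritative check and this lint only catches what named-checkzone accepts but you did not mean.

```shell
#!/bin/sh
# Added example, not part of the original article: generate forward and /24
# reverse zone files and lint them for relative names that should be absolute
# (missing trailing dot) and for a malformed SOA serial. Assumes a /24 network;
# the host/domain/IP are arguments, the article's values are used in the example.

reverse_zone_name() {   # usage: reverse_zone_name <ipv4>  ->  in-addr.arpa zone of its /24
    printf '%s\n' "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

zone_serial() {         # usage: zone_serial [YYYYMMDD] [revision]  ->  YYYYMMDDnn
    printf '%s%02d\n' "${1:-$(date +%Y%m%d)}" "${2:-1}"
}

zone_header() {         # usage: zone_header <host> <domain> <serial>   ($TTL, SOA and NS records)
    cat <<EOF
\$TTL 1D
@       IN SOA  $1.$2. root.$2. (
                $3 ; serial
                3h ; refresh
                15 ; retry
                1w ; expire
                3h ; minimum (negative-caching TTL)
                )
        IN NS   $1.$2.
EOF
}

forward_zone() {        # usage: forward_zone <host> <domain> <ip> <serial>
    zone_header "$1" "$2" "$4"
    printf '%-7s IN A    %s\n' "$1" "$3"
}

reverse_zone() {        # usage: reverse_zone <host> <domain> <ip> <serial>   (/24 reverse zone)
    zone_header "$1" "$2" "$4"
    printf '%-7s IN PTR  %s.%s.\n' "${3##*.}" "$1" "$2"   # owner name is the last octet only
}

lint_zone() {           # usage: lint_zone <file>; exit 0 when clean, 1 with a report on stdout
    awk '
        { sub(/;.*/, "") }                                  # drop comments
        NF == 0 { next }
        {
            t = 0
            for (i = 1; i <= NF; i++) if ($i ~ /^(SOA|NS|PTR|CNAME|MX)$/) { t = i; break }
            if (t) {
                first = ($t == "MX") ? t + 2 : t + 1        # MX carries a preference before the name
                last  = ($t == "SOA") ? first + 1 : first   # SOA names two hosts: primary NS and mailbox
                for (i = first; i <= last; i++)
                    if ($i ~ /\./ && $i !~ /\.$/) {
                        printf "line %d: \"%s\" has dots but no trailing dot, BIND will append the origin\n", NR, $i
                        bad++
                    }
                if ($t == "SOA") { want = 1; next_field = last + 1 } else next_field = NF + 1
            } else next_field = 1
            if (want) for (i = next_field; i <= NF; i++)    # first bare number after the SOA names
                if ($i ~ /^[0-9]+$/) { serial = $i; want = 0; break }
        }
        END {
            if (serial == "")              { print "no SOA serial found"; bad++ }
            else if (length(serial) != 10) { printf "serial %s is not YYYYMMDDnn\n", serial; bad++ }
            if (bad) exit 1
        }' "$1"
}

# Example with the article's values:
#   forward_zone dns-srv vulcansys-local.com 10.0.0.63 "$(zone_serial)" > /var/named/forward.zone
#   reverse_zone dns-srv vulcansys-local.com 10.0.0.63 "$(zone_serial)" > /var/named/reverse.zone
#   lint_zone /var/named/reverse.zone && named-checkzone "$(reverse_zone_name 10.0.0.63)" /var/named/reverse.zone
```

Run the lint before named-checkzone: a PTR target written without the final dot is accepted by named-checkzone as a perfectly valid (but wrong) relative name, and only shows up later as a reverse lookup that returns a nonsense FQDN.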
Client configuration
- Configuring the Firewall
A client only sends queries, so no inbound firewall rule is needed on it; just make sure nothing between the client and the server blocks port 53 (UDP and TCP). For simplicity I'm assuming the client is also a RHEL 7 or 8 system.
- Resolver configuration
The first nameserver in resolv.conf must be our DNS server; here too make sure NetworkManager doesn't alter the resolv.conf file.
- Setting the Hostname
For consistency every client in the domain should have a FQDN hostname assigned.
Finally we verify from a client that our DNS configuration works, for example by pinging the DNS server by name. A more telling check queries the server directly with dig (from the bind-utils package) for the A and PTR records, and confirms that a single (authoritative-only) server refuses to recurse for names outside its zone.
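Pinging by name only proves that some resolver in the chain answered; it says nothing about which server did, or whether the reverse zone and the recursion policy are right. The script below is an added example, not part of the original article: it queries the server directly with dig, parses the status code and answer count out of dig's output, and checks the three things that matter for the single-server setup (forward record, reverse record, and REFUSED for a foreign name). The server address, names and IP are the article's values and are assumptions; the dig output embedded in SAMPLE_REFUSED is constructed, not captured from a real server, so the parsers can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original article: verify the DNS server with
# dig instead of ping. Every probe asks the server directly (@server) so the
# client's own resolver configuration cannot mask a problem. Needs bind-utils
# on the client for the live checks; the parsers themselves work on any dig output.

dns_status() {      # read dig output on stdin, print the RCODE from the header line
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

dns_answers() {     # read dig output on stdin, print the number of records in the ANSWER section
    awk '/^;; ANSWER SECTION:/ { inans = 1; next }
         /^;; / || /^$/        { inans = 0 }
         inans && !/^;/        { n++ }
         END { print n + 0 }'
}

probe() {           # usage: probe <server> <expected-rcode> <dig args...>; prints a verdict line
    srv=$1; want=$2; shift 2
    out=$(dig "@$srv" +time=2 +tries=1 "$@" 2>/dev/null) || out=""
    got=$(printf '%s\n' "$out" | dns_status); ans=$(printf '%s\n' "$out" | dns_answers)
    if [ "$got" = "$want" ]; then echo "ok   $* -> $got ($ans answers)"; return 0; fi
    echo "FAIL $* -> ${got:-no reply} (expected $want)"; return 1
}

verify_dns() {      # usage: verify_dns <server> <host.domain> <ip>   (single, authoritative-only server)
    rc=0
    probe "$1" NOERROR "$2" A         || rc=1   # forward record must resolve
    probe "$1" NOERROR -x "$3"        || rc=1   # reverse record must resolve (zone name and PTR right)
    probe "$1" REFUSED example.com. A || rc=1   # recursion no: foreign names must be refused
    return $rc
}

# Constructed dig output (not captured from a real server), used to demonstrate the parsers offline.
SAMPLE_REFUSED='; <<>> DiG 9.11.4 <<>> @10.0.0.63 example.com. A
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4711
;; QUESTION SECTION:
;example.com.                   IN      A
'

# Live usage from a client with bind-utils installed (article values, assumed):
#   verify_dns 10.0.0.63 dns-srv.vulcansys-local.com 10.0.0.63
# Offline: printf '%s\n' "$SAMPLE_REFUSED" | dns_status   # prints: REFUSED
```

For the caching-only mode, the third probe is expected to return NOERROR when run from inside 10.0.0.0/24 and REFUSED (or no reply at all) when run from any other network; the second outcome is the one that confirms the server is not an open resolver.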
Conclusion
Setting up a DNS Server is a task that any serious administrator should have done at least once and in RHEL 8 the way to do it is not difficult.