How to install DNS server on RHEL 8 / CentOS 8 Linux

This guide shows how to install and configure a DNS server on RHEL 8 / CentOS 8, either as a caching-only server or as a single authoritative server (no master/slave pair). A forward and a reverse zone example are provided.

In this tutorial you will learn:

  • How to install a DNS server in RHEL 8 / CentOS 8
  • How to configure a server as caching only DNS Server
  • How to configure a server as single DNS Server

Client resolving a query through the DNS server.

Software Requirements and Conventions Used

Category: Networking
System: RHEL 8 / CentOS 8
Software: bind
Other: Privileged access to your Linux system as root or via the sudo command.
Conventions:
  # – requires given linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command
  $ – requires given linux commands to be executed as a regular non-privileged user

Prerequisites

Before starting it is assumed that:

  • You or your organization has already created an account in Red Hat
  • RHEL 8 / CentOS 8 has been already downloaded and installed
  • The system has been already registered through the Subscription
    Manager
  • You have already setup a local or remote repository

DNS Server installation

  1. Bind installation
    We are going to install BIND, the best-known open source DNS server, through dnf, the package manager on which yum is now based in RHEL 8.
    The command to run is:

    #  dnf -y install bind*

    dnf expands the glob as a package pattern, so this installs every package whose name starts with bind, among them bind-utils, which provides dig and nslookup for testing. A minimal install with dnf -y install bind bind-utils is enough for this guide. The wildcard form should install all these packages:

    List of bind packages


Common DNS Server Configuration

  1. Configuring the Firewall
    We need to enable the DNS service in firewalld, which opens port 53 for both UDP and TCP (TCP is used for zone transfers and for answers too large for UDP):

    # firewall-cmd --permanent --zone=public --add-service=dns

    and reload the configuration:

    # firewall-cmd --reload
  2. Backing up main configuration files
    It is always a good habit to make an initial backup copy of the main bind configuration files, and to do so again before any later change:

    #  cp /etc/named.conf /etc/named.conf.org
    #  cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.org
    
    
  3. Checking the network configuration
    A DNS server must have a static IP address; let's verify that this is the case:

    $  cat /etc/sysconfig/network-scripts/ifcfg-enp0s3|egrep -i "boot|ipaddr|mask|gateway"

    Which, for instance, yields the below results:

    BOOTPROTO=static
    ONBOOT=yes
    IPADDR=10.0.0.63
    NETMASK=255.255.255.0
    GATEWAY=10.0.0.1
    

    Of course your network configuration might be different, yet again the IP address must be static.

  4. Choosing the domain name
    To set a Fully Qualified Domain Name or FQDN

    #  hostnamectl set-hostname dns-srv.vulcansys-local.com

    You can of course choose another name; here I have invented a domain name which doesn't appear to have been registered to any organization. Keep in mind that a name which is unregistered today can be registered by someone else tomorrow; for purely internal use a subdomain of a domain you own, or the reserved name home.arpa (RFC 8375), avoids that.

  5. Resolver configuration
    We are going to configure the resolv.conf file. The first lines must be:

    search vulcansys-local.com
    nameserver 10.0.0.63
    

    This applies both to the server and to any client querying our DNS. Whether a second nameserver is needed depends on the mode chosen below: a caching-only server resolves Internet names itself, whereas a single (authoritative-only) server answers only for its own zones, so clients of such a server also need a recursive resolver listed for every other domain.

  6. Disabling the Network Manager DNS auto-configuration
    We don't want NetworkManager to overwrite the resolv.conf file. To do that we add the line dns=none under the [main] section of /etc/NetworkManager/NetworkManager.conf (it has no effect in any other section), and we reload the service:

    #  systemctl reload NetworkManager
  7. Enabling the bind service at startup
    We need to make sure the DNS service is started with the system, and start it now so that the reloads in the following sections act on a running service:

    #  systemctl enable --now named
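The script below is an added example, not part of the original guide: a few bash checks for the common configuration steps above, the kind of thing to run before going on to the named.conf changes. ifcfg_is_static confirms the interface file has no DHCP and carries an address, nm_dns_disabled verifies that dns=none really sits inside the [main] section of NetworkManager.conf (a dns=none placed under another section is ignored, and NetworkManager keeps rewriting resolv.conf), and resolv_first_ns prints the resolver the stub resolver will try first. The three files are constructed inline so the script runs anywhere; the function names are my own, and the addresses and domain are the guide's.

```bash
#!/usr/bin/env bash
# Checks for the common configuration steps (added example, not from the
# original guide). File contents are constructed inline; on a real host point
# the functions at /etc/sysconfig/network-scripts/ifcfg-<iface>,
# /etc/NetworkManager/NetworkManager.conf and /etc/resolv.conf instead.
set -u

# ifcfg_is_static FILE: true if BOOTPROTO is static or none (both mean "no DHCP"
# in RHEL ifcfg files) and an IPADDR is set.
ifcfg_is_static() {
    local proto addr
    proto=$(sed -n 's/^BOOTPROTO=//p' "$1" | tr -d '"')
    addr=$(sed -n 's/^IPADDR=//p' "$1" | tr -d '"')
    case "$proto" in
        static|none) [ -n "$addr" ] ;;
        *)           return 1 ;;
    esac
}

# nm_dns_disabled FILE: true only if dns=none appears inside the [main] section.
nm_dns_disabled() {
    awk '
        /^[ \t]*\[/ { section = $0; sub(/^[ \t]*\[/, "", section); sub(/].*$/, "", section) }
        section == "main" && $0 ~ /^[ \t]*dns[ \t]*=[ \t]*none[ \t]*$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# resolv_first_ns FILE: print the first nameserver line, i.e. the resolver
# the glibc stub resolver contacts first.
resolv_first_ns() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# --- constructed sample files (the guide's 10.0.0.63 / vulcansys-local.com) ---
IFCFG=$(mktemp) NMCONF=$(mktemp) RESOLV=$(mktemp)
trap 'rm -f "$IFCFG" "$NMCONF" "$RESOLV"' EXIT
cat >"$IFCFG" <<'EOF'
TYPE=Ethernet
BOOTPROTO=static
NAME=enp0s3
DEVICE=enp0s3
ONBOOT=yes
IPADDR=10.0.0.63
NETMASK=255.255.255.0
GATEWAY=10.0.0.1
EOF
cat >"$NMCONF" <<'EOF'
[main]
plugins=ifcfg-rh
dns=none

[logging]
EOF
cat >"$RESOLV" <<'EOF'
search vulcansys-local.com
nameserver 10.0.0.63
EOF

ifcfg_is_static "$IFCFG"  && echo "interface: static address $(sed -n 's/^IPADDR=//p' "$IFCFG")" || echo "interface: NOT static"
nm_dns_disabled "$NMCONF" && echo "NetworkManager: dns=none in [main], resolv.conf is left alone" || echo "NetworkManager: will overwrite resolv.conf"
echo "first resolver: $(resolv_first_ns "$RESOLV")"
```

On a real server the first resolver printed should be the server's own static address, as in the guide's resolv.conf.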


DNS Server types

It is possible to configure a DNS server to work in one of the modes below, only one at a time:

  • Root Server
  • Single Server
  • Secondary Server
  • Caching-only Server
  • Forwarding Server

In this article we will only describe how to setup a Caching-only Server and a Single Server.

A caching-only DNS server does not host any zone and is not authoritative for a particular domain; when the server is initially started, it has no cached information and the information is obtained over time as client requests are
satisfied.

A primary or single DNS server is authoritative for a domain, but there is no high availability: if it is down or unreachable, no DNS query for the domain will succeed unless the answer is still cached or duplicated in the static file /etc/hosts.

NOTE
What we have configured so far is common whichever “configuration mode” we will choose.
  1. Caching only DNS Server
    We make sure the following lines are changed/configured inside the options { } block of the named.conf file:

    listen-on port 53 { 127.0.0.1; 10.0.0.63; };
    #listen-on-v6 port 53 { ::1; };
    allow-query { 127.0.0.1; 10.0.0.0/24; };
    recursion yes;
    allow-recursion { 127.0.0.1; 10.0.0.0/24; };
    

    For simplicity here the server will not listen on an IPv6 address (the corresponding line is therefore commented out). allow-recursion is the setting that matters for security: with recursion yes, a server that recurses for anyone (allow-recursion { any; }) is an open resolver that can be abused for DNS amplification attacks, so it must be limited to your own networks. To check if the configuration is OK we can run the command:

    #  named-checkconf

    If everything is fine no output is returned. Finally we restart the service so that it picks up the new configuration (systemctl reload named also works once it is running):

    #  systemctl restart named
  2. Single DNS server
    In case we choose this type it will be our authoritative DNS server, in charge of any name resolution in the domain we have chosen. Here too we are going to edit /etc/named.conf:

    listen-on port 53 { localhost; 10.0.0.63; };
    #listen-on-v6 port 53 { ::1; };
    allow-query { 127.0.0.1; 10.0.0.0/24; };
    recursion no;

    In this guide, for simplicity, we are not setting the bind service to listen on an IPv6 address.

    The option recursion no means the server answers only for the zones it is authoritative for: a query for any other name is refused rather than resolved on the client's behalf, so it is the client's recursive resolver, not this server, that walks from the root servers to the responsible authoritative servers. In other words: an authoritative server must not be recursive. Keeping recursion off is also what prevents the server from being abused as an open resolver in DNS amplification attacks.

    Afterwards we have to specify our zone files; here we will configure a forward zone (to resolve a name to an IP address) and a reverse zone (to resolve an IP address to a name), each in its own file, by appending the following lines to the file named.rfc1912.zones:

    zone "vulcansys-local.com" IN {
                   type master;
                   file "forward.zone";
                   allow-update { none; };
    };
    
    zone "0.0.10.in-addr.arpa" IN {
                   type master;
                   file "reverse.zone";
                   allow-update { none; };
    };

    The reverse zone is named after the network prefix with its octets reversed: for 10.0.0.0/24 the prefix 10.0.0 becomes 0.0.10.in-addr.arpa, and each host is then a single label (its last octet) inside that zone.

    The option allow-update controls DNS dynamic updates (RFC 2136), that is whether a host or application can add or change records over the network. BIND refuses them unless told otherwise and { none; } makes that explicit, so records in these zones can only be changed by the administrator editing the zone file.

    Now we need to create the files forward.zone and reverse.zone. Usually the zone files are inside the
    directory /var/named as we can infer from the directory option in the named.conf configuration file.

    Our forward.zone file will contain (@ is the zone origin, vulcansys-local.com, taken from the zone statement):

    $TTL     1D
    @        IN  SOA dns-srv.vulcansys-local.com. root.vulcansys-local.com. (
                          2019022400 ; serial
                          3h         ; refresh
                          15         ; retry (a plain number is read as seconds)
                          1w         ; expire
                          3h         ; minimum (negative-caching TTL)
                          )
    
             IN  NS  dns-srv.vulcansys-local.com.   ; owner name omitted: inherits @
    dns-srv  IN  A   10.0.0.63
    

    And the reverse.zone file, whose origin is 0.0.10.in-addr.arpa:

    $TTL     1D
    @        IN  SOA dns-srv.vulcansys-local.com. root.vulcansys-local.com. (
                          2019022400 ; serial
                          3h         ; refresh
                          15         ; retry
                          1w         ; expire
                          3h         ; minimum
                          )
    
             IN  NS   dns-srv.vulcansys-local.com.
    63       IN  PTR  dns-srv.vulcansys-local.com.  ; trailing dot required, or the origin is appended

    In these files SOA (Start Of Authority) defines the global parameters for the zone (domain); there is exactly one SOA record per zone (the line with the SOA keyword and our fully qualified domain name). The Time To Live ($TTL) is by default 1 day (86400 seconds): it tells other resolvers for how long they may cache records from this zone, so shorten it temporarily, ahead of time, before changing any entry. Most important is to remember to end every Fully Qualified Domain Name in these files with a dot; a name without one is treated as relative and has the zone origin appended to it.

    Here root.vulcansys-local.com. is the e-mail address of the zone administrator (root@vulcansys-local.com, with the @ written as a dot) and 2019022400 is the serial number, which tracks changes to the zone file and conventionally has the form YYYYMMDDnn, where nn is a two-digit change counter for that day. It must be increased every time the file is edited: a secondary server (if you add one later) only transfers a zone whose serial is higher than the copy it holds.



    In the reverse file you might have noticed everything looks the same except the last line. There a PTR record maps 10.0.0.63 back to a name; only the last octet, 63, which identifies the host (as the netmask is 255.255.255.0), needs to be written, because the zone origin 0.0.10.in-addr.arpa supplies the rest, giving the full owner name 63.0.0.10.in-addr.arpa.

    Now we make sure to have the correct permissions; named only needs to read the zone files (ownership stays with root, and since dynamic updates are disabled named never has to write them):

    #  chgrp named /var/named/reverse.zone
    #  chgrp named /var/named/forward.zone
    
    

    To check that the zone files are correctly configured you can issue the commands (the first argument to named-checkzone is the zone name, not a host address):

    #  named-checkzone vulcansys-local.com /var/named/forward.zone
    #  named-checkzone 0.0.10.in-addr.arpa /var/named/reverse.zone
    

    And to verify the overall configuration, including that every zone declared in the configuration actually loads (note that named-checkconf -v only prints the program version):

    #  named-checkconf -z

    If everything is fine we restart the service so that it loads the new zones (systemctl reload named also works once it is running):

    #  systemctl restart named
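The script below is an added example, not part of the original guide: a bash pre-flight check to run before restarting named, covering the mistakes most easily made in the single-server and caching-only steps above. audit_named_conf reads the recursion, allow-recursion and allow-query settings of a named.conf and flags the open-resolver combination (recursion on together with allow-recursion { any; }); lint_zone scans a zone file for NS, PTR, CNAME and MX targets and SOA MNAME/RNAME names that contain dots but no trailing dot, which BIND would silently expand relative to the zone origin; reverse_zone_name derives the in-addr.arpa zone name for a /24 prefix; and next_serial produces the next YYYYMMDDnn serial without ever going backwards. The sample named.conf and reverse zone contents are constructed inline so the script runs offline (the zone deliberately repeats the missing-dot PTR mistake); the function names are my own, and the addresses and zone names are the guide's.

```bash
#!/usr/bin/env bash
# Pre-flight checks for a BIND setup (added example, not from the original guide).
# Sample named.conf and zone contents are constructed inline; addresses and zone
# names reuse the guide's 10.0.0.0/24 and vulcansys-local.com.
set -u

# audit_named_conf FILE: report whether the options in FILE make an open resolver.
# Returns 1 on a FAIL finding. A missing "recursion" line counts as yes (BIND's default).
audit_named_conf() {
    local f=$1 recursion allow_rec allow_q rc=0
    recursion=$(awk '$1 == "recursion" { sub(/;/, "", $2); print $2; exit }' "$f")
    allow_rec=$(awk '$1 == "allow-recursion" { sub(/^[^{]*[{]/, ""); sub(/[}].*$/, ""); print; exit }' "$f")
    allow_q=$(awk '$1 == "allow-query" { sub(/^[^{]*[{]/, ""); sub(/[}].*$/, ""); print; exit }' "$f")
    case "${recursion:-yes}" in
        no) echo "OK:   recursion no (authoritative-only server)" ;;
        *)
            case "$allow_rec" in
                *" any;"*) echo "FAIL: recursion yes with allow-recursion { any; }: open resolver"; rc=1 ;;
                "")        echo "WARN: recursion yes without allow-recursion; BIND falls back to { localnets; localhost; }" ;;
                *)         echo "OK:   recursion limited to {$allow_rec}" ;;
            esac
            case "$allow_q" in
                *" any;"*) echo "WARN: allow-query { any; } on a recursive server; list your client networks instead" ;;
            esac ;;
    esac
    return $rc
}

# lint_zone FILE: flag dotted names lacking a trailing dot in NS/PTR/CNAME/MX targets
# and in the SOA MNAME/RNAME. Returns 1 if anything was flagged.
lint_zone() {
    awk -v file="$1" '
        function check(name) {
            if (name ~ /\./ && name !~ /\.$/) {
                printf "%s:%d: %s target %s has no trailing dot; BIND will append the zone origin\n", file, NR, rtype, name
                bad = 1
            }
        }
        { sub(/;.*/, ""); rtype = "" }                 # strip comments, reset per line
        NF == 0 || $1 ~ /^\$/ { next }                 # blank lines and $TTL/$ORIGIN directives
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^(NS|PTR|CNAME|MX|SOA)$/) { rtype = $i; pos = i; break } }
        rtype == "SOA" { check($(pos + 1)); check($(pos + 2)) }   # MNAME, RNAME
        rtype == "MX"  { check($(pos + 2)) }                      # skip the preference value
        rtype == "NS" || rtype == "PTR" || rtype == "CNAME" { check($NF) }
        END { exit bad }
    ' "$1"
}

# reverse_zone_name PREFIX: in-addr.arpa zone for a /24, e.g. 10.0.0 -> 0.0.10.in-addr.arpa
reverse_zone_name() {
    local IFS=.
    set -- $1
    echo "$3.$2.$1.in-addr.arpa"
}

# next_serial CURRENT TODAY(YYYYMMDD): next YYYYMMDDnn serial; never decreases even
# if the clock is behind the serial already in the file.
next_serial() {
    local cur=$1 base="${2}00"
    if [ "$cur" -lt "$base" ]; then echo "$base"; else echo $((cur + 1)); fi
}

# --- constructed samples ---
SAMPLE_OPEN=$(mktemp) SAMPLE_AUTH=$(mktemp) SAMPLE_REV=$(mktemp)
trap 'rm -f "$SAMPLE_OPEN" "$SAMPLE_AUTH" "$SAMPLE_REV"' EXIT
cat >"$SAMPLE_OPEN" <<'EOF'
options {                        # the weak configuration: recurses for the whole Internet
        listen-on port 53 { any; };
        allow-query     { any; };
        recursion yes;
        allow-recursion { any; };
};
EOF
cat >"$SAMPLE_AUTH" <<'EOF'
options {                        # the guide's single-server settings
        listen-on port 53 { 127.0.0.1; 10.0.0.63; };
        allow-query     { 127.0.0.1; 10.0.0.0/24; };
        recursion no;
};
EOF
cat >"$SAMPLE_REV" <<'EOF'
$TTL 1D
@   IN SOA dns-srv.vulcansys-local.com. root.vulcansys-local.com. ( 2019022400 3h 15 1w 3h )
    IN NS  dns-srv.vulcansys-local.com.
63  IN PTR dns-srv.vulcansys-local.com   ; missing trailing dot: deliberately wrong
EOF

for f in "$SAMPLE_OPEN" "$SAMPLE_AUTH"; do audit_named_conf "$f" || true; done
lint_zone "$SAMPLE_REV" || true
echo "reverse zone for 10.0.0.0/24: $(reverse_zone_name 10.0.0)"
echo "next serial after 2019022400 on 2019-02-25: $(next_serial 2019022400 20190225)"
```

On a real host run audit_named_conf against /etc/named.conf and lint_zone against each file under /var/named before the restart; the open-resolver finding is the one to treat as blocking, and the missing-dot finding is exactly what named-checkzone does not catch, since a relative name is syntactically valid.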

Client configuration

  1. Configuring the Firewall
    Nothing needs to be opened on the client: it only sends outbound queries to port 53 (UDP, falling back to TCP for large answers), which firewalld allows by default; the dns service rule from the server section is needed only where named listens. For simplicity I'm assuming the client is also RHEL 7 or 8.
  2. Resolver configuration
    The first nameserver must be our DNS server; here too make sure that NetworkManager doesn't alter the resolv.conf file.
  3. Setting the Hostname
    For consistency every client in the domain should have an FQDN hostname assigned.


Finally we verify from a client that our DNS configuration is working, by pinging the DNS server by name. dig (from bind-utils) gives a more precise check, since it shows which server answered and whether the answer is authoritative, and its -x option exercises the reverse zone as well.

Client resolving a query through the DNS server.

Conclusion

Setting up a DNS server is a task that any serious administrator should have done at least once, and in RHEL 8 the way to do it is not difficult.