Install and Setup BIND DNS server on Rocky Linux 8


Follow through to learn how to install and setup BIND DNS server on Rocky Linux 8.

Packages such as BIND, dnsmasq, and unbound can be configured to function as DNS nameservers. In this tutorial, we are going to use the BIND package to configure our local DNS server. BIND, Berkeley Internet Name Domain, is open-source software that implements the DNS protocols, which define how networked devices locate one another based on their hostnames.

Install and Setup BIND DNS server on Rocky Linux 8

In this tutorial, we will be using the following Rocky Linux 8 servers, configured as shown:

  • Server1
    • Hostname: ns1.kifarunix-demo.com
    • IP Address: 192.168.60.19
    • Role: Master DNS server
  • Server2
    • Hostname: client.kifarunix-demo.com
    • IP Address: 192.168.60.18
    • Role: client server

Install BIND and BIND Utilities on Rocky Linux 8

Run the command below to install BIND and the required utilities;

dnf install -y bind bind-utils

Setup BIND DNS server on Rocky Linux 8

BIND’s main configuration file is /etc/named.conf.

You need to open this file and make some configuration adjustments to setup your DNS server.

vim /etc/named.conf

Define BIND Access Control Lists

A BIND ACL gives you finer control over who can access the name server and thus helps prevent spoofing and denial of service (DoS) attacks against the server.

Therefore, create an Access Control List called allowed, containing the IP addresses of the hosts to be allowed, before the options section in the configuration file.

In the example configuration below, we only allow hosts in the 192.168.60.0/24 network to use our DNS server.

# Create an access control list called allowed 
acl "allowed" {
        192.168.60.0/24;
};
...

Define Global BIND Options

The options statement sets up global options to be used by BIND.

There are only a few changes we will make to the default options statement;

  • Specify the BIND DNS server's non-loopback IP address on the listen-on line.
  • Specify the hosts allowed to query the DNS server, using the ACL defined above, on the allow-query line.

options {
        listen-on port 53 { 127.0.0.1; 192.168.60.19; };
        listen-on-v6 port 53 { ::1; };
        directory   "/var/named";
        dump-file   "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; allowed; };
...

Define BIND DNS Zone Statements

Create the forward zone statement, which is used to resolve domain names into IP addresses (forward lookup zone).

# Zone statement for forward DNS lookup
zone "kifarunix-demo.com" IN {
        type master;                           # type of zone
        file "/var/named/forward.kifarunix-demo.com"; # location of forward zone file
        allow-update { none; };
};
...

Create the BIND reverse DNS zone statement, which defines how to resolve IP addresses into their hostnames (reverse lookup zone).

# Zone statement for reverse DNS lookup
zone    "60.168.192.in-addr.arpa" IN {
        type master;                    
        file "/var/named/reverse.kifarunix-demo.com"; # location of reverse zone file
        allow-update { none; };
};

After that, save the configuration file and exit.

This is how our configuration file looks with comment lines and blank lines/white space removed:

acl "allowed" {
        192.168.60.0/24;
};

options {
	listen-on port 53 { 127.0.0.1; 192.168.60.19; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	secroots-file	"/var/named/data/named.secroots";
	recursing-file	"/var/named/data/named.recursing";
	allow-query     { localhost; allowed; };

	recursion yes;
	dnssec-enable yes;
	dnssec-validation yes;
	managed-keys-directory "/var/named/dynamic";
	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
	include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
	type hint;
	file "named.ca";
};
zone "kifarunix-demo.com" IN {
        type master;                           # type of zone
        file "/var/named/forward.kifarunix-demo.com"; # location of forward zone file
        allow-update { none; };
};
zone    "60.168.192.in-addr.arpa" IN {
        type master;                    
        file "/var/named/reverse.kifarunix-demo.com"; # location of reverse zone file
        allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
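
The allow-query list above also acts as the recursion boundary: with recursion yes and no allow-recursion statement, BIND 9.11 falls back to allow-query-cache and then to allow-query, so the allowed ACL is what keeps this server from being an open resolver that anyone on the Internet could use for amplification. The following added Python check (not from the tutorial or from BIND) parses a constructed acl and options excerpt in the tutorial's layout and reports who may recurse; the regex parsing assumes single-level, unnested blocks, and the fallback order is the BIND 9.11 default described above.

```python
import re

# Constructed named.conf excerpt mirroring the tutorial's acl and options blocks (not the author's file).
NAMED_CONF = """
acl "allowed" { 192.168.60.0/24; };
options {
    listen-on port 53 { 127.0.0.1; 192.168.60.19; };
    allow-query { localhost; allowed; };
    recursion yes;
};
"""

def parse_acls(conf):
    """Map each acl statement's name to its list of members."""
    return {name: [m.strip() for m in body.split(";") if m.strip()]
            for name, body in re.findall(r'\bacl\s+"?([\w-]+)"?\s*\{([^}]*)\}', conf)}

def option_list(conf, option):
    """Address-match list of an option such as allow-query, or None if unset."""
    m = re.search(r'\b' + re.escape(option) + r'\s*\{([^}]*)\}', conf)
    return [x.strip() for x in m.group(1).split(";") if x.strip()] if m else None

def option_value(conf, option):
    """Scalar option such as 'recursion yes;', or None if unset."""
    m = re.search(r'\b' + re.escape(option) + r'\s+(\w+)\s*;', conf)
    return m.group(1) if m else None

def expand(members, acls):
    """Flatten references to named ACLs into literal entries (built-ins stay as names)."""
    out = []
    for m in members:
        out.extend(expand(acls[m], acls) if m in acls else [m])
    return out

def recursion_exposure(conf):
    """Who may recurse. Assumes BIND 9.11 defaults: allow-recursion falls back to
    allow-query-cache, then allow-query, then localhost/localnets."""
    if option_value(conf, "recursion") == "no":
        return []
    acls = parse_acls(conf)
    for opt in ("allow-recursion", "allow-query-cache", "allow-query"):
        lst = option_list(conf, opt)
        if lst is not None:
            return expand(lst, acls)
    return ["localhost", "localnets"]

def is_open_resolver(conf):
    """True when recursion is reachable from 'any', i.e. the server is an open resolver."""
    return "any" in recursion_exposure(conf)
```

Feed it the real /etc/named.conf to confirm that loosening allow-query to any (a common shortcut) would turn the server into an open resolver.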

Create BIND DNS Zone Files

Zone files define various types of Resource Records.

Create zone files for both the forward and reverse zone statements defined in the /etc/named.conf file.

Creating a Forward zone file

As specified in the zone statement in the /etc/named.conf file, the forward zone file is located at /var/named/forward.kifarunix-demo.com.

Create this file and configure it as follows;

cat > /var/named/forward.kifarunix-demo.com << 'EOL'
$ORIGIN kifarunix-demo.com.
$TTL 86400
@   IN  SOA ns1.kifarunix-demo.com. admin.kifarunix-demo.com. (
        2021062301   ; serial
        3600         ; refresh
        1800         ; retry
        604800       ; expire
        86400 )      ; minimum TTL
;
; define nameservers
    IN  NS  ns1.kifarunix-demo.com.
;
; DNS Server IP addresses and hostnames
ns1 IN  A   192.168.60.19
;
;client records
client IN  A   192.168.60.18
EOL

Creating a reverse zone file

cat > /var/named/reverse.kifarunix-demo.com << 'EOL'
$ORIGIN 60.168.192.in-addr.arpa.
$TTL    86400
@   IN  SOA  ns1.kifarunix-demo.com. admin.kifarunix-demo.com. (
        2021062302  ; serial
        3600        ; refresh
        1800        ; retry
        604800      ; expire
        86400 )     ; minimum TTL
;
;nameservers
    IN  NS  ns1.kifarunix-demo.com.
;
;nameserver IP addresses
    IN  A   192.168.60.19
;
; client IP Address
    IN  A   192.168.60.18
; nameserver PTR records
19  IN  PTR ns1.kifarunix-demo.com.
;
; client PTR records
18  IN  PTR client.kifarunix-demo.com.
EOL
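
The two zone files must agree with each other: every A record in the forward zone should have a matching PTR record in the reverse zone, otherwise dig -x returns NXDOMAIN for that host even though the forward lookup succeeds. The added Python check below (not part of the tutorial) parses constructed forward and reverse zones written in the same format as the files above and lists hosts whose PTR is missing or points at a different name; it handles the general case ($ORIGIN, comments, SOA continuation lines, blank-owner shorthand, any number of hosts), and the constructed reverse zone omits the .19 PTR on purpose so the check has something to report.

```python
# Constructed zones in the tutorial's format (not the author's files); the .19 PTR is omitted on purpose.
FORWARD = """$ORIGIN kifarunix-demo.com.
$TTL 86400
@   IN  SOA ns1.kifarunix-demo.com. admin.kifarunix-demo.com. (
        2021062301 3600 1800 604800 86400 )   ; serial refresh retry expire minimum
    IN  NS  ns1.kifarunix-demo.com.
ns1 IN  A   192.168.60.19
client IN  A   192.168.60.18
"""
REVERSE = """$ORIGIN 60.168.192.in-addr.arpa.
@   IN  SOA ns1.kifarunix-demo.com. admin.kifarunix-demo.com. (
        2021062302 3600 1800 604800 86400 )
    IN  NS  ns1.kifarunix-demo.com.
18  IN  PTR client.kifarunix-demo.com.
"""

def fqdn(name, origin):  # '@' is the origin, a trailing dot is absolute, else append origin
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """[(owner, type, rdata)]; handles $ORIGIN, ';' comments, SOA ( ) blocks and blank-owner inheritance."""
    origin, owner, depth, records = ".", None, 0, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # drop comments
        if depth:                                  # still inside SOA ( ... )
            depth -= line.count(")")
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        if not line.strip() or line.startswith("$"):
            continue
        if not line[0].isspace():                  # explicit owner on this line
            owner, line = line.split(None, 1)
            owner = fqdn(owner, origin)
        fields = line.split()
        fields = fields[fields[0] == "IN":]        # optional class field
        depth += line.count("(") - line.count(")")
        records.append((owner, fields[0], " ".join(fields[1:])))
    return records

def ptr_map(records):
    """IPv4 address -> PTR target, from owners like 18.60.168.192.in-addr.arpa."""
    return {".".join(reversed(o[:-len(".in-addr.arpa.")].split("."))): rd
            for o, rt, rd in records if rt == "PTR"}

def mismatches(forward, reverse):
    """Hosts whose A record has no PTR, or whose PTR names a different host."""
    ptr = ptr_map(parse_zone(reverse))
    return sorted(o for o, rt, ip in parse_zone(forward) if rt == "A" and ptr.get(ip) != o)
```

To check the real files, read /var/named/forward.kifarunix-demo.com and /var/named/reverse.kifarunix-demo.com into FORWARD and REVERSE and run mismatches on them after every zone edit.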

Validate BIND configuration Syntax

Before starting BIND, i.e. the named service, check that there are no syntax errors in your configuration files using the following command;

named-checkconf

If the configuration file has no errors, the command prints nothing and exits with status 0.

To verify the syntax of the forward zone file run the following command;

named-checkzone kifarunix-demo.com /var/named/forward.kifarunix-demo.com

Sample output;

zone kifarunix-demo.com/IN: loaded serial 2021062301
OK

To verify the syntax of the reverse zone file, run the command.

named-checkzone 60.168.192.in-addr.arpa /var/named/reverse.kifarunix-demo.com

Sample output;

zone 60.168.192.in-addr.arpa/IN: loaded serial 2021062302
OK

If there are no errors, start BIND and enable it to start on boot.

systemctl enable --now named

If the firewall is running, allow the DNS service through it and reload the firewall.

firewall-cmd --add-service=dns --permanent; firewall-cmd --reload

Verifying BIND DNS Server Resolution

Point the DNS server's own resolver at itself by editing the /etc/resolv.conf file and adding its IP address as the nameserver.

echo "nameserver 192.168.60.19"  >  /etc/resolv.conf 

Change the DNS server details on the network interface. My network interface is enp0s8.

ip add
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:3e:fe:0e brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute enp0s3
       valid_lft 58976sec preferred_lft 58976sec
    inet6 fe80::689b:622:1eaf:287a/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: enp0s8:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:02:b9:8c brd ff:ff:ff:ff:ff:ff
    inet 192.168.60.19/24 brd 192.168.60.255 scope global dynamic noprefixroute enp0s8
       valid_lft 473sec preferred_lft 473sec
    inet6 fe80::301d:abeb:ad8b:6c56/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Update the DNS;

nmcli con mod enp0s8 ipv4.dns 192.168.60.19
nmcli con down enp0s8; nmcli con up enp0s8

After that, test to check if the hostnames or IP addresses are being resolved.

To check name resolution:

dig ns1.kifarunix-demo.com

Sample Output;

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> ns1.kifarunix-demo.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25000
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7086456c0747f91d9a6baf9160d379d78db89f52c45e867f (good)
;; QUESTION SECTION:
;ns1.kifarunix-demo.com.		IN	A

;; ANSWER SECTION:
ns1.kifarunix-demo.com.	86400	IN	A	192.168.60.19

;; AUTHORITY SECTION:
kifarunix-demo.com.	86400	IN	NS	ns1.kifarunix-demo.com.

;; Query time: 0 msec
;; SERVER: 192.168.60.19#53(192.168.60.19)
;; WHEN: Wed Jun 23 21:13:43 EAT 2021
;; MSG SIZE  rcvd: 109

To check reverse DNS resolution;

dig -x 192.168.60.19

Sample output;

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -x 192.168.60.19
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6772
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: be2acb0f5766be389b24d55260d37a3f1c3c8466a7248483 (good)
;; QUESTION SECTION:
;19.60.168.192.in-addr.arpa.	IN	PTR

;; AUTHORITY SECTION:
60.168.192.in-addr.arpa. 86400	IN	SOA	ns1.kifarunix-demo.com. admin.kifarunix-demo.com. 2021062302 3600 1800 604800 86400

;; Query time: 0 msec
;; SERVER: 192.168.60.19#53(192.168.60.19)
;; WHEN: Wed Jun 23 21:15:27 EAT 2021
;; MSG SIZE  rcvd: 146

Configuring the client for BIND DNS Resolution

Update the DNS Settings

Log into the client and edit the /etc/resolv.conf file.

Set the DNS server IP addresses.

echo -e "search kifarunix-demo.com\nnameserver 192.168.60.19" > /etc/resolv.conf

Install BIND Utils/Tools on CentOS

To install BIND utils on CentOS/RHEL based derivatives;

dnf install bind-utils

Install BIND Utils on Ubuntu

apt install dnsutils

Verify DNS forward lookup;

nslookup client
Server:		192.168.60.19
Address:	192.168.60.19#53

Name:	client.kifarunix-demo.com
Address: 192.168.60.18

Verify DNS reverse lookup

nslookup 192.168.60.18

Sample output;

18.60.168.192.in-addr.arpa	name = client.kifarunix-demo.com.

Magnificent, your local DNS server is now set up and operational. That marks the end of our guide on installing and setting up a BIND DNS server on Rocky Linux 8.
