Scenario

Primary (Master) DNS Server Details:

Operating System: CentOS 7 minimal server

Hostname: ns1.scbd.com

IP Address: 192.168.5.180/24

Secondary (Slave) DNS Server Details:

Operating System: CentOS 7 minimal server

Hostname: ns2.scbd.com

IP Address: 192.168.5.181/24

Setup Primary (Master) DNS Server

Install the bind packages on your server.

yum install bind bind-utils -y

1. Configure DNS Server

Edit the '/etc/named.conf' file.

vi /etc/named.conf

Add or adjust the lines marked with ### comments (the master IP in listen-on, the allowed query range, the slave IP in allow-transfer) and the two zone definitions in the internal view:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 { 127.0.0.1; 192.168.5.180; };   ### Master DNS IP ###
#   listen-on-v6 port 53 { ::1; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { localhost; 192.168.5.0/24; };   ### IP Range ###
    allow-transfer  { localhost; 192.168.5.181; };    ### Slave DNS IP ###

    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    forward only;

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

view "internal" {
    match-clients {
        localhost;
        192.168.5.0/24;
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "scbd.com" IN {
        type master;
        file "/var/named/scbd.com.lan";
        allow-update { none; };
    };

    zone "5.168.192.in-addr.arpa" IN {
        type master;
        file "/var/named/5.168.192.lan";
        allow-update { none; };
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
};
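The allow-query and allow-transfer lists above are what keep this server from being an open resolver or an open zone-dump source. The following Python check is an added example, not part of the original tutorial: it scans the access-control settings of a named.conf (a constructed excerpt modelled on the options block above is embedded) and flags exactly the conditions the comment block in the file warns about.

```python
import re

# Constructed excerpt modelled on the options block of the master named.conf above.
SAMPLE_OPTIONS = """
options {
    listen-on port 53 { 127.0.0.1; 192.168.5.180; };   ### Master DNS IP ###
    directory "/var/named";
    allow-query     { localhost; 192.168.5.0/24; };    ### IP Range ###
    allow-transfer  { localhost; 192.168.5.181; };     ### Slave DNS IP ###
    recursion yes;
};
"""

def address_list(conf, name):
    """Return the entries of `name { a; b; };` as a list, or None if the option is absent."""
    m = re.search(r'\b' + re.escape(name) + r'\s*\{([^}]*)\}', conf)
    return None if m is None else [e.strip() for e in m.group(1).split(';') if e.strip()]

def audit_named_conf(conf):
    """Return a list of findings for the access-control settings; [] means nothing flagged."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)          # drop /* */ comments
    conf = re.sub(r'(//|#).*', '', conf)                       # drop // and # comments
    findings = []
    transfer = address_list(conf, 'allow-transfer')
    if transfer is None:
        findings.append('allow-transfer is not set; BIND 9.9 then allows AXFR from any host')
    elif 'any' in transfer:
        findings.append('allow-transfer { any; } lets every client download the whole zone')
    recursion = re.search(r'\brecursion\s+(yes|no)\s*;', conf)
    if recursion and recursion.group(1) == 'yes':
        # allow-recursion takes precedence; otherwise allow-query limits recursive clients
        clients = address_list(conf, 'allow-recursion') or address_list(conf, 'allow-query')
        if clients is None or 'any' in clients:
            findings.append('recursion yes without a client restriction: open resolver, usable for amplification')
    return findings
```

Run it against the real file with `audit_named_conf(open('/etc/named.conf').read())`; an empty list means the three settings are restricted as in the tutorial.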

2. Create Zone files

Create the forward and reverse zone files referenced in '/etc/named.conf'.

2.1 Create Forward Zone

Create the scbd.com.lan file in the '/var/named' directory.

vi /var/named/scbd.com.lan

Add the following lines:

$TTL 86400
@   IN  SOA     ns1.scbd.com. root.scbd.com. (
                2011071001  ;Serial
                3600        ;Refresh
                1800        ;Retry
                604800      ;Expire
                86400       ;Minimum TTL
)
@       IN  NS      ns1.scbd.com.
@       IN  NS      ns2.scbd.com.
@       IN  A       192.168.5.180
@       IN  A       192.168.5.181
ns1     IN  A       192.168.5.180
ns2     IN  A       192.168.5.181

2.2 Create Reverse Zone

Create the 5.168.192.lan file in the '/var/named' directory.

vi /var/named/5.168.192.lan

Add the following lines:

$TTL 86400
@   IN  SOA     ns1.scbd.com. root.scbd.com. (
                2011071001  ;Serial
                3600        ;Refresh
                1800        ;Retry
                604800      ;Expire
                86400       ;Minimum TTL
)
@       IN  NS      ns1.scbd.com.
@       IN  NS      ns2.scbd.com.
@       IN  PTR     scbd.com.
; a reverse zone carries only SOA, NS and PTR records; the last label of the
; owner name is the host part of the address (180 -> 192.168.5.180)
180     IN  PTR     ns1.scbd.com.
181     IN  PTR     ns2.scbd.com.

3. Start the DNS service

Enable and start DNS service:

systemctl enable named

systemctl start named

4. Firewall Configuration

Allow the default DNS port 53 (TCP and UDP) through the firewall:

firewall-cmd --permanent --add-port=53/tcp

firewall-cmd --permanent --add-port=53/udp

5. Restart Firewall

firewall-cmd --reload

6. Configuring Permissions, Ownership, and SELinux

Run the following commands one by one:

chgrp named -R /var/named

chown -v root:named /etc/named.conf

restorecon -rv /var/named

restorecon /etc/named.conf

7. Test DNS configuration and zone files for any syntax errors

Check DNS default configuration file:

named-checkconf /etc/named.conf

If it returns nothing, your configuration file is valid.

Check Forward zone:

named-checkzone scbd.com /var/named/scbd.com.lan

Sample output:

zone scbd.com/IN: loaded serial 2011071001

OK

Check reverse zone:

named-checkzone 5.168.192.in-addr.arpa /var/named/5.168.192.lan

Sample Output:

zone 5.168.192.in-addr.arpa/IN: loaded serial 2011071001

OK
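named-checkzone only validates syntax; it will load a reverse zone that disagrees with the forward zone without complaint. The following Python script is an added example, not part of the original tutorial: it parses trimmed, constructed copies of the two zone files above and reports hosts whose A and PTR records do not match, NS names without a glue A record, and record types that do not belong in a reverse zone.

```python
import re
# Constructed, trimmed copies of the tutorial's forward and reverse zone files.
FORWARD = """$TTL 86400
@   IN SOA ns1.scbd.com. root.scbd.com. ( 2011071001 3600 1800 604800 86400 )
@   IN NS  ns1.scbd.com.
@   IN NS  ns2.scbd.com.
ns1 IN A   192.168.5.180
ns2 IN A   192.168.5.181
"""
REVERSE = """$TTL 86400
@   IN SOA ns1.scbd.com. root.scbd.com. ( 2011071001 3600 1800 604800 86400 )
@   IN NS  ns1.scbd.com.
@   IN NS  ns2.scbd.com.
180 IN PTR ns1.scbd.com.
181 IN PTR ns2.scbd.com.
"""

def parse_zone(text, origin):
    """Return (SOA serial, [(owner_fqdn, type, rdata_tokens)]); origin must end with '.'.
    Handles $TTL, '@', inherited owners, optional TTL/class and a parenthesised SOA."""
    text = re.sub(r';[^\n]*', '', text)                          # strip ; comments
    text = re.sub(r'\(([^)]*)\)', lambda m: ' '.join(m.group(1).split()), text)
    records, owner, serial = [], '@', None
    for line in text.splitlines():
        if not line.strip() or line.startswith('$'):
            continue
        if line[0] not in ' \t':                                  # explicit owner
            owner, line = line.split(None, 1)
        tokens = line.split()
        while tokens[0].isdigit() or tokens[0] in ('IN', 'CH'):  # optional TTL / class
            tokens.pop(0)
        fqdn = origin if owner == '@' else owner if owner.endswith('.') else f'{owner}.{origin}'
        if tokens[0] == 'SOA':
            serial = int(tokens[3])
        records.append((fqdn, tokens[0], tokens[1:]))
    return serial, records

def check_zones(fwd_text, rev_text, domain, rev_origin):
    """Cross-check forward and reverse zone; returns a list of problems (empty = consistent)."""
    _, fwd = parse_zone(fwd_text, domain)
    _, rev = parse_zone(rev_text, rev_origin)
    a_recs = {(f, r[0]) for f, t, r in fwd if t == 'A'}
    net = '.'.join(reversed(rev_origin[:-len('.in-addr.arpa.')].split('.')))   # '192.168.5'
    ptr_recs = {(r[0], f'{net}.{f.split(".")[0]}') for f, t, r in rev if t == 'PTR' and f != rev_origin}
    problems = [f'{n} A {ip} has no PTR record' for n, ip in a_recs - ptr_recs]
    problems += [f'PTR {ip} -> {n} has no matching A record' for n, ip in ptr_recs - a_recs]
    a_names = {n for n, _ in a_recs}
    problems += [f'NS {r[0]} has no glue A record' for f, t, r in fwd if t == 'NS' and r[0] not in a_names]
    problems += [f'unexpected {t} record at {f} in reverse zone' for f, t, _ in rev if t not in ('SOA', 'NS', 'PTR')]
    return problems
```

Call `check_zones(open('/var/named/scbd.com.lan').read(), open('/var/named/5.168.192.lan').read(), 'scbd.com.', '5.168.192.in-addr.arpa.')` on the real files; the origins must carry the trailing dot.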

Add the DNS Server details in your network interface config file.

vi /etc/sysconfig/network-scripts/ifcfg-enp0s3

TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="enp0s3"
UUID="5d0428b3-6af2-4f6b-9fe3-4250cd839efa"
ONBOOT="yes"
HWADDR="08:00:27:19:68:73"
IPADDR0="192.168.5.180"
PREFIX0="24"
GATEWAY0="192.168.5.1"
DNS1="192.168.5.180"   # this server (ns1)
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"

Edit the file /etc/resolv.conf:

vi /etc/resolv.conf

Add the name server IP address:

nameserver      192.168.5.180

Save and close the file.

Restart network service:

systemctl restart network

8. Test DNS Server

dig masterdns.unixmen.local

Sample Output:

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> masterdns.unixmen.local

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25179

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;masterdns.unixmen.local.    IN    A

;; ANSWER SECTION:

masterdns.unixmen.local. 86400    IN    A    192.168.1.101

;; AUTHORITY SECTION:

unixmen.local.        86400    IN    NS    secondarydns.unixmen.local.

unixmen.local.        86400    IN    NS    masterdns.unixmen.local.

;; ADDITIONAL SECTION:

secondarydns.unixmen.local. 86400 IN    A    192.168.1.102

;; Query time: 0 msec

;; SERVER: 192.168.1.101#53(192.168.1.101)

;; WHEN: Wed Aug 20 16:20:46 IST 2014

;; MSG SIZE  rcvd: 125

nslookup unixmen.local

Sample Output:

Server:        192.168.1.101

Address:    192.168.1.101#53

Name:    unixmen.local

Address: 192.168.1.103

Name:    unixmen.local

Address: 192.168.1.101

Name:    unixmen.local

Address: 192.168.1.102

Now the Primary DNS server is ready to use.

It is time to configure our Secondary DNS server.

Setup Secondary (Slave) DNS Server

Install bind packages using the following command:

yum install bind bind-utils -y

1. Configure Slave DNS Server

Edit file ‘/etc/named.conf’:

vi /etc/named.conf

Make the following changes (the listen-on and allow-query addresses, and the two slave zones pointing at the master):

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 { 127.0.0.1; 192.168.1.102; };
    listen-on-v6 port 53 { ::1; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { localhost; 192.168.1.0/24; };
    .
    .
    .
    .

zone "." IN {
    type hint;
    file "named.ca";
};

zone "unixmen.local" IN {
    type slave;
    file "slaves/unixmen.fwd";
    masters { 192.168.1.101; };
};

zone "1.168.192.in-addr.arpa" IN {
    type slave;
    file "slaves/unixmen.rev";
    masters { 192.168.1.101; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

2. Start the DNS Service

systemctl enable named

systemctl start named

The forward and reverse zones are now transferred automatically from the master into '/var/named/slaves/' on the secondary server.

ls /var/named/slaves/

Sample Output:

unixmen.fwd  unixmen.rev

3. Add the DNS Server details

Add the DNS Server details in your network interface config file.

vi /etc/sysconfig/network-scripts/ifcfg-enp0s3

TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="enp0s3"
UUID="5d0428b3-6af2-4f6b-9fe3-4250cd839efa"
ONBOOT="yes"
HWADDR="08:00:27:19:68:73"
IPADDR0="192.168.1.102"
PREFIX0="24"
GATEWAY0="192.168.1.1"
DNS1="192.168.1.101"
DNS2="192.168.1.102"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"

Edit the file /etc/resolv.conf:

vi /etc/resolv.conf

Add the name server IP addresses:

nameserver      192.168.1.101

nameserver      192.168.1.102

Save and close the file.

Restart network service:

systemctl restart network

4. Firewall Configuration

Allow the default DNS port 53 (TCP and UDP) through the firewall:

firewall-cmd --permanent --add-port=53/tcp

firewall-cmd --permanent --add-port=53/udp

5. Restart Firewall

firewall-cmd --reload

6. Configuring Permissions, Ownership, and SELinux

chgrp named -R /var/named

chown -v root:named /etc/named.conf

restorecon -rv /var/named

restorecon /etc/named.conf

7. Test DNS Server

dig masterdns.unixmen.local

Sample Output:

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> masterdns.unixmen.local

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;masterdns.unixmen.local.    IN    A

;; ANSWER SECTION:

masterdns.unixmen.local. 86400    IN    A    192.168.1.101

;; AUTHORITY SECTION:

unixmen.local.        86400    IN    NS    masterdns.unixmen.local.

unixmen.local.        86400    IN    NS    secondarydns.unixmen.local.

;; ADDITIONAL SECTION:

secondarydns.unixmen.local. 86400 IN    A    192.168.1.102

;; Query time: 0 msec

;; SERVER: 192.168.1.102#53(192.168.1.102)

;; WHEN: Wed Aug 20 17:04:30 IST 2014

;; MSG SIZE  rcvd: 125

dig secondarydns.unixmen.local

Sample Output:

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> secondarydns.unixmen.local

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60819

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;secondarydns.unixmen.local.    IN    A

;; ANSWER SECTION:

secondarydns.unixmen.local. 86400 IN    A    192.168.1.102

;; AUTHORITY SECTION:

unixmen.local.        86400    IN    NS    masterdns.unixmen.local.

unixmen.local.        86400    IN    NS    secondarydns.unixmen.local.

;; ADDITIONAL SECTION:

masterdns.unixmen.local. 86400    IN    A    192.168.1.101

;; Query time: 0 msec

;; SERVER: 192.168.1.102#53(192.168.1.102)

;; WHEN: Wed Aug 20 17:05:50 IST 2014

;; MSG SIZE  rcvd: 125

nslookup unixmen.local

Sample Output:

Server:        192.168.1.102

Address:    192.168.1.102#53

Name:    unixmen.local

Address: 192.168.1.101

Name:    unixmen.local

Address: 192.168.1.103

Name:    unixmen.local

Address: 192.168.1.102

Overwriting /etc/resolv.conf

To stop NetworkManager from overwriting the DNS settings, add the following to /etc/NetworkManager/NetworkManager.conf:

[main]
dns=none

If /etc/resolv.conf is still changed after a reboot, set the immutable attribute on the file; this blocks any further modification (the attribute has to be cleared again before the file can be edited):

chattr +i /etc/resolv.conf

By Rayhan
