Primary DNS Configuration in CentOS 6 (with chroot)

This tutorial is based on a previous article. The configuration of the DNS Servers using chroot and not using chroot are almost identical. Here's how it's done -

 

Objective

We would be configuring the primary DNS Server for the domain testdom.inv (yes, the top level domain is inv i.e. 'invalid').  The FQDN (Fully Qualified Domain Name) of the server is ns1.testdom.inv. This is a simulation, so you better get your Server off the Internet-
  1. make sure the Server does not have any real IP
  2. make sure that the file /etc/resolv.conf does not contain any IP address of a valid DNS Server.

Here is the IP Database
  • DNS Server 192.168.1.13
  • Web Server 192.168.1.12
  • FTP Server 192.168.1.11

Procedure

Phase1:

The first thing when it comes to configuring any Server is setting up the hostname of the Server properly. We have to modify the following lines in the mentioned files -

[root@centu ~]# vim /etc/sysconfig/network

HOSTNAME=ns1.testdom.inv


[root@centu ~]# vim /etc/hosts

192.168.1.13    ns1.testdom.inv   ns1

Changing hostname like this sometimes takes effect after a Server reboot. To avoid that, we also set the hostname as ns1.testdom.inv temporarily until the next reboot.

[root@centu ~]# hostname ns1.testdom.inv
[root@centu ~]# hostname
ns1.testdom.inv 

Finally, we set the resolver IP

[root@ns1 ~]# vim /etc/resolv.conf

nameserver 192.168.1.13

Phase 2:

We would be setting up the package bind to provide DNS service.The package can be easily installed using yum. First we remove any previous version of bind, bind-chroot and then we install the required packages.


[root@ns1 ~]# yum install bind bind-chroot
Loaded plugins: fastestmirror, presto
Determining fastest mirrors
 * base: ossm.utm.my
 * extras: ossm.utm.my
 * rpmforge: mirror.oscc.org.my
 * updates: ossm.utm.my
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind.i686 32:9.7.3-8.P3.el6_2.3 set to be updated
--> Processing Dependency: bind-libs = 32:9.7.3-8.P3.el6_2.3 for package: 32:bin                                             d-9.7.3-8.P3.el6_2.3.i686
--> Processing Dependency: liblwres.so.60 for package: 32:bind-9.7.3-8.P3.el6_2.                                             3.i686
--> Processing Dependency: libisccfg.so.62 for package: 32:bind-9.7.3-8.P3.el6_2                                             .3.i686
--> Processing Dependency: libisccc.so.60 for package: 32:bind-9.7.3-8.P3.el6_2.                                             3.i686
--> Processing Dependency: libisc.so.62 for package: 32:bind-9.7.3-8.P3.el6_2.3.                                             i686
--> Processing Dependency: libdns.so.69 for package: 32:bind-9.7.3-8.P3.el6_2.3.                                             i686
--> Processing Dependency: libbind9.so.60 for package: 32:bind-9.7.3-8.P3.el6_2.                                             3.i686
---> Package bind-chroot.i686 32:9.7.3-8.P3.el6_2.3 set to be updated
--> Running transaction check
---> Package bind-libs.i686 32:9.7.3-8.P3.el6_2.3 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package           Arch       Version                       Repository     Size
================================================================================
Installing:
 bind              i686       32:9.7.3-8.P3.el6_2.3         updates       3.9 M
 bind-chroot       i686       32:9.7.3-8.P3.el6_2.3         updates        68 k
Installing for dependencies:
 bind-libs         i686       32:9.7.3-8.P3.el6_2.3         updates       851 k

Transaction Summary
================================================================================
Install       3 Package(s)
Upgrade       0 Package(s)

Total download size: 4.8 M
Installed size: 9.2 M
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
updates/prestodelta                                                                                   | 394 kB     00:13
Processing delta metadata
Package(s) data still to download: 4.8 M
(1/3): bind-9.7.3-8.P3.el6_2.3.i686.rpm                                                               | 3.9 MB     02:25
(2/3): bind-chroot-9.7.3-8.P3.el6_2.3.i686.rpm                                                        |  68 kB     00:01
(3/3): bind-libs-9.7.3-8.P3.el6_2.3.i686.rpm                                                          | 851 kB     00:27
-----------------------------------------------------------------------------------------------------------------------------
Total                                                                                         28 kB/s | 4.8 MB     02:56
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing     : 32:bind-libs-9.7.3-8.P3.el6_2.3.i686                                                                  1/3
  Installing     : 32:bind-9.7.3-8.P3.el6_2.3.i686                                                                       2/3
  Installing     : 32:bind-chroot-9.7.3-8.P3.el6_2.3.i686                                                                3/3

Installed:
  bind.i686 32:9.7.3-8.P3.el6_2.3                           bind-chroot.i686 32:9.7.3-8.P3.el6_2.3

Dependency Installed:
  bind-libs.i686 32:9.7.3-8.P3.el6_2.3

Complete!

Phase 3:

 Now we prepare the configuration file /var/named/chroot/etc/named.conf


[root@ns1 ~]# cp /usr/share/doc/bind-9.7.0/sample/etc/named.rfc1912.zones /var/named/chroot/etc/named.conf

[root@ns1 ~]# vim /var/named/chroot/etc/named.conf

#### Please add/modify the following lines ####

options {
        directory "/var/named"; // the path of the zone files
        forwarders {4.2.2.1; }; // in case of DNS query failure, the IP of the next DNS Server where the queries would be forwarded
};


// declaration of the forward zone
zone "testdom.inv" IN {
        type master;
        file "testdom-fz"; //forward zone file stored in /var/named
        allow-update { none; };
};

// declaration of reverse zone
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "testdom-rz"; // reverse zone file stored in /var/named
        allow-update { none; };
};



Phase 4:

Now it's time to prepare the zone files. The zone files are stored in /var/named/chroot/var/named. The character '@' denotes a 'NULL' value in these files. Please be careful while writing as syntax errors in these files can easily occur. 
IMPORTANT: Every FQDN declared in the zone files has a '.' in the end.

Forward Zone

[root@ns1 ~]# cd /var/named/chroot/var/named
[root@ns1 named]# cp named.localhost testdom-fz
[root@ns1 named]# vim testdom-fz 

;Comment: this is the forward zone file

; IMPORTANT every FQDN has a trailing dot '.'

$TTL 1D
;Comment: FORMAT
;Comment: @      IN SOA  FQDN email (user.domain.tld) (

@       IN SOA  ns1.testdom.inv. admin.testdom.inv. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS      ns1.testdom.inv.
        IN A       192.168.1.13
ns1     IN A       192.168.1.13
www     IN A       192.168.1.12
ftp     IN A       192.168.1.11

Reverse Zone

[root@ns1 ~]# cd /var/named/chroot/var/named
[root@ns1 named]# cp testdom-fz testdom-rz
[root@ns1 named]# vim testdom-rz 

;this is the reverse zone file

; IMPORTANT every FQDN has a trailing dot '.'

$TTL 1D
;FORMAT
;@      IN SOA  FQDN email (user.domain.tld) (

@       IN SOA  ns1.testdom.inv. admin.testdom.inv. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1.testdom.inv.
13      IN PTR  ns1.testdom.inv.
12      IN PTR  www.testdom.inv.
11      IN PTR  ftp.testdom.inv.


Now, we have to change the ownership of the zone files to match the permission of the other files in the directory.

[root@ns1 named]# cd /var/named/chroot/var/named
[root@ns1 named]# chgrp named testdom-*

[root@ns1 named]# ls -l test*
total 48
-rw-r----- 1 root  named  325 May 31 11:16 testdom-fz
-rw-r----- 1 root  named  318 May 31 11:12 testdom-rz



Finally it's time to start the DNS Service.

[root@ns1 named]# service named restart
Stopping named:                             [  OK  ]
Starting named:                             [  OK  ]
[root@ns1 named]# chkconfig named on


Phase 5:

Finally it's time for testing.
[root@ns1 named]# yum install bind-utils
Loaded plugins: fastestmirror, presto
Loading mirror speeds from cached hostfile
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind-utils.i686 32:9.7.0-5.P2.el6 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch         Version                    Repository     Size
================================================================================
Installing:
 bind-utils         i686         32:9.7.0-5.P2.el6          myyum         173 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 173 k
Installed size: 419 k
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 173 k
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : 32:bind-utils-9.7.0-5.P2.el6.i686                        1/1 

Installed:
  bind-utils.i686 32:9.7.0-5.P2.el6                                             

Complete!
[root@ns1 named]# 


We would be using the command dig for testing DNS configuration. The command dig sends a query and waits for answers. Here is a demo -

IMPORTANT: The first thing to look for is in the status NOERROR . If the value is anything other, then there is a problem i.e. NXDOMAIN - Non eXisting DOMAIN, SERVFAIL - SERVer FAILure

[root@ns1 named]# dig ns1.testdom.inv

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6 <<>> ns1.testdom.inv
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37595
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.testdom.inv.        IN    A

;; ANSWER SECTION:
ns1.testdom.inv.    86400    IN    A    192.168.1.13

;; AUTHORITY SECTION:
testdom.inv.        86400    IN    NS    ns1.testdom.inv.

;; Query time: 1 msec
;; SERVER: 192.168.1.13#53(192.168.1.13)
;; WHEN: Thu May 31 11:39:52 2012
;; MSG SIZE  rcvd: 63


As we can see from the output, the ANSWER SECTION states that the A Record i.e. IP address of ns1.testdom.inv. is 192.168.1.13


[root@ns1 named]# dig -x 192.168.1.13

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6 <<>> -x 192.168.1.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6969
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;13.1.168.192.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
13.1.168.192.in-addr.arpa. 86400 IN    PTR    ns1.testdom.inv.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa.    86400    IN    NS    ns1.testdom.inv.

;; ADDITIONAL SECTION:
ns1.testdom.inv.    86400    IN    A    192.168.1.13

;; Query time: 2 msec
;; SERVER: 192.168.1.13#53(192.168.1.13)
;; WHEN: Thu May 31 11:41:27 2012
;; MSG SIZE  rcvd: 102


Again, as we can see from the output, the ANSWER SECTION states that the IP address 192.168.1.13 points to i.e. PTR Record ns1.testdom.inv.

The DNS Server should also work for www or ftp servers in testdom.inv. You can also check using nslookup and ping.

Hope this helps.

Comments

  1. Thanks a lot..Very helpful and nice article..

    ReplyDelete
  2. This comment has been removed by the author.

    ReplyDelete
  3. Hello, I lost in Phase 3.
    Can you pls. check if your post in phase 3 is the same with mine.

    ***** My named.conf

    // named.rfc1912.zones:
    //
    // Provided by Red Hat caching-nameserver package
    //
    // ISC BIND named zone configuration for zones recommended by
    // RFC 1912 section 4.1 : localhost TLDs and address zones
    // and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
    // (c)2007 R W Franks
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //

    options {
    directory "/var/named"; // the path of the zone files
    forwarders {4.2.2.1; }; // in case of DNS query failure, the IP of the next DNS Server where the queries would be forwarded
    };

    zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
    };

    zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
    };

    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
    };

    // declaration of the forward zone
    zone "testdom.inv" IN {
    type master;
    file "testdom-fz"; //forward zone file stored in /var/named
    allow-update { none; };
    };

    // declaration of reverse zone
    zone "1.11.172.in-addr.arpa" IN {
    type master;
    file "testdom-rz"; // reverse zone file stored in /var/named
    allow-update { none; };

    };

    ReplyDelete
    Replies
    1. Sorry for the late response.

      As we are using chroot, we have to put all the relevant files under /var/named/chroot/...

      So, the paths would be-

      named.conf = /var/named/chroot/etc/named.conf
      zone files = /var/named/chroot/var/named

      Please make sure of this one first.

      Second, I had used the sample named configuration file from /usr/share/doc/bind-9.7.0/sample/etc/named.rfc1912.zones. This one is easier to work with compared to the actual named.conf provided by bind.

      Hope this helps.
      Sarmed

      Delete
  4. What about selinux? How do I relabel the newly created files in permissive or enforced configuration?

    ReplyDelete
  5. Here it is:

    cd /var/named
    restorecon -vFR *

    ReplyDelete
  6. And BTW: There is no need to create some files in /var/named/chroot/var/named, as they are automatically mounted into the chroot env on startup if they do not exist in the chroot dir.

    Those files and dirs are:
    /etc/named
    /etc/pki/dnssec-keys
    /var/named
    /etc/named.conf
    /etc/named.dnssec.keys
    /etc/named.rfc1912.zones
    /etc/rndc.conf
    /etc/rndc.key
    /usr/lib64/bind
    /usr/lib/bind
    /etc/named.iscdlv.key
    /etc/named.root.key

    See /etc/init.d/named for details.

    ReplyDelete
  7. If we want to setup a real DNS server for Internet users, will this tutorial helps? My server IP will be 180.178.XX.XX (Public IP)

    ReplyDelete
    Replies
    1. As long as you have your authoritative DNS servers registered (for both forward and reverse queries) under proper authorities, this will work.

      Delete
  8. This is a late comment but just for the record...

    First, many thanks to the author for this very simple but nice and helpful tutorial. It was very useful to me.

    In my case I move named.conf and named.rfc1912.zones from /etc/ to /var/named/chroot/etc and create symbol-links in /etc/
    example: [root@zeus ~]# ln -s /var/named/chroot/etc/named.conf /etc/named.conf
    Then, I edited named.rfc1912.zones and added my forward and reverse zones. In named.conf, I added forwarders IP addresses.

    Similarly, you can move all named.* from /var/named/ to /var/named/chroot/var/named/ and create symbol-links in /var/named/.

    In both cases, you have to make sure the group ownership is named. This can achieved by using:

    [root@ns1 named]# chgrp named named.*

    There was no need for me to create named.conf from the sample as stated above!!!

    ReplyDelete

Post a Comment