Primary DNS Configuration in CentOS 6 (with chroot)
This tutorial is based on a previous article. The configuration of a DNS server with chroot and without chroot is almost identical. Here is how it is done.
Objective
We will be configuring the primary DNS server for the domain testdom.inv (yes, the top-level domain is inv, i.e. 'invalid'). The FQDN (Fully Qualified Domain Name) of the server is ns1.testdom.inv. This is a simulation, so keep the server off the Internet:
- make sure the server does not have any real IP address
- make sure that the file /etc/resolv.conf does not contain the IP address of any real DNS server.
Here is the IP Database
- DNS Server 192.168.1.13
- Web Server 192.168.1.12
- FTP Server 192.168.1.11
Procedure
Phase 1:
The first thing when it comes to configuring any server is setting its hostname properly. We have to modify the following lines in the files mentioned:
[root@centu ~]# vim /etc/sysconfig/network
HOSTNAME=ns1.testdom.inv
[root@centu ~]# vim /etc/hosts
192.168.1.13 ns1.testdom.inv ns1
Changing the hostname in these files only takes effect after a server reboot. To avoid waiting for that, we also set the hostname to ns1.testdom.inv on the running system; this setting lasts until the next reboot, after which the file takes over.
[root@centu ~]# hostname ns1.testdom.inv
[root@centu ~]# hostname
ns1.testdom.inv
Finally, we set the resolver IP:
[root@ns1 ~]# vim /etc/resolv.conf
nameserver 192.168.1.13
Phase 2:
We will be setting up the package bind to provide the DNS service. The package can be installed easily using yum. First we remove any previous version of bind and bind-chroot, then we install the required packages:
[root@ns1 ~]# yum install bind bind-chroot
Loaded plugins: fastestmirror, presto
Determining fastest mirrors
* base: ossm.utm.my
* extras: ossm.utm.my
* rpmforge: mirror.oscc.org.my
* updates: ossm.utm.my
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind.i686 32:9.7.3-8.P3.el6_2.3 set to be updated
--> Processing Dependency: bind-libs = 32:9.7.3-8.P3.el6_2.3 for package: 32:bind-9.7.3-8.P3.el6_2.3.i686
--> Processing Dependency: liblwres.so.60 for package: 32:bind-9.7.3-8.P3.el6_2.3.i686
--> Processing Dependency: libisccfg.so.62 for package: 32:bind-9.7.3-8.P3.el6_2.3.i686
--> Processing Dependency: libisccc.so.60 for package: 32:bind-9.7.3-8.P3.el6_2.3.i686
--> Processing Dependency: libisc.so.62 for package: 32:bind-9.7.3-8.P3.el6_2.3.i686
--> Processing Dependency: libdns.so.69 for package: 32:bind-9.7.3-8.P3.el6_2.3.i686
--> Processing Dependency: libbind9.so.60 for package: 32:bind-9.7.3-8.P3.el6_2.3.i686
---> Package bind-chroot.i686 32:9.7.3-8.P3.el6_2.3 set to be updated
--> Running transaction check
---> Package bind-libs.i686 32:9.7.3-8.P3.el6_2.3 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
bind i686 32:9.7.3-8.P3.el6_2.3 updates 3.9 M
bind-chroot i686 32:9.7.3-8.P3.el6_2.3 updates 68 k
Installing for dependencies:
bind-libs i686 32:9.7.3-8.P3.el6_2.3 updates 851 k
Transaction Summary
================================================================================
Install 3 Package(s)
Upgrade 0 Package(s)
Total download size: 4.8 M
Installed size: 9.2 M
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
updates/prestodelta | 394 kB 00:13
Processing delta metadata
Package(s) data still to download: 4.8 M
(1/3): bind-9.7.3-8.P3.el6_2.3.i686.rpm | 3.9 MB 02:25
(2/3): bind-chroot-9.7.3-8.P3.el6_2.3.i686.rpm | 68 kB 00:01
(3/3): bind-libs-9.7.3-8.P3.el6_2.3.i686.rpm | 851 kB 00:27
-----------------------------------------------------------------------------------------------------------------------------
Total 28 kB/s | 4.8 MB 02:56
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
Installing : 32:bind-libs-9.7.3-8.P3.el6_2.3.i686 1/3
Installing : 32:bind-9.7.3-8.P3.el6_2.3.i686 2/3
Installing : 32:bind-chroot-9.7.3-8.P3.el6_2.3.i686 3/3
Installed:
bind.i686 32:9.7.3-8.P3.el6_2.3 bind-chroot.i686 32:9.7.3-8.P3.el6_2.3
Dependency Installed:
bind-libs.i686 32:9.7.3-8.P3.el6_2.3
Complete!
Phase 3:
Now we prepare the configuration file /var/named/chroot/etc/named.conf, starting from the sample zone file shipped with bind:
[root@ns1 ~]# cp /usr/share/doc/bind-9.7.0/sample/etc/named.rfc1912.zones /var/named/chroot/etc/named.conf
[root@ns1 ~]# vim /var/named/chroot/etc/named.conf
#### Please add/modify the following lines ####
options {
directory "/var/named"; // the path of the zone files
forwarders {4.2.2.1; }; // in case of DNS query failure, the IP of the next DNS Server where the queries would be forwarded
};
// declaration of the forward zone
zone "testdom.inv" IN {
type master;
file "testdom-fz"; //forward zone file stored in /var/named
allow-update { none; };
};
// declaration of reverse zone
zone "1.168.192.in-addr.arpa" IN {
type master;
file "testdom-rz"; // reverse zone file stored in /var/named
allow-update { none; };
};
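The named.conf above states which zones this server is master for and disables dynamic updates, but it leaves two policies at BIND's defaults that a practitioner would normally pin down: which clients may use the server recursively (it has forwarders, so it acts as a resolver for the LAN as well as an authoritative server) and who may transfer the zones (BIND 9.7 permits zone transfers to any host unless allow-transfer says otherwise). The following Python script is an added example, not part of this tutorial or of BIND: it reads the subset of named.conf syntax used here, places the tutorial's fragment next to a constructed variant with both policies written out, and reports which policies each one leaves unstated. The 192.168.1.0/24 network in the hardened variant is an assumption taken from the IP database above.

```python
"""Audit the zone statements of a named.conf fragment.
Added example for this tutorial, not part of BIND.  It understands only the
syntax used here: top-level 'options { ... }' and 'zone "name" IN { ... }'
blocks made of 'keyword value;' statements, with // and # comments."""
import re

# Constructed input: the tutorial's named.conf fragment from Phase 3.
NAMED_CONF_TUTORIAL = """
options {
    directory "/var/named";
    forwarders { 4.2.2.1; };
};
zone "testdom.inv" IN {
    type master;
    file "testdom-fz";
    allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "testdom-rz";
    allow-update { none; };
};
"""

# Constructed input: the same fragment with both policies stated explicitly;
# 192.168.1.0/24 is assumed from the tutorial's IP database.
NAMED_CONF_HARDENED = NAMED_CONF_TUTORIAL.replace(
    "    forwarders { 4.2.2.1; };\n",
    "    forwarders { 4.2.2.1; };\n"
    "    allow-recursion { 127.0.0.1; 192.168.1.0/24; };  // only the LAN may recurse\n"
    "    allow-transfer { none; };  // no secondaries, so nobody may pull the zone\n")

BLOCK_RE = re.compile(r'\b(options|zone\s+"([^"]+)"(?:\s+IN)?)\s*\{')


def split_statements(body):
    """Split 'a b; c { d; e; };' into top-level statements, honouring nested braces."""
    stmts, cur, depth = [], "", 0
    for ch in body:
        cur += ch
        depth += (ch == "{") - (ch == "}")
        if ch == ";" and depth == 0:
            stmts.append(cur.strip()[:-1].strip())   # drop the terminating ';'
            cur = ""
    return [s for s in stmts if s]


def parse_named_conf(text):
    """Return {'options': {keyword: value}, 'zones': {name: {keyword: value}}}."""
    text = re.sub(r"//.*|#.*", "", text)
    conf, pos = {"options": {}, "zones": {}}, 0
    while True:
        m = BLOCK_RE.search(text, pos)
        if not m:
            return conf
        depth, end = 1, m.end()
        while depth:                                  # find the matching '}'
            depth += (text[end] == "{") - (text[end] == "}")
            end += 1
        stmts = {}
        for s in split_statements(text[m.end():end - 1]):
            parts = s.split(None, 1)
            stmts[parts[0]] = parts[1] if len(parts) > 1 else ""
        if m.group(2):
            conf["zones"][m.group(2)] = stmts
        else:
            conf["options"] = stmts
        pos = end


def audit(conf):
    """List the policies a configuration leaves to BIND's defaults."""
    findings, opts = [], conf["options"]
    if "forwarders" in opts and "allow-recursion" not in opts:
        findings.append("options: forwarders set but allow-recursion not stated; "
                        "name the networks allowed to use this server as a resolver")
    for name, zone in conf["zones"].items():
        if zone.get("type") == "master" and "allow-transfer" not in zone and "allow-transfer" not in opts:
            findings.append(f'zone "{name}": allow-transfer not stated; BIND 9.7 then allows '
                            "transfers to any host, so set it to none or to the secondaries")
        if zone.get("allow-update", "").replace(" ", "") != "{none;}":
            findings.append(f'zone "{name}": dynamic updates are not disabled')
    return findings


if __name__ == "__main__":
    for label, text in (("tutorial", NAMED_CONF_TUTORIAL), ("hardened", NAMED_CONF_HARDENED)):
        print(label, audit(parse_named_conf(text)) or "no findings")
```

Run on the tutorial's fragment the audit reports three findings (recursion policy unstated, and allow-transfer unstated for each of the two zones); on the hardened variant it reports none. The parser is deliberately small and only follows the brace structure, so it is a lint for this tutorial's layout, not a replacement for named-checkconf.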
Phase 4:
Now it's time to prepare the zone files. They are stored in /var/named/chroot/var/named. The character '@' is used where the name would otherwise be empty ('NULL'); it stands for the zone itself. Be careful while writing these files, as syntax errors are easy to make in them.
IMPORTANT: Every FQDN declared in the zone files ends with a '.'.
Forward Zone
[root@ns1 ~]# cd /var/named/chroot/var/named
[root@ns1 named]# cp named.localhost testdom-fz
[root@ns1 named]# vim testdom-fz
;Comment: this is the forward zone file
; IMPORTANT every FQDN has a trailing dot '.'
$TTL 1D
;Comment: FORMAT
;Comment: @ IN SOA FQDN email (user.domain.tld) (
@ IN SOA ns1.testdom.inv. admin.testdom.inv. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns1.testdom.inv.
IN A 192.168.1.13
ns1 IN A 192.168.1.13
www IN A 192.168.1.12
ftp IN A 192.168.1.11
Reverse Zone
[root@ns1 ~]# cd /var/named/chroot/var/named
[root@ns1 named]# cp testdom-fz testdom-rz
[root@ns1 named]# vim testdom-rz
;this is the reverse zone file
; IMPORTANT every FQDN has a trailing dot '.'
$TTL 1D
;FORMAT
;@ IN SOA FQDN email (user.domain.tld) (
@ IN SOA ns1.testdom.inv. admin.testdom.inv. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns1.testdom.inv.
13 IN PTR ns1.testdom.inv.
12 IN PTR www.testdom.inv.
11 IN PTR ftp.testdom.inv.
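The two warnings above (every FQDN ends with a dot; '@' stands for the zone itself, i.e. the origin named in the zone statement) are easiest to understand by watching what named does with a name that lacks the dot: it appends the origin, so a PTR target written as ftp.testdom.inv inside the reverse zone becomes ftp.testdom.inv.1.168.192.in-addr.arpa. The following Python script is an added example, not part of this tutorial or of BIND: it parses the two zone files above with those rules and then cross-checks them, reporting addresses that have an A record but no PTR, and PTR records whose target does not hold that address in the forward zone. The forward zone is the tutorial's testdom-fz verbatim; the reverse zone is testdom-rz with the last PTR line deliberately missing its trailing dot.

```python
"""Parse BIND zone files the way named reads them and cross-check a forward
zone against its reverse zone.  Added example for this tutorial, not part of
BIND.  Handles ';' comments, $TTL, parenthesised multi-line records, '@' and the
blank-owner rule; $ORIGIN and $INCLUDE are not handled."""
import re

# Constructed input: the tutorial's forward zone file testdom-fz, verbatim.
FORWARD_ZONE = """\
$TTL 1D
@ IN SOA ns1.testdom.inv. admin.testdom.inv. (
        0 ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
        IN NS ns1.testdom.inv.
        IN A 192.168.1.13
ns1 IN A 192.168.1.13
www IN A 192.168.1.12
ftp IN A 192.168.1.11
"""

# Constructed input: the tutorial's reverse zone testdom-rz, with the last PTR
# deliberately missing its trailing dot to show what that mistake produces.
REVERSE_ZONE = """\
$TTL 1D
@ IN SOA ns1.testdom.inv. admin.testdom.inv. (
        0 ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
        NS ns1.testdom.inv.
13 IN PTR ns1.testdom.inv.
12 IN PTR www.testdom.inv.
11 IN PTR ftp.testdom.inv
"""

CLASSES = {"IN", "CH", "HS"}
NAME_TYPES = {"NS", "PTR", "CNAME", "MX"}       # RDATA ends in a domain name
TTL_RE = re.compile(r"\d+[smhdw]?", re.I)


def absolute(name, origin):
    """'@' is the origin, a trailing dot means absolute, and a relative name
    gets the origin appended (the source of 'ns1.testdom.inv.testdom.inv.')."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples with every name made absolute."""
    origin = origin if origin.endswith(".") else origin + "."
    lines, buf = [], ""
    for raw in text.splitlines():                 # drop comments, fold ( ... ) records
        ln = re.sub(r";.*", "", raw).rstrip()
        buf = ln if not buf else buf + " " + ln.strip()
        if buf.count("(") > buf.count(")"):
            continue
        lines.append(buf)
        buf = ""
    records, owner = [], origin
    for ln in lines:
        if not ln.strip() or ln.startswith("$"):
            continue
        fields = ln.replace("(", " ").replace(")", " ").split()
        if not ln[0].isspace():                   # leading blank = previous owner
            owner = absolute(fields.pop(0), origin)
        while fields and (TTL_RE.fullmatch(fields[0]) or fields[0].upper() in CLASSES):
            fields.pop(0)                         # optional TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in NAME_TYPES:
            rdata[-1] = absolute(rdata[-1], origin)
        records.append((owner, rtype, " ".join(rdata)))
    return records


def cross_check(forward, reverse):
    """Return (missing_ptr, dangling_ptr): addresses with an A record but no PTR,
    and PTR records whose target holds no A record for that address."""
    a_owners, ptrs = {}, {}
    for owner, rtype, rdata in forward:
        if rtype == "A":
            a_owners.setdefault(rdata, set()).add(owner)
    for owner, rtype, rdata in reverse:
        if rtype == "PTR":                        # 13.1.168.192.in-addr.arpa. -> 192.168.1.13
            octets = owner.rstrip(".").split(".")[:-2]
            ptrs[".".join(reversed(octets))] = rdata
    missing = sorted(ip for ip in a_owners if ip not in ptrs)
    dangling = sorted((ip, n) for ip, n in ptrs.items() if n not in a_owners.get(ip, set()))
    return missing, dangling


if __name__ == "__main__":
    fwd = parse_zone(FORWARD_ZONE, "testdom.inv")
    rev = parse_zone(REVERSE_ZONE, "1.168.192.in-addr.arpa")
    missing, dangling = cross_check(fwd, rev)
    print("A records without PTR:", missing)
    print("PTR records pointing nowhere:", dangling)
```

Run as is, the script reports no missing PTR records but one dangling one: 192.168.1.11 points at ftp.testdom.inv.1.168.192.in-addr.arpa., which is exactly the name named would serve for the dot-less line. Putting the dot back makes the cross-check clean. On the real server, named-checkzone from the bind package performs the syntax half of this check; the forward/reverse comparison is the part you would otherwise do by eye.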
Now we have to change the group ownership of the zone files so that it matches the other files in the directory.
[root@ns1 named]# cd /var/named/chroot/var/named
[root@ns1 named]# chgrp named testdom-*
[root@ns1 named]# ls -l test*
total 48
-rw-r----- 1 root named 325 May 31 11:16 testdom-fz
-rw-r----- 1 root named 318 May 31 11:12 testdom-rz
Finally it's time to start the DNS Service.
[root@ns1 named]# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]
[root@ns1 named]# chkconfig named on
Phase 5:
Finally, it's time for testing. First we install bind-utils, which provides dig:
[root@ns1 named]# yum install bind-utils
Loaded plugins: fastestmirror, presto
Loading mirror speeds from cached hostfile
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind-utils.i686 32:9.7.0-5.P2.el6 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
bind-utils i686 32:9.7.0-5.P2.el6 myyum 173 k
Transaction Summary
================================================================================
Install 1 Package(s)
Upgrade 0 Package(s)
Total download size: 173 k
Installed size: 419 k
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 173 k
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 32:bind-utils-9.7.0-5.P2.el6.i686 1/1
Installed:
bind-utils.i686 32:9.7.0-5.P2.el6
Complete!
[root@ns1 named]#
We will be using the command dig for testing the DNS configuration. dig sends a query and waits for the answer. Here is a demo:
IMPORTANT: The first thing to look for is the status in the header; it should be NOERROR. Any other value means there is a problem, e.g. NXDOMAIN (Non eXisting DOMAIN) or SERVFAIL (SERVer FAILure).
[root@ns1 named]# dig ns1.testdom.inv
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6 <<>> ns1.testdom.inv
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37595
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ns1.testdom.inv. IN A
;; ANSWER SECTION:
ns1.testdom.inv. 86400 IN A 192.168.1.13
;; AUTHORITY SECTION:
testdom.inv. 86400 IN NS ns1.testdom.inv.
;; Query time: 1 msec
;; SERVER: 192.168.1.13#53(192.168.1.13)
;; WHEN: Thu May 31 11:39:52 2012
;; MSG SIZE rcvd: 63
As we can see from the output, the ANSWER SECTION states that the A record (i.e. the IP address) of ns1.testdom.inv. is 192.168.1.13.
[root@ns1 named]# dig -x 192.168.1.13
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6 <<>> -x 192.168.1.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6969
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;13.1.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
13.1.168.192.in-addr.arpa. 86400 IN PTR ns1.testdom.inv.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400 IN NS ns1.testdom.inv.
;; ADDITIONAL SECTION:
ns1.testdom.inv. 86400 IN A 192.168.1.13
;; Query time: 2 msec
;; SERVER: 192.168.1.13#53(192.168.1.13)
;; WHEN: Thu May 31 11:41:27 2012
;; MSG SIZE rcvd: 102
Again, as we can see from the output, the ANSWER SECTION states that the IP address 192.168.1.13 points back (PTR record) to ns1.testdom.inv.
The DNS server should also resolve the www and ftp hosts in testdom.inv. You can also check using nslookup and ping.
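The checklist above (status NOERROR first, then read the ANSWER section) is quick to apply by eye for one host and just as quick to script when every host in the IP database has to be verified after a zone change. The following Python script is an added example, not part of this tutorial or of bind-utils: it parses dig's text output, applies the tutorial's checks plus one more that matters when testing an authoritative server, the aa flag in the flags line (without it the answer came from a cache or a forwarder rather than from your zone file), and maps the status codes to the tutorial's meanings. The first sample is the tutorial's own dig ns1.testdom.inv output; the NXDOMAIN sample for mail.testdom.inv is constructed to show the failure path.

```python
"""Parse dig's text output and apply the checks from Phase 5.
Added example for this tutorial, not part of bind-utils."""
import re

# Constructed input: the tutorial's own 'dig ns1.testdom.inv' output.
DIG_A = """\
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6 <<>> ns1.testdom.inv
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37595
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ns1.testdom.inv.               IN      A
;; ANSWER SECTION:
ns1.testdom.inv.        86400   IN      A       192.168.1.13
;; AUTHORITY SECTION:
testdom.inv.            86400   IN      NS      ns1.testdom.inv.
;; Query time: 1 msec
;; SERVER: 192.168.1.13#53(192.168.1.13)
"""

# Constructed input: what the same server answers for a name the zone lacks.
DIG_NX = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;mail.testdom.inv.              IN      A
;; AUTHORITY SECTION:
testdom.inv.            10800   IN      SOA     ns1.testdom.inv. admin.testdom.inv. 0 86400 3600 604800 10800
;; Query time: 1 msec
;; SERVER: 192.168.1.13#53(192.168.1.13)
"""

STATUS_MEANING = {
    "NOERROR": "query answered",
    "NXDOMAIN": "Non eXisting DOMAIN: the name is not in the zone (spelling, trailing dot?)",
    "SERVFAIL": "SERVer FAILure: named could not load or serve the zone; check the logs",
    "REFUSED": "the server's policy refused the query",
}


def parse_dig(text):
    """Return {'status', 'flags', 'sections'}; each section holds
    (name, ttl, class, type, rdata) tuples."""
    out, section = {"status": None, "flags": [], "sections": {}}, None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            out["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            out["flags"] = re.search(r"flags: ([^;]*);", line).group(1).split()
        elif line.endswith("SECTION:"):
            section = line.split()[1]            # QUESTION, ANSWER, AUTHORITY, ADDITIONAL
            out["sections"][section] = []
        elif line.startswith(";"):
            if line.startswith(";;"):            # footer: Query time, SERVER, WHEN ...
                section = None
        elif section and line.strip():           # a resource record line
            name, ttl, rclass, rtype, rdata = line.split(None, 4)
            out["sections"][section].append((name, int(ttl), rclass, rtype, rdata))
    return out


def ptr_name(ip):
    """The owner name that 'dig -x' looks up for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def verify_answer(text, qname, qtype, expected):
    """Phase 5 checks: status NOERROR, authoritative answer (aa flag), and the
    expected record present in the ANSWER section.  Returns (ok, reason)."""
    d = parse_dig(text)
    if d["status"] != "NOERROR":
        return False, f"status {d['status']}: {STATUS_MEANING.get(d['status'], 'unexpected')}"
    if "aa" not in d["flags"]:
        return False, "not authoritative: answer came from a cache or forwarder, not our zone"
    for name, _ttl, _cls, rtype, rdata in d["sections"].get("ANSWER", []):
        if name == qname and rtype == qtype and rdata == expected:
            return True, f"{qname} {qtype} {rdata} served authoritatively"
    return False, f"no {qtype} {expected} for {qname} in the ANSWER section"


if __name__ == "__main__":
    print(verify_answer(DIG_A, "ns1.testdom.inv.", "A", "192.168.1.13"))
    print(verify_answer(DIG_NX, "mail.testdom.inv.", "A", "192.168.1.10"))
    print(ptr_name("192.168.1.13"))
```

To use it against the live server, feed it the text of `dig @192.168.1.13 www.testdom.inv` (or `dig -x 192.168.1.12`, checking a PTR record with ptr_name() as the query name) for each host in the IP database; a reverse query has passed only when the PTR target is the same name that the forward query resolved.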
Hope this helps.
Thanks a lot.. Very helpful and nice article..
glad to know it was helpful ^_^
no problemo
Hello, I got lost in Phase 3.
Can you please check if your post in Phase 3 is the same as mine.
***** My named.conf
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
directory "/var/named"; // the path of the zone files
forwarders {4.2.2.1; }; // in case of DNS query failure, the IP of the next DNS Server where the queries would be forwarded
};
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
// declaration of the forward zone
zone "testdom.inv" IN {
type master;
file "testdom-fz"; //forward zone file stored in /var/named
allow-update { none; };
};
// declaration of reverse zone
zone "1.11.172.in-addr.arpa" IN {
type master;
file "testdom-rz"; // reverse zone file stored in /var/named
allow-update { none; };
};
Sorry for the late response.
As we are using chroot, we have to put all the relevant files under /var/named/chroot/...
So, the paths would be:
named.conf = /var/named/chroot/etc/named.conf
zone files = /var/named/chroot/var/named
Please make sure of this one first.
Second, I had used the sample named configuration file from /usr/share/doc/bind-9.7.0/sample/etc/named.rfc1912.zones. This one is easier to work with compared to the actual named.conf provided by bind.
Hope this helps.
Sarmed
What about selinux? How do I relabel the newly created files in permissive or enforced configuration?
Here it is:
cd /var/named
restorecon -vFR *
And BTW: there is no need to create the files in /var/named/chroot/var/named, as they are automatically mounted into the chroot environment on startup if they do not exist in the chroot dir.
Those files and dirs are:
/etc/named
/etc/pki/dnssec-keys
/var/named
/etc/named.conf
/etc/named.dnssec.keys
/etc/named.rfc1912.zones
/etc/rndc.conf
/etc/rndc.key
/usr/lib64/bind
/usr/lib/bind
/etc/named.iscdlv.key
/etc/named.root.key
See /etc/init.d/named for details.
If we want to set up a real DNS server for Internet users, will this tutorial help? My server IP will be 180.178.XX.XX (public IP)
As long as you have your authoritative DNS servers registered (for both forward and reverse queries) under the proper authorities, this will work.
This is a late comment but just for the record...
First, many thanks to the author for this very simple but nice and helpful tutorial. It was very useful to me.
In my case I moved named.conf and named.rfc1912.zones from /etc/ to /var/named/chroot/etc and created symbolic links in /etc/
example: [root@zeus ~]# ln -s /var/named/chroot/etc/named.conf /etc/named.conf
Then, I edited named.rfc1912.zones and added my forward and reverse zones. In named.conf, I added forwarders IP addresses.
Similarly, you can move all named.* from /var/named/ to /var/named/chroot/var/named/ and create symbolic links in /var/named/.
In both cases, you have to make sure the group ownership is named. This can be achieved by using:
[root@ns1 named]# chgrp named named.*
There was no need for me to create named.conf from the sample as stated above!!!
thanks for the input.