
DNS Server Configuration

on RHEL/CentOS 7
Step by Step Guide
This document is a quick, step-by-step configuration guide for setting up the BIND
(Berkeley Internet Name Domain) name service, named.

Yogesh Kumar
9/5/2016

Ver 1.0

Table of Contents

1     SETUP INFORMATION ..................................................................... 3
2     PRE-REQUISITE INFRASTRUCTURE CONFIGURATION ............................................ 3
      2.1  STATIC IP FOR DNS SERVER ......................................................... 3
      2.2  LOCAL HOST FILE ON THE DNS SERVER ................................................ 3
      2.3  SELINUX STATUS ................................................................... 3
3     DNS SERVER SOFTWARE INSTALLATION ...................................................... 4
4     ENABLING DNS IP TO ACCEPT THE DNS REQUESTS ............................................ 4
5     FIREWALL SETTINGS ..................................................................... 5
6     DNS SERVER CONFIGURATION .............................................................. 6
      6.1  DNS ZONE FILES ................................................................... 6
7     CONFIGURE PERMISSIONS AND OWNERSHIPS ON BIND CONFIGURATION FILES ..................... 7
8     PERFORM SYNTAX CHECK VALIDATION ON THE CONFIG FILES ................................... 7
9     START THE BIND SERVICES ............................................................... 8
10    DNS SERVER TESTING .................................................................... 8

Page 2 of 9

1 Setup Details

In this lab setup we are going to install and configure the BIND DNS service, named. The DNS server listens for DNS requests on port 53, the default port for the name resolution service, over both TCP and UDP.

Operating System       RHEL or CentOS 7 (x86_64)
Name Server Software   BIND (Berkeley Internet Name Domain)
Master DNS Server      master.opensky.home / 90.10.10.20
DNS Client             centos-client / 90.10.10.50
DNS Port               53
Platform               VMware Workstation
RPM Sources            CentOS Yum Repository (Default)

2 Pre-Requisite Infrastructure Configuration

2.1 STATIC IP FOR DNS SERVER

A static IP on the DNS server's NIC is mandatory: every client and every NS record will point at this address, so it must not change with a DHCP lease.

[root@master ~]# grep -w BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-eth0
BOOTPROTO=static
[root@master ~]#

2.2 LOCAL HOST FILE ON THE DNS SERVER

[root@master ~]# cat /etc/hosts
127.0.0.1     localhost localhost.localdomain localhost4 localhost4.localdomain4
::1           localhost localhost.localdomain localhost6 localhost6.localdomain6
90.10.10.20   master.opensky.home master
[root@master ~]# hostname -i
90.10.10.20
[root@master ~]#

2.3 SELINUX STATUS

In my setup I have kept SELinux disabled; it is up to you whether you want to keep it enabled or disabled. Leaving it enforcing is the better choice: the RHEL 7 targeted policy already lets named read /etc/named.conf and /var/named, and the restorecon steps in section 7 only have an effect when SELinux is enabled.
[root@master ~]# sestatus
SELinux status:                 disabled
[root@master ~]#


3 DNS Server Software Installation

To install the DNS packages we use yum, which resolves and installs any dependency packages itself. bind provides the named daemon; bind-utils provides the dig, nslookup and host tools used for testing later.
[root@master ~]# yum install bind bind-utils
[root@master ~]# rpm -q bind bind-utils

4 Enabling the DNS IP to accept DNS requests

Once the bind packages are installed, the next step is to make named accept requests on the DNS server's IP, 90.10.10.20 in our lab. The stock /etc/named.conf only listens on 127.0.0.1 and only answers queries from localhost. Edit /etc/named.conf by hand to change both settings.
Before
[root@master ~]# grep -w "listen-on port 53" /etc/named.conf
listen-on port 53 { 127.0.0.1; };
[root@master ~]# grep -w "allow-query" /etc/named.conf
allow-query     { localhost; };

After Editing
[root@master ~]# grep -w "listen-on port 53" /etc/named.conf
listen-on port 53 { 127.0.0.1; 90.10.10.20; };
[root@master ~]# grep -w "allow-query" /etc/named.conf
allow-query     { any; };
[root@master ~]#

Caveat: allow-query { any; } is appropriate for the authoritative zones added in section 6, but the stock named.conf also leaves recursion switched on and sets no allow-recursion ACL. With this edit, every host that can reach port 53 can therefore use the server as a recursive resolver (an open resolver, which is abused for DNS amplification). Outside an isolated lab, add an allow-recursion ACL limited to localhost and the lab subnet, or turn recursion off entirely if the server is only meant to be authoritative.

Once these changes are made, enable and start the named service to confirm that the edited configuration is accepted and the service comes up without errors.
[root@master ~]# systemctl enable named.service
[root@master ~]# systemctl start named.service
[root@master ~]# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2016-07-10 03:42:58 AEST; 6s ago
Process: 31177 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
......
[root@master ~]#

Once the named service is started, we can check that named is listening on the DNS server IP on port 53 for both TCP and UDP.

[root@master ~]# netstat -antu | grep -w 53
tcp        0      0 90.10.10.20:53          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp6       0      0 ::1:53                  :::*                    LISTEN
udp        0      0 90.10.10.20:53          0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp6       0      0 ::1:53                  :::*
[root@master ~]#

The output confirms that the DNS server is listening on loopback and on the DNS IP on port 53 for both TCP and UDP.
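The "After Editing" state above is worth checking mechanically before the server is exposed, because the open-resolver condition depends on three options together (allow-query, allow-recursion / allow-query-cache, recursion), not on allow-query alone. The following script is an added example and not part of the original guide: it extracts those options from a named.conf, applies BIND's fallback order for the recursion ACL, and flags the open-resolver combination. The two configuration files it writes are constructed samples: the first mirrors the guide's edited stock file, the second is a hardened variant with an allow-recursion ACL for the lab subnet 90.10.10.0/24 (an assumed subnet). It needs only POSIX sh, sed, tr and mktemp.

```shell
#!/bin/sh
# Added example, not part of the original guide: flag the open-resolver combination
# (allow-query { any; } with recursion on and no recursion ACL) in a named.conf.
# Assumes POSIX sh, sed, tr, mktemp. Both configs below are constructed samples.

# named_opt FILE OPTION: contents of "OPTION { ... }" with comments stripped,
# e.g. named_opt /etc/named.conf allow-query -> "any;" (empty if absent)
named_opt() {
    sed -e 's#//.*##' -e 's/#.*//' "$1" | tr '\n\t' '  ' \
      | sed -n "s/.*[[:space:]]$2[[:space:]]*{\([^}]*\)}.*/\1/p" \
      | tr -s ' ' | sed 's/^ //; s/ $//'
}

# named_value FILE OPTION: value of a simple "OPTION value;" line, e.g. recursion -> "yes"
named_value() {
    sed -e 's#//.*##' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([a-z0-9]*\)[[:space:]]*;.*/\1/p" | head -n 1
}

# The ACL BIND applies to recursive queries: allow-recursion if set, otherwise
# allow-query-cache, otherwise allow-query, otherwise the built-in localhost/localnets.
effective_recursion_acl() {
    for opt in allow-recursion allow-query-cache allow-query; do
        acl=$(named_opt "$1" "$opt")
        if [ -n "$acl" ]; then echo "$acl"; return 0; fi
    done
    echo "localhost; localnets;"
}

# is_open_resolver FILE: true (exit 0) when recursion is on (BIND's default when the
# option is absent) and the effective recursion ACL contains "any".
is_open_resolver() {
    if [ "$(named_value "$1" recursion)" = "no" ]; then return 1; fi
    case " $(effective_recursion_acl "$1") " in
        *" any;"*) return 0 ;;
    esac
    return 1
}

# Constructed sample 1: the guide's "After Editing" state of the stock RHEL 7 named.conf.
write_weak_conf() {
cat > "$1" <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; 90.10.10.20; };
        directory       "/var/named";
        allow-query     { any; };
        recursion yes;
};
EOF
}

# Constructed sample 2: still answers the authoritative zones to anyone, but only
# recurses for localhost and the (assumed) lab subnet.
write_hardened_conf() {
cat > "$1" <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; 90.10.10.20; };
        directory       "/var/named";
        allow-query     { any; };                        // authoritative data for all
        allow-recursion { 127.0.0.1; 90.10.10.0/24; };  // recursion only for the lab
        recursion yes;
};
EOF
}

tmp=$(mktemp -d)
write_weak_conf "$tmp/named.conf.weak"
write_hardened_conf "$tmp/named.conf.hardened"
for f in "$tmp"/named.conf.*; do
    if is_open_resolver "$f"; then echo "OPEN RESOLVER: $f"; else echo "ok:            $f"; fi
done
rm -rf "$tmp"
```

Run it against the real file with is_open_resolver /etc/named.conf after sourcing the functions. If the server is only authoritative, setting recursion to no is simpler than an ACL and also drops the ra flag from its answers; after either change, re-run named-checkconf and restart named as in sections 8 and 9.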

5 Firewall Settings

In enterprise setups the operating-system firewall is often kept off because enterprise firewalls protect the network. In this lab there is no enterprise firewall, so I am not going to disable the local firewall.
We create firewall rules to accept TCP and UDP on port 53 and reload the firewall rules. (firewalld also ships a predefined dns service that opens the same two ports; outside a lab, restrict which source addresses may reach it rather than opening the port to the whole zone.)
[root@master ~]# firewall-cmd --zone=public --add-port=53/tcp --permanent
success
[root@master ~]# firewall-cmd --zone=public --add-port=53/udp --permanent
success
[root@master ~]# firewall-cmd --reload
success
[root@master ~]#

Once the firewall rules are configured and loaded, we can test them with nmap, which can probe both TCP and UDP. Note that scanning the server's own address from the server itself goes over the loopback interface, which firewalld accepts unconditionally; to actually exercise the new rules, run the same two scans from centos-client.
[root@master ~]# nmap -p 53 90.10.10.20
Host is up (-2100s latency).
PORT STATE SERVICE
53/tcp open domain
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
[root@master ~]# nmap -sU -p 53 90.10.10.20
Host is up (0.00075s latency).
PORT STATE SERVICE
53/udp open domain
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
[root@master ~]#


6 DNS Server Configuration

The infrastructure configuration needed to run the DNS service is now complete. Let's define the zones for our opensky.home domain.

6.1 DNS ZONE FILES

First we update /etc/named.conf with the names of the forward and reverse lookup files. Open /etc/named.conf in vi and add the following zone statements before the include statements at the end of the file. The file names are relative to the directory option (/var/named), and allow-update { none; } disables dynamic DNS updates, so the zones can only be changed by editing the files.
zone "opensky.home" IN {
    type master;
    file "forward.opensky";
    allow-update { none; };
};
zone "10.10.90.in-addr.arpa" IN {
    type master;
    file "reverse.opensky";
    allow-update { none; };
};

Now create the forward and reverse lookup files with the following contents.
[root@master ~]# cat /var/named/forward.opensky
$TTL 86400
@       IN  SOA     master.opensky.home. root.opensky.home. (
                2011071001 ;Serial
                3600       ;Refresh
                1800       ;Retry
                604800     ;Expire
                86400      ;Minimum TTL
)
        IN  NS      master.opensky.home.
        IN  A       90.10.10.20
        IN  A       90.10.10.50
master          IN  A   90.10.10.20
centos-client   IN  A   90.10.10.50

[root@master ~]# cat /var/named/reverse.opensky
$TTL 86400
@       IN  SOA     master.opensky.home. root.opensky.home. (
                2011071001 ;Serial
                3600       ;Refresh
                1800       ;Retry
                604800     ;Expire
                86400      ;Minimum TTL
)
@       IN  NS      master.opensky.home.
        IN  PTR     opensky.home.
master          IN  A   90.10.10.20
centos-client   IN  A   90.10.10.50
20      IN  PTR     master.opensky.home.
50      IN  PTR     centos-client.opensky.home.
[root@master ~]#

Two notes on these files. The A records and the apex PTR in the reverse zone serve no purpose for reverse lookups (only the NS record and the numbered PTR records do); named loads them without complaint, but they can be dropped. The serial must be increased every time a zone file is edited, otherwise named keeps serving the old data and any secondary will never transfer the change; the YYYYMMDDnn form used here is the usual convention for doing that by hand.
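Forgetting to bump the serial is the most common reason an edited zone "does not take effect", so it is worth scripting. The script below is an added example and not part of the original guide: it reads the serial from the ";Serial" line, computes the next YYYYMMDDnn value (incrementing the counter when the zone has already been changed the same day, and falling back to serial+1 if the date form cannot grow), and rewrites the file in place. The zone it operates on is a constructed, shortened copy of forward.opensky; the optional second argument to bump_serial fixes the date so the behaviour is reproducible. Assumes POSIX sh, sed, expr, mktemp and date.

```shell
#!/bin/sh
# Added example, not part of the original guide: bump the SOA serial of a zone file
# in the YYYYMMDDnn form used by the guide's zones. Assumes POSIX sh, sed, expr,
# mktemp and date. The sample zone below is a constructed, shortened copy.

# Print the serial: the number on the SOA line that carries the ";Serial" comment.
zone_serial() {
    sed -n 's/^[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;[[:space:]]*Serial.*/\1/p' "$1" | head -n 1
}

# next_serial CURRENT YYYYMMDD: smallest YYYYMMDDnn for that day that is still larger
# than CURRENT; falls back to CURRENT+1 when the date form cannot grow (counter at 99,
# or a serial that is already ahead of the calendar).
next_serial() {
    cur=$1; day=$2
    if [ "${cur%??}" = "$day" ]; then              # already bumped today: nn + 1
        n=$(expr "${cur#$day}" + 1)
        if [ "$n" -le 99 ]; then printf '%s%02d\n' "$day" "$n"; return 0; fi
    elif [ "${day}01" -gt "$cur" ]; then           # first change today
        echo "${day}01"; return 0
    fi
    echo $((cur + 1))
}

# bump_serial ZONEFILE [YYYYMMDD]: rewrite the serial in place and print the new value.
bump_serial() {
    old=$(zone_serial "$1") || return 1
    [ -n "$old" ] || { echo "no ;Serial line in $1" >&2; return 1; }
    new=$(next_serial "$old" "${2:-$(date -u +%Y%m%d)}")
    sed "s/^\([[:space:]]*\)$old\([[:space:]]*;[[:space:]]*Serial\)/\1$new\2/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1" && echo "$new"
}

# Constructed sample: the guide's forward zone, shortened to what matters here.
write_sample_zone() {
cat > "$1" <<'EOF'
$TTL 86400
@       IN  SOA     master.opensky.home. root.opensky.home. (
                2011071001 ;Serial
                3600       ;Refresh
                1800       ;Retry
                604800     ;Expire
                86400      ;Minimum TTL
)
        IN  NS      master.opensky.home.
master          IN  A   90.10.10.20
EOF
}

tmp=$(mktemp -d)
write_sample_zone "$tmp/forward.opensky"
echo "before: $(zone_serial "$tmp/forward.opensky")"
echo "after:  $(bump_serial "$tmp/forward.opensky")"
rm -rf "$tmp"
# On the real server, follow a bump with named-checkzone (section 8) and then
# "rndc reload opensky.home" so named picks up the new file.
```

The comparison in next_serial is numeric, which is how BIND orders serials as well, so the function never produces a value that named would treat as a step backwards.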

7 Configure permissions and ownerships on BIND configuration files

named runs as the unprivileged named user, so the zone files must be readable by the named group; master zones with allow-update { none; } do not need to be writable by it. /etc/named.conf keeps the root:named ownership the bind package installs it with. The restorecon calls reset the SELinux file labels and only matter when SELinux is enabled (section 2.3).
[root@master ~]# chgrp named -R /var/named
[root@master ~]# chown -v root:named /etc/named.conf
ownership of /etc/named.conf retained as root:named
[root@master ~]# restorecon -rv /var/named
[root@master ~]# restorecon /etc/named.conf

8 Perform syntax check validation on the config files

Use named-checkconf to validate the files for syntax errors. With -z it also loads every zone referenced from named.conf, so mistakes in the zone files (a missing trailing dot, an unbalanced SOA parenthesis) surface here as well; a single zone can be checked on its own with named-checkzone. Do this before every restart: a broken zone file is otherwise only discovered when named refuses to serve it.

[root@master ~]# /usr/sbin/named-checkconf -z /etc/named.conf
zone opensky.home/IN: loaded serial 2011071001
zone 10.10.90.in-addr.arpa/IN: loaded serial 2011071001
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
[root@master ~]#


9 Start the BIND services

Perform a clean restart of the named service for these settings to take effect and confirm that it comes up without configuration issues.
[root@master ~]# systemctl stop named.service
[root@master ~]# systemctl start named.service
[root@master ~]# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2016-07-10 07:57:53 AEST; 10s ago
Redirecting to /bin/systemctl restart named.service
[root@master ~]#

10 DNS Server Testing

At this stage we can use our DNS server to resolve the opensky.home domain. To test it from outside the server, we point the client's resolver at it in /etc/resolv.conf.
[root@centos-client /]# cat /etc/resolv.conf
search opensky.home
nameserver 90.10.10.20
[root@centos-client /]#

[root@centos-client /]# nslookup centos-client
Server:         90.10.10.20
Address:        90.10.10.20#53

Name:   centos-client.opensky.home
Address: 90.10.10.50


[root@centos-client /]# nslookup 90.10.10.50
Server:         90.10.10.20
Address:        90.10.10.20#53

50.10.10.90.in-addr.arpa        name = centos-client.opensky.home.

[root@centos-client /]# dig @90.10.10.20 www.opensky.home

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @90.10.10.20 www.opensky.home
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47803
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.opensky.home.              IN      A

;; AUTHORITY SECTION:
opensky.home.           86400   IN      SOA     master.opensky.home. root.opensky.home. 2011071001 3600 1800 604800 86400

;; Query time: 0 msec
;; SERVER: 90.10.10.20#53(90.10.10.20)
;; WHEN: Sat Jul  9 01:28:03 2016
;; MSG SIZE  rcvd: 82
[root@centos-client /]#

These steps confirm the configuration is working: the forward and reverse lookups resolve, and the NXDOMAIN for www.opensky.home carries the aa flag, meaning the server answered from its own zone data that no such record exists rather than handing the query off elsewhere. The ra flag in the same answer shows that recursion is still enabled; see the caveat in section 4 before exposing the server beyond the lab. The steps are the same on RHEL 7.
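The three manual lookups above are the checks worth repeating after every zone or named.conf change, plus one the guide does not run: a query for a name the server is not authoritative for, which tells you whether the querying host is being served as a recursive resolver. The script below is an added example, not part of the original guide. Its helpers parse dig's text output (rcode, aa flag, answer count) and are exercised on constructed sample responses so the script runs offline; the live queries against 90.10.10.20, the zone opensky.home and the client address 90.10.10.50 (all taken from the guide) only run when RUN_LIVE=1 is set and dig from bind-utils is installed. The example.com name in the last live check is an assumed placeholder for "any name outside our zones".

```shell
#!/bin/sh
# Added example, not part of the original guide: repeatable post-setup checks for the
# lab DNS server. Helpers parse dig's text output and are run below on constructed
# samples; live queries need RUN_LIVE=1 and dig (bind-utils). Assumed values come from
# the guide: server 90.10.10.20, zone opensky.home, client 90.10.10.50.

NS=90.10.10.20

# rcode of the dig response on stdin: NOERROR, NXDOMAIN, REFUSED, SERVFAIL ...
# (prints nothing when there is no HEADER line, e.g. after a timeout)
dig_rcode() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# true when the "aa" flag is set, i.e. the server answered from its own zone data
dig_authoritative() {
    grep -q '^;; flags:.* aa[ ;]'
}

# number of records in the ANSWER section, taken from the header line
dig_answer_count() {
    sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# check_response EXPECTED_RCODE < dig-output : 0 on match, 1 with a message otherwise
check_response() {
    got=$(dig_rcode)
    if [ "$got" = "$1" ]; then return 0; fi
    echo "expected $1, got ${got:-<no answer>}" >&2
    return 1
}

# Live checks. The last one asks for a name outside our zones: with recursion
# restricted as recommended in section 4 the answer is REFUSED; NOERROR with an
# answer means this host is being served as a recursive resolver.
run_live_checks() {
    dig @"$NS" centos-client.opensky.home A | check_response NOERROR &&
    dig @"$NS" -x 90.10.10.50               | check_response NOERROR &&
    dig @"$NS" www.opensky.home A           | check_response NXDOMAIN &&
    dig @"$NS" example.com A                | check_response REFUSED
}

# Constructed sample: header of the NXDOMAIN answer the guide shows for www.opensky.home.
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47803
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'

# Constructed sample: a REFUSED answer, what a server that will not recurse for the
# querying host returns for a name outside its zones.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

if [ "${RUN_LIVE:-0}" = 1 ] && command -v dig >/dev/null 2>&1; then
    run_live_checks && echo "all live checks passed"
else
    printf '%s\n' "$SAMPLE_NXDOMAIN" | check_response NXDOMAIN && echo "sample NXDOMAIN parsed"
    printf '%s\n' "$SAMPLE_REFUSED"  | check_response REFUSED  && echo "sample REFUSED parsed"
fi
```

Run it from centos-client with RUN_LIVE=1 so that the firewall rules from section 5 are exercised too. If the last check returns NOERROR instead of REFUSED, the server is recursing for the client; that is what the lab's allow-query { any; } with the stock recursion setting produces, and what the allow-recursion ACL or recursion no from section 4 changes.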

