In this article, you will learn how to set up DNS (Domain Name System) on a Linux/Unix based system. DNS is used to resolve host names: it translates a fully qualified domain name (FQDN) such as www.linuxteck.com into an IP address such as 172.217.166.110 (a forward lookup) and, through reverse zones, an IP address back into a name (a reverse lookup). It is one of the foundations of the internet. When you type a domain name in your browser, a query is sent out to look up the corresponding IP address; once the address is known, the browser can fetch the website. The whole process takes only a few milliseconds. You will see DNS referred to by several names, such as name server, nameserver or domain name system.
Throughout this chapter we will discuss the master/slave DNS concept. A master DNS server is also referred to as a primary DNS server, and a slave DNS server as a secondary DNS server; the slave acts as a backup and shares the query load. The slave retrieves all zone records from the master by zone transfer, so it holds a replica of the master's data. The advantage of running slave servers is redundancy: name resolution keeps working if the master is unavailable for some reason. Both servers answer queries authoritatively, so clients cannot tell whether a master or a slave served their request.
To set up a DNS server on Linux we use the BIND package. BIND stands for Berkeley Internet Name Domain; it is ISC's implementation of the DNS protocol, the server software (named) that answers queries for names and addresses.
This step-by-step guide will help you set up a master-slave DNS server on CentOS/RHEL 7.x.
My Lab Setup :
For the lab setup I am using 3 machines in total: 2 for the servers (master and slave) and 1 client that will use them for name resolution.
BIND Packages : bind, bind-utils
DNS Port : 53 (TCP and UDP)
Note:
In case you need a caching DNS server, check out my previous article, which explains how to set up a caching DNS server on RHEL/CentOS 7.x.
Step 1 : Installing BIND9 on CentOS 7.6
In Terminal you can use either the direct root or sudo to execute the commands.
# :- the prompt shows that the command must be executed with root privileges, either as root or via sudo
$ :- the prompt shows that the command can be executed as a regular (non-privileged) user
Make sure the hostname and IP address of each machine are configured before you continue. The lab uses:
Master DNS Server : masterdns.linuxteck.com, 192.168.0.100
Slave DNS Server : slavedns.linuxteck.com, 192.168.0.101
Client - Machine : lt001.linuxteck.com, 192.168.0.200
Let's move forward and install the BIND package on both the master and the slave (CentOS 7.6):
# yum install bind bind-utils -y
Once BIND is installed, start the service and enable it so that it starts automatically after each reboot and you do not have to start it by hand every time:
# systemctl enable named
# systemctl start named
# systemctl status named
Use the below command to check the version of BIND running on your server
# /usr/sbin/named -v
BIND 9.9.4-RedHat-9.9.4-73.el7_6 (Extended Support Version)
Step 2 : BIND Server Configurations
It is time to edit the main configuration file of the DNS server, 'named.conf', which is located in the '/etc/' directory.
# vi /etc/named.conf
options {
listen-on port 53 { 127.0.0.1; 192.168.0.100; }; ### Master DNS IP ##
// listen-on-v6 port 53 { ::1; }
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { localhost; 192.168.0.0/24; }; ### IP Range ###
allow-transfer { localhost; 192.168.0.101; }; ### Slave DNS IP ###
recursion no;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
# New entries added for the forward zone and reverse zone #
zone "." IN {
type hint;
file "named.ca";
};
zone "linuxteck.com" IN {
type master;
file "forward.linuxteck";
allow-update { none; };
};
zone "0.168.192.in-addr.arpa" IN {
type master;
file "reverse.linuxteck";
allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
The entries that matter in the '/etc/named.conf' file on the master are:
- listen-on: the addresses named binds to; only the loopback and the master's own IP.
- allow-query: who may ask questions at all; restricted to localhost and the 192.168.0.0/24 lab network.
- allow-transfer: who may pull a full copy of the zones (AXFR); only the slave, 192.168.0.101. BIND's default is any, which would hand the complete zone to anyone who asks for it.
- recursion no: this server answers only for the zones it is authoritative for and will not look up other names on behalf of clients, so it cannot be abused as an open resolver or for reflection attacks.
- dnssec-lookaside auto: refers to the ISC DLV registry, which was retired in 2017; the line is harmless on BIND 9.9 but does nothing useful and can be removed.
- zone "linuxteck.com" and zone "0.168.192.in-addr.arpa": the forward and reverse zones this server is master for, with the file names used in Step 3; allow-update { none; } disables dynamic updates.
Note: save and close the file with ':wq!'. A missing semicolon or brace in '/etc/named.conf' will make named fail to start; Step 6 shows how to check the file with named-checkconf before starting the service.
Step 3 : Creating BIND Zones
Now we have to create the zone files (forward and reverse) that we declared in named.conf above. The default location for zone files is the '/var/named' directory.
Note: The easiest way to create the two zone files is to copy the sample file that ships in that directory.
# cd /var/named/
# cp named.localhost forward.linuxteck
# cp named.localhost reverse.linuxteck
Both zone files (forward.linuxteck and reverse.linuxteck) must stay in the /var/named/ directory. First, edit the forward.linuxteck zone file.
# vi /var/named/forward.linuxteck
The copy still contains the sample localhost zone; replace it so that forward.linuxteck contains the following entries:
$TTL 86400
@ IN SOA masterdns.linuxteck.com. root.linuxteck.com. (
2011071001 ; serial
3600 ; refresh
1800 ; retry
604800 ; expire
86400 ) ; minimum
@ IN NS masterdns.linuxteck.com. ;Our Name Server
@ IN NS slavedns.linuxteck.com.
@ IN A 192.168.0.100 ;Name Server to IP resolve
@ IN A 192.168.0.101
masterdns IN A 192.168.0.100
slavedns IN A 192.168.0.101 ;Hosts
lt001 IN A 192.168.0.200 ;Client
Note: save and close the file using ‘:wq!’
Record types used in the zone files above :
- SOA – Start of Authority; names the primary server and the administrator mailbox (root.linuxteck.com. means root@linuxteck.com) and carries the serial number and the refresh/retry/expire timers. The slave compares the serial with its own copy and only transfers the zone when the master's serial is higher, so increase it on every change (the YYYYMMDDnn convention used here makes that easy).
- NS – Name Server; lists the servers that are authoritative for the domain.
- A – Address; maps a host name (www, ftp, mail and so on) to one or more IPv4 addresses.
- PTR – Pointer; used in the reverse zone to map an IP address back to a host name.
Next, create the reverse zone file under the '/var/named/' directory with PTR records that point back to the hosts in the forward zone. Only NS records and the PTR records for the individual addresses belong here; A records go in the forward zone. The owner of each PTR is the last octet of the address, relative to the zone origin 0.168.192.in-addr.arpa, and the target must be a fully qualified name ending in a dot: a bare 'lt001.' would make 192.168.0.200 resolve to the top-level name lt001 instead of lt001.linuxteck.com.
$TTL 86400
@ IN SOA masterdns.linuxteck.com. root.linuxteck.com. (
2011071001 ; serial
3600 ; refresh
1800 ; retry
604800 ; expire
86400 ) ; minimum
@ IN NS masterdns.linuxteck.com. ; Name servers
@ IN NS slavedns.linuxteck.com.
100 IN PTR masterdns.linuxteck.com. ; 192.168.0.100 -> masterdns
101 IN PTR slavedns.linuxteck.com. ; 192.168.0.101 -> slavedns
200 IN PTR lt001.linuxteck.com. ; 192.168.0.200 -> client
Note: save and close the file using ‘:wq!’
That’s it, the zone data is in place. Before starting the DNS service, however, we must check a few more things.
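As an added example that is not part of the original tutorial: a small Python 3 script (standard library only) that parses the two zone files above and checks that every A record has a matching PTR and that every PTR points back at a name that has an A record. The zone contents are embedded as a constructed copy of this lab's forward.linuxteck and reverse.linuxteck so the script runs offline; check_consistency() can equally be fed the text of the real files under /var/named. It also reports the SOA serial of each file, since the slave only re-transfers a zone when the master's serial has grown.

```python
"""Check that the forward and reverse zone files agree with each other.

Added example, not part of the original tutorial. The zone contents below are a
constructed copy of the lab's forward.linuxteck and reverse.linuxteck files.
"""

FORWARD_ORIGIN = "linuxteck.com."
REVERSE_ORIGIN = "0.168.192.in-addr.arpa."

FORWARD_ZONE = """\
$TTL 86400
@ IN SOA masterdns.linuxteck.com. root.linuxteck.com. (
        2011071001 ; serial
        3600 ; refresh
        1800 ; retry
        604800 ; expire
        86400 ) ; minimum
@ IN NS masterdns.linuxteck.com.
@ IN NS slavedns.linuxteck.com.
@ IN A 192.168.0.100
@ IN A 192.168.0.101
masterdns IN A 192.168.0.100
slavedns IN A 192.168.0.101
lt001 IN A 192.168.0.200 ; client
"""

REVERSE_ZONE = """\
$TTL 86400
@ IN SOA masterdns.linuxteck.com. root.linuxteck.com. (
        2011071001 ; serial
        3600 ; refresh
        1800 ; retry
        604800 ; expire
        86400 ) ; minimum
@ IN NS masterdns.linuxteck.com.
@ IN NS slavedns.linuxteck.com.
100 IN PTR masterdns.linuxteck.com.
101 IN PTR slavedns.linuxteck.com.
200 IN PTR lt001.linuxteck.com.
"""


def parse_zone(text, origin):
    """Yield (owner, rtype, rdata_tokens) with absolute, lower-cased owner names.

    Handles ';' comments and the multi-line SOA in parentheses. Every record
    must carry an explicit owner name; a per-record TTL before the class is optional.
    """
    if not origin.endswith("."):
        origin += "."
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth:                                      # still inside ( ... )
            continue
        tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if tokens[0].startswith("$"):                  # $TTL and other directives
            continue
        owner, rest = tokens[0], tokens[1:]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        if rest and rest[0].isdigit():                 # optional per-record TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"malformed record: {' '.join(tokens)}")
        yield owner.lower(), rest[0].upper(), rest[1:]


def soa_serial(text, origin):
    """Serial number from the zone's SOA record (third rdata field)."""
    for _, rtype, rdata in parse_zone(text, origin):
        if rtype == "SOA":
            return int(rdata[2])
    raise ValueError("zone has no SOA record")


def ptr_owner_to_ip(owner):
    """'100.0.168.192.in-addr.arpa.' -> '192.168.0.100'; None unless a full /32 name."""
    labels = owner.rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))


def check_consistency(forward_text, reverse_text,
                      forward_origin=FORWARD_ORIGIN, reverse_origin=REVERSE_ORIGIN):
    """Return a list of human-readable findings; an empty list means the zones agree."""
    forward = {}                                       # ip -> {owner names with an A record}
    for owner, rtype, rdata in parse_zone(forward_text, forward_origin):
        if rtype == "A":
            forward.setdefault(rdata[0], set()).add(owner)
    reverse = {}                                       # ip -> PTR target
    for owner, rtype, rdata in parse_zone(reverse_text, reverse_origin):
        ip = ptr_owner_to_ip(owner) if rtype == "PTR" else None
        if ip:
            reverse[ip] = rdata[0].lower()
    findings = []
    for ip, names in sorted(forward.items()):
        target = reverse.get(ip)
        if target is None:
            findings.append(f"{ip}: A record(s) for {sorted(names)} but no PTR")
        elif target not in names:
            findings.append(f"{ip}: PTR -> {target}, but no A record of that name points back")
    for ip, target in sorted(reverse.items()):
        if ip not in forward:
            findings.append(f"{ip}: PTR -> {target} but no A record in the forward zone")
    return findings


def check_lab_zones():
    """Run the check on the embedded sample zones."""
    return check_consistency(FORWARD_ZONE, REVERSE_ZONE)


if __name__ == "__main__":
    for name, text, origin in (("forward", FORWARD_ZONE, FORWARD_ORIGIN),
                               ("reverse", REVERSE_ZONE, REVERSE_ORIGIN)):
        print(f"{name} zone serial: {soa_serial(text, origin)}")
    problems = check_lab_zones()
    print("\n".join(problems) if problems else "forward and reverse zones agree")
```

The parser is deliberately minimal (explicit owner on every record, class IN, no $ORIGIN or $INCLUDE); it is meant as a pre-commit sanity check before you bump the serial, not as a replacement for named-checkzone, which still validates syntax against the zone origin.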
Step 4 : SELinux
Just for additional information: most Linux distributions today ship SELinux, a mandatory access control layer that adds real protection to the system but also some extra complexity to administering it.
On a system running SELinux, every process and file carries a label, the SELinux context, which the policy uses to decide whether an access is allowed or denied. A context has four colon-separated fields: SELinux user, role, type and MLS level, for example system_u:object_r:named_zone_t:s0. The type is what matters here: named is only permitted to read zone files labelled named_zone_t, while the directories it writes to (slaves, data, dynamic) carry the writable type named_cache_t. A zone file with the wrong type is unreadable to named even when the Unix permissions look correct, and the only trace is a denial in the audit log. Please see the SELinux documentation for more information.
For files, this is viewed using the ls -Z command:
# cd /var/named/
# ls -Z
If the listing shows the two new files with a type other than named_zone_t, named will not be able to read them. There are several tools for managing file contexts: chcon, semanage fcontext and restorecon. restorecon re-applies the label from the policy's file-context database, which already has a rule for /var/named, and the result survives a future relabel; chcon sets a label directly and is lost on the next relabel, so prefer restorecon. Ownership should follow least privilege: the package installs /var/named as root:named with only the slaves, data and dynamic subdirectories writable by named, and the master's zone files only need to be readable by that group.
# chown root:named /var/named/forward.linuxteck /var/named/reverse.linuxteck
# restorecon -rv /var/named
If you must set the label by hand instead, chcon does the same for the two files:
# chcon system_u:object_r:named_zone_t:s0 /var/named/forward.linuxteck
# chcon system_u:object_r:named_zone_t:s0 /var/named/reverse.linuxteck
Either way, ls -Z should now show named_zone_t for forward.linuxteck and reverse.linuxteck, which is the right context.
Now, restart the BIND Services
# systemctl restart named
Step 5 : Firewall Configuration
We need to allow DNS traffic (TCP and UDP port 53) through the firewall. TCP is not optional: zone transfers to the slave and responses too large for UDP use it.
# firewall-cmd --permanent --add-port=53/tcp
# firewall-cmd --permanent --add-port=53/udp
(firewalld's predefined dns service, added with --add-service=dns, opens the same two ports.)
Reload the firewall service
# firewall-cmd --reload
If you want to know more about firewalld services, have a look at this article on 15 basic useful firewall-cmd commands in Linux.
Step 6 : Test the BIND configuration for syntax errors
Run the following command:
# named-checkconf /etc/named.conf
If there is 'NO OUTPUT', then the configuration file is treated as valid.
Similarly, test the Forward &Reverse zone files as well.
Forward :
# named-checkzone linuxteck.com /var/named/forward.linuxteck
Output :
zone linuxteck.com/IN: loaded serial 2011071001
OK
If you see “OK” as above, the forward zone file is properly configured.
Reverse:
# named-checkzone 0.168.192.in-addr.arpa /var/named/reverse.linuxteck
Output :
zone 0.168.192.in-addr.arpa/IN: loaded serial 2011071001
OK
If you see “OK” as above, the reverse zone file is also properly configured. The first argument is the zone origin, so the reverse zone must be checked under its in-addr.arpa name; checking it as linuxteck.com would still load, but against the wrong origin, and would not tell you anything about the PTR records.
Step 7 : Add DNS Server details in your interface config file
Now we need to add our DNS IP to the network interface
# vi /etc/sysconfig/network-scripts/ifcfg-enp1s0
Add DNS IP as highlighted below :
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=enp1s0
UUID=11b2bf56-a0d8-4282-bf6f-d59be143f8e9
DEVICE=enp1s0
ONBOOT=yes
IPADDR=192.168.0.100
PREFIX=24
GATEWAY=192.168.0.1
DNS1=192.168.0.100
IPV6_PRIVACY=no
Note : save and close the file using ‘:wq!’
Step 8 : Add DNS name servers address into /etc/resolv.conf
# vi /etc/resolv.conf
Add the name server IP address:
nameserver 192.168.0.100
Note: when NetworkManager manages the interface it rewrites /etc/resolv.conf from the DNS1/DNS2 entries of the ifcfg file on every restart, so keep the two in agreement; the ifcfg entry from Step 7 is the one that persists. Restart the network service:
# systemctl restart network
Step 9 : Test DNS Server with ‘dig & nslookup’
# dig masterdns.linuxteck.com
# dig -x 192.168.0.100
# nslookup masterdns.linuxteck.com
Finally, our primary (master) DNS server is ready! We can now go ahead and configure our secondary (slave) DNS server.
Step 10 : Slave Server setup
The BIND package and its installation on the slave are the same as on the master. To configure the slave, edit '/etc/named.conf' and start the BIND service; the zone files (forward and reverse) are then transferred from the master automatically.
Install bind packages using the following command:
# yum install bind bind-utils -y
Step 11 : Edit slave bind configuration file /etc/named.conf :
# vi /etc/named.conf
options {
listen-on port 53 { 127.0.0.1; 192.168.0.101; }; ##Slave Server IP
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { localhost; 192.168.0.0/24; }; ##Add the network address
allow-transfer { none; }; ## nobody needs to pull zones from the slave; BIND's default is any
recursion no;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
## Add two zone files ###
zone "linuxteck.com" IN {
type slave;
file "slaves/linuxteck.fwd.zone";
masters { 192.168.0.100; };
};
zone "0.168.192.in-addr.arpa" IN {
type slave;
file "slaves/linuxteck.rev.zone";
masters { 192.168.0.100; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
As you can see, the configuration is very similar to the master's. The slave carries the same zones as the master, but configured as type slave with the master's address under masters. Zone files do not need to be created by hand; they are replicated from the master into the slaves/ directory, which is why that directory (unlike the master's zone files) must be writable by named. The slave should also carry allow-transfer { none; } in its options: BIND's default is any, which would let anyone pull a full copy of the zones from the slave even though the master restricts transfers to the slave alone.
Note: save and exit the file using ‘:wq!’. If you have missed a semicolon or brace in ‘/etc/named.conf’, an error message will appear when the bind service starts; run named-checkconf first, as in Step 6.
Step 12 : start the bind service and enable it for the next reboot:
# systemctl enable named
# systemctl start named
If all goes well, the slave has replicated the zone records from the master and written its copies to ‘/var/named/slaves/’ on the slave DNS server. If the directory stays empty, check /var/log/messages on both sides: the master logs each transfer request and whether it was allowed, and the slave logs the outcome of its refresh.
# ls -l /var/named/slaves/
linuxteck.fwd.zone
linuxteck.rev.zone
Step 13 : Add DNS Server details in the slave interface config file
# vi /etc/sysconfig/network-scripts/ifcfg-enp1s0
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=enp1s0
UUID=15f2bf56-a0d8-4286-bf8f-d59be258f8p9
DEVICE=enp1s0
ONBOOT=yes
IPADDR=192.168.0.101
PREFIX=24
GATEWAY=192.168.0.1
DNS1=192.168.0.100
DNS2=192.168.0.101
IPV6_PRIVACY=no
Note : save and close the file using ‘:wq!’
Step 14 : Add DNS name servers address into /etc/resolv.conf
Add the name server (Master & Slave)IP address:
# vi /etc/resolv.conf
nameserver 192.168.0.100
nameserver 192.168.0.101
Note : save and close the file using ‘:wq!’
Step 15 : Firewall Configuration
# firewall-cmd --permanent --add-port=53/tcp
# firewall-cmd --permanent --add-port=53/udp
Reload Firewall service :
# firewall-cmd --reload
Step 16 : SELinux
Use the following commands to set the ownership and restore the SELinux context of the slave's BIND files (the slaves/ directory is where the transferred zones are written, so it must remain writable by the named group):
# chgrp named -R /var/named
# chown -v root:named /etc/named.conf
# restorecon -rv /var/named
# restorecon /etc/named.conf
That's it ! for the SLAVE configuration.
Step 17 : Setup DNS configuration to the client
Edit the client's /etc/resolv.conf file and add the IP addresses of both the master and the slave DNS servers.
# vi /etc/resolv.conf
nameserver 192.168.0.100
nameserver 192.168.0.101
Now we can test forward and reverse lookups using dig and nslookup as below:
# nslookup lt001.linuxteck.com
# nslookup 192.168.0.200
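Worked example, added here and not part of the original tutorial: a Python 3 probe (standard library only) that performs the three checks a security reviewer wants after Steps 9 and 17, against the master and slave addresses of this lab. It asks each server for the zone's SOA and expects an authoritative answer; asks it to resolve a foreign name with the recursion-desired bit set and expects REFUSED, which is what BIND returns with recursion no; and requests a zone transfer over TCP and expects REFUSED from any host that is not in allow-transfer. Run it from the client lt001, which is allowed to query but not to transfer; run the same from the slave and the AXFR against the master should succeed, because 192.168.0.101 is in the master's allow-transfer list. The DNS wire encoding and decoding is hand-rolled so the script has no dependencies; www.example.com is simply a name these servers are not authoritative for.

```python
"""Probe an authoritative BIND server for an open resolver and open zone transfer.

Added example, not part of the original tutorial; uses only the standard library.
"""
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "SOA": 6, "PTR": 12, "AXFR": 252}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234, rd=True):
    """One question, class IN. RD=1 asks the server to recurse on our behalf."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def parse_header(msg):
    """Decode the 12-byte DNS header; the flags are all we need for the verdicts."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),        # response bit
        "aa": bool(flags & 0x0400),        # authoritative answer
        "ra": bool(flags & 0x0080),        # recursion available
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def udp_query(server, name, qtype, timeout=3.0):
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_header(data)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def tcp_query(server, name, qtype, timeout=5.0):
    """TCP DNS prefixes each message with a 2-byte length. AXFR is TCP-only and may
    span several messages; the first one already carries the rcode we care about."""
    q = build_query(name, qtype)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return parse_header(_recv_exact(s, length))


def classify_recursion(hdr):
    """Verdict for a recursive query about a name the server is not authoritative for."""
    if hdr["rcode"] == "NOERROR" and hdr["answers"] > 0:
        return "OPEN RESOLVER"
    if hdr["rcode"] == "REFUSED" and not hdr["ra"]:
        return "recursion refused"
    return f"unexpected: {hdr['rcode']} (ra={hdr['ra']})"


def classify_axfr(hdr):
    """Verdict for an AXFR request; only hosts in allow-transfer should get NOERROR."""
    if hdr["rcode"] == "REFUSED":
        return "transfer refused"
    if hdr["rcode"] == "NOERROR" and hdr["answers"] > 0:
        return "TRANSFER ALLOWED"
    return f"unexpected: {hdr['rcode']}"


def audit(server, zone, foreign_name="www.example.com"):
    """Run all three probes against one server and return the verdicts."""
    return {
        "authoritative_for_zone": udp_query(server, zone, "SOA")["aa"],
        "recursion": classify_recursion(udp_query(server, foreign_name, "A")),
        "axfr": classify_axfr(tcp_query(server, zone, "AXFR")),
    }


if __name__ == "__main__":
    for srv in ("192.168.0.100", "192.168.0.101"):   # lab master and slave
        print(srv, audit(srv, "linuxteck.com"))
```

From lt001 you want authoritative_for_zone True, recursion "recursion refused" and axfr "transfer refused" from both servers. From the slave, the master's axfr verdict should flip to TRANSFER ALLOWED; any other host that gets that verdict from either server means an allow-transfer list is too loose, and an OPEN RESOLVER verdict means recursion is on and the server can be used for amplification attacks against third parties.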
The master and slave DNS servers have been configured successfully. I believe this article will help those who are looking to set up the same on their end. Drop me your feedback/comments.
Thank you!!
1 reply on “How to Install and configure Master /Slave DNS in Centos /RHEL 7.6 - LinuxTeck”
Please show how to configure dnssec