How to Install and configure Master /Slave DNS in Centos /RHEL 7.6 - LinuxTeck


This article will help you set up DNS (Domain Name System) on a Linux/Unix-based system. DNS is mainly used to resolve host names: it maps a fully qualified domain name (FQDN) such as www.linuxteck.com or www.google.com to an IP address such as 166.62.27.62 or 172.217.166.110. It is one of the foundations of the internet. When you enter a domain name in a browser, it sends a query over the network to look up the IP address that corresponds to the domain. Once identified, it uses the IP address to retrieve the website's information. This whole process takes only milliseconds. A DNS server goes by several names, such as name server, domain name system and nameserver.

Here we look at the Master/Slave DNS concept. The Master DNS server is also known as the Primary DNS server. On Linux, we will use BIND, a popular DNS server package. BIND stands for Berkeley Internet Name Domain; it implements the DNS service/protocol that translates domain names to IP addresses and IP addresses back to domain names.

The Slave DNS server is also known as a Secondary DNS server. It acts as a backup for, or shares load with, the main DNS server (the Master), and it fetches all DNS zone records from the Master. The Slave is essentially a copy of the Master DNS server. Its main advantage is redundancy: when the Master goes down or becomes unavailable for some reason, the Slave still accepts queries from end users. Users may not know whether a request was answered by the Master or the Slave; they simply get the result.

This step-by-step guide will help you set up a Master-Slave DNS server on CentOS/RHEL 7.6.

My Lab Setup :

For the lab setup, I am using 3 machines in total: 2 for the server setup (Master and Slave) and 1 as a client to connect to the DNS server.


BIND Packages :


DNS Port :


Step 1 : Installing BIND9 on CentOS 7.6

In the terminal you can run the commands either directly as root or with sudo.

#:- this prompt shows that the command must be executed with root privileges (as root or through sudo)

$:- this prompt shows that the command can be executed as a regular (non-privileged) user

Make sure you have configured the hostname and IP address on your machines. To cross-verify, execute the command below.

Master DNS Server


Slave DNS Server


Client-Machine


Let us move forward and install the BIND packages on both the Master and the Slave (CentOS 7.6):

# yum install bind bind-utils -y

Once your BIND applications are installed, you need to start the service and enable it to begin automatically after each reboot, so that you don’t have to start manually each time.

# systemctl enable named

# systemctl start named

# systemctl status named

Use the below command to check the version of BIND running on your server

# /usr/sbin/named -v

BIND 9.9.4-RedHat-9.9.4-73.el7_6 (Extended Support Version)

Step 2 : BIND Server Configurations

It is time to edit the main configuration file of the DNS server, ‘named.conf’, which is located under the ‘/etc/’ directory.

# vi /etc/named.conf

 

options {
        listen-on port 53 { 127.0.0.1; 192.168.0.100; };     ### Master DNS IP ##
//      listen-on-v6 port 53 { ::1; }
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file "/var/named/data/named.recursing";
        secroots-file "/var/named/data/named.secroots";
        allow-query { localhost; 192.168.0.0/24; };          ### IP Range ###
        allow-transfer { localhost; 192.168.0.101; };        ### Slave DNS IP ###

        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

# New entries added for forward zone and reverse zone #

zone "." IN {
        type hint;
        file "named.ca";
};

zone "linuxteck.com" IN {
        type master;
        file "forward.linuxteck";
        allow-update { none; };
};

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "reverse.linuxteck";
        allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

 

The following is a short explanation of the entries added/highlighted in the '/etc/named.conf' file to set up the Master:


Note: save and close the file using ‘:wq!’. If you have missed any semicolon or brace in the ‘/etc/named.conf’ file, an error message will appear when the BIND service starts.

Step 3 : Creating BIND Zones

Now we have to build the zone files (forward and reverse) that we declared in named.conf above. By default, zone lookup files are placed in the '/var/named' directory.


Note: The easiest way to create the two zone files is to copy the sample zone file from the default zone location.

# cd /var/named/

# cp named.localhost forward.linuxteck

# cp named.localhost reverse.linuxteck

Make sure both zone files (forward.linuxteck and reverse.linuxteck) are kept under the /var/named/ directory. First, edit the forward.linuxteck zone file.

# vi /var/named/forward.linuxteck

Before editing the forward.linuxteck zone file, let us have a look at the sample zone file:


After defining the required entries, the forward.linuxteck zone file looks like this:

$TTL 86400
@           IN  SOA  masterdns.linuxteck.com. root.linuxteck.com. (
                     2011071001  ; serial
                     3600        ; refresh
                     1800        ; retry
                     604800      ; expire
                     86400 )     ; minimum

@           IN  NS   masterdns.linuxteck.com.    ;Our Name Server
@           IN  NS   slavedns.linuxteck.com.

@           IN  A    192.168.0.100               ;Name Server to IP resolve
@           IN  A    192.168.0.101

masterdns   IN  A    192.168.0.100
slavedns    IN  A    192.168.0.101               ;Hosts
lt001       IN  A    192.168.0.200               ;Client

Note: save and close the file using ‘:wq!’

Special keywords for Zone Files used above :

  • A – An address record maps a host name (such as www, ftp or mail) to one or more IP addresses.
  • NS – Name Server, specify the servers which are providing DNS services for that domain name.

Next create a new zone file for the reverse zone under ‘/var/named/’ directory, to create a reverse pointer to the above forward zone entries.

$TTL 86400
@           IN  SOA  masterdns.linuxteck.com. root.linuxteck.com. (
                     2011071001  ; serial
                     3600        ; refresh
                     1800        ; retry
                     604800      ; expire
                     86400 )     ; minimum

@           IN  NS   masterdns.linuxteck.com.
@           IN  NS   slavedns.linuxteck.com.     ; Name Server's
@           IN  PTR  linuxteck.com.

masterdns   IN  A    192.168.0.100               ; Record (IP) points to hostname
slavedns    IN  A    192.168.0.101

100         IN  PTR  masterdns.linuxteck.com.
101         IN  PTR  slavedns.linuxteck.com.     ; Hosts
200         IN  PTR  lt001.linuxteck.com.        ;Client

Note: save and close the file using ‘:wq!’

That’s it, we have successfully configured our BIND server. All we need is to start the DNS service, but before starting it we must check a few more things.

Step 4 : SELinux

Just for additional information: today, most Linux systems enforce SELinux, a far-reaching security enhancement that changes the character of system security but also requires us to deal with some added complexity in managing our systems.

On machines running SELinux, all processes and files are labeled in a way that represents security-relevant information. This information is referred to as the SELinux context. The context has 4 fields, each separated by a colon (:): SELinux user, SELinux role, type, and multilevel security (MLS) level. Policy rules use this context to allow or deny access, which guards your server beyond the regular file permissions. A newly created file must carry a context that permits access; otherwise SELinux prevents writing to or executing the file.

For files, the context is viewed using the ls -Z command:

# cd /var/named/

# ls -Z


The newly created files highlighted above show the wrong SELinux context, so we need to change their security context. There is more than one command for managing the SELinux context of files, such as chcon, semanage fcontext and restorecon.

Here I use ‘chcon’:

# chown named:named -R /var/named ; restorecon -rv /var/named

# chcon system_u:object_r:named_zone_t:s0 /var/named/forward.linuxteck

# chcon system_u:object_r:named_zone_t:s0 /var/named/reverse.linuxteck

Now the security context of the forward.linuxteck and reverse.linuxteck files has been changed to the right one.


Now, restart the BIND Services

# systemctl restart named

Step 5 : Firewall Configuration

We need to permit TCP and UDP port 53 in the firewall rules so that DNS traffic can reach the server.

# firewall-cmd  --permanent --add-port=53/tcp

# firewall-cmd  --permanent --add-port=53/udp

Reload the firewall service

# firewall-cmd --reload

 

Step 6 : Test my bind configuration for any syntax errors

Run command as follows:

# named-checkconf /etc/named.conf

If there is 'NO OUTPUT', then the configuration file is treated as valid.

Similarly, test the forward and reverse zone files as well.

Forward :

# named-checkzone linuxteck.com /var/named/forward.linuxteck

Output :


If you see “OK” as above, the forward zone file is properly configured.

Reverse:

# named-checkzone 0.168.192.in-addr.arpa /var/named/reverse.linuxteck

Output :


If you see “OK” as above, the reverse zone file is also properly configured.
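named-checkzone validates each zone file on its own, so it does not notice a PTR record whose target differs from the name in the forward zone. The script below is an added example, not part of the original article, that cross-checks the A records of a forward zone against the PTR records of the matching /24 reverse zone; the function names and the sample records (modelled on the zone files above, with one PTR target deliberately left unqualified) are constructed for illustration.

```shell
#!/bin/sh
# Added example: cross-check forward A records against reverse PTR records.

# write_samples DIR: constructed sample zones modelled on the article's files.
write_samples() {
    cat > "$1/forward.sample" <<'EOF'
masterdns   IN  A   192.168.0.100
slavedns    IN  A   192.168.0.101
lt001       IN  A   192.168.0.200   ; client
EOF
    cat > "$1/reverse.sample" <<'EOF'
100  IN  PTR  masterdns.linuxteck.com.
101  IN  PTR  slavedns.linuxteck.com.
200  IN  PTR  lt001.                  ; target is not fully qualified
EOF
}

# check_ptr FORWARD REVERSE DOMAIN NETPREFIX
# Prints one line per problem; returns 0 only if every A record inside
# NETPREFIX has a PTR that points back to the same fully qualified name.
check_ptr() {
    awk -v domain="$3" -v net="$4" '
        { sub(/;.*/, "") }                          # strip zone-file comments
        FNR == NR {                                 # first file: forward zone
            if ($2 == "IN" && $3 == "A" && $1 != "@" && index($4, net ".") == 1) {
                split($4, octet, ".")
                want[octet[4]] = $1 "." domain "."  # last octet -> expected name
            }
            next
        }
        $2 == "IN" && $3 == "PTR" && $1 ~ /^[0-9]+$/ { have[$1] = $4 }
        END {
            for (h in want) {
                if (!(h in have)) {
                    print "MISSING " net "." h " has no PTR for " want[h]; bad++
                } else if (have[h] != want[h]) {
                    print "MISMATCH " net "." h " PTR " have[h] " expected " want[h]; bad++
                }
            }
            exit (bad > 0)
        }' "$1" "$2"
}

# Demo on the constructed samples.
tmp=$(mktemp -d) && write_samples "$tmp"
check_ptr "$tmp/forward.sample" "$tmp/reverse.sample" linuxteck.com 192.168.0 \
    || echo "reverse zone needs fixing before the serial is bumped"
rm -rf "$tmp"
```

Against real files the call would be check_ptr /var/named/forward.linuxteck /var/named/reverse.linuxteck linuxteck.com 192.168.0.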

Step 7 : Add DNS Server details in your interface config file

Now we need to add our DNS IP into the network interface

# vi /etc/sysconfig/network-scripts/ifcfg-enp1s0

Add the DNS IP as highlighted below :

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=enp1s0
UUID=11b2bf56-a0d8-4282-bf6f-d59be143f8e9
DEVICE=enp1s0
ONBOOT=yes
IPADDR=192.168.0.100
PREFIX=24
GATEWAY=192.168.0.1
DNS1=192.168.0.100
IPV6_PRIVACY=no

Note : save and close the file using ‘:wq!’

Step 8 : Add DNS name servers address into /etc/resolv.conf

# vi /etc/resolv.conf

Add the name server ip address:

nameserver 192.168.0.100

Restart network service

# systemctl restart network

Step 9 : Test DNS Server with ‘dig & nslookup’

# dig masterdns.linuxteck.com


# dig -x 192.168.0.100


# nslookup masterdns.linuxteck.com


Finally, our Primary (Master) DNS server is ready! Now we can move ahead and configure our Secondary (Slave) DNS server.

Step 10 : Slave Server setup

The BIND packages and installation steps for the Slave DNS server are the same as for the Master. To configure the Slave DNS server, edit ‘/etc/named.conf’ and start the BIND service; the zone files (forward and reverse) are then transferred automatically.

Install bind packages using the following command:

# yum install bind bind-utils -y

Step 11 : Edit slave bind configuration file /etc/named.conf :

# vi /etc/named.conf

 

options {
        listen-on port 53 { 127.0.0.1; 192.168.0.101; };     ##Slave Server IP
//      listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file "/var/named/data/named.recursing";
        secroots-file "/var/named/data/named.secroots";
        allow-query { localhost; 192.168.0.0/24; };          ##Add the network address

        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

## Add two zone files ###

zone "linuxteck.com" IN {
        type slave;
        file "slaves/linuxteck.fwd.zone";
        masters { 192.168.0.100; };
};

zone "0.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/linuxteck.rev.zone";
        masters { 192.168.0.100; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

As you can see, the configuration is very similar to the master's. The slave's configuration carries the same zones as the master, but they are configured as type slave. Zone files do not need to be created because they are replicated from the master.

Note: save and exit the file using ‘:wq!’. If you have missed any semicolon or brace in the ‘/etc/named.conf’ file, an error message will appear when the BIND service starts.
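The master's options block restricts zone transfers with allow-transfer, while the slave's options block above has no such statement; on the BIND 9.9 release used in this article, a server without allow-transfer permits transfers to any host. The script below is an added example, not part of the original article, that audits a named.conf for this and for the recursion setting; the function names and the trimmed-down sample configurations are constructed for illustration.

```shell
# Added example (not from the article): audit named.conf transfer/recursion settings.
# write_conf_samples DIR: constructed, trimmed-down master and slave configs.
write_conf_samples() {
    cat > "$1/master.conf" <<'EOF'
options {
    allow-query { localhost; 192.168.0.0/24; };
    allow-transfer { localhost; 192.168.0.101; };   ### Slave DNS IP ###
    recursion no;
};
zone "linuxteck.com" IN { type master; file "forward.linuxteck"; allow-update { none; }; };
EOF
    cat > "$1/slave.conf" <<'EOF'
options {
    allow-query { localhost; 192.168.0.0/24; };
    recursion no;
};
zone "linuxteck.com" IN { type slave; file "slaves/linuxteck.fwd.zone"; masters { 192.168.0.100; }; };
EOF
}

# audit_named_conf FILE: prints findings, returns 1 if there are any.
# Handles //, # and single-line /* */ comments. A missing options-level
# allow-transfer is reported even if zones set their own (conservative).
audit_named_conf() {
    awk '
        { sub(/\/\/.*|#.*/, ""); gsub(/\/\*[^*]*\*\//, ""); conf = conf " " $0 }
        END {
            gsub(/[{};]/, " & ", conf)        # braces and ";" become tokens
            n = split(conf, t, " ")
            sos = 1                           # next word starts a statement
            for (i = 1; i <= n; i++) {
                if (t[i] == "{") { if (++depth == 1) sos = 1 }
                else if (t[i] == "}") { depth-- }
                else if (t[i] == ";") { if (depth <= 1) sos = 1 }
                else if (sos) {
                    sos = 0; key = t[i]
                    if (depth == 0) blk = (key == "zone") ? ("zone " t[i+1]) : key
                } else if (depth == 1 && key == "recursion") { rec = t[i] }
                else if (depth == 2 && key == "allow-transfer") {
                    seen[blk] = 1
                    if (t[i] == "any") { print blk ": allow-transfer includes any"; bad++ }
                }
            }
            if (!("options" in seen)) { print "options: no allow-transfer, BIND 9.9 default is any host"; bad++ }
            if (rec != "no") { print "options: recursion is not set to no"; bad++ }
            exit (bad > 0)
        }' "$1"
}

# Demo on the constructed samples.
tmp=$(mktemp -d) && write_conf_samples "$tmp"
audit_named_conf "$tmp/master.conf" && echo "master.conf: no findings"
audit_named_conf "$tmp/slave.conf"  || echo "slave.conf: review the finding above"
rm -rf "$tmp"
```

A slave that should never serve transfers can state that explicitly with allow-transfer { none; }; in its options block, which clears the finding.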

Step 12 : start the bind service and enable it for the next reboot : 

# systemctl enable named

# systemctl start named

If all goes well, the slave will have replicated the zone records from the master and created its zone files under ‘/var/named/slaves/’ on the Slave DNS server.

# ls -l  /var/named/slaves/

linuxteck.fwd.zone

linuxteck.rev.zone

Step 13 : Add DNS Server details in the slave interface config file

# vi /etc/sysconfig/network-scripts/ifcfg-enp1s0

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=enp1s0
UUID=15f2bf56-a0d8-4286-bf8f-d59be258f8p9
DEVICE=enp1s0
ONBOOT=yes
IPADDR=192.168.0.101
PREFIX=24
GATEWAY=192.168.0.1
DNS1=192.168.0.100
DNS2=192.168.0.101
IPV6_PRIVACY=no

Note : save and close the file using ‘:wq!’

Step 14 : Add DNS name servers address into /etc/resolv.conf

Add the name server (Master & Slave) IP addresses:

# vi /etc/resolv.conf

 

nameserver 192.168.0.100
nameserver 192.168.0.101

Note : save and close the file using ‘:wq!’

Step 15 : Firewall Configuration

# firewall-cmd --permanent --add-port=53/tcp

# firewall-cmd --permanent --add-port=53/udp

Reload the Firewall service :

# firewall-cmd --reload

Step 16 : SELinux

Run the following commands to set the ownership and SELinux security context:

# chgrp named -R /var/named

# chown -v root:named /etc/named.conf

# restorecon -rv /var/named

# restorecon /etc/named.conf

That's it ! for the SLAVE configuration.

Step 17 : Setup DNS configuration to client

Edit your client's /etc/resolv.conf file and add the IP addresses of both the Master and Slave DNS servers.

# vi /etc/resolv.conf

nameserver 192.168.0.100
nameserver 192.168.0.101

Now we can test our forward and reverse lookups using "dig and nslookup" as below:


# nslookup lt001.linuxteck.com


# nslookup 192.168.0.200


The Master and Slave DNS servers have been configured successfully. I believe this article will help those who are looking to set up the same at their end. Drop me your feedback/comment.

Thank you!!
