Setup DNS server Bind chroot CentOS 6


I. Edit /etc/hosts
# vi /etc/hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.99.5 ns1.bachem.local ns1

II. Install & Setting Bind chroot for DNS Server
-Install Bind
# yum -y install bind bind-chroot


-Setting iptables open DNS port
# system-config-firewall-tui

or

# iptables -A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT
# iptables -A INPUT -p tcp -m state --state NEW --dport 53 -j ACCEPT
# service iptables save
# service iptables restart

-Konfigurasi awal
# cp -R /usr/share/doc/bind-9.8.2/sample/var/named/* /var/named/chroot/var/named/
# cp -R /usr/share/doc/bind-9.8.2/sample/etc/* /var/named/chroot/etc/
# touch /var/named/chroot/var/named/data/cache_dump.db
# touch /var/named/chroot/var/named/data/named_stats.txt
# touch /var/named/chroot/var/named/data/named_mem_stats.txt
# touch /var/named/chroot/var/named/data/named.run
# mkdir /var/named/chroot/var/named/dynamic
# touch /var/named/chroot/var/named/dynamic/managed-keys.bind
# chmod -R 777 /var/named/chroot/var/named/data
# chmod -R 777 /var/named/chroot/var/named/dynamic

-Set if you don’t use IPv6(if use, don’t set it)
# echo 'OPTIONS="-4"' >> /etc/sysconfig/named

-Setting RNDC
# rndc-confgen -a -c /etc/rndc.key
# chmod 755 /etc/rndc.key

-Konfigurasi /var/named/chroot/etc/named.conf
# touch /var/named/chroot/etc/named.conf
# vi /var/named/chroot/etc/named.conf

include "/etc/rndc.key";
options {
// Put files that named is allowed to write in the data/ directory:
directory "/var/named";
// "Working" directory
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
pid-file "/var/run/named/named.pid";

/* Path to ISC DLV key */
bindkeys-file "etc/named.iscdlv.key";

/* Specify listenning interfaces. You can use list of addresses (';' is delimiter) or keywords "any"/"none" */
//listen-on port 53 { any; };
listen-on port 53 { localhost; 192.168.99.5; };

//listen-on-v6 port 53 { any; };
listen-on-v6 port 53 { ::1; };

//these are the ISP DNS or public DNS servers (optional)
forwarders {
203.130.208.18;
202.134.0.155;
203.130.193.74;
8.8.8.8;
8.8.4.4;
};

/* Access restrictions

There are two important options:
allow-query { argument; };
- allow queries for authoritative data

allow-query-cache { argument; };
- allow queries for non-authoritative data (mostly cached data)

You can use address, network address or keywords "any"/"localhost"/"none" as argument
Examples:
allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
*/

allow-query { localhost; 192.168.99.0/24; };
allow-query-cache { localhost; 192.168.99.0/24; };

// Enable/disable recursion - recursion yes/no;
recursion yes;
/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
/* Enable serving of DNSSEC related data - enable on both authoritative and recursive servers DNSSEC aware servers */
//dnssec-enable yes;
/* Enable DNSSEC validation on recursive servers */
//dnssec-validation yes;
/* Enable DLV by default, use built-in ISC DLV key. */
//dnssec-lookaside auto;
};

logging {
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

/* Views let a name server answer a DNS query differently depending on who is asking.

By default, if named.conf contains no "view" clauses, all zones are in the "default" view, which matches all clients.
Views are processed sequentially. The first match is used so the last view should match "any" - it's fallback and the most restricted view.

If named.conf contains any "view" clause, then all zones MUST be in a view.
*/

view "internal" {
/* This view will contain zones you want to serve only to "internal" clients that connect via your directly attached LAN interfaces - "localnets".
*/

match-clients { localhost; 192.168.99.0/24; };
recursion yes;
zone "." IN {
type hint;
file "/var/named/named.ca";
};

/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* not leak to the other nameservers:
*/
include "/etc/named.rfc1912.zones";

// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :

/* NOTE for dynamic DNS zones and secondary zones:

DO NOT USE SAME FILES IN MULTIPLE VIEWS!

If you are using views and DDNS/secondary zones it is strongly recommended to read FAQ on ISC site (www.isc.org), section
"Configuration and Setup Questions", questions
"How do I share a dynamic zone between multiple views?" and
"How can I make a server a slave for both an internal and an external
view at the same time?"
*/

zone "bachem.local" IN {
type master;
file "bachem.local.zone";
//allow-update { none; };
//we assume we have a slave dns server with the IP 192.168.99.6
allow-transfer { 192.168.99.6; };
notify yes;
also-notify { 192.168.99.6; };
};

zone "0.99.168.192.in-addr.arpa" IN {
type master;
file "192.168.99.0.zone";
//allow-update { none; };
//we assume we have a slave dns server with the IP 192.168.99.6
allow-transfer { 192.168.99.6; };
notify yes;
also-notify { 192.168.99.6; };
};
};

-Setting Forward Lookup Zone
# cd /var/named/chroot/var/named
# touch bachem.local.zone
# vi bachem.local.zone

$TTL 86400
@ IN SOA ns1.bachem.local. admin.bachem.local. (
2012113001 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
@ IN NS ns1.bachem.local.
ns1 IN A 192.168.99.5
ayam IN CNAME ns1
cumi IN A 192.168.99.11
ns2 IN A 192.168.99.6
kucing IN CNAME ns2

-Setting Reverse Lookup Zone
# cd /var/named/chroot/var/named
# touch 192.168.99.0.zone
# vi 192.168.99.0.zone

$TTL 86400
@ IN SOA ns1.bachem.local. admin.bachem.local. (
2012113002
10800
900
604800
3600 )
IN NS ns1.bachem.local.
5 IN PTR ns1.bachem.local.
11 IN PTR cumi.bachem.local.
6 IN PTR ns2.bachem.local.

-Edit /etc/resolv.conf
# vi /etc/resolv.conf

search bachem.local
nameserver 127.0.0.1
nameserver 192.168.99.5

-Restart Bind service & Setting run level
# service named restart
# chkconfig named on

Make sure it’s running:
# rndc status

-Testing DNS Query

References:
http://www.server-world.info/en/note?os=CentOS_6&p=dns&f=1
http://www.ehowstuff.com/how-to-configure-bind-chroot-dns-server-on-centos-6-2/
http://blog.wains.be/2007/12/13/centos-5-chroot-dns-with-bind/
http://adlinux.blogspot.com/2010/04/chroot-dns-with-bind-centos-5.html
http://www.digitalpeer.com/id/configuringa
http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_15.htm


Related posts:

3 thoughts on “Setup DNS server Bind chroot CentOS 6

  1. labradorg13

    hello, thanks for your great post. It help to me.
    but, I get an error after the service named restart command.

    [root@rpidvoproxy rpidavao]# service named restart
    Stopping named: [ OK ]
    Starting named:
    Error in named configuration:
    zone localhost.localdomain/IN: loaded serial 0
    zone localhost/IN: loaded serial 0
    zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
    zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
    zone 0.in-addr.arpa/IN: loaded serial 0
    zone rpilinux.com/IN: loading from master file rpidvoproxy.rpilinux.com failed: file not found
    zone rpilinux.com/IN: not loaded due to errors.
    internal/rpilinux.com/IN: file not found
    zone 0.1.11.172.in-addr.arpa/IN: loaded serial 2012113002
    [FAILED]
    [root@rpidvoproxy rpidavao]#

    give some advice that is this error.

    Thanks.

    Reply
      1. labradorg13

        hello bachem.

        thanks your time to reply.

        I repeat your instruction “-Konfigurasi awal” , then copy from your named.conf and paste into my named.conf and some editing information of hostname, ip’s, slave ip.

        After repeating those instrucition, then named restart…. wow! its running now, then dig 172.11.56.
        I thinks there is mistake of my named.conf….

        Again, thanks for your time.
        labradorg

        Reply

Leave a Reply

Your email address will not be published. Required fields are marked *