BIND (Berkely Internet Name Domain) is a popular software for
translating domain names into IP addresses and usually found on Linux
servers. this blog post explain configure DNS Bind service Forwarders and Caching server in linux step by step for your local Network.
# Set hostname of server.
[root@localhost ~]# hostnamectl set-hostname master.zmailtech.com
[root@localhost ~]# hostname
master.zmailtech.com
[root@localhost ~]#
[root@localhost ~]# cat /etc/sysconfig/network
# Created by anaconda
HOSTNAME=master.zmailtech.com
[root@localhost ~]#
# Check ip address.
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:e0:d3:c5 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.2/24 brd 192.168.10.255 scope global dynamic enp0s3
valid_lft 736sec preferred_lft 736sec
inet6 fe80::61e1:d548:2e53:232b/64 scope link
valid_lft forever preferred_lft forever
[root@localhost ~]#
# Install bind bind-utils packages via yum command.
[root@localhost ~]# yum install bind bind-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.9.4-50.el7 will be installed
--> Processing Dependency: bind-libs = 32:9.9.4-50.el7 for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: liblwres.so.90()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libisccfg.so.90()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libisccc.so.90()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libisc.so.95()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libdns.so.100()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libbind9.so.90()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
---> Package bind-utils.x86_64 32:9.9.4-50.el7 will be installed
--> Running transaction check
---> Package bind-libs.x86_64 32:9.9.4-50.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
bind x86_64 32:9.9.4-50.el7 c7-media 1.8 M
bind-utils x86_64 32:9.9.4-50.el7 c7-media 203 k
Installing for dependencies:
bind-libs x86_64 32:9.9.4-50.el7 c7-media 1.0 M
Transaction Summary
================================================================================
Install 2 Packages (+1 Dependent package)
Total download size: 3.0 M
Installed size: 7.3 M
Is this ok [y/d/N]: y
Downloading packages:
--------------------------------------------------------------------------------
Total 149 MB/s | 3.0 MB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 32:bind-libs-9.9.4-50.el7.x86_64 1/3
Installing : 32:bind-9.9.4-50.el7.x86_64 2/3
Installing : 32:bind-utils-9.9.4-50.el7.x86_64 3/3
Verifying : 32:bind-9.9.4-50.el7.x86_64 1/3
Verifying : 32:bind-libs-9.9.4-50.el7.x86_64 2/3
Verifying : 32:bind-utils-9.9.4-50.el7.x86_64 3/3
Installed:
bind.x86_64 32:9.9.4-50.el7 bind-utils.x86_64 32:9.9.4-50.el7
Dependency Installed:
bind-libs.x86_64 32:9.9.4-50.el7
Complete!
[root@localhost ~]#
# Now check named service is named status
[root@localhost ~]# systemctl status named
รข named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@localhost ~]#
# check bind service file in /etc/ folder
[root@localhost ~]# ls -l /etc/named*
-rw-r-----. 1 root named 1705 Mar 22 2016 /etc/named.conf
-rw-r--r--. 1 root named 3923 Aug 4 13:43 /etc/named.iscdlv.key
-rw-r-----. 1 root named 931 Jun 21 2007 /etc/named.rfc1912.zones
-rw-r--r--. 1 root named 1587 May 22 2017 /etc/named.root.key
/etc/named:
total 0
[root@localhost ~]#
# Now Start named service.
[root@master ~]# systemctl start named
# Check DNS service via netstat command
[root@master ~]# netstat -ntpul | grep named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1173/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1173/named
tcp6 0 0 ::1:53 :::* LISTEN 1173/named
tcp6 0 0 ::1:953 :::* LISTEN 1173/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 1173/named
udp6 0 0 ::1:53 :::* 1173/named
[root@master ~]#
# Named is working on tcp / udp port number 53 and rndc work on 953
[root@master ~]# nc -v localhost 53
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to ::1:53.
^C
[root@master ~]#
# Forwarders and Caching dns /named configuration
Configuration of below in /etc/named.conf
[root@master ~]# vim /etc/named.conf
[root@master ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 127.0.0.1; 192.168.10.2; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 192.168.10.0/24; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
// dnssec-enable yes;
// dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@master ~]#
# After configure /etc/named.conf file need to restart named service
[root@master ~]# systemctl restart named
# Now lets check again the ports and ip via netstat command
[root@master ~]# netstat -ntpul | grep named
tcp 0 0 192.168.10.2:53 0.0.0.0:* LISTEN 10692/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 10692/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 10692/named
tcp6 0 0 ::1:53 :::* LISTEN 10692/named
tcp6 0 0 ::1:953 :::* LISTEN 10692/named
udp 0 0 192.168.10.2:53 0.0.0.0:* 10692/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 10692/named
udp6 0 0 ::1:53 :::* 10692/named
[root@master ~]#
# Add 53 port number in firewalld service
[root@master ~]# firewall-cmd --permanent --add-port=53/tcp
success
[root@master ~]# firewall-cmd --permanent --add-port=53/udp
success
[root@master ~]# firewall-cmd --reload
success
[root@master ~]#
[root@master ~]# nc -v 192.168.10.2 53
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to 192.168.10.2:53.
^C
[root@master ~]#
# Check DNS service Caching via dig command
[root@master ~]# dig @192.168.10.2 www.google.com
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> @192.168.10.2 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60894
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 300 IN A 172.217.26.196
;; AUTHORITY SECTION:
google.com. 172799 IN NS ns1.google.com.
google.com. 172799 IN NS ns4.google.com.
google.com. 172799 IN NS ns2.google.com.
google.com. 172799 IN NS ns3.google.com.
;; ADDITIONAL SECTION:
ns2.google.com. 172799 IN A 216.239.34.10
ns1.google.com. 172799 IN A 216.239.32.10
ns3.google.com. 172799 IN A 216.239.36.10
ns4.google.com. 172799 IN A 216.239.38.10
;; Query time: 1280 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Mon Dec 25 22:02:56 IST 2017
;; MSG SIZE rcvd: 195
[root@master ~]#
[root@master ~]# dig @192.168.10.2 www.google.com
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> @192.168.10.2 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16173
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 293 IN A 172.217.26.196
;; AUTHORITY SECTION:
google.com. 172792 IN NS ns4.google.com.
google.com. 172792 IN NS ns1.google.com.
google.com. 172792 IN NS ns3.google.com.
google.com. 172792 IN NS ns2.google.com.
;; ADDITIONAL SECTION:
ns2.google.com. 172792 IN A 216.239.34.10
ns1.google.com. 172792 IN A 216.239.32.10
ns3.google.com. 172792 IN A 216.239.36.10
ns4.google.com. 172792 IN A 216.239.38.10
;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Mon Dec 25 22:03:03 IST 2017
;; MSG SIZE rcvd: 195
[root@master ~]#
# Set hostname of server.
[root@localhost ~]# hostnamectl set-hostname master.zmailtech.com
[root@localhost ~]# hostname
master.zmailtech.com
[root@localhost ~]#
[root@localhost ~]# cat /etc/sysconfig/network
# Created by anaconda
HOSTNAME=master.zmailtech.com
[root@localhost ~]#
# Check ip address.
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:e0:d3:c5 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.2/24 brd 192.168.10.255 scope global dynamic enp0s3
valid_lft 736sec preferred_lft 736sec
inet6 fe80::61e1:d548:2e53:232b/64 scope link
valid_lft forever preferred_lft forever
[root@localhost ~]#
# Install bind bind-utils packages via yum command.
[root@localhost ~]# yum install bind bind-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.9.4-50.el7 will be installed
--> Processing Dependency: bind-libs = 32:9.9.4-50.el7 for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: liblwres.so.90()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libisccfg.so.90()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libisccc.so.90()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libisc.so.95()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libdns.so.100()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libbind9.so.90()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
---> Package bind-utils.x86_64 32:9.9.4-50.el7 will be installed
--> Running transaction check
---> Package bind-libs.x86_64 32:9.9.4-50.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
bind x86_64 32:9.9.4-50.el7 c7-media 1.8 M
bind-utils x86_64 32:9.9.4-50.el7 c7-media 203 k
Installing for dependencies:
bind-libs x86_64 32:9.9.4-50.el7 c7-media 1.0 M
Transaction Summary
================================================================================
Install 2 Packages (+1 Dependent package)
Total download size: 3.0 M
Installed size: 7.3 M
Is this ok [y/d/N]: y
Downloading packages:
--------------------------------------------------------------------------------
Total 149 MB/s | 3.0 MB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 32:bind-libs-9.9.4-50.el7.x86_64 1/3
Installing : 32:bind-9.9.4-50.el7.x86_64 2/3
Installing : 32:bind-utils-9.9.4-50.el7.x86_64 3/3
Verifying : 32:bind-9.9.4-50.el7.x86_64 1/3
Verifying : 32:bind-libs-9.9.4-50.el7.x86_64 2/3
Verifying : 32:bind-utils-9.9.4-50.el7.x86_64 3/3
Installed:
bind.x86_64 32:9.9.4-50.el7 bind-utils.x86_64 32:9.9.4-50.el7
Dependency Installed:
bind-libs.x86_64 32:9.9.4-50.el7
Complete!
[root@localhost ~]#
# Now check named service is named status
[root@localhost ~]# systemctl status named
รข named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@localhost ~]#
# check bind service file in /etc/ folder
[root@localhost ~]# ls -l /etc/named*
-rw-r-----. 1 root named 1705 Mar 22 2016 /etc/named.conf
-rw-r--r--. 1 root named 3923 Aug 4 13:43 /etc/named.iscdlv.key
-rw-r-----. 1 root named 931 Jun 21 2007 /etc/named.rfc1912.zones
-rw-r--r--. 1 root named 1587 May 22 2017 /etc/named.root.key
/etc/named:
total 0
[root@localhost ~]#
# Now Start named service.
[root@master ~]# systemctl start named
# Check DNS service via netstat command
[root@master ~]# netstat -ntpul | grep named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1173/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1173/named
tcp6 0 0 ::1:53 :::* LISTEN 1173/named
tcp6 0 0 ::1:953 :::* LISTEN 1173/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 1173/named
udp6 0 0 ::1:53 :::* 1173/named
[root@master ~]#
# Named is working on tcp / udp port number 53 and rndc work on 953
Let us check the default configuration access with nc from local and other remote computer.
Default configuration not allow to access 53 number port from remote computer
[root@master ~]# nc -v localhost 53
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to ::1:53.
^C
[root@master ~]#
# Forwarders and Caching dns /named configuration
Configuration of below in /etc/named.conf
[root@master ~]# vim /etc/named.conf
[root@master ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 127.0.0.1; 192.168.10.2; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 192.168.10.0/24; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
// dnssec-enable yes;
// dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@master ~]#
# After configure /etc/named.conf file need to restart named service
[root@master ~]# systemctl restart named
# Now lets check again the ports and ip via netstat command
[root@master ~]# netstat -ntpul | grep named
tcp 0 0 192.168.10.2:53 0.0.0.0:* LISTEN 10692/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 10692/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 10692/named
tcp6 0 0 ::1:53 :::* LISTEN 10692/named
tcp6 0 0 ::1:953 :::* LISTEN 10692/named
udp 0 0 192.168.10.2:53 0.0.0.0:* 10692/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 10692/named
udp6 0 0 ::1:53 :::* 10692/named
[root@master ~]#
# Add 53 port number in firewalld service
[root@master ~]# firewall-cmd --permanent --add-port=53/tcp
success
[root@master ~]# firewall-cmd --permanent --add-port=53/udp
success
[root@master ~]# firewall-cmd --reload
success
[root@master ~]#
[root@master ~]# nc -v 192.168.10.2 53
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to 192.168.10.2:53.
^C
[root@master ~]#
# Check DNS service Caching via dig command
[root@master ~]# dig @192.168.10.2 www.google.com
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> @192.168.10.2 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60894
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 300 IN A 172.217.26.196
;; AUTHORITY SECTION:
google.com. 172799 IN NS ns1.google.com.
google.com. 172799 IN NS ns4.google.com.
google.com. 172799 IN NS ns2.google.com.
google.com. 172799 IN NS ns3.google.com.
;; ADDITIONAL SECTION:
ns2.google.com. 172799 IN A 216.239.34.10
ns1.google.com. 172799 IN A 216.239.32.10
ns3.google.com. 172799 IN A 216.239.36.10
ns4.google.com. 172799 IN A 216.239.38.10
;; Query time: 1280 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Mon Dec 25 22:02:56 IST 2017
;; MSG SIZE rcvd: 195
[root@master ~]#
[root@master ~]# dig @192.168.10.2 www.google.com
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> @192.168.10.2 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16173
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 293 IN A 172.217.26.196
;; AUTHORITY SECTION:
google.com. 172792 IN NS ns4.google.com.
google.com. 172792 IN NS ns1.google.com.
google.com. 172792 IN NS ns3.google.com.
google.com. 172792 IN NS ns2.google.com.
;; ADDITIONAL SECTION:
ns2.google.com. 172792 IN A 216.239.34.10
ns1.google.com. 172792 IN A 216.239.32.10
ns3.google.com. 172792 IN A 216.239.36.10
ns4.google.com. 172792 IN A 216.239.38.10
;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Mon Dec 25 22:03:03 IST 2017
;; MSG SIZE rcvd: 195
[root@master ~]#
No comments:
Post a Comment