Thursday, July 4, 2024

Configure Master BIND DNS on Rocky Linux 9 / AlmaLinux 9

At times you may need to run your own DNS server to handle name resolution for a specific domain. In that case you set up an authoritative DNS server that answers the queries sent to it by resolvers such as 8.8.8.8 or 1.1.1.1.

The Domain Name System (DNS) is an internet service that resolves domain names to IP addresses and vice versa. People reach sites on the internet using domain names, which are easier to remember (neveropen.co.za, for example), while web servers communicate using IP addresses; DNS translates between the two so that browsers can load the pages.

DNS servers fall into two main categories:

  • Recursor (recursive) DNS: holds no zone data of its own and consults other DNS servers (root, TLD and authoritative nameservers) to answer the questions directed to it.
  • Authoritative DNS: holds the data for specific domains and only answers queries about the domains it knows, ignoring queries about domains it does not know about.

BIND, an abbreviation of Berkeley Internet Name Domain, is an open-source, full-featured DNS software suite that can provide all DNS-related service functions. It was originally written in the 1980s at the University of California, Berkeley.

BIND offers the following features and capabilities:

  • Authoritative DNS: it allows you to publish the DNS zones and records under the server's authoritative control, as the primary or a secondary server.
  • Recursive DNS (caching resolver): it is able to obtain data from other DNS servers on behalf of client systems.
  • Split DNS: the ability to publish multiple views of the DNS namespace.
  • Efficient data replication: zone data is copied from the primary to the secondary servers in a timely and efficient manner.
  • Support for IPv6: it publishes IPv6 addresses for names and participates directly in IPv6 networking.
  • Transaction Signatures (TSIG) and Keys (TKEY): the ability to sign messages cryptographically using a pre-shared key or a dynamically negotiated key, and to validate such signatures.

The BIND DNS server can be configured in a master or a slave role, where:

  • Master BIND DNS: holds the zone data and is used to serve DNS queries for it.
  • Slave BIND DNS: receives a copy of the zone data from the master/primary DNS server using a zone transfer.

The below diagram illustrates the BIND DNS master-slave architecture

(Diagram: BIND DNS master-slave architecture)

In this guide, we will walk through how to configure Master BIND DNS on Rocky Linux 9 / AlmaLinux 9.

Step 1 – Install BIND DNS Server

BIND DNS exists in the default repositories and can be installed using the command:

sudo dnf install bind bind-utils

Dependency Tree:

Transaction Summary
============================================================================================================================================
Install  5 Packages

Total download size: 820 k
Installed size: 2.5 M
Is this ok [y/N]: y

Step 2 – Configure Master BIND DNS Server

BIND keeps its configuration in /etc/named.conf and the other /etc/named* files. These hold the zone definitions as well as the server configuration.

Create Zones on BIND DNS

For this guide, we will have the following:

  • DNS zone: neveropen.local
  • Managed subnet: 192.168.205.0/24
  • BIND DNS server IP: 192.168.205.12

To create zones, edit the below file:

sudo vim /etc/named.conf

Begin by making the changes below. Because this server is meant to be authoritative only, also make sure recursion is disabled (recursion no;) in the options block; otherwise allow-query { any; } turns it into an open resolver.

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
.......
        allow-query     { any; };
......
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Proceed and create the forward zone:

sudo vim /etc/named.rfc1912.zones

Add your zones at the end of the file:

  • Forward zone:

zone "neveropen.local" IN {
        type master;
        file "neveropen.forward";
        allow-update { none; };
};

  • Reverse zone:

zone "205.168.192.in-addr.arpa" IN {
        type master;
        file "neveropen.reverse";
        allow-update { none; };
};

In the file above, 205.168.192.in-addr.arpa is the name of the reverse DNS zone for the 192.168.205.x network.

Create the Zone lookup Files

In the file above we named our forward and reverse zone files neveropen.forward and neveropen.reverse respectively. Zone files use several DNS record-type acronyms, such as:

  • A – Address record
  • SOA – Start of Authority
  • MX – Mail Exchanger
  • NS – Name Server
  • CNAME – Canonical Name
  • SRV – Service record
  • PTR – Pointer

The zone lookup files also carry the following SOA parameters:

  • Serial number – a number that tracks changes to the DNS zone, conventionally written in YYYYMMDDnn format and incremented every time the zone file changes. For example, if the serial is 2022080800 and a change is made to the file, it becomes 2022080801.
  • Refresh – interval in seconds after which the slave checks the master for a new serial.
  • Retry – interval in seconds before the slave contacts the master again after a failed refresh.
  • Expiry – time in seconds after which a slave that has been unable to refresh stops treating its copy of the zone as valid.
  • Minimum – time in seconds that the slave servers should cache the zone data (also used as the negative-caching TTL).

The zone lookup files are created in the /var/named directory. We will begin with the forward zone lookup file:

sudo vim /var/named/neveropen.forward

Add the below lines replacing where required:

$TTL 86400
@       IN  SOA     ns1.neveropen.local. root.ns1.neveropen.local. (
                    2022080800  ;Serial
                    3600        ;Refresh
                    1800        ;Retry
                    604800      ;Expire
                    86400       ;Minimum TTL
)
; Set your Name Servers here
@       IN  NS      ns1.neveropen.local.

; Mail Exchanger
neveropen.local.    IN  MX  10  mail.neveropen.local.

; CNAME record
ftp     IN  CNAME   www.neveropen.local.

; SRV example for LDAP
;_ldap._tcp.neveropen.local.    SRV 0 0 389 ldap.neveropen.local.

; Set each IP address of a hostname. Sample A records.
ns1     IN  A       192.168.205.12
www     IN  A       192.168.205.13
mail    IN  A       192.168.205.14

Create the Reverse zone lookup file.

sudo vim /var/named/neveropen.reverse

Add the below lines to the file:

$TTL 86400
@       IN  SOA     ns1.neveropen.local. root.ns1.neveropen.local. (
                    2022080800  ;Serial
                    3600        ;Refresh
                    1800        ;Retry
                    604800      ;Expire
                    86400       ;Minimum TTL
)
; Set Name Server
@       IN  NS      ns1.neveropen.local.

; Set each IP address of a hostname. Sample PTR records.
12      IN  PTR     ns1.neveropen.local.
13      IN  PTR     www.neveropen.local.
14      IN  PTR     mail.neveropen.local.

Now set the correct permissions for the files:

sudo chown root:named /var/named/neveropen.forward
sudo chown root:named /var/named/neveropen.reverse
sudo chmod 644 /var/named/neveropen.forward
sudo chmod 644 /var/named/neveropen.reverse

Check the Syntax of the Files

Check the syntax of the files:

For the forward zone:

$ sudo named-checkzone neveropen.local  /var/named/neveropen.forward
zone neveropen.local/IN: loaded serial 2022080800
OK

For the reverse zone:

$ sudo named-checkzone 205.168.192.in-addr.arpa /var/named/neveropen.reverse
zone 205.168.192.in-addr.arpa/IN: loaded serial 2022080800
OK
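An added consistency check, not part of the original guide: the script below parses constructed, trimmed copies of the two zone files above, reads the SOA serial, verifies that every A record has a matching PTR record (and vice versa, the check named-checkzone does not do), and bumps a YYYYMMDDnn serial the way the Serial parameter description requires. The zone contents, origin and subnet are this guide's; the helper names are my own.

```python
import re
from datetime import date
# Constructed, trimmed copies of this guide's zone files (SOA timers on one line).
FORWARD_ZONE = """\
@    IN  SOA  ns1.neveropen.local. root.ns1.neveropen.local. (
        2022080800  ;Serial
        3600 1800 604800 86400 )
@    IN  NS     ns1.neveropen.local.
ftp  IN  CNAME  www.neveropen.local.
ns1  IN  A      192.168.205.12
www  IN  A      192.168.205.13
mail IN  A      192.168.205.14
"""
REVERSE_ZONE = """\
@    IN  SOA  ns1.neveropen.local. root.ns1.neveropen.local. (
        2022080800  ;Serial
        3600 1800 604800 86400 )
12   IN  PTR  ns1.neveropen.local.
13   IN  PTR  www.neveropen.local.
14   IN  PTR  mail.neveropen.local.
"""

def records(zone_text, rrtype):
    """Map owner -> rdata for every record of one type; ';' comments are stripped."""
    out = {}
    for line in zone_text.splitlines():
        parts = line.split(";", 1)[0].split()
        if len(parts) >= 4 and parts[1] == "IN" and parts[2] == rrtype:
            out[parts[0]] = parts[3]
    return out

def soa_serial(zone_text):
    """The serial is the first integer after the SOA record's opening parenthesis."""
    m = re.search(r"\bSOA\b[^(]*\(\s*(\d+)", zone_text)
    return int(m.group(1)) if m else None

def ptr_mismatches(forward, reverse, origin, subnet):
    """(fqdn, ip) pairs present in only one of the two zones; empty means consistent."""
    a = {f"{host}.{origin}.": ip for host, ip in records(forward, "A").items()}
    ptr = {fqdn: f"{subnet}.{last}" for last, fqdn in records(reverse, "PTR").items()}
    return sorted(set(a.items()) ^ set(ptr.items()))

def next_serial(serial, today_yyyymmdd=None):
    """Bump a YYYYMMDDnn serial: same day -> nn+1, later day -> today's date plus 00."""
    today_base = (today_yyyymmdd or int(date.today().strftime("%Y%m%d"))) * 100
    if serial < today_base:
        return today_base
    if serial % 100 == 99:
        raise ValueError("already 99 changes today; wait for the next day")
    return serial + 1
```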

Update the DNS settings

Update the DNS settings so that they include the IP address of the BIND DNS server:

$ sudo vim /etc/resolv.conf
nameserver 192.168.205.12

Allow DNS service through the Firewall

Allow the DNS service through the firewall using the commands:

sudo firewall-cmd --add-service=dns --permanent
sudo firewall-cmd --reload

Start and Enable the BIND DNS service

Once the desired configuration is in place, start and enable the BIND DNS service on Rocky Linux / AlmaLinux 9 using the command:

sudo systemctl enable --now named.service

Verify if the service is running:

$ systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2022-08-08 11:59:00 CEST; 4s ago
    Process: 32285 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; el>
    Process: 32287 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 32288 (named)
      Tasks: 4 (limit: 23441)
     Memory: 11.8M
        CPU: 33ms
     CGroup: /system.slice/named.service
             └─32288 /usr/sbin/named -u named -c /etc/named.conf

Step 3 – Testing Bind DNS Server

To test whether the BIND DNS server on Rocky Linux / AlmaLinux 9 is working correctly, we will use a client machine and add the IP address of the BIND DNS server to its /etc/resolv.conf as shown:

$ sudo vim /etc/resolv.conf
nameserver 192.168.205.12

Save the changes and use dig, or any other preferred tool such as dog, to query the DNS server:

dig www.neveropen.local

Sample output: (screenshot of the dig answer for www.neveropen.local)

Also confirm the reverse lookup:

dig -x 192.168.205.13

Sample output: (screenshot of the dig -x answer for 192.168.205.13)

At this point it is safe to assume that the Master BIND DNS is working correctly, since it has answered queries about the domains it knows.

Step 4 – Secure Bind DNS with DNSSEC

Securing BIND DNS is important because it prevents attackers from tampering with DNS responses or poisoning your DNS cache. The DNS Security Extensions (DNSSEC) maintain the integrity of DNS responses by signing all the DNS records of a zone (A, MX, CNAME etc.) using a Public Key Infrastructure (PKI).

This can be done by following the guide:

Conclusion

That marks the end of this guide on how to configure Master BIND DNS on Rocky Linux 9 / AlmaLinux 9. You now have an authoritative DNS server set up to provide answers to resolvers. I hope this was significant to you.

Nicole Veronica Rubhabha