Bind Operations - Set Up DNS Server
External
- Red Hat Support Solution (used to write the procedure below) https://access.redhat.com/solutions/40683
- Red Hat Enterprise Linux 7 Networking Guide - Chapter 11 DNS Servers https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-DNS_Servers.html
- Red Hat Enterprise Linux 6 Deployment Guide - DNS Servers https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-DNS_Servers.html
- Step by Step how to setup a DNS Server in RHEL 6 Using Bind https://github.com/blackyboy/RedHat-Centos-Common-Stuffs/blob/master/Step-by-Step-how-to-setup-a-DNS-Server-in-RHEL-6.2-6.4-6.5-Using-Bind.md
Internal
Overview
This is a step by step guide on installing and configuring a bind DNS server. We needed it during the deployment of an OpenShift environment. During this procedure, we will create a new "openshift35.local" zone file and all OpenShift hosts will get names within the "*.openshift35.local" DNS domain. Additional zone files/local domains can be added later.
Relevance
- RHEL 7.1
- Centos 7.3
Binary Installation
Intall bind binaries:
yum install bind* -y
DO NOT yum remove bind*, it will remove dhclient and related libraries, and that might render your host inoperable.
Starting and Stopping the Server
Installing binaries will deploy a bind server with a basic configuration that can be started and stopped.
Starting the Server
You can start the server right away, it should start fine. See Troubleshooting the Server.
systemctl start named
Stopping the Server
systemctl stop named
Startup Options
named startup options are specified in /etc/sysconfig/named as follows:
OPTIONS="-4 -d 10"
where:
-4
Instructs the server to use IPv4 only even if the host machine is capable of IPv6. -4 and -6 are mutually exclusive.
-6
Instructs the server to use IPv6 only even if the host machine is capable of IPv4. -4 and -6 are mutually exclusive.
-d <debug-level>
Specifies the debug level. Usually 10l.
Edit /etc/named.conf
/etc/named.conf is the main configuration file.
Use the default and modify the following:
listen-on
Specifies the IPv4 network interface on which to listen for queries.
On a DNS server that acts as a gateway, you can use this option to answer queries originating from a single network only. All IPv4 interfaces are used by default.
options { ... listen-on port 53 { any; }; ... }
Alternatively, to specify a single interface:
listen-on port 53 { 172.30.0.3; };
or several:
listen-on port 53 { 127.0.0.1;172.30.0.3; };
listen-on-v6
Specifies the IPv6 network interface on which to listen for queries.
On a DNS server that also acts as a gateway, you can use this option to answer queries originating from a single network only. All IPv6 interfaces are used by default.
options { ... listen-on-v6 port 53 { any; }; ... }
To prevent listening on IPv6 ports:
listen-on-v6 port 53 { none; }; }
allow-query
Specifies which hosts are allowed to query the nameserver for authoritative resource records.
It accepts an access control list, a collection of IP addresses, or networks in the CIDR notation. All hosts are allowed by default.
options { ... allow-query { any; }; ... }
Alternatively, an "acl" can be specified as follows:
... acl allowed-to-query { 172.30.0.0/16; localhost; localnets; }; options { ... allow-query { allowed-to-query; }; ... }
Configuring Recursive Resolution
If a name cannot be resolved by the current bind server, the query is forwarded to parent DNS servers. This makes the DNS server a recursive DNS server.
Recursion is enabled by using "recursion" keyword:
options { ... recursion yes; ... }
If the recursive DNS server has a public IP address, then access control MUST be enabled to limit queries to legitimate users. Failing to do so will cause the server to become part of large scale DNS amplification attacks.
Configuring Specific Forwarders
If recursion is enabled and the name to be resolved is not in the zone, the DNS server process forwards the request to other DNS servers. By default, it makes the request over UDP on port 53, to root name servers. However, these connections are blocked by some networks, so an alternative is to configure a small set of "forwarders" - like Google's name servers - to query. This is done in the "options" block as follows:
options { ... forwarders { 8.8.8.8; 8.8.4.4; }; forward only; ... }
To configure this server to forward all non-local request and not attempt to resolve requests over the normal protocol, on its own, set the "forward" directive to "only".
Domain Name System Security Extensions (DNSSEC) Configuration
options { ... dnssec-enable yes; dnssec-validation yes; /* dnssec-lookaside auto; */ /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; ... }
Note that uncommenting "dnssec-lookaside auto" leads to "broken trust chain" error.
Adding a Zone
Add a zone in /etc/named.conf, as follows. Conventionally, place it between the zone "." declaration and "include", as shown below.
More than one zone file can be declared.
In case of sub-domains, a separate zone file should be added for each sub-domain, as shown below for "openshift.external" and "apps.openshift.external".
... zone "." IN { type hint; file "named.ca"; }; zone "openshift.local" IN { type master; file "openshift.local.zone"; }; zone "openshift.external" IN { type master; file "openshift.external.zone"; }; zone "apps.openshift.external" IN { type master; file "apps.openshift.external.zone"; }; zone "172.20.2.in-addr.arpa" IN { type master; file "openshift.local.rzone"; allow-update { none; }; }; include "/etc/named.rfc1912.zones"; ...
"zone" Statement Syntax
zone "<zone-name>" <zone-class> { type master; file "<file-name>"; };
<zone-name> - is the name of the zone. The named daemon appends the name of the zone to any non-fully qualified domain name listed in the associated zone file. If the result matches the name in the query, the associated address is returned. If the zone file contains "*", then any name in the query that ends in <zone-name> matches and the address associated to "*" in the zone file is returned. This is how wildcard DNS domains are configured.
<zone-class> is optional and if not mentioned, IN is assumed. IN refers to 'Internet' while the only other option in common use is CH for 'CHAOS'.
type master - designates this name server as authoritative for this zone. A zone should be set as the master if the zone's configuration files reside on the system.
file - specifies the name of the file in the named working directory, by default /var/named, which contains the zone's configuration data.
A zone has usually an associated reverse zone, which is declared as follows:
zone "<first-three-blocks-of-the-ip-address-reversed>.in-addr.arpa" <zone-class> { type master; file "<file-name>"; allow-update { node; }; };
The reverse name resolution zone requires the first three blocks of the IP address reversed followed by ".in-addr.arpa".
Zone File
Zone files contain information about a domain. The zone files are stored in /var/named. Each zone file is named according to the "zone"/"file" option in /etc/named.conf. Each zone file contains directives and resource records. Directives tell the nameserver to perform tasks or apply special settings to the zone. Resource records define the parameters of the zone and assign identities to individual hosts. All directives and resource records should be entered on individual lines. Comments can be placed after semicolon characters (;).
Zone File Directives
$ORIGIN
Appends the domain name to unqualified records in the zone file, such as those with the hostname and nothing more. For example, a zone file may contain the following line:
$ORIGIN example.com.
Any names used in resource records that do not end in a trailing period (.) are appended with example.com.
The use of the $ORIGIN directive is unnecessary if the zone is specified in /etc/named.conf because the zone name declared in /etc/named.conf is used as the value for the $ORIGIN directive by default.
$TTL
Sets the default Time to Live (TTL) value for the zone. This is the length of time, in seconds, that a zone resource record is valid. Each resource record can contain its own TTL value, which overrides this directive. Increasing this value allows remote nameservers to cache the zone information for a longer period of time, reducing the number of queries for the zone.
Zone File Resource Records
SOA
The Start Of Authority resource record, which contains authoritative information about the namespace. The SOA resource record is the first resource record in a zone file.
@ IN SOA <primary-name-server>. <hostmaster-email>. ( <serial-number> <time-to-refresh> <time-to-retry> <time-to-expire> <minimum-TTL> )
The @ symbol places the zone name, as defined in the "zone" named.conf statement, as the namespace being defined by this SOA resource record. The hostname of the primary nameserver that is authoritative for this domain is the <primary-name-server> directive, and the email of the person to contact about this namespace is the <hostmaster-email> directive. Both elements must end in "."
The <serial-number> directive is a numerical value incremented every time the zone file is changed. This indicates it is time for named to reload the zone. The <time-to-refresh> directive is the numerical value slave servers use to determine how long to wait before asking the master nameserver if any changes have been made to the zone. The slave servers use <serial-number> to determine if they are using outdated zone data and should therefore refresh it.
The <time-to-retry> directive is a numerical value used by slave servers to determine the length of time to wait before issuing a refresh request in the event that the master nameserver is not answering. If the master has not replied to a refresh request before the amount of time specified in the <time-to-expire> directive elapses, the slave servers stop responding as an authority for requests concerning that namespace.
The <minimum-TTL> directive is the amount of time other nameservers cache the zone's information.
All times are specified in seconds, unless M (minutes), H (hours), D (days) or W (weeks) are specified.
NS
Is the NameServer record, which announces the authoritative nameservers for this zone.
IN NS <nameserver-name-1>. IN NS <nameserver-name-2>.
<nameserver-name> should be an FQDN.
A
Defines an Address record, which specifies an IP address to assign to a name.
<host> IN A <IP-address>
If the <host> value is omitted, then an A record points to a default IP address for the top of the namespace. This system is the target for all non-FQDN requests.
CNAME
Defines a Canonical Name record, which maps one name to another. This type of record can also be referred to as an alias record.
<alias-name> IN CNAME <real-name>
Example:
server1 IN A 10.0.1.5 www IN CNAME server1
MX
This refers to the Mail eXchange record, which tells where mail sent to a particular namespace controlled by this zone should go.
IN MX <preference-value> <email-server-name>
PTR
This refers to a pointer record, which is designed to point to another part of the namespace. It is primarily used for reverse name resolution, pointing IP addresses back to a particular name.
Example
Make sure the file has the same ownership and permissions as the rest of the files in the directory:
chown root:named openshift.local.zone
Assigning the ownership is critical. The file won't be read and names from the file will not be resolved otherwise.
/var/named/openshift.local.zone example:
$TTL 3600 @ IN SOA ns.openshift.local. root. ( 2015092101 ; serial 3600 ; refresh 15M ; retry 1W ; expire 1D ) ; minimum IN NS ns.openshift.local. ns IN A 172.20.2.10 openshift-master1 IN A 172.20.2.1 openshift-node1 IN A 172.20.2.2 openshift-node2 IN A 172.20.2.3 nfs IN CNAME ns ansible IN CNAME ns
PTR (Inverse Record) File
A reverse name resolution zone file is used to translate an IP address in a particular namespace into an FQDN. It looks very similar to a standard zone file, except that PTR resource records are used to link the IP addresses to a fully qualified domain name.
Example
Make sure the file has the same ownership as the rest of the files in the directory:
chown root:named openshift.local.rzone
Assigning the ownership is critical. The file won't be read and names from the file will not be resolved otherwise.
$TTL 3600 @ IN SOA ns.openshift.local. root. ( 2015092101 ; serial 3600 ; refresh 15M ; retry 1W ; expire 1D ) ; minimum IN NS ns.openshift.local. 1 IN PTR openshift-master1.openshift.local. 2 IN PTR openshift-node1.openshift.local. 3 IN PTR openshift-node2.openshift.local. 10 IN PTR ns.openshift.local.
Verify Configuration Files
named-checkconf /etc/named.conf
named-checkzone <zone-name> <zone-file> named-checkzone openshift.local /var/named/openshift.local.zone named-checkzone 122.168.192.in-addr.arpa /var/named/ocp36.local.rzone
Configure iptables
Add the following rules to your iptables configuration /etc/sysconfig/iptables:
... -A INPUT -p udp -m udp --dport 53 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT ...
systemctl restart iptables systemctl status iptables
For more details on the iptables configuration, see
Make sure the correct rules are in place with iptables -F:
Also see
Declare a Wildcard DNS Domain
A wildcard DNS sub-domain is a domain that resolves all the host and subdomains under it to the same IP address.
Note that the sub-domains are logically hierarchical, a different zone file is required for each sub-domain. The zone files are separate entities and do not have a hierarchical structure. For more details see
This is an example of a zone file for the "apps.openshift35.external" wildcard subdomain. The content goes to /var/named/apps.openshift35.external.zone:
$TTL 3600 @ IN SOA ns.openshift35.external. root. ( 2017052401 ; serial 3600 ; refresh 15M ; retry 1W ; expire 1D ) ; minimum IN NS ns.openshift35.external. IN A 172.23.0.12 * IN A 172.23.0.12
Make sure the file has a "root:named" ownership:
chown root:named apps.openshift35.external.zone
Assigning the ownership is critical. The file won't be read and names from the file will not be resolved otherwise.
The /etc/named.conf declaration of the zone file:
... zone "apps.openshift35.external" IN { type master; file "apps.openshift35.external.zone"; }; ...
An untested alternative is to declare an A record, as shown below:
*.apps.openshift35.external. 300 IN A 1.2.3.4
Starting at Boot
systemctl enable named
Test:
systemctl is-enabled named enabled
Configure The Local DNS Resolver
Same as configuring clients on other machines in the network. See:
Configure DNS Resolver on Other Hosts
Reboot and Test
Local Tests
Configure the local resolver to the name server that has just been configured.
For each of the names in your zone file:
nslookup <name> nslookup <name>.<domain>
Also a random (but valid) name must be resolved
nslookup www.google.com Server: 172.20.2.10 Address: 172.20.2.10#53 Non-authoritative answer: Name: www.google.com Address: 172.217.5.100
Remote Tests
Adding a New Host to the Zone File
Go to the corresponding zone file (example if the domain is openshift.local, the zone file is /var/named/openshift.local.zone)
... master31-1 IN A 172.20.2.11
Also modify the inverse record file /var/named/openshift.local.rzone (if exists)
172.20.2.11 IN PTR master31-1.openshift.local.
Then reboot the name server.
After reboot, run nslookup from the name server itself, an old host and the newly setup host:
[openshift@ns ~]$ nslookup master31-1.openshift.local Server: 172.20.2.10 Address: 172.20.2.10#53 Name: master31-1.openshift.local Address: 172.20.2.11
Troubleshooting the Server
systemctl status named
Logs are generated in two places, and the content is different:
journalctl -f -u named tail -f /var/named/data/named.run
Debug verbosity can be changed by adding the following in /etc/sysconfig/named:
OPTIONS="-d 10"
Troubleshooting Situations
Network Unreachable
error (network unreachable) resolving 'www.cnn.com/A/IN': 2001:7fe::53#53
Got this on a network that prevented UDP DNS traffic. The server resumed working find immediately after I connected to a different network.
Broken Trust Chain
Got these in the server log trying to resolve external names:
validating @0x7f347c10b3c0: www.cnn.com A: bad cache hit (www.cnn.com.dlv.isc.org/DLV) error (broken trust chain) resolving 'www.cnn.com/A/IN': 8.8.8.8#53
Worked around by commenting "dnssec-lookaside auto". See Domain Name System Security Extensions (DNSSEC) Configuration.