Monday, August 8, 2011

Setting Up A Secure DNS Server On CentOS 5.6 (RHEL)

The Domain Name System (DNS) translates a website's name into an IP address so that the site can be reached. The same translation takes place when you connect to other systems on your network by hostname instead of by IP address.

1. Setting Up BIND

Install the required packages:

# yum install -y bind bind-utils bind-libs

There are two types of nameservers:

Authoritative – These nameservers answer only for the resource records that belong to their own zones. This includes both primary (master) and secondary (slave) nameservers.
Recursive – These nameservers offer resolution services to clients but are not authoritative for any zone. Every answer they obtain is cached in memory for a fixed period of time.

2. Firewall and SELinux Configuration

For your clients to be able to query the DNS server, you need to open port 53 on the firewall. DNS clients use both UDP and TCP port 53 (TCP is used for zone transfers and for answers too large to fit in a UDP packet).

# iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT
# iptables -I INPUT -p tcp -m tcp --dport 53 -j ACCEPT

You need to adjust SELinux for the DNS service to work properly.

# setsebool -P named_disable_trans=1

Note that this boolean turns off the SELinux domain transition for named, so the daemon runs unconfined: BIND then works without further SELinux tuning, but SELinux no longer restricts what that process can touch.

3. Configuring a Master DNS Server

To begin configuring the DNS server, check out these key config files for a BIND server:

/etc/named.conf    Main config file
/etc/rndc.key      rndc key file
/etc/rndc.conf     rndc config file

Step 1. Back up the main config file

# cp /etc/named.conf /etc/named.conf.bak

Step 2. Make sure that your system has a static IP address and that the /etc/resolv.conf file points to localhost as the nameserver:


Step 3. Create the necessary config files: named.conf, itbox4vn.com.zone and itbox4vn.com.revzone. You can copy the localhost zone files from the BIND sample directory:


Step 4. Start the master DNS server


4. Configuring Slave DNS Server

A slave DNS server is configured much like a master. It helps with load balancing and provides redundancy should the master DNS server fail.

Step 1. Install the BIND packages

# yum install -y bind

Step 2. Create the /etc/named.conf file.

Step 3. Start the slave DNS server.


Step 4. Check the /var/named/slaves directory to see whether the zone files were copied over from the master DNS server correctly. You can also pull the zone files from the master manually by using the dig command to perform a zone transfer.


5. DNS Server Security

The BIND DNS server offers several options for making it more secure. The first is listen-on, which defines the port and IP address(es) your server listens on. The allow-query option limits which subnets may query the DNS server at all. A third option, allow-transfer, defines which slave servers are allowed to request zone data from the master and transfer its zone file.
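The three options described above, together with the slave zone stanza from section 4, in an added named.conf example that is not the configuration from the original post. The addresses (master 192.168.1.10, slave 192.168.1.11, client network 192.168.1.0/24) are assumed; the zone name itbox4vn.com is the one used in the post.

```conf
// Added example, not the named.conf from the original post.
// Assumed: master 192.168.1.10, slave 192.168.1.11, clients in 192.168.1.0/24.

acl "lan"    { 127.0.0.1; 192.168.1.0/24; };
acl "slaves" { 192.168.1.11; };

// Options block for the master (192.168.1.10).
options {
    directory "/var/named";

    // listen-on: bind only to loopback and the LAN address, not to every interface.
    listen-on port 53 { 127.0.0.1; 192.168.1.10; };

    // allow-query: only hosts in the "lan" ACL may query this server at all.
    allow-query { lan; };

    // allow-transfer: if this is left unset, BIND 9 permits zone transfers (AXFR)
    // from any address, handing out every record in the zone. Deny it globally
    // and re-enable it per zone for the real slave only.
    allow-transfer { none; };

    // allow-recursion is not covered in the post; it stops an authoritative
    // server from also acting as an open recursive resolver for the Internet.
    allow-recursion { lan; };
};

// Master side: the zone file lives in /var/named and may be transferred
// only to the slave listed in the "slaves" ACL.
zone "itbox4vn.com" IN {
    type master;
    file "itbox4vn.com.zone";
    allow-transfer { slaves; };
};

// Slave side: this stanza belongs in the slave's own named.conf (on 192.168.1.11),
// not in the master's. The transferred copy lands under /var/named/slaves,
// the directory the post tells you to check.
zone "itbox4vn.com" IN {
    type slave;
    file "slaves/itbox4vn.com.zone";
    masters { 192.168.1.10; };
};
```

After editing, run named-checkconf /etc/named.conf (shipped with the bind package) to catch syntax errors before restarting the service.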

Here is part of the /etc/named.conf file:


You can also tighten file ownership to help secure the BIND server. All the files should be owned by root with group named, the unprivileged system user that BIND runs as:

# chown root:named /var/named/*
# chown root:named /etc/named/*
# chcon -t named_conf_t /etc/named.conf

One of the strongest options for a BIND server is running it in a chroot environment. The security benefit is that if the named process is ever compromised, the attacker can reach only the files inside that directory tree and not the rest of your system.

# yum install -y bind-chroot

Then you need to edit the /etc/sysconfig/named file and set ROOTDIR to the chroot directory (such as /var/named/chroot). Once this is done, copy all your files and directories into the /var/named/chroot directory as if it were the root (/) directory.

Have fun!