How to Configure BIND Named Service on Enterprise Linux 7

CentOS 7.1 Minimal does not ship the named service, so install it first, either with yum install bind bind-utils or with yum groupinstall "DNS Name Server".
[root@primary-dns ~]# yum -y install bind bind-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.cs.nctu.edu.tw
 * extras: centos.cs.nctu.edu.tw
 * updates: centos.cs.nctu.edu.tw
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.9.4-18.el7_1.3 will be installed
--> Processing Dependency: bind-libs = 32:9.9.4-18.el7_1.3 for package: 32:bind-9.9.4-18.el7_1.3.x86_64
--> Processing Dependency: liblwres.so.90()(64bit) for package: 32:bind-9.9.4-18.el7_1.3.x86_64
--> Processing Dependency: libisccfg.so.90()(64bit) for package: 32:bind-9.9.4-18.el7_1.3.x86_64
--> Processing Dependency: libisccc.so.90()(64bit) for package: 32:bind-9.9.4-18.el7_1.3.x86_64
--> Processing Dependency: libisc.so.95()(64bit) for package: 32:bind-9.9.4-18.el7_1.3.x86_64
--> Processing Dependency: libdns.so.100()(64bit) for package: 32:bind-9.9.4-18.el7_1.3.x86_64
--> Processing Dependency: libbind9.so.90()(64bit) for package: 32:bind-9.9.4-18.el7_1.3.x86_64
---> Package bind-utils.x86_64 32:9.9.4-18.el7_1.3 will be installed
--> Running transaction check
---> Package bind-libs.x86_64 32:9.9.4-18.el7_1.3 will be installed
--> Processing Dependency: bind-license = 32:9.9.4-18.el7_1.3 for package: 32:bind-libs-9.9.4-18.el7_1.3.x86_64
--> Running transaction check
---> Package bind-license.noarch 32:9.9.4-18.el7 will be updated
--> Processing Dependency: bind-license = 32:9.9.4-18.el7 for package: 32:bind-libs-lite-9.9.4-18.el7.x86_64
---> Package bind-license.noarch 32:9.9.4-18.el7_1.3 will be an update
--> Running transaction check
---> Package bind-libs-lite.x86_64 32:9.9.4-18.el7 will be updated
---> Package bind-libs-lite.x86_64 32:9.9.4-18.el7_1.3 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch        Version                     Repository    Size
================================================================================
Installing:
 bind                x86_64      32:9.9.4-18.el7_1.3         updates      1.8 M
 bind-utils          x86_64      32:9.9.4-18.el7_1.3         updates      199 k
Installing for dependencies:
 bind-libs           x86_64      32:9.9.4-18.el7_1.3         updates      1.0 M
Updating for dependencies:
 bind-libs-lite      x86_64      32:9.9.4-18.el7_1.3         updates      712 k
 bind-license        noarch      32:9.9.4-18.el7_1.3         updates       80 k

Transaction Summary
================================================================================
Install  2 Packages (+1 Dependent package)
Upgrade             ( 2 Dependent packages)

Total download size: 3.7 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
warning: /var/cache/yum/x86_64/7/updates/packages/bind-license-9.9.4-18.el7_1.3.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for bind-license-9.9.4-18.el7_1.3.noarch.rpm is not installed
(1/5): bind-license-9.9.4-18.el7_1.3.noarch.rpm            |  80 kB   00:03
(2/5): bind-utils-9.9.4-18.el7_1.3.x86_64.rpm              | 199 kB   00:06
(3/5): bind-libs-9.9.4-18.el7_1.3.x86_64.rpm               | 1.0 MB   00:09
(4/5): bind-libs-lite-9.9.4-18.el7_1.3.x86_64.rpm          | 712 kB   00:09
(5/5): bind-9.9.4-18.el7_1.3.x86_64.rpm                    | 1.8 MB   00:10
--------------------------------------------------------------------------------
Total                                              370 kB/s | 3.7 MB  00:10
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
 Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"
 Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
 Package    : centos-release-7-1.1503.el7.centos.2.8.x86_64 (@anaconda)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : 32:bind-license-9.9.4-18.el7_1.3.noarch                      1/7
  Installing : 32:bind-libs-9.9.4-18.el7_1.3.x86_64                         2/7
  Installing : 32:bind-utils-9.9.4-18.el7_1.3.x86_64                        3/7
  Installing : 32:bind-9.9.4-18.el7_1.3.x86_64                              4/7
  Updating   : 32:bind-libs-lite-9.9.4-18.el7_1.3.x86_64                    5/7
  Cleanup    : 32:bind-libs-lite-9.9.4-18.el7.x86_64                        6/7
  Cleanup    : 32:bind-license-9.9.4-18.el7.noarch                          7/7
  Verifying  : 32:bind-libs-lite-9.9.4-18.el7_1.3.x86_64                    1/7
  Verifying  : 32:bind-utils-9.9.4-18.el7_1.3.x86_64                        2/7
  Verifying  : 32:bind-license-9.9.4-18.el7_1.3.noarch                      3/7
  Verifying  : 32:bind-9.9.4-18.el7_1.3.x86_64                              4/7
  Verifying  : 32:bind-libs-9.9.4-18.el7_1.3.x86_64                         5/7
  Verifying  : 32:bind-license-9.9.4-18.el7.noarch                          6/7
  Verifying  : 32:bind-libs-lite-9.9.4-18.el7.x86_64                        7/7

Installed:
  bind.x86_64 32:9.9.4-18.el7_1.3     bind-utils.x86_64 32:9.9.4-18.el7_1.3

Dependency Installed:
  bind-libs.x86_64 32:9.9.4-18.el7_1.3

Dependency Updated:
  bind-libs-lite.x86_64 32:9.9.4-18.el7_1.3
  bind-license.noarch 32:9.9.4-18.el7_1.3

Complete!

Let's see what we have installed.
[root@primary-dns ~]# rpm -qa | grep bind
bind-libs-9.9.4-18.el7_1.3.x86_64
bind-9.9.4-18.el7_1.3.x86_64
bind-license-9.9.4-18.el7_1.3.noarch
bind-utils-9.9.4-18.el7_1.3.x86_64
bind-libs-lite-9.9.4-18.el7_1.3.x86_64

Configure the named service. In the options block, restrict listen-on and allow-query to localhost and the 192.168.0.0/16 LAN and set the upstream forwarders; then add the two zone blocks (forward and reverse) at the end of the file.
[root@primary-dns ~]# vi /etc/named.conf
...
        listen-on port 53 { 127.0.0.1; 192.168.0.0/16;};
...
        forwarders {
            8.8.8.8;
            168.95.1.1;
        };

        allow-query     { localhost; 192.168.0.0/16;};
...
zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { none; };
};

zone "168.192.in-addr.arpa" IN {
        type master;
        file "168.192.zone";
        allow-update { none; };
};
...

Validate the configuration file. named-checkconf prints nothing when the file parses cleanly and reports the file and line number otherwise.
[root@primary-dns named]# named-checkconf /etc/named.conf
No output, so the configuration is correctly set.
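As an added example (not from the original post), the shell script below audits a named.conf options block for three settings worth checking once allow-query is widened from localhost to the LAN: allow-transfer (BIND 9.9 defaults it to any, so every host that may query can also pull the whole zone with AXFR), allow-query { any; }, and recursion reachable by every querier (allow-recursion falls back to allow-query-cache, then allow-query, then localnets; localhost when unset). The two sample configs are constructed; the hardened one mirrors the post's listen-on, allow-query and forwarders and adds allow-recursion and allow-transfer { none; }.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a named.conf for the
# settings that matter once allow-query is widened beyond localhost.
# The two sample configs below are constructed; their paths come from mktemp.

ANY_QUERY='^[[:space:]]*allow-query[[:space:]]*\{[[:space:]]*any[[:space:]]*;'

# Print one WARN line per finding and return the number of findings.
audit_named_conf() {
    conf=$1
    findings=0

    # 1. Zone transfers. BIND 9.9 defaults allow-transfer to "any", so every
    #    address that may query can also AXFR the whole zone.
    if ! grep -Eq '^[[:space:]]*allow-transfer[[:space:]]*\{' "$conf"; then
        echo "WARN: allow-transfer not set (BIND 9.9 default is any)"
        findings=$((findings + 1))
    fi

    # 2. allow-query { any; } answers everything the firewall lets in.
    if grep -Eq "$ANY_QUERY" "$conf"; then
        echo "WARN: allow-query is any"
        findings=$((findings + 1))
    fi

    # 3. Open resolver: recursion on, allow-query any, and neither
    #    allow-recursion nor allow-query-cache narrowing it back down.
    if grep -Eq '^[[:space:]]*recursion[[:space:]]+yes' "$conf" &&
       grep -Eq "$ANY_QUERY" "$conf" &&
       ! grep -Eq '^[[:space:]]*allow-(recursion|query-cache)[[:space:]]*\{' "$conf"; then
        echo "WARN: recursion reachable by every querier (open resolver)"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed sample: a weak options block.
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
options {
        listen-on port 53 { any; };
        recursion yes;
        allow-query     { any; };
        forwarders { 8.8.8.8; };
};
EOF

# Constructed sample: the post's options plus allow-recursion and allow-transfer.
cat > "$HARDENED_CONF" <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; 192.168.0.0/16; };
        recursion yes;
        allow-query     { localhost; 192.168.0.0/16; };
        allow-recursion { localhost; 192.168.0.0/16; };
        allow-transfer  { none; };
        forwarders { 8.8.8.8; 168.95.1.1; };
};
EOF

weak_findings=0;     audit_named_conf "$WEAK_CONF"     || weak_findings=$?
hardened_findings=0; audit_named_conf "$HARDENED_CONF" || hardened_findings=$?
echo "weak: $weak_findings finding(s), hardened: $hardened_findings finding(s)"
```

Run audit_named_conf against /etc/named.conf after editing; the return value is the number of findings. If, as in the excerpt shown above, allow-transfer is not set, the first check fires: add allow-transfer { none; }; to the options block (or list the secondary's address) before widening allow-query to the LAN.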

Edit the first zone "example.com" as the following.
[root@primary-dns ~]# vi /var/named/example.com.zone

$ORIGIN example.com.

$TTL    86400   ; time-to-live   - (1 day)

primary-dns     IN      A       192.168.15.199

@       IN      SOA     primary-dns.example.com.        hostmaster.example.com. (
        201508061       ; serial number  - (yyyymmdd+s)
        7200    ; refresh        - (2 hours)
        300     ; retry          - (5 minutes)
        604800  ; expire         - (1 week)
        60      ; minimum        - negative caching TTL (1 minute)
)
        IN      NS      primary-dns.example.com.

; Oracle RAC Nodes
primary01       IN      A       192.168.15.11
primary02       IN      A       192.168.15.12
primary01-priv  IN      A       192.168.24.11
primary02-priv  IN      A       192.168.24.12
primary01-vip   IN      A       192.168.15.111
primary02-vip   IN      A       192.168.15.112

; Network Storage Server
primary-nas     IN      A       192.168.15.101

; Single Client Access Name (SCAN) virtual IP
primary-cluster-scan    IN      A       192.168.15.81
primary-cluster-scan    IN      A       192.168.15.82
primary-cluster-scan    IN      A       192.168.15.83

Validate the first zone "example.com".
[root@primary-dns ~]# named-checkzone example.com /var/named/example.com.zone
zone example.com/IN: loaded serial 201508061
OK

The hostname zone file is correctly set.

Edit the second zone "168.192.in-addr.arpa".
[root@primary-dns ~]# vi /var/named/168.192.zone

$TTL 86400      ; time-to-live   - (1 day)

@       IN      SOA     primary-dns.example.com.        hostmaster.example.com. (
        201508061   ; serial number  - (yyyymmdd+s)
        7200        ; refresh        - (2 hours)
        300         ; retry          - (5 minutes)
        604800      ; expire         - (1 week)
        60          ; minimum        - negative caching TTL (1 minute)
)
@       IN      NS      primary-dns.example.com.

; Oracle RAC Nodes
11.15   IN      PTR     primary01.example.com.
12.15   IN      PTR     primary02.example.com.
11.24   IN      PTR     primary01-priv.example.com.
12.24   IN      PTR     primary02-priv.example.com.
111.15  IN      PTR     primary01-vip.example.com.
112.15  IN      PTR     primary02-vip.example.com.

; Network Storage Server
101.15  IN      PTR     primary-nas.example.com.

; Single Client Access Name (SCAN) virtual IP
81.15   IN      PTR     primary-cluster-scan.example.com.
82.15   IN      PTR     primary-cluster-scan.example.com.
83.15   IN      PTR     primary-cluster-scan.example.com.

Validate the second zone "168.192.in-addr.arpa".
[root@primary-dns ~]# named-checkzone 168.192.in-addr.arpa /var/named/168.192.zone
zone 168.192.in-addr.arpa/IN: loaded serial 201508061
OK

The arpa zone file is correctly set.
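named-checkzone verifies each zone file on its own but says nothing about whether the forward and reverse zones agree. As an added example (not from the original post), the script below extracts the A records from the forward zone and the PTR records from the reverse zone and reports every name/address pair that appears in only one of them. The sample zone files are constructed from a subset of the records shown above plus one deliberately unmatched PTR (primary-nas2, hypothetical); note that the reverse zone as shown in the post has no PTR for primary-dns (192.168.15.199), which this check reports.

```shell
#!/bin/sh
# Added example, not part of the original post: check that every A record in
# the forward zone has a matching PTR in the reverse zone, and vice versa.
# Sample zone files are constructed from the post's records; paths from mktemp.
LC_ALL=C; export LC_ALL

# Print "fqdn ip" for every A record. Handles $ORIGIN, "@" and relative owner
# names; records that inherit a blank owner from the previous line are skipped.
forward_records() {
    awk -v origin="$2" '
        { sub(/;.*/, "") }                              # strip comments
        $1 == "$ORIGIN" { origin = $2; sub(/\.$/, "", origin); next }
        $2 == "IN" && $3 == "A" {
            name = $1
            if (name == "@")          name = origin
            else if (name !~ /\.$/)   name = name "." origin
            else                      sub(/\.$/, "", name)
            print name, $4
        }' "$1"
}

# Print "fqdn ip" for every PTR record under a <prefix>.in-addr.arpa origin,
# reversing the owner octets back into a dotted-quad address.
reverse_records() {
    awk -v rorigin="$2" '
        function rev(s,    n, a, i, out) {
            n = split(s, a, "."); out = a[n]
            for (i = n - 1; i >= 1; i--) out = out "." a[i]
            return out
        }
        BEGIN { sub(/\.in-addr\.arpa\.?$/, "", rorigin); prefix = rev(rorigin) }
        { sub(/;.*/, "") }
        $2 == "IN" && $3 == "PTR" {
            owner = $1
            if (owner ~ /\.in-addr\.arpa\.$/) {          # absolute owner name
                sub(/\.in-addr\.arpa\.$/, "", owner); ip = rev(owner)
            } else {                                     # relative to origin
                ip = prefix "." rev(owner)
            }
            name = $4; sub(/\.$/, "", name)
            print name, ip
        }' "$1"
}

# Usage: check_forward_reverse FWD_FILE FWD_ORIGIN REV_FILE REV_ORIGIN
# Prints each mismatch; returns the number of mismatches (0 = consistent).
check_forward_reverse() {
    f=$(mktemp); r=$(mktemp)
    forward_records "$1" "$2" | sort -u > "$f"
    reverse_records "$3" "$4" | sort -u > "$r"
    comm -23 "$f" "$r" | sed 's/^/MISSING PTR for A:  /'
    comm -13 "$f" "$r" | sed 's/^/MISSING A for PTR:  /'
    n=$(comm -3 "$f" "$r" | wc -l | tr -d ' ')
    rm -f "$f" "$r"
    return "$n"
}

# Constructed samples: a subset of the post's records, plus one stray PTR.
FWD=$(mktemp); REV=$(mktemp)
trap 'rm -f "$FWD" "$REV"' EXIT
cat > "$FWD" <<'EOF'
$ORIGIN example.com.
$TTL 86400
@       IN  SOA primary-dns.example.com. hostmaster.example.com. ( 201508061 7200 300 604800 60 )
        IN  NS  primary-dns.example.com.
primary-dns     IN  A   192.168.15.199   ; no PTR in the reverse zone
primary01       IN  A   192.168.15.11
primary01-priv  IN  A   192.168.24.11
primary01-vip   IN  A   192.168.15.111
primary-nas     IN  A   192.168.15.101
primary-cluster-scan IN A 192.168.15.81
primary-cluster-scan IN A 192.168.15.82
EOF
cat > "$REV" <<'EOF'
$TTL 86400
@       IN  SOA primary-dns.example.com. hostmaster.example.com. ( 201508061 7200 300 604800 60 )
@       IN  NS  primary-dns.example.com.
11.15   IN  PTR primary01.example.com.
11.24   IN  PTR primary01-priv.example.com.
111.15  IN  PTR primary01-vip.example.com.
101.15  IN  PTR primary-nas.example.com.
81.15   IN  PTR primary-cluster-scan.example.com.
82.15   IN  PTR primary-cluster-scan.example.com.
102.15  IN  PTR primary-nas2.example.com.   ; constructed: no such A record
EOF

mismatches=0
check_forward_reverse "$FWD" example.com "$REV" 168.192.in-addr.arpa || mismatches=$?
echo "forward/reverse mismatches: $mismatches"
```

Against the real files the call is check_forward_reverse /var/named/example.com.zone example.com /var/named/168.192.zone 168.192.in-addr.arpa. The parser covers the syntax used in these two files (class IN written out, one owner per record); it does not handle records that inherit a blank owner, $ORIGIN changes inside the reverse file, or IPv6 (ip6.arpa) zones.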

Open port 53 on both TCP and UDP in the public zone persistently (TCP is needed for responses larger than 512 bytes and for zone transfers). The firewall rule admits any source; the allow-query list in named.conf is what limits who actually gets an answer.
[root@primary-dns ~]# firewall-cmd --permanent --zone=public --add-port=53/tcp
success
[root@primary-dns ~]# firewall-cmd --permanent --zone=public --add-port=53/udp
success
[root@primary-dns ~]# firewall-cmd --reload
success

If you're running on Enterprise Linux 6, you may refer to the post:
How to Open Ports on IPTables and Survives Through Reboots on Enterprise Linux 6 and 7

Enable named.service
[root@primary-dns ~]# systemctl enable named
ln -s '/usr/lib/systemd/system/named.service' '/etc/systemd/system/multi-user.target.wants/named.service'

Start named.service right away.
[root@primary-dns ~]# systemctl start named
Let's see the status in normal situations.
[root@primary-dns ~]# systemctl status named -l
named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled)
   Active: active (running) since Thu 2015-08-06 19:48:59 CST; 2min 38s ago
  Process: 10238 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 10250 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 10248 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)
 Main PID: 10252 (named)
   CGroup: /system.slice/named.service
           └─10252 /usr/sbin/named -u named

Aug 06 19:48:59 primary-dns.example.com named[10252]: zone 0.in-addr.arpa/IN: loaded serial 0
Aug 06 19:48:59 primary-dns.example.com named[10252]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Aug 06 19:48:59 primary-dns.example.com named[10252]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Aug 06 19:48:59 primary-dns.example.com named[10252]: zone localhost/IN: loaded serial 0
Aug 06 19:48:59 primary-dns.example.com named[10252]: zone example.com/IN: loaded serial 201508061
Aug 06 19:48:59 primary-dns.example.com named[10252]: zone localhost.localdomain/IN: loaded serial 0
Aug 06 19:48:59 primary-dns.example.com named[10252]: zone 168.192.in-addr.arpa/IN: loaded serial 201508061
Aug 06 19:48:59 primary-dns.example.com named[10252]: all zones loaded
Aug 06 19:48:59 primary-dns.example.com named[10252]: running
Aug 06 19:48:59 primary-dns.example.com systemd[1]: Started Berkeley Internet Name Domain (DNS).

Test the service with nslookup for a name in the zone, e.g. primary-cluster-scan.example.com, from a client that uses 192.168.15.199 as its resolver.
[root@primary01 ~]# nslookup primary-cluster-scan.example.com
Server:         192.168.15.199
Address:        192.168.15.199#53

Name:   primary-cluster-scan.example.com
Address: 192.168.15.83
Name:   primary-cluster-scan.example.com
Address: 192.168.15.81
Name:   primary-cluster-scan.example.com
Address: 192.168.15.82

All three A records for the SCAN name are returned, in rotated order. We're done.
