Set up DNS on Red Hat Linux 6

Let us see in this article how to configure a DNS server (BIND) on Red Hat Linux 6.

Those who have configured DNS on releases earlier than Red Hat Linux 6 should note that the caching-nameserver package no longer exists: its configuration now ships with the bind package, so nothing extra needs to be installed. You will not find a caching-nameserver rpm in the Packages directory of the installation media.

Comment out the /etc/hosts entries

The purpose of a DNS server is centralized name resolution, so the hosts the server will resolve should not also be hard-coded in /etc/hosts. With the default /etc/nsswitch.conf (hosts: files dns) the resolver consults /etc/hosts before DNS, and a stale entry there would silently mask whatever the DNS server answers. For this setup the host entries are commented out (a leading # comments out a line); the localhost line stays. Note the format: IP address first, then the name.

cat /etc/hosts
127.0.0.1 localhost
# 192.168.1.21 node1.prajeeth.com
# 192.168.1.22 node2.prajeeth.com
Set hostname

Edit /etc/sysconfig/network and set the HOSTNAME parameter to the fully qualified name of the machine.

cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=node1.prajeeth.com
GATEWAY=192.168.1.1

Use the hostname command to apply the new name to the running system; the file above takes effect on the next boot.

# hostname node1.prajeeth.com
Install Packages

BIND is the software that provides the DNS server (the named daemon) on Linux systems. To run it here you need two packages:

bind
The named daemon and its tools: named-checkconf, named-checkzone and rndc. (dig, host and nslookup, used later for verification, come from bind-utils, which is usually already installed.)
bind-chroot
The /var/named/chroot tree and the ROOTDIR=/var/named/chroot setting in /etc/sysconfig/named, which makes the init script start named chrooted to that tree (named -t), so that a compromised named can see nothing outside it.

To install bind and bind-chroot, change to the directory where the RPM packages are on your installation media; for me it is /media/RHEL_6.5 x86_64 Disc 1/Packages. Install the two packages with rpm:

# rpm -ivh bind-9.8.2-0.17.rc1.el6_4.6.x86_64.rpm
warning: bind-9.8.2-0.17.rc1.el6_4.6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing...                ########################################### [100%]
   1:bind                   ########################################### [100%]

# rpm -ivh bind-chroot-9.8.2-0.17.rc1.el6_4.6.x86_64.rpm
warning: bind-chroot-9.8.2-0.17.rc1.el6_4.6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing...                ########################################### [100%]
   1:bind-chroot            ########################################### [100%]
The NOKEY warning means rpm could not verify the package signatures because the Red Hat release key (key ID fd431d51) is not in the rpm keyring; rpm -i installs regardless. Import the key first (rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release) and check with rpm -K before installing, or use yum install bind bind-chroot, which verifies the signatures and resolves dependencies for you.

New Directories

Below is a tour of the directories the bind and bind-chroot packages create.

Installing the two packages creates a directory called named under /etc and under /var.

# cd /var

# ls -ld */ | grep -i named
drwxr-x---.  2 root named 4096 Aug 14  2013 named/

The following files and directories are created under /var/named:

# cd /var/named
# ls -l
total 32
drwxr-x---. 6 root  named 4096 Nov 12 16:31 chroot
drwxrwx---. 2 named named 4096 Aug 14  2013 data
drwxrwx---. 2 named named 4096 Aug 14  2013 dynamic
-rw-r-----. 1 root  named 1892 Feb 18  2008 named.ca
-rw-r-----. 1 root  named  152 Dec 15  2009 named.empty
-rw-r-----. 1 root  named  152 Jun 21  2007 named.localhost
-rw-r-----. 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx---. 2 named named 4096 Aug 14  2013 slaves

chroot is created by bind-chroot package.

The following are the directories created under /var/named/chroot

# cd chroot/
# ls -l
total 16
drwxr-x---. 2 root named 4096 Nov 12 16:31 dev
drwxr-x---. 4 root named 4096 Nov 12 16:31 etc
drwxr-x---. 3 root named 4096 Nov 12 16:31 usr
drwxr-x---. 6 root named 4096 Nov 12 16:31 var

The following are the directories created under /var/named/chroot/var

# ls -l var/
total 16
drwxrwx---. 2 named named 4096 Aug 14  2013 log
drwxr-x---. 2 root  named 4096 Aug 14  2013 named
drwxr-x---. 3 root  named 4096 Nov 12 16:31 run
drwxrwx---. 2 named named 4096 Aug 14  2013 tmp

The following are the directories created under /var/named/chroot/etc

# cd /var/named/chroot/etc

# ls -l
total 12
-rw-r--r--. 1 root root   265 Nov 12 16:31 localtime
drwxr-x---. 2 root named 4096 Aug 14  2013 named
drwxr-x---. 3 root named 4096 Nov 12 16:31 pki
Copy Configuration files to new directories

BIND depends on two configuration files:

named.conf
The main configuration: global options, logging and the list of zones.
named.rfc1912.zones
The zone definitions for the localhost and loopback zones recommended by RFC 1912; it is included from named.conf and is where our own zones go.

Samples of both are under /usr/share/doc/bind-9.8.2/sample/etc. Copy them to /var/named/chroot/etc: named is started with -t /var/named/chroot, so that directory is /etc as far as the daemon is concerned, and every path in named.conf is resolved inside the chroot. (The bind package also installs /etc/named.conf and /etc/named.rfc1912.zones; on Red Hat Linux 6 the init script bind-mounts those, together with /var/named, into the chroot at start time when the chroot does not already contain a copy. The copies made here are therefore the ones named reads, and zone files kept in /var/named are visible to the chrooted daemon under the same path.)

cd /var/named/chroot/etc
cp /usr/share/doc/bind-9.8.2/sample/etc/named.conf .
cp /usr/share/doc/bind-9.8.2/sample/etc/named.rfc1912.zones .
Edit named.rfc1912.zones

In this file you define zones. A zone can be thought of as a domain: the zones defined here are the ones your DNS server answers for authoritatively. In this setup I want every hostname under prajeeth.com resolved, plus the matching reverse lookups for 192.168.1.0/24. Each zone also gets allow-transfer { none; }: BIND's default is to answer zone transfer (AXFR) requests from any host, which would hand out the complete host list of the zone to anyone who asks.

# cat /var/named/chroot/etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "prajeeth.com" IN {
        type master;
        file "for";
        allow-update { none; };
        allow-transfer { none; };
};

zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "rev";
        allow-update { none; };
        allow-transfer { none; };
};

This DNS server is configured as master (authoritative) for both zones. Name resolution depends on two types of zone files:

Forward Lookup Zone
Used for hostname to IP address translation. The file can have any name; the name given in file is relative to the directory option in named.conf, which is /var/named.
Reverse Lookup Zone
Used for IP address to hostname translation. The same naming rule applies. The zone name is the network prefix written backwards with in-addr.arpa appended, so 192.168.1.0/24 becomes 1.168.192.in-addr.arpa.

The first zone definition, zone "prajeeth.com" IN, is the forward lookup zone and the second, zone "1.168.192.in-addr.arpa" IN, is the reverse lookup zone.

My forward lookup zone file is for and my reverse lookup zone file is rev.

Forward Lookup Zone file

Start both files from the templates that ship with bind; cp -p keeps their root:named ownership and 640 mode, so named can read them and only root can write them.

cd /var/named
cp -p named.localhost for
cp -p named.loopback rev

A reference for the zone file syntax: http://www.zonefile.org/

My forward lookup zone file is /var/named/for and is below. The SOA MNAME field names the primary server of the zone, so it is node1.prajeeth.com. rather than the zone name itself; root.prajeeth.com. is the contact address with the @ written as a dot. The serial must be increased on every edit, otherwise secondaries and caches keep serving the old data; the usual convention is YYYYMMDDnn. Every host on the network gets an A record, node2 included, so that the reverse zone below can mirror it one for one.

$TTL 1D
@       IN            SOA      node1.prajeeth.com. root.prajeeth.com. (
                               201611121     ; serial
                               86400         ; refresh
                               1H            ; retry
                               1W            ; expire
                               3H )          ; minimum
        IN            NS      node1.prajeeth.com.
node1.prajeeth.com.   A       192.168.1.21
node2.prajeeth.com.   A       192.168.1.22
localhost             A       127.0.0.1

Reverse Lookup Zone file

My reverse lookup zone file is /var/named/rev and is below. Owner names here are relative to the zone, so 21 means 21.1.168.192.in-addr.arpa, i.e. 192.168.1.21, and every PTR target is fully qualified with a trailing dot. Keep this file in step with the forward zone: every A record gets exactly one PTR.

$TTL 1D
@       IN            SOA      node1.prajeeth.com. root.prajeeth.com. (
                               201611121     ; serial
                               86400         ; refresh
                               1H            ; retry
                               1W            ; expire
                               3H )          ; minimum
        IN            NS      node1.prajeeth.com.
21      IN            PTR     node1.prajeeth.com.
22      IN            PTR     node2.prajeeth.com.
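Keeping the forward and reverse files in step by hand is where most of these setups go wrong (a host gets an A record but no PTR, or the serial is not bumped). The script below is an added example, not part of the original article: a small POSIX shell script that generates both zone files from one host inventory, derives the next YYYYMMDDnn serial from the serial already in the file, and cross-checks a pair of existing files so that every A record in the network has a matching PTR. It assumes the zone, primary server and network from this article; the host list inside it is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article. Generates the forward and
# reverse zone for prajeeth.com / 192.168.1.0/24 from one host list and checks
# that every A record has a matching PTR. The HOSTS inventory is constructed.

ZONE="prajeeth.com"
NS="node1.prajeeth.com"           # primary name server (SOA MNAME, NS record)
MAIL="root.prajeeth.com"          # root@prajeeth.com with '@' written as '.'
NET="192.168.1"                   # the /24 both zones cover

# Constructed inventory: "shortname ip", one host per line.
HOSTS="node1 192.168.1.21
node2 192.168.1.22"

# 192.168.1 -> 1.168.192.in-addr.arpa (the reverse zone's name in named.rfc1912.zones)
reverse_zone_name() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Next serial in YYYYMMDDnn form. $1 = serial currently in the file (may be
# empty), $2 = date as YYYYMMDD (defaults to today). Always returns a value
# larger than $1, so a hand-typed or 9-digit serial is superseded correctly.
next_serial() {
    awk -v d="${2:-$(date +%Y%m%d)}" -v c="$1" 'BEGIN {
        cand = d "01"
        if (c + 0 >= cand + 0) cand = sprintf("%.0f", c + 1)
        print cand
    }'
}

# $TTL, SOA and NS records shared by both zones. $1 = serial
soa_header() {
    printf '$TTL 1D\n'
    printf '@\tIN\tSOA\t%s. %s. (\n' "$NS" "$MAIL"
    printf '\t\t%s\t; serial\n\t\t1D\t; refresh\n\t\t1H\t; retry\n' "$1"
    printf '\t\t1W\t; expire\n\t\t3H )\t; minimum\n'
    printf '\tIN\tNS\t%s.\n' "$NS"
}

# Forward zone on stdout: one A record per host. $1 = serial
forward_zone() {
    soa_header "$1"
    echo "$HOSTS" | awk -v z="$ZONE" '{ printf "%s.%s.\tIN\tA\t%s\n", $1, z, $2 }'
}

# Reverse zone on stdout: one PTR per host whose address lies in $NET. $1 = serial
reverse_zone() {
    soa_header "$1"
    echo "$HOSTS" | awk -v z="$ZONE" -v n="$NET" '{
        split($2, o, ".")
        if (o[1] "." o[2] "." o[3] == n)
            printf "%s\tIN\tPTR\t%s.%s.\n", o[4], $1, z
    }'
}

# Cross-check (also for hand-edited files): report every A record in the
# forward zone ($1) inside $NET that has no matching PTR in the reverse
# zone ($2). Exit status 1 if anything is missing or names a different host.
check_pairs() {
    awk -v n="$NET" '
        BEGIN { bad = 0 }
        FNR == NR {                         # first file: the reverse zone
            for (i = 2; i < NF; i++)
                if ($i == "PTR") ptr[n "." $1] = $(i + 1)
            next
        }
        {                                   # second file: the forward zone
            for (i = 2; i < NF; i++) {
                if ($i != "A") continue
                ip = $(i + 1)
                if (index(ip, n ".") != 1) continue
                if (!(ip in ptr)) { print "missing PTR for " $1 " (" ip ")"; bad = 1 }
                else if (ptr[ip] != $1) { print "PTR for " ip " is " ptr[ip] ", expected " $1; bad = 1 }
            }
        }
        END { exit bad }' "$2" "$1"
}

# Usage: zones.sh /var/named/for /var/named/rev   (then run named-checkzone on both)
main() {
    old=$(awk '/; serial/ { print $1 }' "$1" 2>/dev/null)
    serial=$(next_serial "$old")
    forward_zone "$serial" > "$1" && reverse_zone "$serial" > "$2" && check_pairs "$1" "$2"
}

if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Run it as root in /var/named, then named-checkzone both files and restart named; rerun check_pairs alone whenever you edit the files by hand. The serial logic deliberately accepts whatever is in the file and only ever goes up, because a serial that goes down is silently ignored by caches and secondaries.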
Edit named.conf file

The most involved part of the DNS configuration is named.conf. The file below is the Red Hat sample with its access lists tightened. The sample's own values, listen-on and allow-query set to any together with recursion yes, would turn this machine into an open resolver: anyone able to reach port 53 could use it for recursive lookups, which is exactly what DNS amplification attacks and cache poisoning attempts look for. Instead, define an acl for the LAN and grant queries, cache access and recursion to it only; allow-transfer { none; } stops zone transfers to arbitrary hosts. If this server must also answer public queries for prajeeth.com, set allow-query { any; } and keep allow-recursion { lan; }.

cat /var/named/chroot/etc/named.conf
/*
 Sample named.conf BIND DNS server 'named' configuration file
 for the Red Hat BIND distribution.

 See the BIND Administrator's Reference Manual (ARM) for details, in:
   file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
 Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
 its manual.
http://ftp.isc.org/isc/bind/9.8.0-P1/doc/arm/Bv9ARM.ch06.html
*/

// Hosts allowed to query this server and to use it as a recursive resolver.
acl "lan" { 127.0.0.1; ::1; 192.168.1.0/24; };

options
{
        directory               "/var/named";
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";

        listen-on port 53       { 127.0.0.1; 192.168.1.21; };
        listen-on-v6 port 53    { ::1; };

        allow-query             { lan; };
        allow-query-cache       { lan; };
        allow-recursion         { lan; };
        allow-transfer          { none; };

        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};

logging
{
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

include "/etc/named.rfc1912.zones";

The include path is written as named sees it from inside the chroot, i.e. it refers to the file copied to /var/named/chroot/etc above.

Set Permission for Forward Lookup Zone and Reverse Lookup Zone files

named runs as the user named, so the zone files must be readable by group named and should be writable by root only (mode 640, which cp -p preserved from the templates):

# cd /var/named
# chown root:named for
# chown root:named rev
Set the DNS server IP Address

Point the resolver at the DNS server by adding its IP address to /etc/resolv.conf. This has to be done on every machine that depends on DNS for name resolution, the DNS server itself included.

# cat /etc/resolv.conf
search prajeeth.com
nameserver 192.168.1.21
Start the DNS daemon

Start the daemon with the service command as root. If the start fails, the cause (a syntax error in named.conf, a zone file that cannot be loaded) is logged to /var/log/messages.

# service named start
Starting named:                                            [  OK  ]

To start this service upon server reboots, enable this service using chkconfig command.

# chkconfig named on
# chkconfig --list named
named           0:off   1:off   2:on    3:on    4:on    5:on    6:off

This shows that named starts automatically in run levels 2, 3, 4 and 5.

Verification

If all is well, nslookup returns the answer from the new server; the Server line shows which resolver answered.

# nslookup node1.prajeeth.com
Server:         192.168.1.21
Address:        192.168.1.21#53

Name:   node1.prajeeth.com
Address: 192.168.1.21

Use ping to check that the name resolves; it should print the IP address of the DNS server next to the name.

Caution: ping resolves names through the system resolver, which consults /etc/hosts before DNS, so a matching entry there would make this test pass without DNS being involved at all. That is why those entries were commented out above.

# ping node1.prajeeth.com
PING node1.prajeeth.com (192.168.1.21) 56(84) bytes of data.
64 bytes from node1.prajeeth.com (192.168.1.21): icmp_seq=1 ttl=64 time=0.034 ms
64 bytes from node1.prajeeth.com (192.168.1.21): icmp_seq=2 ttl=64 time=0.081 ms
64 bytes from node1.prajeeth.com (192.168.1.21): icmp_seq=3 ttl=64 time=0.065 ms
64 bytes from node1.prajeeth.com (192.168.1.21): icmp_seq=4 ttl=64 time=0.065 ms

Use named-checkzone to validate a zone file and to see which serial it carries; run it (and named-checkconf -t /var/named/chroot /etc/named.conf, which resolves the include path inside the chroot) after every edit and before restarting named. named-checkzone takes the zone name and the path of the zone file, not a hostname:

# named-checkzone prajeeth.com /var/named/for
zone prajeeth.com/IN: loaded serial 201611121
OK

The first parameter, prajeeth.com, is the name of the zone and the second is the zone file. The serial displayed is the one from the SOA record of your forward lookup zone file; if it did not change after an edit, the new data will not be picked up by caches and secondaries. Check the reverse zone the same way with the zone name 1.168.192.in-addr.arpa and the file /var/named/rev.

Do a forward lookup and a reverse lookup using the host command.

# host 192.168.1.21
21.1.168.192.in-addr.arpa domain name pointer node1.prajeeth.com.

# host 192.168.1.22
22.1.168.192.in-addr.arpa domain name pointer node2.prajeeth.com.

# host node1.prajeeth.com
node1.prajeeth.com has address 192.168.1.21

Finally, confirm the access restrictions from a host outside your network: a recursive query such as dig @192.168.1.21 example.com and a zone transfer such as dig @192.168.1.21 prajeeth.com axfr should both be refused from there. If either one is answered, revisit allow-query, allow-recursion and allow-transfer in named.conf and in the zone definitions.

Caveats

If the interface is managed by NetworkManager, you will find that your entry in /etc/resolv.conf is overwritten with the DNS1 (and DNS2) values from /etc/sysconfig/network-scripts/ifcfg-eth0. So set the DNS1 parameter in that file to the IP address of your DNS server.

NM_CONTROLLED=yes in /etc/sysconfig/network-scripts/ifcfg-eth0 means the interface is managed by NetworkManager.

# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
UUID=2b83aefc-4cc7-4851-bbe2-be3bf3452c1f
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
HWADDR=00:0C:29:98:CD:A7
IPADDR=192.168.1.22
PREFIX=24
GATEWAY=192.168.1.1
DNS1=192.168.1.21
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME=eth0

Check if NetworkManager is turned on.

[root@node2 network-scripts]# chkconfig --list NetworkManager
NetworkManager  0:off   1:off   2:on    3:on    4:on    5:on    6:off

You can disable NetworkManager with chkconfig (it is not needed on a server with static addresses; use service NetworkManager stop as well to stop the running instance):

# chkconfig NetworkManager off
Note

Even without NetworkManager, service network restart (or ifup) rewrites /etc/resolv.conf from the DNS1 and DNS2 parameters of the ifcfg file unless PEERDNS=no is set there, so a nameserver line typed into /etc/resolv.conf alone does not survive a network restart. Either set DNS1 to your DNS server, or set PEERDNS=no and maintain /etc/resolv.conf yourself.

Allow Firewall to accept TCP and UDP on port 53

If a client's nslookup complains as below

# nslookup node2
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached

or your ping says

# ping node2
ping: unknown host node2

while the same lookups work on the server itself, the server's firewall is dropping the queries. On Red Hat Linux 6 the rules live in /etc/sysconfig/iptables; add the two lines below to the INPUT chain above its final REJECT rule (rules placed after it are never evaluated) and run service iptables restart. DNS uses UDP for ordinary queries and TCP for truncated answers and zone transfers, so both are needed. Restricting the source to your own network with -s is a second line of defence beside the allow-query list in named.conf.

-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
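Getting the rule position right is the usual stumbling block, so here is an added example, not part of the original article: a POSIX shell script that inserts the two port-53 rules into an /etc/sysconfig/iptables style ruleset in front of the INPUT chain's terminating REJECT rule, limited to a source network, together with a check that tells a reachable rule apart from one that was appended behind the REJECT. The ruleset embedded in it is a constructed copy of the Red Hat Linux 6 default; the file path and the network are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article. Inserts the port-53 rules
# into an iptables-save style ruleset (/etc/sysconfig/iptables on RHEL 6) in
# front of the INPUT chain's REJECT/DROP rule and limits them to one network.

# Constructed sample in the format of the RHEL 6 default ruleset.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print the ruleset in $1 with TCP and UDP port 53 accepted from $2 (a CIDR),
# inserted once, just above the first REJECT/DROP in INPUT (or above COMMIT
# if the chain has no terminating rule). The input file is left untouched.
add_dns_rules() {
    awk -v src="$2" '
        !done && ((/^-A INPUT / && /-j (REJECT|DROP)/) || /^COMMIT/) {
            printf "-A INPUT -s %s -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT\n", src
            printf "-A INPUT -s %s -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT\n", src
            done = 1
        }
        { print }
    ' "$1"
}

# Succeed only if both port-53 ACCEPT rules in $1 sit before the INPUT chain
# reaches REJECT/DROP: iptables evaluates top to bottom and stops at the
# first match, so a rule appended behind the REJECT never sees a packet.
dns_rules_reachable() {
    awk '
        /^-A INPUT / && /-j (REJECT|DROP)/ { blocked = 1 }
        /^-A INPUT / && /-p tcp/ && /--dport 53/ && /-j ACCEPT/ && !blocked { tcp = 1 }
        /^-A INPUT / && /-p udp/ && /--dport 53/ && /-j ACCEPT/ && !blocked { udp = 1 }
        END { exit !(tcp && udp) }
    ' "$1"
}

# Usage: add-dns-rules.sh /etc/sysconfig/iptables 192.168.1.0/24 > /tmp/iptables.new
# then review the result, copy it into place and run: service iptables restart
if [ "$#" -eq 2 ]; then
    add_dns_rules "$1" "$2"
fi
```

The script writes to stdout rather than editing /etc/sysconfig/iptables in place so the result can be reviewed (and checked with dns_rules_reachable) before iptables-restore ever sees it; a ruleset with a typo locks you out of the box just as effectively as a missing rule.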