Hello all,

I am back from the land of RHCE/RHCSA training and back on with my server projects. The one I wanted to get nailed down this week is local DNS for caching (speed) and also so I can set up my servers and routers etc. on there so SSH is even easier (“server” instead of 192.168….).

First step is obviously packages!

yum install bind

Once done, we need to allow DNS through the firewall, so add a few rules, similar to below:

iptables -t filter -I INPUT -s 192.168.0.0/24 -p tcp --dport 53 -j ACCEPT
iptables -t filter -I INPUT -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT

Next, we need to get configuring. The majority of the work is done in “/etc/named.conf”, so let’s look there first.

There are a few things we need to add or modify in here, so that our configuration file looks similar to below:

/etc/named.conf
...
options {
 listen-on port 53 { any; };
 listen-on-v6 port 53 { ::1; };
 directory "/var/named/";
 dump-file "/var/named/data/cache_dump.db";
 statistics-file "/var/named/data/named_stats.txt";
 memstatistics-file "/var/named/data/named_mem_stats.txt";
 allow-query { 192.168.0.0/24; };
 recursion yes;
...

We need to change the listen-on port 53 line to { any; }, and we also need to set which IPs / subnet are allowed to query this DNS server with allow-query. Don’t forget the semicolons! Keeping allow-query limited to the local subnet is what stops a recursive server like this from being an open resolver that anyone on the internet can use, so leave it in place even with the firewall rules above.

Once we have modified this section, we next need to add the line:

/etc/named.conf
...
forwarders { 8.8.8.8; };
...

This line (it sits inside the options block) tells our BIND server where to send lookups it cannot answer itself, so it can cache the answers for the future. At this stage we now have a caching-only DNS server, which is great. After restarting BIND (service named restart), we can start to do some digs and make sure we are cooking with gas.
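As an added example (not from the original post), the shell script below checks the part of named.conf that decides whether a recursive server is exposed: it pulls the options block out of a config, reads recursion and the client ACL, and reports “open” when recursion is on and the ACL contains any. It needs only sh, awk and sed, assumes BIND 9 syntax with one directive per line, and the two sample configs are constructed for the demo (one matches the post, one is the weak setting).

```shell
#!/bin/sh
# Added example (not from the original post): classify a BIND named.conf by
# whether its options block leaves named running as an open recursive
# resolver. Needs only sh, awk and sed; BIND does not have to be installed.
# Assumptions: BIND 9 syntax, one options block, one directive per line.

# Print the options { ... } block from config text ($1), tracking brace depth
# so a nested multi-line block such as "forwarders { ... };" does not end it.
options_block() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*options[[:space:]]*[{]/ { inblk = 1 }
        inblk {
            print
            depth += gsub(/[{]/, "{")
            depth -= gsub(/[}]/, "}")
            if (depth == 0) exit
        }
    '
}

# Value of a plain "name value;" directive ($1 = config text, $2 = name);
# empty when the directive is absent.
option_value() {
    options_block "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*\([^;]*\);.*/\1/p" | head -n 1
}

# Contents of a brace list such as allow-query { a; b; }; with whitespace
# removed, e.g. "any;" or "192.168.0.0/24;"; empty when absent.
option_list() {
    options_block "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*{\([^}]*\)}.*/\1/p" |
        head -n 1 | tr -d ' \t'
}

# Print one of:
#   authoritative-only  recursion is explicitly off
#   open                recursion on and the client ACL contains any
#   closed              recursion on, ACL limited (or BIND's localnets default)
# Returns 1 only for "open", so a deployment script can gate on it.
resolver_exposure() {
    rec=$(option_value "$1" recursion)
    [ -z "$rec" ] && rec=yes          # BIND defaults recursion to yes
    if [ "$rec" = "no" ]; then
        echo authoritative-only
        return 0
    fi
    # allow-recursion, when present, governs recursive clients; otherwise
    # BIND falls back to allow-query, which is what the post relies on.
    acl=$(option_list "$1" allow-recursion)
    [ -z "$acl" ] && acl=$(option_list "$1" allow-query)
    case ";$acl" in
        *";any;"*|*";0.0.0.0/0;"*)
            echo open
            return 1 ;;
        *)
            echo closed
            return 0 ;;
    esac
}

# Constructed sample configs for the demo.
LAN_CONF='options {
 listen-on port 53 { any; };
 directory "/var/named/";
 allow-query { 192.168.0.0/24; };
 recursion yes;
 forwarders {
  8.8.8.8;
 };
};
zone "." IN { type hint; file "named.ca"; };'

OPEN_CONF='options {
 listen-on port 53 { any; };
 allow-query { any; };
 recursion yes;
};'

# Stand-alone run: the post's layout is "closed", the weak one is "open".
printf 'lan.conf:  %s\n' "$(resolver_exposure "$LAN_CONF")"
printf 'open.conf: %s\n' "$(resolver_exposure "$OPEN_CONF")"
```

To run it against a live server, pass the file contents: resolver_exposure "$(cat /etc/named.conf)". The check deliberately reads allow-recursion before allow-query, because when both are present BIND uses the former for recursive clients.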

1. Dig against Google’s DNS Servers:

[root@server etc]# dig @8.8.8.8 google.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35220
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
...
google.com. 292 IN A 173.194.41.168
google.com. 292 IN A 173.194.41.166
google.com. 292 IN A 173.194.41.169
;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Apr 22 13:29:43 2013
;; MSG SIZE rcvd: 204

2. Dig against Local Server (after an initial lookup):

[root@server etc]# dig @192.168.0.10 google.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> @192.168.0.10 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9477
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 294 IN A 173.194.41.169
...
google.com. 294 IN A 173.194.41.174
;; AUTHORITY SECTION:
. 18162 IN NS k.root-servers.net.
...
. 18162 IN NS g.root-servers.net.
. 18162 IN NS c.root-servers.net.
. 18162 IN NS e.root-servers.net.
;; Query time: 1 msec
;; SERVER: 192.168.0.10#53(192.168.0.10)
;; WHEN: Mon Apr 22 13:27:03 2013
;; MSG SIZE rcvd: 415

We can see straight away that we are taking 1ms, instead of 26ms, to resolve google.com – so this should enhance our end-user experience no end.
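The comparison above is done by eye; as an added example (not from the original post), the script below pulls the query time, answer count and TTL out of dig output and applies the test that actually proves caching, namely that a repeat query to the same server comes back faster with a TTL that has counted down. The two captures are constructed for the example and trimmed to the lines the functions read; real output from dig @192.168.0.10 google.com works the same way.

```shell
#!/bin/sh
# Added example (not from the original post): parse "dig" output so the
# cache check can be scripted. The two captures below are constructed and
# cut down to the lines the functions read.

# Query time in milliseconds from dig output ($1 = captured text).
query_time_ms() {
    printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p'
}

# ANSWER count from the flags line.
answer_count() {
    printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p'
}

# TTL of the first A record in the ANSWER SECTION.
answer_ttl() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { ans = 1; next }
        ans && $4 == "A"     { print $2; exit }
    '
}

# Two consecutive queries to the same server: the second was served from
# cache if it came back faster and its TTL has counted down rather than
# being reset to the upstream value. $1 = first capture, $2 = second.
looks_cached() {
    t1=$(query_time_ms "$1"); t2=$(query_time_ms "$2")
    ttl1=$(answer_ttl "$1");  ttl2=$(answer_ttl "$2")
    [ -n "$t1" ] && [ -n "$t2" ] && [ -n "$ttl1" ] && [ -n "$ttl2" ] &&
        [ "$t2" -lt "$t1" ] && [ "$ttl2" -lt "$ttl1" ]
}

# Constructed captures: a cold lookup (forwarded upstream) and a warm one.
COLD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 299 IN A 173.194.41.168
google.com. 299 IN A 173.194.41.166
google.com. 299 IN A 173.194.41.169
;; Query time: 38 msec
;; SERVER: 192.168.0.10#53(192.168.0.10)'

WARM=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 294 IN A 173.194.41.168
google.com. 294 IN A 173.194.41.166
google.com. 294 IN A 173.194.41.169
;; Query time: 1 msec
;; SERVER: 192.168.0.10#53(192.168.0.10)'

# Stand-alone run.
printf 'cold: %s ms, ttl %s, %s answers\n' \
    "$(query_time_ms "$COLD")" "$(answer_ttl "$COLD")" "$(answer_count "$COLD")"
printf 'warm: %s ms, ttl %s, %s answers\n' \
    "$(query_time_ms "$WARM")" "$(answer_ttl "$WARM")" "$(answer_count "$WARM")"
if looks_cached "$COLD" "$WARM"; then echo "second answer came from cache"; fi
```

Comparing the local answer with one from 8.8.8.8 taken at a different moment, as the post does, tells you the speed difference but not where the answer came from; two queries to the local server in a row do, because only a cached answer keeps counting its TTL down.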

Setting up local DNS

Now that we have DNS working, we need to add our master zone and start adding our own records (Server = 192.168.0.10, for example). To do this, we need to first add our zone in our config file:

/etc/named.conf
zone "sam-marsh.net" IN {
 type master;
 file "/var/named/chroot/var/named/sam-marsh.net.hosts";
};

This basically tells our BIND server that we have a new “master” zone, called “sam-marsh.net”, and its file is at the above location. I haven’t had enough time to read up fully on getting this working, but using “sam-marsh.net.hosts” failed, but giving it the FQDN into the chroot (probably a rather big faux pas!) seemed to get it working for me. One of those “Let’s just get it working!” examples.

Next, after adding the above section, we need to create our “sam-marsh.net.hosts” file, containing information as below:

[root@server etc]# cat /var/named/chroot/var/named/sam-marsh.net.hosts
$TTL 38400
sam-marsh.net. IN SOA server.localdomain. sam.default.com. (
 1366632342 ; serial: increase it every time this file is edited
 10800      ; refresh
 3600       ; retry
 604800     ; expire
 38400 )    ; minimum (negative caching TTL)
sam-marsh.net. IN NS server.localdomain.
server.sam-marsh.net. IN A 192.168.0.10
opsview.sam-marsh.net. IN A 192.168.0.35
router.sam-marsh.net. IN A 192.168.0.254

This is all we need to do. Obviously, if you have more records (MX / TXT / CNAME), add them here accordingly. Finally, let’s do a “service named restart”, and that should get our service running with our new zone and new records as above. We can then do “ssh [email protected]”, and this will resolve (magically!) to our 192.168.0.10 IP address, as below:
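As an added example (not from the original post), the script below generates a zone file of the same shape from a short host list, computes the next SOA serial, and checks the zone for the mistake that most often stops it loading cleanly: an in-zone NS target with no A record. The zone name, host names and addresses are the post's; pointing the NS at server.sam-marsh.net. (inside the zone) rather than server.localdomain., the hostmaster.sam-marsh.net. mailbox and the YYYYMMDDnn serial convention are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): build a zone file from a host
# list, compute the next serial, and sanity-check NS targets. Zone and hosts
# come from the post; the in-zone NS, hostmaster mailbox and date-based
# serial are assumptions made here.

# Constructed host list, "name address" per line (records from the post).
HOSTS='server 192.168.0.10
opsview 192.168.0.35
router 192.168.0.254'

# Write a complete zone file to stdout.
# $1 zone apex (no trailing dot)  $2 short name of the primary NS (in-zone)
# $3 SOA serial                   $4 host list as in HOSTS
make_zone() {
    zone=$1 ns=$2 serial=$3 hosts=$4
    cat <<EOF
\$TTL 38400
$zone. IN SOA $ns.$zone. hostmaster.$zone. (
 $serial ; serial: must increase on every edit
 10800   ; refresh
 3600    ; retry
 604800  ; expire
 38400 ) ; minimum (negative caching TTL)
$zone. IN NS $ns.$zone.
EOF
    printf '%s\n' "$hosts" | while read -r name addr; do
        if [ -n "$name" ]; then
            printf '%s.%s. IN A %s\n' "$name" "$zone" "$addr"
        fi
    done
}

# Next serial in the YYYYMMDDnn convention: same day -> nn + 1, otherwise
# today with nn = 01. $1 = current serial. A serial that never changes means
# a secondary server will never notice the zone was edited.
next_serial() {
    today=$(date +%Y%m%d)
    case $1 in
        "$today"*) echo $(( $1 + 1 )) ;;
        *)         echo "${today}01" ;;
    esac
}

# Every NS target inside the zone must own an A record. $1 = zone text,
# $2 = zone apex. Prints the offenders and returns 1 if any are found.
ns_targets_have_a() {
    printf '%s\n' "$1" | awk -v z="$2." '
        $3 == "NS" && substr($4, length($4) - length(z) + 1) == z { want[$4] = 1 }
        $3 == "A" { have[$1] = 1 }
        END {
            for (n in want) if (!(n in have)) { print "no A record for " n; bad = 1 }
            exit bad
        }
    '
}

# Stand-alone run.
ZONE=$(make_zone sam-marsh.net server 2013042201 "$HOSTS")
printf '%s\n' "$ZONE"
ns_targets_have_a "$ZONE" sam-marsh.net && echo "zone is self-consistent"
echo "next serial: $(next_serial 2013042201)"
```

Write the output to the file named in the zone stanza, bump the serial with next_serial on every edit, then run the restart from the post; with the real BIND tools installed, named-checkzone sam-marsh.net <file> is the authoritative check to run before restarting.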

[root@server etc]# ssh [email protected]
###############################################################
# Authorized access only! #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
# All actions Will be monitored and recorded #
###############################################################
[email protected]'s password:

And that is the basic “how-to” for setting up BIND!

Sam