Linux Help Desk

Linux Help Desk

Thursday, April 2, 2015

Setup DNS Server step by step in CentOS 6.5 RHEL 6.5

DNS (Domain Name System) is the core component of network infrastructure. The DNS service resolves hostname into ip address and vice versa. For example if we type example.com in browser, the DNS server translates the domain name into its corresponding ip address. So it makes us easy to remember the domain names instead of its ip address.

DNS Server Installation in CentOS 6.5
This how-to tutorial will show you how to install and configure Primary and Secondary DNS server. The steps provided here were tested in CentOS 6.5 edition, but it should work in RHEL 6.x too.

Scenario:


Here are my test setup scenario

[A] Primary(Master) DNS Server Details:

Operating System     : CentOS 6.5 (Minimal Server)
Hostname             : masterdns.example.com
IP Address           : 192.168.1.200/24

[B] Secondary(Slave) DNS Server Details:

Operating System     : CentOS 6.5 (Minimal Server)
Hostname             : slavedns.example.com
IP Address           : 192.168.1.201/24 

Setup Primary(Master) DNS Server

[root@masterdns ~]# yum install bind* -y

1. Configure DNS Server
The main configuration of the DNS will look like below. Edit and add the entries below which were marked as bold in this configuration files.

[root@masterdns ~]# vi /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; 192.168.1.200;};                      ## Master DNS IP ##
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query     { localhost; 192.168.1.0/24; };                      ## IP Range ##
allow-transfer{ localhost; 192.168.1.201; };                        ## Slave DNS IP ## 
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
type hint;
file "named.ca";
};
zone"example.com" IN {
type master;
file "fwd.example.com";
allow-update { none; };
};
zone"1.168.192.in-addr.arpa" IN {
type master;
file "rev.example.com";
allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

2. Create Zone files


Now we should create forward and reverse zone files which we mentioned in the ‘/etc/named.conf’ file.
[A] Create Forward Zone
Create ‘fwd.example.com’ file in the ‘/var/named’ directory and add the entries for forward zone as shown below.

[root@masterdns ~]# vi /var/named/fwd.example.com
$TTL 86400
@   IN  SOA     masterdns.example.com. root.example.com. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@IN  NS      masterdns.example.com.
@IN  NS     slavedns.example.com.masterdns     IN  A    192.168.1.200
slavedns     IN  A   192.168.1.201

[B] Create Reverse Zone
Create ‘rev.example.com’ file in the ‘/var/named’ directory and add the entries for reverse zone as shown below.

[root@masterdns ~]# vi /var/named/rev.example.com
$TTL 86400
@   IN  SOA     masterdns.example.com. root.example.com. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@IN  NS      masterdns.example.com.
@IN  NS      slavedns.example.com.
masterdnsIN  A   192.168.1.200
slavedns IN  A   192.168.1.201
200       IN  PTR     masterdns.example.com.
201      IN  PTR    slavedns.example.com.

3. Start the bind service

[root@masterdns ~]# service named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]
[root@masterdns ~]# chkconfig named on

4. Allow DNS Server through iptables
Add the lines shown in bold letters in ‘/etc/sysconfig/iptables’ file. This will allow all clients to access the DNS server.

[root@masterdns ~]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 53 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

5. Restart iptables to save the changes


[root@masterdns ~]# service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]

6. Test syntax errors of DNS configuration and zone files
[A] Check DNS Config file

[root@masterdns ~]# named-checkconf /etc/named.conf
[root@masterdns ~]# named-checkconf /etc/named.rfc1912.zones

[B] Check zone files

[root@masterdns ~]# named-checkzone example.com /var/named/fwd.example.com
zone example.com/IN: loaded serial 2011071001
OK
[root@masterdns ~]# named-checkzone example.com /var/named/rev.example.com
zone example.com/IN: loaded serial 2011071001
OK
[root@masterdns ~]#

7. Test DNS Server

Method A:

[root@masterdns ~]# dig masterdns.example.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> masterdns.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11496
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;masterdns.example.com.INA
;; ANSWER SECTION:
masterdns.example.com. 86400INA192.168.1.200
;; AUTHORITY SECTION:
example.com.86400INNSmasterdns.example.com.
example.com.86400INNSslavedns.example.com.
;; ADDITIONAL SECTION:
slavedns.example.com.86400INA192.168.1.201
;; Query time: 5 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Mar  3 12:48:35 2013
;; MSG SIZE  rcvd: 110

Method B:


[root@masterdns ~]# dig -x 192.168.1.200
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> -x 192.168.1.200
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40891
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;200.1.168.192.in-addr.arpa.INPTR
;; ANSWER SECTION:
200.1.168.192.in-addr.arpa. 86400 INPTRmasterdns.example.com.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa.86400INNSmasterdns.example.com.
1.168.192.in-addr.arpa.86400INNSslavedns.example.com.
;; ADDITIONAL SECTION:
masterdns.example.com. 86400INA192.168.1.200
slavedns.example.com.86400INA192.168.1.201
;; Query time: 6 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Mar  3 12:49:53 2013
;; MSG SIZE  rcvd: 150

Method C:

[root@masterdns ~]# nslookup masterdns
Server:192.168.1.200
Address:192.168.1.200#53
Name:masterdns.example.com
Address: 192.168.1.200

Thats it. Now the Primary DNS server is ready

Setup Secondary(Slave) DNS Server

[root@slavedns ~]# yum install bind* -y

1. Configure Slave DNS Server

Open the main configuration file ‘/etc/named.conf’ and add the lines as shown in bold letters.

[root@slavedns ~]# vi /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; 192.168.1.201; };                    ## Slve DNS IP ##     
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query     { localhost; 192.168.1.0/24; };                     ## IP Range ##  
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
type hint;
file "named.ca";
};
zone"example.com" IN {
type slave;
file "slaves/ostechnix.fwd";
masters { 192.168.1.200; };
};
zone"1.168.192.in-addr.arpa" IN {
type slave;
file "slaves/ostechnix.rev";
masters { 192.168.1.200; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

2. Start the DNS Service

[root@slavedns ~]# service named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]
[root@slavedns ~]# chkconfig named on

Now the forward and reverse zones are automatically replicated from Master DNS server to Slave DNS server.
To verify, goto DNS database location(i.e ‘/var/named/slaves’) and use command ‘ls’.

[root@slavedns ~]# cd /var/named/slaves/
[root@slavedns slaves]# ls
ostechnix.fwd  ostechnix.rev

The forward and reverse zones are automatically replicated from Master DNS. Now check the zone files whether the correct zone files are replicated or not.
[A] Check Forward zone:

[root@slavedns slaves]# cat ostechnix.fwd
$ORIGIN .
$TTL 86400; 1 day
example.comIN SOAmasterdns.example.com. root.example.com. (
2011071001 ; serial
3600       ; refresh (1 hour)
1800       ; retry (30 minutes)
604800     ; expire (1 week)
86400      ; minimum (1 day)
)
NSmasterdns.example.com.
NSslavedns.example.com.
$ORIGIN example.com.
masterdnsA192.168.1.200
slavedns A192.168.1.201

[B] Check Reverse zone:

[root@slavedns slaves]# cat ostechnix.rev
$ORIGIN .
$TTL 86400; 1 day
1.168.192.in-addr.arpaIN SOAmasterdns.example.com. root.example.com. (
2011071001 ; serial
3600       ; refresh (1 hour)
1800       ; retry (30 minutes)
604800     ; expire (1 week)
86400      ; minimum (1 day)
)
NSmasterdns.example.com.
NSslavedns.example.com.
$ORIGIN 1.168.192.in-addr.arpa.
200PTRmasterdns.example.com.
201PTRslavedns.example.com.
masterdnsA192.168.1.200
slavedns A192.168.1.201

3. Add the DNS Server details to all systems


[root@slavedns ~]# vi /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 192.168.1.200
nameserver 192.168.1.201
nameserver 8.8.8.8

4. Test DNS Server

Method A:

[root@slavedns ~]# dig slavedns.example.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> slavedns.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39096
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;slavedns.example.com.INA
;; ANSWER SECTION:
slavedns.example.com.86400INA192.168.1.201
;; AUTHORITY SECTION:
example.com.86400INNSmasterdns.example.com.
example.com.86400INNSslavedns.example.com.
;; ADDITIONAL SECTION:
masterdns.example.com. 86400INA192.168.1.200
;; Query time: 7 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Mar  3 13:00:17 2013
;; MSG SIZE  rcvd: 110

Method B:

[root@slavedns ~]# dig masterdns.example.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> masterdns.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12825
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;masterdns.example.com.INA
;; ANSWER SECTION:
masterdns.example.com. 86400INA192.168.1.200
;; AUTHORITY SECTION:
example.com.86400INNSmasterdns.example.com.
example.com.86400INNSslavedns.example.com.
;; ADDITIONAL SECTION:
slavedns.example.com.86400INA192.168.1.201
;; Query time: 13 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Mar  3 13:01:02 2013
;; MSG SIZE  rcvd: 110

Method C:

[root@slavedns ~]# nslookup slavedns
Server:192.168.1.200
Address:192.168.1.200#53
Name:slavedns.example.com
Address: 192.168.1.201

Method D:

[root@slavedns ~]# nslookup masterdns
Server:192.168.1.200
Address:192.168.1.200#53
Name:masterdns.example.com
Address: 192.168.1.200

Method E:

[root@slavedns ~]# dig -x 192.168.1.201
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> -x 192.168.1.201
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56991
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;201.1.168.192.in-addr.arpa.INPTR
;; ANSWER SECTION:
201.1.168.192.in-addr.arpa. 86400 INPTRslavedns.example.com.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa.86400INNSmasterdns.example.com.
1.168.192.in-addr.arpa.86400INNSslavedns.example.com.
;; ADDITIONAL SECTION:
masterdns.example.com. 86400INA192.168.1.200
slavedns.example.com.86400INA192.168.1.201
;; Query time: 6 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Mar  3 13:03:39 2013
;; MSG SIZE  rcvd: 150

Method F:

[root@slavedns ~]# dig -x 192.168.1.200
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> -x 192.168.1.200
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42968
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;200.1.168.192.in-addr.arpa.INPTR
;; ANSWER SECTION:
200.1.168.192.in-addr.arpa. 86400 INPTRmasterdns.example.com.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa.86400INNSslavedns.example.com.
1.168.192.in-addr.arpa.86400INNSmasterdns.example.com.
;; ADDITIONAL SECTION:
masterdns.example.com. 86400INA192.168.1.200
slavedns.example.com.86400INA192.168.1.201
;; Query time: 4 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Mar  3 13:04:15 2013
;; MSG SIZE  rcvd: 150

That’s it. Both Primary and Secondary DNS Server is ready to use. Have a Good day!!

No comments:

Post a Comment