How to configure BIND-9.8 DNS server in Red Hat Linux 6 (RHEL-6)

Step by Step ways to configure BIND-9.8 in RHEL-6

I will use a chroot (jail) environment for the DNS server, since confining named to a chroot limits what a compromised named process can reach on the rest of the system and is therefore considered safer than running bind normally.

NOTE: Please take a copy of the original configuration file before making any changes to it.

Pre-requisites:
Make sure you have all the required packages
# rpm -q bind
package bind is not installed
# rpm -q bind-chroot
package bind-chroot is not installed

Install the required package using yum
# yum -y install bind bind-chroot
By default the bind files are not copied inside the chroot, so we will have to do that manually.

Next copy the required files inside chroot directory.
NOTE: Use the -p argument with cp to preserve the permissions and ownership of all the files and directories.

# cp -rvpf /etc/named.* /var/named/chroot/etc/
`/etc/named.conf' -> `/var/named/chroot/etc/named.conf'
`/etc/named.iscdlv.key' -> `/var/named/chroot/etc/named.iscdlv.key'
`/etc/named.rfc1912.zones' -> `/var/named/chroot/etc/named.rfc1912.zones'
`/etc/named.root.key' -> `/var/named/chroot/etc/named.root.key'

The remaining copies are run from /var/named, so the chroot/ paths below are relative to that directory.
# cp -rvpf named.* chroot/var/named/
`named.ca' -> `chroot/var/named/named.ca'
`named.empty' -> `chroot/var/named/named.empty'
`named.localhost' -> `chroot/var/named/named.localhost'
`named.loopback' -> `chroot/var/named/named.loopback'

# cp -prvf data/ chroot/var/named/
`data/' -> `chroot/var/named/data'

# cp -prvf dynamic/ chroot/var/named/
`dynamic/' -> `chroot/var/named/dynamic'

# cp -prvf slaves/ chroot/var/named/
`slaves/' -> `chroot/var/named/slaves'

Now let's start editing the main configuration file. Note that listen-on and allow-query are restricted to localhost and the 192.168.1.0/24 network, so even with recursion enabled the server does not act as an open recursive resolver for the Internet.
# cd /var/named/chroot/etc/

# vi named.conf
options {
        listen-on port 53 { 127.0.0.1; 192.168.1.11; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.1.0/24; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Point your local machine at the new name server's IP address in resolv.conf and in the ifcfg-eth file.
# vi /etc/resolv.conf

search example
nameserver 192.168.1.11

NOTE: The DNS entry has to be made in the ifcfg-eth file only for Red Hat Linux 6 and above. For Red Hat Linux 5 the DNS entry is made only in the resolv.conf file.
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=192.168.1.11

Verify your hostname
# vi /etc/sysconfig/network

HOSTNAME=test2.example.com

Run this command on the terminal
# hostname test2.example.com

If you run the command below, the new hostname should be printed on standard output
# hostname
test2.example.com

Restart your network services
# service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:  Determining if ip address 192.168.1.11 is already in use for device eth0...
                                                           [  OK  ]
# service named restart
Stopping named:                                            [  OK  ]
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]

NOTE: In case your system gets stuck at
Generating /etc/rndc.key:
try this command
# rndc-confgen -a -r /dev/urandom
wrote key file "/etc/rndc.key"
and then retry restarting your named service

Verify your Internet connection and that the new server resolves external names
# ping google.com
PING google.com (74.125.236.71) 56(84) bytes of data.
64 bytes from maa03s05-in-f7.1e100.net (74.125.236.71): icmp_seq=1 ttl=56 time=223 ms
64 bytes from maa03s05-in-f7.1e100.net (74.125.236.71): icmp_seq=2 ttl=56 time=319 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1349ms
rtt min/avg/max/mdev = 223.861/271.853/319.846/47.995 ms

So our DNS server is working fine. Now let us configure the forward and reverse zones.

# vi /var/named/chroot/etc/named.rfc1912.zones
(Add the new entries shown below)

# Forward Zone Entry #
zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { none; };
};

# Reverse Zone Entry #
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.1.zone";
        allow-update { none; };
};
Create the zone files as mentioned in named.rfc1912.zones file above

If you view the named.localhost and named.loopback files inside /var/named/chroot/var/named, you will notice that they resemble a forward and a reverse lookup file respectively. So instead of creating new files from scratch we will copy those two and edit the copies.

# pwd
/var/named/chroot/var/named

# cp -p named.loopback 192.168.1.zone

# cp -p named.localhost example.com.zone

Forward Zone file
# vi example.com.zone
$TTL 1D
@       IN SOA  example.com. hostmaster.example.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                IN NS           example.com.
                IN A            192.168.1.11
test2           IN CNAME        example.com.
www             IN CNAME        example.com.

Reverse Zone file
# vi 192.168.1.zone
$TTL 1D
@       IN SOA  example.com.  hostmaster.example.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS   example.com.
11      IN PTR  example.com.
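As an added example (not part of the original post), the following Python script parses both zone files above and checks that the forward A record and the reverse PTR record agree, and that every CNAME target actually exists, which is the kind of mismatch the later nslookup and dig -x checks would otherwise only reveal by hand. The embedded zone text is an abridged copy of the two files above, and the function names are my own.

```python
"""Added example (not from the original post): cross-check the guide's forward and reverse
zones. parse_zone() handles ';' comments, a multi-line SOA, '@' and blank owners;
check_consistency() reports A/PTR mismatches and CNAMEs that point at nothing."""
import ipaddress
import re

FORWARD_ORIGIN, REVERSE_ORIGIN = "example.com.", "1.168.192.in-addr.arpa."
FORWARD_ZONE = """$TTL 1D
@     IN SOA   example.com. hostmaster.example.com. (
                0 1D 1H 1W 3H )  ; serial refresh retry expire minimum (abridged from the guide)
      IN NS    example.com.
      IN A     192.168.1.11
test2 IN CNAME example.com.
www   IN CNAME example.com.
"""
REVERSE_ZONE = """$TTL 1D
@     IN SOA   example.com. hostmaster.example.com. ( 0 1D 1H 1W 3H )
11    IN PTR   example.com.
"""
def absolute(name, origin):
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return [(owner, rtype, rdata_fields)] with owner names made absolute."""
    text = "\n".join(l.split(";")[0] for l in text.splitlines())  # strip comments before folding
    text = re.sub(r"\([^)]*\)", lambda m: m.group(0).replace("\n", " "), text)  # fold ( ) onto one line
    owner, records = origin, []
    for line in text.splitlines():
        fields = line.split()
        if not fields or line.startswith("$"):  # blank line or $TTL/$ORIGIN directive
            continue
        if not line[0].isspace():  # a name in column 1 sets the owner; blank keeps the previous
            owner = absolute(fields.pop(0).replace("@", origin), origin)
        while fields[0] == "IN" or fields[0].isdigit():  # optional class and TTL
            fields.pop(0)
        records.append((owner, fields[0], fields[1:]))
    return records

def ptr_owner_to_ip(owner):  # '11.1.168.192.in-addr.arpa.' -> '192.168.1.11' (IPv4 only)
    return str(ipaddress.ip_address(".".join(reversed(owner.rstrip(".").split(".")[:-2]))))

def check_consistency(fwd, rev, origin):
    """Return a list of problems; an empty list means the two zones agree."""
    a_recs = {(o, r[0]) for o, t, r in fwd if t == "A"}
    ptrs = {ptr_owner_to_ip(o): r[0] for o, t, r in rev if t == "PTR"}
    names = {o for o, t, _ in fwd if t in ("A", "CNAME")}
    problems = [f"A {n} -> {ip} has no matching PTR" for n, ip in a_recs if ptrs.get(ip) != n]
    problems += [f"PTR {ip} -> {n} has no matching A" for ip, n in ptrs.items() if (n, ip) not in a_recs]
    problems += [f"CNAME {o} -> {r[0]} targets an unknown name"
                 for o, t, r in fwd if t == "CNAME" and absolute(r[0], origin) not in names]
    return problems

if __name__ == "__main__":
    print(check_consistency(parse_zone(FORWARD_ZONE, FORWARD_ORIGIN),
                            parse_zone(REVERSE_ZONE, REVERSE_ORIGIN), FORWARD_ORIGIN) or "zones agree")
```

Run it against copies of your own example.com.zone and 192.168.1.zone before restarting named; a non-empty list means the forward and reverse data disagree.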

Verify the permissions

IMPORTANT NOTE:
The permissions on all the bind related files should be 640 and on all directories 770, with root as the user owner and named as the group owner; the listing below shows the data, dynamic and slaves directories, which named writes to, owned by named itself.
# ll
total 36
-rw-r-----. 1 root  named  207 Mar 14 18:36 192.168.1.zone
drwxrwx---. 2 named named 4096 Jan 20 23:10 data
drwxrwx---. 2 named named 4096 Jan 20 23:10 dynamic
-rw-r-----. 1 root  named  242 Mar 14 18:32 example.com.zone
-rw-r-----. 1 root  named 1892 Feb 18  2008 named.ca
-rw-r-----. 1 root  named  152 Dec 15  2009 named.empty
-rw-r-----. 1 root  named  152 Jun 21  2007 named.localhost
-rw-r-----. 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx---. 2 named named 4096 Jan 20 23:10 slaves

Restart the named service (the named-checkconf and named-checkzone tools shipped with bind can be run first to catch syntax errors in the configuration and zone files before the restart)
# service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]

Verify both the zones
# nslookup example.com
Server:         192.168.1.11
Address:        192.168.1.11#53

Name:   example.com
Address: 192.168.1.11

# dig -x 192.168.1.11
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> -x 192.168.1.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60861
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;11.1.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
11.1.168.192.in-addr.arpa. 86400 IN     PTR     example.com.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400   IN      NS      example.com.

;; ADDITIONAL SECTION:
example.com.            86400   IN      A       192.168.1.11

;; Query time: 2 msec
;; SERVER: 192.168.1.11#53(192.168.1.11)
;; WHEN: Fri Mar 14 18:35:24 2014
;; MSG SIZE  rcvd: 98
So we are getting outputs for the forward and reverse lookup entries.
Everything is working as expected. :)