Thursday, April 15, 2010

Domain Name System (DNS)

What is DNS?
The Domain Name System is a hierarchical naming system for computers and other resources connected to the Internet or to a private network. DNS is how Internet domain names such as google.com are located and translated into Internet Protocol (IP) addresses, so it lets us refer to networked equipment by domain name instead of by IP address. A DNS server is one node of a distributed database that maintains and publishes information about the domains subordinate to it.

Features:
1) DNS protocol enhancements
2) Multiple views
3) Security
4) Support for IPv6

Installation
There are 3 ways to install BIND:
1) Installing through YUM
2) Installing RPM packages
3) Building from source

Yum (Yellowdog Updater, Modified)
Installing through Yum is simple. Just execute the following command:
# yum install bind

RPM Package Manager
Installing through the RPM Package Manager requires a bit more work. Normally we install from the CD/DVD-ROM provided. If a CD/DVD-ROM is not available, the rpm file has to be downloaded from an online source.

a) Navigate to the source, which will most likely be the CD/DVD-ROM. The source CD/DVD-ROM has to be inserted first.
# cd /media/RHEL_5.3\ x86_64\ DVD/Server

b) Install the RPM
# rpm -ivh bind*
Install from source
a) Download the source
# wget http://ftp.isc.org/isc/bind9/9.7.0-P1/bind-9.7.0-P1.tar.gz
b) Unpack the source
# tar -zxvf bind-9.7.0-P1.tar.gz
c) Compile and install the source
# cd bind-9.7.0-P1
# ./configure
# make
# make install

Configure Firewall to allow BIND

Make sure to configure the firewall of the server on which BIND runs. Otherwise, all incoming DNS queries will be rejected by the firewall.

GUI
1) Go to System > Administration > Security Level and Firewall. Enter the root credentials when prompted.

2) The Security Level Configuration window will be displayed. Expand Other ports and add the required DNS ports as follows:
a) Ports: 53, Protocol: TCP
b) Ports: 53, Protocol: UDP

3) Click OK to add the port and OK to confirm the configuration.

Shell
The shell commands to configure iptables for BIND are as follows:
# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 53 -j ACCEPT
# iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
Rules added this way are lost on reboot unless they are saved with "service iptables save", which writes them to /etc/sysconfig/iptables.

Configuration
There are many different scenarios for setting up a DNS server in a network environment. BIND can be configured for the following roles:
1. Master
2. Slave
3. Caching-only
4. Forwarding

BIND configuration can be found in 2 locations:
1. /etc/named.conf
Main configuration file
2. /var/named/ directory
Working directory that contains the zone, statistics and cache files

/etc/named.conf
The main configuration can be complex in a multiple-view environment. To get new administrators started easily, we'll look at a single-view configuration. Before we get started, it is important to note that named.conf is strict about syntax: a minor error such as a missing semicolon (;) can prevent the entire daemon from starting. The caching server role is set in this file.

1. acl statement
a. This statement defines a named group of hosts or network segments, which can then be permitted or denied access to the nameserver.
2. options statement
a. A list of global server configuration options. The forwarding server role is set here.
3. zone statement
a. Defines the characteristics of a zone. Options set here override the global options statement. The master/slave server role is set here.

Sample configuration of named.conf:

# nano /etc/named.conf

// "all" is only the name chosen for this acl; just the listed networks match it.
// The built-in acl that matches every host is called "any".
acl all {
192.168.205.0/24;
127.0.0.1;
};

options {
listen-on port 53 { all; };
allow-query { all; };
forward first;    // ask the forwarders first, resolve directly if they do not answer
forwarders { 172.20.120.74; };
};

zone "ca.com" IN {
type master;
file "/var/named/ca.com.zone";
};

zone "205.168.192.in-addr.arpa" IN {
type master;
file "/var/named/192.168.205.zone";
};

Zone files in /var/named/
Zone files contain the information about a namespace (for example: google.com). By default they are located in the /var/named/ directory, but if the bind-chroot package is installed, the default location is /var/named/chroot/var/named/ instead.
Sample zone file configuration:
1. ca.com.zone

# nano /var/named/ca.com.zone
; Zone file for ca.com
;
; The full zone file
;
$TTL 3D
@ IN SOA ns1.ca.com. hostmaster.ca.com. (
200211152 ; serial#
3600 ; refresh, seconds
3600 ; retry, seconds
3600 ; expire, seconds
3600 ) ; minimum, seconds

@ IN NS ns1.ca.com. ; nameserver for this zone
@ IN MX 10 mail.ca.com. ; primary mail exchanger
localhost IN A 127.0.0.1
svr1 IN A 192.168.205.10
; ns1 and mail are A records, not CNAMEs to svr1: an NS or MX target must not be
; a CNAME (RFC 2181 section 10.3), and named checks this when it loads the zone
ns1 IN A 192.168.205.10
mail IN A 192.168.205.10

2. 192.168.205.zone
# nano /var/named/192.168.205.zone
; Filename: 192.168.205.zone
;
; Reverse zone file for 192.168.205.x
;
$TTL 3D
@ IN SOA ns1.ca.com. hostmaster.ca.com. (
200303301 ; serial number
8H ; refresh, 8 hours
2H ; retry, 2 hours
4W ; expire, 4 weeks
1D ) ; minimum, 1 day
@ IN NS ns1.ca.com.
10 IN PTR ns1.ca.com.
10 IN PTR mail.ca.com.
10 IN PTR svr1.ca.com.
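
Before restarting named, a zone file can be checked for the mistakes that make it fail to load. The checker below is an added example written for this page, not BIND's own code: it parses a zone file the way named reads it (';' comments, '( ... )' continuation lines, inherited owners), flags NS or MX records whose target is a CNAME, and applies one rule of thumb of its own, that the SOA expire must outlast refresh plus retry. The embedded zone is a constructed copy of the ca.com sample with ns1 and mail written as CNAMEs.

```python
import re

ZONE_BAD = """\
$TTL 3D
@ IN SOA ns1.ca.com. hostmaster.ca.com. ( 200211152 ; serial
        3600 3600 3600 3600 ) ; refresh retry expire minimum
@ IN NS ns1.ca.com.
@ IN MX 10 mail.ca.com.
svr1 IN A 192.168.205.10
ns1  IN CNAME svr1
mail IN CNAME svr1
"""
UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
def seconds(tok):  # BIND time value (3600, 8H, 3D, 4W) in seconds
    num, unit = re.fullmatch(r"(\d+)([smhdwSMHDW]?)", tok).groups()
    return int(num) * UNITS[unit.upper() or "S"]

def fqdn(name, origin):  # '@' is the origin; relative names get it appended
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
def parse_zone(text, origin):  # -> (owner, type, rdata) tuples with absolute owners
    records, buf, depth, owner = [], [], 0, origin
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()  # drop ';' comments
        if line.strip():
            buf.append(line)
            depth += line.count("(") - line.count(")")
        if depth or not buf:  # still inside '( ... )', or nothing buffered yet
            continue
        joined, buf = " ".join(buf), []
        toks = joined.replace("(", " ").replace(")", " ").split()
        if toks[0].startswith("$"):  # $TTL / $ORIGIN directives are not records
            continue
        if not joined[0].isspace():  # column 0 names the owner, else it is inherited
            owner = fqdn(toks.pop(0), origin)
        if toks[0].upper() == "IN":
            toks.pop(0)
        records.append((owner, toks[0].upper(), toks[1:]))
    return records

def check_zone(text, origin):
    # NS/MX -> CNAME is what check-integrity rejects; the SOA rule is this example's own
    recs = parse_zone(text, origin)
    cnames = {o for o, t, _ in recs if t == "CNAME"}
    problems = []
    for _owner, rtype, rdata in recs:
        if rtype in ("NS", "MX") and fqdn(rdata[-1], origin) in cnames:
            problems.append(f"{rtype} {rdata[-1]} is a CNAME (illegal)")
        elif rtype == "SOA" and seconds(rdata[5]) <= seconds(rdata[3]) + seconds(rdata[4]):
            problems.append(f"SOA expire {rdata[5]} does not outlast refresh+retry")
    return problems
```

On the server itself, named-checkconf -z /etc/named.conf and named-checkzone ca.com /var/named/ca.com.zone run the real checks before you restart named.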

Starting/Restarting/Stopping of BIND
To start/restart/stop a daemon in Linux, we use the command "service".
Start
# service named start
Restart
# service named restart
Stop
# service named stop
Status
# service named status

Troubleshooting BIND
Ensure BIND is working locally
To ensure BIND works locally, just execute the dig command with no arguments; it asks the local server for the root nameservers and should return results similar to the following:
# dig

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>>
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16265
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      J.ROOT-SERVERS.NET.
.                       518400  IN      NS      K.ROOT-SERVERS.NET.
.                       518400  IN      NS      L.ROOT-SERVERS.NET.
.                       518400  IN      NS      M.ROOT-SERVERS.NET.
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
.                       518400  IN      NS      C.ROOT-SERVERS.NET.
.                       518400  IN      NS      D.ROOT-SERVERS.NET.
.                       518400  IN      NS      E.ROOT-SERVERS.NET.
.                       518400  IN      NS      F.ROOT-SERVERS.NET.
.                       518400  IN      NS      G.ROOT-SERVERS.NET.
.                       518400  IN      NS      H.ROOT-SERVERS.NET.
.                       518400  IN      NS      I.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     604800  IN      A       198.41.0.4
A.ROOT-SERVERS.NET.     604800  IN      AAAA    2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.     604800  IN      A       192.228.79.201
C.ROOT-SERVERS.NET.     604800  IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     604800  IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     604800  IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     604800  IN      A       192.5.5.241
F.ROOT-SERVERS.NET.     604800  IN      AAAA    2001:500:2f::f
G.ROOT-SERVERS.NET.     604800  IN      A       192.112.36.4
H.ROOT-SERVERS.NET.     604800  IN      A       128.63.2.53
H.ROOT-SERVERS.NET.     604800  IN      AAAA    2001:500:1::803f:235
I.ROOT-SERVERS.NET.     604800  IN      A       192.36.148.17
J.ROOT-SERVERS.NET.     604800  IN      A       192.58.128.30
J.ROOT-SERVERS.NET.     604800  IN      AAAA    2001:503:c27::2:30

;; Query time: 2747 msec
;; SERVER: 192.168.205.10#53(192.168.205.10)
;; WHEN: Wed Apr 14 14:43:46 2010
;; MSG SIZE  rcvd: 500

If the above command does not work, it could be either of 2 problems:
i. A mistake in the configuration files
ii. The query is blocked by the firewall
Before checking the firewall rules, it is best to recheck your configuration first.

Ensure the network of the originating query is allowed in named.conf
Ensure that the network of the originating query is listed in the acl statement of named.conf:
acl all {
192.168.205.0/24;
127.0.0.1;
};
Add any required network to this statement.
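
An added check, written for this page and not part of the original article or of BIND, that tells the two causes apart from a client on the 192.168.205.0/24 network: a REFUSED reply means the client's network is missing from the acl as described above, while no reply at all points at the firewall rules (or at named not running). The server address and zone name are the article's sample values.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname, qtype=2, txid=0x1234):
    # Minimal DNS query, RD set, one question; qtype 2 = NS, 1 = A, 12 = PTR
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def interpret(resp, txid):
    # Map the reply, or its absence, to the two failure causes in the article.
    if resp is None:
        return "no reply: named is not listening, or UDP/53 is filtered by a firewall on either side"
    if len(resp) < 12:
        return "malformed reply: shorter than a DNS header"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction id or QR bit clear
        return "reply does not match our query; ignored"
    rcode = RCODES.get(flags & 0x000F, f"rcode {flags & 0x000F}")
    if rcode == "REFUSED":
        return "REFUSED: the client's network is missing from the acl used by allow-query"
    if rcode == "SERVFAIL":
        return "SERVFAIL: named answered but the zone did not load; check named-checkzone and the log"
    return f"{rcode}: {an} answer record(s), named is reachable and answering"

def diagnose(server, qname, qtype=2, timeout=3.0):
    # Send one UDP query to the server on port 53 and interpret the outcome.
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, qtype, txid), (server, 53))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            resp = None
    return interpret(resp, txid)

if __name__ == "__main__":
    # Assumed values from the article's sample setup: the server at 192.168.205.10
    # is authoritative for ca.com; run this from a client on 192.168.205.0/24.
    print(diagnose("192.168.205.10", "ca.com"))
```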
Ensure the query is not blocked by the firewall
Ensure that DNS queries are not blocked by the firewall on the server side, as well as on the client side. Refer to the Configure Firewall to allow BIND section for more information.

Appendix A – Networking configuration
1. Set a static IP address
Set up your network configuration and make sure the IP address of the server is static. Below is a sample configuration that sets the interface to use a static address.
/etc/sysconfig/network-scripts/ifcfg-eth0:

# nano /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
IPADDR=192.168.205.10
NETMASK=255.255.255.0
BOOTPROTO=static
HWADDR=00:0C:29:75:C3:F4
ONBOOT=yes
BROADCAST=192.168.205.255
NETWORK=192.168.205.0
GATEWAY=192.168.205.2

2. Set the hostname of the server.

/etc/sysconfig/network:
# nano /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=svr1.ca.com

3. Ensure that the resolver file on the DNS server is set correctly. Since this is a DNS server, queries should be sent back to itself; any public namespace is then passed on to a public DNS server through the forwarders option.

/etc/resolv.conf:
# nano /etc/resolv.conf
# "search ca.com" adds ca.com to unqualified names: if I try to resolve eliz, the
# system tries eliz.ca.com against the nameservers listed below.
# Keep comments on their own line: the resolver does not strip a trailing comment
# and may treat its words as extra search domains.
search ca.com
# this server first (it answers ca.com itself and forwards the rest), the gateway as fallback
nameserver 192.168.205.10
nameserver 192.168.205.2