How To Configure BIND as a Private Network DNS Server on CentOS 7 | DigitalOcean

Community tutorial
By: Mitchell Anicas
Apr 29, 2015
Tags: DNS, Networking, CentOS

Introduction

An important part of managing server configuration and infrastructure is maintaining an easy way to look up network interfaces and IP addresses by name, by setting up a proper Domain Name System (DNS). Using fully qualified domain names (FQDNs) instead of IP addresses to specify network addresses eases the configuration of services and applications and increases the maintainability of configuration files. Setting up your own DNS for your private network is a great way to improve the management of your servers.


In this tutorial, we will go over how to set up an internal DNS server, using the BIND name server software (BIND 9) on CentOS 7, that can be used by your Virtual Private Servers (VPS) to resolve private host names and private IP addresses. This provides a central way to manage your internal host names and private IP addresses, which is indispensable when your environment expands to more than a few hosts.

The Ubuntu version of this tutorial can be found here.

Prerequisites

To complete this tutorial, you will need the following:

- Some servers that are running in the same datacenter and have private networking enabled
- A new VPS to serve as the Primary DNS server, ns1
- Optional: A new VPS to serve as a Secondary DNS server, ns2
- Root access to all of the above (steps 1-4 here)

If you are unfamiliar with DNS concepts, it is recommended that you read at least the first three parts of our Introduction to Managing DNS.

Example Hosts

For example purposes, we will assume the following:

- We have two existing VPS called "host1" and "host2"
- Both VPS exist in the nyc3 datacenter
- Both VPS have private networking enabled (and are on the 10.128.0.0/16 subnet)
- Both VPS are somehow related to our web application that runs on "example.com"

With these assumptions, we decide that it makes sense to use a naming scheme that uses "nyc3.example.com" to refer to our private subnet or zone. Therefore, host1's private Fully Qualified Domain Name (FQDN) will be "host1.nyc3.example.com". Refer to the following table for the relevant details:

Host     Role             Private FQDN              Private IP Address
host1    Generic Host 1   host1.nyc3.example.com    10.128.100.101
host2    Generic Host 2   host2.nyc3.example.com    10.128.200.102

Note: Your existing setup will be different, but the example names and IP addresses will be used to demonstrate how to configure a DNS server to provide a functioning internal DNS. You should be able to easily adapt this setup to your own environment by replacing the host names and private IP addresses with your own. It is not necessary to use the region name of the datacenter in your naming scheme, but we use it here to denote that these hosts belong to a particular datacenter's private network. If you utilize multiple datacenters, you can set up an internal DNS within each respective datacenter.

Our Goal

By the end of this tutorial, we will have a primary DNS server, ns1, and optionally a secondary DNS server, ns2, which will serve as a backup.

Here is a table with example names and IP addresses:

Host    Role                    Private FQDN            Private IP Address
ns1     Primary DNS Server      ns1.nyc3.example.com    10.128.10.11
ns2     Secondary DNS Server    ns2.nyc3.example.com    10.128.20.12

Let's get started by installing our Primary DNS server, ns1.

Install BIND on DNS Servers


Note: On the original page, text highlighted in red is important! It is used to denote something that needs to be replaced with your own settings or that should be modified or added to a configuration file. For example, if you see something like host1.nyc3.example.com, replace it with the FQDN of your own server. Likewise, if you see host1_private_IP, replace it with the private IP address of your own server.

On both DNS servers, ns1 and ns2, install BIND with yum:

$ sudo yum install bind bind-utils

Confirm the prompt by entering y.

Now that BIND is installed, let's configure the primary DNS server.

Configure Primary DNS Server

BIND's configuration consists of multiple files, which are included from the main configuration file, named.conf. These file names begin with "named" because that is the name of the process that BIND runs. We will start with configuring the options file.

Configure Bind

BIND's process is known as named. As such, many of the files refer to "named" instead of "BIND".

On ns1, open the named.conf file for editing:

$ sudo vi /etc/named.conf

Above the existing options block, create a new ACL block called "trusted". This is where we will define the list of clients that we will allow recursive DNS queries from (i.e. your servers that are in the same datacenter as ns1). Using our example private IP addresses, we will add ns1, ns2, host1, and host2 to our list of trusted clients:


/etc/named.conf 1 of 4

acl "trusted" {
    10.128.10.11;    # ns1 - can be set to localhost
    10.128.20.12;    # ns2
    10.128.100.101;  # host1
    10.128.200.102;  # host2
};

Now that we have our list of trusted DNS clients, we will want to edit the options block. Add the private IP address of ns1 to the listen-on port 53 directive, and comment out the listen-on-v6 line:

/etc/named.conf 2 of 4

options {
    listen-on port 53 { 127.0.0.1; 10.128.10.11; };
#   listen-on-v6 port 53 { ::1; };
...

Below those entries, change the allow-transfer directive from "none" to ns2's private IP address. Also, change the allow-query directive from "localhost" to "trusted":

/etc/named.conf 3 of 4

...
options {
...
    allow-transfer { 10.128.20.12; };  # only ns2 may request zone transfers
...
    allow-query { trusted; };          # allows queries from "trusted" clients
...

Keep allow-transfer this tight: a zone transfer (AXFR) hands the requester a copy of every record in the zone, which is exactly the host inventory an attacker on your network would want, so it should only ever be permitted to your own secondaries. Likewise, the stock named.conf leaves recursion enabled, so allow-query { trusted; } is also what stops this server from acting as an open resolver for anyone who can reach port 53.

At the end of the file, add the following line:

/etc/named.conf 4 of 4

include "/etc/named/named.conf.local";

Now save and exit named.conf. The above configuration specifies that only your own servers (the "trusted" ones) will be able to query your DNS server.
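Since named.conf is where this server's exposure is decided, it is worth checking it mechanically before moving on. The following script is an added example, not part of the original tutorial or of BIND: it reads a named.conf laid out like the one above (one directive per line, as the stock CentOS file is) and reports settings that would expose a private DNS server. The file path, the directive patterns and the wording of its findings are this script's own assumptions.

```shell
#!/bin/sh
# audit_named_conf.sh - added example, not part of the original tutorial.
# Reads the options block of a named.conf laid out like the one above
# (one directive per line) and reports settings that would expose a
# private DNS server. Path and message wording are this script's own.

# Value between the braces of a brace-list directive, whitespace removed.
# Usage: brace_value FILE DIRECTIVE-REGEX  ->  e.g. "trusted;"
brace_value() {
    sed -n "s/^[[:space:]]*$2[^{]*{\([^}]*\)}.*/\1/p" "$1" | head -n 1 | tr -d '[:space:]'
}

# Value of a "keyword value;" directive such as "recursion yes;".
word_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([a-z]*\);.*/\1/p" "$1" | head -n 1
}

# Prints one finding per line; returns 1 if anything was flagged, 0 if clean.
audit_named_conf() {
    conf=$1
    rc=0
    aq=$(brace_value "$conf" 'allow-query')
    at=$(brace_value "$conf" 'allow-transfer')
    lo=$(brace_value "$conf" 'listen-on[[:space:]]')
    rec=$(word_value "$conf" 'recursion')

    case "$aq" in
        ''|'any;')
            echo "allow-query=${aq:-unset}: every host that can reach port 53 may query"
            rc=1 ;;
    esac
    # BIND recurses by default; with no query ACL that makes an open resolver.
    if [ "$rec" != no ] && { [ -z "$aq" ] || [ "$aq" = 'any;' ]; }; then
        echo "recursion=${rec:-yes (default)} with unrestricted allow-query: open resolver"
        rc=1
    fi
    # BIND 9.9 (what CentOS 7 ships) allows transfers to anyone when this is unset.
    case "$at" in
        ''|'any;')
            echo "allow-transfer=${at:-unset}: AXFR would hand the whole zone to anyone"
            rc=1 ;;
    esac
    case "$lo" in
        *any*|*0.0.0.0*)
            echo "listen-on=$lo: named is bound to every interface, public ones included"
            rc=1 ;;
    esac
    return $rc
}

# Usage: sh audit_named_conf.sh /etc/named.conf  (no output and exit 0 means clean)
if [ $# -gt 0 ]; then
    audit_named_conf "$1"
fi
```

Run it as sh audit_named_conf.sh /etc/named.conf on ns1 and again on ns2; no output and exit status 0 means none of the four checks fired.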

Next, we will configure the local file, to specify our DNS zones.

Configure Local File

On ns1, open the named.conf.local file for editing:

$ sudo vi /etc/named/named.conf.local

The file should be empty. Here, we will specify our forward and reverse zones.

Add the forward zone with the following lines (substitute the zone name with your own):

/etc/named/named.conf.local 1 of 2

zone "nyc3.example.com" {
    type master;
    file "/etc/named/zones/db.nyc3.example.com"; # zone file path
};

Assuming that our private subnet is 10.128.0.0/16, add the reverse zone with the following lines (note that our reverse zone name starts with "128.10", which is the octet reversal of "10.128"):

/etc/named/named.conf.local 2 of 2

zone "128.10.in-addr.arpa" {
    type master;
    file "/etc/named/zones/db.10.128"; # 10.128.0.0/16 subnet
};

If your servers span multiple private subnets but are in the same datacenter, be sure to specify an additional zone and zone file for each distinct subnet. When you are finished adding all of your desired zones, save and exit the named.conf.local file.

Now that our zones are specified in BIND, we need to create the corresponding forward and reverse zone files.

Create Forward Zone File

The forward zone file is where we define DNS records for forward DNS lookups. That is, when the DNS receives a name query, "host1.nyc3.example.com" for example, it will look in the forward zone file to resolve host1's corresponding private IP address.

Let's create the directory where our zone files will reside. According to our named.conf.local configuration, that location should be /etc/named/zones:

$ sudo chmod 755 /etc/named
$ sudo mkdir /etc/named/zones

Now let's edit our forward zone file:

$ sudo vi /etc/named/zones/db.nyc3.example.com

First, you will want to add the SOA record. Replace the highlighted ns1 FQDN with your own FQDN, then replace the second "nyc3.example.com" with your own domain. Every time you edit a zone file, you should increment the serial value before you restart the named process (a secondary only pulls a fresh copy of the zone when it sees a larger serial than the one it holds, so a forgotten increment leaves ns2 serving stale records) -- we will increment it to "3". It should look something like this:

/etc/named/zones/db.nyc3.example.com 1 of 3

$TTL    604800
@       IN      SOA     ns1.nyc3.example.com. admin.nyc3.example.com. (
                              3         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

After that, add your name server records with the following lines (replace the names with your own). Note that the second column specifies that these are "NS" records:

/etc/named/zones/db.nyc3.example.com 2 of 3

; name servers - NS records
        IN      NS      ns1.nyc3.example.com.
        IN      NS      ns2.nyc3.example.com.

Then add the A records for your hosts that belong in this zone. This includes any server whose name we want to end with ".nyc3.example.com" (substitute the names and private IP addresses). Using our example names and private IP addresses, we will add A records for ns1, ns2, host1, and host2 like so:

/etc/named/zones/db.nyc3.example.com 3 of 3

; name servers - A records
ns1.nyc3.example.com.          IN      A       10.128.10.11
ns2.nyc3.example.com.          IN      A       10.128.20.12

; 10.128.0.0/16 - A records
host1.nyc3.example.com.        IN      A       10.128.100.101
host2.nyc3.example.com.        IN      A       10.128.200.102

Save and exit the db.nyc3.example.com file.

Our final example forward zone file looks like the following:

/etc/named/zones/db.nyc3.example.com complete

$TTL    604800
@       IN      SOA     ns1.nyc3.example.com. admin.nyc3.example.com. (
                              3         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; name servers - NS records
        IN      NS      ns1.nyc3.example.com.
        IN      NS      ns2.nyc3.example.com.

; name servers - A records
ns1.nyc3.example.com.          IN      A       10.128.10.11
ns2.nyc3.example.com.          IN      A       10.128.20.12

; 10.128.0.0/16 - A records
host1.nyc3.example.com.        IN      A       10.128.100.101
host2.nyc3.example.com.        IN      A       10.128.200.102

Now let's move on to the reverse zone file(s).

Create Reverse Zone File(s)

Reverse zone files are where we define DNS PTR records for reverse DNS lookups. That is, when the DNS receives a query by IP address, "10.128.100.101" for example, it will look in the reverse zone file(s) to resolve the corresponding FQDN, "host1.nyc3.example.com" in this case.

On ns1, for each reverse zone specified in the named.conf.local file, create a reverse zone file.

Edit the reverse zone file that corresponds to the reverse zone(s) defined in named.conf.local:

$ sudo vi /etc/named/zones/db.10.128

In the same manner as the forward zone file, replace the highlighted ns1 FQDN with your own FQDN, then replace the second "nyc3.example.com" with your own domain. Every time you edit a zone file, you should increment the serial value before you restart the named process -- we will increment it to "3". It should look something like this:

/etc/named/zones/db.10.128 1 of 3

$TTL    604800
@       IN      SOA     ns1.nyc3.example.com. admin.nyc3.example.com. (
                              3         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

After that, add your name server records with the following lines (replace the names with your own). Note that the second column specifies that these are "NS" records:

/etc/named/zones/db.10.128 2 of 3

; name servers - NS records
        IN      NS      ns1.nyc3.example.com.
        IN      NS      ns2.nyc3.example.com.

Then add PTR records for all of your servers whose IP addresses are on the subnet of the zone file that you are editing. In our example, this includes all of our hosts because they are all on the 10.128.0.0/16 subnet. Note that the first column consists of the last two octets of your servers' private IP addresses in reversed order. Be sure to substitute names and private IP addresses to match your servers:

/etc/named/zones/db.10.128 3 of 3

; PTR Records
11.10   IN      PTR     ns1.nyc3.example.com.    ; 10.128.10.11
12.20   IN      PTR     ns2.nyc3.example.com.    ; 10.128.20.12
101.100 IN      PTR     host1.nyc3.example.com.  ; 10.128.100.101
102.200 IN      PTR     host2.nyc3.example.com.  ; 10.128.200.102


Save and exit the reverse zone file (repeat this section if you need to add more reverse zone files).

Our final example reverse zone file looks like the following (the SOA names the primary, ns1.nyc3.example.com., exactly as in the forward zone):

/etc/named/zones/db.10.128 complete

$TTL    604800
@       IN      SOA     ns1.nyc3.example.com. admin.nyc3.example.com. (
                              3         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

; name servers
        IN      NS      ns1.nyc3.example.com.
        IN      NS      ns2.nyc3.example.com.

; PTR Records
11.10   IN      PTR     ns1.nyc3.example.com.    ; 10.128.10.11
12.20   IN      PTR     ns2.nyc3.example.com.    ; 10.128.20.12
101.100 IN      PTR     host1.nyc3.example.com.  ; 10.128.100.101
102.200 IN      PTR     host2.nyc3.example.com.  ; 10.128.200.102
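Both zone files above were typed by hand, and the octet reversal in the PTR labels is where mistakes usually creep in. The following script is an added example, not part of the original tutorial: it generates the forward and the reverse zone file shown above from one host inventory, so a host cannot end up with an A record and no PTR, or a PTR label reversed the wrong way. It goes slightly beyond the tutorial in handling /8 and /24 subnets as well as the /16 used here; the "name ip" inventory format, the serial argument and the constructed example inventory are its own assumptions.

```shell
#!/bin/sh
# gen_zones.sh - added example, not part of the original tutorial.
# Generates the forward and the reverse zone file from one host inventory,
# so A and PTR records cannot drift apart and the octet reversal is never
# done by hand. Assumes the tutorial's names and a /8, /16 or /24 private
# subnet; the "name ip" inventory format is this script's own convention.

DOMAIN=nyc3.example.com
NS1=ns1.$DOMAIN
NS2=ns2.$DOMAIN

# Network octets of a prefix, reversed: 10.128.0.0/16 -> 128.10.in-addr.arpa
reverse_zone_name() {
    net=${1%/*}
    bits=${1#*/}
    set -- $(printf '%s' "$net" | tr . ' ')
    case $bits in
        8)  echo "$1.in-addr.arpa" ;;
        16) echo "$2.$1.in-addr.arpa" ;;
        24) echo "$3.$2.$1.in-addr.arpa" ;;
        *)  echo "unsupported prefix /$bits" >&2; return 1 ;;
    esac
}

# Host octets of an address, reversed: 10.128.100.101 /16 -> 101.100
ptr_label() {
    set -- $(printf '%s' "$1" | tr . ' ') "$2"
    case $5 in
        8)  echo "$4.$3.$2" ;;
        16) echo "$4.$3" ;;
        24) echo "$4" ;;
        *)  echo "unsupported prefix /$5" >&2; return 1 ;;
    esac
}

# SOA and NS records shared by both zone files; $1 is the serial.
zone_header() {
    printf '$TTL 604800\n'
    printf '@ IN SOA %s. admin.%s. (\n' "$NS1" "$DOMAIN"
    printf '    %s ; Serial\n    604800 ; Refresh\n    86400 ; Retry\n' "$1"
    printf '    2419200 ; Expire\n    604800 ) ; Negative Cache TTL\n'
    printf '; name servers - NS records\n    IN NS %s.\n    IN NS %s.\n' "$NS1" "$NS2"
}

# Forward zone: inventory ("name ip" per line) on stdin, serial in $1.
forward_zone() {
    zone_header "$1"
    printf '; A records\n'
    while read -r name ip; do
        [ -n "$name" ] || continue
        printf '%s.%s. IN A %s\n' "$name" "$DOMAIN" "$ip"
    done
}

# Reverse zone: inventory on stdin, serial in $1, prefix length in $2.
reverse_zone() {
    zone_header "$1"
    printf '; PTR Records\n'
    while read -r name ip; do
        [ -n "$name" ] || continue
        printf '%s IN PTR %s.%s. ; %s\n' "$(ptr_label "$ip" "$2")" "$name" "$DOMAIN" "$ip"
    done
}

# Constructed inventory matching the tutorial's example hosts.
INVENTORY='ns1 10.128.10.11
ns2 10.128.20.12
host1 10.128.100.101
host2 10.128.200.102'

# Usage: sh gen_zones.sh --write  (writes db.nyc3.example.com and db.10.128 here)
if [ "${1:-}" = --write ]; then
    printf '%s\n' "$INVENTORY" | forward_zone 3 > "db.$DOMAIN"
    printf '%s\n' "$INVENTORY" | reverse_zone 3 16 > db.10.128
fi
```

Run sh gen_zones.sh --write inside /etc/named/zones, then check both files with named-checkzone exactly as the next section describes; reverse_zone_name gives you the zone name to pass for the reverse file.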

Check BIND Configuration Syntax

Run the following command to check the syntax of the named.conf* files:

$ sudo named-checkconf

If your named configuration files have no syntax errors, you will return to your shell prompt and see no error messages. If there are problems with your configuration files, review the error message and the Configure Primary DNS Server section, then try named-checkconf again.

The named-checkzone command can be used to check the correctness of your zone files. Its first argument specifies a zone name, and the second argument specifies the corresponding zone file, which are both defined in named.conf.local.

For example, to check the "nyc3.example.com" forward zone configuration, run the following command (change the names to match your forward zone and file):

$ sudo named-checkzone nyc3.example.com /etc/named/zones/db.nyc3.example.com

And to check the "128.10.in-addr.arpa" reverse zone configuration, run the following command (change the numbers to match your reverse zone and file):

$ sudo named-checkzone 128.10.in-addr.arpa /etc/named/zones/db.10.128

When all of your configuration and zone files have no errors in them, you should be ready to restart the BIND service.

Start BIND

Start BIND:

$ sudo systemctl start named

Now you will want to enable it, so it will start on boot:

$ sudo systemctl enable named

Note: If firewalld is running on ns1 (sudo firewall-cmd --state reports "running"), its default public zone does not admit DNS traffic, so also allow the dns service, which opens port 53 for UDP as well as TCP (firewall-cmd --permanent --add-service=dns, then firewall-cmd --reload). Opening only 53/tcp is a common mistake: ordinary lookups travel over UDP, and trusted clients then see "connection timed out; no servers could be reached" even though ns1 keeps answering its own queries.

Your primary DNS server is now set up and ready to respond to DNS queries. Let's move on to creating the secondary DNS server.

Configure Secondary DNS Server

In most environments, it is a good idea to set up a secondary DNS server that will respond to requests if the primary becomes unavailable. Luckily, the secondary DNS server is much easier to configure.

On ns2, edit the named.conf file:

$ sudo vi /etc/named.conf

Note: If you prefer to skip these instructions, you can copy ns1's named.conf file and modify it to listen on ns2's private IP address, and not allow transfers.

Above the existing options block, create a new ACL block called "trusted". This is where we will define the list of clients that we will allow recursive DNS queries from (i.e. your servers that are in the same datacenter as ns2). Using our example private IP addresses, we will add ns1, ns2, host1, and host2 to our list of trusted clients:

/etc/named.conf 1 of 4

acl "trusted" {
    10.128.10.11;    # ns1
    10.128.20.12;    # ns2 - can be set to localhost
    10.128.100.101;  # host1
    10.128.200.102;  # host2
};

Now that we have our list of trusted DNS clients, we will want to edit the options block. Add the private IP address of ns2 to the listen-on port 53 directive, and comment out the listen-on-v6 line:

/etc/named.conf 2 of 4

options {
    listen-on port 53 { 127.0.0.1; 10.128.20.12; };
#   listen-on-v6 port 53 { ::1; };
...

Change the allow-query directive from "localhost" to "trusted":

/etc/named.conf 3 of 4

...
options {
...
    allow-query { trusted; }; # allows queries from "trusted" clients
...

At the end of the file, add the following line:

/etc/named.conf 4 of 4

include "/etc/named/named.conf.local";

Now save and exit named.conf. The above configuration specifies that only your own servers (the "trusted" ones) will be able to query your DNS server.

Now edit the named.conf.local file:

$ sudo chmod 755 /etc/named
$ sudo vi /etc/named/named.conf.local

Define slave zones that correspond to the master zones on the primary DNS server. Note that the type is "slave", the file does not contain a path, and there is a masters directive which should be set to the primary DNS server's private IP. The file name is relative to BIND's working directory (directory "/var/named" in the stock named.conf), and the slaves/ subdirectory there is writable by the named user, unlike /var/named itself, which is why the transferred copies go under slaves/. If you defined multiple reverse zones in the primary DNS server, make sure to add them all here:

/etc/named/named.conf.local

zone "nyc3.example.com" {
    type slave;
    file "slaves/db.nyc3.example.com";
    masters { 10.128.10.11; }; # ns1 private IP
};

zone "128.10.in-addr.arpa" {
    type slave;
    file "slaves/db.10.128";
    masters { 10.128.10.11; }; # ns1 private IP
};

Now save and exit named.conf.local.

Run the following command to check the validity of your configuration files:

$ sudo named-checkconf

Once that checks out, start BIND:

$ sudo systemctl start named

Enable BIND to start on boot:

$ sudo systemctl enable named

After named starts, ns2 should pull both zones from ns1 straight away: /var/named/slaves/db.nyc3.example.com and /var/named/slaves/db.10.128 appear, and /var/log/messages records a "Transfer completed" line for each zone. If they do not appear, check that ns1's allow-transfer lists ns2's private IP and that nothing is filtering port 53 between the two servers.

Now you have primary and secondary DNS servers for private network name and IP address resolution. Now you must configure your servers to use your private DNS servers.

Configure DNS Clients

Before all of your servers in the "trusted" ACL can query your DNS servers, you must configure each of them to use ns1 and ns2 as name servers. This process varies depending on OS, but for most Linux distributions it involves adding your name servers to the /etc/resolv.conf file.

CentOS Clients

On CentOS, RedHat, and Fedora Linux VPS, simply edit the resolv.conf file:

$ sudo vi /etc/resolv.conf

Then add the following lines to the TOP of the file (substitute your private domain, and ns1 and ns2 private IP addresses):

/etc/resolv.conf

search nyc3.example.com  # your private domain
nameserver 10.128.10.11  # ns1 private IP address
nameserver 10.128.20.12  # ns2 private IP address

Now save and exit. Your client is now configured to use your DNS servers.

Note: On CentOS 7, NetworkManager (or dhclient) rewrites /etc/resolv.conf whenever the interface comes up, so a hand edit like this is lost on reboot. To make it persistent, set DNS1, DNS2 and DOMAIN in the interface's /etc/sysconfig/network-scripts/ifcfg-* file (or add PEERDNS=no to stop the rewrite altogether) instead of relying on the edited file.

Ubuntu Clients

On Ubuntu and Debian Linux VPS, you can edit the head file, which is prepended to resolv.conf on boot:

$ sudo vi /etc/resolvconf/resolv.conf.d/head

Add the following lines to the file (substitute your private domain, and ns1 and ns2 private IP addresses):

/etc/resolvconf/resolv.conf.d/head

search nyc3.example.com  # your private domain
nameserver 10.128.10.11  # ns1 private IP address
nameserver 10.128.20.12  # ns2 private IP address

Now run resolvconf to generate a new resolv.conf file:

$ sudo resolvconf -u

Your client is now configured to use your DNS servers.

Test Clients

Use nslookup, included in the "bind-utils" package, to test if your clients can query your name servers. You should be able to do this on all of the clients that you have configured and are in the "trusted" ACL.

Forward Lookup

For example, we can perform a forward lookup to retrieve the IP address of host1.nyc3.example.com by running the following command:

$ nslookup host1

Querying "host1" expands to "host1.nyc3.example.com" because the search option is set to your private subdomain, and DNS queries will attempt to look on that subdomain before looking for the host elsewhere. The output of the command above would look like the following:

Output:
Server:         10.128.10.11
Address:        10.128.10.11#53

Name:   host1.nyc3.example.com
Address: 10.128.100.101

Reverse Lookup


To test the reverse lookup, query the DNS server with host1's private IP address:

$ nslookup 10.128.100.101

You should see output that looks like the following (the name queried is 10.128.100.101 with its octets reversed, under in-addr.arpa):

Output:
Server:         10.128.10.11
Address:        10.128.10.11#53

101.100.128.10.in-addr.arpa     name = host1.nyc3.example.com.

If all of the names and IP addresses resolve to the correct values, that means that your zone files are configured properly. If you receive unexpected values, be sure to review the zone files on your primary DNS server (e.g. db.nyc3.example.com and db.10.128).

It is also worth testing the negative case from a host that is not in the "trusted" ACL: nslookup against ns1 should come back with REFUSED rather than a record, and a zone transfer request (dig axfr nyc3.example.com against ns1's private IP) from any host other than ns2 should end in "Transfer failed." If either succeeds, recheck allow-query and allow-transfer in named.conf.

Congratulations! Your internal DNS servers are now set up properly! Now we will cover maintaining your zone records.

Maintaining DNS Records

Now that you have a working internal DNS, you need to maintain your DNS records so they accurately reflect your server environment.

Adding Host to DNS

Whenever you add a host to your environment (in the same datacenter), you will want to add it to DNS. Here is a list of steps that you need to take:

Primary Nameserver
- Forward zone file: Add an "A" record for the new host, increment the value of "Serial"
- Reverse zone file: Add a "PTR" record for the new host, increment the value of "Serial"
- Add your new host's private IP address to the "trusted" ACL (in named.conf)
- Run named-checkzone on both edited zone files before reloading; if a zone file fails to load, named keeps serving the previous version of that zone and only logs the error

Then reload BIND:

$ sudo systemctl reload named

Secondary Nameserver
- Add your new host's private IP address to the "trusted" ACL (in named.conf)

Then reload BIND:

$ sudo systemctl reload named

Configure New Host to Use Your DNS
- Configure resolv.conf to use your DNS servers
- Test using nslookup

Removing Host from DNS

If you remove a host from your environment or want to just take it out of DNS, just remove all the things that were added when you added the server to DNS (i.e. the reverse of the steps above).
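The steps above are easy to get half right: a record appended without bumping the serial, or an A record whose PTR was forgotten. The following script is an added example, not part of the original tutorial: it applies the primary-server steps to the zone files and named.conf and then checks that every A record still has a matching PTR and vice versa before you reload. It assumes the file layout this tutorial produces (the "; Serial" comment on its own line, PTR labels for a /16 or /24), and its duplicate and consistency checks are this script's own additions.

```shell
#!/bin/sh
# dns_addhost.sh - added example, not part of the original tutorial.
# Performs the primary-server steps above on the zone files and named.conf,
# then checks that every A record still has its PTR (and vice versa) before
# you reload. File layout follows the tutorial; the duplicate and
# consistency checks, and the assumption that "; Serial" sits on its own
# line, are this script's own.

# Escape dots so a hostname or IP can be used as a literal grep pattern.
re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Host octets reversed for the PTR owner: 10.128.100.101 16 -> 101.100
ptr_label() {
    set -- $(printf '%s' "$1" | tr . ' ') "$2"
    case $5 in 16) echo "$4.$3" ;; 24) echo "$4" ;; *) return 1 ;; esac
}

get_serial() { awk '/; Serial/ { print $1; exit }' "$1"; }

# Increment the serial in place; secondaries only transfer when it grows.
bump_serial() {
    awk '/; Serial/ && !seen { sub(/[0-9]+/, $1 + 1); seen = 1 } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Append an A record, refusing a name that is already present.
add_a() {  # zonefile fqdn ip
    if grep -q "^$(re "$2")\. " "$1"; then echo "$2 already in $1" >&2; return 1; fi
    printf '%s. IN A %s\n' "$2" "$3" >> "$1"
}

# Append a PTR record, refusing a label that is already present.
add_ptr() {  # zonefile fqdn ip prefixbits
    label=$(ptr_label "$3" "$4") || return 1
    if grep -q "^$(re "$label") " "$1"; then echo "$3 already has a PTR in $1" >&2; return 1; fi
    printf '%s IN PTR %s. ; %s\n' "$label" "$2" "$3" >> "$1"
}

# Add the IP to acl "trusted" { ... } in named.conf, just before its closing brace.
add_trusted() {  # named.conf ip comment
    grep -q "^[[:space:]]*$(re "$2");" "$1" && return 0
    awk -v ip="$2" -v c="$3" '
        /^acl "trusted"/ { inacl = 1 }
        inacl && /^};/ { printf "    %s; # %s\n", ip, c; inacl = 0 }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print every A record without a matching PTR and every PTR without an A.
check_consistency() {  # fwdzone revzone prefixbits
    awk '$2 == "IN" && $3 == "A" { print $1, $4 }' "$1" | while read -r fqdn ip; do
        label=$(ptr_label "$ip" "$3")
        grep -q "^$(re "$label") IN PTR $(re "$fqdn")" "$2" || echo "no PTR for $fqdn ($ip)"
    done
    awk '$2 == "IN" && $3 == "PTR" { print $1, $4 }' "$2" | while read -r label fqdn; do
        grep -q "^$(re "$fqdn") IN A " "$1" || echo "no A record for $fqdn (PTR $label)"
    done
}

# The whole "Adding Host" procedure for the primary; stops at the first failing step.
add_host() {  # fqdn ip fwdzone revzone named.conf prefixbits
    add_a "$3" "$1" "$2" && add_ptr "$4" "$1" "$2" "$6" || return 1
    bump_serial "$3" && bump_serial "$4" && add_trusted "$5" "$2" "$1" || return 1
    problems=$(check_consistency "$3" "$4" "$6")
    [ -z "$problems" ] || { printf '%s\n' "$problems" >&2; return 1; }
}

# On the real ns1, finish as the tutorial does: validate both zones, then reload.
validate_and_reload() {  # zonename fwdzone revzonename revzone
    named-checkzone "$1" "$2" && named-checkzone "$3" "$4" && sudo systemctl reload named
}
```

On ns1 a new host is then added with add_host host3.nyc3.example.com 10.128.100.103 /etc/named/zones/db.nyc3.example.com /etc/named/zones/db.10.128 /etc/named.conf 16, followed by validate_and_reload nyc3.example.com /etc/named/zones/db.nyc3.example.com 128.10.in-addr.arpa /etc/named/zones/db.10.128; the new IP still has to be added to ns2's "trusted" ACL by hand, as the steps above say.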

Conclusion

Now you may refer to your servers' private network interfaces by name, rather than by IP address. This makes configuration of services and applications easier because you no longer have to remember the private IP addresses, and the files will be easier to read and understand. Also, now you can change your configurations to point to a new server in a single place, your primary DNS server, instead of having to edit a variety of distributed configuration files, which eases maintenance.

Once you have your internal DNS set up, and your configuration files are using private FQDNs to specify network connections, it is critical that your DNS servers are properly maintained. If they both become unavailable, your services and applications that rely on them will cease to function properly. This is why it is recommended to set up your DNS with at least one secondary server, and to maintain working backups of all of them.

Comments (17)

uddhab May 28, 2015

Thanks for the great tutorial.

ronald8192 June 9, 2015

I have opened port 53 in the firewall, but my host cannot query the DNS.

sudo firewall-cmd --permanent --add-port=53/tcp --zone=public
sudo firewall-cmd --reload

NS      IP Address
ns1     192.168.0.11
ns2     192.168.0.12

Host    IP Address
host1   192.168.0.101
host2   192.168.0.102

I can ping the ns from the host. But cannot query.

ronald8192@host1 ~ $ ping 192.168.0.11
PING 192.168.0.11 (192.168.0.11) 56(84) bytes of data.
64 bytes from 192.168.0.11: icmp_seq=1 ttl=64 time=0.239 ms
64 bytes from 192.168.0.11: icmp_seq=2 ttl=64 time=0.240 ms
^C
--- 192.168.0.11 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.239/0.239/0.240/0.015 ms
ronald8192@host1 ~ $ nslookup ns1.mydomain.com
;; connection timed out; no servers could be reached

The ns can query itself.

ronald8192@ns1 ~$ nslookup ns2.mydomain.com
Server:         192.168.0.11
Address:        192.168.0.11#53

Name:   ns2.mydomain.com
Address: 192.168.0.12


manicas July 7, 2015

Does your host1/2 have the DNS servers listed as name resolution servers (resolv.conf)?

ronald8192 August 9, 2015

@manicas
I did set the resolv.conf:

ronald8192@host1 ~ $ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
search mydomain.com
nameserver 192.168.0.11
nameserver 192.168.0.12

ronald8192@host1 ~ $ nslookup google.com
;; connection timed out; no servers could be reached

My client host is Linux Mint/Ubuntu. Do I need some special command to add the nameserver entry?

manicas August 10, 2015

This tutorial is for CentOS 7. The Ubuntu version can be found here. Ubuntu's resolv.conf is managed differently than in CentOS.

The other thing is that you need to leave in the existing name servers that allow your server to resolve Internet addresses:

nameserver 8.8.8.8
nameserver 8.8.4.4


alpha July 7, 2015

Dear Mitchell,
First of all, thank you very much for your tutorial.
I have followed all the steps above to install and configure my DNS/rDNS server. However, my domain name can't find the IP. The server can't be found; when I dig or nslookup I get a different IP. Besides that, my reverse DNS doesn't work.
I hope you can help to find a solution to my problem. Looking forward to hearing from you.

manicas July 7, 2015

Make sure that your servers are set to use your DNS servers for name resolution (resolv.conf). Also, make sure that your netmask and corresponding zones are correct for your setup.

alpha July 8, 2015

Dear Mitchell Anicas,
First of all, thank you very much for your help and prompt reply.
My server is hosted in the cloud somewhere else. As you mentioned in the reply, for DNS servers for name resolution (resolv.conf), that file contains the following:

; generated by /sbin/dhclient-script
nameserver 110.74.128.72
nameserver 110.74.128.71

When I comment out those IPs and dig my domain, it works fine on my server; when I dig from another PC or server, it gives me another IP. When I delete those IPs and put my IP, it works fine on my server but elsewhere it doesn't work. The last thing: if I restart my server, it works neither on my server nor on another.
How can I solve this error?
Once again, thank you very much and looking forward to hearing from you.

manicas July 8, 2015

I'm not sure what you're trying to do. The use case for this tutorial is to provide name resolution to your servers that are in a particular (private) subnet. The names/IPs should not resolve from computers outside.


spravtek July 25, 2015

Nice tutorial. I found one thing, though, that can cause an error in your logs if you don't set it like it should be. No big deal, resolving works, but it should be fixed if you want your slave to be able to dump the master files.

On the slave server, if you configure the named.conf.local like this:

zone "nyc3.example.com" {
    type slave;
    file "db.nyc3.example.com";
    masters { 10.128.10.11; }; # ns1 private IP
};
zone "128.10.in-addr.arpa" {
    type slave;
    file "db.10.128";
    masters { 10.128.10.11; }; # ns1 private IP
};

you will see an error in your /var/log/messages like this:

dumping master file: tmp-oFPEZxEKPb: open: permission denied

Instead, if you configure your named.conf.local like this on the slave server:

zone "nyc3.example.com" {
    type slave;
    file "slaves/db.nyc3.example.com";
    masters { 10.128.10.11; }; # ns1 private IP
};
zone "128.10.in-addr.arpa" {
    type slave;
    file "slaves/db.10.128";
    masters { 10.128.10.11; }; # ns1 private IP
};


there will be no more errors and the master file can be dumped without issues.

alphaop August 19, 2015

I am a newbie in CentOS and now I am trying to configure a DNS and Reverse DNS server. After trying several times, the error kept showing up and getting worse day by day. Now I am looking forward to getting assistance from a good volunteer to help get rid of this error in order for my DNS and Reverse DNS server to work fine.

I will be pasting the content of the configuration files below for you to have a clear picture:

After the installation and configuration, when I use the dig command I get the following:

dig masterdns.anisehq.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.2 <<>> masterdns.anisehq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5226
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;masterdns.anisehq.com.         IN      A

;; ANSWER SECTION:
masterdns.anisehq.com.  7199    IN      A       110.74.133.89

;; Query time: 239 msec
;; SERVER: 192.168.101.4#53(192.168.101.4)
;; WHEN: Wed Aug 19 17:47:51 2015
;; MSG SIZE  rcvd: 55

It seems not to be correct.
After the installation and configuration, when I use the nslookup command I get the following:

nslookup 110.74.133.89
Server:         192.168.101.4
Address:        192.168.101.4#53

** server can't find 89.133.74.110.in-addr.arpa.: NXDOMAIN

There is a problem with reverse DNS here.

nslookup masterdns.anisehq.com
Server:         192.168.101.4
https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-centos-7

26/29

3/10/16

How To Configure BIND as a Private Network DNS Server on CentOS 7 | DigitalOcean

Address:192.168.101.4#53

Non- aut horit at iveanswer:


Name:mast erdns.anisehq.com
Address:110.7 4.133.89

dns check August 22, 2015

It looks like the authoritative name servers for 110.74.133.89 are ns1.aims.my and ns2.aims.my:

$ dig ns +short 133.74.110.in-addr.arpa
ns2.aims.my.
ns1.aims.my.

Neither of the above name servers return any PTR records for the above IP:

$ dig +short -x 110.74.133.89 @ns1.aims.my
$ dig +short -x 110.74.133.89 @ns2.aims.my
$

I recommend verifying that ns1.aims.my and ns2.aims.my are the name servers that you're trying to use. If they are, then can you post the zone file that 89.133.74.110.in-addr.arpa appears in?

alphakeita September 7, 2015

Dear Respected,

It is about a month now trying to install and configure a DNS and Reverse DNS server and up to now I am struggling with it because I am a newbie in it.

I am facing the below error. For your information I have two IPs, public and private.

When I nslookup ns1.anisehq.com locally (DNS server machine):

nslookup ns1.anisehq.com
Server:		192.168.101.134
Address:	192.168.101.134#53

Name:	ns1.anisehq.com
Address: 192.168.101.134 (private IP of my machine)

nslookup within the same network in the cloud:

nslookup ns1.anisehq.com
Server:		192.168.101.4
Address:	192.168.101.4#53

Non-authoritative answer:
Name:	ns1.anisehq.com
Address: 110.74.133.89 (public IP of my machine)

nslookup outside the network (WAN): it shows nothing.

nslookup ns1.anisehq.com
;; connection timed out; no servers could be reached

manicas September 21, 2015

I'm not sure what you're trying to do here. Could you clarify?

ekaaaaprillia8 September 13, 2015

visit my blog please :)

https://goyangjibang.wordpress.com/2015/09/13/lab-4-dns-bind-di-centos-7-dengan-client-windows-7-ultimate/

thanks sir :)

saeed November 29, 2015

Is this a typo? In the /etc/named.conf 3 of 4 part, ns2's private IP address is set to 10.132.241.227; while it was 10.128.20.12;

manicas November 30, 2015

Yes, thanks for catching that. I fixed it.


This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Copyright 2016 DigitalOcean Inc.
