This guide will show how to install and configure a DNS server on RHEL 8 beta, either in caching-only mode or as a single DNS server (no master/slave configuration). As we are working on a beta system, what is explained here is not meant for production. A forward and a reverse zone example are provided.
In this tutorial you will learn:
- How to install a DNS server in RHEL 8 beta
- How to configure a server as a caching-only DNS server
- How to configure a server as a single DNS server
Software Requirements and Conventions Used
Software Requirements and Linux Command Line Conventions
- Category: Networking
- System: RHEL 8.0 (Ootpa)
- Software: bind
- Other: Privileged access to your Linux system as root or via the sudo command.
- Conventions: # - requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command; $ - requires given linux commands to be executed as a regular non-privileged user
Prerequisites
Before starting it is assumed that:
- You or your organization has already created an account with Red Hat
- RHEL 8 beta has already been downloaded and installed
- The system has already been registered through the Subscription Manager
- You have already set up a local or remote repository
DNS Server installation
- Bind installation
We are going to install BIND, the most widely used open source DNS server, through the dnf tool, on which yum is now based. The command to run is:
# dnf -y install bind*
The wildcard installs the bind package together with every other package whose name starts with bind, including bind-utils, which provides the dig and host query tools used to test a server.
Common DNS Server Configuration
- Configuring the Firewall
We need to enable the DNS service:
# firewall-cmd --permanent --zone=public --add-service=dns
and reload the configuration:
# firewall-cmd --reload
- Backing up main configuration files
It is always a good habit to make an initial backup copy of the main bind config files, and to do the same before any later change.
# cp /etc/named.conf /etc/named.conf.org
# cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.org
- Checking the network configuration
A DNS server must have a static IP address; let's verify that this is the case:
$ cat /etc/sysconfig/network-scripts/ifcfg-enp0s3 | egrep -i "boot|ipaddr|mask|gateway"
Which, for instance, yields the results below:
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.0.0.63
NETMASK=255.255.255.0
GATEWAY=10.0.0.1
Of course your network configuration might be different, but again the IP address must be static.
- Choosing the domain name
To set a Fully Qualified Domain Name (FQDN):
# hostnamectl set-hostname dns-srv.vulcansys-local.com
You can of course choose another name; here I have invented a domain name which doesn't appear to have been registered to any organization.
- Resolver configuration
We are going to configure the resolv.conf file. The first lines must be:
search vulcansys-local.com
nameserver 10.0.0.63
This applies both to the server and to any client querying our DNS; of course you need to add a second nameserver to resolve Internet sites or any other domain.
- Disabling the Network Manager DNS auto-configuration
We don't want the Network Manager to change the resolv.conf file. To do that we simply add the line:
dns=none
in the [main] section of the file /etc/NetworkManager/NetworkManager.conf, and we reload the service:
# systemctl reload NetworkManager
- Enabling the bind service at startup
We need to make sure the DNS service is started with the system, so:
# systemctl enable named
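The steps of this section are easy to script so that they are repeatable and so that a second run never overwrites the pristine backup or duplicates the dns= key. The following is an added example, not code from the original guide: shell functions that keep the first backup of a file, set dns=none exactly once in the [main] section of a NetworkManager.conf-style file, and write the resolver configuration. The function names are invented here; the domain, address and paths in the --apply branch are the guide's own values, and the --apply branch is the only part that touches the real system.

```sh
#!/bin/sh
# Added example (not from the original guide): reusable helpers for the
# "common configuration" steps above. Function names are invented here.
set -eu

# Copy $1 to $1.org only if no such backup exists yet, so the pristine
# original is never overwritten by a later backup of an edited file.
backup_once() {
    [ -e "$1.org" ] || cp -p "$1" "$1.org"
}

# Ensure "dns=none" is set exactly once in the [main] section of a
# NetworkManager.conf-style file ($1), dropping any other dns= value in
# that section and creating the section if the file lacks it.
nm_disable_dns() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    awk '
        /^\[/ { in_main = ($0 == "[main]"); if (in_main) seen_main = 1 }
        in_main && /^dns=/ { next }            # drop old dns= lines in [main]
        { print }
        in_main && /^\[main\]$/ && !done { print "dns=none"; done = 1 }
        END {
            if (!seen_main) print "[main]"
            if (!done) print "dns=none"
        }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Write a resolv.conf-style file: $1 = path, $2 = search domain, remaining
# arguments = nameservers in the order they should be tried.
write_resolver() {
    out="$1"; domain="$2"; shift 2
    {
        printf 'search %s\n' "$domain"
        for ns in "$@"; do printf 'nameserver %s\n' "$ns"; done
    } > "$out"
}

# Apply the guide's values to the real system (run as root: sh common.sh --apply).
if [ "${1:-}" = "--apply" ]; then
    backup_once /etc/named.conf
    backup_once /etc/named.rfc1912.zones
    nm_disable_dns /etc/NetworkManager/NetworkManager.conf
    systemctl reload NetworkManager
    write_resolver /etc/resolv.conf vulcansys-local.com 10.0.0.63
    firewall-cmd --permanent --zone=public --add-service=dns
    firewall-cmd --reload
    systemctl enable named
fi
```

Without --apply the script only defines the functions, so it can be sourced and tried against copies of the files before it is run as root.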
DNS Server types
It is possible to configure a DNS server to work in one of the modes below, only one at a time:
- Root Server
- Single Server
- Secondary Server
- Caching-only Server
- Forwarding Server
A primary or single DNS server is authoritative for a domain, but we have no high availability; therefore if it is down or unreachable no DNS query for the domain will work, unless the answer is cached or duplicated in the static file /etc/hosts.
NOTE: What we have configured so far is common whichever "configuration mode" we choose.
- Caching only DNS Server
We make sure the following lines are changed/configured in the named.conf file:
listen-on port 53 { 127.0.0.1; 10.0.0.63; };
#listen-on-v6 port 53 { ::1; };
allow-query { 127.0.0.1; 10.0.0.0/24; };
recursion yes;
allow-recursion { 127.0.0.1; 10.0.0.0/24; };
For simplicity here the server will not listen on an IPv6 address (the relevant line is therefore commented out). To check that the configuration is OK we can run the command:
# named-checkconf
If everything is fine no output is returned. Finally we need to have the service reload its configuration:
# systemctl reload named
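The allow-recursion list above is what keeps this server from becoming an open resolver, a recursive server that answers anyone on the Internet and that third parties abuse for reflection and cache-poisoning attempts. The following added example, which is not code from the original guide or from BIND, reads a named.conf written in the option syntax shown above and classifies its recursion settings. The function names are invented here, and the parsing assumes # or // comments and a single allow-recursion block, as in the guide's snippets.

```sh
#!/bin/sh
# Added example (not from the original guide): classify the recursion
# settings of a named.conf written like the snippets above. Function names
# are invented here; the parsing assumes "#" or "//" comments.
set -eu

# Print the configuration with comments removed and newlines collapsed, so
# that an option block can be matched with one pattern even if it spans lines.
flatten_named_conf() {
    sed -e 's/#.*//' -e 's|//.*||' "$1" | tr '\n' ' '
}

# Print the value of a yes/no option such as "recursion", or "unset".
named_option() {
    value=$(flatten_named_conf "$1" | grep -o "$2 *[a-z]*;" | head -n 1 \
            | sed -e "s/^$2 *//" -e 's/;$//')
    printf '%s\n' "${value:-unset}"
}

# Print the address-match entries of an ACL option such as "allow-recursion",
# one per line (empty output if the option is absent).
named_acl() {
    flatten_named_conf "$1" | grep -o "$2 *{[^}]*}" | head -n 1 \
        | sed -e "s/^$2 *{//" -e 's/}$//' | tr ';' '\n' \
        | sed -e 's/^ *//' -e 's/ *$//' -e '/^$/d'
}

# Classify: "authoritative" (recursion no), "open" (recursion allowed for
# anyone), "restricted" (recursion limited to the listed addresses) or
# "default" (recursion on but no allow-recursion, so BIND's own default of
# localnets/localhost applies). BIND enables recursion when the option is absent.
recursion_status() {
    case "$(named_option "$1" recursion)" in
        no) echo authoritative; return 0 ;;
    esac
    acl=$(named_acl "$1" allow-recursion)
    if [ -z "$acl" ]; then
        echo default
    elif printf '%s\n' "$acl" | grep -qx -e any -e '0.0.0.0/0' -e '0/0'; then
        echo open
    else
        echo restricted
    fi
}

# Usage on the server: sh recursion-check.sh /etc/named.conf
if [ $# -eq 1 ]; then
    printf '%s: %s\n' "$1" "$(recursion_status "$1")"
fi
```

For the caching-only snippet above the result is "restricted"; replacing its allow-recursion list with { any; } would turn it into "open", which is the configuration to avoid on any server reachable from outside the LAN.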
- Single DNS server
In case we choose this type it will be our authoritative DNS server, in charge of any name resolution in the domain we have chosen.
Here also we are going to edit /etc/named.conf:
listen-on port 53 { localhost; 10.0.0.63; };
#listen-on-v6 port 53 { ::1; };
allow-query { 127.0.0.1; 10.0.0.0/24; };
recursion no;
In this guide, for simplicity, we are not setting the bind service to listen on an IPv6 address. The option recursion no makes sure the DNS server will not do all the work to provide an answer to a particular query, but will leave to the root servers and to the other authoritative servers the task of resolving the names or IP addresses it doesn't know. In other words: an authoritative server must not be recursive.
Afterwards we have to specify our zone files; here we will configure a forward zone (to resolve a name to an IP address) and a reverse zone (to resolve an IP address to a name), each in its own file, by appending the following lines to the named.rfc1912.zones file:
zone "vulcansys-local.com" IN {
    type master;
    file "forward.zone";
    allow-update { none; };
};
zone "0.0.10.in-addr.arpa" IN {
    type master;
    file "reverse.zone";
    allow-update { none; };
};
The reverse zone is named after the network part of the address written backwards (0.0.10 for 10.0.0.0/24), which is why the PTR record further down only needs the host part 63.
The option allow-update refers to DNS dynamic updates, that is, an application on a host adding a DNS record; for security reasons this is disabled by default and therefore only the system administrator can add records, manually.
Now we need to create the files forward.zone and reverse.zone. Usually the zone files are inside the directory /var/named, as we can infer from the directory option in the named.conf configuration file. Our forward.zone file will contain:
$TTL 1D
@       IN SOA dns-srv.vulcansys-local.com. root.vulcansys-local.com. (
                2019022400 ; serial
                3h         ; refresh
                15         ; retry
                1w         ; expire
                3h         ; minimum
                )
        IN NS  dns-srv.vulcansys-local.com.
dns-srv IN A   10.0.0.63
And the reverse.zone file:
$TTL 1D
@       IN SOA dns-srv.vulcansys-local.com. root.vulcansys-local.com. (
                2019022400 ; serial
                3h         ; refresh
                15         ; retry
                1w         ; expire
                3h         ; minimum
                )
        IN NS  dns-srv.vulcansys-local.com.
63      IN PTR dns-srv.vulcansys-local.com.
In the mentioned config files SOA (Start Of Authority) defines the global parameters for the zone (domain); only one such Resource Record can be specified (the line with the SOA keyword and our fully qualified domain name). The Time To Live ($TTL) is by default 1 day (or 86400 seconds) and should be temporarily shortened before changing any entry in this file, as it tells caching DNS servers for how long to keep any information retrieved. Most important is to remember to end any Fully Qualified Domain Name in these configuration files with a dot. Here root.vulcansys-local.com. is the e-mail address (the first dot stands for the @ sign) and 2019022400 is the serial field, which in practice is there to track any change in the zone file and conventionally is in the form YYYYmmddss, where ss is a two-digit number.
In the reverse file you might have noticed everything looks the same except the last line. There we specify with PTR a reverse lookup which will resolve to 10.0.0.63; it is just needed to type the last octet 63 which identifies the host (as the netmask is 255.255.255.0), since the zone name already carries the network part in reverse order.
Now we make sure to have the correct permissions:
# chgrp named /var/named/reverse.zone
# chgrp named /var/named/forward.zone
To check that the zone files are correctly configured you can issue the commands:
# named-checkzone vulcansys-local.com /var/named/forward.zone
# named-checkzone 0.0.10.in-addr.arpa /var/named/reverse.zone
And to verify the overall configuration, including loading every master zone:
# named-checkconf -z
If everything's fine we can reload the service:
# systemctl reload named
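The two conventions the text insists on, trailing dots and a dated serial, together with the reverse-zone naming, are the details most often got wrong, and named-checkzone only catches some of the results (a PTR target without the trailing dot is syntactically valid; it just yields a name extended with the zone origin). Below is an added example, not code from the original guide or from BIND: shell functions that derive the in-addr.arpa zone name and PTR owner for a /8, /16 or /24 network, and that lint a zone file for FQDN targets lacking the trailing dot and for a serial outside the YYYYmmddss convention. The function names are invented here; the zone used in the test mirrors the guide's reverse zone.

```sh
#!/bin/sh
# Added example (not from the original guide): derive reverse-zone names and
# lint zone files for the two conventions the text stresses. Function names
# are invented here.
set -eu

# Print the in-addr.arpa zone for a network and a prefix length of 8, 16 or
# 24, e.g. "reverse_zone_name 10.0.0.0 24" -> 0.0.10.in-addr.arpa
reverse_zone_name() {
    printf '%s\n' "$1" | awk -F. -v n="$(( $2 / 8 ))" '
        { s = ""; for (i = n; i >= 1; i--) s = s $i "."; print s "in-addr.arpa" }'
}

# Print the owner label of the PTR record for a host inside such a zone,
# e.g. "ptr_owner 10.0.0.63 24" -> 63
ptr_owner() {
    printf '%s\n' "$1" | awk -F. -v n="$(( $2 / 8 ))" '
        { s = ""; for (i = 4; i > n; i--) s = s (s == "" ? "" : ".") $i; print s }'
}

# Print a zone file with comments and blank lines removed and each
# parenthesised SOA block joined onto a single line.
zone_flatten() {
    awk '
        { sub(/;.*/, "") }
        /^[ \t]*$/ { next }
        { buf = (buf == "" ? $0 : buf " " $0) }
        /\(/ { depth++ }
        /\)/ { depth-- }
        depth == 0 { print buf; buf = "" }
    ' "$1"
}

# Print the SOA serial of a zone file (the first SOA field after the two
# names, skipping an opening parenthesis if present).
zone_serial() {
    zone_flatten "$1" | awk '
        { for (i = 1; i <= NF; i++) if ($i == "SOA") {
              j = i + 3; if ($j == "(") j++; print $j; exit } }'
}

# True if a serial follows the YYYYmmddss convention described in the text.
serial_is_dated() {
    printf '%s\n' "$1" | grep -Eq '^(19|20)[0-9]{2}(0[1-9]|1[0-2])(0[1-9]|[12][0-9]|3[01])[0-9]{2}$'
}

# Print every NS, PTR, CNAME, MX or SOA target name that lacks the trailing
# dot, i.e. a name BIND would silently extend with the zone origin.
zone_targets_missing_dot() {
    zone_flatten "$1" | awk '
        function check(name) { if (name != "" && name != "@" && name !~ /\.$/) print name }
        substr($1, 1, 1) == "$" { next }          # $TTL, $ORIGIN directives
        { for (i = 1; i <= NF; i++) {
              if ($i == "NS" || $i == "PTR" || $i == "CNAME") { check($(i+1)); break }
              if ($i == "MX")  { check($(i+2)); break }
              if ($i == "SOA") { check($(i+1)); check($(i+2)); break }
          } }'
}

# Usage on the server: sh zonecheck.sh /var/named/reverse.zone
if [ $# -eq 1 ]; then
    serial=$(zone_serial "$1")
    if serial_is_dated "$serial"; then echo "serial $serial: ok"; else echo "serial $serial: not YYYYmmddss"; fi
    zone_targets_missing_dot "$1" | sed 's/^/missing trailing dot: /'
fi
```

Run it on both zone files after every edit and before named-checkzone; an empty "missing trailing dot" list and a dated serial are what you want to see.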
Client configuration
- Configuring the Firewall
We need to configure the firewall as explained above for the server. For simplicity I'm assuming the client is also a RHEL 7 or 8 system.
- Resolver configuration
The first nameserver must be our DNS server; here too make sure the Network Manager doesn't alter the resolv.conf file.
- Setting the Hostname
For consistency every client in the domain should have a FQDN hostname assigned.
Finally we verify that our DNS configuration is working, from a client, by trying to ping the DNS server by name.
Conclusion
Setting up a DNS server is a task that any serious administrator should have done at least once, and in RHEL 8 beta the way to do it is not difficult.
This is a companion discussion topic for the original entry at https://linuxconfig.org/install-dns-server-on-redhat-8