CentOS8 bind settings

Install bind on CentOS8 and create a public DNS server

** CentOS8 will no longer be supported, as it reaches end of life on December 31, 2020, but ... since there was an article that was almost finished, I will publish it. **

What is written in this article

Information that needs to be prepared

Required packages

Package name   Purpose                                      Remarks
bind           bind itself
bind-chroot    chroot environment for bind                  Install it for security unless there is a special reason not to.
bind-utils     bind debugging tools (dig, host, nslookup)

Installing bind

Check the installation status of the required packages, and install them if they are not installed.

[user01@cent8 ~]$ rpm -q bind bind-chroot bind-utils
Package bind is not installed.
Package bind-chroot is not installed.
bind-utils-9.11.4-26.P2.el8.x86_64
[user01@cent8 ~]$ sudo dnf install -y bind bind-chroot

Check the basic configuration files

Purpose                    File / directory                  Remarks
Operation settings         /etc/named.conf
Forward zone file          /var/named/example.co.jp_zone     Created by hand; change the domain part to match your environment
Reverse zone file          /var/named/192.168.1.0_rev        Created by hand; change the IP part to match your environment
rndc config file           /etc/rndc.conf
rndc key file              /etc/rndc.key                     Generated automatically
DLV key                    /etc/named.iscdlv.key             Key for DNSSEC lookaside validation (DLV, now retired); no setting required
Localhost zones            /etc/named.rfc1912.zones          Recommended settings for localhost; no setting required
Root trust anchor          /etc/named.root.key               DNSKEY for the root zone; no setting required
Root hints                 /var/named/named.ca               If it is missing, create it with dig +noall +answer +add +bufsize=4096 @a.root-servers.net . ns > /var/named/named.ca (the same command as in "Update rootcache" at the end). It rarely needs updating, but remember how to do it.
Secondary zone data        /var/named/slaves                 Zone data obtained from the master when acting as a secondary
Statistics and debug data  /var/named/data                   Statistics files and debug output
chroot destination         /var/named/chroot                 The files and directories named needs are mounted under here automatically at start-up. You do not need to think about the chroot when editing settings.

Things you should know before setting

When running bind in the chroot, pay attention to where the configuration files live. The path of the real file and the path named reads after bind-chroot starts are different, but that difference is resolved by bind-mounting the files under the chroot directory when named-chroot starts. Therefore edit the configuration file and place the zone files at the real location (the SOURCE column below), not under /var/named/chroot.

[user01@cent8 ~]$ findmnt /dev/mapper/cl-root
TARGET                                                      SOURCE                                                           FSTYPE OPTIONS
/                                                           /dev/mapper/cl-root                                              xfs    rw,relatime,seclab
/var/named/chroot/etc/localtime                             /dev/mapper/cl-root[/usr/share/zoneinfo/Asia/Tokyo]              xfs    rw,relatime,seclab
/var/named/chroot/etc/named.root.key                        /dev/mapper/cl-root[/etc/named.root.key]                         xfs    rw,relatime,seclab
/var/named/chroot/etc/named.conf                            /dev/mapper/cl-root[/etc/named.conf]                             xfs    rw,relatime,seclab
/var/named/chroot/etc/named.rfc1912.zones                   /dev/mapper/cl-root[/etc/named.rfc1912.zones]                    xfs    rw,relatime,seclab
/var/named/chroot/etc/rndc.key                              /dev/mapper/cl-root[/etc/rndc.key]                               xfs    rw,relatime,seclab
/var/named/chroot/etc/crypto-policies/back-ends/bind.config /dev/mapper/cl-root[/usr/share/crypto-policies/DEFAULT/bind.txt] xfs    rw,relatime,seclab
/var/named/chroot/etc/protocols                             /dev/mapper/cl-root[/etc/protocols]                              xfs    rw,relatime,seclab
/var/named/chroot/etc/services                              /dev/mapper/cl-root[/etc/services]                               xfs    rw,relatime,seclab
/var/named/chroot/etc/named                                 /dev/mapper/cl-root[/etc/named]                                  xfs    rw,relatime,seclab
/var/named/chroot/usr/lib64/bind                            /dev/mapper/cl-root[/usr/lib64/bind]                             xfs    rw,relatime,seclab
/var/named/chroot/usr/share/GeoIP                           /dev/mapper/cl-root[/usr/share/GeoIP]                            xfs    rw,relatime,seclab
/var/named/chroot/var/named                                 /dev/mapper/cl-root[/var/named]                                  xfs    rw,relatime,seclab
[user01@cent8 ~]$

bind settings

Setting description in /etc/named.conf

Make basic settings for bind.

[user01@cent8 ~]$ sudo vi /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

acl internals {    // Added: ACL used to restrict who may query the cache and recurse (localhost and the LAN)
    127.0.0.1;
    192.168.1.0/24;
};

options {
	//listen-on port 53 { 127.0.0.1; };  // Commented out: without it, named listens on every IPv4 address
	//listen-on-v6 port 53 { ::1; };     // Commented out
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	secroots-file	"/var/named/data/named.secroots";
	recursing-file	"/var/named/data/named.recursing";
	allow-query     { internals; };    // Changed from localhost to internals
	allow-query-cache     { internals; };    // Added: only internals may read the cache; this is also what allow-recursion defaults to when it is not set
	allow-transfer  { none; };    // Added: no zone transfers unless a zone statement below allows them

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;
	version "";  // Answer version.bind (CHAOS TXT) queries with an empty string
	hostname ""; // Likewise for hostname.bind

	dnssec-enable yes;
	dnssec-validation yes;

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
	include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

// Authoritative zone settings
zone "example.co.jp" IN {
        type master;
        allow-query { any; };			// Authoritative data is public; overrides the global internals ACL for this zone
        allow-transfer { 192.168.1.11; };	// Only the secondary may transfer the zone (use none if there is no secondary; an IP ACL is weaker than a TSIG key)
        file "example.co.jp_zone";		// Zone file name, relative to directory (/var/named)
        notify yes;				// Send NOTIFY to the secondary when the zone changes
        also-notify { 192.168.1.11; };		// Extra NOTIFY target; needed when the secondary must be reached at an address (e.g. a private IP) other than the one its NS record resolves to
};

zone "1.168.192.in-addr.arpa" IN {
        type master;
        allow-query { any; };			// Authoritative data is public; overrides the global internals ACL for this zone
        allow-transfer { 192.168.1.11; };	// Only the secondary may transfer the zone (use none if there is no secondary)
        file "192.168.1.0_rev";			// Zone file name, relative to directory (/var/named)
        notify yes;				// Send NOTIFY to the secondary when the zone changes
        also-notify { 192.168.1.11; };		// Extra NOTIFY target, as above
};

include "/etc/rndc.key";
// Even without the following controls block, once /etc/rndc.key is included named sets up the
// same default control channel (127.0.0.1 and ::1, port 953, key rndc-key).
// It is shown here as a reference for when the settings need to be changed.
controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; };
};

Configuration file syntax check

Make sure no message pointing out a mistake is printed; named-checkconf prints nothing when the file parses cleanly. Adding -z also loads every zone file, which is what the named-chroot unit runs before starting named (see the ExecStartPre line in the status output below). Note that this is a syntax check only: it will not warn about an open resolver or an unrestricted zone transfer.

[user01@cent8 ~]$ sudo named-checkconf /etc/named.conf
[sudo] password for user01:
[user01@cent8 ~]$
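named-checkconf only validates syntax, so the access-control intent of the named.conf above (recursion limited to internals, transfers off by default, version.bind suppressed) has to be checked separately. The following is an added example, not part of the original article or of BIND: a small policy check over the options block that applies the fallback order BIND uses for allow-recursion (allow-recursion, then allow-query-cache, then allow-query, then localnets/localhost). The two configuration strings are constructed samples; the first is the options block from this article reduced to the relevant lines, the second a deliberately weak variant.

```python
import re

# Constructed samples (not the page's files): the options block of the
# named.conf above reduced to the relevant lines, and a weak variant.
HARDENED = """\
acl internals { 127.0.0.1; 192.168.1.0/24; };
options {
    directory "/var/named";
    allow-query     { internals; };
    allow-query-cache { internals; };
    allow-transfer  { none; };
    recursion yes;
    version "";
    hostname "";
    dnssec-validation yes;
};
"""

OPEN_RESOLVER = """\
options {
    directory "/var/named";
    allow-query { any; };
    recursion yes;
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments so a commented-out line is not read as a directive."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def options_block(text):
    """Return the body of the top-level options { ... }; statement."""
    m = re.search(r"^\s*options\s*\{(.*?)^\};", strip_comments(text), re.S | re.M)
    return m.group(1) if m else ""

def directive(block, name):
    """Value of one directive: an ACL as a list, a quoted string, or a bare word.
    Returns None when the directive is absent (so BIND's default applies)."""
    m = re.search(r"\b" + re.escape(name) + r"\s+(\{[^}]*\}|\"[^\"]*\"|\S+)\s*;", block)
    if not m:
        return None
    val = m.group(1)
    if val.startswith("{"):
        return [x.strip() for x in val[1:-1].split(";") if x.strip()]
    return val.strip('"')

def audit(text):
    """Policy findings for the options block; an empty list means nothing found."""
    opts = options_block(text)
    findings = []
    recursion = directive(opts, "recursion") or "yes"        # BIND default: recursion yes
    # BIND 9 ARM: allow-recursion defaults to allow-query-cache, then allow-query,
    # then localnets/localhost, so an 'any' anywhere up the chain opens the resolver.
    rec_acl = (directive(opts, "allow-recursion")
               or directive(opts, "allow-query-cache")
               or directive(opts, "allow-query")
               or ["localnets", "localhost"])
    if recursion == "yes" and "any" in rec_acl:
        findings.append("open resolver: recursion yes with recursion ACL 'any'")
    xfer = directive(opts, "allow-transfer")
    if xfer is None or "any" in xfer:
        findings.append("zone transfer not restricted: allow-transfer missing or 'any'")
    if directive(opts, "version") != "":
        findings.append("version.bind not suppressed: version \"\" missing")
    if directive(opts, "dnssec-validation") not in ("yes", "auto"):
        findings.append("dnssec-validation not enabled")
    return findings

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("open resolver", OPEN_RESOLVER)):
        print(label, "->", audit(cfg) or ["OK"])
```

Run it against the real file with `audit(open("/etc/named.conf").read())`. It reads only the global options block; per-zone overrides such as the `allow-query { any; }` on the authoritative zones are intended and are not flagged. If the fallback chain feels too implicit, an explicit `allow-recursion { internals; };` in options documents the intent and survives later edits to allow-query-cache.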

Creating an authoritative zone file

Example zone file for example.co.jp

[user01@cent8 ~]$ sudo vi /var/named/example.co.jp_zone

; example.co.jp
$TTL 86400
@       IN      SOA ns1.example.co.jp. postmaster.ns1.example.co.jp. (
                  2020061901              ; Serial - increment it every time the zone changes (YYYYMMDDnn)
                  7200                    ; Refresh
                  1800                    ; Retry
                  1209600                 ; Expire
                  900                     ; Negative cache TTL
                                )
        IN      NS      ns1.example.co.jp.
        IN      NS      ns2.example.co.jp.
;        IN      TXT     "v=spf1 +ip4:xxx.xxx.xxx.xxx ~all"   ; SPF record, enable and fill in the mail server address if needed

ns1    IN      A       192.168.1.10
ns2    IN      A       192.168.1.11
localhost IN    A       127.0.0.1

Example zone file for reverse lookup of 192.168.1.0/24

[user01@cent8 ~]$ sudo vi /var/named/192.168.1.0_rev
; 1.168.192.in-addr.arpa
$TTL 86400
@       IN      SOA ns1.example.co.jp. postmaster.ns1.example.co.jp. (
                   2020061901              ; Serial - increment it every time the zone changes (YYYYMMDDnn)
                   7200                    ; Refresh
                   1800                    ; Retry
                   1209600                 ; Expire
                   900                     ; Negative cache TTL
                                )
        IN      NS      ns1.example.co.jp.
        IN      NS      ns2.example.co.jp.

10      IN     PTR     ns1.example.co.jp.
11      IN     PTR     ns2.example.co.jp.
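Both zone files above carry the warning that the serial must be updated on every change; if it is not, the secondary keeps serving the old data because it decides whether to transfer by comparing serials. The following is an added example, not part of the original article or of BIND: a helper that rewrites the SOA serial of a zone file in the YYYYMMDDnn scheme while guaranteeing it only ever increases, which covers the two cases people get wrong (several edits on one day, and a serial that is already ahead of the clock). The zone text is a constructed copy of the forward zone above; the `; Serial` comment is what the helper keys on.

```python
import re
from datetime import date

# Constructed sample (not the page's file): the SOA of the example.co.jp zone above.
ZONE = """\
; example.co.jp
$TTL 86400
@       IN      SOA ns1.example.co.jp. postmaster.ns1.example.co.jp. (
                  2020061901              ; Serial
                  7200                    ; Refresh
                  1800                    ; Retry
                  1209600                 ; Expire
                  900                     ; Negative cache TTL
                                )
        IN      NS      ns1.example.co.jp.
        IN      NS      ns2.example.co.jp.
ns1     IN      A       192.168.1.10
ns2     IN      A       192.168.1.11
"""

# The serial is the number on the SOA line whose comment starts with "Serial".
SERIAL_RE = re.compile(r"^[ \t]*(\d+)(?=[ \t]*;[ \t]*Serial\b)", re.M)

def next_serial(current, today):
    """Next YYYYMMDDnn serial (RFC 1912 section 2.2) strictly greater than current.

    - first change of the day: today's date followed by 01
    - further changes the same day: +1 (..99 rolls into the next date's 00,
      which is still larger, so the serial keeps increasing)
    - serial already ahead of the clock (clock skew, bulk edits): +1, never
      backwards, because secondaries compare serials with RFC 1982 arithmetic
    """
    base = int(today.strftime("%Y%m%d")) * 100
    return base + 1 if current < base else current + 1

def bump_serial(zone_text, today=None):
    """Return (new zone text, new serial); raises if no serial line is found."""
    today = today or date.today()
    m = SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no '; Serial' line found in the SOA record")
    new = next_serial(int(m.group(1)), today)
    return zone_text[:m.start(1)] + str(new) + zone_text[m.end(1):], new

if __name__ == "__main__":
    text, serial = bump_serial(ZONE, date(2020, 11, 29))
    print(serial)
    print(text)
```

After writing the result back to /var/named/example.co.jp_zone, run `named-checkzone example.co.jp /var/named/example.co.jp_zone` and then `rndc reload`; the "loaded serial" line in the journal confirms which serial named picked up, and the "sending notifies" line that the secondary was told.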

Start named-chroot

If you use bind with chroot, the service to start is named-chroot, not named. Be careful not to start named by mistake; both units run the same binary and would compete for port 53.

Stop named if it is running

[user01@cent8 ~]$ sudo systemctl disable named --now

Enable and start named-chroot

[user01@cent8 ~]$ sudo systemctl enable named-chroot --now
Created symlink /etc/systemd/system/multi-user.target.wants/named-chroot.service → /usr/lib/systemd/system/named-chroot.service.
[user01@cent8 ~]$ 

Confirm that it started (status check)

[user01@cent8 ~]$ sudo systemctl status named-chroot

● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-11-29 17:02:47 JST; 8s ago
  Process: 16297 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 16288 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMED>
 Main PID: 16300 (named)
    Tasks: 7 (limit: 37880)
   Memory: 56.1M
   CGroup: /system.slice/named-chroot.service
           └─16300 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot

November 29 17:02:47 cent8.example.co.jp named[16300]: zone 1.168.192.in-addr.arpa/IN: loaded serial 2020061901
November 29 17:02:47 cent8.example.co.jp named[16300]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
November 29 17:02:47 cent8.example.co.jp named[16300]: zone example.co.jp/IN: loaded serial 2020061901
November 29 17:02:47 cent8.example.co.jp named[16300]: all zones loaded
November 29 17:02:47 cent8.example.co.jp named[16300]: running
November 29 17:02:47 cent8.example.co.jp named[16300]: zone 1.168.192.in-addr.arpa/IN: sending notifies (serial 2020061901)
November 29 17:02:47 cent8.example.co.jp named[16300]: zone example.co.jp/IN: sending notifies (serial 2020061901)
November 29 17:02:47 cent8.example.co.jp systemd[1]: Started Berkeley Internet Name Domain (DNS).
November 29 17:02:47 cent8.example.co.jp named[16300]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
November 29 17:02:47 cent8.example.co.jp named[16300]: resolver priming query complete
[user01@cent8 ~]$

Check that it is listening on port 53 (only IPv4 sockets appear here because listen-on-v6 was left commented out)

[user01@cent8 ~]$ sudo lsof -P -i:53
COMMAND     PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd-r  1353 systemd-resolve   16u  IPv4  31263      0t0  UDP 127.0.0.53:53
named     16300           named   21u  IPv4  85726      0t0  TCP localhost:53 (LISTEN)
named     16300           named   22u  IPv4  85728      0t0  TCP cent8.example.co.jp:53 (LISTEN)
named     16300           named  512u  IPv4  85722      0t0  UDP localhost:53
named     16300           named  513u  IPv4  85722      0t0  UDP localhost:53
named     16300           named  514u  IPv4  85722      0t0  UDP localhost:53
named     16300           named  515u  IPv4  85727      0t0  UDP cent8.example.co.jp:53
named     16300           named  516u  IPv4  85727      0t0  UDP cent8.example.co.jp:53
named     16300           named  517u  IPv4  85727      0t0  UDP cent8.example.co.jp:53
[user01@cent8 ~]$

Change Firewalld settings (allow external queries)

To accept external queries, allow access to port 53. 53/udp alone is sometimes enough, but responses that exceed the UDP size limit are truncated and retried over TCP, and zone transfers to the secondary use TCP, so allow both tcp and udp (the firewalld dns service covers both).

firewalld status check

[user01@cent8 ~]$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: cockpit dhcpv6-client https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[user01@cent8 ~]$

Allow access to port 53

[user01@cent8 ~]$ sudo firewall-cmd --permanent --add-service=dns --zone=public
success
[user01@cent8 ~]$ sudo firewall-cmd --reload
success
[user01@cent8 ~]$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: cockpit dhcpv6-client dns https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[user01@cent8 ~]$

reference) The setting contents of service dns are described in /usr/lib/firewalld/services/dns.xml.

Commands used daily

Start-up

[user01@cent8 ~]$ sudo systemctl enable named-chroot --now

Stop

[user01@cent8 ~]$ sudo systemctl disable named-chroot --now

Reload config file/zone file

[user01@cent8 ~]$ sudo rndc reload

status check

[user01@cent8 ~]$ sudo rndc status
version: BIND 9.11.13-RedHat-9.11.13-6.el8_2.1 (Extended Support Version) <id:ad4df16> ()
running on cent8.example.co.jp: Linux x86_64 4.18.0-193.28.1.el8_2.x86_64 #1 SMP Thu Oct 22 00:20:22 UTC 2020
boot time: Sun, 29 Nov 2020 08:02:47 GMT
last configured: Sun, 29 Nov 2020 08:02:47 GMT
configuration file: /etc/named.conf (/var/named/chroot/etc/named.conf)
CPUs found: 4
worker threads: 4
UDP listeners per interface: 3
number of zones: 105 (97 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/900/1000
tcp clients: 2/150
TCP high-water: 2
server is up and running
[user01@cent8 ~]$

Collecting query log

Enable it when you want to see the queries themselves for troubleshooting. It generates a lot of log output, so be sure to disable it again after the investigation. The current state is shown by rndc status, and rndc querylog toggles it on and off.

The querylog is recorded in /var/named/data/named.run.

query logging on

[user01@cent8 ~]$ sudo rndc status |grep query
query logging is OFF
[user01@cent8 ~]$ sudo rndc querylog
[user01@cent8 ~]$ sudo rndc status |grep query
query logging is ON
[user01@cent8 ~]$

query logging off

[user01@cent8 ~]$ sudo rndc status |grep query
query logging is ON
[user01@cent8 ~]$ sudo rndc querylog
[user01@cent8 ~]$ sudo rndc status |grep query
query logging is OFF
[user01@cent8 ~]$ 
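Once querylog is on, named.run fills quickly and the interesting lines are easy to miss. The following is an added example, not part of the original article or of BIND: a parser for the querylog lines that counts queries per client, pulls out ANY queries (the classic amplification request), and flags recursion-desired queries from outside the internals ACL for names this server is not authoritative for. Under the named.conf above those get REFUSED, so their presence means someone is probing for an open resolver. The log lines are constructed in the shape BIND 9.11 writes (client pointer, source ip#port, qname, qtype, flags); the ACL and zone list are taken from the configuration above.

```python
import re
import ipaddress
from collections import Counter

# Taken from the named.conf above: who may recurse, and our authoritative zones.
INTERNALS = [ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("192.168.1.0/24")]
AUTH_ZONES = ("example.co.jp", "1.168.192.in-addr.arpa")

# Constructed sample lines in the shape BIND 9.11 writes to named.run while
# querylog is on: client pointer, source ip#port, (qname), qtype and flags
# ('+' = recursion desired, '-' = not). The last line is a non-query line.
SAMPLE_LOG = """\
29-Nov-2020 17:10:01.001 client @0x7f3c3c0a8b90 192.168.1.20#51234 (www.example.co.jp): query: www.example.co.jp IN A +E(0)K (192.168.1.10)
29-Nov-2020 17:10:01.204 client @0x7f3c3c0a8b90 192.168.1.20#51235 (www.example.com): query: www.example.com IN A +E(0)K (192.168.1.10)
29-Nov-2020 17:10:02.310 client @0x7f3c3c0b1c40 203.0.113.7#4444 (example.co.jp): query: example.co.jp IN ANY +E(0) (192.168.1.10)
29-Nov-2020 17:10:02.311 client @0x7f3c3c0b1c40 203.0.113.7#4444 (example.co.jp): query: example.co.jp IN ANY +E(0) (192.168.1.10)
29-Nov-2020 17:10:02.312 client @0x7f3c3c0b1c40 203.0.113.7#4444 (isc.org): query: isc.org IN ANY +E(0) (192.168.1.10)
29-Nov-2020 17:10:03.000 client @0x7f3c3c0c2d50 198.51.100.9#53001 (ns1.example.co.jp): query: ns1.example.co.jp IN A -E(0) (192.168.1.10)
29-Nov-2020 17:10:03.500 zone example.co.jp/IN: sending notifies (serial 2020112901)
"""

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse_query(line):
    """Fields of one querylog line, or None for lines that are not queries."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    q = m.groupdict()
    q["rd"] = q["flags"].startswith("+")   # recursion desired
    return q

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNALS)

def in_auth_zone(qname):
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in AUTH_ZONES)

def analyze(log_text):
    """Per-client volume, ANY queries, and recursion attempts from outside the
    internals ACL for names we are not authoritative for."""
    per_client = Counter()
    any_queries = []
    external_recursion = []
    for line in log_text.splitlines():
        q = parse_query(line)
        if q is None:
            continue
        per_client[q["ip"]] += 1
        if q["qtype"] == "ANY":
            any_queries.append(q)
        if q["rd"] and not is_internal(q["ip"]) and not in_auth_zone(q["qname"]):
            external_recursion.append(q)
    return {"per_client": per_client,
            "any_queries": any_queries,
            "external_recursion": external_recursion}

if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print("top clients:", r["per_client"].most_common(3))
    print("ANY queries:", len(r["any_queries"]))
    for q in r["external_recursion"]:
        print("recursion attempt from", q["ip"], "for", q["qname"])
```

Run it as `analyze(open("/var/named/data/named.run").read())`. ANY queries for the authoritative zone are answered to anyone because of the per-zone `allow-query { any; }`; if they start showing up from spoofed sources, BIND 9.11's `minimal-any yes;` option shrinks those answers and removes most of the amplification value.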

Update rootcache (named.ca)

  1. Back up the current named.ca
  2. Fetch the root hints from a root server
  3. Load the new root hints

[user01@cent8 ~]$ sudo cp /var/named/named.ca /var/named/named.ca.`date +%Y%m%d`
[user01@cent8 ~]$ sudo sh -c "dig +noall +answer +add +bufsize=4096 @a.root-servers.net . ns > /var/named/named.ca"
[user01@cent8 ~]$ sudo rndc reload

The redirect overwrites named.ca even when the dig fails (for example if outbound port 53 is blocked), so check that the new file is not empty and compare it with the backup before running rndc reload. named.ca is installed by the bind package and the root server list changes rarely, so this is an occasional task rather than a routine one.
