Build DNS server with CentOS8 and bind
Introduction
This is yuji323, which is the first article posted in a long time. This time, it's a little different from Java programming, and it's an article closer to NW. As the title suggests, I tried to build a DNS server in a virtual environment with CentOS and BIND. I hope it will help those in need ~
If you have any mistakes, please let me know in the comments.
environment
Hypervisor: VMWare WorkStation Player for Windows 15.0 Host OS: Windows 10 version 1909 Guest OS1 (DNS server / DHCP01): CentOS Linux release 8.2.2004 (Core) Guest OS2 (for verification / TEST01): CentOS Linux release 8.2.2004 (Core) Guest OS3 (for verification / TEST02): CentOS Linux release 8.2.2004 (Core)
Finally, let's create a virtual environment as shown in the network diagram below. There are things that have nothing to do with this content, but that is in the direction of ignoring ...
background
While I was waiting at the company, I was asked to create study materials, saying, "I want to study network-related matters for the education of new employees in the future."
I was a developer and this company was once!
I quit the previous company because I wanted to develop it instead of NW! !! </ b>
Aside from the bitterness of mid-career hires
It seems that he is buying experience as NW Engineering of his previous job ... Server construction, not development content ... and DNS ...
Around this time, I wanted to study development with a lot of effort, but I tried to study with a light feeling, "Well, if you aim to be a full-stack engineer, there is no loss at last."
Build
As a premise
IP addresses and host names are set for each of the three units, and they are joined to the domain "testdomain.local" on the virtual NAT network. Information on each guest OS looks like this ↓. It seems that it will be needed later when writing DNS zone information, so set it in advance.
| Guest OS | hostname | IP address | DNS |
|---|---|---|---|
| TEST01 | test01.testdomain.local | 192.168.146.10 | 192.168.146.140 |
| DNS01 | dns01.testdomain.local | 192.168.146.140 | 192.168.146.2 |
BIND installation
If you install BIND (Berkeley InternetName Domain) (cool) (it's nice to write the abbreviation in English), the installed server seems to function as a DNS server. The image that bind is in charge of various processes when acquiring the combination of IP and host name in the DNS server.
dns01.
[root@dns01 ~]# yum install bind
[root@dns01 ~]# yum install bind-utils
Since "bind" is the main body of bind and "bind-utils" contains dig commands, you can install only bind if you do not use the dig command at the time of verification.
Config edit
Edit the installed bind config file. I wrote a comment for quiita posting, so it may not work even if I copy and paste it. .. .. It is better to delete the comment when using it ◎
- It is recommended to copy the original file so that it can be restored at any time.
dns01.
[root@dns01 ~]# cp /etc/named.conf /etc/named.conf.ORG
[root@dns01 ~]# vi /etc named.conf
/etc/named.conf
options {
listen-on port 53 { 127.0.0.1; 192.168.146.140;}; //Listen port
//listen-on-v6 port 53 { ::1; }; //ipv6 seems to be late for inquiries, so comment out
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
recursion yes; //Recursive query permission
allow-query {any; }; //Addresses that allow name resolution → Allow all
forwarders { //In case of a query that does not have information in the zone file, we will throw a solution to another DNS ~
192.168.146.2;}; //The destination to throw. It seems that ISP or google DNS is fine. The nearest router is also acceptable. This time it.
};
logging { //Log acquisition settings
// channel default_debug { //The person who is set by default does not have enough information, so comment out
// file "data/named.run";
// severity dynamic;
// };
channel "default-log" { //Describe new acquisition settings
file "/var/named/log/default.log" versions 5 size 10M;
severity debug;
print-time yes;
print-severity yes;
print-category yes;
};
category default{"default-log";}; //default-I'll use log ~
};
// zone "." IN { //★ Comments out because unresolved addresses do not have zone information. I was really into it(Great defeat)
// type hint;
// file "named.ca";
// };
// include "/etc/named.rfc1912.zones";
// include "/etc/named.root.key";
zone "testdomain.local" { //Specify the location of the zone file of the set domain
type master; //I will write in detail after this.
file "testdomain.local.zone";
};
Create directory for log output / syntax check
Create the log output directory specified in ↑ in advance. Create the directory specified in "/etc/named.conf" and "file" / set permissions!
dns01.
[root@dns01 ~]# mkdir /var/named/log
[root@dns01 ~]# chown named.named /var/named/log
Check the syntax when you're done! !! !! !! Next as soon as the error disappears. (The line will tell you the error in detail.)
dns01.
[root@dns01 ~]# named-checkconf
Zone file creation
Create a DNS
dns01.(Create New)
[root@dns01 ~]# vi /var/named/testdomain.local.zone
/var/named/testdomain.local.zone
$TTL 86400 //↓ Administrator email address.
@ IN SOA dns01.testdomain.local. root.testdomain.local. (
2020050502 ;Serial //Serial number. Update when the file is updated! !! date+It seems that Unit 0 is often used
3600 ;Refresh //Feeling of zone transfer
300 ;Retry //Feeling of retry when transfer fails
360000 ;Expire //Zone file retention time
86400 ) ;Negative //Time cached on other servers
//↓ ↓ Host name ↓ ↓ ↓ ↓ Record type ↓ ↓ ↓ ↓ IP address ↓ ↓
IN NS dns01.testdomain.local
dns01.testdomain.local IN A 192.168.146.140
dns01 IN A 192.168.146.140
db01 IN A 192.168.146.130
dhcp01 IN A 192.168.146.150
pr01 IN A 192.168.146.160
test01 IN A 192.168.146.10
And syntax check !!!!!
dns01.
[root@dns01 ~]# named-checkconf -z
This check will output a log regardless of success / failure, so be sure to check the contents carefully! If there is an error, you can check the details with [systemctl status named].
Firewall settings
If you have cut it from the beginning, you can ignore it. This time it's a verification environment, so it's okay to turn it off, but ... I'll use the drilling method for studying as well.
dns01.
[root@dns01 ~]# firewall-cmd --add-service=dns
[root@dns01 ~]# firewall-cmd --reload
IPv6 disabled
dns01.
[root@dns01 ~]# vi /etc/sysconfig/named
Add "OPTIONS ="-4 ""!
Service start
dns01.
[root@dns01 ~]# status named.service
[root@dns01 ~]# status named-chroot.service
If there are no particular errors, this is the end of the construction! Thank you for your hard work. .. .. .. Let's continue to verify whether name resolution is possible ~
Verification
This time, only the forward zone file is created, so let's verify whether the IP can be pulled from the domain name.
I will try the name resolution of the external domain to see if the name of dns01 can be resolved by the domain name from test01.
I closed safely! </ b>
Summary
Devices in the 192.168.146.0/24 network can now communicate by domain name! !! It's safe because you only have to add records to the zone file when you set up a new server in the future ◎ Then!
Recommended Posts