Build DNS server with CentOS8 and bind

Introduction

This is yuji323, posting my first article in a long time. This one is a bit different from Java programming and is closer to networking: as the title says, I built a DNS server with CentOS and BIND in a virtual environment. I hope it helps someone who needs it.

If you spot any mistakes, please let me know in the comments.

Environment

Hypervisor: VMware Workstation Player for Windows 15.0
Host OS: Windows 10 version 1909
Guest OS1 (DNS server / DHCP01): CentOS Linux release 8.2.2004 (Core)
Guest OS2 (for verification / TEST01): CentOS Linux release 8.2.2004 (Core)
Guest OS3 (for verification / TEST02): CentOS Linux release 8.2.2004 (Core)

In the end, the virtual environment looks like the network diagram below. The diagram also contains some things that have nothing to do with this article; just ignore those.

(Network diagram image omitted)

Background

While I was between assignments at work, I was asked to create study materials: "We want new employees to be able to study networking topics in the future."


I'm a developer, and that's what this company hired me for!

I left my previous company because I wanted to do development, not networking!!


Setting aside the bitterness of being a mid-career hire,

it seems they are counting on the experience I gained as a network engineer at my previous job... server construction rather than development... and DNS, of all things...

At the time I wanted to put my effort into studying development, but I took it on lightly, thinking, "Well, if I'm aiming to be a full-stack engineer, there's no harm in it."

Build

Prerequisites

IP addresses and host names are set on each of the three machines, and they are joined to the domain "testdomain.local" on the virtual NAT network. The information for each guest OS is shown below. It is needed later when writing the DNS zone information, so set it up in advance.

Guest OS   Hostname                  IP address       DNS
TEST01     test01.testdomain.local   192.168.146.10   192.168.146.140
DNS01      dns01.testdomain.local    192.168.146.140  192.168.146.2

BIND installation

Installing BIND (Berkeley Internet Name Domain; it sounds cool, and spelling out the abbreviation in English is nice) makes the server function as a DNS server. Think of bind as the process that does the work of looking up the mapping between IP addresses and host names on the DNS server.

dns01.


[root@dns01 ~]# yum install bind
[root@dns01 ~]# yum install bind-utils

"bind" is the BIND daemon itself and "bind-utils" contains the dig command, so if you will not use dig during verification you only need to install bind.

Config edit

Edit the installed bind config file. I added comments for the Qiita post, so copying and pasting it as-is may not work; delete the comments when using it.

  • It is recommended to copy the original file first so that it can be restored at any time.

dns01.


[root@dns01 ~]# cp /etc/named.conf /etc/named.conf.ORG
[root@dns01 ~]# vi /etc/named.conf

/etc/named.conf


options {
        listen-on port 53 { 127.0.0.1; 192.168.146.140;}; // Listening addresses and port
        //listen-on-v6 port 53 { ::1; };                  // IPv6 lookups seemed slow, so commented out
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";

        recursion       yes;        // Allow recursive queries
        allow-query     {any; };    // Addresses allowed to query: allow all.
                                    // Combined with recursion yes, any host that can reach the
                                    // listener can use this server as a recursive resolver;
                                    // outside a closed lab, restrict that with allow-recursion.

        forwarders {                // Queries for names not in our zone files are handed to another DNS server
                192.168.146.2;};    // Where to forward. The ISP's DNS or Google DNS is fine, and so is the nearest router. This time, the nearest router.
};

logging {                           // Logging settings
//      channel default_debug {     // The default channel does not record enough, so commented out
//              file "data/named.run";
//              severity dynamic;
//      };
        channel "default-log" {     // New logging channel
                file "/var/named/log/default.log" versions 5 size 10M;
                severity debug;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        category default { "default-log"; };  // Send the default category to default-log
};

// zone "." IN {                    // ★ Commented out: names this server cannot resolve itself have no zone information here. I got badly stuck on this (a big defeat).
//      type hint;
//      file "named.ca";
// };

// include "/etc/named.rfc1912.zones";
// include "/etc/named.root.key";

zone "testdomain.local" {           // Where the zone file for the configured domain lives
        type master;                // This server is the master for the zone; the zone file itself is described below
        file "testdomain.local.zone";
};
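As an added example that is not part of the original post, the script below audits an /etc/named.conf for the combination the options block above produces: recursion yes together with allow-query { any; } and no allow-recursion. The two config files it checks are constructed inline (one mirroring the post's settings, one with recursion limited to loopback and the 192.168.146.0/24 lab subnet); the function names and the temporary directory are the example's own.

```shell
#!/bin/bash
# Added example (not from the original post): audit a named.conf for the
# open-resolver combination
#   recursion yes  +  allow-query { any; }  with no allow-recursion restriction.
# Every host that can reach the listener can then use the server for recursive
# lookups. On a NAT-isolated lab network that is harmless; on a reachable
# network it is the exposure that lets outsiders use the server as a reflector.
# All inputs below are constructed for the example.

# Drop // and # line comments so a commented-out directive is not treated as live.
# (Block comments /* */ are not handled; the post's config does not use them.)
strip_comments() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1"
}

# Print the value of a directive, e.g. "yes" for "recursion yes;" or "{any;}" for
# "allow-query { any; };" (whitespace removed). Prints nothing if it is absent.
option_value() {   # $1 = config file, $2 = directive name
    strip_comments "$1" \
        | grep -E "^[[:space:]]*$2[[:space:]]" \
        | head -n 1 \
        | sed -E "s/^[[:space:]]*$2[[:space:]]+//; s/;[[:space:]]*$//" \
        | tr -d '[:space:]'
}

# Verdict on recursion exposure. Returns 0 when restricted, 1 when open.
audit_recursion() {   # $1 = config file
    local recursion query allow_rec
    recursion=$(option_value "$1" recursion)
    query=$(option_value "$1" allow-query)
    allow_rec=$(option_value "$1" allow-recursion)
    if [ "$recursion" = "yes" ] && [ "$query" = "{any;}" ] \
        && { [ -z "$allow_rec" ] || [ "$allow_rec" = "{any;}" ]; }; then
        echo "OPEN: recursion yes, allow-query any, allow-recursion ${allow_rec:-unset}"
        return 1
    fi
    echo "OK: recursion=${recursion:-no} allow-query=${query:-default} allow-recursion=${allow_rec:-default}"
    return 0
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: the options block as posted (open recursion).
cat > "$WORK/named.as-posted.conf" <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; 192.168.146.140;}; // Listen port
        recursion       yes;         // Recursive query permission
        allow-query     {any; };     // Allow all
        forwarders { 192.168.146.2; };
};
EOF

# Constructed hardened variant: recursion only for loopback and the lab subnet.
cat > "$WORK/named.hardened.conf" <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; 192.168.146.140; };
        recursion       yes;
        allow-query     { any; };
        allow-recursion { 127.0.0.1; 192.168.146.0/24; };
        forwarders { 192.168.146.2; };
};
EOF

audit_recursion "$WORK/named.as-posted.conf" || true   # prints OPEN: ...
audit_recursion "$WORK/named.hardened.conf"            # prints OK: ...
```

On the real server, pass /etc/named.conf to audit_recursion. The check only strips line comments, so a directive commented out with /* */ would still be counted as live; named-checkconf remains the authority on what BIND actually loads.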

Create directory for log output / syntax check

Create the log output directory specified above in advance: make the directory given by "file" in /etc/named.conf and set its permissions.

dns01.


[root@dns01 ~]# mkdir /var/named/log
[root@dns01 ~]# chown named:named /var/named/log

When you are done, check the syntax! Move on as soon as no errors appear. (The output reports the offending line and the error in detail.)

dns01.


[root@dns01 ~]# named-checkconf

Zone file creation

Create the DNS zone file. Its main content is the table mapping domain names to IP addresses; in addition, it describes a little about how the server behaves when a DNS request arrives. As follows.

dns01. (create new)


[root@dns01 ~]# vi /var/named/testdomain.local.zone

/var/named/testdomain.local.zone


$TTL 86400                                       ; The second SOA field below is the administrator e-mail address
@       IN      SOA     dns01.testdomain.local.   root.testdomain.local. (
          2020050502   ; Serial   Serial number. Update it whenever the file is updated! The date followed by a two-digit counter is commonly used
          3600         ; Refresh  Zone transfer (refresh) interval
          300          ; Retry    Retry interval when a transfer fails
          360000       ; Expire   How long the zone data is retained
          86400   )    ; Negative Time cached on other servers

; host name               record type     IP address
                        IN      NS      dns01.testdomain.local.
dns01.testdomain.local. IN      A       192.168.146.140
dns01                   IN      A       192.168.146.140
db01                    IN      A       192.168.146.130
dhcp01                  IN      A       192.168.146.150
pr01                    IN      A       192.168.146.160
test01                  IN      A       192.168.146.10

Then syntax check!

dns01.


[root@dns01 ~]# named-checkconf -z

This check produces log output whether it succeeds or fails, so be sure to read it carefully. If there is an error, you can see the details with [systemctl status named].
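As an added example (not code from the post), the shell script below implements a small lint for the zone file layout above and a helper for the serial-update rule from the SOA comments. The zone contents it checks are constructed inline: one copy in the as-posted form with C-style comments and names missing their trailing dot, and one corrected copy. The function names (zone_lint, bump_serial) and the temporary directory are the example's own assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): a small lint for the zone file
# layout above plus a serial-bump helper. It flags two mistakes that are easy
# to make and that BIND does not always report clearly:
#   * C-style // comments (only ; starts a comment in a zone file)
#   * dotted names without a trailing dot, which BIND treats as relative and
#     silently expands to e.g. dns01.testdomain.local.testdomain.local
# and checks that the serial uses the YYYYMMDDnn layout the post uses.
# All zone contents below are constructed for the example.

zone_lint() {   # $1 = zone file; prints one finding per line, returns 1 if any
    awk '
    {
        line = $0
        sub(/;.*$/, "", line)          # text after ; is a legitimate comment
        if (index(line, "//") > 0) {
            printf "line %d: C-style // comment is not valid in a zone file, use ;\n", NR
            bad++
        }
        $0 = line                      # re-split the uncommented part into fields
        if (NF == 0) next
        # Owner name (first column, no leading whitespace): dotted but not absolute
        if (line !~ /^[ \t]/ && $1 != "@" && $1 !~ /^\$/ && index($1, ".") > 0 && $1 !~ /\.$/) {
            printf "line %d: owner %s has no trailing dot, origin will be appended\n", NR, $1
            bad++
        }
        # NS/CNAME/PTR targets: dotted but not absolute
        for (i = 1; i < NF; i++)
            if (($i == "NS" || $i == "CNAME" || $i == "PTR") && index($(i+1), ".") > 0 && $(i+1) !~ /\.$/) {
                printf "line %d: %s target %s has no trailing dot\n", NR, $i, $(i+1)
                bad++
            }
        # First numeric token after the SOA line is the serial in this layout
        if (soa_seen && !serial_seen && $1 ~ /^[0-9]+$/) {
            serial_seen = 1
            if (length($1) != 10) { printf "line %d: serial %s is not YYYYMMDDnn\n", NR, $1; bad++ }
        }
        if ($0 ~ /[ \t]SOA[ \t]/) soa_seen = 1
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Rewrite the serial: same day -> increment the counter, new day -> YYYYMMDD01.
# Writes to stdout; redirect to a new file and swap it in after re-running the lint.
bump_serial() {   # $1 = zone file, $2 = date as YYYYMMDD (default: today)
    local today="${2:-$(date +%Y%m%d)}"
    awk -v today="$today" '
        soa_seen && !done && $1 ~ /^[0-9]+$/ {
            new = (substr($1, 1, 8) == today) ? sprintf("%d", $1 + 1) : (today "01")
            sub(/[0-9]+/, new)         # replace the first digit run on the line
            done = 1
        }
        /[ \t]SOA[ \t]/ { soa_seen = 1 }
        { print }
    ' "$1"
}

ZONE_DIR=$(mktemp -d)
trap 'rm -rf "$ZONE_DIR"' EXIT

# Constructed: the zone file in its as-posted form (// comments, relative names).
cat > "$ZONE_DIR/as-posted.zone" <<'EOF'
$TTL 86400                 // Administrator e-mail address is given below
@   IN  SOA  dns01.testdomain.local.  root.testdomain.local. (
        2020050502  ; Serial
        3600        ; Refresh
        300         ; Retry
        360000      ; Expire
        86400 )     ; Negative
// host name / record type / IP address
            IN  NS  dns01.testdomain.local
dns01.testdomain.local  IN  A  192.168.146.140
dns01   IN  A  192.168.146.140
test01  IN  A  192.168.146.10
EOF

# Constructed: the corrected form (; comments, absolute NS target, short owner names).
cat > "$ZONE_DIR/corrected.zone" <<'EOF'
$TTL 86400                 ; Administrator e-mail address is the second SOA field
@   IN  SOA  dns01.testdomain.local.  root.testdomain.local. (
        2020050502  ; Serial
        3600        ; Refresh
        300         ; Retry
        360000      ; Expire
        86400 )     ; Negative
; host name / record type / IP address
            IN  NS  dns01.testdomain.local.
dns01   IN  A  192.168.146.140
test01  IN  A  192.168.146.10
EOF

zone_lint "$ZONE_DIR/as-posted.zone" || echo "-> as-posted zone has findings"
zone_lint "$ZONE_DIR/corrected.zone" && echo "-> corrected zone is clean"
bump_serial "$ZONE_DIR/corrected.zone" 20200601 | sed -n '3p'   # serial becomes 2020060101
```

The lint is a pre-check, not a replacement for named-checkconf -z or named-checkzone: those validate the syntax BIND accepts, while this script catches the relative-name mistake that is syntactically valid and therefore passes them.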

Firewall settings

If you disabled the firewall from the start, you can skip this. Since this is a test environment it would be fine to turn it off, but for study purposes I will open only the DNS port instead.

dns01.


[root@dns01 ~]# firewall-cmd --permanent --add-service=dns
[root@dns01 ~]# firewall-cmd --reload

Disabling IPv6

dns01.


[root@dns01 ~]# vi /etc/sysconfig/named

Add the line OPTIONS="-4".

Service start

dns01.


[root@dns01 ~]# systemctl start named.service
[root@dns01 ~]# systemctl status named.service

If there are no errors, the build is complete! Good work. Let's continue by verifying that name resolution works.

Verification

This time only a forward zone file was created, so let's verify that an IP address can be resolved from a domain name. From test01 I check that dns01 can be resolved by its domain name, and also try resolving an external domain name. (Screenshots omitted.)

Both resolved without problems!

Summary

Devices on the 192.168.146.0/24 network can now communicate by domain name! From now on, setting up a new server only requires adding a record to the zone file, which is reassuring. That's all!
