Set up BIND DNS Server on CentOS 6

Part 2 of setting up a Linux home lab environment with VirtualBox. Check this blog post for more info.

BIND is open source software that implements the Domain Name System (DNS) protocols for the Internet. The name BIND stands for “Berkeley Internet Name Domain”.

Software

Software used in this article:

  1. CentOS 6.7
  2. BIND 9.8.2

Before We Begin

We are going to set up a general purpose DNS server, which:

  1. Acts as master for two internal zones, and
  2. Acts as a caching (recursive) server for all other requests.

BIND server’s info:

  1. Hostname: spacewalk,
  2. IP: 10.8.8.2,
  3. LAN: 10.8.8.0/24.

Two internal DNS zones will be set up:

  1. hl.local – a forward zone, translates domain names into IP addresses,
  2. 8.8.10.in-addr.arpa – a reverse zone, translates IP addresses in 10.8.8.0/24 back into domain names.

The hl.local domain stands for “home lab” in our case.
DNS server will be secured by:

  1. Running BIND as the unprivileged named user rather than root (the CentOS package does this by default),
  2. Limiting queries and recursion to LAN only,
  3. Limiting zone transfers to LAN only,
  4. Hiding the BIND version number and hostname from being disclosed,
  5. Configuring iptables to allow access to TCP/UDP port 53 from LAN only.

Installation

Install BIND packages:

# yum install -y bind bind-utils

Start BIND on boot:

# chkconfig named on

Update the /etc/resolv.conf file:

search hl.local
nameserver 127.0.0.1
nameserver 10.8.8.2

We have PEERDNS=no in the interface configuration (e.g. /etc/sysconfig/network-scripts/ifcfg-eth0), so the DHCP client will not overwrite /etc/resolv.conf with whatever the DHCP server hands out.

Configuration

Create a log directory:

# mkdir /var/log/named
# chown named:named /var/log/named

/etc/named.conf

Some comments are provided; check the BIND 9.8 Administrator Reference Manual for the full list of options. Two points worth knowing before copying this file: listen-on is left as any because allow-query and allow-recursion already restrict who gets answers (it can be tightened to { 127.0.0.1; 10.8.8.2; } if the host has other interfaces), and dnssec-lookaside auto refers to ISC's DLV registry, which ISC decommissioned in 2017, so that line should be dropped on any current system.

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

# Limiting access to local networks only
acl "clients" {
        127.0.0.0/8;
        10.8.8.0/24;
};

options {
	listen-on port 53 { any; };
	listen-on-v6 { none; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

	# Maximum number of simultaneous client TCP connections to accept
	tcp-clients 50;

	# Disable built-in server information zones
	version none;
	hostname none;
	server-id none;

	# Attempt to do all the work required to answer the query
	recursion yes;
	recursive-clients 100;
        allow-recursion { clients; };
        allow-query { clients; };
	# Only LAN users are allowed to receive zone transfers from the server
        allow-transfer { clients; };

	auth-nxdomain no;
        notify no;
	dnssec-enable yes;
	dnssec-validation auto;
	dnssec-lookaside auto;

	# Path to ISC DLV key
	bindkeys-file "/etc/named.iscdlv.key";
	managed-keys-directory "/var/named/dynamic";
};

# Specifications of what to log, and where the log messages are sent
logging {
        channel "common_log" {
                file "/var/log/named/named.log" versions 10 size 5m;
		severity error;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        category default { "common_log"; };
        category general { "common_log"; };
        category queries { "common_log"; };
	category client { "common_log"; };
	category security { "common_log"; };
	category query-errors { "common_log"; };
	category lame-servers { null; };
};

# Internal zone definitions
zone "hl.local" {
        type master;
        file "/etc/named/db.hl.local";
        allow-update { none; };
};

zone "8.8.10.in-addr.arpa" {
        type master;
        file "/etc/named/db.8.8.10";
        allow-update { none; };
};

/etc/named/db.hl.local

$TTL    86400

; Serial is YYYYMMDDnn and must be increased on every edit: the master
; logs a warning if it is not, and slaves will not pick up the change.
; The SOA MNAME and NS records point at this server's own name rather
; than "localhost.", so a resolver that walks the delegation is given
; an address it can actually reach.
@               IN      SOA     dns.hl.local. root.hl.local. (
                                    2015101000    ; Serial
                                    86400         ; Refresh
                                    3600          ; Retry
                                    604800        ; Expire
                                    7200 )        ; Negative Cache TTL

@               IN      NS      dns.hl.local.

@               IN      A       10.8.8.2
dhcp            IN      A       10.8.8.2
dns             IN      A       10.8.8.2
ntp             IN      A       10.8.8.2
puppet          IN      A       10.8.8.2
smtp            IN      A       10.8.8.2
spacewalk       IN      A       10.8.8.2

/etc/named/db.8.8.10

$TTL    86400

@               IN      SOA     dns.hl.local. root.hl.local. (
                                    2015101000    ; Serial
                                    86400         ; Refresh
                                    3600          ; Retry
                                    604800        ; Expire
                                    7200 )        ; Negative Cache TTL

@               IN      NS      dns.hl.local.

; Owner names are relative to 8.8.10.in-addr.arpa, so "2" is 10.8.8.2.
; Several PTR records on one address are legal, but a reverse lookup then
; returns all of them; most tools expect exactly one, so keep only the
; canonical host name here if that matters in your environment.
2		IN	PTR	dhcp.hl.local.	    ;10.8.8.2
2		IN	PTR	dns.hl.local.	    ;10.8.8.2
2		IN	PTR	ntp.hl.local.	    ;10.8.8.2
2		IN	PTR	puppet.hl.local.    ;10.8.8.2
2		IN	PTR	smtp.hl.local.	    ;10.8.8.2
2		IN	PTR	spacewalk.hl.local. ;10.8.8.2
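Forward and reverse zones maintained by hand drift apart: a host gets an A record but no PTR, or a PTR outlives the machine. The script below is an added example, not part of the original post or of BIND. It parses the A records of a forward zone and the PTR records of the matching in-addr.arpa zone, reports records that exist on only one side, and prints the missing PTRs as zone-file lines ready to paste. The two zone texts are constructed copies of the files above, trimmed and with one deliberate mismatch on each side; the parser assumes the one-record-per-line layout used here and does not handle $ORIGIN, $GENERATE or multi-line records other than the SOA.

```python
"""Forward/reverse zone consistency check (added example, not from the post).

Parses A records from a forward zone and PTR records from its in-addr.arpa
zone, then reports records present on only one side. Assumes the simple
one-record-per-line layout used in the post: no $ORIGIN, $GENERATE or
multi-line records other than the SOA.
"""
import re

# Constructed sample data: trimmed copies of the post's zones, with one
# deliberate mismatch on each side (spacewalk has no PTR; 10.8.8.3 has no A).
FORWARD_ZONE = """\
$TTL    86400
@           IN  SOA dns.hl.local. root.hl.local. ( 2015101000 86400 3600 604800 7200 )
@           IN  NS  dns.hl.local.
@           IN  A   10.8.8.2
dhcp        IN  A   10.8.8.2
dns         IN  A   10.8.8.2
spacewalk   IN  A   10.8.8.2
"""

REVERSE_ZONE = """\
$TTL    86400
@   IN  SOA dns.hl.local. root.hl.local. ( 2015101000 86400 3600 604800 7200 )
@   IN  NS  dns.hl.local.
2   IN  PTR dhcp.hl.local.      ;10.8.8.2
2   IN  PTR dns.hl.local.       ;10.8.8.2
2   IN  PTR hl.local.           ;10.8.8.2
3   IN  PTR stale.hl.local.     ;10.8.8.3 (no A record, constructed)
"""

FWD_ORIGIN = "hl.local."
REV_ORIGIN = "8.8.10.in-addr.arpa."

# owner [ttl] IN (A|PTR) rdata   (class is always IN in these files)
RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|PTR)\s+(\S+)", re.M)


def fqdn(owner, origin):
    """Expand a zone-file owner name relative to the zone origin."""
    if owner == "@":
        return origin
    return owner if owner.endswith(".") else f"{owner}.{origin}"


def parse_zone(text, origin):
    """Return a set of (owner FQDN, type, rdata) for the A and PTR records."""
    return {(fqdn(o, origin), t, r) for o, t, r in RR.findall(text)}


def reverse_owner(ip):
    """10.8.8.2 -> 2.8.8.10.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def expected_ptrs(forward, origin):
    """PTR records the forward zone's A records imply (one per A record)."""
    return {(reverse_owner(r), "PTR", o)
            for o, t, r in parse_zone(forward, origin) if t == "A"}


def compare(forward, fwd_origin, reverse, rev_origin):
    """Return (PTRs missing from the reverse zone, PTRs with no matching A)."""
    want = expected_ptrs(forward, fwd_origin)
    have = {rec for rec in parse_zone(reverse, rev_origin) if rec[1] == "PTR"}
    return sorted(want - have), sorted(have - want)


def ptr_lines(records, rev_origin):
    """Render PTR tuples as lines for the reverse zone file (owner relative)."""
    out = []
    for owner, _, target in records:
        suffix = "." + rev_origin
        rel = owner[:-len(suffix)] if owner.endswith(suffix) else owner
        out.append(f"{rel:<8}IN\tPTR\t{target}")
    return out


if __name__ == "__main__":
    missing, extra = compare(FORWARD_ZONE, FWD_ORIGIN, REVERSE_ZONE, REV_ORIGIN)
    print("PTR records to add to", REV_ORIGIN)
    print("\n".join(ptr_lines(missing, REV_ORIGIN)))
    print("PTR records with no A record:", extra)
```

To run it against the real files, replace the two constructed strings with the contents of /etc/named/db.hl.local and /etc/named/db.8.8.10; a PTR flagged as having no A record is usually a decommissioned host that should be removed.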

Verify BIND Configuration

# named-checkconf /etc/named.conf

Restart the service if no errors were raised:

# /etc/init.d/named restart
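named-checkconf only parses named.conf; run named-checkzone hl.local /etc/named/db.hl.local (and the same for 8.8.10.in-addr.arpa) to catch zone-file mistakes before the restart. To confirm that the hardening actually took effect, query the server the way an outsider would. The script below is an added example, not from the original post; it speaks raw DNS over UDP and TCP with only the Python standard library, so it also works on a client that has no dig. It checks a forward and a reverse lookup, that version.bind is hidden, and whether the server hands out the hl.local zone on an AXFR request. The server address and names are the post's. Run it once from the LAN, where the A/PTR answers and the AXFR should succeed, and once from a host outside 10.8.8.0/24, where every query should come back REFUSED or be blocked by iptables.

```python
"""Raw-DNS checks for the hardened BIND server (added example, not from the post).

Builds DNS messages by hand with the standard library, so it runs where dig
is absent. SERVER and the names below are assumptions taken from the post.
"""
import socket
import struct

SERVER = "10.8.8.2"          # the BIND host from the post (assumption)
QTYPE = {"A": 1, "NS": 2, "PTR": 12, "TXT": 16, "AXFR": 252}
QCLASS = {"IN": 1, "CH": 3}
RCODE = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """'dns.hl.local.' -> b'\\x03dns\\x02hl\\x05local\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, qclass="IN", qid=0x1234):
    """One-question query with RD set, so recursion policy is exercised too."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], QCLASS[qclass])


def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, next offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    """Return (rcode name, [(owner, type, rdata as text), ...]) from a reply."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODE.get(flags & 0x000F, str(flags & 0x000F))
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:                            # A: four raw octets
            text = ".".join(str(b) for b in rdata)
        elif rtype in (2, 12):                    # NS/PTR: a (compressible) name
            text, _ = decode_name(msg, off)
        elif rtype == 16:                         # TXT: first length-prefixed string
            text = rdata[1:1 + rdata[0]].decode("ascii") if rdata else ""
        else:
            text = rdata.hex()
        answers.append((owner, rtype, text))
        off += rdlen
    return rcode, answers


def udp_query(name, qtype, qclass="IN", server=SERVER, timeout=3):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, qclass), (server, 53))
        return parse_response(s.recv(4096))


def tcp_axfr(zone, server=SERVER, timeout=3):
    """Ask for a zone transfer; outside the ACL a hardened server answers REFUSED.
    Only the first length-prefixed message is read, which is enough for the rcode."""
    q = build_query(zone, "AXFR")
    with socket.create_connection((server, 53), timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        length = struct.unpack("!H", s.recv(2))[0]
        data = b""
        while len(data) < length:
            data += s.recv(length - len(data))
    return parse_response(data)


def version_hidden(rcode, answers):
    """With 'version none;' version.bind yields REFUSED or no TXT record."""
    return rcode == "REFUSED" or not any(t == 16 for _, t, _ in answers)


def run_checks(server=SERVER):
    """Run all checks; a socket error (timeout, ICMP reject) counts as blocked."""
    checks = {
        "A dns.hl.local": lambda: udp_query("dns.hl.local.", "A", server=server),
        "PTR 10.8.8.2": lambda: udp_query("2.8.8.10.in-addr.arpa.", "PTR", server=server),
        "version hidden": lambda: version_hidden(*udp_query("version.bind.", "TXT", "CH", server=server)),
        "AXFR hl.local": lambda: tcp_axfr("hl.local.", server=server)[0],
    }
    results = {}
    for name, check in checks.items():
        try:
            results[name] = check()
        except OSError as exc:
            results[name] = f"blocked ({exc})"
    return results


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name:<16} {result}")
```

From the LAN, "version hidden" should print True and "AXFR hl.local" NOERROR (the zone transfer is allowed for the clients ACL); from anywhere else, both lookups and the AXFR should be REFUSED or blocked, which is the behaviour allow-query, allow-transfer and the iptables rule are meant to enforce.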

Configure Iptables on the BIND Server to Allow LAN Access

Iptables will be configured via Puppet. The lines below are used for the time being only. They are inserted at the top of the INPUT chain rather than appended, because the stock CentOS 6 ruleset ends with a REJECT rule and anything appended after it is never reached; they also do not survive a reboot unless written to /etc/sysconfig/iptables:

# iptables -I INPUT -s 10.8.8.0/24 -p tcp -m state --state NEW --dport 53 -j ACCEPT
# iptables -I INPUT -s 10.8.8.0/24 -p udp -m state --state NEW --dport 53 -j ACCEPT

Troubleshooting

Check logs:

# tail /var/log/messages
# tail /var/log/named/named.log

Keep in mind that the common_log channel in named.conf is set to severity error, so only errors reach named.log even though the queries and client categories are routed to it. Those messages are logged at info level; to see them, raise the channel severity to info and switch query logging on with rndc querylog (it is off by default, and is noisy on a busy server).
