{"id":561,"date":"2018-09-02T21:52:44","date_gmt":"2018-09-02T18:52:44","guid":{"rendered":"http:\/\/kifarunix.com\/?p=561"},"modified":"2024-03-11T19:49:03","modified_gmt":"2024-03-11T16:49:03","slug":"how-to-setup-master-slave-dns-server-using-bind-on-centos-7","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-setup-master-slave-dns-server-using-bind-on-centos-7\/","title":{"rendered":"Setup Master-Slave DNS Server using BIND on CentOS 7"},"content":{"rendered":"\n<p>Welcome gurus to this very tutorial on how to set up a Master-Slave DNS Server using BIND on CentOS 7. <a href=\"https:\/\/www.isc.org\/bind\/\" target=\"_blank\" rel=\"noopener noreferrer\">BIND<\/a>, <b>Berkeley Internet Name Domain,<\/b> can be configured to function as both a Master and a Slave DNS server. There are different open-source packages that can be used to configure DNS nameservers. Some of these packages include <strong>BIND<\/strong>, <strong>dnsmasq<\/strong>, and <strong>unbound<\/strong>. In this tutorial, we are going to use the BIND package to configure our local DNS server. 
BIND is open-source software that implements the DNS protocol, which defines how networked devices locate one another based on their hostnames.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#setting-up-master-slave-dns-server-using-bind-on-cent-os\">Setting up Master-Slave DNS Server using BIND on CentOS<\/a><ul><li><a href=\"#deployment-architecture\">Deployment Architecture<\/a><\/li><li><a href=\"#configure-master-dns-server-using-bind-on-cent-os\">Configure Master DNS Server using BIND on CentOS<\/a><ul><li><a href=\"#install-required-bind-packages\">Install Required Bind Packages<\/a><\/li><li><a href=\"#create-dns-access-control-list-acl\">Create DNS Access Control List (ACL)<\/a><\/li><li><a href=\"#define-dns-server-global-options\">Define DNS Server Global Options<\/a><\/li><li><a href=\"#create-forward-and-reverse-zone-statements\">Create Forward and Reverse Zone Statements<\/a><\/li><li><a href=\"#create-forward-zone-file\">Create Forward zone file<\/a><\/li><li><a href=\"#create-reverse-zone-file\">Create Reverse Zone file<\/a><\/li><li><a href=\"#check-bind-configuration-for-syntax-errors\">Check BIND Configuration for Syntax Errors<\/a><\/li><li><a href=\"#verify-forward-zone-syntax\">Verify Forward Zone Syntax<\/a><\/li><li><a href=\"#start-bind-dns-service\">Start BIND DNS Service<\/a><\/li><li><a href=\"#open-dns-ports-on-firewall\">Open DNS Ports on Firewall<\/a><\/li><li><a href=\"#update-master-dns-server-address\">Update Master DNS Server Address<\/a><\/li><li><a href=\"#verify-dns-records-on-master-dns-server\">Verify DNS Records on Master DNS Server<\/a><\/li><\/ul><\/li><li><a href=\"#configure-slave-dns-server-using-bind-on-cent-os-7\">Configure Slave DNS server Using BIND on CentOS 7<\/a><ul><li><a href=\"#install-required-bind-packages-1\">Install Required Bind Packages<\/a><\/li><li><a href=\"#define-slave-dns-settings\">Define Slave DNS 
Settings<\/a><\/li><li><a href=\"#verify-bind-configuration-for-any-errors\">Verify BIND Configuration for any errors<\/a><\/li><li><a href=\"#start-bind-dns-service-2\">Start BIND DNS Service<\/a><\/li><\/ul><\/li><li><a href=\"#configure-nodes-to-use-dns-server\">Configure Nodes to use DNS Server<\/a><ul><li><a href=\"#install-dns-utilities\">Install DNS Utilities<\/a><\/li><li><a href=\"#update-dns-server-entries\">Update DNS Server Entries<\/a><\/li><li><a href=\"#verify-dns-resolution\">Verify DNS Resolution<\/a><\/li><\/ul><\/li><\/ul><\/li><li><a href=\"#related-tutorials\">Related Tutorials<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"setting-up-master-slave-dns-server-using-bind-on-cent-os\">Setting up Master-Slave DNS Server using BIND on CentOS<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"deployment-architecture\">Deployment Architecture<\/h3>\n\n\n\n<p>In this tutorial, we will be using three CentOS 7 servers configured as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Server<\/td><td>Hostname<\/td><td>IP Address<\/td><td>Role<\/td><\/tr><tr><td>Server1<\/td><td><code>ns1.kifarunix-demo.com<\/code><\/td><td><code>192.168.122.10<\/code><\/td><td>Master DNS Server<\/td><\/tr><tr><td>Server2<\/td><td><code>ns2.kifarunix-demo.com<\/code><\/td><td><code>192.168.122.11<\/code><\/td><td>Slave DNS Server<\/td><\/tr><tr><td>Server3<\/td><td><code>fileserver.kifarunix-demo.com<\/code><\/td><td><code>192.168.122.20<\/code><\/td><td>Client Server<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-master-dns-server-using-bind-on-cent-os\">Configure Master DNS Server using BIND on CentOS<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-required-bind-packages\">Install Required Bind Packages<\/h4>\n\n\n\n<p>On all the servers, we have to install the BIND packages before we proceed with the configuration;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>yum install -y 
bind bind-utils<\/code><\/pre>\n\n\n\n<p>Once the packages are installed, let us get to work.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-dns-access-control-list-acl\">Create DNS Access Control List (ACL)<\/h4>\n\n\n\n<p>We want to allow only specific hosts to query the DNS server. Therefore, we will create an Access Control List called <strong>allowed<\/strong>, containing the IP addresses of the hosts allowed to query our DNS servers, before the <strong>options<\/strong> section in the configuration file, <code><strong>\/etc\/named.conf<\/strong><\/code>;<\/p>\n\n\n\n<p>Before you proceed, this is the default <strong><code>\/etc\/named.conf<\/code><\/strong> configuration;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/etc\/named.conf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\/\/\n\/\/ named.conf\n\/\/\n\/\/ Provided by Red Hat bind package to configure the ISC BIND named(8) DNS\n\/\/ server as a caching only nameserver (as a localhost DNS resolver only).\n\/\/\n\/\/ See \/usr\/share\/doc\/bind*\/sample\/ for example named configuration files.\n\/\/\n\/\/ See the BIND Administrator's Reference Manual (ARM) for details about the\n\/\/ configuration located in \/usr\/share\/doc\/bind-{version}\/Bv9ARM.html\n\noptions {\n\tlisten-on port 53 { 127.0.0.1; };\n\tlisten-on-v6 port 53 { ::1; };\n\tdirectory \t\"\/var\/named\";\n\tdump-file \t\"\/var\/named\/data\/cache_dump.db\";\n\tstatistics-file \"\/var\/named\/data\/named_stats.txt\";\n\tmemstatistics-file \"\/var\/named\/data\/named_mem_stats.txt\";\n\trecursing-file  \"\/var\/named\/data\/named.recursing\";\n\tsecroots-file   \"\/var\/named\/data\/named.secroots\";\n\tallow-query     { localhost; };\n\n\t\/* \n\t - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.\n\t - If you are building a RECURSIVE (caching) DNS server, you need to enable \n\t   recursion. 
\n\t - If your recursive DNS server has a public IP address, you MUST enable access \n\t   control to limit queries to your legitimate users. Failing to do so will\n\t   cause your server to become part of large scale DNS amplification \n\t   attacks. Implementing BCP38 within your network would greatly\n\t   reduce such attack surface \n\t*\/\n\trecursion yes;\n\n\tdnssec-enable yes;\n\tdnssec-validation yes;\n\n\t\/* Path to ISC DLV key *\/\n\tbindkeys-file \"\/etc\/named.root.key\";\n\n\tmanaged-keys-directory \"\/var\/named\/dynamic\";\n\n\tpid-file \"\/run\/named\/named.pid\";\n\tsession-keyfile \"\/run\/named\/session.key\";\n};\n\nlogging {\n        channel default_debug {\n                file \"data\/named.run\";\n                severity dynamic;\n        };\n};\n\nzone \".\" IN {\n\ttype hint;\n\tfile \"named.ca\";\n};\n\ninclude \"\/etc\/named.rfc1912.zones\";\ninclude \"\/etc\/named.root.key\";\n<\/code><\/pre>\n\n\n\n<p>Thus, let&#8217;s begin by creating an ACL;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/named.conf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\/\/\n\/\/ named.conf\n\/\/\n\/\/ Provided by Red Hat bind package to configure the ISC BIND named(8) DNS\n\/\/ server as a caching only nameserver (as a localhost DNS resolver only).\n\/\/\n\/\/ See \/usr\/share\/doc\/bind*\/sample\/ for example named configuration files.\n\/\/\n\/\/ See the BIND Administrator's Reference Manual (ARM) for details about the\n\/\/ configuration located in \/usr\/share\/doc\/bind-{version}\/Bv9ARM.html\n\n# Create an access control list called allowed \n<strong>acl \"allowed\" {\n        192.168.122.10;\n        192.168.122.11;\n        192.168.122.20;\n};<\/strong>\noptions {\n        listen-on port 53 ...\n<\/code><\/pre>\n\n\n\n<p>In the above, we have limited DNS queries to only three hosts.<\/p>\n\n\n\n<p>Apart from defining the allowed IP addresses yourself, there are built-in BIND ACLs that you can use if they suit your 
needs;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>none<\/code>: Matches no hosts.<\/li>\n\n\n\n<li><code>any<\/code>: Matches all hosts.<\/li>\n\n\n\n<li><code>localhost<\/code>: Matches the loopback addresses&nbsp;<code>127.0.0.1<\/code>&nbsp;and&nbsp;<code>::1<\/code>, as well as the IP addresses of all interfaces on the server that runs BIND.<\/li>\n\n\n\n<li><code>localnets<\/code>: Matches the loopback addresses&nbsp;<code>127.0.0.1<\/code>&nbsp;and&nbsp;<code>::1<\/code>, as well as all subnets the server that runs BIND is directly connected to.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"define-dns-server-global-options\">Define DNS Server Global Options<\/h4>\n\n\n\n<p>The &#8220;options&#8221; section in the BIND configuration file (<code>named.conf<\/code>) specifies global options for the DNS server.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n\n# Create an access control list called allowed \nacl \"allowed\" {\n        192.168.122.10;\n        192.168.122.11;\n        192.168.122.20;\n};\n<strong>options {\n        listen-on port 53 { 127.0.0.1; 192.168.122.10; };\n        directory       \"\/var\/named\";\n        dump-file       \"\/var\/named\/data\/cache_dump.db\";\n        statistics-file \"\/var\/named\/data\/named_stats.txt\";\n        memstatistics-file \"\/var\/named\/data\/named_mem_stats.txt\";\n        recursing-file  \"\/var\/named\/data\/named.recursing\";\n        secroots-file   \"\/var\/named\/data\/named.secroots\";\n        allow-query     { localhost; allowed; };\n        allow-transfer  { 192.168.122.11; };\n        recursion yes;\n        dnssec-enable yes;\n        dnssec-validation yes;\n        bindkeys-file \"\/etc\/named.root.key\";\n        managed-keys-directory \"\/var\/named\/dynamic\";\n        pid-file \"\/run\/named\/named.pid\";\n        session-keyfile \"\/run\/named\/session.key\";\n};<\/strong>\n<\/code><\/pre>\n\n\n\n<p>These options are explained below;<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><code>listen-on<\/code>: Specifies the IP address(es) and port number(s) that the DNS server should listen on for incoming requests. The default port for DNS is 53.<\/li>\n\n\n\n<li><code>directory<\/code>: Specifies the directory where the DNS server should store its zone files, key files, and other data.<\/li>\n\n\n\n<li><code>dump-file<\/code>: Specifies the file where the DNS server should dump its cache database when it shuts down.<\/li>\n\n\n\n<li><code>statistics-file<\/code>: Specifies the file where the DNS server should log statistics about its performance and activity.<\/li>\n\n\n\n<li><code>memstatistics-file<\/code>: Specifies the file where the DNS server should log detailed memory usage statistics.<\/li>\n\n\n\n<li><code>recursing-file<\/code>: Specifies the file where the DNS server should log queries that it has forwarded to other DNS servers when performing recursive lookups.<\/li>\n\n\n\n<li><code>secroots-file<\/code>: Specifies the file where the DNS server should store trusted DNSSEC root keys.<\/li>\n\n\n\n<li><code>allow-query<\/code>: Specifies which hosts are allowed to query the DNS server. By default, the DNS server will only allow queries from localhost.<\/li>\n\n\n\n<li><code>allow-transfer<\/code>: Specifies which hosts are allowed to transfer zone data from the DNS server. By default, zone transfers are not allowed.<\/li>\n\n\n\n<li><code>recursion<\/code>: Enables or disables recursion. Recursion is the process by which a DNS server queries other DNS servers to resolve a DNS query.<\/li>\n\n\n\n<li><code>dnssec-enable<\/code>: Enables or disables DNSSEC validation. 
DNSSEC is a security protocol that is used to verify the authenticity of DNS data.<\/li>\n\n\n\n<li><code>dnssec-validation<\/code>: Enables or disables DNSSEC validation.<\/li>\n\n\n\n<li><code>bindkeys-file<\/code>: Specifies the file where the DNS server should look for the DNSSEC root key.<\/li>\n\n\n\n<li><code>managed-keys-directory<\/code>: Specifies the directory where the DNS server should store managed keys.<\/li>\n\n\n\n<li><code>pid-file<\/code>: Specifies the file where the DNS server should write its process ID.<\/li>\n\n\n\n<li><code>session-keyfile<\/code>: Specifies the file where the DNS server should store session keys.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-forward-and-reverse-zone-statements\">Create Forward and Reverse Zone Statements<\/h4>\n\n\n\n<p>Create zone statements for both forward and reverse DNS lookups.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n# Zone statement for forward DNS lookup\nzone \"kifarunix-demo.com\" IN {\n        type master;                           # type of zone\n        file \"\/var\/named\/forward.kifarunix-demo.com\"; # location of forward zone file\n        allow-update { none; };\n};\n# Zone statement for reverse DNS lookup\nzone    \"122.168.192.in-addr.arpa\" IN {\n        type master;                    \n        file \"\/var\/named\/reverse.kifarunix-demo.com\"; # location of reverse zone file\n        allow-update { none; };\n};\n<\/code><\/pre>\n\n\n\n<p>After that, save the configuration file and exit.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The first zone statement defines the forward zone for the domain kifarunix-demo.com.<\/li>\n\n\n\n<li>The &#8220;<strong><code>type master<\/code><\/strong>&#8221; specifies that this DNS server is the master server for this zone, meaning that it is the authoritative source for the DNS records in this zone.<\/li>\n\n\n\n<li>The &#8220;<strong><code>file<\/code><\/strong>&#8221; parameter specifies the location of the zone file that 
contains the DNS records for this zone. In this case, the file is &#8220;\/var\/named\/forward.kifarunix-demo.com&#8221;.<\/li>\n\n\n\n<li>The &#8220;<strong><code>allow-update<\/code><\/strong>&#8221; parameter specifies who is allowed to update the DNS records in this zone. In this case, the value &#8220;none&#8221; means that no one is allowed to update the DNS records in these zones. This is a common setting for master DNS servers that do not allow dynamic updates from clients.<\/li>\n<\/ul>\n\n\n\n<p>This is the named.conf file without the comment and blank lines;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>grep -vE '^\/\/|^$' \/etc\/named.conf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nacl \"allowed\" {\n        192.168.122.10;\n        192.168.122.11;\n        192.168.122.20;\n};\noptions {\n        listen-on port 53 { 127.0.0.1; 192.168.122.10; };\n        directory       \"\/var\/named\";\n        dump-file       \"\/var\/named\/data\/cache_dump.db\";\n        statistics-file \"\/var\/named\/data\/named_stats.txt\";\n        memstatistics-file \"\/var\/named\/data\/named_mem_stats.txt\";\n        recursing-file  \"\/var\/named\/data\/named.recursing\";\n        secroots-file   \"\/var\/named\/data\/named.secroots\";\n        allow-query     { localhost; allowed; };\n        allow-transfer  { 192.168.122.11; };\n        recursion yes;\n        dnssec-enable yes;\n        dnssec-validation yes;\n        bindkeys-file \"\/etc\/named.root.key\";\n        managed-keys-directory \"\/var\/named\/dynamic\";\n        pid-file \"\/run\/named\/named.pid\";\n        session-keyfile \"\/run\/named\/session.key\";\n};\nlogging {\n        channel default_debug {\n                file \"data\/named.run\";\n                severity dynamic;\n        };\n};\n# Zone statement for forward DNS lookup\nzone \"kifarunix-demo.com\" IN {\n        type master;                           # type of zone\n        file \"\/var\/named\/forward.kifarunix-demo.com\"; # location of forward zone 
file\n        allow-update { none; };\n};\n# Zone statement for reverse DNS lookup\nzone    \"122.168.192.in-addr.arpa\" IN {\n        type master;                    \n        file \"\/var\/named\/reverse.kifarunix-demo.com\"; # location of reverse zone file\n        allow-update { none; };\n};\ninclude \"\/etc\/named.rfc1912.zones\";\ninclude \"\/etc\/named.root.key\";\n<\/code><\/pre>\n\n\n\n<p>Next, create the zone files for both the forward and reverse zone statements defined in <strong>\/etc\/named.conf<\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-forward-zone-file\">Create Forward zone file<\/h4>\n\n\n\n<p>As specified in the zone statement in the \/etc\/named.conf file, the forward zone file is located at <strong>\/var\/named\/forward.kifarunix-demo.com<\/strong>. Open the file and edit it as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/var\/named\/forward.kifarunix-demo.com<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n$ORIGIN kifarunix-demo.com.\n$TTL 86400\n@   IN  SOA ns1.kifarunix-demo.com. admin.kifarunix-demo.com. (\n        2023051301   ; serial\n        3600         ; refresh\n        1800         ; retry\n        604800       ; expire\n        86400 )      ; minimum TTL\n;\n; define nameservers\n    IN  NS  ns1.kifarunix-demo.com.\n    IN  NS  ns2.kifarunix-demo.com.\n;\n; IP addresses and hostnames\nns1 IN  A   192.168.122.10\nns2 IN  A   192.168.122.11\n;\n; client records\nfileserver IN  A   192.168.122.20\n<\/code><\/pre>\n\n\n\n<p>Save the file and exit the editor.<\/p>\n\n\n\n<p>Explanation of some options used;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>$ORIGIN<\/code> is a directive in a DNS zone file that sets the base domain name for relative domain names defined in the file. It specifies the domain name that will be appended to any domain name that does not end with a trailing period. 
This directive is usually used at the beginning of a zone file to simplify the specification of domain names within the zone file.<\/li>\n\n\n\n<li><code>$TTL 86400<\/code>: Sets the default TTL (time-to-live) value to 86400 seconds (1 day).<\/li>\n\n\n\n<li>The SOA line defines the Start of Authority (SOA) record for the zone. It specifies the primary name server <code>ns1.kifarunix-demo.com<\/code> and the email address of the responsible person <code>admin.kifarunix-demo.com<\/code> (that is, admin@kifarunix-demo.com, with the @ written as a dot). The numbers in parentheses are the;\n<ul class=\"wp-block-list\">\n<li>serial number,<\/li>\n\n\n\n<li>refresh time,<\/li>\n\n\n\n<li>retry time,<\/li>\n\n\n\n<li>expiry time,<\/li>\n\n\n\n<li>minimum TTL value for the zone, respectively.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>The <strong><code>\"IN NS\"<\/code><\/strong> lines specify the nameservers for the zone, using the <code>NS<\/code> resource record type. These records indicate which nameservers are authoritative for the zone.<\/li>\n\n\n\n<li>The <strong><code>\"IN A\"<\/code><\/strong> lines define the A records that map domain names\/hostnames to IP addresses.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-reverse-zone-file\">Create Reverse Zone file<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/var\/named\/reverse.kifarunix-demo.com<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n$ORIGIN 122.168.192.in-addr.arpa.\n$TTL    86400\n@   IN  SOA ns1.kifarunix-demo.com.    admin.kifarunix-demo.com. 
(\n        2023051301  ; serial\n        3600        ; refresh\n        1800        ; retry\n        604800      ; expire\n        86400 )     ; minimum TTL\n;\n;nameservers\n    IN  NS  ns1.kifarunix-demo.com.\n    IN  NS  ns2.kifarunix-demo.com.\n;\n;nameserver IP addresses\n    IN  A   192.168.122.10\n    IN  A   192.168.122.11\n;\n; client IP Address\n    IN  A   192.168.122.20\n; nameserver PTR records\n10  IN  PTR ns1.kifarunix-demo.com.\n11  IN  PTR ns2.kifarunix-demo.com.\n;\n; client PTR records\n20  IN  PTR fileserver.kifarunix-demo.com.\n<\/code><\/pre>\n\n\n\n<p>Save the file and exit the editor.<\/p>\n\n\n\n<p>Explanation of some options;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>$ORIGIN 122.168.192.in-addr.arpa.<\/code>: sets the default origin for the zone to <code>122.168.192.in-addr.arpa<\/code>. This means that any hostname without a trailing dot will be assumed to be relative to this origin.<\/li>\n\n\n\n<li>The <strong><code>\"IN PTR\"<\/code><\/strong> lines specify the reverse DNS lookup records for the nameservers and the client, using the <code>PTR<\/code> (pointer) resource record type. 
These records map each IP address to its corresponding hostname.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"check-bind-configuration-for-syntax-errors\">Check BIND Configuration for Syntax Errors<\/h4>\n\n\n\n<p>Before starting BIND, i.e. the <strong>named service<\/strong>, check that there are no syntax errors in your configuration files using the following command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>named-checkconf<\/code><\/pre>\n\n\n\n<p>If the configuration file has no errors, the command returns nothing and exits with status 0. Adding the <code>-z<\/code> flag also loads and checks every zone defined in the configuration, which is the same check the named service runs in its ExecStartPre step before each start.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"verify-forward-zone-syntax\">Verify Forward Zone Syntax<\/h4>\n\n\n\n<p>To verify the syntax of the forward zone file, run the following command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>named-checkzone kifarunix-demo.com \/var\/named\/forward.kifarunix-demo.com<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>zone kifarunix-demo.com\/IN: loaded serial 2023051301\nOK<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"verify-reverse-zone-syntax\">Verify Reverse Zone Syntax<\/h4>\n\n\n\n<p>To verify the syntax of the reverse zone file, run the following command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>named-checkzone 122.168.192.in-addr.arpa \/var\/named\/reverse.kifarunix-demo.com<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>zone 122.168.192.in-addr.arpa\/IN: loaded serial 2023051301\nOK<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"start-bind-dns-service\">Start BIND DNS Service<\/h4>\n\n\n\n<p>Since there are no errors, we can start BIND and enable it to start on boot.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now named<\/code><\/pre>\n\n\n\n<p>Confirm the status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status named<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\u25cf named.service - Berkeley Internet Name Domain (DNS)\n   Loaded: loaded (\/usr\/lib\/systemd\/system\/named.service; enabled; vendor preset: disabled)\n   Active: active (running) since Sat 2023-05-13 13:37:27 EDT; 5s ago\n  Process: 1801 ExecStart=\/usr\/sbin\/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0\/SUCCESS)\n  Process: 1799 ExecStartPre=\/bin\/bash -c if [ ! 
\"$DISABLE_ZONE_CHECKING\" == \"yes\" ]; then \/usr\/sbin\/named-checkconf -z \"$NAMEDCONF\"; else echo \"Checking of zone files is disabled\"; fi (code=exited, status=0\/SUCCESS)\n Main PID: 1803 (named)\n   CGroup: \/system.slice\/named.service\n           \u2514\u25001803 \/usr\/sbin\/named -u named -c \/etc\/named.conf\n\nMay 13 13:37:27 ns1.kifarunix-demo.com named[1803]: network unreachable resolving '.\/DNSKEY\/IN': 2001:500:1::53#53\nMay 13 13:37:27 ns1.kifarunix-demo.com named[1803]: network unreachable resolving '.\/NS\/IN': 2001:500:1::53#53\nMay 13 13:37:27 ns1.kifarunix-demo.com named[1803]: network unreachable resolving '.\/DNSKEY\/IN': 2001:500:200::b#53\nMay 13 13:37:27 ns1.kifarunix-demo.com named[1803]: network unreachable resolving '.\/NS\/IN': 2001:500:200::b#53\nMay 13 13:37:27 ns1.kifarunix-demo.com named[1803]: network unreachable resolving '.\/DNSKEY\/IN': 2001:503:c27::2:30#53\nMay 13 13:37:27 ns1.kifarunix-demo.com named[1803]: network unreachable resolving '.\/NS\/IN': 2001:503:c27::2:30#53\nMay 13 13:37:27 ns1.kifarunix-demo.com named[1803]: network unreachable resolving '.\/DNSKEY\/IN': 2001:500:2d::d#53\nMay 13 13:37:27 ns1.kifarunix-demo.com named[1803]: network unreachable resolving '.\/NS\/IN': 2001:500:2d::d#53\nMay 13 13:37:28 ns1.kifarunix-demo.com named[1803]: managed-keys-zone: Key 20326 for zone . 
acceptance timer complete: key now trusted\nMay 13 13:37:28 ns1.kifarunix-demo.com named[1803]: resolver priming query complete\n<\/code><\/pre>\n\n\n\n<p>Confirm that named is listening on port 53 on the loopback and the configured interface address;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ss -alnp | grep :53<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nudp    UNCONN     0      0      192.168.122.10:53                    *:*                   users:((\"named\",pid=1803,fd=513))\nudp    UNCONN     0      0      127.0.0.1:53                    *:*                   users:((\"named\",pid=1803,fd=512))\ntcp    LISTEN     0      10     192.168.122.10:53                    *:*                   users:((\"named\",pid=1803,fd=22))\ntcp    LISTEN     0      10     127.0.0.1:53                    *:*                   users:((\"named\",pid=1803,fd=21))\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"open-dns-ports-on-firewall\">Open DNS Ports on Firewall<\/h4>\n\n\n\n<p>If the firewall is running, allow the DNS service through it and reload the firewall.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>firewall-cmd --add-service=dns --permanent;firewall-cmd --reload<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"update-master-dns-server-address\">Update Master DNS Server Address<\/h4>\n\n\n\n<p>Point the master at itself as its DNS server by editing the \/etc\/resolv.conf file and adding its own nameserver IP address;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/resolv.conf<\/code><\/pre>\n\n\n\n<p>Add the lines:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>nameserver 192.168.122.10\nnameserver 8.8.8.8<\/code><\/pre>\n\n\n\n<p>Change the DNS server details on the network interface. 
My network interface is enp0s8. The two addresses are passed as one quoted, space-separated value, since nmcli otherwise treats the second address as a property name.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nmcli con mod enp0s8 ipv4.dns \"192.168.122.10 8.8.8.8\"<\/code><\/pre>\n\n\n\n<p>Re-activate the connection so that the new DNS settings take effect;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>nmcli con up enp0s8<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"verify-dns-records-on-master-dns-server\">Verify DNS Records on Master DNS Server<\/h4>\n\n\n\n<p>After that, test to check if the hostnames and addresses are being resolved.<\/p>\n\n\n\n<p>To check forward resolution (name to address):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dig ns1.kifarunix-demo.com<\/code><\/pre>\n\n\n\n<p>To check reverse resolution (address to name);<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dig -x 192.168.122.10<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-slave-dns-server-using-bind-on-cent-os-7\">Configure Slave DNS server Using BIND on CentOS 7<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-required-bind-packages-1\">Install Required Bind Packages<\/h4>\n\n\n\n<p>Install the BIND packages.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>yum install bind bind-utils -y<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"define-slave-dns-settings\">Define Slave DNS Settings<\/h4>\n\n\n\n<p>Edit the <strong>\/etc\/named.conf<\/strong> file and make the adjustments as shown below.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/named.conf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nacl \"allowed\" {\n        192.168.122.10;\n        192.168.122.11;\n        192.168.122.20;\n};\noptions {\n        listen-on port 53 { 127.0.0.1; 192.168.122.11; };\n        directory       \"\/var\/named\";\n        dump-file       \"\/var\/named\/data\/cache_dump.db\";\n        statistics-file \"\/var\/named\/data\/named_stats.txt\";\n        memstatistics-file \"\/var\/named\/data\/named_mem_stats.txt\";\n        
recursing-file  \"\/var\/named\/data\/named.recursing\";\n        secroots-file   \"\/var\/named\/data\/named.secroots\";\n        allow-query     { localhost; allowed; };\n        allow-transfer  { none; };\n        recursion no;\n        dnssec-enable yes;\n        dnssec-validation yes;\n        bindkeys-file \"\/etc\/named.root.key\";\n        managed-keys-directory \"\/var\/named\/dynamic\";\n        pid-file \"\/run\/named\/named.pid\";\n        session-keyfile \"\/run\/named\/session.key\";\n};\nlogging {\n        channel default_debug {\n                file \"data\/named.run\";\n                severity dynamic;\n        };\n};\n# zone statement for forward dns lookup\nzone \"kifarunix-demo.com\" IN {\n        type slave;\n        file \"slaves\/forward.kifarunix-demo.com\";\n        masters { 192.168.122.10; };\n};\n# zone statement for reverse dns lookup\nzone  \"122.168.192.in-addr.arpa\" IN {\n        type slave;\n        file \"slaves\/reverse.kifarunix-demo.com\";\n        masters { 192.168.122.10; };\n};\ninclude \"\/etc\/named.rfc1912.zones\";\ninclude \"\/etc\/named.root.key\";\n<\/code><\/pre>\n\n\n\n<p>Save the file and exit. No zone files need to be created by hand on the slave: named writes the transferred zones into <strong>\/var\/named\/slaves<\/strong>, which the bind package creates writable by the named user.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"verify-bind-configuration-for-any-errors\">Verify BIND Configuration for any errors<\/h4>\n\n\n\n<p>Verify the DNS configs;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>named-checkconf<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"start-bind-dns-service-2\">Start BIND DNS Service<\/h4>\n\n\n\n<p>Restart the DNS service and enable it to run on boot;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart named<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable named<\/code><\/pre>\n\n\n\n<p>Check the status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status named<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\u25cf named.service - Berkeley Internet Name Domain (DNS)\n   Loaded: loaded 
(\/usr\/lib\/systemd\/system\/named.service; disabled; vendor preset: disabled)\n   Active: active (running) since Sat 2023-05-13 14:18:49 EDT; 5s ago\n  Process: 2101 ExecStart=\/usr\/sbin\/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0\/SUCCESS)\n  Process: 2099 ExecStartPre=\/bin\/bash -c if [ ! \"$DISABLE_ZONE_CHECKING\" == \"yes\" ]; then \/usr\/sbin\/named-checkconf -z \"$NAMEDCONF\"; else echo \"Checking of zone files is disabled\"; fi (code=exited, status=0\/SUCCESS)\n Main PID: 2103 (named)\n   CGroup: \/system.slice\/named.service\n           \u2514\u25002103 \/usr\/sbin\/named -u named -c \/etc\/named.conf\n\nMay 13 14:18:49 ns2.kifarunix-demo.com named[2103]: transfer of 'kifarunix-demo.com\/IN' from 192.168.122.10#53: Transfer completed: 1 messages, 7 records, 209 b...ytes\/sec)\nMay 13 14:18:49 ns2.kifarunix-demo.com named[2103]: zone kifarunix-demo.com\/IN: sending notifies (serial 2023051301)\nMay 13 14:18:49 ns2.kifarunix-demo.com named[2103]: managed-keys-zone: Key 20326 for zone . 
acceptance timer complete: key now trusted\nMay 13 14:18:49 ns2.kifarunix-demo.com named[2103]: resolver priming query complete\nMay 13 14:18:49 ns2.kifarunix-demo.com named[2103]: zone 122.168.192.in-addr.arpa\/IN: Transfer started.\nMay 13 14:18:49 ns2.kifarunix-demo.com named[2103]: transfer of '122.168.192.in-addr.arpa\/IN' from 192.168.122.10#53: connected using 192.168.122.11#58456\nMay 13 14:18:49 ns2.kifarunix-demo.com named[2103]: zone 122.168.192.in-addr.arpa\/IN: transferred serial 2023051301\nMay 13 14:18:49 ns2.kifarunix-demo.com named[2103]: transfer of '122.168.192.in-addr.arpa\/IN' from 192.168.122.10#53: Transfer status: success\nMay 13 14:18:49 ns2.kifarunix-demo.com named[2103]: transfer of '122.168.192.in-addr.arpa\/IN' from 192.168.122.10#53: Transfer completed: 1 messages, 10 records...ytes\/sec)\nMay 13 14:18:49 ns2.kifarunix-demo.com named[2103]: zone 122.168.192.in-addr.arpa\/IN: sending notifies (serial 2023051301)\nHint: Some lines were ellipsized, use -l to show in full.\n<\/code><\/pre>\n\n\n\n<p>Change the DNS server details on your network interface. 
In this case, we add both DNS servers to the NetworkManager profile of the interface (enp0s8 here) and re-activate the connection so that the change is applied. Note that <code>nmcli con reload<\/code> only re-reads profile files from disk and does not apply a modified profile; use <code>nmcli con up<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>nmcli con mod enp0s8 +ipv4.dns \"192.168.122.10 192.168.122.11\"<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>nmcli con up enp0s8<\/code><\/pre>\n\n\n\n<p>NetworkManager regenerates <strong>\/etc\/resolv.conf<\/strong> from the profile, so the file should now contain the following lines. Edit it by hand only if NetworkManager does not manage it on your system; otherwise a manual edit is overwritten the next time the connection comes up.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>nameserver 192.168.122.10\nnameserver 192.168.122.11<\/code><\/pre>\n\n\n\n<p>Allow the DNS service through the firewall and reload the firewall rules.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>firewall-cmd --add-service=dns --permanent;firewall-cmd --reload<\/code><\/pre>\n\n\n\n<p>Test the DNS server; if everything goes well, proceed to configure the clients.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-nodes-to-use-dns-server\">Configure Nodes to use DNS Server<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-dns-utilities\">Install DNS Utilities<\/h4>\n\n\n\n<p>On Debian systems and similar derivatives;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install dnsutils<\/code><\/pre>\n\n\n\n<p>On CentOS and similar derivatives;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>yum install bind-utils<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"update-dns-server-entries\">Update DNS Server Entries<\/h4>\n\n\n\n<p>Log into the client and edit the <strong>\/etc\/resolv.conf<\/strong> file. 
Add the IP addresses of both the primary and secondary nameservers, plus a <code>search<\/code> line for the zone so that short hostnames such as <code>fileserver<\/code> are completed to <code>fileserver.kifarunix-demo.com<\/code> reliably, rather than depending on the client's own hostname. On a NetworkManager-managed client set the same values on the connection profile instead (<code>ipv4.dns<\/code> and <code>ipv4.dns-search<\/code>, as done for the slave above), because NetworkManager regenerates the file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/resolv.conf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>nameserver 192.168.122.10\nnameserver 192.168.122.11\nsearch kifarunix-demo.com<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"verify-dns-resolution\">Verify DNS Resolution<\/h4>\n\n\n\n<p>Test the forward lookup;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nslookup fileserver<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Server:\t\t192.168.122.10\nAddress:\t192.168.122.10#53\n\nName:\tfileserver.kifarunix-demo.com\nAddress: 192.168.122.20<\/code><\/pre>\n\n\n\n<p>Test the reverse lookup;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nslookup 192.168.122.20<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>20.122.168.192.in-addr.arpa\tname = fileserver.kifarunix-demo.com.<\/code><\/pre>\n\n\n\n<p>Both answers above come from the primary (192.168.122.10). Repeat the queries against the secondary explicitly, for example <code>nslookup fileserver 192.168.122.11<\/code>, to confirm that it answers from its transferred copy of the zones and that clients keep resolving when the primary is down.<\/p>\n\n\n\n<p>Magnificent, your local DNS server is now set up and operational.<\/p>\n\n\n\n<p>That marks the end of our guide on how to configure a Master-Slave DNS Server using BIND on CentOS 7.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"related-tutorials\">Related Tutorials<\/h2>\n\n\n\n<p class=\"entry-title td-module-title\"><a title=\"Configure Local DNS Server using Dnsmasq on Ubuntu 20.04\" href=\"https:\/\/kifarunix.com\/configure-local-dns-server-using-dnsmasq-on-ubuntu-20-04\/\" target=\"_blank\" rel=\"noopener noreferrer\">Configure Local DNS Server using Dnsmasq on Ubuntu 20.04<\/a><\/p>\n\n\n\n<p class=\"entry-title td-module-title\"><a title=\"Setup Caching-Only DNS Server using BIND9 on Ubuntu 20.04\" href=\"https:\/\/kifarunix.com\/setup-caching-only-dns-server-using-bind9-on-ubuntu-20-04\/\" target=\"_blank\" rel=\"noopener noreferrer\">Setup Caching-Only DNS Server using BIND9 
on Ubuntu 20.04<\/a><\/p>\n\n\n\n<p class=\"entry-title td-module-title\"><a title=\"Configure BIND DNS Server using Webmin on CentOS 8\" href=\"https:\/\/kifarunix.com\/configure-bind-dns-server-using-webmin-on-centos-8\/\" target=\"_blank\" rel=\"noopener noreferrer\">Configure BIND DNS Server using Webmin on CentOS 8<\/a><\/p>\n\n\n\n<p class=\"entry-title td-module-title\"><a title=\"Setup Bind DNS Using Webmin on Debian 10\" href=\"https:\/\/kifarunix.com\/setup-bind-dns-using-webmin-on-debian-10\/\" target=\"_blank\" rel=\"noopener noreferrer\">Setup Bind DNS Using Webmin on Debian 10<\/a><\/p>\n\n\n\n<p class=\"entry-title td-module-title\"><a title=\"Configure BIND as Slave DNS Server on Ubuntu 18.04\" href=\"https:\/\/kifarunix.com\/configure-bind-as-slave-dns-server-on-ubuntu-18-04\/\" target=\"_blank\" rel=\"noopener noreferrer\">Configure BIND as Slave DNS Server on Ubuntu 18.04<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome gurus to this very tutorial on how to setup Master-Slave DNS Server using BIND on CentOS 7. 
BIND, Berkeley Internet Name Domain, can be<\/p>\n","protected":false},"author":1,"featured_media":9314,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,979,971],"tags":[109,88,110,973,6665,6666,108,6664,3741,3740,111],"class_list":["post-561","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-bind","category-dns","tag-bind","tag-centos-7","tag-dig","tag-dns","tag-dns-acl","tag-dns-master-and-slave","tag-dns-server","tag-dns-utilities","tag-install-bind-centos","tag-master-slave-dns-centos","tag-nslookup","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/561"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=561"}],"version-history":[{"count":14,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/561\/revisions"}],"predecessor-version":[{"id":21004,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/561\/revisions\/21004"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/9314"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=561"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=561"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=561"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
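The tutorial above verifies the setup from a client with two nslookup queries against the primary. The script below is an added example, not part of the original post or of BIND, that performs the two checks a practitioner would want after a master/slave deployment: that the master and the slave publish the same SOA serial for both the forward and the reverse zone (a stale slave is the usual sign of a broken transfer or notify), and that neither server hands the zone to an AXFR request from an unauthorised host, which is what the transfer ACL configured earlier in the tutorial is meant to enforce. The addresses and zone names are the tutorial's (master 192.168.122.10, slave 192.168.122.11, kifarunix-demo.com and 122.168.192.in-addr.arpa); the function names, the RUN_LIVE switch and the environment-variable overrides are this example's own assumptions. It needs dig from bind-utils or dnsutils, which the tutorial installs on the clients.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: post-setup checks for the
# BIND master/slave pair. Addresses and zones are the tutorial's; override
# them with environment variables. Needs dig (bind-utils / dnsutils).
set -u

MASTER=${MASTER:-192.168.122.10}
SLAVE=${SLAVE:-192.168.122.11}
ZONE=${ZONE:-kifarunix-demo.com}
RZONE=${RZONE:-122.168.192.in-addr.arpa}

# Extract the serial, the third field of a `dig +short <zone> SOA` answer,
# e.g. "ns1.kifarunix-demo.com. admin.kifarunix-demo.com. 2023051301 3600 1800 604800 86400".
# Prints nothing when the answer is empty (server down or zone missing).
serial_from_soa() {
    # shellcheck disable=SC2086  # word splitting into fields is intended
    set -- ${1:-}
    printf '%s\n' "${3:-}"
}

# Serial a given server currently publishes for a zone (network query).
soa_serial() { # $1 = server address, $2 = zone
    serial_from_soa "$(dig +short "@$1" "$2" SOA +time=3 +tries=1 2>/dev/null)"
}

# True when dig AXFR output contains a real SOA record, i.e. the server
# handed the zone over. A refused transfer only prints "; Transfer failed."
# and dig's own header lines, all of which start with ';'.
axfr_leaked() {
    printf '%s\n' "${1:-}" | grep -qE '^[^;].*[[:space:]]IN[[:space:]]+SOA[[:space:]]'
}

# Live checks: serials agree on master and slave, and AXFR from this host
# is refused by both. Run it from a host that is NOT the slave, since the
# slave is the one address the master's ACL is supposed to allow.
main() {
    local rc=0 z ns m s out
    for z in "$ZONE" "$RZONE"; do
        m=$(soa_serial "$MASTER" "$z")
        s=$(soa_serial "$SLAVE" "$z")
        if [ -n "$m" ] && [ "$m" = "$s" ]; then
            echo "OK   $z: serial $m on master and slave"
        else
            echo "FAIL $z: serial master='$m' slave='$s' (slave stale or not answering)"
            rc=1
        fi
        for ns in "$MASTER" "$SLAVE"; do
            out=$(dig "@$ns" "$z" AXFR +time=3 +tries=1 2>&1)
            if axfr_leaked "$out"; then
                echo "FAIL $ns allowed a zone transfer of $z to this host"
                rc=1
            else
                echo "OK   $ns refused a zone transfer of $z"
            fi
        done
    done
    return "$rc"
}

# Only touch the network when asked; the helper functions work offline.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN_LIVE=1 bash dnscheck.sh` from a client such as the fileserver host; a FAIL on the AXFR line means the allow-transfer ACL on that server is wider than the slave's address and the whole zone can be enumerated by anyone on the network. A serial mismatch after a zone edit on the master usually means the serial was not incremented or the notify/transfer between 192.168.122.10 and 192.168.122.11 is blocked.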