{"id":9245,"date":"2021-06-23T22:19:04","date_gmt":"2021-06-23T19:19:04","guid":{"rendered":"https:\/\/kifarunix.com\/?p=9245"},"modified":"2024-03-18T20:27:19","modified_gmt":"2024-03-18T17:27:19","slug":"install-and-setup-bind-dns-server-on-rocky-linux-8","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-setup-bind-dns-server-on-rocky-linux-8\/","title":{"rendered":"Install and Setup BIND DNS server on Rocky Linux 8"},"content":{"rendered":"\n<p>Follow through to learn how to install and set up a BIND DNS server on Rocky Linux 8. Packages such as \u00a0<strong>BIND<\/strong>,\u00a0<strong>dnsmasq<\/strong>, and\u00a0<strong>unbound<\/strong> can be configured to function as DNS nameservers. In this tutorial, we are going to use the BIND package to configure our local DNS server. <a href=\"https:\/\/www.isc.org\/bind\/\" target=\"_blank\" rel=\"noreferrer noopener\">BIND<\/a>,\u00a0<strong>Berkeley Internet Name Domain,<\/strong>\u00a0is open-source software that implements the DNS protocols, which define how networked devices locate one another based on their hostnames.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Installing BIND DNS server on Rocky Linux 8<\/h2>\n\n\n\n<p>In this tutorial, we will be using three Rocky Linux 8 servers configured as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Server1\n<ul class=\"wp-block-list\">\n<li>Hostname:&nbsp;<code>ns1.kifarunix-demo.com<\/code><\/li>\n\n\n\n<li>IP Address:&nbsp;<code>192.168.60.19<\/code><\/li>\n\n\n\n<li>Role:&nbsp;<code>Master DNS server<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Server2\n<ul class=\"wp-block-list\">\n<li>Hostname:&nbsp;<code>client.kifarunix-demo.com<\/code><\/li>\n\n\n\n<li>IP Address:&nbsp;<code>192.168.60.18<\/code><\/li>\n\n\n\n<li>Role:&nbsp;<code>client server<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Install BIND and BIND Utilities on Rocky Linux 8<\/h3>\n\n\n\n<p>Run the command below to install BIND and 
required utilities;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install -y bind bind-utils<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configuring-master-dns-server:b0fc218a7083489c2a29de625a52f76b\">Setup BIND DNS server on Rocky Linux 8<\/h3>\n\n\n\n<p>BIND&#8217;s main configuration file is&nbsp;<strong>\/etc\/named.conf<\/strong>.<\/p>\n\n\n\n<p>You need to open this file and make some configuration adjustments to set up your DNS server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/named.conf<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Define BIND Access Control Lists<\/h4>\n\n\n\n<p>BIND ACLs <em>give you finer control over who can access the name server and thus help prevent spoofing and denial of service (DoS) attacks against the server.<\/em><\/p>\n\n\n\n<p>Therefore, create an Access Control List called&nbsp;<strong>allowed<\/strong>&nbsp;containing the IP addresses of the hosts to be allowed, placed before the&nbsp;<strong>options<\/strong>&nbsp;configuration section in the configuration file.<\/p>\n\n\n\n<p>In the example configuration below, we only allow hosts in the network <strong><code>192.168.60.0\/24<\/code><\/strong> to use our DNS server.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Create an access control list called allowed\n<strong>acl \"allowed\" {\n        192.168.60.0\/24;\n};<\/strong>\n...<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Define Global BIND Options<\/h4>\n\n\n\n<p><em>The options statement sets up global options to be used by BIND.<\/em><\/p>\n\n\n\n<p>There are only a few changes we will make to the default options statement;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Specify the BIND DNS server non-loopback IP on the <strong><code>listen-on<\/code><\/strong> line.<\/li>\n\n\n\n<li>Specify the hosts allowed to query the DNS server, as defined by the ACL statement, on the <strong><code>allow-query<\/code><\/strong> line. Since the default options keep <code>recursion yes;<\/code>, restricting <code>allow-query<\/code> to <code>localhost<\/code> and the ACL is what keeps the server from acting as an open resolver for anyone who can reach it.<\/li>\n<\/ul>\n\n\n\n<pre 
class=\"wp-block-code\"><code>options {\n        listen-on port 53 { 127.0.0.1; <strong>192.168.60.19;<\/strong> };\n        listen-on-v6 port 53 { ::1; };\n        directory   \"\/var\/named\";\n        dump-file   \"\/var\/named\/data\/cache_dump.db\";\n        statistics-file \"\/var\/named\/data\/named_stats.txt\";\n        memstatistics-file \"\/var\/named\/data\/named_mem_stats.txt\";\n        allow-query     { localhost; <strong>allowed;<\/strong> };\n...<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Define BIND DNS Zone Statements<\/h4>\n\n\n\n<p>Create a forward zone statement, which is used to resolve domain names into IP addresses (forward lookup zones).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Zone statement for forward DNS lookup\nzone \"kifarunix-demo.com\" IN {\n        type master;                           <strong># type of zone<\/strong>\n        file \"\/var\/named\/forward.kifarunix-demo.com\"; <strong># location of forward zone file<\/strong>\n        allow-update { none; };\n};\n...\n<\/code><\/pre>\n\n\n\n<p>Create a BIND reverse DNS zone statement, which defines how to resolve IP addresses into their hostnames (reverse lookup zones).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Zone statement for reverse DNS lookup\nzone    \"60.168.192.in-addr.arpa\" IN {\n        type master;                    \n        file \"\/var\/named\/reverse.kifarunix-demo.com\"; # location of reverse zone file\n        allow-update { none; };\n};<\/code><\/pre>\n\n\n\n<p>After that, save the configuration file and exit.<\/p>\n\n\n\n<p>This is what our configuration file looks like with comment lines and blank lines\/whitespace removed:<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nacl \"allowed\" {\n        192.168.60.0\/24;\n};\n\noptions {\n\tlisten-on port 53 { 127.0.0.1; 192.168.60.19; };\n\tlisten-on-v6 port 53 { ::1; };\n\tdirectory \t\"\/var\/named\";\n\tdump-file \t\"\/var\/named\/data\/cache_dump.db\";\n\tstatistics-file 
\"\/var\/named\/data\/named_stats.txt\";\n\tmemstatistics-file \"\/var\/named\/data\/named_mem_stats.txt\";\n\tsecroots-file\t\"\/var\/named\/data\/named.secroots\";\n\trecursing-file\t\"\/var\/named\/data\/named.recursing\";\n\tallow-query     { localhost; allowed; };\n\n\trecursion yes;\n\tdnssec-enable yes;\n\tdnssec-validation yes;\n\tmanaged-keys-directory \"\/var\/named\/dynamic\";\n\tpid-file \"\/run\/named\/named.pid\";\n\tsession-keyfile \"\/run\/named\/session.key\";\n\tinclude \"\/etc\/crypto-policies\/back-ends\/bind.config\";\n};\nlogging {\n        channel default_debug {\n                file \"data\/named.run\";\n                severity dynamic;\n        };\n};\nzone \".\" IN {\n\ttype hint;\n\tfile \"named.ca\";\n};\nzone \"kifarunix-demo.com\" IN {\n        type master;                           # type of zone\n        file \"\/var\/named\/forward.kifarunix-demo.com\"; # location of forward zone file\n        allow-update { none; };\n};\nzone    \"60.168.192.in-addr.arpa\" IN {\n        type master;                    \n        file \"\/var\/named\/reverse.kifarunix-demo.com\"; # location of reverse zone file\n        allow-update { none; };\n};\ninclude \"\/etc\/named.rfc1912.zones\";\ninclude \"\/etc\/named.root.key\";\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Create BIND DNS Zone Files<\/h4>\n\n\n\n<p>Zone files define the various types of Resource Records.<\/p>\n\n\n\n<p>Create zone files for both the forward and reverse zone statements defined in&nbsp;<strong>\/etc\/named.conf<\/strong>.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><strong>Creating a Forward zone file<\/strong><\/h5>\n\n\n\n<p>As specified in the zone statement in the <strong>\/etc\/named.conf<\/strong> file, the forward zone file is located at&nbsp;<strong>\/var\/named\/forward.kifarunix-demo.com<\/strong>.<\/p>\n\n\n\n<p>Create this file and configure it as follows;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > \/var\/named\/forward.kifarunix-demo.com << 
'EOL'\n$ORIGIN kifarunix-demo.com.\n$TTL 86400\n@   IN  SOA ns1.kifarunix-demo.com. admin.kifarunix-demo.com. (\n        2021062301   ; serial\n        3600         ; refresh\n        1800         ; retry\n        604800       ; expire\n        86400 )      ; minimum TTL\n;\n; define nameservers\n    IN  NS  ns1.kifarunix-demo.com.\n;\n; DNS Server IP addresses and hostnames\nns1 IN  A   192.168.60.19\n;\n;client records\nclient IN  A   192.168.60.18\nEOL\n<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\"><strong>Creating a reverse zone file<\/strong><\/h5>\n\n\n\n<p>The reverse zone only needs the SOA, the NS record and one PTR record per host; A records do not belong in an in-addr.arpa zone.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > \/var\/named\/reverse.kifarunix-demo.com << 'EOL'\n$ORIGIN 60.168.192.in-addr.arpa.\n$TTL    86400\n@   IN  SOA  ns1.kifarunix-demo.com. admin.kifarunix-demo.com. (\n        2021062302  ; serial\n        3600        ; refresh\n        1800        ; retry\n        604800      ; expire\n        86400 )     ; minimum TTL\n;\n;nameservers\n    IN  NS  ns1.kifarunix-demo.com.\n;\n; nameserver PTR records\n19  IN  PTR ns1.kifarunix-demo.com.\n;\n; client PTR records\n18  IN  PTR client.kifarunix-demo.com.\nEOL\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Validate BIND configuration Syntax<\/h4>\n\n\n\n<p>Before starting BIND, i.e. the&nbsp;<strong>named<\/strong> service, check that there are no syntax errors in your configuration files using the following command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>named-checkconf<\/code><\/pre>\n\n\n\n<p>If the configuration file has no errors, the command prints nothing and exits with status 0.<\/p>\n\n\n\n<p>To verify the syntax of the forward zone file, run the following command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>named-checkzone kifarunix-demo.com \/var\/named\/forward.kifarunix-demo.com<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>zone 
kifarunix-demo.com\/IN: loaded serial 2021062301\nOK<\/code><\/pre>\n\n\n\n<p>To verify the syntax of the reverse zone file, run the command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>named-checkzone 60.168.192.in-addr.arpa \/var\/named\/reverse.kifarunix-demo.com<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>zone 60.168.192.in-addr.arpa\/IN: loaded serial 2021062302\nOK<\/code><\/pre>\n\n\n\n<p>If there are no errors, start BIND and enable it to start on boot.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now named<\/code><\/pre>\n\n\n\n<p>If the firewall is running, allow the DNS service through it and reload the firewall.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>firewall-cmd --add-service=dns --permanent; firewall-cmd --reload<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Verifying BIND DNS Server Resolution<\/h3>\n\n\n\n<p>Point the DNS server's own resolver at itself by editing the <code><strong>\/etc\/resolv.conf<\/strong><\/code> file and adding the nameserver IP address;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo \"nameserver 192.168.60.19\" &gt; \/etc\/resolv.conf<\/code><\/pre>\n\n\n\n<p>Change the DNS server details on the network interface. 
My network interface is enp0s8.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ip add<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n    inet6 ::1\/128 scope host \n       valid_lft forever preferred_lft forever\n2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000\n    link\/ether 08:00:27:3e:fe:0e brd ff:ff:ff:ff:ff:ff\n    inet 10.0.2.15\/24 brd 10.0.2.255 scope global dynamic noprefixroute enp0s3\n       valid_lft 58976sec preferred_lft 58976sec\n    inet6 fe80::689b:622:1eaf:287a\/64 scope link noprefixroute \n       valid_lft forever preferred_lft forever\n3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000\n    link\/ether 08:00:27:02:b9:8c brd ff:ff:ff:ff:ff:ff\n    inet 192.168.60.19\/24 brd 192.168.60.255 scope global dynamic noprefixroute enp0s8\n       valid_lft 473sec preferred_lft 473sec\n    inet6 fe80::301d:abeb:ad8b:6c56\/64 scope link noprefixroute \n       valid_lft forever preferred_lft forever\n<\/code><\/pre>\n\n\n\n<p>Update the DNS;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nmcli con mod enp0s8 ipv4.dns 192.168.60.19<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nmcli con down enp0s8; nmcli con up enp0s8<\/code><\/pre>\n\n\n\n<p>After that, test to check if the hostnames or IP addresses are being resolved.<\/p>\n\n\n\n<p>To check name resolution:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dig ns1.kifarunix-demo.com<\/code><\/pre>\n\n\n\n<p>Sample Output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> ns1.kifarunix-demo.com\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER<<- opcode: QUERY, status: 
NOERROR, id: 25000\n;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags:; udp: 1232\n; COOKIE: 7086456c0747f91d9a6baf9160d379d78db89f52c45e867f (good)\n;; QUESTION SECTION:\n;ns1.kifarunix-demo.com.\t\tIN\tA\n\n;; ANSWER SECTION:\nns1.kifarunix-demo.com.\t86400\tIN\tA\t192.168.60.19\n\n;; AUTHORITY SECTION:\nkifarunix-demo.com.\t86400\tIN\tNS\tns1.kifarunix-demo.com.\n\n;; Query time: 0 msec\n;; SERVER: 192.168.60.19#53(192.168.60.19)\n;; WHEN: Wed Jun 23 21:13:43 EAT 2021\n;; MSG SIZE  rcvd: 109\n<\/code><\/pre>\n\n\n\n<p>To check reverse DNS resolution;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dig -x 192.168.60.19<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -x 192.168.60.19\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6772\n;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags:; udp: 1232\n; COOKIE: be2acb0f5766be389b24d55260d37a3f1c3c8466a7248483 (good)\n;; QUESTION SECTION:\n;19.60.168.192.in-addr.arpa.\tIN\tPTR\n\n;; AUTHORITY SECTION:\n60.168.192.in-addr.arpa. 86400\tIN\tSOA\tns1.kifarunix-demo.com. admin.kifarunix-demo.com. 
2021062302 3600 1800 604800 86400\n\n;; Query time: 0 msec\n;; SERVER: 192.168.60.19#53(192.168.60.19)\n;; WHEN: Wed Jun 23 21:15:27 EAT 2021\n;; MSG SIZE  rcvd: 146\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configuring-the-client:b0fc218a7083489c2a29de625a52f76b\">Configuring the client for BIND DNS Resolution<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Update the DNS Settings<\/h4>\n\n\n\n<p>Log into the client and edit the&nbsp;<strong>\/etc\/resolv.conf<\/strong>&nbsp;file.<\/p>\n\n\n\n<p>Set the DNS server IP addresses.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo -e \"search kifarunix-demo.com\\nnameserver 192.168.60.19\" &gt; \/etc\/resolv.conf<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Install BIND Utils\/Tools on CentOS<\/h4>\n\n\n\n<p>To install BIND utils on CentOS\/RHEL based derivatives;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install bind-utils<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Install BIND Utils on Ubuntu<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install dnsutils<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Verify DNS forward lookup;<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nslookup client<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Server:\t\t192.168.60.19\nAddress:\t192.168.60.19#53\n\nName:\tclient.kifarunix-demo.com\nAddress: 192.168.60.18<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Verify DNS reverse lookup<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nslookup 192.168.60.18<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>18.60.168.192.in-addr.arpa\tname = client.kifarunix-demo.com.<\/code><\/pre>\n\n\n\n<p>Magnificent, your local DNS server is now set up and operational.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Rocky Linux Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-nagios-plugins-on-rocky-linux-8\/\" target=\"_blank\" 
rel=\"noreferrer noopener\">Install Nagios Plugins on Rocky Linux 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-nagios-server-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Nagios Server on Rocky Linux 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-google-chrome-on-rocky-linux-8-desktop\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Google Chrome on Rocky Linux 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-vnc-server-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install VNC Server on Rocky Linux 8<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Follow through to learn how to install and setup BIND DNS server on Rocky Linux 8. Packages such as \u00a0BIND,\u00a0dnsmasq, and\u00a0unbound can be configured to<\/p>\n","protected":false},"author":3,"featured_media":9304,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[971,979,121],"tags":[973,3737,3738,3739],"class_list":["post-9245","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-dns","category-bind","category-howtos","tag-dns","tag-install-bind-dns-rocky-linux","tag-rocky-linux-bind-dns","tag-setup-bind-dns-on-rocky-linux","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/9245"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=9245"}],"version-history":[{"count":11,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/9245\
/revisions"}],"predecessor-version":[{"id":21765,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/9245\/revisions\/21765"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/9304"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=9245"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=9245"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=9245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}