Bind9 in CentOS

Hello everybody,

Recently I got a task to configure Bind9 on CentOS.

While doing this I found some poorly documented features of CentOS.

File locations and defaults

On CentOS the Bind9 package ships the daemon as named, and the systemd unit has the same name, so you manage it with systemctl. For example, you can get the status of the server with this command:

systemctl status named

Zone data lives in zone files; by default named keeps them under /var/named/.

The configuration of bind itself lives in /etc/named.conf and the files it includes, i.e. /etc/named*.

The following command tells us more about that directory:

 ls -ld /var/named

drwxr-x--- 5 root named 127 May 17 17:25 /var/named

The directory is owned by root with group named and mode 750: root and the named group (the account the daemon runs as) can read it, everyone else gets nothing. Keep it that way; zone files, and the managed DNSSEC keys under /var/named/dynamic, should not be world-readable.

Default options for the daemon are set in /etc/sysconfig/named.

I've just installed bind9 on my CentOS. The files matching /etc/named* can be listed like this:

[root@PersonlaZaletsky etc]# ls named*
named.conf named.iscdlv.key named.rfc1912.zones named.root.key

You can see that the following files were added:

 1. named.conf
 2. named.iscdlv.key
 3. named.rfc1912.zones
 4. named.root.key

And the content of /var/named/:

[root@PersonlaZaletsky etc]# ls /var/named/
data dynamic named.ca named.empty named.localhost named.loopback slaves

Let's analyze the default service unit: cat /usr/lib/systemd/system/named.service

[Unit]
Description=Berkeley Internet Name Domain (DNS)
Wants=nss-lookup.target
Wants=named-setup-rndc.service
Before=nss-lookup.target
After=network.target
After=named-setup-rndc.service

[Service]
Type=forking
EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/run/named/named.pid

ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named $OPTIONS

ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'

ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'

PrivateTmp=true

[Install]
WantedBy=multi-user.target

From this file you can learn what BIND stands for: Berkeley Internet Name Domain. You can also see that options are read from /etc/sysconfig/named, and that before the daemon starts, named-checkconf -z is run against /etc/named.conf: it parses the configuration and loads every zone, and if that fails the service does not start (unless DISABLE_ZONE_CHECKING=yes is set in the environment file). Note also that named is started as the unprivileged user named (-u named), and that reload and stop go through rndc, falling back to signals only if rndc fails.

Now let's see environment file:

[root@PersonlaZaletsky etc]# cat /etc/sysconfig/named
# BIND named process options
# ~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# OPTIONS="whatever" -- These additional options will be passed to named
# at startup. Don't add -t here, enable proper
# -chroot.service unit file.
#
# DISABLE_ZONE_CHECKING -- By default, service file calls named-checkzone
# utility for every zone to ensure all zones are
# valid before named starts. If you set this option
# to 'yes' then service file doesn't perform those
# checks.

Every option in it is commented out, so $OPTIONS in the unit's

ExecStart=/usr/sbin/named -u named $OPTIONS

expands to nothing and named is started with no extra arguments. Anything you put in OPTIONS="..." is passed straight to named; as the comment warns, do not add -t (chroot) here, because a dedicated chroot unit exists for that.

We can also query the state of the running server with rndc status:

[root@PersonlaZaletsky etc]# rndc status
version: 9.9.4-RedHat-9.9.4-38.el7_3.3 <id:8f9657aa>
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 101
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

Modes

Bind9 can run in the following modes (and a single server can combine them):

  • Caching (the CentOS default: a recursive resolver that resolves names starting from the root servers and caches the answers, restricted to localhost out of the box)
  • Forwarding (recursive queries are passed on to the other DNS servers listed in forwarders)
  • Master (authoritative for a zone, loaded from a local zone file)
  • Slave (authoritative for a zone, fetching its copy of the zone data from the master by zone transfer)

Configuring named.conf

Let's see what named.conf looks like before any changes:

[root@PersonlaZaletsky etc]# cat named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Some comments regarding modifications.

By default named listens on port 53 only on the loopback addresses 127.0.0.1 and ::1, and allow-query restricts queries to localhost, so the stock configuration is a caching resolver for the machine itself.

In this file I've set allow-query { localhost; any; }; in order to make bind listen to all queries.

To apply a change, use rndc reload (systemctl reload named runs the same command, as the unit file shows).

Configuring Zones

First, the pattern for declaring a forward zone in the named.conf file:

zone "yz.com" IN {
    type master;
    file "db.yz";
    allow-update { none; };
};

Take note of the semicolons: every statement ends with one, including the address list inside allow-update and the closing brace of the zone block. IN is the class (Internet). allow-update { none; } refuses dynamic updates; that is already BIND's default for a master zone, but stating it makes the intent explicit. The file name is relative to the directory option, so this is /var/named/db.yz.

Now the reverse zone pattern for the 10.0.2.0/24 network:

zone "2.0.10.in-addr.arpa" IN {
    type master;
    file "db.10.0.2";
    allow-update { none; };
};

The zone name is the network octets written in reverse order under the suffix, which is always in-addr.arpa.

For debugging you can use named-checkconf. It parses the configuration file (add -z to load every zone as well, which is what the service unit does before starting named). A mistake is reported with the file and line, for example:

/etc/named.conf:56: missing ';' before '}'

If everything is in order it prints nothing and exits 0, so it is cheap to run before every rndc reload.
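named-checkconf only checks syntax. Two things it will happily accept are exactly what the comment block in the stock named.conf warns about and what the zone stanzas above leave implicit: allow-query { any; } on a reachable interface with recursion yes (an open resolver), and a master or slave zone with no allow-transfer at all (BIND's default is { any; }, so anyone can dump the zone with AXFR). The following script is an added example, not part of the original post or of BIND: a small lint that reads the options block and the zone stanzas with BIND 9.9's documented defaults filled in, and shows the weak configuration next to the restricted one. The three configs inside it are constructed for illustration; the 10.0.2.0/24 ACL and the 10.0.2.53 slave address are assumptions.

```python
"""Lint a named.conf for two things named-checkconf does not flag: the
open-resolver pattern (recursion on, allowed from 'any', listening beyond
loopback) and master/slave zones whose transfers fall back to BIND's
allow-transfer default of { any; }.  Added example, not the page's code;
the configs at the bottom are constructed (the 10.0.2.x ACLs are assumed)."""
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost", "none"}

def strip_comments(text):
    """Drop the three comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def brace_body(text, open_idx):
    """Text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def block_body(text, name):
    """Body of the top-level `name { ... }` block, '' if absent."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{", text)
    return brace_body(text, m.end() - 1) if m else ""

def address_list(body, stmt):
    """Address list of `stmt ... { a; b; };`, None when the statement is absent."""
    m = re.search(r"(?<![\w-])" + re.escape(stmt) + r"(?![\w-])[^{;]*\{([^}]*)\}", body)
    return [t.strip() for t in m.group(1).split(";") if t.strip()] if m else None

def analyse(conf):
    """Open-resolver check, with BIND 9.9's documented defaults filled in."""
    body = block_body(strip_comments(conf), "options")
    rec = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", body)
    recursive = rec is None or rec.group(1) == "yes"            # default: yes
    listen = ((address_list(body, "listen-on") or ["any"]) +    # default: all IPv4
              (address_list(body, "listen-on-v6") or ["none"]))  # default: no IPv6
    # allow-recursion falls back to allow-query-cache, then allow-query,
    # then { localhost; localnets; }
    recur = address_list(body, "allow-recursion")
    if recur is None:
        recur = address_list(body, "allow-query-cache")
    if recur is None:
        recur = address_list(body, "allow-query") or ["localhost", "localnets"]
    exposed = any(t not in LOOPBACK for t in listen)
    from_any = "any" in recur
    return {"recursive": recursive, "exposed": exposed, "recursion_from_any": from_any,
            "open_resolver": recursive and exposed and from_any}

def zone_findings(conf):
    """Master/slave zones anyone can AXFR (no allow-transfer anywhere, or 'any')."""
    text = strip_comments(conf)
    default_xfer = address_list(block_body(text, "options"), "allow-transfer") or ["any"]
    findings = []
    for m in re.finditer(r'(?<![\w-])zone\s+"([^"]+)"[^{;]*\{', text):
        name, body = m.group(1), brace_body(text, m.end() - 1)
        kind = re.search(r"(?<![\w-])type\s+(\w+)\s*;", body)
        if (kind and kind.group(1) in ("master", "slave")
                and "any" in (address_list(body, "allow-transfer") or default_xfer)):
            findings.append('zone "%s": transfers allowed from any' % name)
    return findings

# The stock CentOS options, reduced to the statements that matter here.
STOCK = """
options {
    listen-on port 53 { 127.0.0.1; };  listen-on-v6 port 53 { ::1; };
    allow-query { localhost; };  recursion yes;
};
zone "." IN { type hint; file "named.ca"; };
"""
# allow-query widened to any and listen-on opened to serve other hosts: a
# recursive resolver anyone can reach, and a zone anyone can dump.
OPEN = """
options {
    listen-on port 53 { any; };
    allow-query { localhost; any; };  recursion yes;
};
zone "yz.com" IN { type master; file "db.yz"; allow-update { none; }; };
"""
# Same reachability, but recursion and transfers limited to named ACLs.
HARDENED = """
acl "trusted" { 127.0.0.1; ::1; 10.0.2.0/24; };   // assumed LAN
acl "secondaries" { 10.0.2.53; };                 // assumed slave server
options {
    listen-on port 53 { any; };
    allow-query { any; };            // authoritative answers for everyone
    allow-recursion { trusted; };    // cache only for the LAN
    allow-transfer { none; };        // no AXFR unless a zone allows it
    recursion yes;
};
zone "yz.com" IN {
    type master;  file "db.yz";  allow-update { none; };
    allow-transfer { secondaries; };
};
"""
```

Point analyse() and zone_findings() at the text of your own /etc/named.conf after named-checkconf passes. The HARDENED block is the shape to aim for when a server must answer the network: authoritative answers for everyone, recursion only for your own address ranges, and transfers only to your secondaries.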

Creating zone datafile

$TTL 5h

This directive sets the default time to live (5 hours) for every record in the file that does not carry its own TTL; it is how long other resolvers may cache the answer.

$ORIGIN yz.com.

This directive sets the domain appended to every name in the file that does not end with a dot. Note the trailing dot: names without it are relative, so a record written as yz.com here would really mean yz.com.yz.com. The apex of the zone is written as @ (or as the full name with the trailing dot).

@ IN SOA m1.yz.com. root.yz.com. (
    2016122105 ; Serial
    8h         ; Refresh
    4h         ; Retry
    1w         ; Expire
    1h         ; Negative TTL
)
@ IN NS m1.yz.com.

The opening parenthesis has to sit on the SOA line itself; it is what lets the remaining fields continue over several lines. m1.yz.com. is the primary name server and root.yz.com. is the hostmaster mailbox (root@yz.com with the @ replaced by a dot). The serial follows the YYYYMMDDnn convention; a slave only transfers the zone again when the serial has increased, so bump it on every edit. Refresh, retry and expire tell slaves how often to check the master, how soon to retry after a failed check, and when to stop serving a zone they could not refresh; the last value is the TTL for negative (NXDOMAIN) answers. A zone is not valid without at least one NS record at the apex, and named-checkzone also insists that an in-zone name server such as m1 has an A (or AAAA) record in the file, so add one with the server's address.

Of course, zone files can be checked with a utility too: named-checkzone, which takes the zone name and the file name.

Here is an example of how I validated my zone file:

named-checkzone yz.com db.yz

Here is the response:

[root@PersonlaZaletsky named]# named-checkzone yz.com db.yz
zone yz.com/IN: loaded serial 2017051814
OK

"loaded serial" confirms the serial that slaves will compare against theirs. If the file has a problem (no NS record, a record that does not parse, a relative name that picked up $ORIGIN twice) it is reported with the line number and the command exits non-zero.
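Writing the forward file and its reverse twin by hand is where serial and trailing-dot mistakes creep in, so here is an added example (not from the original post) that generates both files from one host table: the YYYYMMDDnn serial is bumped so it never goes backwards, every name in the SOA and every PTR target is fully qualified, and the reverse owner names are just the last octet, relative to the 2.0.10.in-addr.arpa. origin. The zone name, SOA names, timers and the 10.0.2 prefix are the page's; the host table and its 10.0.2.x addresses are constructed.

```python
"""Build a forward zone file and the matching reverse (in-addr.arpa) zone
file from one host table, with a YYYYMMDDnn serial.  Added example, not
from the page: the zone name, SOA names, timers and the 10.0.2 prefix are
the page's; the host table and its addresses are constructed."""
import datetime

ORIGIN = "yz.com."
PRIMARY_NS = "m1"            # m1.yz.com., the SOA MNAME used on the page
HOSTMASTER = "root"          # root.yz.com. means root@yz.com
NETWORK = "10.0.2"           # the /24 behind the page's 2.0.10.in-addr.arpa zone
SOA_TIMERS = ("8h", "4h", "1w", "1h")     # refresh, retry, expire, negative TTL
HOSTS = {                    # constructed sample data (assumed addresses)
    "m1": "10.0.2.10",
    "www": "10.0.2.20",
    "mail": "10.0.2.25",
}


def next_serial(current, today=None):
    """Next YYYYMMDDnn serial.  A new day restarts nn at 01; the same day
    (or a serial already ahead of today) just increments, so the serial
    never goes backwards: slaves only transfer when it increases."""
    today = today or datetime.date.today().strftime("%Y%m%d")
    base = int(today) * 100
    if current < base:
        return base + 1
    if current % 100 >= 99:
        raise ValueError("serial %d: more than 99 edits on one day" % current)
    return current + 1


def reverse_zone_name(prefix):
    """'10.0.2' -> '2.0.10.in-addr.arpa.': octets reversed, suffix in-addr.arpa."""
    return ".".join(reversed(prefix.split("."))) + ".in-addr.arpa."


def soa_header(zone, serial):
    """$TTL, $ORIGIN, the SOA and the apex NS record every zone must have."""
    refresh, retry, expire, neg_ttl = SOA_TIMERS
    mname = f"{PRIMARY_NS}.{ORIGIN}"       # fully qualified: trailing dot
    rname = f"{HOSTMASTER}.{ORIGIN}"
    return [
        "$TTL 5h",
        f"$ORIGIN {zone}",
        f"@\tIN\tSOA\t{mname} {rname} (",   # '(' must be on the SOA line
        f"\t\t{serial}\t; Serial",
        f"\t\t{refresh}\t; Refresh",
        f"\t\t{retry}\t; Retry",
        f"\t\t{expire}\t; Expire",
        f"\t\t{neg_ttl} )\t; Negative TTL",
        f"@\tIN\tNS\t{mname}",
    ]


def forward_zone(serial, hosts=HOSTS):
    """db.yz: one A record per host, owner names relative to $ORIGIN."""
    lines = soa_header(ORIGIN, serial)
    lines += [f"{name}\tIN\tA\t{ip}" for name, ip in sorted(hosts.items())]
    return "\n".join(lines) + "\n"


def reverse_zone(serial, hosts=HOSTS, network=NETWORK):
    """db.10.0.2: one PTR per host.  The owner is the last octet, which
    $ORIGIN expands to e.g. 10.2.0.10.in-addr.arpa.; the target must be
    fully qualified or it would get the reverse origin appended."""
    lines = soa_header(reverse_zone_name(network), serial)
    records = []
    for name, ip in hosts.items():
        net, host = ip.rsplit(".", 1)
        if net != network:
            raise ValueError(f"{name} ({ip}) is outside {network}.0/24")
        records.append((int(host), f"{host}\tIN\tPTR\t{name}.{ORIGIN}"))
    lines += [rec for _, rec in sorted(records)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    serial = next_serial(2017051814)      # the serial from the page's checkzone run
    print(forward_zone(serial))
    print(reverse_zone(serial))
```

Save the two outputs as /var/named/db.yz and /var/named/db.10.0.2 and run named-checkzone yz.com db.yz and named-checkzone 2.0.10.in-addr.arpa db.10.0.2 exactly as above; both pass because the apex NS record and the address record for m1 are present.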
