Setting Up A BIND Domain Name Server on CentOS 5.3

BIND (i.e. named) : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server.

Author : j0zf 2009.8.24

[] Setup your hostname
    ##commands
    cp /etc/sysconfig/network /etc/sysconfig/network_bakTHEDATE #backup
    vi /etc/sysconfig/network
        <> Modify Line : HOSTNAME=to-your.hostname.com
    ##commands
    hostname to-your.hostname.com  #this will set your hostname
    hostname  #check to see if it set correctly
    
[] Set your server time
    ##commands
    cp -f /etc/localtime /etc/localtime_bakTHEDATE  #backup
    ln -sf /usr/share/zoneinfo/PST8PDT /etc/localtime  #(centos 5.3 specific, lookup in your docs) substitute desired timezone file - PST8PDT is just the author's zone
    date  #verify the time is what you were expecting; a correct clock matters for matching up log entries across services
        <> Note : you may need to restart several services such as apache, named, etc. (reboot if you're not sure)

[] Setup your resolver file
    ##commands
    cp /etc/resolv.conf /etc/resolv.conf_bakTHEDATE  #backup
    vi /etc/resolv.conf  #Add in your gateways preferred nameservers
    
    *** FILE : /etc/resolv.conf ***
    # resolvers used by this host's own lookups (not related to what BIND serves)
    # 4.2.2.1 / 4.2.2.2 are example public resolvers - replace them with the
    # nameservers your gateway/provider gives you, as the step above says
    nameserver 4.2.2.1
    nameserver 4.2.2.2
    *** EOF : /etc/resolv.conf ***

[] Configure Firewall (iptables)
    ##commands
    cp /etc/sysconfig/iptables /etc/sysconfig/iptables_bakTHEDATE  #backup
    vi /etc/sysconfig/iptables  #this is the rule set "service iptables" loads at boot and on restart
        <> Add rules for BIND (port 53) and RNDC (port 953). See commented sections in my iptables file example below.
        
    *** FILE : /etc/sysconfig/iptables ***
    # Firewall configuration written by system-config-securitylevel
    # Manual customization of this file is not recommended.
    # (this copy IS customized by hand for BIND - re-running the tool would overwrite the rules below)
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    # all loopback traffic is accepted here (this already covers the rndc rule further down)
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    # IPsec (ESP = protocol 50, AH = protocol 51), mDNS (udp 5353) and IPP/CUPS (631)
    # are the stock system-config-securitylevel defaults; BIND needs none of them,
    # so drop the ones this host does not actually use
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

# BIND DNS
# port 53 has to be reachable from anywhere for an authoritative server;
# recursion is limited separately by allow-recursion in named.conf, not here
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT

# RNDC (FOR DNS)
# rndc only from localhost; the "-i lo" rule above already accepts this traffic,
# so this rule is belt-and-braces that documents the intent
-A RH-Firewall-1-INPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 953 -j ACCEPT

    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ssh
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    # everything not matched above is rejected
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    *** EOF : /etc/sysconfig/iptables ***

    ##commands
    service iptables restart  #restart iptables so your firewall changes are applied
    
[] Install BIND (named) and RNDC
    ##commands
    yum install bind bind-chroot bind-libs bind-utils caching-nameserver #install required packages
    
[] Configure BIND (named) and RNDC
    cd /var/named/chroot/etc  #The following operations should be done in this folder.
    cp rndc.key rndc.key_bakTHEDATE  #Backup the old key if the file already exists.
    rndc-confgen > rndc.key  #Generate a keyfile for rndc.
    chown root:named rndc.key  #Set permissions
    chmod 640 rndc.key
    cp rndc.key rndc.conf
    chown root:named rndc.conf
    chmod 640 rndc.conf
    vi rndc.conf
        <> Edit your rndc.conf file so it looks basically like the following file.
        
    *** FILE : /var/named/chroot/etc/rndc.conf ***
    # Start of rndc.conf
    # Shared secret rndc uses to authenticate to named. It must be identical to
    # the key clause in rndc.key, which named.conf includes.
    key "rndckey" {
            # hmac-md5 is what rndc-confgen produced here; newer BIND releases also
            # accept hmac-sha256 - prefer that where the installed version supports it
            algorithm hmac-md5;
            secret "[ keep this part secret ]";
    };
    
    options {
            default-key "rndckey";
            # rndc only talks to the local control channel (matches the controls
            # statement in named.conf)
            default-server 127.0.0.1;
            default-port 953;
    };
    # End of rndc.conf    
    *** EOF : /var/named/chroot/etc/rndc.conf ***
    
    ##commands - edit rndc.key file
    cp rndc.key rndc.key_20091027
    vi rndc.key  ##Now edit the KEY file.
        <> Edit your rndc.key file so it has only the "key" section in it.

    *** FILE : /var/named/chroot/etc/rndc.key ***
    # rndc.key - only the key clause. named.conf includes this file, so the
    # secret here must match the one in rndc.conf; keep it 640 root:named.
    key "rndckey" {
            algorithm hmac-md5;
            secret "[ keep this part secret ]";
    };    
    *** EOF : /var/named/chroot/etc/rndc.key ***
    
    ##commands - create and edit named.conf
    touch named.conf
    chown root:named named.conf
    chmod 640 named.conf
    vi named.conf
        <> Make sure the "allow-recursion" list contains only the ip-addresses of your own server (the example below uses 127.0.0.1).
    
    *** FILE : /var/named/chroot/etc/named.conf ***
    // MAINTAINED BY [YOUR NAME]
    // Began [TODAYS DATE]
    //
    // This file lives in /var/named/chroot/etc. With bind-chroot installed the
    // paths below are presumably resolved inside that chroot (so "/etc/rndc.key"
    // is /var/named/chroot/etc/rndc.key) - confirm against /etc/sysconfig/named.
    
    // the rndc shared secret lives in its own 640 root:named file
    include "/etc/rndc.key";
    
    // rndc control channel: local connections only, authenticated with rndckey
    controls {
            inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
    };
    
    options {
            // zone transfers (AXFR) only to localhost; list a secondary's address
            // here only if it runs on another host
            allow-transfer { 127.0.0.1; };
            // recursive lookups only for this host itself. Do not widen this to
            // "any": the server would become an open resolver usable by anyone.
            allow-recursion { 127.0.0.1; };
            // working directory and data files (chroot-relative)
            directory "/var/named";
            pid-file "/var/run/named/named.pid";
            dump-file "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            // leave the next line commented out: pinning the query source port
            // disables the source-port randomization a patched BIND uses to make
            // cache poisoning harder
            // query-source address * port 53;
    };
    
    //
    // a caching only nameserver config: root hints plus the localhost / reverse /
    // broadcast zones every server answers locally. Your own zones go under
    // LOCAL ZONES at the bottom.
    //
    
    zone "." IN {
            // root hints - where recursion starts
            type hint;
            file "/var/named/named.ca";
    };
    
    zone "localdomain" IN {
            type master;
            file "/var/named/localdomain.zone";
            allow-update { none; };
    };
    
    zone "localhost" IN {
            type master;
            file "/var/named/localhost.zone";
            allow-update { none; };
    };
    
    zone "0.0.127.in-addr.arpa" IN {
            type master;
            file "/var/named/named.local";
            allow-update { none; };
    };
    
    zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
            type master;
            file "/var/named/named.ip6.local";
            allow-update { none; };
    };
    
    zone "255.in-addr.arpa" IN {
            type master;
            file "/var/named/named.broadcast";
            allow-update { none; };
    };
    
    zone "0.in-addr.arpa" IN {
            type master;
            file "/var/named/named.zero";
            allow-update { none; };
    };
    
    // LOCAL ZONES /////////////////////////////////////////////////////////////////
    // your websites and other named-servers will go below here.
    // (keep allow-update { none; } on them too unless you really use dynamic updates)
    *** EOF : /var/named/chroot/etc/named.conf ***
    
    ##commands
    ln -s /var/named/chroot/etc/named.conf /etc/named.conf
    ln -s /var/named/chroot/etc/rndc.conf /etc/rndc.conf
    ln -s /var/named/chroot/etc/rndc.key /etc/rndc.key
    chkconfig --levels 35 named on  #This will make it so BIND starts at boot time.
    service named start  #This will turn the BIND daemon service on now.

[] Setting up website zone files

    ##commands - setting up sites folder
    mkdir /var/named/chroot/var/named/sites
    chown root:named /var/named/chroot/var/named/sites
    chmod 750 /var/named/chroot/var/named/sites
    ln -s /var/named/chroot/var/named/sites /var/named/sites
    
    ##commands - create the zone file
    cd /var/named/chroot/var/named/sites
    vi yoursite.com.db
        <> Make sure you replace "yoursite.com" with your own domain name.
        <> If you need more info on this google "bind zone files" and read up on them.
        <> This is an example zone file only, you may have differing needs. rtfm.

    *** FILE : /var/named/chroot/var/named/sites/yoursite.com.db ***
    ; Zone File for yoursite.com
    $TTL 14400
    @       86400   IN      SOA     ns1.yoursite.com.     root.yoursite.com. (
                2009102701      ; serial, todays date+todays
                86400           ; refresh, seconds
                7200            ; retry, seconds
                1814400         ; expire, seconds
                86400 )         ; minimum, seconds
                                            
    yoursite.com.                86400   IN      NS      ns1.yoursite.com.
    yoursite.com.                86400   IN      NS      ns2.yoursite.com.
    ns1.yoursite.com.            14400   IN      A       [first ip address of the server]
    ns2.yoursite.com.            14400   IN      A       [2nd ip address of the server]
    yoursite.com.                14400   IN      A       [main ip address of the server]
    *.producttoweb.com.          14400   IN      A       [ip address, only include this line if you're doing wildcard 3rd level domains]
    localhost.yoursite.com.      14400   IN      A       127.0.0.1
    yoursite.com.                14400   IN      MX      0 yoursite.com.
    www                          14400   IN      CNAME   yoursite.com.
    ftp                          14400   IN      CNAME   yoursite.com.
    mail                         14400   IN      CNAME   yoursite.com.
    webmail                      14400   IN      CNAME   yoursite.com.
    *** EOF : /var/named/chroot/var/named/sites/yoursite.com.db ***    
    
    ##commands - add the entry into the named.conf file
    cp /etc/named.conf /etc/named.conf_bakTHEDATE  #backup (/etc/named.conf is the symlink made earlier; cp follows it and copies the real file)
    vi /etc/named.conf  #editing through the symlink edits the copy inside the chroot
        <> Add the following "file snippet" to the end of your named.conf file. (be sure to replace yoursite.com with your domain name)
        
    *** FILE SNIPPET : /etc/named.conf ***
    zone "yoursite.com" {
            type master;
            file "/var/named/sites/yoursite.com.db";
    };        
    *** END FILE SNIPPET : /etc/named.conf ***
    
    ##commands
    service named restart  #Restart BIND so it'll resource your configuration files.
   