Setting Up A BIND Domain Name Server on CentOS 5.3

BIND (i.e. named) : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server.

Author : j0zf 2009.8.24

[] Setup your hostname
    cp /etc/sysconfig/network /etc/sysconfig/network_bakTHEDATE #backup
    vi /etc/sysconfig/network
        <> Modify Line :
    hostname  #this will set your hostname
    hostname  #check to see if it set correctly
[] Set your server time
    cp -f /etc/localtime /etc/localtime_bakTHEDATE  #backup
    ln -sf /usr/share/zoneinfo/PST8PDT /etc/localtime  #(centos 5.3 specific, lookup in your docs) substitute desired timezone file
    date  #verify the time is what you were expecting
        <> Note : you may need to restart several services such as apache, named, etc. (reboot if you're not sure)

[] Setup your resolver file
    cp /etc/resolv.conf /etc/resolv.conf_bakTHEDATE  #backup
    vi /etc/resolv.conf  #Add in your gateways preferred nameservers
    *** FILE : /etc/resolv.conf ***
    *** EOF : /etc/resolv.conf ***

[] Configure Firewall (iptables)
    cp /etc/sysconfig/iptables /etc/sysconfig/iptables_bakTHEDATE  #backup
    vi /etc/sysconfig/iptables
        <> Add rules for BIND (port 53) and RNDC (port 953). See commented sections in my iptables file example below.
    *** FILE : /etc/sysconfig/iptables ***
    # Firewall configuration written by system-config-securitylevel
    # Manual customization of this file is not recommended.
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 5353 -d -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -s -d --dport 953 -j ACCEPT

    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    *** EOF : /etc/sysconfig/iptables ***

    service iptables restart  #restart iptables so your firewall changes are applied
[] Install BIND (named) and RNDC
    yum install bind bind-chroot bind-libs bind-utils caching-nameserver #install required packages
[] Configure BIND (named) and RNDC
    cd /var/named/chroot/etc  #The following operations should be done in this folder.
    cp rndc.key rndc.key_bakTHEDATE  #Backup the old key if the file already exists.
    rndc-confgen > rndc.key  #Generate a keyfile for rndc.
    chown root:named rndc.key  #Set permissions
    chmod 640 rndc.key
    cp rndc.key rndc.conf
    chown root:named rndc.conf
    chmod 640 rndc.conf
    vi rndc.conf
        <> Edit your rndc.conf file so it looks basically like the following file.
    *** FILE : /var/named/chroot/etc/rndc.conf ***
    # Start of rndc.conf
    key "rndckey" {
            algorithm hmac-md5;
            secret "[ keep this part secret ]";
    options {
            default-key "rndckey";
            default-port 953;
    # End of rndc.conf    
    *** EOF : /var/named/chroot/etc/rndc.conf ***
    ##commands - edit rndc.key file
    cp rndc.key rndc.key_20091027
    vi rndc.key  ##Now edit the KEY file.
        <> Edit your rndc.key file so has only the "key" section in it.

    *** FILE : /var/named/chroot/etc/rndc.key ***
    key "rndckey" {
            algorithm hmac-md5;
            secret "[ keep this part secret ]";
    *** EOF : /var/named/chroot/etc/rndc.key ***
    ##commands - create and edit named.conf
    touch named.conf
    chown root:named named.conf
    chmod 640 named.conf
    vi named.conf
        <> Make sure you replace [STUFF] in the "allow-recursion" section with the ip-addresses of your server.
    *** FILE : /var/named/chroot/etc/named.conf ***
    // Began [TODAYS DATE]
    include "/etc/rndc.key";
    controls {
            inet allow { localhost; } keys { "rndckey"; };
    options {
            allow-transfer {; };
            allow-recursion {; };
            directory "/var/named";
            pid-file "/var/run/named/";
            dump-file "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            // query-source address * port 53;
    // a caching only nameserver config
    zone "." IN {
            type hint;
            file "/var/named/";
    zone "localdomain" IN {
            type master;
            file "/var/named/";
            allow-update { none; };
    zone "localhost" IN {
            type master;
            file "/var/named/";
            allow-update { none; };
    zone "" IN {
            type master;
            file "/var/named/named.local";
            allow-update { none; };
    zone "" IN {
            type master;
            file "/var/named/named.ip6.local";
            allow-update { none; };
    zone "" IN {
            type master;
            file "/var/named/named.broadcast";
            allow-update { none; };
    zone "" IN {
            type master;
            file "/var/named/";
            allow-update { none; };
    // LOCAL ZONES /////////////////////////////////////////////////////////////////
    // your websites and other named-servers will go below here.
    *** EOF : /var/named/chroot/etc/named.conf ***
    ln -s /var/named/chroot/etc/named.conf /etc/named.conf
    ln -s /var/named/chroot/etc/rndc.conf /etc/rndc.conf
    ln -s /var/named/chroot/etc/rndc.key /etc/rndc.key
    chkconfig --levels 35 named on  #This will make it so BIND starts at boot time.
    service named start  #This will turn the BIND daemon service on now.

[] Setting up website zone files

    ##commands - setting up sites folder
    mkdir /var/named/chroot/var/named/sites
    chown root:named /var/named/chroot/var/named/sites
    chmod 750 /var/named/chroot/var/named/sites
    ln -s /var/named/chroot/var/named/sites /var/named/sites
    ##commands - create the zone file
    cd /var/named/chroot/var/named/sites
        <> Make sure you replace "yoursite" with yoursite.
        <> If you need more info on this google "bind zone files" and read up on them.
        <> This is an example zone file only, you may have differing needs. rtfm.

    *** FILE : /var/named/chroot/var/named/sites/ ***
    ; Zone File for
    $TTL 14400
    @       86400   IN      SOA (
                2009102701      ; serial, todays date+todays
                86400           ; refresh, seconds
                7200            ; retry, seconds
                1814400         ; expire, seconds
                86400 )         ; minimum, seconds
                                                       86400   IN      NS                86400   IN      NS            14400   IN      A       [first ip address of the server]            14400   IN      A       [2nd ip address of the server]                14400   IN      A       [main ip address of the server]
    *          14400   IN      A       [ip address, only include this line if you're doing wildcard 3rd level domains]      14400   IN      A                14400   IN      MX      0
    www                          14400   IN      CNAME
    ftp                          14400   IN      CNAME
    mail                         14400   IN      CNAME
    webmail                      14400   IN      CNAME
    *** EOF : /var/named/chroot/var/named/sites/ ***    
    ##commands - add the entry into the named.conf file
    cp /etc/named.conf /etc/named.conf_bakTHEDATE  #backup
    vi /etc/named.conf
        <> Add the following "file snippet" to the end of your named.conf file. (be sure to replace with your domain name)
    *** FILE SNIPPET : /etc/named.conf ***
    zone "" {
            type master;
            file "/var/named/sites/";
    *** END FILE SNIPPET : /etc/named.conf ***
    service named restart  #Restart BIND so it'll resource your configuration files.
Joseph Frazier | Create Your Badge

This page has been visited 12,347 times since October 28th, 2009

This is an ApogeeInvent Dynamic Website