Setting Up A BIND Domain Name Server on CentOS 5.3
BIND (i.e. named) : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server.
Author : j0zf 2009.8.24
[] Setup your hostname
##commands
cp /etc/sysconfig/network /etc/sysconfig/network_bakTHEDATE #backup
vi /etc/sysconfig/network
<> Modify Line : HOSTNAME=to-your.hostname.com
##commands
hostname to-your.hostname.com #this will set your hostname
hostname #check to see if it set correctly
[] Set your server time
##commands
cp -f /etc/localtime /etc/localtime_bakTHEDATE #backup
ln -sf /usr/share/zoneinfo/PST8PDT /etc/localtime #(centos 5.3 specific, lookup in your docs) substitute desired timezone file
date #verify the time is what you were expecting
<> Note : you may need to restart several services such as apache, named, etc. (reboot if you're not sure)
[] Setup your resolver file
##commands
cp /etc/resolv.conf /etc/resolv.conf_bakTHEDATE #backup
vi /etc/resolv.conf #Add your gateway's preferred nameservers
*** FILE : /etc/resolv.conf ***
nameserver 4.2.2.1
nameserver 4.2.2.2
*** EOF : /etc/resolv.conf ***
[] Configure Firewall (iptables)
##commands
cp /etc/sysconfig/iptables /etc/sysconfig/iptables_bakTHEDATE #backup
vi /etc/sysconfig/iptables
<> Add rules for BIND (port 53) and RNDC (port 953); see the commented sections in my iptables file example below. Note that the RNDC rule only accepts connections from 127.0.0.1, so the control channel is not reachable from the network — keep it that way.
*** FILE : /etc/sysconfig/iptables ***
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
# BIND DNS
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
# RNDC (FOR DNS)
-A RH-Firewall-1-INPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 953 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*** EOF : /etc/sysconfig/iptables ***
##commands
service iptables restart #restart iptables so your firewall changes are applied
[] Install BIND (named) and RNDC
##commands
yum install bind bind-chroot bind-libs bind-utils caching-nameserver #install required packages
[] Configure BIND (named) and RNDC
cd /var/named/chroot/etc #The following operations should be done in this folder.
cp rndc.key rndc.key_bakTHEDATE #Backup the old key if the file already exists.
rndc-confgen > rndc.key #Generate a keyfile for rndc. The file now holds the shared secret, which is why the ownership and mode are tightened next.
chown root:named rndc.key #Set permissions
chmod 640 rndc.key
cp rndc.key rndc.conf
chown root:named rndc.conf
chmod 640 rndc.conf
vi rndc.conf
<> Edit your rndc.conf file so it looks basically like the following file. (hmac-md5 is what rndc-confgen emits on this BIND version; it is a legacy algorithm, and newer BIND releases support hmac-sha256, which is preferable where available.)
*** FILE : /var/named/chroot/etc/rndc.conf ***
# Start of rndc.conf
key "rndckey" {
algorithm hmac-md5;
secret "[ keep this part secret ]";
};
options {
default-key "rndckey";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
*** EOF : /var/named/chroot/etc/rndc.conf ***
##commands - edit rndc.key file
cp rndc.key rndc.key_20091027
vi rndc.key ##Now edit the KEY file.
<> Edit your rndc.key file so it has only the "key" section in it.
*** FILE : /var/named/chroot/etc/rndc.key ***
key "rndckey" {
algorithm hmac-md5;
secret "[ keep this part secret ]";
};
*** EOF : /var/named/chroot/etc/rndc.key ***
##commands - create and edit named.conf
touch named.conf
chown root:named named.conf
chmod 640 named.conf
vi named.conf
<> The "allow-recursion" list below only permits 127.0.0.1; if you add your server's own IP addresses to it, keep the list limited to addresses you control — an unrestricted allow-recursion turns this into an open resolver. "allow-transfer" is likewise restricted to 127.0.0.1; add only the addresses of your own secondary nameservers.
*** FILE : /var/named/chroot/etc/named.conf ***
// MAINTAINED BY [YOUR NAME]
// Began [TODAYS DATE]
include "/etc/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
};
options {
allow-transfer { 127.0.0.1; };
allow-recursion { 127.0.0.1; };
directory "/var/named";
pid-file "/var/run/named/named.pid";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
// query-source address * port 53;
};
//
// a caching only nameserver config
//
zone "." IN {
type hint;
file "/var/named/named.ca";
};
zone "localdomain" IN {
type master;
file "/var/named/localdomain.zone";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "/var/named/localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "/var/named/named.local";
allow-update { none; };
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "/var/named/named.ip6.local";
allow-update { none; };
};
zone "255.in-addr.arpa" IN {
type master;
file "/var/named/named.broadcast";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "/var/named/named.zero";
allow-update { none; };
};
// LOCAL ZONES /////////////////////////////////////////////////////////////////
// your websites and other named-servers will go below here.
*** EOF : /var/named/chroot/etc/named.conf ***
##commands
ln -s /var/named/chroot/etc/named.conf /etc/named.conf
ln -s /var/named/chroot/etc/rndc.conf /etc/rndc.conf
ln -s /var/named/chroot/etc/rndc.key /etc/rndc.key
chkconfig --levels 35 named on #This will make it so BIND starts at boot time.
service named start #This will turn the BIND daemon service on now.
[] Setting up website zone files
##commands - setting up sites folder
mkdir /var/named/chroot/var/named/sites
chown root:named /var/named/chroot/var/named/sites
chmod 750 /var/named/chroot/var/named/sites
ln -s /var/named/chroot/var/named/sites /var/named/sites
##commands - create the zone file
cd /var/named/chroot/var/named/sites
vi yoursite.com.db
<> Make sure you replace "yoursite.com" throughout with your own domain name.
<> If you need more info on this google "bind zone files" and read up on them.
<> This is an example zone file only, you may have differing needs. rtfm.
*** FILE : /var/named/chroot/var/named/sites/yoursite.com.db ***
; Zone File for yoursite.com
$TTL 14400
@ 86400 IN SOA ns1.yoursite.com. root.yoursite.com. (
2009102701 ; serial, today's date + a two-digit revision (YYYYMMDDnn); increase it every time you edit this file
86400 ; refresh, seconds
7200 ; retry, seconds
1814400 ; expire, seconds
86400 ) ; minimum, seconds
yoursite.com. 86400 IN NS ns1.yoursite.com.
yoursite.com. 86400 IN NS ns2.yoursite.com.
ns1.yoursite.com. 14400 IN A [first ip address of the server]
ns2.yoursite.com. 14400 IN A [2nd ip address of the server]
yoursite.com. 14400 IN A [main ip address of the server]
*.yoursite.com. 14400 IN A [ip address; include this line only if you want wildcard third-level names under yoursite.com]
localhost.yoursite.com. 14400 IN A 127.0.0.1
yoursite.com. 14400 IN MX 0 yoursite.com.
www 14400 IN CNAME yoursite.com.
ftp 14400 IN CNAME yoursite.com.
mail 14400 IN CNAME yoursite.com.
webmail 14400 IN CNAME yoursite.com.
*** EOF : /var/named/chroot/var/named/sites/yoursite.com.db ***
##commands - add the entry into the named.conf file
cp /etc/named.conf /etc/named.conf_bakTHEDATE #backup
vi /etc/named.conf
<> Add the following "file snippet" to the end of your named.conf file. (be sure to replace yoursite.com with your domain name)
*** FILE SNIPPET : /etc/named.conf ***
zone "yoursite.com" {
type master;
file "/var/named/sites/yoursite.com.db";
};
*** END FILE SNIPPET : /etc/named.conf ***
##commands
service named restart #Restart BIND so it re-reads your configuration files.