We are going to set up and configure the BIND DNS server on CentOS. We are going to configure it on the same VPS server where our web server is installed; this may not be the most viable solution for managing a large number of domains.
• Our DNS VPS system Details
o DNS VPS Hostname: server1.example.com
o DNS IP Address: 1.1.1.1
o Domain to configure: domain1.com
o Web server IP address: 2.2.2.2
• Preparation
o Make sure that your system is updated before proceeding with the installation:
§ yum update -y
• BIND Installation
o Now install the BIND and BIND Utilities packages:
§ yum install bind bind-utils -y
o Now open the BIND (named) configuration file and make a few modifications.
§ nano -w /etc/named.conf
o Sample '/etc/named.conf' configuration file:
options {
    #listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-transfer { localhost; };
    allow-query { any; };
    recursion no;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
o In the above sample configuration file, listen-on has been commented out so that named listens on all available IPv4 interfaces. Recursion is turned off so that your server cannot be abused in DNS "reflection" (amplification) DDoS attacks. The allow-transfer directive restricts who may pull a full copy of your zones; here it is limited to localhost, so replace that with the IP of your secondary nameserver if you run one. Furthermore, the allow-query directive has been changed to "any" so that everyone can query the hosted zones.
o Now add a zone for our domain to named.conf, below the existing zones, after which the configuration file looks like this:
options {
    #listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-transfer { localhost; };
    allow-query { any; };
    recursion no;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "domain1.com" IN {
    type master;
    file "domain1.com.zone";
    allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
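As an added example that is not part of this tutorial, here is a small shell audit for the two settings discussed above, recursion and allow-transfer. It reads a named.conf, ignores commented-out lines (so the #listen-on line above is not counted as active), and flags an open resolver (recursion yes without allow-recursion) or unrestricted zone transfers. The two sample configurations it writes are constructed for the example; the hardened one mirrors the options block above. It assumes each directive sits on a single line, as in this file.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: static audit of a
# named.conf for the settings the text discusses (recursion, allow-transfer).
# Assumption: each directive is written on a single line, as in the file above.

# Print one FINDING line per weak setting; return 0 only when none is found.
audit_named_conf() {
    conf="$1"
    findings=0
    # Drop //, # and single-line /* */ comments so that a commented-out
    # directive (like the #listen-on line above) is not counted as active.
    body=$(sed -e 's|//.*$||' -e 's|#.*$||' -e 's|/\*.*\*/||' "$conf")

    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*recursion[[:space:]]+yes[[:space:]]*;'; then
        if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*allow-recursion[[:space:]]*\{'; then
            echo "FINDING: recursion yes without allow-recursion: anyone can use this server as a resolver (reflection/amplification risk)"
            findings=$((findings + 1))
        fi
    fi

    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*allow-transfer[[:space:]]*\{'; then
        echo "FINDING: no allow-transfer directive: BIND of this era permits zone transfers (AXFR) to any host by default"
        findings=$((findings + 1))
    elif printf '%s\n' "$body" | grep -Eq '^[[:space:]]*allow-transfer[[:space:]]*\{[^}]*[{[:space:];]any[[:space:]]*;'; then
        echo "FINDING: allow-transfer { any; }: the whole zone can be downloaded by anyone"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Write two constructed sample configurations (a weak one and the hardened
# options block from the tutorial) into a temp dir and print the dir name.
make_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/weak.conf" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-transfer { any; };
};
EOF
    cat > "$dir/hardened.conf" <<'EOF'
options {
    #listen-on port 53 { 127.0.0.1; };
    directory "/var/named";
    allow-transfer { localhost; };
    allow-query { any; };
    recursion no;
};
EOF
    echo "$dir"
}

# Demo over the two samples when RUN_DEMO is set; otherwise only define functions.
if [ -n "${RUN_DEMO:-}" ]; then
    d=$(make_sample_configs)
    for f in "$d/weak.conf" "$d/hardened.conf"; do
        echo "== $f"
        audit_named_conf "$f" && echo "OK: no findings"
    done
fi
```

Source the script and run audit_named_conf /etc/named.conf on the server itself, or run it with RUN_DEMO=1 (the file name is yours to choose) to see both samples audited; the weak sample produces two findings, the hardened one none.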
• Configure BIND Zones
o Create the zone file, using the name you specified in the configuration above.
§ nano -w /var/named/domain1.com.zone
o Sample '/var/named/domain1.com.zone' configuration file:
$TTL 86400
@       IN SOA  ns1.domain1.com. root.domain1.com. (
        2013042201 ;Serial
        3600       ;Refresh
        1800       ;Retry
        604800     ;Expire
        86400      ;Minimum TTL
)
; Specify the nameserver for this zone
@       IN NS   ns1.domain1.com.
; Resolve the nameserver hostname to an IP; this is the DNS server's address
; (1.1.1.1 above), not the web server's
ns1     IN A    1.1.1.1
; Define hostname -> IP pairs which you wish to resolve
@       IN A    2.2.2.2
www     IN A    2.2.2.2
o Start named for the first time. This may take several minutes while named generates the rndc.key file, which only occurs on first execution.
§ service named restart
o Once named has started successfully, make sure it is enabled as a startup service by running the following:
§ chkconfig named on
o Now we have a fully operational primary nameserver. You can verify that BIND is working correctly by running the following command, replacing 1.1.1.1 with the IP of your DNS VPS.
§ dig @1.1.1.1 domain1.com
o After any changes you make to the master zone files, you will need to instruct BIND to reload. To reload the zone files, we need to run the following command on the master nameserver:
§ rndc reload
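As an added example that is not part of this tutorial, the following shell helper wraps the edit/reload/verify cycle described in the steps above: it bumps the SOA serial (the YYYYMMDDnn convention the serial 2013042201 follows; a secondary only pulls a changed zone when the serial has increased), validates the zone with named-checkzone when that tool is installed, reloads the zone through rndc, and inspects a dig answer for the aa flag and the absence of the ra flag, which is how you confirm from the outside that the server is authoritative and that recursion is really off. The sample zone file and the two dig headers are constructed for the example; the server address and zone name are whatever you pass to deploy_zone.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: helper for the
# "edit zone, reload, verify" cycle. The sample zone file and the two dig
# headers below are constructed; paths follow the tutorial's layout.

# Next SOA serial in YYYYMMDDnn form (the tutorial's 2013042201 uses it).
# Takes the old serial and an optional YYYYMMDD date (defaults to today).
# The result is always greater than the old serial, which is what a
# secondary checks before it pulls a changed zone.
next_serial() {
    old="$1"
    today="${2:-$(date +%Y%m%d)}"
    case "$old" in
        "$today"*) echo $((old + 1)) ;;
        *) if [ "$old" -ge "${today}01" ]; then echo $((old + 1)); else echo "${today}01"; fi ;;
    esac
}

# Replace the serial on the line tagged ";Serial" (the tutorial's layout)
# and print the new value. The optional date argument is only for testing.
bump_serial() {
    zone="$1"
    old=$(awk '/;[[:space:]]*Serial/ { print $1; exit }' "$zone")
    [ -n "$old" ] || { echo "no ;Serial line found in $zone" >&2; return 1; }
    new=$(next_serial "$old" "${2:-}")
    tmp="$zone.tmp.$$"
    # Write to a temp file first so a failed sed never leaves a half-written zone.
    sed "s/^\([[:space:]]*\)$old\([[:space:]]*;[[:space:]]*Serial\)/\1$new\2/" "$zone" > "$tmp" \
        && mv "$tmp" "$zone"
    echo "$new"
}

# Syntax-check before reloading: a zone that fails to load is dropped by
# named and every query for it then fails, so catch the error here instead.
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed; skipping syntax check" >&2
    fi
}

reload_zone() {
    if command -v rndc >/dev/null 2>&1; then rndc reload "$1"; else echo "rndc not installed" >&2; fi
}

# Inspect a dig answer: NOERROR, 'aa' set (we are authoritative for the name),
# 'ra' not set (recursion off, so the server is not an open resolver).
dig_is_authoritative_non_recursive() {
    out="$1"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    [ "$status" = "NOERROR" ] || return 1
    case " $flags " in *" aa "*) ;; *) return 1 ;; esac
    case " $flags " in *" ra "*) return 1 ;; esac
    return 0
}

# Constructed dig header lines: a correct answer, and what an open resolver
# would return for the same query (note the extra 'ra' flag).
SAMPLE_DIG_GOOD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_DIG_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1'

# Constructed copy of the tutorial's zone file for offline use; prints its path.
make_sample_zone() {
    dir=$(mktemp -d)
    cat > "$dir/domain1.com.zone" <<'EOF'
$TTL 86400
@ IN SOA ns1.domain1.com. root.domain1.com. (
        2013042201 ;Serial
        3600       ;Refresh
        1800       ;Retry
        604800     ;Expire
        86400      ;Minimum TTL
)
@   IN NS ns1.domain1.com.
ns1 IN A  1.1.1.1
@   IN A  2.2.2.2
www IN A  2.2.2.2
EOF
    echo "$dir/domain1.com.zone"
}

# Full cycle on a live server: deploy_zone <zone name> <zone file> <server IP>
deploy_zone() {
    bump_serial "$2" >/dev/null && check_zone "$1" "$2" && reload_zone "$1" || return 1
    if command -v dig >/dev/null 2>&1; then
        dig_is_authoritative_non_recursive "$(dig "@$3" "$1" A)" \
            && echo "OK: $3 answers authoritatively for $1 and is not an open resolver" \
            || { echo "CHECK FAILED: inspect dig @$3 $1" >&2; return 1; }
    fi
}
```

On the master nameserver, source the script and run deploy_zone domain1.com /var/named/domain1.com.zone 1.1.1.1 after each edit; a missing aa flag usually means the zone failed to load (check named-checkzone output), while an ra flag in the answer means recursion is still enabled in named.conf.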
• BIND in a chroot environment
o It is generally advised to install the additional package "bind-chroot", which confines the named process to a chroot environment so that a compromised named can only reach the files inside it. If you would like to enable this feature for the added security it provides, do the following:
§ yum install bind-chroot -y
§ service named restart
• Configuring child name server
o We need to register the child name server (ns1.domain1.com with its IP) at the registrar so that it is reachable by everyone over the internet.
o Log in to the domain control panel at http://store.domainsgofast.com/customer
o Search for the order under Domains in the control panel and click on the domain name.
o On the page that appears you will see a Child Name Server section; click on it.
o Enter the prefix (for example ns1) in the hostname field and the IP address in the second field, then click Submit.
Here we are done, and we now have a working DNS server.