Set up DNS service on CentOS 7

Source: Internet
Author: User
Tags dnssec


Document Description:

This document uses a case study to deploy the DNS service on CentOS 7. The case is only a summary of what I know about deploying DNS; it is not a production setup. In addition, the CentOS systems used here are all installed as VMware virtual machines. That is generally not a problem, but it is worth noting.

Case study:

Two VMware virtual machines are used in this case. CentOS 7 is installed on both (release 7.0.1406, kernel 3.10.0-123.el7.x86_64). One virtual machine simulates the master DNS server (its IP address is assumed to be ), and the other simulates the slave DNS server (its IP address is assumed to be ).

In addition, the campus network that the DNS servers belong to has its own registered domain name, , and hosts from any source are allowed to resolve that domain. When a host on the campus network needs to resolve an Internet domain name, the DNS server first checks its local cache; if the name is not found there, the request is forwarded to the ISP's DNS servers (for example and ) rather than to the root servers. Only resolution requests from intranet hosts are forwarded (the intranet CIDR block is assumed to be ); requests from Internet hosts are not.

Brief introduction to the DNS service:

The DNS service is provided by the BIND software. The service is named named, the management tool is rndc, and the debugging tool is dig. The main configuration file is /etc/named.conf.

To set up the DNS service in this case, follow these steps:

1. Install the BIND software in a chroot environment

Install the BIND software and run it in a chroot environment. You only need to install the bind-chroot package; the other packages (including BIND itself) are pulled in automatically as dependencies, so a single command suffices:

[root@localhost ~]# yum install bind-chroot

After the command runs, yum prompts you to install or upgrade the following packages:

After the installation is complete, start the named-chroot service and enable it at boot:

[root@localhost ~]# systemctl start named-chroot

[root@localhost ~]# systemctl enable named-chroot

After the preceding commands, verify the status of the named-chroot service with:

[root@localhost ~]# systemctl status named-chroot

2. Set up the configuration file /etc/named.conf on the primary DNS server

Back up the configuration file /etc/named.conf on the primary DNS server first:

[root@localhost ~]# cp -a /etc/named.conf /etc/named.conf.raw

Then modify its content as follows:

--------------------------------------------------------------------------------

options {
    listen-on port 53 { any; };                 // listen on port 53 for queries from any source IP address
    listen-on-v6 port 53 { ::1; };              // IPv6 listening port; keep the default because IPv6 is not used
    directory "/var/named";                     // working directory
    dump-file "/var/named/data/cache_dump.db";  // "rndc dumpdb" writes the cache database to this file
    statistics-file "/var/named/data/named_stats.txt";         // "rndc stats" writes statistics to this file
    memstatistics-file "/var/named/data/named_mem_stats.txt";  // memory usage data is recorded here
    allow-query { ; };          // only hosts on the intranet segment may query (authoritative data)
    recursion yes;              // enable the server's recursive query function
    allow-recursion { ; };      // only hosts on the intranet segment may issue recursive queries
    forward first;              // forward a query to the forwarders first, and recurse only if they fail
    forwarders { ; ; };         // the ISP's DNS servers; the local cache is checked before forwarding
    dnssec-enable no;           // DNSSEC settings: turned off here (the default is yes)
    dnssec-validation no;       // turned off (the default is yes)
    dnssec-lookaside no;        // turned off (the default is auto)
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named.pid";                  // default location of the named PID file
    session-keyfile "/run/named/session.key";   // path of the TSIG session key; keep the default
};

logging {                       // logging statement
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {                   // root zone statement
    type hint;                  // the hint type is used only for the root zone
    file "named.ca";            // root zone file, /var/named/named.ca
};

zone "speedsnail.com" IN {      // zone statement for the domain speedsnail.com
    type master;                // this server is the primary DNS server for the domain
    file " zone";               // zone file for the domain, stored as /var/named/ zone
    allow-transfer { ; };       // IP address of the slave DNS server for this domain
    allow-query { any; };       // resolution requests for this domain are allowed from any IP address
};

include "/etc/named.rfc1912.zones";   // zone statements can also be written in this file
include "/etc/named.root.key";        // key file of the root zone, used by DNSSEC

--------------------------------------------------------------------------------

3. Set up the zone file on the primary DNS server

Because the named.conf above defines a forward-resolution zone, you must also create the zone file for that domain. Create it in the working directory /var/named and fill it in as follows:

--------------------------------------------------------------------------------

$ORIGIN speedsnail.com.
$TTL 86400

; In the zone file, a semicolon starts a comment.
; When editing this file, note that a name without a trailing period is a host name relative to the
; origin, while a name with a trailing period is a FQDN ($ORIGIN itself excepted).
; $ORIGIN holds the domain name; the @ symbol below refers to this value. If it is not specified,
; the name given in the zone statement of the main configuration file is used.
; $TTL is the time to live: how long, in seconds, other DNS servers may keep a record from this zone
; in their cache after querying it.

@       IN  SOA  dns1.speedsnail.com. xie.speedsnail.com. (
                        ; serial
                        ; refresh
                        ; retry
                        ; expire
                        ; negative caching TTL
        )

; The two names after SOA are, respectively, the master DNS server host name and the administrator
; mailbox. Because @ has a special meaning, the mailbox is written with a period instead.
; The first parameter in the brackets is the serial number, which tells old and new copies of this
; file apart: the larger the serial, the newer the file. It must be increased every time the file is modified.
; The second parameter is the refresh interval, in seconds, at which the slave compares its copy with the master's.
; The third parameter is the retry time after a failed refresh, in seconds.
; The fourth parameter is the expiration time, in seconds.
; In BIND 9 the fifth parameter is how long other DNS servers may cache negative answers, in seconds.

@       IN  NS   dns1.speedsnail.com.
        IN  NS   dns2.speedsnail.com.
dns1    IN  A    
dns2    IN  A    

; Type NS defines the host name of a DNS server for the domain, whether it is the primary or the slave DNS.
; Type A defines the IP address of a host (such as dns1). If the address is IPv6, AAAA is required instead.

@       IN  MX   10 mail1.speedsnail.com.
        IN  MX   20 mail2.speedsnail.com.
mail1   IN  A    
mail2   IN  A    

; Type MX defines a mail server host name for the domain.
; The number after MX is the priority: the smaller the value, the higher the priority. Equal priorities
; can be used to balance load across several mail servers.

www     IN  CNAME servs.speedsnail.com.
ftp     IN  CNAME servs.speedsnail.com.
servs   IN  A    

; Type CNAME defines an alias. It is usually used when one host provides several services.
; With the settings here, a query for www or ftp is resolved to the IP address of the host servs.

travel  IN  A    

; As shown above, you can also set the IP address of a host directly (for example forum.speedsnail.com).
; You can also set several IP addresses for the same host.

--------------------------------------------------------------------------------
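The trailing-period rule and the serial-number rule above are the two places where hand-edited zone files most often go wrong: a relative NS or MX target silently becomes dns2.speedsnail.com.speedsnail.com., and a serial that is not increased leaves the slave serving stale data. The following checker is an added example (not code from the original post or from BIND) that applies both rules to a constructed sample zone; the domain and host names follow the post, while the addresses are documentation-range values and the second NS target is deliberately left relative so the check has something to find.

```python
# Added example (not code from the original post): a small checker for the zone-file rules
# explained above. It applies the trailing-period rule (a relative name gets $ORIGIN appended,
# an absolute one is kept), flags NS/MX/CNAME targets that were left relative by mistake,
# and checks that the SOA serial grows on every edit. The sample zone below is constructed:
# the domain and host names follow the post, the addresses are documentation-range values.

SAMPLE_ZONE = """\
$ORIGIN speedsnail.com.
$TTL 86400
@       IN  SOA  dns1.speedsnail.com. xie.speedsnail.com. (
                2014120101 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                86400 )    ; negative caching TTL
@       IN  NS   dns1.speedsnail.com.
        IN  NS   dns2.speedsnail.com
dns1    IN  A    192.0.2.1
dns2    IN  A    192.0.2.2
@       IN  MX   10 mail1.speedsnail.com.
www     IN  CNAME servs.speedsnail.com.
servs   IN  A    192.0.2.10
"""  # note: the second NS target is deliberately missing its trailing period


def logical_lines(text):
    """Yield comment-free logical lines, joining records split across ( ... ) such as the SOA."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # ';' starts a comment
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def qualify(name, origin):
    """Trailing-period rule: '@' is the origin, 'x.' is absolute, 'x' becomes 'x.<origin>'."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, default_ttl, records); each record is a dict with an absolute owner name."""
    origin = ttl = last_owner = None
    records = []
    for line in logical_lines(text):
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            ttl = int(fields[1])
            continue
        if line[0].isspace():                 # blank owner column: the previous owner applies
            owner = last_owner
        else:
            owner = last_owner = fields.pop(0)
        if fields and fields[0].isdigit():    # optional per-record TTL
            fields.pop(0)
        if fields and fields[0].upper() in ("IN", "CH", "HS"):   # optional class
            fields.pop(0)
        records.append({"owner": qualify(owner, origin), "type": fields[0].upper(), "rdata": fields[1:]})
    return origin, ttl, records


def lint(text, previous_serial=None):
    """Return a list of problems a zone author would want to know about before reloading."""
    origin, _ttl, records = parse_zone(text)
    problems = []
    if not origin or not origin.endswith("."):
        problems.append("$ORIGIN is missing or not absolute")
    for rec in records:
        if rec["type"] in ("NS", "MX", "CNAME"):
            target = rec["rdata"][-1]
            if not target.endswith("."):
                problems.append(f"{rec['type']} target {target} is relative and resolves to {qualify(target, origin)}")
    soa = [rec for rec in records if rec["type"] == "SOA"]
    if len(soa) != 1:
        problems.append("zone must have exactly one SOA record")
    elif previous_serial is not None and int(soa[0]["rdata"][2]) <= previous_serial:
        problems.append(f"SOA serial {soa[0]['rdata'][2]} was not increased above {previous_serial}")
    return problems


def next_serial(current, today):
    """YYYYMMDDnn convention: continue today's counter or start a new one for today."""
    base = int(today) * 100
    return current + 1 if current >= base else base


if __name__ == "__main__":
    for problem in lint(SAMPLE_ZONE, previous_serial=2014120100):
        print("WARNING:", problem)
    print("next serial:", next_serial(2014120101, "20141201"))
```

Run it before reloading a zone, alongside BIND's own named-checkzone; the lint only understands the record shapes used in this post, which is enough to catch the two mistakes the comments above warn about.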

4. Set up the slave DNS server

Repeat step 1 to install the bind-chroot package on the slave DNS server, then start the service and enable it at boot. After that, modify the main configuration file /etc/named.conf of the slave DNS server. It is basically the same as the master's, so the configuration can be copied directly, but the zone statement must be changed. The zone statement in the slave's named.conf is as follows:

--------------------------------------------------------------------------------

zone "speedsnail.com" IN {
    type slave;                 // this server is a slave DNS server for the domain
    file "slaves/ zone";        // on the slave, the zone file must be placed in the slaves directory under the working directory
    masters { ; };              // IP address of the primary DNS server for the domain
    allow-query { any; };       // resolution requests for this domain are allowed from any IP address
};

--------------------------------------------------------------------------------

Unlike on the primary DNS, the zone file on the slave does not need to be created manually; it is created automatically by zone transfer from the master. With this, the configuration of the slave DNS server is complete.

5. Open the port

Open TCP and UDP port 53 on both the primary and the slave DNS server:

[root@localhost ~]# firewall-cmd --zone=public --add-port=53/tcp --permanent

[root@localhost ~]# firewall-cmd --zone=public --add-port=53/udp --permanent

Reload the firewall so the change takes effect immediately:

[root@localhost ~]# firewall-cmd --reload

Run the following command to check whether the configuration was applied:

[root@localhost ~]# firewall-cmd --list-all

6. Set up the named service

Start the named service on both the primary and the slave DNS server, and enable it at boot:

[root@localhost ~]# systemctl start named

[root@localhost ~]# systemctl enable named

After the above commands, if there is no problem, verify the named service status with:

[root@localhost ~]# systemctl status named

7. Test and verification

By default, DNS service logs are written to /var/log/messages. If you have modified the configuration file and started or restarted the named service, it is recommended that you check this log file for errors first:

Log entries on the slave DNS server about the zone file being updated:

Check whether the DNS service port (port 53) is listening:

Use the dig command on the slave DNS to test whether the primary DNS can resolve an Internet domain name:

Use the dig command on the slave DNS to test whether the primary DNS can resolve its own domain's website address:

Verify that the DNS forwarders work properly:

As shown in the preceding figure, when I requested resolution of on the primary DNS server ( ), the packet capture shows that the server did forward the DNS query to one of the configured ISP DNS servers ( ), which indicates that the forwarders configuration works.

The case description at the beginning of this document states that resolution requests from intranet hosts are allowed, requests from Internet hosts are not, and all hosts are allowed to resolve the domain . To verify that this restriction works, first modify the named.conf configuration file on the primary DNS server as follows:

In this way, all hosts can resolve the domain , but only the primary DNS server itself ( ) can resolve other domains. Restart the named service on the primary DNS for the change to take effect, then run the test from the slave DNS server ( ):

As you can see, with as the DNS server, the Internet website ( ) cannot be resolved, while the intranet website ( ) can still be resolved. This shows that the restriction on the source IP address of resolution requests is set correctly. The logs on the primary DNS server confirm this as well:
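The outcome of the test above follows from how the options-level allow-query and allow-recursion lists combine with the zone-level allow-query, which replaces the options-level list for that zone only. The following model is an added example, not code from the original post or from BIND: it reproduces just the settings used here (allow-query, allow-recursion, recursion, and a zone-level allow-query) so the expected answer for each client can be predicted before reaching for tcpdump, and it includes the check a defender cares most about, namely whether a host outside the intranet is granted recursion. The ResolverPolicy class and all addresses are constructed: 192.0.2.0/24 stands in for the intranet, 192.0.2.1 for the primary, 192.0.2.2 for the slave and 198.51.100.7 for an Internet host.

```python
# Added example (not code from the original post): a model of how the options-level allow-query,
# allow-recursion and the zone-level allow-query above combine, so the result of the step-7 test
# can be predicted before a packet capture. ResolverPolicy and the addresses are constructed:
# 192.0.2.0/24 stands in for the intranet, 192.0.2.1 for the primary, 192.0.2.2 for the slave,
# 198.51.100.7 for an Internet host. Real BIND has more knobs (allow-query-cache, views);
# only the settings used in this post are modelled.
import ipaddress


def acl_matches(acl, source_ip):
    """Evaluate a BIND-style address match list: 'any', 'none', or IP/CIDR entries in order."""
    ip = ipaddress.ip_address(source_ip)
    for entry in acl:
        if entry == "any":
            return True
        if entry == "none":
            return False
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


class ResolverPolicy:
    def __init__(self, allow_query, allow_recursion, recursion=True, zones=None):
        self.allow_query = allow_query            # options { allow-query ... }
        self.allow_recursion = allow_recursion    # options { allow-recursion ... }
        self.recursion = recursion                # options { recursion yes|no }
        self.zones = zones or {}                  # zone name -> {"allow-query": [...]} (zone-level overrides)

    def authoritative_zone(self, qname):
        """Longest configured zone that is qname or a parent of qname, else None."""
        q = qname.rstrip(".").lower()
        for zone in sorted(self.zones, key=len, reverse=True):
            if q == zone or q.endswith("." + zone):
                return zone
        return None

    def decide(self, source_ip, qname):
        """Return 'answer' (authoritative data), 'recurse/forward', or 'REFUSED'."""
        zone = self.authoritative_zone(qname)
        if zone is not None:
            # a zone-level allow-query replaces the options-level one for that zone
            acl = self.zones[zone].get("allow-query", self.allow_query)
            return "answer" if acl_matches(acl, source_ip) else "REFUSED"
        # anything else needs recursion (here: forwarding), gated by both options-level lists
        if not acl_matches(self.allow_query, source_ip):
            return "REFUSED"
        if not self.recursion or not acl_matches(self.allow_recursion, source_ip):
            return "REFUSED"   # no authoritative data to return and recursion is not allowed for this client
        return "recurse/forward"


INTRANET, PRIMARY, SLAVE, OUTSIDE = "192.0.2.0/24", "192.0.2.1", "192.0.2.2", "198.51.100.7"


def case_policy():
    """The post's intended setup: the intranet may recurse, everyone may query the zone."""
    return ResolverPolicy(allow_query=[INTRANET], allow_recursion=[INTRANET],
                          zones={"speedsnail.com": {"allow-query": ["any"]}})


def step7_policy():
    """The step-7 test variant: options-level allow-query narrowed to the primary itself."""
    return ResolverPolicy(allow_query=[PRIMARY], allow_recursion=[INTRANET],
                          zones={"speedsnail.com": {"allow-query": ["any"]}})


def is_open_resolver(policy, outside_ip=OUTSIDE):
    """Defender check: does a host outside the intranet get recursion for a foreign name?"""
    return policy.decide(outside_ip, "www.example.net") == "recurse/forward"


if __name__ == "__main__":
    for label, policy in (("case", case_policy()), ("step 7", step7_policy())):
        for src in (PRIMARY, SLAVE, OUTSIDE):
            for name in ("www.speedsnail.com", "www.example.net"):
                print(f"{label:7} {src:14} {name:22} -> {policy.decide(src, name)}")
    print("open resolver:", is_open_resolver(case_policy()))
```

The step-7 table reproduces what the dig runs above show: the slave is answered for www.speedsnail.com but refused for the Internet name, while the primary itself is still forwarded. The is_open_resolver check is worth keeping in a deployment checklist, since a server that returns recurse/forward for an outside address will be found and abused for reflection traffic regardless of how well the zone itself is configured.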


In terms of the DNS software itself, deploying DNS on CentOS 7 is not much different from deploying it on earlier releases, although the underlying mechanisms may have changed. At the system level, service management and firewall management in CentOS 7 have changed: this article uses systemctl and firewall-cmd rather than chkconfig and iptables.

Available materials:

named.conf(5): man page describing the statement formats used in /etc/named.conf

/usr/share/doc/bind*/sample/etc/named.conf: example /etc/named.conf configuration

/usr/share/doc/bind*/sample/etc/named.rfc1912.zones: the default content of this file is the same as that of /etc/named.rfc1912.zones

/usr/share/doc/bind*/Bv9ARM.pdf or Bv9ARM.html: BIND 9 Administrator Reference Manual

The Guide provides an introduction to DNS server setup and configuration.

The attachment contains the configuration files used in this article and can be downloaded as needed.

This article is from the "technology never stop" blog; please keep this attribution when reproducing it.
