Step-by-Step Tutorial: Configure DNS Server using bind chroot (CentOS/RHEL 7/8)

Table of Contents

 Install Bind Chroot RPM

 Configure DNS Server (named.conf)
 Add zone records
 Create Forward Zone File
 Create Reverse Zone File
 Verify the bind chroot configuration
 Start named-chroot service
 Configure DNS server using resolv.conf
 Verify Bind Chroot DNS Server
 Configure DNS Server on Client

how to configure dns server in rhel 7 or rhel 8 step by step. dns server configuration in linux step by step
centos. bind chroot. dns server configuration in linux step by step centos. how to configure dns server in
rhel 7 step by step. named chroot. bind allow query. install bind centos 7 or centos 8. Configure forward
zone file and reverse zone file using named chroot using centos or rhel 7 or centos 8. Sample forward zone
file and reverse zone file on rhel 7 or rhel 8 linux. Verify bind dns server configuration files using named-
checkconf. Do not copy chroot contents to /var/named/chroot. dns configuration step by step. setup dns
server on red hat.

Install Bind Chroot RPM

To install BIND running in a chroot environment, you have to install the bind-chroot package.

NOTE:
If you do not have an active repository then download rpms with all the list of dependencies using which
then you can create an offline repository.
[root@centos-8 ~]# yum install -y bind-chroot

Verify the list of available bind packages installed with bind chroot via yum:

[root@centos-8 ~]# rpm -qa| grep bind

bind-license-9.9.4-74.el7_6.1.noarch
bind-chroot-9.9.4-74.el7_6.1.x86_64
keybinder3-0.3.0-1.el7.x86_64
bind-libs-9.9.4-74.el7_6.1.x86_64
bind-utils-9.9.4-74.el7_6.1.x86_64
bind-libs-lite-9.9.4-74.el7_6.1.x86_64
bind-9.9.4-74.el7_6.1.x86_64
rpcbind-0.2.0-47.el7.x86_64

Below list of directories and files will be created with bind chroot package on your CentOS/RHEL 7/8
Linux host:

[root@centos-8 ~]# ls -l /var/named/chroot/

total 20
drwxr-x---. 2 root named 4096 Jun 21 16:11 dev
drwxr-x---. 4 root named 4096 Jun 21 16:11 etc
drwxr-x---. 3 root named 4096 Jun 21 16:11 run
drwxr-xr-x. 3 root root 4096 Jun 21 16:11 usr
drwxr-x---. 5 root named 4096 Jun 21 16:11 var

Turn ON the bind chroot environment, with this all your Bind DNS server related files and directories will
be mount on /var/named/chroot
HINT:
If you have installed the bind chroot package, the BIND service will run in the chroot environment. In
that case, the initialization script will mount all of the BIND configuration files into the chroot location
using the mount --bind command, so that you can manage the configuration outside this environment.
There is no need to copy anything into the /var/named/chroot/ directory because it is mounted
automatically.
[root@centos-8 ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on

Next verify the list of mount paths on /var/named/chroot

[root@centos-8 ~]# mount | grep chroot

/dev/mapper/centos-root on /var/named/chroot/etc/named type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/usr/lib64/bind type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/localtime type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.root.key type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.conf type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.rfc1912.zones type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/rndc.key type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.iscdlv.key type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/protocols type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/services type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/usr/lib64/bind type ext4
(rw,relatime,data=ordered)
tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,mode=755)
/dev/mapper/centos-root on /var/named/chroot/var/named type ext4
(rw,relatime,data=ordered)

We will note our IP Address which we will use to configure our BIND DNS in chroot environment

[root@centos-8 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen
1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group
default qlen 1000
link/ether 08:00:27:df:87:41 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.32/8 brd 10.255.255.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fedf:8741/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group
default qlen 1000
link/ether 08:00:27:95:c3:cd brd ff:ff:ff:ff:ff:ff
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group
default qlen 1000
link/ether 52:54:00:b0:af:fb brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state
DOWN group default qlen 1000
link/ether 52:54:00:b0:af:fb brd ff:ff:ff:ff:ff:ff

Configure DNS Server (named.conf)

To configure DNS server first thing is to update our /etc/named.conf file. We have made the below
highlighted changes in our named.conf file:

[root@centos-8 ~]# cat /etc/named.conf

options {
listen-on port 53 { 127.0.0.1; any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { localhost; any; };
allow-query-cache { localhost; any; };

recursion yes;

dnssec-enable yes;
dnssec-validation yes;

/* Path to ISC DLV key */

bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Add zone records

Next we need to add zone records for forward zone file and reverse zone file location in
/etc/named.rfc1912.zones file. here example.com contains details for our forward zone file and
2.0.10.in-addr.arpa contains information about reverse zone file.

zone "example.com" IN {
type master;
 file "example.com.zone";
allow-update { none; };
};

zone "2.0.10.in-addr.arpa" IN {
type master;
file "example.com.rzone";
allow-update { none; };
};
NOTE:
For the reverse zone, here since our IP is 10.0.2.32, I have used 2.0.10.in-addr.arpa as the zone name,
similarly if your IP is 192.168.0.XX then your reverse zone name syntax would be 0.168.192.in-
addr.arpa

We will create our forward and reverse zone files in the next steps.

Create Forward Zone File

Navigate to /var/named where we will have some default templates which can be used to configure our
forward zone file.

[root@centos-8 ~]# cd /var/named/

List the content of /var/named

[root@centos-8 named]# ls -l
total 32
drwxr-x---. 2 root named 4096 Jun 21 16:12 chroot
drwxrwx---. 2 named named 4096 Jun 5 00:56 data
drwxrwx---. 2 named named 4096 Jun 5 00:56 dynamic
-rw-r-----. 1 root named 2281 May 22 2017 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 4096 Jun 5 00:56 slaves

Create forward zone file using named.localhost

[root@centos-8 named]# cat named.loopback > example.com.zone

Change the permission and ownership of the forward zone file (example.com.zone) as shown below:

[root@centos-8 named]# chmod 644 example.com.zone

[root@centos-8 named]# chown root:named example.com.zone

[root@centos-8 named]# ls -l example.com.zone

-rw-r--r--. 1 root named 260 Jun 21 16:28 example.com.zone

Update the forward zone file with the details from your setup and environment. Below is my sample
forward zone file:

[root@centos-8 named]# cat example.com.zone

$TTL 1D
@ IN SOA example.com root (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS localhost
localhost IN A 127.0.0.1
centos-7 IN A 10.0.2.30
rhel-8 IN A 10.0.2.31
centos-8 IN A 10.0.2.32

Create Reverse Zone File

Similarly create a reverse zone file using named.localhost.

[root@centos-8 named]# cat named.localhost > example.com.rzone

Change the permission and ownership of the reverse zone file (example.com.rzone) as shown below:

[root@centos-8 named]# chmod 644 example.com.rzone

[root@centos-8 named]# chown root:named example.com.rzone

[root@centos-8 named]# ls -l example.com.rzone

-rw-r--r--. 1 root named 260 Jun 21 16:28 example.com.rzone

Next update the values of your reverse zone file depending upon your environment. Below is my sample
reverse zone file:

[root@centos-8 named]# cat example.com.rzone

$TTL 1D
@ IN SOA example.com. root.example.com. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS localhost.
30 IN PTR centos-7.example.com.
31 IN PTR rhel-8.example.com.
32 IN PTR centos-8.example.com.

NOTE:
Update the serial number every time you modify the zone file.

Verify the bind chroot configuration

Before you start the named-chroot service, it is important that you verify your bind chroot configuration
file for any syntax errors:

[root@centos-8 named]# named-checkconf -t /var/named/ etc/named.conf

Here -t means chroot to directory so that include directives in the configuration file are processed as if run
by a similarly chrooted named. Make sure all the content of /var/named/ are mounted on
/var/named/chroot before you execute this command or else you may get open: etc/named.conf:
file not found error.

Check the /etc/mtab content using mount command

[root@centos-8 ~]# mount | grep chroot

/dev/mapper/centos-root on /var/named/chroot/etc/named type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/usr/lib64/bind type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/localtime type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.root.key type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.conf type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.rfc1912.zones type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/rndc.key type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/named.iscdlv.key type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/protocols type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/etc/services type ext4
(rw,relatime,data=ordered)
/dev/mapper/centos-root on /var/named/chroot/usr/lib64/bind type ext4
(rw,relatime,data=ordered)
tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,mode=755)
/dev/mapper/centos-root on /var/named/chroot/var/named type ext4
(rw,relatime,data=ordered)

If you do not see these paths mounted on /var/named/chroot then turn off the chroot mount using

[root@centos-8 ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot off

and then turn it back ON

[root@centos-8 ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on

Next re-verify the mount | grep chroot command output. You should see that all required devices are
mounted on /var/named/chroot. This is important to refresh all the changes what you have performed
recently should be visible under /var/named/chroot

Now you can run below command to verify your chroot config files

[root@centos-8 named]# named-checkconf -t /var/named/ etc/named.conf

Start named-chroot service

To configure dns server on Red Hat Enterprise Linux 7 the installation of bind-chroot does NOT change
how the named service is run. On the contrary it installs new named-chroot service that needs to be started
using systemctl command, if you want to run named service in a chroot environment.

But before, make sure to stop and disable any named service which is available and running on your RHEL
7 Linux host:

[root@centos-8 named]# systemctl stop named

[root@centos-8 named]# systemctl disable named

Next start named-chroot service using systemctl:

[root@centos-8 named]# systemctl start named-chroot

[root@centos-8 ~]# systemctl status named-chroot

● named-chroot.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled; vendor
preset: disabled)
Active: active (running) since Fri 2019-06-21 17:00:25 IST; 1min 1s ago
Process: 5321 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t
/var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
Process: 5319 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ];
then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo
"Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 5323 (named)
Tasks: 4
CGroup: /system.slice/named-chroot.service
└─5323 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot

Jun 21 17:00:25 centos-8.example.com named[5323]: zone 2.0.10.in-addr.arpa/IN: loaded

serial 1
Jun 21 17:00:25 centos-8.example.com named[5323]: zone 1.0.0.127.in-addr.arpa/IN:
loaded serial 0
Jun 21 17:00:25 centos-8.example.com named[5323]: zone localhost.localdomain/IN:
loaded serial 0
Jun 21 17:00:25 centos-8.example.com named[5323]: zone example.com/IN: loaded serial 1
Jun 21 17:00:25 centos-8.example.com named[5323]: zone
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0....ial 0
Jun 21 17:00:25 centos-8.example.com named[5323]: zone localhost/IN: loaded serial 0
Jun 21 17:00:25 centos-8.example.com named[5323]: all zones loaded
Jun 21 17:00:25 centos-8.example.com named[5323]: running
Jun 21 17:00:25 centos-8.example.com named[5323]: zone example.com/IN: sending
notifies (serial 1)
Jun 21 17:00:25 centos-8.example.com named[5323]: zone 2.0.10.in-addr.arpa/IN: sending
notifies (serial 1)
Hint: Some lines were ellipsized, use -l to show in full.

Now our configure dns server steps are almost done, enable the named-chroot service to start the service
automatically after every reboot:

[root@centos-8 ~]# systemctl enable named-chroot

Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service
to /usr/lib/systemd/system/named-chroot.service.

Configure DNS server using resolv.conf

Now the last step to configure dns server is to update our /etc/resolv.conf with our DNS server IP i.e.
10.0.2.32

[root@centos-8 ~]# cat /etc/resolv.conf

# Generated by NetworkManager
search example.com
nameserver 10.0.2.32
nameserver 8.8.8.8

Verify Bind Chroot DNS Server

Now you can use different tools to verify your bind chroot DNS server configuration. In this example I am
using nslookup and dig to verify my forward and reverse zone configuration

[root@centos-8 ~]# nslookup centos-7.example.com

Server: 10.0.2.32
Address: 10.0.2.32#53
Name: centos-7.example.com
Address: 10.0.2.30

So the nslookup was able to get a response for centos-7.example.com using our bind chroot DNS server
10.0.2.32. Similarly look out for ANSWER SECTION using dig command for reverse zone file content.

[root@centos-8 ~]# dig -x 10.0.2.30

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -x 10.0.2.30

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55495
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;30.2.0.10.in-addr.arpa. IN PTR

;; ANSWER SECTION:
30.2.0.10.in-addr.arpa. 86400 IN PTR centos-7.example.com.

;; AUTHORITY SECTION:
2.0.10.in-addr.arpa. 86400 IN NS localhost.

;; ADDITIONAL SECTION:
localhost. 86400 IN A 127.0.0.1
localhost. 86400 IN AAAA ::1

;; Query time: 0 msec

;; SERVER: 10.0.2.32#53(10.0.2.32)
;; WHEN: Fri Jun 21 17:02:28 IST 2019
;; MSG SIZE rcvd: 149

Configure DNS Server on Client

To configure DNS server on a client you do not need to install any additional bind chroot related rpms, you
only need to update the /etc/resolv.conf file on all the clients to use nameserver IP of the DNS server.

For example on my client node:

[root@rhel-8 ~]# cat /etc/resolv.conf

# Generated by NetworkManager
search example.com
nameserver 10.0.2.32

Let us verify the DNS server configuration by using nslookup:

[root@rhel-8 ~]# nslookup centos-8.example.com

Server: 10.0.2.32
Address: 10.0.2.32#53

Name: centos-8.example.com
Address: 10.0.2.32

As you see the client is properly able to get the response from the DNS server running on 10.0.2.32 rhel
linux host.