4 minute read


Installing a master DNS server will bring you several advantages:

  • you define machine names one for all in a centralized way, you can then better organize your workshops, build machines dedicated to a specific task (NFS server, LDAP server, etc),
  • you don’t need to regularly edit the /etc/hosts file of each of them,
  • you can use the machine names everywhere in an efficient way,
  • you can now test postfix labs through MX records (Mail eXchange).

Besides making conversion between IP address and names, the DNS service provides the infrastructure necessary for mail management through the MX records: for a given domain name, mails coming are sent to servers owning a MX record.

Let’s install a DNS server for the example.com domain. Here, the DNS service is installed on a server called dns.example.comwith an IP address of192.168.1.5.


Install the bind package:

# yum install -y bind

Edit the /etc/named.conf file and change the listen-on option from to any:

listen-on port 53 { any; };

In the same file, change the allow-query option from localhost to any:

allow-query { any; };

In the same file, disable the dnssec-validation option:

dnssec-validation no;

Still in the same file, below the recursion option, add the two following lines (with192.168.1.1 being the DNS IP address of your Internet provider):

forward only;
forwarders {; };

After the logging stanza and still in the /etc/named.conf file, add the following lines (example.com is supposed to be your domain name):

zone "example.com" {
type master;
file "example.com.zone";
allow-update { none; };

zone "1.168.192.in-addr.arpa" {
type master;
file "example.com.revzone";
allow-update { none; };

Create the /var/named/example.com.zone file and insert the following lines (where gateway is your gateway to Internet, dns your DNS server, mail your mail server and client a simple client):

$TTL 86400
@ IN SOA dns.example.com. root.example.com. (
 2014080601 ; Serial
 1d ; refresh
 2h ; retry
 4w ; expire
 1h ) ; min cache
 IN NS dns.example.com.
 IN MX 10 mail.example.com.

gateway    IN A
dns        IN A
master     IN CNAME dns.example.com.
mail       IN A
client     IN A

Note1: IN NS indicates a name server, IN MX a mail server. Note2: It is a good practice to put the date in the Serial field and increase it (only the last two digits) when changes are required (if you don’t increase them, no changes will be taken into account even after restarting the named service). Note3: It is possible to assign the same IP address to several names by using a CNAME record (Canonical NAME). However, only one name, the canonical name, will be sent back for this IP address. This feature allows a lot of flexibility when setting up service configuration: here the same server can be called dns.example.com or master.example.com according to the situation. The services may be later spread over two different machines if needed without any changes on the client side.

Create the /var/named/example.com.revzone file and insert the following lines:

$TTL 86400
@ IN SOA dns.example.com. root.example.com. (
 2014080601 ; Serial
 1d ; refresh
 2h ; retry
 4w ; expire
 1h ) ; min cache
 IN NS dns.example.com.

1     IN PTR gateway.example.com.
5     IN PTR dns.example.com.
10    IN PTR mail.example.com.
15    IN PTR client.example.com.

Check the configuration files:

# named-checkconf

Alternatively, you can check your zone files:

# named-checkzone example.com /var/named/example.com.zone
zone example.com/IN: loaded serial 2014080601
# named-checkzone 1.168.192.in-addr.arpa /var/named/example.com.revzone
zone 1.168.192.in-addr.arpa/IN: loaded serial 2014080601

If Firewalld is running, add the new service to the firewall and reload the configuration:

# firewall-cmd --permanent --add-service=dns
# firewall-cmd --reload

Note: For performance reasons, when protecting a production master DNS server, it is recommended to use Iptables rather than Firewalld(see details here).

Activate the DNS service at boot and start it:

# systemctl enable named && systemctl start named

Check the configuration:

# nslookup cnn.com

Non-authoritative answer:
Name:    cnn.com
Name:    cnn.com

# dig @ cnn.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> @ cnn.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41414
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 13

; EDNS: version: 0, flags:; udp: 4096
;cnn.com.            IN    A

cnn.com.        152    IN    A
cnn.com.        152    IN    A

com.            125267    IN    NS    c.gtld-servers.net.
com.            125267    IN    NS    i.gtld-servers.net.
com.            125267    IN    NS    a.gtld-servers.net.
com.            125267    IN    NS    k.gtld-servers.net.
com.            125267    IN    NS    f.gtld-servers.net.
com.            125267    IN    NS    m.gtld-servers.net.
com.            125267    IN    NS    l.gtld-servers.net.
com.            125267    IN    NS    d.gtld-servers.net.
com.            125267    IN    NS    j.gtld-servers.net.
com.            125267    IN    NS    e.gtld-servers.net.
com.            125267    IN    NS    g.gtld-servers.net.
com.            125267    IN    NS    b.gtld-servers.net.
com.            125267    IN    NS    h.gtld-servers.net.

i.gtld-servers.net.     9799    IN    A
m.gtld-servers.net.     5154    IN    A
f.gtld-servers.net.    11700    IN    A
d.gtld-servers.net.    16095    IN    A
g.gtld-servers.net.     5325    IN    A
h.gtld-servers.net.     5345    IN    A
j.gtld-servers.net.     5108    IN    A
c.gtld-servers.net.    13522    IN    A
l.gtld-servers.net.     6529    IN    A
e.gtld-servers.net.     6040    IN    A
k.gtld-servers.net.    10294    IN    A
b.gtld-servers.net.     3807    IN    AAAA 2001:503:231d::2:30

;; Query time: 70 msec
;; WHEN: Wed Aug 06 13:00:29 CEST 2014
;; MSG SIZE  rcvd: 496

Additional Resources

You can also read the Ubuntu BIND 9 Server How-To. Matt Micene from RedHat wrote an article about Containing System Services in Red Hat Enterprise Linux.

Leave a comment