This article describes running a DNS server for a private network.
The server has recursion disabled, so it does not resolve names outside the private network on behalf of clients.
1 System environment
The private network address is 192.168.11.0/24.
The private network name is my.net.
The IP address of the DNS server is 192.168.11.70.
The IP address of the local machine inside the private network is 192.168.11.128.
2 Install bind
Install bind with yum.
$ sudo yum install -y bind
3 Configuration
Edit /etc/named.conf and add a zone file for my.net.
3.1 /etc/named.conf
Allow queries from the private network and disable recursion.
Load the zone file "my.net.zone" for the private network "my.net"
and do not load the other zone files (the root hint zone is commented out).
The directory directive defines the path where zone files are located.
$ sudo diff -uprN /etc/named.conf{.org,}
--- /etc/named.conf.org 2016-05-02 15:15:34.378542110 +0900
+++ /etc/named.conf 2016-05-02 15:48:28.273186281 +0900
@@ -8,13 +8,13 @@
//
options {
- listen-on port 53 { 127.0.0.1; };
+ listen-on port 53 { 127.0.0.1; 192.168.11.0/24;};
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
+ allow-query { localhost; 192.168.11.0/24;};
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
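Review bot: listen-on and allow-query now carry the same literal prefix 192.168.11.0/24; declaring it once as an acl (for example `acl "lan" { 192.168.11.0/24; };` above the options block) and referencing `lan` in both lines keeps the two lists from drifting apart when the network changes. Minor style point: both changed lines drop the space before the closing `};` that the surrounding config uses.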
@@ -26,7 +26,7 @@ options {
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
- recursion yes;
+ recursion no;
dnssec-enable yes;
dnssec-validation yes;
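Review bot: with `recursion no;` the retained `dnssec-validation yes;` is effectively a no-op, because validation applies to answers the server resolves recursively for clients, which this authoritative-only server no longer does. It is harmless, but a short comment next to it would stop the next reader from expecting this server to validate anything. The change itself is correct and matches the stock comment above it about authoritative servers.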
@@ -47,10 +47,17 @@ logging {
};
};
+/*
zone "." IN {
type hint;
file "named.ca";
};
+*/
+
+zone "my.net" IN {
+ type master;
+ file "my.net.zone";
+};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
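Review bot: the new `zone "my.net"` block sets no `allow-transfer`, so BIND's long-standing default (allow transfers to any host) applies and any client that passes allow-query can pull the whole zone with AXFR; add `allow-transfer { none; };` inside the block, or list the address of a secondary if one exists. Also, commenting out the root hint zone matches the stated intent, but the unchanged `include "/etc/named.rfc1912.zones";` still loads the localhost and reverse-localhost zones, so the "do not load other zone files" description above is not quite accurate.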
3.2 /var/named/my.net.zone
Map 192.168.11.70, the IP address of the DNS server, to centos-7-server and declare it as the NS record for the zone.
Map 192.168.11.128, the IP address of the local machine, to centos-7-client as an A record. To map more hosts, append further A records.
$ sudo cat /var/named/my.net.zone
$TTL 86400
; SOA: the primary server name and admin mailbox must be absolute (trailing dot);
; without it BIND appends the origin, turning "my.net" into "my.net.my.net."
@ IN SOA my.net. root.my.net. (
2016050204 ; serial (YYYYMMDDnn)
3600 ; refresh
900 ; retry
604800 ; expire
86400 ; negative-caching TTL
)
@ IN NS centos-7-server
centos-7-server IN A 192.168.11.70
centos-7-client IN A 192.168.11.128
3.3 Validation
named-checkconf validates /etc/named.conf.
$ sudo named-checkconf
named-checkzone validates the zone file.
$ sudo named-checkzone my.net /var/named/my.net.zone
zone my.net/IN: loaded serial 2016050204
OK
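As an added check, not part of the original article, the following Python script parses a constructed copy of the zone file above and flags a mistake that a successful load does not surface: SOA MNAME/RNAME written without a trailing dot, which BIND expands to my.net.my.net. The constructed copy deliberately omits the dots so the check has something to report, and it also verifies that every NS target has an A record in the zone.

```python
import re

# Constructed copy of the page's zone file; the SOA names deliberately lack trailing dots.
ZONE_TEXT = """$TTL 86400
@ IN SOA my.net root.my.net (
2016050204
3600
900
604800
86400
)
@ IN NS centos-7-server
centos-7-server IN A 192.168.11.70
centos-7-client IN A 192.168.11.128
"""

def absolute(name, origin):
    """Expand a name as BIND does: '@' is the origin, a relative name gets it appended."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples with owner and name-valued rdata made absolute."""
    # Join the multi-line parenthesised SOA rdata onto a single line first.
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0)[1:-1].split()), text)
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()            # strip comments
        if not line or line.startswith("$"):         # skip blanks and $TTL
            continue
        tokens = line.split()                        # assumes 'owner IN TYPE rdata...'
        rtype, rdata = tokens[2], tokens[3:]
        names = {"SOA": 2, "NS": 1}.get(rtype, 0)    # leading rdata fields that are names
        rdata = [absolute(t, origin) if i < names else t for i, t in enumerate(rdata)]
        records.append((absolute(tokens[0], origin), rtype, rdata))
    return records

def check_zone(records, origin):
    """Return a list of problems; an empty list means both checks passed."""
    doubled = origin.rstrip(".") + "." + origin       # 'my.net.my.net.'
    a_owners = {o for o, t, _ in records if t == "A"}
    problems = []
    for _, rtype, rdata in records:
        if rtype == "SOA":
            for field, name in zip(("MNAME", "RNAME"), rdata[:2]):
                if name.endswith(doubled):
                    problems.append(f"SOA {field} {name}: missing trailing dot")
        if rtype == "NS" and rdata[0] not in a_owners:
            problems.append(f"NS target {rdata[0]} has no A record in this zone")
    return problems
```

Run check_zone(parse_zone(ZONE_TEXT, "my.net."), "my.net.") on the constructed copy to see both SOA names flagged; with trailing dots added, the list is empty.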
4 firewalld
Open 53/tcp and 53/udp with the dns service definition at /usr/lib/firewalld/services/dns.xml.
$ sudo firewall-cmd --add-service=dns --permanent
success
$ sudo firewall-cmd --reload
success
5 Run named
Run named with systemctl.
$ sudo systemctl enable named
$ sudo systemctl start named
6 Execution result
/etc/resolv.conf is as below.
It uses 192.168.11.70 for private network name resolution and 192.168.11.1 for internet name resolution.
On CentOS 7, /etc/resolv.conf is generated by NetworkManager from the DHCP lease.
$ cat /etc/resolv.conf
# Generated by NetworkManager
search my.net
nameserver 192.168.11.70
nameserver 192.168.11.1
Running the ping command against centos-7-server and centos-7-client.
$ ping -c 4 centos-7-server
PING centos-7-server.my.net (192.168.11.70) 56(84) bytes of data.
64 bytes from 192.168.11.70: icmp_seq=1 ttl=64 time=0.166 ms
64 bytes from 192.168.11.70: icmp_seq=2 ttl=64 time=0.250 ms
64 bytes from 192.168.11.70: icmp_seq=3 ttl=64 time=0.259 ms
64 bytes from 192.168.11.70: icmp_seq=4 ttl=64 time=0.227 ms

--- centos-7-server.my.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.166/0.225/0.259/0.039 ms
$ ping -c 4 centos-7-client
PING centos-7-client.my.net (192.168.11.128) 56(84) bytes of data.
64 bytes from centos-7 (192.168.11.128): icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from centos-7 (192.168.11.128): icmp_seq=2 ttl=64 time=0.053 ms
64 bytes from centos-7 (192.168.11.128): icmp_seq=3 ttl=64 time=0.046 ms
64 bytes from centos-7 (192.168.11.128): icmp_seq=4 ttl=64 time=0.039 ms

--- centos-7-client.my.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.020/0.039/0.053/0.013 ms