How to Install and Configure Master-Slave DNS Server on CentOS 7 Linux Systems


In this post we show how to install and configure a master-slave DNS server on RPM-family Linux systems (Red Hat / CentOS / Scientific Linux 7). As a system administrator you will need to set up a DNS server to resolve domain names to their corresponding IP addresses. The server can answer local queries (for local zones/domains), answer public queries (for registered domains), or return different answers depending on where the query comes from (internal/external views).

DNS (the Domain Name System) is a distributed system used to translate domain names to IP addresses and vice versa. This article walks through setting up a master-slave DNS server pair on CentOS 7.

Here is the network scenario for this setup:
Master DNS Server IP: 192.168.1.90 ( ns1.mimastech.com )
Slave  DNS Server IP: 192.168.1.91 ( ns2.mimastech.com )
Domain Name : demomimastech.com   ( For Testing Purpose )
Domain IP   : 192.168.1.100  ( For Testing Purpose )
As you can see, the master DNS server has IP “192.168.1.90” and name “ns1.mimastech.com”, the slave DNS server has IP “192.168.1.91” and name “ns2.mimastech.com”, and the test domain is “demomimastech.com” with IP “192.168.1.100”.

Let’s start our simple steps:

Step 1: Install Required RPMS ( on both Master and Slave )

First, install the bind packages on both the master and the slave DNS server using the following command:

# yum -y install bind bind-utils

Step 2: Setup Master (NS1) DNS Server

There are two types of configuration files in BIND:

  • The main configuration file, “named.conf”.
  • Zone files, one per domain; named.conf holds an entry pointing at each zone file.

2.1 Configure named.conf using the configuration below
# vim /etc/named.conf

Content of named.conf:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
 listen-on port 53 { any; };
 listen-on-v6 port 53 { none; };
 directory "/var/named";
 dump-file "/var/named/data/cache_dump.db";
 statistics-file "/var/named/data/named_stats.txt";
 memstatistics-file "/var/named/data/named_mem_stats.txt";
 allow-query { localhost; 192.168.1.0/24;}; ### IP Range ###
 allow-transfer { localhost; 192.168.1.91; }; ### Slave DNS IP ###

 /* 
 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
 recursion. 
 - If your recursive DNS server has a public IP address, you MUST enable access 
 control to limit queries to your legitimate users. Failing to do so will
 cause your server to become part of large scale DNS amplification 
 attacks. Implementing BCP38 within your network would greatly
 reduce such attack surface 
 */
 recursion yes;

 dnssec-enable yes;
 dnssec-validation yes;
 dnssec-lookaside auto;

 /* Path to ISC DLV key */
 bindkeys-file "/etc/named.iscdlv.key";

 managed-keys-directory "/var/named/dynamic";

 pid-file "/run/named/named.pid";
 session-keyfile "/run/named/session.key";
};

logging {
 channel default_debug {
 file "data/named.run";
 severity dynamic;
 };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "demomimastech.com" IN {
        type master;
        file "/var/named/demomimastech.com.db";
        allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

2.2 Create a zone file for your domain “demomimastech.com”
# vim /var/named/demomimastech.com.db

Content of zone file:

; Zone file for demomimastech.com
$TTL 14400
@      86400    IN      SOA     ns1.mimastech.com. contact.mimastech.com. (
                2017042401      ; serial, date+file_version
                86400           ; refresh, seconds
                7200            ; retry, seconds
                3600000         ; expire, seconds
                86400           ; minimum, seconds
)
demomimastech.com. 86400 IN NS ns1.mimastech.com.
demomimastech.com. 86400 IN NS ns2.mimastech.com.
demomimastech.com. IN A 192.168.1.100
demomimastech.com. IN MX 0 demomimastech.com.
mail IN A 192.168.1.100
www IN CNAME demomimastech.com.

2.3 Add more domains to the DNS server

To add more domains, create a zone file for each domain as shown above. Then add a zone entry for each of them to named.conf like the one below, replacing demomimastech.com with your domain name.

zone "demomimastech.com" IN {
        type master;
        file "/var/named/demomimastech.com.db";
        allow-update { none; };
};
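The slave only re-transfers a zone when the master's SOA serial is higher than the copy it already holds, so every edit to a zone file (whether the first one in 2.2 or the extra domains in 2.3) must be followed by a serial bump. The following helper script is an added example, not part of the original post: it bumps the serial in the date+version layout the post's zone file uses (YYYYMMDDnn) and catches two common slips that break a zone. The function names next_serial, bump_zone_serial, lint_zone and write_demo_zone are chosen for this example, and the zone content it writes is a constructed sample in the post's layout.

```shell
#!/bin/sh
# Added example (not from the original post): zone file serial bump and lint.
# next_serial, bump_zone_serial, lint_zone, write_demo_zone are names chosen
# for this example; they are not BIND tools.

# next_serial OLD TODAY: print the serial that should replace OLD on date TODAY.
# TODAY is YYYYMMDD and is passed in (rather than read from `date`) so the
# logic can be exercised with fixed values.
next_serial() {
    old=$1; today=$2
    case $old in
        "$today"[0-9][0-9]) new=$((old + 1)) ;;          # same day: next version
        *) if [ "$old" -lt "${today}01" ]; then
               new="${today}01"                         # later day: first version
           else
               new=$((old + 1))                         # serial already ran ahead
           fi ;;
    esac
    # Serials are 32-bit unsigned; refuse to produce one that would wrap.
    [ "$new" -le 4294967295 ] || { echo "serial overflow" >&2; return 1; }
    printf '%s\n' "$new"
}

# bump_zone_serial FILE TODAY: rewrite FILE's serial line in place and print the
# new serial. The line is found by the "; serial" comment the post's zone file
# carries, so keep that comment when editing.
bump_zone_serial() {
    zone=$1; today=$2
    old=$(awk '/;[[:space:]]*serial/ { print $1; exit }' "$zone")
    case $old in
        *[!0-9]* | "") echo "no numeric serial line found in $zone" >&2; return 1 ;;
    esac
    new=$(next_serial "$old" "$today") || return 1
    awk -v old="$old" -v new="$new" '
        !done && /;[[:space:]]*serial/ { sub(old, new); done = 1 }
        { print }' "$zone" > "$zone.tmp" && mv "$zone.tmp" "$zone"
    printf '%s\n' "$new"
}

# lint_zone FILE: flag a repeated class token (e.g. "mail IN A IN A ...") and an
# A record whose data is not a dotted IPv4 address. Non-zero status on problems.
lint_zone() {
    awk '
        /^\$/ { next }                                  # $TTL / $ORIGIN directives
        { sub(/;.*/, "") }                              # strip comments
        NF == 0 { next }                                # blank after stripping
        {
            n = 0
            for (i = 1; i <= NF; i++) if ($i == "IN") n++
            if (n > 1) { printf "line %d: class IN repeated: %s\n", NR, $0; bad = 1 }
            for (i = 2; i < NF; i++)
                if ($(i-1) == "IN" && $i == "A" &&
                    $(i+1) !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    printf "line %d: A record without an IPv4 address: %s\n", NR, $0
                    bad = 1
                }
        }
        END { exit bad }' "$1"
}

# write_demo_zone FILE: constructed sample zone in the layout of the post.
write_demo_zone() {
    cat > "$1" <<'EOF'
; Zone file for demomimastech.com (constructed sample)
$TTL 14400
@      86400    IN      SOA     ns1.mimastech.com. contact.mimastech.com. (
                2017042401      ; serial, date+file_version
                86400           ; refresh, seconds
                7200            ; retry, seconds
                3600000         ; expire, seconds
                86400           ; minimum, seconds
)
demomimastech.com. 86400 IN NS ns1.mimastech.com.
demomimastech.com. 86400 IN NS ns2.mimastech.com.
demomimastech.com. IN A 192.168.1.100
mail IN A 192.168.1.100
www IN CNAME demomimastech.com.
EOF
}

# Stand-alone demo: lint the sample zone, bump its serial for today, show it.
tmp=$(mktemp)
write_demo_zone "$tmp"
lint_zone "$tmp" && echo "lint ok"
echo "new serial: $(bump_zone_serial "$tmp" "$(date +%Y%m%d)")"
grep serial "$tmp"
rm -f "$tmp"
```

On the master, run lint_zone against /var/named/demomimastech.com.db after editing, bump the serial, then reload named; the slave picks up the new serial on its next refresh.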

2.4 Enable and start the named service

To enable and start named (bind) service use the following commands:

# systemctl enable named
# systemctl start named

At this point the master DNS configuration is finished; let’s proceed with the slave DNS server.

Step 3: Setup Slave (NS2) DNS Server

On the slave DNS server you only need to update the named.conf file. All zone files are synced automatically from the master DNS server, and any change made on the master is reflected on the slave after the refresh interval set in the zone's SOA record.

3.1 Configure named.conf using the configuration below
# vim /etc/named.conf

Content of named.conf:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
 listen-on port 53 { any; };
 listen-on-v6 port 53 { none; };
 directory "/var/named";
 dump-file "/var/named/data/cache_dump.db";
 statistics-file "/var/named/data/named_stats.txt";
 memstatistics-file "/var/named/data/named_mem_stats.txt";
 allow-query { localhost; 192.168.1.0/24;}; ### IP Range ###
 allow-transfer { none; }; ### No zone transfers out of the slave ###

 /* 
 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
 recursion. 
 - If your recursive DNS server has a public IP address, you MUST enable access 
 control to limit queries to your legitimate users. Failing to do so will
 cause your server to become part of large scale DNS amplification 
 attacks. Implementing BCP38 within your network would greatly
 reduce such attack surface 
 */
 recursion yes;

 dnssec-enable yes;
 dnssec-validation yes;
 dnssec-lookaside auto;

 /* Path to ISC DLV key */
 bindkeys-file "/etc/named.iscdlv.key";

 managed-keys-directory "/var/named/dynamic";

 pid-file "/run/named/named.pid";
 session-keyfile "/run/named/session.key";
};

logging {
 channel default_debug {
 file "data/named.run";
 severity dynamic;
 };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "demomimastech.com" IN {
        type slave;
        file "slaves/demomimastech.com.db";
        masters { 192.168.1.90; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

3.2 Enable and start the named service

To enable and start named (bind) service use the following commands:

# systemctl enable named
# systemctl start named

After starting the named service, check that the zone file has appeared on the slave DNS server under /var/named/slaves/.

Step 4: Finally Test Your DNS Setup

Query your master and slave DNS servers directly using the following commands; you should get the same response from both servers.

Syntax:

nslookup <domainname.com> <DNS server name/ip>

Query to Master DNS Server:

# nslookup demomimastech.com 192.168.1.90

Server:         192.168.1.90
Address:        192.168.1.90#53

Name:   demomimastech.com
Address: 192.168.1.100

Query to Slave DNS Server:

# nslookup demomimastech.com 192.168.1.91

Server:         192.168.1.91
Address:        192.168.1.91#53

Name:   demomimastech.com
Address: 192.168.1.100

The outputs above show that both the master and the slave DNS server successfully resolve the domain demomimastech.com.
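The nslookup test compares A records, which a slave holding a stale copy of the zone would still answer correctly. What shows that the last transfer actually happened is the SOA serial each server returns. The script below is an added example, not part of the original post: it parses `dig +short ... SOA` answers and compares the serial served by the master with the one served by the slave. The function names soa_serial, slave_is_current, query_soa and check_sync are chosen for this example; the only external tool it uses is dig, from the bind-utils package installed in Step 1, and the answer lines it demonstrates on are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): is the slave's zone copy current?
# soa_serial, slave_is_current, query_soa, check_sync are names chosen here.

# soa_serial LINE: print the serial from a `dig +short <zone> SOA` answer line.
# That line has seven fields: mname rname serial refresh retry expire minimum.
soa_serial() {
    set -- $1
    [ $# -eq 7 ] || return 1        # empty or malformed answer (refused, timed out)
    printf '%s\n' "$3"
}

# slave_is_current MASTER_LINE SLAVE_LINE: 0 when the slave's serial is at least
# the master's, 1 when the slave lags, 2 when either answer could not be parsed.
slave_is_current() {
    m=$(soa_serial "$1") || return 2
    s=$(soa_serial "$2") || return 2
    [ "$s" -ge "$m" ]
}

# query_soa SERVER ZONE: ask one server for the zone's SOA with a short timeout.
query_soa() {
    dig +short +time=3 +tries=1 "@$1" "$2" SOA
}

# check_sync ZONE MASTER SLAVE: query both servers and report the result.
check_sync() {
    zone=$1; master=$2; slave=$3
    m=$(query_soa "$master" "$zone")
    s=$(query_soa "$slave" "$zone")
    rc=0
    slave_is_current "$m" "$s" || rc=$?
    case $rc in
        0) echo "$zone: in sync (serial $(soa_serial "$m"))" ;;
        1) echo "$zone: slave lags, master=$(soa_serial "$m") slave=$(soa_serial "$s")" ;;
        *) echo "$zone: no usable SOA answer (master='$m' slave='$s')" ;;
    esac
    return $rc
}

# Offline demonstration on constructed answers (what `dig +short` would print).
master_answer='ns1.mimastech.com. contact.mimastech.com. 2017042402 86400 7200 3600000 86400'
stale_answer='ns1.mimastech.com. contact.mimastech.com. 2017042401 86400 7200 3600000 86400'
if slave_is_current "$master_answer" "$stale_answer"; then
    echo "constructed sample: in sync"
else
    echo "constructed sample: slave lags ($(soa_serial "$stale_answer") < $(soa_serial "$master_answer"))"
fi

# Against the servers from the post's scenario (needs dig and network access):
#   DNS_CHECK=1 sh this_script.sh
if [ "${DNS_CHECK:-0}" = 1 ]; then
    check_sync demomimastech.com 192.168.1.90 192.168.1.91
fi
```

A lagging slave usually means the master's serial was not bumped after an edit, the transfer was refused (check allow-transfer on the master and the slave's log), or the refresh interval has simply not elapsed yet.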

Extra Step : Firewall Configuration for DNS server

  • If you are using FirewallD to secure your server, allow the DNS service's default port 53 through the firewall (both TCP and UDP) with the following commands:

# firewall-cmd --permanent --add-port=53/tcp
# firewall-cmd --permanent --add-port=53/udp
# firewall-cmd --reload

  • If you are using iptables to secure your server, allow port 53 (both TCP and UDP) with the following commands:

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT

You must also add the above two rules to the /etc/sysconfig/iptables file so that they are loaded at boot time.

 
