DNS stands for Domain Name System; it is, in effect, the distributed database of the Internet.
DNS matters because it translates a domain name into an IP address so that a web browser can load the Internet resource it was asked for.
Here at LinuxAPT, as part of our Server Support Services, we regularly help our customers to install software and configure DNS on their servers.
In this context, we shall look into how to set up a caching DNS server on a CentOS 8 machine.
In summary, DNS resolves a domain name to an IP address and, through reverse lookups, an IP address back to a domain name. You can also learn how to configure a full DNS server on CentOS 8.
There are four types of DNS server, as outlined below:
i. Master DNS server, also known as primary DNS server.
ii. Slave DNS server, also known as secondary DNS server.
iii. Forwarding-only DNS server.
iv. Caching-only DNS server.
A caching DNS server sends a client's query to remote DNS servers and stores the answer locally. The stored answer is valid only for the time given by its TTL (Time To Live); during that window, any further request for the same name is answered straight from the cache without contacting the remote servers again.
A caching-only DNS server therefore holds no zone data of its own: it queries other DNS servers (starting from the root hints) to obtain an answer, caches it, and returns it to the requester. A caching-only server offers two main benefits:
i. Better performance: a lookup that is already in the cache is answered immediately, without an upstream round trip.
ii. Better security: internal hosts resolve names through a resolver on the internal network, and port 53 can be closed to the public. This benefit only materialises if the resolver itself is limited to internal clients rather than left open to every network it can reach.
In this guide we use two systems: one acts as the DNS cache server and the other as a client.
On the server we install the BIND package, which listens on the default DNS port, 53.
DNS cache server:
The Operating System is CentOS 8/RHEL 8
The hostname for our demonstration is dnscache.linuxapt.com
The IP address is 192.168.10.10
Client:
The Operating System is CentOS 8/RHEL 8
The hostname for our demonstration is client.linuxapt.com
The IP address is 192.168.10.20
To install BIND, first update the system packages, then install BIND and its utilities with the following commands:
yum update
dnf install bind bind-utils
On CentOS 8 "yum" is an alias for dnf, so either command works.
In the command above, "bind" is the DNS server package and "bind-utils" provides the query tools (dig, host, nslookup) used to interrogate DNS servers for information about Internet hosts.
Start the BIND service and enable it to start automatically at boot. Note that the BIND service unit is called "named". Run the command below:
systemctl enable --now named
Check that the service is running with the command below:
systemctl status named
To configure the cache server, edit the configuration file /etc/named.conf:
vim /etc/named.conf
Make the following changes in the options block:
listen-on port 53 { 127.0.0.1; any; };
allow-query { localhost; any; };
allow-query-cache { localhost; any; };
recursion yes;
From the attributes above, note that:
"any" means queries from any network range are accepted, and it instructs BIND to listen on every available interface, public or private.
Recursion is set to yes so that the server resolves names on behalf of its clients. Combined with "any" in the three lists, this makes the server an open resolver for every network it is attached to; on anything other than an isolated lab network, replace "any" with your internal address range.
The complete named.conf will then look like this:
options {
    listen-on port 53 { 127.0.0.1; any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    allow-query { localhost; any; };
    allow-query-cache { localhost; any; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Note the following:
The line "listen-on port 53 { 127.0.0.1; any; };" sets the port and the addresses on which BIND accepts incoming DNS requests. A specific interface address can be given in place of "any".
"allow-query { localhost; any; };" controls which clients are allowed to send queries to this server; with "any", every host that can reach it.
"allow-query-cache { localhost; any; };" controls which clients may receive answers from the cache, as opposed to authoritative data the server holds itself.
"recursion yes;" makes BIND resolve a name on the client's behalf, querying other servers as needed, instead of only answering from data it already has. The matching "allow-recursion" list limits which clients may ask for that; when it is absent, BIND takes it from allow-query-cache, which is why "any" there is the setting to tighten for an internal-only resolver.
Make sure the file is owned by root and readable by the "named" group, since the named service runs as the named user and must be able to read it:
chown root:named /etc/named.conf
Also restore the SELinux context on the file (restorecon /etc/named.conf sets the same label from the loaded policy):
chcon system_u:object_r:named_conf_t:s0 /etc/named.conf
To check that the BIND configuration syntax is valid, run the command below (it prints nothing on success):
named-checkconf
With the BIND configuration complete, restart the "named" service:
systemctl restart named
The firewall allows incoming and outgoing connections according to its rules. DNS uses port 53 on both UDP and TCP, and it must be allowed through. The following commands open port 53 to every source; on a server with an interface facing an untrusted network, limit the rule to the internal source range instead:
firewall-cmd --permanent --add-port 53/tcp
firewall-cmd --permanent --add-port 53/udp
To apply the changes, reload the firewall service:
firewall-cmd --reload
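The following script is an added example, not part of the original article or of the BIND project. It applies the server-side steps above (configuration file, ownership and SELinux label, syntax check, firewall, service restart) in a hardened form that matches the security benefit claimed earlier: instead of "any", a named ACL limits listening, queries, cache answers and recursion to the internal network, and the firewall admits port 53 only from that network. The internal subnet 192.168.10.0/24 and the listening address 192.168.10.10 are assumptions taken from the addresses used in this guide; adjust them to your network.

```shell
#!/bin/sh
# Added example (not from the original article): install a hardened
# caching-resolver configuration. Assumptions taken from this guide, adjust
# for your network: resolver address 192.168.10.10, internal subnet
# 192.168.10.0/24.
set -eu

INTERNAL_NET="${INTERNAL_NET:-192.168.10.0/24}"
LISTEN_ADDR="${LISTEN_ADDR:-192.168.10.10}"

# The walkthrough's settings, kept only for comparison: "any" in every list
# plus recursion means anyone who can reach port 53 may use this resolver.
weak_settings() {
    printf '%s\n' \
        'listen-on port 53 { 127.0.0.1; any; };' \
        'allow-query { localhost; any; };' \
        'allow-query-cache { localhost; any; };' \
        'recursion yes;'
}

# Hardened named.conf: one named ACL, referenced by every access list,
# and recursion explicitly limited to it.
hardened_conf() {
    cat <<EOF
acl "internal" { 127.0.0.1; ${INTERNAL_NET}; };

options {
    listen-on port 53 { 127.0.0.1; ${LISTEN_ADDR}; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    allow-query { internal; };
    allow-query-cache { internal; };
    allow-recursion { internal; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
EOF
}

# Exit 0 when a config file still grants listening, queries or recursion
# to "any"; usable as a pre-deploy check on /etc/named.conf.
grants_any() {
    grep -Eq '(listen-on|allow-query|allow-query-cache|allow-recursion)[^}]*[{; ]any[ ;}]' "$1"
}

# Write the hardened file, validate it, fix ownership and SELinux label,
# admit port 53 (TCP and UDP, firewalld's "dns" service) only from the
# internal subnet, and restart named. Run as root on the resolver.
install_hardened() {
    conf="${1:-/etc/named.conf}"
    hardened_conf > "$conf"
    chown root:named "$conf"
    chmod 640 "$conf"
    restorecon "$conf"
    named-checkconf "$conf"
    firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"${INTERNAL_NET}\" service name=\"dns\" accept"
    firewall-cmd --reload
    systemctl restart named
}

# Usage: sh harden-resolver.sh install    (script name assumed)
if [ "${1:-}" = "install" ]; then
    install_hardened
fi
```

Run it with the "install" argument as root on the resolver. Without the argument it only defines the functions, so the generated file can be reviewed with hardened_conf, or an existing /etc/named.conf checked with grants_any, before anything on the host is changed.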
The server can now be tested with the dig command. For example, to resolve "google.com" from the server itself, run:
dig google.com
Next, configure the client to use the cache server. This involves changing the DNS address in the client's network configuration.
Start by finding the name of the network interface:
ifconfig -a
(ifconfig comes from the net-tools package, which is not installed by default on CentOS 8; "ip -br link" shows the same information.)
Assuming the interface is "ens33", edit its configuration file:
vim /etc/sysconfig/network-scripts/ifcfg-ens33
It contains entries like the following; DNS1 is the line that points the client at the cache server:
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=45cc7c46-5417-35aa-9e15-a07314c5f0bd
DEVICE=ens33
ONBOOT=yes
AUTOCONNECT_PRIORITY=-999
IPADDR=192.168.10.20
PREFIX=24
GATEWAY=192.168.43.1
DNS1=192.168.10.10
After changing DNS1, restart NetworkManager so that the new nameserver is written to /etc/resolv.conf:
systemctl restart NetworkManager
Then test resolution from the client with dig; the SERVER line in the output should show 192.168.10.10#53:
dig google.com
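To confirm that the client really goes through the cache server and that the server is actually caching, here is an added example in the form of a small shell script; it is not from the original article. It reads the nameserver lines from /etc/resolv.conf, parses dig output for the status, flags, answering server and answer TTL, and, when run with --live, queries the resolver twice one second apart: a cached answer comes back with a lower TTL and a query time of about 0 msec, while a REFUSED status without the "ra" flag is what a client outside the allowed network should see. The resolver address 192.168.10.10 is assumed from this guide, and the dig outputs embedded for self-testing are constructed samples, not real captures.

```shell
#!/bin/sh
# Added example (not from the original article): verify a client against the
# caching resolver. Assumed resolver address from this guide: 192.168.10.10.
set -eu

RESOLVER="${RESOLVER:-192.168.10.10}"

# Nameserver addresses listed in a resolv.conf-style file.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# True when the file names our resolver.
client_uses_resolver() {
    resolv_nameservers "$1" | grep -qxF "$RESOLVER"
}

# Each helper reads one "dig" output on stdin and prints a single field.
dig_status() { sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'; }
dig_flags()  { sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'; }
dig_server() { sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'; }
dig_qtime()  { sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p'; }
dig_ttl() {
    # TTL of the first record in the ANSWER SECTION; empty when there is none.
    awk '/^;; ANSWER SECTION:/ { want = 1; next }
         want && /^$/ { exit }
         want && $3 == "IN" { print $2; exit }'
}

# "ra" in the flags means the server offered recursion to this client.
recursion_offered() {
    case " $(dig_flags) " in *" ra "*) return 0 ;; esac
    return 1
}

# A cache hit returns a TTL that has counted down from the first answer.
looks_cached() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$2" -lt "$1" ]
}

# Constructed sample outputs (not real captures) used for the self-test.
sample_ok() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             299     IN      A       203.0.113.10

;; Query time: 0 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
EOF
}
sample_refused() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 23456
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 0 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
EOF
}
sample_resolv() {
cat <<'EOF'
# Generated by NetworkManager
search linuxapt.com
nameserver 192.168.10.10
EOF
}

# Live check from the client (needs dig and network access): the second
# lookup, one second later, should come from the cache with a lower TTL.
live_check() {
    name="${1:-google.com}"
    client_uses_resolver /etc/resolv.conf || echo "warning: /etc/resolv.conf does not list $RESOLVER"
    first=$(dig @"$RESOLVER" "$name")
    sleep 1
    second=$(dig @"$RESOLVER" "$name")
    printf 'status=%s server=%s flags=[%s]\n' \
        "$(printf '%s\n' "$first" | dig_status)" \
        "$(printf '%s\n' "$first" | dig_server)" \
        "$(printf '%s\n' "$first" | dig_flags)"
    t1=$(printf '%s\n' "$first" | dig_ttl)
    t2=$(printf '%s\n' "$second" | dig_ttl)
    if looks_cached "$t1" "$t2"; then
        echo "cached: TTL $t1 -> $t2, second query took $(printf '%s\n' "$second" | dig_qtime) msec"
    else
        echo "not served from cache (TTL $t1 -> $t2); check status and flags above"
    fi
}

# Usage on the client: sh check-resolver.sh --live [name]   (script name assumed)
if [ "${1:-}" = "--live" ]; then
    live_check "${2:-google.com}"
fi
```

Run it from the client with --live after the NetworkManager restart. Running the same script from a host outside the permitted range is a quick way to verify that the resolver is not open: the expected result there is status REFUSED and no "ra" flag.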
To start the named service, run the command below;
systemctl start named
To check whether the named service is enabled to start automatically at boot, run the command below:
systemctl is-enabled named
If it reports "disabled", enable it with the following command:
systemctl enable named
To disable the named service, run the command below;
systemctl disable named
Additionally, to mask the named service so that it cannot be started by any other unit or command, run the command below:
systemctl mask named
To unmask the named service, run the command below;
systemctl unmask named