Hi,
I just installed CentOS 7 on a public server. I'd like to set up BIND as a primary DNS server for a few domains.
Until now, all my public machines were running Slackware Linux, and setting up BIND on a Slackware machine is relatively easy. In its out-of-the-box configuration, it has a bone-headed caching nameserver role, which is quite easy to expand to a primary nameserver. Here's my documentation. It's in French, but the *nix bits are universal.
http://blog.microlinux.fr/bind-slackware/
On my server running CentOS, I notice things are more complicated in the default configuration. The problem here is not so much documentation, but more like the wealth of information on the subject of BIND on CentOS, with often contradicting information.
Is there a *reliable* more or less quick & dirty tutorial on how to get BIND up and running as a primary public nameserver, with the default configuration as a starting point? Think "recipe for pasta" and not "degree in food chemistry". :o)
Cheers,
Niki
On 4/11/2017 10:05 AM, Nicolas Kovacs wrote:
I just installed CentOS 7 on a public server. I'd like to set up BIND as a primary DNS server for a few domains.
do you mean 'authoritative DNS server' ?
On 11/04/2017 at 19:09, John R Pierce wrote:
do you mean 'authoritative DNS server' ?
Yes.
On 4/11/2017 10:17 AM, Nicolas Kovacs wrote:
On 11/04/2017 at 19:09, John R Pierce wrote:
do you mean 'authoritative DNS server' ?
Yes.
I've not run bind on c7 yet, but on c6, I just edit /etc/named.conf and create /var/named/master/$zonename then do a 'reload' of the named service. Not sure why c7 would be much different.
On 11.04.2017 at 19:17, Nicolas Kovacs info@microlinux.fr wrote:
On 11/04/2017 at 19:09, John R Pierce wrote:
do you mean 'authoritative DNS server' ?
Yes.
Totally off-topic, but it hits my mind right now. We are receiving a large number of version queries on our public DNS infra from a broad range of Amazon IPs - completely random from (just to show briefly some networks):
... 34.192.0.0/14 34.207.211.0/24 34.209.21.0/24 34.209.5.0/24 35.166.12.0/24 ... 52.0.0.0/9 52.88.0.0/13 52.192.0.0/9 54.89.54.0/24 54.144.0.0/12 54.197.33.0/24 ...
Is someone getting the same door knocks?
-- LF
On 04/11/2017 10:05 AM, Nicolas Kovacs wrote:
Is there a *reliable* more or less quick & dirty tutorial on how to get BIND up and running as a primary public nameserver, with the default configuration as a starting point?
1: Change the "listen-on" settings to bind to network interfaces:
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { any; };
2: Allow external queries by removing the allow-query setting entirely:
- allow-query { localhost; };
3: Disallow recursion by removing recursion setting:
- recursion yes;
4: Add your zones.
DNSSEC is slightly more involved, but basic setup should be basically the same as what you've been doing.
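As an added illustration (not from this thread, and not the CentOS default file), here is what the options block and one zone stanza in /etc/named.conf look like once the four steps above are applied to an authoritative-only server; example.com, the zone file name and the secondary's address 192.0.2.53 are placeholders, and recursion and zone transfers are written out explicitly rather than left to BIND's built-in defaults.

```conf
// Added example of an authoritative-only /etc/named.conf on CentOS 7.
// example.com, the zone file and 192.0.2.53 are placeholders.
options {
    // Step 1: answer on all interfaces, not just loopback.
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };

    directory          "/var/named";
    dump-file          "/var/named/data/cache_dump.db";
    statistics-file    "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    // Step 2: no allow-query line at all; BIND's default is { any; },
    // which is what a public authoritative server wants.

    // Step 3: state this explicitly. BIND's default for "recursion" is
    // yes, so only deleting "recursion yes;" does not switch it off.
    recursion no;

    // Zone transfers only to the secondary, and tell it about changes.
    allow-transfer { 192.0.2.53; };
    notify yes;

    // Answer the CHAOS-class version.bind query with a fixed string
    // instead of the real release number.
    version "not disclosed";
};

// Step 4: one master zone. Files under /var/named carry the SELinux
// label named_zone_t; after copying a zone file in from elsewhere,
// run "restorecon -v /var/named/example.com.zone" so named can read it.
zone "example.com" IN {
    type master;
    file "example.com.zone";
};
```

Check the result with `named-checkconf /etc/named.conf` and `named-checkzone example.com /var/named/example.com.zone` before running `systemctl reload named`.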
On 11/04/2017 at 19:34, Gordon Messmer wrote:
1: Change the "listen-on" settings to bind to network interfaces:
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
2: Allow external queries by removing the allow-query setting entirely:
allow-query { localhost; };
3: Disallow recursion by removing recursion setting:
recursion yes;
4: Add your zones.
DNSSEC is slightly more involved, but basic setup should be basically the same as what you've been doing.
I'll give this a try with a clear head tomorrow. Thanks very much!
One additional DNS server note: you should disable firewalld for any DNS server, caching or authoritative. If you need firewalling, use straight iptables.
The reason is that firewalld always enables connection state tracking (at least as far as I can tell), and that should never be used in front of a DNS server. A public authoritative server or any caching server can get a high rate of requests, and having the kernel firewalling trying to track connection states is a bottleneck (one that will be reached before DNS software's limits).
If you must firewall a DNS server, use straight iptables and do not use connection state tracking.
Hi, I would like to see this addressed.
I found more information on the issue at https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html
Is there a firewalld solution to this issue?
On 04/11/2017 11:05 AM, Chris Adams wrote:
One additional DNS server note: you should disable firewalld for any DNS server, caching or authoritative. If you need firewalling, use straight iptables.
The reason is that firewalld always enables connection state tracking (at least as far as I can tell), and that should never be used in front of a DNS server. A public authoritative server or any caching server can get a high rate of requests, and having the kernel firewalling trying to track connection states is a bottleneck (one that will be reached before DNS software's limits).
If you must firewall a DNS server, use straight iptables and do not use connection state tracking.
On 04/11/2017 04:16 PM, Alice Wonder wrote:
Hi, I would like to see this addressed. Is there a firewalld solution to this issue?
Yes:
# Disable connection tracking for UDP DNS traffic
# https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m conntrack --ctstate UNTRACKED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -m conntrack --ctstate UNTRACKED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 100 -p udp -m udp --dport 53 -j CT --notrack
firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 100 -p udp -m udp --sport 53 -j CT --notrack
firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p udp -m udp --dport 53 -j CT --notrack
firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p udp -m udp --sport 53 -j CT --notrack
firewall-cmd --reload
On 04/14/2017 06:54 PM, Gordon Messmer wrote:
On 04/11/2017 04:16 PM, Alice Wonder wrote:
Hi, I would like to see this addressed. Is there a firewalld solution to this issue?
Yes:
# Disable connection tracking for UDP DNS traffic
# https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m conntrack --ctstate UNTRACKED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -m conntrack --ctstate UNTRACKED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 100 -p udp -m udp --dport 53 -j CT --notrack
firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 100 -p udp -m udp --sport 53 -j CT --notrack
firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p udp -m udp --dport 53 -j CT --notrack
firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p udp -m udp --sport 53 -j CT --notrack
firewall-cmd --reload
Thank you!
Here are two articles on DNS that I wrote for Opensource.com.
Introduction to the Domain Name System (DNS) https://opensource.com/article/17/4/introduction-domain-name-system-dns
Build your own DNS name server on Linux https://opensource.com/article/17/4/build-your-own-name-server
I hope this helps.
On 04/11/2017 01:34 PM, Gordon Messmer wrote:
On 04/11/2017 10:05 AM, Nicolas Kovacs wrote:
Is there a *reliable* more or less quick & dirty tutorial on how to get BIND up and running as a primary public nameserver, with the default configuration as a starting point?
1: Change the "listen-on" settings to bind to network interfaces:
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
2: Allow external queries by removing the allow-query setting entirely:
allow-query { localhost; };
3: Disallow recursion by removing recursion setting:
recursion yes;
4: Add your zones.
DNSSEC is slightly more involved, but basic setup should be basically the same as what you've been doing.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
If you are looking for a recursive resolver, I would highly recommend unbound.
If you are looking for an authoritative DNS server, I would highly recommend NSD.
I run both and find both extremely easy to configure and maintain.
Both are available from the EPEL repositories.
I stopped using bind years ago and never looked back.
On 04/11/2017 10:05 AM, Nicolas Kovacs wrote:
Hi,
I just installed CentOS 7 on a public server. I'd like to set up BIND as a primary DNS server for a few domains.
Until now, all my public machines were running Slackware Linux, and setting up BIND on a Slackware machine is relatively easy. In its out-of-the-box configuration, it has a bone-headed caching nameserver role, which is quite easy to expand to a primary nameserver. Here's my documentation. It's in French, but the *nix bits are universal.
http://blog.microlinux.fr/bind-slackware/
On my server running CentOS, I notice things are more complicated in the default configuration. The problem here is not so much documentation, but more like the wealth of information on the subject of BIND on CentOS, with often contradicting information.
Is there a *reliable* more or less quick & dirty tutorial on how to get BIND up and running as a primary public nameserver, with the default configuration as a starting point? Think "recipe for pasta" and not "degree in food chemistry". :o)
Cheers,
Niki
I am writing my howto on BIND for Centos7. Mine is running on Centos7-arm. You can see some of the basics I have done at:
file:///home/rgm/data/htt/httnet/homepage/Centos7-armv7.html
I have a caveat I learned with dealing with SELinux and BIND there.
On 04/11/2017 01:05 PM, Nicolas Kovacs wrote:
Hi,
I just installed CentOS 7 on a public server. I'd like to set up BIND as a primary DNS server for a few domains.
Until now, all my public machines were running Slackware Linux, and setting up BIND on a Slackware machine is relatively easy. In its out-of-the-box configuration, it has a bone-headed caching nameserver role, which is quite easy to expand to a primary nameserver. Here's my documentation. It's in French, but the *nix bits are universal.
http://blog.microlinux.fr/bind-slackware/
On my server running CentOS, I notice things are more complicated in the default configuration. The problem here is not so much documentation, but more like the wealth of information on the subject of BIND on CentOS, with often contradicting information.
Is there a *reliable* more or less quick & dirty tutorial on how to get BIND up and running as a primary public nameserver, with the default configuration as a starting point? Think "recipe for pasta" and not "degree in food chemistry". :o)
Cheers,
Niki
On 4/12/2017 7:25 PM, Robert Moskowitz wrote:
I am writing my howto on BIND for Centos7. Mine is running on Centos7-arm. You can see some of the basics I have done at:
file:///home/rgm/data/htt/httnet/homepage/Centos7-armv7.html
No one else can see your local file system.
ARGH!
That was the local copy I am editing.
On 04/13/2017 01:11 AM, John R Pierce wrote:
On 4/12/2017 7:25 PM, Robert Moskowitz wrote:
I am writing my howto on BIND for Centos7. Mine is running on Centos7-arm. You can see some of the basics I have done at:
file:///home/rgm/data/htt/httnet/homepage/Centos7-armv7.html
No one else can see your local file system.
On 13/04/2017 at 04:25, Robert Moskowitz wrote:
I am writing my howto on BIND for Centos7. Mine is running on Centos7-arm. You can see some of the basics I have done at:
file:///home/rgm/data/htt/httnet/homepage/Centos7-armv7.html
I have a caveat I learned with dealing with SELinux and BIND there.
You sent a link to a local file (file://) so unfortunately I can't access it.
Yep, I messed up, copying from the wrong window.
On 04/13/2017 01:22 AM, Nicolas Kovacs wrote:
On 13/04/2017 at 04:25, Robert Moskowitz wrote:
I am writing my howto on BIND for Centos7. Mine is running on Centos7-arm. You can see some of the basics I have done at:
file:///home/rgm/data/htt/httnet/homepage/Centos7-armv7.html
I have a caveat I learned with dealing with SELinux and BIND there.
You sent a link to a local file (file://) so unfortunately I can't access it.