CentOS 5 : chroot DNS with bind
The CentOS 4 version of this howto is here: http://www.wains.be/index.php/2007/02/04/centos-chroot-dns-with-bind/
1. Install packages :
yum install bind bind-chroot bind-libs bind-utils caching-nameserver
2. Configure RNDC :
cd /var/named/chroot/etc
rndc-confgen > rndc.key
chown root:named rndc.key
Edit rndc.key so it looks like this :
key "rndckey" {
algorithm hmac-md5;
secret "SGsvd1dF+mv+yU4ywCCkkg==";
};
You don't need anything else in the file: remove the options lines that rndc-confgen generated and keep only the key statement.
A symlink /etc/rndc.key points to the rndc.key file we've just created; rndc reads its key from there, and the same key goes into named.conf in the next step so that named can authenticate rndc.
3. Configure /var/named/chroot/etc/named.conf
// we include the rndckey (copy-paste from rndc.key created earlier)
key "rndckey" {
algorithm hmac-md5;
secret "SGsvd1dF+mv+yU4ywCCkkg==";
};
// we assume our server has the IP 192.168.254.207 serving the 192.168.254.0/24 subnet
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndckey"; };
inet 192.168.254.207 allow { 192.168.254.0/24; } keys { "rndckey"; };
};
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
recursion yes;
allow-recursion {
127.0.0.1;
192.168.254.0/24;
};
// these are the opendns servers (optional)
forwarders {
208.67.222.222;
208.67.220.220;
};
listen-on {
127.0.0.1;
192.168.254.207;
};
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
query-source address * port 53;
// so people can't try to guess what version you're running
version "REFUSED";
allow-query {
127.0.0.1;
192.168.254.0/24;
};
};
server 192.168.254.207 {
keys { rndckey; };
};
zone "." IN {
type hint;
file "named.ca";
};
// forward zone
zone "test.be" IN {
type master;
file "data/test.be.zone";
allow-update { none; };
// we assume we have a slave dns server with the IP 192.168.254.101
allow-transfer { 192.168.254.101; };
};
// reverse zone
zone "100.168.192.in-addr.arpa" IN {
type master;
file "data/192.168.100.zone";
allow-update { none; };
allow-transfer { 192.168.254.101; };
};
4. Our first zone
Let's say I own the domain test.be.
We create its zone file under /var/named/chroot/var/named/data/test.be.zone, which is data/test.be.zone relative to the directory option once named is chrooted.
Here’s an example :
$TTL 38400
test.be. IN SOA ns.test.be. admin.test.be. (
2007020400 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
test.be. IN NS ns.test.be.
test.be. IN MX 1 mx.test.be.
test.be. IN MX 5 mx2.test.be.
www.test.be. IN A 192.168.100.5
ns.test.be. IN A 192.168.100.10
mx.test.be. IN A 192.168.100.20
mx2.test.be. IN A 192.168.100.21
mail.test.be. IN CNAME mx.test.be.
Here’s the corresponding reverse zone under /var/named/chroot/var/named/data/192.168.100.zone :
$TTL 86400
100.168.192.in-addr.arpa. IN SOA ns.test.be. admin.test.be. (
2007032000 ; Serial
10800 ; Refresh after 3 hours
900 ; Retry after 15 minutes
604800 ; Expire after 1 week
3600 ) ; Minimum TTL of 1 hour
100.168.192.in-addr.arpa. IN NS ns.test.be.
20.100.168.192.in-addr.arpa. IN PTR mx.test.be.
5.100.168.192.in-addr.arpa. IN PTR www.test.be.
5. Start the service and make sure it’ll start at boot
service named start
chkconfig named on
Make sure it’s running :
# rndc status
number of zones: 1
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running
6. Query
# nslookup mx.test.be. 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: mx.test.be
Address: 192.168.100.20
# nslookup www.google.com. 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 216.239.59.99
Name: www.l.google.com
Address: 216.239.59.103
Name: www.l.google.com
Address: 216.239.59.104
Name: www.l.google.com
Address: 216.239.59.147
7. /etc/resolv.conf
If the queries in the previous step work, you can point the server's own /etc/resolv.conf at it.
It should look like this :
search test.be
nameserver 127.0.0.1
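Added example, not part of the original post: a small Python checker for a named.conf written in the style of step 3. It parses the file into a statement tree and reports the mistakes that recur in the comments below (allow lists that do not cover the address named listens on, rndc keys referenced in controls but never defined, recursion open to any host, a master zone without allow-transfer) and flags the query-source line, which pins the outgoing source port and so gives up source-port randomization against cache poisoning. The sample configuration, its key and its addresses are constructed; the checker complements named-checkconf rather than replacing it.

```python
# Added example, not from the original post: parses a named.conf written in the
# style of step 3 and reports the mistakes that recur in the comment thread
# (allow lists not covering the listened-on address, undefined rndc keys, open
# recursion, a pinned source port, unrestricted zone transfers).
import ipaddress
import re

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def parse(tokens, i=0):
    """Statement = list of words and nested statement lists ({ } bodies)."""
    stmts, cur = [], []
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok == "{":
            body, i = parse(tokens, i)
            cur.append(body)
        elif tok in (";", "}"):
            stmts, cur = stmts + ([cur] if cur else []), []
            if tok == "}":
                return stmts, i
        else:
            cur.append(tok.strip('"'))
    return stmts + ([cur] if cur else []), i

def load(text):  # strip /* */ and // or # comments, then tokenize and parse
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return parse(TOKEN.findall(re.sub(r"(//|#)[^\n]*", "", text)))[0]

def find(stmts, name):
    return [s for s in stmts if s and s[0] == name]
def body_of(stmt):  # last { } body of a statement, e.g. the options body
    blocks = [p for p in stmt if isinstance(p, list)]
    return blocks[-1] if blocks else []
def after(stmt, word):  # the { } body right after `word`, e.g. keys { ... }
    k = stmt.index(word) if word in stmt else len(stmt)
    return stmt[k + 1] if k + 1 < len(stmt) and isinstance(stmt[k + 1], list) else []
def entries(body):  # flatten an address-match list { 127.0.0.1; 10.0.0.0/24; }
    return [s[0] for s in body if s and isinstance(s[0], str)]
def acl(body, name):
    hits = find(body, name)
    return entries(body_of(hits[0])) if hits else None

def covered(addr, lst):  # addr inside some network of lst (any/none skipped)
    for e in lst:
        try:
            if ipaddress.ip_address(addr) in ipaddress.ip_network(e, strict=False):
                return True
        except ValueError:
            pass
    return False

def check(text):
    """Return a list of human-readable findings for the named.conf text."""
    top, out = load(text), []
    keys = {s[1] for s in find(top, "key") if len(s) > 1}
    obody = body_of((find(top, "options") or [[]])[0])
    listen = [a for a in acl(obody, "listen-on") or [] if a != "127.0.0.1"]
    rec = find(obody, "recursion")
    allow_rec, allow_q = acl(obody, "allow-recursion"), acl(obody, "allow-query")
    if (rec[0][-1] if rec else "yes") == "yes" and (not allow_rec or "any" in allow_rec):
        out.append("recursion is enabled for any client: open resolver")
    for name, lst in (("allow-query", allow_q), ("allow-recursion", allow_rec)):
        for addr in listen:
            if lst and "any" not in lst and not covered(addr, lst):
                out.append(f"listen-on address {addr} is outside every network in {name}")
    for qs in find(obody, "query-source"):
        if "port" in qs and isinstance(qs[-1], str) and qs[-1].isdigit():
            out.append(f"query-source pins the source port to {qs[-1]}; "
                       "source-port randomization against cache poisoning is lost")
    for ctl in find(top, "controls"):
        for inet in find(body_of(ctl), "inet"):
            for k in entries(after(inet, "keys")):
                if k not in keys:
                    out.append(f"controls inet {inet[1]}: key {k!r} is not defined")
            if "any" in entries(after(inet, "allow")):
                out.append(f"controls inet {inet[1]}: rndc channel open to any host")
    for zone in find(top, "zone"):
        zbody = body_of(zone)
        if ["type", "master"] in zbody and not find(zbody, "allow-transfer"):
            out.append(f"zone {zone[1]}: no allow-transfer, so any host may transfer it")
    return out

# Constructed sample in the post's layout, with the errors commenters ran into.
SAMPLE_CONF = """
key "rndckey" { algorithm hmac-md5; secret "ZXhhbXBsZS1vbmx5"; };  // not a real key
controls {
    inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndckey"; };
    inet 192.168.121.19 allow { any; } keys { "rndc-key"; };
};
options {
    directory "/var/named"; recursion yes; allow-recursion { any; };
    listen-on { 127.0.0.1; 192.168.121.19; };
    query-source address * port 53;  /* as in the post's named.conf */
    allow-query { 127.0.0.1; 192.168.254.0/24; };
};
zone "example.test" IN { type master; file "data/example.test.zone"; };
"""
```

Running check(SAMPLE_CONF) lists six findings; fixing the subnet, key name, recursion list and adding allow-transfer leaves only the pinned query-source port.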
Comments
Jamal
Thanks for your Sebastien Declaration Bind chroot with CentOS 5
I did ask a few questions. Can you please answer the questions.
I need your help
Jamal
Sébastien Wains
Hi Jamal, I’m sorry I don’t understand. Which questions are you talking about ?
amri
i need help .. named cannot be started .. i just followed the sample file and made a change to my environment.
updatedb didn’t show any error .. any workaround ..
regards
amri
just found this error ..
rndc: connect failed: 127.0.0.1#953: connection refused
Sébastien Wains
Make sure the daemon is listening.
Also make sure you don’t have your firewall blocking connections..
Check the logs or start the daemon manually with verbose option set.
I might have missed something in this article, but as far as I remember, I set it up on a fresh install..
let me know so we can figure it out
amri
sorry if this was a spam post ..
but i've managed to start the named service after changing some lines ..
server 192.168.254.207 {
keys { rndckey; };
};
to
server 127.0.0.1 {
keys { rndckey; };
};
but currently it can't nslookup other domains
.. will try to find the solution .. great to achieve this far ..
thank you so much for this great howto
regards
Nathalie
Hello Sébastien,
I am just on placement in a company and I've been assigned a task of setting up a DNS server with bind on CentOS 5. Your article would have just been of paramount help to me if only, while installing with the string you provided ("yum install bind bind-chroot bind-libs bind-utils caching-nameserver"), I hadn't got this error message: yum install bind bind-chroot bind-libs bind-utils caching-nameserver
===
It was therefore impossible for me to proceed with step 3.
Could you pls help me?
Many thanks
Nathalie
bstaggs
Greetings,
I have a fresh install of CentOS 5.1 and I don't believe that named.conf is generated by default as it was in version 4.x. I don't want the GUI stuff so I can't run system-config-bind. What gives? Did they change something or what am I missing?
Thanks,
bstaggs
Sébastien Wains
Hi bstaggs
Under section “3. Configure /var/named/chroot/etc/named.conf” you get a working named.conf.
A sample config file is provided by the package named (rpm -ql bind | grep named.conf)
gaurav
sir, I need a named.conf file. I always get a problem downloading it; please provide me a named.conf file so that I can complete the DNS server
Alberto
Excuse me, where can I find this address on my web server? "we assume our server has the IP 192.168.254.207 serving the 192.168.254.0/24 subnet
controls".
"we assume we have a slave dns server with the IP 192.168.254.101"
thanks for replying
Sébastien Wains
Hello Roberto,
Don’t get me wrong but I’m not sure how you want to set up a chrooted dns server if you don’t know where to find the IP address of your machine.
Here’s the command… ifconfig (there are others)
You may not want to add the “allow transfer” line in the zone if you don’t have a slave server
Alberto
thanks Sébastien for reply
i know ifconfig command
this is the result
inet addr:68.9.198.188 Bcast:68.9.198.255 Mask:255.255.255.0
i know 68.9.198.188 is server ip but subnet
controls ip?
kulpreet singh
hello SAB,
Can you please help me with how to create a MASTER and Slave DNS server
regards
kulpreet singh
Sébastien Wains
You basically just need to add a “slave” zone to your “slave” DNS server.
A DNS server is not considered a slave, only zones are.
Check this for an example of slave zone : http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/s1-bindconf-slave-zone.html
Praveen V
Hi,
Read through the above forum post. It was very helpful. However I am facing an issue. Our servers are hosted in a Data center. I have installed bind-9.3.3-10.el5 and set up my dns server.
dig domain.com works fine.
dig @localhost domain.com works fine
dig @local_IP domain.com works fine
but
dig @external_IP domain.com fails.
telnet external_IP 53 (the port in which bind is running) also fails.
My conf files are at /var/named/chroot/var/named directory.
Any help / suggestions would be greatly appreciated.
Regards,
Praveen
Praveen V
It got resolved. It was a firewall issue at the Data center.
Thanks & Regards,
Praveen V
Sébastien Wains
FYI, telneting into port 53 wouldn’t help.
DNS servers work on UDP/53 while telnet attempts a TCP connection. DNS servers use TCP for zone transfers, but UDP for responding to requests.
Praveen V
Thank you very much for the info.
Thanks & Regards,
Praveen V
Jose
Hello Sébastien,
Why did you use the caching-nameserver package?
I ask because I saw another tutorial that installs bind-chroot without this package
http://www.howtoforge.com/centos-5.1-server-lamp-email-dns-ftp-ispconfig-p4
thanks & regards
Sébastien Wains
Hi,
caching-nameserver just provides config files for localhost and 127.0.0.1 zones, and such..
/etc/named.caching-nameserver.conf
/etc/named.conf
/etc/named.rfc1912.zones
/usr/share/doc/caching-nameserver-9.4.2
/usr/share/doc/caching-nameserver-9.4.2/Copyright
/usr/share/doc/caching-nameserver-9.4.2/rfc1912.txt
/var/named/chroot/etc/named.conf
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
Altria
I have followed the above directions but it appears that I am not getting my zone to show up in "rndc status"
the following output.....
# rndc status
number of zones: 0
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running
Any help would be appreciated,
thanks,
Altria
Sébastien Wains
Hi Altria
If there is an error in the zone that is preventing it from loading, you should get some output in the logs (/var/log/syslog or /var/log/messages)
alaisa22
Hello, I'm currently setting up a Zimbra mail server and it requires DNS running. I followed your instructions; when I started named, it works fine. But the problem is when I try to test, here is what I got
Note: IP 192.168.120.1 is my gateway.
========================================================
[root@localhost data]# nslookup mx.onin.be. 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can’t find mx.onin.be: NXDOMAIN
========================================================
Altria
Thanks Sebastian!
I found the problem which was in the named.conf file; an incorrect spelling on the zone.
thanks again!
Altria
Sébastien Wains
Hi Alaisa,
Have you checked the logs ? Can you provide me with the configuration, there must be something wrong in the config, given other comments appear to be about satisfied users.
Hi Altria,
You’re welcome
alaisa22
logs are fine, here is my config file for named.conf
# Start of rndc.conf
key "rndckey" {
algorithm hmac-md5;
secret "y+fRznLdzSffmyZzNG0ZKQ==";
};
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndckey"; };
inet 192.168.121.19 allow ( 192.168.254.0/24; } keys { "rndckey"; };
};
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
recursion yes;
allow-recursion {
127.0.0.1;
192.168.254.0/24;
};
listen-on {
127.0.0.1;
192.168.121.19;
};
query-source address * port 53;
allow-query {
127.0.0.1;
192.168.254.0/24;
};
};
server 192.168.121.19 {
keys { rndckey; };
};
zone "onin.be" IN {
type master;
file "cd /var/named/chroot/var/named/data/onin.be.zone";
allow-update { none; };
allow-transfer { 192.168.121.19; };
};
Here is my config file for my zone located at /var/named/chroot/var/named/data/onin.be.zone
$ttl 38400
onin.be. IN SOA ns.onin.be. admin.onin.be. (
2007020800 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
onin.be. IN NS ns.onin.be.
onin.be. IN MX 1 mx.onin.be.
onin.be. IN MS 5 mx2.onin.be.
ns.onin.be. IN A 192.168.120.22
mx.onin.be. IN A 192.168.121.19
mx2.onin.be. IN A 192.168.121.19
mail.onin.be. IN CNAME mx.onin.be.
Thanks!
Sébastien Wains
Hi,
First of all, the "allow", "allow recursion", "allow query" are not correct (the 192.168.254.0/24 entry). This is not our problem here since you are trying to resolve from the localhost but it would lead to other problems.
Secondly, what is behind 192.168.120.22 ? It is specified as name server for the zone, while I understand that your DNS server is running on 192.168.121.19.
Try to fix those typos and see if it helps ?
Cheers
Emir
Hi Sebastien,
I want to host the website "komentari.info" on a VPS I rented and I'm having problems with named.conf, that is how I ran into your tutorial. I've been provided with nameserver IPs and hostnames for them, so the hostname for the first nameserver is NS149210.RAPIDVPS.NET and it corresponds to 208.84.149.210, and the hostname for the secondary nameserver is NS15135.RAPIDVPS.NET and it corresponds to the IP 208.84.151.35. I've installed all the packages you showed above in this tutorial. I've been over this and many other tutorials over and over again and I can't figure out what I am doing wrong.
Here is my /etc/named.conf; it was linked from /var/named/chroot/etc/named.conf with ln -s:
====================================================================
// we include the rndckey (copy-paste from rndc.key created earlier)
key "rndckey" {
algorithm hmac-md5;
secret "HPET6WPJ7gPbry3AqnmqLrh8auV0IVgqyDoTC8nuy1BB5NKx40Q5aUXI2pav";
};
// we assume our server has the IP 192.168.254.207 serving the 192.168.254.0/24 subnet
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndckey"; };
inet 192.168.254.207 allow { 192.168.254.0/24; } keys { "rndckey"; };
};
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
recursion yes;
allow-recursion {
127.0.0.1;
192.168.254.0/24;
};
listen-on {
127.0.0.1;
192.168.254.207;
};
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
query-source address * port 53;
// so people can't try to guess what version you're running
version "REFUSED";
allow-query {
127.0.0.1;
192.168.254.0/24;
};
};
server 192.168.254.207 {
keys { rndckey; };
};
zone "." IN {
type hint;
file "named.ca";
};
view "internal"
{
// we assume we have a slave dns server with the IP 192.168.254.101
zone "komentari.info" IN {
type master;
file "/var/named/komentari.info.zone";
};
};
view "external"
{
zone "komentari.info" IN {
type master;
file "/var/named/komentari.info.zone";
};
};
==================================================================
Here is content of /var/named/komentari.info.zone
==================================================================
$TTL 14400
@ 86400 IN SOA NS149210.RAPIDVPS.NET. hexteam.gmail.com. (
2008170717 ; serial, todays date+todays
86400 ; refresh, seconds
7200 ; retry, seconds
3600000 ; expire, seconds
86400 ) ; minimum, seconds
komentari.info. 86400 IN NS ns149210.rapidvps.net.
komentari.info. 86400 IN NS ns15135.rapidvps.net.
komentari.info. IN A 208.84.149.210
localhost.komentari.info. IN A 127.0.0.1
komentari.info. IN MX 0 komentari.info.
mail IN CNAME komentari.info.
www IN CNAME komentari.info.
ftp IN CNAME komentari.info.
====================================================================
Can you figure out where I am making a mistake, why can't I get a ping reply from "ping komentari.info"? Thank you, very good tutorial
Sébastien Wains
Emir,
Is your DNS server supposed to serve the 192.168.254.0/24 subnet ?
As I understand it, you are making the server available to the world so you should set it up to accept queries for more than that.
I assume you have copied and pasted the configuration I have provided but you need to adapt to your network configuration and needs.
Azra
Emiiir, it wooorked :)
Emir
I have no clue what my DNS subnet is.. Is there a command with which I can extract that information.. and yes I'm making the server available to the world to accept queries. How can I adapt it to my network configuration, which files should I look in .. and what exactly should I adapt.. Thank you for the effort
Emir
Sébastien Wains
Hi
Don’t get me wrong. If you don’t know what a subnet is, you should be cautious about opening your DNS server to the world. Understand what you are doing before making it available to anyone. DNS can be a very complex thing to grab so maybe grab the book by O’Reilly “DNS & BIND”, it is the bible !
If you wanna know the subnet just type ifconfig.. the subnet mask is the part that begins with 255.. like 255.255.255.0 which is the subnet mask for a /24 network.
George Ornbo
Thank you very much for this. Your clear and concise post helped me to get up and running in no time!
Alex
Thank you very much!
Add www test.be.zone please, some people can be confused i think.
Guy
Hi Sébastien,
first of all congratulations for your work, but I’m a bit confused about your setup. You are restricting queries with the allow-query option to your local clients for the whole nameserver. Don’t you have to override this option for the test.be zone with a allow-query { any; }; option?
This would imply that while queries for records in authoritative zones (e.g. test.be) can come from anywhere, queries for records outside of authoritative zones (i.e., recursive queries from clients) can only come from your internal addresses.
Besides this I have a suggestion: you could add an acl for your internal addresses:
acl internal { 192.168.254.0/24; };
allow-query { internal; };
I think this is less error prone if you have to use the ip range several times
Guy
Adam
In my opinion, bind-chroot should be installed after you configure everything. It will save you time and misconfiguration errors.
Sébastien Wains
Hi Guy, indeed the setup described here is for an internal DNS server. The purpose of the article was mainly to make things clearer about the RNDC key thing. Thanks for your input !
Clay
This has been very helpful.
I think I have it almost working but dns is not resolving on my second computer connected to the server.
I have copied everything from your page, customized it for my iprange ex.
test.be I replaced with claymoss.ca, that is registered to me and with any luck someday I will have a page hosted.
anyways I digress,
when I nslookup on the server I get
[root@S010600104b22f14b etc]# nslookup www.google.ca 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
www.google.ca canonical name = www.google.com.
etc....
and on the vista computer I get
server: unknown
address: 172.17.10.1 *my internal server ip
unknown can't find www.google.com: query refused
selinux and iptables are disabled so there should be no firewall issue.
What did I miss?
Sébastien Wains
Hi, there must be a typo in the config. Bind is very sensitive with the syntax..
Clay
Got it, thanks
Sebastian
Hello,
you have installed the caching nameserver configuration but did not update your /etc/resolv.conf
If you change the nameserver entry to 127.0.0.1 all applications will use the caching nameserver by default.
Here is my file:
search mydomain.xy
nameserver 127.0.0.1
# optional other nameserver as fallback
# nameserver 111.111.111.111
Best Regards
Sebastian
Sébastien Wains
indeed.. forgot to mention that point. Fixing the post right away. Thanks
Marc-Aurèle Laquerre
Thank you very much, this guide is perfect!!!!
Tony
Very cool, needed this today as my older CentOS 4.x settings were not working on 5.x servers.
Now to update my wiki
tux
Lex
Thanks for this great article Sébastien. Keep up the good work!
Ruben Ortiz
Hi Sebastien, great tutorial once again
I have one doubt: if we create a slave zone, does named reload the "domain.zone" (or whatever) automatically with the data of its master DNS?
Thanks!
Sébastien Wains
Hi Ruben,
Thanks !
I think so.. I no longer have DNS servers under my hand so I can’t give it a try now. You should see the transactions between servers in the logs though.
Cheers
Seb
Tuan
Hi Sebastien, it's a great tutorial. So I want to ask some questions about Bind DNS, would you help me to understand. Thanks.
File config: named.conf
nano /etc/named.conf
options {
directory "/var/named";
query-source port 53;
};
zone "testcms.com" {
type master;
file "testcms.com.db";
};
And I create file: testcms.com.db
$TTL 2d ; zone TTL default = 2 days or 172800 seconds//I don’t know why TTL = 2days.
$ORIGIN testcms.com.
@ IN SOA testcms.com. hostmaster.testcms.com. (
2008051200 ; serial number (change when you modify DNS)
1d12h ; refresh = 1 day 12 hours
15M ; update retry = 15 minutes
3W12h ; expiry = 3 weeks + 12 hours
2h20M ) ; minimum = 2 hours + 20 minutes
//all of this: serial number for what? expiry = I mean it’s expiry in our server…Can you explain for me, thanks a lots, I’m newbie in jobs, and not well linux system..:)
IN NS testcms.com.
IN A 210.245.110.135
www IN A 210.245.110.135
ftp IN A 210.245.110.149
In the slave server:
I've changed: type slave and use masters { 210.245.110.135; }
I've done this. When I nslookup, it's OK. But how can I make the slave "sync" with the master server? When I create a zone on the master server, I want it to be in the slave server, too.
Thank you
supersonicaviator
Thanks for putting this up! It really helped. I had some problems with file permissions (named.conf must be set to user “named” and group “named”) but once I figured that out it was smooth sailing… Rock on!
errornous
here my named.conf
———————-
options {
directory "/etc";
pid-file "/var/run/named/named.pid";
};
zone "." {
type hint;
file "/etc/db.cache";
};
zone "name.org.my" {
type master;
file "/var/named/name.org.my.hosts";
};
key rndc-key {
algorithm hmac-md5;
secret "MOh/VWrBda4l3qP0dVvakQ==";
};
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
};
and here my zone.hosts file
—————————-
$ttl 38400
name.org.my. IN SOA ns1.name.org.my. server.name.org.my. (
2
6H
1H
5D
20M )
name.org.my. IN A 60.51.xxx.xxx
www.name.org.my. IN CNAME name.org.my.
ns1.name.org.my. IN A 60.51.xxx.xxx
ns2.name.org.my. IN A 60.52.xxx.xxx
name.org.my. IN NS ns1.name.org.my.
name.org.my. IN NS ns2.name.org.my.
name.org.my. IN MX 1 name.org.my.
and here my /etc/resolv.conf
—————————-
search named.org.my
nameserver 127.0.0.1
my problem is, when I browse from outside, it can resolve the domain name, but when I browse using my internal network to access the server it goes to my router. any problem with my local loopback?
here my setting
eth0
ip : 192.168.1.10
sub: 255.255.255.0
gateway : 192.168.1.1
eth1
ip : 90.0.0.1
sub : 255.255.255.0
Seb
@ errornous
The problem is in your controls statement
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
};
You do not include the inet for your LAN
inet 192.168.100.100 allow { 192.168.100.0/24……
errornous
sorry..this may be a bit noob..1st time setup..is this correct..because it seems it won't work
my network is using 90.0.0.x ip.
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
inet 90.0.0.1 allow { 90.0.0.0/24; } keys { rndc-key; };
};
errornous
googling around, some said the local loopback connection has a problem..wonder what I'm doing wrong here
Stefan
Hello Sébastien.
First of all sorry for my bad english and tnx for your HOWTO.
All is working fine except one thing... if I try to look up my server from outside it returns "query denied".
Where I made a mistake?
Tnx for your help.
Sébastien Wains
Hi Stephan
Comment the following :
allow-query {
127.0.0.1;
192.168.254.0/24;
};
};
If commented, it means all hosts can query your DNS server. Pay great attention to the security of your server (check out the book "DNS & Bind" from O'Reilly, it's a great resource)
Stefan
Done. All is working fine.
Thanks a lot.
Can you tell me where I am wrong, pls. Here is my .zone file; all is working except 4th-level domain names (123.voip.weblog.ro and 456.voip.weblog.ro). When I try to check them, it returns the error NXDOMAIN. Why?
$ttl 3600
webog.ro. IN SOA ns1.weblog.ro. admin.weblog.ro. (
2002032116 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ; Minimum TTL of 1 day
)
weblog.ro. IN NS ns1.weblog.ro.
weblog.ro. IN MX 10 mx.weblog.ro.
ns1.weblog.ro. IN A 87.248.169.122
mx.weblog.ro. IN A 87.248.169.122
www.weblog.ro. IN A 87.248.169.122
ftp.weblog.ro. IN A 87.248.169.122
123.voip.weblog.ro. IN A 99.333.333.236
456.voip.weblog.ro. IN A 87.248.169.122
mail.weblog.ro. IN CNAME mx.weblog.ro.
I have made the same conf in win 2003 and all is working fine.
Where I am wrong?
Tnx.
errornous
Hello Sébastien.
options {
directory "/etc";
pid-file "/var/run/named/named.pid";
};
zone "." {
type hint;
file "/etc/db.cache";
};
zone "tbs.org.my" {
type master;
file "/var/named/tbs.org.my.hosts";
};
key rndc-key {
algorithm hmac-md5;
secret "2WsmJ0BF6esZcqrSzTwkkg==";
};
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
inet 192.168.1.10 allow { 192.168.1.0/24; } keys { rndc-key; };
inet 90.0.0.1 allow { 90.0.0.0/24; } keys { rndc-key; };
};
my eth0 is internet, and my eth1 is for LAN.
what's wrong with my named..still can't get to my server through LAN. from outside seems ok..can find my domain,
Stefan
Hi Sebastien
> Sébastien Wains March 1st, 2009 | 16:29: you have to declare an NS record for voip.weblog.ro
I added the following lines in named.conf
zone “weblog.ro” IN {
type master;
file “data/weblog.ro.zone”;
allow-update { none; };
};
zone “voip.weblog.ro” IN {
type master;
file “data/weblog.ro.zone”;
allow-update { none; };
};
but it still doesn’t work
Do I need to create another zone file, designated for voip.weblog.ro?
Sébastien Wains
yes the zone voip.weblog.ro should be stored in another zone file (eg : voip.weblog.ro.zone)
Cheers
Stefan
Hello Sébastien.
Thanx for your help. All is working fine.
Can you give advice on which mail server is better and simpler to install on CentOS for 10 users?
Tnx
Seb
Not sure you followed this guide (two control instances, you mention rndc.conf that I didn’t have).. please follow this guide and it should work.
Ralph Angenendt
Piece of advice:
*DO NOT* install the caching-nameserver package when you intend to serve your own zones. Any update to caching-nameserver will just overwrite your named.conf.
Really, *DON’T* install it.
DNS error in named.conf file
Hello Sebastian,
here is my named.conf file as a static link to named.conf -> /var/named/chroot/etc/named.conf.
// we include the rndckey (copy-paste from rndc.key created earlier)
key "rndckey" {
algorithm hmac-md5;
secret "SGsvd1dF+mv+yU4ywCCkkg==";
};
// we assume our server has the IP 192.168.254.207 serving the 192.168.254.0/24 subnet
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndckey"; };
inet 10.0.0.1 allow { 10.0.0.0/24; } keys { "rndckey"; };
};
options {
directory "/etc";
pid-file "/var/run/named/named.pid";
recursion yes;
allow-recursion {
127.0.0.1;
10.0.0.0/24;
};
// these are the opendns servers (optional)
forwarders {
// 208.67.220.220;
194.228.41.113;
};
listen-on {
127.0.0.1;
10.0.0.1;
};
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
// so people can't try to guess what version you're running
version "REFUSED";
allow-query {
127.0.0.1;
10.0.0.0/24;
};
};
server 10.0.0.1 {
keys { rndckey; };
};
zone "." IN {
type hint;
file "named.ca";
};
// we assume we have a slave dns server with the IP 192.168.254.101
zone "home.solutia.cz" IN {
type master;
file "/zone/home.solutia.cz.zone";
allow-update { none; };
// allow-transfer { 192.168.254.101; };
};
When I start "service named start" I get this message:
Error in named configuration:
zone home.solutia.cz/IN: loading master file /zone/home.solutia.cz.zone: file not found
_default/home.solutia.cz/IN: file not found
[FAILED]
I can’t find where named.conf got in the path “_default” and I think this is a reason why my DNS could not start.
Many thanks in advance for your response.
Martin
Seb
file “/zone/home.solutia.cz.zone”;
should be
file “zone/home.solutia.cz.zone”;
Guido
The problem with:
# rndc status
rndc: connection to remote host closed
This may indicate that the remote server is using an older version of
the command protocol, this host is not authorized to connect,
or the key is invalid.
I think the problem is in bind-chroot and the used rndckey:
rndc use /etc/rndc.conf
bind-chroot use what is in /var/named/chroot/etc/named.conf and not the
/var/named/chroot/etc/rndc.key
please check the step:
2. Configure RNDC :
on your good HOWTO.
Thank you.
Alans
Hi,
Thanks for the great explanation.
There is one thing that is confusing me: why use a forwarder in the options clause in a master/slave DNS implementation, and as I see there are no sub domains, it is only the test.be domain without sub domains ?!!
Thanks,
RAF
Hi Sebastien
I've configured a local DNS. It works on the CentOS machine, but when I do an nslookup from another machine on the LAN it doesn't work. I've deactivated the firewall and no result, but it pings 192.168.1.18, the CentOS machine.
here is my named.conf file
controls {
inet 127.0.0.1 allow { 127.0.0.1; } ;
inet 192.168.1.18 allow { 192.168.1.0/24; } ;
};
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
query-source address * port 53;
listen-on { 127.0.0.1; 192.168.1.1; };
allow-query { 127.0.0.1; 192.168.1.0/24; };
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.com" IN {
type master;
file "data/master-example.com";
allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "data/reverse-192.168.1";
allow-update { none; };
};
the /etc/resolv.conf
search example.com
nameserver 127.0.0.1
and here is the nslookup from the machine:
[root@example etc]# nslookup example.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: example.com
Address: 192.168.1.18
also the dig request
[root@example etc]# dig www.example.com
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> www.example.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<-
nslookup www.example.com
DNS request timed out.
timeout was 2 seconds.
Serveur: Unknown
address: 192.168.1.18
RAF
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8732
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 86400 IN CNAME galaxy.example.com.
galaxy.example.com. 86400 IN A 192.168.1.18
;; AUTHORITY SECTION:
example.com. 86400 IN NS galaxy.example.com.
;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 24 15:46:05 2009
;; MSG SIZE rcvd: 84
The machine is hosted on VMware Workstation
The 1st zone file
;
; Zone File for “example.com” – Internal Use ONLY
;
$TTL 1D
@ IN SOA galaxy.example.com. sysadmin.example.com. (
10 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
1D ) ; Minimum
;
IN NS galaxy ; Name Server for the domain
IN MX 10 galaxy ; Mail Exchange
;
example.com. IN A 192.168.1.18 ; IP address for the domain 'example.com'
galaxy IN A 192.168.1.18 ; IP address for 'galaxy'
www IN CNAME galaxy ; 'galaxy' is also known as www
ftp IN CNAME galaxy ; 'galaxy' is also known as ftp
;
wkstn1 IN A 192.168.1.201 ; MANUAL IP address entry for 'wkstn1'
wkstn2 IN A 192.168.1.202 ; MANUAL IP address entry for 'wkstn2'
The reverse zone file:
;
; Reverse File for network "192.168.1.0/24" – Internal ONLY
;
$TTL 1D
@ IN SOA galaxy.example.com. sysadmin.example.com. (
        10 ; Serial
        8H ; Refresh
        2H ; Retry
        4W ; Expire
        1D ) ; Minimum
;
        IN NS galaxy.example.com.
18 IN PTR galaxy.example.com.
;
201 IN PTR wkstn1.example.com. ; MANUAL entry for 'wkstn1' reverse delegation
202 IN PTR wkstn2.example.com. ; MANUAL entry for 'wkstn2' reverse delegation
The nslookup from another machine in the LAN (an XP machine):
C:\Users\Raf>nslookup www.example.com
DNS request timed out.
timeout was 2 seconds.
Serveur : Unknown
Address: 192.168.1.18
Raf
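As an added example that is not part of the original post or of RAF's files, the script below cross-checks the A records of a forward zone against the PTR records of its reverse zone, the kind of sanity check worth running on the two zone files above before reloading them. Both zones are constructed copies embedded inline; `wkstn3` in the forward zone and the PTR for `.250` in the reverse zone are deliberate additions with no counterpart, so the script has something to report. Only sh and awk are needed.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check a forward zone's
# A records against its reverse zone's PTR records. Both zones are
# constructed copies of the files posted in the thread, with one
# inconsistent record added to each on purpose.
set -u

# Constructed forward zone for example.com. wkstn3 has no PTR below.
FORWARD_ZONE='$TTL 1D
@ IN SOA galaxy.example.com. sysadmin.example.com. (
        10 ; Serial
        8H ; Refresh
        2H ; Retry
        4W ; Expire
        1D ) ; Minimum
        IN NS galaxy
        IN MX 10 galaxy
example.com. IN A 192.168.1.18
galaxy IN A 192.168.1.18
www IN CNAME galaxy
ftp IN CNAME galaxy
wkstn1 IN A 192.168.1.201
wkstn2 IN A 192.168.1.202
wkstn3 IN A 192.168.1.203 ; constructed: no matching PTR
'

# Constructed reverse zone for 192.168.1.0/24. The PTR for .250 points at
# a name that has no A record above.
REVERSE_ZONE='$TTL 1D
@ IN SOA galaxy.example.com. sysadmin.example.com. (
        10 ; Serial
        8H ; Refresh
        2H ; Retry
        4W ; Expire
        1D ) ; Minimum
        IN NS galaxy.example.com.
18 IN PTR galaxy.example.com.
201 IN PTR wkstn1.example.com.
202 IN PTR wkstn2.example.com.
250 IN PTR stale.example.com. ; constructed: no matching A
'

# zone_mismatches FORWARD_FILE ORIGIN REVERSE_FILE PREFIX
# Prints one line per inconsistency, sorted:
#   A-without-PTR <fqdn> <ip>   forward address with no PTR at all
#   PTR-without-A <ip> <fqdn>   PTR whose target has no A record for that ip
zone_mismatches() {
    awk -v origin="$2" -v prefix="$4" '
        { sub(/;.*/, "") }                    # drop zone-file comments
        NF == 0 { next }
        FNR == NR {                           # first file: forward zone
            if ($2 == "IN" && $3 == "A") {
                name = $1
                if (name == "@") name = origin "."
                else if (name !~ /\.$/) name = name "." origin "."
                a[name, $4] = 1
            }
            next
        }
        $2 == "IN" && $3 == "PTR" {           # second file: reverse zone
            ip = prefix "." $1
            ptr_seen[ip] = 1
            if (!(($4, ip) in a)) print "PTR-without-A", ip, $4
        }
        END {
            for (key in a) {
                split(key, part, SUBSEP)
                if (!(part[2] in ptr_seen)) print "A-without-PTR", part[1], part[2]
            }
        }
    ' "$1" "$3" | sort
}

# run_example writes the constructed zones to temporary files and checks them.
run_example() {
    fwd=$(mktemp) && rev=$(mktemp) || return 1
    printf '%s' "$FORWARD_ZONE" > "$fwd"
    printf '%s' "$REVERSE_ZONE" > "$rev"
    zone_mismatches "$fwd" example.com "$rev" 192.168.1
    rm -f "$fwd" "$rev"
}

run_example
```

On the two real files from the comment (without the constructed extra records) the script prints nothing: every forward address has a PTR and every PTR target resolves back. The apex `example.com.` is not reported even though its PTR says `galaxy.example.com.`, because the check only asks that each address have some reverse entry.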
Hi
Yes, I've put http://www.example.com but when I paste it in the comment it changes to http://www.example.com
I used tcpdump to check whether the request is done on port 53 and it is, but the XP and the SUSE machines don't show me that it's the DNS machine.
Sébastien Wains
Yes, sorry about that, I just discovered WordPress is adding http:// to any host.
Can you show me the content of /etc/resolv.conf on your SUSE client machine?
Sébastien Wains
Hmm, odd. Enable logging for queries and see if the server ever sees queries from clients.
logging {
category "default" { "debug"; };
category "general" { "debug"; };
category "queries" { "debug"; };
channel "debug" {
file "/var/log/named.log" versions 2 size 50m;
severity debug 1;
print-time yes;
print-category yes;
};
};
RAF
Sorry, but it doesn't create the /var/log/named.log file:
[root@example log]# ls
acpid conman.old maillog rpmpkgs vbox
anaconda.log cron maillog.1 rpmpkgs.1 wtmp
anaconda.syslog cron.1 mailman sa xferlog
anaconda.xlog cups messages samba xferlog.1
audit dmesg messages.1 scrollkeeper.log Xorg.0.log
boot.log faillog munin secure Xorg.0.log.old
boot.log.1 gdm mysqld.log secure.1 yum.log
btmp httpd pm spooler
codendi lastlog ppp spooler.1
conman mail prelink tallylog
Sébastien Wains
You have to create the file and make sure the permissions are correct so the user running BIND can write to it.
RAF
I've done it but nothing (with all permissions on the file); the file is empty.
Maybe I have something wrong in the named.conf file:
controls {
inet 127.0.0.1 allow { 127.0.0.1; } ;
inet 192.168.1.18 allow { 192.168.1.0/24; } ;
};
logging {
category "default" { "debug"; };
category "general" { "debug"; };
category "queries" { "debug"; };
channel "debug" {
file "/var/log/named.log" versions 2 size 50m;
severity debug 1;
print-time yes;
print-category yes;
};
};
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
query-source address * port 53;
listen-on { 127.0.0.1; 192.168.1.18; };
allow-query { 127.0.0.1; 192.168.1.0/24; };
forward first;
forwarders { 193.95.66.10; 193.95.66.11; };
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.com" IN {
type master;
file "data/master-example.com";
allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "data/reverse-192.168.1";
allow-update { none; };
};
abhi
Great work! Very precise and works out of the box.
Only suggestion is if you could add the reverse zone file part of it, it will become even better and complete.
Thanks a lot
Sébastien Wains
@ abhi : I just added the configuration for reverse zones.
Cheers
abhi
Fantastic!! this is now a real gem.
I've read so many DNS howtos, most of them are either obsolete or just too lengthy.
This one is precise and the fastest I ever tried; in 15 mins you are through.
Great work Wains!
tpatel
OS CentOS 5.4
rndc status
rndc: connection to remote host closed
This may indicate that the remote server is using an older version of
the command protocol, this host is not authorized to connect,
or the key is invalid.
How do I resolve this error?
TuanNguyen
Maybe you missed some info on this page. This configuration really works well. The config of rndc.conf must be correct; "the key is invalid" is the reason.
tpatel
Hi TuanNguyen
The key in rndc.conf, rndc.key and named.conf is the same,
any solutions..?
TuanNguyen
Hi tpatel,
Can you post your key here?? This is a tutorial, don't copy their key to our system; rndcgen will generate a new rndc.key. So, I just think the key is not correct; if I missed something, maybe Wains will help you soon.
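An added example (not from the original post or from the commenters) of the check this exchange is about: read the secret of the `rndckey` statement from rndc.key and from the key block of named.conf and confirm they are identical, and confirm that rndc.key is not world-readable. A mismatch is what produces "the key is invalid" after rndc-confgen has been re-run without the new secret being copied into named.conf. The file contents, the two secrets and the helper names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): compare the rndc secret in
# rndc.key with the one in named.conf. Files and secrets are constructed.

# Constructed secrets: SECRET_A is what rndc.key holds, SECRET_B stands in
# for a stale copy left in named.conf after rndc-confgen was re-run.
SECRET_A='c2VjcmV0LW9uZQ=='
SECRET_B='c2VjcmV0LXR3bw=='

# key_secret FILE KEYNAME: print the secret of 'key "KEYNAME" { ... };'.
# Expects one clause per line, as in the files shown in this thread.
key_secret() {
    awk -v want="$2" '
        /^[ \t]*key[ \t]/       { n = $2; gsub(/["{]/, "", n); inkey = (n == want) }
        inkey && $1 == "secret" { s = $2; gsub(/[";]/, "", s); print s; exit }
        /}/                     { inkey = 0 }
    ' "$1"
}

# rndc_keys_match RNDC_KEY NAMED_CONF KEYNAME: succeed only when both files
# carry the same, non-empty secret for KEYNAME.
rndc_keys_match() {
    a=$(key_secret "$1" "$3")
    b=$(key_secret "$2" "$3")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# key_file_private FILE: succeed when "other" has no permission bits, so the
# shared secret is readable only by its owner (root) and group (named).
key_file_private() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# setup_demo RNDC_SECRET CONF_SECRET: build a throwaway directory holding a
# constructed rndc.key (mode 640) and named.conf, and print its path.
setup_demo() {
    d=$(mktemp -d) || return 1
    printf 'key "rndckey" {\n    algorithm hmac-md5;\n    secret "%s";\n};\n' "$1" > "$d/rndc.key"
    chmod 640 "$d/rndc.key"
    {
        printf 'key "rndckey" {\n    algorithm hmac-md5;\n    secret "%s";\n};\n' "$2"
        printf 'controls {\n    inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndckey"; };\n};\n'
    } > "$d/named.conf"
    printf '%s\n' "$d"
}

demo_matching() {     # both files carry SECRET_A: rndc would authenticate
    d=$(setup_demo "$SECRET_A" "$SECRET_A") || return 1
    if rndc_keys_match "$d/rndc.key" "$d/named.conf" rndckey; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

demo_mismatching() {  # named.conf still has SECRET_B: "the key is invalid"
    d=$(setup_demo "$SECRET_A" "$SECRET_B") || return 1
    if rndc_keys_match "$d/rndc.key" "$d/named.conf" rndckey; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

demo_key_file_private() {
    d=$(setup_demo "$SECRET_A" "$SECRET_A") || return 1
    if key_file_private "$d/rndc.key"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

demo_matching    && echo "matching secrets: rndc would authenticate"
demo_mismatching || echo "mismatching secrets: rndc reports the key is invalid"
demo_key_file_private && echo "rndc.key is not world-readable"
```

To use it on a real server, call `rndc_keys_match /var/named/chroot/etc/rndc.key /var/named/chroot/etc/named.conf rndckey` and `key_file_private /var/named/chroot/etc/rndc.key`; both return 0 on success, so they fit in a deployment check.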
tech guy
Thanks for your solution and great explanation. Can you please suggest what is the best web application to manage DNS records?
Sébastien Wains
I’ve never used any web GUI to manage my DNS servers, but the BIND module from webmin is OK.
tech guy
I’m doing it with Webmin too as of the moment. Thanks again Sébastien. I really appreciate sharing your knowledge.
Eugene
Sébastien Wains,
Thanks for the article, but annoyingly when I start the named service it fails with the errors below; I think that there is some problem with change root or so, can you guide me:
Error in named configuration:
zone unicreate.ru/IN: loading from master file data/unicreate.ru.zone failed: file not found
_default/unicreate.ru/IN: file not found
zone 1.168.192.in-addr.arpa/IN: loading from master file data/192.168.1.zone failed: file not found
_default/1.168.192.in-addr.arpa/IN: file not found
Eugene
You see, when I modified named.conf like below then it started, so it is definitely that change root failed:
zone "unicreate.ru" IN {
type master;
file "/var/named/chroot/var/named/data/unicreate.ru.zone";
allow-update { none; };
// we assume we have a slave dns server with the IP 192.168.254.101
allow-transfer { 192.168.1.11; };
};
// reverse zone
zone "1.168.192.in-addr.arpa" IN {
type master;
file "/var/named/chroot/var/named/data/192.168.1.zone";
allow-update { none; };
allow-transfer { 192.168.1.11; };
};
Sébastien Wains
I’d say that’s a configuration problem. BIND is very picky about the config file syntax.
Tuan Nguyen
Hi Eugene,
I think you should check the data files of the BIND service: are they located in this folder "/var/named/chroot/var/named/data/"? Check the BIND config again, because "named.conf" is located at /etc/named.conf.
Check again or send the info from "named.conf".
Eugene
Yes, I've fixed the problem.
To check if named is chrooted, type:
ps -ax | grep named
If you see any mention of /var/named/chroot in the named command, then named has been chrooted.
Set ROOTDIR setting in /etc/sysconfig/named
ROOTDIR="/var/named/chroot"
rhodz
I'm running CentOS 5.5, I have a little problem with the tutorial… as I follow the steps on it I just found out that I don't have /var/named/chroot/etc/named.conf
Do I have to create that file in that case?
Thanks by the way for this tutorial…
Great job.
Seb
Yes, you have to.
ph
First, sorry for my English.
I already set up a DNS server using BIND on CentOS 5.4 for intranet access with the domain "something.intra.net". At the same time, all clients in the local network must have access to the Internet. So, I configured the "forwarders" directive in the "named.conf" file with my ISP's DNS server IP address. But now I have a problem: when our clients in the intranet access my local domain "http://something.intra.net", the access is automatically redirected to a search engine on the Internet to search for my local domain. Now I am confused about how to resolve this.
Any idea how I can restrict or protect queries to my local domain "something.intra.net" so they are not forwarded to DNS servers on the Internet? So our local DNS server can resolve our local domain correctly. Thanks.
Seb
Please post your config files, there must be a typo somewhere.
ph
Finally resolved, thanks … I made some typos
)
Abson
Hi
I am getting this error when I start named
named could not open pid file '/var/run/named/named.pid': No such file or directory. Please help.
Seb
/var/run/named/ doesn't exist or named doesn't have the right to write inside that directory.
Stefan
Hi Sebastien,
Everything works, but in messages log I got following after restarting named:
Jul 31 22:50:43 list named[1528]: the working directory is not writable
For what directory do I need to change permissions, for whom, and who must be the owner?
Tnx
Seb
/var/named if not chrooted.
/var/named/chroot/var/named if chrooted.
Most directories should be fine with 0750 perms and root:named.
If you allow DNS updates from clients and do master-slave replication, the data and slave directories should be writable by the user "named".
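An added example (not from the original post or the commenters) that ties together several of the questions in this thread: the logging channel file that never appeared at /var/log/named.log, the zone files "not found" until an absolute path was used, the missing pid-file directory, and the working directory permissions. A chrooted named (ROOTDIR set in /etc/sysconfig/named) opens every path from named.conf underneath ROOTDIR, so `"/var/log/named.log"` really means `/var/named/chroot/var/log/named.log` and `"data/master-example.com"` means `/var/named/chroot/var/named/data/master-example.com`. The script resolves those paths and reports which exist, with mode and owner, so a missing or wrongly owned directory shows up before named is started. All files are constructed in a temporary directory and the helper names are this example's own; it needs only sh, awk and ls.

```shell
#!/bin/sh
# Added example (not from the original post): resolve the paths a chrooted
# named really opens and report which are missing. Files are constructed.

# named_rootdir SYSCONFIG: print ROOTDIR from the sysconfig file, or nothing
# when named is not chrooted.
named_rootdir() {
    awk -F= '/^ROOTDIR=/ { v = $2; gsub(/[" \t]/, "", v); print v; exit }' "$1"
}

# conf_option NAMED_CONF OPTION: print the quoted value of OPTION (directory,
# pid-file, ...) from the options block. Braces are counted so a nested
# allow-query { ... }; block does not end the options block early.
conf_option() {
    awk -v key="$2" '
        { opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}") }
        $1 == "options" { inopt = 1; base = depth }
        inopt && $1 == key { v = $2; gsub(/[";]/, "", v); print v; exit }
        { depth += opens - closes }
        inopt && depth <= base { inopt = 0 }
    ' "$1"
}

# log_channel_file NAMED_CONF: print the file of the first logging channel.
# Zone "file" lines sit outside any channel block and are ignored.
log_channel_file() {
    awk '
        { opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}") }
        $1 == "channel" { inchan = 1; base = depth }
        inchan && $1 == "file" { v = $2; gsub(/[";]/, "", v); print v; exit }
        { depth += opens - closes }
        inchan && depth <= base { inchan = 0 }
    ' "$1"
}

# chroot_path ROOTDIR PATH DIRECTORY: where a chrooted named opens PATH.
# Absolute paths sit directly under ROOTDIR; relative ones (zone files) are
# relative to the "directory" option.
chroot_path() {
    case $2 in
        /*) printf '%s%s\n' "$1" "$2" ;;
        *)  printf '%s%s/%s\n' "$1" "$3" "$2" ;;
    esac
}

# report LABEL PATH: "OK label path mode owner:group" or "MISSING label path".
report() {
    if [ -e "$2" ]; then
        printf 'OK %s %s %s\n' "$1" "$2" \
            "$(ls -ld "$2" | awk '{ print substr($1, 2, 9), $3 ":" $4 }')"
    else
        printf 'MISSING %s %s\n' "$1" "$2"
    fi
}

# check_named_paths SYSCONFIG NAMED_CONF: report on the working directory,
# the pid-file's directory and the logging channel file inside the chroot.
check_named_paths() {
    root=$(named_rootdir "$1")
    dir=$(conf_option "$2" directory)
    pid=$(conf_option "$2" pid-file)
    log=$(log_channel_file "$2")
    report directory    "$(chroot_path "$root" "$dir" "$dir")"
    report pid-file-dir "$(dirname "$(chroot_path "$root" "$pid" "$dir")")"
    report log-file     "$(chroot_path "$root" "$log" "$dir")"
}

# demo_chroot_check: constructed chroot tree with the working and pid
# directories present (mode 0750) but no log file, then run the check.
demo_chroot_check() {
    base=$(mktemp -d) || return 1
    croot="$base/var/named/chroot"
    mkdir -p "$croot/var/named/data" "$croot/var/run/named"
    chmod 750 "$croot/var/named" "$croot/var/run/named"
    printf 'ROOTDIR="%s"\n' "$croot" > "$base/sysconfig-named"
    cat > "$base/named.conf" <<'EOF'
logging {
    channel "debug" {
        file "/var/log/named.log" versions 2 size 50m;
        severity debug 1;
    };
    category "queries" { "debug"; };
};
options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    allow-query { 127.0.0.1; 192.168.1.0/24; };
};
zone "example.com" IN {
    type master;
    file "data/master-example.com";
};
EOF
    check_named_paths "$base/sysconfig-named" "$base/named.conf"
    rm -rf "$base"
}

demo_chroot_check
```

On a real CentOS 5 host the call is `check_named_paths /etc/sysconfig/named /var/named/chroot/etc/named.conf`; an `OK` line whose mode is not `rwxr-x---` or whose owner is not `root:named` is the directory to fix, and a `MISSING log-file` line is exactly the situation described earlier in the thread, where the file had been created outside the chroot.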
Ariel
Thank you for this how to!!! very cool
Sébastien Wains » CentOS 4 : chroot DNS with BIND
[...] Howto available for CentOS 5 : http://www.wains.be/index.php/2007/12/13/centos-5-chroot-dns-with-bind/ [...]