Linux DNS Installation and Configuration

Introduction

This guide provides step-by-step instructions to install and configure a DNS server on a Linux system.

Installation

On Debian-based systems (such as Ubuntu), install BIND9 with the following command:

sudo apt update && sudo apt install bind9

For Red Hat-based systems, use:

sudo yum install bind

Configuration

After installation, configure the DNS server by editing these files:

/etc/bind/named.conf.options : Global DNS options
/etc/bind/named.conf.local : Your zones
/etc/bind/named.conf.default-zones : Default zones such as localhost, its reverse, and the root hints

Example content for /etc/bind/named.conf.options:

options {
    directory "/var/cache/bind";
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    dnssec-validation auto;
    listen-on-v6 { any; };
};
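The options block above states forwarders and DNSSEC validation but leaves the client ACLs (allow-recursion, allow-transfer) at BIND's version-dependent defaults while listening on every IPv6 address. The following shell check, added here and not part of the original guide, audits a named.conf.options fragment for those three points; the weak and hardened sample files are constructed for this example, and the acl name "trusted" and the address 192.168.1.10 are assumptions.

```shell
#!/bin/sh
# Audit a named.conf.options fragment for policy that should be stated
# explicitly rather than left to BIND's version-dependent defaults.
# Prints one finding per line; prints nothing when all checks pass.
audit_named_options() {
    # Drop // and # comments so a commented-out directive does not count.
    conf=$(sed -e 's://.*$::' -e 's:#.*$::' "$1")
    if ! printf '%s\n' "$conf" | grep -q 'allow-recursion'; then
        echo "allow-recursion missing: recursion is left at the default ACL; name the client networks explicitly"
    fi
    if ! printf '%s\n' "$conf" | grep -q 'allow-transfer'; then
        echo "allow-transfer missing: set { none; } or list the secondaries, otherwise the zone may be readable via AXFR"
    fi
    if printf '%s\n' "$conf" | grep -Eq 'listen-on(-v6)?[[:space:]]*[{][[:space:]]*any'; then
        echo "listen-on any: the server answers on every interface; pair this with the allow-* ACLs and the host firewall"
    fi
    return 0
}

# Constructed sample 1: the options block from this guide, unchanged in policy.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
options {
    directory "/var/cache/bind";
    forwarders { 8.8.8.8; 8.8.4.4; };
    dnssec-validation auto;
    listen-on-v6 { any; };
};
EOF

# Constructed sample 2: the same block with explicit ACLs (assumed addresses).
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
acl trusted { 127.0.0.1; 192.168.1.0/24; };
options {
    directory "/var/cache/bind";
    forwarders { 8.8.8.8; 8.8.4.4; };
    dnssec-validation auto;
    listen-on { 127.0.0.1; 192.168.1.10; };
    listen-on-v6 { ::1; };
    allow-query { trusted; };
    allow-recursion { trusted; };
    allow-transfer { none; };
};
EOF

echo "weak:";     audit_named_options "$WEAK"
echo "hardened:"; audit_named_options "$HARDENED"
```

Run it against your real /etc/bind/named.conf.options after editing; named-checkconf reports syntax errors but says nothing about missing ACLs.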

Define your zones in the /etc/bind/named.conf.local file:

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
};

Create the zone files:

sudo cp /etc/bind/db.local /etc/bind/db.example.com
sudo cp /etc/bind/db.127 /etc/bind/db.192

sudo vim /etc/bind/db.example.com
sudo vim /etc/bind/db.192

Example content for /etc/bind/db.example.com:

$TTL    604800
@       IN      SOA     ns.example.com. db.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.example.com.
@       IN      A       192.168.1.10
@       IN      AAAA    ::1
ns      IN      A       192.168.1.10

Example content for /etc/bind/db.192:

$TTL    604800
@       IN      SOA     ns.example.com. db.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.example.com.
@       IN      PTR     example.com.
10      IN      PTR     ns.example.com.

Make sure to adjust the IP addresses and domain names as per your setup.

Check the configuration for syntax errors:

sudo named-checkconf

Check the zone files for errors:

sudo named-checkzone example.com /etc/bind/db.example.com
sudo named-checkzone 1.168.192.in-addr.arpa /etc/bind/db.192
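named-checkzone validates each zone file on its own; it does not notice when the forward zone and the reverse zone disagree. The following script, added here and not part of the original guide, cross-checks every A record against the reverse zone (forward-confirmed reverse DNS) and reports addresses with no PTR or whose PTR name has no A record pointing back. The zone text is constructed for this example, and the script assumes a single /24 reverse zone with relative host names, as in the files above.

```shell
#!/bin/sh
# Forward-confirmed check between a forward zone and its /24 reverse zone:
# each A record's address needs a PTR, and the PTR's name must itself have
# an A record for that address. Assumes relative names (no $ORIGIN changes).
ZONE=example.com
REV_PREFIX=192.168.1
# Emit "<fqdn> <ip>" for every A record; '@' and bare labels get qualified.
forward_a_records() {
    awk -v z="$ZONE" '$1 !~ /^;/ && NF >= 4 && $2 == "IN" && $3 == "A" {
        print ($1 == "@" ? z "." : $1 "." z "."), $4 }' "$1"
}
# Emit "<ip> <fqdn>" for every host PTR record (the apex PTR is skipped).
reverse_ptr_records() {
    awk -v p="$REV_PREFIX" '$1 !~ /^;/ && NF >= 4 && $2 == "IN" && $3 == "PTR" && $1 != "@" {
        print p "." $1, $4 }' "$1"
}
# One line per problem; no output means every A record is forward-confirmed.
check_forward_reverse() {
    fwd=$(forward_a_records "$1"); rev=$(reverse_ptr_records "$2")
    printf '%s\n' "$fwd" | while read -r name ip; do
        ptr=$(printf '%s\n' "$rev" | awk -v ip="$ip" '$1 == ip { print $2; exit }')
        if [ -z "$ptr" ]; then
            echo "$ip ($name): no PTR record"
        elif ! printf '%s\n' "$fwd" | grep -qxF "$ptr $ip"; then
            echo "$ip: PTR $ptr has no matching A record"
        fi
    done
    return 0
}
# Constructed sample zones (SOA and NS lines are ignored by the awk filters).
FWD=$(mktemp); REV=$(mktemp)
cat > "$FWD" <<'EOF'
$TTL 604800
@    IN SOA ns.example.com. admin.example.com. ( 3 604800 86400 2419200 604800 )
@    IN NS  ns.example.com.
@    IN A   192.168.1.10
ns   IN A   192.168.1.10
www  IN A   192.168.1.12
mail IN A   192.168.1.13
EOF
cat > "$REV" <<'EOF'
$TTL 604800
@    IN SOA ns.example.com. admin.example.com. ( 3 604800 86400 2419200 604800 )
@    IN NS  ns.example.com.
10   IN PTR ns.example.com.
13   IN PTR mailhost.example.com.
EOF
check_forward_reverse "$FWD" "$REV"
```

With the sample zones it reports that 192.168.1.12 has no PTR and that the PTR for 192.168.1.13 names a host with no A record; the apex A record passes because its PTR (ns.example.com.) resolves back to the same address.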

Check the DNS server status:

sudo systemctl status bind9

If the service is not running, start it:

sudo systemctl start bind9

Enable the service to start on boot:

sudo systemctl enable bind9

Check the firewall settings to allow DNS traffic:

sudo ufw allow 53

For Red Hat-based systems, use:

sudo firewall-cmd --add-service=dns --permanent
sudo firewall-cmd --reload

For SELinux, ensure that it allows DNS traffic:

sudo setsebool -P named_connect_any=1

Check the SELinux status:

sestatus

If SELinux is enforcing, you may need to adjust the policies or set it to permissive mode:

sudo setenforce 0

To make the change permanent, edit the /etc/selinux/config file and set:

SELINUX=permissive

For systems using AppArmor, ensure that the DNS server is allowed to run:

sudo aa-status

If AppArmor is blocking the DNS server, you may need to adjust the profiles or disable it:

sudo systemctl stop apparmor
sudo systemctl disable apparmor

To disable AppArmor for the DNS server, edit the profile file:

sudo vim /etc/apparmor.d/usr.sbin.named

Comment out the lines that restrict access to the DNS server files:

# /etc/bind/db.example.com r,
# /etc/bind/db.192 r,
# /etc/bind/named.conf.local r,
# /etc/bind/named.conf.options r,
# /etc/bind/named.conf.default-zones r,
# /etc/bind/named.conf r,

Then reload the AppArmor profiles:

sudo systemctl restart apparmor

To check the AppArmor status:

sudo aa-status

If AppArmor is enforcing, you may need to adjust the profiles or set it to complain mode:

sudo aa-complain /etc/apparmor.d/usr.sbin.named

To make the change permanent, edit the /etc/apparmor.d/usr.sbin.named file and set:

profile /usr/sbin/named flags=(attach_disconnected, complain) {

Restart the AppArmor service to apply changes:

sudo systemctl restart apparmor

Restart the DNS service to apply changes:

sudo systemctl restart bind9

Testing

To test the DNS server, use the dig command:

dig example.com

Common record types

This section covers some of the most common DNS record types.

A record

Maps a hostname to an IPv4 address.

www      IN    A      192.168.1.12

CNAME record

Used to create an alias to an existing A record. You cannot create a CNAME record pointing to another CNAME record.

web     IN    CNAME  www

MX record

Used to define where email for the domain should be delivered. Must point to an A record, not a CNAME.

@       IN    MX  1   mail.example.com.
mail    IN    A       192.168.1.13

NS record

Used to define which servers serve copies of a zone. It must point to an A record, not a CNAME. This is where primary and secondary servers are defined.

@       IN    NS     ns.example.com.
@       IN    NS     ns2.example.com.
ns      IN    A      192.168.1.10
ns2     IN    A      192.168.1.11