Running my own BIND DNS server. Part I

I’ve been running my own in-house BIND master/slave DNS server for a couple of months now, like any serious Linux systems administrator should do. Although the setup was somewhat difficult initially, I have to say that running my own DNS server has made administering all the hosts in my network a lot easier. With over ten virtual machine instances (and physical hosts) consisting of a mixture of Linux, Windows, Mac OS X, and FreeBSD, simply remembering their static IP addresses was becoming a hassle. I initially tried to alleviate this by creating bash aliases, but as the number of virtual machines increased, keeping the aliased entries in .bashrc synced was simply too tedious. This is why I decided to run my own internal authoritative DNS server.

Pros:
Total flexibility in my network (add as many hosts as I want)

Cons:
High learning curve
On-going DNS maintenance (security patches, etc.)


I took the following steps to configure my master BIND DNS server on a minimal CentOS 6 install.


Install necessary packages:
yum install vim perl ntpdate bind bind-libs bind-utils mlocate anacron sendmail


Environment configuration. This configuration assumes BIND will be jailed under /var/named/chroot:
# Unprivileged user and group for named; its home is the jail and it gets no login shell
/usr/sbin/groupadd named
/usr/sbin/useradd named -c "Named" -g named -d /var/named/chroot -s /sbin/nologin
# Directory layout inside the jail
mkdir -p /var/named/chroot/var/run/named/
mkdir /var/named/chroot/var/named/
mkdir /var/named/chroot/etc/
mkdir /var/named/chroot/dev/
mkdir /var/named/chroot/logs/
mkdir /var/named/chroot/dynamic
# Device nodes named needs inside the jail (major/minor 1,3 is null, 1,8 is random)
mknod /var/named/chroot/dev/null c 1 3
mknod /var/named/chroot/dev/random c 1 8
chmod 666 /var/named/chroot/dev/*
# Ownership and permissions
chown -R named:named /var/named/chroot/var/*
chown -R named:named /var/named/chroot/etc/*
chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/dev/
chmod 755 /var/named/chroot/dynamic/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 775 /var/named/chroot/logs
# World-writable as in the original setup; named already owns this directory after the chown above, so 755 also works
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
touch /var/named/chroot/var/named/named.local
cd /var/named/chroot


Generate the shared key used by rndc (an HMAC-MD5 key; dnssec-keygen will create a Krndc.*.key and a Krndc.*.private file):
/usr/sbin/dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 256 -n HOST rndc


Create the master named.conf configuration file (/var/named/chroot/etc/named.conf):
See my sample named.conf file http://www.rubyninja.org/scripts/named-conf.txt
One important thing to notice is the “rndckey” secret setting, whose value must match the key in the Krndc.*.private / Krndc.*.key files.


Create the rndc.conf file (/var/named/chroot/etc/rndc.conf):
See my sample rndc.conf file http://www.rubyninja.org/scripts/rndc-conf.txt
Again, the same secret from the Krndc.*.private / Krndc.*.key files must be specified here.
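The same secret has to appear in the Krndc.*.private file, in named.conf and in rndc.conf, and a mismatch only shows up later as rndc failing to authenticate. The following check is an added example, not a script from the original post: it extracts the secret from each of the three files and confirms they agree. The file paths and the key material are constructed placeholders; on a real host point the functions at /var/named/chroot/etc/named.conf, /var/named/chroot/etc/rndc.conf and the generated Krndc.*.private file.

```sh
#!/bin/sh
# Added consistency check (not from the original post): verifies that the secret in the
# Krndc.*.private file written by dnssec-keygen is the same secret configured in the
# "rndckey" key statement of both named.conf and rndc.conf.

# Print the base64 secret from a dnssec-keygen private file (its "Key:" line).
key_from_private() {
    awk '$1 == "Key:" { print $2 }' "$1"
}

# Print the secret of the named key statement in a named.conf / rndc.conf style file.
# $1 = file, $2 = key name (e.g. rndckey)
key_from_conf() {
    awk -v name="$2" '
        BEGIN { quoted = "\"" name "\"" }
        $1 == "key" && $2 == quoted { inkey = 1 }
        inkey && $1 == "secret"     { gsub(/[";]/, "", $2); print $2; exit }
        inkey && $1 == "};"         { inkey = 0 }
    ' "$1"
}

# Exit status 0 when the private file, named.conf and rndc.conf all carry the same secret.
# $1 = Krndc.*.private, $2 = named.conf, $3 = rndc.conf, $4 = key name
rndc_secret_consistent() {
    priv=$(key_from_private "$1")
    [ -n "$priv" ] && [ "$priv" = "$(key_from_conf "$2" "$4")" ] \
        && [ "$priv" = "$(key_from_conf "$3" "$4")" ]
}

# Constructed placeholder secret for the demo; not real key material.
SAMPLE_SECRET='Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXItc2VjcmV0Cg=='

# Write constructed sample files into directory $1; $2 is the secret put into rndc.conf,
# so passing a different value simulates a mismatch.
write_samples() {
    printf 'Private-key-format: v1.3\nAlgorithm: 157 (HMAC_MD5)\nKey: %s\n' "$SAMPLE_SECRET" > "$1/Krndc.private"
    printf 'key "rndckey" {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n' "$SAMPLE_SECRET" > "$1/named.conf"
    printf 'key "rndckey" {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n' "$2" > "$1/rndc.conf"
}

# Demo run: matching files pass, an rndc.conf with a different secret fails.
dir=$(mktemp -d)
write_samples "$dir" "$SAMPLE_SECRET"
rndc_secret_consistent "$dir/Krndc.private" "$dir/named.conf" "$dir/rndc.conf" rndckey && echo "secrets agree"
write_samples "$dir" 'ZGlmZmVyZW50LXBsYWNlaG9sZGVyCg=='
rndc_secret_consistent "$dir/Krndc.private" "$dir/named.conf" "$dir/rndc.conf" rndckey || echo "rndc.conf secret differs"
rm -rf "$dir"
```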


Symlink /var/named/chroot/etc/rndc.conf as /etc/rndc.conf
ln -s /var/named/chroot/etc/rndc.conf /etc/rndc.conf


Create the root hints nameserver file (/var/named/chroot/etc/db.cache):
See db.cache file http://www.rubyninja.org/scripts/db-cache.txt


Create the localhost forward zone file (/var/named/chroot/etc/db.localhost):
See my sample db.localhost file http://www.rubyninja.org/scripts/db-localhost.txt


Create the localhost reverse zone file (/var/named/chroot/etc/db.127.0.0.1):
See my sample db.127.0.0.1 file http://www.rubyninja.org/scripts/db-127.0.0.1.txt


Now that all the basic configuration files have been created, BIND can be started. I use the following shell script to start my jailed BIND instance: http://www.rubyninja.org/scripts/start_jailed_bind.sh


I added the following entry to /etc/rc.local so that BIND starts every time the system reboots:
/bin/bash /var/named/chroot/start_jailed_bind.sh


Lastly, the firewall needs to allow incoming requests to port 53 over both TCP and UDP. Append the following rules to the INPUT chain in /etc/sysconfig/iptables:
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
