[CentOS] Primary DNS server with BIND on a public machine running CentOS 7

Nicolas Kovacs
Hi,

I just installed CentOS 7 on a public server. I'd like to setup BIND as
a primary DNS server for a few domains.

Until now, all my public machines were running Slackware Linux, and
setting up BIND on a Slackware machine is relatively easy. In its out of
the box configuration, it has a bone-headed caching nameserver role,
which is quite easy to expand to a primary nameserver. Here's my
documentation. It's in French, but the *nix bits are universal.

http://blog.microlinux.fr/bind-slackware/

On my server running CentOS, I notice things are more complicated in the
default configuration. The problem here is not so much documentation,
but more like the wealth of information on the subject of BIND on
CentOS, with often contradicting information.

Is there a *reliable* more or less quick & dirty tutorial on how to get
BIND up and running as a primary public nameserver, with the default
configuration as a starting point? Think "recipe for pasta" and not
"degree in food chemistry". :o)

Cheers,

Niki

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : [hidden email]
Tél. : 04 66 63 10 32
_______________________________________________
CentOS mailing list
[hidden email]
https://lists.centos.org/mailman/listinfo/centos
Reply | Threaded
Open this post in threaded view
|

Re: [CentOS] Primary DNS server with BIND on a public machine running CentOS 7

John R Pierce
On 4/11/2017 10:05 AM, Nicolas Kovacs wrote:
> I just installed CentOS 7 on a public server. I'd like to setup BIND as
> a primary DNS server for a few domains.


do you mean 'authoritative DNS server' ?


--
john r pierce, recycling bits in santa cruz

Re: [CentOS] Primary DNS server with BIND on a public machine running CentOS 7

Nicolas Kovacs
Le 11/04/2017 à 19:09, John R Pierce a écrit :
> do you mean 'authoritative DNS server' ?

Yes.

Re: [CentOS] Primary DNS server with BIND on a public machine running CentOS 7

John R Pierce
On 4/11/2017 10:17 AM, Nicolas Kovacs wrote:
> Le 11/04/2017 à 19:09, John R Pierce a écrit :
>> do you mean 'authoritative DNS server' ?
> Yes.


I've not run bind on c7 yet, but on c6, I just edit /etc/named.conf and
create /var/named/master/$zonename then do a 'reload' of the named
service.   not sure why c7 would be much different.


Re: [CentOS] Primary DNS server with BIND on a public machine running CentOS 7

Gordon Messmer-2
In reply to this post by Nicolas Kovacs
On 04/11/2017 10:05 AM, Nicolas Kovacs wrote:
> Is there a *reliable* more or less quick & dirty tutorial on how to get
> BIND up and running as a primary public nameserver, with the default
> configuration as a starting point?


1: Change the "listen-on" settings to bind to network interfaces:

-       listen-on port 53 { 127.0.0.1; };
-       listen-on-v6 port 53 { ::1; };
+       listen-on port 53 { any; };
+       listen-on-v6 port 53 { any; };

2: Allow external queries by removing the allow-query setting entirely:

-       allow-query     { localhost; };
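
Review bot: deleting `allow-query` drops the only client restriction shown in this file; that is the intent for an authoritative server, but the step is only safe together with step 3, because with queries open to everyone and `recursion yes;` still in effect the host would be an open resolver. Apply steps 2 and 3 as one change and verify the combined result before the reload.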

3: Disallow recursion by removing recursion setting:

-       recursion yes;
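
Review bot: this hunk only removes `recursion yes;`; nothing in the diff sets recursion to any value, so whether the server recurses after the change depends on the built-in default rather than on the file. Replace the deletion with an explicit `+       recursion no;` so the intent is visible in the configuration and can be confirmed from outside with a recursive `dig` against the server, which should answer with the RA flag clear.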

4: Add your zones.

DNSSEC is slightly more involved, but basic setup should be basically
the same as what you've been doing.

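Gordon's three edits, checked mechanically: an added Python example (not from the list post and not BIND's own tooling) that parses a minimal named.conf options block and reports what still needs attention on a public, authoritative-only server. The three sample blocks are constructed, and the recursion and version checks assume BIND's documented defaults for options that are absent.

```python
import re

# Constructed samples (not from the list post): the stock CentOS 7 named.conf
# options block (abridged), the same block after the thread's three edits,
# and an explicitly hardened variant.
DEFAULT_OPTIONS = """
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        allow-query     { localhost; };
        recursion yes;
};
"""
EDITED_OPTIONS = """
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
};
"""
HARDENED_OPTIONS = """
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        recursion no;
        version none;
};
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_options(conf):
    # Map option name -> value for one-line 'name value;' statements inside
    # options { ... }.  Minimal on purpose; this is not a full named.conf parser.
    body = re.search(r"options\s*\{(.*?)\n\};", conf, re.S)
    opts = {}
    for raw in (body.group(1).splitlines() if body else []):
        stmt = re.split(r"//|#", raw)[0].strip().rstrip(";").strip()
        if stmt:
            name, _, value = stmt.partition(" ")
            opts[name] = " ".join(value.split())
    return opts

def _only_loopback(acl):
    # True when an address list such as '{ 127.0.0.1; }' names loopback only.
    inner = re.search(r"\{([^}]*)\}", acl)
    items = [t.strip() for t in inner.group(1).split(";") if t.strip()] if inner else []
    return bool(items) and all(t in LOOPBACK for t in items)

def audit_public_authoritative(conf):
    # Findings for a host meant to be a public, authoritative-only nameserver.
    # An absent option is compared against BIND's documented default.
    opts = parse_options(conf)
    findings = []
    if _only_loopback(opts.get("listen-on", "{ any; }")):
        findings.append("listen-on: loopback only, the public cannot reach this server")
    if _only_loopback(opts.get("allow-query", "{ any; }")):
        findings.append("allow-query: localhost only, external queries are refused")
    if opts.get("recursion", "yes") != "no":
        findings.append("recursion: not explicitly 'no'; add 'recursion no;'")
    if opts.get("version", "") != "none":
        findings.append("version: version.bind CH TXT probes get the real version; add 'version none;'")
    return findings
```

Run against the stock block it reports all four points; after the thread's edits only the recursion and version findings remain, and the hardened block is clean.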
Re: [CentOS] Primary DNS server with BIND on a public machine running CentOS 7

Alice Wonder
In reply to this post by Nicolas Kovacs
If you are looking for a recursive resolver, I would highly recommend
unbound.

If you are looking for an authoritative DNS server, I would highly
recommend NSD.

I run both and find both extremely easy to configure and maintain.

Both are available from the EPEL repositories.

I stopped using bind years ago and never looked back.

Re: [CentOS] Primary DNS server with BIND on a public machine running CentOS 7

Nicolas Kovacs
In reply to this post by Gordon Messmer-2
Le 11/04/2017 à 19:34, Gordon Messmer a écrit :

> 1: Change the "listen-on" settings to bind to network interfaces:
>
> -       listen-on port 53 { 127.0.0.1; };
> -       listen-on-v6 port 53 { ::1; };
> +       listen-on port 53 { any; };
> +       listen-on-v6 port 53 { any; };
>
> 2: Allow external queries by removing the allow-query setting entirely:
>
> -       allow-query     { localhost; };
>
> 3: Disallow recursion by removing recursion setting:
>
> -       recursion yes;
>
> 4: Add your zones.
>
> DNSSEC is slightly more involved, but basic setup should be basically
> the same as what you've been doing.

I'll give this a try with a clear head tomorrow. Thanks very much!

Re: [CentOS] Primary DNS server with BIND on a public machine running CentOS 7

David Both
In reply to this post by Gordon Messmer-2
Here are two articles on DNS that I wrote for Opensource.com.

Introduction to the Domain Name System (DNS)
https://opensource.com/article/17/4/introduction-domain-name-system-dns

Build your own DNS name server on Linux
https://opensource.com/article/17/4/build-your-own-name-server

I hope this helps.

--


*********************************************************
David P. Both, RHCE
Millennium Technology Consulting LLC
Raleigh, NC, USA
919-389-8678

[hidden email]

www.millennium-technology.com
www.Linux-Databook.info - Home of the DataBook for Linux
DataBook is a Registered Trademark of David Both
*********************************************************

Re: [CentOS] Primary DNS server with BIND on a public machine running CentOS 7

Chris Adams-2
In reply to this post by Nicolas Kovacs
One additional DNS server note: you should disable firewalld for any DNS
server, caching or authoritative.  If you need firewalling, use straight
iptables.

The reason is that firewalld always enables connection state tracking
(at least as far as I can tell), and that should never be used in front
of a DNS server.  A public authoritative server or any caching server
can get a high rate of requests, and having the kernel firewalling
trying to track connection states is a bottleneck (one that will be
reached before DNS software's limits).

If you must firewall a DNS server, use straight iptables and do not use
connection state tracking.

--
Chris Adams <[hidden email]>
Re: [CentOS] Primary DNS server with BIND on a public machine running CentOS 7

Leon Fauster
In reply to this post by Nicolas Kovacs
Am 11.04.2017 um 19:17 schrieb Nicolas Kovacs <[hidden email]>:
>
> Le 11/04/2017 à 19:09, John R Pierce a écrit :
>> do you mean 'authoritative DNS server' ?
>
> Yes.

Totally off-topic, but it comes to mind right now. We are receiving a large
number of version queries on our public DNS infra from a broad range of
Amazon IPs, completely at random (just to briefly show some networks):


Is someone getting the same door knocks?

--
LF

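A defender's view of the probes Leon describes, as an added Python example that is not part of the thread: it picks CHAOS-class version/hostname queries out of BIND query-log lines and attributes each source to a watch-list of prefixes. The log lines and the prefix list are constructed samples; on the server side BIND's `version none;` option stops named from answering such probes at all.

```python
import ipaddress
import re
from collections import Counter

# Constructed BIND query-log lines (not from the list post).  The format is
# BIND 9's querylog channel; the "@0x..." client handle that newer releases
# print is optional in the pattern below.
SAMPLE_LOG = """\
11-Apr-2017 19:12:01.101 client 34.192.17.4#41234 (version.bind): query: version.bind CH TXT + (203.0.113.53)
11-Apr-2017 19:12:01.220 client 52.95.10.9#53011 (version.bind): query: version.bind CH TXT + (203.0.113.53)
11-Apr-2017 19:12:02.003 client 198.51.100.7#5353 (www.example.org): query: www.example.org IN A +E (203.0.113.53)
11-Apr-2017 19:12:02.540 client @0x7f3c1c0a2e10 54.150.2.2#40001 (VERSION.BIND): query: VERSION.BIND CH TXT + (203.0.113.53)
11-Apr-2017 19:12:03.010 client 192.0.2.44#61000 (version.bind): query: version.bind CH TXT + (203.0.113.53)
"""

# Sample watch-list of cloud prefixes used to attribute the probes; substitute
# the ranges you actually see in your own logs.
WATCH_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("34.192.0.0/14", "52.0.0.0/9", "54.144.0.0/12")]

LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)")

# CHAOS-class names that reveal server software details.
CHAOS_PROBE_NAMES = {"version.bind", "version.server", "hostname.bind", "id.server"}

def find_chaos_probes(log_text):
    # Return (source_ip, qname) for every CH-class query for a server-info name.
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["qclass"] == "CH" and m["qname"].lower().rstrip(".") in CHAOS_PROBE_NAMES:
            probes.append((m["src"], m["qname"].lower()))
    return probes

def count_by_prefix(probes):
    # Attribute each probe source to the first matching watch prefix, else "other".
    counts = Counter()
    for src, _ in probes:
        addr = ipaddress.ip_address(src)
        label = next((str(p) for p in WATCH_PREFIXES if addr in p), "other")
        counts[label] += 1
    return dict(counts)
```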
[CentOS] connection state tracking with DNS [was Primary DNS...]

Alice Wonder
In reply to this post by Chris Adams-2
Hi, I would like to see this addressed.

I found more information on the issue at
https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html

Is there a firewalld solution to this issue?

Re: [CentOS] Primary DNS server with BIND on a public machine running CentOS 7

Robert Moskowitz
In reply to this post by Nicolas Kovacs
I am writing my howto on BIND for Centos7.  Mine is running on
Centos7-arm.  You can see some of the basics I have done at:

file:///home/rgm/data/htt/httnet/homepage/Centos7-armv7.html

I have a caveat I learned with dealing with SELinux and BIND there.

Re: [CentOS] Primary DNS server with BIND on a public machine running CentOS 7

John R Pierce
On 4/12/2017 7:25 PM, Robert Moskowitz wrote:
> I am writing my howto on BIND for Centos7.  Mine is running on
> Centos7-arm.  You can see some of the basics I have done at:
>
> file:///home/rgm/data/htt/httnet/homepage/Centos7-armv7.html


no one else can see your local file system


Re: [CentOS] Primary DNS server with BIND on a public machine running CentOS 7

Robert Moskowitz
ARGH!

That was the local copy I am editing.

On 04/13/2017 01:11 AM, John R Pierce wrote:
> On 4/12/2017 7:25 PM, Robert Moskowitz wrote:
>> I am writing my howto on BIND for Centos7.  Mine is running on
>> Centos7-arm.  You can see some of the basics I have done at:
>>
>> file:///home/rgm/data/htt/httnet/homepage/Centos7-armv7.html
>
>
> no one else can see your local file system

http://medon.htt-consult.com/Centos7-armv7.html


Re: [CentOS] Primary DNS server with BIND on a public machine running CentOS 7

Nicolas Kovacs
In reply to this post by Robert Moskowitz
Le 13/04/2017 à 04:25, Robert Moskowitz a écrit :
> I am writing my howto on BIND for Centos7.  Mine is running on
> Centos7-arm.  You can see some of the basics I have done at:
>
> file:///home/rgm/data/htt/httnet/homepage/Centos7-armv7.html
>
> I have a caveat I learned with dealing with SELinux and BIND there.

You sent a link to a local file (file://) so unfortunately I can't
access it.

Re: [CentOS] Primary DNS server with BIND on a public machine running CentOS 7

Robert Moskowitz
Yep, I messed up, copying from the wrong window.

On 04/13/2017 01:22 AM, Nicolas Kovacs wrote:

> Le 13/04/2017 à 04:25, Robert Moskowitz a écrit :
>> I am writing my howto on BIND for Centos7.  Mine is running on
>> Centos7-arm.  You can see some of the basics I have done at:
>>
>> file:///home/rgm/data/htt/httnet/homepage/Centos7-armv7.html
>>
>> I have a caveat I learned with dealing with SELinux and BIND there.
> You sent a link to a local file (file://) so unfortunately I can't
> access it.
>
http://medon.htt-consult.com/Centos7-armv7.html


Re: [CentOS] connection state tracking with DNS [was Primary DNS...]

Gordon Messmer-2
In reply to this post by Alice Wonder
On 04/11/2017 04:16 PM, Alice Wonder wrote:
> Hi, I would like to see this addressed.
> Is there a firewalld solution to this issue?


Yes:

# Disable connection tracking for UDP DNS traffic
# https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m conntrack --ctstate UNTRACKED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -m conntrack --ctstate UNTRACKED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 100 -p udp -m udp --dport 53 -j CT --notrack
firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 100 -p udp -m udp --sport 53 -j CT --notrack
firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p udp -m udp --dport 53 -j CT --notrack
firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p udp -m udp --sport 53 -j CT --notrack
firewall-cmd --reload

Re: [CentOS] connection state tracking with DNS [was Primary DNS...]

Alice Wonder
Thank you!

