In this process, we will show you how to quickly add new local domain records to your authoritative BIND server for hosts that are currently unknown to your nameserver.
To Start With: What Do You Need?
To complete this process, you will require a working installation of the CentOS 7 operating system and a console-based text editor of your choice. It is expected that Unbound and BIND have both been installed and are already running, that you have read and applied the zone process, and that you have prepared the required forward and reverse zone files for resolving hostnames of your private network. The zones must also accept dynamic updates from localhost (an update-policy local; statement in each zone definition in named.conf); the nsupdate -l option used below authenticates with the session key that named generates for exactly this purpose.
The Process
If you want to add new domain name to IP address mappings to your DNS server, for example for new or previously unknown hosts in your local network, you have two alternatives. Since we have already created zone files for our local network, we can simply add a new A (and/or CNAME) record and the corresponding PTR record for every new host name within our base domain to the forward and reverse zone files with our text editor of choice, increase the zone serial, and reload the zone. Alternatively, we can use the nsupdate command-line tool to add those records at runtime, without restarting the DNS server. In this section, we show you how to prepare and work with nsupdate. In our example, we add the name client4.centos7.home for a computer with the IP address 192.168.1.14 to our DNS server's zones:
- Log in as root on the server running your BIND service. First, allow named to write to its zone files, which SELinux prohibits by default:
setsebool -P named_write_master_zones 1
- Next, make the named configuration directory writable by the named group; otherwise named cannot create the journal (.jnl) files in which nsupdate changes are recorded, and the updates fail. (A recursive chmod 775 is broader than named strictly needs: write access for named on the directory that holds the dynamically updated zone files is enough, so tighten this on a production server.)
chown :named /var/named -R; chmod 775 /var/named -R
- Since our BIND server listens on port 8053 (port 53 is used by Unbound in this setup), type the following command to start an interactive nsupdate session against the local server:
nsupdate -p 8053 -d -l
- At the prompt (>), first set 127.0.0.1 as the local address the update messages are sent from (press Return to finish each command):
local 127.0.0.1
- To add the forward name-to-IP mapping to your DNS server, type the following two commands; send transmits the queued update to the server:
update add client4.centos7.home. 115200 A 192.168.1.14
send
- Now add the reverse mapping. It lives in a different zone, so it needs its own send:
update add 14.1.168.192.in-addr.arpa. 115200 PTR client4.centos7.home.
send
If the debug output for both updates showed a reply with status NOERROR, press Ctrl+C to exit the interactive nsupdate session.
- Finally, check that both forward and reverse resolution of the new entry work (this should also work remotely through the Unbound server):
dig -p 8053 @127.0.0.1 client4.centos7.home.
nslookup -port=8053 192.168.1.14 127.0.0.1
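The whole procedure above, scripted, as an added example that is not part of the original page: it builds the nsupdate batch for one host (the A record plus its matching PTR, each followed by its own send because they target different zones), derives the in-addr.arpa name from the address, refuses anything that is not a plain IPv4 address so that stray text cannot end up inside the batch as extra nsupdate commands, and verifies both directions with dig afterwards. It assumes the same setup as the process: BIND listening on 127.0.0.1 port 8053, zones that accept local updates, and the script run as root on the BIND host. The host name, address and default TTL are the page's own values; the function names and the PORT variable are the example's own.

```bash
#!/bin/bash
# Added example (not from the original page): add a forward A record and its
# PTR to a local BIND server with nsupdate, then verify with dig.
# Assumptions: BIND on 127.0.0.1:8053, zones configured with update-policy local;
# (so nsupdate -l can use the session key), script run as root on the BIND host.
set -eu

PORT=8053

# Accept only a dotted-quad IPv4 address (digits and dots, four octets <= 255).
# Anything else is rejected so it can never be interpolated into the batch.
valid_ipv4() {
    local ip=$1 octet
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# 192.168.1.14 -> 14.1.168.192.in-addr.arpa. (octets reversed, trailing dot)
reverse_name() {
    local IFS=.
    set -- $1
    printf '%s.%s.%s.%s.in-addr.arpa.\n' "$4" "$3" "$2" "$1"
}

# Emit the nsupdate batch for one host. Forward and reverse records are in
# different zones, and one update message can only touch one zone, so each
# gets its own "send". TTL defaults to the 115200 seconds used in the process.
build_batch() {
    local fqdn=$1 ip=$2 ttl=${3:-115200}
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    case "$fqdn" in
        *.) ;;                 # already fully qualified
        *)  fqdn="$fqdn." ;;   # make it absolute so no origin is appended
    esac
    printf 'local 127.0.0.1\n'
    printf 'update add %s %s A %s\nsend\n' "$fqdn" "$ttl" "$ip"
    printf 'update add %s %s PTR %s\nsend\n' "$(reverse_name "$ip")" "$ttl" "$fqdn"
}

# Apply the batch through nsupdate and confirm both lookups answer as expected.
add_host() {
    local fqdn=$1 ip=$2
    valid_ipv4 "$ip" || return 1
    build_batch "$fqdn" "$ip" | nsupdate -l -p "$PORT"
    dig -p "$PORT" @127.0.0.1 +short "$fqdn" A | grep -qx "$ip"
    dig -p "$PORT" @127.0.0.1 +short -x "$ip" | grep -qx "${fqdn%.}."
}

# Usage: ./add-host.sh client4.centos7.home 192.168.1.14
if [ $# -eq 2 ]; then
    add_host "$1" "$2"
fi
```

Run it as root on the BIND host with the host name and address as arguments; a non-zero exit means either nsupdate rejected the update (run the batch manually with nsupdate -d -l -p 8053 to see the server's reply) or one of the two dig checks did not return the expected value.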
How Does It Work?
In this fairly easy process, we showed you how easily you can add new domain name resolution records with the nsupdate tool dynamically at runtime without needing to restart your BIND DNS server.
So what did we learn from this experience?
In this process, we introduced you to the nsupdate command-line tool, a utility for making changes to a running BIND DNS database without editing the zone files or restarting the server. If you have already configured the zone files in your DNS server, this is the preferred way to make changes. It has several options; for example, you can connect to remote DNS servers, but for simplicity and for security reasons we only use and allow the simplest form and connect nsupdate to our BIND server locally. To update a BIND server remotely with nsupdate, you need more configuration: generate a TSIG key (a shared secret, for example with ddns-confgen), declare it in named.conf and grant it update rights in the zone's update-policy, open the firewall, and so on.
After allowing named to write to its own zone directory, which SELinux otherwise prohibits, and fixing the permissions on the default named configuration directory, we started nsupdate with -l for a local connection and -p 8053 to reach our BIND server on port 8053. The -l flag also makes nsupdate authenticate with the session key that named generates when a zone is configured with update-policy local;, so no separate key has to be created for local use. -d prints debug output, including the server's reply to each update, which is useful for resolving problems. We were then prompted by an interactive shell in which we could run BIND-specific update commands. First we set local 127.0.0.1, the address the update messages are sent from, then we used update add to add a new forward A record to our running DNS server. The syntax is similar to defining records in the zone files: update add <domain-name> <TTL> <type> <IP address> adds an A record with a TTL of 115200 seconds (32 hours) for the name client4.centos7.home, resolving to the IP address 192.168.1.14. The next command added the reverse mapping by inserting the domain name as a PTR record into our reverse zone. Note the form of the owner name in the reverse update add rule: <last octet>.<remaining octets in reverse order>.in-addr.arpa., so 192.168.1.14 becomes 14.1.168.192.in-addr.arpa. To execute the queued commands we used send, once for the forward and once for the reverse update, because a single update message can only target one zone. named records each accepted update in a journal file (.jnl) next to the zone file and merges it into the zone file itself later, so the change survives a restart without any manual edit. If you ever need to edit a dynamically updated zone file by hand, run rndc freeze <zone> first and rndc thaw <zone> afterwards; otherwise your manual edit and the journal will disagree. Finally, we tested that the new entries work by querying the BIND server.