To Start With: What Do You Need?
The Process
- To begin with, log in as root on your Unbound DNS server and install the required BIND package and enable the DNS server on boot:
yum install bind && systemctl enable named
- The DNS server daemon shipped in the BIND package is called named, so let’s open its main configuration file to make some adjustments, after creating a backup copy of it first:
cp /etc/named.conf /etc/named.conf.BAK; vi /etc/named.conf
- First, find the line listen-on port 53 { 127.0.0.1; }; and then change the port number to the custom port 8053, so it reads as follows:
listen-on port 8053 { 127.0.0.1; };
- Next, find the line listen-on-v6 port 53 { ::1; }; and change it to:
listen-on-v6 port 8053 { none; };
- Next, since we are configuring an authoritative-only server, we will disable contacting other remote DNS servers: find the line that reads recursion yes; and change it to:
recursion no;
- Save and close the file, and then validate the syntax of our config changes (no output means no errors!):
named-checkconf
- Now tell SELinux about the changed named DNS port (this needs package policycoreutils-python):
semanage port -a -t dns_port_t -p tcp 8053
- Now type the following command in order to create your forward zone file. Name the file after the domain whose resource records it will contain:
vi /var/named/<domain>.<top-level domain>.db
- In our example, for our centos7.home domain, this will be:
vi /var/named/centos7.home.db
- Now simply add the following lines (be careful not to forget the trailing dots in the domain names). We will start with the Start of Authority (SOA) block:
$TTL 3h
@ IN SOA ns1.centos7.home. admin.centos7.home. (
2015082400 ; Serial yyyymmddnn
3h ; Refresh after 3 hours
1h ; Retry after 1 hour
1w ; Expire after 1 week
1h ) ; Minimum negative caching TTL
- Afterwards, add the rest of the file’s content:
; add your name servers here for your domain
IN NS ns1.centos7.home.
; add your mail server here for the domain
IN MX 10 mailhost.centos7.home.
; now follows the actual domain name to IP
; address mappings:
; first add all referenced hostnames from above
ns1 IN A 192.168.1.7
mailhost IN A 192.168.1.8
; add all accessible domain to ip mappings here
router IN A 192.168.1.0
www IN A 192.168.1.9
ftp IN A 192.168.1.10
; add all the private clients on the Lan here
client1 IN A 192.168.1.11
client2 IN A 192.168.1.12
client3 IN A 192.168.1.13
; finally we can define some aliases for
; existing domain name mappings
webserver IN CNAME www
johnny IN CNAME client2
- When you have finished, simply save and close the file before proceeding to create the reverse zone file for the private subnetwork used by our domain (the C-Class is the first three numbers (octets) of the address, separated by dots: XXX.XXX.XXX; for example, for the 192.168.1.0/24 subnet the C-Class is 192.168.1):
vi /var/named/db.<C-Class of our search IP in reverse order>
- In our example, a reverse zone file resolving our centos7.home's 192.168.1 C-Class subnet will be:
vi /var/named/db.1.168.192
- First put in exactly the same SOA block as in step 10 (the one at the top of the forward zone file), and then append the following content to the end of the file:
; add your name servers for your domain
IN NS ns1.centos7.home.
; here add the actual IP octet to
; subdomain mappings:
7 IN PTR ns1.centos7.home.
8 IN PTR mailhost.centos7.home.
9 IN PTR www.centos7.home.
10 IN PTR ftp.centos7.home.
11 IN PTR client1.centos7.home.
12 IN PTR client2.centos7.home.
13 IN PTR client3.centos7.home.
- Save and close the file, and then add our new zone pair to the named configuration. To do this, open named.conf again:
vi /etc/named.conf
- Now locate the line including "/etc/named.rfc1912.zones";. Immediately following this line, create a space for your work and add the appropriate zone statement to enable your reverse zone, as follows (substitute XXX.XXX.XXX with the reversed C-Class of your reverse zone file name, in our example 1.168.192):
zone "XXX.XXX.XXX.in-addr.arpa." IN {
type master;
file "/var/named/db.XXX.XXX.XXX";
update-policy local;
};
- Having done this, you can now proceed to add a zone statement for your forward zone right afterwards, as follows (replacing <domain>.<top-level domain> with your domain name, in our example centos7.home, so that the file name becomes centos7.home.db):
zone "<domain>.<top-level domain>." IN {
type master;
file "/var/named/<domain>.<top-level domain>.db";
update-policy local;
};
- When you have finished, simply save and close the file, and then validate the configuration and restart the BIND service (named) using:
named-checkconf && systemctl restart named
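The forward zone (centos7.home.db) and the reverse zone (db.1.168.192) created in the steps above are two hand-edited files, and they drift apart easily: a host added to one and forgotten in the other yields PTR answers that disagree with the A records, which breaks reverse-DNS checks and log correlation. The following POSIX shell script is an added example, not part of the recipe or of BIND. It derives both record sets from one host list (the names and addresses from the recipe, embedded here as constructed data) and cross-checks a forward/reverse pair for missing PTR records. The variable and function names (HOSTS, forward_records, reverse_records, check_pair) are the example's own.

```shell
#!/bin/sh
# Added example (not code from the recipe): build the forward A records and
# the reverse PTR records of a zone pair from ONE host list, and cross-check
# an existing pair so that a host added to centos7.home.db is never missing
# from db.1.168.192. The host list below is constructed for the example.
set -eu

ZONE="centos7.home"   # forward zone from the recipe
NET="192.168.1"       # the /24 prefix (the recipe's "C-Class")
REV="1.168.192"       # the same prefix with the octets reversed

# Constructed host list: "<hostname> <last octet>" per line.
HOSTS="ns1 7
mailhost 8
www 9
ftp 10
client1 11
client2 12
client3 13"

# Print the A records for the forward zone file, one per host.
forward_records() {
    printf '%s\n' "$HOSTS" | while read -r name octet; do
        printf '%s IN A %s.%s\n' "$name" "$NET" "$octet"
    done
}

# Print the matching PTR records for the reverse zone file.
reverse_records() {
    printf '%s\n' "$HOSTS" | while read -r name octet; do
        printf '%s IN PTR %s.%s.\n' "$octet" "$name" "$ZONE"
    done
}

# check_pair FORWARD_TEXT REVERSE_TEXT: for every "<name> IN A <NET>.<octet>"
# line in the forward text (SOA, NS, MX and CNAME lines are skipped), require
# a "<octet> IN PTR <name>.<ZONE>." line in the reverse text. Missing PTRs
# are listed on stderr; returns 1 if any is missing, 0 otherwise.
check_pair() {
    fwd=$1; rev=$2
    missing=$(printf '%s\n' "$fwd" |
        awk -v net="$NET" '$2 == "IN" && $3 == "A" && index($4, net ".") == 1 {
                 print $1, substr($4, length(net) + 2) }' |
        while read -r name octet; do
            want="$octet IN PTR $name.$ZONE."
            printf '%s\n' "$rev" | grep -qxF "$want" || printf '%s\n' "$want"
        done)
    if [ -n "$missing" ]; then
        printf 'missing PTR record(s) in reverse zone:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Demo when run directly: print both record sets and cross-check them.
fwd_demo=$(forward_records)
rev_demo=$(reverse_records)
printf '; %s forward records\n%s\n; %s.in-addr.arpa reverse records\n%s\n' \
    "$ZONE" "$fwd_demo" "$REV" "$rev_demo"
check_pair "$fwd_demo" "$rev_demo" && echo "; forward/reverse pair is consistent"
```

Running the script prints both record sets; paste them below the SOA blocks created in the steps above and validate each file with named-checkzone, which ships with the bind package (named-checkzone centos7.home /var/named/centos7.home.db and named-checkzone 1.168.192.in-addr.arpa /var/named/db.1.168.192), before restarting named. The cross-check can also be run over the existing files, for example check_pair "$(cat /var/named/centos7.home.db)" "$(cat /var/named/db.1.168.192)", which is a cheap sanity check to add before every restart.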
How Does It Work?
- The serial-number value is a numeric value, typically taking the form of the date in reverse (YYYYMMDD) with an additional value (VV), which is incremented every time the zone file is modified or updated, in order to indicate that it is time for the named service to reload the zone. The value VV typically starts at 00, and the next time you modify this file, simply increment it to 01, 02, 03, and so on.
- The time-to-refresh value determines how frequently the secondary or slave nameservers will ask the primary nameserver if any changes have been made to the zone.
- The time-to-retry value determines how frequently the secondary or slave nameservers should check the primary server again after a refresh has failed. If the failures continue for the time frame specified by the time-to-expire value, the secondary nameservers will stop responding as an authority for requests.
- The minimum-TTL value determines how long the other nameservers can cache negative responses.
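A serial that is not increased after an edit is the classic reason a zone change silently never reaches the secondaries, and a serial that goes backwards is just as bad, because a secondary keeps whichever copy carries the higher number. The following POSIX shell functions are an added example, not code from the recipe or from BIND: next_serial applies the YYYYMMDDnn rule described above, including the two awkward cases (several edits on one day, and a serial that is already ahead of today's date), and bump_zone_serial rewrites the "<serial> ; Serial" line of a zone file laid out like the one in the steps above. The SOA block embedded below is constructed for the example, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not code from the recipe): compute the next YYYYMMDDnn
# serial for an SOA record and rewrite it in a zone file, so an edit never
# ships with a stale or backwards serial. The sample SOA below is constructed
# to match the recipe's layout.
set -eu

# next_serial CURRENT [YYYYMMDD]: print the serial to use for the next edit.
#   same day as CURRENT      -> nn is incremented
#   CURRENT older than today -> today's date with nn = 00
#   CURRENT ahead of today   -> CURRENT + 1 (clock skew or a typo: a serial
#                               must never decrease, or secondaries keep the
#                               old zone)
next_serial() {
    cur=$1
    today=${2:-$(date +%Y%m%d)}
    case $cur in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "next_serial: '$cur' is not a 10-digit YYYYMMDDnn serial" >&2
           return 1 ;;
    esac
    curday=${cur%??}                     # first eight digits: the date part
    if [ "$curday" -lt "$today" ]; then
        printf '%s00\n' "$today"
    else
        printf '%s\n' $((cur + 1))
    fi
}

# bump_zone_serial ZONEFILE [YYYYMMDD]: replace the serial on the
# "<serial> ; Serial ..." line of the SOA (the layout used in the recipe),
# print the new serial, and leave the file untouched if no such line exists.
bump_zone_serial() {
    file=$1
    today=${2:-$(date +%Y%m%d)}
    cur=$(awk 'length($1) == 10 && $1 ~ /^[0-9]+$/ && $2 == ";" && $3 == "Serial" { print $1; exit }' "$file")
    if [ -z "$cur" ]; then
        echo "bump_zone_serial: no '<serial> ; Serial' line in $file" >&2
        return 1
    fi
    new=$(next_serial "$cur" "$today") || return 1
    tmp="$file.tmp.$$"
    sed "s/^\([[:space:]]*\)$cur\([[:space:]]*;[[:space:]]*Serial\)/\1$new\2/" "$file" > "$tmp" &&
        mv "$tmp" "$file"
    printf '%s\n' "$new"
}

# Constructed SOA block, laid out like the recipe's centos7.home.db.
SAMPLE_SOA='$TTL 3h
@ IN SOA ns1.centos7.home. admin.centos7.home. (
2015082400 ; Serial yyyymmddnn
3h ; Refresh after 3 hours
1h ; Retry after 1 hour
1w ; Expire after 1 week
1h ) ; Minimum negative caching TTL'

# Demo when run directly: bump a temporary copy twice on the same day.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_SOA" > "$demo"
echo "first edit of the day:  $(bump_zone_serial "$demo" 20150825)"   # 2015082500
echo "second edit of the day: $(bump_zone_serial "$demo" 20150825)"   # 2015082501
grep -n 'Serial' "$demo"
rm -f "$demo"
```

After bumping a real zone file, run named-checkzone on it and reload the server (systemctl reload named, or rndc reload). Because the recipe's server listens on the custom port, dig +short SOA centos7.home @127.0.0.1 -p 8053 shows which serial named is actually serving, which is the quickest way to confirm that the edit was picked up.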
ns1 IN A 192.168.1.7
mailhost IN A 192.168.1.7
www IN A 192.168.1.7
ftp IN A 192.168.1.7
There's more…
;; ANSWER SECTION:
client2.centos7.home. 10800 IN A 192.168.1.12