How to Set Up Private DNS Servers With Bind on AlmaLinux 9

Sakshi . -

Choose a different version or distribution

Introduction

Before we begin talking about how to set up private DNS Servers with Bind on AlmaLinux 9, let's briefly understand – What is DNS Server?

A DNS server, which stands for Domain Name System, is a crucial component of the internet infrastructure. It functions like a digital phonebook, translating human-friendly domain names (such as example.com) into the corresponding IP addresses that computers use to communicate with each other.

By doing so, DNS servers enable smooth navigation of the internet, allowing you to access websites through familiar and memorable domain names. DNS servers play a vital role in ensuring speedy and reliable internet connectivity, minimizing delays experienced during web browsing or accessing online services.

BIND, which stands for Berkeley Internet Name Domain, is an open-source software package used for implementing the Domain Name System (DNS) protocol. It serves as a DNS server, translating domain names into their corresponding IP addresses to facilitate communication between computers on the internet.

In this tutorial, you will set up private DNS Servers with Bind on AlmaLinux 9. We will also address a few FAQs on how to set up private DNS Servers with Bind on AlmaLinux 9.

Prerequisites

Step 1. Log in to your server via SSH

Initially, you must use SSH to access your AlmaLinux 9 VPS as the root user:

ssh root@IP_Address -p Port_number

You must replace IP_Address and Port_number with the appropriate IP address and SSH port number for your server. In addition, replace root with the username of the system user who has sudo access.

With the following command, you may check if the correct version of AlmaLinux is installed on your server:

# cat /etc/almalinux-release

You would see an output like this:

AlmaLinux release 9.2 (Turquoise Kodkod)

The shell commands in this article are run using the command root. Put sudo in front of the instructions if you want to execute them using your regular user account with sudo access.

Step 2. Install Bind

To install Bind 9 from its default repository on your AlmaLinux 9, use the following command. The most recent version is Bind 9, while Bind 10 is an outdated project.

# dnf update
# dnf install bind bind-utils

After installation, we may view the Bind version details.

# named -v

Sample output:

BIND 9.16.23-RH (Extended Support Version)

We can use this command to view the build choices and Bind version number.

# named -V

Output

BIND 9.16.23-RH (Extended Support Version)
running on Linux x86_64 5.14.0-284.11.1.el9_2.x86_64 #1 SMP PREEMPT_DYNAMIC Tue May 9 05:49:00 EDT 2023
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--with-maxminddb' '--with-dlopen=yes' '--with-gssapi=yes' '--with-lmdb=yes' '--without-libjson' '--with-json-c' '--enable-dnstap' '--enable-fixed-rrset' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS= -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 ' 'LT_SYS_LIBRARY_PATH=/usr/lib64:' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 11.3.1 20221121 (Red Hat 11.3.1-4)
compiled with OpenSSL version: OpenSSL 3.0.1 14 Dec 2021
linked to OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
compiled with libuv version: 1.42.0
linked to libuv version: 1.42.0
compiled with libxml2 version: 2.9.13
linked to libxml2 version: 20913
compiled with json-c version: 0.14
linked to json-c version: 0.14
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
compiled with protobuf-c version: 1.3.3
linked to protobuf-c version: 1.3.3
threads support is enabled

default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
geoip-directory: /usr/share/GeoIP

Although Bind is now installed, it is not operating automatically. Let's use this command to launch Bind and set it up to launch automatically when the computer reboots.

# systemctl enable --now named

Step 3. Configure Bind

On CentOS/RHEL, the BIND9 server by default provides recursive capabilities only for the localhost. Requests from outside sources will be rejected. Make changes to BIND's main configuration file, /etc/named.conf.

# nano /etc/named.conf

Find these two lines

listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };

Comment on them after that, and it ought to seem like this.

#listen-on port 53 { 127.0.0.1; };
#listen-on-v6 port 53 { ::1; };

This line can also be modified.

allow-query { localhost; };

To something like this

allow-query { localhost; 192.168.0.0/24; 10.10.10.0/24; };

Alternatively, you can just comment on the lines and run some tests before granting access to particular IP ranges; it should look something like this:

#allow-query { localhost; };

Save the file before exiting and restarting Bind.

# systemctl restart named

The Bind service is now listening to all of your server's interfaces, not just localhost.

Step 4. Create Zones

Add the following lines to the end of the document while changing the domain name to suit your needs.

zone "yourdomain.com" {
    type master;
    file "/var/named/yourdomain.com";
};

Exit after saving the file.

Make a BIND zone configuration file called /var/named/yourdomain.com.

# nano /var/named/yourdomain.com

Then include these lines.

Output

$TTL 1d
@               IN      SOA     dns1.yourdomain.com.    hostmaster.yourdomain.com. (
                1        ; serial
                6h       ; refresh after 6 hours
                1h       ; retry after 1 hour
                1w       ; expire after 1 week
                1d )     ; minimum TTL of 1 day


@               IN      NS      ns1.yourdomain.com.
@IN NS ns2.yourdomain.com.

ns1             IN      A       192.168.0.1
ns2IN      A       192.168.0.1

yourdomain.com.    IN      MX      0      mail.yourdomain.com.
mail            IN      A       192.168.0.1
www             IN      CNAME       yourdomain.com.
blog            IN      A       192.168.0.1

Close the file after saving it.

When utilizing the domain name in the zone file, please make sure that a dot is added at the end of the name. Using the supplied template, you have the freedom to add or change the records as needed.

This line represents:

Output

@ – The domain mentioned in the named.conf.local file, which is yourdomain.com, will be substituted here.
IN – Records of INTERNET type in this case.
SOA – This is the Start Of Authority record, which is the authoritative record for this domain.
ns1.yourdomain.com. – The nameserver DNS record. – The server that handles the domain's DNS.
hostmaster.yourdomain.com. – The email address of the nameserver's manager. The @ symbol is replaced with a dot.

You can add other zones and repeat the previous procedures. However, each time you edit Bind configuration files, remember to run this command:

# named-checkconf

After running the command, if there isn't any message, the configuration is okay, and the Bind service can be restarted.

# systemctl restart named

You ought to be able to utilize your server as the DNS server at this point. We may, for instance, attempt to query mail.yourdomain.com.

# dig mail.yourdomain.com @127.0.0.1

The output will look like this:

Output

; <<>> DiG 9.16.23-RH <<>> mail.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 933
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 86b765bc5dc202110100000064a7606f61c60bf02ed52508 (good)
;; QUESTION SECTION:
;mail.yourdomain.com. IN A

;; ANSWER SECTION:
mail.yourdomain.com. 86400 IN A 192.168.0.1

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 06 19:46:39 CDT 2023

You may observe that 192.168.0.1 is the address that mail.yourdomain.com points to.

Step 5. Configure Systemd

We can edit the systemd file to keep the Bind service up and running at all times.

# systemctl edit named

Make sure to add these two lines to the file in the appropriate location.

[Service]
Restart=always
RestartSec=5s

Exit the file, after saving.

Let's reload it now and attempt to stop the Bind service.

# systemctl daemon-reload

# pkill named

Next, check the Bind status. You'll see that an automatic restart of the Bind service occurred.

# systemctl status named

Well done! On AlmaLinux 9, you have effectively set up a private DNS server using Bind.

FAQs on setting up private DNS servers with Bind on AlmaLinux 9

Why would I want to set up private DNS servers?

Setting up private DNS servers allows you to have full control over your DNS infrastructure. It can enhance security, improve performance, and enable customization of DNS settings based on your specific needs.

How do I install Bind on AlmaLinux 9?

To install Bind on AlmaLinux 9, you can use the package manager dnf. Run the command sudo dnf install bind to install Bind and its dependencies.

What configuration files do I need to modify for Bind?

The main configuration file for Bind is located at /etc/named.conf. You may also need to modify additional configuration files such as zone files, access control lists, and logging settings, depending on your requirements.

How do I create a new DNS zone?

To create a new DNS zone, you need to define the zone in the Bind configuration file and create the corresponding zone file. The zone file contains the DNS records (such as A, CNAME, MX, etc.) for the domain.

How do I configure DNS records in Bind?

You can configure DNS records in the zone file for each domain. Use record types like A (IPv4 address), AAAA (IPv6 address), CNAME (canonical name), MX (mail exchange), and others to define the records.

How do I secure my private DNS server?

To secure your private DNS server, you can implement access control lists (ACLs) to restrict client access, use DNSSEC to ensure data integrity, implement firewall rules to allow only necessary network traffic, and regularly update your Bind installation for security patches.

How can I ensure high availability for my private DNS server?

To achieve high availability, you can set up multiple DNS servers in a redundant configuration. This can involve using technologies like DNS clustering, load balancing, and DNS anycast to distribute the workload and ensure that DNS requests are handled by a functioning server even if one goes offline.

Conclusion

A DNS server is a pivotal part of the internet infrastructure that translates human-friendly domain names into machine-readable IP addresses. This enables seamless internet navigation.

BIND, also known as Berkeley Internet Name Domain, is an open-source software package widely used as a DNS server. It is highly flexible and scalable, suitable for diverse network sizes. Its features enhance the security and reliability of DNS, making it an essential component of internet connectivity.

If you have any queries, please leave a comment below, and we’ll be happy to respond to them.