BIND Config options help?

General support questions
igorek24
Posts: 90
Joined: 2013/11/13 06:11:37

BIND Config options help?

Post by igorek24 » 2014/12/18 06:17:10

I'm managing my own DNS using Windows DNS. I'm trying to switch to BIND on top of CentOS 7. Everything looks like it's working, but I'm so confused with all these options. Can someone help me figure out what options I need? Here is how far I got:

Code:

options {
	directory "/var/named";
	allow-transfer { none; };
	cleaning-interval 120;
	dump-file "/var/named/data/cache_dump.db";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursion no;
	statistics-file "/var/named/data/named_stats.txt";
	version none;
	zone-statistics yes;
};

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: BIND Config options help?

Post by aks » 2014/12/21 08:29:44

You could probably leave out the statistics bits (zone-statistics, statistics-file, memstatistics-file), if you don't want statistics. Your post is a little ambiguous - what do you want to achieve? If you just want to know what these various options mean - can't you just google?

jeffdvo
Posts: 30
Joined: 2015/01/19 21:06:40

Re: BIND Config options help?

Post by jeffdvo » 2015/01/23 17:26:04

Sorry if I'm hijacking, but this seems to be a similar issue to mine. I was using a Windows 2003 server as a DNS server and my Linux Smoothwall was DHCP and secondary DNS.
I've been messing about with BIND (not a complete noob to Linux, but not far off) on a new install of v7. I've followed a couple of tuts on setting up DNS but I'm still struggling to get DNS working on the CentOS box. I'm hoping to eventually have something similar to what I had with the 2003 server. I don't need a full-blown AD and think that Samba4 will do what I want, e.g. provide network shares with the option of having user accounts.

Results from SSH to Centos box

[root@dvofps ~]# nslookup bbc.co.uk
;; Got recursion not available from 192.168.0.201, trying next server
Server: 192.168.0.254
Address: 192.168.0.254#53

Non-authoritative answer:
Name: bbc.co.uk
Address: 212.58.246.103
Name: bbc.co.uk
Address: 212.58.246.104
Name: bbc.co.uk
Address: 212.58.244.18
Name: bbc.co.uk
Address: 212.58.244.20

[root@dvofps ~]# systemctl status named -l
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled)
Active: active (running) since Tue 2015-01-20 14:16:05 GMT; 3 days ago
Process: 400 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 2405 (named)
CGroup: /system.slice/named.service
└─2405 /usr/sbin/named -u named

Jan 23 16:13:01 dvofps.local named[2405]: listening on IPv4 interface enp6s0, 192.168.0.201#53
Jan 23 16:13:01 dvofps.local named[2405]: sizing zone task pool based on 7 zones
Jan 23 16:13:01 dvofps.local named[2405]: using built-in DLV key for view _default
Jan 23 16:13:01 dvofps.local named[2405]: reloading configuration succeeded
Jan 23 16:13:01 dvofps.local named[2405]: reloading zones succeeded
Jan 23 16:13:01 dvofps.local named[2405]: all zones loaded
Jan 23 16:13:01 dvofps.local named[2405]: running
Jan 23 16:13:01 dvofps.local systemd[1]: Reloaded Berkeley Internet Name Domain (DNS).
Jan 23 16:40:21 dvofps.local named[2405]: client 192.168.0.201#36985 (google.co.uk): query (cache) 'google.co.uk/A/IN' denied
Jan 23 16:40:50 dvofps.local named[2405]: client 192.168.0.201#59313 (bbc.co.uk): query (cache) 'bbc.co.uk/A/IN' denied
[root@dvofps ~]#

Do the last 2 lines above suggest a permissions thing?

From a Windows 8.1 box, I get

C:\WINDOWS\system32>nslookup pcjudo.co.uk
Server: smoothwall
Address: 192.168.0.254

Non-authoritative answer:
Name: pcjudo.co.uk
Address: 151.252.2.1

C:\WINDOWS\system32>nslookup dvofps
Server: smoothwall
Address: 192.168.0.254

*** smoothwall can't find dvofps: Non-existent domain

C:\WINDOWS\system32>nslookup dvofps.local
Server: smoothwall
Address: 192.168.0.254

*** smoothwall can't find dvofps.local: Non-existent domain

C:\WINDOWS\system32>nslookup 192.168.0.201
Server: smoothwall
Address: 192.168.0.254

201.0.168.192.in-addr.arpa
primary name server = localhost
responsible mail addr = nobody.invalid
serial = 1
refresh = 600 (10 mins)
retry = 1200 (20 mins)
expire = 604800 (7 days)
default TTL = 10800 (3 hours)
*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for 192.168.0.201

I appear to have something very basic wrong but I can't see it. I can post the config files.

Thanks in anticipation to any kind soul that can help.

Jeff

igorek24
Posts: 90
Joined: 2013/11/13 06:11:37

Re: BIND Config options help?

Post by igorek24 » 2015/01/26 05:03:15

aks wrote:You could probably leave out the statistics bits (zone-statistics, statistics-file, memstatistics-file), if you don't want statistics. Your post is a little ambiguous - what do you want to achieve? If you just want to know what these various options mean - can't you just google?
Thanks for your reply, aks. Sorry, I should've been more specific. I have two name servers where my public domain zones reside. I had Windows Server DNS before and now I have switched to BIND. I was wondering if there are any other options required for my name servers.

igorek24
Posts: 90
Joined: 2013/11/13 06:11:37

Re: BIND Config options help?

Post by igorek24 » 2015/01/26 05:23:57

Are your DNS servers accessible from the net? Try this:

Permissions

Code:

chgrp -R named /var/named
chown -v root:named /etc/named.conf
restorecon -rv /var/named
restorecon /etc/named.conf
Make sure your firewall port is open:

Code:

firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --reload
Options:

Code:

allow-recursion {localnets; 192.168.100.0/24;};
Where 192.168.100.0/24 is your local network.
BTW, there is a very good GUI for BIND called facileManager

jeffdvo
Posts: 30
Joined: 2015/01/19 21:06:40

Re: BIND Config options help?

Post by jeffdvo » 2015/02/01 22:43:49

Hi igorek24, sorry I didn't realise you had replied.

I've managed to get the Centos box running as a DNS server, now I've disabled the firewall (and selinux) and I can go to any Windows box on the LAN and run nslookup and get a "non authoritative" result. I've still got a few tweaks I want to do but I've also got Samba working almost as I want :-)

Out of interest, I've installed Facilemanager (after converting the tar.gz to rpm) and find that it needs a web server running :-(( I don't really want Apache running on that box so I guess I'll uninstall it and stick with editing the config files!

Due to my lack of knowledge with Centos, I'm using WinScp and Webmin, along with Putty to admin the Centos box and I'm gradually getting the hang of it :-)

Once I've created a mirror and attached an ext USB drive to backup the "data" drive, I'll have a look at the firewall and selinux but I'm reasonably happy with the Centos box as it is. Lot more learning to do!

Cheers

Jeff

miko
Posts: 56
Joined: 2005/05/03 09:56:00
Location: BiH, Sarajevo

Re: BIND Config options help?

Post by miko » 2015/02/02 12:10:03

Hi
"recursion no" means you won't get an answer from your DNS server for other domains. So in your case you need to set "recursion yes".

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: BIND Config options help?

Post by aks » 2015/02/02 17:25:03

And you could set the type master option if you want the server to be authoritative for your domain.
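The three points made in the last few posts (igorek24's allow-recursion restricted to the LAN, miko's "recursion yes" for a resolver, aks's "type master" for an authoritative zone) can be checked mechanically before a server goes on the network. The script below is an added example, not code from this thread or from BIND itself: a POSIX shell audit that flattens a named.conf, pulls out recursion, allow-recursion, allow-query, allow-transfer, version and the type of each zone, and flags an open resolver or an unrestricted zone transfer. The fallback rules it encodes (recursion defaults to yes; allow-recursion falls back to allow-query and then to localnets/localhost; allow-transfer defaults to any on the BIND 9.9 that CentOS 7 ships) are BIND 9 defaults; named ACLs, "!" negations and /* */ comments are not handled, which is a simplification of this example. The three sample configs are constructed for the example (192.0.2.2 as a hypothetical secondary, 192.168.0.0/24 as the LAN), not taken from anyone's server.

```shell
#!/bin/sh
# Added example (not from the thread or from BIND): audit the named.conf
# settings discussed above. Needs only POSIX sh plus grep/sed/tr.
# Simplifications: named ACLs and "!" negations are not resolved, /* */
# comments are not stripped, and a zone's "type" must precede any nested block.

# Flatten a config to one line: drop // and # comments, squeeze whitespace.
flatten() { sed -e 's|//.*||' -e 's|#.*||' "$1" | tr '\n\t' '  ' | tr -s ' '; }

# scalar_value NAME FILE -> value of "NAME value;" (e.g. "no" for "recursion no;")
scalar_value() {
    flatten "$2" | grep -o "[ {]$1 [^;{}]*;" | head -n1 | sed 's/^[ {]*[^ ]* *//; s/;$//'
}

# acl_value NAME FILE -> elements of "NAME { a; b; };" as "a; b;" (empty if unset)
acl_value() {
    flatten "$2" | grep -o "[ {]$1 *{[^}]*}" | head -n1 | sed 's/^[ {]*[^{]*{ *//; s/ *}$//'
}

# zone_types FILE -> one "name type" line per zone statement
zone_types() {
    flatten "$1" | grep -o 'zone "[^"]*"[^}]*type [a-z]*' |
        sed 's/zone "\([^"]*\)".*type \([a-z]*\)/\1 \2/'
}

# audit_conf FILE -> prints one finding per line; returns 1 if something risky was found
audit_conf() {
    conf=$1 rc=0
    rec=$(scalar_value recursion "$conf")
    allow_rec=$(acl_value allow-recursion "$conf")
    allow_q=$(acl_value allow-query "$conf")
    xfer=$(acl_value allow-transfer "$conf")
    ver=$(scalar_value version "$conf")

    # BIND 9 defaults: recursion yes; allow-recursion falls back to
    # allow-query, and then to { localnets; localhost; }.
    eff=$allow_rec
    if [ -z "$eff" ]; then eff=$allow_q; fi
    if [ -z "$eff" ]; then eff="localnets; localhost;"; fi

    if [ "${rec:-yes}" = yes ]; then
        case " $eff" in
            *" any;"*|*" 0.0.0.0/0;"*|*" ::/0;"*)
                echo "WARN open resolver: recursion yes for { $eff } (DNS amplification target)"
                rc=1 ;;
            *) echo "ok   recursion yes, limited to { $eff }" ;;
        esac
    else
        echo "ok   recursion no (authoritative only; off-zone queries are refused)"
    fi

    # BIND 9.9 (CentOS 7) defaults allow-transfer to any; a zone-level
    # allow-transfer overrides this for that zone and is not audited here.
    case " ${xfer:-any;}" in
        *" any;"*) echo "WARN zone transfers allowed to anyone (allow-transfer { ${xfer:-any;} })"; rc=1 ;;
        *)         echo "ok   allow-transfer { $xfer }" ;;
    esac

    if [ "$ver" = none ]; then
        echo "ok   version none (CHAOS version.bind query disabled)"
    else
        echo "INFO version string exposed (set 'version none;')"
    fi

    zone_types "$conf" | while read -r name type; do
        echo "zone $name: type $type"
    done
    return $rc
}

# Constructed sample configs for the example (not copied from any real server).
sample_authoritative() {   # public name server, as in the first post, plus a master zone
    cat <<'EOF'
options {
    directory "/var/named";
    allow-transfer { none; };
    recursion no;
    version none;
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.2; };   // hypothetical secondary only
};
EOF
}

sample_open() {            # "recursion yes" with no scoping: an open resolver
    cat <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
};
EOF
}

sample_lan_resolver() {    # LAN resolver: recursion scoped to the local network
    cat <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    allow-query { localhost; 192.168.0.0/24; };
    allow-recursion { localhost; 192.168.0.0/24; };
    allow-transfer { none; };
    version none;
};
EOF
}

tmpdir=$(mktemp -d)
for s in sample_authoritative sample_open sample_lan_resolver; do
    "$s" > "$tmpdir/$s.conf"
    echo "== $s"
    audit_conf "$tmpdir/$s.conf" || echo "   -> fix before putting this server on the network"
done
rm -rf "$tmpdir"
```

Run it with `sh audit.sh`; to audit a live server, call `audit_conf /etc/named.conf` after sourcing the file. The "query (cache) denied" lines in jeffdvo's log are what BIND logs when a client asks for an off-zone name and recursion is not available to it, which is exactly the case the first two findings distinguish.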

igorek24
Posts: 90
Joined: 2013/11/13 06:11:37

Re: BIND Config options help?

Post by igorek24 » 2015/02/02 20:06:44

jeffdvo wrote:Hi igorek24, sorry I didn't realise you had replied.

I've managed to get the Centos box running as a DNS server, now I've disabled the firewall (and selinux) and I can go to any Windows box on the LAN and run nslookup and get a "non authoritative" result. I've still got a few tweaks I want to do but I've also got Samba working almost as I want :-)

Out of interest, I've installed Facilemanager (after converting the tar.gz to rpm) and find that it needs a web server running :-(( I don't really want Apache running on that box so I guess I'll uninstall it and stick with editing the config files!

Due to my lack of knowledge with Centos, I'm using WinScp and Webmin, along with Putty to admin the Centos box and I'm gradually getting the hang of it :-)

Once I've created a mirror and attached an ext USB drive to backup the "data" drive, I'll have a look at the firewall and selinux but I'm reasonably happy with the Centos box as it is. Lot more learning to do!

Cheers

Jeff
Hi Jeff,
About Webmin, keep it closed to the public. It has a lot of security holes: http://www.webmin.com/security.html. Also, you should only disable SELinux and the firewall for troubleshooting purposes. I think firewalld is a lot easier to manage than iptables (at least for me, I always struggled with iptables). Anyways, CentOS 7 is one of my favorites out of all the OSs available, very stable. I have successfully converted all of the Windows servers to CentOS and never looked back. I just love it.

jeffdvo
Posts: 30
Joined: 2015/01/19 21:06:40

Re: BIND Config options help?

Post by jeffdvo » 2015/02/02 22:11:24

Hi igorek24,
Thanks for the heads-up about Webmin. I don't think I have much to worry about as it is only available from the LAN and the LAN is behind Smoothwall Express, which is why I'm not too concerned about not running the firewall on the CentOS box. Hopefully I'm not being too complacent :-) I'm not up to speed on SELinux, so for me it's adding another layer to the learning curve, but I do intend to enable the firewall and SELinux when I've got my head round it. Might be a while, I'm at the stage of my life cycle where I'm now in the slow learners club :-)
I can see why you like Centos so much, I've only got enough Linux knowledge to get me into trouble and so far haven't broken it. It's certainly growing on me but my native tongue is Microsoft and I'm a big fan of GUI's. I was going to go for Ubuntu server but think that Centos is definitely the better choice in robustness & stability.

Are your servers mostly member servers? Do you use any as a DC and/or DHCP server?

For me, it's like going forward to the past! In another life, I used to admin SCO servers (about 150+) and was part of a team that were migrating the SCO boxes to NT4 and then Win 2000. It's amazing how things come round and reverse! The main thing I can remember about *nix stuff is my hatred of Vi :-)
