Configuration of caching DNS server on CentOS/RHEL 8

In this article, you will learn how to configure a caching DNS server.

DNS stands for Domain Name System. DNS is like a phonebook, but it is the phonebook of the Internet. It is not easy to remember the IP address of a website, such as 209.132.183.105, but it is easy to remember a name like linuxgurus.in or google.com. DNS translates the domain name to the IP address so that the web browser can load the Internet resource.

In short, DNS resolves domain names to IP addresses and IP addresses to domain names.

There are four types of DNS server.

  • Master DNS server, also known as primary DNS server
  • Slave DNS server, also known as secondary DNS server
  • Caching-only DNS server
  • Forwarding-only DNS server

What is the DNS cache server?

A DNS cache server contacts the remote DNS server once and then stores the answers it receives locally. Each answer is valid for a specific time, known as the TTL (Time To Live). During this period, if anyone requests the same name, the server returns the answer immediately; it does not contact the ISP’s DNS server again to ask for the translation.

Lab setup for DNS cache server

For this lab, I’m going to use two systems: one as the DNS cache server and the second as a client.

Setup for DNS cache server

Firstly, I’ll install the BIND software package on the server system, and I’ll use the default DNS port 53.

  • Operating system: CentOS/RHEL 8
  • Hostname: dnscache.linuxgurus.in
  • IP address: 192.168.43.80

Setup for client system

Secondly, I’ll use the client to test our server.

  • Operating system: CentOS/RHEL 8
  • Hostname: client.linuxgurus.in
  • IP address: 192.168.43.90

Step 1: Installation of the BIND9 on CentOS/RHEL 8

The lab setup is now done, so we are going to install the BIND software package. Use the following command to install it.

dnf install bind bind-utils

You can also use the yum command instead of dnf to install it.

Note: bind is the name of the DNS server package, and bind-utils contains a collection of utilities for querying DNS name servers to find out information about Internet hosts.

Step 2: Starting the BIND service

The installation is complete, and it is time to start the BIND service and enable it to start automatically at boot. The name of the service is named, so I’m going to use a single command to start and enable it.

systemctl enable --now named

Step 3: Confirming the named service status

It is good practice to check the named service status to make sure it is up and running. Use the command below.

systemctl status named

You can also verify it in the picture below.

(Figure: named service status)

Step 4: DNS cache server configuration

All the preliminary setup is complete, and it is time to configure the DNS cache server. To do that, we have to edit the main configuration file of the DNS server, named.conf, which is located in /etc/.

To edit this file, I’m using the vim editor, but you can use any other editor of your choice, such as nano or pico.

vim /etc/named.conf

To create a DNS caching-only server, we have to change four essential settings in the configuration file /etc/named.conf. We leave the default localhost entry in place and add any to accept queries from any network range, and recursion must be set to yes. The options below are the ones you need.

listen-on port 53 { 127.0.0.1; any; };
allow-query { localhost; any; };
allow-query-cache { localhost; any; };
recursion yes;

In short, you have to change the above settings in the named.conf file. You can compare your settings with the complete configuration file below; the changed lines are the four listed above.

options {
        listen-on port 53 { 127.0.0.1; any; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file "/var/named/data/named.secroots";
        recursing-file "/var/named/data/named.recursing";
        allow-query { localhost; any; };
        allow-query-cache { localhost; any; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
         channel default_debug {
                 file "data/named.run";
                 severity dynamic;
         };
};

zone "." IN {
         type hint;
         file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Brief Explanation

listen-on port 53 { 127.0.0.1; any; }; This line sets the addresses and port on which BIND listens for incoming DNS requests. The default port for DNS is 53. We could list a specific IP address, but here I’m using the any option, which instructs BIND to bind to all available interfaces, private or public.

allow-query { localhost; any; }; Allows queries from any machine that can reach the server.

allow-query-cache { localhost; any; }; Controls which clients may receive answers from the server’s cache; with any, cached answers are returned to every client.

recursion yes; With recursion enabled, the server resolves names on the client’s behalf: it sends queries to other DNS servers on the Internet and returns the answer to us.

Note that listen-on any, allow-query any and recursion yes together make this an open resolver: anyone who can reach port 53 can use it for recursive lookups. That is fine for a lab, but on a server with a public interface, restrict these lists (for example with allow-recursion) to the networks you serve.
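The following script is an added example, not code from the original article or from BIND. It checks an options block for the open-resolver combination described above (listen-on any, allow-query any, recursion yes, and no narrower allow-recursion) and prints "open" or "restricted". Both configuration snippets are constructed for the example: the first repeats the article’s four settings, the second is an assumed restricted variant that uses an acl named "lab" built from the article’s lab addresses (127.0.0.1, 192.168.43.80 and the 192.168.43.0/24 subnet).

```shell
#!/bin/sh
# Added example, not code from the original article or from BIND: a small
# audit that flags the "open resolver" combination in a named.conf options
# block (listen-on any + allow-query any + recursion yes, with no narrower
# allow-recursion). Both configuration snippets below are constructed for
# this example; the restricted one uses the article's lab subnet.

# The relevant lines exactly as the article sets them.
ARTICLE_OPTIONS=$(cat <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; any; };
        listen-on-v6 port 53 { ::1; };
        allow-query { localhost; any; };
        allow-query-cache { localhost; any; };
        recursion yes;
};
EOF
)

# The same server limited to the lab network (assumed address plan taken
# from the article's lab setup; the acl name "lab" is our own choice).
RESTRICTED_OPTIONS=$(cat <<'EOF'
acl "lab" { 127.0.0.1; 192.168.43.0/24; };
options {
        listen-on port 53 { 127.0.0.1; 192.168.43.80; };
        listen-on-v6 port 53 { ::1; };
        allow-query { lab; };
        allow-query-cache { lab; };
        allow-recursion { lab; };
        recursion yes;
};
EOF
)

# has_any STATEMENT CONFIG: true when the named statement's address list
# contains the "any" match-list element.
has_any() {
    printf '%s\n' "$2" \
        | grep -E "^[[:space:]]*$1([[:space:]]|\{)" \
        | grep -Eq '(^|[{ ;])any[[:space:]]*;'
}

# has_statement STATEMENT CONFIG: true when the statement appears at all.
has_statement() {
    printf '%s\n' "$2" | grep -Eq "^[[:space:]]*$1([[:space:]]|\{)"
}

# classify_resolver CONFIG: prints "open" when any client that can reach
# port 53 on any interface gets recursive service, "restricted" otherwise.
classify_resolver() {
    conf="$1"
    # No recursion at all: an authoritative-only server is not an open resolver.
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*recursion[[:space:]]+yes[[:space:]]*;' \
        || { echo "restricted"; return 0; }
    # allow-recursion, when present, is what limits recursive queries;
    # otherwise allow-query decides who may ask at all.
    if has_statement "allow-recursion" "$conf"; then
        has_any "allow-recursion" "$conf" || { echo "restricted"; return 0; }
    else
        has_any "allow-query" "$conf" || { echo "restricted"; return 0; }
    fi
    # Bound to every interface, so a public side would be exposed too.
    has_any "listen-on" "$conf" || { echo "restricted"; return 0; }
    echo "open"
}

echo "article config:    $(classify_resolver "$ARTICLE_OPTIONS")"
echo "restricted config: $(classify_resolver "$RESTRICTED_OPTIONS")"
```

Run it as a plain sh script; the article’s settings are reported as "open" and the restricted variant as "restricted". The check is deliberately line-oriented, so it only understands one statement per line as in the article’s file; named-checkconf remains the authority on whether the file itself is valid.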

Step 5: Updating the SELinux context

Now we have to check the SELinux context of the named.conf file. Use the command below for that.

ls -lZ /etc/named.conf

If the output of the command looks like the line below, you have to fix the SELinux context. If it does not, you can skip this step and go to the next one.

-rw-r-----. root root unconfined_u:object_r:etc_t:s0 named.conf

Firstly, we have to change the group of this file to named. Use the following command.

chown root:named /etc/named.conf

Secondly, we have to restore the correct SELinux context. The command below does that.

chcon system_u:object_r:named_conf_t:s0 /etc/named.conf

Step 6: Checking the BIND configuration

Use the command below to check the BIND configuration file.

named-checkconf

If there is no output, everything is ok. If you get an error, check the named.conf configuration file again and recheck the previous steps.

Step 7: Restarting the BIND service

We have now completed the configuration, so let’s restart the named service.

systemctl restart named

Step 8: Firewall configuration

In CentOS/RHEL 8, the firewalld service allows or blocks incoming and outgoing connections based on its configuration. So here we have to open port 53 for DNS so that queries can pass through the firewall. Use the commands below to allow it.

firewall-cmd --permanent --add-port 53/tcp
firewall-cmd --permanent --add-port 53/udp

Now reload the firewall service so the changes take effect.

firewall-cmd --reload

Step 9: Testing the DNS caching-only server

We have completed the setup and now have to test it. For this, I’m going to use the dig command.

Firstly, I will query duckduckgo.com. Secondly, I will query it again to see the difference.

dig duckduckgo.com

As you can see in the picture below, the first dig for duckduckgo.com takes 3404 msec.

(Figure: first test using the dig command)

When I run the same query a second time, it takes only 0 msec. The first query’s answer was stored (cached), so the repeated query is answered immediately from the cache. That is the difference the DNS cache server makes, and you can see it in the picture below.

dig duckduckgo.com

(Figure: second test using the dig command)

Step 10: Setting up DNS cache-only to the client machine

For this step, you only have to change the DNS address on the client machine. Use the vim editor to edit the network configuration file. In my case the network interface name is ens33; replace it with your system’s network interface name.

vim /etc/sysconfig/network-scripts/ifcfg-ens33

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=45cc7c46-5417-35aa-9e15-a07314c5f0bd
DEVICE=ens33
ONBOOT=yes
AUTOCONNECT_PRIORITY=-999
IPADDR=192.168.43.40
PREFIX=24
GATEWAY=192.168.43.1
DNS1=192.168.43.80

Note: After changing the DNS setting, restart NetworkManager with the command below.

systemctl restart NetworkManager

Step 11: Testing DNS caching-only settings on the client machine

We have tested our DNS caching-only server; now it is time to check from the client machine after changing its DNS address.

So, let’s dig it.

dig amazon.in

As you can see in the picture below, the first query from the client system takes 924 msec.

(Figure: first query from the client system)

The second time, as the picture below shows, it took 0 msec. That is the difference.

dig amazon.in

(Figure: second query from the client system)
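The tests in Step 9 and Step 11 both rely on reading dig’s output by eye. The script below is an added example, not code from the original article or from BIND, that does the same comparison from two captured dig outputs: it reads the "Query time" line and the TTL in the ANSWER SECTION and reports whether the second answer came from the cache. Both dig outputs are constructed for this example (the query times and the 300-second TTL are assumed; 203.0.113.10 is a documentation address, not duckduckgo.com’s real one).

```shell
#!/bin/sh
# Added example, not code from the original article: tell a cache hit from a
# fresh lookup using two things dig prints, the "Query time" line and the TTL
# in the ANSWER SECTION. A cached answer comes back in (near) zero time and
# its TTL keeps counting down from the value the first lookup stored; a fresh
# upstream lookup shows the full TTL again. Both dig outputs below are
# constructed for this example (203.0.113.10 is a documentation address).

FIRST_LOOKUP=$(cat <<'EOF'
; <<>> DiG <<>> duckduckgo.com
;; QUESTION SECTION:
;duckduckgo.com.            IN      A

;; ANSWER SECTION:
duckduckgo.com.     300     IN      A       203.0.113.10

;; Query time: 3404 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
EOF
)

SECOND_LOOKUP=$(cat <<'EOF'
; <<>> DiG <<>> duckduckgo.com
;; QUESTION SECTION:
;duckduckgo.com.            IN      A

;; ANSWER SECTION:
duckduckgo.com.     287     IN      A       203.0.113.10

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
EOF
)

# query_time_ms DIG_OUTPUT: prints the milliseconds from the "Query time" line.
query_time_ms() {
    printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p'
}

# answer_ttl DIG_OUTPUT: prints the TTL of the first record in the ANSWER SECTION.
answer_ttl() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        in_answer && NF >= 5 && $3 == "IN" { print $2; exit }'
}

# classify_second_lookup FIRST SECOND: "cached" when the second answer is the
# first one still counting down (TTL decreased), "fresh" when the TTL is back
# at its full value, "inconclusive" when a TTL could not be read.
classify_second_lookup() {
    ttl1=$(answer_ttl "$1")
    ttl2=$(answer_ttl "$2")
    if [ -z "$ttl1" ] || [ -z "$ttl2" ]; then
        echo "inconclusive"
    elif [ "$ttl2" -lt "$ttl1" ]; then
        echo "cached"
    else
        echo "fresh"
    fi
}

echo "first lookup:  $(query_time_ms "$FIRST_LOOKUP") msec, TTL $(answer_ttl "$FIRST_LOOKUP")"
echo "second lookup: $(query_time_ms "$SECOND_LOOKUP") msec, TTL $(answer_ttl "$SECOND_LOOKUP")"
echo "verdict: $(classify_second_lookup "$FIRST_LOOKUP" "$SECOND_LOOKUP")"
```

Query time alone is a weak indicator, because a nearby upstream resolver also answers in a few milliseconds; the TTL counting down between the two answers is only seen when the second answer is served from the cache, which is why the verdict is based on the TTL.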

Step 12: Managing the named service

If you want to manage the named service, the options below are useful.

Firstly, to start the named service:

systemctl start named

Secondly, to check whether it is enabled at startup, use the command below.

systemctl is-enabled named

If it is not enabled and you want to enable it, use the following command.

systemctl enable named

In case you want to disable it:

systemctl disable named

Also, if you want to mask the service so that no other program can start it, use the command below.

systemctl mask named

Finally, to unmask the named service, use the command below.

systemctl unmask named

Conclusion

In conclusion, you learned how to configure a DNS caching-only server. I hope it is clear, but if you have any questions, you can ask in the comment section.

8 Comments

  1. Louisa Vance Allister

    Wow! Thank you! I continually wanted to write on my website something like that. Can I implement a portion of your post to my website?

  2. Julie Irving Pahl

    Great article. I am dealing with a few of these issues as well.

  3. You have made some decent points there.

  4. Lauree Raphael Steiner

    Good post! We are linking to this particularly great article on our site. Keep up the good writing.

  5. Shayna Thebault Georglana

    I’m grateful for the post. Really thank you! Keep writing.

  6. Nice article, I enjoyed it. Thanks, guys.

  7. Darrell White

    I find it useful...

  8. Well organised information and very useful. Thanks for sharing this article. Thanks Linux Gurus.