红帽全球峰会1.2. Configuring BIND as a caching DNS server
By default, the BIND DNS server resolves and caches successful and failed lookups. The service then answers requests to the same records from its cache. This significantly improves the speed of DNS lookups.
Prerequisites
- The IP address of the server is static.
Procedure
Install the
bindandbind-utilspackages:# dnf install bind bind-utilsIf you want to run BIND in a change-root environment install the
bind-chrootpackage:# dnf install bind-chrootNote that running BIND on a host with SELinux in
enforcingmode, which is default, is more secure.Edit the
/etc/named.conffile, and make the following changes in theoptionsstatement:Update the
listen-onandlisten-on-v6statements to specify on which IPv4 and IPv6 interfaces BIND should listen:listen-on port 53 { 127.0.0.1; 192.0.2.1; }; listen-on-v6 port 53 { ::1; 2001:db8:1::1; };Update the
allow-querystatement to configure from which IP addresses and ranges clients can query this DNS server:allow-query { localhost; 192.0.2.0/24; 2001:db8:1::/64; };Add an
allow-recursionstatement to define from which IP addresses and ranges BIND accepts recursive queries:allow-recursion { localhost; 192.0.2.0/24; 2001:db8:1::/64; };警告Do not allow recursion on public IP addresses of the server. Otherwise, the server can become part of large-scale DNS amplification attacks.
By default, BIND resolves queries by recursively querying from the root servers to an authoritative DNS server. Alternatively, you can configure BIND to forward queries to other DNS servers, such as the ones of your provider. In this case, add a
forwardersstatement with the list of IP addresses of the DNS servers that BIND should forward queries to:forwarders { 198.51.100.1; 203.0.113.5; };As a fall-back behavior, BIND resolves queries recursively if the forwarder servers do not respond. To disable this behavior, add a
forward only;statement.
Verify the syntax of the
/etc/named.conffile:# named-checkconfIf the command displays no output, the syntax is correct.
Update the
firewalldrules to allow incoming DNS traffic:# firewall-cmd --permanent --add-service=dns # firewall-cmd --reloadStart and enable BIND:
# systemctl enable --now namedIf you want to run BIND in a change-root environment, use the
systemctl enable --now named-chrootcommand to enable and start the service.
Verification
Use the newly set up DNS server to resolve a domain:
# dig @localhost www.example.org ... www.example.org. 86400 IN A 198.51.100.34 ;; Query time: 917 msec ...This example assumes that BIND runs on the same host and responds to queries on the
localhostinterface.After querying a record for the first time, BIND adds the entry to its cache.
Repeat the previous query:
# dig @localhost www.example.org ... www.example.org. 85332 IN A 198.51.100.34 ;; Query time: 1 msec ...Because of the cached entry, further requests for the same record are significantly faster until the entry expires.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}