How to compile and install BIND Caching Server on RHEL 7 - nomorespice/rhel7-howto GitHub Wiki

BIND (Berkeley Internet Name Domain), or named, is the most widely used Domain Name System (DNS) software on the Internet. It can be configured to perform a variety of DNS roles, the two most common being authoritative and recursive modes. This procedure guides you through compiling BIND from source and installing it as a caching (recursive) server on a Red Hat Enterprise Linux 7 server.

This document assumes that:

  • you installed the RHEL 7 x64 Operating System according to How to install RHEL 7 via kickstart
  • you are performing these tasks as root
  • you are performing these tasks in order, as some tasks require others to be completed first

Install required software

yum -y install python-ply.noarch openssl-devel.x86_64

Download, compile and install the BIND software

mkdir /var/src
cd /var/src
wget -q https://ftp.isc.org/isc/bind9/cur/9.11/bind-9.11.20.tar.gz
tar -zxvf bind-9.11.20.tar.gz
cd bind-9.11.20
./configure
make
make install

Build the base file and directory structure under /opt

mkdir -p /opt/named
mkdir /opt/named/conf
mkdir /opt/named/etc
cp /etc/localtime /opt/named/etc/localtime
mkdir /opt/named/logs
mkdir /opt/named/dev
mknod /opt/named/dev/null c 1 3
mknod /opt/named/dev/zero c 1 5
mknod /opt/named/dev/random c 1 8
mknod /opt/named/dev/urandom c 1 9
mkdir -p /opt/named/var/run

Create the named user and group

groupadd named
useradd -g named -d /opt/named -s /sbin/nologin named
passwd -l named

Setup the named logging infrastructure

touch /opt/named/logs/named-query.log
touch /opt/named/logs/named-security.log
touch /opt/named/logs/named-rate-limit.log
touch /var/log/named.log

/bin/cat <<\EOT >/etc/rsyslog.d/15-named.conf
$AddUnixListenSocket /opt/named/dev/log
if $programname == 'named' then /var/log/named.log
& stop
EOT

semanage fcontext -a -t devlog_t '/opt/named/dev/log'
restorecon -v '/opt/named/dev/log'

systemctl restart rsyslog

sed -i '/\/var\/log\/messages/ a \/var\/log\/named.log' /etc/logrotate.d/syslog

Create the rndc (remote name daemon control) key file and associated links

rndc-confgen -a -c /opt/named/etc/rndc.key -r /dev/urandom -u named
ln -s /opt/named/etc/rndc.key /usr/local/etc/rndc.key
ln -s /opt/named/etc/rndc.key /etc/rndc.key

Create the associated named temporary files

touch /opt/named/var/run/named.pid
touch /opt/named/var/run/named.stats
touch /opt/named/var/run/named.db

Build the root hints file

dig +bufsize=1200 +norec NS . @a.root-servers.net > /opt/named/conf/db.rootcache

Create the main named configuration file

Note for this named.conf configuration:

  • RFC 1918 bogon query access has been disabled (except 10.0.0.0/8, which is assumed to be "internal")
  • Only internal 10.0.0.0/8 IP addresses can successfully query this service
  • The BIND named service runs "chrooted" in the /opt/named directory
  • IPv6 has been disabled
  • RRL (Response Rate Limiting) has been enabled
  • DNSSEC (Domain Name System Security Extensions) has been disabled

/bin/cat <<\EOT >/opt/named/etc/named.conf
acl "bogon" {
  0.0.0.0/8;
  169.254.0.0/16;
  172.16.0.0/12;
  192.0.0.0/24;
  192.0.2.0/24;
  192.168.0.0/16;
  198.51.100.0/24;
  203.0.113.0/24;
  224.0.0.0/3;
};

acl "internal" {
  10.0.0.0/8;
  localhost;
};

include "/etc/rndc.key";
controls { inet 127.0.0.1 allow { 127.0.0.1; } keys { rndc-key; }; };

options {
  directory "/conf";
  pid-file "/var/run/named.pid";
  statistics-file "/var/run/named.stats";
  dump-file "/var/run/named.db";
  zone-statistics yes;
  recursive-clients 4000;
  version none;
  allow-query { internal; };
  allow-recursion { internal; };
  listen-on-v6 { none; };
  max-udp-size 1220;
  edns-udp-size 1220;
  interface-interval 0;
  blackhole { bogon; };
  allow-transfer {"none";};
  managed-keys-directory "/conf";
  rate-limit { responses-per-second 40; ipv4-prefix-length 32; };
  dnssec-enable no;
  dnssec-validation no;
};

logging {
  channel default_syslog { syslog local2; severity info; };
  channel dns_security { file "/logs/named-security.log" versions 3 size 10m; severity info; print-time yes; };
  category security { dns_security; };
  channel dns_queries { file "/logs/named-query.log" versions 5 size 200m; severity dynamic; print-time yes; };
  category queries { dns_queries; };
  channel rate_limiting_log { file "/logs/named-rate-limit.log" versions 3 size 50m; severity info; print-time yes; };
  category rate-limit { rate_limiting_log; default_debug; };
  channel junk { null; };
  category lame-servers { null; };
  category update { null; };
  category update-security { null; };
  category edns-disabled { null; };
};

zone "." in { type hint; file "db.rootcache"; };
EOT

ln -s /opt/named/etc/named.conf /etc/named.conf
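Before starting the service it is worth confirming that the settings the notes above rely on (hidden version, recursion and queries limited to the internal ACL, transfers disabled, bogon blackhole, RRL) actually made it into named.conf, since a single commented-out line turns this caching server into an open resolver. The audit helper below is an added example and is not part of the original wiki page or of BIND; the function and sample file names are assumptions, and it only inspects the text of a named.conf (run named-checkconf for syntax).

```bash
#!/bin/bash
# Added example (not from the wiki page): text audit of a named.conf for the
# hardening settings this procedure expects. Usage:
#   audit_named_conf /opt/named/etc/named.conf
# Exit status is the number of findings (0 = all expected settings present).

# audit_named_conf FILE: print one line per finding, return the finding count
audit_named_conf() {
  conf="$1"
  findings=0
  # Strip // and # comments so a commented-out setting is not counted as present.
  stripped=$(sed -e 's://.*$::' -e 's:#.*$::' "$conf")

  # check PATTERN MESSAGE: report MESSAGE when PATTERN does not occur in the config
  check() {
    if ! printf '%s\n' "$stripped" | grep -Eq "$1"; then
      echo "MISSING: $2"
      findings=$((findings + 1))
    fi
  }

  check 'version[[:space:]]+none;'                           'version none (hides the BIND version)'
  check 'allow-recursion[[:space:]]*\{[^}]*\};'             'allow-recursion restricted to an ACL'
  check 'allow-transfer[[:space:]]*\{[[:space:]]*"?none"?;' 'allow-transfer none'
  check 'rate-limit[[:space:]]*\{'                           'rate-limit (RRL) block'
  check 'blackhole[[:space:]]*\{'                            'blackhole ACL for bogon space'

  # Open-resolver check: "any" or 0.0.0.0/0 inside allow-query or allow-recursion.
  if printf '%s\n' "$stripped" | grep -Eq 'allow-(recursion|query)[[:space:]]*\{[^}]*(any|0\.0\.0\.0/0)'; then
    echo "RISK: queries or recursion allowed from any address (open resolver)"
    findings=$((findings + 1))
  fi

  echo "$findings finding(s)"
  return "$findings"
}

# write_open_resolver_sample FILE: constructed example of a weak options block,
# included only so the audit can be exercised without a real server.
write_open_resolver_sample() {
  cat >"$1" <<'EOF'
options {
  directory "/conf";
  allow-query { any; };
  allow-recursion { any; };  // version none;
};
EOF
}

# When run directly with a path argument, audit that file.
if [ "$#" -gt 0 ]; then
  audit_named_conf "$1"
fi
```

Against the named.conf produced by this procedure the audit reports 0 findings; against the constructed open-resolver sample it reports the missing settings plus the RISK line, and the non-zero exit status makes it usable as an ExecStartPre-style guard.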

Set the appropriate permissions on all directories and files

chown -R root:named /opt/named/.
find /opt/named/. -type f -print | xargs chmod u=rw,og=r
find /opt/named/. -type d -print | xargs chmod u=rwx,og=rx

chmod o= /opt/named/etc/*.conf

chown root:root  /opt/named/var/
chmod u=rwx,og=x /opt/named/var/
chown root:named  /opt/named/var/run/
chmod ug=rwx,o=rx /opt/named/var/run/
chmod ug=rwx,o=rx /opt/named/var/run/*

chown root:named  /opt/named/logs/
chmod ug=rwx,o=rx /opt/named/logs/
chmod ug=rwx,o=rx /opt/named/logs/*

chown -R named:named  /opt/named/conf/
chmod -R ug=rwx,o=rx /opt/named/conf/
chmod -R ug=rwx,o=rx /opt/named/conf/*

Build, enable and start the named systemd service

/bin/cat <<\EOT >/usr/lib/systemd/system/named.service
[Unit]
Description=Berkeley Internet Name Domain (DNS)
After=network.target

[Service]
Type=simple
PIDFile=/opt/named/var/run/named.pid
ExecStartPre=/bin/bash -c '/usr/local/sbin/named-checkconf -t /opt/named -z /etc/named.conf'
ExecStart=/usr/local/sbin/named -4 -f -t /opt/named -u named -c /etc/named.conf
ExecReload=/bin/sh -c '/usr/local/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecStop=/bin/sh -c '/usr/local/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOT

systemctl enable named
systemctl start named
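Once the service is running, the dns_queries channel configured above writes one line per query to /opt/named/logs/named-query.log. The helper below, an added example that is not part of the original wiki page or of BIND, summarises that log to show which clients generate the most queries (the ones most likely to trip the responses-per-second limit) and what a given client asked for. The function names are assumptions and the sample log lines are constructed in the BIND 9.11 query-log format; point the functions at the real file on a live server.

```bash
#!/bin/bash
# Added example (not from the wiki page): summarise the BIND query log written
# by the dns_queries channel. Usage:
#   top_query_clients /opt/named/logs/named-query.log 10
#   query_names_from 10.20.30.40 /opt/named/logs/named-query.log

# top_query_clients LOGFILE [N]: print "count client-ip" for the N busiest clients
top_query_clients() {
  awk '
    / query: / {
      # The client appears as ip#port (after the @0x... address token in 9.11).
      for (i = 1; i <= NF; i++)
        if ($i ~ /^[0-9.]+#[0-9]+$/) { split($i, a, "#"); n[a[1]]++; break }
    }
    END { for (c in n) print n[c], c }' "$1" | sort -rn | head -n "${2:-10}"
}

# query_names_from CLIENT-IP LOGFILE: distinct names a single client queried
query_names_from() {
  awk -v ip="$1" '
    / query: / {
      for (i = 1; i <= NF; i++) if ($i == "query:") name = $(i + 1)
      if (index($0, " " ip "#") > 0) print name
    }' "$2" | sort -u
}

# write_sample_query_log FILE: constructed sample lines in the 9.11 query-log
# format (print-time yes), included so the helpers can be tried offline.
write_sample_query_log() {
  cat >"$1" <<'EOF'
24-Jun-2020 10:15:02.123 client @0x7f1a4c0b2e90 10.20.30.40#51234 (www.example.com): query: www.example.com IN A +E(0)K (10.1.1.53)
24-Jun-2020 10:15:02.456 client @0x7f1a4c0b2e90 10.20.30.40#51235 (www.example.com): query: www.example.com IN AAAA +E(0)K (10.1.1.53)
24-Jun-2020 10:15:03.001 client @0x7f1a4c0c1120 10.20.30.41#40001 (mail.example.com): query: mail.example.com IN MX +E(0)K (10.1.1.53)
24-Jun-2020 10:15:03.002 client @0x7f1a4c0b2e90 10.20.30.40#51236 (isc.org): query: isc.org IN ANY +E(0)K (10.1.1.53)
EOF
}

# When run directly with a log path, show the ten busiest clients.
if [ "$#" -gt 0 ]; then
  top_query_clients "$1" 10
fi
```

Because the log rotates at 200m with five versions kept, run the helpers over the rotated files too (named-query.log.0, .1, ...) when reconstructing activity over a longer window.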