How to compile and install BIND Caching Server on RHEL 7 - nomorespice/rhel7-howto GitHub Wiki
BIND (Berkeley Internet Name Domain), or named, is the most widely used Domain Name System (DNS) software on the Internet. It can be configured to perform a variety of DNS roles, the two most common being authoritative and recursive. This procedure will guide you through compiling BIND from source and installing it on a Red Hat Enterprise Linux 7 server.
This document assumes that:
- you installed the RHEL 7 x64 Operating System according to How to install RHEL 7 via kickstart
- you are performing these tasks as root
- you are performing these tasks in order, as some tasks require others to be completed first
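#!/usr/bin/env bash
# Build BIND 9.11 from source and prepare a chroot tree under /opt/named.
# Run as root, in order. Strict mode applies when this listing is saved and
# run as a script; drop the `set` line if pasting into an interactive shell.
set -euo pipefail

# gcc/make/wget for the build, gnupg2 for the tarball signature check and
# policycoreutils-python for semanage (used further down).
yum -y install gcc make wget gnupg2 python-ply.noarch openssl-devel.x86_64 policycoreutils-python
mkdir -p /var/src
cd /var/src

# Fetch the tarball together with ISC's detached signature and verify it
# before anything is built. ISC's release-signing public key must already be
# in root's GPG keyring (obtain it from isc.org out of band); under set -e a
# failed verification stops the procedure here.
bind_ver=9.11.20
wget -q "https://ftp.isc.org/isc/bind9/cur/9.11/bind-${bind_ver}.tar.gz"
wget -q "https://ftp.isc.org/isc/bind9/cur/9.11/bind-${bind_ver}.tar.gz.asc"
gpg --verify "bind-${bind_ver}.tar.gz.asc" "bind-${bind_ver}.tar.gz"
tar -xzf "bind-${bind_ver}.tar.gz"
cd "bind-${bind_ver}"
./configure
make
make install

# Chroot tree. Device nodes are only created when missing so the steps can be
# re-run without failing on an existing node.
mkdir -p /opt/named/conf /opt/named/etc /opt/named/logs /opt/named/dev /opt/named/var/run
cp /etc/localtime /opt/named/etc/localtime
[[ -c /opt/named/dev/null ]]    || mknod /opt/named/dev/null c 1 3
[[ -c /opt/named/dev/zero ]]    || mknod /opt/named/dev/zero c 1 5
[[ -c /opt/named/dev/random ]]  || mknod /opt/named/dev/random c 1 8
[[ -c /opt/named/dev/urandom ]] || mknod /opt/named/dev/urandom c 1 9
# NOTE(review): the nodes keep whatever mode mknod gave them (umask-dependent);
# confirm the named user can still open them after the permission pass later on.

# Unprivileged service account with no interactive login; guarded for re-runs.
getent group named >/dev/null  || groupadd named
getent passwd named >/dev/null || useradd -g named -d /opt/named -s /sbin/nologin named
passwd -l named

touch /opt/named/logs/named-query.log \
  /opt/named/logs/named-security.log \
  /opt/named/logs/named-rate-limit.log
touch /var/log/named.log

# rsyslog: listen on a socket inside the chroot and route named's messages to
# their own file. The heredoc delimiter is quoted, so the body is written
# verbatim: a backslash before "$" would land in the file literally and rsyslog
# would not recognise the directive.
/bin/cat <<\EOT >/etc/rsyslog.d/15-named.conf
$AddUnixListenSocket /opt/named/dev/log
if $programname == 'named' then /var/log/named.log
& stop
EOT
# Register the file context first, let rsyslog create the socket, then label it:
# restorecon can only relabel a path that exists. "-m" handles a re-run where the
# rule is already present.
semanage fcontext -a -t devlog_t '/opt/named/dev/log' 2>/dev/null \
  || semanage fcontext -m -t devlog_t '/opt/named/dev/log'
systemctl restart rsyslog
restorecon -v '/opt/named/dev/log'
# NOTE(review): rsyslog recreates the socket on each restart; check whether the
# label survives that, otherwise the restorecon needs repeating after restarts.

# Rotate named.log with the rest of syslog; skipped if the entry already exists.
grep -qF -- '/var/log/named.log' /etc/logrotate.d/syslog \
  || sed -i '/\/var\/log\/messages/ a \/var\/log\/named.log' /etc/logrotate.d/syslog

# rndc control key, owned by the named user (-u), linked to where rndc and the
# chrooted named.conf look for it.
rndc-confgen -a -c /opt/named/etc/rndc.key -r /dev/urandom -u named
ln -sfn /opt/named/etc/rndc.key /usr/local/etc/rndc.key
ln -sfn /opt/named/etc/rndc.key /etc/rndc.key
touch /opt/named/var/run/named.pid /opt/named/var/run/named.stats /opt/named/var/run/named.db
# Root hints fetched directly from a root server (requires outbound DNS).
dig +bufsize=1200 +norec NS . @a.root-servers.net > /opt/named/conf/db.rootcache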
Notes on this named.conf configuration:
- RFC 1918 bogon query access has been disabled (except 10.0.0.0/8, which is assumed to be "internal")
- Only internal 10.0.0.0/8 IP addresses can successfully query this service
- The BIND named service runs "chrooted" in the /opt/named directory
- IPv6 has been disabled
- RRL (Response Rate Limiting) has been enabled
- DNSSEC (Domain Name System Security Extensions) has been disabled
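# Caching-only named.conf for the chrooted server. Every path inside the file is
# relative to the chroot root (/opt/named); "/etc/rndc.key" resolves to
# /opt/named/etc/rndc.key once named has chrooted.
/bin/cat <<\EOT >/opt/named/etc/named.conf
acl "bogon" {
0.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
192.0.0.0/24;
192.0.2.0/24;
192.168.0.0/16;
198.51.100.0/24;
203.0.113.0/24;
224.0.0.0/3;
};
acl "internal" {
10.0.0.0/8;
localhost;
};
include "/etc/rndc.key";
controls { inet 127.0.0.1 allow { 127.0.0.1; } keys { rndc-key; }; };
options {
directory "/conf";
pid-file "/var/run/named.pid";
statistics-file "/var/run/named.stats";
dump-file "/var/run/named.db";
zone-statistics yes;
recursive-clients 4000;
version none;
allow-query { internal; };
allow-recursion { internal; };
listen-on-v6 { none; };
max-udp-size 1220;
edns-udp-size 1220;
interface-interval 0;
blackhole { bogon; };
allow-transfer {"none";};
managed-keys-directory "/conf";
rate-limit { responses-per-second 40; ipv4-prefix-length 32; };
dnssec-enable no;
dnssec-validation no;
};
logging {
channel default_syslog { syslog local2; severity info; };
channel dns_security { file "/logs/named-security.log" versions 3 size 10m; severity info; print-time yes; };
category security { dns_security; };
channel dns_queries { file "/logs/named-query.log" versions 5 size 200m; severity dynamic; print-time yes; };
category queries { dns_queries; };
channel rate_limiting_log { file "/logs/named-rate-limit.log" versions 3 size 50m; severity info; print-time yes; };
category rate-limit { rate_limiting_log; default_debug; };
channel junk { null; };
category lame-servers { null; };
category update { null; };
category update-security { null; };
category edns-disabled { null; };
};
zone "." in { type hint; file "db.rootcache"; };
EOT
ln -sfn /opt/named/etc/named.conf /etc/named.conf

# Ownership and modes. Baseline: root owns everything, group named can read,
# plain files carry no execute bit. find -exec replaces "find | xargs" so that
# unusual file names cannot be split into separate arguments.
chown -R root:named /opt/named/.
find /opt/named/. -type f -exec chmod u=rw,og=r -- {} +
find /opt/named/. -type d -exec chmod u=rwx,og=rx -- {} +
# The config and the rndc key must not be world-readable: the key authenticates
# control-channel commands (reload/stop), and the blanket pass above leaves
# every file with o=r. Group read is enough for the named user to load both.
chmod o= /opt/named/etc/*.conf /opt/named/etc/rndc.key
chown root:root /opt/named/var/
chmod u=rwx,og=x /opt/named/var/
# named (user named, group named) rewrites the pid/stats/dump files and the
# logs; group write on the directory and the files suffices, no execute bit.
chown root:named /opt/named/var/run/
chmod ug=rwx,o=rx /opt/named/var/run/
chmod ug=rw,o=r /opt/named/var/run/*
chown root:named /opt/named/logs/
chmod ug=rwx,o=rx /opt/named/logs/
chmod ug=rw,o=r /opt/named/logs/*
# conf/ is the working directory and managed-keys-directory, so named owns it;
# directories stay traversable/writable, files are data only.
chown -R named:named /opt/named/conf/
find /opt/named/conf/ -type d -exec chmod ug=rwx,o=rx -- {} +
find /opt/named/conf/ -type f -exec chmod ug=rw,o=r -- {} +

# systemd unit. Locally written units belong in /etc/systemd/system (reserved
# for the administrator); /usr/lib/systemd/system is for vendor packages.
# named daemonizes unless started with -f, so Type=forking is the mode that
# matches this ExecStart and makes PIDFile meaningful: with Type=simple the
# parent's exit would be treated as the service ending. daemon-reload makes
# the new unit visible before it is enabled.
/bin/cat <<\EOT >/etc/systemd/system/named.service
[Unit]
Description=Berkeley Internet Name Domain (DNS)
After=network.target
[Service]
Type=forking
PIDFile=/opt/named/var/run/named.pid
ExecStartPre=/bin/bash -c '/usr/local/sbin/named-checkconf -t /opt/named -z /etc/named.conf'
ExecStart=/usr/local/sbin/named -4 -t /opt/named -u named -c /etc/named.conf
ExecReload=/bin/sh -c '/usr/local/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecStop=/bin/sh -c '/usr/local/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOT
systemctl daemon-reload
systemctl enable named
systemctl start named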