Install DNS Server


===============How to set up a primary DNS server using CentOS=============

1 Installing Packages
# yum install bind bind-utils
# yum install bind bind-chroot

2 Preparing a Configuration File


# cp /usr/share/doc/bind-*/sample/etc/named.rfc1912.zones /etc/named.conf
(Use the sample directory of the bind version actually installed — bind-9.8.2 is the CentOS 6 package. This copy only gives you a starting file: step 3 replaces its contents completely, and named.rfc1912.zones is brought back in by the "include" at the end of that file. A second hand-maintained copy at /var/named/chroot/etc/named.conf is not needed on CentOS 6/7: bind-chroot bind-mounts /etc/named.conf into the chroot when the service starts — confirm with `mount | grep chroot` after starting it — so keep and edit only the /etc copy.)

3 Edit the configuration
# vi /etc/named.conf
(With bind-chroot installed the file is bind-mounted into /var/named/chroot/etc/ when the service starts, so edit the /etc copy only. Maintaining two copies by hand is how the chroot ends up serving a stale, differently-secured configuration.)

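//
// named.conf -- primary (master) server for napas.local, 172.31.20.10
//
// Derived from the Red Hat sample named.conf. This server is AUTHORITATIVE
// for napas.local and the reverse zones below, and is also the RECURSIVE
// resolver for the internal networks (their resolv.conf points here), so
// recursion stays enabled but is restricted to those networks only.
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

// Networks allowed to query, and to recurse through, this server. One list
// for both so they cannot drift apart. 10.3.247.0/24 is included because this
// server is authoritative for 247.3.10.in-addr.arpa (the HSM hosts live
// there); the two DNS servers themselves are included because they use each
// other as resolvers (see /etc/resolv.conf in step 5).
acl "internal" {
	localhost;
	172.31.20.10;
	172.31.20.11;
	10.3.243.0/24;
	10.3.245.0/24;
	10.3.247.0/24;
	10.3.249.0/24;
	10.1.252.0/24;
};

// Hosts allowed a full zone transfer (AXFR/IXFR): the secondary only. A zone
// transfer hands out the complete host inventory, so never widen this list.
acl "secondaries" {
	172.31.20.11;
};

options {
	listen-on port 53 { 127.0.0.1; 172.31.20.10; };
	listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";

	// The secondary's SOA refresh checks are ordinary queries and are gated
	// by allow-query, not allow-transfer, so it must be allowed here too
	// (it is, through the "internal" acl).
	allow-query { internal; };
	allow-transfer { localhost; secondaries; };

	// Internal clients use this server as their resolver, so recursion is
	// needed -- but "allow-recursion { any; }" (as originally written) makes
	// an open resolver that gets used in DNS amplification attacks and is
	// easier to cache-poison. Restrict it to the same internal networks.
	// External names are resolved iteratively from the root hints below, so
	// this host needs outbound 53/udp+tcp to the Internet for that to work.
	recursion yes;
	allow-recursion { internal; };

	// Validate DNSSEC-signed answers for external names. The root trust
	// anchor comes from /etc/named.root.key, included at the end of this
	// file. The .local zones served here are unsigned and authoritative,
	// so validation does not affect them.
	dnssec-enable yes;
	dnssec-validation yes;
	// dnssec-lookaside (ISC DLV) is obsolete: the DLV registry has been
	// shut down and current BIND releases reject the option.
	// dnssec-lookaside auto;
	/* Path to ISC DLV key -- only read by the "auto" modes above */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};

// Root hints; required because recursion runs without forwarders.
zone "." IN {
	type hint;
	file "named.ca";
};

// Authoritative zones. Data is static (allow-update none): edit the zone
// file, bump its serial, then reload named (rndc reload). notify/also-notify
// push each change to the secondary at once instead of waiting for its
// refresh timer.
zone "napas.local" IN {
	type master;
	file "/etc/named/forward.napas.local";
	allow-update { none; };
	notify yes;
	also-notify { 172.31.20.11; };
};

zone "252.1.10.in-addr.arpa" IN {
	type master;
	file "/etc/named/napas.local.vlan252.reverse";
	allow-update { none; };
	notify yes;
	also-notify { 172.31.20.11; };
};

zone "243.3.10.in-addr.arpa" IN {
	type master;
	file "/etc/named/napas.local.vlan243.reverse";
	allow-update { none; };
	notify yes;
	also-notify { 172.31.20.11; };
};

zone "245.3.10.in-addr.arpa" IN {
	type master;
	file "/etc/named/napas.local.vlan245.reverse";
	allow-update { none; };
	notify yes;
	also-notify { 172.31.20.11; };
};

zone "247.3.10.in-addr.arpa" IN {
	type master;
	file "/etc/named/napas.local.vlan247.reverse";
	allow-update { none; };
	notify yes;
	also-notify { 172.31.20.11; };
};

zone "249.3.10.in-addr.arpa" IN {
	type master;
	file "/etc/named/napas.local.vlan249.reverse";
	allow-update { none; };
	notify yes;
	also-notify { 172.31.20.11; };
};

// Localhost/loopback zones shipped by the bind package, and the root trust
// anchor used by dnssec-validation above.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";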

4 Preparing Zone Files


# cp /usr/share/doc/bind-9.8.2/sample/var/named/named.* /var/named/
# cp /usr/share/doc/bind-9.8.2/sample/var/named/named.* /var/named/chroot/var/named

# vi /etc/named/forward.napas.local
(This is the path given in the "file" statement of the napas.local zone in named.conf; with the chroot active the same file is visible under /var/named/chroot/etc/named/. The "lab.com.forward" path in the original is a leftover from a different tutorial.)
; Forward zone for napas.local (primary copy; the secondary pulls it by AXFR).
; The data is static -- allow-update is "none" in named.conf -- so changes are
; made by editing this file, bumping the serial and reloading named.
$TTL 86400
@ IN SOA dns-master.napas.local. root.napas.local. (
2011071001 ;Serial - must increase on every edit (YYYYMMDDnn convention) or the secondary keeps its old copy
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL (negative-caching TTL)
)
; NOTE(review): only the primary is published as NS. The secondary that
; named.conf transfers to (172.31.20.11) has no NS or A record here, so nothing
; that follows NS records will ever use it; add both records for it.
@ IN NS dns-master.napas.local.
@ IN A 172.31.20.10
dns-master IN A 172.31.20.10
; Host records. Several names share an address (e.g. 10.3.243.14, 10.3.243.39,
; 10.1.252.8, 10.3.245.107); the reverse zones carry one PTR per address.
switch-ist IN A 10.1.252.69
switch-istdb IN A 10.3.243.39
switch-ips-ist1 IN A 10.1.252.60
switch-ips-ist2 IN A 10.1.252.61
switch-ips-ist3 IN A 10.1.252.62
switch-ips-vcb IN A 10.1.252.63
ibft-ips IN A 10.1.252.20
ibft-ws IN A 10.1.252.21
ibft-core IN A 10.1.252.16
ibft-gw IN A 10.1.252.15
switch-gw IN A 10.1.252.8
switchgw IN A 10.1.252.8
switch-dbips IN A 10.3.243.14
ibft-db IN A 10.3.243.14
switch-dbgw IN A 10.3.243.14
switch-hsm1 IN A 10.3.247.9
switch-hsm2 IN A 10.3.247.11
switch-dbmonitor IN A 10.3.243.249
switch-monitor IN A 10.3.249.10
ibft-monitor IN A 10.3.249.21
switch-baocao IN A 10.3.245.107
switch-trasoat IN A 10.3.245.107
switch-bcqt IN A 10.3.245.109
switch-ftp IN A 10.3.245.133
ctkt IN A 10.3.245.100
citad IN A 10.3.245.84
switch-db-backend IN A 10.3.243.12
db-ecom IN A 10.3.243.43
istdb-gds IN A 10.3.243.39

# vi /etc/named/napas.local.vlan243.reverse
(The path from the 243.3.10.in-addr.arpa "file" statement in named.conf. The vlan245, vlan247, vlan249 and vlan252 reverse files declared there are built the same way from the forward zone's A records. The "lab.com.reverse" path in the original is a leftover from a different tutorial.)
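; Reverse zone for 10.3.243.0/24 (243.3.10.in-addr.arpa).
; Each owner name is the last octet of the address; the PTR target is the
; forward name WITH a trailing dot -- without it BIND appends the zone origin
; and the record silently becomes "<name>.243.3.10.in-addr.arpa.".
$TTL 86400
@ IN SOA dns-master.napas.local. root.napas.local. (
2011071001 ;Serial - must increase on every edit
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
@ IN NS dns-master.napas.local.
@ IN PTR napas.local.
; (The original "dns-master IN A 172.31.20.10" line is dropped: an A record has
;  no meaning inside an in-addr.arpa zone, and dns-master is already defined in
;  the forward zone.)
39 IN PTR switch-istdb.napas.local.
; 10.3.243.14 has three forward names (switch-dbips, ibft-db, switch-dbgw);
; a single canonical PTR is the usual choice.
14 IN PTR switch-dbips.napas.local.
12 IN PTR switch-db-backend.napas.local.
249 IN PTR switch-dbmonitor.napas.local.
; db-ecom is 10.3.243.43 in the forward zone. The original line read
; "243 IN PTR db-ecom.napas.local" -- the subnet octet instead of the host
; octet, and no trailing dot.
43 IN PTR db-ecom.napas.local.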

5 Finalizing
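# --- 5 Finalizing (primary) ---
# The zone files and their directory must be readable by the named group;
# the primary never writes them (allow-update is none), so no write access.
# chgrp named /etc/named/forward.napas.local
# chgrp named /etc/named/
# Syntax-check the configuration and EVERY master zone before starting: a
# zone that fails to parse is simply not served (named logs it and carries on).
# named-checkconf /etc/named.conf
# named-checkzone napas.local /etc/named/forward.napas.local
# named-checkzone 243.3.10.in-addr.arpa /etc/named/napas.local.vlan243.reverse
#   (repeat for the vlan245 / vlan247 / vlan249 / vlan252 reverse files;
#    the original "named-checkzone lab.com /var/named/lab.com.reverse" line
#    checked a zone this server does not have)
# Firewall: DNS needs 53/udp AND 53/tcp. Zone transfers to the secondary and
# any answer too large for one UDP packet (AXFR, DNSSEC-signed responses) use
# TCP, so a UDP-only rule leaves the secondary unable to sync.
# CentOS 6 (iptables service):
# iptables -I INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# iptables -I INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# service iptables save
# service iptables start
# CentOS 7 (firewalld -- do not stop it, just open the service):
# firewall-cmd --permanent --add-service=dns && firewall-cmd --reload
# If the interface is reachable from outside the networks listed in
# allow-query, add "-s <network>" (or a firewalld rich rule) so port 53 is
# only exposed to them.
# Point this host at itself, with the secondary as fallback.
# vi /etc/resolv.conf
nameserver 172.31.20.10
nameserver 172.31.20.11
# Enable and start the service with ONE init family, not both (the original
# mixed systemctl, service and chkconfig):
# CentOS 7 (systemd; with bind-chroot installed the unit is named-chroot):
# systemctl enable named && systemctl start named
# CentOS 6 (SysV):
# chkconfig named on && service named start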

Do not disable firewalld to make the server reachable: DNS only needs port 53 open (UDP for ordinary queries, TCP for zone transfers and large answers). On CentOS 7, where firewalld is the front end to netfilter, open the service instead of stopping the firewall:

# firewall-cmd --permanent --add-service=dns
# firewall-cmd --reload

Only if you deliberately manage raw iptables rules yourself (as in step 5) should firewalld be stopped — `systemctl stop firewalld` / `systemctl disable firewalld` — and then those iptables rules are the only filter left on this host, so they must be saved and loaded at boot.

SELinux does not need to be disabled for BIND. The bind policy shipped with CentOS lets named read /etc/named.conf and /etc/named/ and write zone data under /var/named/ (data/, dynamic/, slaves/). The denial this tutorial runs into is almost certainly the secondary writing its transferred zone files into /etc/named/, which the policy treats as configuration rather than zone data; keep the secondary's "file" paths under /var/named/slaves/ (or relabel the directory) and look at `ausearch -m avc -ts recent` before reaching for SELINUX=disabled. If you still decide to turn it off, the setting lives in /etc/sysconfig/selinux (takes effect after a reboot):

# vi /etc/sysconfig/selinux
[...]
SELINUX=disabled
[...]

Prefer SELINUX=permissive while diagnosing — denials are then logged rather than silently allowed forever.

6 Testing DNS
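# --- 6 Testing DNS ---
# Zone transfer: run this ON THE SECONDARY (172.31.20.11) -- it must print the
# whole zone. Run the same command from any other internal host: it must end
# with "Transfer failed." If a client can pull the zone, allow-transfer on the
# primary is not restricted.
# dig @172.31.20.10 napas.local AXFR
# Forward lookups through the resolver configured in /etc/resolv.conf:
# dig napas.local
# dig switch-ftp.napas.local
# Reverse lookup of an address that has a PTR in the vlan243 file
# (the original used 10.3.243.10, which has no PTR there and returns NXDOMAIN):
# dig -x 10.3.243.39
# No MX records are defined in the zone above, so this answers with an empty
# ANSWER section and the SOA in AUTHORITY -- expected, not an error:
# dig napas.local mx
# Open-resolver check: from a host OUTSIDE the allow-recursion networks a
# query for an external name must return "status: REFUSED". If it is answered,
# the server is an open resolver and will be used for amplification attacks.
# dig @172.31.20.10 www.example.com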

=============How to set up a secondary DNS server in CentOS=====================


1 Installing Packages
# yum install bind bind-utils
# yum install bind bind-chroot

2 Preparing a Configuration File


# cp /usr/share/doc/bind-*/sample/etc/named.rfc1912.zones /etc/named.conf
(As on the primary: use the sample directory of the installed bind version, and edit only the /etc copy — bind-chroot bind-mounts it into /var/named/chroot/ when the service starts, so a second copy at /var/named/chroot/etc/named.conf is not needed.)

3 Preparing Configuration File for Zone Transfers


# vi /etc/named.conf
(Edit this copy only; see the note in the primary's step 3 about the chroot bind-mount.)
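//
// named.conf -- secondary (slave) server for napas.local, 172.31.20.11
//
// Derived from the Red Hat sample named.conf. This server holds transferred
// copies of the zones owned by the primary (172.31.20.10) and, like the
// primary, acts as the recursive resolver for the internal networks.
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

// Networks allowed to query, and to recurse through, this server; the same
// list as on the primary, including the two DNS servers themselves.
acl "internal" {
	localhost;
	172.31.20.10;
	172.31.20.11;
	10.3.243.0/24;
	10.3.245.0/24;
	10.3.247.0/24;
	10.3.249.0/24;
	10.1.252.0/24;
};

options {
	listen-on port 53 { 127.0.0.1; 172.31.20.11; };
	listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";

	allow-query { internal; };
	// BIND's default when allow-transfer is absent is "any". The original
	// left the statement commented out, so every client could dump the
	// complete zones from the secondary even though the primary restricted
	// transfers. Nothing pulls zones from this server, so deny all.
	allow-transfer { none; };

	// Recursion is needed (clients use this server as resolver) but must be
	// limited to the internal networks; "any" would make an open resolver.
	// Without forwarders, external names are resolved from the root hints,
	// which requires outbound 53/udp+tcp to the Internet.
	recursion yes;
	allow-recursion { internal; };

	// Validate DNSSEC-signed answers for external names using the root trust
	// anchor from /etc/named.root.key (included at the end of this file).
	dnssec-enable yes;
	dnssec-validation yes;
	// dnssec-lookaside (ISC DLV) is obsolete: the DLV registry has been
	// shut down and current BIND releases reject the option.
	// dnssec-lookaside auto;
	/* Path to ISC DLV key -- only read by the "auto" modes above */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	// Optional upstream forwarders for names outside napas.local. Left
	// disabled; if you enable forwarding, prefer your organisation's
	// resolvers over public ones so internal query patterns stay internal.
	/*forwarders {
		8.8.8.8;
		8.8.4.4;
	};
	*/
};

logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};

// Root hints; required because recursion runs without forwarders.
zone "." IN {
	type hint;
	file "named.ca";
};

// Slave zones: named fetches them from the primary and WRITES the files named
// below itself (so the named user needs write access to that directory, see
// step 4). NOTE(review): with SELinux enforcing, named is normally only
// permitted to write zone data under /var/named (e.g. /var/named/slaves/),
// not under /etc/named; keeping these paths here is what forces the
// "disable SELinux" step later on -- moving them is the better fix.
zone "napas.local" IN {
	type slave;
	file "/etc/named/forward.napas.local";
	masters { 172.31.20.10; };
	// Store this copy as plain text so it can be inspected directly
	// (slave zones are otherwise kept in BIND's raw format by default on
	// BIND 9.9 and later).
	masterfile-format text;
};

zone "252.1.10.in-addr.arpa" IN {
	type slave;
	file "/etc/named/napas.local.vlan252.reverse";
	masters { 172.31.20.10; };
};

zone "243.3.10.in-addr.arpa" IN {
	type slave;
	file "/etc/named/napas.local.vlan243.reverse";
	masters { 172.31.20.10; };
};

zone "245.3.10.in-addr.arpa" IN {
	type slave;
	file "/etc/named/napas.local.vlan245.reverse";
	masters { 172.31.20.10; };
};

zone "247.3.10.in-addr.arpa" IN {
	type slave;
	file "/etc/named/napas.local.vlan247.reverse";
	masters { 172.31.20.10; };
};

zone "249.3.10.in-addr.arpa" IN {
	type slave;
	file "/etc/named/napas.local.vlan249.reverse";
	masters { 172.31.20.10; };
};

// Localhost/loopback zones shipped by the bind package, and the root trust
// anchor used by dnssec-validation above.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";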

4 Finalizing Installation
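# --- 4 Finalizing Installation (secondary) ---
# Unlike the primary, this server WRITES the zone files it transfers, so the
# directory holding them must be owned by the named user. (The chgrp of
# forward.napas.local in the original is pointless here: the file does not
# exist until the first transfer has completed.)
# chown -R named:named /etc/named/
# NOTE(review): with SELinux enforcing, named is normally only allowed to
# write zone data under /var/named (e.g. /var/named/slaves/); writing into
# /etc/named is what drives the "disable SELinux" advice further down. Prefer
# pointing the slave "file" paths in named.conf there instead.
# Check the configuration only: there are no zone files to named-checkzone
# before the first transfer (verify the transferred copies in step 5).
# named-checkconf /etc/named.conf
# Firewall: 53/udp for queries, 53/tcp for transfers and large answers.
# CentOS 6 (iptables service):
# iptables -I INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# iptables -I INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# service iptables save
# service iptables start
# CentOS 7 (firewalld -- open the service rather than stopping the firewall):
# firewall-cmd --permanent --add-service=dns && firewall-cmd --reload
# Resolver: the primary first, this host second. The original listed
# 172.31.13.10 / 172.31.13.11, which matches no other address in this
# document -- confirm the intended servers.
# vi /etc/resolv.conf
nameserver 172.31.20.10
nameserver 172.31.20.11
# Enable and start the service with ONE init family, not both:
# CentOS 7 (systemd; with bind-chroot installed the unit is named-chroot):
# systemctl enable named && systemctl start named
# CentOS 6 (SysV):
# chkconfig named on && service named start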

5. Verify Zone File Replicated from Master


# named-compilezone -f raw -F text -o forward.napas.local.text napas.local forward.napas.local
(Run from the directory holding the slave files. Because the napas.local zone is declared with "masterfile-format text", that file is already readable as plain text and the conversion is only needed for the reverse zones, which BIND 9.9 and later store in raw format on a secondary by default. The simplest check is `dig @172.31.20.11 napas.local SOA` — the serial must match the primary's.)

==============================Setting DNS on Client======================


$ vi /etc/resolv.conf
search napas.local
nameserver 172.31.20.10
nameserver 172.31.20.11
(The "tecmintlocal.com" / 192.168.0.x values in the original come from an unrelated tutorial. Clients must use the domain and server addresses configured above, and their source addresses must fall inside the networks listed in allow-query / allow-recursion — otherwise every query is answered REFUSED.)
