CentOS 7.2 BIND config issues...

Ben Hart
I'm setting up a private BIND server in a lab; this box will not be available from the outside.

So: an updated CentOS 7.2 and whatever version of BIND is in the latest repos. I'm following the instructions here: https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-centos-7

/etc/named.conf
[root@dns-dhcp dns]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl "trusted" {
	192.168.100.9;	#dns-dhcp
	192.168.100.10;	#workstation
	192.168.100.8;	#spacewalk
};
options {
	listen-on port 53 { 127.0.0.1; 192.168.100.9; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query     { trusted; };

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named/named.conf.local";



/etc/named/named.conf.local

[root@dns-dhcp dns]# cd /etc/named
[root@dns-dhcp named]# ls
named.conf.local  zones
[root@dns-dhcp named]# cat named.conf.local 
zone "jinxed.com"  {
	type master;
	file "/etc/named/zones/db.jinxed.com";
};

zone "100.168.192.in-addr.arpa" {
	type master;
	file "/etc/named/zones/db.192.168.100"; # 192.168.100.0/24 subnet
	};



/etc/named/zones/db.192.168.100

[root@dns-dhcp zones]# cat db.192.18.100 
@	IN	SOA	dns-dhcp.jinxed.com. admin.dns-dhcp.jinxed.com. (
	3	;	Serial
	604800	;	Refresh
	86400	;	Retry
	2419200	;	Expire
	604800 )	;	Negative Cache TTL

;	names server - NS records
.9	IN	PTR	dns-dhcp.jinxed.com.	;	192.168.100.9



/etc/named/zones/db.jinxed.com

[root@dns-dhcp zones]# cat db.jinxed.com 
$TTL	604800
@	IN	SOA	dns-dhcp.jinxed.com. admin.dns-dhcp.jinxed.com. (
		4	;	Serial
		604800	;	Refresh
		86400	;	Retry
		2419200	;	Expire
		608400	)	;	Negative Cache TTL
;
;	name servers - NS records
	IN	NS	dns-dhcp.jinxed.com.

;	name servers - A records
	dns-dhcp.jinxed.com.	IN	A	192.168.100.9




The BIND server is 192.168.100.9.
So after all of this, when I try to check my conf files:

[root@dns-dhcp zones]# named-checkzone "jinxed.com" /etc/named/zones/db.jinxed.com
/etc/named/zones/db.jinxed.com:13: unknown RR type 'dns-dhcp.jinxed.com.'
zone jinxed.com/IN: loading from master file /etc/named/zones/db.jinxed.com failed: unknown class/type
zone jinxed.com/IN: not loaded due to errors.



[root@dns-dhcp zones]# named-checkzone "100.168.192" /etc/named/zones/db.192.168.100
/etc/named/zones/db.192.168.100:1: no TTL specified; using SOA MINTTL instead
dns_master_load: /etc/named/zones/db.192.168.100:9: empty label
zone 100.168.192/IN: loading from master file /etc/named/zones/db.192.168.100 failed: empty label
zone 100.168.192/IN: not loaded due to errors.



What am I doing wrong here?
Distinguished Expert 2017

Commented:
you do not need a .9
9 IN PTR dns-dhcp.jinxed.com. is what is needed
the zone name is not 192.168.100 it is as you entered in the config 100.168.192.in-addr.arpa

the .9 translates into
.9.100.168.192.in-addr.arpa

make the change to the db.192.168.100 and run
rndc reload zone 100.168.192.in-addr.arpa
Distinguished Expert 2017

Commented:
The entry must start at the beginning of the line. When you space it, it presumes the local zone as the initial and then treats the rest as though it is a record.
dns-dhcp.jinxed.com. IN A 192.168.100.9

Author

Commented:
[root@dns-dhcp dns]# rndc reload zone 100.168.192.in-addr.arpa
rndc: connect failed: 127.0.0.1#953: connection refused
[root@dns-dhcp dns]# 



This is what I get...

Distinguished Expert 2017

Commented:
You did not define rndc related entries in your config, rndc-key, etc.......
Rndc is a tool to manage/access named with such items as having named reprocess named.conf for new additions or removal without the delay encountered when named is reloaded, stopped restarted along with the granular control of having named reprocess an individual zone change....

You should have /etc/rndc.conf with the private key to the public entry in named.conf ....

Author

Commented:
I also tried restarting named:

ar 29 09:13:03 dns-dhcp.jinxed.com bash[27569]: zone localhost/IN: loaded serial 0
Mar 29 09:13:03 dns-dhcp.jinxed.com bash[27569]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Mar 29 09:13:03 dns-dhcp.jinxed.com bash[27569]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Mar 29 09:13:03 dns-dhcp.jinxed.com bash[27569]: zone 0.in-addr.arpa/IN: loaded serial 0
Mar 29 09:13:03 dns-dhcp.jinxed.com bash[27569]: /etc/named/zones/db.jinxed.com:13: unknown RR type 'dns-dhcp.jinxed.com.'
Mar 29 09:13:03 dns-dhcp.jinxed.com bash[27569]: zone jinxed.com/IN: loading from master file /etc/named/zones/db.jinxed.com failed: unknown class/type
Mar 29 09:13:03 dns-dhcp.jinxed.com bash[27569]: zone jinxed.com/IN: not loaded due to errors.
Mar 29 09:13:03 dns-dhcp.jinxed.com bash[27569]: _default/jinxed.com/IN: unknown class/type
Mar 29 09:13:03 dns-dhcp.jinxed.com bash[27569]: zone 100.168.192.in-addr.arpa/IN: has no NS records
Mar 29 09:13:03 dns-dhcp.jinxed.com bash[27569]: zone 100.168.192.in-addr.arpa/IN: not loaded due to errors.
Mar 29 09:13:03 dns-dhcp.jinxed.com bash[27569]: _default/100.168.192.in-addr.arpa/IN: bad zone
Mar 29 09:13:03 dns-dhcp.jinxed.com systemd[1]: named.service: control process exited, code=exited status=1
Mar 29 09:13:03 dns-dhcp.jinxed.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
-- Subject: Unit named.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit named.service has failed.
-- 
-- The result is failed.
Mar 29 09:13:03 dns-dhcp.jinxed.com systemd[1]: Unit named.service entered failed state.
Mar 29 09:13:03 dns-dhcp.jinxed.com systemd[1]: named.service failed.


Author

Commented:
Ok I fixed part of the 100.168.192 entry

-- Unit named.service has begun starting up.
Mar 29 09:20:27 dns-dhcp.jinxed.com bash[27590]: zone localhost.localdomain/IN: loaded serial 0
Mar 29 09:20:27 dns-dhcp.jinxed.com bash[27590]: zone localhost/IN: loaded serial 0
Mar 29 09:20:27 dns-dhcp.jinxed.com bash[27590]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0
Mar 29 09:20:27 dns-dhcp.jinxed.com bash[27590]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Mar 29 09:20:27 dns-dhcp.jinxed.com bash[27590]: zone 0.in-addr.arpa/IN: loaded serial 0
Mar 29 09:20:27 dns-dhcp.jinxed.com bash[27590]: /etc/named/zones/db.jinxed.com:13: unknown RR type 'dns-dhcp.jinxe
Mar 29 09:20:27 dns-dhcp.jinxed.com bash[27590]: zone jinxed.com/IN: loading from master file /etc/named/zones/db.j
Mar 29 09:20:27 dns-dhcp.jinxed.com bash[27590]: zone jinxed.com/IN: not loaded due to errors.
Mar 29 09:20:27 dns-dhcp.jinxed.com bash[27590]: _default/jinxed.com/IN: unknown class/type
Mar 29 09:20:27 dns-dhcp.jinxed.com bash[27590]: zone 100.168.192.in-addr.arpa/IN: loaded serial 4
Mar 29 09:20:27 dns-dhcp.jinxed.com systemd[1]: named.service: control process exited, code=exited status=1
Mar 29 09:20:27 dns-dhcp.jinxed.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
-- Subject: Unit named.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit named.service has failed.
-- 
-- The result is failed.
Mar 29 09:20:27 dns-dhcp.jinxed.com systemd[1]: Unit named.service entered failed state.
Mar 29 09:20:27 dns-dhcp.jinxed.com systemd[1]: named.service failed.



I'll look up the configuring of rndc.
Distinguished Expert 2017

Commented:
Use rndc-confgen to get the requisite entries to get rndc working ...



The error points to missing
ns records in the reverse zone.
In the jinxed zone, all entries must start in the first position of the line. A space is presumed to be the zone name, i.e. in jinxed.com
www IN A 1.2.3.4 ; defines a www record in the zone
 www IN A 1.2.3.4 ; is interpreted as jinxed.com. www IN A 1.2.3.4, which generates an error because www is not a valid record definition/class
www A 1.2.3.4 ; will work, as IN will be implicit.

Strip out the spaces on the dns-dhcp A record definition.
Add NS records to all your zones if missing.
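Added example, not code from the question or from either answer: a small Python model of the master-file parsing rules the expert describes (column-1 owner names, inherited owner on indented lines, relative names getting the origin appended, apex NS required). It reproduces all three errors from this thread at once on constructed, shortened copies of the two zone files; the function names are assumptions, the SOA is collapsed to one line so line numbers differ from the originals, and named-checkzone remains the authoritative check.

```python
KNOWN_TYPES = {"SOA", "NS", "A", "AAAA", "PTR", "CNAME", "MX", "TXT"}

def logical_lines(text):
    # Strip ';' comments and join '( ... )' groups (the multi-line SOA record).
    buf, start, depth = [], 1, 0
    for n, raw in enumerate(text.splitlines(), 1):
        code = raw.split(";", 1)[0]
        start = start if buf else n
        buf.append(code)
        depth += code.count("(") - code.count(")")
        if depth <= 0:
            yield start, " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0

def check_zone(text, origin):
    """Return the errors this model of named-checkzone finds (empty list: OK)."""
    errors, owner, has_ns = [], origin, False
    for lineno, line in logical_lines(text):
        if not line.strip() or line.lstrip().startswith("$"):
            continue
        tokens = line.split()
        if not line[0].isspace():  # column 1 holds an explicit owner name
            owner = tokens.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                if owner.startswith("."):  # ".9" in the thread: leading empty label
                    errors.append(f"{lineno}: empty label")
                    continue
                owner = f"{owner}.{origin}"  # relative name: origin is appended
        # Leading whitespace reuses the previous owner; a hostname there reads as a type.
        if tokens and tokens[0].isdigit():
            tokens.pop(0)
        if tokens and tokens[0].upper() in {"IN", "CH", "HS"}:
            tokens.pop(0)
        rrtype = tokens[0].upper() if tokens else ""
        if rrtype not in KNOWN_TYPES:
            errors.append(f"{lineno}: unknown RR type '{tokens[0] if tokens else ''}'")
            continue
        has_ns |= owner == origin and rrtype == "NS"
    if not has_ns:
        errors.append("has no NS records")
    return errors

# Constructed, shortened copies of the thread's two zone files (SOA on one line).
BROKEN_REVERSE = ("@ IN SOA dns-dhcp.jinxed.com. admin.dns-dhcp.jinxed.com. ( 3 1 1 1 1 )\n"
                  ".9 IN PTR dns-dhcp.jinxed.com. ; 192.168.100.9\n")
BROKEN_FORWARD = ("@ IN SOA dns-dhcp.jinxed.com. admin.dns-dhcp.jinxed.com. ( 4 1 1 1 1 )\n"
                  "\tIN NS dns-dhcp.jinxed.com.\n"
                  "\tdns-dhcp.jinxed.com. IN A 192.168.100.9\n")
```

Calling check_zone(BROKEN_FORWARD, "jinxed.com.") reports the indented A record as an unknown RR type, and check_zone(BROKEN_REVERSE, "100.168.192.in-addr.arpa.") reports both the empty label and the missing NS record; moving the A record to column 1 and using "9" instead of ".9" clears them.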

Author

Commented:
I got it..

Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: automatic empty zone: 127.100.IN-ADDR.ARPA
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: automatic empty zone: 127.IN-ADDR.ARPA
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: automatic empty zone: 254.169.IN-ADDR.ARPA
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: automatic empty zone: D.F.IP6.ARPA
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: automatic empty zone: 8.E.F.IP6.ARPA
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: automatic empty zone: 9.E.F.IP6.ARPA
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: automatic empty zone: A.E.F.IP6.ARPA
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: automatic empty zone: B.E.F.IP6.ARPA
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: command channel listening on 127.0.0.1#953
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: command channel listening on ::1#953
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: managed-keys-zone: loaded serial 0
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: zone 0.in-addr.arpa/IN: loaded serial 0
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: zone jinxed.com/IN: loaded serial 4
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arp
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: zone localhost.localdomain/IN: loaded serial 0
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: zone 100.168.192.in-addr.arpa/IN: loaded serial 4
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: zone localhost/IN: loaded serial 0
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: all zones loaded
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: running
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: error (network unreachable) resolving './DNSKEY/IN': 2001:500:1::803f:235#53
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: error (network unreachable) resolving './NS/IN': 2001:500:1::803f:235#53
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: error (network unreachable) resolving './DNSKEY/IN': 2001:500:3::42#53
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: error (network unreachable) resolving './NS/IN': 2001:500:3::42#53
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: error (network unreachable) resolving './DNSKEY/IN': 2001:dc3::35#53
Mar 29 09:23:16 dns-dhcp.jinxed.com named[27614]: error (network unreachable) resolving './NS/IN': 2001:dc3::35#53
Mar 29 09:23:16 dns-dhcp.jinxed.com systemd[1]: Started Berkeley Internet Name Domain (DNS).
-- Subject: Unit named.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit named.service has finished starting up.
-- 
-- The start-up result is done.

