
How to Create DNS Server in CentOS a Step by Step Guide


Yes, you can create a DNS server on CentOS by following these steps. This guide walks you through installing BIND, configuring forward and reverse zones, securing the server, testing DNS queries, and keeping everything running smoothly. You’ll learn how to set up a reliable, recursive DNS server for your network, including firewall and SELinux considerations, forwarders, backups, and monitoring. This is a practical, step-by-step approach you can follow today.

Useful URLs and Resources:

  • CentOS Project – centos.org
  • BIND DNS – isc.org
  • BIND 9 Administrator Reference – kb.isc.org
  • Red Hat Enterprise Linux / CentOS Documentation – access.redhat.com
  • DNSSEC Basics – isc.org/documents/dnssec

Prerequisites

  • A CentOS server version 7, 8, or Stream with a static IP address. Dynamic IPs complicate DNS consistency.
  • Root or sudo access.
  • Basic networking knowledge: firewall rules, SELinux context basics, and zone delegation concepts.
  • A domain you control for testing (e.g., example.com) and the subdomains you’ll configure.
  • Optional but recommended: separate machine or VM for backups and monitoring.

What you’ll have after this section:

  • A stable foundation for BIND with proper permissions, a sane firewall policy, and a test domain set up.
  • A plan for backups and monitoring so you don’t lose DNS data or go offline silently.

Install BIND and Utilities on CentOS

This step varies a bit by CentOS version.

  • For CentOS 7:

    sudo yum update -y
    sudo yum install bind bind-utils -y
    
  • For CentOS 8 or CentOS Stream 9/10:

    sudo dnf update -y
    sudo dnf install bind bind-utils -y
    

Verify the installation:

named -v
dig -v

What this gives you:

  • The BIND DNS server (named) and utilities such as dig for testing.

Plan Your DNS Architecture

Before you touch configuration files, decide:

  • Do you want to be an authoritative server, a recursive resolver for clients, or both? This guide focuses on a small, self-managed authoritative server with optional recursive capabilities for your internal network.
  • Forwarders: Do you want to forward unresolved queries to public resolvers (e.g., 1.1.1.1, 8.8.8.8) for speed and reliability?
  • Access control: Which networks should be allowed to query your server? Start with localhost and your internal LAN.
  • Zone structure: Forward zones for your domains (e.g., example.com) and reverse zones (PTR records) for your IP range.

Having a plan helps keep your config tidy and reduces the chance of misconfigurations that break resolution.


Configure BIND: Core Files and Zones

  1. Basic options in /etc/named.conf (the path may vary slightly; on some setups it is /etc/named/named.conf)

Create a strong starting options block. This example uses a private LAN, 192.168.50.0/24, for recursion and restricts queries to that network (adjust as needed):

options {
  directory "/var/named";

  // 192.168.50.1 is this server's LAN address; list every address named should bind to.
  listen-on port 53 { 127.0.0.1; 192.168.50.1; };
  listen-on-v6 { any; };

  // Recurse only for localhost and the internal LAN. When allow-recursion is not set,
  // BIND derives it from allow-query (via allow-query-cache), so this list also bounds recursion.
  recursion yes;
  allow-query { localhost; 192.168.50.0/24; };

  // Forwarders for upstream DNS
  forwarders { 1.1.1.1; 8.8.8.8; };

  // Validate DNSSEC signatures on answers using BIND's built-in root trust anchor.
  // (dnssec-enable and dnssec-lookaside are obsolete and are rejected by BIND 9.16 and later.)
  dnssec-validation auto;

  auth-nxdomain no;
  empty-zones-enable yes;
};

// logging { ... } is a top-level statement: if you want custom channels, define it outside the options block.
  2. Define zones in named.conf for your domain and its reverse mapping. The reverse zone below covers 203.0.113.0/24, the block used by the forward zone's A records. Example:

zone "example.com" IN {
  type master;
  file "zones/db.example.com";
  allow-update { none; };
};

zone "113.0.203.in-addr.arpa" IN {
  type master;
  file "zones/db.203.0.113";
  allow-update { none; };
};

  3. Create the zone files under /var/named (the default directory). With the file paths used above, the zone files live in the following directory (create it if it does not exist):
    /var/named/zones/

Forward zone file: /var/named/zones/db.example.com

$TTL 86400
@   IN  SOA ns1.example.com. hostmaster.example.com. (
        2024061701 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        86400 )    ; minimum (negative caching TTL)
@   IN  NS  ns1.example.com.
ns1  IN  A   203.0.113.10
www  IN  A   203.0.113.20
mail IN  A   203.0.113.30

Reverse zone file: /var/named/zones/db.203.0.113

$TTL 86400
@   IN  SOA ns1.example.com. hostmaster.example.com. (
        2024061701 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        86400 )    ; minimum (negative caching TTL)
@   IN  NS  ns1.example.com.
10  IN  PTR ns1.example.com.
20  IN  PTR www.example.com.
30  IN  PTR mail.example.com.

Notes:

  • Use fully qualified domain names with trailing dots in SOA and NS records.
  • The serial in the SOA should be incremented whenever you change a zone file (the YYYYMMDDNN format is common).
  4. SELinux context and file permissions
  • Ensure the zone files have the proper SELinux context:
sudo restorecon -v /var/named/zones/*
  • If you add directories or files outside the default locations, label them with the zone-file type (named_zone_t) and restore contexts. The semanage tool comes from policycoreutils-python on CentOS 7 and policycoreutils-python-utils on CentOS 8/Stream:
sudo semanage fcontext -a -t named_zone_t "/var/named/zones(/.*)?"
sudo restorecon -R -v /var/named
  5. Start and enable the DNS service
sudo systemctl enable named
sudo systemctl start named
  6. Open DNS ports in the firewall
# The firewalld "dns" service covers both 53/udp and 53/tcp (TCP is needed for large answers and zone transfers)
sudo firewall-cmd --permanent --add-service=dns
sudo firewall-cmd --permanent --add-port=53/tcp   # redundant with the dns service, but harmless
sudo firewall-cmd --reload

Optional: if you’re testing from a different host, allow queries from that network on the firewall (adjust the network as needed):

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.50.0/24" port protocol="udp" port="53" accept'
sudo firewall-cmd --reload
  7. Test DNS data locally
dig @127.0.0.1 example.com
dig @127.0.0.1 www.example.com

If you see SERVFAIL or NXDOMAIN, double-check:

  • Zone file syntax (use named-checkzone to validate)
  • named.conf syntax (use named-checkconf)
  • Zone file path and permissions
  • SELinux context

Recursion, Forwarders, and Access Control

  • If you want your server to resolve external domains on behalf of internal clients, keep recursion enabled and use forwarders for speed and reliability:

    • Enable forwarders in the options block as shown above: forwarders { 1.1.1.1; 8.8.8.8; };
    • You can define a named ACL and reference it from allow-query if you prefer:
      acl internal-network {
        192.168.50.0/24;
        localhost;
      };
      options {
        allow-query { internal-network; };
      };
      
  • To stop outside clients from using your server as an open resolver, do not allow recursion for them:

    • Keep only your internal networks in the allow-query list as above and do not expose the server to the public internet.
  • DNSSEC: If you’re serious about security, enable DNSSEC for validation and consider signing your zones. This is optional for small internal setups but recommended for public-facing domains.


Monitoring, Backups, and Maintenance

  • Monitoring:

    • Check status:
      sudo systemctl status named
      
    • Check recent logs:
      sudo journalctl -u named -n 100 --no-pager
      
    • Validate zone syntax on every change:
      sudo named-checkconf
      sudo named-checkzone example.com /var/named/zones/db.example.com
      
  • Backups:

    • Regularly back up zone files and the main config:
      sudo rsync -av /var/named/zones/ /backup/named/zones/
      sudo rsync -av /etc/named.conf /backup/named/
      
    • Consider a simple nightly backup with an offsite copy or cloud storage for disaster recovery.
  • Maintenance tips:

    • Update the system and BIND regularly to patch vulnerabilities:
      sudo yum update -y   # CentOS 7
      sudo dnf update -y   # CentOS 8/Stream
      
    • Increment the SOA serial after each change (YYYYMMDDNN).
  • Performance improvements:

    • Cache memory tuning is optional for large installations; start with default and monitor; adjust as needed.
    • Consider enabling views or split-horizon DNS if you have different internal vs. external users.
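The serial rotation and validate-on-every-change tips above (and the serial note in the zone-file section) as one added shell script, not part of the original guide: next_serial computes the next YYYYMMDDNN serial, bump_zone_serial rewrites it in a zone file, and deploy_zone refuses to reload a zone that fails named-checkzone. Function names are my own; GNU sed is assumed for in-place editing, and only deploy_zone needs BIND's tools on PATH.

```shell
#!/bin/sh
# Added example, not from the original guide: rotate a YYYYMMDDNN SOA serial,
# validate the zone, and reload it. Only deploy_zone needs BIND's tools
# (named-checkzone, rndc); the other functions are plain text handling.
# Assumes GNU sed for in-place editing.

# next_serial CURRENT [TODAY]: print the next serial in YYYYMMDDNN form.
next_serial() {
    cur=$1
    today=${2:-$(date -u +%Y%m%d)}
    if [ "$cur" -lt "${today}00" ]; then
        echo "${today}00"                 # first change today
    elif [ "${cur%??}" = "$today" ]; then
        nn=$(printf '%s' "${cur#"$today"}" | sed 's/^0//')   # NN without its leading zero (octal trap)
        if [ "$nn" -ge 99 ]; then
            echo "next_serial: $cur already uses today's last slot (99)" >&2
            return 1
        fi
        printf '%s%02d\n' "$today" $((nn + 1))
    else
        echo $((cur + 1))                 # serial is ahead of the clock: just keep it increasing
    fi
}

# bump_zone_serial FILE [TODAY]: replace the "; serial" value in FILE and print the new one.
bump_zone_serial() {
    zone_file=$1
    cur=$(sed -n 's/^[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;[[:space:]]*serial.*/\1/p' "$zone_file" | head -n 1)
    [ -n "$cur" ] || { echo "bump_zone_serial: no '; serial' line in $zone_file" >&2; return 1; }
    new=$(next_serial "$cur" "${2:-}") || return 1
    sed -i "s/^\([[:space:]]*\)$cur\([[:space:]]*;[[:space:]]*serial\)/\1$new\2/" "$zone_file"
    echo "$new"
}

# deploy_zone ZONE FILE: bump the serial, refuse to load a zone that fails validation, then reload.
deploy_zone() {
    zone=$1; zone_file=$2
    new=$(bump_zone_serial "$zone_file") || return 1
    named-checkzone "$zone" "$zone_file" || return 1
    rndc reload "$zone" && echo "$zone reloaded with serial $new"
}

# Usage: ./deploy-zone.sh example.com /var/named/zones/db.example.com
if [ $# -eq 2 ]; then
    deploy_zone "$1" "$2"
fi
```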

Security Considerations and Hardening

  • Block queries from the public internet if you don’t intend to serve public domains. Use tight allow-query rules and network ACLs.
  • Use strong file permissions on zone files and the named.conf:
    • chown root:named /etc/named.conf
    • chmod 640 /etc/named.conf
    • zone files should be readable by named and owned by root or named appropriately.
  • SELinux: Keep SELinux enabled, but if you run into permission issues, use the correct context commands (see the SELinux notes above).
  • Regularly audit the DNS server for unauthorized zone transfers:
    • In named.conf, set:
      allow-transfer { none; }; // or limit to specific secondary servers only
      
  • For public servers, consider DNS over TLS or DNS over HTTPS for clients, though that adds complexity beyond the basic setup.
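The zone-transfer audit suggested above as an added shell script, not part of the original guide: it scans named's log for transfers that started to a host that is not one of your listed secondaries (a sign that allow-transfer is too loose) and for transfer attempts that named denied. The line shapes follow BIND's xfer-out and security log messages; the sample lines and function names are my own constructions, so adjust the patterns if your logging configuration differs.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit BIND's log for zone
# transfers. It reports (a) transfers that started to a client outside the
# allowed secondaries, which means allow-transfer is too loose, and (b) transfer
# attempts named denied, which are worth knowing about even when blocked.
# Line shapes follow named's xfer-out/security messages; the sample is constructed.

# write_sample_log FILE: constructed log lines used for a stand-alone run.
write_sample_log() {
    cat > "$1" <<'EOF'
20-Jun-2024 10:15:02.123 xfer-out: info: client @0x7f3c1c0a5e60 192.168.50.2#42817 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024061701)
20-Jun-2024 10:15:02.130 xfer-out: info: client @0x7f3c1c0a5e60 192.168.50.2#42817 (example.com): transfer of 'example.com/IN': AXFR ended
20-Jun-2024 10:15:31.510 queries: info: client @0x7f3c1c0a6f00 192.168.50.20#5123 (www.example.com): query: www.example.com IN A +E(0) (192.168.50.1)
20-Jun-2024 10:16:40.004 security: info: client @0x7f3c1c0b2a10 198.51.100.7#51002 (example.com): zone transfer 'example.com/AXFR/IN' denied
20-Jun-2024 10:17:05.880 xfer-out: info: client @0x7f3c1c0b3c40 203.0.113.9#60211 (example.com): transfer of 'example.com/IN': IXFR started (serial 2024061701)
EOF
}

# audit_transfers LOGFILE ALLOWED_IP...: print one line per finding; return 1 if there are any.
audit_transfers() {
    logfile=$1; shift
    allowed=" $* "
    findings=0
    # Normalise each relevant line to "KIND IP ZONE"; everything else is dropped.
    # A heredoc (rather than a pipe) keeps the counter in this shell.
    while read -r kind ip zone; do
        [ -n "$kind" ] || continue
        if [ "$kind" = STARTED ]; then
            case $allowed in *" $ip "*) continue ;; esac   # an expected secondary
            echo "UNEXPECTED transfer of $zone to $ip"
        else
            echo "DENIED transfer attempt for $zone from $ip"
        fi
        findings=$((findings + 1))
    done <<EOF
$(sed -n \
    -e "s/.*client \(@0x[0-9a-f]* \)\{0,1\}\([^ ]*\)#[0-9]* (\([^)]*\)): transfer of '[^']*': .*XFR started.*/STARTED \2 \3/p" \
    -e "s/.*client \(@0x[0-9a-f]* \)\{0,1\}\([^ ]*\)#[0-9]* (\([^)]*\)): zone transfer '[^']*' denied.*/DENIED \2 \3/p" \
    "$logfile")
EOF
    [ "$findings" -eq 0 ]
}

# Usage: ./audit-transfers.sh /var/named/data/named.run 192.168.50.2 [more secondaries...]
if [ $# -gt 0 ]; then
    audit_transfers "$@"
fi
```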

Common Troubleshooting Scenarios

  • SERVFAIL on a zone:

    • Check the serial number increments after changes.
    • Run named-checkzone to validate the zone file syntax.
    • Ensure the zone file path in named.conf is correct and readable by named.
  • NXDOMAIN for a known host:

    • Verify the A/AAAA/CNAME records exist in the forward zone file.
    • Confirm the correct zone file is loaded and not shadowed by another zone.
  • Port 53 blocked by firewall:

    • Recheck firewall rules and ensure both UDP and TCP 53 are open.
    • Check if another firewall between you and the DNS server is blocking traffic.
  • SELinux denies zone file access:

    • Check audit logs: sudo ausearch -m avc -ts recent
    • Restore contexts or adjust SELinux booleans as needed.
  • Slow resolution or timeouts:

    • Test with dig from multiple clients to confirm consistency.
    • Check for forwarder reachability and upstream DNS reliability.
    • Look at the server load and memory usage; DNS is usually light, but misconfigs can create loops or heavy logging.

Advanced Topics If You Need More

  • DNS over TLS (DoT) or DNS over HTTPS (DoH) for clients.
  • DNSSEC signing and zone key management for public domains.
  • Split-horizon DNS: separate internal and external views with different zone data.
  • Redundancy: set up a second DNS server (a secondary, or slave) for high availability, with zone transfers enabled to that secondary server only.
  • Dynamic DNS: if you have devices that change IPs, consider secure dynamic DNS updates with a signed key.

Frequently Asked Questions

What is a DNS server?

A DNS server translates human-friendly domain names into IP addresses. It can be authoritative for domains you control, providing the definitive answer for those domains, or recursive, resolving queries on behalf of clients by querying other servers.

What is BIND?

BIND (Berkeley Internet Name Domain) is the most widely used DNS software on the internet. It’s powerful, flexible, and highly configurable for both authoritative and recursive DNS.

Can I run a DNS server on CentOS for my home network?

Yes. A small CentOS server can handle typical home network DNS needs, including internal domain resolution, caching, and basic forwarding to upstream resolvers.

Do I need a domain to run a DNS server?

For an authoritative server, you should own a domain or subdomain. You can still run a recursive cache on your CentOS box without owning a domain, but you won’t be authoritative for any domain you don’t control.

How do I test my DNS server locally?

Use the dig tool to query your server:

  • dig @127.0.0.1 example.com
  • dig @localhost example.com
  • dig @127.0.0.1 www.example.com

How do I restrict who can query my DNS server?

In named.conf, tighten the allow-query option to include only your trusted networks (e.g., your LAN). Avoid exposing your server to the public internet if you don’t intend to host public domains.

How do I add a new domain to my server?

Create a new zone in named.conf, then add a corresponding forward zone file with SOA, NS, and A/AAAA records. Update the serial number and reload the service.

How do I configure reverse DNS PTR records?

Create a reverse zone file under /var/named and map IP addresses back to hostnames. This is useful for mail servers and logging clarity.

What’s the difference between a recursive resolver and an authoritative server?

  • A recursive resolver answers queries for clients by querying other DNS servers and caching the results.
  • An authoritative server holds the actual DNS records for a domain and provides definitive answers for that domain.

How do I ensure high availability for DNS?

Set up at least two DNS servers (primary and secondary) with zone transfers between them. Use monitoring and alerting to catch failures quickly, and consider geographic distribution for resilience.

Can I enable DNSSEC on CentOS with BIND?

Yes, BIND supports DNSSEC. You’ll need to enable DNSSEC in named.conf, sign your zones, and manage DNSSEC keys. This adds integrity protections for responses.

How often should I back up DNS data?

Backups should be performed whenever zone data changes (serial increments) and on a regular schedule (daily or weekly) to protect zone files and the server configuration.


If you’re ready, fire up your CentOS box, follow these steps, and you’ll have a solid, maintainable DNS server up and running. This setup is practical for small teams, labs, or home networks, with room to grow into more advanced configurations as your needs evolve.
