Scenario
Primary DNS Server:
▪ Hostname: ns1.jamil.cloud
▪ Domain Name: jamil.cloud
▪ IP Address: 103.157.135.170
Secondary DNS Server:
▪ Hostname: ns2.jamil.cloud
▪ Domain Name: jamil.cloud
▪ IP Address: 103.157.135.172
Primary/Master DNS server Setup
To see the installed OS version, run:
cat /etc/*release
Disabling SELinux
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for
supporting access control security policies, including mandatory access controls.
In RHEL, CentOS, AlmaLinux and several derivatives, SELinux is enabled by default, but some
applications do not support this security mechanism. To make such applications function normally,
you have to disable or turn off SELinux. The two commands below switch it to permissive mode, in which
denials are logged but not enforced: the first edits /etc/selinux/config so the setting survives a reboot
(the anchored pattern changes only the SELINUX= line, not the commented examples in that file), and
setenforce 0 applies it to the running system immediately.
sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
setenforce 0
FIREWALL Configuration
First, check which zone is currently active and which interfaces belong to it.
firewall-cmd --get-active-zones
List the rules currently enabled in the active zone.
firewall-cmd --zone=public --list-all
Now open port 53 for both TCP and UDP so the DNS service is reachable (UDP carries ordinary queries, TCP carries large responses and zone transfers).
firewall-cmd --zone=public --permanent --add-port=53/tcp
firewall-cmd --zone=public --permanent --add-port=53/udp
Lastly, restart the firewall service.
service firewalld restart
Changing SSH port
Change the default SSH port to enhance system security.
Open the SSH configuration file:
vi /etc/ssh/sshd_config
Locate the line: #Port 22
Change the port as desired, for example: Port 2233
Save the changes and close the file.
Next, restart the service.
service sshd restart
Lastly, allow the customized SSH port through the firewall. Keep your current SSH session open until a new connection on port 2233 has been confirmed to work.
firewall-cmd --zone=public --permanent --add-port=2233/tcp
service firewalld restart
Date and Time
Ensure the date and time are correct on your running system.
To check the date and time, run:
timedatectl
If the date or time is wrong, adjust your time zone with the command below.
timedatectl set-timezone Asia/Dhaka
Then, confirm that the change has been made with the timedatectl command.
Set hostname and package update
hostnamectl set-hostname ns1.jamil.cloud
dnf update -y
Install & Configure BIND
dnf -y install bind bind-utils
Create a backup of the original file.
cp /etc/named.conf /etc/named.conf.ori
Open the main configuration file named.conf and change the parameters shown below. Compared with the stock file, the changes are the listen-on addresses, allow-query, allow-recursion together with the my_clients ACL it refers to, and the two zone definitions near the end. The acl statement has to appear before the options block that references it: BIND does not allow forward references to an ACL name, so named-checkconf would otherwise report my_clients as undefined.
// clients that may use this server as a recursive resolver
acl my_clients { 103.157.135.0/24; };
options {
    listen-on port 53 { 103.157.135.170; };
    listen-on-v6 port 53 { 2402:f500:3:2:250:56ff:fe81:89d2; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    // answer queries about our own zones from anywhere,
    // but recurse only for the local network
    allow-query { any; };
    // recursion no;
    allow-recursion { my_clients; };
    dnssec-validation yes;
    managed-keys-directory "/var/named/dynamic";
    geoip-directory "/usr/share/GeoIP";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
// Adding forward zone
zone "jamil.cloud" IN {
    type master;
    file "db.jamil.cloud";
    allow-update { none; };
};
// Adding Reverse zone
zone "135.157.103.in-addr.arpa" IN {
    type master;
    file "db.135.157.103.in-addr.arpa";
    allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
-----------------------------------------------------------------------
Zone Configuration
Zone files are kept in the /var/named/ directory.
Copy the existing sample zone files to the names you gave in named.conf, like the following:
cd /var/named/
cp named.localhost db.jamil.cloud
cp named.loopback db.135.157.103.in-addr.arpa
Configure Forward Zone file
Now open your forward zone file and change the records like the following:
vi /var/named/db.jamil.cloud
Configure Reverse Zone file
Now open your reverse zone file and change the records like the following:
vi /var/named/db.135.157.103.in-addr.arpa
Change group ownership so that named can read the new zone files
cd /var/named/
chgrp named db.jamil.cloud
chgrp named db.135.157.103.in-addr.arpa
Testing Configuration and starting service
named-checkconf -z /etc/named.conf
named-checkzone jamil.cloud /var/named/db.jamil.cloud
named-checkzone 135.157.103.in-addr.arpa /var/named/db.135.157.103.in-addr.arpa
Confirm that nothing else is already bound to port 53 before starting named (the command should list no sockets yet); run it again after the start to see named listening on the configured addresses.
ss -tulpn 'sport = :53'
systemctl enable named
systemctl start named
Secondary/Slave DNS server Setup
Prepare this server exactly as the primary was prepared in the steps above: check the installed OS version, set SELinux to permissive, open ports 53/tcp and 53/udp in the firewall, change the SSH port and allow it through the firewall, and verify the date and time zone with timedatectl.
Set hostname and package update
hostnamectl set-hostname ns2.jamil.cloud
dnf update -y
Install & Configure BIND
dnf -y install bind bind-utils
Create a backup of the original file.
cp /etc/named.conf /etc/named.conf.ori
Open the main configuration file named.conf and change the parameters shown below. The changes are the same as on the primary (listen-on addresses, allow-query, allow-recursion with the my_clients ACL, which must be declared before the options block that references it), except that both zones are declared as slave zones that pull their data from the primary's address into /var/named/slaves/.
// clients that may use this server as a recursive resolver
acl my_clients { 103.157.135.0/24; };
options {
    listen-on port 53 { 103.157.135.172; };
    listen-on-v6 port 53 { 2402:f500:3:2:250:56ff:fe81:89d2; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    allow-query { any; };
    // recursion no;
    allow-recursion { my_clients; };
    dnssec-validation yes;
    managed-keys-directory "/var/named/dynamic";
    geoip-directory "/usr/share/GeoIP";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
// Adding forward zone (transferred from the primary)
zone "jamil.cloud" IN {
    type slave;
    masters { 103.157.135.170; };
    file "slaves/db.jamil.cloud";
};
// Adding Reverse zone (transferred from the primary)
zone "135.157.103.in-addr.arpa" IN {
    type slave;
    masters { 103.157.135.170; };
    file "slaves/db.135.157.103.in-addr.arpa";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
-----------------------------------------------------------------------
Configure Master/Primary DNS for this slave/Secondary DNS
On the primary DNS server, change only the zone section of /etc/named.conf, like the following:
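The page does not reproduce the changed zone section. As an added example that is not from the original page, this is the usual change on ns1: allow-transfer limits zone transfers to the secondary's address instead of BIND's default policy, and also-notify makes ns2 refresh as soon as the serial changes. Everything else in each stanza is the page's own configuration.

```bind
// Zone section of /etc/named.conf on ns1 (primary) after adding ns2.
// allow-transfer: only 103.157.135.172 may request AXFR/IXFR of these zones.
// also-notify: optional once ns2 is listed as an NS record, because BIND
// notifies every NS of the zone by default; listing it here is explicit.
zone "jamil.cloud" IN {
    type master;
    file "db.jamil.cloud";
    allow-update { none; };
    allow-transfer { 103.157.135.172; };
    also-notify { 103.157.135.172; };
};

zone "135.157.103.in-addr.arpa" IN {
    type master;
    file "db.135.157.103.in-addr.arpa";
    allow-update { none; };
    allow-transfer { 103.157.135.172; };
    also-notify { 103.157.135.172; };
};

// On ns2 the same allow-transfer line belongs in each slave stanza, with
// { none; } or your own list, so the secondary does not hand out full
// copies of the zone to arbitrary clients either.
```

After reloading named on ns1 (rndc reload), a query for the zone's SOA from ns2 should return the same serial that ns1 answers with.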
Zone Configuration
On the secondary DNS server, zone files are kept in the /var/named/slaves/ directory. We don't need to
create zone files again; all zones of the master DNS are transferred to this slave server automatically.
Additionally, we need to list this secondary DNS server as an NS record in the zone, like the following:
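The forward and reverse zone files that the primary setup told you to edit, with the NS record for the secondary just mentioned already included, as an added example that is not from the original page. They are two separate files under /var/named on ns1, built from the scenario's hostnames and addresses; the SOA contact (hostmaster), serial and timer values are assumed.

```bind
; /var/named/db.jamil.cloud  (forward zone on the primary)
$TTL 86400
@   IN  SOA ns1.jamil.cloud. hostmaster.jamil.cloud. (
        2024010101  ; serial, assumed (YYYYMMDDnn); must increase on every edit
        3600        ; refresh: how often ns2 compares serials with ns1
        900         ; retry
        1209600     ; expire: ns2 stops answering if ns1 is unreachable this long
        86400 )     ; negative-cache TTL
; both servers are published, so resolvers and NOTIFY messages reach ns2 too
@       IN  NS  ns1.jamil.cloud.
@       IN  NS  ns2.jamil.cloud.
; address records for the name servers (addresses from the scenario)
ns1     IN  A   103.157.135.170
ns2     IN  A   103.157.135.172

; /var/named/db.135.157.103.in-addr.arpa  (reverse zone on the primary)
$TTL 86400
@   IN  SOA ns1.jamil.cloud. hostmaster.jamil.cloud. (
        2024010101  ; serial, assumed
        3600 900 1209600 86400 )
@       IN  NS  ns1.jamil.cloud.
@       IN  NS  ns2.jamil.cloud.
; the last octet of each address maps back to its hostname
170     IN  PTR ns1.jamil.cloud.
172     IN  PTR ns2.jamil.cloud.
```

Validate each file with named-checkzone (for example named-checkzone jamil.cloud /var/named/db.jamil.cloud) and raise the serial whenever you edit either file, otherwise ns2 never pulls the change.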
Testing Configuration and starting service
named-checkconf -z /etc/named.conf
Confirm that nothing else is already bound to port 53 before starting named, and run the same command again after the start to see named listening.
ss -tulpn 'sport = :53'
systemctl enable named
systemctl start named
Once named is running, the transfer of each zone from the primary is recorded in the log ("Transfer completed" entries in /var/named/data/named.run) and the zone files appear under /var/named/slaves/.
Logging for both Master and Slave DNS
By default, DNS logs are written to /var/named/data/named.run, the file named in the logging section of
/etc/named.conf. You can change this file name and location.