External, or public, DNS servers map hostnames to IP addresses and, in the case of PTR (known as "pointer" or "reverse") records, map the IP addresses to the hostname. This is an essential part of the Internet. It makes your mail server, web server, FTP server, or many other servers and services work as expected no matter where you are.
On a private network, particularly one for developing many systems, you can use your Rocky Linux workstation's /etc/hosts file to map a name to an IP address.
This will work for your workstation, but not for any other machine on your network. The best method to make things universally applied is to take some time out and create a local, private DNS server to handle this for all your machines.
If you were creating production-level public DNS servers and resolvers, this author would recommend the more robust PowerDNS authoritative and recursive DNS, which is installable on Rocky Linux servers. However, this document is for a local network that will not expose its DNS servers to the outside world. That is why the author chose bind for this example.
DNS separates services into authoritative and recursive servers. Current best practice is to run these two services separately, on separate hardware or in separate containers.
The authoritative server is the storage area for all IP addresses and host names, and the recursive server looks up addresses and host names. In the case of our private DNS server, the authoritative and the recursive server services will run together.
Before making changes to any configuration file, create a backup copy of the original installed working file, named.conf:

```bash
cp /etc/named.conf /etc/named.conf.orig
```
That will help in the future if the introduction of errors into the configuration file occurs. It is always a good idea to make a backup copy before making changes.
Edit the named.conf file. The author is using vi, but you can substitute your favorite command line editor:

```bash
vi /etc/named.conf
```

Turn off listening on the localhost. Do this by commenting out, with a "#" sign, these two lines in the "options" section. This shuts down any connection to the outside world.
This is helpful, particularly when you add this DNS server to your workstations, because you want the DNS server to respond only when the IP address requesting the service is local, and not to react if the server or service is on the Internet.
This way, the other configured DNS servers will take over nearly immediately to look up Internet-based services:

```
options {
    # listen-on port 53 { 127.0.0.1; };
    # listen-on-v6 port 53 { ::1; };
```
Finally, skip down to the bottom of the named.conf file and add a section for your network. Our example is "ourdomain", so substitute whatever you want to call your LAN hosts:

```
# primary forward and reverse zones
// forward zone
zone "ourdomain.lan" IN {
    type master;
    file "ourdomain.lan.db";
    allow-update { none; };
    allow-query { any; };
};

// reverse zone
zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "ourdomain.lan.rev";
    allow-update { none; };
    allow-query { any; };
};
```
You need to create two files in /var/named. You will edit these files whenever you add machines to your network that you want included in the DNS.
The first is the forward file, which maps hostnames to IP addresses. Again, our example is "ourdomain" here. Note that the IP of our local DNS is 192.168.1.136. Add hosts at the bottom of this file.

```bash
vi /var/named/ourdomain.lan.db
```
The file will look something like this when completed:
Add all the hosts and IP addresses you need and save your changes.
You also need a reverse file, which maps IP addresses back to hostnames. In this file each host line needs only the last octet of the host's IP address (in an IPv4 address, each number separated by a "." is an octet), the record type PTR, and the hostname.

```bash
vi /var/named/ourdomain.lan.rev
```
When completed, the file will look something like this:
Now that you have all of this added in and are preparing to restart your bind DNS server, let us explore some of the terminology used in these two files.
Just making things work is not good enough if you do not know what each term means, right?

- TTL stands for "Time To Live". The TTL tells a DNS server how long to keep a record in its cache before requesting a fresh copy. Here, the TTL at the top of the file is the default for all records unless you manually enter a specific TTL on a record. The default here is 86400 seconds, or 24 hours.
- IN stands for Internet. In this case, the Internet is not used; think of this as the Intranet instead.
- SOA stands for "Start Of Authority", that is, which server is the primary DNS server for the domain.
- NS stands for "name server".
- Serial is the value used by the DNS server to verify that the contents of the zone file are up to date.
- Refresh specifies how often a slave DNS server will request a zone transfer from the master.
- Retry specifies the length of time in seconds to wait before trying again after a failed zone transfer.
- Expire specifies how long a slave server will continue to answer queries for the zone when the master is unreachable.
- A is the host address, or forward record, and appears only in the forward file.
- PTR is the pointer record, better known as the "reverse" record, and appears only in the reverse file.
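The forward and reverse files above must agree with each other: every A record in ourdomain.lan.db should have a matching PTR in ourdomain.lan.rev, keyed on the last octet only. The script below is an added example, not part of the Rocky Linux guide: it derives the reverse zone from a constructed forward zone (the hosts "web" and "mail" and their addresses are made up; only 192.168.1.136 comes from the guide) and refuses an A record that does not belong to the 192.168.1.0/24 reverse zone.

```python
# Added example, not code from the Rocky Linux guide: build the reverse
# (PTR) zone from the forward (A) zone so the two files cannot drift apart.
import re

# Constructed forward zone for ourdomain.lan. The DNS server address
# 192.168.1.136 is from the guide; the "web" and "mail" hosts are made up.
FORWARD_ZONE = """\
$TTL 86400
@       IN  SOA  dns.ourdomain.lan. root.ourdomain.lan. (
                 2024010101  ; serial
                 3600        ; refresh
                 1800        ; retry
                 604800      ; expire
                 86400 )     ; minimum
        IN  NS   dns.ourdomain.lan.
dns     IN  A    192.168.1.136
web     IN  A    192.168.1.151
mail    IN  A    192.168.1.152
"""

A_RECORD = re.compile(r"^(\S+)\s+IN\s+A\s+(\d+(?:\.\d+){3})\s*$", re.M)
SOA_SERIAL = re.compile(r"^\s*(\d{10})\s*;\s*serial", re.M)


def a_records(zone_text):
    """Return [(host, ip), ...] for each A record in the forward zone."""
    return A_RECORD.findall(zone_text)


def reverse_zone(zone_text, domain, network):
    """Build the in-addr.arpa zone text for a /24 from the forward zone.

    Only the last octet goes on the left of each PTR line: the first three
    octets are implied by the zone name (192.168.1.0 -> 1.168.192.in-addr.arpa).
    An A record outside the /24 raises instead of producing a PTR that no
    resolver could ever match against that zone.
    """
    net3 = network.split(".")[:3]
    arpa = ".".join(reversed(net3)) + ".in-addr.arpa"
    serial = SOA_SERIAL.search(zone_text).group(1)  # keep both serials in step
    out = ["$TTL 86400",
           f"@   IN  SOA  dns.{domain}. root.{domain}. ( {serial} 3600 1800 604800 86400 )",
           f"    IN  NS   dns.{domain}."]
    for host, ip in a_records(zone_text):
        octets = ip.split(".")
        if octets[:3] != net3:
            raise ValueError(f"{host} ({ip}) is outside {network}/24, not in {arpa}")
        out.append(f"{octets[3]:<4}IN  PTR  {host}.{domain}.")
    return arpa, "\n".join(out) + "\n"


if __name__ == "__main__":
    name, text = reverse_zone(FORWARD_ZONE, "ourdomain.lan", "192.168.1.0")
    print(f"; zone {name}\n{text}")
```

Writing the generated text to /var/named/ourdomain.lan.rev and running named-checkzone on both files before restarting named catches the mismatches this script is designed to prevent.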
When you have all of your files created, you need to ensure that the configuration files and zones are in good working order before you start the bind service again.
Check the main configuration:

```bash
named-checkconf
```
This will return an empty result if everything is OK.
You need to add the DNS server (in our example 192.168.1.136) to each machine that you want to have access to the servers that you added to your local DNS. The author only shows an example of how to do this on a Rocky Linux workstation. Similar methods exist for other Linux distributions, Windows, and Mac machines.
You will want to add the DNS server to the list, not replace what is currently there, as you will still need Internet access, which will require your presently assigned DNS servers. DHCP (Dynamic Host Configuration Protocol) services generally assign these, or they are statically assigned.
You will add your local DNS server with nmcli and then restart the connection.
Stupid Profile Names
In NetworkManager, connections are modified not by the name of the device but by the name of the profile. This can be something like "Wired connection 1" or "Wireless connection 1". You can see the profile by running nmcli without any parameters:
Before you even start modifying the connection, you should rename it to something sane, such as the name of the interface (note that the "\" below escapes the spaces in the name):
On a Rocky Linux workstation where the enabled network interface is eth0, use:

```bash
vi /etc/sysconfig/network-scripts/ifcfg-eth0
```

If your enabled network interface differs, you will need to substitute that interface name. The configuration file that you open will look something like this for a statically assigned IP (not DHCP, as mentioned above). In the example below, our machine's IP address is 192.168.1.151:
After completing the changes, restart the machine or restart networking with:

```bash
systemctl restart network
```
You will now be able to get to anything in the ourdomain.lan domain from your workstations, plus still be able to resolve and get to Internet addresses.
With Rocky Linux 9.0 and above, using iptables rules is deprecated. You should use firewalld instead.
The author is not making any assumptions about the network or services that you might need, except for turning on SSH access and DNS access for your LAN network only. For this, you will use firewalld's built-in zone, "trusted". You will also have to make service changes to the "public" zone to limit SSH access to the LAN.
The first step is to add your LAN network to the "trusted" zone:
These rules will get you DNS resolution on your private DNS server from hosts on the 192.168.1.0/24 network. In addition, you will be able to SSH from any of those hosts into your private DNS server.
Changing /etc/hosts on an individual workstation will get you access to a machine on your internal network, but that mapping only works on that one machine. A private DNS server that uses bind will allow you to add hosts to the DNS and, provided the workstations have access to that private DNS server, they will be able to get to these local servers.
If you do not need machines to resolve names on the Internet, but do need local access from several machines to local servers, then consider a private DNS server instead.