March 11, 2018

DNS – Configure a caching-only name server on CentOS/RHEL 7

A caching-only DNS server is a server that sits inside an internal network that all the other boxes in the internal network uses when it wants they do a dns lookup. You can follow along with this article using our dns demo vagrant environment.


You can find all my latest posts on medium.

A caching-only DNS server doesn’t have a full dns db, instead it would query actual dns servers to get the info and then feed it back to the requester. It will than cache the request so that it responds quicker if the request is made again.
There’s a few reason for using caching-only DNS servers:

  • Better security – internal servers can do dns lookup within the internal network, so can close the dns port from network to the public
  • Better performance – you get faster response times if dns lookup a server want is already cached

To set up a cache-only dns server, you need to first install the main dns software:

$ yum install bind

This software let’s you build all four types of DNS servers:

  • Master DNS Server
  • Slave DNS server
  • Caching-only DNS server
  • Forwarding-only DNS server

The main (and only) config file that needs to be edited to set up a caching-only server is /etc/named.conf. By default this file is already preconfigured for a Caching-Only Server but only few extra tweaks are required:

[root@webserver ~]# cat /etc/named.conf
// named.conf
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
// See /usr/share/doc/bind*/sample/ for example named configuration files.
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        // change this to 'any'
	listen-on port 53 {; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
        // change this to 'any'
	allow-query     { localhost; };

	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	recursion yes;

	dnssec-enable yes;
        // change this to 'no'
	dnssec-validation yes;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/";
	session-keyfile "/run/named/session.key";

logging {
        channel default_debug {
                file "data/";
                severity dynamic;

zone "." IN {
	type hint;
	file "";

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key"; 

Bind exclusively uses IPV6 which isn’t fully supported yet. So for maximum compatibility you need to append the append the following line to /etc/sysconfig/named to enable IPV4:


For more info, see man named. Next you can run the following command to check if you made any syntax errors:

$ named-checkconf

This will give if all is ok.

Next we all dns in firewalld:

$ firewall-cmd --permanent --add-service=dns
$ systemctl restart firewalld

This effectively opens up the dns port, which is port 53. Finally we start and enable the dns service:

$ systemctl enable named
Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/named.service.
$ systemctl start named

Next we need to test if this has worked. You can use nslookup or the dig command to test this. First let’s do test the lookups by using an ordinary public server:

[root@webserver ~]# nslookup

Non-authoritative answer:

[root@webserver ~]# dig

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62918
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;			IN	A


;; Query time: 2 msec
;; WHEN: Sun Mar 11 17:33:08 UTC 2018
;; MSG SIZE  rcvd: 47

Now we do this again, but this time explicit we send the resolution request to our new caching-only server:

[root@webserver ~]# nslookup

Non-authoritative answer:

[root@webserver ~]# dig @

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> @
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 249
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;			IN	A


;; AUTHORITY SECTION:		172332	IN	NS		172332	IN	NS

;; Query time: 0 msec
;; WHEN: Sun Mar 11 17:46:34 UTC 2018
;; MSG SIZE  rcvd: 114

Now to let other boxes in the private network to start using this caching-only dns server, you just have to update the other boxes 'nameserver' setting in the /etc/resolv.conf file.

[post-content post_name=rhsca-quiz]

What is the command to install the dns software?

$ yum install bind

What is the main config file?


What changes need to be made to this file?

- Set the 'listen-on port 53' to 'any'
- set the allow-query to 'any'
- set dnssec-validation to 'no'

What other file needs changing?

You need to append:

What is the command to syntax check our config files?

$ named-checkconf

What is the commands to open up dns firewalls?

$ firewall-cmd --permanent --add-service=dns
$ systemctl restart dns

What is the command to start and enable the dns service?

$ systemctl start named
$ systemctl enable named

What is a command to check if your caching-only dns server is working?

$ nslookup
# or:
$ dig @