This document describes the installation of ISC BIND on Red Hat Linux.

Installation

The following procedure will provide a default install of BIND (BIND 9.8.2 and greater). We strongly recommend using the latest version of BIND 9 and keeping it up to date with the latest security fixes.

  • Log in to your account on the CentOS system. You will need root access, via sudo or su. The instructions below use sudo, but you can run them without sudo if you are logged in as root.
  • Next, download and install BIND and its utilities:
    sudo yum install bind bind-utils
    
  • Next, enable and start BIND with the following commands:
    sudo /bin/systemctl enable named
    sudo /bin/systemctl start named
    
  • Verify that BIND is running by querying the local resolver:
    dig @127.0.0.1 google.com
    
  • If dig fails, check BIND’s logs in /var/log/messages.
  • Check that the installed version is at least 9.8.2, for example:
    /usr/sbin/named -v
    BIND 9.9.4-RedHat-9.9.4-51.el7 (Extended Support Version)
    

NTP on Red Hat Linux

A correct system time is required for transferring ThreatSTOP Policy zones. Using NTP is an easy way to keep correct time. Install ntp:

sudo yum install ntp
sudo /bin/systemctl enable ntpd
sudo /bin/systemctl start ntpd

Check that the time is synchronized:

sudo ntpstat
synchronised to NTP server (<ip address>) at stratum 3
   time correct to within 105 ms
   polling server every 64 s

BIND will show the following error in /var/log/messages if the clock is not synchronized:

zone <ZONE NAME> refresh: failure trying master 192.124.129.51#53 (source 0.0.0.0#0): clocks are unsynchronized

Restricting access to BIND

  • It is recommended to add ACLs to limit the systems that can connect to your BIND instance.
  • Add an ACL with the list of authorized subnets.
  • Since version 9.4, BIND defaults the allow-recursion option to the local networks (localnets), rather than any.
  • Add the ACL to /etc/named.conf:
    acl my-networks {
          172.16.0.0/12;
    };
    
  • Restrict access with the allow-recursion parameter in the options block of /etc/named.conf:
    options {
      ...
      allow-recursion { my-networks; };
      ...
    };
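As an added example (not part of the original page or of ThreatSTOP's tooling), the shell functions below turn two of the checks above into something scriptable: parsing the "named -v" banner to confirm the version is at least 9.8.2, and scanning named.conf text to flag an allow-recursion set to "any", which would leave the server as an open resolver. The version banners and config fragments are constructed samples; on a real host pass in the output of "named -v" and the contents of /etc/named.conf.

```shell
#!/bin/sh
# Added example, not the page's own code. Inputs are passed as strings so the
# functions run offline against constructed samples.

# Extract "major.minor.patch" from a "named -v" banner such as
# "BIND 9.9.4-RedHat-9.9.4-51.el7 (Extended Support Version)".
bind_version() {
  printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if the banner in $1 reports BIND 9.8.2 or newer (the page's minimum),
# 1 if it is older or cannot be parsed.
version_at_least_982() {
  ver="$(bind_version "$1")"
  [ -n "$ver" ] || return 1
  IFS=. read -r maj min pat <<EOF
$ver
EOF
  [ "$maj" -gt 9 ] && return 0
  [ "$maj" -lt 9 ] && return 1
  [ "$min" -gt 8 ] && return 0
  [ "$min" -lt 8 ] && return 1
  [ "$pat" -ge 2 ]
}

# Return 1 if the named.conf text in $1 sets allow-recursion to "any" (open
# resolver), 0 otherwise. A missing allow-recursion is accepted because
# BIND 9.4 and later default it to localnets.
recursion_restricted() {
  if printf '%s\n' "$1" | grep -Eq 'allow-recursion[[:space:]]*\{[[:space:]]*any[[:space:]]*;'; then
    return 1
  fi
  return 0
}

# Example run against the banner shown on this page and a constructed config:
version_at_least_982 "BIND 9.9.4-RedHat-9.9.4-51.el7 (Extended Support Version)" && echo "version ok"
recursion_restricted "options { allow-recursion { my-networks; }; };" && echo "recursion restricted"
```

On a live host, validate the edited file with named-checkconf before reloading named, so a syntax error in the new acl block does not take the resolver down.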