
CentOS 7, DNS and firewalld

Yesterday I needed to set up a local DNS server. Sure, I could’ve used Windows but, mostly for licensing reasons, decided that using a free OS would be a much better idea. For various reasons I decided to go with CentOS 7, the latest version of the CentOS Project Linux distribution.

This particular server is virtual and currently provided by Oracle VirtualBox, another free product. You can see a pattern here, right? 🙂

After installing CentOS, configuring the interfaces & network, then installing & configuring BIND, I found that DNS name resolution worked perfectly while logged into the server itself. However, the CentOS DNS server would not respond to any DNS requests from any other host. I had configured BIND to allow queries from any IP address on my local network and to listen on all interfaces. At this point, I thought it should be working.

The first thing I checked was the configuration:

Check BIND configuration

If that command returns no output, the /etc/named.conf configuration file contains no syntax errors.

The next check was to verify the syntax of the zone configuration files:

Check BIND zone files

Yes, I’m logged in as root. Whatever.

Anyway, those commands confirm that BIND is configured properly, including the zone files.

I had already checked to make sure IPtables wasn’t running:

Check iptables services

Nope, no iptables services running.

What I didn’t realise is that since Red Hat Enterprise Linux (RHEL) 7 and CentOS 7, iptables interaction is provided by the dynamic firewall daemon, firewalld. Sure enough, firewalld was definitely running:

Check firewalld service

Here’s the Red Hat page that confirms it:

Red Hat Enterprise Linux 7 iptables & firewalld

So, what to do? firewalld had to be configured to permanently allow requests on UDP port 53, followed by reloading the firewalld configuration.

Add firewalld rule

Update: As pointed out by certdepot in the comments below, requests on TCP port 53 should also be allowed in the event that the DNS request or response is larger than a single UDP packet, for example responses that have a large number of records, many IPv6 responses or most DNSSEC responses.

firewall-cmd --zone=public --add-port=53/tcp --permanent

After that, requests from my local laptop to the BIND server running on the CentOS system worked as they should:

Test nslookup

Nice!
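Added example, not part of the original post: a small script that checks whether a firewalld zone really opens DNS on both UDP and TCP 53 and prints the firewall-cmd invocations needed to fix it (the open-UDP-only state from this post is the constructed sample). It parses the text that `firewall-cmd --zone=<zone> --list-all` prints, and treats the built-in firewalld `dns` service (which covers both ports) as equivalent to the two port rules; the zone name `public` and the sample output are assumptions.

```bash
#!/bin/bash
# Added example (not the post's own commands): audit a firewalld zone for DNS on 53/udp and 53/tcp.
# Input is the text printed by `firewall-cmd --zone=<zone> --list-all`; a constructed sample is
# used at the bottom so the script runs on a machine that has no firewalld installed.

# Extract the values of one "  key: values" line from --list-all output (e.g. "ports", "services").
list_all_field() {           # $1 = field name, $2 = --list-all output
    printf '%s\n' "$2" | sed -n "s/^  $1: *//p"
}

# Print each DNS port (53/udp, 53/tcp) the zone does not open, one per line.
# firewalld's built-in "dns" service definition covers both ports, so a zone with that
# service enabled is reported as complete.
dns_ports_missing() {        # $1 = --list-all output
    local services ports p
    services=$(list_all_field services "$1")
    ports=$(list_all_field ports "$1")
    case " $services " in *" dns "*) return 0 ;; esac
    for p in 53/udp 53/tcp; do
        case " $ports " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Print the commands that permanently open the missing ports, then reload.
# --permanent only writes the saved configuration; --reload applies it to the running rules.
dns_fix_commands() {         # $1 = zone name, $2 = --list-all output
    local missing p
    missing=$(dns_ports_missing "$2")
    [ -z "$missing" ] && return 0
    for p in $missing; do
        printf 'firewall-cmd --zone=%s --add-port=%s --permanent\n' "$1" "$p"
    done
    printf 'firewall-cmd --reload\n'
}

# Constructed sample: the state after the first fix in the post, UDP 53 open but TCP 53 still closed.
SAMPLE_LIST_ALL='public (active)
  target: default
  interfaces: enp0s3
  services: dhcpv6-client ssh
  ports: 53/udp
  protocols:
  masquerade: no'

dns_fix_commands public "$SAMPLE_LIST_ALL"
```

On a live host, replace the sample with `"$(firewall-cmd --zone=public --list-all)"` and review the printed commands before running them as root.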

During this process I also had the help of friend & total guru – Tim Philips a.k.a @mr_timp. Thanks, Tim! 🙂

  • You should also open the TCP port 53 otherwise you will get some surprise (when the UDP packet size is not enough to get all the data, the DNS protocol switches to TCP …).

    • Well spotted – thanks for pointing that out. I’ve updated the post to reference your comment.

DigitalFormula is the website of Chris Rasmussen, a Nutanix SE and casual designer/developer based in Melbourne, Australia.