In this recipe, we will show you how you can quickly add new local domain record entries to your authoritative BIND server which are currently unknown to your nameserver.
To complete this recipe, you will require a working installation of the CentOS 7 operating system and a console-based text editor of your choice. It is expected that Unbound and BIND have both been installed and are already running, and that you have read and applied the zone recipes in this chapter and have prepared the required forward and reverse zone files for resolving hostnames of your private network.
If you want to add new domain name to IP address mappings to your DNS server, for example for new or unknown hosts in your local network, you have two alternatives. Since we have already created zone files for our local network, we can simply add new A (and/or CNAME) and corresponding PTR entries for every new subdomain within our base domain name into our forward and reverse zone file configuration using our text editor of choice. Alternatively, we can use the nsupdate command-line tool to add those records interactively without the need to restart the DNS server. In this section, we will show you how to prepare and work with the nsupdate tool. In our example, we will add a new subdomain client4.centos7.home for a computer with the IP address 192.168.1.14 to our DNS server's zone:
1. Allow the named service to write into its zone files, which SELinux otherwise prohibits:
   setsebool -P named_write_master_zones 1
2. Fix the ownership and permissions of the named directory, otherwise nsupdate cannot update our zone files later:
   chown :named /var/named -R; chmod 775 /var/named -R
3. Since our BIND server is listening on port 8053, type the following command to start the interactive nsupdate session locally:
   nsupdate -p 8053 -d -l
4. In the interactive nsupdate session (indicated by the > prompt), first connect to the local DNS server by typing the following (press Return to finish commands):
   local 127.0.0.1
5. Add the forward A record and send it to the server:
   update add client4.centos7.home. 115200 A 192.168.1.14
   send
6. Add the reverse PTR record and send it as well:
   update add 14.1.168.192.in-addr.arpa. 115200 PTR client4.centos7.home.
   send
7. If both the update commands' outputs contained the message NOERROR, press Ctrl+C to exit the interactive nsupdate session.
8. Finally, test the new entries by querying the BIND server:
   dig -p 8053 @127.0.0.1 client4.centos7.home.
   nslookup -port=8053 192.168.1.14 127.0.0.1
In this fairly easy recipe, we showed you how to add new domain name resolution records dynamically at runtime with the nsupdate tool, without needing to restart your BIND DNS server.
So what did we learn from this experience?
In this recipe, we introduced you to the nsupdate command-line tool, a utility for making changes to a running BIND DNS database without the need to edit the zone files or restart the server. If you have already configured the zone files in your DNS server, then this is the preferred way to make changes to the DNS server. It has several options; for example, you can connect to remote DNS servers, but for simplicity and for security reasons we will only use the simplest form and connect nsupdate to our BIND server locally (to connect to a BIND server remotely using nsupdate, you need more configuration, such as generating secure key-pairs, opening the firewall, and so on).
After allowing named to write into its own zone files, which is otherwise prohibited by SELinux, and fixing some permission problems on the default named configuration directory, we started the nsupdate program with -l for a local connection and -p 8053 to connect to our BIND DNS server on port 8053. The -d option gives us debug output, which can be useful for resolving any problems.

We were then prompted by an interactive shell where we could run BIND-specific update commands. First we set local 127.0.0.1, which connects to our local server, then we used the update add command to add a new forward A record to our running DNS server. The syntax is similar to defining records in the zone files. Here we used the line update add <domain-name> <TTL> <type> <IP address> to add a new A record with a TTL of three days (115200 seconds) for the domain client4.centos7.home to resolve to the IP address 192.168.1.14. The next line was used to configure the reverse resolution rule for our new domain, which adds the domain name as a PTR entry into our reverse zone. Here it is important to note that you need to define the domain part of the reverse update add rule the following way: <host name for the rule>.<reverse C-class>.in-addr.arpa (in our example, 14.1.168.192.in-addr.arpa.). To finally execute our commands and make them permanent in our DNS server's database, without the need to restart the server, we used the send command for the reverse and forward commands separately, since they target different zones. Finally, we tested whether the new entries in the DNS server's zone files were working by querying the BIND server.
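The same forward and reverse updates as a scripted batch, so the reverse name is derived from the IP address instead of being typed by hand. This is an added example, not part of the original recipe; it assumes the local nsupdate setup from the steps above (named listening on port 8053 on the same host), and the function names reverse_name and nsupdate_batch are our own.

```shell
#!/bin/sh
# Added example: build the nsupdate command stream for one host so that the
# forward A and reverse PTR records are added with a single local nsupdate run.

# reverse_name IP -> in-addr.arpa name for the PTR record, for example
# 192.168.1.14 -> 14.1.168.192.in-addr.arpa.
# Rejects anything that is not four dotted decimal octets in the range 0-255,
# so a typo cannot end up as a malformed name in the reverse zone.
reverse_name() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.in-addr.arpa.\n' "$4" "$3" "$2" "$1"
}

# nsupdate_batch HOST IP TTL -> prints the nsupdate commands on stdout.
# Each record gets its own "send" because the A and PTR records live in
# different zones, and one update must not span more than one zone.
nsupdate_batch() {
    host=$1 ip=$2 ttl=$3
    rev=$(reverse_name "$ip") || return 1
    case $host in
        *.) ;;                 # already fully qualified
        *)  host="$host." ;;   # make the name absolute, as in the zone file
    esac
    printf 'local 127.0.0.1\n'
    printf 'update add %s %s A %s\n' "$host" "$ttl" "$ip"
    printf 'send\n'
    printf 'update add %s %s PTR %s\n' "$rev" "$ttl" "$host"
    printf 'send\n'
}

# Usage on the BIND host from the recipe (not executed here):
#   nsupdate_batch client4.centos7.home 192.168.1.14 115200 | nsupdate -l -p 8053
```

Check the result afterwards with the same dig and nslookup queries as in the steps.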