DNS Management

Prerequisites

  • CentOS Stream VM with root/sudo access
  • Firewall configured (firewalld running)
  • Understanding of DNS concepts (see DNS Concepts)
  • Your VM's external IP address

Procedure: Set Up a Recursive Resolver (kresd)

When to use: You need your machine to resolve external DNS queries using its own local caching resolver.

Steps:

  1. Install Knot Resolver:

    dnf install knot-resolver
    

  2. Edit /etc/knot-resolver/kresd.conf:

    -- Listen on localhost and all interfaces
    net.listen('127.0.0.1', 53, { kind = 'dns' })
    net.listen('0.0.0.0', 53, { kind = 'dns' })
    
    -- Cache size
    cache.size = 100 * MB
    

  3. Open the DNS port in the firewall:

    firewall-cmd --add-service=dns --permanent
    firewall-cmd --reload
    

  4. Enable and start the service:

    systemctl enable --now kresd@1.service
    

  5. Verify:

    dig @127.0.0.1 google.com
    
    Expected: an ANSWER SECTION with A records.

Troubleshooting:

  • If kresd@1.service fails with Permission denied, see the post-install fix — runtime directories may have incorrect ownership after installation.
  • If you get SERVFAIL, try adding trust_anchors.remove('.') to the config to disable DNSSEC validation.
  • If port 53 is in use, check for conflicting services: ss -tulpn | grep :53

Procedure: Configure the VM to Use Its Own Resolver

When to use: After setting up kresd, direct all system DNS queries to it.

Steps:

  1. Edit /etc/resolv.conf:

    nameserver 127.0.0.1
    

  2. Prevent NetworkManager from overwriting it:

    chattr +i /etc/resolv.conf
    

  3. Verify:

    dig google.com
    
    The SERVER: line should show 127.0.0.1#53.

Troubleshooting:

  • If /etc/resolv.conf gets overwritten after reboot, ensure the immutable flag is set.

Procedure: Set Up an Authoritative Server (knotd)

When to use: You need to serve DNS records for your own domain on a separate port.

Steps:

  1. Install Knot DNS:

    dnf install knot
    

  2. Create the zones directory:

    mkdir -p /var/lib/knot/zones
    chown knot:knot /var/lib/knot/zones
    

  3. Edit /etc/knot/knot.conf:

    server:
        listen: 0.0.0.0@5353
        listen: ::@5353
    
    log:
      - target: syslog
        any: info
    
    zone:
      - domain: <vm_name>.sysadm.ee
        storage: /var/lib/knot/zones/
        file: <vm_name>.sysadm.ee.zone
    

  4. Open firewall ports:

    firewall-cmd --add-port=5353/tcp --permanent
    firewall-cmd --add-port=5353/udp --permanent
    firewall-cmd --reload
    

  5. Enable and start:

    systemctl enable --now knot
    

Troubleshooting:

  • Check configuration: knotc conf-check
  • View logs: journalctl -u knot

Procedure: Create a Forward Zone

When to use: Adding DNS records (A, CNAME, NS) for your domain.

Steps:

  1. Create /var/lib/knot/zones/<vm_name>.sysadm.ee.zone:

    $TTL 900
    @       IN  SOA  ns1.<vm_name>.sysadm.ee. admin.<vm_name>.sysadm.ee. (
                      2026031701  ; Serial (YYYYMMDDNN)
                      900         ; Refresh
                      300         ; Retry
                      7200        ; Expire
                      600 )       ; Negative Cache TTL
    
    @              IN  NS   ns1.<vm_name>.sysadm.ee.
    @              IN  NS   ns.sysadm.ee.
    @              IN  A    <VM_IP>
    ns1            IN  A    <VM_IP>
    blog           IN  CNAME  <vm_name>.sysadm.ee.
    inventory      IN  CNAME  <vm_name>.sysadm.ee.
    

  2. Set ownership:

    chown knot:knot /var/lib/knot/zones/<vm_name>.sysadm.ee.zone
    

  3. Validate the configuration:

    knotc conf-check
    

  4. Reload the configuration:

    knotc reload
    

  5. Check the zone after loading:

    knotc zone-check <vm_name>.sysadm.ee
    

  6. Verify:

    dig @127.0.0.1 -p 5353 <vm_name>.sysadm.ee
    dig @127.0.0.1 -p 5353 blog.<vm_name>.sysadm.ee
    

Troubleshooting:

  • A missing trailing dot on an FQDN makes the server append the zone origin, producing names like name.zone.zone.; always end FQDNs with a dot.
  • Always increment the serial number when editing zone files.
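Both troubleshooting points above can be checked mechanically before running knotc zone-check. The following is an added example, not part of the course material: it parses a zone file, flags name-typed RDATA (NS, CNAME, MX, PTR) that already ends in the zone origin but has no trailing dot, and computes the next serial in the YYYYMMDDNN form the zone file uses. The sample zone, the VM name example and the address 192.0.2.10 are constructed.

```python
import re
from datetime import date

# Constructed sample zone for a hypothetical VM "example"; the CNAME on the last
# line lacks its trailing dot, so the origin would be appended to it on load.
SAMPLE_ZONE = """\
$TTL 900
@       IN  SOA  ns1.example.sysadm.ee. admin.example.sysadm.ee. (
                  2026031701  ; Serial (YYYYMMDDNN)
                  900 300 7200 600 )
@       IN  NS   ns1.example.sysadm.ee.
@       IN  A    192.0.2.10
ns1     IN  A    192.0.2.10
blog    IN  CNAME  example.sysadm.ee
"""

NAME_TYPES = {"NS", "CNAME", "MX", "PTR"}  # record types whose RDATA is a name


def find_unterminated_fqdns(zone_text, origin):
    """Return (line_no, rdata) for name-typed records whose RDATA already ends
    in `origin` but has no trailing dot: loading it yields name.zone.zone."""
    origin = origin.rstrip(".").lower()
    problems = []
    for no, raw in enumerate(zone_text.splitlines(), 1):
        fields = raw.split(";", 1)[0].split()          # drop comments
        if not fields or fields[0].startswith("$"):
            continue
        if any(tok.upper() in NAME_TYPES for tok in fields):
            target = fields[-1]                        # MX: exchange is last
            if not target.endswith(".") and target.lower().endswith(origin):
                problems.append((no, target))
    return problems


def read_serial(zone_text):
    """Pull the serial out of the SOA RDATA (first number after the '(')."""
    return int(re.search(r"\bSOA\b[^(]*\(\s*(\d+)", zone_text).group(1))


def next_serial(current, today=None):
    """Next YYYYMMDDNN serial: same day increments NN, a new day restarts at
    01, and a serial already ahead of the clock is only ever incremented.
    `today` is a 'YYYYMMDD' string; it defaults to the current date."""
    today = today or date.today().strftime("%Y%m%d")
    current = int(current)
    if current // 100 >= int(today):
        if current % 100 == 99:
            raise ValueError("99 edits in one day: pick the next date by hand")
        return current + 1
    return int(today + "01")
```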

Procedure: Create a Reverse (ARPA) Zone

When to use: Setting up reverse DNS so IP lookups return your hostname.

Steps:

  1. Determine your reverse zone name. For IP A.B.C.D on a /24 subnet:

    • Reverse zone: C.B.A.in-addr.arpa
    • Your record name: D (last octet)

  2. Create /var/lib/knot/zones/C.B.A.in-addr.arpa.zone:

    $TTL 900
    @       IN  SOA  ns1.<vm_name>.sysadm.ee. admin.<vm_name>.sysadm.ee. (
                      2026031701  ; Serial
                      900         ; Refresh
                      300         ; Retry
                      7200        ; Expire
                      600 )       ; Negative Cache TTL
    
    @              IN  NS   ns1.<vm_name>.sysadm.ee.
    @              IN  NS   ns.sysadm.ee.
    D              IN  PTR  <vm_name>.sysadm.ee.
    
    Replace D with the last octet of your IP.

  3. Set ownership (chown knot:knot on the new zone file, as for the forward zone) and add the zone to /etc/knot/knot.conf:

    zone:
      # ... existing zones ...
      - domain: C.B.A.in-addr.arpa
        storage: /var/lib/knot/zones/
        file: C.B.A.in-addr.arpa.zone
    

  4. Reload and verify:

    knotc reload
    dig @127.0.0.1 -p 5353 -x <VM_IP>
    
    Expected: PTR record → <vm_name>.sysadm.ee.
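The reverse zone name and record name can be derived from the address rather than worked out by hand. This added example (not from the course page) uses Python's ipaddress module to split the in-addr.arpa name at the /24 boundary from step 1, and generalises to /16 and /8 delegations; it then renders the zone file and the knot.conf stanza in the layout shown above. The VM name example and the address 192.0.2.10 are constructed placeholders.

```python
import ipaddress


def reverse_zone(ip, prefix_len=24):
    """Split the in-addr.arpa name of `ip` into (zone, record). For the /24 on
    the page this is ('C.B.A.in-addr.arpa', 'D'); /16 and /8 delegations move
    the boundary one or two octets to the left."""
    if prefix_len not in (8, 16, 24):
        raise ValueError("reverse zones cut on octet boundaries: 8, 16 or 24")
    labels = ipaddress.IPv4Address(ip).reverse_pointer.split(".")
    # labels == ['D', 'C', 'B', 'A', 'in-addr', 'arpa']
    cut = 4 - prefix_len // 8            # host octets that form the record name
    return ".".join(labels[cut:]), ".".join(labels[:cut])


def ptr_zone_file(ip, hostname, primary_ns, serial, prefix_len=24):
    """Render the reverse zone in the page's layout. Names are made absolute
    (trailing dot) so the origin is not appended to them on load."""
    zone, record = reverse_zone(ip, prefix_len)
    host = hostname.rstrip(".") + "."
    ns = primary_ns.rstrip(".") + "."
    body = (
        "$TTL 900\n"
        f"@    IN  SOA  {ns} admin.{host} (\n"
        f"         {serial}  ; Serial\n"
        "         900 300 7200 600 )\n"
        f"@    IN  NS   {ns}\n"
        f"{record:<4} IN  PTR  {host}\n"
    )
    return zone, body


def knot_zone_stanza(zone):
    """knot.conf fragment for the zone; the file is named after the zone."""
    return (f"  - domain: {zone}\n"
            f"    storage: /var/lib/knot/zones/\n"
            f"    file: {zone}.zone\n")


if __name__ == "__main__":
    # Constructed values: documentation address 192.0.2.10, hypothetical VM "example".
    zone, text = ptr_zone_file("192.0.2.10", "example.sysadm.ee",
                               "ns1.example.sysadm.ee", 2026031701)
    print(f"# /var/lib/knot/zones/{zone}.zone\n{text}\n{knot_zone_stanza(zone)}")
```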


Procedure: Configure Hidden Primary with NOTIFY

When to use: Pushing zone updates to a central secondary server via zone transfers.

Steps:

  1. Add remote and ACL to /etc/knot/knot.conf. The central server's public IP is 193.40.153.43, but AXFR connections arrive from its internal IP 172.17.89.217 — include both in the ACL:

    remote:
      - id: central-secondary
        address: 193.40.153.43@53
    
    acl:
      - id: allow-transfer
        address: [193.40.153.43, 172.17.89.217]
        action: transfer
    

  2. Add notify and acl to the forward zone only (the reverse/ARPA zone is served directly by your VM and is not transferred):

    zone:
      - domain: <vm_name>.sysadm.ee
        storage: /var/lib/knot/zones/
        file: <vm_name>.sysadm.ee.zone
        notify: central-secondary
        acl: allow-transfer
    
      - domain: C.B.A.in-addr.arpa
        storage: /var/lib/knot/zones/
        file: C.B.A.in-addr.arpa.zone
    

  3. Reload and trigger notify:

    knotc reload
    knotc zone-notify <vm_name>.sysadm.ee
    


Procedure: Add an MX record to a zone

When to use: You want to receive email sent to your domain.

Steps:

  1. Open your Forward Zone file in /var/lib/knot/zones/.

  2. Add a type A record for mail.<vm_name>.sysadm.ee pointing to your VM's external IP:

    mail      IN  A     <VM_IP>
    

  3. Add an MX record pointing to the hostname mail.<vm_name>.sysadm.ee:

    <vm_name>.sysadm.ee. IN MX 0 mail.<vm_name>.sysadm.ee.
    

    • Note: 0 is the MX priority (preference) value; lower values are preferred.

  4. Validate the configuration:

    knotc conf-check
    knotc zone-check <zone>
    

  5. Reload Knot DNS:

    knotc reload
    

  6. Verify:

    dig -t A mail.<vm_name>.sysadm.ee
    dig -t MX <vm_name>.sysadm.ee
    

  7. Note: DNS changes may take time to propagate.

Troubleshooting:

  • A missing trailing dot on an FQDN makes the server append the zone origin, producing names like name.zone.zone.; always end FQDNs with a dot.
  • Always increment the serial number when editing zone files.

Quick Reference

Action                           Command
Start kresd                      systemctl start kresd@1.service
Start knotd                      systemctl start knot
Reload knotd config              knotc reload
Check knotd config               knotc conf-check
Check loaded zone                knotc zone-check <zone>
Query recursive (port 53)        dig @127.0.0.1 example.com
Query authoritative (port 5353)  dig @127.0.0.1 -p 5353 <domain>
Reverse lookup                   dig @127.0.0.1 -p 5353 -x <IP>
Send NOTIFY                      knotc zone-notify <zone>