- Do you want to set up a secure local resolver on RHEL 9/ Rocky 9/ Alma 9?
- Prerequisites and initial installation
- Checking base files and validating configuration
- Recommended configuration for a caching resolver (basic)
- RNDC key generation and remote management
- Firewall and SELinux
- More security: Restriction, monitoring and prevention of abuse
- Monitoring, logging and troubleshooting
- Advanced scenarios: views, split-horizon, and distributed servers
- Practical tips for different applications
- Full Summary Configuration Example (Quick Example)
- Final Tips and Best Practices
- Why implement this service on the provider's cloud infrastructure?
- Frequently Asked Questions
Do you want to set up a secure local resolver on RHEL 9/ Rocky 9/ Alma 9?
This guide walks through a step-by-step deployment of a local (caching) resolver based on BIND on RHEL 9 based distributions such as Rocky Linux 9 and AlmaLinux 9. The goal is a secure, monitorable, and well-tuned resolver for internal networks, cloud servers, and workload clusters: useful for webmasters, DevOps teams, traders, gamers, and AI teams that need lower lookup latency and more stable name resolution.
Prerequisites and initial installation
Prerequisites
- A RHEL 9, Rocky Linux 9, or AlmaLinux 9 server with root or sudo access.
- Internet access to install updates and to reach the forwarders (or the root servers, if the resolver recurses on its own; the root hints file named.ca ships with the bind package).
- The bind and bind-utils packages.
Initial installation
Use the following commands to update and install BIND:
sudo dnf update -y
sudo dnf install -y bind bind-utils
sudo systemctl enable --now named
sudo systemctl status named
Checking base files and validating configuration
Important files and paths:
- /etc/named.conf — main configuration
- /var/named — default zone directory (named.ca root hints live here)
- /etc/rndc.key — rndc control key, created by rndc-confgen -a
- /var/named/data — named.run debug log and cache dumps written by rndc dumpdb
Use the following tools to quickly check the configuration:
sudo named-checkconf
sudo named-checkzone example.com /var/named/example.com.zone
Recommended configuration for a caching resolver (basic)
In /etc/named.conf, edit the options section as follows. This is a working example for a local resolver with query restrictions and forwarders:
options {
directory "/var/named";
listen-on port 53 { 127.0.0.1; 10.10.10.5; };
listen-on-v6 { none; };
allow-query { localhost; localnets; 10.10.10.0/24; };
recursion yes;
forwarders { 1.1.1.1; 8.8.8.8; };
dnssec-validation auto;
managed-keys-directory "/var/named/dynamic";
minimal-responses yes;
max-cache-ttl 86400;
max-ncache-ttl 3600;
rate-limit {
responses-per-second 10;
window 5;
};
auth-nxdomain no;
};
Practical tips:
- forwarders can point at the company's Anycast resolvers or at public resolvers such as Cloudflare (1.1.1.1) or Google (8.8.8.8); pick the nearest location to reduce latency. Without forward only; BIND treats the list as "forward first" and falls back to full recursion from the root hints when the forwarders do not answer, so add forward only; if lookups must never leave by another path.
- allow-query also governs who may recurse here: because allow-recursion is not set, BIND derives it from allow-query (and otherwise from its built-in default of localhost and localnets), so keep that list limited to your own subnets.
- rate-limit (Response Rate Limiting) is designed for authoritative servers; on a recursive resolver that already restricts allow-query it adds little and can throttle legitimate bursts, so measure real client load before enabling it and tune responses-per-second accordingly.
- minimal-responses and sensible TTL caps reduce response size and cache churn.
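Before restarting named it is worth checking the options block for the mistakes that turn a caching resolver into an open resolver. The following is an added example, not part of the original guide or of BIND: a small auditor that reads a named.conf options block and flags recursion open to any client, disabled DNSSEC validation, forwarders without forward only, and an unhidden version string. It understands only the flat statement syntax used in this guide, not the full BIND grammar, and both configurations it audits are constructed here (the hardened one mirrors the block above with allow-recursion, forward only and version none added explicitly).

```python
import re

# Constructed sample: a risky options block (recursion open to the world,
# validation off, forwarders without "forward only", version not hidden)
WEAK_CONF = """
options {
    directory "/var/named";
    listen-on port 53 { any; };
    allow-query { any; };
    recursion yes;
    dnssec-validation no;
    forwarders { 1.1.1.1; 8.8.8.8; };
};
"""

# Constructed sample mirroring the hardened options block from this guide,
# with allow-recursion, forward only and version none added explicitly
HARDENED_CONF = """
options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 10.10.10.5; };
    allow-query { localhost; localnets; 10.10.10.0/24; };
    allow-recursion { localhost; localnets; 10.10.10.0/24; };
    recursion yes;
    forwarders { 1.1.1.1; 8.8.8.8; };
    forward only;
    dnssec-validation auto;
    minimal-responses yes;
    version none;
};
"""


def strip_comments(text):
    """Remove /* */, // and # comments so commented-out settings are not read as live."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def options_block(conf):
    """Return the text inside options { ... }, honouring nested braces; '' if absent."""
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return ""
    depth, start = 1, m.end()
    for j in range(start, len(conf)):
        if conf[j] == "{":
            depth += 1
        elif conf[j] == "}":
            depth -= 1
            if depth == 0:
                return conf[start:j]
    return ""  # unbalanced braces: named-checkconf would reject this anyway


def acl_of(body, name):
    """Address-match list of `name { a; b; };` as a list of strings, or None if unset."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), body)
    if not m:
        return None
    return [x.strip().strip('"') for x in m.group(1).split(";") if x.strip()]


def scalar_of(body, name):
    """Value of a single-token statement like `recursion yes;`, or None if unset."""
    m = re.search(r"\b%s\s+([^;{]+);" % re.escape(name), body)
    return m.group(1).strip().strip('"') if m else None


def audit(conf):
    """Return a list of findings for the options block (empty list means nothing flagged)."""
    body = options_block(strip_comments(conf))
    if not body:
        return ["no options block found"]
    findings = []
    recursion = scalar_of(body, "recursion") or "yes"  # BIND default is yes
    query_acl = acl_of(body, "allow-query")
    # BIND derives allow-recursion from allow-query-cache, then allow-query,
    # then its built-in default of localhost and localnets.
    recur_acl = (acl_of(body, "allow-recursion") or acl_of(body, "allow-query-cache")
                 or query_acl or ["localhost", "localnets"])
    if recursion == "yes" and "any" in recur_acl:
        findings.append("open resolver: recursion is allowed for any client")
    if scalar_of(body, "dnssec-validation") == "no":
        findings.append("dnssec-validation is disabled")
    if acl_of(body, "forwarders") and scalar_of(body, "forward") != "only":
        findings.append("forwarders set without 'forward only': falls back to full recursion")
    if scalar_of(body, "version") is None:
        findings.append("version string not hidden (add 'version none;')")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "OK")
```

Run it against /etc/named.conf by passing the file contents to audit(); it complements named-checkconf, which only checks syntax, not whether the resulting resolver is safe to expose.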
RNDC key generation and remote management
Use rndc to manage BIND securely. Generate the control key, then restart the service so named picks it up:
sudo rndc-confgen -a
sudo systemctl restart named
sudo rndc status
Firewall and SELinux
Opening ports in firewalld
Open port 53 only in the firewalld zone bound to the internal interface (add --zone=<zone> to the commands below) so the resolver is not reachable from the public side; --add-service=dns is an equivalent shorthand for both ports.
sudo firewall-cmd --permanent --add-port=53/udp
sudo firewall-cmd --permanent --add-port=53/tcp
sudo firewall-cmd --reload
SELinux settings
If SELinux is enforcing (the default), restore the file contexts under /var/named. The named_write_master_zones boolean is only needed when named must write zone files itself (dynamic updates, inline signing, secondary zones); a pure caching resolver can leave it off. Port 53 is already labelled dns_port_t in the stock policy, and adding it again with semanage port -a fails with "already defined"; use semanage port -a -t dns_port_t -p tcp <port> (and the same for udp) only for a non-standard port. List the existing labels to confirm:
sudo restorecon -Rv /var/named
sudo setsebool -P named_write_master_zones on
sudo semanage port -l | grep dns_port_t
More security: Restriction, monitoring and prevention of abuse
Preventing unauthorized zone transfers (AXFR)
If this server also hosts authoritative zones, restrict AXFR with TSIG keys. In BIND 9.16, the version shipped with RHEL 9, allow-transfer defaults to any host, so an unrestricted zone can be copied by anyone who can reach port 53. Generate the key with tsig-keygen xfr-key, install the same key statement on the secondary, and reference it in allow-transfer:
key "xfr-key" {
algorithm hmac-sha256;
secret "BASE64-SECRET";
};
zone "example.com" IN {
type master;
file "example.com.zone";
allow-transfer { key "xfr-key"; };
};
DDoS and rate-limiting solutions
- Use rate-limit in the options block to cap identical responses per client.
- Use a Response Policy Zone (RPZ) to block or redirect known-malicious domains.
- At the network level, use Anti-DDoS scrubbing and Anycast/BGP to spread attack traffic across locations.
DNSSEC and validation
With dnssec-validation auto, the resolver validates DNSSEC signatures against the built-in root trust anchor and returns SERVFAIL for answers that fail validation instead of passing them to clients. Check that the managed-keys file has been created in the managed-keys-directory (rndc managed-keys status also reports the trust-anchor state):
sudo ls /var/named/dynamic
Monitoring, logging and troubleshooting
Logs and rotation
With the stock RHEL configuration, named writes debug output to /var/named/data/named.run and sends everything else to syslog, so it appears in the journal (journalctl -u named). Query logging is off by default; toggle it at runtime with rndc querylog, or add a queries channel under logging. If you log to files, rotate them with logrotate; otherwise keep the journal as the single destination.
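Once query logging is on, the log is the quickest place to spot the abuse the rate-limit and RPZ settings above are meant to contain. The following is an added example, not code from the original guide or from BIND: it parses query-log lines in the format BIND 9.16 writes for the queries category and flags noisy clients, lookups of blocklisted names (a stand-in for an RPZ feed), clients outside the 10.10.10.0/24 subnet this guide allows, and ANY queries, which are a common amplification probe. The log lines, the blocklist and the per-client threshold are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed query-log lines in the format BIND 9.16 writes for the "queries"
# category; the burst of 25 lookups from 10.10.10.9 is generated below.
SAMPLE_LOG = """\
05-Mar-2024 10:00:01.101 queries: info: client @0x7f1a2c0d8e40 10.10.10.7#53214 (www.example.com): query: www.example.com IN A +E(0)K (10.10.10.5)
05-Mar-2024 10:00:01.202 queries: info: client @0x7f1a2c0d8e40 10.10.10.7#53215 (registry.example.com): query: registry.example.com IN AAAA +E(0)K (10.10.10.5)
05-Mar-2024 10:00:02.303 queries: info: client @0x7f1a2c0d9f10 10.10.10.9#41000 (update.evil-example.net): query: update.evil-example.net IN A + (10.10.10.5)
05-Mar-2024 10:00:02.404 queries: info: client @0x7f1a2c0da000 203.0.113.44#5000 (isc.org): query: isc.org IN ANY +E(0) (10.10.10.5)
""" + "".join(
    "05-Mar-2024 10:00:03.%03d queries: info: client @0x7f1a2c0db000 10.10.10.9#%d "
    "(r%d.example.org): query: r%d.example.org IN A + (10.10.10.5)\n" % (i, 40000 + i, i, i)
    for i in range(25)
)

# client <ptr> <ip>#<port> (<name>): query: <qname> <class> <type> <flags> (<server>)
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)
ALLOWED_NET = ipaddress.ip_network("10.10.10.0/24")  # the allow-query subnet from this guide
BLOCKLIST = ("evil-example.net",)                    # constructed stand-in for an RPZ feed
PER_CLIENT_LIMIT = 20                                 # constructed threshold per log sample


def parse_query_log(text):
    """Yield (client_ip, qname, qtype) for every query line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def analyze(text, limit=PER_CLIENT_LIMIT):
    """Summarise abuse indicators in a query log sample."""
    per_client = Counter()
    blocked, outside, any_queries = [], set(), []
    for ip, qname, qtype in parse_query_log(text):
        per_client[ip] += 1
        # suffix match, the same way an RPZ wildcard rule would catch subdomains
        if any(qname == d or qname.endswith("." + d) for d in BLOCKLIST):
            blocked.append((ip, qname))
        # a client outside the allowed subnet reaching the server means a firewall or ACL gap
        if ipaddress.ip_address(ip) not in ALLOWED_NET:
            outside.add(ip)
        if qtype == "ANY":
            any_queries.append((ip, qname))
    return {
        "noisy_clients": {ip: n for ip, n in per_client.items() if n > limit},
        "blocklisted": blocked,
        "outside_subnet": sorted(outside),
        "any_queries": any_queries,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Feed it the output of journalctl -u named (or the file a queries channel writes to) and raise the threshold to match the window you sample; the noisy-client figure is what the responses-per-second value in rate-limit should be calibrated against.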
Functional commands
dig @10.10.10.5 example.com +stats
dig @10.10.10.5 google.com +short
sudo rndc flush
sudo named-checkconf
sudo named-checkzone example.com /var/named/example.com.zone
sudo systemctl status named
sudo journalctl -u named -f
Advanced scenarios: views, split-horizon, and distributed servers
Views for split-horizon
Use views to answer internal and external clients differently. Views are matched in order, so put the most specific match-clients first; and once a single view is defined, every zone, including the root hints, must live inside a view. Example:
acl "internal" { 10.10.10.0/24; localhost; };
view "internal" {
match-clients { "internal"; };
recursion yes;
zone "example.com" {
type master;
file "zones/db.example.internal";
};
};
view "external" {
match-clients { any; };
recursion no;
zone "example.com" {
type master;
file "zones/db.example.public";
};
};
Geographic distribution and Anycast
For latency-sensitive use (traders, gamers), spread resolvers across regions and announce them over Anycast/BGP. The provider offering this solution has more than 85 global locations, with Anycast and CDN infrastructure for distributed resolvers, DDoS protection, and BGP connectivity.
Practical tips for different applications
For website and WordPress administrators
- Run a caching resolver on (or next to) the cloud servers so repeated lookups are answered locally.
- Set minimal-responses and sensible TTLs to shave milliseconds off page loads.
- Combine a CDN with low-latency DNS to reduce latency and increase availability.
For DevOps and AI/Render clusters
- Run a local resolver on each node or a high-capacity central resolver for faster access to registries and resources.
- Use DNS caching in CI/CD jobs and package downloads.
- In large environments, use split-horizon to separate internal and external services.
For traders and gamers
- Place the resolver in the geographically closest of the provider's 85 locations to reduce ping.
- Use Anycast resolvers and Anti-DDoS servers to increase stability and protect against attacks.
Full Summary Configuration Example (Quick Example)
The essential part of /etc/named.conf:
options {
directory "/var/named";
listen-on port 53 { 127.0.0.1; 10.10.10.5; };
allow-query { localhost; localnets; 10.10.10.0/24; };
recursion yes;
forwarders { 1.1.1.1; 8.8.8.8; };
dnssec-validation auto;
minimal-responses yes;
rate-limit { responses-per-second 10; window 5; };
};
Final Tips and Best Practices
- Always run named-checkconf and named-checkzone before restarting.
- Limit access to your own subnets; never leave the resolver open to everyone.
- Use TSIG keys for zone transfers and rndc-confgen -a for secure remote management.
- Monitor logs and define alert thresholds for traffic spikes and error rates.
- If serving the public, use Anti-DDoS infrastructure and geographic distribution.
Why implement this service on the provider's cloud infrastructure?
Advantages:
- Resolvers deployed in multiple geographic locations for low ping and fast responses.
- Advanced protection with Anti-DDoS and network firewalls.
- Integration with CDNs and distributed networks for higher availability and lower latency.
- Managed DNS plans, plus hosting for GitLab, databases, and AI infrastructure.