RHEL7: Configure a caching-only name server.


Note: This is an RHCE 7 exam objective.

Presentation of Caching-only Name Server

A cache-only name server keeps a cache of all the results of the previous requests to the root DNS servers.

Configuration Procedure

Install the bind package:

# yum install -y bind

Edit the /etc/named.conf file and change the listen-on option to any, so that named listens on every interface:

listen-on port 53 { any; };

In the same file, change the allow-query option from localhost to any:

allow-query { any; };

In the same file, disable the dnssec-validation option:

dnssec-validation no;

Check the configuration file:

# named-checkconf

Add a new service to the firewall:

# firewall-cmd --permanent --add-service=dns

Reload the firewall configuration:

# firewall-cmd --reload

Activate the DNS service:

# systemctl enable named

Start the DNS service:

# systemctl start named
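
With listen-on and allow-query both set to any and dnssec-validation set to no, named answers recursive queries from every client the firewall lets through and does not validate the answers it caches. The following is an added example, not part of the original tutorial: a shell check that reads a named.conf on standard input and flags those settings. The two sample configurations and the 192.0.2.x addresses are constructed, and audit_named_conf, tutorial_conf and restricted_conf are hypothetical names.

```shell
#!/bin/sh
# Added example: flag open-resolver settings in a named.conf read from stdin.
# Prints WARN/INFO lines; returns 0 when there are no warnings, 1 otherwise.
# Only // and # comments are stripped (no /* ... */ handling).
audit_named_conf() {
    # Flatten the file to one line so multi-line "{ ... }" blocks match.
    conf=$(sed -e 's://.*$::' -e 's:#.*$::' | tr '\n\t' '  ' | tr -s ' ')
    has() { printf '%s\n' "$conf" | grep -Eq "$1"; }
    warnings=0
    warn() { echo "WARN: $1"; warnings=$((warnings + 1)); }
    open_acl=' ?\{ ?any; ?\}'

    # Without allow-recursion or allow-query-cache, BIND falls back to
    # allow-query to decide who may recurse.
    if ! has 'recursion no;'; then
        if has "allow-recursion$open_acl"; then
            warn "allow-recursion is any: open resolver"
        elif has "allow-query$open_acl" &&
             ! has 'allow-(recursion|query-cache) ?\{'; then
            warn "allow-query is any and nothing narrows recursion: open resolver"
        fi
    fi
    if has 'dnssec-validation no;'; then
        warn "DNSSEC validation is disabled"
    fi
    if has "listen-on( port [0-9]+)?$open_acl"; then
        echo "INFO: listening on every interface"
    fi
    [ "$warnings" -eq 0 ]
}

# Constructed sample: the three settings from the procedure above.
tutorial_conf() { cat <<'EOF'
options {
    listen-on port 53 { any; };
    allow-query { any; };
    dnssec-validation no;
};
EOF
}

# Constructed sample: same server limited to one example network.
# dnssec-validation yes still needs a trust anchor configured.
restricted_conf() { cat <<'EOF'
options {
    listen-on port 53 { 127.0.0.1; 192.0.2.10; };   // constructed address
    allow-query     { localhost; 192.0.2.0/24; };
    allow-recursion { localhost; 192.0.2.0/24; };
    dnssec-validation yes;
};
EOF
}

echo "== tutorial settings ==";   tutorial_conf   | audit_named_conf || true
echo "== restricted settings =="; restricted_conf | audit_named_conf && echo "no warnings"
```

On a real server, feed it the live file: audit_named_conf < /etc/named.conf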

Time to Test

Check the configuration:

# nslookup cnn.com
# dig @localhost cnn.com

Additional Resources

You can also read this nice article from Zytrax.com about the different DNS Configuration Types.
If you want to go any further, check the master DNS server tutorial.

34 comments on “RHEL7: Configure a caching-only name server.”
  1. Shikaz says:

    In one of the tutorials I have seen they are installing unbound instead of bind, do you think from the RHCE perspective it will matter to install bind or unbound?

  2. Jaz says:

    What if I put my interface ip address in listen-on port directive and add my network ip in allow-query directive during the exam even if not asked in the question?
    Because ‘any’ means no restriction.

  3. dan says:

    why set dnssec-validation to no?

    • CertDepot says:

      You can perfectly set dnssec-validation to yes but in this case you need to add some additional configuration.
      As this configuration is not needed for the RHCE exam, as far as I know, I didn’t add the corresponding instructions.

      • Oxygen says:

        It seems that disabling dnssec-validation can be safely omitted (correct me if I am wrong):
        “yes: DNSSEC validation is enabled, but a trust anchor must be manually configured. No validation will actually take place until you have manually configured at least one trusted key. This is the default.”

        • CertDepot says:

          When I wrote the tutorial 4 years ago, I had to set dnssec-validation no; otherwise it didn’t work.
          Since then, I haven’t tried with new versions of the bind package. Sorry.

  4. bazouie says:

    Hi Guys,
    I haven’t seen any DNS question on RHCE mock test. Do you think that might be included in the exam ?

    Thank you

  5. mairj23 says:

    Hi everyone, when I configure a cache only dns server it doesn’t resolve any domain, but it works correctly when I add forwarders. Any ideas? If I ping a domain from shell it works…
    Thanks in advance

  6. asifshabir says:

    This cache only DNS server is supposed to work when you don’t have internet connection i.e. it should resolve the domain even if net is down.

    I have followed this guide. Everything mentioned in this guide works perfectly. But, when I disable Internet, it does not resolve any domain.

    Please correct me if I am on a wrong line.

    • CertDepot says:

      A cache-only DNS server doesn’t provide any translation, domain -> IP address, on its own. When it can’t solve a domain, it asks a forwarder (Google DNS, etc) and stores in its cache the answer. When you ask the same domain again, it doesn’t ask the forwarder but reads its cache. That’s all.

    • Lisenet says:

      “This cache only DNS server is supposed to work when you don’t have internet connection i.e. it should resolve the domain even if net is down.”

      This is incorrect.

      When a DNS server resolves a query, it returns the answer to the client. The DNS server also stores the answer in its cache for the period of time that was allowed by the records’ TTL value. This way any subsequent requests are processed faster when the nameserver is asked to resolve the same names again. This is about storing the answers in cache – nothing to do with lost internet connection.

      • asifshabir says:

        thank you for your reply,

        Just to rephrase the question.
        we have resolved some domains with cache only DNS . Now internet is down…. those resolved domains should also get resolved while cache DNS is offline ( No internet )??

        I just wanted to know proper way of testing this server.

        • Lisenet says:

          Yes, the domain names that were resolved while the server had internet connection will still be served from cache even though internet is down as long as TTL is valid.

          • Sam says:

            I don’t think there is a simple way of testing this. If you can’t wait, set up a local DNS, and propagate it with local domain names. Unless you can wait for your internet to become live again.

          • Lisenet says:

            There is. You log into your caching-only DNS server, then resolve some domain name of your choice, then disable networking simulating “the loss of internet”, and try to resolve the same domain name again. It will be served from local DNS cache as long as TTL is valid.

  7. Mike_ says:

    This might be obvious to some or all, but it was not to me.

    Following the examples above, I realized that my caching doesn’t work if I have a valid DNS host in my /etc/resolv.conf. I verified this by dumping my cache after performing an nslookup and it was not present in the dump.

    On my system I configured dns caching:
    nslookup www.certdepot.net
    rndc dumpdb -cache
    grep certdepot /var/named/data/cache_dump.db (returns nothing)

    If I comment out the server from /etc/resolv.conf and perform same exercise, the certdepot is now in my cache.

    Just FYI: Just because you get a return from nslookup does not mean cache is working, your resolv.conf could circumvent it. Or, I could be very wrong. 🙂

    • CertDepot says:

      Interesting. Thanks.

    • Lisenet says:

      Can you clarify on “caching doesn’t work if I have a valid DNS host in my /etc/resolv.conf”.

      What do you mean by saying “a valid DNS host”? What is a valid DNS host in this case? Or what would be an invalid DNS host?

      • Mike_ says:


        Sorry, I will clarify.

        When I logged onto my system to create a DNS caching server, I already had DNS resolution configured via /etc/resolv.conf. It either points to my home router, or the KVM NAT gateway.

        I then install bind and configured it to be a DNS caching server, and provide DNS forwarders to be either another DNS server. e.g. The home router, the kvm gateway, or, etc.

        If after installing the bind to be a caching server, I attempt to test it via nslookup or dig, I am still using /etc/resolv.conf at that point. I must either force nslookup or dig to use my server as the resolver, or I have to change /etc/resolv.conf to point to the localhost.

        Does that make sense? Initially I did not and performed some nslookups, but noticed nothing was in my cache. Then I figured /etc/resolv.conf was still doing the work via home router. Once I modified it I was able to see results in cache via rndc dump.


        • Lisenet says:

          Caching does work if you use your caching DNS server to do name resolution, it obviously does not work if you use some other DNS server be it your home router, KVM gateway or anything else.

          • Mike_ says:

            Exactly! In the directions above, updating /etc/resolv.conf is omitted. Conversely, on your site, you use unbound, but you update the resolver to point to localhost.

          • Lisenet says:

            There are instructions for both Unbound as well as Bind (scroll down the page), and I use nmcli to set “ipv4.dns” (don’t mess around with editing resolv.conf manually).

  8. ursabear333 says:

    So, to be safe in the exam change the localhost to any? and we are good?

    • Lisenet says:

      It really depends on how a question is worded, but as long as firewall does not allow (or does allow) DNS traffic, this setting does not make much of a difference. My point is that even if you change it to “any” but don’t allow traffic via firewall, no external clients will be able to use DNS services.

    • Sam says:

      I would recommend only changing the dns if you are requested to. Follow the exam instructions. This goes for all questions. While you may/(may not) be able to change this, your goal is to pass the exam.

  9. muhammad.shakeeb says:

    Problem: Ping fails on internal host but nslookup and dig works.

    [root@node11 network-scripts]# cat ifcfg-ens33-1

    [root@node11 network-scripts]# getent hosts testserver.com.pk testserver.com.pk

    [root@node11 network-scripts]# nslookup testserver.com.pk

    Name: testserver.com.pk

    [root@node11 network-scripts]# dig testserver.com.pk

    ; <> DiG 9.9.4-RedHat-9.9.4-37.el7 <> testserver.com.pk
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55349
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
    ;; WARNING: recursion requested but not available

    ; EDNS: version: 0, flags:; udp: 4096
    ;testserver.com.pk. IN A

    testserver.com.pk. 86400 IN A

    com.pk. 86400 IN NS sanserver.com.pk.

    sanserver.com.pk. 86400 IN A

    ;; Query time: 1 msec
    ;; SERVER:
    ;; WHEN: Sat Jul 28 23:21:25 PKT 2018
    ;; MSG SIZE rcvd: 102


    [root@node11 network-scripts]# ping testserver.com.pk
    PING testserver.com.pk ( 56(84) bytes of data.

  10. Pat says:

    How do I know that the caching dns works? What should I expect typing nslookup cnn.com dig @ cnn.com?

    • Lisenet says:

      If DNS caching works, you should see the query time drop to zero on the second run because no lookup has to be made.

      The first run queries the DNS:

      # dig A google.com +noall +stats @
      ;; Query time: 67 msec

      The second run returns the result from the cache:

      # dig A google.com +noall +stats @
      ;; Query time: 0 msec
