Install and Configure Caching-Only DNS Server in RHEL/CentOS 7


DNS (Domain Name System) plays a crucial role in translating domain names into IP addresses, allowing users to access websites using human-readable URLs. To enhance DNS performance and reduce network latency, implementing a caching-only DNS server can significantly improve the speed and efficiency of DNS lookups. In this article, we will guide you through the process of installing and configuring a caching-only DNS server in RHEL/CentOS 7.


Before proceeding, ensure that you have the following −

  • A server running RHEL/CentOS 7.

  • Root or sudo access to the server.

  • Basic knowledge of the Linux command line.

Update the System

To begin, update your system packages to their latest versions by running the following command −

sudo yum update -y

Install BIND DNS Server

BIND (Berkeley Internet Name Domain) is the most widely used DNS software. Install the BIND package using the following command −

sudo yum install bind bind-utils -y

Configure BIND DNS Server

Next, we need to configure BIND to work as a caching-only DNS server. Open the BIND configuration file in a text editor −

sudo vi /etc/named.conf

Inside the file, replace its contents with the following configuration −

options {
   listen-on port 53 { any; };
   listen-on-v6 port 53 { any; };
   directory "/var/named";
   dump-file "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
   memstatistics-file "/var/named/data/named_mem_stats.txt";
   recursion yes;
   dnssec-enable no;
   dnssec-validation no;
   allow-query { any; };

Save and close the file by pressing Esc followed by −wq.

Configure DNS Forwarders

To improve the DNS resolution speed, we can configure BIND to use DNS forwarders. Open the BIND options file −

sudo vi /etc/named.rfc1912.zones

Add the following forwarder configuration inside the file −

zone "." IN {	
   type hint;
   file "";

zone "localhost" IN {
   type master;
   file "";
   allow-update { none; };

zone "" IN {
   type master;
   file "named.loopback";
   allow-update { none; };

zone "" IN {
   type forward;
   forwarders {;; };
   forward only;

Save and close the file.

Enable and Start BIND Service

To enable BIND to start automatically at system boot, run the following command −

sudo systemctl enable named

Then, start the BIND service using −

sudo systemctl start named

Test the Caching-Only DNS Server

To ensure that the caching-only DNS server is functioning correctly, we can perform some tests. Here are a few examples with their expected outputs −

Example 1: Checking the DNS Resolver

Run the following command to check if the server is using the caching-only DNS server as the resolver −




Non-authoritative answer:

Example 2: Checking Cached DNS Entries

To verify if the DNS server is caching the DNS entries, perform a lookup twice for the same domain −




Non-authoritative answer:

Run the same command again, and you should observe a reduced response time, indicating that the DNS entry was served from the cache.

Example 3: Checking Forwarding to DNS Forwarders

To ensure that the DNS server is forwarding the queries to the specified DNS forwarders, perform a lookup for a non-cached domain −




Non-authoritative answer:

The response should contain the IP address provided by the DNS forwarder (in this case, the Google DNS servers).

Securing the Caching-Only DNS Server

It's crucial to implement security measures to protect your caching-only DNS server from potential attacks. Here are a few recommendations −

Firewall Configuration − Use firewall rules to allow DNS traffic only from trusted sources. For example, to allow DNS queries from the local network (, execute the following commands:

sudo firewall-cmd --zone=public --add-service=dns --permanent
sudo firewall-cmd --zone=public --add-source= --permanent
sudo firewall-cmd --reload

Limit Query Rate − Implement rate limiting to prevent DNS amplification attacks and excessive queries from a single source. Open the BIND options file (/etc/named.conf) and add the following configuration inside the options block −

rate-limit {
   responses-per-second 5;
   nxdomains-per-second 5;
   errors-per-second 5;

DNSSEC − Consider enabling DNSSEC (Domain Name System Security Extensions) to protect against DNS spoofing and data integrity attacks. Open the BIND options file (/etc/named.conf) and modify the dnssec-enable and dnssec-validation options as follows −

dnssec-enable yes;
dnssec-validation yes;

Note − Enabling DNSSEC requires additional configuration, including key generation and signing.

Monitoring and Logging

Monitoring and logging DNS activity can provide valuable insights into server performance and potential issues. Here are a few tools and techniques to consider −

BIND Statistics − BIND provides statistics about the DNS server's performance and resource usage. Access the statistics by running the following command −

sudo rndc stats

This generates a statistics file in the /var/named/data directory.

Log Files − BIND logs DNS-related events and errors to log files. The default log file location is /var/log/messages. To view BIND-specific logs, use the following command −

sudo tail -f /var/log/messages | grep named

Monitoring Tools − Consider using monitoring tools like dnstop or dnsmeter to gather detailed DNS traffic statistics and analyze server performance.

Fine-Tuning DNS Server Configuration

Depending on your specific requirements, you may need to adjust certain DNS server parameters to optimize performance. Here are a few configuration options worth exploring −

Cache Size − By default, BIND allocates a limited amount of memory for DNS caching. Adjust the cache size based on your server's available resources and expected query load. Open the BIND options file (/etc/named.conf) and modify the max-cache-size option as needed.

TTL (Time to Live) − DNS records contain a TTL value, which specifies how long they can be cached by clients and DNS servers. Adjusting the TTL value can impact how frequently DNS resolutions are fetched from upstream servers. Consider modifying the TTL value based on your requirements.

Zone Transfer − If you have secondary DNS servers, configure zone transfers to keep them in sync with the caching-only DNS server. Refer to the BIND documentation for more details on configuring zone transfers.


By following the steps outlined in this article, you have successfully installed and configured a caching-only DNS server on your RHEL/CentOS 7 system. The caching functionality improves DNS lookup performance by storing frequently accessed domain name resolutions, reducing network latency and enhancing overall browsing experience. You can now enjoy the benefits of faster DNS resolution and improved network efficiency.

Updated on: 17-Jul-2023


Kickstart Your Career

Get certified by completing the course

Get Started