Split DNS, sometimes called dual-homed DNS, is a DNS server connected to two or more networks that serves different information depending on the network the request comes from. This is very helpful when you want different views, i.e. different IP addresses for the same server. For example, your mail server will have one address when you access it from the internal network and a totally different one when you access it from the Internet.
In this article I will use the 10.1.0 and 10.0.1 networks as examples.
23. Define access control lists in the Bind configuration
Add the following lines to named.conf:
acl net1 { 10.1.0.0/24; };
acl net2 { 10.0.1.0/24; };
24. Redefine the example.net zone to be int.example.net
This:
zone "example.net" in {
    type master;
    file "master.example.net";
    allow-transfer { 10.1.0.10; };
};
becomes:
zone "int.example.net" in {
    type master;
    file "master.example.net";
    allow-transfer { 10.1.0.10; };
    allow-query { net1; };
};
This is needed because the same zone name cannot be defined twice in the configuration.
25. And the same for the IP network
This:
zone "0.1.10.IN-ADDR.ARPA" in {
    type master;
    file "10.1.0.rev";
    allow-transfer { 10.1.0.10; };
};
becomes:
zone "0.1.10.IN-ADDR.ARPA" in {
    type master;
    file "10.1.0.rev";
    allow-transfer { 10.1.0.10; };
    allow-query { net1; };
};
26. Let's add new sections for the external view of the domain and IP addresses
zone "example.net.ext" in {
    type master;
    file "master.example.net.ext";
    allow-query { net1; net2; };
};
zone "1.0.10.IN-ADDR.ARPA" in {
    type master;
    file "10.0.1.rev";
    allow-query { net1; net2; };
};
27. And create the appropriate files
[root@nsd named]# cat master.example.net.ext
@ IN SOA ns.example.net. root.ns.example.net. (
    2010081501 ; serial
    3600       ; refresh
    900        ; retry
    1209600    ; expire
    43200      ; minimum (negative caching TTL)
)
@  IN NS ns.example.net.
ns IN A  10.0.1.5
[root@nsd named]# cat 10.0.1.rev
@ IN SOA ns.example.net. root.ns.example.net. (
    2010081501 ; serial
    3600       ; refresh
    900        ; retry
    1209600    ; expire
    43200      ; minimum (negative caching TTL)
)
@ IN NS  ns.example.net.
5 IN PTR ns.example.net.
Of course, in my old files I replaced the *.example.net records with *.int.example.net.
28. And tell the name server to reload its configuration
[root@nsd named]# rndc reload
server reload successful
29. And of course make some tests
29.1. First from network 10.1.0
[root@nsd named]# nslookup
> nsd
Server: 10.1.0.5
Address: 10.1.0.5#53
Name: nsd.int.example.net
Address: 10.1.0.5
> set q=ns
> int.example.net
Server: 10.1.0.5
Address: 10.1.0.5#53
example.net nameserver = nsd.int.example.net.
example.net nameserver = centos.int.example.net.
> ns.example.net
Server: 10.1.0.5
Address: 10.1.0.5#53
Name: ns.example.net
Address: 10.0.1.5
> 10.0.1.5
Server: 10.1.0.5
Address: 10.1.0.5#53
5.1.0.10.in-addr.arpa name = ns.example.net.
29.2. And from network 10.0.1
[root@c01-n1 ~]# ifconfig|grep -E "Ethernet|inet addr"
eth0 Link encap:Ethernet HWaddr 00:0C:29:E1:57:32
inet addr:10.0.1.101 Bcast:10.0.1.255 Mask:255.255.255.0
inet addr:127.0.0.1 Mask:255.0.0.0
[root@c01-n1 ~]# nslookup
> ns
Server: 10.0.1.5
Address: 10.0.1.5#53
Name: ns.example.net
Address: 10.0.1.5
> 10.0.1.5
Server: 10.0.1.5
Address: 10.0.1.5#53
5.1.0.10.in-addr.arpa name = ns.example.net.
> nsd
Server: 10.0.1.5
Address: 10.0.1.5#53
** server can't find nsd: NXDOMAIN
> nsd.int.example.net
Server: 10.0.1.5
Address: 10.0.1.5#53
** server can't find nsd.int.example.net: NXDOMAIN
So if I name my mail server just mail and add int.example.net and example.net to the search domains, I will reach the same server independently of the network I am attached to. And people outside get no access to information about my internal network.
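To check which client network gets which zone before reloading named, here is an added example (Python, not from the post) that models how BIND evaluates an address match list, applied to the acl and allow-query statements above. The ACL names, zone names and prefixes are the post's; the host address 10.1.0.7 in ordering_matters() is a constructed example.

```python
"""Added example (not from the original post): a model of BIND's address
match list evaluation, applied to the post's acl/allow-query settings, so
you can see which client network sees which zone before reloading named.
ACL names, zone names and prefixes are from the post's named.conf; the host
10.1.0.7 in ordering_matters() is a constructed address."""
import ipaddress

# acl net1 { 10.1.0.0/24; };  acl net2 { 10.0.1.0/24; };  (from the post)
ACLS = {
    "net1": ["10.1.0.0/24"],
    "net2": ["10.0.1.0/24"],
    "any": ["0.0.0.0/0"],
    "none": [],
}

# allow-query lists of the post's zone statements
ZONES = {
    "int.example.net": ["net1"],
    "0.1.10.IN-ADDR.ARPA": ["net1"],
    "example.net.ext": ["net1", "net2"],
    "1.0.10.IN-ADDR.ARPA": ["net1", "net2"],
}


def match(client, aml, acls=ACLS):
    """Evaluate an address match list the way BIND does: elements are tried
    in order and the first one that matches decides; a leading '!' negates;
    an ACL name is expanded in place (only a positive match inside a nested
    ACL counts, so a negation inside it never becomes a surprise allow).
    Returns True (allow), False (deny) or None (nothing matched; BIND
    treats an unmatched allow-query list as deny)."""
    ip = ipaddress.ip_address(client)
    for elem in aml:
        negate = elem.startswith("!")
        name = elem.lstrip("!").strip()
        if name in acls:
            if match(client, acls[name], acls):
                return not negate
            continue
        if ip in ipaddress.ip_network(name, strict=False):
            return not negate
    return None


def allowed(client, aml, acls=ACLS):
    """True only when the list yields a positive match."""
    return match(client, aml, acls) is True


def visible_zones(client):
    """Zones whose allow-query admits this client address."""
    return sorted(z for z, aml in ZONES.items() if allowed(client, aml))


def ordering_matters():
    """Same two elements, different order: with first-match semantics the
    negation only takes effect when it comes before the broader network."""
    deny_first = allowed("10.1.0.7", ["!10.1.0.7", "net1"])  # False
    deny_last = allowed("10.1.0.7", ["net1", "!10.1.0.7"])   # True
    return deny_first, deny_last


if __name__ == "__main__":
    for client in ("10.1.0.101", "10.0.1.101", "192.0.2.1"):
        print(client, "->", visible_zones(client) or "nothing (REFUSED)")
    print("negation before net1 / after net1:", ordering_matters())
```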
DNS - make it simple and fast, part 4 - master/slave
12. Why a master/slave architecture is needed
There are many reasons why this architecture is needed. First of all, redundancy: if you have only one DNS server, what happens in case of hardware failure, or if the DNS software or the OS crashes? That is why it is wise to have more than one server, and to avoid synchronization effort and mistakes it is good to do it automatically.
The next possible reason is spreading the load of DNS requests. In a big enterprise the requests can overload a single server. Of course you can replace it with a new, more powerful server, but this will (again) be a single point of failure.
Another reason can be security. If you expose only the secondary server to public access, this prevents (more or less) the possibility of someone harming the resolution of host names and IP addresses. In the end it is still a server, so do not forget to implement all the security precautions you usually do.
13. Configure the master to allow transfers to the slave server(s)
In the file /var/named/chroot/etc/named.conf the block
zone "example.net" in {
    type master;
    file "master.example.net";
};
will become
zone "example.net" in {
    type master;
    file "master.example.net";
    allow-transfer { 10.1.0.10; };
};
and
zone "0.1.10.IN-ADDR.ARPA" in {
    type master;
    file "10.1.0.rev";
};
will become
zone "0.1.10.IN-ADDR.ARPA" in {
    type master;
    file "10.1.0.rev";
    allow-transfer { 10.1.0.10; };
};
14. Configure the slave server
The base is the same, so let's edit /var/named/chroot/etc/named.conf. I will use the config file from the master and just edit some sections, like
zone "example.net" in {
    type master;
    file "master.example.net";
    allow-transfer { 10.1.0.10; };
};
becomes
zone "example.net" in {
    type slave;
    file "slave.example.net";
    masters { 10.1.0.5; };
};
and
zone "0.1.10.IN-ADDR.ARPA" in {
    type master;
    file "10.1.0.rev";
    allow-transfer { 10.1.0.10; };
};
becomes
zone "0.1.10.IN-ADDR.ARPA" in {
    type slave;
    file "10.1.0.rev.slave";
    masters { 10.1.0.5; };
};
14. Check the configuration
[root@centos named]# service named configtest
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
15. This looks nice, but a few more steps are needed
>/var/named/chroot/var/named/10.1.0.rev.slave
>/var/named/chroot/var/named/slave.example.net
chown named:named /var/named/chroot/var/named/10.1.0.rev.slave /var/named/chroot/var/named/slave.example.net
mkdir -p /var/named/chroot/tmp
chmod 1777 /var/named/chroot/tmp
The last two lines are needed because of the chroot environment.
16. Run the server
[root@centos named]# service named start
Starting named: [ OK ]
17. And of course make some tests
[root@centos named]# nslookup
> server 10.1.0.10
Default server: 10.1.0.10
Address: 10.1.0.10#53
> nsd
Server: 10.1.0.10
Address: 10.1.0.10#53
Name: nsd.example.net
Address: 10.1.0.5
> nsd.example.net.
Server: 10.1.0.10
Address: 10.1.0.10#53
Name: nsd.example.net
Address: 10.1.0.5
> centos
Server: 10.1.0.10
Address: 10.1.0.10#53
Name: centos.example.net
Address: 10.1.0.10
> set q=mx
> example.net
Server: 10.1.0.10
Address: 10.1.0.10#53
example.net mail exchanger = 1 centos.example.net.
> set q=ns
> example.net
Server: 10.1.0.10
Address: 10.1.0.10#53
example.net nameserver = nsd.example.net.
> exit
18. All is fine except one minor mistake.
The definitions for the domain example.net are missing our new name server. Let's correct this.
19. Go to the master name server and edit /var/named/chroot/var/named/master.example.net
The line
2010072501 ; serial
will be changed to
2010080701 ; serial
and after the line
@ IN NS nsd.example.net.
will be added
@ IN NS centos.example.net.
20. Make the server reload the configuration
[root@nsd named]# service named reload
Reloading named: [ OK ]
21. And go back to the slave server
[root@centos named]# nslookup
> server 10.1.0.10
Default server: 10.1.0.10
Address: 10.1.0.10#53
> set q=ns
> example.net
Server: 10.1.0.10
Address: 10.1.0.10#53
example.net nameserver = centos.example.net.
example.net nameserver = nsd.example.net.
22. Et voilà, we already have a working master/slave DNS configuration
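The serial bump in step 19 is what makes the slave pick up the change, so here is an added example (Python, not from the post) with the RFC 1982 comparison a slave applies to the master's serial and a helper that produces the next serial in the post's YYYYMMDDnn convention. The serials and the date are the post's own.

```python
"""Added example (not from the original post): serial helpers for step 19.
A slave re-transfers a zone only when the master's serial is 'greater' in
RFC 1982 serial arithmetic (32-bit, wrapping), so an unchanged or mistyped
serial silently leaves the slave stale. next_serial() follows the post's
YYYYMMDDnn convention; the serials and date below are the post's own."""

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)


def serial_gt(a, b):
    """RFC 1982 'greater than': a != b and the forward distance from b to a,
    taken modulo 2^32, is below 2^31. A distance of exactly 2^31 is undefined
    in the RFC and reported as not-greater here."""
    a, b = a % MOD, b % MOD
    return a != b and (a - b) % MOD < HALF


def slave_transfers(master_serial, slave_serial):
    """True when the slave's SOA refresh check will trigger a zone transfer."""
    return serial_gt(master_serial, slave_serial)


def next_serial(current, today_yyyymmdd):
    """Next serial in the YYYYMMDDnn scheme: today's date with revision 01,
    or current + 1 when that would not count as an increase (for example a
    second edit on the same day). The result is always 'greater' than current."""
    candidate = today_yyyymmdd * 100 + 1
    if not serial_gt(candidate, current):
        candidate = (current + 1) % MOD
    assert serial_gt(candidate, current)
    return candidate


if __name__ == "__main__":
    # the post's edit: 2010072501 changed on 7 Aug 2010 becomes 2010080701
    new = next_serial(2010072501, 20100807)
    print("new serial", new, "-> slave transfers:", slave_transfers(new, 2010072501))
    # a second edit on the same day only bumps the revision
    print("same-day edit:", next_serial(new, 20100807))
    # leaving the serial alone, or lowering it, keeps the slave on the old zone
    print("unchanged:", slave_transfers(2010072501, 2010072501),
          "lowered:", slave_transfers(2010072401, 2010072501))
    # the comparison wraps: 1 counts as greater than 2^32 - 1
    print("wrap-around:", serial_gt(1, MOD - 1))
```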
DNS - make it simple and fast, part 3
8. Master domain zone
I will create sample records for my master zone in the file master.example.net
[root@nsd named]# cat master.example.net
@ IN SOA nsd.example.net. root.nsd.example.net. (
    2010072401 ; serial
    3600       ; refresh
    900        ; retry
    1209600    ; expire
    43200      ; minimum (negative caching TTL)
)
@      IN NS nsd.example.net.
@      IN MX 1 centos.example.net.
gw1    IN A  10.1.0.1
gw2    IN A  10.1.0.2
nsd    IN A  10.1.0.5
centos IN A  10.1.0.10
As you can see, I define one name server, one mail exchanger and four hosts.
9. Reverse zone for network 10.1.0
@ IN SOA nsd.example.net. root.nsd.example.net. (
    2010072401 ; serial
    3600       ; refresh
    900        ; retry
    1209600    ; expire
    43200      ; minimum (negative caching TTL)
)
@  IN NS  nsd.example.net.
1  IN PTR gw1.example.net.
2  IN PTR gw2.example.net.
5  IN PTR nsd.example.net.
10 IN PTR centos.example.net.
I have only four IP addresses. Do not forget the dot at the end of host names.
10. Check the configuration
[root@nsd named]# service named configtest
master.example.net:1: no TTL specified; using SOA MINTTL instead
zone example.net/IN: loaded serial 2010072401
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
10.1.0.rev:1: no TTL specified; using SOA MINTTL instead
zone 0.1.10.IN-ADDR.ARPA/IN: loaded serial 2010072401
All seems OK, so it's time to start the service and make some tests
11. Start and tests
[root@nsd named]# service named restart
Starting named: [ OK ]
[root@nsd named]# nslookup gw1
Server: 10.1.0.5
Address: 10.1.0.5#53
Name: gw1.example.net
Address: 10.1.0.1
[root@nsd named]# nslookup gw1.example.net
Server: 10.1.0.5
Address: 10.1.0.5#53
Name: gw1.example.net
Address: 10.1.0.1
[root@nsd named]# nslookup 10.1.0.5
Server: 10.1.0.5
Address: 10.1.0.5#53
5.0.1.10.in-addr.arpa name = nsd.example.net.
[root@nsd named]# nslookup
> set q=ns
> example.net
Server: 10.1.0.5
Address: 10.1.0.5#53
example.net nameserver = nsd.example.net.
> set q=mx
> example.net
Server: 10.1.0.5
Address: 10.1.0.5#53
example.net mail exchanger = 1 centos.example.net.
> exit
In the end our name server is up and running and can serve my domain and my IP range for my home network. For further information about the parameters used in the files above, please refer to the official Bind documentation.
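Here is an added example (Python, not from the post) that checks zone files for the mistakes this post warns about or makes: '@' in the SOA contact field, a target name without the trailing dot (BIND appends the origin to it), and PTR records that do not agree with the forward zone. FORWARD and REVERSE reproduce the two zone files as they were first published here (the forward SOA is written on one line to save space); the codes SOA-RNAME, RELATIVE-TARGET and PTR-MISMATCH are my own labels.

```python
"""Added example (not from the original post): sanity checks for zone files like
the two above. It flags '@' inside the SOA contact field, a target that looks
fully qualified but has no trailing dot (BIND appends the origin), and PTR
records that disagree with the forward zone. FORWARD and REVERSE are the post's
files as first published (forward SOA collapsed to one line)."""
import ipaddress
import re

FORWARD = """\
@ IN SOA nsd.example.net. root@nsd.example.net. ( 2010072401 3600 900 1209600 43200 )
@ IN NS nsd.example.net.
@ IN MX 1 centos.example.net.
gw1 IN A 10.1.0.1
gw2 IN A 10.1.0.2
nsd IN A 10.1.0.5
centos IN A 10.1.0.10
"""
REVERSE = """\
@ IN SOA nsd.example.net. root@nsd.example.net. (
2010072401 ; serial
3600 ; refresh
900 ; retry
1209600 ; expire
43200 ; default_ttl
)
@ IN NS nsd.example.net
1 IN PTR gw1.example.net.
2 IN PTR gw1.example.net.
5 IN PTR nsd.example.net.
10 IN PTR centos.example.net.
"""
RTYPES = {"SOA", "NS", "MX", "A", "AAAA", "PTR", "CNAME", "TXT"}
NAME_FIELD = {"NS": 0, "PTR": 0, "CNAME": 0, "MX": 1}  # RDATA index of the name


def absolute(name, origin):
    """'@' and relative names become a lower-case FQDN with trailing dot."""
    if name == "@":
        return origin.lower()
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """(owner, rtype, rdata) tuples; drops ';' comments, joins '( ... )'."""
    text = re.sub(r";[^\n]*", "", text)
    text = re.sub(r"\([^)]*\)", lambda m: m.group(0).replace("\n", " "), text)
    records = []
    for line in text.splitlines():
        tok = line.replace("(", " ").replace(")", " ").split()
        rest = tok[1:]
        while rest and rest[0] not in RTYPES:  # skip class and optional TTL
            rest.pop(0)
        if rest:
            records.append((absolute(tok[0], origin), rest[0], rest[1:]))
    return records


def lint(forward, fwd_origin, reverse, rev_origin):
    """Return 'CODE: detail' findings for a forward zone and its reverse zone."""
    fwd, rev = parse_zone(forward, fwd_origin), parse_zone(reverse, rev_origin)
    a_by_name = {owner: rd[0] for owner, t, rd in fwd if t == "A"}
    out = []
    for origin, recs in ((fwd_origin, fwd), (rev_origin, rev)):
        for owner, t, rd in recs:
            if t == "SOA" and "@" in rd[1]:
                out.append(f"SOA-RNAME: {rd[1]} contains '@'; write root.{rd[1].split('@', 1)[1]}")
            i = NAME_FIELD.get(t)
            if i is not None and "." in rd[i] and not rd[i].endswith("."):
                out.append(f"RELATIVE-TARGET: {t} {rd[i]} has no trailing dot; BIND loads it as {absolute(rd[i], origin)}")
    for owner, t, rd in rev:  # every PTR must point back at a matching A record
        if t == "PTR":
            target = absolute(rd[0], rev_origin)
            addr = a_by_name.get(target)
            if addr is None or ipaddress.ip_address(addr).reverse_pointer + "." != owner:
                out.append(f"PTR-MISMATCH: {owner} -> {target} but forward zone has {target} A {addr}")
    return out


if __name__ == "__main__":
    print(*lint(FORWARD, "example.net.", REVERSE, "0.1.10.IN-ADDR.ARPA."), sep="\n")
```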
DNS - make it simple and fast, part 2
6. Root servers
With one simple command I will create the root servers file and make sure this information is correct
[root@nsd chroot]# dig @e.root-servers.net . ns >/var/named/chroot/var/named/root.servers
And the content of the file is
[root@nsd chroot]# cat /var/named/chroot/var/named/root.servers
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @e.root-servers.net . ns
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35642
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS e.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 3600000 IN A 198.41.0.4
a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 3600000 IN A 192.228.79.201
c.root-servers.net. 3600000 IN A 192.33.4.12
d.root-servers.net. 3600000 IN A 128.8.10.90
e.root-servers.net. 3600000 IN A 192.203.230.10
f.root-servers.net. 3600000 IN A 192.5.5.241
f.root-servers.net. 3600000 IN AAAA 2001:500:2f::f
g.root-servers.net. 3600000 IN A 192.112.36.4
h.root-servers.net. 3600000 IN A 128.63.2.53
h.root-servers.net. 3600000 IN AAAA 2001:500:1::803f:235
i.root-servers.net. 3600000 IN A 192.36.148.17
i.root-servers.net. 3600000 IN AAAA 2001:7fe::53
j.root-servers.net. 3600000 IN A 192.58.128.30
;; Query time: 126 msec
;; SERVER: 192.203.230.10#53(192.203.230.10)
;; WHEN: Sat Jul 24 20:30:15 2010
;; MSG SIZE rcvd: 500
But I will check, just in case, that all is OK with the file
[root@nsd chroot]# service named configtest
_default/example.net/in: file not found
_default/localhost/in: file not found
_default/0.0.127.in-addr.arpa/in: file not found
_default/0.1.10.IN-ADDR.ARPA/in: file not found
zone example.net/IN: loading master file master.example.net: file not found
zone localhost/IN: loading master file master.localhost: file not found
zone 0.0.127.in-addr.arpa/IN: loading master file localhost.rev: file not found
zone 0.1.10.IN-ADDR.ARPA/IN: loading master file 10.1.0.rev: file not found
Aha, no more complaints about a missing root servers file
7. Local domain and host files (RFC 1912)
Because I am lazy I will take the files directly from the bind package examples
[root@nsd chroot]# cp /usr/share/doc/bind-9.3.6/sample/var/named/named.local /var/named/chroot/var/named/localhost.rev
[root@nsd chroot]# cp /usr/share/doc/bind-9.3.6/sample/var/named/localdomain.zone /var/named/chroot/var/named/master.localhost
And check the situation
[root@nsd chroot]# service named configtest
_default/example.net/in: file not found
_default/0.1.10.IN-ADDR.ARPA/in: file not found
zone example.net/IN: loading master file master.example.net: file not found
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
zone 0.1.10.IN-ADDR.ARPA/IN: loading master file 10.1.0.rev: file not found
Cool, so part of the files are in place and I can continue with the configuration
DNS - make it simple and fast
1. Preamble
In this article I will try to show how to set up a simple DNS server. Do not expect to see master/slave architecture, DNSSEC, sophisticated settings and so on here (maybe in some later article). The DNS server will serve the example.net domain, which is free and everyone can use it locally. The examples are based on Bind v9 and RHEL/CentOS. If you use a different distribution, please consult your manuals.
2. First let's check the prerequisites
[root@nsd ~]# rpm -qa |grep bind
bind-utils-9.3.6-4.P1.el5_4.2
ypbind-1.19-12.el5
bind-libs-9.3.6-4.P1.el5_4.2
bind-chroot-9.3.6-4.P1.el5_4.2
bind-9.3.6-4.P1.el5_4.2
If you do not have it installed you can do it with the command
[root@nsd ~]# yum install bind-chroot
I will use a chroot environment to make the server a little bit more secure. This does not change the examples below much.
3. Check the directory tree
[root@nsd ~]# grep -v ^# /etc/sysconfig/named
ROOTDIR=/var/named/chroot
[root@nsd ~]# cd /var/named/chroot/
[root@nsd chroot]# tree
.
|-- dev
| |-- null
| |-- random
| `-- zero
|-- etc
| |-- localtime
| `-- rndc.key
`-- var
|-- log
|-- named
| |-- data
| `-- slaves
|-- run
| `-- named
`-- tmp
10 directories, 5 files
4. Looks good, so let's start building our named.conf file
4.1. Options
options {
    directory "/var/named";
    allow-recursion { 10.1.0.0/24; };
};
The base directory for zone files is set to /var/named and recursive queries are allowed only from my local network IP range. Do not forget that the actual path is /var/named/chroot/var/named because of the chroot environment.
4.2. Root servers
zone "." {
    type hint;
    file "root.servers";
};
This is the definition of the servers that serve the top-level Internet zone . (dot).
4.3. Local host
zone "localhost" in {
    type master;
    file "master.localhost";
    allow-update { none; };
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "localhost.rev";
    allow-update { none; };
};
Here is the definition for the localhost zone and its corresponding reverse zone.
4.4. My zone
zone "example.net" in {
    type master;
    file "master.example.net";
};
I will not allow any slaves, because this will be the only DNS server in the network.
4.5. My reverse zone
zone "0.1.10.IN-ADDR.ARPA" in {
    type master;
    file "10.1.0.rev";
};
I will manage the 10.1.0 network locally.
5. Create the file named.conf and check the configuration
[root@nsd chroot]# vi etc/named.conf
[root@nsd chroot]# service named configtest
_default/example.net/in: file not found
_default/localhost/in: file not found
_default/0.0.127.in-addr.arpa/in: file not found
_default/0.1.10.IN-ADDR.ARPA/in: file not found
zone example.net/IN: loading master file master.example.net: file not found
zone localhost/IN: loading master file master.localhost: file not found
zone 0.0.127.in-addr.arpa/IN: loading master file localhost.rev: file not found
zone 0.1.10.IN-ADDR.ARPA/IN: loading master file 10.1.0.rev: file not found
As expected, the zone files do not exist yet, but I will create them soon. Do not forget that the actual place of the config file is inside the chroot-ed environment, i.e. /var/named/chroot/etc and not /etc.