Bind Operations - Set Up DNS Server
Revision as of 00:49, 4 April 2017
=External=
* Red Hat Support Solution (used to write the procedure below): https://access.redhat.com/solutions/40683
* Red Hat Enterprise Linux 7 Networking Guide - Chapter 11 DNS Servers: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-DNS_Servers.html
* Red Hat Enterprise Linux 6 Deployment Guide - DNS Servers: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-DNS_Servers.html
* Step by Step how to setup a DNS Server in RHEL 6 Using Bind: https://github.com/blackyboy/RedHat-Centos-Common-Stuffs/blob/master/Step-by-Step-how-to-setup-a-DNS-Server-in-RHEL-6.2-6.4-6.5-Using-Bind.md
=Internal=
=Overview=
This is a step by step guide on installing and configuring a bind DNS server. We needed it during the deployment of an OpenShift Enterprise v3 instance. The procedure has been tested with Red Hat Enterprise Linux 7.1.
During this procedure we will create a new "openshift.local" zone file and all OpenShift hosts will get names within the "*.openshift.local" DNS domain.
=Binary Installation=
Install the bind binaries:
<pre>
yum install bind* -y
</pre>
{{Warn|'''DO NOT''' <tt>yum remove bind*</tt>, it will remove dhclient and related libraries, and that might render your host inoperable.}}
=Starting and Stopping the Server=
Installing the binaries deploys a bind server with a basic configuration that can be started and stopped.
==Starting the Server==
You can start the server right away; it should start fine. If it does not, see [[#Troubleshooting the Server|Troubleshooting the Server]].
<pre>
systemctl start named
</pre>
==Stopping the Server==
<pre>
systemctl stop named
</pre>
=Troubleshooting the Server=
systemctl status:
<pre>
systemctl status named
</pre>
journalctl:
<pre>
journalctl -u named
</pre>
Log file:
<pre>
/var/named/data/named.run
</pre>
=Edit /etc/named.conf=
<tt>/etc/named.conf</tt> is the main configuration file.
Use the default and modify the following:
==listen-on==
Specifies the IPv4 network interface on which to listen for queries.
On a DNS server that also acts as a gateway, you can use this option to answer queries originating from a single network only. All IPv4 interfaces are used by default.
<pre>
options {
    ...
    listen-on port 53 { any; };
    ...
};
</pre>
==listen-on-v6==
Specifies the IPv6 network interface on which to listen for queries.
On a DNS server that also acts as a gateway, you can use this option to answer queries originating from a single network only. All IPv6 interfaces are used by default.
<pre>
options {
    ...
    listen-on-v6 port 53 { any; };
    ...
};
</pre>
==allow-query==
Specifies which hosts are allowed to query the nameserver for authoritative resource records.
It accepts an access control list, a collection of IP addresses, or networks in CIDR notation. All hosts are allowed by default.
<pre>
options {
    ...
    allow-query { any; };
    ...
};
</pre>
=Adding a Zone=
Add a zone in <tt>/etc/named.conf</tt>, as follows. Conventionally, I place it between the zone "." stanza and the include directive:
<pre>
...
zone "." IN {
    type hint;
    file "named.ca";
};
zone "openshift.local" IN {
    type master;
    file "openshift.local.zone";
};
include "/etc/named.rfc1912.zones";
...
</pre>
The zone file path specified after "file" is relative to <tt>/var/named</tt>.
Start with <tt>named.localhost</tt> as a model:
<pre>
cd /var/named
cp named.localhost openshift.local.zone
</pre>
Make sure the file has the same ownership as the rest of the files in the directory:
<pre>
chown root:named openshift.local.zone
</pre>
==Zone File==
<tt>/var/named/openshift.local.zone</tt>:
<pre>
$TTL 3600
@                   IN SOA  openshift.local. root (
                            2015092101 ; serial
                            3600       ; refresh
                            15M        ; retry
                            1W         ; expire
                            1D )       ; minimum
                    IN NS   localhost
localhost           IN A    127.0.0.1
ns                  IN A    172.20.2.10
openshift-master1   IN A    172.20.2.1
openshift-node1     IN A    172.20.2.2
openshift-node2     IN A    172.20.2.3
</pre>
==PTR (Inverse Record) File==
<font color=red>TODO: not tested.</font>
<tt>/var/named/openshift.local.rzone</tt>:
<pre>
$TTL 3600
@            IN SOA  openshift.local. root.openshift.local. (
                     2015092101 ; serial
                     3600       ; refresh
                     15M        ; retry
                     1W         ; expire
                     1D )       ; minimum
             IN NS   localhost.
172.20.2.1   IN PTR  openshift-master1.openshift.local.
172.20.2.2   IN PTR  openshift-node1.openshift.local.
</pre>
Make sure the file has the same ownership as the rest of the files in the directory:
<pre>
chown root:named openshift.local.rzone
</pre>
<font color=red>I think the reverse resolution is not fully enabled until I add something like the following in /etc/named.conf:</font>
<pre>
zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "reverse.linuxzadmin";
    allow-update { none; };
};
</pre>
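A PTR lookup for 172.20.2.1 asks for the name 1.2.20.172.in-addr.arpa, so whole IPs used as owner names inside a zone called openshift.local are never consulted; the reverse zone has to be the in-addr.arpa zone named in the stanza above. The script below is an added example, not from the original page: it derives that zone and its named.conf stanza from the forward zone file, assuming all hosts share one /24 and that ns.openshift.local is the zone's name server.

```shell
#!/bin/sh
# Added example, not from the original page: build the in-addr.arpa reverse
# zone for the 172.20.2.0/24 hosts of the forward zone above. Assumes a /24
# and that ns.<domain> is the name server (both are assumptions).
reverse_origin() {            # 172.20.2 -> 2.20.172.in-addr.arpa
    printf '%s' "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}
# gen_reverse_zone <forward zone file> <domain> <first three octets>
gen_reverse_zone() {
    fwd="$1"; domain="$2"; net="$3"
    printf '$TTL 3600\n'
    # The serial must be bumped on every edit, as for the forward zone.
    printf '@ IN SOA ns.%s. root.%s. ( 2015092101 3600 15M 1W 1D )\n' "$domain" "$domain"
    printf '  IN NS ns.%s.\n' "$domain"
    # every "<host> IN A <addr>" inside the /24 -> "<last octet> IN PTR <fqdn>."
    awk -v d="$domain" -v n="$net." '
        $2 == "IN" && $3 == "A" && index($4, n) == 1 {
            split($4, o, "."); printf "%s IN PTR %s.%s.\n", o[4], $1, d
        }' "$fwd"
}
# named.conf stanza; "file" is relative to /var/named, like the forward zone.
reverse_zone_stanza() {       # reverse_zone_stanza <first three octets> <zone file name>
    printf 'zone "%s" IN {\n    type master;\n    file "%s";\n    allow-update { none; };\n};\n' \
        "$(reverse_origin "$1")" "$2"
}
# Constructed sample input: the forward zone from this page.
FWD=$(mktemp); OUT=$(mktemp)
cat > "$FWD" <<'EOF'
$TTL 3600
@ IN SOA openshift.local. root ( 2015092101 3600 15M 1W 1D )
  IN NS localhost
localhost IN A 127.0.0.1
ns IN A 172.20.2.10
openshift-master1 IN A 172.20.2.1
openshift-node1 IN A 172.20.2.2
openshift-node2 IN A 172.20.2.3
EOF
gen_reverse_zone "$FWD" openshift.local 172.20.2 > "$OUT"
cat "$OUT"
reverse_zone_stanza 172.20.2 2.20.172.in-addr.arpa.zone
# Validate with BIND's own checker when it is installed on this host.
if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone 2.20.172.in-addr.arpa "$OUT"
fi
rm -f "$FWD" "$OUT"
```

Copy the generated file to /var/named with the same root:named ownership as the other zone files before adding the stanza to /etc/named.conf.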
=Verify Configuration Files=
<pre>
named-checkconf /etc/named.conf
named-checkzone <zone-name> <zone-file>
named-checkzone openshift.local /var/named/openshift.local.zone
</pre>
=Configure iptables=
Add the following rules to your iptables configuration:
<pre>
...
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
...
</pre>
For more details on the iptables configuration, see [[iptables Configuration#SimplestPossibleConfiguration]].
Make sure the correct rules are in place with <tt>iptables -L -n</tt> (<tt>iptables -F</tt> would flush the rules rather than list them).
Also see: [[iptables Troubleshooting#PingAndSshSucceedButTelnetFails]]
=Configuring Recursive Resolution=
If a name cannot be resolved by the current bind server, the query is forwarded to other DNS servers.
<font color=red>Which ones are those? How are they configured?</font>
For a standard bind installation, I did not need to do anything, the mechanism worked by default.
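Recursion works "by default" here because BIND derives allow-recursion from allow-query when neither allow-recursion nor allow-query-cache is set, so the allow-query { any; } setting above, together with the port 53 iptables rules, serves recursive lookups to anyone who can reach the host. The script below is an added example, not from the original page: audit_recursion classifies a named.conf as open or restricted, and hardened_options prints a replacement options block, assuming 172.20.2.0/24 is the OpenShift network.

```shell
#!/bin/sh
# Added example, not from the original page. BIND derives allow-recursion
# from allow-query when neither allow-recursion nor allow-query-cache is set,
# so "allow-query { any; }" alone makes this server an open resolver.
# audit_recursion classifies a named.conf; hardened_options prints the
# replacement, with 172.20.2.0/24 as the assumed OpenShift network.
audit_recursion() {           # audit_recursion <named.conf> -> "open" | "restricted"
    # drop // and # comments, then squeeze whitespace so "{ any; }" reads "{any;}"
    c=$(sed -e 's#//.*##' -e 's/#.*//' "$1" | tr -s ' \t\n' ' ' | sed 's/ *\([{};]\) */\1/g')
    case "$c" in
        *"recursion no;"*)           echo restricted ;;   # authoritative-only server
        *"allow-recursion{any;}"*)   echo open ;;
        *"allow-recursion{"*)        echo restricted ;;
        *"allow-query-cache{any;}"*) echo open ;;
        *"allow-query-cache{"*)      echo restricted ;;
        *"allow-query{any;}"*)       echo open ;;         # BIND falls back to allow-query
        *)                           echo restricted ;;   # an ACL, or localnets/localhost
    esac
}
hardened_options() {
    cat <<'EOF'
acl openshift { 127.0.0.1; 172.20.2.0/24; };
options {
    listen-on port 53 { any; };
    allow-query { any; };             // authoritative answers for openshift.local
    recursion yes;
    allow-recursion { openshift; };   // recursive service only for the cluster
    allow-query-cache { openshift; };
    allow-transfer { none; };         // no zone transfers to arbitrary clients
};
EOF
}
# Constructed sample: the options block this page ends up with.
PAGE=$(mktemp); HARD=$(mktemp)
printf 'options {\n    listen-on port 53 { any; };\n    allow-query { any; };\n    recursion yes;\n};\n' > "$PAGE"
hardened_options > "$HARD"
echo "page options: $(audit_recursion "$PAGE")"   # open
echo "hardened:     $(audit_recursion "$HARD")"   # restricted
rm -f "$PAGE" "$HARD"
```

The iptables rules above accept port 53 from any source; adding -s 172.20.2.0/24 to them keeps the same boundary at the firewall, and named-checkconf verifies the edited file before restarting named.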
=Starting at Boot=
<pre>
systemctl enable named
</pre>
Test:
<pre>
systemctl is-enabled named
enabled
</pre>
=Configure The Local DNS Resolver=
Same as configuring clients on other machines in the network. See [https://kb.novaordis.com/index.php/Bind_Operations_-_Set_Up_DNS_Client Bind Operations - Set Up DNS Client].
=Configure DNS Resolver on Other Hosts=
See [https://kb.novaordis.com/index.php/Bind_Operations_-_Set_Up_DNS_Client Bind Operations - Set Up DNS Client].
=Reboot and Tests=
==Local Tests==
Assuming that the name of the name server is "ns.openshift.local", and "openshift-master1.openshift.local" is a valid host in the domain, after reboot the following must succeed:
<pre>
# nslookup ns
Server:     172.20.2.10
Address:    172.20.2.10#53

Name:   ns.openshift.local
Address: 172.20.2.10
</pre>
<pre>
# nslookup ns.openshift.local
Server:     172.20.2.10
Address:    172.20.2.10#53

Name:   ns.openshift.local
Address: 172.20.2.10
</pre>
<pre>
# nslookup openshift-master1
Server:     172.20.2.10
Address:    172.20.2.10#53

Name:   openshift-master1.openshift.local
Address: 172.20.2.1
</pre>
<pre>
# nslookup openshift-master1.openshift.local
Server:     172.20.2.10
Address:    172.20.2.10#53

Name:   openshift-master1.openshift.local
Address: 172.20.2.1
</pre>
Also a random (but valid) name must be resolved:
<pre>
# nslookup www.cnn.com
Server:     172.20.2.10
Address:    172.20.2.10#53

Non-authoritative answer:
www.cnn.com canonical name = turner.map.fastly.net.
Name:   turner.map.fastly.net
Address: 23.235.47.73
</pre>
==Remote Tests==
=Adding a New Host to the Zone File=
Go to the corresponding zone file (for example, if the domain is openshift.local, the zone file is <tt>/var/named/openshift.local.zone</tt>) and add the record:
<pre>
...
master31-1 IN A 172.20.2.11
</pre>
Also modify the inverse record file <tt>/var/named/openshift.local.rzone</tt> (if it exists):
<pre>
172.20.2.11 IN PTR master31-1.openshift.local.
</pre>
Then reboot the name server.
After reboot, run nslookup from the name server itself, an old host and the newly set up host:
<pre>
[openshift@ns ~]$ nslookup master31-1.openshift.local
Server:     172.20.2.10
Address:    172.20.2.10#53

Name:   master31-1.openshift.local
Address: 172.20.2.11
</pre>