Bind Operations - Set Up DNS Server: Difference between revisions
No edit summary |
|||
| Line 239: | Line 239: | ||
For more details on the iptables configuration, see {{Internal|Iptables_Command_Line_Tool_Examples#Base_Configuration|iptables IPv4 Base Configuration}} | For more details on the iptables configuration, see {{Internal|Iptables_Command_Line_Tool_Examples#Base_Configuration|iptables IPv4 Base Configuration}} | ||
Make sure the correct rules are in place with | Make sure the correct rules are in place with <tt>iptables -F</tt>: | ||
Also see {{Internal|Iptables_Troubleshooting#ping_and_ssh_succeed_but_telnet_fails|ping and ssh succeed but telnet fails}} | Also see {{Internal|Iptables_Troubleshooting#ping_and_ssh_succeed_but_telnet_fails|ping and ssh succeed but telnet fails}} | ||
=Configuring Recursive Resolution= | |||
If a name cannot be resolved by the current bind server, the query is forwarded to other DNS servers. | If a name cannot be resolved by the current bind server, the query is forwarded to other DNS servers. | ||
| Line 251: | Line 251: | ||
For a standard bind installation, I did not need to do anything, the mechanism worked by default. | For a standard bind installation, I did not need to do anything, the mechanism worked by default. | ||
=Starting at Boot= | |||
<pre> | |||
systemctl enable named | systemctl enable named | ||
</pre> | |||
Test: | Test: | ||
<pre> | |||
systemctl is-enabled named | systemctl is-enabled named | ||
enabled | enabled | ||
</pre> | |||
=Configure The Local DNS Resolver= | |||
Same as configuring clients on other machines in the network. See | Same as configuring clients on other machines in the network. See | ||
| | {{Internal|Bind_Operations_-_Set_Up_DNS_Client|Set Up DNS Client}} | ||
=Configure DNS Resolver on Other Hosts= | |||
| | {{Internal|Bind_Operations_-_Set_Up_DNS_Client|Set Up DNS Client}} | ||
=Reboot and Test= | |||
==Local Tests== | |||
Assuming that the name of the name server is "ns.openshift.local", and "openshift-master1.openshift.local" is a valid host in domain, after reboot, the following must be successful: | Assuming that the name of the name server is "ns.openshift.local", and "openshift-master1.openshift.local" is a valid host in domain, after reboot, the following must be successful: | ||
<pre> | |||
# nslookup ns | # nslookup ns | ||
Server: 172.20.2.10 | Server: 172.20.2.10 | ||
| Line 289: | Line 287: | ||
Name: ns.openshift.local | Name: ns.openshift.local | ||
Address: 172.20.2.10 | Address: 172.20.2.10 | ||
</pre> | |||
<pre> | |||
# nslookup ns.openshift.local | # nslookup ns.openshift.local | ||
Server: 172.20.2.10 | Server: 172.20.2.10 | ||
| Line 298: | Line 296: | ||
Name: ns.openshift.local | Name: ns.openshift.local | ||
Address: 172.20.2.10 | Address: 172.20.2.10 | ||
</pre> | |||
<pre> | |||
# nslookup openshift-master1 | # nslookup openshift-master1 | ||
Server: 172.20.2.10 | Server: 172.20.2.10 | ||
| Line 307: | Line 305: | ||
Name: openshift-master1.openshift.local | Name: openshift-master1.openshift.local | ||
Address: 172.20.2.1 | Address: 172.20.2.1 | ||
</pre> | |||
<pre> | |||
# nslookup openshift-master1.openshift.local | # nslookup openshift-master1.openshift.local | ||
Server: 172.20.2.10 | Server: 172.20.2.10 | ||
| Line 316: | Line 314: | ||
Name: openshift-master1.openshift.local | Name: openshift-master1.openshift.local | ||
Address: 172.20.2.1 | Address: 172.20.2.1 | ||
</pre> | |||
Also a random (but valid) name must be resolved | Also a random (but valid) name must be resolved | ||
<pre> | |||
# nslookup www.cnn.com | # nslookup www.cnn.com | ||
Server: 172.20.2.10 | Server: 172.20.2.10 | ||
| Line 329: | Line 327: | ||
Name: turner.map.fastly.net | Name: turner.map.fastly.net | ||
Address: 23.235.47.73 | Address: 23.235.47.73 | ||
</pre> | |||
==Remote Tests== | |||
=Adding a New Host to the Zone File= | |||
Go to the corresponding zone file (example if the domain is openshift.local, the zone file is <tt>/var/named/openshift.local.zone</tt>) | |||
<pre> | |||
... | ... | ||
master31-1 IN A 172.20.2.11 | master31-1 IN A 172.20.2.11 | ||
</pre> | |||
Also modify the inverse record file /var/named/openshift.local.rzone (if exists) | Also modify the inverse record file <tt>/var/named/openshift.local.rzone</tt> (if exists) | ||
<pre> | |||
172.20.2.11 IN PTR master31-1.openshift.local. | 172.20.2.11 IN PTR master31-1.openshift.local. | ||
</pre> | |||
Then reboot the name server. | Then reboot the name server. | ||
| Line 353: | Line 350: | ||
After reboot, run nslookup from the name server itself, an old host and the newly setup host: | After reboot, run nslookup from the name server itself, an old host and the newly setup host: | ||
<pre> | |||
[openshift@ns ~]$ nslookup master31-1.openshift.local | [openshift@ns ~]$ nslookup master31-1.openshift.local | ||
Server: 172.20.2.10 | Server: 172.20.2.10 | ||
| Line 360: | Line 357: | ||
Name: master31-1.openshift.local | Name: master31-1.openshift.local | ||
Address: 172.20.2.11 | Address: 172.20.2.11 | ||
</pre> | |||
Revision as of 00:57, 4 April 2017
External
- Red Hat Support Solution (used to write the procedure below) https://access.redhat.com/solutions/40683
- Red Hat Enterprise Linux 7 Networking Guide - Chapter 11 DNS Servers https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-DNS_Servers.html
- Red Hat Enterprise Linux 6 Deployment Guide - DNS Servers https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-DNS_Servers.html
- Step by Step how to setup a DNS Server in RHEL 6 Using Bind https://github.com/blackyboy/RedHat-Centos-Common-Stuffs/blob/master/Step-by-Step-how-to-setup-a-DNS-Server-in-RHEL-6.2-6.4-6.5-Using-Bind.md
Internal
Overview
This is a step by step guide on installing and configuring a bind DNS server. We needed it during the deployment of an OpenShift Enterprise v3 instance. The procedure has been tested with Red Hat Enterprise Linux 7.1.
During this procedure we will create a new "openshift.local" zone file and all OpenShift hosts will get names within the "*.openshift.local" DNS domain.
Binary Installation
Intall bind binaries:
yum install bind* -y
DO NOT yum remove bind*, it will remove dhclient and related libraries, and that might render your host inoperable.
Starting and Stopping the Server
Installing binaries will deploy a bind server with a basic configuration that can be started and stopped.
Starting the Server
You can start the server right away, it should start fine. See [#Troubleshooting_the_Server|Troubleshooting the Server].
systemctl start named
Stopping the Server
systemctl stop named
Troubleshooting the Server
systemctl status:
systemctl status named
journalctl:
journalctl -u named
Log file:
/var/named/data/named.run
Edit /etc/named.conf
/etc/named.conf is the main configuration file.
Use the default and modify the following:
listen-on
Specifies the IPv4 network interface on which to listen for queries.
On a DNS server that acts as a gateway, you can use this option to answer queries originating from a single network only. All IPv4 interfaces are used by default.
options {
...
listen-on port 53 { any; };
...
}
listen-on-v6
Specifies the IPv6 network interface on which to listen for queries.
On a DNS server that also acts as a gateway, you can use this option to answer queries originating from a single network only. All IPv6 interfaces are used by default.
options {
...
listen-on-v6 port 53 { any; };
...
}
allow-query
Specifies which hosts are allowed to query the nameserver for authoritative resource records.
It accepts an access control list, a collection of IP addresses, or networks in the CIDR notation. All hosts are allowed by default.
options {
...
allow-query { any; };
...
}
Adding a Zone
Add a zone in /etc/named.conf, as follows. Conventionally, I place it between the zone "." and include:
...
zone "." IN {
type hint;
file "named.ca";
};
zone "openshift.local" IN {
type master;
file "openshift.local.zone";
};
include "/etc/named.rfc1912.zones";
...
The zone file path specified after "file" is relative to /var/named.
Start with named.localhost as a model:
cd /var/named cp named.localhost openshift.local.zone
Make sure the file has the same ownership as the rest of the files in the directory:
chown root:named openshift.local.zone
Zone File
/var/named/openshift.local.zone:
$TTL 3600
@ IN SOA openshift.local. root (
2015092101 ; serial
3600 ; refresh
15M ; retry
1W ; expire
1D ) ; minimum
IN NS localhost
localhost IN A 127.0.0.1
ns IN A 172.20.2.10
openshift-master1 IN A 172.20.2.1
openshift-node1 IN A 172.20.2.2
openshift-node2 IN A 172.20.2.3
PTR (Inverse Record) File
TODO: not tested.
/var/named/openshift.local.rzone:
$TTL 3600 @ IN SOA openshift.local. root.openshift.local. ( 2015092101 ; serial 3600 ; refresh 15M ; retry 1W ; expire 1D ) ; minimum IN NS localhost. 172.20.2.1 IN PTR openshift-master1.openshift.local. 172.20.2.2 IN PTR openshift-node1.openshift.local.
Make sure the file has the same ownership as the rest of the files in the directory:
chown root:named openshift.local.rzone
I think the reverse resolution is not fully enabled until I add something like the following in /etc/named.conf:
zone"0.168.192.in-addr.arpa" IN {
type master;
file "reverse.linuxzadmin";
allow-update { none; };
};
Verify Configuration Files
named-checkconf /etc/named.conf named-checkzone <zone-name> <zone-file> named-checkzone openshift.local.zone /var/named/openshift.local.zone
Configure iptables
Add the following rules to your iptables configuration:
... iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT iptables -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT ...
For more details on the iptables configuration, see
Make sure the correct rules are in place with iptables -F:
Also see
Configuring Recursive Resolution
If a name cannot be resolved by the current bind server, the query is forwarded to other DNS servers.
Which one are those? How are those configured?
For a standard bind installation, I did not need to do anything, the mechanism worked by default.
Starting at Boot
systemctl enable named
Test:
systemctl is-enabled named enabled
Configure The Local DNS Resolver
Same as configuring clients on other machines in the network. See
Configure DNS Resolver on Other Hosts
Reboot and Test
Local Tests
Assuming that the name of the name server is "ns.openshift.local", and "openshift-master1.openshift.local" is a valid host in domain, after reboot, the following must be successful:
# nslookup ns Server: 172.20.2.10 Address: 172.20.2.10#53 Name: ns.openshift.local Address: 172.20.2.10
# nslookup ns.openshift.local Server: 172.20.2.10 Address: 172.20.2.10#53 Name: ns.openshift.local Address: 172.20.2.10
# nslookup openshift-master1 Server: 172.20.2.10 Address: 172.20.2.10#53 Name: openshift-master1.openshift.local Address: 172.20.2.1
# nslookup openshift-master1.openshift.local Server: 172.20.2.10 Address: 172.20.2.10#53 Name: openshift-master1.openshift.local Address: 172.20.2.1
Also a random (but valid) name must be resolved
# nslookup www.cnn.com Server: 172.20.2.10 Address: 172.20.2.10#53 Non-authoritative answer: www.cnn.com canonical name = turner.map.fastly.net. Name: turner.map.fastly.net Address: 23.235.47.73
Remote Tests
Adding a New Host to the Zone File
Go to the corresponding zone file (example if the domain is openshift.local, the zone file is /var/named/openshift.local.zone)
... master31-1 IN A 172.20.2.11
Also modify the inverse record file /var/named/openshift.local.rzone (if exists)
172.20.2.11 IN PTR master31-1.openshift.local.
Then reboot the name server.
After reboot, run nslookup from the name server itself, an old host and the newly setup host:
[openshift@ns ~]$ nslookup master31-1.openshift.local Server: 172.20.2.10 Address: 172.20.2.10#53 Name: master31-1.openshift.local Address: 172.20.2.11