Introduction:
================================================
Berkeley Internet Name Domain (BIND) is the most commonly used DNS server on the
Internet, especially on Unix-like systems, where it is a de facto standard. It is
maintained by the Internet Systems Consortium (ISC). BIND was originally created
by four graduate students with CSRG at the University of California, Berkeley,
and first released with 4.3BSD. Paul Vixie started maintaining it in 1988 while
working for DEC.
History:
================================================
BIND was originally written in the early 1980s under a DARPA grant. In the
mid-1980s, DEC employees took over BIND development. One of these employees was
Paul Vixie, who continued to work on BIND after leaving DEC. He eventually helped
start the ISC, which became the entity responsible for maintaining BIND.

The development of BIND 9 was done with a combination of commercial and military
contracts. Most of the features of BIND 9 were funded by UNIX vendors who wanted
to ensure that BIND stayed competitive with Microsoft's DNS offerings; the DNSSEC
features were funded by the US military, who felt that DNS security was
important.
Things Covered:
================================================
• Two DNS servers (master and slave) [internal, external]
• Internal DNS server exists on a private non-routable network (192.168.X.X)
• External DNS server is visible to the internet (142.25.97.X)
• Internal DNS server has three private computer A record entries (mythical)
• Internal DNS server receives updates from the external master server (every 3 hours)
• External DNS server does not contain the internal A record entries
• Internal server is not to be visible/routable on the internet
• External DNS server contains all entries for Apache sites #1 - #7 (site1, site2)
• Restrict recursive queries from people not within the 142 network
• The DNS server must run in a chroot environment where it is secure
• External DNS server is configured to update the slave (internal server)
• A Veritas backup of your DNS server
Network Configuration:
================================================
- 1 Linksys run-of-the-mill router
- 2 RHEL 5 machines that will act as primary and secondary DNS
- 2 optional machines that will act as end users or Apache servers on the primary
  network and the secondary (142.25.97.90 and 10.0.0.20 respectively)

The primary DNS server's IP is 142.25.97.89 and it has the fully qualified domain
name ns.orangespike.ca.

The secondary DNS server's IP is 10.0.0.10 and it has the fully qualified domain
name slave.orangespike.ca.

The gateway for the router is 142.25.97.40 and is port forwarding 53 UDP/TCP to
the secondary DNS.
Installation:
================================================
yum install bind*
yum install caching-nameserver

(If you do not know how to use yum, that is a different issue :) )

vi /etc/hosts and add the following entry (IP and qualified domain name of that
server):

142.25.97.89    ns.orangespike.ca

Next, set the static IP with the setup utility from the terminal and check the
following file:

vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
HWADDR=<MAC address of adapter>
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=142.25.97.89
GATEWAY=142.25.97.254
TYPE=Ethernet

Now go to /var/named/chroot/etc/ and do an ls -la. You should see about three or
four files: localtime, named.conf, named.rfc1912.zones, rndc.key

Note: if there is no named.conf but you do have a named.caching-nameserver.conf,
use cp to create a named.conf in the terminal:

cp named.caching-nameserver.conf named.conf

Go to /var/named/chroot/var/named/ and touch the following files:

touch orangespike.com.zone
touch orangespike.com.rev.zone

Do an ls -la and notice that they are owned by the wrong user. Correct this:

chown root:named orangespike*
Zone Record Creation:
================================================
Let's enter and create the zone file:

vi /var/named/chroot/var/named/orangespike.com.zone

$ORIGIN orangespike.com.
$TTL 3600
@       IN SOA  ns.orangespike.ca. root.localhost. (
                2008020403 ; Serial: YYYYMMDDvv (4-digit year, 2-digit month, 2-digit day, 2-digit version)
                10800      ; REFRESH
                10800      ; retry after 3 hours, which forces it on the slave
                604800     ; expire after 1 week
                86400 )    ; minimum TTL of 1 day
orangespike.com.        IN NS   ns.orangespike.ca. ; note: the NS name lives in another zone (orangespike.ca), so no glue A record is needed here
orangespike.com.        IN A    142.25.97.90
www                     IN A    142.25.97.90
site1.orangespike.com.  IN A    142.25.97.90
site2.orangespike.com.  IN A    142.25.97.90
localhost               IN A    127.0.0.1
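The serial in the SOA above is what decides whether the slave ever pulls a new copy: at each REFRESH the slave compares the master's serial with its own using RFC 1982 serial-number arithmetic and transfers only if the master's is greater, so a serial that is forgotten or moves backwards quietly leaves the slave stale. As an added example (not from the original post; the function names are my own), a POSIX shell helper that reads the serial out of a zone file in the YYYYMMDDvv layout used here, computes the next one, and performs that comparison, run against a constructed copy of the SOA:

```shell
# Added example: SOA serial helpers for the YYYYMMDDvv scheme used in the zone above.

# Print a zone file's SOA serial: the first integer after the "(" that opens the SOA RDATA.
current_serial() {
    awk '
        /[ \t]SOA[ \t]/ { insoa = 1 }
        insoa {
            line = $0
            sub(/;.*/, "", line)                       # drop ";" comments
            if (!seen) {                               # skip up to and including the "("
                if (!index(line, "(")) next
                seen = 1; sub(/.*\(/, "", line)
            }
            n = split(line, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] ~ /^[0-9]+$/) { print f[i]; exit }
        }' "$1"
}
# RFC 1982 comparison: true when serial $1 is "greater than" $2 modulo 2^32. A slave only
# transfers when the master's serial is greater in this sense, so a serial that moves
# backwards (a mistyped date, say) silently stops the slave from ever updating.
serial_gt() {
    if   [ "$1" -gt "$2" ]; then [ $(( $1 - $2 )) -lt 2147483648 ]
    elif [ "$1" -lt "$2" ]; then [ $(( $2 - $1 )) -gt 2147483648 ]
    else return 1
    fi
}

# Next serial for zone file $1 on date $2 (YYYYMMDD, default today): the same day bumps the
# two-digit version, a new day starts at <date>01. Prints nothing and returns 1 when the
# version would pass 99 or the result would not be "greater" than the current serial.
next_serial() (
    cur=$(current_serial "$1") && [ -n "$cur" ] || return 1
    day=${2:-$(date +%Y%m%d)}
    case "$cur" in
        "$day"[0-9][0-9]) v=${cur#"$day"}; v=$(( ${v#0} + 1 )) ;;
        *)                v=1 ;;
    esac
    [ "$v" -le 99 ] || return 1
    new=$(printf '%s%02d' "$day" "$v")
    serial_gt "$new" "$cur" && echo "$new"
)

# Demo on a constructed copy of the orangespike.com SOA above (sample data, not a live zone).
demo_zone=$(mktemp)
printf '%s\n' '$ORIGIN orangespike.com.' '$TTL 3600' '@ IN SOA ns.orangespike.ca. root.localhost. (' \
    '        2008020403 ; Serial' '        10800 ; REFRESH' '        10800 ; retry' \
    '        604800 ; expire' '        86400 ) ; minimum' > "$demo_zone"
echo "current $(current_serial "$demo_zone"), same day $(next_serial "$demo_zone" 20080204), next day $(next_serial "$demo_zone" 20080205)"
rm -f "$demo_zone"
```

The same serial_gt check works by hand on the third field of `dig +short SOA orangespike.com @142.25.97.89` and `@10.0.0.10`, which tells you whether the slave has caught up with the master.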
Reverse Zone Record Creation:
================================================
Enter and create the reverse zone file:

vi /var/named/chroot/var/named/orangespike.com.rev.zone

$ORIGIN 97.25.142.in-addr.arpa.
$TTL 86400
@       IN SOA  ns.orangespike.ca. root.localhost. (
                2008020402 ; serial
                10800      ; REFRESH 3 hours
                10800      ; retry after 3 hours
                604800     ; expire after 1 week
                86400 )    ; Min TTL of 1 day
97.25.142.in-addr.arpa.     IN NS   ns.orangespike.ca.
90.97.25.142.in-addr.arpa.  IN PTR  orangespike.com.
Edit The Primary named.conf File:
================================================
vi /var/named/chroot/etc/named.conf

// DNS PRIMARY SERVER
acl good-hosts {          // defined for reuse; not referenced below
        142.25.97.0/24;
        10.0.0.0/24;
        127.0.0.0/8;
};

options {
        listen-on port 53 { 142.25.97.89; 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        allow-transfer { 10.0.0.10; 142.25.97.40; 127.0.0.1; };
        // 10.0.0.0/24 rather than 10.0.0.10/24, to avoid an address/prefix length mismatch
        allow-recursion { 10.0.0.0/24; 142.25.97.0/24; 127.0.0.1; };
        // 127.0.0.1 removed from the forwarders: a server forwarding to itself loops
        forwarders { 142.25.97.254; 142.25.115.12; 142.25.115.1; };
};

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "orangespike.com." IN {
        type master;
        notify no;        // the slave relies on its 3-hour REFRESH instead of NOTIFY
        allow-query { any; };
        file "orangespike.com.zone";
        // zone-level allow-transfer replaces the options-level list, so the slave's
        // requests must arrive from one of these (it sits behind the 142.25.97.40 gateway)
        allow-transfer { 142.25.115.12; 142.25.97.40; 127.0.0.1; };
        // IP-based allow-update trusts a spoofable source address; a TSIG key is the stronger choice
        allow-update { 142.25.115.12; 142.25.97.40; 127.0.0.1; };
};

zone "97.25.142.in-addr.arpa." IN {
        type master;
        notify no;
        file "orangespike.com.rev.zone";
        allow-transfer { 142.25.115.12; 142.25.97.40; 127.0.0.1; };
        allow-update { 142.25.115.12; 142.25.97.40; 127.0.0.1; };
};

include "/etc/named.rfc1912.zones";
include "/etc/rndc.key";
Testing:
================================================
On another machine on the same network as the primary, the output of nslookup
should look similar to below:

nslookup orangespike.com
Server:         142.25.97.254
Address:        142.25.97.254#53

Non-authoritative answer:
Name:   orangespike.com
Address: 142.25.97.90

The output of dig should look similar to this:

; <<>> DiG 9.3.3rc2 <<>> orangespike.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23820
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;orangespike.com.               IN      A

;; ANSWER SECTION:
orangespike.com.        3047    IN      A       142.25.97.90

;; Query time: 3 msec
;; SERVER: 142.25.97.254#53(142.25.97.254)
;; WHEN: Tue Feb  5 15:33:45 2008
;; MSG SIZE  rcvd: 49

On the actual primary server those two commands may not work correctly (except
for nslookup, within reason), since it will use its loopback or localhost
address.

NOTE: this is not great for testing on the secondary slave server.
Secondary Slave Name Server Configuration And named.conf:
================================================
On a second machine on the private network, install bind and the packages as for
the primary server above and prepare named.conf again as before.

Set the static IP with the setup command again, but to an IP that is behind the
router and on that LAN.

Continuing on, make the following simple changes. It's pretty self-explanatory,
but one major note is the bottom of this conf file. The masters and slave
keywords establish the relationship with the master server.

//==========================================================
// DNS named.conf file for DNS slave:
//==========================================================
options {
        listen-on port 53 { 10.0.0.10; 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        allow-transfer { 192.168.1.3; 142.25.97.40; 127.0.0.1; };
        allow-recursion { 142.25.97.0/24; 10.0.0.0/24; };
        // 127.0.0.1 removed from the forwarders: a server forwarding to itself loops
        forwarders { 142.25.97.40; 10.0.0.1; };
        recursion yes;
};

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

view "internal" {
        // 127.0.0.1 rather than 127.0.0.1/30, to avoid an address/prefix length mismatch
        match-clients { 10.0.0/24; 127.0.0.1; };
        zone "." IN {
                type hint;
                file "named.ca";
        };
        zone "sub.orangespike.com" IN {
                type master;
                file "inside/sub.orangespike.com";
        };
        zone "0.0.10.in-addr.arpa." IN {
                type master;
                file "inside/sub.orangespike.com.rev.zone";
        };
};

view "outside" {
        match-clients { any; };
        zone "." IN {
                type hint;
                file "named.ca";
        };
        // views match in order: 10.0.0/24 clients land in "internal" above and never see
        // this slaved copy; they resolve orangespike.com through recursion instead
        zone "orangespike.com" IN {
                type slave;
                // slaves/ must be writable by the named user (the stock RHEL directory is)
                file "slaves/orangespike.com.zone";
                masters { 142.25.97.89; };
        };
};

include "/etc/rndc.key";
Further On The Slave:
================================================
Create the directories outside and inside. They must sit under the directory
named.conf points at (/var/named inside the chroot), because the zone file paths
above are relative to it:

cd /var/named/chroot/var/named
mkdir inside
mkdir outside
chown root:named outside
chown root:named inside
Create the zone and rev zone files for the slave:
================================================
In the folder you just created (inside), I created the zone file
sub.orangespike.com. The point of this file is to act as a subdomain for the
internal/private network. The outside cannot see this nameserver, nor can the
big brother nameserver (ns.orangespike.ca).

$ORIGIN sub.orangespike.com.
$TTL 3600 ; 1 hr
@       IN SOA  slave.orangespike.ca. root.localhost. (
                2008020502 ; serial
                3600       ; refresh 1 hr
                3600       ; retry 1 hr
                1209600    ; expire 2 weeks
                3600 )     ; minimum 1 hr
sub.orangespike.com.        IN NS   slave.orangespike.ca.
test.sub.orangespike.com.   IN A    10.0.0.20
test2.sub.orangespike.com.  IN A    10.0.0.20
test3.sub.orangespike.com.  IN A    10.0.0.20

Now create the rev zone file, which I called sub.orangespike.com.rev.zone, in the
same directory as the previous file.

$ORIGIN 0.0.10.in-addr.arpa.
$TTL 86400
@       IN SOA  slave.orangespike.ca. root.localhost. (
                2008020503 ; serial
                3600       ; refresh after 1 hour
                3600       ; retry after 1 hour
                604800     ; expire after 1 week
                86400 )    ; Min TTL of 1 day
0.0.10.in-addr.arpa.        IN NS   slave.orangespike.ca.
20.0.0.10.in-addr.arpa.     IN PTR  test.sub.orangespike.com.
20.0.0.10.in-addr.arpa.     IN PTR  test2.sub.orangespike.com.
20.0.0.10.in-addr.arpa.     IN PTR  test3.sub.orangespike.com.
One final change before you restart the slave named service is to edit the slave
host's resolver file. The reason for this is that we want it to use the big
brother (ns.orangespike.ca) as its DNS.

vi /etc/resolv.conf

; generated by /sbin/dhclient-script
nameserver 142.25.97.89
search orangespike.ca

Now restart named with the following command and hopefully you get no errors:

service named restart
Additional Private Network Configuration:
================================================
On the router that we had previously configured, we want it to use the DNS
server we just made. I gave mine a static IP address of 10.0.0.10 (to clarify
again) and told the router to use my DNS server.

Also on the other box, we want it to use the DNS of the slave, so change
/etc/resolv.conf to use 10.0.0.10 and presto, we are almost done :)

On another machine use dig and nslookup as you did previously to test the
primary nameserver, and the output should look similar.

dig test.sub.orangespike.com

; <<>> DiG 9.3.3rc2 <<>> test.sub.orangespike.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37578
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.sub.orangespike.com.      IN      A

;; ANSWER SECTION:
test.sub.orangespike.com. 3600  IN      A       10.0.0.20

;; AUTHORITY SECTION:
sub.orangespike.com.    3600    IN      NS      slave.orangespike.ca.

;; Query time: 24 msec
;; SERVER: 10.0.0.10#53(10.0.0.10)
;; WHEN: Sat Oct 27 04:29:30 2007
;; MSG SIZE  rcvd: 92
Backing Up The DNS Servers:
================================================
The easiest way to back up the DNS servers is to just back up their conf files
and zones with a simple bash script to another location, then put that script
into cron and schedule it every so often as needed.

Example script:
#====================================================
#!/bin/sh
# -p: do not fail when the directory already exists (every cron run after the first)
mkdir -p /backupdirectory
# -a: copy the directories recursively, keeping ownership and permissions
cp -a /var/named/chroot/etc/ /backupdirectory          # named.conf, rndc.key, zone includes
cp -a /var/named/chroot/var/named/ /backupdirectory    # the zone files themselves
#====================================================
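A flat copy is overwritten on every run, so a bad zone edit is backed up over the good one within hours. As an added example (not the post's script; the function names and the KEEP_DAYS parameter are my own, and the default chroot path is the one used in this post), a version that writes one dated, checksummed archive per run, refuses to archive a named.conf that named-checkconf rejects, and can be verified before a restore:

```shell
# Added example: one timestamped, verified archive per run instead of an overwritten flat copy,
# so a bad zone edit can be rolled back to a known-good state. The default chroot path is the
# one used in this post; the function names are my own.

# backup_named DEST [CHROOT] [KEEP_DAYS] -> prints the archive path; returns 1 on any failure.
backup_named() (
    dest=$1
    root=${2:-/var/named/chroot}
    keep=${3:-30}
    name="named-$(date +%Y%m%d-%H%M%S).tar.gz"
    mkdir -p "$dest" || return 1
    # Never archive a config that would not load: when named-checkconf is installed,
    # check named.conf inside the chroot first (-t names the chroot directory).
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t "$root" /etc/named.conf || return 1
    fi
    # Paths are stored relative to /, so a restore is simply: tar -xzf ARCHIVE -C /
    tar -czf "$dest/$name" -C / "${root#/}/etc" "${root#/}/var/named" || return 1
    # Trust the archive only after reading it back and finding named.conf inside it.
    tar -tzf "$dest/$name" | grep -q '/etc/named\.conf$' || { rm -f "$dest/$name"; return 1; }
    # Checksum recorded with the bare file name so it verifies wherever the file is copied.
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" ) || return 1
    # Retention: drop archives and checksums older than KEEP_DAYS.
    find "$dest" -name 'named-*.tar.gz*' -mtime +"$keep" -exec rm -f {} \;
    echo "$dest/$name"
)

# verify_backup ARCHIVE -> succeeds only if the archive still matches its recorded checksum.
verify_backup() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}
```

Run backup_named from cron with the backup location as its first argument, and run verify_backup on the archive you are about to restore.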
Run bind in chroot:
================================================
1.) Check and see if bind-chroot is installed with the command:
    rpm -qa | grep bind-chroot
    - If it is, great; if not, yum install it.
2.) In the terminal:
    usermod -d /var/named/chroot named
    - In /etc/sysconfig/named, if you see the following line then you're done :)
      If not, change it to the following:
    ROOTDIR=/var/named/chroot
Troubleshooting:
================================================
String used to troubleshoot errors when trying to start named (it runs named in
the foreground as the named user inside the chroot, so errors print to the
terminal):

/usr/sbin/named -g -u named -t /var/named/chroot

Note: afterwards you must grep for this command and kill all named processes.
They will continue to run unless the machine is restarted or the processes are
killed.