Wednesday, January 13, 2010

RHEL / Fedora BIND DNS - Primary Slave Howto


Introduction:
================================================
Berkeley Internet Name Domain is the most commonly used DNS server on the Internet, especially on Unix-like systems, where it is a de facto standard. Supported by Internet Systems Consortium. BIND was originally created by four graduate students with CSRG at the University of California, Berkeley and first released with 4.3BSD. Paul Vixie started maintaining it in 1988 while working for DEC.
History:
================================================
BIND was originally written in the early 1980s under a DARPA grant. In the mid-1980s, DEC employees took over BIND development. One of these employees was Paul Vixie, who continued to work on BIND after leaving DEC. He eventually helped start the ISC, which became the entity responsible for maintaining BIND.
The development of BIND 9 was done with a combination of commercial and military contracts. Most of the features of BIND 9 were funded by UNIX vendors who wanted to ensure that BIND stayed competitive with Microsoft's DNS offerings; the DNSSEC features were funded by the US military who felt that DNS security was important.
Things Covered:
================================================
• Two DNS Servers (Master and Slave) [Internal External]
• Internal DNS server exists on private non-routable network (192.168.X.X)
• External DNS server is visible to the internet (142.25.97.X)
• Internal DNS server has three private computer A record entries (mythical)
• Internal DNS server receives updates from external master server (every 3 hours)
• External DNS server does not contain internal A record entries
• Internal Server is not to be visible/routable on the internet
• External DNS server contains all entries for Apache Sites #1 - #7 (site1, site2)
• Restrict recursive queries from people not within the 142 network
• The DNS server must run in a chroot environment where it is secure
• External DNS server is configured to update slave (internal server)
• A veritas backup of your DNS server

Network Configuration:
================================================
-1 Linksys run of the mill router
-2 RHEL 5 machines that will act as primary and secondary DNS
-2 Optional machines that will act as end users or apache servers on the primary network and the secondary.(142.25.97.90 and 10.0.0.20 respectively)
Primary DNS servers IP is 142.25.97.89 and has the fully qualified domain name of ns.orangespike.ca
Secondary DNS servers IP is 10.0.0.10 and has the fully qualified domain name of slave.orangespike.ca
The gateway for the router is 142.25.97.40 and is port forwarding 53 UDP/TCP to the secondary DNS.
network

Installation:
================================================
yum install bind*
yum install caching-nameserver

(If you do not know how to yum , that is a different issueJ)
vi etc/hosts and add the following entry ( IP and qualified domain name of that server ):
142.25.97.89 ns.orangespike.ca
Next, set the static IP with utility setup from terminal and check the following file:
vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=MAC address of adapter
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=142.25.97.89
GATEWAY=142.25.97.254
TYPE=Ethernet
Now go to /var/named/chroot/etc/ and do a ls -la
You should see about three or four files: localtime, named.conf, named.rfc1912.zones, rndc.key
Note if there is no named.conf, and you have a named.caching-nameserver.conf use cp to create a named.conf in the terminal by:
cp named.caching-nameserver.conf named.conf
Goto /var/named/chroot/var/named/ and touch the following files:
touch orangespike.com.zone
touch orangespike.com.rev.zone

Do a ls -la notice that they are owned by the wrong user. Correct this:
chown root:named orangespike*
Zone Record Creation:
================================================
Lets enter and create the zone file:
vi /var/named/chroot/var/named/orangespike.com.zone
$ORIGIN orangespike.com.
$TTL 3600 @ IN SOA ns.orangespike.ca. root.localhost. (
2008020403 ; Serial 4char year 2mm 2dd 2vv
10800 ; REFRESH
10800 ; retry after 3 hours which forces it on the slave
604800 ; expire after 1 week
86400 ) ; minimum TTL of 1 day orangespike.com. IN NS ns.orangespike.ca. ;note orangespike.com. IN A 142.25.97.90
www IN A 142.25.97.90
site1.orangespike.com. IN A 142.25.97.90
site2.orangespike.com. IN A 142.25.97.90
localhost A 127.0.0.1
Reverse Zone Record Creation:
================================================
Enter and create the reverse zone file:
vi /var/named/chroot/var/named/orangespike.com.rev.zone
$ORIGIN 97.25.142.in-addr.arpa. ;
$TTL 86400 @ IN SOA ns.orangespike.ca. root.localhost. (
2008020402 ; serial
10800 ; REFRESH 3 hour
10800 ; retry after 3 hours
604800 ; expire after 1 week
86400) ; Min TTL of 1 day 97.25.142.in-addr.arpa. NS ns.orangespike.ca.
90.97.25.142.in-addr.arpa. IN PTR orangespike.com.
Edit The Primary named.conf File:
================================================
vi /var/named/chroot/etc/named.conf
//DNS PRIMARY SERVER
acl good-hosts {
142.25.97.0/24;
10.0.0.0/24;
127.0.0.0/8;
};
options {
listen-on port 53 {142.25.97.89; 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
listen-on { 142.25.97.89; 127.0.0.1; };
allow-transfer { 10.0.0.10; 142.25.97.40; 127.0.0.1; };
allow-recursion { 10.0.0.10/24; 142.25.97.0/24; 127.0.0.1; };
forwarders { 142.25.97.254; 142.25.115.12; 142.25.115.1; 127.0.0.1; };
};
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "orangespike.com." IN {
type master;
notify no;
allow-query { any; };
file "orangespike.com.zone";
allow-transfer {142.25.115.12; 142.25.97.40; 127.0.0.1; };
allow-update { 142.25.115.12; 142.25.97.40; 127.0.0.1; };
};
zone "97.25.142.in-addr.arpa." IN {
type master;
notify no;
file "orangespike.com.rev.zone";
allow-transfer {142.25.115.12; 142.25.97.40; 127.0.0.1; };
allow-update {142.25.115.12; 142.25.97.40; 127.0.0.1; };
};
include "/etc/named.rfc1912.zones";
include "/etc/rndc.key";
Testing:
================================================
On another machine on the same network as the Primary the output for nslookup should look similar to below:
orangespike.com
Server: 142.25.97.254
Address: 142.25.97.254#53
Non-authoritative answer:
Name: orangespike.com
Address: 142.25.97.90
The output of dig should look similar to this:
; <<>> DiG 9.3.3rc2 <<>> orangespike.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23820
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;orangespike.com. IN A
;; ANSWER SECTION:
orangespike.com. 3047 IN A 142.25.97.90
;; Query time: 3 msec
;; SERVER: 142.25.97.254#53(142.25.97.254)
;; WHEN: Tue Feb 5 15:33:45 2008
;; MSG SIZE rcvd: 49
On the actual Primary server if you use those two commands they may not work correctly, except for nslookup within reason. It will use its loopback address or localhost address.
NOTE::: this is not great for testing on the secondary slave server.
Secondary Slave Name Server Configuration And named.conf:
================================================
On a second machine on the private network install bind and packages like the above primary server and prepare named.conf again like previous.
Set the static IP with the setup command again, but to an IP that is behind and on that LAN.
Continuing on, make the following simple changes. Its pretty self explanitory, but one major note is the bottom of this conf file. The masters, and slave keywords establish the relationship with the master server.
//==========================================================
//DNS named.conf file for DNS slave:
//==========================================================
options {
listen-on port 53 {10.0.0.10; 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-transfer{ 192.168.1.3; 142.25.97.40; 127.0.0.1;};
allow-recursion{142.25.97.0/24; 10.0.0.0/24; };
forwarders{ 142.25.97.40; 10.0.0.1; 127.0.0.1; };
recursion yes;
};
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view "internal" {
match-clients { 10.0.0/24; 127.0.0.1/30; };
zone "." IN {
type hint;
file "named.ca";
};
zone "sub.orangespike.com" {
type master;
file "inside/sub.orangespike.com";
};
zone "0.0.10.in-addr.arpa." IN {
type master;
file "inside/sub.orangespike.com.rev.zone";
};
};
view "outside" {
match-clients{ any; };
zone "." IN {
type hint;
file "named.ca";
};
zone "orangespike.com" in {
type slave;
file "slaves/orangespike.com.zone";
masters{ 142.25.97.89; };
};
};
include "/etc/rndc.key";
Further On The Slave:
================================================
Create the directories outside and inside:
cd /var/named/chroot/var
mkdir inside
mkdir outside
chown root:named outside
chown root:named inside
Create the zone and rev zone files for the slave:
================================================
In the folder you just created: (inside ) I created the zone file sub.orangespike.com -
The point of this file is to act as a subdomain for the internal/private network.
The outside cannot see this nameserver, nor can the big brother nameserver (ns.orangespike.ca)
$ORIGIN sub.orangespike.com.
$TTL 3600 ; 1 hr
@ IN SOA slave.orangespike.ca. root.localhost. (
2008020502 ; serial
3600 ; refresh 1 hr
3600 ; retry 1 hr
1209600 ; expire 2 weeks
3600) ; minimum 1 hr
sub.orangespike.com. IN NS slave.orangespike.ca.
test.sub.orangespike.com. IN A 10.0.0.20
test2.sub.orangespike.com. IN A 10.0.0.20
test3.sub.orangespike.com. IN A 10.0.0.20
Now create the rev zone file which I called sub.orangespike.com.rev.zone in the same directory that you had made the previous file.
$ORIGIN 0.0.10.in-addr.arpa. ;
$TTL 86400
@ IN SOA slave.orangespike.ca. root.localhost. (
2008020503 ; serial
3600 ; refresh after 1 hour
3600 ; retry after 1 hour
604800 ; expire after 1 week
86400) ; Min TTL of 1 day
0.0.10.in-addr.arpa. NS slave.orangespike.ca.
20.0.0.10.in-addr.arpa. IN PTR test.sub.orangespike.com.
20.0.0.10.in-addr.arpa. IN PTR test2.sub.orangespike.com.
20.0.0.10.in-addr.arpa. IN PTR test3.sub.orangespike.com.
One final change before you restart the slave named service is to edit the slave hosts resolve file.
The reason for this is that we want it to use the big brother ( ns.orangespike.ca ) as its DNS.
vi /etc/resolv.conf
; generated by /sbin/dhclient-script
nameserver 142.25.97.89
search orangespike.ca
Now restart named with the following command and hopefully you get no errors:
service named restart
Additional Private Network Configuration:
================================================
On that router that we had previously configured, we want it to use the DNS server wejust made. I gave mine a static IP address of 10.0.0.10 just to clarify again and told the router to use my DNS server.
Also on the other box, we want it to use DNS of the slave so change /etc/resolv.conf to use 10.0.0.10 and presto we are almost done :)
On another machine use dig and nslookup like you had previously to test the primary nameserver and the output should look similar.
dig test.sub.orangespike.com
; <<>> DiG 9.3.3rc2 <<>> test.sub.orangespike.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37578
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test.sub.orangespike.com. IN A
;; ANSWER SECTION:
test.sub.orangespike.com. 3600 IN A 10.0.0.20
;; AUTHORITY SECTION:
sub.orangespike.com. 3600 IN NS slave.orangespike.ca.
;; Query time: 24 msec
;; SERVER: 10.0.0.10#53(10.0.0.10)
;; WHEN: Sat Oct 27 04:29:30 2007
;; MSG SIZE rcvd: 92
Backing Up The DNS Servers:
================================================
The easiest way to backup the DNS servers is to just backup their conf files and zones with a simple bash script to another location. Then putting that script into the CHRON and scheduling it every so often if needed.
Example script:
#====================================================
#====================================================
#!/bin/sh
mkdir /backupdirectory
cp /var/named/chroot/etc/ /backupdirectory
cp /var/named/chroot/etc/ /backupdirectory
#====================================================
Run bind in chroot:
#====================================================
1.) Check and see if bind-chroot is installed with the command rpm -qa | grep bind-chroot
-If it is great if not, yum install it.
2.) In the terminal: usermod -d /var/named/chroot named
-In /etc/sysconfig/named and if you see the following line then your done:) If not change it to the following:
ROOTDIR=/var/named/chroot
Troubleshooting:
#====================================================
String used to troubleshoot errors when trying to start named:
/usr/sbin/named -g -u named -t /var/named/chroot
Note:: must grep for this command and kill all named processes. They will continue to run unless the machine is restarted or the processes are killed.
#====================================================
Resources:
#====================================================


No comments:

Post a Comment