Sunday 16 February 2014

ELA_34_BIND (Berkeley Internet Name Domain) – DNS (Domain Name System) Config.

A Domain Name Server (DNS server, or nameserver) maps the hostnames of devices to their IP addresses and back. DNS is normally implemented with one or more central servers that are authoritative for a domain and refer queries for other domains to other DNS servers. There are four DNS server configuration types:

Master
Holds the authoritative zone records for the domain it serves. It answers queries about its own domain directly and, if recursion is enabled, resolves queries for other domains through other DNS servers.

Slave
A slave DNS server is also authoritative for the domain; it gets a copy of the zone records from the master by zone transfer and keeps that copy current.

Caching-only
A caching-only DNS server is not authoritative for any zone. Queries whose answer is not in its cache are resolved through other DNS servers (starting from the root hints), and every answer is kept in the cache for the time its TTL allows.

Forwarding
Like a caching-only server, a forwarding DNS server is not authoritative for any zone, but it does not resolve anything itself: all queries are forwarded to a specific list of nameservers.
A nameserver can be master for some zones, slave for others and forward the rest.

Packages

On RHEL6 DNS is provided by the named daemon, shipped in the bind package developed by the Internet Systems Consortium (ISC), plus some additional packages:

bind-chroot
Provides an isolated chroot jail under /var/named/chroot that limits what an attacker can reach if named is compromised.

bind-devel
Includes the development headers and libraries for BIND.

bind-libbind-devel
Contains the libbind resolver library.

bind-libs
Library files used by the bind and bind-utils packages.

bind-sdb
Supports alternative zone databases (the simplified database backend) for BIND.

bind-utils
Includes client tools such as dig, host and nslookup that query DNS information about an Internet host.

DNS client

/etc/nsswitch.conf

When a Linux computer looks up the IP address of another computer it consults two sources: the /etc/hosts file and the DNS nameservers listed in /etc/resolv.conf. The order in which they are consulted is set by the hosts line of /etc/nsswitch.conf:

$ cat /etc/nsswitch.conf

hosts: files dns


Search first in files (/etc/hosts) and then in dns (the nameservers of /etc/resolv.conf). The sources on this line must be separated by whitespace, not commas.

/etc/hosts

This file is a simple database that maps a numeric IP address to one or more hostnames. It can be edited as a normal text file, with vi for example, to add more entries.

# cat /etc/hosts

127.0.0.1 localhost.localdomain localhost
192.168.1.1 server.info.net server
The first line maps 127.0.0.1 to the short hostname localhost and to the fully qualified hostname localhost.localdomain. The second line maps 192.168.1.1 to the hostname server.info.net and its short alias server.

/etc/resolv.conf

To configure a Linux computer as a DNS client, edit /etc/resolv.conf.

# cat /etc/resolv.conf

search info.net
nameserver 192.168.1.1
With this configuration all DNS queries from this computer are sent to the nameserver at 192.168.1.1. If a short hostname is given, the resolver automatically appends the info.net domain to it.

Note: with hosts: files dns, a name that can be answered from /etc/hosts never reaches the nameserver configured in /etc/resolv.conf; only the /etc/hosts entry is taken as valid. This also means that anyone who can write /etc/hosts can silently redirect any name, so keep the file owned by root and writable by root only.

DNS server with bind

To install the bind nameserver service, install the bind package:

# yum install bind

The bind nameserver working directory is /var/named and the configuration files are stored in /etc as usual:

/etc/sysconfig/named
Configuration file that sets how the named daemon is started on the system (command-line options and, with bind-chroot, the ROOTDIR of the jail).

/etc/named.conf
Main DNS configuration file; it includes data from other files.

/etc/named.rfc1912.zones
Contains the zones for the localhost names and addresses recommended by RFC 1912.

/var/named/my.internal.zone.db
Zone file for the local network.

/var/named/slaves/my.slave.internal.zone.db
Zone file for a slave nameserver.

/var/named/localdomain.zone
Zone file for the localdomain domain.

/var/named/localhost.zone
Zone file for the localhost computer.

/var/named/named.broadcast
Reverse zone for the broadcast addresses (255.in-addr.arpa), served locally so that such queries never leave the host.

/var/named/named.ca
List of the Internet root DNS servers (the root hints) that the nameserver consults when it has to start a resolution from scratch.

/var/named/named.ip6.local
IPv6 counterpart of named.local: the reverse zone for ::1.

/var/named/named.zero
Reverse zone for the 0.0.0.0 network (0.in-addr.arpa), served locally for the same reason as named.broadcast.

/var/named/data/named_stats.txt
Nameserver statistics, written when rndc stats is run.

Templates of these files can be found in /usr/share/doc/bind*/sample. If the bind-chroot package is installed the nameserver working directory is /var/named/chroot/var/named and the configuration directory is /var/named/chroot/etc.

Caching-only nameserver

When a DNS query reaches a caching-only nameserver, it is resolved through other nameservers if the answer is not already in the cache. When the answer comes back, the caching-only nameserver stores it in its cache and returns it to the client that made the query. If somebody repeats the same query it is answered directly (and faster) from the cache, for as long as the record's TTL allows.

To configure a caching-only nameserver for your whole LAN, only two lines of the /etc/named.conf installed by the bind RPM must be changed:

listen-on port 53 { 127.0.0.1; }; --> listen-on port 53 { 127.0.0.1; 192.168.1.10; };

allow-query { localhost; }; --> allow-query { localhost; 192.168.1.0/24; };

The first line makes the bind service listen on the loopback (127.0.0.1) and LAN (192.168.1.10) interfaces. The second line allows every host on the 192.168.1.0/24 LAN to use this server as nameserver, once the service is started and the firewall opened. Keep allow-query limited to the networks you actually serve: a recursive server that answers anyone on the Internet is an open resolver and will be abused as an amplifier in DNS reflection attacks.

The configuration file for a caching-only nameserver is as follows :

# cat /etc/named.conf

options {
listen-on port 53 { 127.0.0.1; 192.168.1.10; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 192.168.1.0/24; };
recursion yes;

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";


Once this is done, start the named daemon and make sure it starts on boot. Apply the security considerations described in 'DNS security' as well. Note that the dnssec-lookaside auto option of the sample file refers to ISC's DLV registry, which ISC shut down in 2017; on current BIND versions remove that line (and the bindkeys-file one) and rely on dnssec-validation alone:

# /etc/init.d/named start
# chkconfig named on


With this configuration a caching-only nameserver serves name resolution on 192.168.1.10 for the whole 192.168.1.0/24 LAN. Have a look at lab1...

Forward nameserver

This kind of nameserver only needs one extra configuration option in /etc/named.conf: the list of nameservers to which all DNS queries are forwarded. The /etc/named.conf installed by default with the bind RPM (the caching-only configuration above) becomes a forwarding nameserver configuration by adding the following lines to the 'options' section:

# Set the nameserver type to forward only
forward only;

# Nameservers to which all DNS queries are forwarded
forwarders { 192.168.1.20; 192.168.1.30; };

The configuration file for a forwarding-only nameserver is as follows :

# cat /etc/named.conf

options {
listen-on port 53 { 127.0.0.1; 192.168.1.10; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 192.168.1.0/24; };
recursion yes;

forward only;
forwarders {192.168.1.20; 192.168.1.30; };


dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";


With this configuration the nameserver forwards every query it cannot answer from its cache only to the 192.168.1.20 and 192.168.1.30 DNS servers and never contacts the root servers itself (with forward first instead of forward only it would fall back to normal recursion when the forwarders do not answer). The nameserver is caching + forwarding.

Once this is done, start the named daemon and make sure it starts on boot. Apply the security considerations described in 'DNS security' as well:

# /etc/init.d/named start
# chkconfig named on

Master nameserver

When a nameserver is configured to serve name resolution for a specific domain (a local domain or an Internet domain), it holds the authoritative DNS records for that domain. Other nameservers consult it when they resolve a name in the domain for which it is authoritative.

To configure a nameserver as master for a domain, the bind RPM must be installed. Next, copy /usr/share/doc/bind*/sample/etc/named.conf to /etc/named.conf (or to /var/named/chroot/etc/named.conf if the bind-chroot package is also installed) and make the following changes:

# Make the named daemon listen on the nameserver's IPv4 address (192.168.1.10 in this case) plus the loopback address (127.0.0.1)
listen-on port 53 { 127.0.0.1; 192.168.1.10; };

# Allow queries (and answers from the cache) only from clients on your LAN plus localhost

allow-query { localhost; 192.168.1.0/24; };
allow-query-cache { localhost; 192.168.1.0/24; };


# In 'view localhost_resolver' and 'view internal' add the forward and reverse zones. The forward zone file maps the hostnames of your domain to their IP addresses; the reverse zone file maps the IP addresses back to their hostnames

view localhost_resolver {
...
# Direct authoritative zone file for our domain 'info.net'
zone "info.net" {
type master;
file "info.net.zone";
};
# Reverse authoritative zone file for our domain 'info.net'
zone "1.168.192.in-addr.arpa" IN {
type master;
file "info.net.rr.zone";
allow-update { none; };
};
};


# Do the same in 'view internal': replace 'zone "my.internal.zone"' with 'zone "info.net"' and add the same reverse zone as in 'view localhost_resolver'.

# In 'view internal' comment out the whole 'zone "my.ddns.internal.zone"' block; this nameserver is not going to be updated dynamically...

# The sample file also defines a TSIG key, ddns_key, which the commented-out dynamic zone uses to authenticate update requests (allow-update { key ddns_key; }): named rejects updates that are not signed with it. The same shared-secret mechanism protects the rndc control channel, where the key in /etc/named.conf and the one in the rndc configuration (/etc/rndc.conf, or /etc/rndc.key as generated by rndc-confgen -a) must be identical. The secret below is the one shipped in the sample file and is therefore public: generate your own (for example with dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST ddns_key) and prefer hmac-sha256 to hmac-md5 if you ever enable dynamic updates.

key ddns_key {
algorithm hmac-md5;
secret "N7ypFzAWQrEo2nzwigHPKA==";
};


# Remove the 'view external' section; this nameserver is not going to answer DNS queries from clients outside the LAN.

After all these changes /etc/named.conf looks as follows:

# cat /etc/named.conf

options
{
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // "Working" directory
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";


listen-on port 53 { 127.0.0.1; 192.168.1.10; };
//listen-on port 53 { 127.0.0.1; };

listen-on-v6 port 53 { any; };
//listen-on-v6 port 53 { ::1; };


allow-query { localhost; 192.168.1.0/24; };
allow-query-cache { localhost; 192.168.1.0/24; };

// Enable/disable recursion - recursion yes/no;
recursion yes;

/* DNSSEC related options. See information about keys ("Trusted keys", below) */

/* Enable serving of DNSSEC related data - enable on both authoritative
and recursive servers DNSSEC aware servers */
dnssec-enable yes;

/* Enable DNSSEC validation on recursive servers */
dnssec-validation yes;

/* Enable DLV by default, use built-in ISC DLV key. */
dnssec-lookaside auto;
};

logging
{
channel default_debug {
file "data/named.run";
severity dynamic;
};
};


view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
* If all you want is a caching-only nameserver, then you need only define this view:
*/
match-clients { localhost; };
recursion yes;

# all views must contain the root hints zone:
zone "." IN {
type hint;
file "/var/named/named.ca";
};

/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* not leak to the other nameservers:
*/
include "/etc/named.rfc1912.zones";

zone "info.net" {
type master;
file "info.net.zone";
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "info.net.rr.zone";
allow-update { none; };
};
};
view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
that connect via your directly attached LAN interfaces - "localnets" .
*/
match-clients { localnets; };
recursion yes;

zone "." IN {
type hint;
file "/var/named/named.ca";
};

/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* not leak to the other nameservers:
*/
include "/etc/named.rfc1912.zones";

// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :

//zone "my.internal.zone" {
// type master;
// file "my.internal.zone.db";
//};
zone "my.slave.internal.zone" {
type slave;
file "slaves/my.slave.internal.zone.db";
masters { /* put master nameserver IPs here */ 127.0.0.1; };
// put slave zones in the slaves/ directory so named can update them
};
//zone "my.ddns.internal.zone" {
// type master;
// allow-update { key ddns_key; };
// file "dynamic/my.ddns.internal.zone.db";
// // put dynamically updateable zones in the slaves/ directory so named can update them
//};

zone "info.net" {
type master;
file "info.net.zone";
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "info.net.rr.zone";
allow-update { none; };
};

};

key ddns_key
{
algorithm hmac-md5;
secret "N7ypFzAWQrEo2nzwigHPKA==";
};
...


Now it is time to create the forward and reverse zone files in /var/named for our domain 'info.net'. The NS, MX and SOA continuation lines start with whitespace on purpose: a record whose owner field is blank belongs to the previous owner (here @, the zone apex), whereas a line starting in the first column is read as a new owner name.

# cat /var/named/info.net.zone

$TTL 86400
@       IN SOA  rhel6.info.net. root.rhel6.info.net. (
                42      ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        IN NS   rhel6
        IN MX   10 rhel6
node01  IN A    192.168.1.101
node02  IN A    192.168.1.102
rhel6   IN A    192.168.1.10
server  IN CNAME rhel6
www     IN CNAME rhel6
ftp     IN CNAME rhel6


# cat /var/named/info.net.rr.zone

$TTL 86400
@       IN SOA  rhel6.info.net. root.rhel6.info.net. (
                1997022700 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS   rhel6.info.net.
101     IN PTR  node01.info.net.
102     IN PTR  node02.info.net.
10      IN PTR  rhel6.info.net.
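Before loading the two files it is worth checking that they agree with each other, which named-checkzone does not do (it validates the syntax of one file at a time). The following script is an added example written for this page, not part of BIND or of the original post: it parses the two zone files above (embedded here as constructed input, with the zone origins info.net and 1.168.192.in-addr.arpa taken from the named.conf above), understands only the zone-file syntax those files use, and reports A records without a matching PTR, PTR records that point at a name without that address, CNAMEs whose target does not exist, and NS or MX records whose target has no A record (an NS or MX must never point at a CNAME).

```python
"""Cross-check a forward zone against its in-addr.arpa reverse zone.
Added example for this page, not part of BIND. Only the zone-file subset used
on this page is understood; the zone texts are the page's own files."""
import re

FORWARD_ZONE = """\
$TTL 86400
@       IN SOA  rhel6.info.net. root.rhel6.info.net. (
                42      ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        IN NS   rhel6
        IN MX   10 rhel6
node01  IN A    192.168.1.101
node02  IN A    192.168.1.102
rhel6   IN A    192.168.1.10
server  IN CNAME rhel6
www     IN CNAME rhel6
ftp     IN CNAME rhel6
"""
REVERSE_ZONE = """\
$TTL 86400
@       IN SOA  rhel6.info.net. root.rhel6.info.net. (
                1997022700 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS   rhel6.info.net.
101     IN PTR  node01.info.net.
102     IN PTR  node02.info.net.
10      IN PTR  rhel6.info.net.
"""
TTL_TOKEN = re.compile(r"\d+[smhdw]?", re.I)   # a per-record TTL such as 3600 or 1D


def _fqdn(name, origin):
    """Absolute form of a zone-file name, relative to the zone origin."""
    origin = origin.rstrip(".") + "."
    return origin if name == "@" else name if name.endswith(".") else name + "." + origin


def _logical_lines(text):
    """Drop ';' comments and join a record spread over several lines inside ( )."""
    lines, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf = [line] if depth == 0 else buf + [line.strip()]
        depth += line.count("(") - line.count(")")
        if depth == 0:
            lines.append(" ".join(buf))
    return lines


def parse_zone(text, origin):
    """Return [(owner_fqdn, TYPE, [rdata tokens]), ...]."""
    records, owner = [], _fqdn("@", origin)
    for line in _logical_lines(text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0].startswith("$"):                # $TTL: not needed for this check
            continue
        if not line[0].isspace():                    # a leading blank keeps the previous owner
            owner = _fqdn(tokens.pop(0), origin)
        if TTL_TOKEN.fullmatch(tokens[0]):           # optional per-record TTL
            tokens.pop(0)
        if tokens[0].upper() in ("IN", "CH", "HS"):  # optional class
            tokens.pop(0)
        records.append((owner, tokens.pop(0).upper(), tokens))
    return records


def _ptr_to_ip(owner):                               # 101.1.168.192.in-addr.arpa. -> 192.168.1.101
    return ".".join(reversed(owner.rstrip(".").split(".")[:-2]))


def check_consistency(fwd_text, fwd_origin, rev_text, rev_origin):
    """Sorted list of problems; an empty list means the two zones agree."""
    a, cname, hosts, problems = {}, {}, [], []
    for owner, rtype, rdata in parse_zone(fwd_text, fwd_origin):
        if rtype == "A":
            a.setdefault(owner, set()).add(rdata[0])
        elif rtype == "CNAME":
            cname[owner] = _fqdn(rdata[0], fwd_origin)
        elif rtype in ("NS", "MX"):                  # must name a host with an address, not a CNAME
            hosts.append((owner, rtype, _fqdn(rdata[-1], fwd_origin)))
    ptr = {_ptr_to_ip(o): _fqdn(r[0], rev_origin)
           for o, t, r in parse_zone(rev_text, rev_origin) if t == "PTR"}
    for name, ips in a.items():
        for ip in ips:
            if ip not in ptr:
                problems.append("%s A %s: no PTR record" % (name, ip))
            elif ptr[ip] != name:
                problems.append("%s A %s: PTR points to %s" % (name, ip, ptr[ip]))
    for ip, target in ptr.items():
        if ip not in a.get(target, ()):
            problems.append("PTR %s -> %s: no matching A record" % (ip, target))
    for alias, target in cname.items():
        if target not in a and target not in cname:
            problems.append("%s CNAME %s: dangling target" % (alias, target))
    for owner, rtype, target in hosts:
        if target.endswith(_fqdn("@", fwd_origin)) and target not in a:
            problems.append("%s %s %s: no A record for target" % (owner, rtype, target))
    return sorted(problems)
```

Run check_consistency(FORWARD_ZONE, "info.net", REVERSE_ZONE, "1.168.192.in-addr.arpa") and an empty list means the page's two files agree; change a single PTR target and both the A record without a return pointer and the orphaned PTR are reported. The checker is deliberately strict about CNAMEs because a dangling alias is the classic subdomain-takeover foothold.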


Once the forward and reverse zone files have been created, make them readable by the named user (the chown below does that; root:named with mode 0640 is enough for static zones and keeps a compromised named from rewriting its own zone data), check them with named-checkconf -z, which loads every configured zone and reports errors before the service goes down with a broken file, and restart the named service:

# chown named:named info.net.zone info.net.rr.zone
# /etc/init.d/named restart


Now, from node01, with rhel6 configured as nameserver for the info.net domain, we can test forward and reverse name resolution against the info.net domain:

node01> cat /etc/resolv.conf

search info.net
nameserver 192.168.1.10


# Forward www.info.net name resolution

node01> dig www.info.net
...
;; ANSWER SECTION:
www.info.net. 86400 IN CNAME rhel6.info.net.
rhel6.info.net. 86400 IN A 192.168.1.10
...
;; SERVER: 192.168.1.10#53(192.168.1.10)


# Reverse 192.168.1.102 resolution

node01> dig -x 192.168.1.102
...
;; ANSWER SECTION:
102.1.168.192.in-addr.arpa. 86400 IN PTR node02.info.net.
...
;; SERVER: 192.168.1.10#53(192.168.1.10)

Slave nameserver

To configure a nameserver as slave for a domain, add the following to the internal view (the master is 192.168.1.50 in this example):

zone "example.org" IN {
type slave;
file "slaves/example.org.db";
masters { 192.168.1.50; };
};


The slave's job is simpler: it periodically checks the SOA serial on the master (192.168.1.50 here) and, whenever the serial has increased, transfers the zone and writes its copy to /var/named/slaves/example.org.db, a directory named is allowed to write to. The master must permit the transfer: restrict it with the allow-transfer option in the zone (or options) section of the master's named.conf, listing only the slave's address, because the BIND 9 version shipped with RHEL6 lets any host transfer a zone by default, and a full zone transfer hands an attacker the complete list of hosts in the domain.

The dig command requests a zone transfer exactly as a slave (or an attacker) would, so it shows whether the master hands out the zone to the host it is run from. From the slave nameserver execute:

# dig @master_nameserver_ip example.org axfr

This does not load anything into the slave; to make the slave refresh its copy right away use rndc refresh example.org (or rndc retransfer example.org to discard the copy and transfer the zone again).
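The two exposures that matter most for the configurations on this page, a server that recurses for hosts outside allow-query (the caching-only and forwarding sections) and a master that hands its zone to anyone asking for an AXFR (this section), can both be checked from any host with the following script. It is an added example written for this page, not BIND tooling or code from the original post: it builds the DNS messages itself from the RFC 1035 wire format, so it runs with the Python standard library alone. The server address 192.168.1.10, the zone info.net and the probe name www.example.com are assumptions. From a host outside 192.168.1.0/24 both probes should come back refused because of allow-query; from a LAN host the AXFR probe shows whether allow-transfer is restricted.

```python
"""Probe a nameserver for open recursion and unrestricted zone transfers.
Added example for this page, not BIND's own tooling. Messages follow the
RFC 1035 wire format; the response parsing stops at the header, which is all
the verdicts need. Addresses and names below are assumed values."""
import random
import socket
import struct

QTYPE_A, QTYPE_AXFR = 1, 252
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Encode 'www.info.net' as length-prefixed labels ending in a zero byte."""
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def build_query(name, qtype, txid=None, rd=True):
    """One-question DNS message; the RD flag asks the server to recurse for us."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg):
    """Fields of the 12-byte header that the verdicts below rely on."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "answers": an,
            "rcode": RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))}


def classify_recursion(query, response):
    """Verdict from one UDP exchange for a name the server is not authoritative for."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        return "bogus reply"
    if r["rcode"] == "REFUSED":
        return "closed (REFUSED)"            # allow-query / allow-recursion did their job
    if r["ra"] and r["answers"] > 0:
        return "OPEN RESOLVER"               # it recursed and answered for a stranger
    return "recursion not offered"


def classify_axfr(query, first_message):
    """Verdict from the first TCP message of an AXFR reply."""
    q, r = parse_header(query), parse_header(first_message)
    if r["id"] != q["id"] or not r["qr"]:
        return "bogus reply"
    if r["rcode"] in ("REFUSED", "NOTAUTH"):
        return "transfer denied (%s)" % r["rcode"]
    if r["rcode"] == "NOERROR" and r["answers"] > 0:
        return "ZONE TRANSFERABLE"           # anyone can enumerate every host in the zone
    return "no data (%s)" % r["rcode"]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_recursion(server, name="www.example.com", timeout=3):
    """UDP query for an outside name, sent as a client outside allow-query would."""
    query = build_query(name, QTYPE_A)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        response, _ = s.recvfrom(4096)
    return classify_recursion(query, response)


def probe_axfr(server, zone, timeout=5):
    """AXFR over TCP (two-byte length prefix), the same request 'dig axfr' makes."""
    query = build_query(zone, QTYPE_AXFR, rd=False)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        first = _recv_exact(s, length)
    return classify_axfr(query, first)


if __name__ == "__main__":
    # Assumed master address and zone from this page; run from outside and inside the LAN.
    print("recursion:", probe_recursion("192.168.1.10"))
    print("axfr:     ", probe_axfr("192.168.1.10", "info.net"))
```

The verdict functions are separated from the network code so the decision logic can be exercised on captured packets; the socket helpers only send one query each and never retry, which is what you want from a probe that may be pointed at a server you do not own.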

DNS security

As said before, the bind nameserver service can be hardened by running it in an isolated chroot jail under /var/named/chroot, which only requires installing the bind-chroot package. All the files described in this session are still valid with bind-chroot, but they live inside the jail under /var/named/chroot (the package sets ROOTDIR in /etc/sysconfig/named so that named starts chrooted):

# yum install bind-chroot

The nameserver must also be reachable through the firewall. Port 53 must be open for UDP and for TCP (TCP carries zone transfers and any answer too large for a UDP datagram, such as DNSSEC-signed responses), for the clients that are allowed to query. The chain name must match the one used in /etc/sysconfig/iptables (RHEL6 uses INPUT by default; RH-Firewall-1-INPUT is the RHEL5 name):

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

The firewall decides who can reach port 53; named.conf decides what they may do. Keep allow-query and allow-query-cache limited to the networks you serve (an open recursive resolver is used as an amplifier in DNS reflection attacks) and restrict zone transfers with allow-transfer to the addresses of your slaves.

named is also confined by SELinux: when SELinux is enforcing, the service runs in its own domain (named_t) and can only touch files labelled for it, a confinement comparable to the chroot jail installed by the bind-chroot RPM. The static configuration of this session works with the default policy; the following boolean is only needed when named has to write master zone files itself, for example for dynamic updates:


# setsebool -P named_write_master_zones 1

DNS and Internet

DNS is an Internet-wide distributed database that maps domain names to IP addresses. The information you publish in it must be up to date and properly formatted; many network problems are caused by poorly administered DNS servers:

* Time
A change made on a DNS server connected to the Internet is only seen everywhere once the old record has expired from every resolver's cache, that is after the TTL the record was served with (86400 seconds, one day, with the $TTL used above). In practice allow up to 48 h, and lower the TTL ahead of a planned change.

* Increment the serial number
Every time the zone file changes, the serial number in the SOA record must be increased before the service is reloaded, because slaves and other DNS servers only fetch the zone again when they see a serial higher than the one they hold. If the serial is not increased the change is NOT propagated. The usual convention is YYYYMMDDnn (the date plus a two-digit change counter), which grows naturally and stays well below the 32-bit limit.
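The serial rule is easy to get wrong by hand. The following script is an added example written for this page, not part of BIND or of the original post: given the text of a zone file it finds the SOA serial and replaces it with the next value under the YYYYMMDDnn convention, falling back to serial + 1 when the file already carries today's value or a larger number, and refusing a jump that RFC 1982 serial arithmetic would make slaves treat as a decrease. The embedded zone snippet is the SOA of the forward zone above, kept as constructed input.

```python
"""Bump the SOA serial of a zone file before reloading named.
Added example for this page, not part of BIND. New serials follow the
YYYYMMDDnn convention; a serial already at or past today's value is simply
incremented, and a change that RFC 1982 serial arithmetic would make slaves
read as a decrease is refused. SAMPLE_ZONE is the SOA of the page's forward
zone, embedded as constructed input."""
import re
from datetime import date

# SOA mname rname [(] [; comment] serial ...: the first integer after the two
# names is the serial, whether or not the record is wrapped in parentheses.
SOA_SERIAL = re.compile(r"\bSOA\s+\S+\s+\S+\s*\(?(?:\s*;[^\n]*)*\s*(\d+)")

SAMPLE_ZONE = """\
$TTL 86400
@       IN SOA  rhel6.info.net. root.rhel6.info.net. (
                42      ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        IN NS   rhel6
rhel6   IN A    192.168.1.10
"""


def next_serial(current, today=None):
    """Smallest valid serial above `current`; `today` is a date or an int YYYYMMDD."""
    day = today if isinstance(today, int) else int((today or date.today()).strftime("%Y%m%d"))
    new = day * 100 if day * 100 > current else current + 1   # YYYYMMDD00, else just +1
    if new > 0xFFFFFFFF:
        raise ValueError("serial does not fit in 32 bits")
    # RFC 1982: slaves only see `new` as newer if the increase is below 2**31
    if not 0 < (new - current) % 2**32 < 2**31:
        raise ValueError("%d -> %d is not an RFC 1982 increment" % (current, new))
    return new


def current_serial(zone_text):
    """Serial currently in the SOA of the zone text."""
    m = SOA_SERIAL.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found")
    return int(m.group(1))


def bump_serial(zone_text, today=None):
    """Return (new_zone_text, new_serial); only the serial digits change."""
    m = SOA_SERIAL.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found")
    new = next_serial(int(m.group(1)), today)
    return zone_text[:m.start(1)] + str(new) + zone_text[m.end(1):], new


if __name__ == "__main__":
    text, serial = bump_serial(SAMPLE_ZONE)
    print("serial 42 ->", serial)
    print(text, end="")
```

Write the returned text back over the zone file and then reload named; the serial 42 of the page's forward zone becomes 2014021600 on the day this post was written, and a second edit the same day gives 2014021601.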
