Setup Primary (Master) DNS Server
Install the bind packages on your server by running the following command:
yum install bind bind-utils -y
1. Configure DNS Server
Edit the ‘/etc/named.conf’ file.
vi /etc/named.conf
Add or change the lines marked with ### comments, and add the learnwithak.local zone block:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; [Master-dns ip]; };   ### Master DNS IP ###
        # listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.1.0/24; };     ### IP Range ###
        allow-transfer  { localhost; [slave-dns ip]; };     ### Slave DNS IP ###

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "learnwithak.local" IN {
        type master;
        file "forward.learnwithak";
        allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
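The options block above decides who may query this server, recurse through it and pull the zone, so it is worth checking mechanically. The following shell check is an added example, not part of the tutorial: it flags an absent or `any` allow-transfer, an absent or `any` allow-query, and recursion reachable from any source, the open-resolver case the comment block in the file warns about. The two sample configurations in the block are constructed for the demo; run the function against /etc/named.conf on both servers.

```shell
#!/bin/sh
# audit_named_conf <file>: flag exposure-relevant settings in a BIND named.conf.
# Exit 0 = clean, 1 = findings printed. Matching is text-based (sed/grep): it
# handles the flat layout used in this tutorial and does not follow includes.

strip_comments() {  # drop //, # and /* ... */ comments, flatten to one line
    sed -e 's|//.*||' -e 's|#.*||' "$1" | tr '\n' ' ' \
        | sed -E 's@/\*([^*]|\*+[^*/])*\*+/@@g'
}

acl_of() {  # acl_of <directive> <text>: print what is inside its { ... }
    printf '%s' "$2" | sed -n "s/.*$1[[:space:]]*{\([^}]*\)}.*/\1/p"
}

is_open() {  # true when an ACL is absent (BIND default: all hosts) or lists any
    [ -z "$1" ] || printf '%s' "$1" | grep -qw any
}

audit_named_conf() {
    body=$(strip_comments "$1"); rc=0
    query=$(acl_of allow-query "$body")
    xfer=$(acl_of allow-transfer "$body")
    recur=$(acl_of allow-recursion "$body")
    if is_open "$xfer"; then
        echo "FINDING: allow-transfer open: any host can pull the zone; list the slave IP only"; rc=1
    fi
    if is_open "$query"; then
        echo "FINDING: allow-query open: restrict to localhost and the client networks"; rc=1
    fi
    if printf '%s' "$body" | grep -Eq 'recursion[[:space:]]+yes[[:space:]]*;' \
            && is_open "$query" && is_open "$recur"; then
        echo "FINDING: recursion for any source: open resolver (amplification abuse)"; rc=1
    fi
    return $rc
}

# Constructed samples: options with BIND defaults only, and a restricted one.
WEAK=$(mktemp); HARDENED=$(mktemp)
cat >"$WEAK" <<'EOF'
options { listen-on port 53 { 127.0.0.1; 172.16.4.10; };
          directory "/var/named"; recursion yes; };
EOF
cat >"$HARDENED" <<'EOF'
options { listen-on port 53 { 127.0.0.1; 172.16.4.10; };   // master
          allow-query { localhost; 172.16.4.0/24; };       ### clients ###
          allow-transfer { localhost; 172.16.4.11; };      /* slave only */
          allow-recursion { localhost; 172.16.4.0/24; };
          recursion yes; };
EOF
```

The slave's named.conf (second half of this page) sets no allow-transfer at all, so the check reports it too; a secondary that nobody transfers from can use allow-transfer { none; }.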
2. Create Forward Zone
Create the forward.learnwithak file in the ‘/var/named’ directory.
vi /var/named/forward.learnwithak
Add the following lines:
$TTL 86400
@       IN  SOA     ehs-dns-master.learnwithak.local. root.learnwithak.local. (
                    2011071001  ;Serial
                    3600        ;Refresh
                    1800        ;Retry
                    604800      ;Expire
                    86400       ;Minimum TTL
)
@       IN  NS      ehs-dns-master.learnwithak.local.
@       IN  NS      ehs-dns-standby.learnwithak.local.   ; NS target, its A record is below
@       IN  A       172.16.4.10
@       IN  A       172.16.4.11
@       IN  A       172.16.4.9
@       IN  A       172.16.4.8
@       IN  A       172.16.4.7
@       IN  A       172.16.4.6
@       IN  A       172.16.4.5
@       IN  A       172.16.4.4
@       IN  A       172.16.5.2
@       IN  A       172.16.5.3
@       IN  A       172.16.5.4
ehs-dns-master          IN  A   172.16.4.10
ehs-dns-standby         IN  A   172.16.4.11
ehs-api-2               IN  A   172.16.4.9
ehs-api-1               IN  A   172.16.4.8
ehs-api-lb              IN  A   172.16.4.7
ehs-api-orchestration   IN  A   172.16.4.6
rabbit-standby          IN  A   172.16.4.5
rabbit-master           IN  A   172.16.4.4
db-slave                IN  A   172.16.5.2
db-master               IN  A   172.16.5.3
ehs-ldap                IN  A   172.16.5.4
3. Start the DNS service
Enable and start DNS service:
systemctl enable named
systemctl start named
4. Firewall Configuration
We must allow the DNS service's default port 53 (TCP and UDP) through the firewall.
Add the following lines to /etc/sysconfig/iptables:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
5. Restart Firewall
Run the following command:
sudo systemctl restart iptables
6. Configuring Permissions, Ownership, and SELinux
Run the following commands one by one:
chgrp named -R /var/named
chown -v root:named /etc/named.conf
restorecon -rv /var/named
restorecon /etc/named.conf
7. Test DNS configuration and zone files for any syntax errors
Check DNS default configuration file:
named-checkconf /etc/named.conf
If it returns nothing, your configuration file is valid.
Check Forward zone:
named-checkzone learnwithak.local /var/named/forward.learnwithak
Sample output:
zone learnwithak.local/IN: loaded serial 2011071001 OK
Add the DNS Server details in your network interface config file.
vi /etc/sysconfig/network-scripts/ifcfg-ens160
HWADDR=00:50:56:01:04:20
NAME=ens160
GATEWAY=172.16.4.1
DNS=172.16.4.10
DEVICE=ens160
ONBOOT=yes
USERCTL=no
BOOTPROTO=static
NETMASK=255.255.255.0
IPADDR=172.16.4.10
PEERDNS=yes
check_link_down() { return 1; }
Edit the file /etc/resolv.conf:
vi /etc/resolv.conf
Add the name server IP address:
nameserver 172.16.4.10
Save and close the file.
Restart network service:
systemctl restart network
8. Test DNS Server
dig ehs-dns-master.learnwithak.local
Sample Output:
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.1 <<>> ehs-dns-master.learnwithak.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ehs-dns-master.learnwithak.local. IN A

;; ANSWER SECTION:
ehs-dns-master.learnwithak.local. 86400 IN A 172.16.4.10

;; AUTHORITY SECTION:
learnwithak.local. 86400 IN NS ehs-dns-master.learnwithak.local.
learnwithak.local. 86400 IN NS ehs-dns-standby.learnwithak.local.

;; ADDITIONAL SECTION:
ehs-dns-standby.learnwithak.local. 86400 IN A 172.16.4.11

;; Query time: 0 msec
;; SERVER: 172.16.4.10#53(172.16.4.10)
;; WHEN: Wed Feb 22 13:15:23 UTC 2017
;; MSG SIZE rcvd: 138
nslookup learnwithak.local
Sample Output:
Server: 172.16.4.10
Address: 172.16.4.10#53
Name: learnwithak.local
Address: 172.16.4.11
Name: learnwithak.local
Address: 172.16.5.4
Name: learnwithak.local
Address: 172.16.4.9
Name: learnwithak.local
Address: 172.16.5.2
Name: learnwithak.local
Address: 172.16.4.7
Name: learnwithak.local
Address: 172.16.4.4
Name: learnwithak.local
Address: 172.16.5.3
Name: learnwithak.local
Address: 172.16.4.8
Name: learnwithak.local
Address: 172.16.4.5
Name: learnwithak.local
Address: 172.16.4.6
Name: learnwithak.local
Address: 172.16.4.10
Now the Primary DNS server is ready to use.
It is time to configure our Secondary DNS server.
Setup Secondary (Slave) DNS Server
Install bind packages using the following command:
yum install bind bind-utils -y
1. Configure Slave DNS Server
Edit the ‘/etc/named.conf’ file:
vi /etc/named.conf
Make the changes shown below: the listen-on address, the allow-query range, and the learnwithak.local zone block, which is of type slave here and points at the master.
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 172.16.4.11; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 172.16.4.0/24; };
. . . .
zone "." IN {
        type hint;
        file "named.ca";
};

zone "learnwithak.local" IN {
        type slave;
        file "slaves/learnwithak.fwd";
        masters { 172.16.4.10; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
2. Start the DNS Service
systemctl enable named
systemctl start named
The forward zone is now replicated automatically from the Master DNS server into ‘/var/named/slaves/’ on the Secondary DNS server:
ls /var/named/slaves/
Sample Output:
learnwithak.fwd
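The slave re-transfers the zone only when the master's SOA serial is higher than the one in its copy, so every edit to forward.learnwithak (the forward zone created earlier on this page) has to be followed by a serial bump, and replication is verified by comparing the serial both servers answer with. The helpers below are an added example, not part of the tutorial; they assume the YYYYMMDDnn serial convention of that zone, and the zone file and dig answers in the block are constructed samples.

```shell
#!/bin/sh
# Serial helpers for the YYYYMMDDnn convention used by forward.learnwithak
# (serial 2011071001). A slave re-transfers the zone only when the master's
# serial is higher than the copy it holds, so every edit needs a bump.

current_serial() {  # current_serial <zonefile>: print the SOA serial
    awk '/;[[:space:]]*Serial/ { print $1; exit }' "$1"
}

next_serial() {  # next_serial <old> <YYYYMMDD>: print the next serial
    old=$1 today=$2
    if [ "$old" -lt "${today}00" ]; then
        echo "${today}01"                     # first change of the day
    elif [ "${old%??}" = "$today" ]; then     # same day: bump the nn suffix
        n=$(printf '%s' "${old#"$today"}" | sed 's/^0//'); n=$((n + 1))
        [ "$n" -le 99 ] || { echo "serial space for $today exhausted" >&2; return 1; }
        printf '%s%02d\n' "$today" "$n"
    else
        echo $((old + 1))                     # serial already ahead of today's date
    fi
}

bump_serial() {  # bump_serial <zonefile> [YYYYMMDD]: rewrite the serial in place
    zone=$1 today=${2:-$(date +%Y%m%d)}
    old=$(current_serial "$zone"); [ -n "$old" ] || return 1
    new=$(next_serial "$old" "$today") || return 1
    sed "s/${old}\([[:space:]]*;[[:space:]]*Serial\)/${new}\1/" "$zone" >"$zone.tmp" \
        && mv "$zone.tmp" "$zone" && echo "$new"
}

soa_serial() {  # soa_serial "<dig +short SOA line>": the third field is the serial
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Constructed sample zone: a trimmed copy of the tutorial's forward zone.
ZONE=$(mktemp)
cat >"$ZONE" <<'EOF'
$TTL 86400
@   IN  SOA ehs-dns-master.learnwithak.local. root.learnwithak.local. (
            2011071001  ;Serial
            3600        ;Refresh
            1800        ;Retry
            604800      ;Expire
            86400 )     ;Minimum TTL
@   IN  NS  ehs-dns-master.learnwithak.local.
EOF
# Constructed answers to: dig +short SOA learnwithak.local @172.16.4.10 and @172.16.4.11
MASTER_SOA='ehs-dns-master.learnwithak.local. root.learnwithak.local. 2011071001 3600 1800 604800 86400'
SLAVE_SOA='ehs-dns-master.learnwithak.local. root.learnwithak.local. 2011071001 3600 1800 604800 86400'
```

On the master, run bump_serial /var/named/forward.learnwithak after each zone edit and then reload named; when soa_serial of the two dig answers differs, the slave has not yet picked up the change.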