Tuesday, September 18, 2012

DNS / BIND Server Configuration


What is DNS?
DNS stands for Domain Name System. It is a name resolution service that resolves a human-friendly name (such as www.example.com) into an IP address (192.168.0.10). DNS is a hierarchical, distributed database that holds the mappings from domain names to IP addresses.
Why DNS?
Because people and applications connect to computers on the network by specifying a name. DNS offers superior scalability, security and compatibility with the Internet.
The different types of DNS servers are:
1. Primary DNS server
A primary DNS server is created when a primary zone is added. It is the DNS server that holds the primary zone for a particular domain and acts as the zone's central point of update. Newly created zones are always of this type.
2. Secondary DNS server
A DNS server hosting a secondary zone is called a secondary DNS server. There can be any number of secondary servers for a primary. If the primary server is down, a secondary server provides name resolution for the zone until the primary is available again.
3. Caching-only servers
This type of DNS server holds no zones at all and depends purely on caching: it contains only the information it has cached while resolving queries.
4. Stub servers
A DNS server hosting a stub zone. Such a server holds a copy of a zone that contains only the list of authoritative DNS servers for its master zone.
5. Forwarders
Forwarding is the process of resolving external queries through a forwarder. It reduces network traffic on WAN links, and the forwarder acts as a firewall that provides a layer of security from the external network.
Here we are going to set up a primary DNS server on a RHEL 6 / CentOS 6 server.

Scenario
This is the setup of a typical organization, Example.com. It consists of a web server, a mail server and an FTP server on the internal network, which uses the 172.16.0.0/16 addressing scheme. We need to set up the primary DNS server best suited to this network.
I used a RHEL 6 x86_64 server to host the DNS server, named server.example.com. The server has two NICs, eth0 and eth1, connected to the Internet and to the internal network respectively. The server's network configuration is:
eth0
IP address - 192.168.1.254
Subnet mask - 255.255.255.0
Gateway - 192.168.1.1 (address of the internet modem)
DNS server - 192.168.1.1 (address of the internet modem)

eth1
IP address - 172.16.0.1
Subnet mask - 255.255.255.0
DNS server - 172.16.0.1
Setting up DNS server
Packages required -
bind-9.7.0-5.P2.el6.x86_64.rpm
bind-chroot-9.7.0-5.P2.el6.x86_64.rpm
To set up the DNS server we need to install the BIND package from the yum repository.
[root@server ~]# yum install bind*
or simply
[root@server ~]# yum install bind
If you have correctly configured your yum repository with your installation media, the command above installs the BIND DNS server components.
Configuration files -
/etc/named.conf
/var/named/chroot/etc/named.conf
By default, BIND is configured as a caching-only name server that only accepts queries from localhost. We need to modify the file "/var/named/chroot/etc/named.conf" so that it accepts queries from other clients and listens on the interface we choose for incoming connections.
We also have to create the zones for our domain "example.com". So edit the configuration file "/var/named/chroot/etc/named.conf" to look like the one below.
[root@server ~]# vim /var/named/chroot/etc/named.conf

===========================================================================
// Red Hat BIND Configuration Tool
// Default initial "Caching Only" name server configuration
// Internal network: only these clients may use this server as a recursive resolver
acl "example" { 172.16.0.0/16; };
options {
// Listen only on the internal interface (eth1), not on the internet-facing eth0
listen-on port 53 { 172.16.0.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
// Recursion for the internal ACL only, so the server is not an open resolver
allow-recursion { example; };
// No zone transfers unless a zone statement says otherwise
allow-transfer { none; };
// Anyone may ask for our authoritative data
allow-query { any; };
notify no;
transfer-format many-answers;
interface-interval 0;
max-transfer-time-in 60;
// Hide the real BIND version from version.bind (CHAOS) queries
version "Not Available";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below.  Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
dnssec-enable yes;
dnssec-validation yes;
// ISC retired the dlv.isc.org lookaside registry in 2017; on a current BIND
// release leave out this line and the trusted-keys block at the end.
dnssec-lookaside . trust-anchor dlv.isc.org.;
};
// a caching only nameserver config
// rndc control channel: local connections only, authenticated with the keys below
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; rndc-key; };
};
server 172.16.0.1 {
keys { rndckey; };
};
zone "." IN {
type hint;
file "named.root";
};
// Now register your domain name and database/zone file
// record, preferably before the line "include /etc/rndc.key".
// You can also keep the zone entries in a separate
// file and pull it in with "include /etc/myinternalzonefile.zones" in this named.conf.
// Forward zone registration
zone "example.com" IN {
type master;
file "example.for";
allow-transfer { none; };
};
// Reverse zone registration
zone "0.16.172.in-addr.arpa" IN {
type master;
file "example.rev";
allow-transfer { none; };
};
// Include the rndc keys like below (copy-paste from the rndc.key created earlier).
// hmac-md5 is what rndc-confgen generated on RHEL 6; prefer hmac-sha256 where supported.
key rndckey {
algorithm hmac-md5;
secret "Hi1V+y3WixmfEfGqrebKRA==";
};
key rndc-key {
algorithm hmac-md5;
secret "AoXEyjm6UUKu4cKqFoFMRg==";
};
// DLV trust anchor for dnssec-lookaside above (obsolete since 2017, see note there)
trusted-keys {
dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";
};
===========================================================================
save and quit (Esc :wq)
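The settings in the options block above decide whether this server becomes an open resolver or leaks its version. As an added check (not part of the original post), the following Python script reads an options block of this shape and flags the four settings that matter most: recursion open to everyone, unrestricted zone transfers, the version string left at its default, and listening on every interface. HARDENED is the post's options block; OPEN is a constructed weak variant for comparison. The parser is a small hand-written one for this purpose, not BIND's own.

```python
"""Audit the exposure-related settings in a BIND 'options' block.
Added example, not part of the original post; HARDENED is the options block
from the post, OPEN is a constructed weak variant for comparison."""
import re

HARDENED = """
acl "example" { 172.16.0.0/16; };
options {
    listen-on port 53 { 172.16.0.1; };
    directory "/var/named";
    allow-recursion { example; };
    allow-transfer { none; };
    allow-query { any; };
    version "Not Available";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below.
     */
    // query-source address * port 53;
    dnssec-enable yes;
};
"""

OPEN = """
options {
    listen-on port 53 { any; };
    recursion yes;
    allow-query { any; };
};
"""

def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def block_body(text, name):
    """Text between the braces of the top-level '<name> { ... };' block,
    matching nested braces (address lists inside statements)."""
    text = strip_comments(text)
    m = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]

def statement(body, key):
    """Value of the statement 'key ...;' or None; the scan stops at the first
    ';' outside braces, so 'allow-recursion { example; };' gives '{ example; }'."""
    m = re.search(r"(?m)^\s*%s\b" % re.escape(key), body)
    if not m:
        return None
    depth, i = 0, m.end()
    while i < len(body) and not (body[i] == ";" and depth == 0):
        depth += {"{": 1, "}": -1}.get(body[i], 0)
        i += 1
    return " ".join(body[m.end():i].split())

def address_list(value):
    """Elements of the '{ a; b; }' part of a statement value, if any."""
    m = re.search(r"\{(.*)\}", value or "")
    return [t.strip() for t in m.group(1).split(";") if t.strip()] if m else []

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    opts = block_body(conf, "options")
    findings = []
    allow_rec = address_list(statement(opts, "allow-recursion"))
    if (statement(opts, "recursion") or "yes") == "yes" and (not allow_rec or "any" in allow_rec):
        findings.append("recursion is on but allow-recursion is missing or 'any': restrict "
                        "it to the internal ACL so the server is not an open resolver")
    transfer = address_list(statement(opts, "allow-transfer"))
    if not transfer or "any" in transfer:
        findings.append("allow-transfer is missing or 'any': set { none; } globally "
                        "and allow only the secondaries per zone")
    if statement(opts, "version") is None:
        findings.append("version is not overridden: the real BIND version is "
                        "disclosed in answers to CHAOS-class version.bind queries")
    if "any" in address_list(statement(opts, "listen-on")):
        findings.append("listen-on is 'any': the internet-facing interface also "
                        "gets a DNS listener; bind to the internal address instead")
    return findings

if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED), ("open", OPEN)):
        print(label, "->", audit(conf) or ["no findings"])
```

Run on the post's block the script reports nothing; on the OPEN variant it reports all four findings. Note that allow-query { any; } is not flagged: answering non-recursive queries for the zones you are authoritative for is the point of the server, and the exposure comes from recursion, transfers and the listening address.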
Here we have declared that the forward zone file is "example.for", whose exact location is "/var/named/chroot/var/named/example.for", and that the reverse zone file is "/var/named/chroot/var/named/example.rev".
So create these files as below.
[root@server ~]# vim /var/named/chroot/var/named/example.for

==========================================================================
$TTL 86400
@    IN    SOA    server.example.com. hostmaster.example.com. (
2010041106 ; Serial
1H ; Refresh
1M ; Retry
1W ; Expire
1D ; Negative caching TTL (minimum)
)
; name server for the zone; the trailing dot makes the name absolute
@       IN      NS      server.example.com.
@       IN      MX      10      mail.example.com.
server  IN      A       172.16.0.1
; service names are aliases of the server host
www     IN      CNAME   server
mail    IN      CNAME   server
pop     IN      CNAME   server

station1        IN      A       172.16.0.101
station2        IN      A       172.16.0.102
station3        IN      A       172.16.0.103
station4        IN      A       172.16.0.104
station5        IN      A       172.16.0.105

www1    IN      CNAME   station1
www2    IN      CNAME   station2
www3    IN      CNAME   station3
www4    IN      CNAME   station4
www5    IN      CNAME   station5
==========================================================================
save and quit (Esc :wq)
and
[root@server ~]# vim /var/named/chroot/var/named/example.rev

===========================================================================
$TTL 86400
@ IN SOA        server.example.com.   hostmaster.example.com. (
2010041102 ; Serial
1H ; Refresh
1M ; Retry
1W ; Expire
1D ; Negative caching TTL (minimum)
)
@       IN  NS   server.example.com.
; 1 is relative to the zone origin, i.e. 1.0.16.172.in-addr.arpa = 172.16.0.1
1       IN  PTR  server.example.com.
=========================================================================
save and quit (Esc :wq)
That's all. Now you can check the syntax of your current configuration.
[root@server ~]# named-checkzone example.com /var/named/chroot/var/named/example.for
[root@server ~]# named-checkzone 0.16.172.in-addr.arpa /var/named/chroot/var/named/example.rev
These commands report any errors in the zone files. The first argument must be the name of the zone the file belongs to, which for the reverse file is 0.16.172.in-addr.arpa, not example.com.
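named-checkzone catches syntax errors, but not the mistakes that merely make a zone wrong: an FQDN in SOA, NS, MX or PTR data that lacks its trailing dot (BIND silently appends the origin), a CNAME aimed at a name that does not exist, or a host with an A record but no PTR in the reverse zone. The following is an added example, not from the original post, that parses both zone files with a small hand-written reader and cross-checks them. The zone texts are constructed from the post's example.for and example.rev, shortened to two workstations; run against them it reports that station1 and station2 have no PTR records, which is exactly the state the post's reverse file is in.

```python
"""Cross-check a BIND forward zone against its reverse zone.  Added example,
not from the post; the zone texts below are constructed from the post's
example.for and example.rev, shortened to two workstations."""
import ipaddress
import re

ORIGIN = "example.com."
REV_ORIGIN = "0.16.172.in-addr.arpa."

FORWARD_ZONE = """\
$TTL 86400
@        IN  SOA  server.example.com. hostmaster.example.com. (
         2010041106 ; Serial
         1H         ; Refresh
         1M         ; Retry
         1W         ; Expire
         1D )       ; Negative caching TTL
@        IN  NS     server.example.com.
@        IN  MX     10 mail.example.com.
server   IN  A      172.16.0.1
www      IN  CNAME  server
mail     IN  CNAME  server
station1 IN  A      172.16.0.101
station2 IN  A      172.16.0.102
www1     IN  CNAME  station1
"""

REVERSE_ZONE = """\
$TTL 86400
@   IN  SOA  server.example.com. hostmaster.example.com. ( 2010041102 1H 1M 1W 1D )
@   IN  NS   server.example.com.
1   IN  PTR  server.example.com.
"""

def absolute(name, origin):
    """Qualify a name the way BIND does: '@' is the origin and a name without
    a trailing dot is relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else "%s.%s" % (name, origin)

def parse_zone(text, origin):
    """Minimal zone-file reader returning (owner, type, rdata-tokens) tuples.
    Handles ';' comments, $TTL, '@', owner inheritance and parenthesised
    multi-line records; $ORIGIN, $INCLUDE and $GENERATE are not supported."""
    text = re.sub(r";[^\n]*", "", text)
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0).split()), text)
    records, owner = [], origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not line[0].isspace():                 # a name in column 1 sets the owner
            owner = absolute(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():        # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens.pop(0)
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records

def reverse_network(rev_origin):
    """'0.16.172.in-addr.arpa.' -> IPv4Network('172.16.0.0/24')."""
    octets = rev_origin.rstrip(".").split(".")[:-2][::-1]
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network("%s/%d" % (addr, 8 * len(octets)))

def check_zones(forward, reverse, origin=ORIGIN, rev_origin=REV_ORIGIN):
    """Return a list of findings; an empty list means the zones agree."""
    fwd, rev = parse_zone(forward, origin), parse_zone(reverse, rev_origin)
    findings, names = [], {o for o, _, _ in fwd}
    for owner, rtype, rdata in fwd + rev:           # trailing-dot check on name data
        if rtype not in ("SOA", "NS", "MX", "CNAME", "PTR"):
            continue
        for t in {"SOA": rdata[:2], "MX": rdata[1:2]}.get(rtype, rdata[:1]):
            if "." in t and not t.endswith("."):
                findings.append("%s %s %s: FQDN without trailing dot, BIND "
                                "appends the origin to it" % (owner, rtype, t))
    for owner, rtype, rdata in fwd:                 # CNAME targets must exist in-zone
        if rtype == "CNAME":
            t = absolute(rdata[0], origin)
            if t.endswith(origin) and t not in names:
                findings.append("%s CNAME %s: target does not exist" % (owner, t))
    net = reverse_network(rev_origin)               # every in-network A needs a PTR
    ptrs = {o: absolute(r[0], rev_origin) for o, t, r in rev if t == "PTR"}
    for owner, rtype, rdata in fwd:
        if rtype != "A" or ipaddress.ip_address(rdata[0]) not in net:
            continue
        key = ipaddress.ip_address(rdata[0]).reverse_pointer + "."
        if key not in ptrs:
            findings.append("%s A %s: no PTR in %s" % (owner, rdata[0], rev_origin))
        elif ptrs[key] != owner:
            findings.append("%s A %s: PTR names %s instead" % (owner, rdata[0], ptrs[key]))
    return findings

if __name__ == "__main__":
    for finding in check_zones(FORWARD_ZONE, REVERSE_ZONE):
        print(finding)
```

Point it at your real files with open(...).read() after named-checkzone passes; the PTR check is the one that matters most operationally, since mail servers and log correlation rely on forward and reverse lookups agreeing.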

Client side configuration
Check your “/etc/resolv.conf” file
[root@server ~]# vim /etc/resolv.conf

==========================================================================
# Generated by NetworkManager
search example.com
nameserver 172.16.0.1
nameserver 192.168.1.1
==========================================================================
Check your "/etc/hosts" file
[root@server ~]# vim /etc/hosts

==========================================================================
192.168.1.254   server.example.com      server  # Added by NetworkManager
127.0.0.1        localhost.localdomain   localhost
::1             localhost6.localdomain6 localhost6
172.16.0.1      server.example.com      server
==========================================================================
Also check your "/etc/sysconfig/network" file
[root@server ~]# vim /etc/sysconfig/network

==========================================================================
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=server.example.com
==========================================================================
Now start the named service and enable it at boot.
[root@server ~]# service named start
[root@server ~]# chkconfig named on
Verify that your DNS server is answering queries using the "nslookup" and "dig" tools.
[root@server ~]# dig example.com NS
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> example.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57698
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;example.com.            IN    NS
;; ANSWER SECTION:
example.com.        86400    IN    NS    server.example.com.
;; ADDITIONAL SECTION:
server.example.com.    86400    IN    A    172.16.0.1
;; Query time: 0 msec
;; SERVER: 172.16.0.1#53(172.16.0.1)
;; WHEN: Wed Oct  5 17:37:10 2011
;; MSG SIZE  rcvd: 66
[root@server ~]# nslookup server.example.com
Server:        172.16.0.1
Address:    172.16.0.1#53

Name:    server.example.com
Address: 172.16.0.1
[root@server ~]# nslookup www.example.com
Server:        172.16.0.1
Address:    172.16.0.1#53

www.example.com    canonical name = server.example.com.
Name:    server.example.com
Address: 172.16.0.1
[root@server ~]# dig server.example.com
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> server.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33948
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;server.example.com.        IN    A
;; ANSWER SECTION:
server.example.com.    86400    IN    A    172.16.0.1
;; AUTHORITY SECTION:
example.com.        86400    IN    NS    server.example.com.
;; Query time: 17 msec
;; SERVER: 172.16.0.1#53(172.16.0.1)
;; WHEN: Wed Oct  5 17:35:50 2011
;; MSG SIZE  rcvd: 66
[root@server ~]# dig www.example.com
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> www.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17712
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.example.com.        IN    A
;; ANSWER SECTION:
www.example.com.    86400    IN    CNAME    server.example.com.
server.example.com.    86400    IN    A    172.16.0.1
;; AUTHORITY SECTION:
example.com.        86400    IN    NS    server.example.com.
;; Query time: 0 msec
;; SERVER: 172.16.0.1#53(172.16.0.1)
;; WHEN: Wed Oct  5 17:36:08 2011
;; MSG SIZE  rcvd: 84
[root@server ~]# nslookup 172.16.0.1
Server:        172.16.0.1
Address:    172.16.0.1#53
1.0.16.172.in-addr.arpa    name = server.example.com.
That's all; your DNS server is done.
