
Posted by: hughesjr Jun 19 2004, 02:45 PM

Creating a DNS server on a RHEL clone (Like WBEL / TaoLinux / CentOS)

Before starting this guide, you need at least a minimal install of an RHEL clone as outlined in the guide at http://www.hughesjr.com/content/view/27/2/.

This guide will not use the Red Hat GUI configuration tool for BIND (called redhat-config-bind, documented at http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/sysadmin-guide/ch-bindconf.html), because this install is being performed on a NON-GUI server.

[quote]*****---WARNING---WARNING---WARNING---*****
If you use redhat-config-bind, DO NOT manually edit your ZONE files as described in this guide, as the next time redhat-config-bind is run, it will totally trash the ZONE files (probably beyond repair). It has been my experience that redhat-config-bind is not nearly ready for use on a production server ... and even without manual editing, it randomly trashes ZONE files for no good reason. My recommendation: do not install redhat-config-bind, do not use redhat-config-bind ... and if redhat-config-bind is installed on your distro, remove it immediately (so you don't accidentally run it). (That has been my personal experience with, and is my personal opinion of, redhat-config-bind; as always, your mileage may vary.)[/quote]

If you still want to use redhat-config-bind (you have been warned), you would use the command yum install bind redhat-config-bind to get the required packages installed, then follow the redhat-config-bind documentation at https://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/sysadmin-guide/ch-bindconf.html to add zones.

Here are some other BIND references:
http://www.csd.uwo.ca/staff/magi/doc/bind9/

http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/ref-guide/ch-bind.html

Please read Chapter 1 of the BIND 9 manual and Section 13.1 of the RHEL Reference Guide linked above to understand the terms domain, zone, Primary Master, slave server, forwarding server and caching-only server ... these terms will be used throughout the rest of this document.

This guide is going to show you how to create a Primary Master BIND DNS server for your domain.
[quote]Note:
This guide assumes, at least, a minimal install of a RHEL clone distribution as outlined in the guide at http://www.hughesjr.com/content/view/27/2/.

Make sure to assign a static IP address and a name to any machine you want to make a DNS server. In this example, the DNS server is going to be named ns1.test.home.local ... and the domain we will be the primary DNS server for is going to be test.home.local

Make sure to assign an already working DNS server to this machine initially when giving it an IP address; we will make it its own DNS server later.[/quote]

1. Install the packages required to run BIND. Use this command:

yum install bind bind-devel bind-utils caching-nameserver

BIND stores its configuration files in the following locations:

* /etc/named.conf — The configuration file for the named daemon.

* /var/named/ directory — The named working directory which stores zone, statistic, and cache files.

2. Now we will set up the named daemon (which is what BIND will be called throughout the rest of this guide) to start on system boot with the following commands:

chkconfig --add named
chkconfig --levels 2345 named on
chkconfig --levels 016 named off


Now we will check that the system will function as we want (DNS will start on RunLevels 2, 3, 4 and 5 ... and will stop on RunLevels 0, 1, and 6). Use the command:

chkconfig --list | grep named

the result should be:

named 0:off 1:off 2:on 3:on 4:on 5:on 6:off

3. Now we will restart the named daemon with the command:

/etc/init.d/named restart

(note: the shutdown of named may fail, since it may not be running after the initial install)

4. Let's look in the /var/log/messages file and see if the named daemon started without error. Use the command:

less /var/log/messages

press Shift-G to go to the bottom of the file and review the information for named, the output should look similar to this:

CODE
Jun 19 10:45:17 ns1 named[2630]: starting BIND 9.2.2 -u named
Jun 19 10:45:17 ns1 named[2630]: using 1 CPU
Jun 19 10:45:17 ns1 named[2630]: loading configuration from '/etc/named.conf'
Jun 19 10:45:17 ns1 named[2630]: no IPv6 interfaces found
Jun 19 10:45:17 ns1 named[2630]: listening on IPv4 interface lo, 127.0.0.1#53
Jun 19 10:45:17 ns1 named[2630]: listening on IPv4 interface eth0, 192.168.0.29#53
Jun 19 10:45:17 ns1 named: named startup succeeded
Jun 19 10:45:17 ns1 named[2630]: command channel listening on 127.0.0.1#953
Jun 19 10:45:17 ns1 named[2630]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Jun 19 10:45:17 ns1 named[2630]: zone localhost/IN: loaded serial 42
Jun 19 10:45:17 ns1 named[2630]: running

(except your IP address and computer name will be listed instead of 192.168.0.29 and ns1).

Press q to exit less.

5. If there were no errors in named, then you have a fully functional caching nameserver. Let's check it out and see if it works....

a. Issue the command:

nslookup -sil

You should now be at the nslookup prompt (that looks like this):

>

b. Issue the command:
server

You should see the IP address or name of the DNS server you added when configuring the IP address of this machine. Now issue the command:

server 192.168.0.29
(you would substitute the IP address you used (instead of 192.168.0.29) above and throughout the rest of this guide)

The result will be:

Default server: 192.168.0.29
Address: 192.168.0.29#53


c. Now we are using the newly installed caching server to do name lookups. First let's try an internet name. Type this at the prompt and press enter:

www.linuxhelp.ca

Here is the result I got:
CODE
Server:         192.168.0.29
Address:        192.168.0.29#53

Non-authoritative answer:
Name:   www.linuxhelp.ca
Address: 216.187.106.215


If that worked OK, let's see if the localhost zone is working. Enter the following:

localhost

the result should be:
CODE
Server:         192.168.0.29
Address:        192.168.0.29#53

Name:   localhost
Address: 127.0.0.1


And then try this:

127.0.0.1

The result should be:
CODE
Server:         192.168.0.29
Address:        192.168.0.29#53

1.0.0.127.in-addr.arpa  name = localhost.


If everything is working so far, you have a fully functional Caching Nameserver. Yipee! Next we will add a new zone to our name server ... one that we are the Primary DNS server for.

6. The file /etc/named.conf is the main configuration file for the named daemon. The zones are created in the directory /var/named.

First, let's create a zone file for a new domain. I am going to create a domain named test.home.local. I will use the file name /var/named/test.home.local.zone as the zone file for the new domain. (You would obviously pick a different filename based on the name of your domain).

I will use vim to edit the text file; nano is another console editor that is also available in the default minimal install. You can use any text editor to create this file ... if you use an MS Windows editor (like Notepad), make sure to run the command dos2unix filename after putting it on your server.

The first line of the zone file is this:

$TTL 10800

It is the Time-To-Live (in seconds). This is the minimum time that someone else's name server can cache your information before it looks again at the authoritative server for the answer. As you can see, you can control this for your domain. RFC2308 suggests a value of 1-3 hours ... we will use 3 hours (10800 seconds).
---------------------
The SOA Record
The next section of the zone file is the Start of Authority (SOA) record. It looks like this:
CODE
@    IN    SOA    ns1.test.home.local. hostmaster.test.home.local.    (
   21; serial
   7200; refresh
   7200; retry
   1814400; expire
   10800; ttl
   )


Here is what everything means:

The First Line of the SOA record.

The first three columns in the first line (@ IN SOA) mean this is an SOA record.

The fourth column on the first line is the fully qualified domain name of the DNS server that is master for this zone (in our case it is the server we are working on right now ... in my case it is ns1.test.home.local.). Notice the . after the name; it is critical.

The fifth column is the e-mail address of the administrator of the domain. hostmaster is a default contact name used for DNS issues, so if you are running a domain and control the e-mail addresses, you should create a hostmaster@yourdomain address. Notice that there is no @ in this address: the first . is converted to an @. You can use a different e-mail address than hostmaster if you want. I could use jhughes.hughesjr.com, for example.

The ( is just the open parentheses for the other options ... at the bottom of the SOA record is the closing parentheses.

The second line of the SOA record.

21 ; serial

This is the serial number of the Zone file ... it must be changed every time you change an entry. I increment it by one after each change ... so I would make it 22 after the next change. This is not in keeping with the recommendation of RFC1912 2.2. It recommends that you use a serial number like 2004061901. That would be the first change {01} on June 19th, 2004 {20040619}. The next change on June 19, 2004 would have the serial number 2004061902, etc. Do the serial number as you want, as long as you remember that you must change it to the next serial number after you make any changes to the zone file.

The third line of the SOA record

7200 ; refresh

This is the SOA REFRESH interval. This value determines how often secondary/slave nameservers check with the master for updates. A value that is too high will cause DNS changes to be in limbo for a long time.

RFC1912 2.2 recommends a value between 1200 to 43200 seconds (20 minutes to 12 hours) ... www.dnsreports.com recommends a value between 3600 - 7200 seconds.

The fourth line in the SOA record.

7200 ; retry

The retry value is the amount of time your secondary/slave nameservers will wait to contact the master nameserver again if the last attempt failed (dnsreports.com recommends 120-7200 seconds).

The fifth line in the SOA record

1814400 ; expire

This is how long a secondary/slave nameserver will wait before considering its DNS data stale if it can't reach the primary nameserver. Both dnsreports.com and RFC1912 recommend 2-4 weeks. 1814400 seconds is 21 days (or 3 weeks).

The sixth line in the SOA record

10800 ; ttl

Should be the same as the zone $TTL entry which was line 1 ...

The closed parentheses ends the SOA record section.
------------------
The next section of the file is the Name Server section of the Zone file. It is only one line per Name server (in this example, there is only 1 name server) and looks like this:
CODE
 NS    ns1

since ns1 is in this domain, I don't need to include the full domain name in this record ... also notice there is no . after the name ns1

When there is no . after a name in an NS record (or other records like A or MX), the domain of this ZONE is automatically appended (in this example, ns1 would become ns1.test.home.local). Another valid way to enter this record would be:
CODE
 NS    ns1.test.home.local.

(notice the . at the end of the name, which means that this is a fully qualified domain name and nothing is appended to it)
------------------
The next section is the Mail Exchanger (MX) section of the Zone file. Again, there is one line for every record in this section. Here is an example:
CODE
 MX    10 mail


The 10 is a priority. The lower the priority number, the more likely this server is to handle your mail. If we had 2 mail servers, mail.test.home.local and mail2.test.home.local, then we would have 2 entries like this:
CODE
 MX    10 mail
 MX    20 mail2

OR
CODE
 MX    10 mail.test.home.local.
 MX    20 mail2.test.home.local.

(these are equivalent)
-----------------
The next section is the A records section. It contains 1 line for every record as well. Here are the records I created:

CODE
ns1  A    192.168.0.29
mail  A    192.168.0.2
mail2  A    192.168.0.3
server1  A    192.168.0.1


There is another record, called a CNAME record (CNAME means Canonical NAME). It is used to relate several names to one IP address. Let's say you want to put a Web Server on the backup mail server (mail2). You can use a CNAME record to do this ... like so:
CODE
www    CNAME mail2


There are some rules for CNAME records. You can't point a CNAME record to another CNAME record (so if you also wanted the name fileserver1 associated with the IP address 192.168.0.3, you would use this line:
CODE
fileserver1    CNAME mail2


but this is wrong:
CODE
fileserver1    CNAME www

(since www is itself a CNAME record).

Another CNAME rule is that MX or SOA records should not refer to a CNAME record. So you should create separate A records (with the same address) if your name server and your e-mail server are on the same IP address.

http://www.hughesjr.com/wbel/test.home.local.zone.txt is the zone file I created for the domain test.home.local (save as /var/named/test.home.local.zone).
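As an added example (not the guide's own file or code), here is a small Python checker for the record rules just described: it applies the trailing-dot rule to owner and target names, then flags CNAME chains and SOA/NS/MX targets that are CNAMEs. The zone text inside it is constructed from the records above plus the invalid fileserver1 line; the function names are my own.

```python
import re
# Constructed zone text (not the guide's file): the records above plus the bad `fileserver1` line.
SAMPLE_ZONE = """\
$TTL 10800
@ IN SOA ns1.test.home.local. hostmaster.test.home.local. (
        21 7200 7200 1814400 10800 )   ; serial refresh retry expire ttl
    NS    ns1
    MX    10 mail
ns1     A     192.168.0.29
mail    A     192.168.0.2
mail2   A     192.168.0.3
www     CNAME mail2
fileserver1  CNAME www
"""
# Record types whose rdata names a host, and which rdata field holds that name.
HOST_FIELD = {"SOA": 0, "NS": -1, "MX": -1, "CNAME": -1}

def fqdn(name, origin):
    """Trailing-dot rule: '@' is the zone apex, a bare 'ns1' becomes ns1.<origin>."""
    if name == "@":
        return origin + "."
    return name if name.endswith(".") else f"{name}.{origin}."

def parse_zone(text, origin):
    """Return [(owner, type, rdata fields)] with owner and target names as FQDNs."""
    text = re.sub(r";[^\n]*", "", text)                                # strip comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)  # join ( ... )
    records, owner = [], "@"
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("$"):   # blank line or $TTL directive
            continue
        if not line[0].isspace():            # a blank owner column repeats the last owner
            owner = fields.pop(0)
        if fields[0] == "IN":                # the class is optional, as in the records above
            fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        if rtype in HOST_FIELD:
            rdata[HOST_FIELD[rtype]] = fqdn(rdata[HOST_FIELD[rtype]], origin)
        records.append((fqdn(owner, origin), rtype, rdata))
    return records

def lint_zone(text, origin="test.home.local"):
    """Apply the CNAME rules above: no CNAME chains, no SOA/NS/MX target that is a CNAME."""
    records = parse_zone(text, origin)
    cnames = {owner for owner, rtype, _ in records if rtype == "CNAME"}
    return [f"{owner} {rtype} points at CNAME {rdata[HOST_FIELD[rtype]]}"
            for owner, rtype, rdata in records
            if rtype in HOST_FIELD and rdata[HOST_FIELD[rtype]] in cnames]
```

Running lint_zone(SAMPLE_ZONE) reports only the fileserver1 line; remove that line and the zone passes.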
-------------------------------
Now we are ready to add the zone to our /etc/named.conf file and restart the named daemon. Edit /etc/named.conf and add the test.home.local section after the:

CODE
zone "0.0.127.in-addr.arpa" IN {
       type master;
       file "named.local";
       allow-update { none; };
};

but before the include "/etc/rndc.key"; line.

Here is the text we need to add:
CODE
zone "test.home.local" {
       type master;
       notify no;
       file "/var/named/test.home.local.zone";
};


http://www.hughesjr.com/wbel/named.conf.txt is the full /etc/named.conf file for this example.
------------------------
The Reverse Zone
A reverse zone is required for full internet access, and in the case of my 192.168.0.x network, I can add this zone to my name server. The reverse zone file is very similar to the forward zone file named test.home.local.zone

I named my reverse zone file /var/named/192.168.0.x.in-addr.arpa. It has an SOA record and individual IP records for each IP address in the 192.168.0.0 network (that is from 1 to 254). Here is the zone file for our example:
[quote]$TTL 10800

;SOA Record
@ IN SOA ns1.test.home.local. hostmaster.test.home.local. (
    21; serial
    7200; refresh
    7200; retry
    1814400; expire
    10800; ttl
    )

;name server records
  NS ns1.test.home.local.
1 PTR server1.test.home.local.
2 PTR mail.test.home.local.
3 PTR mail2.test.home.local.
29 PTR ns1.test.home.local.[/quote]

Official reverse zones are for a minimum of a full Class "C" network...and can't be split any lower than that, except with CNAME records (see the 3 links following this discussion).

Most of the time, if you are controlling a zone of less than 255 addresses (i.e., less than a Class "C" network), the provider adds generic reverse lookup information. In almost all cases, as long as there is any name in the reverse lookup zone for an IP, it is good enough. For example, type the command:

nslookup

and enter the IP address:

24.155.104.171

the result is:

171.104.155.24.in-addr.arpa. 18067 IN PTR 24-155-104-171.dyn.grandenetworks.net.

If I wanted the name changed to mail.billsauto.com, the ISP could do it ... but I can not.

However, almost anything you need to do only requires that the address have a reverse lookup, not that the name matches exactly with the forward name.
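As an added example (not the guide's own file or code) covering both the reverse zone quoted above and the forward/reverse matching just discussed: Python that builds the 0.168.192.in-addr.arpa PTR records from the forward A records, renders the zone in the quoted layout, and lists PTR names whose A record does not point back at the same address. The A record table is constructed from the forward zone above, the function names are my own, and only whole Class "C" (/24) networks are handled, as in the guide.

```python
import ipaddress

# Constructed input (not the guide's file): the A records of the forward zone above.
A_RECORDS = {
    "ns1.test.home.local.": "192.168.0.29",
    "mail.test.home.local.": "192.168.0.2",
    "mail2.test.home.local.": "192.168.0.3",
    "server1.test.home.local.": "192.168.0.1",
}

def reverse_zone_name(network):
    """Zone name for a full class C: 192.168.0.0/24 -> 0.168.192.in-addr.arpa."""
    net = ipaddress.ip_network(network)
    if net.prefixlen != 24:   # smaller blocks need the RFC 2317 CNAME delegation instead
        raise ValueError("only whole /24 networks are handled here")
    return ".".join(reversed(str(net.network_address).split(".")[:3])) + ".in-addr.arpa"

def ptr_records(a_records, network):
    """Return {last octet: name} for every A record whose address lies in `network`."""
    net = ipaddress.ip_network(network)
    ptrs = {}
    for name, ip in a_records.items():
        addr = ipaddress.ip_address(ip)
        if addr in net:
            ptrs[int(addr) - int(net.network_address)] = name
    return dict(sorted(ptrs.items()))

def render_reverse_zone(a_records, network, primary, contact, serial, ttl=10800):
    """Render the reverse zone file in the same layout as the quoted example."""
    reverse_zone_name(network)   # validates that this is a whole class C
    lines = [f"$TTL {ttl}", "", ";SOA Record", f"@ IN SOA {primary} {contact} (",
             f"    {serial}; serial", "    7200; refresh", "    7200; retry",
             "    1814400; expire", f"    {ttl}; ttl", "    )", "",
             ";name server records", f"  NS {primary}"]
    lines += [f"{octet} PTR {name}" for octet, name in ptr_records(a_records, network).items()]
    return "\n".join(lines) + "\n"

def ptr_mismatches(ptrs, a_records, network):
    """PTR names whose forward A record does not point back at the same address."""
    base = int(ipaddress.ip_network(network).network_address)
    return [name for octet, name in ptrs.items()
            if a_records.get(name) != str(ipaddress.ip_address(base + octet))]
```

A mismatch from ptr_mismatches is the ISP-assigned-name situation described above: usually harmless, but worth knowing about before relying on reverse lookups.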

I will refer you to 3 places concerning reverse names and mapping less than a Class "C":

http://www.ietf.org/rfc/rfc2317.txt
http://www.acmebw.com/askmrdns/archive.php?question=7
http://ldp.linuxhelp.ca/HOWTO/DNS-HOWTO-5.html#ss5.5

You will need to work with your ISP to make this happen, if it is required for some reason. Like I said though, if you have less than a Class "C" network, and if there is a name in the reverse zone, you probably won't have to worry about trying to change it.

Here are some other good DNS guides:
http://ldp.hughesjr.com/HOWTO/DNS-HOWTO.html
http://linux.maruhn.com/sec/dns-howto.html
