We have two CentOS 7 (minimal) servers installed which we want to configure as follows:
# Accept new connections to DNS (TCP and UDP port 53) only from the 10.11.1.0/24
# subnet, mirroring the "clients" ACL used in named.conf below.
# Rules added with -A are runtime-only; they are lost on reboot unless saved.
[admin1]# iptables -A INPUT -s 10.11.1.0/24 -p tcp -m state --state NEW --dport 53 -j ACCEPT
[admin1]# iptables -A INPUT -s 10.11.1.0/24 -p udp -m state --state NEW --dport 53 -j ACCEPT
Logs Directory
Perform the automatic rndc configuration using a 512-bit authentication key. Note that the default
key name is rndc-key.
The content of the master configuration file /etc/named.conf can be seen below.
Note how updates to the internal zones are only allowed for the servers that know the key.
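// Master (primary) /etc/named.conf for admin1/dns1 (10.11.1.2).
// BIND accepts "//", "#" and "/* ... */" comments.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
// Shared secret used by rndc; the text above also uses it with nsupdate.
include "/etc/rndc.key";
// NOTE(review): an empty controls statement disables the rndc control channel.
// The inet/keys clause written by the automatic rndc setup is not visible here
// (probably lost in extraction) — confirm against the real file.
controls {
};
// Hosts that may query and recurse: loopback and the local subnet.
acl "clients" {
    127.0.0.0/8;
    10.11.1.0/24;
};
options {
    listen-on-v6 { none; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    tcp-clients 50;
    // Do not disclose software version, host name or server id to CHAOS queries.
    version none;
    hostname none;
    server-id none;
    recursion yes;
    recursive-clients 50;
    allow-recursion { clients; };
    allow-query { clients; };
    // Zone transfers default to "any" on the BIND releases CentOS 7 ships;
    // restrict them to the secondary (10.11.1.3), as the slave config does for
    // itself. This is an IP-only restriction (no TSIG on transfers) — check that
    // no zone statement overrides it.
    allow-transfer { 10.11.1.3; };
    auth-nxdomain no;
    // Global default; the internal zones below turn notify on per zone.
    notify no;
    dnssec-enable yes;
    dnssec-validation auto;
    // NOTE(review): DLV lookaside depends on ISC's DLV registry, which has been
    // wound down, and the option is deprecated in newer BIND; harmless but removable.
    dnssec-lookaside auto;
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
# Specifications of what to log, and where the log messages are sent
logging {
    // NOTE(review): as shown, this channel has no destination (file/syslog) and no
    // category statement selects it, so nothing would be written; the destination
    // line was presumably dropped in extraction — verify in the real file.
    channel "common_log" {
        severity dynamic;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
// Internal forward zone. The allow-update clause that the surrounding text says
// restricts dynamic updates to key holders is not visible here — verify it exists.
zone "hl.local" {
    type master;
    file "data/db.hl.local";
    notify yes;
};
// Internal reverse zone for 10.11.1.0/24; same remark about allow-update applies.
zone "1.11.10.in-addr.arpa" {
    type master;
    file "data/db.1.11.10";
    notify yes;
};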
2018010700 ; Serial
; NOTE(review): only the serial from the SOA and the record list are visible here;
; the $TTL directive and the start of the SOA appear to have been lost in extraction.
@ NS dns1.hl.local.
@ NS dns2.hl.local.
; The zone apex itself resolves to both name servers.
@ A 10.11.1.2
@ A 10.11.1.3
dns1 A 10.11.1.2
dns2 A 10.11.1.3
; admin1/admin2 are second names for the same two hosts as dns1/dns2.
admin1 A 10.11.1.2
admin2 A 10.11.1.3
katello A 10.11.1.4
mikrotik A 10.11.1.1
pve A 10.11.1.5
2018010700 ; Serial
; NOTE(review): only the serial from the SOA and the record list are visible here;
; the $TTL directive and the start of the SOA appear to have been lost in extraction.
@ NS dns1.hl.local.
@ NS dns2.hl.local.
; NOTE(review): a PTR at the apex and A records inside an in-addr.arpa zone are
; unusual and play no part in reverse lookups — confirm they are intended.
@ PTR hl.local.
dns1 A 10.11.1.2
dns2 A 10.11.1.3
2 PTR dns1.hl.local.
3 PTR dns2.hl.local.
1 PTR mikrotik.hl.local.
; NOTE(review): 10.11.1.2 and 10.11.1.3 each end up with two PTR records
; (dns1/admin1, dns2/admin2); reverse lookups return both names — TODO confirm.
2 PTR admin1.hl.local.
3 PTR admin2.hl.local.
4 PTR katello.hl.local.
5 PTR pve.hl.local.
Ensure that file ownership is correct and that the SELinux file context has been applied.
OK
OK
nameserver 10.11.1.2
CPUs found: 1
worker threads: 1
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
; (1 server found)
;; Got answer:
;; OPT PSEUDOSECTION:
;; QUESTION SECTION:
;hl.local. IN NS
;; ANSWER SECTION:
;; ADDITIONAL SECTION:
;; SERVER: 10.11.1.2#53(10.11.1.2)
This part is the same as for the master server. Install packages:
# Same firewall rules as on the master: accept new DNS connections (TCP and UDP
# port 53) only from 10.11.1.0/24, matching the "clients" ACL in named.conf.
# Rules added with -A are runtime-only; they are lost on reboot unless saved.
[admin2]# iptables -A INPUT -s 10.11.1.0/24 -p tcp -m state --state NEW --dport 53 -j ACCEPT
[admin2]# iptables -A INPUT -s 10.11.1.0/24 -p udp -m state --state NEW --dport 53 -j ACCEPT
Logs Directory
The content of the slave configuration file /etc/named.conf can be seen below.
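// Slave (secondary) /etc/named.conf for admin2/dns2 (10.11.1.3).
// BIND accepts "//", "#" and "/* ... */" comments.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
// Hosts that may query and recurse: loopback and the local subnet.
acl "clients" {
    127.0.0.0/8;
    10.11.1.0/24;
};
options {
    listen-on-v6 { none; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    tcp-clients 50;
    // Do not disclose software version, host name or server id to CHAOS queries.
    version none;
    hostname none;
    server-id none;
    recursion yes;
    recursive-clients 50;
    allow-recursion { clients; };
    allow-query { clients; };
    // This server is nobody's transfer source, so refuse AXFR/IXFR outright.
    // Every element of a BIND address-match list must be terminated with ';';
    // the original "{ none }" is rejected by named-checkconf.
    allow-transfer { none; };
    auth-nxdomain no;
    notify no;
    dnssec-enable yes;
    dnssec-validation auto;
    // NOTE(review): DLV lookaside depends on ISC's DLV registry, which has been
    // wound down, and the option is deprecated in newer BIND; harmless but removable.
    dnssec-lookaside auto;
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
# Specifications of what to log, and where the log messages are sent
logging {
    // NOTE(review): as shown, this channel has no destination (file/syslog) and no
    // category statement selects it, so nothing would be written; the destination
    // line was presumably dropped in extraction — verify in the real file.
    channel "common_log" {
        severity dynamic;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
# Internal zone definitions
// Both zones are pulled from the master at 10.11.1.2, and NOTIFY messages are
// only honoured from that address. Transfers are authenticated by source IP only.
zone "hl.local" {
    type slave;
    file "data/db.hl.local";
    masters { 10.11.1.2; };
    allow-notify { 10.11.1.2; };
};
zone "1.11.10.in-addr.arpa" {
    type slave;
    file "data/db.1.11.10";
    masters { 10.11.1.2; };
    allow-notify { 10.11.1.2; };
};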
nameserver 10.11.1.3
nameserver 10.11.1.2
; (1 server found)
;; Got answer:
;; OPT PSEUDOSECTION:
;; QUESTION SECTION:
;hl.local. IN NS
;; ANSWER SECTION:
;; ADDITIONAL SECTION:
;; SERVER: 10.11.1.3#53(10.11.1.3)
nsupdate, the Dynamic DNS editor, is used to make changes to a dynamic zone without editing
the zone files and restarting the DNS server. Because we have declared the zone dynamic, this is
how edits should be made.
For example, to delete all records of any type attached to a domain name, we can do:
# nsupdate -k /etc/rndc.key
> send
> quit
Now we can edit the zone file if required. When done, we can allow dynamic updates again:
Conclusion
Running a master and a slave in this way helps keep the DNS service available and stable even if one component fails.