Unix System Administration


DNS server & Client
• Objectives
– to learn how to set up DNS servers
• Contents
– An Introduction to DNS
– How To Download and Install The BIND Packages
– How To Get BIND Started
– The /etc/resolv.conf File
– Configuring A Caching Nameserver
– Important File Locations
– Configuring A Regular Nameserver
– Troubleshooting BIND
Download and Install The DNS Package
• Download the DNS server as an RPM
– SuSE keeps the bind RPMs on its FTP server
# wget ftp://ftp.suse.com//pub/suse/i386/9.3/suse/i586/bind*
– Check the GPG signature of anything fetched over plain FTP (rpm --checksig) before installing it
• Install the caching-only DNS and the normal DNS RPMs
– To get started we need at least bind
– SuSE's bind keeps its configuration in /etc/named.conf and /var/lib/named
# rpm -ivh bind-lwresd-9.3.1-3.i586.rpm
# rpm -ivh bind-9.3.1-3.i586.rpm
• You can also obtain the BIND sources directly from ISC:
http://www.isc.org/index.pl?/sw/bind/
– This is the standard bind of the Unix world
– Built from source it keeps its configuration in /etc/named.conf and /var/named
• Modern bind is placed in a chroot jail for security reasons: on SuSE named runs chrooted under /var/lib/named, so a compromised named can only reach the files inside that tree
How To Get BIND Started
• Set named/bind to start at boot:
You can use the insserv or chkconfig command to get BIND configured to start at boot:
# insserv named
• To start/stop/restart BIND after booting
# rcnamed start
# rcnamed stop
# rcnamed restart
• Without any zone configuration bind acts as a caching-only nameserver
• lwresd is the lightweight resolver daemon, a delegated caching-only nameserver
# rclwresd start
# rclwresd stop
# rclwresd restart
Do not run bind and lwresd at the same time
The client /etc/resolv.conf File
• Sample resolv.conf file:
domain my-site.com
search my-site.com net my-site.net my-site.org
nameserver 192.168.0.1
nameserver 192.168.0.22
The client's main domain is my-site.com, but it is also a member of the domains my-site.net and my-site.org, which should be searched when a short (unqualified) host name is looked up.
Two nameservers, 192.168.0.1 and 192.168.0.22, provide DNS name resolution; the second is only tried when the first does not answer.
Caveat: domain and search are mutually exclusive in resolv.conf (the last one in the file wins), and the glibc resolver uses at most 3 nameserver lines and 6 search domains, silently ignoring the rest.
• Don't forget /etc/nsswitch.conf and /etc/host.conf, which decide whether /etc/hosts or DNS is consulted first:
hosts: files dns
order hosts,bind
• A machine that runs its own nameserver needs loopback as the first nameserver:
nameserver 127.0.0.1
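As an added example (not from the course slides), a POSIX shell function that audits a resolv.conf against the rules above: loopback first when the host runs its own named, the glibc limits of 3 nameservers and 6 search domains, and the domain/search conflict. The sample file is constructed inline from the slide; the function name and its NAMED_ON_HOST argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not part of the course slides: audit a resolv.conf with
# POSIX sh and awk only. The function name and the second argument are
# this example's own conventions, not anything BIND or glibc provides.
#
# audit_resolv_conf FILE [NAMED_ON_HOST]
#   Prints one finding per line and returns the number of findings
#   (0 = the file passed every check). NAMED_ON_HOST=1 means this machine
#   runs its own named, so 127.0.0.1 must be the first nameserver.
audit_resolv_conf() {
    file=$1
    named_on_host=${2:-0}
    findings=0

    # Count with awk so that "nothing found" is the number 0, not a failed grep.
    ns_count=$(awk '$1=="nameserver"{n++} END{print n+0}' "$file")
    first_ns=$(awk '$1=="nameserver"{print $2; exit}' "$file")
    search_count=$(awk '$1=="search"{c=NF-1} END{print c+0}' "$file")
    has_domain=$(awk '$1=="domain"{d=1} END{print d+0}' "$file")
    has_search=$(awk '$1=="search"{s=1} END{print s+0}' "$file")

    if [ "$ns_count" -eq 0 ]; then
        echo "no nameserver line: the resolver falls back to the local host"
        findings=$((findings + 1))
    fi
    # glibc only uses the first MAXNS (3) nameserver lines.
    if [ "$ns_count" -gt 3 ]; then
        echo "$ns_count nameservers listed, only the first 3 are used"
        findings=$((findings + 1))
    fi
    if [ "$named_on_host" -eq 1 ] && [ "$first_ns" != "127.0.0.1" ]; then
        echo "named runs here but the first nameserver is $first_ns, not 127.0.0.1"
        findings=$((findings + 1))
    fi
    # glibc only keeps the first MAXDNSRCH (6) search domains.
    if [ "$search_count" -gt 6 ]; then
        echo "$search_count search domains listed, only the first 6 are used"
        findings=$((findings + 1))
    fi
    # domain and search are mutually exclusive: the last one in the file wins.
    if [ "$has_domain" -eq 1 ] && [ "$has_search" -eq 1 ]; then
        echo "both domain and search present, the later line silently overrides the earlier"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the client file from the slide, written to a temp file.
# Prints the path so callers can pass it to audit_resolv_conf.
sample_client_resolv() {
    f=$(mktemp)
    printf '%s\n' \
        'domain my-site.com' \
        'search my-site.com net my-site.net my-site.org' \
        'nameserver 192.168.0.1' \
        'nameserver 192.168.0.22' > "$f"
    echo "$f"
}

# Stand-alone run: audit the sample as a plain client, then as a nameserver.
audit_resolv_conf "$(sample_client_resolv)" 0 || echo "client file: $? finding(s)"
audit_resolv_conf "$(sample_client_resolv)" 1 || echo "nameserver file: $? finding(s)"
```

Run on the slide's own file the audit reports the domain/search overlap once, and twice when told the host is a nameserver, because 192.168.0.1 rather than 127.0.0.1 comes first.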
Configuring A Caching Nameserver
• Two caching-only nameservers are available:
– Normal bind without any zone configuration
– The delegated lwresd
• Using normal bind
In /etc/resolv.conf:
Example old entry
nameserver 192.168.0.1
Example new entry
# nameserver 192.168.0.1
or:
nameserver 127.0.0.1
This must be first in the list of nameservers, if there are more!
• A caching nameserver that answers recursive queries from anyone on the Internet is an open resolver and will be abused for reflection attacks: restrict recursion to your own networks with allow-recursion (and listen-on) in the options block of /etc/named.conf.
Configuring A Regular Nameserver
• Configuring /etc/resolv.conf
You'll have to make your DNS server refer to itself for all DNS queries by configuring the /etc/resolv.conf file to only reference localhost.
• Configuring /etc/named.conf: the head
This is the head of named.conf (the options block):
options {
directory "/var/named";
query-source port 53;
};
Caveat: query-source port 53 pins the source port of every outgoing query, so an attacker only has to guess the 16-bit transaction ID to poison the cache. Since the July 2008 cache-poisoning patches BIND randomises the source port by default, so leave this line out on any server that does recursion; if a firewall forces a fixed port, fix the firewall instead.
Forward resolution:
zone "my-site.com" {
type master;
notify no;
allow-query { any; };
file "master/my-site.com";
};
Reverse resolution:
zone "0.168.192.in-addr.arpa" {
type master;
notify no;
file "master/192.168.0.rev";
};
Configuring A Regular Nameserver "extras"
• Activate logging
After the "head" in /etc/named.conf. Here we log only zone transfers and the mandatory messages, and silence the noisy lame-server reports:
logging {
category xfer-out { default_syslog; };
category xfer-in { default_syslog; };
category lame-servers { null; };
};
• Master zone example
Master zone that notifies two slaves and allows zone transfers only to them:
zone "my-site.com" {
type master;
file "master/my-site.com";
allow-query { any; };
allow-transfer { 194.22.190.13; 80.84.32.10; localhost; };
notify yes;
};
Without allow-transfer, BIND's default (allow-transfer { any; }) lets any host pull the complete zone with AXFR, handing an attacker the full list of your hosts. Restricting by IP address is only a start: a TSIG key shared with the slaves (the same mechanism as in the Dynamic DNS section below) ties transfers to a secret instead of a spoofable address.
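The following is an added example, not from the course slides or from ISC: a small lint, in POSIX shell and awk, for the named.conf fragments of the caching and regular nameserver sections above. It flags the four settings a pentester looks for first (a fixed query-source port, unrestricted recursion, master zones without allow-transfer, allow-update { any; }) and returns the number of findings. The two sample files are constructed inline: the slide's configuration as weak.conf and a hardened rewrite as hardened.conf; the acl name trusted and the function names are this example's own. It assumes zone-level allow-transfer and does not parse include statements.

```shell
#!/bin/sh
# Added example, not part of the course slides: lint a named.conf for the
# settings an attacker looks for first. The checker is this example's own:
# it understands options and zone blocks (at top level or inside a view),
# strips // and # comments, and reports once per finding.
#
# audit_named_conf FILE -> prints findings, returns their count (0 = clean)
audit_named_conf() {
    awk '
    BEGIN { block = ""; depth = 0; findings = 0 }
    {
        line = $0
        sub(/\/\/.*/, "", line); sub(/#.*/, "", line)      # strip comments
        if (block == "" && line ~ /^[ \t]*options[ \t]*\{/) {
            block = "options"; bstart = depth; recursion_ok = 0
        } else if (block == "" && line ~ /^[ \t]*zone[ \t]+"/) {
            block = "zone"; bstart = depth; ztype = ""; xfer = 0; upd_any = 0
            zname = line; sub(/^[ \t]*zone[ \t]+"/, "", zname); sub(/".*/, "", zname)
        }
        if (block == "options") {
            # a fixed source port gives away the 16 bits of entropy that
            # source-port randomisation adds against cache poisoning
            if (line ~ /query-source[^;]*port[ \t]+[0-9]+/) {
                print "options: fixed query-source port defeats port randomisation"; findings++
            }
            if (line ~ /allow-recursion/ || line ~ /recursion[ \t]+no/) recursion_ok = 1
        }
        if (block == "zone") {
            if (line ~ /type[ \t]+(master|primary)/) ztype = "master"
            if (line ~ /allow-transfer/) xfer = 1
            if (line ~ /allow-update[ \t]*\{[ \t]*any/) upd_any = 1
        }
        depth += gsub(/\{/, "{", line); depth -= gsub(/\}/, "}", line)
        if (block != "" && depth == bstart) {      # block closed: report on it
            if (block == "options" && !recursion_ok) {
                print "options: no allow-recursion or recursion no, this is an open resolver"; findings++
            }
            if (block == "zone" && ztype == "master" && !xfer) {
                print "zone " zname ": no allow-transfer, any host can AXFR the whole zone"; findings++
            }
            if (block == "zone" && upd_any) {
                print "zone " zname ": allow-update { any; } lets any host rewrite it"; findings++
            }
            block = ""
        }
    }
    END { exit findings }' "$1"
}

# Constructed samples: the slide's configuration as weak.conf and a hardened
# rewrite as hardened.conf, written to a temp directory whose path is printed.
write_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/weak.conf" <<'EOF'
options {
    directory "/var/named";
    query-source port 53;
};
zone "my-site.com" {
    type master; notify no; allow-query { any; };
    file "master/my-site.com";
};
zone "0.168.192.in-addr.arpa" {
    type master; notify no; file "master/192.168.0.rev";
};
EOF
    cat > "$dir/hardened.conf" <<'EOF'
acl "trusted" { 127.0.0.1; 192.168.0.0/24; };
options {
    directory "/var/named";
    // no query-source port: named picks a random source port per query
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
zone "my-site.com" {
    type master; notify yes; allow-query { any; };
    allow-transfer { 194.22.190.13; 80.84.32.10; localhost; };
    file "master/my-site.com";
};
zone "0.168.192.in-addr.arpa" {
    type master; notify yes;
    allow-transfer { 194.22.190.13; 80.84.32.10; localhost; };
    file "master/192.168.0.rev";
};
EOF
    echo "$dir"
}

# Stand-alone run: lint both files.
dir=$(write_sample_configs)
for f in weak hardened; do
    echo "== $f.conf"
    audit_named_conf "$dir/$f.conf" || echo "$? finding(s)"
done
```

The slide's configuration produces four findings (the pinned port, the open resolver, and two transferable master zones); the hardened file produces none. Run the real named-checkconf as well, since this lint only knows about the four patterns it was written for.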
Configuring the Zone Files: SOA
In the head of /var/lib/named/master/my-site.com:
• Time To Live value on the first line: $TTL 3D
Default cache lifetime of the records in this file; always at the top of the zone file!
• The SOA (Start Of Authority) record
my-site.com. is the domain served by this zone file
ns.my-site.com. is the nameserver FQDN
root.my-site.com. is the mail address root@my-site.com of the DNS admin (the first dot stands for @)
Names ending in a dot are fully qualified; names without one get the zone name appended.
my-site.com. IN SOA ns.my-site.com. root.my-site.com. (
2003037    ; serial number, increment on every change
10800      ; slave refresh interval (s)
3600       ; slave retry interval (s)
604800     ; expire: a slave stops answering after this long without reaching the master (s)
86400 )    ; negative-caching TTL (s)
• The serial number is extremely important. A slave compares its own serial with the master's and only transfers the zone when the master's is higher, so you MUST increment it after editing the file or else the slaves keep serving the old data even after you restart "named". The usual convention is YYYYMMDDnn (date plus a two-digit change counter), which also stays within the 32-bit serial.
Next in the zone file: NS & MX records
• The IN NS name server records for the domain
Tell who resolves names for the domain
my-site.com. is the served domain
ns.my-site.com. is the nameserver FQDN for this domain; list every slave too, so that resolvers have a fallback and so that notify reaches it
; Define the nameservers
my-site.com.    IN  NS  ns.my-site.com.        ; master
my-site.com.    IN  NS  ns2.other-site.com.    ; slave
• The IN MX mail exchanger records
Tell who handles email for the domain
mail.my-site.com. is the primary mailserver (the lower preference value, 10, is tried first)
mail2.my-site.com. is the secondary mailserver
An empty owner name repeats the previous one, so these records belong to my-site.com.
; Define the mailservers
                IN  MX  10 mail.my-site.com.
                IN  MX  20 mail2.my-site.com.
Populate the zone file with IN A & CNAME records
• The IN A (Internet Address) records for the domain
ns will be expanded to ns.my-site.com since it does not end with a dot
mail will be expanded to mail.my-site.com
; Define the hosts in this zone
ns      IN  A  192.168.0.1   ; primary nameserver
mail    IN  A  192.168.0.2   ; pri mailserver
mail2   IN  A  192.168.0.3   ; sec mailserver
zyxel   IN  A  192.168.0.4   ; zyxel router
• The CNAME records for the domain
ftp will be expanded to ftp.my-site.com, an alias for mail (so it resolves to mail's IP)
www will be expanded to www.my-site.com, an alias for ns (so it resolves to ns's IP)
; alias names
ftp      CNAME  mail.my-site.com.
student  CNAME  mail2.my-site.com.
www      CNAME  ns.my-site.com.
ntp      CNAME  mail1.my-site.com.
Check every CNAME target: mail1 has no A record in this zone, so ntp is a dangling alias (the reverse-zone slide points ntp at mail2). A name that has a CNAME may carry no other records, and NS and MX records must point at names with A records, never at CNAMEs.
The Reverse Zone File
• The file has the same SOA format as the forward zone,
except the owner name of the SOA, which is the reverse domain:
$TTL 3D
0.168.192.in-addr.arpa. IN SOA ns.my-site.com. root.my-site.com. ( same SOA values as in the forward zone )
• The PTR reverse pointer records look like:
; nameservers
0.168.192.in-addr.arpa. IN NS ns.my-site.com.
; normal pointers
1.0.168.192.in-addr.arpa. IN PTR ns.my-site.com.
2.0.168.192.in-addr.arpa. IN PTR mail.my-site.com.
3.0.168.192.in-addr.arpa. IN PTR mail2.my-site.com.
4.0.168.192.in-addr.arpa. IN PTR zyxel.my-site.com.
• The slide adds alias names here as well:
; alias names
ftp.my-site.com. IN CNAME mail.my-site.com.
student.my-site.com. IN CNAME mail2.my-site.com.
www.my-site.com. IN CNAME ns.my-site.com.
ntp.my-site.com. IN CNAME mail2.my-site.com.
These four records are not inside 0.168.192.in-addr.arpa, and BIND drops them when loading the file ("ignoring out-of-zone data"), so they have no effect here: keep the aliases in the forward zone only. Each PTR should point back at the name that carries the A record, not at an alias, because mail servers and sshd compare the forward and reverse answers.
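As an added example (not from the course slides), a POSIX shell script that builds the A records, the matching PTR records and a bumped SOA serial from one host list, so the forward and reverse zones cannot drift apart. It covers the serial rule, the A records and the PTR records from the sections above. The function names and the YYYYMMDDnn serial convention are this example's choices; the hosts and addresses are the slides' own. The serial bump handles the edge cases a script run twice a day or against a bogus future serial hits.

```shell
#!/bin/sh
# Added example, not part of the course slides: build the A records, the
# matching PTR records and a bumped SOA serial from one host list, so the
# forward and reverse zones cannot drift apart. Function names and the
# YYYYMMDDnn serial convention are this example's choices; the hosts and
# addresses are the ones used on the slides.

# Constructed host list, one "shortname ip" pair per line.
HOSTS='ns 192.168.0.1
mail 192.168.0.2
mail2 192.168.0.3
zyxel 192.168.0.4'

# next_serial OLD TODAY -> prints the serial to write into the SOA.
# TODAY is YYYYMMDD, passed in rather than read from date(1) so the
# function is reproducible. Slaves only transfer when the serial grows,
# so the result is always strictly greater than OLD: today's date with a
# fresh counter when OLD is older, otherwise OLD + 1 (which also covers a
# bogus serial from the future, where OLD + 1 is the only safe move).
next_serial() {
    old=$1
    today=$2
    if [ "$old" -lt "${today}00" ]; then
        echo "${today}00"
    else
        echo $((old + 1))
    fi
}

# forward_records -> "name IN A ip" lines relative to the zone origin
forward_records() {
    printf '%s\n' "$HOSTS" | awk '{ printf "%-8s IN  A    %s\n", $1, $2 }'
}

# reverse_records ZONE -> fully qualified PTR lines for any IPv4 address:
# the octets are reversed and .in-addr.arpa. appended.
reverse_records() {
    printf '%s\n' "$HOSTS" | awk -v zone="$1" '{
        split($2, o, ".")
        printf "%s.%s.%s.%s.in-addr.arpa. IN PTR %s.%s.\n", o[4], o[3], o[2], o[1], $1, zone
    }'
}

# ptr_name IP -> the PTR owner name for one address (for cross-checking)
ptr_name() {
    echo "$1" | awk -F. '{ print $4"."$3"."$2"."$1".in-addr.arpa." }'
}

# soa_record ZONE SERIAL -> the SOA with the timers from the slide
soa_record() {
    printf '%s. IN SOA ns.%s. root.%s. (\n' "$1" "$1" "$1"
    printf '    %-10s ; serial\n' "$2"
    printf '    10800      ; refresh\n    3600       ; retry\n'
    printf '    604800     ; expire\n    86400 )    ; negative-caching TTL\n'
}

# Stand-alone run: print a complete forward zone head and the PTR section.
serial=$(next_serial 2003037 "$(date +%Y%m%d)")
echo '$TTL 3D'
soa_record my-site.com "$serial"
echo 'my-site.com. IN NS ns.my-site.com.'
forward_records
echo '; reverse zone records'
reverse_records my-site.com
```

Generating both zones from one list is the cheapest defence against the mismatched alias on the reverse-zone slide; run named-checkzone on the output before reloading, and never let the serial go backwards, since a slave that has seen a higher serial will ignore the master until it catches up.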
Loopback reverse and forward lookup
• Needed for named loopback reverse lookups
/var/lib/named/127.0.0.1.zone:
$TTL 3D
@   IN  SOA  ns.my-site.com. root.my-site.com. (
        20011121   ; Serial
        28800      ; Refresh
        14400      ; Retry
        3600000    ; Expire
        86400 )    ; Minimum
    IN  NS   ns.my-site.com.
1   IN  PTR  localhost.
@ stands for the zone name given in named.conf (0.0.127.in-addr.arpa), so the owner 1 becomes 1.0.0.127.in-addr.arpa.
• Needed for named loopback forward lookups
/var/lib/named/localhost.zone, the forward counterpart with an A record mapping localhost. to 127.0.0.1
Root servers file (cache root servers)
• Root servers file /var/named/root.hint
; formerly NS.INTERNIC.NET
.                      3600000  IN  NS  A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.    3600000      A   198.41.0.4
; formerly NS1.ISI.EDU
.                      3600000      NS  B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.    3600000      A   128.9.0.107
. means the root of the name space, the parent of all domains
3600000 seconds (about 41 days) is the TTL; the file is only a bootstrap, named asks a root server for the current list at startup
The addresses in this file change over time (B.ROOT-SERVERS.NET has moved away from 128.9.0.107 since this slide was written), so refresh root.hint now and then from the named.root file published at internic.net.
Internal/External queries
• Different name lookups for internal and external networks: /etc/named.conf
• view internal
view "internal" { // What the internal network will see
add your zones
};
• view external
view "external" { // What the public network will see
add your zones
};
Each view needs a match-clients clause (typically an acl of your internal networks for "internal" and any for "external"); views are tried in order, so the internal one comes first, and once you use views every zone, including the root hints and the localhost zones, must live inside a view. Put recursion and the private addresses only in the internal view, so that outsiders can neither use the server as a resolver nor learn your internal layout.
Now it's time to test your configuration
• Restart your nameserver
# rcnamed restart
Check your /var/log/messages file for errors, and correct them! named logs every zone it refused to load there; named-checkconf and named-checkzone (shipped with BIND) find the same syntax errors before the restart.
• Check forward resolution
# nslookup ns.my-site.com
Name: ns.my-site.com
Address: 192.168.0.1
• Check reverse resolution
# nslookup 192.168.0.1
1.0.168.192.in-addr.arpa
name = ns.my-site.com.
Also test from a host outside your network to confirm that recursion and zone transfers are refused to strangers.
Dynamic DNS main configuration
• Dynamic DNS allows clients to add their hostnames to the domain
• Dynamic DNS updates come from the DHCP server
– The DHCP server sends the updates, named rewrites the zone files
– The DHCP server needs to be configured as in chapter 2 of unix-netadmin
• TSIG (transaction signatures, RFC 2845) is used to authenticate the updates, not DNSSEC
– Each update is signed with an HMAC over a shared secret, which is much more secure than classic updates authorised by source IP address alone
• Master protection key entry
– In the /etc/named.conf file:
– The key was generated in chapter 2 of unix-netadmin; copy and paste it here.
key DHCP-UPDATER {
algorithm HMAC-MD5;
secret "<key-data>";
};
The secret is base64 and must be identical on the DHCP server; keep named.conf unreadable for other users, or put the key in a separate file that only named can read and include it. HMAC-MD5 is what the slide and BIND 9.3 use; current BIND releases support hmac-sha256, which should be preferred for new keys.
Dynamic DNS zonefile configuration
• The forward and reverse zones to be updated must allow updates
– The DHCP server acts as an update client: named applies the signed updates in memory, records them in a .jnl journal next to the zone file and rewrites the zone file periodically. Do not hand-edit a dynamically updated zone while named runs (freeze it with rndc freeze first, edit, then rndc thaw).
– allow-update names the key, not an address, so a spoofed source IP is not enough to change the zone
zone "my-site.com" {
type master;
notify no;
allow-query { any; };
allow-update { key DHCP-UPDATER; };
file "master/my-site.zone";
};
zone "0.168.192.in-addr.arpa" {
type master;
notify no;
allow-update { key DHCP-UPDATER; };
file "master/192.168.0.rev";
};
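As an added example (not from the course slides or from ISC), a POSIX shell script that produces a TSIG key clause for /etc/named.conf and the nsupdate batch that registers one host in both zones above, the same exchange a DHCP server performs for each lease. Assumptions: /dev/urandom and base64 exist (any Linux), the reverse zone is a /24, and the key name, zone and addresses are the ones from the slides; the host pc1 and address 192.168.0.50 are made up. hmac-sha256 is used instead of the slide's HMAC-MD5; named accepts both, and MD5 is the weaker choice.

```shell
#!/bin/sh
# Added example, not part of the course slides: generate a TSIG key clause
# for /etc/named.conf and the nsupdate batch that registers one host in
# both zones, signed with that key. Assumptions: /dev/urandom and base64
# exist (any Linux), the reverse zone is a /24, and the key name, zone and
# addresses are the ones from the slides. hmac-sha256 is used instead of
# the slide's HMAC-MD5; named accepts both, and MD5 is the weaker choice.

# tsig_secret -> 32 random bytes as base64, the encoding named expects.
tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# key_clause NAME SECRET -> the block for named.conf. The same key (in
# dhcpd's syntax) goes into dhcpd.conf so both ends share the secret.
key_clause() {
    printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' "$1" "$2"
}

# reverse_zone IP -> the /24 reverse zone name for IP (assumption: /24)
reverse_zone() {
    echo "$1" | awk -F. '{ print $3"."$2"."$1".in-addr.arpa" }'
}

# nsupdate_script ZONE HOST IP [TTL] -> the batch to pipe into
#   nsupdate -k /path/to/keyfile
# Each "send" is one atomic transaction. The delete before the add makes
# a re-run replace stale data instead of accumulating extra records, which
# is what a DHCP server needs when a lease moves to a new address.
nsupdate_script() {
    zone=$1; host=$2; ip=$3; ttl=${4:-3600}
    rzone=$(reverse_zone "$ip")
    last=${ip##*.}
    printf 'server 127.0.0.1\n'
    printf 'zone %s\n' "$zone"
    printf 'update delete %s.%s. A\n' "$host" "$zone"
    printf 'update add %s.%s. %s A %s\n' "$host" "$zone" "$ttl" "$ip"
    printf 'send\n'
    printf 'zone %s\n' "$rzone"
    printf 'update delete %s.%s. PTR\n' "$last" "$rzone"
    printf 'update add %s.%s. %s PTR %s.%s.\n' "$last" "$rzone" "$ttl" "$host" "$zone"
    printf 'send\n'
}

# Stand-alone run: a fresh key and the update batch for one DHCP client.
secret=$(tsig_secret)
key_clause DHCP-UPDATER "$secret"
echo
nsupdate_script my-site.com pc1 192.168.0.50
```

BIND ships its own generators for the same key (dnssec-keygen with -n HOST on 9.3, tsig-keygen on current releases), and current nsupdate accepts a file containing exactly this key clause with -k; the -y name:secret alternative puts the secret on the command line where other users can read it with ps, so avoid it on shared hosts.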
Summary
• A DNS server is used to resolve names to IP addresses and back
• The configuration sits in /etc/named.conf
• Zone files are in /var/named/ (/var/lib/named on SuSE)
• Zones are transferred from the master to the slaves
• A caching-only nameserver is the default setting
• You have two files for each zone: forward and reverse
• Several names can point at one host with CNAME aliases
• Stop the DNS server with /etc/init.d/named stop
• Reload the DNS server with /etc/init.d/named restart (rndc reload applies changed zone files without dropping the cache)
• ACLs and views apply policy to queries
• It takes time for name changes to propagate globally
• A DNS server has 127.0.0.1 as the first entry in /etc/resolv.conf
• Dynamic DNS lets the DHCP server update the zones over the DNS protocol