lpic207 - dns

labs/lpic2/lpic207

Overview [LAB LPIC2 207]

In this lab we will set up an authoritative name server for the domain ctlabs.internal.

Subnets:

Running the ansible playbook

domain 'ctlabs.internal' configuration - ns1.ctlabs.internal

First we will install the bind software on the primary name server, which runs in the ns1 container.

Packages:

/etc/named.conf

To set up the zone file we first need to define the zone in the named.conf configuration file, which is located in the /etc directory. We need to add the IP address assigned to the eth1 interface of the ns1 container to the listen-on directive. We also add the subnet 192.168.0.0/16 to the allow-query directive so that the other containers in our lab environment are able to query named. Finally we add a zone definition for the domain ctlabs.internal.

root@ns1:/etc# vi named.conf

// named.conf

options {
  listen-on               port 53 { 127.0.0.1; 192.168.10.11; };
  listen-on-v6            port 53 { ::1; };
  directory               "/var/named";
  dump-file               "/var/named/data/cache_dump.db";
  statistics-file         "/var/named/data/named_stats.txt";
  memstatistics-file      "/var/named/data/named_mem_stats.txt";
  secroots-file           "/var/named/data/named.secroots";
  recursing-file          "/var/named/data/named.recursing";

  allow-query             { localhost; 192.168.0.0/16; };
  // set only to yes for resolver; set no for authoritative server
  recursion               no;

  dnssec-enable           yes;
  dnssec-validation       yes;

  managed-keys-directory  "/var/named/dynamic";
  pid-file                "/run/named/named.pid";
  session-keyfile         "/run/named/session.key";
  include                 "/etc/crypto-policies/back-ends/bind.config";
};

logging {
  channel default_debug {
    file     "data/named.run";
    severity dynamic;
  };
};

zone "." IN {
  type hint;
  file "named.ca";
};

zone "ctlabs.internal" IN {
  type master;
  file "data/ctlabs.internal.db";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Configuration File:

Options

Zone:

/var/named/data/ctlabs.internal.db

Now that we have defined a new zone we need to configure the zone details. We create the file /var/named/data/ctlabs.internal.db with the following content:

root@ns1:/# cd /var/named/data/
root@ns1:/var/named/data# vi ctlabs.internal.db

; /var/named/data/ctlabs.internal.db

$ORIGIN ctlabs.internal.
$TTL    3600

ctlabs.internal.   IN   SOA   ns1.ctlabs.internal. root.ctlabs.internal. (
                              2024012502   ; serial
                              3600         ; refresh
                              600          ; retry
                              86400        ; expire
                              600          ; negative cache ttl
);

; define the name servers
@                  IN   NS    ns1.ctlabs.internal.
@                  IN   NS    ns2.ctlabs.internal.

; name servers need to have an A-record
ns1                IN   A     192.168.10.11
ns2                IN   A     192.168.20.11

; address records
www                IN   A     192.168.10.12
www2               IN   CNAME www.ctlabs.internal.

; txt records
secret_key         IN   TXT   secret_value
_acme_challenge    IN   TXT   "ab938e2fa2403827d"
@                  IN   TXT   "season=winter"

Zone File:

We use the command named-checkzone to check the content of the file ctlabs.internal.db. For future changes we also need to make sure that the serial is increased before we load a changed zone file. The serial is how a secondary server (a client of the zone) determines whether it already holds the latest zone data.
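As an added example (not code from the lab and not BIND's named-checkzone), the following Python re-implements the two pre-reload checks this section calls for, a growing SOA serial and an address record for every in-zone name server, over a condensed copy of the lab's zone file; the previously loaded serial is an assumed value.

```python
# Added example, not from the lab or BIND; ZONE is the lab's zone file condensed to what the checks need.
ZONE = """\
$ORIGIN ctlabs.internal.
ctlabs.internal.   IN   SOA   ns1.ctlabs.internal. root.ctlabs.internal. (
                              2024012502 3600 600 86400 600 )  ; serial refresh retry expire ncache
@                  IN   NS    ns1.ctlabs.internal.
@                  IN   NS    ns2.ctlabs.internal.
ns1                IN   A     192.168.10.11
ns2                IN   A     192.168.20.11
"""
PREVIOUS_SERIAL = 2024012501  # constructed: serial of the copy named currently serves

def logical_records(text):
    """Strip ';' comments, join '(' ... ')' continuations, return field lists."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]            # assumes no ';' inside quoted TXT data
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0 and line.strip():
            out.append(" ".join(buf).split())
            buf = []
    return out

def parse_zone(text):
    """Return (origin, soa_serial, [(owner_fqdn, rtype, rdata_fields)])."""
    origin, serial, records = "", None, []
    for fields in logical_records(text):
        if fields[0].startswith("$"):          # $ORIGIN / $TTL directives
            origin = fields[1] if fields[0] == "$ORIGIN" else origin
            continue
        owner = origin if fields[0] == "@" else fields[0]
        if not owner.endswith("."):            # relative name: append $ORIGIN
            owner = f"{owner}.{origin}"
        i = 2 if fields[1] == "IN" else 1      # optional class token
        rtype, rdata = fields[i], fields[i + 1:]
        if rtype == "SOA":                     # mname rname serial refresh ...
            serial = int(rdata[2])
        records.append((owner, rtype, rdata))
    return origin, serial, records

def check_zone(text, previous_serial):
    """Return problems found; an empty list means the zone may be reloaded."""
    origin, serial, records = parse_zone(text)
    problems = [] if serial and serial > previous_serial else [f"SOA serial {serial} not above {previous_serial}"]
    addressed = {o for o, t, _ in records if t in ("A", "AAAA")}
    for owner, rtype, rdata in records:
        if rtype == "NS" and rdata[0].endswith("." + origin) and rdata[0] not in addressed:
            problems.append(f"NS {rdata[0]} has no address record in the zone")
    return problems
```

Running check_zone(ZONE, PREVIOUS_SERIAL) returns an empty list for the lab zone; reusing the old serial, or dropping the ns2 A record, each produces one problem entry.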

Starting named.service

We start the named.service and enable it so that it is started automatically at boot.

With the dig command we can check if named is responding to requests for the ctlabs.internal domain properly. First we check the SOA record:

Next we check the name server (NS) records for the domain. We can see in the output below that each name server has a corresponding A record.

By adding the +short flag we can make the output of the dig command less verbose:

domain 'ctlabs.internal' configuration - ns2.ctlabs.internal

Now let's add the secondary server. The named.conf file is almost identical with the primary one. It differs in 

// named.conf

options {
  listen-on               port 53 { 127.0.0.1; 192.168.20.11; };
  listen-on-v6            port 53 { ::1; };
  directory               "/var/named";
  dump-file               "/var/named/data/cache_dump.db";
  statistics-file         "/var/named/data/named_stats.txt";
  memstatistics-file      "/var/named/data/named_mem_stats.txt";
  secroots-file           "/var/named/data/named.secroots";
  recursing-file          "/var/named/data/named.recursing";

  allow-query             { localhost; 192.168.20.0/24; };
  // set only to yes for resolver; set no for authoritative server
  recursion               no;

  dnssec-enable           yes;
  dnssec-validation       yes;

  managed-keys-directory  "/var/named/dynamic";
  pid-file                "/run/named/named.pid";
  session-keyfile         "/run/named/session.key";
  include                 "/etc/crypto-policies/back-ends/bind.config";
};

logging {
  channel default_debug {
    file     "data/named.run";
    severity dynamic;
  };
};

zone "." IN {
  type hint;
  file "named.ca";
};

zone "ctlabs.internal" IN {
  type slave;
  masters { 192.168.10.11; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";