lpic207 - dns
labs/lpic2/lpic207
Overview [LAB LPIC2 207]
In this lab we will set up an authoritative name server using the domain ctlabs.internal.
Starting the Lab Environment: ctlabs.rb
Subnets:
natgw: 192.168.15.0/29
sw1 : 192.168.10.0/24
sw2 : 192.168.20.0/24
Running the ansible playbook
domain 'ctlabs.internal' configuration - ns1.ctlabs.internal
First we will install the bind software on the primary name server which will be in the ns1 container.
Packages:
bind
bind-utils
/etc/named.conf
To set up the zone file we first need to define the zone in the named.conf configuration file, which is located in the /etc directory. We need to add the IP that is assigned to the eth1 interface in the ns1 container to the listen-on directive. We also add the subnet 192.168.0.0/16 to the allow-query directive so that the other containers in our lab environment are able to query named. Finally we add a zone definition for the domain ctlabs.internal.
root@ns1:/etc# vi named.conf
// named.conf
options {
    listen-on port 53 { 127.0.0.1; 192.168.10.11; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    allow-query { localhost; 192.168.0.0/16; };

    // set only to yes for resolver; set no for authoritative server
    recursion no;

    dnssec-enable yes;
    dnssec-validation yes;

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "ctlabs.internal" IN {
    type master;
    file "data/ctlabs.internal.db";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Configuration File: /etc/named.conf
  Options: listen-on, allow-query
  Zone: type master, file <path>
/var/named/data/ctlabs.internal.db
Now that we have defined a new zone we need to configure the zone details. We create a file /var/named/data/ctlabs.internal.db with following content:
root@ns1:/# cd /var/named/data/
root@ns1:/var/named/data# vi ctlabs.internal.db
; /var/named/data/ctlabs.internal.db
$ORIGIN ctlabs.internal.
$TTL 3600
ctlabs.internal. IN SOA ns1.ctlabs.internal. root.ctlabs.internal. (
2024012502 ; serial
3600 ; refresh
600 ; retry
86400 ; expire
600 ; negative cache ttl
);
; define the name servers
@ IN NS ns1.ctlabs.internal.
@ IN NS ns2.ctlabs.internal.
; name servers need to have an A-record
ns1 IN A 192.168.10.11
ns2 IN A 192.168.20.11
; address records
www IN A 192.168.10.12
www2 IN CNAME www.ctlabs.internal.
; txt records
secret_key IN TXT secret_value
_acme_challenge IN TXT "ab938e2fa2403827d"
@ IN TXT "season=winter"
Zone File:
SOA - Start of Authority
NS - Name Server
A - Address (IPv4)
CNAME - Canonical Name
TXT - Text
We use the command named-checkzone to check the content of the file ctlabs.internal.db. For future changes we also need to make sure that the serial is increased before we load a changed zone file. Secondary servers compare the serial to decide whether they already hold the latest zone data.
Starting named.service
We start the named.service and make sure it's started in the future automatically.
With the dig command we can check if named is responding to requests for the ctlabs.internal domain properly. First we check the SOA record:
Next we check the nameserver records for the domain. We can see in the output below that each nameserver has a corresponding A record.
By providing the flag +short we can make the output of the dig command less verbose:
domain 'ctlabs.internal' configuration - ns2.ctlabs.internal
Now let's add the secondary server. The named.conf file is almost identical to the primary one. It differs in
the listen ip
the zone definition for "ctlabs.internal"
// named.conf
options {
    listen-on port 53 { 127.0.0.1; 192.168.20.11; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    allow-query { localhost; 192.168.20.0/24; };

    // set only to yes for resolver; set no for authoritative server
    recursion no;

    dnssec-enable yes;
    dnssec-validation yes;

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "ctlabs.internal" IN {
    type slave;
    masters { 192.168.10.11; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
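The following shell helpers are an added example and not part of the lab. They tie together the zone-change workflow described for ns1 (check the file with named-checkzone, raise the serial before loading it) and the primary/secondary pair configured above: after a change, the SOA serial answered by ns2 should match the one answered by ns1, and comparing them with dig is the quickest way to see whether the transfer from 192.168.10.11 has happened. The zone name, file path and addresses are the lab's own; the function names, the YYYYMMDDnn serial convention and the use of rndc reload are this example's assumptions.

```sh
#!/bin/sh
# Added example (not part of the lab): helpers for bumping a zone serial,
# validating the zone file, and checking that the secondary has caught up.
# Zone name, file path and addresses are the lab's; function names are ours.

ZONE="ctlabs.internal"
ZONEFILE="/var/named/data/ctlabs.internal.db"
PRIMARY="192.168.10.11"
SECONDARY="192.168.20.11"

# Print the serial recorded in a zone file: the first field of the line whose
# trailing comment reads "; serial" (the layout used in the lab's zone file).
zone_serial() {
    awk '/; *serial/ { print $1; exit }' "$1"
}

# Compute the next serial in YYYYMMDDnn form. $1 is the current serial,
# $2 the date as YYYYMMDD (defaults to today). Same day: increment; new day:
# <date>01. Never move backwards: if the file already carries a serial from a
# later date (clock skew, or a serial that did not follow the convention),
# a secondary would ignore a smaller one, so fall back to current + 1.
next_serial() {
    cur="$1"
    today="${2:-$(date +%Y%m%d)}"
    case "$cur" in
        "$today"[0-9][0-9]) candidate=$((cur + 1)) ;;
        *)                  candidate="${today}01" ;;
    esac
    if [ "$candidate" -le "$cur" ]; then
        candidate=$((cur + 1))
    fi
    printf '%s\n' "$candidate"
}

# Rewrite the serial line in place (GNU sed -i), then validate the file with
# named-checkzone when it is installed. $2 is an optional YYYYMMDD override.
# Prints the new serial on success.
bump_zone_serial() {
    file="$1"
    cur=$(zone_serial "$file")
    [ -n "$cur" ] || { echo "no serial line found in $file" >&2; return 1; }
    new=$(next_serial "$cur" "$2")
    sed -i "s/^\([[:space:]]*\)$cur\([[:space:]]*;[[:space:]]*serial\)/\1$new\2/" "$file"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$ZONE" "$file" >/dev/null || return 1
    fi
    printf '%s\n' "$new"
}

# Third field of a "dig +short <zone> SOA" answer, which has the form
# "mname rname serial refresh retry expire minimum".
soa_serial_from_answer() {
    awk 'NF >= 7 { print $3; exit }'
}

# Ask both servers for the SOA and compare serials. A secondary that has not
# transferred the new zone yet still answers with the old serial, so this
# is the check to run after a reload on the primary.
secondary_in_sync() {
    p=$(dig +short @"$PRIMARY" "$ZONE" SOA | soa_serial_from_answer)
    s=$(dig +short @"$SECONDARY" "$ZONE" SOA | soa_serial_from_answer)
    printf 'primary=%s secondary=%s\n' "$p" "$s"
    [ -n "$p" ] && [ "$p" = "$s" ]
}

# Typical use on ns1 after editing the zone file (rndc reload is assumed
# to be available, as it is with a standard bind installation):
#   bump_zone_serial "$ZONEFILE" && rndc reload "$ZONE" && secondary_in_sync
```

Because the secondary zone above has no file directive, ns2 keeps the transferred zone in memory only and must fetch it again from ns1 after a restart; secondary_in_sync will report an empty secondary serial until that transfer succeeds.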