@roulette6
Created February 21, 2018 02:13
Linux managing DNS servers (LPIC-2)

Quick command reference

lsb_release -d          # get Linux distro and version
cat /etc/centos-release

# ubuntu
sudo /etc/init.d/bind9 {start | stop | restart}
sudo -u bind rndc status
sudo -u bind rndc-confgen

# CentOS
sudo -u named rndc status
sudo -u named rndc-confgen

rndc status
rndc reload             # reload config and zones without restarting named

named-checkconf -v
named-checkzone example.com /etc/bind/db.example  # ubuntu
named-checkzone example.com /var/named/db.example # centos
named-checkconf -z      # test-load every zone listed in named.conf

netstat -ltnp           # listening TCP sockets, numeric, with owning program

named -v                # DNS server version
named -V                # DNS server version, verbose
sudo -u bind cat /etc/bind/rndc.key

Understanding DNS

Server config files

Ubuntu

  • dpkg -L bind9
  • /etc/bind/named.conf
  • /etc/bind/named.conf.local
  • /etc/bind/named.conf.default-zones
  • /etc/bind/rndc.key
  • /etc/bind/named.conf.options
  • Zone files are also in /etc/bind/

CentOS

  • /etc/named.conf
  • /etc/named.iscdlv.key
  • /etc/named.rfc1912.zones
  • /etc/named.root.key
  • /var/named/

Understanding zone files

  • DNS data is stored in text files called zone files.
  • BIND can generate a run of similar records with the $GENERATE directive.
  • You would have a file such as /etc/bind/db.example as the example zone and /etc/bind/db.192.0.2 as the reverse lookup zone for PTR records.
  • Each zone the DNS server looks after is specified in the named.conf file.
  • Auto-generate PTR records with $GENERATE 10-254 $ PTR dhcp-$.example.com. where 10-254 is the range and each $ is replaced by the current number in turn (the record type, PTR here, is required).
  • ls /var/named shows the default zone files. Ubuntu names them db.zone-name and CentOS names them named.zone-name.
  • ls -ld /var/named
  • cat /usr/lib/systemd/system/named.service
  • cat /etc/sysconfig/named

Controlling the DNS server

  • rndc controls the named service.
  • sudo -u bind rndc status
  • You don't need to restart the whole service to reload a single zone.

Additional tools

  • You can run syntax checks on the config and zone files.
  • sudo named-checkconf: no output means the config is fine. Pass -v to print the version.
  • sudo named-checkzone <zone-name> /etc/bind/<file-name>
    • E.g.: sudo named-checkzone localhost /etc/bind/db.local
    • Shows loaded serial number in output
    • Use sudo named-checkconf -z to test-load all zone files listed in named.conf.
  • The dnsutils package provides client tools like dig and nslookup.
    • dig -t A www.pluralsight.com @127.0.0.1 (the @server part can be left out if a resolver is already defined; dig then uses /etc/resolv.conf)
    • nslookup -query=A www.pluralsight.com

Installing BIND

# Ubuntu

root@ubuntu:/etc/init.d# apt-cache search bind9
bind9 - Internet Domain Name Server
apt-get install -y bind9

# CentOS
# The package is called "bind", but the service is called "named"

yum install -y bind bind-utils
systemctl enable named         # do this once; it creates the unit symlink so named starts at boot
systemctl start named
rndc status
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --reload

Server modes and configurations

  • Caching-only server: hosts no zones of its own; it only resolves queries for clients and caches the answers
  • Forwarding server: Other servers perform the lookup
  • Master: We're looking after the zone files (read/write copy)
  • Slave: Read-only copy of the zone files
  • listen-on: the default is localhost only, so you need to list the interfaces/IP addresses to listen on in /etc/named.conf
  • allow-query: list the networks that are allowed to query this server
  • Run rndc reload after configuring named.

Extending DNS to host zones


Forward zone. IN is the Internet class.

zone "example.com" IN {
    type master;
    file "db.example";
    allow-update { none; };
};

Reverse zone (the subnet octets are written backwards under in-addr.arpa). In the example below, the subnet is 10.0.2.

zone "2.0.10.in-addr.arpa" IN {
    type master;
    file "db.10.0.2";
    allow-update { none; };
};

Adding zones to DNS config

  • Note the directory indicated in /etc/bind/named.conf. This is where zone files go.
  • You can add zones in named.conf.local or the appropriate file included in /etc/named.conf.
  • Run named-checkconf to check for syntax errors after editing. No output is good news. You can run named-checkconf -v to get a small amount of output regardless.

Understanding and creating zone data files

  • Anything after a ; is a comment.

  • You must change the group ownership to bind (Ubuntu) or named (CentOS) after you create the files.

  • Note that root.example.com. in the SOA record is the contact email address (root@example.com, with the @ written as a dot). Also, the lower the MX record number, the higher the preference.

  • The origin must end with a .

  • When you give just a name without a trailing dot, the origin is appended to it.

  • The different times indicated in hrs or weeks in the examples below can be indicated in seconds without any unit.

  • Note that these lines are equivalent, as the @ symbol indicates the origin should go there:

      example.com. IN SOA master.example.com. root.example.com. (2018010401 8h 4h 1w 1h)
    
      @ IN SOA master.example.com. root.example.com. (2018010401 8h 4h 1w 1h)
    

Forward

$TTL 3h
$ORIGIN example.com.
@ IN SOA master.example.com. root.example.com. (
    2018010401; serial
    8h; refresh interval for slaves
    4h; retry interval if unable to refresh
    1w; expire if unable to refresh
    1h; negative TTL (keep negative response and don't retry to resolve)
)

example.com. IN NS      master.example.com.
master       IN A       192.0.2.4
gw           IN A       192.0.2.1
mail         IN A       192.0.2.2

; Aliases
ns1          IN CNAME   master.example.com.

; Mail servers
example.com. IN MX    5 mail.example.com.

Reverse

$TTL 3h
$ORIGIN 2.0.10.in-addr.arpa.
@ IN SOA master.example.com. root.example.com. (
2018010401; serial
8h; refresh interval for slaves
4h; retry interval if unable to refresh
1w; expire if unable to refresh
1h; negative TTL (keep negative response and don't retry to resolve)
)

@ IN NS  master.example.com.
1 IN PTR gw.example.com.
2 IN PTR mail.example.com.
4 IN PTR master.example.com.

Troubleshooting DNS and log files

Resource records and logging

  • CNAME (canonical name): associates an alias with the canonical name of the real host. The right-hand side of a record (a CNAME target, an NS or MX host) should be the canonical name, never an alias.

      ns1 IN CNAME master.example.com.
    
  • Multi-homed hosts (one host with several IP addresses), or several hosts that share one FQDN, get one A record per address under the same name. You can also give each address its own unique name so that a client can reach that specific address directly. Name servers return all the records to any requester, listing first an address on the requester's own subnet if there is one, and otherwise rotating the order round-robin.

      web  IN A 10.0.2.10
      web  IN A 10.0.3.10
      web2 IN A 10.0.2.10 
    
  • TXT resource records: Administrative info about the host.

      web2 IN TXT "Network: office 1"
    
  • @: the @ symbol stands for the current $ORIGIN value. A record line that begins with a space or tab instead of a name reuses the owner name of the previous record.

Client tools and resolving DNS issues

Client tools

  • The DNS server IP addresses are located in /etc/resolv.conf. This file can be overwritten by the network manager.
    • CentOS: NM_MANAGED=no in the appropriate interface file.
    • Ubuntu: Add NM_MANAGED=no to /etc/network/interfaces.
  • /etc/nsswitch.conf determines the order of name resolution.
  • Skipping video on working with /etc/resolv.conf

nslookup and dig

# single command
$ nslookup -querytype=mx pluralsight.com
$ nslookup -querytype=a pluralsight.com

# interactive
$ nslookup
> server 127.0.0.1
> set type=mx
> set debug         # optional
> pluralsight.com

$ dig pluralsight.com -t mx                 # verbose
$ dig pluralsight.com +short -t mx          # terse
$ dig pluralsight.com +short -t a @8.8.8.8  # specify name server
$ dig -x 1.2.3.4                            # reverse lookup

$ host www.pluralsight.com                  # returns A record
$ host 54.68.188.121                        # returns PTR record

Configuring DNS replication

Introduction to zone transfers

  • Slave servers use the zone transfer mechanism to replicate the zone, polling the master at the refresh interval from the SOA record.

  • The zone files will not be created on the slaves by a human, but rather by named during initial replication.

  • Replication occurs only if the serial number has been incremented.

  • Transfer a zone with dig axfr example.com @192.168.128.81. This copies the whole zone data file, so transfers should be restricted on the servers to the addresses of the known secondaries. You can do a zone transfer from one slave to another.

  • The slave is configured as type slave in the zone's stanza in named.conf. You then have to specify the masters it will sync with.

      # named.conf file
    
      zone "example.com" IN {
          type slave;
          file "slaves/db.example";
          masters { 10.0.2.4; };
      };
    
  • You can verify that a zone transfer completed successfully by checking tail /var/log/messages in CentOS. Look for the following in the logs:

    • zone example.com
    • Transfer completed
    • Transferred serial
  • After waiting for the refresh interval and verifying the serial number, you can force a transfer (for example after a failed one) with rndc retransfer example.com.
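To check the transfer result without reading the whole log by eye, here is an added shell example (not part of the gist) that scans named's syslog lines and reports, per zone, the outcome of its most recent transfer attempt. The lines in sample_log are constructed for this example and modelled on the messages BIND writes to syslog for zone transfers; the hostnames, PIDs, zone names and addresses are made up.

```shell
#!/bin/sh
# Added example (not from the gist): summarise zone transfer outcomes from
# named's log lines. The sample below is constructed and modelled on the
# messages BIND writes to syslog; hostnames, PIDs and addresses are made up.

sample_log() {
    cat <<'EOF'
Feb 21 02:13:01 ns2 named[1234]: zone example.com/IN: Transfer started.
Feb 21 02:13:01 ns2 named[1234]: transfer of 'example.com/IN' from 10.0.2.4#53: connected using 10.0.2.5#41234
Feb 21 02:13:01 ns2 named[1234]: zone example.com/IN: transferred serial 2018010402
Feb 21 02:13:01 ns2 named[1234]: transfer of 'example.com/IN' from 10.0.2.4#53: Transfer completed: 1 messages, 9 records, 251 bytes, 0.002 secs (125500 bytes/sec)
Feb 21 02:13:02 ns2 named[1234]: zone 2.0.10.in-addr.arpa/IN: Transfer started.
Feb 21 02:13:02 ns2 named[1234]: transfer of '2.0.10.in-addr.arpa/IN' from 10.0.2.4#53: failed while receiving responses: REFUSED
EOF
}

# transfer_report reads log lines on stdin and prints one line per zone with
# the outcome of its most recent transfer attempt (the last message wins):
#   <zone> OK serial=<n>        last message was "transferred serial"
#   <zone> FAILED <reason>      last message was a transfer failure
# Exit status is 1 if any zone is in the FAILED state, 0 otherwise.
transfer_report() {
    awk '
        # zone example.com/IN: transferred serial 2018010402
        /zone [^ ]+: transferred serial [0-9]+/ {
            z = $0; sub(/.*zone /, "", z); sub(/\/IN:.*/, "", z)
            s = $0; sub(/.*transferred serial /, "", s)
            status[z] = "OK serial=" s
        }
        # transfer of <zone>/IN from <master>#53: failed <reason>
        /transfer of .*: failed / {
            z = $0; sub(/.*transfer of ./, "", z); sub(/\/IN.*/, "", z)
            r = $0; sub(/.*: failed /, "", r)
            status[z] = "FAILED " r
        }
        END {
            rc = 0
            for (z in status) {
                print z, status[z]
                if (status[z] ~ /^FAILED/) rc = 1
            }
            exit rc
        }'
}

# Usage on a slave: tail -n 500 /var/log/messages | transfer_report
```

Run it on the slave as `tail -n 500 /var/log/messages | transfer_report`; a non-zero exit status means at least one zone's latest transfer attempt failed, so the function can sit directly in a monitoring check. Because the last message per zone wins, a zone that failed and was then retransferred successfully with rndc retransfer reports OK.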

Configuring a slave server

  • dig axfr example.com @10.0.2.4 manually gets the zone from the master indicated by @.

In CentOS, open /etc/named.conf

zone "example.com" IN {
        type slave;
        file "slaves/db.example";
        masters { 192.168.128.81; };
};

zone "128.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/db.128.168.192.in-addr.arpa";
        masters { 192.168.128.81; };
};
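The master side of this setup is where the restriction mentioned in the zone transfer notes belongs: a zone with no allow-transfer of its own and none in options inherits BIND's default, which has historically allowed transfers to anyone. The following shell example is added here (it is not from the gist) to audit a named.conf for authoritative zones with no explicit allow-transfer. sample_named_conf is a constructed config with made-up zone names and addresses; the brace-counting parser handles the plain stanza layout used in these notes, not every named.conf construct, and it does not follow include statements.

```shell
#!/bin/sh
# Added example (not from the gist): list authoritative zones in a named.conf
# that carry no explicit allow-transfer and are not covered by a global one.

# Constructed named.conf in the layout used in these notes (made-up names).
sample_named_conf() {
    cat <<'EOF'
options {
        directory "/var/named";
        listen-on port 53 { 127.0.0.1; 10.0.2.4; };
        allow-query { localhost; 10.0.2.0/24; };
};

zone "example.com" IN {
        type master;
        file "db.example";
        allow-transfer { 10.0.2.5; };
        allow-update { none; };
};

zone "2.0.10.in-addr.arpa" IN {
        type master;
        file "db.10.0.2";
        allow-update { none; };
};

zone "example.net" IN {
        type slave;
        file "slaves/db.example.net";
        masters { 10.0.2.4; };
};
EOF
}

# audit_transfer_acl reads named.conf on stdin, prints each master/slave zone
# that lacks allow-transfer (unless options carries a global one), and exits 1
# if any such zone exists. Braces are counted per zone stanza; include files
# are not followed.
audit_transfer_acl() {
    awk '
        # start of a zone stanza: zone "name" ...
        zone == "" && /^[ \t]*zone[ \t]+"[^"]+"/ {
            zone = $0; sub(/^[ \t]*zone[ \t]+"/, "", zone); sub(/".*/, "", zone)
            type = ""; acl = 0; depth = 0
        }
        # allow-transfer outside any zone stanza (i.e. in options) covers all zones
        zone == "" && /allow-transfer[ \t]*[{]/ { global_acl = 1 }
        zone != "" {
            if ($0 ~ /type[ \t]+(master|primary|slave|secondary)[ \t]*;/) type = "auth"
            if ($0 ~ /allow-transfer[ \t]*[{]/) acl = 1
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0) {            # stanza closed: evaluate it
                if (type == "auth" && !acl) missing[++n] = zone
                zone = ""
            }
        }
        END {
            if (global_acl) exit 0
            for (i = 1; i <= n; i++) print missing[i]
            exit n ? 1 : 0
        }'
}

# Usage: audit_transfer_acl < /etc/named.conf   (or /etc/bind/named.conf.local on Ubuntu)
```

Any zone it prints serves its full contents to whoever asks with dig axfr; the fix is an allow-transfer block naming only the secondaries, as in the example.com stanza of the sample.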

Adding records and synchronizing

  • You need to add an NS record on the master for the secondary server.
  • You must increment the serial number.
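Because a transfer only happens when the serial grows, the serial bump is the step that is easiest to get wrong. The shell script below is an added example (not from the gist) that rewrites the number on the "; serial" line of a zone file laid out like the Forward and Reverse examples above, using the YYYYMMDDnn convention those examples follow; it refuses to produce a serial smaller than the current one, which is the mistake that leaves slaves silently serving stale data. The file paths and dates used in the calls are constructed.

```shell
#!/bin/sh
# Added example (not from the gist): bump the SOA serial of a zone file that
# uses the YYYYMMDDnn convention. A serial that does not grow means slaves
# never transfer, so this never emits a smaller serial than the current one.

# next_serial CURRENT TODAY  (TODAY as YYYYMMDD) -> prints the new serial
next_serial() {
    cur=$1 today=$2
    case $cur in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "serial '$cur' is not YYYYMMDDnn" >&2; return 1 ;;
    esac
    cur_date=${cur%??}          # first eight digits: the date part
    cur_seq=${cur#????????}     # last two digits: the per-day sequence
    cur_seq=${cur_seq#0}        # strip leading zero so "08"/"09" are not read as octal
    if [ "$today" -gt "$cur_date" ]; then
        printf '%s01\n' "$today"            # first change on a new day
    elif [ "$today" -eq "$cur_date" ]; then
        if [ "$cur_seq" -ge 99 ]; then
            echo "no sequence numbers left for $today" >&2; return 1
        fi
        printf '%s%02d\n' "$today" $((cur_seq + 1))
    else
        # today is before the serial's date: the clock or the serial is wrong;
        # never go backwards, because slaves would ignore the smaller serial
        echo "serial $cur is ahead of $today; refusing to regress" >&2; return 1
    fi
}

# zone_serial FILE -> prints the number on the "; serial" line
zone_serial() {
    awk '/;[ \t]*serial/ { if (match($0, /[0-9]+/)) { print substr($0, RSTART, RLENGTH); exit } }' "$1"
}

# bump_zone_serial FILE TODAY -> rewrites FILE with the next serial
bump_zone_serial() {
    file=$1 today=$2
    cur=$(zone_serial "$file")
    [ -n "$cur" ] || { echo "no '; serial' line in $file" >&2; return 1; }
    new=$(next_serial "$cur" "$today") || return 1
    tmp="$file.tmp.$$"
    awk -v new="$new" '
        !done && /;[ \t]*serial/ { sub(/[0-9]+/, new); done = 1 }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
    echo "$file: $cur -> $new"
}

# Usage: bump_serial.sh /etc/bind/db.example   (then named-checkzone and rndc reload)
if [ $# -eq 1 ]; then
    bump_zone_serial "$1" "$(date +%Y%m%d)"
fi
```

After bumping, run named-checkzone on the file and rndc reload on the master, then watch the slave's log for a "transferred serial" line carrying the new value.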