    Friday, March 14, 2014

    How to configure BIND-9.8 DNS server in Red Hat Linux 6

    In my earlier post I showed you the step by step configuration guide for the BIND DNS server, but at that time I used an older version of the bind rpm, so most of the parameters used in that tutorial will not work with bind 9.8. So I thought of posting another article on the same topic.

    I will use a chroot, i.e. a jail environment, for configuring the DNS server, as it is considered much safer than running bind without one: a compromised named process is then confined to the /var/named/chroot tree.

    NOTE: Please take a copy of the original configuration file before making any changes to it.
    Pre-requisites:
    Make sure you have all the required packages
    # rpm -q bind
    package bind is not installed
    # rpm -q bind-chroot
    package bind-chroot is not installed

    Install the required packages using yum
    # yum -y install bind bind-chroot

    By default the bind files are not copied inside the chroot, so we will have to do that manually. Next copy the required files inside the chroot directory.
    NOTE: Use the -p argument along with the cp command to preserve the permissions and ownership of all the files and directories
    # cp -rvpf /etc/named.* /var/named/chroot/etc/
    `/etc/named.conf' -> `/var/named/chroot/etc/named.conf'
    `/etc/named.iscdlv.key' -> `/var/named/chroot/etc/named.iscdlv.key'
    `/etc/named.rfc1912.zones' -> `/var/named/chroot/etc/named.rfc1912.zones'
    `/etc/named.root.key' -> `/var/named/chroot/etc/named.root.key'
    # cp -rvpf /var/named/named.* /var/named/chroot/var/named/
    `/var/named/named.ca' -> `/var/named/chroot/var/named/named.ca'
    `/var/named/named.empty' -> `/var/named/chroot/var/named/named.empty'
    `/var/named/named.localhost' -> `/var/named/chroot/var/named/named.localhost'
    `/var/named/named.loopback' -> `/var/named/chroot/var/named/named.loopback'
    # cp -prvf /var/named/data/ /var/named/chroot/var/named/
    `/var/named/data/' -> `/var/named/chroot/var/named/data'
    # cp -prvf /var/named/dynamic/ /var/named/chroot/var/named/
    `/var/named/dynamic/' -> `/var/named/chroot/var/named/dynamic'
    # cp -prvf /var/named/slaves/ /var/named/chroot/var/named/
    `/var/named/slaves/' -> `/var/named/chroot/var/named/slaves'

    Now let's start editing our main configuration file
    # cd /var/named/chroot/etc/
    # vi named.conf
    options {
            listen-on port 53 { 127.0.0.1; 192.168.1.11; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { localhost; 192.168.1.0/24; };
            recursion yes;
            dnssec-enable yes;
            dnssec-validation yes;
            dnssec-lookaside auto;
            /* Path to ISC DLV key */
            bindkeys-file "/etc/named.iscdlv.key";
            managed-keys-directory "/var/named/dynamic";
    };
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    zone "." IN {
            type hint;
            file "named.ca";
    };
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";

    Change the IP address of your local machine in the resolv.conf file and the ifcfg-eth file
    # vi /etc/resolv.conf
    search example
    nameserver 192.168.1.11
    NOTE: The DNS entry has to be made in the ifcfg-eth file only for Red Hat Linux 6 and above. For Red Hat Linux 5 the DNS entry is made only in the resolv.conf file
    # vi /etc/sysconfig/network-scripts/ifcfg-eth0
    DNS1=192.168.1.11

    Verify your hostname
    # vi /etc/sysconfig/network
    HOSTNAME=test2.example
    Run this command on the terminal
    # hostname test2.example
    If you run the below command on the terminal your hostname should be printed on standard output
    # hostname
    test2.example

    Restart your network services
    # service network restart
    Shutting down interface eth0:                              [  OK  ]
    Shutting down loopback interface:                          [  OK  ]
    Bringing up loopback interface:                            [  OK  ]
    Bringing up interface eth0:  Determining if ip address 192.168.1.11 is already in use for device eth0...
                                                               [  OK  ]
    # service named restart
    Stopping named:                                            [  OK  ]
    Generating /etc/rndc.key:                                  [  OK  ]
    Starting named:                                            [  OK  ]
    NOTE: In case your system gets stuck at "Generating /etc/rndc.key:", try this command
    # rndc-confgen -a -r /dev/urandom
    wrote key file "/etc/rndc.key"
    and then retry restarting your named service
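    The security-relevant part of the options block above is the combination of recursion yes; with allow-query { localhost; 192.168.1.0/24; }: the server recurses, but only for the loopback address and the LAN. Widening allow-query to any without setting allow-recursion would turn the same server into an open resolver that answers recursive queries for anyone. The script below is an added example, not code from this article or from ISC. It pulls those statements out of an options block and reports the effective recursion ACL using the fallback rule documented in the BIND 9 ARM (an unset allow-recursion defaults to allow-query-cache, then to allow-query, then to localnets and localhost). The two configuration samples inside it are constructed; the parser understands only the statements used on this page, not the full named.conf grammar, and it complements rather than replaces named-checkconf.

```python
import re

# Constructed sample: the access-control statements from the article's
# options block (other statements omitted for brevity).
SAFE_CONF = """\
options {
        listen-on port 53 { 127.0.0.1; 192.168.1.11; };
        allow-query     { localhost; 192.168.1.0/24; };
        recursion yes;
        dnssec-validation yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};
"""
# Constructed sample: the same server with allow-query widened to 'any'.
OPEN_CONF = """\
options {
        listen-on port 53 { 127.0.0.1; 192.168.1.11; };
        allow-query     { any; };   // anyone may query ...
        recursion yes;              // ... and we recurse for them
};
"""
# Order matters: it is the fallback chain the BIND 9 ARM documents for an
# unset allow-recursion (allow-query-cache first, then allow-query).
ACL_KEYS = ("allow-recursion", "allow-query-cache", "allow-query")


def strip_comments(text):
    """Remove the /* */, // and # comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def block_body(conf, keyword):
    """Text between the braces of `keyword { ... }`, found by counting
    braces so nested blocks (listen-on { ... }) do not end it early."""
    m = re.search(r"(?<![\w-])%s\s*\{" % re.escape(keyword), conf)
    if m is None:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[start:i]
    raise ValueError("unbalanced braces after %s" % keyword)


def parse_options(conf):
    """Recursion flag and the access-control lists present in options {}."""
    body = block_body(strip_comments(conf), "options")
    if body is None:
        raise ValueError("no options block found")
    opts = {"recursion": True}                      # BIND's default when unset
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", body)
    if m:
        opts["recursion"] = m.group(1) == "yes"
    for key in ACL_KEYS:
        m = re.search(r"(?<![\w-])%s\s*\{([^}]*)\}" % re.escape(key), body)
        if m:
            opts[key] = [e.strip() for e in m.group(1).split(";") if e.strip()]
    return opts


def effective_recursion_acl(opts):
    """Who may send recursive queries, after the ARM's defaulting rules."""
    for key in ACL_KEYS:
        if key in opts:
            return opts[key]
    return ["localnets", "localhost"]


def is_open_resolver(conf):
    """True when recursion is on and the recursion ACL admits everyone."""
    opts = parse_options(conf)
    if not opts["recursion"]:
        return False
    return any(e in ("any", "0.0.0.0/0", "0/0") for e in effective_recursion_acl(opts))


if __name__ == "__main__":
    for label, conf in (("article", SAFE_CONF), ("widened", OPEN_CONF)):
        acl = effective_recursion_acl(parse_options(conf))
        print("%s: recursion ACL %s -> %s" % (label, acl,
              "OPEN RESOLVER" if is_open_resolver(conf) else "restricted"))
```

    On the server itself, feed it the real file with is_open_resolver(open("/var/named/chroot/etc/named.conf").read()); the article's configuration reports a restricted ACL of localhost and 192.168.1.0/24, while the widened sample reports an open resolver. The regular expressions for the ACL statements do not handle negated entries (! prefix) or named acl {} references, which is why the check is described as an aid to reading the configuration rather than a complete parser.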

    Why does the system get stuck while generating rndc.key, and what is the solution?

    Input from Thomas (in the comment section)
    If your system is getting stuck at generating the /etc/rndc.key file, it is because the random pool is starved for entropy, which makes /dev/random block. You can check how much entropy you have in the pool using "cat /proc/sys/kernel/random/entropy_avail". Values under 300 indicate problems (but are unfortunately common on virtual machines).
    One of the best solutions is to just wait for it to finish (it will take 5-15 minutes).
    Other suggestions I have seen would be to ping the machine from multiple source machines (maybe even "ping -f address" to flood-ping). Or if there is a physical mouse/keyboard attached, the Linux kernel will grab entropy from typing / moving the mouse around.
    Logging into the machine a second or third time and generating network traffic or running things like disk tests or CPU heavy workloads may also help generate more entropy at a faster rate.
    Other options are things like hardware entropy keys or daemons like "haveged".
    Reference: Generating rndc key

    Verify your Internet Connection

    # ping google.com
    PING google.com (74.125.236.71) 56(84) bytes of data.
    64 bytes from maa03s05-in-f7.1e100.net (74.125.236.71): icmp_seq=1 ttl=56 time=223 ms
    64 bytes from maa03s05-in-f7.1e100.net (74.125.236.71): icmp_seq=2 ttl=56 time=319 ms
    ^C
    --- google.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1349ms
    rtt min/avg/max/mdev = 223.861/271.853/319.846/47.995 ms

    So our DNS server is working fine. Now let us configure the forward and reverse zones.
    # vi /var/named/chroot/etc/named.rfc1912.zones
    (Make new entries as shown below)
    # Forward Zone Entry #
    zone "example" IN {
            type master;
            file "example.zone";
            allow-update { none; };
    };
    # Reverse Zone Entry #
    zone "1.168.192.in-addr.arpa" IN {
            type master;
            file "192.168.1.zone";
            allow-update { none; };
    };

    Create the zone files as mentioned in the named.rfc1912.zones file above. If you view the named.localhost and named.loopback files inside /var/named/chroot/var/named, you will notice that they resemble a forward and a reverse lookup file respectively. So instead of creating new files from scratch we will just copy the content from their respective counterparts.
    # pwd
    /var/named/chroot/var/named
    # cp -p named.loopback 192.168.1.zone
    # cp -p named.localhost example.zone

    Forward Zone file

    # vi example.zone
    $TTL 1D
    @       IN SOA  example. hostmaster.example. (
                                            0       ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
                    IN NS           example.
                    IN A            192.168.1.11
    test2           IN CNAME        example.
    mail.example.   IN A            192.168.1.11
    example.        IN MX           10 mail.example.

    Reverse Zone file

    # vi 192.168.1.zone
    $TTL 1D
    @       IN SOA  example.  hostmaster.example. (
                                            0       ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
            IN NS   example.
    11      IN PTR  example.
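    The forward and reverse zone files above only agree with each other if the NS and MX targets have A records, the CNAME for test2 points at a name that exists, and the PTR for 192.168.1.11 maps back to a name whose A record carries that address. named-checkzone validates one file at a time, so it cannot see these cross-file relationships. The script below is an added example, not code from this article or from ISC: a parser for the small subset of master-file syntax the two files use ($TTL, ';' comments, parenthesised multi-line SOA, '@', blank owners and relative names) and a consistency check across both files. The zone texts embedded in it are constructed copies of the files above (the reverse SOA is written on one line to show that both layouts parse). The origin passed to parse_zone must be the zone name declared in named.rfc1912.zones (example and 1.168.192.in-addr.arpa), because '@' and relative names are expanded against it; the same is true of the first argument to named-checkzone.

```python
import re

# Constructed samples: the forward and reverse zone files from the article
# (the reverse SOA is written on one line to show both parenthesis styles).
FORWARD_ZONE = """\
$TTL 1D
@       IN SOA  example. hostmaster.example. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                IN NS           example.
                IN A            192.168.1.11
test2           IN CNAME        example.
mail.example.   IN A            192.168.1.11
example.        IN MX           10 mail.example.
"""
REVERSE_ZONE = """\
$TTL 1D
@       IN SOA  example. hostmaster.example. ( 0 1D 1H 1W 3H )
        IN NS   example.
11      IN PTR  example.
"""
CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"\d+[smhdwSMHDW]?")


def fqdn(name, origin):
    """Expand '@' and relative names against the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else "%s.%s" % (name, origin)


def parse_zone(text, origin):
    """Parse the master-file subset the article uses ($TTL, ';' comments,
    '( ... )' continuation, '@', blank owners, relative names; no $ORIGIN).
    Returns (default_ttl, [(owner_fqdn, type, [rdata tokens])])."""
    origin = origin.rstrip(".") + "."
    ttl, records, last_owner, logical, buf = None, [], origin, [], None
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw).rstrip()
        if not line.strip():
            continue
        buf = line if buf is None else buf + " " + line.strip()
        if buf.count("(") <= buf.count(")"):        # parentheses balanced
            logical.append(buf.replace("(", " ( ").replace(")", " ) "))
            buf = None
    for line in logical:
        if line.startswith("$TTL"):
            ttl = line.split()[1]
            continue
        fields = line.split()
        # A line that starts with whitespace reuses the previous owner.
        owner = last_owner if line[0].isspace() else fqdn(fields.pop(0), origin)
        while fields and (fields[0] in CLASSES or TTL_RE.fullmatch(fields[0])):
            fields.pop(0)                           # optional TTL and class
        rdata = [f for f in fields[1:] if f not in ("(", ")")]
        records.append((owner, fields[0], rdata))
        last_owner = owner
    return ttl, records


def ptr_to_ip(owner):
    """11.1.168.192.in-addr.arpa. -> 192.168.1.11"""
    labels = owner.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError("not an IPv4 reverse name: %s" % owner)
    return ".".join(reversed(labels[:-2]))


def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Cross-file checks named-checkzone cannot do: NS and MX targets have
    an A record, CNAMEs point at existing names and do not share an owner,
    and every PTR maps back to an A record with that address."""
    fo, ro = fwd_origin.rstrip(".") + ".", rev_origin.rstrip(".") + "."
    _, fwd = parse_zone(fwd_text, fo)
    _, rev = parse_zone(rev_text, ro)
    addrs, names, findings = {}, set(), []
    for owner, rtype, rdata in fwd:
        names.add(owner)
        if rtype == "A":
            addrs.setdefault(owner, set()).add(rdata[0])
    for owner, rtype, rdata in fwd:
        if rtype in ("NS", "MX") and fqdn(rdata[-1], fo) not in addrs:
            findings.append("%s target %s has no A record" % (rtype, fqdn(rdata[-1], fo)))
        elif rtype == "CNAME":
            if fqdn(rdata[0], fo) not in names:
                findings.append("CNAME %s points at unknown name %s" % (owner, rdata[0]))
            if any(o == owner and t != "CNAME" for o, t, _ in fwd):
                findings.append("CNAME %s shares its owner with other records" % owner)
    for owner, rtype, rdata in rev:
        if rtype == "PTR":
            ip, target = ptr_to_ip(owner), fqdn(rdata[0], ro)
            if ip not in addrs.get(target, ()):
                findings.append("PTR %s -> %s has no matching A record" % (ip, target))
    return findings


if __name__ == "__main__":
    problems = check_zones(FORWARD_ZONE, "example", REVERSE_ZONE, "1.168.192.in-addr.arpa")
    print("\n".join(problems) or "forward and reverse zones are consistent")
```

    For the two files above the check returns no findings. Deleting the A record for mail.example. makes it report that the MX target has no A record, which is exactly the kind of mistake that named-checkzone passes as "OK" because the file is still syntactically valid. On the server, read the real files from /var/named/chroot/var/named and pass the two origins from named.rfc1912.zones.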

    Verify the permissions

    IMPORTANT NOTE:
    The permissions on all the bind-related files should be 640 and on all directories 770, with root as the user owner and named as the group owner
    # ll
    total 36
    -rw-r-----. 1 root  named  207 Mar 14 18:36 192.168.1.zone
    drwxrwx---. 2 named named 4096 Jan 20 23:10 data
    drwxrwx---. 2 named named 4096 Jan 20 23:10 dynamic
    -rw-r-----. 1 root  named  242 Mar 14 18:32 example.zone
    -rw-r-----. 1 root  named 1892 Feb 18  2008 named.ca
    -rw-r-----. 1 root  named  152 Dec 15  2009 named.empty
    -rw-r-----. 1 root  named  152 Jun 21  2007 named.localhost
    -rw-r-----. 1 root  named  168 Dec 15  2009 named.loopback
    drwxrwx---. 2 named named 4096 Jan 20 23:10 slaves
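    Checking that listing by eye works for nine entries but not for a chroot that has grown over time, so here is an added example (not code from the article) that walks a directory tree and reports every entry that deviates from the rule above. The POLICY table takes the file rule from the sentence (640, root:named) and the directory owner from the ll output, which shows the directories as named:named. The build_demo() helper constructs a throwaway tree under the temp directory, owned by whoever runs the script, so the example runs without root and without touching /var/named; on the real server call audit_tree("/var/named/chroot/var/named") with the default POLICY.

```python
import grp
import os
import pwd
import stat
import tempfile

# Policy from the article: files 640 root:named; directories 770.  The
# article's own 'll' listing shows the directories owned named:named, so
# the directory owner here follows that listing.
POLICY = {
    "file": {"mode": 0o640, "user": "root", "group": "named"},
    "dir": {"mode": 0o770, "user": "named", "group": "named"},
}


def owner_names(st):
    """uid/gid of a stat result as names, falling back to the numbers."""
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return user, group


def audit_tree(root, policy=POLICY):
    """Return one finding per entry under `root` that deviates from the
    policy.  Symlinks are reported, not followed: named inside the chroot
    cannot follow a link that points outside /var/named/chroot anyway."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(root, "dir")] if dirpath == root else []
        entries += [(os.path.join(dirpath, d), "dir") for d in dirnames]
        entries += [(os.path.join(dirpath, f), "file") for f in filenames]
        for path, kind in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append("%s: symlink, check its target by hand" % path)
                continue
            want = policy[kind]
            mode = stat.S_IMODE(st.st_mode)
            if mode != want["mode"]:
                findings.append("%s: mode %o, expected %o"
                                % (path, mode, want["mode"]))
            user, group = owner_names(st)
            if (user, group) != (want["user"], want["group"]):
                findings.append("%s: owner %s:%s, expected %s:%s"
                                % (path, user, group, want["user"], want["group"]))
    return findings


def build_demo():
    """Construct a throwaway tree (owned by the current user, so no root is
    needed) with one compliant zone file, one world-readable zone file and
    one world-writable directory.  Returns (root, policy)."""
    root = tempfile.mkdtemp(prefix="named-demo-")
    os.chmod(root, 0o770)
    user, group = owner_names(os.lstat(root))
    policy = {"file": {"mode": 0o640, "user": user, "group": group},
              "dir": {"mode": 0o770, "user": user, "group": group}}
    for name, mode in (("example.zone", 0o640), ("192.168.1.zone", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("$TTL 1D\n")            # constructed placeholder content
        os.chmod(path, mode)
    for name, mode in (("data", 0o770), ("slaves", 0o777)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)
    return root, policy


if __name__ == "__main__":
    demo_root, demo_policy = build_demo()
    for finding in audit_tree(demo_root, demo_policy):
        print(finding)
```

    Against the demo tree the audit reports 192.168.1.zone as mode 644 (expected 640) and slaves as mode 777 (expected 770), and nothing for example.zone or data. A world-readable zone file leaks the layout of your network to any local account, and a world-writable directory lets any local account plant files that named will load on its next restart, which is why the article insists on 640 and 770.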
    Before you restart the named service, verify that the changes you have made load correctly using named-checkzone
    # named-checkzone example example.zone
    zone example/IN: loaded serial 0
    OK
    # named-checkzone test2.example  example.zone
    zone test2.example/IN: loaded serial 0
    OK
    # named-checkzone 192.168.1.11 192.168.1.zone
    zone 192.168.1.11/IN: loaded serial 0
    OK
    So it looks like all our zone entries are loading correctly.

    Restart the named service
    # service named restart
    Stopping named: .                                          [  OK  ]
    Starting named:                                            [  OK  ]
    Verify both the zones
    # nslookup example
    Server:         192.168.1.11
    Address:        192.168.1.11#53

    Name:   example
    Address: 192.168.1.11

    # dig -x 192.168.1.11

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> -x 192.168.1.11
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60861
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;11.1.168.192.in-addr.arpa.     IN      PTR

    ;; ANSWER SECTION:
    11.1.168.192.in-addr.arpa. 86400 IN     PTR     example.

    ;; AUTHORITY SECTION:
    1.168.192.in-addr.arpa. 86400   IN      NS      example.

    ;; ADDITIONAL SECTION:
    example.            86400   IN      A       192.168.1.11

    ;; Query time: 2 msec
    ;; SERVER: 192.168.1.11#53(192.168.1.11)
    ;; WHEN: Fri Mar 14 18:35:24 2014
    ;; MSG SIZE  rcvd: 98
    So we are getting answers for both the forward and reverse lookup entries. Everything is working as expected. Let me know your successes and failures.


    7 comments:

    1. This is an excellent blog for step by step dns setup. One more thing for this great blog, please add cd /var/named/ before the "cp -rvpf named.* chroot/var/named/" section. Otherwise it will be creating a little confusion for newbies.

      Replies
      1. Nice catch. Appreciate your feedback. Article has been updated.

    2. If your system is getting stuck at generating the /etc/rndc.key file, it is because the random pool is starved for entropy, which makes /dev/random block. You can check how much entropy you have in the pool using "cat /proc/sys/kernel/random/entropy_avail". Values under 300 indicate problems (but are unfortunately common on virtual machines).

      One of the best solutions is to just wait for it to finish (it will take 5-15 minutes).

      Other suggestions I have seen would be to ping the machine from multiple source machines (maybe even "ping -f address" to flood-ping). Or if there is a physical mouse/keyboard attached, the Linux kernel will grab entropy from typing / moving the mouse around.

      Logging into the machine a second or third time and generating network traffic or running things like disk tests or CPU heavy workloads may also help generate more entropy at a faster rate.

      Other options are things like hardware entropy keys or daemons like "haveged".

      Replies
      1. Thanks Thomas for your valuable info. I have updated the article with your input.

    3. It is working, thanks. But if I type the dnsdomainname command I get the reply "(none)".
      My question is, with these settings can I add a client to this server??? If it is more, what are the services I should configure??
      plz help me, I'm a beginner in LINUX

      Replies
      1. I am not sure if I got your question correctly.

        what command are you trying to use exactly?
        By adding a client to your server, if you mean adding various records for multiple clients under the same domain name, then yes, you can use the zone files to add multiple clients, but all those clients should use the same dns address as that of the server, which in my case above is 192.168.1.11

        Once the client has this dns address all the hostnames under your zone files would work as expected.

        Regards
        Deepak
