Wednesday, October 24, 2012

bind / DNS quick start


DNS setup is again something I do once every few years (here I'm testing an Oracle RAC setup...).
So today I am writing down a short memo on a minimal setup to get started:

Example: internal network 192.168.0.*, which I call 'philtortoise.com',
using 'bind9' on Ubuntu 12.04


  • First, forward requests to the ISP (or the corporate top-level server). Here, simply back to my router:
in /etc/bind/named.conf:

    forwarders {
         192.168.0.1;
    };


This forwards queries it can't answer to the name server at this IP. If that yields no answer, it will try the root servers.
(Note: if we don't want to fall back to the root servers, as in a corporate environment, add the line:     forward only;  )

  • Then define the zones and associated resource record files (again in named.conf):

    zone "philtortoise.com" {
        type master;
        file "/etc/bind/db.philtortoise.com";
    };

    zone "0.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192.168.0";
    };


  • Then create the "RR" (Resource Record) files.
    This is running on machine 192.168.0.4, called "opti", and I have a couple of hosts: opti, ngear (my router), rac1, rac2 (the RAC machines), etc.

in /etc/bind/db.philtortoise.com:
;
; resource record for my own local network on 192.168.0.0/24
;
$TTL    604800
@    IN    SOA    opti.philtortoise.com. philtortoise.gmail.com. (
             123362        ; Serial
             604800        ; Refresh
              86400        ; Retry
            2419200        ; Expire
             604800 )      ; Negative Cache TTL
;
@       IN      NS      opti.philtortoise.com.
opti    IN      A       192.168.0.4
ngear   IN      A       192.168.0.1
;
rac1    IN      A       192.168.0.201
rac2    IN      A       192.168.0.202
racvip  IN      A       192.168.0.203
docrac-scan IN  A       192.168.0.213
docrac-scan IN  A       192.168.0.214
docrac-scan IN  A       192.168.0.215
Explanation of some syntax:
$TTL  (T)ime (T)o (L)ive - how long to cache the resource record
@     abbreviation for the domain (replaces "philtortoise.com.")
SOA   (S)tart (O)f (A)uthority
      before: the domain it's authoritative for; after: the primary DNS server and the admin e-mail (with the '@' written as '.')
      the numbers in () instruct the slave(s) how frequently to check for new data
      the serial should be increased whenever there is new data
NS    Name Server: which machine is the NS (in prod, several are listed)
      it needs an (A)ddress record, specified later on.
A     Definition of an address (AAAA for IPv6)
      (We may define multiple addresses, as for the docrac-scan entry;
      the closest network is chosen, or round-robin)

IN    This simply means "Internet"; historically DNS has been used for other protocols.

Others:
CNAME (C)anonical NAME: a pointer from a name to another.
      Typically used to redirect, say www.philtortoise.com to the current server doing the job
PTR   See below, pointer for reverse translation from address to name
MX    Mail exchange: points to mail server(s) for a domain, with priorities:
      hp.com. IN MX 0 mailserver1.it-usa.hp.com.
      hp.com. IN MX 1 postoffice1.it-eur.hp.com.

  • Tips to test:

# service bind9 stop
# /usr/sbin/named -g -d 3 -u bind

As it turns out:
'-g' is necessary to both run in the foreground and see all messages (it forces logging to stderr).
And below debug level 3 (-d 3) I don't see all the DNS requests!

Then I test with the 'host' command, which conveniently lets you choose the DNS server IP on the command line:

# host rac1.philtortoise.com 192.168.0.4
Using domain server:
Name: 192.168.0.4
Address: 192.168.0.4#53
Aliases:

rac1.philtortoise.com has address 192.168.0.201

Other tools:
nslookup rac1.philtortoise.com 192.168.0.4
dig...


Reverse lookup:

If we need to find the name back from the IP (many programs try to do that for logging, for example sshd and apache, depending on their configuration),
we need to provide a file that resolves the other way around:

# cat /etc/bind/db.192.168.0
;
; BIND reverse data file for 192.168.0.*
;
$TTL    604800
@    IN    SOA    philtortoise.com. root.philtortoise.com. (
                  1        ; Serial
             604800        ; Refresh
              86400        ; Retry
            2419200        ; Expire
             604800 )      ; Negative Cache TTL
;
@      IN    NS     localhost.
1      IN    PTR    ngear.philtortoise.com.
4      IN    PTR    opti.philtortoise.com.
;
201    IN    PTR    rac1.philtortoise.com.
202    IN    PTR    rac2.philtortoise.com.
203    IN    PTR    racvip.philtortoise.com.


Test reverse lookup:
# host 192.168.0.202
202.0.168.192.in-addr.arpa domain name pointer rac2.philtortoise.com.
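The forward and reverse files have to agree, or the reverse lookups that sshd and apache perform come back empty for some hosts. As an added example (not code from the original post), this script parses the zone-file syntax explained above and cross-checks the A records against the PTRs; the zone texts are constructed, trimmed copies of the post's two files, and the parser only covers the syntax they use (no $ORIGIN or $INCLUDE).

```python
import re

# Constructed, trimmed copies of the two zone files shown in the post.
FORWARD = """\
$TTL    604800
@    IN    SOA    opti.philtortoise.com. philtortoise.gmail.com. (
             123362        ; Serial
             604800 )      ; Negative Cache TTL
@       IN      NS      opti.philtortoise.com.
opti    IN      A       192.168.0.4
docrac-scan IN  A       192.168.0.213
docrac-scan IN  A       192.168.0.214
"""
REVERSE = """\
@    IN    SOA    philtortoise.com. root.philtortoise.com. ( 1 604800 86400 2419200 604800 )
@      IN    NS     localhost.
4      IN    PTR    opti.philtortoise.com.
"""

def parse_zone(text, origin):
    """Return (owner, type, rdata) per record: strips ';' comments and $-directives,
    expands '@' and relative names, joins ( ) continuations, drops class/TTL fields."""
    origin = origin.rstrip(".") + "."
    body = "\n".join(ln.split(";")[0] for ln in text.splitlines())
    body = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0).split()), body)
    records, owner = [], origin
    for line in body.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        if line[0] not in " \t":                       # explicit owner name
            owner, line = (line.split(None, 1) + [""])[:2]
            owner = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        fields = line.split()
        while fields and (fields[0] in ("IN", "CH", "HS") or fields[0].isdigit()):
            fields.pop(0)                              # optional class / per-record TTL
        if fields:
            records.append((owner, fields[0], " ".join(fields[1:])))
    return records

def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Cross-check A records against PTRs, as an sshd/apache reverse lookup would see them."""
    a_recs = {(o, r) for o, t, r in parse_zone(fwd_text, fwd_origin) if t == "A"}
    ptrs = {(o, r) for o, t, r in parse_zone(rev_text, rev_origin) if t == "PTR"}
    arpa = lambda ip: ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
    ip_of = lambda owner: ".".join(reversed(owner[:-len(".in-addr.arpa.")].split(".")))
    return {"a_without_ptr": sorted(ip for _, ip in a_recs if arpa(ip) not in {o for o, _ in ptrs}),
            "ptr_without_a": sorted(o for o, n in ptrs if (n, ip_of(o)) not in a_recs)}

if __name__ == "__main__":
    print(check_zones(FORWARD, "philtortoise.com", REVERSE, "0.168.192.in-addr.arpa"))
```

Run on the post's data it reports the docrac-scan addresses as A records with no PTR, which is exactly what the reverse file above lacks; a PTR whose name has no matching A record would show up under ptr_without_a.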




References:

As always, details may vary slightly between versions; it's always better to look at the docs included with the package we're using:
/usr/share/doc/bind9 

Also a good read:
O'Reilly "DNS and Bind"

