DNS setup is again something I do once every few years (here I'm testing an Oracle RAC setup...).
So today I am writing down a short memo on a minimal setup to get started:
Example: internal network 192.168.0.*, which I call 'philtortoise.com',
using 'bind9' on Ubuntu 12.04.
- First, forward the requests we cannot answer ourselves to the ISP (or to the corporate top-level server). Here they simply go back to my router. This goes in the options { } block (on Ubuntu, named.conf includes /etc/bind/named.conf.options for this):
forwarders {
192.168.0.1;
};
This forwards the queries the server can't answer itself to the name server at this IP. If the forwarder does not answer, named falls back to the root servers (that is the default, "forward first", behaviour).
( Note: if we never want it to contact the root servers, as in a corporate environment behind a firewall, add the line "forward only;" in the same options block. )
Caveat: with nothing else in the options block, the server answers recursive queries from anybody who can reach port 53. On a LAN-only server, restrict that with "allow-recursion { 192.168.0.0/24; };" (and listen-on the internal address only), so the box cannot be abused as an open resolver from outside the network.
- Then define the zones and their associated resource record files (again in named.conf, or, on Ubuntu, in /etc/bind/named.conf.local, which named.conf includes):
zone "philtortoise.com" {
type master;
file "/etc/bind/db.philtortoise.com";
};
zone "0.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192.168.0";
};
Note the reversed octets in the name of the reverse zone: for 192.168.0.0/24 it is 0.168.192.in-addr.arpa (compare the output of the reverse test at the end), not 168.192.0.in-addr.arpa.
- Then create the "RR" (Resource Record) files.
This is running on the machine 192.168.0.4 called "opti", and I have a couple of hosts: opti, ngear (my router), rac1, rac2 (the RAC machines), docrac-scan (the RAC SCAN name, with three addresses), etc.
in /etc/bind/db.philtortoise.com:
;
; resource records for my own local network on 192.168.0.0/24
;
$TTL 604800
@ IN SOA opti.philtortoise.com. philtortoise.gmail.com. (
123362 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS opti.philtortoise.com.
opti IN A 192.168.0.4
ngear IN A 192.168.0.1
;
rac1 IN A 192.168.0.201
rac2 IN A 192.168.0.202
racvip IN A 192.168.0.203
docrac-scan IN A 192.168.0.213
docrac-scan IN A 192.168.0.214
docrac-scan IN A 192.168.0.215
Explanation of some syntax:
$TTL (T)ime (T)o (L)ive: how long (in seconds; 604800 is one week) other servers and resolvers may cache the resource records.
@ abbreviation for the zone origin, i.e. the domain named in the zone statement of named.conf (here it replaces "philtortoise.com."). A name without a trailing dot is relative to it (opti means opti.philtortoise.com.), a name ending with a dot is absolute; hence the trailing dots on opti.philtortoise.com. and friends, forgetting one is the classic mistake.
SOA (S)tart (O)f (A)uthority
before: the domain it's authoritative for; after: the primary DNS server, and the admin e-mail (with the @ replaced by a dot, so philtortoise.gmail.com. means philtortoise@gmail.com).
The numbers in ( ) instruct the slave(s) how frequently to check for new data (refresh, retry, expire) and how long a "no such name" answer may be cached.
The serial must be increased whenever the data changes, otherwise the slaves keep their old copy (a common convention is YYYYMMDDnn).
NS Name Server: which machine is the name server (in prod, several are listed).
It needs an (A)ddress record specified later on in the file.
A Definition of an address (AAAA for IPv6).
We may define multiple addresses for one name, as for the docrac-scan entry: BIND varies the order in which it returns them (round-robin, see rrset-order in the docs) and the client normally takes the first one, so the load spreads over the three RAC nodes.
IN This simply means "Internet"; it is the record class. Historically DNS was also used for other protocols (CHAOS, Hesiod), which is why the field is still there.
Others:
CNAME (C)anonical NAME: a pointer from one name to another. Typically used to redirect, say, www.philtortoise.com to whichever server is currently doing the job.
PTR See below, pointer for the reverse translation from address to name.
MX Mail exchange: points to the mail server(s) for a domain, with priorities (the lowest number is tried first):
hp.com. IN MX 0 mailserver1.it-usa.hp.com.
hp.com. IN MX 1 postoffice1.it-eur.hp.com.
- Tips to test:
Before restarting, check the syntax with named-checkconf (for named.conf) and named-checkzone (one run per zone file, giving the zone name and the file); both come with the bind9utils package and catch missing dots and bad serials before named refuses the zone.
Then run named in the foreground to see what it does:
# service bind9 stop
# /usr/sbin/named -g -d 3 -u bind
As it turns out:
'-g' is necessary to both stay in the foreground and see all messages (it forces logging to stderr).
And below debug level 3 (-d 3) I don't see all the DNS requests!
(Afterwards "service bind9 start" again; for later edits to a zone file, bump the serial and "rndc reload" is enough.)
Then I test with the 'host' command, which conveniently lets me choose the DNS server's IP on the command line:
# host rac1.philtortoise.com 192.168.0.4
Using domain server:
Name: 192.168.0.4
Address: 192.168.0.4#53
Aliases:
rac1.philtortoise.com has address 192.168.0.201
Other tools:
nslookup rac1.philtortoise.com 192.168.0.4
dig...
Reverse lookup:
If we need to find the name back from the IP (many programs try to do that for logging, for example sshd or apache, depending on their configuration),
we need to provide a file where the translation the other way around is done:
# cat /etc/bind/db.192.168.0
;
; BIND reverse data file for 192.168.0.*
;
$TTL 604800
@ IN SOA opti.philtortoise.com. root.philtortoise.com. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; the NS must be the real server, not the "localhost." of the template file
@ IN NS opti.philtortoise.com.
1 IN PTR ngear.philtortoise.com.
4 IN PTR opti.philtortoise.com.
;
201 IN PTR rac1.philtortoise.com.
202 IN PTR rac2.philtortoise.com.
203 IN PTR racvip.philtortoise.com.
; the SCAN addresses, so that they resolve backwards too
213 IN PTR docrac-scan.philtortoise.com.
214 IN PTR docrac-scan.philtortoise.com.
215 IN PTR docrac-scan.philtortoise.com.
Test the reverse lookup (without a server argument, host uses the resolver from /etc/resolv.conf, which must therefore point at opti):
# host 192.168.0.202
202.0.168.192.in-addr.arpa domain name pointer rac2.philtortoise.com.
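The forward and reverse files must agree with each other, and nothing in BIND checks that for you (named-checkzone validates each file on its own). The script below is an added example written for this memo, not the author's files nor anything shipped with BIND: a small parser for the master-file syntax explained above (comments, the parenthesised SOA, optional TTL and class fields; every record line must carry its owner name, so it is not a full RFC 1035 parser), followed by the cross-check: every A record has a PTR, every PTR points at a name that really has that address, and the NS named at the apex has an A record in the zone (the "NS localhost." leftover would be caught here). The inputs are constructed inline: the forward zone as on this page, and a reverse zone from which the three docrac-scan PTRs are deliberately left out so that the check has something to report.

```python
from collections import defaultdict

# Constructed inputs (not the author's files): the forward zone as on this
# page, and a reverse zone missing the three docrac-scan PTRs on purpose.
FORWARD_ZONE = """\
$TTL 604800
@ IN SOA opti.philtortoise.com. philtortoise.gmail.com. (
        123362  ; Serial
        604800  ; Refresh
        86400   ; Retry
        2419200 ; Expire
        604800 ) ; Negative Cache TTL
@           IN NS opti.philtortoise.com.
opti        IN A  192.168.0.4
ngear       IN A  192.168.0.1
rac1        IN A  192.168.0.201
rac2        IN A  192.168.0.202
racvip      IN A  192.168.0.203
docrac-scan IN A  192.168.0.213
docrac-scan IN A  192.168.0.214
docrac-scan IN A  192.168.0.215
"""
REVERSE_ZONE = """\
$TTL 604800
@ IN SOA opti.philtortoise.com. root.philtortoise.com. ( 1 604800 86400 2419200 604800 )
@   IN NS  opti.philtortoise.com.
1   IN PTR ngear.philtortoise.com.
4   IN PTR opti.philtortoise.com.
201 IN PTR rac1.philtortoise.com.
202 IN PTR rac2.philtortoise.com.
203 IN PTR racvip.philtortoise.com.
"""

def absolute(name, origin):
    """Expand '@' and relative names against the zone origin (lowercased)."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def parse_zone(text, origin):
    """Minimal master-file parser: drops ';' comments, joins '( ... )'
    continuation lines, accepts the optional TTL and class fields, ignores
    $TTL/$ORIGIN. Returns a list of (absolute_owner, TYPE, [rdata tokens])."""
    lines = [l.split(";", 1)[0].rstrip() for l in text.splitlines()]
    joined, buf = [], ""
    for line in (l for l in lines if l.strip()):
        buf = buf + " " + line.strip() if buf else line
        if buf.count("(") > buf.count(")"):
            continue                      # still inside ( ... )
        joined.append(buf)
        buf = ""
    records = []
    for line in joined:
        if line.startswith("$"):
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        owner = tokens.pop(0)             # each record line names its owner
        if tokens and tokens[0].isdigit():
            tokens.pop(0)                 # optional TTL
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)                 # optional class
        records.append((absolute(owner, origin), tokens[0].upper(), tokens[1:]))
    return records

def ptr_owner_to_ip(owner):
    """'202.0.168.192.in-addr.arpa.' -> '192.168.0.202'"""
    labels = owner.rstrip(".").split(".")
    return ".".join(reversed(labels[:-2]))   # drop 'in-addr', 'arpa'

def check_consistency(forward, reverse, fwd_origin, rev_origin):
    """Return human-readable problems (an empty list means the zones agree)."""
    fwd, rev = parse_zone(forward, fwd_origin), parse_zone(reverse, rev_origin)
    a_by_ip = defaultdict(set)
    for owner, rtype, rdata in fwd:
        if rtype == "A":
            a_by_ip[rdata[0]].add(owner)
    ptr_by_ip = {ptr_owner_to_ip(o): r[0].lower() for o, t, r in rev if t == "PTR"}
    problems = []
    for ip in sorted(a_by_ip, key=lambda s: tuple(int(x) for x in s.split("."))):
        names = ", ".join(sorted(a_by_ip[ip]))
        if ip not in ptr_by_ip:
            problems.append("no PTR for %s (%s)" % (ip, names))
        elif ptr_by_ip[ip] not in a_by_ip[ip]:
            problems.append("PTR for %s says %s but A records say %s"
                            % (ip, ptr_by_ip[ip], names))
    for ip, name in ptr_by_ip.items():
        if ip not in a_by_ip:
            problems.append("PTR %s -> %s has no matching A record" % (ip, name))
    a_names = {o for o, t, _ in fwd if t == "A"}   # glue check for the apex NS
    for o, t, r in fwd:
        if t == "NS" and o == fwd_origin and r[0].lower() not in a_names:
            problems.append("NS %s has no A record in the zone" % r[0])
    return problems

if __name__ == "__main__":
    for p in check_consistency(FORWARD_ZONE, REVERSE_ZONE,
                               "philtortoise.com.", "0.168.192.in-addr.arpa."):
        print(p)
```

Run as a script it lists the three missing PTRs for 192.168.0.213-215. To use it on the real files, read /etc/bind/db.philtortoise.com and /etc/bind/db.192.168.0 into the two strings after each edit, before named-checkzone and the reload; a PTR that points at a name whose A record moved elsewhere is the kind of stale entry that otherwise only shows up in somebody's logs months later.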
References:
As always, some versions may vary slightly. It's always better to look at the doc included with the package we're using!
/usr/share/doc/bind9
Also a good read:
O'Reilly "DNS and Bind"