Monday, 10 February 2014

DNS ON CENTOS 6

How to install and configure DNS on Centos?

How to install and configure Bind on Centos?

How to install and configure Caching only DNS Server?

## Install bind on centos using 'yum'
yum install bind*

## edit configuration file
vi /etc/named.conf

##Caching Only DNS Server
/etc/named.conf
// CACHING NAME SERVER for EXAMPLE.
//
//
options {
 directory "/var/named";
 // version statement - inhibited for security
 // (avoids hacking any known weaknesses)
 version "BIND 9";
 // disables all zone transfer requests
 allow-transfer{"none";};
 // Closed DNS - permits only local IPs to issue queries
 // remove if an Open DNS required to support all users
 // or add additional IP ranges
 // in this case either allow-query or allow-recursion can be used
 allow-query {192.168.3.0/24;};
};
//
// log to /var/log/example.log all events
// from info UP in severity (no debug)
// defaults to use 3 files in rotation
// BIND 8.x logging MUST COME FIRST in this file
// BIND 9.x parses the whole file before using the log
// failure messages up to this point are in (syslog)
// typically /var/log/messages
//
 logging{
 channel example_log{
  file "/var/log/named/example.log" versions 3 size 2m;
  severity info;
  print-severity yes;
  print-time yes;
  print-category yes;
};
category default{
 example_log;
};
};
// required zone for recursive queries
zone "." {
 type hint;
 file "
root.servers";
};
// required local host domain
zone "localhost" in{
 type master;
 file "
master.localhost";
 allow-update{none;};
};
// localhost reverse map
zone "0.0.127.in-addr.arpa" in{
 type master;
 file "
localhost.rev";
 allow-update{none;};
};

root.servers in /var/named/
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  "
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/named.root
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:    Jan 29, 2004
;       related version of root zone:   2004012900
;
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;
; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
; formerly C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; formerly TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; formerly NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; formerly NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
;
; formerly NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; operated by VeriSign, Inc.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
;
; operated by RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
;
; operated by ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
;
; operated by WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
; End of File

master.localhost in /var/named
$TTL 86400 ; 24 hours could have been written as 24h
$ORIGIN localhost.
; line below = localhost 1D IN SOA localhost root.localhost
@  1D  IN SOA @ root (
     2002022401 ; serial
     3H ; refresh
     15 ; retry
     1w ; expire
     3h ; minimum
    )
@  1D  IN  NS @
  1D  IN  A  127.0.0.1  

localhost.rev in /var/named/
$TTL 86400 ;
; could use $ORIGIN 0.0.127.IN-ADDR.ARPA.
@       IN      SOA     localhost. root.localhost.  (
                       1997022700 ; Serial
                       3h      ; Refresh
                       15      ; Retry
                       1w      ; Expire
                       3h )    ; Minimum
       IN      NS      localhost.
1       IN      PTR     localhost.

## Check the Service Status
service named status
rndc: neither /etc/rndc.conf nor /etc/rndc.key was found
named-sdb (pid  17961) is running...

TROUBLESHOOTING BIND ISSUES
##Resolve rndc issue
rndc-confgen -a -c /etc/rndc.key 

 or

rndc-confgen >> /etc/rndc.conf

cat /etc/rndc.conf

# Start of rndc.conf
key "rndc-key" {
     algorithm hmac-md5;
     secret "J8Y41D8CHJlEvmQwRSU1Dg==";
};

options {
     default-key "rndc-key";
     default-server 127.0.0.1;
     default-port 953;
};

# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#    algorithm hmac-md5;
#    secret "J8Y41D8CHJlEvmQwRSU1Dg==";
# };
#
# controls {
#    inet 127.0.0.1 port 953
#            allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

put above key section in named.conf file at the end and restart it will resolve the rndc.conf and rndc.key issue.
service named restart
service named status
version: 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 (not currently available)
CPUs found: 2
worker threads: 2
number of zones: 18
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
named-sdb (pid  18103) is running...

To enable and disable query logging run below command
rndc querylog

DNS log issue
Jun 30 11:54:25 localhost named-sdb[1689]: logging channel 'named_log' file '/var/named/chroot/var/log/named.log': permission denied
Jun 30 11:54:25 localhost named-sdb[1689]: isc_log_open '/var/named/chroot/var/log/named.log' failed: permission denied

touch /var/named/chroot/var/log/named.log

chown named:named /var/named/chroot/var/log/named.log

Managed Keys Issue
30-Jun-2012 16:08:28.773 general: error: managed-keys-zone ./IN: loading from master file dynamic/managed-keys.bind failed: file not found

touch /var/named/dynamic/managed-keys.bind

chown named:named managed-keys.bind

Forward or Reverse Map Issue:
Jul  2 11:21:29 localhost dhcpd: Unable to add forward map from my-pc.warproxy.com. to 192.168.5.22: timed out

// required local host domain

zone "warproxy.com" in{
  type master;
  file "master.localhost";
  notify yes;
  allow-update { key rndc-key; };
};

// localhost reverse map
zone "5.168.192.in-addr.arpa" in{
  type master;
  file "localhost.rev";
  notify yes;
  allow-update { key rndc-key; };
};

add two bold lines in named.conf 
add below in dhcpd.conf at top
ddns-updates on;
ddns-domainname "warproxy.com.";
ddns-rev-domainname "in-addr.arpa.";
ddns-update-style interim;
allow client-updates;

key "rndc-key" {
    algorithm hmac-md5;
    secret "J8Y41D8CHJlEvmQwRSU1Dg==";
}

add below two in subnet { } in dhcpd.conf file
zone warproxy.com. {
             primary 192.168.5.5;
             key "rndc-key";
     }

     zone 5.168.192.in-addr.arpa. {
             primary 192.168.5.5;
             key "rndc-key";
     }

restart dhcpd and named and check logs

forward and reverse file .jnl files created and maps adding in those files

My DNS configuration fully working.
++++++++++++++++++++++++++++++++++++++++++++++++
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
include "/etc/named.rfc1912.zones";

################################################
// CACHING NAME SERVER for EXAMPLE.
// 
//
options {
  directory "/var/named";
  // version statement - inhibited for security
  // (avoids hacking any known weaknesses)
  version "not currently available";
  // disables all zone transfer requests
  allow-transfer{"none";};
  // Closed DNS - permits only local IPs to issue queries
  // remove if an Open DNS required to support all users
  // or add additional IP ranges
  // in this case either allow-query or allow-recursion can be used
  allow-query {192.168.5.0/24;};
  allow-recursion {192.168.5.0/24;};
  dump-file    "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  bindkeys-file "/etc/named.iscdlv.key";
};

//
// log to /var/log/example.log all events
// from info UP in severity (no debug)
// defaults to use 3 files in rotation
// BIND 8.x logging MUST COME FIRST in this file
// BIND 9.x parses the whole file before using the log
// failure messages up to this point are in (syslog)
// typically /var/log/messages
//

  logging{
   channel named_log{
 file "/var/named/chroot/var/log/named.log" versions 3 size 2m;
 severity info;
 print-severity yes;
 print-time yes;
 print-category yes;
   };

#   logging {
# channel null { null; };
# category lame-servers { null; };
#   };

 category default{
 named_log;
   };

  };

// required zone for recursive queries
zone "." {
  type hint;
  file "root.servers";
};

// required local host domain
zone "warproxy.com" in{
  type master;
  file "master.localhost";
  notify yes;
  allow-update { key rndc-key; };
};

// localhost reverse map
zone "5.168.192.in-addr.arpa" in{
  type master;
  file "localhost.rev";
  notify yes;
  allow-update { key rndc-key; };
};

# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
    algorithm hmac-md5;
    secret "J8Y41D8CHJlEvmQwRSU1Dg==";
};

controls {
    inet 192.168.5.5 port 953
    allow { 192.168.5.5; } keys { "rndc-key"; };
};

# End of named.conf
++++++++++++++++++++++++++++++++++++++++++++++++

No comments:

Post a Comment