Monday, September 28, 2009

Install DNS server on Red Hat Enterprise Linux (RHEL) AS 4 Update 8

Normally, a DBA is far removed from DNS server configuration. However, Oracle Database 11g Release 2 introduced an exciting new RAC feature, SCAN (Single Client Access Name), which needs to work with DNS. That is the motivation for a DBA to study DNS configuration.

Here, I am going to build a DNS server as the name resolution solution for my lab network. The server configuration is as follows:

  OS:  Red Hat Enterprise Linux AS 4 update 8
  Host Name: ns01.lab.dbaplus.ca
  NIC 1: 10.10.25.254
  NIC 2: 192.168.25.254
  Domain Name: lab.dbaplus.ca

1. Install DNS packages BIND and BIND-CHROOT
[root@ns01]# rpm -iv bind-9.2.4-30.el4_7.2.x86_64.rpm
warning: bind-9.2.4-30.el4_7.2.x86_64.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing packages for installation...
bind-9.2.4-30.el4_7.2

[root@ns01]# rpm -iv bind-chroot-9.2.4-30.el4_7.2.x86_64.rpm
warning: bind-chroot-9.2.4-30.el4_7.2.x86_64.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing packages for installation...
bind-chroot-9.2.4-30.el4_7.2

The package files bind-9.2.4-30.el4_7.2.x86_64.rpm and bind-chroot-9.2.4-30.el4_7.2.x86_64.rpm can be found on the OS installation CD/DVD.

File bind-9.2.4-30.el4_7.2.x86_64.rpm is for package BIND. Package BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.

File bind-chroot-9.2.4-30.el4_7.2.x86_64.rpm is for package BIND-CHROOT. Package BIND-CHROOT contains a tree of files which can be used as a chroot jail for the named program from the BIND package. It ensures that the named service runs chrooted.

2. Start named service
[root@ns01]# service named start
Starting named:                                            [  OK  ]

3. Confirm named is running
[root@ns01]# service named status
number of zones: 2
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is up and running
named (pid 3586) is running...

The named service is running and its pid is 3586. If the service is not running, the output looks as follows:
[root@ns01]# service named status
rndc: connect failed: connection refused
named is stopped

4. Check if named service is running in chrooted jail
[root@ns01]# pidof named
3586
[root@ns01]# ls -l /proc/3586/root
lrwxrwxrwx  1 named named 0 Aug 13 19:59 /proc/3586/root -> /var/named/chroot
[root@ns01]#

We can see that the named service is using directory '/var/named/chroot' as its root directory, so it is running in a chroot jail. If it is not chrooted, the output looks as follows:
[root@ns01]# ls -l /proc/3586/root
lrwxrwxrwx  1 named named 0 Aug 13 19:59 /proc/3586/root -> /


5. Configure named service to be started automatically after system is started
[root@ns01]# chkconfig --list named
named           0:off   1:off   2:off   3:off   4:off   5:off   6:off

[root@ns01]# chkconfig --level 345 named on

[root@ns01]# chkconfig --list named
named           0:off   1:off   2:off   3:on    4:on    5:on    6:off

The named service will be automatically started when OS starts at level 3, 4 or 5.

6. Configure file "/var/named/chroot/etc/named.conf"

File "named.conf" is located in directory "/var/named/chroot/etc" because package BIND-CHROOT is installed and named is chrooted. Otherwise, it would be located in '/etc'. It is the master configuration file for named and consists of statements and comments.

Comments can be written in the following styles:

   C style: /* */

   C++ style: // to end of line

   Unix style: # to end of line

Statements are enclosed in braces and terminated with a semicolon. Clauses within a statement are also semicolon terminated. The current version of named supports ten different statements. Here, I only focus on the following two:

  options - controls global server configuration options and sets defaults for other statements.
  
  zone    - defines a zone.

6.1 Add following sub-statements to options statement  
  
Define the IP addresses the DNS server (named) listens on:
listen-on port 53 { any; };

This makes it listen on all IP addresses configured on this server; it is the default configuration. The following configuration limits the server to answering DNS queries only on the loopback interface (127.0.0.1) and on IP 10.10.25.254:
listen-on port 53 { 127.0.0.1; 10.10.25.254; };

Allow any client to send queries:
allow-query     { any; };

Or only allow clients in the listed subnets to query (an address match list entry without a prefix length matches a single address, so the subnets need their /8 and /24 masks):
allow-query     { 127.0.0.0/8; 10.10.25.0/24; };

By default, the DNS server drops a query that it cannot resolve itself. If you want unresolved queries forwarded to outside DNS servers (usually the DNS servers provided by your Internet Service Provider), the following sub-statement is needed:
forwarders { 8.8.8.8; };

Here, 8.8.8.8 has to be replaced with your ISP's DNS servers. Note that once forwarders are enabled, the server performs recursive lookups on behalf of every client that allow-query admits; if allow-query is { any; } and the server is reachable from outside the lab, restrict recursion to the lab subnets with an allow-recursion sub-statement so it does not become an open resolver.

6.2 Add zone statements

A zone statement takes the following form:
zone <zone-name> <zone-class> {
<zone-options>;
[<zone-options>; ...]
};

Define the zone statement for my domain lab.dbaplus.ca:
zone "lab.dbaplus.ca." IN {
        type master;
        file "lab.dbaplus.ca.zone";
        allow-update { none; };
};

The file "lab.dbaplus.ca.zone" is created in step 7 below.

Define the zone statement for reverse lookup of my public network (10.10.25.0/24):
zone "25.10.10.in-addr.arpa." IN {
        type master;
        file "25.10.10.in-addr.arpa";
        allow-update { none; };
};

The file "25.10.10.in-addr.arpa" is created in step 7 below.

The final contents of named.conf on my system look as follows:
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        //Listen on all NICs
        listen-on port 53 { any; };
        //Allow all clients' queries
        allow-query     { any; };
        //Forward queries which cannot be resolved locally to these DNS servers
        //forwarders { 8.8.8.8; };
};

zone "lab.dbaplus.ca." IN {
        type master;
        file "lab.dbaplus.ca.zone";
        allow-update { none; };
};

zone "25.10.10.in-addr.arpa." IN {
        type master;
        file "25.10.10.in-addr.arpa";
        allow-update { none; };
};

include "/etc/rndc.key";

Check the configuration file for syntax errors:
[root@ns01 ~]# named-checkconf

If the command "named-checkconf" prints nothing, the configuration has no syntax errors.

7. Create zone files which are referenced in configuration file "named.conf"

Create file "lab.dbaplus.ca.zone" under directory "/var/named/chroot/var/named" with the following lines:
$ORIGIN lab.dbaplus.ca.
$TTL    86400
@          IN SOA  ns01.lab.dbaplus.ca. admin.lab.dbaplus.ca. (
                                 2009092701 ; Serial
                                 28800      ; Refresh
                                 14400      ; Retry
                                 3600000    ; Expire
                                 86400 )    ; Minimum
           IN NS   ns01.lab.dbaplus.ca.
ns01       IN A    10.10.25.254
host01     IN A    10.10.25.100
rac01      IN A    10.10.25.101
rac02      IN A    10.10.25.102

Create file "25.10.10.in-addr.arpa" under directory "/var/named/chroot/var/named" with the following lines:
$ORIGIN 25.10.10.in-addr.arpa.
$TTL    86400
@          IN SOA  ns01.lab.dbaplus.ca. admin.lab.dbaplus.ca. (
                                 2009092707 ; Serial
                                 28800      ; Refresh
                                 14400      ; Retry
                                 3600000    ; Expire
                                 86400 )    ; Minimum
25.10.10.in-addr.arpa.   IN NS  ns01.lab.dbaplus.ca.

254     IN PTR  ns01.lab.dbaplus.ca.
100     IN PTR  host01.lab.dbaplus.ca.
101     IN PTR  rac01.lab.dbaplus.ca.
102     IN PTR  rac02.lab.dbaplus.ca.

Validate the zone files using the command "named-checkzone":
[root@ns01]# named-checkzone lab.dbaplus.ca /var/named/chroot/var/named/lab.dbaplus.ca.zone
zone lab.dbaplus.ca/IN: loaded serial 2009092701
OK
[root@ns01]# named-checkzone 25.10.10.in-addr.arpa /var/named/chroot/var/named/25.10.10.in-addr.arpa
zone 25.10.10.in-addr.arpa/IN: loaded serial 2009092707
OK
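named-checkzone validates each file's syntax on its own, but it does not check that the forward and reverse zones agree with each other, which is what every reverse-lookup check relies on. The script below is an added example, not part of the original post or of BIND: it embeds constructed copies of the two zone files above, parses them with a small zone-file reader (handling $ORIGIN, relative and omitted owner names, and the parenthesised SOA), and lists every A record with no matching PTR and every PTR with no matching A. The host02 entry used in the second run is a constructed mismatch added to show what a failure looks like.

```python
# Added example (not from the post or from BIND): check that the forward and
# reverse lab zones from step 7 agree. Zone texts are constructed copies.
import ipaddress
from collections import namedtuple

FORWARD_ZONE = """\
$ORIGIN lab.dbaplus.ca.
$TTL    86400
@          IN SOA  ns01.lab.dbaplus.ca. admin.lab.dbaplus.ca. (
                      2009092701 ; Serial
                      28800      ; Refresh
                      14400      ; Retry
                      3600000    ; Expire
                      86400 )    ; Minimum
           IN NS   ns01.lab.dbaplus.ca.
ns01       IN A    10.10.25.254
host01     IN A    10.10.25.100
rac01      IN A    10.10.25.101
rac02      IN A    10.10.25.102
"""
REVERSE_ZONE = """\
$ORIGIN 25.10.10.in-addr.arpa.
$TTL    86400
@          IN SOA  ns01.lab.dbaplus.ca. admin.lab.dbaplus.ca. (
                      2009092707 ; Serial
                      28800      ; Refresh
                      14400      ; Retry
                      3600000    ; Expire
                      86400 )    ; Minimum
25.10.10.in-addr.arpa.   IN NS  ns01.lab.dbaplus.ca.
254     IN PTR  ns01.lab.dbaplus.ca.
100     IN PTR  host01.lab.dbaplus.ca.
101     IN PTR  rac01.lab.dbaplus.ca.
102     IN PTR  rac02.lab.dbaplus.ca.
"""
Zone = namedtuple("Zone", "origin serial records")  # records: (owner, type, rdata)

def _logical_lines(text):
    """Yield (owner_omitted, line); strips ';' comments and joins a parenthesised record."""
    buf, depth, omitted = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not buf:
            if not line.strip():
                continue
            omitted = raw[:1].isspace()  # leading blank: reuse the previous owner
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield omitted, " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0

def _absolute(name, origin):
    """Expand '@' and relative names against the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else (f"{name}.{origin}" if origin != "." else f"{name}.")

def parse_zone(text):
    origin, serial, records, owner = ".", None, [], None
    for omitted, line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):  # $TTL and other directives are not needed here
            continue
        if not omitted:
            owner, tokens = _absolute(tokens[0], origin), tokens[1:]
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)  # optional TTL and class before the record type
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype == "SOA":
            serial = int(rdata[2])  # mname rname SERIAL refresh retry expire minimum
        elif rtype in ("NS", "PTR", "CNAME"):
            rdata = [_absolute(rdata[0], origin)]
        records.append((owner, rtype, rdata))
    return Zone(origin, serial, records)

def reverse_name(ip):
    """10.10.25.101 -> 101.25.10.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def ptr_to_ip(rname):
    """101.25.10.10.in-addr.arpa. -> 10.10.25.101"""
    labels = rname.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 reverse name: {rname}")
    return ".".join(reversed(labels[:-2]))

def check_consistency(forward_text, reverse_text):
    """A records lacking a matching PTR, and PTR records lacking a matching A."""
    fwd, rev = parse_zone(forward_text), parse_zone(reverse_text)
    a_recs = {(o, r[0]) for o, t, r in fwd.records if t == "A"}
    ptr_recs = {(o, r[0]) for o, t, r in rev.records if t == "PTR"}
    expected_ptr = {(reverse_name(ip), host) for host, ip in a_recs}
    expected_a = {(target, ptr_to_ip(rname)) for rname, target in ptr_recs}
    return {"missing_ptr": sorted(expected_ptr - ptr_recs), "missing_a": sorted(expected_a - a_recs)}

if __name__ == "__main__":
    print("as posted:", check_consistency(FORWARD_ZONE, REVERSE_ZONE))
    # Constructed mismatch: host02 exists only in the forward zone.
    print("with host02:", check_consistency(FORWARD_ZONE + "host02 IN A 10.10.25.103\n", REVERSE_ZONE))
```

Run it against the real files with the two texts read from /var/named/chroot/var/named instead of the embedded copies; an empty "missing_ptr" and "missing_a" means the pair is consistent, and the host02 run shows the reverse-zone entry that would have to be added.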

8. Reload and test new configuration

Reload the new configuration using the command "service named reload":
[root@ns01]# service named reload
Reloading named:                                           [  OK  ]
[root@ns01]#

Test the new configuration using the command "nslookup":
[root@ns01]# nslookup host01.lab.dbaplus.ca
Server:         10.10.25.254
Address:        10.10.25.254#53

Name:   host01.lab.dbaplus.ca
Address: 10.10.25.100

[root@ns01]#
[root@ns01]# nslookup 10.10.25.101
Server:         10.10.25.254
Address:        10.10.25.254#53

101.25.10.10.in-addr.arpa       name = rac01.lab.dbaplus.ca.
