Normally, a DBA stays far away from DNS server configuration. However, Oracle Database 11g Release 2 introduced an exciting new RAC feature, SCAN (Single Client Access Name), which needs to work with DNS. That became the motivation for this DBA to study DNS configuration.
Here, I am going to build a DNS server as the name resolution solution for my lab network. The server configuration is as follows:
OS: Red Hat Enterprise Linux AS 4 update 8
Host Name: ns01.lab.dbaplus.ca
NIC 1: 10.10.25.254
NIC 2: 192.168.25.254
Domain Name: lab.dbaplus.ca
1. Install the DNS packages BIND and BIND-CHROOT
[root@ns01]# rpm -iv bind-9.2.4-30.el4_7.2.x86_64.rpm
warning: bind-9.2.4-30.el4_7.2.x86_64.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing packages for installation...
bind-9.2.4-30.el4_7.2
[root@ns01]# rpm -iv bind-chroot-9.2.4-30.el4_7.2.x86_64.rpm
warning: bind-chroot-9.2.4-30.el4_7.2.x86_64.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing packages for installation...
bind-chroot-9.2.4-30.el4_7.2
The package files bind-9.2.4-30.el4_7.2.x86_64.rpm and bind-chroot-9.2.4-30.el4_7.2.x86_64.rpm can be found on the OS installation CD/DVD. The "V3 DSA signature: NOKEY" warning above means rpm could not verify the packages' signatures because the Red Hat signing key has not been imported. Before installing, import the key with "rpm --import" (the RPM-GPG-KEY file shipped on the installation media) and check the package files with "rpm -K", so that a tampered package is rejected instead of being installed with a warning.
File bind-9.2.4-30.el4_7.2.x86_64.rpm is the package BIND. BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. It includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.
File bind-chroot-9.2.4-30.el4_7.2.x86_64.rpm is the package BIND-CHROOT. It contains a tree of files which can be used as a chroot jail for the named program from the BIND package, so that named runs with /var/named/chroot as its root directory and a compromised named can only see the files inside the jail.
2. Start named service
[root@ns01]# service named start
Starting named: [ OK ]
3. Confirm named is running
[root@ns01]# service named status
number of zones: 2
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is up and running
named (pid 3586) is running...
The named service is running and its pid is 3586. If the service is not started, the output looks as follows:
[root@ns01]# service named status
rndc: connect failed: connection refused
named is stopped
4. Check whether named is running inside the chroot jail
[root@ns01]# pidof named
3586
[root@ns01]# ls -l /proc/3586/root
lrwxrwxrwx 1 named named 0 Aug 13 19:59 /proc/3586/root -> /var/named/chroot
[root@ns01]#
We can see that named uses the directory '/var/named/chroot' as its root directory, so it is running inside the chroot jail. If it were not chrooted, the output would look like this:
[root@ns01]# ls -l /proc/3586/root
lrwxrwxrwx 1 named named 0 Aug 13 19:59 /proc/3586/root -> /
5. Configure the named service to start automatically at boot
[root@ns01]# chkconfig --list named
named 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@ns01]# chkconfig --level 345 named on
[root@ns01]# chkconfig --list named
named 0:off 1:off 2:off 3:on 4:on 5:on 6:off
The named service will now start automatically when the OS boots into runlevel 3, 4 or 5.
6. Configure file "/var/named/chroot/etc/named.conf"
The file "named.conf" is located in directory "/var/named/chroot/etc" because package BIND-CHROOT is installed and named is chrooted; otherwise it lives in "/etc". It is the master configuration file for named and consists of statements and comments.
Comments may use any of the following styles:
C style: /* */
C++ style: // to end of line
Unix style: # to end of line
Statements are enclosed in braces and terminated with a semicolon; the clauses inside a statement are also semicolon terminated. named.conf supports a number of top-level statements. Here, I only focus on the following two:
options - controls global server configuration options and sets defaults for other statements.
zone - defines a zone.
6.1 Add the following sub-statements to the options statement
Define the IP addresses on which the DNS server (named) listens:
listen-on port 53 { any; };
This makes named listen on every IP address configured on the server, which is also the default. The following limits named to the loopback address and 10.10.25.254, so the second NIC (192.168.25.254) never serves DNS:
listen-on port 53 { 127.0.0.1; 10.10.25.254; };
Allow any client to send queries:
allow-query { any; };
Or only allow clients in the listed networks to query. Note that an address in a BIND address match list without a prefix length matches that single address only, so the networks must be written in CIDR notation:
allow-query { 127.0.0.0/8; 10.10.25.0/24; };
Keep in mind that named performs recursion by default, so a server with allow-query { any; } that is reachable from outside the lab is an open resolver that anyone can use (and abuse for amplification). Restrict allow-query, or at least allow-recursion, to the lab network unless the server really must answer the whole world.
Without forwarders, named resolves names outside its own zones by itself, iterating from the root servers (taken from a hints zone if one is configured, otherwise from BIND's built-in root hints), which only works if the server has Internet access. To have such queries sent to outside DNS servers instead (usually the DNS servers provided by your Internet Service Provider), add the following sub-statement:
forwarders { 8.8.8.8; };
Here, 8.8.8.8 has to be replaced with your ISP's DNS servers. Add "forward only;" as well if named should never fall back to iterating on its own when the forwarders do not answer.
6.2 Add zone statements
A zone statement takes the following form:
zone <zone-name> <zone-class> {
<zone-options>;
[<zone-options>; ...]
};
Define the zone statement for my domain lab.dbaplus.ca:
zone "lab.dbaplus.ca." IN {
type master;
file "lab.dbaplus.ca.zone";
allow-update { none; };
};
The file "lab.dbaplus.ca.zone" is created in step 7.
Define the zone statement for reverse lookups on my public network (10.10.25.0/24):
zone "25.10.10.in-addr.arpa." IN {
type master;
file "25.10.10.in-addr.arpa";
allow-update { none; };
};
The file "25.10.10.in-addr.arpa" is also created in step 7.
The final contents of named.conf on my system look as follows:
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    // Listen on all NICs
    listen-on port 53 { any; };
    // Allow all clients to query
    allow-query { any; };
    // Forward the queries which cannot be resolved here to these DNS servers
    //forwarders { 8.8.8.8; };
};
zone "lab.dbaplus.ca." IN {
    type master;
    file "lab.dbaplus.ca.zone";
    allow-update { none; };
};
zone "25.10.10.in-addr.arpa." IN {
    type master;
    file "25.10.10.in-addr.arpa";
    allow-update { none; };
};
include "/etc/rndc.key";
Check the configuration file for syntax errors. All paths in this file, including the rndc.key include, are interpreted inside the chroot, so tell named-checkconf about the jail with -t and it will resolve them exactly as named does:
[root@ns01 ~]# named-checkconf -t /var/named/chroot /etc/named.conf
If "named-checkconf" returns no message (and exit status 0), the file is syntactically valid. It only parses named.conf; the zone files it references are checked separately with named-checkzone in step 7.
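The allow-query, listen-on and zone settings discussed in 6.1 and shown in the final named.conf are exactly where a lab server quietly becomes an open resolver or a free source of zone data (BIND's default allow-transfer is any host). As an added example, not part of the original post, the following shell audit reads a named.conf, flags those settings, and runs against a trimmed, constructed copy of the post's configuration and against a hardened variant written for this example. It assumes the one-sub-statement-per-line layout used above and BIND 9 defaults (recursion on, zone transfers open); the hardened option values are this example's suggestion, not settings from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a named.conf for the
# settings that turn a lab DNS server into an open resolver or a free source
# of zone data. Assumes one sub-statement per line; /* */ comments are not handled.

# Drop // and # comments so a commented-out line (like the forwarders line
# in the post) is not mistaken for live configuration.
strip_comments() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1"
}

# Print the value list of a brace-style sub-statement, comma separated:
# "any" for "allow-query { any; };", "127.0.0.1,10.10.25.254" for a
# restricted listen-on. Prints nothing if the sub-statement is absent.
opt_value() {   # $1 = named.conf, $2 = sub-statement name
    strip_comments "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]][^{]*{\([^}]*\)}.*/\1/p" \
      | head -n 1 | tr -d '[:space:]' | sed 's/;$//; s/;/,/g'
}

# Print the names of zones that inherit BIND's default allow-transfer (any
# host) because neither the zone nor the options block sets one.
zones_without_transfer_acl() {   # $1 = named.conf
    strip_comments "$1" | awk '
        /^[ \t]*options[ \t]*{/   { inopt = 1 }
        inopt && /allow-transfer/ { global = 1 }
        /^[ \t]*zone[ \t]+"/      { inzone = 1; name = $2; gsub(/"/, "", name); has = 0 }
        inzone && /allow-transfer/ { has = 1 }
        /^[ \t]*};/               { if (inzone && !has) missing[n++] = name; inopt = 0; inzone = 0 }
        END { if (!global) for (i = 0; i < n; i++) print missing[i] }'
}

# Emit one finding per line; no output means nothing to fix.
audit_named_conf() {   # $1 = named.conf
    conf="$1"
    aq=$(opt_value "$conf" allow-query)
    case "$aq" in
        ""|any) echo "allow-query is '${aq:-unset, default any}': restrict it to 127.0.0.0/8 and the lab subnet" ;;
    esac
    rec=$(strip_comments "$conf" | sed -n 's/^[[:space:]]*recursion[[:space:]]*\([a-z]*\);.*/\1/p')
    ar=$(opt_value "$conf" allow-recursion)
    if [ "$rec" != "no" ] && [ -z "$ar" ]; then
        echo "recursion is on and allow-recursion is unset: every host allowed to query can use this server as a recursive resolver (open resolver if port 53 is reachable from untrusted networks)"
    fi
    lo=$(opt_value "$conf" listen-on)
    case "$lo" in
        ""|any) echo "listen-on is '${lo:-unset, default any}': named binds every interface; list only the addresses that should serve DNS" ;;
    esac
    zones_without_transfer_acl "$conf" | while read -r z; do
        echo "zone $z has no allow-transfer: BIND's default allows AXFR from any host; add allow-transfer { none; }; or list the secondaries"
    done
}
audit_count() { audit_named_conf "$1" | wc -l | tr -d ' '; }

# The post's two zone statements, shared by both sample configurations.
zone_statements() {
    cat <<'EOF'
zone "lab.dbaplus.ca." IN {
    type master;
    file "lab.dbaplus.ca.zone";
    allow-update { none; };
};
zone "25.10.10.in-addr.arpa." IN {
    type master;
    file "25.10.10.in-addr.arpa";
    allow-update { none; };
};
EOF
}
# Constructed, trimmed copy of the post's options statement.
write_lab_conf() {   # $1 = output path
    { cat <<'EOF'
options {
    directory "/var/named";
    listen-on port 53 { any; };
    allow-query { any; };
    //forwarders { 8.8.8.8; };
};
EOF
      zone_statements; } > "$1"
}
# Hardened variant (this example's suggestion): serve only the lab interface,
# answer and recurse only for the lab network, never hand out the zones.
write_hardened_conf() {   # $1 = output path
    { cat <<'EOF'
options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 10.10.25.254; };
    allow-query { 127.0.0.0/8; 10.10.25.0/24; };
    allow-recursion { 127.0.0.0/8; 10.10.25.0/24; };
    allow-transfer { none; };
    version "not disclosed";   // hides the BIND version from CHAOS queries
};
EOF
      zone_statements; } > "$1"
}

# Demonstration: audit the post's configuration, then the hardened one.
lab=$(mktemp); hard=$(mktemp)
write_lab_conf "$lab"; write_hardened_conf "$hard"
echo "findings for the post's named.conf: $(audit_count "$lab")"
audit_named_conf "$lab"
echo "findings for the hardened named.conf: $(audit_count "$hard")"
rm -f "$lab" "$hard"
```

Against the post's configuration the audit reports five findings (open allow-query, recursion open to every client, listen-on any, and both zones transferable); against the hardened options it reports none. For a real server, keep named-checkconf as the syntax check and use something like this as the policy check, since a configuration can be perfectly valid and still be an open resolver.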
7. Create the zone files referenced in named.conf
Create the file "lab.dbaplus.ca.zone" under directory "/var/named/chroot/var/named" with the following lines. In a zone file "@" stands for the zone origin, here lab.dbaplus.ca., and owner names without a trailing dot are relative to it:
$ORIGIN lab.dbaplus.ca.
$TTL 86400
@       IN SOA ns01.lab.dbaplus.ca. admin.lab.dbaplus.ca. (
        2009092701 ; Serial
        28800      ; Refresh
        14400      ; Retry
        3600000    ; Expire
        86400 )    ; Minimum
@       IN NS  ns01.lab.dbaplus.ca.
ns01    IN A   10.10.25.254
host01  IN A   10.10.25.100
rac01   IN A   10.10.25.101
rac02   IN A   10.10.25.102
Create the file "25.10.10.in-addr.arpa" under directory "/var/named/chroot/var/named" with the following lines:
$ORIGIN 25.10.10.in-addr.arpa.
$TTL 86400
@       IN SOA ns01.lab.dbaplus.ca. admin.lab.dbaplus.ca. (
        2009092707 ; Serial
        28800      ; Refresh
        14400      ; Retry
        3600000    ; Expire
        86400 )    ; Minimum
25.10.10.in-addr.arpa. IN NS ns01.lab.dbaplus.ca.
254     IN PTR ns01.lab.dbaplus.ca.
100     IN PTR host01.lab.dbaplus.ca.
101     IN PTR rac01.lab.dbaplus.ca.
102     IN PTR rac02.lab.dbaplus.ca.
Validate the zone files with "named-checkzone" (it loads each file the way named would and exits non-zero on any error):
[root@ns01]# named-checkzone lab.dbaplus.ca /var/named/chroot/var/named/lab.dbaplus.ca.zone
zone lab.dbaplus.ca/IN: loaded serial 2009092701
OK
[root@ns01]# named-checkzone 25.10.10.in-addr.arpa /var/named/chroot/var/named/25.10.10.in-addr.arpa
zone 25.10.10.in-addr.arpa/IN: loaded serial 2009092707
OK
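The forward and reverse zone files above describe the same four hosts twice, and named-checkzone validates each file on its own; nothing enforces that the two agree, and RAC setups depend on forward and reverse resolution matching for every node. As an added example, not part of the original post, the following shell script parses both files, pairs A records with PTR records and reports any host present in only one direction. It embeds constructed copies of the post's two zone files plus a broken pair containing a hypothetical scan01 A record with no PTR and a hypothetical rac03 PTR with no A record. It assumes the layout used above: one record per line, $ORIGIN at the top, and an explicit owner name on every record.

```shell
#!/bin/sh
# Added example, not part of the original post: cross-check a forward zone
# against its in-addr.arpa zone so that every A record has a matching PTR
# and vice versa. Assumes one record per line with an explicit owner name.

# Print "fqdn ip" for every A record in a forward zone file; relative owner
# names get the $ORIGIN appended, "@" becomes the origin itself.
forward_pairs() {   # $1 = forward zone file
    awk '
        /^\$ORIGIN/ { origin = $2; next }
        {
            for (i = 2; i <= NF; i++) if ($i == "A") {
                name = $1
                if (name == "@") name = origin
                else if (name !~ /\.$/) name = name "." origin
                print name, $(i + 1)
                break
            }
        }' "$1"
}

# Print "fqdn ip" for every PTR record in an in-addr.arpa zone file, turning
# the reversed octets of the owner name back into a dotted-quad address.
reverse_pairs() {   # $1 = reverse zone file
    awk '
        /^\$ORIGIN/ { origin = $2; next }
        {
            for (i = 2; i <= NF; i++) if ($i == "PTR") {
                name = $1
                if (name == "@") name = origin
                else if (name !~ /\.$/) name = name "." origin
                sub(/\.in-addr\.arpa\.$/, "", name)
                split(name, o, ".")
                print $(i + 1), o[4] "." o[3] "." o[2] "." o[1]
                break
            }
        }' "$1"
}

# List records that exist in only one direction; empty output means the
# zones agree.
check_zone_pairs() {   # $1 = forward zone file, $2 = reverse zone file
    fwd=$(mktemp); rev=$(mktemp)
    forward_pairs "$1" | sort > "$fwd"
    reverse_pairs "$2" | sort > "$rev"
    comm -23 "$fwd" "$rev" | sed 's/^/A without PTR: /'
    comm -13 "$fwd" "$rev" | sed 's/^/PTR without A: /'
    rm -f "$fwd" "$rev"
}
mismatch_count() { check_zone_pairs "$1" "$2" | wc -l | tr -d ' '; }

# Constructed copies of the post's zone files. With $2 = "broken" each file
# gets one hypothetical fault: scan01 has an A but no PTR, rac03 a PTR but no A.
write_forward_zone() {   # $1 = path, $2 = "" or "broken"
    cat > "$1" <<'EOF'
$ORIGIN lab.dbaplus.ca.
$TTL 86400
@       IN SOA ns01.lab.dbaplus.ca. admin.lab.dbaplus.ca. (
        2009092701 ; Serial
        28800      ; Refresh
        14400      ; Retry
        3600000    ; Expire
        86400 )    ; Minimum
@       IN NS  ns01.lab.dbaplus.ca.
ns01    IN A   10.10.25.254
host01  IN A   10.10.25.100
rac01   IN A   10.10.25.101
rac02   IN A   10.10.25.102
EOF
    [ "$2" = broken ] && echo 'scan01  IN A   10.10.25.110' >> "$1"
    return 0
}
write_reverse_zone() {   # $1 = path, $2 = "" or "broken"
    cat > "$1" <<'EOF'
$ORIGIN 25.10.10.in-addr.arpa.
$TTL 86400
@       IN SOA ns01.lab.dbaplus.ca. admin.lab.dbaplus.ca. (
        2009092707 ; Serial
        28800      ; Refresh
        14400      ; Retry
        3600000    ; Expire
        86400 )    ; Minimum
@       IN NS  ns01.lab.dbaplus.ca.
254     IN PTR ns01.lab.dbaplus.ca.
100     IN PTR host01.lab.dbaplus.ca.
101     IN PTR rac01.lab.dbaplus.ca.
102     IN PTR rac02.lab.dbaplus.ca.
EOF
    [ "$2" = broken ] && echo '103     IN PTR rac03.lab.dbaplus.ca.' >> "$1"
    return 0
}

# Demonstration: the post's zones agree; the broken pair reports two faults.
d=$(mktemp -d)
write_forward_zone "$d/fwd"; write_reverse_zone "$d/rev"
echo "mismatches in the post's zones: $(mismatch_count "$d/fwd" "$d/rev")"
write_forward_zone "$d/fwd" broken; write_reverse_zone "$d/rev" broken
check_zone_pairs "$d/fwd" "$d/rev"
rm -rf "$d"
```

Point it at /var/named/chroot/var/named/lab.dbaplus.ca.zone and 25.10.10.in-addr.arpa after every edit, before bumping the serial and reloading; an empty result from check_zone_pairs is the state you want before adding a RAC node.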
8. Reload and test the new configuration
Reload the new configuration with "service named reload" (remember to bump the zone serial whenever a zone file changes, otherwise the reload keeps serving the old data):
[root@ns01]# service named reload
Reloading named: [ OK ]
[root@ns01]#
Test the new configuration with "nslookup". The Server line in the output shows that this host is using itself as resolver, i.e. /etc/resolv.conf on ns01 points at 10.10.25.254. Check both directions for every host, since the forward and reverse zones are maintained separately:
[root@ns01]# nslookup host01.lab.dbaplus.ca
Server: 10.10.25.254
Address: 10.10.25.254#53
Name: host01.lab.dbaplus.ca
Address: 10.10.25.100
[root@ns01]#
[root@ns01]# nslookup 10.10.25.101
Server: 10.10.25.254
Address: 10.10.25.254#53
101.25.10.10.in-addr.arpa name = rac01.lab.dbaplus.ca.