First install BIND on the server. The packages used here are:
bind-9.9.4-61.el7.x86_64.rpm
bind-chroot-9.9.4-61.el7.x86_64.rpm
bind-devel-9.9.4-61.el7.x86_64.rpm
bind-dyndb-ldap-11.1-4.el7.x86_64.rpm
bind-lite-devel-9.9.4-61.el7.x86_64.rpm
bind-pkcs11-9.9.4-61.el7.x86_64.rpm
bind-pkcs11-devel-9.9.4-61.el7.x86_64.rpm
bind-pkcs11-libs-9.9.4-61.el7.x86_64.rpm
bind-pkcs11-utils-9.9.4-61.el7.x86_64.rpm
bind-sdb-9.9.4-61.el7.x86_64.rpm
bind-sdb-chroot-9.9.4-61.el7.x86_64.rpm
Then configure the file "/etc/named.conf" as follows:-
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; 192.168.60.1; };
        # listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.60.0/24; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "db.net" IN {
        type master;
        file "db.forward.zone";
        allow-update { none; };
};

zone "60.168.192.in-addr.arpa" IN {
        type master;
        file "db.reverse.zone";
        allow-update { none; };
};
Here "db.net" is my domain name. The files "db.forward.zone" and "db.reverse.zone" are located in "/var/named". The zone "db.net" is the forward zone, i.e. the file "db.forward.zone" translates hostnames to IP addresses. "60.168.192.in-addr.arpa" is the reverse zone; its name must be the network part of your IP address written with the octets in reverse order (this is mandatory), leaving out the last octet of the address (in my case my server's IP address is 192.168.60.1, so 192.168.60 becomes 60.168.192). Then write the files "/var/named/db.forward.zone" and "/var/named/db.reverse.zone" as follows :-
db.forward.zone is :-
---------------------
$TTL 1D
@       IN SOA  db.net. admin.db.net. (
                        2019112901 ; serial
                        1D         ; refresh
                        1H         ; retry
                        1W         ; expire
                        3H )       ; minimum
@               IN NS   server75.db.net.
@               IN A    192.168.60.1
server75        IN A    192.168.60.1
serverora11gr2  IN A    192.168.60.2
centos6client   IN A    192.168.60.3
centos7client   IN A    192.168.60.4
server5         IN A    192.168.60.5
server6         IN A    192.168.60.6
db.reverse.zone :-
------------------
$TTL 1D
@       IN SOA  db.net. admin.db.net. (
                        2019112901 ; serial
                        1D         ; refresh
                        1H         ; retry
                        1W         ; expire
                        3H )       ; minimum
@       IN NS   server75.db.net.
@       IN PTR  db.net.
1       IN PTR  server75.db.net.
2       IN PTR  serverora11gr2.db.net.
3       IN PTR  centos6client.db.net.
4       IN PTR  centos7client.db.net.
5       IN PTR  server5.db.net.
6       IN PTR  server6.db.net.
Note : be careful with spaces. There must be no space before "@" in "db.forward.zone" and "db.reverse.zone"; the "@" must sit in the editor's zeroth (first) column. If you get errors, check for stray spaces in these files; the same applies to "named.conf".
@ means "this zone". The SOA record stores information about the zone: the name of the server that supplied the data for the zone (db.net. in the files above) and the mail address of the person responsible for the zone (admin.db.net. in the files above; don't forget the period at the end, even though it does not look like an e-mail address). Remember that @ means this zone. In this case 2019112901 is the zone serial number. Its purpose in DNS zone files is to give the server a way to verify that the contents of a zone file are up to date: if the serial number in a zone file hasn't changed since that zone was last loaded, named figures that it can ignore the file. I put the date and time as a number, followed by 01 at the end; you can put any number you like.
Refresh: indicates the time after which the slave will try to refresh the zone from the master (if we have another DNS server which transfers zone files from the master server).
Retry: defines the time between retries if the slave (secondary) fails to contact the master when the refresh interval (above) has expired.
Expire: indicates when the zone data are considered incorrect by the slave server; the slave then tries to get an update from the master server.
Minimum: defines the duration in seconds that the record may be cached. We don't have a slave server, so accept the default values.
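As an added example (not part of the original post), here is a small Python checker for the two zone files above: it parses the forward and reverse zones and reports hosts that have an A record but no PTR, PTRs that have no matching A record, and NS names that have no A record in the forward zone. The sample zones are constructed inline from the post's own hostnames and 192.168.60.0/24 addresses, with one mismatch deliberately left on each side.

```python
from collections import defaultdict
FORWARD_ORIGIN, REVERSE_ORIGIN = "db.net.", "60.168.192.in-addr.arpa."
# Constructed sample zones: a subset of the post's records, with one host
# deliberately present in only one direction on each side.
FORWARD_ZONE = """$TTL 1D
@ IN SOA db.net. admin.db.net. ( 2019112901 1D 1H 1W 3H )
@ IN NS server75.db.net.
@ IN A 192.168.60.1
server75 IN A 192.168.60.1
serverora11gr2 IN A 192.168.60.2
centos6client IN A 192.168.60.3   ; no PTR in the reverse zone
"""
REVERSE_ZONE = """$TTL 1D
@ IN SOA db.net. admin.db.net. ( 2019112901 1D 1H 1W 3H )
@ IN NS server75.db.net.
1 IN PTR server75.db.net.
2 IN PTR serverora11gr2.db.net.
4 IN PTR centos7client.db.net.    ; no A record in the forward zone
"""

def parse_zone(text, origin):
    """Return [(owner_fqdn, rtype, rdata)] for 'owner IN type rdata' lines."""
    records = []
    for line in text.splitlines():
        f = line.split(";")[0].split()          # drop ; comments, tokenize
        if len(f) < 4 or f[1] != "IN":
            continue                            # $TTL, SOA continuation, blanks
        owner = origin if f[0] == "@" else f[0] if f[0].endswith(".") else f"{f[0]}.{origin}"
        records.append((owner, f[2], f[3]))
    return records

def ptr_to_ip(owner):   # '2.60.168.192.in-addr.arpa.' -> '192.168.60.2'
    return ".".join(reversed(owner[: -len(".in-addr.arpa.")].split(".")))

def check_zones(fwd_text, rev_text):
    fwd, rev = parse_zone(fwd_text, FORWARD_ORIGIN), parse_zone(rev_text, REVERSE_ORIGIN)
    a_by_ip = defaultdict(set)                  # ip -> every name with that A record
    for owner, rtype, rdata in fwd:
        if rtype == "A":
            a_by_ip[rdata].add(owner)
    ptr_by_ip = {ptr_to_ip(o): r for o, t, r in rev if t == "PTR" and o != REVERSE_ORIGIN}
    problems = [f"no PTR for {ip} ({', '.join(sorted(names))})"
                for ip, names in sorted(a_by_ip.items()) if ip not in ptr_by_ip]
    problems += [f"PTR {ip} -> {name} has no matching A record"
                 for ip, name in sorted(ptr_by_ip.items()) if name not in a_by_ip.get(ip, set())]
    a_names = {n for names in a_by_ip.values() for n in names}   # lame-NS check
    problems += [f"NS {ns} has no A record in the forward zone"
                 for ns in sorted({r for _, t, r in fwd + rev if t == "NS"}) if ns not in a_names]
    return problems                             # empty list means the zones agree
```

Run check_zones on the real files (read from /var/named) after every edit and before bumping the serial; an empty list means forward and reverse agree.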
Then run the following commands to open the DNS service in the firewall :-
# firewall-cmd --zone=public --add-service=dns --permanent
# firewall-cmd --reload
Change the group and owner of the zone directory so named can read it :-
# chown named:named -Rf /var/named/
To check the configuration of named, run the following command :-
# named-checkconf /etc/named.conf
If this shows no output then everything is fine.
Then restart named :-
# systemctl restart named
If this shows no output then everything is fine.
Then check the forward zone with the following command (the first argument is the zone name, the second is the zone file) :-
# named-checkzone db.net /var/named/db.forward.zone
This will show the following output :-
zone db.net/IN: loaded serial 2019112901
OK
For the reverse zone :-
# named-checkzone 60.168.192.in-addr.arpa /var/named/db.reverse.zone
This will show the following output :-
zone 60.168.192.in-addr.arpa/IN: loaded serial 2019112901
OK
Then check DNS with the following command (on the server side) :-
[root@server75 rahul]# dig @localhost server75.db.net
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> @localhost server75.db.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7725
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server75.db.net. IN A
;; ANSWER SECTION:
server75.db.net. 86400 IN A 192.168.60.1
;; AUTHORITY SECTION:
db.net. 86400 IN NS server75.db.net.
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 14 17:04:47 IST 2020
;; MSG SIZE rcvd: 74
On the server, resolv.conf will be :-
----------------------
# cat /etc/resolv.conf
# Generated by NetworkManager
search db.net
nameserver 202.56.224.153
nameserver 59.144.127.17
nameserver 192.168.60.1
On the client side :-
-----------------
Set the following in /etc/resolv.conf :-
search db.net
nameserver 192.168.60.1
nameserver 202.56.224.153
nameserver 59.144.127.17
Here the last two nameservers are from the ISP.
Run the following command (on the client side) :-
------------------------------------------
# dig server75.db.net
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> server75.db.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23182
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;server75.db.net. IN A
;; ANSWER SECTION:
server75.db.net. 86400 IN A 192.168.60.1
;; AUTHORITY SECTION:
db.net. 86400 IN NS server75.db.net.
;; Query time: 2 msec
;; SERVER: 192.168.60.1#53(192.168.60.1)
;; WHEN: Tue Jan 14 17:12:25 2020
;; MSG SIZE rcvd: 63
And also this command :-
------------------------
# host server75
server75.db.net has address 192.168.60.1
Now try both commands (dig and host) from every client.
Note: if you boot the server VM first and then the client VM, do this :-
# ping serverora11gr2.db.net
# ping 192.168.60.2
and wait for at least 10-15 seconds.
Here serverora11gr2.db.net is one of my clients' hostnames; its IP address is listed in "db.forward.zone" and in "db.reverse.zone".
Note : if your hosts are not pinging, restart named on the server and then ping the needed clients, as follows :-
# systemctl restart named
# ping serverora11gr2.db.net
--- done.