DNS server unique zone
Latest revision as of 14:16, 22 August 2014
Here, I will present the installation of:
- Local domain (.local)
That means all the INTERNAL resources are private. Nothing is reachable from the outside.
In the following example I'll be using:
- INTERNAL zone: smartcards.local
- DNS server name: smartcard-gw
- Network: 172.16.50.0/24 ; router: 172.16.50.1 ; DNS server IP: 172.16.50.2
Zone configuration (name to IP @)
Declare the new zone
Edit configuration file:
vim /etc/bind/named.conf.local
Uncomment and adjust the file content
zone "smartcards.local" {
type master;
file "/etc/bind/smartcards.local";
};
Zone configuration file
Create the zone configuration file from a local template:
cp /etc/bind/db.local /etc/bind/smartcards.local
Edit configuration file:
vim /etc/bind/smartcards.local
Adjust the file content
;
; BIND data file for smartcards.local
;
$TTL 604800
@ IN SOA smartcard-gw.smartcards.local. root.smartcards.local. (
20140603 ; Serial
; As the serial must be changed every time you edit this file
; it is recommended to use the pattern "yyyyMMdd"
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; DNS server declaration
; Each NS must point to an A record, not a CNAME.
; This is where the Primary and Secondary DNS servers are defined
;
@ IN NS smartcard-gw.smartcards.local.
smartcard-gw IN A 172.16.50.2
;
; Gateway (router)
;
cisco-router IN A 172.16.50.1
;
; Declare your servers and networks hosts
;
smartcard-prod-00 IN A 172.16.50.50
smartcard-prod-01 IN A 172.16.50.51
smartcard-prod-02 IN A 172.16.50.52
smartcard-prod-03 IN A 172.16.50.53
; Create an alias to an existing record
;www IN CNAME smartcard-gw
Notes:
- Don't forget to adjust the serial every time you edit the file!
- NS = Name server
- A = IPv4 address entry
- AAAA = IPv6 address entry
- CNAME = Alias to a previous A or AAAA entry
Reverse zone (IP @ to name)
Now that the zone is set up and resolves names to IP addresses, a Reverse zone is also required. A Reverse zone allows DNS to resolve an address back to a name.
Declare reverse zone
Edit configuration file:
vim /etc/bind/named.conf.local
Add the following reverse zone declaration:
# Our reverse zone
# Server IP 172.16.50.2
zone "50.16.172.in-addr.arpa" {
type master;
file "/etc/bind/db.172";
};
Key points:
- Replace 50.16.172 with the first three octets of whatever network you are using, in reverse order!
- Name the zone file /etc/bind/db.172: the suffix should match the first octet of your network.
Configure reverse zone
Now create the /etc/bind/db.172 file:
cp /etc/bind/db.127 /etc/bind/db.172
Edit the new file:
vim /etc/bind/db.172
The content is basically the same as /etc/bind/smartcards.local:
;
; BIND reverse data file for local 172.16.50.XXX net
;
$TTL 604800
@ IN SOA smartcard-gw.smartcards.local. root.smartcards.local. (
20140603 ; Serial
; As the serial must be changed every time you edit this file
; it is recommended to use the pattern "yyyyMMdd"
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; Local server
;
@ IN NS smartcard-gw.smartcards.local.
2 IN PTR smartcard-gw.smartcards.local.
; Gateway (router)
1 IN PTR cisco-router.smartcards.local.
;
; Other components and hosts
;
50 IN PTR smartcard-prod-00.smartcards.local.
51 IN PTR smartcard-prod-01.smartcards.local.
52 IN PTR smartcard-prod-02.smartcards.local.
53 IN PTR smartcard-prod-03.smartcards.local.
Notes:
- Don't forget to adjust the serial every time you edit the file!
- Only the last octet of the address is used as the record name in the reverse zone; the zone name already supplies the first three.
- PTR = pointer from an address back to a name (the counterpart of the A entry); the name must end with a dot, otherwise BIND appends the reverse zone name to it.
Take changes into account
service bind9 restart
Add new hostname
This is how to add a new host name to the network:
Update LOCAL zone
Edit local zone:
vim /etc/bind/smartcards.local
Add an A or AAAA entry:
my-new-host IN A 172.16.50.60
Update REVERSE zone
Edit reverse zone:
vim /etc/bind/db.172
Add a PTR entry:
60 IN PTR my-new-host.smartcards.local.
Restart service
service bind9 restart
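The notes under both zone files (bump the serial on every edit, PTR names need their trailing dot, each PTR should match an A record) and the "Add new hostname" procedure above are easy to get wrong by hand when the same host is typed into two files. The following Python helper is an added example, not code from the page or from BIND: it derives the reverse zone name from the network, checks a forward/reverse pair for those slips, and appends the A and PTR records for a new host while bumping both serials with the page's yyyyMMdd convention. The function names, the sample zone texts (constructed from the page's values) and the lowercase-only host name rule are all assumptions of this example.

```python
"""Helpers for this page's smartcards.local forward zone and the matching
50.16.172.in-addr.arpa reverse zone. Added example, not code from the page or
from BIND; the sample zone texts below are constructed from the page's values."""
import datetime
import ipaddress
import re

FORWARD_ORIGIN = "smartcards.local."  # zone name from the page


def reverse_zone_name(cidr):
    """Network octets in reverse order under in-addr.arpa (octet-aligned IPv4
    prefixes only): 172.16.50.0/24 -> 50.16.172.in-addr.arpa."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only IPv4 networks on an octet boundary are handled")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


REVERSE_ORIGIN = reverse_zone_name("172.16.50.0/24")  # page's network
NETWORK_PREFIX = "172.16.50."  # a PTR owner is only the last octet; this is the rest

# "owner IN type rdata [; comment]"; the SOA line and its continuation never match
RECORD_RE = re.compile(r"^(\S+)\s+IN\s+(A|AAAA|PTR|NS|CNAME)\s+(\S+)\s*(?:;.*)?$")
SERIAL_RE = re.compile(r"^([ \t]*)(\d+)([ \t]*;[ \t]*Serial.*)$", re.M)


def records(zone_text, rtype):
    """(owner, rdata) pairs of one record type; ';' comment lines are skipped."""
    out = []
    for line in zone_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m and m.group(2) == rtype and not line.lstrip().startswith(";"):
            out.append((m.group(1), m.group(3)))
    return out


def check_consistency(forward_text, reverse_text):
    """Catch the slips these hand-edited files invite: a PTR/NS target without its
    trailing dot, a PTR whose name has no matching A record, an NS with no A."""
    a_by_ip = {ip: (o if o.endswith(".") else f"{o}.{FORWARD_ORIGIN}")
               for o, ip in records(forward_text, "A")}
    problems = []
    for owner, target in records(reverse_text, "PTR") + records(reverse_text, "NS"):
        if not target.endswith("."):
            problems.append(f"{owner} {target}: no trailing dot, becomes {target}.{REVERSE_ORIGIN}")
        elif owner.isdigit() and a_by_ip.get(NETWORK_PREFIX + owner) != target:
            problems.append(f"{owner} {target}: forward zone has {a_by_ip.get(NETWORK_PREFIX + owner)}")
        elif not owner.isdigit() and target not in a_by_ip.values():
            problems.append(f"NS {target}: no A record in the forward zone")
    return problems


def bump_serial(zone_text, today=None):
    """Set the SOA serial to today's yyyyMMdd as the page recommends; on a second
    edit the same day add one, so secondaries still see the serial increase."""
    wanted = int(today or datetime.date.today().strftime("%Y%m%d"))
    new_text, n = SERIAL_RE.subn(
        lambda m: f"{m.group(1)}{max(wanted, int(m.group(2)) + 1)}{m.group(3)}",
        zone_text, count=1)
    if n != 1:
        raise ValueError("no '; Serial' line found")
    return new_text


def add_host(forward_text, reverse_text, name, last_octet, today=None):
    """The page's 'Add new hostname' procedure in one step: append the A and the
    PTR record and bump both serials. Returns the two new file contents."""
    if not re.fullmatch(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?", name):  # lowercase only
        raise ValueError(f"invalid host name {name!r}")
    if not 0 < last_octet < 255:
        raise ValueError(f"last octet {last_octet} out of range")
    if any(o == name for o, _ in records(forward_text, "A")) or \
            any(o == str(last_octet) for o, _ in records(reverse_text, "PTR")):
        raise ValueError(f"{name} or {NETWORK_PREFIX}{last_octet} already declared")
    fwd = forward_text.rstrip("\n") + f"\n{name} IN A {NETWORK_PREFIX}{last_octet}\n"
    rev = reverse_text.rstrip("\n") + f"\n{last_octet} IN PTR {name}.{FORWARD_ORIGIN}\n"
    return bump_serial(fwd, today), bump_serial(rev, today)


# Constructed samples: forward zone, reverse zone, and a reverse zone with the
# three slips check_consistency() is meant to catch (same SOA reused).
FORWARD_SAMPLE = """\
@ IN SOA smartcard-gw.smartcards.local. root.smartcards.local. (
        20140603 ; Serial
        604800 86400 2419200 604800 )
@ IN NS smartcard-gw.smartcards.local.
smartcard-gw IN A 172.16.50.2
cisco-router IN A 172.16.50.1
smartcard-prod-00 IN A 172.16.50.50
"""
REVERSE_SAMPLE = FORWARD_SAMPLE.split("@ IN NS")[0] + """\
@ IN NS smartcard-gw.smartcards.local.
2 IN PTR smartcard-gw.smartcards.local.
1 IN PTR cisco-router.smartcards.local.
50 IN PTR smartcard-prod-00.smartcards.local.
"""
REVERSE_BROKEN = (REVERSE_SAMPLE
                  .replace("NS smartcard-gw.smartcards.local.", "NS smartcard-gw.")
                  .replace("cisco-router.smartcards.local.", "cisco-router.smartcards.local")
                  .replace("smartcard-prod-00", "smarcartd-prod-00"))

if __name__ == "__main__":
    for p in check_consistency(FORWARD_SAMPLE, REVERSE_BROKEN):
        print("problem:", p)
    new_fwd, new_rev = add_host(FORWARD_SAMPLE, REVERSE_SAMPLE, "my-new-host", 60)
    print(new_fwd, new_rev, sep="\n")
```

Run the checker on the real files after every edit and before `service bind9 restart`; on a system with BIND installed, `named-checkzone` and `named-checkconf` remain the authoritative syntax checks, and this script only adds the cross-file consistency and serial discipline that those tools do not cover.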
Sources
You can find a lot of information about DNS on the web. I used the following tutorials:
- http://doc.ubuntu-fr.org/bind9 (in French)
Bug fixes:
- no forwarding due to DNS-SEC errors (broken trust chain): http://pewetheb.blogspot.se/2013/11/named-error-broken-trust-chain.html