DNS server unique zone
Here, I will present the installation of:
- Local domain (.local)
That means all the INTERNAL resources are private. Nothing is reachable from the outside.
In the following example I'll be using:
- INTERNAL zone: smartcards.local
- DNS server name: smartcard-gw
- Network: 172.16.50.0/24 ; router: 172.16.50.1 ; DNS server IP: 172.16.50.2
Contents
Zone configuration (name to IP @)
Declare the new zone
Edit configuration file:
vim /etc/bind/named.conf.local
Uncomment and adjust the file content
zone "smartcards.local" {
type master;
file "/etc/bind/smartcards.local";
};
Zone configuration file
Create the zone configuration file from a local template:
cp /etc/bind/db.local /etc/bind/smartcards.local
Edit configuration file:
vim /etc/bind/smartcards.local
Adjust the file content
;
; BIND data file for smartcards.local
;
$TTL 604800
@ IN SOA smartcard-gw.smartcards.local. root.smartcards.local. (
20140603 ; Serial
; As the serial be changed everytime you edit this file
; it is recommended to use the pattern "yyyyMMdd"
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; DNS server declaration
; Each NS must point to an A record, not a CNAME.
; This is where the Primary and Secondary DNS servers are defined
;
@ IN NS smartcard-gw.smartcards.local.
smartcard-gw IN A 172.16.50.2
;
; Gateway (router)
;
cisco-router IN A 172.16.50.1
;
; Declare your servers and networks hosts
;
smarcartd-prod-00 IN A 172.16.50.50
smarcartd-prod-01 IN A 172.16.50.51
smarcartd-prod-02 IN A 172.16.50.52
smarcartd-prod-03 IN A 172.16.50.53
; Create an alias to an existing record
;wwww IN CNAME smartcard-gw
Notes:
- Don't forget to adjust the serial every-time you edit the file !
- NS = Name server
- A = IP v4 entry
- AAAA = IP v6 entry
- CNAME = Alias to a previous A or AAAA entry
Reverse zone (IP @ to name)
Now that the zone is setup and resolving names to IP Adresses a Reverse zone is also required. A Reverse zone allows DNS to resolve an address to a name.
Declare reverse zone
Edit configuration file:
vim /etc/bind/named.conf.local
Add the following reverse
# Our reverse zone
# Server IP 172.16.50.2
zone "50.16.172.in-addr.arpa" {
type master;
file "/etc/bind/db.172";
};
Key points:
- Replace 50.16.172 with the first three octets of whatever network you are using - in reverse order!
- Name the zone file /etc/bind/db.172 : it should match the first octet of your network.
Configure reverse zone
Now create the /etc/bind/db.172 file:
cp /etc/bind/db.127 /etc/bind/db.172
Edit the new file:
vim /etc/bind/db.172
The content is basically the same as /etc/bind/smartcards.local:
;
; BIND reverse data file for local 172.16.50.XXX net
;
$TTL 604800
@ IN SOA smartcard-gw.smartcards.local. root.smartcards.local. (
20140603 ; Serial
; As the serial be changed everytime you edit this file
; it is recommended to use the pattern "yyyyMMdd"
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; Local server
;
@ IN NS smartcard-gw.
2 IN PTR smartcard-gw.smartcards.local.
; Gateway (router)
1 IN PTR cisco-router.smartcards.local
;
; Other components and hosts
;
50 IN PTR smartcard-prod-00.smartcards.local.
51 IN PTR smartcard-prod-01.smartcards.local.
52 IN PTR smartcard-prod-02.smartcards.local.
53 IN PTR smartcard-prod-03.smartcards.local.
Notes:
- Don't forget to adjust the serial every-time you edit the file !
- You only need to put the last byte value in the reverse
- PTR = redirection to A entry
Take changes into account
service bind9 restart
Add new hostname
This is how we had a new host-name into the network:
Update LOCAL zone
Edit local zone:
vim /etc/bind/smartcards.local
Add a A or AAAA entry:
my-new-host IN A 172.16.50.60
Update REVERSE zone
Edit local zone:
vim /etc/bind/db.172
Add a A or AAAA entry:
60 IN PTR my-new-host.smartcards.local.
Restart service
service bind9 restart
Sources
You can find a lot of information about DNS on the web. I used the following tutorials:
- http://doc.ubuntu-fr.org/bind9 (in French)
Bug fixes:
- no forwarding due to DNS-SEC errors (broken trust chain): http://pewetheb.blogspot.se/2013/11/named-error-broken-trust-chain.html