Bind9 DNS Setup

Posted on 2011-02-15
Last Modified: 2012-06-27
Hello,

Here's the goal I'm trying to achieve with Bind9:

Site A:
Address: 172.30.18.10
Master Zones: domain.com, sitea.domain.com
Slave Zones: siteb.domain.com

Site B:
Address: 172.30.22.10
Master Zones: siteb.domain.com
Slave Zones: domain.com

All hosts in both sites will do dynamic updates (host.sitea.domain.com). The master zone "domain.com" will host static records.

I want users to be able to access server.domain.com but I will need to be able to access host.sitea.domain.com.

Thank you.

Question by: we3kings

14 Comments

LVL 70

Expert Comment

by:Chris Dent
ID: 34899595

How far have you got / what do you need help with?

Servers up at each site?

Primary / Secondary zones set?

Trouble with named.conf?

Chris

Author Comment

by:we3kings
ID: 34899653
Thanks for the reply. So far I have my named.conf.local set up on both servers and everything is fine in that regard. I guess my problem is with the zone files. I'm not really sure how to my nameserver (ns.sitea.domain.com) on both domain.com and sitea.domain.com. Thanks a bunch for the help!
LVL 70

Expert Comment

by:Chris Dent
ID: 34899714

Good stuff :) Are you willing to post named.conf for each server at all?

Are these public servers? Or is this all your own private network?

If it's private, you can pretty much make up the NS records. Personally I'd have:

ns1.domain.com.  IN A  172.30.18.10    (Site A)
ns2.domain.com.  IN A  172.30.22.10    (Site B)

Then I would make all zones use those addresses as NS. For example, records like this within their respective zones:

domain.com.     IN NS   ns1.domain.com.
domain.com.     IN NS   ns2.domain.com.

Given that sitea has no slave zone, were you intending to rely on a delegation in domain.com? Please don't hesitate to post snippets of your configuration / zone files or ask questions if anything I post is not clear.

Chris

Author Comment

by:we3kings
ID: 34900160
Okay, let me try it this way. I'll just post snippets of how I want it to look starting with siteA:

SiteA (This is the hub location where the IT department is located.)

zone "domain.com" {
    type master;
    file "domain.com.hosts";
    allow-transfer { 172.30.22.10; };
};

@ IN SOA siteaNS. email.domain. (serial, etc)
@ IN NS siteaNS
  IN A 172.30.18.10

zone "sitea.domain.com" {
    type master;
    file "sitea.domain.com.hosts";
};

@ IN SOA siteaNS. email.domain (serial, etc)
@ IN NS siteaNS
  IN A 172.30.18.10


Sorry if this doesn't make sense. I'm kind of burned out at this point.


Author Comment

by:we3kings
ID: 34900202
Sorry, this is a private network.
LVL 70

Expert Comment

by:Chris Dent
ID: 34900268

It's no problem, we can go slowly.

I take it these are not literal examples? I want to make sure because syntax in zone files is important. That is, these two are not equivalent:

@ IN NS siteaNS

And:

@ IN NS siteaNS.

If you're fabricating names, can you use the same number of labels (that is, ns1.realdomain.com becomes ns1.domain.example)?

Anyway, making allowances for replacement, those look pretty okay. You'd have a slave configured on SiteB-NS, and that'd transfer the zone from A. You would want to include SiteB-NS in the NS record set in the zone on A though.

e.g.
; domain.com zone file
; The origin, @, zone name by default, will be appended to all unterminated names (no trailing .)
@        IN SOA     SiteA-NS  hostmaster (serial, etc)
         IN NS      SiteA-NS

         IN A       172.30.18.10

; A records for name servers
SiteA-NS IN A       172.30.18.10
SiteB-NS IN A       172.30.22.10

; Delegation for SiteA sub-domain (delegated to SiteA-NS only)
SiteA    IN NS      SiteA-NS


Chris
LVL 70

Expert Comment

by:Chris Dent
ID: 34900305
Sorry, I still managed to miss SiteB-NS out of the NS record set.

Re-posting that sample:
; domain.com zone file
; The origin, @, zone name by default, will be appended to all unterminated names (no trailing .)
@        IN SOA     SiteA-NS  hostmaster (serial, etc)
         IN NS      SiteA-NS
         IN NS      SiteB-NS

         IN A       172.30.18.10

; A records for name servers
SiteA-NS IN A       172.30.18.10
SiteB-NS IN A       172.30.22.10

; Delegation for SiteA sub-domain (delegated to SiteA-NS only)
SiteA    IN NS      SiteA-NS


Chris

Author Comment

by:we3kings
ID: 34900821
Thanks so much for that! You inadvertently solved another problem I was having with nslookup. Anyway, do I need to have the part about delegation if I'm going to have an entirely different zone for sitea.domain.com? I'm not entirely sure how that works. The previous parts solve my domain.com problem, now I'm moving on to sitea.domain.com which is located on 172.30.18.10. Would it look pretty much identical to domain.com zone?

@	IN SOA	SiteA-NS hostmaster (serial, etc)
	IN NS	SiteA-NS
	IN A	172.30.18.10


LVL 70

Accepted Solution

by: Chris Dent (earned 500 total points)
ID: 34900896
The delegation presents information for other people rather than information for your own server. For internal-only setups it's rarely necessary, as clients always talk to an authoritative server; however, I generally include them for completeness and consistency.

The sitea.domain.com zone is a bit different. The NS Record refers to a server outside of its own zone.
@	IN SOA	SiteA-NS.domain.com. hostmaster (serial, etc)
	IN NS	SiteA-NS.domain.com.

	IN A	172.30.18.10


Because you're referring back to the single entry for SiteA-NS.domain.com you need to reference the full name. You must include the trailing . or it will make it into "SiteA-NS.domain.com.sitea.domain.com" as it will append the zone name.

The e-mail address in the SOA, hostmaster, will become hostmaster.sitea.domain.com. As with the server address, you could simply reference hostmaster.domain.com. (again, including the trailing .).

With this, we don't need to include an A record for SiteA-NS in this sub-domain. You're using the record from the parent zone. It's the approach I would take as your name server entries would be consistent across all zones.

Chris
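Added example, not Chris's or the thread's code: a small Python routine that applies BIND's origin rule to the sitea.domain.com zone above, so you can see exactly what each NS target and the SOA hostmaster field resolve to with and without the trailing dot. The one-line SOA timer values, the helper names and the constructed zone text are my own assumptions for illustration.

```python
def qualify(name, origin):
    """Absolute form of a zone-file name, as BIND reads it: '@' is the
    origin, a name ending in '.' is left alone, anything else gets the
    origin appended (the accepted answer's trailing-dot point)."""
    if not origin.endswith("."):
        origin += "."
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Parse 'owner [IN] type rdata' lines into (owner, type, rdata).
    A line starting with whitespace inherits the previous owner.  Names in
    NS/CNAME/PTR rdata and the SOA MNAME/RNAME are qualified too, so a
    missing trailing dot becomes visible.  Comments and blank lines are
    skipped; parenthesised multi-line SOA is not handled."""
    records, last_owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        fields = line.split()
        owner = last_owner if line[0].isspace() else fields.pop(0)
        last_owner = owner
        if fields[0] == "IN":
            fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata[0] = qualify(rdata[0], origin)
        elif rtype == "SOA":
            rdata[0], rdata[1] = (qualify(rdata[0], origin), qualify(rdata[1], origin))
        records.append((qualify(owner, origin), rtype, " ".join(rdata)))
    return records


# Constructed sample: the sitea.domain.com zone from the accepted answer,
# with one correct NS line and one where the trailing dot was forgotten.
SITEA_ZONE = """\
@   IN SOA  SiteA-NS.domain.com. hostmaster 1 3600 900 604800 86400
    IN NS   SiteA-NS.domain.com.   ; absolute: left alone
    IN NS   SiteA-NS.domain.com    ; relative: origin appended
    IN A    172.30.18.10
"""


def ns_targets(zone_text, origin):
    """Names the NS records really point at after origin processing."""
    return [rdata for _, rtype, rdata in parse_zone(zone_text, origin) if rtype == "NS"]
```

The second NS entry comes out as SiteA-NS.domain.com.sitea.domain.com., the exact mistake Chris warns about, while hostmaster becomes hostmaster.sitea.domain.com. as described.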

Author Comment

by:we3kings
ID: 34910204
Awesome, man! Thank you for going out of your way for me. All that worked like a charm... currently I have both sites set up. domain.com is transferring from sitea to siteb and both can access its contents. sitea.domain.com and siteb.domain.com are both accepting dynamic updates. I've also set up forwarding zones on sitea to allow resolution of siteb.domain.com records. However, I do not need siteb to resolve any records from sitea.domain.com. Any clue how to do that? Also, when I look at nslookup in Windows, I get "Can't find server name from address 172.30.22.10: Non-existent domain", any idea on that?
LVL 70

Expert Comment

by:Chris Dent
ID: 34910308

The delegation for sitea is part of domain.com, so if SiteB-NS needs to resolve names for sitea it'll follow the delegation.

You could remove that, or you could restrict access to sitea, perhaps removing the delegation might be easiest at this stage?

And the Can't find server name... it happens because the MS version of nslookup tries to do this when it starts:

nslookup -q=ptr 172.30.22.10

Without a Reverse Lookup Zone and a PTR record that won't work so it throws the error.

You can ignore it if you like, it's pretty harmless. If you want to have reverse lookup as well you need a zone named like this:

18.30.172.in-addr.arpa

That covers SiteA. You could make a similar version for SiteB, or you could use a larger zone to cover both subnets:

30.172.in-addr.arpa

Chris
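Added example, not from the thread: Python helpers that derive the in-addr.arpa zone name for the two options Chris describes (a /24 per site, or one /16 covering both subnets) and show which PTR owner names the 172.30.18.10 and 172.30.22.10 servers need in each zone, and which server a too-narrow zone leaves without a PTR. The NS hostnames and helper names are assumptions for illustration.

```python
import ipaddress


def reverse_zone(cidr):
    """in-addr.arpa zone name for an octet-aligned (/8, /16, /24) prefix,
    e.g. 172.30.18.0/24 -> 18.30.172.in-addr.arpa as in the thread."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned prefixes are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(address, zone):
    """PTR owner name for `address` relative to `zone`, or None when the
    zone does not cover it (the gap behind nslookup's "Can't find server
    name" message at startup)."""
    absolute = ipaddress.ip_address(address).reverse_pointer  # 10.22.30.172.in-addr.arpa
    suffix = "." + zone
    return absolute[: -len(suffix)] if absolute.endswith(suffix) else None


def ptr_records(zone, hosts):
    """Zone-file PTR lines for the hosts `zone` covers; hosts it does not
    cover are returned separately rather than silently dropped."""
    lines, uncovered = [], []
    for ip, name in hosts:
        owner = ptr_owner(ip, zone)
        if owner is None:
            uncovered.append(ip)
        else:
            lines.append(f"{owner}\tIN PTR\t{name}")
    return lines, uncovered


# Constructed sample: the two name servers from the thread, with the
# NS names Chris suggested (assumed; the real hostnames are not given).
NAME_SERVERS = [
    ("172.30.18.10", "SiteA-NS.domain.com."),
    ("172.30.22.10", "SiteB-NS.domain.com."),
]
```

With the SiteA-only zone 18.30.172.in-addr.arpa, 172.30.22.10 is reported as uncovered, so nslookup on a Windows host pointed at SiteB would keep printing the error until a SiteB zone (or the wider 30.172.in-addr.arpa zone) exists.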

Author Comment

by:we3kings
ID: 34910427
Awesome! Sorry for the little bonus question there. Do you need a job, btw, haha? Thanks again for all the help.

Author Closing Comment

by:we3kings
ID: 34910431
Awesome responses!
LVL 70

Expert Comment

by:Chris Dent
ID: 34910466

You're welcome :)

Chris