Solved

how do I build a ZDNS Server on RHEL 5.3?

Posted on 2011-02-25
Last Modified: 2012-05-11
Hi,
I have 6 Linux RHEL blade servers and a Windows 2003 server. The Windows server is my DNS server but I want to change this. I want to configure one of the servers as a primary DNS server and another as secondary. I will probably keep the Windows server configured but disable DNS (as backup DNS).
I can't seem to find very clear instructions on how to install or configure a Linux RHEL DNS server. Can anyone help?
Question by:Pete-Castillo
 
LVL 6

Expert Comment

by:de2Zotjes
ID: 34986141
The DNS server on RHEL 5.3 (when you want to be the authoritative server) is BIND (Berkeley Internet Name Daemon).
First install the packages you are likely going to need:
(all commands in a shell, as root)
yum install bind bind-utils
Accept any additional packages to satisfy dependencies.
After installation the service will be (by default) disabled. Check with:
chkconfig --list | grep named
If it lists off for all runlevels you can enable it with:
chkconfig named on
This ensures the service will be started after a reboot (or runlevel change).
The service has not been started yet; there is no point, it must first be configured.
Going over the configuration is duplication of some good documentation; please refer to http://www.linuxtopia.org/online_books/rhel5/rhel5_administration/rhel5_ch-bind.html first.
After doing the configuration and setting up the appropriate zone files, don't forget to start named:
service named start

This should get you underway, just let us know where you hit the speedbumps :)
 
LVL 20

Expert Comment

by:Daniel McAllister
ID: 34987598
Pete-Castillo,

What you are requesting is likely a very un-optimal solution -- unless your Windows Server 2003 system is NOT an Active Directory Server, is NOT the DHCP server, is NOT an Exchange Server, and is NOT an MS-SQL server.

If ANY of those options are FALSE (if your Windows 2003 IS actually providing one or more of those services), then you should NOT attempt to remove the DNS server capability from the Windows Server, as it will eventually (probably quickly) BREAK those other services.

I completely understand the desire to offload the DNS servicing to one or more of the Linux servers -- but making them the "primary" DNS server in the LAN is not the answer.

Before I go on, a couple of caveats:
 1) the issue above with being "the" DNS server relates to the Windows Server being the LOCAL DOMAIN's DNS server. Those services won't care where the Internet Domain DNS comes from.
 2) There is no reason why the Internet Domain (recursive) DNS servers have to be the same set of DNS servers for the Local Domain(s)

Assuming that the Windows 2003 server IS actually an AD server (or the others), what you want to do is:
 A) Install DNS services on your Linux system as SLAVES to the Local Domain(s) -- listing the Windows Server as the Master, but also allowing recursive lookups for local clients (don't make yourself a public DNS server -- just allow the LAN hosts to do recursion, and don't let other IPs do anything).
 B) Configure your DHCP server (probably Windows 2003!) to tell clients to use the Linux Server(s) as their DNS servers (conveniently omitting the Windows Server as an available DNS server)
Voila! Clients access the Linux Servers for DNS, which get their zones from the Windows server.

NOTE: Many Windows optimization books will tell you NOT to do this -- but I've not seen any issues with this on more than 2-dozen implementations.

Just my thoughts...

Dan
IT4SOHO
 

Author Comment

by:Pete-Castillo
ID: 34989721
Hi IT4SOHO,
What you are proposing is exactly what I'd like to see done. Ideally I want to keep my Win2k03 server as primary DNS and use one of the Linux servers as slave or secondary DNS. This is an AD server and I don't want to break it, but I don't have a secondary DNS and I'm having nightmares that this Win2k03 server could fail.
Having said all this, can you guide me in configuring one of these RHEL servers as a DNS server (slave)?
Thanks
 
LVL 20

Expert Comment

by:Daniel McAllister
ID: 34992520
Pete-Castillo,

There are TONS of examples out there (in the "general" Internet) -- most of which try ever harder and more complexly to migrate all of the AD functionality to the Linux (BIND) services. My example isn't going to do that at all -- what I do in my environments is very simply to "slave" one or more BIND servers to the MS-DNS server, then tell the "client" systems to use the slave servers (with the MS-DNS server included LAST in the list of DNS servers -- just in case).

To do that, I take the following steps (I'm going to keep this generally high-level for now -- if you need more specifics, we might need to chat offline). NOTE: In the steps below I use the following:
 AD name = example.local
 AD server IP = 10.0.0.2 (runs MS-DNS)
 Linux server IP = 10.0.0.3 (runs BIND DNS)

FIRST, prepare your Windows Server
1) If not already done, create your AD (example.local) -- the dcpromo script will let you auto-configure MS-DNS and MS-DHCP... DO THIS!
2) Open the MS-DNS Server control panel, browse to your Forward Lookup Zone for example.local, right-click, and choose properties
     - Click the Zone Transfers tab, and add your linux server (10.0.0.3) to the list of servers allowed to transfer the domain
     - Repeat for the Reverse Lookup Zone
     - DO NOT change anything else -- specifically, do NOT add the linux server to the list of DNS servers!
       Explanation: the AD server must use itself and no other system for DNS for the AD domain.
3) Open the MS-DHCP Server control panel, and if not already authorized, authorize the MS-DHCP server for the AD Domain
     - Set your appropriate server and/or scope options -- but list the Linux server(s) FIRST in the list of DNS servers, and the AD server LAST
        NOTE: This won't eliminate the use of the MS-DNS server, but will offload much of the workload to the BIND resolvers

Next, move to your Linux server(s) and do the following:
1) If you haven't already done so, install bind (use yum -y install bind bind-chroot bind-utils bind-libs -- unless you're on a 64-bit OS, in which case you should use yum -y install bind.x86_64 bind-chroot.x86_64 bind-utils.x86_64 bind-libs.x86_64)
2) Make the appropriate entry in /etc/sysconfig/named (e.g.: ROOTDIR=/var/named/chroot)
3) Create a named.conf file in /var/named/chroot/etc/ -- it should include ZONE records that look like this:

zone "example.local" IN {
        type    slave;
        file    "slaves/zone.example.local";
        masters { 10.0.0.2; };
        allow-transfer  { none; };
};

zone "0.0.10.in-addr.arpa" IN {
        type    slave;
        file    "slaves/zone.0.0.10.in-addr.arpa";
        masters { 10.0.0.2; };
        allow-transfer  { none; };
};


4) If you're working from a "standard" BIND install, the location that the transferred zone files will go will be /var/named/chroot/var/named/slaves/ -- make sure this folder exists and is writable to the "named" user and group.
5) START the BIND service (service named start) and check the entries in /var/log/messages (tail /var/log/messages) to make sure BIND (the named process) started OK -- you should also see messages about the ZONE transfers.
6) Check for the presence of the 2 zone files in the folder /var/named/chroot/var/named/slaves/ to make sure they're there
7) If so, then you're pretty good to go -- make BIND startup at boot time with chkconfig named on

BY FAR the most common complaint with this setup is that MS-DNS doesn't propagate changes to the BIND-DNS servers fast enough -- typically, the zone timeouts are set to about 10 mins, so updates may take 10 minutes to update.

Best of luck!

Dan
IT4SOHO
 

Author Comment

by:Pete-Castillo
ID: 35010505
Hi IT4SOHO,

I've done everything. Windows says it has successfully transferred the zone data, but I get the following from the Linux server 192.168.4.3


root@cusnet2 slaves]# tail /var/log/messages
Mar  1 11:19:53 cusnet2 named[20006]: client 192.168.4.2#53672: received notify for zone '4.168.192.in-addr.arpa'
Mar  1 11:19:53 cusnet2 named[20006]: zone 4.168.192.in-addr.arpa/IN: Transfer started.
Mar  1 11:19:53 cusnet2 named[20006]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: connected using 192.168.4.3#51157
Mar  1 11:19:53 cusnet2 named[20006]: dumping master file: slaves/tmp-tkItRP9Zw3: open: file not found
Mar  1 11:19:53 cusnet2 named[20006]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: failed while receiving responses: file not found
Mar  1 11:19:53 cusnet2 named[20006]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: end of transfer
Mar  1 11:20:58 cusnet2 named[20006]: zone customs.gov.bz/IN: Transfer started.
Mar  1 11:20:58 cusnet2 named[20006]: transfer of 'customs.gov.bz/IN' from 192.168.4.2#53: connected using 192.168.4.3#60086
Mar  1 11:20:58 cusnet2 named[20006]: transfer of 'customs.gov.bz/IN' from 192.168.4.2#53: failed while receiving responses: REFUSED
Mar  1 11:20:58 cusnet2 named[20006]: transfer of 'customs.gov.bz/IN' from 192.168.4.2#53: end of transfer
 

Author Comment

by:Pete-Castillo
ID: 35012259
Sorry IT4SOHO
I corrected the domain name but still getting the errors

[root@cusnet2 etc]# tail /var/log/messages
Mar  1 14:29:38 cusnet2 named[21283]: zone 4.168.192.in-addr.arpa/IN: Transfer started.
Mar  1 14:29:38 cusnet2 named[21283]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: connected using 192.168.4.3#54450
Mar  1 14:29:38 cusnet2 named[21283]: dumping master file: slaves/tmp-PWK9JiQej2: open: file not found
Mar  1 14:29:38 cusnet2 named[21283]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: failed while receiving responses: file not found
Mar  1 14:29:38 cusnet2 named[21283]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: end of transfer
Mar  1 14:29:53 cusnet2 named[21283]: zone bzcustoms.net/IN: Transfer started.
Mar  1 14:29:53 cusnet2 named[21283]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: connected using 192.168.4.3#57359
Mar  1 14:29:53 cusnet2 named[21283]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: failed while receiving responses: REFUSED
Mar  1 14:29:53 cusnet2 named[21283]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: end of transfer
Mar  1 14:32:27 cusnet2 kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team

 
LVL 20

Expert Comment

by:Daniel McAllister
ID: 35012537
First of all, make sure your target folder (/var/named/chroot/var/named/slaves is what I use) is read/write/execute for the user:group of named:named.
Suggest you cd to the parent, then execute chown named:named slaves ; chmod 770 slaves

Next, check the settings in your WINDOWS DNS server -- it appears that you allow zone transfers for the REVERSE DNS zone, but not the FORWARD zone. (The former fails on trying to open the local target file, the latter fails in permissions).

Dan
IT4SOHO
 

Author Comment

by:Pete-Castillo
ID: 35012693
Did those and now I'm getting the following:

Mar  1 15:25:40 cusnet2 named[22581]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: end of transfer
Mar  1 15:25:44 cusnet2 named[22581]: zone bzcustoms.net/IN: Transfer started.
Mar  1 15:25:44 cusnet2 named[22581]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: connected using 192.168.4.3#44613
Mar  1 15:25:44 cusnet2 named[22581]: zone bzcustoms.net/IN: gc._msdcs.bzcustoms.net/A: bad owner name (check-names)
Mar  1 15:25:44 cusnet2 named[22581]: zone bzcustoms.net/IN: bzbc_riskmanpc1.bzcustoms.net/A: bad owner name (check-names)
Mar  1 15:25:44 cusnet2 named[22581]: zone bzcustoms.net/IN: bzbc_riskmanpc2.bzcustoms.net/A: bad owner name (check-names)
Mar  1 15:25:44 cusnet2 named[22581]: zone bzcustoms.net/IN: bzbc_riskmanpc3.bzcustoms.net/A: bad owner name (check-names)
Mar  1 15:25:44 cusnet2 named[22581]: dumping master file: slaves/tmp-eNLhIlZE12: open: file not found
Mar  1 15:25:44 cusnet2 named[22581]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: failed while receiving responses: file not found
Mar  1 15:25:44 cusnet2 named[22581]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: end of transfer

 
LVL 20

Accepted Solution

by: Daniel McAllister (earned 500 total points)
ID: 35017674
OK... it looks like the transfer of the REVERSE completed successfully (the first line in your post above), so we need to look specifically at the transfer of the FORWARD zone. Could you post the full transcript of that transfer and confirm that you have created the zone file?

If you used my example above, the reverse zone file should be named zone.0.4.168.192.in-addr.arpa and should be located at /var/named/chroot/var/named/slaves

If that is true (that is, if the reverse zone transferred correctly), then look at your zone definition in the named.conf file -- specifically at the differences in the filenames in the two... perhaps you said something like slave/zone.forward.com instead of slaves/zone.forward.com or something -- the error message basically says it couldn't create the filename during the transfer, so that's where we need to look.

Dan
IT4SOHO
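As an added example (not code from this thread, from BIND, or from either poster), the following Python script automates the two things Dan's replies point at: it resolves each slave zone's `file` directive to the path named will actually write under the chroot, so a misspelled directory such as `slave/` instead of `slaves/` is visible before the first transfer, and it triages named's `/var/log/messages` transfer lines into local-path, master-refused and check-names findings. The named.conf fragment and log lines are constructed for the example and follow Dan's example.local / 10.0.0.x convention; the chroot default is the one he describes.

```python
import re
from pathlib import PurePosixPath

# Constructed named.conf fragment (not from the thread); the second zone misspells "slaves/" as "slave/".
NAMED_CONF = """
options { directory "/var/named"; };
zone "example.local" IN {
    type slave; file "slaves/zone.example.local"; masters { 10.0.0.2; };
};
zone "0.0.10.in-addr.arpa" IN {
    type slave; file "slave/zone.0.0.10.in-addr.arpa"; masters { 10.0.0.2; };
};
"""

# Constructed log lines in the format named writes to /var/log/messages.
SAMPLE_LOG = """
Mar  1 15:25:44 cusnet2 named[22581]: zone example.local/IN: gc._msdcs.example.local/A: bad owner name (check-names)
Mar  1 15:25:44 cusnet2 named[22581]: dumping master file: slave/tmp-eNLhIlZE12: open: file not found
Mar  1 15:25:44 cusnet2 named[22581]: transfer of 'example.local/IN' from 10.0.0.2#53: failed while receiving responses: file not found
Mar  1 15:25:50 cusnet2 named[22581]: transfer of '0.0.10.in-addr.arpa/IN' from 10.0.0.2#53: failed while receiving responses: REFUSED
""".strip().splitlines()

def slave_zone_files(conf, chroot="/var/named/chroot"):
    """Map each slave zone to the path named will write, seen from outside the chroot."""
    m = re.search(r'options\s*\{[^}]*?directory\s+"([^"]+)"', conf, re.S)
    base = PurePosixPath(m.group(1) if m else "/var/named")  # relative file names resolve here
    paths = {}
    for name, body in re.findall(r'zone\s+"([^"]+)"\s+IN\s*\{(.*?)\n\};', conf, re.S):
        f = re.search(r'file\s+"([^"]+)"', body)
        if f and re.search(r'\btype\s+slave\s*;', body):
            p = PurePosixPath(f.group(1))
            p = p if p.is_absolute() else base / p
            paths[name] = str(PurePosixPath(chroot) / p.relative_to("/"))
    return paths

def triage_transfer_log(lines):
    """Classify failed transfers per zone: 'local-path' = named could not create the slave
    file (directory missing, misspelled or not writable by named:named); 'master-refused' =
    the master's zone-transfer ACL rejected this server; 'check-names' = owner name flagged."""
    findings = {}
    for line in lines:
        m = re.search(r"transfer of '([^/']+)/IN' from \S+: failed while receiving responses: (.+)$", line)
        if m:
            code = {"file not found": "local-path", "REFUSED": "master-refused"}.get(m.group(2), m.group(2))
            findings.setdefault(m.group(1), set()).add(code)
        m = re.search(r"zone ([^/]+)/IN: \S+: bad owner name \(check-names\)", line)
        if m:
            findings.setdefault(m.group(1), set()).add("check-names")
    return findings
```

Running `slave_zone_files` against a real named.conf and then checking that each parent directory exists and is writable by named:named is the local half of the check; a `master-refused` finding points at the Zone Transfers tab on the Windows side instead.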
