Solved

how do I build a ZDNS Server on RHEL 5.3?

Posted on 2011-02-25
9
426 Views
Last Modified: 2012-05-11
Hi ,
I have 6 Linux RHEL Blade servers and a Windows 2003 server. The Windows server is my DNS server but I want to change this. I want to configure one of the servers as a Primary DNS server and another as Secondary. I will probably keep the Windows server configured but disable DNS (as backup DNS).
I can't seem to find very clear instructions on how to install or configure a Linux RHEL DNS server. Can anyone help?
0
Question by:Pete-Castillo
9 Comments
 
LVL 6

Expert Comment

by:de2Zotjes
ID: 34986141
The DNS server on RHEL 5.3 (when you want to be the authoritative server) is BIND (Berkeley Internet Name Daemon).
First install the packages you are likely going to need:
(all commands in a shell, as root)
<code>yum install bind bind-utils</code>
Accept any additional packages to satisfy dependencies.
After installation the service will be (by default) disabled. Check with:
<code>chkconfig --list|grep named</code>
If it lists off for all runlevels you can enable it with:
<code>chkconfig named on</code>
This ensures the service will be started after a reboot (or runlevel change).
The service has not been started yet; there is no point, it must first be configured.
Going over the configuration would duplicate some good documentation; please refer to http://www.linuxtopia.org/online_books/rhel5/rhel5_administration/rhel5_ch-bind.html first.
After doing the configuration and setting up the appropriate zone files don't forget to start the named:
<code>service named start</code>

This should get you underway, just let us know where you hit the speedbumps :)
0
 
LVL 20

Expert Comment

by:Daniel McAllister
ID: 34987598
Pete-Castillo,

What you are requesting is likely a very un-optimal solution -- unless your Windows Server 2003 system is NOT an Active Directory Server, is NOT the DHCP server, is NOT an Exchange Server, and is NOT an MS-SQL server.

If ANY of those options are FALSE (if your Windows 2003 IS actually providing one or more of those services), then you should NOT attempt to remove the DNS server capability from the Windows Server, as it will eventually (probably quickly) BREAK those other services.

I completely understand the desire to offload the DNS servicing to one or more of the Linux servers -- but making them the "primary" DNS server in the LAN is not the answer.

Before I go on, a couple of caveats:
 1) the issue above with being "the" DNS server relates to the Windows Server being the LOCAL DOMAIN's DNS server. Those services won't care where the Internet Domain DNS comes from.
 2) There is no reason why the Internet Domain (recursive) DNS servers have to be the same set of DNS servers for the Local Domain(s)

Assuming that the Windows 2003 server IS actually an AD server (or the others), what you want to do is:
 A) Install DNS services on your Linux system as SLAVES to the Local Domain(s) -- listing the Windows Server as the Master, but also allowing recursive lookups for local clients (don't make yourself a public DNS server -- just allow the LAN hosts to do recursion, and don't let other IPs do anything).
 B) Configure your DHCP server (probably Windows 2003!) to tell clients to use the Linux Server(s) as their DNS servers (conveniently omitting the Windows Server as an available DNS server)
Voila! Clients access the Linux Servers for DNS, which get their zones from the Windows server.

NOTE: Many Windows optimization books will tell you NOT to do this -- but I've not seen any issues with this on more than 2-dozen implementations.

Just my thoughts...

Dan
IT4SOHO
0
 

Author Comment

by:Pete-Castillo
ID: 34989721
Hi IT4SOHO,
What you are proposing is exactly what I'd like to see done. Ideally I want to keep my win2k03 server as primary DNS and use one of the Linux servers as slave or secondary DNS. This is an AD server and I don't want to break it, but I don't have a secondary DNS and I'm having nightmares that this win2k03 server could fail.
Having said all this, can you guide me in configuring one of these RHEL servers as a DNS server (slave)?
Thanks
0

 
LVL 20

Expert Comment

by:Daniel McAllister
ID: 34992520
Pete-Castillo,

There are TONS of examples out there (in the "general" Internet) -- most of which try ever harder and more complexly to migrate all of the AD functionality to the Linux (BIND) services. My example isn't going to do that at all -- what I do in my environments is very simply to "slave" one or more BIND servers to the MS-DNS server, then tell the "client" systems to use the slave servers (with the MS-DNS server included LAST in the list of DNS servers -- just in case).

To do that, I take the following steps (I'm going to keep this generally high-level for now -- if you need more specifics, we might need to chat offline). NOTE: In the steps below I use the following:
 AD name = example.local
 AD server IP = 10.0.0.2 (runs MS-DNS)
 Linux server IP = 10.0.0.3 (runs BIND DNS)

FIRST, prepare your Windows Server
1) If not already done, create your AD (example.local) -- the dcpromo script will let you auto-configure MS-DNS and MS-DHCP... DO THIS!
2) Open the MS-DNS Server control panel, browse to your Forward Lookup Zone for example.local, right-click, and choose properties
     - Click the Zone Transfers tab, and add your linux server (10.0.0.3) to the list of servers allowed to transfer the domain
     - Repeat for the Reverse Lookup Zone
     - DO NOT change anything else -- specifically, do NOT add the linux server to the list of DNS servers!
       Explanation: the AD server must use itself and no other system for DNS for the AD domain.
3) Open the MS-DHCP Server control panel, and if not already authorized, authorize the MS-DHCP server for the AD Domain
     - Set your appropriate server and/or scope options -- but list the Linux server(s) FIRST in the list of DNS servers, and the AD server LAST
        NOTE: This won't eliminate the use of the MS-DNS server, but will offload much of the workload to the BIND resolvers

Next, move to your Linux server(s) and do the following:
1) If you haven't already done so, install bind (use yum -y install bind bind-chroot bind-utils bind-libs -- unless you're on a 64-bit OS, in which case you should use yum -y install bind.x86_64 bind-chroot.x86_64 bind-utils.x86_64 bind-libs.x86_64)
2) Make the appropriate entry in /etc/sysconfig/named (e.g.: ROOTDIR=/var/named/chroot)
3) Create a named.conf file in /var/named/chroot/etc/ -- it should include ZONE records that look like this:

zone "example.local" IN {
        type    slave;
        file    "slaves/zone.example.local";
        masters { 10.0.0.2; };
        allow-transfer  { none; };
};

zone "0.0.10.in-addr.arpa" IN {
        type    slave;
        file    "slaves/zone.0.0.10.in-addr.arpa";
        masters { 10.0.0.2; };
        allow-transfer  { none; };
};


4) If you're working from a "standard" BIND install, the location that the transferred zone files will go will be /var/named/chroot/var/named/slaves/ -- make sure this folder exists and is writable to the "named" user and group.
5) START the BIND service (service named start) and check the entries in /var/log/messages (tail /var/log/messages) to make sure BIND (the named process) started OK -- you should also see messages about the ZONE transfers.
6) Check for the presence of the 2 zone files in the folder /var/named/chroot/var/named/slaves/ to make sure they're there
7) If so, then you're pretty good to go -- make BIND startup at boot time with chkconfig named on

BY FAR the most common complaint with this setup is that MS-DNS doesn't propagate changes to the BIND-DNS servers fast enough -- typically, the zone timeouts are set to about 10 mins, so updates may take 10 minutes to update.

Best of luck!

Dan
IT4SOHO
0
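The Linux side of the steps above, written out as a generator for the whole named.conf rather than just the two zone stanzas. This is an added example, not Dan's own script or the thread's configuration: it follows his layout (slave zones stored under slaves/, allow-transfer none, master at 10.0.0.2) and adds the options block his step A calls for, restricting queries and recursion to the LAN. The LAN prefix 10.0.0.0/24, the chroot path and the check-names setting are assumptions for the example; substitute your own values.

```shell
#!/bin/sh
# Added example, not from the thread: generate the named.conf the steps above
# describe, for a BIND slave of an MS-DNS master. All values are constructed to
# match the thread's example (zone example.local, master 10.0.0.2, LAN
# 10.0.0.0/24); replace them with your own.

# slave_zone_stanza ZONE MASTER
#   Prints one zone block: pull from MASTER, store under slaves/, and refuse to
#   hand the zone out by AXFR (the slave should not become a second source).
slave_zone_stanza() {
    zone=$1
    master=$2
    printf 'zone "%s" IN {\n' "$zone"
    printf '        type slave;\n'
    printf '        file "slaves/zone.%s";\n' "$zone"
    printf '        masters { %s; };\n' "$master"
    printf '        allow-transfer { none; };\n'
    printf '};\n\n'
}

# build_named_conf LAN_CIDR MASTER ZONE...
#   Prints a complete named.conf: an options block that answers and recurses
#   only for localhost and the LAN (never for arbitrary Internet hosts), then
#   one slave stanza per zone given on the command line.
build_named_conf() {
    lan=$1
    master=$2
    shift 2
    cat <<EOF
options {
        directory "/var/named";       // /var/named/chroot/var/named on disk
        listen-on port 53 { any; };
        recursion yes;
        allow-query     { localhost; ${lan}; };
        allow-recursion { localhost; ${lan}; };
        allow-transfer  { none; };
        // AD zones contain owner names with underscores; BIND warns on each
        // one when slaving them (default slave policy is 'warn').
        check-names slave ignore;
};

EOF
    for zone in "$@"; do
        slave_zone_stanza "$zone" "$master"
    done
}

# Stand-alone use: write the config into the chroot, then validate it before
# starting named (named-checkconf -t chroots itself so relative paths resolve).
if [ "${1:-}" = "--write" ]; then
    build_named_conf 10.0.0.0/24 10.0.0.2 example.local 0.0.10.in-addr.arpa \
        > /var/named/chroot/etc/named.conf
    named-checkconf -t /var/named/chroot /etc/named.conf
fi
```

Run it with --write as root on the slave, then follow step 4 above (create slaves/ under the chroot's /var/named, owned by named:named) before service named start; named-checkconf catches syntax slips such as slave/ versus slaves/ before they show up as transfer failures in /var/log/messages.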
 

Author Comment

by:Pete-Castillo
ID: 35010505
Hi IT4SOHO,

I've done everything. Windows says it has successfully transferred the zone data but I get the following from the Linux server 192.168.4.3

[root@cusnet2 slaves]# tail /var/log/messages
Mar  1 11:19:53 cusnet2 named[20006]: client 192.168.4.2#53672: received notify for zone '4.168.192.in-addr.arpa'
Mar  1 11:19:53 cusnet2 named[20006]: zone 4.168.192.in-addr.arpa/IN: Transfer started.
Mar  1 11:19:53 cusnet2 named[20006]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: connected using 192.168.4.3#51157
Mar  1 11:19:53 cusnet2 named[20006]: dumping master file: slaves/tmp-tkItRP9Zw3: open: file not found
Mar  1 11:19:53 cusnet2 named[20006]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: failed while receiving responses: file not found
Mar  1 11:19:53 cusnet2 named[20006]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: end of transfer
Mar  1 11:20:58 cusnet2 named[20006]: zone customs.gov.bz/IN: Transfer started.
Mar  1 11:20:58 cusnet2 named[20006]: transfer of 'customs.gov.bz/IN' from 192.168.4.2#53: connected using 192.168.4.3#60086
Mar  1 11:20:58 cusnet2 named[20006]: transfer of 'customs.gov.bz/IN' from 192.168.4.2#53: failed while receiving responses: REFUSED
Mar  1 11:20:58 cusnet2 named[20006]: transfer of 'customs.gov.bz/IN' from 192.168.4.2#53: end of transfer
0
 

Author Comment

by:Pete-Castillo
ID: 35012259
Sorry IT4SOHO
I corrected the domain name but still getting the errors

[root@cusnet2 etc]# tail /var/log/messages
Mar  1 14:29:38 cusnet2 named[21283]: zone 4.168.192.in-addr.arpa/IN: Transfer started.
Mar  1 14:29:38 cusnet2 named[21283]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: connected using 192.168.4.3#54450
Mar  1 14:29:38 cusnet2 named[21283]: dumping master file: slaves/tmp-PWK9JiQej2: open: file not found
Mar  1 14:29:38 cusnet2 named[21283]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: failed while receiving responses: file not found
Mar  1 14:29:38 cusnet2 named[21283]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: end of transfer
Mar  1 14:29:53 cusnet2 named[21283]: zone bzcustoms.net/IN: Transfer started.
Mar  1 14:29:53 cusnet2 named[21283]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: connected using 192.168.4.3#57359
Mar  1 14:29:53 cusnet2 named[21283]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: failed while receiving responses: REFUSED
Mar  1 14:29:53 cusnet2 named[21283]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: end of transfer
Mar  1 14:32:27 cusnet2 kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team

0
 
LVL 20

Expert Comment

by:Daniel McAllister
ID: 35012537
First of all, make sure your target folder (/var/named/chroot/var/named/slaves is what I use) is read/write/execute for the user:group of named:named.
Suggest you cd to the parent, then execute chown named:named slaves ; chmod 770 slaves

Next, check the settings in your WINDOWS DNS server -- it appears that you allow zone transfers for the REVERSE DNS zone, but not the FORWARD zone. (The former fails on trying to open the local target file, the latter fails in permissions).

Dan
IT4SOHO
0
 

Author Comment

by:Pete-Castillo
ID: 35012693
Did those and now I'm getting the following:

Mar  1 15:25:40 cusnet2 named[22581]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: end of transfer
Mar  1 15:25:44 cusnet2 named[22581]: zone bzcustoms.net/IN: Transfer started.
Mar  1 15:25:44 cusnet2 named[22581]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: connected using 192.168.4.3#44613
Mar  1 15:25:44 cusnet2 named[22581]: zone bzcustoms.net/IN: gc._msdcs.bzcustoms.net/A: bad owner name (check-names)
Mar  1 15:25:44 cusnet2 named[22581]: zone bzcustoms.net/IN: bzbc_riskmanpc1.bzcustoms.net/A: bad owner name (check-names)
Mar  1 15:25:44 cusnet2 named[22581]: zone bzcustoms.net/IN: bzbc_riskmanpc2.bzcustoms.net/A: bad owner name (check-names)
Mar  1 15:25:44 cusnet2 named[22581]: zone bzcustoms.net/IN: bzbc_riskmanpc3.bzcustoms.net/A: bad owner name (check-names)
Mar  1 15:25:44 cusnet2 named[22581]: dumping master file: slaves/tmp-eNLhIlZE12: open: file not found
Mar  1 15:25:44 cusnet2 named[22581]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: failed while receiving responses: file not found
Mar  1 15:25:44 cusnet2 named[22581]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: end of transfer

0
 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 500 total points
ID: 35017674
OK... it looks like the transfer of the REVERSE completed successfully (the first line in your post above), so we need to look specifically at the transfer of the FORWARD zone. Could you post the full transcript of that transfer and confirm that you have created the zone file?

If you used my example above, the reverse zone file should be named zone.0.4.168.192.in-addr.arpa and should be located at /var/named/chroot/var/named/slaves

If that is true (that is, if the reverse zone transferred correctly), then look at your zone definition in the named.conf file -- specifically at the differences in the filenames in the two... perhaps you said something like slave/zone.forward.com instead of slaves/zone.forward.com or something -- the error message basically says it couldn't create the filename during the transfer, so that's where we need to look.

Dan
IT4SOHO
0
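The diagnosis Dan walks through above (REFUSED means the master's transfer list is wrong; "file not found" means named could not create the slave file) can be applied mechanically to the syslog lines. The following is an added example, not tooling from either poster: it groups named's transfer messages per zone and maps each failure string to the check it implies. It assumes BIND 9's log wording as quoted in this thread; the sample lines are constructed with the thread's example values (master 10.0.0.2, slave 10.0.0.3, zone example.local), not taken from a real server.

```python
"""Classify BIND slave zone-transfer messages from /var/log/messages (added example)."""
import re

NAMED_MSG = re.compile(r"named\[\d+\]: (?P<msg>.*)$")
FAILED = re.compile(r"transfer of '(?P<zone>[^/']+)/IN' from (?P<master>\S+): "
                    r"failed while receiving responses: (?P<why>.+)$")
COMPLETED = re.compile(r"transfer of '(?P<zone>[^/']+)/IN' from \S+: Transfer completed")
CHECK_NAMES = re.compile(r"zone (?P<zone>[^/\s]+)/IN: (?P<owner>[^/\s]+)/(?P<rtype>\S+): "
                         r"bad owner name \(check-names\)")

# What each failure string means on the slave side and where to look.
HINTS = {
    "REFUSED": "master answered REFUSED to AXFR: this server's IP is not in the "
               "zone's allowed transfer list on the master (MS-DNS: zone properties "
               "-> Zone Transfers); check forward and reverse zones separately",
    "file not found": "named could not create its temporary file under the zone's "
                      "'file' directory: verify the directory exists inside the "
                      "chroot, is owned by named:named and writable, and that the "
                      "path in named.conf (slaves/ vs slave/) matches it",
}

# Constructed sample lines modelled on the thread's output (example values only).
SAMPLE_LOG = """\
Mar  1 14:29:38 ns1 named[21283]: zone 0.0.10.in-addr.arpa/IN: Transfer started.
Mar  1 14:29:38 ns1 named[21283]: transfer of '0.0.10.in-addr.arpa/IN' from 10.0.0.2#53: connected using 10.0.0.3#54450
Mar  1 14:29:38 ns1 named[21283]: dumping master file: slaves/tmp-PWK9JiQej2: open: file not found
Mar  1 14:29:38 ns1 named[21283]: transfer of '0.0.10.in-addr.arpa/IN' from 10.0.0.2#53: failed while receiving responses: file not found
Mar  1 14:29:38 ns1 named[21283]: transfer of '0.0.10.in-addr.arpa/IN' from 10.0.0.2#53: end of transfer
Mar  1 14:29:53 ns1 named[21283]: zone example.local/IN: Transfer started.
Mar  1 14:29:53 ns1 named[21283]: transfer of 'example.local/IN' from 10.0.0.2#53: connected using 10.0.0.3#57359
Mar  1 14:29:53 ns1 named[21283]: zone example.local/IN: gc._msdcs.example.local/A: bad owner name (check-names)
Mar  1 14:29:53 ns1 named[21283]: transfer of 'example.local/IN' from 10.0.0.2#53: failed while receiving responses: REFUSED
Mar  1 14:29:53 ns1 named[21283]: transfer of 'example.local/IN' from 10.0.0.2#53: end of transfer
Mar  1 14:32:27 ns1 kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
Mar  1 15:25:40 ns1 named[22581]: zone 0.0.10.in-addr.arpa/IN: transferred serial 42
Mar  1 15:25:40 ns1 named[22581]: transfer of '0.0.10.in-addr.arpa/IN' from 10.0.0.2#53: Transfer completed: 1 messages, 12 records, 512 bytes, 0.001 secs
"""


def _new_zone_record():
    return {"status": "unknown", "master": None, "failures": [],
            "check_names": [], "hints": []}


def diagnose(log_text):
    """Return {zone: record}; status reflects the latest transfer, hints accumulate."""
    zones = {}
    for line in log_text.splitlines():
        m = NAMED_MSG.search(line)
        if not m:
            continue  # not a named message (kernel lines share the same file)
        msg = m.group("msg")
        f = FAILED.search(msg)
        if f:
            rec = zones.setdefault(f.group("zone"), _new_zone_record())
            rec["status"] = "failed"
            rec["master"] = f.group("master")
            rec["failures"].append(f.group("why"))
            hint = HINTS.get(f.group("why"), "unrecognised failure: " + f.group("why"))
            if hint not in rec["hints"]:
                rec["hints"].append(hint)
            continue
        c = COMPLETED.search(msg)
        if c:
            zones.setdefault(c.group("zone"), _new_zone_record())["status"] = "completed"
            continue
        w = CHECK_NAMES.search(msg)
        if w:
            zones.setdefault(w.group("zone"), _new_zone_record())["check_names"].append(w.group("owner"))
    return zones


def report(zones):
    """Human-readable summary, one block per zone."""
    lines = []
    for zone, rec in zones.items():
        lines.append("%s: %s" % (zone, rec["status"]))
        for h in rec["hints"]:
            lines.append("  - " + h)
        if rec["check_names"]:
            # check-names on a slave only warns by default; underscore owner
            # names are normal in AD zones and are not why a transfer fails.
            lines.append("  - %d check-names warnings (AD underscore names); "
                         "harmless, 'check-names slave ignore;' silences them"
                         % len(rec["check_names"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(diagnose(SAMPLE_LOG)))
```

On a real slave, feed it the output of grep named /var/log/messages; a zone that shows "failed" with REFUSED is a master-side problem, while "file not found" is a local directory or named.conf path problem, which is exactly the split the reply above draws between the forward and reverse zones.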
