How do I build a DNS server on RHEL 5.3?

Hi ,
 I have 6 Linux RHEL blade servers and a Windows 2003 server.  The Windows server is my DNS server but I want to change this.  I want to configure one of the servers as a primary DNS server and another as secondary.  I will probably keep the Windows server configured but disable DNS (as backup DNS).
I can't seem to find very clear instructions on how to install or configure a Linux RHEL DNS server. Can anyone help?
0
Pete-Castillo
 
de2ZotjesCommented:
The DNS server on RHEL 5.3 (when you want to be the authoritative server) is BIND (Berkeley Internet Name Daemon).
First install the packages you are likely going to need:
(all commands in a shell, as root)
    yum install bind bind-utils
Accept any additional packages to satisfy dependencies.
After installation the service will be (by default) disabled. Check with:
    chkconfig --list | grep named
If it lists off for all runlevels you can enable it with:
    chkconfig named on
This ensures the service will be started after a reboot (or runlevel change).
The service has not been started yet; there is no point until it has been configured.
Going over the configuration would duplicate some good documentation; please refer to http://www.linuxtopia.org/online_books/rhel5/rhel5_administration/rhel5_ch-bind.html first.
After doing the configuration and setting up the appropriate zone files, don't forget to start named:
    service named start

This should get you underway, just let us know where you hit the speedbumps :)
0
 
Daniel McAllisterPresident, IT4SOHO, LLCCommented:
Pete-Castillo,

What you are requesting is likely a very un-optimal solution -- unless your Windows Server 2003 system is NOT an Active Directory Server, is NOT the DHCP server, is NOT an Exchange Server, and is NOT an MS-SQL server.

If ANY of those options are FALSE (if your Windows 2003 IS actually providing one or more of those services), then you should NOT attempt to remove the DNS server capability from the Windows Server, as it will eventually (probably quickly) BREAK those other services.

I completely understand the desire to offload the DNS servicing to one or more of the Linux servers -- but making them the "primary" DNS server in the LAN is not the answer.

Before I go on, a couple of caveats:
 1) the issue above with being "the" DNS server relates to the Windows Server being the LOCAL DOMAIN's DNS server. Those services won't care where the Internet Domain DNS comes from.
 2) There is no reason why the Internet Domain (recursive) DNS servers have to be the same set of DNS servers for the Local Domain(s)

Assuming that the Windows 2003 server IS actually an AD server (or the others), what you want to do is:
 A) Install DNS services on your Linux system as SLAVES to the Local Domain(s) -- listing the Windows Server as the Master, but also allowing recursive lookups for local clients (don't make yourself a public DNS server -- just allow the LAN hosts to do recursion, and don't let other IPs do anything).
 B) Configure your DHCP server (probably Windows 2003!) to tell clients to use the Linux Server(s) as their DNS servers (conveniently omitting the Windows Server as an available DNS server)
Voila! Clients access the Linux Servers for DNS, which get their zones from the Windows server.

NOTE: Many Windows optimization books will tell you NOT to do this -- but I've not seen any issues with this on more than 2-dozen implementations.

Just my thoughts...

Dan
IT4SOHO
0
 
Pete-CastilloAuthor Commented:
Hi IT4SOHO,
What you are proposing is exactly what I'd like to see done.  Ideally I want to keep my win2k03 server as primary DNS and use one of the linux servers as slave or secondary DNS.  This is an AD server and I don't want to break it but I don't have a secondary DNS and i'm having nightmares that this win2k03 server could fail.  
Having said all this,  Can you guide me in configuring one of these RHEL servers as a DNS server(slave)?
Thanks
0
 
Daniel McAllisterPresident, IT4SOHO, LLCCommented:
Pete-Castillo,

There are TONS of examples out there (in the "general" Internet) -- most of which try ever harder and more complexly to migrate all of the AD functionality to the Linux (BIND) services. My example isn't going to do that at all -- what I do in my environments is very simply to "slave" one or more BIND servers to the MS-DNS server, then tell the "client" systems to use the slave servers (with the MS-DNS server included LAST in the list of DNS servers -- just in case).

To do that, I take the following steps (I'm going to keep this generally high-level for now -- if you need more specifics, we might need to chat offline). NOTE: In the steps below I use the following:
 AD name = example.local
 AD server IP = 10.0.0.2 (runs MS-DNS)
 Linux server IP = 10.0.0.3 (runs BIND DNS)

FIRST, prepare your Windows Server
1) If not already done, create your AD (example.local) -- the dcpromo script will let you auto-configure MS-DNS and MS-DHCP... DO THIS!
2) Open the MS-DNS Server control panel, browse to your Forward Lookup Zone for example.local, right-click, and choose properties
     - Click the Zone Transfers tab, and add your linux server (10.0.0.3) to the list of servers allowed to transfer the domain
     - Repeat for the Reverse Lookup Zone
     - DO NOT change anything else -- specifically, do NOT add the linux server to the list of DNS servers!
       Explanation: the AD server must use itself and no other system for DNS for the AD domain.
3) Open the MS-DHCP Server control panel, and if not already authorized, authorize the MS-DHCP server for the AD Domain
     - Set your appropriate server and/or scope options -- but list the Linux server(s) FIRST in the list of DNS servers, and the AD server LAST
        NOTE: This won't eliminate the use of the MS-DNS server, but will offload much of the workload to the BIND resolvers

Next, move to your Linux server(s) and do the following:
1) If you haven't already done so, install bind (use yum -y install bind bind-chroot bind-utils bind-libs -- unless you're on a 64-bit OS, in which case you should use yum -y install bind.x86_64 bind-chroot.x86_64 bind-utils.x86_64 bind-libs.x86_64)
2) Make the appropriate entry in /etc/sysconfig/named (e.g.: ROOTDIR=/var/named/chroot)
3) Create a named.conf file in /var/named/chroot/etc/ -- it should include ZONE records that look like this:

zone "example.local" IN {
        type    slave;
        file    "slaves/zone.example.local";
        masters { 10.0.0.2; };
        allow-transfer  { none; };
};

zone "0.0.10.in-addr.arpa" IN {
        type    slave;
        file    "slaves/zone.0.0.10.in-addr.arpa";
        masters { 10.0.0.2; };
        allow-transfer  { none; };
};


4) If you're working from a "standard" BIND install, the location that the transferred zone files will go will be /var/named/chroot/var/named/slaves/ -- make sure this folder exists and is writable to the "named" user and group.
5) START the BIND service (service named start) and check the entries in /var/log/messages (tail /var/log/messages) to make sure BIND (the named process) started OK -- you should also see messages about the ZONE transfers.
6) Check for the presence of the 2 zone files in the folder /var/named/chroot/var/named/slaves/ to make sure they're there
7) If so, then you're pretty good to go -- make BIND startup at boot time with chkconfig named on

BY FAR the most common complaint with this setup is that MS-DNS doesn't propagate changes to the BIND-DNS servers fast enough -- typically, the zone timeouts are set to about 10 mins, so updates may take 10 minutes to update.

Best of luck!

Dan
IT4SOHO
0
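The slave-side configuration the steps above describe (and the "configure, then start named" step of the earlier answer), as an added example that is not Dan's or the thread's own code: it generates a named.conf with both slave zones plus an options block that keeps recursion LAN-only, and prepares the slaves/ directory. The zone name and addresses are the thread's; the LAN range 10.0.0.0/24, the chroot layout and the check-names setting are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: generate the slave-side named.conf that the
# steps above (and the earlier "configure, then service named start" answer)
# call for, with an options block that keeps recursion LAN-only. Assumptions:
# zone and addresses from the thread; LAN 10.0.0.0/24 and chroot layout are mine.
AD_ZONE="example.local"
REV_ZONE="0.0.10.in-addr.arpa"
MASTER="10.0.0.2"        # Windows AD / MS-DNS server
SELF="10.0.0.3"          # this BIND slave
LAN="10.0.0.0/24"        # clients allowed to recurse through the slave
# Print one slave zone stanza; $1 is the zone name.
slave_zone() {
    cat <<EOF
zone "$1" IN {
        type    slave;
        file    "slaves/zone.$1";
        masters { $MASTER; };
        allow-transfer { none; };
        check-names ignore;   # AD zones hold underscore A owners (gc._msdcs); slave default is warn
};
EOF
}
# Print the whole named.conf: options, then the forward and reverse slave zones.
gen_named_conf() {
    cat <<EOF
options {
        directory "/var/named";                 # inside the chroot
        listen-on port 53 { 127.0.0.1; $SELF; };
        allow-query     { localhost; $LAN; };   # LAN hosts only
        allow-recursion { localhost; $LAN; };   # never an open resolver
        allow-transfer  { none; };              # nobody pulls zones from the slave
        recursion yes;
};
EOF
    slave_zone "$AD_ZONE"
    slave_zone "$REV_ZONE"
}
# Write the config under chroot root $1 and prepare slaves/ as step 4 says
# (owner named:named, mode 770); chown only if the named user exists here.
install_conf() {
    root="$1"
    mkdir -p "$root/etc" "$root/var/named/slaves"
    gen_named_conf > "$root/etc/named.conf"
    if id named >/dev/null 2>&1; then chown named:named "$root/var/named/slaves"; fi
    chmod 770 "$root/var/named/slaves"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$root/etc/named.conf"   # syntax check before service named start
    fi
}
```

Run `install_conf /var/named/chroot` as root on the slave, then `service named start` and watch /var/log/messages for the transfer messages.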
 
Pete-CastilloAuthor Commented:
Hi IT4SOHO,

I've done everything.  Windows says it has successfully transferred the zone data but I get the following from the linux server 192.168.4.3


root@cusnet2 slaves]# tail /var/log/messages
Mar  1 11:19:53 cusnet2 named[20006]: client 192.168.4.2#53672: received notify for zone '4.168.192.in-addr.arpa'
Mar  1 11:19:53 cusnet2 named[20006]: zone 4.168.192.in-addr.arpa/IN: Transfer started.
Mar  1 11:19:53 cusnet2 named[20006]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: connected using 192.168.4.3#51157
Mar  1 11:19:53 cusnet2 named[20006]: dumping master file: slaves/tmp-tkItRP9Zw3: open: file not found
Mar  1 11:19:53 cusnet2 named[20006]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: failed while receiving responses: file not found
Mar  1 11:19:53 cusnet2 named[20006]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: end of transfer
Mar  1 11:20:58 cusnet2 named[20006]: zone customs.gov.bz/IN: Transfer started.
Mar  1 11:20:58 cusnet2 named[20006]: transfer of 'customs.gov.bz/IN' from 192.168.4.2#53: connected using 192.168.4.3#60086
Mar  1 11:20:58 cusnet2 named[20006]: transfer of 'customs.gov.bz/IN' from 192.168.4.2#53: failed while receiving responses: REFUSED
Mar  1 11:20:58 cusnet2 named[20006]: transfer of 'customs.gov.bz/IN' from 192.168.4.2#53: end of transfer
0
 
Pete-CastilloAuthor Commented:
Sorry IT4SOHO
I corrected the domain name but still getting the errors

[root@cusnet2 etc]# tail /var/log/messages
Mar  1 14:29:38 cusnet2 named[21283]: zone 4.168.192.in-addr.arpa/IN: Transfer started.
Mar  1 14:29:38 cusnet2 named[21283]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: connected using 192.168.4.3#54450
Mar  1 14:29:38 cusnet2 named[21283]: dumping master file: slaves/tmp-PWK9JiQej2: open: file not found
Mar  1 14:29:38 cusnet2 named[21283]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: failed while receiving responses: file not found
Mar  1 14:29:38 cusnet2 named[21283]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: end of transfer
Mar  1 14:29:53 cusnet2 named[21283]: zone bzcustoms.net/IN: Transfer started.
Mar  1 14:29:53 cusnet2 named[21283]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: connected using 192.168.4.3#57359
Mar  1 14:29:53 cusnet2 named[21283]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: failed while receiving responses: REFUSED
Mar  1 14:29:53 cusnet2 named[21283]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: end of transfer
Mar  1 14:32:27 cusnet2 kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team

0
 
Daniel McAllisterPresident, IT4SOHO, LLCCommented:
First of all, make sure your target folder (/var/named/chroot/var/named/slaves is what I use) is read/write/execute for the user:group of named:named.
Suggest you cd to the parent, then execute chown named:named slaves ; chmod 770 slaves

Next, check the settings in your WINDOWS DNS server -- it appears that you allow zone transfers for the REVERSE DNS zone, but not the FORWARD zone. (The former fails on trying to open the local target file, the latter fails in permissions).

Dan
IT4SOHO
0
 
Pete-CastilloAuthor Commented:
Did those and now I'm getting the following:

Mar  1 15:25:40 cusnet2 named[22581]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: end of transfer
Mar  1 15:25:44 cusnet2 named[22581]: zone bzcustoms.net/IN: Transfer started.
Mar  1 15:25:44 cusnet2 named[22581]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: connected using 192.168.4.3#44613
Mar  1 15:25:44 cusnet2 named[22581]: zone bzcustoms.net/IN: gc._msdcs.bzcustoms.net/A: bad owner name (check-names)
Mar  1 15:25:44 cusnet2 named[22581]: zone bzcustoms.net/IN: bzbc_riskmanpc1.bzcustoms.net/A: bad owner name (check-names)
Mar  1 15:25:44 cusnet2 named[22581]: zone bzcustoms.net/IN: bzbc_riskmanpc2.bzcustoms.net/A: bad owner name (check-names)
Mar  1 15:25:44 cusnet2 named[22581]: zone bzcustoms.net/IN: bzbc_riskmanpc3.bzcustoms.net/A: bad owner name (check-names)
Mar  1 15:25:44 cusnet2 named[22581]: dumping master file: slaves/tmp-eNLhIlZE12: open: file not found
Mar  1 15:25:44 cusnet2 named[22581]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: failed while receiving responses: file not found
Mar  1 15:25:44 cusnet2 named[22581]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: end of transfer

0
 
Daniel McAllisterPresident, IT4SOHO, LLCCommented:
OK... it looks like the transfer of the REVERSE completed successfully (the first line in your post above), so we need to look specifically at the transfer of the FORWARD zone. Could you post the full transcript of that transfer and confirm that you have created the zone file?

If you used my example above, the reverse zone file should be named zone.0.4.168.192.in-addr.arpa and should be located at /var/named/chroot/var/named/slaves

If that is true (that is, if the reverse zone transferred correctly), then look at your zone definition in the named.conf file -- specifically at the differences in the filenames in the two... perhaps you said something like slave/zone.forward.com instead of slaves/zone.forward.com or something -- the error message basically says it couldn't create the filename during the transfer, so that's where we need to look.

Dan
IT4SOHO
0
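A triage helper for the named log lines traded back and forth above, as an added example that is not part of the thread: it maps each failure string seen in the posts ("file not found", "REFUSED", "bad owner name (check-names)") to the place to look. The sample log lines are constructed here, not Pete's real log, and the "Transfer completed" line format is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: triage named's zone-transfer lines from
# /var/log/messages into "where to look", keyed on the failure strings seen
# above. SAMPLE_LOG is constructed for this example, not Pete's real log.
SAMPLE_LOG=$(cat <<'EOF'
Mar  1 14:29:38 cusnet2 named[1]: transfer of '4.168.192.in-addr.arpa/IN' from 192.168.4.2#53: failed while receiving responses: file not found
Mar  1 14:29:53 cusnet2 named[1]: transfer of 'bzcustoms.net/IN' from 192.168.4.2#53: failed while receiving responses: REFUSED
Mar  1 15:25:44 cusnet2 named[1]: zone bzcustoms.net/IN: gc._msdcs.bzcustoms.net/A: bad owner name (check-names)
Mar  1 15:31:02 cusnet2 named[1]: transfer of 'example.local/IN' from 10.0.0.2#53: Transfer completed: 1 messages, 12 records, 600 bytes, 0.002 secs
EOF
)
# Zone name from a "transfer of 'zone/IN'" line.
zone_of_transfer() { printf '%s\n' "$1" | sed "s|.*transfer of '\([^/]*\)/IN'.*|\1|"; }
# Zone name from a "zone name/IN:" line.
zone_of_zone() { printf '%s\n' "$1" | sed 's|.*zone \([^/]*\)/IN:.*|\1|'; }
# Read log lines on stdin; print "<zone> <VERDICT> <what to check>" per matching line.
triage_transfers() {
    while IFS= read -r line; do
        case "$line" in
            *"failed while receiving responses: file not found"*)
                # ENOENT creating slaves/tmp-*: the slaves/ dir is missing under the
                # chroot's directory option, or the file path in the stanza is wrong.
                printf '%s LOCAL create slaves/ under the chroot named directory, chown named:named, chmod 770, and check the file path in the zone stanza\n' "$(zone_of_transfer "$line")" ;;
            *"failed while receiving responses: REFUSED"*)
                # The master answered but would not hand the zone over.
                printf '%s MASTER the Windows DNS zone does not allow transfers to this server; add it on the Zone Transfers tab\n' "$(zone_of_transfer "$line")" ;;
            *"bad owner name (check-names)"*)
                # Underscore A owners from AD; slave zones default to warn, so this is noise.
                printf '%s WARNING underscore owner name from AD; warn only, not the cause of a failed transfer\n' "$(zone_of_zone "$line")" ;;
            *"Transfer completed"*)
                printf '%s OK zone file written\n' "$(zone_of_transfer "$line")" ;;
        esac
    done
}
# The verdict keyword for one zone, reading the log on stdin.
verdict_for() { triage_transfers | awk -v z="$1" '$1 == z { print $2; exit }'; }
```

On the slave, `tail -n 50 /var/log/messages | triage_transfers` gives one line per transfer event with the verdict in column two.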
