Solved

how to configure dns slave and dhcp

Posted on 2012-03-19
18
1,257 Views
Last Modified: 2012-04-27
We are implementing MPLS VPN (hub and spoke) HUB has fortigate300 firewall and Router (fortigate300 same box works as router and firewall, DHCP is disabled for the reason ubuntu linux working as DDNS )
HUB network subnet is 192.168.1.0/24
Linux DDNS is configured behind the fortigate300, presently for servers and other workstations static IP's are assigned
DHCP is enabled for the mobile devices laptops everything is working fine.

Now that implementation is going on and for one spoke the installation got completed the spoke subnet is of 192.168.11.0/24, 192.168.1.11.1 is the router ip.

Router used at spoke are Router 861 and at HUB the MPLS router is Router 1905 from here the termination to the fortigate 300

requirement is all the spoke locations should be able to access the HUB hosted applications like http, ftp and data and also few users should get internet from the HUB location

My doubt is here at HUB central office the zone files and dhcp is configured for 192.168.1.0/24 series now all the spokes are with different network starting from 192.168.11.0 in this case how to configure the DNS salve for different network

Can anybody help me how to configure for the below:
1. Setup a slave DNS server at each spoke, along with a DHCP server for that subnet that dynamically updates the master DNS server
2. Can both DNS slave and DHCP Server be configured on Router 861 at spoke locations is possible will ask the ISP technical support to configure accordingly
3. if above 1 is possible then how to configure Ubuntu  Linux DDNS as of now working for 192.168.1.0/24 to work for all spokes of different network starting from 192.168.11.0/24 ----28/24 which all the configuration files to be worked on.

Thanks in advance.
0
Comment
Question by:D_wathi
  • 9
  • 9
18 Comments
 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
ID: 37740279
Dns slave should be configured on a system rather than have a end forwarder configured on the router. Having a local copy will be advantageous when the primary/master is unavailable.

When setting up, you must first on he master configure allow-transfer and deine the spoke DNS servers in the list.

You would then define the zone with type slave and masters pointing to the ip of the master.
For changes to propagate if you do not include the sope dns servers in the zone, you should use the also-notify rule on the master and include all the spoke DNS servers.a change in the zone a notification will be sent to the spokes to update.
0
 

Author Comment

by:D_wathi
ID: 37743867
Sir, Thank you very much for the reply,

1. I too exactly want to host one linux box at each spoke and also able to manage to dedicate one linux box to function as dns slave where ever 15 and above users at spoke locations this linux box will work as dns slave but the ISP provider's cisco router at the spoke will be configured as DHCP server or dhcp realy please suggest me is this going to work.

2. we have many spoke locations where users are less than 05 here planning to tell ISP service provider to configure the cisco router at the spoke to point or forward to master dns  IP and also configure the same router for DHCP server .

3. At spoke is it required to configure DHCP server or DHCP realy please suggest

Request you to please suggest me in the above 1, 2  and 3, Thanks in advance.
0
 
LVL 76

Expert Comment

by:arnold
ID: 37743974
The spoke becomes useless when it looses connectivity to the HUB.
Setting up a local DHCP and DNS server would let the spoke function if access to the HUB is lost.

Other than the HUB and Spoke setup, I have no idea what the inter dependencies there might be such that the spoke is useless if the HUB is inaccessible. etc.

What are the interactions if any, between/among the spoke users?

You could as point 2 suggest centralize everything where each spoke will forward the DHCP requests and dns queries back to servers at the HUB.
0
 

Author Comment

by:D_wathi
ID: 37762776
"you must first on the master configure allow-transfer and deny the spoke DNS servers in the list"

1. I did not understand deny the spoke DNS servers in the list  # request to please explain
2. How to deny the spoke DNS servers

Thanks in advance.
0
 
LVL 76

Expert Comment

by:arnold
ID: 37763136
I do not believe I ever suggested a deny for the spoke.  Not sure what you mean; could you clarify.
Oh, the type should be define.
When setting up, you must first on he master configure allow-transfer and define the spoke DNS servers in the list.

allow-transfer {spokeA;spokeb;spokec;defined_acl;}
also-notify {spokeA;spokeB;spokeC;defined_acl;}

This can be within the options section at the top to apply globally, or per zone
zone "domain" {
type master;
file "pathtofile/domain';
allow-transfer {IPs; defined_acl;};
also-notify {IPs;defined_acl;};
}
0
 

Author Comment

by:D_wathi
ID: 37765165
Sir, sorry it is my mistake of understanding, finally before closing the post can you please tell me is it required to create the zone files at the slave server or only adding below entries in the named.conf.local file will do , master will automatically trasnfer the zones to slave, please help.

 [...]

        zone "orange.com" {
             type slave;
             file "/var/cache/bind/db.orange.com";
             masters { @ip_master; };
        };

        [...]

        zone "1.168.192.in-addr.arpa" {
             type slave;
             file "/var/cache/bind/db.192";
             masters { @ip_master; };
        };

        -------------------------------------------------------------
0
 
LVL 76

Expert Comment

by:arnold
ID: 37765704
You must create the entry for the zone in /etc/named.conf or the include file depending on your setup.

The file will be created when the zone is transferred in from the master.

Just to be clear the master does not transfer anything to the slave, the mechanism is that the slave contacts the master and retrieves the information.
The only thing the master does is to notify the slave instance that a change has occurred.
In your example above the notification will go out only if and when the NS record in the zone points to the slave dns server as well as the master.
In the event that the zone does not have an NS reference to the slave the refresh,retry is what will govern when the slave dns server will check with the master to see whether the zone has changed.
0
 

Author Comment

by:D_wathi
ID: 37827168
Hi sir, please suggest me

what entry should contain in the etc/resolv.conf of secondary master/save # should it require to point to the primary master server IP, please suggest.

2. in the secondary master/salve what should be the entry in the /etc/bind/named.conf.options, should it require to point to the primary master server IP address as the forwarder.

3. Also have added the A and PTR record of the secondary/slave server in the primary master server, i mean  seconday master/salve gets resolved by the primary master name server as these entries are added in the primary master server.

Please help , Thanks in advance.
0
 
LVL 76

Expert Comment

by:arnold
ID: 37827930
The /etc/resolve.conf should refer to itself as the primary resolver this is what its task is, putting something else would at times get the local named service to send out the requests to resolve to the server listed there.

You have two issues here. In your setup, the named instance has two duties.
1) provide authoritative information about data in zones that it is retrieving from the master server.
2) Provide domain name resolution to local clients.

a forwarder falls into the second group.
Creating a forwarder on the slave instance that points to the master will mean that when the master server becomes inaccessible, the slave instance becomes useless since it will continue to forward requests to a system that is no longer available.
It is best to let each name service resolve information directly.  You could if you wish/must use forwarders to point them to the ISPs name servers (note you have to keep them up to date if the ISP changes) the forwarders from ISP1 will not respond to requests from IPs on ISP2.

When you add an entry to the zone on the master server and update the serial number, the master server notifies all servers listed in the Zone with the NS record and if your master configuration has also-notify {ip}; the IP.
Upon receipt of a notification, the slave instance will schedule the zone for a refresh this is why updating the serial number is extremely important.

If you do not list the slave server with an NS record in the zone and/or do not have the also-notify {slave;};, a notice will not be received and the zone will only be checked on the schedule set in the refresh setting.
If you do not update the serial number of the zone, the slave will no download the zone since it will not see a change. i.e. it has serialnumber for zone A as 12, you've updated zone A on the master server 20 times without altering the serial number.  Each time the slave bind service checks with the master effectively saying what is your serialnumber for zone A which always comes back as 12 which is what the serial number on the slave is.
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 

Author Comment

by:D_wathi
ID: 37832680
Hi sir, thank you very much for the explaination, so far i am not updating serial number at the master as i use nsupdate for adding the A and PTR . please suggest me as long as i use nsupdate for adding entries of hosts updating the serial number manually is not required.

Please suggest me is this correct if wrong request to correct.
0
 
LVL 76

Expert Comment

by:arnold
ID: 37833876
nsupdate automatically adjusts the serial numbers
nslookup -q=soa yorudomain.com master_server
nsupdate
nslookup -q=soa yorudomain.com master_server

The serial should be incremented by one.

Now all that remains is to make sure that both master and slave are referenced within the zone with ns records.
nslookup -q=NS yorudomain.com master_server

echo "update add yourdomain.com. IN NS <hostname of the slave>
" | nsupdate -v
then make sure your named.conf file is configured with the also-notify {slave_server_ip;}

Future updates will propagate at a quicker rate .
0
 

Author Comment

by:D_wathi
ID: 37891105
Hi sir, thanks for your valuable support, finally before closing the the post can i understand the below:

"For changes to propagate if you do not include the spoke dns servers in the zone, you should use the also-notify rule on the master and include all the spoke DNS servers"

Is it like if  A and PTR record of the spoke dns slave entries are added in the master zone file in this case also-notify is not required.

Please suggest.
0
 
LVL 76

Expert Comment

by:arnold
ID: 37891855
Any zone that is accessed by the slaves should have the also-notify to make sure an addition is propagated in a timely fashion.
Listing all the slave servers as an NS record within each zone that is slaved.
0
 

Author Comment

by:D_wathi
ID: 37895807
Hi sir, thank you very much , added also-notify for each forward zone
Doubt:
is it required to define  notify no; for the reverse zones like the below or even in the reverse zone also notify to be defined please suggest.

zone "1.168.192.in-addr.arpa" {
        type master;
        notify no;
        file "/var/cache/bind/db.1.168.192.in-addr.arpa";
--------------------------------
0
 
LVL 76

Expert Comment

by:arnold
ID: 37896759
Why would you want to maintain the reverse zone without the data or at least without accurate data?
0
 

Author Comment

by:D_wathi
ID: 37898960
I am sorry for the confusion, since also-notify is defined in the options when so ever zone is updated also notify triggers the slave.  we are in the MPLS hub and spoke, master at hub and dns slave at each spoke location,

"I have created zone files for all the spokes in the master server with the "A "and "PTR" records of all the desktops/workstations available at each spoke,  when the DNS slave is configured at the spoke location, salve will contact the master and retrives the information hence on that particular spoke for all desktop/workstations salve becomes the dns server  hence not required to add A and PTR on the spoke dns slave

Please correct me if the above is wrong.
0
 
LVL 76

Expert Comment

by:arnold
ID: 37899840
There is no need to explicitly specify notify no, which is the question of why you are adding it.

also-notify as a global setting is there in the event the zone omits a name server reference or a name server that was at that location has been replaced but was not replaced in the zone.

If you forget to update the list of the IPs in the also-notify {nameservers;}; where nameservers is an acl that includes all the name servers that you have, some spokes will have outdated information for reverse zone it might be ok, for the forward zones it could lead to some requests for hosts whose changes did not propagate as an issue.

The local DNS server will usually be the one that will receive the update from the local clients which the local dns server then will forward to its master server. When it reaches the server that has authority over the zone, the record will be added and the subordinates will be notified that a change has occurred.
I believe I previously covered the update cycle.
0
 

Author Closing Comment

by:D_wathi
ID: 37903871
Thank you very much
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now