DNS Server Cleanup Help

carlosinfl · 04-04-2007, 03:30 PM

Ok guys - I will be really happy for any suggestions on helping me with the following task I have at work.

Task = Clean up dns1 and dns2 entries

The task sounds simple, no? All I have to do is clean up the fwd and rev. entires for our internal DNS. This basically involves removing hostnames bound to specific IP's that are no longer on the LAN and or the reverse of that.

Here is the problem.

We have 2 DNS servers. One is a master (net1) and the other is a slave (net2) & I think they both synchronize like every 4-5 hours or something like that.

Now this causes great annoyance as there are so many invalid entries in DNS and if I want to remove them or correct them, I have to run the following command to edit them on net1 since it is the primary:

Code:

[root@net1 named]# service named stop && vim something.org.hosts && service named start
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
[root@net1 named]# service named stop && vim 1.1.10.in-addr.arpa.hosts && service named start
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]

As you can see I have edited the forward and reverse on the main DNS server but lets say you edit or delete close to 100 entires, do I know have to do the same thing to the slave (net2) server before it runs a sync? I did all the clean up on the primary dns server (net1) so I would assume that the slave should mirror the primary and not the other wat around but I did not set this thing up so I am not sure nor do I have any experience with DNS on Linux.

The above means I am editing 4 different files and some entries are only in 1 of 4 and then if so, what gets replicated? I am so confused.

The servers are running FC3 which I am trying to move off of to a RHEL4 but I would like to clean this up before I move them off the FC3 boxes.

Thanks for any info and I have no idea how the synchronization occurs or how to check so please feel free to add any info to help me.

Thanks!

bathory · 04-05-2007, 02:05 AM

First of all there is no need to stop named, edit your zone files and then restart named. You can edit the zone files all together and then restart named or reload just the zone you have edited.
Now about slave sync, if you have "notify=yes" either in the global part of named.conf, or in your zone definition, then once a zone has changed the master notifies the slave about the changes. Take a look here about the usage of "notify".

Regards

carlosinfl · 04-05-2007, 07:29 AM

Ahh - Yesterday I edited the zones om the master (net1) and now this morning, I look at the zones edited yesterday and all the useless entires I removed were added back. Now I am wondering if this was caused by one of two ways...

1 - Lets say a hostname is foo1 and that is what I saw on net1. However I edited to foo, I am thinking over night, the net1 server was notified that foo1 is on the LAN and has an IP of 192.168.0.110 and re-added as foo1 so now I have foo and foo1.

2 - The removed or edited entry was on net2 and the slave synced up the primary.

So here is an example from my named.conf

Code:

zone "1.1.10.in-addr.arpa" {
        type master;
        file "1.1.10.in-addr.arpa.hosts";
        allow-query    { any; }; // no restriction on queries
        allow-update   { key "ddns-updates"; dhcp-servers; }; // Allow DDNS Updates via DHCP Server
        allow-transfer { ide-nameservers; onesaf-nameservers; }; // restrict zone transfers
        notify yes;
};

/* CTIA Network */
zone "10.1.10.in-addr.arpa" {
        type master;
        file "10.1.10.in-addr.arpa.hosts";
        allow-query    { any; }; // no restriction on queries
        allow-update   { key "ddns-updates"; dhcp-servers; }; // Allow DDNS Updates via DHCP Server
        allow-transfer { ide-nameservers; onesaf-nameservers; }; // restrict zone transfers
        notify yes;

If I do not wish for them to sync with the slave (net2) server, do I simply chane notify to "no"?

ramram29 · 04-05-2007, 08:46 AM

You also need to add 1 to your serial number of the zone or the zone transfers will not happen. Also some versions of bind keep the zones in memory and write them back unless the serial number is changed. Usually the serial number is the date with two digits for the version. For example, 2007040501, 2007040502. Change the serial number on the master server only and everytime that you make a change to your zone, then reload the zone with command 'rndc zone reload' - I think.