LinuxQuestions.org
Old 09-13-2020, 01:22 PM   #1
inferus-vir
LQ Newbie
Registered: Dec 2018
Distribution: Centos 7, Raspbian Stretch
Posts: 9
errors setting up slave DNS server


I've gotten the master DNS server on a CentOS box running properly, though I am having numerous difficulties getting the slave DNS on another CentOS box to work. For the most part, I followed this walkthrough: https://www.itzgeek.com/how-tos/linu...-7-rhel-7.html

Here's what I have so far:

Master DNS Server named.conf
Code:
zone "luminous.ops" IN {
        type master;
        file "forward.luminous";
        allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "reverse.luminous";
        allow-update { none; };
};

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { any; };
#       listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { any; };
        allow-transfer { 192.168.1.3; };
        also-notify { 192.168.1.3; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

"/etc/named.conf" 73L, 1956C
Master forward zone:
Code:
$TTL 86400
@ IN SOA acrab.luminous.ops. root.luminous.ops. (
        5        ; Serial
        3600     ; refresh
        1800     ; retry
        604800   ; expire
        86400    ; minimum ttl
)

@               IN      NS      acrab.luminous.ops.
@               IN      NS      caph.luminous.ops.

@               IN      A       192.168.1.2
@               IN      A       192.168.1.3

navi            IN      A       192.168.1.1
acrab           IN      A       192.168.1.2
caph            IN      A       192.168.1.3
mizar           IN      A       192.168.1.4

naos            IN      A       192.168.1.10
aludra          IN      A       192.168.1.11
mintaka         IN      A       192.168.1.12
almach          IN      A       192.168.1.13
schedar         IN      A       192.168.1.14
suhail          IN      A       192.168.1.15

nunki           IN      A       192.168.1.20
markab          IN      A       192.168.1.21
enif            IN      A       192.168.1.22
lawarag         IN      A       192.168.1.23

ankaa           IN      A       192.168.1.30
recens          IN      A       192.168.1.31
aljanah         IN      A       192.168.1.32
dobby           IN      A       192.168.1.33
munin           IN      A       192.168.1.34
general-toot    IN      A       192.168.1.35
Master reverse zone:
Code:
$TTL 86400
@ IN SOA acrab.luminous.ops. root.luminous.ops. (
        5       ; serial
        3600    ; refresh
        1800    ; retry
        604800  ; expire
        86400   ; minimum TTL
)
@       IN      NS      acrab.luminous.ops.
@       IN      NS      caph.luminous.ops.
@       IN      PTR     luminous.ops.

1       IN      PTR     navi.luminous.ops.
2       IN      PTR     acrab.luminous.ops.
3       IN      PTR     caph.luminous.ops.
4       IN      PTR     mizar.luminous.ops.
5       IN      PTR     enif.luminous.ops.

10      IN      PTR     naos.luminous.ops.
11      IN      PTR     aludra.luminous.ops.
12      IN      PTR     mintaka.luminous.ops.
13      IN      PTR     almach.luminous.ops.
14      IN      PTR     schedar.luminous.ops.
15      IN      PTR     suhail.luminous.ops.

20      IN      PTR     nunki.luminous.ops.
21      IN      PTR     markab.luminous.ops.
22      IN      PTR     enif.luminous.ops.      ; forward zone has enif at 192.168.1.22
23      IN      PTR     lawarag.luminous.ops.

30      IN      PTR     ankaa.luminous.ops.
31      IN      PTR     recens.luminous.ops.
32      IN      PTR     aljanah.luminous.ops.
33      IN      PTR     dobby.luminous.ops.
34      IN      PTR     munin.luminous.ops.
35      IN      PTR     general-toot.luminous.ops.
systemctl status named -l on master:
Code:
[root@acrab ~]# systemctl status -l named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-09-13 13:42:32 EDT; 28min ago
  Process: 474085 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 474103 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 474099 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disable>
 Main PID: 474105 (named)
    Tasks: 11 (limit: 203940)
   Memory: 67.8M
   CGroup: /system.slice/named.service
           └─474105 /usr/sbin/named -u named -c /etc/named.conf

Sep 13 14:10:40 acrab named[474105]: client @0x7f26201c90b0 192.168.1.2#43650 (getpocket.cdn.mozilla.net): query (cache) 'getpocket.cdn.mozilla.net/AAAA/IN' denied
Sep 13 14:10:40 acrab named[474105]: client @0x7f262018e170 192.168.1.2#43650 (getpocket.cdn.mozilla.net): query (cache) 'getpocket.cdn.mozilla.net/A/IN' denied
Sep 13 14:10:40 acrab named[474105]: client @0x7f26201c90b0 192.168.1.2#33876 (getpocket.cdn.mozilla.net): query (cache) 'getpocket.cdn.mozilla.net/AAAA/IN' denied
Sep 13 14:10:40 acrab named[474105]: client @0x7f262018e170 192.168.1.2#33876 (getpocket.cdn.mozilla.net): query (cache) 'getpocket.cdn.mozilla.net/A/IN' denied
Sep 13 14:10:40 acrab named[474105]: client @0x7f26201c90b0 192.168.1.2#48773 (getpocket.cdn.mozilla.net): query (cache) 'getpocket.cdn.mozilla.net/AAAA/IN' denied
Sep 13 14:10:40 acrab named[474105]: client @0x7f262018e170 192.168.1.2#48773 (getpocket.cdn.mozilla.net): query (cache) 'getpocket.cdn.mozilla.net/A/IN' denied
Sep 13 14:10:58 acrab named[474105]: client @0x7f262018e170 192.168.1.45#39364 (nrdp.prod.ftl.netflix.com): query (cache) 'nrdp.prod.ftl.netflix.com/A/IN' denied
Sep 13 14:11:00 acrab named[474105]: client @0x7f262018e170 192.168.1.41#59286 (ctldl.windowsupdate.com): query (cache) 'ctldl.windowsupdate.com/A/IN' denied
Sep 13 14:11:01 acrab named[474105]: client @0x7f26201709d0 192.168.1.45#50624 (connectivitycheck.gstatic.com): query (cache) 'connectivitycheck.gstatic.com/AAAA/IN' denied
Sep 13 14:11:01 acrab named[474105]: client @0x7f262018e170 192.168.1.45#50624 (connectivitycheck.gstatic.com): query (cache) 'connectivitycheck.gstatic.com/A/IN' denied
resolv.conf on master
Code:
[root@acrab ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search luminous.ops
nameserver 192.168.1.2
nameserver 192.168.1.3
Slave DNS named.conf:
Code:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
//
options {
//      listen-on port 53 { any; };
//      filter-aaaa-on-v4 yes;
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost; 192.168.1.0/24; };
        allow-transfer { none; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};

zone "luminous.ops" IN {
        type slave;
        masters { 192.168.1.2; };
        file "slaves/forward.luminous";
};

zone "1.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.1.2; };
        file "slaves/reverse.luminous";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named/named.conf.local";
systemctl status named -l on Slave:
Code:
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2020-09-13 13:48:56 EDT; 29min ago
  Process: 3697 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=1/FAILURE)

Sep 13 13:48:56 caph bash[3697]: /etc/named/named.conf.local:1: zone 'luminous.ops': already exists previous definition: /etc/named.conf:54
Sep 13 13:48:56 caph bash[3697]: /etc/named/named.conf.local:1: zone 'luminous.ops': missing 'masters' entry
Sep 13 13:48:56 caph bash[3697]: /etc/named/named.conf.local:3: writeable file 'slaves/forward.luminous': already in use: /etc/named.conf:57
Sep 13 13:48:56 caph bash[3697]: /etc/named/named.conf.local:6: zone '1.168.192.in-addr.arpa': already exists previous definition: /etc/named.conf:60
Sep 13 13:48:56 caph bash[3697]: /etc/named/named.conf.local:6: zone '1.168.192.in-addr.arpa': missing 'masters' entry
Sep 13 13:48:56 caph bash[3697]: /etc/named/named.conf.local:8: writeable file 'slaves/reverse.luminous': already in use: /etc/named.conf:63
Sep 13 13:48:56 caph systemd[1]: named.service: control process exited, code=exited status=1
Sep 13 13:48:56 caph systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
Sep 13 13:48:56 caph systemd[1]: Unit named.service entered failed state.
Sep 13 13:48:56 caph systemd[1]: named.service failed.
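
Forward and reverse zones maintained by hand drift apart easily; this added example (not from the thread) cross-checks A records against PTRs for the 192.168.1.0/24 reverse zone, using constructed excerpts of the master zones above that carry two deliberate mismatches (a PTR at .5 with no forward host, and .22 pointing at the wrong name).

```python
# Added example (not from the thread): check that forward A records and
# reverse PTRs agree, as the two posted master zones should.
import ipaddress
import re

ORIGIN = "luminous.ops."
NET = ipaddress.ip_network("192.168.1.0/24")  # zone 1.168.192.in-addr.arpa
# Constructed excerpts of the posted master zones (SOA/NS lines omitted).
FORWARD_ZONE = """
acrab           IN      A       192.168.1.2
enif            IN      A       192.168.1.22
lawarag         IN      A       192.168.1.23
"""
REVERSE_ZONE = """
2       IN      PTR     acrab.luminous.ops.
5       IN      PTR     enif.luminous.ops.     ; no host at .5 in forward zone
22      IN      PTR     lawarag.luminous.ops.  ; forward zone says enif
23      IN      PTR     lawarag.luminous.ops.
"""
RR = re.compile(r"^\s*(\S+)\s+(?:\d+\s+)?IN\s+(A|PTR)\s+(\S+)\s*$", re.I)

def parse_rrs(zone_text, rtype):
    """Yield (owner, rdata) for one record type; text after ';' is a comment."""
    for line in zone_text.splitlines():
        m = RR.match(line.split(";")[0])
        if m and m.group(2).upper() == rtype:
            yield m.group(1), m.group(3)

def forward_map(zone_text, origin=ORIGIN):
    """IP -> set of FQDNs carrying an A record for it (relative names get origin)."""
    out = {}
    for owner, ip in parse_rrs(zone_text, "A"):
        fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
        out.setdefault(str(ipaddress.ip_address(ip)), set()).add(fqdn.lower())
    return out

def reverse_map(zone_text, net=NET):  # IP -> PTR target; owner is the host octet
    return {str(net.network_address + int(owner)): target.lower()
            for owner, target in parse_rrs(zone_text, "PTR")}

def check_consistency(forward_text=FORWARD_ZONE, reverse_text=REVERSE_ZONE):
    """Sorted findings: PTRs contradicting or lacking an A record, A records without PTR."""
    fwd, rev = forward_map(forward_text), reverse_map(reverse_text)
    found = []
    for ip, target in rev.items():
        if ip not in fwd:
            found.append(f"{ip}: PTR {target} has no A record")
        elif target not in fwd[ip]:
            found.append(f"{ip}: PTR {target} but A record is {min(fwd[ip])}")
    found += [f"{ip}: {min(fwd[ip])} has no PTR" for ip in fwd if ip not in rev]
    return sorted(found)
```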
 
Old 09-14-2020, 12:40 AM   #2
bathory
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,174
Blog Entries: 1
Quote:
<snip>
Sep 13 13:48:56 caph bash[3697]: /etc/named/named.conf.local:1: zone 'luminous.ops': already exists previous definition: /etc/named.conf:54
Sep 13 13:48:56 caph bash[3697]: /etc/named/named.conf.local:1: zone 'luminous.ops': missing 'masters' entry
Sep 13 13:48:56 caph bash[3697]: /etc/named/named.conf.local:3: writeable file 'slaves/forward.luminous': already in use: /etc/named.conf:57
Sep 13 13:48:56 caph bash[3697]: /etc/named/named.conf.local:6: zone '1.168.192.in-addr.arpa': already exists previous definition: /etc/named.conf:60
Sep 13 13:48:56 caph bash[3697]: /etc/named/named.conf.local:6: zone '1.168.192.in-addr.arpa': missing 'masters' entry
Sep 13 13:48:56 caph bash[3697]: /etc/named/named.conf.local:8: writeable file 'slaves/reverse.luminous': already in use: /etc/named.conf:63
<snip>
Apparently you define the 2 zones again in the /etc/named/named.conf.local file, which is included in the slave's bind configuration according to the last line of the slave's /etc/named.conf.
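
The duplicate-definition errors quoted above come from named-checkconf walking the include chain; this added example (not from the thread, and not BIND's own code) reproduces that pass in Python over constructed, abridged copies of the slave's two files and reports the same three classes of error.

```python
# Added example (not from the thread): a named-checkconf-style pass that follows
# include statements and reports the duplicate definitions behind the slave's errors.
import re

# Constructed, abridged stand-ins for the slave's two files.
FILES = {
    "/etc/named.conf": """\
zone "luminous.ops" IN { type slave; masters { 192.168.1.2; }; file "slaves/forward.luminous"; };
zone "1.168.192.in-addr.arpa" IN { type slave; masters { 192.168.1.2; }; file "slaves/reverse.luminous"; };
include "/etc/named/named.conf.local";
""",
    "/etc/named/named.conf.local": """\
zone "luminous.ops" IN { type slave; file "slaves/forward.luminous"; };
zone "1.168.192.in-addr.arpa" IN { type slave; file "slaves/reverse.luminous"; };
""",
}

def zone_blocks(text):
    """Yield (line, name, body) for each zone statement, matching nested braces."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', text):
        depth, i = 1, m.end()
        while depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text.count("\n", 0, m.start()) + 1, m.group(1), text[m.end():i - 1]

def check_config(files, top="/etc/named.conf"):
    """Return named-checkconf-like error strings for the config rooted at top."""
    zones, in_use, errors, seen = {}, {}, [], set()
    def walk(path):
        if path in seen:                  # guard against include loops
            return
        seen.add(path)
        text = files[path]
        for line, name, body in zone_blocks(text):
            where = f"{path}:{line}"
            if name in zones:
                errors.append(f"{where}: zone '{name}': already exists previous definition: {zones[name]}")
            zones.setdefault(name, where)
            if "type slave" in body and "masters" not in body:
                errors.append(f"{where}: zone '{name}': missing 'masters' entry")
            f = re.search(r'file\s+"([^"]+)"', body)
            if f and "type master" not in body:   # non-master zone files are written by named
                if f.group(1) in in_use:
                    errors.append(f"{where}: writeable file '{f.group(1)}': already in use: {in_use[f.group(1)]}")
                in_use.setdefault(f.group(1), where)
        for m in re.finditer(r'include\s+"([^"]+)"\s*;', text):
            walk(m.group(1))
    walk(top)
    return errors
```

Removing the zone statements from either file (as the original poster did with /etc/named.conf) makes the check come back empty.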
 
Old 09-14-2020, 08:02 AM   #3
inferus-vir
LQ Newbie
Registered: Dec 2018
Distribution: Centos 7, Raspbian Stretch
Posts: 9
Original Poster
I'm an idiot; I'd seen that, and kept deleting the /etc/named/named.conf.local file on the assumption that, since I'd defined the zones in /etc/named.conf, it wasn't needed. I now did the opposite and deleted the zone declarations in /etc/named.conf. Now everything *seems* to work.