LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 09-05-2003, 03:44 PM   #1
Satriani
Member
 
Registered: Mar 2003
Location: The Netherlands
Distribution: Red Hat 7.3, Red Hat 9, Solaris8, Slackware 10, Slax on USB, AIX, FreeBSD, WinXP, AIX, Ubuntu
Posts: 418

Rep: Reputation: 30
First steps with DNS / BIND and now?


Hi all (again)....

I'm trying to shutdown my windoze server and change it to linux.

The first step i wanted to take was setting it up as a DNS server. (As my windowz server is now).
So, i left everything as it was default in the named.conf and added two zone's:
One for "mydomain.com"
and one for reverse lookup: "1.168.192.in-addr-arpa"

These seem to work ok, dig myserver.mydomain.com shows up with the ip adres of my server and said it queried my dns server. Also reverse is working.

Next step in this DNS adventure is to forward all queries my DNS server cannot resolve in its files to my ISP's DNS server.
I read something about forwarders, but I did not find a good example on the books or the web.

And finally, (as soon as my DHCP server is installed) i want to assign IP addresses and dynamically update the zone-files with the hostnames of the clients....

Anyone willing to point me in the right direction? (Or even better, help me with a complete solution?)

TIA!

Satch
 
Old 09-05-2003, 06:55 PM   #2
DaveG
Member
 
Registered: Nov 2001
Location: London, UK
Distribution: Fedora
Posts: 161

Rep: Reputation: 43
Use the latest ISC BIND and DHCP releases (http://www.isc.org) to do the dynamic updates of DNS from DHCP. The documentation covers setting up security keys and restricting DNS updates to authorised machines only.

Most of the DNS forwarding activity will be through the root zone. If your internet connection is always on, then the standard root zone files provided should work OK, just plug in the ISP's name server addresses.

If you dial up using PPP then the name server addresses can change each time. I capture them in the PPP scripts and pass them on to BIND via a generated config file. The root zone file I use is actually empty. It speeds up negative replies.

I'd consider not using "mydomain.com" unless you actually own the name. BIND will try asking the internet about unknown local hosts because of the ".com" ending, leaving you open to hackers. I use "xxx.localnet" with a block of 192.168 addresses. Any DNS confusion results in "host not found" without leaving the local network.

Have fun and happy hacking!

P.S. Don't forget to punch a hole in your firewall. I wasted a weekend over that!
 
Old 09-06-2003, 05:00 PM   #3
Satriani
Member
 
Registered: Mar 2003
Location: The Netherlands
Distribution: Red Hat 7.3, Red Hat 9, Solaris8, Slackware 10, Slax on USB, AIX, FreeBSD, WinXP, AIX, Ubuntu
Posts: 418

Original Poster
Rep: Reputation: 30
Thanks for your reply! I wasn't going to use "mydomain.com" for my domainname. I have a registered domainname on the internet. (Lets just say its "bogus.net") The entries in there point to my external IPaddress.

Now, what I didn't get in your answer is "just plug in the ISP's name server addresses" and the empty root zone file, and the block of 192.168 address part. Can you please explain that to me? (Or post an example?)

And the firewall thingie: I now use my windowz server as a master DNS server for my "bogus.net" and its caching names for the rest of the domains. (It looks up addresses against my ISP). It works flawlessly, and there is no firewall issue what so ever. So should i open the port 53? Because everything seems to wotk ok with MS-DNS server.

Lots of questions again, but help is very much appreciated.

Sat

Last edited by Satriani; 09-06-2003 at 05:02 PM.
 
Old 09-08-2003, 08:19 AM   #4
Satriani
Member
 
Registered: Mar 2003
Location: The Netherlands
Distribution: Red Hat 7.3, Red Hat 9, Solaris8, Slackware 10, Slax on USB, AIX, FreeBSD, WinXP, AIX, Ubuntu
Posts: 418

Original Poster
Rep: Reputation: 30
I found some more info on DNS, and it seems to work ok now,
only thing I still don't get is the caching / forwarders part:

I want to do a lookup against my ISP's DNS servers IF and ONLY IF the domain is not in my zone's. ( I have registered domainname on the internet, pointing to my external IP address, but on my lan, I use the same name, pointing to my internal IP addresses)

Also I would like to cache the names.

Any ideas?
 
Old 09-08-2003, 06:57 PM   #5
DaveG
Member
 
Registered: Nov 2001
Location: London, UK
Distribution: Fedora
Posts: 161

Rep: Reputation: 43
This is how my system is set up. Names and numbers have been altered to protect my innocence! All of the services are provided by one box (a 486!): DHCP server, DNS server, WINS server (Samba) and the firewall.

Firewall stuff (assumes netfilter with connection tracking):
The DNS server must accept port 53 TCP or UDP connections from the local subnet and it's loopback port.
It must be able to send port 53 TCP or UDP to the internet.
The DHCP server must be able to receive UDP port 67 and 68 on the broadcast address and output to port 68 on the local network.
e.g.
# Connection tracking
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS (on 192.168.1.1)
iptables -t filter -A INPUT -i eth0 -s 192.168.1.0/24 -d 192.168.1.1 -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -o ppp0 -d [ISP-DNS1] -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -o ppp0 -d [ISP-DNS2] -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -s 192.168.1.0/24 -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -o ppp0 -d [ISP-DNS1] -p udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -o ppp0 -d [ISP-DNS2] -p udp --dport 53 -j ACCEPT
# DHCP (serving 192.168.1.x)
iptables -t filter -A INPUT -i eth0 -d 192.168.1.255 -p udp --sport 67:68 --dport 67:68 -m state --state NEW -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -d 192.168.1.255 -p udp --sport 67 --dport 68 -m start --state NEW -j ACCEPT

The rndc control path must also be opened up to allow DHCP to update BIND.

----------------------------------------
//
// named.conf -- bind/DNS configuration file
//
// Created by daveg, January 9, 2002
//

// alias for all "internal" (secure) subnets
acl "internal" { 192.168.1.0/24; };

// Global options
options {
directory "/var/named"; // Working directory
pid-file "/var/run/named.pid";
dump-file "/var/run/named_dump.db";
statistics-file "/var/run/named.stats";
listen-on { // Doesn't listen on internet port!
127.0.0.1; // Loopback for local resolution
192.168.1.1; // localhost port for internal network (eth0?)
}; // Only listen on internal ports
version "N/A"; // Don't give any help
allow-transfer { "localhost"; }; // No external zone transfers
allow-recursion { // Only query for local clients
"internal";
"localhost";
};
allow-query { // Only serve local clients
"internal";
"localhost";
};
};

// See BIND documentation (dnssec-keygen)
// Same key string used in /etc/dhcpd.conf and /etc/rndc.key
key "rndckey" {
algorithm hmac-md5;
secret "like I'm gonna publish that!";
};

// For rndc external DNS control
controls {
inet 127.0.0.1 port 953 allow { localhost; } keys { "rndckey"; };
};

// Reverse mapping for loopback
zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.dns";
};

// Forward master for local net
zone "mydomain.com" in {
type master;
file "mydomaind.com.dns";
allow-update { key "rndckey"; }; // For dynamic DHCP updates
};

// Reverse master for local net
zone "1.168.192.in-addr.arpa" in {
type master;
file "192.168.1.dns";
allow-update { key "rndckey"; }; // For dynamic DHCP updates
};

// Root zone - forward everything, no hint file
zone "." in {
type forward;
forward only;
forwarders {
212.74.114.193; // DNS1 from ISP
212.74.112.66; // DNS2 from ISP
};
};
----------------------------------------
The root zone is set to forward all queries to the ISP's servers and cache the results. The "standard" setup uses a root "hints" file that will cause BIND to start querying all over the internet. Why chew up your own bandwidth?

The "standard" setup also assumes that all the required "glue" records are in place to correctly delegate "mydomain.com" from ".com".

Also check /etc/resolv.conf and /etc/nsswitch.conf on the name server machine.

And for dynamic DHCP
----------------------------------------
#
# dhcpd.conf -- DHCP 3.0 server configuration file
#
# Created by daveg, January 24, 2003
#

# Global parameters
authoritative;
server-identifier 192.168.1.1;
default-lease-time 86400; # 1 day
max-lease-time 259200; # 3 days

# Global declarations

# Internal (secure) subnet
subnet 192.168.1.0 netmask 255.255.255.0 {
# Subnet declarations
range 192.168.1.32 192.168.93.64; # Dynamic addresse allocation range
deny bootp;
deny client-updates; # Keep it simple
default-lease-time 259200; # 3 day
max-lease-time 604800; # 7 days
# Subnet dhcp options
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1; # Firewall box
option domain-name "mydomain.com";
option domain-name-servers 192.168.93.1; # Name server box
# Subnet WINS options
option netbios-name-servers 192.168.93.1, 192.168.93.1; # Samba/NT WINS server
option netbios-node-type 2; # Hybrid
}

# DDNS glue
ddns-update-style interim;
# For debugging, logging, etc.
# update-optimization off;

key rndckey {
algorithm hmac-md5;
secret "like I'm gonna publish that!";
};

zone mydomain.com. {
primary 127.0.0.1; # Just happens to be on the same box
key rndckey;
}

zone 1.168.192.in-addr.arpa. {
primary 127.0.0.1; # Just happens to be on the same box
key rndckey;
}
----------------------------------------

One day I'll get round to putting this all on a web page or two!
The DNS-HOWTO was a good starting point but doesn't cover the dynamic updates.
The DHCP mini-HOWTO was also useful. See http://www.tlpd.org

Hope it helps!
 
Old 09-09-2003, 07:25 AM   #6
Satriani
Member
 
Registered: Mar 2003
Location: The Netherlands
Distribution: Red Hat 7.3, Red Hat 9, Solaris8, Slackware 10, Slax on USB, AIX, FreeBSD, WinXP, AIX, Ubuntu
Posts: 418

Original Poster
Rep: Reputation: 30
DaveG!

Thank you sooooo much. I was struggling (googling) with it for a couple of days now, and didn't find any good example of what I wanted.
Your post is exactly the way I wanted to go. I think this is a very usefull post to all people with the same problem.

So, in 3 words: You are great!

Thanks again!

Sat
 
Old 09-09-2003, 02:45 PM   #7
Satriani
Member
 
Registered: Mar 2003
Location: The Netherlands
Distribution: Red Hat 7.3, Red Hat 9, Solaris8, Slackware 10, Slax on USB, AIX, FreeBSD, WinXP, AIX, Ubuntu
Posts: 418

Original Poster
Rep: Reputation: 30
Okay, so now I ran into some strange problems....

I made some updates on my domains zone, and did:
rndc refresh bogus.net
It did not work: in /var/log/messages i see the error:
Code:
Sep  9 21:31:10 myserver named[11732]: zone bogus.net/IN: cannot refresh: no masters
Anyone ideas ?
 
Old 09-10-2003, 03:00 AM   #8
greggy69
LQ Newbie
 
Registered: Aug 2003
Location: The Netherlands
Distribution: Slackware 10.0, 2.6.13.3
Posts: 16

Rep: Reputation: 0
NOPe!

You tell us since you've got this thing working last night!

Cheers,
Greg
 
Old 09-10-2003, 06:04 AM   #9
Satriani
Member
 
Registered: Mar 2003
Location: The Netherlands
Distribution: Red Hat 7.3, Red Hat 9, Solaris8, Slackware 10, Slax on USB, AIX, FreeBSD, WinXP, AIX, Ubuntu
Posts: 418

Original Poster
Rep: Reputation: 30
Im sorry Greggy... I got it working only half way:

It seems to work now, but I don't know why. And i'm not completely sure of it
Sometimes it works exactly as planned, other times i see the no masters error again.
Last night i did a dig on a record, and I got a SERVFAIL error.
So there must be something wrong.

Any help would be appreciated!
 
Old 09-10-2003, 08:27 AM   #10
GraemeK
Member
 
Registered: Aug 2003
Location: Essex, UK
Distribution: Windoze 2000, Fedora Core 3
Posts: 325

Rep: Reputation: 30
i got servfail errors with name lookups and narrowed it down to the file permissions...

change the file to full permissions for test purposes and restart the deamon.

see if that makes a differance, it did for me...

G
 
Old 09-10-2003, 10:01 AM   #11
Satriani
Member
 
Registered: Mar 2003
Location: The Netherlands
Distribution: Red Hat 7.3, Red Hat 9, Solaris8, Slackware 10, Slax on USB, AIX, FreeBSD, WinXP, AIX, Ubuntu
Posts: 418

Original Poster
Rep: Reputation: 30
I did change all the filepermissions, set it all up again, and again....
Still: When I do:
Code:
rndc refresh bogus.net
I see in the /var/log/messages:
Code:
myserver named[11732]: zone bogus.net/IN: cannot refresh: no masters
I am really getting a bit frustrated now.. I checked with a friend of mine who knows a lot about bind, and he checked my conf's. They would be OK.
So really: Any help would be so appreciated! Im almost starting to regret my transfer to linux DNS instead of W2k DNS server....
(Cuz on W2k it worked just as I wanted it to.)
 
Old 09-11-2003, 04:08 AM   #12
DaveG
Member
 
Registered: Nov 2001
Location: London, UK
Distribution: Fedora
Posts: 161

Rep: Reputation: 43
Hi Satriani,

The rndc refresh command is for updating any local slave zones from a master server. e.g. failover and load ballancing. If you are using it to copy a zone from one machine to another, you need to set the zone type to "slave" in named.conf for the transfer.

If you just want to make zone file edits live, use the rndc reload command. Check near the end of Chapter 3 of the BIND 9 Administrator Reference Manual and take care - you need to do an rndc stop to force the dynamic DHCP records in to the zone file from cache.

P.S. Don't go back! Look how much you have learned about DNS! Configuring Linux is hard work the first time round, but for me, I think it was worth the effort.
 
Old 09-11-2003, 04:31 AM   #13
Satriani
Member
 
Registered: Mar 2003
Location: The Netherlands
Distribution: Red Hat 7.3, Red Hat 9, Solaris8, Slackware 10, Slax on USB, AIX, FreeBSD, WinXP, AIX, Ubuntu
Posts: 418

Original Poster
Rep: Reputation: 30
DaveG: Thank you so much.
I must have overlooked the part of refresh, it was in the BIND-admin guide indeed! Also the part of rndc stop was in there, and i remember reading that. I didn't make the link with the refresh however.

I finally got it working now. Only thing I don't like about it is that indeed you need to stop your named to make any changes. But, that's why a second BIND server should be setup I presume....

And, to be frankly: I do not want to change back to windows. I must say that I am enjoying the basic computer things again since i switched to linux. But some things get so frustrating.....

Thanks! I think my server is up and running now for everything I wanted to do....
If i can return the favor, just ask.....

Last edited by Satriani; 09-11-2003 at 04:32 AM.
 
Old 09-11-2003, 06:06 AM   #14
greggy69
LQ Newbie
 
Registered: Aug 2003
Location: The Netherlands
Distribution: Slackware 10.0, 2.6.13.3
Posts: 16

Rep: Reputation: 0
Great! You are now allowed do it all again on my server!
 
Old 09-11-2003, 08:40 AM   #15
Satriani
Member
 
Registered: Mar 2003
Location: The Netherlands
Distribution: Red Hat 7.3, Red Hat 9, Solaris8, Slackware 10, Slax on USB, AIX, FreeBSD, WinXP, AIX, Ubuntu
Posts: 418

Original Poster
Rep: Reputation: 30
Yeah! And keep you from learning anything.... Just use this great thread, and you should be able to get it working...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
DNS and bind kevinm2 Linux - Networking 1 06-15-2005 10:18 PM
DNS Bind TKS Linux - Networking 6 05-03-2004 12:30 AM
bind setup steps techhost Linux - Newbie 1 04-05-2004 06:05 AM
DNS and BIND buttnutt Linux - Networking 5 06-08-2002 06:02 PM
Bind and DNS thewoz Linux - Newbie 1 10-22-2001 04:25 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 12:39 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration