Master-slave named configuration using Red Hat Enterprise Linux 6.2 ( RHEL 6.2 )

In the text below I will create a master-slave named replication using Red Hat Enterprise Linux 6.2 (RHEL 6.2). RHEL 6.2 is used as the base OS, but the same process can be applied to CentOS and Fedora configurations as well. The necessary packages are present in the base OS channel on Red Hat Network, which means that after installing RHEL 6.2 and registering at RHN there is no need to subscribe your machine to any additional channel. If you decide to use CentOS 6.x/Scientific Linux 6.x, everything comes with the default installation.

To install the necessary packages on the master and slave named servers, run:

#yum install -y bind bind-chroot

After installation we end up with the packages below (some were already present on the system):

bind-chroot-9.7.3-8.P3.el6.i686
bind-utils-9.7.3-8.P3.el6.i686
bind-9.7.3-8.P3.el6.i686
bind-libs-9.7.3-8.P3.el6.i686

Installing bind and bind-chroot sets bind up in a so-called “chroot” environment, where all files related to bind are confined under

/var/named/chroot

This way named runs in its own “root” (chroot) space, which adds an additional layer of security.

The bind and bind-chroot packages delivered with RHEL 6.2 do not provide example files in /var/named/chroot, so we need to copy them from

/usr/share/doc/bind-$version/sample

# cd /var/named/chroot/etc
# cp /usr/share/doc/bind-9.7.3/sample/etc/named.conf .
# pwd

/var/named/chroot/etc

# ls -lZ

-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 localtime
drwxr-x---. root named system_u:object_r:etc_t:s0 named
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 named.conf
drwxr-xr-x. root root system_u:object_r:cert_t:s0 pki

It is necessary to set proper ownership and the correct SELinux context on the newly copied named.conf in /var/named/chroot/etc

# pwd
/var/named/chroot/etc

# chown root.named named.conf
# restorecon -vFR named.conf

After these actions we have the following

# ls -lZ

-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 localtime
drwxr-x---. root named system_u:object_r:etc_t:s0 named
-rw-r--r--. root named system_u:object_r:named_conf_t:s0 named.conf
drwxr-xr-x. root root system_u:object_r:cert_t:s0 pki

Configure your named.conf file. The sample files I use for this demonstration can be found at the end of this post.

You will need to copy the files below to /var/named/chroot/var/named

-rw-r--r--. 1 root named 1892 Jun 10 10:21 named.ca
-rw-r--r--. 1 root named 152 Jun 10 10:57 named.empty
-rw-r--r--. 1 root named 152 Jun 10 10:56 named.localhost
-rw-r--r--. 1 root named 168 Jun 10 10:56 named.loopback

if you use the attached named.conf.

Do not forget to set proper permissions / ownership on these files

# chown root.named named.*
# restorecon -vFR named.*

Check named.conf for syntax errors

# named-checkconf named.conf

If it does not report any errors, the file is syntactically correct

Finally start named

# service named start
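As an added example (not from the original post), a small shell script that audits the ownership and SELinux type of named.conf in the chroot from `ls -lZ` output and applies the chown/restorecon fix above only when they deviate, then re-runs named-checkconf. It assumes the RHEL 6 `ls -lZ` column layout shown above (mode owner group context name) and root privileges for the repair step.

```shell
#!/bin/sh
# Added example, not from the original post: audit the bind chroot for the
# ownership and SELinux type set in the steps above and repair only what
# deviates. Assumes RHEL 6 paths and the RHEL 6 "ls -lZ" column layout.

CHROOT_ETC=/var/named/chroot/etc

# Report what differs from the expected owner, group and SELinux type in one
# "ls -lZ" line (fields: mode owner group context name). Prints nothing and
# returns 0 when the line already matches; prints the deviations and
# returns 1 otherwise.
audit_line() {
    local line=$1 want_owner=$2 want_group=$3 want_type=$4
    local owner group ctx type problems=""
    owner=$(echo "$line" | awk '{print $2}')
    group=$(echo "$line" | awk '{print $3}')
    ctx=$(echo "$line" | awk '{print $4}')
    type=$(echo "$ctx" | cut -d: -f3)      # context is user:role:type:level
    [ "$owner" = "$want_owner" ] || problems="$problems owner=$owner"
    [ "$group" = "$want_group" ] || problems="$problems group=$group"
    [ "$type"  = "$want_type"  ] || problems="$problems type=$type"
    [ -z "$problems" ] && return 0
    echo "${problems# }"
    return 1
}

# Audit named.conf in the chroot and apply the post's fix only when needed.
# named.conf must be root:named with type named_conf_t (see the listing above).
repair_named_conf() {
    local line
    line=$(ls -lZ "$CHROOT_ETC/named.conf") || return 1
    if audit_line "$line" root named named_conf_t >/dev/null; then
        echo "named.conf: ownership and context already correct"
        return 0
    fi
    echo "named.conf: fixing ($(audit_line "$line" root named named_conf_t))"
    chown root:named "$CHROOT_ETC/named.conf" &&
    restorecon -vF "$CHROOT_ETC/named.conf" &&
    named-checkconf "$CHROOT_ETC/named.conf"
}

# Run the repair only when invoked with --run (as root, on the master).
if [ "${1:-}" = "--run" ]; then repair_named_conf; fi
```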

Edit /etc/resolv.conf and point it to your newly created named server

In my case I have

# cat /etc/resolv.conf
search elvirzone.int
nameserver 192.168.122.45

From localhost (or from another machine on the network, after adapting its /etc/resolv.conf to use the new DNS server and opening ports 53/tcp and 53/udp on the master DNS server), run

# dig @127.0.0.1 somedomain ( eg: google.com )

If all is fine, it should return the information you asked for

To allow access from other machines in your network, you will need to add the rules below (or something similar) to your iptables firewall rules.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

You probably know why we need UDP / TCP at same time – and when they are used 🙂

By default named sends zone change notifications to all machines listed in the NS records of the zone file.

We have :

NS dnsnode1.elvirzone.int.
NS dnsnode2.elvirzone.int.

so named will send a notification to dnsnode2.elvirzone.int without any further instructions in named.conf.

If we want to send notifications to some other slave server that is not defined in the zone file, we need to specify it directly in named.conf on the master server using the also-notify directive.

For example

also-notify {192.168.122.100;};

will send notifications about zone updates to 192.168.122.100 too

Once the master is up and running we can proceed with the slave configuration

To configure the slave named machine, we need to do the following

# scp named.conf root@dnsnode2:/var/named/chroot/etc/

Set proper ownership and SELinux context on this file

# chown root.named named.conf
# restorecon -vFR named.conf

Edit it, adapt it to listen on the correct interfaces, and add the masters stanza

zone "elvirzone.int" {
    type slave;
    file "slaves/elvirzone.int.db";
    masters { 192.168.122.45; };
};
zone "122.168.192.in-addr.arpa" {
    type slave;
    file "slaves/122.168.192.in-addr.arpa.db";
    masters { 192.168.122.45; };
};

A change I noticed compared to RHEL 5 is that with RHEL 6 there is no /var/named/chroot/var/named/slaves directory, and we need to create it

# cd /var/named/chroot/var/named
# mkdir slaves
# chown -R root.named slaves
# chmod -R 775 slaves

After the above changes, once the following is executed on the slave (please do not forget to open the ports on the slave as well)

# service named start

the zone files will be transferred to /var/named/chroot/var/named/slaves

If you get errors like the one below in /var/log/messages, and records on the slave server are not being updated,

named[2199]: dumping master file: slaves/tmp-uG0eanHAl3: open: permission denied

then check the permissions on the slaves directory: the named daemon needs write access to it.
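As an added example (not from the original post), a shell script that checks whether the slave really received the zone by comparing the SOA serial answered by the master and by the slave, and, when they differ, checks the slaves directory for the permission problem just described. The slave address 192.168.122.100 is an assumption, as is the `dig +short SOA` output layout; dig comes from bind-utils.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the slave received
# the zone by comparing SOA serials, and check the failure mode above
# (named cannot write to slaves/). Assumed hosts: master 192.168.122.45 from
# the post, slave 192.168.122.100 (assumption).

MASTER=192.168.122.45
SLAVE=192.168.122.100
ZONE=elvirzone.int
SLAVES_DIR=/var/named/chroot/var/named/slaves

# Extract the serial (3rd field) from "dig +short <zone> SOA" output, e.g.
# "dnsnode1.elvirzone.int. root.elvirzone.int. 2012061001 3600 900 604800 86400"
# (constructed sample). Prints nothing if the answer is empty or malformed.
soa_serial() {
    echo "$1" | awk 'NF >= 7 { print $3; exit }'
}

# 0 when both serials are present and equal, 1 otherwise.
serials_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# The "permission denied" error above means named cannot create its temp file
# in slaves/: the directory must exist and be group named with rwx for the
# group (mode 775, as set in the post). Prints the problem found, if any.
slaves_dir_ok() {
    local dir=${1:-$SLAVES_DIR} grp perm
    [ -d "$dir" ] || { echo "$dir missing: create it as shown above"; return 1; }
    grp=$(ls -ld "$dir" | awk '{print $4}')
    perm=$(ls -ld "$dir" | awk '{print substr($1,5,3)}')   # group rwx bits
    [ "$grp" = named ] && [ "$perm" = rwx ] && return 0
    echo "$dir: group=$grp group-perms=$perm (want named/rwx)"
    return 1
}

# Compare serials from both servers; on mismatch, check the slaves directory.
check_replication() {
    local m s
    m=$(soa_serial "$(dig +short @"$MASTER" "$ZONE" SOA)")
    s=$(soa_serial "$(dig +short @"$SLAVE" "$ZONE" SOA)")
    if serials_match "$m" "$s"; then
        echo "$ZONE in sync (serial $m)"
        return 0
    fi
    echo "$ZONE out of sync: master=$m slave=$s"
    slaves_dir_ok
    return 1
}

if [ "${1:-}" = "--run" ]; then check_replication; fi
```

Run it on the slave with `--run` so that the slaves directory check inspects the local directory.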

A careful and security-aware reader will already be ranting about DNSSEC and all its features. Yes, I agree that to make this configuration better it would be good to use DNSSEC and to create a master-slave key to be used for zone transfers. This will be done in a future update of this article.
