databaseandnetworkmanagement:dns_service [2017/08/14 15:18] – created 1carew1databaseandnetworkmanagement:dns_service [2021/06/25 10:09] (current) – external edit 127.0.0.1
Line 1: Line 1:
 +====== The DNS Service ======
 +===== Objective =====
 +The host files (/etc/hosts) deployed on Errigal machines and blade servers has got larger over time. The hosts file on QAAPPS1 contained 102 entries, of which there were 5 duplicates, and keeping all the hosts files on all the machines up to date is becoming unmanageable, it is time to deploy a Errigal domain name system (DNS) service which will translate domain names into IP address and vice a versa.
 +
 +The design goal is to have separate zones, .err for Errigal servers, .crc for Crown servers and .ext for Extenet servers. The IANA root DB was checked [26 November 2015] ] and at the time of writing the domains .err, .crc and .ext are not being used at this time, so there is a reduced risk of causing issues with the general domain name system, however this should be monitored.
 +
 +The purpose of this install guide is to explain how to setup the Errigal DNS service and also how to modify it to include a new entry or to remove an entry.
 +
 +{{ :databaseandnetworkmanagement:screenshot_2017-08-14_15.19.14.png |}}
 +
 +The Primary DNS Server (or) Master DNS Server:
 +IP Address :    10.91.100.71
 +Hostname   :    qadb2.err
 +
 +Secondary DNS Server (or) Slave DNS Server:
 +IP Address :    10.5.5.15
 +Hostname   :   pislavedns.err
 +
 +===== Install BIND on a Master blade server (RHEL 6) =====
 +BIND (Berkeley Internet Name Domain), is a DNS server included in Red Hat Enterprise Linux YUM repository and so to install it use:
 +
 +> yum install bind bind-chroot
 +
 +On this install BIND is run via bind-chroot. bind-chroot is a way of running named (the BIND server) in a chroot jail for security reasons.
 +
 +In order to get bind-chroot running correctly then the jail environment needs to be set up with the most important factor being that a separate user for BIND is created. The user is usually called named and a check of the /etc/passwd file will indicate if such a user was created during the install process.
 +
 +==== Edit main Configuration file ====
 +The main configuration file for BIND is called named.conf and the Errigal version of this file can be found in the git repo idms-environment under the folder install / dns / etc /.
 +This configuration file needs to be placed in the folder /var/named/chroot/etc of the DNS server.
 + > sudo cp named.conf /var/named/chroot/etc/.
 +
 +This named.conf needs to be edited for this specific installation. 
 + > sudo vi /var/named/chroot/etc/named.conf
 +
 +A change must be made to the listen-on port directive to have the IP address of the machine hosting this master DNS service added to it. In this case Blade 2 (10.91.100.71) is being used for the DNS service and so this IP address 10.91.100.71 must be added to the listen-on port directive:
 +
 +  listen-on port 53 { 127.0.0.1; 10.91.100.71;};
 +
 +If a slave DNS has been setup for the domain then a change must be made to the allow-transfer directive to have the IP address of the machine hosting the slave DNS service.
 +
 + allow-transfer  { localhost; 10.91.100.72; };
 +
 +Finally the group access to the named.conf needs to be set to named.
 + > sudo chgrp named /var/named/chroot/etc/named.conf
 +
 +==== Add ZONE files for the domain ====
 +A zone file contains the mappings between domain names and IP addresses and the hierarchical domain name structure of the DNS. For the Errigal environment there are 3 zones, .err for Errigal servers, .crc for Crown servers and .ext for Extenet servers. In the git repo idms-environment under the folder install / dns / var / there are 6 files which contain the forward and reverse mappings for the 3 zones Errigal, Crown and Extenet.
 +
 +These 6 files should be copied to the folder /var/named/chroot/var/named
 + > sudo cp dns/var/* /var/named/chroot/var/named/.
 +
 +Finally the group access to the forward and reverse files needs to be set to named.
 +> sudo chgrp named /var/named/chroot/var/named/forward.errigal
 +> sudo chgrp named /var/named/chroot/var/named/forward.crown
 +> sudo chgrp named /var/named/chroot/var/named/forward.extenet
 +> sudo chgrp named /var/named/chroot/var/named/reverse.crown
 +> sudo chgrp named /var/named/chroot/var/named/reverse.errigal
 +> sudo chgrp named /var/named/chroot/var/named/reverse.extenet
 +
 +
 +==== Check for errors in the conf file and zone file ====
 +There are some simple tools to check if there are errors in the configuration and zone files of BIND.
 +
 +> sudo named-checkconf /var/named/chroot/etc/named.conf
 +
 +Usually this will just drop down to the command line and so everything is fine with the configuration file, otherwise an error message will be displayed, which needs to be fixed.
 +
 +> sudo named-checkzone err /var/named/chroot/var/named/forward.errigal
 +
 +Should return an OK message.
 +
 +==== Moving default zones into place ====
 +It was found that the chroot doesn’t mount the local files correctly and so they have to be copied into place.
 +> sudo cp /var/named/named.localhost /var/named/chroot/var/named/.
 +> sudo chgrp named /var/named/chroot/var/named/named.localhost
 +> sudo cp /var/named/named.loopback /var/named/chroot/var/named/.
 +> sudo chgrp named /var/named/chroot/var/named/named.loopback
 +> sudo cp /var/named/named.empty /var/named/chroot/var/named/.
 +> sudo chgrp named /var/named/chroot/var/named/named.empty
 +> sudo cp /var/named/named.ca /var/named/chroot/var/named/.
 +> sudo chgrp named /var/named/chroot/var/named/named.ca 
 +
 +
 +==== Start the DNS Service ====
 +To start the BIND DNS service and to get it to load the Errigal configuration run the command
 +> service named restart
 +
 +This should return an [OK] message.
 +
 +Now is the time to have the DNS service to auto start on every boot up of this machine
 + > sudo chkconfig named on
 +
 +
 +The Errigal DNS service can now be tested. A random sample of hostnames in the Errigal, Crown and Extenet zones should be checked. Here’s one example check.
 +
 +> dig atlas.err @localhost
 +
 +Should provide the answer
 +;; ANSWER SECTION:
 +atlas.err. 86400 IN A 10.91.100.101
 + 
 +Notice how the @locahost was used. This is confirming that the local DNS service running on this Blade 2 machine is checked via the dig command. A failure to use the @localhost will lead to an incorrect answer being provided for atlas.err as there will be no other DNS service hosting that zone.
 +
 +A check from another blade server can also be done. SSH into Blade 1 and run the command
 + > dig atlas.err @10.91.100.71
 +
 +Should provide the answer
 +;; ANSWER SECTION:
 +atlas.err. 86400 IN A 10.91.100.101
 +
 +==== Adding a hostname/IP address to a zone ====
 +Here is an example of adding a new hostname to the Errigal .err zone file.
 +Host = newerrigal
 +IP = 10.91.100.140
 +
 +Update the Errigal forward and reverse zone files in the git repo IDMS Environment.
 +**REMEMBER TO UPDATE THE SERIAL NUMBERS IN THE EDITED FORWARD AND REVERSE FILES ELSE THEY WILL NOT REPLICATE TO SLAVES** (replication is based on checking to see if these serial numbers have changed where are at the top of the forward and reverse files so just increment by 1 on each)
 +The zone file(s) are contained in the folder  install / dns / var / 
 +Securely copy/sftp the updated files to the directory /var/named/chroot/var/named/ on the Master DNS server 10.91.100.71.
 +Make sure those new files have the correct group permissions
 +  * sudo chgrp named /var/named/chroot/var/named/forward.errigal
 +  * sudo chgrp named /var/named/chroot/var/named/reverse.errigal
 +  * # Restart the named service
 +  * sudo service named restart
 +
 +===== Test DNS =====
 +Test if change is reflected correctly.
 +You may have to refresh DNS cache.
 +Following command is for macOS Sierra
 +> sudo killall -HUP mDNSResponder
 +
 +==== Common Mistakes to Avoid ====
 +Use period correctly: In zone files, a period at the end of a domain name denotes a fully qualified domain name. If omitted, the named service will append the name of the zone or the value of $ORIGIN to complete it.
 +
 +Increment the serial number when editing a zone file: If the serial number is not incremented, the primary nameserver will have the correct, new information, but the secondary nameservers will never be notified of the change, and will not attempt to refresh their data of that zone.
 +
 +
 +===== Creating a Slave DNS =====
 +Please see [[toolsandtechnologies:raspberrypiDnsSlave| Setup Raspberry Pi as DNS Slave]] on how to create a slave DNS
 +
 +===== Basic Instructions (How-To, Tutorial, Guide) =====
 +[[https://docs.google.com/a/errigal.com/document/d/12tbIbQQdonkDwin62ONWo1b_lyEoFzdJTMttWmOH1WM/edit?usp=sharing|How-To - Basic DNS Setup]]
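Review bot: the allow-transfer example in the "Edit main Configuration file" section permits 10.91.100.72, but the Secondary DNS Server listed at the top of the page is pislavedns.err at 10.5.5.15, so one of the two should be corrected or the text should state which host is actually allowed to pull zone transfers; with the values as written the slave named on the page would not match the transfer ACL, and the serial-number replication warning later on could not be verified end to end. Smaller points in the same hunk: named-checkzone is only run against forward.errigal although six zone files are copied, so the check should be repeated for the other five (the reverse files need their own zone name as the first argument, which the page does not give); the paragraph under the dig example misspells `@localhost` as `@locahost`; and the "Adding a hostname/IP address to a zone" list puts a shell comment (`* # Restart the named service`) inside a wiki bullet list, which reads better as a plain sentence before `sudo service named restart`. A post-change check worth documenting next to the serial-number warning is `dig SOA err @10.91.100.71 +short` compared with the same query against the slave, to confirm the incremented serial has actually propagated.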