Thursday, December 28, 2017

Setup a DNS Server in RHEL using Bind

Introduction
BIND Installation
BIND Configuration
Configure DNS on Hosts

Introduction

What is a DNS Server ?

DNS (Domain Name System, sometimes expanded as Domain Naming Service) resolves host names to IP addresses, and IP addresses back to host names, across an organization.
This article provides the basic DNS configuration needed to use the Single Client Access Name (SCAN) introduced in Oracle 11g Release 2 RAC; the SCAN is a single host name that resolves to several addresses, which plain /etc/hosts entries cannot provide.

Here we will use a separate Linux server to set up DNS with BIND.

Create a VM and install Oracle Linux 6 on it (the installation steps are covered in a separate post).

Below is the Linux version which we will be using in this setup:

[root@dns ~]# lsb_release -a
LSB Version:    :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: OracleServer
Description:    Oracle Linux Server release 6.7
Release:        6.7
Codename:       n/a
We will use the following hostname and IP address for the DNS server:
IP Address : 192.168.0.67
Hostname   : dns.oracleapps.com
These are the node machines the DNS server will resolve:
IP Address :  192.168.0.101  ## Hostname : rac1.oracleapps.com
IP Address :  192.168.0.102  ## Hostname : rac2.oracleapps.com
IP Address :  192.168.0.111  ## Hostname : rac1-vip.oracleapps.com
IP Address :  192.168.0.112  ## Hostname : rac2-vip.oracleapps.com
IP Address :  192.168.1.101  ## Hostname : rac1-priv.oracleapps.com
IP Address :  192.168.1.102  ## Hostname : rac2-priv.oracleapps.com
IP Address :  192.168.0.121  ## Hostname : rac-scan.oracleapps.com
IP Address :  192.168.0.122  ## Hostname : rac-scan.oracleapps.com
IP Address :  192.168.0.123  ## Hostname : rac-scan.oracleapps.com
IP Address :  192.168.0.201  ## Hostname : apps1.oracleapps.com
IP Address :  192.168.0.202  ## Hostname : apps2.oracleapps.com
Steps to be performed on the DNS server:

BIND Installation

Assuming the machine has internet connectivity, install the DNS server (BIND). The wildcard also pulls in bind-utils, which provides the dig and nslookup tools used later, as well as extras such as bind-chroot; install just the bind and bind-utils packages if you only want the server and the tools:
[root@dns ~]# yum install bind* -y
BIND Configuration

Make the following changes in the /etc/named.conf file:

Listen-on: add the IP address of the local server, so that named answers DNS queries on port 53 on the loopback and on this address:
listen-on port 53 { 127.0.0.1; 192.168.0.67;};
Allow-query: change it from { localhost; } to { any; } so the RAC nodes and application servers can query the server:
allow-query     { any; };
Note that the stock file also contains recursion yes. Combined with allow-query { any; } this makes named a recursive resolver for anyone who can reach port 53. On a lab network behind the iptables rules below that is acceptable, but if the server is reachable from untrusted networks it becomes an open resolver that can be abused for DNS amplification and exposed to cache poisoning. In that case either restrict allow-query to the RAC subnets, or keep it open for the authoritative zones and add an allow-recursion statement limited to the internal networks.
Configure DNS zones (forward lookup): now we create the zones whose files will hold the DNS records. Add the following to named.conf (allow-update { none; } refuses dynamic updates, so nobody can add or change records over the network):
zone "oracleapps.com" IN {
  type master;
  file "oracleapps.com.zone";
  allow-update { none; };
};
Configure DNS zones (reverse lookup): after the forward zone, configure reverse DNS so that IP addresses resolve back to host names. Add the following to named.conf:
zone "0.168.192.in-addr.arpa" IN {
  type master;
  file "0.168.192.in-addr.arpa.zone";
  allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
  type master;
  file "1.168.192.in-addr.arpa.zone";
  allow-update { none; };
};
In my setup I use two IP subnets for the database nodes, 192.168.0.x and 192.168.1.x, so I added a reverse zone for each.

NOTE: if you use more IP subnets, add a reverse zone for each of them.

Here is the full content of my config file:
[root@dns ~]# vi /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 192.168.0.67;};
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "oracleapps.com" IN {
        type master;
        file "oracleapps.com.zone";
        allow-update { none; };
};

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "0.168.192.in-addr.arpa.zone";
        allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "1.168.192.in-addr.arpa.zone";
        allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
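Two things in the options block above deserve a second look before this server is exposed beyond the lab. First, recursion yes together with allow-query { any; } and no allow-recursion statement makes named answer recursive queries for any client that can reach it. Second, there is no allow-transfer statement, and BIND's default is to allow zone transfers (AXFR) to anyone, which hands the whole host inventory to whoever asks; with no secondary server there is no reason to allow it. (The dnssec-lookaside auto line refers to ISC's DLV registry, which ISC has retired, so it can simply be dropped.) The script below is an added example, not part of the original post: it flags both weaknesses in a named.conf and prints a hardened options block using the post's listen address and subnets. The "internal" ACL name is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): flag a named.conf that answers
# recursive queries for anyone, or leaves zone transfers unrestricted, and print
# a hardened options block. The listen address and subnets are the post's;
# the "internal" ACL name is an assumption.

# Hardened replacement for the options block. Authoritative answers for the
# oracleapps.com zones are still given to anyone who can reach the server,
# but recursion (and so use as an amplifier or cache-poisoning target) is
# limited to the RAC subnets, and AXFR is refused since there is no secondary.
hardened_options() {
    cat <<'EOF'
acl "internal" { 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

options {
        listen-on port 53 { 127.0.0.1; 192.168.0.67; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        allow-query     { any; };
        recursion yes;
        allow-recursion { internal; };
        allow-transfer  { none; };
        dnssec-enable yes;
        dnssec-validation yes;
};
EOF
}

# named_conf_check FILE: print one finding per weakness; exit 1 if any found.
# Comments are stripped first so a commented-out allow-recursion does not count.
named_conf_check() {
    awk '
        { sub(/(\/\/|#).*/, ""); gsub(/\/\*.*\*\//, ""); conf = conf " " $0 }
        END {
            findings = 0
            if (conf ~ /recursion[ \t]+yes[ \t]*;/ &&
                conf ~ /allow-query[ \t]*\{[ \t]*any[ \t]*;/ &&
                conf !~ /allow-recursion[ \t]*\{/) {
                print "open recursive resolver: recursion yes + allow-query { any; } without allow-recursion"
                findings++
            }
            if (conf !~ /allow-transfer[ \t]*\{/) {
                print "zone transfers unrestricted: no allow-transfer statement"
                findings++
            }
            exit (findings > 0)
        }' "$1"
}

# Usage: sh named-check.sh /etc/named.conf
if [ $# -gt 0 ]; then
    named_conf_check "$1" || { echo "--- suggested options block ---"; hardened_options; }
fi
```

If nothing outside the two subnets ever needs answers from this server, allow-query { internal; } is tighter still; the block keeps any only because the post's intent is an authoritative server for the zone. After editing, run named-checkconf and reload named as in the steps below.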
Now we will create the zone files which we mentioned in named.conf:

Setup DNS Zone -1 (Forward Lookup):
[root@dns ~]# cd /var/named
[root@dns named]# cat oracleapps.com.zone
$TTL 86400
@       IN SOA  dns.oracleapps.com. root.oracleapps.com. (
        2014051001      ; serial
          3600    ; refresh
          1800    ; retry
          604800  ; expire
          86400   ; minimum
)
@               IN      NS      dns.oracleapps.com.
dns             IN      A       192.168.0.67
rac1            IN      A       192.168.0.101
rac2            IN      A       192.168.0.102
rac1-vip        IN      A       192.168.0.111
rac2-vip        IN      A       192.168.0.112
rac1-priv       IN      A       192.168.1.101
rac2-priv       IN      A       192.168.1.102
rac-scan        IN      A       192.168.0.121
rac-scan        IN      A       192.168.0.122
rac-scan        IN      A       192.168.0.123
apps1           IN      A       192.168.0.201
apps2           IN      A       192.168.0.202
Setup DNS Zone -2 (Reverse Lookup for subnet 192.168.0.x):
[root@dns named]# cat 0.168.192.in-addr.arpa.zone
$TTL 86400
@       IN SOA  dns.oracleapps.com. root.oracleapps.com. (
        2014051001      ; serial
          3600    ; refresh
          1800    ; retry
          604800  ; expire
          86400   ; minimum
)
@               IN      NS      dns.oracleapps.com.
dns             IN      A       192.168.0.67
67              IN      PTR     dns.oracleapps.com.
101             IN      PTR     rac1.oracleapps.com.
102             IN      PTR     rac2.oracleapps.com.
111             IN      PTR     rac1-vip.oracleapps.com.
112             IN      PTR     rac2-vip.oracleapps.com.
121             IN      PTR     rac-scan.oracleapps.com.
122             IN      PTR     rac-scan.oracleapps.com.
123             IN      PTR     rac-scan.oracleapps.com.
201             IN      PTR     apps1.oracleapps.com.
202             IN      PTR     apps2.oracleapps.com.
Setup DNS Zone -3 (Reverse Lookup for subnet 192.168.1.x):
[root@dns named]# cat 1.168.192.in-addr.arpa.zone
$TTL 86400
@       IN SOA  dns.oracleapps.com. root.oracleapps.com. (
        2014051001      ; serial
          3600    ; refresh
          1800    ; retry
          604800  ; expire
          86400   ; minimum
)
@               IN      NS      dns.oracleapps.com.
dns             IN      A       192.168.0.67
101             IN      PTR     rac1-priv.oracleapps.com.
102             IN      PTR     rac2-priv.oracleapps.com.
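The three zone files above are written by hand, which is how the A and PTR sides drift apart (a node listed under the wrong name, a reverse entry missed when a host is added). As an added example that is not part of the original post, the script below derives the forward zone and one reverse zone per /24 from a single host list, so both sides always agree. The hosts and domain are the post's; the date-based serial, the TTL and the output file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate the forward zone and one
# reverse zone per /24 from an "IP hostname" list, so A and PTR records cannot
# drift apart. Hosts and domain are the post's; serial format is an assumption.

DOMAIN=oracleapps.com
NS_HOST=dns          # short name of the name server within DOMAIN
TTL=86400

# Constructed input: the post's host table (short names, one IP per line).
# The same short name on several lines yields a round-robin name (the SCAN).
HOSTS='192.168.0.67 dns
192.168.0.101 rac1
192.168.0.102 rac2
192.168.0.111 rac1-vip
192.168.0.112 rac2-vip
192.168.1.101 rac1-priv
192.168.1.102 rac2-priv
192.168.0.121 rac-scan
192.168.0.122 rac-scan
192.168.0.123 rac-scan
192.168.0.201 apps1
192.168.0.202 apps2'

# soa_header: $TTL, SOA and NS records with a date-based serial (YYYYMMDDnn),
# which must be bumped every time a zone file changes or caches keep old data.
soa_header() {
    serial=$(date +%Y%m%d)01
    printf '$TTL %s\n' "$TTL"
    printf '@\tIN SOA\t%s.%s. root.%s. (\n' "$NS_HOST" "$DOMAIN" "$DOMAIN"
    printf '\t%s\t; serial\n\t3600\t; refresh\n\t1800\t; retry\n\t604800\t; expire\n\t86400\t; minimum\n)\n' "$serial"
    printf '@\tIN\tNS\t%s.%s.\n' "$NS_HOST" "$DOMAIN"
}

# forward_zone: one A record per line of HOSTS.
forward_zone() {
    soa_header
    printf '%s\n' "$HOSTS" | awk '{ printf "%-16s IN\tA\t%s\n", $2, $1 }'
}

# reverse_zone A.B.C: PTR records for every host inside A.B.C.0/24,
# keyed by the last octet (relative to the in-addr.arpa origin).
reverse_zone() {
    soa_header
    printf '%s\n' "$HOSTS" | awk -v net="$1" -v dom="$DOMAIN" '
        index($1, net ".") == 1 {
            split($1, o, ".")
            printf "%-16s IN\tPTR\t%s.%s.\n", o[4], $2, dom
        }'
}

# subnets: the distinct /24s in HOSTS; each one needs its own reverse zone.
subnets() {
    printf '%s\n' "$HOSTS" | awk -F. '{ print $1"."$2"."$3 }' | sort -u
}

# write_zones [DIR]: write the zone files named as in the post into DIR.
write_zones() {
    dir=${1:-.}
    forward_zone > "$dir/$DOMAIN.zone"
    for net in $(subnets); do
        rev=$(echo "$net" | awk -F. '{ print $3"."$2"."$1 }')
        reverse_zone "$net" > "$dir/$rev.in-addr.arpa.zone"
    done
}

# Usage: sh gen-zones.sh /var/named   (then named-checkzone each file and reload)
[ $# -gt 0 ] && write_zones "$1"
```

Adding a host then means one new line in HOSTS and a rerun, and the zones go through named-checkzone as in the steps below before named is reloaded.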
The zone files we just created belong to group root; change them to group "named" so that they match the other files BIND ships in /var/named (named only needs read access, which the 0644 mode already grants, but keeping the ownership consistent avoids surprises later).

List the files and check the permissions and group of the zone files we created:
[root@dns named]# ls -lrt *.zone
-rw-r--r--. 1 root  root  788 Nov  6 22:10 oracleapps.com.zone
-rw-r--r--. 1 root  root  914 Nov  6 22:17 0.168.192.in-addr.arpa.zone
-rw-r--r--. 1 root  root  571 Nov  6 22:19 1.168.192.in-addr.arpa.zone
Change the group to named with the following commands:
[root@dns named]# chgrp named /var/named/oracleapps.com.zone
[root@dns named]# chgrp named /var/named/0.168.192.in-addr.arpa.zone
[root@dns named]# chgrp named /var/named/1.168.192.in-addr.arpa.zone
List the files again:
[root@dns named]# ls -lrt *.zone
-rw-r--r--. 1 root named 788 Nov  6 22:10 oracleapps.com.zone
-rw-r--r--. 1 root named 914 Nov  6 22:17 0.168.192.in-addr.arpa.zone
-rw-r--r--. 1 root named 571 Nov  6 22:19 1.168.192.in-addr.arpa.zone
Then check the SELinux context of all the files we edited so far:
[root@dns named]# ls -lZd /etc/named.conf
-rw-r-----. root named system_u:object_r:named_conf_t:s0 /etc/named.conf

[root@dns named]# ls -lZd /var/named/oracleapps.com.zone
-rw-r--r--. root named unconfined_u:object_r:named_zone_t:s0 /var/named/oracleapps.com.zone

[root@dns named]# ls -lZd /var/named/0.168.192.in-addr.arpa.zone
-rw-r--r--. root named unconfined_u:object_r:named_zone_t:s0 /var/named/0.168.192.in-addr.arpa.zone

[root@dns named]# ls -lZd /var/named/1.168.192.in-addr.arpa.zone
-rw-r--r--. root named unconfined_u:object_r:named_zone_t:s0 /var/named/1.168.192.in-addr.arpa.zone
The configuration file must carry the named_conf_t type and the zone files named_zone_t, as shown above; if any of them differ (typically because a file was copied in from elsewhere), named will be denied access, so restore the policy defaults with restorecon:
[root@dns named]# restorecon -v /etc/named.conf /var/named/*.zone
Now check the configuration file and the zone files for syntax errors:
[root@dns named]# named-checkconf /etc/named.conf
/etc/named.conf:11: missing ';' before '}' 
As you can see above, there is a typo at line 11. I fixed it and ran the command again; no output means the file is clean:
[root@dns named]# vi /etc/named.conf
[root@dns named]# named-checkconf /etc/named.conf

[root@dns named]# named-checkzone oracleapps.com /var/named/oracleapps.com.zone
zone oracleapps.com/IN: loaded serial 2014051001
OK

The first argument to named-checkzone must be the zone's own origin; if you pass oracleapps.com for a reverse zone the check still prints OK, but @ and the relative owner names are expanded under the wrong domain, so the check is meaningless:
[root@dns named]# named-checkzone 0.168.192.in-addr.arpa /var/named/0.168.192.in-addr.arpa.zone
zone 0.168.192.in-addr.arpa/IN: loaded serial 2014051001
OK

[root@dns named]# named-checkzone 1.168.192.in-addr.arpa /var/named/1.168.192.in-addr.arpa.zone
zone 1.168.192.in-addr.arpa/IN: loaded serial 2014051001
OK
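named-checkzone validates syntax and the SOA/NS structure only; it will happily accept a PTR record that names the wrong host, or a host that has an A record but no PTR at all, and Oracle's cluster verification will only complain later. Here is an added cross-check, not part of the original post, that joins the forward zone's A records against the reverse zones' PTR records in both directions. It assumes records are written one per line as NAME IN TYPE RDATA with relative owner names, as in the zone files above; the inline test data is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check forward A records
# against reverse PTR records in both directions. Assumes records are written
# one per line as "NAME IN TYPE RDATA" with relative owner names, as in the
# post's zone files; SOA continuation lines never have A or PTR in the type
# column, so they are skipped naturally.

# a_records ZONEFILE ORIGIN: print "fqdn ip" for every A record.
a_records() {
    awk -v origin="$2" '
        $0 !~ /^[ \t]*;/ && $0 !~ /^\$/ && $3 == "A" {
            name = ($1 == "@") ? origin : ($1 ~ /\.$/ ? substr($1, 1, length($1) - 1) : $1 "." origin)
            print name, $4
        }' "$1"
}

# ptr_records ZONEFILE ORIGIN: print "reverse-name target" for every PTR record.
ptr_records() {
    awk -v origin="$2" '
        $0 !~ /^[ \t]*;/ && $3 == "PTR" {
            owner  = ($1 ~ /\.$/) ? substr($1, 1, length($1) - 1) : $1 "." origin
            target = $4; sub(/\.$/, "", target)
            print owner, target
        }' "$1"
}

# check_zones FWD_FILE DOMAIN REV_FILE ORIGIN [REV_FILE ORIGIN ...]
# One line per problem on stdout; exit status 1 if anything is inconsistent.
check_zones() {
    fwd=$1; dom=$2; shift 2
    {
        a_records "$fwd" "$dom" | sed 's/^/A /'
        while [ $# -ge 2 ]; do
            ptr_records "$1" "$2" | sed 's/^/PTR /'
            shift 2
        done
    } | awk '
        $1 == "A" {
            # 192.168.0.101 -> 101.0.168.192.in-addr.arpa
            split($3, o, ".")
            a[o[4] "." o[3] "." o[2] "." o[1] ".in-addr.arpa"] = $2
        }
        $1 == "PTR" { p[$2] = $3 }
        END {
            bad = 0
            for (r in a) {
                if (!(r in p))         { print "no PTR for " a[r] " (" r ")"; bad++ }
                else if (p[r] != a[r]) { print "PTR " r " names " p[r] " but A record says " a[r]; bad++ }
            }
            for (r in p)
                if (!(r in a))         { print "stale PTR " r " -> " p[r] " without matching A record"; bad++ }
            exit (bad > 0)
        }'
}

# Usage on the DNS server with the post's file names (adjust origins per subnet):
if [ $# -eq 0 ] && [ -f /var/named/oracleapps.com.zone ]; then
    check_zones /var/named/oracleapps.com.zone oracleapps.com \
        /var/named/0.168.192.in-addr.arpa.zone 0.168.192.in-addr.arpa \
        /var/named/1.168.192.in-addr.arpa.zone 1.168.192.in-addr.arpa \
        && echo "forward and reverse zones agree"
fi
```

Run it after every zone edit, before the serial bump and reload; a non-zero exit is the signal to fix the zone file rather than restart named.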
Once everything looks OK, restart the DNS service:
[root@dns named]# service named restart
Stopping named:                                            [  OK  ]
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]
Enable the named service in the default runlevels so it starts at boot:
[root@dns named]# chkconfig named on
[root@dns named]# chkconfig --list named
named           0:off   1:off   2:on    3:on    4:on    5:on    6:off
Deploy iptables rules to allow DNS traffic on port 53 (UDP for ordinary queries, TCP for responses too large for UDP and for zone transfers). Note that these commands append to the INPUT chain: on a stock install, where the saved ruleset already ends with a REJECT rule, the new rules land after it and are never reached, so flush the chain first (or edit /etc/sysconfig/iptables directly) and verify the order by listing the INPUT chain with line numbers:
[root@dns named]# iptables -A INPUT -i lo -j ACCEPT
[root@dns named]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@dns named]# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[root@dns named]# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
[root@dns named]# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
[root@dns named]# iptables -A INPUT -j DROP
Save the iptables using:
[root@dns named]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
It is good practice to restart iptables after a configuration change, so that what is running is exactly what was saved:
[root@dns named]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
Enable the iptables service in the default runlevels:
[root@dns named]# chkconfig iptables on
[root@dns named]# chkconfig --list iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
Restart the network service:
[root@dns ~]# service network restart
Shutting down interface eth0:  Device state: 3 (disconnected)             [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:  Active connection state: activated
Active connection path: /org/freedesktop/NetworkManager/ActiveConnection/2              [  OK  ]
Set the search domain and nameserver in /etc/resolv.conf so that the DNS server resolves names through itself. NetworkManager regenerates this file, so the settings should be made on the interface (as done for the nodes below) rather than by editing the file directly, or they will be overwritten:
[root@dns ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
search oracleapps.com
nameserver 192.168.0.67
Check the DNS server with the dig command. The aa flag in the answer confirms that the server is answering authoritatively for the zone rather than from cache:
[root@dns named]#  dig dns.oracleapps.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> dns.oracleapps.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3506
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;dns.oracleapps.com.            IN      A
;; ANSWER SECTION:
dns.oracleapps.com.     86400   IN      A       192.168.0.67
;; AUTHORITY SECTION:
oracleapps.com.         86400   IN      NS      dns.oracleapps.com.
;; Query time: 4 msec
;; SERVER: 192.168.0.67#53(192.168.0.67)
;; WHEN: Mon Nov  6 22:27:45 2017
;; MSG SIZE  rcvd: 66
Check name resolution for the hosts defined in the zone files:
[root@dns named]# nslookup rac1
Server:         192.168.0.67
Address:        192.168.0.67#53
Name:   rac1.oracleapps.com
Address: 192.168.0.101

[root@dns named]# nslookup rac2
Server:         192.168.0.67
Address:        192.168.0.67#53
Name:   rac2.oracleapps.com
Address: 192.168.0.102

[root@dns named]# nslookup rac-scan
Server:         192.168.0.67
Address:        192.168.0.67#53
Name:   rac-scan.oracleapps.com
Address: 192.168.0.122
Name:   rac-scan.oracleapps.com
Address: 192.168.0.123
Name:   rac-scan.oracleapps.com
Address: 192.168.0.121

Query the SCAN name again and note that the three addresses come back in a different order: BIND rotates the answers (round-robin), which is what spreads client connections across the SCAN listeners:
[root@dns named]# nslookup rac-scan
Server:         192.168.0.67
Address:        192.168.0.67#53
Name:   rac-scan.oracleapps.com
Address: 192.168.0.123
Name:   rac-scan.oracleapps.com
Address: 192.168.0.121
Name:   rac-scan.oracleapps.com
Address: 192.168.0.122
Configure DNS on Hosts

Log in to one of the host machines; here we configure the DNS settings on rac1.oracleapps.com.

Right-click the network icon on the task bar and select Edit Connections

Select System eth0 -> Edit

Check Connect automatically

Click tab IPv4 Settings
    Select Method to Manual from drop down list, then click Add and fill the following fields:
    Address: 192.168.0.101, Netmask: 255.255.255.0, Gateway: 192.168.0.1, DNS Servers: 192.168.0.67, Search domains: oracleapps.com
    Click Apply

Select System eth1 -> Edit then Check Connect automatically

Click tab IPv4 Settings
    Select Method to Manual from drop down list, then click Add and fill the following fields:
    Address: 192.168.1.101, Netmask: 255.255.255.0, Gateway: 192.168.1.1, DNS Servers: 192.168.0.67, Search domains: oracleapps.com
    Click Apply

Now restart the network service; /etc/resolv.conf should then reflect the nameserver and search entries:

[root@rac1 ~]# service network restart

[root@rac1 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.0.67
search oracleapps.com
nameserver 192.168.0.1
Once everything is set up, test name resolution with the nslookup command:
[root@rac1 ~]# nslookup rac1
Server:  192.168.0.67
Address: 192.168.0.67#53

Name: rac1.oracleapps.com
Address: 192.168.0.101

[root@rac1 ~]# nslookup rac2
Server:  192.168.0.67
Address: 192.168.0.67#53

Name: rac2.oracleapps.com
Address: 192.168.0.102

[root@rac1 ~]# nslookup rac1-priv
Server:  192.168.0.67
Address: 192.168.0.67#53

Name: rac1-priv.oracleapps.com
Address: 192.168.1.101

[root@rac1 ~]# nslookup rac-scan
Server:  192.168.0.67
Address: 192.168.0.67#53

Name: rac-scan.oracleapps.com
Address: 192.168.0.123
Name: rac-scan.oracleapps.com
Address: 192.168.0.121
Name: rac-scan.oracleapps.com
Address: 192.168.0.122

[root@rac1 ~]# nslookup rac-scan
Server:  192.168.0.67
Address: 192.168.0.67#53

Name: rac-scan.oracleapps.com
Address: 192.168.0.121
Name: rac-scan.oracleapps.com
Address: 192.168.0.122
Name: rac-scan.oracleapps.com
Address: 192.168.0.123

[root@rac1 ~]# nslookup 192.168.0.101
Server:  192.168.0.67
Address: 192.168.0.67#53

101.0.168.192.in-addr.arpa name = rac1.oracleapps.com.

[root@rac1 ~]# nslookup 192.168.1.101
Server:  192.168.0.67
Address: 192.168.0.67#53

101.1.168.192.in-addr.arpa name = rac1-priv.oracleapps.com.
Repeat the above settings on each node that should use DNS.
