Thread ID: 140080 2015-08-15 10:13:00 Linux gurus - need help with DNS server configuration chiefnz (545) Press F1
Post ID Timestamp Content User
1406703 2015-08-15 10:13:00 Please excuse the long post but I figure I need to provide as much info as possible - Disclaimer - I'm a Novice Linux user...

So I'm trying to set up a Linux based DNS server, this is for a uni assignment. I have managed to set up BIND, added the desired address to the various files as you will see below and I get no errors with bringing up/shutting down the named service... well not anymore after I discovered a few syntax errors in my "named.conf" file.

All of this is setup on VMware workstation; I'm using bridged connections as my home network is on the 192.168.15.0/24 network range already.

Domain - itc514.edu
Name server - williams.itc514.edu (running Centos 7 fully updated)
IP address - 192.168.15.100
Mask - 255.255.255.0
Gateway - 192.168.15.230
DNS - 192.168.15.100

client - centostest.itc514.edu
IP address - 192.168.15.101
Mask - 255.255.255.0
Gateway - 192.168.15.230
name server - 192.168.100

resolv.conf file on the client


# Generated by NetworkManager
domain itc514.edu
search itc514.edu
nameserver 192.168.15.100



resolv.conf on the DNS server



# Generated by NetworkManager
search itc514.edu
nameserver 192.168.15.100
nameserver 192.168.15.230



These are the DNS entries needed to "fulfil" the assignment;

host1 - 192.168.15.10
host2 - 192.168.15.11
host3 - 192.168.15.12
CNAME for host1 - www
CNAME for host2 - dc1

The problem - I can't resolve any of the host entries above from a linux client or a windows client.

Configuration files as follow; I think I have all the relevant ones, let me know if I need to post anything else;

named.conf on the DNS server

I removed the "listen on" lines for IPv4 and IPv6 so the server would listen on all - which I believe is the default? Even with the entries there name resolution still would not work



//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { 192.168.15.0/24 ; };
allow-transfer { localhost ; };

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no;

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint ;
file "named.ca";
};

zone "itc514.edu" IN {
type master;
file "forward.itc514";
allow-update { none; };
};
zone "15.168.192.in-addr.arpa" IN {
type master;
file "reverse.itc514";
allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

forward.itc514 - the forward lookup table



$TTL 86400
@ IN SOA williams.itc514.edu. root.itc514.edu. (
2011071001 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
@ IN NS williams.itc514.edu.
@ IN A 192.168.15.100
@ IN A 192.168.15.101
@ IN A 192.168.15.10
@ IN A 192.168.15.11
@ IN A 192.168.15.12
williams IN A 192.168.15.100
centostest IN A 192.168.15.101
host1 IN A 192.168.15.10
host2 IN A 192.168.15.11
host3 IN A 192.168.15.12
www IN CNAME host1.itc514.edu.
dc1 IN CNAME host2.itc514.edu.


reverse.itc514 - the reverse lookup table



$TTL 86400
@ IN SOA williams.itc514.edu. root.itc514.edu. (
2011071001 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
@ IN NS williams.itc514.edu.
@ IN PTR itc514.edu.
williams IN A 192.168.15.100
centostest IN A 192.168.15.101
host1 IN A 192.168.15.10
host2 IN A 192.168.15.11
host3 IN A 192.168.15.12
100 IN PTR williams.itc514.edu.
101 IN PTR centostest.itc514.edu.
10 IN PTR host1.itc514.edu.
11 IN PTR host2.itc514.edu.
12 IN PTR host3.itc514.edu.


ifcfg-eno16777736 config file for the vNIC on the DNS server. I note that this directory & file did not exist on the client machine.


TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="eth0"
UUID="4eedbe97-2983-4ca7-bddc-f4a1d0e3ddee"
DEVICE="eno16777736"
ONBOOT="yes"
HWADDR="00:0C:29:C5:8B:E7"
DNS1="192.168.15.100"
IPADDR="192.168.15.100"
PREFIX="24"
GATEWAY="192.168.15.230"
DNS1="192.168.15.100"
DNS2="192.168.15.230"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_PRIVACY="no"


This is the output from nslookup itc514.edu and dig itc514.edu




[root@centostest ~]# nslookup host1
Server: 192.168.15.230
Address: 192.168.15.230#53

** server can't find host1: NXDOMAIN

[root@centostest ~]# dig itc514.edu

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> itc514.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20520
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;itc514.edu. IN A

;; AUTHORITY SECTION:
edu. 894 IN SOA a.edu-servers.net. nstld.verisign-grs.com. 1439630262 1800 900 604800 86400

;; Query time: 447 msec
;; SERVER: 192.168.15.230#53(192.168.15.230)
;; WHEN: Sat Aug 15 21:18:03 NZST 2015
;; MSG SIZE rcvd: 114



Any pointers will be handy, I just need a fresh pair of eyes on the problem.
Thanks in advance.
chiefnz (545)
1406704 2015-08-15 23:06:00 Can your clients ping your DNS server? (i.e. is your VMware bridge working properly?)
What is 192.168.15.230? Your home router?
Both your posted lookups are querying that server.
What does dig & nslookup return if you specify to query 192.168.15.100?
fred_fish (15241)
1406705 2015-08-16 01:45:00 06:05
16.08.2015

In your "forward lookup table"
there is 192.168.15.100 and 192.168.15.101

I sorta think those should be NS entries, not IN.
even though you have IN PTR'ed them

Has it been specified that
192.168.15.100 and .101
are "NameServers" in the question?

check resolv.conf

Resolv.conf should be on the clients named www and dc1
Is resolv.conf something on DNS Server?

check both resolv.conf
They seem to not match:
resolv.conf file on the client
Code:

# Generated by NetworkManager
domain itc514.edu
search itc514.edu
(this should be on the nameserver?)
nameserver 192.168.15.100
(aren't there two nameservers?)

resolv.conf on the DNS server
Code:
# Generated by NetworkManager
search itc514.edu
nameserver 192.168.15.100
nameserver 192.168.15.230

Is it .230? or is it .101?

How to verify dns propagation:
nslookup
>server 192.168.15.100
>set querytype=CNAME

Then
[root@centostest ~]# nslookup www
[root@centostest ~]# nslookup dc1

if this doesn't work, I have to look into the question itself.
Check if this forum allows Private Messaging.

Thanks,
L.Mohan Arun
Google my name for this and that
This should work
lmohanarun (17390)
1406706 2015-08-16 01:52:00 16.08.2015
06:15

For uni assignments of this type
I advise preparing a MS-Word document
simplify the assignment.
Compare with the question.

Nameservers=x and y
Gateway=x
CNAME= x and y
Client IPs = host1, host2, host3 .10 .11 and .12
those are A records
Source: technet.microsoft.com

L.Mohan Arun
catchall at the rate of mohanarun (dotcom)
lmohanarun (17390)
1406707 2015-08-16 05:56:00 So problem solved...

The issue, or issues at least, was that I had both firewalld and iptables running as well; I did not know this from the start as nothing in the initial server install pointed to either of these being installed.
So first thing I did was disable "iptables" in favour of "firewalld". I did this mainly because I prefer to have the GUI option that "firewalld" comes with.

Next thing was to configure "firewalld" zones. I opted to set my network 192.168.15.0/24 as a "Trusted Zone" source and finally set an allow rule for "DNS" services.

Once this was done everything worked fine...
Thanks for the replies and suggestions. I've answered your various questions below for the sake of completeness and good forum etiquette.


Can your clients ping your DNS server? (i.e. is your VMware bridge working properly?)
What is 192.168.15.230? Your home router?
Both your posted lookups are querying that server.
What does dig & nslookup return if you specify to query 192.168.15.100?

Not a bridging issue. There is no problem with pinging any of the computers or the router.
Correct, it is my home router/gateway - I have deliberately put this in the config... I know it's not necessary but I configure all my computers this way.
NSLOOKUP command results in a "connection timeout" message.
DIG results in some random Internet based address being returned... which is obviously not correct.


06:05
16.08.2015

In your "forward lookup table"
there is 192.168.15.100 and 192.168.15.101

I sorta think those should be NS entries, not IN.
even though you have IN PTR'ed them

Has it been specified that
192.168.15.100 and .101
are "NameServers" in the question?

check resolv.conf

Resolv.conf should be on the clients named www and dc1
Is resolv.conf something on DNS Server?

check both resolv.conf
They seem to not match:
resolv.conf file on the client
Code:

# Generated by NetworkManager
domain itc514.edu
search itc514.edu
(this should be on the nameserver?)
nameserver 192.168.15.100
(aren't there two nameservers?)

resolv.conf on the DNS server
Code:
# Generated by NetworkManager
search itc514.edu
nameserver 192.168.15.100
nameserver 192.168.15.230

Is it .230? or is it .101?

How to verify dns propagation:
nslookup
>server 192.168.15.100
>set querytype=CNAME

Then
[root@centostest ~]# nslookup www
[root@centostest ~]# nslookup dc1

if this doesn't work, I have to look into the question itself.
Check if this forum allows Private Messaging.

Thanks,
L.Mohan Arun
Google my name for this and that
This should work

100 is the DNS server and 101 is the client machine I'm using to test that DNS lookups work.
I know I don't need to have 101 in there but from a best practice point it's always good to have your statically assigned IPs in the lookup table... well I think so at least. I did remove the 101 entry once I got DNS working though.
In terms of having the 230 address in the resolv.conf file for the DNS server... again I know I don't need it there but it's a habit for me to designate the default gateway as one of my DNS servers.


16.08.2015
06:15

For uni assignments of this type
I advise preparing a MS-Word document
simplify the assignment.
Compare with the question.

Nameservers=x and y
Gateway=x
CNAME= x and y
Client IPs = host1, host2, host3 .10 .11 and .12
those are A records
Source: technet.microsoft.com

L.Mohan Arun
catchall at the rate of mohanarun (dotcom)
chiefnz (545)
1406708 2015-08-16 17:08:00 So first thing I did was disable "iptables" in favour of "firewalld". I did this mainly because I prefer to have the GUI option that "firewalld" comes with.

Iptables and firewalld are something about kernel component firewall.
Unrelated to the assignment!
The assignment is: setup a Linux based DNS server after installing BIND

Next thing was to configure "firewalld" zones. I opted to set my network 192.168.15.0/24 as a "Trusted Zone" source and finally set an allow rule for "DNS" services.

No-no. You don't "allow" DNS services, even though it seems to work in your case. I think I am right.
You don't set "Trusted Zone"; those are related to DMZs and that is not what the question is about!!

Name resolution is the function of DNS and is a resort whereby the computer resorts to
a "looksup" - lookup what is the IP address of a given text-based address to its equivalent IP address.

Setting "Trusted Zone" is not the answer!!

designate the default gateway as one of my DNS servers.
No-no. You have gotten the default gateway concept wrong.

The subnet mask, is a (1 & only) for each component of a set of IP Config.
The default gateway. is a (1 & only) for each component of a set of IP Config.
There could be Multiple addresses for DNS servers. (multiple, for each component of a set of IP config.)
Default gateway is different.
Don't set the default gateway as one of your DNS servers.
It is like... getting the basics wrong out of the horse's mouth.

100 is the DNS server and 101 is the client machine I'm using to test that DNS lookups work.
You should be testing from host1 and host2 (www and dc1) and NOT from 101.
Don't create any more IP addresses than necessary!!

This is incorrect on the DNS server's resolv.conf.
incorrect.
nameserver 192.168.15.230 <------------ incorrect avoid something .230 if not specified in the question.
solve the assignment with what the assignment tells you to. Don't invent any more than what has been specified as part of the assignment.

nameserver 192.168.15.100 <---- this is the DNS server, no need to specify the same nameserver IP in resolv.conf.

@ IN NS williams.itc514.edu.
@ IN A 192.168.15.100
@ IN A 192.168.15.101 <incorrect
@ IN A 192.168.15.10 <no-no=incorrect. I think this and .10. 11 and .12 lines to be deleted.
@ IN A 192.168.15.11 <delete delete
@ IN A 192.168.15.12 <delete delete
williams IN A 192.168.15.100
centostest IN A 192.168.15.101
host1 IN A 192.168.15.10
host2 IN A 192.168.15.11
host3 IN A 192.168.15.12
www IN CNAME host1.itc514.edu. <drop ".itc514" etc. just "host1" should do.
dc1 IN CNAME host2.itc514.edu.

L.Mohan Arun
Cisco Certified Network Associate (in the year 2000!)
6692

6691

16.08.2015
21:38
MohanArun dotcom
lmohanarun (17390)
1406709 2015-08-17 06:23:00 Your post doesn't format correctly on my phone, but it does sound like you've done way too much for something as simple as this.

The only changes required are inside named.conf.

I usually comment out the listen-on port 53, listen-on-v6 to none, allow-query and allow-transfer should be localhost and network, usually allow-transfer is if using a secondary DNS, not sure if there's any harm setting it though.

There's a lot more changes that is too much to list in the view internal section, and I can't remember it off the top of my head since I'm not staring at the named.conf file.

Also, for servers, you are better to get used to non-GUI ways, firewalld would be my default, so I would do 'firewall-cmd --add-service=dns --permanent' then reload it.

That's as simple as I can explain it, without being able to see your files.

Cheers,

KK

P.S. Hope you rank up in the Linux world, I've lived/loved it for millennia.
Kame (312)
1406710 2015-08-17 08:00:00 Ummm ok, the assignment isn't that complicated... well at least not for someone who has good Linux/networking background.
The purpose of the assignment is to get DNS working based on the following deliverables;

1) Set up the DNS configuration - this includes setting up 3 static host addresses in the "zone". These are the A records plus 2 CNAME records.

2) Prove or show that DNS resolution works from a different client on the same network.

3) There was no need for a firewall to be in place - but I configured the firewall as I saw fit to get DNS working... there is a caveat here that I most likely am not using best practice but this isn't an enterprise system so there are no specific firewall requirements. I could have just as easily disabled the firewall on the server and gotten the job done that way but I elected to use the firewall with a specific configuration to allow hosts from the "trusted zone" I set. I don't see this as a bad move, generally software firewalls are not installed on actual servers within the network, the firewall (appliance or whatever is in use) normally sits between the Internet and the internal network (my router has a firewall enabled and configured) so I didn't see an issue with this... it was good practice for me. I am aware that some businesses have "internal" and "external" firewalls but realistically this assignment did not require this level of consideration to be taken into account to answer the questions.

4) As for your comment about my understanding regarding gateways... if you read carefully I state that I know this is not the way it would normally be done but I chose to do this and have done for many years on my local network... again as per above this is not an enterprise environment... I removed the gateway entry as a 2nd nameserver in my final solution so that isn't an issue now.

5) I don't see what the DMZ suggestion has to do with anything, I am not trying to segregate this network from the "Internet" which is what I understand a DMZ to be for... in my opinion that's just complicating things.

Another point to note is that the deliverables in the assignment can be achieved in multiple ways... if there was a specific solution required from students then the questions would have been a lot more detailed and would include things like firewall configurations and DMZ etc.


So first thing I did was disable "iptables" in favour of "firewalld". I did this mainly because I prefer to have the GUI option that "firewalld" comes with.

Iptables and firewalld are something about kernel component firewall.
Unrelated to the assignment!
The assignment is: setup a Linux based DNS server after installing BIND

Next thing was to configure "firewalld" zones. I opted to set my network 192.168.15.0/24 as a "Trusted Zone" source and finally set an allow rule for "DNS" services.

No-no. You don't "allow" DNS services, even though it seems to work in your case. I think I am right.
You don't set "Trusted Zone"; those are related to DMZs and that is not what the question is about!!

Name resolution is the function of DNS and is a resort whereby the computer resorts to
a "looksup" - lookup what is the IP address of a given text-based address to its equivalent IP address.

Setting "Trusted Zone" is not the answer!!

designate the default gateway as one of my DNS servers.
No-no. You have gotten the default gateway concept wrong.
.........
edited for the sake of brevity


Thanks Kame, yes I agree and you're probably right, there is likely to be an easier/simpler way for me to have done this but I have to say the learning experience I got out of this is immeasurable and for the 1st time (out of many attempts) I don't feel like using Linux is too difficult... it is just different and having been a Windows slave for so long I have found this a very gratifying undertaking.

Thanks for all the advice and tips. I'm likely to run into more issues when the next assignment comes around but I'm geared up for it which is exciting for me.

Cheers,


Your post doesn't format correctly on my phone, but it does sound like you've done way too much for something as simple as this.

The only changes required are inside named.conf.

I usually comment out the listen-on port 53, listen-on-v6 to none, allow-query and allow-transfer should be localhost and network, usually allow-transfer is if using a secondary DNS, not sure if there's any harm setting it though.

There's a lot more changes that is too much to list in the view internal section, and I can't remember it off the top of my head since I'm not staring at the named.conf file.

Also, for servers, you are better to get used to non-GUI ways, firewalld would be my default, so I would do 'firewall-cmd --add-service=dns --permanent' then reload it.

That's as simple as I can explain it, without being able to see your files.

Cheers,

KK

P.S. Hope you rank up in the Linux world, I've lived/loved it for millennia.
chiefnz (545)
1406711 2015-08-18 06:24:00 I managed to take a look at your configs when I was on a computer, now I am back on my phone.

First off, misconception about firewalls, they are all software based, what you are specifically mentioning is hardware dedicated for firewall only filtering. As in that was what their purpose was built for.

I gave you the commands to set it correctly, I see you just added your network to the trusted zone, in other words, you may as well have just disabled it.

systemctl stop firewalld; systemctl disable firewalld

Instead of deleting lines from your configs, commenting them out is better practice. So you should have commented (#) the listen on port and should have made the v6 none if you don't use IPv6.

Also I would disable IPv6 in your grub config. Another thing, I would turn off SELinux unless you know how to correctly configure policies for it.

To alter your network manager configs, we use nmcli; usually you list the devices to get the name, and if you prefer old naming conventions, you also add a command into the grub config to revert back to those ways.

Anyways, apart from that, your configs look sort of OK except I am uncertain if your SOA serial reflects the changes you have made in your records, any changes need to increment your serial as this information remains cached and does not renew unless serial is incremented or it reaches its expiry length of time.

If I wasn't on my phone, I would have set up a few virtual machines based on your information and shown you my end results of my configs etc. that would work for you, but more importantly, kept the file looking clean and manageable. It's good to do housekeeping, leave yourself comments, because it can be months or years when you return to those configs and if you're not constantly looking at them, you do forget a lot. I had to rethink most of this again as it's a set-and-forget job once it's set up correctly.

Cheers,

KK
Kame (312)
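A small consistency check for the posted zone files, written as an added example for this thread (it is not code from any poster or from BIND). It parses trimmed, constructed copies of the forward and reverse zones and flags the points the replies raised: the extra A records at the apex, A records with no matching PTR, A records sitting in the reverse zone, and an SOA serial that predates the edits (the 2015-08-15 thread date is assumed as the edit date).

```python
import re
from datetime import date

# Trimmed, constructed copies of the forward and reverse zones posted above.
FORWARD = """\
$TTL 86400
@ IN SOA williams.itc514.edu. root.itc514.edu. (
    2011071001 ;Serial
    3600 1800 604800 86400 )
@ IN NS williams.itc514.edu.
@ IN A 192.168.15.100
@ IN A 192.168.15.10
host1 IN A 192.168.15.10
host2 IN A 192.168.15.11
www IN CNAME host1.itc514.edu.
dc1 IN CNAME host2.itc514.edu.
"""
REVERSE = """\
@ IN SOA williams.itc514.edu. root.itc514.edu. ( 2011071001 3600 1800 604800 86400 )
host1 IN A 192.168.15.10
10 IN PTR host1.itc514.edu.
"""

def fqdn(name, origin):
    """Owner names and targets are relative to the origin unless they end in a dot."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
def parse_zone(text, origin):
    """Return (soa_serial, [(owner, type, rdata_tokens)]) for the simple syntax above."""
    serial, records, buf = None, [], ""
    for raw in text.splitlines():
        buf = (buf + " " + raw.split(";", 1)[0]).strip()  # drop ; comments
        if not buf or buf.count("(") > buf.count(")"):
            continue  # blank line, or still inside a multi-line ( ... ) record
        toks, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        if toks[0].startswith("$"):
            continue  # $TTL / $ORIGIN directives are not records
        rest = toks[2:] if toks[1] == "IN" else toks[1:]
        if rest[0] == "SOA":
            serial = int(rest[3])  # SOA MNAME RNAME SERIAL ...
        records.append((fqdn(toks[0], origin), rest[0], rest[1:]))
    return serial, records
def serial_date(serial):
    """Date encoded in a YYYYMMDDnn serial, or None if it is not date-based."""
    m = re.fullmatch(r"(\d{4})(\d{2})(\d{2})\d{2}", str(serial))
    try:
        return date(*map(int, m.groups())) if m else None
    except ValueError:
        return None
def lint(fwd_text=FORWARD, fwd_origin="itc514.edu.", rev_text=REVERSE,
         rev_origin="15.168.192.in-addr.arpa.", edited_on=date(2015, 8, 15)):
    """Cross-check the two zones for the problems raised in the replies."""
    out = []
    fserial, fwd = parse_zone(fwd_text, fwd_origin)
    rserial, rev = parse_zone(rev_text, rev_origin)
    a = {o: r[0] for o, t, r in fwd if t == "A"}
    apex = [r[0] for o, t, r in fwd if t == "A" and o == fwd_origin]
    if len(apex) > 1:  # the posted zone gave the bare domain every host's address
        out.append(f"{fwd_origin} has {len(apex)} A records at the apex")
    for o, t, r in fwd:
        if t == "CNAME" and fqdn(r[0], fwd_origin) not in a:
            out.append(f"CNAME {o} -> {r[0]} has no A record in the zone")
    ptr = {o: r[0] for o, t, r in rev if t == "PTR"}
    for o, ip in a.items():
        rev_owner = ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
        if o != fwd_origin and ptr.get(rev_owner) != o:
            out.append(f"{o} ({ip}) has no matching PTR in {rev_origin}")
    out += [f"A record {o} does not belong in the reverse zone" for o, t, _ in rev if t == "A"]
    for origin, serial in ((fwd_origin, fserial), (rev_origin, rserial)):
        d = serial_date(serial)
        if d and d < edited_on:  # stale serial: caches and secondaries keep the old copy
            out.append(f"{origin} serial {serial} predates the {edited_on} edits")
    return out
```

Running `lint()` on the embedded copies reports five findings; point it at your own files with `lint(open("forward.itc514").read(), "itc514.edu.", ...)` to check a real pair.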
1406712 2015-08-18 08:14:00 Hi KAME,

All valid points and I don't disagree with any of it. I guess being in the throes of trying to complete studies and work full-time leaves a lot of room for not learning what best practice is. Time works against you and as you pointed out, if I had the time I would most definitely have tried to get it "right" the first time round so that I could "set it and forget it".

Definitely invigorated with this new experience and keen to power on once I have more time. I'm even considering a Linux based desktop OS to use so that I can improve my knowledge.

Cheers,
chiefnz (545)