Thursday, 13 September 2007

Enslaving a bind DNS server on CentOS

One thing I have been trying to accomplish ever since I commissioned our server in Manchester almost 9 months ago now is getting it set up as a secondary DNS server. I have finally accomplished this, and it is an experience worth sharing. There are many howtos on the Internet that tell you how to set up a DNS server on Windows or Linux, but what I was after was to set up BIND on Linux as a failover for our main Microsoft DNS server, and this is a far less well documented scenario. Also, contrary to what you might read, it's actually really easy; just don't step off the path!

For those of you who don't know, DNS is the system that marshals traffic around the Internet; for example, in the absence of DNS you would have to type in 72.21.206.5 instead of amazon.com to get to your favourite e-commerce merchant :o). So DNS is important for the Internet, but as local networks are now very much modelled on the Internet scheme, without DNS it also becomes very difficult to manage your network in a user-friendly manner. Which, as usual, is great until it breaks!

So very quickly, as your office network becomes more central to the workings of your business, it is natural to want a secondary system in case the first one breaks, especially when you are using a VPN as we are, since the loss of our central DNS server would render our remote systems unusable as well. So that's the background; here is the solution to setting up a secondary DNS server using BIND on Linux as a slave to an Active Directory DNS server. Bear in mind this is for CentOS 4.5 (RHEL 4 equivalent) using the command line; if you are using a GUI, just use the GUI tool!

1. On the Microsoft box open DNS and right-click on the forward lookup zone you wish to replicate, e.g. somebiz.local. Under 'Name Servers' add the IP address of your Linux box.
2. If you have already been playing, completely remove your existing BIND installation (yum remove bind), and trash any files in /var/named/chroot/var/named.
3. Run yum install bind to install a fresh one.
4. Paste the following into /var/named/chroot/var/etc/named.conf


// Red Hat BIND Configuration Tool
// Default initial "Caching Only" name server configuration

options { directory "/var/named"; };

zone "mydomain.local" IN {
type slave;
file "slaves/mydomain.local";
masters { xxx.xxx.xxx.xxx port 53;};
};

include "/etc/rndc.key";

5. Substitute your domain for mydomain.local and your Active Directory server's IP address for the xxx.xxx.xxx.xxx placeholder.

6. Run service named start and make a cuppa, because you're done!

Obviously this is not a comprehensive look at the subject; there is an awful lot more to play with in BIND, but that really is all you need to do to get going. Hope it helps.
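Once named is running, the quickest way to confirm the slave actually pulled the zone (rather than just starting cleanly) is to compare the SOA serial it serves with the one on the Active Directory server. The script below is an added example, not part of the original post; it assumes dig from bind-utils is installed, and the IP addresses in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: check that a BIND secondary holds a current copy of a zone
# by comparing the SOA serial it answers with against the master's.
# Requires `dig` (bind-utils). DIG can be overridden for testing.

# Print the SERIAL field from a `dig +short SOA` answer line.
# Answer shape (constructed sample):
#   "ns1.example. admin.example. 2007091301 3600 600 86400 3600"
soa_serial() {
    # SOA RDATA order: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
    set -- $1
    printf '%s\n' "$3"
}

# Ask server $1 for the SOA of zone $2; print its serial, fail if no answer.
serial_from() {
    answer=$(${DIG:-dig} +short +time=3 +tries=1 "@$1" "$2" SOA 2>/dev/null) || return 1
    [ -n "$answer" ] || return 1
    soa_serial "$answer"
}

# Compare master ($1) and slave ($2) serials for zone $3.
# Returns 0 when in sync, 1 when stale, 2 when a server gave no SOA.
check_zone_sync() {
    master=$1; slave=$2; zone=$3
    m=$(serial_from "$master" "$zone") || { echo "no SOA for $zone from master $master"; return 2; }
    s=$(serial_from "$slave" "$zone")  || { echo "no SOA for $zone from slave $slave (zone not transferred?)"; return 2; }
    if [ "$m" = "$s" ]; then
        echo "OK: $zone serial $m on both $master and $slave"
        return 0
    fi
    echo "STALE: $zone master=$m slave=$s (check that transfers are allowed and see the named log)"
    return 1
}

# Usage: ./check_zone_sync.sh <ad-server-ip> <bind-slave-ip> mydomain.local
if [ "$#" -eq 3 ]; then
    check_zone_sync "$1" "$2" "$3"
fi
```

A "no SOA" result on the slave usually means the transfer never happened, while a serial mismatch that persists past the zone's refresh interval points at a transfer that is being refused.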

5 comments:

JBC said...

Hey again Kieron,

Don't know if you remember me but my name is Jack Loftus, News Writer for SearchEnterpriselinux.com.

Would you care to talk a bit more about this for a quick article/tip on our site? We're trying to expand coverage to include apps like BIND, etc., and how people are deploying and using them on Linux.

I can be reached at jloftus@techtarget.com

Thanks!

-jack

A. Farber said...

Awesome, thanks for your post - it has got me started. I suggest two more things though:

1) Add "check-names ignore;" to get rid of warnings about underscores in names
2) Add a reverse zone.

Here is a config which works for me, Win2003 -> CentOS 5.2:

http://lists.centos.org/pipermail/centos/2009-March/073023.html

options { directory "/var/named"; };

zone "internal.mycompany.com" IN {
type slave;
file "slaves/internal.mycompany.com";
masters { 10.121.42.40 port 53;};
check-names ignore;
};

zone "121.10.in-addr.arpa" IN {
type slave;
file "slaves/10.121";
masters { 10.121.42.40 port 53;};
check-names ignore;
};

include "/etc/rndc.key";

Unknown said...

This is great info. One other step that confounded me is:

In the same dialog box where you enter your Linux nameserver IP Address: click on the Zone Transfer tab to make sure Transfers are allowed. Otherwise it just won't work!

Thanks again!

Unknown said...

Hi,

I just wanted to say that I really enjoyed your blog and this post. You make some very informative points. Keep up the great work!

-
Delphi development

Anonymous said...

Just popping in to say nice site.

A view from the rack is the personal blog of an IT manager who works for a pub company - hence beer