Here are the steps to configure local nameservers, which will help you resolve DNS for local resources installed on the LAN and give faster nslookup queries, resolving names quickly for intranet users.
1. Install packages :
#yum install bind bind-chroot bind-libs bind-utils caching-nameserver
2. Configure RNDC :
#cd /var/named/chroot/etc
#rndc-confgen > rndc.key
# chown root:named rndc.key
3. Edit rndc.key so that it looks like this; you may need to comment out some lines in it.
[root@rc-025 ~]# cat /var/named/chroot/etc/rndc.key | sed '/ *#/d; /^ *$/d'
// Control-channel key shared by rndc and named.  The secret below is only the
// author's example: never copy it -- use the value rndc-confgen generated on
// your own host, and keep the algorithm rndc-confgen emitted (recent versions
// generate hmac-sha256; hmac-md5 is deprecated).  Whoever holds this secret can
// stop or reconfigure named, so keep the file root:named with mode 640.
// The same key statement must appear, byte for byte, in named.conf.
key "rndckey" {
algorithm hmac-md5;
secret "f5wyuMBPnEZBbO/333L4ig==";
};
4. Configure /var/named/chroot/etc/named.conf
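// we include the rndckey (copy-paste from rndc.key created earlier);
// algorithm and secret must match rndc.key exactly, and the secret shown here
// is only an example -- use the one rndc-confgen generated on your host
key "rndckey" {
algorithm hmac-md5;
secret "f5wyuMBPnEZBbO/333L4ig==";
};
// this server is 192.168.0.1 (second NIC 192.168.0.25) serving 192.168.0.0/24
controls {
// local rndc only; anyone presenting the key may reload or stop the server
inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndckey"; };
// enable only if rndc is run from other hosts, and then list those hosts
// instead of the whole subnet:
// inet 192.168.0.1 allow { 192.168.0.0/24; } keys { "rndckey"; };
};
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
recursion yes;
// recursive lookups for loopback and the LAN only, never for the internet
allow-recursion {
127.0.0.1;
192.168.0.0/24;
};
// upstream resolvers tried before the root hints (the author's two ISP
// resolvers; replace them with your own)
forwarders {
125.2.4.12;
20.8.23.3;
};
listen-on {
127.0.0.1;
192.168.0.1;
192.168.0.25;
};
/*
* Leave query-source at its default.  Pinning the outgoing port to 53 makes
* every upstream query predictable, which defeats source-port randomisation
* and makes cache poisoning far easier.  Only set it if a firewall forces
* you to, and prefer fixing the firewall rule instead.
*/
// query-source address * port 53;
// so people can't try to guess what version you're running
version "REFUSED";
// answer queries for loopback and the LAN only
allow-query {
127.0.0.1;
192.168.0.0/24;
};
// no zone transfers unless a zone explicitly allows its secondary
allow-transfer { none; };
};
// TSIG key used when talking to 192.168.0.1 -- this server's own address, so
// the statement is harmless but unnecessary; if you later sign transfers or
// notifies, generate a separate TSIG key rather than reusing the rndc secret
server 192.168.0.1 {
keys { rndckey; };
};
zone "." IN {
type hint;
file "named.ca";
};
// forward zone: the zone name must match the origin of the records in the
// zone file (mydomain.local), otherwise named rejects them as out of zone
zone "mydomain.local" IN {
type master;
file "data/mydomain.local.zone";
allow-update { none; };
// we assume we have a slave dns server with the IP 192.168.254.101
// (use your secondary's real address; this one is outside 192.168.0.0/24)
// allow-transfer { 192.168.254.101; };
};
// reverse zone
zone "0.168.192.in-addr.arpa" IN {
type master;
file "data/192.168.0.zone";
allow-update { none; };
// we assume we have a slave dns server with the IP 192.168.254.101
// allow-transfer { 192.168.254.101; };
};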
Here,
1. I added the rndckey created earlier to the config file.
key "rndckey" {
algorithm hmac-md5;
secret "f5wyuMBPnEZBbO/333L4ig==";
};
2. The DNS server IP is 192.168.0.1 and the network is 192.168.0.0/24.
3. The DNS forwarder name server IP addresses are 125.2.4.12 and 20.8.23.3 (from different ISPs).
4. listen-on: my name server listens on two NICs (failover), 192.168.0.1 and 192.168.0.25.
5. forward zone: my forward zone name is "mydomain.local".
6. reverse zone: my reverse zone name is "0.168.192.in-addr.arpa".
Now you need to create your first Forward DNS Zone,
#vi /var/named/chroot/var/named/data/mydomain.local.zone
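$TTL 38400
; SOA: the primary name server, then the admin mailbox (admin@mydomain.local
; with the @ written as a dot).  Increment the serial on every edit, or
; secondaries will never pick up the change.
mydomain.local. IN SOA ns.mydomain.local. admin.mydomain.local. (
2007020400 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
mydomain.local. IN NS ns.mydomain.local.
mydomain.local. IN MX 1 mx.mydomain.local.
mydomain.local. IN MX 5 mx2.mydomain.local.
; canonical host names -- these are the PTR targets in the reverse zone, so
; forward-confirmed reverse DNS checks (and "nslookup rc-001") succeed
rc-001.mydomain.local. IN A 192.168.0.1
rc-014.mydomain.local. IN A 192.168.0.14
rc-025.mydomain.local. IN A 192.168.0.25
rc-026.mydomain.local. IN A 192.168.0.26
; service names
www.mydomain.local. IN A 192.168.0.1
ns.mydomain.local. IN A 192.168.0.1
ns1.mydomain.local. IN A 192.168.0.1
ns2.mydomain.local. IN A 192.168.0.8
mx.mydomain.local. IN A 192.168.0.26
mx2.mydomain.local. IN A 192.168.0.26
mail.mydomain.local. IN CNAME mx.mydomain.local.
intranet.mydomain.local. IN A 192.168.0.14
Admin-PC.mydomain.local. IN A 192.168.0.90
; host names may not contain '_': named refuses to load A records with such
; owner names under the default "check-names master fail", so the original
; secured_share / dev_sites are spelled with hyphens
secured-share.mydomain.local. IN A 192.168.0.40
news.mydomain.local. IN A 192.168.0.14
dev-sites.mydomain.local. IN A 192.168.0.14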
Now you need to create your first Reverse DNS Zone,
# vi /var/named/chroot/var/named/data/192.168.0.zone
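$TTL 24h
; SOA: MNAME is the zone's primary name server and RNAME the admin mailbox;
; both must end with a trailing dot, otherwise named appends the zone origin
; (the original "root.mydomain.local" became root.mydomain.local.0.168.192.in-addr.arpa.)
0.168.192.in-addr.arpa. IN SOA ns.mydomain.local. root.mydomain.local. (
2007062800 ; serial number -- bump on every change
3h ; refresh time
30m ; retry time
7d ; expire time
3h ; negative caching ttl
)
; Nameservers
0.168.192.in-addr.arpa. IN NS ns.mydomain.local.
; Hosts -- one PTR per address, naming the canonical host.  Several PTRs for
; one address (the original had rc-026, mx and mx2 for .26) are legal but
; clients usually act on the first only; for the mail server make sure the
; PTR target has a matching A record in the forward zone, which is what
; receivers check for forward-confirmed reverse DNS.
26.0.168.192.in-addr.arpa. IN PTR rc-026.mydomain.local.
25.0.168.192.in-addr.arpa. IN PTR rc-025.mydomain.local.
14.0.168.192.in-addr.arpa. IN PTR rc-014.mydomain.local.
1.0.168.192.in-addr.arpa. IN PTR rc-001.mydomain.local.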
5. Start the service and make sure it’ll start at boot
#service named start
#chkconfig named on
6. Now you need to configure your resolv.conf file
[root@rc-025 ~]# cat /etc/resolv.conf
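search mydomain.local
# resolv.conf comments start with '#' or ';' (not '//')
# local DNS, queried first
nameserver 127.0.0.1
# ISP name server: only tried when 127.0.0.1 does not answer (after a
# timeout), and it cannot resolve intranet names -- so a dead local named
# shows up as slow lookups rather than as failures
nameserver 125.224.7.125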
7. Make sure it’s running,
[root@rc-025 ~]# rndc status
number of zones: 2
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running
8. Verifying DNS is working and local names are resolved.
Execute the command after logging in to the DNS server.
[root@rc-025 ~]# nslookup rc-001
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: rc-001.mydomain.local
Address: 192.168.0.1
9. Verifying the external domain nslookup query is resolved,
[root@rc-025 ~]# nslookup google.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: google.com
Address: 209.85.231.104
10. Verifying that reverse DNS is working: test it with the host command against this nameserver's IP, e.g. host 192.168.0.1, which should return a valid message like this,
[root@rc-025 ~]#
host 192.168.0.1
1.0.168.192.in-addr.arpa domain name pointer rc-001.mydomain.local
Verifying that my mail server has RDNS set:
[root@rc-025 ~]# host 192.168.0.26
26.0.168.192.in-addr.arpa domain name pointer rc-026.mydomain.local.
[root@rc-025 ~]#
Now everything is set and ready to go!
Please note that Windows desktops will not accept a name server IP that has no RDNS set; this will lead to slow internet access.
-njoy