# Setup DNS server
###### tags: `dns` `bind9`
Set up master and slave DNS servers (BIND 9.11) on Rocky Linux 8.4.
Servers:
- Master DNS server
  - Hostname: masterdns.homelab.com
  - IP: 192.168.122.66/24
- Slave DNS server
  - Hostname: slavedns.homelab.com
  - IP: 192.168.122.67/24
- Client
  - Hostname: clientdns.homelab.com
  - IP: 192.168.122.65/24
#### Preparation
###### 1. yum update
```
$ sudo yum update -y
```
###### 2. enable dmesg logging
create /etc/systemd/system/dmesg.service
```
[Unit]
Description=Create /var/log/dmesg on boot
ConditionPathExists=/var/log/dmesg
[Service]
ExecStart=/usr/bin/dmesg
StandardOutput=file:/var/log/dmesg
[Install]
WantedBy=multi-user.target
```
create /var/log/dmesg (the unit's `ConditionPathExists` requires it) and restore its SELinux context
```
$ touch /var/log/dmesg
$ restorecon -v /var/log/dmesg
```
enable dmesg
```
$ systemctl enable dmesg
```
###### 3. enable syslog/messages
```
$ yum install rsyslog -y
$ systemctl enable rsyslog --now
```
#### Setup Master DNS server
###### 1. configure hostname
```
$ hostnamectl set-hostname masterdns.homelab.com
```
###### 2. install bind packages
```
[root@masterdns ~]# yum install bind bind-utils -y
Last metadata expiration check: 1:05:08 ago on Wed 11 May 2022 09:24:17 AM AEST.
Package bind-utils-32:9.11.26-6.el8.x86_64 is already installed.
Dependencies resolved.
====================================================================================================================
Package Architecture Version Repository Size
====================================================================================================================
Installing:
bind x86_64 32:9.11.26-6.el8 appstream 2.1 M
Transaction Summary
====================================================================================================================
Install 1 Package
Total download size: 2.1 M
Installed size: 4.5 M
Downloading Packages:
bind-9.11.26-6.el8.x86_64.rpm 3.1 MB/s | 2.1 MB 00:00
--------------------------------------------------------------------------------------------------------------------
Total 1.6 MB/s | 2.1 MB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: bind-32:9.11.26-6.el8.x86_64 1/1
Installing : bind-32:9.11.26-6.el8.x86_64 1/1
Running scriptlet: bind-32:9.11.26-6.el8.x86_64 1/1
Verifying : bind-32:9.11.26-6.el8.x86_64 1/1
Installed:
bind-32:9.11.26-6.el8.x86_64
Complete!
```
###### 3. enable and start dns service
```
[root@masterdns ~]# systemctl enable named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@masterdns ~]# systemctl start named
[root@masterdns ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2022-05-11 10:35:43 AEST; 5s ago
Process: 2572 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 2569 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkcon>
Main PID: 2574 (named)
Tasks: 4 (limit: 11405)
Memory: 57.9M
CGroup: /system.slice/named.service
└─2574 /usr/sbin/named -u named -c /etc/named.conf
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './NS/IN': 2001:500:2::c#53
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './NS/IN': 2001:7fd::1#53
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#>
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
```
The `network unreachable` lines are named priming the root hints over IPv6 on a host that has no IPv6 route; they are harmless. To silence them, start named IPv4-only by putting `OPTIONS="-4"` in /etc/sysconfig/named (the unit passes `$OPTIONS` to named, as the `ExecStart` line above shows).
```
[root@masterdns ~]# named -v
BIND 9.11.26-RedHat-9.11.26-6.el8 (Extended Support Version) <id:3ff8620>
```
###### 4. configure DNS (BIND) named.conf
Edit /etc/named.conf: change the directives below inside the `options` block, then add the two `zone` statements after it. The reverse zone for 192.168.122.0/24 is `122.168.192.in-addr.arpa` (the network octets reversed, no host octet); that is the name the slave configuration and the SOA in the `dig -x` output further down refer to.
```
listen-on port 53 { 127.0.0.1; 192.168.122.66; }; # add master DNS server IP
allow-query { localhost; 192.168.122.0/24; };     # only the lab subnet may query
allow-transfer { localhost; 192.168.122.67; };    # only the slave may pull (AXFR) the zones
recursion no;                                     # authoritative only, no recursion for clients

zone "homelab.com" IN {                           # forward zone for the domain
    type master;
    file "forward.homelab";                       # relative to directory "/var/named"
    allow-update { none; };                       # no dynamic updates
};
zone "122.168.192.in-addr.arpa" IN {              # reverse zone for 192.168.122.0/24
    type master;
    file "reverse.homelab";
    allow-update { none; };
};
```
###### 5. create zone files
```
$ cd /var/named/
$ touch forward.homelab
$ touch reverse.homelab
```
edit forward.homelab file
```
$TTL 86400 ; 24 hours could have been written as 24h or 1D
@ IN SOA masterdns.homelab.com. root.homelab.com. (
2022051101 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; minimum
)
; name servers
@ IN NS masterdns.homelab.com.
@ IN NS slavedns.homelab.com.
; name server to IP resolve
@ IN A 192.168.122.66
@ IN A 192.168.122.67
masterdns IN A 192.168.122.66
slavedns IN A 192.168.122.67
kmaster IN A 192.168.122.10 ; k8s master node
```
edit reverse.homelab. A reverse zone holds PTR records only; A records do not belong in an in-addr.arpa file. The PTR target must be a dot-terminated FQDN: `10 IN PTR kmaster.` is the absolute single-label name `kmaster.`, and `10 IN PTR kmaster` would be expanded under the reverse zone's origin instead of homelab.com.
```
$TTL 86400 ; 24 hours could have been written as 24h or 1D
@ IN SOA masterdns.homelab.com. root.homelab.com. (
2002022401 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; minimum
)
; name servers
@ IN NS masterdns.homelab.com.
@ IN NS slavedns.homelab.com.
; IP to hostname: the owner is the last octet, relative to 122.168.192.in-addr.arpa
66 IN PTR masterdns.homelab.com.
67 IN PTR slavedns.homelab.com.
10 IN PTR kmaster.homelab.com.
```
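The mistakes that creep in when the reverse zone is maintained by hand (A records copied into the in-addr.arpa file, a PTR target without its trailing dot) go away if the PTR records are generated from the forward zone. The following script is an added example, not part of the original page: it derives the in-addr.arpa zone name for a /24 and emits PTR records from the A records of a BIND forward zone file, always qualifying the target to a dot-terminated FQDN. The sample forward zone inside it is constructed from this page's records; with a real file run `ptr_records homelab.com < /var/named/forward.homelab`. Apex (`@`) A records are skipped on purpose, so each address gets one PTR pointing at its host, not at the domain.

```shell
#!/bin/sh
# Added example, not from the original page: derive the reverse zone name for a /24
# and generate PTR records from the A records of a BIND forward zone file.
# Assumes one A record per line with an explicit owner name (as in this page's zone files).

# reverse_zone_name NETWORK/24  -> e.g. 192.168.122.0/24 -> 122.168.192.in-addr.arpa
reverse_zone_name() {
    net=${1%/*}
    prefix=${1#*/}
    if [ "$prefix" != "24" ]; then
        echo "reverse_zone_name: only /24 networks are handled" >&2
        return 1
    fi
    echo "$net" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}

# ptr_records ORIGIN  (forward zone file on stdin)
# Prints "<last octet> IN PTR <fqdn>." for every A record. Relative owner names are
# qualified with ORIGIN and the target always ends with a dot, so it is never
# re-expanded under the reverse zone's origin. Apex (@) A records get no PTR.
ptr_records() {
    awk -v origin="$1" '
        { sub(/;.*/, "") }                       # drop comments
        NF == 0 { next }                         # skip blank lines
        $0 ~ /[ \t]A[ \t]+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[ \t]*$/ {
            owner = $1; addr = $NF
            if (owner == "@") next
            if (owner !~ /\.$/) owner = owner "." origin "."
            split(addr, o, ".")
            printf "%s\tIN\tPTR\t%s\n", o[4], owner
        }'
}

# Constructed sample modelled on this page's forward.homelab (not a captured file).
sample_forward_zone() {
    cat <<'EOF'
$TTL 86400
@ IN SOA masterdns.homelab.com. root.homelab.com. (
2022051101 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; minimum
)
@ IN NS masterdns.homelab.com.
@ IN NS slavedns.homelab.com.
@ IN A 192.168.122.66
@ IN A 192.168.122.67
masterdns IN A 192.168.122.66
slavedns IN A 192.168.122.67
kmaster IN A 192.168.122.10 ; k8s master node
EOF
}

# Demo with the constructed sample; real use:
#   ptr_records homelab.com < /var/named/forward.homelab
reverse_zone_name 192.168.122.0/24
sample_forward_zone | ptr_records homelab.com
```

Paste the output under the SOA and NS records of reverse.homelab, bump the serial, and run `named-checkzone 122.168.192.in-addr.arpa /var/named/reverse.homelab` before reloading.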
###### 6. restart named
```
[root@masterdns named]# systemctl restart named
[root@masterdns named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2022-05-11 15:44:14 AEST; 5s ago
Process: 3558 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, >
Process: 3944 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 3941 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkcon>
Main PID: 3946 (named)
Tasks: 4 (limit: 11405)
Memory: 53.7M
CGroup: /system.slice/named.service
└─3946 /usr/sbin/named -u named -c /etc/named.conf
May 11 15:44:14 masterdns.homelab.com named[3946]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
May 11 15:44:14 masterdns.homelab.com named[3946]: network unreachable resolving './NS/IN': 2001:500:2::c#53
May 11 15:44:14 masterdns.homelab.com named[3946]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
May 11 15:44:14 masterdns.homelab.com named[3946]: network unreachable resolving './NS/IN': 2001:dc3::35#53
May 11 15:44:14 masterdns.homelab.com named[3946]: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
May 11 15:44:14 masterdns.homelab.com named[3946]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
May 11 15:44:14 masterdns.homelab.com named[3946]: network unreachable resolving './DNSKEY/IN': 2001:500:2d::d#53
May 11 15:44:14 masterdns.homelab.com named[3946]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
May 11 15:44:14 masterdns.homelab.com named[3946]: managed-keys-zone: Key 20326 for zone . acceptance timer complet>
May 11 15:44:14 masterdns.homelab.com named[3946]: resolver priming query complete
```
###### 7. permit TCP and UDP port 53 in the firewall
Zone transfers and answers too large for UDP use TCP, so both protocols must be open (firewalld's predefined `dns` service, `--add-service=dns`, opens the same pair).
```
[root@masterdns named]# firewall-cmd --permanent --add-port=53/tcp
success
[root@masterdns named]# firewall-cmd --permanent --add-port=53/udp
success
[root@masterdns named]# firewall-cmd --reload
success
```
###### 8. check bind config
`named-checkconf` validates the syntax of named.conf. `named-checkzone` loads a zone file relative to the origin you pass, so pass the zone name from the matching `zone` statement: a file checked under the wrong origin still loads (every record is syntactically valid relative to it) and prints OK without validating the zone that is actually served. Both checks must end with `OK`.
```
[root@masterdns named]# named-checkconf /etc/named.conf
[root@masterdns named]# named-checkzone homelab.com /var/named/forward.homelab
zone homelab.com/IN: loaded serial 2002022401
OK
[root@masterdns named]# named-checkzone 122.168.192.in-addr.arpa /var/named/reverse.homelab
```
#### Configure client and test DNS
###### 1. configure DNS on client
NetworkManager rewrites /etc/resolv.conf whenever a connection changes. Add `dns=none` to the `[main]` section of /etc/NetworkManager/NetworkManager.conf so it leaves the file alone:
```
[main]
#plugins=ifcfg-rh
dns=none
```
then edit /etc/resolv.conf to point at the master DNS server:
```
nameserver 192.168.122.66
```
restart NetworkManager (or bounce networking) and check that it is running:
```
$ systemctl restart NetworkManager
# Or
$ nmcli networking off
$ nmcli networking on
$ systemctl status NetworkManager
$ nmcli -o
```
Note that the master runs with `recursion no`, so at this point the client can only resolve names in homelab.com; anything else needs the forwarding setup described later.
###### 2. test dns server on the client
```
[root@clientdns ~]# dig masterdns.homelab.com
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> masterdns.homelab.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39545
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7d9f5fbf60d6ab125e48f8d4627b539b75931132247c261d (good)
;; QUESTION SECTION:
;masterdns.homelab.com. IN A
;; ANSWER SECTION:
masterdns.homelab.com. 86400 IN A 192.168.122.66
;; AUTHORITY SECTION:
homelab.com. 86400 IN NS masterdns.homelab.com.
homelab.com. 86400 IN NS slavedns.homelab.com.
;; ADDITIONAL SECTION:
slavedns.homelab.com. 86400 IN A 192.168.122.67
;; Query time: 1 msec
;; SERVER: 192.168.122.66#53(192.168.122.66)
;; WHEN: Wed May 11 16:11:39 AEST 2022
;; MSG SIZE rcvd: 147
```
```
[root@clientdns ~]# dig -x 192.168.122.66
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> -x 192.168.122.66
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1630
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 78b4aba5e3b240ff4272eae1627b54174691dfada974c494 (good)
;; QUESTION SECTION:
;66.122.168.192.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
122.168.192.in-addr.arpa. 10800 IN SOA masterdns.homelab.com. root.homelab.com.122.168.192.in-addr.arpa. 2002022401 10800 15 604800 10800
;; Query time: 1 msec
;; SERVER: 192.168.122.66#53(192.168.122.66)
;; WHEN: Wed May 11 16:13:44 AEST 2022
;; MSG SIZE rcvd: 158
```
`NXDOMAIN` together with the `aa` flag means the master is authoritative for `122.168.192.in-addr.arpa` but, at the time of this query, served no PTR for `.66`. The SOA it returned also shows that the mailbox field had been entered without its trailing dot, so the origin was appended (`root.homelab.com.122.168.192.in-addr.arpa.`). Once the zone file holds the PTR records, `dig -x` answers as in the reverse lookup further down.
```
[root@clientdns ~]# nslookup masterdns.homelab.com
Server: 192.168.122.66
Address: 192.168.122.66#53
Name: masterdns.homelab.com
Address: 192.168.122.66
[root@clientdns ~]# nslookup kmaster.homelab.com
Server: 192.168.122.66
Address: 192.168.122.66#53
Name: kmaster.homelab.com
Address: 192.168.122.10
```
#### Setup Slave DNS server
###### 1. configure hostname
```
$ hostnamectl set-hostname slavedns.homelab.com
```
###### 2. install bind packages
```
$ yum install bind bind-utils -y
```
###### 3. edit bind configuration /etc/named.conf
Same edits as on the master, with the slave's own IP and `type slave` zones that pull from the master. Also disable transfers: BIND 9.11 allows AXFR to any host when `allow-transfer` is not set, so without it any client in the subnet could dump both zones from the slave.
```
listen-on port 53 { 127.0.0.1; 192.168.122.67; }; # add slave server IP
allow-query { localhost; 192.168.122.0/24; };     # add subnet
allow-transfer { none; };                         # the slave has no secondaries of its own
recursion no;                                     # authoritative only

zone "homelab.com" IN {
    type slave;
    file "slaves/homelab.forward.zone";           # under /var/named, writable by named
    masters { 192.168.122.66; };
};
zone "122.168.192.in-addr.arpa" IN {
    type slave;
    file "slaves/homelab.reverse.zone";
    masters { 192.168.122.66; };
};
```
###### 4. enable and start bind service
```
[root@slavedns ~]# systemctl enable named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@slavedns ~]# systemctl start named
```
check that the zone files have been transferred from the master (named writes them, hence the `named` owner)
```
[root@slavedns ~]# ls -l /var/named/slaves/
total 8
-rw-r--r--. 1 named named 403 May 11 16:54 homelab.forward.zone
-rw-r--r--. 1 named named 647 May 11 16:54 homelab.reverse.zone
```
###### 5. permit TCP and UDP port 53 in the firewall
```
[root@slavedns ~]# firewall-cmd --permanent --add-port=53/tcp
success
[root@slavedns ~]# firewall-cmd --permanent --add-port=53/udp
success
[root@slavedns ~]# firewall-cmd --reload
success
```
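Once both servers are up, the checks worth scripting from the client are: the SOA serial is identical on master and slave (otherwise transfers are not happening), neither server sets the RA flag (recursion really is off), and a zone transfer requested from a host that is not the configured slave is refused. The script below is an added example, not part of the original page; it uses this page's lab addresses and zone name and relies on `dig` from bind-utils. The parsing functions read dig output on stdin so they can be exercised without the lab; run the script with `--live` to query the servers.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks for the master/slave pair.
# Addresses and zone name are this page's lab values; run with --live on the client.
MASTER=192.168.122.66
SLAVE=192.168.122.67
ZONE=homelab.com

# soa_serial: `dig +short SOA` output on stdin -> the serial (3rd field of the SOA RDATA)
soa_serial() { awk 'NF >= 7 { print $3; exit }'; }

# has_ra: succeed if a full dig answer on stdin carries the RA (recursion available) flag
has_ra() { grep -q '^;; flags:.* ra[ ;]'; }

# axfr_allowed: succeed if `dig AXFR` output on stdin shows a completed transfer
axfr_allowed() { grep -q '^;; XFR size:'; }

check_lab() {
    m=$(dig +short @"$MASTER" "$ZONE" SOA | soa_serial)
    s=$(dig +short @"$SLAVE" "$ZONE" SOA | soa_serial)
    if [ -n "$m" ] && [ "$m" = "$s" ]; then
        echo "OK   serial $m on master and slave"
    else
        echo "FAIL serial mismatch: master=$m slave=$s (bump the SOA serial, rndc reload)"
    fi
    for ns in "$MASTER" "$SLAVE"; do
        if dig @"$ns" "$ZONE" A | has_ra; then
            echo "WARN $ns offers recursion (RA set); expected recursion no on an authoritative server"
        else
            echo "OK   $ns is authoritative-only (RA clear)"
        fi
        # this host is not the configured slave, so AXFR must be refused by both servers
        if dig @"$ns" "$ZONE" AXFR | axfr_allowed; then
            echo "FAIL $ns allowed a zone transfer to this host; restrict allow-transfer"
        else
            echo "OK   $ns refused AXFR to this host"
        fi
    done
}

if [ "${1:-}" = "--live" ]; then check_lab; fi
```

A serial mismatch right after an edit usually means the serial was not bumped; the slave only transfers when the master's serial is higher than its own.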
#### Configure client with slave DNS server and test
edit /etc/resolv.conf to add slave DNS server IP
```
nameserver 192.168.122.66
nameserver 192.168.122.67
```
```
[root@clientdns ~]# dig kmaster.homelab.com
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> kmaster.homelab.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31038
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 3cd0bac00c540b12b6aea24d627b66bff6b5d13bf7f03b32 (good)
;; QUESTION SECTION:
;kmaster.homelab.com. IN A
;; ANSWER SECTION:
kmaster.homelab.com. 86400 IN A 192.168.122.10
;; AUTHORITY SECTION:
homelab.com. 86400 IN NS masterdns.homelab.com.
homelab.com. 86400 IN NS slavedns.homelab.com.
;; ADDITIONAL SECTION:
masterdns.homelab.com. 86400 IN A 192.168.122.66
slavedns.homelab.com. 86400 IN A 192.168.122.67
;; Query time: 0 msec
;; SERVER: 192.168.122.66#53(192.168.122.66)
;; WHEN: Wed May 11 17:33:18 AEST 2022
;; MSG SIZE rcvd: 171
[root@clientdns ~]# dig masterdns.homelab.com
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> masterdns.homelab.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14769
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 84e5c144d21c0477af1ce614627ba6791a8562dec6758642 (good)
;; QUESTION SECTION:
;masterdns.homelab.com. IN A
;; ANSWER SECTION:
masterdns.homelab.com. 86400 IN A 192.168.122.66
;; AUTHORITY SECTION:
homelab.com. 86400 IN NS slavedns.homelab.com.
homelab.com. 86400 IN NS masterdns.homelab.com.
;; ADDITIONAL SECTION:
slavedns.homelab.com. 86400 IN A 192.168.122.67
;; Query time: 1 msec
;; SERVER: 192.168.122.66#53(192.168.122.66)
;; WHEN: Wed May 11 22:05:12 AEST 2022
;; MSG SIZE rcvd: 147
[root@clientdns ~]# dig slavedns.homelab.com
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> slavedns.homelab.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20928
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: ef75601e4be9fe0749919a2a627ba6a830054e0244d205da (good)
;; QUESTION SECTION:
;slavedns.homelab.com. IN A
;; ANSWER SECTION:
slavedns.homelab.com. 86400 IN A 192.168.122.67
;; AUTHORITY SECTION:
homelab.com. 86400 IN NS slavedns.homelab.com.
homelab.com. 86400 IN NS masterdns.homelab.com.
;; ADDITIONAL SECTION:
masterdns.homelab.com. 86400 IN A 192.168.122.66
;; Query time: 1 msec
;; SERVER: 192.168.122.66#53(192.168.122.66)
;; WHEN: Wed May 11 22:06:00 AEST 2022
;; MSG SIZE rcvd: 147
```
```
[root@clientdns ~]# nslookup kmaster.homelab.com
;; Got recursion not available from 192.168.122.66, trying next server
Server: 192.168.122.67
Address: 192.168.122.67#53
Name: kmaster.homelab.com
Address: 192.168.122.10
;; Got recursion not available from 192.168.122.66, trying next server
[root@clientdns ~]# nslookup masterdns.homelab.com
;; Got recursion not available from 192.168.122.66, trying next server
Server: 192.168.122.67
Address: 192.168.122.67#53
Name: masterdns.homelab.com
Address: 192.168.122.66
;; Got recursion not available from 192.168.122.66, trying next server
[root@clientdns ~]# nslookup slavedns.homelab.com
;; Got recursion not available from 192.168.122.66, trying next server
Server: 192.168.122.67
Address: 192.168.122.67#53
Name: slavedns.homelab.com
Address: 192.168.122.67
;; Got recursion not available from 192.168.122.66, trying next server
```
nslookup sends its queries with recursion desired and, when the answer comes back without RA, moves on to the next server. `set norec` tells it to accept the authoritative, non-recursive answer from the master directly:
```
[root@clientdns ~]# nslookup
> set norec
> kmaster.homelab.com
Server: 192.168.122.66
Address: 192.168.122.66#53
Name: kmaster.homelab.com
Address: 192.168.122.10
> set rec
>
> kmaster.homelab.com
;; Got recursion not available from 192.168.122.66, trying next server
Server: 192.168.122.67
Address: 192.168.122.67#53
Name: kmaster.homelab.com
Address: 192.168.122.10
;; Got recursion not available from 192.168.122.66, trying next server
```
reverse lookup
```
[root@clientdns ~]# dig -x 192.168.122.10
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> -x 192.168.122.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31257
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bcb907f106749e75cfbaeae6627bb1737662c91a35e0ec46 (good)
;; QUESTION SECTION:
;10.122.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
10.122.168.192.in-addr.arpa. 86400 IN PTR kmaster.
;; AUTHORITY SECTION:
122.168.192.in-addr.arpa. 86400 IN NS masterdns.homelab.com.
122.168.192.in-addr.arpa. 86400 IN NS slavedns.homelab.com.
;; ADDITIONAL SECTION:
masterdns.homelab.com. 86400 IN A 192.168.122.66
slavedns.homelab.com. 86400 IN A 192.168.122.67
;; Query time: 1 msec
;; SERVER: 192.168.122.66#53(192.168.122.66)
;; WHEN: Wed May 11 22:52:02 AEST 2022
;; MSG SIZE rcvd: 195
```
The answer `kmaster.` is exactly what `10 IN PTR kmaster.` produces: the trailing dot makes the target absolute, so no origin is appended. With `10 IN PTR kmaster.homelab.com.` the answer is the full hostname, which is what forward-confirmed reverse DNS checks expect.
#### Caching and forwarding mode
To let clients resolve names outside homelab.com through the same server, edit /etc/named.conf: set `recursion yes` and add a `forwarders` list, then `named-checkconf && systemctl restart named`. This turns the authoritative server into a forwarding resolver as well, which the comment block in the stock file warns about; it is acceptable here only because `allow-query` limits clients to the lab subnet. Set `allow-recursion { localhost; 192.168.122.0/24; };` explicitly too: BIND derives `allow-recursion` from `allow-query` when it is not set, so the restriction silently disappears if `allow-query` is ever widened. `forward only` sends every non-local query to 8.8.8.8/8.8.4.4 and never falls back to the root servers, and with `dnssec-validation yes` the forwarders must return DNSSEC records (Google Public DNS does).
```
options {
    listen-on port 53 { 127.0.0.1; 192.168.122.66; }; # add master DNS server IP
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    allow-query { localhost; 192.168.122.0/24; }; # add subnet
    allow-transfer { localhost; 192.168.122.67; }; # add slave DNS server IP

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes; # enable recursion

    dnssec-enable yes;
    dnssec-validation yes;

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";

    forward only;
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
};
```
#### Set alias (CNAME)
edit /var/named/forward.homelab and add the aliases under the A records; then bump the SOA serial and reload (`rndc reload homelab.com`) so the slave picks up the change
```
; A records to resolve ip from name
masterdns IN A 192.168.122.66
slavedns IN A 192.168.122.67
kmaster IN A 192.168.122.10 ; k8s master node
kubernetes.homelab.com. IN CNAME kmaster ; alias written as an FQDN (trailing dot)
k8s IN CNAME kmaster ; alias written as a relative name, i.e. k8s.homelab.com.
```
```
[root@clientdns ~]# nslookup k8s.homelab.com
Server: 192.168.122.66
Address: 192.168.122.66#53
k8s.homelab.com canonical name = kmaster.homelab.com.
Name: kmaster.homelab.com
Address: 192.168.122.10
[root@clientdns ~]# nslookup kubernetes.homelab.com
Server: 192.168.122.66
Address: 192.168.122.66#53
kubernetes.homelab.com canonical name = kmaster.homelab.com.
Name: kmaster.homelab.com
Address: 192.168.122.10
```
#### Tcpdump DNS query
###### Recursion "yes" on master DNS server
```
[root@clientdns ~]# nslookup kubernetes.homelab.com
Server: 192.168.122.66
Address: 192.168.122.66#53
kubernetes.homelab.com canonical name = kmaster.homelab.com.
Name: kmaster.homelab.com
Address: 192.168.122.10
```
The client sends its query with the RD (recursion desired) flag set, asking the server to resolve on its behalf.

The master returns the answer with the RA (recursion available) flag set, telling the client that it does recursive queries; nslookup accepts the answer without complaint.

###### Recursion "no" on master and slave.
```
[root@clientdns ~]# nslookup kmaster.homelab.com
;; Got recursion not available from 192.168.122.66, trying next server
Server: 192.168.122.67
Address: 192.168.122.67#53
Name: kmaster.homelab.com
Address: 192.168.122.10
;; Got recursion not available from 192.168.122.66, trying next server
```
The client sends the same query with RD set.

The master returns the answer (it is authoritative for homelab.com) but with RA clear, so nslookup reports "recursion not available".

nslookup treats that as a reason to move on to the next nameserver, so it re-sends the query to the slave (both servers are listed in /etc/resolv.conf):
```
[root@clientdns ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.122.66
nameserver 192.168.122.67
```

The slave returns the same answer, also with RA clear. The warning is printed for each query nslookup sends (by default an A lookup followed by an AAAA lookup), which is why it appears twice.
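On the wire the same behaviour shows up in tcpdump's one-character flag markers, which this section's heading promises but the nslookup output cannot show. The following script is an added example, not part of the original page: it captures (or reads) tcpdump DNS lines and decodes the markers tcpdump appends to the query id: `+` RD set on a query, `*` AA set, `-` RA clear and `|` truncated on a reply. The three sample lines inside it are constructed in tcpdump's output format using this page's lab addresses, not a real capture: the client's query with RD, the master's authoritative answer without RA (`recursion no`), and the shape of the same answer once recursion is enabled (RA set).

```shell
#!/bin/sh
# Added example, not from the original page: decode the RD/AA/RA markers that tcpdump
# prints for DNS traffic. Capture on the client with this page's lab addresses:
#   tcpdump -lni any udp port 53 and host 192.168.122.66
# tcpdump appends markers to the query id: '+' RD set (query);
# '*' AA set, '-' RA clear, '|' truncated (reply).

# decode_dns_lines: tcpdump DNS lines on stdin ->
#   "query <id> RD=x"  or  "reply <id> AA=x RA=x TC=x"
decode_dns_lines() {
    awk '
    {
        tok = ""
        # the id+marker token is the field right after the "dst.port:" field
        for (i = 2; i <= NF; i++)
            if ($(i-1) ~ /:$/ && $i ~ /^[0-9]+[-+*|$%]*$/) { tok = $i; break }
        if (tok == "") next
        id = tok; sub(/[^0-9]+$/, "", id)        # numeric id
        m = substr(tok, length(id) + 1)          # marker characters only
        if ($(i+1) ~ /\?$/) {                    # "A?" question type => query
            rd = (index(m, "+") > 0)
            printf "query %s RD=%d\n", id, rd
        } else {
            aa = (index(m, "*") > 0)
            ra = (index(m, "-") == 0)            # "-" means RA was NOT set
            tc = (index(m, "|") > 0)
            printf "reply %s AA=%d RA=%d TC=%d\n", id, aa, ra, tc
        }
    }'
}

# Constructed sample lines in tcpdump format (not a real capture).
sample_capture() {
    cat <<'EOF'
16:11:39.101 IP 192.168.122.65.51234 > 192.168.122.66.53: 39545+ A? masterdns.homelab.com. (39)
16:11:39.102 IP 192.168.122.66.53 > 192.168.122.65.51234: 39545*- 1/2/2 A 192.168.122.66 (147)
16:11:40.201 IP 192.168.122.66.53 > 192.168.122.65.51234: 39546* 1/2/2 A 192.168.122.66 (147)
EOF
}

# Demo; real use:  tcpdump -lni any udp port 53 | decode_dns_lines
sample_capture | decode_dns_lines
```

Reading `RA=0` on an authoritative answer is the packet-level counterpart of nslookup's "recursion not available" message; an `RA=1` from a server that should be authoritative-only means `recursion no` is not in effect.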

#### KB
###### recursion
If yes, and a DNS query requests recursion, then the server attempts to do all the work required to answer the query. If recursion is off and the server does not already know the answer, it returns a referral response. The default is yes. Note that setting recursion no does not prevent clients from getting data from the server’s cache; it only prevents new data from being cached as an effect of client queries. Caching may still occur as an effect of the server’s internal operation, such as NOTIFY address lookups.
###### zone file syntax
- Comments start with a semicolon ";" and go to the end of line.
- Empty lines are allowed; any combination of tabs and spaces acts as a delimiter.
- RRs are defined one per line as:
[Name] [TTL] [CLASS] TYPE RDATA
- if Name is omitted, it is taken from the previous RR
- if Name is present, it starts in the first column of the line
- if Name is not dot-terminated (not an FQDN), the current origin set by $ORIGIN is appended to it
- if TTL is omitted, the value set by $TTL applies
- if CLASS is omitted, it is taken from the previous RR
- TTL and CLASS may appear in either order
- $TTL integer_value sets the default value of TTL for following RRs in file (RFC2308, bind>8.1)
- $ORIGIN fqdn_name sets the default value of domain name for following RRs in file. Initially, in BIND, the value is set to the current zone name.
- $INCLUDE filename inserts the named file into the current file. NB: be careful about value of $TTL or $ORIGIN after a $INCLUDE
- "@" is used to denote the current default domain name.
- "(" and ")" are used to group data that crosses a line boundary. Line terminations are not recognized within parentheses
- "\" is used to quote special characters. Ex : "\." can be used to place a dot character in a label; "\223" is the 8-bit character corresponding to decimal value 223.
###### stylistic hints
- Organize RRs: start with the SOA, NS and MX of the zone, continue with delegations (NS) and glue, then group the remaining RRs by name
- Comments are useful
- Use spaces or tabs for vertical alignment
- Start the file with a $ORIGIN and a $TTL
- Avoid writing the zone name itself in the file (use @ and relative names)
- Generate the SOA serial as YYYYMMDDnn (year, month, day, two-digit revision)
- BE CAREFUL: bump the serial every time the master file is modified, otherwise slaves never transfer the change
###### dig command query with tcp
```
$ dig +tcp kmaster.homelab.com
```
###### for CentOS 8 (end of life, mirrorlist gone), point the yum repos at the vault
Use https for the vault so the repodata is fetched over TLS; package signatures are still verified by `gpgcheck=1`.
```
$ sudo su -
$ cd /etc/yum.repos.d/
$ sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
$ sed -i 's|#baseurl=http://mirror.centos.org|baseurl=https://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
$ yum update -y
```
###### install DNS tools (dig and drill) on Debian/Ubuntu
```
apt install dnsutils ldnsutils
```
#### Reference
https://www.linuxteck.com/how-to-install-and-configure-master-slave-dns-in-centos-rhel-7-6/
http://www-inf.int-evry.fr/~hennequi/CoursDNS/NOTES-COURS_eng/syntax.html
https://techglimpse.com/failed-metadata-repo-appstream-centos-8/
https://bind9.readthedocs.io/en/v9_16_6/reference.html
https://medium.com/liveonnetwork/need-a-refresher-on-dns-concepts-4dcdfda6365d