Setup DNS server

tags: dns bind9

Set up master and slave DNS servers on Rocky 8.4

Servers:

Preparation

1. yum update
$ sudo yum update -y
2. enable dmesg logging

create /etc/systemd/system/dmesg.service

[Unit]
Description=Create /var/log/dmesg on boot
ConditionPathExists=/var/log/dmesg

[Service]
ExecStart=/usr/bin/dmesg
StandardOutput=file:/var/log/dmesg

[Install]
WantedBy=multi-user.target

create /var/log/dmesg and restore its SELinux context

$ touch /var/log/dmesg
$ restorecon -v /var/log/dmesg

enable dmesg

$ systemctl enable dmesg
3. enable syslog/messages
$ yum install rsyslog -y
$ systemctl enable rsyslog --now

Setup Master DNS server

1. configure hostname
$ hostnamectl set-hostname masterdns.homelab.com
2. install bind packages
[root@masterdns ~]# yum install bind bind-utils -y
Last metadata expiration check: 1:05:08 ago on Wed 11 May 2022 09:24:17 AM AEST.
Package bind-utils-32:9.11.26-6.el8.x86_64 is already installed.
Dependencies resolved.
====================================================================================================================
 Package               Architecture            Version                             Repository                  Size
====================================================================================================================
Installing:
 bind                  x86_64                  32:9.11.26-6.el8                    appstream                  2.1 M

Transaction Summary
====================================================================================================================
Install  1 Package

Total download size: 2.1 M
Installed size: 4.5 M
Downloading Packages:
bind-9.11.26-6.el8.x86_64.rpm                                                       3.1 MB/s | 2.1 MB     00:00    
--------------------------------------------------------------------------------------------------------------------
Total                                                                               1.6 MB/s | 2.1 MB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                            1/1 
  Running scriptlet: bind-32:9.11.26-6.el8.x86_64                                                               1/1 
  Installing       : bind-32:9.11.26-6.el8.x86_64                                                               1/1 
  Running scriptlet: bind-32:9.11.26-6.el8.x86_64                                                               1/1 
  Verifying        : bind-32:9.11.26-6.el8.x86_64                                                               1/1 

Installed:
  bind-32:9.11.26-6.el8.x86_64                                                                                      

Complete!
3. enable and start dns service
[root@masterdns ~]# systemctl enable named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@masterdns ~]# systemctl start named
[root@masterdns ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-05-11 10:35:43 AEST; 5s ago
  Process: 2572 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 2569 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkcon>
 Main PID: 2574 (named)
    Tasks: 4 (limit: 11405)
   Memory: 57.9M
   CGroup: /system.slice/named.service
           └─2574 /usr/sbin/named -u named -c /etc/named.conf

May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './NS/IN': 2001:500:2::c#53
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './NS/IN': 2001:7fd::1#53
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#>
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53
May 11 10:35:43 masterdns.homelab.com named[2574]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
[root@masterdns ~]# named -v
BIND 9.11.26-RedHat-9.11.26-6.el8 (Extended Support Version) <id:3ff8620>
4. configure DNS (BIND) named.conf
edit /etc/named.conf, changing these lines (the reverse zone for 192.168.122.0/24 is named 122.168.192.in-addr.arpa: the network octets reversed, without the host octet)

        listen-on port 53 { 127.0.0.1; 192.168.122.66; };  # add master DNS server IP

        allow-query     { localhost; 192.168.122.0/24; };  # add subnet
        allow-transfer  { localhost; 192.168.122.67; };  # add slave DNS server IP

        recursion no;  # disable recursion

zone "homelab.com" IN {  # name of domain to administer
        type master;
        file "forward.homelab";
        allow-update {none;};
};
zone "122.168.192.in-addr.arpa" IN {  # reverse zone for 192.168.122.0/24
        type master;
        file "reverse.homelab";
        allow-update {none;};
};
5. create zone files
$ cd /var/named/
$ touch forward.homelab
$ touch reverse.homelab

edit forward.homelab file

$TTL	86400  ; 24 hours could have been written as 24h or 1D

@ IN SOA masterdns.homelab.com. root.homelab.com. (
        2022051101  ; serial
        3H  ; refresh
        15  ; retry
        1w  ; expire
        3h  ; minimum
)

; name servers
@ IN NS masterdns.homelab.com.
@ IN NS slavedns.homelab.com.

; name server to IP resolve
@ IN A 192.168.122.66
@ IN A 192.168.122.67

masterdns IN A 192.168.122.66
slavedns IN A 192.168.122.67
kmaster IN A 192.168.122.10  ; k8s master node

edit reverse.homelab file

$TTL    86400  ; 24 hours could have been written as 24h or 1D

@ IN SOA masterdns.homelab.com. root.homelab.com. (
        2002022401  ; serial
        3H  ; refresh
        15  ; retry
        1w  ; expire
        3h  ; minimum
)

@ IN NS masterdns.homelab.com.
@ IN NS slavedns.homelab.com.
@ IN PTR homelab.com.

; IP to hostname: PTR targets are written as FQDNs with a trailing dot
66 IN PTR masterdns.homelab.com.
67 IN PTR slavedns.homelab.com.
10 IN PTR kmaster.homelab.com.
6. restart named
[root@masterdns named]# systemctl restart named
[root@masterdns named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-05-11 15:44:14 AEST; 5s ago
  Process: 3558 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, >
  Process: 3944 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 3941 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkcon>
 Main PID: 3946 (named)
    Tasks: 4 (limit: 11405)
   Memory: 53.7M
   CGroup: /system.slice/named.service
           └─3946 /usr/sbin/named -u named -c /etc/named.conf

May 11 15:44:14 masterdns.homelab.com named[3946]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
May 11 15:44:14 masterdns.homelab.com named[3946]: network unreachable resolving './NS/IN': 2001:500:2::c#53
May 11 15:44:14 masterdns.homelab.com named[3946]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
May 11 15:44:14 masterdns.homelab.com named[3946]: network unreachable resolving './NS/IN': 2001:dc3::35#53
May 11 15:44:14 masterdns.homelab.com named[3946]: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
May 11 15:44:14 masterdns.homelab.com named[3946]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
May 11 15:44:14 masterdns.homelab.com named[3946]: network unreachable resolving './DNSKEY/IN': 2001:500:2d::d#53
May 11 15:44:14 masterdns.homelab.com named[3946]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
May 11 15:44:14 masterdns.homelab.com named[3946]: managed-keys-zone: Key 20326 for zone . acceptance timer complet>
May 11 15:44:14 masterdns.homelab.com named[3946]: resolver priming query complete
7. permit TCP and UDP port 53 in the firewall
[root@masterdns named]# firewall-cmd --permanent --add-port=53/tcp
success
[root@masterdns named]# firewall-cmd --permanent --add-port=53/udp
success
[root@masterdns named]# firewall-cmd --reload
success
8. check bind config (named-checkzone takes the zone name as its first argument; for the reverse zone use named-checkzone 122.168.192.in-addr.arpa /var/named/reverse.homelab, otherwise the file is loaded under the wrong origin and the check says nothing about the PTR owner names)
[root@masterdns named]# named-checkconf /etc/named.conf
[root@masterdns named]# named-checkzone homelab.com /var/named/forward.homelab 
zone homelab.com/IN: loaded serial 2002022401
OK
[root@masterdns named]# named-checkzone homelab.com /var/named/reverse.homelab
zone homelab.com/IN: loaded serial 2002022401
OK
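
A lint for the zone files above, added here as an example and not part of the original page. It reads the zone-file syntax used above (comments, $TTL, @, the parenthesised SOA, owner inheritance) and flags three mistakes that named-checkzone accepts silently: A records inside an in-addr.arpa zone, a PTR whose target is a bare label such as kmaster. (which is exactly what the dig -x 192.168.122.10 answer further down returns), and PTR owners that do not form four octets, which is what happens when named.conf names the zone 0.122.168.192.in-addr.arpa instead of 122.168.192.in-addr.arpa. The sample zone is constructed for the example, modelled on reverse.homelab with those mistakes included.

```python
def _logical_lines(text):
    """Strip ';' comments and merge '(' ... ')' groups into a single line."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            out.append(" ".join(buf))
            buf, depth = [], 0
    return out


def parse_zone(text, origin):
    """Return (owner, type, rdata_tokens) per RR, with '@' and relative owners expanded."""
    origin = origin if origin.endswith(".") else origin + "."
    records, last_owner = [], origin
    for line in _logical_lines(text):
        if not line.strip() or line.lstrip().startswith("$"):
            continue  # blank line or a $TTL/$ORIGIN directive
        toks = line.replace("(", " ").replace(")", " ").split()
        if line[0] in " \t":
            owner = last_owner  # no owner field: inherit from the previous RR
        else:
            name = toks.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        while toks and (toks[0].isdigit() or toks[0] in ("IN", "CH", "HS")):
            toks.pop(0)  # optional TTL and CLASS, in either order
        if toks:
            records.append((owner, toks[0], toks[1:]))
            last_owner = owner
    return records


def lint_reverse_zone(text, origin):
    """(owner, code) findings for a reverse zone file loaded under 'origin'."""
    findings = []
    for owner, rtype, rdata in parse_zone(text, origin):
        if rtype == "A":
            findings.append((owner, "A_IN_REVERSE_ZONE"))
        elif rtype == "PTR":
            target = rdata[0]
            # no trailing dot: expanded under the reverse origin; a dotted single
            # label such as 'kmaster.' is returned literally, as 'kmaster.'
            if not target.endswith(".") or target.count(".") < 2:
                findings.append((owner, "PTR_TARGET_NOT_FQDN"))
            octets = owner[: -len(".in-addr.arpa.")].split(".")
            if not owner.endswith(".in-addr.arpa.") or len(octets) != 4:
                findings.append((owner, "PTR_OWNER_NOT_FOUR_OCTETS"))
    return findings


# Constructed sample: modelled on reverse.homelab above, mistakes included.
SAMPLE_REVERSE_ZONE = """\
$TTL    86400  ; 24 hours
@ IN SOA masterdns.homelab.com. root.homelab.com. (
        2002022401  ; serial
        3H  ; refresh
        15  ; retry
        1w  ; expire
        3h  ; minimum
)
@ IN NS masterdns.homelab.com.
@ IN NS slavedns.homelab.com.
@ IN PTR homelab.com.
masterdns IN A 192.168.122.66
slavedns IN A 192.168.122.67
kmaster IN A 192.168.122.10
66 IN PTR masterdns.homelab.com.
67 IN PTR slavedns.homelab.com.
10 IN PTR kmaster.
"""

if __name__ == "__main__":
    # second origin: the zone name named.conf can easily get wrong for a /24
    for origin in ("122.168.192.in-addr.arpa", "0.122.168.192.in-addr.arpa"):
        print(f"origin {origin}")
        for owner, code in lint_reverse_zone(SAMPLE_REVERSE_ZONE, origin):
            print(f"  {code:27} {owner}")
```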

Configure client and test DNS

1. configure DNS on client

edit /etc/NetworkManager/NetworkManager.conf and add dns=none to the [main] section, so that NetworkManager stops rewriting /etc/resolv.conf

[main]
#plugins=ifcfg-rh
dns=none

edit /etc/resolv.conf to point nameserver to master DNS server IP

nameserver 192.168.122.66

restart network manager

$ systemctl restart NetworkManager

# Or
$ nmcli networking off
$ nmcli networking on
$ systemctl status NetworkManager
$ nmcli -o
2. test dns server on the client
[root@clientdns ~]# dig masterdns.homelab.com

; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> masterdns.homelab.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39545
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7d9f5fbf60d6ab125e48f8d4627b539b75931132247c261d (good)
;; QUESTION SECTION:
;masterdns.homelab.com.		IN	A

;; ANSWER SECTION:
masterdns.homelab.com.	86400	IN	A	192.168.122.66

;; AUTHORITY SECTION:
homelab.com.		86400	IN	NS	masterdns.homelab.com.
homelab.com.		86400	IN	NS	slavedns.homelab.com.

;; ADDITIONAL SECTION:
slavedns.homelab.com.	86400	IN	A	192.168.122.67

;; Query time: 1 msec
;; SERVER: 192.168.122.66#53(192.168.122.66)
;; WHEN: Wed May 11 16:11:39 AEST 2022
;; MSG SIZE  rcvd: 147
[root@clientdns ~]# dig -x 192.168.122.66

; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> -x 192.168.122.66
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1630
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 78b4aba5e3b240ff4272eae1627b54174691dfada974c494 (good)
;; QUESTION SECTION:
;66.122.168.192.in-addr.arpa.	IN	PTR

;; AUTHORITY SECTION:
122.168.192.in-addr.arpa. 10800	IN	SOA	masterdns.homelab.com. root.homelab.com.122.168.192.in-addr.arpa. 2002022401 10800 15 604800 10800

;; Query time: 1 msec
;; SERVER: 192.168.122.66#53(192.168.122.66)
;; WHEN: Wed May 11 16:13:44 AEST 2022
;; MSG SIZE  rcvd: 158
[root@clientdns ~]# nslookup masterdns.homelab.com
Server:		192.168.122.66
Address:	192.168.122.66#53

Name:	masterdns.homelab.com
Address: 192.168.122.66

[root@clientdns ~]# nslookup kmaster.homelab.com
Server:		192.168.122.66
Address:	192.168.122.66#53

Name:	kmaster.homelab.com
Address: 192.168.122.10

Setup Slave DNS server

1. configure hostname
$ hostnamectl set-hostname slavedns.homelab.com
2. install bind packages
$ yum install bind bind-utils -y
3. edit bind configuration /etc/named.conf (BIND 9.11 allows zone transfers from any host unless allow-transfer is set, so give the slave an allow-transfer { none; }; too, or a list of the hosts that need transfers)
        listen-on port 53 { 127.0.0.1; 192.168.122.67; };  # add slave server IP

        allow-query     { localhost; 192.168.122.0/24; };  # add subnet

        recursion no;  # set no

zone "homelab.com" IN {
        type slave;
        file "slaves/homelab.forward.zone";
        masters {192.168.122.66;};
};
zone "122.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/homelab.reverse.zone";
        masters {192.168.122.66;};
};
4. enable and start bind service
[root@slavedns ~]# systemctl enable named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@slavedns ~]# systemctl start named

check zone files are replicated from the master

[root@slavedns ~]# ls -l /var/named/slaves/
total 8
-rw-r--r--. 1 named named 403 May 11 16:54 homelab.forward.zone
-rw-r--r--. 1 named named 647 May 11 16:54 homelab.reverse.zone
5. permit TCP and UDP port 53 in the firewall
[root@slavedns ~]# firewall-cmd --permanent --add-port=53/tcp
success
[root@slavedns ~]# firewall-cmd --permanent --add-port=53/udp
success
[root@slavedns ~]# firewall-cmd --reload
success

Configure client with slave DNS server and test

edit /etc/resolv.conf to add the slave DNS server IP

nameserver 192.168.122.66
nameserver 192.168.122.67
[root@clientdns ~]# dig kmaster.homelab.com

; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> kmaster.homelab.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31038
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 3cd0bac00c540b12b6aea24d627b66bff6b5d13bf7f03b32 (good)
;; QUESTION SECTION:
;kmaster.homelab.com.		IN	A

;; ANSWER SECTION:
kmaster.homelab.com.	86400	IN	A	192.168.122.10

;; AUTHORITY SECTION:
homelab.com.		86400	IN	NS	masterdns.homelab.com.
homelab.com.		86400	IN	NS	slavedns.homelab.com.

;; ADDITIONAL SECTION:
masterdns.homelab.com.	86400	IN	A	192.168.122.66
slavedns.homelab.com.	86400	IN	A	192.168.122.67

;; Query time: 0 msec
;; SERVER: 192.168.122.66#53(192.168.122.66)
;; WHEN: Wed May 11 17:33:18 AEST 2022
;; MSG SIZE  rcvd: 171

[root@clientdns ~]# dig masterdns.homelab.com

; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> masterdns.homelab.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14769
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 84e5c144d21c0477af1ce614627ba6791a8562dec6758642 (good)
;; QUESTION SECTION:
;masterdns.homelab.com.		IN	A

;; ANSWER SECTION:
masterdns.homelab.com.	86400	IN	A	192.168.122.66

;; AUTHORITY SECTION:
homelab.com.		86400	IN	NS	slavedns.homelab.com.
homelab.com.		86400	IN	NS	masterdns.homelab.com.

;; ADDITIONAL SECTION:
slavedns.homelab.com.	86400	IN	A	192.168.122.67

;; Query time: 1 msec
;; SERVER: 192.168.122.66#53(192.168.122.66)
;; WHEN: Wed May 11 22:05:12 AEST 2022
;; MSG SIZE  rcvd: 147

[root@clientdns ~]# dig slavedns.homelab.com

; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> slavedns.homelab.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20928
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: ef75601e4be9fe0749919a2a627ba6a830054e0244d205da (good)
;; QUESTION SECTION:
;slavedns.homelab.com.		IN	A

;; ANSWER SECTION:
slavedns.homelab.com.	86400	IN	A	192.168.122.67

;; AUTHORITY SECTION:
homelab.com.		86400	IN	NS	slavedns.homelab.com.
homelab.com.		86400	IN	NS	masterdns.homelab.com.

;; ADDITIONAL SECTION:
masterdns.homelab.com.	86400	IN	A	192.168.122.66

;; Query time: 1 msec
;; SERVER: 192.168.122.66#53(192.168.122.66)
;; WHEN: Wed May 11 22:06:00 AEST 2022
;; MSG SIZE  rcvd: 147

[root@clientdns ~]# nslookup kmaster.homelab.com
;; Got recursion not available from 192.168.122.66, trying next server
Server:		192.168.122.67
Address:	192.168.122.67#53

Name:	kmaster.homelab.com
Address: 192.168.122.10
;; Got recursion not available from 192.168.122.66, trying next server

[root@clientdns ~]# nslookup masterdns.homelab.com
;; Got recursion not available from 192.168.122.66, trying next server
Server:		192.168.122.67
Address:	192.168.122.67#53

Name:	masterdns.homelab.com
Address: 192.168.122.66
;; Got recursion not available from 192.168.122.66, trying next server

[root@clientdns ~]# nslookup slavedns.homelab.com
;; Got recursion not available from 192.168.122.66, trying next server
Server:		192.168.122.67
Address:	192.168.122.67#53

Name:	slavedns.homelab.com
Address: 192.168.122.67
;; Got recursion not available from 192.168.122.66, trying next server

toggle recursion in nslookup with set rec / set norec (with norec the master answers directly, because the client no longer asks for recursion)

[root@clientdns ~]# nslookup 
> set norec
> kmaster.homelab.com
Server:		192.168.122.66
Address:	192.168.122.66#53

Name:	kmaster.homelab.com
Address: 192.168.122.10
> set rec
> 
> kmaster.homelab.com
;; Got recursion not available from 192.168.122.66, trying next server
Server:		192.168.122.67
Address:	192.168.122.67#53

Name:	kmaster.homelab.com
Address: 192.168.122.10
;; Got recursion not available from 192.168.122.66, trying next server

reverse lookup (the answer below is kmaster. rather than kmaster.homelab.com. because the PTR target in reverse.homelab was written as the single label kmaster.; a PTR target has to be the fully qualified name with a trailing dot)

[root@clientdns ~]# dig -x 192.168.122.10

; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> -x 192.168.122.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31257
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bcb907f106749e75cfbaeae6627bb1737662c91a35e0ec46 (good)
;; QUESTION SECTION:
;10.122.168.192.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
10.122.168.192.in-addr.arpa. 86400 IN	PTR	kmaster.

;; AUTHORITY SECTION:
122.168.192.in-addr.arpa. 86400	IN	NS	masterdns.homelab.com.
122.168.192.in-addr.arpa. 86400	IN	NS	slavedns.homelab.com.

;; ADDITIONAL SECTION:
masterdns.homelab.com.	86400	IN	A	192.168.122.66
slavedns.homelab.com.	86400	IN	A	192.168.122.67

;; Query time: 1 msec
;; SERVER: 192.168.122.66#53(192.168.122.66)
;; WHEN: Wed May 11 22:52:02 AEST 2022
;; MSG SIZE  rcvd: 195

Caching and forwarding mode

edit /etc/named.conf: add the forwarders option and enable recursion. allow-query already limits who can reach this server; keep it restricted, because a recursive server that answers anyone is what the stock comment below warns about.

options {
        listen-on port 53 { 127.0.0.1; 192.168.122.66; };  # add master DNS server IP
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { localhost; 192.168.122.0/24; };  # add subnet
        allow-transfer  { localhost; 192.168.122.67; };  # add slave DNS server IP

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;  # enable recursion

        dnssec-enable yes;
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";

        forward only;
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
};
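
A check for the options block above and for the master's named.conf earlier on this page, added as an example and not part of the original page. It pulls the options out of a named.conf (comments and nested braces handled) and applies the stock comment's rule: recursion yes is only safe when allow-recursion, or the allow-query it falls back to, does not contain any; it also flags forward only without forwarders and a missing allow-transfer, which in BIND 9.11 means transfers are allowed from anywhere. Both configs below are constructed for the example; the first mirrors the page's options, the second is a deliberately open one.

```python
import re


def _strip_comments(conf):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def options_body(conf):
    """Text between the braces of the top-level options { ... } block."""
    text = _strip_comments(conf)
    start = re.search(r"\boptions\s*\{", text)
    if not start:
        return ""
    depth, i = 1, start.end()
    while depth and i < len(text):  # walk to the matching closing brace
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start.end():i - 1]


def option(body, key):
    """Scalar option -> value string, list option -> entries, absent -> None."""
    m = re.search(r"\b" + re.escape(key) + r"\b\s*(\{[^}]*\}|[^;{]+);", body)
    if not m:
        return None
    val = m.group(1).strip()
    if val.startswith("{"):
        return [v.strip() for v in val[1:-1].split(";") if v.strip()]
    return val


def audit_options(conf):
    """Findings for the options block, following the warning in the stock named.conf."""
    body, findings = options_body(conf), []
    recursion = (option(body, "recursion") or "yes").lower()  # BIND default: yes
    # allow-recursion falls back to allow-query-cache, then allow-query, then
    # localnets/localhost (BIND ARM), so an open allow-query opens recursion too
    recursers = (option(body, "allow-recursion") or option(body, "allow-query-cache")
                 or option(body, "allow-query") or ["localnets", "localhost"])
    if recursion == "yes" and ("any" in recursers or "0.0.0.0/0" in recursers):
        findings.append("OPEN_RESOLVER")
    if option(body, "forward") == "only" and not option(body, "forwarders"):
        findings.append("FORWARD_ONLY_WITHOUT_FORWARDERS")
    if "any" in (option(body, "allow-transfer") or ["any"]):  # BIND 9.11 default: any
        findings.append("UNRESTRICTED_ZONE_TRANSFER")
    return findings


# Constructed sample: the options block from this page, with the paths trimmed.
PAGE_OPTIONS = """
options {
        listen-on port 53 { 127.0.0.1; 192.168.122.66; };  # add master DNS server IP
        directory       "/var/named";
        allow-query     { localhost; 192.168.122.0/24; };  # add subnet
        allow-transfer  { localhost; 192.168.122.67; };  # add slave DNS server IP
        /* If your recursive DNS server has a public IP address, you MUST enable
           access control to limit queries to your legitimate users. */
        recursion yes;  # enable recursion
        dnssec-validation yes;
        include "/etc/crypto-policies/back-ends/bind.config";
        forward only;
        forwarders { 8.8.8.8; 8.8.4.4; };
};
zone "homelab.com" IN { type master; file "forward.homelab"; };
"""

# Constructed counter-example: recursion open to everyone, no transfer limit.
OPEN_OPTIONS = """
options {
        allow-query { any; };
        recursion yes;
        forward only;
};
"""

if __name__ == "__main__":
    print("page config:", audit_options(PAGE_OPTIONS) or "no findings")
    print("open config:", audit_options(OPEN_OPTIONS))
```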

Set alias (CNAME)

edit /var/named/forward.homelab, add the aliases

; A records to resolve ip from name
masterdns IN A 192.168.122.66
slavedns IN A 192.168.122.67
kmaster IN A 192.168.122.10  ; k8s master node
kubernetes.homelab.com. IN CNAME kmaster  ; alias written as an FQDN
k8s IN CNAME kmaster  ; alias written as a bare hostname, equivalent to k8s.homelab.com.
[root@clientdns ~]# nslookup k8s.homelab.com
Server:		192.168.122.66
Address:	192.168.122.66#53

k8s.homelab.com	canonical name = kmaster.homelab.com.
Name:	kmaster.homelab.com
Address: 192.168.122.10

[root@clientdns ~]# nslookup kubernetes.homelab.com
Server:		192.168.122.66
Address:	192.168.122.66#53

kubernetes.homelab.com	canonical name = kmaster.homelab.com.
Name:	kmaster.homelab.com
Address: 192.168.122.10

Tcpdump DNS query

Recursion "yes" on master DNS server
[root@clientdns ~]# nslookup kubernetes.homelab.com
Server:		192.168.122.66
Address:	192.168.122.66#53

kubernetes.homelab.com	canonical name = kmaster.homelab.com.
Name:	kmaster.homelab.com
Address: 192.168.122.10

The client sends the query with the recursion desired (RD) flag set, asking the server to resolve the name recursively.

The master returns the answer with the recursion available (RA) flag set, telling the client that it performs recursive queries.

Recursion "no" on master and slave.
[root@clientdns ~]# nslookup kmaster.homelab.com
;; Got recursion not available from 192.168.122.66, trying next server
Server:		192.168.122.67
Address:	192.168.122.67#53

Name:	kmaster.homelab.com
Address: 192.168.122.10
;; Got recursion not available from 192.168.122.66, trying next server

The client sends the query with the recursion desired (RD) flag set, asking the server to resolve the name recursively.

The master returns the answer with the recursion available (RA) flag clear, telling the client that it does not perform recursive queries.

The client then sends the same query, RD still set, to the slave DNS server: both master and slave are listed in /etc/resolv.conf, so nslookup tries the next nameserver.

[root@clientdns ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 192.168.122.66
nameserver 192.168.122.67


The slave returns the answer, also with the recursion available (RA) flag clear: it does not perform recursive queries either.
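
The header bits behind the exchanges described above, as an added example that is not part of the original page: it builds the 12-byte DNS header a stub resolver sends (RD set, or clear after set norec), decodes the flags an authoritative BIND returns (QR, AA, RD echoed, RA only with recursion yes), and replays nslookup's rule of moving to the next resolv.conf server when RA is clear. The servers are simulated with constructed reply headers; no packets are sent.

```python
import struct

# Flag bits of the second 16-bit header word (RFC 1035 section 4.1.1).
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080


def build_query_header(qid, recursion_desired=True):
    """12-byte header of a standard query with one question; RD set unless 'set norec'."""
    flags = RD if recursion_desired else 0
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)


def parse_header(data):
    """Decode id, the QR/AA/RD/RA bits, RCODE and the answer count from a header."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "answers": an}


def authoritative_reply(query_header, recursion_available):
    """Constructed reply header as an authoritative BIND would send it:
    QR and AA set, RD copied from the query, RA only if 'recursion yes'."""
    qid, qflags = struct.unpack("!HH", query_header[:4])
    flags = QR | AA | (qflags & RD) | (RA if recursion_available else 0)
    return struct.pack("!HHHHHH", qid, flags, 1, 1, 2, 1)


def resolve(servers, send, recursion_desired=True, qid=0x1234):
    """Walk the servers in /etc/resolv.conf order the way nslookup does: a reply
    with RD set but RA clear is reported as 'recursion not available' and the
    next server is tried; the last server's reply is used regardless.
    Returns (server whose answer was used, list of messages)."""
    query = build_query_header(qid, recursion_desired)
    events = []
    for i, server in enumerate(servers):
        hdr = parse_header(send(server, query))
        if hdr["id"] != qid or not hdr["qr"]:
            events.append(f"bad reply from {server}")
            continue
        if recursion_desired and not hdr["ra"] and i < len(servers) - 1:
            events.append(f"Got recursion not available from {server}, trying next server")
            continue
        return server, events
    return None, events


# Constructed lab: master and slave from this page, keyed by 'recursion yes/no'.
LAB_NO_RECURSION = {"192.168.122.66": False, "192.168.122.67": False}
LAB_MASTER_RECURSIVE = {"192.168.122.66": True, "192.168.122.67": False}


def fake_send(lab):
    """Stand-in for a UDP exchange: answer from the simulated server's config."""
    return lambda server, query: authoritative_reply(query, lab[server])


if __name__ == "__main__":
    servers = ["192.168.122.66", "192.168.122.67"]
    print(resolve(servers, fake_send(LAB_NO_RECURSION)))
    print(resolve(servers, fake_send(LAB_NO_RECURSION), recursion_desired=False))
    print(resolve(servers, fake_send(LAB_MASTER_RECURSIVE)))
```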

KB

recursion

If yes, and a DNS query requests recursion, then the server attempts to do all the work required to answer the query. If recursion is off and the server does not already know the answer, it returns a referral response. The default is yes. Note that setting recursion no does not prevent clients from getting data from the server’s cache; it only prevents new data from being cached as an effect of client queries. Caching may still occur as an effect of the server’s internal operation, such as NOTIFY address lookups.

zone file syntax
  • Comments start with a semicolon ";" and go to the end of the line.
  • Empty lines are allowed; any combination of tabs and spaces acts as a delimiter.
  • RRs are defined line by line as:
    [Name] [TTL] [CLASS] TYPE RDATA
    • if there is no Name, the name is taken from the last stated RR
    • if Name is present, it starts at the first character of the line
    • if Name is not dot-terminated (not an FQDN), the default domain name defined by the $ORIGIN directive is appended to Name
    • if there is no TTL, the TTL is defined by the $TTL directive
    • if there is no CLASS, the CLASS is taken from the last stated RR
    • TTL and CLASS can be exchanged.
  • $TTL integer_value sets the default TTL for the following RRs in the file (RFC 2308, BIND > 8.1)
  • $ORIGIN fqdn_name sets the default domain name for the following RRs in the file. Initially, in BIND, the value is set to the current zone name.
  • $INCLUDE filename inserts the named file into the current file. NB: be careful about the value of $TTL or $ORIGIN after a $INCLUDE
  • "@" is used to denote the current default domain name.
  • "(" and ")" are used to group data that crosses a line boundary. Line terminations are not recognized within parentheses
  • "\" is used to quote special characters. Ex: "\." can be used to place a dot character in a label; "\223" is the 8-bit character corresponding to decimal value 223.
stylistic hints
  • Organize RRs: start with the SOA, NS and MX of the zone, continue with delegations (NS) and glue. Group RRs by name.
  • Comments are useful
  • Use spaces or tabs for vertical alignment
  • Start the file with a $ORIGIN and a $TTL
  • Try to avoid writing the zone name in the file
  • Generate the serial number in the SOA as year/month/day/version (4+2+2+2 digits).
  • BE CAREFUL: modify the serial number each time the master file is modified
dig query over TCP
$ dig +tcp kmaster.homelab.com
for CentOS 8, switch the yum repos from mirrorlist to vault.centos.org (fixes the failed-metadata error for the appstream repo)
$ sudo su -
$ cd /etc/yum.repos.d/
$ sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
$ sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
$ sudo yum update -y
install DNS tools (dig and drill) on Debian/Ubuntu
$ apt install dnsutils ldnsutils

Reference

https://www.linuxteck.com/how-to-install-and-configure-master-slave-dns-in-centos-rhel-7-6/
http://www-inf.int-evry.fr/~hennequi/CoursDNS/NOTES-COURS_eng/syntax.html
https://techglimpse.com/failed-metadata-repo-appstream-centos-8/
https://bind9.readthedocs.io/en/v9_16_6/reference.html
https://medium.com/liveonnetwork/need-a-refresher-on-dns-concepts-4dcdfda6365d