DNS Workshop Hands-On Session Documentation

DNS Workshop Doc for Sunday 26th May 2013.
Created by ElectroMech Corporation Team
With the aim of sharing knowledge with hands-on, including concept and fundamental
we had conducted this workshop as invitation bases, although we had not charged
anything due to limited space we kept it as invitation based. But documents are
open for all. The documents contain everything we conducted in seminar.
We want to finished it within 3-4 hours, but some how it was stretched for 6
hours.
Total participants were 24 (almost all ElectroMech RHCE certified candidate).
First time I have seen all the invited person were present. 100% attendance.
We are looking for more such hands on session on invitation basis only due to
limited space.

DNS workshop at ElectroMech Corporation
Operating system and bind version............................................................................................................4
Forwarders and Caching dns /named configuration..............................................................................8
Configuration of named.conf................................................................................................................8
Testing with dig command..................................................................................................................10
Master zone DNS configuration...............................................................................................................11
Zone definition / creation of zone in /etc/named.conf.........................................................................11
Population / creating entry RR (Resource Record) in zone file..........................................................11
Testing zone RR with dig....................................................................................................................12
Now let's Add one CNAME and MX record.......................................................................................13
Testing CNAME record with dig....................................................................................................13
Testing MX record with dig............................................................................................................14
Reverse zone and PTR record.............................................................................................................15
Declaration of zone for reverse lookup in /etc/named.conf............................................................15
Adding RR PTR in zone file...........................................................................................................15
Testing PTR record with dig...........................................................................................................15
Spf record............................................................................................................................................16
Testing spf record with dig.............................................................................................................17
SRV Record.........................................................................................................................................17
Testing SRV record with dig...........................................................................................................17
SLAVE ZONE..........................................................................................................................................18
Slave Zone declaration in named.conf................................................................................................20
Master zone configuration /etc/named.conf........................................................................................21
Importance of Serial Number at master zone......................................................................................21
Checking the log for zone transfer......................................................................................................21
Bind split dns with views.........................................................................................................................22
Defining views in /etc/named.conf......................................................................................................22
Dynamic Bind DNS with nsupdate..........................................................................................................23
Concept for dynamic DNS with nsupdate...........................................................................................23
Configuration of zone in /etc/named.conf...........................................................................................25
Using nsupdate command to add / delete the record...........................................................................25
Journal File for Dynamic Update...................................................................................................26
Testing the dynamic update of Record with dig..................................................................................26
Checking update with zone file also....................................................................................................27
nsupdate with TSIG key...........................................................................................................................27
Generating TSIG key with dnssec-keygen command.........................................................................27
Configuration of key at views named.conf.........................................................................................28
nsupdate command to update RR with key.........................................................................................28
Checking the dynamic update of RR added or not with dig...............................................................29
Log file for updated record..................................................................................................................29
TSIG with slave transfer..........................................................................................................................30
Configuration on master for TSIG in /etc/named.conf........................................................................30
On slave server adding key to /etc/named.conf...................................................................................30
Testing of zone transfer with dynamic update with nsupdate.............................................................31
Checking for local update on master with dig.....................................................................................31
Checking for record transfer at slave zone with dig............................................................................31

Checking log on master zone..............................................................................................................32
Checking log on slave zone.................................................................................................................32
Howto Create Master DNS and SUB domain with Bind.........................................................................34
Scenario...............................................................................................................................................34
First main domain server.....................................................................................................................34
Configuration of main domain on 192.168.0.2 named.conf...........................................................34
Populating the RR at main domain.................................................................................................35
Testing the zone record with dig.....................................................................................................35
Edit main domin (test.com) data file..............................................................................................36
Configure name server on second server(192.168.0.102)...................................................................36
Configuration of subdomain zone at named.conf...........................................................................38
Populating zone for subdomain......................................................................................................39
Testing of subdomain......................................................................................................................40

Operating system and bind version
Os Version .: Centos 6.2 64 bit
Master server ip : 192.168.0.37 with hostname desktop37.example.com
Kernel Version
[root@desktop37 ~]# uname -r
2.6.32-220.el6.x86_64
[root@desktop37 ~]# cat /etc/redhat-release
CentOS release 6.2 (Final)
[root@desktop37 ~]#
Checking yum repository working or not.
[root@desktop37 ~]# yum repolist
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
repo id repo name status
centos Centos Repository 6,294
repolist: 6,294
[root@desktop37 ~]#
Installing software
[root@desktop37 ~]# yum -y install bind bind-utils
Setting up Install Process
Package 32:bind-utils-9.7.3-8.P3.el6.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.7.3-8.P3.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================================
====================================================
Package Arch Version
Repository Size
==================================================================================
====================================================
Installing:
bind x86_64 32:9.7.3-8.P3.el6
centos 3.9 M
Transaction Summary
==================================================================================
====================================================
Install 1 Package(s)
Total download size: 3.9 M
Installed size: 7.0 M
Downloading Packages:

bind-9.7.3-8.P3.el6.x86_64.rpm
| 3.9 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 32:bind-9.7.3-8.P3.el6.x86_64 1/1
Installed:
bind.x86_64 32:9.7.3-8.P3.el6
Complete!
[root@desktop37 ~]#
Listing important file
[root@desktop37 ~]# ls /etc/named*
/etc/named.conf /etc/named.iscdlv.key /etc/named.rfc1912.zones
/etc/named.root.key
/etc/named:
[root@desktop37 ~]#
Checking status for bind AKA named
[root@desktop37 ~]# /etc/init.d/named status
rndc: neither /etc/rndc.conf nor /etc/rndc.key was found
named is stopped
Restarting named service
[root@desktop37 ~]# /etc/init.d/named restart
Stopping named: [ OK ]
Starting named: [ OK ]
Again checking status of named after restarting
named (pid 2368) is running...
As such in this version, /etc/rndc.conf is not generated automatically, it has to
be created with following command.
[root@desktop37 ~]# rndc-confgen -a
wrote key file "/etc/rndc.key"
Need to setup proper group ownership and permission.
[root@desktop37 ~]# ls -l /etc/rndc.key
-rw-------. 1 root root 77 May 25 15:51 /etc/rndc.key
[root@desktop37 ~]# chmod 640 /etc/rndc.key
[root@desktop37 ~]# chgrp named /etc/rndc.key
Once setup need to restart named to check everything is ok or not.

Stopping named: . [ OK ]
Again checking status
version: 9.7.3-P3-RedHat-9.7.3-8.P3.el6
CPUs found: 1
worker threads: 1
number of zones: 19
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
[root@desktop37 ~]#
Listing the port used by named services with netstat command.
[root@desktop37 ~]# netstat -ntpul | grep named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
2422/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
2422/named
tcp 0 0 ::1:53 :::* LISTEN
2422/named
tcp 0 0 ::1:953 :::* LISTEN
2422/named
udp 0 0 127.0.0.1:53 0.0.0.0:*
2422/named
udp 0 0 ::1:53 :::*
2422/named
[root@desktop37 ~]#
named is working on tcp / udp port number 53 and rndc work on 953
Let us check the default configuration access with nc from local and other remote
computer.
Default configuration not allow to access 53 number port from remote computer
[root@desktop13 ~]# nc -v 192.168.0.37 53
nc: connect to 192.168.0.37 port 53 (tcp) failed: No route to host
[root@desktop13 ~]#
From remote computer 192.168.0.37

If nc is not install install it first.
[root@desktop37 ~]# yum install nc
---> Package nc.x86_64 0:1.84-22.el6 will be installed
==================================================================================
====================================================
Repository Size
==================================================================================
====================================================
Installing:
nc x86_64 1.84-22.el6
centos 57 k
Transaction Summary
==================================================================================
====================================================
Total download size: 57 k
Installed size: 109 k
Is this ok [y/N]: y
nc-1.84-22.el6.x86_64.rpm
| 57 kB 00:00
Running Transaction
Installing : nc-1.84-22.el6.x86_64
1/1
Installed:
nc.x86_64 0:1.84-22.el6
Complete!
Let us test now with nc
[root@desktop37 ~]# nc -v localhost 53
Connection to localhost 53 port [tcp/domain] succeeded!
^C
[root@desktop37 ~]#
The default configuration of named.conf

[root@desktop37 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
[root@desktop37 ~]#
Forwarders and Caching dns /named configuration
Configuration of named.conf
Change To
[root@desktop37 ~]# vim /etc/named.conf
//
// named.conf

//
//
//
options {
listen-on port 53 { 127.0.0.1; 192.168.0.37; };
allow-query { localhost; 192.168.0.0/24; };
recursion yes;
// dnssec-enable yes;
// dnssec-validation yes;
// dnssec-lookaside auto;
};
logging {
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
[root@desktop37 ~]#
Now let us check again the ports and ip
[root@desktop37 ~]# netstat -ntpul | grep named
tcp 0 0 192.168.0.37:53 0.0.0.0:* LISTEN
2487/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
2487/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
2487/named
tcp 0 0 ::1:53 :::* LISTEN
2487/named
tcp 0 0 ::1:953 :::* LISTEN
2487/named
udp 0 0 192.168.0.37:53 0.0.0.0:*
2487/named
udp 0 0 127.0.0.1:53 0.0.0.0:*
2487/named

udp 0 0 ::1:53 :::*
2487/named
[root@desktop37 ~]#
If necessary stop the firewall
[root@desktop37 ~]# /etc/init.d/iptables stop
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
[root@desktop37 ~]#
Checking with nc from remote computer
[root@desktop13 ~]# nc -v 192.168.0.37 53
Connection to 192.168.0.37 53 port [tcp/domain] succeeded!
^C
[root@desktop13 ~]#
Testing with dig command
dig @dns-server-ip hostname
[root@desktop37 ~]# dig @localhost www.electromech.info
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6 <<>> @localhost www.electromech.info
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22286
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 16
;; QUESTION SECTION:
;www.electromech.info. IN A
;; ANSWER SECTION:
www.electromech.info. 14400 IN A 50.57.221.21
;; AUTHORITY SECTION:
electromech.info. 86399 IN NS njbh241982.mercury.orderbox-dns.com.
electromech.info. 86399 IN NS njbh241982.venus.orderbox-dns.com.
electromech.info. 86399 IN NS njbh241982.mars.orderbox-dns.com.
electromech.info. 86399 IN NS njbh241982.earth.orderbox-dns.com.
;; Query time: 1178 msec
-----omited.......
Dig and check again only the query time

Master zone DNS configuration
Now for creating Master DNS for example.com zone we will add one new zone. as
below
To host and configure domain, two steps to be needed
1. create entry in /etc/named.conf
2. Population zone file with RR
Zone definition / creation of zone in /etc/named.conf
create entry in /etc/named.conf
following configuration is for “example.com” and the Resource Record will be
stored at “/var/named/example.com.zone” file
zone "example.com" IN {
type master;
file "example.com.zone";
};
Population / creating entry RR (Resource Record) in zone file
To populate resource record named.localhost can be used as template.
If the file not found always try (/user/share/doc/bind-version/) directory
[root@desktop37 ~]# cat /var/named/named.localhost
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1
[root@desktop37 ~]#
[root@desktop37 ~]# cat /var/named/named.localhost > /var/named/example.com.zone
[root@desktop37 ~]# ls -l /var/named/
total 32
drwxrwx---. 2 named named 4096 Dec 8 2011 data
drwxrwx---. 2 named named 4096 May 25 15:58 dynamic
-rw-r--r--. 1 root root 152 May 25 16:06 example.com.zone
-rw-r-----. 1 root named 1892 Feb 18 2008 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 4096 Dec 8 2011 slaves

Assigning proper permission and owenership
[root@desktop37 ~]# chgrp named /var/named/example.com.zone
[root@desktop37 ~]# vim /var/named/example.com.zone
[root@desktop37 ~]# cat /var/named/example.com.zone
$TTL 1D
@ IN SOA desktop37.example.com. root. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns1.example.com.
ns1.example.com. A 192.168.0.37
desktop37.example.com. A 192.168.0.37
[root@desktop37 ~]#
Once record setup named service should be restarted.
Testing zone RR with dig
Testing with dig command for the record configured
[root@desktop37 ~]# dig @localhost ns1.example.com
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6 <<>> @localhost ns1.example.com
; (2 servers found)
;; Got answer:
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;ns1.example.com. IN A
;; ANSWER SECTION:
ns1.example.com. 86400 IN A 192.168.0.37
example.com. 86400 IN NS ns1.example.com.
;; SERVER: ::1#53(::1)
;; WHEN: Sat May 25 16:09:59 2013
;; MSG SIZE rcvd: 63
[root@desktop37 ~]#

Now let's Add one CNAME and MX record
[root@desktop37 ~]# cat /var/named/example.com.zone
$TTL 1D
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns1.example.com.
ns1.example.com. IN A 192.168.0.37
desktop37.example.com. IN A 192.168.0.37
;Cname Record
www.example.com. IN CNAME desktop37.example.com.
mail.example.com. IN CNAME desktop37.example.com.
mail1.example.com. IN CNAME desktop37.example.com.
;MX Record
example.com. IN MX 5 mail.example.com.
example.com. IN MX 10 mail1.example.com.
[root@desktop37 ~]#
Testing CNAME record with dig
[root@desktop37 ~]# dig -t cname @localhost www.example.com
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6 <<>> -t cname @localhost www.example.com
; (2 servers found)
;; Got answer:
;www.example.com. IN CNAME
;; ANSWER SECTION:
www.example.com. 86400 IN CNAME desktop37.example.com.
;; ADDITIONAL SECTION:
;; SERVER: ::1#53(::1)
;; WHEN: Mon May 27 15:29:15 2013
[root@desktop37 ~]#
[root@desktop37 ~]# dig @localhost www.example.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6 <<>> @localhost www.example.com
; (2 servers found)
;; Got answer:
;www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 86400 IN CNAME desktop37.example.com.
desktop37.example.com. 86400 IN A 192.168.0.37
;; SERVER: ::1#53(::1)
;; WHEN: Mon May 27 16:56:22 2013
[root@desktop37 ~]#
Testing MX record with dig
[root@desktop37 ~]# dig -t mx @localhost example.com
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6 <<>> -t mx @localhost example.com
; (2 servers found)
;; Got answer:
;example.com. IN MX
;; ANSWER SECTION:
example.com. 86400 IN MX 10 mail1.example.com.
example.com. 86400 IN MX 5 mail.example.com.
;; SERVER: ::1#53(::1)
;; WHEN: Mon May 27 15:27:39 2013
[root@desktop34 ~]#

Reverse zone and PTR record
Now Let's Add PTR record for that first let's Create zone in /etc/named.conf as
below
Declaration of zone for reverse lookup in /etc/named.conf
zone "0.168.192.in-addr.arpa" IN {
type master;
file "192.168.0.zone";
};
Again let us used named.loopback as template to create PTR record.
[root@desktop37 ~]# cat /var/named/named.loopback > /var/named/192.168.0.zone
[root@desktop37 ~]# chgrp named /var/named/192.168.0.zone
[root@desktop37 ~]#
Adding RR PTR in zone file
[root@desktop37 ~]# vim /var/named/192.168.0.zone
[root@desktop37 ~]# cat /var/named/192.168.0.zone
$TTL 1D
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns1.example.com.
37 PTR desktop37.example.com.
[root@desktop37 ~]#
Testing PTR record with dig
Testing PTR record is working ok or not.
[root@desktop37 ~]# dig @localhost -x 192.168.0.37
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6 <<>> @localhost -x 192.168.0.37
; (2 servers found)
;; Got answer:
;37.0.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
37.0.168.192.in-addr.arpa. 86400 IN PTR desktop37.example.com.
0.168.192.in-addr.arpa. 86400 IN NS ns1.example.com.
;; SERVER: ::1#53(::1)
;; WHEN: Sat May 25 16:54:11 2013
[root@desktop37 ~]#
Spf record
SPF was initiated by Meng Weng Wong of pobox.com to enable validation of
legitimate sources of email for a domain and is now an IETF standard (RFC 4408).
Briefly, the design intent of the SPF resource record (RR) is to allow a receiving
MTA (Message Transfer Agent) to interrogate the Name Server (DNS) of the domain
which appears in the email (the sender) and determine if the originating IP of the
mail (the source) is authorized to send mail for the sender's domain. The mail
sender is required to publish an SPF RR (documented here) in the DNS zone file for
their domain but this is transparent to the sending MTA.
The SPF information SHOULD be defined in a standard TXT resource record (RR) and
MAY now be defined in an SPF RR type (BIND releases from 9.4.0 support the SPF RR
type - see also RFC 4408).
If a SPF (or TXT) RR exists and authorizes the source IP address the mail can be
accepted by the MTA. If the SPF (or TXT) RR does not authorize the IP address the
mail can be bounced - it did not originate from an authorized source for the
sender's domain.
Most Open Source MTAs (as well as commercial mail software) have been modified (or
have plug-ins) to use the SPF record. There is no down-side (assuming you get the
SPF RR right) and plenty of potential up-side (elimination/reduction of some spam
categories) in implementing the SPF record.
We use the following terminology to try to simplify the descriptions below:
sender - the full email address of the originator of the mail item (typically uses
return-path in the actual SPF checks), for instance, me@example.com
source-ip - the IP address of the SMTP server trying to send this message
sender-domain the domain name part of the sender's email address e.g. assume the
sender is info@example.com the sender-domain is example.com.
The SPF record defines one or more tests to carry out to verify the sender. Each
test returns a condition code (pre below). The first test to pass will terminate
SPF processing.
The standard TXT and SPF record format is defined as:

name ttl class TXT text
name ttl class SPF text
;spf record
example.com. IN TXT "v=spf1 a -all"
example.com. IN A 192.168.0.100
;spf with mx record
example.com. IN TXT "v=spf1 mx -all"
example.com. IN MX 5 mail.example.com.
Testing spf record with dig
SRV Record
srvce.prot.name ttl class rr pri weight port target
_http._tcp.example.com. IN SRV 0 5 80 www.example.com.
# Service.Proto.Name Class SRV Priority Weight Port Target
_http._tcp.www.example.com. IN SRV 0 2 80 www.example.com.
IN SRV 0 1 80 www2.example.com.
IN SRV 1 1 8080 www3.example.com.
In the record above requests for the website www.example.com will go to port 80 on
www.example.com and www2.example.com. The host www.example.com will get twice the
queries that www2.example.com gets. If both hosts go down, the queries will go to
www3.example.com on port 8080. For a better detailed explanation of SRV records
see RFC 2782.
How fantastically simple is that! All in a DNS record. This is a record almost all
DNS servers support right now. You can put in a record for any service you want to
run (FTP,IMAP,POP,etc) and you get all that great stuff
Testing SRV record with dig
[root@emc ~]# dig @localhost -t SRV _http._tcp.www.example.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> @localhost -t SRV
_http._tcp.www.example.com
; (1 server found)
;; Got answer:
;_http._tcp.www.example.com. IN SRV
;; ANSWER SECTION:
_http._tcp.www.example.com. 3600 IN SRV 1 1 8080 www3.example.com.

_http._tcp.www.example.com. 3600 IN SRV 0 2 80 www.example.com.
_http._tcp.www.example.com. 3600 IN SRV 0 1 80 www2.example.com.
example.com. 86400 IN NS emc.example.com.
www.example.com. 3600 IN A 192.168.0.100
www2.example.com. 3600 IN A 192.168.0.101
www3.example.com. 3600 IN A 192.168.0.102
emc.example.com. 86400 IN A 192.168.0.100
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 26 01:37:58 2013
[root@emc ~]#
SLAVE ZONE
Let's create Slave zone and transfer all records on desktop38.example.com, with IP
192.168.0.38
[root@desktop38 ~]# yum -y install bind
---> Package bind.x86_64 32:9.7.3-8.P3.el6 will be installed
==================================================================================
====================================================
Repository Size
==================================================================================
====================================================
Installing:
bind x86_64 32:9.7.3-8.P3.el6
centos 3.9 M
Transaction Summary
==================================================================================
====================================================
bind-9.7.3-8.P3.el6.x86_64.rpm
| 3.9 MB 00:00

Running Transaction
Installing : 32:bind-9.7.3-8.P3.el6.x86_64
1/1
Installed:
bind.x86_64 32:9.7.3-8.P3.el6
Complete!
Restarting named service
Generating rndc key and assigning proper permission and group ownership
[root@desktop38 ~]# rndc-confgen -a
wrote key file "/etc/rndc.key"
[root@desktop38 ~]# ll /etc/rndc.key
-rw-------. 1 root root 77 May 25 16:57 /etc/rndc.key
[root@desktop38 ~]# chmod 640 /etc/rndc.key
[root@desktop38 ~]# chgrp named /etc/rndc.key
Restarting named service for final check
version: 9.7.3-P3-RedHat-9.7.3-8.P3.el6
CPUs found: 1
worker threads: 1
number of zones: 19
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
[root@desktop38 ~]#
Let us create zone entry, for slave zone we do not need to create zone file. It
will be generated automatically if configuration of both master and slave is ok.

Slave Zone declaration in named.conf
[root@desktop38 ~]# vim /etc/named.conf
//
// named.conf
//
//
//
options {
listen-on port 53 { 127.0.0.1; 192.168.0.38; };
recursion yes;
// dnssec-enable yes;
};
logging {
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
type slave;
masters { 192.168.0.37; };
file "slaves/example.com.zone";
allow-transfer { none; };
};
type slave;
masters { 192.168.0.37; };
file "slaves/192.168.0.zone";

};
[root@desktop38 ~]#
Master zone configuration /etc/named.conf
now in master zone (on 192.168.0.37) named.conf file make below changes in both
zone sections
type master;
allow-transfer { 192.168.0.38; };
also-notify { 192.168.0.38; };
};
type master;
file "192.168.0.zone";
allow-transfer { 192.168.0.38; };
also-notify { 192.168.0.38; };
};
Change serial numbers in master zone file, The serial number is a key to replicate
the resource record or transferring resource record automatically from master zone
to slave zone.
Once the notification received slave server compare the serial number is higher
than the record transfer will be done other wise not.
Importance of Serial Number at master zone
$TTL 1D
2013052501 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS desktop37.example.com.
NS desktop38.example.com.
Checking the log for zone transfer
It can be easily understood by log
[root@desktop37 ~]# tail -f /var/log/messages
May 25 17:54:23 desktop38 named[23611]: client 192.168.0.37#11389: received notify
for zone 'example.com'

May 25 17:54:23 desktop38 named[23611]: zone example.com/IN: Transfer started.
May 25 17:54:23 desktop38 named[23611]: transfer of 'example.com/IN' from
192.168.0.37#53: connected using 192.168.0.38#47486
May 25 17:54:23 desktop38 named[23611]: zone example.com/IN: transferred serial
2013052502
192.168.0.37#53: Transfer completed: 1 messages, 13 records, 324 bytes, 0.004 secs
(81000 bytes/sec)
May 25 17:54:23 desktop38 named[23611]: zone example.com/IN: sending notifies
(serial 2013052502)
[root@desktop38 ~]# ls /var/named/slaves/
192.168.0.zone example.com.zone
[root@desktop38 ~]#
Bind split dns with views
Defining views in /etc/named.conf
//
// named.conf
//
//
//
options {
listen-on port 53 { 127.0.0.1; 192.168.0.37; };
recursion yes;
dnssec-enable no;
// bindkeys-file "/etc/named.iscdlv.key";
};
logging {
severity dynamic;
};
};
view "local_resolver" {
match-clients { 127.0.0.1; };

zone "." IN {
type hint;
file "named.ca";
};
};
view "internal" {
match-clients { 192.168.0.0/24; };
zone "." IN {
type hint;
file "named.ca";
};
type master;
allow-transfer { 192.168.0.38; };
also-notify { 192.168.0.38; };
};
type master;
file "192.168.0.zone";
allow-transfer { 192.168.0.38; };
also-notify { 192.168.0.38; };
};
};
Dynamic Bind DNS with nsupdate
Concept for dynamic DNS with nsupdate
Dynamic Update is a method for adding, replacing or deleting records in a master
server by sending it a special form of DNS messages. The format and meaning of
these messages is specified in RFC 2136.
Dynamic update is enabled by including an allow-update or an update-policy clause
in the zone statement.
If the zone's update-policy is set to local, updates to the zone will be permitted
for the key local-ddns, which will be generated by named at startup. See the
section called “Dynamic Update Policies” for more details.
Dynamic updates using Kerberos signed requests can be made using the TKEY/GSS
protocol by setting either the tkey-gssapi-keytab option, or alternatively by
setting both the tkey-gssapi-credential and tkey-domain options. Once enabled,
Kerberos signed requests will be matched against the update policies for the zone,
using the Kerberos principal as the signer for the request.
Updating of secure zones (zones using DNSSEC) follows RFC 3007: RRSIG, NSEC and
NSEC3 records affected by updates are automatically regenerated by the server

using an online zone key. Update authorization is based on transaction signatures
and an explicit server policy.
The journal file
All changes made to a zone using dynamic update are stored in the zone's journal
file. This file is automatically created by the server when the first dynamic
update takes place. The name of the journal file is formed by appending the
extension .jnl to the name of the corresponding zone file unless specifically
overridden. The journal file is in a binary format and should not be edited
manually.
The server will also occasionally write ("dump") the complete contents of the
updated zone to its zone file. This is not done immediately after each dynamic
update, because that would be too slow when a large zone is updated frequently.
Instead, the dump is delayed by up to 15 minutes, allowing additional updates to
take place. During the dump process, transient files will be created with the
extensions .jnw and .jbk; under ordinary circumstances, these will be removed when
the dump is complete, and can be safely ignored.
When a server is restarted after a shutdown or crash, it will replay the journal
file to incorporate into the zone any updates that took place after the last zone
dump.
Changes that result from incoming incremental zone transfers are also journalled
in a similar way.
The zone files of dynamic zones cannot normally be edited by hand because they are
not guaranteed to contain the most recent dynamic changes — those are only in the
journal file. The only way to ensure that the zone file of a dynamic zone is up to
date is to run rndc stop.
If you have to make changes to a dynamic zone manually, the following procedure
will work: Disable dynamic updates to the zone using rndc freeze zone. This will
also remove the zone's .jnl file and update the master file. Edit the zone file.
Run rndc thaw zone to reload the changed zone and re-enable dynamic updates.
nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a
name server. This allows resource records to be added or removed from a zone
without manually editing the zone file. A single update request can contain
requests to add or remove more than one resource record.
Zones that are under dynamic control via nsupdate or a DHCP server
should not be edited by hand. Manual edits could conflict with dynamic
updates and cause data to be lost.
The resource records that are dynamically added or removed with
nsupdate have to be in the same zone. Requests are sent to the zone´s
master server. This is identified by the MNAME field of the zone´s SOA
record.
The -d option makes nsupdate operate in debug mode. This provides
tracing information about the update requests that are made and the
replies received from the name server.
The -D option makes nsupdate report additional debugging information to
-d.

Transaction signatures can be used to authenticate the Dynamic DNS
updates. These use the TSIG resource record type described in RFC 2845
or the SIG(0) record described in RFC 2535 and RFC 2931 or GSS-TSIG as
described in RFC 3645. TSIG relies on a shared secret that should only
be known to nsupdate and the name server. Ensure that you select the
appropriate algorithms for the applications as well as the key when
authenticating each other. For instance, suitable key and server
statements would be added to /etc/named.conf so that the name server
can associate the appropriate secret key and algorithm with the IP
address of the client application that will be using TSIG
authentication. SIG(0) uses public key cryptography. To use a SIG(0)
key, the public key must be stored in a KEY record in a zone served by
the name server. nsupdate does not read /etc/named.conf.
nsupdate can be run in a local-host only mode using the -l flag. This
sets the server address to localhost (disabling the server so that the
server address cannot be overridden). Connections to the local server
will use a TSIG key found in /var/run/named/session.key, which is
automatically generated by named if any local master zone has set
update-policy to local. The location of this key file can be overridden
with the -k option.
By default, nsupdate uses UDP to send update requests to the name
server unless they are too large to fit in a UDP request in which case
TCP will be used. The -v option makes nsupdate use a TCP connection.
This may be preferable when a batch of update requests is made.
Configuration of zone in /etc/named.conf
On master "allow-update { any; };" entry should be added.
type master;
allow-transfer { 192.168.0.38; };
also-notify { 192.168.0.38; };
allow-update { any; };
};
It is not good configuration, it should be allowed from one or two authorized
computer only. (Later you will know howto encrypt and protect it with TSIG).
Some thing like allow-update { 192.168.0.xx; };
Using nsupdate command to add / delete the record
From other computer
[root@desktop13 ~]# nsupdate -v
> server 192.168.0.37
> zone example.com
> update add desktop40.example.com 3600 IN A 192.168.0.40
> show
Outgoing update query:

;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;example.com. IN SOA
;; UPDATE SECTION:
> send
> quit
Journal File for Dynamic Update
[root@desktop38 ~]# ll /var/named/example.com.zone*
-rw-r--r--. 1 named named 838 May 26 16:04 /var/named/example.com.zone
-rw-r--r--. 1 root named 916 May 26 14:59 /var/named/example.com.zone.ext
-rw-r--r--. 1 named named 913 May 26 15:50 /var/named/example.com.zone.jnl
[root@desktop38 ~]#
Testing the dynamic update of Record with dig
Checking RR added or not
Hey ! This is magic without restarting named daemon the records are updated and
can be dig. And sync automatically with slave server also.
[root@desktop13 ~]# dig @192.168.0.37 desktop40.example.com
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6 <<>> @192.168.0.37 desktop40.example.com
; (1 server found)
;; Got answer:
;desktop40.example.com. IN A
;; ANSWER SECTION:
example.com. 86400 IN NS desktop38.example.com.
;; SERVER: 192.168.0.37#53(192.168.0.37)
;; WHEN: Sat May 25 18:06:43 2013
It is working :)

Checking update with zone file also.
Let us check the record is updated on slave or not.
Checking from slave zone whether the record is updated or not.
; (1 server found)
;; Got answer:
;; ANSWER SECTION:
;; SERVER: 192.168.0.38#53(192.168.0.38)
;; WHEN: Sat May 25 18:07:12 2013
[root@desktop38 ~]#
Did you notice the number increment in zone file is not needed ? ;)
nsupdate with TSIG key
Generating TSIG key with dnssec-keygen command.
[root@desktop37 ~]# dnssec-keygen -a hmac-md5 -b 128 -n USER nupdate
Knupdate.+157+36968
[root@desktop37 ~]# ls
anaconda-ks.cfg Desktop install.log.syslog
Knupdate.+157+36968.private Templates
CentOS-Base.repo Documents Kdesktop37-desktop38.+163+28210.key Music
Videos
CentOS-Debuginfo.repo Downloads Kdesktop37-desktop38.+163+28210.private
Pictures

CentOS-Media.repo install.log Knupdate.+157+36968.key
Public
[root@desktop37 ~]# cat Knupdate.+157+36968.key
nupdate. IN KEY 0 3 157 rvdaS5nzgygJ9c8Jq2riAg==
Configuration of key at views named.conf
Add the key configuration as below in named.conf file
view "internal" {
match-clients { 192.168.0.0/24; };
key nupdate. {
algorithm hmac-md5;
secret "rvdaS5nzgygJ9c8Jq2riAg==";
};
zone "." IN {
type hint;
file "named.ca";
};
type master;
allow-transfer { 192.168.0.38; };
also-notify { 192.168.0.38; };
//allow-update { 127.0.0.1; 192.168.0.13; 192.168.0.37; };
// allow-update { any; };
allow-update { key nupdate.; };
};
Without TSIG key it will not allow to add record.
> server 192.168.0.37
> zone example.com
> update add desktop42.example.com. 3600 IN A 192.168.0.42
> send
update failed: REFUSED
> quit
nsupdate command to update RR with key
Let try with TSIG
> server 192.168.0.37
> zone example.com
> key nupdate. rvdaS5nzgygJ9c8Jq2riAg==
> show
Outgoing update query:

;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;example.com. IN SOA
> send
> quit
Checking the dynamic update of RR added or not with dig
Let us check whether success or not
; (1 server found)
;; Got answer:
;; ANSWER SECTION:
;; SERVER: 192.168.0.37#53(192.168.0.37)
;; WHEN: Sat May 25 18:40:39 2013
[root@desktop13 ~]#
Log file for updated record.
From log file
May 25 18:40:22 desktop37 named[25677]: client 192.168.0.13#49217: view internal:
signer "nupdate" approved
updating zone 'example.com/IN': adding an RR at 'desktop42.example.com' A
May 25 18:40:22 desktop37 named[25677]: zone example.com/IN/internal: sending
notifies (serial 2013052504)

transfer of 'example.com/IN': IXFR started
transfer of 'example.com/IN': IXFR ended
TSIG with slave transfer
Configuration on master for TSIG in /etc/named.conf
on master
view "internal" {
match-clients { 192.168.0.0/24; };
key nupdate. {
algorithm hmac-md5;
};
zone "." IN {
type hint;
file "named.ca";
};
type master;
// allow-transfer { 192.168.0.38; };
allow-transfer { key nupdate.; };
also-notify { 192.168.0.38; };
//allow-update { 127.0.0.1; 192.168.0.13; 192.168.0.37; };
// allow-update { any; };
allow-update { key nupdate.; };
};
On slave server adding key to /etc/named.conf
zone "." IN {
type hint;
file "named.ca";
};
key nupdate. {
algorithm hmac-md5;
};
server 192.168.0.37 {
keys { nupdate.; };
};
type slave;
masters { 192.168.0.37; };

file "slaves/example.com.zone";
};
Testing of zone transfer with dynamic update with nsupdate
> server 192.168.0.37
> zone example.com
> key nupdate. rvdaS5nzgygJ9c8Jq2riAg==
> send
> quit
Checking for local update on master with dig
Checking with dig command for newly added record.
; (1 server found)
;; Got answer:
;; ANSWER SECTION:
;; SERVER: 192.168.0.37#53(192.168.0.37)
;; WHEN: Sat May 25 18:58:00 2013
Checking for record transfer at slave zone with dig
On slave zone

; (1 server found)
;; Got answer:
;; ANSWER SECTION:
;; SERVER: 192.168.0.38#53(192.168.0.38)
;; WHEN: Sat May 25 18:58:04 2013
Checking log on master zone
On master log
received notify for zone '0.168.192.in-addr.arpa': TSIG 'nupdate'
signer "nupdate" approved
updating zone 'example.com/IN': adding an RR at 'desktop43.example.com' A
May 25 18:57:35 desktop37 named[25733]: zone example.com/IN/internal: sending
notifies (serial 2013052505)
transfer of 'example.com/IN': IXFR started: TSIG nupdate
transfer of 'example.com/IN': IXFR ended
Checking log on slave zone
On slave log
May 25 18:57:36 desktop38 named[23826]: client 192.168.0.37#19452: received notify
for zone 'example.com'
May 25 18:57:36 desktop38 named[23826]: zone example.com/IN: Transfer started.

192.168.0.37#53: connected using 192.168.0.38#40492
May 25 18:57:36 desktop38 named[23826]: zone example.com/IN: transferred serial
2013052505: TSIG 'nupdate'
192.168.0.37#53: Transfer completed: 1 messages, 5 records, 290 bytes, 0.192 secs
(1510 bytes/sec)
May 25 18:57:36 desktop38 named[23826]: zone example.com/IN: sending notifies
(serial 2013052505)

Howto Create Master DNS and SUB domain with Bind
Scenario
Main domain name : test.com
Main domain host ip : 192.168.0.2
Subdomain name : dom1.test.com
Sub domain host ip : 192.168.0.102
First main domain server
Configuration of main domain on 192.168.0.2 named.conf
Change the /etc/named.conf or /var/named/chroot/etc/named.conf if using
chrooted environment.
//
// named.conf
//
//
//
options {
listen-on port 53 { 127.0.0.1; 192.168.0.2; };
recursion yes;
# dnssec-enable yes;
# dnssec-validation yes;
# dnssec-lookaside auto;
};
logging {
severity dynamic;
};
};
zone "." IN {
type hint;

file "named.ca";
};
// For testing purpose I have added test.com zone as below.
zone "test.com" IN {
type master;
file "test.com.fwdb";
};
//---------end of named.con----------
Populating the RR at main domain.
Now it is time to populate zone records
cd /var/named/chroot/var/named
cat named.localhost > test.com.fwdb
change the test.com.fwdb, which will look like below after changes.
[root@desktop2 ~]# cat /var/named/chroot/var/named/test.com.fwdb
$TTL 1D
test.com. IN SOA desktop2.example.com. root.test.com (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
test.com. NS ns1.test.com.
ns1.test.com. A 192.168.0.2
[root@desktop2 ~]#
Change the group ownership of newly created file
[root@desktop2 ~]# chgrp named /var/named/chroot/var/named/*.fwdb
Restart the named services and check for any errors
It is suggested that you keep log file open with tail command so any error can be
check, open one more terminal and give following command.
Testing the zone record with dig
[root@desktop2 ~]# dig @localhost ns1.test.com
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6 <<>> @localhost ns1.test.com

; (2 servers found)
;; Got answer:
;ns1.test.com. IN A
;; ANSWER SECTION:
ns1.test.com. 86400 IN A 192.168.0.2
test.com. 86400 IN NS ns1.test.com.
;; SERVER: ::1#53(::1)
;; WHEN: Fri May 3 20:29:10 2013
[root@desktop2 ~]#
We want to create now subdomain entry our main domain is test.com and the
sumdomain is dom1.test.com
Edit main domin (test.com) data file
Point out ns record of subdomain to other computer in our example 192.168.0.102
Add folowing two record to zone data file /var/named/chroot/var/named/
ns1.dom1.test.com. A 192.168.0.102
dom1.test.com. NS ns1.dom1.test.com.
Finally it looks like below
[root@desktop2 ~]# cat /var/named/chroot/var/named/test.com.fwdb
$TTL 1D
test.com. IN SOA desktop2.example.com. root.test.com (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
test.com. NS ns1.test.com.
ns1.test.com. A 192.168.0.2
ns1.dom1.test.com. A 192.168.0.102
[root@desktop2 ~]#
That's all from main domain server side in our case test.com
Configure name server on second server(192.168.0.102)
On second server (192.168.0.102)
[root@server2 ~]# yum install -y bind-*

Loaded plugins: refresh-packagekit, rhnplugin
This system is not registered with RHN.
RHN support will be disabled.
GLS | 1.3 kB 00:00
GLS/primary | 943 B 00:00
GLS 2/2
Updates | 951 B 00:00
Updates/primary | 358 kB 00:00
Updates 175/175
base | 3.7 kB 00:00
base/primary_db | 2.9 MB 00:00
optional | 951 B 00:00
optional/primary | 803 kB 00:00
optional 2593/2593
Package 32:bind-libs-9.7.0-5.P2.el6.x86_64 already installed and latest version
Package 32:bind-utils-9.7.0-5.P2.el6.x86_64 already installed and latest version
---> Package bind.x86_64 32:9.7.0-5.P2.el6 set to be updated
---> Package bind-chroot.x86_64 32:9.7.0-5.P2.el6 set to be updated
---> Package bind-devel.x86_64 32:9.7.0-5.P2.el6 set to be updated
---> Package bind-dyndb-ldap.x86_64 0:0.1.0-0.9.b.el6 set to be updated
---> Package bind-sdb.x86_64 32:9.7.0-5.P2.el6 set to be updated
--> Processing Dependency: libpq.so.5()(64bit) for package: 32:bind-sdb-9.7.0-
5.P2.el6.x86_64
---> Package postgresql-libs.x86_64 0:8.4.4-2.el6 set to be updated
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
bind x86_64 32:9.7.0-5.P2.el6 base 3.5 M
bind-chroot x86_64 32:9.7.0-5.P2.el6 base 65 k
bind-devel x86_64 32:9.7.0-5.P2.el6 optional 362 k
bind-dyndb-ldap x86_64 0.1.0-0.9.b.el6 base 47 k
bind-sdb x86_64 32:9.7.0-5.P2.el6 optional 276 k
Installing for dependencies:
postgresql-libs x86_64 8.4.4-2.el6 base 188 k
Transaction Summary
================================================================================
Upgrade 0 Package(s)
(1/6): bind-9.7.0-5.P2.el6.x86_64.rpm | 3.5 MB 00:00
(2/6): bind-chroot-9.7.0-5.P2.el6.x86_64.rpm | 65 kB 00:00
(3/6): bind-devel-9.7.0-5.P2.el6.x86_64.rpm | 362 kB 00:00
(4/6): bind-dyndb-ldap-0.1.0-0.9.b.el6.x86_64.rpm | 47 kB 00:00
(5/6): bind-sdb-9.7.0-5.P2.el6.x86_64.rpm | 276 kB 00:00
(6/6): postgresql-libs-8.4.4-2.el6.x86_64.rpm | 188 kB 00:00

--------------------------------------------------------------------------------
Total 23 MB/s | 4.4 MB 00:00
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
base/gpgkey | 6.3 kB 00:00 ...
Importing GPG key 0xFD431D51 "Red Hat, Inc. (release key 2) " from /etc/pki/rpm-
gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0x2FA658E0 "Red Hat, Inc. (auxiliary key) " from /etc/pki/rpm-
gpg/RPM-GPG-KEY-redhat-release
Running Transaction
Warning: RPMDB altered outside of yum.
gnome-user-share-2.28.2-3.el6.x86_64 has missing requires of httpd >= ('0',
'2.2.0', None)
Installing : 32:bind-9.7.0-5.P2.el6.x86_64 1/6
Installing : postgresql-libs-8.4.4-2.el6.x86_64 2/6
Installing : 32:bind-sdb-9.7.0-5.P2.el6.x86_64 3/6
Installing : bind-dyndb-ldap-0.1.0-0.9.b.el6.x86_64 4/6
Installing : 32:bind-chroot-9.7.0-5.P2.el6.x86_64 5/6
Installing : 32:bind-devel-9.7.0-5.P2.el6.x86_64 6/6
Installed:
bind.x86_64 32:9.7.0-5.P2.el6 bind-chroot.x86_64 32:9.7.0-5.P2.el6
bind-devel.x86_64 32:9.7.0-5.P2.el6 bind-dyndb-ldap.x86_64 0:0.1.0-0.9.b.el6
bind-sdb.x86_64 32:9.7.0-5.P2.el6
Dependency Installed:
postgresql-libs.x86_64 0:8.4.4-2.el6
Complete!
The final modified file
Configuration of subdomain zone at named.conf
[root@server2 ~]# vim /etc/named.conf
[root@server2 ~]# cat /etc/named.conf
//
// named.conf
//
//
//
options {
listen-on port 53 { 127.0.0.1; 192.168.0.102; };
recursion yes;

# dnssec-enable yes;
# dnssec-validation yes;
# dnssec-lookaside auto;
};
logging {
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "dom1.test.com" IN {
type master;
file "dom1.test.com.fwdb";
};
[root@server2 ~]#
[root@server2 ~]# /etc/init.d/named restart
Populating zone for subdomain.
[root@server2 ~]# cd /var/named/chroot/var/named/
[root@server2 named]# vim dom1.test.com.fwdb
[root@server2 ~]# cat /var/named/chroot/var/named/dom1.test.com.fwdb
$TTL 1D
dom1.test.com. IN SOA server2.example.com. root.dom1.test.com (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
ns1.dom1.test.com. A 192.168.0.102
www.dom1.test.com. A 192.168.0.103
ftp.dom1.test.com. A 192.168.0.104
[root@server2 ~]#
[root@server2 named]# ll
total 36

drwxr-x---. 6 root named 4096 May 3 19:47 chroot
drwxrwx---. 2 named named 4096 May 3 19:48 data
-rw-r--r--. 1 root root 267 May 3 19:49 dom1.test.com.fwdb
drwxrwx---. 2 named named 4096 May 3 19:48 dynamic
-rw-r-----. 1 root named 1892 Feb 18 2008 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 4096 May 26 2010 slaves
[root@server2 named]# chgrp named dom1.test.com.fwdb
[root@server2 named]# service iptables stop
[root@server2 named]# /etc/init.d/named restart
Stopping named: umount: /var/named/chroot/var/named: device is busy.
(In some cases useful info about processes that use
the device is found by lsof(8) or fuser(1))
[ OK ]
[root@server2 named]# cd
[root@server2 ~]# /etc/init.d/named restart
[root@server2 ~]#
Testing of subdomain
Now final testing time
On main server (192.168.0.2) give following command.
[root@desktop2 ~]# dig @localhost www.dom1.test.com
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6 <<>> @localhost www.dom1.test.com
; (2 servers found)
;; Got answer:
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;www.dom1.test.com. IN A
;; ANSWER SECTION:
www.dom1.test.com. 85708 IN A 192.168.0.103
dom1.test.com. 85708 IN NS ns1.dom1.test.com.
ns1.dom1.test.com. 85708 IN A 192.168.0.102

;; SERVER: ::1#53(::1)
;; WHEN: Fri May 3 20:25:53 2013
In above dig query, the query is for A record to local dns server, so
www.dom1.test.com is a host on subdomain dom1.example.com.
The name server (ns record on localhost) (main server) will be found from test.com
and it is dom1.test.com, so it will check the name server record, and it is
pinting out to ns1.dom1.test.com which is nothing but our second server
192.168.0.102
Then A record comes from second server that is
;; ANSWER SECTION:
www.dom1.test.com. 85708 IN A 192.168.0.103
That's perfect, add some more records to server2 zonefile and check
again.

DNS Workshop Hands-On Session Documentation

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie DNS Workshop Hands-On Session Documentation

Ähnlich wie DNS Workshop Hands-On Session Documentation (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

DNS Workshop Hands-On Session Documentation