/var/named/chroot/etc/named.conf:
options {
        directory "/var/named";
        forwarders { 192.168.0.2; 192.168.0.3; 192.168.0.4; };
};
zone "." in {
        type hint;
        file "data/db.cache";
};
zone "0.0.127.in-addr.arpa" in {
        type master;
        file "data/db.127.0.0";
};

Next create the root hints file for your DNS server. This is the list of root DNS servers that your server will start from when it has to look up a record it is not authoritative for.
[root@server0 etc]# cd /var/named/chroot/var/named/data/
[root@server0 data]# dig @a.root-servers.net . ns > db.cache

Alternatively, if you already have DNS servers configured for your machine, you can use dig's built-in capabilities to get the root list back.
[root@server0 data]# grep nameserver /etc/resolv.conf
nameserver xxx.xxx.xxx.xxx
[root@server0 data]# dig +nocmd . NS +noall +answer +additional >db.cache
Or you can just download the root list from the InterNIC FTP server.
[root@server0 data]# wget ftp://ftp.internic.net/domain/named.root -O db.cache
--16:28:51--  ftp://ftp.internic.net/domain/named.root
           => `db.cache'
Resolving ftp.internic.net... 208.77.188.26
Connecting to ftp.internic.net|208.77.188.26|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /domain ... done.
==> SIZE named.root ... 2940
==> PASV ... done.    ==> RETR named.root ... done.
Length: 2940 (2.9K)

100%[=======================================>] 2,940       --.-K/s   in 0s

16:29:02 (280 MB/s) - `db.cache' saved [2940]
Next, you'll need to create a zone file for the 127.0.0.1 zone. Zone files are what BIND (named) uses to map between IP addresses and names. The 127.0.0.0/8 range of IP addresses is reserved for local or loopback addresses (addresses which all resolve to the machine you are working on).
/var/named/chroot/var/named/data/db.127.0.0
$TTL 3D
@       IN SOA  localhost. root.localhost. (
                00              ; Serial
                86400           ; Refresh
                7200            ; Retry
                2592000         ; Expire
                345600 )        ; Minimum
        NS      localhost.
1       PTR     localhost.
This file is the minimum required to serve up 127.0.0.0/8. With these 3 files in place, we're ready to try out our new name server.
[root@server0 data]# service named start
Starting named:                                            [  OK  ]
[root@server0 data]# nslookup localhost localhost
Server:         localhost
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   localhost
Address: 127.0.0.1

[root@server0 data]# nslookup www.google.com localhost
Server:         localhost
Address:        127.0.0.1#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.
Name:   www.l.google.com
Address: 74.125.47.99
Name:   www.l.google.com
Address: 74.125.47.103
Name:   www.l.google.com
Address: 74.125.47.104
Name:   www.l.google.com
Address: 74.125.47.147

[root@server0 data]#

Assuming that worked, we can put in the zone file for example.com. We will use 192.168.0.1** as the address of our new server.

/var/named/chroot/var/named/data/db.example.com
$TTL 3D
@       IN SOA  ns1.example.com. root.example.com. (
                00              ; Serial
                86400           ; Refresh
                7200            ; Retry
                2592000         ; Expire
                345600 )        ; Minimum
        NS      ns1
ns0     IN A    192.168.0.1
server0 IN A    192.168.0.1
And update named.conf to include the new zone.
/var/named/chroot/etc/named.conf
options {
        directory "/var/named";
        forwarders { xxx.xxx.xxx.xxx; yyy.yyy.yyy.yyy; zzz.zzz.zzz.zzz; };
};
zone "." in {
        type hint;
        file "data/db.cache";
};
zone "0.0.127.in-addr.arpa" in {
        type master;
        file "data/db.127.0.0";
};
zone "example.com." in {
        type master;
        file "data/db.example.com";
};
Restart named to use the updated named.conf and zone file, then verify that your record is being served properly.
[root@server0 etc]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
[root@server0 etc]# host ns1.example.com localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:

ns0.example.com has address 192.168.0.1
One more step and we are done with DNS. Right now DNS is only reachable from the server itself (localhost); we need to open a hole in the firewall on our machine to allow DNS queries through. We do this with iptables:
[root@server0 data]# iptables -A INPUT -p udp --destination-port 53 -j ACCEPT
[root@server0 data]# iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED --destination-port 53 -j ACCEPT
Now that DNS is configured, we can move on to installing the web server and making sure the files are available for installation.
iptables
The default iptables configuration on most distributions today is to only allow TCP port 22 (ssh) through the incoming firewall. (The outgoing firewall is unfiltered on all that I have seen.) To access the DNS service running on server1, a hole has to be made in the firewall. To do this, first list the INPUT chain to find out which chain the rules actually live in.

[root@server0 data]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

What this means is that the INPUT chain has a single rule, and its target is another chain called RH-Firewall-1-INPUT+. So to know what our INPUT rules are, we need to look at RH-Firewall-1-INPUT.
[root@server0 install]# iptables -L RH-Firewall-1-INPUT
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Configuring iptables properly is a separate discussion. We will build up a set of rules while we construct our install server, but the reader should spend some time getting to know how iptables works and how to configure it properly. The rules above set up some fairly good defaults. The rule that is most interesting to us is the second from the bottom, the one that ends in state NEW tcp dpt:ssh; it allows connections on TCP port 22 (ssh) to our server. DNS runs on port 53++, so we need to allow UDP and TCP connections on port 53 to our machine.
[root@server0 data]# iptables -I RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT
[root@server0 data]# iptables -I RH-Firewall-1-INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
[root@server0 data]# iptables -L RH-Firewall-1-INPUT
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Using iptables -I, we insert our rules at the beginning of the chain. They have to come before the REJECT rule at the bottom, because REJECT is terminating and nothing placed after it is ever evaluated. Now we can test access to our nameserver from another machine.
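As an added check of the ordering point just made (example code, not from the page): this parses an iptables -L listing and reports rules shadowed by the chain's catch-all REJECT, which is also why rules appended to INPUT with -A, behind the jump into RH-Firewall-1-INPUT, never see a packet that chain has already rejected. Both listings are constructed; the second shows what -A would have produced.

```python
# Added example (not from the page): parse an `iptables -L <chain>` listing and
# confirm the port-53 ACCEPT rules sit before the chain's catch-all REJECT, which
# is why the text uses -I rather than -A. Listings below are constructed samples.
import re

# Abridged copy of the RH-Firewall-1-INPUT listing shown above, after the two -I commands.
INSERTED = """\
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""

# Constructed: the same chain if the rules had been appended with -A instead.
APPENDED = """\
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain state NEW,RELATED,ESTABLISHED
"""

def parse_chain(listing):
    """Return (target, proto, match_options) per rule, skipping the two header lines."""
    rules = []
    for line in listing.splitlines()[2:]:
        parts = line.split(None, 5)              # target prot opt source destination [options]
        if len(parts) >= 5:
            rules.append((parts[0], parts[1], parts[5] if len(parts) == 6 else ""))
    return rules

def unreachable_rules(rules):
    """Rules positioned after the first terminating catch-all (REJECT/DROP, proto all, no match options)."""
    for i, (target, proto, opts) in enumerate(rules):
        if target in ("REJECT", "DROP") and proto == "all" and not re.search(r"\b(state|dpt|spt)\b", opts):
            return rules[i + 1:]
    return []

def dns_rules_reachable(listing):
    """True when at least one dpt:domain rule exists and none of them is shadowed by the catch-all."""
    rules = parse_chain(listing)
    dns = [r for r in rules if "dpt:domain" in r[2]]
    dead = unreachable_rules(rules)
    return bool(dns) and not any(r in dead for r in dns)
```

The checker does not judge sources: both port-53 rules accept from anywhere, so on a server reachable from beyond 192.168.0.0/24 a forwarding resolver is open to every client that can reach it, and an iptables -s match or BIND's allow-recursion option is the place to narrow that.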
[user@client0 ~]$ nslookup ns1.example.com 192.168.0.1
Server:         192.168.0.1
Address:        192.168.0.1#53

Name:   ns0.example.com
Address: 192.168.0.1

We are almost done. In order for our new rules to be used the next time server1 is rebooted, we need to save the iptables rules into the configuration file.
[root@server0 data]# cd /etc/sysconfig
[root@server0 sysconfig]# cp iptables iptables.$(date +%Y-%m-%d)
[root@server0 sysconfig]# iptables-save >iptables

Our iptables rules are saved now and will be used on the next reboot of our server. Since we will be handing out addresses on the 192.168.0.0/24 subnet, we will also serve the reverse zone for it from our named server and add a few records to our example.com zone file.
db.192.168
$TTL 3D
@       IN SOA  localhost. root.localhost. (
                00              ; Serial
                86400           ; Refresh
                7200            ; Retry
                2592000         ; Expire
                345600 )        ; Minimum
        NS      ns0.example.com.
1       PTR     server0.example.com.
16      PTR     client0.example.com.
17      PTR     client1.example.com.
18      PTR     client2.example.com.
19      PTR     client3.example.com.
20      PTR     client4.example.com.
21      PTR     client5.example.com.
22      PTR     client6.example.com.
23      PTR     client7.example.com.
24      PTR     client8.example.com.
25      PTR     client9.example.com.
26      PTR     client10.example.com.
27      PTR     client11.example.com.
28      PTR     client12.example.com.
29      PTR     client13.example.com.
30      PTR     client14.example.com.
31      PTR     client15.example.com.
In order for named to use this file, we need to add a zone definition for it to named.conf:
zone "0.168.192.in-addr.arpa" in {
        type master;
        file "data/db.192.168.0";
};
example.com
$TTL 3D
@       IN SOA  ns0.example.com. root.example.com. (
                00              ; Serial
                86400           ; Refresh
                7200            ; Retry
                2592000         ; Expire
                345600 )        ; Minimum
        NS      ns0
ns0     IN A    192.168.0.1
server0 IN A    192.168.0.1
client0 IN A    192.168.0.16
client1 IN A    192.168.0.17
client2 IN A    192.168.0.18
client3 IN A    192.168.0.19
client4 IN A    192.168.0.20
client5 IN A    192.168.0.21
client6 IN A    192.168.0.22
client7 IN A    192.168.0.23
client8 IN A    192.168.0.24
client9 IN A    192.168.0.25
client10 IN A   192.168.0.26
client11 IN A   192.168.0.27
client12 IN A   192.168.0.28
client13 IN A   192.168.0.29
client14 IN A   192.168.0.30
client15 IN A   192.168.0.31

We can now move on to configuring the webserver to allow access to the installation files we need.
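The forward and reverse zones above have to agree record for record, and a mismatch is easy to introduce by hand; this added example (not code from the page) parses both zone texts in the format used here and reports A records with no PTR back and PTRs whose target has no A record. The zone samples are constructed from the files above and abridged, with gaps left in on purpose; the function names are mine.

```python
# Added example (not from the page): cross-check the forward example.com zone against
# the 0.168.192.in-addr.arpa reverse zone. Both texts are constructed from the files
# above, abridged, with deliberate gaps (client1 has no PTR, client2 has no A record).
FORWARD = """\
$TTL 3D
@       IN SOA  ns0.example.com. root.example.com. (
                00 86400 7200 2592000   ; Serial Refresh Retry Expire
                345600 )                ; Minimum
        NS      ns0
ns0     IN A    192.168.0.1
server0 IN A    192.168.0.1
client0 IN A    192.168.0.16
client1 IN A    192.168.0.17
"""
REVERSE = """\
@       IN SOA  localhost. root.localhost. (
                00 86400 7200 2592000   ; Serial Refresh Retry Expire
                345600 )                ; Minimum
        NS      ns0.example.com.
1       PTR     server0.example.com.
16      PTR     client0.example.com.
18      PTR     client2.example.com.
"""

def records(zone_text, rtype):
    """Yield (owner, rdata) for rtype records; skips ';' comments, $ directives and the SOA."""
    in_soa = False
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        if in_soa or "SOA" in line.split():    # parenthesised SOA as above: skip until ')'
            in_soa = ")" not in line
            continue
        fields = [f for f in line.split() if f != "IN"]
        if len(fields) == 3 and fields[1] == rtype:
            yield fields[0], fields[2]

def forward_map(zone_text, origin):             # "ns0" -> "ns0.example.com." -> address
    return {f"{name}.{origin}.": ip for name, ip in records(zone_text, "A")}

def reverse_map(zone_text, prefix):             # "16" -> "192.168.0.16" -> target FQDN
    return {f"{prefix}.{last}": name for last, name in records(zone_text, "PTR")}

def mismatches(fwd, rev):
    """Names whose address has no PTR back to them, and PTRs whose target has no matching A."""
    no_ptr = sorted(n for n, ip in fwd.items() if rev.get(ip) != n)
    bad_ptr = sorted(ip for ip, n in rev.items() if fwd.get(n) != ip)
    return no_ptr, bad_ptr
```

ns0 is reported too: it shares 192.168.0.1 with server0, and an address can only carry one PTR, so one of the two names will always lack a reverse match.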
* If this is the first server on your network then you might not have any DNS servers yet; you can leave the forwarders line out of named.conf in this case. Optionally you may wish to use the DNS servers provided by your ISP.

** IP addresses in the ranges 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255 and 192.168.0.0 - 192.168.255.255 are reserved for use by organisations internally and are not routable on the Internet (http://www.faqs.org/rfcs/rfc1597.html). As such, we will use 192.168.0.1 as the IP address of our installation server and 192.168.0.0/24 as our network (192.168.0.0/24 is shorthand for saying our machines will have addresses in the range 192.168.0.1 - 192.168.0.254).

+ This is the default name on RedHat Enterprise Linux (RHEL) derived distributions. On Fedora the name remains INPUT.

++ You can determine which port a service is running on using lsof or by looking in /etc/services. Using lsof you can grep for open TCP ports:
[root@server0 install]# lsof -i -n | grep named
named   5808 named   20u  IPv4 159190       UDP 127.0.0.1:domain
named   5808 named   21u  IPv4 159191       TCP 127.0.0.1:domain (LISTEN)
named   5808 named   22u  IPv4 159192       UDP 192.168.0.1:domain
named   5808 named   23u  IPv4 159193       TCP 192.168.0.1:domain (LISTEN)
named   5808 named   24u  IPv4 159194       UDP *:33883
named   5808 named   25u  IPv6 159195       UDP *:41551
named   5808 named   26u  IPv4 159196       TCP 127.0.0.1:rndc (LISTEN)
named   5808 named   27u  IPv6 159197       TCP [::1]:rndc (LISTEN)

From this output we can see that named is LISTENing on the port named domain; by looking in /etc/services, we see that domain is port 53.
[root@server0 install]# grep -w ^domain /etc/services
domain          53/tcp                          # name-domain server
domain          53/udp

named uses both TCP and UDP; we can see this from the first line of our lsof output, UDP 127.0.0.1:domain. We also see in /etc/services that domain is registered for both TCP and UDP connections.