Difference between revisions of "Labeled NFS/Demo/Manual/DNS"
CraigGrube (Talk | contribs) (New page: Setting Up DNS for testing)
CraigGrube (Talk | contribs) (→Setting Up DNS for testing)
Latest revision as of 15:03, 12 December 2008
Setting Up DNS for testing
This is a brief HOWTO on setting up the BIND DNS server for the example domains used throughout this tutorial. The DNS configuration information at the beginning of the automated installation instructions assumes that a system separate from the server provides DNS services. The manual instructions place the DNS server with the other server components on one system; however, there is no reason the steps cannot be modified to move the DNS server component to a separate system.
One of the pre-requisites for Kerberos and LDAP is that important machines must have matching forward and reverse DNS names. This means that you cannot simply assign an alias (i.e. CNAME) to an existing machine and have it work.
The host command can help you determine whether forward and reverse DNS match (see the test after setup).
First, install the BIND nameserver:
# yum install bind bind-utils
named configuration
This example configuration file uses the private network 192.168.201.0, with 192.168.201.13 being the DNS/Kerberos/LDAP/NFSv4 server.
Add two zones to /etc/named.conf, one for forward and one for reverse:

zone "example.com" in {
    type master;
    file "example.com";
};

// reverse map for class C 192.168.201.0
zone "201.168.192.IN-ADDR.ARPA" in {
    type master;
    file "192.168.201.rev";
};
The default configuration file will only listen on the localhost address. You will need to set the listen-on and allow-query addresses in the options section so that named can respond to queries on the local network:

options {
    // ...
    listen-on port 53 { 192.168.201.13; 127.0.0.1; };
    allow-query { 192.168.201.0/24; 127.0.0.1/32; };
};
Forward zone
Create /var/named/example.com:

$TTL 6D
@       IN  SOA dns.example.com. root.example.com. (
                200806256   ; Serial
                1H          ; Refresh
                300         ; Retry
                2D          ; Expire
                12H )       ; Minimum TTL
        NS  dns.example.com.
;
localhost   A   127.0.0.1
; address of machine acting as DNS server
dns         A   192.168.201.13
; one machine for all three services. A record for machine, CNAMEs for services.
; NOTE: use sefos in all kerberos/nfs/ldap configuration files!
seserver    A   192.168.201.13
seclient    A   192.168.201.50
client2     A   192.168.201.51
client3     A   192.168.201.52
Reverse DNS
Create /var/named/192.168.201.rev:

$TTL 6D
@       IN  SOA dns.example.com. root.example.com. (
                200806201   ; Serial
                1H          ; Refresh
                300         ; Retry
                2D          ; Expire
                12H )       ; Minimum TTL
        NS  dns.example.com.
;
;
13      IN  PTR seserver.example.com.
50      IN  PTR seclient.example.com.
51      IN  PTR client2.example.com.
52      IN  PTR client3.example.com.
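The following is an added consistency check, not part of the original page: it parses constructed excerpts of the two zone files above and verifies, for each name, that its A record reverse-maps to exactly that name, which is the property Kerberos and LDAP require. A hypothetical sefos CNAME seserver line (not in the page's zone) is included to show why an alias does not pass the check, and the dns name shows that a second A record for the same address does not round-trip either.

```python
import re

# Constructed excerpts of this page's forward and reverse zone files, plus a
# hypothetical "sefos CNAME seserver" alias (not on the page) to show why an
# alias fails the matching forward/reverse requirement.
FORWARD_ZONE = """\
@ IN SOA dns.example.com. root.example.com. ( 200806256 1H 300 2D 12H )
  NS dns.example.com.
dns        A 192.168.201.13   ; the DNS server itself
seserver   A 192.168.201.13   ; one machine for all three services
seclient   A 192.168.201.50
sefos      CNAME seserver     ; hypothetical alias, not in the page's zone
"""
REVERSE_ZONE = """\
13 IN PTR seserver.example.com.
50 IN PTR seclient.example.com.
"""
# "owner [IN] type rdata", matched after ';' comments are stripped
RECORD = re.compile(r"^(\S+)\s+(?:IN\s+)?(A|CNAME|PTR)\s+(\S+)$", re.I)

def parse_zone(text):
    # Return (owner, type, rdata) for every A, CNAME and PTR record
    recs = []
    for line in text.splitlines():
        m = RECORD.match(line.split(";", 1)[0].strip())
        if m:
            recs.append((m.group(1), m.group(2).upper(), m.group(3)))
    return recs

def forward(fwd, name, depth=0):
    """Address for a short name, following CNAMEs the way a resolver does."""
    for owner, rtype, rdata in fwd:
        if owner == name and rtype == "A":
            return rdata
        if owner == name and rtype == "CNAME" and depth < 8:
            return forward(fwd, rdata, depth + 1)
    return None

def reverse(rev, network, ip):
    """PTR target for an address inside the class C reverse zone, else None."""
    if not ip or not ip.startswith(network + "."):
        return None
    return next((r for o, t, r in rev if o == ip[len(network) + 1:] and t == "PTR"), None)

def roundtrip(fwd, rev, zone, network, name):
    """(name, ip, ptr, ok): ok only when the PTR names exactly name.zone."""
    ip = forward(fwd, name)
    ptr = reverse(rev, network, ip)
    return (name, ip, ptr, ptr == f"{name}.{zone}.")

FWD, REV = parse_zone(FORWARD_ZONE), parse_zone(REVERSE_ZONE)
for n in ("seserver", "seclient", "sefos", "dns"):
    print(roundtrip(FWD, REV, "example.com", "192.168.201", n))
```

Only seserver and seclient pass; sefos resolves through the alias to 192.168.201.13, whose PTR names seserver, which is exactly the mismatch that breaks Kerberos and LDAP.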
Start named
In targeted mode:
service named start
In MLS mode:
run_init service named start
Configure Local Name Resolution
Add the new nameserver to /etc/resolv.conf, above any other nameservers, and add the domain to the search path. This step will also have to be performed on any clients (unless they are DHCP clients and your DHCP server is configured to hand out the new name server).

# search domain, so short names can be used
# (e.g. 'sefos' instead of sefos.example.com)
search example.com
# new nameserver
nameserver 192.168.201.13
# old nameserver, as a fallback
nameserver 192.168.201.1
Test reverse DNS
Check that the forward lookup and the reverse lookup of its address return the same name. The output below uses the host name sefos; with the zone files as written above, the server's name is seserver, so query whichever name you used.

# host sefos
sefos.example.com has address 192.168.201.13
# host 192.168.201.13
13.201.168.192.in-addr.arpa domain name pointer sefos.example.com.
Turn on named at boot
chkconfig named on
Firewalls
The following line should be added to /etc/sysconfig/iptables before the INPUT REJECT rule to allow UDP DNS queries to port 53. Responses too large for UDP and zone transfers use TCP port 53, so add a matching -p tcp rule if you need those.
-A INPUT -m udp -p udp --dport 53 -j ACCEPT
Then iptables should be restarted:
# service iptables restart