DNS provides name resolution. In an earlier post we saw how to install and configure BIND DNS on Linux as a single server. A single server is a single point of failure, so a DNS setup should have fault tolerance: a master/slave pair in which clients query the slave and zone data is edited only on the master. Restricting queries and zone transfers on the master also keeps it out of reach of ordinary hosts on the intranet. This post shows how to configure a BIND DNS master/slave pair on CentOS 7.

Setup

In this post we set up one master DNS server and one slave DNS server. Records are updated on the master and replicate to the slave by zone transfer.

DNS clients query the slave for name resolution. The master's ACLs refuse queries from anything but the slave and itself, so clients never talk to it directly.

Master DNS Server -- srv7-master.geekpills.com -- 192.168.122.109

Slave DNS Server  -- srv7-sec.geekpills.com    -- 192.168.122.121

Client Machine    -- srvu.geekpills.com        -- 192.168.122.37

CentOS 7 is used for both the master and the slave; an Ubuntu machine acts as the DNS client.

[root@srv7-master ~]# cat /etc/redhat-release 
CentOS Linux release 7.3.1611 (Core) 

[root@srv7-sec ~]# cat /etc/redhat-release 
CentOS Linux release 7.3.1611 (Core) 

root@srvu:~# lsb_release -d
Description:	Ubuntu 17.04

The single-server installation from the earlier post is the starting point here.

Installation

Install the BIND packages on CentOS 7 with:

#yum install bind bind-utils 

Package installation is the same on the master and the slave, so the yum command above is used on both.

bind and bind-utils are the packages needed for a working BIND server (bind-utils provides dig, nslookup and host). These are the bind-related packages on my DNS machines:

[root@srv7-master ~]# rpm -qa |grep bind
bind-license-9.9.4-51.el7.noarch
bind-utils-9.9.4-51.el7.x86_64
rpcbind-0.2.0-38.el7_3.1.x86_64
bind-libs-9.9.4-51.el7.x86_64
bind-devel-9.9.4-51.el7.x86_64
bind-9.9.4-51.el7.x86_64
bind-libs-lite-9.9.4-51.el7.x86_64

Configure Master DNS

The single-server configuration from the earlier post is assumed. For the master we edit named.conf again and add a few directives:

options {
	listen-on port 53 { 127.0.0.1; 192.168.122.109; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	// only the slave and the master itself may query this server
	allow-query     { 192.168.122.121; 192.168.122.109; 127.0.0.1; };
};

zone "geekpills.com" IN {
	type master;
	file "geekpills.com.zone";
	// send NOTIFY to the slave whenever the zone is (re)loaded with a new serial
	also-notify { 192.168.122.121; };
	// only the slave may pull a copy of the zone (AXFR/IXFR)
	allow-transfer { 192.168.122.121; };
};

zone "122.168.192.in-addr.arpa" IN {
	type master;
	file "192.168.122.zone";
	also-notify { 192.168.122.121; };
	allow-transfer { 192.168.122.121; };
};

The directives that matter for the master are listen-on, allow-query, also-notify and allow-transfer. Let's go through them.

listen-on port 53 -- used on every DNS server; it names the IP addresses (and port) the service listens on. Without the server's own LAN address here, named answers only on localhost.

allow-query -- which hosts may query this server; it can be set globally (as here) or per zone. On the master, for security, only localhost, the master's own address and the slave are allowed; any other host gets REFUSED. This shrinks the master's exposure on the LAN, though an IP ACL is not authentication: any host that can send packets from the slave's address is trusted just the same. Note also that the options block above inherits BIND's default of recursion yes; if the master is meant to be authoritative only, add recursion no; as well.

also-notify -- used here only on the master. It lists extra addresses that receive a NOTIFY whenever the zone is (re)loaded with a new serial, so the slave pulls the change at once instead of waiting for the SOA refresh interval. BIND already notifies every server in the zone's NS records (notify yes is the default), so with srv7-sec listed as an NS this is redundant, but it is harmless and makes the intent explicit.

allow-transfer -- relevant on both master and slave: it lists the addresses allowed to pull a copy of the zone (AXFR/IXFR), globally or per zone. The default in this BIND version is any, which is convenient but insecure: a zone transfer hands out the complete host inventory in one request. Always restrict transfers to your slave(s), and on a slave that has no slaves of its own set allow-transfer { none; };. allow-query restricts ordinary queries; zone transfers are governed by allow-transfer, so both must be set.

Now create the zone files named in named.conf, starting with the forward lookup zone.

Forward lookup Zone

The forward lookup zone below carries several record types; see the earlier DNS post for what each type means. Pay attention to the SOA serial: a slave only pulls a new copy when the master's serial is greater than the one it holds, so every edit must raise it. The date-based YYYYMMDDnn form used here makes that easy to get right.

$TTL    86400
@               IN SOA  geekpills.com. root.geekpills.com. (
                                        2017092101      ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                        IN NS           srv7-master.geekpills.com.
                        IN NS           srv7-sec.geekpills.com.

                        IN MX 5 smtp.geekpills.com.

srv7-master.geekpills.com.   IN      A       192.168.122.109
srv7-sec.geekpills.com.      IN     A       192.168.122.121

sai1.geekpills.com.   IN      A       192.168.122.51
sai2.geekpills.com.   IN      A       192.168.122.52
sai3.geekpills.com.   IN      A       192.168.122.53
sai4.geekpills.com.   IN      A       192.168.122.54
sai5.geekpills.com.   IN      A       192.168.122.55

smtp.geekpills.com.   IN      A       192.168.122.200
                      IN      A       192.168.122.201

mail.geekpills.com.   IN      CNAME   smtp.geekpills.com.

webserver.geekpills.com. IN   A       192.168.122.111

sai-scan.geekpills.com.       IN      A       192.168.122.71
                              IN      A       192.168.122.72
                              IN      A       192.168.122.73
                              IN      TXT     "Round-robin IP for Scan"

geekpills.com.        IN      A       192.168.122.11
www                   IN      CNAME   webserver.geekpills.com.

Reverse lookup zone

The reverse lookup zone follows; details are in the previous post. Both servers are authoritative for it, so both are listed as NS, just as in the forward zone.

$TTL    86400
@       IN      SOA     geekpills.com. root.geekpills.com.  (
                                      2017092101 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum

        NS      srv7-master.geekpills.com.
        NS      srv7-sec.geekpills.com.

109     IN      PTR     srv7-master.geekpills.com.
121     IN      PTR     srv7-sec.geekpills.com.

51      IN      PTR     sai1.geekpills.com.
52      IN      PTR     sai2.geekpills.com.
53      IN      PTR     sai3.geekpills.com.
54      IN      PTR     sai4.geekpills.com.
55      IN      PTR     sai5.geekpills.com.
71      IN      PTR     sai-scan.geekpills.com.
72      IN      PTR     sai-scan.geekpills.com.
73      IN      PTR     sai-scan.geekpills.com.

11      IN      PTR     geekpills.com.

200     IN      PTR     smtp.geekpills.com.
201     IN      PTR     smtp.geekpills.com.

111     IN      PTR     webserver.geekpills.com.

That completes the master. Before starting it, check the configuration syntax with named-checkconf and each zone file with named-checkzone; then start the service (systemctl start named) and enable it so it comes back after a reboot (systemctl enable named). If firewalld is active on CentOS 7, also open DNS (UDP and TCP port 53): zone transfers to the slave run over TCP, so UDP alone is not enough. Then move on to the slave.

Configure Slave DNS Server

The slave needs the same packages, installed the same way as on the master.

On the slave, edit named.conf as below; when named starts it pulls the zones from the master automatically.

options {
	listen-on port 53 { 127.0.0.1; 192.168.122.121; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	// clients on the LAN may query the slave
	allow-query     { 192.168.122.0/24; };
	// the slave has no slaves of its own: nobody may pull the zones from it
	allow-transfer  { none; };
};

zone "geekpills.com" IN {
	type slave;
	masters { 192.168.122.109; };
	file "slaves/db.geekpills.com.zone";
};

zone "122.168.192.in-addr.arpa" IN {
	type slave;
	masters { 192.168.122.109; };
	file "slaves/db.192.168.122.zone";
};

This named.conf differs from the master's in a few directives:

allow-query     { 192.168.122.0/24; };

allow-query -- the whole client subnet may query the slave, whereas the master only accepts queries from a couple of hosts.

allow-transfer  { none; };

allow-transfer -- without this BIND defaults to allowing zone transfers to any host, so the whole LAN could pull the zones from the slave even though the master refuses them. none closes that on the slave; if you later put a second-level slave behind this one, list its address here instead.

type slave;

type -- marks the zone as a slave copy. named fetches it from the master and writes it to the file given, so that file's directory must be writable by the named user (the packaged /var/named/slaves directory is).

masters { 192.168.122.109; };

masters -- slave-only: the master's address(es) for this zone. The slave sends its SOA refresh queries and transfer requests there, so the master's allow-query and allow-transfer must both include the slave's address, as they do above.

Now start named on the slave; it fetches both zones from the master and writes them to /var/named/slaves:

[root@srv7-sec slaves]# pwd
/var/named/slaves
[root@srv7-sec slaves]# ll
total 0
[root@srv7-sec slaves]# systemctl is-active named 
inactive
[root@srv7-sec slaves]# systemctl start named 
[root@srv7-sec slaves]# systemctl is-active named 
active
[root@srv7-sec slaves]# ll
total 8
-rw-r--r-- 1 named named 804 Sep 21 22:01 db.192.168.122.zone
-rw-r--r-- 1 named named 786 Sep 21 22:01 db.geekpills.com.zone

Configuration of DNS Clients

On a Linux client, list the slave's address in /etc/resolv.conf:

nameserver 192.168.122.121

Several nameserver lines may be listed, and their order matters: the resolver sends each query to the first server and moves to the next only if that server does not respond (timeout or unreachable), not when it answers that a name does not exist. Listing the master here would be pointless, since it refuses client queries by design; a second slave is the usual way to add redundancy on the client side.

Records can also be checked against a specific server without changing /etc/resolv.conf; below dig is pointed directly at the slave:

root@srvu:~# dig @192.168.122.121 geekpills.com NS

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.122.121 geekpills.com NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62901
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;geekpills.com.			IN	NS

;; ANSWER SECTION:
geekpills.com.		86400	IN	NS	srv7-master.geekpills.com.
geekpills.com.		86400	IN	NS	srv7-sec.geekpills.com.

;; ADDITIONAL SECTION:
srv7-master.geekpills.com. 86400 IN	A	192.168.122.109
srv7-sec.geekpills.com.	86400	IN	A	192.168.122.121

;; Query time: 2 msec
;; SERVER: 192.168.122.121#53(192.168.122.121)
;; WHEN: Thu Sep 21 22:42:54 IST 2017
;; MSG SIZE  rcvd: 123

nslookup does the same:

root@srvu:~# nslookup  -query=ns geekpills.com 192.168.122.121
Server:		192.168.122.121
Address:	192.168.122.121#53

geekpills.com	nameserver = srv7-master.geekpills.com.
geekpills.com	nameserver = srv7-sec.geekpills.com.

Register New records

The main reason for this setup is that records are added or removed only on the master and propagate to the slave automatically.

Let's add a record for the client srvu.geekpills.com to the forward and reverse zones:

[root@srv7-master ~]# egrep -i "srvu|serial" /var/named/geekpills.com.zone 
                                        2017180903      ; serial (d. adams)
srvu.geekpills.com.	IN	A	192.168.122.37
[root@srv7-master ~]# egrep -i "srvu|serial" /var/named/192.168.122.zone 
                                      2017180903 ; Serial
37	IN	PTR	srvu.geekpills.com.

In both files the serial was raised as well. Without that the slave would ignore the NOTIFY and keep its old copy, because it only transfers when the master's serial is greater than its own. The new value 2017180903 satisfies that, but it has left the YYYYMMDDnn convention behind: a later date-based serial such as 2017092201 would be smaller and would never replicate, so from here on the serial must keep counting up from 2017180903. Now reload named on the master:

systemctl reload named
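Bumping the serial by hand is where replication usually goes wrong: it is forgotten, or the new value is not strictly greater than the old one. The script below is an added example, not part of the original post. It computes the next serial, rewrites it in the zone file, validates the file with named-checkzone and reloads only that zone with rndc, which triggers the NOTIFY to the slave. It assumes that the zone file keeps the serial on its own line followed by a "; serial" comment, as the zone files above do, and that rndc works locally on the master (the CentOS 7 bind package sets up /etc/rndc.key for that); both are assumptions, not something the post states. next_serial applies the rule the slave actually enforces: the new value must be greater than the old one, even when the old one is already ahead of today's date, as 2017180903 is.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): bump a BIND zone's SOA serial,
# validate the zone file and reload just that zone on the master.
# Assumptions: the serial sits on its own line followed by a "; serial"
# comment (as in the post's zone files); named-checkzone and a working rndc
# are available on the master.

# next_serial OLD TODAY -> print the next serial.
# Prefer the YYYYMMDDnn convention, but the rule a slave enforces is
# "new > old" (RFC 1982 serial arithmetic), so if OLD is already past
# today's date (the post jumps to 2017180903) add one instead of going back.
next_serial() {
    local old=$1 today=$2 new
    case "$old" in
        "$today"[0-9][0-9]) new=$((old + 1)) ;;   # same day: nn+1
        *)                  new="${today}01" ;;   # new day: first of the day
    esac
    if [ "$new" -le "$old" ]; then
        new=$((old + 1))                          # never go backwards
    fi
    printf '%s\n' "$new"
}

# current_serial FILE -> print the serial found on the "; serial" line.
current_serial() {
    sed -n -E 's/^[[:space:]]*([0-9]+)[[:space:]]*;[[:space:]]*[Ss]erial.*/\1/p' "$1" | head -n 1
}

# bump_zone_serial FILE [TODAY] -> rewrite the serial line in place and
# print the new serial. TODAY defaults to the current date.
bump_zone_serial() {
    local file=$1 today=${2:-$(date +%Y%m%d)} old new
    old=$(current_serial "$file")
    if [ -z "$old" ]; then
        echo "no '; serial' line found in $file" >&2
        return 1
    fi
    new=$(next_serial "$old" "$today")
    # only the serial digits are replaced; indentation and the comment stay
    sed -i -E "s/^([[:space:]]*)${old}([[:space:]]*;[[:space:]]*[Ss]erial)/\1${new}\2/" "$file"
    printf '%s\n' "$new"
}

# publish ZONE FILE -> bump, check, reload. A zone file that fails the check
# is left with the new serial but is NOT reloaded, so named keeps serving
# the last good copy and the slave is not notified of a broken zone.
publish() {
    local zone=$1 file=$2 new
    new=$(bump_zone_serial "$file") || return 1
    if ! named-checkzone -q "$zone" "$file"; then
        echo "$file failed named-checkzone; serial $new written but zone not reloaded" >&2
        return 1
    fi
    rndc reload "$zone" && echo "$zone reloaded with serial $new; slave will be notified"
}

# usage on the master:  ./bump-serial.sh geekpills.com /var/named/geekpills.com.zone
if [ "$#" -eq 2 ]; then
    publish "$1" "$2"
fi
```

Run it once per zone file you edited (forward and reverse each carry their own serial). If named-checkzone rejects the file, fix the record and run it again; the serial simply moves up one more.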

The change replicates to the slave as soon as the master reloads. Querying from the client before and after the reload:

Before reload of named:
root@srvu:~# nslookup  -query=A srvu.geekpills.com 192.168.122.121
Server:		192.168.122.121
Address:	192.168.122.121#53

** server can't find srvu.geekpills.com: NXDOMAIN
After reload of named:
root@srvu:~# nslookup  -query=A srvu.geekpills.com 192.168.122.121
Server:		192.168.122.121
Address:	192.168.122.121#53

Name:	srvu.geekpills.com
Address: 192.168.122.37

The same is visible in /var/log/messages on both the master and the slave.

Master DNS Server log.

reloading configuration succeeded
reloading zones succeeded
Reloaded Berkeley Internet Name Domain (DNS).
zone 122.168.192.in-addr.arpa/IN: loaded serial 2017180903
all zones loaded
running
zone geekpills.com/IN: loaded serial 2017180903
zone 122.168.192.in-addr.arpa/IN: sending notifies (serial 2017180903)
zone geekpills.com/IN: sending notifies (serial 2017180903)
client 192.168.122.121#52943 (122.168.192.in-addr.arpa): transfer of '122.168.192.in-addr.arpa/IN': AXFR-style IXFR started
client 192.168.122.121#52943 (122.168.192.in-addr.arpa): transfer of '122.168.192.in-addr.arpa/IN': AXFR-style IXFR ended
client 192.168.122.121#42678: received notify for zone '122.168.192.in-addr.arpa'
client 192.168.122.121#39635 (geekpills.com): transfer of 'geekpills.com/IN': AXFR-style IXFR started
client 192.168.122.121#39635 (geekpills.com): transfer of 'geekpills.com/IN': AXFR-style IXFR ended
client 192.168.122.121#11260: received notify for zone 'geekpills.com'

Slave DNS Server log. (The "AXFR-style IXFR" entries on the master mean the slave asked for an incremental transfer, but a zone loaded from a plain file has no journal, so the master sent the whole zone instead.)

client 192.168.122.109#52794: received notify for zone '122.168.192.in-addr.arpa'
zone 122.168.192.in-addr.arpa/IN: Transfer started.
transfer of '122.168.192.in-addr.arpa/IN' from 192.168.122.109#53: connected using 192.168.122.121#52943
zone 122.168.192.in-addr.arpa/IN: transferred serial 2017180903
transfer of '122.168.192.in-addr.arpa/IN' from 192.168.122.109#53: Transfer completed: 1 messages, 19 records, 496 bytes, 0.008 secs (62000 bytes/sec)
zone 122.168.192.in-addr.arpa/IN: sending notifies (serial 2017180903)
client 192.168.122.109#34021: received notify for zone 'geekpills.com'
zone geekpills.com/IN: Transfer started.
transfer of 'geekpills.com/IN' from 192.168.122.109#53: connected using 192.168.122.121#39635
zone geekpills.com/IN: transferred serial 2017180903
transfer of 'geekpills.com/IN' from 192.168.122.109#53: Transfer completed: 1 messages, 23 records, 542 bytes, 0.001 secs (542000 bytes/sec)
zone geekpills.com/IN: sending notifies (serial 2017180903)
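Rather than reading logs on both servers, the checks can be scripted. The script below is an added example, not part of the original post. It assumes dig is installed on the client (bind-utils on CentOS, dnsutils on Ubuntu) and uses the addresses from this post. audit_from_client runs on srvu and confirms that the slave answers, that the master refuses the client's queries (allow-query) and that neither server hands the client a zone transfer (allow-transfer). audit_replication must run on the slave, because the client cannot query the master at all; it compares the SOA serial served by the two servers, which is the only thing the slave itself looks at to decide whether it is up to date. The parsing helpers read dig's text output on stdin, so they also work on captured output.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit the master/slave ACLs
# from the client and confirm replication from the slave, using dig.
# Assumptions: dig is installed; addresses are the ones used in the post.

MASTER=${MASTER:-192.168.122.109}
SLAVE=${SLAVE:-192.168.122.121}
ZONE=${ZONE:-geekpills.com}
DIGOPTS="+time=2 +tries=1"          # fail fast instead of hanging on a dead server

# rcode_of: read dig output on stdin, print the RCODE (NOERROR, REFUSED, ...).
rcode_of() {
    sed -n -E 's/.*status: ([A-Z]+),.*/\1/p' | head -n 1
}

# serial_of: read "dig +short SOA" output on stdin, print the serial (3rd field).
serial_of() {
    awk 'NF >= 7 { print $3; exit }'
}

# transfer_refused: read "dig AXFR" output on stdin; succeed if the server
# did not hand over the zone (dig prints "; Transfer failed." in that case).
transfer_refused() {
    grep -q '^; Transfer failed'
}

# serials_match A B: succeed only when both serials are present and equal.
# A slave only pulls a new copy when the master's serial is greater than its
# own, so equal serials mean the last change has replicated.
serials_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# audit_from_client: run on srvu (a host outside the master's ACLs).
# Returns non-zero if any check fails.
audit_from_client() {
    local fail=0 rc srv
    rc=$(dig @"$SLAVE" "$ZONE" NS $DIGOPTS | rcode_of)
    if [ "$rc" = NOERROR ]; then echo "ok   slave answers"
    else echo "FAIL slave rcode='$rc'"; fail=1; fi

    rc=$(dig @"$MASTER" "$ZONE" NS $DIGOPTS | rcode_of)
    if [ "$rc" = REFUSED ]; then echo "ok   master refuses client queries"
    else echo "FAIL master rcode='$rc' (allow-query too open?)"; fail=1; fi

    for srv in "$MASTER" "$SLAVE"; do
        if dig @"$srv" "$ZONE" AXFR $DIGOPTS | transfer_refused; then
            echo "ok   $srv refuses AXFR from client"
        else
            echo "FAIL $srv served the whole zone to the client (set allow-transfer)"; fail=1
        fi
    done
    return $fail
}

# audit_replication: run on the slave, whose address is in the master's
# allow-query. It queries itself via its LAN address because the slave's
# allow-query covers 192.168.122.0/24, not 127.0.0.1.
audit_replication() {
    local ms ss
    ms=$(dig @"$MASTER" "$ZONE" SOA +short $DIGOPTS | serial_of)
    ss=$(dig @"$SLAVE"  "$ZONE" SOA +short $DIGOPTS | serial_of)
    if serials_match "$ms" "$ss"; then
        echo "ok   serial $ss on both servers"
    else
        echo "FAIL master serial='$ms' slave serial='$ss'"; return 1
    fi
}

# usage: ./dns-audit.sh client        (on srvu)
#        ./dns-audit.sh replication   (on srv7-sec)
case "${1:-}" in
    client)      audit_from_client ;;
    replication) audit_replication ;;
    "")          ;;
    *)           echo "usage: $0 client|replication" >&2; exit 2 ;;
esac
```

With the slave configured as shown in this post but without allow-transfer { none; }, the "slave refuses AXFR" check is the one that fails: the master is locked down, yet the same zone can be pulled from the slave by any host on the LAN.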

With that, the master/slave configuration is complete: edit the zones on the master, raise the serial, reload, and the slave picks up the change while clients keep querying the slave only.