Hi all. I run RL9 and have a local DNS server in my LAN. I am preparing a new server (“server.hartings.se”) to replace an 8 year old machine. I tried to follow the guidance on BIND given in the Rocky Linux on-line documentation. Sorry for a lengthy post, but I want to make sure you hopefully get all required info on my set-up.
My domain is “hartings.se” (158.174.119.71) and the new local DNS server is called “server.hartings.se” (192.168.1.221). There are several machines connected to the LAN. The firewall is opened and active for DNS services and connected to the NCs.
I tested the named setup with named-checkconf and named-checkzone (db and rev files) and both say all is OK. Systemctl status named also says all is up and running and OK.
[root@server ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2022-10-09 14:16:03 CEST; 43min ago
Process: 175395 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; e>
Process: 175398 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 175400 (named)
Tasks: 38 (limit: 98144)
Memory: 93.2M
CPU: 126ms
CGroup: /system.slice/named.service
└─175400 /usr/sbin/named -u named -c /etc/named.conf -4
Oct 09 14:16:03 server.hartings.se named[175400]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded >
Oct 09 14:16:03 server.hartings.se named[175400]: zone localhost/IN: loaded serial 0
Oct 09 14:16:03 server.hartings.se named[175400]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 09 14:16:03 server.hartings.se named[175400]: zone hartings.se/IN: loaded serial 2019061800
Oct 09 14:16:03 server.hartings.se named[175400]: zone localhost.localdomain/IN: loaded serial 0
Oct 09 14:16:03 server.hartings.se named[175400]: all zones loaded
Oct 09 14:16:03 server.hartings.se named[175400]: running
Oct 09 14:16:03 server.hartings.se systemd[1]: Started Berkeley Internet Name Domain (DNS).
Oct 09 14:16:03 server.hartings.se named[175400]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Oct 09 14:16:03 server.hartings.se named[175400]: resolver priming query complete
[root@server ~]#
In order to fully test the setup, I stopped the presently active old local DNS server. When running nslookup, it finds instead the router (192.168.1.254), not the new local DNS server:
[root@server ~]# nslookup hartings.se
Server: 192.168.1.254
Address: 192.168.1.254#53
Non-authoritative answer:
Name: hartings.se
Address: 158.174.119.71
[root@server ~]#
When I remove the LAN cable from the new DNS server, I would certainly expect the new DNS server to reply (only machine available), being 127.0.0.1 or 192.168.1.221. But instead it doesn’t find any DNS server, though the only available machine is now the new DNS server (command given on new DNS server):
[root@server ~]# nslookup hartings.se
;; connection timed out; no servers could be reached
[root@server ~]#
When I go to the old (and for now again active!) DNS server (“server1”) and run nslookup, I get:
[root@server1 named]# nslookup hartings.se
Server: 213.80.98.2
Address: 213.80.98.2#53
Non-authoritative answer:
Name: hartings.se
Address: 158.174.119.71
[root@server1 named]#
Funny, it now shows my ISP DNS server as the answering DNS server. Why doesn’t my new server see this one? But of course, I want the new server (“server”) to be acting local DNS server!
My named settings on the new server (“server”) are pretty simple and clean, see below.
[root@server ~]# more /var/named/hartings.se.db
$TTL 86400
@ IN SOA server.hartings.se. ralf.hartings.se. (
2019061800 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
;Name Server Information
@ IN NS server.hartings.se.
;IP for Name Server.
server IN A 192.168.1.221
;A Record for IP address to Hostname
ralf IN A 192.168.1.109
elly IN A 192.168.1.95
mediaserver IN A 192.168.1.151
backupserver IN A 192.168.1.93
[root@server ~]#
[root@server ~]# more /var/named/hartings.se.rev
$TTL 86400
@ IN SOA server.hartings.se. ralf.hartings.se. (
2019061800 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
;Name Server Information
@ IN NS server.hartings.se.
;Reverse lookup for Name Server
221 IN PTR server.hartings.se.
;PTR Record IP address to HostName
93 IN PTR backupserver.hartings.se.
95 IN PTR elly.hartings.se.
109 IN PTR ralf.hartings.se.
151 IN PTR mediaserver.hartings.se.
[root@server ~]#
My named.conf file looks like this (just to give you all required info) on the new server (“server”):
[root@server ~]# more /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; };
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { localhost; 192.168.1.0/24; };
# filter-aaaa-on-v4 yes;
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
# dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
# primary forward and reverse zones
//forward zone
zone "hartings.se" IN {
type master;
file "hartings.se.db";
allow-update { none; };
allow-query {any; };
};
//reverse zone
zone "1.168.192.in-addr.arpa" IN {
type master;
file "hartings.se.rev";
allow-update { none; };
allow-query { any; };
};
[root@server ~]#
I note that the referred file /var/named/data/named.recursing in /etc/named.conf does not exist. Is this a problem?
Any ideas on why the new local DNS server is not working? I have tried several variants for the xxx.db and xxx.rev files, but I cannot get it to work. Any help is appreciated!
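Two things decide whether a query from the LAN, or from nslookup on the server itself, ever reaches named: the `listen-on` list in the options block (which addresses named binds) and the `nameserver` lines in /etc/resolv.conf (which server nslookup asks when no `@server` is given). The script below is an added example, not code from the post or from ISC BIND; it parses those settings offline with a small hand-written parser that is enough for a stock Red Hat named.conf but not the full BIND grammar. The sample named.conf is a trimmed copy of the options block from the post; the resolv.conf contents, the "corrected" variant with the LAN address added to `listen-on`, and the default values noted in comments (BIND's defaults when a statement is absent) are assumptions made for the example. It also flags `recursion yes` combined with an explicit `allow-query { any; }`, the open-resolver combination the comment block in the stock named.conf warns about.

```python
"""Offline checks for a BIND named.conf and a resolv.conf: who can reach named,
and whether the options block describes an open recursive resolver.
Added example; not the post's own code and not part of BIND."""
import ipaddress
import re


def _strip_comments(text):
    """Remove BIND's three comment styles: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(?:^|[ \t])(?://|#).*$", "", text, flags=re.M)


def _block(text, name):
    """Return the body of `name { ... }` with nested braces balanced."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{", text)
    if not m:
        return ""
    open_pos, depth = m.end() - 1, 0
    for j in range(open_pos, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[open_pos + 1:j]
    return ""


def _address_list(block, keyword, default):
    """Parse `keyword [port N] { a; b; };`; `default` applies when absent."""
    pat = (r"(?<![\w-])" + re.escape(keyword) +
           r"(?![\w-])(?:\s+port\s+\d+)?\s*\{([^}]*)\}")
    m = re.search(pat, block)
    if not m:
        return list(default)
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def _entry_hits(entry, ip, host_addresses):
    if entry == "any":
        return True
    if entry == "localhost":      # BIND: every address of the host's own interfaces
        return str(ip) in host_addresses
    try:
        return ip in ipaddress.ip_network(entry, strict=False)
    except ValueError:            # "none", named ACLs, keys: not resolved here
        return False


def acl_matches(entries, address, host_addresses):
    """First-match semantics of a BIND address_match_list, with `!` negation."""
    ip = ipaddress.ip_address(address)
    for entry in entries:
        negated = entry.startswith("!")
        if _entry_hits(entry.lstrip("!").strip(), ip, host_addresses):
            return not negated
    return False


def nameservers(resolv_text):
    """The `nameserver` addresses of a resolv.conf, in order."""
    out = []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def diagnose(named_conf, resolv_conf, lan_ip, host_addresses=None):
    """Summarise reachability of named and the open-resolver combination."""
    host_addresses = set(host_addresses or ("127.0.0.1", "::1", lan_ip))
    opts = _block(_strip_comments(named_conf), "options")
    listen = _address_list(opts, "listen-on", ["any"])   # assumed default: all IPv4 interfaces
    allow = _address_list(opts, "allow-query", ["any"])  # assumed default: any
    rec = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", opts)
    recursion = rec.group(1) if rec else "yes"           # assumed default: yes
    ns = nameservers(resolv_conf)
    return {
        "listen_on": listen,
        "nameservers": ns,
        "recursion": recursion,
        # LAN clients can only reach named if it binds the LAN address.
        "listens_on_lan": acl_matches(listen, lan_ip, host_addresses),
        # nslookup without @server asks resolv.conf's servers, not named,
        # unless one of them is this host.
        "resolver_points_here": any(n in host_addresses for n in ns),
        "open_resolver": recursion == "yes" and allow == ["any"],
    }


# Trimmed copy of the options block from the post, plus one zone stanza.
NAMED_CONF_POST = """
options {
listen-on port 53 { 127.0.0.1; };
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
allow-query { localhost; 192.168.1.0/24; };
/* If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. */
recursion yes;
};
zone "hartings.se" IN { type master; file "hartings.se.db"; allow-query { any; }; };
"""
# Constructed resolv.conf as a DHCP client would typically get it: it points at the router.
RESOLV_POST = "search hartings.se\nnameserver 192.168.1.254\n"
# Constructed corrected pair: named also binds the LAN address and the host asks itself.
NAMED_CONF_FIXED = NAMED_CONF_POST.replace(
    "listen-on port 53 { 127.0.0.1; };",
    "listen-on port 53 { 127.0.0.1; 192.168.1.221; };")
RESOLV_FIXED = "search hartings.se\nnameserver 127.0.0.1\n"
```

Run `diagnose(NAMED_CONF_POST, RESOLV_POST, "192.168.1.221")` to see the two findings for the posted configuration (named bound to 127.0.0.1 only, resolv.conf pointing at 192.168.1.254), and the same call with the `_FIXED` pair to see both clear. On a live host the same two facts can be confirmed with `ss -lnup` (which addresses port 53 is bound on) and `dig @192.168.1.221 hartings.se` (a query that bypasses resolv.conf), which the script deliberately does not do so it stays offline.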