DNS on FreeBSD 4.7: Part 1
Master and Slave DNS using BIND 9
Part II
Problem:
The configuration of a Master and Slave DNS pair using BIND9
where the Master will be configured to automatically update the
Slave using Zone Transfers (AXFR) via NOTIFIES.
Please note that this is just for testing BIND9, not for
deploying in a real world setting.
Context:
The two DNS Servers are running on two different FreeBSD
4.7 boxes.
nsmaster.weberbrown.cam 10.0.0.250
nsslave.weberbrown.cam 10.0.0.251
Quick Install of BIND9 on FreeBSD 4.7
There are many ways to do this but this worked for me.
cd /usr/ports/net/bind9
make clean
make
make install
This installs the key BIND files in the following locations:
/usr/local/sbin/named -- named binary
/usr/local/etc/named.conf -- named conf file
/usr/local/sbin/rndc -- named admin tool
------------------------------------------------------------------------
Create the Master DNS Server (10.0.0.250)
1. Create /usr/local/etc/named.conf:
-------------snip here-----------------
options {
directory "/var/nsdata";
};
zone "." {
type hint;
file "named.root";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "db.127.0.0";
};
zone "weberbrown.cam" {
type master;
file "db.weberbrown.cam";
};
zone "0.0.10.in-addr.arpa" {
type master;
file "db.10.0.0";
};
-------------snip end here-----------------
2. Create the three zone files and download the
hints file. We shall cover them one by one.
A. /var/nsdata/db.10.0.0
B. /var/nsdata/db.weberbrown.cam
C. /var/nsdata/db.127.0.0
D. /var/nsdata/named.root
A. Contents of /var/nsdata/db.10.0.0
-------------snip here-----------------
$TTL 86400
@       IN SOA nsmaster.weberbrown.cam. root.weberbrown.cam. (
                1       ; Serial
                28800   ; Refresh
                7200    ; Retry
                604800  ; Expire
                86400)  ; Minimum TTL
;------------------------------------------------------
;NAME SERVER RESOURCE RECORDS
;------------------------------------------------------
        IN NS nsmaster.weberbrown.cam.
        IN NS nsslave.weberbrown.cam.
250     IN PTR nsmaster.weberbrown.cam.
251     IN PTR nsslave.weberbrown.cam.
;----------------------------------------------------
;PTR RESOURCE RECORDS -- OTHER
;----------------------------------------------------
1       IN PTR orion.weberbrown.cam.
2       IN PTR dionysos.weberbrown.cam.
3       IN PTR hermes.weberbrown.cam.
4       IN PTR zeus.weberbrown.cam.
-------------snip end here-----------------
B. Contents of /var/nsdata/db.weberbrown.cam
-------------snip here-----------------
$TTL 86400
@       IN SOA nsmaster.weberbrown.cam. root.weberbrown.cam. (
                1       ; Serial
                28800   ; Refresh
                7200    ; Retry
                604800  ; Expire
                86400)  ; Minimum TTL
;------------------------------------------------------
;NAME SERVER RESOURCE RECORDS
;------------------------------------------------------
        IN NS nsmaster.weberbrown.cam.
        IN NS nsslave.weberbrown.cam.
nsmaster IN A 10.0.0.250
nsslave  IN A 10.0.0.251
;----------------------------------------------------------
;A RESOURCE RECORDS -- OTHER
;----------------------------------------------------------
orion    IN A 10.0.0.1
dionysos IN A 10.0.0.2
hermes   IN A 10.0.0.3
zeus     IN A 10.0.0.4
-------------snip end here-----------------
C. Contents of /var/nsdata/db.127.0.0
-------------snip here-----------------
$TTL 86400
@       IN SOA nsmaster.weberbrown.cam. root.weberbrown.cam. (
                1       ; Serial
                28800   ; Refresh
                7200    ; Retry
                604800  ; Expire
                86400)  ; Minimum TTL
        IN NS nsmaster.weberbrown.cam.
1       IN PTR localhost.
-------------snip end here-----------------
D. Download /var/nsdata/named.root
ftp ftp.rs.internic.net
download named.root from the domain directory and copy it to
/var/nsdata
The FreeBSD version of BIND9 may have a copy somewhere but where
I do not know and actually I don't care!
3. RNDC Setup
RNDC is a useful/necessary mechanism for administering your DNS server.
Anyway if it is not configured, BIND gripes about it. Here are the steps.
To start we need to determine the locations where RNDC expects to find
its configuration files.
# /usr/local/sbin/rndc status
rndc: neither /usr/local/etc/rndc.conf nor /usr/local/etc/rndc.key was found
Once this has been determined, two steps are required:
1. /usr/local/sbin/rndc-confgen >> /usr/local/etc/rndc.conf
2. Now we need to copy the following part of the just generated
/usr/local/etc/rndc.conf to /usr/local/etc/named.conf:
----- snipped -----
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "3I9P+ubxl5vNhKNgzsk3kQ==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
This should result in the following RNDC'd /usr/local/etc/named.conf
file:
-------------snip here-----------------
key "rndc-key" {
algorithm hmac-md5;
secret "3I9P+ubxl5vNhKNgzsk3kQ==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
directory "/var/nsdata";
};
zone "." {
type hint;
file "named.root";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "db.127.0.0";
};
zone "weberbrown.cam" {
type master;
file "db.weberbrown.cam";
};
zone "0.0.10.in-addr.arpa" {
type master;
file "db.10.0.0";
};
-------------snip end here-----------------
4. For good measure let us configure some logging for
debugging. You will need to create /var/log/named.log
for these settings to work. Just tack the following on
to the end of the /usr/local/etc/named.conf from above.
-------------snip here-----------------
logging {
channel "default_syslog" {
// Send most of the named messages to syslog.
syslog local2;
severity debug;
};
channel audit_log {
// Send the security related messages to a separate file.
file "/var/log/named.log";
severity debug;
print-time yes;
};
category default { default_syslog; };
category general { default_syslog; };
category security { audit_log; default_syslog; };
category config { default_syslog; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
category queries { audit_log; };
category lame-servers { audit_log; };
};
-------------snip end here-----------------
5. Now we need to make sure that we do not have any other versions
of named running on our BSD box:
# ps -auxww | grep named
# kill "pid" of any named processes running.
6. Finally, start the new version of BIND9:
# /usr/local/sbin/named
# tail -f /var/log/messages
# tail -f /var/log/named.log
(Look for BIND error messages and such)
7. To test out the Master as domain server, create
/etc/resolv.conf with one entry:
nameserver 10.0.0.250
Next use dig or nslookup to query the DNS Master: e.g.
# dig zeus.weberbrown.cam
# dig -x 10.0.0.1
# dig @nsmaster.weberbrown.cam weberbrown.cam axfr
(Cool! A zone transfer!)
Create the Slave DNS Server (10.0.0.251)
1. Build and install BIND9 on 10.0.0.251 as described above
for 10.0.0.250
2. Create /usr/local/etc/named.conf with logging configured.
Create /var/log/named.log
-------------snip here-----------------
options {
directory "/var/nsdata";
};
zone "." {
type hint;
file "named.root";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "db.127.0.0";
};
zone "weberbrown.cam" {
type slave;
file "bkup.weberbrown.cam";
masters {10.0.0.250;};
};
zone "0.0.10.in-addr.arpa" {
type slave;
file "bkup.10.0.0";
masters {10.0.0.250;};
};
logging {
channel "default_syslog" {
// Send most of the named messages to syslog.
syslog local2;
severity debug;
};
channel audit_log {
// Send the security related messages to a separate file.
file "/var/log/named.log";
severity debug;
print-time yes;
};
category default { default_syslog; };
category general { default_syslog; };
category security { audit_log; default_syslog; };
category config { default_syslog; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
category queries { audit_log; };
category lame-servers { audit_log; };
};
-------------snip end here-----------------
3. Create one zone file and download the hints file.
We do not need to create bkup.weberbrown.cam nor
bkup.10.0.0 since they will be downloaded from
the Master when the Slave starts up.
A. /var/nsdata/db.127.0.0
B. /var/nsdata/named.root
A. Contents of /var/nsdata/db.127.0.0
-------------snip here-----------------
$TTL 86400
@       IN SOA nsmaster.weberbrown.cam. root.weberbrown.cam. (
                1       ; Serial
                28800   ; Refresh
                7200    ; Retry
                604800  ; Expire
                86400)  ; Minimum TTL
        IN NS nsmaster.weberbrown.cam.
1       IN PTR localhost.
-------------snip end here-----------------
B. Download /var/nsdata/named.root
ftp ftp.rs.internic.net
download named.root from the domain directory and copy it to
/var/nsdata
4. Configure RNDC as described above
5. Kill off currently running named processes.
Ensure that the Master on 10.0.0.250 is running.
Start the new BIND:
/usr/local/sbin/named
6. Edit /etc/resolv.conf so that the only entry is:
nameserver 10.0.0.251
7. Run dig commands using this new resolver entry.
AXFR NOTIFY Test
The aim here is to update the Master's zone files (more precisely, their
Serial numbers) so that a zone transfer is triggered through BIND's built-in
NOTIFY mechanism.
By default a BIND9 master sends NOTIFY messages (which prompt the slaves to
pull the zone) to every name server listed in the zone's NS records, except
any NS that matches the SOA MNAME field, that is, the name immediately
following SOA in the SOA record.
In other words, nsmaster.weberbrown.cam will consult its NS records:
IN NS nsmaster.weberbrown.cam.
IN NS nsslave.weberbrown.cam.
then it will consult its MNAME field:
@ IN SOA nsmaster.weberbrown.cam. root.weberbrown.cam.
         ^^^^^^^^^^^^^^^^^^^^^^^^
and drop this machine from the NOTIFY list before sending NOTIFIES to the
remaining NS's.
The steps to do this are relatively simple. However, all of them must be
performed on 10.0.0.250, the Master DNS Server. The basics are:
1. Add a new A record to db.weberbrown.cam
2. Update the Serial number on db.weberbrown.cam
(which is currently 1 and set it to 2)
3. Add a new PTR record to db.10.0.0
4. Update the Serial number on db.10.0.0
(which is currently 1 and set it to 2.)
For our purposes let us create the new workstation:
ajax.weberbrown.cam 10.0.0.5
After adding this machine to both db.10.0.0 and db.weberbrown.cam,
and after updating the Serial number to 2, save both files.
Next, use RNDC to reload the Zone.
# rndc reload
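As an added helper (not part of this howto and not BIND's own code), the script below parses a zone file in the layout used on this page, works out the default NOTIFY set the way the text describes (apex NS names minus the SOA MNAME), and bumps the serial so that rndc reload notices the change. The zone text is a constructed, abbreviated copy of db.weberbrown.cam; the script assumes a single SOA record whose serial line carries the "; Serial" comment, as all the zone files above do.

```python
# Added example (not from the howto or from BIND): parse a zone file in the
# layout this page uses, compute the default NOTIFY set the text describes
# (apex NS names minus the SOA MNAME), and bump the SOA serial for a reload.
import re

# Constructed, abbreviated copy of the master's db.weberbrown.cam.
ZONE_TEXT = """$TTL 86400
@ IN SOA nsmaster.weberbrown.cam. root.weberbrown.cam. (
        1 ; Serial
        28800 ; Refresh
        7200 ; Retry
        604800 ; Expire
        86400) ; Minimum TTL
        IN NS nsmaster.weberbrown.cam.
        IN NS nsslave.weberbrown.cam.
nsmaster IN A 10.0.0.250
nsslave IN A 10.0.0.251
orion IN A 10.0.0.1
"""


def logical_lines(text):
    """Strip ';' comments and join a parenthesised SOA RDATA into one line,
    keeping each line's leading whitespace (it means 'same owner as above')."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        ln = re.sub(r";.*", "", raw)
        buf.append(ln)
        depth += ln.count("(") - ln.count(")")
        if depth == 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    return out


def parse_records(text):
    """Return (owner, type, rdata_tokens) triples; a line that starts with
    whitespace inherits the previous owner. Assumes the class is always IN."""
    records, owner = [], "@"
    for ln in logical_lines(text):
        if not ln.strip() or ln.lstrip().startswith("$"):
            continue
        if not ln[0].isspace():
            parts = ln.split(None, 1)
            owner, ln = parts[0], (parts[1] if len(parts) > 1 else "")
        toks = ln.split()
        if toks and toks[0] == "IN":
            toks = toks[1:]
        if toks:
            records.append((owner, toks[0], toks[1:]))
    return records


def soa(text):
    """Return the SOA MNAME and serial of the zone."""
    for owner, rtype, rdata in parse_records(text):
        if rtype == "SOA":
            return {"mname": rdata[0], "serial": int(rdata[2])}
    raise ValueError("zone has no SOA record")


def notify_targets(text):
    """Apex NS names minus the MNAME: the servers that receive NOTIFY by
    default, which is the rule described in the text above."""
    mname = soa(text)["mname"]
    ns = {rdata[0] for owner, rtype, rdata in parse_records(text)
          if rtype == "NS" and owner == "@"}
    return sorted(ns - {mname})


def bump_serial(text):
    """Return the zone text with the serial incremented by one. Assumes the
    serial line carries the '; Serial' comment, as the files on this page do."""
    old = soa(text)["serial"]
    pattern = re.compile(r"(?m)^([ \t]*)%d([ \t]*;[ \t]*Serial)" % old)
    new_text, n = pattern.subn(
        lambda m: m.group(1) + str(old + 1) + m.group(2), text, count=1)
    if n != 1:
        raise ValueError("serial line not found")
    return new_text


if __name__ == "__main__":
    print("MNAME/serial:", soa(ZONE_TEXT))
    print("NOTIFY goes to:", notify_targets(ZONE_TEXT))
    print("after bump:", soa(bump_serial(ZONE_TEXT)))
```

Run it against the real /var/nsdata files by reading them into text; the point of bump_serial is that a reload without a serial change sends no NOTIFY, so the serial is the one thing that must change on every edit.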
If you run tail -f /var/log/named.log on the Master you should see the following
log messages:
Feb 11 01:20:34.396 zone 0.0.10.in-addr.arpa/IN: sending notifies (serial 2)
Feb 11 01:20:34.404 zone weberbrown.cam/IN: sending notifies (serial 2)
Feb 11 01:20:34.409 client 10.0.0.251#1048: query: 0.0.10.in-addr.arpa IN SOA
Feb 11 01:20:34.514 client 10.0.0.251#1046: query: 0.0.10.in-addr.arpa IN IXFR
Feb 11 01:20:34.516 client 10.0.0.251#1046: transfer of '0.0.10.in-addr.arpa/IN': AXFR-style IXFR started
Feb 11 01:20:34.913 client 10.0.0.251#1048: query: weberbrown.cam IN SOA
Feb 11 01:20:35.014 client 10.0.0.251#1047: query: weberbrown.cam IN IXFR
Feb 11 01:20:35.015 client 10.0.0.251#1047: transfer of 'weberbrown.cam/IN': AXFR-style IXFR started
It is clear that an AXFR has taken place.
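Since the named.conf on this page has no allow-transfer statement, the transfer lines in this log are the only record of who actually pulled a zone. The script below is an added example (not part of this howto and not BIND's own code) that parses the "sending notifies" and "transfer of ... started" lines in the format the audit_log channel produces and reports any transfer to a client other than the configured slave. The log lines are constructed to match the master's log above; the final line, with a third-party client, is made up for the check.

```python
# Added example (not from the howto or from BIND): summarise NOTIFY and
# zone-transfer activity from named.log lines in the format the logging
# channel on this page produces, and flag transfers to unexpected clients.
import re

# Constructed sample lines in the same shape as the master's log above;
# the last line (client 192.168.1.2) is made up to exercise the check.
LOG_LINES = """Feb 11 01:20:34.396 zone 0.0.10.in-addr.arpa/IN: sending notifies (serial 2)
Feb 11 01:20:34.404 zone weberbrown.cam/IN: sending notifies (serial 2)
Feb 11 01:20:34.409 client 10.0.0.251#1048: query: 0.0.10.in-addr.arpa IN SOA
Feb 11 01:20:34.514 client 10.0.0.251#1046: query: 0.0.10.in-addr.arpa IN IXFR
Feb 11 01:20:34.516 client 10.0.0.251#1046: transfer of '0.0.10.in-addr.arpa/IN': AXFR-style IXFR started
Feb 11 01:20:35.015 client 10.0.0.251#1047: transfer of 'weberbrown.cam/IN': AXFR-style IXFR started
Feb 11 09:02:11.120 client 192.168.1.2#3210: transfer of 'weberbrown.cam/IN': AXFR started
""".splitlines()

TS = r"(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+)"
NOTIFY_RE = re.compile(
    TS + r" zone (?P<zone>\S+)/IN: sending notifies \(serial (?P<serial>\d+)\)")
XFER_RE = re.compile(
    TS + r" client (?P<client>[\d.]+)#\d+: transfer of '(?P<zone>[^/']+)/IN': "
    r"(?P<style>.+?) started")


def parse_events(lines):
    """Return a dict per NOTIFY or transfer-start line; ordinary query lines
    and anything else are ignored."""
    events = []
    for ln in lines:
        m = NOTIFY_RE.match(ln)
        if m:
            events.append({"kind": "notify", "ts": m["ts"], "zone": m["zone"],
                           "serial": int(m["serial"])})
            continue
        m = XFER_RE.match(ln)
        if m:
            events.append({"kind": "transfer", "ts": m["ts"], "zone": m["zone"],
                           "client": m["client"], "style": m["style"]})
    return events


def transfer_clients(lines):
    """Map each zone to the set of client addresses that pulled it."""
    seen = {}
    for ev in parse_events(lines):
        if ev["kind"] == "transfer":
            seen.setdefault(ev["zone"], set()).add(ev["client"])
    return seen


def unexpected_transfers(lines, expected_slaves):
    """Sorted (zone, client) pairs for transfers to hosts that are not in
    expected_slaves; on this page the only expected slave is 10.0.0.251."""
    return sorted((zone, client)
                  for zone, clients in transfer_clients(lines).items()
                  for client in clients if client not in expected_slaves)


if __name__ == "__main__":
    for ev in parse_events(LOG_LINES):
        print(ev)
    print("unexpected:", unexpected_transfers(LOG_LINES, {"10.0.0.251"}))
```

To use it on the real file, replace LOG_LINES with the lines of /var/log/named.log; an empty result from unexpected_transfers means every transfer went to the slave you expect.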
Here is a snippet of /var/log/named.log from the Slave during another AXFR
later that day (not the same AXFR as above but similar).
Feb 11 11:08:00.312 transfer of '0.0.10.in-addr.arpa/IN' from 10.0.0.250#53: end of transfer
Feb 11 11:08:00.314 zone 0.0.10.in-addr.arpa/IN: sending notifies (serial 7)
Feb 11 11:08:00.833 transfer of 'weberbrown.cam/IN' from 10.0.0.250#53: end of transfer
Feb 11 11:08:00.834 zone weberbrown.cam/IN: sending notifies (serial 7)
Finally run a Query on 10.0.0.251 (Slave):
# dig ajax.weberbrown.cam
;; ANSWER SECTION:
ajax.weberbrown.cam. 1D IN A 10.0.0.5
It is clear that the Slave now knows about the new workstation.
While on the Slave run:
# tail -f /var/log/named.log
Feb 11 11:11:57.379 client 192.168.1.2#32771: query: ajax.weberbrown.cam IN A
Boom! It definitely works!
==============================================================================
==============================================================================
=================== JUNK =====================================================
First attempt at upgrading BIND on FreeBSD
This did not work at all;
Here for my reference only; Actually it may have worked
but I got pissed off with the ambiguous ports' instructions
in the FreeBSD Handbook -- e.g. turn right 3 miles before
you turned left after the last right 3 miles later.
1. # mkdir -p /usr/etc # Needed by Bind9
2. # make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb \
DESTEXEC=/usr/libexec DESTRUN=/var/run DESTSBIN=/usr/sbin \
DESTHELP=/usr/share/misc install
3. # /usr/sbin/named -v
# BIND 9.2.1
--------------------------------------------------------------------