
Notes for Lab 3 – Dynamic DNS updates
Fedora Core 6 Bind Configuration for Dynamic zones
February 2007

0. Check the version of BIND on your Linux system.
Start named and check the syslog output (mostly written to /var/log/messages).
For recent versions of BIND, use the command:
/usr/sbin/named -v
Make sure that you have the following RPM packages installed:
bind-libs-9.3.2-41
bind-chroot-9.3.2-41
bind-utils-9.3.2-41
bind-9.3.2-41
caching-nameserver-9.3.2-41

1. Configuration files
chroot configuration: /etc/sysconfig/named
main configuration: /etc/named.conf
chroot root directory (ROOTDIR) = /var/named/chroot
To run named in the chroot jail, named.conf and rndc.key must be stored in the “etc”
directory under the ROOTDIR directory.

To run named under the chroot environment, create the file named.conf with the
following contents in $ROOTDIR/etc/ directory:
//
// named.conf for FC6 caching-nameserver
//
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        // query-source address * port 53;
};
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
        type hint;
        file "named.ca";
};

Dynamic DNS Update


Page 1 of 7

Lab 3

zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};
zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
};
zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
};
zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
};
include "/etc/rndc.key";


You should have the following files in /var/named/chroot/var/named directory:
named.ca
localdomain.zone
localhost.zone
named.local
named.ip6.local
named.broadcast
named.zero
and two subdirectories
data/
slaves/
Create a symbolic link to /var/named/chroot/etc/named.conf in the /etc directory
(use the command: ln -s /var/named/chroot/etc/named.conf /etc/named.conf).

2. Test-run your caching-only DNS server. You can view the system log file
/var/log/messages and look for diagnostic, warning and error messages. Ask for help if
you don't know how to resolve all the problems. You should keep SELinux enabled.


3. Enable Dynamic DNS Update
A dynamic DNS zone allows records or RRsets in the master zone file to be added,
modified or deleted at run time. For full details see RFC 2136.
Dynamic updates are enabled zone by zone with an “allow-update” or “update-policy” clause.
4. Add the following two zones to allow dynamic updates. Example: add to the file
“named.conf” (in the /var/named/chroot/etc/ directory) one entry for the forward lookup
zone “myfoo.com” and one entry for the reverse lookup zone “1.16.172.in-addr.arpa” if you
are using the 172.16.1.0 network. Use your own network number for the reverse zone.
zone "myfoo.com" IN {
        type master;
        file "slaves/db-myfoo.com";
        allow-update { localhost; 172.16.1.1; };
};
zone "1.16.172.in-addr.arpa" IN {
        type master;
        file "slaves/db-1.16.172.in-addr.arpa";
        allow-update { localhost; 172.16.1.1; };
};



If you are using the network 172.16.2.0, you should add the reverse zone
“2.16.172.in-addr.arpa” instead. The IPs in the allow-update clause should be the IP
addresses of the DNS update client(s).

5. Add zone data to the files db-myfoo.com and db-1.16.172.in-addr.arpa and put
them under the directory “/var/named/chroot/var/named/slaves/”. If you want, you
may change the host names and their IP addresses to match your network. Both files
should be owned by root.named (owner root, group named) and have read/write permission
set for owner and group.

db-myfoo.com
$TTL 1d1h
myfoo.com.      IN SOA  ns1.myfoo.com. root.myfoo.com. (
                        20070201
                        1h
                        15m
                        30d
                        1h )
myfoo.com.      IN NS   ns1.myfoo.com.
ns1             IN A    172.16.1.2
rh9             IN A    172.16.1.8
fedora          IN A    172.16.1.24
host            IN A    172.16.1.1

db-1.16.172.in-addr.arpa
$TTL 1d1h
@               IN SOA  ns1.myfoo.com. root.myfoo.com. (
                        20070201
                        1h
                        15m
                        30d
                        1h )
@               IN NS   ns1.myfoo.com.
2               IN PTR  ns1.myfoo.com.
8               IN PTR  rh9.myfoo.com.
24              IN PTR  fedora.myfoo.com.
1               IN PTR  host.myfoo.com.

6. Restart BIND and check the log in “/var/log/messages” to confirm that BIND is
running properly.
7. Try “nslookup” to verify that the DNS server answers queries properly.


8. Run “nsupdate” to add an A record for “myhost.myfoo.com” and a PTR record of
39.1.16.172.in-addr.arpa.
Add an A record for myhost.myfoo.com
#> nsupdate -d
> server 10.0.2.2
> update delete 29.1.16.172.in-addr.arpa
> send
Reply from SOA query:
;; ->>HEADER<<-
> send
Reply from SOA query:
;; ->>HEADER<<-
#> cat db-1.16.172.in-addr.arpa
$ORIGIN .
$TTL 90000      ; 1 day 1 hour
1.16.172.in-addr.arpa   IN SOA  ns1.myfoo.com. root.myfoo.com. (
                                20050201   ; serial
                                3600       ; refresh (1 hour)
                                900        ; retry (15 minutes)
                                2592000    ; expire (4 weeks 2 days)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.myfoo.com.
$ORIGIN 1.16.172.in-addr.arpa.
1                       PTR     host.myfoo.com.
2                       PTR     ns1.myfoo.com.
24                      PTR     fedora.myfoo.com.
$TTL 2400       ; 40 minutes
29                      PTR     myhost.myfoo.com.
$TTL 3600       ; 1 hour
45                      PTR     innhost.myfoo.com.
$TTL 90000      ; 1 day 1 hour
8                       PTR     rh9.myfoo.com.
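The nsupdate session in step 8 is typed interactively. The script below is an added example (not part of the lab handout) that generates the same kind of nsupdate input from a host name and address: it derives the PTR owner name from the IPv4 address, adds the A and PTR records in separate transactions (one nsupdate "send" can only touch a single zone), and guards each add with "prereq nxdomain" so an existing record is never overwritten by mistake. The server address 10.0.2.2, host myhost.myfoo.com, address 172.16.1.39 and TTL are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the lab handout): build the input for "nsupdate"
# so that a host's A record and its PTR record are added together, each
# guarded by "prereq nxdomain" so an existing name is never overwritten.
# Server address, host name, IP and TTL used below are constructed samples.

# reverse_pointer IPV4 -> PTR owner name, e.g. 172.16.1.39 -> 39.1.16.172.in-addr.arpa
reverse_pointer() {
    (IFS=.; set -- $1; [ $# -eq 4 ] || exit 1
     printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1")
}

# ddns_add SERVER FQDN IPV4 TTL -> nsupdate batch on stdout.
# The A and PTR records live in different zones, and one nsupdate
# transaction can only touch one zone, so each record gets its own "send".
ddns_add() {
    ptr=$(reverse_pointer "$3") || return 1
    printf 'server %s\n' "$1"
    printf 'prereq nxdomain %s.\n' "$2"
    printf 'update add %s. %s IN A %s\n' "$2" "$4" "$3"
    printf 'send\n'
    printf 'prereq nxdomain %s.\n' "$ptr"
    printf 'update add %s. %s IN PTR %s.\n' "$ptr" "$4" "$2"
    printf 'send\n'
}

# ddns_delete SERVER FQDN IPV4 -> nsupdate batch that removes both records,
# so a decommissioned host does not leave a stale PTR behind.
ddns_delete() {
    ptr=$(reverse_pointer "$3") || return 1
    printf 'server %s\n' "$1"
    printf 'update delete %s. A %s\n' "$2" "$3"
    printf 'send\n'
    printf 'update delete %s. PTR %s.\n' "$ptr" "$2"
    printf 'send\n'
}

# Stand-alone run just prints the batches; on the lab client pipe them into
# nsupdate, e.g.  ddns_add 10.0.2.2 myhost.myfoo.com 172.16.1.39 3600 | nsupdate -d
ddns_add 10.0.2.2 myhost.myfoo.com 172.16.1.39 3600
ddns_delete 10.0.2.2 myhost.myfoo.com 172.16.1.39
```

After the update, "dig @10.0.2.2 myhost.myfoo.com A" and "dig @10.0.2.2 -x 172.16.1.39" should both answer from the authoritative server; if the prerequisite fails, nsupdate -d reports the update as rejected with status NXRRSET or YXDOMAIN rather than overwriting the record.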

9. If you still have time, read the document “Secure dynamic DNS howto” and try using
TSIG keys to perform dynamic DNS updates.
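The allow-update clauses in step 4 trust the source IP address of the update packet, and step 9 replaces that with a TSIG key. The script below is an added example (not part of the lab handout) serving both steps: it derives the reverse zone name from the network number (so the octet order and the "in-addr.arpa" suffix are never typed by hand), emits the forward and reverse zone stanzas for named.conf with either ACL, emits the key stanza for step 9, and audits a named.conf for zones that still rely on source addresses alone. The key name "ddns-key", the placeholder secret and the network and zone values are constructed; the audit assumes one-line allow-update clauses as in the lab's named.conf.

```shell
#!/bin/sh
# Added example (not from the lab handout): derive the reverse zone name from
# the network number, emit the two dynamic-zone stanzas for named.conf, and
# show the step-9 hardening of allow-update (TSIG key instead of source IP).
# "ddns-key", the placeholder secret and the network/zone values are constructed.

# reverse_zone NETWORK -> reverse zone for a /24, e.g. 172.16.2.0 -> 2.16.172.in-addr.arpa
reverse_zone() {
    (IFS=.; set -- $1; [ $# -eq 4 ] || exit 1
     printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1")
}

# zone_stanza NAME FILE ACL -> one master zone with the given allow-update body
zone_stanza() {
    printf 'zone "%s" IN {\n\ttype master;\n\tfile "%s";\n\tallow-update { %s };\n};\n' "$1" "$2" "$3"
}

# dynamic_zones NETWORK FORWARD_ZONE ACL -> forward + reverse stanzas, files under slaves/
dynamic_zones() {
    rev=$(reverse_zone "$1") || return 1
    zone_stanza "$2" "slaves/db-$2" "$3"
    zone_stanza "$rev" "slaves/db-$rev" "$3"
}

# key_stanza NAME SECRET -> TSIG key definition for named.conf
# (the file holding it should be mode 0640, owner root, group named)
key_stanza() {
    printf 'key "%s" {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n' "$1" "$2"
}

# audit_allow_update FILE -> names of zones whose allow-update trusts source
# addresses only (no "key"), i.e. the weak lab setting.  Assumes one-line
# allow-update clauses as in the lab's named.conf.
audit_allow_update() {
    awk '/^zone /{zone=$2; gsub(/"/, "", zone)}
         /allow-update/ && !/key/ && !/none/ {print zone}' "$1"
}

# Lab setting (step 4): any packet claiming to come from 172.16.1.1 may update
# the zone; the source address of a UDP update is not authenticated.
acl_ip='localhost; 172.16.1.1;'
# Step 9 setting: only updates signed with the shared key are accepted.
acl_key='key "ddns-key";'

# Stand-alone run: print the key and both variants.  Generate a real secret with
#   dnssec-keygen -a HMAC-MD5 -b 512 -n HOST ddns-key
# and replace the placeholder below with the base64 value from the .private file.
key_stanza ddns-key 'REPLACE-WITH-BASE64-SECRET'
dynamic_zones 172.16.1.0 myfoo.com "$acl_ip"
dynamic_zones 172.16.1.0 myfoo.com "$acl_key"
```

On the lab server, after pasting the stanzas into /var/named/chroot/etc/named.conf, run "named-checkconf -t /var/named/chroot /etc/named.conf" and "named-checkzone myfoo.com /var/named/chroot/var/named/slaves/db-myfoo.com" before restarting named; with the key-based ACL the client passes the same key to nsupdate with "-k" (or "-y name:secret"), and unsigned updates are logged as refused in /var/log/messages.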
10. Make changes to “named.conf” so that the DNS server becomes the authoritative
name server for the domain podx.com and use “ddns.podx.com” as a dynamic zone.
List all the changes and email them to your instructor.
