Last updated on August 23, 2020 by Sarmed Rahman
In the previous tutorial, we created a primary DNS server (ns1) for a test domain example.tst. In this tutorial, we will create a secondary DNS server (ns2) for the same domain by using the bind package on CentOS.
When setting up a secondary DNS server, keep the following in mind: the zone serial must be updated, because the secondary DNS server will initiate synchronization (a zone transfer) only if the serial at the primary server has changed.
We assume that the IP address of the secondary DNS server to be set up is 172.16.1.4. Let us start installing.
Just like the primary DNS server, the hostname of the secondary name server should be set to its fully qualified domain name (FQDN).
# vim /etc/sysconfig/network
HOSTNAME=ns2.example.tst
Note that the hostname parameter specified in this file is read only while the server is booting up, so the change does not take effect immediately. The following command changes the hostname of a running server immediately.
# hostname ns2.example.tst
Once set, the hostname can be verified using the following command.
# hostname
ns2.example.tst
Before proceeding to the next step, make sure that the hostnames of all three servers are set properly.
Just like a primary server, a secondary DNS server can be set up with or without chroot. The necessary packages can be installed using yum.
Without chroot:
# yum install bind
With chroot:
# yum install bind-chroot
By default, the bind DNS server on CentOS allows zone transfers to any requesting server, which hands the complete contents of the zone to anyone who asks for it. For security reasons, we configure the primary DNS server so that it permits zone transfers to the secondary DNS server (172.16.1.4) only.
Without chroot:
# vim /etc/named.conf
With chroot:
# vim /var/named/chroot/etc/named.conf
zone "example.tst" IN {
    type master;
    file "example-fz";               ## the zone file hosted at NS1 ##
    allow-update { none; };
    allow-transfer { 172.16.1.4; };  ## NS2 is permitted ##
};

zone "1.16.172.in-addr.arpa" IN {
    type master;
    file "rz-172-16-1";              ## the zone file hosted at NS1 ##
    allow-update { none; };
    allow-transfer { 172.16.1.4; };  ## NS2 is permitted ##
};
The default configuration file provided with the installation could be used to configure the secondary server. However, we will be using another sample configuration file as it is easier to tune.
Without chroot:
# cp /usr/share/doc/bind-9.8.2/sample/etc/named.rfc1912.zones /etc/named.conf
With chroot:
# cp /usr/share/doc/bind-9.8.2/sample/etc/named.rfc1912.zones /var/named/chroot/etc/named.conf
After the sample configuration file is copied over, the following lines are added/modified.
options {
    directory "/var/named";
    forwarders { 8.8.8.8; };
};

zone "example.tst" IN {
    type slave;                      ## NS2 role is defined ##
    file "example-fz";               ## the name of the zone file to be automatically created ##
    //allow-update { none; };
    allow-transfer { 172.16.1.3; };  ## NS1 is allowed for zone transfer when necessary ##
    masters { 172.16.1.3; };         ## the master NS1 is defined ##
};

zone "1.16.172.in-addr.arpa" IN {
    type slave;                      ## NS2 role is defined ##
    file "rz-172-16-1";              ## the name of the zone file to be automatically created ##
    // allow-update { none; };
    allow-transfer { 172.16.1.3; };  ## NS1 is allowed for zone transfer when necessary ##
    masters { 172.16.1.3; };         ## the master NS1 is defined ##
};
To make sure that there are no permission-related issues, we need to adjust the following.
Without chroot:
# chmod 770 /var/named/
With chroot, you need to modify the permission as follows after the named service has started.
# chmod 770 /var/named/chroot/var/named
Now that everything is ready, we can restart the named service. Also, make sure that the named service is added to the startup list.
# service named restart
# chkconfig named on
If all goes well, the secondary DNS server should request a zone transfer from the primary DNS server and populate its own /var/named. The log file /var/log/messages should contain useful information about the status of the named service as well as the zone transfer.
We can use dig or nslookup to test DNS operations. We will be demonstrating the use of nslookup in this tutorial. The necessary package can be installed using yum.
# yum install bind-utils
# nslookup
> server 172.16.1.4
Default server: 172.16.1.4
Address: 172.16.1.4#53
> example.tst
Server:         172.16.1.4
Address:        172.16.1.4#53

Name:   example.tst
Address: 172.16.1.3
> set type=mx
> example.tst
Server:         172.16.1.4
Address:        172.16.1.4#53

example.tst     mail exchanger = 10 mail.example.tst.
> exit
1. We do not need to create any zone files on the secondary DNS server. All the zone files will be synchronized from the primary server.
2. The named service at the secondary server will periodically initiate zone transfers with the primary server. If you want to force a one-time zone transfer, the command "rndc retransfer <FQDN>" can be used. For example:
# rndc retransfer example.tst
3. A secondary DNS server will update its zone files only if the serial at the primary server has been modified/incremented.
4. Make sure that the directory /var/named or /var/named/chroot/var/named (in case of chroot) is writable by the named user.
5. /var/log/messages should contain useful information.
6. I have SELinux turned off.
7. Make sure UDP port 53 is allowed in the firewall. Zone transfers between the primary and secondary servers run over TCP port 53, so that must be allowed between ns1 and ns2 as well.
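As an added example that is not part of the original Xmodulo article, the following POSIX shell script checks the two things the setup above relies on: that ns2 answers with the same SOA serial as ns1 (if not, the zone transfer has not happened yet, see note 3), and that ns1 refuses an AXFR from any host other than the permitted 172.16.1.4 (the allow-transfer restriction configured earlier). The zone name and the 172.16.1.3/172.16.1.4 addresses are the tutorial's; the helper function names are my own, dig from bind-utils is assumed, and the live queries run only when the script is invoked with the argument `live`.

```shell
#!/bin/sh
# Added example, not from the original article. Checks that ns2 is in sync
# with ns1 (same SOA serial) and that ns1 refuses AXFR from unauthorized hosts.

# Extract the serial (3rd field) from a `dig +short SOA` answer line, e.g.
#   ns1.example.tst. hostmaster.example.tst. 2020082301 3600 900 604800 86400
# Prints nothing when the answer is not an SOA record (dig writes errors such
# as ";; connection timed out" to stdout, so the field must be numeric).
soa_serial() {
    printf '%s\n' "$1" | awk '$3 ~ /^[0-9]+$/ { print $3; exit }'
}

# Compare primary ($1) and secondary ($2) serials.
# Prints in-sync, ns2-behind, ns2-ahead, or unknown (a server did not answer).
serial_state() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo unknown
    elif [ "$1" -eq "$2" ]; then echo in-sync
    elif [ "$1" -gt "$2" ]; then echo ns2-behind
    else echo ns2-ahead
    fi
}

# Classify the output of `dig @server zone AXFR`: dig prints "; Transfer failed."
# when the server answers REFUSED (or cannot be reached at all); a permitted
# transfer prints the zone records instead.
axfr_state() {
    case "$1" in
        *"Transfer failed."*) echo refused ;;
        *) echo allowed ;;
    esac
}

# Live check against the tutorial's servers (needs dig from bind-utils).
live_check() {
    zone=example.tst; ns1=172.16.1.3; ns2=172.16.1.4
    s1=$(soa_serial "$(dig @"$ns1" "$zone" SOA +short)")
    s2=$(soa_serial "$(dig @"$ns2" "$zone" SOA +short)")
    echo "ns1 serial=$s1 ns2 serial=$s2 state=$(serial_state "$s1" "$s2")"
    # Run this from a host other than 172.16.1.4: the expected result is "refused".
    echo "AXFR of $zone from this host: $(axfr_state "$(dig @"$ns1" "$zone" AXFR 2>&1)")"
}

if [ "$1" = live ]; then
    live_check
fi
```

Run it as `sh check-ns2.sh live` from a third host (not ns2) to exercise both the sync check and the transfer restriction; a result of "allowed" for the AXFR line means the allow-transfer entry on ns1 is not in effect.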
Hope this helps.
Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.
Xmodulo © 2021