Traditional DNS Howto - Page 8

Submitted by taft on Sun, 2006-03-12 11:00.

Our Secondary Name Server

Next let's set up our secondary name server ns0.centralsoft.org. It acts as a backup name server in case the primary (server1.centralsoft.org) fails, so that people can still resolve centralsoft.org and its subdomains.

ns0.centralsoft.org's named.conf closely resembles that of the primary name server, with a few differences:

options {
    pid-file "/var/run/bind/run/named.pid";
    directory "/etc/bind";
    // query-source address * port 53;
};

zone "." {
    type hint;
    file "db.root";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.local";
};

zone "centralsoft.org" {
    type slave;
    file "sec.centralsoft.org";
    masters { 70.253.158.42; };
};

The most important part is this one:

zone "centralsoft.org" {
    type slave;
    file "sec.centralsoft.org";
    masters { 70.253.158.42; };
};

By writing type slave, we declare this a slave (secondary) zone. The masters line lists the IP address of the primary name server the zone is pulled from, and the file line names the file in which the transferred copy is stored, relative to the directory set in the options section (here /etc/bind).

That's all we have to do. Restart named, and shortly afterwards the file /etc/bind/sec.centralsoft.org should appear on the secondary. What has happened? On startup the secondary contacted the primary, compared the serial number in the zone's SOA record with its own copy (it had none yet), and requested a zone transfer (AXFR); the primary transferred the zone and the secondary wrote it to the file named in the file line. From now on the secondary re-checks the serial at the refresh interval given in the SOA record, and immediately whenever the primary sends it a NOTIFY message (which BIND does by default to the hosts in the zone's NS records each time the zone is loaded or changed). If the file does not appear, check two things: the user named runs as must be able to write to the directory from the options section (otherwise the transfer succeeds but the copy cannot be saved, and named logs the error), and both servers must return the same serial for the zone, which you can compare with dig @server1.centralsoft.org centralsoft.org SOA and dig @ns0.centralsoft.org centralsoft.org SOA.

Now whenever you update the zone on the primary name server, make sure you increase the serial number in the SOA record. The secondary transfers the zone only when the primary's serial is newer than its own (in serial-number arithmetic, RFC 1982), so an edit without a serial bump is never picked up, and neither is a serial that was accidentally set lower than before!
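How the secondary applies that rule, as an added example in Python (not code from the howto or from BIND): serial_gt is the RFC 1982 comparison a secondary makes before requesting a transfer, next_serial produces the next value in the common YYYYMMDDnn convention, and rollback_plan shows the only safe way to move a serial backwards. All serial values are constructed for illustration.

```python
"""Zone serial comparison as a secondary name server performs it.

Added example, not code from this howto or from BIND. It models the rule a
secondary applies when deciding whether to pull a fresh copy of the zone:
the primary's SOA serial must be "newer" than the one the secondary holds,
where "newer" means 32-bit serial-number arithmetic (RFC 1982), not plain
integer comparison. All serial values used here are constructed.
"""

SERIAL_BITS = 32
HALF = 1 << (SERIAL_BITS - 1)   # 2**31: a step of less than this counts as an increase
MODULUS = 1 << SERIAL_BITS      # serials wrap modulo 2**32


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than serial b in RFC 1982 arithmetic.

    a is newer than b when the wrapped distance (a - b) mod 2**32 lies in
    1 .. 2**31 - 1. Equal serials are never newer; serials exactly 2**31
    apart are undefined in the RFC and treated here as not newer.
    """
    diff = (a - b) % MODULUS
    return 0 < diff < HALF


def secondary_will_transfer(held: int, advertised: int) -> bool:
    """Would a secondary holding `held` request AXFR from a primary advertising `advertised`?"""
    return serial_gt(advertised, held)


def next_serial(current: int, today: str) -> int:
    """Next serial in the YYYYMMDDnn convention.

    `today` is the date as 'YYYYMMDD'. If `current` already belongs to today,
    the two-digit revision is bumped; otherwise today's series starts at 01.
    If the conventional value would not count as an increase (the current
    serial is a future date or an unrelated counter), fall back to current + 1
    so the secondary still sees a newer zone.
    """
    candidate = int(today + "01")
    if current // 100 == int(today):
        candidate = current + 1
    if not serial_gt(candidate, current):
        candidate = (current + 1) % MODULUS
    return candidate


def rollback_plan(current: int, target: int) -> list:
    """Serials to publish, in order, to move a zone from `current` to a lower `target`.

    Simply lowering the serial is ignored by every secondary. The standard
    trick is to publish an intermediate serial that is newer than the current
    one and from which the target is also newer; each intermediate value must
    reach all secondaries before the next one is published.
    """
    plan = []
    serial = current % MODULUS
    while not serial_gt(target, serial):
        serial = (serial + HALF - 1) % MODULUS   # largest step that still counts as an increase
        plan.append(serial)
        if len(plan) > 3:                        # two intermediates always suffice; guard anyway
            raise RuntimeError("no plan found")
    plan.append(target % MODULUS)
    return plan


if __name__ == "__main__":
    held, edited = 2006031201, 2006031202
    print("transfer after bump:", secondary_will_transfer(held, edited))               # True
    print("transfer without bump:", secondary_will_transfer(held, held))               # False
    print("transfer after lowering:", secondary_will_transfer(2016031201, 2006031201))  # False
    print("fix for a lowered serial:", rollback_plan(2016031201, 2006031201))
```

The rollback case is the one that bites in practice: a serial typed as 2016... instead of 2006... cannot simply be corrected, because the secondaries already hold the larger value and would ignore the corrected zone; the intermediate serial from rollback_plan has to be published and transferred first.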

Please make sure no firewall on the primary or the secondary name server blocks port 53 for both TCP and UDP: ordinary queries use UDP and fall back to TCP for large answers, zone transfers always run over TCP, and NOTIFY messages from the primary to the secondary use UDP. If only UDP 53 is open, lookups appear to work while zone transfers fail!

A Word On Security

In our current configuration any host on the Internet can request a zone transfer (AXFR) of centralsoft.org from our primary name server and receive the complete zone, which hands an attacker a ready-made list of our hosts. Since only our secondary name server (70.253.158.45) needs to transfer the zone, we add the following line to the centralsoft.org zone in named.conf on our primary name server server1.centralsoft.org:

     allow-transfer { 70.253.158.45; };

So the zone should look like this:

zone "centralsoft.org" {
    type master;
    file "pri.centralsoft.org";
    allow-transfer { 70.253.158.45; };
};

After reloading named, a dig @server1.centralsoft.org centralsoft.org AXFR from any host other than the secondary should end in "Transfer failed." instead of listing the zone. The secondary needs the same treatment: as configured above, ns0.centralsoft.org still answers AXFR requests from anyone, so add allow-transfer { none; }; to its slave zone, or put an allow-transfer statement in the options section of both servers, where it becomes the default for every zone that does not override it. allow-transfer is matched on the client's IP address; where that is not strong enough, BIND can additionally require transfer requests to be signed with a TSIG key shared between primary and secondary.

Congratulations! You have just set up your first zone!


Submitted by ed (not registered) on Sat, 2014-05-03 08:42.

The settings on sec.centralsoft.org are almost the same as in pri.centralsoft.org?


Submitted by Richard B (not registered) on Tue, 2010-03-09 18:54.

Fantastic job. I have had problems due to reverse DNS and other things that networksolutions doesn't support in its hosted DNS, so I've had to set up my own DNS server. I had already completed everything on my own before finding this, but I realize now that much of what I had set up was redundant and just wrong. It still worked, but this has me down to just 4 files in my zone records and I have more stuff set up now for SPF and the tip mentioned here for "allow-recursion" within the options section of named.conf (though I had to do research to figure out how to list my IP block since I'm on what I now know to be a "moat" type setup and I only want the IPs on that network to contact me for DNS lookup).

Another tip I came across... add the following to the options section in named.conf:

version "Nunyabeeswax";

Replace "Nunyabeeswax" with whatever you want. This helps fight some hacking by hiding the version number of BIND... though it's probably mainly useful for those that refuse to upgrade old name servers.

Again, excellent writeup. I wanted to learn more and after digging through plenty of other articles, this was the most complete and understandable.

Other notes:

/var/named/ - default location in Slackware for zone files

Everything after ; in a zone file is a comment, so be descriptive.

Submitted by Anonymous (not registered) on Fri, 2009-12-18 06:22.
Very informative HOW-TO and very simple to follow.
Submitted by Big Tone (not registered) on Sat, 2009-10-03 21:04.

I thought I knew a little about DNS ... until I installed Bind(9) on FreeBSD for the first time. That's when I realized I knew what DNS did and that's about it!

Thanks for this very informative tutorial that answered a LOT of questions.

Submitted by RChan (not registered) on Sat, 2009-04-18 19:36.
I've been a Unix SA for over 15 years now and I never took the time to really understand how to set up a DNS server. At the companies I've worked for, they were usually set up before my time and I just had to maintain them and update A records or add CNAMEs. This is by far the most informative writeup in very simple terms. I would recommend this to any SA!
Submitted by Anonymous (not registered) on Wed, 2009-03-18 19:35.
Thank you very much for this HOWTO.  It is really really good for a SysAdmin.
Submitted by denu (not registered) on Tue, 2008-11-18 10:40.
...very much for this great HowTo!
Submitted by Anonymous (not registered) on Wed, 2006-06-14 06:52.

wow, that's a great HOWTO,

job well done, keep up the good work dudes!!! more power!!

Submitted by Anonymous (not registered) on Mon, 2006-05-15 03:11.

This HOWTO imho puts DNS in layman terms. I truly appreciate it.

Now to tackle my own little DNS venture :D

Submitted by Anonymous (not registered) on Fri, 2006-04-21 17:05.
A DNS server on the Internet should normally only answer queries for the domains it is authoritative for. But unless you configure it otherwise bind will pass on requests for other domains up the hierarchy. This means it can potentially be used in a Denial of Service attack against other DNS servers. You can prevent this by restricting lookup via other DNS servers only to devices you trust. To do this add another line to the options section in the form...
options {
  ...
  allow-recursion { trusted.IP.subnet; };
};
It will still answer queries from anywhere for domains for which it is the authoritative server, but will now only do lookups via other DNS servers for requests from the trusted subnet.
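The allow-transfer list in the security section above and the allow-recursion list in this comment are both BIND address match lists, and they are evaluated by the same rule. The following is an added example in Python (not code from the howto, from this comment, or from BIND) that models that rule so a list can be checked before it goes into named.conf: elements are tried in order, the first matching element decides, a leading "!" turns that decision into a denial, and a client matching nothing is denied. "any" and "none" are BIND's built-ins; any other bare name is looked up in a caller-supplied dict standing in for BIND's acl statement. The lists, the "trusted" ACL and the client addresses are constructed.

```python
"""Evaluating a BIND address match list the way named does.

Added example, not code from this howto or from BIND. It models the access
lists behind allow-transfer and allow-recursion: elements are tried in order,
the first element matching the client decides, a leading '!' turns that
decision into "deny", and a client that matches nothing is denied. 'any' and
'none' are BIND's built-ins; any other bare name is looked up in a
caller-supplied dict of named ACLs standing in for BIND's acl statement.
All lists and client addresses below are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Element = Tuple[bool, str]            # (negated, token)
ParsedAcls = Dict[str, List[Element]]


def parse_match_list(text: str) -> List[Element]:
    """'{ !10.0.0.0/8; any; }' -> [(True, '10.0.0.0/8'), (False, 'any')]"""
    body = text.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    elements = []
    for raw in body.split(";"):
        token = raw.strip()
        if not token:
            continue
        negated = token.startswith("!")
        if negated:
            token = token[1:].strip()
        elements.append((negated, token))
    return elements


def _element_matches(token: str, client, acls: ParsedAcls) -> bool:
    """Does one (un-negated) element match the client address?"""
    if token == "any":
        return True
    if token == "none":
        return False
    if token in acls:
        # A nested list counts as a match only on a positive verdict: a negated
        # hit inside it is "no match" for the outer list, so a double negation
        # can never turn into a surprise permit.
        return _verdict(acls[token], client, acls) is True
    try:
        network = ipaddress.ip_network(token, strict=False)
    except ValueError as exc:
        raise ValueError(f"unsupported address match list element {token!r}") from exc
    return client in network      # False for an IPv4 client against an IPv6 prefix and vice versa


def _verdict(elements: List[Element], client, acls: ParsedAcls) -> Optional[bool]:
    """First match wins: True = positive match, False = negated match, None = no match."""
    for negated, token in elements:
        if _element_matches(token, client, acls):
            return not negated
    return None


def allowed(match_list: str, client_ip: str, acls: Optional[Dict[str, str]] = None) -> bool:
    """Would named grant the operation guarded by `match_list` to `client_ip`?"""
    parsed_acls = {name: parse_match_list(body) for name, body in (acls or {}).items()}
    client = ipaddress.ip_address(client_ip)
    return _verdict(parse_match_list(match_list), client, parsed_acls) is True


if __name__ == "__main__":
    # The howto's allow-transfer on the primary: the default (anyone) versus the fix.
    for lst in ("{ any; }", "{ 70.253.158.45; }"):
        for ip in ("70.253.158.45", "198.51.100.7"):
            print(f"allow-transfer {lst} client {ip}: {allowed(lst, ip)}")
    # Recursion restricted to a trusted block, in the shape of the comment above.
    acls = {"trusted": "{ 70.253.158.0/24; 127.0.0.1; }"}
    print("recursion for 70.253.158.200:", allowed("{ trusted; }", "70.253.158.200", acls))
    print("recursion for 198.51.100.7:", allowed("{ trusted; }", "198.51.100.7", acls))
```

Because the first match wins, order matters: { any; !70.253.158.45; } still permits 70.253.158.45, while { !70.253.158.45; any; } denies it. Put the narrower elements, negated or not, before the broader ones.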
Submitted by Anonymous (not registered) on Thu, 2006-04-20 18:13.

This is indeed the best DNS tutorial I have ever read.

I would definitely say that the author did a commendable job indeed. (SPF information was the crowning jewel.)

Well done,

Hope to see some more articles in the same tone.

Submitted by Anonymous (not registered) on Sat, 2006-03-18 13:03.
This is a superb howto. It also reminds us again of the power of Linux, that is, we are free to configure it down to the configuration files. Many thanks :)
Submitted by Anonymous (not registered) on Tue, 2006-04-11 05:20.

the best tutorial for dns i've ever seen... woulda been nice to have this 2 weeks ago...

Submitted by Anonymous (not registered) on Wed, 2006-06-14 06:48.

wow, that's a great HOWTO, job well done, more power, keep up the good work dudes!!!

Submitted by Anonymous (not registered) on Sat, 2008-12-20 13:42.
Excellent !
Submitted by sujay (not registered) on Tue, 2012-11-27 23:55.
It's really really awesome !!!!