Section 5 - DNS

Configure a Cacheing-only Name Server

## install the required packages [root@rhel7server1 ~]# yum -y install bind bind-utils Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager ... ================================================================================================================ Package Arch Version Repository Size ================================================================================================================ Installing: bind x86_64 32:9.9.4-50.el7 InstallMedia 1.8 M bind-utils x86_64 32:9.9.4-50.el7 InstallMedia 203 k Transaction Summary ================================================================================================================ ... Installed: bind.x86_64 32:9.9.4-50.el7 bind-utils.x86_64 32:9.9.4-50.el7 Complete! [root@rhel7server1 etc]# cd /etc [root@rhel7server1 etc]# vi named.conf ## modify the following, save and exit

   listen-on port 53 { any; };

                        ...

                           allow-query     { any; };

                        ...

                           dnssec-validation no;

## validate the config [root@rhel7server1 etc]# named-checkconf ## update our firewall rules [root@rhel7server1 etc]# firewall-cmd --permanent --add-service=dns success [root@rhel7server1 etc]# firewall-cmd --reload success [root@rhel7server1 etc]# systemctl enable named Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service. [root@rhel7server1 etc]# systemctl start named [root@rhel7server1 etc]# systemctl status named ● named.service - Berkeley Internet Name Domain (DNS) Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled) Active: active (running) since Sun 2020-06-14 22:50:59 EDT; 7s ago Process: 3960 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS) Process: 3958 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS) Main PID: 3963 (named) CGroup: /system.slice/named.service └─3963 /usr/sbin/named -u named -c /etc/named.conf Jun 14 22:50:59 rhel7server1 named[3963]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0....al 0 Jun 14 22:50:59 rhel7server1 named[3963]: zone localhost.localdomain/IN: loaded serial 0 Jun 14 22:50:59 rhel7server1 named[3963]: zone localhost/IN: loaded serial 0 Jun 14 22:50:59 rhel7server1 systemd[1]: Started Berkeley Internet Name Domain (DNS). Jun 14 22:50:59 rhel7server1 named[3963]: all zones loaded Jun 14 22:50:59 rhel7server1 named[3963]: running Jun 14 22:50:59 rhel7server1 named[3963]: error (network unreachable) resolving './DNSKEY/IN': 2001:500:1::53#53 Jun 14 22:50:59 rhel7server1 named[3963]: error (network unreachable) resolving './NS/IN': 2001:500:1::53#53 Jun 14 22:50:59 rhel7server1 named[3963]: error (network unreachable) resolving './DNSKEY/IN': 2001:503:b...0#53 Jun 14 22:50:59 rhel7server1 named[3963]: error (network unreachable) resolving './NS/IN': 2001:503:ba3e:...0#53 Hint: Some lines were ellipsized, use -l to show in full. ## test nslookup using your network name servers [root@rhel7server1 etc]# nslookup www.myfaqbase.com Server: 192.168.1.254 Address: 192.168.1.254#53 Non-authoritative answer: www.myfaqbase.com canonical name = myfaqbase.com. Name: myfaqbase.com Address: 13.250.9.23 ## test nslookup using your locally installed name server [root@rhel7server1 etc]# nslookup www.myfaqbase.com 127.0.0.1 Server: 127.0.0.1 Address: 127.0.0.1#53 Non-authoritative answer: www.myfaqbase.com canonical name = myfaqbase.com. Name: myfaqbase.com Address: 13.250.9.23 ## test from a remote client [root@rhel7client1 ~]# nslookup www.myfaqbase.com rhel7server1 Server: rhel7server1 Address: 192.168.0.10#53 Non-authoritative answer: www.myfaqbase.com canonical name = myfaqbase.com. Name: myfaqbase.com Address: 54.251.77.247 ## ALTERNATIVE - Using unbound package instead of bind ## enable and start the service systemctl enable unbound systemctl start unbound ## Edit /etc/unbound/unbound.cf: interface: 0.0.0.0 Accept connections from every interface. access-control: 192.168.0.0/24 allow Accept requests from these IP addresses. domain-insecure: myexample.com Bypass internal domains which not have been configured with DNS-SEC. forward-zone: name: "." forward-addr: 192.168.x.x Forward all requests to your Network's DNS server ## validate the config ## validation may fail with "/etc/unbound/unbound_server.key" does not exist error if ## we have not started unbound before. Start it first before edit the config unbound-checkconf ## restart systemctl restart unbound

back to Objectives

Troubleshoot DNS Client Issues



            ## Ensure same network as the DNS server or have route to the DNS server

            

            [root@rhel7client1 ~]# ping -c 1 rhel7server1.myexample.com

            PING rhel7server1 (192.168.0.10) 56(84) bytes of data.

            64 bytes from rhel7server1 (192.168.0.10): icmp_seq=1 ttl=64 time=0.506 ms

            

            [root@rhel7client1 ~]# traceroute rhel7server1.myexample.com

            traceroute to rhel7server1.myexample.com (192.168.0.10), 30 hops max, 60 byte packets

             1  rhel7server1 (192.168.0.10)  0.320 ms !X  0.200 ms !X  0.232 ms !X

            

            [root@rhel7client1 ~]# ip addr show

            1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1

                link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

                inet 127.0.0.1/8 scope host lo

                   valid_lft forever preferred_lft forever

                inet6 ::1/128 scope host 

                   valid_lft forever preferred_lft forever

            2: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

                link/ether 08:00:27:4e:cd:a8 brd ff:ff:ff:ff:ff:ff

                inet 192.168.0.20/24 brd 192.168.0.255 scope global enp0s9

                   valid_lft forever preferred_lft forever

                inet6 fe80::745b:f9e9:9efb:54f1/64 scope link 

                   valid_lft forever preferred_lft forever

            

            ## test with nslookup

            

            [root@rhel7client1 ~]# nslookup www.myfaqbase.com rhel7server1.myexample.com

            Server:        rhel7server1.myexample.com

            Address:    192.168.0.10#53

            

            Non-authoritative answer:

            www.myfaqbase.com    canonical name = myfaqbase.com.

            Name:    myfaqbase.com

            Address: 13.250.9.23

            

            ## test with dig

            

            root@rhel7client1 ~]# dig @rhel7server1.myexample.com mail.myfaqbase.com

            

                         ; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> @rhel7server1.myexample.com mail.myfaqbase.com

            ; (1 server found)

            ;; global options: +cmd

            ;; Got answer:

            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53558

            ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

            

            ;; OPT PSEUDOSECTION:

            ; EDNS: version: 0, flags:; udp: 4096

            ;; QUESTION SECTION:

            ;mail.myfaqbase.com.        IN    A

            

            ;; ANSWER SECTION:

            mail.myfaqbase.com.    3600    IN    A    52.77.220.72

            

            ;; AUTHORITY SECTION:

            myfaqbase.com.        1959    IN    NS    ns67.domaincontrol.com.

            myfaqbase.com.        1959    IN    NS    ns68.domaincontrol.com.

            

            ;; ADDITIONAL SECTION:

            ns68.domaincontrol.com.    171159    IN    A    173.201.71.44

            ns68.domaincontrol.com.    171159    IN    AAAA    2603:5:2274::2c

            ns67.domaincontrol.com.    171159    IN    A    97.74.103.44

            ns67.domaincontrol.com.    171159    IN    AAAA    2603:5:2174::2c

            

            ;; Query time: 182 msec

            ;; SERVER: 192.168.0.10#53(192.168.0.10)

            ;; WHEN: Sun Jun 14 23:20:15 EDT 2020

            ;; MSG SIZE  rcvd: 203

            

            ## test with telnet 

            

            [root@rhel7client1 ~]# telnet rhel7server1.myexample.com 53

            Trying 192.168.0.10...

            Connected to rhel7server1.myexample.com.

            Escape character is '^]'

            

            ## configure name servers to use with nmtui or Network Manager GUI

            

            [root@rhel7client1 ~]# nmtui

             

            

            ## confirm name resolution setting

            

            root@rhel7client1 ~]# cat /etc/resolv.conf

            # Generated by NetworkManager

            nameserver 192.168.0.10

            

            ## test the name server

            

            [root@rhel7client1 ~]# nslookup www.myfaqbase.com

            Server:        192.168.0.10

            Address:    192.168.0.10#53

            

            Non-authoritative answer:

            www.myfaqbase.com    canonical name = myfaqbase.com.

            Name:    myfaqbase.com

            Address: 13.250.9.23

back to Objectives