Intro
This article is a short step-by-step how-to for configuring a slave DNS server based on CentOS 7 and managed by the "Slave DNS Manager" extension in Plesk.
I already created a virtual server based on CentOS 7 in a cloud environment. The server has a public IP address on the eth0 interface; in other words, the slave server is not behind NAT.
So I had the following information:
- Plesk IP address: 188.x.y.z
- IP address of the slave DNS: 138.a.b.c
- Domain: test-for-forum.com
Steps
1. Update OS.
Code:
slaveDNS# yum update -y
[...] Complete!
slaveDNS#
2. Check SELinux status.
Code:
slaveDNS# sestatus
SELinux status: disabled
slaveDNS#
3. Reboot so that the new kernel from the update is used.
Code:
slaveDNS# reboot
slaveDNS#
4. Install BIND.
Code:
slaveDNS# yum install -y bind bind-utils
[...] Complete!
slaveDNS#
5. Change option 'listen-on' inside named.conf.
Code:
slaveDNS# sed -i 's/listen-on port 53 { 127.0.0.1; };/listen-on port 53 { any; };/;' /etc/named.conf
slaveDNS#
6. Change option 'recursion' inside named.conf.
Code:
slaveDNS# sed -i 's/recursion yes;/recursion no;/;' /etc/named.conf
slaveDNS#
7. Change option 'allow-query' inside named.conf (the stock file has several spaces after 'allow-query', so the pattern tolerates any whitespace).
Code:
slaveDNS# sed -i 's/allow-query[[:space:]]*{ localhost; };/allow-query { any; };/' /etc/named.conf
slaveDNS#
8. Add option 'allow-new-zones' inside named.conf.
Code:
slaveDNS# sed -i 's/options {/options {\n allow-new-zones yes;/;' /etc/named.conf
slaveDNS#
9. Add a new server in Slave DNS extensions in Plesk.
10. Add a key section and a controls section to named.conf (replace the `secret` value and the Plesk IP address 188.x.y.z below):
Code:
slaveDNS# cat <<EOF >> /etc/named.conf
key "rndc-key-master" {
    algorithm hmac-md5;
    secret "OTY_________________________OQ==";
};
controls {
    inet * port 953 allow { 188.x.y.z; 127.0.0.1; } keys { "rndc-key-master"; };
};
EOF
slaveDNS#
11. Add write permission for the named group on /var/named.
Code:
slaveDNS# chmod g+w /var/named/
slaveDNS#
12. Enable named service.
Code:
slaveDNS# systemctl enable named.service
slaveDNS#
13. Start named service.
Code:
slaveDNS# systemctl start named.service
slaveDNS#
14. Check the current /var/log/messages:
Apr 26 08:45:54 digitalocean yum[8668]: Installed: 32:bind-9.9.4-38.el7_3.3.x86_64
Apr 26 08:45:54 digitalocean yum[8668]: Installed: 32:bind-utils-9.9.4-38.el7_3.3.x86_64
Apr 26 08:49:54 digitalocean systemd: Starting Cleanup of Temporary Directories...
Apr 26 08:49:54 digitalocean systemd: Started Cleanup of Temporary Directories.
Apr 26 09:01:01 digitalocean systemd: Started Session 2 of user root.
Apr 26 09:01:01 digitalocean systemd: Starting Session 2 of user root.
Apr 26 09:15:39 digitalocean systemd: Reloading.
Apr 26 09:15:43 digitalocean systemd: Starting Generate rndc key for BIND (DNS)...
Apr 26 09:15:43 digitalocean generate-rndc-key.sh: Generating /etc/rndc.key:[ OK ]
Apr 26 09:15:43 digitalocean systemd: Started Generate rndc key for BIND (DNS).
Apr 26 09:15:43 digitalocean systemd: Starting Berkeley Internet Name Domain (DNS)...
Apr 26 09:15:43 digitalocean bash: zone localhost.localdomain/IN: loaded serial 0
Apr 26 09:15:43 digitalocean bash: zone localhost/IN: loaded serial 0
Apr 26 09:15:43 digitalocean bash: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Apr 26 09:15:43 digitalocean bash: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Apr 26 09:15:43 digitalocean bash: zone 0.in-addr.arpa/IN: loaded serial 0
Apr 26 09:15:43 digitalocean named[8769]: starting BIND 9.9.4-RedHat-9.9.4-38.el7_3.3 -u named
Apr 26 09:15:43 digitalocean named[8769]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--with-geoip' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
Apr 26 09:15:43 digitalocean named[8769]: ----------------------------------------------------
Apr 26 09:15:43 digitalocean named[8769]: BIND 9 is maintained by Internet Systems Consortium,
Apr 26 09:15:43 digitalocean named[8769]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Apr 26 09:15:43 digitalocean named[8769]: corporation. Support and training for BIND 9 are
Apr 26 09:15:43 digitalocean named[8769]: available at [...]
Apr 26 09:15:43 digitalocean named[8769]: ----------------------------------------------------
Apr 26 09:15:43 digitalocean named[8769]: adjusted limit on open files from 4096 to 1048576
Apr 26 09:15:43 digitalocean named[8769]: found 1 CPU, using 1 worker thread
Apr 26 09:15:43 digitalocean named[8769]: using 1 UDP listener per interface
Apr 26 09:15:43 digitalocean named[8769]: using up to 4096 sockets
Apr 26 09:15:43 digitalocean named[8769]: loading configuration from '/etc/named.conf'
Apr 26 09:15:43 digitalocean named[8769]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Apr 26 09:15:43 digitalocean named[8769]: initializing GeoIP Country (IPv4) (type 1) DB
Apr 26 09:15:43 digitalocean named[8769]: GEO-106FREE 20160607 Build 1 Copyright (c) 2016 MaxMind
Apr 26 09:15:43 digitalocean named[8769]: initializing GeoIP Country (IPv6) (type 12) DB
Apr 26 09:15:43 digitalocean named[8769]: GEO-106FREE 20160607 Build 1 Copy
Apr 26 09:15:43 digitalocean named[8769]: GeoIP ...
[...]
Apr 26 09:15:43 digitalocean named[8769]: GeoIP ...
Apr 26 09:15:43 digitalocean named[8769]: using default UDP/IPv4 port range: [1024, 65535]
Apr 26 09:15:43 digitalocean named[8769]: using default UDP/IPv6 port range: [1024, 65535]
Apr 26 09:15:43 digitalocean named[8769]: listening on IPv4 interface lo, 127.0.0.1#53
Apr 26 09:15:43 digitalocean named[8769]: listening on IPv6 interface lo, ::1#53
Apr 26 09:15:43 digitalocean named[8769]: generating session key for dynamic DNS
Apr 26 09:15:43 digitalocean named[8769]: open: 3bf305731dd26307.nzf: file not found
Apr 26 09:15:43 digitalocean named[8769]: sizing zone task pool based on 6 zones
Apr 26 09:15:43 digitalocean named[8769]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
Apr 26 09:15:43 digitalocean named[8769]: automatic empty zone: ...
[...]
Apr 26 09:15:43 digitalocean named[8769]: automatic empty zone: ...
Apr 26 09:15:43 digitalocean named[8769]: command channel listening on 0.0.0.0#953
Apr 26 09:15:43 digitalocean named[8769]: managed-keys-zone: loaded serial 0
Apr 26 09:15:43 digitalocean systemd: Started Berkeley Internet Name Domain (DNS).
Apr 26 09:15:43 digitalocean named[8769]: zone 0.in-addr.arpa/IN: loaded serial 0
Apr 26 09:15:43 digitalocean systemd: Reached target Host and Network Name Lookups.
Apr 26 09:15:43 digitalocean named[8769]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Apr 26 09:15:43 digitalocean systemd: Starting Host and Network Name Lookups.
Apr 26 09:15:43 digitalocean named[8769]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Apr 26 09:15:43 digitalocean named[8769]: zone localhost.localdomain/IN: loaded serial 0
Apr 26 09:15:43 digitalocean named[8769]: zone localhost/IN: loaded serial 0
Apr 26 09:15:43 digitalocean named[8769]: all zones loaded
Apr 26 09:15:43 digitalocean named[8769]: running
15. Disable and re-enable DNS for the domain, then check the logs again:
Apr 26 09:22:33 digitalocean named[8769]: received control channel command 'refresh test-for-forum.com'
Apr 26 09:22:33 digitalocean named[8769]: received control channel command 'addzone test-for-forum.com { type slave; file "test-for-forum.com"; masters { 188.x.y.z; }; };'
Apr 26 09:22:33 digitalocean named[8769]: zone test-for-forum.com added to view _default via addzone
Apr 26 09:22:33 digitalocean named[8769]: zone test-for-forum.com/IN: Transfer started.
Apr 26 09:22:33 digitalocean named[8769]: transfer of 'test-for-forum.com/IN' from 188.x.y.z#53: connected using 138.a.b.c#36857
Apr 26 09:22:33 digitalocean named[8769]: zone test-for-forum.com/IN: transferred serial 2017042605
Apr 26 09:22:33 digitalocean named[8769]: transfer of 'test-for-forum.com/IN' from 188.x.y.z#53: Transfer completed: 1 messages, 15 records, 416 bytes, 0.005 secs (83200 bytes/sec)
Apr 26 09:22:33 digitalocean named[8769]: zone test-for-forum.com/IN: sending notifies (serial 2017042605)
16. Check the new files in the named directory ("3bf305731dd26307.nzf" and "test-for-forum.com"):
Code:
slaveDNS# ls -la /var/named
total 44
drwxrwx--- 5 root named 4096 Apr 26 09:22 .
drwxr-xr-x. 20 root root 4096 Apr 26 08:45 ..
-rw-r--r-- 1 named named 100 Apr 26 09:22 3bf305731dd26307.nzf
drwxrwx--- 2 named named 4096 Apr 26 09:15 data
drwxrwx--- 2 named named 4096 Apr 26 09:16 dynamic
-rw-r----- 1 root named 2076 Jan 28 2013 named.ca
-rw-r----- 1 root named 152 Dec 15 2009 named.empty
-rw-r----- 1 root named 152 Jun 21 2007 named.localhost
-rw-r----- 1 root named 168 Dec 15 2009 named.loopback
drwxrwx--- 2 named named 4096 Apr 19 15:53 slaves
-rw-r--r-- 1 named named 876 Apr 26 09:22 test-for-forum.com
slaveDNS#
17. Look inside "3bf305731dd26307.nzf":
Code:
slaveDNS# cat /var/named/3bf305731dd26307.nzf
zone "test-for-forum.com" { type slave; file "test-for-forum.com"; masters { 188.x.y.z; }; };
slaveDNS#
Done. The extension and the slave DNS are configured, and the slave DNS can now transfer the zone from the master DNS.
Troubleshooting
1. Check /etc/named.conf and make sure the options were actually updated by the `sed` commands.
2. If one server cannot connect to the other, check the firewall. In cloud environments, also check the cloud firewall if there is one.
- Do not block 53/udp connections from anywhere to the DNS servers.
- Do not block 53/tcp connections from the slave DNS to the master DNS.
- Do not block 953/tcp connections from the master DNS to the slave DNS.
3. If BIND does not start, check the system logs and the BIND logs; something is probably wrong with the config files.
4. Always check the system and BIND logs:
- /var/log/messages
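The check behind troubleshooting point 1, as an added example that is not part of the original post: `sed -i` exits 0 even when its pattern matched nothing, so this script greps named.conf for the final state the steps 5-8 and 10 should have produced. The sample config and the master IP 198.51.100.10 are constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the original post: verify that the named.conf
# edits from steps 5-8 and 10 really landed. `sed -i` exits 0 even when its
# pattern matched nothing (the stock CentOS 7 file has several spaces in
# "allow-query     { localhost; };"), so grep for the final state instead.

# Print the label of every expected directive that is NOT present in the
# config file $1; $2 is the master (Plesk) IP that must be allowed on the
# control channel. Empty output means everything is in place.
missing_directives() {
    conf=$1
    master=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    # "label|extended regex" pairs, one per line
    printf '%s\n' \
        'listen-on any|listen-on port 53 \{ *any; *\};' \
        'recursion no|^[[:space:]]*recursion no;' \
        'allow-query any|allow-query[[:space:]]*\{ *any; *\};' \
        'allow-new-zones yes|^[[:space:]]*allow-new-zones yes;' \
        'key rndc-key-master|^key "rndc-key-master"' \
        "controls allow master|port 953 allow \{[^}]*$master;" |
    while IFS='|' read -r label pattern; do
        grep -Eq "$pattern" "$conf" || echo "$label"
    done
}

# Constructed sample (hypothetical master IP 198.51.100.10): the stock layout
# after steps 5, 6, 8 and 10, where a single-space step-7 pattern did not
# match because of the extra spaces after "allow-query".
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
options {
 allow-new-zones yes;
        listen-on port 53 { any; };
        directory       "/var/named";
        allow-query     { localhost; };
        recursion no;
};
key "rndc-key-master" {
        algorithm hmac-md5;
        secret "PLACEHOLDER_SECRET==";
};
controls {
        inet * port 953 allow { 198.51.100.10; 127.0.0.1; } keys { "rndc-key-master"; };
};
EOF

# Reports only "allow-query any"; fix that line and re-run until the output is empty.
missing_directives "$SAMPLE_CONF" 198.51.100.10
```

Run it against /etc/named.conf with the real Plesk IP after step 10; anything it prints is a step that did not take effect.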
Notes
1. If you want to use the slave DNS with SELinux enabled, you need different steps. Those steps are not described here, but it is possible.
2. If you want to run the slave DNS in a chrooted environment, you need different steps. Those steps are not described here, but it is possible.
3. If you want to use the slave DNS on Ubuntu or even Windows, you need different steps. Those steps are not described here, but it is possible.
4. If the master DNS (Plesk) is behind NAT, you need different steps. Those steps are not described here, but it is possible.
CHANGELOG:
Code:
2017.08.26
Added new steps:
#5: change "listen-on" address from "127.0.0.1" to "any"
#6: change "recursion" from "yes" to "no"
#7: change "allow-query" from "localhost" to "any"
Added new point in troubleshooting:
#1: check actual settings in "named.conf"
2017.06.29
First version of the article.