=====The DNS server=====
====DNS data stored in LDAP====
The Hannibal project is centralized around an LDAP store, so it makes sense to keep the DNS data there as well. The option below describes one way to do this; the alternative, a conventional primary/secondary setup with zone files, is described further down.
===Part 1: the Authoritative zones===
==Ldapdns==
The backend authoritative nameserver for our project is Ldapdns, a small authoritative-only server that answers straight from the directory. No LDAP-to-DNS conversion step and no daemon restart is required after DNS mutations. Note: Ldapdns only serves our local zone(s); it does not recurse.
We also need a caching nameserver so that clients can look up foreign zones. This is described in Part 2 below.
Install the software
apt-get install ldapdns
Configure /etc/ldapdns.conf
DNS="."
IP="192.168.1.51"
HOSTMASTER="root@intra.example.com"
DEFAULT_REFRESH=86400
DEFAULT_RETRY=7200
DEFAULT_EXPIRE=604800
DEFAULT_MINIMUM=172800
LOG="syslog"
LDAP_HOST="192.168.1.12"
ROOT="/var/lib/ldapdns"
LDAP_AUTH="anonymous"
LDAP_AUTH_NAME=""
LDAP_SUFFIX="ou=Domains,dc=intra,dc=example,dc=com"
SCHEMA=cosine
HANDLERS="128"
THREADS="2"
RUN_UID="$(id -u ldapdns)"
RUN_GID="$(id -g ldapdns)"
In the chapter on installing the Fedora Directory Server we already mentioned the custom LDAP schema that is required for Ldapdns ([[63ldapdns.ldif]]). We assume you are using this schema. Note that LDAP_AUTH="anonymous" means Ldapdns reads the DNS data without authenticating, so the directory must allow anonymous read access to the ou=Domains subtree; keep that anonymous-read ACI limited to this subtree (or give Ldapdns its own bind DN in LDAP_AUTH_NAME with LDAP_AUTH set accordingly) so the DNS service does not become an anonymous window into the rest of the directory.
Restart the ldapdns-server
/etc/init.d/ldapdns restart
Let's load some DNS data for Ldapdns into the directory server. An example LDIF file is available at [[hannibal-dnsstuff]]. Be aware that ldif2ldap takes the Directory Manager password on the command line, where it is visible in the process list and ends up in your shell history; run it from a root shell on the directory server itself and clear the history afterwards.
/opt/fedora-ds/slapd-ldap/ldif2ldap "cn=Directory Manager" yourpassword /opt/hannibal-dnsstuff.ldif
===Part 2: the non-Authoritative zones===
To serve all other zones, i.e. the non-authoritative zones, a caching nameserver is used. Two options:
==A caching nameserver with ISC-Bind==
Earlier on we documented how to create an LDAP backend for our local zone(s) using Ldapdns. In addition to an authoritative nameserver we also need a solution that allows our clients to look up foreign zones: a caching (recursive) nameserver.
Although from a technical point of view we prefer Dnscache, part of the Djbdns software stack, its license does not allow binary distribution.
For this reason we choose Bind as the caching nameserver. After describing Bind, we also document how to build a caching nameserver with Djbdns.
First install the software
apt-get install bind9
Make Bind listen on its own IP; remember that Ldapdns is already bound to 192.168.1.51. The listen address alone does not stop anyone who can reach 192.168.1.11 from using the cache, so also limit recursion to the client network. The allow-recursion line below is an addition to the original configuration and assumes the clients live in 192.168.1.0/24, as elsewhere on this page.
Edit /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
listen-on { 192.168.1.11; };
allow-recursion { 127.0.0.1; 192.168.1.0/24; };
auth-nxdomain no;
};
Next we tell Bind to forward queries for our local zone(s) to Ldapdns. Use forward only: the default, forward first, falls back to normal recursion when the forwarder does not answer, which would send queries for the private intra.example.com names out to the root servers whenever Ldapdns is down. Edit the file /etc/bind/named.conf.local
zone "1.168.192.in-addr.arpa" {
type forward;
forward only;
forwarders { 192.168.1.51; };
};
zone "intra.example.com" {
type forward;
forward only;
forwarders { 192.168.1.51; };
};
After you're done, reload Bind
/etc/init.d/bind9 force-reload
Now all clients can use the new caching nameserver.
Configure /etc/resolv.conf like so:
search intra.example.com
nameserver 192.168.1.11
==A caching nameserver with Djbdns==
In addition to Ldapdns we can use dnscache (part of djbdns) as the caching nameserver. To run dnscache we also need daemontools. Note that this setup supports neither Dynamic DNS nor DNSSEC.
Due to licensing issues with djbdns and daemontools, distributing binaries for these packages is not allowed. Debian GNU/Linux does, however, provide the packages 'daemontools-installer' and 'djbdns-installer', which build binary packages on the fly when you follow the instructions printed after installation. Because this pulls in build tools and other additional packages, we build the binaries on a separate development machine and copy the results to the production machine. You might want to read [[hannibal:devserver|the Hannibal Development-server howto]].
Logon to your development machine and build the daemontools and djbdns packages.
apt-get install daemontools-installer djbdns-installer
Follow the instructions during this process, transfer the binary packages to your DNS server, then issue:
dpkg -i daemontools_0.76-9_i386.deb djbdns_1.05-11_i386.deb #use the names here of the .deb's you just created
Set up local dnscache:
mkdir /var/lib/svscan
dnscache-conf dnscache dnslog /var/lib/svscan/dnscache 192.168.1.11
ln -s /var/lib/svscan/dnscache /service
touch /var/lib/svscan/dnscache/root/ip/192.168.1
touch /var/lib/svscan/dnscache/root/ip/127.0.0.1
This creates a local cache. The files under root/ip form dnscache's client access list: only clients from 192.168.1.x and the host itself get answers, so the cache is not an open resolver.
Next we make dnscache send queries for our own zones to the Ldapdns server instead of resolving them via the root servers. In this example dnscache listens on 192.168.1.11 while the Ldapdns server listens on 192.168.1.51. Create one file per zone under root/servers, named after the zone and containing the IP of the server for it:
/var/lib/svscan/dnscache/root/servers/1.168.192.in-addr.arpa
192.168.1.51
/var/lib/svscan/dnscache/root/servers/intra.example.com
192.168.1.51
Restart the dnscache
/etc/init.d/djbdns restart
Now all clients can use the new caching nameserver.
Configure /etc/resolv.conf like so:
search intra.example.com
nameserver 192.168.1.11
====DNS data stored in plain files====
The other option is a standard primary/secondary setup with zone files, using ISC Bind. Note that the zone used below, hannibal.local, sits under .local, which RFC 6762 reserves for multicast DNS; hosts running Avahi or macOS will try to resolve such names via mDNS rather than via these servers.
===Primary===
/etc/bind/named.conf. Two things to watch in the options block: allow-transfer lets every host on 10.0.6.0/24 pull a full copy of the zones, which is wider than needed (only the secondary, 10.0.6.31, has to transfer them, and a TSIG key would be better still), and recursion yes turns this authoritative server into a recursive resolver for everyone it answers, so add an allow-recursion list for the trusted networks or keep the authoritative and caching roles apart as the LDAP variant above does.
options {
directory "/var/named";
allow-transfer{
127.0.0.1;
10.0.6.0/24;
};
listen-on{
127.0.0.1;
10.0.6.11;
};
recursion yes;
auth-nxdomain yes;
forwarders {
172.17.1.11;
172.17.1.31;
};
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
zone "hannibal.local"{
type master;
file "db.hannibal.local";
notify yes;
};
zone "6.0.10.in-addr.arpa" {
type master;
file "db.6.0.10.in-addr.arpa";
};
/var/named/db.hannibal.local
$ORIGIN .
$TTL 7200 ; 2 hours
hannibal.local IN SOA ns1.hannibal.local. hostmaster.hannibal.local. (
        2007120102 ; serial, bump it on every edit or the secondary will not transfer
        14400 ; refresh (4 hours)
        1800 ; retry (30 minutes)
        1209600 ; expire (2 weeks)
        86400 ; minimum (1 day)
        )
        NS ns1.hannibal.local.
        NS ns2.hannibal.local.
        MX 10 mail.hannibal.local.
$ORIGIN hannibal.local.
; a record without an owner name belongs to the previous owner and must be indented
localhost A 127.0.0.1
router A 10.0.6.1
        TXT "logical router"
dom0 A 10.0.6.3
ns1 A 10.0.6.11
        TXT "logical primary dns"
ns CNAME ns1.hannibal.local.
ns2 A 10.0.6.31 ; listed as NS above, so it needs an address record; IP from the reverse zone
ldap1 A 10.0.6.12
        TXT "logical LDAP primary"
ldap CNAME ldap1.hannibal.local.
ldap2 A 10.0.6.32 ; this and the last two hosts have PTRs in the reverse zone but had no A record here
mail A 10.0.6.14
        TXT "logical smtp"
smtp CNAME mail.hannibal.local.
imap CNAME mail.hannibal.local.
fileserver A 10.0.6.16
www A 10.0.6.20
/var/named/db.6.0.10.in-addr.arpa
$TTL 7200
6.0.10.in-addr.arpa. IN SOA ns1.hannibal.local. hostmaster.hannibal.local. (
        2007120102 ; serial
        14400 ; refresh (4 hours)
        1800 ; retry (30 minutes)
        1209600 ; expire (2 weeks)
        86400 ; minimum (1 day)
        )
        NS ns1.hannibal.local.
        NS ns2.hannibal.local.
1 IN PTR router.hannibal.local.
3 IN PTR dom0.hannibal.local.
11 IN PTR ns1.hannibal.local.
12 IN PTR ldap1.hannibal.local.
14 IN PTR mail.hannibal.local. ; the canonical name, not the smtp alias: a PTR should not point at a CNAME (RFC 1912)
16 IN PTR fileserver.hannibal.local.
20 IN PTR www.hannibal.local.
31 IN PTR ns2.hannibal.local.
32 IN PTR ldap2.hannibal.local.
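As an added example (not code from the Hannibal project or this page), the following POSIX shell script cross-checks a forward zone against its reverse zone and flags NS targets that have no address record. The zone snippets embedded in it are constructed to mirror db.hannibal.local and db.6.0.10.in-addr.arpa, mismatches included: a host that is mail in the forward zone but smtp in the reverse zone, and ns2 listed as NS without an A record. The function names, the temporary files and the sample data are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Hannibal project: compare the A records of a
# BIND forward zone with the PTR records of its reverse zone, and list NS
# targets that lack an A record. Sample zones below are constructed.
LC_ALL=C
export LC_ALL

# Print "fqdn ip" for every A record in a forward zone file. Tracks $ORIGIN and
# owner-less continuation lines (leading whitespace). An "A" token only counts
# when followed by a dotted quad, so the word inside TXT data is ignored.
forward_a_records() {  # $1 = zone file, $2 = default origin (no trailing dot)
    awk -v origin="$2" '
        $1 == "$ORIGIN" { origin = $2; sub(/\.$/, "", origin); next }
        /^[ \t]*(;|$)/ { next }
        {
            if ($0 ~ /^[ \t]/) owner = last; else { last = $1; owner = $1 }
            for (i = 1; i < NF; i++) {
                if ($i == "A" && $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    name = owner
                    if (name == "@") name = origin
                    else if (name !~ /\.$/) name = name "." origin
                    sub(/\.$/, "", name)
                    print name, $(i + 1)
                }
            }
        }' "$1"
}

# Print "fqdn ip" for every PTR record in an in-addr.arpa zone file, turning
# the reversed owner name back into a dotted quad.
reverse_ptr_records() {  # $1 = zone file, $2 = default origin (no trailing dot)
    awk -v origin="$2" '
        function to_ip(name,    n, p, i, ip) {
            sub(/\.in-addr\.arpa\.?$/, "", name)
            n = split(name, p, ".")
            ip = p[n]
            for (i = n - 1; i >= 1; i--) ip = ip "." p[i]
            return ip
        }
        $1 == "$ORIGIN" { origin = $2; sub(/\.$/, "", origin); next }
        /^[ \t]*(;|$)/ { next }
        {
            if ($0 ~ /^[ \t]/) owner = last; else { last = $1; owner = $1 }
            for (i = 1; i < NF; i++) {
                if ($i == "PTR") {
                    name = owner
                    if (name == "@") name = origin
                    else if (name !~ /\.$/) name = name "." origin
                    target = $(i + 1); sub(/\.$/, "", target)
                    print target, to_ip(name)
                }
            }
        }' "$1"
}

# "6.0.10.in-addr.arpa" -> "10.0.6": the address prefix the reverse zone covers.
reverse_prefix() {
    printf '%s\n' "$1" | sed 's/\.in-addr\.arpa\.*$//' |
        awk -F. '{ s = $NF; for (i = NF - 1; i >= 1; i--) s = s "." $i; print s }'
}

# One line per A/PTR pair present on only one side, limited to addresses the
# reverse zone covers (so localhost/127.0.0.1 is not reported as missing).
zone_mismatches() {  # $1 fwd file, $2 fwd origin, $3 rev file, $4 rev origin
    prefix=$(reverse_prefix "$4")
    fwd=$(mktemp); rev=$(mktemp)
    forward_a_records "$1" "$2" | grep -F -- " $prefix." | sort -u > "$fwd"
    reverse_ptr_records "$3" "$4" | sort -u > "$rev"
    comm -23 "$fwd" "$rev" | sed 's/^/A without matching PTR: /'
    comm -13 "$fwd" "$rev" | sed 's/^/PTR without matching A: /'
    rm -f "$fwd" "$rev"
}
zone_mismatch_count() { zone_mismatches "$@" | awk 'END { print NR }'; }

# Every NS target in the forward zone needs an A record there, otherwise
# resolvers and the secondary cannot reach that server by name.
ns_without_address() {  # $1 fwd file, $2 fwd origin
    have=$(mktemp); want=$(mktemp)
    forward_a_records "$1" "$2" | awk '{ print $1 }' | sort -u > "$have"
    awk '/^[ \t]*(;|$)/ { next }
         { for (i = 1; i < NF; i++) if ($i == "NS") { t = $(i + 1); sub(/\.$/, "", t); print t } }' "$1" |
        sort -u > "$want"
    comm -13 "$have" "$want" | sed 's/^/NS target without A record: /'
    rm -f "$have" "$want"
}

# Constructed sample zones modelled on the page's files, mismatches included.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/db.hannibal.local" <<'EOF'
$ORIGIN .
$TTL 7200
hannibal.local IN SOA ns1.hannibal.local. hostmaster.hannibal.local. (
        2007120102 14400 1800 1209600 86400 )
        NS ns1.hannibal.local.
        NS ns2.hannibal.local.
        MX 10 mail.hannibal.local.
$ORIGIN hannibal.local.
localhost A 127.0.0.1
router  A 10.0.6.1
        TXT "logical router"
ns1     A 10.0.6.11
ldap1   A 10.0.6.12
mail    A 10.0.6.14
smtp    CNAME mail.hannibal.local.
EOF
cat > "$SAMPLE/db.6.0.10.in-addr.arpa" <<'EOF'
$TTL 7200
6.0.10.in-addr.arpa. IN SOA ns1.hannibal.local. hostmaster.hannibal.local. (
        2007120102 14400 1800 1209600 86400 )
        NS ns1.hannibal.local.
        NS ns2.hannibal.local.
1  IN PTR router.hannibal.local.
11 IN PTR ns1.hannibal.local.
12 IN PTR ldap1.hannibal.local.
14 IN PTR smtp.hannibal.local.
31 IN PTR ns2.hannibal.local.
EOF

zone_mismatches "$SAMPLE/db.hannibal.local" hannibal.local \
                "$SAMPLE/db.6.0.10.in-addr.arpa" 6.0.10.in-addr.arpa
ns_without_address "$SAMPLE/db.hannibal.local" hannibal.local
```

Point the two functions at the real files under /var/named with the real origins after every edit: named-checkzone validates each file on its own but does not compare the two zones with each other.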
===Secondary===
/etc/bind/named.conf. The secondary does not need to hand out zone transfers itself, so the allow-transfer list below (10.0.6.101 and the whole 10.0.6.0/24) can be narrowed or dropped unless another server chains off this one; the same remark about recursion yes on an authoritative server applies here as on the primary.
options {
directory "/var/named";
allow-transfer{
10.0.6.101;
10.0.6.0/24;
};
listen-on{
127.0.0.1;
10.0.6.31;
};
recursion yes;
auth-nxdomain yes;
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
zone "hannibal.local"{
type slave;
file "sec/db.hannibal.local";
masters { 10.0.6.11; };
allow-query { any; };
};
zone "6.0.10.in-addr.arpa"{
type slave;
file "sec/db.6.0.10.in-addr.arpa";
// masters must name the primary (10.0.6.11); this host is 10.0.6.31 itself
masters { 10.0.6.11; };
allow-query { any; };
};