hannibal:bind

The DNS server

DNS data stored in LDAP

The Hannibal project is built around a central LDAP store, so it makes sense to keep the DNS data there as well. The first option below describes how to do that; the second option keeps the DNS data in plain zone files instead.

Part 1: the Authoritative zones

Ldapdns

The authoritative nameserver for our local zone(s) is Ldapdns. It answers queries straight from the directory, so after a DNS change there is no LDAP-to-zone-file conversion to run and no daemon to restart. Note: Ldapdns only serves our own zone(s). Clients also need a caching nameserver to resolve foreign zones; that is described in Part 2.

Install the software

apt-get install ldapdns

Configure /etc/ldapdns.conf

DNS="."
IP="192.168.1.51"
HOSTMASTER="root@intra.example.com"
DEFAULT_REFRESH=86400
DEFAULT_RETRY=7200
DEFAULT_EXPIRE=604800
DEFAULT_MINIMUM=172800
LOG="syslog"
LDAP_HOST="192.168.1.12"
ROOT="/var/lib/ldapdns"
LDAP_AUTH="anonymous"
LDAP_AUTH_NAME=""
LDAP_SUFFIX="ou=Domains,dc=intra,dc=example,dc=com"
SCHEMA=cosine
HANDLERS="128"
THREADS="2"
RUN_UID="$(id -u ldapdns)"
RUN_GID="$(id -g ldapdns)"

In the chapter on installing the Fedora Directory Server we already mentioned the custom LDAP schema that Ldapdns requires (63ldapdns.ldif). We assume you have loaded that schema. Because LDAP_AUTH is set to anonymous, the directory server's access control must allow anonymous read access to the ou=Domains subtree. Grant that read access to this subtree only: the DNS data is visible to every client of the resolver anyway, but nothing else in the directory should be readable without a bind.

Restart the ldapdns server

/etc/init.d/ldapdns restart

Let's load some DNS data for Ldapdns into the directory server. An example LDIF file is available at hannibal-dnsstuff.

/opt/fedora-ds/slapd-ldap/ldif2ldap "cn=Directory Manager" yourpassword /opt/hannibal-dnsstuff.ldif

The Directory Manager password is passed on the command line, so it is visible to other local users in the process list for as long as the import runs; only do this on a host where nobody untrusted has a shell.

Part 2: the non-Authoritative zones

To serve all other zones, i.e. the non-authoritative zones, a caching nameserver is used. There are two options:

A caching nameserver with ISC-Bind

Earlier on we documented how to create an LDAP backend for our local zone(s) using Ldapdns. Besides an authoritative nameserver we also need a resolver that lets our clients look up foreign zones: a caching nameserver.

Although from a technical point of view we prefer dnscache, part of the Djbdns software stack, its license at the time did not allow binary distribution. For this reason we choose Bind as the caching nameserver. After describing Bind, we also document how to create a caching nameserver with Djbdns.

First install the software

apt-get install bind9

Make Bind listen on its own IP address; remember that Ldapdns is already bound to 192.168.1.51. Also restrict who may use the cache (allow-recursion and allow-query) to your own network, so that the machine cannot be used as an open resolver from outside.

Edit /etc/bind/named.conf.options

options {
       directory "/var/cache/bind";
       listen-on { 192.168.1.11; };
       auth-nxdomain no;
};

Next we tell Bind to forward queries for our local zone(s) to Ldapdns. Edit the file /etc/bind/named.conf.local. Note that a forward zone without forward only; falls back to normal recursion when the forwarder does not answer; for a private zone that means queries for intra.example.com leak to the public root servers while Ldapdns is down. Add forward only; to each zone if you would rather get a failure in that case.

zone "1.168.192.in-addr.arpa"{
    type forward;
    forwarders { 192.168.1.51; };
};

zone "intra.example.com"{
    type forward;
    forwarders { 192.168.1.51; };
};

After you're done, reload Bind

/etc/init.d/bind9 force-reload

Now you can use the new caching nameserver on all clients. Configure /etc/resolv.conf like so:

search intra.example.com
nameserver 192.168.1.11

A caching nameserver with Djbdns

Alongside Ldapdns we can also use dnscache (part of djbdns) as the caching nameserver instead of Bind. Running dnscache also requires daemontools. Note that our project does not support Dynamic DNS or DNSSEC. Because of the licensing of djbdns and daemontools, binary packages may not be distributed, but Debian GNU/Linux provides the packages 'daemontools-installer' and 'djbdns-installer': follow the instructions they print after installation and they build binary packages on the fly. Doing so pulls a number of build dependencies onto the system, so we build the binaries on a separate development machine and copy the results to the production machine. You might want to read the Hannibal Development-server howto.

Log on to your development machine and build the daemontools and djbdns packages.

apt-get install daemontools-installer djbdns-installer

Follow the instructions during this process, transfer the resulting .deb packages to your DNS server and install them:

dpkg -i daemontools_0.76-9_i386.deb djbdns_1.05-11_i386.deb #use the names here of the .deb's you just created

Set up local dnscache:

mkdir /var/lib/svscan
dnscache-conf dnscache dnslog /var/lib/svscan/dnscache 192.168.1.11
ln -s /var/lib/svscan/dnscache /service
touch /var/lib/svscan/dnscache/root/ip/192.168.1
touch /var/lib/svscan/dnscache/root/ip/127.0.0.1

This generates a local cache. The files under root/ip/ form the access list: clients on the 192.168.1.x network (and the local host) may use this dnscache, and queries from any other address are dropped. Next we tell dnscache to send queries for our own zones to the Ldapdns server instead of to the public root servers. In this example dnscache listens on 192.168.1.11 while Ldapdns listens on 192.168.1.51. Create one file per zone under root/servers/, named after the zone and containing the address of the authoritative server:

/var/lib/svscan/dnscache/root/servers/1.168.192.in-addr.arpa

192.168.1.51

/var/lib/svscan/dnscache/root/servers/intra.example.com

192.168.1.51

Restart dnscache so that it rereads the root/servers and root/ip directories (with daemontools, svc -t /service/dnscache does the same):

/etc/init.d/djbdns restart

Now you can use the new caching nameserver on all clients. Configure /etc/resolv.conf like so:

search intra.example.com
nameserver 192.168.1.11

DNS data stored in plain files

The other option is a standard primary/secondary setup with ISC Bind, keeping the zone data in plain files.

Primary

/etc/bind/named.conf. Two things to keep in mind about this configuration: recursion yes makes the authoritative server also act as resolver for the 10.0.6.0/24 clients (via the forwarders), so restrict it with allow-recursion to that network; and allow-transfer for the whole of 10.0.6.0/24 lets any host on the subnet dump the zones, where listing the secondary's address 10.0.6.31 alone would do:

options {
        directory "/var/named";
        allow-transfer{
                127.0.0.1;
                10.0.6.0/24;
        };
        listen-on{
                127.0.0.1;
                10.0.6.11;
        };
        recursion yes;
        auth-nxdomain yes;
        forwarders {
                172.17.1.11;
                172.17.1.31;
        };
};
zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};
zone "hannibal.local"{
        type master;
        file "db.hannibal.local";
        notify yes;
};
zone "6.0.10.in-addr.arpa" {
        type master;
        file "db.6.0.10.in-addr.arpa";
};

/var/named/db.hannibal.local

$ORIGIN .
$TTL 7200       ; 2 hours
hannibal.local   IN SOA  ns1.hannibal.local. hostmaster.hannibal.local. (
                                2007120102 ; serial
                                14400      ; refresh (4 hours)
                                1800       ; retry (30 minutes)
                                1209600    ; expire (2 weeks)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.hannibal.local.
                        NS      ns2.hannibal.local.
                        MX      10 mail.hannibal.local.
$ORIGIN hannibal.local.
localhost               A       127.0.0.1
router                  A       10.0.6.1
                        TXT     "logical router"
dom0                    A       10.0.6.3
ns1                     A       10.0.6.11
                        TXT     "logical primary dns"
ns                      CNAME   ns1.hannibal.local.
ns2                     A       10.0.6.31   ; the secondary; the NS records above need an address for it
ldap1                   A       10.0.6.12
                        TXT     "logical LDAP primary"
ldap                    CNAME   ldap1.hannibal.local.
mail                    A       10.0.6.14
                        TXT     "logical smtp"
smtp                    CNAME   mail.hannibal.local.
imap                    CNAME   mail.hannibal.local.

/var/named/db.6.0.10.in-addr.arpa

$TTL    7200
6.0.10.in-addr.arpa.   IN  SOA  ns1.hannibal.local.  hostmaster.hannibal.local. (
                                2007120102 ; serial
                                14400      ; refresh (4 hours)
                                1800       ; retry (30 minutes)
                                1209600    ; expire (2 weeks)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.hannibal.local.
                        NS      ns2.hannibal.local.
1         IN      PTR     router.hannibal.local.
3         IN      PTR     dom0.hannibal.local.
11        IN      PTR     ns1.hannibal.local.
12        IN      PTR     ldap1.hannibal.local.
14        IN      PTR     mail.hannibal.local.   ; a PTR names the A record owner, not the smtp CNAME
16        IN      PTR     fileserver.hannibal.local.
20        IN      PTR     www.hannibal.local.
31        IN      PTR     ns2.hannibal.local.
32        IN      PTR     ldap2.hannibal.local.
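Forward and reverse zones drift apart easily: a PTR gets added for a host that never received an A record, or a PTR points at an alias instead of the canonical name. The script below is an added example (not part of the Hannibal page and not a BIND tool): a small zone-file parser that handles the constructs used in the two files above ($ORIGIN, $TTL, ';' comments, parenthesised multi-line records, blank-owner continuation lines, optional TTL/class fields, quoted TXT strings) and a check that every A record inside the reverse zone has a PTR, that every PTR points back at an A record for that address, and that no PTR targets a CNAME. The FORWARD and REVERSE strings are constructed samples modelled on the page's zones and deliberately trimmed and made inconsistent; ';' is assumed never to occur inside a TXT string.

```python
import shlex

# Constructed sample zones, modelled on the two files above and trimmed for the demo.
FORWARD = """\
$ORIGIN .
hannibal.local   IN SOA  ns1.hannibal.local. hostmaster.hannibal.local. (
                                2007120102 14400 1800 1209600 86400 )
                        NS      ns1.hannibal.local.
$ORIGIN hannibal.local.
localhost               A       127.0.0.1
router                  A       10.0.6.1
                        TXT     "logical router"
dom0                    A       10.0.6.3
ns1                     A       10.0.6.11
mail                    A       10.0.6.14
smtp                    CNAME   mail.hannibal.local.
"""
REVERSE = """\
$TTL    7200
6.0.10.in-addr.arpa.   IN  SOA  ns1.hannibal.local.  hostmaster.hannibal.local. (
                                2007120102 14400 1800 1209600 86400 )
1         IN      PTR     router.hannibal.local.
11        IN      PTR     ns1.hannibal.local.
14        IN      PTR     smtp.hannibal.local.
16        IN      PTR     fileserver.hannibal.local.
31        IN      PTR     ns2.hannibal.local.
"""

def absolutize(name, origin):
    """Make a zone-file name absolute relative to the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin

def parse_zone(text, origin):
    """Return [(owner, rtype, rdata)]; owners and name-valued rdata are made absolute."""
    origin, logical, buf, depth = absolutize(origin, "."), [], "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # strip ';' comments (none inside TXT here)
        if not line.strip() and depth == 0:
            continue
        buf = buf + " " + line if buf else line      # join '(' ... ')' continuation lines
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append(buf)
            buf = ""
    records, owner = [], None
    for line in logical:
        if line.startswith("$ORIGIN"):
            origin = absolutize(line.split()[1], origin)
            continue
        if line.startswith("$"):                     # $TTL carries no record
            continue
        fields = shlex.split(line.replace("(", " ").replace(")", " "))
        if not line[0].isspace():                    # owner given, otherwise reuse the last one
            owner = absolutize(fields.pop(0), origin)
        while fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)                            # optional TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("CNAME", "PTR", "NS"):
            rdata = [absolutize(rdata[0], origin)]
        records.append((owner, rtype, rdata))
    return records

def ptr_owner_to_ip(owner):
    """'1.6.0.10.in-addr.arpa.' -> '10.0.6.1'"""
    return ".".join(reversed(owner.rstrip(".").split(".")[:-2]))

def check_consistency(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return [(problem, ip, name)] sorted by address, for the addresses rev_origin covers."""
    a_names, cnames, ptrs = {}, {}, {}
    for owner, rtype, rdata in parse_zone(fwd_text, fwd_origin):
        if rtype == "A":
            a_names.setdefault(rdata[0], set()).add(owner)
        elif rtype == "CNAME":
            cnames[owner] = rdata[0]
    for owner, rtype, rdata in parse_zone(rev_text, rev_origin):
        if rtype == "PTR":
            ptrs[ptr_owner_to_ip(owner)] = rdata[0]
    problems, suffix = [], "." + absolutize(rev_origin, ".")
    for ip, names in a_names.items():
        in_zone = (".".join(reversed(ip.split("."))) + ".in-addr.arpa.").endswith(suffix)
        if in_zone and ip not in ptrs:               # 127.0.0.1 belongs to another reverse zone
            problems.append(("A without PTR", ip, min(names)))
    for ip, target in ptrs.items():
        if target in cnames:                         # a PTR must name the A record owner, not an alias
            problems.append(("PTR targets CNAME", ip, target))
        elif ip not in a_names:
            problems.append(("PTR without A", ip, target))
        elif target not in a_names[ip]:
            problems.append(("PTR does not match A", ip, target))
    return sorted(problems, key=lambda p: [int(o) for o in p[1].split(".")])

def run_check():
    return check_consistency(FORWARD, "hannibal.local", REVERSE, "6.0.10.in-addr.arpa")
```

Running run_check() on the samples reports dom0 (an A record with no PTR), 10.0.6.14 (PTR pointing at the smtp alias), and 10.0.6.16 and 10.0.6.31 (PTRs for names without an A record). To use it on real files, pass the contents of db.hannibal.local and db.6.0.10.in-addr.arpa with their zone names; stale PTRs matter because reverse lookups feed mail-server checks and tcpwrapper/paranoid-style access decisions on the hosts.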

Secondary

/etc/bind/named.conf. Both slave zones pull their data from the primary at 10.0.6.11, and the reverse zone must be named 6.0.10.in-addr.arpa exactly as on the primary, otherwise the secondary requests a transfer of a zone the primary does not serve:

options {
        directory "/var/named";
        allow-transfer{
                10.0.6.101;
                10.0.6.0/24;
        };
        listen-on{
                127.0.0.1;
                10.0.6.31;
        };
        recursion yes;
        auth-nxdomain yes;
};
zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};
zone "hannibal.local"{
        type slave;
        file "sec/db.hannibal.local";
        masters { 10.0.6.11; };
        allow-query { any; };
};
zone "6.0.10.in-addr.arpa"{
        type slave;
        file "sec/db.6.0.10.in-addr.arpa";
        masters { 10.0.6.11; };
        allow-query { any; };
};
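named-checkconf only checks syntax; it accepts a slave zone whose masters entry is the secondary's own address, a misspelled reverse zone name, or an allow-transfer that covers a whole subnet. The script below is an added example (not part of the Hannibal page and not a BIND tool): a minimal named.conf parser (quoted strings, braces, semicolons, the three comment styles) and a lint pass for exactly those semantic mistakes. SAMPLE is a constructed secondary configuration modelled on the one above, deliberately containing the mistakes the check is meant to catch; the parser assumes no '//' or '#' inside quoted strings.

```python
import re

# Constructed secondary configuration, modelled on the one above, with the kind of
# mistakes the check is meant to catch (self-referencing masters, misspelled reverse zone).
SAMPLE = """\
options {
        directory "/var/named";
        allow-transfer { 10.0.6.101; 10.0.6.0/24; };
        listen-on { 127.0.0.1; 10.0.6.31; };
        recursion yes;
        auth-nxdomain yes;
};
zone "hannibal.local" {
        type slave;
        file "sec/db.hannibal.local";
        masters { 10.0.6.11; };
        allow-query { any; };
};
zone "6.0.10-in-addr.arpa" {
        type slave;
        file "sec/db.6.0.10-in-addr.arpa";
        masters { 10.0.6.31; };
        allow-query { any; };
};
"""

def tokenize(text):
    """Split named.conf text into quoted strings, braces, semicolons and bare words."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)      # /* block */ comments
    text = re.sub(r"(//|#)[^\n]*", "", text)               # // and # line comments
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)

def parse_block(tokens, pos=0):
    """Parse statements up to a closing '}' into [(words, sub)]; sub is a nested list or None."""
    stmts = []
    while pos < len(tokens) and tokens[pos] != "}":
        words = []
        while tokens[pos] not in ("{", ";"):
            words.append(tokens[pos].strip('"'))
            pos += 1
        sub = None
        if tokens[pos] == "{":
            sub, pos = parse_block(tokens, pos + 1)
            pos += 1                                       # step over the closing '}'
        pos += 1                                           # step over the ';'
        stmts.append((words, sub))
    return stmts, pos

def items(sub):
    """Elements of an address list block: the first word of every statement inside it."""
    return [words[0] for words, _ in (sub or [])]

def option(stmts, key):
    """(words after key, sub block) of the first statement starting with key, or ([], None)."""
    for words, sub in stmts:
        if words[0] == key:
            return words[1:], sub
    return [], None

def lint(text):
    """Findings for semantic mistakes that named-checkconf (a syntax check) does not report."""
    stmts, _ = parse_block(tokenize(text))
    findings, listen = [], set()
    for words, sub in stmts:
        if words[0] == "options":
            listen.update(items(option(sub, "listen-on")[1]))
            for addr in items(option(sub, "allow-transfer")[1]):
                if "/" in addr or addr == "any":
                    findings.append(f"allow-transfer to {addr}: every host in it can dump the zones; list the secondaries instead")
            if option(sub, "recursion")[0] == ["yes"] and option(sub, "allow-recursion") == ([], None):
                findings.append("recursion yes without allow-recursion: restrict recursion to your own clients")
    for words, sub in stmts:
        if words[0] != "zone":
            continue
        name = words[1]
        if name.endswith("in-addr.arpa") and not re.fullmatch(r"(\d{1,3}\.){1,4}in-addr\.arpa", name):
            findings.append(f"zone {name}: malformed reverse zone name; the primary serves no such zone")
        if option(sub, "type")[0] == ["slave"]:
            for master in items(option(sub, "masters")[1]):
                if master in listen:
                    findings.append(f"zone {name}: masters lists {master}, one of this server's own listen-on addresses")
    return findings

def run_lint():
    return lint(SAMPLE)
```

run_lint() returns four findings for the sample: the subnet-wide allow-transfer, recursion without allow-recursion, the malformed reverse zone name and the slave zone that names the secondary itself as master. Correcting the zone name and the masters address in the sample leaves only the first two, which apply to the primary configuration above as well.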
hannibal/bind.txt · Last modified: 2008/06/25 12:43 by Olivier Brugman