Master Slave DNS configuration on bind

DNS is one of the critical components of Internet infrastructure. A typical DNS architecture has master and slave (authoritative) DNS servers and caching resolvers. All DNS data updates are made on the master DNS servers, and the masters then replicate the records to the slaves. The slaves are the servers exposed on the Internet, where caching name servers query them for DNS records and cache the answers until the TTL expires.

Master DNS is 192.168.0.10 mns1.ns.mka.in
Slave DNS is 192.168.0.11 sns1.ns.mka.in

On the master DNS, 192.168.0.10

Create the zone configuration file /etc/bind/named.conf.corp-zones with the following zone definition (named.conf must include this file, for example with an include statement, or BIND will not load it):

zone "test.mka.in" {
type master;
file "/etc/bind/corp/test.mka.in";
};

Create sample zone data in the file /etc/bind/corp/test.mka.in, for example:

;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS mns1.ns.mka.in.
@ IN NS sns1.ns.mka.in.
@ IN A 127.0.0.1
@ IN AAAA ::1
rec0 1500 IN A 10.1.1.1
rec1 1500 IN A 10.1.1.2
rec2 1500 IN A 10.1.1.3
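Before reloading the master it is worth checking the zone data for the things that matter to replication: the serial, the NS set that NOTIFY is sent to, and the SOA timers. The script below is an added example written for this page, not part of the original post or of BIND; it embeds the zone shown above as its sample input and implements a minimal parser for that zone-file shape (owner name always written out, optional TTL, class IN). The function names and the expected NS list are my own choices.

```python
import re

# Sample input: the zone data shown on this page for test.mka.in, embedded
# here so the script runs offline.
ZONE_TEXT = """\
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS mns1.ns.mka.in.
@ IN NS sns1.ns.mka.in.
@ IN A 127.0.0.1
@ IN AAAA ::1
rec0 1500 IN A 10.1.1.1
rec1 1500 IN A 10.1.1.2
rec2 1500 IN A 10.1.1.3
"""


def zone_records(text):
    """Yield one token list per logical record: ';' comments stripped and a
    parenthesised rdata (the SOA) folded onto a single record."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.extend(line.replace("(", " ").replace(")", " ").split())
        if depth == 0 and buf:
            yield buf
            buf = []


def parse_zone(text):
    """Minimal parser for the zone-file shape used above. Returns the default
    TTL, the SOA fields, the NS targets and the A records (hypothetical helper)."""
    ttl, soa, ns, a = None, None, [], {}
    for toks in zone_records(text):
        if toks[0] == "$TTL":
            ttl = int(toks[1])
            continue
        if toks[0].startswith("$"):
            continue                      # other directives are not needed here
        owner, rest = toks[0], toks[1:]
        if rest and rest[0].isdigit():
            rest = rest[1:]               # per-record TTL, e.g. "rec0 1500 IN A"
        if rest and rest[0] == "IN":
            rest = rest[1:]
        rtype, rdata = rest[0], rest[1:]
        if rtype == "SOA":
            soa = dict(zip(["mname", "rname"], rdata[:2]))
            soa.update(zip(["serial", "refresh", "retry", "expire", "minimum"],
                           map(int, rdata[2:7])))
        elif rtype == "NS":
            ns.append(rdata[0])
        elif rtype == "A":
            a[owner] = rdata[0]
    return {"ttl": ttl, "soa": soa, "ns": ns, "a": a}


def check_zone(text, expected_ns):
    """Return a list of findings about the replication-relevant data:
    every expected server must be in the NS set (NOTIFY goes to the NS set),
    and the SOA timers must be ordered sensibly."""
    z = parse_zone(text)
    if z["soa"] is None:
        return ["no SOA record found"]
    findings = []
    for name in expected_ns:
        if name not in z["ns"]:
            findings.append(f"NS {name} missing: it will not receive NOTIFY for this zone")
    if z["soa"]["mname"] not in z["ns"]:
        findings.append(f"SOA MNAME {z['soa']['mname']} is not one of the zone's NS names")
    if z["soa"]["retry"] >= z["soa"]["refresh"]:
        findings.append("SOA retry should be shorter than refresh")
    if z["soa"]["expire"] <= z["soa"]["refresh"]:
        findings.append("SOA expire should exceed refresh")
    return findings


# Matches "SOA <mname> <rname> [(] <serial>" so only the serial is touched.
SERIAL_RE = re.compile(r"(SOA\s+\S+\s+\S+\s*\(?\s*)(\d+)")


def bump_serial(text):
    """Return the zone text with the SOA serial incremented by one; a higher
    serial is what makes slaves act on the master's NOTIFY after a reload."""
    new, n = SERIAL_RE.subn(lambda m: m.group(1) + str(int(m.group(2)) + 1), text, count=1)
    if n != 1:
        raise ValueError("SOA serial not found")
    return new


if __name__ == "__main__":
    print("serial:", parse_zone(ZONE_TEXT)["soa"]["serial"])
    for f in check_zone(ZONE_TEXT, ["mns1.ns.mka.in.", "sns1.ns.mka.in."]):
        print("finding:", f)
    print("serial after bump:", parse_zone(bump_serial(ZONE_TEXT))["soa"]["serial"])
```

This complements, rather than replaces, BIND's own named-checkzone, which validates the file's syntax but does not tell you whether the NS set matches the slaves you expect to notify.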

Now edit /etc/bind/named.conf.options and add the following lines to permit zone transfers to the slave DNS, 192.168.0.11, and to notify all NS servers of the zones. With notify enabled, the master sends a NOTIFY message to every server listed in a zone's NS records whenever that zone's serial number changes. The serial number must be incremented after modifying the zone data; otherwise slaves will never trigger a zone transfer when they receive the notify message, because they only transfer when the master's serial is higher than the one they hold.

allow-transfer { 127.0.0.1; 192.168.0.11; };
notify yes;

Restart bind

root@mns1:/etc/bind# /etc/init.d/bind9 restart
[ ok ] Restarting bind9 (via systemctl): bind9.service.
root@mns1:/etc/bind#

Check the startup messages in the daemon log:

tail -f /var/log/daemon.log
Aug 30 16:16:09 mns1 named[6640]: zone test.mka.in/IN: sending notifies (serial 6)

Also verify name resolution

dig +short rec1.test.mka.in @192.168.0.10
10.1.1.2

On the Slave DNS, 192.168.0.11

Create the directory /var/lib/bind/corp/ and make sure it is owned by the bind user, since named writes the transferred zone file there:

root@sns1:/etc/bind# ls -ld /var/lib/bind/corp/
drwxr-xr-x 2 bind bind 4096 Aug 30 14:16 /var/lib/bind/corp/

Create the zone configuration file /etc/bind/named.conf.corp-zones with the following zone definition (as on the master, named.conf must include this file):

zone "test.mka.in" {
type slave;
masters { 192.168.0.10; };
file "/var/lib/bind/corp/test.mka.in";
};

There is no need to put any zone data in /var/lib/bind/corp/test.mka.in; named writes the file itself after transferring the zone from the master.

To ensure nobody can pull a zone transfer from the slave or push dynamic updates to it, add the following lines to /etc/bind/named.conf.options:

allow-transfer { none; };
allow-update { none; };

Restart bind

root@sns1:/etc/bind# /etc/init.d/bind9 restart
[ ok ] Restarting bind9 (via systemctl): bind9.service.
root@sns1:/etc/bind#

Check the startup messages in the daemon log:

tail -f /var/log/daemon.log
Aug 30 16:16:10 sns1 named[4389]: zone test.mka.in/IN: Transfer started.
Aug 30 16:16:10 sns1 named[4389]: transfer of 'test.mka.in/IN' from 10.91.118.28#53: connected using 10.91.118.29#40581
Aug 30 16:16:10 sns1 named[4389]: zone test.mka.in/IN: transferred serial 6
Aug 30 16:16:10 sns1 named[4389]: transfer of 'test.mka.in/IN' from 10.91.118.28#53: Transfer status: success
Aug 30 16:16:10 sns1 named[4389]: transfer of 'test.mka.in/IN' from 10.91.118.28#53: Transfer completed: 1 messages, 15 records, 402 bytes, 0.002 secs (201000 bytes/sec)
Aug 30 16:16:10 sns1 named[4389]: zone test.mka.in/IN: sending notifies (serial 6)
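The master's "sending notifies (serial N)" line and the slave's "transferred serial N" line are the two facts an operator wants to compare, and the master's log is also where attempts to pull the zone from addresses outside allow-transfer show up. The script below is an added example for this page, not code from the original post or from BIND. It embeds the daemon.log lines shown above (with the truncated "ug 30" line restored) as sample input; the two "zone transfer ... denied" lines in the master log are constructed and assume the wording named uses when it rejects a client that is not in allow-transfer. The client address 198.51.100.7 is a constructed documentation address, and the function names are my own.

```python
import re
from collections import Counter, defaultdict

# Sample log lines: the mns1/sns1 lines come from this page; the two "denied"
# lines are constructed (assumption: named logs "zone transfer '<zone>/IN'
# denied" for clients that allow-transfer does not permit).
MASTER_LOG = """\
Aug 30 16:16:09 mns1 named[6640]: zone test.mka.in/IN: sending notifies (serial 6)
Aug 30 16:20:41 mns1 named[6640]: client 198.51.100.7#53211 (test.mka.in): zone transfer 'test.mka.in/IN' denied
Aug 30 16:20:42 mns1 named[6640]: client 198.51.100.7#53212 (test.mka.in): zone transfer 'test.mka.in/IN' denied
"""

SLAVE_LOG = """\
Aug 30 16:16:10 sns1 named[4389]: zone test.mka.in/IN: Transfer started.
Aug 30 16:16:10 sns1 named[4389]: transfer of 'test.mka.in/IN' from 10.91.118.28#53: connected using 10.91.118.29#40581
Aug 30 16:16:10 sns1 named[4389]: zone test.mka.in/IN: transferred serial 6
Aug 30 16:16:10 sns1 named[4389]: transfer of 'test.mka.in/IN' from 10.91.118.28#53: Transfer status: success
Aug 30 16:16:10 sns1 named[4389]: transfer of 'test.mka.in/IN' from 10.91.118.28#53: Transfer completed: 1 messages, 15 records, 402 bytes, 0.002 secs (201000 bytes/sec)
Aug 30 16:16:10 sns1 named[4389]: zone test.mka.in/IN: sending notifies (serial 6)
"""

# Syslog prefix: "Aug 30 16:16:09 mns1 named[6640]: <message>"
PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) named\[\d+\]: (.*)$")

# The named messages this audit cares about, keyed by event kind.
PATTERNS = {
    "notify":      re.compile(r"zone (\S+)/IN: sending notifies \(serial (\d+)\)"),
    "transferred": re.compile(r"zone (\S+)/IN: transferred serial (\d+)"),
    "status":      re.compile(r"transfer of '(\S+)/IN' from (\S+)#\d+: Transfer status: (.+)$"),
    "denied":      re.compile(r"client (?:@\S+ )?(\S+)#\d+ \(\S+\): zone transfer '(\S+)/IN' denied"),
}


def parse_named_log(text):
    """Return (host, kind, *fields) tuples for every recognised line."""
    events = []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        host, msg = m.groups()
        for kind, pat in PATTERNS.items():
            hit = pat.search(msg)
            if hit:
                events.append((host, kind) + hit.groups())
                break
    return events


def audit_replication(master_log, slave_log):
    """Compare the serial the master last announced with the serial each slave
    last pulled, record each slave's last transfer status and the master
    address it pulled from, and tally denied transfer attempts on the master.
    Returns (per-zone report, {client address: denied count})."""
    announced = {}                 # zone -> last serial the master sent notifies for
    pulled = defaultdict(dict)     # zone -> {slave host: serial it transferred}
    status = {}                    # (zone, slave host) -> last transfer status text
    sources = defaultdict(set)     # zone -> master addresses slaves pulled from
    denied = Counter()             # client address -> denied transfer attempts

    for host, kind, *rest in parse_named_log(master_log):
        if kind == "notify":
            announced[rest[0]] = int(rest[1])
        elif kind == "denied":
            denied[rest[0]] += 1

    for host, kind, *rest in parse_named_log(slave_log):
        if kind == "transferred":
            pulled[rest[0]][host] = int(rest[1])
        elif kind == "status":
            zone, src, text = rest
            status[(zone, host)] = text
            sources[zone].add(src)

    report = {}
    for zone, serial in announced.items():
        slaves = pulled.get(zone, {})
        report[zone] = {
            "master_serial": serial,
            "slave_serials": dict(slaves),
            # in sync only if at least one slave reported, and all match the master
            "in_sync": bool(slaves) and all(s == serial for s in slaves.values()),
            "transfer_status": {h: status.get((zone, h), "unknown") for h in slaves},
            "sources": sorted(sources[zone]),
        }
    return report, dict(denied)


if __name__ == "__main__":
    report, denied = audit_replication(MASTER_LOG, SLAVE_LOG)
    for zone, info in report.items():
        print(zone, info)
    print("denied transfer attempts by client:", denied)
```

In practice the two inputs come from the master's and the slave's daemon.log; a zone whose slave serial stays behind the announced one after the refresh interval, or a client that keeps appearing in the denied tally, is what to alert on.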

Also verify name resolution

dig +short rec1.test.mka.in @192.168.0.11
10.1.1.2