How To Configure Slave DNS (BIND) on CentOS 7 / RHEL 7

BIND can be configured as a master or a slave to serve DNS requests for each zone. When BIND is configured as a slave, it obtains a copy of the zone data from the master server by using a zone transfer.

In the previous post, we configured a DNS server on CentOS 7, which will act as the source (master) for the slave server.

Environment

Domain Name: itzgeek.local
primary.itzgeek.local 192.168.1.10 Master DNS Server
secondary.itzgeek.local 192.168.1.20 Slave DNS Server

In this setup, we have two servers named primary and secondary. The primary has already been configured as the master for the itzgeek.local domain.

Now we will configure secondary as a slave DNS server for itzgeek.local.

On Master Server

Configure BIND on the master server to allow zone transfers to the secondary server by editing the /etc/named.conf file on primary.itzgeek.local.

vi /etc/named.conf

Add the following entries to the options block. Only the servers listed in allow-transfer will be able to transfer zones from the master server; also-notify makes the master send a NOTIFY to the slave whenever the zone changes, so the slave pulls the update promptly instead of waiting for its refresh timer.

options {

        .    .    .

        allow-transfer { 192.168.1.20; };
        also-notify { 192.168.1.20; };

        .    .    .
}

Add your secondary DNS server's records to the forward lookup zone file on primary.itzgeek.local.

vi /var/named/fwd.itzgeek.local.db

The records will look like the below.

@   IN  SOA     primary.itzgeek.local. root.itzgeek.local. (
                                                1002    ;Serial
                                                3H      ;Refresh
                                                15M     ;Retry
                                                1W      ;Expire
                                                1D      ;Minimum TTL
                                                )

;Name Server Information
@      IN  NS      primary.itzgeek.local.

;Secondary Name server
@      IN  NS      secondary.itzgeek.local.

;IP address of Primary Name Server
primary IN  A       192.168.1.10

;IP address of Secondary Name Server
secondary IN A      192.168.1.20

;Mail exchanger
itzgeek.local. IN  MX 10   mail.itzgeek.local.

;A - Record HostName To IP Address
www     IN  A       192.168.1.100
mail    IN  A       192.168.1.150

;CNAME record
ftp     IN CNAME        www.itzgeek.local.

Restart BIND service.

systemctl restart named

Add an allow rule in the firewall so that zone transfers from the master server can get through (zone transfers use TCP port 53).

firewall-cmd --permanent --add-port=53/tcp

firewall-cmd --reload

On Slave Server

It is time to add the slave zone declarations on the secondary server. Make sure you install the following packages on the secondary server first.

yum -y install bind bind-utils

Edit the /etc/named.conf file. Comment out the following lines so that BIND listens on all interfaces.

// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };

Add your network to the following line. I've added 192.168.1.0/24 so that clients on the 192.168.1.0/24 network can query the DNS server for name-to-IP translation.

options {

        .    .    .

        allow-query     { localhost; 192.168.1.0/24; };

        .    .    .
}

Add the slave zones (forward and reverse) like below.

zone "itzgeek.local" IN {
        type slave;
        masters { 192.168.1.10; };
        file "slaves/fwd.itzgeek.local.db";
};


zone "1.168.192.in-addr.arpa" IN {
       type slave;
       masters { 192.168.1.10; };
       file "slaves/1.168.192.db";
};

itzgeek.local                         Domain name
slave                                 Secondary DNS
fwd.itzgeek.local.db & 1.168.192.db   Slave forward & reverse lookup files

Restart the BIND service on secondary.itzgeek.local.

systemctl restart named

Add an allow rule in the firewall so that clients can connect to the DNS server for name resolution.

firewall-cmd --permanent --add-port=53/udp

firewall-cmd --reload

Verify the lookup for www.itzgeek.local using secondary.itzgeek.local (192.168.1.20).

[root@client ~]# dig @192.168.1.20 www.itzgeek.local

Output:

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> @192.168.1.20 www.itzgeek.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5314
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.itzgeek.local.             IN      A

;; ANSWER SECTION:
www.itzgeek.local.      604800  IN      A       192.168.1.100

;; AUTHORITY SECTION:
itzgeek.local.          604800  IN      NS      secondary.itzgeek.local.
itzgeek.local.          604800  IN      NS      primary.itzgeek.local.

;; ADDITIONAL SECTION:
primary.itzgeek.local.  604800  IN      A       192.168.1.10
secondary.itzgeek.local. 604800 IN      A       192.168.1.20

;; Query time: 0 msec
;; SERVER: 192.168.1.20#53(192.168.1.20)
;; WHEN: Wed Jul 17 21:53:45 IST 2019
;; MSG SIZE  rcvd: 140

Record Update

Whenever you change a DNS record on the master server, do not forget to increment the serial number in the zone file, and then run the following command on the master server to reload the zone. A slave only pulls a new copy when the master's serial is higher than the one it already holds, so a forgotten serial bump leaves the slave answering with stale data.

Replace itzgeek.local and 1.168.192.in-addr.arpa with your zone names.

### Forward Zone ###

rndc reload itzgeek.local

### Reverse Zone ###

rndc reload 1.168.192.in-addr.arpa
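As an added example covering both the dig verification above and the serial-then-reload procedure in this section (my code, not from the post): a small POSIX shell helper that bumps the serial, validates the zone with named-checkzone, reloads it with rndc, and then compares the SOA serial the slave answers with. It assumes the ";Serial" comment convention of the page's zone file and the lab addresses above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the zone file keeps its
# serial on a "<number> ;Serial" line like fwd.itzgeek.local.db above, and
# that rndc, dig and named-checkzone exist on the master.
SLAVE=192.168.1.20   # secondary.itzgeek.local from the page

# Print the serial on the ";Serial" line of a zone file (first number on it).
current_serial() {
    awk '/;Serial/ { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$1"
}

# Increment that serial in place and print the new value. A slave only pulls a
# transfer when the master's serial is higher, so a forgotten bump leaves the
# two servers silently answering differently.
bump_serial() {
    old=$(current_serial "$1")
    [ -n "$old" ] || { echo "no ';Serial' line in $1" >&2; return 1; }
    new=$((old + 1))
    sed "s/^\([[:space:]]*\)$old\([[:space:]]*;Serial\)/\1$new\2/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1" && echo "$new"
}

# Serial field (3rd) of a "dig +short SOA" answer read from stdin.
soa_serial() { awk '{ print $3; exit }'; }

# Bump, syntax-check, reload, then confirm the slave now serves the same serial.
update_zone() {   # $1 zone name, $2 zone file on the master
    new=$(bump_serial "$2") || return 1
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2" || return 1   # never reload a broken zone
    fi
    rndc reload "$1" || return 1
    sleep 5                                     # give NOTIFY + AXFR a moment
    got=$(dig +short @"$SLAVE" "$1" SOA | soa_serial)
    [ "$got" = "$new" ] && echo "slave in sync at serial $new" \
        || { echo "slave serial '$got' != master serial $new" >&2; return 1; }
}
# Transfer exposure check: from a host NOT listed in allow-transfer, an AXFR
# must fail. Run it against $SLAVE too: the slave config above sets no
# allow-transfer, and the BIND 9 shipped with CentOS 7 then allows it to any.
axfr_refused() { dig @"$1" "$2" AXFR | grep -q 'Transfer failed'; }   # $1 host, $2 zone

if [ "$#" -eq 2 ]; then
    update_zone "$1" "$2"
else   # no arguments: demo on a constructed SOA snippet, no DNS server needed
    demo=$(mktemp)
    printf '@ IN SOA primary.itzgeek.local. root.itzgeek.local. (\n\t1002\t;Serial\n\t3H\t;Refresh )\n' > "$demo"
    echo "before: $(current_serial "$demo")  after: $(bump_serial "$demo")"
    rm -f "$demo"
fi
```

Run it on the master as `sh update.sh itzgeek.local /var/named/fwd.itzgeek.local.db` after editing a record; `axfr_refused 192.168.1.10 itzgeek.local` from a client should succeed (i.e. the transfer is refused) if allow-transfer is correct.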

Conclusion

That's all. I hope you learned how to set up a slave DNS server on CentOS 7 / RHEL 7.

Comments (4)
  • abhiehc

    This works 100%. Thanks!

  • BorgOvermind .

    I have tried setting up a secondary DNS and I encounter 2 problems:

    1. On the primary server, if I add the “@ IN NS secondary.my.local.” I get “Job for named.service failed because the control process exited with error code. See “systemctl status named.service” and “journalctl -xe” for details.” Details of the error: “Unit named.service entered failed state.
    named.service failed.
    Unregistered Authentication Agent for unix-process:2158:443406196 (system bus name :1.2505, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)”

    2. On digging with @secondaryIP gives me a timeout. (But slave zone files do get transferred and appear on the secondary server).

    • ITzGeek Web

      You should get answer when you query slave server as well.
      Make sure the service is running on the slave, and the configuration has the allow-query parameter set for your network.

      • BorgOvermind .

        Services are running, query is allowed. If I run a check from MXtools I get “Local NS list does not match Parent NS list” for the slave DNS and “At least one name server failed to respond in a timely manner”.