In the previous article, we discussed how to set up a BIND DNS server on Rocky Linux 8. This guide will discuss how to configure a Slave BIND DNS server on Rocky Linux 8. It is a good practice to have a secondary node in your environment for redundancy purposes and also load balancing. A slave Bind DNS server works by obtaining DNS zone information from the Master BIND DNS server through a process known as zone transfer. The steps below will guide us on how to configure a Slave BIND DNS server on Rocky Linux 8.
Lab Environment
Master DNS Server:
OS: Rocky Linux release 8.4 (Green Obsidian)
Hostname: master
IP Address: 172.29.10.4/24
Slave DNS Server:
OS: Rocky Linux release 8.4 (Green Obsidian)
Hostname: slave
IP Address: 172.29.10.12/24
Managed subnet: 172.29.10.0/24
Domain name: example.com
Configure the Master BIND DNS server
We need to configure the Master DNS server to work as a master.
Step-1: Install BIND Utilities on the Master server
Download and install BIND DNS packages
dnf install -y bind bind-chroot
Sample Output:
Step-2: Configure DNS server (named.conf)
Configure /etc/named.conf so that the named service on the master listens on port 53 on all interfaces, and add the allow-transfer and also-notify options. The IP address given in both entries is the slave server's IP: allow-transfer limits which hosts may pull the zone through a zone transfer, and also-notify (together with notify yes) makes the master tell the slave whenever the zone changes.
[root@master ~]# cat /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost; any; };
        allow-query-cache { localhost; any; };
        allow-transfer  { 172.29.10.12; };
        notify yes;
        also-notify     { 172.29.10.12; };
        recursion yes;
...
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
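As an added check, not part of the original article, the following POSIX shell script inspects a named.conf for the allow-transfer ACL set above. BIND 9.11, the version shipped with Rocky Linux 8, allows zone transfers to any host when allow-transfer is absent, so a missing ACL or one containing any means every client that can reach port 53 can copy the whole zone. The script reads named.conf on stdin, strips comments so a commented-out directive is not mistaken for a live one, and reports which of the three states it finds. The function names and return codes are my own conventions.

```shell
#!/bin/sh
# Added example (not from the original article): audit the allow-transfer ACL of a
# named.conf. Pipe the file in:  audit_transfer_acl < /etc/named.conf

# Print the body of the (last) allow-transfer statement, e.g. " 172.29.10.12; ".
# Comments (// and #) are removed first; the file is then flattened to one line so
# the statement is found even when it spans several lines.
transfer_acl() {
    sed -e 's://.*$::' -e 's:#.*$::' |
        { tr '\n' ' '; echo; } |
        sed -n 's/.*allow-transfer[[:space:]]*{\([^}]*\)}.*/\1/p'
}

# Exit status: 0 = transfers restricted to explicit addresses,
#              1 = no allow-transfer at all (BIND 9.11 default: open to any host),
#              2 = the ACL explicitly contains "any".
audit_transfer_acl() {
    acl=$(transfer_acl)
    if [ -z "$acl" ]; then
        echo "allow-transfer missing: zone transfers are open to every host"
        return 1
    fi
    case " $acl " in
        *" any; "*)
            echo "allow-transfer contains 'any': zone transfers are open to every host"
            return 2 ;;
    esac
    echo "allow-transfer restricted to:$acl"
    return 0
}
```

In this lab the expected result is "allow-transfer restricted to: 172.29.10.12;", matching the master's configuration above. Note that the check only looks at the ACL in the file; whether the address is the correct slave is still up to you.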
Next create the DNS zone entries in the file /etc/named.rfc1912.zones.
This is where you will configure the forward and reverse zones
[root@master ~]# cat "/etc/named.rfc1912.zones"
zone "example.com" IN {
type master;
file "example.com.zone";
allow-update { none; };
};
zone "10.29.172.in-addr.arpa" IN {
type master;
file "example.com.rzone";
allow-update { none; };
};
Step-3: Configure Forward Zone file on the Master server
If you followed our previous article on how to deploy a BIND DNS server on Rocky Linux, there is no need to change these files on the master server, as they are already configured.
Otherwise, create a file at /var/named/ with contents similar to this:
cat /var/named/example.com.zone
Sample Output:
Step-4: Configure Reverse zone file on the Master server
Similar to the forward zone file, this file was already configured in the previous article, where we set up a master DNS server on Rocky Linux. Always remember to increase the serial number of the forward and the reverse zone files whenever you add a new record; the slave only transfers a zone whose serial is higher than the copy it already holds.
cat /var/named/example.com.rzone
Sample Output:
Step-5: Enable Chroot environment on the master server
Enable the chroot environment to run bind in a jail environment.
[root@master ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
Verify that the name files have been mounted in the chroot environment
[root@master ~]# mount | grep chroot
/dev/mapper/rl-root on /var/named/chroot/etc/named type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/usr/lib64/bind type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,mode=755)
/dev/mapper/rl-root on /var/named/chroot/etc/localtime type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/named.root.key type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/named.conf type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/named.rfc1912.zones type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/rndc.key type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/crypto-policies/back-ends/bind.config type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/protocols type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/services type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/named type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/usr/lib64/bind type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/usr/share/GeoIP type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,mode=755)
/dev/mapper/rl-root on /var/named/chroot/var/named type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
Step-6: Verify DNS configuration on the Master server
Verify that the DNS configuration is okay on the master server by checking the forward and reverse zone files configuration.
[root@master ~]# named-checkconf -t /var/named/chroot/ /etc/named.conf
[root@master ~]# named-checkzone master.example.com /var/named/example.com.zone
zone master.example.com/IN: loaded serial 5
OK
[root@master ~]# named-checkzone master.example.com /var/named/example.com.rzone
zone master.example.com/IN: loaded serial 5
OK
Step-7: Allow DNS service on Firewall of Master server
Allow DNS service through the firewall
firewall-cmd --add-service=dns --permanent
firewall-cmd --reload
Step-8: Update DNS settings for the Master server (/etc/resolv.conf)
Update the DNS settings of the master server.
[root@master named]# echo "nameserver 172.29.10.4" >> /etc/resolv.conf
Step-9: Start and enable named-chroot service on the Master Server
Disable named service
[root@master named]# systemctl stop named
[root@master named]# systemctl disable named
Start and enable the chroot bind service (named-chroot.service) on the master server.
[root@master ~]# systemctl enable --now named-chroot
Verify that the service has started and is running
[root@master named]# systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2021-08-10 07:34:32 EAT; 42s ago
Process: 1837 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 1955 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
Process: 1952 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (cod>
Main PID: 1956 (named)
Tasks: 7 (limit: 4942)
Memory: 58.8M
CGroup: /system.slice/named-chroot.service
└─1956 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot
Aug 10 07:34:32 master named[1956]: zone example.com/IN: loaded serial 5
Aug 10 07:34:32 master named[1956]: zone localhost.localdomain/IN: loaded serial 0
Aug 10 07:34:32 master named[1956]: zone localhost/IN: loaded serial 0
Aug 10 07:34:32 master named[1956]: all zones loaded
Aug 10 07:34:32 master named[1956]: running
Aug 10 07:34:32 master named[1956]: zone 10.29.172.in-addr.arpa/IN: sending notifies (serial 5)
Aug 10 07:34:32 master named[1956]: zone example.com/IN: sending notifies (serial 5)
Aug 10 07:34:32 master systemd[1]: Started Berkeley Internet Name Domain (DNS).
Aug 10 07:34:42 master named[1956]: resolver priming query complete
Configure Slave DNS server
With the primary server configured, let us proceed to the secondary server.
Step-10: Install BIND RPM packages
Install Bind RPM files on the slave server.
[root@slave ~]# dnf install -y bind bind-chroot
Sample Output:
Step-11: Configure named.conf for the Slave server
Configure the /etc/named.conf file on the slave server so that named listens on port 53 on the slave's own IP address; the slave role itself is assigned per zone in the next step.
[root@slave ~]# cat /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; 172.29.10.12; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost; any; };
        recursion yes;
        dnssec-enable yes;
....
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Step-12: Configure DNS zones on the slave server
Configure the DNS zones in the /etc/named.rfc1912.zones file.
[root@slave ~]# cat /etc/named.rfc1912.zones
.....
zone "example.com" IN {
type slave;
masters { 172.29.10.4; };
file "slaves/example.com.zone";
};
zone "10.29.172.in-addr.arpa" IN {
type slave;
masters { 172.29.10.4; };
file "slaves/example.com.rzone";
};
In the above configuration we have specified the forward and reverse zones with type slave, so the server obtains the zone data from the primary through zone transfer; the masters statement is where the master's IP is given. The transferred zone files are saved under /var/named/slaves (the "slaves/" prefix in the file statements), as opposed to the primary node, whose files are kept directly in /var/named.
Step-13: Enable chroot environment for the slave server
Enable the chroot environment for the slave server to allow the bind service to run in jail mode.
[root@slave ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
Verify that the named files have been mounted in chroot.
[root@slave named]# mount | grep chroot
/dev/mapper/rl-root on /var/named/chroot/etc/localtime type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/named.root.key type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/named.conf type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/named.rfc1912.zones type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/rndc.key type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/crypto-policies/back-ends/bind.config type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/protocols type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/services type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/named type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/usr/lib64/bind type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/usr/share/GeoIP type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,mode=755)
/dev/mapper/rl-root on /var/named/chroot/var/named type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
Step-14: Verify DNS configuration and start service
Verify that the DNS configuration is valid.
[root@slave ~]# named-checkconf -t /var/named/chroot/ /etc/named.conf
Add the primary and secondary DNS servers to the /etc/resolv.conf file of the slave server.
[root@slave ~]# cat /etc/resolv.conf
nameserver 172.29.10.4 #master
nameserver 172.29.10.12 #slave
Stop the default named service
[root@slave named]# systemctl stop named
[root@slave named]# systemctl disable named
Start the named-chroot service
[root@slave ~]# systemctl start named-chroot
Verify that the slave server has obtained zone files from the master
[root@slave ~]# ls -l /var/named/slaves/
total 8
-rw-r--r-- 1 named named 510 Aug 10 05:31 example.com.rzone
-rw-r--r-- 1 named named 430 Aug 10 05:31 example.com.zone
Verify Master-Slave replication
To verify that there is replication between the master and the slave, we can check the logs on the slave server to see if it is getting notifications from the master node.
[root@slave ~]# tail /var/named/data/named.run
managed-keys-zone: loaded serial 3
zone 0.in-addr.arpa/IN: loaded serial 0
zone 10.29.172.in-addr.arpa/IN: loaded serial 5
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone example.com/IN: loaded serial 5
zone localhost.localdomain/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone localhost/IN: loaded serial 0
all zones loaded
running
The above output shows that the slave node has loaded the zone files from the primary node as indicated by the serial number.
We can also test by adding a record (labserver) on the primary server and bumping the zone serial from 5 to 6, so that the slave picks up the change:
[root@master ~]# vim /var/named/example.com.zone
$TTL 1D
@ IN SOA example.com root (
6 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS localhost
localhost IN A 127.0.0.1
ns-master IN A 172.29.10.4
server1 IN A 172.29.10.5
server2 IN A 172.29.10.6
slave IN A 172.29.10.12
labserver IN A 172.29.10.50
Reload the named service
[root@master ~]# systemctl reload named-chroot
Proceed to the slave node and verify if the zone updates have been recorded.
[root@slave ~]# tail /var/named/data/named.run
client 172.29.10.12#953: received notify for zone 'example.com'
zone example.com/IN: Transfer started.
transfer of 'example.com/IN' from 172.29.10.4#53: connected using 172.29.10.12#44589
zone example.com/IN: transferred serial 6
transfer of 'example.com/IN' from 172.29.10.4#53: Transfer completed: 1 messages, 7 records, 280 bytes, 0.003 secs (127500 bytes/sec)
zone example.com/IN: sending notifies (serial 6)
We can then test from the slave server to verify if we can query the record:
[root@slave ~]# dig labserver.example.com.
; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> labserver.example.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28493
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 3412e77c7f3a38b60d8d955961113cf8ae9a72aa5461e69c (good)
;; QUESTION SECTION:
;labserver.example.com. IN A
;; ANSWER SECTION:
labserver.example.com. 86400 IN A 172.29.10.50
;; AUTHORITY SECTION:
example.com. 86400 IN NS ns-master.example.com.
example.com. 86400 IN NS slave.example.com.
;; ADDITIONAL SECTION:
ns-master.example.com. 86400 IN A 172.29.10.4
slave.example.com. 86400 IN A 172.29.10.12
;; Query time: 1 msec
;; SERVER: 172.29.10.12#53(172.29.10.12)
;; WHEN: Mon Aug 10 09:34:32 EAT 2021
;; MSG SIZE rcvd: 170
The above output confirms that replication is working.
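The two checks above (the "transferred serial" lines in the slave's named.run and the dig query against the slave) can be folded into one health check. The POSIX shell script below is an added example and not part of the original article: it compares the SOA serial served by the master and the slave, extracts the last transferred serial from a named.run log, and distinguishes a slave that is behind (lost notify, refused or pending transfer) from one that is ahead (the master's serial was lowered, a common mistake after hand-editing a zone, after which the slave never refreshes). Addresses and the zone name are the article's lab values; the sample log is constructed to mirror the output shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): master/slave replication health check
# for the lab above. Run "sh check-replication.sh live" to query the real servers.

MASTER=172.29.10.4
SLAVE=172.29.10.12
ZONE=example.com

# The serial is the third field of a "dig +short <zone> SOA" answer line, e.g.
# "ns-master.example.com. root.example.com. 6 86400 3600 604800 10800" (constructed).
soa_serial() {
    printf '%s\n' "$1" | awk '{print $3}'
}

# Print the serial of the most recent completed transfer for a zone from a named.run
# log read on stdin ("zone example.com/IN: transferred serial 6"); prints nothing
# when the zone never transferred. The zone name is used as an awk regex, so a dot
# matches any character, which is acceptable for this purpose.
last_transferred_serial() {
    awk -v zone="$1" '$0 ~ ("zone " zone "/IN: transferred serial") { s = $NF }
                      END { if (s != "") print s }'
}

# Exit status: 0 = serials equal; 1 = slave behind (notify lost, transfer refused by
# allow-transfer, or still pending); 2 = slave ahead (master serial went backwards:
# the slave will not refresh until the master's serial exceeds the slave's copy).
compare_serials() {
    if [ "$1" -eq "$2" ]; then return 0
    elif [ "$1" -gt "$2" ]; then return 1
    else return 2
    fi
}

# Constructed sample of the slave's named.run after the master's reload, mirroring
# the article's output; used for the offline demonstration at the bottom.
sample_log() {
cat <<'EOF'
client 172.29.10.12#953: received notify for zone 'example.com'
zone example.com/IN: Transfer started.
transfer of 'example.com/IN' from 172.29.10.4#53: connected using 172.29.10.12#44589
zone example.com/IN: transferred serial 6
zone example.com/IN: sending notifies (serial 6)
EOF
}

# Live check against the real servers; needs dig (bind-utils) and network reachability.
check_live() {
    m=$(soa_serial "$(dig +short @"$MASTER" "$ZONE" SOA)")
    s=$(soa_serial "$(dig +short @"$SLAVE" "$ZONE" SOA)")
    if [ -z "$m" ] || [ -z "$s" ]; then
        echo "could not fetch the SOA from master ($m) or slave ($s)"
        return 3
    fi
    if compare_serials "$m" "$s"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "in sync: serial $m on master and slave" ;;
        1) echo "slave behind: master $m, slave $s; check notify/transfer lines in named.run" ;;
        2) echo "slave AHEAD: master $m, slave $s; the master serial went backwards" ;;
    esac
    return "$rc"
}

# Offline demonstration on the constructed log: the last transfer carried serial 6,
# matching the serial in the article's updated zone file.
echo "last transferred serial in sample log: $(sample_log | last_transferred_serial "$ZONE")"

if [ "${1-}" = live ]; then check_live; fi
```

On the slave, the live mode is the quickest way to tell whether the "sending notifies" line on the master actually resulted in a transfer: a serial mismatch plus no "transferred serial" line in /var/named/data/named.run points at allow-transfer or the firewall on the master rather than at the zone file.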
Summary
In the above guide, we have demonstrated how to set up Master-Slave BIND DNS replication on Rocky Linux 8. I hope the guide is comprehensive enough. Feel free to reach out in case of any issue with the deployment.