Setup Master Slave BIND DNS server Rocky Linux 8 [Step-by-Step]



In the previous article, we discussed how to set up a BIND DNS server on Rocky Linux 8. This guide covers how to configure a slave BIND DNS server on Rocky Linux 8. It is good practice to have a secondary node in your environment for redundancy and load balancing. A slave BIND DNS server obtains the DNS zone data from the master BIND DNS server through a process known as zone transfer. The steps below walk through configuring a slave BIND DNS server on Rocky Linux 8.


Lab Environment

Master DNS Server:
OS: Rocky Linux release 8.4 (Green Obsidian)
Hostname: master
IP Address: 172.29.10.4/24

Slave DNS Server:
OS: Rocky Linux release 8.4 (Green Obsidian)
Hostname: slave
IP Address: 172.29.10.12/24

Managed subnet: 172.29.10.0/24
Domain name: example.com


Configure the Master Slave BIND DNS server

First we configure the master DNS server so that it acts as the primary for our zones.


Step-1: Install BIND Utilities on the Master server

Download and install BIND DNS packages

dnf install -y bind bind-chroot

Sample output: (installation screenshot omitted)


Step-2: Configure DNS server (named.conf)

Configure /etc/named.conf so that the named service on the master listens on port 53 on any interface, and add the allow-transfer and also-notify options to the file. The IP address given in both entries is the slave server's: allow-transfer limits zone transfers to that host, and also-notify makes the master send it a NOTIFY whenever a zone changes.

[root@master ~]# cat /etc/named.conf

options {
        listen-on port 53 { 127.0.0.1; any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost; any; };
        allow-query-cache { localhost; any; };
        allow-transfer  { 172.29.10.12; };
        notify  yes;
        also-notify { 172.29.10.12; };

        recursion yes;

...

include "/etc/named.rfc1912.zones"; 
include "/etc/named.root.key";

Next, create the DNS zone entries in the file /etc/named.rfc1912.zones. This is where you configure the forward and reverse zones:

[root@master ~]# cat "/etc/named.rfc1912.zones"

zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { none; };
};

zone "10.29.172.in-addr.arpa" IN {
        type master;
        file "example.com.rzone";
        allow-update { none; };
};


Step-3: Configure Forward Zone file on the Master server

If you followed our previous article on how to deploy a BIND DNS server on Rocky Linux, there is no need to change these files on the master server, as they are already configured.

Otherwise, create a file under /var/named/ with contents similar to this:

cat /var/named/example.com.zone

Sample output: (forward zone file screenshot omitted)


Step-4: Configure Reverse zone file on the Master server

Similar to the forward zone file, this file has already been configured in the previous article, where we set up a master DNS server on Rocky Linux. Always remember to increment the serial number in the forward and reverse zone files whenever you add a new record; the slave only transfers a zone whose serial is higher than the copy it already holds.

cat /var/named/example.com.rzone

Sample output: (reverse zone file screenshot omitted)


Step-5: Enable Chroot environment on the master server

Enable the chroot environment to run bind in a jail environment.

[root@master ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on

Verify that the named configuration files have been bind-mounted into the chroot:

[root@master ~]# mount | grep chroot
/dev/mapper/rl-root on /var/named/chroot/etc/named type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/usr/lib64/bind type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,mode=755)
/dev/mapper/rl-root on /var/named/chroot/etc/localtime type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/named.root.key type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/named.conf type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/named.rfc1912.zones type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/rndc.key type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/crypto-policies/back-ends/bind.config type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/protocols type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/services type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/named type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/usr/lib64/bind type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/usr/share/GeoIP type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,mode=755)
/dev/mapper/rl-root on /var/named/chroot/var/named type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)


Step-6: Verify DNS configuration on the Master server

Verify that the DNS configuration is okay on the master server by checking the forward and reverse zone files configuration.

[root@master ~]# named-checkconf -t /var/named/chroot/ /etc/named.conf

[root@master ~]# named-checkzone example.com /var/named/example.com.zone
zone example.com/IN: loaded serial 5
OK

[root@master ~]# named-checkzone 10.29.172.in-addr.arpa /var/named/example.com.rzone
zone 10.29.172.in-addr.arpa/IN: loaded serial 5
OK


Step-7: Allow DNS service on Firewall of Master server

Allow DNS service through the firewall

firewall-cmd --add-service=dns --permanent
firewall-cmd --reload


Step-8: Update DNS settings for the Master server (/etc/resolv.conf)

Update the DNS settings of the master server.

[root@master named]# echo "nameserver 172.29.10.4" >> /etc/resolv.conf


Step-9: Start and enable named-chroot service on the Master Server

Stop and disable the default named service, since named-chroot replaces it:

[root@master named]# systemctl stop named
[root@master named]# systemctl disable named

Start and enable the chroot bind service (named-chroot.service) on the master server.

[root@master ~]# systemctl enable --now named-chroot

Verify that the service has started and is running

[root@master named]# systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-08-10 07:34:32 EAT; 42s ago
  Process: 1837 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 1955 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 1952 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (cod>
 Main PID: 1956 (named)
    Tasks: 7 (limit: 4942)
   Memory: 58.8M
   CGroup: /system.slice/named-chroot.service
           └─1956 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot

Aug 10 07:34:32 master named[1956]: zone example.com/IN: loaded serial 5
Aug 10 07:34:32 master named[1956]: zone localhost.localdomain/IN: loaded serial 0
Aug 10 07:34:32 master named[1956]: zone localhost/IN: loaded serial 0
Aug 10 07:34:32 master named[1956]: all zones loaded
Aug 10 07:34:32 master named[1956]: running
Aug 10 07:34:32 master named[1956]: zone 10.29.172.in-addr.arpa/IN: sending notifies (serial 5)
Aug 10 07:34:32 master named[1956]: zone example.com/IN: sending notifies (serial 5)
Aug 10 07:34:32 master systemd[1]: Started Berkeley Internet Name Domain (DNS).
Aug 10 07:34:42 master named[1956]: resolver priming query complete


Configure Slave DNS server

With the primary server configured, let us proceed to the secondary server.


Step-10: Install BIND RPM packages

Install Bind RPM files on the slave server.

[root@slave ~]# dnf install -y bind bind-chroot

Sample output: (installation screenshot omitted)


Step-11: Configure named.conf for the Slave server

Configure the /etc/named.conf file on the slave server so that named binds port 53 on the slave's own IP address. The slave role itself is assigned per zone in the next step.

[root@slave ~]# cat /etc/named.conf

options {
        listen-on port 53 { 127.0.0.1; 172.29.10.12; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost; any; };
        
        recursion yes;

        dnssec-enable yes;
....

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


Step-12: Configure DNS zones on the slave server

Configure the DNS zones in the /etc/named.rfc1912.zones file.

[root@slave ~]# cat /etc/named.rfc1912.zones
.....
zone "example.com" IN {
        type slave;
        masters { 172.29.10.4; };
        file "slaves/example.com.zone";
};

zone "10.29.172.in-addr.arpa" IN {
        type slave;
        masters { 172.29.10.4; };
        file "slaves/example.com.rzone";
};

In the above configuration, we have specified the forward and reverse zones and set each zone's type to slave, so the server obtains the zone data from the primary server whose IP is given in the masters statement. On the slave the transferred zone files are saved under /var/named/slaves, whereas on the primary node they live in /var/named.


Step-13: Enable chroot environment for the slave server

Enable the chroot environment for the slave server to allow the bind service to run in jail mode.

[root@slave ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on

Verify that the named files have been mounted in chroot.

[root@slave named]# mount | grep chroot
/dev/mapper/rl-root on /var/named/chroot/etc/localtime type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/named.root.key type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/named.conf type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/named.rfc1912.zones type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/rndc.key type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/crypto-policies/back-ends/bind.config type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/protocols type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/services type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/etc/named type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/usr/lib64/bind type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/mapper/rl-root on /var/named/chroot/usr/share/GeoIP type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,mode=755)
/dev/mapper/rl-root on /var/named/chroot/var/named type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)


Step-14: Verify DNS configuration and start service

Verify that the DNS configuration is valid.

[root@slave ~]# named-checkconf -t /var/named/chroot/ /etc/named.conf

Add the primary and secondary DNS servers to the /etc/resolv.conf file of the slave server.

[root@slave ~]# cat /etc/resolv.conf
nameserver 172.29.10.4 #master
nameserver 172.29.10.12 #slave

Stop the default named service

[root@slave named]# systemctl stop named
[root@slave named]# systemctl disable named

Start the named-chroot service

[root@slave ~]# systemctl start named-chroot

Verify that the slave server has obtained zone files from the master

[root@slave ~]# ls -l /var/named/slaves/
total 8
-rw-r--r-- 1 named named 510 Aug 10 05:31 example.com.rzone
-rw-r--r-- 1 named named 430 Aug 10 05:31 example.com.zone


Verify Master-Slave replication

To verify that there is replication between the master and the slave, we can check the logs on the slave server to see if it is getting notifications from the master node.

[root@slave ~]# tail /var/named/data/named.run
managed-keys-zone: loaded serial 3
zone 0.in-addr.arpa/IN: loaded serial 0
zone 10.29.172.in-addr.arpa/IN: loaded serial 5
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone example.com/IN: loaded serial 5
zone localhost.localdomain/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone localhost/IN: loaded serial 0
all zones loaded
running

The above output shows that the slave node has loaded the zone files from the primary node, as indicated by the serial number (5), which matches the master's.

We can also test by updating a record on the primary server.

[root@master ~]# vim /var/named/example.com.zone
$TTL 1D
@       IN SOA  ns-master.example.com. root.example.com. (
                                6       ; serial (incremented from 5 for the new record)
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
        IN  NS  ns-master.example.com.
        IN  NS  slave.example.com.
localhost       IN A    127.0.0.1
ns-master       IN A    172.29.10.4
server1         IN A    172.29.10.5
server2         IN A    172.29.10.6
slave           IN A    172.29.10.12
labserver       IN A    172.29.10.50

Reload the named service

[root@master ~]# systemctl reload named-chroot

Proceed to the slave node and verify if the zone updates have been recorded.

[root@slave ~]# tail /var/named/data/named.run
client 172.29.10.12#953: received notify for zone 'example.com'
zone example.com/IN: Transfer started.
transfer of 'example.com/IN' from 172.29.10.4#53: connected using 172.29.10.12#44589
zone example.com/IN: transferred serial 6
transfer of 'example.com/IN' from 172.29.10.4#53: Transfer completed: 1 messages, 7 records, 280 bytes, 0.003 secs (127500 bytes/sec)
zone example.com/IN: sending notifies (serial 6)

We can then test from the slave server to verify if we can query the record:

[root@slave ~]# dig labserver.example.com.

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> labserver.example.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28493
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 3412e77c7f3a38b60d8d955961113cf8ae9a72aa5461e69c (good)
;; QUESTION SECTION:
;labserver.example.com.	IN	A

;; ANSWER SECTION:
labserver.example.com. 86400 IN	A	172.29.10.50

;; AUTHORITY SECTION:
example.com.	86400	IN	NS	ns-master.example.com.
example.com.	86400	IN	NS	slave.example.com.

;; ADDITIONAL SECTION:
ns-master.example.com.	86400	IN	A	172.29.10.4
slave.example.com.	86400	IN	A	172.29.10.12

;; Query time: 1 msec
;; SERVER: 172.29.10.12#53(172.29.10.12)
;; WHEN: Mon Aug 10 09:34:32 EAT 2021
;; MSG SIZE  rcvd: 170

The above output confirms that replication is working.
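Two things are worth checking on a regular basis after this setup: that the slave serves the same SOA serial as the master, and that the allow-transfer ACL from Step 2 really refuses AXFR to any host other than the slave. The script below is an added example, not part of the original article; it assumes dig is installed and uses the lab's addresses and zone as defaults (override with MASTER, SLAVE and ZONE).

```shell
#!/bin/sh
# Added example (not from the original article): confirm the slave carries the
# same SOA serial as the master and that the master's allow-transfer ACL
# refuses AXFR to hosts other than the slave. Defaults are the article's lab.
MASTER=${MASTER:-172.29.10.4}
SLAVE=${SLAVE:-172.29.10.12}
ZONE=${ZONE:-example.com}

# Serial is the third field of a `dig +short <zone> SOA` answer line, e.g.
# "ns-master.example.com. root.example.com. 6 86400 3600 604800 10800".
soa_serial() {
    set -- $1
    printf '%s\n' "$3"
}

# Exit 0 only when both serials are present and identical.
serials_in_sync() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Classify dig's AXFR output: "; Transfer failed." is what dig prints when the
# server answers REFUSED; ";; XFR size:" appears only when a zone was sent.
axfr_result() {
    case $1 in
        *"Transfer failed."*) echo refused ;;
        *"XFR size:"*)        echo allowed ;;
        *)                    echo unknown ;;
    esac
}

# Live checks: need dig and network reachability to both servers.
check_replication() {
    m=$(soa_serial "$(dig +short @"$MASTER" "$ZONE" SOA)")
    s=$(soa_serial "$(dig +short @"$SLAVE" "$ZONE" SOA)")
    if serials_in_sync "$m" "$s"; then
        echo "OK: master and slave both serve $ZONE serial $m"
    else
        echo "WARN: master serial '$m', slave serial '$s' (slave out of date?)"
        return 1
    fi
    # Run from any host except 172.29.10.12: the expected result is "refused".
    # "allowed" means allow-transfer is wider than { 172.29.10.12; }.
    r=$(axfr_result "$(dig @"$MASTER" "$ZONE" AXFR +time=3 2>&1)")
    echo "AXFR of $ZONE from this host against $MASTER: $r"
    [ "$r" = refused ]
}

# Only run the live checks when invoked with --live (e.g. ./check.sh --live).
if [ "${1:-}" = "--live" ]; then check_replication; fi
```

Run it from a host that is not the slave: a serial mismatch that persists beyond the refresh interval, or an "allowed" transfer result, means the replication or the transfer ACL needs attention.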

 

Summary

In the above guide, we have demonstrated how to set up a Master Slave BIND DNS replication on Rocky Linux 8. I hope the guide is comprehensive enough. Feel free to reach out in case of any issue with the deployment.

Deepak Prasad
