Introduction

This lab provides you with the instructions and practical experience to configure a name server as a slave for any zones that your primary master nameserver is authoritative for. When configuring a slave zone, there is no need to create the backup zone datafile: the name server will write the backup data after it has transferred the zone from the master name server that you designated. We will set up a slave name server for the master primary, ns.csait.ca at 10.100.1.150. This lab also continues to use dig and other tools to transfer zones, find out who is authoritative for a zone and to trace name resolution. Use the rndc command to dump our database and use rndc to flush the cached information.

Pre Lab Requirements:

You are responsible for reading and understanding DNS in the BSD Handbook

Sample of a slave zone in /etc/namedb/named.conf:

                zone "bar.example" {
                    type slave;
                    masters { IP address };
                    file "bak.bar.example";
                    optional settings;

                };

The most basic DNS lookup tool, is called host, if you run host www.mohawkcollege.ca it will return the ip address(es) of the website [A Records]
The host command also works in reverse, if you run host 142.222.6.1 it will return the name(s) associated with that IP address [PTR records]
There are more advanced DNS query tools, such as dig, this command returns more verbose output, as well as any additional records such as the NS records
If we wanted to know which servers control mail for mohawkcollege, we could run: dig mohawkcollege.ca MX
Other valid record types you can query with the dig tool are: A, AAAA, ANY, CNAME, MX, NS, PTR, SOA, SRV, and TXT (See the handbook for definitions)
Dig also allows you to specify a non-default DNS server to use for your query, instead of reading /etc/resolv.conf, to do this: dig @142.222.125.21 name TYPE
Transferring a zone using dig: dig @ns1.foo.example axfr foo.example
Checking a zone's delegation using dig : dig +trace cnn.com
Tracing name resolution using dig: dig @a.root-servers.net www.oreilly.com +norec
rndc command to flush your DNS cache
rndc to dump your database

Configuring a Name Server as a Slave for a Zone

Setup your /etc/resolv.conf so that your domain is csait.ca

/etc/resolve.conf will be overwritten by the dhcp server everytime it refreshes and we need to apply a work around. Edit the /etc/dhclient.conf and add this line prepend domain-name-servers 127.0.0.1;
for more information you can do a man on dhclient.conf

Enable "named" in /etc/rc.conf
The first time you start named, it needs to create some files, to do this, we use the command: /etc/rc.d/named forcestart
Any time after this, we can use the regular "start" and "stop" commands
Every time you change a config file, or a zone file (later) you must do: /etc/rc.d/named reload for it to load the changed files
The configuration directory for bind is /etc/namedb, and the main config file is named.conf in that directory
Go back to the /etc/resolv.conf and set your name server to 127.0.0.1
Now edit the BIND config file, and set the "forwarder" setting to 10.100.1.150, in the "options" block
Continuing to edit the config file, and using the example for slave forward and reverse zones, change the entries to reflect our csait.ca zone. Point your slave to 10.100.1.150 (your primary master). The filename should be meaningful and reflect the name of the zone that you are secondary for.
Check the entries in your named.conf file to make sure that there is a "." (root) zone defined and pointing to named.root (as a slave) and the 127.0.0.1 reverse zone configured.
Before applying your changes with the "restart" command, run tail -f /var/log/messages and tcpdump to watch for errors and to confirm a successful zone transfer
Tell named to "reload" its database files
If all goes well, your name server will query the master name server and initiate a zone transfer - check the log files to confirm
Whenever you apply new settings, you should check the log file /var/log/messages for problems with your changes
If your zone transfer was successful you should have a new zone file (whatever you named it in the named.conf file), under the slave directory. This zone file should contain all of the preconfigured DNS information that has been defined by the primary/master nameserver

Testing and Troubleshooting DNS:

Run tcpdump -n -p -s0 in another terminal while doing some queries (man tcpdump for explainations of switches)
Use dig or host or any type of query to confiirm that you have your nameserver configured properly
Use the dig command to transfer a zone.
Run host FQDN.of.you.choice while capturing packets with tcpdump, and answer these questions
Run the dig +trace command on a domain name and determine when a recursive query is used and when iterative queries are used.
Trace name resolution for a domain, starting at a root server and designate "no recursive", using the "authority section" send your next query to one of the name servers who has authority
Use the rndc command to flush your cache and test to see if it worked.
Dump cached database with rndc dumpdb command.
You can also run the rndc command with the dumpdb argument to look at the contents of the cache.

rndc dumpdb
the results will be in the /var/named/var/dump directory

Questions:

What nameserver was queried first?

What type of query was made?

What was the response from the nameserver?

Is your name server still caching information and how do you know?

How often does your slave nameserver initiate a zone transfer from its master? Where do you find this information?

Will the slave automatically transfer the database from the master at the next scheduled time?

Is the slave name server authoritative for this zone?

Can we transfer a zone from any name server?

Last updated: 2010-03-18
Written by: Cheri Weaver