Fake DNS Realm

From Linux NFS

Revision as of 02:37, 1 March 2012 by Weston Andros Adamson (Talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

This document describes the basic setup of a fake DNS domain for use in testing NFSv4 (with IPA, Kerberos, Cross-Realm Auth, etc) on fedora 15.

To use a fake DNS domain, you must run a named server locally and configure all of the clients to use it as the only nameserver.

DNS domain: example.fake

Hosts:

  • server.example.fake (192.168.56.20)
  • client1.example.fake (192.168.56.40)
  • ...

Contents

Install and configure a server for the fake DNS domain

The first step is to install the name server ("bind", aka "named") on the server (192.168.56.20).

Install named on the server

 [root@server ~]# sudo yum install bind

Configure the DNS zone

This creates a DNS zone for "example.fake".

Create the file "/var/named/example.fake.zone":

$TTL 3D
@       IN      SOA     ns1.example.fake. hostmaster.example.fake. (
                       201107111       ; serial#
                       3600            ; refresh, seconds
                       3600            ; retry, seconds
                       3600            ; expire, seconds
                       3600 )          ; minimum, seconds

                NS      ns1             ; Inet Address of nameserver
example.fake.   MX      10 mail         ; Primary Mail Exchanger

ns1             A       192.168.56.20
server          A       192.168.56.20

client1         A       192.168.56.40

ipa             CNAME   server

; DNS auto discovery of services
_ldap._tcp      SRV 10 10 389 server.example.fake.
_kerberos._udp  SRV 10 10 88 server.example.fake.
_kerberos._tcp  SRV 10 10 88 server.example.fake.

Configure the reverse mapping

This defines the reverse mapping for the hosts you just defined. Services and CNAMEs don't need to have reverse mappings, but the A records they point to do (as do all A records).

Create the file "/var/named/192-168-56.zone":

$TTL 2d  ; 172800 seconds
$ORIGIN 56.168.192.IN-ADDR.ARPA.
@       IN        SOA        ns1.example.fake.  hostmaster.example.fake. (
                            201107111          ; serial number
                            3600               ; refresh, seconds
                            3600               ; retry, seconds
                            3600               ; expire, seconds
                            3600 )             ; minimum, seconds

                IN      NS      ns1.example.fake.
20              IN      PTR     server.example.fake.
40              IN      PTR     client1.example.fake.

Modify named config

Named needs to be configured to use the new zone files and to run as the DNS server for the local network.

Add these sections to file "/etc/named.conf":

zone "example.fake" IN {
	type master;
	file "example.fake.zone";
};

zone "56.168.192.in-addr.arpa" IN {
	type master;
	file "192-168-56.zone";
};

Then edit the "options" section of the same file "/etc/named.conf":

  • change the "listen-on" option to include the server's external address "{ localhost; 192.168.56.20; }"
  • change "allow-query" option to "{ localhost; 192.168.56.0/24; }"
  • change "dnssec-enable" option to "no"
  • change "dnssec-validation" option to "no"

WARNING: Turning off DNSsec is probably not a good idea. Be careful.

The resulting /etc/named.conf:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
	listen-on port 53 { 127.0.0.1; 192.168.56.20; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query     { localhost; 192.168.56.0/24; };
	recursion yes;

	dnssec-enable yes;
	dnssec-validation no;
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "example.fake" IN {
        type master;
        file "example.fake.zone";
};

zone "56.168.192.in-addr.arpa" IN {
        type master;
        file "192-168-56.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Enable forwarding

This is optional.

To have this nameserver forward requests to anther nameserver (192.168.56.2 in this example) instead of doing recursive queries on its own, add the following lines to the options section of /etc/named.conf:

        forward only ;
        forwarders { 192.168.56.2 ; } ;

Restart named

Restart named to pick up the changes:

[root@server ~]# service named restart
Restarting named (via systemctl):                          [  OK  ]

All hosts should use the fake DNS server

All of the hosts within this testing environment should be configured to use server.example.fake (192.168.56.20) as their only DNS server. This is only needed because the example uses a fake domain name. This step is not required with a real DNS domain.

Configure server and client(s) to use the fake DNS server

Edit file "/etc/sysconfig/network-scripts/ifcfg-eth0" (or whatever is appropriate) and change the "DNS1" line to:

DNS1=192.168.56.20

You should make sure there aren't any other "DNS" lines.

Restart network to pick up the change

[root@server ~]# service network restart
Restarting network (via systemctl):                        [  OK  ]

Test fake DNS domain

Make sure the right nameserver is being used:

[root@client1 ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
search example.fake
nameserver 192.168.56.20

Lookup the server:

[root@client1 ~]# nslookup server.example.fake
Server:		192.168.56.20
Address:	192.168.56.20#53

Name:	server.example.fake
Address: 192.168.56.20

Now do the reverse lookup on the server:

[root@client1 ~]# nslookup 192.168.56.20
Server:		192.168.56.20
Address:	192.168.56.20#53

20.56.168.192.in-addr.arpa	name = server.example.fake.

Common problems

XXX

Personal tools