Fake DNS Zone

From Linux NFS

This document describes the basic setup of a fake DNS domain for use in testing NFSv4 (with IPA, Kerberos, cross-realm auth, etc.) on [http://fedoraproject.org/ Fedora] 15.

To use a fake DNS domain, you must run a named server locally and configure all of the clients to use it as their only nameserver.

DNS domain: '''example.fake'''

Hosts:

* '''server.example.fake''' (192.168.56.20)
* '''client1.example.fake''' (192.168.56.40)
* ...

= Install and configure a server for the fake DNS domain =
 
The first step is to install the name server ("bind", aka "named") on the server (192.168.56.20).

== Install named on the server ==
 
<pre>
[root@server ~]# sudo yum install bind
</pre>

== Configure the DNS zone ==
 
This section creates the DNS zone for "example.fake".

Three services are defined for use with FreeIPA (XXX link??): the "_ldap._tcp", "_kerberos._udp" and "_kerberos._tcp" SRV records below let clients discover the LDAP and Kerberos servers.

Create the file "/var/named/example.fake.zone":

<pre>
$TTL 3D
@               IN      SOA     ns1.example.fake. hostmaster.example.fake. (
                                201107111       ; serial#
                                3600            ; refresh, seconds
                                3600            ; retry, seconds
                                3600            ; expire, seconds
                                3600 )          ; minimum, seconds

                NS      ns1                     ; Inet Address of nameserver
example.fake.   MX      10 mail                 ; Primary Mail Exchanger

ns1             A       192.168.56.20
server          A       192.168.56.20

client1         A       192.168.56.40

ipa             CNAME   server

; DNS auto discovery of services
_ldap._tcp      SRV     10 10 389 server.example.fake.
_kerberos._udp  SRV     10 10 88 server.example.fake.
_kerberos._tcp  SRV     10 10 88 server.example.fake.
</pre>

== Configure the reverse mapping ==
 
This defines the reverse mapping for the hosts you just defined. Every A record needs a matching PTR record; SRV records and CNAMEs don't need reverse mappings themselves, but the A records they point to do.

Create the file "/var/named/192-168-56.zone":

<pre>
$TTL 2d  ; 172800 seconds
$ORIGIN 56.168.192.IN-ADDR.ARPA.
@               IN      SOA     ns1.example.fake. hostmaster.example.fake. (
                                201107111       ; serial number
                                3600            ; refresh, seconds
                                3600            ; retry, seconds
                                3600            ; expire, seconds
                                3600 )          ; minimum, seconds

                IN      NS      ns1.example.fake.
20              IN      PTR     server.example.fake.
40              IN      PTR     client1.example.fake.
</pre>

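named-checkzone validates each zone file on its own, but nothing on this page checks the forward and reverse files against each other. The script below is an added example, not code from this wiki page or from BIND: it parses constructed copies of the two zone files above and verifies the rule just stated (every A record has a PTR naming one of its owners, every PTR has a matching A record) and, additionally, that every CNAME, NS, MX and SRV target exists as an A record in the zone. Run against the page's own records it reports exactly one problem: the MX record points at "mail", for which the forward zone defines no A record. The parser handles only the master-file syntax these two files use.

```python
"""Cross-check a forward zone file against its reverse zone file.
Added example for this page, not code from the Linux NFS wiki or from BIND.
named-checkzone validates each file on its own; this checks the two against
each other. The page's zone files are embedded below as constructed copies."""
import ipaddress

FORWARD_ORIGIN = "example.fake."
REVERSE_ORIGIN = "56.168.192.in-addr.arpa."
# Constructed copy of /var/named/example.fake.zone from the page.
FORWARD_ZONE = """\
$TTL 3D
@               IN  SOA  ns1.example.fake. hostmaster.example.fake. (
                         201107111 3600 3600 3600  ; serial refresh retry expire
                         3600 )                    ; minimum
                NS      ns1
example.fake.   MX      10 mail
ns1             A       192.168.56.20
server          A       192.168.56.20
client1         A       192.168.56.40
ipa             CNAME   server
_ldap._tcp      SRV     10 10 389 server.example.fake.
_kerberos._udp  SRV     10 10 88 server.example.fake.
_kerberos._tcp  SRV     10 10 88 server.example.fake.
"""
# Constructed copy of /var/named/192-168-56.zone from the page.
REVERSE_ZONE = """\
$TTL 2d
$ORIGIN 56.168.192.IN-ADDR.ARPA.
@    IN  SOA  ns1.example.fake. hostmaster.example.fake. (
              201107111 3600 3600 3600 3600 )
     IN  NS   ns1.example.fake.
20   IN  PTR  server.example.fake.
40   IN  PTR  client1.example.fake.
"""
RRTYPES = {"A", "AAAA", "NS", "MX", "CNAME", "PTR", "SRV", "SOA", "TXT"}

def fqdn(name, origin):
    """Qualify a relative name against the current $ORIGIN."""
    name = name.lower()
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return [(owner, TYPE, rdata_tokens)] with owners fully qualified. Handles
    ';' comments, $TTL/$ORIGIN, parenthesised multi-line records, optional
    TTL/class fields and owner inheritance (a line starting with whitespace
    reuses the previous owner, as in RFC 1035 master files)."""
    records, origin, last_owner = [], origin.lower(), origin.lower()
    buf, owner_omitted, depth = [], False, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if depth == 0:  # start of a new record or directive
            head = line.split()[0]
            if head == "$ORIGIN":
                origin = line.split()[1].lower()
                continue
            if head == "$TTL":
                continue
            buf, owner_omitted = [], line[0].isspace()
        buf.extend(line.split())
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue  # record continues on the next line
        tokens = [t for t in (x.strip("()") for x in buf) if t]
        owner = last_owner if owner_omitted else fqdn(tokens.pop(0), origin)
        last_owner = owner
        while tokens and tokens[0].upper() not in RRTYPES:
            tokens.pop(0)  # skip optional TTL and class (IN)
        if tokens:
            records.append((owner, tokens[0].upper(), tokens[1:]))
    return records

def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return a list of consistency problems; an empty list means clean."""
    fwd_origin = fwd_origin.lower()
    fwd = parse_zone(fwd_text, fwd_origin)
    names_by_ip = {}
    for owner, rtype, rdata in fwd:
        if rtype == "A":
            names_by_ip.setdefault(rdata[0], set()).add(owner)
    ptr = {o: r[0].lower() for o, t, r in parse_zone(rev_text, rev_origin) if t == "PTR"}
    problems = []
    for ip, names in sorted(names_by_ip.items()):  # every A needs a PTR back
        target = ptr.get(ipaddress.ip_address(ip).reverse_pointer + ".")
        if target is None:
            problems.append(f"no PTR for {ip} ({', '.join(sorted(names))})")
        elif target not in names:
            problems.append(f"PTR for {ip} names {target}, which has no A record for it")
    for owner, target in sorted(ptr.items()):  # every PTR needs a matching A
        ip = ".".join(reversed(owner.rstrip(".").split(".")[:-2]))  # undo in-addr.arpa
        if target not in names_by_ip.get(ip, set()):
            problems.append(f"PTR {owner} -> {target} has no matching A record")
    a_names = set().union(*names_by_ip.values())
    for owner, rtype, rdata in fwd:  # CNAME/NS/MX/SRV targets must have A records
        idx = {"CNAME": 0, "NS": 0, "MX": 1, "SRV": 3}.get(rtype)
        if idx is not None and fqdn(rdata[idx], fwd_origin) not in a_names:
            problems.append(f"{rtype} at {owner} points to {fqdn(rdata[idx], fwd_origin)}, which has no A record")
    return problems

if __name__ == "__main__":
    for p in check_zones(FORWARD_ZONE, FORWARD_ORIGIN, REVERSE_ZONE, REVERSE_ORIGIN) or ["zones are consistent"]:
        print(p)
```

To check the real files instead of the embedded copies, read "/var/named/example.fake.zone" and "/var/named/192-168-56.zone" into the two strings; the origins are the zone names from the named.conf zone statements. Multiple names on one address (ns1 and server both at 192.168.56.20) are accepted as long as the single PTR names one of them, which is how the page's reverse zone is written.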
== Modify named config ==
 
The named daemon needs to be configured to use the new zone files and to run as the DNS server for the local network.

Add these sections to the file "/etc/named.conf":

<pre>
zone "example.fake" IN {
        type master;
        file "example.fake.zone";
};

zone "56.168.192.in-addr.arpa" IN {
        type master;
        file "192-168-56.zone";
};
</pre>

Then edit the "options" section of the same file "/etc/named.conf":

* change the "listen-on" option to include the server's external address: "{ localhost; 192.168.56.20; }"
* change the "allow-query" option to "{ localhost; 192.168.56.0/24; }"
* change the "dnssec-enable" option to "no"
* change the "dnssec-validation" option to "no"

'''WARNING:''' Turning off DNSSEC is probably not a good idea. Be careful.

The resulting /etc/named.conf:

<pre>
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 192.168.56.20; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.56.0/24; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation no;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "example.fake" IN {
        type master;
        file "example.fake.zone";
};

zone "56.168.192.in-addr.arpa" IN {
        type master;
        file "192-168-56.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
</pre>

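A small lint of the options block, added here as an example and not code from this wiki page or from BIND: it parses the settings the page edits out of a constructed copy of the resulting file and reports the ones a defender would question. On the page's file it flags the disabled validation that the WARNING refers to; on a variant with "allow-query { any; }" it flags the open resolver that "recursion yes" would then create. The fallback chain from allow-recursion to allow-query-cache to allow-query is BIND's documented behaviour; the parser itself covers only the subset of named.conf syntax used on this page and does not follow include files.

```python
"""Lint the options block of a named.conf for the settings this page edits.

Added example for this page, not code from the Linux NFS wiki or from BIND.
The parser covers only the subset of named.conf syntax the page uses
(comments, `key value;` and `key { item; ... };` statements); it is not
BIND's parser and ignores include files. NAMED_CONF is a constructed copy of
the options and zone statements the page ends up with.
"""
import ipaddress
import re

NAMED_CONF = """\
options {
        listen-on port 53 { 127.0.0.1; 192.168.56.20; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        allow-query     { localhost; 192.168.56.0/24; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation no;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};

zone "example.fake" IN {
        type master;
        file "example.fake.zone";
};
"""

NAMED_ACLS = {"any", "none", "localhost", "localnets"}


def strip_comments(text):
    """Remove /* */ and // comments (the two forms used in the page's file)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"//[^\n]*", "", text)


def parse_options(text):
    """Return {statement: value} for the options { ... } block.

    A plain statement maps to its argument string ('yes', '"/var/named"');
    a braced statement maps to the list of items between the braces.
    """
    text = strip_comments(text)
    start = re.search(r"\boptions\s*\{", text)
    if start is None:
        raise ValueError("no options block found")
    depth, i = 1, start.end()
    while depth:  # find the brace that closes the options block
        depth += (text[i] == "{") - (text[i] == "}")
        i += 1
    opts = {}
    for m in re.finditer(r"([\w-]+)([^{;]*?)(\{([^}]*)\})?\s*;", text[start.end():i - 1]):
        key, args, _, items = m.groups()
        opts[key] = ([x.strip() for x in items.split(";") if x.strip()]
                     if items is not None else args.strip())
    return opts


def lint_options(opts):
    """Return findings for the options the page changes."""
    findings = []
    if opts.get("dnssec-validation", "yes") == "no":
        findings.append("dnssec-validation no: answers from signed zones are "
                        "accepted without validation (the page's own WARNING)")
    if "any" in opts.get("listen-on", []):
        findings.append("listen-on any: named answers on every interface")
    # Effective recursion ACL, following BIND's fallback chain
    # allow-recursion -> allow-query-cache -> allow-query -> localnets/localhost.
    effective = (opts.get("allow-recursion") or opts.get("allow-query-cache")
                 or opts.get("allow-query") or ["localnets", "localhost"])
    if opts.get("recursion", "yes") == "yes" and "any" in effective:
        findings.append("recursion yes with an 'any' ACL: open resolver")
    for key in ("listen-on", "listen-on-v6", "allow-query", "allow-recursion"):
        for item in opts.get(key, []):  # catch typos in the address lists
            if item in NAMED_ACLS:
                continue
            try:
                ipaddress.ip_network(item.lstrip("!"), strict=False)
            except ValueError:
                findings.append(f"{key}: unrecognised entry {item!r}")
    return findings


if __name__ == "__main__":
    for finding in lint_options(parse_options(NAMED_CONF)) or ["no findings"]:
        print(finding)
```

The address-list check accepts only literal addresses, networks and the four built-in ACL names, which is all the page uses; a real named.conf may also reference named acl statements and TSIG keys, which this example would report as unrecognised.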
== Restart named ==
 
Restart named to pick up the changes:

<pre>
[root@server ~]# service named restart
Restarting named (via systemctl):                          [  OK  ]
</pre>

= All hosts should use the fake DNS server =
 
All of the hosts within this testing environment should be configured to use server.example.fake (192.168.56.20) as their only DNS server. This is only needed because the example uses a fake domain name; the step is not required with a real DNS domain.

== Configure server and client(s) to use the fake DNS server ==
 
Edit the file "/etc/sysconfig/network-scripts/ifcfg-eth0" (or whichever interface file is appropriate) and change the "DNS1" line to:

<pre>
DNS1=192.168.56.20
</pre>

Make sure there aren't any other "DNS" lines in that file.

== Restart network to pick up the change ==
 
<pre>
[root@server ~]# service network restart
Restarting network (via systemctl):                        [  OK  ]
</pre>

== Test fake DNS domain ==
 
Make sure the right nameserver is being used:

<pre>
[root@client1 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.fake
nameserver 192.168.56.20
</pre>

Look up the server:

<pre>
[root@client1 ~]# nslookup server.example.fake
Server: 192.168.56.20
Address: 192.168.56.20#53

Name: server.example.fake
Address: 192.168.56.20
</pre>

Now do the reverse lookup on the server:

<pre>
[root@client1 ~]# nslookup 192.168.56.20
Server: 192.168.56.20
Address: 192.168.56.20#53

20.56.168.192.in-addr.arpa name = server.example.fake.
</pre>

= Common problems =
 
XXX

Latest revision as of 02:37, 1 March 2012
