Running your own DNS server (Part 2)

Right, you need to read part one in order for this (a) to make sense or (b) to work – so if you haven’t done that already – Go !

Looking at a domain ...

So, right now you have a working domain name server, just the one mind you, and it is configured to allow you to replicate it over to another server … We are going to set up that second server now, so that we have some resiliency in case something horrible happens to the first one. Just as a side note – my two servers are both hosted at Digital Ocean – a great, cheap provider of virtual hosts. They have a number of data centres world wide, so it would make no sense at all to have my resilient server located in the same place as my main server. To that end – one is in London, the other in Frankfurt. I figure that as a majority of my business is European, sticking them anywhere else is a bit pointless ! There is nothing, however, to stop me in future from either migrating or adding additional servers …

Anyhoo, onto the configuration. The first part is identical:

yum update -y
yum install bind bind-utils bind-chroot -y

Back into /etc/named.conf we go … ( vi 😉 ) and this time we make the following changes:

options {
 listen-on-v6 port 53 { ::1; };
 directory "/var/named";
 dump-file "/var/named/data/cache_dump.db";
 statistics-file "/var/named/data/named_stats.txt";
 memstatistics-file "/var/named/data/named_mem_stats.txt";
 allow-query { any; };
 /* allow-transfer is deliberately absent here. Note that the BIND 9 releases
    shipped with CentOS 6/7 allow transfers to ANY host when it is left out,
    so add  allow-transfer { none; };  if you want the refusal to be explicit. */

 recursion no;

 dnssec-enable yes;
 dnssec-validation yes;
 /* ISC's DLV registry was shut down in 2017 and newer BIND releases have
    dropped dnssec-lookaside; on those, remove the next line and the DLV key. */
 dnssec-lookaside auto;

 /* Path to ISC DLV key */
 bindkeys-file "/etc/named.iscdlv.key";

 managed-keys-directory "/var/named/dynamic";
 pid-file "/run/named/named.pid";   /* must be a file, not a directory */
 session-keyfile "/run/named/session.key";
};

Note that the only real difference here is the removal of the “allow-transfer” line. This server shouldn’t allow transfers to anyone anywhere, so it is omitted entirely and it defaults to off.

Then, as with the master, we need to add the relevant zone entry so the server knows what it is looking after.

zone "" IN {          // your domain name goes between the quotes
 type slave;
 masters {; };        // the master's IP address goes before the ";"
 file "";             // where the slave writes its copy of the zone;
                      // on CentOS put it under slaves/, which named can write to
};
You can see the difference from the earlier one: this is a slave entry and it points at the master IP address ( fill in your own domain and IPs here … )

This being done we can kick off the BIND process and get it added into the boot sequence as we did on the first server, troubleshooting as required. ( Which, go figure, I needed to do again, because I missed a darn “;” ! )

service named restart
chkconfig named on

Again, now we should be able to query that nameserver directly about our domain, so, using nslookup as we did before, double check that it works.

Assuming it did, congratulations, you now have redundant name servers managing your DNS for your domain.

There is one last thing to cover, and that is making changes.

To make a change to an existing zone:

1) Edit the zone file on the master changing:

a) the serial ( incrementing )

b) the entry that you need to alter

2) Reload the zone files using the command

rndc reload

This will reload the zone file and the changes will propagate over to the slave ( if and only if you increment the serial though ! )
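As an added example (not from the original post), here is a small POSIX shell helper for checking that the slave has actually picked up a change after rndc reload, that the slave refuses zone transfers as intended, and for producing the next YYYYMMDDnn serial. It assumes dig from bind-utils; ns1.example.com, ns2.example.com and example.com are hypothetical placeholders for your own servers and zone.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumes dig from bind-utils and
# hypothetical names ns1.example.com (master), ns2.example.com (slave).

# Extract the serial (3rd field) from a "dig +short SOA" answer line:
# mname rname serial refresh retry expire minimum
soa_serial() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Ask one server for the zone's SOA serial (needs network access).
query_serial() {
    soa_serial "$(dig +short @"$1" "$2" SOA)"
}

# True when both serials are present and identical, i.e. the slave is in sync.
serials_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# True when dig's AXFR output shows the server refused the transfer,
# which is what the slave configured above should do for everyone.
axfr_refused() {
    printf '%s\n' "$1" | grep -q 'Transfer failed'
}

# Next serial in the YYYYMMDDnn convention: bump nn on the same day,
# otherwise start today's counter at 00 (never going backwards).
# $1 = current serial, $2 = today as YYYYMMDD.
next_serial() {
    cur=$1; today=$2
    case "$cur" in
        "$today"[0-9][0-9])
            n=${cur#"$today"}; n=${n#0}
            [ "$n" -lt 99 ] || { echo "counter exhausted for $today" >&2; return 1; }
            printf '%s%02d\n' "$today" $((n + 1)) ;;
        *)
            if [ "$cur" -ge "${today}00" ]; then
                echo $((cur + 1))
            else
                echo "${today}00"
            fi ;;
    esac
}

# Typical use after editing the zone on the master and running "rndc reload":
# m=$(query_serial ns1.example.com example.com); s=$(query_serial ns2.example.com example.com)
# serials_match "$m" "$s" && echo "slave in sync at serial $m"
# axfr_refused "$(dig @ns2.example.com example.com AXFR)" && echo "slave refuses AXFR"
```

If the serials differ, the usual cause is exactly the one mentioned above: the serial on the master was not incremented, so the slave sees nothing new to fetch.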

To add or remove a whole zone, basically follow the same steps as for adding the first zone in Part 1. You’ll need to create the new zone file and populate it with the information that you require, and add the zone into named.conf. You’ll also need to let the slave know about the zone in its named.conf. In this case use:

service named restart

This restarts the service so that it re-reads the named.conf file and becomes aware of the new zones.

I hope that your own DNS server gives you back some of the control that you would like of your digital estate. I will write more on this as I progress through the migration of the other 81 domains and also cover off things like round-robin DNS load balancing and MX entries for e-mail … Along with the trials and tribulations of getting everything migrated !
