Friday, June 29, 2012

Secondary DNS Server in CentOS 6

Please consult this article (reproduced below under Reference) to see how the primary DNS Server is configured in a chroot environment.

A secondary DNS Server is used as a backup DNS Server in case the primary fails. The configuration is almost identical.

Here are the details:
Domain: testdom.inv
Primary: ns1.testdom.inv (192.168.1.13)
Secondary: ns2.testdom.inv (192.168.1.14)


Secondary DNS Server

Phase 1:

Again, the host names must be properly specified. We have to modify the following lines in the mentioned files -

[root@centu ~]# vim /etc/sysconfig/network

HOSTNAME=ns2.testdom.inv


[root@ns2 ~]# vim /etc/hosts

192.168.1.14    ns2.testdom.inv   ns2


Finally, we set the resolver IPs to the primary DNS Server and, as a fallback, to this server itself

[root@ns2 ~]# vim /etc/resolv.conf
nameserver 192.168.1.13
nameserver 192.168.1.14


Phase 2:

Now we install the necessary packages -

[root@ns2 ~]# yum install bind bind-chroot
Loaded plugins: fastestmirror, presto
Determining fastest mirrors
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind.i686 32:9.7.0-5.P2.el6 set to be updated
---> Package bind-chroot.i686 32:9.7.0-5.P2.el6 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================
 Package                     Arch                 Version                           Repository             Size
================================================================================================================
Installing:
 bind                        i686                 32:9.7.0-5.P2.el6                 myyum                 3.5 M
 bind-chroot                 i686                 32:9.7.0-5.P2.el6                 myyum                  65 k

Transaction Summary
================================================================================================================
Install       2 Package(s)
Upgrade       0 Package(s)

Total download size: 3.5 M
Installed size: 6.4 M
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 3.5 M
----------------------------------------------------------------------------------------------------------------
Total                                                                            22 MB/s | 3.5 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : 32:bind-9.7.0-5.P2.el6.i686                                                              1/2 
  Installing     : 32:bind-chroot-9.7.0-5.P2.el6.i686                                                       2/2 

Installed:
  bind.i686 32:9.7.0-5.P2.el6                         bind-chroot.i686 32:9.7.0-5.P2.el6                        

Complete!



Phase 3:

Preparing the configuration file -

[root@ns2 ~]# cp /usr/share/doc/bind-9.7.0/sample/etc/named.rfc1912.zones /var/named/chroot/etc/named.conf 
[root@ns2 ~]# vim /var/named/chroot/etc/named.conf 

##### ADD/MODIFY THE FOLLOWING LINES #####

options {
        directory "/var/named";
        forwarders {4.2.2.1; };
};

zone "testdom.inv" IN {
        type slave;
        file "testdom-fz";                    // written by named itself after the transfer
        //allow-update { none; };
        allow-transfer {192.168.1.13/32; };   // only the primary may pull the zone from this server
        masters {192.168.1.13; };             // the primary server the zone is transferred from
};

zone "1.168.192.in-addr.arpa" IN {
        type slave;
        file "testdom-rz";                    // written by named itself after the transfer
        //allow-update { none; };
        allow-transfer {192.168.1.13/32; };   // only the primary may pull the zone from this server
        masters {192.168.1.13; };             // the primary server the zone is transferred from
};




Then we make the directory /var/named/chroot/var/named writable by the named group, because named (running as the user named) has to write the transferred zone files there -

[root@ns2 ~]# chmod 770 /var/named/chroot/var/named


Phase 4:

Time to start the service.

[root@ns2 ~]# service named restart; chkconfig named on
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
[root@ns2 ~]# 


Now the secondary DNS Server is ready. The zone files from the primary server will be automatically copied to the secondary server.

Testing

To test, we can do the following -
  1. On the client, set the primary and the secondary DNS IPs to the addresses of the servers ns1 and ns2.
  2. Stop the named service on the primary server.
  3. Check from the client whether the DNS query still gets answered. If it does, we can check which server answered the query.

NOTE

While configuring the secondary DNS Server, the following should be kept in mind -
  1. We don't need to define the zone files on the secondary DNS Server. They are transferred automatically from the primary DNS Server.
  2. While updating the zone files on the primary DNS Server, the serial number has to be updated. The secondary DNS Server will transfer the zone files only if the serial number is different.
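Bumping the serial by hand is easy to forget; the following is an added example (not from the original article) of a small script that increments it in a zone file laid out like the ones in this tutorial, where the serial is the first number inside the SOA parentheses on a line tagged with a "; serial" comment.

```shell
# Added example (not from the original article): bump the SOA serial of a zone
# file so that the secondary notices the change and transfers the zone.
# Assumes the layout of this tutorial's zone files: the serial is the first
# number inside the SOA parentheses, on a line tagged with a "; serial" comment.

# Print the current serial of the zone file given as $1.
zone_serial() {
    awk '/; *serial/ { print $1; exit }' "$1"
}

# Rewrite the zone file $1 in place with the serial incremented by one and
# print the new serial. The previous version is kept as $1.bak so that a bad
# edit can be reverted. A YYYYMMDDnn style serial is bumped the same way.
bump_serial() {
    zone="$1"
    old=$(zone_serial "$zone")
    [ -n "$old" ] || { echo "no '; serial' line found in $zone" >&2; return 1; }
    new=$((old + 1))
    cp "$zone" "$zone.bak"
    # replace only the first run of digits on the first "; serial" line
    awk -v new="$new" '
        !done && /; *serial/ { sub(/[0-9]+/, new); done = 1 }
        { print }
    ' "$zone.bak" > "$zone"
    echo "$new"
}

# Typical use on ns1 after editing a record, followed by a reload of named:
#   bump_serial /var/named/chroot/var/named/testdom-fz && service named reload
```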

Troubleshooting

  1. Check /var/log/messages. It may provide useful clues, such as a permission issue (i.e. the working directory is not writable).
  2. Check whether the named service is listening on the necessary ports (53, TCP and UDP) using the command netstat -tulpn

Hope this helps ^_^

Reference

Primary DNS Configuration in CentOS 6 (with chroot)

This tutorial is based on a previous article. The configuration of a DNS Server with chroot and without chroot is almost identical. Here's how it's done -


Objective

We will configure the primary DNS Server for the domain testdom.inv (yes, the top level domain is inv, i.e. 'invalid'). The FQDN (Fully Qualified Domain Name) of the server is ns1.testdom.inv. This is a simulation, so keep your Server off the Internet -
  1. make sure the Server does not have any real (publicly routable) IP address
  2. make sure that the file /etc/resolv.conf does not contain the IP address of any real DNS Server.

Here is the IP Database
  • DNS Server 192.168.1.13
  • Web Server 192.168.1.12
  • FTP Server 192.168.1.11

Procedure

Phase 1:

The first thing to do when configuring any Server is to set its hostname properly. We have to modify the following lines in the mentioned files -

[root@centu ~]# vim /etc/sysconfig/network

HOSTNAME=ns1.testdom.inv


[root@centu ~]# vim /etc/hosts

192.168.1.13    ns1.testdom.inv   ns1

A hostname changed this way sometimes takes effect only after a Server reboot. To avoid waiting for that, we also set the hostname of the running system to ns1.testdom.inv; this lasts until the next reboot, after which the file takes over.

[root@centu ~]# hostname ns1.testdom.inv
[root@centu ~]# hostname
ns1.testdom.inv 

Finally, we set the resolver IP

[root@ns1 ~]# vim /etc/resolv.conf

nameserver 192.168.1.13

Phase 2:

We will set up the package bind to provide the DNS service. The package can be installed easily using yum. First we remove any previous version of bind and bind-chroot, then we install the required packages.


[root@ns1 ~]# yum install bind bind-chroot
Loaded plugins: fastestmirror, presto
Determining fastest mirrors
 * base: ossm.utm.my
 * extras: ossm.utm.my
 * rpmforge: mirror.oscc.org.my
 * updates: ossm.utm.my
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind.i686 32:9.7.3-8.P3.el6_2.3 set to be updated
--> Processing Dependency: bind-libs = 32:9.7.3-8.P3.el6_2.3 for package: 32:bind-9.7.3-8.P3.el6_2.3.i686
--> Processing Dependency: liblwres.so.60 for package: 32:bind-9.7.3-8.P3.el6_2.3.i686
--> Processing Dependency: libisccfg.so.62 for package: 32:bind-9.7.3-8.P3.el6_2.3.i686
--> Processing Dependency: libisccc.so.60 for package: 32:bind-9.7.3-8.P3.el6_2.3.i686
--> Processing Dependency: libisc.so.62 for package: 32:bind-9.7.3-8.P3.el6_2.3.i686
--> Processing Dependency: libdns.so.69 for package: 32:bind-9.7.3-8.P3.el6_2.3.i686
--> Processing Dependency: libbind9.so.60 for package: 32:bind-9.7.3-8.P3.el6_2.3.i686
---> Package bind-chroot.i686 32:9.7.3-8.P3.el6_2.3 set to be updated
--> Running transaction check
---> Package bind-libs.i686 32:9.7.3-8.P3.el6_2.3 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package           Arch       Version                       Repository     Size
================================================================================
Installing:
 bind              i686       32:9.7.3-8.P3.el6_2.3         updates       3.9 M
 bind-chroot       i686       32:9.7.3-8.P3.el6_2.3         updates        68 k
Installing for dependencies:
 bind-libs         i686       32:9.7.3-8.P3.el6_2.3         updates       851 k

Transaction Summary
================================================================================
Install       3 Package(s)
Upgrade       0 Package(s)

Total download size: 4.8 M
Installed size: 9.2 M
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
updates/prestodelta                                                                                   | 394 kB     00:13
Processing delta metadata
Package(s) data still to download: 4.8 M
(1/3): bind-9.7.3-8.P3.el6_2.3.i686.rpm                                                               | 3.9 MB     02:25
(2/3): bind-chroot-9.7.3-8.P3.el6_2.3.i686.rpm                                                        |  68 kB     00:01
(3/3): bind-libs-9.7.3-8.P3.el6_2.3.i686.rpm                                                          | 851 kB     00:27
-----------------------------------------------------------------------------------------------------------------------------
Total                                                                                         28 kB/s | 4.8 MB     02:56
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing     : 32:bind-libs-9.7.3-8.P3.el6_2.3.i686                                                                  1/3
  Installing     : 32:bind-9.7.3-8.P3.el6_2.3.i686                                                                       2/3
  Installing     : 32:bind-chroot-9.7.3-8.P3.el6_2.3.i686                                                                3/3

Installed:
  bind.i686 32:9.7.3-8.P3.el6_2.3                           bind-chroot.i686 32:9.7.3-8.P3.el6_2.3

Dependency Installed:
  bind-libs.i686 32:9.7.3-8.P3.el6_2.3

Complete!

Phase 3:

Now we prepare the configuration file /var/named/chroot/etc/named.conf, starting from the sample shipped with the package (the sample directory is named after the installed bind version, so adjust the path if yum installed a different version than shown here)


[root@ns1 ~]# cp /usr/share/doc/bind-9.7.0/sample/etc/named.rfc1912.zones /var/named/chroot/etc/named.conf

[root@ns1 ~]# vim /var/named/chroot/etc/named.conf

#### Please add/modify the following lines ####

options {
        directory "/var/named"; // the path of the zone files (inside the chroot)
        forwarders {4.2.2.1; }; // queries this server cannot answer from its own zones are forwarded to this DNS Server first
};


// declaration of the forward zone
zone "testdom.inv" IN {
        type master;
        file "testdom-fz"; // forward zone file stored in /var/named
        allow-update { none; }; // no dynamic updates
        // by default BIND lets anyone transfer the whole zone; once a secondary
        // exists, restrict this with: allow-transfer { 192.168.1.14; };
};

// declaration of the reverse zone
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "testdom-rz"; // reverse zone file stored in /var/named
        allow-update { none; }; // no dynamic updates
        // restrict transfers here too: allow-transfer { 192.168.1.14; };
};



Phase 4:

Now it's time to prepare the zone files. The zone files are stored in /var/named/chroot/var/named. The character '@' denotes a 'NULL' value in these files. Please be careful while writing, as syntax errors in these files are easy to make.
IMPORTANT: Every FQDN declared in the zone files has a '.' in the end.

Forward Zone

[root@ns1 ~]# cd /var/named/chroot/var/named
[root@ns1 named]# cp named.localhost testdom-fz
[root@ns1 named]# vim testdom-fz 

;Comment: this is the forward zone file

; IMPORTANT every FQDN has a trailing dot '.'
; '@' is replaced by the zone name (testdom.inv.); a record with no owner
; name on the left inherits the owner of the previous record

$TTL 1D
;Comment: FORMAT
;Comment: @      IN SOA  FQDN email (user.domain.tld) (

@       IN SOA  ns1.testdom.inv. admin.testdom.inv. (
                                        0       ; serial - increase it on every edit, or a secondary will not pick up the change
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS      ns1.testdom.inv.
        IN A       192.168.1.13
ns1     IN A       192.168.1.13
www     IN A       192.168.1.12
ftp     IN A       192.168.1.11

Reverse Zone

[root@ns1 ~]# cd /var/named/chroot/var/named
[root@ns1 named]# cp testdom-fz testdom-rz
[root@ns1 named]# vim testdom-rz 

;this is the reverse zone file

; IMPORTANT every FQDN has a trailing dot '.'
; the owner names below are only the last octet of the address; the zone
; name 1.168.192.in-addr.arpa. is appended to them

$TTL 1D
;FORMAT
;@      IN SOA  FQDN email (user.domain.tld) (

@       IN SOA  ns1.testdom.inv. admin.testdom.inv. (
                                        0       ; serial - increase it on every edit
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS   ns1.testdom.inv.
13      IN PTR  ns1.testdom.inv.
12      IN PTR  www.testdom.inv.
11      IN PTR  ftp.testdom.inv.


Now we change the group ownership of the zone files to match the other files in the directory, so that named can read them.

[root@ns1 named]# cd /var/named/chroot/var/named
[root@ns1 named]# chgrp named testdom-*

[root@ns1 named]# ls -l test*
total 48
-rw-r----- 1 root  named  325 May 31 11:16 testdom-fz
-rw-r----- 1 root  named  318 May 31 11:12 testdom-rz
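A missing trailing dot does not produce a syntax error but silently creates a name like ns1.testdom.inv.testdom.inv., so before starting the service it is worth linting the files for exactly that mistake. The following is an added example (not from the original article): an awk-based lint for the zone files above, followed by named-checkzone from the bind package when it is installed; the zone and file names are the tutorial's.

```shell
# Added example (not from the original article): flag names in SOA, NS, CNAME,
# MX and PTR records that contain a dot but do not end with one. Without the
# trailing dot BIND appends the zone name, so "ns1.testdom.inv" becomes
# "ns1.testdom.inv.testdom.inv." and the zone still loads.
# Prints one "<line>: <name>" per offending record; exit status 1 if any.
check_trailing_dots() {
    awk '
        /^[ \t]*;/ || /^[ \t]*$/ { next }       # skip comment and blank lines
        {
            line = $0
            sub(/;.*/, "", line)                # drop a trailing comment
            n = split(line, f, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (f[i] == "SOA") { check(f[i+1], NR); check(f[i+2], NR); break }
                if (f[i] == "NS" || f[i] == "CNAME" || f[i] == "PTR") { check(f[i+1], NR); break }
                if (f[i] == "MX") { check(f[i+2], NR); break }
            }
        }
        # bare labels such as "ns1" are valid relative names and are not flagged
        function check(name, ln) {
            if (name ~ /\./ && name !~ /\.$/) { printf "%d: %s\n", ln, name; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# Lint the file, then run the full syntax check shipped with bind if present.
# Usage: check_zone testdom.inv /var/named/chroot/var/named/testdom-fz
check_zone() {
    check_trailing_dots "$2" || return 1
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not found; only the trailing-dot lint was run" >&2
    fi
}
```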



Finally it's time to start the DNS Service.

[root@ns1 named]# service named restart
Stopping named:                             [  OK  ]
Starting named:                             [  OK  ]
[root@ns1 named]# chkconfig named on


Phase 5:

Finally it's time for testing.
[root@ns1 named]# yum install bind-utils
Loaded plugins: fastestmirror, presto
Loading mirror speeds from cached hostfile
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind-utils.i686 32:9.7.0-5.P2.el6 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch         Version                    Repository     Size
================================================================================
Installing:
 bind-utils         i686         32:9.7.0-5.P2.el6          myyum         173 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 173 k
Installed size: 419 k
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 173 k
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : 32:bind-utils-9.7.0-5.P2.el6.i686                        1/1 

Installed:
  bind-utils.i686 32:9.7.0-5.P2.el6                                             

Complete!
[root@ns1 named]# 


We will use the command dig to test the DNS configuration. dig sends a query and prints the answer it receives. Here is a demo -

IMPORTANT: The first thing to look for is the status, which should be NOERROR. Any other value indicates a problem, e.g. NXDOMAIN (Non-eXistent DOMAIN) or SERVFAIL (SERVer FAILure).

[root@ns1 named]# dig ns1.testdom.inv

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6 <<>> ns1.testdom.inv
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37595
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.testdom.inv.        IN    A

;; ANSWER SECTION:
ns1.testdom.inv.    86400    IN    A    192.168.1.13

;; AUTHORITY SECTION:
testdom.inv.        86400    IN    NS    ns1.testdom.inv.

;; Query time: 1 msec
;; SERVER: 192.168.1.13#53(192.168.1.13)
;; WHEN: Thu May 31 11:39:52 2012
;; MSG SIZE  rcvd: 63


As we can see from the output, the ANSWER SECTION states that the A record (i.e. the IP address) of ns1.testdom.inv. is 192.168.1.13.


[root@ns1 named]# dig -x 192.168.1.13

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6 <<>> -x 192.168.1.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6969
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;13.1.168.192.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
13.1.168.192.in-addr.arpa. 86400 IN    PTR    ns1.testdom.inv.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa.    86400    IN    NS    ns1.testdom.inv.

;; ADDITIONAL SECTION:
ns1.testdom.inv.    86400    IN    A    192.168.1.13

;; Query time: 2 msec
;; SERVER: 192.168.1.13#53(192.168.1.13)
;; WHEN: Thu May 31 11:41:27 2012
;; MSG SIZE  rcvd: 102


Again, as we can see from the output, the ANSWER SECTION states that the IP address 192.168.1.13 points back (PTR record) to ns1.testdom.inv.

The DNS Server should also resolve the www and ftp hosts in testdom.inv. You can also check using nslookup and ping.
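The checks in this phase (status NOERROR, which server answered, whether the answer is authoritative) and those in the secondary server's Testing section above (does ns2 answer when ns1 is down, does the slave serve the same serial as the master, is a zone transfer refused to anyone but the primary) can be scripted from a client. The functions below are an added example, not part of the original articles, and assume the tutorial's addresses ns1 = 192.168.1.13 and ns2 = 192.168.1.14.

```shell
# Added example (not from the original articles): helpers that read dig
# reports like the ones shown above. Addresses are the tutorial's.
PRIMARY=192.168.1.13
SECONDARY=192.168.1.14

# Read a full dig report on stdin, print the rcode (NOERROR, NXDOMAIN, SERVFAIL, ...).
dig_status() { sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p'; }

# Read a full dig report on stdin, print the address of the server that answered.
dig_server() { sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'; }

# Read a full dig report on stdin; succeed only if the "aa" flag is set, i.e.
# the answer came from a server authoritative for the zone, not from a cache.
dig_is_authoritative() { grep -Eq '^;; flags:( [a-z]+)* aa[ ;]'; }

# Read the one-line output of "dig +short SOA <zone> @<server>" on stdin, e.g.
# "ns1.testdom.inv. admin.testdom.inv. 0 86400 3600 604800 10800", print the serial.
soa_serial_of() { awk 'NF >= 7 { print $3; exit }'; }

# --- the functions below talk to the servers; run them on a client ---

# Print "status=... answered_by=..." for a name; succeed only on NOERROR.
# With named stopped on ns1, answered_by should switch to 192.168.1.14.
check_lookup() {
    report=$(dig "$1")
    status=$(printf '%s\n' "$report" | dig_status)
    echo "status=$status answered_by=$(printf '%s\n' "$report" | dig_server)"
    [ "$status" = NOERROR ]
}

# Succeed when ns1 and ns2 serve the same SOA serial, i.e. the zone transfer
# has happened. If they differ, the serial on ns1 was probably not increased.
zone_in_sync() {
    s1=$(dig +short SOA "$1" @"$PRIMARY" | soa_serial_of)
    s2=$(dig +short SOA "$1" @"$SECONDARY" | soa_serial_of)
    echo "primary serial=$s1 secondary serial=$s2"
    [ -n "$s1" ] && [ "$s1" = "$s2" ]
}

# Succeed when the server refuses a full zone transfer to this client, which is
# what allow-transfer on ns2 should enforce for every host except ns1.
# Usage: transfer_refused testdom.inv "$SECONDARY"
transfer_refused() { dig axfr "$1" @"$2" | grep -q 'Transfer failed'; }
```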

Hope this helps.

Tuesday, June 12, 2012

Nagios Ping Problem

I'm using Nagios3 on my Debian 6 box to monitor my network. My system pings www.google.com periodically to check whether the Internet connection is okay.

The weird thing is that when Nagios checks whether www.google.com is reachable, it says "Network not found". However, I can ping www.google.com manually.

root@dragonfly:~# /usr/lib/nagios/plugins/check_ping -H www.google.com -c 100,90% -w 100,90%

CRITICAL - Network Unreachable (www.google.com)



root@dragonfly:~# ping www.google.com
PING www.l.google.com (74.125.236.208) 56(84) bytes of data.
64 bytes from maa03s17-in-f16.1e100.net (74.125.236.208): icmp_req=1 ttl=53 time=210 ms
64 bytes from maa03s17-in-f16.1e100.net (74.125.236.208): icmp_req=2 ttl=53 time=229 ms
^C
--- www.l.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 210.611/219.867/229.124/9.268 ms


After a bit of googling, here's what I found.

8-Jun was IPv6 day. A large portion of sites used (and are still using) IPv6. When my Nagios Server tried to communicate with google.com, it tried the IPv6 address. My Nagios Server itself does not have any IPv6 address, so naturally the communication did not work.

So I forced Nagios to use IPv4, and it worked like a charm -

root@dragonfly:~# /usr/lib/nagios/plugins/check_ping -4 -H www.google.com -w 100,90% -c 100,90%

PING OK - Packet loss = 0%, RTA = 73.09 ms|rta=73.092003ms;100.000000;100.000000;0.000000 pl=0%;90;90;0

Now that the problem has been identified, time to tweak Nagios so it uses IPv4 to check whether a host is alive.

root@dragonfly:~# vim /etc/nagios-plugins/config/ping.cfg 


##### ADDING -4 PARAMETER #####
# 'check-host-alive' command definition
define command{
        command_name    check-host-alive
        command_line    /usr/lib/nagios/plugins/check_ping -4 -H '$HOSTADDRESS$' -w 5000,100% -c 5000,100% -p 1
        }

root@dragonfly:~# /etc/init.d/nagios3 restart

And it is done. Hope this helps. ^_^

Reference: http://serverfault.com/questions/278196/nagios-bizare-ping-behaviour