Test Bind DNS Zone File Replication to Slave Servers (CentOS)



The Scenario

  • You are on-boarding/bringing up a new Bind DNS server (say NSHost3 – 198.164.12.103) to replace/upgrade your existing Bind DNS server (NSHost2 – 198.164.12.102).
  • You have installed BIND 9.8 on the new server, as shown:
[root@NSHost3 ~]#  named -v
BIND 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.1
[root@NSHost3 ~]#

  • You want to configure NSHost3 as a slave server for some of the zones that are primarily hosted on NSHost1 (198.164.12.101) in your other data centre.
  • You are either not running an iptables firewall on NSHost1 and NSHost3, or you have allowed TCP and UDP port 53 through it on both servers (zone transfers use TCP, NOTIFY and ordinary queries use UDP).

Configuring the new server NSHost3 as a slave of NSHost1 requires updating the named.conf file on both servers, as detailed here. Note that each server is master for one zone and slave for the other, so the allow-transfer, allow-notify and masters statements appear on both sides.

NSHost1

On NSHost1 (198.164.12.101), set up /etc/named.conf with the following essential contents:

options {
    listen-on port 53 { 198.164.12.101; }; // NSHost1, the master server in data centre 1
    allow-notify { 198.164.12.103; }; // NSHost3, the new slave server
    allow-transfer { 198.164.12.103; }; // NSHost3, the new slave server
    ..
    …
};

/* primary zones */
zone "dc1.mydomain.com" {
    type master;
    file "dc1.mydomain.com.zone";
};

/* Secondary zones */
zone "dc2.mydomain.com" {
    type slave;
    masters { 198.164.12.103; };
    file "secondary/dc2.mydomain.com.zone";
};

NSHost3

On NSHost3 (198.164.12.103), set up /etc/named.conf with the following essential contents:

options {
    listen-on port 53 { 198.164.12.103; }; // NSHost3, the new slave server
    allow-transfer { 198.164.12.101; }; // NSHost1, the master server in data centre 1
    allow-notify { 198.164.12.101; }; // NSHost1, the master server in data centre 1
    ..
    …
};

/* primary zones */
zone "dc2.mydomain.com" {
    type master;
    file "dc2.mydomain.com.zone";
};

/* Secondary zones */
zone "dc1.mydomain.com" {
    type slave;
    masters { 198.164.12.101; };  // The IP address of NSHost1, which hosts the master copy of this zone.
    file "secondary/dc1.mydomain.com.zone";
};
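Once both named.conf files are in place and named has been reloaded, a quick way to confirm that replication actually works is to compare the SOA serial that NSHost1 and NSHost3 each answer for dc1.mydomain.com, and to confirm that the master only serves AXFR to the host listed in allow-transfer. The script below is an added example, not part of the original article; the function names are its own, the addresses are the article's, and it assumes dig from bind-utils is installed.

```shell
#!/bin/sh
# Added example (not from the original article): verify that NSHost3 has
# replicated dc1.mydomain.com from NSHost1 and that AXFR is restricted.
# Function names are this example's own; addresses are the article's.

MASTER=198.164.12.101   # NSHost1, master for dc1.mydomain.com
SLAVE=198.164.12.103    # NSHost3, slave for dc1.mydomain.com
ZONE=dc1.mydomain.com

# Print the serial (3rd field) of a 'dig ... SOA +short' answer such as
# "ns1.dc1.mydomain.com. hostmaster.dc1.mydomain.com. 2014109804 3600 900 604800 86400"
# Prints nothing when no SOA was returned.
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 7 { print $3; exit }'
}

# Classify 'dig ... AXFR' output: "ok" when a full transfer was served,
# "refused" when the master denied it (allow-transfer is doing its job),
# "error" for anything else (timeout, server unreachable).
axfr_result() {
    case "$1" in
        *"XFR size:"*)        echo ok ;;
        *"Transfer failed."*) echo refused ;;
        *)                    echo error ;;
    esac
}

# Live checks; run as: sh replcheck.sh live
live_check() {
    m=$(soa_serial "$(dig @"$MASTER" "$ZONE" SOA +short +time=3 +tries=1)")
    s=$(soa_serial "$(dig @"$SLAVE"  "$ZONE" SOA +short +time=3 +tries=1)")
    if [ -n "$m" ] && [ "$m" = "$s" ]; then
        echo "OK: $ZONE serial $m matches on master and slave"
    else
        echo "MISMATCH: master=${m:-none} slave=${s:-none}; check named's log on $SLAVE" >&2
        return 1
    fi
    # From NSHost3 this should print "ok"; from a host not in allow-transfer, "refused".
    r=$(axfr_result "$(dig @"$MASTER" "$ZONE" AXFR +time=3 +tries=1)")
    echo "AXFR of $ZONE from $(hostname) against $MASTER: $r"
}

if [ "${1:-}" = "live" ]; then
    live_check
fi
```

A serial that is present on the master but empty on the slave means the transfer or the zone-file write failed; a "refused" result from any host other than NSHost3 is the expected, correct behaviour.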

Troubleshooting

When setting up replication for the first time on Red Hat's BIND packages, many people find that although the zone transfers themselves succeed, the zone files never get created on the slave server. /var/log/messages then shows errors like the following:

Oct 14 02:58:15 NSHost3 named-sdb[18253]: zone dc1.mydomain.com/IN: Transfer started.
Oct 14 02:58:15 NSHost3 named-sdb[18253]: transfer of 'dc1.mydomain.com/IN' from 198.164.12.101#53: connected using 198.164.12.103#49611
Oct 14 02:58:16 NSHost3 named-sdb[18253]: zone dc1.mydomain.com/IN: transferred serial 2014109804
Oct 14 02:58:16 NSHost3 named-sdb[18253]: transfer of 'dc1.mydomain.com/IN' from 198.164.12.101#53: Transfer completed: 1 messages, 21 records, 529 bytes, 0.217 secs (2437 bytes/sec)
Oct 14 02:58:16 NSHost3 named-sdb[18253]: zone dc1.mydomain.com/IN: sending notifies (serial 2014109804)
Oct 14 02:58:16 NSHost3 named-sdb[18253]: dumping master file: secondary/tmp-IWDKG5gBFC: open: permission denied

The transfer completes ("transferred serial 2014109804"), but named is then denied permission to write the received zone to disk. This is a known bug with the Red Hat BIND packaging, as documented here: Bug 545128 – SELinux is preventing the named daemon from writing to the zone directory.

Fix it by enabling the SELinux boolean named_write_master_zones as shown below (the -P flag makes the change persistent across reboots):

##### Fix for error: dumping master file: open: permission denied #####
[root@NSHost3 ~]# setsebool -P named_write_master_zones=1
[root@NSHost3 ~]# 
##### Fix for error: dumping master file: open: permission denied #####

Then restart the named service (DNS) as shown below:

[root@NSHost3 ~]# service named restart
Stopping named: [  OK  ]
Starting named: [  OK  ]
[root@NSHost3 ~]# service named status