Fake DNS Realm
From Linux NFS
Latest revision as of 02:37, 1 March 2012
This document describes the basic setup of a fake DNS domain for use in testing NFSv4 (with IPA, Kerberos, cross-realm authentication, etc.) on Fedora 15.
To use a fake DNS domain, you must run a named server locally and configure all of the clients to use it as their only nameserver.
DNS domain: example.fake
Hosts:
- server.example.fake (192.168.56.20)
- client1.example.fake (192.168.56.40)
- ...
Install and configure a server for the fake DNS domain
The first step is to install the name server ("bind", aka "named") on the server (192.168.56.20).
Install named on the server
[root@server ~]# sudo yum install bind
Configure the DNS zone
This creates a DNS zone for "example.fake".
Create the file "/var/named/example.fake.zone":
$TTL 3D
@       IN      SOA     ns1.example.fake. hostmaster.example.fake. (
                        201107111       ; serial#
                        3600            ; refresh, seconds
                        3600            ; retry, seconds
                        3600            ; expire, seconds
                        3600 )          ; minimum, seconds

                NS      ns1             ; Inet Address of nameserver
example.fake.   MX      10 mail         ; Primary Mail Exchanger ('mail' has no A record
                                        ; below; add one or drop this line if unused)

ns1             A       192.168.56.20
server          A       192.168.56.20
client1         A       192.168.56.40
ipa             CNAME   server

; DNS auto discovery of services
_ldap._tcp      SRV     10 10 389 server.example.fake.
_kerberos._udp  SRV     10 10 88  server.example.fake.
_kerberos._tcp  SRV     10 10 88  server.example.fake.
Configure the reverse mapping
This defines the reverse mapping for the hosts you just defined. Services and CNAMEs don't need to have reverse mappings, but the A records they point to do (as do all A records).
Create the file "/var/named/192-168-56.zone":
$TTL 2d ; 172800 seconds
$ORIGIN 56.168.192.IN-ADDR.ARPA.
@       IN      SOA     ns1.example.fake. hostmaster.example.fake. (
                        201107111       ; serial number
                        3600            ; refresh, seconds
                        3600            ; retry, seconds
                        3600            ; expire, seconds
                        3600 )          ; minimum, seconds

        IN      NS      ns1.example.fake.

20      IN      PTR     server.example.fake.
40      IN      PTR     client1.example.fake.
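The forward and reverse zones above have to agree with each other, and the mistakes are easy to make by hand (an A record without a PTR, a PTR that points at a name with a different address, a CNAME/MX/SRV target that was never given an A record). The following is an added example, not code from this page or from BIND: a small parser for the two zone files, with copies of them embedded so it runs offline, that cross-checks them the way a Kerberos library effectively will when it canonicalises a host name. Function names, the simplified parser (a subset of the zone syntax, not a replacement for named-checkzone) and the message text are this example's own choices. Run on the page's zones it reports one finding: the MX record points at mail.example.fake, which has no A record.

```python
"""Cross-check the example.fake forward and reverse zones (added example).

Not code from the Linux NFS wiki page or from BIND. Parses copies of the two
zone files shown above (embedded so it runs offline) and reports what breaks
Kerberos/NFS host canonicalisation: A records with no PTR, PTRs that do not
map back to an A, and CNAME/MX/NS/SRV targets with no A record.
"""

FORWARD_ZONE = """
$TTL 3D
@       IN      SOA     ns1.example.fake. hostmaster.example.fake. (
                        201107111       ; serial#
                        3600 3600 3600 3600 )   ; refresh retry expire minimum
                NS      ns1
example.fake.   MX      10 mail         ; 'mail' has no A record on the page
ns1             A       192.168.56.20
server          A       192.168.56.20
client1         A       192.168.56.40
ipa             CNAME   server
_ldap._tcp      SRV     10 10 389 server.example.fake.
_kerberos._udp  SRV     10 10 88  server.example.fake.
_kerberos._tcp  SRV     10 10 88  server.example.fake.
"""

REVERSE_ZONE = """
$TTL 2d ; 172800 seconds
$ORIGIN 56.168.192.IN-ADDR.ARPA.
@       IN      SOA     ns1.example.fake. hostmaster.example.fake. (
                        201107111 3600 3600 3600 3600 )
        IN      NS      ns1.example.fake.
20      IN      PTR     server.example.fake.
40      IN      PTR     client1.example.fake.
"""

# index of the domain-name field in the rdata of each record type we follow
NAME_FIELD = {"CNAME": 0, "NS": 0, "PTR": 0, "MX": 1, "SRV": 3}


def _fqdn(name, origin):
    """Qualify a zone-file name: '@' is the origin, relative names get it appended."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Return [(owner, type, rdata_tokens)] with owners and name targets qualified."""
    origin = origin.lower().rstrip(".") + "."
    records, owner, buf, depth = [], origin, [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # strip comments
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")      # parenthesised multi-line rdata
        if depth > 0:
            continue
        logical, buf = " ".join(buf), []
        if logical.startswith("$"):                      # $ORIGIN / $TTL directives
            directive, value = logical.split(None, 1)
            if directive.upper() == "$ORIGIN":
                origin = value.strip().lower()
            continue
        tokens = logical.replace("(", " ").replace(")", " ").split()
        if not logical[0].isspace():                     # explicit owner, else inherit
            owner = _fqdn(tokens.pop(0), origin)
        while tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)                                # optional TTL and class
        rtype = tokens.pop(0).upper()
        if rtype in NAME_FIELD:
            tokens[NAME_FIELD[rtype]] = _fqdn(tokens[NAME_FIELD[rtype]], origin)
        records.append((owner, rtype, tokens))
    return records


def check_zones(forward_text, forward_origin, reverse_text, reverse_origin):
    """Return a list of problems; an empty list means the two zones agree."""
    fwd = parse_zone(forward_text, forward_origin)
    rev = parse_zone(reverse_text, reverse_origin)
    a_of = {}                                            # name -> {addresses}
    for owner, rtype, rdata in fwd:
        if rtype == "A":
            a_of.setdefault(owner, set()).add(rdata[0])
    # '20.56.168.192.in-addr.arpa.' -> '192.168.56.20' -> PTR target
    ptr_of = {".".join(reversed(o.rstrip(".").split(".")[:-2])): r[0]
              for o, t, r in rev if t == "PTR"}
    problems = []
    for name, addrs in a_of.items():                     # forward -> reverse
        for addr in sorted(addrs - set(ptr_of)):
            problems.append(f"A {name} -> {addr} has no PTR")
    for addr, name in ptr_of.items():                    # reverse -> forward round trip
        if addr not in a_of.get(name, set()):
            problems.append(f"PTR {addr} -> {name} has no matching A")
    known = set(a_of) | {o for o, t, _ in fwd if t == "CNAME"}
    for owner, rtype, rdata in fwd:                      # pointed-to names must exist
        if rtype in NAME_FIELD and rtype != "PTR":
            target = rdata[NAME_FIELD[rtype]]
            if target not in known:
                problems.append(f"{rtype} {owner} -> {target} has no A record")
    return problems


def check_fake_realm():
    """Run the check on the zones from this page."""
    return check_zones(FORWARD_ZONE, "example.fake", REVERSE_ZONE, "56.168.192.in-addr.arpa")
```

Note that ns1 and server share 192.168.56.20 while only server has the PTR; the check accepts that because the PTR target maps back to the same address, which is the round trip a Kerberos library sees when it canonicalises a host name. Run named-checkzone as well: it catches syntax errors this subset parser does not.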
Modify named config
Named needs to be configured to use the new zone files and to run as the DNS server for the local network.
Add these sections to file "/etc/named.conf":
zone "example.fake" IN {
        type master;
        file "example.fake.zone";
};

zone "56.168.192.in-addr.arpa" IN {
        type master;
        file "192-168-56.zone";
};
Then edit the "options" section of the same file "/etc/named.conf":
- change the "listen-on" option to include the server's external address: "{ localhost; 192.168.56.20; }"
- change the "allow-query" option to "{ localhost; 192.168.56.0/24; }". Keep this restricted to the test network: "recursion yes" stays on, so a permissive allow-query would turn the box into an open resolver.
- change the "dnssec-enable" option to "no"
- change the "dnssec-validation" option to "no"
Neither DNSSEC setting affects the authoritative example.fake and reverse zones, which named serves as configured either way. "dnssec-validation no" only changes how this server treats answers it obtains for other domains, recursively or through forwarders. (The resulting file below leaves "dnssec-enable yes" and only disables validation; that works too.)
WARNING: Turning off DNSSEC validation means this server will accept forged or tampered answers for every domain it resolves on behalf of the test hosts. That is tolerable only on an isolated test network; otherwise leave validation on.
The resulting /etc/named.conf:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 192.168.56.20; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.56.0/24; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation no;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "example.fake" IN {
        type master;
        file "example.fake.zone";
};

zone "56.168.192.in-addr.arpa" IN {
        type master;
        file "192-168-56.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Enable forwarding
This is optional.
To have this nameserver forward requests for all other domains to another nameserver (192.168.56.2 in this example) instead of doing recursive queries on its own, add the following lines to the options section of /etc/named.conf:
forward only;
forwarders { 192.168.56.2; };
The example.fake and reverse zones are still answered locally. "forward only" means that if 192.168.56.2 is unreachable, lookups for everything else fail rather than falling back to recursion; use "forward first" if you want that fallback.
Restart named
Check the syntax first with "named-checkconf" and "named-checkzone example.fake /var/named/example.fake.zone" (and likewise for the reverse zone), then restart named to pick up the changes:
[root@server ~]# service named restart
Restarting named (via systemctl):                          [  OK  ]
All hosts should use the fake DNS server
All of the hosts in this test environment, the server included, must use server.example.fake (192.168.56.20) as their only DNS server. This is needed only because the domain is fake: ".fake" is not delegated in the public DNS, so any other resolver returns NXDOMAIN for these names and SRV discovery of the Kerberos and LDAP services fails. With a real, delegated domain this step is unnecessary.
Configure server and client(s) to use the fake DNS server
Edit file "/etc/sysconfig/network-scripts/ifcfg-eth0" (or whatever is appropriate) and change the "DNS1" line to:
DNS1=192.168.56.20
Make sure there are no other "DNS" lines (DNS2, DNS3, ...) in the file. Each one becomes an extra nameserver entry in /etc/resolv.conf; the resolver falls back to it whenever the fake server does not answer, and that server knows nothing about example.fake, so outages turn into confusing lookup failures instead of obvious ones.
Restart network to pick up the change
[root@server ~]# service network restart
Restarting network (via systemctl):                        [  OK  ]
Test fake DNS domain
Make sure the right nameserver is being used:
[root@client1 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.fake
nameserver 192.168.56.20
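The two checks above (the DNSn lines in the ifcfg file, and what actually ended up in /etc/resolv.conf) are easy to automate across all the test hosts. The following is an added example, not code from this page: it parses an ifcfg-style file and a resolv.conf and reports anything that would send lookups somewhere other than the fake server. Both input texts are constructed for the demonstration (the ifcfg copy carries a stray DNS2 line so there is something to find), and the PEERDNS check is a caveat this page does not mention: on a DHCP interface the lease's nameservers are written to resolv.conf unless PEERDNS=no.

```python
"""Verify a host uses only the fake DNS server (added example).

Not code from the wiki page: parses an ifcfg-style interface file and a
resolv.conf and reports anything that would send lookups elsewhere. The
inputs below are constructed; the ifcfg text has a stray DNS2 line.
"""
import re

FAKE_NS = "192.168.56.20"
FAKE_DOMAIN = "example.fake"

IFCFG_ETH0 = """
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.56.40
DNS1=192.168.56.20
DNS2=8.8.8.8
"""

RESOLV_CONF = """
# Generated by NetworkManager
search example.fake
nameserver 192.168.56.20
"""


def check_ifcfg(text):
    """Problems with an ifcfg file: DNS1 must be the fake server and must be the only DNSn line."""
    kv = dict(re.findall(r'^([A-Z0-9_]+)="?([^"\s]*)', text, re.M))
    dns = {k: v for k, v in kv.items() if re.fullmatch(r"DNS\d+", k)}
    problems = []
    if dns.get("DNS1") != FAKE_NS:
        problems.append(f"DNS1 should be {FAKE_NS}, found {dns.get('DNS1')}")
    problems += [f"extra nameserver line {k}={v}; remove it"
                 for k, v in sorted(dns.items()) if k != "DNS1"]
    # Not on the page, but a common trap: with DHCP, PEERDNS defaults to yes and
    # the lease's nameservers are written to resolv.conf as well.
    if kv.get("BOOTPROTO", "").lower() == "dhcp" and kv.get("PEERDNS", "yes").lower() != "no":
        problems.append("BOOTPROTO=dhcp without PEERDNS=no: DHCP nameservers will override DNS1")
    return problems


def check_resolv_conf(text):
    """Problems with resolv.conf: exactly one nameserver (the fake server) and the fake search domain."""
    lines = [l.split() for l in text.splitlines() if l.strip() and not l.startswith("#")]
    ns = [w[1] for w in lines if w[0] == "nameserver"]
    search = [d for w in lines if w[0] in ("search", "domain") for d in w[1:]]
    problems = []
    if ns != [FAKE_NS]:
        problems.append(f"nameserver list is {ns}, expected [{FAKE_NS}]")
    if FAKE_DOMAIN not in search:
        problems.append(f"search list {search} does not include {FAKE_DOMAIN}")
    return problems
```

Feed it the real files with open("/etc/sysconfig/network-scripts/ifcfg-eth0").read() and open("/etc/resolv.conf").read(); an empty list from both functions means the host is pointed only at the fake server.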
Lookup the server:
[root@client1 ~]# nslookup server.example.fake
Server:         192.168.56.20
Address:        192.168.56.20#53

Name:   server.example.fake
Address: 192.168.56.20
Now do the reverse lookup on the server. It must come back to the same name: the Kerberos libraries canonicalise a host name through a reverse lookup (rdns) when building host-based service principals, so a missing or mismatched PTR shows up later as an authentication failure rather than a DNS error:
[root@client1 ~]# nslookup 192.168.56.20
Server:         192.168.56.20
Address:        192.168.56.20#53

20.56.168.192.in-addr.arpa      name = server.example.fake.
Common problems
XXX