Fake DNS Realm
From Linux NFS
(→Configure the DNS zone) |
(→Restart named) |
||
(One intermediate revision not shown) | |||
Line 71: | Line 71: | ||
40 IN PTR client1.example.fake. | 40 IN PTR client1.example.fake. | ||
</pre> | </pre> | ||
- | |||
== Modify named config == | == Modify named config == | ||
Line 156: | Line 155: | ||
include "/etc/named.rfc1912.zones"; | include "/etc/named.rfc1912.zones"; | ||
include "/etc/named.root.key"; | include "/etc/named.root.key"; | ||
+ | </pre> | ||
+ | |||
+ | == Enable forwarding == | ||
+ | |||
+ | This is optional. | ||
+ | |||
+ | To have this nameserver forward requests to anther nameserver (192.168.56.2 in this example) instead of doing recursive queries on its own, add the following lines to the '''options''' section of '''/etc/named.conf''': | ||
+ | |||
+ | <pre> | ||
+ | forward only ; | ||
+ | forwarders { 192.168.56.2 ; } ; | ||
</pre> | </pre> | ||
Latest revision as of 02:37, 1 March 2012
This document describes the basic setup of a fake DNS domain for use in testing NFSv4 (with IPA, Kerberos, Cross-Realm Auth, etc) on fedora 15.
To use a fake DNS domain, you must run a named server locally and configure all of the clients to use it as the only nameserver.
DNS domain: example.fake
Hosts:
- server.example.fake (192.168.56.20)
- client1.example.fake (192.168.56.40)
- ...
Contents |
Install and configure a server for the fake DNS domain
The first step is to install the name server ("bind", aka "named") on the server (192.168.56.20).
Install named on the server
[root@server ~]# sudo yum install bind
Configure the DNS zone
This creates a DNS zone for "example.fake".
Create the file "/var/named/example.fake.zone":
$TTL 3D @ IN SOA ns1.example.fake. hostmaster.example.fake. ( 201107111 ; serial# 3600 ; refresh, seconds 3600 ; retry, seconds 3600 ; expire, seconds 3600 ) ; minimum, seconds NS ns1 ; Inet Address of nameserver example.fake. MX 10 mail ; Primary Mail Exchanger ns1 A 192.168.56.20 server A 192.168.56.20 client1 A 192.168.56.40 ipa CNAME server ; DNS auto discovery of services _ldap._tcp SRV 10 10 389 server.example.fake. _kerberos._udp SRV 10 10 88 server.example.fake. _kerberos._tcp SRV 10 10 88 server.example.fake.
Configure the reverse mapping
This defines the reverse mapping for the hosts you just defined. Services and CNAMEs don't need to have reverse mappings, but the A records they point to do (as do all A records).
Create the file "/var/named/192-168-56.zone":
$TTL 2d ; 172800 seconds $ORIGIN 56.168.192.IN-ADDR.ARPA. @ IN SOA ns1.example.fake. hostmaster.example.fake. ( 201107111 ; serial number 3600 ; refresh, seconds 3600 ; retry, seconds 3600 ; expire, seconds 3600 ) ; minimum, seconds IN NS ns1.example.fake. 20 IN PTR server.example.fake. 40 IN PTR client1.example.fake.
Modify named config
Named needs to be configured to use the new zone files and to run as the DNS server for the local network.
Add these sections to file "/etc/named.conf":
zone "example.fake" IN { type master; file "example.fake.zone"; }; zone "56.168.192.in-addr.arpa" IN { type master; file "192-168-56.zone"; };
Then edit the "options" section of the same file "/etc/named.conf":
- change the "listen-on" option to include the server's external address "{ localhost; 192.168.56.20; }"
- change "allow-query" option to "{ localhost; 192.168.56.0/24; }"
- change "dnssec-enable" option to "no"
- change "dnssec-validation" option to "no"
WARNING: Turning off DNSsec is probably not a good idea. Be careful.
The resulting /etc/named.conf:
// // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // options { listen-on port 53 { 127.0.0.1; 192.168.56.20; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { localhost; 192.168.56.0/24; }; recursion yes; dnssec-enable yes; dnssec-validation no; dnssec-lookaside auto; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "example.fake" IN { type master; file "example.fake.zone"; }; zone "56.168.192.in-addr.arpa" IN { type master; file "192-168-56.zone"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
Enable forwarding
This is optional.
To have this nameserver forward requests to anther nameserver (192.168.56.2 in this example) instead of doing recursive queries on its own, add the following lines to the options section of /etc/named.conf:
forward only ; forwarders { 192.168.56.2 ; } ;
Restart named
Restart named to pick up the changes:
[root@server ~]# service named restart Restarting named (via systemctl): [ OK ]
All hosts should use the fake DNS server
All of the hosts within this testing environment should be configured to use server.example.fake (192.168.56.20) as their only DNS server. This is only needed because the example uses a fake domain name. This step is not required with a real DNS domain.
Configure server and client(s) to use the fake DNS server
Edit file "/etc/sysconfig/network-scripts/ifcfg-eth0" (or whatever is appropriate) and change the "DNS1" line to:
DNS1=192.168.56.20
You should make sure there aren't any other "DNS" lines.
Restart network to pick up the change
[root@server ~]# service network restart Restarting network (via systemctl): [ OK ]
Test fake DNS domain
Make sure the right nameserver is being used:
[root@client1 ~]# cat /etc/resolv.conf # Generated by NetworkManager search example.fake nameserver 192.168.56.20
Lookup the server:
[root@client1 ~]# nslookup server.example.fake Server: 192.168.56.20 Address: 192.168.56.20#53 Name: server.example.fake Address: 192.168.56.20
Now do the reverse lookup on the server:
[root@client1 ~]# nslookup 192.168.56.20 Server: 192.168.56.20 Address: 192.168.56.20#53 20.56.168.192.in-addr.arpa name = server.example.fake.
Common problems
XXX