Tips on Setting Up a Slave Server for DNS

Creating a Slave for DNS on CentOS 6

This article will help you create a slave server for your DNS on CentOS 6. We are using a past article as a base reference, which can be found here:

http://beginlinux.com/blog/2010/06/bind-create-slave-zone-files/

We're just going to add a few tips that may help.

SELinux

SELinux can cause problems if you do not realize that it is installed and is preventing zone files from being written on the slave server. When the /etc/named.conf file is created, make sure that you write the zone files to /var/named/dynamic. SELinux will not allow named to write in other locations. The zone file references should look like this (both zones are slaves on this box, so each one gets type slave and a masters list):

zone "example.com" in {
    type slave;
    file "dynamic/bak.example.com.zone";
    masters { 192.168.3.1; };
    allow-transfer { none; };
};

zone "38.189.198.in-addr.arpa" in {
    type slave;
    file "dynamic/bak.zone.3.168.192.in-addr.arpa";
    masters { 192.168.3.1; };
    allow-transfer { none; };
};

 

When you check the SELinux audit log while named is failing to write zone files, this is what you will see (the AVC record and its SYSCALL record share the same audit id):

type=AVC msg=audit(1332488885.538:26206): avc: denied { write } for pid=9643 comm="named" name="named" dev=dm-0 ino=392706 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir

type=SYSCALL msg=audit(1332488885.538:26206): arch=c000003e syscall=2 success=no exit=-13 a0=7fed74079648 a1=c2 a2=1b6 a3=a items=0 ppid=1 pid=9643 auid=0 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=115 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)

It is just saying that named cannot write to /var/named: the target is a directory labelled named_zone_t, which the named_t domain is not allowed to write to. It works fine once you change the zone file paths to /var/named/dynamic.
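
The two audit records above are the whole diagnosis once you know how to read them. The following shell script is an added example, not code from the original article: it pulls the AVC denials attributed to named out of audit-log text and reports what the target label means for a zone-file write. The sample log text is constructed to mirror the article's excerpt; the third line is an invented denial against a correctly labelled file, added for contrast. The function names and the label_verdict wording are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): extract SELinux denials for
# named from audit-log text and say what the target's label means for a
# zone-file write on CentOS 6.
# The sample lines are constructed to mirror the article's excerpt; the third
# line is an invented denial on a named_cache_t file, added for contrast.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1332488885.538:26206): avc: denied { write } for pid=9643 comm="named" name="named" dev=dm-0 ino=392706 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=SYSCALL msg=audit(1332488885.538:26206): arch=c000003e syscall=2 success=no exit=-13 a0=7fed74079648 a1=c2 a2=1b6 a3=a items=0 ppid=1 pid=9643 auid=0 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=115 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1332488900.001:26210): avc: denied { write } for pid=9643 comm="named" name="bak.example.com.zone" dev=dm-0 ino=392800 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_cache_t:s0 tclass=file'

# named_avc_denials: read audit text on stdin and print one line per AVC denial
# whose comm is named, as "<permission> <tclass> <target name> <target type>".
named_avc_denials() {
    grep 'type=AVC' | grep 'comm="named"' | sed -n \
        's/.*denied *{ *\([a-z_]*\) *}.* name="\([^"]*\)".*tcontext=[^:]*:[^:]*:\([a-z_]*\):.*tclass=\([a-z_]*\).*/\1 \4 \2 \3/p'
}

# label_verdict TYPE: what a denial against a file or directory of that SELinux
# type means. On CentOS 6, named_zone_t is /var/named itself (read-only for the
# named_t domain) and named_cache_t is the writable set (dynamic/, slaves/, data/).
label_verdict() {
    case "$1" in
        named_zone_t)  echo "zone dir is read-only for named: put the zone file under /var/named/dynamic" ;;
        named_cache_t) echo "default policy allows this write: look for a local policy change, then restorecon -Rv /var/named" ;;
        *)             echo "unexpected label $1: run restorecon -Rv /var/named and re-check" ;;
    esac
}

# diagnose: one report line per denial. On a real box feed it the audit search:
#   ausearch -m avc -c named | diagnose
diagnose() {
    named_avc_denials | while read -r perm class name type; do
        printf '%s on %s "%s" (%s): %s\n' "$perm" "$class" "$name" "$type" "$(label_verdict "$type")"
    done
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | diagnose
```

The first report line is the article's case: a write into the directory named "named" (that is, /var/named) with label named_zone_t, which the named_t domain may not write to. The SYSCALL record is ignored by the parser; it only adds the uid (25, the named user) and the EACCES exit code, which the AVC line already implies.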

 

Permission on the Slave Server

The /var/named permissions need to be changed so named can write the zone files as they are updated. Use this command to set your permissions:

chmod 777 -Rvf /var/named
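
The recursive chmod 777 makes every zone file on the slave writable by every local account, which means any user on the box can change the answers the server hands out. Named only needs write access in the directories it writes to. The following shell script is an added example, not part of the original article: it applies the layout the CentOS 6 bind package ships with (/var/named owned root:named with mode 750, and the writable subdirectories dynamic/, slaves/ and data/ owned named:named with mode 770) and then checks that nothing is left world-writable while named can still write under dynamic/. The NAMED_ROOT_OWNER, ZONE_OWNER and ZONE_GROUP variables are this script's own knobs, present so it can be exercised on a scratch directory as an unprivileged user; on the real server they default to root and named.

```shell
#!/bin/sh
# Added example (not from the original article): give named write access only
# where it needs it, instead of chmod 777 -R on /var/named. Layout assumed is the
# CentOS 6 bind package's: /var/named root:named 750, and dynamic/, slaves/,
# data/ named:named 770. The three variables below are this script's own knobs
# so the functions can be tried on a scratch directory as an unprivileged user.

# tighten_named_dir DIR: set ownership and modes, then strip world bits from
# everything underneath (including zone files an earlier 777 pass opened up).
tighten_named_dir() {
    dir="$1"
    chown "${NAMED_ROOT_OWNER:-root}:${ZONE_GROUP:-named}" "$dir"
    chmod 750 "$dir"
    for sub in dynamic slaves data; do
        mkdir -p "$dir/$sub"
        chown "${ZONE_OWNER:-named}:${ZONE_GROUP:-named}" "$dir/$sub"
        chmod 770 "$dir/$sub"
    done
    chmod -R o-rwx "$dir"
}

# world_writable_count DIR: how many entries under DIR any local user may
# modify. Should be 0; after chmod 777 -R it is every single entry.
world_writable_count() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# dynamic_writable_by_named DIR: succeeds when DIR/dynamic is owned by the named
# group and group-writable, i.e. named can still write slave zones there.
dynamic_writable_by_named() {
    [ "$(find "$1/dynamic" -prune -perm -020 -group "${ZONE_GROUP:-named}" | wc -l | tr -d ' ')" -eq 1 ]
}

# On the slave itself, as root:
#   tighten_named_dir /var/named && restorecon -Rv /var/named
#   world_writable_count /var/named      # expect 0
#   dynamic_writable_by_named /var/named && echo "named can write zones"
```

Run restorecon after tightening so that any subdirectory mkdir just created gets its named_cache_t label; the Unix modes and the SELinux label are two separate gates, and named needs both to pass.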

 

Reduce Access to Recursive Lookups

Recursive lookups require your server to keep searching until it can locate a definitive answer. This is great for people on your network, but you do not want to allow it for others, as you would be spending your resources on people who should be running their own DNS. Create an acl to limit access and then define your networks.

acl trusted {
    192.168.2.0/24;
    192.168.3.0/24;
    192.168.4.0/24;
};

options {
    allow-recursion { localhost; trusted; };
};

This then allows all of your users the access they need.
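
A slip in one of those prefixes (five octets instead of four, or a missing slash) is easy to miss when reading the file by eye, and named-checkconf only tells you the line that failed to parse. The following shell script is an added example, not code from the original article: it lints the address entries inside acl blocks and names each bad one. It goes slightly beyond the article's acl in that bare names (localhost, any, or another acl) are accepted as entries; negated entries and key references are not handled. The sample configuration is constructed from the article's acl with a broken prefix, 192.168.3.0.24, left in on purpose.

```shell
#!/bin/sh
# Added example (not from the original article): lint the address entries in
# named.conf acl blocks before restarting named. Handles the simple form used
# in the article (one address, prefix or acl name per entry); "!" negation and
# key references are out of scope. The sample config is constructed from the
# article's acl with a broken prefix (192.168.3.0.24) left in deliberately.
SAMPLE_NAMED_CONF='acl trusted {
    192.168.2.0/24;
    192.168.3.0.24;
    192.168.4.0/24;
    localhost;
};

options {
    allow-recursion { localhost; trusted; };
};'

# lint_acl_cidrs: read named.conf text on stdin; print "bad: <entry>" for every
# acl element that is neither a valid IPv4 address/prefix nor a bare acl name.
# Exit status is 1 when anything is bad, 0 otherwise.
lint_acl_cidrs() {
    awk '
    /^[[:space:]]*acl[[:space:]]/ { inacl = 1; next }
    inacl && /^[[:space:]]*}/     { inacl = 0; next }
    inacl {
        entry = $0
        gsub(/[[:space:];]/, "", entry)
        # blank lines and bare names (localhost, any, another acl) are fine
        if (entry == "" || entry ~ /^[A-Za-z][A-Za-z0-9_-]*$/) next
        # shape check: exactly four dotted numbers, optional /prefix
        ok = (entry ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/)
        if (ok) {
            # range check: octets 0-255, prefix length 0-32
            n = split(entry, p, "[./]")
            for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) ok = 0
            if (n == 5 && p[5] + 0 > 32) ok = 0
        }
        if (!ok) { print "bad: " entry; bad++ }
    }
    END { exit bad ? 1 : 0 }'
}

# Usage on the real file: lint_acl_cidrs < /etc/named.conf
printf '%s\n' "$SAMPLE_NAMED_CONF" | lint_acl_cidrs
```

Run it against /etc/named.conf before restarting; a non-zero exit with "bad: 192.168.3.0.24" is exactly what the sample above produces, and a silent exit 0 means every acl entry has the right shape and range.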

 

Allow The Slave to Listen

It is easy to miss this: you need to let the slave serve DNS on its public IP address, not only on localhost. Add the address to the options section so that named listens on both localhost and the IP address of the box DNS is on.

options {
    listen-on port 53 { 127.0.0.1; 192.168.4.1; };
};