CentOS 7 Unable to Resolve Any Host Names


New to Linux and looking for friendly assistance.

My company is re-configuring our network DNS infrastructure to point our internal DNS servers at two new CentOS 7 / BIND 9 machines in our DMZ instead of reaching straight out to resolve unknown hosts. I've installed CentOS core, configured the IP, Mask, and GW for the network the servers are on, and verified IP connectivity is working.

# cat /etc/sysconfig/network-scripts/ifcfg-ens160
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="ens160"
UUID="939ac388-1804-487d-a38c-307b7fa8ac18"
DEVICE="ens160"
ONBOOT="yes"
IPADDR="10.1xx.x.x"
PREFIX="24"
GATEWAY="10.1xx.x.1"
DNS1="127.0.0.1"
DNS2="8.8.8.8"
DNS3="198.41.0.4"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_PRIVACY="no"

I was then able to install BIND and BIND-UTILS. After that everything has gone downhill. I can't perform nslookups on anything from either server or from my internal test DNS server. I've worked with our firewall engineer and he has verified DNS traffic is allowed between my internal test DNS server and the two DMZ DNS cache servers, and from them out to the world; trying to reach him now to make sure the external NAT is working.
I have localhost, 8.8.8.8, and 198.41.0.4 configured as the DNS servers for both DNS Cache servers.

# cat /etc/resolv.conf
# Generated by NetworkManager
search <my.domain>
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 198.41.0.4

Hosts file:

# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Network file:

cat /etc/sysconfig/network
# Created by anaconda

I have also tried disabling the firewall on both servers, but there is no change in behavior.

I hate for this to be the hold up on the project, but I really hate to use Windows servers for this… 🙂
Any assistance would be greatly appreciated.

---------- UPDATE ----------

Thank you all for your replies. The 127.0.0.1 is there as a placeholder that will be replaced with the IP of the other server in the pair. The thought being that if one doesn't have a record in its cache, the other might, so ask it first before reaching out to the world for information. I have removed 127.0.0.1 from the list for now, restarted the server, and nslookups are working now. 🙂 IP connectivity has always been working even though DNS resolution was not; this allowed me to update Root hints yesterday morning. As for not using Linux and running with Windows, not my decision… Management wants to use Linux for this and I got tagged to make it happen. Thus my reaching out for help from folks that have more experience with it. I'll be spending my weekend buried in www.Pluralsight.com trying to learn more.

# dig +short @198.41.0.4 serverfault.com
# dig +short @8.8.8.8 serverfault.com
104.16.46.232
104.16.48.232
104.16.49.232
104.16.47.232
104.16.45.232
# dig +short @127.0.0.1 serverfault.com
;; connection timed out; no servers could be reached

# systemctl status named
named.service - Berkeley Internet Name Domain (DNS)
 Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
 Active: active (running) since Fri 2016-04-08 13:36:46 EDT; 5s ago
Process: 1867 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 1878 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
Process: 1876 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 1881 (named)
 CGroup: /system.slice/named.service
         1881 /usr/sbin/named -u named

Apr 08 13:36:46 <DNS Cache Server> named[1881]: managed-keys-zone: journal file is out of date: removi...file
Apr 08 13:36:46 <DNS Cache Server> named[1881]: managed-keys-zone: loaded serial 3
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone 0.in-addr.arpa/IN: loaded serial 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone localhost.localdomain/IN: loaded serial 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone localhost/IN: loaded serial 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0...al 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: all zones loaded
Apr 08 13:36:46 <DNS Cache Server> named[1881]: running
Apr 08 13:36:46 <DNS Cache Server> systemd[1]: Started Berkeley Internet Name Domain (DNS).
Hint: Some lines were ellipsized, use -l to show in full.

# ping www.eye4u.com
PING www.eye4u.com (208.91.197.132) 56(84) bytes of data.
64 bytes from 208.91.197.132: icmp_seq=1 ttl=244 time=46.4 ms
64 bytes from 208.91.197.132: icmp_seq=2 ttl=244 time=52.2 ms
... 
--- www.eye4u.com ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 26201ms
rtt min/avg/max/mdev = 45.103/49.591/54.753/3.257 ms

# nslookup
> www.bermuda.com
Server:         4.2.2.2
Address:        4.2.2.2#53

Non-authoritative answer:
www.bermuda.com canonical name = bermuda.com.
Name:   bermuda.com
Address: 104.27.191.246
Name:   bermuda.com
Address: 104.27.190.246

# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

acl trusted {
        <internal DNS 1 IP>
        <internal DNS 2 IP>
        <internal DNS 3 IP>
        <internal DNS 4 IP>
        <internal DNS 5 IP>
        <internal DNS 6 IP>
        localhost;
};
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        #allow-transfer {}
        allow-query     { trusted; };
    allow-query     { localhost; };
        forwarders { 198.41.0.4; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

************** UPDATE 2 **************

After posting the first update I noticed the "listen-on port 53" option was still set for "{ 127.0.0.1; };" so I added the IP of the cache server to the list and restarted named. Our internal DNS servers still couldn't query the cache servers so I checked the firewall status since I had restarted the cache server earlier. BINGO – I forgot to set a rule to enable the port 53 traffic. Things are happy now. If you see any settings in the config that could be improved please let me know. Thanks again for all your help.
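As an added check (my own code, not from the post or from BIND), here is a small Python audit of a named.conf options block for the things that bit this setup: a listen-on that only covers loopback (the Update 2 fix), the duplicated allow-query line, recursion left open to any without an allow-recursion ACL (the amplification risk the config comment warns about), and allow-transfer left unset. The SAMPLE string is constructed to mirror the posted config, with 192.0.2.10 standing in for the redacted internal addresses.

```python
import re

def strip_comments(text):  # BIND accepts /* */, // and # comments; drop all three
    return re.sub(r"/\*.*?\*/|(?://|#)[^\n]*", "", text, flags=re.S)

def statements(body):
    # (keyword, rest) pairs, splitting on ';' only at brace depth 0 so that
    # 'listen-on port 53 { 127.0.0.1; };' stays a single statement.
    out, buf, depth = [], "", 0
    for ch in body:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if ch == ";" and depth == 0:
            words = buf.split()
            if words:
                out.append((words[0], " ".join(words[1:])))
            buf = ""
        else:
            buf += ch
    return out

def acl_elements(value):  # '{ a; b; }' -> ['a', 'b']
    m = re.search(r"\{(.*)\}", value, flags=re.S)
    return [e.strip() for e in m.group(1).split(";") if e.strip()] if m else []

def audit_named_conf(text):
    # Top-level statements first, then the ones inside 'options { ... }'.
    top = dict(statements(strip_comments(text)))
    opts = {}
    for kw, rest in statements(top.get("options", "{}").strip()[1:-1]):
        opts.setdefault(kw, []).append(rest)
    findings = [f"duplicate option: {k}" for k, v in opts.items() if len(v) > 1]
    listen = acl_elements(opts.get("listen-on", ["{ any; }"])[0])
    if listen and set(listen) <= {"127.0.0.1", "::1", "localhost"}:
        findings.append("listen-on is loopback only: other hosts cannot query this resolver")
    if opts.get("recursion", ["yes"])[0] != "no" and "allow-recursion" not in opts \
            and "any" in acl_elements(opts.get("allow-query", ["{ any; }"])[-1]):
        findings.append("open resolver: recursion on, allow-query any, no allow-recursion")
    if "allow-transfer" not in opts:
        findings.append("allow-transfer unset (older BIND 9 defaults to any); set { none; }")
    return findings

# Constructed sample modelled on the options block posted above; 192.0.2.10 is an RFC 5737 placeholder.
SAMPLE = """acl trusted { 192.0.2.10; localhost; };
options {
    listen-on port 53 { 127.0.0.1; };
    #allow-transfer {}
    allow-query { trusted; };
    allow-query { localhost; };
    recursion yes;
};"""
```

Run `audit_named_conf(open("/etc/named.conf").read())` on the real file after `named-checkconf` passes; the checks are deliberately narrow and do not replace it.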

Best Answer

I had a similar issue. The step below worked for me and might be helpful for you.

vi /etc/selinux/config

and change the SELINUX line to SELINUX=disabled, then restart the server.

An example of the file after the edit is shown below:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted