Fake DNS Realm
From Linux NFS
Line 1: | Line 1: | ||
- | This document describes the basic setup of a fake DNS domain for use in testing NFSv4 (with Kerberos, etc). | + | This document describes the basic setup of a fake DNS domain for use in testing NFSv4 (with IPA, Kerberos, Cross-Realm Auth, etc) on [http://fedoraproject.org/ fedora] 15. |
To use a fake DNS domain, you must run a named server locally and configure all of the clients to use it as the only nameserver. | To use a fake DNS domain, you must run a named server locally and configure all of the clients to use it as the only nameserver. | ||
Line 8: | Line 8: | ||
* '''server.example.fake''' (192.168.56.20) | * '''server.example.fake''' (192.168.56.20) | ||
* '''client1.example.fake''' (192.168.56.40) | * '''client1.example.fake''' (192.168.56.40) | ||
+ | * ... | ||
= Install and configure a server for the fake DNS domain = | = Install and configure a server for the fake DNS domain = |
Revision as of 03:48, 20 July 2011
This document describes the basic setup of a fake DNS domain for use in testing NFSv4 (with IPA, Kerberos, Cross-Realm Auth, etc) on fedora 15.
To use a fake DNS domain, you must run a named server locally and configure all of the clients to use it as the only nameserver.
DNS domain: example.fake
Hosts:
- server.example.fake (192.168.56.20)
- client1.example.fake (192.168.56.40)
- ...
Contents |
Install and configure a server for the fake DNS domain
The first step is to install the name server ("bind", aka "named") on the server (192.168.56.20).
Install named on the server
[root@server ~]# sudo yum install bind
Configure the DNS zone
This creates a DNS zone for "example.fake".
Three services are defined for use with FreeIPA (XXX link??).
Create the file "/var/named/example.fake.zone":
$TTL 3D @ IN SOA ns1.example.fake. hostmaster.example.fake. ( 201107111 ; serial# 3600 ; refresh, seconds 3600 ; retry, seconds 3600 ; expire, seconds 3600 ) ; minimum, seconds NS ns1 ; Inet Address of nameserver example.fake. MX 10 mail ; Primary Mail Exchanger ns1 A 192.168.56.20 server A 192.168.56.20 client1 A 192.168.56.40 ipa CNAME build ; DNS auto discovery of services _ldap._tcp SRV 10 10 389 server.example.fake. _kerberos._udp SRV 10 10 88 server.example.fake. _kerberos._tcp SRV 10 10 88 server.example.fake.
Configure the reverse mapping
This defines the reverse mapping for the hosts you just defined. Services and CNAMEs don't need to have reverse mappings, but the A records they point to do (as do all A records).
Create the file "/var/named/192-168-56.zone":
$TTL 2d ; 172800 seconds $ORIGIN 56.168.192.IN-ADDR.ARPA. @ IN SOA ns1.example.fake. hostmaster.example.fake. ( 201107111 ; serial number 3600 ; refresh, seconds 3600 ; retry, seconds 3600 ; expire, seconds 3600 ) ; minimum, seconds IN NS ns1.example.fake. 20 IN PTR server.example.fake. 40 IN PTR client1.example.fake.
Modify named config
Named needs to be configured to use the new zone files and to run as the DNS server for the local network.
Add these sections to file "/etc/named.conf":
zone "example.fake" IN { type master; file "example.fake.zone"; }; zone "56.168.192.in-addr.arpa" IN { type master; file "192-168-56.zone"; };
Then edit the "options" section of the same file "/etc/named.conf":
- change the "listen-on" option to include the server's external address "{ localhost; 192.168.56.20; }"
- change "allow-query" option to "{ localhost; 192.168.56.0/24; }"
- change "dnssec-enable" option to "no"
- change "dnssec-validation" option to "no"
WARNING: Turning off DNSsec is probably not a good idea. Be careful.
The resulting /etc/named.conf:
// // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // options { listen-on port 53 { 127.0.0.1; 192.168.56.20; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { localhost; 192.168.56.0/24; }; recursion yes; dnssec-enable yes; dnssec-validation no; dnssec-lookaside auto; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "example.fake" IN { type master; file "example.fake.zone"; }; zone "56.168.192.in-addr.arpa" IN { type master; file "192-168-56.zone"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
Restart named
Restart named to pick up the changes:
[root@server ~]# service named restart Restarting named (via systemctl): [ OK ]
All hosts should use the fake DNS server
All of the hosts within this testing environment should be configured to use server.example.fake (192.168.56.20) as their only DNS server. This is only needed because the example uses a fake domain name. This step is not required with a real DNS domain.
Configure server and client(s) to use the fake DNS server
Edit file "/etc/sysconfig/network-scripts/ifcfg-eth0" (or whatever is appropriate) and change the "DNS1" line to:
DNS1=192.168.56.20
You should make sure there aren't any other "DNS" lines.
Restart network to pick up the change
[root@server ~]# service network restart Restarting network (via systemctl): [ OK ]
Test fake DNS domain
Make sure the right nameserver is being used:
[root@client1 ~]# cat /etc/resolv.conf # Generated by NetworkManager search example.fake nameserver 192.168.56.20
Lookup the server:
[root@client1 ~]# nslookup server.example.fake Server: 192.168.56.20 Address: 192.168.56.20#53 Name: server.example.fake Address: 192.168.56.20
Now do the reverse lookup on the server:
[root@client1 ~]# nslookup 192.168.56.20 Server: 192.168.56.20 Address: 192.168.56.20#53 20.56.168.192.in-addr.arpa name = server.example.fake.
Common problems
XXX