This document describes the basic setup of a fake DNS domain for use in testing NFSv4 (with IPA, Kerberos, Cross-Realm Auth, etc.) on [http://fedoraproject.org/ fedora] 15.

To use a fake DNS domain, you must run a named server locally and configure all of the clients to use it as the only nameserver.

DNS domain: '''example.fake'''

Hosts:
* '''server.example.fake''' (192.168.56.20)
* '''client1.example.fake''' (192.168.56.40)
* ...
= Install and configure a server for the fake DNS domain =

The first step is to install the name server ("bind", aka "named") on the server (192.168.56.20).

== Install named on the server ==

<pre>
[root@server ~]# sudo yum install bind
</pre>
== Configure the DNS zone ==

This creates a DNS zone for "example.fake".

Three services are defined for use with FreeIPA (XXX link??).

Create the file "/var/named/example.fake.zone":

<pre>
$TTL 3D
@       IN SOA  ns1.example.fake. hostmaster.example.fake. (
                201107111   ; serial#
                3600        ; refresh, seconds
                3600        ; retry, seconds
                3600        ; expire, seconds
                3600 )      ; minimum, seconds

        NS      ns1                 ; Inet Address of nameserver
example.fake.   MX  10  mail        ; Primary Mail Exchanger

ns1     A       192.168.56.20
server  A       192.168.56.20

client1 A       192.168.56.40

ipa     CNAME   server

; DNS auto discovery of services
_ldap._tcp      SRV 10 10 389   server.example.fake.
_kerberos._udp  SRV 10 10 88    server.example.fake.
_kerberos._tcp  SRV 10 10 88    server.example.fake.
</pre>
== Configure the reverse mapping ==

This defines the reverse mapping for the hosts you just defined. Services and CNAMEs don't need to have reverse mappings, but the A records they point to do (as do all A records).

Create the file "/var/named/192-168-56.zone":

<pre>
$TTL 2d ; 172800 seconds
$ORIGIN 56.168.192.IN-ADDR.ARPA.
@       IN SOA  ns1.example.fake. hostmaster.example.fake. (
                201107111   ; serial number
                3600        ; refresh, seconds
                3600        ; retry, seconds
                3600        ; expire, seconds
                3600 )      ; minimum, seconds

        IN NS   ns1.example.fake.
20      IN PTR  server.example.fake.
40      IN PTR  client1.example.fake.
</pre>
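The rule stated in the two sections above (every A record needs a PTR in the reverse zone, and the names that NS, MX, SRV and CNAME records point at need an A record) can be checked mechanically before the zones are loaded. The script below is an added example, not part of this page or of bind: it embeds copies of the two zone files above as constructed strings, parses only the record shapes they use, and reports every mismatch between the forward and reverse zones. Run on the page's own zones it reports one finding, the MX target mail.example.fake, which has no A record; a second call in the usage note shows what a PTR on the wrong address looks like.

```python
"""Cross-check a forward zone against its reverse zone.
Added example (not from the wiki page or from bind). The zone files from the
page are embedded as constructed strings; the parser handles only the record
shapes they use: one record per line, a parenthesised SOA, $TTL/$ORIGIN, ';' comments.
"""
import ipaddress
import re

FORWARD_ZONE = """\
$TTL 3D
@ IN SOA ns1.example.fake. hostmaster.example.fake. (
        201107111 3600 3600 3600 3600 )  ; serial refresh retry expire minimum
        NS ns1                           ; Inet Address of nameserver
example.fake. MX 10 mail                 ; Primary Mail Exchanger
ns1 A 192.168.56.20
server A 192.168.56.20
client1 A 192.168.56.40
ipa CNAME server
_ldap._tcp SRV 10 10 389 server.example.fake.
_kerberos._udp SRV 10 10 88 server.example.fake.
_kerberos._tcp SRV 10 10 88 server.example.fake.
"""
REVERSE_ZONE = """\
$TTL 2d ; 172800 seconds
$ORIGIN 56.168.192.IN-ADDR.ARPA.
@ IN SOA ns1.example.fake. hostmaster.example.fake. (
        201107111 3600 3600 3600 3600 )
        IN NS ns1.example.fake.
20 IN PTR server.example.fake.
40 IN PTR client1.example.fake.
"""

CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"^\d+[smhdw]?$", re.IGNORECASE)
# rdata positions holding domain names, and those that must resolve to an address
NAME_FIELDS = {"SOA": (0, 1), "NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SRV": (3,)}
TARGET_FIELDS = {"SOA": (0,), "NS": (0,), "CNAME": (0,), "MX": (1,), "SRV": (3,)}


def qualify(name, origin):
    """Zone-file name -> lowercase FQDN without the trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    return name[:-1] if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, rtype, rdata_tokens)] with every name fully qualified."""
    origin = origin.lower().rstrip(".")
    records, owner, buf = [], origin, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip() and not buf:
            continue
        buf = f"{buf} {line.strip()}" if buf else line  # first line keeps its indentation
        if buf.count("(") > buf.count(")"):
            continue                                    # still inside a ( ... ) continuation
        logical, buf = buf, ""
        tokens = [t for t in logical.split() if t not in ("(", ")")]
        if logical.startswith("$"):                     # $TTL / $ORIGIN directives
            if tokens[0].upper() == "$ORIGIN":
                origin = tokens[1].lower().rstrip(".")
            continue
        if not logical[0].isspace():                    # new owner; an indented line inherits it
            owner = qualify(tokens.pop(0), origin)
        while tokens and (tokens[0].upper() in CLASSES or TTL_RE.match(tokens[0])):
            tokens.pop(0)                               # optional class and TTL
        rtype = tokens.pop(0).upper()
        for i in NAME_FIELDS.get(rtype, ()):
            tokens[i] = qualify(tokens[i], origin)
        records.append((owner, rtype, tokens))
    return records


def addresses_for(name, records, depth=0):
    """A records for a name, following CNAMEs (the page maps ipa -> server)."""
    addrs = [r[0] for o, t, r in records if o == name and t == "A"]
    cnames = [r[0] for o, t, r in records if o == name and t == "CNAME"]
    if addrs or not cnames or depth > 8:
        return addrs
    return addresses_for(cnames[0], records, depth + 1)


def ptr_to_ipv4(owner):
    """'20.56.168.192.in-addr.arpa' -> '192.168.56.20' (IPv4 reverse zones only)."""
    labels = owner.split(".")
    return ".".join(reversed(labels[: labels.index("in-addr")]))


def check_zones(forward_text, forward_origin, reverse_text, reverse_origin):
    """Return a sorted list of problems; an empty list means the zones agree."""
    records = parse_zone(forward_text, forward_origin) + parse_zone(reverse_text, reverse_origin)
    ptrs = {o for o, t, _ in records if t == "PTR"}
    problems = set()
    for owner, rtype, rdata in records:
        if rtype == "A" and ipaddress.ip_address(rdata[0]).reverse_pointer not in ptrs:
            problems.add(f"A {owner} -> {rdata[0]} has no PTR record")
        elif rtype == "PTR":
            ip = ptr_to_ipv4(owner)
            if ip not in addresses_for(rdata[0], records):
                problems.add(f"PTR {owner} -> {rdata[0]} does not map back to {ip}")
        for i in TARGET_FIELDS.get(rtype, ()):        # NS/MX/SRV/CNAME/SOA targets need an A
            if not addresses_for(rdata[i], records):
                problems.add(f"{rtype} {owner} target {rdata[i]} has no A record")
    return sorted(problems)


if __name__ == "__main__":
    for p in check_zones(FORWARD_ZONE, "example.fake", REVERSE_ZONE, "56.168.192.in-addr.arpa"):
        print(p)
```

The origins passed to check_zones are the zone names from the named.conf "zone" statements, which is also what named uses for names that are not fully qualified. This script is a consistency check only; the authoritative syntax check on the server is bind's own <code>named-checkzone example.fake /var/named/example.fake.zone</code> (and the same for the reverse zone), which should be run before restarting named.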
== Modify named config ==

Named needs to be configured to use the new zone files and to run as the DNS server for the local network.

Add these sections to file "/etc/named.conf":

<pre>
zone "example.fake" IN {
        type master;
        file "example.fake.zone";
};

zone "56.168.192.in-addr.arpa" IN {
        type master;
        file "192-168-56.zone";
};
</pre>

Then edit the "options" section of the same file "/etc/named.conf":

* change the "listen-on" option to include the server's external address "{ localhost; 192.168.56.20; }"
* change the "allow-query" option to "{ localhost; 192.168.56.0/24; }"
* change the "dnssec-enable" option to "no"
* change the "dnssec-validation" option to "no"

'''WARNING:''' Turning off DNSsec is probably not a good idea. Be careful.

The resulting /etc/named.conf:
<pre>
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 192.168.56.20; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.56.0/24; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation no;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "example.fake" IN {
        type master;
        file "example.fake.zone";
};

zone "56.168.192.in-addr.arpa" IN {
        type master;
        file "192-168-56.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
</pre>
== Restart named ==

Restart named to pick up the changes:

<pre>
[root@server ~]# service named restart
Restarting named (via systemctl):                          [  OK  ]
</pre>
= All hosts should use the fake DNS server =

All of the hosts within this testing environment should be configured to use server.example.fake (192.168.56.20) as their only DNS server. This is only needed because the example uses a fake domain name. This step is not required with a real DNS domain.

== Configure server and client(s) to use the fake DNS server ==

Edit file "/etc/sysconfig/network-scripts/ifcfg-eth0" (or whatever is appropriate) and change the "DNS1" line to:

<pre>
DNS1=192.168.56.20
</pre>

You should make sure there aren't any other "DNS" lines.

== Restart network to pick up the change ==

<pre>
[root@server ~]# service network restart
Restarting network (via systemctl):                        [  OK  ]
</pre>
== Test fake DNS domain ==

Make sure the right nameserver is being used:

<pre>
[root@client1 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.fake
nameserver 192.168.56.20
</pre>
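Both client-side checks above (a single "DNS1" line in the ifcfg file, and a resolv.conf that names only 192.168.56.20) can be scripted and run on every host in the test environment. The Python below is an added example, not code from this page; the ifcfg and resolv.conf contents it checks are constructed samples, and the second resolv.conf sample shows what a leftover DNS2 line turns into once NetworkManager regenerates the file.

```python
"""Check a client's resolver configuration for the fake DNS domain.
Added example, not from the wiki page. It inspects the two files the page
edits or reads (ifcfg DNSn= lines and /etc/resolv.conf) and reports anything
that would let lookups reach a nameserver other than the fake one.
"""
import re

EXPECTED_NS = "192.168.56.20"
EXPECTED_SEARCH = "example.fake"

# Constructed ifcfg-eth0 that still carries a second DNS line
SAMPLE_IFCFG = """\
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.56.40
NETMASK=255.255.255.0
DNS1="192.168.56.20"
DNS2=192.168.56.1
"""

# Constructed resolv.conf as NetworkManager writes it once only DNS1 is set
SAMPLE_RESOLV_GOOD = """\
# Generated by NetworkManager
search example.fake
nameserver 192.168.56.20
"""

# Constructed resolv.conf generated while the DNS2 line was still present
SAMPLE_RESOLV_STALE = """\
# Generated by NetworkManager
search example.fake
nameserver 192.168.56.20
nameserver 192.168.56.1
"""


def check_ifcfg(text, expected_ns):
    """Problems with the DNSn= lines of an ifcfg file; an empty list is good."""
    dns = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            if re.fullmatch(r"DNS\d+", key.strip()):
                dns[key.strip()] = value.strip().strip("\"'")   # values may be quoted
    problems = []
    if dns.get("DNS1") != expected_ns:
        problems.append(f"DNS1 is {dns.get('DNS1')}, expected {expected_ns}")
    for key in sorted(k for k in dns if k != "DNS1"):
        problems.append(f"remove {key}={dns[key]}: the fake server must be the only nameserver")
    return problems


def check_resolv_conf(text, expected_ns, expected_search):
    """Problems with a generated resolv.conf; an empty list is good."""
    nameservers, search = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("search", "domain"):
            search.extend(args)
    problems = []
    if not nameservers:
        problems.append("no nameserver configured")
    elif nameservers[0] != expected_ns:
        problems.append(f"first nameserver is {nameservers[0]}, expected {expected_ns}")
    for extra in nameservers[1:]:
        problems.append(f"extra nameserver {extra}: queries can fall back to it and leave the fake domain")
    if expected_search not in search:
        problems.append(f"search list {search} lacks {expected_search}: short names like 'server' will not expand")
    return problems


if __name__ == "__main__":
    for name, found in [("ifcfg-eth0", check_ifcfg(SAMPLE_IFCFG, EXPECTED_NS)),
                        ("resolv.conf", check_resolv_conf(SAMPLE_RESOLV_STALE, EXPECTED_NS, EXPECTED_SEARCH))]:
        for p in found:
            print(f"{name}: {p}")
```

On a real host the two functions would be fed the contents of /etc/sysconfig/network-scripts/ifcfg-eth0 and /etc/resolv.conf; the ifcfg check is the one worth running first, because NetworkManager rewrites resolv.conf from it on every network restart.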
Look up the server:

<pre>
[root@client1 ~]# nslookup server.example.fake
Server:         192.168.56.20
Address:        192.168.56.20#53

Name:   server.example.fake
Address: 192.168.56.20

</pre>

Now do the reverse lookup on the server:

<pre>
[root@client1 ~]# nslookup 192.168.56.20
Server:         192.168.56.20
Address:        192.168.56.20#53

20.56.168.192.in-addr.arpa      name = server.example.fake.

</pre>

= Common problems =

XXX