My RHEL6 boxes don't have internet access, so this has been a little bit awkward for me to test. I essentially set up a master DNS server and then modified the /var/named/named.ca file in the caching name server, where I changed the IP address of one of the servers to be my master DNS server, like this:

M.ROOT-SERVERS.NET. 3600000 IN A 10.168.20.233

I think I might be getting a little bit ahead of myself. Let's start from the beginning and install Bind:

yum install bind -y

You'll now need to edit the bind configuration file /etc/named.conf and make a few changes:

listen-on port 53 { any; };
allow-query { any; };

Given the fact that I had not configured DNSSec properly I also commented the dnssec lines out.

/* dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
*/

Ensure that the Bind daemon is set to run at boot time:

chkconfig named on

Open up the firewall and save the changes:

iptables -I INPUT -p udp --dport 53 -j ACCEPT; iptables -I INPUT -p tcp --dport 53 -j ACCEPT;
service iptables save

You can now start named:

service named start

The best way to test this is to use dig and look at the times it takes to run a query. In my case, I can just turn off the master DNS server and if the results are cached, then I will get a response, e.g.:

dig myserver.domain.com
;; Query time: 2 msec
;; SERVER: 10.168.20.234#53(10.168.20.234)

dig myserver.domain.com
;; Query time: 0 msec
;; SERVER: 10.168.20.234#53(10.168.20.234)

This feels a little bit unsatisfying, so I used the tc command to add a 200 millisecond delay to all traffic on eth0 (note that this is done in the master DNS server):

tc qdisc add dev eth0 root netem delay 200ms

I bounced the caching server and tried again with dig:

dig myserver.domain.com
;; Query time: 202 msec
;; SERVER: 10.168.20.234#53(10.168.20.234)

dig myserver.domain.com
;; Query time: 0 msec
;; SERVER: 10.168.20.234#53(10.168.20.234)

A lot better this time :). It now makes a bit more sense to have a caching name server.
Note that the cache is stored in memory and therefore will disappear after a reboot of the server or of named itself, see here.
Also note that there are no SELinux settings related to this objective, and that in order to prevent hosts from accessing the service you should use an iptables rule.
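Two small helpers for the procedure above, added here as an example and not part of the original post. The first parses the ";; Query time:" line that the dig runs above show and decides whether a repeat query was answered from the cache; the second reads a named.conf options block and flags the combination used above, allow-query { any; } with no allow-recursion line, because a BIND server configured that way recurses for anyone who can reach port 53, and the iptables rule is then the only thing standing between it and being an open resolver. The function names, the threshold of 5 msec and the 10.168.20.0/24 network in the restricted sample are assumptions; the dig output and named.conf fragments are constructed inline to mirror the post, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh, sed and grep.
# Function names, the 5 msec threshold and the 10.168.20.0/24 network below
# are assumptions; the dig output and named.conf text are constructed samples.

# query_time_msec: print the N from ";; Query time: N msec" in dig output
# read on stdin (first match only; prints nothing if the line is absent).
query_time_msec() {
    sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p' | head -n 1
}

# cache_hit FIRST_OUTPUT SECOND_OUTPUT [THRESHOLD]
# Returns 0 when the repeat query answered within THRESHOLD msec (default 5)
# and faster than the first run, which is what a cached answer looks like;
# returns 1 otherwise (including when either output lacks a Query time line).
cache_hit() {
    first=$(printf '%s\n' "$1" | query_time_msec)
    second=$(printf '%s\n' "$2" | query_time_msec)
    threshold=${3:-5}
    [ -n "$first" ] && [ -n "$second" ] || return 1
    [ "$second" -le "$threshold" ] && [ "$second" -lt "$first" ]
}

# audit_named_conf: read an options block on stdin and print "open-resolver"
# when allow-query { any; } is present with no allow-recursion line to narrow
# who may recurse; print "restricted" otherwise.
audit_named_conf() {
    conf=$(cat)
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*allow-query[[:space:]]*[{][[:space:]]*any;' \
       && ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*allow-recursion'; then
        echo open-resolver
    else
        echo restricted
    fi
}

# Constructed sample data mirroring the timings and config shown in the post.
DIG_FIRST=';; Query time: 202 msec
;; SERVER: 10.168.20.234#53(10.168.20.234)'
DIG_SECOND=';; Query time: 0 msec
;; SERVER: 10.168.20.234#53(10.168.20.234)'

CONF_OPEN='options {
    listen-on port 53 { any; };
    allow-query { any; };
};'
CONF_RESTRICTED='options {
    listen-on port 53 { any; };
    allow-query { any; };
    allow-recursion { 127.0.0.1; 10.168.20.0/24; };
};'

if cache_hit "$DIG_FIRST" "$DIG_SECOND"; then
    echo "second query served from cache"
fi
printf '%s\n' "$CONF_OPEN" | audit_named_conf
printf '%s\n' "$CONF_RESTRICTED" | audit_named_conf
```

On a live box, feed the helpers real output instead of the samples, e.g. `dig myserver.domain.com | query_time_msec` twice in a row, and `audit_named_conf < /etc/named.conf` after editing the options block. Adding an allow-recursion line listing only the networks that should use the cache turns the check from "open-resolver" to "restricted" and does not depend on the firewall rule being present.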