Great, we finally finished setting up our nameserver fulfilling all of the basic necessities our business needs and boom, all the sudden the nameserver’s network goes down, suddenly no machines are able to resolve DNS.
Once the issue is resolved, the business owner decides it’s time to add multiple DNS servers for redundancy in case the situation happens again.
This is where Master/Slave DNS server configurations come in for redundancy.
Generally what this does is we have a master server (our previous rhel92 server) which copies/transfers/sends record updates to our new slave servers (in our case this will be rhel92-2 with IP 192.168.0.79).
First things first, on our -current- bind server (rhel92), we need to allow transfers to the slave.
Open /etc/named.conf and in the options section, we’re going to add the ‘allow-transfer’ option with our slave server’s IP:
# vim /etc/named.conf
options {
....
allow-transfer { localhost; 192.168.0.79; };
notify yes;
also-notify { 192.168.0.79; };
....
}Then:
# systemctl reload named-chroot.What do these options do?
- allow-transfer defines a match list e.g. IP address(es) that are allowed to transfer (copy) the zone information to/from the server (master or slave for the zone).
- also-notify tells our master to send notifications for record updates to the specified IP addresses (our slave)
Doing this allows us to make changes on the master and have them automatically propagate to any slaves without having to manually copy over each modified zone file to each slave.
Now let’s go ahead and set up rhel92-2 with the same /etc/resolv.conf settings as our first server, and set its hostname:
rhel92-2:
# hostname rhel92-2.fakedomain.devOn all of our clients, we need to add this new second DNS server:
rhel89, rhel88:
# echo 'nameserver 192.168.0.79' >> /etc/resolv.dnsmasqBack on rhel92-2, basically what we’ve done is copied the /etc/named.conf over from our ‘master’ server.
Now we need to change it to do a few things:
1. Listen on the correct IP address and allow receiving notifications from master. We also want to make sure our received transferred records save in plain-text format.
# vim /etc/named.conf
....
listen-on port 53 { 127.0.0.1;192.168.0.79; };
allow-notify { localhost; 192.168.0.66; };
masterfile-format text;
....2. On our slave server we need to edit our forward and reverse zones so that they retrieve records from the master instead of us having to create them:
# vim /etc/named.conf
....
zone "fakedomain.dev" {
type slave;
file "slaves/fakedomain.dev.zone";
masters { 192.168.0.66; };
};
zone "0.168.192.in-addr.arpa" {
type slave;
file "slaves/0.168.192.in-addr.arpa.zone";
masters { 192.168.0.66; };
};
....Once again reload:
# systemctl reload named-chrootAnd like magic, our secondary slave server can be queried for any of the same records as our master from any of our servers:
[root@rhel88 ~]# nslookup webapp
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: webapp.fakedomain.dev
Address: 192.168.0.63
[root@rhel88 ~]# nslookup webapp 192.168.0.66
Server: 192.168.0.66
Address: 192.168.0.66#53
Name: webapp.fakedomain.dev
Address: 192.168.0.63
[root@rhel88 ~]# nslookup webapp 192.168.0.79
Server: 192.168.0.79
Address: 192.168.0.79#53
Name: webapp.fakedomain.dev
Address: 192.168.0.63PLOT TWIST: Now let’s say the business ownder decides to change the IP of the webapp server to 192.168.0.64.
Let’s go change it on the master:
Now let’s say you decide to change the IP of the webapp server to 192.168.0.64. Let’s go change it on the master:
rhel92:
# vim /var/named/fakedomain.dev.zone
.........
$TTL 8h
@ IN SOA ns1.fakedomain.dev. fakedomain.dev. (
2022070601 ; serial number
1d ; refresh period
3h ; retry period
3d ; expire time
3h ) ; minimum TTL
IN NS ns1.fakedomain.dev.
ns1 IN A 192.168.0.66
rhel92 IN A 192.168.0.66
rhel89 IN A 192.168.0.63
rhel88 IN A 192.168.0.67
webapp IN A 192.168.0.64
.........# vim /var/named/0.168.192.in-addr.arpa.zone
.........
$TTL 8h
@ IN SOA ns1.fakedomain.dev. fakedomain.dev. (
2022070601 ; serial number
1d ; refresh period
3h ; retry period
3d ; expire time
3h ) ; minimum TTL
IN NS ns1.fakedomain.dev.
66 IN PTR ns1.fakedomain.dev.
66 IN PTR rhel92.fakedomain.dev.
63 IN PTR rhel89.fakedomain.dev.
64 IN PTR webapp.fakedomain.dev.
67 IN PTR rhel88.fakedomain.dev.
.........Reload:
# systemctl reload named-chrootCheck from another server:
[root@rhel88 ~]# nslookup webapp 192.168.0.66
Server: 192.168.0.66
Address: 192.168.0.66#53
Name: webapp.fakedomain.dev
Address: 192.168.0.64Now check the slave:
[root@rhel88 ~]# nslookup webapp 192.168.0.79
Server: 192.168.0.79
Address: 192.168.0.79#53
Name: webapp.fakedomain.dev
Address: 192.168.0.63UH-OH! There’s a problem here! Our slave still has the old IP. How do we fix this?
GENERALLY After the TTL expires for the zone (ours is configured for 8 hours) it auto-refreshes. But we need this fixed for production. How do we force the transfer?
- If you really need to force a zone transfer to a slave immediately, you’ll have to delete the backup zone data file and restart — not reload — the name server.
However, to correct the situation for the future, once you realize that you ‘done goofed’ and found that 8 hours is way too long for your TTL, first go edit the TTL on the master server zone files. Since we want our example to refresh very fast, we’re going to set it to 60 (1 minute), but something like 3600 (1 hr) is typical:
# vim /var/named/fakedomain.dev.zone
$TTL 60
@ IN SOA ns1.fakedomain.dev. fakedomain.dev. (
2022070601 ; serial number
60 ; refresh period
60 ; retry period
60 ; expire time
60 ) ; minimum TTL# vim /var/named/0.168.192.in-addr.arpa.zone
$TTL 60
@ IN SOA ns1.fakedomain.dev. fakedomain.dev. (
2022070601 ; serial number
60 ; refresh period
60 ; retry period
60 ; expire time
60 ) ; minimum TTL# systemctl reload named-chrootNow, as mentioned to fix our blooper we’ll have to delete the zone files from our slave server:
rhel92-2:
rm -Rf /var/named/slaves
rm -Rf /var/named/chroot/var/named/slaves# systemctl restart named-chrootFinally, both servers should return the same value from our other non-dns servers:
[root@rhel88 ~]# nslookup webapp 192.168.0.79
Server: 192.168.0.79
Address: 192.168.0.79#53
Name: webapp.fakedomain.dev
Address: 192.168.0.64
[root@rhel88 ~]# nslookup webapp 192.168.0.66
Server: 192.168.0.66
Address: 192.168.0.66#53
Name: webapp.fakedomain.dev
Address: 192.168.0.64And if we change it again on the primary rhel92:
/var/named/fakedomain.dev.zone
webapp IN A 192.168.0.65/var/named/0.168.192.in-addr.arpa.zone
65 IN PTR webapp.fakedomain.dev.# systemctl reload named-chrootThen wait a short time (roughly 60 seconds), the TTL should auto-update the changes on our slave now:
[root@rhel88 ~]# nslookup webapp 192.168.0.79
Server: 192.168.0.79
Address: 192.168.0.79#53
Name: webapp.fakedomain.dev
Address: 192.168.0.65
[root@rhel88 ~]# nslookup webapp 192.168.0.66
Server: 192.168.0.66
Address: 192.168.0.66#53
Name: webapp.fakedomain.dev
Address: 192.168.0.65Hurray! \o/