This document describes the basic setup of a fake DNS domain for use in testing NFSv4 (with IPA, Kerberos, cross-realm authentication, etc.) on [http://fedoraproject.org/ fedora] 15.

To use a fake DNS domain, you must run a named server locally and configure all of the clients to use it as their only nameserver.

DNS domain: '''example.fake'''

Hosts:

* '''server.example.fake''' (192.168.56.20)
* '''client1.example.fake''' (192.168.56.40)
* ...

= Install and configure a server for the fake DNS domain =

The first step is to install the name server ("bind", aka "named") on the server (192.168.56.20).

== Install named on the server ==

<pre>
[root@server ~]# sudo yum install bind
</pre>

== Configure the DNS zone ==

This creates a DNS zone for "example.fake".

Three service (SRV) records are defined so that FreeIPA clients can discover the LDAP and Kerberos services (XXX link??).

Create the file "/var/named/example.fake.zone":

<pre>
$TTL 3D
@       IN SOA ns1.example.fake. hostmaster.example.fake. (
                201107111       ; serial#
                3600            ; refresh, seconds
                3600            ; retry, seconds
                3600            ; expire, seconds
                3600 )          ; minimum, seconds

        NS      ns1             ; Inet Address of nameserver
example.fake.   MX      10 mail ; Primary Mail Exchanger

ns1     A       192.168.56.20
server  A       192.168.56.20

client1 A       192.168.56.40

ipa     CNAME   server

; DNS auto discovery of services
_ldap._tcp      SRV 10 10 389 server.example.fake.
_kerberos._udp  SRV 10 10 88  server.example.fake.
_kerberos._tcp  SRV 10 10 88  server.example.fake.
</pre>

== Configure the reverse mapping ==

This defines the reverse mapping for the hosts you just defined. Services and CNAMEs don't need reverse mappings, but the A records they point to do (as do all A records).

Create the file "/var/named/192-168-56.zone":

<pre>
$TTL 2d ; 172800 seconds
$ORIGIN 56.168.192.IN-ADDR.ARPA.
@       IN SOA ns1.example.fake. hostmaster.example.fake. (
                201107111       ; serial number
                3600            ; refresh, seconds
                3600            ; retry, seconds
                3600            ; expire, seconds
                3600 )          ; minimum, seconds

        IN NS   ns1.example.fake.
20      IN PTR  server.example.fake.
40      IN PTR  client1.example.fake.
</pre>
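The rule just stated (every A record needs a PTR, and every CNAME or SRV target must lead to an A record) is easy to break when two zone files are edited by hand. The following script is an added example, not tooling from this page or from the bind package: it parses the forward and reverse zones above (embedded inline as constructed sample input, with the owner-less lines indented as a real zone file requires) and reports any A/PTR mismatch or dangling target. It assumes only the subset of zone-file syntax used on this page (one record per line, '@' or blank owners, a parenthesised SOA, $TTL and $ORIGIN).

```python
"""Cross-check a forward zone against its in-addr.arpa reverse zone.

Added example, not the wiki page's own tooling. The zone text is constructed
from the two zones shown on the page; the parser handles only the syntax
used there (single-line records, '@'/blank owners, parenthesised SOA,
$TTL and $ORIGIN directives).
"""

FORWARD_ZONE = """\
$TTL 3D
@       IN SOA ns1.example.fake. hostmaster.example.fake. (
                201107111 ; serial#
                3600 ; refresh
                3600 ; retry
                3600 ; expire
                3600 ) ; minimum
        NS      ns1
example.fake.   MX      10 mail
ns1     A       192.168.56.20
server  A       192.168.56.20
client1 A       192.168.56.40
ipa     CNAME   server
_ldap._tcp      SRV 10 10 389 server.example.fake.
_kerberos._udp  SRV 10 10 88  server.example.fake.
_kerberos._tcp  SRV 10 10 88  server.example.fake.
"""

REVERSE_ZONE = """\
$TTL 2d ; 172800 seconds
$ORIGIN 56.168.192.IN-ADDR.ARPA.
@       IN SOA ns1.example.fake. hostmaster.example.fake. (
                201107111 ; serial number
                3600 ; refresh
                3600 ; retry
                3600 ; expire
                3600 ) ; minimum
        IN NS   ns1.example.fake.
20      IN PTR  server.example.fake.
40      IN PTR  client1.example.fake.
"""


def qualify(name, origin):
    """Make an owner or target absolute and lower-case, relative to origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, rtype, rdata_tokens) tuples for every record in text.
    Tracks $ORIGIN, blank owners (inherit the previous owner) and skips the
    parenthesised SOA continuation lines; class and TTL tokens are dropped."""
    origin = origin.lower().rstrip(".") + "."
    records, last_owner, in_paren = [], origin, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if in_paren:                              # inside SOA ( ... )
            in_paren = ")" not in line
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower().rstrip(".") + "."
            continue
        if tokens[0].startswith("$"):             # $TTL and friends
            continue
        owner = last_owner if line[0].isspace() else qualify(tokens.pop(0), origin)
        while tokens and (tokens[0].upper() == "IN" or tokens[0].isdigit()):
            tokens.pop(0)                         # optional TTL / class
        rtype = tokens.pop(0).upper()
        in_paren = "(" in line and ")" not in line
        last_owner = owner
        records.append((owner, rtype, tokens))
    return records


def check_zones(forward_text, reverse_text, fwd_origin="example.fake.",
                rev_origin="56.168.192.in-addr.arpa."):
    """Return a list of human-readable consistency problems (empty if clean)."""
    fwd = parse_zone(forward_text, fwd_origin)
    rev = parse_zone(reverse_text, rev_origin)
    a_records = {}                                # fqdn -> {ip}
    for owner, rtype, rdata in fwd:
        if rtype == "A":
            a_records.setdefault(owner, set()).add(rdata[0])
    ptrs = {}                                     # ip -> {fqdn}
    for owner, rtype, rdata in rev:
        if rtype == "PTR":
            labels = owner.rstrip(".").split(".")[:-2]   # drop in-addr.arpa
            ip = ".".join(reversed(labels))
            ptrs.setdefault(ip, set()).add(qualify(rdata[0], fwd_origin))
    problems = []
    for name, ips in a_records.items():
        for ip in sorted(ips):
            if name not in ptrs.get(ip, ()):
                problems.append(f"A {name} -> {ip} has no PTR in the reverse zone")
    for ip, names in ptrs.items():
        for name in sorted(names):
            if ip not in a_records.get(name, ()):
                problems.append(f"PTR {ip} -> {name} has no matching A record")
    target_index = {"NS": 0, "CNAME": 0, "MX": 1, "SRV": 3}   # position of the target
    for owner, rtype, rdata in fwd:
        if rtype in target_index:
            target = qualify(rdata[target_index[rtype]], fwd_origin)
            if target not in a_records:
                problems.append(f"{rtype} target {target} has no A record in the zone")
    return problems


if __name__ == "__main__":
    for problem in check_zones(FORWARD_ZONE, REVERSE_ZONE) or ["zones are consistent"]:
        print(problem)
```

Run against the page's own zones it reports two things worth knowing before you rely on reverse lookups: ns1 shares 192.168.56.20 with server but only server has a PTR, and the MX target mail has no A record at all. Neither stops named from loading the zone, which is exactly why a check like this belongs next to the zone files.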

== Modify named config ==

Named needs to be configured to use the new zone files and to run as the DNS server for the local network.

Add these sections to file "/etc/named.conf":

<pre>
zone "example.fake" IN {
        type master;
        file "example.fake.zone";
};

zone "56.168.192.in-addr.arpa" IN {
        type master;
        file "192-168-56.zone";
};
</pre>

Then edit the "options" section of the same file "/etc/named.conf":

* change the "listen-on" option to include the server's external address: "{ localhost; 192.168.56.20; }"
* change the "allow-query" option to "{ localhost; 192.168.56.0/24; }"
* change the "dnssec-enable" option to "no"
* change the "dnssec-validation" option to "no"

'''WARNING:''' Turning off DNSSEC is probably not a good idea. Be careful.

The resulting /etc/named.conf:

<pre>
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 192.168.56.20; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.56.0/24; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation no;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "example.fake" IN {
        type master;
        file "example.fake.zone";
};

zone "56.168.192.in-addr.arpa" IN {
        type master;
        file "192-168-56.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
</pre>
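The two options that matter most for exposure in this file are "recursion yes" combined with the "allow-query" list (if that list were "any" while named listens on 192.168.56.20, the box would be an open recursive resolver for whoever can reach it) and "dnssec-validation no", which the warning above already flags. The script below is an added example, not part of the page or of the bind package: it parses the options block of the resulting named.conf (embedded inline as constructed sample input, trimmed to the statements that matter) and reports those two conditions, then re-runs on a constructed variant with "allow-query { any; }" to show the open-resolver case. The fallback order it uses when "allow-recursion" is absent (allow-query-cache, then allow-query, then localnets/localhost) is BIND 9's documented default and is stated as such in a comment.

```python
"""Audit the options { } block of a named.conf for resolver exposure.

Added example, not the wiki page's own tooling. Parses only the flat
statements used on the page (scalars and address lists); nested blocks
other than address lists are not handled.
"""
import re

# Constructed sample: the options block from the page's resulting named.conf.
LAB_OPTIONS = """\
options {
        listen-on port 53 { 127.0.0.1; 192.168.56.20; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        allow-query     { localhost; 192.168.56.0/24; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation no;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};
"""

# Constructed counter-example: same server, but queries accepted from anyone.
OPEN_OPTIONS = LAB_OPTIONS.replace("{ localhost; 192.168.56.0/24; }", "{ any; }")

# name [port N] { list; } ;   or   name value ;
STMT = re.compile(r"([\w-]+)\s+(?:port\s+\d+\s+)?(?:\{([^}]*)\}|([^;{}]+))\s*;")


def parse_options(conf):
    """Map each option name to a list of its values (one entry for scalars)."""
    block = re.search(r"options\s*\{(.*?)\n\};", conf, re.S)
    if not block:
        raise ValueError("no options block found")
    body = re.sub(r"/\*.*?\*/", "", block.group(1), flags=re.S)   # /* */ comments
    body = re.sub(r"//.*", "", body)                               # // comments
    opts = {}
    for m in STMT.finditer(body):
        name, addr_list, scalar = m.groups()
        if addr_list is not None:
            opts[name] = [v.strip() for v in addr_list.split(";") if v.strip()]
        else:
            opts[name] = [scalar.strip().strip('"')]
    return opts


def audit_options(opts):
    """Return findings about who can use this server as a recursive resolver
    and whether upstream answers are validated."""
    findings = []
    # BIND defaults: recursion yes, listen-on any (all interfaces).
    recursion = opts.get("recursion", ["yes"])[0].lower() == "yes"
    listen = opts.get("listen-on", ["any"])
    # BIND 9 default when allow-recursion is unset: allow-query-cache if set,
    # else allow-query if set, else { localnets; localhost; }.
    recursion_acl = (opts.get("allow-recursion")
                     or opts.get("allow-query-cache")
                     or opts.get("allow-query")
                     or ["localnets", "localhost"])
    non_loopback = [a for a in listen if a not in ("127.0.0.1", "localhost")]
    if recursion and "any" in [a.lower() for a in recursion_acl] and non_loopback:
        findings.append("open resolver: recursion yes, recursive queries allowed from any, "
                        f"listening on {', '.join(non_loopback)}")
    if opts.get("dnssec-validation", [""])[0].lower() == "no":
        findings.append("dnssec-validation no: upstream answers are accepted unvalidated")
    return findings


if __name__ == "__main__":
    for label, conf in (("lab config", LAB_OPTIONS), ("allow-query any", OPEN_OPTIONS)):
        print(f"{label}:")
        for finding in audit_options(parse_options(conf)) or ["no findings"]:
            print("  " + finding)
```

On the page's configuration the only finding is the disabled validation; the lab subnet restriction in "allow-query" is what keeps "recursion yes" from turning the host into a resolver for arbitrary clients, so keep that list as narrow as the test network allows.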

== Restart named ==

Restart named to pick up the changes:

<pre>
[root@server ~]# service named restart
Restarting named (via systemctl):                          [  OK  ]
</pre>

= All hosts should use the fake DNS server =

All of the hosts within this testing environment should be configured to use server.example.fake (192.168.56.20) as their only DNS server. This is only needed because the example uses a fake domain name; the step is not required with a real DNS domain.

== Configure server and client(s) to use the fake DNS server ==

Edit file "/etc/sysconfig/network-scripts/ifcfg-eth0" (or whichever interface file is appropriate) and change the "DNS1" line to:

<pre>
DNS1=192.168.56.20
</pre>

Make sure there aren't any other "DNS" lines.

== Restart network to pick up the change ==

<pre>
[root@server ~]# service network restart
Restarting network (via systemctl):                        [  OK  ]
</pre>

== Test fake DNS domain ==

Make sure the right nameserver is being used:

<pre>
[root@client1 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.fake
nameserver 192.168.56.20
</pre>

Look up the server:

<pre>
[root@client1 ~]# nslookup server.example.fake
Server:         192.168.56.20
Address:        192.168.56.20#53

Name:   server.example.fake
Address: 192.168.56.20

</pre>

Now do the reverse lookup on the server:

<pre>
[root@client1 ~]# nslookup 192.168.56.20
Server:         192.168.56.20
Address:        192.168.56.20#53

20.56.168.192.in-addr.arpa      name = server.example.fake.

</pre>

= Common problems =

XXX