Time and DNS services using NTP 4.2 and BIND 9.9 on CentOS 7.2.1511 - rharmonson/richtech GitHub Wiki


Published October 28, 2016


Purpose

The purpose of this article is to provide a guide on building time and DNS services for internal use only. NO PUBLIC QUERIES. My specific use-case is the development of virtualization clusters where both DNS and time are prerequisites. Using /etc/hosts and the RTC will work, but they are not an ideal replacement for DNS and NTP services.

Time

Remove chrony

For each host.

[root@ns1 ~]# systemctl stop chronyd
[root@ns1 ~]# systemctl disable chronyd
Removed symlink /etc/systemd/system/multi-user.target.wants/chronyd.service.
[root@ns1 ~]# yum remove chrony
Loaded plugins: fastestmirror
Resolving Dependencies
--> Running transaction check
---> Package chrony.armv7hl 0:2.1.1-1.el7 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch           Version             Repository               Size
================================================================================
Removing:
 chrony        armv7hl        2.1.1-1.el7         @centos-base_rbf        439 k

Transaction Summary
================================================================================
Remove  1 Package

Installed size: 439 k
Is this ok [y/N]: y

Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : chrony-2.1.1-1.el7.armv7hl                                   1/1
warning: /etc/chrony.keys saved as /etc/chrony.keys.rpmsave
warning: /etc/chrony.conf saved as /etc/chrony.conf.rpmsave
  Verifying  : chrony-2.1.1-1.el7.armv7hl                                   1/1

Removed:
  chrony.armv7hl 0:2.1.1-1.el7

Complete!
[root@ns1 ~]# rm /etc/chrony.*
rm: remove regular file '/etc/chrony.conf.rpmsave'? y
rm: remove regular file '/etc/chrony.keys.rpmsave'? y
[root@ns1 ~]#

Install NTP

For each host.

[root@ns1 ~]# yum install ntp
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package ntp.armv7hl 0:4.2.6p5-22.el7.2 will be installed
--> Processing Dependency: ntpdate = 4.2.6p5-22.el7.2 for package: ntp-4.2.6p5-22.el7.2.armv7hl
--> Processing Dependency: libopts.so.25 for package: ntp-4.2.6p5-22.el7.2.armv7hl
--> Running transaction check
---> Package autogen-libopts.armv7hl 0:5.18-5.el7 will be installed
---> Package ntpdate.armv7hl 0:4.2.6p5-22.el7.2 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package               Arch          Version                Repository     Size
================================================================================
Installing:
 ntp                   armv7hl       4.2.6p5-22.el7.2       updates       513 k
Installing for dependencies:
 autogen-libopts       armv7hl       5.18-5.el7             base           62 k
 ntpdate               armv7hl       4.2.6p5-22.el7.2       updates        83 k

Transaction Summary
================================================================================
Install  1 Package (+2 Dependent packages)

Total download size: 657 k
Installed size: 1.5 M
Is this ok [y/d/N]: y
Downloading packages:
(1/3): autogen-libopts-5.18-5.el7.armv7hl.rpm              |  62 kB   00:00
(2/3): ntpdate-4.2.6p5-22.el7.2.armv7hl.rpm                |  83 kB   00:00
(3/3): ntp-4.2.6p5-22.el7.2.armv7hl.rpm                    | 513 kB   00:01
--------------------------------------------------------------------------------
Total                                              402 kB/s | 657 kB  00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : ntpdate-4.2.6p5-22.el7.2.armv7hl                             1/3
  Installing : autogen-libopts-5.18-5.el7.armv7hl                           2/3
  Installing : ntp-4.2.6p5-22.el7.2.armv7hl                                 3/3
  Verifying  : ntp-4.2.6p5-22.el7.2.armv7hl                                 1/3
  Verifying  : autogen-libopts-5.18-5.el7.armv7hl                           2/3
  Verifying  : ntpdate-4.2.6p5-22.el7.2.armv7hl                             3/3

Installed:
  ntp.armv7hl 0:4.2.6p5-22.el7.2

Dependency Installed:
  autogen-libopts.armv7hl 0:5.18-5.el7    ntpdate.armv7hl 0:4.2.6p5-22.el7.2

Complete!

Configure NTP

Edit /etc/ntp.conf (for example with vi) on each host with values such as:

..

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
#restrict ::1

# Hosts on local network are less restricted.
restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.us.pool.ntp.org iburst
server 1.us.pool.ntp.org iburst
server 2.us.pool.ntp.org iburst
server 3.us.pool.ntp.org iburst

..
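As an added example (not part of the wiki), a small Python audit of the restrict lines above, checking them against the article's stated intent of an internal-only server. The sample configuration is constructed from the fragment shown; the hardened variant adds the restrict default line that the stock CentOS 7 ntp.conf carries and the fragment elides.

```python
# Added example (not the wiki's code): audit the 'restrict' policy of an ntp.conf
# against this page's intent of an internal-only server. Sample text is constructed.
import ipaddress

LAN_CONF = """
restrict 127.0.0.1
#restrict ::1
restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap
"""
HARDENED_CONF = "restrict default nomodify notrap nopeer noquery\n" + LAN_CONF  # stock CentOS default line

REQUIRED_DEFAULT = {"nomodify", "notrap", "nopeer", "noquery"}
REQUIRED_LAN = {"nomodify", "notrap"}

def parse_restricts(conf):
    """Return (target, flags) per active 'restrict' line; target is 'default', an IPv4Network or an IPv4Address."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("restrict "):
            continue
        tokens = line.split()[1:]
        if tokens[0] == "default":
            rules.append(("default", set(tokens[1:])))
        elif len(tokens) > 2 and tokens[1] == "mask":
            net = ipaddress.IPv4Network((tokens[0], tokens[2]), strict=False)
            rules.append((net, set(tokens[3:])))
        else:
            rules.append((ipaddress.IPv4Address(tokens[0]), set(tokens[1:])))
    return rules

def audit(conf, lan="192.168.0.0/16"):
    """Return findings; an empty list means the restrict policy matches intent."""
    findings, rules = [], parse_restricts(conf)
    defaults = [flags for target, flags in rules if target == "default"]
    if not defaults:
        findings.append("no 'restrict default' line: remote hosts may send ntpq/ntpdc control queries and peering requests")
    elif REQUIRED_DEFAULT - defaults[0]:
        findings.append("restrict default lacks " + " ".join(sorted(REQUIRED_DEFAULT - defaults[0])))
    lan_net = ipaddress.IPv4Network(lan)
    for target, flags in rules:
        if not isinstance(target, ipaddress.IPv4Network):
            continue                                   # single hosts such as loopback are left alone
        if target == lan_net and REQUIRED_LAN - flags:
            findings.append(f"{target} lacks " + " ".join(sorted(REQUIRED_LAN - flags)))
        elif not target.subnet_of(lan_net) and not flags:
            findings.append(f"{target} is outside the LAN and fully unrestricted")
    return findings
```

Note that noquery, nomodify, notrap and nopeer only restrict the control and peering paths; ordinary time requests are still answered, so keeping the server internal also needs the host firewall to limit udp/123 to the LAN.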

Enable NTP

For each host.

[root@ns1 ~]# systemctl enable ntpd
Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service.
[root@ns1 ~]# systemctl start ntpd
[root@ns1 ~]# systemctl status ntpd
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2016-10-28 21:30:39 PDT; 3s ago
  Process: 710 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 711 (ntpd)
   CGroup: /system.slice/ntpd.service
           └─711 /usr/sbin/ntpd -u ntp:ntp -g

Oct 28 21:30:39 ns1.mydomain.net ntpd[711]: Listen normally on 2 lo...
Oct 28 21:30:39 ns1.mydomain.net ntpd[711]: Listen normally on 3 et...
Oct 28 21:30:39 ns1.mydomain.net ntpd[711]: Listen normally on 4 lo...
Oct 28 21:30:39 ns1.mydomain.net ntpd[711]: Listen normally on 5 et...
Oct 28 21:30:39 ns1.mydomain.net ntpd[711]: Listening on routing so...
Oct 28 21:30:39 ns1.mydomain.net systemd[1]: Started Network Time S...
Oct 28 21:30:39 ns1.mydomain.net ntpd[711]: 0.0.0.0 c016 06 restart
Oct 28 21:30:39 ns1.mydomain.net ntpd[711]: 0.0.0.0 c012 02 freq_se...
Oct 28 21:30:39 ns1.mydomain.net ntpd[711]: 0.0.0.0 c011 01 freq_no...
Oct 28 21:30:40 ns1.mydomain.net ntpd[711]: 0.0.0.0 c614 04 freq_mode
Hint: Some lines were ellipsized, use -l to show in full.

DNS

Reference: https://www.unixmen.com/setting-dns-server-centos-7/

Install Bind

For each host.

[root@ns1 ~]# yum install bind bind-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package bind.armv7hl 32:9.9.4-29.el7.4 will be installed
--> Processing Dependency: bind-libs = 32:9.9.4-29.el7.4 for package: 32:bind-9.9.4-29.el7.4.armv7hl
--> Processing Dependency: liblwres.so.90 for package: 32:bind-9.9.4-29.el7.4.armv7hl
--> Processing Dependency: libisccfg.so.90 for package: 32:bind-9.9.4-29.el7.4.armv7hl
--> Processing Dependency: libisccc.so.90 for package: 32:bind-9.9.4-29.el7.4.armv7hl
--> Processing Dependency: libisc.so.95 for package: 32:bind-9.9.4-29.el7.4.armv7hl
--> Processing Dependency: libdns.so.100 for package: 32:bind-9.9.4-29.el7.4.armv7hl
--> Processing Dependency: libbind9.so.90 for package: 32:bind-9.9.4-29.el7.4.armv7hl
---> Package bind-utils.armv7hl 32:9.9.4-29.el7.4 will be installed
--> Running transaction check
---> Package bind-libs.armv7hl 32:9.9.4-29.el7.4 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package           Arch           Version                  Repository      Size
================================================================================
Installing:
 bind              armv7hl        32:9.9.4-29.el7.4        updates        1.8 M
 bind-utils        armv7hl        32:9.9.4-29.el7.4        updates        203 k
Installing for dependencies:
 bind-libs         armv7hl        32:9.9.4-29.el7.4        updates        936 k

Transaction Summary
================================================================================
Install  2 Packages (+1 Dependent package)

Total download size: 2.9 M
Installed size: 6.9 M
Is this ok [y/d/N]: y
Downloading packages:
(1/3): bind-libs-9.9.4-29.el7.4.armv7hl.rpm                | 936 kB   00:02
(2/3): bind-9.9.4-29.el7.4.armv7hl.rpm                     | 1.8 MB   00:02
(3/3): bind-utils-9.9.4-29.el7.4.armv7hl.rpm               | 203 kB   00:00
--------------------------------------------------------------------------------
Total                                              657 kB/s | 2.9 MB  00:04
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 32:bind-libs-9.9.4-29.el7.4.armv7hl                          1/3
  Installing : 32:bind-utils-9.9.4-29.el7.4.armv7hl                         2/3
  Installing : 32:bind-9.9.4-29.el7.4.armv7hl                               3/3
  Verifying  : 32:bind-libs-9.9.4-29.el7.4.armv7hl                          1/3
  Verifying  : 32:bind-utils-9.9.4-29.el7.4.armv7hl                         2/3
  Verifying  : 32:bind-9.9.4-29.el7.4.armv7hl                               3/3

Installed:
  bind.armv7hl 32:9.9.4-29.el7.4      bind-utils.armv7hl 32:9.9.4-29.el7.4

Dependency Installed:
  bind-libs.armv7hl 32:9.9.4-29.el7.4

Complete!

Configure Bind

Master

# vi /etc/named.conf

[root@ns1 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 192.168.1.252; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.0.0/16; };
        allow-transfer  { localhost; 192.168.1.253; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        dnssec-enable yes;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "mydomain.net" IN {
        type master;
        file "master/db.mydomain.net";
        allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "master/db.192.168.1";
        allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Slave

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 192.168.1.253; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.0.0/16; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        dnssec-enable yes;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "mydomain.net" IN {
        type slave;
        file "slaves/db.mydomain.net";
        masters { 192.168.1.252; };
};

zone "1.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/db.192.168.1";
        masters { 192.168.1.252; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Enable DNS

Enable named for each DNS host.

[root@ns1 ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@ns1 ~]# systemctl start named
[root@ns1 ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2016-10-28 22:30:09 PDT; 3s ago
  Process: 573 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 568 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 574 (named)
   CGroup: /system.slice/named.service
           └─574 /usr/sbin/named -u named

Oct 28 22:30:09 ns1.mydomain.net named[574]: zone 1.0.0.0.0.0.0.0.0...
Oct 28 22:30:09 ns1.mydomain.net named[574]: zone mydomain...
Oct 28 22:30:09 ns1.mydomain.net named[574]: zone 1.168.192.in-ad...
Oct 28 22:30:09 ns1.mydomain.net named[574]: zone localhost.localdo...
Oct 28 22:30:09 ns1.mydomain.net named[574]: zone localhost/IN: loa...
Oct 28 22:30:09 ns1.mydomain.net named[574]: all zones loaded
Oct 28 22:30:09 ns1.mydomain.net named[574]: running
Oct 28 22:30:09 ns1.mydomain.net named[574]: zone 1.168.192.in-ad...
Oct 28 22:30:09 ns1.mydomain.net named[574]: zone mydomain...
Oct 28 22:30:09 ns1.mydomain.net systemd[1]: Started Berkeley Inter...
Hint: Some lines were ellipsized, use -l to show in full.

Zone Files

In named.conf we configured the zones mydomain.net and 1.168.192.in-addr.arpa, so on the master the files master/db.mydomain.net and master/db.192.168.1 must be created under /var/named before starting the service. The slave's copies under slaves/ are written by named itself when it transfers the zones from the master.

/var/named/master/db.mydomain.net

$ORIGIN mydomain.net.
$TTL 86400
@       IN      SOA     ns1.mydomain.net. root.mydomain.net. (
        2017041401      ;Serial
        3600    ;Refresh
        1800    ;Retry
        604800  ;Expire
        86400   ;Minimum TTL
)
@       IN      NS      ns1.mydomain.net.
@       IN      NS      ns2.mydomain.net.
ns1     IN      A       192.168.1.252
ns2     IN      A       192.168.1.253
www     IN      A       192.168.1.1

/var/named/master/db.192.168.1

$TTL 86400
@       IN      SOA     ns1.mydomain.net. root.mydomain.net. (
        2017040701      ;Serial
        3600    ;Refresh
        1800    ;Retry
        604800  ;Expire
        86400   ;Minimum TTL
)
@       IN      NS      ns1.mydomain.net.
@       IN      NS      ns2.mydomain.net.
252     IN      PTR     ns1.mydomain.net.
253     IN      PTR     ns2.mydomain.net.
1       IN      PTR     www.mydomain.net.
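As an added example (not the wiki's own code), a Python check that parses the two zone files above (text constructed from the page) and reports a missing SOA at the zone apex, which is what a wrong $ORIGIN produces, plus any A record without a matching PTR or PTR without a matching A.

```python
# Added example (not the wiki's code): apex-SOA and forward/reverse checks; zone text constructed from the page.
FORWARD = """\
$ORIGIN mydomain.net.
@    IN SOA ns1.mydomain.net. root.mydomain.net. (
     2017041401 3600 1800 604800 86400 )   ; serial refresh retry expire minimum
@    IN NS  ns1.mydomain.net.
@    IN NS  ns2.mydomain.net.
ns1  IN A   192.168.1.252
ns2  IN A   192.168.1.253
www  IN A   192.168.1.1
"""
REVERSE = """\
@    IN SOA ns1.mydomain.net. root.mydomain.net. ( 2017040701 3600 1800 604800 86400 )
@    IN NS  ns1.mydomain.net.
252  IN PTR ns1.mydomain.net.
253  IN PTR ns2.mydomain.net.
1    IN PTR www.mydomain.net.
"""

def parse_zone(text, zone):
    """(owner, type, rdata) triples; handles $ORIGIN, $TTL, ';' comments and '( ... )' continuations."""
    origin, records, buf = zone, [], ""
    for raw in text.splitlines():
        buf += " " + raw.split(";", 1)[0]
        if buf.count("(") > buf.count(")"):
            continue                                   # record continues on the next line
        tokens, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        if tokens and tokens[0] == "$ORIGIN":
            origin = tokens[1]
        elif tokens and not tokens[0].startswith("$"):
            name = tokens[0]
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
            records.append((owner, tokens[2], tokens[3:]))  # assumes 'owner IN TYPE rdata' as on the page
    return records

def check_zones(forward, reverse, zone="mydomain.net.", rzone="1.168.192.in-addr.arpa."):
    """Return a list of findings; an empty list means the two zones agree."""
    fwd, rev, findings = parse_zone(forward, zone), parse_zone(reverse, rzone), []
    for z, recs in ((zone, fwd), (rzone, rev)):
        if not any(o == z and t == "SOA" for o, t, _ in recs):
            findings.append(f"{z} has no SOA at the zone apex (check $ORIGIN)")
    a_by_ip = {r[0]: o for o, t, r in fwd if t == "A"}
    ptr_by_ip = {".".join(reversed(o[:-len(".in-addr.arpa.")].split("."))): r[0]
                 for o, t, r in rev if t == "PTR"}
    for ip, name in a_by_ip.items():
        if ptr_by_ip.get(ip) != name:
            findings.append(f"{name} A {ip} has no matching PTR")
    for ip, name in ptr_by_ip.items():
        if a_by_ip.get(ip) != name:
            findings.append(f"{ip} PTR {name} has no matching A")
    return findings
```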

Done!