
Building a secondary (slave) DNS server on CentOS

To guarantee high availability in your network, it can be useful to operate more than one DNS server in your environment so that the service survives the failure of any one server. This is particularly true if you run a public DNS server, where continuous access to the service is crucial and where it is not uncommon to have five or more DNS servers at once. Since configuring and managing multiple DNS servers can be time-consuming, the BIND DNS server can transfer zone files between the nodes so that every DNS server has the same domain resolution and configuration information. To do this, we need to define one primary and one or more secondary (slave) DNS servers. Then we only have to adjust our zone file once on the primary server, which will transfer the current version to all our secondary servers, keeping everything consistent and up to date. For a client, it will then make no difference which DNS server they connect to.

To Start With: What Do You Need?

To complete this process, you will require at least two CentOS 7 servers in the same network which can see and ping each other. An Internet connection will be required to download and install the BIND server software on all the computers we want to include in our DNS server farm. In this example, we have two servers within the subnet 192.168.1.0/24: 192.168.1.7, which is already installed and configured as a BIND server, and 192.168.1.15, which will be our second BIND server. You should also have read and applied the zone file process from this chapter division and created a forward and reverse zone file, because this is what we want to transfer between DNS servers.

The Process

We begin this process by installing BIND on every CentOS 7 computer we want to include in our BIND DNS server cluster. To do this, follow the process Setting up an authoritative-only DNS server for all the remaining systems. Before we can start, we need to define which server will be our primary DNS server. For simplicity in our example, we will choose the server with the IP address 192.168.1.7. Now let’s make all our DNS server nodes aware of their role.

Changes to the primary DNS server

  1. Let’s log in as root on the primary server and open its main configuration:
    vi /etc/named.conf
  2. Now we define which secondary DNS server(s) are allowed to receive the zone files at all. Add the following directives on new lines somewhere between the curly brackets of the options block (we only have one secondary DNS server, with the IP address 192.168.1.15; change accordingly):
    allow-transfer { 192.168.1.15; };
    notify yes;
  3. Also, we must allow the other nameservers to connect to our primary nameserver. In order to do this, you need to change your listen-on directive to include the DNS server’s primary network interface (in our example 192.168.1.7, so change appropriately):
    listen-on port 8053 { 127.0.0.1; 192.168.1.7; };
  4. Save and close the file. Now open the new port 8053 in your server’s firewall (or you can create a firewalld service for it):
    firewall-cmd --permanent --zone=public --add-port=8053/tcp --add-port=8053/udp; firewall-cmd --reload
  5. Save and close the file. Next, update the zone files we created earlier to include the IP addresses of all the new nameservers we have available in the system. Change both the forward and reverse zone files, /var/named/centos7.home.db and /var/named/db.1.168.192, to include our new secondary DNS server. In the forward zone file, add the following lines (you can also use the nsupdate program to do this) into the appropriate sections:
    NS ns2.centos7.home.
    ns2 A 192.168.1.15
  6. In the reverse zone file, add instead into the appropriate sections:
    NS ns2.centos7.home.
    15 PTR ns2.centos7.home.
  7. Finally, restart BIND and recheck the configuration file:
    named-checkconf && systemctl restart named

Changes to the secondary DNS server(s)

For simplicity and to demonstrate, just install named on any server you want to use as a BIND slave (we only show the important configuration here):

  1. Log in to the new server as root, install BIND, and open its main configuration:
    yum install bind; vi /etc/named.conf
  2. Now locate the line include "/etc/named.rfc1912.zones";. Immediately following this line, create a space for your work and add the following zones (replace the zone and file names appropriately):
    zone "centos7.home" IN {
        type slave;
        masters port 8053 { 192.168.1.7; };
        file "/var/named/centos7.home.db";
    };
    zone "1.168.192.in-addr.arpa" IN {
        type slave;
        masters port 8053 { 192.168.1.7; };
        file "/var/named/db.1.168.192.db";
    };
  3. Save and close the file. Then fix some incorrect BIND folder permissions and enable named to write into its zone file directory before restarting BIND:
    chown :named /var/named -R; chmod 775 /var/named -R
    setsebool -P named_write_master_zones 1
    named-checkconf && systemctl restart named
  4. Now initiate a new zone transfer using:
    rndc refresh centos7.home.
  5. After waiting a while, to test if our secondary DNS server is working as expected, check if the master zone files have been transferred:
    ls /var/named/*.db
  6. Finally, we can now test if we can query our local domain on the secondary DNS server too:
    dig @127.0.0.1 client2.centos7.home.

How Does It Work?

In this process, we showed you how to set up secondary BIND servers in your network which can help in increasing the stability and availability of your DNS server system.

So what did we learn from this experience?

We started our journey by deciding which of our servers should be the primary and which should be the slave DNS servers. Then we opened the BIND main configuration file on the primary server and introduced two lines to configure our server to be the head of our DNS cluster. The allow-transfer directive defines which servers are allowed to receive our zone files, while the notify yes directive makes the primary notify the secondaries whenever the zone files change, so that they fetch the update automatically. If you have several secondary BIND DNS servers, you can add more than one IP address to the allow-transfer directive, separated by semicolons. Then we opened the zone files we created in a former process and introduced a new IN NS line (with a matching address record) that identifies our secondary DNS server, which every DNS node in our system needs to be aware of. If we have multiple servers, we introduce multiple IN NS lines. Finally, we introduced a small comment to easily check the successful zone file transfer on our secondary servers.

Afterwards, we configured our slave DNS server(s). Here we introduced the same zone definitions as in the primary server’s BIND configuration, with the exception that we used type slave instead of master to denote that this is a secondary DNS server. It gets a copy of the zone files from the master node, whose IP address we define using the masters directive (please do not forget that our master BIND is listening on the non-default port 8053 in our example).

Since we had not created or copied the zone files ourselves on the slave DNS server, it was then easy to check with the ls command whether the zone file transfer had been successful after restarting the BIND service. Finally, we verified the transferred zone file content by running test queries using dig or nslookup to see if we could resolve the same local hostnames on our secondary DNS server. Remember that if you later make changes to your master’s zone files, you have to increase their serial number so that those changes get transferred to all your slaves.
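
The verification steps and the serial-number rule above, as an added example that is not part of the original article: shell helpers that compare SOA serials the way a secondary does (RFC 1982 wrap-around arithmetic) and recognise a refused zone transfer in dig output. The function names, the SOA owner names (ns1/root) and the sample dig output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Sample dig output is constructed.

# soa_serial: read `dig +short SOA` output on stdin and print the serial (3rd field).
soa_serial() {
    awk 'NF >= 7 && $3 ~ /^[0-9]+$/ { print $3; exit }'
}

# serial_newer A B: succeed if serial A is newer than serial B under RFC 1982
# serial arithmetic (32-bit wrap-around), which is how a secondary compares them.
serial_newer() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        d = (a - b) % 4294967296
        if (d < 0) d += 4294967296
        exit !(d > 0 && d < 2147483648)
    }'
}

# sync_state PRIMARY_SOA SECONDARY_SOA: print in-sync, secondary-behind or
# secondary-ahead. "secondary-ahead" means the primary's serial was not
# increased (or was lowered), so edits on the primary will not be transferred.
sync_state() {
    p=$(printf '%s\n' "$1" | soa_serial)
    s=$(printf '%s\n' "$2" | soa_serial)
    if [ -z "$p" ] || [ -z "$s" ]; then echo no-answer
    elif [ "$p" = "$s" ]; then echo in-sync
    elif serial_newer "$p" "$s"; then echo secondary-behind
    else echo secondary-ahead
    fi
}

# axfr_refused: read `dig ... AXFR` output on stdin; succeed if dig reported
# a failed transfer, the expected result from a host not in allow-transfer.
axfr_refused() {
    grep -q '^; Transfer failed'
}

# Live use on the secondary from this article (addresses and port as above):
#   sync_state "$(dig +short -p 8053 @192.168.1.7 centos7.home. SOA)" \
#              "$(dig +short @127.0.0.1 centos7.home. SOA)"
# From a host that is NOT listed in allow-transfer:
#   dig -p 8053 @192.168.1.7 centos7.home. AXFR | axfr_refused && echo restricted

# Constructed sample: the primary was edited and its serial increased by one.
PRIMARY_SOA='ns1.centos7.home. root.centos7.home. 2015010102 86400 3600 604800 10800'
SECONDARY_SOA='ns1.centos7.home. root.centos7.home. 2015010101 86400 3600 604800 10800'
sync_state "$PRIMARY_SOA" "$SECONDARY_SOA"
```

If sync_state keeps reporting secondary-behind after a while, run rndc refresh for the zone on the secondary as in step 4 above.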

 
