2007 Feb 14 - Wed

Monitoring Server: DNS with BIND

When doing diagnostics on network devices and their interfaces, it helps to have forward and reverse lookups for a number of IP addresses. These lookups can be implemented within Active Directory DNS or on a separate DNS server. Use the following instructions if you wish to run a separate DNS server based on BIND. Choose a domain that is different from, or delegated from, the one used by Active Directory or your other primary DNS server, so that the two servers never both claim authority for the same zone.

Installation

Install bind:

  • apt-get install bind9

The service starts upon installation.

Choose a domain for the network devices. For example, if your regular network domain is 'example.com', use something like 'netdevices.example.com'. You'll need to make a number of changes to files in the /etc/bind directory.

Create a file called 'db.netdevices.example.com'. Its content should look similar to the following. Note the trailing dots on the names in the SOA and NS records: a name without a trailing dot is relative to the zone origin, so 'netdevices.example.com' on its own would become 'netdevices.example.com.netdevices.example.com.'. The NS and apex A records below are the Debian defaults; for a clean delegation the NS record should instead name the host that Active Directory will delegate to (server.netdevices.example.com in the delegation steps below), with a matching A record for that host in this zone.

;
; BIND data file for network devices
;
$TTL    604800
@       IN      SOA     netdevices.example.com. root.localhost. (
                        2006051501      ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
@       IN      A       127.0.0.1
device01 IN     A       10.1.6.30       ; device 01 on network

Edit 'named.conf.local'. Uncomment the line which includes 'zones.rfc1918'. Add a reference to the zone file you just created. You should have something that looks like:

include "/etc/bind/zones.rfc1918";

zone "netdevices.example.com" {
        type master;
        file "/etc/bind/db.netdevices.example.com";
};

Update the forwarders entry in 'named.conf.options'. These should be your Active Directory or similar servers; anything this server is not authoritative for is sent to them. On those servers, you should delegate the netdevices.example.com domain to this server. As written, named answers queries and recurses for any client that can reach it, so on anything other than an isolated monitoring network restrict it with allow-query and allow-recursion to your internal address ranges.

options {
        directory "/var/cache/bind";

        forwarders {
                10.1.1.154;
                10.1.1.159;
        };

        auth-nxdomain no;    # conform to RFC1035
};

Depending upon the IP blocks in which your devices reside, you'll need to create one reverse lookup file per block. For example, for devices in 10.1.6.0/24, create a file called 'db.6.1.10.in-addr.arpa' (the octets reversed, followed by in-addr.arpa). The PTR target must be a fully qualified name with a trailing dot; a bare 'device01' would be read as 'device01.6.1.10.in-addr.arpa'.

;
; BIND reverse data file for network devices in 10.1.6.0/24
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                        2006060901      ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.

30      IN      PTR     device01.netdevices.example.com.

Now edit zones.rfc1918 and add a zone line so it uses your new file. The file already declares '10.in-addr.arpa' as an empty zone; BIND picks the most specific zone that matches a query, so the 6.1.10.in-addr.arpa zone below takes precedence for that /24 while other 10.x.x.x addresses still get an empty answer. Your change should show as:

zone "6.1.10.in-addr.arpa"      { type master; file "/etc/bind/db.6.1.10.in-addr.arpa"; };
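Writing these files by hand is error-prone, and the two mistakes that bite most often are relative names where absolute ones were meant (a missing trailing dot turns 'device01' in a PTR record into 'device01.6.1.10.in-addr.arpa') and reverse zones that drift out of step with the forward zone. The following Python script, an added example rather than anything from the original post, generates the forward zone file, one reverse zone file per /24, and the matching zone statements from a single device list, and includes a check for relative PTR targets. The devices beyond device01, the server name server.netdevices.example.com, its address 10.1.6.5 and the YYYYMMDDnn serial convention are assumptions for the example.

```python
"""Generate BIND forward and reverse zone data for a network-device inventory.

Added example, not code from the original post. Names, addresses and the
serial convention below are constructed to match the post's example network.
"""
import ipaddress
from collections import defaultdict

ZONE = "netdevices.example.com"
NS_HOST = "server"        # assumption: BIND runs on server.netdevices.example.com
NS_ADDR = "10.1.6.5"      # assumption: its address, published as glue for the NS record
TTL = 604800
REFRESH, RETRY, EXPIRE, NEG_TTL = 604800, 86400, 2419200, 604800

# Constructed inventory: the post only has device01; the others exercise a second /24.
DEVICES = [
    ("device01", "10.1.6.30"),
    ("device02", "10.1.6.31"),
    ("core-sw", "10.1.7.2"),
]


def serial_for(year, month, day, n=1):
    """YYYYMMDDnn serial (a common convention); bump n for a second edit the same day."""
    return int(f"{year:04d}{month:02d}{day:02d}{n:02d}")


def soa(serial):
    """SOA and NS with absolute names. Without the trailing dots BIND appends the
    zone origin and produces names like netdevices.example.com.netdevices.example.com."""
    return (f"@\tIN\tSOA\t{NS_HOST}.{ZONE}. root.{ZONE}. (\n"
            f"\t\t\t{serial}\t; Serial\n\t\t\t{REFRESH}\t; Refresh\n"
            f"\t\t\t{RETRY}\t; Retry\n\t\t\t{EXPIRE}\t; Expire\n"
            f"\t\t\t{NEG_TTL} )\t; Negative Cache TTL\n"
            f"@\tIN\tNS\t{NS_HOST}.{ZONE}.\n")


def reverse_zone(addr):
    """Split an address into its /24 in-addr.arpa zone and host label,
    e.g. '10.1.6.30' -> ('6.1.10.in-addr.arpa', '30')."""
    label, zone = ipaddress.IPv4Address(addr).reverse_pointer.split(".", 1)
    return zone, label


def forward_zone(serial):
    """Text of db.netdevices.example.com: SOA, NS, glue A for the server, one A per device."""
    lines = [f"$TTL\t{TTL}", soa(serial), f"{NS_HOST}\tIN\tA\t{NS_ADDR}"]
    lines += [f"{host}\tIN\tA\t{addr}" for host, addr in DEVICES]
    return "\n".join(lines) + "\n"


def reverse_zones(serial):
    """Dict of zone name -> zone file text, one per /24. PTR targets are written
    absolute (trailing dot) so they are not taken relative to the reverse zone."""
    by_zone = defaultdict(list)
    for host, addr in DEVICES:
        zone, label = reverse_zone(addr)
        by_zone[zone].append(f"{label}\tIN\tPTR\t{host}.{ZONE}.")
    return {zone: f"$TTL\t{TTL}\n" + soa(serial) + "\n".join(ptrs) + "\n"
            for zone, ptrs in by_zone.items()}


def zone_statements():
    """zone {} statements for named.conf.local (forward) and zones.rfc1918 (reverse)."""
    stmts = [f'zone "{ZONE}" {{ type master; file "/etc/bind/db.{ZONE}"; }};']
    for zone in sorted({reverse_zone(addr)[0] for _, addr in DEVICES}):
        stmts.append(f'zone "{zone}" {{ type master; file "/etc/bind/db.{zone}"; }};')
    return stmts


def check_ptr_targets(zone_text):
    """Return PTR targets that lack a trailing dot (and so would be zone-relative);
    an empty list means the file is clean. Usable on hand-written files too."""
    bad = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2] == "PTR" and not fields[3].endswith("."):
            bad.append(fields[3])
    return bad


if __name__ == "__main__":
    serial = serial_for(2007, 2, 14)
    print(f"--- /etc/bind/db.{ZONE}\n{forward_zone(serial)}")
    for zone, text in reverse_zones(serial).items():
        print(f"--- /etc/bind/db.{zone}\n{text}")
    print("\n".join(zone_statements()))
```

Write each returned string to the /etc/bind path shown in its header, add the forward statement to named.conf.local and the reverse ones to zones.rfc1918, and run named-checkzone on every file before restarting. check_ptr_targets() can be pointed at an existing hand-written reverse file to catch the relative-name mistake described above.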

Before restarting, validate the configuration with named-checkconf and each zone file with named-checkzone (for example, named-checkzone netdevices.example.com /etc/bind/db.netdevices.example.com); both ship with the bind9 packages and report syntax errors and relative names that would otherwise only show up as odd answers. Then restart the service and check /var/log/syslog to be sure it started with no errors.

/etc/init.d/bind9 restart

Edit /etc/resolv.conf so it contains the following. The monitoring server then resolves through the Active Directory servers, which hand netdevices.example.com and 6.1.10.in-addr.arpa back to the local BIND via the delegations set up in the next section. If the interface is configured by DHCP this may not work properly, as the DHCP client may overwrite the file.

search netdevices.example.com example.com
nameserver 10.1.1.154
nameserver 10.1.1.159

Active Directory Changes

You need to configure forward and reverse delegations in Active Directory DNS so that any client using the Active Directory servers can resolve names and addresses in the monitoring subnet through the BIND server.

To provide forward delegation:

  • Look in the Forward Lookup Zones and select the internal domain
  • Right click and select New Delegation
  • In 'Delegated Domain', put 'netdevices'
  • Add the fully qualified domain name, 'server.netdevices.example.com', and its IP address
  • finish to apply the change

To provide reverse delegation (assuming that a complete /24 subnet has been assigned to the network monitoring server; the delegation below hands the whole of 6.1.10.in-addr.arpa to BIND):

  • Look in Reverse Lookup Zones
  • Add a new Active Directory integrated zone
  • Put in the first octet ONLY of the network id (for example 10)
  • Finish
  • Right click on the new reverse zone (such as 10.in-addr.arpa) and create a new Domain
  • If the second octet of the domain is '1', use 1 as the domain id and Finish
  • Right click on the new domain and add a new delegation
  • If the third octet is 6, put 6 in as the delegated domain
  • For the server name, put in the fully qualified domain name and ip address of the monitoring server running Bind
  • Finish

To test, on the Active Directory server, start nslookup. Enter the fully qualified domain name of a device such as device01.netdevices.example.com to see if it resolves, then enter the device's IP address to see if the reverse lookup returns the same name. Test the BIND server's own name and address the same way. From the monitoring server, dig @127.0.0.1 against the same names confirms that BIND itself answers authoritatively, which separates zone-file problems from delegation problems.



Blog Content ©2012
Ray Burkholder
All Rights Reserved