The next obvious step in the process is to extend your bind configuration so that a local DNS service can be used for the vServers you create. This would give name resolution for guests that you do not want included in the external DNS service.
The first step is to setup bind or the named daemon as described in my earlier blog entry. Ensure that the vServer you are using for the DNS service is connected to an EoIB network and the shared storage, this will mean that it becomes attached to three networks in total.
- the EoIB network which will give it access to the main DNS service in the datacenter,
- the vServer-shared-storage which will allow the ZFS appliance to use this as a DNS server
- the IPoIB-virt-admin network. This is a network that is connected to all vServers so if we make the vServer a full member of this network as described earlier in a post about setting up LDAP on the rack then all vServers created can utilise the DNS services. All we need to is to configure the network to use the domain service.
Once bind is operational then we can extend the named configuration to include details for an internal domain to the Exalogic rack. So in this example our datacenter DNS runs on a domain of mycompany.com, for lookups internal to the Exalogic we want to use the domain el01.mycompany.com where el01 represents the Exalogic rack name. The first step is to edit the main configuration file and add another section to specify that the bind service will be the master for the el01.mycompany.com domain.
# cat /etc/named.conf options { directory "/var/named"; # Hide version string for security version "not currently available"; # Listen to the loopback device and internal networks only listen-on { 127.0.0.1; 172.16.0.14; 172.17.0.41; }; listen-on-v6 { ::1; }; # Do not query from the specified source port range # (Adjust depending your firewall configuration) avoid-v4-udp-ports { range 1 32767; }; avoid-v6-udp-ports { range 1 32767; }; # Forward all DNS queries to your DNS Servers forwarders { 10.5.5.4; 10.5.5.5; }; forward only; # Expire negative answer ASAP. # i.e. Do not cache DNS query failure. max-ncache-ttl 3; # 3 seconds # Disable non-relevant operations allow-transfer { none; }; allow-update-forwarding { none; }; allow-notify { none; }; }; zone "el01.mycompany.com" in{ type master; file "el01"; allow-update{none;}; }; |
The extra section specifies that we will have a zone or DNS domain el01.mycompany.com. Within this zone this DNS server will be the master or authoritative source for all name resolution. There is a file called el01 which will be the source of all the IP addresses that are served by this server. Earlier in the configuration is the line
directory "/var/named";
This specifies the directory that the named daemon will search in for the file called el01. The content of the file is as shown below.
# cat el01 ; zone file for el01.mycompany.com $TTL 2d ; 172800 secs default TTL for zone $ORIGIN el2h.mycompany.com. @ IN SOA proxy.el01.mycompany.com. hostmaster.el01.mycompany.com. ( 2003080800 ; se = serial number 12h ; ref = refresh 15m ; ret = update retry 3w ; ex = expiry 3h ; min = minimum ) IN NS proxy.el01.mycompany.com. MX 10 proxy.el01.mycompany.com. ; Server names for resolution in the el01.mycompany.com domain el01sn-priv IN A 172.17.0.9 proxy IN A 172.16.0.12 ldap-proxy IN CNAME proxy |
The properties or directives in the zone file are:-
- TTL - Time to live. If there are downstream name servers then this directive lets them know how long their cache can be valid for.
- ORIGIN - Defines the domain name that will be appended to any unqualified lookups.
- SOA - Start of Authority details
- The @ symbol places the domain name specified in the ORIGIN as the namespace being defined by this SOA record.
- The SOA directive is followed by the primary DNS server for the namespace and the e-mail address for the domain. (Not used in our case but it needs to be present)
- The serial number is incremented each time the zone file is updated. This allows the named to recognise that it needs to reload the content.
- The other values indicate time periods to wait for updates or to force refresh slave servers.
- NS - Name service - Determines the fully qualified domain for servers that are authoritative in this domain.
- MX - Mail eXchange, defines the mail server where mail sent to this domain is to be sent.
- A - Address record is used to specify the IP address for a particular name
- CNAME - The Cannonical Name which can be used to create aliases for a particular server.
- The storage head under the name el01sn-priv. This means that all vServers will automatically be able to resolve by name the storage for use with NFS mounts.
- proxy (or ldap-proxy) is the name that we are using for a server where OTD is installed and configured to be a proxy for an external directory. Thus enabling all vServers to access LDAP for authentication. (Useful for NFSv4 mounts from the shared storage.)
No comments:
Post a Comment