Setup and Test Bind DNS Zone File Replication to Slave Servers on CentOS

Scenario:

  • You are on-boarding/bringing up a new Bind DNS server (say NSHost3 – 198.164.12.103) to replace/upgrade your existing Bind DNS server (NSHost2 – 198.164.12.102)
  • You have installed Bind 9.8 as shown on the new server
  • [root@NSHost3 ~]#  named -v
    BIND 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.1
    [root@NSHost3 ~]#
  • You want to configure NSHost3 as slave server for some of the zones are primarily hosted on NSHost1 (198.164.12.101) in your other Data centre
  • You are NOT running or have allowed the tcp/udp port#53 in your iptables Firewall on both NSHost1 and NSHost3 servers
  •  

    Implementation:

    • Configuring your new server NSHost3 as slave to NSHost1 server requires updating named.conf file on both the servers as detailed here.
    • On NSHost1 (198.164.12.101) setup /etc/named.conf with below essential contents
    • options {
          listen-on port 53 { 198.164.12.101; }; //NSHost1 the master server in Data centre 1
          allow-notify { 198.164.12.103; }; //NSHost3 the new Slave server
          allow-transfer { 198.164.12.103; }; //NSHost3 the new Slave server
          ..
          …
      };
    • /* primary zones */
      zone “dc1.mydomain.com” {
          type master;
          file “dc1.mydomain.com.zone”;
      };

      /* Secondary zones */
      zone “dc2.mydomain.com” {
          type slave;
          masters { 198.164.12.103; };
          file “secondary/dc2.mydomain.com.zone”;
      }; 

  • On NSHost3 (198.164.12.103) setup /etc/named.conf with below essential contents
    • options {
          listen-on port 53 { 198.164.12.103; }; //NSHost3 the new Slave server
          allow-transfer { 198.164.12.101 }; //NSHost1 the master server in Data centre 1
          allow-notify { 198.164.12.101 }; //NSHost1 the master server in Data centre 1
          ..
          …
      };
    • /* primary zones */
      zone “dc2.mydomain.com” {
          type master;
          file “dc2.mydomain.com.zone”;
      };

    /* Secondary zones */
    zone “dc1.mydomain.com” {
        type slave;
        masters { 198.164.12.101; };  // Specifying the IP-address of NSHost1 which is hosting this zone.
        file “secondary/dc1.mydomain.com.zone”;
    };

  •  

    Troubleshooting:

    During the first time replication setup on RedHat Bind, most people encounter that despite successful file transfers the zone files does not get created on the Slave servers.  It results in below errors in /var/log/messages file.

    Oct 14 02:58:15 NSHost3 named-sdb[18253]: zone dc1.mydomain.com/IN: Transfer started.
    Oct 14 02:58:15 NSHost3 named-sdb[18253]: transfer of ‘dc1.mydomain.com/IN’ from 198.164.12.101#53: connected using 198.164.12.103#49611
    Oct 14 02:58:16 NSHost3 named-sdb[18253]: zone dc1.mydomain.com/IN: transferred serial 2014109804
    Oct 14 02:58:16 NSHost3 named-sdb[18253]: transfer of ‘dc1.mydomain.com/IN’ from 198.164.12.101#53: Transfer completed: 1 messages, 21 records, 529 bytes, 0.217 secs (2437 bytes/sec)
    Oct 14 02:58:16 NSHost3 named-sdb[18253]: zone dc1.mydomain.com/IN: sending notifies (serial 2014109804)
    Oct 14 02:58:16 NSHost3 named-sdb[18253]:
    dumping master file: secondary/tmp-IWDKG5gBFC: open: permission denied

    This is a known bug with RedHat Bind software as documented here: Bug 545128 – SELinux is preventing the named daemon from writing to the zone directory. You require to fix it by enabling the SELinux paramater named_write_master_zones boolean as shown below:

    <<Fix for error: dumping master file: open: permission denied >>
    [root@NSHost3 ~]# setsebool -P named_write_master_zones=1
    [root@NSHost3 ~]#

    <</>>

    Then restart the named service as shown below:

    [root@NSHost3 ~]# service named restart
    Stopping named: .                                          [  OK  ]
    Starting named:                                            [  OK  ]
    [root@NSHost3 ~]# service named status


     

    References: