Lab 2.1 - Install OKD Cluster - Setup DNS Server

1. SSH to the podX bastion host and install bind with its related packages

# Log in to the pod's bastion; -p selects its per-pod SSH port (XXXXX is a placeholder).
# Everything that follows in this lab runs on the bastion.
ssh root@labX.btech.id -pXXXXX
# Bring the system up to date and enable EPEL (some of the tools below, e.g. htop, typically come from there).
dnf update -y && dnf install epel-release -y
# bind provides named; bind-utils provides nslookup/dig, used for the checks in step 8.
dnf install -y vim bind bind-utils screen htop curl

2. Define the zones in the named.conf file

# Keep the stock config as a reference copy, then write the new one from scratch.
mv /etc/named.conf /etc/named.conf.bak
vim /etc/named.conf
...
options {
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file   "/var/named/data/named.secroots";
    recursing-file  "/var/named/data/named.recursing";
    // Only the bastion itself and the lab /24 may query this server.
    allow-query     { localhost;10.6X.6X.0/24; };
    // Listens on every interface; allow-query above is what limits who gets answers.
    listen-on port 53 { any; };

    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    // This server is both authoritative for the OKD zones below and the
    // recursive resolver for the lab hosts, so recursion stays on.
    // NOTE(review): no allow-recursion is set; per the BIND ARM it then falls
    // back to allow-query, which already limits recursion to the lab subnet.
    // Setting allow-recursion to the same list would make that intent explicit.
    recursion yes;
        // Lookups for names outside the local zones are forwarded to Google DNS
        // (forward first is BIND's default, so the root hints below are a fallback).
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
    // NOTE(review): dnssec-enable is deprecated in newer BIND 9 releases (a
    // warning on some, a config error on the newest) -- remove it if
    // named-checkconf complains; dnssec-validation is the option that matters.
    dnssec-enable yes;
    dnssec-validation yes;

    // Same directory the zone files are placed in; named writes its trust-anchor state here.
    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        // Debug output goes to /var/named/data/named.run; "dynamic" follows the
        // debug level set at runtime (rndc trace).
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

// Root hints, used only when the forwarders above do not answer.
zone "." IN {
    type hint;
    file "named.ca";
};

// Forward zone for the cluster; this server is the primary (type master).
zone "openshift.podX.io" {
        type master;
        file "dynamic/forward.db";
};

// Reverse zone for the 10.6X.6X.0/24 lab subnet.
zone "6X.6X.10.in-addr.arpa" {
        type master;
        file "dynamic/reverse.db";
};

// Stock localhost/loopback zones and the DNSSEC root trust anchor.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
...

3. Create the forward zone file, forward.db

# Zone file path matches `file "dynamic/forward.db"` in named.conf (relative to /var/named).
vim /var/named/dynamic/forward.db
...
; Default TTL for every record below that has none of its own.
$TTL 1W
; "root" has no trailing dot, so the hostmaster mailbox becomes root@openshift.podX.io.
@       IN      SOA     ns1.openshift.podX.io. root (
                        2020092301      ; serial -- bump it on every edit
                        3H                  ; refresh (3 hours)
                        30M                 ; retry (30 minutes)
                        2W              ; expiry (2 weeks)
                        1W )            ; minimum (1 week) -- also the negative-cache TTL; a name queried
                                        ; before it was added can stay NXDOMAIN in caches this long
                                        ; (BIND caps it with max-ncache-ttl, 3 hours by default)
        IN      NS      ns1.openshift.podX.io.
; Mail exchanger; not used by OKD, harmless to keep.
        IN      MX 10   smtp.openshift.podX.io.
;
; 
ns1     IN      A       10.6X.6X.3
smtp    IN      A       10.6X.6X.3
;
; NOTE(review): the next two lines are identical; keep only one
; (named-checkzone may warn about the duplicate RR).
helper  IN      A       10.6X.6X.3
helper  IN      A       10.6X.6X.3
;
; The api points to the IP of your load balancer; api-int is the internal endpoint the nodes use
api             IN      A       10.6X.6X.3
api-int         IN      A       10.6X.6X.3
;
; The wildcard also points to the load balancer: any name under apps.openshift.podX.io resolves there
*.apps          IN      A       10.6X.6X.3
;
; Create entry for the bootstrap host
bootstrap       IN      A       10.6X.6X.4
;
; Create entries for the master hosts
master1         IN      A       10.6X.6X.5
master2         IN      A       10.6X.6X.6
master3         IN      A       10.6X.6X.7
;
; Create entries for the worker hosts
worker1         IN      A       10.6X.6X.8
worker2         IN      A       10.6X.6X.9
;
; The ETCd cluster lives on the masters...so point these to the IP of the masters
; NOTE(review): the etcd A and SRV records were required by early OKD 4.x releases;
; later releases no longer consult them -- harmless, but confirm against the OKD version installed.
etcd1  IN      A       10.6X.6X.5
etcd2  IN      A       10.6X.6X.6
etcd3  IN      A       10.6X.6X.7
;
; The SRV records are IMPORTANT....make sure you get these right...note the trailing dot at the end...
; Fields: priority 0, weight 10, port 2380 (etcd peer), target FQDN.
_etcd-server-ssl._tcp   IN      SRV     0 10 2380 etcd1.openshift.podX.io.
_etcd-server-ssl._tcp   IN      SRV     0 10 2380 etcd2.openshift.podX.io.
_etcd-server-ssl._tcp   IN      SRV     0 10 2380 etcd3.openshift.podX.io.
;
...

4. Create the reverse zone file, reverse.db

# Zone file path matches `file "dynamic/reverse.db"` in named.conf (relative to /var/named).
vim /var/named/dynamic/reverse.db
...
; Default TTL for every record below that has none of its own.
$TTL 1W
; Same SOA values as forward.db; "root" expands to root@ the zone origin.
@       IN      SOA     ns1.openshift.podX.io. root (
                        2020092301      ; serial -- bump it on every edit
                        3H                  ; refresh (3 hours)
                        30M                 ; retry (30 minutes)
                        2W                  ; expiry (2 weeks)
                        1W )            ; minimum (1 week) -- also the negative-cache TTL
        IN      NS      ns1.openshift.podX.io.
;
; syntax is "last octet" and the host must have fqdn with trailing dot
; (the zone origin 6X.6X.10.in-addr.arpa supplies the first three octets)
5       IN      PTR     master1.openshift.podX.io.
6       IN      PTR     master2.openshift.podX.io.
7       IN      PTR     master3.openshift.podX.io.
;
4       IN      PTR     bootstrap.openshift.podX.io.
;
; NOTE(review): two PTRs for .3 -- a reverse lookup of the load balancer returns both
; names, which is allowed; ns1/smtp/helper (also .3) have no PTR at all.
3       IN      PTR     api.openshift.podX.io.
3       IN      PTR     api-int.openshift.podX.io.
;
8       IN      PTR     worker1.openshift.podX.io.
9       IN      PTR     worker2.openshift.podX.io.
;
...

5. Enable and start the bind service

# Start named on boot, (re)start it now with the new config, and confirm it is running.
# Running `named-checkconf /etc/named.conf` and
# `named-checkzone openshift.podX.io /var/named/dynamic/forward.db` first catches
# syntax errors before the restart (a broken zone file makes named skip that zone).
systemctl enable named
systemctl restart named
systemctl status named

6. Allow the DNS service through the firewall

# Open port 53 (TCP and UDP) in the public zone. --permanent only writes the
# saved config, so the reload below is what applies it to the running firewall.
firewall-cmd  --add-service=dns --zone=public  --permanent
firewall-cmd --reload

7. Change the DNS server on the bastion

# Set the bastion's DNS server to 10.6X.6X.3 on its NetworkManager connection;
# this is the setting that persists across reconnects and reboots.
nmtui

# NOTE(review): NetworkManager typically regenerates this file, so edits here take
# effect immediately but may be overwritten; the nmtui change above is the durable one.
vim /etc/resolv.conf
...
# Previous upstream resolver, kept for reference.
#nameserver 8.8.8.8
# The BIND server installed above; external names now resolve through its forwarders.
nameserver 10.6X.6X.3
...

8. Verify the DNS server works

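# Resolve a name from the local forward zone; the answer should be the load balancer, 10.6X.6X.3.
nslookup api.openshift.podX.io
# Check the reverse zone too: both api and api-int names should come back for .3.
dig -x 10.6X.6X.3 +short
# Resolve and reach an external name, which proves recursion via the forwarders works.
# Options go before the host so the command also works on non-GNU ping implementations.
ping -c 3 yahoo.com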
