Labeled NFS/Demo/Manual/DNS

From SELinux Wiki

Setting Up DNS for testing

This is a brief HOWTO on setting up the BIND DNS server for the example domain used throughout this tutorial. The DNS notes at the beginning of the automated installation instructions assume that a system separate from the server provides DNS. The manual instructions place the DNS server on the same system as the other server components, but there is no reason why the steps cannot be adapted to run the DNS component on a separate system.

One prerequisite for Kerberos and LDAP is that the important machines have matching forward and reverse DNS names: the A record for a name and the PTR record for its address must point at each other. This means that you cannot simply assign an alias (a CNAME) to an existing machine and have it work, because the canonical name found through the PTR record will not be the alias.

The host command can be used to confirm that forward and reverse DNS match (see the test after the setup below).

First, install the BIND nameserver:

# yum install bind bind-utils

named configuration

This example configuration uses the private network 192.168.201.0/24, with 192.168.201.13 being the DNS/Kerberos/LDAP/NFSv4 server.

Add two zones to /etc/named.conf: one for the forward map and one for the reverse map. The file names are relative to the directory set in the options section (/var/named by default).

zone "example.com" IN {
  type master;
  file "example.com";
};
// reverse map for the class C network 192.168.201.0
zone "201.168.192.IN-ADDR.ARPA" IN {
  type master;
  file "192.168.201.rev";
};

The default configuration file only listens on the localhost address. Set listen-on and allow-query in the options section so that named answers queries from the local network and nothing else. If the server also recurses for the clients, allow-recursion can be restricted to the same network.

options {
   // ...
   listen-on port 53 { 192.168.201.13; 127.0.0.1; };
   allow-query { 192.168.201.0/24; 127.0.0.1/32; };
};

Forward zone

Create /var/named/example.com

$TTL 6D
@               IN      SOA     dns.example.com. root.example.com. (
                                200806256       ; Serial
                                1H      ; Refresh
                                300     ; Retry
                                2D      ; Expire
                                12H)     ; Negative caching TTL (the "minimum" field)
                        NS      dns.example.com.
;
localhost     A       127.0.0.1

; address of machine acting as DNS server
dns           A       192.168.201.13

; one machine for all three services: a single A record, no CNAME aliases
; NOTE: use seserver in all kerberos/nfs/ldap configuration files!
seserver         A       192.168.201.13

seclient      A       192.168.201.50
client2       A       192.168.201.51
client3       A       192.168.201.52

Reverse DNS

Create /var/named/192.168.201.rev:

$TTL 6D
@               IN      SOA     dns.example.com. root.example.com. (
                                200806201       ; Serial
                                1H      ; Refresh
                                300     ; Retry
                                2D      ; Expire
                                12H)     ; Minimum TTL
                        NS      dns.example.com.
;
13      IN PTR  seserver.example.com.

50      IN PTR  seclient.example.com.
51      IN PTR  client2.example.com.
52      IN PTR  client3.example.com.

Start named

Before starting the daemon, named-checkconf and named-checkzone (both shipped with bind) will report syntax errors in /etc/named.conf and the zone files; a zone with an error is refused at load time.

In targeted mode:

service named start

In MLS mode, use run_init so that the daemon starts in its own security context rather than the administrator's:

run_init service named start

Configure Local Name Resolution

Point the resolver at the new name server in /etc/resolv.conf, listing it before any other nameserver, and add example.com as the search domain. The same change is needed on every client (unless the clients use DHCP and the DHCP server has been configured to hand out the new name server). Note that the resolver only moves on to the next nameserver when the first one does not respond, so the old server is a fallback for outages, not for names the new zone does not know.

# search domain, so short names can be used
# (e.g. 'seserver' instead of seserver.example.com)
search example.com

# new nameserver
nameserver 192.168.201.13

# old nameserver, as a fallback
nameserver 192.168.201.1

Test forward and reverse DNS

Both lookups must agree on the canonical name. dns.example.com also resolves to 192.168.201.13, but the address maps back to seserver, so only seserver is suitable for the Kerberos and NFS host names.

# host seserver
seserver.example.com has address 192.168.201.13
# host 192.168.201.13
13.201.168.192.in-addr.arpa domain name pointer seserver.example.com.

Turn on named at boot

chkconfig named on

Firewalls

Add the following line to /etc/sysconfig/iptables, before the final INPUT REJECT rule, so that DNS queries on port 53/udp are accepted:

-A INPUT -m udp -p udp --dport 53 -j ACCEPT

Responses too large for a single UDP packet and zone transfers use 53/tcp; if you need those, add the same rule with -p tcp. Since allow-query already limits answers to 192.168.201.0/24, the firewall rule can be restricted in the same way with -s 192.168.201.0/24 so the server is not reachable from anywhere else.

Then restart iptables so the new rule is loaded:

# service iptables restart