Configuring BIND DNS Server for OKD HA Clusters

Introduction

The previous guide covered the BIND DNS server for a single-node OKD cluster; this guide covers the BIND DNS server for an HA (multi-node) OKD/OpenShift cluster.

If you’re looking for a Bind DNS server that serves both single-node and multi-node OKD clusters, you’re in the right place.

DNS Server IP - 192.168.11.100 | ns1.okd.linuxsysadmins.lan

Installing Bind DNS Server

Install the bind package and the utilities used for DNS queries, and make a backup of the original configuration file before making any changes.

$ dnf install bind bind-utils -y
$ cp /etc/named.conf /etc/named.conf-original

Configuring Bind DNS Server

Below is the complete content of the main DNS configuration file. I have defined separate forward zone files for the single-node and multi-node clusters, while the reverse zone will remain in the existing file.

$ vim /etc/named.conf
// named.conf
//

options {
  listen-on port 53 { 127.0.0.1; 192.168.11.100; };
  directory   "/var/named";
  dump-file   "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  secroots-file "/var/named/data/named.secroots";
  recursing-file  "/var/named/data/named.recursing";
  allow-query     { localhost; 192.168.11.0/24; };
  allow-recursion { localhost; 192.168.11.0/24; };
  forwarders { 192.168.11.1; };

  recursion yes;

  dnssec-validation yes;

  managed-keys-directory "/var/named/dynamic";
  geoip-directory "/usr/share/GeoIP";

  pid-file "/run/named/named.pid";
  session-keyfile "/run/named/session.key";

  include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
  category notify { zone_transfer_log; };
  category xfer-in { zone_transfer_log; };
  category xfer-out { zone_transfer_log; };
  channel zone_transfer_log {
    file "/var/named/log/transfer.log" versions 10 size 50m;
    print-time yes;
    print-category yes;
    print-severity yes;
    severity info;
  };
};

zone "okd.linuxsysadmins.lan" {
    type master;
    file "/var/named/okd.linuxsysadmins.lan.zone";
    allow-query { localhost; 192.168.11.0/24; };
    allow-transfer { none; };
};

zone "okdcls.linuxsysadmins.lan" {
    type master;
    file "/var/named/okdcls.linuxsysadmins.lan.zone";
    allow-query { localhost; 192.168.11.0/24; };
    allow-transfer { none; };
};

zone "11.168.192.in-addr.arpa" {
    type master;
    file "/var/named/11.168.192.in-addr.arpa.zone";
    allow-query { localhost; 192.168.11.0/24; };
    allow-transfer { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Check for Syntax errors

$ named-checkconf

Create the log directory with the appropriate ownership, permissions and SELinux context:

$ mkdir /var/named/log/
$ chown named:named /var/named/log/
$ chmod 700 /var/named/log/
$ restorecon -RFv /var/named/log/

Defining forward Zones

The existing forward zone file for the single-node cluster okd:

$ vim /var/named/okd.linuxsysadmins.lan.zone

$TTL 8h
@ IN  SOA ns1.okd.linuxsysadmins.lan. root (
      2024080101  ; serial
      3H    ; refresh (3 hours)
      30M   ; retry (30 minutes)
      2W    ; expiry (2 weeks)
      1W )    ; minimum (1 week)
  IN  NS  ns1.okd.linuxsysadmins.lan.
  IN  MX 10 smtp.okd.linuxsysadmins.lan.

ns1.okd.linuxsysadmins.lan.       IN  A 192.168.11.100
smtp.okd.linuxsysadmins.lan.      IN  A 192.168.11.100

helper.linuxsysadmins.lan         IN  A 192.168.11.100   ; no trailing dot: named expands this name relative to the zone origin
helper.okd.linuxsysadmins.lan.    IN  A 192.168.11.100

api.okd.linuxsysadmins.lan.       IN  A 192.168.11.101
api-int.okd.linuxsysadmins.lan.   IN  A 192.168.11.101
*.apps.okd.linuxsysadmins.lan.    IN  A 192.168.11.101

control-plane.okd.linuxsysadmins.lan. IN  A 192.168.11.101

bastion.okd.linuxsysadmins.lan.   IN  A 192.168.11.11
bootstrap.okd.linuxsysadmins.lan. IN  A 192.168.11.107

A separate forward zone file for the new multi-node cluster okdcls:

$ vim /var/named/okdcls.linuxsysadmins.lan.zone

$ORIGIN okdcls.linuxsysadmins.lan.
$TTL 8h
@ IN  SOA ns1.okdcls.linuxsysadmins.lan.  root (
      2024080101  ; serial
      3H    ; refresh (3 hours)
      30M   ; retry (30 minutes)
      2W    ; expiry (2 weeks)
      1W )    ; minimum (1 week)
  IN  NS  ns1.okdcls.linuxsysadmins.lan.

ns1.okdcls.linuxsysadmins.lan.        IN  A 192.168.11.100
api.okdcls.linuxsysadmins.lan.        IN  A 192.168.11.100
api-int.okdcls.linuxsysadmins.lan.    IN  A 192.168.11.100
*.apps.okdcls.linuxsysadmins.lan.     IN  A 192.168.11.100

control-plane1.okdcls.linuxsysadmins.lan. IN  A 192.168.11.201
control-plane2.okdcls.linuxsysadmins.lan. IN  A 192.168.11.202
control-plane3.okdcls.linuxsysadmins.lan. IN  A 192.168.11.203

compute1.okdcls.linuxsysadmins.lan.   IN  A 192.168.11.204
compute2.okdcls.linuxsysadmins.lan.   IN  A 192.168.11.205
compute3.okdcls.linuxsysadmins.lan.   IN  A 192.168.11.206

bastion.okdcls.linuxsysadmins.lan.    IN  A 192.168.11.11
bootstrap.okdcls.linuxsysadmins.lan.  IN  A 192.168.11.107

Defining Reverse Zones

As noted above, we reuse the existing reverse zone file and add the new cluster's records to it.

$ vim /var/named/11.168.192.in-addr.arpa.zone

$TTL 8h
@   IN    SOA   ns1.okd.linuxsysadmins.lan. root (
          2024080101  ; serial
          3H    ; refresh (3 hours)
          30M   ; retry (30 minutes)
          2W    ; expiry (2 weeks)
          1W )    ; minimum (1 week)
      IN  NS  ns1.okd.linuxsysadmins.lan.

100.11.168.192.in-addr.arpa.  IN  PTR ns1.okd.linuxsysadmins.lan.
101.11.168.192.in-addr.arpa.  IN  PTR api.okd.linuxsysadmins.lan.
101.11.168.192.in-addr.arpa.  IN  PTR api-int.okd.linuxsysadmins.lan.

101.11.168.192.in-addr.arpa.  IN  PTR control-plane.okd.linuxsysadmins.lan.
11.11.168.192.in-addr.arpa.   IN  PTR bastion.okd.linuxsysadmins.lan.
107.11.168.192.in-addr.arpa.  IN  PTR bootstrap.okd.linuxsysadmins.lan.

100.11.168.192.in-addr.arpa.  IN  PTR api.okdcls.linuxsysadmins.lan.
100.11.168.192.in-addr.arpa.  IN  PTR api-int.okdcls.linuxsysadmins.lan.

201.11.168.192.in-addr.arpa.  IN  PTR control-plane1.okdcls.linuxsysadmins.lan.
202.11.168.192.in-addr.arpa.  IN  PTR control-plane2.okdcls.linuxsysadmins.lan.
203.11.168.192.in-addr.arpa.  IN  PTR control-plane3.okdcls.linuxsysadmins.lan.

204.11.168.192.in-addr.arpa.  IN  PTR compute1.okdcls.linuxsysadmins.lan.
205.11.168.192.in-addr.arpa.  IN  PTR compute2.okdcls.linuxsysadmins.lan.
206.11.168.192.in-addr.arpa.  IN  PTR compute3.okdcls.linuxsysadmins.lan.

11.11.168.192.in-addr.arpa.   IN  PTR bastion.okdcls.linuxsysadmins.lan.
107.11.168.192.in-addr.arpa.  IN  PTR bootstrap.okdcls.linuxsysadmins.lan.

Permission and Ownership of Zone files

Set the appropriate ownership and permissions on the newly created zone files.

$ chown root:named /var/named/okd.linuxsysadmins.lan.zone
$ chown root:named /var/named/okdcls.linuxsysadmins.lan.zone
$ chown root:named /var/named/11.168.192.in-addr.arpa.zone

$ chmod 640 /var/named/okd.linuxsysadmins.lan.zone
$ chmod 640 /var/named/okdcls.linuxsysadmins.lan.zone
$ chmod 640 /var/named/11.168.192.in-addr.arpa.zone

Run named-checkzone on each zone file to catch errors.

$ named-checkzone okd.linuxsysadmins.lan /var/named/okd.linuxsysadmins.lan.zone
$ named-checkzone okdcls.linuxsysadmins.lan /var/named/okdcls.linuxsysadmins.lan.zone
$ named-checkzone 11.168.192.in-addr.arpa /var/named/11.168.192.in-addr.arpa.zone
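named-checkzone catches syntax errors but not an A record with no matching PTR (or a PTR with no matching A), nor a name that silently expanded because its trailing dot was left off. The following Python check is an added example, not part of this guide: it parses constructed excerpts of the zone files above and reports those mismatches, assuming records are written with the IN class as they are throughout this guide.

```python
ZONE_OKD = """\
@ IN  SOA ns1.okd.linuxsysadmins.lan. root (
      1W )    ; minimum
ns1.okd.linuxsysadmins.lan.   IN  A 192.168.11.100
helper.linuxsysadmins.lan     IN  A 192.168.11.100
api.okd.linuxsysadmins.lan.   IN  A 192.168.11.101
bastion                       IN  A 192.168.11.11
"""  # constructed excerpt of the okd forward zone above (SOA shortened)
ZONE_REV = """\
100.11.168.192.in-addr.arpa.  IN  PTR ns1.okd.linuxsysadmins.lan.
101.11.168.192.in-addr.arpa.  IN  PTR api.okd.linuxsysadmins.lan.
11.11.168.192.in-addr.arpa.   IN  PTR bastion.okd.linuxsysadmins.lan.
107.11.168.192.in-addr.arpa.  IN  PTR bootstrap.okd.linuxsysadmins.lan.
"""  # constructed excerpt of the reverse zone above

def parse_zone(text, origin):
    """Yield (fqdn, raw_owner, rtype, rdata); relative owners get the origin appended."""
    origin, last, in_paren = origin.rstrip("."), "@", False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if in_paren or not line.strip():              # inside SOA ( ... ) or blank
            in_paren = in_paren and ")" not in line
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].rstrip(".")
        elif not tokens[0].startswith("$"):           # ignore $TTL etc.
            if not line[0].isspace():                 # explicit owner name
                last = tokens.pop(0).replace("@", origin + ".")   # '@' is the origin
            fqdn = (last if last.endswith(".") else f"{last}.{origin}.")[:-1]
            if "IN" in tokens:                        # this guide always writes the IN class
                i = tokens.index("IN") + 1
                yield fqdn, last, tokens[i], tokens[i + 1:]
        in_paren = "(" in line and ")" not in line   # SOA opened a multi-line block

def crosscheck(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return sorted (missing_ptr, dangling_ptr, suspicious_owners)."""
    fwd, rev, suspicious = set(), set(), []
    for fqdn, raw, rtype, rdata in parse_zone(fwd_text, fwd_origin):
        if rtype != "A" or fqdn.startswith("*."):
            continue                                  # wildcards never get a PTR
        if not raw.endswith(".") and "." in raw:
            suspicious.append(raw)                    # forgotten trailing dot?
        fwd.add((rdata[0], fqdn))
    for fqdn, _, rtype, rdata in parse_zone(rev_text, rev_origin):
        if rtype == "PTR":
            octets = fqdn.removesuffix(".in-addr.arpa").split(".")
            rev.add((".".join(reversed(octets)), rdata[0].rstrip(".")))
    return sorted(fwd - rev), sorted(rev - fwd), sorted(suspicious)
```

Calling crosscheck(ZONE_OKD, "okd.linuxsysadmins.lan", ZONE_REV, "11.168.192.in-addr.arpa") flags helper.linuxsysadmins.lan as a suspicious owner (it expanded to helper.linuxsysadmins.lan.okd.linuxsysadmins.lan, which has no PTR) and the bootstrap PTR as dangling, since the constructed forward excerpt has no bootstrap A record.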

Restore the SELinux labels

$ restorecon -RFv /var/named/*.zone 

Starting Service

Start the service and enable it so it comes up at boot:

$ systemctl enable --now named
$ systemctl status named.service

Run dig for both forward and reverse lookups to confirm DNS resolution.

$ dig +short @localhost A ns1.okd.linuxsysadmins.lan
$ dig +short @localhost A api.okd.linuxsysadmins.lan
$ dig @localhost A api.okd.linuxsysadmins.lan
$ dig +short @localhost -x 192.168.11.101

Firewall Exclusion

Add firewall exclusion for DNS service.

$ firewall-cmd --permanent --add-service=dns
$ firewall-cmd --reload
$ firewall-cmd --list-all

That’s it: our Bind DNS server is ready for both the single-node and the multi-node OKD cluster. This setup is reliable and well suited to a home lab or a small business.
