Redundant caching-DNS

From OpenBSD-Wiki

Written for: OpenBSD Version 4.2


Introduction

This is a redundant model for caching-only name servers. This model is very useful in both ISP and Webhosting networks, where DNS servers that are otherwise not authoritative for any particular domain are still necessary to resolve common traffic, and must be available at all times.


danno 11:22, 18 December 2007 (CST) UNDER CONSTRUCTION!!! More will be written here from a deployment I recently did at my job.


Network Setup

This section explains how CARP lets the two physical servers share the two IP addresses that BIND listens on, so that either server can answer DNS requests sent to either address.


Image:Redundant-dns-for-wiki.jpg


The IP Addressing

To keep things manageable, we'll carve out a /29 for this setup. A /29 (subnet mask 255.255.255.248) holds 8 addresses: the network and broadcast addresses cannot be assigned to hosts, the router takes one, and the remaining 5 are available to us, one more than the four this setup needs (the spare could go to a third server, for instance). Here we use the 10.10.230.0/29 network:


IP Address    Use                Usable host?  Notes
10.10.230.0   Subnet ID          no            Network address; the lower boundary of the subnet
10.10.230.1   Router             no            Taken by the router, the default gateway for the hosts
10.10.230.2   DNS host #1        yes           Unique address of DNS1 (its physical interface)
10.10.230.3   DNS host #2        yes           Unique address of DNS2 (its physical interface)
10.10.230.4   CARP #1            yes           First shared address that named listens on, on both servers
10.10.230.5   CARP #2            yes           Second shared address that named listens on, on both servers
10.10.230.6   unused             yes           Unused, available for future use
10.10.230.7   Broadcast address  no            Upper boundary of the subnet; used for broadcast traffic



Interface Configuration

Here are the interface configurations for the physical interfaces and the CARP interfaces. We assume for this setup that the network card in each box is an Intel 100Mbps Fast Ethernet card, which the OS names fxp0 (the first Intel NIC in the system).

Actual Interfaces

First, set up the physical interface on each box with its own address: 10.10.230.2 on DNS1 and 10.10.230.3 on DNS2. CARP needs the underlying interface (the carpdev) to be up and addressed before the shared addresses can be added on top of it.


Config File: /etc/hostname.fxp0 on DNS1

CARP Interfaces

Set up the CARP interfaces to answer for 10.10.230.4 and 10.10.230.5. Each server needs both addresses configured, so that .4 and .5 keep answering queries whether DNS1 or DNS2 is the one still running. To spread the load, make DNS1 the preferred master for .4 and DNS2 the preferred master for .5 by setting advskew 100 on the CARP interface each server should stand by on: the host advertising with the lowest advskew becomes master for that vhid. Two details matter for this to work. The hosts sharing an address must use the same vhid and the same pass (the shared secret that authenticates CARP advertisements, so keep the hostname.carp* files readable only by root), and each vhid must be unique on the network segment, so .4 is vhid 1 and .5 is vhid 2 on both boxes. Also set net.inet.carp.preempt=1 in /etc/sysctl.conf on both servers: without it, whichever host boots first becomes master for both addresses and keeps them, because a backup with a better advskew will not take over from a master that is still advertising.


CARP configurations for DNS1:


Config File: /etc/hostname.carp0 on DNS1
inet 10.10.230.4 255.255.255.248 10.10.230.7 vhid 1 pass luc3nt carpdev fxp0


Config File: /etc/hostname.carp1 on DNS1
inet 10.10.230.5 255.255.255.248 10.10.230.7 vhid 2 pass p00ps advskew 100 carpdev fxp0



CARP configurations for DNS2:


Config File: /etc/hostname.carp0 on DNS2 (vhid 1, matching DNS1's carp0 for the same address; two carp interfaces on one host must never share a vhid)
inet 10.10.230.4 255.255.255.248 10.10.230.7 vhid 1 pass luc3nt advskew 100 carpdev fxp0


Config File: /etc/hostname.carp1 on DNS2
inet 10.10.230.5 255.255.255.248 10.10.230.7 vhid 2 pass p00ps carpdev fxp0
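The four files above are short enough to type by hand, but the rules they depend on (one vhid per shared address, the same vhid and pass on both hosts, a vhid used at most once per host, exactly one host with advskew 0 per vhid) fail silently when mistyped: the interfaces come up, and you only learn about the mistake at failover time. The following Python script is an added example, not part of this page or of OpenBSD: it renders the hostname.fxp0 and hostname.carpN files for both hosts from the addressing table above (the fxp0 lines are derived from that table, since the page does not show them), then lints a constructed, deliberately mistyped copy in which DNS2's carp0 was given vhid 2. The function names and lint rules are this example's own.

```python
"""Render and lint hostname.if(5) files for a two-node CARP pair.

Added example for this page, not part of the original article. Addresses,
vhids, passwords and the carp0/carp1 layout are the page's; NODE_ADDRS and
the fxp0 lines are derived from its addressing table; everything else
(function names, lint rules) is this example's own.
"""

NETMASK = "255.255.255.248"
BROADCAST = "10.10.230.7"
CARPDEV = "fxp0"
NODES = ("dns1", "dns2")
NODE_ADDRS = {"dns1": "10.10.230.2", "dns2": "10.10.230.3"}
STANDBY_ADVSKEW = 100

# One shared address per vhid: (vhid, address, preferred master, shared CARP password).
VIPS = [
    (1, "10.10.230.4", "dns1", "luc3nt"),
    (2, "10.10.230.5", "dns2", "p00ps"),
]


def carp_line(vhid, addr, password, advskew=0):
    """Render one hostname.if(5) line for a carp(4) interface."""
    opts = f"vhid {vhid} pass {password}"
    if advskew:
        opts += f" advskew {advskew}"
    return f"inet {addr} {NETMASK} {BROADCAST} {opts} carpdev {CARPDEV}"


def node_files(node):
    """Map file name -> contents for one host; advskew 0 only where it should be master."""
    files = {"hostname.fxp0": f"inet {NODE_ADDRS[node]} {NETMASK} {BROADCAST}"}
    for idx, (vhid, addr, master, password) in enumerate(VIPS):
        advskew = 0 if master == node else STANDBY_ADVSKEW
        files[f"hostname.carp{idx}"] = carp_line(vhid, addr, password, advskew)
    return files


def parse_carp_line(line):
    """Pull address, vhid, pass and advskew back out of a hostname.carpN line."""
    tok = line.split()
    parsed = {"addr": tok[1], "advskew": 0}
    for key in ("vhid", "pass", "advskew", "carpdev"):
        if key in tok:
            parsed[key] = tok[tok.index(key) + 1]
    parsed["vhid"] = int(parsed["vhid"])
    parsed["advskew"] = int(parsed["advskew"])
    return parsed


def lint(cluster):
    """Check a {node: {file: line}} layout for the mistakes that break failover."""
    problems = []
    members = {}  # vhid -> list of (node, parsed line)
    for node, files in cluster.items():
        seen = set()
        for fname, line in files.items():
            if not fname.startswith("hostname.carp"):
                continue
            p = parse_carp_line(line)
            if p["vhid"] in seen:
                problems.append(f"{node}: vhid {p['vhid']} used by more than one interface")
            seen.add(p["vhid"])
            members.setdefault(p["vhid"], []).append((node, p))
    for vhid, entries in members.items():
        nodes = {n for n, _ in entries}
        if nodes != set(cluster):
            problems.append(f"vhid {vhid}: configured only on {sorted(nodes)}")
        if len({p["addr"] for _, p in entries}) != 1:
            problems.append(f"vhid {vhid}: hosts disagree on the shared address")
        if len({p["pass"] for _, p in entries}) != 1:
            problems.append(f"vhid {vhid}: hosts disagree on the CARP password")
        masters = [n for n, p in entries if p["advskew"] == 0]
        if len(masters) != 1:
            problems.append(f"vhid {vhid}: expected exactly one preferred master, got {masters}")
    return problems


def planned_cluster():
    """The layout this page describes."""
    return {node: node_files(node) for node in NODES}


def mistyped_cluster():
    """Constructed: DNS2's carp0 given vhid 2 instead of 1, so both of its carp interfaces share a vhid."""
    bad = planned_cluster()
    bad["dns2"]["hostname.carp0"] = carp_line(2, "10.10.230.4", "luc3nt", STANDBY_ADVSKEW)
    return bad


if __name__ == "__main__":
    for node, files in planned_cluster().items():
        for fname, line in files.items():
            print(f"# /etc/{fname} on {node}\n{line}")
    for problem in lint(mistyped_cluster()):
        print("PROBLEM:", problem)
```

Run as-is it prints the six files for the planned layout and then four findings for the mistyped copy: the duplicate vhid on dns2, vhid 1 present on only one host, and two hosts disagreeing on both the address and the password behind vhid 2. Each of those would have left one CARP address without a working backup.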



BIND Setup

This section explains how to configure BIND as a basic caching-only name server that performs recursive lookups only for hosts you trust.

The boilerplate has been stripped from the config so it is easier to break down and understand. The first thing in the configuration is the acl named "clients". It covers the server itself (127.0.0.1 and ::1), the networks the server's own interfaces are on (localnets, here the 10.10.230.0/29 from the table above), and the other networks this server should resolve for. Trailing zero octets may be omitted in a prefix, so 10.168.224/20 means 10.168.224.0/20. The acl is referenced by allow-recursion, which is what limits recursion to trusted clients. It is not referenced by allow-query, which BIND defaults to any, so with listen-on { any; } anyone who can reach the server can still send it queries and get answers for the local zones (and, on BIND releases before allow-query-cache existed, for anything already in the cache). If the server is reachable from untrusted networks, add allow-query { clients; }; to the options as well, so outsiders get REFUSED instead of a way to probe the cache.


This exact configuration is to be used on both servers.


Config File: /var/named/etc/named.conf

acl clients {
	localnets; 127.0.0.1; ::1;
	192.168.100.0/24; 10.168.224/20; 10.10.144/22; 192.168.92/23;
};

options {
	version "";	// remove this to allow version queries

	listen-on    { any; };	// covers fxp0 and both CARP addresses on either host

	allow-recursion { clients; };	// only the acl above may recurse; restrict allow-query too if outsiders can reach this server

	recursive-clients 5000;

};

logging {
	category lame-servers { null; };
};

// Standard zones
//
zone "." {
	type hint;
	file "standard/root.hint";
};

zone "localhost" {
	type master;
	file "standard/localhost";
	allow-transfer { localhost; };
};

zone "127.in-addr.arpa" {
	type master;
	file "standard/loopback";
	allow-transfer { localhost; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
	type master;
	file "standard/loopback6.arpa";
	allow-transfer { localhost; };
};

zone "com" {
	type delegation-only;
};

zone "net" {
	type delegation-only;
};



// rndc control channel, loopback only. The secret below is a placeholder:
// generate a real one with rndc-confgen and keep this file readable only by
// root, since whoever holds the key can reconfigure or stop named.
key "rndc-key" {
    algorithm       hmac-md5;
    secret          "jIpKqniOSfP7NrblahyDkw==";
};

controls {
    inet            127.0.0.1 port 953
                    allow { 127.0.0.1; }
                    keys { "rndc-key"; };
};
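To see what the "clients" acl actually admits, and what the missing allow-query changes, the following Python script is an added example (not part of this page or of BIND) that evaluates BIND-style address match lists with first-match semantics and abbreviated prefixes. The acl is copied from the named.conf above; the LOCALNETS value (what "localnets" expands to) is taken from the addressing table, and the sample client addresses, the two option sets and the function names are this example's own. The "page" options model the named.conf as written (allow-recursion restricted, allow-query at BIND's default of any); the "hardened" set adds allow-query { clients; };.

```python
"""Evaluate BIND-style address match lists against sample clients.

Added example for this page, not part of the original article or of BIND.
CLIENTS_ACL is the page's acl; LOCALNETS is assumed from its addressing
table; the sample clients, option sets and function names are this
example's own.
"""
import ipaddress

CLIENTS_ACL = ["localnets", "127.0.0.1", "::1",
               "192.168.100.0/24", "10.168.224/20", "10.10.144/22", "192.168.92/23"]

# Assumed: what "localnets" expands to, i.e. the networks this server's own
# interfaces are attached to (the /29 from the addressing table).
LOCALNETS = ["10.10.230.0/29"]


def expand_prefix(element):
    """BIND lets trailing zero octets be omitted: '10.168.224/20' is 10.168.224.0/20."""
    addr, _, plen = element.partition("/")
    if ":" not in addr:
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen}" if plen else addr, strict=False)


def matches(acl, client, localnets=LOCALNETS):
    """First-match address-match-list semantics; a leading '!' negates the element.

    Returns True when the client is allowed, False when it is denied or when no
    element matches (BIND denies by default).
    """
    ip = ipaddress.ip_address(client)
    for element in acl:
        negate = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            hit = ip.is_loopback  # simplification: BIND's localhost is every address of this host
        elif name == "localnets":
            hit = any(ip in expand_prefix(net) for net in localnets)
        else:
            hit = ip in expand_prefix(name)
        if hit:
            return not negate
    return False


# What the page's options block amounts to, beside a hardened variant.
PAGE_OPTIONS = {"allow-query": ["any"], "allow-recursion": CLIENTS_ACL}
HARDENED_OPTIONS = {"allow-query": CLIENTS_ACL, "allow-recursion": CLIENTS_ACL}


def decide(options, client):
    """Outcome for one client under one options block.

    A client outside allow-query is refused outright. A client inside
    allow-query but outside allow-recursion is answered only from data the
    server already holds: its local zones and, on BIND releases before
    allow-query-cache existed, its cache. That is the cache-snooping window
    left open when allow-query stays at its default of any.
    """
    if not matches(options["allow-query"], client):
        return "refused"
    if matches(options["allow-recursion"], client):
        return "recursive"
    return "non-recursive only"


if __name__ == "__main__":
    # Constructed sample clients: inside each acl network, just past one edge, and an outsider.
    for client in ("10.10.230.3", "10.168.230.7", "10.168.240.1", "10.10.146.20",
                   "192.168.93.250", "198.51.100.9", "::1"):
        print(f"{client:>16}  page: {decide(PAGE_OPTIONS, client):<20}"
              f"hardened: {decide(HARDENED_OPTIONS, client)}")
```

The interesting rows are 10.168.240.1 (one address past the end of 10.168.224/20) and the outsider 198.51.100.9: under the page's options both still get "non-recursive only" service, under the hardened options both are refused. Everything inside the acl is unchanged by the extra directive, which is why it costs nothing to add.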
