by Sergiu Moza

DNS - servfail response (SOA records)

August 29th, 2008 Posted in Networking | No Comments »

Today I had some issues with one of my DNS servers.

The setup is one master and one slave for the zone. Last night the master failed because of a hard-disk failure. Today, while I was reinstalling and upgrading the master, the slave started to answer SERVFAIL to every query for that zone. This was very strange, because the slave was still a nameserver for the zone. Fortunately I managed to fix it: the problem was in the SOA record.

As you know from an earlier post, the zone file looks something like this:

$TTL 3600
@               IN SOA  example.com.    root.example.com. (
                                0605200803      ; serial (d. adams)
                                36000           ; refresh
                                36000           ; retry
                                36000           ; expiry
                                36000 )         ; minimum

                IN NS           example.com.

example.com.    IN A            192.168.2.141
example.org.    IN A            192.168.2.142   ; out-of-zone record: named ignores it when loading example.com

www             CNAME           example.com.

The expiry timer is set to 36000, and since the timers are in seconds that means 10 hours. That is how long a slave keeps serving the zone after its last successful refresh from the master: once it has gone that long without being able to contact the master, its copy of the zone expires. Keep in mind that the slave WILL NOT ANSWER ANY QUERY FOR AN EXPIRED ZONE; it returns SERVFAIL rather than serve data it can no longer verify. Note also that expire counts from the last successful refresh, not from the moment the master died, and that with refresh, retry and expire all set to 36000 a single failed refresh attempt is enough to lose the zone, because the expiry fires before the first retry. RFC 1912 recommends an expire of two to four weeks (1209600 to 2419200 seconds) precisely so that slaves keep serving through a master outage of this kind. The fix is to raise the expire value well above refresh plus retry and bump the serial so the slaves transfer the new SOA; "dig @slave example.com SOA" shows the values a slave currently holds.
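To make the timers concrete, here is an added example (my code, not from the original post): a small Python checker that parses the SOA out of a zone file, flags timer values that cause exactly this failure, and computes when a slave that last refreshed at a given time starts answering SERVFAIL. The sample zone and the timeline are constructed to match the post; RECOMMENDED_MIN_EXPIRE follows the RFC 1912 two-week lower bound. It goes slightly beyond the post's case in that it also accepts BIND's unit suffixes (10h, 2w) in the timer fields.

```python
import re
from datetime import datetime, timedelta

# Constructed sample zone matching the one in the post (added example,
# not the author's real zone file).
SAMPLE_ZONE = """\
$TTL 3600
@               IN SOA  example.com.    root.example.com. (
                                0605200803      ; serial (d. adams)
                                36000           ; refresh
                                36000           ; retry
                                36000           ; expiry
                                36000 )         ; minimum
                IN NS           example.com.
example.com.    IN A            192.168.2.141
"""

# BIND accepts plain seconds or values with unit suffixes (s, m, h, d, w).
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# RFC 1912 section 2.2 recommends an expire value of two to four weeks.
RECOMMENDED_MIN_EXPIRE = 2 * _UNITS["w"]


def ttl_seconds(token):
    """Convert '36000', '10h' or '1h30m' to a number of seconds."""
    token = token.lower()
    if token.isdigit():
        return int(token)
    if not re.fullmatch(r"(\d+[smhdw])+", token):
        raise ValueError("bad time value: %r" % token)
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", token))


def parse_soa(zone_text):
    """Return the SOA fields of a master-file zone as a dict.

    Handles both the parenthesised multi-line form used above and a
    single-line SOA; ';' comments are stripped first.
    """
    no_comments = " ".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    tokens = no_comments.replace("(", " ").replace(")", " ").split()
    upper = [t.upper() for t in tokens]
    if "SOA" not in upper:
        raise ValueError("no SOA record found")
    i = upper.index("SOA")
    fields = tokens[i + 1:i + 8]
    if len(fields) != 7:
        raise ValueError("truncated SOA record")
    mname, rname, serial, refresh, retry, expire, minimum = fields
    return {
        "mname": mname,
        "rname": rname,
        "serial": int(serial),
        "refresh": ttl_seconds(refresh),
        "retry": ttl_seconds(retry),
        "expire": ttl_seconds(expire),
        "minimum": ttl_seconds(minimum),
    }


def check_timers(soa):
    """Return warnings about the SOA timers; an empty list means they are sane."""
    warnings = []
    refresh, retry, expire = soa["refresh"], soa["retry"], soa["expire"]
    if retry >= refresh:
        warnings.append("retry (%d) should be shorter than refresh (%d)" % (retry, refresh))
    if expire <= refresh + retry:
        warnings.append("expire (%d) is not above refresh+retry (%d): one failed "
                        "refresh is enough to expire the zone" % (expire, refresh + retry))
    if expire < RECOMMENDED_MIN_EXPIRE:
        warnings.append("expire (%d s = %.1f h) is below the RFC 1912 recommendation "
                        "of 2-4 weeks" % (expire, expire / 3600.0))
    if not 0 <= soa["serial"] < 2 ** 32:
        warnings.append("serial %d does not fit in 32 bits" % soa["serial"])
    return warnings


def zone_expires_at(soa, last_refresh):
    """Moment a slave that last refreshed at `last_refresh` stops serving the zone."""
    return last_refresh + timedelta(seconds=soa["expire"])


def slave_state(soa, last_refresh, now):
    """'authoritative' while the slave's copy is valid, 'SERVFAIL' once it expired."""
    return "SERVFAIL" if now >= zone_expires_at(soa, last_refresh) else "authoritative"


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_ZONE)
    for warning in check_timers(soa):
        print("WARNING:", warning)
    # Constructed timeline: last good refresh the evening before the master's
    # disk died, then checks the next morning.
    last_ok = datetime(2008, 8, 28, 20, 0)
    print("zone on the slave expires at", zone_expires_at(soa, last_ok))
    for when in (datetime(2008, 8, 29, 5, 0), datetime(2008, 8, 29, 9, 0)):
        print(when, "->", slave_state(soa, last_ok, when))
```

Run against the sample zone it produces three warnings (retry not below refresh, expire not above refresh plus retry, expire far below two weeks) and shows the slave going to SERVFAIL ten hours after its last good refresh; against a zone with refresh 3600, retry 900 and expire 2w the warning list is empty. An empty list from check_timers only says the timers are internally consistent; slave_state is what tells you how long a master outage a slave can ride through.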

Promoting secondary domain controller to primary

August 29th, 2008 Posted in Server 2003 | 5 Comments »

In some cases we need to promote our secondary domain controller to primary, and I think the most common reason is the original domain controller crashing with no hope of bringing it back.
In such situations there is no other choice than to promote the secondary domain controller (in Active Directory terms, seize the operations master, or FSMO, roles the dead controller held) until the crashed one is reinstalled, assuming the hardware is still fine; if something burned up, reinstalling is not an option either.

[Read more about this article]

Router on a Stick

August 25th, 2008 Posted in Networking | 1 Comment »

This post discusses how to route multiple VLANs when no layer 3 switch is available. It was tested and worked in a lab environment. Always understand the impact of every command you send to a router or switch, and do not try this in your production network. The author cannot be held responsible for any damage you may cause to your network.

The classic approach for routing is:

On the switch you configure the VLANs and assign each port its VLAN membership; then, for each VLAN, you cable one switch port to one physical interface on the router. So each routed VLAN costs one physical router interface and one switch port. This works, but it does not scale: what do we do if we have to route 20 VLANs? Few routers have 20 spare physical interfaces.

[Read more about this article]

Disable unneeded CentOS services

July 17th, 2008 Posted in Linux | 4 Comments »

In many situations we need every bit of resources out of our servers, and the resource that is always in short supply is RAM. Disabling unneeded services frees memory, and it also shrinks the attack surface: several of the services below (portmap, cups, xinetd) open listening sockets that nobody will be using.

The proper way to stop a service from starting at boot is the "chkconfig" utility.

Here is a list of services that can usually be disabled on a headless server without affecting the OS; the comments mark the ones you should keep if you rely on the feature they provide.

chkconfig acpid off        # ACPI events (power button, lid); harmless on most servers
chkconfig atd off          # one-off jobs scheduled with at(1)
chkconfig autofs off       # automounter; keep if you rely on auto-mounted NFS or home dirs
chkconfig cpuspeed off     # CPU frequency scaling
chkconfig cups off         # printing; also stops the listener on TCP 631
chkconfig gpm off          # mouse support on the text console
chkconfig haldaemon off    # hardware abstraction layer (hotplug); see the note below
chkconfig isdn off         # ISDN support
chkconfig mdmonitor off    # software RAID (md) monitoring; keep if you use software RAID
chkconfig messagebus off   # D-Bus system bus; see the note below
chkconfig netfs off        # mounts network filesystems (NFS/SMB) from fstab at boot
chkconfig nfslock off      # NFS locking (rpc.statd); keep if you use NFS
chkconfig openibd off      # InfiniBand drivers
chkconfig pcmcia off       # PCMCIA card support
chkconfig portmap off      # RPC portmapper (TCP/UDP 111); keep if you use NFS or NIS
chkconfig rawdevices off   # raw device bindings used by some databases
chkconfig rpcgssd off      # NFSv4 Kerberos (RPCSEC_GSS) client; keep for NFS with sec=krb5
chkconfig rpcidmapd off    # NFSv4 user/group ID mapping; keep if you use NFSv4
chkconfig smartd off       # SMART disk health monitoring; worth keeping on physical servers
chkconfig xinetd off       # super-server; keep if anything under /etc/xinetd.d is enabled

You can disable the same services from the System Services menu of the "setup" command. You can turn off "microcode_ctl" if this is an AMD machine, and "irqbalance" if there is only one CPU. If you plan on using plug-and-play devices, leave "haldaemon" and "messagebus" running. If you did not do a minimal install you will have more services enabled. Note that chkconfig only changes what starts at boot: a service that is already running stays up until you stop it (for example "service cups stop") or reboot, and "chkconfig --list" shows what is still enabled for each runlevel.

If you are not sure what a service does, read the comments at the top of its startup script in the /etc/init.d directory.

Install & Configure Dnsmasq on Linux

June 12th, 2008 Posted in Linux | No Comments »

Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-allocated addresses to appear in the DNS with names configured either in each host or in a central configuration file. Dnsmasq supports static and dynamic DHCP leases and BOOTP/TFTP for network booting of diskless machines.

Dnsmasq is targeted at home networks using NAT and connected to the internet via a modem, cable-modem or ADSL connection but would be a good choice for any smallish network (up to 1000 clients is known to work) where low resource use and ease of configuration are important.

[Read more about this article]

Installing a DNS Server on CentOS 5

June 11th, 2008 Posted in Linux | 2 Comments »

About DNS
When hosts on a network connect to one another via a hostname, also called a fully qualified domain name (FQDN), DNS is what maps the name of the machine to its IP address.

Use of DNS and FQDNs also has advantages for system administrators: they can change the IP address of a host without affecting name-based access to it and, conversely, move a name from one machine to another by changing a record rather than reconfiguring every client.

DNS is normally implemented using centralized servers that are authoritative for some domains and refer to other DNS servers for other domains.

When a client host requests information from a nameserver, it normally sends the query to port 53 (UDP, with TCP used for answers that do not fit in a UDP packet and for zone transfers). The nameserver first looks for the answer in its own data: the zones it is authoritative for, or records cached from earlier queries. If it does not have the answer, it resolves the name iteratively: it asks a root nameserver, which refers it to the nameservers for the top-level domain (.com), which in turn refer it to the nameservers authoritative for the domain; finally it asks one of those for the record of the requested host. A reverse lookup works the same way, except that the query is for a name under in-addr.arpa built from the IP address rather than for a hostname.

Example:

bob.example.com
mail.example.com
games.example3.com

[Read more about this article]