Set Up Additional Local DNS – To Add Scan Addresses

In this document I demonstrate how to add an additional local DNS server to an existing DNS. I had this need when I wanted to create some additional IP addresses in the DNS for Real Application Cluster (VIP and SCAN).

My Testing Environment

My Private DNS Server

IP Address:
Host Name: localdns
OS: Oracle Linux Server release 7.5

Client Machine to Use DNS

IP Address:
Host Name: dbhost
OS: Oracle Linux Server release 7.4

Current Domain DNS

Secondary: 1

DNS Entry to Add

IP Address:
Host Name: dbhost-scan

Use the ping command to verify that the above IP address is not being used:

$ ping -c1 -w 1 >/dev/null 2>&1 ; if [ $? -eq 1 ]; then echo “This IP is Not used”; else echo “This IP is used”; fi
This IP is Not used

Install required packages:

$ sudo yum install bind* -y

Define zone files in the master configuration ‘named.conf‘ file:

$ sudo vim /etc/named.conf

Change 127.0.01 to any at the end zone sections.

Add the zone section at the end. Pay attention for the prefix (It is the reverse of the first three numbers of the DNS entry we want to add; this is important for reverse lookup.)

// named.conf
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
// See /usr/share/doc/bind*/sample/ for example named configuration files.
// See the BIND Administrator’s Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory  “/var/named”;
dump-file  “/var/named/data/cache_dump.db”;
statistics-file “/var/named/data/named_stats.txt”;
memstatistics-file “/var/named/data/named_mem_stats.txt”;
allow-query     { 
any; };

– If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
– If you are building a RECURSIVE (caching) DNS server, you need to enable
– If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
recursion no;

dnssec-enable yes;
dnssec-validation yes;

/* Path to ISC DLV key */
bindkeys-file “/etc/named.iscdlv.key”;

managed-keys-directory “/var/named/dynamic”;

pid-file “/run/named/”;
session-keyfile “/run/named/session.key”;

logging {
channel default_debug {
file “data/”;
severity dynamic;

zone “mydomain.local” IN {
type master;
file “named.mydomain.fwd”;
allow-update { none; };
zone”” IN {
type master;
file “named.mydomain.rev”;
allow-update { none; };

include “/etc/named.rfc1912.zones”;
include “/etc/named.root.key”;

Create zone files:

$ sudo cp /var/named/named.localhost /var/named/named.mydomain.fwd
$ sudo cp /var/named/named.loopback /var/named/named.mydomain.rev

Edit these zones files:

Forward zone configuration

$ sudo vi /var/named/named.mydomain.fwd

Make changes per your need:

@ IN SOA localdns.mydomain.local. root.mydomain.local. (
2014090401 ; serial
3600 ; refresh
1800 ; retry
604800 ; expire
86400 ) ; minimum
; Name server’s
@ IN NS 
; Name server hostname to IP resolve.
@ IN A
; Hosts in this Domain
@ IN A
dbhost-scan IN A
localdns IN A

Reverse zone configuration:

$ sudo vi /var/named/named.mydomain.rev

Make changes per your need:

$TTL 86400
localdns.mydomain.local. root.mydomain.local. (
2014090402 ; serial
3600 ; refresh
1800 ; retry
604800 ; expire
86400 ) ; minimum
; Name server’s
@ IN NS 
; Name server hostname to IP resolve.
localdns IN A
;Hosts in Domain
dbhost-scan IN A
123 IN PTR dbhost-scan.mydomain.local.
100 IN PTR localdns.mydomain.local.

Change the group to named:

$ sudo chgrp named /var/named/named.mydomain.fwd
$ sudo chgrp named /var/named/named.mydomain.rev

Check for errors in zone files:

$ sudo named-checkconf /etc/named.conf
$ sudo named-checkzone localdns.mydomain.local /var/named/named.mydomain.fwd
$ sudo named-checkzone localdns.mydomain.local /var/named/named.mydomain.rev

Run, enable, and check the named service:

$ sudo chkconfig named on
$ sudo service named start
$ sudo service named status

Add new DNS to be resolved on the client machine (dbhost):

$ sudo vi /etc/resolv.conf

Add the entry shown in red font to the file:

# Generated by NetworkManager
search mydomain.local
options timeout:1
options attempts:2

Check our new DNS:

$ nslookup
Address: name = dbhost-scan.mydomain.local.

$ nslookup dbhost-scan

Name: dbhost-scan.mydomain.local

$ nslookup dbhost-scan.mydomain.local

Name: dbhost-scan.mydomain.local