Steps to set up the DNS server for the IBM Fusion HCI appliance. The steps apply to both static IP and DHCP configurations.
Before you begin
- Ensure that the VIP addresses for Ingress and API are in the same subnet as the machine CIDR.
- For IBM Fusion HCI with static IP, configure the DNS server so that reverse lookups (nslookup) for the 169.253.0.0/24 IP range return NXDOMAIN locally instead of being forwarded upstream. This range belongs to the provisioning network and DNS must not try to resolve it. The configuration below makes the server authoritative for an empty 253.169.in-addr.arpa zone, which covers the whole 169.253.0.0/16 and therefore also the 169.253.2.53 address used in the test. On a Linux BIND (named) server, make the following configuration changes:
- Edit /etc/named.conf to add the following content:
zone "253.169.in-addr.arpa" {
    type master;
    file "/var/named/db.blocked-253.169";
};
- Create the zone file /var/named/db.blocked-253.169 and add the following configuration:
$TTL 86400
@       IN SOA localhost. root.localhost. (
                1       ; Serial
                3600    ; Refresh
                1800    ; Retry
                604800  ; Expire
                86400 ) ; Minimum
        IN NS localhost.
- Run the following command to restart the named server:
sudo systemctl restart named
- Test that a reverse lookup of an address in the range returns NXDOMAIN from the server itself rather than a forwarded answer:
nslookup 169.253.2.53 <DNS server IP>
Output:
** server can't find 53.2.253.169.in-addr.arpa: NXDOMAIN
About this task
Forward and reverse lookups must match so that hostnames cannot be spoofed: a hostname that resolves to the wrong IP address, or an address whose PTR record names the wrong host, is a security issue. IBM Fusion HCI installation needs static IPs for its nodes, and each node has its own specific hostname. To meet this requirement, DHCP is set up to map each MAC address to an IP address and hostname, and the DNS service is configured with the same mapping between IP address and hostname in both directions.
Note: The samples in this procedure are based on Red Hat® Enterprise Linux. On other platforms, use the equivalent commands.
Procedure
- Run the following command to suspend updates to all dynamic zones:
- Edit your forward lookup zone file (zonefile.db) in the /var/named folder.
Note: A forward lookup returns the IP address of a hostname.
Sample forward lookup file:
$TTL 1W
@ IN SOA ns1.isf.mycompany.com. root (
2021052608 ; serial
3H ; refresh (3 hours)
30M ; retry (30 minutes)
2W ; expiry (2 weeks)
1W ) ; minimum (1 week)
IN NS ns1.isf.mycompany.com.
IN MX 10 smtp.isf.mycompany.com.
;
ns1 IN A 10.9.20.17
smtp IN A 10.9.20.17
;
api IN A 10.9.20.127
;
; Ingress LB (apps)
*.apps IN A 10.9.20.128
;
bootstrap IN A 10.9.20.135
;
; Create entries for the master nodes
control-1-ru2 IN A 10.9.20.129
control-1-ru3 IN A 10.9.20.130
control-1-ru4 IN A 10.9.20.131
;
; Create entries for the worker nodes
compute-1-ru5 IN A 10.9.20.132
compute-1-ru6 IN A 10.9.20.133
compute-1-ru7 IN A 10.9.20.134
servicenode-1 IN A 10.9.20.222
;
;
;EOF
Note: The service node hostname has the form servicenode-<rackid>. For a single rack, rackid is always 1. For multi-rack, it depends on the rackid of the base rack.
- Edit the reverse lookup zone file (reverse.db) in the /var/named folder.
Note: A reverse lookup returns the hostname of an IP address.
Sample reverse lookup file:
$TTL 1W
@ IN SOA ns1.isf.mycompany.com. root (
2021052608 ; serial
3H ; refresh (3 hours)
30M ; retry (30 minutes)
2W ; expiry (2 weeks)
1W ) ; minimum (1 week)
IN NS ns1.isf.mycompany.com.
; gen2003 rack
127 IN PTR api.isf.mycompany.com.
135 IN PTR bootstrap.isf.mycompany.com.
;
; syntax is "last octet" and the host must have fqdn with trailing dot
129 IN PTR control-1-ru2.isf.mycompany.com.
130 IN PTR control-1-ru3.isf.mycompany.com.
131 IN PTR control-1-ru4.isf.mycompany.com.
132 IN PTR compute-1-ru5.isf.mycompany.com.
133 IN PTR compute-1-ru6.isf.mycompany.com.
134 IN PTR compute-1-ru7.isf.mycompany.com.
222 IN PTR servicenode-1.isf.mycompany.com.
;
In this example, the IP addresses 10.9.20.127 through 10.9.20.222 that have PTR records point to the corresponding fully qualified domain names.
Note: Ensure that the subdomain consists of lowercase alphanumeric characters, '-' or '.', and starts and ends with an alphanumeric character. For example, example.com.
The regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'.
- Ensure that your named.conf file in the /etc folder contains the zone definitions for your forward and reverse lookup files. The reverse zone name is the first three octets of the node subnet in reverse order, followed by in-addr.arpa, and it must match the subnet used in the reverse lookup file. The sample answers queries from any client (allow-query { any; }); if the server is reachable from networks other than the cluster and provisioning networks, restrict allow-query and allow-recursion to those subnets.
Sample named.conf file:
[root@provisioner named]# cat /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
.......
.......
###### Add what's between these comments ###########
zone "isf.mycompany.com" IN {
type master;
file "zonefile.db";
};
# Reverse zone for the node subnet of the sample zone files: 10.9.20.0/24 -> 20.9.10.in-addr.arpa
zone "20.9.10.in-addr.arpa" IN {
type master;
file "reverse.db";
};
########################################################
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
- On the DNS server, run the following commands to open the firewall port for DNS:
firewall-cmd --zone=public --add-service=dns --permanent
firewall-cmd --reload
- Restart the DNS service.
sudo systemctl restart named.service
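The consistency requirement stated in About this task (every A record must have a PTR record that names the same host, and every PTR record must point back at an A record with the same address) can be checked from the zone files themselves before the server is restarted. The following POSIX shell script is an added example; it is not part of the IBM Fusion documentation or of BIND. It assumes the one-record-per-line layout of the samples above (owner, IN, type, data) and a /24 reverse zone. The hostnames and addresses come from the page's samples, but the zone text embedded in the script is constructed, with the bootstrap A record deliberately placed in 10.0.20.0/24 while its PTR record sits in the 10.9.20.0/24 reverse zone, so the run shows what a mismatch report looks like. Wildcard records such as *.apps are skipped because a wildcard has no PTR record.

```shell
#!/bin/sh
# Cross-check a BIND forward zone against its reverse zone.
# Added example, not part of the IBM Fusion documentation or of BIND.
# Zone text below is constructed from the page's sample hostnames.

# Print "fqdn ip" for each A record in a forward zone.
# $1 = zone file text, $2 = zone origin without trailing dot
forward_pairs() {
  printf '%s\n' "$1" | awk -v origin="$2" '
    /^[[:space:]]*;/ || /^[[:space:]]*$/ { next }   # comments, blank lines
    $2 == "IN" && $3 == "A" && $1 !~ /^\*/ {         # wildcards have no PTR
      name = $1
      if (name !~ /\.$/) name = name "." origin "."  # qualify relative owner
      print name, $4
    }'
}

# Print "fqdn ip" for each PTR record in a /24 reverse zone.
# $1 = zone file text, $2 = first three octets of the network (e.g. 10.9.20)
reverse_pairs() {
  printf '%s\n' "$1" | awk -v net="$2" '
    /^[[:space:]]*;/ || /^[[:space:]]*$/ { next }
    $2 == "IN" && $3 == "PTR" { print $4, net "." $1 }'
}

# Report every A record without a matching PTR and every PTR without a
# matching A record. Prints one MISMATCH line per problem and nothing
# when the two zones agree.
# $1 forward zone text, $2 origin, $3 reverse zone text, $4 network prefix
check_zones() (
  fwd=$(forward_pairs "$1" "$2" | sort -u)
  rev=$(reverse_pairs "$3" "$4" | sort -u)
  printf '%s\n' "$fwd" | while read -r name ip; do
    [ -n "$name" ] || continue
    printf '%s\n' "$rev" | grep -qxF "$name $ip" \
      || echo "MISMATCH: A $name -> $ip has no PTR for $ip naming $name"
  done
  printf '%s\n' "$rev" | while read -r name ip; do
    [ -n "$name" ] || continue
    printf '%s\n' "$fwd" | grep -qxF "$name $ip" \
      || echo "MISMATCH: PTR $ip -> $name has no A record $name -> $ip"
  done
)

# Constructed sample zones (trimmed from the page's samples). The bootstrap
# A record deliberately points into 10.0.20.0/24 while its PTR is in the
# 10.9.20.0/24 reverse zone, so the check reports it.
SAMPLE_FORWARD='$TTL 1W
@ IN SOA ns1.isf.mycompany.com. root ( 1 3H 30M 2W 1W )
  IN NS ns1.isf.mycompany.com.
ns1 IN A 10.9.20.17
api IN A 10.9.20.127
*.apps IN A 10.9.20.128
bootstrap IN A 10.0.20.135
control-1-ru2 IN A 10.9.20.129
compute-1-ru5 IN A 10.9.20.132
servicenode-1 IN A 10.9.20.222'

SAMPLE_REVERSE='$TTL 1W
@ IN SOA ns1.isf.mycompany.com. root ( 1 3H 30M 2W 1W )
  IN NS ns1.isf.mycompany.com.
17 IN PTR ns1.isf.mycompany.com.
127 IN PTR api.isf.mycompany.com.
135 IN PTR bootstrap.isf.mycompany.com.
129 IN PTR control-1-ru2.isf.mycompany.com.
132 IN PTR compute-1-ru5.isf.mycompany.com.
222 IN PTR servicenode-1.isf.mycompany.com.'

# Example run: reports the bootstrap record from both directions.
check_zones "$SAMPLE_FORWARD" isf.mycompany.com "$SAMPLE_REVERSE" 10.9.20
```

To check the real files, pass their contents: check_zones "$(cat /var/named/zonefile.db)" isf.mycompany.com "$(cat /var/named/reverse.db)" 10.9.20. An empty report means the two zones agree. Run against the page's own samples, the report also lists ns1 and smtp, whose address 10.9.20.17 has no PTR record in the sample reverse zone, and 10.9.20.128 for *.apps is skipped as a wildcard. Before the restart step, also run named-checkconf /etc/named.conf and named-checkzone isf.mycompany.com /var/named/zonefile.db (and the same for the reverse zone) so that a syntax error in a zone file does not take the server down.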