Steps to set up the DNS server for IBM Fusion HCI System appliance.
Before you begin
Note: Ensure that the VIP address for Ingress and API are in the same subnet as machine CIDR.
About this task
Forward and reverse lookup must match to ensure that no network spoofing exists; a hostname that resolves to the wrong IP address is a security issue. IBM Fusion HCI System installation needs static IPs for its nodes, and each node has its own specific hostname. To facilitate this requirement, DHCP is set up to map each node's MAC address to an IP and hostname. In the DNS service, a similar mapping is configured between IP and hostname and vice versa.
Note: The samples in this procedure are based on Red Hat® Enterprise Linux. If you are on Microsoft® Linux®, then use equivalent commands.
Procedure
- Run the following command to suspend updates to all dynamic zones:
- Edit your forward lookup file (zonefile.db) in the /var/named/ folder:
Note: Forward lookup returns the IP address of a hostname.
Sample forward lookup file:
$TTL 1W
@ IN SOA ns1.isf.mycompany.com. root (
2021052608 ; serial
3H ; refresh (3 hours)
30M ; retry (30 minutes)
2W ; expiry (2 weeks)
1W ) ; minimum (1 week)
IN NS ns1.isf.mycompany.com.
IN MX 10 smtp.isf.mycompany.com.
;
ns1 IN A 10.9.20.17
smtp IN A 10.9.20.17
;
api IN A 10.9.20.127
;
; Ingress LB (apps)
*.apps IN A 10.9.20.128
;
bootstrap IN A 10.9.20.135
;
; Create entries for the master nodes
control-1-ru2 IN A 10.9.20.129
control-1-ru3 IN A 10.9.20.130
control-1-ru4 IN A 10.9.20.131
;
; Create entries for the worker nodes
compute-1-ru5 IN A 10.9.20.132
compute-1-ru6 IN A 10.9.20.133
compute-1-ru7 IN A 10.9.20.134
servicenode-1 IN A 10.9.20.222
;
;
;EOF
Note: The service node hostname is servicenode-<rackid>. For a single rack, the rack ID is always 1. For multiple racks, it depends on the rack ID used for the base rack.
- Edit the reverse lookup file (reverse.db) in the /var/named/ folder.
Reverse lookup returns the hostname of an IP address.
Sample reverse lookup file:
$TTL 1W
@ IN SOA ns1.isf.mycompany.com. root (
2021052608 ; serial
3H ; refresh (3 hours)
30M ; retry (30 minutes)
2W ; expiry (2 weeks)
1W ) ; minimum (1 week)
IN NS ns1.isf.mycompany.com.
; gen2003 rack
127 IN PTR api.isf.mycompany.com.
135 IN PTR bootstrap.isf.mycompany.com.
;
; syntax is "last octet" and the host must have fqdn with trailing dot
129 IN PTR control-1-ru2.isf.mycompany.com.
130 IN PTR control-1-ru3.isf.mycompany.com.
131 IN PTR control-1-ru4.isf.mycompany.com.
132 IN PTR compute-1-ru5.isf.mycompany.com.
133 IN PTR compute-1-ru6.isf.mycompany.com.
134 IN PTR compute-1-ru7.isf.mycompany.com.
222 IN PTR servicenode-1.isf.mycompany.com.
;
In this example, the IP addresses 10.9.20.127 through 10.9.20.222 point to the corresponding fully qualified domain names.
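The procedure stresses that forward and reverse lookups must agree. The following script is an added example, not part of the IBM documentation: it parses the A records of a forward zone and the PTR records of the matching /24 reverse zone and reports every name whose two mappings disagree. The zone fragments are constructed from the samples above, and ORIGIN and NETWORK are assumptions; the bootstrap record is deliberately placed in the wrong subnet so that the check has something to find.

```python
import re

ORIGIN = "isf.mycompany.com."   # zone origin, assumed to match the samples above
NETWORK = "10.9.20"             # /24 covered by the reverse zone (assumption)

# Constructed zone fragments modelled on the samples; the bootstrap A record is
# deliberately placed in the wrong subnet so the check has a mismatch to report.
FORWARD_ZONE = """\
api           IN A 10.9.20.127
*.apps        IN A 10.9.20.128
bootstrap     IN A 10.0.20.135
control-1-ru2 IN A 10.9.20.129
compute-1-ru5 IN A 10.9.20.132
servicenode-1 IN A 10.9.20.222
"""
REVERSE_ZONE = """\
127 IN PTR api.isf.mycompany.com.
135 IN PTR bootstrap.isf.mycompany.com.
129 IN PTR control-1-ru2.isf.mycompany.com.
132 IN PTR compute-1-ru5.isf.mycompany.com.
222 IN PTR servicenode-1.isf.mycompany.com.
"""

A_RE = re.compile(r"^(\S+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)", re.M)
PTR_RE = re.compile(r"^(\d+)\s+IN\s+PTR\s+(\S+)", re.M)

def parse_forward(text):
    """Map FQDN -> IP; relative owner names are qualified with ORIGIN."""
    return {(n if n.endswith(".") else f"{n}.{ORIGIN}"): ip
            for n, ip in A_RE.findall(text)}

def parse_reverse(text):
    """Map IP -> FQDN, rebuilding the full address from the last octet."""
    return {f"{NETWORK}.{octet}": fqdn for octet, fqdn in PTR_RE.findall(text)}

def check_consistency(forward, reverse):
    """Return (fqdn, reason) for every name whose A and PTR records disagree."""
    problems = []
    for fqdn, ip in forward.items():
        if fqdn.startswith("*."):
            continue  # the wildcard Ingress record has no PTR by design
        if reverse.get(ip) != fqdn:
            problems.append((fqdn, f"A {ip} but PTR is {reverse.get(ip)!r}"))
    for ip, fqdn in reverse.items():
        if forward.get(fqdn) != ip:
            problems.append((fqdn, f"PTR {ip} but A is {forward.get(fqdn)!r}"))
    return problems
```

Call check_consistency(parse_forward(FORWARD_ZONE), parse_reverse(REVERSE_ZONE)) after editing a real zone pair; an empty list means every A record has a matching PTR and vice versa.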
- Ensure that your named.conf file in the /etc folder contains details of your forward and reverse lookup files.
Sample named.conf file:
[root@provisioner named]# cat /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
.......
.......
###### Add what's between these comments ###########
zone "isf.mycompany.com" IN {
type master;
file "zonefile.db";
};
zone "20.9.10.in-addr.arpa" IN {   # reverse zone for the 10.9.20.0/24 subnet used in the samples
type master;
file "reverse.db";
};
########################################################
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
- On the DNS server, run the following commands to open the firewall port for DNS:
firewall-cmd --zone=public --add-service=dns --permanent
firewall-cmd --reload