Setting up DNS

Steps to set up the DNS server for IBM Fusion HCI System appliance.

Before you begin

Note: Ensure that the VIP address for Ingress and API are in the same subnet as machine CIDR.

About this task

Forward and reverse lookups must match so that no network spoofing exists; a hostname that resolves to the wrong IP address is a security issue. The IBM Fusion HCI System installation needs static IPs for its nodes, and each node has its own specific hostname. To meet this requirement, DHCP is set up to map each node's MAC address to an IP address and hostname. In the DNS service, the same mapping is configured between IP address and hostname, and vice versa.
Note: The samples in this procedure are based on Red Hat® Enterprise Linux. If you are on Microsoft® Linux®, then use equivalent commands.

Procedure

  1. Run the following command to suspend updates to all dynamic zones:
    rndc freeze
  2. Edit your forward lookup file (zonefile.db) in the /var/named/ folder:
    Note: Forward lookup returns the IP address of a hostname.
    Sample forward lookup file:
    
    $TTL 1W
    @	IN	SOA	ns1.isf.mycompany.com.	root (
    			2021052608	; serial
    			3H		; refresh (3 hours)
    			30M		; retry (30 minutes)
    			2W		; expiry (2 weeks)
    			1W )		; minimum (1 week)
    	IN	NS	ns1.isf.mycompany.com.
    	IN	MX 10	smtp.isf.mycompany.com.
    ;
    ns1	    IN	A	10.9.20.17
    smtp	IN	A	10.9.20.17
    ;
    api		    IN	A	10.9.20.127
    ;
    ; Ingress LB (apps)
    *.apps		IN	A	10.9.20.128
    ;
    bootstrap   IN  A   10.9.20.135
    ;
    ; Create entries for the master nodes
    control-1-ru2	IN	A	10.9.20.129
    control-1-ru3	IN	A	10.9.20.130
    control-1-ru4	IN	A	10.9.20.131
    ;
    ; Create entries for the worker nodes
    compute-1-ru5	IN	A	10.9.20.132
    compute-1-ru6	IN	A	10.9.20.133
    compute-1-ru7	IN	A	10.9.20.134
    servicenode-1	IN	A	10.9.20.222
    ;
    ;
    ;EOF
    Note: The service node hostname has the form servicenode-<rackid>. For a single rack, rackid is always 1; for multiple racks, it depends on the rackid that is used for the base rack.
  3. Edit the reverse lookup file (reverse.db) in the /var/named/ folder.

    Reverse look up returns the hostname of an IP address.

    Sample reverse lookup file:

    
    $TTL 1W
    @	IN	SOA	ns1.isf.mycompany.com.	root (
    			2021052608	; serial
    			3H		; refresh (3 hours)
    			30M		; retry (30 minutes)
    			2W		; expiry (2 weeks)
    			1W )	; minimum (1 week)
    	IN	NS	ns1.isf.mycompany.com.
    ; gen2003 rack
    127	IN	PTR	api.isf.mycompany.com.
    135	IN	PTR	bootstrap.isf.mycompany.com.
    ;
    ; syntax is "last octet" and the host must have fqdn with trailing dot
    129	IN	PTR	control-1-ru2.isf.mycompany.com.
    130	IN	PTR	control-1-ru3.isf.mycompany.com.
    131	IN	PTR	control-1-ru4.isf.mycompany.com.
    132	IN	PTR	compute-1-ru5.isf.mycompany.com.
    133	IN	PTR	compute-1-ru6.isf.mycompany.com.
    134	IN	PTR	compute-1-ru7.isf.mycompany.com.
    222	IN	PTR	servicenode-1.isf.mycompany.com.
    ;

    In this example, the IP addresses 10.9.20.127-222 point to the corresponding fully qualified domain names.

  4. Ensure that your named.conf file in the /etc folder contains details of your forward and reverse lookup files.
    Sample named.conf file:
    [root@provisioner named]# cat /etc/named.conf
    
    options {
    	listen-on port 53 { any; };
    	listen-on-v6 port 53 { ::1; };
    	directory 	"/var/named";
    	dump-file 	"/var/named/data/cache_dump.db";
    	statistics-file "/var/named/data/named_stats.txt";
    	memstatistics-file "/var/named/data/named_mem_stats.txt";
    	allow-query     { any; };
        .......
        .......
    ###### Add what's between these comments ###########
    zone "isf.mycompany.com" IN {
    	type	master;
    	file	"zonefile.db";
    };
    # reverse zone for 10.9.20.0/24: the octets of the network are written in reverse order
    zone "20.9.10.in-addr.arpa" IN {
    	type	master;
    	file	"reverse.db";
    };
    ########################################################
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
  5. On the DNS server, run the following commands to open the firewall port for DNS:
    firewall-cmd --zone=public --add-service=dns --permanent
    firewall-cmd --reload
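The following script is an added example and is not part of the IBM Fusion documentation. It parses zone data in the format of the samples above and reports every A record whose PTR does not round-trip and every PTR that has no A record, which is the forward/reverse consistency that the About this task section requires. The zone excerpts, the origin isf.mycompany.com. and the reverse network 10.9.20.0/24 are constructed for the example; run it against copies of your own zonefile.db and reverse.db.

```python
import ipaddress
import re
ORIGIN = "isf.mycompany.com."                       # forward zone origin (assumed)
REVERSE_NET = ipaddress.ip_network("10.9.20.0/24")  # zone 20.9.10.in-addr.arpa (assumed)

# Constructed excerpts in the format of the samples above. The bootstrap A record
# and the 140 PTR are deliberately wrong so the check has something to report.
FORWARD_SAMPLE = """\
api           IN A 10.9.20.127
*.apps        IN A 10.9.20.128   ; wildcard, no PTR expected
bootstrap     IN A 10.0.20.135   ; wrong subnet
control-1-ru2 IN A 10.9.20.129
servicenode-1 IN A 10.9.20.222
"""
REVERSE_SAMPLE = """\
127 IN PTR api.isf.mycompany.com.
135 IN PTR bootstrap.isf.mycompany.com.
129 IN PTR control-1-ru2.isf.mycompany.com.
222 IN PTR servicenode-1.isf.mycompany.com.
140 IN PTR compute-1-ru9.isf.mycompany.com.   ; stale PTR with no A record
"""
# owner [ttl] [IN] type rdata
RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|PTR)\s+(\S+)", re.I)

def parse_records(text, rtype):
    """Map owner -> rdata for records of one type; comments and blanks are ignored."""
    out = {}
    for line in text.splitlines():
        m = RR.match(line.split(";", 1)[0].strip())
        if m and m.group(2).upper() == rtype:
            out[m.group(1)] = m.group(3)
    return out

def check_zones(forward_text, reverse_text):
    """Return [(name, problem)] for every A/PTR pair that does not round-trip."""
    a_records = parse_records(forward_text, "A")
    ptr_records = parse_records(reverse_text, "PTR")
    problems = []
    for name, ip in a_records.items():
        if name.startswith("*"):          # wildcard records have no reverse entry
            continue
        in_net = ipaddress.ip_address(ip) in REVERSE_NET
        ptr = ptr_records.get(ip.rsplit(".", 1)[1]) if in_net else None
        if ptr != f"{name}.{ORIGIN}":
            problems.append((name, f"PTR for {ip} is {ptr}"))
    known = {f"{n}.{ORIGIN}" for n in a_records}
    for octet, target in ptr_records.items():
        if target not in known:
            problems.append((target, f"PTR {octet} has no matching A record"))
    return problems
```

Calling check_zones(FORWARD_SAMPLE, REVERSE_SAMPLE) reports the bootstrap address outside the reverse network and the stale PTR for octet 140; an empty list means every node resolves the same way in both directions.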