Steps to set up the DNS server for IBM Storage Fusion HCI System appliance.
Before you begin
Note: Ensure that the VIP address for Ingress and API are in the same subnet as machine CIDR.
About this task
Forward and reverse lookup must match to ensure that no network spoofing exists; a hostname that resolves to the wrong IP address is a security issue. IBM Storage Fusion HCI System installation needs static IPs for its nodes, and each node has its own specific hostname. To meet this requirement, DHCP is set up to map each node's MAC address to an IP address and hostname. In the DNS service, a similar mapping is configured between IP address and hostname, and vice versa.
Note: The samples in this procedure are based on Red Hat® Enterprise Linux. If you are on Microsoft® Linux®, then use equivalent commands.
Procedure
- Run the following command to suspend updates to all dynamic zones:
- Edit your forward lookup file (zonefile.db) in the /var/named/ folder:
Note: Forward lookup returns the IP address of a hostname.
Sample forward lookup file:
$TTL 1W
@ IN SOA ns1.isf.mycompany.com. root (
2021052608 ; serial
3H ; refresh (3 hours)
30M ; retry (30 minutes)
2W ; expiry (2 weeks)
1W ) ; minimum (1 week)
; name server for the zone (a zone without an NS record fails to load)
IN NS ns1.isf.mycompany.com.
;
ns1 IN A <dns-vip-ip>
api IN A 10.44.100.143
; Ingress LB (apps)
*.apps IN A 10.44.100.144 ; <wildcard-ingress-lb-ip>
; bootstrap entry
bootstrap IN A 10.44.100.151
; Create entries for the master nodes
control-1-ru2 IN A 10.44.100.145
control-1-ru3 IN A 10.44.100.146
control-1-ru4 IN A 10.44.100.147
;
; Create entries for the worker nodes
compute-1-ru5 IN A 10.44.100.148
compute-1-ru6 IN A 10.44.100.149
compute-1-ru7 IN A 10.44.100.150
; AFM nodes
compute-1-ru23 IN A 10.44.100.156
compute-1-ru24 IN A 10.44.100.157
; GPU nodes
compute-1-ru25 IN A 10.44.100.158
compute-1-ru27 IN A 10.44.100.159
;
;EOF
- Edit the reverse lookup file (reverse.db) in the /var/named/ folder.
Note: Reverse lookup returns the hostname of an IP address.
Sample reverse lookup file:
$TTL 1W
@ IN SOA ns1.isf.mycompany.com. root (
2021052608 ; serial
3H ; refresh (3 hours)
30M ; retry (30 minutes)
2W ; expiry (2 weeks)
1W ) ; minimum (1 week)
IN NS ns1.isf.mycompany.com.
;
143 IN PTR api.isf.mycompany.com.
151 IN PTR bootstrap.isf.mycompany.com.
;
; syntax is "last octet" and the host must have fqdn with trailing dot
145 IN PTR control-1-ru2.isf.mycompany.com.
146 IN PTR control-1-ru3.isf.mycompany.com.
147 IN PTR control-1-ru4.isf.mycompany.com.
;
148 IN PTR compute-1-ru5.isf.mycompany.com.
149 IN PTR compute-1-ru6.isf.mycompany.com.
150 IN PTR compute-1-ru7.isf.mycompany.com.
156 IN PTR compute-1-ru23.isf.mycompany.com.
157 IN PTR compute-1-ru24.isf.mycompany.com.
158 IN PTR compute-1-ru25.isf.mycompany.com.
159 IN PTR compute-1-ru27.isf.mycompany.com.
;
;EOF
In this example, the IP addresses 10.44.100.143-159 point to the corresponding fully qualified domain names.
- Ensure that your named.conf file in the /etc
folder contains details of your forward and reverse lookup files.
Sample
named.conf file:
[root@provisioner named]# cat /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
.......
.......
###### Add what's between these comments ###########
zone "isf.mycompany.com" IN {
type master;
file "zonefile.db";
};
zone "100.44.10.in-addr.arpa" IN {
type master;
file "reverse.db";
};
########################################################
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
- On the DNS server, run the following commands to open the firewall port for DNS:
firewall-cmd --zone=public --add-service=dns --permanent
firewall-cmd --reload
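To verify the requirement stated under "About this task" that forward and reverse lookup agree, the following added Python example (not part of the IBM documentation) parses constructed zone fragments modelled on the files above and reports every A record without a matching PTR, every PTR that names a different host, and every PTR with no A record. The names ORIGIN, REV_PREFIX, FORWARD_DB and REVERSE_DB are assumptions made for this example.

```python
ORIGIN = "isf.mycompany.com"    # forward zone name, as in named.conf
REV_PREFIX = "10.44.100"        # first three octets of 100.44.10.in-addr.arpa

# Constructed sample zone data modelled on the page's files (not the appliance's
# real files). One PTR is deliberately wrong and one host has no PTR at all.
FORWARD_DB = """\
@ IN SOA ns1.isf.mycompany.com. root ( 2021052608 3H 30M 2W 1W )
  IN NS ns1.isf.mycompany.com.
api IN A 10.44.100.143
*.apps IN A 10.44.100.144 ; wildcard ingress entry: no PTR expected
control-1-ru2 IN A 10.44.100.145
compute-1-ru5 IN A 10.44.100.148
compute-1-ru6 IN A 10.44.100.149
"""
REVERSE_DB = """\
143 IN PTR api.isf.mycompany.com.
145 IN PTR control-1-ru2.isf.mycompany.com.
148 IN PTR compute-1-ru7.isf.mycompany.com. ; wrong host for .148
"""

def _records(zone, rtype):
    """Yield (owner, rdata) for each record of type rtype; ';' starts a comment."""
    for line in zone.splitlines():
        tokens = line.split(";", 1)[0].split()
        if len(tokens) >= 3 and tokens[0] != "@" and rtype in tokens[1:]:
            yield tokens[0], tokens[tokens.index(rtype) + 1]

def forward_map(zone, origin):
    """FQDN -> IP for every non-wildcard A record (wildcards have no PTR)."""
    return {f"{name}.{origin}.": ip for name, ip in _records(zone, "A")
            if not name.startswith("*")}

def reverse_map(zone, rev_prefix):
    """IP -> FQDN for every PTR record; the owner name is the last octet."""
    return {f"{rev_prefix}.{octet}": fqdn for octet, fqdn in _records(zone, "PTR")}

def check_consistency(forward, reverse, origin, rev_prefix):
    """Return findings; an empty list means every A has a matching PTR and back."""
    fwd, rev = forward_map(forward, origin), reverse_map(reverse, rev_prefix)
    findings = []
    for fqdn, ip in sorted(fwd.items()):
        ptr = rev.get(ip)
        if ptr is None:
            findings.append(f"{fqdn} -> {ip} has no PTR record")
        elif ptr != fqdn:
            findings.append(f"{ip} PTR is {ptr}, but forward says {fqdn}")
    findings += [f"PTR {ip} -> {ptr} has no matching A record"
                 for ip, ptr in sorted(rev.items()) if ptr not in fwd]
    return findings
```

Running check_consistency(FORWARD_DB, REVERSE_DB, ORIGIN, REV_PREFIX) on the sample data reports three findings; against your real zonefile.db and reverse.db contents the list should be empty before the installation starts.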