Labeled NFS/Demo/Manual/DNS

From SELinux Wiki
Revision as of 13:13, 11 December 2008 by CraigGrube (Talk | contribs)


Setting Up DNS for testing

This is a brief HOWTO on setting up the BIND DNS server for the example domains used throughout this tutorial.

One of the prerequisites for Kerberos and LDAP is that important machines must have matching forward and reverse DNS names. This means that you cannot simply assign an alias (i.e. a CNAME) to an existing machine and have it work.

The host command can help you determine if forward and reverse DNS match (see test after setup).

First, install the BIND nameserver:

# yum install bind bind-utils

named configuration

This example configuration file uses the private network, with being the DNS/Kerberos/LDAP/NFSv4 server.

Add two zones to /etc/named.conf; one for forward and one for reverse.

zone "" IN {
  type master;
  file "";
};
// reverse map for class C
zone "201.168.192.IN-ADDR.ARPA" IN {
  type master;
  file "192.168.201.rev";
};

The default configuration file will only listen on the localhost address. You will need to set the listen-on and allow-query addresses in the options section so that named can respond to queries on the local network.

options {
   // ...
   listen-on port 53 {;; };
   allow-query {;; };
};


Forward zone

Create /var/named/

@               IN      SOA (
                                200806256       ; Serial
                                1H      ; Refresh
                                300     ; Retry
                                2D      ; Expire
                                12H)     ; Minimum TTL
localhost     A

; address of machine acting as DNS server
dns           A

; one machine for all three services. A record for machine, CNAMEs for services.
; NOTE: use sefos in all kerberos/nfs/ldap configuration files!
sefos         A
kerberos      CNAME   sefos
nfs           CNAME   sefos
ldap          CNAME   sefos

seclient      A
client2       A
client3       A

Reverse DNS

Create /var/named/192.168.201.rev:

@               IN      SOA (
                                200806201       ; Serial
                                1H      ; Refresh
                                300     ; Retry
                                2D      ; Expire
                                12H)     ; Minimum TTL
13      IN PTR

50      IN PTR
51      IN PTR
52      IN PTR

Start named

In targeted mode:

service named start

In MLS mode:

run_init service named start

Configure Local Name Resolution

Add the new name server to /etc/resolv.conf, above any other nameserver entries, together with a search domain so that short names resolve. This step will also have to be performed on any clients (unless they are DHCP clients and your DHCP server is configured to hand out the new name server).

# search domain, so short names can be used
#(e.g. 'sefos' instead of

# new nameserver

# old nameserver, as a fallback

Test forward and reverse DNS

# host sefos has address
# host domain name pointer
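The forward/reverse check that the host commands above perform by hand, as an added example that is not part of the original wiki page: it parses simplified forward and reverse zone data, reports every A record whose address has no PTR or whose PTR names a different host, and follows CNAME aliases such as kerberos back to the real host name that the Kerberos/NFS/LDAP configuration files must use. The zone data is constructed and the domain example.test is an assumption; the page does not give the real domain.

```python
import ipaddress
# Constructed sample zones in simplified master-file syntax; example.test is an assumed domain.
FORWARD_ZONE = """\
$ORIGIN example.test.
sefos     IN A     192.168.201.13
kerberos  IN CNAME sefos
seclient  IN A     192.168.201.50
client2   IN A     192.168.201.51
"""
REVERSE_ZONE = """\
$ORIGIN 201.168.192.in-addr.arpa.
13 IN PTR sefos.example.test.
50 IN PTR clientx.example.test.
"""

def qualify(name, origin):
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (owner, rrtype, rdata) tuples; CNAME and PTR targets are qualified."""
    origin, records = "", []
    for line in text.splitlines():
        parts = line.split(";")[0].split()          # drop comments and blank lines
        if parts and parts[0] == "$ORIGIN":
            origin = parts[1]
        elif parts:
            owner, rrtype, rdata = parts[0], parts[2], parts[3]
            if rrtype in ("CNAME", "PTR"):
                rdata = qualify(rdata, origin)
            records.append((qualify(owner, origin), rrtype, rdata))
    return records

def canonical(records, name):
    """Follow CNAME aliases (bounded, so a loop cannot hang) to the host name Kerberos must use."""
    cnames = {o: r for o, t, r in records if t == "CNAME"}
    for _ in range(8):
        name = cnames.get(name, name)
    return name

def check_forward_reverse(forward_text, reverse_text):
    """List A records whose address has no PTR or a PTR naming another host; [] means agreement."""
    ptr = {o: r for o, t, r in parse_zone(reverse_text) if t == "PTR"}
    problems = []
    for owner, _, addr in (r for r in parse_zone(forward_text) if r[1] == "A"):
        rev = ipaddress.ip_address(addr).reverse_pointer + "."   # e.g. 13.201.168.192.in-addr.arpa.
        if rev not in ptr:
            problems.append(f"{owner} -> {addr}: no PTR record")
        elif ptr[rev] != owner:
            problems.append(f"{owner} -> {addr}: PTR says {ptr[rev]}")
    return sorted(problems)
```

Run it against the real zone files before configuring Kerberos; any line it prints is a host that Kerberos or LDAP will fail to authenticate until the PTR record is corrected.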

Turn on named at boot

chkconfig named on


The following line should be added to /etc/sysconfig/iptables before the INPUT REJECT rule to allow UDP queries to port 53:

-A INPUT -m udp -p udp --dport 53 -j ACCEPT

Then iptables should be restarted:

# service iptables restart