Services/DNS

From popdata

Internal DNS

  • Internal DNS is run via Bind on champlain.popdata.bc.ca. It maintains zones providing internal (10.*.*.*) addresses for:

Zone                          | Ext. NS                                                  | Notes
popdata.bc.ca                 | WebNames.ca                                              |
lists.popdata.bc.ca           | -none-                                                   | (should be integrated with parent to match external)
chspr.ubc.ca                  | hub.ubc.ca                                               |
lists.chspr.ubc.ca            | -none-                                                   | (should be integrated with parent to match external)
earlylearning.ubc.ca          | hub.ubc.ca                                               |
help.ubc.ca                   | hub.ubc.ca                                               |
phlo.ubc.ca                   | hub.ubc.ca                                               |
snag.ubc.ca                   | hub.ubc.ca                                               |
mintha.com                    | register.com                                             |
vancouvergroup.net            | yourhostingaccount.com                                   |
cahspr.ca                     | domaincontrol.com                                        |
healthcarefunding.ca          | yourhostingaccount.com                                   |
hospitalfunding.ca            | yourhostingaccount.com                                   |
pharmaceuticalpolicy.ca       | yourhostingaccount.com                                   |
pharmapolicy.ca               | yourhostingaccount.com                                   |
politiquespharmaceutiques.ca  | yourhostingaccount.com                                   |
help.local                    | fwd=> 142.103.199.1 helpsvr1.help.ubc.ca                 | Active Directory
popdatabc.local               | fwd=> 10.80.20.20 marquette.popdata.bc.ca                |
popdata.local                 | fwd=> 10.80.20.30 gilbert.popdata.bc.ca (not marquette)  | Active Directory
soeh.local                    | fwd=> 142.103.171.10 baqs.soeh.ubc.ca                    |
10.in-addr.arpa               | reverse                                                  |

  • Note that Gilbert is master for zone popdata.local
    • So from an SRE machine, "nslookup SREfiles" gets SREfiles.popdata.local from Gilbert, which is independent from SREfiles.popdata.bc.ca

internal DNS software options

  • disable IPv6 connection attempts (even if IPv6 enabled). Reduce logs and improve performance by not attempting hopeless connections to IPv6 addresses of name-servers.
    • /etc/default/bind9 : OPTIONS="-u bind -4"
  • Logs:
    • log queries directly to file specified in /etc/bind/named.conf.local (500M / month)
    • 2014-03-20 DL: /etc/logrotate.d/bind (weekly, rotate 12, compress; delaycompress; create 64- bind adm; postrotate [typo]/sbin/rndc reconfig)
      • 2014-07-07 DL: /etc/logrotate.d/bind : owner=root; postrotate /usr/sbin/rndc reconfig
    • Old logs moved to ~dlaplante/tmp.
    • Summarize using: ~dlaplante/src/NE-scripts/dns-qrylog-summ

internal DNS software : BIND on master Champlain

  • administer via webmin at https://champlain:10000
  • start/stop: /etc/init.d/bind9 [start | stop | reload | restart | status]
  • status: /usr/sbin/rndc status (default: 8 zones)
  • Configs: /etc/bind/named.conf => include named.conf.options, named.conf.local
    • named.conf (on master Champlain) includes zones ".", "localhost", and reverse zones for 127, 0 and 255; named.conf.default-zones (only on slave Cook) has the same.
    • named.conf.local includes zones "popdata.bc.ca", "phlo.ubc.ca", "snag.ubc.ca", "chspr.ubc.ca" (probably obsolete, should investigate)
  • Zones: /etc/bind/ , /var/cache/bind
  • dns-list-zones CONF_FILE to summarize zones in CONF_FILE
  • Workflow for changing DNS configuration and/or zone data. Note that master zones go on Champlain in /etc/bind/ , and slave zones on Cook appear in /var/cache/bind/
    • Edit the configuration and/or zone data file (keep a backup of the current version).
      • Don't forget to increase the serial number of the zone file (else the zone will not propagate to the slave server).
    • If the commands below are not found, add /usr/sbin to PATH: export PATH="/usr/sbin:${PATH}"
    • named-checkconf /etc/bind/named.conf and look for error messages about syntax. Add option "-p" to output all the configuration contents with comments stripped and included files expanded.
    • named-checkzone ZONE_NAME ZONE_FILE_NAME and look for the serial number and error messages about syntax.
      EXAMPLE:
      $ /usr/sbin/named-checkzone popdata.bc.ca /etc/bind/popdata.bc.ca.hosts
      zone popdata.bc.ca/IN: loaded serial 1207768702
      OK
    • rndc status and review the 10 lines of output. rndc with no arguments prints a command summary.
    • rndc reload to reload configuration files and all zones, or rndc reload ZONE_NAME to reload just zone "ZONE_NAME".
    • rndc status again just to be sure.
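The step most often forgotten in the workflow above is the serial bump, and nothing in named-checkzone's "OK" tells you the slave will actually pick the change up. The following script is an added example, not part of this wiki page or the BIND distribution: it compares the serial of the backup against the edited file before anything is reloaded, and only then runs named-checkconf and named-checkzone where they are installed. The sample zone contents and the function names are constructed for illustration; the Champlain address is the one given on this page.

```shell
#!/bin/sh
# Added example, not from the popdata wiki: pre-flight checks for the zone-edit
# workflow above (serial bumped, config and zone parse, then reload). The
# sample zone, file names and function names are constructed for illustration.

# Print the SOA serial of a zone file. Comments (';' to end of line) are
# stripped first so a "; serial" annotation cannot be taken for data; the
# serial is the first all-digit token after the SOA keyword, which holds
# whether the record is on one line or continued inside parentheses.
zone_serial() {
    sed 's/;.*//' "$1" | awk '
        { for (i = 1; i <= NF; i++) {
              if (seen && $i ~ /^[0-9]+$/) { print $i; exit }
              if ($i == "SOA") seen = 1
          } }'
}

# Succeed only when NEW is numerically greater than OLD: a slave keeps its copy
# of a zone whose serial did not increase, so the edit silently never arrives.
serial_increased() {
    [ "$2" -gt "$1" ] 2>/dev/null
}

# Suggest the next serial in the unix-timestamp style the wiki's example serial
# (1207768702) uses: the current time, or OLD+1 if the clock is behind it.
next_serial() {
    now=$(date +%s)
    if [ "$now" -gt "$1" ]; then echo "$now"; else echo $(( $1 + 1 )); fi
}

# Pre-flight for one zone: BACKUP is the copy taken before editing, EDITED the
# new file. Serial check first; named-checkconf/named-checkzone run only where
# BIND's tools and /etc/bind/named.conf exist (they are not part of this script).
preflight() {
    zone=$1 backup=$2 edited=$3 conf=/etc/bind/named.conf
    old=$(zone_serial "$backup") new=$(zone_serial "$edited")
    if ! serial_increased "$old" "$new"; then
        echo "$zone: serial not increased ($old -> $new); try $(next_serial "$old")" >&2
        return 1
    fi
    if command -v named-checkconf >/dev/null 2>&1 && [ -r "$conf" ]; then
        named-checkconf "$conf" || return 1
    fi
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$zone" "$edited" || return 1
    fi
    echo "$zone: ok, serial $old -> $new (now: rndc reload $zone)"
}

# Constructed sample: a "before" zone file and an edited copy with the serial
# bumped. Not real popdata data; written to temp files so the script runs offline.
SAMPLE_OLD=$(mktemp) SAMPLE_NEW=$(mktemp)
trap 'rm -f "$SAMPLE_OLD" "$SAMPLE_NEW"' EXIT
cat > "$SAMPLE_OLD" <<'EOF'
$TTL 10800
@         IN SOA  champlain.popdata.bc.ca. hostmaster.popdata.bc.ca. (
                  1207768702 ; serial
                  3600 900 604800 3600 )
          IN NS   champlain.popdata.bc.ca.
champlain IN A    10.80.20.80
sre1      IN A    10.80.50.201
EOF
sed 's/1207768702/1207768703/' "$SAMPLE_OLD" > "$SAMPLE_NEW"

preflight popdata.bc.ca "$SAMPLE_OLD" "$SAMPLE_OLD" || :   # rejected: same serial
preflight popdata.bc.ca "$SAMPLE_OLD" "$SAMPLE_NEW" || :   # passes the serial check
```

In real use, call preflight with the live zone name, the backup you took before editing and the edited file in /etc/bind/, and run rndc reload only when it exits 0.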

internal DNS software : BIND on slave Cook

internal DNS software : Microsoft DNS on master Gilbert

The ".local" domains are maintained by Active Directory server Gilbert.

  • .popdata.local
  • ...

Most machines register themselves.

Dynamic DNS changes

  • Either use dnsmasq and edit file-based record override
  • or use nsupdate with BIND - http://jpmens.net/2010/09/28/performing-dynamic-dns-updates-on-your-dns/
    • Configure BIND: in named.conf (or included file) put "key" statement, and inside "Zone" statement put "allow-update" or more granular "update-policy".
    • USE: nsupdate -k {KEYFILE} -v {FILENAME}
      • -k: key generated by ddns-confgen (the key may also be specified in {FILENAME})
      • -v: use TCP
      • {FILENAME} contains commands like
        •  ; semicolon comment
        • server 10.80.20.100
        • zone popdata.bc.ca (maybe create new zone sre.popdata.bc.ca. )
        • prereq ... (some record must exist/not exist)
        • update delete {domain-name} [class] [type [data...]]
        • update add {domain-name} {ttl} [class] {type} {data...}
        • show (display current command)
        • send (or blank line: send current command)
        • answer (show answer)
    • Net::DNS::Update Perl module
    • http://www.dnspython.org/ "sudo pip install dnspython" on denis-desktop. Windows support.
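Since the SRE design below has the hostname come from user input (the project number typed at login) and the page notes that an update issued from the Windows side is "vulnerable to user action", the value should be validated before it is written into an nsupdate batch. The script below is an added example, not from this wiki or from the linked jpmens article: it checks the label and the address, then emits the command file for nsupdate -v, using a prerequisite so the server refuses the transaction when the name is in an unexpected state. The server address, zone, key name and record values are constructed; the BIND-side stanza in the comment is the key-based alternative to allow-update that the bullet above mentions.

```shell
#!/bin/sh
# Added example, not from the popdata wiki or the linked jpmens article: build the
# nsupdate command file ({FILENAME} for "nsupdate -k KEYFILE -v FILENAME") that
# re-points one A record in a single transaction, with the input checks a caller
# such as login.py should apply to a user-supplied hostname first. The server
# address, zone, key name and record values below are constructed.

# One DNS label as nsupdate will receive it: 1-63 characters, letters, digits
# and hyphens, not starting or ending with a hyphen. "99-t01" passes; a value
# containing dots, spaces or a newline (which would smuggle in a second nsupdate
# command) does not. wc -l counts newline characters, so 0 means a single line.
valid_label() {
    [ "$(printf '%s' "$1" | wc -l | tr -d ' ')" -eq 0 ] &&
        printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# Dotted-quad IPv4 with every octet in 0-255.
valid_ipv4() {
    octet='([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])'
    printf '%s' "$1" | grep -Eq "^($octet\.){3}$octet\$"
}

# Emit the command file that points HOST.ZONE at IP via SERVER. MODE "replace"
# (default) requires the name to exist already and swaps its A records in one
# transaction, so the name is never unresolvable in between; MODE "create"
# requires it to be absent, so two near-simultaneous registrations cannot both
# succeed (the server rejects the second when its prereq fails). SERVER should
# be the master (Champlain) unless slaves are configured with allow-update-forwarding.
make_a_record_update() {
    server=$1 zone=$2 host=$3 ip=$4 ttl=${5:-300} mode=${6:-replace}
    valid_label "$host" || { echo "rejected hostname" >&2; return 1; }
    valid_ipv4 "$ip"    || { echo "rejected address: $ip" >&2; return 1; }
    echo "server $server"
    echo "zone $zone"
    case $mode in
        replace) echo "prereq yxdomain $host.$zone."
                 echo "update delete $host.$zone. A" ;;
        create)  echo "prereq nxdomain $host.$zone." ;;
        *)       echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    echo "update add $host.$zone. $ttl A $ip"
    echo "send"
}

# BIND side (configuration, shown here as a comment): a TSIG key from
# ddns-confgen plus update-policy, which limits the key to A records under the
# zone. allow-update by address trusts a source IP that UDP does not authenticate,
# so prefer the key-based policy. A dynamic zone must live in a directory named
# can write to (Debian: /var/lib/bind), unlike the static zones kept in /etc/bind.
#   key "sre-ddns" { algorithm hmac-sha256; secret "<paste from ddns-confgen>"; };
#   zone "sre.popdata.bc.ca" {
#       type master;
#       file "/var/lib/bind/sre.popdata.bc.ca.hosts";
#       update-policy { grant sre-ddns subdomain sre.popdata.bc.ca. A; };
#   };
#
# Usage (constructed values): write the batch, then hand it to nsupdate over TCP:
#   make_a_record_update 10.80.20.80 sre.popdata.bc.ca 99-t01 10.80.50.201 > /tmp/99-t01.upd
#   nsupdate -k /etc/bind/sre-ddns.key -v /tmp/99-t01.upd
make_a_record_update 10.80.20.80 sre.popdata.bc.ca 99-t01 10.80.50.201
```

The prereq line is what makes the batch safe to retry: a replayed or duplicated "create" fails instead of overwriting someone else's registration, and a "replace" for a name that was already removed is rejected rather than recreating it.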

SRE dynamic DNS

See Champlain:/home/dlaplante/src/etc_bind for tentative configuration changes

  • User enters project# as hostname, e.g. 99-t01
  • 99-t01 =CNAME=> V.sregrps.popdata.bc.ca
  • Pool V.sregrps.popdata.bc.ca. has IP addresses of available SRE machines from the sets:
    • First choice: round-robin from pool of VMs hosted on storage-server (Verendrye). Round-robin reduces risk of collision between nearly simultaneous requests.
    • If first choice all used up, any VM hosted on other servers
  • When a RDC login succeeds, login.py on Windows machine (via AD GP) opens "https://pds.popdata.bc.ca/users/lastlogin/%s/%s/%s/" % (user, dstamp, computer)
  • DNS update can be by django code on Sullivan (which currently updates database), or by login.py on SRE Windows machine (vulnerable to user action).
    • There are 3 DNS pools (V, N, D), one for each KVM host (Verendrye Noyon Drake). If possible, pool V is populated with 1 or more IPs from Verendrye; otherwise from other KVM hosts.
    • Upon login delete current IP from DNS pool. If no remaining addresses on local KVM host, populate it with addresses on other hosts.
    • Upon logout (or poll), add current IP to appropriate DNS pools. E.g. if pool V had no local IPs, remove all remote IPs and add current to pool V.
  • Other groups possible: software-specific (e.g. Stat/Transfer)

DNS client configuration

Starting 2012-03(?) DNS clients behind PopData firewall (with IP 10.*.*.*) should use Cook [10.80.20.100] as first-choice resolver, and master Champlain [10.80.20.80] as second-choice.

We still need to decide whether "dnsmasq" should run on separate virtual IP address, and provide dynamic aliasing for entries like "next-available-sre" or "...rtl" , and forward the rest to "named".

resolv.conf

  • nameserver IP_ADDRESS
  • domain or search
  • options: space-separated either in resolv.conf or overridden by $RES_OPTIONS
    • timeout:N [wait for first server. Seconds, default 5]
    • attempts:N [do a second run of all servers in list]
    • rotate [instead of failover]
    • edns0 [enable DNS extensions RFC2671, basically larger response size]

Suggest:

nameserver 10.80.20.100
nameserver 10.80.20.80
search popdata.bc.ca
options timeout:1 attempts:2

External DNS

External DNS points hosts in popdata.bc.ca and phlo.ubc.ca (and chspr.ubc.ca) to addresses in the 137.82.131.0/24 range. These all end up at the popdata firewall and are then routed to the correct internal address.

PopData

popdata.bc.ca is maintained using webnames.ca's web-based administration system, available at http://www.webnames.ca/

  • login
  • choose Manage Domains and Services
  • choose popdata.bc.ca
  • choose web settings tab
  • choose Enter/modify DNS info
  • 2014-12-03 different website layout:
    • tab:DOMAINS; column:My Domains;
    • Select domain "popdata.bc.ca" (or popdatabc.ca or popdatabc.org)
    • click on "Advanced DNS"
      • at bottom Min TTL (Neg cache) can't be set below 1hr

PHLO

phlo.ubc.ca is maintained via UBC's BlueCat system. It is administered at https://mydns.ubc.ca

RedZone DNS

Internal DNS is run via Bind on mackenzie.popdata.bc.ca. It maintains zones for:

  • popdata.bc.ca
  • chspr.ubc.ca
  • pdrz.local (pointer to radisson Active Directory)
  • reverse zones for above

It can be administered via webmin at https://mackenzie:10000

DNS troubleshooting

  • Displaying / flushing cache
    • Note that Windows VMs query Gilbert for DNS, so caching occurs on Gilbert and on the VM independently. Also, on our Windows machines the default zone for shares is "popdata.local", which is independently maintained on Gilbert. So short server names (ex: "\\drake") may get a different answer in some Windows applications than in Unix, which uses default zone "popdata.bc.ca" hosted on Champlain.
      2018-04-18: for zone "popdata.local" the short entries for SREfiles, RTLfiles, SRTLfiles changed to point to servers fraser, drake, drake in zone .popdata.bc.ca ; Not changed: short server entries for drake, fidler, finlay, frobisher, gilbert, helsvr1, soehsvr1 (changing them from "A" to "CNAME" would require deleting and re-creating).
      If you change the address of a server used as a short name in Windows, check the "DNS" management app on Gilbert.
      The default TTL on PopData domains is 3 hours.
    • windows 7: ipconfig/displaydns (display cache);
      • Flush: ipconfig/flushdns (or runas /user:popdata\Administrator "ipconfig /flushdns", or "/user:popdata/dlaplante" or another member of the Administrators group)
        Response: "Attempting to start ipconfig /flushdns as user ..." . Failure messages: "The requested operation requires elevation" or "RUNAS ERROR ..."
    • MacOsX 10.10 (yosemite): sudo discoveryutil udnscachestats; sudo discoveryutil udnscachedump (then search in Console for "discovery"). For multicast cache, use ... mdns...
      • Flush: sudo discoveryutil udnsflushcaches
    • macOsX 10.8-10.9 (Mountain Lion, Mavericks):
      • Flush: sudo killall -HUP mDNSResponder (10.8 &10.9);
    • BIND: rndc dumpdb (BIG) ; rndc flush
    • Ubuntu with dnsmasq (default): sudo kill -HUP $(pgrep dnsmasq)
    • Ubuntu with plain Name Services Caching Daemon:
  • Diagnostic: ping will incidentally show how the local system translates computer names into IP addresses, but often fails to detect whether the remote computer is up; nslookup does a similar translation (bypassing the system cache), and also tells us the preferred nameserver.
    • Mac: first open a Terminal application window (in SpotLight search enter "Terminal")
      • Type in "ping -c 1 -W 1 sre1" (or other SRE machine) and press [return] key.
      • The normal output is:
        • PING sre1.popdata.bc.ca (10.80.50.201): 56 data bytes
        • --- sre1.popdata.bc.ca ping statistics ---
        • 1 packets transmitted, 0 packets received, 100.0% packet loss
      • Then type in "nslookup sre1" and press return. The normal output is:
        • Server: 10.80.20.80
        • Address: 10.80.20.80#53
        • Name: sre1.popdata.bc.ca
        • Address: 10.80.50.201
      • Where "Server" is the numeric IP address of the PopData DNS server, and "Address:" is the IP address of the SRE1 machine.
    • Windows: first open a Command window: in Start menu search box type "CMD"; for windows 8, get search box via key combination Windows-C or move mouse to lower-right corner; click on magnifying glass; type in "CMD".
      • Type in "ping -n 1 -w 1 sre1" (or other SRE machine) and press Enter.
      • Normal output is:
        • Pinging sre1.popdata.local [10.80.50.201] with 32 bytes of data:
        • Request timed out.
        • Ping statistics for 10.80.50.201:
        • Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
      • Then type in "nslookup sre1" and press return. The normal output is:
        • Server: 10.80.20.80
        • Address: 10.80.20.80
        • Name: sre1.popdata.bc.ca
        • Address: 10.80.50.201
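Because the Windows side resolves short names in Gilbert's popdata.local while Unix resolves them in Champlain's popdata.bc.ca (see the caching note above), the quickest way to confirm a "works on Windows, not on Linux" report is to ask both resolvers the same question and compare. The script below is an added example and not part of this page: it parses nslookup's text output, so the same function handles the Unix transcript and the Windows one shown above, and reports when the two servers disagree. The sample outputs are constructed in the shape of the transcripts on this page; the resolver addresses are the ones given above.

```shell
#!/bin/sh
# Added example, not from the popdata wiki: compare what two resolvers answer for
# the same short name, to catch the split described above (Gilbert's popdata.local
# vs Champlain's popdata.bc.ca). Parsing is done on nslookup's text output so the
# same check works from a Mac, Linux or Windows (via a POSIX sh) prompt. The
# sample outputs below are constructed, modelled on the transcripts on this page.

# Read nslookup output on stdin and print the answer address(es): the Address
# lines that follow the "Name:" line. The Address line before "Name:" is the
# resolver itself, and the "#53" port suffix Unix nslookup appends is dropped.
# Windows CR line endings are stripped so one parser handles both platforms.
# (Windows "Addresses:" continuation lines are not collected; first address only.)
nslookup_answer() {
    tr -d '\r' | awk '
        /^Name:/ { seen = 1 }
        seen && /^Address(es)?:/ { sub(/#.*/, "", $2); if ($2 != "") print $2 }'
}

# True when two newline-separated answer sets are identical regardless of order.
answers_match() {
    a=$(printf '%s\n' "$1" | sort) b=$(printf '%s\n' "$2" | sort)
    [ "$a" = "$b" ]
}

# Query NAME through resolver SERVER; empty output means no answer (or no nslookup).
resolve_via() {
    command -v nslookup >/dev/null 2>&1 || return 1
    nslookup "$1" "$2" 2>/dev/null | nslookup_answer
}

# Report whether the Unix-side resolver and the AD resolver agree on NAME.
# Defaults (from this page): Champlain 10.80.20.80 and Gilbert 10.80.20.30.
# Exit status 1 on disagreement, so it can drive a monitoring check.
compare_resolvers() {
    name=$1 ns1=${2:-10.80.20.80} ns2=${3:-10.80.20.30}
    a=$(resolve_via "$name" "$ns1") b=$(resolve_via "$name" "$ns2")
    if answers_match "$a" "$b"; then
        echo "same: $name -> ${a:-<no answer>}"
    else
        echo "DIFFERENT: $name -> [$ns1] ${a:-<none>} vs [$ns2] ${b:-<none>}"
        return 1
    fi
}

# Constructed samples in the shape of the transcripts above: Unix nslookup
# against Champlain, and Windows nslookup against Gilbert (CRLF line endings).
SAMPLE_UNIX='Server:    10.80.20.80
Address:   10.80.20.80#53

Name:      sre1.popdata.bc.ca
Address:   10.80.50.201'
SAMPLE_WIN=$(printf 'Server:  gilbert.popdata.local\r\nAddress:  10.80.20.30\r\n\r\nName:    sre1.popdata.local\r\nAddress:  10.80.50.201\r\n')

echo "unix answer:    $(printf '%s\n' "$SAMPLE_UNIX" | nslookup_answer)"
echo "windows answer: $(printf '%s\n' "$SAMPLE_WIN" | nslookup_answer)"
# Live use from a machine that can reach both servers:  compare_resolvers sre1
```

Run compare_resolvers for each short name that appears in the 2018-04-18 note (SREfiles, RTLfiles, SRTLfiles) after any change on Gilbert; a DIFFERENT line means the two zones have drifted again.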