3 Replies Latest reply: Jan 2, 2013 9:35 AM by Jan-Marten Spit

Linux DNS server setup in VM for RAC in lab?

762942 Newbie
Hi All,

I am not a Linux admin, but I am setting up a DNS server on a VM for a lab environment, which is required for a RAC database.
I wanted to know: what is the purpose of allow-query { any; } or allow-update { none; }?



a> allow-query { any; };
b> allow-update { none; };


vi /etc/named.conf
--------------------
zone "sangramkeshari.net" IN {
    type master;
    file "sangramkeshari.net.zone";
    allow-update { none; };
};

// Configure a reverse lookup zone.
zone "56.168.192.in-addr.arpa" in {
    type master;
    file "56.168.192.in-addr.arpa.zone";
    allow-update { none; };
};
  • 1. Re: Linux DNS server setup in VM for RAC in lab?
    damorgan Oracle ACE Director
    There is no need to set up DNS for a lab implementation.

    If you want network engineering help my recommendation would be that you contact a network engineer.
  • 2. Re: Linux DNS server setup in VM for RAC in lab?
    BryanWood Explorer
    With 11g and above, SCAN listeners are required (regardless of whether you elect to use them). When running OUI, you will encounter the following errors:
    INFO: Checking Single Client Access Name (SCAN)...
    INFO: Checking name resolution setup for "racnode-cluster-scan"...
    INFO: ERROR:
    INFO: PRVF-4657 : Name resolution setup check for "racnode-cluster-scan" (IP address: 216.24.138.153) failed
    INFO: ERROR:
    INFO: PRVF-4657 : Name resolution setup check for "racnode-cluster-scan" (IP address: 192.168.1.187) failed
    INFO: ERROR:
    INFO: PRVF-4664 : Found inconsistent name resolution entries for SCAN name "racnode-cluster-scan"
    INFO: Verification of SCAN VIP and Listener setup failed
    While you could choose to "ignore" the above error, Cluster Verification Utility (cluvfy) will continue to report the error on each and every invocation. There are workarounds for that too (http://www.oracle.com/technetwork/articles/hunter-rac11gr2-iscsi-3-088680.html).

    Oracle still strongly discourages using any of the aforementioned workarounds to avoid use of DNS, and there are plenty of other reasons why having a DNS implementation for a lab is worthwhile -- even if the entirety of your lab runs from within a single laptop consisting of fewer than 4 VMs. A lab environment should mimic production as best as possible and where feasible. Then of course there is the learning aspect of being familiar with exactly how SCAN hosted from DNS versus SCAN hosted from GNS functions. Summarizing, I completely disagree with damorgan's assessment that DNS is unnecessary.

    Now onto SangramKeshariDash's original question:

    || what is the purpose of allow-query { any; }

    This parameter controls which client IP addresses are allowed to query your nameserver. Restricting who can query your nameserver is one of many basic levels of security implemented by common DNS implementations. For ISC's BIND, here is more info:

    https://www.isc.org/software/bind/documentation/arm95
    // Two corporate subnets we wish to allow queries from.
    acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
    options {
         directory "/etc/namedb";           // Working directory
         allow-query { corpnets; };
    };
    || or allow-update { none; } ?

    This parameter controls which client IP addresses (or TSIG key values) are allowed to change zone records. A common configuration for corporate networks is to allow DHCP clients to subsequently perform dynamic DNS updates using the client hostname. If your Linux laptop is named "gandalf", the DNS records for your dynamically allocated IP address would get updated such that you can simply use "gandalf.sangramkeshari.net" to identify your machine rather than trying to remember the current DHCP-assigned IP address.

    You won't necessarily need an "allow-update" statement, but you will need "allow-query"; here is a link with more details for posterity:

    http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm
    zone "fx.movie.edu" {
         type master;
         file "db.fx.movie.edu";
         allow-update { 192.253.253.100; }; // just our DHCP server
    };
    Or, preferably:
    zone "fx.movie.edu" {
         type master;
         file "db.fx.movie.edu";
         allow-update { key dhcp-server.fx.movie.edu.; }; // allow only updates
                                                         // signed by the DHCP
                                                         // server's TSIG key
    };
    Here is a complete howto on configuring DHCP dynamic DNS updates using TSIG keys:
    http://www.semicomplete.com/articles/dynamic-dns-with-dhcp/

    Feel free to post follow-up questions relating to DNS configuration, and I'd be glad to help!
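
Added example (not part of the original replies): a small Python audit that classifies the allow-query and allow-update settings discussed in reply 2. The sample configuration is constructed from the thread's snippets, the zone name tsig.fx.movie.edu is made up, and the parser assumes simple blocks with no include files, named ACL expansion or update-policy statements.

```python
import re

# Constructed named.conf text: the thread's settings reduced to the options audited here.
SAMPLE_CONF = '''
options { directory "/var/named"; allow-query { any; }; };
zone "sangramkeshari.net" IN { type master; allow-update { none; }; };
zone "56.168.192.in-addr.arpa" in { type master; };  // no allow-update statement
zone "fx.movie.edu" { type master; allow-update { 192.253.253.100; }; };
zone "tsig.fx.movie.edu" { allow-update { key dhcp-server.fx.movie.edu.; }; };  # made-up zone
'''

BODY = r'\{((?:[^{}]|\{[^{}]*\})*)\}\s*;'   # a block with at most one nested level

def strip_comments(text):
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)

def acl_elements(block, option):
    """Elements of an address match list such as allow-update, or None if absent."""
    m = re.search(re.escape(option) + r'\s*\{([^{}]*)\}', block)
    return None if m is None else [e.strip() for e in m.group(1).split(';') if e.strip()]

def classify_update(elements):
    if elements is None or elements == ['none']:
        return 'static'    # BIND refuses dynamic updates when the option is absent
    if 'any' in elements:
        return 'open'
    if all(e.startswith('key ') for e in elements):
        return 'tsig'      # every element requires a TSIG-signed update
    return 'address'       # at least one element trusts a source IP address

def audit(conf):
    conf = strip_comments(conf)
    opts = re.search(r'\boptions\s*' + BODY, conf)
    zones = {m.group(1): classify_update(acl_elements(m.group(2), 'allow-update'))
             for m in re.finditer(r'\bzone\s+"([^"]+)"[^{]*' + BODY, conf)}
    return {'allow-query': acl_elements(opts.group(1), 'allow-query') if opts else None,
            'zones': zones}

def findings(report):
    out = [f'{z}: allow-update mode is "{mode}"; prefer a TSIG key or none'
           for z, mode in report['zones'].items() if mode in ('open', 'address')]
    if 'any' in (report['allow-query'] or []):
        out.append('options: allow-query answers any client that can reach the server')
    return out

if __name__ == '__main__':
    print(audit(SAMPLE_CONF), *findings(audit(SAMPLE_CONF)), sep='\n')
```

An address-based allow-update authenticates nothing beyond the source IP of the update packet, which is why the key-based form is the one to prefer when dynamic updates are needed.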
  • 3. Re: Linux DNS server setup in VM for RAC in lab?
    Jan-Marten Spit Explorer
    "There is no need to set up DNS for a lab implementation."

    Yes there is. In fact, I see no need to not use a DNS.

    Without a DNS (GNS) server, you cannot round-robin the SCAN addresses. That does affect the high in high availability tests. Not to mention that cluvfy will see the misconfiguration. Who knows what script may fail because of it in the future.

    Besides, setting up a DNS server is a piece of cake, and pretty instructive if you are new to it. If you use a DNS server+proxy like pdnsd, you can use it as a local proxy for a remote DNS (like your ISP's), and save yourself some lengthier roundtrips. Works like a charm.
