Archives des DNS - CoffeeBreak Info

MODOP – Grafana/Promotheus pour DNS Primaire et Secondaire

chris — Tue, 20 Jul 2021 13:26:38 +0000

La machine sera une Fedora 33 Server en installation minimale

1°) Prérequis

MODOP – Configurer un DNS Primaire et Secondaire – Centos7

Serveur DNS et Secondaire
dns-pri.house.cpb => IP : 172.16.185.1
dns-sec.house.cpb => IP : 172.16.185.2

Inscription de la machine cliente grafana04 sur les DNS P et S

2°) Spécification machine

Machine Grafana04
IP : 192.168.1.6 (vSwitch vmbr0)
Host : grafanad.house.cpb
IP : 172.16.185.23 (vSwitch vmbr1)
Disque 1 – Système 10Go
RAM 2G

3°) Installation de Middleware

[root@grafana04 ~]# dnf -y update
[root@grafana04 ~]# dnf -y install nmap net-tools wget

4°) Suppression du selinux

[root@grafana04 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@grafana04 ~]# reboot

5°) Désactivation IPv6

[root@grafana04 ~]# vi /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.default.autoconf = 0

[root@grafana04 ~]# sysctl -p

6°) Installation Promotheus

Création User Promotheus

[root@grafana04 chris]# useradd --no-create-home --shell /bin/false prometheus

Récupération de promotheus

[root@grafana04 ~]# cd /tmp
[root@grafana04 tmp]# wget https://github.com/prometheus/prometheus/releases/download/v2.8.1/prometheus-2.8.1.linux-amd64.tar.gz
[root@grafana04 tmp]# tar xzvf prometheus-2.8.1.linux-amd64.tar.gz
[root@grafana04 tmp]# mv prometheus-2.8.1.linux-amd64 prometheuspackage

Création structure Promotheus

[root@grafana04 tmp]# mkdir /etc/prometheus
[root@grafana04 tmp]# mkdir /var/lib/prometheus
[root@grafana04 tmp]# chown prometheus:prometheus /etc/prometheus
[root@grafana04 tmp]# chown prometheus:prometheus /var/lib/prometheus

Copier les binaires sur la structure Promotheus

[root@grafana04 tmp]# cp prometheuspackage/prometheus /usr/local/bin/
[root@grafana04 tmp]# cp prometheuspackage/promtool /usr/local/bin/
[root@grafana04 tmp]# chown prometheus:prometheus /usr/local/bin/prometheus
[root@grafana04 tmp]# chown prometheus:prometheus /usr/local/bin/promtool

Copier les fichiers conf sur la structure Promotheus

[root@grafana04 tmp]# cp -r prometheuspackage/consoles /etc/prometheus
[root@grafana04 tmp]# cp -r prometheuspackage/console_libraries /etc/prometheus
[root@grafana04 tmp]# chown -R prometheus:prometheus /etc/prometheus/consoles
[root@grafana04 tmp]# chown -R prometheus:prometheus /etc/prometheus/console_libraries

Création du service Promotheus

[root@grafana04 tmp]# vi /etc/systemd/system/prometheus.service

[Unit]
Description=Prometheus
Wants=network-online.target
After=network-online.target

[Service]
User=prometheus
Group=prometheus 
Type=simple
ExecStart=/usr/local/bin/prometheus \
--config.file /etc/prometheus/prometheus.yml \
--storage.tsdb.path /var/lib/prometheus/ \
--web.console.templates=/etc/prometheus/consoles \
--web.console.libraries=/etc/prometheus/console_libraries

[Install]
WantedBy=multi-user.target

Configurer Promotheus

[root@grafana04 tmp]# vi /etc/prometheus/prometheus.yml

global:
 scrape_interval: 10s
scrape_configs:
 - job_name: dns
 scrape_interval: 5s
 static_configs:
 - targets: ['dns-pri.house.cpb:9153']
 - targets: ['dns-sec.house.cpb:9153']

Démarrage du service Promotheus

[root@grafana04 tmp]# systemctl daemon-reload
[root@grafana04 tmp]# systemctl start prometheus && systemctl enable prometheus
[root@grafana04 tmp]# systemctl status prometheus

Régle de Firewall – Promotheus /Exporter

[root@grafana04 ~]# firewall-cmd --zone=public --add-port={9090,9153}/tcp --permanent
[root@grafana04 ~]# firewall-cmd  --reload

http://grafana.house.cpb:9090

7°) Installation Grafana

[root@grafana04 ~]# vi /etc/yum.repos.d/grafana.repo

[grafana]
name=grafana
baseurl=https://packages.grafana.com/oss/rpm
repo_gpgcheck=1
enabled=1
gpgcheck=1
gpgkey=https://packages.grafana.com/gpg.key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt

[root@grafana04 ~]# dnf update
[root@grafana04 ~]# dnf install grafana

Installation de font du Supplémentaire

[root@grafana04 ~]# dnf install fontconfig freetype* urw-fonts

Activer Grafana

[root@grafana04 ~]# systemctl start grafana-server && systemctl enable grafana-server [root@grafana04 ~]# systemctl status grafana-server

Régle de Firewall – grafana

[root@grafana04 ~]# firewall-cmd --zone=public --add-port=3000/tcp --permanent
[root@grafana04 ~]# firewall-cmd --reload

http://grafanad.house.cpb:3000

8°) Installer l’exporter BIND sur les 2 DNS P et S

Installation de GO

[root@dns-pri tmp]# yum update -y
[root@dns-pri tmp]# yum groupinstall 'Development Tools'
[root@dns-pri tmp]# cd /tmp;wget https://golang.org/dl/go1.15.3.linux-amd64.tar.gz
[root@dns-pri tmp]# tar -zxvf go1.15.3.linux-amd64.tar.gz -C /usr/local

[root@dns-pri tmp]# echo 'export GOROOT=/usr/local/go' | sudo tee -a /etc/profile
export GOROOT=/usr/local/go
[root@dns-pri tmp]#echo 'export PATH=$PATH:/usr/local/go/bin' | sudo tee -a /etc/profile
export PATH=$PATH:/usr/local/go/bin
[root@dns-pri tmp]# source /etc/profile

[root@dns-pri tmp]# go version
go version go1.15.3 linux/amd64

Compilation et Installation de BIND exporter

[root@dns-pri tmp]# https://github.com/prometheus-community/bind_exporter.git
[root@dns-pri tmp]# cd bind_exporter/
make
[root@dns-pri bind_exporter]# mv bind_exporter /usr/local/bin

Création Group/User privilège

[root@dns-pri tmp]# groupadd --system prometheus
[root@dns-pri tmp]# useradd -s /sbin/nologin --system -g prometheus prometheus

Création du service exporter_Bind

[root@dns-pri tmp]# vi /etc/systemd/system/bind_exporter.service

[Unit]
Description=Prometheus
Documentation=https://github.com/digitalocean/bind_exporter
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=prometheus
Group=prometheus
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/local/bin/bind_exporter \
 --bind.pid-file=/var/run/named/named.pid \
 --bind.timeout=20s \
 --web.listen-address=0.0.0.0:9153 \
 --web.telemetry-path=/metrics \
 --bind.stats-url=http://localhost:8053/ \
 --bind.stats-groups=server,view,tasks
SyslogIdentifier=prometheus
Restart=always

[Install]
WantedBy=multi-user.target

[root@dns-pri tmp]# systemctl enable bind_exporter.service
[root@dns-pri tmp]# systemctl start bind_exporter.service
[root@dns-pri tmp]# systemctl status bind_exporter.service

Régle de Firewall – exporter

[root@dns-pri tmp]# firewall-cmd --zone=public --add-port=9153/tcp --permanent
[root@dns-pri tmp]# firewall-cmd --reload

9°) Configurer Service BIND pour l’exporter

[root@dns-pri etc]# vi /etc/named.conf

Ajouter

statistics-channels {
 inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};

[root@dns-pri etc]# systemctl reload named

10°) Configurer Prometheus et Grafana

http://grafanad.house.cpb:3000/

« Ajouter DATA source »

« Choisir la source »

« Inscrire l’adresse du serveur Promotheus »

Ajouter un Dasboard

« Import »

« Ajouter l’ID souhaité » puis « Load »

« Import »

« Arrivée des métriques »

11°) Ajouter le DNS Secondaire sur le DashBoard

Création Group/User privilège (Service)

[root@dns-sec ~]# groupadd --system prometheus
[root@dns-sec ~]# useradd -s /sbin/nologin --system -g prometheus prometheus

Copier l’exporter sur le DNS Secondaire

[root@dns-sec ~]# scp /usr/local/bin/bind_exporter root@dns-sec:/usr/local/bin/bind_exporter

Copier le service exporter Bind

[root@dns-sec bind_exporter]# scp/etc/systemd/system/bind_exporter.service root@dns-sec:/etc/systemd/system/bind_exporter.service

Activer les statistiques dans Bind

[root@dns-sec ~]# vi /etc/named.conf

Ajouter

statistics-channels {
 inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};

Lancer le service exporter

[root@dns-sec ~]# systemctl enable bind_exporter.service
[root@dns-sec ~]# systemctl start bind_exporter.service
[root@dns-sec ~]# systemctl status bind_exporter.service

Régle de Firewall – exporter sur le DNS Secondaire

[root@dns-pri tmp]# firewall-cmd --zone=public --add-port=9153/tcp --permanent
[root@dns-pri tmp]# firewall-cmd --reload

On récupère bien les deux DNS sur le Dasboard Grafana

L’article MODOP – Grafana/Promotheus pour DNS Primaire et Secondaire est apparu en premier sur CoffeeBreak Info.

MODOP – Configurer un DNS Primaire et Secondaire – Centos7

chris — Sat, 05 Jun 2021 17:09:30 +0000

Les deux machines DNS seront des machines Centos7

Elles vont répondre à toutes les requêtes envoyées par les VM du réseau VM et privé pour identifier
Les machines par leurs noms machines.

Spécification des machines
Le Pool « Server_DNS » va être composé de deux machines virtuelles

dns-pri.house.cpb => 172.16.185.1
- 2vCPU, 2G RAM, 32Go Disk
dns-pri.house.cpb => 172.16.185.2
- 2vCPU, 2G RAM, 32Go Disk

Désactiver SeLinux (sur les 2 machines)

[ @dns-pri ~]$ vi /etc/sysconfig/selinux
SELINUX=disabled

Reboot Machine.

Désactiver IPv6 (sur les 2 machines)

[chris@dns-pri ~]$ vi /etc/sysctl.d/disableipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1

Installation des paquets utiles (sur les 2 machines)

[root@dns-pri chris]# yum update && yum upgrade
[root@dns-pri chris]# yum install qemu-guest-agent
[root@dns-pri chris]# yum install htop nmap net-tools

Installer le serveur BIND (sur les 2 machines)

[root@dns-pri chris]# yum install -y bind bind-utils

1°) Mise en place Serveur Primaire (dns-pri.house.cpb)

Configuration du serveur Primaire (dns-pri.house.cpb)

[root@dns-pri chris]# cp /etc/named.conf{,-old}

[root@dns-pri chris]# vi /etc/named.conf
options {
listen-on port 53 { 127.0.0.1; 172.16.185.1 ; };
 #listen-on-v6 port 53 { ::1; };
 directory "/var/named";
 dump-file "/var/named/data/cache_dump.db";
 statistics-file "/var/named/data/named_stats.txt";
 memstatistics-file "/var/named/data/named_mem_stats.txt";
 recursing-file "/var/named/data/named.recursing";
 secroots-file "/var/named/data/named.secroots";
 allow-query { localhost; 172.16.185.0/24;};
 allow-transfer { localhost; 172.16.185.2; };

recursion yes;

dnssec-enable yes;
 dnssec-validation yes;

/* Path to ISC DLV key */
 bindkeys-file "/etc/named.root.key";
 managed-keys-directory "/var/named/dynamic";
 pid-file "/run/named/named.pid";
 session-keyfile "/run/named/session.key";
};

logging {
 channel default_debug {
 file "data/named.run";
 severity dynamic;
 };
};

zone "." IN {
 type hint;
 file "named.ca";
};

zone "house.cpb" IN {
 type master;
 file "forward.house.cpb";
 allow-update { none; };
};

zone "185.16.172.in-addr.arpa" IN {
 type master;
 file "reverse.house.cpb";
 allow-update { none; };
};

Création du fichier de Zone « forward.house.cpb » (dns-pri.house.cpb)

[root@dns-pri chris]# vi /var/named/forward.house.cpb
$TTL 86400
@ IN SOA dns-pri.house.cpb. root.house.cpb. (
 2021040601 ;Serial
 3600 ;Refresh
 1800 ;Retry
 604800 ;Expire
 86400 ;Minimum TTL
)
@ IN NS dns-pri.house.cpb.
@ IN NS dns-sec.house.cpb.
@ IN A 172.16.185.1
@ IN A 172.16.185.2
; Machine Serveur DNS
dns-pri IN A 172.16.185.1
dns-sec IN A 172.16.185.2

Création du fichier de Zone « reverse.house.cpb » (dns-pri.house.cpb)

[root@dns-pri chris]# vi /var/named/reverse.house.cpb
$TTL 86400
@ IN SOA dns-pri.house.cpb. root.house.cpb. (
 2021070601 ;Serial
 3600 ;Refresh
 1800 ;Retry
 604800 ;Expire
 86400 ;Minimum TTL
)
@ IN NS dns-pri.house.cpb.
@ IN NS dns-sec.house.cpb.
dns-pri IN A 172.16.185.1
dns-sec IN A 172.16.185.2
1 IN PTR dns-pri.house.cpb.
2 IN PTR dns-sec.house.cpb.

Ajustement des droits (dns-pri.house.cpb)

[root@dns-pri named]# chmod 640 /var/named/reverse.house.cpb /var/named/forward.house.cpb
[root@dns-pri named]# chown root.named /var/named/reverse.house.cpb /var/named/forward.house.cpb

Test des Configurations (dns-pri.house.cpb)

[root@dns-pri named]# named-checkconf /etc/named.conf
[root@dns-pri named]# named-checkzone house.cpb forward.house.cpb
zone house.cpb/IN: loaded serial 2021040601
OK
[root@dns-pri named]# named-checkzone house.cpb reverse.house.cpb
zone house.cpb/IN: loaded serial 2021070601
OK

Démarrage du DNS (dns-pri.house.cpb)

[root@dns-pri named]# systemctl start named
[root@dns-pri named]# systemctl enable named

Configuration du resolver.conf (dns-pri.house.cpb)

[root@dns-pri named]# vi /etc/resolv.conf
search house.cpb
#nameserver 192.168.1.1
nameserver 172.16.185.1
nameserver 172.16.185.2

Test de la résolution du domaine « house.cpb » (dns-pri.house.cpb)

[root@dns-pri named]# nslookup house.cpb
Server: 172.16.185.1
Address: 172.16.185.1#53

Name: house.cpb
Address: 172.16.185.2
Name: house.cpb
Address: 172.16.185.1

[root@dns-pri named]# dig house.cpb
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.4 <<>> house.cpb
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1610
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;house.cpb. IN A

;; ANSWER SECTION:
house.cpb. 86400 IN A 172.16.185.1
house.cpb. 86400 IN A 172.16.185.2

;; AUTHORITY SECTION:
house.cpb. 86400 IN NS dns-pri.house.cpb.
house.cpb. 86400 IN NS dns-sec.house.cpb.

;; ADDITIONAL SECTION:
dns-pri.house.cpb. 86400 IN A 172.16.185.1
dns-sec.house.cpb. 86400 IN A 172.16.185.2

;; Query time: 0 msec
;; SERVER: 172.16.185.1#53(172.16.185.1)
;; WHEN: Tue Apr 06 19:35:27 CEST 2021
;; MSG SIZE rcvd: 146

Ouverture des Rules dans le firewall (dns-pri.house.cpb)

[root@dns-pri named]# firewall-cmd --zone=public --add-port=53/tcp --permanent
[root@dns-pri named]# firewall-cmd --zone=public --add-port=53/udp --permanent
[root@dns-pri named]# firewall-cmd --reload
[root@dns-pri named]# firewall-cmd --list-ports
53/tcp 53/udp

2°)Mise en place Serveur secondaire (dns-sec.house.cpb)

Configuration du serveur Secondaire (dns-sec.house.cpb)

[root@dns-sec cp219538]# cp /etc/named.conf{,-old}

[root@dns-sec cp219538]# vi /etc/named.conf
 
options {
        listen-on port 53 { 127.0.0.1;172.16.185.2; };
        #listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost;172.16.185.0/24; };
 
        recursion yes;
 
        dnssec-enable yes;
        dnssec-validation yes;
 
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";
 
        managed-keys-directory "/var/named/dynamic";
 
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
 
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
 
zone "." IN {
        type hint;
        file "named.ca";
};
 
zone "house.cpb" IN {
    type slave;
    file "slaves/forward.house.cpb";
    masters { 172.16.185.1; };
};
 
zone "185.16.172.in-addr.arpa" IN {
    type slave;
    file "slaves/reverse.house.cpb";
    masters { 172.16.185.1; };
};

Lancement serveur Secondaire (dns-sec.house.cpb)

[root@dns-sec cp219538]# systemctl start named
[root@dns-sec cp219538]# systemctl enable named

Ouverture des Rules dans le firewall (dns-sec.house.cpb)

[root@dns-sec named]# firewall-cmd --zone=public --add-port=53/tcp --permanent
[root@dns-sec named]# firewall-cmd --zone=public --add-port=53/udp --permanent
[root@dns-sec named]# firewall-cmd --reload
[root@dns-sec named]# firewall-cmd --list-ports
53/tcp 53/udp

Vérifions la réplication du serveur Primaire vers le secondaire

[root@dns-sec cp219538]# ls /var/named/slaves/
forward.house.cpb  reverse.house.cpb

Configuration du resolver.conf (dns-sec.house.cpb)

[root@dns-sec named]# vi /etc/resolv.conf
search house.cpb
#nameserver 192.168.1.1
nameserver 172.16.185.1
nameserver 172.16.185.2

3°) Ajouter des machines dans le DNS et propagation au DNS secondaire

Editer le fichier « forward.house.cpb »

[root@dns-pri chris]# vi /var/named/forward.house.cpb

On ajoute les machines suivantes et on augmente le numéro de série + 1 dans la Zone SOA

$TTL 86400
@ IN SOA dns-pri.house.cpb. root.house.cpb. (
2021051905 ;Serial
 3600 ;Refresh
 1800 ;Retry
 604800 ;Expire
 86400 ;Minimum TTL
)
@ IN NS dns-pri.house.cpb.
@ IN NS dns-sec.house.cpb.
@ IN A 172.16.185.1
@ IN A 172.16.185.2

; Serveur LAN VM - Mysql PERCONA
node01-sql IN A 172.16.185.9
node02-sql IN A 172.16.185.10
node03-sql IN A 172.16.185.11
node04-sql IN A 172.16.185.12

; Serveur LAN VM - Web Cluster
;Cluster NGINX
node01-web IN A 172.16.185.13
node02-web IN A 172.16.185.14
node03-web IN A 172.16.185.15

Editer le fichier « forward.house.cpb »

[root@dns-pri chris]# vi /var/named/reverse.house.cpb

On ajoute les nouvelles machines dans le fichier de reverse et on augmente le numéro de série + 1 dans la Zone SOA

$TTL 86400
@ IN SOA dns-pri.house.cpb. root.house.cpb. (
 2021042106 ;Serial
 3600 ;Refresh
 1800 ;Retry
 604800 ;Expire
 86400 ;Minimum TTL
)
@ IN NS dns-pri.house.cpb.
@ IN NS dns-sec.house.cpb.
@ IN MX 1 mail.house.cpb.

; LAN VM - Mysql PERCONA
9 IN PTR node01-sql.house.cpb.
10 IN PTR node02-sql.house.cpb.
11 IN PTR node03-sql.house.cpb.
12 IN PTR node04-sql.house.cpb.

; LAN VM - WEB
13 IN PTR node01-web.house.cpb.
14 IN PTR node02-web.house.cpb.
15 IN PTR node03-web.house.cpb.

Test des Configurations (dns-pri.house.cpb)

[root@dns-pri named]# named-checkzone house.cpb forward.house.cpb
zone house.cpb/IN: loaded serial 2021051905
OK
[root@dns-pri named]# named-checkzone house.cpb reverse.house.cpb
zone house.cpb/IN: loaded serial 2021042106
OK

Recharger la zone DNS Primaire et secondaire

[root@dns-pri named]# systemctl reload named

Coté Logs DNS Primaire

Côté logs DNS Secondaire

La propagation est OK.

Test sur un client Lambda.

[root@test1 ~]# yum install bind-utils
[root@test1 ~]# nslookup node01-sql.house.cpb
[root@test1 ~]# nslookup node02-sql.house.cpb
[root@test1 ~]# nslookup node03-sql.house.cpb
[root@test1 ~]# nslookup node04-sql.house.cpb

La résolution des noms machine est OK

L’article MODOP – Configurer un DNS Primaire et Secondaire – Centos7 est apparu en premier sur CoffeeBreak Info.