Configuring a small DNS server for SCAN

A few users asked what to do if there is no DNS server available for configuring the SCAN names when installing oracle grid infrastructure.

Most asked if they can use hosts file entries. The short answer is: Nope. The grid infrastructure will install fine but the cluster verification utility will fail.

So my suggestion is as follows: Create your own small DNS server on your rac nodes. This is quite fast and easy and described in this article.

Installing required packages

Oracle Enterprise Linux as well as RedHat and even SuSE ship with rpm packages for the name server “bind”. Bind is developed by the ISC (Internet systems consortium) and is the most used dns server. More information can be found here.

In this article we will install bind on our RAC system running Oracle Enterprise Linux 5 Update 3. If you use another distribution or release, your version numbers and/or package names might differ.

So for OEL 5U3 we need at least the following packages installed:

  • bind-libs-9.3.4-10.P1.el5
  • bind-9.3.4-10.P1.el5
  • bind-utils-9.3.4-10.P1.el5

In addition to that you can also install the “bind-chroot” package, which runs bind in a chroot environment. A chroot environment increases security and is recommended for production. For our test system we will not install bind chrooted, to keep the complexity low.

Configuring the first (master) dns server

In the first step we will create the master DNS server, which will reside on one of the nodes. In our case the master DNS server resides on node “rac1.regner.de” with IP address 172.23.15.1. The secondary DNS server will be on node “rac2.regner.de” with IP address 172.23.15.2.

Later we will add a secondary DNS server on the second node. This is required for a working name resolution if one node is down.

Note that for a “quick and dirty” configuration one configured DNS server is enough to complete the cluster verification tests. Make sure that you specified all node names (private, public and VIP names) in your /etc/hosts file!

Creating the required files

All you need to do is create the files in the locations named below (attention: on SuSE, /var/named will probably be /var/lib/named!). If you want to, you can replace the string “regner.de” with your own domain and adjust the host names and IPs accordingly.

/etc/named.conf

[root@rac1 named]# cat /etc/named.conf
options {

 # The directory statement defines the name server's working directory

 directory "/var/named";

 # Write dump and statistics file to the log subdirectory.  The
 # pathnames are relative to the chroot jail.

 dump-file "/var/log/named_dump.db";
 statistics-file "/var/log/named.stats";

 # The forwarders record contains a list of servers to which queries
 # should be forwarded.  Enable this line and modify the IP address to
 # your provider's name server.  Up to three servers may be listed.

 #forwarders { 192.0.2.1; 192.0.2.2; };

 # Enable the next entry to prefer usage of the name server declared in
 # the forwarders section.

 #forward first;

 # The listen-on record contains a list of local network interfaces to
 # listen on.  Optionally the port can be specified.  Default is to
 # listen on all interfaces found on your system.  The default port is
 # 53.

 #listen-on port 53 { 127.0.0.1; };

 # The listen-on-v6 record enables or disables listening on IPv6
 # interfaces.  Allowed values are 'any' and 'none' or a list of
 # addresses.

 listen-on-v6 { none; };

 # The next three statements may be needed if a firewall stands between
 # the local server and the internet.

 #query-source address * port 53;
 #transfer-source * port 53;
 #notify-source * port 53;

 # The allow-query record contains a list of networks or IP addresses
 # to accept and deny queries from. The default is to allow queries
 # from all hosts.

 #allow-query { 127.0.0.1; };

 # If notify is set to yes (default), notify messages are sent to other
 # name servers when the zone data is changed.  Instead of setting
 # a global 'notify' statement in the 'options' section, a separate
 # 'notify' can be added to each zone definition.

 notify no;
};

logging {
 # Log queries to a file limited to a size of 100 MB.
 channel query_logging {
 file "/var/named/named_querylog"
 versions 3 size 100M;
 print-time yes;                 // timestamp log entries
 };
 category queries {
 query_logging;
 };

 # Or log this kind alternatively to syslog.
 channel syslog_queries {
 syslog user;
 severity info;
 };
 category queries { syslog_queries; };

 # Log general name server errors to syslog.
 channel syslog_errors {
 syslog user;
 severity error;
 };
 category default { syslog_errors;  };

 # Don't log lame server messages.
 category lame-servers { null; };
};

acl acl_transf { 172.23.15.2; };

# The following zone definitions don't need any modification.  The first one
# is the definition of the root name servers.  The second one defines
# localhost while the third defines the reverse lookup for localhost.

#zone "." in {
# type hint;
# file "root.hint";
#};

zone "localhost" in {
 type master;
 file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
 type master;
 file "127.0.0.zone";
};

zone "regner.de" in {
 type master;
 file "db.regner.de";
 allow-transfer { acl_transf; };
};

Note the following line:

acl acl_transf { 172.23.15.2; };

This line will later allow the secondary DNS server to fetch the zone files from the master server. In our test environment “rac1.regner.de” (172.23.15.1) is the master DNS server while “rac2.regner.de” (172.23.15.2) is the secondary one which fetches the zone files. In your environment you must adjust the line according to the IPs you use. You cannot use names here!

/var/named/127.0.0.zone

$TTL 1W
@               IN SOA          localhost.   root.localhost. (
 42              ; serial (d. adams)
 2D              ; refresh
 4H              ; retry
 6W              ; expiry
 1W )            ; minimum

 IN NS           localhost.
1               IN PTR          localhost.

/var/named/localhost.zone

$TTL 1W
@               IN SOA  @   root (
 42              ; serial (d. adams)
 2D              ; refresh
 4H              ; retry
 6W              ; expiry
 1W )            ; minimum

 IN NS           @
 IN A            127.0.0.1

/var/named/db.regner.de

$ORIGIN .
regner.de               SOA     rac1.regner.de. rac1.regner.de. (
 22         ; serial
 900        ; refresh (15 minutes)
 600        ; retry (10 minutes)
 86400      ; expire (1 day)
 3600       ; minimum (1 hour)
 )
 NS      rac1.regner.de.
 NS      rac2.regner.de.
$ORIGIN regner.de.
rac1                    A       172.23.15.1
rac2                    A       172.23.15.2
rac1-vip                A       172.23.15.10
rac2-vip                A       172.23.15.20
rac1-priv               A       192.168.181.10
rac2-priv               A       192.168.181.20
rac-scan                A       172.23.15.3
rac-scan                A       172.23.15.4
rac-scan                A       172.23.15.5
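
Before loading a zone like the one above it is worth checking it mechanically. The following is an added example, not part of the original article: a small Python parser for the subset of master-file syntax used in db.regner.de ($ORIGIN, owner-less continuation lines, the parenthesised multi-line SOA, ";" comments) and a few sanity checks on the result. The embedded zone text is a constructed copy of the file above; the check function and its messages are this example's own.

```python
# Constructed copy of the article's /var/named/db.regner.de, used as sample input.
ZONE_TEXT = """\
$ORIGIN .
regner.de               SOA     rac1.regner.de. rac1.regner.de. (
 22         ; serial
 900        ; refresh (15 minutes)
 600        ; retry (10 minutes)
 86400      ; expire (1 day)
 3600       ; minimum (1 hour)
 )
 NS      rac1.regner.de.
 NS      rac2.regner.de.
$ORIGIN regner.de.
rac1                    A       172.23.15.1
rac2                    A       172.23.15.2
rac1-vip                A       172.23.15.10
rac2-vip                A       172.23.15.20
rac1-priv               A       192.168.181.10
rac2-priv               A       192.168.181.20
rac-scan                A       172.23.15.3
rac-scan                A       172.23.15.4
rac-scan                A       172.23.15.5
"""

def logical_lines(text):
    """Yield (indented, tokens) per record: strips ';' comments first (so the
    '(15 minutes)' comments do not count) and joins the parenthesised SOA."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf = line if not buf else buf + " " + line
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield buf[0].isspace(), buf.replace("(", " ").replace(")", " ").split()
            buf = ""

def parse_zone(text):
    """Return [(owner_fqdn, rtype, rdata_tokens)] for the master-file subset used here:
    $ORIGIN, owner-less continuation lines, optional class and TTL columns."""
    origin, owner, records = ".", None, []
    for indented, toks in logical_lines(text):
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if not indented:                       # a new owner name starts the line
            owner = toks.pop(0)
        while toks[0] == "IN" or toks[0].isdigit():   # skip optional class and TTL
            toks.pop(0)
        full = owner if owner.endswith(".") else owner + "." + origin.lstrip(".")
        records.append((full, toks[0], toks[1:]))
    return records

def check_scan_zone(records, scan="rac-scan.regner.de.", want=3):
    """Pre-load sanity checks: the SCAN name has 1..3 A records, every NS target
    has an A record inside the zone, and no address is shared between two names."""
    a_records = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            a_records.setdefault(owner, set()).add(rdata[0])
    problems = []
    scan_ips = a_records.get(scan, set())
    if not scan_ips:
        problems.append("%s has no A record" % scan)
    elif len(scan_ips) < want:
        problems.append("%s has %d address(es); %d recommended" % (scan, len(scan_ips), want))
    for owner, rtype, rdata in records:
        if rtype == "NS" and rdata[0] not in a_records:
            problems.append("NS %s has no A record in the zone" % rdata[0])
    seen = {}
    for owner, ips in a_records.items():
        for ip in sorted(ips):
            if ip in seen:
                problems.append("%s is used by both %s and %s" % (ip, seen[ip], owner))
            seen[ip] = owner
    return problems
```

`check_scan_zone(parse_zone(open("/var/named/db.regner.de").read()))` returns an empty list for a consistent zone and one message per finding otherwise.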

Starting for the first time

Before starting for the first time we need to change permissions:

[root@rac1 named]# touch /var/named/named_querylog
[root@rac1 named]# chown -R named:named /var/named/
[root@rac1 named]# chown named:named /etc/named.conf

After that we can start for the first time by entering:

/etc/init.d/named start

Your message log should look like this:

Oct 15 09:51:25 rac1 named[22380]: starting BIND 9.3.4-P1 -u named
Oct 15 09:51:25 rac1 named[22380]: found 1 CPU, using 1 worker thread
Oct 15 09:51:25 rac1 named[22380]: loading configuration from '/etc/named.conf'
Oct 15 09:51:25 rac1 named[22380]: listening on IPv4 interface lo, 127.0.0.1#53
Oct 15 09:51:25 rac1 named[22380]: listening on IPv4 interface bond0, 172.23.15.1#53
Oct 15 09:51:25 rac1 named[22380]: listening on IPv4 interface bond0:3, 172.23.15.10#53
Oct 15 09:51:25 rac1 named[22380]: listening on IPv4 interface bond0:4, 172.23.15.3#53
Oct 15 09:51:25 rac1 named[22380]: listening on IPv4 interface bond0:5, 172.23.15.5#53
Oct 15 09:51:25 rac1 named[22380]: listening on IPv4 interface bond1, 192.168.181.10#53
Oct 15 09:51:25 rac1 named[22380]: command channel listening on 127.0.0.1#953
Oct 15 09:51:25 rac1 named[22380]: command channel listening on ::1#953

There must be no error messages. If there are errors, fix the configuration files before continuing.

Checking configuration

If named started without error messages you can check if host name resolution works. For checking we use “dig” which is part of the bind-utils package. The calling syntax is:

dig @<server> <hostname to query>

In our environment this evaluates to:

[root@rac1 named]# dig @172.23.15.1 rac1.regner.de

; <<>> DiG 9.3.4-P1 <<>> @172.23.15.1 rac1.regner.de
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27024
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;rac1.regner.de.                        IN      A

;; ANSWER SECTION:
rac1.regner.de.         3600    IN      A       172.23.15.1

;; AUTHORITY SECTION:
regner.de.              3600    IN      NS      rac1.regner.de.

;; Query time: 31 msec
;; SERVER: 172.23.15.1#53(172.23.15.1)
;; WHEN: Thu Oct 15 09:48:07 2009
;; MSG SIZE  rcvd: 62

The output has two parts of interest:

  • question section
  • answer section

The interesting part is in the answer section. We queried for “rac1.regner.de” (see question section) and got the following answer section:

;; ANSWER SECTION:
rac1.regner.de.         3600    IN      A       172.23.15.1

The answer section states that the host named “rac1.regner.de” has the IP address 172.23.15.1, just as we configured it in the zone file. If you changed names and/or IPs, your adjusted values must appear in the answer section.

The next query asks for the SCAN name we also configured in the zone file:

[root@rac1 named]# dig @172.23.15.1 rac-scan.regner.de

; <<>> DiG 9.3.4-P1 <<>> @172.23.15.1 rac-scan.regner.de
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33081
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;rac-scan.regner.de.            IN      A

;; ANSWER SECTION:
rac-scan.regner.de.     3600    IN      A       172.23.15.4
rac-scan.regner.de.     3600    IN      A       172.23.15.5
rac-scan.regner.de.     3600    IN      A       172.23.15.3

;; AUTHORITY SECTION:
regner.de.              3600    IN      NS      rac1.regner.de.

;; ADDITIONAL SECTION:
rac1.regner.de.         3600    IN      A       172.23.15.1

;; Query time: 3 msec
;; SERVER: 172.23.15.1#53(172.23.15.1)
;; WHEN: Thu Oct 15 09:48:21 2009
;; MSG SIZE  rcvd: 119

This time the answer section contained three IP addresses:

;; ANSWER SECTION:
rac-scan.regner.de.     3600    IN      A       172.23.15.4
rac-scan.regner.de.     3600    IN      A       172.23.15.5
rac-scan.regner.de.     3600    IN      A       172.23.15.3

That is completely fine, as Oracle needs at least one, and preferably three, IPs for the SCAN name. As you can see from the output we configured the recommended number of three IPs. Oracle will use these IPs to configure the SCAN listeners to listen on them. For more information about SCAN refer here.

Using configuration

In order to use our freshly configured name servers, replace the file /etc/resolv.conf with a file like this:

nameserver 172.23.15.1
nameserver 172.23.15.2
search regner.de

The file /etc/resolv.conf configures the DNS servers to use for name resolution. The argument “nameserver” defines a DNS server, while “search” configures one or more domain suffixes to be appended to unqualified names. In the example listed there are two name servers which will be queried. If one server is unreachable there will be a transparent failover to the second one. The second server will be configured now.

Configuring the second (slave) dns server

Creating the required files

/etc/named.conf

[root@rac2 named]# cat /etc/named.conf
options {

 # The directory statement defines the name server's working directory

 directory "/var/named";

 # Write dump and statistics file to the log subdirectory.  The
 # pathnames are relative to the chroot jail.

 dump-file "/var/log/named_dump.db";
 statistics-file "/var/log/named.stats";

 # The forwarders record contains a list of servers to which queries
 # should be forwarded.  Enable this line and modify the IP address to
 # your provider's name server.  Up to three servers may be listed.

 #forwarders { 192.0.2.1; 192.0.2.2; };

 # Enable the next entry to prefer usage of the name server declared in
 # the forwarders section.

 #forward first;

 # The listen-on record contains a list of local network interfaces to
 # listen on.  Optionally the port can be specified.  Default is to
 # listen on all interfaces found on your system.  The default port is
 # 53.

 #listen-on port 53 { 127.0.0.1; };

 # The listen-on-v6 record enables or disables listening on IPv6
 # interfaces.  Allowed values are 'any' and 'none' or a list of
 # addresses.

 listen-on-v6 { none; };

 # The next three statements may be needed if a firewall stands between
 # the local server and the internet.

 #query-source address * port 53;
 #transfer-source * port 53;
 #notify-source * port 53;

 # The allow-query record contains a list of networks or IP addresses
 # to accept and deny queries from. The default is to allow queries
 # from all hosts.

 #allow-query { 127.0.0.1; };

 # If notify is set to yes (default), notify messages are sent to other
 # name servers when the zone data is changed.  Instead of setting
 # a global 'notify' statement in the 'options' section, a separate
 # 'notify' can be added to each zone definition.

 notify no;
};

logging {
 # Log queries to a file limited to a size of 100 MB.
 channel query_logging {
 file "/var/named/named_querylog"
 versions 3 size 100M;
 print-time yes;                 // timestamp log entries
 };
 category queries {
 query_logging;
 };

 # Or log this kind alternatively to syslog.
 channel syslog_queries {
 syslog user;
 severity info;
 };
 category queries { syslog_queries; };

 # Log general name server errors to syslog.
 channel syslog_errors {
 syslog user;
 severity error;
 };
 category default { syslog_errors;  };

 # Don't log lame server messages.
 category lame-servers { null; };
};

# The following zone definitions don't need any modification.  The first one
# is the definition of the root name servers.  The second one defines
# localhost while the third defines the reverse lookup for localhost.

#zone "." in {
# type hint;
# file "root.hint";
#};

zone "localhost" in {
 type master;
 file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
 type master;
 file "127.0.0.zone";
};

zone "regner.de" in {
 type slave;
 file "db.regner.de";
 masters { 172.23.15.1; };
};

/var/named/127.0.0.zone

$TTL 1W
@               IN SOA          localhost.   root.localhost. (
 42              ; serial (d. adams)
 2D              ; refresh
 4H              ; retry
 6W              ; expiry
 1W )            ; minimum

 IN NS           localhost.
1               IN PTR          localhost.

/var/named/localhost.zone

$TTL 1W
@               IN SOA  @   root (
 42              ; serial (d. adams)
 2D              ; refresh
 4H              ; retry
 6W              ; expiry
 1W )            ; minimum

 IN NS           @
 IN A            127.0.0.1

/var/named/db.regner.de

You do not need to create the zone file because it will be fetched from the master server.

Starting for the first time

Before starting for the first time we need to change permissions:

[root@rac2 named]# touch /var/named/named_querylog
[root@rac2 named]# chown -R named:named /var/named/
[root@rac2 named]# chown named:named /etc/named.conf

After that we can start for the first time by entering:

/etc/init.d/named start

Your message log should look like this:

Oct 15 10:30:02 rac2 named[23116]: starting BIND 9.3.4-P1 -u named
Oct 15 10:30:02 rac2 named[23116]: found 1 CPU, using 1 worker thread
Oct 15 10:30:02 rac2 named[23116]: loading configuration from '/etc/named.conf'
Oct 15 10:30:02 rac2 named[23116]: listening on IPv4 interface lo, 127.0.0.1#53
Oct 15 10:30:02 rac2 named[23116]: listening on IPv4 interface bond0, 172.23.15.2#53
Oct 15 10:30:02 rac2 named[23116]: listening on IPv4 interface bond0:1, 172.23.15.4#53
Oct 15 10:30:02 rac2 named[23116]: listening on IPv4 interface bond0:2, 172.23.15.20#53
Oct 15 10:30:02 rac2 named[23116]: listening on IPv4 interface bond1, 192.168.181.20#53
Oct 15 10:30:02 rac2 named[23116]: command channel listening on 127.0.0.1#953
Oct 15 10:30:02 rac2 named[23116]: command channel listening on ::1#953

There must be no error messages. If there are errors, fix the configuration files before continuing.

Checking configuration

The first thing to check is the existence of the file /var/named/db.regner.de:

[root@rac2 named]# ll /var/named/
total 20
-rw-r--r-- 1 named named  192 Oct 15 10:28 127.0.0.zone
drwxrwx--- 2 named named 4096 Jan 21  2009 data
-rw-r--r-- 1 named named  498 Oct 15 10:30 db.regner.de
-rw-r--r-- 1 named named  158 Oct 15 10:28 localhost.zone
-rw-r--r-- 1 named named    0 Oct 15 10:30 named_querylog
drwxrwx--- 2 named named 4096 Jan 21  2009 slaves

The file is there and was transferred from the master server.

We will now query the secondary DNS server just like we did with the primary server:

[root@rac2 named]# dig @172.23.15.2 rac1.regner.de

; <<>> DiG 9.3.4-P1 <<>> @172.23.15.2 rac1.regner.de
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9789
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;rac1.regner.de.                        IN      A

;; ANSWER SECTION:
rac1.regner.de.         3600    IN      A       172.23.15.1

;; AUTHORITY SECTION:
regner.de.              3600    IN      NS      rac1.regner.de.

;; Query time: 227 msec
;; SERVER: 172.23.15.2#53(172.23.15.2)
;; WHEN: Thu Oct 15 10:32:23 2009
;; MSG SIZE  rcvd: 62
[root@rac2 named]# dig @172.23.15.2 rac-scan.regner.de

; <<>> DiG 9.3.4-P1 <<>> @172.23.15.2 rac-scan.regner.de
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52238
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;rac-scan.regner.de.            IN      A

;; ANSWER SECTION:
rac-scan.regner.de.     3600    IN      A       172.23.15.5
rac-scan.regner.de.     3600    IN      A       172.23.15.3
rac-scan.regner.de.     3600    IN      A       172.23.15.4

;; AUTHORITY SECTION:
regner.de.              3600    IN      NS      rac1.regner.de.

;; ADDITIONAL SECTION:
rac1.regner.de.         3600    IN      A       172.23.15.1

;; Query time: 1 msec
;; SERVER: 172.23.15.2#53(172.23.15.2)
;; WHEN: Thu Oct 15 10:32:34 2009
;; MSG SIZE  rcvd: 119
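
The two dig checks above, against the master and then the slave, can be automated so that the verification is repeatable after every zone change. The following is an added example, not part of the original article: a Python script with no third-party modules that sends a raw A query to both servers, parses the replies, and compares the returned address sets (sets, because the two dig outputs above show BIND rotating the order). The server list and SCAN name are taken from the article; the transaction-id and RCODE checks and the verdict wording are this example's own.

```python
import socket
import struct

SCAN_NAME = "rac-scan.regner.de"
SERVERS = ["172.23.15.1", "172.23.15.2"]     # master and slave from the article

def build_a_query(name, txid=0x1234):
    """Recursion-desired A/IN query: RFC 1035 header, QNAME as length-prefixed labels."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", 1, 1)

def skip_name(msg, off):
    """Return the offset just past the name at `off`; a 0xC0.. compression pointer ends it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_a_answers(msg, txid=0x1234):
    """Set of IPv4 strings in the answer section; rejects stray ids and error RCODEs."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                      # skip question: name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    addrs = set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.add(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def query_a(server, name, timeout=2.0):
    """Send one query over UDP/53 to `server` and parse the reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_a_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    finally:
        sock.close()
    return parse_a_answers(data)

def verdict(results, want=3):
    """results: server -> set of addresses, or None when the query failed. Answer sets are
    compared, not lists, because BIND rotates the order between replies (see the dig outputs)."""
    answered = {s: a for s, a in results.items() if a}
    if not answered:
        return "FAIL: no server answered for the SCAN name"
    sets = list(answered.values())
    if any(a != sets[0] for a in sets):
        return "FAIL: servers disagree (zone transfer incomplete?)"
    if len(sets[0]) < want:
        return "WARN: %d address(es); Oracle recommends %d" % (len(sets[0]), want)
    if len(answered) < len(results):
        return "WARN: only %d of %d servers answered" % (len(answered), len(results))
    return "OK: %d addresses served consistently by all servers" % len(sets[0])

def check_scan(servers=SERVERS, name=SCAN_NAME):
    """Query every server for the SCAN name and return the combined verdict."""
    results = {}
    for srv in servers:
        try:
            results[srv] = query_a(srv, name)
        except (OSError, ValueError):
            results[srv] = None
    return verdict(results)
```

Running `check_scan()` on a node prints OK only when both servers return the same three addresses; a WARN or FAIL points at a missing record, an incomplete zone transfer or an unreachable server.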

Troubleshooting

If you experience problems check out the following files for more information:

  • /var/log/messages
  • /var/named/named_querylog

The second file records all received DNS queries and can be extremely helpful in debugging DNS-related problems.

More Information

For information on how to change, add or delete DNS records, refer to the bind documentation.

28 thoughts on “Configuring a small DNS server for SCAN”

  1. hi

    /etc/named.conf
    /var/named/127.0.0.zone
    /var/named/localhost.zone

    These files do not exist by default in OEL 5.4. Do I need to just create them? Or do I need to install any packages? I already have:

    [root@pc-2 ~]# rpm -qa | grep bind
    bind-9.3.6-4.P1.el5
    system-config-bind-4.0.3-4.0.1.el5
    bind-utils-9.3.6-4.P1.el5
    ypbind-1.19-12.el5
    bind-chroot-9.3.6-4.P1.el5
    bind-libs-9.3.6-4.P1.el5
    kdebindings-3.5.4-6.el5

    ls /var/named/
    chroot data slaves
    The named directory contains only chroot, data and slaves.
    Do I need to change anything over there?

    regards

  2. hi

    As I did not have them I created them by hand, but got this result, e.g.:

    [root@pc-2 ~]# /etc/init.d/named restart
    Stopping named: [ OK ]
    Locating /var/named/chroot//etc/named.conf failed:
    [FAILED]
    [root@pc-2 ~]#

    regards

    1. Hi,

      the VIP addresses are created automatically by Grid Infrastructure installer. You are prompted for them during installation.

    1. Basically non-local host names in DNS are enough. If you don't have a working DNS you can put them into your /etc/hosts file.

  3. @Ronny Egner

    Sorry to say (don't know the reason), the fact is that I did not get the VIP to work until I mentioned them in my /etc/hosts, whereas ping, nslookup and dig results were perfect.

    If you have any explanation, please let me know here….

    regards

  4. I have 2 nodes on Solaris 10 and I’m trying to upgrade to the 11gR2 Grid Infrastructure. The SA set up a DNS with a single ip for SCAN. I can nslookup the host, not ping because it’s interface is unplumbed, it was but in testing we detached it as part of the troubleshooting. We can nslookup each node from the other. Any ideas about what else we might need to look at?

    1. For an upgrade you need to configure at least one scan ip. This ip will be a virtual interface residing on top of your public interface. The SCAN ip will be assigned by the clusterware upon installation.

      On my Solaris box, one node's interfaces look like this:

      bge0: flags=1000843 mtu 1500 index 2
      inet 10.11.64.63 netmask fffffe00 broadcast 10.11.65.255
      bge0:1: flags=1040843 mtu 1500 index 2
      inet 10.11.65.102 netmask fffffe00 broadcast 10.11.65.255
      bge0:2: flags=1040843 mtu 1500 index 2
      inet 10.11.65.104 netmask fffffe00 broadcast 10.11.65.255
      bge0:3: flags=1040843 mtu 1500 index 2
      inet 10.11.65.103 netmask fffffe00 broadcast 10.11.65.255
      bge1: flags=1000843 mtu 1500 index 4
      inet 192.168.100.2 netmask ffffff00 broadcast 192.168.100.255

      bge1 = private interconnect
      bge0 = nodes public ip
      bge0:0 = nodes vip ip
      bge0:1 to bge0:2 = scan IP 1 and scan IP 2

  5. We have:
    ce0 = public ip
    ce0:1 = vip
    ce9 = interconnect

    There is no ce0:2 (we only have one ip set aside for now) because we unplumbed it. Is this something the SA should do beforehand or that is done by the installer.

    Right now we have the DNS running, we can nslookup on each node but only one dns configured. We have the names configured in the /etc/hosts and the resolv.conf configured. Do you know if there is anything else I should be doing pre-installation or should a working dns be enough. Do you know what oracle uses to check for the available ip? I appreciate you taking the time to answer questions. I have been reading a lot but it seems like some details of the configuration are missing. I have read note 887522.1, the GRID installation guide (kind of painful) and forums but I guess I can’t figure out the “glue” to some of these pieces. Thanks for your help and time!

    v/r
    Va.

    ps Apologize if I ended up posting this somewhere else or twice, I hit submit and it disappeared…

    1. Hi,

      the virtual IP for the SCAN IP will be set up by the installer. Do NOT set it up yourself. All you need to setup is a working dns configuration as shown in my guides for linux. You need to make sure the name -scan. resolves to at least one (better three) IPs. These IPs resolved via DNS will be used by the installer (!!! ; not you!) to set up virtual network interfaces.

  6. Ok, so after reading Sayantan’s forum post I saw at the very end… to restart universal installer.. *sigh*

    Thanks!

  7. Nice Article.
    Looking for DNS configuration for 11g R2 grid infrastructure installation….I will try it out.

    Thanks for posting this article as it good explanation for DNS setup.

    Regards,
    VJ
