I have a problem with correctly setting up a working infrastructure for testing mail spoofing prevention mechanisms. As shown in the graph below, I have 2 mail servers (centos1 & 2) and 2 DNS servers. It is obligatory to have one DNS server per host to test SPF records.
The problem is that the two DNS servers cannot communicate with each other. I mean, they can ping each other, but I do not really know how to set them up to provide A or MX records for the other domain. In real networks those local DNS servers have to communicate with root DNS servers that provide domain names to the local ones. Should I set up an additional root DNS server? If so, how do I do it? I have looked almost everywhere on the internet and found nothing...
For example, I want to send an email from xyz@example.local to zyx@another.local, but when I do so, the mail exchange daemon shows the following message:
<xyz@another.local>: Host or domain name not found. Name service error for
name=another.local type=A: Host not found
My present configuration for one DNS server is (the second one is just like this, with the only difference being the domain name):
Forward zone:
$TTL 1D
@ IN SOA dns1.example.local. root.example.local. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS dns1.example.local.
@ IN A 192.168.21.131
dns1 IN A 192.168.21.131
host IN A 192.168.21.131
centos1 IN A 192.168.21.128
centos2 IN A 192.168.21.129
another.local IN A 192.168.21.130
example.local IN MX 5 centos1.example.local.
Reverse zone:
$TTL 1D
@ IN SOA dns1.example.local. root.example.local. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS dns1.example.local.
@ IN PTR example.local.
dns1 IN A 192.168.21.131
host IN A 192.168.21.131
centos1 IN A 192.168.21.128
centos2 IN A 192.168.21.129
131 IN PTR dns1.example.local.
128 IN PTR centos1.example.local.
129 IN PTR centos2.another.local.
And named.conf:
options {
    listen-on port 53 { 127.0.0.1; 192.168.21.131; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { localhost; any; };
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "example.local" IN {
    type master;
    file "forward.example.local";
    allow-update { none; };
};
zone "21.168.192.in-addr.arpa" IN {
    type master;
    file "reverse.example.local";
    allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
To sum up, how do I make my mail servers able to exchange mail, with one DNS server for each of them? Please be sure to check the graph below; I think it explains a lot.
Looking forward to hearing from you! :D
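The following is an added example configuration, not part of the original question and not the poster's own files. It shows the usual way to make two authoritative lab DNS servers answer for each other's private domain without a root server: each named.conf keeps its own zone as master and declares the other domain as a forward zone pointing at the peer. It assumes dns1 (example.local) is 192.168.21.131 as in the question and that the second DNS server for another.local listens on 192.168.21.130 (assumed address); the mail host names and IPs are taken from the question's zone file.

```conf
// ---- dns1, /etc/named.conf (192.168.21.131, authoritative for example.local) ----
// Added example, not the original post's configuration.
options {
    listen-on port 53 { 127.0.0.1; 192.168.21.131; };
    directory "/var/named";
    recursion yes;
    // Restrict recursion and queries to the lab network instead of "any",
    // which is what the shipped comment about amplification attacks warns about.
    allow-recursion { 127.0.0.1; 192.168.21.0/24; };
    allow-query     { 127.0.0.1; 192.168.21.0/24; };
    // In an isolated lab there is no path to the root servers, so validation
    // cannot build a chain of trust for a forwarded private zone and answers
    // SERVFAIL; disable it on the lab resolvers.
    dnssec-validation no;
};

// Our own domain stays authoritative, exactly as in the question.
zone "example.local" IN {
    type master;
    file "forward.example.local";
    allow-update { none; };
};

// The other lab domain: send queries for another.local to its own DNS server
// (assumed 192.168.21.130) rather than to the public roots, which do not know .local.
zone "another.local" IN {
    type forward;
    forward only;
    forwarders { 192.168.21.130; };
};

// ---- dns1, /var/named/forward.example.local ----
// Only the records the mail exchange needs are shown; SOA/NS as in the question.
// @ (the zone apex) gets the MX; "example.local IN MX" without a trailing dot
// would be read as example.local.example.local.
@        IN MX 5 centos1.example.local.
centos1  IN A  192.168.21.128
// Do NOT put "another.local IN A ..." here: without a trailing dot it becomes
// another.local.example.local, which is not what the mail server looks up.

// ---- dns2, /etc/named.conf (assumed 192.168.21.130, authoritative for another.local) ----
// Mirror image of dns1: own zone master, peer's zone forwarded.
zone "another.local" IN {
    type master;
    file "forward.another.local";
    allow-update { none; };
};
zone "example.local" IN {
    type forward;
    forward only;
    forwarders { 192.168.21.131; };
};

// ---- dns2, /var/named/forward.another.local ----
@        IN MX 5 centos2.another.local.
centos2  IN A  192.168.21.129
```

After reloading both servers (rndc reload), the check a practitioner would run from centos1 is `dig @192.168.21.131 another.local MX` followed by `dig @192.168.21.131 centos2.another.local A`; both must return ANSWER records, and the Postfix "Host not found" error disappears once they do. The same effect can be had with `type slave; masters { 192.168.21.130; };` (a secondary copy of the peer's zone via zone transfer, with `allow-transfer` set on the master), which also keeps working when the peer is briefly down; forwarding is the smaller change and is enough for SPF testing. Note that SPF checkers also look up TXT records at each domain apex, so the SPF record belongs in the authoritative zone on the domain's own server, and the forwarded lookup above is what lets the other side see it.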