
2576 - Creating a Secondary Zone in BloxOne DDI

Cloud Services Portal (CSP) is now Infoblox Portal

In early September, Cloud Services Portal (CSP) became Infoblox Portal with a new look-and-feel, and a new URL (https://portal.infoblox.com). As a result of this change, the layout and organization of several menus have been updated.

Unfortunately, this means that our video courseware and lab guides no longer match the new user interface. However, we are currently in the process of updating them, and they should be ready soon.

In the meantime, we have some resources to help you navigate the new interface:

We apologize for any inconvenience this may cause and kindly ask for your patience as we work through this transition.

Scenario

The training department, which administers training.techblue.net, wants to work with your team to implement local survivability for their DNS clients. Your DNS clients also use their services, like lms.training.infoblox.com, so this could improve the efficiency of the DNS implementation as well. We don't want to simply set up a forwarding zone, because we want the zone to still work if their DNS servers are not responding.

They want to keep administering their domain as the primary for training.techblue.net, but they are using some other DNS server that we will need to add as an External Primary on a Secondary zone in our DNS environment. They will host their own DNS servers and maintain their own records, but their DNS servers will allow ours to synchronize with theirs using a shared TSIG key for zone transfers.


Estimated Completion Time

  • 10 to 15 minutes

Prerequisites

  • Administrative access to the CSP

  • Lab 2801: Deploying BloxOne Hosts

  • Lab 2570: Configuring DHCP Services in BloxOne DDI

  • Lab 2571: Creating DHCP Networks in BloxOne DDI

  • Lab 2573: Enabling and Configuring DNS Services

  • Lab 2574: Creating a Primary Zone in BloxOne DDI

Course References

  • 2159: BloxOne DDI Configuring DNS Services

Tasks

  1. Creating a Secondary Zone training.techblue.net and Configuring Zone Transfer

  2. Validating the DNS zones and records from a client

Task 1: Creating a Secondary Zone training.techblue.net and Configuring Zone Transfer

The training team has provided us with TSIG key information in a file named tsig_xfer_sha256.txt (This is in your jump-desktop filesystem folder 'Shared Drive') and the IP address of the DNS server we'll be adding as an External DNS Primary: imai.techblue.io (184.170.237.34). We'll need to create a secondary zone under techblue.net called training.techblue.net and use this External DNS server as the authoritative DNS server for this zone. Also, we should configure the TSIG key trust for the Zone Transfer to work.

Task 2: Validating the DNS zone and records from a client

We have set up the zone transfer for this domain so the resource records should be copied and available. But we should verify that when our clients try to get the records, they get what we expect. Use our testing-linux virtual machine to verify that we can get A records for lms.training.techblue.net.



Solutions

Task 1 Solution: Creating a Secondary Zone training.techblue.net and Configuring Zone Transfer

  1. Switch to your CSP browser window, navigate to Manage → DNS

  2. Select the Zones tab

  3. Click on the default DNS View to go inside the view

  4. Click on the zone techblue.net to go into the zone

  5. Click the Create button and from the drop-down Zone list, select Secondary Zone

  6. Enter the zone Name: training

  7. Check that .techblue.net is selected from the suffix drop-down list

  8. Expand the Authoritative DNS Servers section

  9. Under External Primary Servers, click Add and fill out the required fields:

    • Name: imai.techblue.io

    • Address: 184.170.237.34 (we can get this address with a lookup on a terminal - dig @8.8.8.8 imai.techblue.io)

    • Check Use TSIG and fill out KeyName, Algorithm, and KeyValue based on the information in the lab environment file /mnt/shared/tsig_xfer_sha256.txt (This is in your jump-desktop filesystem folder Shared Drive)

  10. Click Add

  11. Under BloxOne Secondary DNS Servers click the arrow next to both of your DNS service instances to move them to the list of BloxOne Secondary DNS Servers

  12. Click Save & Close

Task 2 Solution: Validating the DNS zone and records from a client

  1. On testing-linux open a Terminal window

  2. Set the IP address as a fixed address with the command sudo set-network-static-bloxone to allow a route to the DNS server.

  3. Check that the dig response for the following query returns an Authoritative Answer (aa) with NOERROR:

    dig @10.100.0.110 lms.training.techblue.net

    Answer: 203.0.113.99
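
The check in step 3 can be scripted. The following is an added example, not part of the original lab guide: the hypothetical check_dig helper passes only when the dig header shows NOERROR, the aa flag is set, and the expected A record is present. The three sample responses are constructed for illustration; only the query name, server address and answer come from the lab.

```shell
# Added example (not from the lab guide). check_dig is a hypothetical helper:
# it reads dig output on stdin and succeeds only when the header status is
# NOERROR, the flags include aa, and the expected A record is in the answer.
# Live use: dig @10.100.0.110 lms.training.techblue.net | \
#             check_dig lms.training.techblue.net 203.0.113.99
check_dig() {
  awk -v name="$1." -v addr="$2" '
    /^;; ->>HEADER<<-/ { if ($0 ~ /status: NOERROR,/) ok_status = 1; next }
    /^;; flags:/ {
      sub(/^;; flags: */, ""); sub(/;.*/, "")   # keep only the flag list
      n = split($0, f, " ")
      for (i = 1; i <= n; i++) if (f[i] == "aa") ok_aa = 1
      next
    }
    # Record lines look like: owner TTL class type rdata
    !/^;/ && tolower($1) == tolower(name) && $4 == "A" && $5 == addr { ok_rr = 1 }
    END { exit !(ok_status && ok_aa && ok_rr) }
  '
}

# Constructed sample: answered from the transferred secondary zone (aa set).
sample_authoritative=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
lms.training.techblue.net. 3600 IN A 203.0.113.99'

# Constructed sample: same record but no aa flag, so not served as authoritative.
sample_not_authoritative=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
lms.training.techblue.net. 287 IN A 203.0.113.99'

# Constructed sample: SERVFAIL with no answer section.
sample_servfail=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

report() {  # print PASS/FAIL for one labelled sample
  if printf '%s\n' "$2" | check_dig lms.training.techblue.net 203.0.113.99
  then echo "$1: PASS"; else echo "$1: FAIL"; fi
}
report authoritative "$sample_authoritative"
report not_authoritative "$sample_not_authoritative"
report servfail "$sample_servfail"
```

A FAIL on a response that still carries the right address but lacks aa means the answer did not come from the server's own copy of the zone, which is the case the secondary zone is meant to avoid.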


