Creating a DNS Secondary Zone in Universal DDI (2576)

Scenario

The clients on your network need reliable access to the domain ddip.org, which is owned and operated by a training provider outside your organization. You could set up a forward zone, but local clients cannot resolve names in this domain during a network outage. For local survivability considerations, you decided to set up a secondary zone. You have contacted the administrators of ddip.org to allow zone transfer access. Now you need to complete the setup by creating a secondary zone on the Infoblox Portal and map the zone to your DNS servers.

Estimated Completion Time

• 15 to 20 minutes

Prerequisites

• Administrative access to the Infoblox Portal

• Permission to perform zone transfer from external primary DNS server

• Lab 2801: Deploying NIOS-X Servers

• Lab 2570: Configuring DHCP Services in Universal DDI

• Lab 2571: Creating DHCP Networks in Universal DDI

• Lab 2573: Configuring DNS Services in Universal DDI

• Lab 2574: Creating a DNS Primary Zone in Universal DDI

Course References

• BloxOne DDI: Configuring DNS Services

Tasks

1. Creating a DNS Server Group

2. Creating a Secondary Zone ddip.org

3. Validating the DNS zones and records from a client

Task 1: Creating a DNS Server Group

The administrators of ddip.org have granted zone transfer access by providing a TSIG key. The key is stored in a file named tsig_xfer_sha256.txt, located in the Shared Drive on the jump-desktop VM. They have also provided the IP address of their external primary name server: mimosa.techblue.io (45.120.106.133).

You will create an Authoritative DNS Server Group that includes this external server (mimiosa) and the provided TSIG key. This server group will later be used to configure a secondary zone for ddip.org.

Task 2: Creating a Secondary Zone ddip.org

Use the DNS Server Group created in Task 1 to create a secondary zone for ddip.org in the Infoblox Portal.

Task 3: Validating the DNS zone and records from a client

Verify that the zone transfer has completed successfully by confirming that clients can resolve records from the secondary zone. Use the testing-linux virtual machine to check for the A record of lms.ddip.org.

Solutions

Task 1 Solution: Creating a DNS Server Group

1. Log in to your lab’s jump-desktop

2. Use your Education Infoblox Portal Credentials to log into the Infoblox Portal

3. Navigate to Configure → Networking → DNS

4. Click the DNS Server Groups tab.

5. Click on the DNS view default

6. Click the Create button and select Authoritative DNS Server Group from the list.

   

7. In the Name field, enter: external-ns-group.

8. Under External Primary Servers, click Add and select External Primary.

9. Enter the following details:

   • Name: mimosa.techblue.io

   • Address: 45.120.106.133 (You can verify this using the command dig @8.8.8.8 mimosa.techblue.io. in the terminal)

10. Check the Use TSIG option and select New TSIG Key.

11. To retrieve the TSIG key details:

    1. On the Jump-Desktop VM, click the Start menu and open the Geany application (text editor).

    2. In Geany, navigate to File → Open, then browse to and open the file:
       /mnt/shared/tsig_xfer_sha256.txt

12. In the New TSIG Key section, fill in the following fields using the values from the file:

    1. Enter the Key Name as shown in the file

    2. Select the Algorithm from the dropdown to match the one listed

    3. Copy and paste the Secret exactly as provided in the file

       

13. Click Add

14. Under NIOS-X BloxOne Secondary DNS Servers, click the arrow next to both of your DNS service instances to move them to the list of Secondary DNS Servers

    

15. Click Save & Close
    

Task 2 Solution: Creating a Secondary Zone ddip.org

1. Navigate to Configure → Networking → DNS

2. Select the Zones tab

3. Click on the DNS view default

4. Click the Create button and select Secondary Zone from the list. This launches the Create Secondary Zone dialog window

   

5. For the Name field, enter ddip.org

6. Expand the DNS Server Groups section.

7. From the Available list, select external-ns-group, and then click the arrow to move it to the Selected column.

   

8. Click Save & Close

Task 3 Solution: Validating the DNS zone and records from a client

1. On testing-linux VM, open a Terminal window.

2. Set the IP address as a fixed address with the command sudo set-network-static-bloxone to allow a route to the DNS server. If prompted for a password, use infoblox.

3. Query the NIOS-X DNS server for the secondary zone we just configured with the following command:

   dig @10.100.0.110 lms.ddip.org. A

4. Check the dig response. It should return an Authoritative Answer (aa) with NOERROR. This confirms that the server 10.100.0.110 has a copy of the authoritative zone data.