Configure DNS SUB domain

The Domain Name System DNS has a tree structure or hierarchy, with each non-resource record node on the tree being a domain name. A subdomain is a domain that is part of larger domain, the only domain that is not also a subdomain is the root domain. For example sub1.zmailtech.com and sub2.zmailtech.com are subdomain of the zmailtech.com domain, which in turn is subdomain of the com top-level domain.

Main domain name : zmailtech.com

Main domain host ip : 192.168.10.2

Subdomain name : sub.zmailtech.com

Sub domain host ip : 192.168.10.40

 we have already create main domain in zmailtech.com in previous blog post. so here we are create and configure subdomain (sub1.zmailtech.com) domain in subdomain server.

# Add entry in main domain for resolve subdomain as like below.

[root@master ~]# vim /var/named/zmailtech.com.zone
[root@master ~]# cat /var/named/zmailtech.com.zone
$TTL 1D
@       IN SOA  ns1.zmailtech.com.      admin.zmailtech.com. (
                                        2018021002      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN      NS      ns1.zmailtech.com.
ns1     IN      A       192.168.10.2
master  IN      A       192.168.10.2
slave   IN      A       192.168.10.20

mail    IN      A       192.168.10.2
web     IN      A       192.168.10.2
web1    IN      A       192.168.10.2

;CNAME Record
www     IN      CNAME   master.zmailtech.com.
ftp     IN      CNAME   master.zmailtech.com.
smtp    IN      CNAME   master.zmailtech.com.

;MX Record
zmailtech.com.  IN      MX      10      mail.zmailtech.com.
zmailtech.com.  IN      MX      20      smtp.zmailtech.com.

;spf recrod
zmailtech.com.  IN      TXT     "v=spf1 a:192.168.10.2 mx:mail.zmailtech.com ptr:master.zmailtech.com -all"

;srv record
_web._tcp.zmailtech.com.   3600 IN    SRV 10       60     80 web.zmailtech.com.
_web._tcp.zmailtech.com.   3600 IN    SRV 10       20     80 web1.zmailtech.com.

;sub domain
sub1.zmailtech.com.     IN      NS      ns1.sub1.zmailtech.com.
ns1.sub1.zmailtech.com. IN      A       192.168.10.40
[root@master ~]#

Check subdomain with dig command

[root@master ~]# dig ns1.sub1.zmailtech.com

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> ns1.sub1.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59020
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.sub1.zmailtech.com.                IN      A

;; AUTHORITY SECTION:
sub1.zmailtech.com.     86400   IN      NS      ns1.sub1.zmailtech.com.

;; ADDITIONAL SECTION:
ns1.sub1.zmailtech.com. 86400   IN      A       192.168.10.40

;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Sun Feb 18 16:03:51 IST 2018
;; MSG SIZE  rcvd: 81

[root@master ~]#

Now configure subdomain server 192.168.10.40 
#install bind and bind-utils in server

[root@sub1 ~]# yum install bind bind-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.9.4-50.el7 will be installed
--> Processing Dependency: bind-libs = 32:9.9.4-50.el7 for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: liblwres.so.90()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libisccfg.so.90()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libisccc.so.90()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libisc.so.95()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libdns.so.100()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libbind9.so.90()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
---> Package bind-utils.x86_64 32:9.9.4-50.el7 will be installed
--> Running transaction check
---> Package bind-libs.x86_64 32:9.9.4-50.el7 will be installed
--> Finished Dependency Resolution
....
...
Output omitted
...
....
Running transaction
  Installing : 32:bind-libs-9.9.4-50.el7.x86_64
  Installing : 32:bind-9.9.4-50.el7.x86_64
  Installing : 32:bind-utils-9.9.4-50.el7.x86_64
  Verifying  : 32:bind-9.9.4-50.el7.x86_64
  Verifying  : 32:bind-libs-9.9.4-50.el7.x86_64
  Verifying  : 32:bind-utils-9.9.4-50.el7.x86_64

Installed:
  bind.x86_64 32:9.9.4-50.el7

Dependency Installed:
  bind-libs.x86_64 32:9.9.4-50.el7

Complete!
[root@sub1 ~]#


# start named service

[root@sub1 ~]# systemctl start named

# configure /etc/named.conf file in subdomain server.

[root@sub1 ~]# vim /etc/named.conf
[root@sub1 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; 192.168.10.40; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

//      dnssec-enable yes;
//      dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

//      managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "sub1.zmailtech.com" IN {
        type master;
        file "sub1.zmailtech.com.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[root@sub1 ~]#

# Create forward zone file /var/named/sub1.zmailtech.com.zone in subdomain server.

[root@sub1 ~]# cat /var/named/sub1.zmailtech.com.zone
$TTL 1D
@       IN SOA  sub1.zmailtech.com.     root.sub1.zmailtech.com. (
                                        2018021701      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN      NS      ns1.sub1.zmailtech.com.
        IN      A       192.168.10.40

ns1     IN      A       192.168.10.40
sub40   IN      A       192.168.10.40
[root@sub1 ~]#

# Change group own on /var/named/sub1.zmailtech.com.zone file 

[root@sub1 ~]# chgrp named /var/named/sub1.zmailtech.com.zone

# restart named service on subdomain server.

[root@sub1 ~]# systemctl restart named


# Check A record entry in master server.

[root@master ~]# dig sub40.sub1.zmailtech.com

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> sub40.sub1.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60733
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sub40.sub1.zmailtech.com.      IN      A

;; AUTHORITY SECTION:
sub1.zmailtech.com.     86400   IN      NS      ns1.sub1.zmailtech.com.

;; ADDITIONAL SECTION:
ns1.sub1.zmailtech.com. 86400   IN      A       192.168.10.40

;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Sun Feb 18 16:36:23 IST 2018
;; MSG SIZE  rcvd: 87

[root@master ~]#

Configure TSIG in DNS

Transaction Signatures (TSIG) provide a secure method for communicating from a primary to a secondary Domain Name server (DNS). It is a simple and effective method for organizations to enhance their security. TSIG is not a requirement and many organizations choose to specify IP address-based permissions between DNS name servers. However, as the DNS is increasingly targeted by bad actors on the Internet, TSIG is a recommended design consideration.

# Create TSIG in DNS master server via dnssec-keygen command.

[root@master ~]# dnssec-keygen -a hmac-md5 -b 128 -n USER master
Kmaster.+157+64468
[root@master ~]# 

[root@master ~]# ls -l
total 12
-rw-------. 1 root root 1267 Dec 24 22:54 anaconda-ks.cfg
-rw-------. 1 root root   48 Feb 18 11:10 Kmaster.+157+64468.key
-rw-------. 1 root root  165 Feb 18 11:10 Kmaster.+157+64468.private
[root@master ~]#
 
# Check TSIG Key file 

[root@master ~]# cat Kmaster.+157+64468.key
master. IN KEY 0 3 157 rq1lO2vG1/9xT1R+k79G+w==
[root@master ~]#

# add TSIG key in /etc/named.conf file in master server.

[root@master ~]# vim /etc/named.conf
[root@master ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; 192.168.10.2; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };
        allow-transfer     { localhost; 192.168.10.20; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion no;

//      dnssec-enable yes;
//      dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

key master. {
        algorithm hmac-md5;
        secret "rq1lO2vG1/9xT1R+k79G+w==";
};
zone "." IN {
        type hint;
        file "named.ca";
};

zone "zmailtech.com" IN {
        type master;
        file "zmailtech.com.zone";
//      allow-update { any; };
        allow-update { key master.; };
};

zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "10.168.192.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[root@master ~]#

# restart named service in master server.
  
[root@master ~]# systemctl restart named
 





# Add TSIG Key in Slave server /etc/named.conf file.
 
[root@slave ~]# vim /etc/named.conf
[root@slave ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; 192.168.10.20; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion no;

//      dnssec-enable yes;
//      dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

key master. {
        algorithm hmac-md5;
        secret "rq1lO2vG1/9xT1R+k79G+w==";
};

server 192.168.10.2 {
        keys { master.; };
};zone "." IN {
        type hint;
        file "named.ca";
};

zone "zmailtech.com" IN {
        type slave;
        masters { 192.168.10.2; };
        file "slaves/zmailtech.com";
};

zone "10.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.10.2; };
        file "slaves/10.168.192.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[root@slave ~]#


# restart named service in slave server.

[root@slave ~]# systemctl restart named

# check Record of server15.zmailtech.com (not excited) on master server as well as slave server.
 
[root@master ~]# dig server15.zmailtech.com
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> server15.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51210
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server15.zmailtech.com.                IN      A

;; AUTHORITY SECTION:
zmailtech.com.          10800   IN      SOA     ns1.zmailtech.com. admin.zmailtech.com. 2018021002 86400 3600 604800 10800

;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Sun Feb 18 11:28:57 IST 2018
;; MSG SIZE  rcvd: 97

[root@master ~]#


# add server15.zmailtech.com  A record via nsupdate command in master server.
 
[root@master ~]# nsupdate -v
> server 192.168.10.2
> zone zmailtech.com
> key master. rq1lO2vG1/9xT1R+k79G+w==
> update add server15.zmailtech.com. 3600 IN A 192.168.10.15
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;zmailtech.com.                 IN      SOA

;; UPDATE SECTION:
server15.zmailtech.com. 3600    IN      A       192.168.10.15

> send
> quit
[root@master ~]#


# Check server15.zmailtech.com A record in master server.

[root@master ~]# dig server15.zmailtech.com

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> server15.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34698
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server15.zmailtech.com.                IN      A

;; ANSWER SECTION:
server15.zmailtech.com. 3600    IN      A       192.168.10.15

;; AUTHORITY SECTION:
zmailtech.com.          86400   IN      NS      ns1.zmailtech.com.

;; ADDITIONAL SECTION:
ns1.zmailtech.com.      86400   IN      A       192.168.10.2

;; Query time: 1 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Sun Feb 18 15:06:45 IST 2018
;; MSG SIZE  rcvd: 101

[root@master ~]# 

 # Check server15.zmailtech.com A record in slave server.

[root@slave ~]# dig server15.zmailtech.com

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> server15.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56647
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server15.zmailtech.com.                IN      A

;; ANSWER SECTION:
server15.zmailtech.com. 3600    IN      A       192.168.10.15

;; AUTHORITY SECTION:
zmailtech.com.          86400   IN      NS      ns1.zmailtech.com.

;; ADDITIONAL SECTION:
ns1.zmailtech.com.      86400   IN      A       192.168.10.2

;; Query time: 0 msec
;; SERVER: 192.168.10.20#53(192.168.10.20)
;; WHEN: Sun Feb 18 15:06:11 IST 2018
;; MSG SIZE  rcvd: 101

[root@slave ~]#

Configure Dynamic Bind DNS with nsupdate

Dynamic Update is a method for adding, replacing or deleting records in a master server by sending 

it a special form of DNS messages.The format and meaning of these messages is specified in RFC 2136.

Dynamic update is enabled by including an allow-update or an update-policy clause in the zone statement. 

If the zone's update-policy is set to local, updates to the zone will be permitted for the key local-ddns,

which will be generated by named at startup. 

Dynamic updates using Kerberos signed requests can be made using the TKEY/GSS protocol by 

setting either the tkey-gssapi-keytab option, or alternatively by setting both the tkey-gssapi-credential

and tkey-domain options. Once enabled, Kerberos signed requests will be matched against the update

policies for the zone, using the Kerberos principal as the signer for the request. 

Updating of secure zones (zones using DNSSEC) follows RFC 3007: RRSIG, NSEC and NSEC3 records 

affected by updates are automatically regenerated by the server using an online zone key. Update 

authorization is based on transaction signatures and an explicit server policy. 

Edit /etc/named.conf file in forward zone allow-udpate { any; }; for dynamic DNS

zone "example.com" IN {

                type master;

                file "zmailtech.com.zone";

                                allow-update { any; };

        };

It is not good configuration, it should be allowed from one or two authorized computer only.

(Later you will know how to encrypt and protect it with TSIG).

Some thing like allow-update { 192.168.10.xx; };

[root@master ~]# vim /etc/named.conf
[root@master ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; 192.168.10.2; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };
        allow-transfer     { localhost; 192.168.10.20; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion no;

//      dnssec-enable yes;
//      dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

//      managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "zmailtech.com" IN {
        type master;
        file "zmailtech.com.zone";
        allow-update { any; };
};

zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "10.168.192.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@master ~]#

now add A record with nsupdate command. 

[root@master ~]# nsupdate -v
> server 192.168.10.2
> zone zmailtech.com
> update add server12.zmailtech.com. 3600 IN A 192.168.10.12
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;zmailtech.com.                 IN      SOA

;; UPDATE SECTION:
server12.zmailtech.com. 3600    IN      A       192.168.10.12

> send
> quit
[root@master ~]#

check server12.zmailtech.com A record with dig command. 

[root@master ~]# dig server12.zmailtech.com

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> server12.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20726
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server12.zmailtech.com.                IN      A

;; ANSWER SECTION:
server12.zmailtech.com. 3600    IN      A       192.168.10.12

;; AUTHORITY SECTION:
zmailtech.com.          86400   IN      NS      ns1.zmailtech.com.

;; ADDITIONAL SECTION:
ns1.zmailtech.com.      86400   IN      A       192.168.10.2

;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Sun Feb 18 12:39:59 IST 2018
;; MSG SIZE  rcvd: 101

[root@master named]#

now Delete A record with nsupdate command. 


[root@master ~]# nsupdate -v
> server 192.168.10.2
> zone zmailtech.com
> update delete server14.zmailtech.com
> send
> quit
[root@master ~]#

now check server14.zmailtech.com with dig command.


[root@master ~]# dig server14.zmailtech.com

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> server14.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1243
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server14.zmailtech.com.                IN      A

;; AUTHORITY SECTION:
zmailtech.com.          10800   IN      SOA     ns1.zmailtech.com. admin.zmailtech.com. 2018021005 86400 3600 604800 10800

;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Sun Feb 18 13:15:16 IST 2018
;; MSG SIZE  rcvd: 97

[root@master ~]#

Configure SRV recorde

An SRV record is intended to provide information on available services for your systems, most commonly used with SIP configuration. SRV records have a unique system for naming. The naming system is an underscore followed by the name of the service, followed by a period, and underscore, and then the protocol, another dot, and then the name of the domain

SRV records are often used to help with service discovery. For example, SRV records are used in Internet Telephony for defining where a SIP service may be found.

An SRV record typically defines a symbolic name and the transport protocol used as part of the domain name, and defines the priority, weight, port and target for the service in the record content.


Here is an example of two SRV records. 

_web._tcp.zmailtech.com.   3600 IN    SRV 10       60     80 web.zmailtech.com.

_web._tcp.zmailtech.com.   3600 IN    SRV 10       20     80 web1.zmailtech.com.

From the name, _web is the symbolic name for the service and _tcp is the transport protocol. Note that the symbolic name and transport always start with an underscore. 

The content of the SRV record defines a priority of 10 for both records. The first record has a weight of 60 and the second a weight of 20. The priority and weight values can be used to encourage use of certain servers over others.

The final two values in the record define the port and hostname to connect to for accessing the service.

Edit srv record in local dns service forward zone file. 

[root@master ~]# vim /var/named/zmailtech.com.zone
[root@master ~]# cat /var/named/zmailtech.com.zone
$TTL 1D
@       IN SOA  ns1.zmailtech.com.      admin.zmailtech.com. (
                                        2018021002      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN      NS      ns1.zmailtech.com.
ns1     IN      A       192.168.10.2
master  IN      A       192.168.10.2
mail    IN      A       192.168.10.2
web     IN      A       192.168.10.2
web1    IN      A       192.168.10.2

;CNAME Record
www     IN      CNAME   master.zmailtech.com.
ftp     IN      CNAME   master.zmailtech.com.
smtp    IN      CNAME   master.zmailtech.com.

;MX Record
zmailtech.com.  IN      MX      10      mail.zmailtech.com.
zmailtech.com.  IN      MX      20      smtp.zmailtech.com.

;spf recrod
zmailtech.com.  IN      TXT     "v=spf1 a:192.168.10.2 mx:mail.zmailtech.com ptr:master.zmailtech.com -all"

;srv record
_web._tcp.zmailtech.com.   3600 IN    SRV 10       60     80 web.zmailtech.com.
_web._tcp.zmailtech.com.   3600 IN    SRV 10       20     80 web1.zmailtech.com.
[root@master ~]#

Restart named service after add srv record in forward zone file.

[root@master ~]# systemctl restart named 

Check SRV Record with dig command 
 
[root@master ~]# dig -t SRV _web._tcp.zmailtech.com
 
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -t SRV _web._tcp.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34416
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_web._tcp.zmailtech.com.       IN      SRV

;; ANSWER SECTION:
_web._tcp.zmailtech.com. 3600   IN      SRV     10 20 80 web1.zmailtech.com.
_web._tcp.zmailtech.com. 3600   IN      SRV     10 60 80 web.zmailtech.com.

;; AUTHORITY SECTION:
zmailtech.com.          86400   IN      NS      ns1.zmailtech.com.

;; ADDITIONAL SECTION:
web.zmailtech.com.      86400   IN      A       192.168.10.2
web1.zmailtech.com.     86400   IN      A       192.168.10.2
ns1.zmailtech.com.      86400   IN      A       192.168.10.2

;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Sun Feb 11 16:35:43 IST 2018
;; MSG SIZE  rcvd: 193
 
[root@master ~]#