红帽全球峰会5.2. Installing RHEL with eDNS enabled from a local installation media
Install RHEL with encrypted DNS (eDNS) enabled directly from local media using an enforce policy. This helps ensure that all DNS queries remain private and secure during and after the installation process.
If you require a custom CA certificate bundle, you must install it by using the %certificate section in the Kickstart file.
During the installation, you must provide both the RHEL installation content and the Kickstart file from local media. You cannot download the Kickstart file from a remote HTTP server because the installation program requires to use DNS to resolve the server’s hostname. If your environment is configured to support a fallback to unencrypted DNS, you can perform a standard RHEL installation and configure eDNS afterwards.
Prerequisites
-
Commands that start with the
#command prompt require administrative privileges provided bysudoor root user access. For information on how to configuresudoaccess, see Enabling unprivileged users to run certain commands. - You have the RHEL installation media available locally.
-
If you require a custom CA bundle, have your Kickstart file with a
%certificatesection available locally.
Procedure
Optional: Create a Kickstart file with a
%certificatesection. Ensure the certificate is saved in a file namedtls-ca-bundle.pem.%certificate --dir /etc/pki/dns/extracted/pem/ --filename tls-ca-bundle.pem -----BEGIN CERTIFICATE----- <Base64-encoded_certificate_content> -----END CERTIFICATE----- %end- Prepare your bootable installation media, and include the Kickstart file if you need a custom CA bundle.
- Boot the installation media.
-
From the boot menu window, select the required option and press the
ekey to edit the boot parameters. Add the eDNS kernel arguments:
linux ($root)/vmlinuz-6.12.0-0.el10_0.x86_64 root=/dev/mapper/rhel-root ro crashkernel=2G-64G:256M,64G-:512M resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet emergency ip=dhcp rd.net.dns=dns+tls://<server_ip>#<dns_server_hostname> rd.net.dns-resolve-mode=exclusive rd.net.dns-backend=dnsconfd inst.ks=hd:/dev/sdb1/mykickstart.ks-
When you finish editing, press
Ctrl+Xto start the installation using the specified options.
Verification
Verify your eDNS configuration:
$ dnsconfd statusExpected output:
Running cache service: unbound Resolving mode: exclusive Config present in service: { ".": [ "dns+tls://198.51.100.143#dot.dns.example.com" ] } State of Dnsconfd: RUNNING Info about servers: [ { "address": "198.51.100.143", "port": 853, "name": "dot.dns.example.com", "routing_domains": [ "." ], "search_domains": [], "interface": null, "protocol": "dns+tls", "dnssec": true, "networks": [], "firewall_zone": null } ]Verify that DNS server is responsive by using
nslookup:$ nslookup <domain_name>Replace the
<domain_name>with the domain that you want to query.
Troubleshooting
Enable detailed logging in
unbound:# unbound-control verbosity 5Review logs for the relevant service:
$ journalctl -xe -u <service_name>Replace
<service_name>withNetworkManager,dnsconfd, orunbound.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}