version 1.1, 2013/03/09 00:15:25
|
version 1.2, 2013/03/10 09:58:15
|
Line 1
|
Line 1
|
# The Domain Name System |
# The Domain Name System |
|
|
Use of the Domain Name System has been discussed in previous chapters, without |
Use of the Domain Name System has been discussed in previous chapters, without |
going into detail on the setup of the server providing the service. This chapter |
going into detail on the setup of the server providing the service. This chapter |
describes setting up a simple, small domain with one Domain Name System (DNS) |
describes setting up a simple, small domain with one Domain Name System (DNS) |
nameserver on a NetBSD system. It includes a brief explanation and overview of |
nameserver on a NetBSD system. It includes a brief explanation and overview of |
the DNS; further information can be obtained from the DNS Resources Directory |
the DNS; further information can be obtained from the DNS Resources Directory |
(DNSRD) at [http://www.dns.net/dnsrd/](http://www.dns.net/dnsrd/). |
(DNSRD) at [http://www.dns.net/dnsrd/](http://www.dns.net/dnsrd/). |
|
|
## DNS Background and Concepts |
## DNS Background and Concepts |
|
|
The DNS is a widely used *naming service* on the Internet and other TCP/IP |
The DNS is a widely used *naming service* on the Internet and other TCP/IP |
networks. The network protocols, data and file formats, and other aspects of the |
networks. The network protocols, data and file formats, and other aspects of the |
DNS are Internet Standards, specified in a number of RFC documents, and |
DNS are Internet Standards, specified in a number of RFC documents, and |
described by a number of other reference and tutorial works. The DNS has a |
described by a number of other reference and tutorial works. The DNS has a |
distributed, client-server architecture. There are reference implementations for |
distributed, client-server architecture. There are reference implementations for |
the server and client, but these are not part of the standard. There are a |
the server and client, but these are not part of the standard. There are a |
number of additional implementations available for many platforms. |
number of additional implementations available for many platforms. |
|
|
### Naming Services |
### Naming Services |
|
|
Naming services are used to provide a mapping between textual names and |
Naming services are used to provide a mapping between textual names and |
configuration data of some form. A *nameserver* maintains this mapping, and |
configuration data of some form. A *nameserver* maintains this mapping, and |
clients request the nameserver to *resolve* a name into its attached data. |
clients request the nameserver to *resolve* a name into its attached data. |
|
|
The reader should have a good understanding of basic hosts to IP address mapping |
The reader should have a good understanding of basic hosts to IP address mapping |
and IP address class specifications, see |
and IP address class specifications, see |
[[Name Service Concepts|guide/net-intro#nsconcepts]]. |
[[Name Service Concepts|guide/net-intro#nsconcepts]]. |
|
|
In the case of the DNS, the configuration data bound to a name is in the form of |
In the case of the DNS, the configuration data bound to a name is in the form of |
standard *Resource Records* (RRs). These textual names conform to certain |
standard *Resource Records* (RRs). These textual names conform to certain |
structural conventions. |
structural conventions. |
|
|
### The DNS namespace |
### The DNS namespace |
|
|
The DNS presents a hierarchical name space, much like a UNIX filesystem, |
The DNS presents a hierarchical name space, much like a UNIX filesystem, |
pictured as an inverted tree with the *root* at the top. |
pictured as an inverted tree with the *root* at the top. |
|
|
TOP-LEVEL .org |
TOP-LEVEL .org |
| |
| |
MID-LEVEL .diverge.org |
MID-LEVEL .diverge.org |
______________________|________________________ |
______________________|________________________ |
| | | |
| | | |
BOTTOM-LEVEL strider.diverge.org samwise.diverge.org wormtongue.diverge.org |
BOTTOM-LEVEL strider.diverge.org samwise.diverge.org wormtongue.diverge.org |
|
|
The system can also be logically divided even further if one wishes at different |
The system can also be logically divided even further if one wishes at different |
points. The example shown above shows three nodes on the diverge.org domain, but |
points. The example shown above shows three nodes on the diverge.org domain, but |
we could even divide diverge.org into subdomains such as |
we could even divide diverge.org into subdomains such as |
"strider.net1.diverge.org", "samwise.net2.diverge.org" and |
"strider.net1.diverge.org", "samwise.net2.diverge.org" and |
"wormtongue.net2.diverge.org"; in this case, 2 nodes reside in |
"wormtongue.net2.diverge.org"; in this case, 2 nodes reside in |
"net2.diverge.org" and one in "net1.diverge.org". |
"net2.diverge.org" and one in "net1.diverge.org". |
|
|
There are directories of names, some of which may be sub-directories of further |
There are directories of names, some of which may be sub-directories of further |
names. These directories are sometimes called *zones*. There is provision for |
names. These directories are sometimes called *zones*. There is provision for |
symbolic links, redirecting requests for information on one name to the records |
symbolic links, redirecting requests for information on one name to the records |
bound to another name. Each name recognised by the DNS is called a *Domain |
bound to another name. Each name recognised by the DNS is called a *Domain |
Name*, whether it represents information about a specific host, or a directory |
Name*, whether it represents information about a specific host, or a directory |
of subordinate Domain Names (or both, or something else). |
of subordinate Domain Names (or both, or something else). |
|
|
Unlike most filesystem naming schemes, however, Domain Names are written with |
Unlike most filesystem naming schemes, however, Domain Names are written with |
the innermost name on the left, and progressively higher-level domains to the |
the innermost name on the left, and progressively higher-level domains to the |
right, all the way up to the root directory if necessary. The separator used |
right, all the way up to the root directory if necessary. The separator used |
when writing Domain Names is a period, ".". |
when writing Domain Names is a period, ".". |
|
|
Like filesystem pathnames, Domain Names can be written in an absolute or |
Like filesystem pathnames, Domain Names can be written in an absolute or |
relative manner, though there are some differences in detail. For instance, |
relative manner, though there are some differences in detail. For instance, |
there is no way to indirectly refer to the parent domain like with the UNIX `..` |
there is no way to indirectly refer to the parent domain like with the UNIX `..` |
directory. Many (but not all) resolvers offer a search path facility, so that |
directory. Many (but not all) resolvers offer a search path facility, so that |
partially-specified names can be resolved relative to additional listed |
partially-specified names can be resolved relative to additional listed |
sub-domains other than the client's own domain. Names that are completely |
sub-domains other than the client's own domain. Names that are completely |
specified all the way to the root are called *Fully Qualified Domain Names* or |
specified all the way to the root are called *Fully Qualified Domain Names* or |
*FQDN*s. A defining characteristic of an FQDN is that it is written with a |
*FQDN*s. A defining characteristic of an FQDN is that it is written with a |
terminating period. The same name, without the terminating period, may be |
terminating period. The same name, without the terminating period, may be |
considered relative to some other sub-domain. It is rare for this to occur |
considered relative to some other sub-domain. It is rare for this to occur |
without malicious intent, but in part because of this possibility, FQDNs are |
without malicious intent, but in part because of this possibility, FQDNs are |
required as configuration parameters in some circumstances. |
required as configuration parameters in some circumstances. |
|
|
On the Internet, there are some established conventions for the names of the |
On the Internet, there are some established conventions for the names of the |
first few levels of the tree, at which point the hierarchy reaches the level of |
first few levels of the tree, at which point the hierarchy reaches the level of |
an individual organisation. This organisation is responsible for establishing |
an individual organisation. This organisation is responsible for establishing |
and maintaining conventions further down the tree, within its own domain. |
and maintaining conventions further down the tree, within its own domain. |
|
|
### Resource Records |
### Resource Records |
|
|
Resource Records for a domain are stored in a standardised format in an ASCII |
Resource Records for a domain are stored in a standardised format in an ASCII |
text file, often called a *zone file*. The following Resource Records are |
text file, often called a *zone file*. The following Resource Records are |
commonly used (a number of others are defined but not often used, or no longer |
commonly used (a number of others are defined but not often used, or no longer |
used). In some cases, there may be multiple RR types associated with a name, and |
used). In some cases, there may be multiple RR types associated with a name, and |
even multiple records of the same type. |
even multiple records of the same type. |
|
|
#### Common DNS Resource Records |
#### Common DNS Resource Records |
|
|
* *A: Address* -- This record contains the numerical IP address associated with |
* *A: Address* -- This record contains the numerical IP address associated with |
the name. |
the name. |
|
|
* *CNAME: Canonical Name* -- This record contains the Canonical Name (an FQDN |
* *CNAME: Canonical Name* -- This record contains the Canonical Name (an FQDN |
with an associated A record) of the host name to which this record is bound. |
with an associated A record) of the host name to which this record is bound. |
This record type is used to provide name aliasing, by providing a link to |
This record type is used to provide name aliasing, by providing a link to |
another name with which other appropriate RR's are associated. If a name has |
another name with which other appropriate RR's are associated. If a name has |
a CNAME record bound to it, it is an alias, and no other RR's are permitted |
a CNAME record bound to it, it is an alias, and no other RR's are permitted |
to be bound to the same name. |
to be bound to the same name. |
|
|
It is common for these records to be used to point to hosts providing a |
It is common for these records to be used to point to hosts providing a |
particular service, such as an FTP or HTTP server. If the service must be |
particular service, such as an FTP or HTTP server. If the service must be |
moved to another host, the alias can be changed, and the same name will reach |
moved to another host, the alias can be changed, and the same name will reach |
the new host. |
the new host. |
|
|
* *PTR: Pointer* -- This record contains a textual name. These records are |
* *PTR: Pointer* -- This record contains a textual name. These records are |
bound to names built in a special way from numerical IP addresses, and are |
bound to names built in a special way from numerical IP addresses, and are |
used to provide a reverse mapping from an IP address to a textual name. This |
used to provide a reverse mapping from an IP address to a textual name. This |
is described in more detail in [[Reverse Resolution|guide/dns#bg-reverse]]. |
is described in more detail in [[Reverse Resolution|guide/dns#bg-reverse]]. |
|
|
* *NS: Name Server* -- This record type is used to *delegate* a sub-tree of the |
* *NS: Name Server* -- This record type is used to *delegate* a sub-tree of the |
Domain Name space to another nameserver. The record contains the FQDN of a |
Domain Name space to another nameserver. The record contains the FQDN of a |
DNS nameserver with information on the sub-domain, and is bound to the name |
DNS nameserver with information on the sub-domain, and is bound to the name |
of the sub-domain. In this manner, the hierarchical structure of the DNS is |
of the sub-domain. In this manner, the hierarchical structure of the DNS is |
established. Delegation is described in more detail in |
established. Delegation is described in more detail in |
[[Delegation|guide/dns#bg-delegation]]. |
[[Delegation|guide/dns#bg-delegation]]. |
|
|
* *MX: Mail eXchange* -- This record contains the FQDN for a host that will |
* *MX: Mail eXchange* -- This record contains the FQDN for a host that will |
accept SMTP electronic mail for the named domain, together with a priority |
accept SMTP electronic mail for the named domain, together with a priority |
value used to select an MX host when relaying mail. It is used to indicate |
value used to select an MX host when relaying mail. It is used to indicate |
other servers that are willing to receive and spool mail for the domain if |
other servers that are willing to receive and spool mail for the domain if |
the primary MX is unreachable for a time. It is also used to direct email to |
the primary MX is unreachable for a time. It is also used to direct email to |
a central server, if desired, rather than to each and every individual |
a central server, if desired, rather than to each and every individual |
workstation. |
workstation. |
|
|
* *HINFO: Host Information* -- Contains two strings, intended for use to |
* *HINFO: Host Information* -- Contains two strings, intended for use to |
describe the host hardware and operating system platform. There are defined |
describe the host hardware and operating system platform. There are defined |
strings to use for some systems, but their use is not enforced. Some sites, |
strings to use for some systems, but their use is not enforced. Some sites, |
because of security considerations, do not publicise this information. |
because of security considerations, do not publicise this information. |
|
|
* *TXT: Text* -- A free-form text field, sometimes used as a comment field, |
* *TXT: Text* -- A free-form text field, sometimes used as a comment field, |
sometimes overlaid with site-specific additional meaning to be interpreted by |
sometimes overlaid with site-specific additional meaning to be interpreted by |
local conventions. |
local conventions. |
|
|
* *SOA: Start of Authority* -- This record is required to appear for each zone |
* *SOA: Start of Authority* -- This record is required to appear for each zone |
file. It lists the primary nameserver and the email address of the person |
file. It lists the primary nameserver and the email address of the person |
responsible for the domain, together with default values for a number of |
responsible for the domain, together with default values for a number of |
fields associated with maintaining consistency across multiple servers and |
fields associated with maintaining consistency across multiple servers and |
caching of the results of DNS queries. |
caching of the results of DNS queries. |
|
|
### Delegation |
### Delegation |
|
|
Using NS records, authority for portions of the DNS namespace below a certain |
Using NS records, authority for portions of the DNS namespace below a certain |
point in the tree can be delegated, and further sub-parts below that delegated |
point in the tree can be delegated, and further sub-parts below that delegated |
again. It is at this point that the distinction between a domain and a zone |
again. It is at this point that the distinction between a domain and a zone |
becomes important. Any name in the DNS is called a domain, and the term applies |
becomes important. Any name in the DNS is called a domain, and the term applies |
to that name and to any subordinate names below that one in the tree. The |
to that name and to any subordinate names below that one in the tree. The |
boundaries of a zone are narrower, and are defined by delegations. A zone starts |
boundaries of a zone are narrower, and are defined by delegations. A zone starts |
with a delegation (or at the root), and encompasses all names in the domain |
with a delegation (or at the root), and encompasses all names in the domain |
below that point, excluding names below any subsequent delegations. |
below that point, excluding names below any subsequent delegations. |
|
|
This distinction is important for implementation - a zone is a single |
This distinction is important for implementation - a zone is a single |
administrative entity (with a single SOA record), and all data for the zone is |
administrative entity (with a single SOA record), and all data for the zone is |
referred to by a single file, called a *zone file*. A zone file may contain more |
referred to by a single file, called a *zone file*. A zone file may contain more |
than one period-separated level of the namespace tree, if desired, by including |
than one period-separated level of the namespace tree, if desired, by including |
periods in the names in that zone file. In order to simplify administration and |
periods in the names in that zone file. In order to simplify administration and |
prevent overly-large zone files, it is quite legal for a DNS server to delegate |
prevent overly-large zone files, it is quite legal for a DNS server to delegate |
to itself, splitting the domain into several zones kept on the same server. |
to itself, splitting the domain into several zones kept on the same server. |
|
|
### Delegation to multiple servers |
### Delegation to multiple servers |
|
|
For redundancy, it is common (and often administratively required) that there be |
For redundancy, it is common (and often administratively required) that there be |
more than one nameserver providing information on a zone. It is also common that |
more than one nameserver providing information on a zone. It is also common that |
at least one of these servers be located at some distance (in terms of network |
at least one of these servers be located at some distance (in terms of network |
topology) from the others, so that knowledge of that zone does not become |
topology) from the others, so that knowledge of that zone does not become |
unavailable in case of connectivity failure. Each nameserver will be listed in |
unavailable in case of connectivity failure. Each nameserver will be listed in |
an NS record bound to the name of the zone, stored in the parent zone on the |
an NS record bound to the name of the zone, stored in the parent zone on the |
server responsible for the parent domain. In this way, those searching the name |
server responsible for the parent domain. In this way, those searching the name |
hierarchy from the top down can contact any one of the servers to continue |
hierarchy from the top down can contact any one of the servers to continue |
narrowing their search. This is occasionally called *walking the tree*. |
narrowing their search. This is occasionally called *walking the tree*. |
|
|
There are a number of nameservers on the Internet which are called *root |
There are a number of nameservers on the Internet which are called *root |
nameservers*. These servers provide information on the very top levels of the |
nameservers*. These servers provide information on the very top levels of the |
domain namespace tree. These servers are special in that their addresses must be |
domain namespace tree. These servers are special in that their addresses must be |
pre-configured into nameservers as a place to start finding other servers. |
pre-configured into nameservers as a place to start finding other servers. |
Isolated networks that cannot access these servers may need to provide their own |
Isolated networks that cannot access these servers may need to provide their own |
root nameservers. |
root nameservers. |
|
|
### Secondaries, Caching, and the SOA record |
### Secondaries, Caching, and the SOA record |
|
|
In order to maintain consistency between these servers, one is usually |
In order to maintain consistency between these servers, one is usually |
configured as the *primary* server, and all administrative changes are made on |
configured as the *primary* server, and all administrative changes are made on |
this server. The other servers are configured as *secondaries*, and transfer the |
this server. The other servers are configured as *secondaries*, and transfer the |
contents of the zone from the primary. This operational model is not required, |
contents of the zone from the primary. This operational model is not required, |
and if external considerations require it, multiple primaries can be used |
and if external considerations require it, multiple primaries can be used |
instead, but consistency must then be maintained by other means. DNS servers |
instead, but consistency must then be maintained by other means. DNS servers |
that store Resource Records for a zone, whether they be primary or secondary |
that store Resource Records for a zone, whether they be primary or secondary |
servers, are said to be *authoritative* for the zone. A DNS server can be |
servers, are said to be *authoritative* for the zone. A DNS server can be |
authoritative for several zones. |
authoritative for several zones. |
|
|
When nameservers receive responses to queries, they can *cache* the results. |
When nameservers receive responses to queries, they can *cache* the results. |
This has a significant beneficial impact on the speed of queries, the query load |
This has a significant beneficial impact on the speed of queries, the query load |
on high-level nameservers, and network utilisation. It is also a major |
on high-level nameservers, and network utilisation. It is also a major |
contributor to the memory usage of the nameserver process. |
contributor to the memory usage of the nameserver process. |
|
|
There are a number of parameters that are important to maintaining consistency |
There are a number of parameters that are important to maintaining consistency |
amongst the secondaries and caches. The values for these parameters for a |
amongst the secondaries and caches. The values for these parameters for a |
particular domain zone file are stored in the SOA record. These fields are: |
particular domain zone file are stored in the SOA record. These fields are: |
|
|
#### Fields of the SOA Record |
#### Fields of the SOA Record |
|
|
* *Serial* -- A serial number for the zone file. This should be incremented any |
* *Serial* -- A serial number for the zone file. This should be incremented any |
time the data in the domain is changed. When a secondary wants to check if |
time the data in the domain is changed. When a secondary wants to check if |
its data is up-to-date, it checks the serial number on the primary's SOA |
its data is up-to-date, it checks the serial number on the primary's SOA |
record. |
record. |
|
|
* *Refresh* -- A time, in seconds, specifying how often the secondary should |
* *Refresh* -- A time, in seconds, specifying how often the secondary should |
check the serial number on the primary, and start a new transfer if the |
check the serial number on the primary, and start a new transfer if the |
primary has newer data. |
primary has newer data. |
|
|
* *Retry* -- If a secondary fails to connect to the primary when the refresh |
* *Retry* -- If a secondary fails to connect to the primary when the refresh |
time has elapsed (for example, if the host is down), this value specifies, in |
time has elapsed (for example, if the host is down), this value specifies, in |
seconds, how often the connection should be retried. |
seconds, how often the connection should be retried. |
|
|
* *Expire* -- If the retries fail to reach the primary within this number of |
* *Expire* -- If the retries fail to reach the primary within this number of |
seconds, the secondary destroys its copies of the zone data file(s), and |
seconds, the secondary destroys its copies of the zone data file(s), and |
stops answering requests for the domain. This stops very old and potentially |
stops answering requests for the domain. This stops very old and potentially |
inaccurate data from remaining in circulation. |
inaccurate data from remaining in circulation. |
|
|
* *TTL* -- This field specifies a time, in seconds, that the resource records |
* *TTL* -- This field specifies a time, in seconds, that the resource records |
in this zone should remain valid in the caches of other nameservers. If the |
in this zone should remain valid in the caches of other nameservers. If the |
data is volatile, this value should be short. TTL is a commonly-used acronym, |
data is volatile, this value should be short. TTL is a commonly-used acronym, |
that stands for "Time To Live". |
that stands for "Time To Live". |
|
|
### Name Resolution |
### Name Resolution |
|
|
DNS clients are configured with the addresses of DNS servers. Usually, these are |
DNS clients are configured with the addresses of DNS servers. Usually, these are |
servers which are authoritative for the domain of which they are a member. All |
servers which are authoritative for the domain of which they are a member. All |
requests for name resolution start with a request to one of these local servers. |
requests for name resolution start with a request to one of these local servers. |
DNS queries can be of two forms: |
DNS queries can be of two forms: |
|
|
* A *recursive* query asks the nameserver to resolve a name completely, and |
* A *recursive* query asks the nameserver to resolve a name completely, and |
return the result. If the request cannot be satisfied directly, the |
return the result. If the request cannot be satisfied directly, the |
nameserver looks in its configuration and caches for a server higher up the |
nameserver looks in its configuration and caches for a server higher up the |
domain tree which may have more information. In the worst case, this will be |
domain tree which may have more information. In the worst case, this will be |
a list of pre-configured servers for the root domain. These addresses are |
a list of pre-configured servers for the root domain. These addresses are |
returned in a response called a *referral*. The local nameserver must then |
returned in a response called a *referral*. The local nameserver must then |
send its request to one of these servers. |
send its request to one of these servers. |
|
|
* Normally, this will be an *iterative* query, which asks the second nameserver |
* Normally, this will be an *iterative* query, which asks the second nameserver |
to either respond with an authoritative reply, or with the addresses of |
to either respond with an authoritative reply, or with the addresses of |
nameservers (NS records) listed in its tables or caches as authoritative for |
nameservers (NS records) listed in its tables or caches as authoritative for |
the relevant zone. The local nameserver then makes iterative queries, walking |
the relevant zone. The local nameserver then makes iterative queries, walking |
the tree downwards until an authoritative answer is found (either positive or |
the tree downwards until an authoritative answer is found (either positive or |
negative) and returned to the client. |
negative) and returned to the client. |
|
|
In some configurations, such as when firewalls prevent direct IP communications |
In some configurations, such as when firewalls prevent direct IP communications |
between DNS clients and external nameservers, or when a site is connected to the |
between DNS clients and external nameservers, or when a site is connected to the |
rest of the world via a slow link, a nameserver can be configured with |
rest of the world via a slow link, a nameserver can be configured with |
information about a *forwarder*. This is an external nameserver to which the |
information about a *forwarder*. This is an external nameserver to which the |
local nameserver should make requests as a client would, asking the external |
local nameserver should make requests as a client would, asking the external |
nameserver to perform the full recursive name lookup, and return the result in a |
nameserver to perform the full recursive name lookup, and return the result in a |
single query (which can then be cached), rather than reply with referrals. |
single query (which can then be cached), rather than reply with referrals. |
|
|
### Reverse Resolution |
### Reverse Resolution |
|
|
The DNS provides resolution from a textual name to a resource record, such as an |
The DNS provides resolution from a textual name to a resource record, such as an |
A record with an IP address. It does not provide a means, other than exhaustive |
A record with an IP address. It does not provide a means, other than exhaustive |
search, to match in the opposite direction; there is no mechanism to ask which |
search, to match in the opposite direction; there is no mechanism to ask which |
name is bound to a particular RR. |
name is bound to a particular RR. |
|
|
For many RR types, this is of no real consequence, however it is often useful to |
For many RR types, this is of no real consequence, however it is often useful to |
identify by name the host which owns a particular IP address. Rather than |
identify by name the host which owns a particular IP address. Rather than |
complicate the design and implementation of the DNS database engine by providing |
complicate the design and implementation of the DNS database engine by providing |
matching functions in both directions, the DNS utilises the existing mechanisms |
matching functions in both directions, the DNS utilises the existing mechanisms |
and creates a special namespace, populated with PTR records, for IP address to |
and creates a special namespace, populated with PTR records, for IP address to |
name resolution. Resolving in this manner is often called *reverse resolution*, |
name resolution. Resolving in this manner is often called *reverse resolution*, |
despite the inaccurate implications of the term. |
despite the inaccurate implications of the term. |
|
|
The manner in which this is achieved is as follows: |
The manner in which this is achieved is as follows: |
|
|
* A normal domain name is reserved and defined to be for the purpose of mapping |
* A normal domain name is reserved and defined to be for the purpose of mapping |
IP addresses. The domain name used is `in-addr.arpa.` which shows the |
IP addresses. The domain name used is `in-addr.arpa.` which shows the |
historical origins of the Internet in the US Government's Defence Advanced |
historical origins of the Internet in the US Government's Defence Advanced |
Research Projects Agency's funding program. |
Research Projects Agency's funding program. |
|
|
* This domain is then subdivided and delegated according to the structure of IP |
* This domain is then subdivided and delegated according to the structure of IP |
addresses. IP addresses are often written in *decimal dotted quad notation*, |
addresses. IP addresses are often written in *decimal dotted quad notation*, |
where each octet of the 4-octet long address is written in decimal, separated |
where each octet of the 4-octet long address is written in decimal, separated |
by dots. IP address ranges are usually delegated with more and more of the |
by dots. IP address ranges are usually delegated with more and more of the |
left-most parts of the address in common as the delegation gets smaller. |
left-most parts of the address in common as the delegation gets smaller. |
Thus, to allow delegation of the reverse lookup domain to be done easily, |
Thus, to allow delegation of the reverse lookup domain to be done easily, |
this is turned around when used with the hierarchical DNS namespace, which |
this is turned around when used with the hierarchical DNS namespace, which |
places higher level domains on the right of the name. |
places higher level domains on the right of the name. |
|
|
* Each byte of the IP address is written, as an ASCII text representation of |
* Each byte of the IP address is written, as an ASCII text representation of |
the number expressed in decimal, with the octets in reverse order, separated |
the number expressed in decimal, with the octets in reverse order, separated |
by dots and appended with the in-addr.arpa. domain name. For example, to |
by dots and appended with the in-addr.arpa. domain name. For example, to |
determine the hostname of a network device with IP address 11.22.33.44, this |
determine the hostname of a network device with IP address 11.22.33.44, this |
algorithm would produce the string `44.33.22.11.in-addr.arpa.` which is a |
algorithm would produce the string `44.33.22.11.in-addr.arpa.` which is a |
legal, structured Domain Name. A normal nameservice query would then be sent |
legal, structured Domain Name. A normal nameservice query would then be sent |
to the nameserver asking for a PTR record bound to the generated name. |
to the nameserver asking for a PTR record bound to the generated name. |
|
|
* The PTR record, if found, will contain the FQDN of a host. |
* The PTR record, if found, will contain the FQDN of a host. |
|
|
One consequence of this is that it is possible for mismatch to occur. Resolving |
One consequence of this is that it is possible for mismatch to occur. Resolving |
a name into an A record, and then resolving the name built from the address in |
a name into an A record, and then resolving the name built from the address in |
that A record to a PTR record, may not result in a PTR record which contains the |
that A record to a PTR record, may not result in a PTR record which contains the |
original name. There is no restriction within the DNS that the "reverse" mapping |
original name. There is no restriction within the DNS that the "reverse" mapping |
must coincide with the "forward" mapping. This is a useful feature in some |
must coincide with the "forward" mapping. This is a useful feature in some |
circumstances, particularly when it is required that more than one name has an A |
circumstances, particularly when it is required that more than one name has an A |
record bound to it which contains the same IP address. |
record bound to it which contains the same IP address. |
|
|
While there is no such restriction within the DNS, some application server |
While there is no such restriction within the DNS, some application server |
programs or network libraries will reject connections from hosts that do not |
programs or network libraries will reject connections from hosts that do not |
satisfy the following test: |
satisfy the following test: |
|
|
* the state information included with an incoming connection includes the IP |
* the state information included with an incoming connection includes the IP |
address of the source of the request. |
address of the source of the request. |
|
|
* a PTR lookup is done to obtain an FQDN of the host making the connection |
* a PTR lookup is done to obtain an FQDN of the host making the connection |
|
|
* an A lookup is then done on the returned name, and the connection rejected if |
* an A lookup is then done on the returned name, and the connection rejected if |
the source IP address is not listed amongst the A records that get returned. |
the source IP address is not listed amongst the A records that get returned. |
|
|
This is done as a security precaution, to help detect and prevent malicious |
This is done as a security precaution, to help detect and prevent malicious |
sites impersonating other sites by configuring their own PTR records to return |
sites impersonating other sites by configuring their own PTR records to return |
the names of hosts belonging to another organisation. |
the names of hosts belonging to another organisation. |
|
|
## The DNS Files |
## The DNS Files |
|
|
Now let's look at actually setting up a small DNS enabled network. We will |
Now let's look at actually setting up a small DNS enabled network. We will |
continue to use the examples mentioned in [Chapter 24, *Setting up TCP/IP on |
continue to use the examples mentioned in [Chapter 24, *Setting up TCP/IP on |
NetBSD in practice*](chap-net-practice.html "Chapter 24. Setting up TCP/IP on |
NetBSD in practice*](chap-net-practice.html "Chapter 24. Setting up TCP/IP on |
NetBSD in practice"), i.e. we assume that: |
NetBSD in practice"), i.e. we assume that: |
|
|
* Our IP networking is working correctly |
* Our IP networking is working correctly |
* We have IPNAT working correctly |
* We have IPNAT working correctly |
* Currently all hosts use the ISP for DNS |
* Currently all hosts use the ISP for DNS |
|
|
Our Name Server will be the `strider` host which also runs IPNAT, and our two |
Our Name Server will be the `strider` host which also runs IPNAT, and our two |
clients use "strider" as a gateway. It is not really relevant as to what type of |
clients use "strider" as a gateway. It is not really relevant as to what type of |
interface is on "strider", but for argument's sake we will say a 56k dial up |
interface is on "strider", but for argument's sake we will say a 56k dial up |
connection. |
connection. |
|
|
So, before going any further, let's look at our `/etc/hosts` file on "strider" |
So, before going any further, let's look at our `/etc/hosts` file on "strider" |
Line 345 before we have made the alterations to u
|
Line 345 before we have made the alterations to u
|
192.168.1.2 samwise sam |
192.168.1.2 samwise sam |
192.168.1.3 wormtongue worm |
192.168.1.3 wormtongue worm |
|
|
This is not exactly a huge network, but it is worth noting that the same rules |
This is not exactly a huge network, but it is worth noting that the same rules |
apply for larger networks as we discuss in the context of this section. |
apply for larger networks as we discuss in the context of this section. |
|
|
The other assumption we want to make is that the domain we want to set up is |
The other assumption we want to make is that the domain we want to set up is |
`diverge.org`, and that the domain is only known on our internal network, and |
`diverge.org`, and that the domain is only known on our internal network, and |
not worldwide. Proper registration of the nameserver's IP address as primary |
not worldwide. Proper registration of the nameserver's IP address as primary |
would be needed in addition to a static IP. These are mostly administrative |
would be needed in addition to a static IP. These are mostly administrative |
issues which are left out here. |
issues which are left out here. |
|
|
The NetBSD operating system provides a set of config files for you to use for |
The NetBSD operating system provides a set of config files for you to use for |
setting up DNS. Along with a default `/etc/named.conf`, the following files are |
setting up DNS. Along with a default `/etc/named.conf`, the following files are |
stored in the `/etc/namedb` directory: |
stored in the `/etc/namedb` directory: |
|
|
* `localhost` |
* `localhost` |
Line 363 stored in the `/etc/namedb` directory:
|
Line 363 stored in the `/etc/namedb` directory:
|
* `loopback.v6` |
* `loopback.v6` |
* `root.cache` |
* `root.cache` |
|
|
You will see modified versions of these files in this section, and I strongly |
You will see modified versions of these files in this section, and I strongly |
suggest making a backup copy of the original files for reference purposes. |
suggest making a backup copy of the original files for reference purposes. |
|
|
*Note*: The examples in this chapter refer to BIND major version 8, however, it |
*Note*: The examples in this chapter refer to BIND major version 8, however, it |
should be noted that format of the name database and other config files are |
should be noted that format of the name database and other config files are |
almost 100% compatible between version. The only difference I noticed was that |
almost 100% compatible between version. The only difference I noticed was that |
the `$TTL` information was not required. |
the `$TTL` information was not required. |
|
|
### /etc/named.conf |
### /etc/named.conf |
|
|
The first file we want to look at is `/etc/named.conf`. This file is the config |
The first file we want to look at is `/etc/named.conf`. This file is the config |
file for bind (hence the catchy name). Setting up system like the one we are |
file for bind (hence the catchy name). Setting up system like the one we are |
doing is relatively simple. First, here is what mine looks like: |
doing is relatively simple. First, here is what mine looks like: |
|
|
options { |
options { |
Line 418 doing is relatively simple. First, here
|
Line 418 doing is relatively simple. First, here
|
file "root.cache"; |
file "root.cache"; |
}; |
}; |
|
|
Note that in my `named.conf` the root (".") section is last, that is because |
Note that in my `named.conf` the root (".") section is last, that is because |
there is another domain called diverge.org on the internet (I happen to own it) |
there is another domain called diverge.org on the internet (I happen to own it) |
so I want the resolver to look out on the internet last. This is not normally |
so I want the resolver to look out on the internet last. This is not normally |
the case on most systems. |
the case on most systems. |
|
|
Another very important thing to remember here is that if you have an internal |
Another very important thing to remember here is that if you have an internal |
setup, in other words no live internet connection and/or no need to do root |
setup, in other words no live internet connection and/or no need to do root |
server lookups, comment out the root (".") zone. It may cause lookup problems if |
server lookups, comment out the root (".") zone. It may cause lookup problems if |
a particular client decides it wants to reference a domain on the internet, |
a particular client decides it wants to reference a domain on the internet, |
which our server couldn't resolve itself. |
which our server couldn't resolve itself. |
|
|
Looks like a pretty big mess, upon closer examination it is revealed that many |
Looks like a pretty big mess, upon closer examination it is revealed that many |
of the lines in each section are somewhat redundant. So we should only have to |
of the lines in each section are somewhat redundant. So we should only have to |
explain them a few times. |
explain them a few times. |
|
|
Lets go through the sections of `named.conf`: |
Lets go through the sections of `named.conf`: |
|
|
#### options |
#### options |
|
|
This section defines some global parameters, most noticeable is the location of |
This section defines some global parameters, most noticeable is the location of |
the DNS tables, on this particular system, they will be put in `/etc/namedb` as |
the DNS tables, on this particular system, they will be put in `/etc/namedb` as |
indicated by the "directory" option. |
indicated by the "directory" option. |
|
|
Following are the rest of the params: |
Following are the rest of the params: |
|
|
* `allow-transfer` -- This option lists which remote DNS servers acting as |
* `allow-transfer` -- This option lists which remote DNS servers acting as |
secondaries are allowed to do zone transfers, i.e. are allowed to read all |
secondaries are allowed to do zone transfers, i.e. are allowed to read all |
DNS data at once. For privacy reasons, this should be restricted to secondary |
DNS data at once. For privacy reasons, this should be restricted to secondary |
DNS servers only. |
DNS servers only. |
|
|
* `allow-query` -- This option defines hosts from what network may query this |
* `allow-query` -- This option defines hosts from what network may query this |
name server at all. Restricting queries only to the local network |
name server at all. Restricting queries only to the local network |
(192.168.1.0/24) prevents queries arriving on the DNS server's external |
(192.168.1.0/24) prevents queries arriving on the DNS server's external |
interface, and prevent possible privacy issues. |
interface, and prevent possible privacy issues. |
|
|
* `listen-on port` -- This option defined the port and associated IP addresses |
* `listen-on port` -- This option defined the port and associated IP addresses |
this server will run |
this server will run |
[named(8)](http://netbsd.gw.com/cgi-bin/man-cgi?named+8+NetBSD-5.0.1+i386) |
[named(8)](http://netbsd.gw.com/cgi-bin/man-cgi?named+8+NetBSD-5.0.1+i386) |
on. Again, the "external" interface is not listened here, to prevent queries |
on. Again, the "external" interface is not listened here, to prevent queries |
getting received from "outside". |
getting received from "outside". |
|
|
The rest of the `named.conf` file consists of `zone`s. A zone is an area that |
The rest of the `named.conf` file consists of `zone`s. A zone is an area that |
can have items to resolve attached, e.g. a domain can have hostnames attached to |
can have items to resolve attached, e.g. a domain can have hostnames attached to |
resolve into IP addresses, and a reverse-zone can have IP addresses attached |
resolve into IP addresses, and a reverse-zone can have IP addresses attached |
that get resolved back into hostnames. Each zone has a file associated with it, |
that get resolved back into hostnames. Each zone has a file associated with it, |
and a table within that file for resolving that particular zone. As is readily |
and a table within that file for resolving that particular zone. As is readily |
apparent, their format in `named.conf` is strikingly similar, so I will |
apparent, their format in `named.conf` is strikingly similar, so I will |
highlight just one of their records: |
highlight just one of their records: |
|
|
#### zone diverge.org |
#### zone diverge.org |
|
|
* `type` -- The type of a zone is usually of type "master" in all cases except |
* `type` -- The type of a zone is usually of type "master" in all cases except |
for the root zone `.` and for zones that a secondary (backup) service is |
for the root zone `.` and for zones that a secondary (backup) service is |
provided - the type obviously is "secondary" in the latter case. |
provided - the type obviously is "secondary" in the latter case. |
|
|
* `notify` -- Do you want to send out notifications to secondaries when your |
* `notify` -- Do you want to send out notifications to secondaries when your |
zone changes? Obviously not in this setup, so this is set to "no". |
zone changes? Obviously not in this setup, so this is set to "no". |
|
|
* `file` -- This option sets the filename in our `/etc/namedb` directory where |
* `file` -- This option sets the filename in our `/etc/namedb` directory where |
records about this particular zone may be found. For the "diverge.org" zone, |
records about this particular zone may be found. For the "diverge.org" zone, |
the file `/etc/namedb/diverge.org` is used. |
the file `/etc/namedb/diverge.org` is used. |
|
|
### /etc/namedb/localhost |
### /etc/namedb/localhost |
|
|
For the most part, the zone files look quite similar, however, each one does |
For the most part, the zone files look quite similar, however, each one does |
have some unique properties. Here is what the `localhost` file looks like: |
have some unique properties. Here is what the `localhost` file looks like: |
|
|
1|$TTL 3600 |
1|$TTL 3600 |
Line 498 have some unique properties. Here is wha
|
Line 498 have some unique properties. Here is wha
|
|
|
Line by line: |
Line by line: |
|
|
* *Line 1*: This is the Time To Live for lookups, which defines how long other |
* *Line 1*: This is the Time To Live for lookups, which defines how long other |
DNS servers will cache that value before discarding it. This value is |
DNS servers will cache that value before discarding it. This value is |
generally the same in all the files. |
generally the same in all the files. |
|
|
* *Line 2*: This line is generally the same in all zone files except |
* *Line 2*: This line is generally the same in all zone files except |
`root.cache`. It defines a so-called "Start Of Authority" (SOA) header, which |
`root.cache`. It defines a so-called "Start Of Authority" (SOA) header, which |
contains some basic information about a zone. Of specific interest on this |
contains some basic information about a zone. Of specific interest on this |
line are "strider.diverge.org." and "root.diverge.org." (note the trailing |
line are "strider.diverge.org." and "root.diverge.org." (note the trailing |
dots!). Obviously one is the name of this server and the other is the contact |
dots!). Obviously one is the name of this server and the other is the contact |
for this DNS server, in most cases root seems a little ambiguous, it is |
for this DNS server, in most cases root seems a little ambiguous, it is |
preferred that a regular email account be used for the contact information, |
preferred that a regular email account be used for the contact information, |
with the "@" replaced by a "." (for example, mine would be |
with the "@" replaced by a "." (for example, mine would be |
"jrf.diverge.org."). |
"jrf.diverge.org."). |
|
|
* *Line 3*: This line is the serial number identifying the "version" of the |
* *Line 3*: This line is the serial number identifying the "version" of the |
zone's data set (file). The serial number should be incremented each time |
zone's data set (file). The serial number should be incremented each time |
there is a change to the file, the usual format is to either start with a |
there is a change to the file, the usual format is to either start with a |
value of "1" and increase it for every change, or use a value of "YYYYMMDDNN" |
value of "1" and increase it for every change, or use a value of "YYYYMMDDNN" |
to encode year (YYYY), month (MM), day (DD) and change within one day (NN) in |
to encode year (YYYY), month (MM), day (DD) and change within one day (NN) in |
the serial number. |
the serial number. |
|
|
* *Line 4*: This is the refresh rate of the server, in this file it is set to |
* *Line 4*: This is the refresh rate of the server, in this file it is set to |
once every 8 hours. |
once every 8 hours. |
|
|
* *Line 5*: The retry rate. |
* *Line 5*: The retry rate. |
Line 528 Line by line:
|
Line 528 Line by line:
|
|
|
* *Line 7*: The minimum Time To Live. |
* *Line 7*: The minimum Time To Live. |
|
|
* *Line 8*: This is the Nameserver line, which uses a "NS" resource record to |
* *Line 8*: This is the Nameserver line, which uses a "NS" resource record to |
show that "localhost" is the only DNS server handing out data for this zone |
show that "localhost" is the only DNS server handing out data for this zone |
(which is "@", which indicates the zone name used in the `named.conf` file, |
(which is "@", which indicates the zone name used in the `named.conf` file, |
i.e. "diverge.org") is, well, "localhost". |
i.e. "diverge.org") is, well, "localhost". |
|
|
* *Line 9*: This is the localhost entry, which uses an "A" resource record to |
* *Line 9*: This is the localhost entry, which uses an "A" resource record to |
indicate that the name "localhost" should be resolved into the IP-address |
indicate that the name "localhost" should be resolved into the IP-address |
127.0.0.1 for IPv4 queries (which specifically ask for the "A" record). |
127.0.0.1 for IPv4 queries (which specifically ask for the "A" record). |
|
|
* *Line 10*: This line is the IPv6 entry, which returns ::1 when someone asks |
* *Line 10*: This line is the IPv6 entry, which returns ::1 when someone asks |
for an IPv6-address (by specifically asking for the AAAA record) of |
for an IPv6-address (by specifically asking for the AAAA record) of |
"localhost.". |
"localhost.". |
|
|
### /etc/namedb/zone.127.0.0 |
### /etc/namedb/zone.127.0.0 |
|
|
This is the reverse lookup file (or zone) to resolve the special IP address |
This is the reverse lookup file (or zone) to resolve the special IP address |
127.0.0.1 back to "localhost": |
127.0.0.1 back to "localhost": |
|
|
1| $TTL 3600 |
1| $TTL 3600 |
Line 556 This is the reverse lookup file (or zone
|
Line 556 This is the reverse lookup file (or zone
|
8| IN NS localhost. |
8| IN NS localhost. |
9| 1.0.0 IN PTR localhost. |
9| 1.0.0 IN PTR localhost. |
|
|
In this file, all of the lines are the same as the localhost zonefile with |
In this file, all of the lines are the same as the localhost zonefile with |
exception of line 9, this is the reverse lookup (PTR) record. The zone used here |
exception of line 9, this is the reverse lookup (PTR) record. The zone used here |
is "@" again, which got set to the value given in `named.conf`, i.e. |
is "@" again, which got set to the value given in `named.conf`, i.e. |
"127.in-addr.arpa". This is a special "domain" which is used to do |
"127.in-addr.arpa". This is a special "domain" which is used to do |
reverse-lookup of IP addresses back into hostnames. For it to work, the four |
reverse-lookup of IP addresses back into hostnames. For it to work, the four |
bytes of the IPv4 address are reserved, and the domain "in-addr.arpa" attached, |
bytes of the IPv4 address are reserved, and the domain "in-addr.arpa" attached, |
so to resolve the IP address "127.0.0.1", the PTR record of |
so to resolve the IP address "127.0.0.1", the PTR record of |
"1.0.0.127.in-addr.arpa" is queried, which is what is defined in that line. |
"1.0.0.127.in-addr.arpa" is queried, which is what is defined in that line. |
|
|
### /etc/namedb/diverge.org |
### /etc/namedb/diverge.org |
|
|
This zone file is populated by records for all of our hosts. Here is what it |
This zone file is populated by records for all of our hosts. Here is what it |
looks like: |
looks like: |
|
|
1| $TTL 3600 |
1| $TTL 3600 |
Line 585 looks like:
|
Line 585 looks like:
|
13| www IN CNAME samwise.diverge.org. |
13| www IN CNAME samwise.diverge.org. |
14| worm IN A 192.168.1.3 |
14| worm IN A 192.168.1.3 |
|
|
There is a lot of new stuff here, so lets just look over each line that is new |
There is a lot of new stuff here, so lets just look over each line that is new |
here: |
here: |
|
|
* *Line 9*: This line shows our mail exchanger (MX), in this case it is |
* *Line 9*: This line shows our mail exchanger (MX), in this case it is |
"strider". The number that precedes "strider.diverge.org." is the priority |
"strider". The number that precedes "strider.diverge.org." is the priority |
number, the lower the number their higher the priority. The way we are setup |
number, the lower the number their higher the priority. The way we are setup |
here is if "strider" cannot handle the mail, then "samwise" will. |
here is if "strider" cannot handle the mail, then "samwise" will. |
|
|
* *Line 11*: CNAME stands for canonical name, or an alias for an existing |
* *Line 11*: CNAME stands for canonical name, or an alias for an existing |
hostname, which must have an A record. So we have aliased `www.diverge.org` |
hostname, which must have an A record. So we have aliased `www.diverge.org` |
to `samwise.diverge.org`. |
to `samwise.diverge.org`. |
|
|
The rest of the records are simply mappings of IP address to a full name (A |
The rest of the records are simply mappings of IP address to a full name (A |
records). |
records). |
|
|
### /etc/namedb/1.168.192 |
### /etc/namedb/1.168.192 |
|
|
This zone file is the reverse file for all of the host records, to map their IP |
This zone file is the reverse file for all of the host records, to map their IP |
numbers we use on our private network back into hostnames. The format is similar |
numbers we use on our private network back into hostnames. The format is similar |
to that of the "localhost" version with the obvious exception being the |
to that of the "localhost" version with the obvious exception being the |
addresses are different via the different zone given in the `named.conf` file, |
addresses are different via the different zone given in the `named.conf` file, |
i.e. "0.168.192.in-addr.arpa" here: |
i.e. "0.168.192.in-addr.arpa" here: |
|
|
1|$TTL 3600 |
1|$TTL 3600 |
Line 622 i.e. "0.168.192.in-addr.arpa" here:
|
Line 622 i.e. "0.168.192.in-addr.arpa" here:
|
|
|
### /etc/namedb/root.cache |
### /etc/namedb/root.cache |
|
|
This file contains a list of root name servers for your server to query when it |
This file contains a list of root name servers for your server to query when it |
gets requests outside of its own domain that it cannot answer itself. Here are |
gets requests outside of its own domain that it cannot answer itself. Here are |
first few lines of a root zone file: |
first few lines of a root zone file: |
|
|
; |
; |
Line 659 first few lines of a root zone file:
|
Line 659 first few lines of a root zone file:
|
; |
; |
... |
... |
|
|
This file can be obtained from ISC at <http://www.isc.org/> and usually comes |
This file can be obtained from ISC at <http://www.isc.org/> and usually comes |
with a distribution of BIND. A `root.cache` file is included in the NetBSD |
with a distribution of BIND. A `root.cache` file is included in the NetBSD |
operating system's "etc" set. |
operating system's "etc" set. |
|
|
This section has described the most important files and settings for a DNS |
This section has described the most important files and settings for a DNS |
server. Please see the BIND documentation in `/usr/src/dist/bind/doc/bog` and |
server. Please see the BIND documentation in `/usr/src/dist/bind/doc/bog` and |
[named.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?named.conf+5+NetBSD-5.0.1+i386) |
[named.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?named.conf+5+NetBSD-5.0.1+i386) |
for more information. |
for more information. |
|
|
## Using DNS |
## Using DNS |
|
|
In this section we will look at how to get DNS going and setup "strider" to use |
In this section we will look at how to get DNS going and setup "strider" to use |
its own DNS services. |
its own DNS services. |
|
|
Setting up named to start automatically is quite simple. In `/etc/rc.conf` |
Setting up named to start automatically is quite simple. In `/etc/rc.conf` |
simply set `named=yes`. Additional options can be specified in `named_flags`, |
simply set `named=yes`. Additional options can be specified in `named_flags`, |
for example, I like to use `-g nogroup -u nobody`, so a non-root account runs |
for example, I like to use `-g nogroup -u nobody`, so a non-root account runs |
the "named" process. |
the "named" process. |
|
|
In addition to being able to startup "named" at boot time, it can also be |
In addition to being able to startup "named" at boot time, it can also be |
controlled with the `ndc` command. In a nutshell the `ndc` command can stop, |
controlled with the `ndc` command. In a nutshell the `ndc` command can stop, |
start or restart the named server process. It can also do a great many other |
start or restart the named server process. It can also do a great many other |
things. Before use, it has to be setup to communicate with the "named" process, |
things. Before use, it has to be setup to communicate with the "named" process, |
see the [ndc(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ndc+8+NetBSD-5.0.1+i386) |
see the [ndc(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ndc+8+NetBSD-5.0.1+i386) |
and |
and |
[named.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?named.conf+5+NetBSD-5.0.1+i386) |
[named.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?named.conf+5+NetBSD-5.0.1+i386) |
man pages for more details on setting up communication channels between "ndc" |
man pages for more details on setting up communication channels between "ndc" |
and the "named" process. |
and the "named" process. |
|
|
Next we want to point "strider" to itself for lookups. We have two simple steps, |
Next we want to point "strider" to itself for lookups. We have two simple steps, |
first, decide on our resolution order. On a network this small, it is likely |
first, decide on our resolution order. On a network this small, it is likely |
that each host has a copy of the hosts table, so we can get away with using |
that each host has a copy of the hosts table, so we can get away with using |
`/etc/hosts` first, and then DNS. However, on larger networks it is much easier |
`/etc/hosts` first, and then DNS. However, on larger networks it is much easier |
to use DNS. Either way, the file where order of name services used for |
to use DNS. Either way, the file where order of name services used for |
resolution is determined is `/etc/nsswitch.conf` (see |
resolution is determined is `/etc/nsswitch.conf` (see |
[[`nsswitch.conf`|guide/net-practice#ex-nsswitch]]. Here is part of a typical |
[[`nsswitch.conf`|guide/net-practice#ex-nsswitch]]. Here is part of a typical |
`nsswitch.conf`: |
`nsswitch.conf`: |
|
|
... |
... |
Line 703 resolution is determined is `/etc/nsswit
|
Line 703 resolution is determined is `/etc/nsswit
|
netgroup: files [notfound=return] nis |
netgroup: files [notfound=return] nis |
... |
... |
|
|
The line we are interested in is the "hosts" line. "files" means the system uses |
The line we are interested in is the "hosts" line. "files" means the system uses |
the `/etc/hosts` file first to determine ip to name translation, and if it can't |
the `/etc/hosts` file first to determine ip to name translation, and if it can't |
find an entry, it will try DNS. |
find an entry, it will try DNS. |
|
|
The next file to look at is `/etc/resolv.conf`, which is used to configure DNS |
The next file to look at is `/etc/resolv.conf`, which is used to configure DNS |
lookups ("resolution") on the client side. The format is pretty self explanatory |
lookups ("resolution") on the client side. The format is pretty self explanatory |
but we will go over it anyway: |
but we will go over it anyway: |
|
|
domain diverge.org |
domain diverge.org |
search diverge.org |
search diverge.org |
nameserver 192.168.1.1 |
nameserver 192.168.1.1 |
|
|
In a nutshell this file is telling the resolver that this machine belongs to the |
In a nutshell this file is telling the resolver that this machine belongs to the |
"diverge.org" domain, which means that lookups that contain only a hostname |
"diverge.org" domain, which means that lookups that contain only a hostname |
without a "." gets this domain appended to build a FQDN. If that lookup doesn't |
without a "." gets this domain appended to build a FQDN. If that lookup doesn't |
succeed, the domains in the "search" line are tried next. Finally, the |
succeed, the domains in the "search" line are tried next. Finally, the |
"nameserver" line gives the IP addresses of one or more DNS servers that should |
"nameserver" line gives the IP addresses of one or more DNS servers that should |
be used to resolve DNS queries. |
be used to resolve DNS queries. |
|
|
To test our nameserver we can use several commands, for example: |
To test our nameserver we can use several commands, for example: |
Line 727 To test our nameserver we can use severa
|
Line 727 To test our nameserver we can use severa
|
# host sam |
# host sam |
sam.diverge.org has address 192.168.1.2 |
sam.diverge.org has address 192.168.1.2 |
|
|
As can be seen, the domain was appended automatically here, using the value from |
As can be seen, the domain was appended automatically here, using the value from |
`/etc/resolv.conf`. Here is another example, the output of running |
`/etc/resolv.conf`. Here is another example, the output of running |
`host www.yahoo.com`: |
`host www.yahoo.com`: |
|
|
Line 742 As can be seen, the domain was appended
|
Line 742 As can be seen, the domain was appended
|
www.yahoo.akadns.net has address 68.142.226.55 |
www.yahoo.akadns.net has address 68.142.226.55 |
www.yahoo.akadns.net has address 68.142.226.32 |
www.yahoo.akadns.net has address 68.142.226.32 |
|
|
Other commands for debugging DNS besides |
Other commands for debugging DNS besides |
[host(1)](http://netbsd.gw.com/cgi-bin/man-cgi?host+1+NetBSD-5.0.1+i386) are |
[host(1)](http://netbsd.gw.com/cgi-bin/man-cgi?host+1+NetBSD-5.0.1+i386) are |
[nslookup(8)](http://netbsd.gw.com/cgi-bin/man-cgi?nslookup+8+NetBSD-5.0.1+i386) |
[nslookup(8)](http://netbsd.gw.com/cgi-bin/man-cgi?nslookup+8+NetBSD-5.0.1+i386) |
and |
and |
[dig(1)](http://netbsd.gw.com/cgi-bin/man-cgi?dig+1+NetBSD-5.0.1+i386). Note |
[dig(1)](http://netbsd.gw.com/cgi-bin/man-cgi?dig+1+NetBSD-5.0.1+i386). Note |
that |
that |
[ping(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ping+8+NetBSD-5.0.1+i386) |
[ping(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ping+8+NetBSD-5.0.1+i386) |
is *not* useful for debugging DNS, as it will use whatever is configured in |
is *not* useful for debugging DNS, as it will use whatever is configured in |
`/etc/nsswitch.conf` to do the name-lookup. |
`/etc/nsswitch.conf` to do the name-lookup. |
|
|
At this point the server is configured properly. The procedure for setting up |
At this point the server is configured properly. The procedure for setting up |
the client hosts are easier, you only need to setup `/etc/nsswitch.conf` and |
the client hosts are easier, you only need to setup `/etc/nsswitch.conf` and |
`/etc/resolv.conf` to the same values as on the server. |
`/etc/resolv.conf` to the same values as on the server. |
|
|
## Setting up a caching only name server |
## Setting up a caching only name server |
|
|
A caching only name server has no local zones; all the queries it receives are |
A caching only name server has no local zones; all the queries it receives are |
forwarded to the root servers and the replies are accumulated in the local |
forwarded to the root servers and the replies are accumulated in the local |
cache. The next time the query is performed the answer will be faster because |
cache. The next time the query is performed the answer will be faster because |
the data is already in the server's cache. Since this type of server doesn't |
the data is already in the server's cache. Since this type of server doesn't |
handle local zones, to resolve the names of the local hosts it will still be |
handle local zones, to resolve the names of the local hosts it will still be |
necessary to use the already known `/etc/hosts` file. |
necessary to use the already known `/etc/hosts` file. |
|
|
Since NetBSD supplies defaults for all the files needed by a caching only |
Since NetBSD supplies defaults for all the files needed by a caching only |
server, it only needs to be enabled and started and is immediately ready for |
server, it only needs to be enabled and started and is immediately ready for |
use! To enable named, put `named=yes` into `/etc/rc.conf`, and tell the system |
use! To enable named, put `named=yes` into `/etc/rc.conf`, and tell the system |
to use it adding the following line to the `/etc/resolv.conf` file: |
to use it adding the following line to the `/etc/resolv.conf` file: |
|
|
# cat /etc/resolv.conf |
# cat /etc/resolv.conf |
Line 779 Now we can start named:
|
Line 779 Now we can start named:
|
|
|
### Testing the server |
### Testing the server |
|
|
Now that the server is running we can test it using the |
Now that the server is running we can test it using the |
[nslookup(8)](http://netbsd.gw.com/cgi-bin/man-cgi?nslookup+8+NetBSD-5.0.1+i386) |
[nslookup(8)](http://netbsd.gw.com/cgi-bin/man-cgi?nslookup+8+NetBSD-5.0.1+i386) |
program: |
program: |
|
|
$ nslookup |
$ nslookup |
Line 808 If you repeat the query a second time, t
|
Line 808 If you repeat the query a second time, t
|
Name: www.NetBSD.org |
Name: www.NetBSD.org |
Address: 204.152.190.12 |
Address: 204.152.190.12 |
|
|
As you've probably noticed, the address is the same, but the message |
As you've probably noticed, the address is the same, but the message |
`Non-authoritative answer` has appeared. This message indicates that the answer |
`Non-authoritative answer` has appeared. This message indicates that the answer |
is not coming from an authoritative server for the domain NetBSD.org but from |
is not coming from an authoritative server for the domain NetBSD.org but from |
the cache of our own server. |
the cache of our own server. |
|
|
The results of this first test confirm that the server is working correctly. |
The results of this first test confirm that the server is working correctly. |
|
|
We can also try the |
We can also try the |
[host(1)](http://netbsd.gw.com/cgi-bin/man-cgi?host+1+NetBSD-5.0.1+i386) and |
[host(1)](http://netbsd.gw.com/cgi-bin/man-cgi?host+1+NetBSD-5.0.1+i386) and |
[dig(1)](http://netbsd.gw.com/cgi-bin/man-cgi?dig+1+NetBSD-5.0.1+i386) commands, |
[dig(1)](http://netbsd.gw.com/cgi-bin/man-cgi?dig+1+NetBSD-5.0.1+i386) commands, |
which give the following result. |
which give the following result. |
|
|
$ host www.NetBSD.org |
$ host www.NetBSD.org |
Line 846 which give the following result.
|
Line 846 which give the following result.
|
;; Total query time: 14 msec |
;; Total query time: 14 msec |
;; FROM: miyu to SERVER: 127.0.0.1 |
;; FROM: miyu to SERVER: 127.0.0.1 |
;; WHEN: Thu Nov 25 22:59:36 2004 |
;; WHEN: Thu Nov 25 22:59:36 2004 |
;; MSG SIZE sent: 32 rcvd: 175 |
;; MSG SIZE sent: 32 rcvd: 175 |
|
|
As you can see |
As you can see |
[dig(1)](http://netbsd.gw.com/cgi-bin/man-cgi?dig+1+NetBSD-5.0.1+i386) gives |
[dig(1)](http://netbsd.gw.com/cgi-bin/man-cgi?dig+1+NetBSD-5.0.1+i386) gives |
quite a bit of output, the expected answer can be found in the "ANSWER SECTION". |
quite a bit of output, the expected answer can be found in the "ANSWER SECTION". |
The other data given may be of interest when debugging DNS problems. |
The other data given may be of interest when debugging DNS problems. |
|
|