|
version 1.1, 2013/03/09 00:15:25
|
version 1.2, 2013/03/10 09:58:15
|
|
Line 1
|
Line 1
|
| # The Domain Name System |
# The Domain Name System |
| |
|
| Use of the Domain Name System has been discussed in previous chapters, without |
Use of the Domain Name System has been discussed in previous chapters, without |
| going into detail on the setup of the server providing the service. This chapter |
going into detail on the setup of the server providing the service. This chapter |
| describes setting up a simple, small domain with one Domain Name System (DNS) |
describes setting up a simple, small domain with one Domain Name System (DNS) |
| nameserver on a NetBSD system. It includes a brief explanation and overview of |
nameserver on a NetBSD system. It includes a brief explanation and overview of |
| the DNS; further information can be obtained from the DNS Resources Directory |
the DNS; further information can be obtained from the DNS Resources Directory |
| (DNSRD) at [http://www.dns.net/dnsrd/](http://www.dns.net/dnsrd/). |
(DNSRD) at [http://www.dns.net/dnsrd/](http://www.dns.net/dnsrd/). |
| |
|
| ## DNS Background and Concepts |
## DNS Background and Concepts |
| |
|
| The DNS is a widely used *naming service* on the Internet and other TCP/IP |
The DNS is a widely used *naming service* on the Internet and other TCP/IP |
| networks. The network protocols, data and file formats, and other aspects of the |
networks. The network protocols, data and file formats, and other aspects of the |
| DNS are Internet Standards, specified in a number of RFC documents, and |
DNS are Internet Standards, specified in a number of RFC documents, and |
| described by a number of other reference and tutorial works. The DNS has a |
described by a number of other reference and tutorial works. The DNS has a |
| distributed, client-server architecture. There are reference implementations for |
distributed, client-server architecture. There are reference implementations for |
| the server and client, but these are not part of the standard. There are a |
the server and client, but these are not part of the standard. There are a |
| number of additional implementations available for many platforms. |
number of additional implementations available for many platforms. |
| |
|
| ### Naming Services |
### Naming Services |
| |
|
| Naming services are used to provide a mapping between textual names and |
Naming services are used to provide a mapping between textual names and |
| configuration data of some form. A *nameserver* maintains this mapping, and |
configuration data of some form. A *nameserver* maintains this mapping, and |
| clients request the nameserver to *resolve* a name into its attached data. |
clients request the nameserver to *resolve* a name into its attached data. |
| |
|
| The reader should have a good understanding of basic hosts to IP address mapping |
The reader should have a good understanding of basic hosts to IP address mapping |
| and IP address class specifications, see |
and IP address class specifications, see |
| [[Name Service Concepts|guide/net-intro#nsconcepts]]. |
[[Name Service Concepts|guide/net-intro#nsconcepts]]. |
| |
|
| In the case of the DNS, the configuration data bound to a name is in the form of |
In the case of the DNS, the configuration data bound to a name is in the form of |
| standard *Resource Records* (RRs). These textual names conform to certain |
standard *Resource Records* (RRs). These textual names conform to certain |
| structural conventions. |
structural conventions. |
| |
|
| ### The DNS namespace |
### The DNS namespace |
| |
|
| The DNS presents a hierarchical name space, much like a UNIX filesystem, |
The DNS presents a hierarchical name space, much like a UNIX filesystem, |
| pictured as an inverted tree with the *root* at the top. |
pictured as an inverted tree with the *root* at the top. |
| |
|
| TOP-LEVEL .org |
TOP-LEVEL .org |
| | |
| |
| MID-LEVEL .diverge.org |
MID-LEVEL .diverge.org |
| ______________________|________________________ |
______________________|________________________ |
| | | | |
| | | |
| BOTTOM-LEVEL strider.diverge.org samwise.diverge.org wormtongue.diverge.org |
BOTTOM-LEVEL strider.diverge.org samwise.diverge.org wormtongue.diverge.org |
| |
|
| The system can also be logically divided even further if one wishes at different |
The system can also be logically divided even further if one wishes at different |
| points. The example shown above shows three nodes on the diverge.org domain, but |
points. The example shown above shows three nodes on the diverge.org domain, but |
| we could even divide diverge.org into subdomains such as |
we could even divide diverge.org into subdomains such as |
| "strider.net1.diverge.org", "samwise.net2.diverge.org" and |
"strider.net1.diverge.org", "samwise.net2.diverge.org" and |
| "wormtongue.net2.diverge.org"; in this case, 2 nodes reside in |
"wormtongue.net2.diverge.org"; in this case, 2 nodes reside in |
| "net2.diverge.org" and one in "net1.diverge.org". |
"net2.diverge.org" and one in "net1.diverge.org". |
| |
|
| There are directories of names, some of which may be sub-directories of further |
There are directories of names, some of which may be sub-directories of further |
| names. These directories are sometimes called *zones*. There is provision for |
names. These directories are sometimes called *zones*. There is provision for |
| symbolic links, redirecting requests for information on one name to the records |
symbolic links, redirecting requests for information on one name to the records |
| bound to another name. Each name recognised by the DNS is called a *Domain |
bound to another name. Each name recognised by the DNS is called a *Domain |
| Name*, whether it represents information about a specific host, or a directory |
Name*, whether it represents information about a specific host, or a directory |
| of subordinate Domain Names (or both, or something else). |
of subordinate Domain Names (or both, or something else). |
| |
|
| Unlike most filesystem naming schemes, however, Domain Names are written with |
Unlike most filesystem naming schemes, however, Domain Names are written with |
| the innermost name on the left, and progressively higher-level domains to the |
the innermost name on the left, and progressively higher-level domains to the |
| right, all the way up to the root directory if necessary. The separator used |
right, all the way up to the root directory if necessary. The separator used |
| when writing Domain Names is a period, ".". |
when writing Domain Names is a period, ".". |
| |
|
| Like filesystem pathnames, Domain Names can be written in an absolute or |
Like filesystem pathnames, Domain Names can be written in an absolute or |
| relative manner, though there are some differences in detail. For instance, |
relative manner, though there are some differences in detail. For instance, |
| there is no way to indirectly refer to the parent domain like with the UNIX `..` |
there is no way to indirectly refer to the parent domain like with the UNIX `..` |
| directory. Many (but not all) resolvers offer a search path facility, so that |
directory. Many (but not all) resolvers offer a search path facility, so that |
| partially-specified names can be resolved relative to additional listed |
partially-specified names can be resolved relative to additional listed |
| sub-domains other than the client's own domain. Names that are completely |
sub-domains other than the client's own domain. Names that are completely |
| specified all the way to the root are called *Fully Qualified Domain Names* or |
specified all the way to the root are called *Fully Qualified Domain Names* or |
| *FQDN*s. A defining characteristic of an FQDN is that it is written with a |
*FQDN*s. A defining characteristic of an FQDN is that it is written with a |
| terminating period. The same name, without the terminating period, may be |
terminating period. The same name, without the terminating period, may be |
| considered relative to some other sub-domain. It is rare for this to occur |
considered relative to some other sub-domain. It is rare for this to occur |
| without malicious intent, but in part because of this possibility, FQDNs are |
without malicious intent, but in part because of this possibility, FQDNs are |
| required as configuration parameters in some circumstances. |
required as configuration parameters in some circumstances. |
| |
|
| On the Internet, there are some established conventions for the names of the |
On the Internet, there are some established conventions for the names of the |
| first few levels of the tree, at which point the hierarchy reaches the level of |
first few levels of the tree, at which point the hierarchy reaches the level of |
| an individual organisation. This organisation is responsible for establishing |
an individual organisation. This organisation is responsible for establishing |
| and maintaining conventions further down the tree, within its own domain. |
and maintaining conventions further down the tree, within its own domain. |
| |
|
| ### Resource Records |
### Resource Records |
| |
|
| Resource Records for a domain are stored in a standardised format in an ASCII |
Resource Records for a domain are stored in a standardised format in an ASCII |
| text file, often called a *zone file*. The following Resource Records are |
text file, often called a *zone file*. The following Resource Records are |
| commonly used (a number of others are defined but not often used, or no longer |
commonly used (a number of others are defined but not often used, or no longer |
| used). In some cases, there may be multiple RR types associated with a name, and |
used). In some cases, there may be multiple RR types associated with a name, and |
| even multiple records of the same type. |
even multiple records of the same type. |
| |
|
| #### Common DNS Resource Records |
#### Common DNS Resource Records |
| |
|
| * *A: Address* -- This record contains the numerical IP address associated with |
* *A: Address* -- This record contains the numerical IP address associated with |
| the name. |
the name. |
| |
|
| * *CNAME: Canonical Name* -- This record contains the Canonical Name (an FQDN |
* *CNAME: Canonical Name* -- This record contains the Canonical Name (an FQDN |
| with an associated A record) of the host name to which this record is bound. |
with an associated A record) of the host name to which this record is bound. |
| This record type is used to provide name aliasing, by providing a link to |
This record type is used to provide name aliasing, by providing a link to |
| another name with which other appropriate RR's are associated. If a name has |
another name with which other appropriate RR's are associated. If a name has |
| a CNAME record bound to it, it is an alias, and no other RR's are permitted |
a CNAME record bound to it, it is an alias, and no other RR's are permitted |
| to be bound to the same name. |
to be bound to the same name. |
| |
|
| It is common for these records to be used to point to hosts providing a |
It is common for these records to be used to point to hosts providing a |
| particular service, such as an FTP or HTTP server. If the service must be |
particular service, such as an FTP or HTTP server. If the service must be |
| moved to another host, the alias can be changed, and the same name will reach |
moved to another host, the alias can be changed, and the same name will reach |
| the new host. |
the new host. |
| |
|
| * *PTR: Pointer* -- This record contains a textual name. These records are |
* *PTR: Pointer* -- This record contains a textual name. These records are |
| bound to names built in a special way from numerical IP addresses, and are |
bound to names built in a special way from numerical IP addresses, and are |
| used to provide a reverse mapping from an IP address to a textual name. This |
used to provide a reverse mapping from an IP address to a textual name. This |
| is described in more detail in [[Reverse Resolution|guide/dns#bg-reverse]]. |
is described in more detail in [[Reverse Resolution|guide/dns#bg-reverse]]. |
| |
|
| * *NS: Name Server* -- This record type is used to *delegate* a sub-tree of the |
* *NS: Name Server* -- This record type is used to *delegate* a sub-tree of the |
| Domain Name space to another nameserver. The record contains the FQDN of a |
Domain Name space to another nameserver. The record contains the FQDN of a |
| DNS nameserver with information on the sub-domain, and is bound to the name |
DNS nameserver with information on the sub-domain, and is bound to the name |
| of the sub-domain. In this manner, the hierarchical structure of the DNS is |
of the sub-domain. In this manner, the hierarchical structure of the DNS is |
| established. Delegation is described in more detail in |
established. Delegation is described in more detail in |
| [[Delegation|guide/dns#bg-delegation]]. |
[[Delegation|guide/dns#bg-delegation]]. |
| |
|
| * *MX: Mail eXchange* -- This record contains the FQDN for a host that will |
* *MX: Mail eXchange* -- This record contains the FQDN for a host that will |
| accept SMTP electronic mail for the named domain, together with a priority |
accept SMTP electronic mail for the named domain, together with a priority |
| value used to select an MX host when relaying mail. It is used to indicate |
value used to select an MX host when relaying mail. It is used to indicate |
| other servers that are willing to receive and spool mail for the domain if |
other servers that are willing to receive and spool mail for the domain if |
| the primary MX is unreachable for a time. It is also used to direct email to |
the primary MX is unreachable for a time. It is also used to direct email to |
| a central server, if desired, rather than to each and every individual |
a central server, if desired, rather than to each and every individual |
| workstation. |
workstation. |
| |
|
| * *HINFO: Host Information* -- Contains two strings, intended for use to |
* *HINFO: Host Information* -- Contains two strings, intended for use to |
| describe the host hardware and operating system platform. There are defined |
describe the host hardware and operating system platform. There are defined |
| strings to use for some systems, but their use is not enforced. Some sites, |
strings to use for some systems, but their use is not enforced. Some sites, |
| because of security considerations, do not publicise this information. |
because of security considerations, do not publicise this information. |
| |
|
| * *TXT: Text* -- A free-form text field, sometimes used as a comment field, |
* *TXT: Text* -- A free-form text field, sometimes used as a comment field, |
| sometimes overlaid with site-specific additional meaning to be interpreted by |
sometimes overlaid with site-specific additional meaning to be interpreted by |
| local conventions. |
local conventions. |
| |
|
| * *SOA: Start of Authority* -- This record is required to appear for each zone |
* *SOA: Start of Authority* -- This record is required to appear for each zone |
| file. It lists the primary nameserver and the email address of the person |
file. It lists the primary nameserver and the email address of the person |
| responsible for the domain, together with default values for a number of |
responsible for the domain, together with default values for a number of |
| fields associated with maintaining consistency across multiple servers and |
fields associated with maintaining consistency across multiple servers and |
| caching of the results of DNS queries. |
caching of the results of DNS queries. |
| |
|
| ### Delegation |
### Delegation |
| |
|
| Using NS records, authority for portions of the DNS namespace below a certain |
Using NS records, authority for portions of the DNS namespace below a certain |
| point in the tree can be delegated, and further sub-parts below that delegated |
point in the tree can be delegated, and further sub-parts below that delegated |
| again. It is at this point that the distinction between a domain and a zone |
again. It is at this point that the distinction between a domain and a zone |
| becomes important. Any name in the DNS is called a domain, and the term applies |
becomes important. Any name in the DNS is called a domain, and the term applies |
| to that name and to any subordinate names below that one in the tree. The |
to that name and to any subordinate names below that one in the tree. The |
| boundaries of a zone are narrower, and are defined by delegations. A zone starts |
boundaries of a zone are narrower, and are defined by delegations. A zone starts |
| with a delegation (or at the root), and encompasses all names in the domain |
with a delegation (or at the root), and encompasses all names in the domain |
| below that point, excluding names below any subsequent delegations. |
below that point, excluding names below any subsequent delegations. |
| |
|
| This distinction is important for implementation - a zone is a single |
This distinction is important for implementation - a zone is a single |
| administrative entity (with a single SOA record), and all data for the zone is |
administrative entity (with a single SOA record), and all data for the zone is |
| referred to by a single file, called a *zone file*. A zone file may contain more |
referred to by a single file, called a *zone file*. A zone file may contain more |
| than one period-separated level of the namespace tree, if desired, by including |
than one period-separated level of the namespace tree, if desired, by including |
| periods in the names in that zone file. In order to simplify administration and |
periods in the names in that zone file. In order to simplify administration and |
| prevent overly-large zone files, it is quite legal for a DNS server to delegate |
prevent overly-large zone files, it is quite legal for a DNS server to delegate |
| to itself, splitting the domain into several zones kept on the same server. |
to itself, splitting the domain into several zones kept on the same server. |
| |
|
| ### Delegation to multiple servers |
### Delegation to multiple servers |
| |
|
| For redundancy, it is common (and often administratively required) that there be |
For redundancy, it is common (and often administratively required) that there be |
| more than one nameserver providing information on a zone. It is also common that |
more than one nameserver providing information on a zone. It is also common that |
| at least one of these servers be located at some distance (in terms of network |
at least one of these servers be located at some distance (in terms of network |
| topology) from the others, so that knowledge of that zone does not become |
topology) from the others, so that knowledge of that zone does not become |
| unavailable in case of connectivity failure. Each nameserver will be listed in |
unavailable in case of connectivity failure. Each nameserver will be listed in |
| an NS record bound to the name of the zone, stored in the parent zone on the |
an NS record bound to the name of the zone, stored in the parent zone on the |
| server responsible for the parent domain. In this way, those searching the name |
server responsible for the parent domain. In this way, those searching the name |
| hierarchy from the top down can contact any one of the servers to continue |
hierarchy from the top down can contact any one of the servers to continue |
| narrowing their search. This is occasionally called *walking the tree*. |
narrowing their search. This is occasionally called *walking the tree*. |
| |
|
| There are a number of nameservers on the Internet which are called *root |
There are a number of nameservers on the Internet which are called *root |
| nameservers*. These servers provide information on the very top levels of the |
nameservers*. These servers provide information on the very top levels of the |
| domain namespace tree. These servers are special in that their addresses must be |
domain namespace tree. These servers are special in that their addresses must be |
| pre-configured into nameservers as a place to start finding other servers. |
pre-configured into nameservers as a place to start finding other servers. |
| Isolated networks that cannot access these servers may need to provide their own |
Isolated networks that cannot access these servers may need to provide their own |
| root nameservers. |
root nameservers. |
| |
|
| ### Secondaries, Caching, and the SOA record |
### Secondaries, Caching, and the SOA record |
| |
|
| In order to maintain consistency between these servers, one is usually |
In order to maintain consistency between these servers, one is usually |
| configured as the *primary* server, and all administrative changes are made on |
configured as the *primary* server, and all administrative changes are made on |
| this server. The other servers are configured as *secondaries*, and transfer the |
this server. The other servers are configured as *secondaries*, and transfer the |
| contents of the zone from the primary. This operational model is not required, |
contents of the zone from the primary. This operational model is not required, |
| and if external considerations require it, multiple primaries can be used |
and if external considerations require it, multiple primaries can be used |
| instead, but consistency must then be maintained by other means. DNS servers |
instead, but consistency must then be maintained by other means. DNS servers |
| that store Resource Records for a zone, whether they be primary or secondary |
that store Resource Records for a zone, whether they be primary or secondary |
| servers, are said to be *authoritative* for the zone. A DNS server can be |
servers, are said to be *authoritative* for the zone. A DNS server can be |
| authoritative for several zones. |
authoritative for several zones. |
| |
|
| When nameservers receive responses to queries, they can *cache* the results. |
When nameservers receive responses to queries, they can *cache* the results. |
| This has a significant beneficial impact on the speed of queries, the query load |
This has a significant beneficial impact on the speed of queries, the query load |
| on high-level nameservers, and network utilisation. It is also a major |
on high-level nameservers, and network utilisation. It is also a major |
| contributor to the memory usage of the nameserver process. |
contributor to the memory usage of the nameserver process. |
| |
|
| There are a number of parameters that are important to maintaining consistency |
There are a number of parameters that are important to maintaining consistency |
| amongst the secondaries and caches. The values for these parameters for a |
amongst the secondaries and caches. The values for these parameters for a |
| particular domain zone file are stored in the SOA record. These fields are: |
particular domain zone file are stored in the SOA record. These fields are: |
| |
|
| #### Fields of the SOA Record |
#### Fields of the SOA Record |
| |
|
| * *Serial* -- A serial number for the zone file. This should be incremented any |
* *Serial* -- A serial number for the zone file. This should be incremented any |
| time the data in the domain is changed. When a secondary wants to check if |
time the data in the domain is changed. When a secondary wants to check if |
| its data is up-to-date, it checks the serial number on the primary's SOA |
its data is up-to-date, it checks the serial number on the primary's SOA |
| record. |
record. |
| |
|
| * *Refresh* -- A time, in seconds, specifying how often the secondary should |
* *Refresh* -- A time, in seconds, specifying how often the secondary should |
| check the serial number on the primary, and start a new transfer if the |
check the serial number on the primary, and start a new transfer if the |
| primary has newer data. |
primary has newer data. |
| |
|
| * *Retry* -- If a secondary fails to connect to the primary when the refresh |
* *Retry* -- If a secondary fails to connect to the primary when the refresh |
| time has elapsed (for example, if the host is down), this value specifies, in |
time has elapsed (for example, if the host is down), this value specifies, in |
| seconds, how often the connection should be retried. |
seconds, how often the connection should be retried. |
| |
|
| * *Expire* -- If the retries fail to reach the primary within this number of |
* *Expire* -- If the retries fail to reach the primary within this number of |
| seconds, the secondary destroys its copies of the zone data file(s), and |
seconds, the secondary destroys its copies of the zone data file(s), and |
| stops answering requests for the domain. This stops very old and potentially |
stops answering requests for the domain. This stops very old and potentially |
| inaccurate data from remaining in circulation. |
inaccurate data from remaining in circulation. |
| |
|
| * *TTL* -- This field specifies a time, in seconds, that the resource records |
* *TTL* -- This field specifies a time, in seconds, that the resource records |
| in this zone should remain valid in the caches of other nameservers. If the |
in this zone should remain valid in the caches of other nameservers. If the |
| data is volatile, this value should be short. TTL is a commonly-used acronym, |
data is volatile, this value should be short. TTL is a commonly-used acronym, |
| that stands for "Time To Live". |
that stands for "Time To Live". |
| |
|
| ### Name Resolution |
### Name Resolution |
| |
|
| DNS clients are configured with the addresses of DNS servers. Usually, these are |
DNS clients are configured with the addresses of DNS servers. Usually, these are |
| servers which are authoritative for the domain of which they are a member. All |
servers which are authoritative for the domain of which they are a member. All |
| requests for name resolution start with a request to one of these local servers. |
requests for name resolution start with a request to one of these local servers. |
| DNS queries can be of two forms: |
DNS queries can be of two forms: |
| |
|
| * A *recursive* query asks the nameserver to resolve a name completely, and |
* A *recursive* query asks the nameserver to resolve a name completely, and |
| return the result. If the request cannot be satisfied directly, the |
return the result. If the request cannot be satisfied directly, the |
| nameserver looks in its configuration and caches for a server higher up the |
nameserver looks in its configuration and caches for a server higher up the |
| domain tree which may have more information. In the worst case, this will be |
domain tree which may have more information. In the worst case, this will be |
| a list of pre-configured servers for the root domain. These addresses are |
a list of pre-configured servers for the root domain. These addresses are |
| returned in a response called a *referral*. The local nameserver must then |
returned in a response called a *referral*. The local nameserver must then |
| send its request to one of these servers. |
send its request to one of these servers. |
| |
|
| * Normally, this will be an *iterative* query, which asks the second nameserver |
* Normally, this will be an *iterative* query, which asks the second nameserver |
| to either respond with an authoritative reply, or with the addresses of |
to either respond with an authoritative reply, or with the addresses of |
| nameservers (NS records) listed in its tables or caches as authoritative for |
nameservers (NS records) listed in its tables or caches as authoritative for |
| the relevant zone. The local nameserver then makes iterative queries, walking |
the relevant zone. The local nameserver then makes iterative queries, walking |
| the tree downwards until an authoritative answer is found (either positive or |
the tree downwards until an authoritative answer is found (either positive or |
| negative) and returned to the client. |
negative) and returned to the client. |
| |
|
| In some configurations, such as when firewalls prevent direct IP communications |
In some configurations, such as when firewalls prevent direct IP communications |
| between DNS clients and external nameservers, or when a site is connected to the |
between DNS clients and external nameservers, or when a site is connected to the |
| rest of the world via a slow link, a nameserver can be configured with |
rest of the world via a slow link, a nameserver can be configured with |
| information about a *forwarder*. This is an external nameserver to which the |
information about a *forwarder*. This is an external nameserver to which the |
| local nameserver should make requests as a client would, asking the external |
local nameserver should make requests as a client would, asking the external |
| nameserver to perform the full recursive name lookup, and return the result in a |
nameserver to perform the full recursive name lookup, and return the result in a |
| single query (which can then be cached), rather than reply with referrals. |
single query (which can then be cached), rather than reply with referrals. |
| |
|
| ### Reverse Resolution |
### Reverse Resolution |
| |
|
| The DNS provides resolution from a textual name to a resource record, such as an |
The DNS provides resolution from a textual name to a resource record, such as an |
| A record with an IP address. It does not provide a means, other than exhaustive |
A record with an IP address. It does not provide a means, other than exhaustive |
| search, to match in the opposite direction; there is no mechanism to ask which |
search, to match in the opposite direction; there is no mechanism to ask which |
| name is bound to a particular RR. |
name is bound to a particular RR. |
| |
|
| For many RR types, this is of no real consequence, however it is often useful to |
For many RR types, this is of no real consequence, however it is often useful to |
| identify by name the host which owns a particular IP address. Rather than |
identify by name the host which owns a particular IP address. Rather than |
| complicate the design and implementation of the DNS database engine by providing |
complicate the design and implementation of the DNS database engine by providing |
| matching functions in both directions, the DNS utilises the existing mechanisms |
matching functions in both directions, the DNS utilises the existing mechanisms |
| and creates a special namespace, populated with PTR records, for IP address to |
and creates a special namespace, populated with PTR records, for IP address to |
| name resolution. Resolving in this manner is often called *reverse resolution*, |
name resolution. Resolving in this manner is often called *reverse resolution*, |
| despite the inaccurate implications of the term. |
despite the inaccurate implications of the term. |
| |
|
| The manner in which this is achieved is as follows: |
The manner in which this is achieved is as follows: |
| |
|
| * A normal domain name is reserved and defined to be for the purpose of mapping |
* A normal domain name is reserved and defined to be for the purpose of mapping |
| IP addresses. The domain name used is `in-addr.arpa.` which shows the |
IP addresses. The domain name used is `in-addr.arpa.` which shows the |
| historical origins of the Internet in the US Government's Defence Advanced |
historical origins of the Internet in the US Government's Defence Advanced |
| Research Projects Agency's funding program. |
Research Projects Agency's funding program. |
| |
|
| * This domain is then subdivided and delegated according to the structure of IP |
* This domain is then subdivided and delegated according to the structure of IP |
| addresses. IP addresses are often written in *decimal dotted quad notation*, |
addresses. IP addresses are often written in *decimal dotted quad notation*, |
| where each octet of the 4-octet long address is written in decimal, separated |
where each octet of the 4-octet long address is written in decimal, separated |
| by dots. IP address ranges are usually delegated with more and more of the |
by dots. IP address ranges are usually delegated with more and more of the |
| left-most parts of the address in common as the delegation gets smaller. |
left-most parts of the address in common as the delegation gets smaller. |
| Thus, to allow delegation of the reverse lookup domain to be done easily, |
Thus, to allow delegation of the reverse lookup domain to be done easily, |
| this is turned around when used with the hierarchical DNS namespace, which |
this is turned around when used with the hierarchical DNS namespace, which |
| places higher level domains on the right of the name. |
places higher level domains on the right of the name. |
| |
|
| * Each byte of the IP address is written, as an ASCII text representation of |
* Each byte of the IP address is written, as an ASCII text representation of |
| the number expressed in decimal, with the octets in reverse order, separated |
the number expressed in decimal, with the octets in reverse order, separated |
| by dots and appended with the in-addr.arpa. domain name. For example, to |
by dots and appended with the in-addr.arpa. domain name. For example, to |
| determine the hostname of a network device with IP address 11.22.33.44, this |
determine the hostname of a network device with IP address 11.22.33.44, this |
| algorithm would produce the string `44.33.22.11.in-addr.arpa.` which is a |
algorithm would produce the string `44.33.22.11.in-addr.arpa.` which is a |
| legal, structured Domain Name. A normal nameservice query would then be sent |
legal, structured Domain Name. A normal nameservice query would then be sent |
| to the nameserver asking for a PTR record bound to the generated name. |
to the nameserver asking for a PTR record bound to the generated name. |
| |
|
| * The PTR record, if found, will contain the FQDN of a host. |
* The PTR record, if found, will contain the FQDN of a host. |
| |
|
| One consequence of this is that it is possible for mismatch to occur. Resolving |
One consequence of this is that it is possible for mismatch to occur. Resolving |
| a name into an A record, and then resolving the name built from the address in |
a name into an A record, and then resolving the name built from the address in |
| that A record to a PTR record, may not result in a PTR record which contains the |
that A record to a PTR record, may not result in a PTR record which contains the |
| original name. There is no restriction within the DNS that the "reverse" mapping |
original name. There is no restriction within the DNS that the "reverse" mapping |
| must coincide with the "forward" mapping. This is a useful feature in some |
must coincide with the "forward" mapping. This is a useful feature in some |
| circumstances, particularly when it is required that more than one name has an A |
circumstances, particularly when it is required that more than one name has an A |
| record bound to it which contains the same IP address. |
record bound to it which contains the same IP address. |
| |
|
| While there is no such restriction within the DNS, some application server |
While there is no such restriction within the DNS, some application server |
| programs or network libraries will reject connections from hosts that do not |
programs or network libraries will reject connections from hosts that do not |
| satisfy the following test: |
satisfy the following test: |
| |
|
| * the state information included with an incoming connection includes the IP |
* the state information included with an incoming connection includes the IP |
| address of the source of the request. |
address of the source of the request. |
| |
|
| * a PTR lookup is done to obtain an FQDN of the host making the connection |
* a PTR lookup is done to obtain an FQDN of the host making the connection |
| |
|
| * an A lookup is then done on the returned name, and the connection rejected if |
* an A lookup is then done on the returned name, and the connection rejected if |
| the source IP address is not listed amongst the A records that get returned. |
the source IP address is not listed amongst the A records that get returned. |
| |
|
| This is done as a security precaution, to help detect and prevent malicious |
This is done as a security precaution, to help detect and prevent malicious |
| sites impersonating other sites by configuring their own PTR records to return |
sites impersonating other sites by configuring their own PTR records to return |
| the names of hosts belonging to another organisation. |
the names of hosts belonging to another organisation. |
| |
|
| ## The DNS Files |
## The DNS Files |
| |
|
| Now let's look at actually setting up a small DNS enabled network. We will |
Now let's look at actually setting up a small DNS enabled network. We will |
| continue to use the examples mentioned in [Chapter 24, *Setting up TCP/IP on |
continue to use the examples mentioned in [Chapter 24, *Setting up TCP/IP on |
| NetBSD in practice*](chap-net-practice.html "Chapter 24. Setting up TCP/IP on |
NetBSD in practice*](chap-net-practice.html "Chapter 24. Setting up TCP/IP on |
| NetBSD in practice"), i.e. we assume that: |
NetBSD in practice"), i.e. we assume that: |
| |
|
| * Our IP networking is working correctly |
* Our IP networking is working correctly |
| * We have IPNAT working correctly |
* We have IPNAT working correctly |
| * Currently all hosts use the ISP for DNS |
* Currently all hosts use the ISP for DNS |
| |
|
| Our Name Server will be the `strider` host which also runs IPNAT, and our two |
Our Name Server will be the `strider` host which also runs IPNAT, and our two |
| clients use "strider" as a gateway. It is not really relevant as to what type of |
clients use "strider" as a gateway. It is not really relevant as to what type of |
| interface is on "strider", but for argument's sake we will say a 56k dial up |
interface is on "strider", but for argument's sake we will say a 56k dial up |
| connection. |
connection. |
| |
|
| So, before going any further, let's look at our `/etc/hosts` file on "strider" |
So, before going any further, let's look at our `/etc/hosts` file on "strider" |
|
Line 345 before we have made the alterations to u
|
Line 345 before we have made the alterations to u
|
| 192.168.1.2 samwise sam |
192.168.1.2 samwise sam |
| 192.168.1.3 wormtongue worm |
192.168.1.3 wormtongue worm |
| |
|
| This is not exactly a huge network, but it is worth noting that the same rules |
This is not exactly a huge network, but it is worth noting that the same rules |
| apply for larger networks as we discuss in the context of this section. |
apply for larger networks as we discuss in the context of this section. |
| |
|
| The other assumption we want to make is that the domain we want to set up is |
The other assumption we want to make is that the domain we want to set up is |
| `diverge.org`, and that the domain is only known on our internal network, and |
`diverge.org`, and that the domain is only known on our internal network, and |
| not worldwide. Proper registration of the nameserver's IP address as primary |
not worldwide. Proper registration of the nameserver's IP address as primary |
| would be needed in addition to a static IP. These are mostly administrative |
would be needed in addition to a static IP. These are mostly administrative |
| issues which are left out here. |
issues which are left out here. |
| |
|
| The NetBSD operating system provides a set of config files for you to use for |
The NetBSD operating system provides a set of config files for you to use for |
| setting up DNS. Along with a default `/etc/named.conf`, the following files are |
setting up DNS. Along with a default `/etc/named.conf`, the following files are |
| stored in the `/etc/namedb` directory: |
stored in the `/etc/namedb` directory: |
| |
|
| * `localhost` |
* `localhost` |
|
Line 363 stored in the `/etc/namedb` directory:
|
Line 363 stored in the `/etc/namedb` directory:
|
| * `loopback.v6` |
* `loopback.v6` |
| * `root.cache` |
* `root.cache` |
| |
|
| You will see modified versions of these files in this section, and I strongly |
You will see modified versions of these files in this section, and I strongly |
| suggest making a backup copy of the original files for reference purposes. |
suggest making a backup copy of the original files for reference purposes. |
| |
|
| *Note*: The examples in this chapter refer to BIND major version 8, however, it |
*Note*: The examples in this chapter refer to BIND major version 8, however, it |
| should be noted that format of the name database and other config files are |
should be noted that format of the name database and other config files are |
| almost 100% compatible between version. The only difference I noticed was that |
almost 100% compatible between version. The only difference I noticed was that |
| the `$TTL` information was not required. |
the `$TTL` information was not required. |
| |
|
| ### /etc/named.conf |
### /etc/named.conf |
| |
|
| The first file we want to look at is `/etc/named.conf`. This file is the config |
The first file we want to look at is `/etc/named.conf`. This file is the config |
| file for bind (hence the catchy name). Setting up system like the one we are |
file for bind (hence the catchy name). Setting up system like the one we are |
| doing is relatively simple. First, here is what mine looks like: |
doing is relatively simple. First, here is what mine looks like: |
| |
|
| options { |
options { |
|
Line 418 doing is relatively simple. First, here
|
Line 418 doing is relatively simple. First, here
|
| file "root.cache"; |
file "root.cache"; |
| }; |
}; |
| |
|
| Note that in my `named.conf` the root (".") section is last, that is because |
Note that in my `named.conf` the root (".") section is last, that is because |
| there is another domain called diverge.org on the internet (I happen to own it) |
there is another domain called diverge.org on the internet (I happen to own it) |
| so I want the resolver to look out on the internet last. This is not normally |
so I want the resolver to look out on the internet last. This is not normally |
| the case on most systems. |
the case on most systems. |
| |
|
| Another very important thing to remember here is that if you have an internal |
Another very important thing to remember here is that if you have an internal |
| setup, in other words no live internet connection and/or no need to do root |
setup, in other words no live internet connection and/or no need to do root |
| server lookups, comment out the root (".") zone. It may cause lookup problems if |
server lookups, comment out the root (".") zone. It may cause lookup problems if |
| a particular client decides it wants to reference a domain on the internet, |
a particular client decides it wants to reference a domain on the internet, |
| which our server couldn't resolve itself. |
which our server couldn't resolve itself. |
| |
|
| Looks like a pretty big mess, upon closer examination it is revealed that many |
Looks like a pretty big mess, upon closer examination it is revealed that many |
| of the lines in each section are somewhat redundant. So we should only have to |
of the lines in each section are somewhat redundant. So we should only have to |
| explain them a few times. |
explain them a few times. |
| |
|
| Lets go through the sections of `named.conf`: |
Lets go through the sections of `named.conf`: |
| |
|
| #### options |
#### options |
| |
|
| This section defines some global parameters, most noticeable is the location of |
This section defines some global parameters, most noticeable is the location of |
| the DNS tables, on this particular system, they will be put in `/etc/namedb` as |
the DNS tables, on this particular system, they will be put in `/etc/namedb` as |
| indicated by the "directory" option. |
indicated by the "directory" option. |
| |
|
| Following are the rest of the params: |
Following are the rest of the params: |
| |
|
| * `allow-transfer` -- This option lists which remote DNS servers acting as |
* `allow-transfer` -- This option lists which remote DNS servers acting as |
| secondaries are allowed to do zone transfers, i.e. are allowed to read all |
secondaries are allowed to do zone transfers, i.e. are allowed to read all |
| DNS data at once. For privacy reasons, this should be restricted to secondary |
DNS data at once. For privacy reasons, this should be restricted to secondary |
| DNS servers only. |
DNS servers only. |
| |
|
| * `allow-query` -- This option defines hosts from what network may query this |
* `allow-query` -- This option defines hosts from what network may query this |
| name server at all. Restricting queries only to the local network |
name server at all. Restricting queries only to the local network |
| (192.168.1.0/24) prevents queries arriving on the DNS server's external |
(192.168.1.0/24) prevents queries arriving on the DNS server's external |
| interface, and prevent possible privacy issues. |
interface, and prevent possible privacy issues. |
| |
|
| * `listen-on port` -- This option defined the port and associated IP addresses |
* `listen-on port` -- This option defined the port and associated IP addresses |
| this server will run |
this server will run |
| [named(8)](http://netbsd.gw.com/cgi-bin/man-cgi?named+8+NetBSD-5.0.1+i386) |
[named(8)](http://netbsd.gw.com/cgi-bin/man-cgi?named+8+NetBSD-5.0.1+i386) |
| on. Again, the "external" interface is not listened here, to prevent queries |
on. Again, the "external" interface is not listened here, to prevent queries |
| getting received from "outside". |
getting received from "outside". |
| |
|
| The rest of the `named.conf` file consists of `zone`s. A zone is an area that |
The rest of the `named.conf` file consists of `zone`s. A zone is an area that |
| can have items to resolve attached, e.g. a domain can have hostnames attached to |
can have items to resolve attached, e.g. a domain can have hostnames attached to |
| resolve into IP addresses, and a reverse-zone can have IP addresses attached |
resolve into IP addresses, and a reverse-zone can have IP addresses attached |
| that get resolved back into hostnames. Each zone has a file associated with it, |
that get resolved back into hostnames. Each zone has a file associated with it, |
| and a table within that file for resolving that particular zone. As is readily |
and a table within that file for resolving that particular zone. As is readily |
| apparent, their format in `named.conf` is strikingly similar, so I will |
apparent, their format in `named.conf` is strikingly similar, so I will |
| highlight just one of their records: |
highlight just one of their records: |
| |
|
| #### zone diverge.org |
#### zone diverge.org |
| |
|
| * `type` -- The type of a zone is usually of type "master" in all cases except |
* `type` -- The type of a zone is usually of type "master" in all cases except |
| for the root zone `.` and for zones that a secondary (backup) service is |
for the root zone `.` and for zones that a secondary (backup) service is |
| provided - the type obviously is "secondary" in the latter case. |
provided - the type obviously is "secondary" in the latter case. |
| |
|
| * `notify` -- Do you want to send out notifications to secondaries when your |
* `notify` -- Do you want to send out notifications to secondaries when your |
| zone changes? Obviously not in this setup, so this is set to "no". |
zone changes? Obviously not in this setup, so this is set to "no". |
| |
|
| * `file` -- This option sets the filename in our `/etc/namedb` directory where |
* `file` -- This option sets the filename in our `/etc/namedb` directory where |
| records about this particular zone may be found. For the "diverge.org" zone, |
records about this particular zone may be found. For the "diverge.org" zone, |
| the file `/etc/namedb/diverge.org` is used. |
the file `/etc/namedb/diverge.org` is used. |
| |
|
| ### /etc/namedb/localhost |
### /etc/namedb/localhost |
| |
|
| For the most part, the zone files look quite similar, however, each one does |
For the most part, the zone files look quite similar, however, each one does |
| have some unique properties. Here is what the `localhost` file looks like: |
have some unique properties. Here is what the `localhost` file looks like: |
| |
|
| 1|$TTL 3600 |
1|$TTL 3600 |
|
Line 498 have some unique properties. Here is wha
|
Line 498 have some unique properties. Here is wha
|
| |
|
| Line by line: |
Line by line: |
| |
|
| * *Line 1*: This is the Time To Live for lookups, which defines how long other |
* *Line 1*: This is the Time To Live for lookups, which defines how long other |
| DNS servers will cache that value before discarding it. This value is |
DNS servers will cache that value before discarding it. This value is |
| generally the same in all the files. |
generally the same in all the files. |
| |
|
| * *Line 2*: This line is generally the same in all zone files except |
* *Line 2*: This line is generally the same in all zone files except |
| `root.cache`. It defines a so-called "Start Of Authority" (SOA) header, which |
`root.cache`. It defines a so-called "Start Of Authority" (SOA) header, which |
| contains some basic information about a zone. Of specific interest on this |
contains some basic information about a zone. Of specific interest on this |
| line are "strider.diverge.org." and "root.diverge.org." (note the trailing |
line are "strider.diverge.org." and "root.diverge.org." (note the trailing |
| dots!). Obviously one is the name of this server and the other is the contact |
dots!). Obviously one is the name of this server and the other is the contact |
| for this DNS server, in most cases root seems a little ambiguous, it is |
for this DNS server, in most cases root seems a little ambiguous, it is |
| preferred that a regular email account be used for the contact information, |
preferred that a regular email account be used for the contact information, |
| with the "@" replaced by a "." (for example, mine would be |
with the "@" replaced by a "." (for example, mine would be |
| "jrf.diverge.org."). |
"jrf.diverge.org."). |
| |
|
| * *Line 3*: This line is the serial number identifying the "version" of the |
* *Line 3*: This line is the serial number identifying the "version" of the |
| zone's data set (file). The serial number should be incremented each time |
zone's data set (file). The serial number should be incremented each time |
| there is a change to the file, the usual format is to either start with a |
there is a change to the file, the usual format is to either start with a |
| value of "1" and increase it for every change, or use a value of "YYYYMMDDNN" |
value of "1" and increase it for every change, or use a value of "YYYYMMDDNN" |
| to encode year (YYYY), month (MM), day (DD) and change within one day (NN) in |
to encode year (YYYY), month (MM), day (DD) and change within one day (NN) in |
| the serial number. |
the serial number. |
| |
|
| * *Line 4*: This is the refresh rate of the server, in this file it is set to |
* *Line 4*: This is the refresh rate of the server, in this file it is set to |
| once every 8 hours. |
once every 8 hours. |
| |
|
| * *Line 5*: The retry rate. |
* *Line 5*: The retry rate. |
|
Line 528 Line by line:
|
Line 528 Line by line:
|
| |
|
| * *Line 7*: The minimum Time To Live. |
* *Line 7*: The minimum Time To Live. |
| |
|
| * *Line 8*: This is the Nameserver line, which uses a "NS" resource record to |
* *Line 8*: This is the Nameserver line, which uses a "NS" resource record to |
| show that "localhost" is the only DNS server handing out data for this zone |
show that "localhost" is the only DNS server handing out data for this zone |
| (which is "@", which indicates the zone name used in the `named.conf` file, |
(which is "@", which indicates the zone name used in the `named.conf` file, |
| i.e. "diverge.org") is, well, "localhost". |
i.e. "diverge.org") is, well, "localhost". |
| |
|
| * *Line 9*: This is the localhost entry, which uses an "A" resource record to |
* *Line 9*: This is the localhost entry, which uses an "A" resource record to |
| indicate that the name "localhost" should be resolved into the IP-address |
indicate that the name "localhost" should be resolved into the IP-address |
| 127.0.0.1 for IPv4 queries (which specifically ask for the "A" record). |
127.0.0.1 for IPv4 queries (which specifically ask for the "A" record). |
| |
|
| * *Line 10*: This line is the IPv6 entry, which returns ::1 when someone asks |
* *Line 10*: This line is the IPv6 entry, which returns ::1 when someone asks |
| for an IPv6-address (by specifically asking for the AAAA record) of |
for an IPv6-address (by specifically asking for the AAAA record) of |
| "localhost.". |
"localhost.". |
| |
|
| ### /etc/namedb/zone.127.0.0 |
### /etc/namedb/zone.127.0.0 |
| |
|
| This is the reverse lookup file (or zone) to resolve the special IP address |
This is the reverse lookup file (or zone) to resolve the special IP address |
| 127.0.0.1 back to "localhost": |
127.0.0.1 back to "localhost": |
| |
|
| 1| $TTL 3600 |
1| $TTL 3600 |
|
Line 556 This is the reverse lookup file (or zone
|
Line 556 This is the reverse lookup file (or zone
|
| 8| IN NS localhost. |
8| IN NS localhost. |
| 9| 1.0.0 IN PTR localhost. |
9| 1.0.0 IN PTR localhost. |
| |
|
| In this file, all of the lines are the same as the localhost zonefile with |
In this file, all of the lines are the same as the localhost zonefile with |
| exception of line 9, this is the reverse lookup (PTR) record. The zone used here |
exception of line 9, this is the reverse lookup (PTR) record. The zone used here |
| is "@" again, which got set to the value given in `named.conf`, i.e. |
is "@" again, which got set to the value given in `named.conf`, i.e. |
| "127.in-addr.arpa". This is a special "domain" which is used to do |
"127.in-addr.arpa". This is a special "domain" which is used to do |
| reverse-lookup of IP addresses back into hostnames. For it to work, the four |
reverse-lookup of IP addresses back into hostnames. For it to work, the four |
| bytes of the IPv4 address are reserved, and the domain "in-addr.arpa" attached, |
bytes of the IPv4 address are reserved, and the domain "in-addr.arpa" attached, |
| so to resolve the IP address "127.0.0.1", the PTR record of |
so to resolve the IP address "127.0.0.1", the PTR record of |
| "1.0.0.127.in-addr.arpa" is queried, which is what is defined in that line. |
"1.0.0.127.in-addr.arpa" is queried, which is what is defined in that line. |
| |
|
| ### /etc/namedb/diverge.org |
### /etc/namedb/diverge.org |
| |
|
| This zone file is populated by records for all of our hosts. Here is what it |
This zone file is populated by records for all of our hosts. Here is what it |
| looks like: |
looks like: |
| |
|
| 1| $TTL 3600 |
1| $TTL 3600 |
|
Line 585 looks like:
|
Line 585 looks like:
|
| 13| www IN CNAME samwise.diverge.org. |
13| www IN CNAME samwise.diverge.org. |
| 14| worm IN A 192.168.1.3 |
14| worm IN A 192.168.1.3 |
| |
|
| There is a lot of new stuff here, so lets just look over each line that is new |
There is a lot of new stuff here, so lets just look over each line that is new |
| here: |
here: |
| |
|
| * *Line 9*: This line shows our mail exchanger (MX), in this case it is |
* *Line 9*: This line shows our mail exchanger (MX), in this case it is |
| "strider". The number that precedes "strider.diverge.org." is the priority |
"strider". The number that precedes "strider.diverge.org." is the priority |
| number, the lower the number their higher the priority. The way we are setup |
number, the lower the number their higher the priority. The way we are setup |
| here is if "strider" cannot handle the mail, then "samwise" will. |
here is if "strider" cannot handle the mail, then "samwise" will. |
| |
|
| * *Line 11*: CNAME stands for canonical name, or an alias for an existing |
* *Line 11*: CNAME stands for canonical name, or an alias for an existing |
| hostname, which must have an A record. So we have aliased `www.diverge.org` |
hostname, which must have an A record. So we have aliased `www.diverge.org` |
| to `samwise.diverge.org`. |
to `samwise.diverge.org`. |
| |
|
| The rest of the records are simply mappings of IP address to a full name (A |
The rest of the records are simply mappings of IP address to a full name (A |
| records). |
records). |
| |
|
| ### /etc/namedb/1.168.192 |
### /etc/namedb/1.168.192 |
| |
|
| This zone file is the reverse file for all of the host records, to map their IP |
This zone file is the reverse file for all of the host records, to map their IP |
| numbers we use on our private network back into hostnames. The format is similar |
numbers we use on our private network back into hostnames. The format is similar |
| to that of the "localhost" version with the obvious exception being the |
to that of the "localhost" version with the obvious exception being the |
| addresses are different via the different zone given in the `named.conf` file, |
addresses are different via the different zone given in the `named.conf` file, |
| i.e. "0.168.192.in-addr.arpa" here: |
i.e. "0.168.192.in-addr.arpa" here: |
| |
|
| 1|$TTL 3600 |
1|$TTL 3600 |
|
Line 622 i.e. "0.168.192.in-addr.arpa" here:
|
Line 622 i.e. "0.168.192.in-addr.arpa" here:
|
| |
|
| ### /etc/namedb/root.cache |
### /etc/namedb/root.cache |
| |
|
| This file contains a list of root name servers for your server to query when it |
This file contains a list of root name servers for your server to query when it |
| gets requests outside of its own domain that it cannot answer itself. Here are |
gets requests outside of its own domain that it cannot answer itself. Here are |
| first few lines of a root zone file: |
first few lines of a root zone file: |
| |
|
| ; |
; |
|
Line 659 first few lines of a root zone file:
|
Line 659 first few lines of a root zone file:
|
| ; |
; |
| ... |
... |
| |
|
| This file can be obtained from ISC at <http://www.isc.org/> and usually comes |
This file can be obtained from ISC at <http://www.isc.org/> and usually comes |
| with a distribution of BIND. A `root.cache` file is included in the NetBSD |
with a distribution of BIND. A `root.cache` file is included in the NetBSD |
| operating system's "etc" set. |
operating system's "etc" set. |
| |
|
| This section has described the most important files and settings for a DNS |
This section has described the most important files and settings for a DNS |
| server. Please see the BIND documentation in `/usr/src/dist/bind/doc/bog` and |
server. Please see the BIND documentation in `/usr/src/dist/bind/doc/bog` and |
| [named.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?named.conf+5+NetBSD-5.0.1+i386) |
[named.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?named.conf+5+NetBSD-5.0.1+i386) |
| for more information. |
for more information. |
| |
|
| ## Using DNS |
## Using DNS |
| |
|
| In this section we will look at how to get DNS going and setup "strider" to use |
In this section we will look at how to get DNS going and setup "strider" to use |
| its own DNS services. |
its own DNS services. |
| |
|
| Setting up named to start automatically is quite simple. In `/etc/rc.conf` |
Setting up named to start automatically is quite simple. In `/etc/rc.conf` |
| simply set `named=yes`. Additional options can be specified in `named_flags`, |
simply set `named=yes`. Additional options can be specified in `named_flags`, |
| for example, I like to use `-g nogroup -u nobody`, so a non-root account runs |
for example, I like to use `-g nogroup -u nobody`, so a non-root account runs |
| the "named" process. |
the "named" process. |
| |
|
| In addition to being able to startup "named" at boot time, it can also be |
In addition to being able to startup "named" at boot time, it can also be |
| controlled with the `ndc` command. In a nutshell the `ndc` command can stop, |
controlled with the `ndc` command. In a nutshell the `ndc` command can stop, |
| start or restart the named server process. It can also do a great many other |
start or restart the named server process. It can also do a great many other |
| things. Before use, it has to be setup to communicate with the "named" process, |
things. Before use, it has to be setup to communicate with the "named" process, |
| see the [ndc(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ndc+8+NetBSD-5.0.1+i386) |
see the [ndc(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ndc+8+NetBSD-5.0.1+i386) |
| and |
and |
| [named.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?named.conf+5+NetBSD-5.0.1+i386) |
[named.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?named.conf+5+NetBSD-5.0.1+i386) |
| man pages for more details on setting up communication channels between "ndc" |
man pages for more details on setting up communication channels between "ndc" |
| and the "named" process. |
and the "named" process. |
| |
|
| Next we want to point "strider" to itself for lookups. We have two simple steps, |
Next we want to point "strider" to itself for lookups. We have two simple steps, |
| first, decide on our resolution order. On a network this small, it is likely |
first, decide on our resolution order. On a network this small, it is likely |
| that each host has a copy of the hosts table, so we can get away with using |
that each host has a copy of the hosts table, so we can get away with using |
| `/etc/hosts` first, and then DNS. However, on larger networks it is much easier |
`/etc/hosts` first, and then DNS. However, on larger networks it is much easier |
| to use DNS. Either way, the file where order of name services used for |
to use DNS. Either way, the file where order of name services used for |
| resolution is determined is `/etc/nsswitch.conf` (see |
resolution is determined is `/etc/nsswitch.conf` (see |
| [[`nsswitch.conf`|guide/net-practice#ex-nsswitch]]. Here is part of a typical |
[[`nsswitch.conf`|guide/net-practice#ex-nsswitch]]. Here is part of a typical |
| `nsswitch.conf`: |
`nsswitch.conf`: |
| |
|
| ... |
... |
|
Line 703 resolution is determined is `/etc/nsswit
|
Line 703 resolution is determined is `/etc/nsswit
|
| netgroup: files [notfound=return] nis |
netgroup: files [notfound=return] nis |
| ... |
... |
| |
|
| The line we are interested in is the "hosts" line. "files" means the system uses |
The line we are interested in is the "hosts" line. "files" means the system uses |
| the `/etc/hosts` file first to determine ip to name translation, and if it can't |
the `/etc/hosts` file first to determine ip to name translation, and if it can't |
| find an entry, it will try DNS. |
find an entry, it will try DNS. |
| |
|
| The next file to look at is `/etc/resolv.conf`, which is used to configure DNS |
The next file to look at is `/etc/resolv.conf`, which is used to configure DNS |
| lookups ("resolution") on the client side. The format is pretty self explanatory |
lookups ("resolution") on the client side. The format is pretty self explanatory |
| but we will go over it anyway: |
but we will go over it anyway: |
| |
|
| domain diverge.org |
domain diverge.org |
| search diverge.org |
search diverge.org |
| nameserver 192.168.1.1 |
nameserver 192.168.1.1 |
| |
|
| In a nutshell this file is telling the resolver that this machine belongs to the |
In a nutshell this file is telling the resolver that this machine belongs to the |
| "diverge.org" domain, which means that lookups that contain only a hostname |
"diverge.org" domain, which means that lookups that contain only a hostname |
| without a "." gets this domain appended to build a FQDN. If that lookup doesn't |
without a "." gets this domain appended to build a FQDN. If that lookup doesn't |
| succeed, the domains in the "search" line are tried next. Finally, the |
succeed, the domains in the "search" line are tried next. Finally, the |
| "nameserver" line gives the IP addresses of one or more DNS servers that should |
"nameserver" line gives the IP addresses of one or more DNS servers that should |
| be used to resolve DNS queries. |
be used to resolve DNS queries. |
| |
|
| To test our nameserver we can use several commands, for example: |
To test our nameserver we can use several commands, for example: |
|
Line 727 To test our nameserver we can use severa
|
Line 727 To test our nameserver we can use severa
|
| # host sam |
# host sam |
| sam.diverge.org has address 192.168.1.2 |
sam.diverge.org has address 192.168.1.2 |
| |
|
| As can be seen, the domain was appended automatically here, using the value from |
As can be seen, the domain was appended automatically here, using the value from |
| `/etc/resolv.conf`. Here is another example, the output of running |
`/etc/resolv.conf`. Here is another example, the output of running |
| `host www.yahoo.com`: |
`host www.yahoo.com`: |
| |
|
|
Line 742 As can be seen, the domain was appended
|
Line 742 As can be seen, the domain was appended
|
| www.yahoo.akadns.net has address 68.142.226.55 |
www.yahoo.akadns.net has address 68.142.226.55 |
| www.yahoo.akadns.net has address 68.142.226.32 |
www.yahoo.akadns.net has address 68.142.226.32 |
| |
|
| Other commands for debugging DNS besides |
Other commands for debugging DNS besides |
| [host(1)](http://netbsd.gw.com/cgi-bin/man-cgi?host+1+NetBSD-5.0.1+i386) are |
[host(1)](http://netbsd.gw.com/cgi-bin/man-cgi?host+1+NetBSD-5.0.1+i386) are |
| [nslookup(8)](http://netbsd.gw.com/cgi-bin/man-cgi?nslookup+8+NetBSD-5.0.1+i386) |
[nslookup(8)](http://netbsd.gw.com/cgi-bin/man-cgi?nslookup+8+NetBSD-5.0.1+i386) |
| and |
and |
| [dig(1)](http://netbsd.gw.com/cgi-bin/man-cgi?dig+1+NetBSD-5.0.1+i386). Note |
[dig(1)](http://netbsd.gw.com/cgi-bin/man-cgi?dig+1+NetBSD-5.0.1+i386). Note |
| that |
that |
| [ping(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ping+8+NetBSD-5.0.1+i386) |
[ping(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ping+8+NetBSD-5.0.1+i386) |
| is *not* useful for debugging DNS, as it will use whatever is configured in |
is *not* useful for debugging DNS, as it will use whatever is configured in |
| `/etc/nsswitch.conf` to do the name-lookup. |
`/etc/nsswitch.conf` to do the name-lookup. |
| |
|
| At this point the server is configured properly. The procedure for setting up |
At this point the server is configured properly. The procedure for setting up |
| the client hosts are easier, you only need to setup `/etc/nsswitch.conf` and |
the client hosts are easier, you only need to setup `/etc/nsswitch.conf` and |
| `/etc/resolv.conf` to the same values as on the server. |
`/etc/resolv.conf` to the same values as on the server. |
| |
|
| ## Setting up a caching only name server |
## Setting up a caching only name server |
| |
|
| A caching only name server has no local zones; all the queries it receives are |
A caching only name server has no local zones; all the queries it receives are |
| forwarded to the root servers and the replies are accumulated in the local |
forwarded to the root servers and the replies are accumulated in the local |
| cache. The next time the query is performed the answer will be faster because |
cache. The next time the query is performed the answer will be faster because |
| the data is already in the server's cache. Since this type of server doesn't |
the data is already in the server's cache. Since this type of server doesn't |
| handle local zones, to resolve the names of the local hosts it will still be |
handle local zones, to resolve the names of the local hosts it will still be |
| necessary to use the already known `/etc/hosts` file. |
necessary to use the already known `/etc/hosts` file. |
| |
|
| Since NetBSD supplies defaults for all the files needed by a caching only |
Since NetBSD supplies defaults for all the files needed by a caching only |
| server, it only needs to be enabled and started and is immediately ready for |
server, it only needs to be enabled and started and is immediately ready for |
| use! To enable named, put `named=yes` into `/etc/rc.conf`, and tell the system |
use! To enable named, put `named=yes` into `/etc/rc.conf`, and tell the system |
| to use it adding the following line to the `/etc/resolv.conf` file: |
to use it adding the following line to the `/etc/resolv.conf` file: |
| |
|
| # cat /etc/resolv.conf |
# cat /etc/resolv.conf |
|
Line 779 Now we can start named:
|
Line 779 Now we can start named:
|
| |
|
| ### Testing the server |
### Testing the server |
| |
|
| Now that the server is running we can test it using the |
Now that the server is running we can test it using the |
| [nslookup(8)](http://netbsd.gw.com/cgi-bin/man-cgi?nslookup+8+NetBSD-5.0.1+i386) |
[nslookup(8)](http://netbsd.gw.com/cgi-bin/man-cgi?nslookup+8+NetBSD-5.0.1+i386) |
| program: |
program: |
| |
|
| $ nslookup |
$ nslookup |
|
Line 808 If you repeat the query a second time, t
|
Line 808 If you repeat the query a second time, t
|
| Name: www.NetBSD.org |
Name: www.NetBSD.org |
| Address: 204.152.190.12 |
Address: 204.152.190.12 |
| |
|
| As you've probably noticed, the address is the same, but the message |
As you've probably noticed, the address is the same, but the message |
| `Non-authoritative answer` has appeared. This message indicates that the answer |
`Non-authoritative answer` has appeared. This message indicates that the answer |
| is not coming from an authoritative server for the domain NetBSD.org but from |
is not coming from an authoritative server for the domain NetBSD.org but from |
| the cache of our own server. |
the cache of our own server. |
| |
|
| The results of this first test confirm that the server is working correctly. |
The results of this first test confirm that the server is working correctly. |
| |
|
| We can also try the |
We can also try the |
| [host(1)](http://netbsd.gw.com/cgi-bin/man-cgi?host+1+NetBSD-5.0.1+i386) and |
[host(1)](http://netbsd.gw.com/cgi-bin/man-cgi?host+1+NetBSD-5.0.1+i386) and |
| [dig(1)](http://netbsd.gw.com/cgi-bin/man-cgi?dig+1+NetBSD-5.0.1+i386) commands, |
[dig(1)](http://netbsd.gw.com/cgi-bin/man-cgi?dig+1+NetBSD-5.0.1+i386) commands, |
| which give the following result. |
which give the following result. |
| |
|
| $ host www.NetBSD.org |
$ host www.NetBSD.org |
|
Line 846 which give the following result.
|
Line 846 which give the following result.
|
| ;; Total query time: 14 msec |
;; Total query time: 14 msec |
| ;; FROM: miyu to SERVER: 127.0.0.1 |
;; FROM: miyu to SERVER: 127.0.0.1 |
| ;; WHEN: Thu Nov 25 22:59:36 2004 |
;; WHEN: Thu Nov 25 22:59:36 2004 |
| ;; MSG SIZE sent: 32 rcvd: 175 |
;; MSG SIZE sent: 32 rcvd: 175 |
| |
|
| As you can see |
As you can see |
| [dig(1)](http://netbsd.gw.com/cgi-bin/man-cgi?dig+1+NetBSD-5.0.1+i386) gives |
[dig(1)](http://netbsd.gw.com/cgi-bin/man-cgi?dig+1+NetBSD-5.0.1+i386) gives |
| quite a bit of output, the expected answer can be found in the "ANSWER SECTION". |
quite a bit of output, the expected answer can be found in the "ANSWER SECTION". |
| The other data given may be of interest when debugging DNS problems. |
The other data given may be of interest when debugging DNS problems. |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to dns.mdwn CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [NetBSD Developer Wiki] / wikisrc / guide