Annotation of wikisrc/guide/dns.mdwn, revision 1.3

1.3     ! jdf         1: **Contents**
        !             2: 
        !             3: [[!toc levels=3]]
        !             4: 
1.1       jdf         5: # The Domain Name System
1.2       jdf         7: Use of the Domain Name System has been discussed in previous chapters, without
                      8: going into detail on the setup of the server providing the service. This chapter
                      9: describes setting up a simple, small domain with one Domain Name System (DNS)
                     10: nameserver on a NetBSD system. It includes a brief explanation and overview of
                     11: the DNS; further information can be obtained from the DNS Resources Directory
1.1       jdf        12: (DNSRD) at [](
                     14: ## DNS Background and Concepts
1.2       jdf        16: The DNS is a widely used *naming service* on the Internet and other TCP/IP
                     17: networks. The network protocols, data and file formats, and other aspects of the
                     18: DNS are Internet Standards, specified in a number of RFC documents, and
                     19: described by a number of other reference and tutorial works. The DNS has a
                     20: distributed, client-server architecture. There are reference implementations for
                     21: the server and client, but these are not part of the standard. There are a
1.1       jdf        22: number of additional implementations available for many platforms.
                     24: ### Naming Services
1.2       jdf        26: Naming services are used to provide a mapping between textual names and
                     27: configuration data of some form. A *nameserver* maintains this mapping, and
1.1       jdf        28: clients request the nameserver to *resolve* a name into its attached data.
1.2       jdf        30: The reader should have a good understanding of basic hosts to IP address mapping
1.1       jdf        31: and IP address class specifications, see
                     32: [[Name Service Concepts|guide/net-intro#nsconcepts]].
1.2       jdf        34: In the case of the DNS, the configuration data bound to a name is in the form of
                     35: standard *Resource Records* (RRs). These textual names conform to certain
1.1       jdf        36: structural conventions.
                     38: ### The DNS namespace
1.2       jdf        40: The DNS presents a hierarchical name space, much like a UNIX filesystem,
1.1       jdf        41: pictured as an inverted tree with the *root* at the top.
1.2       jdf        43:     TOP-LEVEL                                .org
                     44:                                                |
                     45:     MID-LEVEL                   
                     46:                          ______________________|________________________
                     47:                         |                      |                        |
1.1       jdf        48:     BOTTOM-LEVEL
1.2       jdf        50: The system can also be logically divided even further if one wishes at different
                     51: points. The example shown above shows three nodes on the domain, but
                     52: we could even divide into subdomains such as
                     53: "", "" and
                     54: ""; in this case, 2 nodes reside in
1.1       jdf        55: "" and one in "".
1.2       jdf        57: There are directories of names, some of which may be sub-directories of further
                     58: names. These directories are sometimes called *zones*. There is provision for
                     59: symbolic links, redirecting requests for information on one name to the records
                     60: bound to another name. Each name recognised by the DNS is called a *Domain
                     61: Name*, whether it represents information about a specific host, or a directory
1.1       jdf        62: of subordinate Domain Names (or both, or something else).
1.2       jdf        64: Unlike most filesystem naming schemes, however, Domain Names are written with
                     65: the innermost name on the left, and progressively higher-level domains to the
                     66: right, all the way up to the root directory if necessary. The separator used
1.1       jdf        67: when writing Domain Names is a period, ".".
1.2       jdf        69: Like filesystem pathnames, Domain Names can be written in an absolute or
                     70: relative manner, though there are some differences in detail. For instance,
                     71: there is no way to indirectly refer to the parent domain like with the UNIX `..`
                     72: directory. Many (but not all) resolvers offer a search path facility, so that
                     73: partially-specified names can be resolved relative to additional listed
                     74: sub-domains other than the client's own domain. Names that are completely
                     75: specified all the way to the root are called *Fully Qualified Domain Names* or
                     76: *FQDN*s. A defining characteristic of an FQDN is that it is written with a
                     77: terminating period. The same name, without the terminating period, may be
                     78: considered relative to some other sub-domain. It is rare for this to occur
                     79: without malicious intent, but in part because of this possibility, FQDNs are
1.1       jdf        80: required as configuration parameters in some circumstances.
1.2       jdf        82: On the Internet, there are some established conventions for the names of the
                     83: first few levels of the tree, at which point the hierarchy reaches the level of
                     84: an individual organisation. This organisation is responsible for establishing
1.1       jdf        85: and maintaining conventions further down the tree, within its own domain.
                     87: ### Resource Records
1.2       jdf        89: Resource Records for a domain are stored in a standardised format in an ASCII
                     90: text file, often called a *zone file*. The following Resource Records are
                     91: commonly used (a number of others are defined but not often used, or no longer
                     92: used). In some cases, there may be multiple RR types associated with a name, and
1.1       jdf        93: even multiple records of the same type.
                     95: #### Common DNS Resource Records
1.2       jdf        97:  * *A: Address* -- This record contains the numerical IP address associated with
1.1       jdf        98:    the name.
1.2       jdf       100:  * *CNAME: Canonical Name* -- This record contains the Canonical Name (an FQDN
                    101:    with an associated A record) of the host name to which this record is bound.
                    102:    This record type is used to provide name aliasing, by providing a link to
                    103:    another name with which other appropriate RR's are associated. If a name has
                    104:    a CNAME record bound to it, it is an alias, and no other RR's are permitted
1.1       jdf       105:    to be bound to the same name.
1.2       jdf       107:    It is common for these records to be used to point to hosts providing a
                    108:    particular service, such as an FTP or HTTP server. If the service must be
                    109:    moved to another host, the alias can be changed, and the same name will reach
1.1       jdf       110:    the new host.
1.2       jdf       112:  * *PTR: Pointer* -- This record contains a textual name. These records are
                    113:    bound to names built in a special way from numerical IP addresses, and are
                    114:    used to provide a reverse mapping from an IP address to a textual name. This
1.1       jdf       115:    is described in more detail in [[Reverse Resolution|guide/dns#bg-reverse]].
1.2       jdf       117:  * *NS: Name Server* -- This record type is used to *delegate* a sub-tree of the
                    118:    Domain Name space to another nameserver. The record contains the FQDN of a
                    119:    DNS nameserver with information on the sub-domain, and is bound to the name
                    120:    of the sub-domain. In this manner, the hierarchical structure of the DNS is
                    121:    established. Delegation is described in more detail in
1.1       jdf       122:    [[Delegation|guide/dns#bg-delegation]].
1.2       jdf       124:  * *MX: Mail eXchange* -- This record contains the FQDN for a host that will
                    125:    accept SMTP electronic mail for the named domain, together with a priority
                    126:    value used to select an MX host when relaying mail. It is used to indicate
                    127:    other servers that are willing to receive and spool mail for the domain if
                    128:    the primary MX is unreachable for a time. It is also used to direct email to
                    129:    a central server, if desired, rather than to each and every individual
1.1       jdf       130:    workstation.
1.2       jdf       132:  * *HINFO: Host Information* -- Contains two strings, intended for use to
                    133:    describe the host hardware and operating system platform. There are defined
                    134:    strings to use for some systems, but their use is not enforced. Some sites,
1.1       jdf       135:    because of security considerations, do not publicise this information.
1.2       jdf       137:  * *TXT: Text* -- A free-form text field, sometimes used as a comment field,
                    138:    sometimes overlaid with site-specific additional meaning to be interpreted by
1.1       jdf       139:    local conventions.
1.2       jdf       141:  * *SOA: Start of Authority* -- This record is required to appear for each zone
                    142:    file. It lists the primary nameserver and the email address of the person
                    143:    responsible for the domain, together with default values for a number of
                    144:    fields associated with maintaining consistency across multiple servers and
1.1       jdf       145:    caching of the results of DNS queries.
                    147: ### Delegation
1.2       jdf       149: Using NS records, authority for portions of the DNS namespace below a certain
                    150: point in the tree can be delegated, and further sub-parts below that delegated
                    151: again. It is at this point that the distinction between a domain and a zone
                    152: becomes important. Any name in the DNS is called a domain, and the term applies
                    153: to that name and to any subordinate names below that one in the tree. The
                    154: boundaries of a zone are narrower, and are defined by delegations. A zone starts
                    155: with a delegation (or at the root), and encompasses all names in the domain
1.1       jdf       156: below that point, excluding names below any subsequent delegations.
1.2       jdf       158: This distinction is important for implementation - a zone is a single
                    159: administrative entity (with a single SOA record), and all data for the zone is
                    160: referred to by a single file, called a *zone file*. A zone file may contain more
                    161: than one period-separated level of the namespace tree, if desired, by including
                    162: periods in the names in that zone file. In order to simplify administration and
                    163: prevent overly-large zone files, it is quite legal for a DNS server to delegate
1.1       jdf       164: to itself, splitting the domain into several zones kept on the same server.
                    166: ### Delegation to multiple servers
1.2       jdf       168: For redundancy, it is common (and often administratively required) that there be
                    169: more than one nameserver providing information on a zone. It is also common that
                    170: at least one of these servers be located at some distance (in terms of network
                    171: topology) from the others, so that knowledge of that zone does not become
                    172: unavailable in case of connectivity failure. Each nameserver will be listed in
                    173: an NS record bound to the name of the zone, stored in the parent zone on the
                    174: server responsible for the parent domain. In this way, those searching the name
                    175: hierarchy from the top down can contact any one of the servers to continue
1.1       jdf       176: narrowing their search. This is occasionally called *walking the tree*.
1.2       jdf       178: There are a number of nameservers on the Internet which are called *root
                    179: nameservers*. These servers provide information on the very top levels of the
                    180: domain namespace tree. These servers are special in that their addresses must be
                    181: pre-configured into nameservers as a place to start finding other servers.
                    182: Isolated networks that cannot access these servers may need to provide their own
1.1       jdf       183: root nameservers.
                    185: ### Secondaries, Caching, and the SOA record
1.2       jdf       187: In order to maintain consistency between these servers, one is usually
                    188: configured as the *primary* server, and all administrative changes are made on
                    189: this server. The other servers are configured as *secondaries*, and transfer the
                    190: contents of the zone from the primary. This operational model is not required,
                    191: and if external considerations require it, multiple primaries can be used
                    192: instead, but consistency must then be maintained by other means. DNS servers
                    193: that store Resource Records for a zone, whether they be primary or secondary
                    194: servers, are said to be *authoritative* for the zone. A DNS server can be
1.1       jdf       195: authoritative for several zones.
1.2       jdf       197: When nameservers receive responses to queries, they can *cache* the results.
                    198: This has a significant beneficial impact on the speed of queries, the query load
                    199: on high-level nameservers, and network utilisation. It is also a major
1.1       jdf       200: contributor to the memory usage of the nameserver process.
1.2       jdf       202: There are a number of parameters that are important to maintaining consistency
                    203: amongst the secondaries and caches. The values for these parameters for a
1.1       jdf       204: particular domain zone file are stored in the SOA record. These fields are:
                    206: #### Fields of the SOA Record
1.2       jdf       208:  * *Serial* -- A serial number for the zone file. This should be incremented any
                    209:    time the data in the domain is changed. When a secondary wants to check if
                    210:    its data is up-to-date, it checks the serial number on the primary's SOA
1.1       jdf       211:    record.
1.2       jdf       213:  * *Refresh* -- A time, in seconds, specifying how often the secondary should
                    214:    check the serial number on the primary, and start a new transfer if the
1.1       jdf       215:    primary has newer data.
1.2       jdf       217:  * *Retry* -- If a secondary fails to connect to the primary when the refresh
                    218:    time has elapsed (for example, if the host is down), this value specifies, in
1.1       jdf       219:    seconds, how often the connection should be retried.
1.2       jdf       221:  * *Expire* -- If the retries fail to reach the primary within this number of
                    222:    seconds, the secondary destroys its copies of the zone data file(s), and
                    223:    stops answering requests for the domain. This stops very old and potentially
1.1       jdf       224:    inaccurate data from remaining in circulation.
1.2       jdf       226:  * *TTL* -- This field specifies a time, in seconds, that the resource records
                    227:    in this zone should remain valid in the caches of other nameservers. If the
                    228:    data is volatile, this value should be short. TTL is a commonly-used acronym,
1.1       jdf       229:    that stands for "Time To Live".
                    231: ### Name Resolution
1.2       jdf       233: DNS clients are configured with the addresses of DNS servers. Usually, these are
                    234: servers which are authoritative for the domain of which they are a member. All
                    235: requests for name resolution start with a request to one of these local servers.
1.1       jdf       236: DNS queries can be of two forms:
1.2       jdf       238:  * A *recursive* query asks the nameserver to resolve a name completely, and
                    239:    return the result. If the request cannot be satisfied directly, the
                    240:    nameserver looks in its configuration and caches for a server higher up the
                    241:    domain tree which may have more information. In the worst case, this will be
                    242:    a list of pre-configured servers for the root domain. These addresses are
                    243:    returned in a response called a *referral*. The local nameserver must then
1.1       jdf       244:    send its request to one of these servers.
1.2       jdf       246:  * Normally, this will be an *iterative* query, which asks the second nameserver
                    247:    to either respond with an authoritative reply, or with the addresses of
                    248:    nameservers (NS records) listed in its tables or caches as authoritative for
                    249:    the relevant zone. The local nameserver then makes iterative queries, walking
                    250:    the tree downwards until an authoritative answer is found (either positive or
1.1       jdf       251:    negative) and returned to the client.
1.2       jdf       253: In some configurations, such as when firewalls prevent direct IP communications
                    254: between DNS clients and external nameservers, or when a site is connected to the
                    255: rest of the world via a slow link, a nameserver can be configured with
                    256: information about a *forwarder*. This is an external nameserver to which the
                    257: local nameserver should make requests as a client would, asking the external
                    258: nameserver to perform the full recursive name lookup, and return the result in a
1.1       jdf       259: single query (which can then be cached), rather than reply with referrals.
                    261: ### Reverse Resolution
1.2       jdf       263: The DNS provides resolution from a textual name to a resource record, such as an
                    264: A record with an IP address. It does not provide a means, other than exhaustive
                    265: search, to match in the opposite direction; there is no mechanism to ask which
1.1       jdf       266: name is bound to a particular RR.
1.2       jdf       268: For many RR types, this is of no real consequence, however it is often useful to
                    269: identify by name the host which owns a particular IP address. Rather than
                    270: complicate the design and implementation of the DNS database engine by providing
                    271: matching functions in both directions, the DNS utilises the existing mechanisms
                    272: and creates a special namespace, populated with PTR records, for IP address to
                    273: name resolution. Resolving in this manner is often called *reverse resolution*,
1.1       jdf       274: despite the inaccurate implications of the term.
                    276: The manner in which this is achieved is as follows:
1.2       jdf       278:  * A normal domain name is reserved and defined to be for the purpose of mapping
                    279:    IP addresses. The domain name used is `` which shows the
                    280:    historical origins of the Internet in the US Government's Defence Advanced
1.1       jdf       281:    Research Projects Agency's funding program.
1.2       jdf       283:  * This domain is then subdivided and delegated according to the structure of IP
                    284:    addresses. IP addresses are often written in *decimal dotted quad notation*,
                    285:    where each octet of the 4-octet long address is written in decimal, separated
                    286:    by dots. IP address ranges are usually delegated with more and more of the
                    287:    left-most parts of the address in common as the delegation gets smaller.
                    288:    Thus, to allow delegation of the reverse lookup domain to be done easily,
                    289:    this is turned around when used with the hierarchical DNS namespace, which
1.1       jdf       290:    places higher level domains on the right of the name.
1.2       jdf       292:  * Each byte of the IP address is written, as an ASCII text representation of
                    293:    the number expressed in decimal, with the octets in reverse order, separated
                    294:    by dots and appended with the domain name. For example, to
                    295:    determine the hostname of a network device with IP address, this
                    296:    algorithm would produce the string `` which is a
                    297:    legal, structured Domain Name. A normal nameservice query would then be sent
1.1       jdf       298:    to the nameserver asking for a PTR record bound to the generated name.
1.2       jdf       299: 
1.1       jdf       300:  * The PTR record, if found, will contain the FQDN of a host.
1.2       jdf       302: One consequence of this is that it is possible for mismatch to occur. Resolving
                    303: a name into an A record, and then resolving the name built from the address in
                    304: that A record to a PTR record, may not result in a PTR record which contains the
                    305: original name. There is no restriction within the DNS that the "reverse" mapping
                    306: must coincide with the "forward" mapping. This is a useful feature in some
                    307: circumstances, particularly when it is required that more than one name has an A
1.1       jdf       308: record bound to it which contains the same IP address.
1.2       jdf       310: While there is no such restriction within the DNS, some application server
                    311: programs or network libraries will reject connections from hosts that do not
1.1       jdf       312: satisfy the following test:
1.2       jdf       314:  * the state information included with an incoming connection includes the IP
1.1       jdf       315:    address of the source of the request.
                    317:  * a PTR lookup is done to obtain an FQDN of the host making the connection
1.2       jdf       319:  * an A lookup is then done on the returned name, and the connection rejected if
1.1       jdf       320:    the source IP address is not listed amongst the A records that get returned.
1.2       jdf       322: This is done as a security precaution, to help detect and prevent malicious
                    323: sites impersonating other sites by configuring their own PTR records to return
1.1       jdf       324: the names of hosts belonging to another organisation.
                    326: ## The DNS Files
1.2       jdf       328: Now let's look at actually setting up a small DNS enabled network. We will
                    329: continue to use the examples mentioned in [Chapter 24, *Setting up TCP/IP on
                    330: NetBSD in practice*](chap-net-practice.html "Chapter 24. Setting up TCP/IP on
1.1       jdf       331: NetBSD in practice"), i.e. we assume that:
                    333:  * Our IP networking is working correctly
                    334:  * We have IPNAT working correctly
                    335:  * Currently all hosts use the ISP for DNS
1.2       jdf       337: Our Name Server will be the `strider` host which also runs IPNAT, and our two
                    338: clients use "strider" as a gateway. It is not really relevant as to what type of
                    339: interface is on "strider", but for argument's sake we will say a 56k dial up
1.1       jdf       340: connection.
                    342: So, before going any further, let's look at our `/etc/hosts` file on "strider"
                    343: before we have made the alterations to use DNS.
                    345: **Example strider's `/etc/hosts` file**
                    347:       localhost
                    348:     strider
                    349:     samwise sam
                    350:     wormtongue worm
1.2       jdf       352: This is not exactly a huge network, but it is worth noting that the same rules
1.1       jdf       353: apply for larger networks as we discuss in the context of this section.
1.2       jdf       355: The other assumption we want to make is that the domain we want to set up is
                    356: ``, and that the domain is only known on our internal network, and
                    357: not worldwide. Proper registration of the nameserver's IP address as primary
                    358: would be needed in addition to a static IP. These are mostly administrative
1.1       jdf       359: issues which are left out here.
1.2       jdf       361: The NetBSD operating system provides a set of config files for you to use for
                    362: setting up DNS. Along with a default `/etc/named.conf`, the following files are
1.1       jdf       363: stored in the `/etc/namedb` directory:
                    365:  * `localhost`
                    366:  * `127`
                    367:  * `loopback.v6`
                    368:  * `root.cache`
1.2       jdf       370: You will see modified versions of these files in this section, and I strongly
1.1       jdf       371: suggest making a backup copy of the original files for reference purposes.
1.2       jdf       373: *Note*: The examples in this chapter refer to BIND major version 8, however, it
                    374: should be noted that format of the name database and other config files are
                    375: almost 100% compatible between version. The only difference I noticed was that
1.1       jdf       376: the `$TTL` information was not required.
                    378: ### /etc/named.conf
1.2       jdf       380: The first file we want to look at is `/etc/named.conf`. This file is the config
                    381: file for bind (hence the catchy name). Setting up system like the one we are
1.1       jdf       382: doing is relatively simple. First, here is what mine looks like:
                    384:     options {
                    385:             directory "/etc/namedb";
                    386:             allow-transfer {; };
                    387:             allow-query {; };
                    388:             listen-on port 53 {; };
                    389:     };
                    391:     zone "localhost" {
                    392:        type master;
                    393:        notify no;
                    394:        file "localhost";
                    395:     };
                    397:     zone "127.IN-ADDR.ARPA" {
                    398:        type master;
                    399:        notify no;
                    400:        file "127";
                    401:     };
                    403:     zone "" {
                    404:        type master;
                    405:        file "loopback.v6";
                    406:     };
                    408:     zone "" {
                    409:        type master;
                    410:        notify no;
                    411:        file "";
                    412:     };
                    414:     zone "" {
                    415:        type master;
                    416:        notify no;
                    417:        file "1.168.192";
                    418:     };
                    420:     zone "." in {
                    421:        type hint;
                    422:        file "root.cache";
                    423:     };
1.2       jdf       425: Note that in my `named.conf` the root (".") section is last, that is because
                    426: there is another domain called on the internet (I happen to own it)
                    427: so I want the resolver to look out on the internet last. This is not normally
1.1       jdf       428: the case on most systems.
1.2       jdf       430: Another very important thing to remember here is that if you have an internal
                    431: setup, in other words no live internet connection and/or no need to do root
                    432: server lookups, comment out the root (".") zone. It may cause lookup problems if
                    433: a particular client decides it wants to reference a domain on the internet,
1.1       jdf       434: which our server couldn't resolve itself.
1.2       jdf       436: Looks like a pretty big mess, upon closer examination it is revealed that many
                    437: of the lines in each section are somewhat redundant. So we should only have to
1.1       jdf       438: explain them a few times.
                    440: Lets go through the sections of `named.conf`:
                    442: #### options
1.2       jdf       444: This section defines some global parameters, most noticeable is the location of
                    445: the DNS tables, on this particular system, they will be put in `/etc/namedb` as
1.1       jdf       446: indicated by the "directory" option.
                    448: Following are the rest of the params:
1.2       jdf       450:  * `allow-transfer` -- This option lists which remote DNS servers acting as
                    451:    secondaries are allowed to do zone transfers, i.e. are allowed to read all
                    452:    DNS data at once. For privacy reasons, this should be restricted to secondary
1.1       jdf       453:    DNS servers only.
1.2       jdf       455:  * `allow-query` -- This option defines hosts from what network may query this
                    456:    name server at all. Restricting queries only to the local network
                    457:    ( prevents queries arriving on the DNS server's external
1.1       jdf       458:    interface, and prevent possible privacy issues.
1.2       jdf       460:  * `listen-on port` -- This option defined the port and associated IP addresses
                    461:    this server will run
                    462:    [named(8)](
                    463:    on. Again, the "external" interface is not listened here, to prevent queries
1.1       jdf       464:    getting received from "outside".
1.2       jdf       466: The rest of the `named.conf` file consists of `zone`s. A zone is an area that
                    467: can have items to resolve attached, e.g. a domain can have hostnames attached to
                    468: resolve into IP addresses, and a reverse-zone can have IP addresses attached
                    469: that get resolved back into hostnames. Each zone has a file associated with it,
                    470: and a table within that file for resolving that particular zone. As is readily
                    471: apparent, their format in `named.conf` is strikingly similar, so I will
1.1       jdf       472: highlight just one of their records:
                    474: #### zone
1.2       jdf       476:  * `type` -- The type of a zone is usually of type "master" in all cases except
                    477:    for the root zone `.` and for zones that a secondary (backup) service is
1.1       jdf       478:    provided - the type obviously is "secondary" in the latter case.
1.2       jdf       480:  * `notify` -- Do you want to send out notifications to secondaries when your
1.1       jdf       481:    zone changes? Obviously not in this setup, so this is set to "no".
1.2       jdf       483:  * `file` -- This option sets the filename in our `/etc/namedb` directory where
                    484:    records about this particular zone may be found. For the "" zone,
1.1       jdf       485:    the file `/etc/namedb/` is used.
                    487: ### /etc/namedb/localhost
1.2       jdf       489: For the most part, the zone files look quite similar, however, each one does
1.1       jdf       490: have some unique properties. Here is what the `localhost` file looks like:
                    492:      1|$TTL    3600
                    493:      2|@              IN SOA (
                    494:      3|                        1       ; Serial
                    495:      4|                        8H      ; Refresh
                    496:      5|                        2H      ; Retry
                    497:      6|                        1W      ; Expire
                    498:      7|                        1D)     ; Minimum TTL
                    499:      8|               IN NS   localhost.
                    500:      9|localhost.     IN      A
                    501:     10|               IN      AAAA    ::1
                    503: Line by line:
1.2       jdf       505:  * *Line 1*: This is the Time To Live for lookups, which defines how long other
                    506:    DNS servers will cache that value before discarding it. This value is
1.1       jdf       507:    generally the same in all the files.
1.2       jdf       509:  * *Line 2*: This line is generally the same in all zone files except
                    510:    `root.cache`. It defines a so-called "Start Of Authority" (SOA) header, which
                    511:    contains some basic information about a zone. Of specific interest on this
                    512:    line are "" and "" (note the trailing
                    513:    dots!). Obviously one is the name of this server and the other is the contact
                    514:    for this DNS server, in most cases root seems a little ambiguous, it is
                    515:    preferred that a regular email account be used for the contact information,
                    516:    with the "@" replaced by a "." (for example, mine would be
1.1       jdf       517:    "").
1.2       jdf       519:  * *Line 3*: This line is the serial number identifying the "version" of the
                    520:    zone's data set (file). The serial number should be incremented each time
                    521:    there is a change to the file, the usual format is to either start with a
                    522:    value of "1" and increase it for every change, or use a value of "YYYYMMDDNN"
                    523:    to encode year (YYYY), month (MM), day (DD) and change within one day (NN) in
1.1       jdf       524:    the serial number.
1.2       jdf       526:  * *Line 4*: This is the refresh rate of the server, in this file it is set to
1.1       jdf       527:    once every 8 hours.
                    529:  * *Line 5*: The retry rate.
                    531:  * *Line 6*: Lookup expiry.
                    533:  * *Line 7*: The minimum Time To Live.
1.2       jdf       535:  * *Line 8*: This is the Nameserver line, which uses a "NS" resource record to
                    536:    show that "localhost" is the only DNS server handing out data for this zone
                    537:    (which is "@", which indicates the zone name used in the `named.conf` file,
1.1       jdf       538:    i.e. "") is, well, "localhost".
1.2       jdf       540:  * *Line 9*: This is the localhost entry, which uses an "A" resource record to
                    541:    indicate that the name "localhost" should be resolved into the IP-address
1.1       jdf       542: for IPv4 queries (which specifically ask for the "A" record).
1.2       jdf       544:  * *Line 10*: This line is the IPv6 entry, which returns ::1 when someone asks
                    545:    for an IPv6-address (by specifically asking for the AAAA record) of
1.1       jdf       546:    "localhost.".
                    548: ### /etc/namedb/zone.127.0.0
1.2       jdf       550: This is the reverse lookup file (or zone) to resolve the special IP address
1.1       jdf       551: back to "localhost":
                    553:      1| $TTL    3600
                    554:      2| @              IN SOA (
                    555:      3|                        1       ; Serial
                    556:      4|                        8H      ; Refresh
                    557:      5|                        2H      ; Retry
                    558:      6|                        1W      ; Expire
                    559:      7|                        1D)     ; Minimum TTL
                    560:      8|                 IN NS   localhost.
                    561:      9| 1.0.0           IN PTR  localhost.
1.2       jdf       563: In this file, all of the lines are the same as the localhost zonefile with
                    564: exception of line 9, this is the reverse lookup (PTR) record. The zone used here
                    565: is "@" again, which got set to the value given in `named.conf`, i.e.
                    566: "". This is a special "domain" which is used to do
                    567: reverse-lookup of IP addresses back into hostnames. For it to work, the four
                    568: bytes of the IPv4 address are reserved, and the domain "" attached,
                    569: so to resolve the IP address "", the PTR record of
1.1       jdf       570: "" is queried, which is what is defined in that line.
                    572: ### /etc/namedb/
1.2       jdf       574: This zone file is populated by records for all of our hosts. Here is what it
1.1       jdf       575: looks like:
                    577:      1| $TTL    3600
                    578:      2| @              IN SOA (
                    579:      3|                         1       ; serial
                    580:      4|                         8H      ; refresh
                    581:      5|                         2H      ; retry
                    582:      6|                         1W      ; expire
                    583:      7|                         1D )    ; minimum seconds
                    584:      8|                 IN NS
                    585:      9|                 IN MX   10   ; primary mail server
                    586:     10|                 IN MX   20   ; secondary mail server
                    587:     11| strider         IN A
                    588:     12| samwise         IN A
                    589:     13| www             IN CNAME
                    590:     14| worm            IN A
1.2       jdf       592: There is a lot of new stuff here, so lets just look over each line that is new
1.1       jdf       593: here:
1.2       jdf       595:  * *Line 9*: This line shows our mail exchanger (MX), in this case it is
                    596:    "strider". The number that precedes "" is the priority
                    597:    number, the lower the number their higher the priority. The way we are setup
1.1       jdf       598:    here is if "strider" cannot handle the mail, then "samwise" will.
1.2       jdf       600:  * *Line 11*: CNAME stands for canonical name, or an alias for an existing
                    601:    hostname, which must have an A record. So we have aliased ``
1.1       jdf       602:    to ``.
1.2       jdf       604: The rest of the records are simply mappings of IP address to a full name (A
1.1       jdf       605: records).
                    607: ### /etc/namedb/1.168.192
1.2       jdf       609: This zone file is the reverse file for all of the host records, to map their IP
                    610: numbers we use on our private network back into hostnames. The format is similar
                    611: to that of the "localhost" version with the obvious exception being the
                    612: addresses are different via the different zone given in the `named.conf` file,
1.1       jdf       613: i.e. "" here:
                    615:      1|$TTL    3600
                    616:      2|@              IN SOA (
                    617:      3|                     1       ; serial
                    618:      4|                     8H      ; refresh
                    619:      5|                     2H      ; retry
                    620:      6|                     1W      ; expire
                    621:      7|                     1D )    ; minimum seconds
                    622:      8|               IN NS
                    623:      9|1              IN PTR
                    624:     10|2              IN PTR
                    625:     11|3              IN PTR
                    627: ### /etc/namedb/root.cache
1.2       jdf       629: This file contains a list of root name servers for your server to query when it
                    630: gets requests outside of its own domain that it cannot answer itself. Here are
1.1       jdf       631: first few lines of a root zone file:
                    633:     ;
                    634:     ;       This file holds the information on root name servers needed to
                    635:     ;       initialize cache of Internet domain name servers
                    636:     ;       (e.g. reference this file in the "cache  .  <file>"
                    637:     ;       configuration file of BIND domain name servers).
                    638:     ;
                    639:     ;       This file is made available by InterNIC
                    640:     ;       under anonymous FTP as
                    641:     ;           file                /domain/db.cache
                    642:     ;           on server           FTP.INTERNIC.NET
                    643:     ;       -OR-                    RS.INTERNIC.NET
                    644:     ;
                    645:     ;       last update:    Jan 29, 2004
                    646:     ;       related version of root zone:   2004012900
                    647:     ;
                    648:     ;
                    649:     ; formerly NS.INTERNIC.NET
                    650:     ;
                    651:     .                        3600000  IN  NS    A.ROOT-SERVERS.NET.
                    652:     A.ROOT-SERVERS.NET.      3600000      A
                    653:     ;
                    654:     ; formerly NS1.ISI.EDU
                    655:     ;
                    656:     .                        3600000      NS    B.ROOT-SERVERS.NET.
                    657:     B.ROOT-SERVERS.NET.      3600000      A
                    658:     ;
                    659:     ; formerly C.PSI.NET
                    660:     ;
                    661:     .                        3600000      NS    C.ROOT-SERVERS.NET.
                    662:     C.ROOT-SERVERS.NET.      3600000      A
                    663:     ;
                    664:     ...
1.2       jdf       666: This file can be obtained from ISC at <> and usually comes
                    667: with a distribution of BIND. A `root.cache` file is included in the NetBSD
1.1       jdf       668: operating system's "etc" set.
1.2       jdf       670: This section has described the most important files and settings for a DNS
                    671: server. Please see the BIND documentation in `/usr/src/dist/bind/doc/bog` and
                    672: [named.conf(5)](
1.1       jdf       673: for more information.
                    675: ## Using DNS
1.2       jdf       677: In this section we will look at how to get DNS going and setup "strider" to use
1.1       jdf       678: its own DNS services.
1.2       jdf       680: Setting up named to start automatically is quite simple. In `/etc/rc.conf`
                    681: simply set `named=yes`. Additional options can be specified in `named_flags`,
                    682: for example, I like to use `-g nogroup -u nobody`, so a non-root account runs
1.1       jdf       683: the "named" process.
1.2       jdf       685: In addition to being able to startup "named" at boot time, it can also be
                    686: controlled with the `ndc` command. In a nutshell the `ndc` command can stop,
                    687: start or restart the named server process. It can also do a great many other
                    688: things. Before use, it has to be setup to communicate with the "named" process,
                    689: see the [ndc(8)](
                    690: and
                    691: [named.conf(5)](
                    692: man pages for more details on setting up communication channels between "ndc"
1.1       jdf       693: and the "named" process.
1.2       jdf       695: Next we want to point "strider" to itself for lookups. We have two simple steps,
                    696: first, decide on our resolution order. On a network this small, it is likely
                    697: that each host has a copy of the hosts table, so we can get away with using
                    698: `/etc/hosts` first, and then DNS. However, on larger networks it is much easier
                    699: to use DNS. Either way, the file where order of name services used for
                    700: resolution is determined is `/etc/nsswitch.conf` (see
                    701: [[`nsswitch.conf`|guide/net-practice#ex-nsswitch]]. Here is part of a typical
1.1       jdf       702: `nsswitch.conf`:
                    704:     ...
                    705:     group_compat:   nis
                    706:     hosts:          files dns
                    707:     netgroup:       files [notfound=return] nis
                    708:     ...
1.2       jdf       710: The line we are interested in is the "hosts" line. "files" means the system uses
                    711: the `/etc/hosts` file first to determine ip to name translation, and if it can't
1.1       jdf       712: find an entry, it will try DNS.
1.2       jdf       714: The next file to look at is `/etc/resolv.conf`, which is used to configure DNS
                    715: lookups ("resolution") on the client side. The format is pretty self explanatory
1.1       jdf       716: but we will go over it anyway:
                    718:     domain
                    719:     search
                    720:     nameserver
1.2       jdf       722: In a nutshell this file is telling the resolver that this machine belongs to the
                    723: "" domain, which means that lookups that contain only a hostname
                    724: without a "." gets this domain appended to build a FQDN. If that lookup doesn't
                    725: succeed, the domains in the "search" line are tried next. Finally, the
                    726: "nameserver" line gives the IP addresses of one or more DNS servers that should
1.1       jdf       727: be used to resolve DNS queries.
                    729: To test our nameserver we can use several commands, for example:
                    731:     # host sam
                    732: has address
1.2       jdf       734: As can be seen, the domain was appended automatically here, using the value from
1.1       jdf       735: `/etc/resolv.conf`. Here is another example, the output of running
                    736: `host`:
                    738:     $ host
                    739: is an alias for
                    740: has address
                    741: has address
                    742: has address
                    743: has address
                    744: has address
                    745: has address
                    746: has address
                    747: has address
1.2       jdf       749: Other commands for debugging DNS besides
                    750: [host(1)]( are
                    751: [nslookup(8)](
1.1       jdf       752: and
1.2       jdf       753: [dig(1)]( Note
1.1       jdf       754: that
                    755: [ping(8)](
1.2       jdf       756: is *not* useful for debugging DNS, as it will use whatever is configured in
1.1       jdf       757: `/etc/nsswitch.conf` to do the name-lookup.
1.2       jdf       759: At this point the server is configured properly. The procedure for setting up
                    760: the client hosts are easier, you only need to setup `/etc/nsswitch.conf` and
1.1       jdf       761: `/etc/resolv.conf` to the same values as on the server.
                    763: ## Setting up a caching only name server
1.2       jdf       765: A caching only name server has no local zones; all the queries it receives are
                    766: forwarded to the root servers and the replies are accumulated in the local
                    767: cache. The next time the query is performed the answer will be faster because
                    768: the data is already in the server's cache. Since this type of server doesn't
                    769: handle local zones, to resolve the names of the local hosts it will still be
1.1       jdf       770: necessary to use the already known `/etc/hosts` file.
1.2       jdf       772: Since NetBSD supplies defaults for all the files needed by a caching only
                    773: server, it only needs to be enabled and started and is immediately ready for
                    774: use! To enable named, put `named=yes` into `/etc/rc.conf`, and tell the system
1.1       jdf       775: to use it adding the following line to the `/etc/resolv.conf` file:
                    777:     # cat /etc/resolv.conf
                    778:     nameserver
                    780: Now we can start named:
                    782:     # sh /etc/rc.d/named restart
                    784: ### Testing the server
1.2       jdf       786: Now that the server is running we can test it using the
                    787: [nslookup(8)](
1.1       jdf       788: program:
                    790:     $ nslookup
                    791:     Default server: localhost
                    792:     Address:
                    794:     >
                    796: Let's try to resolve a host name, for example "":
                    798:     >
                    799:     Server:  localhost
                    800:     Address:
                    802:     Name:
                    803:     Address:
                    805: If you repeat the query a second time, the result is slightly different:
                    807:     >
                    808:     Server:  localhost
                    809:     Address:
                    811:     Non-authoritative answer:
                    812:     Name:
                    813:     Address:
1.2       jdf       815: As you've probably noticed, the address is the same, but the message
                    816: `Non-authoritative answer` has appeared. This message indicates that the answer
                    817: is not coming from an authoritative server for the domain but from
1.1       jdf       818: the cache of our own server.
                    820: The results of this first test confirm that the server is working correctly.
1.2       jdf       822: We can also try the
                    823: [host(1)]( and
                    824: [dig(1)]( commands,
1.1       jdf       825: which give the following result.
                    827:     $ host
                    828: has address
                    829:     $
                    830:     $ dig
                    832:     ; <<>> DiG 8.3 <<>>
                    833:     ;; res options: init recurs defnam dnsrch
                    834:     ;; got answer:
                    835:     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19409
                    836:     ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 0
                    837:     ;; QUERY SECTION:
                    838:     ;;, type = A, class = IN
                    840:     ;; ANSWER SECTION:
                    841:         23h32m54s IN A
                    843:     ;; AUTHORITY SECTION:
                    844:             23h32m54s IN NS
                    845:             23h32m54s IN NS
                    846:             23h32m54s IN NS
                    847:             23h32m54s IN NS
                    848:             23h32m54s IN NS
                    850:     ;; Total query time: 14 msec
                    851:     ;; FROM: miyu to SERVER:
                    852:     ;; WHEN: Thu Nov 25 22:59:36 2004
1.2       jdf       853:     ;; MSG SIZE  sent: 32  rcvd: 175
1.1       jdf       854: 
1.2       jdf       855: As you can see
                    856: [dig(1)]( gives
                    857: quite a bit of output, the expected answer can be found in the "ANSWER SECTION".
1.1       jdf       858: The other data given may be of interest when debugging DNS problems.

CVSweb for NetBSD wikisrc <> software: FreeBSD-CVSweb