Quick HOWTO : Ch18 : Configuring DNS - Linux Home Networking

http://www.linuxhomenetworking.com/wiki/index.php/Quick_H...


Quick HOWTO : Ch18 : Configuring DNS


From Linux Home Networking

Contents
1 Introduction
2 Introduction to DNS
  2.1 DNS Domains
  2.2 BIND
  2.3 DNS Clients
  2.4 Authoritative DNS Servers
  2.5 How DNS Servers Find Out Your Site Information
  2.6 When To Use A DNS Caching Name Server
  2.7 When To Use A Static DNS Server
  2.8 When To Use A Dynamic DNS Server
  2.9 How To Get Your Own Domain
  2.10 Basic DNS Testing of DNS Resolution
    2.10.1 The Host Command
    2.10.2 The nslookup Command
  2.11 Downloading and Installing the BIND Packages
  2.12 Managing the BIND Server
  2.13 The /etc/resolv.conf File
    2.13.1 Table 18.1 Keywords In /etc/resolv.conf
3 Important File Locations
  3.1 RedHat / Fedora
  3.2 Table 18.2 Differences In Fedora And Redhat DNS File Locations
  3.3 Debian / Ubuntu
4 Configuring Your Nameserver
  4.1 Configuring resolv.conf
  4.2 Creating a named.conf Base Configuration
    4.2.1 Table 18.3 The Primary BIND Configuration Files
  4.3 Configuring BIND Views in named.conf
    4.3.1 Forward Zone File References in named.conf
    4.3.2 Reverse Zone File References in named.conf
    4.3.3 The Caching Nameserver localhost_resolver View
    4.3.4 The Internal View
    4.3.5 The External View
  4.4 Configuring The Zone Files
    4.4.1 Time to Live Value
    4.4.2 DNS Resource Records
    4.4.3 The SOA Record
    4.4.4 Table 18.4 The SOA Record Format
    4.4.5 NS, MX, A And CNAME Records
    4.4.6 Table 18.5 NS, MX, A, PTR and CNAME Record Formats
    4.4.7 TXT Records
  4.5 Sample Forward Zone File
  4.6 Sample Reverse Zone File
  4.7 Loading Your New Configuration Files
  4.8 Make Sure Your /etc/hosts File Is Correctly Updated
  4.9 Configure Your Firewall
  4.10 Fix Your Domain Registration
5 Troubleshooting BIND
  5.1 Configuration Troubleshooting Steps
  5.2 Network Troubleshooting Steps
6 Migrating Your Web Site In-House
7 DHCP Considerations For DNS
8 Simple DNS Security
  8.1 Zone Transfer Protection
  8.2 Selectively Disabling Recursion
  8.3 Naming Convention Security
9 Conclusion

Introduction

Domain Name System (DNS) converts the name of a Web site (www.linuxhomenetworking.com) to an IP address (65.115.71.34). This step is important, because the IP address of a Web site's server, not the Web site's name, is used in routing traffic over the Internet. This chapter will explain how to configure your own DNS server to help guide Web surfers to your site.


Introduction to DNS

Before you dig too deep in DNS, you need to understand a few foundation concepts on which the rest of the chapter will be built.

DNS Domains

Everyone in the world has a first name and a last, or family, name. The same thing is true in the DNS world: A family of Web sites can be loosely described as a domain. For example, the domain linuxhomenetworking.com has a number of children, such as www.linuxhomenetworking.com and mail.linuxhomenetworking.com for the Web and mail servers, respectively.

BIND

BIND is an acronym for the Berkeley Internet Name Domain project, which is a group that maintains the DNS-related software suite that runs under Linux. The most well known program in BIND is named, the daemon that responds to DNS queries from remote machines.

DNS Clients

A DNS client doesn't store DNS information; it must always refer to a DNS server to get it. The only DNS configuration file for a DNS client is the /etc/resolv.conf file, which defines the IP address of the DNS server it should use. You shouldn't need to configure any other files. You'll become well acquainted with the /etc/resolv.conf file soon.

Authoritative DNS Servers

Authoritative servers provide the definitive information for your DNS domain, such as the names of servers and Web sites in it. They are the last word in information related to your domain.

How DNS Servers Find Out Your Site Information

There are 13 root authoritative DNS servers (super duper authorities) that all DNS servers query first. These root servers know all the authoritative DNS servers for all the main domains - .com, .net, and the rest. This layer of servers keeps track of all the DNS servers that Web site systems administrators have assigned for their sub domains. For example, when you register your domain my-site.com, you are actually inserting a record on the .com DNS servers that points to the authoritative DNS servers you assigned for your domain. (More on how to register your site later.)

When To Use A DNS Caching Name Server

Most servers don't ask authoritative servers for DNS directly, they usually ask a caching DNS server to do it on their behalf. These servers, through a process called recursion, sequentially query the authoritative servers at the root, main domain and sub domain levels to eventually get the specific information requested. The most frequently requested information is then stored (or cached) to reduce the lookup overhead of subsequent queries.

If you want to advertise your Web site www.my-site.com to the rest of the world, then a regular DNS server is what you require. Setting up a caching DNS server is fairly straightforward and works whether or not your ISP provides you with a static or dynamic Internet IP address. After you set up your caching DNS server, you must configure each of your home network PCs to use it as their DNS server. If your home PCs get their IP addresses using DHCP, then you have to configure your DHCP server to make it aware of the IP address of your new DNS server, so that the DHCP server can advertise the DNS server to its PC clients. Off-the-shelf router/firewall appliances used in most home networks usually can act as both the caching DNS and DHCP server, rendering a separate DNS server unnecessary. You can find the configuration steps for a Linux DHCP server in Chapter 8, "Configuring the DHCP Server".


When To Use A Static DNS Server

If your ISP provides you with a fixed or static IP address, and you want to host your own Web site, then a regular authoritative DNS server would be the way to go. A caching DNS name server is used as a reference only; regular name servers are used as the authoritative source of information for your Web site's domain.

Note: Regular name servers are also caching name servers by default.

When To Use A Dynamic DNS Server

If your ISP provides your router/firewall with its Internet IP address using DHCP then you must consider dynamic DNS, covered in Chapter 19, "Dynamic DNS". For now, I'm assuming that you are using static Internet IP addresses.

How To Get Your Own Domain

Whether or not you use static or dynamic DNS, you need to register a domain. Dynamic DNS providers frequently offer you a subdomain of their own site, such as my-site.dnsprovider.com, in which you register your domain on their site. If you choose to create your very own domain, such as my-site.com, you have to register with a company specializing in static DNS registration and then point your registration record to the intended authoritative DNS for your domain. Popular domain registrars include VeriSign, Register Free, and Yahoo. If you want to use a dynamic DNS provider for your own domain, then you have to point your registration record to the DNS servers of your dynamic DNS provider. (More details on domain registration are coming later in the chapter.)

Basic DNS Testing of DNS Resolution

As you know, DNS resolution maps a fully qualified domain name (FQDN), such as www.linuxhomenetworking.com, to an IP address. This is also known as a forward lookup. The reverse is also true: By performing a reverse lookup, DNS can determine the fully qualified domain name associated with an IP address. Many different Web sites can map to a single IP address, but the reverse isn't true; an IP address can map to only one FQDN. This means that forward and reverse entries frequently don't match. The reverse DNS entries are usually the responsibility of the ISP hosting your site, so it is quite common for the reverse lookup to resolve to the ISP's domain. This isn't an important factor for most small sites, but some e-commerce applications require matching entries to operate correctly. You may have to ask your ISP to make a custom DNS change to correct this. There are a number of commands you can use to do these lookups. Linux uses the host command, for example, but Windows uses nslookup.

The Host Command

The host command accepts as its argument either the fully qualified domain name or the IP address of the server and returns the corresponding result. To perform a forward lookup, use the syntax:

[root@bigboy tmp]# host www.linuxhomenetworking.com
www.linuxhomenetworking.com has address 65.115.71.34
[root@bigboy tmp]#

To perform a reverse lookup:

[root@bigboy tmp]# host 65.115.71.34
34.71.115.65.in-addr.arpa domain name pointer 65-115-71-34.myisp.net.
[root@bigboy tmp]#

As you can see, the forward and reverse entries don't match. The reverse entry matches the entry of the ISP.

The nslookup Command

The nslookup command provides the same results on Windows PCs. To perform a forward lookup, use:

C:\> nslookup www.linuxhomenetworking.com
Server: 192-168-1-200.my-site.com
Address: 192.168.1.200

Non-authoritative answer:
Name: www.linuxhomenetworking.com
Address: 65.115.71.34

C:\>

To perform a reverse lookup:

C:\> nslookup 65.115.71.34
Server: 192-168-1-200.my-site.com
Address: 192.168.1.200

Name: 65-115-71-34.my-isp.com
Address: 65.115.71.34

C:\>

Downloading and Installing the BIND Packages

Most RedHat and Fedora Linux software products are available in a package format. When searching for the file, remember that the BIND package's filename usually starts with the word "bind" followed by a version number, as in bind-9.2.2.P3-9.i386.rpm. (For more details on downloading RPMs, see Chapter 6, "Installing Linux Software").

Note: Unless otherwise stated, the sample configurations covered in this chapter will be for Redhat / Fedora distributions. If you use Debian / Ubuntu, don't worry, there will be annotations to make you aware of the differences.

Managing the BIND Server

Managing BIND's named daemon is easy to do, but the procedure differs between Linux distributions. Here are some things to keep in mind.

1. Firstly, different Linux distributions use different daemon management systems. Each system has its own set of commands to do similar operations. The most commonly used daemon management systems are SysV and Systemd.
2. Secondly, the daemon name needs to be known. In this case the name of the daemon is named.

Armed with this information you can know how to:

1. Start your daemons automatically on booting
2. Stop, start and restart them later on during troubleshooting or when a configuration file change needs to be applied.

For more details on this, please take a look at the "Managing Daemons" section of Chapter 6, "Installing Linux Software".

Note: Remember to configure your daemon to start automatically upon your next reboot.

The /etc/resolv.conf File

DNS clients (servers not running BIND) use the /etc/resolv.conf file to determine both the location of their DNS server and the domains to which they belong. The file generally has two columns; the first contains a keyword, and the second contains the desired values separated by commas. See Table 18.1 for a list of keywords.

Table 18.1 Keywords In /etc/resolv.conf

Keyword | Value
Nameserver | IP address of your DNS nameserver. There should be only one entry per "nameserver" keyword. If there is more than one nameserver, you'll need to have multiple "nameserver" lines.
Domain | The local domain name to be used by default. If the server is bigboy.my-web-site.org, then the entry would just be my-web-site.org
Search | If you refer to another server just by its name without the domain added on, DNS on your client will append the server name to each domain in this list and do a DNS lookup on each to get the remote servers' IP address. This is a handy time saving feature to have so that you can refer to servers in the same domain by only their servername without having to specify the domain. The domains in this list must be separated by spaces.

Take a look at a sample configuration in which the client server's main domain is my-site.com, but it also is a member of domains my-site.net and my-site.org, which should be searched for shorthand references to other servers. Two name servers, 192.168.1.100 and 192.168.1.102, provide DNS name resolution:

search my-site.com my-site.net my-site.org
nameserver 192.168.1.100
nameserver 192.168.1.102

The first domain listed after the search directive must be the home domain of your network, in this case my-site.com. Placing a domain and search entry in the /etc/resolv.conf is redundant, therefore.
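As an added illustration (not code from the original chapter), the following Python script parses the three keywords from Table 18.1 and shows the names a client would try for a short hostname. The sample file is constructed to match the my-site.com example above; the "last of domain or search wins" rule is the glibc resolver's documented behaviour, which is why the chapter calls using both redundant.

```python
"""Parse /etc/resolv.conf keywords (nameserver, domain, search) as described in
Table 18.1. Added example; not code from the Linux Home Networking chapter."""
from dataclasses import dataclass, field


@dataclass
class ResolvConf:
    nameservers: list = field(default_factory=list)   # one entry per 'nameserver' line
    search: list = field(default_factory=list)        # effective search list, in order


def parse_resolv_conf(text):
    """Return the nameserver list and the effective search list.

    Rules applied (glibc resolver semantics):
    - one IP per 'nameserver' line; several lines give several servers
    - 'domain X' behaves as a one-entry search list
    - 'domain' and 'search' are mutually exclusive: the last one seen wins
    - lines whose first character is '#' or ';' are comments
    """
    conf = ResolvConf()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        keyword, values = parts[0], parts[1:]
        if keyword == "nameserver" and len(values) == 1:
            conf.nameservers.append(values[0])
        elif keyword == "domain" and values:
            conf.search = [values[0]]
        elif keyword == "search" and values:
            conf.search = values
    return conf


def candidate_names(name, conf):
    """Names the client tries, in order, when 'name' is typed by a user.

    The first search entry is the home domain, so it is appended first. A name
    that already contains a dot is tried as an absolute name first (the glibc
    default of ndots:1) and only then with each search domain appended.
    """
    expanded = [f"{name}.{domain}" for domain in conf.search]
    if "." in name.rstrip("."):
        return [name] + expanded
    return expanded


# Constructed sample matching the chapter's my-site.com configuration
SAMPLE = """\
# /etc/resolv.conf (constructed sample)
search my-site.com my-site.net my-site.org
nameserver 192.168.1.100
nameserver 192.168.1.102
"""

if __name__ == "__main__":
    conf = parse_resolv_conf(SAMPLE)
    print("nameservers:", conf.nameservers)
    print("lookups for 'bigboy':", candidate_names("bigboy", conf))
```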


Important File Locations

The locations of the BIND configuration files vary by Linux distribution, as you will soon see.

RedHat / Fedora

RedHat / Fedora BIND normally runs as the named process owned by the unprivileged named user. Sometimes BIND is also installed using Linux's chroot feature to not only run named as user named, but also to limit the files named can see. When installed, named is fooled into thinking that the directory /var/named/chroot is actually the root or / directory. Therefore, named files normally found in the /etc directory are found in the /var/named/chroot/etc directory instead, and those you'd expect to find in /var/named are actually located in /var/named/chroot/var/named. The advantage of the chroot feature is that if a hacker enters your system via a BIND exploit, the hacker's access to the rest of your system is isolated to the files under the chroot directory and nothing else. This type of security is also known as a chroot jail. You can determine whether you have the chroot add-on RPM by using this command, which returns the name of the RPM.

[root@bigboy tmp]# rpm -q bind-chroot
bind-chroot-9.2.3-13
[root@bigboy tmp]#

There can be confusion with the locations: Regular BIND installs its files in the normal locations, and the chroot BIND add-on RPM installs its own versions in their chroot locations. Unfortunately, the chroot versions of some of the files are empty. Before starting Fedora BIND, copy the configuration files to their chroot locations:

[root@bigboy tmp]# cp -f /etc/named.conf /var/named/chroot/etc/
[root@bigboy tmp]# cp -f /etc/rndc.* /var/named/chroot/etc/

Before you go to the next step of configuring a regular name server, it is important to understand exactly where the files are located. Table 18.2 provides a map.

Table 18.2 Differences In Fedora And Redhat DNS File Locations

File | Purpose | BIND chroot Location | Regular BIND Location
named.conf | Tells the names of the zone files to be used for each of your website domains. | /var/named/chroot/etc | /etc
rndc.key, rndc.conf | Files used in named authentication | /var/named/chroot/etc | /etc
zone files | Links all the IP addresses in your domain to their corresponding server | /var/named/chroot/var/named | /var/named

Note: Fedora Core installs BIND chroot by default. RedHat 9 and earlier don't.

Debian / Ubuntu

With Debian / Ubuntu, all the configuration files, the primary named.conf file and all the DNS zone files reside in the /etc/bind directory. Unlike in Redhat / Fedora, references to other files within these configuration files should include the full path. The named daemon won't automatically assume they are located in the /etc/bind directory.

Configuring Your Nameserver

For the purposes of this tutorial, assume your ISP assigned you the subnet 97.158.253.24 with a subnet mask of 255.255.255.248 (/29).

Configuring resolv.conf

You'll have to make your DNS server refer to itself for all DNS queries by configuring the /etc/resolv.conf file to reference localhost only.

nameserver 127.0.0.1


Creating a named.conf Base Configuration

The /etc/named.conf file contains the main DNS configuration and tells BIND where to find the configuration, or zone, files for each domain you own. This file usually has two zone areas:

- Forward zone file definitions list files to map domains to IP addresses.
- Reverse zone file definitions list files to map IP addresses to domains.

Some versions of BIND will come with a /etc/named.conf file configured to work as a caching nameserver which can be converted to an authoritative nameserver by adding the correct references to your zone files. Please proceed to the next section if this is the case with your version of BIND. In other cases the named.conf configuration file may be hard to find. Some versions of Linux install BIND as a default caching nameserver using a file named /etc/named.caching-nameserver.conf for its configuration. In such cases BIND becomes an authoritative nameserver when a correctly configured /etc/named.conf file is created. Fortunately BIND comes with samples of all the primary files you need. Table 18.3 explains their names and purpose in more detail.

Table 18.3 The Primary BIND Configuration Files

File | Description
/etc/named.conf | The main configuration file that lists the location of all your domain's zone files
/etc/named.rfc1912.zones | Base configuration file for a caching name server.
/var/named/named.ca | A list of the 13 root authoritative DNS servers.

The first task is to make sure your DNS server will be listening for requests on all the required network interfaces. The options section of named.conf may be configured to listen exclusively on its internal hidden localhost interface with an IP address of 127.0.0.1 as we see in this example.

# File: /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; };
};

If other devices are going to rely on your server for queries, then you'll need to either change this or add a selected number of IP addresses on your server. In this example, we allow queries on any interface.

listen-on port 53 { any; };

In this example, we allow queries on localhost and address 192.168.1.100.

listen-on port 53 { 127.0.0.1; 192.168.1.100; };

Note: Always make sure localhost, 127.0.0.1, is included. Though it is not required, it is a good practice to configure your DNS server's named.conf file to support BIND views. This will be discussed next.

Configuring BIND Views in named.conf

Our sample scenario assumes that DNS queries will be coming from the Internet and that the zone files will return information related to the external 97.158.253.26 address of the Web server. What do the PCs on your home network need to see? They need to see DNS references to the real IP address of the Web server, 192.168.1.100, because NAT won't work properly if a PC on your home network attempts to connect to the external 97.158.253.26 NAT IP address of your Web server. Don't worry. BIND figures this out using its views feature which allows you to use predefined zone files for queries from certain subnets. This means it's possible to use one set of zone files for queries from the Internet and another set for queries from your home network. Here's a summary of how it's done:

1. If your DNS server is also acting as a caching DNS server, then you'll also need a view for localhost to use. We'll use a view called localhost_resolver for this.
2. Place your zone statements in the /etc/named.conf file in one of two other view sections. The first section is called internal and lists the zone files to be used by your internal network. The second view, called external, lists the zone files to be used for Internet users. For example, you could have a reference to a zone file called my-site.zone for lookups related to the 97.158.253.X network which Internet users would see. This /etc/named.conf entry would be inserted in the external section. You could also have a file called my-site-home.zone for lookups by home users on the 192.168.1.0 network. This entry would be inserted in the internal section. Creating the my-site-home.zone file is fairly easy: Copy it from the my-site.zone file and replace all references to 97.158.253.X with references to 192.168.1.X.
3. You must also tell the DNS server which addresses you feel are internal and external. To do this, you must first define the internal and external networks with access control lists (ACLs) and then refer to these lists within their respective view section with the match-clients statement. Some built-in ACLs can save you time:

- localhost: Refers to the DNS server itself
- localnets: Refers to all the networks to which the DNS server is directly connected
- any: which is self explanatory.

Let's examine BIND views more carefully using a number of sample configuration snippets from the /etc/named.conf file used for my home network. All the statements below were inserted after the options and controls sections in the file. I have selected generic names: internal, for views given to trusted hosts (home, non-internet or corporate users), and external for the views given to Internet clients, but they can be named whatever you wish. First let's talk about how we should refer to the zone files in each view.

Forward Zone File References in named.conf

Let's describe how we point to forward zone files in a typical named.conf file. In this example the zone file is named my-site.zone, and, although not explicitly stated, the file my-site.zone should be located in the default directory of /var/named/chroot/var/named in a chroot configuration or in /var/named in a regular one. With Debian / Ubuntu, references to the full file path will have to be used. Use the code:

zone "my-web-site.org" {
    type master;
    notify no;
    allow-query { any; };
    file "my-site.zone";
};

In addition, you can insert more entries in the named.conf file to reference other Web domains you host. Here is an example for another-site.com using a zone file named another-site.zone.

zone "another-site.com" {
    type master;
    notify no;
    allow-query { any; };
    file "another-site.zone";
};

Note: The allow-query directive defines the networks that are allowed to query your DNS server for information on any zone. For example, to limit queries to only your 192.168.1.0 network, you could modify the directive to:

allow-query { 192.168.1.0/24; };

Reverse Zone File References in named.conf

Here's how to format entries that refer to zone files used for reverse lookups for your IP addresses. In most cases, your ISP handles the reverse zone entries for your public IP addresses, but you will have to create reverse zone entries for your SOHO/home environment using the 192.168.1.0/24 address space. This isn't important for the Windows clients on your network, but some Linux applications require valid forward and reverse entries to operate correctly. The forward domain lookup process for mysite.com scans the FQDN from right to left to get increasingly more specific information about the authoritative servers to use. Reverse lookups operate similarly by scanning an IP address from left to right to get increasingly specific information about an address. The similarity in both methods is that increasingly specific information is sought, but the noticeable difference is that for forward lookups the scan is from right to left, and for reverse lookups the scan is from left to right. This difference can be seen in the formatting of the zone statement for a reverse zone in the /etc/named.conf file, where the main in-addr.arpa domain, to which all IP addresses belong, is followed by the first 3 octets of the IP address in reverse order. This order is important to remember or else the configuration will fail. This reverse zone definition for named.conf uses a reverse zone file named 192-168-1.zone for the 192.168.1.0/24 network.

zone "1.168.192.in-addr.arpa" {
    type master;
    notify no;
    allow-query { any; };
    file "192-168-1.zone";
};
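To make the octet reversal concrete, here is an added Python example (not from the chapter) that derives the in-addr.arpa zone name and the PTR owner labels used in statements like the one above, and checks forward/reverse consistency over constructed records that mirror the host output earlier in the chapter. The A and PTR tables are constructed sample data, not live lookups.

```python
"""Reverse-DNS naming helpers for in-addr.arpa zone statements, plus a
forward/reverse consistency check. Added example, not code from the page."""
import ipaddress


def reverse_zone_name(network):
    """Zone name for an octet-aligned IPv4 network, e.g. 192.168.1.0/24 ->
    '1.168.192.in-addr.arpa'. The octets appear in reverse order because
    reverse lookups are scanned left to right, as the chapter explains."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        # A /29 such as the ISP-assigned 97.158.253.24 block does not line up
        # with an octet; its reverse zone stays with the ISP (or needs the
        # classless delegation of RFC 2317), so refuse rather than guess.
        raise ValueError(f"/{net.prefixlen} is not octet-aligned")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(ip):
    """Owner name of the PTR record for one address: what 'host <ip>' asks for."""
    return ipaddress.ip_address(ip).reverse_pointer   # e.g. 34.71.115.65.in-addr.arpa


def relative_ptr_label(ip, zone):
    """Label written inside the reverse zone file: the PTR owner name with the
    zone's own name stripped off (for a /24 zone that is the last octet)."""
    owner = ptr_owner(ip)
    suffix = "." + zone
    if not owner.endswith(suffix):
        raise ValueError(f"{ip} is not inside zone {zone}")
    return owner[: -len(suffix)]


def forward_confirmed(name, a_records, ptr_records):
    """Forward-confirmed reverse DNS: name -> A -> PTR must return 'name'.
    Returns (ok, detail). a_records maps FQDN -> IP, ptr_records IP -> FQDN."""
    ip = a_records.get(name)
    if ip is None:
        return False, "no A record"
    back = ptr_records.get(ip)
    if back is None:
        return False, f"{ip} has no PTR record"
    if back != name:
        return False, f"PTR for {ip} is {back}, not {name}"
    return True, f"{name} -> {ip} -> {back}"


# Constructed records mirroring the chapter's host/nslookup output
A_RECORDS = {
    "www.linuxhomenetworking.com": "65.115.71.34",
    "bigboy.my-site.com": "192.168.1.100",
}
PTR_RECORDS = {
    "65.115.71.34": "65-115-71-34.myisp.net",   # ISP-managed reverse entry
    "192.168.1.100": "bigboy.my-site.com",      # our own internal reverse zone
}

if __name__ == "__main__":
    zone = reverse_zone_name("192.168.1.0/24")
    print(zone, "->", relative_ptr_label("192.168.1.100", zone), "IN PTR bigboy.my-site.com.")
    for host in A_RECORDS:
        print(host, forward_confirmed(host, A_RECORDS, PTR_RECORDS))
```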

Your patience will soon be rewarded. It's time to talk about the views! Let's go!

The Caching Nameserver localhost_resolver View

The localhost_resolver view is used for your caching DNS server configuration and should look like this:

view "localhost_resolver" {
    /* This view sets up named to be a localhost resolver
     * ( caching only nameserver ). If all you want is a
     * caching-only nameserver, then you need only define this view:
     */
    match-clients { localhost; };
    match-destinations { localhost; };

    // As your caching name server clients will be using this server
    // for DNS lookups to get to sites all over the Web you'll need to
    // turn on recursion
    recursion yes;

    // All views used by caching nameserver clients must
    // contain the root hints zone. Recursive lookups to DNS domains
    // you don't own (non-authoritative) start here.
    zone "." IN {
        type hint;
        file "named.ca";
    };

    /* these are zones that contain definitions for all the localhost
     * names and addresses, as recommended in RFC1912 - these names should
     * ONLY be served to localhost clients:
     */
    include "/etc/named.rfc1912.zones";

    /*
     * Include zonefiles for internal zones
     */
    include "/var/named/zones/internal/internal_zones.conf";
};

There are some quick facts you should be aware of with your caching name server configuration:

1. If you want your server to be only a caching DNS server, then delete all other views in named.conf and restart the named daemon.

[root@bigboy tmp]# systemctl restart named.service

2. Make all the other machines on your network point to the caching DNS server as their primary DNS server.
3. Remember that all DNS queries done on your DNS server appear to come from localhost. If your server is also an authoritative server for your domain, you will have to include a reference to your domain's zone files in this section for the server's own DNS lookups to work. If not, queries from clients defined by the internal and external ACLs will work correctly, but queries for the domain from the server itself will fail. In this example we have included a reference to the internal_zones.conf zone file which we'll visit again soon. This line can be deleted if your server isn't an authoritative server for your domain.

Note: If you have a localhost only view like this, make sure you don't reference localhost in any of your other views as one view will take precedence over the other for queries from your server. This could lead to unpredictable results.

The ntern$' ;iew


n this ex$m5'e inc'u!e! $n )CL for network 11"#1-8#1/#3 8"( c$''e! s$feAsu9net to he'5 c'$rif0 the use of )CLs in more com5'ex en*ironments# Once the )CL w$s !efine!? then inserte! $ reference to the s$feAsu9net in the m$tchAc'ients st$tement in the intern$' *iew# Therefore the 'oc$' network B11"#1-8#1#3 8"(C? the other truste! network B11"#1-8#1/#3C? $n! 'oc$'host get DNS !$t$ from the Ione fi'es in the intern$' *iew#
// ACL statement acl safe-subnet { 192.168.17.0/24; }; view internal { // What the home network will see match-clients { localnets; localhost; safe-subnet; }; match-destinations { localnets; localhost; safe-subnet; }; // As your caching name server clients will be using this server // for DNS lookups to get to sites all over the Web youll need to // turn on recursion recursion yes; // All views used by caching nameserver clients must // contain the root hints zone. Recursive lookups to DNS domains // you dont own (non-authoritative) starts here. zone "." IN { type hint; file "named.ca"; }; // These are your "authoritative" internal zones, and would probably // also be included in the "localhost_resolver" view above : /* * Include zonefiles for internal zones */ include "/var/named/zones/internal/internal_zones.conf"; };

The Fuestion 0ou m$0 h$*e on 0our min! is? LWhere $re the Ione fi'e !efinitionsPL# DonDt worr0? there is $n inc'u!e st$tement th$t refers to $ fi'e n$me! intern$'=Iones#conf th$t cont$ins them $'' $s we see here:
// File internal_zones.conf zone "1.168.192.in-addr.arpa" IN { type master; file "/var/named/zones/internal/192.168.1.zone"; allow-update { none; }; }; zone "my-web-site.org" IN { type master; file "/var/named/zones/internal/my-web-site.org.zone"; allow-update { none; }; };

I'll discuss how to handle queries from clients outside your trusted networks in the next section where an external view can be used.


The External View

You can also setup an external view that will be used for DNS queries from clients outside your network, such as the Internet. In this case external queries get results from zone files in the /var/named/zones/external directory.
view external {                  // What the Internet will see
    /* This view will contain zones you want to serve only to "external"
     * clients that have addresses that are not on your directly attached
     * LAN interface subnets:
     */
    match-clients      { any; };
    match-destinations { any; };

    // you'd probably want to deny recursion to external clients, so you don't
    // end up providing free DNS service to all takers
    recursion no;

    // These are your "authoritative" external zones, and would probably
    // contain entries for just your web and mail servers:

    zone "253.158.97.in-addr.arpa" IN {
        type master;
        file "/var/named/zones/external/97.158.253.zone";
        allow-update { none; };
    };

    zone "my-web-site.org" IN {
        type master;
        file "/var/named/zones/external/my-web-site.org.zone";
        allow-update { none; };
    };
};

Notice that the reverse zone file gives results for public internet addresses, and of course, the forward zone file should only provide responses with Internet accessible addresses.

Note: In the external view, you may be tempted to use an exclamation mark (!) to eliminate networks used in the internal view like this. Be careful, it is best to use "any;" for your external view as the exclamation mark (!) is not honored with some versions of BIND in views named "external".
// !!! CAUTION !!!
match-clients      { !localnets; !localhost; !safe-subnet; };
match-destinations { !localnets; !localhost; !safe-subnet; };

The views listed here are purely to illustrate their use. The sample home network we have been using doesn't need to have the ACL statement at all as the built in ACLs localnets and localhost are sufficient. The sample network won't need the safe-subnet section in the match-clients line either as there is only one subnet in the configuration. Views are also not just for NAT. If you run an Internet data center, you can set up your DNS server to act as a caching server to servers on all the Internet networks you own and no one else, and then provide authoritative responses to your customers' domains to everyone. Views can be very useful.
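As an added example that is not part of the chapter, the following Python parses a named.conf fragment (constructed here, not the chapter's file) and flags the view pitfalls discussed above: localhost matched by more than one view, a negated (!) match-clients entry, and recursion left on in a view that matches any client.

```python
import re

# Constructed named.conf fragment (not the chapter's file) with two of the
# view pitfalls the chapter describes: localhost is matched by two views, and
# the external view leaves recursion on for any client.
SAMPLE_NAMED_CONF = r'''
acl safe-subnet { 192.168.17.0/24; };

view "localhost_resolver" {
    match-clients { localhost; };
    recursion yes;
};

view "internal" {                // What the home network will see
    match-clients { localnets; localhost; safe-subnet; };
    recursion yes;
    zone "." IN { type hint; file "named.ca"; };
};

view "external" {                // What the Internet will see
    match-clients { any; };
    recursion yes; /* should be "no" */
};
'''

# comments are dropped; strings, braces, semicolons and bare words are kept
TOKEN_RE = re.compile(r'//[^\n]*|#[^\n]*|/\*.*?\*/|"[^"]*"|[{};]|[^\s{};"]+',
                      re.DOTALL)


def tokenize(text):
    return [t for t in TOKEN_RE.findall(text)
            if not t.startswith(('//', '#', '/*'))]


def parse_block(tokens, pos=0):
    """Parse statements up to the matching '}' (or the end of the tokens).
    A statement is (words, children): the tokens before its '{' or ';', and
    the nested statements when it has a { ... } block, else None."""
    stmts, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == '}':
            return stmts, pos + 1
        if tok == '{':
            children, pos = parse_block(tokens, pos + 1)
            stmts.append((words, children))
            words = []
        elif tok == ';':
            if words:
                stmts.append((words, None))
            words, pos = [], pos + 1
        else:
            words.append(tok.strip('"'))
            pos += 1
    return stmts, pos


def view_findings(conf_text):
    """Return (view, problem) pairs for the view mistakes this chapter warns
    about. An unset 'recursion' counts as yes, BIND's default."""
    findings, localhost_views = [], []
    top, _ = parse_block(tokenize(conf_text))
    for words, children in top:
        if len(words) < 2 or words[0] != 'view' or children is None:
            continue
        name, clients, recursion = words[1], [], 'yes'
        for w, c in children:
            if w and w[0] == 'match-clients' and c:
                clients = [x[0] for x, _ in c if x]
            elif w and w[0] == 'recursion' and len(w) > 1:
                recursion = w[1]
        if 'localhost' in clients:
            localhost_views.append(name)
        if any(x.startswith('!') for x in clients):
            findings.append((name, 'negated (!) match-clients entry; the '
                                   'chapter recommends "any;" instead'))
        if 'any' in clients and recursion == 'yes':
            findings.append((name, 'recursion allowed for any client '
                                   '(open resolver)'))
    if len(localhost_views) > 1:
        findings.append(('/'.join(localhost_views), 'localhost matched by '
                         'more than one view; only the first applies'))
    return findings
```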

Configuring The Zone Files

You need to keep a number of things in mind when configuring DNS zone files:
- In all zone files, you can place a comment at the end of any line by inserting a semi-colon character then typing in the text of your comment.
- By default, your zone files are located in the /var/named or /var/named/chroot/var/named or /etc/bind directories depending on your Linux distribution.
- Each zone file contains a variety of records (SOA, NS, MX, A, and CNAME) that govern different areas of BIND.
Take a closer look at these entries in the zone file.

Time to Live Value

The very first entry in the zone file is usually the zone's time to live (TTL) value. Caching DNS servers cache the responses to their queries from authoritative DNS servers. The authoritative servers not only provide the DNS answer but also provide the information's time to live, which is the period for which it's valid. The purpose of a TTL is to reduce the number of DNS queries the authoritative DNS server has to answer. If the TTL is set to three days, then caching servers use the original stored response for three days before making the query again.
$TTL 3D

BIND recognizes several suffixes for time-related values. A D signifies days, a W signifies weeks, and an H signifies hours. In the absence of a suffix, BIND assumes the value is in seconds.

DNS Resource Records

The rest of the records in a zone file are usually BIND resource records. They define the nature of the DNS information in your zone files that's presented to querying DNS clients. They all have the general format:
Name Class Type Data


There are different types of records for mail (MX), forward lookups (A), reverse lookups (PTR), aliases (CNAME) and overall zone definitions, Start of Authority (SOA). The data portion is formatted according to the record type and may consist of several values separated by spaces. Similarly, the name is also subject to interpretation based on this factor.

The SOA Record

The first resource record is the Start of Authority (SOA) record, which contains general administrative and control information about the domain. It has the format:
Name Class Type Name-Server Email-Address Serial-No Refresh Retry Expiry Minimum-TTL

The record can be long, and will sometimes wrap around on your screen. For the sake of formatting, you can insert new line characters between the fields as long as you insert parentheses at the beginning and end of the insertion to alert BIND that part of the record will straddle multiple lines. You can also add comments to the end of each new line separated by a semicolon when you do this. Here is an example:
@ IN SOA ns1.my-site.com. hostmaster.my-site.com. (
            2004100801 ; serial #
            4H         ; refresh
            1H         ; retry
            1W         ; expiry
            1D )       ; minimum

Table 18.4 explains what each field in the record means.

Table 18.4 The SOA Record Format


Field            Description
Name             The root name of the zone. The "@" sign is a shorthand reference to the current origin (zone) in the /etc/named.conf file for that particular database file.
Class            There are a number of different DNS classes. Home/SOHO will be limited to the IN or Internet class used when defining IP address mapping information for BIND. Other classes exist for non Internet protocols and functions but are very rarely used.
Type             The type of DNS resource record. In the example, this is an SOA resource record. Other types of records exist, which I'll cover later.
Name-server      Fully qualified name of your primary name server. Must be followed by a period.
Email-address    The e-mail address of the name server administrator. The regular @ in the e-mail address must be replaced with a period instead. The e-mail address must also be followed by a period.
Serial-no        A serial number for the current configuration. You can use the date format YYYYMMDD with an incremented single digit number tagged to the end. This will allow you to do multiple edits each day with a serial number that both increments and reflects the date on which the change was made.
Refresh          Tells the slave DNS server how often it should check the master DNS server. Slaves aren't usually used in home / SOHO environments.
Retry            The slave's retry interval to connect the master in the event of a connection failure. Slaves aren't usually used in home / SOHO environments.
Expiry           Total amount of time a slave should retry to contact the master before expiring the data it contains. Future references will be directed towards the root servers. Slaves aren't usually used in home/SOHO environments.
Minimum-TTL      There are times when remote clients will make queries for subdomains that don't exist. Your DNS server will respond with a no domain or NXDOMAIN response that the remote client caches. This value defines the caching duration your DNS includes in this response.

So in the example, the primary name server is defined as ns1.my-site.com with a contact e-mail address of hostmaster@my-site.com. The serial number is 2004100801 with refresh, retry, expiry, and minimum values of 4 hours, 1 hour, 1 week, and 1 day, respectively.

NS, MX, A And CNAME Records

Like the SOA record, the NS, MX, A, PTR and CNAME records each occupy a single line with a very similar general format. Table 18.5 outlines the way they are laid out.

Table 18.5 NS, MX, A, PTR and CNAME Record Formats


Record Type  Name Field (1)                       Class Field (2)  Type Field  Data Field
NS           Usually blank                        IN               NS          IP address or CNAME of the name server
MX           Domain to be used for mail. Usually  IN               MX          Mail server DNS name
             the same as the domain of the zone
             file itself.
A            Name of a server in the domain       IN               A           IP address of server
CNAME        Server name alias                    IN               CNAME       "A" record name for the server
PTR          Last octet of server's IP address    IN               PTR         Fully qualified server name

1. If the search key to a DNS resource record is blank it reuses the search key from the previous record, which in this case is the SOA @ sign.
2. For most home / SOHO scenarios, the Class field will always be IN or Internet. You should also be aware that IN is the default Class, and BIND will assume a record is of this type unless otherwise stated.

If you don't put a period at the end of a host name in a SOA, NS, A, or CNAME record, BIND will automatically tack on the zone file's domain name to the name of the host. So, BIND assumes an A record with www refers to www.my-site.com. This may be acceptable in most cases, but if you forget to put the period after the domain in the MX record for my-site.com, BIND attaches the my-site.com at the end, and you will find your mail server accepting mail only for the domain my-site.com.my-site.com.

TXT Records

There is also a less frequently used DNS TXT record that can be configured to contain additional generic information. The data section of the record typically has the format "name=value", where "name" is the name to be given to the type of data, and "value" is the value assigned to the name as seen in this example.
my-web-site.org. TXT "v=spf1 -all"

TXT records are increasingly being used to help fight SPAM using the Sender Policy Framework (SPF) method. SPF TXT records are used by systems receiving mail to interrogate the DNS of the domain which appears in the email (the sender) and determine if the originating IP address of the mail (the source) is authorized to send mail for the sender's domain. Further description of the use of TXT records is beyond the scope of this book, but you should at least be aware that they can be up to 255 characters in length and that this feature is often exploited in distributed denial of service (DDoS) attacks. The section on "Simple DNS Security" explains how to configure your DNS server to not participate in such an event.

Sample Forward Zone File

Now that you know the key elements of a zone file, it's time to examine a working example for the domain my-site.com.
;
; Zone file for my-site.com
;
; The full zone file
;
$TTL 3D
@       IN      SOA     ns1.my-site.com. hostmaster.my-site.com. (
                        200211152       ; serial#
                        3600            ; refresh, seconds
                        3600            ; retry, seconds
                        3600            ; expire, seconds
                        3600 )          ; minimum, seconds

my-site.com.    NS      www             ; Inet Address of nameserver
                MX      10 mail         ; Primary Mail Exchanger
localhost       A       127.0.0.1
bigboy          A       97.158.253.26
mail            A       97.158.253.27
ns1             CNAME   bigboy
www             CNAME   bigboy

Notice that in this example:
- Server ns1.my-site.com is the name server for my-site.com. In corporate environments there may be a separate name server for this purpose. Primary name servers are more commonly called ns1 and secondary name servers ns2.
- The minimum TTL value ($TTL) is three days, therefore remote DNS caching servers will store learned DNS information from your zone for three days before flushing it out of their caches.
- The MX record for my-site.com points to the server named mail.my-site.com and this server has the IP address 97.158.253.27.
- ns1 is actually a CNAME or alias for the Web server www. So here you have an example of the name server, and Web server being the same machine. If they were all different machines, then you'd have an A record entry for each.


www     A       97.158.253.26
ns      A       97.158.253.125

It is a required practice to increment your serial number whenever you edit your zone file. When DNS is setup in a redundant configuration, the slave DNS servers periodically poll the master server for updated zone file information, and use the serial number to determine whether the data on the master has been updated. Failing to increment the serial number, even though the contents of the zone file have been modified, could cause your slaves to have outdated information.

Note: The DNS specification (RFC 2181) does not allow for an MX record to be a CNAME. It may work in most cases, but some mail servers may refuse to send to you because of this.
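The following Python linter is an added example, not code from the chapter: it reads a zone file using the rules described above ($TTL suffixes, ';' comments, the parenthesised SOA, blank owners reusing the previous name, and the origin being appended to names without a trailing period) and flags the missing-period and MX-to-CNAME mistakes. The zone text is constructed from the my-site.com sample with those two mistakes planted.

```python
import re

# Constructed input (not the chapter's own zone): the my-site.com sample with
# two of the mistakes the chapter warns about planted on the MX lines:
#   - mail.my-site.com lacks the trailing period, so BIND appends the origin
#   - www is a CNAME, which RFC 2181 does not allow as an MX target
SAMPLE_ZONE = """\
$TTL 3D
@       IN      SOA     ns1.my-site.com. hostmaster.my-site.com. (
                        200211152       ; serial#
                        3600            ; refresh, seconds
                        3600            ; retry, seconds
                        3600            ; expire, seconds
                        3600 )          ; minimum, seconds
        NS      ns1                     ; name server
        MX      10 mail.my-site.com     ; trailing period forgotten
        MX      20 www                  ; alias used as a mail exchanger
bigboy          A       97.158.253.26
mail            A       97.158.253.27
ns1             CNAME   bigboy
www             CNAME   bigboy
"""

TIME_UNITS = {'S': 1, 'M': 60, 'H': 3600, 'D': 86400, 'W': 604800}
KNOWN_TYPES = {'SOA', 'NS', 'MX', 'A', 'AAAA', 'CNAME', 'PTR', 'TXT'}


def parse_ttl(value):
    """Convert a BIND time value such as 3D, 4H or 3600 into seconds."""
    m = re.fullmatch(r'(\d+)([SMHDW]?)', value.upper())
    if not m:
        raise ValueError('bad time value: ' + value)
    return int(m.group(1)) * TIME_UNITS[m.group(2) or 'S']


def qualify(name, origin):
    """BIND's name rule: '@' is the origin, and a name without a trailing
    period gets the origin appended ('www' -> 'www.my-site.com.')."""
    if name == '@':
        return origin
    return name if name.endswith('.') else name + '.' + origin


def logical_lines(text):
    """Drop ';' comments and join lines wrapped inside ( ... )."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(';', 1)[0]
        depth += line.count('(') - line.count(')')
        buf.append(line.replace('(', ' ').replace(')', ' '))
        if depth == 0:
            joined, buf = ' '.join(buf), []
            if joined.strip():
                yield joined


def parse_zone(text, origin):
    """Return (default TTL, records); a record is (owner, type, data fields).
    Only the $TTL directive is handled and an optional IN class is skipped."""
    ttl, records, last_owner = None, [], '@'
    for line in logical_lines(text):
        fields = line.split()
        if fields[0] == '$TTL':
            ttl = parse_ttl(fields[1])
            continue
        # a blank owner (line starts with whitespace) reuses the previous one
        owner = last_owner if line[0].isspace() else fields.pop(0)
        if fields and fields[0] == 'IN':
            fields.pop(0)
        rtype, data = fields[0], fields[1:]
        if rtype not in KNOWN_TYPES:
            raise ValueError('unsupported record type: ' + rtype)
        records.append((qualify(owner, origin), rtype, data))
        last_owner = owner
    return ttl, records


def lint_zone(text, origin):
    """Report the zone-file mistakes the chapter warns about."""
    problems = []
    ttl, records = parse_zone(text, origin)
    if ttl is None:
        problems.append('no $TTL directive at the top of the zone')
    cnames = {owner for owner, rtype, _ in records if rtype == 'CNAME'}
    for owner, rtype, data in records:
        if rtype == 'SOA':
            contact, serial = data[1], data[2]
            if '@' in contact or not contact.endswith('.'):
                problems.append('SOA contact must replace @ with a period and '
                                'end with a period: ' + contact)
            if not re.fullmatch(r'(19|20)\d{6}\d{1,2}', serial):
                problems.append('SOA serial not in YYYYMMDDn form: ' + serial)
        elif rtype in ('NS', 'MX', 'CNAME'):
            target = data[-1]
            if '.' in target and not target.endswith('.'):
                problems.append('%s target %s has no trailing period; BIND reads '
                                'it as %s' % (rtype, target, qualify(target, origin)))
            if rtype == 'MX' and qualify(target, origin) in cnames:
                problems.append('MX target %s is a CNAME, which RFC 2181 does '
                                'not allow' % target)
    return problems
```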

Sample Reverse Zone File

Now you need to make sure that you can do a host query on all your home network's PCs and get their correct IP addresses. This is very important if you are running a mail server on your network, because sendmail typically relays mail only from hosts whose IP addresses resolve correctly in DNS. NFS, which is used in network-based file access, also requires valid reverse lookup capabilities. This is an example of a zone file for the 192.168.1.x network. All the entries in the first column refer to the last octet of the IP address for the network, so the IP address 192.168.1.100 points to the name bigboy.my-site.com. Notice how the main difference between forward and reverse zone files is that the reverse zone file only has PTR and NS records. Also the PTR records cannot have CNAME aliases.
;
; Filename: 192-168-1.zone
;
; Zone file for 192.168.1.x
;
$TTL 3D
@       IN      SOA     www.my-site.com. hostmaster.my-site.com. (
                        200303301       ; serial number
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds

        NS      www                     ; Nameserver Address
100     PTR     bigboy.my-site.com.
103     PTR     smallfry.my-site.com.
102     PTR     ochorios.my-site.com.
105     PTR     reggae.my-site.com.
32      PTR     dhcp-192-168-1-32.my-site.com.
33      PTR     dhcp-192-168-1-33.my-site.com.
34      PTR     dhcp-192-168-1-34.my-site.com.
35      PTR     dhcp-192-168-1-35.my-site.com.
36      PTR     dhcp-192-168-1-36.my-site.com.

I included entries for addresses 192.168.1.32 to 192.168.1.36, which are the addresses the DHCP server issues. SMTP mail relay wouldn't work for PCs that get their IP addresses via DHCP if these lines weren't included. You may also want to create a reverse zone file for the public NAT IP addresses for your home network. Unfortunately, ISPs won't usually delegate this ability for anyone with less than a Class C block of 256 IP addresses. Most home DSL sites wouldn't qualify.

Loading Your New Configuration Files

Make sure your configuration files are in the correct locations and the serial numbers of the zone files you may have modified have been updated. If all seems correct, restart the BIND named daemon for the configuration to become active.
[root@bigboy tmp]# systemctl restart named.service

Take a look at the end of your /var/log/messages file to make sure there are no errors.

Make Sure Your /etc/hosts File Is Correctly Updated

Chapter 3, "Linux Networking", explains how to correctly configure your /etc/hosts file. Some programs, such as sendmail, require a correctly configured /etc/hosts file even though DNS is correctly configured.

Configure Your Firewall

The sample network assumes that the BIND name server and Apache Web server software run on the same machine protected by a router/firewall. The actual IP address of the server is 192.168.1.100, which is a private IP address. You'll have to use NAT for Internet users to be able to gain access to the server via the chosen public IP address, namely 97.158.253.26. If your firewall is a Linux box, you may want to consider taking a look at Chapter 14, "Linux Firewalls Using iptables", which describes how to do the network address translation and allow DNS traffic through to your name server.

Fix Your Domain Registration

Remember to edit your domain registration for my-site.com, or whatever it is, so that at least one of the name servers is your new name server (97.158.253.26 in this case). Domain registrars, such as VeriSign and RegisterFree, usually provide a Web interface to help you manage your domain.


Once you've logged in with the registrar's username and password, you'll have to take two steps:
1) Create a new name server record entry for the IP address 97.158.253.26 to map to ns.my-site.com or www.my-site.com or whatever your name server is called. (This screen prompts you for both the server's IP address and name.)
2) Assign ns.my-site.com to handle your domain. This screen will prompt you for the server name only.

Sometimes, the registrar requires at least two registered name servers per domain. If you only have one, then you could either create a second name server record entry with the same IP address, but different name, or you could give your Web server a second IP address using an IP alias, create a second NAT entry on your firewall and then create the second name server record entry with the new IP address, and different name.

It normally takes about three to four days for your updated DNS information to be propagated to all 13 of the world's root name servers. You'll therefore have to wait about this amount of time before starting to notice people hitting your new Web site. You can use the chapter's troubleshooting section to test specific DNS servers for the information they have on your site. You'll most likely want to test your new DNS server, which should be up to date, plus a few well known ones, which should have delayed values.

Troubleshooting BIND

BIND troubleshooting is usually easy to do. The named daemon updates the /var/log/messages file with detailed status messages that are frequently easy to interpret when you suspect a configuration error. The usual troubleshooting steps for network problems are also applicable. Both methodologies will be covered next.

Configuration Troubleshooting Steps

Always check your /var/log/messages file and console output for errors. Here are a couple of examples you may come across:

The named daemon is started with an unedited version of the sample named.conf file, which causes unusual errors on the screen. References to the nonexistent sample zone files create errors. References to both the named.rfc1912.zones and named.root files in the localhost_resolver section cause errors related to duplicate definitions.
[root@bigboy tmp]# systemctl restart named.service
Starting named:
Error in named configuration:
/etc/named.rfc1912.zones:10: zone '.': already exists
previous definition: /etc/named.root.hints:12
zone localdomain/IN: loaded serial 42
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
zone 255.in-addr.arpa/IN: loaded serial 42
zone 0.in-addr.arpa/IN: loaded serial 42
zone my.internal.zone/IN: loading master file my.internal.zone.db: file not found
internal/my.internal.zone/IN: file not found
zone my.ddns.internal.zone/IN: loading master file slaves/my.ddns.internal.zone.db: file not found
internal/my.ddns.internal.zone/IN: file not found
zone my.external.zone/IN: loading master file my.external.zone.db: file not found
external/my.external.zone/IN: file not found
                                                           [FAILED]
[root@bigboy tmp]#

The named.conf file refers to an undefined secret key in the ddns_key of named.conf. Use the dns-keygen or dnskeygen commands to create a correct entry.
Feb 25 20:38:49 bigboy named[4593]: /etc/named.conf:99: configuring key 'ddns_key': bad base64 encoding
Feb 25 20:38:49 bigboy named[4593]: loading configuration: bad base64 encoding

The named.root.hints file referred to in named.conf isn't present in the /etc or the chroot /etc directory.
[root@bigboy tmp]# systemctl start named.service
Starting named:
Error in named configuration:
/etc/named.conf:58: open: /etc/named.root.hints: file not found
                                                           [FAILED]
[root@bigboy tmp]#

The named.root file referred to in the named.root.hints file isn't present.


Feb 25 21:33:41 bigboy named[5007]: could not configure root hints from 'named.root': file not found
Feb 25 21:33:41 bigboy named[5007]: loading configuration: file not found
Feb 25 21:33:41 bigboy named[5007]: exiting (due to fatal error)

You are using a chroot version of BIND with a sample rndc.key file located in the /etc directory instead of the /var/named/chroot/etc/ directory. Copy the file to the correct location and restart named to fix the problem.


[root@bigboy tmp]# systemctl restart named.service
Stopping named: rndc: connect failed: connection refused
                                                           [  OK  ]
Starting named:                                            [  OK  ]
[root@bigboy tmp]#

In your named.conf file you refer to a zone file that doesn't exist. This example includes both errors to the console screen and errors in the /var/log/messages file.
[root@bigboy tmp]# systemctl start named.service
Starting named:
Error in named configuration:
zone localdomain/IN: loaded serial 42
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
zone 255.in-addr.arpa/IN: loaded serial 42
zone 0.in-addr.arpa/IN: loaded serial 42
zone 2.168.192.in-addr.arpa/IN: loaded serial 2006052301
zone my-web-site.org/IN: loaded serial 2006052302
zone my-web-site.com/IN: loading master file /var/named/zones/internal/my-web-site.com.zone: file not found
internal/my-web-site.com/IN: file not found
zone 1.168.192.in-addr.arpa/IN: loaded serial 2006052301
zone my-web-site.org/IN: loaded serial 2006052302
                                                           [FAILED]
[root@bigboy tmp]#

Feb 26 01:47:10 smallfry named: zone my-web-site.com/IN: loading master file /var/named/zones/internal/my-web-site.com.zone: file not found
Feb 26 01:47:10 smallfry named: internal/my-web-site.com/IN: file not found

This is a tricky one that would occur in some early versions of Fedora. BIND would appear to start correctly, but none of the zone files would be loaded. In this scenario you could be using a chroot version of BIND with a sample named.conf file located in the /etc directory instead of the /var/named/chroot/etc/ directory. Copy the file to the correct location and restart named to fix the problem. Delete the /etc copy and create a symbolic link to /var/named/chroot/etc/named.conf from /etc to ensure you always edit the correct file.
Nov  9 17:35:41 bigboy named[1157]: starting BIND 9.2.3 -u named -t /var/named/chroot
Nov  9 17:35:41 bigboy named[1157]: using 1 CPU
Nov  9 17:35:41 bigboy named[1157]: loading configuration from /etc/named.conf
Nov  9 17:35:41 bigboy named[1157]: listening on IPv4 interface lo, 127.0.0.1#53
Nov  9 17:35:41 bigboy named[1157]: listening on IPv4 interface eth0, 10.41.32.71#53
Nov  9 17:35:41 bigboy named[1157]: command channel listening on 127.0.0.1#953
Nov  9 17:35:41 bigboy named[1157]: command channel listening on ::1#953
Nov  9 17:35:41 bigboy named[1157]: running

If there are no named errors to the screen or /var/log/messages, and your domain doesn't resolve correctly when queried using the host command when you are logged into your new nameserver, then the problem could be due to you forgetting to add a zone file entry for the domain in named.conf; there could be a typographical error in your zone file; or you could have forgotten to update your zone file serial numbers. This isn't a comprehensive configuration error list, but it covers some common mistakes with a new configuration.

Network Troubleshooting Steps

Once configuration troubleshooting is completed, you can continue with the following troubleshooting steps:
1) Determine whether your DNS server is accessible on DNS UDP/TCP port 53. Lack of connectivity could be caused by a firewall with incorrect permit, NAT, or port forwarding rules to your DNS server. Failure could also be caused by the named process being stopped. It is best to test this from both inside your network and from the Internet. Troubleshooting with TELNET is covered in Chapter 4, "Simple Network Troubleshooting".
2) Linux status messages are logged to the file /var/log/messages. Use it to make sure all your zone files are loaded when you start BIND/named. Check your /etc/named.conf file if they fail to do so. (Linux logging is covered in Chapter 5, "Troubleshooting Linux with syslog".)
Feb 21 09:13:13 bigboy named: named startup succeeded
Feb 21 09:13:13 bigboy named[12026]: loading configuration from '/etc/named.conf'
Feb 21 09:13:13 bigboy named[12026]: no IPv6 interfaces found
Feb 21 09:13:13 bigboy named[12026]: listening on IPv4 interface lo, 127.0.0.1#53
Feb 21 09:13:13 bigboy named[12026]: listening on IPv4 interface wlan0, 192.168.1.100#53
Feb 21 09:13:13 bigboy named[12026]: listening on IPv4 interface eth0, 172.16.1.100#53
Feb 21 09:13:14 bigboy named[12026]: command channel listening on 127.0.0.1#953
Feb 21 09:13:14 bigboy named[12026]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Feb 21 09:13:14 bigboy named[12026]: zone 1.16.172.in-addr.arpa/IN: loaded serial 51
Feb 21 09:13:14 bigboy named[12026]: zone 1.168.192.in-addr.arpa/IN: loaded serial 51
Feb 21 09:13:14 bigboy named[12026]: zone simiya.com/IN: loaded serial 2004021401
Feb 21 09:13:14 bigboy named[12026]: zone localhost/IN: loaded serial 42
Feb 21 09:13:14 bigboy named[12026]: zone simiya.com/IN: loaded serial 200301114
Feb 21 09:13:14 bigboy named[12026]: running

3) Use the host (nslookup in Windows) command for both forward and reverse lookups to make sure the zone files were configured correctly. If this fails, try:
- Double check for your updated serial numbers in the modified files and also inspect the individual records within the files for mistakes.
- Ensure there isn't a firewall that could be blocking DNS traffic on TCP and/or UDP port 53 between your server and the DNS server.
- Use the dig command to determine whether the name server for your domain is configured correctly. Here is an example of querying DNS server ns1.my-site.com for the IP address of www.linuxhomenetworking.com. (You can also replace the name server's name with its IP address.)
[root@bigboy tmp]# host www.linuxhomenetworking.com ns1.my-site.com
Using domain server:
Name: ns1.my-site.com
Address: 192.168.1.100#53
Aliases:

www.linuxhomenetworking.com has address 65.115.71.34
[root@bigboy tmp]#

Here is an example of querying your default DNS server for the IP address of www.linuxhomenetworking.com. As you can see, the name of the specific DNS server to query has been left off the end. Failure in this case could be due not only to an error in your BIND configuration or domain registration but also to an error in your DNS client's DNS server entry in your Linux /etc/resolv.conf file or the Windows TCP/IP properties for your NIC.
[root@bigboy tmp]# host www.linuxhomenetworking.com
www.linuxhomenetworking.com has address 65.115.71.34
[root@bigboy tmp]#

4) You can also use the dig command to determine whether known DNS servers on the Internet have received a valid update for your zone. (Remember if you decide to change the DNS servers for your domain that it could take up to four days for it to propagate across the Internet.) The format for the command is:
dig @<name-server> <domain-name> soa

The name server is optional. If you specify a name server, then dig queries that name server instead of the Linux server's default name server. It is sometimes good to query both your name server, as well as a well known name server such as ns1.yahoo.com to make sure your DNS records have propagated properly. The dig command works only with fully qualified domain names, because it doesn't refer to the /etc/resolv.conf file. This command uses the local DNS server for the query. It returns the SOA record information and the addresses of the domain's DNS servers in the authority section.
[root@bigboy tmp]# dig linuxhomenetworking.com SOA
...
...
;; AUTHORITY SECTION:
linuxhomenetworking.com. 3600   IN      NS      ns1.myisp.net.
linuxhomenetworking.com. 3600   IN      NS      ns2.myisp.net.

;; ADDITIONAL SECTION:
ns1.myisp.net.           3600   IN      A       65.115.70.68
ns2.myisp.net.           3600   IN      A       65.115.70.69
...
...
[root@bigboy tmp]#

Here is a successful dig using DNS server ns1.yahoo.com for the query. As before, it returns the SOA record for the zone.
[root@bigboy tmp]# dig @ns1.yahoo.com linuxhomenetworking.com SOA
...
...
;; AUTHORITY SECTION:
linuxhomenetworking.com. 3600   IN      NS      ns2.myisp.net.
linuxhomenetworking.com. 3600   IN      NS      ns1.myisp.net.

;; ADDITIONAL SECTION:
ns1.myisp.net.           3600   IN      A       65.115.70.68
ns2.myisp.net.           3600   IN      A       65.115.70.69
...
...
[root@bigboy tmp]#

Sometimes your SOA dig will fail. This command uses the DNS server ns1.yahoo.com for the query. In this case the authority section doesn't know of the domain and points to the name server for the entire .com domain at VeriSign.
[root@bigboy tmp]# dig @ns1.yahoo.com linuxhomeqnetworking.com SOA
...
...
;; QUESTION SECTION:
;linuxhomeqnetworking.com.      IN      SOA

;; AUTHORITY SECTION:
com.    0       IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1077341254 1800 900 604800 900
...
...
[root@bigboy tmp]#

Possible causes of failure include:
- Typographical errors. In this case the misspelling "linuxhomeqnetworking.com" was entered on the command line.
- Incorrect domain registration.
- Correct domain registration, but there is a lag in the propagation of the domain information across the Internet. Delays of up to four days are not uncommon.
- A firewall could be blocking DNS traffic on TCP and/or UDP port 53 between your server and the DNS server.
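As an added example (not the chapter's code), this Python applies the reading of the AUTHORITY section described above to two constructed dig transcripts modelled on the outputs shown: NS records named for the domain itself mean the queried server knows the zone, while a parent zone such as com. in that section means the domain is unknown to it.

```python
import re

# Constructed dig transcripts modelled on the chapter's two SOA queries: one
# where the queried server knows the zone, one where a misspelt domain makes
# the authority section fall back to the .com servers.
DIG_KNOWN = """\
;; QUESTION SECTION:
;linuxhomenetworking.com.      IN      SOA

;; AUTHORITY SECTION:
linuxhomenetworking.com. 3600  IN      NS      ns2.myisp.net.
linuxhomenetworking.com. 3600  IN      NS      ns1.myisp.net.

;; ADDITIONAL SECTION:
ns1.myisp.net.           3600  IN      A       65.115.70.68
ns2.myisp.net.           3600  IN      A       65.115.70.69
"""

DIG_UNKNOWN = """\
;; QUESTION SECTION:
;linuxhomeqnetworking.com.     IN      SOA

;; AUTHORITY SECTION:
com.  0  IN  SOA  a.gtld-servers.net. nstld.verisign-grs.com. 1077341254 1800 900 604800 900
"""


def parse_dig_sections(output):
    """Group the resource records in dig output by section name."""
    sections, current = {}, None
    for line in output.splitlines():
        line = line.strip()
        header = re.match(r';; (\w+) SECTION:', line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if not line or line.startswith(';') or current is None:
            continue
        fields = line.split(None, 4)
        if len(fields) == 5:                    # name ttl class type rdata
            name, ttl, cls, rtype, rdata = fields
            sections[current].append((name.lower(), int(ttl), cls, rtype, rdata))
    return sections


def soa_check(output, domain):
    """Apply the chapter's reading of the AUTHORITY section: records named for
    the domain itself mean the server knows the zone; records for a parent
    zone (such as com.) mean the domain is unknown to that server."""
    domain = domain.lower().rstrip('.') + '.'
    authority = parse_dig_sections(output).get('AUTHORITY', [])
    if any(name == domain for name, *_ in authority):
        nameservers = sorted(rdata for name, _, _, rtype, rdata in authority
                             if name == domain and rtype == 'NS')
        return 'known', nameservers
    parents = sorted({name for name, *_ in authority
                      if name == '.' or domain.endswith('.' + name)})
    if parents:
        return 'unknown-to-server', parents
    return 'no-authority', []
```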


7igr$ting ,our We9 Site nAHouse


It is important to have a detailed migration plan if you currently use an external company to host your Web site and wish to move the site to a server at home or in your office. At the very least, your plan should include these steps:

1. There is no magic bullet that will let you tell all the caching DNS servers in the world to flush your zone's entries from their caches; each cache keeps a record until that record's TTL expires. Your best approach is to ask your existing service provider to set the TTL on the my-site.com records in the DNS zone file to a very low value, say one minute. The TTL is usually set to a number of days, so it will take at least three to five days for every remote DNS server to pick up the change; do this well ahead of the move. Once the propagation is complete, it will take only one minute to see the results of the final DNS switch to your new server. If anything goes wrong you can revert to the old configuration, knowing the Internet will see the reversal within minutes rather than days.

2. Set up your test server in house. Edit its /etc/hosts file so that www.my-site.com refers to the server's own IP address, not that of the www.my-site.com site currently in production. The hosts line of /etc/nsswitch.conf ("hosts: files dns") normally consults this file before DNS, so the test server will believe that www.my-site.com is hosted on itself. You may also want to add an entry for mail.my-site.com if the new Web server is also going to be your new mail server.

3. Test your server-based applications from the server itself: mail, Web, and so on.

4. Test the server from a remote client. You can test the server running as www.my-site.com even though DNS hasn't been updated: just edit the /etc/hosts file on your Web-browsing Linux PC so that www.my-site.com maps to the IP address of the new server. On Windows the file is C:\WINDOWS\system32\drivers\etc\hosts. Again, add an entry for mail.my-site.com if the new server will also handle mail. Clients consult these files before DNS, so you can predefine DNS lookups at the local client level only, without touching the public zone.

5. Once testing is complete, coordinate with your Web hosting provider to update the DNS records for www.my-site.com (and the MX record, if mail is moving too) to point to your new server. Because the TTLs were set to one minute earlier, you'll see the results of the migration within minutes.

6. Once the move is stable, set the TTL back to its original value to reduce the volume of DNS query traffic hitting your DNS server.

7. Clean up your /etc/hosts files by deleting the test entries you added. Left in place, they would hide a broken DNS change from the very machines you test from.

8. You may also want to take over your own DNS. Edit the my-site.com name server entries with VeriSign, RegisterFree or whoever you bought your domain from so that they point to your new DNS servers. Remember, you don't have to host DNS or mail in-house; these can be left in the hands of your service provider and migrated later as your confidence in hosting grows.

Finally, if you are concerned that your service provider won't cooperate, you could explain that you want to test its failover capabilities to a duplicate server that you host in-house. You can then decide whether the change will be permanent once you have failed over back and forth a few times.
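The readiness checks behind steps 1, 4 and 5, as an added example that is not part of the original page: it parses `dig +noall +answer` style output for the www A record, taken once from the authoritative server and once from a remote caching resolver, and reports which phase of the plan you are in; it also confirms the "files before dns" order in /etc/nsswitch.conf that the /etc/hosts overrides of steps 2 and 4 rely on. The sample answer lines, the addresses 203.0.113.10 (old hosted address) and 198.51.100.7 (new in-house server) and the 60-second target TTL are constructed for this example.

```python
"""Cutover readiness for the TTL-lowering migration plan above.
Added example; not code from the page. The answer lines below are constructed."""
import re
from typing import List, NamedTuple, Tuple


class RR(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str


# One `dig +noall +answer` line per record: "<name> <ttl> IN <type> <rdata>"
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_answers(text: str) -> List[RR]:
    """Answer-section lines; ';' comment lines and blanks are skipped."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = ANSWER_RE.match(line)
        if not m:
            raise ValueError(f"unparseable answer line: {line!r}")
        rrs.append(RR(m.group(1).lower(), int(m.group(2)), m.group(3).upper(), m.group(4).strip()))
    return rrs


def hosts_before_dns(nsswitch_text: str) -> bool:
    """True when the 'hosts:' line of /etc/nsswitch.conf lists 'files' ahead of
    'dns', which is what makes the /etc/hosts overrides in steps 2 and 4 win."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            sources = line.split(":", 1)[1].split()
            if "files" not in sources:
                return False
            return "dns" not in sources or sources.index("files") < sources.index("dns")
    return False


def cutover_status(auth_text: str, resolver_text: str, new_ip: str, low_ttl: int = 60) -> Tuple[str, int]:
    """Where the migration stands, from two lookups of the www A record: one
    sent to the provider's authoritative server (dig @ns ...) and one sent to
    a remote caching resolver (what the rest of the Internet currently sees).

    Returns (phase, seconds):
      'lower-ttl'  authoritative TTL is still long; ask the provider to lower it (step 1)
      'waiting'    TTL lowered, but the resolver still holds the old long TTL (wait that long)
      'ready'      caches refresh within low_ttl seconds; safe to repoint (step 5)
      'migrated'   the resolver already hands out new_ip
    """
    auth = [r for r in parse_answers(auth_text) if r.rtype == "A"]
    cached = [r for r in parse_answers(resolver_text) if r.rtype == "A"]
    if not auth:
        raise ValueError("no A record in the authoritative answer")
    if cached and all(r.rdata == new_ip for r in cached):
        return "migrated", 0
    longest = max(r.ttl for r in auth)
    if longest > low_ttl:
        return "lower-ttl", longest
    stale = max((r.ttl for r in cached if r.ttl > low_ttl), default=0)
    if stale:
        return "waiting", stale          # seconds until that cache refetches
    return "ready", low_ttl


# Constructed samples (not real lookups): 203.0.113.10 stands for the hosted
# address, 198.51.100.7 for the new in-house server.
AUTH_BEFORE = "www.my-site.com.  86400  IN  A  203.0.113.10"
AUTH_LOWERED = "www.my-site.com.  60  IN  A  203.0.113.10"
RESOLVER_STALE = "www.my-site.com.  79233  IN  A  203.0.113.10"   # still counting down the old day-long TTL
RESOLVER_FRESH = "www.my-site.com.  41  IN  A  203.0.113.10"
RESOLVER_AFTER = "www.my-site.com.  55  IN  A  198.51.100.7"
NSSWITCH = "passwd: files\nhosts:  files dns\n"

if __name__ == "__main__":
    print(cutover_status(AUTH_BEFORE, RESOLVER_STALE, "198.51.100.7"))   # ('lower-ttl', 86400)
    print(cutover_status(AUTH_LOWERED, RESOLVER_STALE, "198.51.100.7"))  # ('waiting', 79233)
    print(cutover_status(AUTH_LOWERED, RESOLVER_FRESH, "198.51.100.7"))  # ('ready', 60)
    print(cutover_status(AUTH_LOWERED, RESOLVER_AFTER, "198.51.100.7"))  # ('migrated', 0)
    print(hosts_before_dns(NSSWITCH))                                    # True
```

Sampling one resolver is only a spot check: a cache you did not query may have fetched the record just before the TTL was lowered, so the safe rule remains to wait one full old TTL after the provider makes the change before repointing.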

DHCP Considerations For DNS


If you have a DHCP server on your network, you'll need to make it hand out the IP address of the Linux box as the DNS server the DHCP clients should use (in ISC dhcpd this is the option domain-name-servers setting). If your Linux box is the DHCP server, refer to Chapter 8, "Configuring the DHCP Server".

Simple DNS Security


DNS can reveal a lot about the nature of your domain. You should take some precautions to conceal some of that information for the sake of security.

Zone Transfer Protection


The host command normally does one DNS query at a time, but the dig command is much more powerful. Given the right parameters it can download the entire contents of your domain's zone file (host -l does the same thing). In this example, the AXFR zone transfer parameter is used to get the contents of the my-site.com zone file.
[root@smallfry tmp]# dig my-site.com AXFR

; <<>> DiG 9.2.3 <<>> my-site.com AXFR
;; global options:  printcmd
my-site.com.              3600  IN  SOA    www.my-site.com. hostmaster.my-site.com. 2004110701 3600 3600 3600 3600
my-site.com.              3600  IN  NS     ns1.my-site.com.
my-site.com.              3600  IN  MX     10 mail.my-site.com.
192-168-1-96.my-site.com. 3600  IN  A      192.168.1.96
192-168-1-97.my-site.com. 3600  IN  A      192.168.1.97
192-168-1-98.my-site.com. 3600  IN  A      192.168.1.98
bigboy.my-site.com.       3600  IN  A      192.168.1.100
gateway.my-site.com.      3600  IN  A      192.168.1.1
localhost.my-site.com.    3600  IN  A      127.0.0.1
mail.my-site.com.         3600  IN  CNAME  www.my-site.com.
ns1.my-site.com.          3600  IN  CNAME  www.my-site.com.
ntp.my-site.com.          3600  IN  CNAME  www.my-site.com.
smallfry.my-site.com.     3600  IN  A      192.168.1.102
www.my-site.com.          3600  IN  A      192.168.1.100
my-site.com.              3600  IN  SOA    www.my-site.com. hostmaster.my-site.com. 2004110701 3600 3600 3600 3600
;; Query time: 16 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Sun Nov 14 20:21:07 2004
;; XFR size: 16 records
[root@smallfry tmp]#

This may not seem like an important security threat at first glance, but it is. Anyone can use this command to enumerate every one of your hosts and its IP address, infer from the names what each machine does, and then choose an attack appropriate to that kind of server. In a simple home network without master and slave servers, zone transfers should be disabled outright. You can do this by adding the allow-transfer directive to the global options section of your named.conf file. (If you do run slave servers, list their addresses in allow-transfer instead of none, and preferably authenticate the transfers with a TSIG key; the directive can also be placed inside an individual zone statement to override the global setting.)
options {
    allow-transfer { none; };
};

Once applied and named has re-read its configuration (rndc reload), your zone transfer test should fail.


[root@smallfry tmp]# dig my-site.com AXFR
...
; <<>> DiG 9.2.3 <<>> my-site.com AXFR
;; global options:  printcmd
; Transfer failed.
[root@smallfry tmp]#

Selectively Disabling Recursion


Your caching DNS server can unknowingly take part in a form of DDoS attack if recursive lookups are allowed to everyone. Say, for example, that for political, religious, competitive or otherwise malicious reasons your Web site is targeted. First, the attacker arranges for a large TXT record to exist in some domain, say my-web-site.org, either by breaking into that domain's authoritative DNS server or, more simply, by registering a throwaway domain and publishing the record there himself. He then sends thousands of queries for that TXT record to unsecured caching DNS servers, but there is a catch: the queries carry a forged source IP address, that of the DNS server for your Web site. The queries are small, but the responses are amplified to the size of the TXT data, and your DNS server is quickly overwhelmed by a flurry of replies it never asked for. Without DNS, your Web site goes off the air. For the administrator of each caching server, the extra load of the queries may be unnoticeable, but multiplied across thousands of other poorly configured servers the attack on your site becomes lethal. The same reflection works against any host, not only DNS servers; the open caching resolver is the amplifier, and the fix belongs there.

The allow-recursion directive, placed in the options section of your named.conf file, restricts the networks for which recursive lookups are performed. In this example an ACL is also used to limit lookups to localhost and the 192.168.1.0/24 network. (A server that is only authoritative and never needs to look anything up for clients can go further and set recursion no;.)
acl "recursive_subnets" {
    192.168.1.0/24;
    localhost;
};

options {
    allow-recursion { "recursive_subnets"; };
};

Note: This does not restrict forward or reverse lookups for the zones the server itself holds. The server will still answer every query for a domain it is authoritative for, but for names in another domain, such as google.com, it answers REFUSED to clients outside the ACL instead of resolving them on their behalf.
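How named evaluates these address-match lists, as an added example (not code from the page or from BIND): a small Python model of the allow-recursion / allow-transfer decision, run over the chapter's two named.conf fragments combined. It handles CIDR prefixes, bare addresses, any, none, localhost, named ACLs, anonymous nested lists and "!" negation with BIND's first-match-wins rule; localhost is simplified to the loopback range, and the localnets and key elements are not modelled. The default applied when a directive is absent, the client addresses in the usage section and the negated-ACL example in the test are this example's own assumptions.

```python
"""Model of how named applies allow-recursion / allow-transfer.
Added example; not code from the page or from BIND."""
import ipaddress
import re
from typing import Dict, List, Optional

# The chapter's two named.conf fragments, combined (page content, not a real server's config)
NAMED_CONF = """
acl "recursive_subnets" {
    192.168.1.0/24;
    localhost;
};

options {
    allow-transfer { none; };
    allow-recursion { "recursive_subnets"; };
};
"""

TOKEN_RE = re.compile(r'"[^"]*"|[{};!]|[^\s{};!"]+')
LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))


def tokenize(text: str) -> List[str]:
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # C-style comments
    text = re.sub(r"(//|#).*", "", text)                 # line comments
    return TOKEN_RE.findall(text)


def parse_block(tokens: List[str], i: int):
    """Statements up to the matching '}'. A statement is a list of words;
    an inner '{ ... }' becomes a nested list of statements."""
    stmts, cur = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            sub, i = parse_block(tokens, i + 1)
            cur.append(sub)
            continue
        if tok == "}":
            if cur:
                stmts.append(cur)
            return stmts, i + 1
        if tok == ";":
            if cur:
                stmts.append(cur)
            cur = []
        else:
            cur.append(tok.strip('"'))
        i += 1
    raise ValueError("unbalanced braces in named.conf")


def load_conf(text: str):
    """acl name -> match list, and option name -> match list (block-valued options only)."""
    stmts, _ = parse_block(tokenize(text) + ["}"], 0)
    acls: Dict[str, list] = {}
    options: Dict[str, list] = {}
    for st in stmts:
        if st[0] == "acl" and len(st) == 3:
            acls[st[1]] = st[2]
        elif st[0] == "options" and len(st) == 2:
            for opt in st[1]:
                if len(opt) == 2 and isinstance(opt[1], list):
                    options[opt[0]] = opt[1]
    return acls, options


def match_list(elements: list, ip, acls: dict, depth: int = 0) -> Optional[bool]:
    """First element that matches decides: True = allowed, False = rejected by '!'.
    None = nothing matched, which named treats as deny."""
    if depth > 8:
        raise ValueError("acl nesting too deep")
    for el in elements:
        negate = el[0] == "!"
        item = el[1] if negate else el[0]
        if isinstance(item, list):                       # anonymous { ... } list
            hit = match_list(item, ip, acls, depth + 1)
        elif item == "any":
            hit = True
        elif item == "none":                             # matches nothing at all
            hit = None
        elif item == "localhost":                        # simplified to loopback; BIND also
            hit = True if any(ip in n for n in LOOPBACK) else None   # means every local interface address
        elif item in acls:
            hit = match_list(acls[item], ip, acls, depth + 1)
        else:                                            # bare address or prefix (localnets/key not modelled)
            hit = True if ip in ipaddress.ip_network(item, strict=False) else None
        if hit is not None:
            return hit != negate
    return None


def allowed(conf_text: str, directive: str, client_ip: str, default: str = "any") -> bool:
    """Would named grant `directive` to client_ip? `default` is assumed to apply
    when the directive is absent: 'any' matches BIND 9.2 (the version in the
    chapter's dig output); newer BIND defaults allow-recursion to localnets/localhost."""
    acls, options = load_conf(conf_text)
    elements = options.get(directive, [[default]])
    return match_list(elements, ipaddress.ip_address(client_ip), acls) is True


if __name__ == "__main__":
    for client in ("192.168.1.50", "127.0.0.1", "203.0.113.9"):   # constructed client addresses
        print(client, "recursion:", allowed(NAMED_CONF, "allow-recursion", client),
              "axfr:", allowed(NAMED_CONF, "allow-transfer", client))
```

The open-resolver case is the interesting one: with no allow-recursion directive at all, the 9.2-era default of any lets 203.0.113.9, or a forged copy of your own server's address, obtain recursion, which is exactly what the amplification attack needs.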

Naming Convention Security


Your my-site.com domain will probably have www and mail host names, and they should remain obvious to all. But you may want to adjust your DNS views so that, to external users, your MySQL database server does not carry the letters "DB" or "SQL" in its name and your firewall does not carry "FW" in its name. Such names are convenient for reference within the company, but to the Internet they rapidly identify the kind of exploit an attacker could use to break in. Better still, hosts that external users have no business reaching should not appear in the external view at all; renaming only helps for what must be published. Web site security covers anything that helps guarantee the availability of the site, and this is just one of many methods you can use.

Conclusion

DNS management is a critical part of the maintenance of any Web site. Fortunately, although it can be a little complicated, DNS modifications are usually infrequent, because the IP address of a server is normally fixed or static. This is not always the case. There are situations in which a server's IP address changes unpredictably and frequently, making DNS management extremely difficult. Dynamic DNS was created as a solution to this and is explained in Chapter 19, "Dynamic DNS".

Retrieved from "http://www.linuxhomenetworking.com/wiki/index.php?title=Quick_HOWTO_:_Ch18_:_Configuring_DNS&oldid=4322"

This page was last modified on 10 August 2012, at 06:01. Content is available under Attribution-NonCommercial-NoDerivs 2.5.
