Quick HOWTO : Ch18 : Configuring DNS - Linux Home Networking


(c) Peter Harrison


Quick HOWTO : Ch18 : Configuring DNS



Introduction
Domain Name System (DNS) converts the name of a Web site (www.linuxhomenetworking.com) to an IP address (65.115.71.34). This step is important, because the IP address of a Web site's server, not the Web site's name, is used in routing traffic over the Internet. This chapter will explain how to configure your own DNS server to help guide Web surfers to your site.

Introduction to DNS
Before you dig too deep in DNS, you need to understand a few foundation concepts on which the rest of the chapter will be built.

DNS Domains
Everyone in the world has a first name and a last, or family, name. The same thing is true in the DNS world: A family of Web sites can be loosely described as a domain. For example, the domain linuxhomenetworking.com has a number of children, such as www.linuxhomenetworking.com and mail.linuxhomenetworking.com for the Web and mail servers, respectively.

BIND
BIND is an acronym for the Berkeley Internet Name Domain project, which is a group that maintains the DNS-related software suite that runs under Linux. The best-known program in BIND is named, the daemon that responds to DNS queries from remote machines.

DNS Clients
A DNS client doesn't store DNS information; it must always refer to a DNS server to get it. The only DNS configuration file for a DNS client is the /etc/resolv.conf file, which defines the IP address of the DNS server it should use. You shouldn't need to configure any other files. You'll become well acquainted with the /etc/resolv.conf file soon.

Authoritative DNS Servers
Authoritative servers provide the definitive information for your DNS domain, such as the names of servers and Web sites in it. They are the last word in information related to your domain.

How DNS Servers Find Out Your Site Information
There are 13 root authoritative DNS servers (super duper authorities) that all DNS servers query first. These root servers know all the authoritative DNS servers for all the main domains - .com, .net, and the rest. This layer of servers keeps track of all the DNS servers that Web site systems administrators have assigned for their sub domains. For example, when you register your domain my-site.com, you are actually inserting a record on the .com DNS servers that points to the authoritative DNS servers you assigned for your domain. (More on how to register your site later.)

When To Use A DNS Caching Name Server
Most servers don't ask authoritative servers for DNS directly, they usually ask a caching DNS server to do it on their behalf. These servers, through a process called recursion, sequentially query the authoritative servers at the root, main domain and sub domain levels to eventually get the specific information requested. The most frequently requested information is then stored (or cached) to reduce the lookup overhead of subsequent queries.

If you want to advertise your Web site www.my-site.com to the rest of the world, then a regular DNS server is what you require.

Setting up a caching DNS server is fairly straightforward and works whether or not your ISP provides you with a static or dynamic Internet IP address.

After you set up your caching DNS server, you must configure each of your home network PCs to use it as their DNS server. If your home PCs get their IP addresses using DHCP, then you have to configure your DHCP server to make it aware of the IP address of your new DNS server, so that the DHCP server can advertise the DNS server to its PC clients. You can find the configuration steps for a Linux DHCP server in Chapter 8, "Configuring the DHCP Server". Off-the-shelf router/firewall appliances used in most home networks usually can act as both the caching DNS and DHCP server, rendering a separate DNS server unnecessary.

Note: Regular name servers are also caching name servers by default.

When To Use A Static DNS Server
If your ISP provides you with a fixed or static IP address, and you want to host your own Web site, then a regular authoritative DNS server would be the way to go.

When To Use A Dynamic DNS Server
If your ISP provides your router/firewall with its Internet IP address using DHCP, then you must consider dynamic DNS, covered in Chapter 19, "Dynamic DNS". For now, I'm assuming that you are using static Internet IP addresses.

How To Get Your Own Domain
Whether or not you use static or dynamic DNS, you need to register a domain.

Dynamic DNS providers frequently offer you a subdomain of their own site, such as my-site.dnsprovider.com, in which you register your domain on their site. If you want to use a dynamic DNS provider for your own domain, then you have to point your registration record to the DNS servers of your dynamic DNS provider.

If you choose to create your very own domain, such as my-site.com, you have to register with a company specializing in static DNS registration and then point your registration record to the intended authoritative DNS for your domain. Popular domain registrars include VeriSign, Register Free, and Yahoo. (More details on domain registration are coming later in the chapter.)

Basic DNS Testing of DNS Resolution
As you know, DNS resolution maps a fully qualified domain name (FQDN), such as www.linuxhomenetworking.com, to an IP address. This is also known as a forward lookup. The reverse is also true: By performing a reverse lookup, DNS can determine the fully qualified domain name associated with an IP address.

Many different Web sites can map to a single IP address, but the reverse isn't true: an IP address can map to only one FQDN. This means that forward and reverse entries frequently don't match. The reverse DNS entries are usually the responsibility of the ISP hosting your site, so it is quite common for the reverse lookup to resolve to the ISP's domain. This isn't an important factor for most small sites, but some e-commerce applications require matching entries to operate correctly. You may have to ask your ISP to make a custom DNS change to correct this.

There are a number of commands you can use to do these lookups. Linux uses the host command, for example, but Windows uses nslookup.

The Host Command
The host command accepts arguments that are either the fully qualified domain name or the IP address of the server when providing results. To perform a forward lookup, use the syntax:

    [root@bigboy tmp]# host www.linuxhomenetworking.com
    www.linuxhomenetworking.com has address 65.115.71.34
    [root@bigboy tmp]#

To perform a reverse lookup:

    [root@bigboy tmp]# host 65.115.71.34
    34.71.115.65.in-addr.arpa domain name pointer 65-115-71-34.my-isp.net.
    [root@bigboy tmp]#

As you can see, the forward and reverse entries don't match. The reverse entry matches the entry of the ISP.

The nslookup Command
The nslookup command provides the same results on Windows PCs. To perform a forward lookup, use:

    C:\> nslookup www.linuxhomenetworking.com
    Server:  192-168-1-200.my-site.com
    Address:  192.168.1.200

    Non-authoritative answer:
    Name:    www.linuxhomenetworking.com
    Address:  65.115.71.34

    C:\>

To perform a reverse lookup:

    C:\> nslookup 65.115.71.34
    Server:  192-168-1-200.my-site.com
    Address:  192.168.1.200

    Name:    65-115-71-34.my-isp.net
    Address:  65.115.71.34

    C:\>

Downloading and Installing the BIND Packages
Most RedHat and Fedora Linux software products are available in a package format. When searching for the file, remember that the BIND package's filename usually starts with the word "bind" followed by a version number, as in bind-9.P3-9.i386.rpm. (For more details on downloading RPMs, see Chapter 6, "Installing Linux Software".)

Note: Unless otherwise stated, the sample configurations covered in this chapter will be for Redhat / Fedora distributions. Don't worry, there will be annotations to make you aware of the differences.

How To Get BIND Started
Setting up your DNS server is easy to do, but the procedure differs between Linux distributions.

Redhat / Fedora
You can use the chkconfig command to get BIND configured to start at boot:

    [root@bigboy tmp]# chkconfig named on

To start, stop, and restart BIND after booting, use:

    [root@bigboy tmp]# /etc/init.d/named start
    [root@bigboy tmp]# /etc/init.d/named stop
    [root@bigboy tmp]# /etc/init.d/named restart

Remember to restart the BIND process every time you make a change to the configuration file for the changes to take effect on the running process.

Debian / Ubuntu
You can use the sysv-rc-conf command to get BIND configured to start at boot:

    [root@bigboy tmp]# sysv-rc-conf bind on

To start, stop, and restart BIND after booting, use:

    [root@bigboy tmp]# /etc/init.d/bind start
    [root@bigboy tmp]# /etc/init.d/bind stop
    [root@bigboy tmp]# /etc/init.d/bind restart

Even though the startup script and installation package name refer to bind, the name of the daemon that runs is named, just like it is with Redhat / Fedora.

Also remember to restart the BIND process every time you make a change to the configuration file for the changes to take effect on the running process.

The /etc/resolv.conf File
DNS clients (servers not running BIND) use the /etc/resolv.conf file to determine both the location of their DNS server and the domains to which they belong. The file generally has two columns: the first contains a keyword, and the second contains the desired values separated by commas. See Table 18.1 for a list of keywords.

Table 18.1 Keywords In /etc/resolv.conf
nameserver - IP address of your DNS nameserver. There should be only one entry per "nameserver" keyword. If there is more than one nameserver, you'll need to have multiple "nameserver" lines.
domain - The local domain name to be used by default. If the server is bigboy.my-web-site.org, then the entry would just be my-web-site.org.

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch18_:_Configuring_DNS#Downloading_and_Installing_the_BIND_Packages[12/05/2009 23:51:58]

search - If you refer to another server just by its name without the domain added on, DNS on your client will append the server name to each domain in this list and do a DNS lookup on each to get the remote server's IP address. This is a handy time saving feature to have so that you can refer to servers in the same domain by only their servername without having to specify the domain. The domains in this list must be separated by spaces.

Take a look at a sample configuration in which the client server's main domain is my-site.com, but it also is a member of domains my-site.net and my-site.org, which should be searched for shorthand references to other servers. Two name servers, 192.168.1.100 and 192.168.1.102, provide DNS name resolution:

    search my-site.com my-site.net my-site.org
    nameserver 192.168.1.100
    nameserver 192.168.1.102

The first domain listed after the search directive must be the home domain of your network, in this case my-site.com. Placing both a domain and a search entry in /etc/resolv.conf is therefore redundant.

Important File Locations
The locations of the BIND configuration files vary by Linux distribution, as you will soon see.

RedHat / Fedora
RedHat / Fedora BIND normally runs as the named process owned by the unprivileged named user.

Sometimes BIND is also installed using Linux's chroot feature to not only run named as user named, but also to limit the files named can see. When installed, named is fooled into thinking that the directory /var/named/chroot is actually the root or / directory. Therefore, named files normally found in the /etc directory are found in the /var/named/chroot/etc directory instead, and those you'd expect to find in /var/named are actually located in /var/named/chroot/var/named.

The advantage of the chroot feature is that if a hacker enters your system via a BIND exploit, the hacker's access to the rest of your system is isolated to the files under the chroot directory and nothing else. This type of security is also known as a chroot jail.

You can determine whether you have the chroot add-on RPM by using this command, which returns the name of the RPM:

    [root@bigboy tmp]# rpm -q bind-chroot
    bind-chroot-9.2.3-13
    [root@bigboy tmp]#

There can be confusion with the locations: Regular BIND installs its files in the normal locations, and the chroot BIND add-on RPM installs its own versions in their chroot locations. Unfortunately, the chroot versions of some of the files are empty. Before starting Fedora BIND, copy the configuration files to their chroot locations:

    [root@bigboy tmp]# cp -f /etc/named.conf /var/named/chroot/etc/
    [root@bigboy tmp]# cp -f /etc/rndc.* /var/named/chroot/etc/

Before you go to the next step of configuring a regular name server, it is important to understand exactly where the files are located. Table 18.2 provides a map.

Table 18.2 Differences In Fedora And Redhat DNS File Locations
File: named.conf
Purpose: Tells the names of the zone files to be used for each of your website domains.
BIND chroot Location: /var/named/chroot/etc
Regular BIND Location: /etc

File: rndc.key, rndc.conf
Purpose: Files used in named authentication.
BIND chroot Location: /var/named/chroot/etc
Regular BIND Location: /etc

File: zone files
Purpose: Links all the IP addresses in your domain to their corresponding server.
BIND chroot Location: /var/named/chroot/var/named
Regular BIND Location: /var/named

Note: Fedora Core installs BIND chroot by default. RedHat 9 and earlier don't.

Debian / Ubuntu
With Debian / Ubuntu, all the configuration files, the primary named.conf file and all the DNS zone files, reside in the /etc/bind directory. Unlike in Redhat / Fedora, references to other files within these configuration files should include the full path. The named daemon won't automatically assume they are located in the /etc/bind directory.
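The /etc/resolv.conf rules above (one address per nameserver line, search domains separated by spaces, the first search domain being the home domain, domain plus search being redundant) can be checked mechanically. The following parser and checker are an added example written for this page, not code from the chapter or from the BIND project; the sample file it parses is constructed to match the my-site.com scenario above, and the only assumption is glibc's convention that lines starting with # or ; are comments.

```python
"""Parse and sanity-check /etc/resolv.conf (added example, not from the chapter)."""
import ipaddress

# Constructed sample matching the chapter's my-site.com scenario.
SAMPLE_RESOLV_CONF = """\
# resolver configuration for hosts in my-site.com (constructed sample)
search my-site.com my-site.net my-site.org
nameserver 192.168.1.100
nameserver 192.168.1.102
"""


def parse_resolv_conf(text):
    """Return {'nameserver': [...], 'domain': str|None, 'search': [...], 'errors': [...]}."""
    conf = {"nameserver": [], "domain": None, "search": [], "errors": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # glibc treats these lines as comments
            continue
        keyword, *values = line.split()
        if keyword == "nameserver":
            if len(values) != 1:                 # "only one entry per nameserver keyword"
                conf["errors"].append(f"line {lineno}: one address per nameserver line")
                continue
            conf["nameserver"].append(values[0])
        elif keyword == "domain":
            conf["domain"] = values[0] if values else None
        elif keyword == "search":
            conf["search"] = values              # space separated list
        elif keyword not in ("options", "sortlist"):
            conf["errors"].append(f"line {lineno}: unknown keyword {keyword}")
    return conf


def check_resolv_conf(conf, home_domain=None):
    """Apply the chapter's rules; returns a list of problems (empty when the file is fine)."""
    problems = list(conf["errors"])
    if not conf["nameserver"]:
        problems.append("no nameserver line: the client cannot resolve anything")
    for ns in conf["nameserver"]:
        try:
            ipaddress.ip_address(ns)             # must be an address, a name cannot be resolved yet
        except ValueError:
            problems.append(f"nameserver must be an IP address, not a name: {ns}")
    if conf["domain"] and conf["search"]:
        problems.append("domain and search are both set; search alone is enough")
    if home_domain and conf["search"] and conf["search"][0] != home_domain:
        problems.append(f"first search domain must be the home domain {home_domain}")
    return problems


if __name__ == "__main__":
    conf = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print(conf["nameserver"], conf["search"])
    print(check_resolv_conf(conf, home_domain="my-site.com"))
```

Run it against a real file with parse_resolv_conf(open("/etc/resolv.conf").read()); the checker returns an empty list for the sample above and one message per rule broken otherwise.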

Configuring Your Nameserver
For the purposes of this tutorial, assume your ISP assigned you the subnet 97.158.253.24 with a subnet mask of 255.255.255.248 (/29).

Some versions of Linux install BIND as a default caching nameserver using a file named /etc/named.caching-nameserver.conf for its configuration. In such cases BIND becomes an authoritative nameserver when a correctly configured /etc/named.conf file is created. Please proceed to the next section if this is the case with your version of BIND.

Some versions of BIND will come with a /etc/named.conf file configured to work as a caching nameserver which can be converted to an authoritative nameserver by adding the correct references to your zone files. In other cases the named.conf configuration file may be hard to find. Don't worry, BIND comes with samples of all the primary files you need. Table 18.3 explains their names and purpose in more detail.

Table 18.3 The Primary BIND Configuration Files
/etc/named.conf - The main configuration file that lists the location of all your domain's zone files.
/etc/named.rfc1912.zones - Base configuration file for a caching name server.
/var/named/named.ca - A list of the 13 root authoritative DNS servers.

Configuring resolv.conf
You'll have to make your DNS server refer to itself for all DNS queries by configuring the /etc/resolv.conf file to reference localhost only:

    nameserver 127.0.0.1

Configuring named.conf
The /etc/named.conf file contains the main DNS configuration and tells BIND where to find the configuration, or zone, files for each domain you own. This file usually has two zone areas:

Forward zone file definitions list files to map domains to IP addresses.
Reverse zone file definitions list files to map IP addresses to domains.

Our sample scenario assumes that DNS queries will be coming from the Internet and that the zone files will return information related to the external 97.158.253.26 NAT IP address of your Web server.

What do the PCs on your home network need to see? They need to see DNS references to the real IP address of the Web server, 192.168.1.100, because NAT won't work properly if a PC on your home network attempts to connect to the external 97.158.253.26 address of the Web server.

Don't worry, BIND figures this out using its views feature, which allows you to use predefined zone files for queries from certain subnets. This means it's possible to use one set of zone files for queries from the Internet and another set for queries from your home network. Here's a summary of how it's done:

1. Creating a named.conf Base Configuration
The first task is to make sure your DNS server will be listening for requests on all the required network interfaces. The options section of named.conf may be configured to listen exclusively on its internal hidden localhost interface with an IP address of 127.0.0.1, as we see in this example:

    # File: /etc/named.conf
    options {
        listen-on port 53 { 127.0.0.1; };

If other devices are going to rely on your server for queries, then you'll need to either change this or add a selected number of IP addresses on your server. In this example, we allow queries on localhost and address 192.168.1.1:

    listen-on port 53 { 127.0.0.1; 192.168.1.1; };

In this example, we allow queries on any interface:

    listen-on port 53 { any; };

Note: Always make sure localhost, 127.0.0.1, is included. If your DNS server is also acting as a caching DNS server, then you'll also need a view for localhost to use. We'll use a view called localhost_resolver for this. This will be discussed next.

2. Configuring BIND Views in named.conf
Though it is not required, it is a good practice to configure your DNS server's named.conf file to support BIND views. Place your zone statements in the /etc/named.conf file in one of two other view sections. The first section is called internal and lists the zone files to be used by your internal network. The second view, called external, lists the zone files to be used for Internet users.

For example, you could have a reference to a zone file called my-site.zone for lookups related to the 97.158.253.X network which Internet users would see. You could also have a file called my-site-home.zone for lookups by home users on the 192.168.1.0 network.

Creating the my-site-home.zone file is fairly easy: Copy it from the my-site.zone file and replace all references to 97.158.253.X with references to 192.168.1.X.

3. You must also tell the DNS server which addresses you feel are internal and external. To do this, you must first define the internal and external networks with access control lists (ACLs) and then refer to these lists within their respective view section with the match-clients statement. This order is important to remember or else the configuration will fail. Some built-in ACLs can save you time:

localhost: Refers to the DNS server itself
localnets: Refers to all the networks to which the DNS server is directly connected
any: which is self explanatory.

Your patience will soon be rewarded. First let's talk about how we should refer to the zone files in each view.

Forward Zone File References in named.conf
Let's describe how we point to forward zone files in a typical named.conf file. In this example the zone file is named my-site.zone, and, although not explicitly stated, the file my-site.zone should be located in the default directory of /var/named/chroot/var/named in a chroot configuration or in /var/named in a regular one. With Debian / Ubuntu, references to the full file path will have to be used. Use the code:

    zone "my-web-site.org" {
        type master;
        notify no;
        allow-query { any; };
        file "my-site.zone";
    };

This /etc/named.conf entry would be inserted in the external section. In addition, you can insert more entries in the named.conf file to reference other Web domains you host. Here is an example for another-site.com using a zone file named another-site.zone:

    zone "another-site.com" {
        type master;
        notify no;
        allow-query { any; };
        file "another-site.zone";
    };

Note: The allow-query directive defines the networks that are allowed to query your DNS server for information on any zone. For example, to limit queries to only your 192.168.1.0/24 network, you could modify the directive to:

    allow-query { 192.168.1.0/24; };

Reverse Zone File References in named.conf
Here's how to format entries that refer to zone files used for reverse lookups for your IP addresses.

In most cases, your ISP handles the reverse zone entries for your public IP addresses, but you will have to create reverse zone entries for your SOHO/home environment using the 192.168.1.X addresses. This isn't important for the Windows clients on your network, but some Linux applications require valid forward and reverse entries to operate correctly.

The forward domain lookup process for mysite.com scans the FQDN from right to left to get increasingly more specific information about the authoritative servers to use. Reverse lookups operate similarly by scanning an IP address from left to right to get increasingly specific information about an address.

The similarity in both methods is that increasingly specific information is sought, but the noticeable difference is that for forward lookups the scan is from right to left, and for reverse lookups the scan is from left to right. This difference can be seen in the formatting of the zone statement for a reverse zone in the /etc/named.conf file, where the main in-addr.arpa domain, to which all IP addresses belong, is followed by the first 3 octets of the IP address in reverse order. This reverse zone definition for named.conf uses a reverse zone file named 192-168-1.zone for the 192.168.1.0/24 network:

    zone "1.168.192.in-addr.arpa" {
        type master;
        notify no;
        allow-query { any; };
        file "192-168-1.zone";
    };

This entry would be inserted in the internal section.

It's time to talk about the views! Let's go!

Let's examine BIND views more carefully using a number of sample configuration snippets from the /etc/named.conf file I use for my home network. All the statements below were inserted after the options and controls sections in the file.

I have selected generic names internal, for views given to trusted hosts (home, non-internet or corporate users), and external for the views given to Internet clients, but they can be named whatever you wish.
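Two points from the lookup discussion are easy to get wrong by hand: building the in-addr.arpa name (octets in reverse order, scanned left to right, as opposed to the right-to-left scan of an FQDN), and noticing when a forward A record and the matching PTR record disagree, as in the host and nslookup output earlier in the chapter. The following code is an added example for this page, not code from the chapter; the A and PTR records it checks are constructed to mirror the chapter's sample output (65.115.71.34 with an ISP-owned reverse entry, and www.my-site.com on 192.168.1.100 with a reverse entry from the home 192-168-1.zone), and it also covers /8 and /16 reverse zones beyond the /24 case shown in the text.

```python
"""Forward vs. reverse lookup names and a PTR consistency check (added example, not from the chapter)."""
import ipaddress


def forward_scan(fqdn):
    """Labels in the order a forward lookup walks them: right to left (TLD first, host last)."""
    return list(reversed(fqdn.rstrip(".").split(".")))


def ptr_name(ip):
    """Reverse-lookup name: the address octets reversed under in-addr.arpa (ip6.arpa for IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_zone_name(network):
    """Name of the in-addr.arpa zone that holds the PTR records for an octet-aligned IPv4 network.
    A /29 such as the chapter's 97.158.253.24/29 has no zone of its own, which is why the
    ISP normally keeps the reverse entries for public addresses."""
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 IPv4 networks map to a single in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


# Constructed records standing in for the host/nslookup results shown in the chapter.
A_RECORDS = {
    "www.linuxhomenetworking.com.": "65.115.71.34",
    "www.my-site.com.": "192.168.1.100",
}
PTR_RECORDS = {
    "34.71.115.65.in-addr.arpa": "65-115-71-34.my-isp.net.",   # reverse entry owned by the ISP
    "100.1.168.192.in-addr.arpa": "www.my-site.com.",          # from our own 192-168-1.zone
}


def check_forward_reverse(a_records, ptr_records):
    """Return (name, ip, ptr) for every A record whose PTR does not point back at the same name.
    ptr is None when no reverse entry exists at all."""
    mismatches = []
    for name, ip in a_records.items():
        ptr = ptr_records.get(ptr_name(ip))
        if ptr is None or ptr.lower() != name.lower():
            mismatches.append((name, ip, ptr))
    return mismatches


if __name__ == "__main__":
    print(forward_scan("www.linuxhomenetworking.com"))
    print(ptr_name("65.115.71.34"))
    print(reverse_zone_name("192.168.1.0/24"))
    for name, ip, ptr in check_forward_reverse(A_RECORDS, PTR_RECORDS):
        print(f"forward/reverse mismatch: {name} -> {ip} -> {ptr}")
```

Against the constructed records the check reports exactly one mismatch, the linuxhomenetworking.com entry whose PTR resolves to the ISP's domain, which is the situation the chapter describes as common for small sites.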

The Caching Nameserver localhost_resolver View
The localhost_resolver view is used for your caching DNS server configuration and should look like this:

    view "localhost_resolver"
    {
        /* This view sets up named to be a localhost resolver
         * ( caching only nameserver ). If all you want is a
         * caching-only nameserver, then you need only define this view:
         */
        match-clients      { localhost; };
        match-destinations { localhost; };

        // As your caching name server clients will be using this server
        // for DNS lookups to get to sites all over the Web you'll need to
        // turn on recursion
        recursion yes;

        // Recursive lookups to DNS domains
        // you don't own (non-authoritative) starts here.
        // All views used by caching nameserver clients must
        // contain the root hints zone.
        zone "." IN {
            type hint;
            file "named.ca";
        };

        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
         * ONLY be served to localhost clients:
         */
        include "/etc/named.rfc1912.zones";

        /*
         * Include zonefiles for internal zones
         */
        include "/var/named/zones/internal/internal_zones.conf";
    };

There are some quick facts you should be aware of with your caching name server configuration:

1. Remember that all DNS queries done on your DNS server appear to come from localhost. If your server is also an authoritative server for your domain, you will have to include a reference to your domain's zone files in this section for the server's own DNS lookups to work. If not, queries from clients defined by the internal and external ACLs will work correctly, but queries for the domain from the server itself will fail. In this example we have included a reference to the internal_zones.conf zone file which we'll visit again soon. This line can be deleted if your server isn't an authoritative server for your domain.

2. If you want your server to be only a caching DNS server, then delete all other views in named.conf and restart the named daemon.

    [root@bigboy tmp]# /etc/init.d/named restart

3. Make all the other machines on your network point to the caching DNS server as their primary DNS server.

Note: If you have a localhost only view like this, make sure you don't reference localhost in any of your other views, as one view will take precedence over the other for queries from your server. This could lead to unpredictable results.

The Internal View
In this example I included an ACL for network 192.168.17.0/24 called safe-subnet to help clarify the use of ACLs in more complex environments. Once the ACL was defined, I then inserted a reference to the safe-subnet in the match-clients statement in the internal view. Therefore the local network (192.168.1.0/24), the other trusted network (192.168.17.0), and localhost get DNS data from the zone files in the internal view.

    // ACL statement
    acl "safe-subnet" { 192.168.17.0/24; };

    view "internal"
    { // What the home network will see
        match-clients      { localnets; localhost; safe-subnet; };
        match-destinations { localnets; localhost; safe-subnet; };

        // As your caching name server clients will be using this server
        // for DNS lookups to get to sites all over the Web you'll need to
        // turn on recursion
        recursion yes;

        // Recursive lookups to DNS domains
        // you don't own (non-authoritative) starts here.
        // All views used by caching nameserver clients must
        // contain the root hints zone.
        zone "." IN {
            type hint;
            file "named.ca";
        };

        // These are your "authoritative" internal zones, and would probably
        // also be included in the "localhost_resolver" view above :
        /*
         * Include zonefiles for internal zones
         */
        include "/var/named/zones/internal/internal_zones.conf";
    };

The question you may have on your mind is, "Where are the zone file definitions?". Don't worry, there is an include statement that refers to a file named internal_zones.conf that contains them all, as we see here:

    // File internal_zones.conf
    zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "/var/named/zones/internal/192.168.1.zone";
        allow-update { none; };
    };

    zone "my-web-site.org" IN {
        type master;
        file "/var/named/zones/internal/my-web-site.org.zone";
        allow-update { none; };
    };

The sample home network we have been using doesn't need to have the ACL statement at all, as the built in ACLs localnets and localhost are sufficient. The sample network won't need the safe-subnet section in the match-clients line either, as there is only one subnet in the configuration. I'll discuss how to handle queries from clients outside your trusted networks in the next section, where an external view can be used.

The External View
You can also set up an external view that will be used for DNS queries from clients outside your network. In this case external queries get results from zone files in the /var/named/zones/external directory. Notice that the reverse zone file gives results for public internet addresses.

    view "external"
    { // What the Internet will see
        /* This view will contain zones you want to serve only to "external"
         * clients that have addresses that are not on your directly attached
         * LAN interface subnets:
         */
        match-clients      { any; };
        match-destinations { any; };

        // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers
        recursion no;

        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:
        zone "253.158.97.in-addr.arpa" IN {
            type master;
            file "/var/named/zones/external/97.158.253.zone";
            allow-update { none; };
        };

        zone "my-web-site.org" IN {
            type master;
            file "/var/named/zones/external/my-web-site.org.zone";
            allow-update { none; };
        };
    };

Note: In the external view, you may be tempted to use an exclamation mark (!) to eliminate networks used in the internal view, like this:

    !!! CAUTION !!!
    match-clients      { !localnets; !localhost; !safe-subnet; };
    match-destinations { !localnets; !localhost; !safe-subnet; };

Be careful, it is best to use "any" for your external view, as the exclamation mark (!) is not honored with some versions of BIND in views named "external".

Views can be very useful. Views are also not just for NAT. If you run an Internet data center, you can set up your DNS server to act as a caching server to servers on all the Internet networks you own and no one else, and then provide authoritative responses to your customers' domains to everyone. The views listed here are purely to illustrate their use.

Configuring The Zone Files
You need to keep a number of things in mind when configuring DNS zone files:

In all zone files, you can place a comment at the end of any line by inserting a semi-colon character then typing in the text of your comment.
By default, your zone files are located in the /var/named or /var/named/chroot/var/named or /etc/bind directories depending on your Linux distribution.
Each zone file contains a variety of records (SOA, NS, MX, A, and CNAME) that govern different areas of BIND.

Take a closer look at these entries in the zone file.

Time to Live Value
The very first entry in the zone file is usually the zone's time to live (TTL) value. Caching DNS servers cache the responses to their queries from authoritative DNS servers. The authoritative servers not only provide the DNS answer but also provide the information's time to live, which is the period for which it's valid.

The purpose of a TTL is to reduce the number of DNS queries the authoritative DNS server has to answer. If the TTL is set to three days, then caching servers use the original stored response for three days before making the query again.

    $TTL 3D
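The view selection rule that the localhost_resolver note and the external view caution both depend on is simple to state: BIND tries the views in the order they appear in named.conf, and the first view whose match-clients list matches the client answers the query; inside a list, the first element whose address matches decides, and a matching "!" element means "does not match". A consequence of that rule, independent of the version-specific problem the text mentions, is that a list made only of negated elements matches nobody, so the CAUTION block above would leave the external view answering no one. The following model is an added example for this page, not BIND's own code; its ACLs are constructed (localnets is modelled as the home subnet 192.168.1.0/24, where the real BIND derives it from the server's interfaces) and client addresses are documentation addresses.

```python
"""Which BIND view answers a given client? A model of match-clients (added example, not from the chapter)."""
import ipaddress

# Constructed ACLs. 'localnets' is modelled as the home subnet; BIND derives it
# from the server's interfaces. 'safe-subnet' is the chapter's extra trusted network.
ACLS = {
    "localhost":   ["127.0.0.0/8", "::1/128"],
    "localnets":   ["192.168.1.0/24"],
    "safe-subnet": ["192.168.17.0/24"],
    "any":         ["0.0.0.0/0", "::/0"],
    "none":        [],
}

# The chapter's three views, in the order they appear in named.conf.
VIEWS = [
    ("localhost_resolver", ["localhost"]),
    ("internal",           ["localnets", "localhost", "safe-subnet"]),
    ("external",           ["any"]),
]

# The CAUTION block from the text, and the form that ends with a positive match.
NEGATED_ONLY     = ["!localnets", "!localhost", "!safe-subnet"]
NEGATED_THEN_ANY = ["!localnets", "!localhost", "!safe-subnet", "any"]


def list_matches(elements, ip, acls=ACLS):
    """BIND address match list rule: scan in order; the first element whose address part
    matches decides the result; a '!' element that matches means 'does not match';
    when no element matches at all, the list does not match."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    for element in elements:
        negate = element.startswith("!")
        key = element.lstrip("!")
        if key in acls:                                   # named ACL: evaluate it as a nested list
            hit = list_matches(acls[key], ip, acls)
        else:                                             # literal address or prefix
            net = ipaddress.ip_network(key, strict=False)
            hit = ip.version == net.version and ip in net
        if hit:
            return not negate
    return False


def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Views are tried in named.conf order; the first whose match-clients matches answers.
    Returns None when no view matches, which is a refused query."""
    ip = ipaddress.ip_address(client_ip)
    for name, match_clients in views:
        if list_matches(match_clients, ip, acls):
            return name
    return None


if __name__ == "__main__":
    for client in ("127.0.0.1", "192.168.1.50", "192.168.17.9", "203.0.113.7"):
        print(client, "->", select_view(client))
    print("negated-only list matches an outside client:", list_matches(NEGATED_ONLY, "203.0.113.7"))
    print("negated list ending in any matches it:", list_matches(NEGATED_THEN_ANY, "203.0.113.7"))
```

The model reproduces the text's note about localhost: because localhost_resolver comes first and lists localhost, a query from 127.0.0.1 never reaches the internal view even though that view also names localhost, so whichever zones the server itself needs must be included in the first view.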

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch18_:_Configuring_DNS#Downloading_and_Installing_the_BIND_Packages [12/05/2009 23:51:58]

DNS Resource Records

The rest of the records in a zone file are usually BIND resource records. They define the nature of the DNS information in your zone files that's presented to querying DNS clients. They all have the general format:

    Name Class Type Data

There are different types of records for mail (MX), forward lookups (A), reverse lookups (PTR), aliases (CNAME) and overall zone definitions, Start of Authority (SOA). The data portion is formatted according to the record type and may consist of several values separated by spaces. Similarly, the name is also subject to interpretation based on the record type.

BIND recognizes several suffixes for time-related values. A D signifies days, a W signifies weeks, and an H signifies hours. In the absence of a suffix, BIND assumes the value is in seconds.

The SOA Record

The first resource record is the Start of Authority (SOA) record, which contains general administrative and control information about the domain. It has the format:

    Name Class Type Name-Server Email-Address Serial-No Refresh Retry Expiry Minimum-TTL

The record can be long, and will sometimes wrap around on your screen. For the sake of formatting, you can insert new line characters between the fields as long as you insert parentheses at the beginning and end of the insertion to alert BIND that part of the record will straddle multiple lines. You can also add comments to the end of each new line separated by a semicolon when you do this. Here is an example:

    @       IN      SOA     ns1.my-site.com. hostmaster.my-site.com. (
                            2004100801      ; serial #
                            4H              ; refresh
                            1H              ; retry
                            1W              ; expiry
                            1D )            ; minimum

Table 18.4 explains what each field in the record means. In the example, the primary name server is defined as ns1.my-site.com with a contact e-mail address of hostmaster@my-site.com. The serial number is 2004100801 with refresh, retry, expiry, and minimum values of 4 hours, 1 hour, 1 week, and 1 day, respectively.

Table 18.4 The SOA Record Format

Field: Description
Name: The root name of the zone. The "@" sign is a shorthand reference to the current origin (zone) in the /etc/named.conf file for that particular database file.
Class: There are a number of different DNS classes. Home/SOHO will be limited to the IN or Internet class used when defining IP address mapping information for BIND. Other classes exist for non Internet protocols and functions but are very rarely used.
Type: The type of DNS resource record. In the example, this is an SOA resource record. Other types of records exist, which I'll cover later.
Nameserver: Fully qualified name of your primary name server. Must be followed by a period.
Emailaddress: The e-mail address of the name server administrator. The regular @ in the e-mail address must be replaced with a period instead. The e-mail address must also be followed by a period.
Serial-no: A serial number for the current configuration. You can use the date format YYYYMMDD with an incremented single digit number tagged to the end. This will allow you to do multiple edits each day with a serial number that both increments and reflects the date on which the change was made.
Refresh: Tells the slave DNS server how often it should check the master DNS server. Slaves aren't usually used in home/SOHO environments.
Retry: The slave's retry interval to connect the master in the event of a connection failure. Slaves aren't usually used in home/SOHO environments.
Expiry: Total amount of time a slave should retry to contact the master before expiring the data it contains. Future references will be directed towards the root servers. Slaves aren't usually used in home/SOHO environments.
Minimum: There are times when remote clients will make queries for subdomains that don't exist. Your DNS server will respond with a no domain or NXDOMAIN response that the remote client caches. This value defines the caching duration your DNS includes in this response.

NS, MX, A And CNAME Records

Like the SOA record, the NS, MX, A, PTR and CNAME records each occupy a single line with a very similar general format. Table 18.5 outlines the way they are laid out.

Table 18.5 NS, MX, A, PTR and CNAME Record Formats

Record Type | Name Field                                                                              | Class Field | Type Field | Data Field
NS          | Usually blank (1)                                                                       | IN          | NS         | IP address or CNAME of the name server
MX          | Domain to be used for mail. Usually the same as the domain of the zone file itself. (1) | IN          | MX         | Mail server DNS name
A           | Name of a server in the domain                                                          | IN          | A          | IP address of server
CNAME       | Server name alias                                                                       | IN          | CNAME      | "A" record name for the server
PTR         | Last octet of server's IP address                                                       | IN          | PTR        | Fully qualified server name

(1) If the search key to a DNS resource record is blank it reuses the search key from the previous record, which in this case is the SOA @ sign.

For most home / SOHO scenarios, the Class field will always be IN or Internet. You should also be aware that IN is the default Class, and BIND will assume a record is of this type unless otherwise stated.

TXT Records

There is also a less frequently used DNS TXT record that can be configured to contain additional generic information. The data section of the record typically has the format "name=value", where "name" is the name to be given to the type of data, and "value" is the value assigned to the name, as seen in this example:

    my-site.com.    TXT     "v=spf1 -all"

TXT records are increasingly being used to help fight SPAM using the Sender Policy Framework (SPF) method. SPF TXT records are used by systems receiving mail to interrogate the DNS of the domain which appears in the email (the sender) and determine if the originating IP address of the mail (the source) is authorized to send mail for the sender's domain.

Further description of the use of TXT records is beyond the scope of this book, but you should at least be aware that they can be up to 255 characters in length and that this feature is often exploited in distributed denial of service (DDoS) attacks. The section on "Simple DNS Security" explains how to configure your DNS server to not participate in such an event.

Sample Forward Zone File

Now that you know the key elements of a zone file, it's time to examine a working example for the domain my-site.com.

    ;
    ; Zone file for my-site.com
    ;
    ; The full zone file
    ;
    $TTL 3D
    @       IN      SOA     ns1.my-site.com. hostmaster.my-site.com. (
                            200211152       ; serial#
                            3600            ; refresh, seconds
                            3600            ; retry, seconds
                            3600            ; expire, seconds
                            3600 )          ; minimum, seconds
    ;
                    NS      www             ; Inet Address of nameserver
    my-site.com.    MX      10 mail         ; Primary Mail Exchanger
    ;
    localhost       A       127.0.0.1
    bigboy          A       97.158.253.26
    mail            A       97.158.253.27
    ns1             CNAME   www
    www             CNAME   bigboy

Notice that in this example:

- The minimum TTL value ($TTL) is three days, therefore remote DNS caching servers will store learned DNS information from your zone for three days before flushing it out of their caches.
- Server ns1.my-site.com is the name server for my-site.com. In corporate environments there may be a separate name server for this purpose. Primary name servers are more commonly called ns1 and secondary name servers ns2.
- ns1 is actually a CNAME or alias for the Web server www, and this server has the IP address 97.158.253.26. So here you have an example of the name server, mail server, and Web server being the same machine. If they were all different machines, then you'd have an A record entry for each.
- The MX record for my-site.com points to the server named mail.my-site.com.

If you don't put a period at the end of a host name in a SOA, NS, MX, or CNAME record, BIND will automatically tack on the zone file's domain name to the name of the host. So, BIND assumes an A record with www refers to www.my-site.com. This may be acceptable in most cases, but if you forget to put the period after the domain in the MX record for my-site.com, BIND attaches the my-site.com at the end, and you will find your mail server accepting mail only for the domain my-site.com.my-site.com.

It is a required practice to increment your serial number whenever you edit your zone file. When DNS is set up in a redundant configuration, the slave DNS servers periodically poll the master server for updated zone file information, and use the serial number to determine whether the data on the master has been updated. Failing to increment the serial number, even though the contents of the zone file have been modified, could cause your slaves to have outdated information.

Note: The DNS specification (RFC 2181) does not allow for an MX record to be a CNAME. It may work in most cases, but some mail servers may refuse to send to you because of this.
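As an added example that is not part of the original chapter, the following Python script checks a zone file for the three mistakes described above: a forgotten trailing period (which makes BIND append the origin and produces names like my-site.com.my-site.com), an MX record whose target is a CNAME, and a serial number that was not incremented after an edit. It also converts the H/D/W time suffixes to seconds and builds the next YYYYMMDDnn serial. The zone text is a constructed variant of the my-site.com example with two mistakes added; the parser only handles the record syntax used in this chapter (";" comments, a parenthesised SOA, blank owners reusing the previous owner), not the full zone-file grammar.

```python
import re
from datetime import date
from typing import Optional

# Multipliers for the BIND time suffixes described above (H, D, W; BIND also
# accepts S and M). A value with no suffix is in seconds.
_SUFFIX_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TTL_RE = re.compile(r"\d+[smhdw]?", re.IGNORECASE)


def parse_ttl(value: str) -> int:
    """Convert a BIND time value such as '3D', '4H', '1W' or '3600' to seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _SUFFIX_SECONDS.get(m.group(2).lower(), 1)


def qualify(name: str, origin: str) -> str:
    """BIND's origin rule: '@' is the origin, a name ending in a period is used
    as-is, and anything else gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def next_serial(current: int, today: date) -> int:
    """Next YYYYMMDDnn serial: nn restarts at 01 on a new day, otherwise it
    increments, and the result never goes backwards past the current value."""
    candidate = int(today.strftime("%Y%m%d")) * 100 + 1
    return max(candidate, current + 1)


def parse_zone(text: str, origin: str):
    """Minimal zone-file reader: strips ';' comments, joins records wrapped in
    parentheses, reuses the previous owner for lines starting with whitespace,
    skips $-directives. Returns (owner, type, data-tokens) with qualified owners."""
    joined, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            joined.append((buf[0][0].isspace(), " ".join(buf).split()))
            buf = []
    records, owner = [], origin
    for blank_owner, fields in joined:
        fields = [t for t in fields if t not in ("(", ")")]
        if fields[0].startswith("$"):
            continue
        if not blank_owner:
            owner = qualify(fields.pop(0), origin)
        if fields and _TTL_RE.fullmatch(fields[0]):
            fields.pop(0)                       # optional per-record TTL
        if fields and fields[0].upper() == "IN":
            fields.pop(0)                       # optional class
        records.append((owner, fields[0].upper(), fields[1:]))
    return records


def _doubled_origin(name: str, origin: str) -> bool:
    """True when a name ends in the origin twice (my-site.com.my-site.com.)."""
    base = origin.rstrip(".")
    return name.endswith(f"{base}.{base}.")


def lint_zone(text: str, origin: str, previous_serial: Optional[int] = None):
    """Report forgotten trailing periods, MX targets that are CNAMEs (RFC 2181),
    and a serial that was not incremented past the previously published one."""
    records = parse_zone(text, origin)
    cnames = {owner for owner, rtype, _ in records if rtype == "CNAME"}
    findings = []
    for owner, rtype, data in records:
        if _doubled_origin(owner, origin):
            findings.append(f"{rtype} owner {owner} looks like a forgotten trailing period")
        if rtype in ("NS", "MX", "CNAME", "PTR") and data:
            target = qualify(data[-1], origin)
            if _doubled_origin(target, origin):
                findings.append(f"{rtype} {owner} target {target} looks like a forgotten trailing period")
            if rtype == "MX" and target in cnames:
                findings.append(f"MX {owner} points at {target}, which is a CNAME (not allowed by RFC 2181)")
        if rtype == "SOA" and previous_serial is not None and int(data[2]) <= previous_serial:
            findings.append(f"SOA serial {data[2]} was not incremented past {previous_serial}; slaves will not refresh")
    return findings


def soa_timers(records) -> dict:
    """Serial and timers of the SOA record, timers converted to seconds."""
    for _, rtype, data in records:
        if rtype == "SOA":
            values = [int(data[2])] + [parse_ttl(v) for v in data[3:7]]
            return dict(zip(("serial", "refresh", "retry", "expire", "minimum"), values))
    raise ValueError("no SOA record")


# Constructed sample modelled on the my-site.com example above, with two
# deliberate mistakes added for the linter to catch.
SAMPLE_ZONE = """\
$TTL 3D
@       IN      SOA     ns1.my-site.com. hostmaster.my-site.com. (
                        2004100801      ; serial
                        4H              ; refresh
                        1H              ; retry
                        1W              ; expiry
                        1D )            ; minimum
                NS      www
                MX      10 mail         ; blank owner reuses "@"
my-site.com     MX      20 bigboy       ; mistake: owner lacks its trailing period
localhost       A       127.0.0.1
bigboy          A       97.158.253.26
mail            CNAME   bigboy          ; mistake: the MX target is now a CNAME
ns1             CNAME   www
www             CNAME   bigboy
"""

if __name__ == "__main__":
    for finding in lint_zone(SAMPLE_ZONE, "my-site.com.", previous_serial=2004100801):
        print(finding)
    print(soa_timers(parse_zone(SAMPLE_ZONE, "my-site.com.")))
```

Run against the sample with the previously published serial, the linter reports the unchanged serial, the MX that resolves to a CNAME, and the owner that BIND expanded to my-site.com.my-site.com.; a clean zone returns an empty list.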

Sample Reverse Zone File

Now you need to make sure that you can do a host query on all your home network's PCs and get their correct IP addresses. This is very important if you are running a mail server on your network, because sendmail typically relays mail only from hosts whose IP addresses resolve correctly in DNS. NFS, which is used in network-based file access, also requires valid reverse lookup capabilities.

This is an example of a zone file for the 192.168.1.x network. All the entries in the first column refer to the last octet of the IP address for the network, so the IP address 192.168.1.100 points to the name bigboy.my-site.com. Notice how the main difference between forward and reverse zone files is that the reverse zone file only has PTR and NS records. Also the PTR records cannot have CNAME aliases.

I included entries for addresses 192.168.1.32 to 192.168.1.36, which are the addresses the DHCP server issues. SMTP mail relay wouldn't work for PCs that get their IP addresses via DHCP if these lines weren't included.

    ;
    ; Filename: 192-168-1.zone
    ;
    ; Zone file for 192.168.1.x
    ;
    $TTL 3D
    @       IN      SOA     www.my-site.com. hostmaster.my-site.com. (
                            200303301       ; serial number
                            8H              ; refresh, seconds
                            2H              ; retry, seconds
                            4W              ; expire, seconds
                            1D )            ; minimum, seconds
    ;
                    NS      www.my-site.com.        ; Nameserver Address
    ;
    100             PTR     bigboy.my-site.com.
    103             PTR     smallfry.my-site.com.
    102             PTR     ochorios.my-site.com.
    105             PTR     reggae.my-site.com.
    32              PTR     dhcp-192-168-1-32.my-site.com.
    33              PTR     dhcp-192-168-1-33.my-site.com.
    34              PTR     dhcp-192-168-1-34.my-site.com.
    35              PTR     dhcp-192-168-1-35.my-site.com.
    36              PTR     dhcp-192-168-1-36.my-site.com.

You may also want to create a reverse zone file for the public NAT IP addresses for your home network. Unfortunately, ISPs won't usually delegate this ability for anyone with less than a Class C block of 256 IP addresses. Most home DSL sites wouldn't qualify.

Configure Your Firewall

The sample network assumes that the BIND name server and Apache Web server software run on the same machine protected by a router/firewall. The actual IP address of the server is 192.168.1.100, which is a private IP address. You'll have to use NAT for Internet users to be able to gain access to the server via the chosen public IP address, namely 97.158.253.26. If your firewall is a Linux box, you may want to consider taking a look at Chapter 14, "Linux Firewalls Using iptables", which describes how to do the network address translation and allow DNS traffic through to your name server.

Make Sure Your /etc/hosts File Is Correctly Updated

Chapter 3, "Linux Networking", explains how to correctly configure your /etc/hosts file. Some programs, such as sendmail, require a correctly configured /etc/hosts file even though DNS is correctly configured.

Loading Your New Configuration Files

Make sure your configuration files are in the correct locations and the serial numbers of the zone files you may have modified have been updated. If all seems correct, restart the BIND named daemon for the configuration to become active.

    [root@bigboy tmp]# /etc/init.d/named restart

Take a look at the end of your /var/log/messages file to make sure there are no errors.

Fix Your Domain Registration

Remember to edit your domain registration for my-site.com, or whatever it is, so that at least one of the name servers is your new name server (97.158.253.26 in this case). Domain registrars, such as VeriSign and RegisterFree, usually provide a Web interface to help you manage your domain. Once you've logged in with the registrar's username and password, you'll have to take two steps:

1) Create a new name server record entry for the IP address 97.158.253.26 and name it ns.my-site.com or www.my-site.com or whatever your name server is called. (This screen prompts you for both the server's IP address and name.)

2) Assign ns.my-site.com to handle your domain. This screen will prompt you for the server name only.

Sometimes the registrar requires at least two registered name servers per domain. If you only have one, then you could either create a second name server record entry with the same IP address but a different name, or you could give your Web server a second IP address using an IP alias, create a second NAT entry on your firewall and then create the second name server record entry with the new IP address and a different name.

It normally takes about three to four days for your updated DNS information to be propagated to all 13 of the world's root name servers. You'll therefore have to wait about this amount of time before starting to notice people hitting your new Web site. You'll most likely want to test your new DNS server. You can use the chapter's troubleshooting section to test specific DNS servers for the information they have on your site: your own server, which should be up to date, plus a few well known ones, which should have delayed values.

Troubleshooting BIND

BIND troubleshooting is usually easy to do. The named daemon updates the /var/log/messages file with detailed status messages that are frequently easy to interpret when you suspect a configuration error. The usual troubleshooting steps for network problems are also applicable. Both methodologies will be covered next.

    Nov 9 17:35:41 bigboy named[1157]: starting BIND 9.3 -u named -t /var/named/chroot
    Nov 9 17:35:41 bigboy named[1157]: using 1 CPU
    Nov 9 17:35:41 bigboy named[1157]: loading configuration from '/etc/named.conf'
    Nov 9 17:35:41 bigboy named[1157]: listening on IPv4 interface lo, 127.0.0.1#53
    Nov 9 17:35:41 bigboy named[1157]: listening on IPv4 interface eth0, 192.168.1.100#53
    Nov 9 17:35:41 bigboy named[1157]: command channel listening on 127.0.0.1#953
    Nov 9 17:35:41 bigboy named[1157]: command channel listening on ::1#953
    Nov 9 17:35:41 bigboy named[1157]: running

Configuration Troubleshooting Steps

Always check your /var/log/messages file and console output for errors. Here are a couple of examples you may come across.

The named daemon is started with an unedited version of the sample named.conf file, which causes unusual errors on the screen. This example includes both errors to the console screen and errors in the /var/log/messages file. The named.conf file refers to an undefined secret key in the ddns_key of named.conf. Use the dns-keygen or dnskeygen commands to create a correct entry.

    [root@bigboy tmp]# service named restart
    Stopping named: rndc: connect failed: connection refused        [  OK  ]
    Starting named:                                                 [  OK  ]
    [root@bigboy tmp]#

    Feb 25 20:38:49 bigboy named[4593]: /etc/named.conf:99: configuring key 'ddns_key': bad base64 encoding
    Feb 25 20:38:49 bigboy named[4593]: loading configuration: bad base64 encoding

The named.hints file referred to in named.conf isn't present. Copy the file to the correct location and restart named to fix the problem.

    [root@bigboy tmp]# service named start
    Starting named:
    Error in named configuration:
    /etc/named.conf:58: open: /etc/named.hints: file not found
                                                                    [FAILED]
    [root@bigboy tmp]#

The named.root file referred to in the named.conf isn't present. Copy the file to the correct location and restart named to fix the problem.

    Feb 25 21:33:41 bigboy named[5007]: could not configure root hints from 'named.root': file not found
    Feb 25 21:33:41 bigboy named[5007]: loading configuration: file not found
    Feb 25 21:33:41 bigboy named[5007]: exiting (due to fatal error)

In your named.conf file you refer to a zone file that doesn't exist. References to the nonexistent sample zone files create errors.

    [root@bigboy tmp]# service named start
    Starting named:
    Error in named configuration:
    zone my.external.zone/IN: loading master file external/my.external.zone.db: file not found
    zone my.external.zone/IN: file not found
    zone my.internal.zone/IN: loading master file internal/my.internal.zone.db: file not found
    zone my.internal.zone/IN: file not found
    zone my.ddns.internal.zone/IN: loading master file slaves/my.ddns.internal.zone.db: file not found
    zone my.ddns.internal.zone/IN: file not found
                                                                    [FAILED]
    [root@bigboy tmp]#

You are using a chroot version of BIND with a sample rndc.key file located in the /etc directory instead of the /var/named/chroot/etc/ directory. References to both the named.rfc1912.zones and named.root files in the localhost_resolver section cause errors related to duplicate definitions.

    [root@bigboy tmp]# service named restart
    Starting named:
    Error in named configuration:
    /etc/named.rfc1912.zones:10: zone '.': already exists
    previous definition: /etc/named.root.hints:12
    zone localdomain/IN: loaded serial 42
    zone localhost/IN: loaded serial 42
    zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
    zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 42
    zone 255.in-addr.arpa/IN: loaded serial 42
    zone 0.in-addr.arpa/IN: loaded serial 42
                                                                    [FAILED]
    [root@bigboy tmp]#

This is a tricky one that would occur in some early versions of Fedora. BIND would appear to start correctly, but none of the zone files would be loaded. In this scenario you could be using a chroot version of BIND with a sample named.conf file located in the /etc directory instead of the /var/named/chroot/etc/ directory. Delete the /etc copy and create a symbolic link to /var/named/chroot/etc/named.conf from /etc to ensure you always edit the correct file.

    [root@bigboy tmp]# service named start
    Starting named:
    Error in named configuration:
    zone localdomain/IN: loaded serial 42
    zone localhost/IN: loaded serial 42
    zone 0.0.127.in-addr.arpa/IN: loaded serial 42
    zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 42
    zone 255.in-addr.arpa/IN: loaded serial 42
    zone 0.in-addr.arpa/IN: loaded serial 42
    zone 2.16.172.in-addr.arpa/IN: loaded serial 2006052301
    zone my-web-site.org/IN: loaded serial 2006052302
    zone my-web-site.com/IN: loading master file /var/named/zones/internal/my-web-site.zone: file not found
    zone my-web-site.com/IN: file not found
                                                                    [FAILED]
    [root@bigboy tmp]#

    Feb 26 01:47:10 smallfry named: zone my-web-site.com/IN: loading master file /var/named/zones/internal/my-web-site.zone: file not found
    Feb 26 01:47:10 smallfry named: internal/my-web-site.zone: file not found

This isn't a comprehensive configuration error list, but it covers some common mistakes with a new configuration.

If there are no named errors to the screen or /var/log/messages, and your domain doesn't resolve correctly when queried using the host command when you are logged into your new nameserver, then the problem could be due to you forgetting to add a zone file entry for the domain in named.conf. Check your /etc/named.conf file. If that looks correct, try the following: double check for your updated serial numbers in the modified files and also inspect the individual records within the files for mistakes.

Network Troubleshooting Steps

Once configuration troubleshooting is completed, you can continue with the following troubleshooting steps:

1) Determine whether your DNS server is accessible on DNS UDP/TCP port 53. Lack of connectivity could be caused by a firewall with incorrect permit, NAT, or port forwarding rules to your DNS server. Failure could also be caused by the named process being stopped. It is best to test this from both inside your network and from the Internet. Troubleshooting with TELNET is covered in Chapter 4, "Simple Network Troubleshooting".

2) Linux status messages are logged to the file /var/log/messages. Use it to make sure all your zone files are loaded when you start BIND/named. (Linux logging is covered in Chapter 5, "Troubleshooting Linux with syslog".)

    Feb 21 09:13:13 bigboy named: named startup succeeded
    Feb 21 09:13:13 bigboy named[12026]: loading configuration from '/etc/named.conf'
    Feb 21 09:13:13 bigboy named[12026]: no IPv6 interfaces found
    Feb 21 09:13:13 bigboy named[12026]: listening on IPv4 interface lo, 127.0.0.1#53
    Feb 21 09:13:13 bigboy named[12026]: listening on IPv4 interface eth0, 192.168.1.100#53
    Feb 21 09:13:13 bigboy named[12026]: listening on IPv4 interface wlan0, 10.41.32.71#53
    Feb 21 09:13:14 bigboy named[12026]: command channel listening on 127.0.0.1#953
    Feb 21 09:13:14 bigboy named[12026]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
    Feb 21 09:13:14 bigboy named[12026]: zone 1.168.192.in-addr.arpa/IN: loaded serial 51
    Feb 21 09:13:14 bigboy named[12026]: zone simiya.com/IN: loaded serial 2004021401
    Feb 21 09:13:14 bigboy named[12026]: zone localhost/IN: loaded serial 42
    Feb 21 09:13:14 bigboy named[12026]: running

3) Use the host (nslookup in Windows) command for both forward and reverse lookups to make sure the zone files were configured correctly. Here is an example of querying DNS server ns1.my-site.com for the IP address of www.linuxhomenetworking.com. (You can also replace the name server's name with its IP address.)

    [root@bigboy tmp]# host www.linuxhomenetworking.com ns1.my-site.com
    Using domain server:
    Name: ns1.my-site.com
    Address: 192.168.1.100#53
    Aliases:

    www.linuxhomenetworking.com has address 65.115.71.34
    [root@bigboy tmp]#

Here is an example of querying your default DNS server for the IP address of www.linuxhomenetworking.com. As you can see, the name of the specific DNS server to query has been left off the end.

    [root@bigboy tmp]# host www.linuxhomenetworking.com
    www.linuxhomenetworking.com has address 65.115.71.34
    [root@bigboy tmp]#

If this fails, there could be a typographical error in your zone file, or you could have forgotten to update your zone file serial numbers. Failure in this case could be due not only to an error in your BIND configuration or domain registration but also to an error in your DNS client's DNS server entry in your Linux /etc/resolv.conf file or the Windows TCP/IP properties for your NIC. Ensure there isn't a firewall that could be blocking DNS traffic on TCP and/or UDP port 53 between your server and the DNS server.
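Step 2 above says to use /var/log/messages to confirm that every zone loaded. The following Python script, added here and not part of the original chapter, parses named status lines in the format shown above and reports the zones that loaded (with their serial), zones whose master file was missing, expected zones that never appeared, zones whose loaded serial is behind the serial in the file on disk (edited but not reloaded, or the serial was not bumped), and whether named reached the "running" state. The log lines, zone names and serial numbers are constructed sample data modelled on the chapter's examples.

```python
import re
from typing import Dict, Iterable, List, Optional

# Patterns for the named status lines seen in the chapter: a zone that loaded,
# a zone whose master file could not be read, and the final "running" line.
_LOADED = re.compile(r"named(?:\[\d+\])?: zone (\S+)/IN: loaded serial (\d+)")
_LOADFAIL = re.compile(r"named(?:\[\d+\])?: zone (\S+)/IN: loading master file (\S+): (.+)$")
_RUNNING = re.compile(r"named(?:\[\d+\])?: running$")


def check_named_startup(lines: Iterable[str], expected_zones: Iterable[str],
                        disk_serials: Optional[Dict[str, int]] = None) -> dict:
    """Summarise a named start-up as logged to /var/log/messages."""
    loaded: Dict[str, int] = {}
    failed: Dict[str, str] = {}
    running = False
    for line in lines:
        m = _LOADED.search(line)
        if m:
            loaded[m.group(1)] = int(m.group(2))
            continue
        m = _LOADFAIL.search(line)
        if m:
            failed[m.group(1)] = f"{m.group(2)}: {m.group(3)}"
            continue
        if _RUNNING.search(line):
            running = True
    missing = sorted(z for z in expected_zones if z not in loaded and z not in failed)
    stale: List[str] = []
    if disk_serials:
        stale = sorted(z for z, s in loaded.items()
                       if z in disk_serials and s < disk_serials[z])
    return {"loaded": loaded, "failed": failed, "missing": missing,
            "stale": stale, "running": running}


def problems(summary: dict) -> List[str]:
    """Turn the summary into the lines an administrator would want to read."""
    out = [f"{z}: master file not loaded ({why})" for z, why in summary["failed"].items()]
    out += [f"{z}: expected but never mentioned; is it in named.conf?" for z in summary["missing"]]
    out += [f"{z}: loaded serial is behind the file on disk; reload or bump the serial"
            for z in summary["stale"]]
    if not summary["running"]:
        out.append("named did not log 'running'")
    return out


# Constructed sample lines modelled on the chapter's /var/log/messages excerpts.
SAMPLE_LOG = """\
Feb 21 09:13:13 bigboy named[12026]: loading configuration from '/etc/named.conf'
Feb 21 09:13:13 bigboy named[12026]: listening on IPv4 interface eth0, 192.168.1.100#53
Feb 21 09:13:14 bigboy named[12026]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Feb 21 09:13:14 bigboy named[12026]: zone localhost/IN: loaded serial 42
Feb 21 09:13:14 bigboy named[12026]: zone my-site.com/IN: loaded serial 2004021401
Feb 21 09:13:14 bigboy named[12026]: zone 1.168.192.in-addr.arpa/IN: loading master file 192-168-1.zone: file not found
Feb 21 09:13:14 bigboy named[12026]: running
""".splitlines()

# Zones that named.conf is supposed to serve (constructed), and the serial
# currently written in one of the zone files on disk (constructed).
EXPECTED_ZONES = ["my-site.com", "1.168.192.in-addr.arpa", "my-site.org"]
DISK_SERIALS = {"my-site.com": 2004021402}

if __name__ == "__main__":
    for line in problems(check_named_startup(SAMPLE_LOG, EXPECTED_ZONES, DISK_SERIALS)):
        print(line)
```

On the sample data the report lists the reverse zone whose file was missing, my-site.org as never mentioned (the classic forgotten named.conf entry), and my-site.com as running on a serial older than the one on disk.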

4) You can also use the dig command to determine whether known DNS servers on the Internet have received a valid update for your zone. It is sometimes good to query both your name server, as well as a well known name server such as ns1.yahoo.com, to make sure your DNS records have propagated properly. (Remember if you decide to change the DNS servers for your domain that it could take up to four days for it to propagate across the Internet.) The format for the command is:

    dig <domain-name> <name-server> soa

The name server is optional. If you specify a name server, then dig queries that name server instead of the Linux server's default name server. The dig command only works with fully qualified domain names, because it doesn't refer to the /etc/resolv.conf file.

This command uses the local DNS server for the query. It returns the SOA record information and the addresses of the domain's DNS servers in the authority section.

    [root@bigboy tmp]# dig linuxhomenetworking.com soa

    ;; QUESTION SECTION:
    ;linuxhomenetworking.com.               IN      SOA

    ;; ANSWER SECTION:
    linuxhomenetworking.com. 3600   IN      SOA     ns1.myisp.net. (contact address not captured) 1077341254 1800 900 604800 900

    ;; AUTHORITY SECTION:
    linuxhomenetworking.com. 3600   IN      NS      ns2.myisp.net.
    linuxhomenetworking.com. 3600   IN      NS      ns1.myisp.net.

    ;; ADDITIONAL SECTION:
    ns1.myisp.net.          3600    IN      A       65.115.70.68
    ns2.myisp.net.          3600    IN      A       65.115.70.69
    [root@bigboy tmp]#

Here is a successful dig using DNS server ns1.myisp.net for the query. As before, it returns the SOA record for the zone.

    [root@bigboy tmp]# dig linuxhomenetworking.com ns1.myisp.net soa

    ;; QUESTION SECTION:
    ;linuxhomenetworking.com.               IN      SOA

    ;; AUTHORITY SECTION:
    linuxhomenetworking.com. 3600   IN      NS      ns1.myisp.net.
    linuxhomenetworking.com. 3600   IN      NS      ns2.myisp.net.

    ;; ADDITIONAL SECTION:
    ns1.myisp.net.          3600    IN      A       65.115.70.68
    ns2.myisp.net.          3600    IN      A       65.115.70.69
    [root@bigboy tmp]#

Sometimes your SOA dig will fail. In this case the misspelling "linuxhomeqnetworking.com" was entered on the command line. The authority section doesn't know of the domain and points to the name server for the entire .com domain at VeriSign.

    [root@bigboy tmp]# dig linuxhomeqnetworking.com ns1.myisp.net soa

    ;; QUESTION SECTION:
    ;linuxhomeqnetworking.com.              IN      SOA

    ;; AUTHORITY SECTION:
    com.                    0       IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. (serial and timer values not captured)
    [root@bigboy tmp]#

Possible causes of failure include:

- Typographical errors.
- Incorrect domain registration.
- A firewall could be blocking DNS traffic on TCP and/or UDP port 53 between your server and the DNS server.

Migrating Your Web Site In-House

It is important to have a detailed migration plan if you currently use an external company to host your Web site and wish to move the site to a server at home or in your office. There is no magic bullet that will allow you to tell all the caching DNS servers in the world to flush their caches of your zone file entries. As the TTL is usually set to a number of days, it will take at least three to five days for all remote DNS servers to recognize the change. Delays of up to four days are not uncommon.

Your best alternative is to request your existing service provider to set the TTL on my-site.com in the DNS zone file to a very low value, say one minute. Once the propagation is complete, it will take only one minute to see the results of the final DNS configuration switch to your new server. If anything goes wrong, you can then revert to the old configuration, knowing it will rapidly recover within minutes rather than days. If you have concerns that your service provider won't cooperate, then you could explain to the provider that you want to test its failover capabilities to a duplicate server that you host in-house.

At the very least your plan should include these steps:

1. Set up your test server in house.

2. Edit the /etc/hosts file to make www.my-site.com refer to its own IP address, therefore the test server will begin to think that www.my-site.com is really hosted on itself, not on the www.my-site.com site that is currently in production. This file is usually given a higher priority than DNS. You may also want to add an entry for mail.my-site.com if the new Web server is going to also be your new mail server.

3. Test your server based applications from the server itself. This should include mail, Web, and so on.

4. Test the server from a remote client. Just edit your /etc/hosts file on your Web browsing Linux PC to make www.my-site.com map to the IP address of the new server. In the case of Windows, the file would be C:\WINDOWS\system32\drivers\etc\hosts. Your client will usually refer to these files first before checking DNS, hence you can use them to predefine some DNS lookups at the local client level only. You can test the server running as www.my-site.com even though DNS hasn't been updated. You may also want to add an entry for mail.my-site.com if the new Web server is going to also be your new mail server.

5. Once testing is completed, fix your /etc/hosts files by deleting the test entries you had before.

6. Once complete, coordinate with your Web hosting provider to update your domain registration's DNS records for www.my-site.com to point to your new Web server. You may also want to take over your own DNS. Edit your my-site.com DNS entries with VeriSign, RegisterFree or whoever you bought your domain from to point to your new DNS servers.

7. As the TTLs were set to one minute previously, you'll be able to see results of the migration within minutes. You can then decide whether the change will be permanent once you have failed over back and forth a few times.

8. Finally, you can set the TTL back to the original value to help reduce the volume of DNS query traffic hitting your DNS server.

Remember, you don't have to host DNS or mail in-house. In a simple home network, this could be left in the hands of your service provider. You can then migrate these services in-house as your confidence in hosting becomes greater.

DHCP Considerations For DNS

If you have a DHCP server on your network, you'll need to make it assign the IP address of the Linux box as the DNS server it tells the DHCP clients to use. If your Linux box is the DHCP server, then you may need to refer to Chapter 8, "Configuring the DHCP Server".

Simple DNS Security

Web site security refers to anything that helps to guarantee the availability of the site. DNS can reveal a lot about the nature of your domain. You should take some precautions to conceal some of the information for the sake of security.

Zone Transfer Protection

The host command does one DNS query at a time, but the dig command is much more powerful. When given the right parameters it can download the entire contents of your domain's zone file. In this example, the AXFR zone transfer parameter is used to get the contents of the my-site.com zone file.

    [root@smallfry tmp]# dig my-site.com AXFR

    ; <<>> DiG 9.3 <<>> my-site.com AXFR
    ;; global options:  printcmd
    my-site.com.              3600  IN  SOA    ns1.my-site.com. hostmaster.my-site.com. 2004110701 3600 3600 3600 3600
    my-site.com.              3600  IN  NS     ns1.my-site.com.
    my-site.com.              3600  IN  MX     10 mail.my-site.com.
    192-168-1-96.my-site.com. 3600  IN  A      192.168.1.96
    192-168-1-97.my-site.com. 3600  IN  A      192.168.1.97
    192-168-1-98.my-site.com. 3600  IN  A      192.168.1.98
    bigboy.my-site.com.       3600  IN  A      192.168.1.100
    gateway.my-site.com.      3600  IN  A      192.168.1.1
    localhost.my-site.com.    3600  IN  A      127.0.0.1
    mail.my-site.com.         3600  IN  CNAME  www.my-site.com.
    ns1.my-site.com.          3600  IN  CNAME  www.my-site.com.
    ntp.my-site.com.          3600  IN  CNAME  www.my-site.com.
    smallfry.my-site.com.     3600  IN  A      192.168.1.102
    www.my-site.com.          3600  IN  A      192.168.1.100
    my-site.com.              3600  IN  SOA    ns1.my-site.com. hostmaster.my-site.com. 2004110701 3600 3600 3600 3600
    ;; Query time: 16 msec
    ;; SERVER: 192.168.1.100#53(192.168.1.100)
    ;; WHEN: Sun Nov 14 20:21:07 2004
    ;; XFR size: 16 records
    [root@smallfry tmp]#

This may not seem like an important security threat at first glance, but it is. Anyone can use this command to determine all your server's IP addresses and from the names determine what type of server it is, and then launch an appropriate cyber attack. Without master and slave servers, zone transfers should be disabled. You can do this by applying the allow-transfer directive to the global options section of your named.conf file.

    options {
        allow-transfer {none;};
    };

Once applied, your zone transfer test should fail.

    [root@smallfry tmp]# dig my-site.com AXFR

    ; <<>> DiG 9.3 <<>> my-site.com AXFR
    ;; global options:  printcmd
    ; Transfer failed.
    [root@smallfry tmp]#
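As an added example, not part of the original chapter, the following Python script reads a named.conf and checks the two global options this section and the next rely on: allow-transfer (should be none when there are no slaves) and allow-recursion (should be limited to an ACL). It goes slightly beyond the zone-transfer directive above by also resolving ACL names, as used by the allow-recursion example in the next section. Both configurations are constructed; the weak one leaves the options open and the hardened one mirrors the chapter's directives. The comment stripping and brace matching handle ordinary named.conf syntax, not every corner of it.

```python
import re
from typing import Dict, List, Optional


def _strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def _block(text: str, header: str) -> Optional[str]:
    """Body of the first 'header { ... }' block, honouring nested braces."""
    m = re.search(header + r"\s*\{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def _entries(body: str, directive: str) -> Optional[List[str]]:
    """Elements of 'directive { a; b; };' inside body, or None if absent."""
    m = re.search(directive + r"\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [e.strip().strip('"') for e in m.group(1).split(";") if e.strip()]


def _acls(text: str) -> Dict[str, List[str]]:
    """Named ACLs declared with 'acl "name" { ... };'."""
    return {name: [e.strip().strip('"') for e in body.split(";") if e.strip()]
            for name, body in re.findall(r'acl\s+"?([\w-]+)"?\s*\{([^}]*)\}', text)}


def _expand(entries: List[str], acls: Dict[str, List[str]]) -> List[str]:
    """Replace ACL names by their members so 'any' cannot hide inside an ACL."""
    out: List[str] = []
    for e in entries:
        out.extend(_expand(acls[e], acls) if e in acls else [e])
    return out


def audit_named_conf(text: str) -> dict:
    """Flag open zone transfers and open recursion in the global options.

    A missing allow-transfer means BIND permits AXFR to anyone. A missing
    allow-recursion is treated as open here, which was the default in BIND
    versions before 9.4 (later versions default to localnets and localhost)."""
    text = _strip_comments(text)
    acls = _acls(text)
    options = _block(text, r"\boptions") or ""
    transfer = _entries(options, r"allow-transfer")
    recursion = _entries(options, r"allow-recursion")
    transfer_x = None if transfer is None else _expand(transfer, acls)
    recursion_x = None if recursion is None else _expand(recursion, acls)
    findings = []
    if transfer_x is None or "any" in transfer_x:
        findings.append("allow-transfer is missing or 'any': zone transfers (AXFR) are open to everyone")
    if recursion_x is None or "any" in recursion_x:
        findings.append("allow-recursion is missing or 'any': recursive lookups are open to everyone")
    return {"allow_transfer": transfer_x, "allow_recursion": recursion_x, "findings": findings}


# Constructed: a caching server that also serves my-site.com with both options left open.
WEAK_CONF = """\
options {
    directory "/var/named";
    allow-transfer { any; };   // anyone may pull the whole zone
    /* no allow-recursion: recursion is open on older BIND releases */
};
zone "my-site.com" { type master; file "my-site.zone"; };
"""

# Constructed: the same server with the directives the chapter recommends.
HARDENED_CONF = """\
acl "recursive_subnets" { 192.168.1.0/24; localhost; };
options {
    directory "/var/named";
    allow-transfer { none; };
    allow-recursion { "recursive_subnets"; };
};
zone "my-site.com" { type master; file "my-site.zone"; };
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_named_conf(conf)["findings"] or ["no findings"])
```

Running it prints two findings for the weak configuration and none for the hardened one, whose allow-recursion resolves to the two networks in the ACL.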

Selectively Disabling Recursion

Your caching DNS server can unknowingly participate in a form of DDoS attack if recursive lookups are globally allowed. First, a hacker breaks into the authoritative DNS server for a sub domain and adds a large TXT record to the sub domain. The hacker then sends thousands of queries to unsecured caching DNS servers requesting the TXT record. The queries use a false source IP address that corresponds to the IP address of the DNS server for your website. The queries are small, but the responses are amplified by the size of the TXT information, and your DNS server quickly becomes overwhelmed by the flurry of replies. For the administrator of the caching DNS servers, the additional load of the queries can be unnoticeable, but when multiplied by thousands of other poorly configured servers, the attack on your site becomes lethal.

Fortunately, this is just one of many methods you can use. The allow-recursion directive placed in the options section of your named.conf file can be used to restrict the networks to which recursive lookups are allowed. In this example an ACL is also used to limit lookups to localhost and the 192.168.1.0/24 network.

    acl "recursive_subnets" { 192.168.1.0/24; localhost; };

    options {
        allow-recursion { "recursive_subnets"; };
    };

Note: This does not restrict forward or reverse lookups defined by the zone files on the server. The server will answer all queries for my-web-site.org if it owns that domain, but it won't respond to queries for servers in another domain such as google.com. You may also want to adjust your DNS views so that external users get the same treatment, although it can be a little complicated.

Naming Convention Security

Your my-site.com domain will probably have a www and a mail subdomain, and they should remain obvious to all. Say for example that for political, religious, competitive or otherwise malicious reasons your web site is targeted for an attack. Descriptive server names may be good for ease of reference within the company, but to the Internet these names provide rapid identification of the types of malicious exploits a hacker could use to break in. Make sure, for example, that your MySQL database server doesn't have the letters "DB" or "SQL" in its name, or that your firewall doesn't have the letters "FW" in its name either.

Conclusion

DNS management is a critical part of the maintenance of any Web site. Without DNS, your web site goes off the air. DNS modifications are usually infrequent, because the IP address of a server is normally fixed or static. This is not always the case. There are situations in which a server's IP address will change unpredictably and frequently, making DNS management extremely difficult. Dynamic DNS was created as a solution to this and is explained in Chapter 19, "Dynamic DNS".

This page was last modified on 15 August 2008, at 01:54. This page has been accessed 462,362 times. Content is available under Attribution-NonCommercial-NoDerivs 2.5.
