Table of Contents for
TCP/IP Network Administration, 3rd Edition

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition TCP/IP Network Administration, 3rd Edition by Craig Hunt Published by O'Reilly Media, Inc., 2002
  1. Cover
  2. TCP/IP Network Administration, 3rd Edition
  3. Dedication
  4. Preface
  5. 1. Overview of TCP/IP
  6. 2. Delivering the Data
  7. 3. Network Services
  8. 4. Getting Started
  9. 5. Basic Configuration
  10. 6. Configuring the Interface
  11. 7. Configuring Routing
  12. 8. Configuring DNS
  13. 9. Local Network Services
  14. 10. sendmail
  15. 11. Configuring Apache
  16. 12. Network Security
  17. 13. Troubleshooting TCP/IP
  18. A. PPP Tools
  19. B. A gated Reference
  20. C. A named Reference
  21. D. A dhcpd Reference
  22. E. A sendmail Reference
  23. F. Solaris httpd.conf File
  24. G. RFC Excerpts
  25. Index
  26. Index
  27. Index
  28. Index
  29. Index
  30. Index
  31. Index
  32. Index
  33. Index
  34. Index
  35. Index
  36. Index
  37. Index
  38. Index
  39. Index
  40. Index
  41. Index
  42. Index
  43. Index
  44. Index
  45. Index
  46. Index
  47. Index
  48. Index
  49. Index
  50. Index
  51. Index
  52. About the Author
  53. Colophon
  54. Copyright

Chapter 8. Configuring DNS

Congratulations! You have installed TCP/IP in the kernel, configured the network interface, and configured routing. At this point, you have completed all of the configuration tasks required to run TCP/IP on a Unix system. While none of the remaining tasks is required for TCP/IP software to operate, they are necessary for making the network more friendly and useful. In the next two chapters, we look at how to configure basic TCP/IP network services. Perhaps the most important of these is name service.

It is, as the name implies, a service—specifically, a service intended to make the network more user-friendly. Computers are perfectly happy with IP addresses, but people prefer names. The importance of name service is indicated by the amount of coverage it has in this book. Chapter 3 discusses why name service is needed; this chapter covers how it is configured; and Appendix C covers the details of the name server configuration commands. This chapter provides sufficient information to show you how to configure the BIND software to run on your system.[82] But if you want to know more about why something is done or details on how to do it, don’t hesitate to refer to Chapter 3 and Appendix C.

BIND: Unix Name Service

In Unix, DNS is implemented by the Berkeley Internet Name Domain (BIND) software. BIND is a client/server software system. The client side of BIND is called the resolver. It generates the queries for domain name information and sends them to the server. The DNS server software answers the resolver’s queries. The server side of BIND is a daemon called named (pronounced “name” “d”).

This chapter covers three basic BIND configuration tasks:

  • Configuring the BIND resolver

  • Configuring the BIND name server (named)

  • Constructing the name server database files, called the zone files

A zone is a piece of the domain namespace over which a name server holds authority. A zone cannot contain a domain that is delegated to another server. Here we use “zone” to refer to the DNS database file, while the term “domain” is used in more general contexts. In this book, a domain is part of the domain hierarchy identified by a domain name. A zone is a collection of domain information contained in a DNS database file. The file that contains the domain information is called a zone file.

RFC 1033, the Domain Administrators Operations Guide, defines the basic set of standard records used to construct zone files. Many RFCs propose new DNS records that are not widely implemented. In this chapter and in Appendix C, we stick to the basic resource records that you are most likely to use. We’ll use these records to construct the zone files used in this chapter. But how, or even if, you need to construct zone files on your system is controlled by the type of BIND configuration you decide to use.

BIND Configurations

BIND configurations are described by the type of service the software is configured to provide. The four levels of service that can be defined in a BIND configuration are resolver-only systems, caching-only servers, master servers, and slave servers.

The resolver is the code that asks name servers for domain information. On Unix systems, it is implemented as a library rather than as a separate client program. Some systems, called resolver-only systems, use only the resolver; they don’t run a name server. Resolver-only systems are very easy to configure: you just need to set up the /etc/resolv.conf file.

The three other BIND configurations all require that the local system run the named server software. They are:

Master

The master name server is the authoritative source for all information about a specific zone. It loads the domain information from a locally maintained disk file that is built by the domain administrator. This file (the zone file) contains the most accurate information about a piece of the domain hierarchy over which this name server has authority. The master server is an authoritative server because it can answer any query about its zone with full authority.

Configuring a master server requires creating a complete set of configuration files: zone files for the forward-mapping zone and the reverse-mapping zone, the conf file, the root hints file, and the loopback file. No other configuration requires creating this complete set of files.

Slave

A slave server transfers a complete set of zone information from the master server. The zone data is transferred from the master server and stored on the slave server as a local disk file. This transfer is aptly called a zone transfer . A slave server keeps a complete copy of all zone information and can answer queries about that zone with authority. Therefore, a slave server is also considered an authoritative server.

Configuring a slave server does not require creating local zone files because the zone files are downloaded from the master server. However, other files (a boot file, a cache file, and a loopback file) are required.

Caching-only

A caching-only server runs the name server software but keeps no zone files. It learns the answer to every name server query from some remote server. Once it learns an answer, the server caches the answer and uses it to answer future queries for the same information. All name servers use cached information in this manner, but a caching-only server depends on this technique for all of its name server information. It is not considered an authoritative server because all of the information it provides is secondhand. Only a boot file and a cache file are required for a caching-only configuration, but the most common configuration also includes a loopback file. This is probably the most common name server configuration, and apart from the resolver-only configuration, it is the easiest to configure.

A name server may use any one of these configurations or, as is often the case, it may combine elements of more than one type of configuration. However, all systems run the resolver, so let’s begin by examining the configuration of the client side of the DNS software.

Configuring the Resolver

The resolver is configured in the /etc/resolv.conf file. The resolver is not a separate and distinct process; it is a library of routines called by network processes. The resolv.conf file is read when a process using the resolver starts, and is cached for the life of that process. If the configuration file is not found, the resolver attempts to connect to the named server running on the local host. While this may work, I don’t recommend it. By allowing the resolver configuration to default, you give up control over your system and become vulnerable to variations in the techniques used by different systems to determine the default configuration. For these reasons, the resolver configuration file should be created on every system running BIND.

The Resolver Configuration File

The configuration file clearly documents the resolver configuration. It allows you to identify up to three name servers, two of which provide backup if the first server doesn’t respond. It defines the default domain and various other processing options. The resolv.conf file is a critical part of configuring name service.

resolv.conf is a simple, human-readable file. There are system-specific variations in the commands used in the file, but the entries supported by most systems are:

nameserver address

The nameserver entries identify, by IP address, the servers that the resolver is to query for domain information. The name servers are queried in the order that they appear in the file. If no response is received from a server, the next server in the list is tried until the maximum number of servers are tried.[83] If no nameserver entries are contained in the resolv.conf file or if no resolv.conf file exists, all queries are sent to the local host. However, if there is a resolv.conf file and it contains nameserver entries, the local host is not queried unless an entry points to it. Specify the local host with its official IP address or with 0.0.0.0, not with the loopback address. The official address avoids problems seen on some versions of Unix when the loopback address is used. A resolver-only configuration never contains a nameserver entry that points to the local host.

domain name

The domain entry defines the default domain name. The resolver appends the default domain name to any hostname that does not contain a dot.[84] It then uses the expanded hostname in the query it sends to the name server. For example, if the hostname crab (which does not contain a dot) is received by the resolver, the default domain name is appended to crab to construct the query. If the value for name in the domain entry is wrotethebook.com, the resolver queries for crab.wrotethebook.com. If the environment variable LOCALDOMAIN is set, it overrides the domain entry, and the value of LOCALDOMAIN is used to expand the hostname.

search domain ...

The search entry defines a series of domains that is searched when a hostname does not contain a dot. Assume the entry search essex.wrotethebook.com butler.wrotethebook.com. A query for the hostname cookbook is first tried as cookbook.essex.wrotethebook.com. If that fails to provide a successful match, the resolver queries for cookbook.butler.wrotethebook.com. If that query fails, no other attempts are made to resolve the hostname. Use either a search statement or a domain statement. (The search command is preferred.) Never use both in the same configuration. If the environment variable LOCALDOMAIN is set, it overrides the search entry.

sortlist network [/ netmask ] ...

Addresses from the networks listed on the sortlist command are preferred over other addresses. If the resolver receives multiple addresses in response to a query about a multi-homed host or a router, it reorders the addresses so that an address from a network listed in the sortlist statement is placed in front of the other addresses. Normally addresses are returned to the application by the resolver in the order in which they are received.

The sortlist command is rarely used because it interferes with the servers’ ability to reorder addresses for load balancing and other purposes. The primary exception to this is that sometimes sortlist is configured to prefer addresses on a shared network over other addresses. Using this configuration, if the computer running the resolver is connected to network 172.16.0.0/16 and one of the addresses returned in a multiple address response is from that network, the address from 172.16.0.0 is placed in front of the other addresses.

options option ...

The options entry is used to select optional settings for the resolver. There are several possible options:[85]

debug

Turns on debugging, which prints debugging messages to standard output. debug works only if the resolver was compiled with the -DDEBUG option, and most weren’t.

ndots: n

Sets the number of dots in a hostname used to determine whether or not the search list is applied before sending the query to the name server. The default is 1. Therefore a hostname with one dot does not have a domain appended before it is sent to the name server. If options ndots:2 is specified, a hostname with one dot does have the search list domain added before the query is sent out, but a hostname with two or more dots does not have a domain added.

ndots may be useful for you if some component of your domain could be confused with a top-level domain and your users consistently truncate hostnames at that domain. In that case, the queries would first be sent to the root servers for resolution in the top-level domain before eventually getting back to your local server. It is very bad form to bother the root servers over nothing. Use ndots to force the resolver to extend the troublesome hostnames with your local domain name so that they will be resolved before reaching the root servers.

timeout: n

Sets the initial query timeout for the resolver. By default, the timeout is 5 seconds for the first query to every server. Under the Solaris 8 version of BIND, the syntax of this option is retrans: n.

attempts: n

Defines the number of times the resolver will retry a query. The default value is 2, which means the resolver will retry a query two times with every server in its server list before returning an error to the application. Under the Solaris 8 version of BIND, the syntax of this option is retry: n, and the default is 4.

rotate

Turns on round-robin selection of name servers. Normally, the resolver sends the query to the first server in the name server list, sending it to another server only if the first server does not respond. The rotate option tells the resolver to share the name server workload evenly among all of the servers.

no-check-names

Disables checking of domain names for compliance with RFC 952, DOD Internet Host Table Specification. By default, domain names that contain an underscore (_), non-ASCII characters, or ASCII control characters are considered to be in error. Use this option if you must work with hostnames that contain an underscore.

inet6

Causes the resolver to query for IPv6 addresses. The version of the Internet Protocol (IP) used in today’s Internet is IPv4. IPv4 uses 32-bit addresses. IPv6 expands those to 128-bit addresses.

The most common resolv.conf configuration defines the local domain name as the search list, the local host as the first name server, and one or two backup name servers. An example of this configuration is:

# Domain name resolver configuration file 
# 
search wrotethebook.com 
# try yourself first 
nameserver 172.16.12.2 
# try crab next 
nameserver 172.16.12.1 
# finally try ora
nameserver 172.16.1.2

The example is based on our imaginary network, so the default domain name is wrotethebook.com. The configuration is for rodent, and it specifies itself as the first name server. The backup servers are crab and ora. The configuration does not contain a sort list or any options, as these are infrequently used. This is an example of an average resolver configuration.

A resolver-only configuration

The resolver-only configuration is very simple. It is identical to the average configuration except that it does not contain a nameserver entry for the local system. A sample resolv.conf file for a resolver-only system is shown here:

# Domain name resolver configuration file 
# 
search wrotethebook.com 
# try crab 
nameserver 172.16.12.1 
# next try ora
nameserver 172.16.1.2

The configuration tells the resolver to pass all queries to crab; if that fails, try ora. Queries are never resolved locally. This simple resolv.conf file is all that is required for a resolver-only configuration.

Configuring named

While the resolver configuration requires, at most, one configuration file, several files are used to configure named. The complete set of named files is:

The configuration file

Sets general named parameters and points to the sources of DNS database information used by this server. These sources can be local disk files or remote servers. This file is usually called named.conf .

The root hints file

Points to the root zone servers. Some common names for this file are named.ca, db.cache, named.root, or root.ca.

The localhost file

Used to locally resolve the loopback address. The filename named.local is generally used for this file.

The forward-mapping zone file

The zone file that maps hostnames to IP addresses. This is the file that contains the bulk of the information about the zone. To make it easier to discuss this file, this text generally refers to it as the zone file, dropping the “forward-mapping” qualifier. The zone file is generally given a descriptive name, such as wrotethebook.com.hosts, that identifies which zone’s data is contained in the file.

The reverse-mapping zone file

The zone file that maps IP addresses to hostnames. To make it easier to discuss this file, this text generally refers to it as the reverse zone file. The reverse zone file is generally given a descriptive name, such as 172.16.rev, that identifies which IP address is mapped by the file.

All of these files can have any names you wish. However, you should use descriptive names for your zone files, the filenames named.conf and named.local for the boot file and the loopback address file, and one of the well-known names for the root hints file to make it easier for others to maintain your system. In the following sections, we’ll look at how each of these files is used, starting with named.conf.

The named.conf File

The named.conf file points named to sources of DNS information. Some of these sources are local files; others are remote servers. You need to create only the files referenced in the master and cache statements. We’ll look at an example of each type of file you may need to create.

The structure of the configuration commands in named.conf is similar to the structure of the C programming language. A statement ends with a semicolon (;), literals are enclosed in quotes (""), and related items are grouped together inside curly braces ({}). A comment can be enclosed between /* and */, like a C language comment; it can begin with //, like a C++ comment, or with #, like a shell comment. These examples use C++ style comments, but, of course, you can use any of the three valid styles you like.

Table 8-1 summarizes the basic named.conf configuration statements. It provides just enough information to help you understand the examples. Not all of the named.conf configuration commands are used in the examples, and you probably won’t use all of the commands in your configuration. The commands are designed to cover the full spectrum of configurations, even the configurations of root servers. If you want more details about the named.conf configuration statements, Appendix C contains a full explanation of each command.

Table 8-1. named.conf configuration commands

Command

Function

acl

Defines an access control list of IP addresses

include

Includes another file into the configuration file

key

Defines security keys for authentication

logging

Defines what will be logged and where it will be stored

options

Defines global configuration options and defaults

server

Defines a remote server’s characteristics

zone

Defines a zone

The way you configure the named.conf file controls whether the name server acts as a zone’s master server, a zone’s slave server, or a caching-only server. The best way to understand these different configurations is to look at sample named.conf files. The next sections show examples of each type of configuration.

A caching-only server configuration

A caching-only server configuration is simple. A named.conf file and a named.ca file are all that you need, though the named.local file is usually also used. A possible named.conf file for a caching-only server is:

$ cat /etc/named.conf
options {
        directory "/var/named";
};

//
// a caching only name server config
//
zone "." {
        type hint;
        file "named.ca";
};

zone "0.0.127.in-addr.arpa" {   
        type master;
        file "named.local";
};

The options statement defines the default directory for named. In the sample file, this is /var/named. All subsequent file references in the named.conf file are relative to this directory.

The two zone statements in this caching-only configuration are found in all server configurations. The first zone statement defines the hints file that is used to help the name server locate the root servers during startup. The second zone statement makes the server the master for its own loopback address, and says that the information for the loopback domain is stored in the file named.local. The loopback domain is an in-addr.arpa domain[86] that maps the address 127.0.0.1 to the name localhost. The idea of resolving your own loopback address makes sense to most people, and named.conf files should contain this entry. The hints file and the local host file, along with the named.conf file, are used for every server configuration.[87]

These zone and options statements are the only statements used in most caching-only server configurations, but the options statement used can be more complex. A forwarders option and a forward only option are sometimes used. The forwarders option causes the caching-only server to send all of the queries that it cannot resolve from its own cache to specific servers. For example:

options {
        directory "/var/named";
        forwarders { 172.16.12.1; 172.16.1.2; };
};

This forwarders option forwards every query that cannot be answered from the local cache to 172.16.12.1 and 172.16.1.2. The forwarders option builds a rich DNS cache on selected servers located on the local network. This reduces the number of times that queries must be sent out on the wide area network, which is particularly useful if you have limited bandwidth to the wide area network or if you are charged for usage.

When network access to the outside world is severely limited, use the forward only option to force the local server to always use the forwarder:

options {
        directory "/var/named";
        forwarders { 172.16.12.1; 172.16.1.2; };
        forward only;
};

With this option in the configuration file, the local server will not attempt to resolve a query itself even if it cannot get an answer to that query from the forwarders.

Adding options to the options statements does not change this from being a caching-only server configuration. Only the addition of master and slave zone commands will do that.

Master and slave server configurations

The imaginary wrotethebook.com domain is the basis for our sample master and slave server configurations. Here is the named.conf file to define crab as the master server for the wrotethebook.com domain:

options {
        directory "/var/named";
};

// a master name server configuration
//
zone "." {
        type hint;
        file "named.ca";
};

zone "0.0.127.in-addr.arpa" {   
        type master;
        file "named.local";
};

zone "wrotethebook.com" {   
        type master;
        file "wrotethebook.com.hosts";
};

zone "16.172.in-addr.arpa" {   
        type master;
        file "172.16.rev";
};

The directory option saves keystrokes on the subsequent filenames. It tells named that all relative filenames (i.e., filenames that don’t begin with a /), no matter where they occur in the named configuration, are relative to the directory /var/named. This option also tells named where to write various files, such as the dump file.

The first two zone statements in the sample configuration are the zone statements for the loopback address and the hints file. These statements were discussed earlier in reference to caching-only configurations. They always have the same function and are found in almost every configuration.

The first new zone statement declares that this is the master server for the wrotethebook.com domain and that the data for that domain is loaded from the file wrotethebook.com.hosts.

The second new zone statement points to the file that maps IP addresses from 172.16.0.0 to hostnames. This statement says that the local server is the master server for the reverse domain 16.172.in-addr.arpa and that the data for that domain is loaded from the file 172.16.rev.

A slave server’s configuration differs from a master’s only in the structure of the zone statements. Slave server zone statements point to remote servers as the source of the domain information instead of local disk files, and they define the zone as type slave. Unlike the file clause in a master zone statement, the file clause in a slave zone statement contains the name of a local file where information received from the remote server will be stored—not a file from which the domain is loaded. The following named.conf file configures ora as a slave server for the wrotethebook.com domain:

options {
        directory "/var/named";
};

// a slave server configuration
//
zone "." {
        type hint;
        file "named.ca";
};

zone "0.0.127.in-addr.arpa" {   
        type master;
        file "named.local";
};

zone "wrotethebook.com" {   
        type slave;
        file "wrotethebook.hosts";
        masters { 172.16.12.1; };
};

zone "16.172.in-addr.arpa" {   
        type slave;
        file "172.16.rev";
        masters { 172.16.12.1; };
};

The first zone statement with its type set to slave makes this a slave server for the wrotethebook.com domain. The statement tells named to download the data for the wrotethebook.com domain from the server at IP address 172.16.12.1 and to store that data in the file /var/named/wrotethebook.hosts. If the wrotethebook.hosts file does not exist, named creates it, gets the zone data from the remote server, and writes the data in the newly created file. If the file does exist, named checks with the remote server to see if the remote server’s data is newer than the data in the file. If the data has changed, named downloads the updated data and overwrites the file’s contents with the new data. If the data has not changed, named loads the contents of the disk file and doesn’t bother with a zone transfer.[88] Keeping a copy of the database on a local disk file makes it unnecessary to transfer the zone file every time the local host is rebooted. It’s necessary to transfer the zone only when the data changes.

The last zone statement in this configuration says that the local server is also a slave server for the reverse domain 16.172.in-addr.arpa, and that the data for that domain should also be downloaded from 172.16.12.1. The reverse domain data is stored locally in a file named 172.16.rev, following the same rules discussed previously for creating and overwriting wrotethebook.hosts.

Standard Resource Records

The configuration commands discussed above and listed in Table 8-1 are used only in the named.conf file. All other files used to configure named (the zone file, the reverse zone file, named.local, and named.ca) store DNS database information. These files all have the same basic format and use the same type of database records. They use standard resource records, called RRs. These are defined in RFC 1033, the Domain Administrators Operations Guide, and in other RFCs. Table 8-2 summarizes all of the standard resource records used in this chapter. These records are covered in detail in Appendix C.

Table 8-2. Standard resource records

Resource record text name

Record type

Function

Start of Authority

SOA

Marks the beginning of a zone’s data and defines parameters that affect the entire zone.

Nameserver

NS

Identifies a domain’s name server.

Address

A

Converts a hostname to an address.

Pointer

PTR

Converts an address to a hostname.

Mail Exchange

MX

Identifies where to deliver mail for a given domain name.

Canonical Name

CNAME

Defines an alias hostname.

Text

TXT

Stores arbitrary text strings.

The resource record syntax is described in Appendix C, but a little understanding of the structure of these records is necessary to read the sample configuration files used in this chapter.

The format of DNS resource records is:

 [name] [ttl] IN type data
name

The name of the domain object that the resource record references. It can be an individual host or an entire domain. The string entered for the name field is relative to the current domain unless it ends with a dot. If the name field is blank, i.e., contains only whitespace, the record applies to the domain object that was named last. For example, if the A record for rodent is followed by an MX record with a blank name field, both the A record and the MX record apply to rodent.

ttl

Time-to-live defines the length of time, in seconds, that the information in this resource record should be kept in a remote system’s cache. Usually this field is left blank and the default ttl, set for the entire zone by the $TTL directive, is used.[89]

IN

Identifies the record as an Internet DNS resource record. There are other classes of records, but they are rarely used. Curious? See Appendix C for the other, non-Internet, classes.

type

Identifies the kind of resource record. Table 8-2 lists the record types under the heading Record type. Specify one of these values in the type field.

data

The information specific to this type of resource record. For example, in an A record, this is the field that contains the actual IP address.

Later in this chapter we look at each of the remaining configuration files. As you look at the files, remember that all of the standard resource records in these files follow the format described above.

The bulk of a zone file is composed of standard resource records. In addition, BIND provides some zone file directives that are used to build a DNS database.

Zone File Directives

BIND provides four directives that simplify the construction of a zone file or define a value used by the resource records in the file. The four directives are evenly divided into two commands that simplify the construction of a zone file, $INCLUDE and $GENERATE, and two that define values used by the resource records, $ORIGIN and $TTL.

The $TTL directive

The $TTL directive defines the default TTL for resource records that do not specify an explicit time to live. The time value can be specified as a number of seconds or as a combination of numbers and letters. Defining one week as the default TTL using the numeric format is:

$TTL 604800

One week is equal to 604800 seconds. Using the alphanumeric format, one week can be defined simply as:

$TTL 1w

The possible values that can be used with the alphanumeric format are:

  • w for week

  • d for day

  • h for hour

  • m for minute

  • s for second

The $ORIGIN directive

The $ORIGIN directive sets the current origin, which is the domain name used to complete any relative domain names. A relative domain name is any name that does not end with a dot. By default, $ORIGIN starts out as the domain name defined on the zone statement. Use the $ORIGIN directive to change the setting.

The $INCLUDE directive

The $INCLUDE directive reads in an external file and includes it as part of the zone file. The external file is included in the zone file at the point where the $INCLUDE directive occurs.

The $GENERATE directive

The $GENERATE directive is used to create a series of resource records. The resource records created by the $GENERATE directive are almost identical, varying only by a numeric iterator. For example:

$ORIGIN 20.16.172.in-addr.arpa.
$GENERATE 1-4 $ CNAME $.1to4

The $GENERATE keyword is followed by the range of records to be created. In the example the range is 1 through 4. The range is followed by the template of the resource records to be generated. In this case, the template is $ CNAME $.1to4. A $ sign in the template is replaced by the current iterator value. In the example, the value iterates from 1 to 4. This $GENERATE directive produces the following resource records:

1 CNAME 1.1to4
2 CNAME 2.1to4
3 CNAME 3.1to4
4 CNAME 4.1to4

Given that 20.16.172.in-addr.arpa. is the value defined for the current origin, these resource records are the same as:

1.20.16.172.in-addr.arpa. CNAME 1.1to4.20.16.172.in-addr.arpa.
2.20.16.172.in-addr.arpa. CNAME 2.1to4.20.16.172.in-addr.arpa.
3.20.16.172.in-addr.arpa. CNAME 3.1to4.20.16.172.in-addr.arpa.
4.20.16.172.in-addr.arpa. CNAME 4.1to4.20.16.172.in-addr.arpa.

These odd-looking records are helpful for delegating reverse subdomains. Delegating domains is described later in this chapter.

Except for named.conf, all of the BIND configuration files are composed of standard records and directives. All four of the remaining configuration files are database files. Two of these files, named.ca and named.local, are used on all servers, regardless of server type.

The Cache Initialization File

The zone statement in named.conf that has its type set to hints points to the cache initialization file. Each server that maintains a cache has such a file. It contains the information needed to begin building a cache of domain data when the name server starts. The root domain is indicated on the zone statement by a single dot in the domain name field because the cache initialization file contains the names and addresses of the root servers.

The named.ca file is called a “hints” file because it contains hints that named uses to initialize the cache. The hints it contains are the names and addresses of the root servers. The hints file is used to help the local server locate a root server during startup. Once a root server is found, an authoritative list of root servers is downloaded from that server. The hints are not referred to again until the local server is forced to restart. The information in the named.ca file is not referred to often, but it is critical for booting a named server.

The basic named.ca file contains NS records that name the root servers and A records that provide the addresses of the root servers. A sample named.ca file is shown here:

; 
.                     3600000  IN  NS   A.ROOT-SERVERS.NET. 
A.ROOT-SERVERS.NET.   3600000  IN  A    198.41.0.4 
; 
.                     3600000      NS   B.ROOT-SERVERS.NET. 
B.ROOT-SERVERS.NET.   3600000  IN  A    128.9.0.107 
; 
.                     3600000      NS   C.ROOT-SERVERS.NET. 
C.ROOT-SERVERS.NET.   3600000  IN  A    192.33.4.12 
; 
.                     3600000      NS   D.ROOT-SERVERS.NET. 
D.ROOT-SERVERS.NET.   3600000  IN  A    128.8.10.90 
; 
.                     3600000      NS   E.ROOT-SERVERS.NET. 
E.ROOT-SERVERS.NET.   3600000  IN  A    192.203.230.10 
; 
.                     3600000      NS   F.ROOT-SERVERS.NET. 
F.ROOT-SERVERS.NET.   3600000  IN  A    192.5.5.241 
; 
.                     3600000      NS   G.ROOT-SERVERS.NET. 
G.ROOT-SERVERS.NET.   3600000  IN  A    192.112.36.4 
; 
.                     3600000      NS   H.ROOT-SERVERS.NET. 
H.ROOT-SERVERS.NET.   3600000  IN  A    128.63.2.53 
; 
.                     3600000      NS   I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.   3600000  IN  A    192.36.148.17
;
.                    3600000       NS  J.ROOT-SERVERS.NET. 
J.ROOT-SERVERS.NET.  3600000   IN  A   198.41.0.10
;
.                    3600000       NS  K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.  3600000   IN  A   193.0.14.129
;
.                    3600000       NS  L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.  3600000   IN  A   198.32.64.12
;
.                    3600000       NS  M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.  3600000   IN  A   202.12.27.33

This file contains only name server and address records. Each NS record identifies a name server for the root (.) domain. The associated A record gives the address of each root server. The TTL value for all of these records is 3600000—a very large value that is approximately 42 days.

Create the named.ca file by downloading the file domain/named.root from ftp.rs.internic.net via anonymous ftp. The file stored there is in the correct format for a Unix system. The following example shows the superuser downloading the named.root file directly into the local system’s named.ca file. The file doesn’t even need to be edited; it is ready to run.

# ftp ftp.rs.internic.net
Connected to rs.internic.net.
220-*****Welcome to the InterNIC Registration Host  *****
    *****Login with username "anonymous"
    *****You may change directories to the following:
      policy            - Registration Policies
      templates         - Registration Templates
      netinfo           - NIC Information Files
      domain            - Root Domain Zone Files
220 And more!
Name (ftp.rs.internic.net:craig): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password: craig@wrotethebook.com
230 Guest login ok, access restrictions apply.
Remote system type is Unix.
Using binary mode to transfer files. 
ftp> get /domain/named.root /var/named/named.ca
local: /var/named/named.ca remote: /domain/named.root
200 PORT command successful.
150 Opening BINARY mode data connection for /domain/named.root (2769 bytes).
226 Transfer complete.
2769 bytes received in 0.998 secs (2.7 Kbytes/sec)
ftp> quit
221 Goodbye.

Download the named.root file every few months to keep accurate root server information in your cache. A bogus root server entry could cause problems with your local server. The data given above is correct as of publication, but could change at any time.

If your system is not connected to the Internet, it won’t be able to communicate with the root servers. Initializing your hints file with the servers listed above would be useless. In this case, initialize your hints with entries that point to the major name servers on your local network. Those servers must also be configured to answer queries for the “root” domain. However, this root domain contains only NS records pointing to the domain servers on your local network. For example, assume that wrotethebook.com is not connected to the Internet and that crab and horseshoe are going to act as root servers for this isolated domain. crab is declared the master server for the root domain in its named.conf file. horseshoe is configured as the slave server for the root domain. They load the root from a zone file that starts with an SOA record identifying crab as the server and providing an in-house point of contact. Following the SOA record, the file contains NS records and A records, stating that crab and horseshoe are authoritative for the root and delegating the wrotethebook.com and 16.172.in-addr.arpa domains to the local name servers that service those domains. (How domains are delegated is covered later in the chapter.) Details of this type of configuration are provided in DNS and BIND by Liu and Albitz (O’Reilly & Associates).

The named.local File

The named.local file is used to convert the address 127.0.0.1 (the “loopback address”) into the name localhost. It’s the zone file for the reverse domain 0.0.127.IN-ADDR.ARPA. Because all systems use 127.0.0.1 as the “loopback” address, this file is virtually identical on every server. Here’s a sample named.local file:

$TTL    86400
@       IN  SOA     crab.wrotethebook.com. alana.crab.wrotethebook.com. ( 
                    1               ; serial  
                    360000          ; refresh every 100 hours 
                    3600            ; retry after 1 hour 
                    3600000         ; expire after 1000 hours 
                    3600            ; negative cache is 1 hour 
                    ) 
        IN  NS      crab.wrotethebook.com. 
0       IN  PTR     loopback.
1       IN  PTR     localhost.

Most zone files start as this one does, with a $TTL directive. This directive sets the default TTL for all resource records in this zone. It can be overridden on any individual record by defining a specific TTL on that record.

The SOA record and the NS record identify the zone and the name server for the zone. The first PTR record maps the network 127.0.0.0 to the name loopback, which is an alternative to mapping the network name in the /etc/networks file. The second PTR record is the heart of this file. It maps host address 1 on network 127.0.0 to the name localhost.

The SOA record’s data fields and the NS record that contains the computer’s hostname vary from system to system. The sample SOA record identifies crab.wrotethebook.com. as the server originating this zone, and the email address alana.crab.wrotethebook.com. as the point of contact for any questions about the zone. (Note that in an SOA record, the email address is written with a dot separating the recipient’s name from the hostname: alana is the user and crab.wrotethebook.com is the host. The domain names end in a dot, indicating that they are fully qualified and no default domain name should be appended.) The NS record also contains the computer’s hostname. Change these three data fields and you can use this identical file on any host.

The files discussed so far, named.conf, named.ca, and named.local, are the only files required to configure caching-only servers and slave servers. Most of your servers will use only these files, and the files used will contain almost identical information on every server. The simplest way to create these three files is to copy a sample file and modify it for your system. Most systems come with sample files. If your system doesn’t, get sample configuration files from a running server.

The remaining named configuration files are more complex, but the relative number of systems that require these files is small. Only the master server needs all of the configuration files, and there should be only one master server per zone.

The Reverse Zone File

The reverse zone file is very similar in structure to the named.local file. Both of these files translate IP addresses into hostnames, so both files contain PTR records.

The 172.16.rev file in our example is the reverse zone file for the 16.172.in-addr.arpa domain. The domain administrator creates this file on crab, and every other host that needs this information gets it from there.

$TTL 86400
; 
;        Address to hostname mappings. 
; 
@       IN      SOA     crab.wrotethebook.com. jan.crab.wrotethebook.com. ( 
                                2001061401   ;   Serial 
                                21600        ;   Refresh 
                                1800         ;   Retry 
                                604800       ;   Expire 
                                900 )        ;   Negative cache TTL 
                IN      NS      crab.wrotethebook.com. 
                IN      NS      ora.wrotethebook.com. 
                IN      NS      bigserver.isp.com. 
1.12            IN      PTR     crab.wrotethebook.com. 
2.12            IN      PTR     rodent.wrotethebook.com. 
3.12            IN      PTR     horseshoe.wrotethebook.com. 
4.12            IN      PTR     jerboas.wrotethebook.com. 
2.1             IN      PTR     ora.wrotethebook.com. 
6               IN      NS      linuxuser.articles.wrotethebook.com.
                IN      NS      horseshoe.wrotethebook.com.

Like all zone files, the first resource record in the reverse zone file is an SOA record. The @ in the name field of the SOA record references the current origin. Because this zone file does not contain an $ORIGIN directive to explicitly define the origin, the current origin is the domain 16.172.in-addr.arpa defined by the zone statement for this file in our sample named.conf file:

 zone "16.172.in-addr.arpa" {   
        type master;
        file "172.16.rev";
};

The @ in the SOA record allows the zone statement to define the zone file domain. This same SOA record is used on every zone; it always references the correct domain name because it references the domain defined for that particular zone file in named.conf. Change the hostname (crab.wrotethebook.com.) and the manager’s mail address (jan.crab.wrotethebook.com.), and use this SOA record in any of your zone files.

The NS records that follow the SOA record define the name servers for the domain. Generally the name servers are listed immediately after the SOA and have a blank name field. Recall that a blank name field means that the last domain name is still in force. This means that the NS records apply to the same domain as the SOA’s.

PTR records dominate the reverse zone file because they are used to translate addresses to hostnames. The PTR records in our example provide address-to-name conversions for hosts 12.1, 12.2, 12.3, 12.4, and 2.1 on network 172.16. Because they don’t end in dots, the values in the name fields of these PTR records are relative to the current domain. For example, the value 3.12 is interpreted as 3.12.16.172.in-addr.arpa. The hostname in the data field of the PTR record is fully qualified to prevent it from being relative to the current domain name (and therefore it ends with a dot). Using the information in this PTR, named will translate 3.12.16.172.in-addr.arpa into horseshoe.wrotethebook.com.

The last two lines of this file are additional NS records. As with any domain, subdomains can be created in an in-addr.arpa domain. This is what the last two NS records do. These NS records point to horseshoe and linuxuser as name servers for the subdomain 6.16.172.in-addr.arpa. Any query for information in the 6.16.172.in-addr.arpa subdomain is referred to them. NS records that point to the servers for a subdomain must be placed in the higher-level domain before you can use that subdomain.

Domain names and IP addresses are not the same thing and do not have the same structure. When an IP address is turned into an in-addr.arpa domain name, the four bytes of the address are treated as four distinct pieces of a name. In reality, the IP address is 32 contiguous bits, not four distinct bytes. Subnets divide up the IP address space and subnet masks are bit-oriented, which does not limit them to byte boundaries. Limiting subdomains to byte boundaries makes them less flexible than the subnets they must support. Our example in-addr.arpa domain delegates the subdomain at a full byte boundary, which treats each byte of the address as a distinct “name.” This is the simplest reverse subdomain delegation, but it might not be flexible enough for your situation.

The $GENERATE example shown earlier in this chapter helps create more flexible reverse domain delegations. The $GENERATE directive created CNAME records to map a range of addresses in an in-addr.arpa domain to a different domain that has more flexible domain name rules. Real in-addr.arpa domain names must be four numeric fields, corresponding to the four bytes of the IP address, followed by the string in-addr.arpa. In the $GENERATE example, we mapped these names to longer names that give us more flexibility. Here is a larger example of the $GENERATE command:

$ORIGIN 30.168.192.in-addr.arpa.
$GENERATE 0-63    $ CNAME $.1ST64
$GENERATE 63-127  $ CNAME $.2ND64
$GENERATE 128-191 $ CNAME $.3RD64
$GENERATE 192-255 $ CNAME $.4TH64

These four $GENERATE commands map the 256 numeric names in the 30.168.192.in-addr.arpa domain into four other domains, each composed of 64 numeric names. When a remote server seeks the PTR record for 52.30.168.192.in-addr.arpa, it is told that the canonical name for that host is 52.1st64.30.168.192.in-addr.arpa and that the server must seek the pointer record for that host from the server for the 1st64.30.168.192.in-addr.arpa domain. In effect, the $GENERATE directive lets us divide the single 30.168.192.in-addr.arpa domain into multiple domains. Once it is divided, each piece can be delegated to a different server.

Subdomain delegation can make reverse domains complex.[90] In most cases, however, reverse zone files are simpler than the forward-mapping zone file.

The Forward-Mapping Zone File

The forward-mapping zone file contains most of the domain information. This file converts hostnames to IP addresses, so A records predominate, but it also contains MX, CNAME, and other records. The zone file, like the reverse zone file, is created only on the master server; all other servers get this information from the master server.

$TTL 86400
; 
;       Addresses and other host information. 
; 
@      IN      SOA     crab.wrotethebook.com. jan.crab.wrotethebook.com. ( 
                                2001061401   ;   Serial 
                                21600        ;   Refresh 
                                1800         ;   Retry 
                                604800       ;   Expire 
                                900 )        ;   Negative cache TTL 
;       Define the name servers and the mail servers 
                IN      NS      crab.wrotethebook.com. 
                IN      NS      ora.wrotethebook.com. 
                IN      NS      bigserver.isp.com. 
                IN      MX      10 crab.wrotethebook.com. 
                IN      MX      20 horseshoe.wrotethebook.com. 
; 
;       Define localhost 
; 
localhost       IN      A       127.0.0.1 
; 
;       Define the hosts in this zone 
; 
crab            IN      A       172.16.12.1 
loghost         IN      CNAME   crab.wrotethebook.com. 
rodent          IN      A       172.16.12.2 
                IN      MX      5 crab.wrotethebook.com. 
mouse           IN      CNAME   rodent.wrotethebook.com. 
horseshoe       IN      A       172.16.12.3 
jerboas         IN      A       172.16.12.4 
ora             IN      A       172.16.1.2 
;       host table has BOTH host and gateway entries for 10.104.0.19 
wtb-gw          IN      A       10.104.0.19 
; 
;    Glue records for servers within this domain 
; 
linuxmag.articles  IN      A       172.16.18.15 
24seven.events     IN      A       172.16.6.1 
; 
;       Define sub-domains 
; 
articles           IN      NS      linuxmag.articles.wrotethebook.com. 
                   IN      NS      horseshoe.wrotethebook.com. 
events             IN      NS      24seven.events.wrotethebook.com.
                   IN      NS      linuxmag.articles.wrotethebook.com.

Like the reverse zone file, the zone file begins with an SOA record and a few NS records that define the domain and its servers, but the zone file contains a wider variety of resource records than a reverse zone file does. We’ll look at each of these records in the order they occur in the sample file, so you can follow along using the sample file as your reference.

The first MX record identifies a mail server for the entire domain. This record says that crab is the mail server for wrotethebook.com with a preference of 10. Mail addressed to user@wrotethebook.com is redirected to crab for delivery. Of course, for crab to successfully deliver the mail, it must be properly configured as a mail server. The MX record is only part of the story. We look at configuring sendmail in Chapter 10.

The second MX record identifies horseshoe as a mail server for wrotethebook.com with a preference of 20. Preference numbers let you define alternate mail servers. The lower the preference number, the more desirable the server. Therefore, our two sample MX records say “send mail for the wrotethebook.com domain to crab first; if crab is unavailable, try sending the mail to horseshoe.” Rather than relying on a single mail server, preference numbers allow you to create backup servers. If the main mail server is unreachable, the domain’s mail is sent to one of the backups instead.

These sample MX records redirect mail addressed to wrotethebook.com, but mail addressed to user@jerboas.wrotethebook.com will still be sent directly to jerboas.wrotethebook.com—not to crab or horseshoe. This configuration allows simplified mail addressing in the form user@wrotethebook.com for those who want to take advantage of it, but it continues to allow direct mail delivery to individual hosts for those who wish to take advantage of that.

The first A record in this example defines the address for localhost. This is the opposite of the PTR entry in the named.local file. It allows users within the wrotethebook.com domain to enter the name localhost and have it resolved to the address 127.0.0.1 by the local name server.

The next A record defines the IP address for crab, which is the master server for this domain. This A record is followed by a CNAME record that defines loghost as an alias for crab.

rodent’s A record is followed by an MX record and a CNAME record. (Note that the records that relate to a single host are grouped together, which is the most common structure used in zone file.) rodent’s MX record directs all mail addressed to user@rodent.wrotethebook.com to crab. This MX record is required because the MX records at the beginning of the zone file redirect mail only if it is addressed to user@wrotethebook.com. If you also want to redirect mail addressed to rodent, you need a “rodent-specific” MX record.

The name field of the CNAME record contains an alias for the official hostname. The official name, called the canonical name, is provided in the data field of the record. Because of these records, crab can be referred to by the name loghost, and rodent can be referred to as mouse. The loghost alias is a generic hostname used to direct syslogd output to crab.[91] Hostname aliases should not be used in other resource records.[92] For example, don’t use an alias as the name of a mail server in an MX record. Use only the canonical (official) name that’s defined in an A record.

Your zone file could be much larger than the sample file we’ve discussed, but it will contain essentially the same records. If you know the names and addresses of the hosts in your domain, you have most of the information necessary to create the named configuration.

Controlling the named Process

After you construct the named.conf file and the required zone files, start named. named is usually started at boot time from a startup script. On a Solaris 8 system, named is started by the /etc/init.d/inetsvc script. On a Red Hat Linux system, the script that starts named is /etc/rc.d/init.d/named. The Red Hat script can be run from the command prompt with optional arguments. For example, on a Red Hat system, the following command can be used to stop the name server:

# /etc/rc.d/init.d/named stop

To resume name service, use the command:

# /etc/rc.d/init.d/named start

Startup scripts work, but the named control (ndc ) program is a more effective tool for managing the named process. It comes with BIND 8 and provides a variety of functions designed to help you manage named. BIND 9 has a similar tool named rndc. Table 8-3 lists the ndc options and the purpose of each.[93]

Table 8-3. ndc options

Option

Function

status

Displays the process status of named.

dumpdb

Dumps the cache to named_dump.db.[a]

reload

Reloads the name server.

stats

Dumps statistics to named.stats.

trace

Turns on tracing to named.run.

notrace

Turns off tracing and closes named.run.

querylog

Toggles query logging, which logs each incoming query to syslogd.

start

Starts named.

stop

Stops named.

restart

Stops the current named process and starts a new one.

[a] This file is stored in the directory defined by the directory option in the named.conf file.

ndc options are simple to understand and easy to use. The following commands would stop, then restart the named process:

# ndc stop
# ndc start
new pid is 795

This command sequence assumes that there is some length of time between stopping the old named process and starting a new one. If you really want to quickly kill and restart the named process, use the restart option:

# ndc restart
new pid is 798

The first time you run named, watch for error messages. named logs errors to the messages file.[94] Once named is running to your satisfaction, use nslookup to query the name server to make sure it is providing the correct information.

Using nslookup

nslookup is a debugging tool provided as part of the BIND software package. It allows anyone to query a name server directly and retrieve any of the information known to the DNS system. It is helpful for determining if the server is running correctly and is properly configured, or for querying for information provided by remote servers.

The nslookup program is used to resolve queries either interactively or directly from the command line. Here is a command-line example of using nslookup to query for the IP address of a host:

% nslookup crab.wrotethebook.com 
Server:  rodent.wrotethebook.com 
Address:  172.16.12.2 
 
Name:    crab.wrotethebook.com
Address:  172.16.12.1

Here, a user asks nslookup to provide the address of crab.wrotethebook.com. nslookup displays the name and address of the server used to resolve the query, and then it displays the answer to the query. This is useful, but nslookup is more often used interactively.

The real power of nslookup is seen in interactive mode. To enter interactive mode, type nslookup on the command line without any arguments. Terminate an interactive session by typing Ctrl-D (^D) or entering the exit command at the nslookup prompt. As an interactive session, the previous query shown is:

% nslookup 
Default Server:  rodent.wrotethebook.com 
Address:  172.16.12.2 
 
> crab.wrotethebook.com 
Server:  rodent.wrotethebook.com 
Address:  172.16.12.2 
 
Name:    crab.wrotethebook.com 
Address:  172.16.12.1 
 > ^D

By default, nslookup queries for A records, but you can use the set type command to change the query to another resource record type or to the special query type ANY. ANY is used to retrieve all available resource records for the specified host.[95]

The following example checks MX records for crab and rodent. Note that once the query type is set to MX, it stays MX. It doesn’t revert to the default A-type query. Another set type command is required to reset the query type.

% nslookup 
Default Server:  rodent.wrotethebook.com 
Address:  172.16.12.2 
 
> set type=MX 
> crab.wrotethebook.com 
Server:  rodent.wrotethebook.com 
Address:  172.16.12.2 
 
crab.wrotethebook.com    preference = 5, mail exchanger = crab.wrotethebook.com 
crab.wrotethebook.com    inet address = 172.16.12.1 
 
> rodent.wrotethebook.com 
Server:  rodent.wrotethebook.com 
Address:  172.16.12.2 
 
rodent.wrotethebook.com    preference = 5, mail exchanger = rodent.wrotethebook.com 
rodent.wrotethebook.com    inet address = 172.16.12.2
> exit

You can use the server command to control the server used to resolve queries. This is particularly useful for going directly to an authoritative server to check some information. The following example does just that. In fact, this example contains several interesting commands:

  • First we set type=NS and get the NS records for the zoo.edu domain.

  • From the information returned by this query, we select a server and use the server command to direct nslookup to use that server.

  • Next, using the set domain command, we set the default domain to zoo.edu. nslookup uses this default domain name to expand the hostnames in its queries in the same way that the resolver uses the default domain name defined in resolv.conf.

  • We reset the query type to ANY. If the query type is not reset, nslookup still queries for NS records.

  • Finally, we query for information about the host tiger.zoo.edu. Because the default domain is set to zoo.edu, we simply enter tiger at the prompt.

Here’s the example:

% nslookup 
Default Server:  rodent.wrotethebook.com 
Address:  172.16.12.2 
 
> set type=NS 
> zoo.edu 
Server:  rodent.wrotethebook.com 
Address:  172.16.12.2 
 
Non-authoritative answer: 
zoo.edu nameserver = NOC.ZOO.EDU 
zoo.edu nameserver = NI.ZOO.EDU 
zoo.edu nameserver = NAMESERVER.AGENCY.GOV 
Authoritative answers can be found from: 
NOC.ZOO.EDU     inet address = 172.28.2.200 
NI.ZOO.EDU      inet address = 172.28.2.240 
NAMESERVER.AGENCY.GOV inet address = 172.21.18.31 
> server NOC.ZOO.EDU 
Default Server:  NOC.ZOO.EDU 
Address:  172.28.2.200 
 
> set domain=zoo.edu 
> set type=any 
> tiger 
Server:  NOC.ZOO.EDU 
Address:  172.28.2.200 
 
tiger.zoo.edu   inet address = 172.28.172.8 
tiger.zoo.edu   preference = 10, mail exchanger = tiger.ZOO.EDU 
tiger.zoo.edu   CPU=ALPHA OS=Unix 
tiger.zoo.edu   inet address = 172.28.172.8, protocol = 6 
         7 21 23 25 79 
tiger.ZOO.EDU   inet address = 172.28.172.8
> exit

The final example shows how to download an entire domain from an authoritative server and examine it on your local system. The ls command requests a zone transfer and displays the contents of the zone it receives.[96] If the zone file is more than a few lines long, redirect the output to a file and use the view command to examine the contents of the file. (view sorts a file and displays it using the Unix more command.) The combination of ls and view is helpful when tracking down a remote hostname. In this example, the ls command retrieves the big.com zone and stores the information in temp.file. Then view is used to examine temp.file.

rodent% nslookup 
Default Server:  rodent.wrotethebook.com 
Address:  172.16.12.2 
 
> server minerals.big.com 
Default Server:  minerals.big.com 
Address:  192.168.20.1 
 
> ls big.com > temp.file 
[minerals.big.com] 
######## 
Received 406 records. 
> view temp.file 
 acmite                         192.168.20.28 
 adamite                        192.168.20.29 
 adelite                        192.168.20.11 
 agate                          192.168.20.30 
 alabaster                      192.168.20.31 
 albite                         192.168.20.32 
 allanite                       192.168.20.20 
 altaite                        192.168.20.33 
 alum                           192.168.20.35 
 aluminum                       192.168.20.8 
 amaranth                       192.168.20.85 
 amethyst                       192.168.20.36 
 andorite                       192.168.20.37 
 apatite                        192.168.20.38 
 beryl                          192.168.20.23 
--More--q
> exit

These examples show that nslookup allows you to:

  • Query for any specific type of standard resource record

  • Directly query the authoritative servers for a domain

  • Get the entire contents of a domain into a file so you can view it

Use nslookup’s help command to see its other features. Turn on debugging (with set debug) and examine the additional information this provides. As you play with this tool, you’ll find many helpful features.

Summary

The Domain Name System (DNS) provides an important user service that should be used on every system connected to the Internet. The vast majority of Unix implementations of DNS are based on the Berkeley Internet Name Domain (BIND) software. BIND provides both a DNS client and a DNS server.

The BIND client issues name queries and is implemented as library routines. It is called the resolver. The resolver is configured in the resolv.conf file. All systems run the resolver.

The BIND server answers name queries and runs as a daemon. It is called named. named is configured by the named.conf file, which defines where the server gets the DNS database information and the type of server being configured. The server types are master, slave, and caching servers. Because all servers are caching servers, a single configuration often encompasses more than one server type.

The original DNS database source files are found on the master server. The DNS database file is called a zone file. The zone file is constructed from standard resource records (RRs) that are defined in RFCs. The RRs share a common structure and are used to define all DNS database information.

The DNS server can be tested using nslookup. This test tool is included with the BIND release.

In this chapter we have seen how to configure and test DNS. In the next chapter, we configure several other services.


[82] BIND 8 is the version of domain name software that comes with most versions of Linux and with Solaris 8. A newer version of DNS software—BIND 9—is also available. BIND 8 and BIND 9 use essentially the same configuration file syntax. The examples presented here should work with both BIND 8 and BIND 9.

[83] Three is the maximum number of servers tried by most BIND implementations.

[84] This is the most common way that default domain names are used, but this is configurable.

[85] This list shows the options on Linux systems that run BIND 8. The Solaris version of BIND 8 does not provide the rotate, no-check-names, or inet6 options.

[86] See Chapter 4 for a description of in-addr.arpa domains.

[87] BIND 8 requires the root hints file, but BIND 9 has hints compiled in that are used if no root hints file is provided.

[88] Appendix C (in Section C.3.1.1) discusses how named determines if data has been updated.

[89] See the description of the $TTL directive later in this chapter.

[90] For even more complex examples, see DNS and BIND by Albitz and Liu.

[91] See Chapter 3 for a further discussion of generic hostnames.

[92] See Appendix C for additional information about using CNAME records in the zone data file.

[93] At this writing, the status, trace, and restart commands are not yet implemented for rndc.

[94] This file is found in /usr/adm/messages on our Solaris system and in /var/log/messages on our Red Hat system. It might be located somewhere else on your system; check your documentation.

[95] “All available” records can vary based on the server answering the question. A server that is authoritative for the zone that contains the host’s records responds with all records. A nonauthoritative server that has cached information about the host provides all of the records it has cached, which might not be every record the host owns.

[96] For security reasons, many name servers do not respond to the ls command. See the allow-transferoption in Appendix C for information on how to limit access to zone transfers.