Friday, December 4, 2009

Domain Name Server (DNS) Configuration and Administration

At my place of employment, we are using Linux as a DNS server. It performs exceptionally well. This section will address configuration of DNS tables for these services using the BIND 8.x package which comes standard with the Red Hat distribution.

Note: Note: Red Hat versions 5.1 and earlier used the BIND 4.x package, which used a slightly different format for its configuration file. BIND 8.x offers more functionality over that offered by BIND 4.x, and as 4.x is no longer being developed, you should probably consider upgrading your BIND package to the latest version. Simply install the BIND RPM package (see Section 10.1 for details on using the RPM utility), then convert your configuration file to the new format.

Fortunately, converting your existing BIND 4.x configuration file to be compliant with BIND 8.x is easy! In the documentation directory provided as part of BIND (for example, ``/usr/doc/bind-8.1.2/'' for BIND version 8.1.2), there exists a file called ``named-bootconf.pl'', which is an executable Perl program. Assuming you have Perl installed on your system, you can use this program to convert your configuration file. To do so, type the following commands (as root):

cd /usr/doc/bind-8.1.2
./named-bootconf.pl < /etc/named.boot > /etc/named.conf
mv /etc/named.boot /etc/named.boot-obsolete

You should now have an ``/etc/named.conf'' file which should work with BIND 8.x "out-of-the-box". Your existing DNS tables will work as-is with the new version of BIND, as the format of the tables remains the same.

Configuration of DNS services under Linux involves the following steps:

1.

To enable DNS services, the ``/etc/host.conf'' file should look like this:

# Lookup names via /etc/hosts first, then by DNS query
order hosts, bind
# We don't have machines with multiple addresses
multi on
# Check for IP address spoofing
nospoof on
# Warn us if someone attempts to spoof
alert on

The extra spoof detection adds a bit of a performance hit to DNS lookups (although negligible), so if you're not too worried about this you may wish to disable the "nospool" and "alert" entries.
2.

Configure the ``/etc/hosts'' file as needed. Typically there doesn't need to be much in here, but for improved performance you can add any hosts you access often (such as local servers) to avoid performing DNS lookups on them.
3.

The ``/etc/named.conf'' file should be configured to point to your DNS tables according to the example below.

Note: (Note: IP addresses shown are examples only and must be replaced with your own class addresses!):

options {
// DNS tables are located in the /var/named directory
directory "/var/named";

// Forward any unresolved requests to our ISP's name server
// (this is an example IP address only -- do not use!)
forwarders {
123.12.40.17;
};

/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};

// Enable caching and load root server info
zone "named.root" {
type hint;
file "";
};

// All our DNS information is stored in /var/named/mydomain_name.db
// (eg. if mydomain.name = foobar.com then use foobar_com.db)
zone "mydomain.name" {
type master;
file "mydomain_name.db";
allow-transfer { 123.12.41.40; };
};

// Reverse lookups for 123.12.41.*, .42.*, .43.*, .44.* class C's
// (these are example Class C's only -- do not use!)
zone "12.123.IN-ADDR.ARPA" {
type master;
file "123_12.rev";
allow-transfer { 123.12.41.40; };
};

// Reverse lookups for 126.27.18.*, .19.*, .20.* class C's
// (these are example Class C's only -- do not use!)
zone "27.126.IN-ADDR.ARPA" {
type master;
file "126_27.rev";
allow-transfer { 123.12.41.40; };
};

Tip: Tip: Make note of the allow-transfer options above, which restricts DNS zone transfers to a given IP address. In our example, we are allowing the host at 123.12.41.40 (probably a slave DNS server in our domain) to request zone transfers. If you omit this option, anyone on the Internet will be able to request such transfers. As the information provided is often used by spammers and IP spoofers, I strongly recommend you restrict zone transfers except to your slave DNS server(s), or use the loopback address, ``127.0.0.1'' instead.

4.

Now you can set up your DNS tables in the ``var/named/'' directory as configured in the ``/etc/named.conf'' file in step three. Configuring DNS database files for the first time is a major undertaking, and is beyond the scope of this document. There are several guides, online and in printed form that should be referred to. However, several examples are provided below.

Sample entries in the ``/var/named/mydomain_name.db'' forward lookup file:

; This is the Start of Authority (SOA) record. Contains contact
; & other information about the name server. The serial number
; must be changed whenever the file is updated (to inform secondary
; servers that zone information has changed).
@ IN SOA mydomain.name. postmaster.mydomain.name. (
19990811 ; Serial number
3600 ; 1 hour refresh
300 ; 5 minutes retry
172800 ; 2 days expiry
43200 ) ; 12 hours minimum

; List the name servers in use. Unresolved (entries in other zones)
; will go to our ISP's name server isp.domain.name.com
IN NS mydomain.name.
IN NS isp.domain.name.com.

; This is the mail-exchanger. You can list more than one (if
; applicable), with the integer field indicating priority (lowest
; being a higher priority)
IN MX mail.mydomain.name.

; Provides optional information on the machine type & operating system
; used for the server
IN HINFO Pentium/350 LINUX

; A list of machine names & addresses
spock.mydomain.name. IN A 123.12.41.40 ; OpenVMS Alpha
mail.mydomain.name. IN A 123.12.41.41 ; Linux (main server)
kirk.mydomain.name. IN A 123.12.41.42 ; Windows NT (blech!)

; Including any in our other class C's
twixel.mydomain.name. IN A 126.27.18.161 ; Linux test machine
foxone.mydomain.name. IN A 126.27.18.162 ; Linux devel. kernel

; Alias (canonical) names
gopher IN CNAME mail.mydomain.name.
ftp IN CNAME mail.mydomain.name.
www IN CNAME mail.mydomain.name.

Sample entries in the ``/var/named/123_12.rev'' reverse lookup file:

; This is the Start of Authority record. Same as in forward lookup table.
@ IN SOA mydomain.name. postmaster.mydomain.name. (
19990811 ; Serial number
3600 ; 1 hour refresh
300 ; 5 minutes retry
172800 ; 2 days expiry
43200 ) ; 12 hours minimum

; Name servers listed as in forward lookup table
IN NS mail.mydomain.name.
IN NS isp.domain.name.com.

; A list of machine names & addresses, in reverse. We are mapping
; more than one class C here, so we need to list the class B portion
; as well.
40.41 IN PTR spock.mydomain.name.
41.41 IN PTR mail.mydomain.name.
42.41 IN PTR kirk.mydomain.name.

; As you can see, we can map our other class C's as long as they are
; under the 123.12.* class B addresses
24.42 IN PTR tsingtao.mydomain.name.
250.42 IN PTR redstripe.mydomain.name.
24.43 IN PTR kirin.mydomain.name.
66.44 IN PTR sapporo.mydomain.name.

; No alias (canonical) names should be listed in the reverse lookup
; file (for obvious reasons).

Any other reverse lookup files needed to map addresses in a different class B (such as 126.27.*) can be created, and would look much the same as the example reverse lookup file above.
5.

Make sure the named daemon is running. This daemon is usually started from the ``/etc/rc.d/init.d/named'' file upon system boot. You can also start and stop the daemon manually; type ``named start'' and ``named stop'', respectively.
6.

Whenever changes are made to the DNS tables, the DNS server should be restarted by typing ``/etc/rc.d/init.d/named restart''. You may then wish to test your changes by using a tool such as "nslookup" to query the machine you have added or changed.

No comments:

Post a Comment