
Configuring DNS in Linux Server


Quick HOWTO : Ch18 : Configuring DNS

From Linux Home Networking

Contents

1 Introduction

2 Introduction to DNS

2.1 DNS Domains

2.2 BIND

2.3 DNS Clients

2.4 Authoritative DNS Servers

2.5 How DNS Servers Find Out Your Site Information

2.6 When To Use A DNS Caching Name Server

2.7 When To Use A Static DNS Server

2.8 When To Use A Dynamic DNS Server

2.9 How To Get Your Own Domain

2.10 Basic DNS Testing of DNS Resolution

2.10.1 The Host Command

2.10.2 The nslookup Command

2.11 Downloading and Installing the BIND Packages

2.12 Managing the BIND Server

2.13 The /etc/resolv.conf File

2.13.1 Table 18.1 Keywords In /etc/resolv.conf

3 Important File Locations

3.1 RedHat / Fedora

3.2 Table 18.2 Differences In Fedora And Redhat DNS File Locations

3.3 Debian / Ubuntu

4 Configuring Your Nameserver

4.1 Configuring resolv.conf

4.2 Creating a named.conf Base Configuration

4.2.1 Table 18.3 The Primary BIND Configuration Files

4.3 Configuring BIND Views in named.conf

4.3.1 Forward Zone File References in named.conf

4.3.2 Reverse Zone File References in named.conf

4.3.3 The Caching Nameserver localhost_resolver View

4.3.4 The Internal View

4.3.5 The External View

4.4 Configuring The Zone Files

4.4.1 Time to Live Value

4.4.2 DNS Resource Records

4.4.3 The SOA Record

4.4.4 Table 18.4 The SOA Record Format

4.4.5 NS, MX, A And CNAME Records

4.4.6 Table 18.5 NS, MX, A, PTR and CNAME Record Formats

4.4.7 TXT Records

4.5 Sample Forward Zone File

4.6 Sample Reverse Zone File



Quick HOWTO : Ch18 : Configuring DNS - Linux Home Networking http://www.linuxhomenetworking.com/wiki/index.php/Quick_H...

1 of 17 11/04/2014 9:01 PM


4.7 Loading Your New Configuration Files

4.8 Make Sure Your /etc/hosts File Is Correctly Updated

4.9 Configure Your Firewall

4.10 Fix Your Domain Registration

5 Troubleshooting BIND

5.1 Configuration Troubleshooting Steps

5.2 Network Troubleshooting Steps

6 Migrating Your Web Site In-House

7 DHCP Considerations For DNS

8 Simple DNS Security

8.1 Zone Transfer Protection

8.2 Selectively Disabling Recursion

8.3 Naming Convention Security

9 Conclusion

Introduction

Domain Name System (DNS) converts the name of a Web site (www.linuxhomenetworking.com) to an IP address (65.115.71.34). This step is important, because the IP address of a Web site's server, not the Web site's name, is used in routing traffic over the Internet. This chapter will explain how to configure your own DNS server to help guide Web surfers to your site.

Introduction to DNS

Before you dig too deep in DNS, you need to understand a few foundation concepts on which the rest of the chapter will be built.

DNS Domains

Everyone in the world has a first name and a last, or family, name. The same thing is true in the DNS world: A family of Web sites can be loosely described as a domain. For example, the domain linuxhomenetworking.com has a number of children, such as www.linuxhomenetworking.com and mail.linuxhomenetworking.com for the Web and mail servers, respectively.

BIND

BIND is an acronym for the Berkeley Internet Name Domain project, which is a group that maintains the DNS-related software suite that runs under Linux. The most well known program in BIND is named, the daemon that responds to DNS queries from remote machines.

DNS Clients

A DNS client doesn't store DNS information; it must always refer to a DNS server to get it. The only DNS configuration file for a DNS client is the /etc/resolv.conf file, which defines the IP address of the DNS server it should use. You shouldn't need to configure any other files. You'll become well acquainted with the /etc/resolv.conf file soon.

Authoritative DNS Servers

Authoritative servers provide the definitive information for your DNS domain, such as the names of servers and Web sites in it. They are the last word in information related to your domain.

How DNS Servers Find Out Your Site Information

There are 13 root authoritative DNS servers (super duper authorities) that all DNS servers query first. These root servers know all the authoritative DNS servers for all the main domains - .com, .net, and the rest. This layer of servers keeps track of all the DNS servers that Web site systems administrators have assigned for their sub domains.

For example, when you register your domain my-site.com, you are actually inserting a record on the .com DNS servers that points to the authoritative DNS servers you assigned for your domain. (More on how to register your site later.)

When To Use A DNS Caching Name Server

Most servers don't ask authoritative servers for DNS directly; they usually ask a caching DNS server to do it on their behalf. These servers, through a process called recursion, sequentially query the authoritative servers at the root, main domain and sub domain levels to eventually get the specific information requested. The most frequently requested information is then stored (or cached) to reduce the lookup overhead of subsequent queries.


If you want to advertise your Web site www.my-site.com to the rest of the world, then a regular DNS server is what you require. Setting up a caching DNS server is fairly straightforward and works whether or not your ISP provides you with a static or dynamic Internet IP address.

After you set up your caching DNS server, you must configure each of your home network PCs to use it as their DNS server. If your home PCs get their IP addresses using DHCP, then you have to configure your DHCP server to make it aware of the IP address of your new DNS server, so that the DHCP server can advertise the DNS server to its PC clients. Off-the-shelf router/firewall appliances used in most home networks usually can act as both the caching DNS and DHCP server, rendering a separate DNS server unnecessary.

You can find the configuration steps for a Linux DHCP server in Chapter 8, "Configuring the DHCP Server".

When To Use A Static DNS Server

If your ISP provides you with a fixed or static IP address, and you want to host your own Web site, then a regular authoritative DNS server would be the way to go. A caching DNS name server is used as a reference only; regular name servers are used as the authoritative source of information for your Web site's domain.

Note: Regular name servers are also caching name servers by default.

When To Use A Dynamic DNS Server

If your ISP provides your router/firewall with its Internet IP address using DHCP then you must consider dynamic DNS, covered in Chapter 19, "Dynamic DNS". For now, I'm assuming that you are using static Internet IP addresses.

How To Get Your Own Domain

Whether or not you use static or dynamic DNS, you need to register a domain.

Dynamic DNS providers frequently offer you a subdomain of their own site, such as my-site.dnsprovider.com, in which you register your domain on their site.

If you choose to create your very own domain, such as my-site.com, you have to register with a company specializing in static DNS registration and then point your registration record to the intended authoritative DNS for your domain. Popular domain registrars include VeriSign, Register Free, and Yahoo.

If you want to use a dynamic DNS provider for your own domain, then you have to point your registration record to the DNS servers of your dynamic DNS provider. (More details on domain registration are coming later in the chapter.)

Basic DNS Testing of DNS Resolution

As you know, DNS resolution maps a fully qualified domain name (FQDN), such as www.linuxhomenetworking.com, to an IP address. This is also known as a forward lookup. The reverse is also true: By performing a reverse lookup, DNS can determine the fully qualified domain name associated with an IP address.

Many different Web sites can map to a single IP address, but the reverse isn't true; an IP address can map to only one FQDN. This means that forward and reverse entries frequently don't match. The reverse DNS entries are usually the responsibility of the ISP hosting your site, so it is quite common for the reverse lookup to resolve to the ISP's domain. This isn't an important factor for most small sites, but some e-commerce applications require matching entries to operate correctly. You may have to ask your ISP to make a custom DNS change to correct this.

There are a number of commands you can use to do these lookups. Linux uses the host command, for example, but Windows uses nslookup.

The Host Command

The host command accepts either the fully qualified domain name or the IP address of the server as its argument. To perform a forward lookup, use the syntax:

[root@bigboy tmp]# host www.linuxhomenetworking.com
www.linuxhomenetworking.com has address 65.115.71.34
[root@bigboy tmp]#

To perform a reverse lookup:

[root@bigboy tmp]# host 65.115.71.34
34.71.115.65.in-addr.arpa domain name pointer 65-115-71-34.myisp.net.
[root@bigboy tmp]#

As you can see, the forward and reverse entries don't match. The reverse entry matches the entry of the ISP.

The nslookup Command

The nslookup command provides the same results on Windows PCs. To perform a forward lookup, use:

C:\> nslookup www.linuxhomenetworking.com
Server:  192-168-1-200.my-site.com
Address:  192.168.1.200

Non-authoritative answer:
Name:    www.linuxhomenetworking.com
Address:  65.115.71.34

C:\>

To perform a reverse lookup:

C:\> nslookup 65.115.71.34
Server:  192-168-1-200.my-site.com
Address:  192.168.1.200

Name:    65-115-71-34.my-isp.com
Address:  65.115.71.34

C:\>

Downloading and Installing the BIND Packages

Most RedHat and Fedora Linux software products are available in a package format. When searching for the file, remember that the BIND package's filename usually starts with the word "bind" followed by a version number, as in bind-9.2.2.P3-9.i386.rpm. (For more details on downloading RPMs, see Chapter 6, "Installing Linux Software").

Note: Unless otherwise stated, the sample configurations covered in this chapter will be for Redhat / Fedora distributions. If you use Debian / Ubuntu, don't worry, there will be annotations to make you aware of the differences.

Managing the BIND Server

Managing BIND's named daemon is easy to do, but the procedure differs between Linux distributions. Here are some things to keep in mind.

1. Firstly, different Linux distributions use different daemon management systems. Each system has its own set of commands to do similar operations. The most commonly used daemon management systems are SysV and Systemd.

2. Secondly, the daemon name needs to be known. In this case the name of the daemon is named.

Armed with this information you can know how to:

1. Start your daemons automatically on booting

2. Stop, start and restart them later on during troubleshooting or when a configuration file change needs to be applied.

For more details on this, please take a look at the "Managing Daemons" section of Chapter 6, "Installing Linux Software".

Note: Remember to configure your daemon to start automatically upon your next reboot.

The /etc/resolv.conf File

DNS clients (servers not running BIND) use the /etc/resolv.conf file to determine both the location of their DNS server and the domains to which they belong. The file generally has two columns; the first contains a keyword, and the second contains the desired values separated by commas. See Table 18.1 for a list of keywords.

Table 18.1 Keywords In /etc/resolv.conf

Keyword: nameserver
Value: IP address of your DNS nameserver. There should be only one entry per "nameserver" keyword. If there is more than one nameserver, you'll need to have multiple "nameserver" lines.

Keyword: domain
Value: The local domain name to be used by default. If the server is bigboy.my-web-site.org, then the entry would just be my-web-site.org

Keyword: search
Value: If you refer to another server just by its name without the domain added on, DNS on your client will append the server name to each domain in this list and do a DNS lookup on each to get the remote server's IP address. This is a handy time-saving feature to have so that you can refer to servers in the same domain by only their servername without having to specify the domain. The domains in this list must be separated by spaces.

Take a look at a sample configuration in which the client server's main domain is my-site.com, but it also is a member of domains my-site.net and my-site.org, which should be searched for shorthand references to other servers. Two name servers, 192.168.1.100 and 192.168.1.102, provide DNS name resolution:

search my-site.com my-site.net my-site.org
nameserver 192.168.1.100
nameserver 192.168.1.102

The first domain listed after the search directive must be the home domain of your network, in this case my-site.com. Placing a domain and search entry in the /etc/resolv.conf is redundant, therefore.
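The search-list behaviour described in Table 18.1 and the one-address-per-nameserver rule are easy to get wrong by hand, so here is a small parser and resolver-order simulator. This is an added example, not code from the Linux Home Networking chapter; the resolv.conf text is constructed to match the sample above, and the expansion order follows the glibc convention (a name with at least one dot is tried as-is first, otherwise the search domains are appended first).

```python
import ipaddress

# Constructed /etc/resolv.conf content mirroring the chapter's sample (home domain
# my-site.com, two extra search domains, two name servers). Not read from disk.
SAMPLE_RESOLV_CONF = """\
search my-site.com my-site.net my-site.org
nameserver 192.168.1.100
nameserver 192.168.1.102
"""


def parse_resolv_conf(text):
    """Parse resolv.conf text into {'nameservers': [...], 'search': [...], 'domain': str|None}."""
    conf = {"nameservers": [], "search": [], "domain": None}
    for raw in text.splitlines():
        # '#' and ';' both start comments
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        keyword, *values = line.split()
        keyword = keyword.lower()
        if keyword == "nameserver":
            # One address per line, as the chapter says; extra tokens would be
            # silently dropped by the resolver, so treat them as a config error.
            if len(values) != 1:
                raise ValueError(f"nameserver takes exactly one address: {raw.strip()!r}")
            conf["nameservers"].append(str(ipaddress.ip_address(values[0])))
        elif keyword == "search":
            conf["search"] = values            # space separated; last search line wins
        elif keyword == "domain":
            conf["domain"] = values[0] if values else None
        # other keywords (options, sortlist) are not needed for this example
    return conf


def search_list(conf):
    """Effective search list: the search keyword if present, otherwise the domain
    keyword (which the chapter notes is redundant once search is given)."""
    if conf["search"]:
        return list(conf["search"])
    return [conf["domain"]] if conf["domain"] else []


def candidate_names(conf, name, ndots=1):
    """Names the stub resolver tries, in order, for a hostname typed by a user.
    A trailing dot means fully qualified: no search expansion at all."""
    if name.endswith("."):
        return [name.rstrip(".")]
    expanded = [f"{name}.{domain}" for domain in search_list(conf)]
    if name.count(".") >= ndots:
        return [name] + expanded            # dotted names: absolute first
    return expanded + [name]                # bare names: search domains first
```

Running candidate_names(conf, "bigboy") on the sample shows why the home domain must come first in the search line: it is the first name the resolver tries.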


Important File Locations

The locations of the BIND configuration files vary by Linux distribution, as you will soon see.

RedHat / Fedora

RedHat / Fedora BIND normally runs as the named process owned by the unprivileged named user.

Sometimes BIND is also installed using Linux's chroot feature to not only run named as user named, but also to limit the files named can see. When installed, named is fooled into thinking that the directory /var/named/chroot is actually the root or / directory. Therefore, named files normally found in the /etc directory are found in the /var/named/chroot/etc directory instead, and those you'd expect to find in /var/named are actually located in /var/named/chroot/var/named.

The advantage of the chroot feature is that if a hacker enters your system via a BIND exploit, the hacker's access to the rest of your system is isolated to the files under the chroot directory and nothing else. This type of security is also known as a chroot jail.

You can determine whether you have the chroot add-on RPM by using this command, which returns the name of the RPM.

[root@bigboy tmp]# rpm -q bind-chroot
bind-chroot-9.2.3-13
[root@bigboy tmp]#

There can be confusion with the locations: Regular BIND installs its files in the normal locations, and the chroot BIND add-on RPM installs its own versions in their chroot locations. Unfortunately, the chroot versions of some of the files are empty. Before starting Fedora BIND, copy the configuration files to their chroot locations:

[root@bigboy tmp]# cp -f /etc/named.conf /var/named/chroot/etc/
[root@bigboy tmp]# cp -f /etc/rndc.* /var/named/chroot/etc/

Before you go to the next step of configuring a regular name server, it is important to understand exactly where the files are located. Table 18.2 provides a map.

Table 18.2 Differences In Fedora And Redhat DNS File Locations

File: named.conf
Purpose: Tells the names of the zone files to be used for each of your website domains.
BIND chroot location: /var/named/chroot/etc
Regular BIND location: /etc

File: rndc.key, rndc.conf
Purpose: Files used in named authentication
BIND chroot location: /var/named/chroot/etc
Regular BIND location: /etc

File: zone files
Purpose: Links all the IP addresses in your domain to their corresponding server
BIND chroot location: /var/named/chroot/var/named
Regular BIND location: /var/named

Note: Fedora Core installs BIND chroot by default. RedHat 9 and earlier don't.

Debian / Ubuntu

With Debian / Ubuntu, all the configuration files, the primary named.conf file and all the DNS zone files reside in the /etc/bind directory.

Unlike in Redhat / Fedora, references to other files within these configuration files should include the full path. The named daemon won't automatically assume they are located in the /etc/bind directory.

Configuring Your Nameserver

For the purposes of this tutorial, assume your ISP assigned you the subnet 97.158.253.24 with a subnet mask of 255.255.255.248 (/29).

Configuring resolv.conf

You'll have to make your DNS server refer to itself for all DNS queries by configuring the /etc/resolv.conf file to reference localhost only.

nameserver 127.0.0.1


Creating a named.conf Base Configuration

The /etc/named.conf file contains the main DNS configuration and tells BIND where to find the configuration, or zone files for each domain you own. This file usually has two zone areas:

Forward zone file definitions list files to map domains to IP addresses.

Reverse zone file definitions list files to map IP addresses to domains.

Some versions of BIND will come with a /etc/named.conf file configured to work as a caching nameserver which can be converted to an authoritative nameserver by adding the correct references to your zone files. Please proceed to the next section if this is the case with your version of BIND.

In other cases the named.conf configuration file may be hard to find. Some versions of Linux install BIND as a default caching nameserver using a file named /etc/named.caching-nameserver.conf for its configuration. In such cases BIND becomes an authoritative nameserver when a correctly configured /etc/named.conf file is created.

Fortunately BIND comes with samples of all the primary files you need. Table 18.3 explains their names and purpose in more detail.

Table 18.3 The Primary BIND Configuration Files

File: /etc/named.conf
Description: The main configuration file that lists the location of all your domain's zone files

File: /etc/named.rfc1912.zones
Description: Base configuration file for a caching name server.

File: /var/named/named.ca
Description: A list of the 13 root authoritative DNS servers.

The first task is to make sure your DNS server will listen for requests on all the required network interfaces. The options section of named.conf may be configured to listen exclusively on its internal hidden localhost interface with an IP address of 127.0.0.1, as we see in this example.

# File: /etc/named.conf

options {
    listen-on port 53 { 127.0.0.1; };
};

If other devices are going to rely on your server for queries, then you'll need to either change this or add a selected number of IP addresses on your server. In this example, we allow queries on any interface.

listen-on port 53 { any; };

In this example, we allow queries on localhost and address 192.168.1.100.

listen-on port 53 { 127.0.0.1; 192.168.1.100; };

Note: Always make sure localhost, 127.0.0.1, is included.

Though it is not required, it is a good practice to configure your DNS server's named.conf file to support BIND views. This will be discussed next.

Configuring BIND Views in named.conf

Our sample scenario assumes that DNS queries will be coming from the Internet and that the zone files will return information related to the external 97.158.253.26 address of the Web server. What do the PCs on your home network need to see? They need to see DNS references to the real IP address of the Web server, 192.168.1.100, because NAT won't work properly if a PC on your home network attempts to connect to the external 97.158.253.26 NAT IP address of your Web server.

Don't worry. BIND figures this out using its views feature which allows you to use predefined zone files for queries from certain subnets. This means it's possible to use one set of zone files for queries from the Internet and another set for queries from your home network. Here's a summary of how it's done:

1. If your DNS server is also acting as a caching DNS server, then you'll also need a view for localhost to use. We'll use a view called localhost_resolver for this.

2. Place your zone statements in the /etc/named.conf file in one of two other view sections. The first section is called internal and lists the zone files to be used by your internal network. The second view called external lists the zone files to be used for Internet users.

For example, you could have a reference to a zone file called my-site.zone for lookups related to the 97.158.253.X network which Internet users would see. This /etc/named.conf entry would be inserted in the external section. You could also have a file called my-site-home.zone for lookups by home users on the 192.168.1.0 network. This entry would be inserted in the internal section. Creating the my-site-home.zone file is fairly easy: Copy it from the my-site.zone file and replace all references to 97.158.253.X with references to 192.168.1.X.

3. You must also tell the DNS server which addresses you feel are internal and external. To do this, you must first define the internal and external networks with access control lists (ACLs) and then refer to these lists within their respective view section with the match-clients statement. Some built-in ACLs can save you time:


localhost: Refers to the DNS server itself

localnets: Refers to all the networks to which the DNS server is directly connected

any: which is self explanatory.

Let's examine BIND views more carefully using a number of sample configuration snippets from the /etc/named.conf file I use for my home network. All the statements below were inserted after the options and controls sections in the file. I have selected generic names internal, for views given to trusted hosts (home, non-internet or corporate users), and external for the views given to Internet clients, but they can be named whatever you wish.
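Because a query is answered by the first view whose match-clients list matches, the order of the ACLs and views decides which zone file a client sees. The following simulator of that selection is an added example, not code from the chapter or from BIND itself: the interface addresses, the user-defined trusted ACL and the three-view order are assumptions built from the tutorial's scenario, and the '!' negation and nested-ACL handling is a simplified model of BIND's address match lists.

```python
import ipaddress

# Constructed stand-ins for the acl and view statements in the chapter's named.conf.
# Interface addresses follow the tutorial: loopback, the 192.168.1.0/24 home LAN and
# the ISP-assigned 97.158.253.24/29 block; "localnets" is derived from them.
SERVER_INTERFACES = ["127.0.0.1/8", "192.168.1.100/24", "97.158.253.26/29"]

ACLS = {
    # the three built-in ACLs the chapter lists
    "localhost": ["127.0.0.0/8", "::1/128"],
    "localnets": [str(ipaddress.ip_interface(i).network) for i in SERVER_INTERFACES],
    "any": ["0.0.0.0/0", "::/0"],
    # a user-defined acl for the trusted home network (assumed name)
    "trusted": ["192.168.1.0/24"],
}

# Views in the order they appear in named.conf. The first view whose match-clients
# list matches answers the query, so "external" with "any" must come last.
VIEWS = [
    ("localhost_resolver", ["localhost"]),
    ("internal", ["trusted"]),
    ("external", ["any"]),
]


def match_list(entries, client, acls=ACLS):
    """Evaluate a BIND-style address match list: the first element that matches
    decides, and a leading '!' turns that match into a denial. Elements are ACL
    names (expanded recursively) or IP prefixes. Simplified model of BIND."""
    for entry in entries:
        negate = entry.startswith("!")
        element = entry.lstrip("!").strip()
        if element in acls:
            hit = match_list(acls[element], client, acls)
        else:
            net = ipaddress.ip_network(element, strict=False)
            hit = net.version == client.version and client in net
        if hit:
            return not negate
    return False                      # no match: access denied


def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Name of the view that would answer a query from client_ip, or None when no
    view matches (BIND would refuse the query)."""
    client = ipaddress.ip_address(client_ip)
    for name, match_clients in views:
        if match_list(match_clients, client, acls):
            return name
    return None


def listen_on_includes_localhost(listen_on, acls=ACLS):
    """Check the chapter's rule that the listen-on list must always include 127.0.0.1."""
    return match_list(listen_on, ipaddress.ip_address("127.0.0.1"), acls)
```

Swapping the external and internal entries in VIEWS makes every home PC land in the external view, which is exactly the NAT problem the section describes.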

First let's talk about how we should refer to the zone files in each view.

Forward Zone File References in named.conf

Let’s describe how we point to forward zone files in a typical named.conf file.

In this example the zone file is named my-site.zone, and, although not explicitly stated, the file my-site.zone should be located in the default directory of /var/named/chroot/var/named in a chroot configuration or in /var/named in a regular one. With Debian / Ubuntu, references to the full file path will have to be used. Use the code:

zone "my-web-site.org" {
    type master;
    notify no;
    allow-query { any; };
    file "my-site.zone";
};

In addition, you can insert more entries in the named.conf file to reference other Web domains you host. Here is an example for another-site.com using a zone file named another-site.zone.

zone "another-site.com" {
    type master;
    notify no;
    allow-query { any; };
    file "another-site.zone";
};

Note: The allow-query directive defines the networks that are allowed to query your DNS server for information on any zone. For example, to limit queries to only your 192.168.1.0 network, you could modify the directive to:

allow-query { 192.168.1.0/24; };

Reverse Zone File References in named.conf

Here’s how to format entries that refer to zone files used for reverse lookups for your IP addresses.

In most cases, your ISP handles the reverse zone entries for your public IP addresses, but you will have to create reverse zone entries for your SOHO/home environment using the 192.168.1.0/24 address space. This isn't important for the Windows clients on your network, but some Linux applications require valid forward and reverse entries to operate correctly.

The forward domain lookup process for mysite.com scans the FQDN from right to left to get increasingly more specific information about the authoritative servers to use. Reverse lookups operate similarly by scanning an IP address from left to right to get increasingly specific information about an address.

The similarity in both methods is that increasingly specific information is sought, but the noticeable difference is that for forward lookups the scan is from right to left, and for reverse lookups the scan is from left to right. This difference can be seen in the formatting of the zone statement for a reverse zone in the /etc/named.conf file, where the main in-addr.arpa domain, to which all IP addresses belong, is followed by the first 3 octets of the IP address in reverse order. This order is important to remember or else the configuration will fail. This reverse zone definition for named.conf uses a reverse zone file named 192-168-1.zone for the 192.168.1.0/24 network.

zone "1.168.192.in-addr.arpa" {
        type master;
        notify no;
        allow-query { any; };
        file "192-168-1.zone";
};
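The right-to-left versus left-to-right point above is easy to get wrong by hand, so here is a small added example (mine, not from the Quick HOWTO or from BIND) that derives the in-addr.arpa zone name for a network, the owner label of a host's PTR record, and the list of names each kind of lookup walks through. It uses only the Python standard library; the function names and the rendered zone statement are my own, and the statement uses straight quotes because BIND does not parse the curly ones.

```python
from __future__ import annotations

import ipaddress


def forward_walk(fqdn: str) -> list[str]:
    """Names a forward lookup descends through, most general first: the FQDN is read right to left."""
    labels = fqdn.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def reverse_walk(address: str) -> list[str]:
    """Names a reverse lookup descends through: the address is read left to right under in-addr.arpa."""
    octets = str(ipaddress.ip_address(address)).split(".")
    return ["in-addr.arpa."] + [".".join(reversed(octets[:i])) + ".in-addr.arpa." for i in range(1, 5)]


def reverse_zone_for(network: str) -> str:
    """in-addr.arpa zone name for a /8, /16 or /24 network: the covered octets, reversed."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only IPv4 prefixes on an octet boundary (/8, /16, /24) map to one in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(address: str, network: str) -> str:
    """Owner name of the address's PTR record, relative to the zone origin (the leftover octets, reversed)."""
    net = ipaddress.ip_network(network, strict=True)
    ip = ipaddress.ip_address(address)
    if ip not in net:
        raise ValueError(f"{address} is not inside {network}")
    rest = str(ip).split(".")[net.prefixlen // 8 :]
    return ".".join(reversed(rest))


def reverse_zone_statement(network: str, zone_file: str, allow_query: str = "any") -> str:
    """named.conf stanza for the reverse zone; allow_query defaults to 'any' as in the text,
    pass e.g. '192.168.1.0/24' to restrict who may query it."""
    return (
        f'zone "{reverse_zone_for(network)}" {{\n'
        f"        type master;\n"
        f"        notify no;\n"
        f"        allow-query {{ {allow_query}; }};\n"
        f'        file "{zone_file}";\n'
        f"}};\n"
    )


if __name__ == "__main__":
    print(forward_walk("www.my-site.com"))
    print(reverse_walk("192.168.1.100"))
    print(reverse_zone_statement("192.168.1.0/24", "192-168-1.zone", "192.168.1.0/24"))
```

For a /16 the PTR owner has two labels (`ptr_owner("192.168.1.100", "192.168.0.0/16")` gives `100.1`), which is the same reversal rule applied to whatever the zone origin does not already cover.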

Your patience will soon be rewarded. It's time to talk about the views! Let's go!

The Caching Nameserver localhost_resolver View

The localhost_resolver view is used for your caching DNS server configuration and should look like this:

view "localhost_resolver" {
/* This view sets up named to be a localhost resolver
 * ( caching only nameserver ). If all you want is a
 * caching-only nameserver, then you need only define this view:
 */
        match-clients           { localhost; };
        match-destinations      { localhost; };

        // As your caching name server clients will be using this server
        // for DNS lookups to get to sites all over the Web you'll need to
        // turn on recursion
        recursion yes;

        // All views used by caching nameserver clients must
        // contain the root hints zone. Recursive lookups to DNS domains
        // you don't own (non-authoritative) starts here.
        zone "." IN {
                type hint;
                file "named.ca";
        };

        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
         * ONLY be served to localhost clients:
         */
        include "/etc/named.rfc1912.zones";

        /*
         * Include zonefiles for internal zones
         */
        include "/var/named/zones/internal/internal_zones.conf";
};

There are some quick facts you should be aware of with your caching name server configuration:

1. If you want your server to be only a caching DNS server, then delete all other views in named.conf and restart the named daemon.

[root@bigboy tmp]# systemctl restart named.service

2. Make all the other machines on your network point to the caching DNS server as their primary DNS server.

3. Remember that all DNS queries done on your DNS server appear to come from localhost. If your server is also an authoritative server for your domain, you will have to include a reference to your domain's zone files in this section for the server's own DNS lookups to work. If not, queries from clients defined by the internal and external ACLs will work correctly, but queries for the domain from the server itself will fail. In this example we have included a reference to the internal_zones.conf zone file which we'll visit again soon. This line can be deleted if your server isn't an authoritative server for your domain.

Note: If you have a localhost only view like this, make sure you don't reference localhost in any of your other views, as one view will take precedence over the other for queries from your server. This could lead to unpredictable results.

The Internal View

In this example I included an ACL for network 192.168.17.0/24 called safe-subnet to help clarify the use of ACLs in more complex environments. Once the ACL was defined, I then inserted a reference to the safe-subnet in the match-clients statement in the internal view. Therefore the local network (192.168.1.0/24), the other trusted network (192.168.17.0), and localhost get DNS data from the zone files in the internal view.

// ACL statement
acl "safe-subnet" { 192.168.17.0/24; };

view "internal" {
        // What the home network will see
        match-clients           { localnets; localhost; safe-subnet; };
        match-destinations      { localnets; localhost; safe-subnet; };

        // As your caching name server clients will be using this server
        // for DNS lookups to get to sites all over the Web you'll need to
        // turn on recursion
        recursion yes;

        // All views used by caching nameserver clients must
        // contain the root hints zone. Recursive lookups to DNS domains
        // you don't own (non-authoritative) starts here.
        zone "." IN {
                type hint;
                file "named.ca";
        };

        // These are your "authoritative" internal zones, and would probably
        // also be included in the "localhost_resolver" view above:

        /*
         * Include zonefiles for internal zones
         */
        include "/var/named/zones/internal/internal_zones.conf";
};

The question you may have on your mind is, "Where are the zone file definitions?". Don't worry, there is an include statement that refers to a file named internal_zones.conf that contains them all, as we see here:

// File internal_zones.conf

zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "/var/named/zones/internal/192.168.1.zone";
        allow-update { none; };
};

zone "my-web-site.org" IN {
        type master;
        file "/var/named/zones/internal/my-web-site.org.zone";
        allow-update { none; };
};

I'll discuss how to handle queries from clients outside your trusted networks in the next section, where an external view can be used.


The External View

You can also set up an external view that will be used for DNS queries from clients outside your network, such as the Internet. In this case external queries get results from zone files in the /var/named/zones/external directory.

view "external" {
        // What the Internet will see
        /* This view will contain zones you want to serve only to "external"
         * clients that have addresses that are not on your directly attached
         * LAN interface subnets:
         */
        match-clients           { any; };
        match-destinations      { any; };

        // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers
        recursion no;

        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:

        zone "253.158.97.in-addr.arpa" IN {
                type master;
                file "/var/named/zones/external/97.158.253.zone";
                allow-update { none; };
        };

        zone "my-web-site.org" IN {
                type master;
                file "/var/named/zones/external/my-web-site.org.zone";
                allow-update { none; };
        };
};

Notice that the reverse zone file gives results for public Internet addresses, and of course, the forward zone file should only provide responses with Internet accessible addresses.

Note: In the external view, you may be tempted to use an exclamation mark (!) to eliminate networks used in the internal view, like this. Be careful: it is best to use "any;" for your external view, as the exclamation mark (!) is not honored with some versions of BIND in views named "external".

; !!! CAUTION !!!
match-clients           { !localnets; !localhost; !safe-subnet; };
match-destinations      { !localnets; !localhost; !safe-subnet; };

The views listed here are purely to illustrate their use. The sample home network we have been using doesn't need to have the ACL statement at all, as the built-in ACLs localnets and localhost are sufficient. The sample network won't need the safe-subnet section in the match-clients line either, as there is only one subnet in the configuration.

Views are also not just for NAT. If you run an Internet data center, you can set up your DNS server to act as a caching server to servers on all the Internet networks you own and no one else, and then provide authoritative responses to your customers' domains to everyone. Views can be very useful.
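The three views above only do what you expect if the match-clients lists are evaluated the way BIND evaluates them: views are tried in file order and the first whose match-clients accepts the client wins, and within a list the first matching element decides, with a "!" element rejecting. The following is an added example of mine (not code from the Quick HOWTO or from BIND) that models just those rules for the built-in ACLs localhost, localnets and any, named ACLs and CIDR prefixes, and then answers the two questions a defender cares about: which view does a given client land in, and does an arbitrary Internet client get recursion (the open-resolver condition the external view's "recursion no" is there to prevent). SERVER_ADDRESSES and LOCALNETS are constructed stand-ins for what BIND derives from the host's interfaces.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for what BIND derives from the host itself: its own
# addresses (the built-in "localhost" ACL) and its interface subnets ("localnets").
SERVER_ADDRESSES = {"127.0.0.1", "192.168.1.100"}
LOCALNETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]


@dataclass
class View:
    name: str
    match_clients: list[str]  # elements of the view's match-clients list, in order
    recursion: bool


def _as_ip(ip):
    return ipaddress.ip_address(ip) if isinstance(ip, str) else ip


def _match_element(elem: str, ip, acls: dict[str, list[str]]) -> bool | None:
    """One address-match-list element: True = positive match, False = negated match, None = no match."""
    negated = elem.startswith("!")
    name = elem.lstrip("!")
    if name == "any":
        hit = True
    elif name == "none":
        hit = False
    elif name == "localhost":
        hit = str(ip) in SERVER_ADDRESSES
    elif name == "localnets":
        hit = any(ip in net for net in LOCALNETS)
    elif name in acls:                       # a named acl "..." { ... }; statement
        hit = match_list(acls[name], ip, acls) is True
    else:                                    # a literal address or CIDR prefix
        hit = ip in ipaddress.ip_network(name, strict=False)
    return None if not hit else not negated


def match_list(elements: list[str], ip, acls) -> bool | None:
    """BIND semantics: the first element that matches decides; if nothing matches, the list
    does not match at all (so a list made only of "!" elements matches nobody)."""
    ip = _as_ip(ip)
    for elem in elements:
        verdict = _match_element(elem, ip, acls)
        if verdict is not None:
            return verdict
    return None


def select_view(views: list[View], client: str, acls) -> View | None:
    """Views are tried in the order they appear in named.conf; the first positive match wins."""
    ip = _as_ip(client)
    for view in views:
        if match_list(view.match_clients, ip, acls) is True:
            return view
    return None


def is_open_resolver(views: list[View], acls) -> bool:
    """True when an arbitrary Internet client lands in a view that recurses for it."""
    view = select_view(views, "203.0.113.7", acls)  # documentation range, stands in for "the Internet"
    return view is not None and view.recursion


# The configuration from the text, reduced to the parts that matter for matching.
ACLS = {"safe-subnet": ["192.168.17.0/24"]}
VIEWS = [
    View("localhost_resolver", ["localhost"], recursion=True),
    View("internal", ["localnets", "localhost", "safe-subnet"], recursion=True),
    View("external", ["any"], recursion=False),
]
# The weak variant: recursion left switched on in the catch-all view.
OPEN_VIEWS = VIEWS[:2] + [View("external", ["any"], recursion=True)]
# The CAUTION form from the text: negations only, with no positive element after them.
NEGATED_ONLY = ["!localnets", "!localhost", "!safe-subnet"]

if __name__ == "__main__":
    for client in ("192.168.1.100", "192.168.1.55", "192.168.17.9", "203.0.113.7"):
        view = select_view(VIEWS, client, ACLS)
        print(client, "->", view.name if view else "no view (REFUSED)")
    print("open resolver:", is_open_resolver(VIEWS, ACLS), is_open_resolver(OPEN_VIEWS, ACLS))
```

Two things the model makes visible. The server's own address 192.168.1.100 selects localhost_resolver before it ever reaches the internal view, which is why point 3 above says the server's own lookups need the domain's zones in that view. And the NEGATED_ONLY list never matches anyone, because an address-match list that reaches its end without a match is simply a non-match; that is BIND's documented behaviour rather than something the text states, and it is the safer reason to follow the text's advice and give the external view a plain "any;".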

Configuring The Zone Files

You need to keep a number of things in mind when configuring DNS zone files:

In all zone files, you can place a comment at the end of any line by inserting a semi-colon character then typing in the text of your comment.

By default, your zone files are located in the /var/named or /var/named/chroot/var/named or /etc/bind directories depending on your Linux distribution.

Each zone file contains a variety of records (SOA, NS, MX, A, and CNAME) that govern different areas of BIND.

Take a closer look at these entries in the zone file.

Time to Live Value

The very first entry in the zone file is usually the zone's time to live (TTL) value. Caching DNS servers cache the responses to their queries from authoritative DNS servers. The authoritative servers not only provide the DNS answer but also provide the information's time to live, which is the period for which it's valid.

The purpose of a TTL is to reduce the number of DNS queries the authoritative DNS server has to answer. If the TTL is set to three days, then caching servers use the original stored response for three days before making the query again.

$TTL 3D

BIND recognizes several suffixes for time-related values. A D signifies days, a W signifies weeks, and an H signifies hours. In the absence of a suffix, BIND assumes the value is in seconds.

DNS Resource Records

The rest of the records in a zone file are usually BIND resource records. They define the nature of the DNS information in your zone files that's presented to querying DNS clients. They all have the general format:

Name Class Type Data


There are different types of records for mail (MX), forward lookups (A), reverse lookups (PTR), aliases (CNAME) and overall zone definitions, Start of Authority (SOA). The data portion is formatted according to the record type and may consist of several values separated by spaces. Similarly, the name is also subject to interpretation based on this factor.

The SOA Record

The first resource record is the Start of Authority (SOA) record, which contains general administrative and control information about the domain. It has the format:

Name Class Type Name-Server Email-Address Serial-No Refresh Retry Expiry Minimum-TTL

The record can be long, and will sometimes wrap around on your screen. For the sake of formatting, you can insert new line characters between the fields as long as you insert parentheses at the beginning and end of the insertion to alert BIND that part of the record will straddle multiple lines. You can also add comments to the end of each new line separated by a semicolon when you do this. Here is an example:

@       IN      SOA     ns1.my-site.com. hostmaster.my-site.com. (
                        2004100801      ; serial #
                        4H              ; refresh
                        1H              ; retry
                        1W              ; expiry
                        1D )            ; minimum

Table 18.4 explains what each field in the record means.

Table 18.4 The SOA Record Format

Field           Description

Name            The root name of the zone. The "@" sign is a shorthand reference to the current origin (zone) in the /etc/named.conf file for that particular database file.

Class           There are a number of different DNS classes. Home/SOHO will be limited to the IN or Internet class used when defining IP address mapping information for BIND. Other classes exist for non Internet protocols and functions but are very rarely used.

Type            The type of DNS resource record. In the example, this is an SOA resource record. Other types of records exist, which I'll cover later.

Name-server     Fully qualified name of your primary name server. Must be followed by a period.

Email-address   The e-mail address of the name server administrator. The regular @ in the e-mail address must be replaced with a period instead. The e-mail address must also be followed by a period.

Serial-no       A serial number for the current configuration. You can use the date format YYYYMMDD with an incremented single digit number tagged to the end. This will allow you to do multiple edits each day with a serial number that both increments and reflects the date on which the change was made.

Refresh         Tells the slave DNS server how often it should check the master DNS server. Slaves aren't usually used in home / SOHO environments.

Retry           The slave's retry interval to connect the master in the event of a connection failure. Slaves aren't usually used in home / SOHO environments.

Expiry          Total amount of time a slave should retry to contact the master before expiring the data it contains. Future references will be directed towards the root servers. Slaves aren't usually used in home/SOHO environments.

Minimum-TTL     There are times when remote clients will make queries for subdomains that don't exist. Your DNS server will respond with a no domain or NXDOMAIN response that the remote client caches. This value defines the caching duration your DNS includes in this response.

So in the example, the primary name server is defined as ns1.my-site.com with a contact e-mail address of hostmaster@my-site.com. The serial number is 2004100801 with refresh, retry, expiry, and minimum values of 4 hours, 1 hour, 1 week, and 1 day, respectively.
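To make the SOA layout, the dotted e-mail convention and the time suffixes concrete, here is an added example of mine (not from the Quick HOWTO or from BIND) that parses the multi-line SOA record shown above, folds the parenthesised continuation lines, converts each timer to seconds and checks whether the serial follows the YYYYMMDDnn date scheme from Table 18.4. SOA_TEXT is the book's record typed out; the function names are my own, and ttl_seconds handles a single unit suffix only (BIND also accepts compound forms such as 1w2d, which this helper does not).

```python
import datetime
import re

# The SOA record from the text, typed out with its layout restored.
SOA_TEXT = """\
@       IN      SOA     ns1.my-site.com. hostmaster.my-site.com. (
                        2004100801      ; serial #
                        4H              ; refresh
                        1H              ; retry
                        1W              ; expiry
                        1D )            ; minimum
"""

_UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}


def ttl_seconds(value: str) -> int:
    """A BIND time value: bare seconds, or a number with a W/D/H/M/S suffix (case-insensitive).
    Assumption: one unit per value; compound forms like 1w2d are not handled here."""
    m = re.fullmatch(r"(\d+)([WDHMSwdhms]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _UNITS[(m.group(2) or "S").upper()]


def _fold(text: str) -> list:
    """Strip ';' comments and join the parenthesised part into one token list."""
    body = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    if body.count("(") != body.count(")"):
        raise ValueError("unbalanced parentheses in SOA record")
    return body.replace("(", " ").replace(")", " ").split()


def parse_soa(text: str) -> dict:
    """Return the SOA fields with times in seconds and the rname turned back into an e-mail address."""
    tokens = _fold(text)
    if "SOA" not in tokens:
        raise ValueError("not an SOA record")
    i = tokens.index("SOA")
    try:
        mname, rname, serial, refresh, retry, expire, minimum = tokens[i + 1 : i + 8]
    except ValueError:
        raise ValueError("SOA record needs mname, rname and five numeric fields") from None
    for name in (mname, rname):
        if not name.endswith("."):
            raise ValueError(f"{name} must end with a period, or BIND appends the origin to it")
    local, _, domain = rname.rstrip(".").partition(".")  # the first dot stands for the @
    return {"owner": tokens[0], "mname": mname, "rname": rname, "email": f"{local}@{domain}",
            "serial": int(serial), "refresh": ttl_seconds(refresh), "retry": ttl_seconds(retry),
            "expire": ttl_seconds(expire), "minimum": ttl_seconds(minimum)}


def serial_follows_date_scheme(serial: int) -> bool:
    """True when the serial is YYYYMMDDnn with a real calendar date, the convention in Table 18.4."""
    s = str(serial)
    if len(s) != 10:
        return False
    try:
        datetime.date(int(s[:4]), int(s[4:6]), int(s[6:8]))
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    soa = parse_soa(SOA_TEXT)
    for key, value in soa.items():
        print(f"{key:8} {value}")
    print("date-scheme serial:", serial_follows_date_scheme(soa["serial"]))
```

Run against the record above it reports refresh 14400, retry 3600, expire 604800 and minimum 86400 seconds, which are the 4 hours, 1 hour, 1 week and 1 day the text describes, and the missing-period check fails fast on the mistake Table 18.4 warns about for the Name-server and Email-address fields.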

NS, MX, A And CNAME Records

Like the SOA record, the NS, MX, A, PTR and CNAME records each occupy a single line with a very similar general format. Table 18.5 outlines the way they are laid out.

Table 18.5 NS, MX, A, PTR and CNAME Record Formats

Record Type     Name Field                                            Class Field (2)   Type Field   Data Field

NS              Usually blank (1)                                     IN                NS           IP address or CNAME of the name server
MX              Domain to be used for mail. Usually the same as the   IN                MX           Mail server DNS name
                domain of the zone file itself.
A               Name of a server in the domain                        IN                A            IP address of server
CNAME           Server name alias                                     IN                CNAME        "A" record name for the server
PTR             Last octet of server's IP address                     IN                PTR          Fully qualified server name

1. If the search key to a DNS resource record is blank it reuses the search key from the previous record, which in this case is the SOA @ sign.

2. For most home / SOHO scenarios, the Class field will always be IN or Internet. You should also be aware that IN is the default Class, and BIND will assume a record is of this type unless otherwise stated.

If you don't put a period at the end of a host name in a SOA, NS, A, or CNAME record, BIND will automatically tack on the zone file's domain name to the name of the host. So, BIND assumes an A record with www refers to www.my-site.com. This may be acceptable in most cases, but if you forget to put the period after the domain in the MX record for my-site.com, BIND attaches the my-site.com at the end, and you will find your mail server accepting mail only for the domain my-site.com.my-site.com.

TXT Records

There is also a less frequently used DNS TXT record that can be configured to contain additional generic information. The data section of the record typically has the format "name=value", where "name" is the name to be given to the type of data, and "value" is the value assigned to the name, as seen in this example.

my-web-site.org. TXT "v=spf1 -all"

TXT records are increasingly being used to help fight SPAM using the Sender Policy Framework (SPF) method. SPF TXT records are used by systems receiving mail to interrogate the DNS of the domain which appears in the email (the sender) and determine if the originating IP address of the mail (the source) is authorized to send mail for the sender's domain.

Further description of the use of TXT records is beyond the scope of this book, but you should at least be aware that they can be up to 255 characters in length and that this feature is often exploited in distributed denial of service (DDoS) attacks. The section on "Simple DNS Security" explains how to configure your DNS server to not participate in such an event.

Sample Forward Zone File

Now that you know the key elements of a zone file, it's time to examine a working example for the domain my-site.com.

;
; Zone file for my-site.com
;
; The full zone file
;
$TTL 3D
@       IN      SOA     ns1.my-site.com. hostmaster.my-site.com. (
                        200211152       ; serial#
                        3600            ; refresh, seconds
                        3600            ; retry, seconds
                        3600            ; expire, seconds
                        3600 )          ; minimum, seconds

                NS      www             ; Inet Address of nameserver
my-site.com.    MX      10 mail         ; Primary Mail Exchanger

localhost       A       127.0.0.1
bigboy          A       97.158.253.26
mail            A       97.158.253.27
ns1             CNAME   bigboy
www             CNAME   bigboy

Notice that in this example:

Server ns1.my-site.com is the name server for my-site.com. In corporate environments there may be a separate name server for this purpose. Primary name servers are more commonly called ns1 and secondary name servers ns2.

The minimum TTL value ($TTL) is three days, therefore remote DNS caching servers will store learned DNS information from your zone for three days before flushing it out of their caches.

The MX record for my-site.com points to the server named mail.my-site.com and this server has the IP address 97.158.253.27.

ns1 is actually a CNAME or alias for the Web server www. So here you have an example of the name server, and Web server being the same machine. If they were all different machines, then you'd have an A record entry for each.

www     A       97.158.253.26
ns      A       97.158.253.125

It is a required practice to increment your serial number whenever you edit your zone file. When DNS is set up in a redundant configuration, the slave DNS servers periodically poll the master server for updated zone file information, and use the serial number to determine whether the data on the master has been updated. Failing to increment the serial number, even though the contents of the zone file have been modified, could cause your slaves to have outdated information.

Note: The DNS specification (RFC 2181) does not allow for an MX record to be a CNAME. It may work in most cases, but some mail servers may refuse to send to you because of this.
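The trailing-dot rule, the MX-must-not-be-a-CNAME note and the serial-number requirement are all things a small lint can catch before named ever loads the file, so here is an added example of mine (not code from the Quick HOWTO or from BIND) that parses the sample forward zone above, qualifies relative names with the origin exactly as BIND would, flags NS or MX records whose target is a CNAME (RFC 2181 section 10.3 states the rule for both record types, so the sample's "NS www" is reported alongside the MX case the note describes), flags targets that ended up as name.origin.origin because a trailing dot was forgotten, and computes the next YYYYMMDDnn serial. ZONE_TEXT is the book's zone typed out; the function names and the record-type set are my own, and $ORIGIN and per-record TTLs are deliberately out of scope.

```python
from __future__ import annotations

ORIGIN = "my-site.com."

# The sample forward zone from the text, with its layout restored.
ZONE_TEXT = """\
$TTL 3D
@               IN      SOA     ns1.my-site.com. hostmaster.my-site.com. (
                        200211152       ; serial#
                        3600            ; refresh, seconds
                        3600            ; retry, seconds
                        3600            ; expire, seconds
                        3600 )          ; minimum, seconds

                NS      www             ; Inet Address of nameserver
my-site.com.    MX      10 mail         ; Primary Mail Exchanger

localhost       A       127.0.0.1
bigboy          A       97.158.253.26
mail            A       97.158.253.27
ns1             CNAME   bigboy
www             CNAME   bigboy
"""

TYPES = {"SOA", "NS", "MX", "A", "AAAA", "CNAME", "PTR", "TXT"}


def qualify(name: str, origin: str) -> str:
    """BIND's rule: '@' is the origin, a trailing dot makes a name absolute, anything else
    gets the origin appended (so a forgotten dot turns my-site.com into my-site.com.my-site.com.)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _logical_lines(text: str):
    """Yield records with ';' comments removed and parenthesised continuation lines folded in."""
    pending, depth = None, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and pending is None:
            continue
        pending = line if pending is None else pending + " " + line.strip()
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield pending
            pending = None


def parse_zone(text: str, origin: str) -> list[dict]:
    records, owner = [], origin
    for line in _logical_lines(text):
        if line.startswith("$"):              # $TTL / $ORIGIN directives are not records
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not line[0].isspace():             # a name in column one; a blank column one reuses the last owner
            owner = qualify(tokens.pop(0), origin)
        while tokens and tokens[0] not in TYPES:
            tokens.pop(0)                     # optional class (IN) and per-record TTL precede the type
        if not tokens:
            raise ValueError(f"unrecognised record: {line!r}")
        rec = {"owner": owner, "type": tokens[0], "rdata": tokens[1:]}
        if rec["type"] in ("NS", "CNAME"):
            rec["target"] = qualify(tokens[1], origin)
        elif rec["type"] == "MX":             # rdata is "preference target"
            rec["target"] = qualify(tokens[2], origin)
        records.append(rec)
    return records


def alias_targets(records: list[dict]) -> list[str]:
    """NS or MX records pointing at a CNAME; RFC 2181 section 10.3 forbids this for both types."""
    aliases = {r["owner"] for r in records if r["type"] == "CNAME"}
    return [f'{r["owner"]} {r["type"]} -> {r["target"]}'
            for r in records if r["type"] in ("NS", "MX") and r["target"] in aliases]


def doubled_origin_targets(records: list[dict], origin: str) -> list[str]:
    """Targets that came out as name.origin.origin: the missing-trailing-dot mistake from the text."""
    return [r["target"] for r in records if r.get("target", "").endswith(origin + origin)]


def next_serial(current: int, today_yyyymmdd: str) -> int:
    """YYYYMMDDnn serial for an edit made today, always strictly greater than the current one.
    Pass datetime.date.today().strftime('%Y%m%d'); RFC 1982 wrap-around is not modelled."""
    return max(int(today_yyyymmdd) * 100, current + 1)


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT, ORIGIN)
    print("alias targets:", alias_targets(recs))
    print("doubled origin:", doubled_origin_targets(recs, ORIGIN))
    print("next serial:", next_serial(200211152, "20021115"))
```

On the sample zone the alias check reports `my-site.com. NS -> www.my-site.com.`, since www is a CNAME for bigboy; pointing the NS record at bigboy (or giving ns1 its own A record, as the text suggests for separate machines) clears it. A constructed line such as `@ IN MX 10 mail.my-site.com` shows the doubled-origin report in action.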

Sample Reverse Zone File

Now you need to make sure that you can do a host query on all your home network's PCs and get their correct IP addresses. This is very important if you are running a mail server on your network, because sendmail typically relays mail only from hosts whose IP addresses resolve correctly in DNS. NFS, which is used in network-based file access, also requires valid reverse lookup capabilities.

This is an example of a zone file for the 192.168.1.x network. All the entries in the first column refer to the last octet of the IP address for the network, so the IP address 192.168.1.100 points to the name bigboy.my-site.com.

Notice how the main difference between forward and reverse zone files is that the reverse zone file only has PTR and NS records. Also the PTR records cannot have CNAME aliases.

;
; Filename: 192-168-1.zone
;
; Zone file for 192.168.1.x
;
$TTL 3D
@       IN      SOA     www.my-site.com. hostmaster.my-site.com. (
                        200303301       ; serial number
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds

        NS      www.my-site.com.        ; Nameserver Address (fully qualified: a bare "www" would become www.1.168.192.in-addr.arpa)

100     PTR     bigboy.my-site.com.
103     PTR     smallfry.my-site.com.
102     PTR     ochorios.my-site.com.
105     PTR     reggae.my-site.com.

32      PTR     dhcp-192-168-1-32.my-site.com.
33      PTR     dhcp-192-168-1-33.my-site.com.
34      PTR     dhcp-192-168-1-34.my-site.com.
35      PTR     dhcp-192-168-1-35.my-site.com.
36      PTR     dhcp-192-168-1-36.my-site.com.

I included entries for addresses 192.168.1.32 to 192.168.1.36, which are the addresses the DHCP server issues. SMTP mail relay wouldn't work for PCs that get their IP addresses via DHCP if these lines weren't included.

You may also want to create a reverse zone file for the public NAT IP addresses for your home network. Unfortunately, ISPs won't usually delegate this ability for anyone with less than a Class C block of 256 IP addresses. Most home DSL sites wouldn't qualify.
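What sendmail and NFS are really checking is that the forward and reverse data agree: the PTR target must have an A record that points back to the same address. The following is an added example of mine (not from the Quick HOWTO or from BIND) that reads PTR lines in the format of the reverse zone above and checks them against a set of A records. The PTR lines are the book's, plus one constructed line for 192.168.1.33 that is missing its trailing dot; FORWARD is a constructed set of A records in which reggae deliberately disagrees with its PTR, so the report shows each kind of mismatch. Function names are my own.

```python
from __future__ import annotations

import ipaddress

NETWORK = ipaddress.ip_network("192.168.1.0/24")

# PTR lines from the reverse zone above, plus one constructed line (33) that lacks
# the trailing dot the text warns about.
REVERSE_ZONE = """\
100     PTR     bigboy.my-site.com.
103     PTR     smallfry.my-site.com.
102     PTR     ochorios.my-site.com.
105     PTR     reggae.my-site.com.
32      PTR     dhcp-192-168-1-32.my-site.com.
33      PTR     dhcp-192-168-1-33.my-site.com
"""

# Constructed A records for the same hosts; reggae deliberately disagrees with its PTR.
FORWARD = {
    "bigboy.my-site.com.": "192.168.1.100",
    "smallfry.my-site.com.": "192.168.1.103",
    "ochorios.my-site.com.": "192.168.1.102",
    "reggae.my-site.com.": "192.168.1.106",
    "dhcp-192-168-1-32.my-site.com.": "192.168.1.32",
}


def parse_ptr_records(zone_text: str, network: ipaddress.IPv4Network) -> list[tuple[str, str]]:
    """Turn 'label PTR target' lines into (address, target) pairs. The label is the part of the
    address the zone origin does not cover, written in reverse (just the last octet for a /24)."""
    base = str(network.network_address).split(".")[: network.prefixlen // 8]
    pairs = []
    for line in zone_text.splitlines():
        tokens = line.split(";", 1)[0].split()
        if len(tokens) < 3 or "PTR" not in tokens:
            continue                      # SOA/NS/$TTL lines are not PTR records
        label, target = tokens[0], tokens[-1]
        address = ".".join(base + list(reversed(label.split("."))))
        pairs.append((address, target))
    return pairs


def check_forward_confirmed(pairs: list[tuple[str, str]], forward: dict[str, str],
                            network: ipaddress.IPv4Network) -> list[str]:
    """Problems a picky service (sendmail, NFS) would trip over: relative PTR targets, PTR targets
    with no A record, A records pointing somewhere else, and hosts on the network with no PTR."""
    problems, covered = [], set()
    for address, target in pairs:
        covered.add(address)
        if not target.endswith("."):
            problems.append(f"{address}: PTR target {target} lacks a trailing dot, "
                            f"so BIND will append the reverse zone's origin to it")
        elif target not in forward:
            problems.append(f"{address}: no A record for {target}")
        elif forward[target] != address:
            problems.append(f"{address}: {target} resolves to {forward[target]}, not back to {address}")
    for name, address in forward.items():
        if ipaddress.ip_address(address) in network and address not in covered:
            problems.append(f"{address}: {name} has no PTR record")
    return problems


if __name__ == "__main__":
    for problem in check_forward_confirmed(parse_ptr_records(REVERSE_ZONE, NETWORK), FORWARD, NETWORK):
        print(problem)
```

In practice FORWARD would be filled from the forward zone file (or from host lookups against the running server) rather than typed in; the check itself is what a "forward-confirmed reverse DNS" test in a mail server does.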

Loading Your New Configuration Files

Make sure your configuration files are in the correct locations and the serial numbers of the zone files you may have modified have been updated. If all seems correct, restart the BIND named daemon for the configuration to become active.

[root@bigboy tmp]# systemctl restart named.service

Take a look at the end of your /var/log/messages file to make sure there are no errors.

Make Sure Your /etc/hosts File Is Correctly Updated

Chapter 3, "Linux Networking", explains how to correctly configure your /etc/hosts file. Some programs, such as sendmail, require a correctly configured /etc/hosts file even though DNS is correctly configured.

Configure Your Firewall

The sample network assumes that the BIND name server and Apache Web server software run on the same machine protected by a router/firewall. The actual IP address of the server is 192.168.1.100, which is a private IP address. You'll have to use NAT for Internet users to be able to gain access to the server via the chosen public IP address, namely 97.158.253.26. If your firewall is a Linux box, you may want to take a look at Chapter 14, "Linux Firewalls Using iptables", which describes how to do the network address translation and allow DNS traffic through to your name server.

Fix Your Domain RegistrationFix Your Domain RegistrationFix Your Domain RegistrationFix Your Domain Registration

Remember to edit your domain registration for my-site.com, or whatever it is, so that at least one of the name servers is your new name server (97.158.253.26 in this case). Domain registrars, such as VeriSign and RegisterFree, usually provide a Web interface to help you manage your domain.


Once you've logged in with the registrar's username and password, you'll have to take two steps:

1) Create a new name server record entry for the IP address 97.158.253.26 to map to ns.my-site.com or www.my-site.com or whatever your name server is called. (This screen prompts you for both the server's IP address and name.)

2) Assign ns.my-site.com to handle your domain. This screen will prompt you for the server name only.

Sometimes, the registrar requires at least two registered name servers per domain. If you only have one, then you could either create a second name server record entry with the same IP address, but different name, or you could give your Web server a second IP address using an IP alias, create a second NAT entry on your firewall and then create the second name server record entry with the new IP address, and different name.

It normally takes about three to four days for your updated DNS information to be propagated to all 13 of the world's root name servers. You'll therefore have to wait about this amount of time before starting to notice people hitting your new Web site.

You can use the chapter's troubleshooting section to test specific DNS servers for the information they have on your site. You'll most likely want to test your new DNS server, which should be up to date, plus a few well known ones, which should have delayed values.

Troubleshooting BIND

BIND troubleshooting is usually easy to do. The named daemon updates the /var/log/messages file with detailed status messages that are frequently easy to interpret when you suspect a configuration error. The usual troubleshooting steps for network problems are also applicable. Both methodologies will be covered next.

Configuration Troubleshooting Steps

Always check your /var/log/messages file and console output for errors. Here are a couple of examples you may come across:

The named daemon is started with an unedited version of the sample named.conf file which causes unusual errors on the screen. References to the nonexistent sample zone files create errors. References to both the named.rfc1912.zones and named.root files in the localhost_resolver section cause errors related to duplicate definitions.

[root@bigboy tmp]# systemctl restart named.service
Starting named:
Error in named configuration:
/etc/named.rfc1912.zones:10: zone '.': already exists
previous definition: /etc/named.root.hints:12
zone localdomain/IN: loaded serial 42
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
zone 255.in-addr.arpa/IN: loaded serial 42
zone 0.in-addr.arpa/IN: loaded serial 42
zone my.internal.zone/IN: loading master file my.internal.zone.db: file not found
internal/my.internal.zone/IN: file not found
zone my.ddns.internal.zone/IN: loading master file slaves/my.ddns.internal.zone.db: file not found
internal/my.ddns.internal.zone/IN: file not found
zone my.external.zone/IN: loading master file my.external.zone.db: file not found
external/my.external.zone/IN: file not found
[FAILED]
[root@bigboy tmp]#

The named.conf file refers to an undefined secret key in the ddns_key of named.conf. Use the dns-keygen or dnskeygen commands to create a correct entry.

Feb 25 20:38:49 bigboy named[4593]: /etc/named.conf:99: configuring key 'ddns_key': bad base64 encoding
Feb 25 20:38:49 bigboy named[4593]: loading configuration: bad base64 encoding

The named.root.hints file referred to in named.conf isn't present in the /etc or the chroot /etc directory.

[root@bigboy tmp]# systemctl start named.service
Starting named:
Error in named configuration:
/etc/named.conf:58: open: /etc/named.root.hints: file not found
[FAILED]
[root@bigboy tmp]#

The named.root file referred to in the named.root.hints file isn't present.

Feb 25 21:33:41 bigboy named[5007]: could not configure root hints from 'named.root': file not found
Feb 25 21:33:41 bigboy named[5007]: loading configuration: file not found
Feb 25 21:33:41 bigboy named[5007]: exiting (due to fatal error)

You are using a chroot version of BIND with a sample rndc.key file located in the /etc directory instead of the /var/named/chroot/etc/ directory. Copy the file to the correct location and restart named to fix the problem.


[root@bigboy tmp]# systemctl restart named.service
Stopping named: rndc: connect failed: connection refused
[ OK ]
Starting named:
[ OK ]
[root@bigboy tmp]#

In your named.conf file you refer to a zone file that doesn't exist. This example includes both errors to the console screen and errors in the /var/log/messages file.

[root@bigboy tmp]# systemctl start named.service
Starting named:
Error in named configuration:
zone localdomain/IN: loaded serial 42
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
zone 255.in-addr.arpa/IN: loaded serial 42
zone 0.in-addr.arpa/IN: loaded serial 42
zone 2.168.192.in-addr.arpa/IN: loaded serial 2006052301
zone my-web-site.org/IN: loaded serial 2006052302
zone my-web-site.com/IN: loading master file /var/named/zones/internal/my-web-site.com.zone: file not found
internal/my-web-site.com/IN: file not found
zone 1.168.192.in-addr.arpa/IN: loaded serial 2006052301
zone my-web-site.org/IN: loaded serial 2006052302
[FAILED]
[root@bigboy tmp]#

Feb 26 01:47:10 smallfry named: zone my-web-site.com/IN: loading master file /var/named/zones/internal/my-web-site.com.zone: file not found
Feb 26 01:47:10 smallfry named: internal/my-web-site.com/IN: file not found

This is a tricky one that would occur in some early versions of Fedora. BIND would appear to start correctly, but none of the zone files would be loaded. In this scenario you could be using a chroot version of BIND with a sample named.conf file located in the /etc directory instead of the /var/named/chroot/etc/ directory. Copy the file to the correct location and restart named to fix the problem. Delete the copy in /etc and create a symbolic link to /var/named/chroot/etc/named.conf from /etc to ensure you always edit the correct file.

Nov 9 17:35:41 bigboy named[1157]: starting BIND 9.2.3 -u named -t /var/named/chroot
Nov 9 17:35:41 bigboy named[1157]: using 1 CPU
Nov 9 17:35:41 bigboy named[1157]: loading configuration from '/etc/named.conf'
Nov 9 17:35:41 bigboy named[1157]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 9 17:35:41 bigboy named[1157]: listening on IPv4 interface eth0, 10.41.32.71#53
Nov 9 17:35:41 bigboy named[1157]: command channel listening on 127.0.0.1#953
Nov 9 17:35:41 bigboy named[1157]: command channel listening on ::1#953
Nov 9 17:35:41 bigboy named[1157]: running

If there are no named errors to the screen or /var/log/messages, and your domain doesn't resolve correctly when queried using the host command when you are logged into your new nameserver, then the problem could be due to you forgetting to add a zone file entry for the domain in named.conf; there could be a typographical error in your zone file; or you could have forgotten to update your zone file serial numbers.

This isn't a comprehensive configuration error list, but it covers some common mistakes with a new configuration.

Network Troubleshooting Steps

Once this configuration troubleshooting is completed, you can continue with the following troubleshooting steps:

1) Determine whether your DNS server is accessible on DNS UDP/TCP port 53. Lack of connectivity could be caused by a firewall with incorrect permit, NAT, or port forwarding rules for your DNS server. Failure could also be caused by the named process being stopped. It is best to test this from both inside your network and from the Internet.

Troubleshooting with TELNET is covered in Chapter 4, "Simple Network Troubleshooting".

2) Linux status messages are logged to the file /var/log/messages. Use it to make sure all your zone files are loaded when you start BIND/named. Check your /etc/named.conf file if they fail to do so. (Linux logging is covered in Chapter 5, "Troubleshooting Linux with syslog".)

Feb 21 09:13:13 bigboy named: named startup succeeded
Feb 21 09:13:13 bigboy named[12026]: loading configuration from '/etc/named.conf'
Feb 21 09:13:13 bigboy named[12026]: no IPv6 interfaces found
Feb 21 09:13:13 bigboy named[12026]: listening on IPv4 interface lo, 127.0.0.1#53
Feb 21 09:13:13 bigboy named[12026]: listening on IPv4 interface wlan0, 192.168.1.100#53
Feb 21 09:13:13 bigboy named[12026]: listening on IPv4 interface eth0, 172.16.1.100#53
Feb 21 09:13:14 bigboy named[12026]: command channel listening on 127.0.0.1#953
Feb 21 09:13:14 bigboy named[12026]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Feb 21 09:13:14 bigboy named[12026]: zone 1.16.172.in-addr.arpa/IN: loaded serial 51
Feb 21 09:13:14 bigboy named[12026]: zone 1.168.192.in-addr.arpa/IN: loaded serial 51
Feb 21 09:13:14 bigboy named[12026]: zone simiya.com/IN: loaded serial 2004021401
Feb 21 09:13:14 bigboy named[12026]: zone localhost/IN: loaded serial 42
Feb 21 09:13:14 bigboy named[12026]: zone simiya.com/IN: loaded serial 200301114
Feb 21 09:13:14 bigboy named[12026]: running

3) Use the host (nslookup in Windows) command for both forward and reverse lookups to make sure the zone files were configured correctly.

If this fails, try:

Double check for your updated serial numbers in the modified files and also inspect the individual records within the files for mistakes.

Ensure there isn't a firewall that could be blocking DNS traffic on TCP and/or UDP port 53 between your server and the DNS server.

Use the dig command to determine whether the name server for your domain is configured correctly.

Here is an example of querying DNS server ns1.my-site.com for the IP address of www.linuxhomenetworking.com. (You can also replace the name server's name with its IP address.)

[root@bigboy tmp]# host www.linuxhomenetworking.com ns1.my-site.com
Using domain server:
Name: ns1.my-site.com
Address: 192.168.1.100#53
Aliases:

www.linuxhomenetworking.com has address 65.115.71.34

[root@bigboy tmp]#

Here is an example of querying your default DNS server for the IP address of www.linuxhomenetworking.com. As you can see, the name of the specific DNS server to query has been left off the end. Failure in this case could be due not only to an error in your BIND configuration or domain registration but also to an error in your DNS client's DNS server entry in your Linux /etc/resolv.conf file or the Windows TCP/IP properties for your NIC.

[root@bigboy tmp]# host www.linuxhomenetworking.com
www.linuxhomenetworking.com has address 65.115.71.34
[root@bigboy tmp]#

4) You can also use the dig command to determine whether known DNS servers on the Internet have received a valid update for your zone. (Remember if you decide to change the DNS servers for your domain that it could take up to four days for it to propagate across the Internet.)

The format for the command is:

dig @<name-server> <domain-name> soa

The name server is optional; when given, it is prefixed with "@". If you specify a name server, then dig queries that name server instead of the Linux server's default name server. It is sometimes good to query both your name server and a well known name server such as ns1.yahoo.com to make sure your DNS records have propagated properly. The dig command only works with fully qualified domain names, because it doesn't refer to the /etc/resolv.conf file.

This command uses the local DNS server for the query. It returns the SOA record information and the addresses of the domain's DNS servers in the authority section.

[root@bigboy tmp]# dig linuxhomenetworking.com SOA
...
;; AUTHORITY SECTION:
linuxhomenetworking.com. 3600 IN NS ns1.myisp.net.
linuxhomenetworking.com. 3600 IN NS ns2.myisp.net.

;; ADDITIONAL SECTION:
ns1.myisp.net. 3600 IN A 65.115.70.68
ns2.myisp.net. 3600 IN A 65.115.70.69
...
[root@bigboy tmp]#

Here is a successful dig using DNS server ns1.yahoo.com for the query. As before, it returns the SOA record for the zone.

[root@bigboy tmp]# dig @ns1.yahoo.com linuxhomenetworking.com SOA
...
;; AUTHORITY SECTION:
linuxhomenetworking.com. 3600 IN NS ns2.myisp.net.
linuxhomenetworking.com. 3600 IN NS ns1.myisp.net.

;; ADDITIONAL SECTION:
ns1.myisp.net. 3600 IN A 65.115.70.68
ns2.myisp.net. 3600 IN A 65.115.70.69
...
[root@bigboy tmp]#

Sometimes your SOA dig will fail. This command uses the DNS server ns1.yahoo.com for the query. In this case the authority section doesn't know of the domain and points to the name server for the entire .com domain at VeriSign.

[root@bigboy tmp]# dig @ns1.yahoo.com linuxhomeqnetworking.com SOA
...
;; QUESTION SECTION:
;linuxhomeqnetworking.com. IN SOA

;; AUTHORITY SECTION:
com. 0 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1077341254 1800 900 604800 900
...
[root@bigboy tmp]#

Possible causes of failure include:

Typographical errors. In this case the misspelling "linuxhomeqnetworking.com" was entered on the command line.

Incorrect domain registration.

Correct domain registration, but there is a lag in the propagation of the domain information across the Internet. Delays of up to four days are not uncommon.

A firewall could be blocking DNS traffic on TCP and/or UDP port 53 between your server and the DNS server.
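The two checks in steps 3 and 4 above, forward and reverse lookups agreeing and every name server reporting the same zone serial, are worth scripting so they run the same way after every change. The script below is an added example and is not code from the HOWTO; it assumes dig is installed, and the function names and the my-site.com hosts in the comments are its own. The serial check reads the single line that dig +short prints for an SOA query, and the forward/reverse check compares a host's A record with the PTR record of the address it returns.

```shell
#!/bin/sh
# Added example: two consistency checks built on dig, matching the
# troubleshooting steps above. The function names are assumptions for
# this example; nothing here is from the original HOWTO. Requires dig.

# Print the SOA serial that one name server reports for a zone.
# "dig +short" on an SOA query prints one line:
#   <mname> <rname> <serial> <refresh> <retry> <expire> <minimum>
soa_serial() {
    dig +short "@$1" "$2" SOA 2>/dev/null | awk 'NR == 1 { print $3 }'
}

# Return 0 when every listed name server reports the same serial for the
# zone, 1 otherwise. A stale serial on one server is the classic sign of
# a forgotten serial-number update on the master.
#   usage: serials_consistent <zone> <ns1> <ns2> ...
serials_consistent() {
    zone="$1"; shift
    first=""
    for ns in "$@"; do
        serial=$(soa_serial "$ns" "$zone")
        if [ -z "$serial" ]; then
            echo "$ns: no SOA answer for $zone"
            return 1
        fi
        if [ -z "$first" ]; then
            first="$serial"
        elif [ "$serial" != "$first" ]; then
            echo "$ns reports serial $serial, expected $first"
            return 1
        fi
    done
    echo "all servers report serial $first for $zone"
    return 0
}

# Return 0 when the forward (A) lookup of a host and the reverse (PTR)
# lookup of the resulting address agree, 1 otherwise.
forward_reverse_match() {
    name="$1"
    addr=$(dig +short "$name" A 2>/dev/null | awk 'NR == 1')
    if [ -z "$addr" ]; then
        echo "$name: no A record"
        return 1
    fi
    ptr=$(dig +short -x "$addr" 2>/dev/null | awk 'NR == 1')
    # dig prints PTR targets fully qualified, with a trailing dot.
    if [ "$ptr" = "${name%.}." ]; then
        echo "$name -> $addr -> $ptr (ok)"
        return 0
    fi
    echo "$name -> $addr -> ${ptr:-<no PTR>} (mismatch)"
    return 1
}

# Stand-alone use, e.g.:
#   sh dnscheck.sh my-site.com ns1.my-site.com ns2.my-site.com
#   sh dnscheck.sh -r www.my-site.com
case "${1:-}" in
    -r) forward_reverse_match "$2" ;;
    "") ;;
    *)  serials_consistent "$@" ;;
esac
```

Run the serial check against your own name servers and, as the text suggests, against a well known outside resolver as well; a server that answers with an older serial than the master has either not been notified of the update or is still serving a cached copy within its TTL.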


Migrating Your Web Site In-House

It is important to have a detailed migration plan if you currently use an external company to host your Web site and wish to move the site to a server at home or in your office. At the very least your plan should include these steps:

1. There is no magic bullet that will allow you to tell all the caching DNS servers in the world to flush their caches of your zone file entries. Your best alternative is to request your existing service provider to set the TTL on my-site.com in the DNS zone file to a very low value, say one minute. As the TTL is usually set to a number of days, it will take at least three to five days for all remote DNS servers to recognize the change. Once the propagation is complete, it will take only one minute to see the results of the final DNS configuration switch to your new server. If anything goes wrong, you can then revert to the old configuration, knowing it will rapidly recover within minutes rather than days.

2. Set up your test server in house. Edit the /etc/hosts file to make www.my-site.com refer to its own IP address, not that of the www.my-site.com site that is currently in production. This file is usually given a higher priority than DNS, therefore the test server will begin to think that www.my-site.com is really hosted on itself. You may also want to add an entry for mail.my-site.com if the new Web server is going to also be your new mail server.

3. Test your server-based applications from the server itself. This should include mail, Web, and so on.

4. Test the server from a remote client. You can test the server running as www.my-site.com even though DNS hasn't been updated. Just edit your /etc/hosts file on your Web browsing Linux PC to make www.my-site.com map to the IP address of the new server. In the case of Windows, the file would be C:\WINDOWS\system32\drivers\etc\hosts. You may also want to add an entry for mail.my-site.com if the new Web server is going to also be your new mail server. Your client will usually refer to these files first before checking DNS, hence you can use them to predefine some DNS lookups at the local client level only.

5. Once testing is completed, coordinate with your Web hosting provider to update your domain registration's DNS records for www.my-site.com to point to your new Web server. As the TTLs were set to one minute previously, you'll be able to see results of the migration within minutes.

6. Once complete, you can set the TTL back to the original value to help reduce the volume of DNS query traffic hitting your DNS server.

7. Fix your /etc/hosts files by deleting the test entries you had before.

8. You may also want to take over your own DNS. Edit your my-site.com DNS entries with VeriSign, RegisterFree or whoever you bought your domain from to point to your new DNS servers.

Remember, you don't have to host DNS or mail in-house; this could be left in the hands of your service provider. You can then migrate these services in-house as your confidence in hosting becomes greater.

Finally, if you have concerns that your service provider won't cooperate, then you could explain to the provider that you want to test its failover capabilities to a duplicate server that you host in-house. You can then decide whether the change will be permanent once you have failed over back and forth a few times.
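Steps 2, 4 and 7 of the plan above all edit a hosts file by hand, which is where test entries get duplicated or forgotten. The script below is an added example, not code from the HOWTO: it tags every entry it adds with a marker comment, places the entry at the top of the file (the resolver returns the first match), refuses to duplicate an entry on a second run, and removes all tagged entries in one step for the clean-up. The function names, the marker text and the scratch hosts file are constructed for the example; the target file is always passed explicitly so you can try it on a copy before touching /etc/hosts.

```shell
#!/bin/sh
# Added example: manage the temporary hosts-file entries used in steps 2,
# 4 and 7 of the migration plan above. The function names, the marker
# comment and the sample file are constructed for this example, not from
# the HOWTO. The file is passed explicitly so the functions can be tried
# on a scratch copy before touching /etc/hosts.

MARK="# dns-migration-test"   # tags every line these functions add

# Print the first address FILE maps NAME to, reading it the way the
# resolver does (top to bottom, comments ignored), or nothing.
hosts_lookup() {
    awk -v n="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) {
              if (substr($i, 1, 1) == "#") break
              if ($i == n) { print $1; exit }
          } }' "$1"
}

# Add (or replace) a tagged entry mapping NAME to ADDR at the top of FILE.
# It goes first because the resolver returns the first match; a warning is
# printed if an untagged entry for NAME already exists further down.
hosts_override() {
    file="$1"; name="$2"; addr="$3"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tmp="$file.tmp.$$"
    if awk -v mark="$MARK" -v n="$name" '
            index($0, mark) == 0 {
                for (i = 2; i <= NF; i++) {
                    if (substr($i, 1, 1) == "#") break
                    if ($i == n) found = 1
                }
            }
            END { exit !found }' "$file"; then
        echo "warning: $file already has an untagged entry for $name" >&2
    fi
    {
        printf '%s\t%s\t%s\n' "$addr" "$name" "$MARK"
        # keep everything except an earlier tagged entry for the same name
        awk -v mark="$MARK" -v n="$name" 'index($0, mark) == 0 || $2 != n' "$file"
    } > "$tmp" && mv "$tmp" "$file"
}

# Remove every tagged entry from FILE (step 7 of the plan).
hosts_restore() {
    file="$1"; tmp="$file.tmp.$$"
    grep -v -F -- "$MARK" "$file" > "$tmp" || true   # grep exits 1 if nothing remains
    mv "$tmp" "$file"
}

# Number of tagged entries currently in FILE.
tagged_count() {
    grep -c -F -- "$MARK" "$1" || true                # grep -c still prints 0 on no match
}

# Constructed scratch copy of a typical hosts file; prints its path.
demo_hosts_file() {
    f=$(mktemp)
    printf '127.0.0.1\tlocalhost\n192.168.1.1\tgateway.my-site.com gateway\n' > "$f"
    printf '%s\n' "$f"
}

if [ "$#" -eq 0 ]; then
    f=$(demo_hosts_file)
    hosts_override "$f" www.my-site.com 192.168.1.100    # step 2: point www at the test box
    hosts_override "$f" mail.my-site.com 192.168.1.100   # same box will host mail
    hosts_override "$f" www.my-site.com 192.168.1.101    # re-running replaces, never duplicates
    echo "www.my-site.com -> $(hosts_lookup "$f" www.my-site.com)"
    hosts_restore "$f"                                   # step 7: remove the test entries
    echo "after restore:"; cat "$f"; rm -f "$f"
fi
```

On the Windows client mentioned in step 4 the same idea applies to C:\WINDOWS\system32\drivers\etc\hosts, but this script is written for the Linux hosts file format and is meant to be run as root against a backup copy first.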

DHCP Considerations For DNS

If you have a DHCP server on your network, you'll need to make it assign the IP address of the Linux box as the DNS server it tells the DHCP clients to use. If your Linux box is the DHCP server, then you may need to refer to Chapter 8, "Configuring the DHCP Server".

Simple DNS Security

DNS can reveal a lot about the nature of your domain. You should take some precautions to conceal some of the information for the sake of security.

Zone Transfer Protection

The host command does one DNS query at a time, but the dig command is much more powerful. When given the right parameters it can download the entire contents of your domain's zone file.

In this example, the AXFR zone transfer parameter is used to get the contents of the my-site.com zone file.

[root@smallfry tmp]# dig my-site.com AXFR

; <<>> DiG 9.2.3 <<>> my-site.com AXFR
;; global options: printcmd
my-site.com. 3600 IN SOA www.my-site.com. hostmaster.my-site.com. 2004110701 3600 3600 3600 3600
my-site.com. 3600 IN NS ns1.my-site.com.
my-site.com. 3600 IN MX 10 mail.my-site.com.
192-168-1-96.my-site.com. 3600 IN A 192.168.1.96
192-168-1-97.my-site.com. 3600 IN A 192.168.1.97
192-168-1-98.my-site.com. 3600 IN A 192.168.1.98
bigboy.my-site.com. 3600 IN A 192.168.1.100
gateway.my-site.com. 3600 IN A 192.168.1.1
localhost.my-site.com. 3600 IN A 127.0.0.1
mail.my-site.com. 3600 IN CNAME www.my-site.com.
ns1.my-site.com. 3600 IN CNAME www.my-site.com.
ntp.my-site.com. 3600 IN CNAME www.my-site.com.
smallfry.my-site.com. 3600 IN A 192.168.1.102
www.my-site.com. 3600 IN A 192.168.1.100
my-site.com. 3600 IN SOA www.my-site.com. hostmaster.my-site.com. 2004110701 3600 3600 3600 3600
;; Query time: 16 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Sun Nov 14 20:21:07 2004
;; XFR size: 16 records
[root@smallfry tmp]#

This may not seem like an important security threat at first glance, but it is. Anyone can use this command to determine all your server's IP addresses and from the names determine what type of server it is and then launch an appropriate cyberattack.

In a simple home network, without master and slave servers, zone transfers should be disabled. You can do this by applying the allow-transfer directive to the global options section of your named.conf file.

options {
    allow-transfer { none; };
};

Once applied, your zone transfer test should fail.

[root@smallfry tmp]# dig my-site.com AXFR
...
; <<>> DiG 9.2.3 <<>> my-site.com AXFR
;; global options: printcmd
; Transfer failed.
[root@smallfry tmp]#

Selectively Disabling Recursion

Your caching DNS server can unknowingly participate in a form of DDoS attack if recursive lookups are globally allowed.

Say for example that for political, religious, competitive or otherwise malicious reasons your web site is targeted for an attack. First, a hacker breaks into the authoritative DNS server for a sub domain, like my-web-site.org, and adds a large TXT record to the sub domain. The hacker then sends thousands of queries to unsecured caching DNS servers requesting the TXT record, but there is a catch. The queries use a false source IP address that corresponds to the IP address of the DNS server for your website. The queries are small, but the responses are amplified by the size of the TXT information, and your DNS server quickly becomes overwhelmed by the flurry of replies. Without DNS, your web site goes off the air. For the administrator of the caching DNS servers, the additional load of the queries can be unnoticeable, but when multiplied by thousands of other poorly configured servers, the attack on your site becomes lethal.

The allow-recursion directive placed in the options section of your named.conf file can be used to restrict the networks to which recursive lookups are allowed. In this example an ACL is also used to limit lookups to localhost and the 192.168.1.0/24 network.

acl "recursive_subnets" {
    192.168.1.0/24;
    localhost;
};

options {
    allow-recursion { "recursive_subnets"; };
};

Note: This does not restrict forward or reverse lookups defined by the zone files on the server. The server will answer all queries for my-web-site.org if it owns that domain, but it won't respond to queries for servers in another domain such as google.com.
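Both settings described in this section and in Zone Transfer Protection above are easy to lose in a later edit of named.conf, so it is worth having a check that can be run after every change. The script below is an added example, not part of the HOWTO or of BIND: it pulls the body of the allow-transfer and allow-recursion directives out of a named.conf and reports each one as missing, open to "any", or restricted. The function names and the two sample configurations (one that relies on BIND's defaults, one with the settings from this chapter) are constructed for the example.

```shell
#!/bin/sh
# Added example: audit a named.conf for the two directives discussed in
# the Zone Transfer Protection and Selectively Disabling Recursion
# sections above. The function names and both sample configurations are
# constructed for this example and are not from the original HOWTO.

# Print the body of a directive such as allow-transfer or allow-recursion
# (the text between its braces) from a named.conf, or nothing when the
# directive is absent. "//" and "#" comments are stripped first so a
# commented-out directive does not count; "/* */" blocks are not handled.
directive_body() {
    conf="$1"; name="$2"
    sed -e 's://.*$::' -e 's:#.*$::' "$conf" \
        | tr '\n' ' ' \
        | sed -n "s/.*$name[[:space:]]*{\([^}]*\)}.*/\1/p" \
        | tr -s ' '
}

# Return 0 when the directive is present and does not contain "any";
# print a finding and return 1 when it is missing or wide open.
check_directive() {
    conf="$1"; name="$2"
    body=$(directive_body "$conf" "$name")
    if [ -z "$body" ]; then
        echo "$name: not set, BIND's default applies"
        return 1
    fi
    # Compare whole tokens so an ACL called e.g. "company" is not flagged.
    tokens=" $(printf '%s' "$body" | tr ';' ' ' | tr -s ' ') "
    case "$tokens" in
        *" any "*) echo "$name: open to any ($body)"; return 1 ;;
    esac
    echo "$name: restricted to$body"
    return 0
}

# Run both checks; the return value is the number of weak directives.
audit_named_conf() {
    weak=0
    check_directive "$1" allow-transfer  || weak=$((weak + 1))
    check_directive "$1" allow-recursion || weak=$((weak + 1))
    return "$weak"
}

# Constructed samples: a server that relies on defaults, and one with the
# settings from this chapter.
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
options {
    directory "/var/named";
    // allow-transfer and allow-recursion deliberately left unset
};
EOF
cat > "$HARDENED_CONF" <<'EOF'
acl "recursive_subnets" { 192.168.1.0/24; localhost; };
options {
    directory "/var/named";
    allow-transfer { none; };
    allow-recursion { "recursive_subnets"; };
};
EOF

if [ "$#" -ge 1 ]; then
    audit_named_conf "$1"          # audit a real file, e.g. /etc/named.conf
else
    echo "== defaults only =="; audit_named_conf "$WEAK_CONF" || true
    echo "== hardened ==";      audit_named_conf "$HARDENED_CONF" || true
fi
```

The text matching is deliberately simple; if your named.conf uses include files or per-zone or per-view overrides of these directives, feed it the canonical output of named-checkconf -p instead of the raw file so every directive in effect is visible to the script. The final proof is still the test the chapter uses: a dig AXFR against your own server should report "Transfer failed", and a recursive query from outside the ACL'd networks should be refused.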

Naming Convention Security

Your my-site.com domain will probably have a www and a mail subdomain, and they should remain obvious to all. You may want to adjust your DNS views so that to external users, your MySQL database server doesn't have the letters "DB" or "SQL" in the name, or that your firewall doesn't have the letters "FW" in its name either. This may be good for ease of reference within the company, but to the Internet these names provide rapid identification of the types of malicious exploits a hacker could use to break in. Web site security refers to anything that helps to guarantee the availability of the site; this is just one of many methods you can use.
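A quick way to see the problem described in this section and in Zone Transfer Protection above is to review your own zone the way a stranger with a transfer would: list every host it names and pick out the names that advertise a machine's role. The script below is an added example, not code from the HOWTO; it reads records in the layout dig prints for an AXFR ("owner ttl IN type rdata"), and the sample zone dump and the list of role-hinting tokens are constructed for the example.

```shell
#!/bin/sh
# Added example: review what a zone transfer would hand out, using the
# record layout dig prints for AXFR ("<owner> <ttl> IN <type> <rdata>").
# The sample dump and the token list are constructed for this example and
# are not from the original HOWTO.

# Constructed zone dump, in the format "dig <zone> AXFR" prints.
SAMPLE_ZONE='my-site.com. 3600 IN SOA www.my-site.com. hostmaster.my-site.com. 2004110701 3600 3600 3600 3600
my-site.com. 3600 IN NS ns1.my-site.com.
my-site.com. 3600 IN MX 10 mail.my-site.com.
www.my-site.com. 3600 IN A 192.168.1.100
mail.my-site.com. 3600 IN CNAME www.my-site.com.
sqldb01.my-site.com. 3600 IN A 192.168.1.50
fw-outer.my-site.com. 3600 IN A 192.168.1.1
vpn.my-site.com. 3600 IN A 192.168.1.2
backup-nas.my-site.com. 3600 IN A 192.168.1.60
bigboy.my-site.com. 3600 IN A 192.168.1.101'

# Print "<name> <address>" for every A record in a zone dump read on stdin.
list_hosts() {
    awk '$3 == "IN" && $4 == "A" { sub(/\.$/, "", $1); print $1, $5 }'
}

# Print the names of A records whose first label contains a role hint
# (the "DB", "SQL", "FW" style names the section above warns against).
# Extend the token list to match your own naming scheme.
revealing_names() {
    tokens="db sql fw firewall vpn backup nas ldap mysql oracle"
    list_hosts | awk -v toks="$tokens" '
        BEGIN { n = split(toks, t, " ") }
        {
            label = tolower($1); sub(/\..*/, "", label)
            for (i = 1; i <= n; i++)
                if (index(label, t[i]) > 0) { print $1; break }
        }'
}

# Counts over the constructed sample, handy for a quick self-check.
sample_host_count()      { printf '%s\n' "$SAMPLE_ZONE" | list_hosts      | wc -l | tr -d ' '; }
sample_revealing_count() { printf '%s\n' "$SAMPLE_ZONE" | revealing_names | wc -l | tr -d ' '; }

if [ "$#" -ge 1 ]; then
    # Audit a saved dump of your own zone:
    #   dig @ns1.my-site.com my-site.com AXFR > dump.txt; sh zonenames.sh dump.txt
    revealing_names < "$1"
else
    echo "hosts exposed by the sample zone: $(sample_host_count)"
    echo "names that hint at the machine's role:"
    printf '%s\n' "$SAMPLE_ZONE" | revealing_names
fi
```

The same function works on a plain zone file if you first normalise it with named-checkzone -D, which prints the zone in the same one-record-per-line form. Names flagged here are candidates for a neutral name in the external view, exactly as the section above suggests, while internal users keep the descriptive one.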

Conclusion

DNS management is a critical part of the maintenance of any Web site. Fortunately, although it can be a little complicated, DNS modifications are usually infrequent, because the IP address of a server is normally fixed or static. This is not always the case. There are situations in which a server's IP address will change unpredictably and frequently, making DNS management extremely difficult. Dynamic DNS was created as a solution to this and is explained in Chapter 19, "Dynamic DNS".

Retrieved from "http://www.linuxhomenetworking.com/wiki/index.php?title=Quick_HOWTO_:_Ch18_:_Configuring_DNS&oldid=4322"

This page was last modified on 10 August 2012, at 06:01.

Content is available under Attribution-NonCommercial-NoDerivs 2.5 .
