This chapter follows on from Chapter 31.

There seems to be a lot of hype that elevates the name server to
something mystical and elusive. In fact, setting up a nameserver
is a standard and trivial exercise.

A nameserver daemon is also no heavyweight service: the named
executable is 500kB, and consumes little CPU.

The package that the name server comes in is called
bind. This chapter assumes a bind of
approximately bind-8.2 or later. bind
stands for Berkeley Internet Name Domain.

The difficulty with setting up a nameserver is that the
configuration files are impossible to construct from a
specification without making some kind of typing error.

The solution is quite simple: never create a
nameserver config file from scratch; always copy
one from an existing working name server. Here we will
give more example configuration files than explanation.
You can copy these examples to create your own nameserver.

Before you even start working on nameserver configuration,
you should start a new terminal window with the command:

tail -f /var/log/messages

Keep this window open throughout the entire setup and testing
procedure. From now on, when I refer to messages,
I am referring to a message in this window.

The man pages for named are hostname(7),
named-xfer(8), named(8), and ndc(8).

The man pages reference a document called the ``Name Server
Operations Guide for BIND''. What they actually mean is a text
file /usr/doc/bind-8.2/bog/file.lst or a PostScript file
/usr/doc/bind-8.2/bog/file.psf for printing.

The problem with some of this documentation is that it is still
based on the old (now deprecated) named.boot
configuration file. There is a program
/usr/doc/bind-8.2/named-bootconf/named-bootconf that
reads a named.boot file from stdin and writes a
named.conf file to stdout. I found it useful to
echo "old config line" | named-bootconf to see
what a new style equivalent would be.

The most important info is in /usr/doc/bind-8.2/html,
which contains a complete reference to configuration.

There are also FAQ documents in /usr/doc/bind-8.2/misc
and various theses on security. /usr/doc/bind-8.2/misc/style.txt
contains the recommended layout of the configuration files
for consistent spacing and readability. Finally,
/usr/doc/bind-8.2/rfc contains the relevant RFCs
(see Section 16.5).

There is only one main configuration file for named:
/etc/named.conf. The named service once used a
file /etc/named.boot, but this has been scrapped. If there
is a named.boot file in your /etc directory then it
is not being used, except possibly by a very old version of
bind.

The named.conf file will have a line in it directory
"/var/named"; or directory "/etc/named";. This directory
holds various files containing textual lists of name to IP address
mappings. The following example is a nameserver for a company that has been
given a range of IP addresses (196.28.133.20-30),
as well as one single IP address (160.124.182.44). It also
must support a range of internal IP addresses
(192.168.2.0-255). The trick is not to think about
how everything works. If you just copy and edit things in a
consistent fashion, carefully reading the comments, this will
work fine.

The /etc/named.conf file should look like:

/*
 * The ``directory'' line tells named that any further file names
 * given are under the /var/named/ directory.
 */
options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};

/* The list of root servers: */
zone "." {
        type hint;
        file "named.ca";
};

/* Forward lookups of hosts in my domain: */
zone "obsidian.co.za" {
        type master;
        file "named.obsidian.co.za";
};

/* Reverse lookups of the localhost: */
zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};

/* Reverse lookups of local IP numbers: */
zone "1.168.192.in-addr.arpa" {
        type master;
        file "named.192.168.1";
};

/* Reverse lookups of 196.28.133.* Internet IP numbers: */
zone "133.28.196.in-addr.arpa" {
        type master;
        file "named.196.28.133";
};

/* Reverse lookup of 160.124.182.44 only: */
zone "44.182.124.160.in-addr.arpa" {
        type master;
        file "named.160.124.182.44";
};

The /var/named/named.ca file should look like:

; Get the original of this file from ftp://ftp.rs.internic.net/domain/named.root
;
; formerly ns.internic.net
.                        3600000  IN  NS    a.root-servers.net.
a.root-servers.net.      3600000      A     198.41.0.4
.                        3600000      NS    b.root-servers.net.
b.root-servers.net.      3600000      A     128.9.0.107
.                        3600000      NS    c.root-servers.net.
c.root-servers.net.      3600000      A     192.33.4.12
.                        3600000      NS    d.root-servers.net.
d.root-servers.net.      3600000      A     128.8.10.90
.                        3600000      NS    e.root-servers.net.
e.root-servers.net.      3600000      A     192.203.230.10
.                        3600000      NS    f.root-servers.net.
f.root-servers.net.      3600000      A     192.5.5.241
.                        3600000      NS    g.root-servers.net.
g.root-servers.net.      3600000      A     192.112.36.4
.                        3600000      NS    h.root-servers.net.
h.root-servers.net.      3600000      A     128.63.2.53
.                        3600000      NS    i.root-servers.net.
i.root-servers.net.      3600000      A     192.36.148.17
.                        3600000      NS    j.root-servers.net.
j.root-servers.net.      3600000      A     198.41.0.10
.                        3600000      NS    k.root-servers.net.
k.root-servers.net.      3600000      A     193.0.14.129
.                        3600000      NS    l.root-servers.net.
l.root-servers.net.      3600000      A     198.32.64.12
.                        3600000      NS    m.root-servers.net.
m.root-servers.net.      3600000      A     202.12.27.33

The /var/named/named.obsidian.co.za file should look like:

$TTL 259200
@       IN SOA   ns1.obsidian.co.za. root.ns1.obsidian.co.za. (
                 2000012101     ; Serial number
                 10800          ; Refresh every 3 hours
                 3600           ; Retry every hour
                 3600000        ; Expire after 42 days
                 259200 )       ; Minimum Time to Live (TTL) of 3 days
        IN NS    ns1.obsidian.co.za.
        IN NS    ns2.obsidian.co.za.
        IN A     160.124.182.44
        IN MX    10 mail1.obsidian.co.za.
        IN MX    20 mail2.obsidian.co.za.
ns1     IN A     196.28.144.1
ns2     IN A     196.28.144.2
ftp     IN A     196.28.133.3
www     IN CNAME obsidian.co.za.
mail1   IN CNAME ns1.obsidian.co.za.
mail2   IN CNAME ns2.obsidian.co.za.
gopher  IN CNAME ftp.obsidian.co.za.
pop     IN CNAME mail1.obsidian.co.za.
proxy   IN CNAME ftp.obsidian.co.za.
http    IN CNAME www.obsidian.co.za.
pc1     IN A     192.168.2.1
pc2     IN A     192.168.2.2
pc3     IN A     192.168.2.3
pc4     IN A     192.168.2.4

The /var/named/named.local file should look like:

$TTL 259200
@       IN SOA   localhost. root.localhost. (
                 2000012101     ; Serial number
                 10800          ; Refresh every 3 hours
                 3600           ; Retry every hour
                 3600000        ; Expire after 42 days
                 259200 )       ; Minimum Time to Live (TTL) of 3 days
        IN NS    localhost.
1       IN PTR   localhost.

The /var/named/named.192.168.1 file should look like:

$TTL 259200
@       IN SOA   localhost. root.localhost. (
                 2000012101     ; Serial number
                 10800          ; Refresh every 3 hours
                 3600           ; Retry every hour
                 3600000        ; Expire after 42 days
                 259200 )       ; Minimum Time to Live (TTL) of 3 days
        IN NS    localhost.
1       IN PTR   pc1.obsidian.co.za.
2       IN PTR   pc2.obsidian.co.za.
3       IN PTR   pc3.obsidian.co.za.
4       IN PTR   pc4.obsidian.co.za.

The /var/named/named.196.28.133 file should look like:

$TTL 259200
@       IN SOA   ns1.obsidian.co.za. dnsmaster.ns1.obsidian.co.za. (
                 2000012101     ; Serial number
                 10800          ; Refresh every 3 hours
                 3600           ; Retry every hour
                 3600000        ; Expire after 42 days
                 259200 )       ; Minimum Time to Live (TTL) of 3 days
        IN NS    ns1.obsidian.co.za.
        IN NS    ns2.obsidian.co.za.
1       IN PTR   ns1.obsidian.co.za.
2       IN PTR   ns2.obsidian.co.za.
3       IN PTR   ftp.obsidian.co.za.

The /var/named/named.160.124.182.44 file should look like:

$TTL 259200
@       IN SOA   ns1.obsidian.co.za. dnsmaster.ns1.obsidian.co.za. (
                 2000012101     ; Serial number
                 10800          ; Refresh every 3 hours
                 3600           ; Retry every hour
                 3600000        ; Expire after 42 days
                 259200 )       ; Minimum Time to Live (TTL) of 3 days
        IN NS    ns1.obsidian.co.za.
        IN NS    ns2.obsidian.co.za.
        IN PTR   www.obsidian.co.za.

Run whichever of the following lines is appropriate:

/etc/rc.d/init.d/named start
/etc/rc.d/init.d/named stop
/etc/rc.d/init.d/named restart

You should get messages like:

Jan 21 13:41:04 ns1 named[24996]: starting. named 8.2 Fri Jan 20 11:15:20 EST 1999 ^Iroot@ns1.obsidian.co.za:/usr/src/bs/BUILD/bind-8.2/src/bin/named
Jan 21 13:41:04 ns1 named[24996]: cache zone "" (IN) loaded (serial 0)
Jan 21 13:41:04 ns1 named[24996]: master zone "obsidian.co.za" (IN) loaded (serial 2000012101)
Jan 21 13:41:04 ns1 named[24996]: master zone "0.0.127.in-addr.arpa" (IN) loaded (serial 2000012101)
Jan 21 13:41:04 ns1 named[24996]: master zone "1.168.192.in-addr.arpa" (IN) loaded (serial 2000012101)
Jan 21 13:41:04 ns1 named[24996]: master zone "133.28.196.in-addr.arpa" (IN) loaded (serial 2000012101)
Jan 21 13:41:04 ns1 named[24996]: master zone "44.182.124.160.in-addr.arpa" (IN) loaded (serial 2000012101)
Jan 21 13:41:04 ns1 named[24996]: listening on [127.0.0.1].53 (lo)
Jan 21 13:41:04 ns1 named[24996]: listening on [192.168.3.9].53 (eth0)
Jan 21 13:41:04 ns1 named[24996]: Forwarding source address is [0.0.0.0].1060
Jan 21 13:41:04 ns1 named[24997]: Ready to answer queries.

If you have made typing errors, or named files incorrectly,
you will get appropriate error messages. Novice
administrators are wont to edit named configuration files
and restart named without checking
/var/log/messages for errors. NEVER do
this.

The top-level configuration file /etc/named.conf
has an obvious C-style format. Comments are designated
by /* */, //, or #.

The options section in our case specifies only one
parameter: the directory for locating any files.
/usr/doc/bind-8.2/html/options.html has a complete list of
options.

The lines zone "." {...
will be present in almost all nameserver configurations. They tell
named that the whole Internet is governed by the
file named.ca. named.ca in turn contains the
list of root nameservers.

The lines zone "0.0.127.in-addr.arpa" {... will also
always be present. They specify that reverse lookups for the
IP address range 127.0.0.0-255 are stored in the
file named.local. (Note that 0.0.127 is
127.0.0 written backwards. In fact, reverse lookups
are just forward lookups under the domain .in-addr.arpa.)

The rest of the file is the configuration specific to our domain.

The lines zone "obsidian.co.za" {... say that info for
forward lookups is located in the file
named.obsidian.co.za.

The lines zone "1.168.192.in-addr.arpa" {... say that
info for reverse lookups on the IP address range
192.168.1.0-255 is located in the file
named.192.168.1.

The lines zone "44.182.124.160.in-addr.arpa" {... say that
info for reverse lookups on the IP address
160.124.182.44 is located in the file
named.160.124.182.44.

Each of the above named. files has a similar format. They begin with
a $TTL line and then an @ IN SOA line. TTL stands for
Time To Live (the default expiry time for all subsequent entries --
it merely prevents a No default TTL set... warning message).
SOA stands for Start of Authority. The hostname on the first
line specifies the authority for that domain, and the adjacent
<user>.<hostname> specifies the email address of the responsible
person.

The next few lines contain timeout specifications for cached
data and data propagation across the net. These are reasonable
defaults, but if you would like to tune these values, consult
the relevant documentation listed above. The values are all in seconds.

The serial number for the file (i.e. 2000012101) is
used to tell when a change has been made and hence that new
data should be propagated to other servers. When updating the
file in any way, this serial number should be incremented.
The format is conventionally YYYYMMDDxx -- exactly ten digits.
xx begins with, say, 01 and is incremented with each change
made during a day.

It is absolutely essential that the serial number be
updated whenever a file is edited. If not, the changes will not be
reflected through the rest of the Internet.

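As an added example (not the book's code), this Python script applies the YYYYMMDDxx rule to a zone file, including the case where the file's serial is already ahead of today's date; the SOA sample inside it is constructed from this chapter's named.obsidian.co.za, and the script assumes the serial is the first ten-digit number after the SOA record's opening parenthesis.

```python
# Added example (not the book's code): bump a zone's YYYYMMDDxx serial.
# Assumes the serial is the first ten-digit number after the SOA record's
# opening parenthesis, as in this chapter's zone files.
import re
from datetime import date

# Constructed sample: the SOA from this chapter's named.obsidian.co.za
SAMPLE_ZONE = """\
$TTL 259200
@       IN SOA   ns1.obsidian.co.za. root.ns1.obsidian.co.za. (
                 2000012101     ; Serial number
                 10800          ; Refresh every 3 hours
                 3600           ; Retry every hour
                 3600000        ; Expire after 42 days
                 259200 )       ; Minimum Time to Live (TTL) of 3 days
"""
SERIAL_RE = re.compile(r"\bSOA\b[^(]*\(\s*(\d{10})\b")

def next_serial(current, today):
    """Return the serial to write after an edit; `today` is an int YYYYMMDD.
    Same day: increment xx. New day: restart at <today>01. If the file is
    somehow ahead of today (a wrong clock, or more than 99 edits in a day),
    keep counting upward: slaves only transfer when the serial grows, so it
    must never go backwards."""
    base = today * 100
    return base + 1 if current < base else current + 1

def bump_zone_serial(zone_text, today=None):
    """Return (new_text, new_serial) with the SOA serial replaced in place."""
    today = today or int(date.today().strftime("%Y%m%d"))
    m = SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no ten-digit serial found after 'SOA ... ('")
    new = next_serial(int(m.group(1)), today)
    return zone_text[:m.start(1)] + str(new) + zone_text[m.end(1):], new

if __name__ == "__main__":
    text, serial = bump_zone_serial(SAMPLE_ZONE, 20000121)
    print(serial)          # 2000012102: a second edit on 21 Jan 2000
```
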
If a hostname ends in a . then it signifies that
it is a fully qualified hostname. If it does not end in a .
then it signifies that the domain should be appended to the
hostname. This feature is purely to make files more
elegant.

For instance, the line

ftp     IN A     196.28.133.3

could just as well be written

ftp.obsidian.co.za.     IN A     196.28.133.3

Always be careful to properly end qualified hostnames with a dot,
since failing to do so causes named to append a further
domain.

An omitted hostname is substituted with the domain. The purpose
of this notation is also for elegance. For example

        IN NS    ns1.obsidian.co.za.

is the same as

obsidian.co.za.     IN NS    ns1.obsidian.co.za.

Each DNS record appears on a single line, associating some
hostname/domain or IP address with some other hostname or IP
address.

It is hence easy to construct a file that makes the Internet
think anything you want it to about your organisation.

The most basic types of record are the A and PTR
records. They simply associate a hostname with an IP number,
or an IP number with a hostname, respectively. You should not
have more than one host associated to a particular IP number.

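As an added example (not from the book), the following Python script parses zone files using the owner rules described above and reports A records without a matching PTR and PTRs without a matching A; the zone texts inside it are constructed from this chapter's files, trimmed and indented the way BIND expects. Run as is, it shows the chapter's own pc1 mismatch: its A record is 192.168.2.1 while the reverse zone served is 1.168.192.in-addr.arpa.

```python
# Added example (not the book's code); the zones below are constructed
# from this chapter's files, trimmed and indented the way BIND expects.
import ipaddress

ORIGIN = "obsidian.co.za."
FORWARD = """\
@   IN SOA ns1.obsidian.co.za. root.ns1.obsidian.co.za. (
        2000012101 10800 3600 3600000 259200 )
    IN A  160.124.182.44
ftp IN A  196.28.133.3
pc1 IN A  192.168.2.1
"""
REVERSE = {  # reverse zone origin (as in named.conf) -> its records
    "1.168.192.in-addr.arpa.": "1 IN PTR pc1.obsidian.co.za.\n",
    "133.28.196.in-addr.arpa.": "3 IN PTR ftp.obsidian.co.za.\n",
    "44.182.124.160.in-addr.arpa.": "@ IN PTR www.obsidian.co.za.\n",
}

def parse_zone(text, origin):
    """Yield (owner, type, rdata) with fully qualified owners; handles '@',
    owner inheritance, $TTL, ';' comments and the '( ... )' SOA continuation."""
    owner, in_parens = origin, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if in_parens:                          # still inside "( ... )"
            in_parens = ")" not in line
            continue
        if not line.strip() or line.startswith("$"):
            continue
        tokens = line.split()
        if not raw[0].isspace():               # column 0 starts a new owner
            name = tokens.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        if tokens[0] == "IN":
            tokens.pop(0)
        rdata = " ".join(tokens[1:])
        in_parens = "(" in rdata and ")" not in rdata
        yield owner, tokens[0], rdata

def reverse_name(ip):                          # 192.168.2.1 -> 1.2.168.192.in-addr.arpa.
    return ipaddress.ip_address(ip).reverse_pointer + "."

def check_reverse(forward_text, reverse_zones):
    """Return (A records lacking a PTR, PTRs lacking a matching A); A records
    are checked only when their address lies inside one of our reverse zones."""
    a_recs = [(o, r) for o, t, r in parse_zone(forward_text, ORIGIN) if t == "A"]
    ptr_recs = [(o, r) for z, txt in reverse_zones.items()
                for o, t, r in parse_zone(txt, z) if t == "PTR"]
    def ours(rev):
        return any(rev == z or rev.endswith("." + z) for z in reverse_zones)
    a_missing = [(h, ip) for h, ip in a_recs
                 if ours(reverse_name(ip)) and (reverse_name(ip), h) not in ptr_recs]
    expected = {(reverse_name(ip), h) for h, ip in a_recs}
    return a_missing, [pair for pair in ptr_recs if pair not in expected]
```

Because the parser follows BIND's owner rule, a record that starts in column 0 with IN is read as a host called IN, which is why the listings above are indented. The check also flags the PTR for 160.124.182.44, which names www while the A record is on obsidian.co.za itself.
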
The CNAME record says that a host is just an alias
to another host. So rather have

ns1     IN A     196.28.144.1
mail1   IN CNAME ns1.obsidian.co.za.

than

ns1     IN A     196.28.144.1
mail1   IN A     196.28.144.1

Finally, NS and MX records,

<domain> IN NS <nameserver>
<domain> IN MX <priority> <mailserver>

just state that domain <domain> has a nameserver/mailserver
<nameserver> or <mailserver> respectively (the <priority> is the
number seen after MX above; mail servers with lower values are tried first).

If you have a dialup connection, the nameserver should be
configured as what is called a caching-only nameserver.
Of course there is no such thing as a caching-only
nameserver -- it just means that the named. files have
only a few essential records in them. The point of a caching
server is to prevent spurious DNS lookups that may eat modem
bandwidth or cause a dial-on-demand server to initiate a
dialout. It also prevents applications blocking while waiting for a DNS
lookup. (A typical example of this is sendmail, which
blocks for a couple of minutes when a machine is turned on
without the network plugged in; and
netscape 4, which tries to look up the IP address of
news.<localdomain>.)

The /etc/named.conf file should look as follows. Replace
<nameserver> with the IP address of the nameserver
your ISP has given you. Your local machine name is assumed to
be cericon.priv.ate. (The following listings are minus
superfluous comments and newlines for the purposes of brevity):

options {
        forwarders {
                <nameserver>;
        };
        directory "/var/named";
};
zone "." { type hint; file "named.ca"; };
zone "priv.ate" { type master; file "named.priv.ate"; };
zone "0.0.127.in-addr.arpa" { type master; file "named.local"; };
zone "168.192.in-addr.arpa" { type master; file "named.192.168"; };

The /var/named/named.ca file is the same as before.
The /var/named/named.priv.ate file should look like:

$TTL 259200
@       IN SOA   cericon.priv.ate. root.cericon.priv.ate. (
                 2000012101 10800 3600 3600000 259200 )
        IN NS    cericon.priv.ate.
cericon IN A     192.168.1.1
news    IN A     192.168.1.2

The /var/named/named.local file should look like:

$TTL 259200
@       IN SOA   localhost. root.localhost. (
                 2000012101 10800 3600 3600000 259200 )
        IN NS    localhost.
1       IN PTR   localhost.

The /var/named/named.192.168 file should look like:

$TTL 259200
@       IN SOA   localhost. root.localhost. (
                 2000012101 10800 3600 3600000 259200 )
        IN NS    localhost.
1.1     IN PTR   cericon.priv.ate.

In addition to the above, your hostname and domainname have
to be configured as per Chapter 31.

The one contingency of dialup machines is that IP addresses are
often dynamically assigned, so your 192.168. addresses
aren't going to apply. Probably one way to get around this is to
get a feel for what IP addresses you are likely to get by dialling in
a few times. Assuming you know that your ISP always gives you
196.26.x.x, you can have a reverse
lookup file named.196.26 with nothing in it. This will
just cause reverse lookups to fail instead of blocking.

This is actually a bad idea because an application may legitimately
need to reverse lookup in this range. The real complete solution
would involve creating a script to modify the named.conf file
and restart named upon each dialup.

For instance, pppd (from the
ppp-2.x.x package) executes a
user-defined script upon a successful dial. This script would be
run by pppd after determining the new IP address.
The script should create a complete named configuration
based on the current IP and then restart named.

In Section 43.3 we show a dynamic DNS
configuration that does this.

Both of these plans may be unnecessary. It is probably best to
identify the particular application that is causing a spurious
dial-out, or causing a block, and then apply your creativity to the
particular case. For instance, in my own case, a setup had
netscape taking minutes to start up -- rather irritating
to the user. I immediately diagnosed that netscape was
trying to do a reverse lookup of some sort. An strace
revealed that it was actually trying to find a news server
on the local domain. Simply creating a news record
pointing to the local machine fixed the problem.

named can operate as a backup server to another
server, also called a slave or secondary server.

Like the caching-only server, there is no such thing
as a secondary server. It's just the same named
running with reduced info.

Let's say we would like ns2.obsidian.co.za to be a secondary
to ns1.obsidian.co.za. The named.conf file would
look as follows:

options {
        directory "/var/named";
        // query-source address * port 53;
};

/* The list of root servers: */
zone "." {
        type hint;
        file "named.ca";
};

/* Forward lookups of hosts in my domain: */
zone "obsidian.co.za" {
        type slave;
        file "named.obsidian.co.za";
        masters {
                196.28.144.1;
        };
};

/* Reverse lookups of the localhost: */
zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};

/* Reverse lookups of local IP numbers: */
zone "1.168.192.in-addr.arpa" {
        type slave;
        file "named.192.168.1";
        masters {
                196.28.144.1;
        };
};

/* Reverse lookups of 196.28.133.* Internet IP numbers: */
zone "133.28.196.in-addr.arpa" {
        type slave;
        file "named.196.28.133";
        masters {
                196.28.144.1;
        };
};

/* Reverse lookup of 160.124.182.44 only: */
zone "44.182.124.160.in-addr.arpa" {
        type slave;
        file "named.160.124.182.44";
        masters {
                196.28.144.1;
        };
};

Where an entry has a ``master'' in it, you must supply
the appropriate file.
Where an entry has a ``slave'' in it, named will
automatically download the file from 196.28.144.1 (i.e.
ns1.obsidian.co.za) the first time a lookup is required
from that domain.