PC World 1999 August

home *** CD-ROM | disk | FTP | other *** search

/ PC World 1999 August / PCWorld_1999-08_cd.bin / doc / HOWTO / DNS-HOWTO < prev next >

Wrap

Text File | 1999-03-02 | 76.1 KB | 2,443 lines

DNS HOWTO Nicolai Langfeldt janl@math.uio.no v2.2, 11 February 1999 HOWTO become a totally small time DNS admin. ______________________________________________________________________ Table of Contents 1. Preamble 1.1 Legal stuff 1.2 Credits and request for help. 1.3 Dedication 2. Introduction. 3. A caching only name server. 3.1 Starting named 3.2 Making it even better 3.3 Congratulations 4. A 4.1 But first some dry theory 4.2 Our own domain 4.3 The reverse zone 4.4 Words of caution 4.5 Why reverse lookups don't work. 4.5.1 The reverse zone isn't delegated. 4.5.2 You've got a classless subnet 5. A real domain example 5.1 /etc/named.conf (or /var/named/named.conf) 5.2 /var/named/root.hints 5.3 /var/named/zone/127.0.0 5.4 /var/named/zone/land-5.com 5.5 /var/named/zone/206.6.177 6. Maintenance 7. Converting from version 4 to version 8 8. Questions and Answers 9. How to become a bigger time DNS admin. ______________________________________________________________________ 1. Preamble Keywords: DNS, bind, bind-4, bind-8, named, dialup, ppp, slip, isdn, Internet, domain, name, hosts, resolving, caching. This document is part of the Linux Documentation Project. 1.1. Legal stuff (C)opyright 1995-1999 Nicolai Langfeldt. Do not modify without amending copyright, distribute freely but retain copyright message. 1.2. Credits and request for help. I want to thank Arnt Gulbrandsen whom I cause to suffer through the drafts to this work and whom provided many useful suggestions. I also want to thank the numerous people that have e-mailed suggestions and notes. This will never be a finished document, please send me mail about your problems and successes, it can make this a better HOWTO. So please send comments and/or questions or money to janl@math.uio.no. If you send e-mail and want an answer please show the simple courtesy of making sure that the return address is correct and working. Also, please read the ``QnA'' section before mailing me. Another thing, I can only understand Norwegian and English. If you want to translate this HOWTO please notify me so I can keep track of what languages it has been published in, and also I can notify you when the HOWTO has been updated. 1.3. Dedication This HOWTO is dedicated to Anne Line Norheim Langfeldt. Though she will probably never read it since she's not that kind of girl. 2. Introduction. What this is and isn't. DNS is is the Domain Name System. DNS converts machine names to the IP addresses that all machines on the net have. It maps from name to address and from address to name, and some other things. This HOWTO documents how to define such mappings using a Linux system. A mapping is simply a association between two things, in this case a machine name, like ftp.linux.org, and the machines IP number (or address) 199.249.150.4. DNS is, to the uninitiated (you ;-), one of the more opaque areas of network administration. This HOWTO will try to make a few things clearer. It describes how to set up a simple DNS name server. Starting with a caching only server and going on to setting up a primary DNS server for a domain. For more complex setups you can check the ``QnA'' section of this document. If it's not described there you will need to read the Real Documentation. I'll get back to what this Real Documentation consists of in ``the last chapter''. Before you start on this you should configure your machine so that you can telnet in and out of it, and successfully make all kinds of connections to the net, and you should especially be able to do telnet 127.0.0.1 and get your own machine (test it now!). You also need a good /etc/nsswitch.conf (or /etc/host.conf), /etc/resolv.conf and /etc/hosts files as a starting point, since I will not explain their function here. If you don't already have all this set up and working the NET-3-HOWTO and/or the PPP-HOWTO explains how to set it up. Read them. When I say `your machine' I mean the machine you are trying to set up DNS on. Not any other machine you might have that's involved in your networking effort. I assume you're not behind any kind of firewall that blocks name queries. If you are you will need a special configuration, see the section on ``QnA''. Name serving on Unix is done by a program called named. This is a part of the ``bind'' package which is coordinated by Paul Vixie for The Internet Software Consortium. Named is included in most Linux distributions and is usually installed as /usr/sbin/named. If you have a named you can probably use it; if you don't have one you can get a binary off a Linux ftp site, or get the latest and greatest source from ftp.isc.org:/isc/bind/src/cur/bind-8/. This HOWTO is about bind version 8. The old version of the HOWTO, about bind 4 is still available at http://www.math.uio.no/~janl/DNS/ in case you use bind 4. If the named man page talks about (at the very end, the FILES section) named.conf you have bind 8, if it talks about named.boot you have bind 4. If you have 4 and are security conscious you really ought to upgrade to a recent 8. DNS is a net-wide database. Take care about what you put into it. If you put junk into it, you, and others will get junk out of it. Keep your DNS tidy and consistent and you will get good service from it. Learn to use it, admin it, debug it and you will be another good admin keeping the net from falling to it's knees by mismanagement. In this document I state flatly a couple of things that are not completely true (they are at least half truths though). All in the interest of simplification. Things will (probably ;-) work if you believe what I say. Tip: Make backup copies of all the files I instruct you to change if you already have them, so if after going through this nothing works you can get it back to your old, working state. 3. A caching only name server. A first stab at DNS config, very useful for dialup users. A caching only name server will find the answer to name queries and remember the answer the next time you need it. This will shorten the waiting time the next time significantly, especially if you're on a slow connection. First you need a file called /etc/named.conf. This is read when named starts. For now it should simply contain: ______________________________________________________________________ // Config file for caching only name server options { directory "/var/named"; // Uncommenting this might help if you have to go through a // firewall and things are not working out: // query-source port 53; }; zone "." { type hint; file "root.hints"; }; zone "0.0.127.in-addr.arpa" { type master; file "pz/127.0.0"; }; ______________________________________________________________________ The `directory' line tells named where to look for files. All files named subsequently will be relative to this. Thus pz is a directory under /var/named, i.e., /var/named/pz. /var/named is the right directory according to the Linux File system Standard. The file named /var/named/root.hints is named in this. /var/named/root.hints should contain this: ______________________________________________________________________ ; ; There might be opening comments here if you already have this file. ; If not don't worry. ; . 6D IN NS G.ROOT-SERVERS.NET. . 6D IN NS J.ROOT-SERVERS.NET. . 6D IN NS K.ROOT-SERVERS.NET. . 6D IN NS L.ROOT-SERVERS.NET. . 6D IN NS M.ROOT-SERVERS.NET. . 6D IN NS A.ROOT-SERVERS.NET. . 6D IN NS H.ROOT-SERVERS.NET. . 6D IN NS B.ROOT-SERVERS.NET. . 6D IN NS C.ROOT-SERVERS.NET. . 6D IN NS D.ROOT-SERVERS.NET. . 6D IN NS E.ROOT-SERVERS.NET. . 6D IN NS I.ROOT-SERVERS.NET. . 6D IN NS F.ROOT-SERVERS.NET. G.ROOT-SERVERS.NET. 5w6d16h IN A 192.112.36.4 J.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.10 K.ROOT-SERVERS.NET. 5w6d16h IN A 193.0.14.129 L.ROOT-SERVERS.NET. 5w6d16h IN A 198.32.64.12 M.ROOT-SERVERS.NET. 5w6d16h IN A 202.12.27.33 A.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.4 H.ROOT-SERVERS.NET. 5w6d16h IN A 128.63.2.53 B.ROOT-SERVERS.NET. 5w6d16h IN A 128.9.0.107 C.ROOT-SERVERS.NET. 5w6d16h IN A 192.33.4.12 D.ROOT-SERVERS.NET. 5w6d16h IN A 128.8.10.90 E.ROOT-SERVERS.NET. 5w6d16h IN A 192.203.230.10 I.ROOT-SERVERS.NET. 5w6d16h IN A 192.36.148.17 F.ROOT-SERVERS.NET. 5w6d16h IN A 192.5.5.241 ______________________________________________________________________ The file describes the root name servers in the world. This changes over time and must be maintained. See the ``maintenance section'' for how to keep it up to date. The next section in named.conf is the last zone. I will explain its use in a later chapter, for now just make this a file named 127.0.0 in the subdirectory pz: ______________________________________________________________________ @ IN SOA ns.linux.bogus. hostmaster.linux.bogus. ( 1 ; Serial 8H ; Refresh 2H ; Retry 1W ; Expire 1D) ; Minimum TTL NS ns.linux.bogus. 1 PTR localhost. ______________________________________________________________________ Next, you need a /etc/resolv.conf looking something like this: ______________________________________________________________________ search subdomain.your-domain.edu your-domain.edu nameserver 127.0.0.1 ______________________________________________________________________ The `search' line specifies what domains should be searched for any host names you want to connect to. The `nameserver' line specifies the address of your nameserver, in this case your own machine since that is where your named runs (127.0.0.1 is right, no matter if your machine has an other address too). If you want to list several name servers put in one `nameserver' line for each. (Note: Named never reads this file, the resolver that uses named does.) To illustrate what this file does: If a client tries to look up foo, then foo.subdomain.your-domain.edu is tried first, then foo.your- fomain.edu, finally foo. If a client tries to look up sunsite.unc.edu, sunsite.unc.edu.subdomain.your-domain.edu is tried first (yes, it's silly, but that's the way it works), then sunsite.unc.edu.your-domain.edu, and finally sunsite.unc.edu. You may not want to put in too many domains in the search line, it takes time to search them all. The example assumes you belong in the domain subdomain.your- domain.edu, your machine then, is probably called your- machine.subdomain.your-domain.edu. The search line should not contain your TLD (Top Level Domain, `edu' in this case). If you frequently need to connect to hosts in another domain you can add that domain to the search line like this: ______________________________________________________________________ search subdomain.your-domain.edu your-domain.edu other-domain.com ______________________________________________________________________ and so on. Obviously you need to put real domain names in instead. Please note the lack of periods at the end of the domain names. This is important, please note the lack of periods at the end of the domain names. Next, depending on your libc version you either need to fix /etc/nsswitch.conf or /etc/host.conf. If you already have nsswitch.conf that's what we'll fix, if not, we'll fix host.conf. /etc/nsswitch.conf This is a long file specifying where to get different kinds of data types, from what file or database. It usually contains helpful comments at the top, which you should consider reading. After that find the line starting with `hosts:', it should read ______________________________________________________________________ hosts: files dns ______________________________________________________________________ If there is no line starting with `hosts:' then put in the one above. It says that programs should first look in the /etc/hosts file, then check DNS according to resolv.conf. /etc/host.conf It probably contains several lines, one should start with order and it should look like this: ______________________________________________________________________ order hosts,bind ______________________________________________________________________ If there is no `order' line you should add one. It tells the host name resolving routines to first look in /etc/hosts, then ask the name server (which you in resolv.conf said is at 127.0.0.1). 3.1. Starting named After all this it's time to start named. If you're using a dialup connection connect first. Type `ndc start', and press return, no options. If that does not work try `/usr/sbin/ndc start' instead. If that back-fires see the ``QnA'' section. If you view your syslog message file (usually called /var/adm/messages, but another directory to look in is /var/log and another file to look in is syslog) while starting named (do tail -f /var/log/messages) you should see something like: (the lines ending in \ continue on the next line) Feb 15 01:26:17 roke named[6091]: starting. named 8.1.1 Sat Feb 14 \ 00:18:20 MET 1998 ^Ijanl@roke.uio.no:/var/tmp/bind-8.1.1/src/bin/named Feb 15 01:26:17 roke named[6091]: cache zone "" (IN) loaded (serial 0) Feb 15 01:26:17 roke named[6091]: master zone "0.0.127.in-addr.arpa" \ (IN) loaded (serial 1) Feb 15 01:26:17 roke named[6091]: listening [127.0.0.1].53 (lo) Feb 15 01:26:17 roke named[6091]: listening [129.240.230.92].53 (ippp0) Feb 15 01:26:17 roke named[6091]: Forwarding source address is [0.0.0.0].1040 Feb 15 01:26:17 roke named[6092]: Ready to answer queries. If there are any messages about errors then there is a mistake. Named will name the file it is in (one of named.conf and root.hints I hope :-) Kill named and go back and check the file. Now you can test your setup. Start nslookup to examine your work. $ nslookup Default Server: localhost Address: 127.0.0.1 > If that's what you get it's working. We hope. Anything else, go back and check everything. Each time you change the named.conf file you need to restart named using the ndc restart command. Now you can enter a query. Try looking up some machine close to you. pat.uio.no is close to me, at the University of Oslo: > pat.uio.no Server: localhost Address: 127.0.0.1 Name: pat.uio.no Address: 129.240.130.16 nslookup now asked your named to look for the machine pat.uio.no. It then contacted one of the name server machines named in your root.hints file, and asked its way from there. It might take tiny while before you get the result as it may need to search all the domains you named in /etc/resolv.conf. If you ask the same again you get this: > pat.uio.no Server: localhost Address: 127.0.0.1 Non-authoritative answer: Name: pat.uio.no Address: 129.240.2.50 Note the ``Non-authoritative answer:'' line we got this time around. That means that named did not go out on the network to ask this time, the information is in the cache now. But the cached information might be out of date (stale). So you are informed of this (very slight) possibility by it saying `Non-authorative answer:'. When nslookup says this the second time you ask for a host it's a sure sign that named caches the information and that it's working. You exit nslookup by giving the command `exit'. 3.2. Making it even better In large, well organized, academic or ISP (Internet Service Provider) networks you will sometimes find that the network people has set up a forwarder hierarchy of DNS servers which helps lighten the internal network load and on the outside servers as well. It's not easy to know if you're inside such a network or not. It is however not important and by using the DNS server of your network provider as a ``forwarder'' you can make the responses to queries faster and less of a load on your network. If you use a modem this can be quite a win. For the sake of this example we assume that your network provider has two name servers they want you to use, with IP numbers 10.0.0.1 and 10.1.0.1. Then, in your named.conf file, inside the opening section called ``options'' insert these lines: ______________________________________________________________________ forward first; forwarders { 10.0.0.1; 10.1.0.1; }; ______________________________________________________________________ Restart your nameserver and test it with nslookup. Should work fine. 3.3. Congratulations Now you know how to set up a caching named. Take a beer, milk, or whatever you prefer to celebrate it. 4. A simple domain. How to set up your own domain. 4.1. But first some dry theory Before we really start this section I'm going to serve you some theory on and an example of how DNS works. And you're going to read it because it's good for you. If you don't want to you should at least skim it very quickly. Stop skimming when you get to what should go in your named.conf file. DNS is a hierarchical, tree structured, system. The top is written `.' and pronounced `root'. Under . there are a number of Top Level Domains (TLDs), the best known ones are ORG, COM, EDU and NET, but there are many more. Just like a tree it has a root and it branches out. If you have any computer science background you will recognize DNS as a search tree, and you will be able to find nodes, leaf nodes and edges. When looking for a machine the query proceeds recursively into the hierarchy starting at the top. If you want to find out the address of prep.ai.mit.edu your name server has to find a name server that serves edu. It asks a . server (it already knows the . servers, that's what the root.hints file is for), the . server gives a list of edu servers: $ nslookup Default Server: localhost Address: 127.0.0.1 Start asking a root server: > server c.root-servers.net. Default Server: c.root-servers.net Address: 192.33.4.12 Set the Query type to NS (name server records): > set q=ns Ask about edu: > edu. The trailing . here is significant, it tells nslookup we're asking that edu is right under . (and not under any of our search domains, it speeds the search). edu nameserver = A.ROOT-SERVERS.NET edu nameserver = H.ROOT-SERVERS.NET edu nameserver = B.ROOT-SERVERS.NET edu nameserver = C.ROOT-SERVERS.NET edu nameserver = D.ROOT-SERVERS.NET edu nameserver = E.ROOT-SERVERS.NET edu nameserver = I.ROOT-SERVERS.NET edu nameserver = F.ROOT-SERVERS.NET edu nameserver = G.ROOT-SERVERS.NET A.ROOT-SERVERS.NET internet address = 198.41.0.4 H.ROOT-SERVERS.NET internet address = 128.63.2.53 B.ROOT-SERVERS.NET internet address = 128.9.0.107 C.ROOT-SERVERS.NET internet address = 192.33.4.12 D.ROOT-SERVERS.NET internet address = 128.8.10.90 E.ROOT-SERVERS.NET internet address = 192.203.230.10 I.ROOT-SERVERS.NET internet address = 192.36.148.17 F.ROOT-SERVERS.NET internet address = 192.5.5.241 G.ROOT-SERVERS.NET internet address = 192.112.36.4 This tells us that all ROOT-SERVERS.NET servers serves EDU., so we can go on asking any of them. We'll continue asking C. Now we want to know who serves the next level of the domain name: mit.edu.: > mit.edu. Server: c.root-servers.net Address: 192.33.4.12 Non-authoritative answer: mit.edu nameserver = W20NS.mit.edu mit.edu nameserver = BITSY.mit.edu mit.edu nameserver = STRAWB.mit.edu Authoritative answers can be found from: W20NS.mit.edu internet address = 18.70.0.160 BITSY.mit.edu internet address = 18.72.0.3 STRAWB.mit.edu internet address = 18.71.0.151 steawb, w20ns and bitsy all serves mit.edu, we select one and inquire about the name one more level up: ai.mit.edu: > server W20NS.mit.edu. Host names are not case sensitive, but I use my mouse to cut and paste so it gets copied as-is from the screen. Server: W20NS.mit.edu Address: 18.70.0.160 > ai.mit.edu. Server: W20NS.mit.edu Address: 18.70.0.160 Non-authoritative answer: ai.mit.edu nameserver = ALPHA-BITS.AI.MIT.EDU ai.mit.edu nameserver = GRAPE-NUTS.AI.MIT.EDU ai.mit.edu nameserver = TRIX.AI.MIT.EDU ai.mit.edu nameserver = MUESLI.AI.MIT.EDU ai.mit.edu nameserver = LIFE.AI.MIT.EDU ai.mit.edu nameserver = BEET-CHEX.AI.MIT.EDU ai.mit.edu nameserver = MINI-WHEATS.AI.MIT.EDU ai.mit.edu nameserver = COUNT-CHOCULA.AI.MIT.EDU ai.mit.edu nameserver = MINTAKA.LCS.MIT.EDU Authoritative answers can be found from: AI.MIT.EDU nameserver = ALPHA-BITS.AI.MIT.EDU AI.MIT.EDU nameserver = GRAPE-NUTS.AI.MIT.EDU AI.MIT.EDU nameserver = TRIX.AI.MIT.EDU AI.MIT.EDU nameserver = MUESLI.AI.MIT.EDU AI.MIT.EDU nameserver = LIFE.AI.MIT.EDU AI.MIT.EDU nameserver = BEET-CHEX.AI.MIT.EDU AI.MIT.EDU nameserver = MINI-WHEATS.AI.MIT.EDU AI.MIT.EDU nameserver = COUNT-CHOCULA.AI.MIT.EDU AI.MIT.EDU nameserver = MINTAKA.LCS.MIT.EDU ALPHA-BITS.AI.MIT.EDU internet address = 128.52.32.5 GRAPE-NUTS.AI.MIT.EDU internet address = 128.52.36.4 TRIX.AI.MIT.EDU internet address = 128.52.37.6 MUESLI.AI.MIT.EDU internet address = 128.52.39.7 LIFE.AI.MIT.EDU internet address = 128.52.32.80 BEET-CHEX.AI.MIT.EDU internet address = 128.52.32.22 MINI-WHEATS.AI.MIT.EDU internet address = 128.52.54.11 COUNT-CHOCULA.AI.MIT.EDU internet address = 128.52.38.22 MINTAKA.LCS.MIT.EDU internet address = 18.26.0.36 So museli.ai.mit.edu is a nameserver for ai.mit.edu: > server MUESLI.AI.MIT.EDU Default Server: MUESLI.AI.MIT.EDU Address: 128.52.39.7 Now I change query type, we've found the name server so now we're going to ask about everything wheaties knows about prep.ai.mit.edu. > set q=any > prep.ai.mit.edu. Server: MUESLI.AI.MIT.EDU Address: 128.52.39.7 prep.ai.mit.edu CPU = dec/decstation-5000.25 OS = unix prep.ai.mit.edu inet address = 18.159.0.42, protocol = tcp ftp telnet smtp finger prep.ai.mit.edu preference = 1, mail exchanger = gnu-life.ai.mit.edu prep.ai.mit.edu internet address = 18.159.0.42 ai.mit.edu nameserver = beet-chex.ai.mit.edu ai.mit.edu nameserver = alpha-bits.ai.mit.edu ai.mit.edu nameserver = mini-wheats.ai.mit.edu ai.mit.edu nameserver = trix.ai.mit.edu ai.mit.edu nameserver = muesli.ai.mit.edu ai.mit.edu nameserver = count-chocula.ai.mit.edu ai.mit.edu nameserver = mintaka.lcs.mit.edu ai.mit.edu nameserver = life.ai.mit.edu gnu-life.ai.mit.edu internet address = 128.52.32.60 beet-chex.ai.mit.edu internet address = 128.52.32.22 alpha-bits.ai.mit.edu internet address = 128.52.32.5 mini-wheats.ai.mit.edu internet address = 128.52.54.11 trix.ai.mit.edu internet address = 128.52.37.6 muesli.ai.mit.edu internet address = 128.52.39.7 count-chocula.ai.mit.edu internet address = 128.52.38.22 mintaka.lcs.mit.edu internet address = 18.26.0.36 life.ai.mit.edu internet address = 128.52.32.80 So starting at . we found the successive name servers for the each level in the domain name. If you had used your own DNS server instead of using all those other servers, your named would of-course cache all the information it found while digging this out for you, and it would not have to ask again for a while. In the tree analogue each ``.'' in the name is a branching point. And each part between the ``.''s are the names of individual branches in the tree. We climb the tree by taking the name we want (prep.ai.mit.edu) first finding the root (.) and then looking for the next branch to climb, in this case edu. Once we have found it we climb it by switching to the server that knows about that part of the name. Next we look for the mit branch over the edu branch (the combined name is mit.edu) and climb it by switching to a server that knows about mit.edu. Again we look for the next branch, it's ai.mit.edu and again we switch to the server that knows about it. Now we have arrived at the right server, at the right branching point. The last part is finding prep.ai.mit.edu, which is simple. In computer science we usually call prep a leaf on the tree. A much less talked about, but just as important domain is in- addr.arpa. It too is nested like the `normal' domains. in-addr.arpa allows us to get the hosts name when we have its address. A important thing here is to note that ip addresses are written in reverse order in the in-addr.arpa domain. If you have the address of a machine: 192.128.52.43 named proceeds just like for the prep.ai.mit.edu example: find arpa. servers. Find in-addr.arpa. servers, find 192.in- addr.arpa. servers, find 128.192.in-addr.arpa. servers, find 52.128.192.in-addr.arpa. servers. Find needed records for 43.52.128.192.in-addr.arpa. Clever huh? (Say `yes'.) The reversion of the numbers can be confusing for years though. I have just told a lie. DNS does not work precisely the way I just told you. But it's close enough. 4.2. Our own domain Now to define our own domain. We're going to make the domain linux.bogus and define machines in it. I use a totally bogus domain name to make sure we disturb no-one Out There. One more thing before we start: Not all characters are allowed in host names. We're restricted to the characters of the English alphabet: a- z, and numbers: 0-9 and the character '-' (dash). Keep to those characters. Upper and lower-case characters are the same for DNS, so pat.uio.no is identical to Pat.UiO.No. We've already started this part with this line in named.conf: ______________________________________________________________________ zone "0.0.127.in-addr.arpa" { type master; file "pz/127.0.0"; }; ______________________________________________________________________ Please note the lack of `.' at the end of the domain names in this file. This says that now we will define the zone 0.0.127.in- addr.arpa, that we're the master server for it and that it is stored in a file called pz/127.0.0. We've already set up this file, it reads: ______________________________________________________________________ @ IN SOA ns.linux.bogus. hostmaster.linux.bogus. ( 1 ; Serial 8H ; Refresh 2H ; Retry 1W ; Expire 1D) ; Minimum TTL NS ns.linux.bogus. 1 PTR localhost. ______________________________________________________________________ Please note the `.' at the end of all the full domain names in this file, in contrast to the named.conf file above. Some people like to start each zone file with a $ORIGIN directive, but this is superfluous. The origin (where in the DNS hierarchy it belongs) of a zone file is specified in the zone section of the named.conf file, in this case it's 0.0.127.in-addr.arpa. This `zone file' contains 3 `resource records' (RRs): A SOA RR. A NS RR and a PTR RR. SOA is short for Start Of Authority. The `@' is a special notation meaning the origin, and since the `domain' column for this file says 0.0.127.in-addr.arpa the first line really means 0.0.127.in-addr.arpa. IN SOA ... NS is the Name Server RR. There is no '@' at the start of this line, it is implicit since the last line started with a '@'. Saves some typing that. So the NS line could also be written 0.0.127.in-addr.arpa. IN NS ns.linux.bogus It tells DNS what machine is the name server of the domain 0.0.127.in- addr.arpa, it is ns.linux.bogus. 'ns' is a customary name for name- servers, but as with web servers who are customarily named www.something the name may be anything. And finally the PTR record says that the host at address 1 in the subnet 0.0.127.in-addr.arpa, i.e., 127.0.0.1 is named localhost. The SOA record is the preamble to all zone files, and there should be exactly one in each zone file. It describes the zone, where it comes from (a machine called ns.linux.bogus), who is responsible for its contents (hostmaster@linux.bogus, you should insert your e-mail address here), what version of the zone file this is (serial: 1), and other things having to do with caching and secondary DNS servers. For the rest of the fields (refresh, retry, expire and minimum) use the numbers used in this HOWTO and you should be safe. Now restart your named (the command is ndc restart) and use nslookup to examine what you've done: $ nslookup Default Server: localhost Address: 127.0.0.1 > 127.0.0.1 Server: localhost Address: 127.0.0.1 Name: localhost Address: 127.0.0.1 so it manages to get localhost from 127.0.0.1, good. Now for our main task, the linux.bogus domain, insert a new 'zone' section in named.conf: ______________________________________________________________________ zone "linux.bogus" { notify no; type master; file "pz/linux.bogus"; }; ______________________________________________________________________ Note again the lack of ending `.' on the domain name in the named.conf file. In the linux.bogus zone file we'll put some totally bogus data: ______________________________________________________________________ ; ; Zone file for linux.bogus ; ; The full zone file ; @ IN SOA ns.linux.bogus. hostmaster.linux.bogus. ( 199802151 ; serial, todays date + todays serial # 8H ; refresh, seconds 2H ; retry, seconds 1W ; expire, seconds 1D ) ; minimum, seconds ; NS ns ; Inet Address of name server MX 10 mail.linux.bogus ; Primary Mail Exchanger MX 20 mail.friend.bogus. ; Secondary Mail Exchanger ; localhost A 127.0.0.1 ns A 192.168.196.2 mail A 192.168.196.4 ______________________________________________________________________ Two things must be noted about the SOA record. ns.linux.bogus must be a actual machine with a A record. It is not legal to have a CNAME record for he machine mentioned in the SOA record. It's name need not be `ns', it could be any legal host name. Next, hostmaster.linux.bogus should be read as hostmaster@linux.bogus, this should be a mail alias, or a mailbox, where the person(s) maintaining DNS should read mail frequently. Any mail regarding the domain will be sent to the address listed here. The name need not be `hostmaster', it can be your normal e-mail address, but the e-mail address `hostmaster' is often expected to work as well. There is one new RR type in this file, the MX, or Mail eXchanger RR. It tells mail systems where to send mail that is addressed to someone@linux.bogus, namely too mail.linux.bogus or mail.friend.bogus. The number before each machine name is that MX RRs priority. The RR with the lowest number (10) is the one mail should be sent to if possible. If that fails the mail can be sent to one with a higher number, a secondary mail handler, i.e., mail.friend.bogus which has priority 20 here. Restart named by running ndc restart. Examine the results with nslookup: $ nslookup > set q=any > linux.bogus Server: localhost Address: 127.0.0.1 linux.bogus origin = ns.linux.bogus mail addr = hostmaster.linux.bogus serial = 199802151 refresh = 28800 (8 hours) retry = 7200 (2 hours) expire = 604800 (7 days) minimum ttl = 86400 (1 day) linux.bogus nameserver = ns.linux.bogus linux.bogus preference = 10, mail exchanger = mail.linux.bogus.linux.bogus linux.bogus preference = 20, mail exchanger = mail.friend.bogus linux.bogus nameserver = ns.linux.bogus ns.linux.bogus internet address = 192.168.196.2 mail.linux.bogus internet address = 192.168.196.4 Upon careful examination you will discover a bug. The line linux.bogus preference = 10, mail exchanger = mail.linux.bogus.linux.bogus is all wrong. It should be linux.bogus preference = 10, mail exchanger = mail.linux.bogus I deliberately made a mistake so you could learn from it :-) Looking in the zone file we find that the line MX 10 mail.linux.bogus ; Primary Mail Exchanger is missing a period. Or has a 'linux.bogus' too many. If a machine name does not end in a period in a zone file the origin is added to its end causing the double linux.bogus.linux.bogus. So either ______________________________________________________________________ MX 10 mail.linux.bogus. ; Primary Mail Exchanger ______________________________________________________________________ or ______________________________________________________________________ MX 10 mail ; Primary Mail Exchanger ______________________________________________________________________ is correct. I prefer the latter form, it's less to type. There are some bind experts that disagree, and some that agree with this. In a zone file the domain should either be written out and ended with a `.' or it should not be included at all, in which case it defaults to the origin. I must stress that in the named.conf file there should not be `.'s after the domain names. You have no idea how many times a `.' too many or few have fouled up things and confused the h*ll out of people. So having made my point here is the new zone file, with some extra information in it as well: ______________________________________________________________________ ; ; Zone file for linux.bogus ; ; The full zone file ; @ IN SOA ns.linux.bogus. hostmaster.linux.bogus. ( 199802151 ; serial, todays date + todays serial # 8H ; refresh, seconds 2H ; retry, seconds 1W ; expire, seconds 1D ) ; minimum, seconds ; TXT "Linux.Bogus, your DNS consultants" NS ns ; Inet Address of name server NS ns.friend.bogus. MX 10 mail ; Primary Mail Exchanger MX 20 mail.friend.bogus. ; Secondary Mail Exchanger localhost A 127.0.0.1 gw A 192.168.196.1 HINFO "Cisco" "IOS" TXT "The router" ns A 192.168.196.2 MX 10 mail MX 20 mail.friend.bogus. HINFO "Pentium" "Linux 2.0" www CNAME ns donald A 192.168.196.3 MX 10 mail MX 20 mail.friend.bogus. HINFO "i486" "Linux 2.0" TXT "DEK" mail A 192.168.196.4 MX 10 mail MX 20 mail.friend.bogus. HINFO "386sx" "Linux 1.2" ftp A 192.168.196.5 MX 10 mail MX 20 mail.friend.bogus. HINFO "P6" "Linux 2.1.86" ______________________________________________________________________ There are a number of new RRs here: HINFO (Host INFOrmation) has two parts, it's a good habit to quote each. The first part is the hardware or CPU on the machine, and the second part the software or OS on the machine. The machine called 'ns' has a Pentium CPU and runs Linux 2.0. CNAME (Canonical NAME) is a way to give each machine several names. So www is an alias for ns. CNAME record usage is a bit controversial. But it's safe to follow the rule that a MX, CNAME or SOA record should never refer to a CNAME record, they should only refer to something with a A record, so it is inadvisable to have ______________________________________________________________________ foobar CNAME www ; NO! ______________________________________________________________________ but correct to have ______________________________________________________________________ foobar CNAME ns ; Yes! ______________________________________________________________________ It's also safe to assume that a CNAME is not a legal host name for a e-mail address: webmaster@www.linux.bogus is an illegal e-mail address given the setup above. You can expect quite a few mail admins Out There to enforce this rule even if it works for you. The way to avoid this is to use A records (and perhaps some others too, like a MX record) instead: ______________________________________________________________________ www A 192.168.196.2 ______________________________________________________________________ A number of the arch-bind-wizards, recommend not using CNAME at all. But the discussion of why or why not is beyond this HOWTO. But as you see, this HOWTO and many sites does not follow this rule. Load the new database by running ndc reload, this causes named to read its files again. $ nslookup Default Server: localhost Address: 127.0.0.1 > ls -d linux.bogus This means that all records should be listed. It results in this: [localhost] $ORIGIN linux.bogus. @ 1D IN SOA ns hostmaster ( 199802151 ; serial 8H ; refresh 2H ; retry 1W ; expiry 1D ) ; minimum 1D IN NS ns 1D IN NS ns.friend.bogus. 1D IN TXT "Linux.Bogus, your DNS consultants" 1D IN MX 10 mail 1D IN MX 20 mail.friend.bogus. gw 1D IN A 192.168.196.1 1D IN HINFO "Cisco" "IOS" 1D IN TXT "The router" mail 1D IN A 192.168.196.4 1D IN MX 10 mail 1D IN MX 20 mail.friend.bogus. 1D IN HINFO "386sx" "Linux 1.0.9" localhost 1D IN A 127.0.0.1 www 1D IN CNAME ns donald 1D IN A 192.168.196.3 1D IN MX 10 mail 1D IN MX 20 mail.friend.bogus. 1D IN HINFO "i486" "Linux 1.2" 1D IN TXT "DEK" ftp 1D IN A 192.168.196.5 1D IN MX 10 mail 1D IN MX 20 mail.friend.bogus. 1D IN HINFO "P6" "Linux 1.3.59" ns 1D IN A 192.168.196.2 1D IN MX 10 mail 1D IN MX 20 mail.friend.bogus. 1D IN HINFO "Pentium" "Linux 1.2" That's good. As you see it looks a lot like the zone file itself. Let's check what it says for www alone: > set q=any > www.linux.bogus. Server: localhost Address: 127.0.0.1 www.linux.bogus canonical name = ns.linux.bogus linux.bogus nameserver = ns.linux.bogus linux.bogus nameserver = ns.friend.bogus ns.linux.bogus internet address = 192.168.196.2 In other words, the real name of www.linux.bogus is ns.linux.bogus, and it gives you some of the information it has about ns as well, enough to connect to it if you were a program. Now we're halfway. 4.3. The reverse zone Now programs can convert the names in linux.bogus to addresses which they can connect to. But also required is a reverse zone, one making DNS able to convert from an address to a name. This name is used buy a lot of servers of different kinds (FTP, IRC, WWW and others) to decide if they want to talk to you or not, and if so, maybe even how much priority you should be given. For full access to all services on the Internet a reverse zone is required. Put this in named.conf: ______________________________________________________________________ zone "196.168.192.in-addr.arpa" { notify no; type master; file "pz/192.168.196"; }; ______________________________________________________________________ This is exactly as with the 0.0.127.in-addr.arpa, and the contents are similar: ______________________________________________________________________ @ IN SOA ns.linux.bogus. hostmaster.linux.bogus. ( 199802151 ; Serial, todays date + todays serial 8H ; Refresh 2H ; Retry 1W ; Expire 1D) ; Minimum TTL NS ns.linux.bogus. 1 PTR gw.linux.bogus. 2 PTR ns.linux.bogus. 3 PTR donald.linux.bogus. 4 PTR mail.linux.bogus. 5 PTR ftp.linux.bogus. ______________________________________________________________________ Now you restart your named (ndc restart) and examine your work with nslookup again: ______________________________________________________________________ > 192.168.196.4 Server: localhost Address: 127.0.0.1 Name: mail.linux.bogus Address: 192.168.196.4 ______________________________________________________________________ so, it looks OK, dump the whole thing to examine that too: ______________________________________________________________________ > ls -d 196.168.192.in-addr.arpa [localhost] $ORIGIN 196.168.192.in-addr.arpa. @ 1D IN SOA ns.linux.bogus. hostmaster.linux.bogus. ( 199802151 ; serial 8H ; refresh 2H ; retry 1W ; expiry 1D ) ; minimum 1D IN NS ns.linux.bogus. 1 1D IN PTR gw.linux.bogus. 2 1D IN PTR ns.linux.bogus. 3 1D IN PTR donald.linux.bogus. 4 1D IN PTR mail.linux.bogus. 5 1D IN PTR ftp.linux.bogus. @ 1D IN SOA ns.linux.bogus. hostmaster.linux.bogus. ( 199802151 ; serial 8H ; refresh 2H ; retry 1W ; expiry 1D ) ; minimum ______________________________________________________________________ Looks good! If your output didn't look like that look for error- messages in your syslog, I explained how to do that at the very beginning of this chapter. 4.4. Words of caution There are some things I should add here. The IP numbers used in the examples above are taken from one of the blocks of 'private nets', i.e., they are not allowed to be used publicly on the internet. So they are safe to use in an example in a HOWTO. The second thing is the notify no; line. It tells named not to notify its secondary (slave) servers when it has gotten a update to one of its zone files. In bind-8 the named can notify the other servers listed in NS records in the zone file when a zone is updated. This is handy for ordinary use, but for private experiments with zones this feature should be off, we don't want the experiment to pollute the Internet do we? And, of course, this domain is highly bogus, and so are all the addresses in it. For a real example of a real-life domain see the next main-section. 4.5. Why reverse lookups don't work. There are a couple of ``gotchas'' that normally are avoided with name lookups that are often seen when setting up reverse zones. Before you go on you need reverse lookups of your machines working on your own nameserver. If it isn't go back and fix it before continuing. I will discuss two failures of reverse lookups as seen from outside your network: 4.5.1. The reverse zone isn't delegated. When you ask a service provider for a network-address range and a domain name the domain name is normally delegated as a matter of course. A delegation is the glue NS record that helps you get from one nameserver to another as explained in the dry theory section above. You read that, right? If your reverse zone dosn't work go back and read it. Now. The reverse zone also needs to be delegated. If you got the 192.168.196 net with the linux.bogus domain from your provider they need to put NS records in for your reverse zone as well as for your forward zone. If you follow the chain from in-addr.arpa and up to your net you will probably find a break in the chain. Most probably at your service provider. Having found the break in the chain contact your service-provider and ask them to correct the error. 4.5.2. You've got a classless subnet This is a somewhat advanced topic, but classless subnets are very common these days and you probably have one unless you're a medium sized company. A classless subnet is what keeps the Internet going these days. Some years ago there was much ado about the shortage of ip numbers. The smart people in IETF (the Internet Engineering Task Force, they keep the Internet working) stuck their heads together and solved the problem. At a price. The price is that you'll get less than a ``C'' subnet and some things may break. Please see Ask Mr. DNS at http://www.acmebw.com/askmrdns/00007.htm for an good explanation of this and how to handle it. Did you read it? I'm not going to explain it so please read it. The first part of the problem is that your ISP must understand the technique described by Mr. DNS. Not all small ISPs have a working understanding of this. If so you might have to explain to them and be persistent. But be sure you understand it first ;-). They will then set up a nice reverse zone at their server which you can examine for correctness with nslookup. The second and last part of the problem is that you must understand the technique. If you're unsure go back and read about it again. Then you can set up your own classless reverse zone as described by Mr. DNS. There is another trap lurking here. Old resolvers will not be able to follow the CNAME trick in the resolving chain and will fail to reverse-resolve your machine. This can result in the service assigning it an incorrect access class, deny access or something along those lines. If you stumble into such a service the only solution (that I know of) is for your ISP to insert your PTR record directly into their trick classless zone file instead of the trick CNAME record. Some ISPs will offer other ways to handle this, like Web based forms for you to input your reverse-mappings in or other automagical systems. 5. A real domain example Where we list some real zone files Users have suggested that I include a real example of a working domain as well as the tutorial example. I use this example with permission from David Bullock of LAND-5. These files were current 24th of September 1996, and were then edited to fit bind 8 restrictions and use extensions by me. So, what you see here differs a bit from what you find if you query LAND-5's name servers now. 5.1. /etc/named.conf (or /var/named/named.conf) Here we find master zone sections for the two reverse zones needed: the 127.0.0 net, as well as LAND-5's 206.6.177 subnet. And a primary line for land-5's forward zone land-5.com. Also note that instead of stuffing the files in a directory called pz, as I do in this HOWTO, he puts them in a directory called zone. ______________________________________________________________________ // Boot file for LAND-5 name server options { directory "/var/named"; }; zone "." { type hint; file "root.hints"; }; zone "0.0.127.in-addr.arpa" { type master; file "zone/127.0.0"; }; zone "land-5.com" { type master; file "zone/land-5.com"; }; zone "177.6.206.in-addr.arpa" { type master; file "zone/206.6.177"; }; ______________________________________________________________________ If you put this in your named.conf file to play with PLEASE put ``notify no;'' in the zone sections for the two land-5 zones so as to avoid accidents. 5.2. /var/named/root.hints Keep in mind that this file is dynamic, and the one listed here is old. You're better off using one produced now, with dig, as explained earlier. ______________________________________________________________________ ; <<>> DiG 8.1 <<>> @A.ROOT-SERVERS.NET. ; (1 server found) ;; res options: init recurs defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10 ;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13 ;; QUERY SECTION: ;; ., type = NS, class = IN ;; ANSWER SECTION: . 6D IN NS G.ROOT-SERVERS.NET. . 6D IN NS J.ROOT-SERVERS.NET. . 6D IN NS K.ROOT-SERVERS.NET. . 6D IN NS L.ROOT-SERVERS.NET. . 6D IN NS M.ROOT-SERVERS.NET. . 6D IN NS A.ROOT-SERVERS.NET. . 6D IN NS H.ROOT-SERVERS.NET. . 6D IN NS B.ROOT-SERVERS.NET. . 6D IN NS C.ROOT-SERVERS.NET. . 6D IN NS D.ROOT-SERVERS.NET. . 6D IN NS E.ROOT-SERVERS.NET. . 6D IN NS I.ROOT-SERVERS.NET. . 6D IN NS F.ROOT-SERVERS.NET. ;; ADDITIONAL SECTION: G.ROOT-SERVERS.NET. 5w6d16h IN A 192.112.36.4 J.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.10 K.ROOT-SERVERS.NET. 5w6d16h IN A 193.0.14.129 L.ROOT-SERVERS.NET. 5w6d16h IN A 198.32.64.12 M.ROOT-SERVERS.NET. 5w6d16h IN A 202.12.27.33 A.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.4 H.ROOT-SERVERS.NET. 5w6d16h IN A 128.63.2.53 B.ROOT-SERVERS.NET. 5w6d16h IN A 128.9.0.107 C.ROOT-SERVERS.NET. 5w6d16h IN A 192.33.4.12 D.ROOT-SERVERS.NET. 5w6d16h IN A 128.8.10.90 E.ROOT-SERVERS.NET. 5w6d16h IN A 192.203.230.10 I.ROOT-SERVERS.NET. 5w6d16h IN A 192.36.148.17 F.ROOT-SERVERS.NET. 5w6d16h IN A 192.5.5.241 ;; Total query time: 215 msec ;; FROM: roke.uio.no to SERVER: A.ROOT-SERVERS.NET. 198.41.0.4 ;; WHEN: Sun Feb 15 01:22:51 1998 ;; MSG SIZE sent: 17 rcvd: 436 ______________________________________________________________________ 5.3. /var/named/zone/127.0.0 Just the basics, the obligatory SOA record, and a record that maps 127.0.0.1 to localhost. Both are required. No more should be in this file. It will probably never need to be updated, unless your nameserver or hostmaster address changes. ______________________________________________________________________ @ IN SOA land-5.com. root.land-5.com. ( 199609203 ; Serial 28800 ; Refresh 7200 ; Retry 604800 ; Expire 86400) ; Minimum TTL NS land-5.com. 1 PTR localhost. ______________________________________________________________________ 5.4. /var/named/zone/land-5.com Here we see the mandatory SOA record, the needed NS records. We can see that he has a secondary name server at ns2.psi.net. This is as it should be, always have a off site secondary server as backup. We can also see that he has a master host called land-5 which takes care of many of the different Internet services, and that he's done it with CNAMEs (a alternative is using A records). As you see from the SOA record, the zone file originates at land-5.com, the contact person is root@land-5.com. hostmaster is another oft used address for the contact person. The serial number is in the customary yyyymmdd format with todays serial number appended; this is probably the sixth version of zone file on the 20th of September 1996. Remember that the serial number must increase monotonically, here there is only one digit for todays serial#, so after 9 edits he has to wait until tomorrow before he can edit the file again. Consider using two digits. ______________________________________________________________________ @ IN SOA land-5.com. root.land-5.com. ( 199609206 ; serial, todays date + todays serial # 8H ; refresh, seconds 2H ; retry, seconds 1W ; expire, seconds 1D ) ; minimum, seconds NS land-5.com. NS ns2.psi.net. MX 10 land-5.com. ; Primary Mail Exchanger TXT "LAND-5 Corporation" localhost A 127.0.0.1 router A 206.6.177.1 land-5.com. A 206.6.177.2 ns A 206.6.177.3 www A 207.159.141.192 ftp CNAME land-5.com. mail CNAME land-5.com. news CNAME land-5.com. funn A 206.6.177.2 ; ; Workstations ; ws-177200 A 206.6.177.200 MX 10 land-5.com. ; Primary Mail Host ws-177201 A 206.6.177.201 MX 10 land-5.com. ; Primary Mail Host ws-177202 A 206.6.177.202 MX 10 land-5.com. ; Primary Mail Host ws-177203 A 206.6.177.203 MX 10 land-5.com. ; Primary Mail Host ws-177204 A 206.6.177.204 MX 10 land-5.com. ; Primary Mail Host ws-177205 A 206.6.177.205 MX 10 land-5.com. ; Primary Mail Host ; {Many repetitive definitions deleted - SNIP} ws-177250 A 206.6.177.250 MX 10 land-5.com. ; Primary Mail Host ws-177251 A 206.6.177.251 MX 10 land-5.com. ; Primary Mail Host ws-177252 A 206.6.177.252 MX 10 land-5.com. ; Primary Mail Host ws-177253 A 206.6.177.253 MX 10 land-5.com. ; Primary Mail Host ws-177254 A 206.6.177.254 MX 10 land-5.com. ; Primary Mail Host ______________________________________________________________________ If you examine land-5s nameserver you will find that the host names are of the form ws_number. As of late bind 4 versions named started enforcing the restrictions on what characters may be used in host names. So that does not work with bind-8 at all, and I substituted '-' (dash) for '_' (underline) for use in this HOWTO. Another thing to note is that the workstations don't have individual names, but rather a prefix followed by the two last parts of the IP numbers. Using such a convention can simplify maintenance significantly, but can be a bit impersonal, and, in fact, be a source of irritation among your customers. We also see that funn.land-5.com is an alias for land-5.com, but using an A record, not a CNAME record. This is a good policy as noted earlier. 5.5. /var/named/zone/206.6.177 I'll comment on this file below ______________________________________________________________________ @ IN SOA land-5.com. root.land-5.com. ( 199609206 ; Serial 28800 ; Refresh 7200 ; Retry 604800 ; Expire 86400) ; Minimum TTL NS land-5.com. NS ns2.psi.net. ; ; Servers ; 1 PTR router.land-5.com. 2 PTR land-5.com. 2 PTR funn.land-5.com. ; ; Workstations ; 200 PTR ws-177200.land-5.com. 201 PTR ws-177201.land-5.com. 202 PTR ws-177202.land-5.com. 203 PTR ws-177203.land-5.com. 204 PTR ws-177204.land-5.com. 205 PTR ws-177205.land-5.com. ; {Many repetitive definitions deleted - SNIP} 250 PTR ws-177250.land-5.com. 251 PTR ws-177251.land-5.com. 252 PTR ws-177252.land-5.com. 253 PTR ws-177253.land-5.com. 254 PTR ws-177254.land-5.com. ______________________________________________________________________ The reverse zone is the bit of the setup that seems to cause the most grief. It is used to find the host name if you have the IP number of a machine. Example: you are an IRC server and accept connections from IRC clients. However you are a Norwegian IRC server and so you only want to accept connections from clients in Norway and other Scandinavian countries. When you get a connection from a client the C library is able to tell you the IP number of the connecting machine because the IP number of the client is contained in all the packets that are passed over the network. Now you can call a function called gethostbyaddr that looks up the name of a host given the IP number. Gethostbyaddr will ask a DNS server, which will then traverse the DNS looking for the machine. Supposing the client connection is from ws-177200.land-5.com. The IP number the C library provides to the IRC server is 206.6.177.200. To find out the name of that machine we need to find 200.177.6.206.in-addr.arpa. The DNS server will first find the arpa. servers, then find in-addr.arpa. servers, following the reverse trail through 206, then 6 and at last finding the server for the 177.6.206.in-addr.arpa zone at LAND-5. From which it will finally get the answer that for 200.177.6.206.in-addr.arpa we have a ``PTR ws-177200.land-5.com'' record, meaning that the name that goes with 206.6.177.200 is ws-177200.land-5.com. As with the explanation of how prep.ai.mit.edu is looked up, this is slightly fictitious. Getting back to the IRC server example. The IRC server only accepts connections from the Scandinavian countries, i.e., *.no, *.se, *.dk, the name ws-177200.land-5.com clearly does not match any of those, and the server will deny the connection. If there was no reverse mapping of 206.2.177.200 through the in-addr.arpa zone the server would have been unable to find the name at all and would have to settle to comparing 206.2.177.200 with *.no, *.se and *.dk, none of which will match. Some people will tell you that reverse lookup mappings are only important for servers, or not important at all. Not so: Many ftp, news, IRC and even some http (WWW) servers will not accept connections from machines of which they are not able to find the name. So reverse mappings for machines are in fact mandatory. 6. Maintenance Keeping it working. There is one maintenance task you have to do on nameds, other than keeping them running. That's keeping the root.hints file updated. The easiest way is using dig, first run dig with no arguments, you will get the root.hints according to your own server. Then ask one of the listed root servers with dig @rootserver. You will note that the output looks terribly like a root.hints file. Save it to a file (dig @e.root-servers.net . ns >root.hints.new) and replace the old root.hints with it. Remember to reload named after replacing the cache file. Al Longyear sent me this script, that can be run automatically to update root.hints, install a crontab entry to run it once a month and forget it. The script assumes you have mail working and that the mail-alias `hostmaster' is defined. You must hack it to suit your setup. ______________________________________________________________________ #!/bin/sh # # Update the nameserver cache information file once per month. # This is run automatically by a cron entry. # # Original by Al Longyear # Updated for bind 8 by Nicolai Langfeldt # Miscelanious error-conditions reported by David A. Ranch # Ping test suggested by Martin Foster # ( echo "To: hostmaster <hostmaster>" echo "From: system <root>" echo "Subject: Automatic update of the root.hints file" echo PATH=/sbin:/usr/sbin:/bin:/usr/bin: export PATH cd /var/named # Are we online? Ping a server at your ISP case `ping -qnc some.machine.net` in *'100% packet loss'*) echo "The network is DOWN. root.hints NOT updated" echo exit 0 ;; esac dig @rs.internic.net . ns >root.hints.new 2>&1 case `cat root.hints.new` in *NOERROR*) # It worked :;; *) echo "The root.hints file update has FAILED." echo "This is the dig output reported:" echo cat root.hints.new exit 0 ;; esac echo "The root.hints file has been updated to contain the following information:" echo cat root.hints.new chown root.root root.hints.new chmod 444 root.hints.new rm -f root.hints.old mv root.hints root.hints.old mv root.hints.new root.hints ndc restart echo echo "The nameserver has been restarted to ensure that the update is complete." echo "The previous root.hints file is now called /var/named/root.hints.old." ) 2>&1 | /usr/lib/sendmail -t exit 0 ______________________________________________________________________ Some of you might have picked up that the root.hints file is also available by ftp from Internic. Please don't use ftp to update root.hints, the above method is much more friendly to the net, and Internic. 7. Converting from version 4 to version 8 This was originally a section on using bind 8 written by David E. Smith (dave@bureau42.ml.org). I have edited it some to fit the new section name. There's not much to it. Except for using named.conf instead of named.boot, everything is identical. And bind8 comes with a perl script that converts old-style files to new. Example named.boot (old style) for a cache-only name server: ______________________________________________________________________ directory /var/named cache . root.hints primary 0.0.127.IN-ADDR.ARPA 127.0.0.zone primary localhost localhost.zone ______________________________________________________________________ On the command line, in the bind8/src/bin/named directory (this assumes you got a source distribution. If you got a binary package the script is probably around, I'm not sure where it would be though. -ed.), type: ______________________________________________________________________ ./named-bootconf.pl < named.boot > named.conf ______________________________________________________________________ Which creates named.conf: ______________________________________________________________________ // generated by named-bootconf.pl options { directory "/var/named"; }; zone "." { type hint; file "root.hints"; }; zone "0.0.127.IN-ADDR.ARPA" { type master; file "127.0.0.zone"; }; zone "localhost" { type master; file "localhost.zone"; }; ______________________________________________________________________ It works for everything that can go into a named.boot file, although it doesn't add all of the new enhancements and configuration options that bind8 allows. Here's a more complete named.conf that does the same things, but a little more efficiently. ______________________________________________________________________ // This is a configuration file for named (from BIND 8.1 or later). // It would normally be installed as /etc/named.conf. // The only change made from the `stock' named.conf (aside from this // comment :) is that the directory line was uncommented, since I // already had the zone files in /var/named. options { directory "/var/named"; datasize 20M; }; zone "localhost" IN { type master; file "localhost.zone"; }; zone "0.0.127.in-addr.arpa" IN { type master; file "127.0.0.zone"; }; zone "." IN { type hint; file "root.hints"; }; ______________________________________________________________________ In the bind 8 distributions directory bind8/src/bin/named/test you find this, and copies of the zone files, that many people can just drop in and use instantly. The formats for zone files and root.hints files are identical, as are the commands for updating them. 8. Questions and Answers Please read this section before mailing me. 1. My named wants a named.boot file You are reading the wrong HOWTO. Please see the old version of this HOWTO, which covers bind 4, at http://www.math.uio.no/~janl/DNS/ 2. How do use DNS from inside a firewall? A hint: forward only;, You will probably also need ___________________________________________________________________ query-source port 53; ___________________________________________________________________ inside the ``options'' part of the named.conf file as suggested in the example ``caching'' section. 3. How do I make DNS rotate through the available addresses for a service, say www.busy.site to obtain a load balancing effect, or similar? Make several A records for www.busy.site and use bind 4.9.3 or later. Then bind will round-robin the answers. It will not work with earlier versions of bind. 4. I want to set up DNS on a (closed) intranet. What do I do? You drop the root.hints file and just do zone files. That also means you don't have to get new hint files all the time. 5. How do I set up a secondary (slave) name server? If the primary/master server has address 127.0.0.1 you put a line like this in the named.conf file of your secondary: ___________________________________________________________________ zone "linux.bogus" { type slave; file "sz/linux.bogus"; masters { 127.0.0.1; }; }; ___________________________________________________________________ You may list several alternate master servers the zone can be copied from inside the masters list, separated by ';' (semicolon). 6. I want bind running when I'm disconnected from the net. There are three items regarding this: ╖ I have received this mail from Ian Clark <ic@deakin.edu.au> where he explains his way of doing this: I run named on my 'Masquerading' machine here. I have two root.hints files, one called root.hints.real which contains the real root server names and the other called root.hints.fake which contains... ---- ; root.hints.fake ; this file contains no information ---- When I go off line I copy the root.hints.fake file to root.hints and restart named. When I go online I copy root.hints.real to root.hints and restart named. This is done from ip-down & ip-up respectively. The first time I do a query off line on a domain name named doesn't have details for it puts an entry like this in messages.. Jan 28 20:10:11 hazchem named[10147]: No root nameserver for class IN which I can live with. It certainly seems to work for me. I can use the nameserver for local machines while off the 'net without the timeout delay for external domain names and I while on the 'net queries for external domains work normally ╖ I have also received information about how bind interacts with NFS and the portmapper on a mostly offline machine from Karl-Max Wanger: I use to run my own named on all my machines which are only occasionally connected to the Internet by modem. The nameserver only acts as a cache, it has no area of authority and asks back for everything at the name servers in the root.cache file. As is usual with Slackware, it is started before nfsd and mountd. With one of my machines (a Libretto 30 notebook) I had the problem that sometimes I could mount it from another system connected to my local LAN, but most of the time it didn't work. I had the same effect regardless of using PLIP, a PCMCIA ethernet card or PPP over a serial interface. After some time of guessing and experimenting I found out that apparently named messed with the process of registration nfsd and mountd have to carry out with the portmapper upon startup (I start these daemons at boot time as usual). Starting named after nfsd and mountd eliminated this problem completely. As there are no disadvantages to expect from such a modified boot sequence I'd advise everybody to do it that way to prevent potential trouble. ╖ Finally, there is HOWTO information about this at Ask Mr. DNS at http://www.acmebw.com/askmrdns/#linux-ns. It is about bind 4 though, so you have to adapt what he says to bind 8. 7. Where does the caching name server store its cache? Is there any way I can control the size of the cache? The cache is completely stored in memory, it is not written to disk at any time. Every time you kill named the cache is lost. The cache is not controllable in any way. named manages it according to some simple rules and that is it. You cannot control the cache or the cache size in any way for any reason. If you want to you can ``fix'' this by hacking named. This is however not recommended. 8. Does named save the cache between restarts? Can I make it save it? No, named does not save the cache when it dies. That means that the cache must be built anew each time you kill and restart named. There is no way to make named save the cache in a file. If you want you can ``fix'' this by hacking named. This is however not recommended. 9. How can I get a domian? I want to set up my own domain called (for example) linux-rules.net. How can I get the domain I want assigned to me? Please contact your network service provider. They will be able to help you with this. Please note that in most parts of the world you need to pay money to get a domain. 9. How to become a bigger time DNS admin. Documentation and tools. Real Documentation exists. Online and in print. The reading of several of these is required to make the step from small time DNS admin to a big time one. In print the standard book is DNS and BIND by C. Liu and P. Albitz from O'Reilly & Associates, Sebastopol, CA, ISBN 0-937175-82-X. I read this, it's excellent, though based on bind 4, this is not a real problem though. There is also a section in on DNS in TCP/IP Network Administration, by Craig Hunt from O'Reilly..., ISBN 0-937175-82-X. Another must for Good DNS administration (or good anything for that matter) is Zen and the Art of Motorcycle Maintenance by Robert M. Pirsig :-) Available as ISBN 0688052304 and others. Online you will find stuff on <http://www.dns.net/dnsrd/> (DNS Resources Directory), <http://www.isc.org/bind.html>; A FAQ, a reference manual (BOG; Bind Operations Guide) as well as papers and protocol definitions and DNS hacks (these, and most, if not all, of the RFCs mentioned below, are also contained in the bind distribution). I have not read most of these, but then I'm not a big- time DNS admin either. Arnt Gulbrandsen on the other hand has read BOG and he's ecstatic about it :-). The newsgroup comp.protocols.tcp- ip.domains is about DNS. In addition there are a number of RFCs about DNS, the most important are probably these: RFC 2052 A. Gulbrandsen, P. Vixie, A DNS RR for specifying the location of services (DNS SRV), October 1996 RFC 1918 Y. Rekhter, R. Moskowitz, D. Karrenberg, G. de Groot, E. Lear, Address Allocation for Private Internets, 02/29/1996. RFC 1912 D. Barr, Common DNS Operational and Configuration Errors, 02/28/1996. RFC 1912 Errors B. Barr Errors in RFC 1912, this is available at <http://www.cis.ohio-state.edu/~barr/rfc1912-errors.html> RFC 1713 A. Romao, Tools for DNS debugging, 11/03/1994. RFC 1712 C. Farrell, M. Schulze, S. Pleitner, D. Baldoni, DNS Encoding of Geographical Location, 11/01/1994. RFC 1183 R. Ullmann, P. Mockapetris, L. Mamakos, C. Everhart, New DNS RR Definitions, 10/08/1990. RFC 1035 P. Mockapetris, Domain names - implementation and specification, 11/01/1987. RFC 1034 P. Mockapetris, Domain names - concepts and facilities, 11/01/1987. RFC 1033 M. Lottor, Domain administrators operations guide, 11/01/1987. RFC 1032 M. Stahl, Domain administrators guide, 11/01/1987. RFC 974 C. Partridge, Mail routing and the domain system, 01/01/1986.