Linux Box Admin
Trusted Remote Administration
DNS
Wednesday, 07 March 2007

DNS client name resolution

When a program requests a DNS name lookup, it calls the resolver library (the gethostbyname() C function). Programs linked against glibc search the name sources in the order given on the hosts line of /etc/nsswitch.conf. Typically, the hosts line is:
hosts: files dns
This tells the resolver to look in /etc/hosts first, then ask DNS. Sometimes NIS or a central database is also listed on the hosts line.

The resolver uses the name servers defined in /etc/resolv.conf. Most distributions use some kind of configuration tool to manage this file, so be careful of manual modifications.

DNS client utilities

The dig program (Domain Internet Groper) sends domain name query packets to name servers and can be used to test DNS configuration.

Dig queries use this format:
dig @server domain query-type query-class
where query-type is one of all, mx, ns, soa, txt or axfr (zone transfer).

For reverse DNS lookups:
dig -x 1.2.3.4
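The "query packets" dig sends are small binary messages, and the reply that comes back has the same layout. As an added example (not code from the page), the following builds the wire-format query for an A record, derives the in-addr.arpa name that dig -x asks for, and parses a response constructed here for www.foo.com, including the name-compression pointer real servers put in the answer section. The transaction ID, names and addresses are made up for the example.

```python
import struct

# Record types the page lists for dig's query-type, plus the wire values they map to.
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
          "TXT": 16, "AXFR": 252, "ANY": 255}
QCLASS_IN = 1

def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype="A", txid=0x1234, recursion_desired=True):
    """The message a client sends to port 53: 12-byte header, then one question."""
    flags = 0x0100 if recursion_desired else 0x0000          # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], QCLASS_IN)

def reverse_name(ip):
    """The owner name dig -x queries for an IPv4 address (octets reversed + in-addr.arpa)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                        # 2-byte pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                         # caller resumes after the pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset if end is None else end

def parse_response(msg):
    """Parse header, question and answer sections into a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        rname, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPES["A"] and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)      # render an A record as dotted quad
        answers.append((rname, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "questions": questions, "answers": answers}

def send_query(server, name, qtype="A", timeout=3):
    """Send build_query() over UDP port 53 and parse the reply (needs network access)."""
    import socket
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.sendto(build_query(name, qtype), (server, 53))
    data, _ = s.recvfrom(4096)
    s.close()
    return parse_response(data)

# Constructed reply to build_query("www.foo.com"): flags QR|AA|RD|RA, rcode 0,
# one question, one answer whose owner is a pointer (0xC00C) back to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)
    + encode_name("www.foo.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([1, 2, 3, 6])
)
```

Comparing the "id" field of the reply with the one sent, and checking that the question echoes back, is the client's only defence against an answer that was not solicited; that is what the parse makes visible.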

DNS/BIND server

There are 13 root servers that are the master servers for the whole system. The latest root server file can be downloaded from FTP.RS.INTERNIC.NET.

The DNS/BIND server daemon is "named". By default, named listens on UDP port 53.

The named configuration file is /etc/named.conf.

Within /etc/named.conf, the location of the zone files is specified with the directory option. For example:

options {
    directory "/var/named";
};
And here is a typical authoritative zone definition:

zone "foo.com" {
    type master;
    file "foo.com";
    allow-transfer { 1.2.3.4; };   // only this secondary may pull zone transfers (AXFR)
    allow-query { any; };          // anyone may query the authoritative data
};

Here is a minimal zone file for the zone defined above (/var/named/foo.com):

$TTL 3600
@       IN SOA ns1.foo.com. hostmaster.foo.com. (
            2005092601 ; serial, today's date + serial #
            3600       ; refresh, seconds
            900        ; retry, seconds
            1209600    ; expire, seconds
            3600 )     ; minimum, seconds

; records with no owner name start with whitespace and apply to the previous owner (@, the zone apex)
        IN NS   ns1.foo.com.
        IN NS   ns2.foo.com.
        IN MX   10 mail.foo.com. ; Primary Mail

localhost IN A  127.0.0.1
ns1       IN A  1.2.3.4
ns2       IN A  1.2.3.5
foo.com.  IN A  1.2.3.6
mail      IN A  1.2.3.6
www       IN A  1.2.3.6

When updating a zone file, the serial number must be incremented or named will not load the new configuration.
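The serial is the only thing a secondary looks at to decide whether a zone changed, and it compares serials with wrap-around arithmetic, so "bigger" is not always "newer". As an added example (not code from the page), the following bumps the serial in the YYYYMMDDnn convention the SOA comments above use and checks the result the way a secondary named would. The SOA text it rewrites is constructed from the zone file above.

```python
import re
from datetime import date

# Matches "SOA <mname> <rname> (" and captures the first number after the parenthesis.
SOA_SERIAL = re.compile(r"(\bSOA\b[^(]*\(\s*)(\d+)")

def next_serial(current, today=None):
    """Next YYYYMMDDnn serial. A fresh day restarts at nn=00; further edits on the same
    day add 1; a serial already at or past today's base just increases by 1, so it never
    goes backwards (nn=99 exhausted, or a serial that was never date-based).
    today is an int YYYYMMDD and defaults to the current date."""
    if today is None:
        today = int(date.today().strftime("%Y%m%d"))
    base = today * 100
    return base if current < base else current + 1

def serial_is_newer(old, new):
    """RFC 1982 serial arithmetic as a secondary applies it: new is newer than old iff
    (new - old) mod 2^32 lies in 1 .. 2^31-1. Anything else, including a jump of more
    than 2^31, is treated as not newer and the zone is not transferred."""
    diff = (new - old) % 2 ** 32
    return 0 < diff < 2 ** 31

def bump_zone_serial(zone_text, today=None):
    """Rewrite the SOA serial in zone_text; returns (new_text, old_serial, new_serial)."""
    m = SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found")
    old = int(m.group(2))
    new = next_serial(old, today)
    if not serial_is_newer(old, new):
        raise ValueError("serial %d -> %d would not be seen as newer" % (old, new))
    return zone_text[:m.start(2)] + str(new) + zone_text[m.end(2):], old, new

# Constructed from the zone file above.
SAMPLE_ZONE = """\
$TTL 3600
@ IN SOA ns1.foo.com. hostmaster.foo.com. (
        2005092601 ; serial, today's date + serial #
        3600       ; refresh, seconds
        900        ; retry, seconds
        1209600    ; expire, seconds
        3600 )     ; minimum, seconds
        IN NS ns1.foo.com.
"""
```

Run it before reloading named: if bump_zone_serial raises, the edit would have been silently ignored by every secondary.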

Here is a typical reverse lookup zone file (reverse zones always live under in-addr.arpa):

$TTL 3600
; zone for 1.2.3.0/24: the network octets reversed, then in-addr.arpa
3.2.1.in-addr.arpa. IN SOA ns1.foo.com. hostmaster.foo.com. (
            2005092601 ; serial, today's date + serial #
            3600       ; refresh, seconds
            900        ; retry, seconds
            3600       ; expire, seconds
            3600 )     ; minimum, seconds

; name servers
3.2.1.in-addr.arpa. IN NS ns1.foo.com.
3.2.1.in-addr.arpa. IN NS ns2.foo.com.

; reverse DNS mapping
6.3.2.1.in-addr.arpa. IN PTR mail.foo.com.

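Forward and reverse zones drift apart easily because they are edited separately. As an added example (not code from the page), the following reads both zone files with a minimal parser that handles the inherited-owner lines named understands, then reports A records without a PTR and PTRs that do not agree with the forward zone. The two zone texts are constructed from the files above; run against them, the check reports that ns1 and ns2 have A records but no PTR, since the reverse zone above only maps 1.2.3.6.

```python
RECORD_WORDS = {"IN", "A", "NS", "MX", "PTR", "CNAME", "SOA"}

def fqdn(name, origin):
    """Make an owner or target fully qualified relative to the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def parse_records(zone_text, origin):
    """Return (owner, type, rdata) per record line. Lines starting with whitespace inherit
    the previous owner, as named reads them; $TTL, comments and the multi-line SOA are skipped."""
    records, owner, in_soa = [], "@", False
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # strip comments
        if not line.strip() or line.startswith("$"):   # blank, comment-only, $TTL
            continue
        if in_soa:                                     # still inside SOA ( ... )
            in_soa = ")" not in line
            continue
        tokens = line.split()
        if not raw[0].isspace() and tokens[0] not in RECORD_WORDS:
            owner = tokens.pop(0)
        if tokens and tokens[0].isdigit():             # optional per-record TTL
            tokens.pop(0)
        if tokens and tokens[0] == "IN":               # optional class
            tokens.pop(0)
        rtype, rdata = tokens[0], " ".join(tokens[1:])
        if rtype == "SOA":
            in_soa = "(" in line and ")" not in line
            continue
        records.append((fqdn(owner, origin), rtype, rdata))
    return records

def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def check_reverse(forward, reverse):
    """Problems: A records without a PTR, PTRs naming a host that is not an A-record owner
    for that address, and PTRs whose target has no A record at all."""
    a_by_ip = {}
    for owner, rtype, rdata in forward:
        if rtype == "A":
            a_by_ip.setdefault(rdata, set()).add(owner)
    ptrs = {owner: rdata for owner, rtype, rdata in reverse if rtype == "PTR"}
    problems = []
    for ip, owners in sorted(a_by_ip.items()):
        if ip.startswith("127."):                      # loopback never appears in a public reverse zone
            continue
        ptr = ptrs.get(reverse_name(ip))
        if ptr is None:
            problems.append("no PTR for %s (%s)" % (ip, ", ".join(sorted(owners))))
        elif ptr not in owners:
            problems.append("PTR for %s is %s, not one of %s" % (ip, ptr, ", ".join(sorted(owners))))
    a_owners = {o for o, t, _ in forward if t == "A"}
    for name, target in sorted(ptrs.items()):
        if target not in a_owners:
            problems.append("PTR %s -> %s has no A record" % (name, target))
    return problems

# Constructed from the two zone files above.
FORWARD_ZONE = """\
$TTL 3600
@       IN SOA ns1.foo.com. hostmaster.foo.com. (
            2005092601 ; serial
            3600 ; refresh
            900 ; retry
            1209600 ; expire
            3600 ) ; minimum
        IN NS ns1.foo.com.
        IN NS ns2.foo.com.
        IN MX 10 mail.foo.com. ; Primary Mail
localhost A 127.0.0.1
ns1     A 1.2.3.4
ns2     A 1.2.3.5
foo.com. A 1.2.3.6
mail    A 1.2.3.6
www     A 1.2.3.6
"""
REVERSE_ZONE = """\
$TTL 3600
3.2.1.in-addr.arpa. IN SOA ns1.foo.com. hostmaster.foo.com. (
            2005092601 ; serial
            3600 ; refresh
            900 ; retry
            3600 ; expire
            3600 ) ; minimum
; name servers
3.2.1.in-addr.arpa. IN NS ns1.foo.com.
3.2.1.in-addr.arpa. IN NS ns2.foo.com.
; reverse DNS mapping
6.3.2.1.in-addr.arpa. IN PTR mail.foo.com.
"""
```

Mail servers and many abuse filters check that the PTR for a connecting address resolves forward to the same address, so the mismatch cases this reports are the ones that cost deliverability.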
Turning off or limiting recursion

Recursive lookups (allowed by default) create performance issues and security risks, in particular exposure to DNS cache poisoning attacks. To turn off recursion altogether, use this option in named.conf:

options {
    recursion no;
};

To allow recursion for certain hosts, use an access control list to define the IP addresses of hosts that can use recursion. Use this to allow recursion for internal hosts while denying recursion for the public:

acl recursionok { 192.168.1.0/24; 192.168.2.100; };
options {
    allow-recursion { recursionok; };
};
This allows only hosts with source IP addresses in 192.168.1.0/24, or the single host 192.168.2.100, to query for domains the server is not authoritative for; everyone else still gets answers for the zones it is authoritative for.

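The ACL above is evaluated first-match, the way BIND evaluates address match lists, and it only governs recursion; authoritative answers are still served to everyone. As an added example (not code from the page), the following models that decision for a given source address and query name, including the "!" negation BIND address lists allow. The zone list and the test addresses are assumptions made for the example.

```python
import ipaddress

RECURSION_OK = ["192.168.1.0/24", "192.168.2.100"]     # the acl on this page
AUTHORITATIVE_ZONES = ["foo.com.", "3.2.1.in-addr.arpa."]  # assumed: the zones configured above

def acl_match(acl, source_ip):
    """First matching entry decides, as in a BIND address match list; an entry
    prefixed with "!" denies. A bare address such as 192.168.2.100 is a /32."""
    addr = ipaddress.ip_address(source_ip)
    for entry in acl:
        negate = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if addr in net:
            return not negate
    return False

def is_authoritative(qname):
    """True if qname is at or below one of the zones this server is master for."""
    qname = qname.lower().rstrip(".") + "."
    return any(qname == z or qname.endswith("." + z) for z in AUTHORITATIVE_ZONES)

def decide(source_ip, qname, acl=RECURSION_OK):
    """What named does with a query: serve its own zones to anyone, recurse only for
    clients on the acl, and otherwise refuse to go and fetch the answer (the client
    gets REFUSED, or at best a referral, depending on version and allow-query-cache)."""
    if is_authoritative(qname):
        return "authoritative"
    if acl_match(acl, source_ip):
        return "recursive"
    return "refused"
```

The point of checking from the client's source address is that it is the only thing the ACL sees; a query arriving from the public Internet with a spoofed internal address is why "recursion no" on a server that does not need recursion at all is the stronger setting.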
Setting up a caching-only name server

If you don't want to host your own DNS zones, but do want to centralize name lookups to reduce DNS overhead, you can set up a caching-only name server. This server accepts DNS requests and forwards every request it has not cached to another DNS server to resolve, passing the result back to the client.

To set up a caching-only server, do NOT define any authoritative zones in /etc/named.conf; just enter valid DNS servers in the forwarders option. For example:

options {
    forward first;
    forwarders {
        1.2.3.4; 1.2.3.5;
    };
};

The "forward first" option tells the server to try the forwarders first and, if they fail to resolve the name, to do the lookup itself. The "forward only" option tells the server to try the forwarders and to fail if it does not get an answer from them.

DNS domain wildcards

To configure DNS wildcards so that any subdomain name resolves to the main site, use "*" as the owner name of a CNAME record:
www    IN A 1.2.3.4
*      IN CNAME www

The asterisk matches all subdomain names of the domain that do not otherwise exist and returns the IP address of www, sending the browser to the main web site. This technique is often used in marketing programs where you want everyone to arrive at the same web site, but want to track who sent them there by the HTTP Referer header.

Note: DNS is only half of setting up domain wildcards; the web server must also be set up to accept all subdomains and show the same content. See the Apache micro how-to for details.

Testing your DNS configuration

A good tool that runs many tests against your DNS server can be found at:
DNSreport.com

Copyright © 2006,2007 Linux Box Admin.