This section discusses how DNS works and provides resources for additional information on DNS.

How DNS Works

Application programs do not issue DNS queries directly; instead they call the gethostbyname() routine. Despite being described as a system call in some documentation, it is a C library (resolver) call, and how the system comes up with the corresponding IP address is transparent to the calling program. The gethostbyname() call examines the hosts line in the /etc/nsswitch.conf file (page 435) to determine which files it should examine and/or which services it should query, and in what order, to obtain the IP address corresponding to a domain name. When it needs to query DNS, the local system (the DNS client) queries the DNS database by calling the resolver library on the local system. The resolver returns the required information to the application program.

Prerequisites

Install the following packages:
Run chkconfig to cause named to start when the system enters multiuser mode:

# /sbin/chkconfig named on

After you have configured named, start it with service:

# /sbin/service named start
Starting named:                                            [  OK  ]

Caution: Remove caching-nameserver and install bind-config

The released version of Fedora Core 5, including the version on the DVD enclosed with this book, includes the caching-nameserver package. Shortly after Fedora Core 5 was released, the caching-nameserver package was replaced by the bind-config package. To follow the examples in this chapter, you must remove the caching-nameserver package and install the bind-config package. The following commands use yum (page 478) to accomplish these tasks. In addition, it may be helpful to remove or rename /etc/named.conf as shown below.

# yum remove caching-nameserver
...
# yum install bind-config
...
# mv /etc/named.conf /etc/named.conf.old

If you cannot or do not want to replace the caching-nameserver package, read the parts of this chapter that are labeled RHEL and that describe the named.caching-nameserver.conf file. RHEL includes the caching-nameserver package.

More Information

DNS for Rocket Scientists is an excellent site that makes good use of links to present information on DNS in a very digestible form.
Local   BIND Administrator Reference Manual: /usr/share/doc/bind*/arm/Bv9ARM.html, or see the tip "Using this JumpStart" on page 735.
Web     DNS for Rocket Scientists: www.zytrax.com/books/dns
        BIND: www.isc.org/products/BIND
        DNS security: www.sans.org/rr/papers/index.php?id=1069
HOWTO   DNS HOWTO
Book    DNS & BIND, fourth edition, by Albitz & Liu, O'Reilly & Associates (April 2001)

Notes
Firewall The named server normally accepts queries on TCP and UDP port 53. If the server system is running a firewall, you need to open both ports, not just UDP: most queries travel over UDP, but zone transfers and responses too large for a UDP datagram use TCP, so a UDP-only rule yields a server that appears to work until a transfer or a large response is needed. For information on using the Red Hat graphical firewall tool, see "Opening Other Ports" on page 768. For more general information, see Chapter 25, which details iptables.
SELinux According to the Red Hat named man page, the default Red Hat SELinux policy for named is very secure and prevents known BIND security vulnerabilities from being exploited. This setup has some limitations, however. Refer to the named man page for more information. If the system is running SELinux with a targeted policy and you want to modify the SELinux named settings, you must turn on one or more of the SELinux settings under the Name Service section as displayed by system-config-securitylevel (page 402).
chroot jail The bind-chroot package sets up named to run in a chroot jail. With this package installed, all files that control BIND are located within this jail. In this case the filenames used in this chapter are symbolic links to the files in the chroot jail. See page 750 for more information.
named options See the comments in the /etc/sysconfig/named file for information about named options that you can set there. One of the most important of these options sets the value of the ROOTDIR variable that controls the location of the chroot jail (page 750) that BIND runs in.
named.conf (FEDORA) Traditionally, named looks for configuration information in the /etc/named.conf file. The caching-only nameserver, which is part of the bind-config package, places named configuration information in /etc/named.caching-nameserver.conf. For the caching-only nameserver to work without any setup, and so that named will work normally if you create a /etc/named.conf file, the Red Hat Linux named init script (/etc/rc.d/init.d/named) first looks for configuration information in /etc/named.conf. If that file does not exist, it looks for configuration information in /etc/named.caching-nameserver.conf.
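The "How DNS Works" paragraph at the start of this section describes a path that is otherwise invisible to the application: gethostbyname() consults the hosts line of /etc/nsswitch.conf, tries each listed source in turn, and only when it reaches the dns source does the resolver library build a DNS query and check the reply. The following Python program is an added example written for this page; it is not code from the book, from glibc or from BIND. It models that path end to end: a constructed nsswitch.conf hosts line, a constructed /etc/hosts, and an RFC 1035 A-record query whose reply comes from a constructed in-process server (so nothing touches the network). The transaction id is fixed and the answer address 198.51.100.7 is an assumption for the example; a real resolver randomizes the id and asks the servers in /etc/resolv.conf.

```python
"""Toy model of the gethostbyname() path: added example, not code from the
book, glibc or BIND.  Reads the 'hosts:' line of an nsswitch.conf, tries each
source in order, and for the 'dns' source builds a real RFC 1035 A query and
parses the reply.  All inputs below are constructed; nothing uses the network."""
import struct

NSSWITCH_TEXT = "hosts:      files dns\n"                 # constructed sample
HOSTS_TEXT = ("127.0.0.1   localhost\n"                    # constructed sample
              "192.0.2.10  intranet.example.com intranet\n")
FAKE_ANSWER = "198.51.100.7"   # what the constructed server answers (assumed)

def nsswitch_hosts_order(text):
    """Ordered sources from the 'hosts:' line; [NOTFOUND=return]-style actions are dropped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return [t for t in line[6:].split() if not t.startswith("[")]
    return ["files", "dns"]            # glibc's built-in default for hosts

def lookup_files(name, hosts_text):
    """The 'files' source: first /etc/hosts line that lists name."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and name.lower() in [h.lower() for h in fields[1:]]:
            return fields[0]
    return None

def build_query(name, txid):
    """RFC 1035 query: 12-byte header with RD set, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 16:                               # refuse pointer loops
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_response(msg, txid, name):
    """A records from a reply, after the checks a resolver makes on it."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                                 # skip the question
        _qname, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if (rtype, rclass, rdlen) == (1, 1, 4) and owner.lower() == name.lower():
            addrs.append(".".join(str(b) for b in rdata))
    return addrs

def fake_dns_reply(query, ipv4=FAKE_ANSWER):
    """Constructed server: echo the question, answer with one A record whose
    owner is a compression pointer (0xC00C) back to the question name."""
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes(int(o) for o in ipv4.split(".")))
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + query[12:] + answer

def resolve(name, nsswitch=NSSWITCH_TEXT, hosts=HOSTS_TEXT, send=fake_dns_reply):
    """Walk the nsswitch sources in order; return (address, source)."""
    for source in nsswitch_hosts_order(nsswitch):
        if source == "files":
            addr = lookup_files(name, hosts)
            if addr:
                return addr, "files"
        elif source == "dns":
            txid = 0x1234              # fixed here; real resolvers randomize it
            addrs = parse_response(send(build_query(name, txid)), txid, name)
            if addrs:
                return addrs[0], "dns"
        # other sources (myhostname, mdns4_minimal, ...) are not modelled
    return None, None

if __name__ == "__main__":
    print(resolve("localhost"))           # answered from files, DNS not asked
    print(resolve("www.example.com"))     # falls through to the dns source
```

Two points the paragraph only implies are visible here: a name listed in /etc/hosts never generates a DNS packet when files precedes dns, so the ordering on the hosts line decides which answers an attacker on the network can even attempt to influence; and the resolver's acceptance of an answer rests on little more than the transaction id matching, which is why a fixed id such as the one used in this toy would be unacceptable in a real client.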