Configuring a Primary DNS Server


To configure a DNS server, you must first gather the necessary information to be able to provide a service. This includes:

  • The names and IP addresses of root servers, if connected to the Internet. If your organization is not connected to the Internet, then you still need to know the names and addresses of root servers for the organization.

  • The names and IP addresses of any DNS servers to which authority is delegated; in other words, subdomains that are not part of the zone of responsibility for this server.

  • Hostnames and IP addresses of all hosts for which this server is going to be the authority. This information is used when name-to-address resolution is required.

  • Reverse lookup information for all hosts for which this server is going to be the authority. This information is used when address-to-name resolution is required.

The in.named process is started at boot time to provide DNS services. The startup script that initializes DNS is /etc/rc2.d/S72inetsvc. The process is started only if the configuration file, /etc/named.conf, is present. /etc/named.conf is the main configuration file for a DNS server and does not exist by default: it must be created manually. /etc/named.conf does the following:

  • Identifies the DNS server and its function (that is, master, slave, cache, and so on).

  • Specifies the zones of authority for the server.

  • Specifies the pathname of the file that contains details of the root servers.

  • Contains security information for the zones of authority so that restrictions can be enforced to limit zone transfers of data to secondary servers, for example.

  • Specifies the pathnames of the zone data files.


You should note that in the /etc/named.conf file, domain names do not contain a trailing . (dot) in the zone name. The trailing dot is required in the zone file itself, but not in this file. Inserting the dot in this file is a common mistake.


A sample /etc/named.conf file is shown here for a master DNS server:

 ultra10# cat /etc/named.conf
 options {
         directory "/var/named";
 };
 acl "slaves" {
         192.168.28.0/24;
 };
 zone "." in {
         type hint;
         file "named.ca";
 };
 zone "xyz.com" in {
         type master;
         file "db.xyz";
         allow-transfer { "slaves"; };
 };
 zone "28.168.192.in-addr.arpa" in {
         type master;
         file "xyz.rev";
 };
 zone "0.0.127.in-addr.arpa" in {
         type master;
         file "named.local";
 };

Note the following about the preceding code:

  • Under the options directive, a directory is specified, /var/named. This is the default location for all the data files for this DNS server.

  • A special domain called . (dot) identifies the root DNS servers and the filename that contains their names and addresses; the default filename to use for this is named.ca, although any meaningful name can be used if you wish. Note that the type for this entry is hint because the DNS server contacts one of the root servers listed in this file to obtain a current list of root servers, which is then held in the server's cache. The file is not consulted again until the cached list reaches its expiry time, when the data is refreshed.

  • This is a master (primary) DNS server, as indicated by the type master directive for each of the zones listed. A secondary DNS server would have each of these values set to slave.

  • An access control list has been created that uses the alias slaves, which is referred to later in the file. It enables IP addresses to be grouped together for ease of reference.

  • A number of zones are specified, along with the locations of their data files. The allow-transfer directive makes use of the access control list slaves so that zone data can be transferred only to servers that are on the specified network, in this case 192.168.28.x. It enforces security so that an unauthorized host cannot obtain the name and address information.

  • The zone 28.168.192.in-addr.arpa refers to the reverse lookup file for the zone. The domain in-addr.arpa is a conceptual domain used for reverse resolution, that is, IP address-to-hostname. It is frequently used for authentication purposes to verify the identity of a remote host.


There are no forward references allowed in the /etc/named.conf file, so any alias definitions must be set up before they can be referenced. You might get a question showing an invalid configuration file where a reference is used before it is defined.
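The two rules just described (an acl must be defined before it is referenced, and a zone name must not carry a trailing dot) can be checked mechanically before in.named is started. The following checker is an added example written for this page; it is not from the book and not part of BIND. It also flags any type master zone that has no allow-transfer statement at all, on the assumption that, as in the BIND releases of this era, a zone without one will hand its data to any host that asks. The two configuration texts inside it are constructed: one is a hardened version of the page's example, the other repeats the three mistakes on purpose.

```python
import re

# Constructed hardened named.conf, modelled on the page's example (not the
# book's own file): every master zone restricts transfers, the acl is
# defined before it is used, and no zone name carries a trailing dot.
GOOD_CONF = """
options { directory "/var/named"; };
acl "slaves" { 192.168.28.0/24; };
zone "." in { type hint; file "named.ca"; };
zone "xyz.com" in {
    type master; file "db.xyz";
    allow-transfer { "slaves"; };
};
zone "28.168.192.in-addr.arpa" in {
    type master; file "xyz.rev";
    allow-transfer { "slaves"; };
};
zone "0.0.127.in-addr.arpa" in {
    type master; file "named.local";
    allow-transfer { none; };
};
"""

# The same file with the three mistakes the checker looks for (constructed).
BAD_CONF = """
options { directory "/var/named"; };
zone "xyz.com." in {                 // trailing dot in the zone name
    type master; file "db.xyz";
    allow-transfer { "slaves"; };    // acl used before it is defined
};
acl "slaves" { 192.168.28.0/24; };
zone "28.168.192.in-addr.arpa" in {  // no allow-transfer: anyone can pull it
    type master; file "xyz.rev";
};
"""

STMT_RE = re.compile(r'(?m)^\s*(acl|zone)\s+"([^"]+)"')   # top-level acl/zone statements
XFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')
TYPE_RE = re.compile(r'\btype\s+(\w+)\s*;')
ADDR_RE = re.compile(r'^!?[0-9a-fA-F.:]+(?:/\d+)?$')       # address or prefix, not an acl name
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}   # predefined by BIND


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)


def statements(text):
    """Yield (keyword, name, body) for each acl/zone statement in file order,
    matching braces so nested blocks such as allow-transfer stay in the body."""
    for m in STMT_RE.finditer(text):
        start = text.index("{", m.end())
        depth, i = 0, start
        while i < len(text):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield m.group(1), m.group(2), text[start + 1:i]


def check_named_conf(text):
    """Return (zone, problem) pairs: TRAILING_DOT, FORWARD_REF or OPEN_TRANSFER."""
    problems, defined = [], set()
    for kind, name, body in statements(strip_comments(text)):
        if kind == "acl":
            defined.add(name)          # from here on the alias may be referenced
            continue
        if name != "." and name.endswith("."):
            problems.append((name, "TRAILING_DOT"))
        zone_type = TYPE_RE.search(body)
        xfer = XFER_RE.search(body)
        if xfer is None:
            if zone_type and zone_type.group(1) == "master":
                problems.append((name, "OPEN_TRANSFER"))
            continue
        for token in xfer.group(1).split(";"):
            token = token.strip().strip('"')
            if not token or token in BUILTIN_ACLS or ADDR_RE.match(token):
                continue
            if token not in defined:   # referenced before (or without) its acl statement
                problems.append((name, "FORWARD_REF"))
    return problems


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_named_conf(conf))
```

Run against the page's own sample, the checker reports OPEN_TRANSFER for the two reverse zones, which is exactly the gap a practitioner would want to close: the allow-transfer restriction applied to xyz.com should cover the in-addr.arpa zones as well.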


The named.ca File

The named.ca file contains the list of root servers. This file is particularly important if your DNS server is connected to the Internet because it contains the names and IP addresses of the servers managing the top-level domains, such as com and gov, for example. The file is managed by IANA and is globally accessible. Periodically (say, every two months) this file should be checked on the Internet to see whether any changes have been made, and downloaded to keep it up to date.

The list of root servers can be obtained from ftp://ftp.rs.internic.net/domain/named.root.

The current file looks like this:

 ultra10# cat /var/named/named.ca
 ;       This file holds the information on root name servers needed to
 ;       initialize cache of Internet domain name servers
 ;       (e.g. reference this file in the "cache.  "
 ;       configuration file of BIND domain name servers).
 ;
 ;       This file is made available by InterNIC
 ;       under anonymous FTP as
 ;           file                /domain/named.root
 ;           on server           FTP.INTERNIC.NET
 ;
 ;       last update:    Nov 5, 2002
 ;       related version of root zone: 2002110501
 ;
 ;
 ; formerly NS.INTERNIC.NET
 ;
 .                        3600000  IN  NS    A.ROOT-SERVERS.NET.
 A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
 ;
 ; formerly NS1.ISI.EDU
 ;
 .                        3600000      NS    B.ROOT-SERVERS.NET.
 B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
 ;
 ; formerly C.PSI.NET
 ;
 .                        3600000      NS    C.ROOT-SERVERS.NET.
 C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
 ;
 ; formerly TERP.UMD.EDU
 ;
 .                        3600000      NS    D.ROOT-SERVERS.NET.
 D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
 ;
 ; formerly NS.NASA.GOV
 ;
 .                        3600000      NS    E.ROOT-SERVERS.NET.
 E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
 ;
 ; formerly NS.ISC.ORG
 ;
 .                        3600000      NS    F.ROOT-SERVERS.NET.
 F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
 ;
 ; formerly NS.NIC.DDN.MIL
 ;
 .                        3600000      NS    G.ROOT-SERVERS.NET.
 G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
 ;
 ; formerly AOS.ARL.ARMY.MIL
 ;
 .                        3600000      NS    H.ROOT-SERVERS.NET.
 H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
 ;
 ; formerly NIC.NORDU.NET
 ;
 .                        3600000      NS    I.ROOT-SERVERS.NET.
 I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
 ;
 ; operated by VeriSign, Inc.
 ;
 .                        3600000      NS    J.ROOT-SERVERS.NET.
 J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
 ;
 ; housed in LINX, operated by RIPE NCC
 ;
 .                        3600000      NS    K.ROOT-SERVERS.NET.
 K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
 ;
 ; operated by IANA
 ;
 .                        3600000      NS    L.ROOT-SERVERS.NET.
 L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
 ;
 ; housed in Japan, operated by WIDE
 ;
 .                        3600000      NS    M.ROOT-SERVERS.NET.
 M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
 ; End of File

If your DNS server is not connected to the Internet, then you should create a named.ca file similar to the one shown in this section, but with the names and IP addresses of the root DNS servers for your organization. This will allow organization-wide DNS queries to be resolved.

Zone Files

At least one zone is specified in the master configuration file /etc/named.conf, along with the location of the relevant zone file. The actual name and IP address details of the hosts for which the DNS server has authority are stored in the zone file. Zones are used to distribute authority, which is particularly useful in large organizations, where the delegation of zones makes the process of keeping the information up to date much easier and more manageable.

Information in the zone file is stored in a particular format, known as resource records. Each resource record serves a specific purpose.

Resource records exist within the zone files of a server and contain all of the information pertaining to the zone of authority. There are a number of resource record types, each having special meaning and a number of keywords. The more common types are detailed in the following list:

  • Start Of Authority (SOA): This marks the start of the zone data and defines default parameters for the entire zone. This entry must be present in a zone file. A typical SOA entry follows:

     @   IN SOA master.xyz.com. root.master.xyz.com. (
                 2003061001;  Serial Number
                 10800;       Refresh timer  3 hours
                 1800;        Retry  30 minutes
                 604800;      Expiry  1 week
                 43200);      Minimum TTL  12 hours

    The following notes apply to this entry:

    • The @ symbol is a placeholder for the domain name, in this case xyz.com.

    • The record is of the class IN, Internet class.

    • master.xyz.com identifies the primary DNS server.

    • root.master.xyz.com identifies the email contact address for messages. Note that there is no @ symbol after the email name because this symbol is used elsewhere as already described.

    • The serial number field is important because secondary DNS servers use it to detect any changes that have been made to the zone and to update their own copies of the data files via a zone transfer. When the administrator makes a change to the zone data, this value should be incremented. A popular method of maintaining the serial number is to use the current date, in the form YYYYMMDD, with two digits on the end that can be incremented by the administrator each time a change is made. This allows 100 updates to be made each day. You can choose any method to maintain the serial number, such as starting at number 1 and incrementing each time a change is made, but it is imperative that the secondary DNS servers detect the change and update accordingly.

    • The refresh timer, currently set to 3 hours, is the interval after which a secondary server attempts to refresh its database from the primary DNS server. At this time, the primary server's serial number value is checked, and if it has changed, the secondary server updates its database.

    • The retry entry specifies how long a secondary server should wait before retrying a failed contact to the primary DNS server.

    • The expiry entry, set to 1 week, stipulates how long a secondary DNS server's database can remain valid if no updates have been received. After this time, if there have been no updates, the secondary server updates its database from the primary DNS server.

    • The minimum time-to-live (TTL), set to 12 hours, specifies how long a hostname remains valid in the cache. After this time, the entry is discarded.

    • Everything after the ; (semicolon) character on each line is a comment and is not part of the configuration.

  • Name Server (NS): This lists the name servers for the zone and also includes any subdomains that have been delegated to other DNS servers. A typical NS entry follows:

     xyz.com.        IN   NS    master.xyz.com.
                     IN   NS    slave.xyz.com.
     sales.xyz.com.  IN   NS    saleserv.xyz.com.

    In this entry, the sales.xyz.com. subdomain has been delegated to the DNS server saleserv.xyz.com.

  • Address (A): This is where the hostnames and IP addresses are listed for the zone, the functionality being similar to that of the /etc/hosts file. The following sample entries identify a host named test and a host named fulltest:

     test                 IN   A    192.168.28.67
     fulltest.xyz.com.    IN   A    192.168.28.45

    The preceding two entries show that both relative and fully qualified hostnames can be entered as address records. If a relative hostname is used, the domain name is automatically appended.


    Relative hostnames do not have a trailing . (dot) because the domain name is appended to the hostname. It is a common mistake to make because the fully qualified hostnames do have the trailing . (dot) present.


  • IPv6 Address (AAAA): Similar to the address resource record, but the quad A record identifies IPv6 addresses for hostnames. The quad A record is similar in function to the /etc/inet/ipnodes file.

  • Canonical Name (CNAME): This record is used to define aliases for a hostname. For example, you might have a server providing several applications, each of which requires its own hostname. It is also commonly used for access to Web servers via a WWW hostname. A sample CNAME entry is shown here:

     appl_1           IN   A       192.168.28.67
     appl_accounts    IN   CNAME   appl_1

    This type of entry is extremely useful when relocating services to another server. All that is required is a modification of the CNAME entry to point to a different hostname.

  • Mail Exchanger (MX): This record identifies a mail server or a number of mail servers that handle email for the domain. The MX resource record contains a preference field to allow a primary server to be used first, with a backup server to be used if the primary server is not available. The server with the lowest preference value is tried first. The following example shows two email servers, with their addresses and the relevant MX records for the domain:

     mailmaster       IN   A       192.168.28.68
     mailslave        IN   A       192.168.28.78
     xyz.com.         IN   MX      2    mailmaster
                      IN   MX      8    mailslave

  • Host Info (HINFO): This record provides information about the host, such as the hardware and operating system. For security purposes, it is not recommended to include this type of record, especially if the server is connected to the Internet, because it could provide an intruder with additional information. A sample entry is shown here:

     mailmaster  IN   HINFO    Enterprise-450   Solaris-9

  • Text (TXT): This record provides textual comments about the DNS server. For security purposes, it is not recommended to include this type of record, especially if the server is connected to the Internet, because it could provide an intruder with additional information. A sample entry is shown here:

     mailmaster  IN   TXT    "Connected directly to 192.168.23.23 firewall"

  • Well-Known Services (WKS): This record describes the well-known services that are supported by a protocol on a particular server. For security purposes, it is not recommended to include this type of record, especially if the server is connected to the Internet, because it could provide an intruder with the necessary information to attack the server. Most sites do not use this record, but you should be aware of its existence. A sample entry is shown here:

     mailmaster  IN   WKS    192.168.28.78    TCP (smtp rpc)

  • Pointer (PTR): This type of record is used for reverse resolution, that is, when you want to find the hostname for a specified IP address. Typically, zone files used for reverse resolution append the .rev extension to the filename so that they are easily distinguishable. A special zone is used for reverse resolution, namely in-addr.arpa. The two sample entries shown here are equivalent, one using a relative address and one using the full address:

     68                            IN   PTR   mailmaster.xyz.com.
     68.28.168.192.in-addr.arpa.   IN   PTR   mailmaster.xyz.com.

    Note that the first entry includes only the host portion of the address because the remainder is automatically inserted. The second address is specified in full, but you should note that it is entered in reverse order with the in-addr.arpa. domain name appended to it, including the trailing . (dot).
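The naming rules spread across the notes above (@ stands for the origin, a trailing dot marks a fully qualified name, anything else gets the domain appended), the YYYYMMDDnn serial-number scheme from the SOA notes, and the advice against HINFO, TXT and WKS records can all be checked in one pass over a zone file. The following auditor is an added example written for this page, not the book's code and not part of BIND. The zone text inside it is constructed from the page's sample records, with two lines that deliberately repeat the missing-trailing-dot mistake; the functions parse_zone, audit and next_serial are names chosen here. It handles single-line records plus the parenthesised SOA, which is enough for files like the ones on this page.

```python
from datetime import date

NAME_TYPES = {"NS", "CNAME", "MX", "PTR"}     # RDATA ends in a domain name
DISCLOSURE_TYPES = {"HINFO", "TXT", "WKS"}    # record types the page advises against

# Constructed db.xyz, modelled on the page's examples (not the book's file).
ZONE_TEXT = """\
$TTL 43200
@   IN SOA master.xyz.com. root.master.xyz.com. (
        2003061001   ; serial, YYYYMMDDnn
        10800        ; refresh
        1800         ; retry
        604800       ; expiry
        43200 )      ; minimum TTL
    IN NS   master.xyz.com.
    IN NS   slave.xyz.com              ; mistake: becomes slave.xyz.com.xyz.com.
sales.xyz.com     IN NS   saleserv.xyz.com.   ; mistake: owner has no trailing dot
test              IN A    192.168.28.67
fulltest.xyz.com. IN A    192.168.28.45
mailmaster        IN A    192.168.28.68
@                 IN MX   2 mailmaster
mailmaster        IN HINFO Enterprise-450 Solaris-9
"""


def expand_name(name, origin):
    """Zone-file naming rules: '@' is the origin, a trailing dot means fully
    qualified, and any other name gets the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Return records as dicts: owner as written, expanded owner, type, RDATA.
    Handles ';' comments, $ORIGIN/$TTL, blank owners (previous owner applies)
    and multi-line parenthesised SOA records; a quoted ';' inside TXT is not."""
    records, owner, pending = [], "@", ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        pending = f"{pending} {line}" if pending else line
        if pending.count("(") > pending.count(")"):
            continue                          # still inside the SOA's parentheses
        line, pending = pending, ""
        if line.lstrip().startswith("$"):
            if line.lstrip().startswith("$ORIGIN"):
                origin = line.split()[1]
            continue
        fields = [f for f in line.split() if f not in ("(", ")")]
        if not line[0].isspace():
            owner = fields.pop(0)             # new owner; otherwise the previous one applies
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                     # optional TTL and class
        rtype = fields.pop(0).upper()
        records.append({"owner_raw": owner, "owner": expand_name(owner, origin),
                        "type": rtype, "rdata": fields})
    return records


def audit(records):
    """Flag names that contain dots but no trailing dot (the origin would be
    appended again) and record types that hand out host details."""
    problems = []
    for r in records:
        names = [r["owner_raw"]]
        if r["type"] in NAME_TYPES:
            names.append(r["rdata"][-1])
        for name in names:
            if "." in name and not name.endswith("."):
                problems.append((r["owner"], r["type"], "MISSING_TRAILING_DOT"))
        if r["type"] in DISCLOSURE_TYPES:
            problems.append((r["owner"], r["type"], "DISCLOSURE"))
    return problems


def soa_serial(records):
    """The serial is the third RDATA field of the SOA (after MNAME and RNAME)."""
    soa = next(r for r in records if r["type"] == "SOA")
    return int(soa["rdata"][2])


def next_serial(current, today=None):
    """Bump a YYYYMMDDnn serial.  `today` is an int YYYYMMDD (defaults to the
    real date).  Restart at today's date with nn=01 unless the current serial
    is already from today or later; refuse once the day's 100 slots are used."""
    if today is None:
        today = int(date.today().strftime("%Y%m%d"))
    base = today * 100
    if current < base:
        return base + 1
    if current % 100 == 99:
        raise ValueError("100 updates already made today; wait for tomorrow")
    return current + 1


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT, "xyz.com.")
    for problem in audit(recs):
        print(*problem)
    print("next serial:", next_serial(soa_serial(recs)))
```

The expanded owner in each finding shows why the dot matters: the delegation written as sales.xyz.com ends up as sales.xyz.com.xyz.com., so the subdomain is never actually delegated, and a secondary named slave.xyz.com without the dot is likewise a name that does not exist. The serial helper refuses to wrap past nn=99 rather than silently producing a value the secondaries would treat as older.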



Solaris 9 Network Administration Exam Cram 2 (Exam Cram CX-310-044)
ISBN: 0789728702
Year: 2003
Pages: 174
Authors: John Philcox