Setting Up a Domain Name System Server

Understanding Authoritative Zones

As an administrator of a DNS server, you need to configure several zones. Each zone represents part of the DNS namespace as you view it from your DNS server. Besides the one or more zones representing your domain, you have a zone that identifies your local host and possibly your local, private LAN.

If you configure a server as authoritative for a zone, that server has the last word on resolving addresses for that zone. In the upcoming "DNS name server example" section, your primary master name server is authoritative for the domain you control (as are the secondary name servers it passes its records to), but not for domains outside your domain.

Remember that the DNS server that you configure is the ultimate authority for your zone. Other zones don't know how you configure your hostnames and IP addresses unless you properly set up your DNS server to distribute that information across the Internet.

The definitive data that you set up for your domain exists in the form of resource records . Resource records consist of the data associated with all names below the authoritative point in the tree structure. When the DNS server uses these records to reply to queries, it sets the authoritative answer ( AA ) bit in the packet that includes the reply. The AA bit indicates that your name server has the best and most current information available about your domain.

Understanding DNS Risks

When you set up a public DNS server, you are essentially responsible for providing reliable name-to-address conversion for the clients that use that server. Because of the potential security risks in maintaining a DNS server, you should not take this responsibility lightly.

Someone breaking in to control the information in a DNS server has the potential to redirect queries to the server for addresses to sites that the intruder chooses. So, for example, if someone is trying to contact a Web server in the domain your DNS server controls, they might be entering their credit card number or other personal information into a Web site that the intruder set up to for the purpose of stealing that information.

There are several different types of attacks directed at DNS servers. DNS cache poisoning is where fraudulent addresses are attached to hostnames that are placed in a DNS server's cache. Pay-per-click frauds will infect DNS servers in such a way that the Web browsers are directed to sites that set off a string of clicks to sites that pay each time you visit them. The person using the browser may never even see any indication that he has contacted those sites.

While Bind servers seem to have a better record of resisting attacks than Microsoft servers, there is still enough risk to warrant educating yourself against such attacks. Here are a few links where you can learn more about DNS attacks:

• DNS Poisoning ( http://isc.sans.org/presentations/dnspoisoning.php ) - Contains a good description of DNS poisoning and ways of dealing with it.

• DNS Amplification ( www.isotf.org/news/DNS-Amplification-Attacks.pdf ) - Contains a description of DNS amplification attacks, where DDoS attacks are used recursively along a chain of DNS servers.

Refer to the ISC Bind site ( www.isc.org/sw/bind ) for security alerts that relate to DNS service with Bind.

Understanding BIND

In Fedora, Red Hat Enterprise Linux, and most other Linux and UNIX systems, you implement DNS services by using the Berkeley Internet Name Domain ( BIND ) software. The Internet Software Consortium maintains BIND (at www.isc.org/sw/bind ). The particular version of BIND that I describe in this chapter is BIND 9. To use BIND as described in this section, you need to install these packages: bind, bind- utils , bind-chroot, and bind-libs. There is also a system-config-bind package that contains a graphical means of working with your DNS files.

For the latest Fedora and RHEL distributions, BIND has been configured to run in a changed root (chroot) environment (provided you install the bind-chroot package). This means that instead of having configuration files in /etc and /var/named as they always have been with BIND, they are located in /var/named/chroot/etc and /var/named/chroot/var/named instead. This is a security measure to limit the access that an intruder could gain by taking control of the named daemon. SELinux also is configured to limit access to the named and nscd daemons (see the Security Level Configuration window for details).

The basic components of BIND include the following:

• DNS server daemon ( /usr/sbin/named ) - The named daemon listens on a port (port number 53 by default) for DNS service requests and then fulfills those requests based on information in the configuration files that you create. Mostly, named receives requests to resolve the hostnames in your domain to IP addresses.

  Note

  The named daemon actually launches from the /etc/init.d/named startup script. You need to set that script to start automatically after your DNS server is ready to go. You can also use the named startup script to check the status of the named daemon.

• DNS configuration files ( named.conf file and named directory) - The /var/named/chroot/etc/named.conf file is where you add most of the general configuration information that you need to define the DNS services for your domain. Separate files in the /var/named/chroot/var/named directory contain specific zone information. The location of the chrooted DNS configuration files in Fedora and RHEL 4 ( /var/named/chroot ) is set in the /etc/sysconfig/named file.

  Note

  If you run BIND in a non-chrooted environment, configuration files are located in /etc/named.conf file and the /var/named directory. You must uninstall the bind-chroot package to do this.

• DNS lookup tools - You can use several tools to check that your DNS server is resolving hostnames properly. These include commands such as host , dig , and nslookup (which are part of the bind-utils software package).

To maintain your DNS server correctly, you can also perform the following configuration tasks with your DNS server:

• Logging - You can indicate what you want to log and where log files reside.

• Remote server options - You can set options for specific DNS servers to perform such tasks as blocking information from a bad server, setting encryption keys to use with a server, or defining transfer methods .

You don't need to give out DNS information to everyone who requests it. You can restrict access to those who request it based on the following:

• Access control list (acl) - This list can contain those hosts, domains, or IP addresses that you want to group together and apply the same level of access to your DNS server. You create acl records to group those addresses, and then indicate what domain information the locations in that acl can or can't access.

• Listen-on ports - By default, your name server accepts only name server requests that come to port 53 on your name server. You can add more port numbers if you want your name server to accept name service queries on different ports.

• Authentication - To verify the identities of hosts that are requesting services from your DNS server, you can use keys for authentication and authorization. (The key and trusted-keys statements are used for authentication.)

Identifying Your DNS Servers

If you didn't have your DNS servers set up at the time that you purchased your domain name with a registration authority, you might have just "parked" the domain name there until you configured your DNS servers. Whenever you're ready to set up your DNS servers, return to that registration authority and provide the following information about your DNS servers:

• DNS server IP addresses (the static IP addresses of your DNS servers, probably primary and slave)

• DNS server hostnames (often ns1. yourdomain.com , where you replace yourdomain.com with your domain name for the primary; the slave hostname is ns2. yourdomain.com )

You should register both the primary and slave DNS servers. After you update this record, that information typically takes a day or two to propagate throughout the Internet. When your DNS servers are registered, you also need to tell the registration authority to use those DNS servers as the authority for addresses in your domain. The registration authority probably offers an online form you can fill out to identify your DNS servers.

Creating DNS Configuration Files (named.conf and var/named)

In configuring a DNS server, you're actually creating definitions that apply to a particular zone in the public DNS tree, as well as several local zones that apply to your computer and local network. To create a useful DNS server for your example small-office environment, you have the following zones:

• Public DNS server zone - The DNS server is authoritative for the domain that you're serving. This zone serves the names and IP addresses for your public servers. In the example named.conf file shown in the next section, you need to replace the name yourdomain.com with the domain that you're creating. These records become accessible to everyone on the Internet.

• Private DNS server zone - So each computer on the private network doesn't need to know the IP addresses for other computers on your private network, a zone is added in the example named.conf file to let the DNS server resolve these addresses. The names and IP addresses (which are private) are available only to computers on your LAN.

Note that by creating different views of these zones, different information will be returned to queries, depending on where the queries come from. For example, when someone from the Internet requests the address of the DNS server ( ns1. yourdomain.com ), they will get the address 123.45.67.89. However, when a query for ns1. yourdomain .com comes from inside the LAN, the address 10.0.0.1 is returned. Also, any queries from the Internet for addresses of private computers ( red. yourdomain.com , blue. yourdomain.com , and so on) are rejected.

Editing named.conf

To begin, you configure the /var/named/chroot/etc/named.conf file on the primary master DNS server representing your example yourdomain .com domain. This example starts from the /etc/named.conf file that comes with the caching-nameserver package in Fedora and RHEL. (Make sure that you install the caching-nameserver and bind packages before you continue and make a backup copy of any configuration files you edit.) Following are a few tips relating to editing the named.conf file:

• If a statement contains substatements, make sure that you end the last substatement with a semicolon.

• Comments can appear in the same formats that popular programming languages use. These languages include C (begin with /* and end with */ ), C++ (begin with // and go to the end of the physical line), and shell or Perl styles (begin from a # and go to the end of the physical line).

• A leading exclamation mark ( ! ) negates an element. Putting !123.45.67.89 in a statement causes the IP address 123.45.67.89 not to match the element. (Just make sure that the negation occurs before a positive match or the positive match takes precedence.)

The edited version of the /var/named/chroot/etc/named.conf file is as follows:

 options { directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; }; acl "mylan" { 127/8; 10.0.0.0/24; }; controls { inet 127.0.0.1 allow { localhost; } keys { rndckey; }; }; view "inside" { match-clients { "mylan"; }; recursion yes; zone "." IN { type hint; file "named.ca"; }; zone "0.0.10.in-addr.arpa" IN { type master; file "yourlan.db"; }; zone "  yourdomain.com  " { type master; file "db.  yourdomain.com  .inside"; allow-transfer { 10.0.0.2; }; }; }; view "outside" { match-clients { any; }; recursion no; zone "." IN { type hint; file "named.ca"; }; zone "y  ourdomain.com  " { type master; file "db.  yourdomain.com  .outside"; allow-transfer { 123.45.67.2; }; }; }; include "/etc/rndc.key"; 

The options definition lies at the beginning of the named.conf file and identifies the /var/named directory as the location where the zone files reside. The acl lines define the mylan access-control list, which consists of host computers on the 10.0.0.0 local private network and the localhost (127/8). (You use this definition in the 0.0.10.in-addr.arpa zone to enable only users on the LAN to perform reverse lookups of names of computers on the LAN.)

The DNS server is broken up into two views: inside and outside. The inside view defines how IP addresses are resolved for requests that come from the private LAN and localhost (as defined in mylan ). By having recursion on ( recursion yes ), the named daemon will allow name server queries to any domain (even domains that the local DNS server doesn't control) from any computer on the LAN. The outside view defines how queries coming from all other places (presumably, the Internet) are handled. With recursion off ( recursion no ), only queries from other name servers for domains controlled by the local DNS server are honored. Requests for information about other domains will be rejected with a not found message. (Turning recursion off can help eliminate a common attack, where a cracker causes your server to seek information from a DNS server controlled by the cracker.)

Each zone entry in the named.conf file describes the type of server this computer is for the zone (master in all cases here, except the root zone), the database file (in the named directory) that contains records for the zone, and other options relating to the zone records. The named.ca file is set up for you by default. It identifies the locations of the Internet root servers.

I made the other zones (yourlan.db , db. yourdomain.com .inside, db. yourdomain.com .outside and 0.0.10.in-addr.arpa ) for this example. For the "inside" view, the yourlan .db file lets the computers on your LAN do reverse address lookups (getting the names for IP address queries). The db. yourdomain .com.inside file contains names and addresses for all computers in your domain (including those on the local LAN). The DNS slave server for the inside view of this domain is at 10.0.0.2. (Clients in your LAN would use 10.0.0.1 and 10.0.0.2 as DNS servers in /etc/resolv.conf .)

For the "outside" view, the db. yourdomain .com.outside file contains names and IP addresses for any computers in your domain you want to make public (computers on your private LAN are excluded). The DNS slave server for the outside view of this domain is 123.45.67.2.

Notice that each zone points to a zone file in the named directory. Table 25-1 shows which file in the named directory each zone points to.

Table 25-1: Zones and Related Zone Files in DNS Example
Open table as spreadsheet

Zone	Zone File (located in the /var/named/chroot/var/named directory)
. (a single dot representing Internet root servers)	named.ca
0.0.10.in-addr.arpa	yourlan.db
yourdomain.com (inside view)	db.yourdomain.com.inside
yourdomain.com (outside view)	db.yourdomain.com.outside

Be very careful editing the named.conf file. Forgetting a semicolon is all too easy, resulting in the entire file not loading. To ensure that the named.conf file doesn't contain any syntax errors, you can run the following command (as root user ):

 #  named-checkconf  

If a syntax error is present, a message identifies the problematic line and informs you what seems to be wrong with it. If the syntax is correct, continue to create the zone files in the /var/named directory.

 $TTL 86400 @ IN SOA  yourdomain.com  . hostmaster.  yourdomain.com  . ( 2006042701 ; Serial 28800 ; Refresh 14400 ; Retry 3600000 ; Expire 86400) ; Minimum ; Name servers IN NS ns1.  yourdomain.com  . IN NS ns2.  yourdomain.com  . ; Mail server for domain IN MX 10 mail.  yourdomain  .com. ; Public servers ns1 IN A 10.0.0.1 ns2 IN A 10.0.0.2 mail IN A 123.45.67.2 www IN A 123.45.67.3 ftp IN A 123.45.67.4 ; Private clients on the LAN red IN A 10.0.0.2 blue IN A 10.0.0.3 green IN A 10.0.0.4 yellow IN A 10.0.0.5 ; EOF 

  $TTL 86400   @ IN SOA ns1.    yourdomain    .com hostmaster.    yourdomain    .com. (   2006042701 ; Serial   28800 ; Refresh   14400 ; Retry   3600000 ; Expire   86400) ; Minimum   IN NS ns1.    yourdomain    .com   1 IN PTR    yourdomain    .com.   2 IN PTR red.    yourdomain    .com.   3 IN PTR blue.    yourdomain    .com.   4 IN PTR green.    yourdomain    .com.   5 IN PTR yellow.    yourdomain    .com.   ; EOF  

 #  named-checkzone  yourdomain.com    /var/named/chroot/var/named/db.  yourdomain.com  .inside  zone yourdomain.com/IN: loaded serial 2006042701 OK #  named-checkzone  yourdomain.com    /var/named/chroot/var/named/db.  yourdomain.com  .outside  zone yourdomain.com/IN: loaded serial 2006042701 OK 

Starting the Named (DNS) Daemon

To start the named daemon and see whether it's working, type the following (as root user):

 #  /etc/init.d/named start  

If the named daemon starts successfully, clients of your DNS server should start getting information about your domain. To set the named daemon to start each time that the system boots up, type the following:

 #  chkconfig named on  

Remember that, whenever you make changes to the named.conf or any of the zone files, you must increase the serial number for anyone checking your domain records to pick up those changes. After that, you should restart the named service too (as root user) as follows:

 #  /etc/init.d/named restart  

Then you should consider adding the server's own local address to its own /etc/resolv.conf file. For example, the /etc/resolv.conf file could include the following:

 search  yourdomain  .com nameserver 127.0.0.1 

If you see the Starting named message, your DNS server is probably up and running. If you want to make sure that your server is correctly resolving addresses, the next section, "Checking that DNS is working," describes some tools that you can use to check your DNS name server.