At my place of employment, we are using Linux as a DNS server. It performs exceptionally well. This section will address configuration of DNS tables for these services using the BIND 8.x package which comes standard with the Red Hat distribution.

![Note](../../images/note.gif) Note: Red Hat versions 5.1 and earlier used the BIND 4.x package, which used a slightly different format for its configuration file. BIND 8.x offers more functionality than BIND 4.x, and as 4.x is no longer being developed, you should probably consider upgrading your BIND package to the latest version. Simply install the BIND RPM package (see the section called Using the Red Hat Package Manager (RPM) in Chapter 10 for details on using the RPM utility), then convert your configuration file to the new format.

Fortunately, converting your existing BIND 4.x configuration file to be compliant with BIND 8.x is easy! In the documentation directory provided as part of BIND (for example, `/usr/doc/bind-8.1.2/` for BIND version 8.1.2), there exists a file called `named-bootconf.pl`, which is an executable Perl program. Assuming you have Perl installed on your system, you can use this program to convert your configuration file. To do so, type the following commands (as root):

```sh
cd /usr/doc/bind-8.1.2
./named-bootconf.pl < /etc/named.boot > /etc/named.conf
mv /etc/named.boot /etc/named.boot-obsolete
```

You should now have an `/etc/named.conf` file which should work with BIND 8.x "out-of-the-box". Your existing DNS tables will work as-is with the new version of BIND, as the format of the tables remains the same.
Configuration of DNS services under Linux involves the following steps:

1. To enable DNS services, the `/etc/host.conf` file should look like this:

   ```
   # Lookup names via /etc/hosts first, then by DNS query
   order hosts, bind
   # Allow a host listed in /etc/hosts to have more than one address
   multi on
   # Check for IP address spoofing
   nospoof on
   # Warn us if someone attempts to spoof
   alert on
   ```

   The extra spoof detection adds a bit of a performance hit to DNS lookups (although negligible), so if you're not too worried about this you may wish to disable the "nospoof" and "alert" entries.

2. Configure the `/etc/hosts` file as needed. Typically there doesn't need to be much in here, but for improved performance you can add any hosts you access often (such as local servers) to avoid performing DNS lookups on them.

3. The `/etc/named.conf` file should be configured to point to your DNS tables according to the example below.

   ![Note](../../images/note.gif) Note: IP addresses shown are examples only and must be replaced with your own class addresses!

   ```
   options {
       // DNS tables are located in the /var/named directory
       directory "/var/named";
       // Forward any unresolved requests to our ISP's name server
       // (this is an example IP address only -- do not use!)
       forwarders {
           123.12.40.17;
       };
       /*
        * If there is a firewall between you and nameservers you want
        * to talk to, you might need to uncomment the query-source
        * directive below. Previous versions of BIND always asked
        * questions using port 53, but BIND 8.1 uses an unprivileged
        * port by default.
        */
       // query-source address * port 53;
   };
   // Enable caching and load root server info. The hint zone is the
   // root zone "."; the root server list lives in /var/named/named.root
   zone "." {
       type hint;
       file "named.root";
   };
   // All our DNS information is stored in /var/named/mydomain_name.db
   // (eg. if mydomain.name = foobar.com then use foobar_com.db)
   zone "mydomain.name" {
       type master;
       file "mydomain_name.db";
       allow-transfer { 123.12.41.40; };
   };
   // Reverse lookups for 123.12.41.*, .42.*, .43.*, .44.* class C's
   // (these are example Class C's only -- do not use!)
   zone "12.123.IN-ADDR.ARPA" {
       type master;
       file "123_12.rev";
       allow-transfer { 123.12.41.40; };
   };
   // Reverse lookups for 126.27.18.*, .19.*, .20.* class C's
   // (these are example Class C's only -- do not use!)
   zone "27.126.IN-ADDR.ARPA" {
       type master;
       file "126_27.rev";
       allow-transfer { 123.12.41.40; };
   };
   ```

   ![Tip](../../images/tip.gif) Tip: Make note of the allow-transfer options above, which restrict DNS zone transfers to a given IP address. In our example, we are allowing the host at 123.12.41.40 (probably a slave DNS server in our domain) to request zone transfers. If you omit this option, anyone on the Internet will be able to request such transfers. As the information provided is often used by spammers and IP spoofers, I strongly recommend you restrict zone transfers except to your slave DNS server(s), or use the loopback address, `127.0.0.1`, instead.
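The allow-transfer restriction is easy to get right on one zone and forget on the next. As an added example (not part of the original document), the Python script below scans a named.conf-style file and lists every master zone that has neither a zone-level allow-transfer nor a global one in the options block; the embedded configuration is a constructed sample built from the page's example addresses, and the function names are my own.

```python
import re

# Constructed sample modelled on the page's /etc/named.conf, using the page's example
# addresses only; the reverse zone below deliberately lacks an allow-transfer statement.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    // allow-transfer { 127.0.0.1; };   commented out, so not in effect
};
zone "." { type hint; file "named.root"; };
zone "mydomain.name" {
    type master;
    file "mydomain_name.db";
    allow-transfer { 123.12.41.40; };
};
zone "12.123.IN-ADDR.ARPA" {
    type master;
    file "123_12.rev";
};
"""

def _strip_comments(text):
    # Remove /* */ and // comments so a commented-out ACL is not counted as live.
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'//[^\n]*', '', text)

def _blocks(text, head_pattern):
    # Yield (match, body) for each statement opening a brace block, counting braces
    # so that nested { ... }; statements (like allow-transfer) do not end it early.
    for m in re.finditer(head_pattern + r'[^{;]*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m, text[m.end():i - 1]

def audit_zone_transfers(conf_text):
    # Return names of master zones with neither a zone-level nor a global (options) allow-transfer.
    text = _strip_comments(conf_text)
    acl = r'\ballow-transfer\s*\{'
    global_acl = any(re.search(acl, body) for _, body in _blocks(text, r'\boptions\b'))
    unrestricted = []
    for m, body in _blocks(text, r'\bzone\s+"([^"]+)"'):
        is_master = re.search(r'\btype\s+master\s*;', body) is not None
        if is_master and not global_acl and not re.search(acl, body):
            unrestricted.append(m.group(1))
    return unrestricted

if __name__ == "__main__":
    for zone in audit_zone_transfers(SAMPLE_NAMED_CONF):
        print(f"zone {zone}: master zone with unrestricted zone transfers")
```

Run against the sample it reports only the reverse zone, since the commented-out global ACL is ignored and the hint zone is not a master.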
4. Now you can set up your DNS tables in the `/var/named/` directory as configured in the `/etc/named.conf` file in step three. Configuring DNS database files for the first time is a major undertaking, and is beyond the scope of this document. There are several guides, online and in printed form, that should be referred to. However, several examples are provided below.

   Sample entries in the `/var/named/mydomain_name.db` forward lookup file:

   ```
   ; This is the Start of Authority (SOA) record. Contains contact
   ; & other information about the name server. The serial number
   ; must be changed whenever the file is updated (to inform secondary
   ; servers that zone information has changed).
   @       IN  SOA   mydomain.name. postmaster.mydomain.name. (
                     19990811  ; Serial number
                     3600      ; 1 hour refresh
                     300       ; 5 minutes retry
                     172800    ; 2 days expiry
                     43200 )   ; 12 hours minimum
   ; List the name servers in use. Unresolved (entries in other zones)
   ; will go to our ISP's name server isp.domain.name.com
   ; (each name server must be a host name with an A record, as in the
   ; reverse lookup file below)
           IN  NS    mail.mydomain.name.
           IN  NS    isp.domain.name.com.
   ; This is the mail-exchanger. You can list more than one (if
   ; applicable), with the integer field indicating priority (lowest
   ; being a higher priority)
           IN  MX    10 mail.mydomain.name.
   ; Provides optional information on the machine type & operating system
   ; used for the server
           IN  HINFO Pentium/350 LINUX
   ; A list of machine names & addresses
   spock.mydomain.name.    IN  A     123.12.41.40    ; OpenVMS Alpha
   mail.mydomain.name.     IN  A     123.12.41.41    ; Linux (main server)
   kirk.mydomain.name.     IN  A     123.12.41.42    ; Windows NT (blech!)
   ; Including any in our other class C's
   twixel.mydomain.name.   IN  A     126.27.18.161   ; Linux test machine
   foxone.mydomain.name.   IN  A     126.27.18.162   ; Linux devel. kernel
   ; Alias (canonical) names
   gopher  IN  CNAME mail.mydomain.name.
   ftp     IN  CNAME mail.mydomain.name.
   www     IN  CNAME mail.mydomain.name.
   ```
   Sample entries in the `/var/named/123_12.rev` reverse lookup file:

   ```
   ; This is the Start of Authority record. Same as in forward lookup table.
   @       IN  SOA   mydomain.name. postmaster.mydomain.name. (
                     19990811  ; Serial number
                     3600      ; 1 hour refresh
                     300       ; 5 minutes retry
                     172800    ; 2 days expiry
                     43200 )   ; 12 hours minimum
   ; Name servers listed as in forward lookup table
           IN  NS    mail.mydomain.name.
           IN  NS    isp.domain.name.com.
   ; A list of machine names & addresses, in reverse. We are mapping
   ; more than one class C here, so we need to list the class B portion
   ; as well.
   40.41   IN  PTR   spock.mydomain.name.
   41.41   IN  PTR   mail.mydomain.name.
   42.41   IN  PTR   kirk.mydomain.name.
   ; As you can see, we can map our other class C's as long as they are
   ; under the 123.12.* class B addresses
   24.42   IN  PTR   tsingtao.mydomain.name.
   250.42  IN  PTR   redstripe.mydomain.name.
   24.43   IN  PTR   kirin.mydomain.name.
   66.44   IN  PTR   sapporo.mydomain.name.
   ; No alias (canonical) names should be listed in the reverse lookup
   ; file (for obvious reasons).
   ```
   Any other reverse lookup files needed to map addresses in a different class B (such as 126.27.*) can be created, and would look much the same as the example reverse lookup file above.

5. Make sure the named daemon is running. This daemon is usually started from the `/etc/rc.d/init.d/named` script upon system boot. You can also start and stop the daemon manually; type `/etc/rc.d/init.d/named start` and `/etc/rc.d/init.d/named stop`, respectively. Whenever changes are made to the DNS tables, the DNS server should be restarted by typing `/etc/rc.d/init.d/named restart`. You may then wish to test your changes by using a tool such as `nslookup` to query the machine you have added or changed.
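Before restarting named it is worth checking that the forward and reverse files agree: every address in the reverse zone's block has a PTR back to its name, every PTR has a matching A record, and no CNAMEs appear in the reverse file. The Python below is an added example, not part of the original document: it parses constructed, trimmed copies of the page's two files and reports the mismatches; parse_records, rev_to_ip and check_reverse are my own names, and the parser assumes the IN class on every record, as the page's files have.

```python
# Constructed, trimmed versions of the page's sample zone files (example addresses
# only); the reverse file deliberately has a stale PTR, a missing PTR and a CNAME.
FORWARD_ZONE = """
@ IN SOA mydomain.name. postmaster.mydomain.name. (
        19990811 3600 300 172800 43200 ) ; serial refresh retry expiry minimum
  IN NS mail.mydomain.name.
spock.mydomain.name.  IN A 123.12.41.40
mail.mydomain.name.   IN A 123.12.41.41
twixel.mydomain.name. IN A 126.27.18.161 ; other class B, not covered by 123_12.rev
"""
REVERSE_ZONE = """
40.41 IN PTR spock.mydomain.name.
42.41 IN PTR kirk.mydomain.name.    ; kirk has no A record any more
www   IN CNAME mail.mydomain.name.  ; CNAMEs do not belong here
"""

def parse_records(zone_text, origin):
    # (owner, type, rdata) tuples; strips ';' comments, skips the multi-line SOA, assumes IN class
    records, in_paren = [], False
    for raw in zone_text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if in_paren or not line:
            in_paren = in_paren and ')' not in line
            continue
        tokens = (['@'] if line.startswith('IN ') else []) + line.split()  # blank owner = apex
        owner, _, rtype, *rdata = tokens
        if rtype == 'SOA':
            in_paren = ')' not in line
            continue
        owner = origin if owner == '@' else owner if owner.endswith('.') else f'{owner}.{origin}'
        records.append((owner, rtype, ' '.join(rdata)))
    return records

def rev_to_ip(name):
    # '40.41.12.123.in-addr.arpa.' -> '123.12.41.40'; '12.123.in-addr.arpa.' -> '123.12'
    return '.'.join(reversed(name.rstrip('.').split('.')[:-2]))

def check_reverse(forward, reverse, origin, rev_origin):
    # As the page warns: no CNAMEs in the reverse file, and A/PTR pairs must agree both ways.
    prefix = rev_to_ip(rev_origin) + '.'
    a_recs = {(o, r) for o, t, r in parse_records(forward, origin) if t == 'A' and r.startswith(prefix)}
    ptrs, problems = {}, []
    for owner, rtype, rdata in parse_records(reverse, rev_origin):
        if rtype == 'CNAME':
            problems.append(f'CNAME {owner} does not belong in a reverse zone')
        elif rtype == 'PTR':
            ptrs[rev_to_ip(owner)] = rdata
    problems += [f'{n} A {ip} has no PTR' for n, ip in a_recs if ptrs.get(ip) != n]
    problems += [f'PTR {ip} -> {n} has no A record' for ip, n in ptrs.items() if (n, ip) not in a_recs]
    return sorted(problems)
```

Calling `check_reverse(FORWARD_ZONE, REVERSE_ZONE, 'mydomain.name.', '12.123.in-addr.arpa.')` reports the three planted faults and ignores twixel, whose address belongs to the other class B file.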
More information on configuring DNS services can be found in the `DNS-HOWTO` guide at http://metalab.unc.edu/Linux/HOWTO/DNS-HOWTO-5.html.