Preparation
Before starting this lab, make sure:
When configuring a nameserver, you need to supply the following information in your /etc/named.conf and in the files it refers to (the so-called DNS resource records):
You never know when a tradeshow, a demo setup, a lab setup, or some project requirement comes to a head because someone needs a robust Internet Domain Name Server (DNS). The function of the DNS is not all that difficult to comprehend: it is the server that client applications contact, usually to resolve an IP address from a hostname. The IP address is then used by network routers to send data packets to the remote host.
In reverse mode, the DNS can also resolve a hostname given an IP address. Many UNIX applications use this for security checks, or together with ARP or RARP, to verify that the hostname data and the IP address do indeed match. For example, if you're trying to Telnet or FTP to a Solaris 2.x host from a renegade laptop using a valid but unresolvable IP address on the LAN, you may notice that it takes almost 60 seconds before you receive the login prompt: the server's reverse lookup of your address has to time out first. You can fix this delay by simply adding an entry for the hostname and IP into the maps on the primary network DNS.
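The "reverse then forward" check described above (look up the PTR for the client address, then confirm that the name it returns has an A record pointing back at the same address) is what the login delay is waiting for. The following Python script is an added example, not part of the original lab; it implements that classification against a small constructed forward/reverse table (the hostnames and addresses are hypothetical), and also shows how to run the same check against the live system resolver through the socket module.

```python
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample data standing in for the lab's forward and reverse maps.
# Hostnames and addresses are hypothetical, not taken from any real network.
SAMPLE_A: Dict[str, List[str]] = {
    "testdns.firma.com": ["10.194.150.33"],
    "sandbox.firma.com": ["10.194.156.58"],
}
SAMPLE_PTR: Dict[str, str] = {
    "10.194.150.33": "testdns.firma.com",   # PTR and A agree
    "10.194.156.58": "sandbox.firma.com",   # PTR and A agree
    "10.194.156.5":  "sandbox.firma.com",   # PTR names a host whose A is elsewhere
    "10.194.156.77": "stale.firma.com",     # PTR names a host with no A record
}


def lookup_a(name: str) -> List[str]:
    """A lookup against the constructed table (trailing-dot and case tolerant)."""
    return SAMPLE_A.get(name.rstrip(".").lower(), [])


def lookup_ptr(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table; None plays the role of NXDOMAIN."""
    return SAMPLE_PTR.get(ip)


def forward_confirmed(ip: str,
                      resolve_ptr: Callable[[str], Optional[str]] = lookup_ptr,
                      resolve_a: Callable[[str], List[str]] = lookup_a) -> str:
    """Classify a client address the way a daemon doing a reverse-then-forward
    check would.  Returns 'ok', 'no-ptr', 'no-a' or 'mismatch'."""
    name = resolve_ptr(ip)
    if name is None:
        return "no-ptr"          # the 'unresolvable IP' case from the text
    addrs = resolve_a(name)
    if not addrs:
        return "no-a"            # PTR exists, but the name does not resolve back
    return "ok" if ip in addrs else "mismatch"


def system_resolvers():
    """The same two lookups against the host's real resolver (socket module), so
    forward_confirmed() can be pointed at a live DNS: ptr, a = system_resolvers()."""
    def ptr(ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    def a(name: str) -> List[str]:
        try:
            return socket.gethostbyname_ex(name)[2]
        except (socket.herror, socket.gaierror):
            return []
    return ptr, a


if __name__ == "__main__":
    for ip in ("10.194.150.33", "10.194.156.5", "10.194.156.77", "10.194.1.1"):
        print(f"{ip:15} {forward_confirmed(ip)}")
```

Only the "ok" outcome should be trusted by anything that makes decisions on the hostname; the other three are exactly the cases a missing or stale entry in the reverse map produces.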
But setting up a DNS from scratch is fairly complicated. Attempting to read the man pages and generate valid map files is not very efficient. A better way is to follow an example template, which is what is provided here.
Minimal /etc/named.conf for this lab (the zone file names it refers to are used below):
options {
    directory "/etc/named";
    dump-file "/var/log/named/db.named_dump";
};
zone "." in {
    type hint;
    file "db.root.hint";
};
# --- primary (forward) zone
zone "test.firma.com" in {
    type master;
    file "db.test.firma.com";
};
# --- reverse zone
zone "194.10.in-addr.arpa" in {
    type master;
    file "db.10.194";
};
# --- loopback
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "db.127.0.0";
};
Prototype of a fuller named.conf, with logging channels and a controls block:
options {
    version "You must be joking";   // Obscure version number
    directory "/usr/local/bind";
    check-names master ignore;
    check-names slave warn;
    check-names response ignore;
    dump-file "/usr/local/bind/db.named_dump";
    // Log stats every 15 minutes
    statistics-interval 15;
    // Don't bother to look for new interfaces
    interface-interval 0;
    // Limit zone transfer time. It either comes quickly or something is wrong.
    max-transfer-time-in 5;
    // pid file location, for convenience
    pid-file "named.pid";
    // Test for multi A record handling
    rrset-order { class IN type A name "www.gra.firma.com" order fixed; };
};
//
// Log stats and special events to stat.log at the info severity.
// Notice severity will end up in /var/adm/messages, like "normal".
logging {
    channel stat {
        file "stat.log" versions 7 size 20M;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel my_syslog {
        syslog daemon;
        severity notice;
    };
    channel security {
        file "security.log" versions 7 size 20M;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel query {
        file "query.log" versions 3 size 20M;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category statistics { stat; };
    category security { security; };
    category update-security { security; };
    category update { stat; };
    category notify { stat; };
    category queries { query; };
    category default { my_syslog; stat; };
};
//
// This is to try to fix ndc - GRA 3/14/03
//
controls {
    unix "/usr/local/bind/etc/ndc.d/ndc" perm 0700 owner 0 group 1;
};
zone "." {
    type hint;
    file "named.ca";
};
// Includes
include "named.conf.acl";
include "dynamic.conf";
include "master.conf";
include "slave.conf";
mkdir /etc/bind
db.test.firma.com (the primary forward zone file named in named.conf):
;
; this is a primary forward domain map. It allows the dns server
; to resolve the IP address given a hostname. Edit the entries
; to match your server hostname (myhost) and your domain (mydomain.com).
; Note the placement of periods at the end of a fully qualified hostname
; and domain. Don't change the format or forget periods and punctuation.
;
; The header specifies the "start of authority" (SOA) of this map.
; Included are default timeout values. Whenever you make a modification
; to this map, you must increase (i.e. change) the serial number, then
; send a kill -HUP to the in.named process or kill and restart it.
; The serial number tells other DNS secondaries that this map has changed,
; and when it's time to refresh, they will download the new one if the
; serial number has changed. You shouldn't have to mess with the other
; values.
;
@       IN  SOA testdns.firma.com. root.testdns.firma.com. (
                20060824    ; Serial, increment this every update
                10800       ; Refresh after 3 hours
                3600        ; Retry after 1 hour
                604800      ; Expire after 1 week
                86400 )     ; Minimum TTL of 1 day
;
; always set the default host for this domain. This means that
; someone who queries just mydomain.com actually gets a real host IP.
; Many ISPs forget to do this, and so when you register your domain, only
; www.yourdomain.com works, but no one can resolve yourdomain.com.
; This entry includes an MX (Mail eXchanger) record that forwards email
; to the right host with a certain priority. You may specify multiple MX
; records so email can still be delivered if the primary server is down.
; Below, the MX priority is 10. A lower value is higher priority.
; Below, we also specify the primary NS (Name Server) entry for our domain.
; You shouldn't need to change this for a primary map, except to edit it
; to reflect your domain name and this server hostname.
;
; "@" is the zone apex (test.firma.com). The NS record must be attached to
; the apex, otherwise the zone has no name server and will not load.
@       IN  A   10.194.150.33
        IN  MX  10 testdns.firma.com.
        IN  NS  testdns.firma.com.
;
; to help resolve localhost via DNS and to route local email on this system
localhost   IN  A   127.0.0.1
            IN  MX  10 testdns.firma.com.
;
; the meat of this dns map. There should be at least one authoritative (A)
; entry for each hostname. Note, once you specify a default domain in
; the named.boot or named.conf file, you only need to provide the first
; hostname word, and not the fully qualified host+domain name. The domain
; name becomes implicit (i.e. the nameserver assumes all unqualified
; hostnames here belong to the "mydomain.com." domain).
;
; for any host, you can specify a mail exchanger (MX) record; you can
; also add hostname aliases using a "Canonical NAME" (CNAME) entry.
;
testdns2    IN  A   10.194.150.53
            IN  MX  10 testdns2.firma.com.
sandbox     IN  A   10.194.156.58     ; no trailing period after an IP address
;
; add more hosts down here, using the format
;
; name IN A ##.##.##.##
;
; where "IN A" is the Internet address record, MX is the mail exchanger,
; and CNAME is the "Canonical Name", or simply an alias. For example, above,
; the host myhost has two aliases, also known as "www" and "mailhost".
; Gyoza serves as its own mail exchanger, so mail will be routed to it.
; The number after the MX parameter sets the priority. 10 is the usual
; number. A higher number means lower priority.
db.10.194 (the reverse zone file for 194.10.in-addr.arpa named in named.conf):
;
; this is a primary reverse domain map. It allows the dns server
; to resolve the hostname from a given IP address. Edit the entries
; to match your server hostname (test) and your domain (mydomain.com).
; Note the placement of periods at the end of a fully qualified hostname
; and domain. Don't change the format or forget periods and punctuation.
;
; The header specifies the "start of authority" (SOA) of this map.
; Included are default timeout values. Whenever you make a modification
; to this map, you must increase (i.e. change) the serial number, then
; send a kill -HUP to the in.named process or kill and restart it.
; The serial number tells other DNS secondaries that this map has changed,
; and when it's time to refresh, they will download the new one if the
; serial number has changed. You shouldn't have to mess with the other
; values.
;
@       IN  SOA test.firma.com. root.test.firma.com. (
                20060824    ; Serial
                10800       ; Refresh after 3 hours
                3600        ; Retry after 1 hour
                604800      ; Expire after 1 week
                86400 )     ; Minimum TTL of 1 day
;
; specify the network reverse map and the primary NS entry.
; you should only need to edit the network numbers. They are in reverse
; order. The example is for class C. For class B, you'll have 2 numbers
; separated by dots and then the in-addr.arpa.
;
194.10.in-addr.arpa.    IN  NS  testdns.firma.com.
;
; begin the meat of the reverse map. In this case, the server implicitly
; assigns the network IP prefix specified by the reverse domain. So you only
; need to include the host part without any prefix. Because this zone is
; the class B 194.10.in-addr.arpa, the host part is the last two octets in
; reverse order: host 10.194.150.33 is "33.150".
;
33.150  IN  PTR testdns.firma.com.
;
; add additional hosts down here. The format should be
; the last number of the IP address for the host (i.e. bitwise AND
; of (00.00.00.ff & 129.200.9.##), which gives you the ##). Then
; use the IN PTR parameter followed by the fully-qualified hostname,
; e.g. if I had hosts "myhost2 - 129.200.9.2 and myhost3 - 129.200.9.3".
; Don't forget the '.' at the end of the host.domainname. We need to fully
; qualify it in this map.
;
2       IN  PTR myhost2.mydomain.com.
3       IN  PTR myhost3.mydomain.com.
; ----------end--reverse-map----------------------------
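The two punctuation rules the comments above keep repeating (a trailing period on every fully qualified name in NS, MX, CNAME and PTR data; never a trailing period on an A record's address) and the "bump the serial" rule are easy to check mechanically before reloading the server. The following Python script is an added example, not part of the original lab: it parses a small constructed zone (hypothetical names, with both mistakes planted on purpose), reports them, and includes the 32-bit serial comparison (RFC 1982) that secondaries use to decide whether a map has changed.

```python
import re
from typing import List, Tuple

# Constructed sample zone (hypothetical names and addresses).  Two mistakes are
# planted deliberately: an MX target without its trailing dot, and an A record
# whose address carries one.
SAMPLE_ZONE = """\
@        IN SOA  ns1.example.test. root.ns1.example.test. (
                 2006082401 ; serial
                 10800      ; refresh
                 3600       ; retry
                 604800     ; expire
                 86400 )    ; minimum
         IN NS   ns1.example.test.
         IN MX   10 mail.example.test
ns1      IN A    10.194.150.33
mail     IN A    10.194.150.34.
www      IN CNAME ns1.example.test.
"""

RTYPES = {"SOA", "NS", "MX", "CNAME", "PTR", "A", "AAAA", "TXT"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
NAME_TYPES = {"NS", "MX", "CNAME", "PTR"}   # rdata ends in a domain name


def parse_records(text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, type, rdata) triples.  Comments are removed, parenthesised
    continuations (the SOA) are joined, and a line starting with whitespace
    inherits the previous owner, as in a real master file."""
    lines = [re.sub(r";.*", "", ln) for ln in text.splitlines()]
    joined, buf = [], ""
    for ln in lines:
        buf += " " + ln if buf else ln
        if buf.count("(") > buf.count(")"):
            continue                      # still inside ( ... )
        joined.append(buf)
        buf = ""
    records, owner = [], "@"
    for ln in joined:
        if not ln.strip():
            continue
        if not ln[0].isspace():
            owner, ln = ln.split(None, 1)
        toks = ln.split()
        while toks and toks[0] not in RTYPES:   # drop optional TTL / class
            toks.pop(0)
        if toks:
            records.append((owner, toks[0], " ".join(toks[1:])))
    return records


def lint(records) -> List[str]:
    """Flag the trailing-period mistakes the zone-file comments warn about."""
    problems = []
    for owner, rtype, rdata in records:
        target = rdata.split()[-1] if rdata else ""
        if rtype == "A" and not IPV4.match(rdata):
            problems.append(f"{owner} A: '{rdata}' is not a plain dotted quad")
        if rtype in NAME_TYPES and "." in target and not target.endswith("."):
            problems.append(f"{owner} {rtype}: target '{target}' lacks a trailing "
                            "period, so the zone origin will be appended to it")
    return problems


def soa_serial(records) -> int:
    """Serial is the third rdata field after MNAME and RNAME."""
    for _owner, rtype, rdata in records:
        if rtype == "SOA":
            return int(rdata.replace("(", " ").replace(")", " ").split()[2])
    raise ValueError("no SOA record in zone")


def serial_increases(old: int, new: int) -> bool:
    """RFC 1982 serial arithmetic: 'new' is newer if it is ahead by less than
    2^31 modulo 2^32, so wrapping past 4294967295 still counts as an increase."""
    return 0 < (new - old) % 2**32 < 2**31


if __name__ == "__main__":
    recs = parse_records(SAMPLE_ZONE)
    for p in lint(recs):
        print("WARNING:", p)
    print("serial:", soa_serial(recs),
          "bump ok:", serial_increases(soa_serial(recs), soa_serial(recs) + 1))
```

Run it over a real map before the kill -HUP; a secondary that sees an unchanged or lower serial will silently keep serving the old data, which is why the serial check belongs next to the syntax check.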
You can also generate it using mkrdns - MaKe Reverse DNS (auto-generate PTR maps):
mkrdns [options] [configuration file]
mkrdns is a program designed to auto-generate reverse DNS maps (IN PTR records). Some programs already accompany the BIND source package that will do this kind of thing on a single domain or network basis. mkrdns will read either a named.boot or named.conf file, figure out which domains and networks to deal with, and then generate the reverse maps.
You are deemed "in charge" of a network/domain if you are the primary DNS for a reverse zone, or if you are either the primary or secondary for a forward zone. The exception to this rule is that the 127.* network is not auto-generated due to the "1 IN PTR localhost." issue.
Options:
- -debug Print debugging information. (this will print a LOT of information, be warned.)
- -extension <ext> Append the given extension to the output files. This is useful if you want to have the reverse maps generated, but want to check their contents before use.
- -help The help screen.
- -quiet Turn off warning messages (multiple A records -> IP, etc.). Good for scripts, but you probably want to check on what the warnings report.
- -rootdir <path> Specify the path to the root directory that named will be running in. This will handle anyone using a chrooted environment for named. Everything except the configuration file is assumed to be under the new root.
- -version Show mkrdns version information.
mkrdns reads the standard BIND configuration file, named.conf (or the older named.boot). If you don't specify the full path to the file on the command line, mkrdns assumes that one (or both) will exist in /etc and searches for them there. If none is found, the program exits. If one is found, it is used. If both are found, named.conf is used.
Think of directives as configuration options for mkrdns which are simply comments to BIND. The current directives are map, skip, and skipzone.
Map allows you to map hosts to another network. This was designed for the purpose of handling DNS for a subnet of a class C network which you do not control. (See the DNS & BIND O'Reilly and Associates book, 3rd Ed., pp. 215-218.) Assume that you have 10.4.4.32/27 (i.e. you have the 32 IPs from 10.4.4.32 to 10.4.4.63). You want to do reverse mappings for those IPs, but you don't control 4.4.10.in-addr.arpa. How do you do it? The solution is to become the master for another zone (such as 32.4.4.10.in-addr.arpa. or 32-63.4.4.10.in-addr.arpa.), and CNAME the correct reverse pointers to the ones you're in charge of. The format for the directive is: map <network/mask> <new network>
map 10.4.4.32/27 10.4.4.32-63
This maps all hosts between 10.4.4.32 and 10.4.4.63 to 10.4.4.32-63.32 through 10.4.4.32-63.63.
Skip forces mkrdns to ignore certain hosts/IPs via regular expression. The concept is that there are some IN A records for which you would like to skip creating a reverse entry. Skip allows this. (For instance, "foo IN A 10.4.4.32" and "mail IN A 10.4.4.32" both exist, but you want to force foo as the reverse lookup and ignore mail. The following example does this for you.) Format: skip <regular expression>
skip ^mail
This will skip any host (or IP) that matches the "^mail" regular expression. The host is the FQDN, and the IP is before mapping (see above).
Skipzone forces mkrdns to ignore certain zones while processing the named configuration file. A possible use for this is where you have "bar.com" and "bar.net", and both of them should have the same host info (i.e. foo.bar.com and foo.bar.net both have the same records). You want "bar.com" to be the reverse lookup for the IPs used. So set the zone file setting to the same file (bar.zone), and then add "skipzone bar.net". NOTE: The skipzone argument must match EXACTLY the zone name in the config file. NOTE: You can specify multiple zones in the same "skipzone" statement (i.e. "skipzone foo.com bar.com"). NOTE2: If you are using views, the zone string must be in the format "view:zone". If a view isn't given, "default" is assumed.
ignoreslaves tells mkrdns to ignore any forward slave domains in the configuration. This is useful if, for instance, you are master for both a forward domain and reverse domain (say 168.192.in-addr.arpa) which go together, but you also have slave domains with hosts in the same reverse zone.
Directives are given to mkrdns in special comments in the configuration file:
/* mkrdns <directive type> <parameters> ... */
UNIX-style comments (the hash mark, then the comment) are allowed as well.
mkrdns -e new /etc/named.conf
This will run mkrdns over the file /etc/named.conf. Output files will be generated as <name>.new (i.e. if the PTR zone file is called 160.zone, the output will be 160.zone.new).
I tend to use this script like a lint check. i.e.: Edit the proper zone files, then run mkrdns.
The named.conf configuration file should have view, zone, and ending braces "};" on separate lines. This is the usual, more readable format found in the wild, and the mkrdns configuration parser expects it. So, if you have something like view "foo" { zone "bar.com" { type master; file "foo"; }; }; on a single line, you'll have to rewrite it as something like:
view "foo" {
    zone "bar.com" {
        type master;
        file "foo";
    };
};
The <network>.zone reverse map files must already be created, be uniquely specified in the configuration file, and have the appropriate information (SOA/NS records, etc.) in them. This script will strip out any PTR records, and then add them back in. (This means anything like blank lines and comments will be moved to the top of the file.) $ORIGIN and $INCLUDE are stripped as of mkrdns 1.3.
You must be at least a secondary for all domains which reference IP networks for which you're responsible. There is no means (currently at least) to specify a PTR record for a non-existent A record, so this script must have access to all A records that need to be "reversed".
If you have more than one A record pointing to a specific IP, you can't have both be the PTR record. This script takes the first A record it sees as the one used for the PTR record. A warning is printed for any additional entries. (While the RFCs don't prohibit multiple PTR records for the same IP, I have yet to find anyone who can give me a good reason to do it.)
Map serial numbers default to the YYYYMMDDVV format (YYYY = year, MM = month, DD = day, VV = version (00-99)). This script will convert your serial number to this format if it's not already. I don't have too many daily DNS changes, so the action for not being able to update the serial number (i.e. VV is at 99 and can't be increased) is to simply exit. If this is going to cause a problem for you, you can use the serialt directive to specify that a zone (or the default) should treat the serial number as a number instead of using the date format. Either way, a problem will come up when the serial number reaches 4294967295 (max value), but that's another story. (mkrdns will print a warning if this is about to happen :-)
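The behaviour described in the map, skip and serial-number sections above (first A record per address wins with a warning for the rest, skip by regular expression on the FQDN or the unmapped IP, classless reverse zones for a subnet you do not own, YYYYMMDDVV serials that refuse to go past 99 in a day) can be written down in a few dozen lines. The following Python script is an added example, not mkrdns itself: it uses constructed forward-zone data (hypothetical hosts in 10.4.4.0/24), the skip and map values from the text, and shows both the PTR lines for the classless zone and the CNAME lines the owner of the parent 4.4.10.in-addr.arpa zone would have to add.

```python
import ipaddress
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed forward-zone data (hypothetical hosts) as (fqdn, ip) pairs in
# zone-file order.  The duplicates are deliberate to exercise the rules below.
A_RECORDS = [
    ("foo.example.test",  "10.4.4.32"),
    ("mail.example.test", "10.4.4.32"),   # same IP as foo; removed by the skip regex
    ("bar.example.test",  "10.4.4.40"),
    ("dup.example.test",  "10.4.4.40"),   # second A for 10.4.4.40; the first one wins
    ("out.example.test",  "10.4.5.7"),    # outside the mapped /27
]

# Directive values as they would appear in "/* mkrdns ... */" comments
SKIP = ["^mail"]
MAPS = [("10.4.4.32/27", "10.4.4.32-63")]


def ptr_owner(ip: str, maps) -> str:
    """Reverse an address into its PTR owner name.  Inside a mapped network the
    owner lives under the classless zone, e.g. 32.32-63.4.4.10.in-addr.arpa."""
    last = ip.split(".")[-1]
    addr = ipaddress.ip_address(ip)
    for network, new_network in maps:
        if addr in ipaddress.ip_network(network, strict=False):
            child = ".".join(reversed(new_network.split(".")))
            return f"{last}.{child}.in-addr.arpa."
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def generate_ptrs(a_records, skip_patterns, maps) -> Tuple[List[str], List[str]]:
    """mkrdns-style pass: drop names/IPs matching a skip regex, keep the first A
    record seen per IP (warn about the rest), emit PTR lines sorted by address."""
    skips = [re.compile(p) for p in skip_patterns]
    chosen: Dict[str, str] = {}
    warnings: List[str] = []
    for name, ip in a_records:
        if any(s.search(name) or s.search(ip) for s in skips):
            continue
        if ip in chosen:
            warnings.append(f"{ip}: extra A record {name} ignored, keeping {chosen[ip]}")
            continue
        chosen[ip] = name
    ordered = sorted(chosen.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    return [f"{ptr_owner(ip, maps)} IN PTR {name}." for ip, name in ordered], warnings


def delegation_cnames(network: str, new_network: str) -> List[str]:
    """The records the owner of the parent octet zone adds so that queries for the
    mapped addresses are redirected to the classless zone you are master for."""
    net = ipaddress.ip_network(network, strict=False)
    parent = ".".join(reversed(str(net.network_address).split(".")[:3])) + ".in-addr.arpa."
    child = ".".join(reversed(new_network.split("."))) + ".in-addr.arpa."
    return [f"{h.packed[-1]}.{parent} IN CNAME {h.packed[-1]}.{child}" for h in net]


def next_serial(old: int, today: Optional[str] = None) -> int:
    """YYYYMMDDVV handling: a serial from an earlier day (or not in date form at
    all) restarts at VV=00 for today; otherwise VV+1, refusing to pass 99.
    'today' is a YYYYMMDD string, defaulting to the current date."""
    base = int(today or date.today().strftime("%Y%m%d")) * 100
    if old < base:
        return base
    if old >= base + 99:
        raise ValueError(f"cannot bump serial {old}: today's VV range is exhausted")
    return old + 1


if __name__ == "__main__":
    lines, warnings = generate_ptrs(A_RECORDS, SKIP, MAPS)
    print("\n".join(lines))
    for w in warnings:
        print("WARNING:", w)
    print("\n".join(delegation_cnames(*MAPS[0])[:2]), "...")
    print("next serial:", next_serial(2006082401, "20060824"))
```

The parent-zone CNAMEs are the half of the setup mkrdns cannot do for you, because they live in a zone you are not master for; the script prints them so they can be handed to whoever runs 4.4.10.in-addr.arpa.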
db.127.0.0 (the loopback zone file named in named.conf):
;
; the localhost map. Edit this and change only the myhost and
; domain globally, but leave everything else as is.
;
@       IN  SOA test.firma.com. root.test.firma.com. (
                20060823    ; Serial
                10800       ; Refresh after 3 hours
                3600        ; Retry after 1 hour
                604800      ; Expire after 1 week
                86400 )     ; Minimum TTL of 1 day
;
0.0.127.in-addr.arpa.    IN  NS   testdns.firma.com.
;
1.0.0.127.in-addr.arpa.  IN  PTR  localhost.
On the client, /etc/nsswitch.conf should try the hosts file first and then DNS:
hosts: files dns
/etc/resolv.conf (comments go on their own line; the resolver does not understand a comment after a nameserver entry):
domain test.firma.com
# if the DNS server runs on this host
nameserver 127.0.0.1
# otherwise give the proper IP of the remote DNS server
nameserver 10.10.10.10
Older versions of BIND are sloppily programmed. Check the client's /etc/resolv.conf file for spaces at the end of the domain name: no spaces or tabs are allowed there.
or
/usr/local/bin/in.named
/usr/sbin/nslookup testdns
A sample response looks like:
Server:   localhost
Address:  127.0.0.1

Name:     testdns.firma.com
Address:  10.146.150.53
You should repeat your test using an IP address instead:
/usr/sbin/nslookup 10.146.150.53
A sample response looks like:
Server:   localhost
Address:  127.0.0.1

Name:     testdns.firma.com
Address:  10.146.150.53
If the DNS is set up to resolve Internet addresses, you can test this by typing:
/usr/sbin/nslookup nuc.berkeley.edu
A sample response looks like:
Server:   localhost
Address:  127.0.0.1

Non-authoritative answer:
Name:     nuc.berkeley.edu
Address:  128.32.142.96
If something is wrong, send the DNS server an INT signal, which makes it dump its in-memory database, and look in the dump file (its location is set by the dump-file option in named.conf; the commands below assume /etc/bind/named_dump.db):
# nslookup
# kill -INT `cat /etc/named.pid`
# vi /etc/bind/named_dump.db
Use the techniques discussed in the lecture, testing both your local domain and remote domain servers as they become available.
// Slave config file.
zone "test.firma.com" {
    type slave;
    file "named.root";
    masters { 10.192.186.180; };
};
; Information for the loopback domain 127.in-addr.arpa.
@       IN  SOA test.firma.com. hostmaster.test.firma.com. (
                20060823    ; Serial number
                43200       ; Refresh timer - 12 hours
                3600        ; Retry timer - 1 hour
                604800      ; Expire timer - 1 week
                86400       ; Minimum timer - 1 day
                )
; Define name servers for this domain.
        IN  NS  testdns.firma.com.
; Define appropriate mappings for this domain.
10.144.150.53   IN  PTR testdns.firma.com.
; Modify the domain-info file on the primary server.
; Add the following line after the existing name server resource record
; (testdns2 is 10.144.150.153; note the trailing period on the name):
        IN  NS  testdns2.firma.com.    ; secondary
; Modify the inverse-domain-info file on the primary server.
; Add the following line after the existing name server resource record:
        IN  NS  testdns2.firma.com.    ; secondary
Add the following records to the CNAME section of the domain-info file, replacing the existing comment in that section:
www         IN  CNAME   dns
mailhost    IN  MX      10 dns
Last modified: March 12, 2019