<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Domain Name Server (DNS) Configuration and Administration</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.63
|
|
"><LINK
|
|
REL="HOME"
|
|
TITLE="Linux Administration Made Easy"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Custom Configuration and Administration Issues"
|
|
HREF="custom-config.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Web Server and HTTP Caching Proxy Administration"
|
|
HREF="web-server-administration.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Internet User Authentication with TACACS"
|
|
HREF="internet-user-authentication.html"></HEAD
|
|
><BODY
|
|
CLASS="SECT1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Linux Administration Made Easy</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="web-server-administration.html"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 7. Custom Configuration and Administration Issues</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="internet-user-authentication.html"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="DOMAIN-NAME-SERVER"
|
|
>7.2. Domain Name Server (DNS) Configuration and Administration</A
|
|
></H1
|
|
><P
|
|
>At my place of employment, we are using Linux as a DNS server. It
|
|
performs exceptionally well. This section will address configuration of
|
|
DNS tables for these services using the BIND 8.x package which comes standard
|
|
with the Red Hat distribution.</P
|
|
><DIV
|
|
CLASS="NOTE"
|
|
><BLOCKQUOTE
|
|
CLASS="NOTE"
|
|
><P
|
|
><B
|
|
>Note: </B
|
|
>Red Hat versions 5.1 and earlier used the BIND 4.x package,
|
|
which used a slightly different format for its configuration file. BIND
|
|
8.x offers more functionality over that offered by BIND 4.x, and as 4.x is
|
|
no longer being developed, you should probably consider upgrading your
|
|
BIND package to the latest version. Simply install the BIND RPM package
|
|
(see <A
|
|
HREF="using-rpm.html"
|
|
>Section 10.1</A
|
|
> for details on using the RPM utility),
|
|
then convert your configuration file to the new format.</P
|
|
><P
|
|
>Fortunately, converting your existing BIND 4.x configuration file to
|
|
be compliant with BIND 8.x is easy! In the documentation directory
|
|
provided as part of BIND (for example,
|
|
``<TT
|
|
CLASS="LITERAL"
|
|
><TT
|
|
CLASS="FILENAME"
|
|
>/usr/doc/bind-8.1.2/</TT
|
|
></TT
|
|
>'' for BIND
|
|
version 8.1.2), there exists a file called
|
|
``<TT
|
|
CLASS="LITERAL"
|
|
><TT
|
|
CLASS="FILENAME"
|
|
>named-bootconf.pl</TT
|
|
></TT
|
|
>'', which is an
|
|
executable Perl program. Assuming you have Perl installed on your system,
|
|
you can use this program to convert your configuration file. To do so,
|
|
type the following commands (as root):</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
><TT
|
|
CLASS="USERINPUT"
|
|
><B
|
|
>cd /usr/doc/bind-8.1.2</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="USERINPUT"
|
|
><B
|
|
>./named-bootconf.pl < /etc/named.boot > /etc/named.conf</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="USERINPUT"
|
|
><B
|
|
>mv /etc/named.boot /etc/named.boot-obsolete</B
|
|
></TT
|
|
></PRE
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
>You should now have an
|
|
``<TT
|
|
CLASS="LITERAL"
|
|
><TT
|
|
CLASS="FILENAME"
|
|
>/etc/named.conf</TT
|
|
></TT
|
|
>'' file which
|
|
should work with BIND 8.x <SPAN
|
|
CLASS="QUOTE"
|
|
>"out-of-the-box"</SPAN
|
|
>. Your existing
|
|
DNS tables will work as-is with the new version of BIND, as the format of
|
|
the tables remains the same.</P
|
|
></BLOCKQUOTE
|
|
></DIV
|
|
><P
|
|
>Configuration of DNS services under Linux involves the following
|
|
steps:</P
|
|
><P
|
|
></P
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
>To enable DNS services,
|
|
the ``<TT
|
|
CLASS="LITERAL"
|
|
><TT
|
|
CLASS="FILENAME"
|
|
>/etc/host.conf</TT
|
|
></TT
|
|
>'' file
|
|
should look like this:</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="90%"
|
|
><TR
|
|
><TD
|
|
><PRE
|
|
CLASS="PROGRAMLISTING"
|
|
># Lookup names via /etc/hosts first, then by DNS query
order hosts, bind
# Return every address listed for a host in /etc/hosts, not just the first
multi on
# Reject a name whose address does not look up back to the same name
nospoof on
# Warn us (via syslog) if someone attempts to spoof
alert on</PRE
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
>The spoof check (``nospoof'') makes the resolver verify that the name
returned for an address looks up back to that same address, and ``alert''
logs a warning when the check fails. This adds a small (negligible) cost
to each lookup, so if you are not concerned about it you may disable the
<SPAN
CLASS="QUOTE"
>"nospoof"</SPAN
> and <SPAN
CLASS="QUOTE"
>"alert"</SPAN
>
entries; on a server that uses host names for access control they are
worth leaving enabled.</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Configure the
|
|
``<TT
|
|
CLASS="LITERAL"
|
|
><TT
|
|
CLASS="FILENAME"
|
|
>/etc/hosts</TT
|
|
></TT
|
|
>'' file as needed.
|
|
Typically there doesn't need to be much in here, but for improved
|
|
performance you can add any hosts you access often (such as local
|
|
servers) to avoid performing DNS lookups on them.</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>The
|
|
``<TT
|
|
CLASS="LITERAL"
|
|
><TT
|
|
CLASS="FILENAME"
|
|
>/etc/named.conf</TT
|
|
></TT
|
|
>'' file should be
|
|
configured to point to your DNS tables according to the example below.</P
|
|
><DIV
|
|
CLASS="NOTE"
|
|
><BLOCKQUOTE
|
|
CLASS="NOTE"
|
|
><P
|
|
><B
|
|
>Note: </B
|
|
>IP addresses shown are examples only and must be replaced
with the addresses assigned to your network.</P
|
|
></BLOCKQUOTE
|
|
></DIV
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="90%"
|
|
><TR
|
|
><TD
|
|
><PRE
|
|
CLASS="PROGRAMLISTING"
|
|
>options {
        // DNS tables are located in the /var/named directory
        directory "/var/named";

        // Forward any unresolved requests to our ISP's name server
        // (this is an example IP address only -- do not use!)
        forwarders {
                123.12.40.17;
        };

        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};

// Enable caching and load the root name server hints. The hint zone
// must be named "." (the root) and point at /var/named/named.root
zone "." {
        type hint;
        file "named.root";
};

// All our DNS information is stored in /var/named/mydomain_name.db
// (eg. if mydomain.name = foobar.com then use foobar_com.db)
zone "mydomain.name" {
        type master;
        file "mydomain_name.db";
        allow-transfer { 123.12.41.40; };
};

// Reverse lookups for 123.12.41.*, .42.*, .43.*, .44.* class C's
// (these are example Class C's only -- do not use!)
zone "12.123.IN-ADDR.ARPA" {
        type master;
        file "123_12.rev";
        allow-transfer { 123.12.41.40; };
};

// Reverse lookups for 126.27.18.*, .19.*, .20.* class C's
// (these are example Class C's only -- do not use!)
zone "27.126.IN-ADDR.ARPA" {
        type master;
        file "126_27.rev";
        allow-transfer { 123.12.41.40; };
};</PRE
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><DIV
|
|
CLASS="TIP"
|
|
><BLOCKQUOTE
|
|
CLASS="TIP"
|
|
><P
|
|
><B
|
|
>Tip: </B
|
|
>Make note of the <TT
CLASS="LITERAL"
>allow-transfer</TT
>
options above, which restrict DNS zone transfers to a given IP address.
In our example, we are allowing the host at 123.12.41.40 (probably a slave
DNS server in our domain) to request zone transfers. If you omit this
option, anyone on the Internet will be able to request such transfers and
so obtain a complete list of your host names and addresses. As that
information is often used by spammers and by attackers mapping your
network, I strongly recommend you restrict zone transfers to your slave DNS
server(s) only; if you have no slaves, deny them outright with
``<TT
CLASS="LITERAL"
>allow-transfer { none; };</TT
>''. The option applies per zone, so remember it for every master zone
(or put it in the <TT
CLASS="LITERAL"
>options</TT
> section to set a default for all of them).</P
|
|
></BLOCKQUOTE
|
|
></DIV
|
|
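>
<P
>The following script is an added example (not part of the original page,
nor of the BIND distribution) that audits a ``<TT
CLASS="LITERAL"
>named.conf</TT
>'' for zones anyone can transfer. It parses the statement forms shown
above (options, zone, and the three comment styles; include, acl and view
statements are not handled), applies the same rule BIND does (a zone
without its own allow-transfer inherits the one in options, and with
neither, transfers are open to all), and prints a verdict for every zone
that holds transferable data (master or slave). The embedded configuration
is a constructed sample based on this page, with one zone deliberately left
without the option and one opened with ``any''.</P
>

```python
"""Audit a BIND named.conf for zones that allow zone transfers from anyone.

Added example, not part of the original page.  Understands only the statement
forms used on that page (options {}, zone "name" {}, //, # and /* */ comments);
include, acl and view statements are not parsed."""
import re

# Constructed sample based on the page's named.conf: one zone is restricted,
# one has no allow-transfer at all, one is explicitly open, and the hint
# zone is skipped because it holds no transferable data.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    forwarders { 123.12.40.17; };
    // allow-transfer { 123.12.41.40; };   a global default would go here
};

zone "." {
    type hint;
    file "named.root";
};

zone "mydomain.name" {
    type master;
    file "mydomain_name.db";
    allow-transfer { 123.12.41.40; };
};

zone "12.123.IN-ADDR.ARPA" {
    type master;
    file "123_12.rev";
};

zone "27.126.IN-ADDR.ARPA" {
    type master;
    file "126_27.rev";
    allow-transfer { any; };
};
"""

_COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)


def strip_comments(conf):
    """Remove the three comment styles named.conf accepts."""
    return _COMMENT_RE.sub("", conf)


def brace_body(text, pos):
    """Text inside the first { ... } at or after pos, honouring nesting."""
    start = text.index("{", pos)
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def option(body, name):
    """Address match list of `name { ... }` inside body, or None if absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), body)
    return m.group(1) if m else None


def classify(acl):
    """'missing' (no restriction anywhere), 'open' (any), or 'ok' (a list)."""
    if acl is None:
        return "missing"
    entries = [e.strip() for e in acl.split(";") if e.strip()]
    return "open" if "any" in entries else "ok"


def audit_transfers(conf):
    """Map each master/slave zone to its allow-transfer verdict.

    A zone without its own allow-transfer inherits the one in options {};
    if neither exists, BIND answers AXFR requests from anyone ('missing')."""
    text = strip_comments(conf)
    opts = re.search(r"\boptions\b", text)
    default = option(brace_body(text, opts.end()), "allow-transfer") if opts else None
    verdicts = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"', text):
        body = brace_body(text, m.end())
        kind = re.search(r"\btype\s+(\w+)\s*;", body)
        # Slaves serve the zone too, so they can leak it just like the master.
        if not kind or kind.group(1) not in ("master", "slave", "primary", "secondary"):
            continue
        acl = option(body, "allow-transfer")
        verdicts[m.group(1)] = classify(default if acl is None else acl)
    return verdicts


if __name__ == "__main__":
    for zone, verdict in audit_transfers(SAMPLE_NAMED_CONF).items():
        print("%-24s allow-transfer: %s" % (zone, verdict))
```

<P
>Run it against a real file with
<TT
CLASS="LITERAL"
>audit_transfers(open("/etc/named.conf").read())</TT
>; any zone reported as ``missing'' or ``open'' will hand its full contents
to an AXFR request from any address.</P
>
<BR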
></LI
|
|
><LI
|
|
><P
|
|
>Now you can set up your DNS tables in the
|
|
``<TT
|
|
CLASS="LITERAL"
|
|
><TT
|
|
CLASS="FILENAME"
|
|
>/var/named/</TT
|
|
></TT
|
|
>'' directory as
|
|
configured in the
|
|
``<TT
|
|
CLASS="LITERAL"
|
|
><TT
|
|
CLASS="FILENAME"
|
|
>/etc/named.conf</TT
|
|
></TT
|
|
>'' file in step
|
|
three. Configuring DNS database files for the first time is a major
|
|
undertaking, and is beyond the scope of this document. There are several
|
|
guides, online and in printed form that should be referred to. However,
|
|
several examples are provided below.</P
|
|
><P
|
|
>Sample entries in the
|
|
``<TT
|
|
CLASS="LITERAL"
|
|
><TT
|
|
CLASS="FILENAME"
|
|
>/var/named/mydomain_name.db</TT
|
|
></TT
|
|
>''
|
|
forward lookup file:</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="90%"
|
|
><TR
|
|
><TD
|
|
><PRE
|
|
CLASS="PROGRAMLISTING"
|
|
>; This is the Start of Authority (SOA) record. Contains contact
; & other information about the name server. The serial number
; must be increased whenever the file is updated (to inform secondary
; servers that zone information has changed).
@       IN      SOA     mydomain.name. postmaster.mydomain.name. (
                        19990811        ; Serial number
                        3600            ; 1 hour refresh
                        300             ; 5 minutes retry
                        172800          ; 2 days expiry
                        43200 )         ; 12 hours minimum

; List the name servers that are authoritative for this zone (our own
; server and one at our ISP). Every name listed here must have an
; address (A) record of its own. Lookups for other zones are handled by
; the forwarders option in named.conf, not by this list.
        IN      NS      mail.mydomain.name.
        IN      NS      isp.domain.name.com.

; This is the mail-exchanger. You can list more than one (if
; applicable), with the integer field indicating priority (lowest
; being a higher priority). The integer is required.
        IN      MX      10 mail.mydomain.name.

; Provides optional information on the machine type & operating system
; used for the server. Anyone can query it, so it tells an attacker
; exactly what platform you run; leave it out unless you really need it.
        IN      HINFO   Pentium/350 LINUX

; A list of machine names & addresses
spock.mydomain.name.    IN      A       123.12.41.40    ; OpenVMS Alpha
mail.mydomain.name.     IN      A       123.12.41.41    ; Linux (main server)
kirk.mydomain.name.     IN      A       123.12.41.42    ; Windows NT (blech!)

; Including any in our other class C's
twixel.mydomain.name.   IN      A       126.27.18.161   ; Linux test machine
foxone.mydomain.name.   IN      A       126.27.18.162   ; Linux devel. kernel

; Aliases (each CNAME record points an alias at its canonical name)
gopher  IN      CNAME   mail.mydomain.name.
ftp     IN      CNAME   mail.mydomain.name.
www     IN      CNAME   mail.mydomain.name.</PRE
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
>Sample entries in the
|
|
``<TT
|
|
CLASS="LITERAL"
|
|
><TT
|
|
CLASS="FILENAME"
|
|
>/var/named/123_12.rev</TT
|
|
></TT
|
|
>'' reverse
|
|
lookup file:</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="90%"
|
|
><TR
|
|
><TD
|
|
><PRE
|
|
CLASS="PROGRAMLISTING"
|
|
>; This is the Start of Authority record. Same as in forward lookup table.
|
|
@ IN SOA mydomain.name. postmaster.mydomain.name. (
|
|
19990811 ; Serial number
|
|
3600 ; 1 hour refresh
|
|
300 ; 5 minutes retry
|
|
172800 ; 2 days expiry
|
|
43200 ) ; 12 hours minimum
|
|
|
|
; Name servers listed as in forward lookup table
|
|
IN NS mail.mydomain.name.
|
|
IN NS isp.domain.name.com.
|
|
|
|
; A list of machine names & addresses, in reverse. We are mapping
|
|
; more than one class C here, so we need to list the class B portion
|
|
; as well.
|
|
40.41 IN PTR spock.mydomain.name.
|
|
41.41 IN PTR mail.mydomain.name.
|
|
42.41 IN PTR kirk.mydomain.name.
|
|
|
|
; As you can see, we can map our other class C's as long as they are
|
|
; under the 123.12.* class B addresses
|
|
24.42 IN PTR tsingtao.mydomain.name.
|
|
250.42 IN PTR redstripe.mydomain.name.
|
|
24.43 IN PTR kirin.mydomain.name.
|
|
66.44 IN PTR sapporo.mydomain.name.
|
|
|
|
; PTR records must point at a host's canonical name. Do not list CNAME
; aliases here: a reverse lookup should return one name that resolves
; back to the address (which is exactly what nospoof checks).</PRE
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
>Any other reverse lookup files needed to map addresses in a different
|
|
class B (such as 126.27.*) can be created, and would look much the same
|
|
as the example reverse lookup file above.</P
|
|
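>
<P
>Mistakes in hand-maintained tables, such as a PTR that names the wrong
host or an MX record without its preference value, are easy to make and hard
to spot by eye. The following checker is an added example, not part of the
original page or of BIND: it parses forward and reverse files written in the
syntax shown above (the embedded zones are constructed from this page's
examples, with two defects introduced on purpose), compares every A record
inside the reverse zone's address range with its PTR, lists PTR records that
have no A record, and flags MX records lacking a preference. ``$''
directives such as $ORIGIN and $TTL are not handled; that is a limitation of
this script, not a BIND rule.</P
>

```python
"""Cross-check a BIND forward zone file against its in-addr.arpa reverse zone.

Added example, not part of the original page.  Parses the zone-file syntax
used on that page (';' comments, parenthesised SOA, '@' and blank owners,
relative names, optional TTL/class); '$' directives are not handled."""
import ipaddress

FORWARD_ORIGIN = "mydomain.name."
# Constructed from the page's forward file; the MX defect is deliberate.
FORWARD_ZONE = """\
@ IN SOA mydomain.name. postmaster.mydomain.name. (
        19990811 ; Serial number
        3600     ; 1 hour refresh
        300      ; 5 minutes retry
        172800   ; 2 days expiry
        43200 )  ; 12 hours minimum
        IN NS mail.mydomain.name.
        IN NS isp.domain.name.com.
        IN MX mail.mydomain.name.        ; defect: preference value missing
spock.mydomain.name.  IN A 123.12.41.40
mail.mydomain.name.   IN A 123.12.41.41
kirk.mydomain.name.   IN A 123.12.41.42
twixel.mydomain.name. IN A 126.27.18.161  ; outside the reverse zone below
www                   IN CNAME mail.mydomain.name.
"""

REVERSE_ORIGIN = "12.123.in-addr.arpa."
# Constructed from the page's reverse file; both defects are deliberate.
REVERSE_ZONE = """\
@ IN SOA mydomain.name. postmaster.mydomain.name. (
        19990811 3600 300 172800 43200 )
        IN NS mail.mydomain.name.
40.41 IN PTR spock.mydomain.name.
41.41 IN PTR mail.mydomain.name.
42.41 IN PTR enterprise.mydomain.name.   ; defect: the A record says kirk
24.42 IN PTR tsingtao.mydomain.name.     ; defect: no A record for this host
"""


def absolute(name, origin):
    """Lower-case fully qualified form of an owner or target name."""
    if name == "@":
        return origin.lower()
    return (name if name.endswith(".") else name + "." + origin).lower()


def parse_zone(text, origin):
    """Return [(owner, rrtype, rdata_tokens)] for every record in the file."""
    records, last_owner, buf, owner_given = [], origin, "", False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if not buf:                       # first line of a new record
            owner_given = not line[0].isspace()
        buf += " " + line
        if buf.count("(") > buf.count(")"):
            continue                      # parenthesised record continues
        tokens = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if owner_given:
            last_owner = absolute(tokens.pop(0), origin)
        while tokens and (tokens[0].upper() == "IN" or tokens[0].isdigit()):
            tokens.pop(0)                 # optional TTL and class
        records.append((last_owner, tokens[0].upper(), tokens[1:]))
    return records


def ptr_to_ip(owner):
    """'40.41.12.123.in-addr.arpa.' -> '123.12.41.40'"""
    return ".".join(reversed(owner.rstrip(".").split(".")[:-2]))


def reverse_network(origin):
    """'12.123.in-addr.arpa.' -> 123.12.0.0/16, the range this zone covers."""
    octets = list(reversed(origin.rstrip(".").split(".")[:-2]))
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network("%s/%d" % (".".join(padded), 8 * len(octets)))


def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return a list of problems (empty when forward and reverse agree)."""
    problems, a_names = [], {}            # a_names: ip -> names with that A
    for owner, rrtype, rdata in parse_zone(fwd_text, fwd_origin):
        if rrtype == "A":
            a_names.setdefault(rdata[0], set()).add(owner)
        elif rrtype == "MX" and not (len(rdata) == 2 and rdata[0].isdigit()):
            problems.append("MX at %s lacks a preference: %s"
                            % (owner, " ".join(rdata)))
    ptr_names = {ptr_to_ip(owner): absolute(rdata[0], rev_origin)
                 for owner, rrtype, rdata in parse_zone(rev_text, rev_origin)
                 if rrtype == "PTR"}
    net = reverse_network(rev_origin)
    for ip, names in a_names.items():
        if ipaddress.ip_address(ip) not in net:
            continue                      # belongs to some other reverse zone
        if ip not in ptr_names:
            problems.append("no PTR for %s (%s)" % (", ".join(sorted(names)), ip))
        elif ptr_names[ip] not in names:
            problems.append("PTR for %s is %s but A records name %s"
                            % (ip, ptr_names[ip], ", ".join(sorted(names))))
    for ip, name in ptr_names.items():
        if ip not in a_names:
            problems.append("PTR %s -> %s has no A record" % (ip, name))
    return problems


if __name__ == "__main__":
    for problem in check_zones(FORWARD_ZONE, FORWARD_ORIGIN,
                               REVERSE_ZONE, REVERSE_ORIGIN):
        print(problem)
```

<P
>To use it on your own tables, read the files under
``<TT
CLASS="LITERAL"
>/var/named/</TT
>'' into the two text arguments and pass the zone names from
``<TT
CLASS="LITERAL"
>/etc/named.conf</TT
>'' (with a trailing dot) as the origins. An empty list means every
address in the reverse zone's range agrees with its forward entry.</P
>
<BR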
></LI
|
|
><LI
|
|
><P
|
|
>Make sure the named daemon is running. This daemon is
|
|
usually started from the
|
|
``<TT
|
|
CLASS="LITERAL"
|
|
><TT
|
|
CLASS="FILENAME"
|
|
>/etc/rc.d/init.d/named</TT
|
|
></TT
|
|
>'' file
|
|
upon system boot. You can also start and stop the daemon manually; type
``<TT
CLASS="LITERAL"
>/etc/rc.d/init.d/named start</TT
>'' and ``<TT
CLASS="LITERAL"
>/etc/rc.d/init.d/named stop</TT
>'',
respectively.</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Whenever changes are made to the DNS tables, first increase the serial
number in the SOA record of every zone file you changed (otherwise your
slave servers will never notice the change), then restart the DNS server
by typing ``<TT
CLASS="LITERAL"
>/etc/rc.d/init.d/named
restart</TT
>''. You may then wish to test your changes by using a
tool such as <SPAN
CLASS="QUOTE"
>"<TT
CLASS="LITERAL"
>nslookup</TT
>"</SPAN
> to query the
machine you have added or changed, and to check the messages named writes
to syslog (``<TT
CLASS="LITERAL"
>/var/log/messages</TT
>'' on Red Hat) for zone-loading errors: a zone file with a syntax error is
silently not served.</P
|
|
></LI
|
|
></OL
|
|
><P
|
|
>More information on configuring DNS services can be found in the
|
|
``<EM
|
|
>DNS-HOWTO</EM
|
|
>'' guide at
|
|
<A
|
|
HREF="http://metalab.unc.edu/Linux/HOWTO/DNS-HOWTO-5.html"
|
|
TARGET="_top"
|
|
>http://metalab.unc.edu/Linux/HOWTO/DNS-HOWTO-5.html</A
|
|
>.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="web-server-administration.html"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="internet-user-authentication.html"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Web Server and HTTP Caching Proxy Administration</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="custom-config.html"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Internet User Authentication with TACACS</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
>