Chapter 33. The Domain Name System¶
Contents
Abstract
DNS (domain name system) is needed to resolve the domain names and
hostnames into IP addresses. In this way, the IP address 192.168.0.1 is assigned to
the hostname earth, for
example. Before setting up your own name server, read the general information about DNS in
Section 30.3, “Name Resolution”. The following
configuration examples refer to BIND.
33.1. DNS Terminology¶
- Zone
The domain name space is divided into regions called zones. For instance, if you have
example.org, you have theexamplesection, or zone, of theorgdomain.- DNS server
The DNS server is a server that maintains the name and IP information for a domain. You can have a primary DNS server for master zone, a secondary server for slave zone, or a slave server without any zones for caching.
- Master zone DNS server
The master zone includes all hosts from your network and a DNS server master zone stores up-to-date records for all the hosts in your domain.
- Slave zone DNS server
A slave zone is a copy of the master zone. The slave zone DNS server obtains its zone data with zone transfer operations from its master server. The slave zone DNS server responds authoritatively for the zone as long as it has valid (not expired) zone data. If the slave cannot obtain a new copy of the zone data, it stops responding for the zone.
- Forwarder
Forwarders are DNS servers to which your DNS server should send queries it cannot answer.
- Record
The record is information about name and IP address. Supported records and their syntax are described in BIND documentation. Some special records are:
- NS record
An NS record tells name servers which machines are in charge of a given domain zone.
- MX record
The MX (mail exchange) records describe the machines to contact for directing mail across the Internet.
- SOA record
SOA (Start of Authority) record is the first record in a zone file. The SOA record is used when using DNS to synchronize data between multiple computers.
33.2. Configuration with YaST¶
You can use the DNS module of YaST to configure a DNS server for your local network. To configure a Samba server, start YaST and select +. When starting the module for the first time, a wizard starts, prompting you to make just a few basic decisions concerning administration of the server. Completing this initial setup produces a very basic server configuration that should be functioning in its essential aspects. The expert mode can be used to deal with more advanced configuration tasks, such as setting up ACLs, logging, TSIG keys, and other options.
33.2.1. Wizard Configuration¶
The wizard consists of three steps or dialogs. At the appropriate places in the dialogs, you are given the opportunity to enter the expert configuration mode.
When starting the module for the first time, the dialog, shown in Figure 33.1, “DNS Server Installation: Forwarder Settings”, opens. In it, decide whether the PPP daemon should provide a list of forwarders on dial-up via DSL or ISDN () or whether you want to supply your own list ().
The dialog consists of several parts and is responsible for the management of zone files, described in Section 33.5, “Zone Files”. For a new zone, provide a name for it in . To add a reverse zone, the name must end in
.in-addr.arpa. Finally, select the (master or slave). See Figure 33.2, “DNS Server Installation: DNS Zones”. Click to configure other settings of an existing zone. To remove a zone, click .In the final dialog, you can open the DNS port in the firewall by clicking . Then decide whether or not the DNS server should be started ( or ). You can also activate LDAP support. See Figure 33.3, “DNS Server Installation: Finish Wizard”.
33.2.2. Expert Configuration¶
After starting the module, YaST opens a window displaying several configuration options. Completing it results in a DNS server configuration with the basic functions in place:
33.2.2.1. Starting the DNS Server¶
Under , define whether the DNS server should be started when the system boots (during booting the system) or manually. To start the DNS server immediately, select . To stop the DNS server, select . To save the current settings, select . You can open the DNS port in the firewall with and modify the firewall settings with .
By selecting , the zone files are managed by an LDAP database. Any changes to zone data written to the LDAP database are picked up by the DNS server as soon as it is restarted or prompted to reload its configuration.
33.2.2.2. DNS Server: Basic Options¶
In this section, set basic server options. From the menu, select the desired item then specify the value in the corresponding entry field. Include the new entry by selecting .
33.2.2.3. Logging¶
To set what the DNS server should log
and how, select .
Under , specify where
the DNS server should write the log data. Use the
systemwide log file /var/log/messages by
selecting or specify a
different file by selecting . In the
latter case, additionally specify a name, the maximum file size in
megabytes, and the number of versions of log files to store.
Further options are available under . Enabling causes every query to be logged, in which case the log file could grow extremely large. For this reason, it is not a good idea to enable this option for other than debugging purposes. To log the data traffic during zone updates between DHCP and DNS server, enable . To log the data traffic during a zone transfer from master to slave, enable . See Figure 33.4, “DNS Server: Logging”.
33.2.2.4. Using ACLs¶
Use this window to define ACLs (access control lists) to enforce access restrictions. After providing a distinct name under , specify an IP address (with or without netmask) under in the following fashion:
{ 10.10/16; }The syntax of the configuration file requires that the address ends with a semicolon and is put into curly braces.
33.2.2.5. TSIG Keys¶
The main purpose of TSIGs (transaction signatures) is to secure communications between DHCP and DNS servers. They are described in Section 33.7, “Secure Transactions”.
To generate a TSIG key, enter a distinctive name in the field labeled and specify the file where the key should be stored (). Confirm your choices with .
To use a previously created key, leave the field blank and select the file where it is stored under . After that, confirm with .
33.2.2.6. Adding a Slave Zone¶
To add a slave zone, select , choose the zone type , and click .
In the under , specify the master from which the slave should fetch its data. To limit access to the server, select one of the ACLs from the list. See Figure 33.5, “DNS Server: Slave Zone Editor”.
33.2.2.7. Adding a Master Zone¶
To add a master zone, select , choose the zone type , write the name of the new zone, and click .
33.2.2.8. Editing a Master Zone¶
To edit a master zone, select , choose the zone type , select the master zone from the table, and click . The dialog consists of several pages: (the one opened first), , , , and .
The basic dialog, shown in Figure 33.6, “DNS Server: Zone Editor (Basic)”, lets you define settings for dynamic DNS and access options for zone transfers to clients and slave name servers. To permit the dynamic update of zones, select as well as the corresponding TSIG key. The key must have been defined before the update action starts. To enable zone transfers, select the corresponding ACLs. ACLs must have been defined already.
- Zone Editor (NS Records)
This dialog allows you to define alternative name servers for the zones specified. Make sure that your own name server is included in the list. To add a record, enter its name under then confirm with . See Figure 33.7, “DNS Server: Zone Editor (NS Records)”.
- Zone Editor (MX Records)
To add a mail server for the current zone to the existing list, enter the corresponding address and priority value. After doing so, confirm by selecting . See Figure 33.8, “DNS Server: Zone Editor (MX Records)”.
- Zone Editor (SOA)
This page allows you to create SOA (start of authority) records. For an explanation of the individual options, refer to Example 33.6, “File /var/lib/named/world.zone”. Changing SOA records is not supported for dynamic zones managed via LDAP.
- Zone Editor (Records)
This dialog manages name resolution. In , enter the hostname then select its type. represents the main entry. The value for this should be an IP address. is an alias. Use the types and for detailed or partial records that expand on the information provided in the and tabs. These three types resolve to an existing A record. is for reverse zones. It is the opposite of an A record.
33.3. Starting the Name Server BIND¶
On a SUSE Linux Enterprise® system, the name server BIND (Berkeley
Internet name domain) comes preconfigured so it can be started
right after installation without any problem. If you already have a
functioning Internet connection and have entered 127.0.0.1 as the name server
address for
localhost in
/etc/resolv.conf, you normally already have a working
name resolution without needing to know the DNS of the provider. BIND
carries out name resolution via the root name server, a notably slower
process. Normally, the DNS of the provider should be entered with its IP
address in the configuration file /etc/named.conf under
forwarders to ensure effective and secure name
resolution. If this works so far, the name server runs as a pure
caching-only name server. Only when you configure its
own zones will it become a proper DNS. A simple example of this is included
in the documentation in
/usr/share/doc/packages/bind/config.
![[Tip]](admon/tip.png) | Automatic Adaptation of the Name Server Information |
|---|---|
Depending on the type of Internet connection
or the network connection, the name server information
can automatically be adapted to the current
conditions. To do this, set the variable
| |
However, do not set up any official domains until assigned one by the responsible institution. Even if you have your own domain and it is managed by the provider, you are better off not using it, because BIND would otherwise not forward requests for this domain. The Web server at the provider, for example, would not be accessible for this domain.
To start the name server, enter the command
rcnamed start as
root. If
“done” appears to the
right in green, named, as the name server process
is called, has been started successfully. Test the name server immediately
on the local system with the host or
dig programs, which should return localhost as the default server
with the
address 127.0.0.1. If this is not
the case, /etc/resolv.conf probably contains an
incorrect name server entry or the file does not exist at all. For the first
test, enter host 127.0.0.1, which
should always work. If you get an error message, use
rcnamed status to see whether the
server is actually running. If the name server does not start or
behaves unexpectedly, you can usually find the cause in the log
file /var/log/messages.
To use the name server of the provider or one already running on your
network as the forwarder, enter the corresponding IP address
or addresses in the options section under
forwarders. The addresses included in
Example 33.1, “Forwarding Options in named.conf” are just examples. Adjust
these entries to your own setup.
Example 33.1. Forwarding Options in named.conf¶
options {
directory "/var/lib/named";
forwarders { 10.11.12.13; 10.11.12.14; };
listen-on { 127.0.0.1; 192.168.0.99; };
allow-query { 127/8; 192.168.0/24; };
notify no;
};
The options entry is followed by entries for the
zone, localhost, and
0.0.127.in-addr.arpa. The type
hint entry under “.” should always be
present. The corresponding files do not need to be modified and should work
as they are. Also make sure that each entry is closed with a “;” and
that the curly braces are in the correct places. After changing the
configuration file /etc/named.conf or the zone files,
tell BIND to reread them with
rcnamed reload. Achieve the
same by stopping and restarting the name server with
rcnamed restart. Stop the server
at any time by entering
rcnamed stop.
33.4. The Configuration File /etc/named.conf¶
All the settings for the BIND name server itself are stored in the file
/etc/named.conf. However, the zone data for the domains
to handle, consisting of the hostnames, IP addresses, and so on, are stored
in separate files in the /var/lib/named directory. The
details of this are described later.
/etc/named.conf is roughly divided into two areas.
One is the options section for general settings and
the other consists of zone entries for the
individual domains. A logging section and
acl (access control list) entries are optional.
Comment lines begin with a # sign or //. A
minimal /etc/named.conf is shown in
Example 33.2, “A Basic /etc/named.conf”.
Example 33.2. A Basic /etc/named.conf¶
options {
directory "/var/lib/named";
forwarders { 10.0.0.1; };
notify no;
};
zone "localhost" in {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};
zone "." in {
type hint;
file "root.hint";
};33.4.1. Important Configuration Options¶
- directory "
filename"; Specifies the directory in which BIND can find the files containing the zone data. Usually, this is
/var/lib/named.- forwarders {
ip-address; }; Specifies the name servers (mostly of the provider) to which DNS requests should be forwarded if they cannot be resolved directly. Replace
ip-addresswith an IP address like10.0.0.1.- forward first;
Causes DNS requests to be forwarded before an attempt is made to resolve them via the root name servers. Instead of
forward first,forward onlycan be written to have all requests forwarded and none sent to the root name servers. This makes sense for firewall configurations.- listen-on port 53 { 127.0.0.1;
ip-address; }; Tells BIND on which network interfaces and port to accept client queries.
port 53does not need to be specified explicitly, because53is the default port. Enter127.0.0.1to permit requests from the local host. If you omit this entry entirely, all interfaces are used by default.- listen-on-v6 port 53 {any; };
Tells BIND on which port it should listen for IPv6 client requests. The only alternative to
anyisnone. As far as IPv6 is concerned, the server only accepts a wild card address.- query-source address * port 53;
This entry is necessary if a firewall is blocking outgoing DNS requests. This tells BIND to post requests externally from port 53 and not from any of the high ports above 1024.
- query-source-v6 address * port 53;
Tells BIND which port to use for IPv6 queries.
- allow-query { 127.0.0.1;
net; }; Defines the networks from which clients can post DNS requests. Replace
netwith address information like192.168.1/24. The/24at the end is an abbreviated expression for the netmask, in this case,255.255.255.0.- allow-transfer ! *;;
Controls which hosts can request zone transfers. In the example, such requests are completely denied with
! *. Without this entry, zone transfers can be requested from anywhere without restrictions.- statistics-interval 0;
In the absence of this entry, BIND generates several lines of statistical information per hour in
/var/log/messages. Set it to 0 to suppress these statistics completely or set an interval in minutes.- cleaning-interval 720;
This option defines at which time intervals BIND clears its cache. This triggers an entry in
/var/log/messageseach time it occurs. The time specification is in minutes. The default is 60 minutes.- interface-interval 0;
BIND regularly searches the network interfaces for new or nonexistent interfaces. If this value is set to
0, this is not done and BIND only listens at the interfaces detected at start-up. Otherwise, the interval can be defined in minutes. The default is sixty minutes.- notify no;
noprevents other name servers from being informed when changes are made to the zone data or when the name server is restarted.
33.4.2. Logging¶
What, how, and where logging takes place can be extensively configured in BIND. Normally, the default settings should be sufficient. Example 33.3, “Entry to Disable Logging” shows the simplest form of such an entry and completely suppresses any logging.
33.4.3. Zone Entries¶
Example 33.4. Zone Entry for my-domain.de¶
zone "my-domain.de" in {
type master;
file "my-domain.zone";
notify no;
};
After zone, specify the name of the domain
to administer (my-domain.de)
followed by in and a block of relevant options
enclosed in curly braces, as shown in Example 33.4, “Zone Entry for my-domain.de”.
To define a slave zone,
switch the type to
slave and specify a name server that administers
this zone as master (which, in turn, may be a slave of
another master), as shown in Example 33.5, “Zone Entry for other-domain.de”.
Example 33.5. Zone Entry for other-domain.de¶
zone "other-domain.de" in {
type slave;
file "slave/other-domain.zone";
masters { 10.0.0.1; };
};The zone options:
- type master;
By specifying
master, tell BIND that the zone is handled by the local name server. This assumes that a zone file has been created in the correct format.- type slave;
This zone is transferred from another name server. It must be used together with
masters.- type hint;
The zone
.of thehinttype is used to set the root name servers. This zone definition can be left as is.- file
my-domain.zoneor file “slave/other-domain.zone”; This entry specifies the file where zone data for the domain is located. This file is not required for a slave, because this data is fetched from another name server. To differentiate master and slave files, use the directory
slavefor the slave files.- masters {
server-ip-address; }; This entry is only needed for slave zones. It specifies from which name server the zone file should be transferred.
- allow-update {! *; };
This option controls external write access, which would allow clients to make a DNS entry—something not normally desirable for security reasons. Without this entry, zone updates are not allowed at all. The above entry achieves the same because
! *effectively bans any such activity.
33.5. Zone Files¶
Two types of zone files are needed. One assigns IP addresses to hostnames and the other does the reverse: it supplies a hostname for an IP address.
| Using the Dot in Zone Files |
|---|---|
The | |
The first case to consider is the zone file
world.zone, responsible for the domain
world.cosmos, shown in Example 33.6, “File /var/lib/named/world.zone”.
Example 33.6. File /var/lib/named/world.zone¶
$TTL 2D
world.cosmos. IN SOA gateway root.world.cosmos. (
2003072441 ; serial
1D ; refresh
2H ; retry
1W ; expiry
2D ) ; minimum
IN NS gateway
IN MX 10 sun
gateway IN A 192.168.0.1
IN A 192.168.1.1
sun IN A 192.168.0.2
moon IN A 192.168.0.3
earth IN A 192.168.1.2
mars IN A 192.168.1.3
www IN CNAME moon
- Line 1:
$TTLdefines the default time to live that should apply to all the entries in this file. In this example, entries are valid for a period of two days (2 D).- Line 2:
This is where the SOA (start of authority) control record begins:
The name of the domain to administer is
world.cosmosin the first position. This ends with a., because otherwise the zone would be appended a second time. Alternatively,@can be entered here, in which case the zone would be extracted from the corresponding entry in/etc/named.conf.After
IN SOAis the name of the name server in charge as master for this zone. The name is expanded fromgatewaytogateway.world.cosmos, because it does not end with a..An e-mail address of the person in charge of this name server follows. Because the
@sign already has a special meaning,.is entered here instead. Forroot@world.cosmosthe entry must readroot.world.cosmos.. The.must be included at the end to prevent the zone from being added.The
(includes all lines up to)into the SOA record.
- Line 3:
The
serial numberis an arbitrary number that is increased each time this file is changed. It is needed to inform the secondary name servers (slave servers) of changes. For this, a 10 digit number of the date and run number, written as YYYYMMDDNN, has become the customary format.- Line 4:
The
refresh ratespecifies the time interval at which the secondary name servers verify the zoneserial number. In this case, one day.- Line 5:
The
retry ratespecifies the time interval at which a secondary name server, in case of error, attempts to contact the primary server again. Here, two hours.- Line 6:
The
expiration timespecifies the time frame after which a secondary name server discards the cached data if it has not regained contact to the primary server. Here, it is a week.- Line 7:
The last entry in the SOA record specifies the
negative caching TTL—the time for which results of unresolved DNS queries from other servers may be cached.- Line 9:
The
IN NSspecifies the name server responsible for this domain.gatewayis extended togateway.world.cosmosbecause it does not end with a.. There can be several lines like this—one for the primary and one for each secondary name server. Ifnotifyis not set tonoin/etc/named.conf, all the name servers listed here are informed of the changes made to the zone data.- Line 10:
The MX record specifies the mail server that accepts, processes, and forwards e-mails for the domain
world.cosmos. In this example, this is the hostsun.world.cosmos. The number in front of the hostname is the preference value. If there are multiple MX entries, the mail server with the smallest value is taken first and, if mail delivery to this server fails, an attempt is made with the next higher value.- Lines 12–17:
These are the actual address records where one or more IP addresses are assigned to hostnames. The names are listed here without a
.because they do not include their domain, soworld.cosmosis added to all of them. Two IP addresses are assigned to the hostgateway, because it has two network cards. Wherever the host address is a traditional one (IPv4), the record is marked withAAAA. If the address is an IPv6 address, the entry is marked withAAAA 0. The previous token for IPv6 addresses was onlyAAAA, which is now obsolete.![[Note]](admon/note.png)
IPv6 Syntax A IPv6 record has a slightly different syntax than IPv4. Because of the fragmentation possibility, it is necessary to provide information about missed bits before the address. You must provide this information even if you want to use a completely unfragmented address. For the IPv4 record with the syntax
pluto IN AAAA 2345:00C1:CA11:0001:1234:5678:9ABC:DEF0 pluto IN AAAA 2345:00D2:DA11:0001:1234:5678:9ABC:DEF0
You need to add information about missing bits in IPv6 format. Because the example above is complete (does not miss any bits), the IPv6 format of this record is:
pluto IN AAAA 0 2345:00C1:CA11:0001:1234:5678:9ABC:DEF0 pluto IN AAAA 0 2345:00D2:DA11:0001:1234:5678:9ABC:DEF0
Do not use IPv4 addresses with IPv6 mapping.
- Line 18:
The alias
wwwcan be used to addressmond(CNAMEmeans canonical name).
The pseudodomain in-addr.arpa is used for the reverse
lookup of IP addresses into hostnames. It is appended to the network part
of the address in reverse notation. So
192.168.1 is resolved into
1.168.192.in-addr.arpa. See
Example 33.7, “Reverse Lookup”.
Example 33.7. Reverse Lookup¶
$TTL 2D
1.168.192.in-addr.arpa. IN SOA gateway.world.cosmos. root.world.cosmos. (
2003072441 ; serial
1D ; refresh
2H ; retry
1W ; expiry
2D ) ; minimum
IN NS gateway.world.cosmos.
1 IN PTR gateway.world.cosmos.
2 IN PTR earth.world.cosmos.
3 IN PTR mars.world.cosmos.
- Line 1:
$TTL defines the standard TTL that applies to all entries here.
- Line 2:
The configuration file should activate reverse lookup for the network
192.168.1.0. Given that the zone is called1.168.192.in-addr.arpa, should not be added to the hostnames. Therefore, all hostnames are entered in their complete form—with their domain and with a.at the end. The remaining entries correspond to those described for the previousworld.cosmosexample.- Lines 3–7:
See the previous example for
world.cosmos.- Line 9:
Again this line specifies the name server responsible for this zone. This time, however, the name is entered in its complete form with the domain and a
.at the end.- Lines 11–13:
These are the pointer records hinting at the IP addresses on the respective hosts. Only the last part of the IP address is entered at the beginning of the line, without the
.at the end. Appending the zone to this (without the.in-addr.arpa) results in the complete IP address in reverse order.
Normally, zone transfers between different versions of BIND should be possible without any problem.
33.6. Dynamic Update of Zone Data¶
The term dynamic update refers to operations by which
entries in the zone files of a master server are added, changed, or deleted.
This mechanism is described in RFC 2136. Dynamic update is configured
individually for each zone entry by adding an optional
allow-update or
update-policy rule. Zones to update dynamically
should not be edited by hand.
Transmit the entries to update to the server with the command
nsupdate. For the exact syntax of this command, check the
manual page for nsupdate (man 8
nsupdate). For security reasons, any such update should be
performed using TSIG keys as described in Section 33.7, “Secure Transactions”.
33.7. Secure Transactions¶
Secure transactions can be made with the help of transaction signatures (TSIGs) based on shared secret keys (also called TSIG keys). This section describes how to generate and use such keys.
Secure transactions are needed for communication between different servers and for the dynamic update of zone data. Making the access control dependent on keys is much more secure than merely relying on IP addresses.
Generate a TSIG key with the following command (for details, see
man dnssec-keygen):
dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2
This creates two files with names similar to these:
Khost1-host2.+157+34265.private Khost1-host2.+157+34265.key
The key itself (a string like ejIkuCyyGJwwuN3xAteKgg==)
is found in both files. To use it for transactions, the second file
(Khost1-host2.+157+34265.key) must be transferred to
the remote host, preferably in a secure way (using
scp, for example). On the remote server, the key
must be included in the file /etc/named.conf to enable
a secure communication between host1 and
host2:
key host1-host2. {
algorithm hmac-md5;
secret ";ejIkuCyyGJwwuN3xAteKgg==;
};![[Warning]](admon/warning.png) | File Permissions of /etc/named.conf |
|---|---|
Make sure that the permissions of include "filename" Replace | |
To enable the server host1 to use the key for
host2 (which has the address
192.168.2.3 in this example), the server's
/etc/named.conf must include the following rule:
server 192.168.2.3 {
keys { host1-host2. ;};
};
Analogous entries must be included in the configuration files of
host2.
Add TSIG keys for any ACLs (access control lists, not to be confused with file system ACLs) that are defined for IP addresses and address ranges to enable transaction security. The corresponding entry could look like this:
allow-update { key host1-host2. ;};
This topic is discussed in more detail in the BIND Administrator
Reference Manual under update-policy.
33.8. DNS Security¶
DNSSEC, or DNS security, is described in RFC 2535. The tools available for DNSSEC are discussed in the BIND Manual.
A zone considered secure must have one or several zone keys associated with
it. These are generated with dnssec-keygen, just like the
host keys. The DSA encryption algorithm is currently used to generate these
keys. The public keys generated should be included in the corresponding zone
file with an $INCLUDE rule.
With the command dnssec-makekeyset, all keys generated
are packaged into one set, which must then be transferred to the parent zone
in a secure manner. On the parent, the set is signed with
dnssec-signkey. The files generated by this command are
then used to sign the zones with dnssec-signzone, which
in turn generates the files to include for each zone in
/etc/named.conf.
33.9. For More Information¶
For additional information, refer to the BIND Administrator
Reference Manual from package bind-doc, which
is installed under /usr/share/doc/packages/bind/. Consider additionally
consulting the RFCs referenced by the manual and the manual pages included
with BIND. /usr/share/doc/packages/bind/README.SuSE
contains up-to-date information about BIND in SUSE Linux Enterprise.