Senin, 05 September 2005

Implementing DNS on Linux - Part I

In the previous post - Understanding Domain Name System , I had explained about domain, zone and its features. Here I will explain how to implement DNS on linux.

Berkeley Internet Name Domain (BIND) is the most widely used DNS server on the internet. BIND provides a stable and reliable infrastructure on which to base a domain's name and IP address associations.
The current BIND is version 9. It has many features like providing IPv6 support, allowing 8-bit clean names and better multi-threading. BIND is maintained by Internet Software Consortium isc.org .

First step in successful implementation of BIND is to make sure that you have bind and bind-utils package installed on your system. If you are using RedHat, you can find it by executing the command(s):

# rpm -q bind
# rpm -q bind-utils

DNS Service Profile
Daemons : named , rndc
Ports : 53 (domain) and 953 (rndc)
Configuration files : /etc/named.conf , /var/named/* , /etc/rndc.*
GUI (Only in RedHat/Fedora) : system-config-bind

If you want to implement a caching name server then you should also install caching-nameserver package and for cryptographic support install openssl package.

Configuring BIND
The default configuration file is /etc/named.conf which is read by named (BIND daemon) during startup or service reload.

/etc/named.conf
  • Comments can be of C,C++ or Shell style.
  • The contents of the file is divided into blocks delineated by braces '{}' . Each block can contain sub-blocks within. Each block ends with a semi-colon.
  • Directives options, server and zone precede the blocks.
Options Directive
Commonly used global options

  • directory : Base directory of all relative paths specified in named.conf
  • forwarders : Server forwards queries it can't answer to the name servers at the IP address in the list. If it gets no answer, it will try a root name server unless the forward-only option is also set.
  • allow-query : Specifies an address match list of hosts allowed to query this server. If this option is not set, any host can query the server.
  • allow-transfer : Like allow-query, specifies hosts that may copy the database. Should be used to limit zone transfers. By default zone transfers are not permitted unless explicitly stated using the allow-transfer statement.
Eg:

#FILE : /etc/named.conf
...
acl "mynetwork" { 192.168.100/24; }; # Gives a name for the network
options {
directory "/var/named";
forwarders { 203.22.11.121; };
allow-query { mynetwork; };
allow-transfer { mynetwork; };
};
...

Address Match Lists - acl

Address match list is a list of semi-colon seperated IP addresses, networks, or named address match lists.
You can use acl to create a custom named address match list as shown in the above snippet.
Trailing non-significant zeros may be dropped. For example you can denote the network 192.168.5.0 as 192.168.5 .
acl makes the configuration easier to read and maintain.

For acls there are 4 pre defined named address match lists available. They are as follows :
  1. none : No IP address matches
  2. any : All IP address match.
  3. localhost : Any IP address of the name server matches.
  4. localnets : Any network on which the name server has an IP address matches.
For example, to create an acl which matches only the server, we write it as follows:

acl "mylocalmachine" { localhost; };

One of the main benefits of ACLs is that they make the configuration file easier to maintain and more human readable. They provide a central place where the IP addressed may be changed which is considerably easier than replacing those IP(s) throughout the file if a change needs to be implemented.

Zone directive
Master and slave zones are declared with the zone directive in the /etc/named.conf file. Every non-cached domain name must have a master zone so that authoritative records can be generated for queries.
For Example:

zone "mysite.com" {
type master;
file "mysite.com.zone"; # File name should indicate the zone.
};

zone "kernel.org" {
type slave;
masters { 192.168.192.5; };
file "kernel.org.zone";
};

Note: Slave zones look similar to their masters counterparts. The 'master' sub-directive must occur if the 'type' sub-directive equals 'slave'. A 'file' directive is used to store a local copy of the database which lessens the load on the master server. However, it is not required.

Reverse Lookup Zones
You also have to set reverse lookup zones. This is done as follows:
  1. Determine the network the zone should cover. For example, let us consider the network 172.100.10/24 .
  2. Reverse the order of octets in the network address. From above, we take 172.100.10 and reverse it to 10.100.172 .
  3. Append in-addr.arpa to the reversed string. Appending on to the result of step 2 we get 10.100.172.in-addr.arpa .
So the syntax for reverse lookup zones will be -

zone "10.100.172.in-addr.arpa" {
type slave;
masters { 172.100.10.1 };
file "172.100.10.zone";
};

Special Zones
Root Zone - Every BIND configuration must include a root zone. The root zone is used when a query is unresolvable by any other configured zones . The type of root zone is 'hint'.

zone "." {
type hint;
file "named.ca";
};

The file 'named.ca' contains information about root servers on the internet. This information rarely changes, but the latest version can always be obtained from rs.internic.net .
Loopback Zone - Though not strictly required, they should also be specified. Many programs like the X window system use local UNIX sockets to emulate IPC queues between cooperating processes. These sockets are bound to 127.0.0.1, the loopback address. Loopback zones should never be slaves.

zone "0.0.127.in-addr.arpa" {
# Specified like other reverse lookup zones.
};

This brings us to the end of editing the /etc/named.conf file.

In the next part, I will explain the syntax of the zone files which reside in /var/named/ directory.
To be Contd ...

Tidak ada komentar:

Posting Komentar