Thursday, July 31, 2008

DNS server

DNS functions
  • Forward Lookup - hostname to IP
  • Reverse Lookup - IP to hostname
  • Logically group computers by domain
  • Email routing information - MX record
DNS Zone, Domains and Delegation
  • A domain is a DNS scope that is responsible for name resolution
  • A zone is the name resolution scope that is managed by one specific server
  • A DNS server can delegate sub-domains into additional zones that are managed by one or more other servers
Name Server Hierarchy
  • Master name server contains the master copy of data for a zone
    • Master name server files:
      • Domain forward lookup zone file
      • Domain reverse lookup zone file
      • named.ca - Root server information file
      • localhost.zone - local forward lookup file
      • named.local - local reverse lookup file
  • Slave name server provides a backup of the master DNS server and automatically synchronizes with it.
    • Slave name server files:
      • named.ca
      • localhost.zone
      • named.local
    • DNS zone transfer - the action of the slave name server copying the "Domain forward lookup zone file" and "Domain reverse lookup zone file" from the master server is called a DNS zone transfer
Name resolution procedure:
  1. Receive a name resolution request from a client.
  2. If the requested name is in the local database, the DNS server sends the IP address back to the client and the name resolution is finished. If the requested name is not in the local database, the DNS server forwards the request to the root server.
  3. If the root server does not have the requested name, it responds with the IP address of the DNS server that manages the second-level domain of the requested name. Otherwise the root server responds with the IP of the requested name and the DNS server sends it back to the client.
  4. The DNS server repeats step 3 until the requested name is resolved.
  5. The DNS server saves the answer in its cache and sends it back to the client.
Berkeley Internet Name Domain (BIND)

BIND is the most widely used DNS server on the internet. It provides a stable and reliable infrastructure on which to base a domain's name and IP address associations. It runs in a chrooted environment to provide maximum security: chroot redirects the root directory to another directory, which on RHEL is /var/named/chroot/var/named/db.*

BIND on RHEL
  • Service type - System V
  • Packages - bind, bind-utils, bind-chroot
  • Daemons - named, rndc
  • Script - named which can start or stop DNS service
  • Ports - named on port 53, rndc on port 953
  • Files - all under /var/named/chroot directory
    • /etc/named.conf - main configuration file, including zones, options, access control lists, etc.
    • /var/named/* - DNS database
    • /etc/rndc.* - DNS security file
  • Related - caching-nameserver, used to quickly set up a caching-only DNS server; openssl, used to encrypt DNS communication.
Master and Slave Zones
  • Master zone - the DNS data stored on the master DNS server. Data in a master zone can be added, deleted or modified.
  • Slave zone - the DNS data stored on the slave DNS server. Data in a slave zone is transferred from the master DNS server, so it cannot be added, modified or deleted locally.
Reverse Lookup Zones

DNS configurations
  • bind-chroot - set ROOTDIR=directory_name in /etc/sysconfig/named. Putting a # in front of ROOTDIR disables the chroot.
  • Zone files directory - directory "/var/named" in named.conf, so with the chroot all DNS zone files are in /var/named/chroot/var/named
  • Global Options (each statement must end with ";", strings must be inside " ") (in named.conf)
    • options {
      directory "/var/named"; # root directory for all relative paths in named.conf, i.e. the directory holding all the DNS database files
      forwarders {10.0.1.254;}; # the server to which queries are sent when they cannot be resolved locally. If the forwarder cannot answer, the root DNS servers are tried unless the forward only option is also set.
      allow-query {192.168.2/24;}; # white list of queriers. If this option is not set the DNS server can be queried from everywhere.
      allow-transfer {192.168.2/24;}; # only the listed hosts can copy the DNS database (zone transfer).
      };
  • Access Control Lists (acl) (in named.conf)
    • acl "list_name" {192.168.1/24; 192.168.2/24;};
  • Master and Slave Zones (note: the zone file name must contain the zone name)
    • zone "example.com" {
      type master;
      file "example.com.zone"; # stored in the path defined by the directory option
      };
    • zone "kernel.org" {
      type slave;
      masters {192.168.1.1;};
      file "slaves/kernel.org.zone";
      };
  • Reverse lookup zones must have the following three records
    • SOA record
    • NS records
    • PTR records
    Create a reverse lookup zone by creating 192.168.1.zone in the /var/named/chroot/var/named directory and typing in the following lines.

    $TTL 86400
    @ IN SOA example.com. root.example.com. (
    2001101100 ; serial number
    10800 ;refresh
    3600 ;retry query
    604800 ;expire
    0 ;negative TTL
    )
    ; Resource Records
    @ IN NS ns.example.com.
    3 IN PTR ns.example.com.

    After creating the zone file, change its owner and group to named with the command "chown named:named 192.168.1.zone".

    zone "1.168.192.in-addr.arpa" {
    type slave;
    masters {192.168.1.3;};
    file "slaves/192.168.1.zone";
    };
    Note: the zone name is the network part of the address in reverse order and must end with .in-addr.arpa


  • Root Zone and Loopback Zone
    • Root zone "."
      zone "." {
      type hint;
      file "named.ca";
      };
    • Loopback zone "0.0.127.in-addr.arpa"
      zone "0.0.127.in-addr.arpa" {
      type master;
      file "named.local";
      };
  • Forward lookup zones must have the following three records
    • SOA record
    • NS record
    • A records
    Create a forward lookup zone by creating example.com.zone in the /var/named/chroot/var/named directory and typing in the following lines.

    $TTL 86400
    @ IN SOA example.com. root.example.com. (
    2001101100 ; serial number
    10800 ;refresh
    3600 ;retry query
    604800 ;expire
    0 ;negative TTL
    )
    ; Resource Records
    @ IN NS ns.example.com.
    ns IN A 192.168.1.3

    After creating the zone file, change its owner and group to named with the command "chown named:named example.com.zone".
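    Added example (Python, not code from the original post or from BIND): a small audit of the global options block described above. It assumes the named.conf syntax shown in this section (statements end with ";", address lists sit inside "{ }"), reports the access lists a defender cares about (who may query, who may pull a zone transfer), and flags a misspelt statement such as "forwards". The two sample configurations are constructed.

```python
"""Audit a named.conf 'options' block for the access lists described above (added example, not from the post or BIND)."""
import re
# List-valued statements BIND 9 accepts in 'options'; a misspelling such as 'forwards' is reported.
KNOWN_LISTS = {"forwarders", "allow-query", "allow-transfer", "allow-recursion", "listen-on", "also-notify"}
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
BLOCK_START = re.compile(r'([\w-]+)\s*(?:"([^"]+)"\s*)?\{')
LIST_STMT = re.compile(r'([\w-]+)\s*\{([^{}]*)\}\s*;')

def top_level_blocks(text):
    """Yield (keyword, quoted name or None, body) for each brace-balanced top-level block."""
    text = re.sub(r"(#|//).*", "", text)            # both comment styles named.conf allows
    pos = 0
    while (m := BLOCK_START.search(text, pos)):
        depth, end = 1, m.end()
        while depth and end < len(text):
            depth += {"{": 1, "}": -1}.get(text[end], 0)
            end += 1
        yield m.group(1), m.group(2), text[m.end():end - 1]
        pos = end

def addr_list(body):
    return [a.strip() for a in body.split(";") if a.strip()]

def audit_named_conf(text):
    """Return findings about who may query the server and who may copy its zones (zone transfer)."""
    acls, options, findings = {}, {}, []
    for kind, name, body in top_level_blocks(text):
        if kind == "acl":
            acls[name] = addr_list(body)
        elif kind == "options":
            for stmt, inner in LIST_STMT.findall(body):
                options[stmt] = addr_list(inner)
                if stmt not in KNOWN_LISTS:
                    findings.append(f"unknown statement '{stmt}' in options")
    for stmt in ("allow-query", "allow-transfer"):
        addrs = options.get(stmt)
        if addrs is None or "any" in addrs:
            findings.append(f"{stmt} {'not set' if addrs is None else 'any'}: no restriction in this file")
        for a in addrs or []:                       # every entry must be an address/prefix or a known acl
            if not re.fullmatch(r"[\d./]+", a) and a not in acls and a not in BUILTIN_ACLS:
                findings.append(f"{stmt}: '{a}' is not a defined acl")
    return findings

# Constructed sample in the shape the post shows, with the statement misspelt and no access lists.
WEAK = 'options { directory "/var/named"; forwards { 10.0.1.254; }; };'
# Constructed corrected form: a named acl for queries, transfers only to the slave's address.
HARDENED = """acl "lan" { 192.168.2.0/24; };
options { directory "/var/named"; forwarders { 10.0.1.254; };
          allow-query { lan; }; allow-transfer { 192.168.1.1; }; };"""
```

Running audit_named_conf(WEAK) lists the misspelt statement and both missing access lists; audit_named_conf(HARDENED) returns no findings.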
Zone file
  • Begins with $TTL (time to live) - determines the default length of time, in seconds, for which resolving servers cache the zone's data.
  • First resource record is zone's start of authority(SOA)
  • Zone data in additional resource records
  • Resource Records(RR)
    • [domain] [ttl] [class] type data
    • [domain] - the domain name, or the current domain if omitted
    • [ttl] - how long the record may be cached; if not given, the record uses the $TTL from the first line of the zone file.
    • [class] - record class (usually IN, meaning Internet)
    • type - record type (SOA, MX, A, etc.)
    • data - the data specific to the record type
  • SOA (Start of Authority) - every zone file must have one. Following is an example SOA record.
    @ IN SOA example.com. root.example.com. (
    2001101100 ; serial number
    10800 ;refresh
    3600 ;retry query
    604800 ;expire
    0 ;negative TTL
    )

    In the first line, example.com. is the domain name of the DNS server that manages this zone and root.example.com. is the administrator of this zone. The serial number is increased on every change, so the slave servers can tell whether the zone file has changed.

    In the second line, the number 10800 is the refresh interval in seconds: slave servers check every 10800 seconds (3 hours) whether the zone file has changed.

    In the third line, the number 3600 is the retry interval in seconds: slave servers retry connecting to the master server every 3600 seconds when a refresh has failed.

    In the fourth line, the expire time: a slave server deletes the zone file if it cannot refresh within 604800 seconds.

    In the fifth line, the negative TTL specifies how long the DNS server caches a not-found answer.
  • NS (Name Server) - designates the name servers to use for this domain
    There should be an NS record for each master or slave name server serving your zone. NS records point to any slave servers that should be consulted by the client's name server if the master fails.

    example.com. IN NS ns.example.com.
    example.com. IN NS ns1.example.com.
    @ IN NS ns2.example.com.

    That is: domain name, class (Internet), record type (Name Server), DNS server's domain name. @ represents the default domain name.

    If more than one NS record points to one domain, the first one is the master DNS server and the others are slave DNS servers.
  • A records map host name to IP address
    mail IN A 192.168.0.2
    ns.example.com. IN A 192.168.0.3
    Note: if the host name does not end with ".", the system treats it as a host inside the default domain and appends the default domain name to it. In this case the host's full domain name is "mail.example.com.".
  • CNAME records map address aliases
    www IN CNAME ns1
    dns IN CNAME ns.example.com.
    The first line means that when someone looks up www.example.com, the DNS server responds with the IP address of the host ns1.example.com. As with host names in A records, if the host name does not end with "." the system appends the default domain name to it.
  • PTR records map IP address to hostname
    3.0 IN PTR ns.example.com.
    Note: 3.0 does not end with ".", so it represents "3.0.168.192.in-addr.arpa."
  • MX records map mail servers for a domain
    example.com. IN MX 5 mail.example.com.
    example.com. IN MX 10 mail1.example.com.
    Note: the number is the priority; a lower number means higher priority
  • Round Robin Load Sharing Through DNS
    Load balancing can be achieved through the simple use of multiple A records:
    www 0 IN A 192.168.2.101
    www 0 IN A 192.168.2.102
    www 0 IN A 192.168.2.103
    As the TTL is set to 0, everyone who needs to reach host www must request the IP from the DNS server, and the DNS server responds with the IPs one after another in the order of the list, so www users are directed to different servers, implementing load balancing. However, DNS traffic increases, as a TTL of 0 means the record is never cached.
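    Added example (Python, not code from the original post or from BIND): a parser for the zone-file format described in this section and used by the forward and reverse zone files above. It handles the $TTL line, the multi-line SOA in parentheses, per-record TTLs such as the 0 in the round-robin records, the trailing-dot rule for owner and target names, and the records a forward or reverse zone must contain. The function names are mine and the sample zone text is constructed.

```python
"""Parse a BIND zone file as shown above ($TTL, a multi-line SOA, then resource records), expanding
names against the zone origin. Added example, not from the original post or from BIND."""
import re
def fqdn(name, origin):
    """Trailing-dot rule: '@' is the origin, 'mail' becomes 'mail.<origin>', 'ns.example.com.' is kept."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def reverse_origin(prefix):
    """'192.168.1' -> '1.168.192.in-addr.arpa.', the name a reverse zone for that network must have."""
    return ".".join(reversed(prefix.split("."))) + ".in-addr.arpa."

def parse_zone(text, origin):
    """Return (default_ttl, records); each record is a dict with owner, ttl, type and rdata."""
    text = re.sub(r";.*", "", text)                                   # drop ';' comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)  # fold ( ... ) onto one line
    default_ttl, last_owner, records = None, origin, []
    for line in filter(str.strip, text.splitlines()):
        tokens = line.split()
        if tokens[0] == "$TTL":                                       # default cache lifetime for the zone
            default_ttl = int(tokens[1])
            continue
        owner = last_owner if line[0].isspace() else fqdn(tokens.pop(0), origin)
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl  # per-record ttl overrides $TTL
        if tokens[0] == "IN":                                         # class is optional
            tokens.pop(0)
        rtype, rdata = tokens[0], tokens[1:]
        if rtype in ("NS", "CNAME", "PTR"):                           # targets obey the trailing-dot rule too
            rdata = [fqdn(rdata[0], origin)]
        elif rtype == "MX":                                           # preference, then mail host
            rdata = [int(rdata[0]), fqdn(rdata[1], origin)]
        elif rtype == "SOA":                                          # mname, rname, serial, refresh, retry, expire, negative ttl
            rdata = [fqdn(rdata[0], origin), fqdn(rdata[1], origin)] + [int(x) for x in rdata[2:]]
        records.append({"owner": owner, "ttl": ttl, "type": rtype, "rdata": rdata})
        last_owner = owner
    return default_ttl, records

def missing_required(records, reverse):
    """Reverse zones need SOA, NS and PTR records; forward zones need SOA, NS and A records."""
    return sorted({"SOA", "NS", "PTR" if reverse else "A"} - {r["type"] for r in records})

# Constructed sample in the shape of the post's 192.168.1.zone file.
REVERSE_ZONE = """$TTL 86400
@ IN SOA example.com. root.example.com. (
2001101100 ; serial number
10800 3600 604800 0 ; refresh, retry, expire, negative TTL
)
@ IN NS ns.example.com.
3 IN PTR ns.example.com.
"""
```

parse_zone(REVERSE_ZONE, reverse_origin("192.168.1")) yields the PTR record with owner 3.1.168.192.in-addr.arpa., and missing_required on the result is empty for a reverse zone but reports the missing A record if the same file is checked as a forward zone.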