Domain Name Service Deep Dive
The Domain Name Service (DNS) is an Internet service that converts domain names into their corresponding IP addresses. As you may recall, all computers connected to the Internet are addressed using an Internet Protocol (IP) address. The IP address may be implemented either in the newer IPv6 (Internet Protocol Version 6) format or in the older and more common IPv4 (Internet Protocol Version 4) format.
Domain Name Service Configuration
You configure a DNS server using a configuration file, several zone files, and a cache file.
The part of a network for which the name server is responsible is called a zone. A zone is not the same as a domain, because in a large domain you could have several zones, each with its own name server.
You could also have one name server service several zones. In this case, each zone has its own zone file.
The zone files hold resource records that provide host name and IP address associations for computers on the network for which the DNS server is responsible. Zone files exist for the server’s network and the local machine.
Zone entries are defined in the named.conf file. Here, you place zone entries for your master, slave, and forward DNS servers.
The most commonly used zone types are described here:
Master zone: this is the primary zone file for a network. It holds the mappings from domain names to IP addresses for all the hosts on the network.
Slave zone: these are references to other DNS servers for your network. Your network can have a master DNS server and several slave DNS servers to help carry the workload. A slave DNS server automatically copies its configuration files, including all zone files, from the master DNS server. Any change to the master configuration files triggers an automatic download of these files to the slave servers.
Forward zone: the forward zone lists name servers outside your network that should be queried if your network's name server fails to resolve an address.
DNS Servers
There are several kinds of DNS server, each designed to perform a different type of task under the Domain Name Service. The basic kind of DNS server is the master server.
Each network must have at least one master server that is responsible for resolving names on the network. Large networks may need several DNS servers.
Some of these can be slave servers that can be updated directly from a master server. Others may be alternative master servers that hosts in a network can use. Both are commonly referred to as secondary servers.
For DNS requests a DNS server cannot resolve, the request can be forwarded to specific DNS servers outside the network, say on the Internet.
DNS servers in a network can be set up to perform this task and are referred to as forwarder servers. Local DNS servers can also be set up within a network to operate as caching servers. Such a server merely collects the answers to DNS lookups it previously sent to the main DNS server.
Any repeated requests can then be answered by the caching server.
Resource Records
Your name server holds domain name information about the hosts on your network in resource records placed in zone and reverse mapping files. Resource records are used to associate IP addresses with fully qualified domain names. You need a record for every computer in the zone that the name server services.
A record takes up one line, though you can use parentheses to use several lines for a record, as is usually the case with SOA records.
A resource record uses the Standard Resource Record Format as shown here:
<name> [<ttl>] [<class>] <type> <rdata> [<comment>]
Here, name is the name for this record. It can be a host name or a fully qualified domain name. If you specify only the host name, the default domain is appended. If no name entry exists, the most recently specified name is used. If the @ symbol is used, the name server's domain name is used.
ttl (time to live) is an optional entry that specifies how long the record is to be cached. By default, it is the same as that specified for the domain in the named.conf file. class is the class of the record; the class used in most resource record entries is IN, for Internet. type is the type of the record, and rdata is the resource record data.
Zone Files
A DNS server uses several zone files covering different components of the DNS. Each zone uses two zone files: the principal zone file and a reverse mapping zone file.
The zone file contains the resource records for hosts in the zone. A reverse mapping file contains records that provide reverse mapping of your domain name entries, enabling you to map from IP addresses to domain names.
The name of the file used for the zone file can be any name. The name of the file is specified in the zone statement’s file entry in the named.conf file.
If your server supports several zones, you may want to use a name that denotes the specific zone. Most systems use the domain name as the name of the zone file.
For example, the zone whiletrue.com would have a zone file also called whiletrue.com. These could be placed in a subdirectory called zones or master. The zone file used in the following example is called whiletrue.com.
Zone Files for Internet Zones
A zone file holds resource records that follow a certain format. The file begins with general directives to define default domains or to include other resource record files.
These are followed by a single SOA record, the name server and domain resource records, and then the resource records for the individual hosts.
Comments begin with a semicolon and can be placed throughout the file. The @ symbol operates like a special macro, representing the domain name of the zone to which the records apply.
The @ symbol is used in the first field of a resource or SOA record as the zone's domain name. Multiple names can be specified using the * wildcard character.
The first field in a resource record is the name of the domain to which it applies. If the name is left blank, the most recent explicit name entry in a previous resource record is automatically used.
This way, you can list several entries that apply to the same host without having to repeat the host name. Any host or domain name used throughout this file that is not terminated with a period has the zone’s domain appended to it.
Localhost Reverse Mapping
A localhost reverse mapping file implements reverse mapping for the local loopback interface known as localhost, whose network address is 127.0.0.1. This file can have any name. On most systems, the localhost zone file is called named.local. The network part of the IP address is entered in reverse order, with IN-ADDR.ARPA appended to it: 0.0.127.IN-ADDR.ARPA.
The named.conf entry is shown here:
zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "named.local";
};
The name of the file used for the localhost reverse mapping file is usually named.local, though it can be any name. The NS record specifies the name server localhost should use. This file has a PTR record that maps the IP address to localhost. The 1 used as the name expands to append the zone domain, in this case giving you 1.0.0.127, a reverse IP address.
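The resource record format, the zone-file conventions (@, blank names, trailing dots, optional ttl and class, parenthesised SOA) and the localhost reverse mapping described above, worked through as an added example that is not part of the original page: a small parser applied to two constructed zone files. The host names turtle and www and the hostmaster address are invented; the 192.189.1.0 range and the zone names are the page's own.

```python
import re

RR_CLASSES = {"IN", "CH", "HS"}

def _fold(text):
    """Strip ';' comments, then fold '( ... )' records such as SOA onto one line."""
    text = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    folded = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), text)
    return folded.splitlines()

def _qualify(name, origin):
    """'@' means the zone origin; a name without a trailing dot gets it appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin, default_ttl=86400):
    """Return (name, ttl, class, type, rdata) for each record in the zone text."""
    origin = origin if origin.endswith(".") else origin + "."
    records, last_name = [], origin
    for line in _fold(text):
        if not line.strip() or line.startswith("$"):
            continue  # blank line or a $ directive such as $TTL
        fields = line.split()
        # A blank first field means "same name as the previous record".
        name = last_name if line[0].isspace() else _qualify(fields.pop(0), origin)
        ttl, rclass = default_ttl, "IN"  # both optional; IN is the usual class
        if fields[0].isdigit():
            ttl = int(fields.pop(0))
        if fields[0].upper() in RR_CLASSES:
            rclass = fields.pop(0).upper()
        rtype = fields.pop(0).upper()
        if rtype in {"NS", "PTR", "CNAME"}:  # rdata is a name: qualify it too
            fields = [_qualify(fields[0], origin)]
        records.append((name, ttl, rclass, rtype, " ".join(fields)))
        last_name = name
    return records

WHILETRUE_ZONE = """; constructed sample zone for whiletrue.com (host names invented)
@       IN SOA  turtle.whiletrue.com. hostmaster.whiletrue.com. (
                2024010101 3600 900 604800 86400 )  ; serial refresh retry expire min
        IN NS   turtle
turtle  IN A    192.189.1.2
www     3600 IN A 192.189.1.3
"""
NAMED_LOCAL = """; constructed named.local for the 0.0.127.IN-ADDR.ARPA zone above
@   IN SOA  localhost. root.localhost. ( 1 3600 900 604800 86400 )
    IN NS   localhost.
1   IN PTR  localhost.
"""
```

Parsing NAMED_LOCAL with the origin 0.0.127.IN-ADDR.ARPA turns the bare name 1 into 1.0.0.127.IN-ADDR.ARPA., which is the reverse address the text describes.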
Subdomains and Slaves
Adding a subdomain to a DNS server is a simple matter of creating an additional master entry in the named.conf file, and then placing name server and authority entries for that subdomain in your primary DNS server's zone file. The subdomain, in turn, has its own zone file with its SOA record and entries listing the hosts that are part of the subdomain, including any of its own mail and news servers.
The name of the subdomain could be a different name altogether or a name with the same suffix as the primary domain. In the following example, the subdomain is called beach.whiletrue.com. It could just as easily be called mybeach.com. In this example, the name server for that domain is on the host crab.beach.whiletrue.com. Its IP address is 192.189.1.33 and its zone file is beach.whiletrue.com.
The beach.whiletrue.com zone file holds DNS entries for all the hosts being serviced by this name server. The following example shows zone entries for its named.conf:
zone "beach.whiletrue.com" {
    type master;
    file "beach.whiletrue.com";
};
zone "1.189.192.IN-ADDR.ARPA" {
    type master;
    file "192.189.1";
};
IP Virtual Domains
IP-based virtual hosting allows more than one IP address to be used for a single machine. If a machine has two registered IP addresses, either one can be used to address the machine. If you want to treat the extra IP address as another host in your domain, you need only create an address record for it in your domain’s zone file. The domain name for the host would be the same as your domain name.
Cache File
The cache file is used to connect the DNS server to root servers on the Internet. The file can be any name. On many systems, the cache file is called named.ca. Other systems may call the cache file named.cache or roots.hints. The cache file is usually a standard file installed by your BIND software, which lists resource records for designated root servers for the Internet.
Access Control Lists
To control access by other hosts, you use access control lists, implemented with the acl statement. The allow and deny options, combined with access control host lists, enable you to allow or deny access to the name server by specified hosts. With allow-query you can restrict queries to specified hosts or networks.
Normally a denied query results in a response saying that access is denied. You can suppress even this response by using the blackhole option in the options statement.
The following example defines an acl list called mynet:
acl mynet { 192.189.1.1; 192.189.1.2; };
If you are specifying a range, such as a whole network, you can also add exceptions to the list by preceding such addresses with an !.
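Evaluating an address match list the way allow-query does, as an added example that is not part of the original page: the page's mynet acl, then a constructed allow-query list that admits the 192.189.1.0/24 range except one host. The evaluation is first-match, so the ! exception only takes effect when it appears before the range it carves out; the second constructed list shows the ineffective ordering.

```python
import ipaddress

def parse_acl(text, named=None):
    """Turn an address-match list such as '{ 192.189.1.0/24; !192.189.1.33; }'
    into ordered (negated, network) pairs. A bare word refers to an acl defined
    earlier (e.g. 'mynet'). Order matters: the first matching element wins."""
    named = named or {}
    elements = []
    for item in text.replace("{", " ").replace("}", " ").split(";"):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        target = item.lstrip("!").strip()
        if target in named:  # reference to a previously defined acl
            if negated:
                raise ValueError("negating a named acl is not handled here")
            elements.extend(named[target])
        else:
            elements.append((negated, ipaddress.ip_network(target, strict=False)))
    return elements

def acl_allows(acl, client_ip):
    """Evaluate a client address against the list: the first element that matches
    decides, a '!' element denies, and no match at all means not allowed."""
    addr = ipaddress.ip_address(client_ip)
    for negated, net in acl:
        if addr.version == net.version and addr in net:
            return not negated
    return False

# The page's acl statement:  acl mynet { 192.189.1.1; 192.189.1.2; };
NAMED_ACLS = {"mynet": parse_acl("{ 192.189.1.1; 192.189.1.2; }")}
# Constructed:  allow-query { !192.189.1.33; 192.189.1.0/24; mynet; };
ALLOW_QUERY = parse_acl("{ !192.189.1.33; 192.189.1.0/24; mynet; }", NAMED_ACLS)
# Constructed, wrong order: the range matches first, so the exception never fires.
BAD_ORDER = parse_acl("{ 192.189.1.0/24; !192.189.1.33; }")
```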
DNSSEC
DNSSEC provides encrypted authentication for DNS. With DNSSEC, you can create a signed zone that is securely identified with an encrypted signature.
This form of security is used primarily to secure the connections between master and slave DNS servers, so that a master server transfers update records only to authorized slave servers and does so over a secure encrypted communication.
Two servers that establish such a secure connection do so using a pair of public and private keys. In effect, you have parent zones that can securely authenticate child zones, using encrypted transmissions.
This involves creating zone keys for each child, and having those keys used by the parent zone to authenticate the child zones. You generate a zone key using the dnssec-keygen command.
Split DNS: Views
BIND 9.x allows you to divide DNS space into internal and external views. This organization into separate views is referred to as split DNS. Such a configuration is helpful to manage a local network that is connected to a larger network, such as the Internet.
To implement a split DNS space, you need to set up different DNS servers for the internal and external views. The internal DNS servers will hold DNS information about local hosts.
The external DNS server maintains connections to the Internet through a gateway and manages DNS information about any local hosts that allow external access, such as FTP servers or websites.
The gateways and Internet-accessible sites make up the external view of hosts on the network. The internal servers handle all queries to the local hosts or subdomains.