
A Linux User Reference

NETWORK APPLICATIONS

DNS

  • Domain Name System

    Berkeley Internet Name Domain (BIND)

    • Domain Name System: a distributed database of name to IP address (and IP address to name) translations
    • a networked client/server architecture; BIND is ISC's reference implementation of the server ('named') and its control tools.

    Two primary components:

    named

    The server daemon; answers queries from resolvers (and from other name servers) and returns the matching resource records, typically an IP address.

    resolver

    Client stub, code implemented in system libraries that resolves names to IP addresses.

    Reserved ports - /etc/services

    .....
    domain         53/tcp
    domain         53/udp
    mdns         5353/tcp
    mdns         5353/udp          Multicast domain name service
    rndc          953              Default rndc port
    .....
    

    The latest ISC version appears to be 9.9 at the time of writing, so some of this material could be a bit dated. ISC publishes the full BIND 9.9 Administrator Reference Manual.

    Convert a bind4 configuration file to bind8 - /usr/sbin/named-bootconf

    # /usr/sbin/named-bootconf named.boot named.conf
    

    The location of main server configuration file varies depending on the version and distribution:

    • /etc/named.conf, /etc/named/named.conf, /etc/bind/named.conf, ../named.conf.local.
    • Zone names in named.conf are written without a trailing '.' by convention

    Debian uses a modular approach: /etc/bind/named.conf only 'include's separate customisable files (named.conf.options, named.conf.local, ...) that hold the sections which would otherwise sit in a single named.conf.

    Minimum required files to run 'named':

    File                                    Description
    named.boot (V4), named.conf (V8, V9)    Named/BIND configuration file
    named.ca or root.hints or db.root       Root server hints file
    named.local or db.local or db.127       Loopback reverse zone data file
    /etc/resolv.conf                        Tells the system which name server to use
  • Main server types

    Authoritative server

    • allows others to find the IP address of a given domain name
    • it knows the IP <=> domain name mapping for that domain i.e. it owns, has the zone files for the domain
    • e.g. web hosting companies or specialist DNS hosting companies (dyn.com)

    Recursive server

    • allows you to resolve other people's domain names
    • it provides the information to a client that allows it to resolve a domain name into an IP address
    • it does the searching for you by asking the 'root' servers who is responsible for a particular domain, then asking those authoritative servers for the IP address of the domain in question
    • it gets its knowledge about a domain from the domain's authoritative server(s) and caches what it learns
    • e.g. ISP domain servers, specialist DNS hosting companies

    Non-authoritative server

    • a caching server
    • it does not own the zone files for the domain queried
    • every answer it returns for a zone it does not own is non-authoritative, whether it was just fetched from an authoritative server or came from its cache; only a server that holds the zone sets the AA (authoritative answer) flag in its replies
  • Caching-only name server

    Caching-only name server example

    • serves resolution requests from its cache if it has the answer, in which case the client gets a non-authoritative answer
    • requests the information from other servers if the answer is not in its cache, caching the result for the record's TTL
    • the only zones it answers for authoritatively are the ones it holds itself, typically just the loopback reverse zone shown below

    A Non-authoritative answer

    $ nslookup
    > lpi.org
    Server:     192.168.0.1
    Address:    192.168.0.1#53
    
    Non-authoritative answer:
    Name:   lpi.org
    Address: 24.215.7.162
    
    Configure named

    Configure zones and options - /etc/named.conf or /etc/bind/named.conf

    options {
     directory "/var/cache/bind";      // Working directory
     pid-file "named.pid";             // Put pid file in working directory
    };
    
    zone "." {
     type hint;                        // Root server hints
     file "/etc/bind/db.root";         // Location of zone file on disk
    };
    
    zone "0.0.127.in-addr.arpa" {       // Reverse mapping zone file for the loopback
     type master;                      // This server is the master server for this zone
     file "/etc/bind/db.127";          
    }; 
    
    Create the zone files

    local reverse lookup file - 0.0.127.in-addr.arpa (db.127)

    $TTL 604800
    
    ; describes the zone, where it comes from and the 'email addr.' (admin@my-home.com) of who is responsible for it
    ; note: ';' starts a comment in a zone file, '#' does not
    @ IN SOA my-home.com.   admin.my-home.com. (
                        1  ; Serial
                   604800  ; Refresh
                    86400  ; Retry
                  2419200  ; Expire
                  604800 ) ; Negative Cache TTL
    ;
     IN  NS   dnssrv.my-home.
    1 IN  PTR  localhost.
    
    Check version of root.hints (named.ca, db.root)

    A few sample lines of a root.hints file

    ;       This file holds the information on root name servers needed to
    ;       initialize cache of Internet domain name servers
    .....
    ;       last update:    Feb 04, 2008
    ;       related version of root zone:   2008020400
    ;
    ; formerly NS.INTERNIC.NET
    ;
    .                        3600000  IN  NS    A.ROOT-SERVERS.NET.
    a.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
    a.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
    .....
    

    The '.' on the left hand side is the root zone. '2008020400' is the version (serial) number of the root zone the file was built from.

    When named cannot find an answer in its cache it asks one of the nameservers listed in the 'root.hints' file to provide 'directions' (a referral) towards resolving the request.

    Check if 'root.hints' file's SOA version number has changed

    $ dig @a.root-servers.net . SOA | grep SOA
    ; <<>> DiG 9.8.1-P1 <<>> @a.root-servers.net . SOA
    ;.               IN  SOA
    .            86400   IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2013120400 1800 900 604800 86400
    

    If your version differs from the root-servers version then you should update (download the root-servers version). The current file is also published over HTTPS at https://www.internic.net/domain/named.root, which is preferable to anonymous FTP because the download cannot be tampered with in transit.

    Update the named.ca, root.hints or db.root file

    # wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache \
    -O /var/named/root.hints
                                                                           (or)
    # dig @a.root-servers.net . ns > roothints
    
    Configure system to use it's own cache first

    /etc/resolv.conf

    search my-home.com               # domain appended to lookups of short
                                    # hostnames i.e. dnssrv -> dnssrv.my-home.com
    nameserver 127.0.0.1             # this host (the caching-only server);
                                    # 0.0.0.0 also works on Linux and means the same
    

    Only one search statement, which can contain a space separated list of domains (a later search line replaces an earlier one). A maximum of 3 nameserver entries are used; any further ones are ignored.

    Restart named

    The usual suspects

    $ sudo /etc/init.d/bind9 restart
                                    (or maybe)
    $ sudo service bind9 restart     (maybe bind9 or bind or named or ...)
                                    (or)
    $ sudo kill -HUP <pid of named>  (SIGHUP makes named re-read its configuration
                                     and zones; it does not restart the process)
    
    Test the configuration

    Do a reverse lookup on the loopback address

    $ dig -x 127.0.0.1
    .....
    ;; QUESTION SECTION:
    ;1.0.0.127.in-addr.arpa.                IN      PTR
    
    ;; ANSWER SECTION:
    1.0.0.127.in-addr.arpa. 259200  IN      PTR     localhost.
    
    ;; AUTHORITY SECTION:
    0.0.127.in-addr.arpa.   259200  IN      NS      dnssrv.my-home.
    .....
    

    Our nameserver gives an authoritative reply (the 'aa' flag in the header) for its own reverse lookup loopback zone - which you would expect, since it is the master for that zone.
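To make the authoritative / non-authoritative distinction concrete, here is an added example in Python (not code from the original page) that parses dig's text output, as seen in the test above, and classifies the answer by its header flags. It also reports the 'ra' flag: a response carrying 'ra' to a host outside your allow-recursion ACL means you are running an open resolver. The three sample outputs are constructed from this page's loopback and lpi.org lookups; the query ids, the TTL of the lpi.org record and the REFUSED case are made up.

```python
"""Classify a dig answer by its header flags.

Added example, not from the original page.  parse_dig() reads dig's text
output (header line, ';; flags:' line and the record sections); classify()
reports whether the reply was authoritative, served from cache/recursion or
refused.  The sample outputs below are constructed from this page's
'dig -x 127.0.0.1' and lpi.org lookups; ids and TTLs are made up.
"""
import re


def parse_dig(text):
    """Return {'status', 'flags', 'sections'} for one dig response."""
    result = {"status": None, "flags": set(), "sections": {}}
    section = None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            result["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            # ';; flags: qr aa rd ra; QUERY: 1, ...' -> {'qr', 'aa', 'rd', 'ra'}
            result["flags"] = set(line.split(":", 1)[1].split(";", 1)[0].split())
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line.split()[1]
            result["sections"][section] = []
        elif section and line and not line.startswith(";"):
            # owner  ttl  class  type  rdata   (rdata may itself contain spaces)
            name, ttl, rclass, rtype, rdata = line.split(None, 4)
            result["sections"][section].append((name, int(ttl), rclass, rtype, rdata))
    return result


def classify(text):
    """Where did this answer come from, in the terms used on this page?"""
    r = parse_dig(text)
    if r["status"] == "REFUSED":
        return "refused: client outside allow-query / allow-recursion"
    if r["status"] != "NOERROR":
        return r["status"].lower()
    if "aa" in r["flags"]:
        return "authoritative"          # only a server holding the zone sets 'aa'
    return "non-authoritative: answered from cache or by recursion"


def recursion_available(text):
    """True if the server set 'ra', i.e. it is willing to recurse for the sender.
    Seen from a host outside your allow-recursion ACL this means an open resolver."""
    return "ra" in parse_dig(text)["flags"]


# --- constructed sample outputs -------------------------------------------
AUTHORITATIVE = """\
; <<>> DiG 9.8.1-P1 <<>> -x 127.0.0.1
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1.0.0.127.in-addr.arpa.        IN      PTR

;; ANSWER SECTION:
1.0.0.127.in-addr.arpa. 259200  IN      PTR     localhost.

;; AUTHORITY SECTION:
0.0.127.in-addr.arpa.   259200  IN      NS      dnssrv.my-home.
"""

CACHED = """\
; <<>> DiG 9.8.1-P1 <<>> @192.168.0.1 lpi.org
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;lpi.org.                       IN      A

;; ANSWER SECTION:
lpi.org.                3600    IN      A       24.215.7.162
"""

REFUSED = """\
; <<>> DiG 9.8.1-P1 <<>> @192.168.0.2 lpi.org
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4244
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;lpi.org.                       IN      A
"""

if __name__ == "__main__":
    for label, out in (("loopback zone", AUTHORITATIVE), ("lpi.org via cache", CACHED),
                       ("outside the ACL", REFUSED)):
        print(f"{label:18} {classify(out):60} ra={recursion_available(out)}")
```

Feed it real output with `dig @server name | python3 digflags.py` style plumbing, or from another host on an untrusted network, to confirm that the allow-recursion ACL in named.conf actually produces REFUSED rather than a recursed answer.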

  • Named syntax checker
    named-checkconf

    Checks the syntax of named.conf; with -z it also test-loads the zone files

    named-checkconf [-v] [-j] [-t directory] [-z] [filename]
    
    Options:
     -t directory       Chroot to directory
     -v                 Print the version
     -z                 Perform a test load of all master zones found in named.conf.
     -j                 When loading a zonefile read the journal if it exists.
     filename           Configuration file to be checked. Defaults to 
                        /etc/bind/named.conf.
    

    Options may have changed between versions; check the man page.

    Test load all configured master zone files

    # named-checkconf -z
    zone 0.0.127.in-addr.arpa/IN: loaded serial 1
    zone 0.168.192.in-addr.arpa/IN: loaded serial 1
    zone my-home.com/IN: loaded serial 2
    
    BIND9

    Check configuration file

    # named-checkconf
    

    No news is good news .. if there are no problems there is no output (and the exit status is 0).

    Check zone file

    # named-checkzone <domain> <zone-file>
    

    Outputs info and OK if OK.

    Check reverse-zone file

    # named-checkzone 0.168.192.in-addr.arpa /etc/bind/zones/master/db.192.168.0
    zone 0.168.192.in-addr.arpa/IN: loaded serial 2
    OK
    

    Source: LinuxConfig.org

  • Stopping and starting BIND8,9
    ndc, named, bind9

    Depends on the version and your distribution's implementation.

    BIND 8

    # /usr/sbin/ndc [start | stop | ... ]
                                                  (or)
    # /etc/init.d/ndc [start | stop | restart | status | probe | checkconfig | .... ]
    

    '/etc/named.conf' bind 8 has NO controls { ... } or key { ... } sections

    BIND 9

    # /usr/sbin/named                             (Start)
                                                  (or)
    # /etc/init.d/named [start | stop | restart | status | probe | checkconfig | .... ]
                                                  (or)
    # /etc/init.d/bind9 [start | stop | restart | status | probe | checkconfig | .... ]
    

    BIND 9 has replaced 'ndc' with 'rndc'. 'rndc' cannot start named.

    There are also the usual linux/unix ways of stopping programs .. 'kill', 'killall' ..

  • BIND8 control program
    /usr/sbin/ndc

    BIND8 named control utility.

    ndc directive [...]
    
    Directives:
     status
     dumpdb                  Dump db and cache to /var/tmp/named_dump.db
                             (uses the INT signal)
     reload
     stats
     trace                   Increment trace level by 1 to /var/tmp/named.run
     notrace                 Set trace level to 0, closes /var/tmp/named.run
     querylog | qrylog       Toggle querylogging feature on/off
     start | stop
     restart
    

    Reloading modified zone files

    # killall -HUP named
                                 (or)
    # kill -HUP <PID of named>
                                 (or)
    # ndc reload
    
  • BIND9 (remote) control utility
    /usr/sbin/rndc

    BIND9 (remote) named control utility

    rndc [-c config] [-s server] 
         [-p port] [-k key-file ] 
         [-y key] [-V] command
    
    Commands:
     reload                                      Reload configuration file and zones.
     reload zone [class [view]]                  Reload a single zone.
     refresh zone [class [view]]                 Schedule immediate maintenance for a zone.
     retransfer zone [class [view]]              Retransfer a single zone without checking serial number.
     freeze                                      Suspend updates to all dynamic zones.
     freeze zone [class [view]]                  Suspend updates to a dynamic zone.
     thaw                                        Enable updates to all dynamic zones and reload them.
     thaw zone [class [view]]                    Enable updates to a frozen dynamic zone and reload it.
     notify zone [class [view]]                  Resend NOTIFY messages for the zone.
     reconfig                                    Reload configuration file and NEW zones only.
     stats
     querylog
     dumpdb [-all|-cache|-zones] [view ...]      Dump cache(s) to the dump file (named_dump.db).
     stop                                        Save pending updates to master files and stop the server.
     stop -p                                     As stop and report process id.
     halt                                        Stop the server without saving pending updates.
     halt -p                                     As halt and report process id.
     trace
     trace level                                 Change the debugging level.
     notrace
     flush                                       Flushes all of the server's caches.
     flush [view]                                Flushes the server's cache for a view.
     flushname name [view]                       Flush the given name from the server's cache(s)
     status
     recursing                                   Dump the queries that are currently recursing (named.recursing)
     validation newstate [view]                  Enable / disable DNSSEC validation.
    

    There is no 'start' cmd for 'rndc'. Restart is not yet implemented (time of writing).

    Various ways to reload modified zone files

    # /etc/init.d/bind9 [stop | start | reload | restart | force-reload]
    # rndc reload
    # rndc reload my-home.com
    # rndc reconfig
    # killall -HUP named
    # kill -HUP <PID of named>
    
  • Generate a BIND9 rndc configuration file
    rndc-confgen
    • Generates configuration files for rndc
    • An alternative to writing the rndc.conf file and the corresponding controls and key statements in named.conf.
    • Can be run with the '-a' option to set up a rndc.key file and avoid the need for a rndc.conf file and a controls statement altogether.
    rndc-confgen [options]
    
    Options:
     -a                      Generate just the key clause and write it to keyfile 
                             (/etc/bind/rndc.key).  NO need for control and key 
                             statements in /etc/named.conf
     -b bits                 From 1 through 512, default 128; total length of the secret
     -c keyfile              Specify an alternate key file (requires -a)
     -k keyname              The name as it will be used  in named.conf and rndc.conf
     -p port                 The port named will listen on and rndc will connect to
     -r randomfile           A file containing random data
     -s addr                 The address to which rndc should connect
     -t chrootdir            Write a keyfile in chrootdir as well (requires -a)
     -u user                 Set the keyfile owner to "user" (requires -a)
    

    Running 'rndc-confgen -a' allows BIND 9 and rndc to be used as drop-in replacements for BIND 8 and ndc, with no changes to the existing BIND 8 named.conf file.

    Generate the rndc.conf file

    # rndc-confgen > /etc/bind/rndc.conf
    

    Generate the /etc/bind/rndc.key file

    # rndc-confgen -a -k dnsadmin -b 256
    

    Replaces the default key name with 'dnsadmin'.

    'named' and 'rndc' will automatically read the key from /etc/bind/rndc.key on startup - if it exists. If it does exist there is no need to include 'controls' and 'key' clauses in named.conf; without a controls statement named listens for rndc on the loopback address only.

  • BIND9 'rndc' configuration file
    rndc.conf
    • rndc.conf is the configuration file for the 'rndc' command - BIND 9 name server control program
    • it allows for remote control of a named server
    • to use 'rndc' from other machines their system clocks need to be within '5 minutes' of each other (each command is TSIG-signed with a timestamp)
    • the sample below uses hmac-md5 because older documentation does; current BIND versions generate hmac-sha256 keys by default (rndc-confgen -A hmac-sha256 on newer versions), so prefer 'algorithm hmac-sha256;' with a 256-bit secret for new setups

    Sample /etc/bind/rndc.conf

    key "rndc-key" {
     algorithm hmac-md5;
     secret "af5nfFqVDcaYnHKN+xnFuQ==";
    };
    
    options {
     default-key "rndc-key";
     default-server 127.0.0.1;
     default-port 953;
    };
    

    To accept 'rndc' connections and recognise the key specified in the 'rndc.conf' file, the name server must be configured with the controls statement in the 'named.conf' file.

    Configure 'named' to accept rndc connections - /etc/bind/named.conf

    .....
    controls {
       inet 127.0.0.1 port 953
       allow { 127.0.0.1; } keys { "rndc-key"; };
    };
    
    // This must match the key statement in /etc/rndc.conf
    key "rndc-key" {
       algorithm hmac-md5;
       secret "af5nfFqVDcaYnHKN+xnFuQ==";
    };
    .....
    
  • Client configuration
    • Client configuration is centred upon the resolver.
    • The resolver is configured via /etc/resolv.conf.
    • The method to use for name resolution is configured via either /etc/host.conf (old libc) or /etc/nsswitch.conf (glibc 2), with /etc/hosts supplying static entries.

    Resolution method   Description
    Files               /etc/hosts, a static local file with name-to-address mappings for a few systems
    NIS                 Network Information Service (NIS or NIS+), used on some private networks
    DNS                 Distributed db, small portions of which are managed by local authorities

    Lookup method (pre glibc 2) - /etc/host.conf

    order hosts,bind             # Lookup method and order i.e. try /etc/hosts
                                 # first, if no joy use dns.
    multi on                     # Returns all valid addresses for a host 
                                 # instead of stopping after the first.
    

    Lookup method (glibc 2 and later) - /etc/nsswitch.conf

    .....
    hosts:      files dns        # Search local files first then use DNS
    .....
    

    These days it is more than likely to be '/etc/nsswitch.conf', with '/etc/hosts' being used for local name resolution. The order matters: whoever can write to /etc/hosts overrides DNS for every program on the machine, so keep it root-owned and not group/world writable.

  • Debian, Ubuntu caching-only named server

    The main BIND9 configuration files are:

    /etc/bind/named.conf
    /etc/bind/named.conf.options
    /etc/bind/named.conf.local
    
    • The default configuration is a caching server that recurses from the root hints itself.
    • Optionally add the IP numbers of your ISP's DNS servers as forwarders.
    • Restrict who may use it (allow-query / allow-recursion, as in the remote-control example below) so it does not become an open resolver.

    Configure your ISP's named servers forwarders - /etc/bind/named.conf.options

    ....
        forwarders {
             1.2.3.4;             # ISP's nameserver1 IP
             5.6.7.8;             # ISP's nameserver2 IP
        };
    .....
    

    Restart named, bind9 ...

    Test

    $ dig -x 127.0.0.1
    
  • Remotely controlled caching and authoritative nameserver

    A basic, small example.

    • the server will be the authoritative server for my home's internal lan
    • it will be a caching server for everything else
    • can use bind9's 'rndc' to remotely control the 'named'

    Actions required are:

    • use the same configuration as the caching only server above
    • add to it the 'rndc' configuration from above
    • add to it a forward and a reverse zone file for my home's internal lan

    Assumptions:

    • /etc/rndc.conf exists and is the same as that used in the above "BIND 9 'rndc' configuration file - rndc.conf" article.
    • The reverse zone/map for the loopback is the same as that used for the caching-only example

    Add 'rndc' and additional zones to /etc/bind/named.conf

    acl "my-home" { 192.168.0.0/24; };   
    
    options {
      directory "/var/cache/bind";                       // Working directory
      pid-file "named.pid";                              // Put pid file in working directory
      listen-on { 192.168.0.2; };
      allow-query { "my-home"; localhost; };             // Allow queries from my-home.com
      allow-recursion { "my-home"; localhost; };
    };
    
    controls {                                           
      inet 127.0.0.1 port 953                            // Allow rndc use via loopback using
        allow { 127.0.0.1; } keys { "rndc-key"; };       // the "rndc-key".
      inet * allow { "my-home"; } keys { "rndc-key"; };  // Use acl for address-matching.  Allow
                                                         // any IP on internal lan to access via
                                                         // any server address (default port 953)
                                                         // using the "rndc-key" key.  Anyone who
                                                         // holds the key can stop or reconfigure
                                                         // named, so only expose this listener on
                                                         // a trusted lan and firewall port 953
    };
    
    key "rndc-key" {                                     // This must match the key statement 
       algorithm hmac-md5;                               // in /etc/rndc.conf (prefer hmac-sha256)
       secret "af5nfFqVDcaYnHKN+xnFuQ==";                // Should be in a file readable only by root
    };                                                   // and named's user, 'included' into this one
    
    zone "." {
      type hint;                                         // Root server hints
      file "/etc/bind/db.root";
    };
    
    zone "0.0.127.in-addr.arpa" {                        // Reverse mapping for the loopback address
      type master;
      file "/etc/bind/db.127";
      notify no;
    };
    
    zone "0.168.192.in-addr.arpa" {                      // Reverse mapping for my-home address
      type master;                                       // slave | forward | stub | hint | delegation-only
      file "/etc/bind/db.0.168.192";                     // Stub -  like slaves but only maintain a copy of NS RRs
      notify no;
    };
    
    zone "my-home.com" {                                 // Forward mapping for my-home.com names
      type master;
      file "/etc/bind/db.my-home.com";
      notify no;
    };
    

    Create the forward zone file for "my-home" lan - /etc/bind/db.my-home.com

    $TTL 604800
    @     IN SOA       dnssrv.my-home.com. admin.my-home.com. (
                             2  ; Serial
                        604800  ; Refresh
                         86400  ; Retry
                       2419200  ; Expire
                       604800 ) ; Negative Cache TTL
    ;
                     NS   dnssrv.my-home.com.
    dnssrv            A   192.168.0.2
    wireless-router   A   192.168.0.1 
    kali-laptop       A   192.168.0.3
    

    Create the reverse zone file for the 'my-home' lan - /etc/bind/db.0.168.192 (the file named in the zone statement above)

    $TTL 604800
    @ IN SOA dnssrv.my-home.com.   admin.my-home.com. (
                            1  ; Serial
                       604800  ; Refresh
                        86400  ; Retry
                      2419200  ; Expire
                      604800 ) ; Negative Cache TTL
    ;
      IN  NS   dnssrv.my-home.com.
    2 IN  PTR  dnssrv.my-home.com.          ; PTR targets are written as FQDNs with the trailing dot,
    1 IN  PTR  wireless-router.my-home.com. ; otherwise the origin (0.168.192.in-addr.arpa.) is appended
    3 IN  PTR  kali-laptop.my-home.com.
    
  • Configure logging
    named.conf
    • Logging is configured in named.conf via the logging{ ... } stanza.
    • Within the logging stanza are at least two further stanzas - channel and category.

    Example - /etc/bind/named.conf

    .....  
    logging{
      channel simple_log {
        file "/var/log/named/bind.log" versions 3 size 5m;
        severity warning;
        print-time yes;
        print-severity yes;
        print-category yes;
      };
      category default{
        simple_log;
      };
    };
    .....
    

    Logging channel options and categories

    Check documentation re. rsyslogd if you want to use that as a channel.

    A channel defines:

    • which file to use as a log
    • some house-keeping options
    • general options on what to actually log
    channel

    Use own or predefined names such as "default_syslog" "default_debug" "default_stderr" "null"

    • versions                 Number of log versions to keep. Appends .0, .1, ... to the log file name
    • size <n>[k|K|m|M|g|G]    Maximum size of the log file

    If size is given but NO versions, logging stops once the size is reached until the file is truncated. If versions is given but NO size, log files are rolled only when BIND is restarted. If both size AND versions are given, log files are rolled when the size limit is reached.

    syslog

    Use syslogd logging features - file, syslog, stderr and null are mutually exclusive for a channel

    severity

    Logging level

    category

    Controls what categories are logged to the various channel_names

    A category defines the finer details of what to include in the log.

    Category name     Description
    client            Processing of client requests
    config            Configuration file parsing and processing
    database          Messages relating to the databases used internally by the name server to store zone and cache data
    default           Logs all categories not explicitly defined in category statements, except queries
    delegation-only   Logs queries that have returned NXDOMAIN because of a delegation-only zone or option
    dispatch          Dispatching of incoming packets to the server modules
    dnssec            DNSSEC and TSIG protocol processing
    general           Anything that is not classified as any other item in this list defaults to this category
    lame-servers      Mis-configuration in the delegation of domains. Switch off with: category lame-servers { null; };
    network           Logs all network operations
    notify            Logs all NOTIFY operations
    queries           Logs all query transactions
    resolver          Name resolution performed on behalf of clients by a caching name server
    security          Approval and denial of requests
    update            Logging of all dynamic update (DDNS) transactions
    update-security   Approval and denial of update requests used with DDNS
    xfer-in           Details of zone transfers the server is receiving
    xfer-out          Details of zone transfers the server is sending
  • Zone files

    Forward and Reverse zone files are used to resolve domains to IP addresses and IP addresses to Domain names.

    Zone files contain resource records (RRs). A RR describes the resource it refers to.

    Common resource records (RRs) include:

    RR       Description
    SOA      Start Of Authority, parameters affecting an entire zone, each zone file starts with one of these
    NS       Name Server, the domain's name server(s), usually primary and secondary, can be more
    A        Address, domain name/hostname to IPv4 address mapping (AAAA for IPv6)
    PTR      Reverse name PoinTeR, IP address to domain name mapping
    MX       Mail eXchange, tells mail systems where to send mail addressed to someone@domain.name
    CNAME    Canonical Name, a way to give a single machine several names (aliases). A CNAME must be the only record at its name and should point at a name that has an A RR, e.g. dnssrv A 192.168.0.2 → ubusrv CNAME dnssrv
    TXT      Text, stores arbitrary values

    Location of zone files

    Achieved via use of the file keyword in 'named.conf'

    zone "a.domain.com" {
         file "/path/to/db.adomain.com";
    };
    

    Forward Zone file example - db.my-home.com

    $TTL 604800
    @     IN SOA       dnssrv.my-home.com. admin.my-home.com. (
                             2  ; Serial
                        604800  ; Refresh
                         86400  ; Retry
                       2419200  ; Expire
                       604800 ) ; Negative Cache TTL
    ;
                     NS   dnssrv.my-home.com.
    dnssrv            A   192.168.0.2
    wireless-router   A   192.168.0.1
    

    Reverse Zone file example - 0.0.127.in-addr.arpa

    $TTL 604800
    @ IN SOA my-home.com.   admin.my-home.com. (
             1  ; Serial
        604800  ; Refresh
         86400  ; Retry
       2419200  ; Expire
       604800 ) ; Negative Cache TTL
    ;
      IN NS dnssrv.my-home.
    1 IN PTR localhost.
    
    • A TTL of 86400 secs. (24 hours) could have been written as '$TTL 24h' or '$TTL 1d'
    • All domain names in a zone file must end with a 'dot'
    Based on the above two example zone files:

    @ is a special notation meaning the origin.

    @   IN SOA my-home.com. admin.my-home.com.
    0.0.127.in-addr.arpa.  IN SOA my-home.com. admin.my-home.com.
    

    The two lines have the same meaning: in the reverse zone example @ refers to 0.0.127.in-addr.arpa. (the origin is the zone name from the zone statement in named.conf, unless a $ORIGIN directive changes it).

    An owner name set on a previous line carries over to following lines that start with whitespace, so the last two lines in the example below have the same meaning.

    @   IN SOA my-home.com. admin.my-home.com.
    .....
        IN NS dnssrv.my-home.
    @   IN NS dnssrv.my-home.
    

    Here @ is superfluous since it appears previously. All three entries below have the same meaning.

        IN NS dnssrv.my-home.
    @   IN NS dnssrv.my-home.
    0.0.127.in-addr.arpa. IN NS dnssrv.my-home.
    

    If a machine name does not end in a period in a zone file the origin is added to its end e.g. dnssrv.my-home.com will become dnssrv.my-home.com.my-home.com.

    MX      10 mail.my-home.com.    ; Primary Mail Exchanger
    MX      10 mail                 ; Primary Mail Exchanger
    

    Either entry is correct.

    SOA record

    • dnssrv.my-home.com must be an actual machine with an A record.
    • It is not legal for the machine named in the SOA record to be a CNAME.
    • The zone maintainer field should be a valid email address with the '@' replaced by a '.', e.g. admin.my-home.com. => admin@my-home.com.
  • Zone delegation

    Is done with NS resource records at any node.

    A zone delegation example

    $ORIGIN 168.192.in-addr.arpa.
    10              NS      dns1.mydomain.com.
                    NS      dns2.mydomain.com.
    

    The owner of the 168.192.in-addr.arpa zone delegates control of 10.168.192.in-addr.arpa to the listed nameservers.

  • Subdomains
    (a) Inside a zone

    Put a subdomain inside a normal zone file. The subdomain will not have its own SOA and NS records. Not recommended as it is harder to maintain (zone signing).

    (b) As a delegated zone

    Configure the subdomain as an independent zone (own SOA and NS records) and delegate that domain from the parent domain. A zone will only be authoritative if the parent zone has delegated its authority to the zone.

    The master nameserver for the 'parent' domain has an entry something like below.

    In named.conf

    .....
    zone "example.com" in {
     type master;
     file "master/.example.com";
    };
    .....
    

    Subdomain zone file - example.com

    $TTL 1d
    @  1h  IN  SOA  ns1.example.net. hostmaster.example.com. (
             2004074891     ; Serial
             8h             ; Refresh
             1h             ; Retry
             4w             ; Expire
             1h )           ; Negative
          IN  NS  ns1.example.net.
          IN  NS  ns2.example.net.
    
    ; zone data
          IN  MX  10  mailhost.example.net.
    www    IN  A   251.3.91.6
    
    ; A delegated subdomain
    subdom IN  NS  ns1.subdom.example.com.
          IN  NS  ns2.somewhere.com.
    

    The owner of 'example.com' has delegated control of its sub-domain 'subdom.example.com' to the 'ns1.subdom.example.com' and 'ns2.somewhere.com' nameservers.

    A problem with the above (as it stands) is that NS records point to names, not IPs. So to resolve www.subdom.example.com I must first resolve ns1.subdom.example.com, but that name lives inside the very zone being delegated, so I would have to ask ns1.subdom.example.com for its own address!!

    The solution is to use a glue record - an A record for the sub-domain's nameserver placed in the parent zone.

    Example of a glue record - example.com

    .....
    ; zone data
          IN  MX  10  mailhost.example.net.
    www    IN  A   251.3.91.6
    
    ; A delegated subdomain
    subdom      IN  NS  ns1.subdom           ; Needs some glue
               IN  NS  ns2.somewhere.com.   ; Doesn't need a glue as it is NOT 
                                            ; a subdomain of example.com
    
    ns1.subdom  IN  A   192.0.2.4            ; The glue record
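Putting the rules of the two sections above (zone-file notation, and delegation with glue) into code: the following is an added example in Python, not part of the original page, that parses the zone-file syntax shown here and flags the mistakes discussed: a missing trailing dot (origin appended twice), a CNAME sharing a name with other records, a delegated in-zone nameserver without a glue A record, and an SOA MNAME that is a CNAME. The two sample zones are constructed from the example.com/subdom example; TTLs and classes are skipped rather than validated, and rdata other than the name fields is not checked.

```python
"""Zone-file sanity checker.

Added example, not code from the original page.  A minimal parser for the
zone-file syntax used above ($TTL/$ORIGIN, '@', owner names inherited from
the previous line, a parenthesised multi-line SOA, ';' comments) and the
checks this page argues for: a relative name that got the origin appended
twice (missing trailing dot), a CNAME sharing its owner with other records,
an in-zone NS target without an A/AAAA record (missing glue) and an SOA
MNAME that is a CNAME.  Both sample zones are constructed from the
example.com / subdom example.
"""
import re

CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"\d+[smhdw]?", re.I)
NAME_FIELD = {"NS": 0, "CNAME": 0, "PTR": 0, "MX": 1, "SOA": 0}   # rdata index holding a name


def _logical_lines(text):
    """Drop ';' comments and join a record spread over several lines inside ( )."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and not buf:
            continue
        buf = buf + " " + line.strip() if buf else line   # 1st line keeps its indent
        if buf.count("(") <= buf.count(")"):
            out.append(buf.replace("(", " ").replace(")", " "))
            buf = ""
    return out


def fqdn(name, origin):
    """Append the origin to a name without a trailing dot, exactly as named does."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return ([(owner, type, rdata-tokens), ...], origin) for the zone text."""
    origin = origin if origin.endswith(".") else origin + "."
    records, owner = [], origin
    for line in _logical_lines(text):
        toks = line.split()
        if toks[0] == "$TTL":
            continue
        if toks[0] == "$ORIGIN":
            origin = fqdn(toks[1], origin)
            continue
        if not line[0].isspace():                 # a name in column 1 sets the owner
            owner = fqdn(toks.pop(0), origin)
        while toks[0] in CLASSES or TTL_RE.fullmatch(toks[0]):   # optional [TTL] [class]
            toks.pop(0)
        records.append((owner, toks[0].upper(), toks[1:]))
    return records, origin


def check_zone(text, origin):
    """Return human-readable problems found in the zone; [] when clean."""
    records, origin = parse_zone(text, origin)
    types_at = {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    doubled = "." + origin + origin               # '.example.com.example.com.'
    problems = []
    for owner, rtype, rdata in records:
        target = fqdn(rdata[NAME_FIELD[rtype]], origin) if rtype in NAME_FIELD else None
        for name in (owner, target):
            if name and name.endswith(doubled):
                problems.append(f"{name}: origin appended twice, missing trailing dot?")
        if rtype == "CNAME" and types_at[owner] - {"CNAME"}:
            problems.append(f"{owner}: CNAME must stand alone but has {sorted(types_at[owner] - {'CNAME'})}")
        if rtype == "NS" and target.endswith("." + origin) and not (types_at.get(target, set()) & {"A", "AAAA"}):
            problems.append(f"{owner}: NS {target} is inside this zone but has no A/AAAA (glue) record")
        if rtype == "SOA" and "CNAME" in types_at.get(target, set()):
            problems.append(f"SOA MNAME {target} is a CNAME, it must be a host with an A record")
    return problems


GOOD_ZONE = """\
$TTL 1d
@  1h  IN  SOA  ns1.example.net. hostmaster.example.com. (
         2004074891 8h 1h 4w 1h )   ; serial refresh retry expire negative
       IN  NS  ns1.example.net.
       IN  NS  ns2.example.net.
       IN  MX  10  mailhost.example.net.
www    IN  A   192.0.2.6
subdom      IN  NS  ns1.subdom         ; delegated ...
            IN  NS  ns2.somewhere.com.
ns1.subdom  IN  A   192.0.2.4          ; ... with glue
"""
BAD_ZONE = """\
$TTL 1d
@    1h  IN  SOA  ns1 hostmaster.example.com. (
              2004074891 8h 1h 4w 1h )
     IN  NS  ns1
     IN  NS  ns2.example.net.
ns1  IN  CNAME www               ; SOA MNAME / NS target is a CNAME
www  IN  A   192.0.2.6
mail IN  CNAME www
     IN  MX  10 mail             ; other data next to a CNAME
old  IN  CNAME www.example.com   ; missing trailing dot
subdom IN NS ns1.subdom          ; delegated but no glue
       IN NS ns2.somewhere.com.
"""

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, check_zone(zone, "example.com") or "OK")
```

The comment stripping, parenthesis joining and owner inheritance in `_logical_lines`/`parse_zone` are the parts that matter: each mirrors a rule stated in the zone-file section above, and getting any of them wrong silently changes which name a record belongs to. Run `check_zone` on your own zone after editing, before `rndc reload`, alongside named-checkzone.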
    
  • Zone forwarding
    named.conf

    Requests for non-local zones are forwarded to and dealt with by other Nameservers.

    Sample entries - /etc/bind/named.conf

    options {
         directory "/var/named";
         forwarders { 192.168.2.1; 192.168.3.1; };    // Forward all requests except for local zones
                                                      // to the nameservers listed
    
    //   forward only;                                // forward first|only (default first).
                                                      // 'first': ask the forwarders, and if they fail
                                                      // to respond this server resolves the query itself.
                                                      // 'only': never resolve directly; the query fails
                                                      // if the forwarders do.  Either value requires a
                                                      // forwarders statement.
    };
    
    zone "example.com" IN {
         type forward;                                // Forward queries for this zone to listed nameservers
         forwarders { 192.168.2.1; 192.168.3.1; };
    };
    
  • Slave name servers
    named.conf

    Secondary, Tertiary DNS servers - Slave servers. These types of nameservers get their zone files from a master nameserver(s).

    Sample entry - /etc/named.conf

    zone "example.net" {
         type slave;                             // Indicates secondary/tertiary server
         file "db.example.net";
         masters { 192.168.0.100; };             // Where to get the zone files from
    };
    

    Configure zone transfers - Master server named.conf

    (a) Slave server(s) configured as above.

    (b) Master server sample entries as below in master's named.conf

    .....
         allow-transfer { <IP of secondary/tertiary server> ... ; };     // Or use an acl
         notify yes;
         also-notify { <IP of secondary/tertiary server> ... ; };
    .....
    
    // notify yes        Master nameserver checks for NS RRs in the Zone files and sends a 
    //                   notify to those nameservers found whenever there is a change to 
    //                   the data in the zone file.
    
    // also-notify       A way to provide 'recipients of notifications' without having to 
    //                   create a NS RR in the zone file.
    

    Either in the global options or on a per zone basis. Keep allow-transfer limited to the slaves' addresses (or to a TSIG key): an unrestricted AXFR hands a complete copy of the zone to anyone who asks for it.