DNS HOWTO : A resolving, caching name server.

3. A resolving, caching name server.

A first stab at DNS config, very useful for dialup, cable-modem and ADSL users.

On Red Hat and Red Hat related distributions you can achieve the same practical result as this HOWTO's first section by installing the packages bind, bind-utils and caching-nameserver. If you use Debian simply install bind and bind-doc. Of course just installing those packages won't teach you as much as reading this HOWTO. So install the packages, and then read along verifying the files they installed.

A caching only name server will find the answer to name queries and remember the answer the next time you need it. This will shorten the waiting time the next time significantly, especially if you're on a slow connection.

First you need a file called /etc/named.conf (Debian: /etc/bind/named.conf). This is read when named starts. For now it should simply contain: 

// Config file for caching only name server

options {
        directory "/var/named";

        // Uncommenting this might help if you have to go through a
        // firewall and things are not working out.  But you probably
        // need to talk to your firewall admin.

        // query-source port 53;
};

zone "." {
        type hint;
        file "root.hints";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "pz/127.0.0";
};

The Linux distribution packages may use different file names for each kind of file mentioned here; they will still contain about the same things.

The `directory' line tells named where to look for files. All files named subsequently will be relative to this. Thus pz is a directory under /var/named, i.e., /var/named/pz. /var/named is the right directory according to the Linux File system Standard.

The file named /var/named/root.hints is named in this. /var/named/root.hints should contain this: (If you cut and paste this file from an electronic version of this document, please note that there should be no leading spaces in the file, i.e. all the lines should start with a non-blank character. Some document processing software will insert spaces at beginning of the lines, causing some confusion. In that case please remove the leading spaces) 

;
; There might be opening comments here if you already have this file.
; If not don't worry.
;
.                       6D IN NS        M.ROOT-SERVERS.NET.
.                       6D IN NS        I.ROOT-SERVERS.NET.
.                       6D IN NS        E.ROOT-SERVERS.NET.
.                       6D IN NS        D.ROOT-SERVERS.NET.
.                       6D IN NS        A.ROOT-SERVERS.NET.
.                       6D IN NS        H.ROOT-SERVERS.NET.
.                       6D IN NS        C.ROOT-SERVERS.NET.
.                       6D IN NS        G.ROOT-SERVERS.NET.
.                       6D IN NS        F.ROOT-SERVERS.NET.
.                       6D IN NS        B.ROOT-SERVERS.NET.
.                       6D IN NS        J.ROOT-SERVERS.NET.
.                       6D IN NS        K.ROOT-SERVERS.NET.
.                       6D IN NS        L.ROOT-SERVERS.NET.
;
M.ROOT-SERVERS.NET.     6D IN A         202.12.27.33
I.ROOT-SERVERS.NET.     6D IN A         192.36.148.17
E.ROOT-SERVERS.NET.     6D IN A         192.203.230.10
D.ROOT-SERVERS.NET.     6D IN A         128.8.10.90
A.ROOT-SERVERS.NET.     6D IN A         198.41.0.4
H.ROOT-SERVERS.NET.     6D IN A         128.63.2.53
C.ROOT-SERVERS.NET.     6D IN A         192.33.4.12
G.ROOT-SERVERS.NET.     6D IN A         192.112.36.4
F.ROOT-SERVERS.NET.     6D IN A         192.5.5.241
B.ROOT-SERVERS.NET.     6D IN A         128.9.0.107
J.ROOT-SERVERS.NET.     6D IN A         198.41.0.10
K.ROOT-SERVERS.NET.     6D IN A         193.0.14.129
L.ROOT-SERVERS.NET.     6D IN A         198.32.64.12

The file describes the root name servers in the world. The servers change over time and must be maintained now and then. See the maintenance section for how to keep it up to date.

The next section in named.conf is the last zone. I will explain its use in a later chapter; for now just make this a file named 127.0.0 in the subdirectory pz: (Again, please remove leading spaces if you cut and paste this) 

$TTL 3D
@               IN      SOA     ns.linux.bogus. hostmaster.linux.bogus. (
                                1       ; Serial
                                8H      ; Refresh
                                2H      ; Retry
                                4W      ; Expire
                                1D)     ; Minimum TTL
                        NS      ns.linux.bogus.
1                       PTR     localhost.

Next, you need a /etc/resolv.conf looking something like this: (Again: Remove spaces!) 

search subdomain.your-domain.edu your-domain.edu
nameserver 127.0.0.1

The `search' line specifies what domains should be searched for any host names you want to connect to. The `nameserver' line specifies the address of your nameserver, in this case your own machine since that is where your named runs (127.0.0.1 is right, no matter if your machine has another address too). If you want to list several name servers put in one `nameserver' line for each. (Note: Named never reads this file, the resolver that uses named does. Note 2: In some resolv.conf files you find a line saying "domain". That's fine, but don't use both "search" and "domain", only one of them will work).

To illustrate what this file does: If a client tries to look up foo, then foo.subdomain.your-domain.edu is tried first, then foo.your-domain.edu, and finally foo. You may not want to put in too many domains in the search line, as it takes time to search them all.

The example assumes you belong in the domain subdomain.your-domain.edu; your machine, then, is probably called your-machine.subdomain.your-domain.edu. The search line should not contain your TLD (Top Level Domain, `edu' in this case). If you frequently need to connect to hosts in another domain you can add that domain to the search line like this: (Remember to remove the leading spaces, if any) 

search subdomain.your-domain.edu your-domain.edu other-domain.com

and so on. Obviously you need to put real domain names in instead. Please note the lack of periods at the end of the domain names. This is important; please note the lack of periods at the end of the domain names.

3.1 Starting named

After all this it's time to start named. If you're using a dialup connection connect first. Type `ndc start', and press return, no options. If that does not work try `/usr/sbin/ndc start' instead. If that back-fires see the qanda section. If you view your syslog message file (usually called /var/adm/messages, but another directory to look in is /var/log and another file to look in is syslog) while starting named (do tail -f /var/log/messages) you should see something like:

(the lines ending in \ continues on the next line) 

Dec 15 23:53:29 localhost named[3768]: starting.  named 8.2.2-P7 \
                Fri Nov 10 04:50:23 EST 2000 ^Iprospector@porky.\
                devel.redhat.com:/usr/src/bs/BUILD/bind-8.2.2_P7/\
                src/bin/named
Dec 15 23:53:29 localhost named[3768]: hint zone "" (IN) loaded\
                (serial 0)
Dec 15 23:53:29 localhost named[3768]: Zone "0.0.127.in-addr.arpa"\
                (file pz/127.0.0): No default TTL set using SOA\
                minimum instead
Dec 15 23:53:29 localhost named[3768]: master zone\
                "0.0.127.in-addr.arpa" (IN) loaded (serial 1)
Dec 15 23:53:29 localhost named[3768]: listening on [127.0.0.1].53 (lo)
Dec 15 23:53:29 localhost named[3768]: listening on [10.0.0.129].53\
                (wvlan0)
Dec 15 23:53:29 localhost named[3768]: Forwarding source address is\
                [0.0.0.0].1034
Dec 15 23:53:29 localhost named[3769]: Ready to answer queries.

If there are any messages about errors then there is a mistake. Named will name the file it is in. Go back and check the file. Run "ndc restart" when you have fixed it.

Now you can test your setup. Traditionally a program called nslookup is used for this. These days dig is recommended: 

$ dig -x 127.0.0.1       

; <<>> DiG 8.2 <<>> -x 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      1.0.0.127.in-addr.arpa, type = ANY, class = IN

;; ANSWER SECTION:
1.0.0.127.in-addr.arpa.  1D IN PTR  localhost.

;; AUTHORITY SECTION:
0.0.127.in-addr.arpa.   1D IN NS        ns.penguin.bv.

;; Total query time: 30 msec
;; FROM: lookfar to SERVER: default -- 127.0.0.1
;; WHEN: Sat Dec 16 00:16:12 2000
;; MSG SIZE  sent: 40  rcvd: 110

If that's what you get it's working. We hope. Anything else, go back and check everything. Each time you change the named.conf file you need to restart named using the ndc restart command.

Now you can enter a query. Try looking up some machine close to you. pat.uio.no is close to me, at the University of Oslo: 

$ dig pat.uio.no

; <<>> DiG 8.2 <<>> pat.uio.no 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUERY SECTION:
;;      pat.uio.no, type = A, class = IN

;; ANSWER SECTION:
pat.uio.no.             1D IN A         129.240.130.16

;; AUTHORITY SECTION:
uio.no.                 1D IN NS        nissen.uio.no.
uio.no.                 1D IN NS        ifi.uio.no.
uio.no.                 1D IN NS        nn.uninett.no.

;; ADDITIONAL SECTION:
nissen.uio.no.          1D IN A         129.240.2.3
ifi.uio.no.             1H IN A         129.240.64.2
nn.uninett.no.          1D IN A         158.38.0.181

;; Total query time: 112 msec
;; FROM: lookfar to SERVER: default -- 127.0.0.1
;; WHEN: Sat Dec 16 00:23:07 2000
;; MSG SIZE  sent: 28  rcvd: 162

This time dig asked your named to look for the machine pat.uio.no. It then contacted one of the name server machines named in your root.hints file, and asked its way from there. It might take tiny while before you get the result as it may need to search all the domains you named in /etc/resolv.conf. Please note the "aa" on the "flags:" line. It means that the answer is authoritative, that it is fresh from an authoritative server. I'll explain "authoritative" later.

If you ask the same again you get this: 

$ dig pat.uio.no

; <<>> DiG 8.2 <<>> pat.uio.no 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUERY SECTION:
;;      pat.uio.no, type = A, class = IN

;; ANSWER SECTION:
pat.uio.no.             23h59m58s IN A  129.240.130.16

;; AUTHORITY SECTION:
UIO.NO.                 23h59m58s IN NS  nissen.UIO.NO.
UIO.NO.                 23h59m58s IN NS  ifi.UIO.NO.
UIO.NO.                 23h59m58s IN NS  nn.uninett.NO.

;; ADDITIONAL SECTION:
nissen.UIO.NO.          23h59m58s IN A  129.240.2.3
ifi.UIO.NO.             1d23h59m58s IN A  129.240.64.2
nn.uninett.NO.          1d23h59m58s IN A  158.38.0.181

;; Total query time: 4 msec
;; FROM: lookfar to SERVER: default -- 127.0.0.1
;; WHEN: Sat Dec 16 00:23:09 2000
;; MSG SIZE  sent: 28  rcvd: 162

Note the lack of a "aa" flag in this answer. That means that named did not go out on the network to ask this time, as the information is in the cache now. But the cached information might be out of date (stale). So you are informed of this (very slight) possibility by the "aa" not being there. But, now you know that your cache is working.

3.2 Resolvers

All OSes implementing the standard C API has the calls gethostbyname and gethostbyaddr. These can get information from several different sources. Which sources it gets it from is configured in /etc/nsswitch.conf on Linux (and some other Unixes). This is a long file specifying from which file or database to get different kinds of data types. It usually contains helpful comments at the top, which you should consider reading. After that find the line starting with `hosts:'; it should read: 

hosts:      files dns

(You remembered about the leading spaces, right? I won't mention them again.)

If there is no line starting with `hosts:' then put in the one above. It says that programs should first look in the /etc/hosts file, then check DNS according to resolv.conf.

3.3 Congratulations

Now you know how to set up a caching named. Take a beer, milk, or whatever you prefer to celebrate it.

Your Comments

Bind 9
Comment by ChupaMe - 2001-09-10 10:23:25

Any1 knows a good doc about BIND 9?

comment
Comment by amol - 2001-09-04 03:47:29

nice document to start with .
read it and really enjoyed reading it .
regards,
amol sanglikar

Security - Preventing an attacker to know our bind version
Comment by Gabriel - 2001-04-23 10:01:41

Some versions of bind are known to have numerous exploits so we (dns admins) want to hide the bind version to make an attaker's job more difficult. Try this:

# dig @localhost version.bind chaos txt

;;ANSWER SECTION:
version.bind. OS CHAOS TXT "9.0.1"

Now add the following line to the options section of your named.conf:

version "Go Away, Lame!!!"

and try the dig command again:

# dig @localhost version.bind chaos txt

;;ANSWER SECTION
version.bind. OS CHAOS TXT "Go Away, Lame!!!"

Hope this is usefull for you guys!!!
NOTE: Obviously you can change the version string to whatever you like.

Hmmmm - not sure if I agree
Comment by nick@nexnix.co.uk - 2001-03-01 07:48:26

I'm not sure if having a machine with the same name
as the domain (as per your zone files -ie land-5.com ) is a good idea. I did it once and my ISP thought it was "scary". :-)

Also, according to my Cricket book, the SOA should
point to the primary nameserver for the domain.
ie "SOA ns.land-5.com hostmaster.land-5.com ( "
This might be explained by my first point though.

Finally, I don't think you need to declare an mx record
after each host in the domain - once per zone file is sufficent.

But I may be completely wrong and it wouldn't be the first time.
:-))

Hours of involving
Comment by Hung H Dang - 2001-02-21 01:22:01

Well, I have taken a course Linux at college for setup up a web server. But I haven't done setting up DNS server. My question is How much to involve to Set DNS for a linux's beginner to do this? And How many memory does it need for DNS server reach minimal expectation?

Re: ISP
Comment by Mike Fisher - 2001-01-09 06:19:12

It is possible, and also not at all expensive. To be an ISP however, requires quite a bit more of a capital investment. I'm not sure if you're talking about an ISP to provide a connection for just yourself or for yourself AND others.

ISP ....
Comment by Bill Scott - 2000-12-19 08:14:02

is it feasible to handle my own email ISP connection .. using Best Linux as a connection to the internet ? I am a little confused as to what I need to be my own ISP and serve my own email tired of using onemain.com ... is it feasible to be my own connection to the internet I mean money wise ?

Please share a comment:

You are posting anonymously. Create an account.

Name (optional):

Subject:

Comment:

Allowed tags in comment body: B BR I P U

convert newlines to <BR> tags

Please note that comments will be moderated. We reserve the right to delete comments that are obscene, copyrighted by someone else, or otherwise objectionable.

Please also note that your comment may be displayed alongside your name, email address and url, as supplied on your account details.