Steve's RHCE Study Guide: BIND

Next Previous Contents

19. BIND

19.1 Overview

BIND 9
Resolves hostnames to IP addresses(forward lookup).
Resolves IP addresses to hostnames(reverse lookup).
Provides e-mail routing information.
Packages
- bind - Primary package. Provides binaries, documentation, configs, etc.
- bind-utils - Tools used to query DNS servers.
- bind-conf - Contains tools to configure a DNS server.
- caching-nameserver - Includes necessary configuration files to make BIND a caching only nameserver.
  Important files provided by caching-nameserver:
```
/var/named/localhost.zone    # Forward zone for localhost
/var/named/named.ca          # "Hints" file.  Contains root servers
/var/named/named.local       # Reverse zone for localhost
        
```
- openssl - Needed for some of BIND's security features.
Ports
- 53 UDP - DNS queries
- 53 TCP - Zone transfers and DNS queries > 512 bytes.
redhat-config-bindconf
GUI configuration utility provided by bindconf package.

19.2 Configuration Files

/etc/named.conf

Specifies zones, options, and access controls.
SEMI-COLON placement is critical!

Sample named.conf

options {
   directory "/var/named";               // Working directory of server
   allow-query { any; };                 // Specify which hosts are allowed to query this server
   allow-transfer { 192.168.1.0/24; };   // Specify hosts that are allowed to receive zone
                                         // transfers from this server
   recursion yes;                        // Enable recursive queries
   allow-recursion {192.168.1.0/24; };   // Specify which hosts can perform recursive queries.
   version "Surely you must be joking";  // Set version reported by ndc and when querying
                                         // version.bind in the chaos class
};

// The following controls who can access this server using rndc.
// Bind to 127.0.0.1 and allow only localhost access.
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {                // Hints file containing root servers
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

zone "xyz.com" IN {          // Forward lookup zone for xyz.com
        type master;         // This is a master zone
        file "db.xyz.com";   // Zone information stored in /var/named/db.xyz.com
        allow-update { none; };
};

zone "zyx.com" IN {          // Forward lookup zone for zyx.com
        type master;         // This is a master zone
        file "db.zyx.com";   // Zone information stored in /var/named/db.zyx.com
        allow-update { none; };
};

zone "somedomain.com" IN {        // Forward lookup zone for somedomain.com
        type slave;               // This is a slave zone
        file "db.somedomain.com"; // Optional for slave zones.  If set, a copy of the zone
                                  // information is kept locally on disk under /var/named.
};

include "/etc/rndc.key";     // Private key used for secure remote administration

See the end of the named.conf man page for more configuration examples.

SECURITY NOTE:

If the following options are left unspecified, they default to allowing access from all hosts.

allow-query
allow-transfer
allow-recursion

/etc/nsswitch.conf
- Not part of BIND, but must be setup correctly in order for local processes to use BIND for host resolution.
- Specifies the order in which resources are queried in order to resolve hostnames, IP addresses, etc.
- Partial example:
```
hosts:      files dns
networks:   files
protocols:  files nisplus
        
```
  The "hosts" line specifies that we should first check our local files (e.g. /etc/hosts for hostname resolution before consulting DNS services. The "networks" line states that only our local files (e.g. /etc/networks) should be consulted for network information. The "protocols" line says we should first consult our local files (e.g. /etc/protocols) for protocol information, and then consult nisplus services if it isn't found in our local files.
/etc/hosts
- Not part of BIND, but must be setup correctly in order for host resolution to work.
- See host resolution above.
/etc/resolv.conf
- Not part of BIND, but must be setup correctly in order for host resolution to work.
- See host resolution above.

19.3 Caching Only Name Servers

Not authoritative for any zone.
Uses DNS root servers or another name server known as a forwarder to resolve DNS queries.
To create a Forwarding Name Server, put the following line in the "options" section of the /etc/named.conf file:
```
forwarders { 192.168.1.20; };
```
If you want BIND to only use it's forwarders to resolve hosts and not the root name servers, put the following line in the "options" section of the /etc/named.conf file:
```
forward only;
```
The "forwarders" option specifies which DNS or DNS servers queries should be forwarded to for resolution.

19.4 Zones

Overview
- Specified in /etc/named.conf.
- No trailing "." on FQDN.
- "IN" after zone name is optional (see sample named.conf above for example).

Master Zones

DNS server is authoritative for that zone.
All domains must have one.

Example:

zone "somedomain.com" {
   type               master;
   file               "db.somedomain.com";
   allow-transfer     { 192.168.3.4; };
};

Slave Zones
- Provides backup service to "masters".
- Example:
```
zone "somedomain.com" {
   type               slave;
   masters            { 192.168.1.50; };
   file               "db.somedomain.com";
};
        
```
- masters - Specifies the DNS server that is the "master" of this domain.
- file - Not required for slave. If specified, indicates the name of the local file where the zone information is kept.
- When a slave server starts, it checks the serial number for the zone on them master. If it's been updated, the slave performs a zone transfer to get the latest information. If it hasn't, and the slave has the zone on disk (e.g. the file directive was used), it will load the information directly from disk reducing network traffic.
- Slaves must be given permission to perform zone transfers by the master server. In /etc/named.conf:
```
options {
   ...
   allow-transfer { 192.168.1.45; };
   ...
};
        
```
  Or you can specify the "allow-transfer" directive on a per zone basis as shown above.

Reverse Lookup Zones

Used to resolve IP to hostname.
Special domain .in-addr.arpa is used.
Zone name is created by reversing the octets in the network portion of the IP address and appending .in-addr.arpa to it.
For example, to provide reverse lookups for all hosts in the IP range 192.168.1.0/24, use the following zone name:
```
1.168.192.in-addr.arpa
        
```

Example:

zone "1.168.192.in-addr.arpa" {
   type                       master;
   file                       "db.1.168.192.in-addr.arpa";
};

zone "0.0.127.in-addr.arpa" {           # Loopback zone
   type                     master;     # Should NEVER be a slave
   file                     "db.0.0.127.in-addr.arpa";
};

Root Zone
- Special zone that specifies the root servers.
- Zone type is "hint".
- Example:
```
zone "." {
   type   hint;
   file   "named.ca";   # Contains root DNS servers
}
        
```
- Used when a query isn't resolvable by any of the other configured zones.
- Update root servers from ftp://rs.internic.net/domain/named.ca or used dig:
```
dig @<rootserver>
dig @a.root-servers.net
        
```
Zone Delegation
- Divides up a larger domain into smaller, more manageable domains.
- For example, support.somedomain.com and development.somedomain.com can be delegated to someone else's control to ease the management of the somedomain.com domain.
- Example. In the zone file for somedomain.com, put the following entries:
```
support.somedomain.com.     IN  NS ns.support.somedomain.com.
ns.support                  IN  A  192.168.44.10

development.somedomain.com  IN  NS ns.development.somedomain.com.
ns.development              IN  A  192.168.45.10
        
```
- Both the NS and A records are required in order to delegate a zone.
- These are known as "glue" records that help queries go from one name server to another.

19.5 Resource Records

Format
```
[domain/@]    [ttl]    [class]     <type>    <rdata>    [comment]
```
- domain/@ - Optional. If left blank, defaults to the same value as the last resource record. @ represents the domain name specified in /etc/named.conf for the zone. Otherwise, any name specified will have the domain appended to it unless it ends in a ".".
- ttl - Optional. Time-to-Live. Defaults to the value specified by the $TTL directive if left unspecified. Specifies how long the record can be cached.
- class - Optional. If left unspecified, defaults to IN??
- type - Specifies the type of RR.
- rdata - Specifies RR related data.
- comment - Comments about the RR.
Character Restrictions
Hostnames can only consist of A-Z (case insensitive), 0-9, and -.
Start of Authority (SOA)
- Every zone must have one and only one.
- Preamble of the zone file.
- Example:
```
@      1D IN SOA       ns root (
                       2002011201      ; serial
                       3H              ; refresh
                       15M             ; retry
                       1W              ; expire
                       1D )            ; minimum

@      1D IN SOA       ns.somedomain.com. root.somedomain.com. (
                       2002011201      ; serial
                       3H              ; refresh
                       15M             ; retry
                       1W              ; expire
                       1D )            ; minimum
        
```
  Both of the above two sample SOA RR are identical when the $ORIGIN is somedomain.com. The name server specified in the SOA record must be a machine with an A record. You cannot use machine named defined by a CNAME record in the SOA record.
  Component Definitions:
  1. serial - Used for version control. Every time an update is made to the zone, the serial number must be updated so the slave zones know there has been an update.
  2. refresh - How often the slave servers should check the serial number on the master for changes.
  3. retry - Amount of time a slave should wait before attempting another "refresh" after a previous refresh has failed.
  4. expire - How long a slave should use it's DNS information without a refresh from the master.
  5. minimum - How long a server should cache negative hits (e.g. no such domain/host).
  Values for the above entries can be specified in seconds (default), minutes (M), hours(H), days(D), and weeks(W). You must use a capital letter to specify the unit and there can't be a space between the number and the unit.
  86400 = 24H = 1D
Name Server (NS)
- Every zone must have at least the master name server specified.
- A FQDN must be used for NS resource records.
- Example:
```
@               IN      NS      ns1.somewhere.com.
somewhere.com.  IN      NS      ns2.somewhere.com.
                IN      NS      ns3.somewhere.com.
        
```
  All 3 lines refer to the same domain. The @ in the first line refers to the origin (specified by the zone directive in /etc/named.conf. The second line explicitly states the domain (notice the trailing ".") The third line doesn't specify the domain or an @ so it defaults to the domain in the RR above it.)

Address (A)

Maps a hostname to an IP address.
Used by forward lookups.

Example:

ns1.somewhere.com.  IN  A  192.168.20.10   # FQDN specified.  Notice trailing "."
ns2                 IN  A  192.168.20.11   # FQDN isn't required.  In the last 4 lines,
ns3                 IN  A  192.168.20.12   # somedomain.com. is appended to ns2, ns3,
www                 IN  A  192.168.20.15   # www, and mail
mail                IN  A  192.168.20.20

Canonical Name (CNAME)
- Provides an "alias" or alternate name for an existing host.
- A CNAME record should never be referred to by another CNAME record, an MX record, or an SOA record.
- Example:
```
pop                   IN  CNAME  mail
imap                  IN  CNAME  mail
        
```
  In this case, both pop and imap refer to the "mail" address (A) record in the previous example.

Pointer (PTR)

Maps an IP address to hostname.
Used in "in-addr.arpa" zones.

Example (assume a zone of 1.168.192.in-addr.arpa):

10                          IN  PTR  ns1.somewhere.com.
11                          IN  PTR  ns2.somewhere.com.
12                          IN  PTR  ns3.somewhere.com.
15.1.168.192.in-addr.arpa.  IN  PTR  www.somewhere.com.
20                          IN  PTR  mail.somewhere.com.

Again, if a FQDN isn't specified, the domain is appended to the entry.

Mail Exchange (MX)
- Define a mail exchange for a zone.
- Requires a priority be specified right after the "MX" but before the hostname. The lower the number, the higher the priority.
- Used by MTAs to deliver mail to the zone.
- Should not be used in reverse lookup zones.
- Example:
```
@                IN  MX  5 mail.somewhere.com.     ### Highest priority
somewhere.com.   IN  MX 10 mail2.somewhere.com.
                 IN  MX 15 mail3.somewhere.com.    ### Lowest priority
        
```
Host Information (HINFO)
- Provides information about your host.
- Generally not a good idea to give out any host information due to security concerns.
- Should not be used in reverse lookup zones.
- Example:
```
mail             IN HINFO  i686 Linux-2.4.18
www              IN HINFO  i686 Linux-2.4.17-pre2
        
```

19.6 Zone Files

Generally located in /var/named.
Must begin with a Start Of Authority (SOA) resource record.
Contain other resource records.
$TTL directive must be specified.
Always specify the last "." for a FQDN.

Example Forward Zone File:

$TTL    86400
$ORIGIN xyz.com.    ; If not specified, it's taken from named.conf

;  ns1 is a nameserver for the domain.  root is the
;  e-mail address of the owner of the domain.  The domain
;  is appended to each of these values since they don't
;  end with a period. (e.g. they become ns1.xyz.com
;  and root.xyz.com);
@           1D IN SOA ns1 root (
                            2002011901      ; serial
                            3H              ; refresh
                            15M             ; retry
                            1W              ; expire
                            1D )            ; minimum


; These two lines specify the same domain.
; @ means take it from the $ORIGIN or the zone
; specified in named.conf
@                        IN NS     ns1.xyz.com.
xyz.com.                 IN NS     ns2.xyz.com.

ns1                      IN A      192.168.1.20
ns2                      IN A      192.168.1.21

www                      IN A      192.168.1.22
kashyyyk                 IN CNAME  www
coruscant                IN CNAME  kashyyyk      # BAD IDEA!!

www1.xyz.com.            IN A      192.168.1.23
endor                    IN CNAME  www1

mail                     IN A      192.168.1.24
backup-mail              IN A      192.168.1.25

@                        IN MX 5   mail          # Both lines reference
xyz.com.                 IN MX 20  backup-mail   # the same domain

support.xyz.com.         IN NS     ns.support.xyz.com.     # Zone delegation
ns.support               IN A      192.168.2.20

development.xyz.com.     IN NS     ns.development.xyz.com. # Zone delegation
ns.development.xyz.com.  IN A      192.168.3.20

Example Reverse Zone File:

$TTL    86400
$ORIGIN 1.168.192.in-addr.arpa.

@           1D IN SOA ns1.xyz.com. root.xyz.com. (
                            2002011901      ; serial
                            3H              ; refresh
                            15M             ; retry
                            1W              ; expire
                            1D )            ; minimum

; These two lines specify the same domain.
; @ means take it from the $ORIGIN or the zone specified in named.conf
@                          IN NS        ns1.xyz.com.
1.168.192.in-addr.arpa.    IN NS        ns2.xyz.com.

20                         IN PTR       ns1.xyz.com.  # Domain appended to 20
21.1.168.192.in-addr.arpa. IN PTR       ns2.xyz.com.  # Domain not appended (ends with a "." )

22                         IN PTR       www.xyz.com.
23.1.168.192.in-addr.arpa. IN PTR       www1.xyz.com.

24                         IN PTR       mail.xyz.com.
25                         IN PTR       mail-backup.xyz.com.

Next Previous Contents

ERROR!!

RHCE2B.COM Home Page
RHCE2B.COM Practice Test for the RHCE exam
Legal stuff