Building a DHCP Server
coming soon...
Building a DNS Server
Types of Servers
- Caching-only nameserver
  - Does not have zone files on disk
  - Caches information from root domain nameservers
  - Accumulates information over time
  - Can be used to reduce the load on other nameservers and improve response to users
- Primary nameserver (master)
  - Contains the official copy of the zone's data on disk.
  - Changes are made on the master server by the administrator
- Secondary nameserver (slave)
  - Receives zone data via zone transfer from the master server.
Zones
- A zone is slightly different from a domain
- A zone is a chunk or a unit of domain information containing resource records for that zone only
- For example .com is a domain but it is divided into many zones such as example.com. The management of these zones is delegated to the companies that own them.
- example.com may have a subdomain named research.example.com, which could fall in the same zone as example.com, if the nameservers for that zone contained resource records for research.example.com and example.com.
- On the other hand, the example.com domain may delegate subdomains such as research.example.com to other nameservers to manage. These other nameservers would host the resource records for the nodes in research.example.com but not records for example.com.
- A zone never contains records for nodes in a delegated zone.
Delegating Domains
- Delegating is giving the responsibility of maintaining resource records for part of your domain to other nameservers, i.e., example.com may delegate authority for the subdomain sub.example.com to another nameserver (or nameservers).
- The delegator would only contain pointers to the nameservers that are authoritative for that subdomain.
Resource Records
- Zone files consist of resource records which define the hosts in your zone
- IP to host name records (PTR), mail exchange records (MX), name server records (NS), host name to IP address records (A)
Namespace
- Should the internal namespace (perhaps private IPs) be separated from the external namespace (public addresses)?
  - Perhaps example.com faces the Internet and internal-example.com faces the internal hosts
  - or
  - example.com may be the domain name for both the internal and external namespace
- It is possible, and probably the best practice, to keep the external and internal zone files separate for security reasons.
  - Keep your private network safe from prying eyes on the outside
  - This can be accomplished regardless of how you split your namespace, even if you use the same domain name internally and externally.
Authoritative vs Non-authoritative Responses
- Authoritative replies come from the master or slave nameservers regarding their own zone data
  - A slave server may lag behind a master, causing the data to be out of date
  - Nameservers can be authoritative for more than one zone
- Non-authoritative replies come from nameservers that have cached information for another domain (not their own)
Name Resolution
- When name servers provide information to a client from their own zone or another zone.
- All name servers have the IP addresses of the root name servers
  - Typically: /var/named/root.hints
  - This file should be kept up to date
    - ftp.rs.internic.net
- If they cannot resolve a name, they query one of the root servers
From Verisign http://www.verisign.com/tl/nds.html
Recursive and Iterative Queries
Recursive: when a resolver queries its name server and that name server follows the referrals and retrieves the answer for the client.
- The name server receives a recursive query from the client
- That name server responds with the required information or returns an error
- A recursive request isn't passed off to another name server
Iterative: the resolution process that the name server follows to retrieve the information for the client is iterative.
- In iterative resolution, the queried name server simply returns information from its local data or cache, typically referrals to other name servers.
Forward and Reverse Queries
- Mapping a name to an IP number is a forward query
  - Since the structure of DNS is hierarchic, a name is easily mapped to an IP by following the tree structure from less specific at the top to more specific at the bottom.
  - To resolve www.miracosta.cc.ca.us.
    . -> us -> ca -> cc -> miracosta -> www
- Mapping an IP number to a name is a reverse query
  - An exhaustive search would be required unless...
  - there existed the in-addr.arpa namespace
  - There are 256 subdomains under in-addr and 256 subdomains under each of these, and so on for each dotted decimal number in an IP address.
  - To resolve 10.250.15.9
    . -> arpa -> in-addr -> 10 -> 250 -> 15 -> 9
  - The name is read from the bottom to the top so it appears like this:
    - 9.15.250.10.in-addr.arpa
    - most specific to least specific
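The forward walk of www.miracosta.cc.ca.us above, together with the recursive/iterative distinction from the previous section, as an added Python example that is not part of these notes: a toy in-memory DNS tree, an iterative resolver that follows each referral itself, and a recursive resolver that walks the tree for the client and caches the answer. The zone contents, the ns.* server names and the address 192.0.2.80 are constructed for illustration.

```python
# Added example (not from the original notes): a toy DNS tree contrasting
# iterative and recursive resolution; zones, server names and 192.0.2.80 are constructed.
# zone -> {owner: (type, data)}: an NS record for a child zone is a delegation, A is an answer
ZONES = {
    ".": {"us.": ("NS", "ns.us.")},
    "us.": {"ca.us.": ("NS", "ns.ca.us.")},
    "ca.us.": {"cc.ca.us.": ("NS", "ns.cc.ca.us.")},
    "cc.ca.us.": {"miracosta.cc.ca.us.": ("NS", "ns.miracosta.cc.ca.us.")},
    "miracosta.cc.ca.us.": {"www.miracosta.cc.ca.us.": ("A", "192.0.2.80")},
}
# which zone each toy name server is authoritative for (derived from ZONES)
NS_HOSTS = {rec[1]: owner for zone in ZONES.values()
            for owner, rec in zone.items() if rec[0] == "NS"}
CACHE = {}  # the recursive server's cache: qname -> address

def query(server_zone, qname):
    """One iterative query: the server answers only from its own zone data.
    Returns ("A", addr), a referral ("NS", ns_host) for the longest
    delegated suffix of qname, or ("NXDOMAIN", None)."""
    zone = ZONES[server_zone]
    if qname in zone:
        return zone[qname]
    referrals = [o for o, r in zone.items()
                 if r[0] == "NS" and qname.endswith("." + o)]
    if not referrals:
        return ("NXDOMAIN", None)
    return zone[max(referrals, key=len)]

def resolve_iterative(qname):
    """Client-side iteration: start at the root and follow each referral.
    Returns (address or None, list of zones whose servers were asked)."""
    server_zone, asked = ".", []
    while True:
        asked.append(server_zone)
        rtype, data = query(server_zone, qname)
        if rtype == "A":
            return data, asked
        if rtype != "NS":
            return None, asked
        server_zone = NS_HOSTS[data]

def resolve_recursive(qname):
    """Recursive server: a cache hit asks no other server (and is a
    non-authoritative answer); otherwise walk the tree for the client."""
    if qname in CACHE:
        return CACHE[qname], []
    addr, asked = resolve_iterative(qname)
    if addr is not None:
        CACHE[qname] = addr
    return addr, asked
```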
Getting Started
1. Decide on the name(s) of your namespace
   - Will the internal and external names be different?
2. Register your name with a registrar on the Internet
   - There are many available offering different services
   - You will need to provide additional information such as contact name, server name and IP address.
3. Contact your ISP regarding your new domain. Provide the information they require to support your domain.
   - They may have nameservers that will act as slave servers for your master server
   - They will need the name and IP number of your name server
   - Of course you must have a routable, public IP address.
     - Hopefully you have already obtained this from your ISP
Configuring Your Zone
- This is tailored to RedHat 8.0, bind version 9
- Install the bind rpm packages
  - bind: /usr/sbin/named daemon
  - bind-utils: utilities such as dig and nslookup
  - caching-nameserver: only required if you plan on building a caching name server
  - redhat-config-bind: RedHat GUI for configuring bind (you probably don't need this)
Begin with the bind configuration file: /etc/named.conf
- Note: This example is for an internal private network named home-example.com. Later there will be an example of an Internet name server.
- Here is where you define the zones for which you have authority, both forward and reverse
- Note: named.conf comments use // (or # or /* */); in named.conf the ';' is a statement terminator, not a comment character as it is in zone files

options {
    // The options are for global settings
    // this is the location of your zone data files
    directory "/var/named";
    // replace a.b.c.d with your external name server's IP
    // perhaps this is your ISP's name server
    // this is the name server to which unresolvable requests are sent
    forwarders { a.b.c.d; d.e.f.g; };
    // If you have a slave server configured, uncomment this line
    // allow-transfer { 192.168.1.1; localhost; };
    allow-query { 192.168.1.0/24; localhost; };
    allow-recursion { 192.168.1.0/24; localhost; };
};

// ACLs provide a simple way to refer to multiple hosts
// The following ACLs are for dynamic updates
acl "dhcp-clients" {
    192.168.1.0/24;
};
acl "dhcp-servers" {
    192.168.1.20;
};
acl "domain-controllers" {
    192.168.1.230;
};

zone "." in {
    type hint;
    file "root.hints";
};

// reverse zone for localhost
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "zone/db.0.0.127.in-addr.arpa";
};

zone "home-example.com" {
    type master;
    file "zone/db.home-example.com";
    // uncomment if you want to allow dynamic updates to your database
    // allow-update { "domain-controllers"; "dhcp-servers"; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "zone/db.192.168.1";
    // uncomment if you want to allow dynamic updates to your database
    // allow-update { "domain-controllers"; "dhcp-servers"; };
};
Now configure your forward and reverse zone files
- The location of these files is defined in /etc/named.conf
  - In our case, /var/named/zone
- SOA Record
  - The Start of Authority record is the first record you must define
  - Contains the name of the primary (master) name server, contact person, and Time To Live (TTL) values
  - The "@" is replaced by the domain name, home-example.com, named in the named.conf file
  - You must use the trailing '.' for FQDNs
    - or you get this: ns.home-example.com.home-example.com
The db.home-example.com file:

$TTL 3h
@           IN  SOA ns.home-example.com. nsadmin.ns.home-example.com. (
                    1   ; serial
                    3h  ; refresh (3 hours)
                    1h  ; retry (1 hour)
                    1w  ; expire (1 week)
                    1h  ; minimum (1 hour) negative caching TTL
                    )
; Now for the name server(s)
            IN  NS  ns.home-example.com.
; Next the mail server(s)
; If you have more than one, associate a different number
; Lower numbers mean higher preference
            IN  MX  10 mail.home-example.com.
; The addresses of your hosts, beginning with the localhost
localhost   IN  A   127.0.0.1
ns          IN  A   192.168.1.222
colima      IN  A   192.168.1.114
pavones     IN  A   192.168.1.115
michoacan   IN  A   192.168.1.116
oaxaca      IN  A   192.168.1.117
; Aliases
www         IN  CNAME   home-nt4dt.com.
mail        IN  CNAME   ns
The db.192.168.1 file:

$TTL 3h ; 3 hours
@       IN  SOA ns.home-example.com. nsadmin.ns.home-example.com. (
                1   ; serial
                3h  ; refresh (3 hours)
                1h  ; retry (1 hour)
                1w  ; expire (1 week)
                1h  ; minimum (1 hour) negative caching TTL
                )
; name server(s)
        IN  NS  ns.home-example.com.
; addresses of hosts
$TTL 1d ; 1 day
222     IN  PTR ns.home-example.com.
116     IN  PTR michoacan.home-example.com.
114     IN  PTR colima.home-example.com.
115     IN  PTR pavones.home-example.com.
117     IN  PTR oaxaca.home-example.com.
The db.0.0.127.in-addr.arpa file:

$TTL 3h
@       IN  SOA ns.home-example.com. nsadmin.ns.home-example.com. (
                1   ; Serial
                3h  ; Refresh
                1h  ; Retry
                1w  ; Expire
                1h  ; Minimum TTL
                )
        IN  NS  ns.home-example.com.
1       IN  PTR localhost.
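The forward and reverse files above, as an added Python example that is not part of these notes: a minimal parser for this zone-file syntax, the 9.15.250.10.in-addr.arpa reversal from the Forward and Reverse Queries section, and a consistency check that every A record inside 192.168.1.0/24 has a matching PTR. The two zone snippets are constructed from the records in these notes, and the last PTR deliberately omits the trailing dot so that the check catches the ns.home-example.com.home-example.com style mistake described earlier.

```python
import re
# Added example, not from the original notes.  The two zone snippets are
# constructed from the records in these notes; the last PTR deliberately
# omits the trailing dot to reproduce the name.origin mistake described above.
FORWARD_ORIGIN, REVERSE_ORIGIN = "home-example.com.", "1.168.192.in-addr.arpa."
FORWARD = """$TTL 3h
@         IN SOA ns.home-example.com. nsadmin.ns.home-example.com. ( 1 3h 1h 1w 1h )
          IN NS  ns.home-example.com.
localhost IN A   127.0.0.1
ns        IN A   192.168.1.222
colima    IN A   192.168.1.114
oaxaca    IN A   192.168.1.117
mail      IN CNAME ns
"""
REVERSE = """$TTL 3h
@         IN SOA ns.home-example.com. nsadmin.ns.home-example.com. ( 1 3h 1h 1w 1h )
          IN NS  ns.home-example.com.
222       IN PTR ns.home-example.com.
114       IN PTR colima.home-example.com.
117       IN PTR oaxaca.home-example.com
"""

def parse_zone(text, origin):
    """Minimal parser for the zone files in these notes: ';' comments, $TTL, '(...)'
    continuation, '@', blank owner column (inherits the owner) and relative names."""
    text = re.sub(r";[^\n]*", "", text)                      # drop comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    fq = lambda n: origin if n == "@" else n if n.endswith(".") else f"{n}.{origin}"
    records, owner = [], origin
    for line in (ln for ln in text.splitlines() if ln.strip() and not ln.startswith("$")):
        toks = line.split()
        if not line[0].isspace():                 # owner present in column one
            owner, toks = fq(toks[0]), toks[1:]
        toks = toks[1:] if toks[0].upper() == "IN" else toks   # class is optional
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype in ("NS", "CNAME", "PTR", "MX"):
            rdata[-1] = fq(rdata[-1])             # relative names get the origin appended
        records.append((owner, rtype, " ".join(rdata)))
    return records

def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."  # 10.250.15.9 -> 9.15.250.10...

def check_forward_reverse(forward, reverse, rev_origin):
    """Mismatches between A records whose address reverses into rev_origin and the PTRs."""
    want = {reverse_name(d): o for o, t, d in forward
            if t == "A" and reverse_name(d).endswith("." + rev_origin)}
    have = {o: d for o, t, d in reverse if t == "PTR"}
    return sorted(f"{n}: forward says {want.get(n)}, reverse says {have.get(n)}"
                  for n in want.keys() | have.keys() if want.get(n) != have.get(n))
```

Addresses outside the reverse zone (here 127.0.0.1, which belongs under 0.0.127.in-addr.arpa) are skipped, and an empty result means the two files agree.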
Start the Service and Test Your Configuration
- Enter domain name and name servers in /etc/resolv.conf

# cat /etc/resolv.conf
search home-example.com
nameserver 192.168.1.222

# /etc/init.d/named start

- Test configuration with the nslookup command
  - test local lookups
    # nslookup ns
  - test reverse lookups
    # nslookup 192.168.1.222
  - test root servers (if your domain is publicly registered)
    # nslookup ns.home-example.com.
Problems?
- Check log files
  - First examine the syslog.conf file to see where named is logging
  - look for facility daemon, which is where named will log messages
    # grep daemon /etc/syslog.conf
    daemon.*    /var/log/named
- Syntax errors should appear in your logs
- Restart the named server while watching the log output in another terminal window
  # tail -f /var/log/named
  # /etc/init.d/named stop
  # /etc/init.d/named start
more later...