CMPT 471 Networking II. DNS. Database / authoritative servers. When an authoritative master or slave DNS server is initialized it loads a configuration file which associates domain names with data files containing DNS resource records for that domain
Database / authoritative servers
• When an authoritative master or slave DNS server is initialized it loads a configuration file which associates domain names with data files containing DNS resource records for that domain
• For Linux systems that file is usually /etc/named.conf, the configuration for the DNS daemon named. This file will be present only on hosts running DNS servers
• Next we need to look at what is in the files referred to in the configuration file. There will be one file for each domain this DNS server serves.
Format of resource records
• The detailed format depends on the particular resource record, but all resource records follow the pattern
  name ttl class type data
• The first two items may be omitted:
  • name defaults to the last specified name
  • ttl defaults to the value given in the SOA record
• Class is usually IN for Internet
• Type is a code from the RFC (A, SOA, MX, PTR)
• Data depends on the type of record
Organization of DNS data file
• Remember domain names are case insensitive
• All records start in the first column of the file
• The usual order for records in the file is
  • $TTL: set time to live (BIND 8 and later only)
  • SOA record: indicates authority for the zone
  • NS records: give the names of the authoritative name servers for the zone
  • Other records giving data on hosts in the zone
    • A: name to address mapping records
    • PTR: address to name mapping records
    • CNAME: canonical name data (aliases)
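The defaulting rules on the last two slides (blank name column reuses the previous name, missing TTL falls back to $TTL or, on old servers, to the SOA, class defaults to IN, parentheses let a record span lines, ';' starts a comment) are easiest to see in a small parser. The following is an added example written for these notes, not code from the course, from BIND, or from Albitz and Liu; the names RR, parse_ttl, logical_lines, parse_zone and addresses are its own, and the sample zone text is constructed from the movie.edu example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example: RR, parse_ttl, logical_lines, parse_zone and addresses are this
# example's own names, not BIND's; the sample zone text below is constructed.

TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_FIELD = re.compile(r"(?:\d+[smhdw]?)+", re.I)
CLASSES = {"IN", "CH", "HS"}
NAME_DATA = {"NS": 1, "CNAME": 1, "PTR": 1, "SOA": 2}  # leading data fields that are domain names


@dataclass
class RR:
    name: str
    ttl: Optional[int]
    rclass: str
    rtype: str
    data: List[str]


def parse_ttl(text: str) -> int:
    """BIND TTL notation to seconds: '3h' -> 10800, '1w' -> 604800, '3600' -> 3600."""
    return sum(int(n) * TTL_UNITS[u or "s"] for n, u in re.findall(r"(\d+)([smhdw]?)", text.lower()))


def logical_lines(text: str):
    """Strip ';' comments and join a record that spans several lines inside ( )."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue  # blank or comment-only line
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def parse_zone(text: str, origin: str) -> List[RR]:
    """Parse zone text into records, applying the defaulting rules: a blank name
    column reuses the previous name, a missing TTL takes $TTL (or, with no $TTL,
    the last SOA field as pre-BIND-8 servers did), class defaults to IN, and
    names without a trailing dot are completed with the zone origin."""
    if not origin.endswith("."):
        origin += "."

    def qualify(n: str) -> str:
        return origin if n == "@" else (n if n.endswith(".") else f"{n}.{origin}")

    records, last_name, default_ttl = [], None, None
    for line in logical_lines(text):
        fields = line.split()
        if fields[0] == "$TTL":
            default_ttl = parse_ttl(fields[1])
            continue
        if fields[0] == "$ORIGIN":
            origin = qualify(fields[1])
            continue
        if line[0].isspace():  # blank name column: same owner as the previous record
            if last_name is None:
                raise ValueError("first record has no owner name")
            name = last_name
        else:
            name = last_name = qualify(fields.pop(0))
        ttl = default_ttl
        if fields and TTL_FIELD.fullmatch(fields[0]):
            ttl = parse_ttl(fields.pop(0))
        rclass = "IN"
        if fields and fields[0].upper() in CLASSES:
            rclass = fields.pop(0).upper()
        rtype = fields.pop(0).upper()
        data = [qualify(f) if i < NAME_DATA.get(rtype, 0) else f for i, f in enumerate(fields)]
        if rtype == "SOA" and default_ttl is None:
            default_ttl = parse_ttl(data[-1])  # old rule: TTL comes from the SOA
        records.append(RR(name, ttl, rclass, rtype, data))
    return records


def addresses(records: List[RR], name: str) -> List[str]:
    """Every A record for a name, so a multihomed host yields one address per interface."""
    return [rr.data[0] for rr in records if rr.name == name and rr.rtype == "A"]


# Constructed sample modelled on the movie.edu example; wormhole is multihomed.
SAMPLE_ZONE = """\
$TTL 3h
movie.edu. IN SOA terminator.movie.edu. al.robocop.movie.edu. (
                1    ; Serial
                3h   ; Refresh
                1h   ; Retry
                1w   ; Expire
                1h ) ; Negative caching TTL
            IN NS terminator.movie.edu.
            IN NS wormhole.movie.edu.
terminator  IN A 192.249.249.3
wormhole    IN A 192.249.249.1
            IN A 192.253.253.1
bigt   600  IN CNAME terminator
"""

if __name__ == "__main__":
    for rr in parse_zone(SAMPLE_ZONE, "movie.edu."):
        print(rr.name, rr.ttl, rr.rclass, rr.rtype, " ".join(rr.data))
```

Running it prints every record with its owner name and TTL filled in: the NS records inherit movie.edu., the second wormhole address inherits wormhole.movie.edu., and bigt keeps its explicit TTL of 600 seconds while everything else gets the 3-hour $TTL.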
SOA record
  zone IN SOA primarymasterNS contact ( serial refresh retry expire negative-caching-ttl )
• zone, primarymasterNS and contact must be fully qualified domain names ending in .
• The contact is the mail address of the contact, with the first . in the name replaced by @
• The parentheses allow the record to span more than one line
SOA record fields
• serial is a serial number indicating the age of the data file (last update). It is used when a slave server contacts the master server: the slave will update its database if the serial number indicates its database is older than the master's.
• serial is incremented each time data in the DNS database is changed
• You should use a tool to update your DNS database; this will prevent you from forgetting to update serial
• refresh gives the interval at which the slave server should check with the master server to determine if an update is needed (RFC 1537 recommends 24 hours)
• An update is needed if the serial number of the master server's database is larger than the serial number of the slave server's
SOA record fields
• retry: if the slave cannot reach the master at the end of a refresh interval, it will retry after the interval specified in the retry field (recommended 2 hours)
• expire: if the slave fails to contact the master within the expire interval, the slave stops giving answers about the zone (recommended 30 days)
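The interplay of serial, refresh, retry and expire is clearest as a small state machine run from the slave's point of view. This is an added example, not code from the notes, from BIND, or from Albitz and Liu; Soa, SlaveZone, poll, serial_newer and simulate are its own names and the timeline is constructed. It goes one step beyond the slide's "larger serial" rule: serial_newer compares serials with RFC 1982 serial-number arithmetic, which is what real servers do so that a 32-bit serial keeps working after it wraps around.

```python
from dataclasses import dataclass

# Added example: Soa, SlaveZone, poll, serial_newer and simulate are this
# example's own names; the timeline in simulate() is constructed.

TWO31 = 1 << 31


def serial_newer(master: int, slave: int) -> bool:
    """RFC 1982 comparison: is the master's serial 'ahead' of the slave's?
    Works across a 32-bit wrap, unlike a plain master > slave test."""
    master &= 0xFFFFFFFF
    slave &= 0xFFFFFFFF
    if master == slave:
        return False
    return (master > slave and master - slave < TWO31) or (master < slave and slave - master > TWO31)


@dataclass
class Soa:
    serial: int
    refresh: int   # seconds between checks of the master's serial
    retry: int     # seconds to wait after a failed check
    expire: int    # seconds without a successful contact before the zone is dropped


@dataclass
class SlaveZone:
    soa: Soa
    last_success: int   # time of the last successful contact with the master
    next_check: int     # time of the next scheduled contact
    expired: bool = False


def poll(zone: SlaveZone, now: int, master_serial, reachable: bool) -> str:
    """Advance the slave's state at time `now` (seconds) and report what it did:
    'wait', 'transfer', 'uptodate', 'retry' or 'expired'."""
    if now < zone.next_check and not zone.expired:
        return "wait"
    if not reachable:
        if now - zone.last_success >= zone.soa.expire:
            zone.expired = True  # stop answering queries for the zone
            return "expired"
        zone.next_check = now + zone.soa.retry
        return "retry"
    zone.last_success = now
    zone.next_check = now + zone.soa.refresh
    zone.expired = False
    if serial_newer(master_serial, zone.soa.serial):
        zone.soa.serial = master_serial  # a zone transfer would happen here
        return "transfer"
    return "uptodate"


def simulate() -> list:
    """Constructed timeline: refresh 3h, retry 1h, expire 1 week (the example's SOA values)."""
    H = 3600
    zone = SlaveZone(Soa(serial=1, refresh=3 * H, retry=1 * H, expire=7 * 24 * H),
                     last_success=0, next_check=3 * H)
    log = []
    log.append(poll(zone, 1 * H, 1, True))              # too early: wait
    log.append(poll(zone, 3 * H, 2, True))              # master now has serial 2: transfer
    log.append(poll(zone, 6 * H, 2, True))              # same serial: up to date
    log.append(poll(zone, 9 * H, None, False))          # master unreachable: retry in 1h
    log.append(poll(zone, 10 * H, None, False))         # still unreachable: retry again
    log.append(poll(zone, 6 * H + 7 * 24 * H, None, False))  # a week since last contact: expired
    return log


if __name__ == "__main__":
    print(simulate())
```

The expire step is the one administrators forget: a slave whose master has been unreachable for longer than expire silently stops answering for the zone, so an expire value should be long enough to outlast any realistic outage of the master.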
SOA record fields: TTL
• For BIND versions before version 8 the TTL was set using the last field in the SOA record
• For BIND version 8 and above the final field is used for the negative caching TTL, the time a remote name server may cache negative responses about our zone (non-existent hosts)
• In v8 and above the TTL is set using the $TTL statement
  • $TTL 3h indicates a TTL of 3 hours
• RFC 1537 recommends a default TTL of 4 days
• The server supplies the TTL in query responses, telling the server receiving the response how long it may cache the information.
Nameserver records
• One record for each authoritative DNS name server for the zone is added to the zone file
  zone IN NS nameserver
• zone and nameserver must be fully qualified domain names ending in .
• Nameservers should be well connected (stable, accessible)
Address records
• One record for each name to address mapping. Each interface on a multihomed host must have its own record
  hostname IN A IPaddress
• hostname must be a fully qualified domain name
Alias records
• One record for each alias for a given host
  hostalias IN CNAME hostname   OR   hostalias IN A IPaddress
• hostname and hostalias must be fully qualified domain names ending in .
• Do not use aliases in the data portion of the database file
• A server will replace the alias with the canonical name, then look up the canonical name (both are returned)
• The second form can be used to differentiate between multiple interfaces on a single host
• The first form will choose one of the multiple interfaces according to a simple algorithm (alternate, first in list, …)
PTR records
• One record for each address to name mapping. Each interface on a multihomed host must have its own record
  arpaaddress IN PTR hostname
• hostname must be a fully qualified domain name
• arpaaddress must have the form 123.123.123.123.in-addr.arpa.
• The arpaaddress of host 123.15.87.23 is 23.87.15.123.in-addr.arpa.
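Reverse names are mechanical to derive, and the same machinery lets you check that the forward and reverse files agree, which is what mail servers and log analysers rely on when they do a forward-confirmed reverse lookup. The following is an added example, not code from the notes or from Albitz and Liu; reverse_name, reverse_zone, ptr_records, format_zone and check_forward_reverse are its own names, it assumes /24 reverse zones as in the movie.edu example, and the A records and the stale reverse file (with the made-up name old-misery) are constructed. reverse_name also handles IPv6 (ip6.arpa nibble form), which the slide does not cover.

```python
import ipaddress
from typing import Dict, List, Tuple

# Added example: reverse_name, reverse_zone, ptr_records, format_zone and
# check_forward_reverse are this example's own names; the data below is constructed.


def reverse_name(addr: str) -> str:
    """Address -> reverse name: '123.15.87.23' -> '23.87.15.123.in-addr.arpa.'
    (an IPv6 address yields the nibble form under ip6.arpa)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def reverse_zone(cidr: str) -> str:
    """Reverse zone of an octet-aligned IPv4 network: '192.249.249.0/24' -> '249.249.192.in-addr.arpa.'"""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 IPv4 networks are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_records(a_records: List[Tuple[str, str]], prefixlen: int = 24) -> Dict[str, List[Tuple[str, str]]]:
    """One PTR per interface from (hostname, address) pairs, grouped by reverse zone.
    A multihomed host therefore gets a PTR in each of its networks' zones."""
    zones: Dict[str, List[Tuple[str, str]]] = {}
    for host, addr in a_records:
        zone = reverse_zone(f"{addr}/{prefixlen}")
        zones.setdefault(zone, []).append((reverse_name(addr), host))
    return zones


def format_zone(ptrs: List[Tuple[str, str]]) -> str:
    """Render (arpaaddress, hostname) tuples as zone-file lines."""
    return "\n".join(f"{arpa} IN PTR {host}" for arpa, host in ptrs)


def check_forward_reverse(a_records: List[Tuple[str, str]], ptrs: List[Tuple[str, str]]) -> List[str]:
    """Report A records with no matching PTR, and PTRs naming a host that does
    not own that address (the mismatch a forward-confirmed reverse lookup rejects)."""
    forward = {(reverse_name(addr), host) for host, addr in a_records}
    reverse = set(ptrs)
    problems = [f"{host} {arpa}: no PTR record" for arpa, host in sorted(forward - reverse)]
    problems += [f"{arpa} -> {host}: no matching A record" for arpa, host in sorted(reverse - forward)]
    return problems


# Constructed forward data for the movie.edu example; wormhole is multihomed.
A_RECORDS = [
    ("wormhole.movie.edu.", "192.249.249.1"),
    ("wormhole.movie.edu.", "192.253.253.1"),
    ("robocop.movie.edu.", "192.249.249.2"),
    ("terminator.movie.edu.", "192.249.249.3"),
    ("diehard.movie.edu.", "192.249.249.4"),
    ("misery.movie.edu.", "192.253.253.2"),
    ("shining.movie.edu.", "192.253.253.3"),
    ("carrie.movie.edu.", "192.253.253.4"),
]

# Constructed stale reverse file: 2.253.253.192 still points at a made-up old name.
STALE_PTRS = [
    ("1.253.253.192.in-addr.arpa.", "wormhole.movie.edu."),
    ("2.253.253.192.in-addr.arpa.", "old-misery.movie.edu."),
    ("3.253.253.192.in-addr.arpa.", "shining.movie.edu."),
    ("4.253.253.192.in-addr.arpa.", "carrie.movie.edu."),
]

if __name__ == "__main__":
    for zone, ptrs in ptr_records(A_RECORDS).items():
        print(f"; {zone}\n{format_zone(ptrs)}\n")
    hosts_253 = [r for r in A_RECORDS if r[1].startswith("192.253.")]
    print(check_forward_reverse(hosts_253, STALE_PTRS))
```

Generated this way, the two reverse files cannot drift from the forward file; when they are maintained by hand, running check_forward_reverse after every edit catches the stale PTR before a remote mail server does.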
Example from Albitz + Liu
• We are making the database files for a DNS server on the machine terminator.movie.edu. This DNS server will serve zone movie.edu
• terminator has two network interfaces, one on network 192.249.249.0/24 and one on 192.253.253.0/24
• Since a DNS server must also service inverse queries we must also serve the zones
  • 249.249.192.in-addr.arpa
  • 253.253.192.in-addr.arpa
• We will need to make a data file for each of these zones. These files will be db.movie.edu, db.249.249.192 and db.253.253.192
Examples: resource records
  ns-ext.lga1.isc.org. 75012 IN A 192.228.91.19
  isc.org. 2898 IN NS ns-ext.lga1.isc.org.
  bigt.movie.edu. 75012 IN CNAME terminator.movie.edu.
  4.253.253.192.in-addr.arpa. IN PTR carrie.movie.edu.
• The second number in the first three records is the TTL; this is often omitted when records are input but appears in the output of dig and other resolvers.
server data file db.movie.edu: 1
  $TTL 3h
  movie.edu. IN SOA terminator.movie.edu. al.robocop.movie.edu. (
                 1   ; Serial
                 3h  ; Refresh after 3 hours
                 1h  ; Retry after 1 hour
                 1w  ; Expire after 1 week
                 1h ) ; Negative caching TTL 1 hour
  ;
  ; Name servers
  ;
  movie.edu. IN NS terminator.movie.edu.
  movie.edu. IN NS wormhole.movie.edu.
  ;
  ; Addresses
  ;
  localhost.movie.edu.  IN A 127.0.0.1
  robocop.movie.edu.    IN A 192.249.249.2
  terminator.movie.edu. IN A 192.249.249.3
server data file db.movie.edu: 2
  diehard.movie.edu.    IN A 192.249.249.4
  misery.movie.edu.     IN A 192.253.253.2
  shining.movie.edu.    IN A 192.253.253.3
  carrie.movie.edu.     IN A 192.253.253.4
  wormhole.movie.edu.   IN A 192.249.249.1
  wormhole.movie.edu.   IN A 192.253.253.1
  ;
  ; Aliases
  ;
  bigt.movie.edu. IN CNAME terminator.movie.edu.
  dh.movie.edu.   IN CNAME diehard.movie.edu.
  wh.movie.edu.   IN CNAME wormhole.movie.edu.
  ;
  ; Interface specific names
  ;
  wh249.movie.edu. IN A 192.249.249.1
  wh253.movie.edu. IN A 192.253.253.1
Aliases
• The CNAME is used to look up the name of the host (not the alias)
• Then the name is looked up to find the requested information describing the host
• Requesting the information for a DNS name of a multihomed host will return all information regarding all interfaces of the multihomed host (in a list)
• If we ping, or execute another command that does a DNS lookup, it will use the first name in the list (which one is it?), not the interface we want. We therefore also need interface specific names
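The alias behaviour above (replace the alias with the canonical name, then return every record of the canonical name, while an interface specific name returns only its own address) can be checked against a record table, together with two misconfigurations the slides warn about: an alias used in the data portion of a record, and a CNAME chain that loops. This is an added example, not code from the notes, from BIND, or from Albitz and Liu; lookup, first_address and zone_lint are its own names, and the table is constructed from the movie.edu example plus three deliberately broken entries (bigt2, loop1, loop2) that are not in the notes.

```python
from typing import List, Tuple

# Added example: lookup, first_address and zone_lint are this example's own names.
# Constructed (name, type, data) table from the movie.edu example, plus three
# deliberately broken entries that are not in the notes.
RECORDS: List[Tuple[str, str, str]] = [
    ("terminator.movie.edu.", "A", "192.249.249.3"),
    ("wormhole.movie.edu.", "A", "192.249.249.1"),
    ("wormhole.movie.edu.", "A", "192.253.253.1"),
    ("wh249.movie.edu.", "A", "192.249.249.1"),    # interface specific names
    ("wh253.movie.edu.", "A", "192.253.253.1"),
    ("bigt.movie.edu.", "CNAME", "terminator.movie.edu."),
    ("wh.movie.edu.", "CNAME", "wormhole.movie.edu."),
    ("bigt2.movie.edu.", "CNAME", "bigt.movie.edu."),   # constructed: alias of an alias
    ("loop1.movie.edu.", "CNAME", "loop2.movie.edu."),  # constructed: CNAME loop
    ("loop2.movie.edu.", "CNAME", "loop1.movie.edu."),
]


def lookup(records, name: str, rtype: str, max_chain: int = 8):
    """Resolve name/type the way a server does: follow CNAMEs to the canonical
    name, then return (canonical_name, [data, ...]) with every record of that
    type, so a multihomed host yields all of its addresses."""
    chain = [name]
    while True:
        targets = [d for n, t, d in records if n == name and t == "CNAME"]
        if not targets:
            break
        name = targets[0]
        if name in chain:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [name]))
        chain.append(name)
        if len(chain) > max_chain:
            raise ValueError("CNAME chain too long: " + " -> ".join(chain))
    return name, [d for n, t, d in records if n == name and t == rtype]


def first_address(records, name: str):
    """What ping and similar tools do: use the first address in the list."""
    _, addrs = lookup(records, name, "A")
    return addrs[0] if addrs else None


def zone_lint(records) -> List[str]:
    """Flag the two alias mistakes discussed in the notes: a name that has both a
    CNAME and other records, and a CNAME/NS/PTR whose data names an alias."""
    aliases = {n for n, t, _ in records if t == "CNAME"}
    problems = []
    for n, t, d in records:
        if t == "CNAME" and any(m == n and u != "CNAME" for m, u, _ in records):
            problems.append(f"{n}: CNAME coexists with other records")
        if t in ("CNAME", "NS", "PTR") and d in aliases:
            problems.append(f"{t} for {n} points at alias {d}, not a canonical name")
    return problems


if __name__ == "__main__":
    print(lookup(RECORDS, "wh.movie.edu.", "A"))      # both wormhole interfaces
    print(lookup(RECORDS, "wh253.movie.edu.", "A"))   # just the 192.253.253 interface
    print(first_address(RECORDS, "wh.movie.edu."))    # the one ping would use
    for problem in zone_lint(RECORDS):
        print("lint:", problem)
```

The lint output names bigt2 and both loop entries; lookup of loop1 raises instead of spinning, which is the behaviour you want from any resolver-like code that follows CNAMEs.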
server data file, db.249.249.192
  $TTL 3h
  249.249.192.in-addr.arpa. IN SOA terminator.movie.edu. al.robocop.movie.edu. (
                 1   ; Serial
                 3h  ; Refresh after 3 hours
                 1h  ; Retry after 1 hour
                 1w  ; Expire after 1 week
                 1h ) ; Negative caching TTL 1 hour
  ;
  ; Name servers
  ;
  249.249.192.in-addr.arpa. IN NS terminator.movie.edu.
  249.249.192.in-addr.arpa. IN NS wormhole.movie.edu.
  ;
  ; Addresses point to canonical name
  ;
  1.249.249.192.in-addr.arpa. IN PTR wormhole.movie.edu.
  2.249.249.192.in-addr.arpa. IN PTR robocop.movie.edu.
  3.249.249.192.in-addr.arpa. IN PTR terminator.movie.edu.
  4.249.249.192.in-addr.arpa. IN PTR diehard.movie.edu.
server data file, db.253.253.192
  $TTL 3h
  253.253.192.in-addr.arpa. IN SOA terminator.movie.edu. al.robocop.movie.edu. (
                 1   ; Serial
                 3h  ; Refresh after 3 hours
                 1h  ; Retry after 1 hour
                 1w  ; Expire after 1 week
                 1h ) ; Negative caching TTL 1 hour
  ;
  ; Name servers
  ;
  253.253.192.in-addr.arpa. IN NS terminator.movie.edu.
  253.253.192.in-addr.arpa. IN NS wormhole.movie.edu.
  ;
  ; Addresses point to canonical name
  ;
  1.253.253.192.in-addr.arpa. IN PTR wormhole.movie.edu.
  2.253.253.192.in-addr.arpa. IN PTR misery.movie.edu.
  3.253.253.192.in-addr.arpa. IN PTR shining.movie.edu.
  4.253.253.192.in-addr.arpa. IN PTR carrie.movie.edu.
Comments on the example
• Aliases, alternate names for particular domains, can be implemented in different ways
• Using a CNAME record. A CNAME record maps an alias onto its canonical name. A nameserver replaces the alias with the canonical name.
• In a multihomed system we can have a name for each interface of the system; we do not want these names to be aliases. The name and address of each interface will be in a separate address record.
• Using an additional address record to define an alias that is not due to multiple interfaces may confuse sendmail, or require additional configuration to make sure it understands all possible aliases
Root Hints Data
• In addition to your local data you need to know where the name servers for the root zone are
• Remember every DNS server needs to know the addresses of the root servers
• Download a copy of named.root from the root zone servers (ftp.rs.internic.net, 198.41.0.6) to make sure your list of root server information is current
• The names and addresses of the root servers are stored in this file, which should be renamed db.cache to prepare it for use
Sample contents of db.cache
  .                   3600000 IN NS A.ROOT-SERVERS.NET.
  A.ROOT-SERVERS.NET. 3600000 IN A  198.41.0.4
  ;
  .                   3600000 IN NS B.ROOT-SERVERS.NET.
  B.ROOT-SERVERS.NET. 3600000 IN A  128.9.0.7
  ;
  .                   3600000 IN NS C.ROOT-SERVERS.NET.
  C.ROOT-SERVERS.NET. 3600000 IN A  192.33.4.12
  ;
  ; more similar entries
  ;
  .                   3600000 IN NS M.ROOT-SERVERS.NET.
  M.ROOT-SERVERS.NET. 3600000 IN A  202.12.27.33
Configuration File
• The nameserver needs to be instructed to read all of the data files we have constructed
• The file containing these instructions is the configuration file in
  • /etc/named.boot (BIND 4)
  • src/bin/named-bootconf (BIND 8)
  • contrib/named-bootconf (BIND 9)
Configuration file format
  ; BIND 4 configuration file
  directory /var/named   ; directory containing the zone data files
  primary movie.edu db.movie.edu
  primary 249.249.192.in-addr.arpa db.192.249.249
  primary 253.253.192.in-addr.arpa db.192.253.253
  primary 0.0.127.in-addr.arpa db.127.0.0
  cache . db.cache
Configuration file format (1)
  // BIND configuration file
  options {
      directory "/var/named";
      // additional options
  };
  zone "movie.edu" {
      type master;
      file "db.movie.edu";
  };
  zone "249.249.192.in-addr.arpa" {
      type master;
      file "db.192.249.249";
  };
Configuration file format (1)
  zone "253.253.192.in-addr.arpa" {
      type master;
      file "db.192.253.253";
  };
  zone "0.0.127.in-addr.arpa" {
      type master;
      file "db.127.0.0";
  };
  zone "." {
      type hint;
      file "db.cache";
  };
Configuration file format (1)
  // BIND configuration file for slave server
  options {
      directory "/var/named";
      // additional options
  };
  zone "movie.edu" {
      type slave;
      file "bak.movie.edu";
      masters { 192.249.249.3; };
  };
  zone "249.249.192.in-addr.arpa" {
      type slave;
      file "bak.192.249.249";
      masters { 192.249.249.3; };
  };
Configuration file format (1)
  zone "253.253.192.in-addr.arpa" {
      type slave;
      file "bak.192.253.253";
      masters { 192.249.249.3; };
  };
  zone "0.0.127.in-addr.arpa" {
      type master;
      file "db.127.0.0";
  };
  zone "." {
      type hint;
      file "db.cache";
  };
Tools
• Tools to help an administrator set up these files are available
• You can make the zone data files using h2n, which generates files based on your /etc/hosts file
Slave servers
• Entries in the configuration of the form
  zone "movie.edu" {
      type slave;
      masters { 192.249.249.1; };
      file "bak.movie.edu";
  };
• Can have multiple levels of slaves (slaves using other slaves as masters), but it does take longer for updates
Caching only nameserver
• Not authoritative for any domain (except 0.0.127.in-addr.arpa)
• Needs a root hints file
• Configuration file contains only options, zone "0.0.127.in-addr.arpa", and zone "."