7.2. Domain Name Server (DNS) Configuration and Administration
At my place of employment, we are using Linux as a DNS server. It performs exceptionally well. This section will address configuration of DNS tables for these services using the BIND 8.x package which comes standard with the Red Hat distribution.
Note: Red Hat versions 5.1 and earlier used the BIND 4.x package, which used a slightly different format for its configuration file. BIND 8.x offers more functionality than BIND 4.x, and as 4.x is no longer being developed, you should probably consider upgrading your BIND package to the latest version. Simply install the BIND RPM package (see Section 10.1 for details on using the RPM utility), then convert your configuration file to the new format.
Fortunately, converting your existing BIND 4.x configuration file to be compliant with BIND 8.x is easy! In the documentation directory provided as part of BIND (for example, ``/usr/doc/bind-8.1.2/'' for BIND version 8.1.2), there exists a file called ``named-bootconf.pl'', which is an executable Perl program. Assuming you have Perl installed on your system, you can use this program to convert your configuration file. To do so, type the following commands (as root):
    cd /usr/doc/bind-8.1.2
    ./named-bootconf.pl < /etc/named.boot > /etc/named.conf
    mv /etc/named.boot /etc/named.boot-obsolete
You should now have an ``/etc/named.conf'' file which should work with BIND 8.x "out-of-the-box". Your existing DNS tables will work as-is with the new version of BIND, as the format of the tables remains the same.
Configuration of DNS services under Linux involves the following steps:
1. To enable DNS services, the ``/etc/host.conf'' file should look like this:
    # Lookup names via /etc/hosts first, then by DNS query
    order hosts, bind
    # We don't have machines with multiple addresses
    multi on
    # Check for IP address spoofing
    nospoof on
    # Warn us if someone attempts to spoof
    alert on
The extra spoof detection adds a bit of a performance hit to DNS lookups (although negligible), so if you're not too worried about this you may wish to disable the "nospoof" and "alert" entries.
2. Configure the ``/etc/hosts'' file as needed. Typically there doesn't need to be much in here, but for improved performance you can add any hosts you access often (such as local servers) to avoid performing DNS lookups on them.
3. The ``/etc/named.conf'' file should be configured to point to your DNS tables according to the example below.
Note: IP addresses shown are examples only and must be replaced with your own class addresses!
    options {
            // DNS tables are located in the /var/named directory
            directory "/var/named";
            // Forward any unresolved requests to our ISP's name server
            // (this is an example IP address only -- do not use!)
            forwarders {
                    123.12.40.17;
            };
            /*
             * If there is a firewall between you and nameservers you want
             * to talk to, you might need to uncomment the query-source
             * directive below.  Previous versions of BIND always asked
             * questions using port 53, but BIND 8.1 uses an unprivileged
             * port by default.
             */
            // query-source address * port 53;
    };

    // Enable caching and load root server info.  The hint zone is the
    // root zone "."; the list of root servers lives in /var/named/named.root
    zone "." {
            type hint;
            file "named.root";
    };

    // All our DNS information is stored in /var/named/mydomain_name.db
    // (eg. if mydomain.name = foobar.com then use foobar_com.db)
    zone "mydomain.name" {
            type master;
            file "mydomain_name.db";
            allow-transfer { 123.12.41.40; };
    };

    // Reverse lookups for 123.12.41.*, .42.*, .43.*, .44.* class C's
    // (these are example Class C's only -- do not use!)
    zone "12.123.IN-ADDR.ARPA" {
            type master;
            file "123_12.rev";
            allow-transfer { 123.12.41.40; };
    };

    // Reverse lookups for 126.27.18.*, .19.*, .20.* class C's
    // (these are example Class C's only -- do not use!)
    zone "27.126.IN-ADDR.ARPA" {
            type master;
            file "126_27.rev";
            allow-transfer { 123.12.41.40; };
    };
Tip: Make note of the ``allow-transfer'' option above, which restricts DNS zone transfers to a given IP address. In our example, we are allowing the host at 123.12.41.40 (probably a slave DNS server in our domain) to request zone transfers. If you omit this option, anyone on the Internet will be able to request such transfers. As the information provided is often used by spammers and IP spoofers, I strongly recommend you restrict zone transfers except to your slave DNS server(s), or use the loopback address, ``127.0.0.1'', instead.
4. Now you can set up your DNS tables in the ``/var/named/'' directory as configured in the ``/etc/named.conf'' file in step three. Configuring DNS database files for the first time is a major undertaking, and is beyond the scope of this document. There are several guides, online and in printed form, that should be referred to. However, several examples are provided below.
Sample entries in the ``/var/named/mydomain_name.db'' forward lookup file:
    ; This is the Start of Authority (SOA) record.  Contains contact
    ; & other information about the name server.  The serial number
    ; must be changed whenever the file is updated (to inform secondary
    ; servers that zone information has changed).
    @       IN      SOA     mydomain.name. postmaster.mydomain.name. (
                            19990811 ; Serial number
                            3600     ; 1 hour refresh
                            300      ; 5 minutes retry
                            172800   ; 2 days expiry
                            43200 )  ; 12 hours minimum

    ; List the name servers in use.  Unresolved (entries in other zones)
    ; will go to our ISP's name server isp.domain.name.com
    ; (a name server must itself have an A record, so we list the host
    ; mail.mydomain.name, as in the reverse file, rather than the bare domain)
            IN      NS      mail.mydomain.name.
            IN      NS      isp.domain.name.com.

    ; This is the mail-exchanger.  You can list more than one (if
    ; applicable), with the integer field indicating priority (lowest
    ; being a higher priority)
            IN      MX      10 mail.mydomain.name.

    ; Provides optional information on the machine type & operating system
    ; used for the server
            IN      HINFO   Pentium/350 LINUX

    ; A list of machine names & addresses
    spock.mydomain.name.    IN      A       123.12.41.40    ; OpenVMS Alpha
    mail.mydomain.name.     IN      A       123.12.41.41    ; Linux (main server)
    kirk.mydomain.name.     IN      A       123.12.41.42    ; Windows NT (blech!)

    ; Including any in our other class C's
    twixel.mydomain.name.   IN      A       126.27.18.161   ; Linux test machine
    foxone.mydomain.name.   IN      A       126.27.18.162   ; Linux devel. kernel

    ; Alias (canonical) names
    gopher  IN      CNAME   mail.mydomain.name.
    ftp     IN      CNAME   mail.mydomain.name.
    www     IN      CNAME   mail.mydomain.name.
Sample entries in the ``/var/named/123_12.rev'' reverse lookup file:
    ; This is the Start of Authority record.  Same as in forward lookup table.
    @       IN      SOA     mydomain.name. postmaster.mydomain.name. (
                            19990811 ; Serial number
                            3600     ; 1 hour refresh
                            300      ; 5 minutes retry
                            172800   ; 2 days expiry
                            43200 )  ; 12 hours minimum

    ; Name servers listed as in forward lookup table
            IN      NS      mail.mydomain.name.
            IN      NS      isp.domain.name.com.

    ; A list of machine names & addresses, in reverse.  We are mapping
    ; more than one class C here, so we need to list the class B portion
    ; as well.
    40.41   IN      PTR     spock.mydomain.name.
    41.41   IN      PTR     mail.mydomain.name.
    42.41   IN      PTR     kirk.mydomain.name.

    ; As you can see, we can map our other class C's as long as they are
    ; under the 123.12.* class B addresses
    24.42   IN      PTR     tsingtao.mydomain.name.
    250.42  IN      PTR     redstripe.mydomain.name.
    24.43   IN      PTR     kirin.mydomain.name.
    66.44   IN      PTR     sapporo.mydomain.name.

    ; No alias (canonical) names should be listed in the reverse lookup
    ; file (for obvious reasons).
Any other reverse lookup files needed to map addresses in a different class B (such as 126.27.*) can be created, and would look much the same as the example reverse lookup file above.
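As an added example (this is not code from the original guide), here is a small Python checker for master files laid out like the two above. It folds the multi-line SOA, parses owner/type/data for each record, and then checks the things that most often go wrong when editing these files by hand: that there is exactly one SOA with a numeric serial, that every MX record carries its preference integer, that any in-zone NS or MX target has an A record and is not a CNAME, and that a reverse zone contains no aliases. It also carries the date-style serial convention used above forward to the next edit. The sample zone text is constructed here, and all function names are my own.

```python
from collections import defaultdict


def _fold_records(text):
    """Strip ';' comments and join a '( ... )' record (the SOA) spread over several
    lines into one line, keeping the first line's leading whitespace."""
    folded, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            joined = buf[0] + " " + " ".join(part.strip() for part in buf[1:])
            folded.append(joined.replace("(", " ").replace(")", " "))
            buf = []
    return folded


def qualify(name, origin):
    """Make a name absolute: '@' is the origin, relative names get the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else "%s.%s" % (name, origin)


def parse_zone(text, origin):
    """Return [(owner, type, rdata_tokens)]; a line starting with whitespace inherits the
    previous owner, as in the master file format.  (Per-record TTL fields are not handled.)"""
    records, owner = [], origin
    for line in _fold_records(text):
        tokens = line.split()
        if not tokens or tokens[0].startswith("$"):
            continue                       # blank line or a $ORIGIN/$TTL directive
        if line[0].isspace():
            fields = tokens
        else:
            owner, fields = qualify(tokens[0], origin), tokens[1:]
        if fields and fields[0].upper() == "IN":
            fields = fields[1:]            # class is always IN in these files
        if fields:
            records.append((owner, fields[0].upper(), fields[1:]))
    return records


def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def lint_zone(text, origin, reverse=False):
    """Return a list of problems found; an empty list means the checks passed."""
    origin = origin if origin.endswith(".") else origin + "."
    records = parse_zone(text, origin)
    by_owner = defaultdict(list)
    for owner, rtype, _ in records:
        by_owner[owner].append(rtype)
    problems = []
    soa = [rdata for _, rtype, rdata in records if rtype == "SOA"]
    if len(soa) != 1:
        problems.append("expected exactly one SOA record, found %d" % len(soa))
    elif len(soa[0]) < 7 or not soa[0][2].isdigit():
        problems.append("SOA serial number is missing or not numeric")
    for owner, rtype, rdata in records:
        if not rdata:
            problems.append("%s at %s has no data" % (rtype, owner))
        elif rtype == "MX" and (len(rdata) != 2 or not rdata[0].isdigit()):
            problems.append("MX at %s lacks the numeric preference field" % owner)
        elif rtype in ("NS", "MX"):
            target = qualify(rdata[-1], origin)
            if in_zone(target, origin):          # out-of-zone targets are resolved elsewhere
                if "CNAME" in by_owner[target]:
                    problems.append("%s at %s points at alias %s" % (rtype, owner, target))
                elif "A" not in by_owner[target]:
                    problems.append("%s target %s has no A record in this zone" % (rtype, target))
        elif rtype == "CNAME":
            if reverse:
                problems.append("CNAME at %s: aliases do not belong in a reverse zone" % owner)
            elif len(by_owner[owner]) > 1:
                problems.append("%s has other records alongside its CNAME" % owner)
    return problems


def next_serial(current, today):
    """The files above use the YYYYMMDD date as serial; it must increase on every edit,
    so a second edit on the same day can only add one."""
    return today if today > current else current + 1


# Constructed sample forward zone in the layout used above (example names and addresses only).
FORWARD = """\
@       IN  SOA mydomain.name. postmaster.mydomain.name. (
            19990811 ; Serial number
            3600     ; 1 hour refresh
            300      ; 5 minutes retry
            172800   ; 2 days expiry
            43200 )  ; 12 hours minimum
        IN  NS  mail.mydomain.name.
        IN  NS  isp.domain.name.com.
        IN  MX  10 mail.mydomain.name.
spock.mydomain.name.  IN  A   123.12.41.40
mail.mydomain.name.   IN  A   123.12.41.41
www                   IN  CNAME mail.mydomain.name.
"""

# Constructed sample with two common slips: an MX without its preference, and an NS
# that names the bare domain, which has no A record.
BROKEN = """\
@   IN  SOA mydomain.name. postmaster.mydomain.name. ( 19990811 3600 300 172800 43200 )
    IN  NS  mydomain.name.
    IN  MX  mail.mydomain.name.
mail.mydomain.name.   IN  A   123.12.41.41
"""

if __name__ == "__main__":
    for label, zone in (("good", FORWARD), ("broken", BROKEN)):
        print(label, lint_zone(zone, "mydomain.name") or "OK")
    print("next serial after a same-day edit:", next_serial(19990811, 19990811))
```

Run the checker over a file with something like `lint_zone(open("/var/named/mydomain_name.db").read(), "mydomain.name")` before restarting named; for the reverse files pass `reverse=True` and the in-addr.arpa origin from named.conf. BIND 8 does not ship a zone-checking tool of its own, so a check like this is the cheapest way to catch a missing serial bump or a mail exchanger that points nowhere before the slave servers pick up the broken zone.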
5. Make sure the named daemon is running. This daemon is usually started from the ``/etc/rc.d/init.d/named'' file upon system boot. You can also start and stop the daemon manually; type ``named start'' and ``named stop'', respectively. Whenever changes are made to the DNS tables, the DNS server should be restarted by typing ``/etc/rc.d/init.d/named restart''. You may then wish to test your changes by using a tool such as ``nslookup'' to query the machine you have added or changed.
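Besides querying the new records with nslookup, it is worth confirming that the ``allow-transfer'' restriction from step three actually took effect on your own server. The following added example (not from the original guide) does what a slave server does when it asks for a zone: it sends an AXFR request over TCP and reads the first reply. A server honouring allow-transfer answers REFUSED with no answer records; one that starts sending records has no effective restriction for the host you ran it from. The server address and zone in the usage line are assumptions, the helper names are my own, and the REFUSED response bytes at the bottom are constructed from the RFC 1035 header layout so the logic can be exercised without a network.

```python
import secrets
import socket
import struct

# RFC 1035 header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (16-bit each, network order)
HEADER = struct.Struct("!HHHHHH")
QTYPE_AXFR, QCLASS_IN = 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = [label for label in name.strip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_axfr_query(zone, txid):
    """Standard query (flags 0x0000) with a single question: <zone> IN AXFR."""
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return HEADER.pack(txid, 0x0000, 1, 0, 0, 0) + question


def parse_header(message):
    """Return (txid, rcode name, answer count) from the first 12 bytes of a DNS message."""
    txid, flags, _qd, ancount, _ns, _ar = HEADER.unpack(message[:12])
    rcode = flags & 0x000F
    return txid, RCODES.get(rcode, "RCODE%d" % rcode), ancount


def transfer_allowed(message, txid):
    """True if the server began sending zone data.  A server honouring allow-transfer
    answers REFUSED with ANCOUNT 0, which makes this False."""
    rid, rcode, ancount = parse_header(message)
    if rid != txid:
        raise ValueError("response id %#x does not match query id %#x" % (rid, txid))
    return rcode == "NOERROR" and ancount > 0


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed by server")
        buf += chunk
    return buf


def check_transfer(server, zone, port=53, timeout=5.0):
    """AXFR runs over TCP: every message is prefixed by a 2-byte length (RFC 1035 4.2.2).
    Only the first message is read; its header is enough to see the server's decision."""
    txid = secrets.randbelow(0x10000)
    query = build_axfr_query(zone, txid)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return transfer_allowed(_recv_exact(sock, length), txid)


# Constructed sample: what a correctly restricted server sends back.  Flags 0x8185 set
# QR, RD and RA with RCODE 5 (REFUSED); the question is echoed and there are no answers.
SAMPLE_REFUSED = (HEADER.pack(0x1234, 0x8185, 1, 0, 0, 0)
                  + encode_name("mydomain.name") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN))

if __name__ == "__main__":
    # Assumed values: run this from a host that is NOT listed in allow-transfer.
    try:
        allowed = check_transfer("dns.mydomain.name", "mydomain.name")
    except ConnectionError:
        allowed = False                    # some servers just drop the connection
    print("zone transfer:", "ALLOWED -- check allow-transfer" if allowed else "refused (good)")
```

Run it from a machine other than the slave listed in allow-transfer; "refused" is the result you want. If it reports the transfer as allowed, the zone in question is missing the ``allow-transfer'' line or the address in it is wrong. A server that simply drops the TCP connection instead of answering is treated as refusing.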
More information on configuring DNS services can be found in the ``DNS-HOWTO'' guide at http://metalab.unc.edu/Linux/HOWTO/DNS-HOWTO-5.html.