
If there is no solution, then there is no problem!


Bind



Introduction

When I moved to the Nerim ISP, I got a static IP, so I decided to buy a domain name at Gandi and to set up my own DNS.

I did not find that setting up a DNS was straightforward (the configuration file syntax looks like it comes from the Stone Age :)) and some friends from Linux-sottises pushed me to write down a light manual for bind.
This page is the result.

This page is based on the DNS-HOWTO, which is useful but a little "dark" in some places... I also used the book DNS and BIND by Paul Albitz & Cricket Liu (O'Reilly). Obviously, this page has no ambition to replace that book, but it should help people set up a primary DNS while understanding "a little" what they are doing :)

Some words on how DNS work

To begin, a few words to briefly (and naturally incompletely) explain how resolution works: what happens when you type www.domain.com in your preferred browser?

Well, your browser must find the IP corresponding to www.domain.com, because, as you already know, every server on the Internet is known by its IP address. A program which looks for an IP from a name (or a name from an IP) is called a resolver.

The full set of these "name-IP" associations is "distributed" across the Internet and not stored in a single place. There is no machine anywhere holding all this information!

Then begins a "treasure hunt" in which several machines each give a "clue", a piece of information, to the resolver to help it find the address of www.domain.com.

The resolver first asks "God" for a first clue: who is in charge of names ending in .com? "God" here means the root DNS servers, whose addresses are in /var/named/root.hint (have a look at this file; I will tell you further on how to maintain it).

One of the root servers tells the resolver which DNS servers are in charge of .com domains. Those servers are called GTLD servers (Generic Top Level Domains). The resolver then asks one of those GTLD servers: who is in charge of domain.com?

With the addresses of those servers, the resolver asks one of them: what is the address of www.domain.com? And the resolver's job is over.

Naturally, there would be a huge amount of traffic if all those operations were repeated every time. To avoid such traffic, each DNS server has a cache in which it looks to see whether it has already answered the same question... OK, but what happens if the address changed? Well, each DNS server gives the validity time of the information at the same time it gives the information itself. When this time is over, the answer is no longer taken from the cache; a new question is asked instead. This cache behaviour exists at each level of DNS. Each DNS server is responsible for the validity time (TTL = Time To Live) of the data it serves: if the TTL is very short, more traffic is generated; if it is very long, it takes a long time for a modification of your DNS data to be taken into account by other DNS servers.

Practical test
Run:

nslookup

then

server a.root-servers.net

(we are going to use the root server a.root-servers.net). Type:

net.

(with a . at the end), which means "who is in charge of the .net branch?". The list of GTLD servers in charge of .net appears. Choose one, for example:

server k.gtld-servers.net

Ask it who is in charge of linux-sottises.net; type (do not forget the . at the end):

linux-sottises.net.

You get the information about the servers in charge of linux-sottises.net. You should see 3 servers: ns0.linux-sottises.net, ns6.gandi.net and metroid.nerim.net. Choose one of them; for example, type:

server ns0.linux-sottises.net

Now ask it for the address of www.linux-sottises.net (with or without a . at the end; at this level it is the same):

www.linux-sottises.net

You get the address 62.4.22.49

Setup

All that follows is about bind 8.2.3. Install it from a package of your distribution, or by compiling the sources from the Internet Software Consortium.

You are the owner of a domain name, you have a static IP, you have chosen a name for your DNS server (and declared it when you bought your domain). You also know the name and IP of the machine which will be used as secondary DNS.
I will take the example I know best (8-D), linux-sottises, so the domain is linux-sottises.net, IP=62.4.22.49, and I in fact have 3 DNS servers: DNS1=ns0.linux-sottises.net, DNS2=metroid.nerim.net, DNS3=ns6.gandi.net.

There are two kinds of configuration files: the general bind configuration file (usually /etc/named.conf) and the description files of the "zones" (usually in /var/named). When you install bind, you also get a file /var/named/root.hint or /var/named.root which contains the addresses of the root servers (you can also download it from ftp.rs.internic.net, directory /domain, file named.root).

The file /etc/named.conf has different sections which describe the options, the logging, and the names of the zone files. An example is better: download or have a look at mine, and let us comment on it:

The part between { }; contains all the options

  • directory gives the directory where the zone files will be searched for
  • pid-file is the file containing the process number
  • forwarders indicates that queries to bind are forwarded to the corresponding IPs (they are the DNS servers of my ISP, Nerim), and bind makes the query by itself if the ISP DNS servers don't answer. This option is not mandatory.
  • forward first asks for the behaviour previously described (first ask the forwarders; the other option is "only", with which bind never makes a query by itself)
  • query-source indicates the port used for queries (behind a firewall, port * is recommended)
  • allow-query indicates the IPs which are allowed to make queries to the server. Put here only local addresses, the local network and your public Internet IP
  • allow-recursion indicates for which interfaces bind does "all the work" (and not only finds the address where the answer to the query can be found)
  • listen-on indicates which interfaces are listened on. This avoids bind listening on useless interfaces

Use man named.conf to see more options.

The logging part I use is simple and standard. Look at man named.conf for more information.

Then come the general characteristics of the zones of your server. The first "zone" statement is about the root of the name servers (.) and uses the file root.hint (all the files are in the directory indicated at the beginning of the file). IN indicates the INternet class (in fact the only class really used). You can see my file root.hint here.

Then come the characteristics of the "linux-sottises.net" zone, for which bind is master.

  • type master; indicates that bind is the master of the domain (it is responsible for the validity of the information about the zone for the whole Internet)
  • file "zone/linux-sottises.net"; indicates the location of the zone configuration file (path relative to the directory declared at the beginning, here /var/named/zone/linux-sottises.net)
  • allow-transfer{}; gives the list of IPs to which zone transfers are allowed, i.e. the IPs of the secondary DNS servers.
  • allow-query{}; indicates who is allowed to make queries to your server; any means "anyone", and here it is mandatory!! Your DNS has to be askable by anyone to resolve addresses in your domain.
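The split described above (restricted allow-query and allow-recursion in options, but allow-query { any; } on the master zone, with allow-transfer limited to the secondaries) is easy to get wrong, and the usual result is an open resolver. Here is an added Python check, not from this page, run over a constructed named.conf fragment; 192.168.1.0/24 and 192.0.2.53 are placeholders, not addresses from the page.

```python
import re
# Constructed named.conf (not the page's file) following its advice: restricted allow-query
# and allow-recursion in options, allow-query { any; } only in the master zone.
GOOD_CONF = """
options {
    allow-query { 127.0.0.1; 192.168.1.0/24; 62.4.22.49; };  # 192.168.1.0/24: constructed LAN
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};
zone "linux-sottises.net" IN {
    type master;
    file "zone/linux-sottises.net";
    allow-transfer { 192.0.2.53; };  # placeholder standing in for the secondary DNS address
    allow-query { any; };
};
"""
# The same file with the global recursion ACL opened up: the classic open-resolver mistake.
OPEN_CONF = GOOD_CONF.replace("allow-recursion { 127.0.0.1; 192.168.1.0/24; }",
                              "allow-recursion { any; }")

def parse(text):
    """Turn named.conf text into nested (keyword, args, children) statements."""
    text = re.sub(r"(//|#).*", "", text)                        # drop // and # comments
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)
    def block(pos):
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in ("{", ";"):
                words.append(tokens[pos].strip('"'))
                pos += 1
            children = []
            if tokens[pos] == "{":
                children, pos = block(pos + 1)                  # recurse; pos lands on "}"
                pos += 1
            items.append((words[0], words[1:], children))
            pos += 1                                            # skip the ";"
        return items, pos
    return block(0)[0]

def audit(text):
    """List findings; an empty list means the file follows the page's recommendations."""
    findings = []
    for key, args, children in parse(text):
        acl = {k: [c[0] for c in ch] for k, _, ch in children}  # statement -> address list
        if key == "options":
            for name in ("allow-query", "allow-recursion"):
                if "any" in acl.get(name, ["any"]):             # absent = bind default = everyone
                    findings.append(f"options: {name} is open to anyone (open resolver)")
        elif key == "zone" and ("type", ["master"]) in [(k, a) for k, a, _ in children]:
            if "any" not in acl.get("allow-query", []):
                findings.append(f"zone {args[0]}: master zone must keep allow-query {{ any; }}")
            if "any" in acl.get("allow-transfer", ["any"]):
                findings.append(f"zone {args[0]}: allow-transfer must list only the secondaries")
    return findings
```

Run audit() on your own named.conf text: the good fragment yields no finding, the opened one reports the recursion ACL.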

The next zone is a "reverse" zone (IP to name) and is about the local loopback (the relation of the server with itself). The name before .in-addr.arpa will be used in the zone file; for example, 0.0.127.in-addr.arpa describes addresses of the form 127.0.0.X.

Remark: if you remove the master zone from the configuration file and keep the 0.0.127.in-addr.arpa part and the corresponding file (see further on), you have a simple DNS which is useful when the DNS servers of your ISP are down!

Let us go to the zone files. Download or have a look at linux-sottises.net, which I stored in /var/named/zone as mentioned in the bind configuration file.

  • $TTL 86400 indicates a default Time To Live of 86400 seconds (one day) for the records where no TTL is mentioned
  • @ is a shortcut for the zone name indicated in named.conf followed by a ".". This means that @ is equivalent to linux-sottises.net.
  • SOA is the Start of Authority record; it is followed by the name of the primary DNS server and the email address of the person in charge (in the email address the @ is replaced by a . and the address itself must be terminated by a . (I know this is weird :))
  • next, you put between ( ) information on the validity times of the record:
    • to begin with, put the serial number of the record. When you change your configuration, do not forget to increase this serial number; this allows the slave servers to request the new data when necessary. Use a serial number of the form YYYYMMDDXX where YYYY is the year, MM is the month (two digits), DD is the day (two digits) and XX is a two-digit number that you start at 00 and increase by 1 for every change in a day.
    • Then there are 4 times:
      • the first one is the refresh interval between two verifications by the slave servers
      • the second one is the interval before a retry of the verification if your server does not answer the verification request
      • the third one is the maximum time during which slave servers will keep answering queries without being able to contact the master server
      • the fourth one is the TTL given by your server for any query.
  • Then come the NS records (name server) which indicate the servers for your domain (master and slaves)
  • MX are the mail servers of your domain (MX = Mail Exchanger). The number indicates the priority level of those servers; a small number indicates a high priority. If your machine is stopped, or your connection down, mails coming to your domain will be sent to one of the mail exchangers (in order of priority). The mail exchangers are programmed to regularly check your server and send the received mails as soon as your server is up. MX records are necessary only if you run a mail server :)
  • TXT is a comment
  • Then comes the information about the machines in your domain. The names you put here are automatically suffixed with your domain name and a "." For example, in my configuration file, yoda is "read" as yoda.linux-sottises.net. (with a . at the end)
    • the "A" record gives the address of the machine
    • HINFO is made of two strings, the first one for the processor, the second one for the OS
    • TXT is a comment
  • I am not sure that localhost is mandatory; a lot of example files on the Internet mention it, and so does the O'Reilly book. I do not really understand the reason for this line.
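Two of the points above bite in practice: a serial that is not bumped (slaves keep the old data) and a fully qualified name written without its trailing dot (bind silently reads it as name.linux-sottises.net.). The following is an added Python checker, not the author's file or script; the zone text is constructed in the page's layout, the SOA timers are sample values, and the second NS and the MX target deliberately lack their dot.

```python
import re
from datetime import date, datetime
# Constructed zone in the page's layout (not the author's file); timers are sample values,
# and ns6.gandi.net and the MX target are missing their trailing dot on purpose.
ZONE = """\
$TTL 86400
@   IN  SOA ns0.linux-sottises.net. hostmaster.linux-sottises.net. (
            2003041500  ; serial, YYYYMMDDXX
            28800 7200 604800 86400 )  ; refresh retry expire ttl
    IN  NS  ns0.linux-sottises.net.
    IN  NS  ns6.gandi.net
    IN  MX  10 yoda.linux-sottises.net
"""

def records(text):
    """Token lists per record: ; comments stripped, ( ) continuation lines joined."""
    text = re.sub(r";.*", "", text)
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    return [l.split() for l in text.splitlines() if l.strip() and not l.startswith("$")]

def serial_ok(serial):
    try:
        datetime.strptime(serial[:8], "%Y%m%d")   # the date part must be a real date
    except ValueError:
        return False
    return len(serial) == 10 and serial.isdigit()

def next_serial(current, stamp=None):
    """Next YYYYMMDDXX serial: bump XX on the same day, else start the new day at 00."""
    stamp = stamp or date.today().strftime("%Y%m%d")
    if current[:8] == stamp:
        if current[8:] == "99":
            raise ValueError("100 changes in one day: the XX counter is exhausted")
        return stamp + f"{int(current[8:]) + 1:02d}"
    return stamp + "00"

def check_zone(text):
    """Findings for the mistakes the page warns about; an empty list means clean."""
    findings = []
    for toks in records(text):
        if "SOA" in toks:
            i = toks.index("SOA")
            for name in toks[i + 1:i + 3]:            # primary server and mailbox
                if not name.endswith("."):
                    findings.append(f"SOA: {name} must end with a dot")
            if not serial_ok(toks[i + 3]):
                findings.append(f"SOA: serial {toks[i + 3]} is not of the form YYYYMMDDXX")
        for rtype, offset in (("NS", 1), ("MX", 2)):  # MX has a priority before the name
            if rtype in toks:
                target = toks[toks.index(rtype) + offset]
                if "." in target and not target.endswith("."):
                    findings.append(f"{rtype}: {target} lacks a trailing dot, bind reads it as {target}.<zone>.")
    return findings
```

A relative name such as yoda is left alone; only a dotted name without its final dot is flagged, since that is the case where bind's automatic suffixing produces a wrong target.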

Finally, you have to configure the reverse file for the local loopback, named zone/127.0.0 in the configuration file /etc/named.conf. You can download it or have a look here.

Here a new type of record appears: PTR (pointer). The 1 at the beginning of the line means 127.0.0.1.

If you want to see all this information "online", run:

nslookup
server ns0.linux-sottises.net
set q=any
linux-sottises.net.

without forgetting the last .

For your own server, you still have to launch the named daemon from your boot script or according to the rules of your distribution.

How to keep a good root.hint file...

You can maintain a "good" root.hint file (which does not vary a lot!!) with the script hintupdate, which you can launch from cron every month, or every week if you are as paranoid as me!!

There are French comments at the beginning of the script.... You need:

  • a hostmaster alias in /etc/aliases (or modify the script)
  • a name dns1 with its IP in /etc/hosts (or modify the script)
  • to replace "rcnamed restart" by the correct restart command for bind on your system (this is the restart command on SuSE with bind installed as a package)
  • the sendmail program to inform root of the upgrade status (the sendmail program comes with the sendmail software, but postfix provides a compatible sendmail program)

Naturally, comments or questions are welcome at tnka at linux-sottises.net


Last modified on Thursday 17 April 2003 at 00:39:22 Paris time
Webmaster: TNK