HP DNS Configuration and Management Manual

Abstract

This manual describes how to implement Domain Name System (DNS) on the HP NonStop server in the HP NonStop Open System Services (OSS) environment. This manual is intended for network administrators responsible for managing DNS.

Product Version: DNS 9.2.3, DNS 9.3

Supported Release Version Updates (RVUs): This publication supports G06.27 and all subsequent G-series RVUs and H06.
Document History

Part Number   Product Version       Published
529432-001    DNS 9.2.3, DNS 9.3    December 2004
529432-002    DNS 9.2.3, DNS 9.3    September 2005
529432-003    DNS 9.2.3, DNS 9.
HP DNS Configuration and Management Manual Glossary Index What’s New in This Manual vii Manual Information vii New and Changed Information Examples Figures Tables vii About This Manual ix Manual Organization ix Statement for Ported Software and Related Documentation Related Manuals x Additional Resources xi Notation Conventions xiii Abbreviations xvii x 1.
Contents 2. BIND 9.x on the NonStop Server (continued) 2. BIND 9.x on the NonStop Server (continued) DNS Tools and Utilities (continued) named-bootconf 2-12 nsupdate 2-12 DNS Security Extensions (DNSSEC) Tools 2-13 IPv6 Address Support 2-14 Application Programmatic Interface (API) for DNS 2-17 3.
4. Scaling DNS Contents 4. Scaling DNS Physical Network Separation 4-1 DNS Round-Robin Address Rotation 4-2 5. Troubleshooting Troubleshooting DNS Logging in DNS 5-3 5-1 A. DNS and BIND Basics Components of DNS A-1 DNS Name Space A-1 The Resolver A-3 The Name Server A-3 Lightweight Resolver Library and Demon How BIND Works A-4 Overview A-4 The Resolution Process A-6 The BIND Configuration File A-18 The /etc/named.conf Statements A-18 A-4 B.
Examples (continued) Contents Examples (continued) Example 2-10. Example 2-11. Example 2-12. Example 2-13. Example 2-14. Example 2-15. Example 3-1. Example 3-2. Example 3-3. Example 3-4. Example 3-5. Example 3-6. Example 5-1. Example 5-2. Example B-1. Example B-2. Example B-3.
Figures (continued) Contents Figures (continued) Figure A-8. Figure A-9. Figure A-10. Figure A-11. Figure B-1. Local Server Sends Query to Next Referred Server A-15 Authoritative Server Returns IP Address to Local Server A-16 Local Server Answers Original Request A-17 Client Resolver Receives IP Address of Requested Server A-18 Structure of a Master Server and Slave Servers B-2 Tables Table i. Table ii. Table 2-1. Table 2-2. Table 2-3. Table 3-1. Table 3-2.
Contents HP DNS Configuration and Management Manual—529432-003 vi
What’s New in This Manual

Changes Made for 529432-002

The manual was updated to include new features for DNS 9.3 and to provide more background information about DNS in general. The procedure Stopping the named Process as a Persistent Process on page 3-23 was corrected. The procedure Configuring the named Process as a Persistent Process on page 3-22 was corrected.

Changes Made for 529432-001

This was the first version of this manual.
About This Manual This manual describes how to implement the Domain Name System (DNS) on the NonStop Server in the HP NonStop Open System Services (OSS) environment. For general information about BIND 9.x, see the BIND 9 Administrator Reference Manual in the NonStop Technical Library (NTL).
Statement for Ported Software and Related Documentation About This Manual Statement for Ported Software and Related Documentation (C) Copyright 2000, 2001 Internet Software Consortium. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
About the BIND 9 Administrator Reference Manual

The BIND 9 Administrator Reference Manual provides basic information about the concepts and management of the Internet Software Consortium (ISC) BIND version 9 software package for system administrators, and includes the following topics:

• Introduction to basic DNS and BIND concepts
• More advanced concepts that may be needed for implementing certain options
• A reference section to a
RFCs About This Manual RFCs All of the following DNS RFCs may be found at http://www.ietf.org/rfc.
• RFC 3110 – RSA/SHA-1 SIGs and RSA keys in the Domain Name System
• RFC 3226 – DNSSEC and IPv6 A6 aware server/resolver message size
• RFC 3445 – Limiting the Scope of the KEY Resource Record (RR)
• RFC 3658 – Delegation Signer (DS) Resource Record (RR)
• RFC 3833 – Threat Analysis of the Domain Name System (DNS)

Notation Conventions

Hypertext Links

Blue underline is used to indicate a hypertext link within text.
General Syntax Notation

[ ] Brackets. A group of items enclosed in brackets is a list from which you can choose one item or none. The items in the list can be arranged either vertically, with aligned brackets on each side of the list, or horizontally, enclosed in a pair of brackets and separated by vertical lines. For example:

   FC [ num ]
      [ -num ]
      [ text ]

   K [ X | D ] address

{ } Braces. A group of items enclosed in braces is a list from which you are required to choose one item.
Notation for Messages About This Manual If there is no space between two items, spaces are not permitted. In this example, no spaces are permitted between the period and any other items: $process-name.#su-name Line Spacing. If the syntax of a command is too long to fit on a single line, each continuation line is indented three spaces and is separated from the preceding line by a blank line. This spacing distinguishes items in a continuation line from items in a vertical list of selections.
Nonitalic text. Nonitalic letters, numbers, and punctuation indicate text that is displayed or returned exactly as shown. For example:

   Backup Up.

lowercase italic letters. Lowercase italic letters indicate variable items whose values are displayed or returned. For example:

   p-register
   process-name

[ ] Brackets. Brackets enclose items that are sometimes, but not always, displayed.
Change Bar Notation About This Manual Change Bar Notation Change bars are used to indicate substantive differences between this manual and its preceding version. Change bars are vertical rules placed in the right margin of changed portions of text, figures, tables, examples, and so on. Change bars highlight new or revised information. For example: The message types specified in the REPORT clause are different in the COBOL environment and the Common Run-Time Environment (CRE).
1 Quick Start This section provides examples of preparing to start Domain Name System (DNS), starting DNS, and stopping DNS. This section does not provide background information about DNS or the TCP/IP subsystems.
Start DNS

3. List the files in the directory by typing the following command:

   /etc/dns923>ls -al

   You should see a display that shows a list of DNS files along with their permissions.

• NonStop TCP/IP, Parallel Library TCP/IP, or NonStop TCP/IPv6 is running.
• If you plan to use IPv6 communications, verify that NonStop TCP/IPv6 is running in DUAL or INET6 mode; refer to the TCP/IPv6 Configuration and Management Manual in NTL for more information.
Start Secure DNS With Default Options

1. Log on and switch to the OSS shell by typing OSH at the TACL prompt:

   >OSH

2. Change directories to the secure DNS directory:

   $ cd /etc/dns_secure/

   Note. In this manual, the dollar sign ($) indicates the OSS shell prompt.

3. Start named by typing the following command:

   $ named -c /etc/dns_secure/named.conf

4.
2 BIND 9.x on the NonStop Server

This section provides information about the implementation of BIND 9.x on the NonStop Server, including:

• DNS and BIND 9.x on the NonStop Server on page 2-1
• DNS Tools and Utilities on page 2-4
• Application Programmatic Interface (API) for DNS on page 2-17

DNS and BIND 9.x on the NonStop Server

This subsection provides information about DNS and BIND 9.
System Requirements BIND 9.x on the NonStop Server Secure DNS is based on BIND 9.
Running DNS in the Open System Services (OSS) Environment

Locating DNS man Pages in OSS

Nonsecure DNS (product ID T0685) is located in OSS in the /etc/dns923/ directory and secure DNS (product ID T0708) is located in /etc/dns_secure/. The default location of man pages in the OSS environment is /usr/share/man.

Table 2-1.
Locating DNS Files in OSS

Table 2-2. Files for Nonsecure and Secure DNS Products

Nonsecure DNS Files Located in /etc/dns923/    Secure DNS Files Located in /etc/dns_secure/
named                                          named
lwresd                                         lwresd
named-bootconf.sh                              named-bootconf.sh
dig                                            dig
nsupdate                                       nsupdate
rndc                                           rndc
db.cache                                       db.cache
db.myzone.com.in                               db.myzone.com.in
named.conf                                     named.conf
rndc.conf                                      rndc.
BIND 9.x on the NonStop Server Dynamic Update For dynamic updates to be processed by the name server, you must specify the IP addresses of the systems from where the requests can be received in the configuration file under the zone entry. Note. In this manual, configuration file and named.conf file are used interchangeably. You can enable dynamic update on a zone-by-zone basis by including an allow-update or update-policy clause in the zone statement.
BIND 9.x on the NonStop Server Dynamic Update DHCP server must have dynamic update capability; however, the DHCP server and the DNS server need not reside on the same subnetwork.
rndc BIND 9.x on the NonStop Server This example indicates that the name server is a master server for the zone example.com and the name server can update the zone data file db.example upon receiving the update requests from the system configured with IP address 10.53.0.24. The allow-update clause specifies which hosts are allowed to submit dynamic DNS updates for master zones. The default is to deny updates from all hosts.
Table 2-3. rndc Commands (page 2 of 2)

Command     Description
stats       Write server statistics to the statistics file.
querylog    Toggle query logging.
dumpdb      Dump the current contents of the cache into the file specified by the dump-file option in the named.conf file.
stop        Stop the server after saving recent changes to the master files of the updated zones.
halt        Stop the server immediately without saving recent changes to the master files.
3. Run the rndc command:

   $ rndc -c /etc/dns_secure/rndc.conf reload

   This command results in a connection to 127.0.0.1 port 953 and reloads the name server.

Example: Using rndc to Stop the Name Server

In the following example, rndc stops the name server running on 10.53.0.1.

Example 2-2. rndc Command

   > rndc -c /etc/dns_secure/rndc.conf -s 10.53.0.1 stop

The communication between the name server and rndc is secured by a shared secret key.
Incremental Zone Transfer (IXFR)

The server statements used to enable and disable the IXFR feature for the master server are:

• [provide-ixfr yes_or_no;]
• [request-ixfr yes_or_no;]

The syntax for setting the server statement in the configuration file for the master server is:

   server ip-address {
      provide-ixfr yes_or_no;
   };

Example 2-3. Setting the Server Statement to Disable IXFR

   server 10.53.0.
BIND 9.x on the NonStop Server dig Remember, the default for both the master and slave for IXFR is yes. Note. A BIND master name server that reloads an entire zone data file cannot compute the differences between that zone and the previous zone. Nor can a BIND slave that gets a full zone transfer figure out what changed between the new zone and the previous zone. Therefore, to take full advantage of IXFR, you should modify your zone only by using dynamic update and never edit the zone data file manually.
Example 2-9. Look Up the Domain Name Corresponding to an IP Address

   $ dig -x 15.16.118.1

Refer to the dig man page for more information about the output format.

named-bootconf

The named-bootconf tool is a shell script that converts a DNS 4.8.3 configuration file to a DNS 9.x configuration file. The syntax for this tool is:

   $ named-bootconf.sh < DNS 4.8.3 configuration file (input) > DNS 9.x configuration file (output)

Note.
   -k    sign updates with TSIG
   -d    sets the debug mode
   -v    tells nsupdate to use TCP/IP to communicate with the server

Example: Running nsupdate

The following example illustrates the interactive use of nsupdate. In this example, nsupdate connects to a name server running on 10.53.0.1. Then the existing record old.example.com is deleted, and a new record new.example.com is added.

Example 2-11.
dnssec-keygen prints the basename of the files to which it writes the generated keys on the terminal. The public key is written to the file basename.key. The private key is written to the file basename.private.

dnssec-signzone—DNSSEC zone signing tool

dnssec-signzone signs a zone file. It generates NSEC and RRSIG records and produces a signed version of the zone file.
Example 2-14. Setting named to Listen on IPv6 Interfaces

   options {
      listen-on-v6 { any; };
   };

The listen-on-v6 option accepts only any and none as arguments. BIND 9.x lets you determine which IPv6 address to use in Notify messages by using the notify-source option statement. The IPv6 option statement is called notify-source-v6.

Example 2-15.
IPv6 Address Support BIND 9.x on the NonStop Server The first 48 bits of the prefix in subnet1.v6.hp.com's record-specific data are set to zero since they are not significant here. These records tell us to look up two A6 records next, one at hp-res.lab1.net and one at hp.lab2.net. By following a chain of A6 records, a name server can assemble all 128 bits of the two inventor.hp.com IPv6 addresses. Note.
Application Programmatic Interface (API) for DNS BIND 9.x on the NonStop Server server to synthesize an alias from courses.hpedu.com to courses.hpuniv.com, replacing hpedu.com with hpuniv.com: courses.hpedu.com. IN CNAME courses.hpuniv.com. The hpedu.com name server replies with this CNAME record. If the hpedu.
• lwres_gai_strerror
• lwres_getnameinfo
• lwres_getipnodebyname
• lwres_getipnodebyaddr
• lwres_freehostent
• lwres_hstrerror

For information about these library calls as well as the standard ones, see the OSS man pages or the TCP/IP Programming Manual.
3 DNS Configuration on the NonStop Server This section provides background information, procedures, and examples for configuring the lightweight resolver, security and other tasks specific to NonStop systems.
Lightweight Resolver

demon running on the local host. Since the lightweight demon runs on every host and regularly caches DNS data, network communication is greatly reduced, which improves performance.

Lightweight Resolver demon

The lightweight demon (lwresd) runs only in the OSS environment. It listens for resolver queries on a UDP port on the IPv4 loopback interface, 127.0.0.1, or the IPv6 loopback interface ::1.
   h_errno           is replaced by lwres_h_errno
   getipnodebyname   is replaced by lwres_getipnodebyname
   getipnodebyaddr   is replaced by lwres_getipnodebyaddr
   freehostent       is replaced by lwres_freehostent

Understanding DNS Security Threats

Different levels of security exist for your DNS implementation on the NonStop server depending on whether you are using DNS servers for local address resolution or using them in the broader domain name sy
Local Threats

The primary source of zone data is normally the zone files; the named.conf file also contains sensitive data. This data should be secured and securely backed up. This threat is classified as local and is typically handled by good system administration.

Figure 3-1.
Zone Transfer Threat

If you run slave servers you will do zone transfers, which introduce a potential server-to-server threat.

Figure 3-2. Zone Transfer Threat, IP Address Spoofing
Dynamic Update Threat DNS Configuration on the NonStop Server Dynamic Update Threat The BIND default is to deny dynamic zone updates. If you have enabled this service, it may pose a threat to the integrity of your zone files and may need to be protected. Dynamic zone updates are also classified as a server-to-server threat. Note.
Remote Query Threat

There is a possibility of remote cache poisoning due to IP spoofing, data interception, or other attacks if you are running a simple web site. Remote cache poisoning is classified as a server-to-client threat.

Figure 3-4.
Remote Caching Corruption Threat

At this time, securing resolvers is not standardized. Resolver queries are classified as a client-to-client threat.

Figure 3-5. Remote Caching Corruption Threat, Client to Client
Use ACLs DNS Configuration on the NonStop Server Table 3-2.
Use ACLs

• Queries—By default, a DNS server answers recursive queries from any node. In some cases, this arrangement may expose the name server to denial-of-service attacks from the Internet, where a malicious user floods the name server with recursive queries.
• Zone Transfers—By default, a DNS server sends the contents of its zone databases to any node that requests this content.
Use ACLs to Restrict Recursion

Figure 3-6 shows how a corporation like HP might use BIND security options to connect to the Internet.

Figure 3-6. ACL Example: Internet
To avoid your name server being flooded with inappropriate recursive queries, you can configure the name server to refuse recursive queries entirely, or to accept them only from certain clients. (This restriction is sensible for a second-level name server that does not appear in the /etc/resolv.conf file of any resolving clients.) Use the option allow-recursion to restrict recursive queries.
You can use four predefined ACLs alone or with address specifications:

   any         allows all hosts
   none        denies all hosts
   localhost   allows the IP addresses of all interfaces on the system
   localnets   allows any host on a network for which the system has an interface

When an ACL definition contains multiple elements, the elements are evaluated from left to right. The ACL "no-badguy" allows all addresses on the 18.1.1 network except 18.1.1.66.
Figure 3-7. ACL Example: Restricting Zone Transfers (a master server and two slave servers at 15.19.8.119, 15.19.8.197, and 15.19.8.64)

   /etc/named.conf:

   acl "DNS-SERVERS" { 15.19.8.119; 15.19.8.197; 15.19.8.64; };

   zone "animals.hp.com" {
      type master;
      file "db.animals";
      allow-transfer { dns-servers; };
   };

   zone "8.19.15.in-addr.arpa" {
      type master;
      file "db.15.19.8";
      allow-transfer { dns-servers; };
   };

In Figure 3-7, the named.
transfer directive once in the options statement instead of repeating it for each zone:

   options {
      allow-transfer { dns-servers; };
   };

Note. This solution is not completely secure because a rogue system could spoof one of the slave servers and obtain a zone update by using the slave server's IP address.

Conceal the BIND Version

By default, your name server returns its BIND version information to version.bind queries.
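The left-to-right evaluation rule, the four predefined ACLs, and the allow-transfer and allow-recursion uses above are easy to get wrong when a list mixes addresses, negations, and named ACLs. The following Python model of BIND's address match list semantics is an added example written for this edition (it is not code from BIND or from the manual): elements are tried in order, the first match decides, a "!" element turns a match into a denial, and an address that matches nothing is denied. The no-badguy and dns-servers lists follow the manual's text; the interface list behind localhost and localnets and the allow-transfer/allow-recursion settings are constructed for the example.

```python
import ipaddress

# Constructed interfaces for the predefined localhost/localnets ACLs
# (assumption for this example: the server has these two interfaces).
LOCAL_INTERFACES = [
    ipaddress.ip_interface("15.19.8.119/24"),
    ipaddress.ip_interface("127.0.0.1/8"),
]

# Constructed named.conf fragments in dictionary form. The acl bodies
# follow the manual's no-badguy and dns-servers examples.
SAMPLE_CONFIG = {
    "acl": {
        "no-badguy": ["!18.1.1.66", "18.1.1/24"],
        "dns-servers": ["15.19.8.119", "15.19.8.197", "15.19.8.64"],
    },
    "allow-transfer": ["dns-servers"],
    "allow-recursion": ["localnets"],
}


def to_network(element):
    """Parse one BIND address element; '18.1.1' and '18.1.1/24' both mean 18.1.1.0/24."""
    net, _, plen = element.partition("/")
    octets = net.split(".")
    if len(octets) < 4 and ":" not in net:
        if not plen:
            plen = str(8 * len(octets))
        octets += ["0"] * (4 - len(octets))
        net = ".".join(octets)
    return ipaddress.ip_network(net + ("/" + plen if plen else ""), strict=False)


def match(acl, client, acls, interfaces=LOCAL_INTERFACES):
    """Return +1 (allow), -1 (deny) or 0 (no element matched).

    Elements are evaluated left to right and the first one that matches
    decides; a '!' prefix turns a match into a denial. 'none' behaves as
    '!any'. A nested acl name contributes the sign of its own match,
    flipped if the reference is negated.
    """
    for raw in acl:
        negate = raw.startswith("!")
        element = raw.lstrip("!").strip()
        if element in acls:
            result = match(acls[element], client, acls, interfaces)
        elif element == "any":
            result = 1
        elif element == "none":
            result = -1
        elif element == "localhost":
            result = int(any(client == i.ip for i in interfaces))
        elif element == "localnets":
            result = int(any(client in i.network for i in interfaces))
        else:
            result = int(client in to_network(element))
        if result:
            return -result if negate else result
    return 0


def acl_allows(acl, client, acls=None):
    """True if the client address passes the address match list."""
    return match(acl, ipaddress.ip_address(client), acls or {}) > 0


def zone_transfer_allowed(client, config=SAMPLE_CONFIG):
    """Decision the allow-transfer list would make for a requesting host."""
    return acl_allows(config["allow-transfer"], client, config["acl"])


def recursion_allowed(client, config=SAMPLE_CONFIG):
    """Decision the allow-recursion list would make for a querying host."""
    return acl_allows(config["allow-recursion"], client, config["acl"])


if __name__ == "__main__":
    for addr in ("18.1.1.5", "18.1.1.66", "18.1.2.5"):
        print(addr, acl_allows(SAMPLE_CONFIG["acl"]["no-badguy"], addr))
    # Order matters: with the negation listed second it is never reached.
    print(acl_allows(["18.1.1/24", "!18.1.1.66"], "18.1.1.66"))
```

The reversed list in the last line is the mistake to watch for: { 18.1.1/24; !18.1.1.66; } admits 18.1.1.66 because the /24 element matches first, which is why the manual's no-badguy list puts the negation before the network.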
Use TSIG

Figure 3-8. Updates Secured Through TSIG (a DHCP server sends a DNS update message to the DNS server with a TSIG record in the additional data section)

The name server adds a TSIG record to the additional data section of a DNS message. TSIG provides secure server-to-server communication, securing DNS messages by providing authentication and data integrity.
Steps to Configure TSIG for Securing Zone Updates:

1. Create the shared key using the dnssec-keygen tool. (See Generating a Key Pair on page 3-21.)

2. Share the generated key between the name servers among which secure communication is desired.

3. Include the key in the key statement of the named.conf file of the primary name server:

   key key-name {
      algorithm hmac-md5;
      secret "generated-secret-key";
   };

   This example specifies a TSIG key for the name server.
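The three steps above come down to one shared secret and one keyed hash. The Python below is an added example for this edition, not code from BIND or the manual: it stands in for the dnssec-keygen step with a random base64 secret, renders the key statement of Step 3, and shows what the receiving server's check yields for a genuine update, a message altered in transit, and a message signed with a key it does not hold. The update payload and key name are constructed; real TSIG (RFC 2845) computes the HMAC over the DNS wire message plus the TSIG record's own fields (name, algorithm, time signed, fudge), which this simplified model leaves out.

```python
import base64
import hashlib
import hmac
import os

# Digest functions for the algorithm names used in named.conf key
# statements. The manual's example uses hmac-md5; hmac-sha256 is the
# current recommendation and is handled the same way here.
DIGESTS = {"hmac-md5": hashlib.md5, "hmac-sha256": hashlib.sha256}


def generate_secret(bits=128):
    """Stand-in for the dnssec-keygen step (constructed here, not produced
    by the tool): a random secret of `bits` bits, base64-encoded the way it
    appears in the key statement."""
    return base64.b64encode(os.urandom(bits // 8)).decode("ascii")


def key_statement(name, secret, algorithm="hmac-md5"):
    """Render the named.conf key statement from Step 3 for one shared key."""
    return 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' % (
        name, algorithm, secret)


def sign(message, secret, algorithm="hmac-md5"):
    """MAC over the message bytes with the base64-decoded shared secret."""
    key = base64.b64decode(secret)
    return hmac.new(key, message, DIGESTS[algorithm]).digest()


def verify(message, mac, secret, algorithm="hmac-md5"):
    """Constant-time check that `mac` is the MAC of `message` under `secret`."""
    return hmac.compare_digest(sign(message, secret, algorithm), mac)


def demo(algorithm="hmac-md5"):
    """Walk the three outcomes a receiving server can see.

    Returns the verification result for the genuine update, for the same
    update altered in transit, and for an update signed with a key the
    server does not share, plus the rendered key statement.
    """
    secret = generate_secret()
    other_secret = generate_secret()
    # Constructed update payload; a real TSIG MAC also covers the TSIG
    # record fields, which is what ties the MAC to a time window.
    update = b"UPDATE example.com. ADD new.example.com. 3600 IN A 10.53.0.24"
    mac = sign(update, secret, algorithm)
    tampered = update.replace(b"10.53.0.24", b"10.53.0.99")
    return {
        "genuine": verify(update, mac, secret, algorithm),
        "tampered": verify(tampered, mac, secret, algorithm),
        "wrong_key": verify(update, sign(update, other_secret, algorithm),
                            secret, algorithm),
        "key_statement": key_statement("dhcp-update-key", secret, algorithm),
    }


if __name__ == "__main__":
    result = demo()
    print(result["key_statement"])
    for case in ("genuine", "tampered", "wrong_key"):
        print(case, result[case])
```

Because the secret is symmetric, every host that holds it can produce valid signatures, so the key statement deserves the same file protection as the zone files discussed under Local Threats, and one key per pair of communicating servers keeps a compromise contained.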
DNS Configuration on the NonStop Server Configure Views Configure Views Views allow you to present one name server configuration to one set of hosts and a different configuration to another set. Whether you choose to use views depends on your overall architecture, firewall configuration, and security policy.
Example 3-3. Sample Configuration File for Views

   options {
      query-source address 10.53.0.2 port 5300;
      pid-file "named.pid";
      listen-on { 10.53.0.2; };
      recursion no;
      notify yes;
   };

   view "internal" {
      match-clients { 10.53.0.2; 10.53.0.3; };
      zone "." {
         type hint;
         file "root.hint";
      };
      zone "example" {
         type master;
         file "internal.db";
         allow-update { any; };
      };
   };

   view "external" {
      match-clients { any; };
      zone "." {
         type hint;
         file "root.
DNS Configuration on the NonStop Server Use Public Key Cryptography: DNSSEC that can communicate with Internet name servers is called a bastion host, and all other name servers communicate with the Internet through the bastion host. See DNS and BIND 4th edition by Paul Albitz and Cricket Liu 4th Edition for an in-depth discussion of using DNS with firewalls, forwarding, and forward zones.
DNS Configuration on the NonStop Server Use Public Key Cryptography: DNSSEC servers have enough memory to load the new, larger zones. If your name servers are resolving more records in secure zones, make sure they have enough processor power to verify all those digital signatures and remember that BIND 9 can take advantage of any processors you can add to the host it runs on. Note.
Specifying a Trusted Key

For the name servers requiring secure communication with the above configured name server, you must add a trusted-keys statement in their configuration files (named.conf). The following example shows the trusted-keys statement for the named.conf file of the affected name server:

   trusted-keys {
      myzone.com.
Stopping the named Process as a Persistent Process

1. To stop the named process if it is configured as a persistent process (autorestart > 0), issue the SCF ABORT command to the NonStop Kernel subsystem as shown:

   ->abort process $zzkrn.#named

For more information about managing persistence, see the SCF Reference Manual for the Kernel Subsystem in NTL.
Example 3-4. Specifying a Different resolv.conf File Through an Application

   #include <stdio.h>
   #include <stdlib.h>
   #include <netdb.h>
   int main(int argc, char *argv[]) {
      struct hostent *h;
      putenv("TCPIP_RESOLVER_NAME=/etc/dns/resolv.conf");  /* must precede the first lookup */
      h = gethostbyname(argv[1]);
      if (h == NULL) {
         printf("%s: unknown host '%s'\n", argv[0], argv[1]);
         exit(1);
      }
   }

Example 3-5. Specifying a Different resolv.conf File Through the OSS Shell

   /etc/dns923> export TCPIP_RESOLVER_NAME='/etc/dns/resolv.
   options   Allows internal resolver variables to be modified. The most common variables that can be modified are ndots, timeout, retrans, attempts, and retry.

Note. For more information about the above directives, refer to the resolv.conf man page. (See Table 2-1, OSS Commands to Access man Pages, on page 2-3.
DNS Configuration on the NonStop Server Tips and Important Tasks The query is then sent to the listed name servers until the host name is resolved or all listed name servers have been tried. For example, the host-name is machine1, machine1.abc.com is sent to the name server running on 10.53.0.1. If the host name is not resolved by this name server, the next section of resolv.conf is used. That is, machine1.def.com is sent to the name server running on 10.53.0.2.
4 Scaling DNS

You can scale DNS in two ways:

• by separating traffic over physical networks
• by using the DNS round-robin address rotation feature

Physical Network Separation

Network scalability refers to distributing incoming requests across multiple network interfaces. You can achieve network scalability by having multiple network interfaces on multiple hosts/servers or by having a multi-homed host (a system that has multiple network interfaces).
Figure 4-1. Physical Separation of Network Traffic (four web servers for MyCompany, each on its own subnet with its own DNS server: DNS server 1 on subnet 192.168.1.1 returns the IP address of Webserver 1, DNS server 2 on subnet 192.168.2.1 returns the IP address of Webserver 2, DNS server 3 on subnet 192.168.3.1 returns the IP address of Webserver 3, and DNS server 4 on subnet 192.168.4.
different IP addresses on a rotating basis. This method of dividing network traffic uses a DNS feature called DNS round-robin address rotation.

Note. Round-robin address resolution is the default DNS configuration; unless you add an option statement to the named.conf file that specifies no-round-robin, round-robin address resolution is enabled.

Figure 4-2. DNS Round-Robin Address Rotation (four servers for MyCompany)
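What the name server does for Figure 4-2 is simple to state but worth seeing end to end: one name carries several A records, and each answer returns the same set starting one position later. The Python below is an added example for this edition (not code from BIND or the manual) that renders those zone records, models the rotation, and counts where a run of clients would land; the four web server addresses are constructed, since the manual gives only the subnets.

```python
from collections import Counter, deque

# Constructed addresses for the four MyCompany web servers of Figure 4-2,
# one per subnet of Figure 4-1 (the manual does not list host addresses).
WEBSERVERS = ["192.168.1.10", "192.168.2.10", "192.168.3.10", "192.168.4.10"]


def zone_records(name, addresses, ttl=300):
    """Zone file lines giving one name several A records; this is all the
    server-side configuration round-robin needs."""
    return ["%s %d IN A %s" % (name, ttl, addr) for addr in addresses]


class RoundRobinRRset:
    """Address records for one name, answered in rotated order.

    Every answer contains the full set, but the starting position advances
    by one, so successive clients (which normally connect to the first
    address they receive) are spread across all servers.
    """

    def __init__(self, name, addresses, rotate=True):
        self.name = name
        self._addresses = deque(addresses)
        self.rotate = rotate  # False models a fixed-order configuration

    def answer(self):
        """Return the records in their current order, then rotate by one."""
        order = list(self._addresses)
        if self.rotate:
            self._addresses.rotate(-1)
        return order

    def remove(self, address):
        """Withdraw a failed server's record. Rotation has no health check,
        so until this is done one client in N is still sent to the dead host."""
        self._addresses.remove(address)


def answer_sequence(rrset, queries):
    """Answers that `queries` consecutive clients would receive."""
    return [rrset.answer() for _ in range(queries)]


def first_address_distribution(rrset, queries):
    """Count how many of `queries` clients would connect to each address."""
    return Counter(rrset.answer()[0] for _ in range(queries))


if __name__ == "__main__":
    for line in zone_records("www.mycompany.com.", WEBSERVERS):
        print(line)
    rr = RoundRobinRRset("www.mycompany.com.", WEBSERVERS)
    print(first_address_distribution(rr, 8))
```

The distribution is even only over the server's own answers: a caching resolver in front of many clients reuses one answer for its TTL, so the spread seen by the web servers is coarser than the count here suggests, and a shorter TTL on these records trades cache efficiency for finer balancing.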
5 Troubleshooting

This section provides guidelines for troubleshooting various problems you may encounter with DNS. This section contains the following information:

• Troubleshooting DNS on page 5-1
• Logging in DNS on page 5-3

Troubleshooting DNS

In most cases, the primary cause of the named process failing to start is faulty configuration.
Example 5-1. Sample named.conf File

    1  /*Sample configuration file */
    2
    3  options {
    4     directory "/user/dns/nameddir";
    5     pid-file "named.pid"
    6     listen-on { 172.31.45.115; };     /*semicolon missing*/
    7  };
    8
    9  logging {
   10     channel my_syslog {
   11        syslog daemon;
   12        severity info;
   13     }                                 /*semicolon missing*/
   14
   15     channel my_file {
   16        file "log.
As shown, the error is displayed along with the date, time, and line numbers (5 and 13 in this case).

Logging in DNS

There are two main concepts in logging:

• Channels specify where the data is logged.
• Categories specify what kind of data (queries, updates, statistics, and so on) is logged to the specified channels.
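Returning to Example 5-1: both faults are the same shape, a statement or block that is not closed by a semicolon, and that shape can be caught before named is restarted. The Python below is an added example for this edition (not a tool from BIND or the manual, whose own checker is named-checkconf) that applies one line-oriented rule to a constructed copy of Example 5-1: after comments are removed, every non-blank line must end in ";" or "{", and a line ending in a bare "}" is missing the ";" that must follow a closing brace. The sample completes the truncated channel with a constructed file name and uses the syslog facility keyword daemon.

```python
import re

# Constructed copy of the manual's Example 5-1 with the same two faults on
# the same lines (5 and 13); the file name on line 16 is made up.
SAMPLE_NAMED_CONF = """\
/* Sample configuration file, constructed after the manual's Example 5-1 */

options {
    directory "/user/dns/nameddir";
    pid-file "named.pid"
    listen-on { 172.31.45.115; };
};

logging {
    channel my_syslog {
        syslog daemon;
        severity info;
    }

    channel my_file {
        file "log.msgs";
        severity info;
    };
};
"""


def strip_comments(text):
    """Remove /* */ block comments (keeping the newlines they span so line
    numbers stay valid) and // or # comments to end of line."""
    text = re.sub(r"/\*.*?\*/",
                  lambda m: "\n" * m.group(0).count("\n"), text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def lint_named_conf(text):
    """Line-oriented semicolon check for named.conf; returns [(line, message)].

    Heuristic, not a parser: once comments are gone, a non-blank line should
    end with ';' (a finished statement) or '{' (an opened block). A line
    ending in a bare '}' lacks the ';' required after a closing brace, and
    any other ending is an unterminated statement. A statement deliberately
    split across lines (for example a file name on its own line) is reported
    too, so treat the output as a list of places to look at.
    """
    problems = []
    for number, line in enumerate(strip_comments(text).splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.endswith((";", "{")):
            continue
        if stripped.endswith("}"):
            problems.append((number, "missing ';' after '}'"))
        else:
            problems.append((number, "missing ';' after: %s" % stripped))
    return problems


if __name__ == "__main__":
    for number, message in lint_named_conf(SAMPLE_NAMED_CONF):
        print("line %d: %s" % (number, message))
```

Run against the sample this reports lines 5 and 13, the two lines the manual's error display names; named-checkconf remains the authoritative check because it knows every statement's grammar, but this pre-check runs anywhere Python does and needs no access to the server.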
Figure 5-1. Logging Categories to Channels (the statistics category is directed to a syslog channel and the queries category to a log_file channel)

The name server can be instructed to enable this feature by specifying the logging statement in the named.conf file. Example 5-2 shows a statement in the named.conf file.

Example 5-2. Logging Statement in named.conf File

   logging {
      channel my_ems {
         syslog daemon;
         severity info;
      };
      channel my_file {
         file "mylog.
• statistics instructs the name server to send the statistical data to both EMS and a local file.
• queries instructs the name server to send the logging data on queries to a local file only.

Refer to the BIND 9 Administrator Reference Manual in NTL for additional information on the logging statement, channels, and categories.
A DNS and BIND Basics The Berkeley Internet Name Domain (BIND) is a Berkeley implementation of the Domain Name System (DNS). BIND is a distributed-network, information-lookup service that maps host names to Internet addresses and maps Internet addresses to host names. BIND also facilitates Internet mail routing by supplying a list of hosts that accept mail for other hosts. This appendix describes the BIND features and components and how they work.
DNS Name Space

Figure A-1. Structure of the DNS Name Space (the root at the top; the domains com, edu, inc, nmt, div, purdue, cs, and econ; the hosts venus, indigo, and arthur at the leaves)

Note. Throughout this document, the terms zone and domain are used interchangeably, though they describe different concepts. A zone describes the domain name space that a name server has authority over. Normally, a zone does not contain any delegated subdomains, whereas a domain can contain data delegated to other name servers.
The Resolver DNS and BIND Basics SOA record from the master and then initiating a zone transfer if the record has changed). The DNS Notify feature is enabled in the master server by default. In some environments, the master server in a zone may be an 8.1.2 or later server with DNS Notify enabled, while the other servers in the zone are 4.x servers (without the DNS Notify feature). In such environments, whenever the master changes and sends a notification to other servers, the 4.
Lightweight Resolver Library and Demon DNS and BIND Basics If the named process is configured as a persistent process, the system automatically starts it upon reload or whenever the process is stopped. Alternatively, you can start it at the command line or by running a script. The named process, when it starts, reads the named.conf to determine: • • If the server is a master, slave, or cache-only domain name server for the specified domains.
Overview DNS and BIND Basics Typically, the client resolver gives a DNS node name and requests as an answer the node’s IP address, or the client resolver gives a DNS node name’s IP address and requests as an answer the node’s name. However, the name server may have different data it is seeking, such as addresses of other domain name servers.
The Resolution Process DNS and BIND Basics 4. The name server demon, named, receives the query from the resolver. Because the name server has information about only the hosts in its local domain (nmt.edu), it cannot answer the query using the information in its local database. 5. The local name server queries a root name server to find the address of indigo.div.inc.com. The root name server serves the root domain.
the host name. (The default value of ndots is 1; therefore, if the input host name contains one dot, the input host name is looked up as is before any domains are appended to it.)

• If the input host name contains a single component (that is, the host name without any dots), and you have set up a host aliases file, BIND looks in your aliases file to translate the alias to a fully qualified host name.
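The ndots rule above, together with the search and options directives described for resolv.conf in Section 3, determines the exact sequence of names the resolver sends to the name server. The Python below is an added example for this edition (not code from BIND, the OSS resolver, or the manual) that parses a constructed resolv.conf and lists that sequence for several inputs; the domain names come from Figure A-1, and the behaviour modelled is the standard BIND res_search ordering rather than anything NonStop-specific. It also covers the absolute-name case (trailing dot) and an ndots setting other than the default, which the text does not walk through.

```python
# Constructed resolv.conf using the directives the manual describes;
# the names are taken from Figure A-1.
SAMPLE_RESOLV_CONF = """\
nameserver 10.53.0.1
search nmt.edu div.inc.com
options ndots:2 timeout:3 attempts:2
"""


def parse_resolv_conf(text):
    """Return {'nameservers': [...], 'search': [...], 'options': {...}}.

    `domain` gives a one-entry search list and `search` a full list; the
    later of the two wins, as in the real resolver. Option values such as
    ndots:2 are stored as integers, flag options as True.
    """
    cfg = {"nameservers": [], "search": [], "options": {}}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            cfg["nameservers"].append(args[0])
        elif key in ("domain", "search"):
            cfg["search"] = args[:1] if key == "domain" else args
        elif key == "options":
            for opt in args:
                name, _, value = opt.partition(":")
                cfg["options"][name] = int(value) if value else True
    return cfg


def lookup_candidates(hostname, cfg):
    """Names the resolver tries, in order, for one gethostbyname() call.

    A name with a trailing dot is absolute and tried once. Otherwise the
    number of dots is compared with ndots (default 1): with at least ndots
    dots the name is tried as given first and then with each search domain
    appended; with fewer dots the search domains are tried first and the
    bare name last.
    """
    if hostname.endswith("."):
        return [hostname]
    ndots = cfg["options"].get("ndots", 1)
    searched = ["%s.%s" % (hostname, d.rstrip(".")) for d in cfg["search"]]
    if hostname.count(".") >= ndots:
        return [hostname] + searched
    return searched + [hostname]


if __name__ == "__main__":
    cfg = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for name in ("venus", "cs.nmt", "indigo.div.inc.com", "www.mit.edu."):
        print(name, "->", lookup_candidates(name, cfg))
```

Two consequences matter operationally: a short name such as venus is first looked up in every search domain, so a record created in one of those domains by someone else silently wins, and a multi-label name below the ndots threshold generates one extra query per search domain before it is tried as given, which is where the timeout and attempts options start to add up.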
• Interprets responses (which may be resource records or an error).
• Returns the information to the programs that requested it.
Each time a service is invoked, such as Telnet or FTP, specifying a target hostname, you indirectly launch a resolver routine like gethostbyname(). The networking software uses IP addresses, not names. The host name must be resolved or mapped to an IP address.
1. The client resolver sends the query request to the local name server. (In this example, a recursive query for www.mit.edu is sent.)
Figure A-2. Recursive Query Is Sent by the Client Resolver (figure not reproduced: client resolver, local name server, "root" name server, edu name server, mit.edu name server)
2. The local name server receives the recursive query request from the resolver supporting the client TCP/IP program and asks a name server in its domain to resolve the domain name to an IP address.
Figure A-3. Local Name Server Receives Recursive Query (figure not reproduced)
3. The requested name is not a local one, and it is not in the cache of the server, so the request goes to the root server. (In this example, the name server sends a nonrecursive query to the root for the address of www.mit.edu.)
Figure A-4. Name Server Sends Nonrecursive Query to Root (figure not reproduced)
4. The root server provides the best answer it can: a referral that gives the address of the next closest name server to the destination (edu). This action begins the iterative part of the resolution process.
Figure A-5. Root Server Refers Local Name Server to a Closer Server (figure not reproduced)
5. The next name server is queried (nonrecursively). (In this example, the local name server sends a query to edu for the address of www.mit.edu.)
Figure A-6. Local Name Server Sends Query to Referred Server (figure not reproduced)
6. The next name server is queried (nonrecursively), and it responds with a referral to the next server. (In this example, the edu name server sends a referral to mit.edu.)
Figure A-7. The Next Server Refers Local Server to Next Closer Server (figure not reproduced)
7. The local name server sends its query to the next server. (In this example, the local name server sends a nonrecursive query to mit.edu for the address of www.mit.edu.)
Figure A-8. Local Server Sends Query to Next Referred Server (figure not reproduced)
8. The server responsible for the requested domain is reached. The provided answer is an authoritative answer. This answer is authoritative because this server has the complete set of information for the requested domain. (In this example, the mit.edu name server returns the IP address of www.mit.edu.)
Figure A-9. Authoritative Server Returns IP Address to Local Server (figure not reproduced)
9. The local server sends the IP address to the client resolver. (In this example, the local name server answers the recursive query for www.mit.edu with the IP address of www.mit.edu.)
Figure A-10. Local Server Answers Original Request (figure not reproduced)
10. The client resolver receives the IP address of www.mit.edu.
Figure A-11. Client Resolver Receives IP Address of Requested Server (figure not reproduced)
The BIND Configuration File
The BIND configuration file, named.conf, enables you to specify many features by using statements and comments.
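The ten-step walk-through above shows the two halves of a lookup: the client resolver asks the local name server one recursive question, and the local server then works iteratively from the root, following each referral until it reaches the server authoritative for the domain. The following Python simulation is an added example, not code from this manual or from BIND: the SERVERS table, the server labels and the 192.0.2.10 address are constructed delegation data for www.mit.edu, and MAX_REFERRALS is an assumed guard so a broken or circular delegation cannot keep the local server chasing referrals forever.

```python
"""Simulation of the recursive/iterative lookup sequence of Figures A-2
through A-11.  Added example; the delegation data below is constructed."""

# Constructed delegation data (not real DNS): each "server" either holds an
# authoritative answer or refers the querier to the closest enclosing zone.
# Addresses come from the RFC 5737 documentation range.
SERVERS = {
    "root": {"zone": ".", "delegations": {"edu.": "edu-server"}, "answers": {}},
    "edu-server": {"zone": "edu.", "delegations": {"mit.edu.": "mit-server"}, "answers": {}},
    "mit-server": {"zone": "mit.edu.", "delegations": {}, "answers": {"www.mit.edu.": "192.0.2.10"}},
}

MAX_REFERRALS = 8  # assumed guard against delegation loops or chains that never converge


def nonrecursive_query(server_name, qname):
    """One nonrecursive query (steps 3, 5 and 7): the server replies with
    ('answer', ip), ('referral', next_server) or ('nxdomain', None)."""
    server = SERVERS[server_name]
    if qname in server["answers"]:
        return ("answer", server["answers"][qname])
    # Prefer the longest matching delegation, as a real server would.
    for zone, next_server in sorted(server["delegations"].items(), key=lambda kv: -len(kv[0])):
        if qname == zone or qname.endswith("." + zone):
            return ("referral", next_server)
    return ("nxdomain", None)


class LocalNameServer:
    """The local name server: accepts recursive queries from the client
    resolver and iterates from the root on its behalf."""

    def __init__(self):
        self.cache = {}
        self.trace = []  # records every server consulted, for inspection

    def resolve(self, qname):
        if not qname.endswith("."):
            qname += "."
        if qname in self.cache:          # step 3 says the cache is tried first
            self.trace.append(("cache", qname))
            return self.cache[qname]
        server = "root"                  # nothing cached: start at the root
        for _ in range(MAX_REFERRALS):
            kind, value = nonrecursive_query(server, qname)
            self.trace.append((server, kind, value))
            if kind == "answer":         # step 8: authoritative answer
                self.cache[qname] = value
                return value
            if kind == "referral":       # steps 4 and 6: follow the referral
                server = value
                continue
            return None                  # authoritative "no such name"
        raise RuntimeError("referral limit exceeded for %s" % qname)


if __name__ == "__main__":
    ns = LocalNameServer()
    print(ns.resolve("www.mit.edu"))
    for step in ns.trace:
        print(step)
```

The trace for the first lookup lists root, edu-server and mit-server in that order, matching steps 3 through 8; a second lookup of the same name is answered from the cache without any query leaving the local server.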
• The options statement
• The server statement
• The zone statement
• The view statement
• The sortlist statement
The acl statement is discussed further in Use ACLs on page 3-9, logging is discussed in Logging in DNS on page 5-3, and the options statement is discussed in Section 2, BIND 9.x on the NonStop Server, as well as in the BIND Administrator Reference Manual. The options statement is complex, currently containing 84 configurable options.
(query-source-v6 is not shown in the Options Statement Grammar section of the BIND Administrator Reference Manual but is described in the subsection Query Address.)
B DNS Server Configuration
This appendix describes configuring the master server. Topics include:
• Master Server Configuration File on page B-1
• Master Server Cache File on page B-4
• The db.127.0.0 File on page B-8
• Master Server db.domain Files on page B-10
Master Server Configuration File
The configuration file, named.conf, informs the master server of the location of all the required data files. The master name server loads its database from these data files. You create the named.
Example B-1. Configuration File for Master Server Authoritative for Domain div.inc.com and Network 15.19.8
#
# type  domain  source file
#
options {
    directory "/etc/dns-secure/named.data";
};
zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "db.127.0.0";
};
zone "div.inc.com" {
    type master;
    file "db.div";
};
zone "8.19.15.IN-ADDR.ARPA" {
    type master;
    file "db.15.19.8";
};
zone "." {
    type hint;
    file "db.
Example B-2. named.conf Sample File
// type  domain  source file
//
options {
    directory "/etc/dns-secure/named.data";
};
zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "db.127.0.0";
};
zone "div.inc.com" {
    type master;
    file "db.div";
};
zone "8.19.15.IN-ADDR.ARPA" {
    type master;
    file "db.15.19.8";
};
zone "." {
    type hint;        // root hints, not an authoritative (master) zone
    file "db.root";
};
The fields used in this sample named.
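Examples B-1 and B-2 differ only in comment style, and a hand-written named.conf is easy to get subtly wrong in ways that still look plausible: the statement keyword is options (not option), reverse zones live under IN-ADDR.ARPA with a hyphen, and on any server other than a root server the "." zone is type hint, not master. The checker below is an added example, not part of this manual or of BIND, and it is not a substitute for BIND's own named-checkconf: SAMPLE_CONF is a constructed fragment modelled on Example B-2 that deliberately contains two of those mistakes, and check_named_conf together with its finding texts are assumptions of this example.

```python
"""Lightweight named.conf sanity checker (added example, not BIND code)."""
import re

# Constructed fragment modelled on Example B-2, seeded with two mistakes:
# the root zone declared "master" and a reverse zone spelled IN.ADDR.ARPA.
SAMPLE_CONF = """
// type   domain   source file
options { directory "/etc/dns-secure/named.data"; };
zone "0.0.127.IN.ADDR.ARPA" { type master; file "db.127.0.0"; };
zone "div.inc.com" { type master; file "db.div"; };
zone "8.19.15.IN-ADDR.ARPA" { type master; file "db.15.19.8"; };
zone "." { type master; file "db.root"; };
"""

# zone "<name>" { <body> };   and   <key> <value>;  inside the body
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{([^}]*)\}\s*;', re.S)
KV_RE = re.compile(r'(\w[\w-]*)\s+("?[^";]+"?)\s*;')


def strip_comments(text):
    """Remove the three comment forms named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    return text


def parse_zones(conf):
    """Return {zone_name: {option: value}} for every zone statement."""
    zones = {}
    for name, body in ZONE_RE.findall(strip_comments(conf)):
        zones[name] = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return zones


def check_named_conf(conf):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    text = strip_comments(conf)
    if re.search(r"\boption\s*\{", text):
        findings.append("'option {' is not a valid statement; the keyword is 'options'")
    elif not re.search(r"\boptions\s*\{", text):
        findings.append("no options statement found")
    for name, opts in parse_zones(conf).items():
        ztype = opts.get("type")
        if name == "." and ztype != "hint":
            findings.append('zone "." should be type hint (root hints), not %s' % ztype)
        if re.search(r"\.IN\.ADDR\.ARPA$", name, re.I):
            findings.append("reverse zone %s: the domain is IN-ADDR.ARPA (hyphen)" % name)
        if ztype in ("master", "hint") and "file" not in opts:
            findings.append("zone %s: type %s requires a file statement" % (name, ztype))
    return findings


if __name__ == "__main__":
    for finding in check_named_conf(SAMPLE_CONF):
        print("WARNING:", finding)
```

Run against SAMPLE_CONF it reports exactly the two seeded problems; correcting the hyphen and changing the root zone to type hint leaves an empty finding list.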
file specifies the database file for that zone.
If you are moving your name server data and configuration files from earlier versions of BIND 4.x to this version, you must migrate your old configuration file format to the new file format. The configuration file in versions prior to BIND 8 was called named.boot. You can convert named.boot to named.conf by using the following command:
/etc/dns923> named-bootconf.sh < named.boot > named.
Following is a sample db.cache file for a master server:
; This file holds the information on root name servers
; needed to initialize cache of Internet domain name servers
; (for example, reference this file in the "cache."
; configuration file of BIND domain name servers).
; This file is made available by InterNIC registration
; services under anonymous FTP as
;     file /domain/named.root
;     on server FTP.RS.INTERNIC.
;
; formerly NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; formerly NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
;
; formerly NIC.NORDU.NET
;
.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
;
; temporarily housed at ISI (IANA)
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
;
; housed in Japan, operated by WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
The fields used in the db.
data  The data field for an NS record provides the fully qualified name of a name server. The data field for an A record specifies an Internet address of the name server.
The db.127.0.0 File
Each name server must have an /etc/dns-secure/db.127.0.0 file. Hosts running Berkeley networking use 127.0.0.1 as the address of the loopback interface. Because the network number 127.0.
The NS record designates a name server for the current origin (0.0.127.in-addr.arpa). PTR records usually associate an address in the in-addr.arpa domain with the canonical name of a host. The PTR record in the example db.127.0.0 file associates the name localhost with the address 1, that is, 1.0.0.127.in-addr.arpa. (The current origin 0.0.127.in-addr.arpa is appended to the 1 in the name field because it does not end with a dot.
Master Server db.domain Files
A master server has one /etc/dns-secure/db.domain file for each domain for which it is authoritative. This file must contain an A (address) record for every host in the zone.
Example B-3. Sample db.domain File
;
; db.div
;
$TTL 86400
@    IN    SOA    rabbit.div.inc.com. root.moon.div.inc.com. (
                  1           ; Serial
                  10800       ; Refresh every 3 hours
                  3600        ; Retry every hour
                  604800      ; Expires after a week
                  86400 )     ; Minimum ttl of 1 day
     IN    NS     rabbit.
The SOA record specifies the name of the host this data file was created on, an electronic mail address of the name server's technical contact, and the following values:
Serial indicates the version number of this file, incremented whenever the data is changed.
Refresh indicates (in seconds) how often a slave name server must try to update its data from a master server.
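Two points from the db.127.0.0 and db.domain discussions are worth checking mechanically rather than by eye: a name in a master file that does not end with a dot has the current origin appended to it (which is why rabbit.div.inc.com in an SOA needs its trailing dot), and the SOA timers decide how slaves track the master. The parser below is an added example, not the manual's or BIND's code. SAMPLE_ZONE is a constructed file modelled on Example B-3 with illustrative 192.0.2.1 addresses, and the timer rules in check_soa (retry shorter than refresh, expire longer than refresh plus retry) are this example's own sanity conditions, not values the manual prescribes.

```python
"""Minimal master-file parser with origin handling and SOA timer checks.
Added example; SAMPLE_ZONE is constructed and modelled on Example B-3."""

# Constructed zone data (not the manual's file); origin is div.inc.com.
SAMPLE_ZONE = """
; db.div
$TTL 86400
@   IN SOA rabbit.div.inc.com. root.moon.div.inc.com. (
        1        ; Serial
        10800    ; Refresh every 3 hours
        3600     ; Retry every hour
        604800   ; Expires after a week
        86400 )  ; Minimum ttl of 1 day
    IN NS  rabbit.div.inc.com.
rabbit    IN A   192.0.2.1
localhost IN A   127.0.0.1
"""

NAME_TYPES = ("NS", "SOA", "CNAME", "PTR", "MX")  # rdata fields that hold names


def qualify(name, origin):
    """Apply the origin rule: '@' is the origin itself, a name ending in a dot
    is already fully qualified, anything else gets the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." + origin


def parse_zone(text, origin):
    """Parse ; comments, $TTL, parenthesised multi-line records and owner
    inheritance (a record starting with whitespace reuses the last owner)."""
    if not origin.endswith("."):
        origin += "."
    joined, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:                              # record complete
            joined.append(" ".join(buf))
            buf = []
    records, default_ttl, last_owner = [], None, origin
    for line in joined:
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        fields = line.split()
        owner = last_owner if line[0].isspace() else qualify(fields.pop(0), origin)
        last_owner = owner
        ttl = default_ttl
        if fields and fields[0].isdigit():          # explicit per-record TTL
            ttl = int(fields.pop(0))
        if fields and fields[0].upper() == "IN":    # class is optional
            fields.pop(0)
        rtype = fields.pop(0).upper()
        rdata = [qualify(f, origin) if rtype in NAME_TYPES and not f.isdigit() else f
                 for f in fields]
        records.append({"owner": owner, "ttl": ttl, "type": rtype, "rdata": rdata})
    return records


def soa_timers(records):
    """Pull serial, refresh, retry, expire and minimum out of the SOA rdata."""
    soa = next(r for r in records if r["type"] == "SOA")
    serial, refresh, retry, expire, minimum = (int(x) for x in soa["rdata"][2:7])
    return {"serial": serial, "refresh": refresh, "retry": retry,
            "expire": expire, "minimum": minimum}


def check_soa(t):
    """Sanity conditions assumed by this example: a slave should retry more
    often than it refreshes, and must not expire the zone before at least one
    refresh plus one retry has had a chance to succeed."""
    problems = []
    if t["retry"] >= t["refresh"]:
        problems.append("retry should be shorter than refresh")
    if t["expire"] <= t["refresh"] + t["retry"]:
        problems.append("expire should exceed refresh + retry")
    if t["serial"] < 1:
        problems.append("serial should be a positive version number")
    return problems


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE, "div.inc.com")
    for r in recs:
        print(r)
    print(check_soa(soa_timers(recs)))
```

The NS record, which has no owner field of its own, is attributed to div.inc.com. because it inherits the preceding SOA's owner; rabbit becomes rabbit.div.inc.com. through qualify, while the already-dotted names in the SOA are left untouched.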
All other resource records must use the canonical name instead of the actual host name.
WKS  Well Known Service records. The WKS record describes the services provided by a particular protocol on a particular interface. The protocol is any entry in the /etc/protocols file. The list of services is as specified in the host's /etc/services file. You can specify only one WKS record for each protocol for each address.
MX  Mail Exchanger records.
Glossary Advanced Research Projects Agency (ARPA). An agency of the United States Department of Defense, ARPA underwrote the development of the Internet beginning in 1969. Known as ARPANET, it was designed so that, in case of war and the loss of any group of sites, remaining sites would still be able to communicate along alternate routes. No site would be critical to the operation of the network.
Internet protocol (IP). A data communications protocol that handles the routing of data through a network, which typically consists of many different subnetworks. IP is connectionless. It routes data from a source address to a destination address.
Internet protocol version 4 (IPv4). The most widely deployed version of the Internet protocol. IPv4 provides some basic traffic classification mechanisms with its IP Precedence/CBQ and Type of Service header fields.
Request for Comment (RFC). A formal document from the Internet Engineering Task Force (IETF) that is the result of committee drafting and subsequent review by interested parties. Some RFCs are informational in nature. Of those that are intended to become Internet standards, the final version of the RFC becomes the standard and no further comments or changes are permitted.
HP DNS Configuration and Management Manual—529432-003