Red Hat Linux DNS

Chapter 17. DNS Servers

DNS (Domain Name System) is a distributed database that associates host names with their respective IP addresses; a server that answers DNS queries is known as a nameserver. For users, this has the advantage that they can refer to machines on the network by names that are usually easier to remember than numerical network addresses. For system administrators, using a nameserver allows them to change the IP address of a host without affecting name-based queries, and to decide which machines handle those queries.

17.1. Introduction to DNS

DNS is usually implemented using one or more centralized servers that are authoritative for certain domains. When a client host requests information from a nameserver, it usually connects to port 53 (over UDP, falling back to TCP for answers that do not fit in a UDP message). The nameserver then attempts to resolve the requested name. If it is configured for recursion and has neither an authoritative answer nor the answer cached from an earlier query, it starts at the root nameservers, follows their referrals to determine which nameservers are authoritative for the name in question, and then queries those servers to obtain the requested record. A purely authoritative nameserver, with recursion disabled, does not perform lookups on behalf of clients.

17.1.1. Nameserver Zones

In a DNS server such as BIND (Berkeley Internet Name Domain), all information is stored in basic data elements called resource records (RR). Each resource record is owned by a domain name, usually the fully qualified domain name (FQDN) of a host, which is broken down into multiple labels organized into a tree-like hierarchy. This hierarchy consists of a main trunk (the root), primary branches, secondary branches, and so on.

Example 17.1. A simple resource record

bob.sales.example.com

Each level of the hierarchy is divided by a period (that is, . ). In Example 17.1, “A simple resource record”, com defines the top-level domain, example its subdomain, and sales the subdomain of example. In this case, bob identifies a resource record that is part of the sales.example.com domain. Each of the sections to the right of bob (that is, sales.example.com, example.com and com) names a domain and defines a specific namespace; the portion of that namespace for which one set of nameservers is authoritative is called a zone.

Zones are defined on authoritative nameservers through the use of zone files, which contain definitions of the resource records in each zone. Zone files are stored on primary nameservers (also called master nameservers), where changes are made to the files, and secondary nameservers (also called slave nameservers), which receive zone definitions from the primary nameservers. Both primary and secondary nameservers are authoritative for the zone and look the same to clients. Depending on the configuration, any nameserver can also serve as a primary or secondary server for multiple zones at the same time.


17.1.2. Nameserver Types

Authoritative nameservers answer only queries for resource records that are part of their zones. This category includes both primary (master) and secondary (slave) nameservers.

Recursive nameservers offer resolution services to clients, but they are not authoritative for any zone. Answers are cached in memory for a limited period of time, the time to live (TTL) carried by each retrieved resource record.

Although a nameserver can be both authoritative and recursive at the same time, it is recommended not to combine the two roles. Authoritative servers must be reachable by all clients all the time in order to do their job. Recursive servers, on the other hand, should serve only a restricted set of clients (in BIND, via the allow-recursion option in named.conf): a recursive lookup costs far more than an authoritative response, so an open resolver is easily overloaded, and it can also be abused as a reflector in distributed denial of service (DDoS) attacks against third parties.

17.1.3. BIND as a Nameserver

BIND consists of a set of DNS-related programs. It contains a nameserver called named , an administration utility called rndc , and a debugging tool called dig . See Chapter 12, Services and Daemons for more information on how to run a service in Red Hat Enterprise Linux.


Chapter 15. DNS Servers

DNS (Domain Name System) is a distributed database system that is used to associate host names with their respective IP addresses. For users, this has the advantage that they can refer to machines on the network by names that are usually easier to remember than numerical network addresses. For system administrators, using a DNS server, also known as a name server, enables changing the IP address for a host without affecting name-based queries. DNS databases are not used only for resolving domain names to IP addresses; their use is becoming broader as DNSSEC is deployed.


15.1. Introduction to DNS

DNS is usually implemented using one or more centralized servers that are authoritative for certain domains. When a client host requests information from a name server, it usually connects to port 53 (over UDP, falling back to TCP for answers that do not fit in a UDP message). The name server then attempts to resolve the requested name. If the name server is configured as a recursive name server and has neither an authoritative answer nor the answer cached from an earlier query, it starts at the root name servers, follows their referrals to determine which name servers are authoritative for the name in question, and then queries those servers to obtain the requested record. Name servers configured as purely authoritative, with recursion disabled, do not perform lookups on behalf of clients.

15.1.1. Name server Zones

In a DNS server, all information is stored in basic data elements called resource records ( RR ). Resource records are defined in RFC 1034. Domain names are organized into a tree structure, and each level of the hierarchy is divided by a period ( . ). For example, the root domain, denoted by . , is the root of the DNS tree and sits at level zero. The domain name com , referred to as a top-level domain ( TLD ), is a child of the root domain ( . ) and so is at the first level of the hierarchy. The domain name example.com is at the second level of the hierarchy.

Example 15.1. A Simple Resource Record

example.com. 86400 IN A 192.0.2.1

The domain name example.com is the owner of the RR. The value 86400 is the time to live ( TTL ), in seconds. The letters IN , meaning “the Internet system”, indicate the class of the RR. The letter A indicates the type of RR (in this example, a host address). The host address 192.0.2.1 is the data contained in the final section of this RR. This one-line example is an RR. A set of RRs with the same owner, class and type is called a resource record set ( RRSet ).


Zones are defined on authoritative name servers through the use of zone files, which contain definitions of the resource records in each zone. Zone files are stored on primary name servers (also called master name servers), where changes are made to the files, and secondary name servers (also called slave name servers), which receive zone definitions from the primary name servers. Both primary and secondary name servers are authoritative for the zone and look the same to clients. Depending on the configuration, any name server can also serve as a primary or secondary server for multiple zones at the same time.
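The following is an added example, not code from the Red Hat documentation or from BIND. It reads zone-file lines in the owner/TTL/class/type/rdata form of Example 15.1 (including the $ORIGIN and $TTL directives and the blank-owner shorthand of RFC 1035), groups the records into RRSets as defined above, and, for the hierarchy discussed in Example 17.1, finds the zone that holds a given owner name by longest matching suffix. The zone text and addresses are constructed for illustration (RFC 5737 documentation addresses), and the record-parsing details such as TTL shorthand like 1h are deliberately left out.

```python
"""Parse zone-file resource records, build RRSets and map names to zones.

Added example: the zone text below is constructed for illustration and is
not a real zone; rdata fields are kept as opaque text (names inside rdata
are not normalised).
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Sequence, Tuple

CLASSES = {"IN", "CH", "HS"}


class RR(NamedTuple):
    owner: str    # absolute, lowercase owner name with trailing dot
    ttl: int      # time to live in seconds
    rclass: str   # IN for the Internet system
    rtype: str    # A, NS, SOA, ...
    rdata: str    # type-specific data, left as text


def normalise_name(name: str, origin: str = ".") -> str:
    """Return an absolute lowercase name; relative names get the origin appended."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def labels(name: str) -> List[str]:
    """Split an absolute name into labels; the root "." has no labels."""
    return [lab for lab in name.rstrip(".").split(".") if lab]


def parse_zone(text: str, origin: str = ".") -> List[RR]:
    """Parse master-file lines: comments (;), $TTL, $ORIGIN, optional TTL/class,
    and a blank owner field meaning "same owner as the previous record"."""
    records: List[RR] = []
    default_ttl, last_owner = 3600, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if line.startswith("$ORIGIN"):
            origin = normalise_name(line.split()[1], origin)
            continue
        tokens = line.split()
        if line[0].isspace():
            if last_owner is None:
                raise ValueError(f"record without owner: {raw!r}")
            owner = last_owner
        else:
            owner = normalise_name(tokens.pop(0), origin)
        ttl, rclass = default_ttl, "IN"
        # TTL and class are optional and may appear in either order (RFC 1035 s5.1)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tok = tokens.pop(0)
            if tok.isdigit():
                ttl = int(tok)
            else:
                rclass = tok.upper()
        if not tokens:
            raise ValueError(f"record without type: {raw!r}")
        rtype = tokens.pop(0).upper()
        records.append(RR(owner, ttl, rclass, rtype, " ".join(tokens)))
        last_owner = owner
    return records


def rrsets(records: Sequence[RR]) -> Dict[Tuple[str, str, str], List[RR]]:
    """Group records into RRSets keyed by (owner, class, type)."""
    groups: Dict[Tuple[str, str, str], List[RR]] = defaultdict(list)
    for rr in records:
        groups[(rr.owner, rr.rclass, rr.rtype)].append(rr)
    return dict(groups)


def zone_for(name: str, zone_apexes: Sequence[str]) -> Optional[str]:
    """Return the deepest zone apex that is a label-boundary suffix of name."""
    name_labels = labels(normalise_name(name))
    best: Optional[str] = None
    for apex in zone_apexes:
        apex_labels = labels(normalise_name(apex))
        n = len(apex_labels)
        if n <= len(name_labels) and name_labels[len(name_labels) - n:] == apex_labels:
            if best is None or n > len(labels(best)):
                best = normalise_name(apex)
    return best


# Constructed sample zone (not a real zone); the A record for example.com.
# is the one-line record of Example 15.1.
ZONE_TEXT = """
$ORIGIN example.com.
$TTL 86400
@        IN SOA  ns1 hostmaster 2024010101 7200 3600 1209600 3600
         IN NS   ns1
         IN NS   ns2
example.com. 86400 IN A 192.0.2.1   ; Example 15.1
ns1      IN A    192.0.2.53
ns2      IN A    192.0.2.54
www      300 IN A 192.0.2.10
www      300 IN A 192.0.2.11        ; same owner, class and type: one RRSet
"""

if __name__ == "__main__":
    for key, rrs in rrsets(parse_zone(ZONE_TEXT)).items():
        print(key, [rr.rdata for rr in rrs])
    print(zone_for("bob.sales.example.com.", ["com.", "example.com.", "sales.example.com."]))
```

Two records that differ only in rdata (the two www A records) land in one RRSet; that is the unit DNSSEC signs, which is why a resolver must treat an RRSet as a whole rather than one record at a time. zone_for returns the deepest matching apex, so a name under sales.example.com is attributed to that zone rather than to its parent example.com when both are known.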

Note that administrators of DNS and DHCP servers, as well as any provisioning applications, should agree on the host name format used in an organization. See Section 6.1.1, “Recommended Naming Practices” for more information on the format of host names.

15.1.2. Name server Types

Authoritative name servers answer only queries for resource records that are part of their zones. This category includes both primary (master) and secondary (slave) name servers.

Recursive name servers offer resolution services to clients, but they are not authoritative for any zone. Answers are cached in memory for a limited period of time, the time to live (TTL) carried by each retrieved resource record.

Although a name server can be both authoritative and recursive at the same time, it is recommended not to combine the two roles. Authoritative servers must be reachable by all clients all the time in order to do their job. Recursive servers, on the other hand, should serve only a restricted set of clients (in BIND, via the allow-recursion option in named.conf): a recursive lookup costs far more than an authoritative response, so an open resolver is easily overloaded, and it can also be abused as a reflector in distributed denial of service (DDoS) attacks against third parties.
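The following is an added example, not code from the Red Hat documentation or from BIND. It shows what actually crosses port 53, as described in the introductions to both chapters, and how the two server types of this section look on the wire: it builds a query message (header plus question), parses a response including compressed names, and classifies the answering server from the AA (authoritative answer) and RA (recursion available) header flags. The responses are constructed in the block itself rather than captured from a server, so it runs offline; a real client would additionally send the query over UDP and check that the reply's transaction ID matches, which classify() does as well.

```python
"""DNS wire format: build a query, parse a response, classify the server.

Added example: the responses are constructed locally (no network), using
the example.com. A record from Example 15.1 as the answer.
"""
import struct
from typing import Any, Dict, Tuple

QTYPE_A = 1
CLASS_IN = 1
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Wire-encode a name as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = QTYPE_A,
                recursion_desired: bool = True) -> bytes:
    """Header (12 bytes) followed by one question; RD asks for recursion."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at offset, following compression pointers (RFC 1035 s4.1.4).
    Returns the name and the offset just past it in the original stream."""
    parts, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # two-octet pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            hops += 1
            if hops > 32:                               # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        parts.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(parts) + ".", end


def parse_response(msg: bytes) -> Dict[str, Any]:
    """Parse the header flags, skip the question section and read the answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info: Dict[str, Any] = {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "authoritative": bool(flags & FLAG_AA),
        "truncated": bool(flags & FLAG_TC),
        "recursion_desired": bool(flags & FLAG_RD),
        "recursion_available": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "answers": [],
    }
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
        info["answers"].append((name, rtype, ttl, value))
    return info


def classify(query: bytes, response: Dict[str, Any]) -> str:
    """authoritative / recursive / no-recursion, after checking the ID matches."""
    if response["id"] != struct.unpack("!H", query[:2])[0]:
        return "id-mismatch"          # stale or spoofed reply: must be discarded
    if not response["is_response"]:
        return "not-a-response"
    if response["authoritative"]:
        return "authoritative"        # AA set: the server owns the zone
    if response["recursion_available"]:
        return "recursive"            # RA set: a resolver answered on our behalf
    return "no-recursion"             # neither: authoritative-only server, name outside its zones


def fake_answer(query: bytes, authoritative: bool) -> bytes:
    """Construct the reply for the Example 15.1 record; AA or RA set per server type."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | (FLAG_AA if authoritative else FLAG_RA)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 86400, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + query[12:] + answer


if __name__ == "__main__":
    q = build_query(0x1234, "example.com.")
    for auth in (True, False):
        r = parse_response(fake_answer(q, auth))
        print(classify(q, r), r["answers"])
```

The pointer 0xC00C in fake_answer refers back to the question name at offset 12, which is how real servers keep responses compact; the hop limit in decode_name is the kind of check a parser needs before it is exposed to untrusted input. A mismatched transaction ID is rejected before the flags are even consulted, since a reply that does not match the outstanding query is either stale or an attempt to inject an answer.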

15.1.3. BIND as a Name server

BIND consists of a set of DNS-related programs. It contains a name server called named , an administration utility called rndc , and a debugging tool called dig . See Red Hat Enterprise Linux System Administrator’s Guide for more information on how to run a service in Red Hat Enterprise Linux.
