
developerWorks, 01.12.2005

LPI exam 202 prep, Topic 207: Domain Name System (DNS)
Intermediate Linux administration (LPIC-2)

About this tutorial
DNS (Domain Name System) maps hostnames to IP addresses, and back, on every TCP/IP network, the Internet included. Berkeley Internet Name Domain (BIND) is the most widely used DNS implementation. Its server daemon, named, answers queries for the zones it is authoritative for and resolves other names on behalf of its clients, caching what it learns. On the client side the DNS resolver, library code built into every networked program, decides which DNS server to ask. BIND also ships a set of utilities; in BIND 9 they are dig, nslookup, host and rndc (which replaces ndc). This tutorial covers resolver configuration, the query tools, the configuration of named as a master, slave or caching-only server, and the basics of securing a DNS server.
About BIND versions
This tutorial is based on BIND 9.3.1. BIND 9 was first released in 2000. BIND 8 still receives security patches (the current release is 8.4.6), but it is no longer being developed, and for every new installation BIND 9 is the version to use. BIND 4 is obsolete; if you still have a BIND 4 server in service, replace it. BIND is maintained by the Internet Systems Consortium (ISC; see Resources), which publishes source, binaries and documentation for every supported version.
BIND 8
BIND 8 is mentioned here only because the LPI exam 202 objectives still refer to it; for the specifics of configuring BIND 8, consult ISC's documentation for that version.

Prerequisites
To get the most from this tutorial you should be comfortable administering a Linux system and reading man pages, which remain the definitive reference for every tool discussed here. The DNS HOWTO from the Linux Documentation Project (see Resources) is a good introduction to the subject. For general networking background, O'Reilly's TCP/IP Network Administration (see Resources) is recommended. For DNS and BIND in depth, the standard reference is DNS and BIND, Fourth Edition, also from O'Reilly (see Resources): at 622 pages it goes far beyond what the exam requires, but it is the book to turn to when you need the full details of BIND's behaviour.


Understanding DNS
DNS is a hierarchical, distributed database. Authority is delegated downwards: the servers for a zone are authoritative for the names in it and can delegate subzones to other servers (an organisation controls the names under its own domain and may hand departmental subdomains to other administrators). named can be authoritative for some zones, hold slave copies of others and merely cache answers for the rest, as the following sections describe. At the top of the hierarchy are the root servers, which delegate each top-level domain (TLD). The Wikipedia article on DNS (see Resources) explains the hierarchy in detail and includes a diagram (see Figure 1) that follows the lookup of www.wikipedia.org from the root down to its IP address. In practice a client does not walk the hierarchy itself: it asks a nearby DNS server, usually one on the local LAN or at the ISP, and that server, typically BIND's named, performs the recursion, caches the result and returns the answer. The usual chain looks like this:
Figure 1. DNS resolution (the "DNS Recurser" in the figure is the recursive DNS server, named for example, that performs the lookup on the client's behalf and caches the answer)
DNS uses both TCP and UDP on port 53. Queries normally go over UDP, because a query and its answer each fit in a single datagram; TCP is used for zone transfers and for answers too large for a UDP message.
The DNS resolver
A host must know which DNS server (or servers) to send its queries to. On Linux that is configured in /etc/resolv.conf (note the spelling: resolv, without an e), which lists the "known" DNS servers. The file can be edited by hand, but on hosts that get their network settings from DHCP it is rewritten by the DHCP client during the DHCP handshake, so hand edits are lost at the next lease renewal unless the DHCP client is told to leave the file alone. Strictly speaking, /etc/resolv.conf configures the "DNS resolver": the library code that every program uses to turn a name into an address. It tells the resolver which servers to ask, in which order, and how to complete names that are not fully qualified. The file is short and its syntax simple. A nameserver <IP-addr> line names a DNS server to query; several may be listed, and they are tried in order. The domain and search lines control how unqualified names are completed (search takes a list of domains to try in turn). The options line tunes the resolver itself, for example its timeout and retry behaviour. A typical file looks like this:
Listing 1. A DNS resolver configuration
# cat /etc/resolv.conf
search gnosis.lan
nameserver 0.0.0.0
nameserver 192.168.2.1
nameserver 151.203.0.84
options timeout:3

The search line says that unqualified names are completed with gnosis.lan, so the name bacchus is looked up as bacchus.gnosis.lan. More than one domain may be listed on the search line, and they are tried in the order given. The nameserver lines list DNS servers in the order they are tried. The first, 0.0.0.0, is a way of saying "this machine": the host runs its own DNS server, and 0.0.0.0, like the loopback address 127.0.0.1, reaches it. The other nameserver lines are fallbacks, used only when the earlier servers do not answer (on a DHCP-configured host they would typically be the servers handed out by the DHCP server). A query to a server that does not answer is retried after a timeout; the options line shortens that timeout from the default 5 seconds to 3, so a dead first server delays lookups less. Because the DHCP client can rewrite this file, whoever controls DHCP on the network also controls where the host's lookups go.
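The resolver rules described above, as an added example (this is not code from the original tutorial, nor glibc's resolver): it parses the file from Listing 1 and shows, for a given name, the fully qualified names the resolver tries and in which order. The ndots rule (names with fewer dots than ndots, default 1, go through the search list first) is assumed from the glibc behaviour the tutorial's example relies on; LISTING_1 is a constructed copy of Listing 1.

```python
"""Parse /etc/resolv.conf and show how the resolver completes names.

Added example, not code from the original tutorial or from glibc. It
reproduces the glibc resolver rules for the directives in Listing 1:
at most three nameserver lines are used, in file order; a name with
fewer than `ndots` dots (default 1) is tried in each search domain
before being tried as given; options timeout:N replaces the default
5-second timeout.
"""
from dataclasses import dataclass, field

MAXNS = 3               # glibc honours at most three nameserver lines
DEFAULT_TIMEOUT = 5
DEFAULT_NDOTS = 1


@dataclass
class ResolvConf:
    nameservers: list = field(default_factory=list)
    search: list = field(default_factory=list)
    timeout: int = DEFAULT_TIMEOUT
    ndots: int = DEFAULT_NDOTS


def parse_resolv_conf(text):
    conf = ResolvConf()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comment lines
            continue
        keyword, *args = line.split()
        if keyword == "nameserver" and args and len(conf.nameservers) < MAXNS:
            conf.nameservers.append(args[0])
        elif keyword in ("search", "domain"):
            conf.search = args                   # the last such line wins
        elif keyword == "options":
            for opt in args:
                name, _, value = opt.partition(":")
                if name == "timeout" and value.isdigit():
                    conf.timeout = int(value)
                elif name == "ndots" and value.isdigit():
                    conf.ndots = int(value)
    return conf


def candidate_names(conf, name):
    """Fully qualified names the resolver will try for `name`, in order."""
    if name.endswith("."):
        return [name]                            # absolute: tried as-is only
    as_given = name + "."
    via_search = [f"{name}.{domain}." for domain in conf.search]
    if name.count(".") >= conf.ndots:
        return [as_given] + via_search           # enough dots: literal first
    return via_search + [as_given]               # otherwise search list first


# Constructed input: the file shown in Listing 1.
LISTING_1 = """\
search gnosis.lan
nameserver 0.0.0.0
nameserver 192.168.2.1
nameserver 151.203.0.84
options timeout:3
"""

if __name__ == "__main__":
    conf = parse_resolv_conf(LISTING_1)
    print("servers, in the order tried:", conf.nameservers)
    print("timeout per server:", conf.timeout, "s")
    for n in ("bacchus", "www.wikipedia.org", "www.wikipedia.org."):
        print(f"{n:20} -> {candidate_names(conf, n)}")
```

The order matters for security as well as convenience: a name without a trailing dot is first sent through the search domain, so a wrong search line, or an attacker who can answer for gnosis.lan, can redirect an unqualified name. In scripts and configuration files, write names fully qualified and with the trailing dot.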
Querying DNS
BIND 9 ships three query utilities, dig, nslookup and host. They differ in how much detail they show and in their options, but all three do the same thing: send a query to a DNS server (by default the first server in /etc/resolv.conf), wait for the answer and print it on STDOUT. dig is the most detailed and the one to reach for when debugging, since it shows the whole message: flags, every section and timing. By default all three ask for the IP address of a hostname, the "A" record; other record types can be requested, for example host -t MX gnosis.cx returns the mail exchangers of gnosis.cx. Some examples:

Listing 2. host google.com
$ host google.com
google.com has address 72.14.207.99
google.com has address 64.233.187.99

Listing 3. host: the MX records of gnosis.cx
$ host -t MX gnosis.cx
gnosis.cx mail is handled by 10 mail.gnosis.cx.
nslookup also names the server that answered:

Listing 4. nslookup, using the default server from /etc/resolv.conf
$ nslookup gnosis.cx
Server:         0.0.0.0
Address:        0.0.0.0#53

Non-authoritative answer:
Name:   gnosis.cx
Address: 64.41.64.172

"Non-authoritative answer" means the server replied from its cache rather than from zone data it is itself authoritative for.

dig shows the complete exchange. Here it is told which server to ask (@192.168.2.2) and asked for a reverse lookup (-x), the name belonging to an IP address:

Listing 5. dig reverse lookup against a specified server
$ dig @192.168.2.2 -x 64.233.187.99

; <<>> DiG 9.2.4 <<>> @192.168.2.2 -x 64.233.187.99
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3950
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;99.187.233.64.in-addr.arpa.    IN      PTR

;; AUTHORITY SECTION:
187.233.64.in-addr.arpa. 2613   IN      SOA     ns1.google.com. dns-admin.google.com. 2004041601 21600 3600 1038800 86400

;; Query time: 1 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Thu Nov 10 02:00:27 2005
;; MSG SIZE  rcvd: 104

dig turned the address into the name 99.187.233.64.in-addr.arpa and asked for its PTR record. The status NXDOMAIN says that no such name exists: this address has no reverse mapping. Instead of an answer the server returned, in the AUTHORITY section, the SOA record of the zone that would contain it, 187.233.64.in-addr.arpa, which lets the resolver cache the negative answer for the time the SOA specifies. The flags show that recursion was requested (rd) and is available (ra); the footer gives the server used and the response time. Note that reverse mappings are controlled by whoever administers the address block, not by the owner of the forward name, so a PTR record by itself proves nothing about a host.
The remaining BIND 9 tool, rndc, is not a query tool but the remote name daemon controller; it replaces ndc from earlier BIND versions. rndc sends commands to a running named, locally or across the network: reload the configuration or a zone, flush the cache, dump statistics, stop the server, and so on. Because those commands control the server, rndc authenticates them with a shared secret key that must be configured both for rndc and in named.conf; named rejects control connections that are not authenticated. See man rndc for the command set and the key configuration.

Configuring BIND
Configuring named
named can play three roles: master, slave and caching-only. The roles are per zone, so one named can be master for some zones, slave for others and only a cache for everything else. All of this is configured in one file, /etc/bind/named.conf on Debian-style systems (the location varies by distribution), described in the next section.
A master server holds the authoritative data for a zone in files that the administrator maintains. It is the source of truth for the zone: changes are made on the master and propagate to the slaves. Every zone visible on the public DNS needs at least one master.
A slave server is also authoritative for the zone, but it obtains the zone data by transferring it from a master rather than from a locally edited file, and refreshes it at the interval the zone's SOA record specifies. Slaves provide redundancy and spread the load: if the master is unreachable, the slaves keep answering from their copies until the zone expires.
A caching-only server is authoritative for nothing. It resolves queries on behalf of its clients by querying other servers, recursively if necessary, and caches the answers so that repeated lookups are answered locally. This is the kind of server most LAN hosts point their resolvers at, and it is the simplest to set up. A caching server should recurse only for its own clients; restrict that with the allow-recursion option in named.conf, otherwise anyone on the Internet can use it as an open resolver.
In the /etc/resolv.conf of Listing 1, 0.0.0.0 (the local machine) is a caching-only server, 192.168.2.1 is a slave and 151.203.0.84 is a master. From the resolver's point of view the roles do not matter: every one of them answers queries for any name, though an answer from a caching-only server or a slave may be older than the master's current data.
named.conf
All named configuration lives in /etc/bind/named.conf (or wherever your distribution puts it). It consists of statements. The options statement sets global parameters for the server. Each zone statement declares one zone the server handles and how: from a local file as master, by transfer from listed masters as slave, or as hints for the root servers. Forward zones (name to IP) and reverse zones (IP to name, named under in-addr.arpa) are separate zones and are declared separately; a server that is master for a domain is usually master for the matching reverse zone as well.
The syntax of named.conf (in current BIND versions) resembles C: every statement ends with a semicolon and sub-statements are grouped in braces. C-style (/* comment */), C++-style (// comment) and shell-style (# comment) comments are all accepted. Most distributions split the configuration over several files pulled in with include statements; Debian's /etc/bind/named.conf, for instance, contains:

Listing 6. An include statement in named.conf
include "/etc/bind/named.conf.options";

A typical options statement:

Listing 7. The options statement in named.conf
options {
directory "/var/bind";
forwarders { 192.168.2.1; 192.168.3.1; };
// forward only;
};

directory is named's working directory; zone file names given without a leading slash are relative to it. forwarders lists servers that named sends queries to before trying to resolve them itself: here it first asks 192.168.2.1 and 192.168.3.1. By default (forward first) named falls back to resolving the query on its own if the forwarders do not answer; with forward only (commented out here) it never does and depends entirely on the forwarders. Note that every element of a list, including the last, must be followed by a semicolon, and that the options block itself ends with "};"; named refuses to start on a file that gets either wrong.
The zone statements follow. The first is normally the hint zone, which tells named where the root servers are:

Listing 8. The root hint zone
zone "." {
type hint;
file "/etc/bind/db.root";
};

db.root (also distributed as named.ca; the "ca" comes from the cache directive of old BIND 4 boot files, not from "certifying authority") lists the names and addresses of the root nameservers. named needs them to start any recursive lookup it cannot answer from cache: it asks a root server for the servers of the TLD, those for the servers of the domain, and so on down. The root server list changes rarely, but the file should be refreshed occasionally; the authoritative copy is published by InterNIC at ftp.rs.internic.net (see Resources), and your distribution ships one as well.
Master and slave zones are declared the same way, with type master or type slave. Every server should be master for the reverse zone of the loopback network, so that lookups of 127.0.0.1 are answered locally:

Listing 9. The loopback reverse zone
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};

For the zones it is master for, named declares the forward zone and the matching reverse zone (the reverse zone's name is the network part of the address written backwards, followed by in-addr.arpa):

Listing 10. Master zones for example.com and its address block
zone "example.com" {
type master;
file "example.com.hosts"; // file relative to /var/bind
};
// Reverse lookup for 64.41.* IP addresses (backward IP address)
zone "41.64.in-addr.arpa" {
type master;
file "41.64.rev";
};

A slave for the same zones declares them with type slave and names the master (or masters) to transfer them from:

Listing 11. Slave zones for example.com and its address block
zone "example.com" {
type slave;
file "example.com.hosts"; // file relative to /var/bind
masters { 192.168.2.1; };
};
// Reverse lookup for 64.41.* IP addresses (backward IP address)
zone "41.64.in-addr.arpa" {
type slave;
file "41.64.rev";
masters { 192.168.2.1; };
};

A slave obtains the zone by a zone transfer (AXFR), which hands over every record in the zone. The master should therefore restrict, with the allow-transfer option in the zone or options statement, which addresses may transfer each zone; otherwise anyone can download the whole zone, which amounts to a map of your network. Transfers between master and slave can additionally be authenticated with TSIG keys, described under DNSSEC below.
Zone files
Each zone statement's file clause names the file holding the zone's resource records. Forward and reverse zones use the same format, defined in RFC 1033 (Domain Administrators Operations Guide; see Resources). The record types you will meet most often:
SOA
Start of authority. Begins every zone; carries the primary server, the administrator's mailbox, and the serial number and timers that slaves use to decide when to refresh the zone.
NS
Nameserver. Names a server that is authoritative for the zone.
A
Address. Maps a hostname to an IPv4 address.
PTR
Pointer. Maps an address, written in reverse, back to a hostname.
MX
Mail exchange. Names a mail server for the domain, with a preference value.
CNAME
Canonical name. Makes the name an alias for another hostname.
TXT
Text. Attaches free-form text to a name.
Every record has the form <name> <time-to-live> IN <type> <data>. The time-to-live says how long, in seconds, other servers may cache the record; IN is the class, Internet, the only one in practical use. Fields left out are inherited: a record that starts with whitespace belongs to the previous record's name, and the TTL is usually set once for the whole file with the $TTL directive rather than per record. The name @ stands for the zone's origin, the name given in the zone statement, and names without a trailing dot are relative to that origin. Here is the reverse zone file for the 127.* loopback addresses, as shipped on Debian:
Listing 12. The loopback reverse zone file
# cat /etc/bind/db.127
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
1.0.0   IN      PTR     localhost.

The origin is 127.in-addr.arpa (from Listing 9), so the relative name 1.0.0 is 1.0.0.127.in-addr.arpa, the reverse form of 127.0.0.1.
Three more directives appear in zone files: $ORIGIN changes the origin used to complete relative names (by default it is the zone name); $INCLUDE pulls another file into the zone; and $GENERATE creates a series of similar records from a numeric range, typically PTR records for a whole block of addresses.

Reverse zone files
A reverse zone file (conventionally named with a .rev suffix) maps IP addresses to hostnames with PTR records. A reverse zone for the 64.41.* addresses, /var/bind/41.64.rev from Listing 10, might look like this:
Listing 13. Reverse zone file for 64.41.*
$TTL 86400
; IP address to hostname
@       IN      SOA     example.com. mail.example.com. (
                        2001061401      ; Serial
                        21600           ; Refresh
                        1800            ; Retry
                        604800          ; Expire
                        900 )           ; Negative cache TTL
        IN      NS      ns1.example.com.
        IN      NS      ns2.example.com.
; Define names for 64.41.2.1, 64.41.2.2, etc.
1.2     IN      PTR     foo.example.com.
2.2     IN      PTR     bar.example.com.
3.2     IN      PTR     baz.example.com.

The two names in the SOA are the primary master (written here as the domain itself; it is normally the master's hostname, such as ns1.example.com.) and the administrator's mailbox with the @ replaced by a dot, so mail.example.com. means mail@example.com. The serial number is conventionally a date plus a two-digit counter (2001-06-14, revision 01); it must increase with every change, because slaves compare serials to decide whether to transfer the zone. The numbers that follow are the refresh, retry and expire intervals for slaves and the negative-caching TTL, all in seconds. The NS records carry no name and so belong to the origin. The PTR names are relative to the origin 41.64.in-addr.arpa, so 1.2 is 64.41.2.1.

Forward zone files
A forward zone file (conventionally named domain.hosts) maps hostnames to IP addresses, chiefly with A records. The forward zone for example.com, /var/bind/example.com.hosts from Listing 10, might look like this:

Listing 14. Forward zone file for example.com
$TTL 86400
; Hostname to IP address
@         IN      SOA     example.com. mail.example.com. (
                          2001061401      ; Serial
                          21600           ; Refresh
                          1800            ; Retry
                          604800          ; Expire
                          900 )           ; Negative cache TTL

          IN      NS      ns1.example.com.
          IN      NS      ns2.example.com.
localhost IN      A       127.0.0.1
foo       IN      A       64.41.2.1
www       IN      CNAME   foo.example.com.   ; trailing dot: an absolute name
bar       IN      A       64.41.2.2
bar       IN      A       64.41.2.3

The CNAME makes www an alias for foo; its target must end with a dot, because a name without one is relative to the origin and would be read as foo.example.com.example.com. Two A records for bar give it two addresses, returned in rotation. Note that Listing 13 maps 64.41.2.3 back to baz, not bar: forward and reverse data are maintained in separate files and drift apart easily, so check them against each other whenever either changes.
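A zone-file parser and the forward/reverse consistency check suggested above, as an added example (not code from the original tutorial and not BIND's own parser, which is far more complete). It handles the master-file features used in Listings 12 to 14 and then cross-checks the A records of the forward zone against the PTR records of the reverse zone; the two zone texts are constructed copies of Listings 13 and 14, so the check reports the bar/baz disagreement between them.

```python
"""Parse BIND zone files and cross-check a forward zone against its reverse zone.
Added example, not code from the original tutorial or from BIND. It handles the
master-file syntax of Listings 12 to 14 ($TTL, $ORIGIN, the @ shorthand, owners
inherited when a line starts with whitespace, relative names completed with the
origin, ( ... ) continuations, ; comments); the zone texts are constructed copies
of Listings 13 and 14."""
from collections import namedtuple

Record = namedtuple("Record", "owner ttl rclass rtype rdata")
RR_TYPES = {"SOA", "NS", "A", "AAAA", "PTR", "MX", "CNAME", "TXT"}
# rdata fields that are domain names and so get completed with the origin
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "SOA": (0, 1), "MX": (1,)}

def _logical_lines(text):
    """Yield (line, owner_omitted), joining ( ... ) continuation lines."""
    buf, depth, starts_blank = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]                      # strip comment
        if not buf:
            starts_blank = raw[:1] in (" ", "\t")
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            joined, buf, depth = " ".join(buf).strip(), [], 0
            if joined:
                yield joined, starts_blank

def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin, default_ttl=None):
    """Return the zone's records with absolute owner and rdata names."""
    origin = origin if origin.endswith(".") else origin + "."
    records, last_owner = [], origin
    for line, owner_omitted in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = _fqdn(tokens[1], origin)
            continue
        if owner_omitted:
            owner = last_owner
        else:
            owner = last_owner = _fqdn(tokens.pop(0), origin)
        ttl = default_ttl
        while tokens[0].upper() not in RR_TYPES:         # optional TTL and class
            tok = tokens.pop(0)
            if tok.isdigit():
                ttl = int(tok)
            elif tok.upper() != "IN":
                raise ValueError(f"unexpected field {tok!r} in {line!r}")
        rtype = tokens.pop(0).upper()
        rdata = tuple(_fqdn(t, origin) if i in NAME_FIELDS.get(rtype, ()) else t
                      for i, t in enumerate(tokens))
        records.append(Record(owner, ttl, "IN", rtype, rdata))
    return records

def check_forward_reverse(forward, reverse):
    """Return (A addresses with no PTR, PTRs whose target has no A for that IP)."""
    a_by_ip = {}
    for r in forward:
        if r.rtype == "A" and not r.rdata[0].startswith("127."):
            a_by_ip.setdefault(r.rdata[0], set()).add(r.owner)
    ptr_by_ip = {}
    for r in reverse:
        if r.rtype == "PTR":                             # 3.2.41.64.in-addr.arpa. -> 64.41.2.3
            labels = r.owner[:-len(".in-addr.arpa.")].split(".")
            ptr_by_ip[".".join(reversed(labels))] = r.rdata[0]
    no_ptr = sorted(ip for ip in a_by_ip if ip not in ptr_by_ip)
    mismatch = sorted(f"{ip} -> {host}" for ip, host in ptr_by_ip.items()
                      if host not in a_by_ip.get(ip, ()))
    return no_ptr, mismatch

REVERSE_ZONE = """\
$TTL 86400
@   IN  SOA example.com. mail.example.com. (
        2001061401 ; Serial
        21600 1800 604800 900 )  ; Refresh Retry Expire Negative-cache TTL
    IN  NS  ns1.example.com.
1.2 IN  PTR foo.example.com.
2.2 IN  PTR bar.example.com.
3.2 IN  PTR baz.example.com.
"""
FORWARD_ZONE = """\
$TTL 86400
@         IN SOA   example.com. mail.example.com. ( 2001061401 21600 1800 604800 900 )
          IN NS    ns1.example.com.
localhost IN A     127.0.0.1
foo       IN A     64.41.2.1
www       IN CNAME foo.example.com.
bar       IN A     64.41.2.2
bar       IN A     64.41.2.3
"""

if __name__ == "__main__":
    print(check_forward_reverse(parse_zone(FORWARD_ZONE, "example.com"),
                                parse_zone(REVERSE_ZONE, "41.64.in-addr.arpa")))
```

Run on the two constructed zones it reports no address lacking a PTR, but one PTR, 64.41.2.3 -> baz.example.com., whose target has no A record for that address. The same parser shows the trailing-dot mistake directly: a CNAME target written as foo.example.com without the dot comes out as foo.example.com.example.com.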

DNS security
Two aspects of DNS security are covered here: running BIND in a chroot jail, and the DNS security extensions.
Running BIND in a chroot jail
named is a network-facing daemon and an attractive target: any bug in it can be attacked from anywhere on the Internet. Running it in a chroot jail limits what a compromised named can reach, since it then sees only its own directory tree rather than the whole filesystem. The Chroot-BIND HOWTO (see Resources) walks through the setup. Equally important is not running BIND as root: a compromise of a root process is a compromise of the whole machine. The HOWTO uses the unprivileged account "nobody"; a dedicated account, conventionally called "named", is better, because nobody is shared with other daemons and a break-in through one would then reach the others. The jail is usually built under a directory such as /chroot/named/ and contains only what named needs: its configuration, zone files, a few device nodes and the shared libraries it links against. BIND 9 supports chrooting and dropping privileges directly (the -t and -u switches of named), so the jail is simpler to set up than with BIND 8, for which the HOWTO additionally describes editing the Makefile.
DNSSEC
The chroot jail protects the server host. It does nothing for the DNS data itself; that is what the DNS Security Extensions (DNSSEC) address, by adding cryptographic signatures to DNS. The need is real: DNS normally runs over UDP (TCP only when needed), and a plain DNS answer carries no proof of where it came from, so an attacker who can deliver a datagram to a resolver with the right transaction ID can feed it false data. A resolver that accepts a forged answer sends its clients to the attacker's hosts, and every client that trusts the cache goes along. Transaction Signatures (TSIG) counter spoofing of the DNS traffic between servers, for example zone transfers and dynamic updates, by authenticating each message with a shared secret; DNSSEC proper signs the zone data, so that any resolver can verify it. BIND 9 supports both, though at the time of writing neither was widely deployed. Keys are created with dnssec-keygen, much as ssh-keygen creates SSH keys. For TSIG you generate a host key with an HMAC algorithm:
Listing 15. Generating a TSIG key with dnssec-keygen
# dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 128 -n HOST \
    primary-secondary.my.dom
# ls Kprimary-secondary.my.dom.*
Kprimary-secondary.my.dom.+157+46713.key
Kprimary-secondary.my.dom.+157+46713.private

The command writes two files, named after the key name, the algorithm number (157 is HMAC-MD5) and a key ID; as with SSH, the .key file is the "public" half and the .private file the private half. For an HMAC key that distinction is nominal: HMAC is a symmetric algorithm, both files contain the same shared secret, and that secret must be copied to the other server (for example the slave that pulls zone transfers) over a secure channel and kept unreadable to other users on both machines. Only for the asymmetric algorithms used to sign zones (the RSA and DSA variants) is the .key file genuinely public. Later BIND 9 releases added HMAC-SHA algorithms for TSIG, which should be preferred where both ends support them. For more on DNSSEC see "The Basics of DNSSEC" on the O'Reilly Network (see Resources).
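What a TSIG key like the one in Listing 15 is used for, as an added example (not code from the original tutorial, and not BIND's implementation): it builds a DNS query, signs it with a TSIG record as RFC 2845 specifies, and verifies the signature, rejecting a tampered message, a wrong secret or a stale time stamp. KEY_NAME is the key name from Listing 15; SECRET_B64 is a constructed stand-in for the base64 secret that the .private file holds.

```python
"""Sign and verify a DNS message with a TSIG transaction signature (RFC 2845)
using an HMAC-MD5 key of the kind Listing 15 generates.
Added example: not code from the original tutorial or from BIND. KEY_NAME is
the key name from Listing 15; SECRET_B64 is a constructed stand-in for the
base64 "Key:" line of the .private file. Everything else follows the RFC."""
import base64
import hashlib
import hmac
import os
import struct
import time

KEY_NAME = "primary-secondary.my.dom"
SECRET_B64 = "pRP5FapFoJ95JEL06sv4PQ=="            # constructed 128-bit secret
SECRET = base64.b64decode(SECRET_B64)
TSIG_ALG = "hmac-md5.sig-alg.reg.int"            # RFC 2845 name for HMAC-MD5
TYPE_TSIG, CLASS_ANY = 250, 255

def encode_name(name):
    """Uncompressed, lower-cased (canonical) wire format of a domain name."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def _skip_name(buf, pos):
    """Offset just past the (possibly compressed) name starting at pos."""
    while buf[pos] != 0:
        if buf[pos] & 0xC0 == 0xC0:                  # compression pointer
            return pos + 2
        pos += 1 + buf[pos]
    return pos + 1

def build_query(qname, qtype=1, msg_id=None):
    """Minimal DNS query: header with RD set plus one question."""
    ident = os.urandom(2) if msg_id is None else struct.pack("!H", msg_id)
    header = ident + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def _time48(t):
    return struct.pack("!HI", t >> 32, t & 0xFFFFFFFF)

def sign_tsig(msg, key_name, secret, now=None, fudge=300):
    """Append a TSIG RR to an unsigned message (RFC 2845 section 3.4)."""
    now = int(time.time()) if now is None else now
    alg = encode_name(TSIG_ALG)
    # The MAC covers the message plus the "TSIG variables": key name, class,
    # TTL, algorithm, time signed, fudge, error and other data.
    variables = (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + alg
                 + _time48(now) + struct.pack("!HHH", fudge, 0, 0))
    mac = hmac.new(secret, msg + variables, hashlib.md5).digest()
    rdata = (alg + _time48(now) + struct.pack("!HH", fudge, len(mac)) + mac
             + msg[:2] + struct.pack("!HH", 0, 0))  # original ID, error, other len
    rr = (encode_name(key_name)
          + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata)
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def verify_tsig(signed, secret, now=None):
    """True only if the last additional RR is a TSIG whose MAC matches and
    whose time stamp lies within its fudge window."""
    now = int(time.time()) if now is None else now
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False
    pos = 12
    for _ in range(qd):
        pos = _skip_name(signed, pos) + 4
    for _ in range(an + ns + ar - 1):                # every RR before the TSIG
        pos = _skip_name(signed, pos)
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    tsig_start = pos
    p = _skip_name(signed, pos)
    rtype, rclass, ttl, _ = struct.unpack("!HHIH", signed[p:p + 10])
    if rtype != TYPE_TSIG:
        return False
    p += 10
    alg_end = _skip_name(signed, p)
    t_hi, t_lo, fudge, macsize = struct.unpack("!HIHH", signed[alg_end:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + macsize]
    q = alg_end + 10 + macsize
    _, error, other_len = struct.unpack("!HHH", signed[q:q + 6])
    # Rebuild what the signer digested: the message without the TSIG RR
    # (ARCOUNT decremented) followed by the TSIG variables.
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    variables = (signed[tsig_start:p - 10] + struct.pack("!HI", rclass, ttl)
                 + signed[p:alg_end + 6]
                 + struct.pack("!HHH", fudge, error, other_len)
                 + signed[q + 6:q + 6 + other_len])
    expected = hmac.new(secret, unsigned + variables, hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):
        return False
    return abs(now - ((t_hi << 32) | t_lo)) <= fudge

if __name__ == "__main__":
    query = build_query("example.com", qtype=252)    # AXFR request
    signed = sign_tsig(query, KEY_NAME, SECRET)
    print("signed query verifies:", verify_tsig(signed, SECRET))
    forged = bytearray(signed)
    forged[13] ^= 0x20                               # flip a bit in the name
    print("tampered query verifies:", verify_tsig(bytes(forged), SECRET))
```

Two points the code makes visible: the MAC is computed over the whole message, so changing a single bit of the question invalidates it, and the signature carries a time stamp with a fudge window (300 seconds here), so a captured signed message cannot be replayed later. Both sides therefore need the same secret and reasonably synchronised clocks.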