from http://www.ibiblio.org/pub/Linux/docs/HOWTO/DNS-HOWTO http://howtos.linux.com/howtos/DNS-HOWTO-3.shtml
A first stab at DNS config, very useful for dialup, cable-modem, ADSL and similar users.
On Red Hat and Red Hat related distributions you can achieve the same practical result as this HOWTO's first section by installing the packages bind, bind-utils and caching-nameserver. If you use Debian, simply install bind (or bind9; as of this writing BIND 9 is not supported by Debian Stable (potato)) and bind-doc. Of course just installing those packages won't teach you as much as reading this HOWTO, so install the packages and then read along, verifying the files they installed.
First you need a file called /etc/named.conf (Debian: /etc/bind/named.conf). This is read when named starts. The default file shipped with Red Hat 8 contains:

options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

include "/etc/rndc.key";
The Linux distribution packages may use different file names for each kind of file mentioned here; they will still contain about the same things.
The `directory' line tells named where to look for files. All files named subsequently will be relative to this. /var/named is the right directory according to the Linux File system Standard.
The file named /var/named/named.ca describes the root name servers in the world. It contains the following. You do not need to modify it.

;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC registration services
;       under anonymous FTP as
;           file                /domain/named.root
;           on server           FTP.RS.INTERNIC.NET
;       -OR- under Gopher at    RS.INTERNIC.NET
;           under menu          InterNIC Registration Services (NSI)
;              submenu          InterNIC Registration Archives
;           file                named.root
;
;       last update:    Aug 22, 1997
;       related version of root zone:   1997082200
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
[...]
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
; End of File
The next section in named.conf is the last zone, 0.0.127.in-addr.arpa, whose file is shown below. You don't need to alter it either.
/var/named/named.local
$TTL 86400
@       IN      SOA     localhost. root.localhost.  (
                        1997022700 ; Serial
                        28800      ; Refresh
                        14400      ; Retry
                        3600000    ; Expire
                        86400 )    ; Minimum
        IN      NS      localhost.
1       IN      PTR     localhost.
The key called rndckey in the controls section specifies that your named can be remotely controlled by a program called rndc, provided it connects from the local host and identifies itself with the encoded secret key. This key is like a password.
The configuration files that come with the caching-nameserver RPM package are:

/etc/named.conf
/var/named/localhost.zone
/var/named/named.ca
/var/named/named.local
Your /etc/resolv.conf should look something like this:

search ...
nameserver 127.0.0.1

The quickest way to get there is a single command; note that the > redirect replaces whatever the file held before, search line included:

echo "nameserver 127.0.0.1" > /etc/resolv.conf
Note: With the configuration above, your DNS server will contact one of the root name servers listed in named.ca and ask its way down from there.
After all this it's time to start named. If you're using a dialup connection, connect first. Now run named, either through the boot script (/etc/init.d/named start) or directly (/usr/sbin/named). If you have used previous versions of BIND you're probably used to ndc. In BIND 9 it has been replaced by rndc, which can control your named remotely but can no longer start it. If you watch your syslog message file while starting named (usually /var/log/messages; Debian calls it /var/log/daemon; the other files in /var/log are worth a look too), for example with tail -f /var/log/messages, you should see something like:

Oct 13 22:38:57 localhost named[18103]: starting BIND 9.2.1 -u named
Oct 13 22:38:57 localhost named[18103]: using 1 CPU
Oct 13 22:38:57 localhost named[18106]: loading configuration from '/etc/named.conf'
Oct 13 22:38:57 localhost named[18106]: no IPv6 interfaces found
Oct 13 22:38:57 localhost named[18106]: listening on IPv4 interface lo, 127.0.0.1#53
Oct 13 22:38:57 localhost named[18106]: listening on IPv4 interface eth0, 192.168.0.100#53
Oct 13 22:38:57 localhost named[18106]: listening on IPv4 interface ppp0, 64.7.158.155#53
Oct 13 22:38:57 localhost named[18106]: command channel listening on 127.0.0.1#953
Oct 13 22:38:57 localhost named[18106]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Oct 13 22:38:57 localhost named[18106]: zone localhost/IN: loaded serial 42
Oct 13 22:38:57 localhost named[18106]: running
Oct 13 22:38:57 localhost named: named startup succeeded
If there are any messages about errors then there is a mistake. Named will name the file it is reading. Go back and check the file. Start named over when it is fixed.
The same start on Debian (bind9 package), where the boot script and the log file have different names:

% /etc/init.d/bind9 start
% tail /var/log/syslog
Jul 2 11:53:22 localhost named[21305]: no IPv6 interfaces found
Jul 2 11:53:22 localhost named[21305]: listening on IPv4 interface lo, 127.0.0.1#53
Jul 2 11:53:22 localhost named[21305]: listening on IPv4 interface eth0, 192.168.0.100#53
Jul 2 11:53:22 localhost named[21305]: command channel listening on 127.0.0.1#953
Jul 2 11:53:22 localhost named[21305]: zone 0.in-addr.arpa/IN: loaded serial 1
Jul 2 11:53:22 localhost named[21305]: zone 127.in-addr.arpa/IN: loaded serial 1
Jul 2 11:53:22 localhost named[21305]: zone 255.in-addr.arpa/IN: loaded serial 1
Jul 2 11:53:22 localhost named[21305]: zone localhost/IN: loaded serial 1
Jul 2 11:53:22 localhost named[21305]: running
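As an added example (not part of the HOWTO), here is a small sh script that does the log check described above offline: it takes the lines named writes at startup, reports whether the start failed and which file:line the messages point at, lists the interfaces named bound port 53 on, and flags any that carry a non-private address, as ppp0 does in the Red Hat log above. The two logs inside the script are constructed from the samples on this page; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the DNS-HOWTO: triage of named's startup messages.
# Assumes syslog lines in the shape BIND 9 writes (as in the HOWTO's
# samples); the two logs below are constructed for this example.

NAMED_LOG_OK=$(cat <<'EOF'
Oct 13 22:38:57 localhost named[18106]: loading configuration from '/etc/named.conf'
Oct 13 22:38:57 localhost named[18106]: listening on IPv4 interface lo, 127.0.0.1#53
Oct 13 22:38:57 localhost named[18106]: listening on IPv4 interface eth0, 192.168.0.100#53
Oct 13 22:38:57 localhost named[18106]: listening on IPv4 interface ppp0, 64.7.158.155#53
Oct 13 22:38:57 localhost named[18106]: command channel listening on 127.0.0.1#953
Oct 13 22:38:57 localhost named[18106]: zone localhost/IN: loaded serial 42
Oct 13 22:38:57 localhost named[18106]: running
EOF
)

NAMED_LOG_FAIL=$(cat <<'EOF'
Jul  2 11:48:43 localhost named[21132]: loading configuration from '/etc/bind/named.conf'
Jul  2 11:48:43 localhost named[21132]: /etc/bind/named.conf.options:2: change directory to '/var/cache/bind' failed: file not found
Jul  2 11:48:43 localhost named[21132]: /etc/bind/named.conf.options:2: parsing failed
Jul  2 11:48:43 localhost named[21132]: loading configuration: file not found
Jul  2 11:48:43 localhost named[21132]: exiting (due to fatal error)
EOF
)

# named_start_failed LOG: true if named gave up with a fatal error.
named_start_failed() {
    printf '%s\n' "$1" | grep -q 'exiting (due to fatal error)'
}

# named_errors LOG: the messages that name a config file and line number,
# which is where the HOWTO says to look first.
named_errors() {
    printf '%s\n' "$1" |
        sed -n 's/^.*named\[[0-9]*\]: \(\/[^:]*:[0-9]*: .*\)$/\1/p'
}

# named_listeners LOG: "interface address" for each port-53 listener
# (the rndc command channel on port 953 is not an interface listener).
named_listeners() {
    printf '%s\n' "$1" |
        sed -n 's/^.*listening on IPv4 interface \([^,]*\), \([0-9.]*\)#53$/\1 \2/p'
}

# is_private_ip ADDR: loopback or RFC 1918 space.
is_private_ip() {
    case $1 in
        127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# named_public_listeners LOG: listeners on addresses reachable from outside,
# which for a caching-only server on a dialup box is usually unintended.
named_public_listeners() {
    named_listeners "$1" | while read -r iface addr; do
        is_private_ip "$addr" || printf '%s %s\n' "$iface" "$addr"
    done
}

# named_triage LOG: short report; returns 1 if named did not start.
named_triage() {
    if named_start_failed "$1"; then
        echo "named exited; the messages with a file:line are:"
        named_errors "$1" | sed 's/^/  /'
        return 1
    fi
    echo "named is running; listening on:"
    named_listeners "$1" | sed 's/^/  /'
    pub=$(named_public_listeners "$1")
    if [ -n "$pub" ]; then
        echo "note: port 53 is open on a public address (see listen-on / allow-recursion):"
        printf '%s\n' "$pub" | sed 's/^/  /'
    fi
    return 0
}

named_triage "$NAMED_LOG_OK"
named_triage "$NAMED_LOG_FAIL" || echo "fix the file named above and start named again"
```

For a caching server meant only for the machine it runs on, the lo listener is the one you want; the options statement listen-on { 127.0.0.1; }; keeps named off the other interfaces, and allow-recursion limits who may use the cache.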
Now you can test your setup. Traditionally a program called nslookup is used for this. These days dig is recommended:
$ dig -x 127.0.0.1

; <<>> DiG 9.2.1 <<>> -x 127.0.0.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33807
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;1.0.0.127.in-addr.arpa.        IN      PTR

;; ANSWER SECTION:
1.0.0.127.in-addr.arpa. 86400   IN      PTR     localhost.

;; AUTHORITY SECTION:
0.0.127.in-addr.arpa.   86400   IN      NS      localhost.

;; ADDITIONAL SECTION:
localhost.              86400   IN      A       127.0.0.1

;; Query time: 40 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct 13 22:58:31 2003
;; MSG SIZE  rcvd: 93

If that's what you get, it's working. We hope. If you get anything very different, go back and check everything. Each time you change a file you need to run rndc reload.
Now you can enter a query. Try looking up some machine close to you.
$ dig google.com
[...]
;; ANSWER SECTION:
google.com.             300     IN      A       216.239.53.99
[...]
;; Query time: 1019 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

This time dig asked your named to look up google.com. named then contacted one of the root name servers listed in named.ca and asked its way down from there. It might take a little while before you get the result, as it may need to search all the domains you named in /etc/resolv.conf.
If you ask the same again you get this:
$ dig google.com
[...]
;; Query time: 38 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
As you can plainly see this time it was much faster, 38ms versus more than one second earlier. The answer was cached.
With cached answers there is the possibility that the answer is out of date, but the origin servers can control the time cached answers should be considered valid, so there is a high probability that the answer you get is valid.
With the configuration above, your DNS server contacts one of the root name servers listed in named.ca and asks its way down from there. By using the DNS server of your network provider as a "forwarder" instead, you can make responses to queries faster and put less load on your network link. This works by having your nameserver forward queries to your ISP's nameserver. Each time this happens you dip into the big cache of your ISP's nameserver, which speeds your queries up because your nameserver no longer has to do all the work itself. If you use a modem this can be quite a win.
For the sake of this example we assume that your network provider has two name servers they want you to use, with IP numbers 10.0.0.1 and 10.1.0.1. Then, in your named.conf file, inside the opening section called “options”, insert these lines:
forward first;
forwarders {
        10.0.0.1;
        10.1.0.1;
};
There is also a nice trick for dialup machines using forwarders, it is described in the “qanda” section.
Restart your nameserver and test it with dig. It should still work fine.

$ dig google.com
[...]
;; Query time: 256 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

$ dig google.com
[...]
;; Query time: 38 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
You can see that the first lookup took much less time than before. This is the difference between doing all the work yourself and letting your ISP's cache do it. The good part is that even if your ISP's DNS fails on you, your own DNS can still do the job by itself.

Forwarding occurs only for those queries for which the server is not authoritative and does not have the answer in its cache.
One way to keep the forwarder lines out of the main file is to put them in a file of their own and include it from the options section:

options {
        directory "/var/named";
        include "forward";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};
If named refuses to start, the log names the file and line at fault. In this Debian transcript the options file pointed at a working directory that did not exist yet; creating it was all that was needed:

% /etc/init.d/bind9 start
Starting domain name service...: bind failed!
% tail /var/log/syslog
Jul 2 11:48:43 localhost named[21132]: starting BIND 9.3.4
Jul 2 11:48:43 localhost named[21132]: found 1 CPU, using 1 worker thread
Jul 2 11:48:43 localhost named[21132]: loading configuration from '/etc/bind/named.conf'
Jul 2 11:48:43 localhost named[21132]: /etc/bind/named.conf.options:2: change directory to '/var/cache/bind' failed: file not found
Jul 2 11:48:43 localhost named[21132]: /etc/bind/named.conf.options:2: parsing failed
Jul 2 11:48:43 localhost named[21132]: loading configuration: file not found
Jul 2 11:48:43 localhost named[21132]: exiting (due to fatal error)
$ head -2 /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
mkdir /var/cache/bind
% /etc/init.d/bind9 start
Starting domain name service...: bind.
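As an added example (not from the HOWTO or from BIND), the following sh script checks a named.conf offline for the things that went wrong in the logs on this page: that the directory exists, that every zone file named in it exists, and that every forwarders entry is a dotted-quad IPv4 address. The parsing functions, the sample configuration it builds in a temporary directory (mirroring the caching-only named.conf and the Debian directory mistake above) and the helper names are all the example's own assumptions; it needs only POSIX sh, awk, sed and tr.

```shell
#!/bin/sh
# Added example, not from the DNS-HOWTO: offline sanity checks for a
# caching-only named.conf. It catches, before named is started, the two
# mistakes the HOWTO's logs show (a working directory that does not exist,
# a zone file that is missing) and validates the forwarders list.

# strip_comments < named.conf: drop /* */, // and # comments so the keyword
# scans below never match text inside a comment (the HOWTO's firewall note
# is a block comment that itself contains a // line).
strip_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (inblock) {
                i = index(line, "*/")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 2); inblock = 0
            } else {
                i = index(line, "/*")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 2); inblock = 1
            }
        }
        sub(/\/\/.*/, "", out); sub(/#.*/, "", out)
        print out
    }'
}

# statements < named.conf: one statement or brace per line.
statements() { strip_comments | tr ';{}' '\n\n\n'; }

# conf_directory CONF: the value of the directory statement.
conf_directory() {
    statements < "$1" |
        sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# conf_zone_files CONF: every file "..." named by a zone statement.
conf_zone_files() {
    statements < "$1" | sed -n 's/^[[:space:]]*file[[:space:]]*"\([^"]*\)".*/\1/p'
}

# conf_forwarders CONF: the addresses inside forwarders { ... }, one per line.
conf_forwarders() {
    strip_comments < "$1" | tr '\n' ' ' |
        sed -n 's/.*forwarders[[:space:]]*{\([^}]*\)}.*/\1/p' |
        tr ';' '\n' | tr -d ' \t' | grep -v '^$'
}

# is_ipv4 ADDR: true for a dotted quad with every octet in 0..255.
is_ipv4() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o; do
        case $o in ''|*[!0-9]*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    exit 0
)

# check_named_conf CONF: print each problem found, return 1 if there was one.
# A missing directory is reported alone, because named treats it as fatal
# and never gets as far as the zone files (as in the Debian log above).
check_named_conf() {
    rc=0
    dir=$(conf_directory "$1")
    if [ -z "$dir" ]; then echo "no directory statement in $1"; return 1; fi
    if [ ! -d "$dir" ]; then echo "directory '$dir' does not exist"; return 1; fi
    for f in $(conf_zone_files "$1"); do
        case $f in /*) p=$f ;; *) p=$dir/$f ;; esac
        [ -f "$p" ] || { echo "zone file '$p' missing"; rc=1; }
    done
    for fw in $(conf_forwarders "$1"); do
        is_ipv4 "$fw" || { echo "forwarder '$fw' is not an IPv4 address"; rc=1; }
    done
    return $rc
}

# demo_setup: constructed sample, shaped like the HOWTO's caching-only
# named.conf, with the Debian mistake (directory absent) and one bad forwarder.
demo_setup() {
    W=$(mktemp -d)
    cat > "$W/named.conf" <<EOF
options {
        directory "$W/var/cache/bind";
        /* firewall note from the HOWTO:
         * // query-source address * port 53; */
        forward first;
        forwarders { 10.0.0.1; 10.1.0.1; 10.1.0.256; };
};
zone "." IN { type hint; file "named.ca"; };
zone "localhost" IN { type master; file "localhost.zone"; allow-update { none; }; };
zone "0.0.127.in-addr.arpa" IN { type master; file "named.local"; allow-update { none; }; };
EOF
    echo "$W"
}

# demo_fix W: the mkdir from the Debian log, empty zone files, bad forwarder removed.
demo_fix() {
    mkdir -p "$1/var/cache/bind"
    for f in named.ca localhost.zone named.local; do : > "$1/var/cache/bind/$f"; done
    sed 's/ 10\.1\.0\.256;//' "$1/named.conf" > "$1/named.conf.new" && mv "$1/named.conf.new" "$1/named.conf"
}

W=$(demo_setup)
echo "== as written:"; check_named_conf "$W/named.conf" || true
demo_fix "$W"
echo "== after the fix:"; if check_named_conf "$W/named.conf"; then echo "named.conf is consistent"; fi
rm -rf "$W"
```

Run it before starting named. BIND ships its own checker, named-checkconf, which validates syntax far more completely; the point of this script is to show what named's "file not found" messages are about and to verify the forwarders you typed in.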