Chapter 11. DNS Servers

DNS (Domain Name System), is a distributed database system that is used to associate host names with their respective IP addresses. For users, this has the advantage that they can refer to machines on the network by names that are usually easier to remember than the numerical network addresses. For system administrators, using a DNS server, also known as a name server, enables changing the IP address for a host without ever affecting the name-based queries. The use of the DNS databases is not only for resolving IP addresses to domain names and their use is becoming broader and broader as DNSSEC is deployed.

11.1. Introduction to DNS

DNS is usually implemented using one or more centralized servers that are authoritative for certain domains. When a client host requests information from a name server, it usually connects to port 53. The name server then attempts to resolve the name requested. If the name server is configured to be a recursive name servers and it does not have an authoritative answer, or does not already have the answer cached from an earlier query, it queries other name servers, called root name servers, to determine which name servers are authoritative for the name in question, and then queries them to get the requested name. Name servers configured as purely authoritative, with recursion disabled, will not do lookups on behalf of clients.

11.1.1. Name server Zones

In a DNS server, all information is stored in basic data elements called resource records (RR). Resource records are defined in RFC 1034. The domain names are organized into a tree structure. Each level of the hierarchy is divided by a period (.). For example: The root domain, denoted by ., is the root of the DNS tree, which is at level zero. The domain name com, referred to as the top-level domain (TLD) is a child of the root domain (.) so it is the first level of the hierarchy. The domain name example.com is at the second level of the hierarchy.

Example 11.1. A Simple Resource Record

An example of a simple resource record (RR):
example.com.      86400    IN         A           192.0.2.1
The domain name, example.com, is the owner for the RR. The value 86400 is the time to live (TTL). The letters IN, meaning the Internet system, indicate the class of the RR. The letter A indicates the type of RR (in this example, a host address). The host address 192.0.2.1 is the data contained in the final section of this RR. This one line example is a RR. A set of RRs with the same type, owner, and class is called a resource record set (RRSet).
Zones are defined on authoritative name servers through the use of zone files, which contain definitions of the resource records in each zone. Zone files are stored on primary name servers (also called master name servers), where changes are made to the files, and secondary name servers (also called slave name servers), which receive zone definitions from the primary name servers. Both primary and secondary name servers are authoritative for the zone and look the same to clients. Depending on the configuration, any name server can also serve as a primary or secondary server for multiple zones at the same time.
Note that administrators of DNS and DHCP servers, as well as any provisioning applications, should agree on the host name format used in an organization. See Section 3.1.1, “Recommended Naming Practices” for more information on the format of host names.

11.1.2. Name server Types

There are two name server configuration types:
authoritative
Authoritative name servers answer to resource records that are part of their zones only. This category includes both primary (master) and secondary (slave) name servers.
recursive
Recursive name servers offer resolution services, but they are not authoritative for any zone. Answers for all resolutions are cached in a memory for a fixed period of time, which is specified by the retrieved resource record.
Although a name server can be both authoritative and recursive at the same time, it is recommended not to combine the configuration types. To be able to perform their work, authoritative servers should be available to all clients all the time. On the other hand, since the recursive lookup takes far more time than authoritative responses, recursive servers should be available to a restricted number of clients only, otherwise they are prone to distributed denial of service (DDoS) attacks.

11.1.3. BIND as a Name server

BIND consists of a set of DNS-related programs. It contains a name server called named, an administration utility called rndc, and a debugging tool called dig. See Red Hat Enterprise Linux System Administrator's Guide for more information on how to run a service in Red Hat Enterprise Linux.