Chapter 15. DNS Servers
DNS(Domain Name System), is a distributed database system that is used to associate host names with their respective
IPaddresses. For users, this has the advantage that they can refer to machines on the network by names that are usually easier to remember than the numerical network addresses. For system administrators, using a
DNSserver, also known as a name server, enables changing the
IPaddress for a host without ever affecting the name-based queries. The use of the
DNSdatabases is not only for resolving
IPaddresses to domain names and their use is becoming broader and broader as DNSSEC is deployed.
15.1. Introduction to DNS
DNSis usually implemented using one or more centralized servers that are authoritative for certain domains. When a client host requests information from a name server, it usually connects to port 53. The name server then attempts to resolve the name requested. If the name server is configured to be a recursive name servers and it does not have an authoritative answer, or does not already have the answer cached from an earlier query, it queries other name servers, called root name servers, to determine which name servers are authoritative for the name in question, and then queries them to get the requested name. Name servers configured as purely authoritative, with recursion disabled, will not do lookups on behalf of clients.
15.1.1. Name server Zones
DNSserver, all information is stored in basic data elements called resource records (RR). Resource records are defined in RFC 1034. The domain names are organized into a tree structure. Each level of the hierarchy is divided by a period (
.). For example: The root domain, denoted by
., is the root of the
DNStree, which is at level zero. The domain name
com, referred to as the top-level domain (TLD) is a child of the root domain (
.) so it is the first level of the hierarchy. The domain name
example.comis at the second level of the hierarchy.
Example 15.1. A Simple Resource Record
An example of a simple resource record (RR):
example.com. 86400 IN A 192.0.2.1
The domain name,
example.com, is the owner for the RR. The value
86400is the time to live (TTL). The letters
IN, meaning “the Internet system”, indicate the class of the RR. The letter
Aindicates the type of RR (in this example, a host address). The host address
192.0.2.1is the data contained in the final section of this RR. This one line example is a RR. A set of RRs with the same type, owner, and class is called a resource record set (RRSet).
Zones are defined on authoritative name servers through the use of zone files, which contain definitions of the resource records in each zone. Zone files are stored on primary name servers (also called master name servers), where changes are made to the files, and secondary name servers (also called slave name servers), which receive zone definitions from the primary name servers. Both primary and secondary name servers are authoritative for the zone and look the same to clients. Depending on the configuration, any name server can also serve as a primary or secondary server for multiple zones at the same time.
Note that administrators of
DHCPservers, as well as any provisioning applications, should agree on the host name format used in an organization. See Section 6.1.1, “Recommended Naming Practices” for more information on the format of host names.
15.1.2. Name server Types
There are two name server configuration types:
- Authoritative name servers answer to resource records that are part of their zones only. This category includes both primary (master) and secondary (slave) name servers.
- Recursive name servers offer resolution services, but they are not authoritative for any zone. Answers for all resolutions are cached in a memory for a fixed period of time, which is specified by the retrieved resource record.
Although a name server can be both authoritative and recursive at the same time, it is recommended not to combine the configuration types. To be able to perform their work, authoritative servers should be available to all clients all the time. On the other hand, since the recursive lookup takes far more time than authoritative responses, recursive servers should be available to a restricted number of clients only, otherwise they are prone to distributed denial of service (DDoS) attacks.
15.1.3. BIND as a Name server
BIND consists of a set of DNS-related programs. It contains a name server called
named, an administration utility called
rndc, and a debugging tool called
dig. See Red Hat Enterprise Linux System Administrator's Guide for more information on how to run a service in Red Hat Enterprise Linux.