5 ***Contributed by Chern Lee. ***
\r
7 ### 19.11.1 Overview
\r
9 DragonFly utilizes, by default, a version of BIND (Berkeley Internet Name Domain), which is the most common implementation of the DNS protocol. DNS is the protocol through which names are mapped to IP addresses, and vice versa. For example, a query for `www.dragonflybsd.org` will receive a reply with the IP address of The DragonFly Project's web server, whereas, a query for `ftp.dragonflybsd.org` will return the IP address of the corresponding FTP machine. Likewise, the opposite can happen. A query for an IP address can resolve its hostname. It is not necessary to run a name server to perform DNS lookups on a system.
\r
11 DNS is coordinated across the Internet through a somewhat complex system of authoritative root name servers, and other smaller-scale name servers who host and cache individual domain information.
\r
13 This document refers to BIND 9.x.
\r
15 RFC1034 and RFC1035 dictate the DNS protocol.
\r
17 Currently, BIND is maintained by the [Internet Software Consortium (www.isc.org)](http://www.isc.org/).
\r
19 ### 19.11.2 Terminology
\r
21 To understand this document, some terms related to DNS must be understood.
\r
25 Forward DNS | Mapping of hostnames to IP addresses
26 Origin | Refers to the domain covered in a particular zone file
27 **named** , BIND, name server | Common names for the BIND name server package within DragonFly
28 Resolver | A system process through which a machine queries a name server for zone information
29 Reverse DNS | The opposite of forward DNS; mapping of IP addresses to hostnames
30 Root zone | The beginning of the Internet zone hierarchy. All zones fall under the root zone, similar to how all files in a file system fall under the root directory.
31 Zone | An individual domain, subdomain, or portion of the DNS administered by the same authority |
\r
36 * `.` is the root zone
\r
38 * `org.` is a zone under the root zone
\r
40 * `example.org` is a zone under the `org.` zone
\r
42 * `foo.example.org.` is a subdomain, a zone under the `example.org.` zone
\r
44 * `1.2.3.in-addr.arpa` is a zone referencing all IP addresses which fall under the 3.2.1.* IP space.
\r
46 As one can see, the more specific part of a hostname appears to its left. For example, `example.org.` is more specific than `org.`, as `org.` is more specific than the root zone. The layout of each part of a hostname is much like a filesystem: the `/dev` directory falls within the root, and so on.
\r
48 ### 19.11.3 Reasons to Run a Name Server
\r
50 Name servers usually come in two forms: an authoritative name server, and a caching name server.
\r
52 An authoritative name server is needed when:
\r
55 * one wants to serve DNS information to the world, replying authoritatively to queries.
\r
57 * a domain, such as `example.org`, is registered and IP addresses need to be assigned to hostnames under it.
\r
59 * an IP address block requires reverse DNS entries (IP to hostname).
\r
61 * a backup name server, called a slave, must reply to queries when the primary is down or inaccessible.
\r
63 A caching name server is needed when:
\r
66 * a local DNS server may cache and respond more quickly than querying an outside name server.
\r
68 * a reduction in overall network traffic is desired (DNS traffic has been measured to account for 5% or more of total Internet traffic).
\r
70 When one queries for `www.dragonflybsd.org`, the resolver usually queries the uplink ISP's name server, and retrieves the reply. With a local, caching DNS server, the query only has to be made once to the outside world by the caching DNS server. Every additional query will not have to look to the outside of the local network, since the information is cached locally.
\r
72 ### 19.11.4 How It Works
\r
74 In DragonFly, the BIND daemon is called **named** for obvious reasons.
\r
78 **named** | the BIND daemon
79 `ndc` | name daemon control program
80 `/etc/namedb` | directory where BIND zone information resides
81 `/etc/namedb/named.conf` | daemon configuration file |
\r
83 Zone files are usually contained within the `/etc/namedb` directory, and contain the DNS zone information served by the name server.
\r
85 ### 19.11.5 Starting BIND
\r
87 Since BIND is installed by default, configuring it all is relatively simple.
\r
89 To ensure the named daemon is started at boot, put the following modifications in `/etc/rc.conf`:
\r
95 To start the daemon manually (after configuring it)
\r
101 ### 19.11.6 Configuration Files
\r
103 #### 19.11.6.1 Using `make-localhost`
\r
109 # sh make-localhost
\r
112 to properly create the local reverse DNS zone file in `/etc/namedb/localhost.rev`.
\r
114 #### 19.11.6.2 `/etc/namedb/named.conf`
\r
119 // Refer to the named(8) manual page for details. If you are ever going
\r
120 // to setup a primary server, make sure you've understood the hairy
\r
121 // details of how DNS is working. Even with simple mistakes, you can
\r
122 // break connectivity for affected parties, or cause huge amount of
\r
123 // useless Internet traffic.
\r
126 directory "/etc/namedb";
\r
128 // In addition to the "forwarders" clause, you can force your name
\r
129 // server to never initiate queries of its own, but always ask its
\r
130 // forwarders only, by enabling the following line:
\r
134 // If you've got a DNS server around at your upstream provider, enter
\r
135 // its IP address here, and enable the line below. This will make you
\r
136 // benefit from its cache, thus reduce overall DNS traffic in the
\r
146 Just as the comment says, to benefit from an uplink's cache, `forwarders` can be enabled here. Under normal circumstances, a name server will recursively query the Internet looking at certain name servers until it finds the answer it is looking for. Having this enabled will have it query the uplink's name server (or name server provided) first, taking advantage of its cache. If the uplink name server in question is a heavily trafficked, fast name server, enabling this may be worthwhile.
\r
148 **Warning:** `127.0.0.1` will ***not*** work here. Change this IP address to a name server at your uplink.
\r
153 * If there is a firewall between you and name servers you want
\r
155 * to talk to, you might need to uncomment the query-source
\r
157 * directive below. Previous versions of BIND always asked
\r
159 * questions using port 53, but BIND 8.1 uses an unprivileged
\r
164 // query-source address * port 53;
\r
168 * If running in a sandbox, you may have to specify a different
\r
170 * location for the dumpfile.
\r
173 // dump-file "s/named_dump.db";
\r
176 // Note: the following will be supported in a future release.
\r
186 // Setting up secondaries is way easier and the rough picture for this
\r
187 // is explained below.
\r
189 // If you enable a local name server, don't forget to enter 127.0.0.1
\r
190 // into your /etc/resolv.conf so this server will be queried first.
\r
191 // Also, make sure to enable it in /etc/rc.conf.
\r
198 zone "0.0.127.IN-ADDR.ARPA" {
\r
200 file "localhost.rev";
\r
204 "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
\r
206 file "localhost.rev";
\r
209 // NB: Do not use the IP addresses below, they are faked, and only
\r
210 // serve demonstration/documentation purposes!
\r
212 // Example secondary config entries. It can be convenient to become
\r
213 // a secondary at least for the zone where your own domain is in. Ask
\r
214 // your network administrator for the IP address of the responsible
\r
217 // Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
\r
218 // (This is the first bytes of the respective IP address, in reverse
\r
219 // order, with ".IN-ADDR.ARPA" appended.)
\r
221 // Before starting to setup a primary zone, better make sure you fully
\r
222 // understand how DNS and BIND works, however. There are sometimes
\r
223 // unobvious pitfalls. Setting up a secondary is comparably simpler.
\r
225 // NB: Don't blindly enable the examples below. :-) Use actual names
\r
226 // and addresses instead.
\r
228 // NOTE!!! DragonFly runs bind in a sandbox (see named_flags in rc.conf).
\r
229 // The directory containing the secondary zones must be write accessible
\r
230 // to bind. The following sequence is suggested:
\r
232 // mkdir /etc/namedb/s
\r
233 // chown bind:bind /etc/namedb/s
\r
234 // chmod 750 /etc/namedb/s
\r
237 For more information on running BIND in a sandbox, see [network-dns.html#NETWORK-NAMED-SANDBOX Running named in a sandbox].
\r
241 zone "example.com" {
\r
243 file "s/example.com.bak";
\r
249 zone "0.168.192.in-addr.arpa" {
\r
251 file "s/0.168.192.in-addr.arpa.bak";
\r
260 In `named.conf`, these are examples of slave entries for a forward and reverse zone.
\r
262 For each new zone served, a new zone entry must be added to `named.conf`
\r
264 For example, the simplest zone entry for `example.org` can look like:
\r
267 zone "example.org" {
\r
269 file "example.org";
\r
273 The zone is a master, as indicated by the `type` statement, holding its zone information in `/etc/namedb/example.org` indicated by the `file` statement.
\r
276 zone "example.org" {
\r
278 file "example.org";
\r
282 In the slave case, the zone information is transferred from the master name server for the particular zone, and saved in the file specified. If and when the master server dies or is unreachable, the slave name server will have the transferred zone information and will be able to serve it.
\r
284 #### 19.11.6.3 Zone Files
\r
286 An example master zone file for `example.org` (existing within `/etc/namedb/example.org`) is as follows:
\r
291 example.org. IN SOA ns1.example.org. admin.example.org. (
\r
296 86400 ) ; Minimum TTL
\r
299 @ IN NS ns1.example.org.
\r
300 @ IN NS ns2.example.org.
\r
303 localhost IN A 127.0.0.1
\r
313 @ IN MX 10 mail.example.org.
\r
316 Note that every hostname ending in a ***.*** is an exact hostname, whereas everything without a trailing ***.*** is referenced to the origin. For example, `www` is translated into `www + origin`. In our fictitious zone file, our origin is `example.org.`, so `www` would translate to `www.example.org.`
\r
318 The format of a zone file follows:
\r
321 recordname IN recordtype value
\r
324 The most commonly used DNS records:
\r
326 SOA:: start of zone authorityNS:: an authoritative name serverA:: A host addressCNAME:: the canonical name for an aliasMX:: mail exchangerPTR:: a domain name pointer (used in reverse DNS)
\r
329 example.org. IN SOA ns1.example.org. admin.example.org. (
\r
331 10800 ; Refresh after 3 hours
\r
332 3600 ; Retry after 1 hour
\r
333 604800 ; Expire after 1 week
\r
334 86400 ) ; Minimum TTL of 1 day
\r
337 `example.org.`:: the domain name, also the origin for this zone file.`ns1.example.org.`:: the primary/authoritative name server for this zone`admin.example.org.`:: the responsible person for this zone, email address with @ replaced. (`<[mailto:admin@example.org admin@example.org]>` becomes `admin.example.org`)`5`:: the serial number of the file. this must be incremented each time the zone file is modified. Nowadays, many admins prefer a `yyyymmddrr` format for the serial number. 2001041002 would mean last modified 04/10/2001, the latter 02 being the second time the zone file has been modified this day. The serial number is important as it alerts slave name servers for a zone when it is updated.
\r
340 @ IN NS ns1.example.org.
\r
343 This is an `NS` entry. Every name server that is going to reply authoritatively for the zone must have one of these entries. The `@` as seen here could have been `example.org.` The `@` translates to the origin.
\r
346 localhost IN A 127.0.0.1
\r
353 The A record indicates machine names. As seen above, `ns1.example.org` would resolve to `3.2.1.2`. Again, the origin symbol, `@`, is used here, thus meaning `example.org` would resolve to `3.2.1.30`.
\r
359 The canonical name record is usually used for giving aliases to a machine. In the example, `www` is aliased to the machine addressed to the origin, or `example.org` (`3.2.1.30`). `CNAME`s can be used to provide alias hostnames, or round robin one hostname among multiple machines.
\r
362 @ IN MX 10 mail.example.org.
\r
365 The `MX` record indicates which mail servers are responsible for handling incoming mail for the zone. `mail.example.org` is the hostname of the mail server, and 10 being the priority of that mail server.
\r
367 One can have several mail servers, with priorities of 3, 2, 1. A mail server attempting to deliver to `example.org` would first try the highest priority MX, then the second highest, etc, until the mail can be properly delivered.
\r
369 For in-addr.arpa zone files (reverse DNS), the same format is used, except with `PTR` entries instead of `A` or `CNAME`.
\r
374 1.2.3.in-addr.arpa. IN SOA ns1.example.org. admin.example.org. (
\r
381 @ IN NS ns1.example.org.
\r
382 @ IN NS ns2.example.org.
\r
384 2 IN PTR ns1.example.org.
\r
385 3 IN PTR ns2.example.org.
\r
386 10 IN PTR mail.example.org.
\r
387 30 IN PTR example.org.
\r
390 This file gives the proper IP address to hostname mappings of our above fictitious domain.
\r
392 ### 19.11.7 Caching Name Server
\r
394 A caching name server is a name server that is not authoritative for any zones. It simply asks queries of its own, and remembers them for later use. To set one up, just configure the name server as usual, omitting any inclusions of zones.
\r
396 ### 19.11.8 Running **named** in a Sandbox
\r
398 For added security you may want to run [named(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#named&section8) as an unprivileged user, and configure it to [chroot(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=chroot&section=8) into a sandbox directory. This makes everything outside of the sandbox inaccessible to the **named** daemon. Should **named** be compromised, this will help to reduce the damage that can be caused. By default, DragonFly has a user and a group called `bind`, intended for this use.
\r
400 **Note:** Various people would recommend that instead of configuring **named** to `chroot`, you should run **named** inside a [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#jail&section8). This section does not attempt to cover this situation.
\r
402 Since **named** will not be able to access anything outside of the sandbox (such as shared libraries, log sockets, and so on), there are a number of steps that need to be followed in order to allow **named** to function correctly. In the following checklist, it is assumed that the path to the sandbox is `/etc/namedb` and that you have made no prior modifications to the contents of this directory. Perform the following steps as `root`.
\r
405 * Create all directories that **named** expects to see:
\r
408 # mkdir -p bin dev etc var/tmp var/run master slave
\r
409 # chown bind:bind slave var/*./imagelib/callouts/1.png
\r
411 [network-dns.html#CHOWN-SLAVE ./imagelib/callouts/1.png]:: **named** only needs write access to these directories, so that is all we give it.
\r
413 * Rearrange and create basic zone and configuration files:
\r
415 # cp /etc/localtime etc./imagelib/callouts/1.png
\r
416 # mv named.conf etc && ln -sf etc/named.conf
\r
417 # mv named.root master
\r
418 # sh make-localhost && mv localhost.rev localhost-v6.rev master
\r
419 # cat > master/named.localhost
\r
422 @ IN SOA localhost. postmaster.localhost. (
\r
426 604800 ; expiration
\r
432 [network-dns.html#LOCALTIME ./imagelib/callouts/1.png]:: This allows **named** to log the correct time to [syslogd(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#syslogd&section8)
\r
434 * Use [cp(1)](http://leaf.dragonflybsd.org/cgi/web-man?command#cp&section1) to copy `named-xfer` in `/usr/libexec` into your sandbox.
\r
436 * Make a `dev/null` that **named** can see and write to:
\r
438 # cd /etc/namedb/dev && mknod null c 2 2
\r
442 * Symlink ` /var/run/ndc` to `/etc/namedb/var/run/ndc`:
\r
444 # ln -sf /etc/namedb/var/run/ndc /var/run/ndc
\r
446 **Note:** This simply avoids having to specify the `-c` option to [ndc(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#ndc&section8) every time you run it. Since the contents of /var/run are deleted on boot, if this is something that you find useful you may wish to add this command to root's crontab, making use of the `@reboot` option. See [crontab(5)](http://leaf.dragonflybsd.org/cgi/web-man?command=crontab&section=5) for more information regarding this.
\r
448 * Configure [syslogd(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#syslogd&section8) to create an extra `log` socket that **named** can write to. To do this, add `-l /etc/namedb/dev/log` to the `syslogd_flags` variable in `/etc/rc.conf`.
\r
450 * Arrange to have **named** start and `chroot` itself to the sandbox by adding the following to `/etc/rc.conf`:
\r
453 named_flags="-u bind -g bind -t /etc/namedb /etc/named.conf"
\r
455 **Note:** Note that the configuration file `***/etc/named.conf***` is denoted by a full pathname ***relative to the sandbox***, i.e. in the line above, the file referred to is actually `/etc/namedb/etc/named.conf`.
\r
457 The next step is to edit `/etc/namedb/etc/named.conf` so that **named** knows which zones to load and where to find them on the disk. There follows a commented example (anything not specifically commented here is no different from the setup for a DNS server not running in a sandbox):
\r
461 directory "/";./imagelib/callouts/1.png
\r
462 named-xfer "/bin/named-xfer";./imagelib/callouts/2.png
\r
463 version ""; // Don't reveal BIND version
\r
464 query-source address * port 53;
\r
466 // ndc control socket
\r
468 unix "/var/run/ndc" perm 0600 owner 0 group 0;
\r
471 zone "localhost" IN {
\r
473 file "master/named.localhost";./imagelib/callouts/3.png
\r
474 allow-transfer { localhost; };
\r
477 zone "0.0.127.in-addr.arpa" IN {
\r
479 file "master/localhost.rev";
\r
480 allow-transfer { localhost; };
\r
483 zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int" {
\r
485 file "master/localhost-v6.rev";
\r
486 allow-transfer { localhost; };
\r
491 file "master/named.root";
\r
493 zone "private.example.net" in {
\r
495 file "master/private.example.net.db";
\r
496 allow-transfer { 192.168.10.0/24; };
\r
498 zone "10.168.192.in-addr.arpa" in {
\r
500 masters { 192.168.10.2; };
\r
501 file "slave/192.168.10.db";./imagelib/callouts/4.png
\r
505 [network-dns.html#DIRECTORY ./imagelib/callouts/1.png]:: The `directory` statement is specified as `/`, since all files that **named** needs are within this directory (recall that this is equivalent to a ***normal*** user's `/etc/namedb`.[network-dns.html#NAMED-XFER ./imagelib/callouts/2.png]:: Specifies the full path to the `named-xfer` binary (from **named** 's frame of reference). This is necessary since **named** is compiled to look for `named-xfer` in `/usr/libexec` by default.[network-dns.html#MASTER ./imagelib/callouts/3.png]:: Specifies the filename (relative to the `directory` statement above) where **named** can find the zonefile for this zone.[network-dns.html#SLAVE ./imagelib/callouts/4.png]:: Specifies the filename (relative to the `directory` statement above) where **named** should write a copy of the zonefile for this zone after successfully transferring it from the master server. This is why we needed to change the ownership of the directory `slave` to `bind` in the setup stages above.
\r
507 After completing the steps above, either reboot your server or restart [syslogd(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#syslogd&section8) and start [named(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=named&section=8), making sure to use the new options specified in `syslogd_flags` and `named_flags`. You should now be running a sandboxed copy of **named** !
\r
509 ### 19.11.9 Security
\r
511 Although BIND is the most common implementation of DNS, there is always the issue of security. Possible and exploitable security holes are sometimes found.
\r
513 It is a good idea to subscribe to [CERT](http://www.cert.org/) and [../handbook/eresources.html#ERESOURCES-MAIL freebsd-security-notifications] to stay up to date with the current Internet and FreeBSD security issues.
\r
515 **Tip:** If a problem arises, keeping sources up to date and having a fresh build of named would not hurt.
\r
517 ### 19.11.10 Further Reading
\r
519 BIND/named manual pages: [ndc(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#ndc&section8) [named(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=named&section=8) [named.conf(5)](http://leaf.dragonflybsd.org/cgi/web-man?command=named.conf&section=5)
\r
522 * [Official ISC Bind Page](http://www.isc.org/products/BIND/)
\r
524 * [BIND FAQ](http://www.nominum.com/getOpenSourceResource.php?id=6)
\r
526 * [O'Reilly DNS and BIND 4th Edition](http://www.oreilly.com/catalog/dns4/)
\r
528 * [RFC1034 - Domain Names - Concepts and Facilities](ftp://ftp.isi.edu/in-notes/rfc1034.txt)
\r
530 * [RFC1035 - Domain Names - Implementation and Specification](ftp://ftp.isi.edu/in-notes/rfc1035.txt)
\r
535 CategoryHandbook-advancednetworking
\r
537 [http%3A%2F%2Ffloopityjoop.com%2FLast+Name+Meanings.html Last Name Meanings]
\r
projects / ikiwiki.git / blob