Wednesday, June 18, 2014

DNS by example

Start of Zone Authority
The SOA resource records provide the information that’s needed to resolve domain names to IP
addresses. These files are typically stored in the /var/named directory, but you can name them
anything you want. For this example, I’ll name my SOA file /var/named/

The SOA resource records require a number of fields.
You can include comments in the resource file by typing a semicolon (;) before the comment.

The file entry is as follows,
@ IN SOA sama.expanor.local root.expanor.local (
 2014061601 ; serial number
 3600 ; refresh (1hrs)
 3600 ; retry (1hr)
 151200 ; expire (1 week)
 86400 ) ; default TTL
here, the SOA resource file gives you some detail about the SOA record.
1. The @ symbol represent the dmain name of for the zone.
2. The IN statement stands for Internet Name, and SOA tells that we are defining the SOA for
our domain (ie expanor.local).
3. The first domain name after SOA defines the primary name server for this domain
4. The second field is the administractive email address (root@sama.expanor.local.
(Note: email address uses . (period) rather than @ character in SOA record.
5. After the email address, you start with an opening parenthesis to start the numeric
statements. The next lines indicate parameters for the server.
6. The first number is the serial number, eg, date.01 ( 2014061601; dateVERSION).
Note: Every time you change the resource record, you need to increase the serial number by one
before you restart the service 'named'. When secondary checks for the new information, it first
checks the serial number to make sure it gets the latest information. If serial number is
larger than on the slave, then slave performs a zone transfer. If you never increase this
number, your changes will never take effect.
7. The second number is the refresh rate in second. What this mean is that the value tells the
DNS servers how ofter they should query the primary server to if if there is change in records
that need to be updated.
8. The third number is to check for updates (retires) in seconds if it (slave server) can't
contact it (master) at first attempt.
9. The fourth number is for the slave server which cache the entry. If some reason slave
(secondary) server can't communicate with primary (master) server for a update, they will
discard the cache value after the specified number of seconds. Normally the value is defined
for a week.
10. The last number is for how long the caching servers should wait before allowing an entry to
expire if they can't contact the primary (master) DNS server. Normal value is 5-7 days.
11. Now, you clise the statement with parenthesis.

NS servers
Now, the next entries should be the authoritative NS (Name Server) servers for your domain.
Using the previous example, we would type something like this:

NS sama.expanor.local.
NS sam.expanor.local.
There are two authoritative name servers for the expanor.local domain: sama.expanor.local (the
computer that we’re currently setting up) and sam.expanor.local (a secondary or backup or slave
DNS server). Since both are fully qualified hostnames, they need to have periods after their
Note: If you write the above lines as sama.expanor.local and not as sama.expanor.local, the
server would translate the addresses as sama.expanor.local.expanor.local
MX records
The next etry is for MX (Mail exchanger) record. This entry tells the outside world that the
defined machine will receive mail from external networks. Depending on your environment, you
can have one or two mail (primary/secondary or backup) server. for eg,
MX 10 sama.expanor.local
MX 20 sam.expanor.local

The lines above tells the external networks to try to deliver the mails to sama.expanor.local
first and if its not available, then try to deliver to sam.expanor.local. The number on second
coloum is the priority number. Lower the number higher the priority. So sama will recieve all
the mails unless it is not reachable on the network.

A records
The next entry is A (Address record) records. The address records (A) translates hostname to
ipaddress. You should have A record for all the machines in a network if you want to have a
recognized hostnames. The entry can be as follows.
sama A
sam A
jay A
These lines tell the DNS server that sama.expanor.local is mapped with ip address and jay is mapped with
Note: Since there is no period after the hostname, the DNS server assumes that the domain name
is retain from the current SOA record (expanor.local SOA).
CNAME records (Canonical Name)
Canonical Name (CNAME) records also known as hostname aliases is any other name (common names)
that you want to define for the hostname. That is using CNAME, you can use friendly name to
represent the host. For eg, if you have to define a mail serverm, you can do as follows,
which represent the same server and can be reached through either name.
Note: For CNAME to work, you must define an address (A) or Mail Exchange (MX) record. for eg,
sama IN A
mail IN CNAME sama
www IN CNAME sama
ftp IN CNAME sama
mail2 IN CNAME sam

mail.expanor.local, www.expanor.local and ftp.expanor.local map to sama.expanor.local. You also
have to define the alias for mail2.expanor.local which points to sam.expanor.local.
Now, the final forward lookup resolution for the domain expanor.local looks like follows,

$ cat /var/named/expanor.frwd
@ IN SOA sama.expanor.local root.expanor.local (
 2014061601 ; serial number
 3600 ; refresh (1hrs)
 3600 ; retry (1hr)
 151200 ; expire (1 week)
 86400 ) ; default TTL
; specify the name servers for the domain.
NS sama.expanor.local.
NS sam.expanor.local.
; define mail servers
MX 10 sama.expanor.local
MX 20 sam.expanor.local
; define the ipaddress for the server
sama A
sam A
jay A
; define alias
mail IN CNAME sama
www IN CNAME sama
ftp IN CNAME sama
mail2 IN CNAME sam

Reverse address resolution database
Now, we have primary SOA and we have to define the reverse lookup information to match the

$ cat /var/named/expanor.frwd
@ IN SOA sama.expanor.local root.expanor.local (
 2014061601 ; serial number
 3600 ; refresh (1hrs)
 3600 ; retry (1hr)
 151200 ; expire (1 week)
 86400 ) ; default TTL
; define name servers
NS sama.expanor.local.
NS sam.expanor.local.

110 IN PTR sama
8 IN PTR sam
160 IN PTR jay
so the SOA and the NS records are exactly the same. The new record type here is the pointer
(PTR) record which is also called reverse resolution record and maps the ipaddress to hostname.
 We define the last octet of the ip address for the defined hostnames which the 'named' service
 points to the ip address to host sama. which resolves to sama.expanor.local and
so on.


[root@sama named]# more /etc/named.conf
// named.conf
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
// See /usr/share/doc/bind*/sample/ for example named configuration files.

options {
        listen-on port 53 {;; };       #Specify your DNS server
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost;; };                # Range of IP
#       allow-transfer  { localhost;;};            # Secondary DNS server
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

logging {
        channel default_debug {
                file "data/";
                severity dynamic;

zone "." IN {
        type hint;
        file "";

//zone "" in {
//      type master;
//      file "home.local";

// Define your zone here

zone    "expanor.local" IN {
        type master;
        file "";
        allow-update { none; };

// Specify your reverse zone info
zone    "" IN {
        type master;
        file "";
        allow-update { none; };

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


[root@sama named]# more
$TTL 86400
@       IN      SOA     sama.expanor.local. root.expanor.local.(
        201504191; Serial #
        3600    ; Refress interval
        1800    ; Retry time
        604800  ; Expire time
        86400   ; Max time to live TTL
@       IN NS   sama.expanor.local.  ; Primary DNS server
@       IN NS   sam.expanor.local.  ; secondary DNS server
@       IN MX 10 mail.expanor.local. ; Mail server MX record
sama    IN A
sam     IN A
suvi    IN A
chandra IN A
surya   IN A
jay     IN A
devi    IN A
pramila IN A
myu     IN A
ram     IN CNAME        sama
mail    IN CNAME        sama
vmware  IN A
beena   IN A
mohan   IN A
bikash  IN A
kuldeep IN A
fairfax IN A


[root@sama named]# more
$TTL    864000;
@       IN SOA  sama.expanor.local. root.expanor.local. (
        201504191       ; Serial #
        3600            ; Refresh time
        1800            ; Retry time
        604800          ; Expire
        86400)          ; Minimum TTL

;$TTL 1D
;@       IN      SOA     sama.expanor.local root.expanor.local. (
;201406110       ; serial
;2H              ; refresh slaves
;5M              ; retry
;1W              ; expire
;1M              ; Negative TTL

           NS   sama.expanor.local.
           NS   sam.expanor.local.
110     IN PTR  sama.expanor.local.
8       IN PTR  sam.expanor.local.
150     IN PTR  chandra.expanor.local.
160     IN PTR  surya.expanor.local.
180     IN PTR  devi.expanor.local.
170     IN PTR  jay.expanor.local.
190     IN PTR  pramila.expanor.local.
20      IN PTR  myu.expanor.local.
99      IN PTR  vmware.expanor.local.
250     IN PTR  fairfax.expanor.local.
[root@sama named]#

[root@sama named]# cat /etc/resolv.conf
# Generated by NetworkManager
search expanor.local

[root@sama named]# more /etc/nsswitch.conf
hosts:      files dns

updated info,

[root@localhost opt]# dig sama.expanor.local

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>> sama.expanor.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6583
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;sama.expanor.local. IN A

sama.expanor.local. 86400 IN A

expanor.local. 86400 IN NS sam.expanor.local.
expanor.local. 86400 IN NS sama.expanor.local.

sam.expanor.local. 86400 IN A

;; Query time: 2 msec
;; WHEN: Mon Apr 20 07:47:16 2015
;; MSG SIZE  rcvd: 100

Let's examine the some dig output values:

Look at the section between Got answer and Question Section,  you will see the header information.
The line beginning with ->> HEADER <<- is the first part of the header of the reply message that dig received from the remote name server. The opcode in the header is always QUERY, just as it is with nslookup. The status is NOERROR; "Showing the Query and Response Messages". The ID is the message ID, a 16-bit number used to match responses to queries.

Just belo the line, you see the 'flags'. glags tell us more about the response. qr indicates that the message was a response, not a query. dig decodes responses, not queries, so qr will always be present. Not so with aa or rd, though. aa indicates that the response was authoritative, and rd indicates that the recursion desired bit was set in the query (since the responding name server just copies the bit from the query to the response). Most of the time rd is set in the query, you'll also see ra set in the response, indicating that recursion was available from the remote name server.

The next field tells you that dig asked one question and received one answer in ANSWER section, 2 on AUTHORITY section and 1 additional information.

At the end, dig gives the summary information about the query and response. The first line shows you how long it took the remote name server to return the response after dig sent the query. The second line shows you from which host you sent the query and to which name server you sent it. The third line is a timestamp showing when the response was received. And the fourth line shows you the size of the query and the response, in bytes.

No comments:

Post a Comment