Objectives
To describe the structure and function of Domain Name Services (DNS)
How to test name services (DNS)
About the Berkeley Internet Name Domain (BIND)
How to use the client configuration files
How to set up a caching name server
How to configure the iptables firewall for DNS services
How to create a primary1 name server from a caching name server including both forward and reverse zones
How to use several types of records commonly found in zone files
Introducing Domain Name Services
Surfing the Web is fun and easy, but think what it would be like if you had to type in the IP address of every web site you wanted to view. For example, locating a web site would look like this when you type it in – https://93.184.216.34 – which would be nearly impossible for most of us to remember. Of course, using bookmarks would help but suppose your friend tells you about a cool new web site and tells you to go to 93.184.216.34. How would you remember that? Telling someone to go to “Opensource.com,” for example, is far easier to remember than 54.204.39.132.
The Domain Name Services system provides the database to be used in the translation from human-readable hostnames, such as www.opensource.com, to IP addresses, like 54.204.39.132, so that your Internet-connected computers and other devices can access them. The primary function of the BIND software (Berkeley Internet Name Domain software) is that of a domain name resolver which utilizes that database. There are other name resolver software, but BIND is currently the most widely used DNS software on the Internet. I will use the terms name server, DNS, and resolver pretty much interchangeably throughout this chapter.
Without these name resolver services, it would be nearly impossible to surf the Web as freely and easily as we do. As humans, we tend to do better with names like Opensource.com, while computers do much better with numbers like 54.204.39.132. So we need a translation service to convert the names that are easy for us to the IP addresses that are easy for our computers.
The /etc/hosts file
In small networks, the /etc/hosts file on each host can be used as a simple local name resolver. The SysAdmin would add and manage entries in the hosts file. Maintaining copies of this file on several hosts can become very time-consuming and errors can cause much confusion and wasted time before they are found. Experiment 4-1 shows a simple /etc/hosts file. A default hosts file is always present but it would contain only the first two lines. Those two lines enable internal services and commands to translate the localhost hostname to 127.0.0.1 – this is an explicitly defined standard to enable services and commands to deal with the local host.
Experiment 4-1
This experiment must be performed as root on StudentVM1.
Notice that IP addresses can have multiple hostnames associated with them. Only a single host can be assigned an address so these hostnames are aliases and all point to the same host. This can be a way to maintain backward compatibility with previous naming systems, for example. We have also added some hostnames and IP addresses that are not actually present on our network.
Try pinging the hosts that do not exist.
In the second part of this experiment, we pinged the same host – at IP address 192.168.56.1 – using the hostnames of server and studentvm2. Both of these hostnames were correctly resolved to the IP address of 192.168.56.1.
Comment out the lines you added to /etc/hosts by prepending a # character to each line. This is necessary so that the /etc/hosts file will not contain the host resolutions we will be testing with BIND.
I used the /etc/hosts file to manage name services for my network for several years. It ultimately became too much trouble to maintain even with only the usual 8 to 12 computers I usually have operational. As a result, I converted to running my own name server to resolve both internal and external hostnames.
Most networks of any size require centralized management of this service with name services software such as BIND. BIND is called that because it was developed by the University of California Berkeley (UCB) in the early 1980s. Hosts use the Domain Name System (DNS) to locate IP addresses from the names given in software such as web browsers, email clients, SSH, FTP, and many other Internet services.
How a name search works
- 1.
First, I type in the URL or select a bookmark containing that URL. In this case, the URL is www.opensource.com.
- 2.
The browser client, whether it is Opera, Firefox, Chrome, Min, Lynx, Links, or any other browser, sends the request to the operating system.
- 3.
The operating system first checks the /etc/hosts file to see if the hostname is there. If so, the IP address of that entry is returned to the browser. If not, we proceed to the next step. In this case, we assume that the name is not in /etc/hosts.
- 4.
The hostname is then sent to the first name server specified in /etc/resolv.conf. In this case, the IP address of the first name server is my own internal name server. For this example, my name server does not have the IP address for www.opensource.com cached and must look further afield. So we go on to the next step.
- 5.
The local name server sends the request to a remote name server. This can be one of two destination types, one type of which is a forwarder. A forwarder is simply another name server such as the ones at your ISP, or a public name server such as Google at 8.8.8.8 or 8.8.4.4. The other destination type is that of the top-level root name servers. The root servers don't usually respond with the desired target IP address or www.opensource.com; they respond with the authoritative name server for that domain. The authoritative name servers are the only ones that have the authority to maintain and modify the data for a domain.
- 6.
The local name server is configured to use the root name servers so the root name server for the com. top-level domain returns the IP address of the authoritative name server for opensource.com. That IP address could be for any one of the three (at the time of this writing) name servers, ns1.redhat.com, ns2.redhat.com, or ns3.redhat.com.
- 7.
The local name server then sends the query to the authoritative name server which returns the IP address for www.opensource.com.
- 8.
The browser uses the IP address for www.opensource.com to send a request for a web page which is downloaded to the browser.
One of the important side effects of this name search is that the results are cached for a period of time by my local name server. That means that the next time I, or anyone on my network, wants to access Opensource.com, the IP address is probably already stored in the local cache which prevents doing another remote lookup.
The DNS database
The DNS system is dependent upon its database to perform lookups on hostnames to locate the correct IP address. The DNS database is a general-purpose distributed, hierarchical, replicated database. It also defines the style of hostname used on the Internet, properly called a fully qualified domain name (FQDN).
- 1.
The top-level domain names (TLDNs) such as .com, .net, .biz, .org, .info, .edu, and so on provide the last segment of a FQDN. All TLDNs are managed on the root name servers. Aside from the country top-level domains such as .us, .uk, and so on, there were originally only a few main top-level domains. As of February 2017, there are 1,528 top-level domains.
- 2.
The second-level domain name is always immediately to the left of the top-level domain when specifying a hostname or URL. So names like redhat.com, opensource.com, getfedora.org, and example.com provide the organizational address portion of the FQDN.
- 3.
The third level of the FQDN is the hostname portion of the name. So the FQDN of a specific host in a network would be something like host1.example.com.
A very simplified representation of the DNS database hierarchical structure
The true top level consists of the root name servers. These are a limited number of servers that maintain the top-level DNS databases. The root level may contain the IP addresses for some domains and the root servers will directly provide those IP addresses where they are available. In other cases, the root servers provide the IP addresses of the authoritative server for the desired domain.
For example, assume we want to browse www.opensource.com. Our browser makes the request of the local name server which does not contain that IP address. My local name server is configured to use the root servers when an address is not found in the local cache, so it sends the request for www.opensource.com to one of the root servers. Of course, the local name server must know how to locate the root name servers so it uses the /var/named/named.ca file which contains the names and IP addresses of the root name servers. The named.ca file is also known as the hints file.
In this example, the IP address for www.opensource.com is not stored by the root servers. The root server uses its database to locate the name and IP address of the authoritative name server for www.opensource.com. The local name server queries the authoritative name server which returns the IP address of www.opensource.com. The local name server then responds to the browser's request and provides it with the IP address. The authoritative name server for Opensource.com contains the zone files for that domain.
The Internet Assigned Numbers Authority (IANA)2 is responsible for global coordination and management of IP address and autonomous system (AS) number assignments. This organization coordinates the assignments of IP addresses to large geographic–political entities. Registries within those divisions are responsible for assigning addresses to customers such as ISPs. The IANA web site has a great deal of information that you may find useful.
The dig command is a powerful tool that can tell us a lot of information about the DNS configuration for a host. The dig command returns the actual records from the DNS database and displays the results in four main sections.
Experiment 4-2
Refer to the results of this experiment as you read the descriptions of these sections.
QUESTION: The first section of specific interest in Experiment 4-1 is the QUESTION section. For our example, it states that we are looking for the A record of “www.opensource.com”. Notice the dot at the end of the top-level domain name. This explicitly indicates that .com. is the final domain name component in the hostname.
ANSWER: This section shows two entries, a CNAME record and an A record. A records are the primary name resolver records, and there must be an A record which contains the IP address for each host. CNAME stands for canonical name, and this record type is an alias for the A record and points to it. It is not typical practice to use “www” as the hostname for a web server. It is common to see a CNAME record that points to the A record of the FQDN. However, that is not quite the case here. Notice that the A record for opensource.com does not have a hostname associated with it. It is possible to have a record that applies to the domain as a whole as is the case here.
AUTHORITY: The AUTHORITY section lists the authoritative name servers for the opensource.com domain. In this case, those are the Red Hat name servers. Notice that the record type is NS for these entries.
ADDITIONAL: The ADDITIONAL section lists the A records for the Red Hat name servers.
Following the ADDITIONAL section, you can find some additional interesting information, including the IP address of the server that returned the information shown in the results. In this case, it was my own internal name server.
Common DNS record types
There are a number of different DNS record types, and I want to introduce some of the more common ones here. Later in this chapter, you will create your own name server using BIND and will use many of these record types. These record types are used in the zone files that comprise the DNS database. One common field in all of these records is “IN” which specifies that these are INternet records. You can find a complete list of DNS record types at Wikipedia.3
I will make the assertion in this discussion that studentvm2.example.com is the BIND name server which is why its hostname appears in these records. The example.com domain is a valid domain and is used for testing purposes on the Internet. It can also be used for internal testing and we will be doing that later in this chapter. Therefore, the sample listings in the following figures will use example.com for the domain name.
SOA
The first line of the SOA record contains the name of the server for the zone and the zone administrator, in this case root.
The second line is a serial number. In this example, I use the date in YYYYMMDDXX format where XX is a counter for 00 to 99. The serial number in the SOA record represents the first version of this file on October 15, 2018. This format ensures that all changes to the serial number are incremented in a numerically sequential manner. That is important because secondary name servers only replicate from the primary server when the serial number of the zone file on the primary is greater than the serial number on the secondary. Be sure to increment the serial number when you make changes or the secondary server will not sync up with the modified data.
The rest of the SOA record consists of various times that secondary servers should perform a refresh from the primary and wait for retries if the first refresh fails. It also defines the amount of time before the zone's authoritative status expires.
Times all used to be specified in seconds, but recent versions of BIND allow other options defined with W=week, D=day, H=hour, and M=minute. Seconds are assumed if no other specifier is used.
$ORIGIN
The @ symbol is used as a shortcut for this variable and any occurrence of @ in the file is replaced by the value of $ORIGIN.
NS
Note that the host, studentvm2.example.com, must also have an A record in the zone. The A record can point to the external IP address of the host or to the localhost address, 127.0.0.1.
A
The A record is the most common type of DNS database record.
AAAA
The AAAA records are used for IPv6 addresses in the DNS system. They perform exactly the same function as A records do for IPv4 addresses.
CNAME
It is good practice to have the A record contain the true hostname of the host. All of the other alias hostnames can be set using CNAME records. It is possible to have multiple A records, each with a different hostname, point to the same IP address, but this is not a good practice because it requires more work if the host’s IP address is changed. The lazy SysAdmin types as little as possible and keeps things like configuration files as simple as possible.
Lookups with the dig command on www.example.com and mail.example.com will return the CNAME record for mail or www and the A record for server.example.com. These records contain only the hostnames with no terminating dot (.), so the domain name as defined in the $ORIGIN variable will be appended to the hostname.
PTR
The PTR records are to provide for reverse lookups. This is when you already know the IP address and need to know fully qualified hostname. For example, many mail servers do a reverse lookup on the alleged IP address of a sending mail server to verify that the name and IP address given in the email headers match. PTR records are located in reverse zone files. Reverse lookups can also be used when attempting to determine the source of suspect network packets.
Be aware that not all hosts have PTR records. Most ISPs create and manage the PTR records for home and small business accounts, so reverse lookups may not provide the needed information. For example, I use Spectrum business class for my Internet connection. I use Google Domains to manage my several external domains including both.org, linux-databook.info, and mtc-llc.net. Google Domains does allow me to create PTR records, but my ISP has already created an authoritative PTR record for my external IP address. I have not taken much time to explore whether this can be changed or not but early experiments indicate not.
MX
Domains may have multiple mail servers defined. The number “10” in the above MX record is a priority value. Other servers may have the same priority or different ones. The lower numbers define higher priorities. So if all mail servers have the same priority, they would be used in round-robin fashion. If they have different priorities, the mail delivery would first be attempted to the mail server with the highest priority – the lowest number – and if that mail server did not respond, delivery would be attempted to the mail server with the next highest priority.
Other records
There are other types of records that you may encounter in the DNS database. One type, the TXT records, are used to record comments about the zone or hosts in the DNS database. TXT records can also be used for DNS security. The rest of the DNS record types are outside the scope of this chapter.
Using BIND
BIND is the Berkeley Internet Name Daemon (Domain). It is used to centrally manage name services, generally in medium and large environments. It can, however, be used very successfully in smaller environments as well. Configuring BIND requires editing a number of files. The BIND configuration can be very picky about syntax, and I have found that some syntactical elements that should work apparently do not.
We will first configure a caching name server and then add the necessary configuration components to convert it into a primary name server. We will also configure the DHCP server for client-side DNS configuration.
Preparation
A caching name server cannot replace our use of /etc/hosts to resolve hostnames on the internal network. Compared to using an ISP or other public name server, however, a caching name server can improve both reliability and performance when resolving external names that are commonly used, such as www.cnn.com. I have experienced loss of DNS services from my ISP many times and have found my own name server is far more reliable than most ISPs. The best part is that setting up a caching name server is quite easy. It is also the first step in creating a primary name server that we can use for name resolution inside our own network.
Experiment 4-3
To enable your StudentVM2 host to use itself as a caching name server, you must change the DNS1 line in /etc/sysconfig/network-scripts/ifcfg-enp0s3 to point to your own host. We could change /etc/resolv.conf, but that change would not be persistent through a reboot or a restart of NetworkManager. The /etc/resolv.conf file is recreated by NetworkManager every time the host is booted or NetworkManager is restarted.
Comment out the DNS2 line so that the secondary server will not be listed.
We have now prepared our host so that it can be configured as a caching name server.
Setting up the caching name server
It is necessary to make a couple modifications to the /etc/named.conf file. First, add the IP address of your local student host to the “listen-on port 53” line. This enables named to listen on the external IP address of your host so that other computers can use it as a name server as well.
Note
The named.conf file is very particular about syntax and especially punctuation. Semi-colons are used to delineate the end of an entry and the end of a stanza as well as the end of a line. Be sure to add them in correctly as shown in the samples.
Experiment 4-4
This experiment must be performed as root. In this experiment, we alter the default /etc/named.conf file to create our caching name server. The lines that need to be changed are highlighted in bold. I have removed some comment lines from the version of named.conf shown here to save some space.
By default, BIND refers to the Internet’s root name servers to locate the authoritative name servers for a domain. It is possible to specify other servers that are called “forwarders” to which the local instance of BIND will send requests instead of the root servers. This does increase the possibility of DNS hijacking.
Add a “forwarders” line as shown in the following. This tells your caching DNS server where to obtain IP addresses when they are not already cached locally. The IP address listed there is for the virtual router and DNS server of the virtual network. You could use your local ISP or OpenDNS or some other public name server as your forwarder.
It is not necessary to define any forwarders at all. By default, BIND will use the Internet root servers as defined in the file /var/named/named.ca to locate the authoritative name servers for domains if no forwarders are defined. However, for this part of the exercise, you will define two forwarders in /etc/named.conf. We will use the virtual router/name server of our virtual network with IP address 192.168.56.1 and one of the Google public name servers at IP address 8.8.8.8.
Also add the local network address, 192.168.56.0/24, to the allow-query line. This line specifies the network(s) from which DNS queries will be accepted by this DNS server. Multiple networks can be specified.
Keep the named.conf file open in your editor as you will be making several changes to it during the rest of this chapter.
Configuring IPTables for DNS
The firewall on your student host currently blocks everything except SSH. The firewall must be configured to allow UDP and TCP packets inbound on your name server in order for other hosts to use it for name resolution.
We will take this opportunity to switch from firewalld to IPTables. Firewalld is a wrapper around IPTables and it can be used to create complex and flexible rules for IPTables. Firewalld is overly complex for many networks and many of the rules it creates by default are used to create a zoning structure that is simply not required in most environments. A simple IPTables firewall is just as effective and much easier to manage and understand, especially while learning about firewall rules. This falls under the tenet, “Find the Simplicity,” of my book The Linux Philosophy for SysAdmins.5 Simple things are easier for us as SysAdmins to manage.
We will discuss firewalls using IPTables in more detail in Chapter 6 in this volume. If you are interested in more information about firewalld, Opensource.com has an excellent article6 to get you started.
Experiment 4-5
This experiment must be performed as root on StudentVM2. We will create a simple rule set for IPTables and then we will disable firewalld and enable IPTables.
I have not reproduced the output here because you can see for yourself how complex it is.
This simple set of rules rejects all incoming packets except SSH (tcp port 22) and DNS (udp port 53) which it accepts.
Now we need to switch services. We start by turning down the network interface to ensure that black hat hackers cannot take advantage of the moments in which our server’s firewall is down. Next we need to turn off and disable firewalld, turn on and enable iptables, and finally turn the network interface on again.
The firewall is much simplified and will now accept DNS queries from other hosts on our network.
Start the name service
Now we start the named service and configure the named service to start at every boot.
Experiment 4-6
The named resolver service is now up and ready for local testing.
To test your caching name server, use the dig command to obtain the IP address(es) for some common Internet web sites, such as CNN, Wired, and any others you like. Notice that the results should now show your host as the responding server rather than the virtual router or the Google name server.
Note that on the first attempt, the responding server might be one of the upstream resolvers because your host as client may have timed out waiting for the result from your host as DNS server. Additional attempts will be resolved from the cache of your host as DNS server.
Experiment 4-7
That is a lot of information, so I have snipped out large sections of it to save space here. Clearly, the dig command did return the correct information for CNN. The important bit of data in this result is that the responding server (located near the bottom of the output) is 192.168.56.1 which is the IP address of our new caching DNS server.
The local caching server does not respond immediately the first time a new domain name is resolved. This delay, usually a few hundred milliseconds, should be very small and is the result of having to query the forwarder for the information. After that, query times should be minimal.
This abundance of data is the result of using forwarders. This is not a problem and does not affect the results or speed of queries from application programs and utilities. The dig command is intended to provide data that can be used by a SysAdmin for use in problem determination when there is an issue of some type. You should also be aware that different servers and forwarders may produce different amounts of data in the Authority and Additional sections of the dig output.
Do some additional queries using both dig and nslookup to further verify the results from our server.
We are not quite finished. The caching name server is working as we expect it to, but we do need to ensure that hosts configured by DHCP services now have the correct IP address for our new name server.
Reconfiguring DHCP
This step is important so that hosts being booted on our virtual network are served the correct IP address for the name server. We do not need to turn off the name server in the virtual router, and we do not want to do that anyway because we are using it as a forwarder. Also, I have not found a way to turn off DNS services on the virtual router.
Experiment 4-8
Perform this experiment as root. In this experiment, we change the DNS server to the new one we just created. We will leave the DNS server in the virtual router as an alternative in case our primary name server fails.
Now let’s ensure that the host StudentVM1 receives the correct name server.
Experiment 4-9
It shows the name data for example.net and it also proves that the resolver used to obtain this data is our own name server. Try some additional lookups for additional testing and verification.
Using the top-level DNS servers
We could continue to use the forwarders as the source of our DNS information. Forwarders are not a bad thing and they are very useful in many environments. The problem is that most forwarders are configured to be the DNS servers of the ISP providing the Internet connection. My personal experience is that some ISPs DNS reliability is significantly less than stellar. For a while I used public DNS servers to test them, including Google public DNS which is reliable, fast, and not censored. Some other public DNS systems are censored or redirect you to places you did not intend and subject you to things like advertisements or pages flogging domains for sale.
However, I decided years ago that I would use my own DNS server and that I would also use the top-level DNS servers rather than forwarders. One reason for this is that the top-level servers reflect database record changes much faster than down-level servers. As a SysAdmin I find this helpful when I make changes for my own domains. I also use the top-level servers as a learning experience so that I can more fully understand how to manage that environment for my networks and others.
A really good forwarder is perfectly fine, but let’s now use the top-level servers.
Experiment 4-10
There was a significant delay in getting the return data because of the fact we restarted the named service which flushed the cache. Additional searches on the same name will return much faster because the data is now cached. Notice the difference in the output data. Leave named.conf open in your editor because we will be making more changes to it in this chapter.
Creating a primary name server
Once a caching name server has been created, it is not too difficult to convert it into a full-fledged master name server. We need to change named.conf again and create a couple new files. We will create a domain called example.com which is a valid public domain name reserved for testing labs and classes.
The two new files we will create are the forward and reverse zone files. They will be located in the /var/named directory. Remember that this location is specified by the “directory” directive in the named.conf configuration file.
Creating the forward zone file
The forward zone files are the name database files that are used to cross-reference hostnames with their assigned IP addresses. Each zone file contains the database for a single domain. Each host has at least one A record entry in the zone file with the name of the host and its IP address. Each host may also have one or more CNAME records that provide aliases for the primary hostname.
We are going to create a simple zone file for our example.com domain. This will be our local test instance of the example.com domain and not the public instance.
Experiment 4-11
These entries will give you a few hostnames to experiment with even though some do not exist on the virtual network. Be sure to use today's date and a sequence number for the serial number.
Adding the forward zone files to named.conf
Before your DNS server will work, however, you need to create an entry in /etc/named.conf that will point to your new zone file.
Experiment 4-12
Ping the router and the studentvm1 host. Also ping some external hosts to verify that external name services are still working as expected. You can use the example.org domain for this because we have used example.com for our test domain.
Be aware that it is necessary to use the FQDN for the dig command but not for the nslookup command so long as the domain and search entries are provided in the /etc/resolv.conf file. Ping one of the hosts that does exist, such as the studentvm1 host. Notice that it is not necessary to use the FQDN for this command.
Our name server is up and responding to requests but there is more to do.
Adding CNAME records
Now we will add some CNAME records; these are like aliases. These records can be added almost anywhere after the name server (NS) line in the zone file, but I like to keep them with the A record to which they point which makes it easier to find related records. The example.com.zone file below is what yours should look like when you have finished adding the CNAME entries.
Experiment 4-13
Note that some of the CNAME records ultimately point to the same host IP address for the studentvm1 host. CNAME records can be nested to as many levels as necessary, but it tends to complicate things when there are too many levels of indirection.
Also use the ping command with these CNAME aliases to verify that the end result is a correct ping response.
Creating the reverse zone file
A reverse zone for your domain will provide the ability to do reverse lookups. Many organizations do not do these internally, but reverse lookups can be helpful in doing problem determination. Many spam-fighting configurations such as SpamAssassin look for reverse lookups to verify valid email servers.
Experiment 4-14
You could also name your reverse zone file /var/named/25.168.192.in-addr.arpa which follows older conventions. You can actually name it anything you want because you will point to it explicitly in the named.conf file, but using one of the two conventions will make it easier for others to follow your work.
The serial numbers for the named.conf file, and the forward and reverse zones do not need to be the same. It is important to remember to update the serial number of any given file every time its content is altered. This does provide a way to determine the last time a file was modified if you use the same numbering strategy that I do. It is also critical in an environment where the primary server updates secondary name servers when the primary is changed.
Add the reverse zone to named.conf
We need to add a stanza for the reverse zone file to named.conf to complete the reverse lookup function.
Experiment 4-15
The lines indicating that a network is unreachable refer to the IPV6 network which we have not activated.
Perform some additional testing as you see fit to ensure that the reverse lookup is working. Be sure to test the name services from StudentVM1, too.
At this point, you have a working name server using BIND. Do not turn it off or disable it. You will use your own name server for the rest of these experiments and you will be adding some entries to it.
Chapter summary
Name services is a very important part of making the Internet easily accessible. It binds the myriad disparate hosts connected to the Internet into a cohesive unit that makes it possible to communicate with the far reaches of the planet with ease. It has a complex distributed database structure that is perhaps even unknowable in its totality, yet which can be rapidly searched by any connected device to locate the IP address of any other device that has an entry in that database.
If you are a system administrator on a network of almost any size, you will find it helpful to know how to build your own name server as we did in this chapter.
Exercises
- 1.
Why do local networks and the Internet need name services?
- 2.
What is the sequence of events that will take place in order to obtain the IP address for a host on our own network if we enter the command ping router? Assume the setup is identical to the one which we have created in this course.
- 3.
What difference is there – if any – if we use the command ping router.example.com?
- 4.
Is a reverse zone required for DNS services to work for forward lookups?
- 5.
How is it possible for organizations to use DNS to redirect – not block – web browsing to one or more outside web sites?
- 6.
Can a single name server provide name services for more than one domain such that it can be the authoritative name server for both example.com and example.org – for example?