Configuring a DNS Server

Now that we’ve examined DNS from a client viewpoint, and explored concepts like SOAs, IP-to-name mapping, and name-to-IP mapping, it should be obvious what kind of services a DNS server needs to provide to clients. In addition, DNS servers need to be able to support both primary and secondary services as described earlier.

The Berkeley Internet Daemon (BIND) is the most commonly used DNS server for Solaris. It is supplied in a package that is generally installed during the initial system configuration. Its main configuration file is /etc/named.conf for BIND 8 supplied with Solaris 9.

Caution

BIND 4 and earlier used a configuration file called /etc/named.boot; however, these versions are no longer supported by the ISC, and administrators running BIND 4 should upgrade to BIND 8 or 9.

The /etc/named.conf file is responsible for controlling the behavior of the DNS servers and provides the following keywords, which are used to define operational statements:

acl

Defines an access control list that determines which clients can use the server.

include

Reads an external file that contains statements in the same format as /etc/named.conf. This is very useful when your configuration file becomes very large, as different sections can be divided into logically related files.

logging

Determines which activities of the server are logged in the log file specified by the statement.

options

Defines local server operational characteristics.

server

Defines operational characteristics of other servers.

zone

Creates local DNS zones.

Let’s examine a sample statement involving each of these keywords.

acl

If we want to define an access control list for all hosts on the local network (10.24.58.*), we would insert this statement:

acl local_network {
    10.24.58/24;
};

Here, 24 indicates the netmask 255.255.255.0 in prefix notation. Now, if our router was the host 10.24.58.32, and we wanted to prevent any access to the DNS server from that address, we would amend the previous statement to the following:

acl local_network {
    !10.24.58.32; 10.24.58/24;
};

Note that BIND evaluates an address match list in order and the first matching element decides, so the negation of a specific address must precede the subnet that would otherwise permit it; listed after the subnet, the negation would never be reached.
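To see why the order matters, here is a small Python model of BIND's first-match evaluation of an address match list. This is an added example, not BIND's own code; the function names parse_acl and acl_allows are chosen for the example, and it pads truncated prefixes such as 10.24.58/24 to a full dotted address before building the network.

```python
import ipaddress


def _to_network(token: str) -> ipaddress.IPv4Network:
    """Turn one ACL element into a network.

    BIND accepts truncated prefixes like 10.24.58/24; pad the missing
    octets with zeros so the standard library can parse them.
    """
    if "/" in token:
        addr, plen = token.split("/", 1)
        octets = addr.split(".")
        while len(octets) < 4:
            octets.append("0")
        return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)
    # a bare address matches only itself
    return ipaddress.ip_network(token + "/32")


def parse_acl(body: str):
    """Parse the element list of an acl body, e.g. '!10.24.58.32; 10.24.58/24;'.

    Returns a list of (negated, network) tuples in statement order, because
    order is exactly what decides the outcome.
    """
    elements = []
    for raw in body.split(";"):
        token = raw.strip()
        if not token:
            continue
        negated = token.startswith("!")
        if negated:
            token = token[1:].strip()
        elements.append((negated, _to_network(token)))
    return elements


def acl_allows(acl, client: str) -> bool:
    """First matching element wins; a negated match denies; no match denies."""
    ip = ipaddress.ip_address(client)
    for negated, network in acl:
        if ip in network:
            return not negated
    return False


if __name__ == "__main__":
    # constructed clients: an ordinary host and the router from the text
    correct = parse_acl("!10.24.58.32; 10.24.58/24;")
    reversed_order = parse_acl("10.24.58/24; !10.24.58.32;")
    for client in ("10.24.58.5", "10.24.58.32", "10.24.59.1"):
        print(client, "correct:", acl_allows(correct, client),
              "reversed:", acl_allows(reversed_order, client))
```

With the negation first, 10.24.58.32 is denied while the rest of the subnet is allowed; with the subnet first, the router matches the subnet element and the negation is never consulted, so the intended block silently does nothing.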

include

A little later, we’ll examine how to configure DNS zones. Since these definitions can be very long for large networks, administrators often place them in a separate file so that they can be managed separately from ACL definitions and system options. Thus, to include all of the zone definitions from the file /var/named/zones.conf, we would insert the following statement into the /etc/named.conf file:

include "/var/named/zones.conf";

options

The options section sets key parameters that affect the runtime behavior of the BIND server. Typically, these are the directories in which the zone databases are stored, and the file in which the process ID of the named process is stored. The following example gives the standard options for BIND 8:

options {
    directory "/var/named";
    pid-file "/var/named/pid";
};

server

The server statement defines characteristics of remote name servers. There are two main options that can be set with a server statement: whether or not a remote server is known to transmit incorrect information, and whether or not the remote server can answer multiple queries during a single request. A sample server statement would look like this:

server 10.24.58.32
{
     bogus yes;
     transfer-format many-answers;
};

zone

A zone must be created for each network or subdomain that your DNS server manages. Zones can be created as either primary (type master) or secondary (type slave), depending on whether this server is authoritative for a particular domain. Entries for IP-to-name and name-to-IP mappings must also be included to correctly resolve both IP addresses and domain names. For the domain cassowary.net, the following zone entries would need to be created:

zone "cassowary.net"
{
     type master;
     file "cassowary.net.db";
};
zone "58.24.10.in-addr.arpa"
{
     type master;
     file "cassowary.net.rev";
};

In this case, the two zone files /var/named/cassowary.net.db and /var/named/cassowary.net.rev need to be populated with host information. A sample /var/named/cassowary.net.db file would contain SOA entries like this:

$TTL 86400          ;default TTL for records without one (required by BIND 8.2 and later)
@    IN    SOA    cassowary.net.    root.cassowary.net.    (
        2000011103  ;serial number (YYYYMMDDnn)
        10800       ;refresh every three hours
        1800        ;retry every 30 mins
        1209600     ;Two week expiry
        604800)     ;minimum (negative caching) TTL of one week
        IN    NS    ns.cassowary.net.
        IN    MX    10    firewall.cassowary.net.
;host names start in column 1: a line beginning with whitespace reuses the previous owner
;ns.cassowary.net. also needs its own A record (not shown here)
firewall    IN    A    10.24.58.1    ;firewall
natalie     IN    A    10.24.58.2    ;webserver
catherine   IN    A    10.24.58.3    ;webserver
tazdevil    IN    A    10.24.58.4    ;kerberos
security    IN    CNAME    tazdevil

A sample /var/named/cassowary.net.rev file would contain SOA entries like this:

$TTL 86400           ;default TTL for records without one (required by BIND 8.2 and later)
@    IN    SOA    58.24.10.in-addr.arpa.    root.cassowary.net.  (
        2000011103   ;serial number (YYYYMMDDnn)
        10800        ;refresh every three hours
        1800         ;retry every 30 mins
        1209600      ;Two week expiry
        604800)      ;minimum (negative caching) TTL of one week
        IN    NS     ns.cassowary.net.
1       IN    PTR    firewall.cassowary.net.
2       IN    PTR    natalie.cassowary.net.
3       IN    PTR    catherine.cassowary.net.
4       IN    PTR    tazdevil.cassowary.net.

Each host within the domain must have an IP-to-name mapping as well as a name-to-IP mapping. Once a change is made to a zone file, the serial number must be incremented, since secondary servers compare serial numbers to decide whether a zone transfer is needed and will keep serving stale data if the serial does not increase. Note that in addition to address (A) and pointer (PTR) records for IP addresses and domain names, it is also possible to identify hosts as mail exchangers (MX) and by canonical names (CNAME). The former is required to define which host is responsible for handling mail within a domain, while the latter is used to create aliases for specific machines (thus, the tazdevil Kerberos server is also known as security.cassowary.net).
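The two requirements in the paragraph above, matching forward and reverse records and a serial that always increases, are easy to get wrong by hand. The following Python script is an added example, not part of the original page or of BIND: it parses master-file zone text (handling comments, parenthesised SOA continuations and owner inheritance for lines beginning with whitespace), reports every A record without a matching PTR and vice versa, and computes the next serial in the YYYYMMDDnn convention. The embedded zone text is a constructed sample built from the records on this page; the function names are chosen for the example.

```python
from datetime import date

# Constructed sample zones using the records from the page.
FORWARD_ORIGIN = "cassowary.net."
FORWARD_ZONE = """\
$TTL 86400
@    IN    SOA    cassowary.net.    root.cassowary.net.    (
        2000011103  ;serial number
        10800 1800 1209600 604800)
        IN    NS    ns.cassowary.net.
        IN    MX    10    firewall.cassowary.net.
firewall    IN    A    10.24.58.1
natalie     IN    A    10.24.58.2
catherine   IN    A    10.24.58.3
tazdevil    IN    A    10.24.58.4
security    IN    CNAME    tazdevil
"""
REVERSE_ORIGIN = "58.24.10.in-addr.arpa."
REVERSE_ZONE = """\
@    IN    SOA    58.24.10.in-addr.arpa.    root.cassowary.net.  (
        2000011103   ;serial number
        10800 1800 1209600 604800)
        IN    NS     ns.cassowary.net.
1       IN    PTR    firewall.cassowary.net.
2       IN    PTR    natalie.cassowary.net.
3       IN    PTR    catherine.cassowary.net.
4       IN    PTR    tazdevil.cassowary.net.
"""


def _logical_lines(text):
    """Yield one record per item: comments stripped, ( ) continuations joined."""
    buf, depth = [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()
        if not line.strip() and not buf:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            # buf[0] keeps its leading whitespace, which carries meaning below
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_records(text, origin):
    """Return (owner_fqdn, TYPE, rdata_tokens) triples.

    A line starting with whitespace has no owner field and inherits the
    previous owner, as in RFC 1035 master file format.
    """
    records, owner = [], origin
    for logical in _logical_lines(text):
        if logical.startswith("$"):
            continue  # $TTL / $ORIGIN directives are not resource records
        tokens = logical.split()
        if not logical[0].isspace():
            owner = _fqdn(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)  # optional TTL and class precede the type
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records


def soa_serial(records):
    for _, rtype, rdata in records:
        if rtype == "SOA":
            return int(rdata[2])
    raise ValueError("zone has no SOA record")


def forward_map(records):
    return {owner: rdata[0] for owner, rtype, rdata in records if rtype == "A"}


def reverse_map(records):
    out = {}
    for owner, rtype, rdata in records:
        if rtype == "PTR":
            labels = owner.rstrip(".").split(".")[:-2]  # drop in-addr.arpa
            out[".".join(reversed(labels))] = rdata[0]
    return out


def check_consistency(fwd_text, fwd_origin, rev_text, rev_origin):
    """Sorted list of mismatches between A and PTR data; empty means consistent."""
    a = forward_map(parse_records(fwd_text, fwd_origin))
    ptr = reverse_map(parse_records(rev_text, rev_origin))
    problems = [f"A {n} -> {ip} has no PTR back to {n}" for n, ip in a.items() if ptr.get(ip) != n]
    problems += [f"PTR {ip} -> {n} has no A back to {ip}" for ip, n in ptr.items() if a.get(n) != ip]
    return sorted(problems)


def next_serial(current, today_yyyymmdd):
    """YYYYMMDDnn: first change of the day gets nn=01; never go backwards."""
    candidate = today_yyyymmdd * 100 + 1
    return candidate if candidate > current else current + 1


if __name__ == "__main__":
    for line in check_consistency(FORWARD_ZONE, FORWARD_ORIGIN, REVERSE_ZONE, REVERSE_ORIGIN) or ["zones agree"]:
        print(line)
    serial = soa_serial(parse_records(FORWARD_ZONE, FORWARD_ORIGIN))
    print("next serial:", next_serial(serial, int(date.today().strftime("%Y%m%d"))))
```

Run it after every edit to both files: a PTR that names a host with no A record, or a host added to the forward zone without its reverse entry, shows up immediately, and the suggested serial never falls below the one already published to secondaries.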



Part I: Solaris 9 Operating Environment, Exam I