Ensurepass

19. BIND
19.1 Overview
1. BIND 9
2. Resolves hostnames to IP addresses (forward lookup).
3. Resolves IP addresses to hostnames (reverse lookup).
4. Provides e-mail routing information.
5. Packages
o bind – Primary package. Provides binaries, documentation, configs, etc.
o bind-utils – Tools used to query DNS servers.
o bind-conf – Contains tools to configure a DNS server.
o caching-nameserver – Includes necessary configuration files to make BIND a caching only nameserver.
Important files provided by caching-nameserver:
/var/named/localhost.zone # Forward zone for localhost
/var/named/named.ca # “Hints” file. Contains root servers
/var/named/named.local # Reverse zone for localhost

o openssl – Needed for some of BIND’s security features.
6. Ports
o 53 UDP – DNS queries
o 53 TCP – Zone transfers and DNS queries > 512 bytes.
7. redhat-config-bindconf
GUI configuration utility provided by bindconf package.
19.2 Configuration Files
1. /etc/named.conf
o Specifies zones, options, and access controls.
o SEMI-COLON placement is critical!
o Sample named.conf:

    options {
        directory "/var/named";               // Working directory of server
        allow-query { any; };                 // Specify which hosts are allowed to query this server
        allow-transfer { 192.168.1.0/24; };   // Specify hosts that are allowed to receive zone
                                              // transfers from this server
        recursion yes;                        // Enable recursive queries
        allow-recursion { 192.168.1.0/24; };  // Specify which hosts can perform recursive queries.
        version "Surely you must be joking";  // Set version reported by ndc and when querying
                                              // version.bind in the chaos class
    };

    // The following controls who can access this server using rndc.
    // Bind to 127.0.0.1 and allow only localhost access.
    controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
    };

    zone "." IN {                             // Hints file containing root servers
        type hint;
        file "named.ca";
    };

    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
    };

    zone "xyz.com" IN {                       // Forward lookup zone for xyz.com
        type master;                          // This is a master zone
        file "db.xyz.com";                    // Zone information stored in /var/named/db.xyz.com
        allow-update { none; };
    };

    zone "zyx.com" IN {                       // Forward lookup zone for zyx.com
        type master;                          // This is a master zone
        file "db.zyx.com";                    // Zone information stored in /var/named/db.zyx.com
        allow-update { none; };
    };

    zone "somedomain.com" IN {                // Forward lookup zone for somedomain.com
        type slave;                           // This is a slave zone
        masters { 192.168.1.50; };            // Required for a slave zone: where to transfer from (see 19.4)
        file "db.somedomain.com";             // Optional for slave zones. If set, a copy of the zone
                                              // information is kept locally on disk under /var/named.
    };

    include "/etc/rndc.key";                  // Private key used for secure remote administration

See the end of the named.conf man page for more configuration examples.
SECURITY NOTE:
If the following options are left unspecified, they default to allowing access from all hosts.
allow-query
allow-transfer
allow-recursion
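As an added example (not from the original notes), a small Python audit that applies this note to a named.conf: it strips the comment styles named.conf accepts, reads the options block and each zone block, and reports any of the three ACLs that is missing (and so falls back to the all-hosts default) or is set to any. The sample config below is constructed here and the function names are this example's own.

```python
import re

# The page's SECURITY NOTE: these default to "all hosts" when left unspecified.
ACL_OPTIONS = ("allow-query", "allow-transfer", "allow-recursion")

def strip_comments(conf):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def block_body(conf, header):
    """Body of the first '<header> { ... }' statement, allowing one level of nested braces."""
    m = re.search(re.escape(header) + r"\s*\{((?:[^{}]|\{[^{}]*\})*)\}", conf)
    return m.group(1) if m else ""

def acl_value(body, option):
    """Address list of 'option { a; b; };' inside body, or None when the option is absent."""
    m = re.search(re.escape(option) + r"\s*\{([^}]*)\}", body)
    return [t.strip() for t in m.group(1).split(";") if t.strip()] if m else None

def audit_named_conf(conf):
    """Report ACLs that fall back to the all-hosts default or are explicitly set to 'any'."""
    conf = strip_comments(conf)               # so a commented-out option does not count as set
    findings = []
    options = block_body(conf, "options")
    for opt in ACL_OPTIONS:
        acl = acl_value(options, opt)
        if acl is None:
            findings.append(f"options: {opt} unspecified, defaults to all hosts")
        elif "any" in acl and opt != "allow-query":   # open queries are normal for an authoritative server
            findings.append(f"options: {opt} {{ any; }} is open to every host")
    zone_re = r'zone\s+"([^"]+)"[^{]*\{((?:[^{}]|\{[^{}]*\})*)\}'
    for name, body in re.findall(zone_re, conf):  # per-zone allow-transfer overrides the global one
        acl = acl_value(body, "allow-transfer")
        if acl is not None and "any" in acl:
            findings.append(f'zone "{name}": allow-transfer {{ any; }} lets any host copy the zone')
    return findings

SAMPLE_CONF = """// constructed sample named.conf, not the page's
options {
    directory "/var/named";
    allow-query { any; };
    allow-transfer { any; };         # BAD: every host may pull every zone
    recursion yes;                   /* allow-recursion left out: open resolver */
};
zone "xyz.com" IN { type master; file "db.xyz.com"; allow-transfer { 192.168.1.45; }; };
zone "zyx.com" IN { type master; file "db.zyx.com"; allow-transfer { any; }; };
"""
```

Run `audit_named_conf(open("/etc/named.conf").read())` on a real server to list the ACLs that need tightening.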

2. /etc/nsswitch.conf
o Not part of BIND, but must be set up correctly in order for local processes to use BIND for host resolution.
o Specifies the order in which resources are queried in order to resolve hostnames, IP addresses, etc.
o Partial example:

    hosts:      files dns
    networks:   files
    protocols:  files nisplus

The "hosts" line specifies that we should first check our local files (e.g. /etc/hosts) for hostname resolution before consulting DNS. The "networks" line states that only our local files (e.g. /etc/networks) should be consulted for network information. The "protocols" line says we should first consult our local files (e.g. /etc/protocols) for protocol information, and then consult nisplus if the entry isn't found in our local files.
3. /etc/hosts
o Not part of BIND, but must be set up correctly in order for host resolution to work.
o See host resolution above.
4. /etc/resolv.conf
o Not part of BIND, but must be set up correctly in order for host resolution to work.
o See host resolution above.
19.3 Caching Only Name Servers
1. Not authoritative for any zone.
2. Uses the DNS root servers, or another name server known as a forwarder, to resolve DNS queries.
3. To create a forwarding name server, put the following line in the "options" section of the /etc/named.conf file:

    forwarders { 192.168.1.20; };

4. If you want BIND to use only its forwarders to resolve hosts, and never the root name servers, also put the following line in the "options" section of the /etc/named.conf file:

    forward only;

The "forwarders" option specifies which DNS server or servers queries should be forwarded to for resolution.
19.4 Zones
1. Overview
o Specified in /etc/named.conf.
o No trailing “.” on FQDN.
o “IN” after zone name is optional (see sample named.conf above for example).
2. Master Zones
o DNS server is authoritative for that zone.
o All domains must have one.
o Example:

    zone "somedomain.com" {
        type master;
        file "db.somedomain.com";
        allow-transfer { 192.168.3.4; };
    };

3. Slave Zones
o Provides backup service to "masters".
o Example:

    zone "somedomain.com" {
        type slave;
        masters { 192.168.1.50; };
        file "db.somedomain.com";
    };

o masters – Specifies the DNS server that is the "master" of this domain.
o file – Not required for slave. If specified, indicates the name of the local file where the zone information is kept.
o When a slave server starts, it checks the serial number for the zone on the master. If it's been updated, the slave performs a zone transfer to get the latest information. If it hasn't, and the slave has the zone on disk (e.g. the file directive was used), it will load the information directly from disk, reducing network traffic.
o Slaves must be given permission to perform zone transfers by the master server. In /etc/named.conf:

    options {
        …
        allow-transfer { 192.168.1.45; };
        …
    };

Or you can specify the "allow-transfer" directive on a per zone basis as shown above.
4. Reverse Lookup Zones
o Used to resolve IP to hostname.
o Special domain .in-addr.arpa is used.
o Zone name is created by reversing the octets in the network portion of the IP address and appending .in-addr.arpa to it.
For example, to provide reverse lookups for all hosts in the IP range 192.168.1.0/24, use the following zone name:

    1.168.192.in-addr.arpa

o Example:

    zone "1.168.192.in-addr.arpa" {
        type master;
        file "db.1.168.192.in-addr.arpa";
    };

    zone "0.0.127.in-addr.arpa" {   # Loopback zone
        type master;                # Should NEVER be a slave
        file "db.0.0.127.in-addr.arpa";
    };

5. Root Zone
o Special zone that specifies the root servers.
o Zone type is "hint".
o Example:

    zone "." {
        type hint;
        file "named.ca";   # Contains root DNS servers
    };

o Used when a query isn't resolvable by any of the other configured zones.
o Update the root servers from ftp://rs.internic.net/domain/named.ca or use dig:

    dig @a.root-servers.net

6. Zone Delegation
o Divides up a larger domain into smaller, more manageable domains.
o For example, support.somedomain.com and development.somedomain.com can be delegated to someone else's control to ease the management of the somedomain.com domain.
o Example. In the zone file for somedomain.com, put the following entries:

    support.somedomain.com.     IN NS ns.support.somedomain.com.
    ns.support                  IN A  192.168.44.10

    development.somedomain.com. IN NS ns.development.somedomain.com.
    ns.development              IN A  192.168.45.10

o Both the NS and A records are required in order to delegate a zone.
o These are known as "glue" records that help queries go from one name server to another.
19.5 Resource Records
1. Format
2. [domain/@] [ttl] [class] type rdata [comment]
o domain/@ – Optional. If left blank, defaults to the same value as the last resource record. @ represents the domain name specified in /etc/named.conf for the zone. Otherwise, any name specified will have the domain appended to it unless it ends in a ".".
o ttl – Optional. Time-to-Live. Defaults to the value specified by the $TTL directive if left unspecified. Specifies how long the record can be cached.
o class – Optional. If left unspecified, defaults to IN.
o type – Specifies the type of RR.
o rdata – Specifies RR related data.
o comment – Comments about the RR.
3. Character Restrictions
Hostnames can only consist of A-Z (case insensitive), 0-9, and -.
4. Start of Authority (SOA)
o Every zone must have one and only one.
o Preamble of the zone file.
o Example:

    @ 1D IN SOA ns root (
            2002011201 ; serial
            3H         ; refresh
            15M        ; retry
            1W         ; expire
            1D )       ; minimum

    @ 1D IN SOA ns.somedomain.com. root.somedomain.com. (
            2002011201 ; serial
            3H         ; refresh
            15M        ; retry
            1W         ; expire
            1D )       ; minimum

Both of the above sample SOA RRs are identical when the $ORIGIN is somedomain.com. The name server specified in the SOA record must be a machine with an A record. You cannot use a machine name defined by a CNAME record in the SOA record.
Component Definitions:
1. serial – Used for version control. Every time an update is made to the zone, the serial number must be updated so the slave zones know there has been an update.
2. refresh – How often the slave servers should check the serial number on the master for changes.
3. retry – Amount of time a slave should wait before attempting another "refresh" after a previous refresh has failed.
4. expire – How long a slave should use its DNS information without a refresh from the master.
5. minimum – How long a server should cache negative hits (e.g. no such domain/host).
Values for the above entries can be specified in seconds (default), minutes (M), hours (H), days (D), and weeks (W). You must use a capital letter to specify the unit and there can't be a space between the number and the unit.
86400 = 24H = 1D
5. Name Server (NS)
o Every zone must have at least the master name server specified.
o A FQDN must be used for NS resource records.
o Example:

    @              IN NS ns1.somewhere.com.
    somewhere.com. IN NS ns2.somewhere.com.
                   IN NS ns3.somewhere.com.

All 3 lines refer to the same domain. The @ in the first line refers to the origin (specified by the zone directive in /etc/named.conf). The second line explicitly states the domain (notice the trailing "."). The third line doesn't specify the domain or an @, so it defaults to the domain in the RR above it.
6. Address (A)
o Maps a hostname to an IP address.
o Used by forward lookups.
o Example:

    ns1.somewhere.com. IN A 192.168.20.10   ; FQDN specified. Notice trailing "."
    ns2                IN A 192.168.20.11   ; FQDN isn't required. In the last 4 lines,
    ns3                IN A 192.168.20.12   ; somewhere.com. is appended to ns2, ns3,
    www                IN A 192.168.20.15   ; www, and mail
    mail               IN A 192.168.20.20

7. Canonical Name (CNAME)
o Provides an "alias" or alternate name for an existing host.
o A CNAME record should never be referred to by another CNAME record, an MX record, or an SOA record.
o Example:

    pop  IN CNAME mail
    imap IN CNAME mail

In this case, both pop and imap refer to the "mail" address (A) record in the previous example.
8. Pointer (PTR)
o Maps an IP address to hostname.
o Used in "in-addr.arpa" zones.
o Example (assume a zone of 1.168.192.in-addr.arpa):

    10                          IN PTR ns1.somewhere.com.
    11                          IN PTR ns2.somewhere.com.
    12                          IN PTR ns3.somewhere.com.
    15.1.168.192.in-addr.arpa.  IN PTR www.somewhere.com.
    20                          IN PTR mail.somewhere.com.

Again, if a FQDN isn't specified, the domain is appended to the entry.
9. Mail Exchange (MX)
o Defines a mail exchange for a zone.
o Requires a priority be specified right after the "MX" but before the hostname. The lower the number, the higher the priority.
o Used by MTAs to deliver mail to the zone.
o Should not be used in reverse lookup zones.
o Example:

    @              IN MX 5  mail.somewhere.com.    ; Highest priority
    somewhere.com. IN MX 10 mail2.somewhere.com.
                   IN MX 15 mail3.somewhere.com.   ; Lowest priority

10. Host Information (HINFO)
o Provides information about your host.
o Generally not a good idea to give out any host information due to security concerns.
o Should not be used in reverse lookup zones.
o Example:

    mail IN HINFO i686 Linux-2.4.18
    www  IN HINFO i686 Linux-2.4.17-pre2

19.6 Zone Files
1. Generally located in /var/named.
2. Must begin with a Start Of Authority (SOA) resource record.
3. Contain other resource records.
4. $TTL directive must be specified.
5. Always specify the last "." for a FQDN.
6. Example Forward Zone File:

    $TTL 86400
    $ORIGIN xyz.com.                ; If not specified, it's taken from named.conf

    ; ns1 is a nameserver for the domain. root is the
    ; e-mail address of the owner of the domain. The domain
    ; is appended to each of these values since they don't
    ; end with a period. (e.g. they become ns1.xyz.com
    ; and root.xyz.com)
    @ 1D IN SOA ns1 root (
            2002011901 ; serial
            3H         ; refresh
            15M        ; retry
            1W         ; expire
            1D )       ; minimum

    ; These two lines specify the same domain.
    ; @ means take it from the $ORIGIN or the zone
    ; specified in named.conf
    @             IN NS    ns1.xyz.com.
    xyz.com.      IN NS    ns2.xyz.com.

    ns1           IN A     192.168.1.20
    ns2           IN A     192.168.1.21

    www           IN A     192.168.1.22
    kashyyyk      IN CNAME www
    coruscant     IN CNAME kashyyyk          ; BAD IDEA!!

    www1.xyz.com. IN A     192.168.1.23
    endor         IN CNAME www1

    mail          IN A     192.168.1.24
    backup-mail   IN A     192.168.1.25

    @             IN MX 5  mail              ; Both lines reference
    xyz.com.      IN MX 20 backup-mail       ; the same domain

    support.xyz.com.        IN NS ns.support.xyz.com.       ; Zone delegation
    ns.support              IN A  192.168.2.20

    development.xyz.com.    IN NS ns.development.xyz.com.   ; Zone delegation
    ns.development.xyz.com. IN A  192.168.3.20
7. Example Reverse Zone File:

    $TTL 86400
    $ORIGIN 1.168.192.in-addr.arpa.

    @ 1D IN SOA ns1.xyz.com. root.xyz.com. (
            2002011901 ; serial
            3H         ; refresh
            15M        ; retry
            1W         ; expire
            1D )       ; minimum

    ; These two lines specify the same domain.
    ; @ means take it from the $ORIGIN or the zone specified in named.conf
    @                           IN NS  ns1.xyz.com.
    1.168.192.in-addr.arpa.     IN NS  ns2.xyz.com.

    20                          IN PTR ns1.xyz.com.   ; Domain appended to 20
    21.1.168.192.in-addr.arpa.  IN PTR ns2.xyz.com.   ; Domain not appended (ends with a ".")

    22                          IN PTR www.xyz.com.
    23.1.168.192.in-addr.arpa.  IN PTR www1.xyz.com.

    24                          IN PTR mail.xyz.com.
    25                          IN PTR backup-mail.xyz.com.
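As an added example (not part of the original notes), a small Python parser and checker for the zone-file conventions of sections 19.5 and 19.6: the [domain] [ttl] [class] type rdata layout, the @ and trailing-dot origin rules, the blank-owner default, the time units used by the SOA timers, and the rule that CNAME, NS, MX and SOA must not point at a CNAME alias. The sample zone is constructed here after the page's xyz.com example, and all function names are this example's own.

```python
import re

UNITS = {"": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}  # page: unit letter must be a capital
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}  # rdata slots holding names

def parse_ttl(tok):  # "86400", "3H", "15M", "1W" -> seconds
    return int(tok.rstrip("MHDW")) * UNITS[tok[-1] if tok[-1] in UNITS else ""]

def qualify(name, origin):  # '@' is the origin; a trailing '.' is already an FQDN; else append the origin
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):  # origin = the zone name from named.conf, with its trailing dot
    text = re.sub(r";[^\n]*", "", text)                                           # drop ';' comments
    text = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), text)  # join "( ... )" records
    default_ttl, owner, records = None, None, []
    for line in filter(str.strip, text.splitlines()):
        toks = line.split()
        if toks[0] == "$TTL":                     # default TTL for records that carry none
            default_ttl = parse_ttl(toks[1]); continue
        if not line[0].isspace():                 # a blank owner means "same as the previous RR"
            owner = qualify(toks.pop(0), origin)
        ttl = parse_ttl(toks.pop(0)) if re.fullmatch(r"\d+[MHDW]?", toks[0]) else default_ttl
        if toks[0] == "IN":                       # the class is optional
            toks.pop(0)
        rtype, rdata = toks[0], toks[1:]
        for i in NAME_FIELDS.get(rtype, []):      # the trailing-dot rule applies to rdata names too
            rdata[i] = qualify(rdata[i], origin)
        records.append((owner, ttl, rtype, rdata))
    return records

def check_zone(records):  # page rules: one SOA, first; CNAME, NS, MX and SOA must not point at a CNAME
    aliases = {r[0] for r in records if r[2] == "CNAME"}
    soa = [r for r in records if r[2] == "SOA"]
    problems = [] if soa == records[:1] else ["zone must begin with exactly one SOA"]
    for owner, _, rtype, rdata in records:
        if rtype != "PTR" and rtype in NAME_FIELDS and rdata[NAME_FIELDS[rtype][0]] in aliases:
            problems.append(f"{rtype} for {owner} points at CNAME alias {rdata[NAME_FIELDS[rtype][0]]}")
    return problems

SAMPLE = """$TTL 86400
@ 1D IN SOA ns1 root ( 2002011901 ; serial
        3H 15M 1W 1D ) ; refresh retry expire minimum
@         IN NS    ns1.xyz.com.
          IN MX 5  kashyyyk     ; blank owner = same as the line above; MX to an alias is wrong
ns1       IN A     192.168.1.20
www       IN A     192.168.1.22
kashyyyk  IN CNAME www
coruscant IN CNAME kashyyyk     ; BAD IDEA!!
"""  # constructed sample modelled on the page's xyz.com forward zone, not the page's file verbatim
```

`check_zone(parse_zone(SAMPLE, "xyz.com."))` reports the MX and the chained CNAME; named-checkzone remains the authoritative check before loading a real file.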
