COMPUTER AND NETWORK
SYSTEM ADMINISTRATION
CIS 5406-01
Summer 1997 - Lesson 17
DNS Configuration
A. Setting up clients
1. check if BIND is implemented in your OS
2. configure /etc/resolv.conf
domain cs.fsu.edu
; nu.cs.fsu.edu
nameserver 128.186.121.10
; mailer.cc.fsu.edu
nameserver 128.186.6.103
; trantor.umd.edu
nameserver 128.8.10.14
3. client will try "nu", then "mailer", then "trantor"
- you can comment out nu and/or mailer then use nslookup
and see results
- or put a bogus address in the first entry to see if the resolver
tries number 2
- the changes take effect immediately
nslookup chi
Server: TRANTOR.UMD.EDU
Address: 128.8.10.14
Name: chi.cs.fsu.edu
Address: 128.186.121.20
B. A look at "nu" as a DNS server
1. here's the file "/etc/named.boot" on nu (named looks here first)
** NOTE: this is an older configuration, when nu was a primary name server
for fsu.edu -- nu is now a secondary name server only (this makes for
a more interesting example, though)! **
domain fsu.edu
;
cache . /usr/named/named.ca
;
primary 0.0.127.IN-ADDR.ARPA /usr/named/named.local
;
primary fsu.edu /usr/named/fsu
primary 201.146.IN-ADDR.ARPA /usr/named/fddi
primary 186.128.IN-ADDR.ARPA /usr/named/revfsu
primary 121.12.192.IN-ADDR.ARPA /usr/named/csrev
primary 122.12.192.IN-ADDR.ARPA /usr/named/cs2rev
primary 82.5.192.IN-ADDR.ARPA /usr/named/statrev
primary 53.80.192.IN-ADDR.ARPA /usr/named/firewall
;
;primary firn.edu /usr/named/firn
;primary 176.150.IN-ADDR.ARPA /usr/named/revfirnb
;
secondary firn.edu 150.176.240.31 /usr/named/firn.bak
secondary 176.150.IN-ADDR.ARPA 150.176.240.31 /usr/named/revfirnb.bak
;
primary famu.edu /usr/named/famu
primary 147.82.192.IN-ADDR.ARPA /usr/named/revfamu
primary 223.168.IN-ADDR.ARPA /usr/named/revfamu2
;
;primary wku.edu /usr/named/wku
;
secondary SCRI.FSU.EDU 144.174.128.17 /usr/named/scri.bak
secondary 174.144.IN-ADDR.ARPA 144.174.128.17 /usr/named/scrib.bak
secondary 169.70.192.IN-ADDR.ARPA 144.174.128.17 /usr/named/scri1.bak
secondary 170.70.192.IN-ADDR.ARPA 144.174.128.17 /usr/named/scri2.bak
;
secondary magnet.fsu.edu 146.201.250.2 /usr/named/magnet.bak
secondary nhmfl.gov 146.201.250.2 /usr/named/nhmfl.bak
secondary 34.190.192.IN-ADDR.ARPA 146.201.250.2 /usr/named/nhmfl-1.bak
secondary 35.190.192.IN-ADDR.ARPA 146.201.250.2 /usr/named/nhmfl-2.bak
secondary 36.190.192.IN-ADDR.ARPA 146.201.250.2 /usr/named/nhmfl-3.bak
;
secondary UWF.EDU 143.88.1.202 /usr/named/uwf.bak
secondary coginst.uwf.edu 143.88.1.202 /usr/named/uwf1.bak
secondary cc.uwf.edu 143.88.1.202 /usr/named/uwfcc.bak
secondary 88.143.IN-ADDR.ARPA 143.88.1.202 /usr/named/revuwf.bak
secondary 50.88.143.IN-ADDR.ARPA 143.88.1.202 /usr/named/revuwf1.bak
;
2. here's the first part of the /usr/named/fsu file
3. look at SOA record (Start Of Authority)
@ IN SOA nu.cs.fsu.edu. dns.mailer.fsu.edu. (
9707161 ;Serial number
3600 ;Secondaries check for refresh every hour
1200 ;Secondaries retry zone xfers every 20 mins
3600000 ;Secondaries expire zone after 1000 hours
86400 ;Minimum TTL of a day
)
- "@" refers to fsu.edu since this was declared in named.boot
- Serial number follows "date + number" scheme
- TTL is one day
- Secondaries check every hour, retry every 20 minutes for 1000 hours
then give up
- So, if we add a new machine the secondaries will grab it in an hour
or less but caches will remain stale for up to 24 hours.
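As an added example (not part of the original lesson), the following Python parses the SOA record above, handling the parenthesised continuation and the ";" comments (a ")" inside a comment does not close the record), and derives the propagation delays the notes describe. The sample input is the lesson's own SOA record re-typed; the RNAME-to-mailbox conversion (first dot stands for "@") is standard zone-file convention.

```python
# The lesson's SOA record re-typed as sample input: parenthesised
# multi-line RDATA with ";" comments (the ")" inside the last comment
# is ignored; only the bare ")" on its own line closes the record).
SAMPLE_SOA = """\
@ IN SOA nu.cs.fsu.edu. dns.mailer.fsu.edu. (
    9707161 ;Serial number
    3600    ;Secondaries check for refresh every hour
    1200    ;Secondaries retry zone xfers every 20 mins
    3600000 ;Secondaries expire zone after 1000 hours
    86400   ;Minimum TTL of a day )
)
"""

FIELDS = ("serial", "refresh", "retry", "expire", "minimum")

def parse_soa(text):
    """Return mname, rname (and rname as a mailbox) plus the five numeric SOA fields."""
    tokens = []
    for line in text.splitlines():
        line = line.split(";", 1)[0]             # comment runs to end of line
        tokens += line.replace("(", " ").replace(")", " ").split()
    if "SOA" not in tokens:
        raise ValueError("no SOA record in input")
    rdata = tokens[tokens.index("SOA") + 1:]
    if len(rdata) != 7:
        raise ValueError("SOA needs MNAME, RNAME and 5 numbers, got %r" % rdata)
    soa = {"mname": rdata[0], "rname": rdata[1]}
    soa["rname_mail"] = rdata[1].rstrip(".").replace(".", "@", 1)  # dns.mailer... -> dns@mailer...
    soa.update(zip(FIELDS, (int(v) for v in rdata[2:])))
    return soa

def propagation(soa):
    """Worst-case delays, in seconds, after a change on the primary, as
    the notes describe them: secondaries notice within REFRESH, resolver
    caches keep an old answer for up to the TTL (here the zone MINIMUM),
    and a secondary that cannot reach the primary keeps serving the old
    zone for EXPIRE, retrying every RETRY seconds."""
    return {"secondary_lag": soa["refresh"],
            "cache_lag": soa["minimum"],
            "stale_serve_limit": soa["expire"],
            "retries_before_expire": soa["expire"] // soa["retry"]}
```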
4. other zone entries in /usr/named/fsu
@ 604800 IN NS mailer.fsu.edu.
604800 IN NS nu.cs.fsu.edu.
604800 IN NS vaxmom.scri.fsu.edu.
604800 IN NS ns1.lbl.gov.
604800 IN NS trantor.umd.edu.
;
- @ sign in first column
- TTL is longer than the default (604800 seconds = 7 days)
- these 5 name servers are (actually were) authoritative for the fsu.edu zone
- the local names are informational only
- note the dots at the end of names, which indicate fully qualified host names
5. zone records that delegate authority
MAGNET 604800 IN NS magnet.fsu.edu.
604800 IN NS NU.CS.FSU.EDU.
604800 IN NS mailer.FSU.EDU.
SCRI 604800 IN NS dns.SCRI.FSU.EDU.
604800 IN NS NU.CS.FSU.EDU.
604800 IN NS VAXMOM.SCRI.FSU.EDU.
604800 IN NS DNS-WEST.NERSC.GOV.
604800 IN NS DNS-EAST.ES.NET.
6. CNAME, A, and HINFO records
- these are the meat of the IP-name map
;
;
$ORIGIN CS.FSU.EDU.
; Computer Science Department, Arts & Sciences
;
ftp IN CNAME export.cs.fsu.edu.
fsucs IN A 128.186.121.1
IN HINFO VAX11-780 UNIX
alpha IN A 128.186.121.2
IN HINFO Sparcstation UNIX
beta IN A 128.186.121.3
IN HINFO Sun2 UNIX
gamma IN A 128.186.121.4
IN HINFO Sun2 UNIX
omicron IN A 128.186.121.27
IN HINFO Sun3 UNIX
IN MX 10 nu
IN MX 20 gauss.math.fsu.edu.
- the CNAME record aliases ftp.cs.fsu.edu to the
machine export.cs.fsu.edu
- note the nonexistent machines
- HINFO should be removed for security reasons
- MX (Mail eXchange) records route email destined for omicron to nu first
(preference 10), then to gauss.math.fsu.edu (preference 20)
7. PTR records - used in reverse lookup file
186.128.IN-ADDR.ARPA. IN PTR fsu.edu.
;
; Lot 121 - Computer Science
;
2.121 IN PTR alpha.cs.fsu.edu. ; 207a LOV
3.121 IN PTR beta.cs.fsu.edu. ; 211 LOV
4.121 IN PTR gamma.cs.fsu.edu. ; 203c LOV
5.121 IN PTR theta.cs.fsu.edu. ; 106 MCH
6.121 IN PTR iota.cs.fsu.edu. ; 106 MCH
C. setting up a caching-only server
- install named, named.boot and a good named.ca (list of root name servers)
D. zone transfers
- implemented using TCP via port 53
E. errors - routed through syslog
- can control via /etc/syslog.conf
Feb 11 07:56:05 nu named[225]: restarted
Feb 11 08:02:59 nu named[225]: No root nameservers for class 4
Feb 11 09:59:55 nu named[223]: zoneref: Masters for secondary zone 36.190.192.IN-ADDR.ARPA unreachable
Feb 23 12:24:02 nu named[110]: hedickmac.magnet.fsu.edu has CNAME and other data (illegal)
F. security
- remove HINFO fields
- limit zone transfers (though anyone can still enumerate the zone by querying each IP in reverse)
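As an added example, not the lesson's own code: a small zone-file checker that resolves $ORIGIN and blank-owner continuation lines (section 6) and flags the two problems raised in sections E and F, HINFO records and a CNAME owner that also carries other data. The zone fragment is constructed for the example; the extra A record under "ftp" is made up to trigger the CNAME check.

```python
# Constructed zone fragment in the lesson's $ORIGIN style; the A record
# under "ftp" is a deliberate conflict with its CNAME (see section E).
SAMPLE_ZONE = """\
$ORIGIN CS.FSU.EDU.
ftp        IN CNAME export.cs.fsu.edu.
           IN A     128.186.121.9
omicron    IN A     128.186.121.27
           IN HINFO Sun3 UNIX
           IN MX 10 nu
"""

CLASSES = {"IN", "CH", "HS"}

def parse_zone(text):
    """Return (owner_fqdn, type, rdata) tuples; a blank owner column
    inherits the previous owner, names without a trailing dot get $ORIGIN."""
    origin, owner, records = ".", None, []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()    # drop comment, tokenize
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1].lower()
            continue
        if not raw[0].isspace():                  # owner column present
            owner = fields.pop(0).lower()
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = owner + "." + origin      # relative name
        if fields and fields[0].isdigit():        # optional TTL
            fields.pop(0)
        if fields and fields[0] in CLASSES:       # optional class
            fields.pop(0)
        records.append((owner, fields[0], fields[1:]))
    return records

def audit(records):
    """Flag HINFO records (section F) and CNAME owners that also hold
    other data, which named logs as illegal (section E)."""
    by_owner = {}
    for owner, rtype, _ in records:
        by_owner.setdefault(owner, set()).add(rtype)
    findings = []
    for owner, types in sorted(by_owner.items()):
        if "HINFO" in types:
            findings.append(f"{owner}: HINFO leaks hardware/OS, remove it")
        if "CNAME" in types and len(types) > 1:
            findings.append(f"{owner}: CNAME with other data {sorted(types - {'CNAME'})}")
    return findings
```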