Friday, October 15, 2004

TriLUG meeting about DNS 

I attended the monthly Triangle Linux Users' Group meeting on 10/14/04, at which Aaron Joyner gave a presentation entitled "DNS: How it works. Why it works. How you can work with it."

My notes from this meeting are as follows:

Introductory overview of DNS...

DNS Server Software:
BIND
DJBDNS
MS DNS Server

History of the servers:
BIND, originally written at UCB, funded by ARPA through v. 4.8.3
Picked up by DEC (now Compaq)
After 4.9.1 picked up by Paul Vixie and Bob Halley
v.8 was released in 1997
Current version is 9.12
If anything older than BIND 9 is used, an upgrade is recommended

History of DJBDNS
written by Dan Bernstein, author of qmail
Written because Dan was unhappy with the status quo
Considered by some to be easier to config

History of MS-DNS
Has a somewhat bad rep, but runs largely on DynDNS

DNS Client/Tools
Resolver Library
nslookup: about to go away
host: preferred alternative to nslookup for simple queries
dig: if you want to know it all. Very verbose. Originally a debugging tool. Output is in config (zone) file format.

host
command outputs a name or IP address

dig
does recursion
very recursive

Recursive DNS query
All queries start with a cache (sometimes just "."). The "." is called the DNS root. The root can be a security concern.
The hints file contains the names and addresses of all the root servers.
DNS queries proceed right to left through the name.
The pattern can be followed with dig using the +norec option, which forces you to walk the delegation step by step.
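As an added illustration (not from the talk or the original post), here is a small in-memory model of that right-to-left walk: start from the hints, ask each server, follow referrals until a zone holds the answer, and cache the result. The root address, delegations and addresses below are constructed sample data, not real servers.

```python
# Added example: a minimal model of an iterative DNS walk, the same steps a
# human follows with `dig +norec`. All data here is constructed sample data.

HINTS = {".": "198.41.0.4"}  # constructed stand-in for one root server entry

# Constructed zone data: zone -> delegations (child zone -> server address)
# and the A answers that zone holds itself.
ZONES = {
    ".": {"delegations": {"com.": "192.0.2.1"}, "answers": {}},
    "com.": {"delegations": {"example.com.": "192.0.2.2"}, "answers": {}},
    "example.com.": {"delegations": {}, "answers": {"www.example.com.": "192.0.2.80"}},
}

def suffixes_right_to_left(name):
    """Suffixes of `name` in the order the walk consults them: '.', 'com.', ..."""
    labels = name.rstrip(".").split(".")
    out = ["."]
    for i in range(len(labels) - 1, -1, -1):
        out.append(".".join(labels[i:]) + ".")
    return out

def resolve(name, cache):
    """Iteratively resolve an A record, recording each server asked.
    Returns (address_or_None, trace); trace entries are (zone, server, result)."""
    name = name if name.endswith(".") else name + "."
    if name in cache:                      # every query starts with the cache
        return cache[name], [("cache", None, "hit")]
    trace, zone, server = [], ".", HINTS["."]   # otherwise start at the root hints
    while True:
        data = ZONES[zone]
        if name in data["answers"]:        # authoritative answer found here
            addr = data["answers"][name]
            trace.append((zone, server, "answer " + addr))
            cache[name] = addr
            return addr, trace
        # Otherwise look for a referral: the longest delegation that is a suffix of the name
        referral = None
        for child, glue in data["delegations"].items():
            if (name == child or name.endswith("." + child)) and \
                    (referral is None or len(child) > len(referral[0])):
                referral = (child, glue)
        if referral is None:               # nobody below this zone to ask
            trace.append((zone, server, "NXDOMAIN"))
            return None, trace
        trace.append((zone, server, "referral to " + referral[0]))
        zone, server = referral            # follow the referral one label to the left
```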

The domain example.com is reserved by IANA to be used for example purposes only.

DNS is usually sent out over UDP. If you have a DNS server, it should really be on a high bandwidth connection. If there is a bottleneck in your WAN, using a local caching server is a really good idea, although it is not the answer to everything.

Alternate Record Types:
MX records
mail exchange. If there is no MX record, the query falls back to the A record. How well that works depends on the mail server type used. Unlike most record types, MX records have a priority assigned to them. An MX record should not point to an address or a CNAME but rather to a host name (A record).
PTR records
pointer record. What you get when you ask for an inverse query. It is getting increasingly important to have these right, for example if you are sending mail to AOL, since they do reverse lookups to see if the DNS record is right, to help in the fight against spam.
CNAME
canonical name. It is a reference. For example, if www and ftp use the same record, ftp can be associated with a CNAME.
SRV records
server record.
How to set up a domain in BIND
/etc/named.conf - all the major options, such as the hints file, are located here
/var/named
/var/named/domain.zone
Various locations for config files, varies by distro

A zone of type hint contains the cache of all of the root servers.

rndc

rndc reload: common way to reload a server; however, it throws away the cache
rndc reconfig: great way to reload the information in named.conf
rndc reload - won't throw away the cache

Views
Allows you to define different "views" of the DNS, based on IP/Subnet matching
Extremely simple

Dynamic DNS
documentation on the web. Look it up there, since we're out of time here.
For the presentation Aaron used his Bluetooth phone to control his slides on the projector. A few jokers in the audience tried to throw him off-balance by sending heckles via SMS to his phone during the presentation.