The Domain Name Service (DNS) allow IP based networks to offer human friendly names for numerically labelled machines. Where it does not matter for computers whether other computers are addressed by letters or numbers, it is more convenient for human beings to use names and it was more convenient for the developers of IP space to use numbers for transferring data between locations.
named implements a DNS through OpenBSD. There are three major revisions of named (bind) 4.x, 8.x, and 9.x. This guide will review the 4.x revision shipped with OpenBSD 2.7. For more recent versions of OpenBSD (e.g. 3.x ~ 4.x) you should consider other documentation such as http://www.kernel-panic.it/openbsd.html.
For the ultimate collection of HOWTos for DNS, try Nicolai Langfeldt's http://www.langfeldt.net/DNS-HOWTO/
Otherwise, the mailing lists is chock-full of answers and different referencing include: ISC's - The BIND 9 Administrator Reference Manual which is apparently in the 3.3 default install.
[ref: named(8), ]
[ref: Setting up DNS by Jeff Moe <jeffdns@verinet.com>]
[ref: SETTING UP YOUR OWN DNS
by Gary Kessler ]
[ref: SoftPanorama]
This page gives a guide to how you can configure DNS using named and OpenBSD 2.7. Although I attempt to provide useful documentation on why certain things are as they are in this document, further readings from the references above and the OpenBSD FAQ will most likely be more instructive rigerous on the intricacies of DNS.
The sample configuration which I would like to set up the DNS for will have three machines as servers (everything else on the lan are client-workstations only.)
The three servers I will use in this configuration are:
| IP Address | hostname | services/aliases | HINFO (cpu_type, OS_type) |
| 192.168.101.1 | iwill | dns, mail | PentiumII-300, OpenBSD 2.7 |
| 192.168.101.77 | athlon | www, ftp | Athlon 600, Win2000Pro |
| 192.168.101.130 | compaq | dns2, mail2 | Pentium 100, OpenBSD 2.7 |
The files I will be using to configure named for my sample domain: mydomain.com are listed below:
| Primary Domain Name Server | |
| Filename | Purpose |
| /etc/resolv.conf | resolver configuration file |
| /var/named/named.boot | named Configuration File |
| The following files are in /var/named/namedb (location and filenames dictated by named.boot configuration file.) | |
| db.mydomain.com.zone | forward address lookups for mydomain.com zone |
| db.mydomain.com.rev | reverse address lookups for mydomain.com zone |
| db.localhost.zone | forward address lookups for localhost zone |
| db.localhost.rev | reverse address lookups for localhost zone |
| db.all-zero.rev | reverse address lookups for all-zero (security item) |
| db.all-one.rev | reverse address lookups for all-one (security item) |
| root.cache | Specify data such as locations of root domain servers |
| Secondary Domain Name Server | |
| /etc/resolv.conf | |
| /var/named/named.boot | |
| The following files are in /var/named/namedb (location and filenames dictated by named.boot configuration file.) | |
| db.localhost.zone | |
| root.cache | |
To hopefully improve the chances of applying this text to different sites, I have used the below colour coding scheme and text layout. (My apologies to those with colour blind-ness)
Line-numbers are in red
Site-specific details are in blue. This includes
names and IP addresses used in my sample site that need to be changed to reflect
your site details.
Filenames begin with db because it minimises my confusion between what
are files and what are domain names.
The machine names have been chosen to make them easily recogniseable within this example, I know it isn't going to expand well into a site with 200 machines, so don't tell me.
First off, we need to configure our OpenBSD box so named is started each time there is a restart. Thankfully, it is installed with a standard installation and all we need to do is set our configurations in /etc/rc.conf.local
To enable named:
Edit the file /etc/rc.conf.local and add the following
lines to Section 1:
named_flags="" #
note use two double-quotes
named_user=named #
note to leave this as per standard setting
named_chroot=/var/named # note to leave this as per standard
setting
The above changes will override the default settings in /etc/rc.conf which reads:
named_flags=NO
named_user=named
named_chroot=/var/named
To start named (and begin testing) without restarting your machine you can use the following command-line:
# named -t /var/named -u named
A tool for managing your named server is /usr/sbin/ndc
| usage: /usr/sbin/ndc (status|dumpdb|reload|stats|trace|notrace|querylog|start|stop|restart) |
As we noted above in the preliminary discussion, we now need to look at editing some configuration files which named will read at each start-up.
When named starts up, it will read its configuration file to determine its behaviour. The boot file contains information about where the name server is to get its initial data. named looks for the boot file named.boot in the startup (chroot) directory it is given "-t directory"
As we have used "-t /var/named" in our above startup command-line (which is the same as what rc (OpenBSD) will do, this means named will look for the file named.boot in the /var/named directory.
Note that lines in the boot file cannot be continued on subsequent lines.
01 ; FILE: /var/named/named.boot 02 ; directory /var/named/namedb 03 directory /namedb 04 ;Type Domain Data file Backup Data File 05 primary mydomain.com db.mydomain.com.zone 06 primary 101.168.192.in-addr.arpa db.mydomain.com.rev 07 primary localhost db.localhost.zone 08 primary 0.0.127.in-addr.arpa db.localhost.rev 09 primary 0.in-addr.arpa db.all-zero.rev 10 primary 255.in-addr.arpa db.all-one.rev 11 cache . root.cache 12 forwarders 207.124.73.129 |
| Figure 1 - /var/named/named.boot |
Explanation:
| 01, | 02, 04 Comments in the file are preceded by a semi-colon ";" |
| 02 | OpenBSD chroots named by default, but if you do not chroot named then you will need to specify the full path for the data files |
| 03 |
The path to the data files from the chroot'ed named. This is the standard location for OpenBSDs 2.7 build. The "directory" line causes the server to change its working directory to the directory specified. This can be important for the correct processing of $INCLUDE files in primary zone files. |
| 05 | The first example "primary" line states that the
file "db.mydomain.com.zone" contains
authoritative data for the "mydomain.com"
zone. The file "db.mydomain.com.zone"
contains data in the master file format described in RFC 883. All domain
names are relative to the origin, in this case, "mydomain.com".
Change mydomain.com to your site domain. |
| 06 |
The second "primary" line states that the file "db.mydomain.com.rev" contains authoritative data for the domain "101.168.192.in-addr.arpa", which is used to translate addresses in network 192.168.101 to hostnames. Change mydomain.com and 101.168.192 to your site domain-name and IP range. (Note that 101.168.192 is the reverse address of the C-class IP address used in this example. 192.168.101.* becomes 101.168.192.addr.arpa) |
| 07 | localhost is a special IP address and we are specifying here that authoritative data for the domain localhost is in the file "db.localhost.zone" |
| 08 | The file "db.localhost.rev" contains authoritative data for the domain 0.0.127.in-addr.arpa, the reverse address for localhost. (The localhost IP is 127.0.0.1, and the reverse of the address is 0.0.127.) |
| 09 |
10 |
| 11 |
The "cache" line specifies where the DNS cache information for the domain root (".") can be found. This is not a "cache," as in short-term memory, but is a set of fixed pointers to the higher-level DNS databases. |
| 12 |
This is my ISPs Primary DNS server. When a name cannot be resolved from our cache, named will 'forward' the query to servers listed as 'forwarders'. More than one line of forwarders can be listed here. Change the IP address 207.124.73.129 to one your ISP has given you. [ref: resolv.conf(5)] The forwarding facility is useful to cause a large sitewide cache to be generated on a master, and to reduce traffic over links to outside servers. It can also be used to allow servers to run that do not have direct access to the Internet, but wish to look up exterior names anyway. |
[ref: resolv.conf(5)]
If the system's resolv.conf file does not exist, then the only database used is file.
The resolv.conf file specifies how the resolver(3) routines in the C library (which provide access to the Internet Domain Name System) should operate. The resolver configuration file contains information that is read by the resolver routines the first time they are invoked by a process.
On a normally configured system this file should not be necessary. The only name server to be queried will be on the local machine, the domain name is determined from the host name, and the domain search path is constructed from the domain name.
1 domain mydomain.com 2 nameserver 192.168.101.1 3 nameserver 192.168.101.130 4 lookup file bind |
| Figure 2 -/etc/resolv.conf |
Explanation:
| 01 |
domain specifies the domain to use when given a shortname. We can do a query on host athlon, iwill, or compaq and the system will check that this is relative to mydomain.com. If no domain entry is present, the domain is determined from the local host name returned by gethostname(3); the domain part is taken to be everything after the first ".". Finally, if the host name does not contain a domain part, the root domain is assumed. Change mydomain.com to your site domain. |
| 02, |
03 nameserver specifies an internet address (in dot notation) that the name resolver will query. A maximum of 3 servers can be listed (on separate nameserver lines) Change the 192.168.101.x to the host address you will use as the name server on your site. |
| If no nameserver is listed then the standard behaviour is to query the name server on the host. | |
| 04 |
lookup specifies which databases should be searched, and the order to do so. Assuming that your /etc/hosts will contain information more up-to-date than the dns records we specify file (/etc/hosts) and then bind. Otherwise, only have your local NICs listed in /etc/hosts and there will be no problem with specifying lookup as in the above. |
"db.mydomain.com.zone" contains authoritative data for the "mydomain.com" zone. All domain names are relative to the origin, in this case, "mydomain.com".
01 ; Start of Authority (SOA) record 02 mydomain.com. IN SOA dns.mydomain.com. dnsowner.mydomain.com. ( 03 2000272400 ; serial # (date format) + [0-9][0-9] 04 10800 ; refresh (3 hours) 05 3600 ; retry (1 hour) 06 604800 ; expire (1 week) 07 86400) ; TTL (1 day) 08 09 ; Name Server (NS) records. 10 IN NS dns.mydomain.com. 11 IN NS dns2.mydomain.com. 12 13 ; Mail Exchange (MX) records. 14 IN MX 20 mail.mydomain.com. 15 IN MX 50 mail2.mydomain.com. 16 ; Address (A) records. (real-names of machines) 17 IN A 192.168.101.1 18 localhost.mydomain.com. IN A 127.0.0.1 19 iwill.mydomain.com. IN A 192.168.101.1 20 athlon.mydomain.com. IN A 192.168.101.77 21 compaq.mydomain.com. IN A 192.168.101.130 22 mail.mydomain.com. IN A 192.168.101.1 23 ; We can continue Address records to list all machines (not only servers) 24 25 ; Aliases in Canonical Name (CNAME) records... 26 27 dns IN CNAME iwill.mydomain.com. 28 www IN CNAME athlon.mydomain.com. 29 ftp IN CNAME athlon.mydomain.com. 30 dns2 IN CNAME compaq.mydomain.com. 31 mail2 IN CNAME compaq.mydomain.com. |
| Figure 3 - /var/named/namedb/db.mydomain.zone |
Explanations
| 01 | Comments are started by semi-colons ";" |
| 02 |
mydomain.com. is the address name we are going to be working with (sometimes you will see this written as @) dns.mydomain.com. is the authoritative dns for this domain. If you choose to use a different dns host naming convention or use a specific hostname for the DNS server, then you should also change dns.* to your naming convention. dnsowner.mydomain.com is the domain name address of the maintaner, e-mail contact (dnsowner@mydomain.com) On my machine I use root, but this option allows you to specify another e-mail address. Note the user-id is followed by a dot "." and not the @. Change mydomain.com to your site domain. |
| 03 |
Start of Authority (SOA) Record Items (a) A serial Number for synchronising revisions of the file. Standard format is to use the current date (YYYYMMDD) and two digits to differentiate revisions for that date (ie. you should change this serial number each time you make changes.) Change this value. |
| 04 | (b) refresh in seconds. The refresh value tells the secondary name server(s) how often to check for updated information (10,800 seconds is three hours). This value should be fine. |
| 05 | (c) retry in seconds. If the secondary name server is unable to contact the primary name server, it will re-attempt a connection every retry seconds (3600 seconds is one hour). This value should be fine. |
| 06 | (d) expire in seconds. If a secondary name server cannot contact the primary name server for expire seconds, the secondary will stop answering any queries about this domain. The theory here is that at some point, the data is so old as to be possibly harmful, and no answer is better than a bad answer (604,800 seconds is one week). This value should be fine. |
| 07 | (e) Time to Live in seconds. The TTL (time-to-live) value is returned with all responses to database queries, and tells the requester (or other servers) how long the information can safely be cached (86,400 seconds is one day). This TTL value is the default value for all records in the file; it may be over-ridden by a TTL value provided with a given RR. This value should be fine. |
| 10 |
Our Name Server (NS) Authoritative Record pointing to the primary DNS server. Change mydomain.com to your site
domain. |
| 11 |
Another Name Server (NS) Authoritative Record pointing to our secondary DNS server. Change mydomain.com to your site
domain. |
| 13, |
14 (Warning: CNAME records can not be used for MX records so technically mail2 has been incorrectly defined above; see 5.2.2 of RFC 1123 for details.) Change mydomain.com to your site
domain. |
| 17 |
I want queries for mydomain.com to be directed to one of the three servers, putting this A address resolves mydomain.com queries to the IP address 192.168.101.1 Change 192.168.101.1 to your IP address you want to resolve to. |
| 18 |
Our localhost mapping which will force localhost to be mapped to 127.0.0.1 if not specified with a qualifying domain. Change mydomain.com to your site domain. |
| 19, |
20, 21 Change mydomain.com to your site
domain. |
| 22 |
We specify an A record for the mail server (although a similar effect should have been available by using CNAME records.) According to some documentation some mailers behave unpredictably when asked to resolve an MX hostname that uses a CNAME record rather than an explicit A record. Change mydomain.com to your site
domain. |
| 24 | To document your network you could specify here all assigned IPs and their hostnames in the same format as that shown above. |
| 26 |
- 31 (Warning: CNAME records can not be used for MX records so technically mail2 has been incorrectly defined above; see 5.2.2 of RFC 1123 for details.) Just as was done with the dns.mydomain.com and mail.mydomain.com you should also have mail2.mydomain.com as an A record. Change mydomain.com to your site
domain. |
"db.mydomain.com.rev" contains authoritative data for the domain "101.168.192.in-addr.arpa", which is used to translate addresses in network 192.168.101 to hostnames
01 ; Start of Authority (SOA) record 02 101.168.192.in-addr.arpa. IN SOA dns.mydomain.com. dnsowner.mydomain.com. 03 (2000072400 ; serial # (date format) + [0-9][0-9] 04 10800 ; refresh (3 hours) 05 3600 ; retry (1 hour) 06 604800 ; expire (1 week) 07 86400) ; minimum TTL (1 day) 08 09 ; Name Server (NS) records. 10 IN NS dns.mydomain.com. 11 IN NS dns2.mydomain.com. 12 13 ; Addresses point to canonical names (PTR) for reverse lookups 14 1 IN PTR iwill.mydomain.com. 15 130 IN PTR compaq.mydomain.com. 16 77 IN PTR athlon.mydomain.com. |
| Figure 4 -/var/named/namedb/db.mydomain.rev |
Explanation
| 01 | Comments are started by semi-colons ";" |
| 02 |
101.168.192.in-addr.arpa. is the address name we are going to be working with (sometimes you will see this written as @) dns.mydomain.com. is the authoritative dns for this domain. If you choose to use a different dns host naming convention or use a specific hostname for the DNS server, then you should also change dns.* to your naming convention. dnsowner.mydomain.com is the domain name address of the maintainer, e-mail contact (dnsowner@mydomain.com) On my machine I use root, but this option allows you to specify another e-mail address. Note the user-id is followed by a dot "." and not the @. Change mydomain.com to your site
domain. |
| 03, | 04, 05, 06, 07
Start of Authority (SOA) Record Item See documentation above. |
| 10, |
11 The Name Servers used to service this range of IPs |
| 14, | 15, 16 Match the reverse-ips on the left with servers on the system (noted on the right column.) |
| To document your network you could specify here all assigned IPs (reversed) and their hostnames in the same format as that shown above. |
Since localhost. does not exist in IP space, this mapping allows us to map localhost. to the special ip 127.0.0.1. Otherwise an nslookup or similar query will not resolve.
01 localhost. IN SOA dns.mydomain.com. dnsowner.mydomain.com. 02 ( 2000072400 ; serial # (date format) + [0-9][0-9] 03 10800 ; refresh (3 hours) 04 3600 ; retry (1 hour) 05 604800 ; expire (1 week) 06 86400) ; minimum TTL (1 day) 07 08 localhost. IN NS dns.mydomain.com. 09 IN NS dns2.mydomain.com. 10 11 localhost. IN A 127.0.0.1 |
| Figure 5 - /var/named/namedb/db.localhost.zone |
Explanation:
| 01 |
localhost. is the address name we are going to be working with (sometimes you will see this written as @) dns.mydomain.com. is the authoritative dns for this domain. If you choose to use a different dns host naming convention or use a specific hostname for the DNS server, then you should also change dns.* to your naming convention. dnsowner.mydomain.com is the domain name address of the maintaner, e-mail contact (dnsowner@mydomain.com) On my machine I use root, but this option allows you to specify another e-mail address. Note the user-id is followed by a dot "." and not the @. Change mydomain.com to your site domain. |
| 02, | 03, 04, 05, 06 Start of Authority (SOA)
Record Items See documentation above. |
| 08 |
Specify the DNS server hosts. Change mydomain.com to your site
domain. |
| 11 | Specify that localhost. (rooted) is the IP address 127.0.0.1 |
01 ; Start of Authority (SOA) record 02 0.0.127.in-addr.arpa. IN SOA dns.mydomain.com. dnsowner.mydomain.com. ( 03 2000072400 ; serial # (date format) + [0-9][0-9] 04 10800 ; refresh (3 hours) 05 3600 ; retry (1 hour) 06 604800 ; expire (1 week) 07 86400) ; minimum TTL (1 day) 08 09 ; Name Server (NS) records. 10 0.0.127.in-addr.arpa. IN NS dns.mydomain.com. 11 IN NS dns2.mydomain.com. 12 13 ; Only one PTR record 14 1.0.0.127.in-addr.arpa. IN PTR localhost. |
| Figure 6 - /var/named/namedb/db.localhost.rev |
Explanation:
| 01 | Comments are started by semi-colons ";" |
| 02 |
0.0.127.in-addr.arpa. is the address name we are going to be working with (sometimes you will see this written as @) dns.mydomain.com. is the authoritative dns for this domain. If you choose to use a different dns host naming convention or use a specific hostname for the DNS server, then you should also change dns.* to your naming convention. dnsowner.mydomain.com is the domain name address of the maintaner, e-mail contact (dnsowner@mydomain.com) On my machine I use root, but this option allows you to specify another e-mail address. Note the user-id is followed by a dot "." and not the @. Change mydomain.com to your site domain. |
| 03, | 04, 05, 06, 07
Start of Authority (SOA) Record Items See documentation above. |
| 10, |
11 Change mydomain.com to your site
domain. |
| 14, | Leave as is. |
As all-zero and all-one's in IP addresses are special IP addresses we create reverse address lookups for both IP addresses for control over how our name server resolves these addresses.
01 0.in-addr.arpa. IN SOA dns.mydomain.com. dnsowner.mydomain.com. ( 02 2000072400 ; serial # (date format) + [0-9][0-9] 03 10800 ; refresh (3 hours) 04 3600 ; retry (1 hour) 05 604800 ; expire (1 week) 06 86400) ; minimum TTL (1 day) 07 08 0.in-addr.arpa. IN NS dns.mydomain.com. 09 IN NS dns2.mydomain.com. |
| Figure 7 - /var/named/namedb/db.all-zero.rev |
Explanation:
| 01 |
Change mydomain.com to your site
domain. If you choose to use a different dns or use a specific hostname for the DNS server, then you should also change dns.* to your naming convention. |
| 02, | 03, 04, 05, 06
Start of Authority (SOA) See documentation above. |
| 08, |
09 |
01 255.in-addr.arpa. IN SOA dns.mydomain.com. dnsowner.mydomain.com. ( 02 2000072400 ; serial # (date format) + [0-9][0-9] 03 10800 ; refresh (3 hours) 04 3600 ; retry (1 hour) 05 604800 ; expire (1 week) 06 86400) ; minimum TTL (1 day) 07 08 255.in-addr.arpa. IN NS dns.mydomain.com. 09 IN NS dns2.mydomain.com. |
| Figure 8 - /var/named/namedb/db.all-one.rev |
Explanation:
| 01 |
Change mydomain.com to your site
domain. If you choose to use a different dns or use a specific hostname for the DNS server, then you should also change dns.* to your naming convention. |
| 02, | 03, 04, 05, 06
Start of Authority (SOA) See documentation above. |
| 08, |
09 |
Specify data such as locations of root domain servers. This is not a "cache," as in short-term memory, but is a set of fixed pointers to the higher-level DNS databases. This cache is not used during normal operation, but is used as "hints" to find the current root servers.
The file "root.cache" is in the same format as "db.mydomain.com.zone".
. 3600000 IN NS A.ROOT-SERVERS.NET. A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 . 3600000 NS B.ROOT-SERVERS.NET. B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107 . 3600000 NS C.ROOT-SERVERS.NET. C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 . 3600000 NS D.ROOT-SERVERS.NET. D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90 . 3600000 NS E.ROOT-SERVERS.NET. E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 . 3600000 NS F.ROOT-SERVERS.NET. F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 . 3600000 NS G.ROOT-SERVERS.NET. G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 . 3600000 NS H.ROOT-SERVERS.NET. H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53 . 3600000 NS I.ROOT-SERVERS.NET. I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 . 3600000 NS J.ROOT-SERVERS.NET. J.ROOT-SERVERS.NET. 3600000 A 198.41.0.10 . 3600000 NS K.ROOT-SERVERS.NET. K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 . 3600000 NS L.ROOT-SERVERS.NET. L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12 . 3600000 NS M.ROOT-SERVERS.NET. M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 |
| Figure 9 - /var/named/namedb/root.cache |
I've just taken the root.cache that comes with OpenBSD and listed it here (without the comments in the file.) There can be more than one "cache" file specified. The "cache.root" file should be retrieved periodically from FTP.RS.INTERNIC.NET ftp://rs.internic.net/domain/named.cache since it contains a list of root servers, and this list changes periodically.
The single "." indicates the root domain, while the "3600000" is the TTL value, indicating that these entries should expire after about 6 weeks (3.6 million seconds).
Just documenting some information garnered from misc@openbsd.org one of the OpenBSD mailing lists.
The following are two methods of determining the version of bind running on your server.
$ nslookup - <your server>
set class=chaos
set q=txt
version.bind
$ dig @nameserver version.bind chaos txt
Rob Thomas' Secure BIND Template http://www.cymru.com/Documents/secure-bind-template.html
http://www.acmebw.com - Ask Mr. DNS
http://www.guinix.com/technote/dualdns.html "Dualling" Nameservers on OpenBSD. "A "howto" article describing the use of Bernstein's tinydns on OpenBSD, serving both Internet and local network queries from a single host. Wayne's provided a guide which you can use to quickly set up split view DNS for yourself or your office using OpenBSD. (ref: http://www.deadly.org/article.php3?sid=20030226143145&mode=flat)
Copyright (c) 2000/1/2 Samiuela LV Taufa. All Rights Reserved.
I reserve the right to be totally incorrect even at the best advice of betters. In other words, I'm probably wrong in enough places for you to call me an idiot, but don't 'cause you'll hurt my sensibilities, just tell me where I went wrong and I'll try again.
You are permitted and encouraged to use this guide for fun or for profit as you see fit. If you republish this work in what-ever form, it would be nice (though not enforceable) to be credited.
|
DNS - setting up named for Domain Name Services |
Copyright © 2000/1/2 NoMoa.COM All rights reserved.