DNS How To

8/3/2019 DNS How To

1/31

How To Set Up Linux DNS Services

The material on thi s page was prepared using Sarge or Etch

configured using our Install ation and Packages pages.

If you did not use our pages to set up your system, what you

enc ounter on your system m ay be di fferent than what is given here.

As mentioned on the Networking page, every system on the Internet must have aunique IP address. (This does not include systems that are behind a NAT firewallbecause they are not directly on the Internet.) DNS acts as a directory service for all ofthese s ystems, allowing you to specify each one by its hos tname. A telephone bookallows you to look up an individual person by name and get their telephone number,their unique identifier on the telephone system's network. DNS allows you to look upindividual server by name and get its IP address, its unique identifer on the Internet.

There are other hostnam e-to-IP directory services in use, mainly for LANs. WindowsLANs can use WINS. UNIX LANs can use NIS. But because DNS is the directoryservice for the Internet (and can also be used for LANs) it is the mos t widely used.UNIX LANs could always use DNS instead of NIS, and starting with Windows 2000Server, Windows LANs could us e DNS ins tead of, or in addition to, WINS. And onsm all LANs where there are only a few machines you could jus t use HOSTS files oneach system ins tead of setting up a server running DNS, NIS, or WINS.

As a service, DNS is critical to the operation of the Internet. When you enter

www.some-domain.com in a Web browser, it's DNS that takes thewwwhost name

and translates it to an IP address . Without DNS, you could be connected to the Internetjust fine, but you ain't goin' no where. Not unless you keep a record of the IPaddresses of all of the resources you access on the Internet and use those instead ofhost/domain names .

So when you visit a Web s ite, you are actually doing s o using the site's IP addresseven though you specified a host and dom ain name in the URL. In the backgroundyour computer quickly queried a DNS server to get the IP address that corresponds tothe Web s ite's server and dom ain names. Now you know why you have to specify oneor two DNS server IP addresses in the TCP/IP configuration on your desktop PC (inthe resolv.conf file on a Linux system and the TCP/IP properties in the Network ControlPanel on Windows systems).

Linux DNS Server - How To Set Up Static or Dyna... http://www.aboutdebian.com/dns

of 31 11/21/2009 01:21

8/3/2019 DNS How To

2/31

A "cannot connect" error doesn't necessarily indicate there isn't a connection to thedestination server. There may very well be. The error may indicate a failure in"resolving" the domain name to an IP address. I use the open source Firefox Webbrowser on Windows systems because the status bar gives m ore informationalmessages like "Resolving host", "Connecting to", and "Transferring data" rather thanjust the generic "Opening page" with IE. (It also seems to render pages faster than IE.)

In short, always check for correct DNS operation when troubleshooting a probleminvolving the inability to access an Internet resource. The abil ity to resolve names iscritical, and later in this page we'll show you some tools you can us e to investigateand verify this ability.

When you are surfing the Web viewing Web pages or sending an e-mailyour workstation is sending queries to a DNS server to resolveserver/domain names. (Back on the Modems page we s howed you how toset up your resolv.conf file to do this.) When you have you own Web s ite thatother people visit you need a DNS server to respond to the queries fromtheir workstations.

When you visit Web sites, the DNS server your workstation queries for nameresolution is typically run by your ISP, but you could have one of your own. When youhave your own Web site the DNS servers which respond to visitors queries aretypically run by your Web hosting provider, but you could likewise have your own one ofthese too. Actually, if you set up your own DNS server it could be us ed to respond toboth "internal" (from your workstation) and "external" (from your Web s ite's visitors)queries.

Even if you don't have your own domain name, or even your own LAN, you can stillbenefit from using a DNS server to allow others to access your Debian system. If you

have a s ingle s ystem connected to the Interent via a cable or DSL connection, you canhave it act as a Web/e-mail/FTP server using a neat service called "dynamic DNS"which we'll cover later. Dynamic DNS will even work with a modem if you want to playaround with it.

DNS Server Functions

You can set up a DNS server for several different reasons:

Internet Domain Support: If you have a domain name andyou're operating Web, e-mail, FTP, or other Internet

servers, you'll use a DNS s erver ro respond to resolutionqueries s o others can find and access your server(s). Thisis a serious undertaking and you'd have to set up aminim um of two of them. On this page we'll refer to thesetypes of DNS servers as authoritative DNS servers forreasons you'll see later. However, there are alternatives tohaving your own authoritative DNS server if you have (orwant to have) your own domain name. You can have


2 of 31 11/21/2009 01:21

8/3/2019 DNS How To

3/31

someone else host your DNS records for you. Even ifsom eone else is taking care of your domain's DNSrecords you could still set up one of the following types ofDNS servers.

Local Name Resolution: Similar to the above scenario,this type of DNS server would resolve the hostnames of

systems on your LAN. Typically in this scenario there isone DNS server and it does both jobs. The first being thatit receives queries from workstations and the secondbeing that it serves as the authoritative source for theresponses (this will be more clear as we progress).Having this type of DNS server would el iminate the need tohave (and manually update) a HOSTS file on each systemon your LAN. On this page we'll refer to these as LAN DNSservers.

During the Debian installation youare asked to supply a domainname. This is an internal (private)domain nam e which is not visible tothe outside world so, like the privateIP address ranges you use on aLAN, it doesn't have to be registeredwith anyone. A LAN DNS serverwould be authoritative for thisinternal, private domain. For securityreasons, the name for this internaldomain should not be the same as

any public domain nam e you haveregistered. Private domain namesare not restricted to using one of theestablished public TLD (Top LevelDomain) names such as .com or

.net. You could use .corp or

.inc or anything else for your TLD.

Since a single DNS server can beauthoritative for m ultiple domains,you could use the same DNS serverfor both your public and private

domains. However, the server wouldneed to be accessible from both theInternet and the LAN so you'd needto locate it in a DMZ. Though youwant to use different public andprivate domain names , you can usethe same name for the second-leveldomain. For example,


3 of 31 11/21/2009 01:21

8/3/2019 DNS How To

4/31

my-domain.com for the public

name and my-domain.inc for the

private name.

Internet Name Resolution: LAN workstations and otherdesktop PCs need to send Internet domain nameresolution queries to a DNS server. The DNS server most

often used for this is the ISP's DNS servers. These areoften the DNS servers you s pecify in your TCP/IPconfiguration. You can have your own DNS server respondto these resolution queries instead of us ing your ISP'sDNS servers. My ISP recently had a problem where theywould intermittently lose connectivity to the networksegm ent that their DNS servers were connected to so theycouldn't be contacted. It took me about 30 seconds to turnone of my Debian systems into this type of DNS serverand I was surfing with no problems . On this page we'llrefer to these as simple DNS servers. If a simple DNS

server fails, you could just switch back to us ing your ISP'sDNS servers. As a matter of fact, given that you typicallyspecify two DNS servers in the TCP/IP configuration ofmost desktop PCs , you could have one of your ISP's DNSservers l isted as the second (fallback) entry and you'dnever miss a beat if your sim ple DNS server did go down.Turning your Debian system into a simple DNS server issim ply a matter of entering a single command.

Don't take from this that you need three different types of DNS servers. If you were toset up a couple authoritative DNS servers they could also provide the functionality ofLAN and s imple DNS servers. And a LAN DNS server can simultaneous ly provide the

functionality of a simple DNS server. It's a progres sive type of thing.

If you were going to set up authoritative DNS servers or a simple DNS server you'dhave to have a 24/7 broadband connection to the Internet. Naturally, a LAN DNS serverthat didn't resolve Internet host/domain names wouldn't need this.

A DNS server is just a Debian system running a DNS application. The most widelyused DNS application is BIND (Berkeley Internet Name Dom ain) and it runs a daemoncalled named that, among other things, responds to resolution queries. We'll see howto install it after we cover som e basics.

DNS Basics

Finding a s ingle s erver out of all of the servers on the Internet is like trying to find asingle file on drive with thousands of files. In both cases it helps to have somehierarchy built into the directory to logically group things. The DNS "namespace" ishierarchical in the same type of upside-down tree structure seen with file systems.Just as you have the root of a partition or drive, the DNS namespace has a root which


4 of 31 11/21/2009 01:21

8/3/2019 DNS How To

5/31

8/3/2019 DNS How To

6/31

8/3/2019 DNS How To

7/31

8/3/2019 DNS How To

8/31

8/3/2019 DNS How To

9/31

server gives the IP address for this server in the dom ain.

An MX (Mail eXchanger) record is specifically for mail servers. It's aspecial type of service-specifier record. It identifies a mail server forthe domain. That's why you don't have to enter a hos tname like 'www'in an e-mail address . If you're running Sendmail (mail server) andApache (Web server) on the sam e system (i.e. the same system is

acting as both your Web server and e-mail server), both the A recordfor the system and the MX record would refer to the same server.

To offer some fail-over protection for e-mail, MX records also have aPriority field (numeric). You can enter two or three MX records eachpointing to a different mail s erver, but the server specified in therecord with the highest priority (lowest number) will be chosen first. Amail server with a priority of 10 in the MX record wil l receive e-mailbefore a server with a priority of 20 in its MX record. Note that we areonly talking about receiving mail from other Internet mail servers here.When a mail server is sending mail, it acts like a desktop PC when it

comes to DNS. The mail server looks at the domain nam e in therecipient's e-mail address and the mail s erver then contacts its localDNS server (specified in the resolv.conf file) to get the IP address forthe mail server in the recipient's domain. When an authoriative DNSserver for the recipient's domain receives the query from the sender'sDNS server it sends back the IP addresses from the MX records ithas in that domain's zone file.

A CNAME (Canonical Name) record is an alias record. It's a way tohave the same physical server respond to two different hostnames.Let's say you're not only running Sendmail and Apache on yourserver, but you're also running WU-FTPD so it also acts as an FTP

server. You could create a CNAME record with the al ias name 'ftp' sopeople would use ftp.your-domain.com and www.your-

domain.com to access different services on the same server.

Another use for a CNAME record was illus trated in the example nearthe top of the page. Suppose you name your Web server 'debian'instead of 'www'. You could s imply create a CNAME record with thealias name 'www' but with the hostname 'debian' and debian's IPaddress.

NS (Name Server) records specify the authoritative DNS servers for a

domain.

There can multiples of all of the above record types. There is onespecial record type of which there is only one record in the zone file.That's the SOA (Start Of Authority) record and it's the first record in thezone file. An SOA record is only present in a zone file located onauthoritative DNS servers (non-authoritative DNS s ervers can cachezone records). It specifies s uch things as :


9 of 31 11/21/2009 01:21

8/3/2019 DNS How To

10/31

The primary authoritative DNS server for the zone(domain).The e-mail address of the zone's (domain's)adminis trator. In zone files , the '@' has a specificmeaning so the e-mai l address is written asme.my-domain.com.

Timing information as to when secondary DNSservers should refresh or expire a zone file and aserial number to indicate the version of the zonefile for the sake of comparison.

The SOA record is the one that takes up several lines.

Several important points to note about the records in a zone file:

Records can specify servers in other domains. This is mos t commonly used

with MX and NS records when backup s ervers are located in a different domainbut receive mail or resolve queries for your domain.

There must be an A record for systems specified in all MX, NS, and CNAMErecords.

A and CNAME records can s pecify workstations as well as servers (which you'llsee when we set up a LAN DNS server).

Now lets look at a typical zone file. When a Debian system is set up as a DNS serverthe zone files are stored in the /etc/bind directory. In a zone file the two

parantheses around the timer values act as line-continuation characters as does the

'\' character at the end of second line. The ';' is the comment character. The 'IN'indicates an INternet-class record.

$TTL 86400

my-name.com. IN SOA debns1.my-name.com. \

joe.my-name.com. {

2004011522 ; Serial no., based on date

21600 ; Refresh after 6 hours

3600 ; Retry after 1 hour

604800 ; Expire after 7 days

3600 ; Minimum TTL of 1 hour

)

;Name servers

debns1 IN A 192.168.1.41

debns2.joescuz.com. IN A 192.168.1.42

@ IN NS debns1

my-name.com. IN NS debns2.my-name.com.

;Mail servers

debmail1 IN A 192.168.1.51


0 of 31 11/21/2009 01:21

8/3/2019 DNS How To

11/31

debmail2.my-name.com. IN A 192.168.1.52

@ IN MX 10 debmail1

my-name.com. IN MX 20 debmail2.my-name.com.

;Aliased servers

debhp IN A 192.168.1.61

debdell.my-name.com. IN A 192.168.1.62

www IN CNAME debhp

ftp.my-name.com. IN CNAME debdell.my-name.com.

Several things to take note of when evaluating this example zone file:

Records are grouped in fours and then subgrouped in twos.The lines are spaced apart only to aid in the readability of this

example. You don't want any blank lines in a zone file.

The first two records in the group of four use A records tospecify the servers, and then the second two records are typeswhich specify what those servers are used for. Optionally, youcould lis t all A records together, all NS records together, allCNAME records together, etc.

The first record in the subgroup of two is a shorthand way ofentering the information (without the FQDN). The secondrecord is the longhand way. The '@' is a shorthand way ofspecifying "this zone" (domain).

Whenever you specify a domain in a zone file it must have atrailing period to make it a FQDN.

The $TTL 86400 line at the very top of the file specifies the

Time To Live value for the record (used by secondary DNSservers).

Notice that this zone file specifies the required two DNSservers (with the primary specified in the SOA record) and twomail servers (also for redundancy).

Also notice the priority numbers before the hostnames in theMX records.

If you had a simpler setup with only one server with the hostname 'debian' thatoperated as a Web, e-mail, and FTP server and you had your DNS records hosted bysom eone like EasyDNS, your zone file would look a lot s impler:


1 of 31 11/21/2009 01:21

8/3/2019 DNS How To

12/31

$TTL 86400

my-name.com. IN SOA ns1.easydns.com. \

me.my-name.com. (






)

debian IN A 192.168.1.51

ns1.easydns.com. IN A 216.220.40.243

ns2.easydns.com. IN A 205.210.42.20

@ IN NS ns1.easydns.com.


@ IN MX 10 debian

www IN CNAME debian

ftp IN CNAME debian

debian IN CNAME @

Naturally, the 192.168.1.51 private address in this example would have to be an

ISP-assigned public address for an Internet-accessible server. We jus t used a privateaddress as an example.

Notice that the las t CNAME record is a little different from the others. It specifies whichserver should handle reques ts when no hostname is specified, i.e. requests going tosimply my-name.com in a URL, etc. Notice also that you can specify other domains

in your zone file which is where the long-hand way of specifying a FQDN is us eful.

Dynamic DNS

If you set up a Debian s ystem to act as a combination firewall, NAT, and hom e Webserver you (and others if you wish) can access the Web pages on it (such as your Webcam im ages) from a remote location by entering the system's IP address in the URL.The IP address would be whatever is assigned to you by your ISP. The problem isthat, unles s you pay extra to have a static IP address, the IP address assigned by yourISP will change from time to time and trying keeping up with these changes can be apain. You can get around this by using a host and domain nam e to access yoursystem ins tead of an IP address . Being able to access your system using aconsis tent name in the URL even though the IP address changes is a major benefit of

dynamic DNS.

Dynamic DNS (DDNS) is the ability for a host (your Debian server) to update its ownDNS A record. A host's IP address (or what appears to be its IP address ) can changewhen you use a hom e broadband service such as cable or DSL, or when you dial intoan ISP (PPP connection) using a modem. If you have a broadband connection, DDNSallows you to have a full-time Internet server even though you don't have a static IPaddress.


2 of 31 11/21/2009 01:21

8/3/2019 DNS How To

13/31

You run a sm all DDNS client on your server that sends DNS record update requeststo the DDNS server. If you have your own domain name, the DDNS server is the onethat's listed as the primary name server in your domain record. Most DNS servers donot support dynamic updates by default. They have to be configured to lis ten fordynamic updates. When your server is booted up (or you run the client softwaremanually) it sends a request to the DDNS server to check/update the IP address in the

A record for your server. If you've pulled a different IP address from your ISP since thelast time a request was sent, the A record is updated with this new IP address .

When you use a firewall router, what appears to be your server's IP address is actuallythe IP address on the "external" router interface. As mentioned on the Networkingpage, the router does NAT and this address translation can cause difficulties fordynamic DNS. ddclient is a DDNS client that works with firewalls, is compatible with anumber of DDNS services, and is available as a Debian package.

Dynamic DNS with Your Own Domain

You can use dynamic DNS if you already have, or want to have, your own regis tereddomain name. You may want your own domain name for several reasons :

You want to set up production Internet servers for anorganization or business with static IP addresses.You want to use your own domain name with your homeserver(s).You want to (as in my case) s et up a "non-production" domainjust for playing around with. A non-production domain wouldallow you to investigate how DNS works by playing aroundwith the zone record values. Being that there's no production

servers in the domain, there's no problem if you screwsom ething up. (A non-production domain is a real domainwith whatever name you choose but you jus t use it with testservers. Naturally, you can make it a production domain at anytime just by setting up "real" servers.)

For this I use the Domain Name+DNS Only Service bundle from EasyDNS.combecause it kills two birds with one s tone (and because they have toll-free telephonetech support). EasyDNS will not only host your zone files on their DNS server, butregister your domain name (and annually renew the domain name registration) all for

$35/year. That's a pretty good deal as well as being convenient. You don't have to go toone place to register/renew your domain name, and then go to another place to hostyour DNS records. When you register a domain nam e with EasyDNS they'll set upsome prelim inary zone records for you and you just go in and add/modify/deleterecords.

EasyDNS provides a Web interface for DNS management so you can play around withthe settings, change server names, create alias records, etc.


3 of 31 11/21/2009 01:21

8/3/2019 DNS How To

14/31

The best part is s upport for dynamic DNS is included in their DNS offerings so youcan use them for home and test servers that don't have static IP addresses (andddclient will work with them too).

As a side note, what if you already have a dom ain name with servers that have staticIP address es? Most places that will host your DNS records (like your ISP or Webhosting provider) won't let you even see them much less work with them. HavingEasyDNS host your DNS records will allow you to have some control in themanagement of your DNS. Their straight DNS records hosting service (without thedomain registration/renewal piece) costs $20/year. Just be sure to update yourdomain record with the EasyDNS name servers information once you s ign up for the

service and get your DNS records set up. (You als o have the option of transferring yourdomain to them, i.e. making them the domain name registrar, if you want to takeadvantage of the single-payment convenience thing.)

Having your own non-production dom ain will not only let you play around with zonerecords, but you can experiment with having your own authoritative DNS server. One ofEasyDNS's servers would be the primary authoritative name server and you could setup your Debian server as a s econdary. Then you'd just use the 'nameservers' link in


4 of 31 11/21/2009 01:21

8/3/2019 DNS How To

15/31

the Web interface to enter your server's hostname and IP address as a secondaryserver entry. This way you could play with the "zone transfers" that take place betweenauthoritative servers.

But the benefits of having your own non-production dom ain go beyond jus t DNS. Italso comes in handy for testing Sendmail e-mail server and Apache Web serverconfigurations, etc. For instance, you can see if your Debian system properly sends

and receives e-mail for your non-production domain. Or you could install a testcerfificate (available for free from most certifying authorities like Thawte or Verisign) onyour Debian system acting as a Web server so you can investigate SSL functionality.Just about any type of Internet server you want to play with will have m ore functionalitywhen you can give it a registered domain name that has DNS resolution capabilities.And if you don't have any plans to eventually use it as a production dom ain, just let itexpire after the first year is up and the knowledge gained wil l be well worth the 35bucks.

ddclient Configuration File for EasyDNS

We'll ins tall ddclient in a bit. It'll prompt you for the necess ary configuration informationduring the ins tall. When it's finished it'll create the /etc/ddclient.conf file and it

should look som ething like this (the information you enter during the client install is inblue):

# Configuration file for ddclient generated by debconf#

# /etc/ddclient.conf

pid=/var/run/ddclient.pid

protocol=easydns

use=if, if=eth0

server=members.easydns.com

login=bgates

password=luvlinux


5 of 31 11/21/2009 01:21

8/3/2019 DNS How To

16/31

my-last-name.net

If your server is behind a cable/DSL router (such as a Linksys, DLink, or Netgear) orsome other type of firewall or proxy server, replace the line:

use=if, if=eth0

with the line:

use=web, web=support.easydns.com/utils/get_ip.php

This s imply uses a page on EasyDNS's Web site to display your 'outside' IP address .The ddclient software will read the IP address off the returned HTML code and send itto EasyDNS. It'll do this periodically which is necessary with the changing IPaddresses you get with cable and DSL services.

Support for dynamic DNS is disabled by default which is fine if you do have static IP

address (es) on your server(s). Enabling dynamic DNS using the EasyDNS Webinterface is sim ply a matter of clicking on the "disabled" link as illustrated below andacknowledging the change on the subsequent confirmation page.

Once you've got your configuration file set up and you've set your domain for dynamicDNS, you can test your ddclient configuration to make sure it's working with thecommand:

ddclient -daemon=0 -noquiet -debug -verbose

If you use Apache's virtual hosts feature to host multiple Web sites on your server andyou have multiple domain names registered with EasyDNS you can update thedynamic DNS for all the domains sim ultaneously by separating each of the domainswith a comma (,) like so:

# Configuration file for ddclient generated by debconf#



protocol=easydns

use=if, if=eth0

server=members.easydns.com

login=bgates


6 of 31 11/21/2009 01:21

8/3/2019 DNS How To

17/31

password=luvlinux

my-last-name.net,moe.com,larry.com,curly.com

The EasyDNS Web interface allows you to add/modify A records, MX records andpriorities, aliases (CNAME records), and even the time intervals in the SOA record, all

by clicking on the "dns" link shown in the figure above. The "names ervers" link takesyou to a page which lists the authoritative DNS server information (EasyDNS's nameservers) for your domain.

Your Own DNS Server ?

If you have your own domain name and you also want to try running your own DNSserver, EasyDNS.com has a Secondary DNS Service for $15/year which takes som eof the risk out of running your own DNS. You set their servers up to transfer zoneinformation from your DNS server. You would then enter your DNS server address asthe primary in your domain record, and the EasyDNS DNS server address es as thesecondary DNS servers in your domain record. Then, should your DNS server ever

fail, name resolution queries will go to the EasyDNS servers.


7 of 31 11/21/2009 01:21

8/3/2019 DNS How To

18/31

8/3/2019 DNS How To

19/31

8/3/2019 DNS How To

20/31

If you connect your Linux server to the Internet using a modem (we show you how onthe Modems page), you'll need to a way to keep your connection up long enough forany dynamic DNS changes to take effect and this could take up to 45 minutes. MostISPs will drop an inactive connection before that. You can use the ping command tokeep your PPP connection up. The trick is to run it in the background and set it so itonly sends a ping once every five minutes. Pick a Web site and enter:

ping -i 300 www.chosen-site.com > /dev/null &

Just don't forget to bring it to the foreground and s top it once you've dis connected yourmodem connection. To bring it to the foreground simply type:

fg ping

and then press Ctrl-C to exit the ping program.

ddclient Configuration File for dyndns.org

If you selected the dyndns .org service when you ins talled ddclient your

/etc/ddclient.conf file should look something like this:

# Configuration file for ddclient generated by debconf

#



protocol=dyndns2

use=if, if=ppp0

server=members.dyndns.org

login=bgatespassword=luvlinux

your-debian-box-hostname.dyndns.org

Note that this file indicates the ppp0 (dialup modem) interface was entered during theinstallation rather than the 'eth0' that you would use for a network card.

If your server is behind a cable/DSL router (such as a Linksys, DLink, or Netgear) orsome other type of firewall or proxy server, replace the line:

use=if, if=ppp0

with the line:

use=web, web=checkip.dyndns.com/, web-skip='Current IP Address:'

This s imply uses a page on dyndns.org's Web site to display your 'outside' IPaddress. The ddclient software will read the IP address off the returned HTML code.


20 of 31 11/21/2009 01:21

8/3/2019 DNS How To

21/31

Security Note: Even home Web/e-mail servers need to be setup securely. Spammers have a talent for quickly locatingimproperly secured e-mail servers and using them as spamrelay points. This not only puts your server at risk but gobbles upall your bandwidth. If you are going to set up a home Web/e-mailserver, be sure to do it securely. That not only involves setting upthe server in a secure fashion during the initial install, but also

includes configuring Apache and Sendmail in a secure manner.The procedures on these pages do not result in secureservers. If you are going to set up your own Web/e-mail serveryou'll need to buy som e books and do some research to learnhow to do it securely. More information is given on theSecuring Servers page. You'll also want to take a look at theFirewall page for information on how to use IPTABLES entries tohelp protect your server and your home network. (Remem berthat if you only have one server Apache and Sendm ail are goingto be running on the same system that is acting as yourNAT/firewall s ystem.) In addition, the Packages page shows you

how to use the cron scheduler and a s hell script toautomatically keep your system up to date with the latestsecurity patches.

Dynamic DNS is OK for home servers, but it's not really appropriate for businesses.Static IP addresses and having your ISP or a third party like EasyDNS hos t your DNSrecords would be more appropriate for Internet server implementations bybusinesses.

Installing ddclient

Before installing this package be sure to sign up for an account with EasyDNS or

dyndns.org. You'll need your account username and password when you install thepackage. With your account set up you ins tall the package by typing in

apt-get install ddclient

at the shell prom pt. You'll then be prompted for the following:

Select the service you want to use.1.

The next screen may seem confusing if you selectedEasyDNS in Step 1 because it prompts you for "yourDynDNS fully qualified domain names" and then givesexamples for dyndns.org. What they mean by the"DynDNS" is "Dynamic DNS", not "DynDNS.org". The "fullyqualified" is also a bit mis leading. You don't need to entera trailing period after the TLD (.com, .net, or .org Top LevelDomain). All you need to do is enter your server'shostname followed by your, or dyndns.org's, domainname. Examples:

2.


21 of 31 11/21/2009 01:21

8/3/2019 DNS How To

22/31

debian.gates.com

orvery-unique-hostname.dyndns.org

Enter the username you chose when you signed up withyour service.

3.

Enter the password you chose when you signed up withyour service.

4.

Enter the interface that will be connecting to the service.This will most likely be 'eth0' for an ethernet card (even if itis connected to a LAN which has a firewall router) or 'ppp0'for modem use (note that that's a zero on the end, not theletter O).

5.

If you entered 'ppp0' you'll be asked if you want ddcleint to

run automatically every time you connect. You may want toselect No here so you have the option of running it or not.

6.

You'll then be as ked if you want to run ddclient as adaemon. If this server is going to be a full-time Web ore-mail server with a broadband connection you shouldanswer Yes to this.

7.

The client will now be installed and the appropriate configuration file like the onesshown above will be created. Even though the file was created for you, we showed youthe typical files for both dyndns .org and EasyDNS services in case you need to editthem at a later point. If you want to examine your config file you can do so using the

nano text editor with the command:

nano /etc/ddclient.conf

If you're us ing a modem connection you'll want to first connect to your ISP with the pon

command. If you didn't set ddclient to run as a daem on then jus t type in:

ddclient

at the shell prompt once you're connected. The resulting message will tell you what IPaddress your external interface has (and what the DNS record will be updated with.

As mentioned earlier, it will take awhile for this update to take affect. To see if it hastaken affect yet, try pinging us ing your domain nam e and see if the returned IPaddress matches what was indicated in the message when you started ddclient. Notethat even if you used the above ping com mand in the background to keep yourconnection up you can still issue a second ping comm and in the foreground to checkthe returned IP address .


22 of 31 11/21/2009 01:21

8/3/2019 DNS How To

23/31

Other DNS Server Files

Given that a DNS server can hos t the zone files for many different domains, eachhaving two zone files, it needs a way to tell which zone files are for which domains . Itdoes this in the named.conf file which, like the zone files themselves, is located in the

/etc/binddirectory (which you'll see when we ins tall Bind shortly).

Of the two zone files for each domain the one we've been talking about all along hasbeen for forward lookups (resolving names to IP addresses). This zone file is typicallynamed db.my-last-name.net.

DNS also offers a "reverse lookup" function that allows you to translate IP addressesto host/domain names. The information that allows this to happen is s tored in thesecond zone file. Here's a reverse-lookup zone file that corresponds to the simplerzone file we showed earlier:

$TTL 864001.168.192.in-addr.arpa. IN SOA ns1.easydns.com. \

me.my-name.com. (






)

51 IN PTR debian



Note that the NS records are the same but there's no A records. And s ince we onlyhave one system handling all three Web, e-mail, and FTP server functions we onlyneed one PTR record. APTR (Pointer) record is the oppos ite of an A record. It has thehost part of the IP address and gives the corresponding hostname. Typically you wanta PTR record for every A record in the forward-lookup file provided the server is in thedomain. We don't have PTR records for the nam e servers above because they're in adifferent domain (and thus in a different address space).

Why is only the host part of the IP address needed in this file? Because the network

portion of the IP address is used when naming the reverse-lookup zone file, and it'sreversed. Because 192.168.1.x is a Class C network, the first three octets make upthe network portion of the IP address s o it's used in the zone file nam e. Only the lastoctet specifies the individual host so it's used to specify the host in PTR records. Withthe above example IP address, the zone file would be named:

db.1.168.192


23 of 31 11/21/2009 01:21

8/3/2019 DNS How To

24/31

The reverse-lookup zone file is also located in the /etc/bind directory. There's

another place this naming convention is us ed. Take a look at the start of the SOArecord. The domain is specified as

1.168.192.in-addr.arpa

in-addr.arpa is the default domain for all reverse lookups. As you'll see below, the

shorthand method of specifying this with the '@' is normally used.

DNS Tools, Testing, and Troubleshooting

When you're testing changes to your DNS records things may not act the way youexpect them to. What you need is s ome patience. Most DNS servers cache lookups . Ifyou make a change to a zone record on EasyDNS or dyndns.org, or the IP addressyou pulled from your ISP changes and ddclient sends the update, it'll take the DNSservers at EasyDNS or dyndns .org up to 15 minutes to update. Then the DNS serverthat your desktop system is using to resolve names may cache the old information for

another 20 to 30 minutes.

If you're using a Windows system to test DNS changes don't forget that it also has aDNS cache. You can clear it manually in a DOS window with the command:

ipconfig /flushdns

As a result, if you make a change to your zone records give it at least 45 minutesbefore you try to see if the changes had the des ired effect. Web brows ers also cachename-to-address information. If you're using a Web browser to test your changes, youmay want to go and delete all the files in the browser's cache directory as well.

The above makes playing around with dynamic DNS when using a modem kind of apain. You have to keep the connection up for for at least 45 minutes because if youdisconnect, you'll pull a different IP address when you reconnect and your DNSrecords will have invalid IP addresses. That's why I showed you how to run the pingcommand in the background to keep the dial-up connection alive.

A DNS problem will likely be in one of three places:

The DNS server addresses specified in the TCP/IP configuration on the PC youare using to do the pinging are not correct.

The registrar's domain record does not contain the correct name serverhostnames and/or addresses.The authoritative DNS servers for the dom ain do not have the domain's zonerecords configured correctly.

The mos t basic tool for testing DNS is the ping comm and. If you can ping a Webserver using its IP address but not it's domain name, you have a DNS problem. If you


24 of 31 11/21/2009 01:21

8/3/2019 DNS How To

25/31

can ping a s erver using its domain name you'll notice that the server's IP address isalso displayed. Verifying that this is the correct IP address will verify that DNS isworking properly. Another thing ping can tell you is if you're pinging an actual server oran alias. Using the MIT example again, you may type in

ping www.mit.edu

but the response will be something like

Pinging DANDELION-PATCH.mit.edu

Another common tool for testing DNS is nslookup (name server lookup) and it'savailable on Linux systems and NT-class Windows systems (NT-WS, 2000 Pro). Asyou saw earlier in this page this command will show you what name s erver your PC isusing to resolve names , as well as return hostname and address information on theserver that's specified as the target of the command. However, it also has aninteractive mode that increase its usefulness. If you simply type in:

nslookup

and you'll get a > prompt. There are several s tatements that you can enter at his

prompt. One helpful one is when you want your system to send queries to a different,other than the default, name server. At the prompt type in the 'server' commandfollowed by the IP address of the DNS server to use:

server 192.168.10.10

Then you jus t type in the domain nam e you want information on at the prompt. You'llsee in the response that the name server being queried has changed to the one youspecified. Type 'exit' at the prom pt when you're done. Another similar tool on Linuxsystems is the dig command. You can specify the alternate DNS server to use on thecommand line:

dig 192.168.10.10 mit.edu any

The any parameter tells it to return information on all record types. Check the man

pages for dig and nslookup for more information.

If you want to make sure that BIND isn't having a problem with your zone files, you cancheck the syslog after you boot the system (which is when BIND starts up and readsthe zone files ). At a shell prompt just type in:

nano /var/log/syslog

and look near the bottom of the file. You'll see messages when BIND was s tarted.Check to see if any of them refer to any errors that were encountered. If it didn't have aproblem with the zone file you'll see it referenced along with:

loaded serial 1


25 of 31 11/21/2009 01:21

8/3/2019 DNS How To

26/31

indicating that it has set the serial number (version) to 1.

Your Own DNS Server

Don't set up your Debian system as a DNS server if it doesn'thave access to the Internet. It will try and us e external DNSservers (called "root hints" which we explain later) to resolvenames and they won't be accessible. This will cause problemstrying to FTP or telnet to your Debian server even over a localLAN using only IP address es.

DNS is simply another server application. You can use your Linux system as anauthoritative, LAN, or simple DNS server. Simple DNS servers and LAN servers whichalso provide simple DNS services (resolving Internet host/domain names) need to be

connected to the Internet but being behind a firewall should not present a problem aslong as you have UDP port 53 is open on the firewall. If you're going to set up and testa secondary authoritative DNS s erver you'll als o need to have TCP port 53 open on thefirewall as well for zone transfers.

We'll show you how to set up simple and LAN DNS servers in this section. Setting upproduction ("real") authoritative DNS servers (remember that you need at least two) isbeyond the scope of this page because you'll need to do quite a bit more reading tolearn about zone transfers (insecure and secure) between primary and secondaryservers and you'll need to know a lot more about the named.conf file. The issue of

server security also becomes more im portant. However, seeing how to set up DNSserver files for a LAN DNS server will be a good start.

Where to learn more - The best of our bookshelves:

More info...

DNS and BIND is another case where an O'Reilly book isconsidered the bible in the indus try. I doubt there's a DNS serveradmin out there that doesn't have a copy. The 4th Edition coversBIND 9 with its security enhancements. The first three chaptersprovide a detailed foundation in the basics of DNS operation fromzone files to root name servers. From there it's al l about serverconfiguration. Setting up multiple servers, incremental zone

transfers, and round-robin load dis tribution are just a few of thethings covered. It also covers how to set up a server to respond toDDNS requests from clients and DHCP servers as well as how tocontrol which systems have this ability through ACLs (AccessControl Lis ts). How to use BIND's debugging levels and debuggeroutput to solve problems is also covered.


26 of 31 11/21/2009 01:21

8/3/2019 DNS How To

27/31

A Simple DNS Server

As mentioned earlier, the mos t widely used DNS application is called BIND andinstalling it is sim ply a matter of entering the command:

apt-get install bind9

Congratulations! You now have a sim ple DNS s erver. Now just change the DNSserver settings in the TCP/IP configuration files on the workstations on your LAN sothat they start using this server as their preferred DNS server. You can use your ISP'sDNS server(s) as alternate servers as this will provide some redundancy if your serverever goes down. You'll also want to modify the /etc/resolv.conf file on the DNS

server itself so that it points to itself. Do that by opening the file in a text editor with thecommand:

nano /etc/resolv.conf

and making sure the first nameserver line is:

nameserver 127.0.0.1

Why is setting up a sim ple DNS server so easy? Because of things called "root hints".The root hints are a lis t of root-level DNS servers in the /etc/bind/db.root file.

Your simple DNS server will query a root server to get the addresses of authoritativeDNS servers for each given domain (so it can contact those authoritative DNS serversto get the IP addresses of the desired hosts).

Just remember that your simple DNS server needs a 24/7 connection to the Internet.

Or it at leas t needs to be connected to the Internet any time any system on your LANneeds to access anything on the Internet.

A LAN DNS Server

We'll cover setting up a LAN DNS server for a small LAN where the workstationaddresses are statically assigned. If you have a larger LAN that uses DHCP, you'llneed to set up the server to respond to DDNS update requests because a system's Arecord will need to be updated when DHCP assigns the system a different address.

In setting up a LAN DNS server we need to:

Create the forward and reverse zone files.Update the named.conf configuration file with things called "forwarders"Update the named.conf configuration file so that the server knows it'sauthoritative for the LAN domain.

The zone files are jus t like the zone files we have above. You can even copy/paste thefollowing zone files into a text editor and edit them accordingly if you want. If you're


27 of 31 11/21/2009 01:21

8/3/2019 DNS How To

28/31

viewing this page on a Windows system, you can copy/paste them into Notepad andFTP them to your Debian system (remember to use ASCII mode when you FTP).Because the zone file nam es aren't Windows-friendly just save them in Notepad us ingnames like forward.txt and reverse.txt. You can rename them when we copy them fromyour home directory to the /etc/bind directory. Remember that FTP won't work with

the root account (it's a s ecurity thing) so use the user account you created when youinstalled Debian. When you FTP the files to your Debian system they'll go into this

account's home directory. We'll copy them over to the right place in a bit.

Here's the forward-lookup zone file for a LAN with the domain nam e kplan.net. Notethat the A records are grouped together, as are the other record types, and that thereare no blank lines . However, when trying to get my DNS server to work I did see anerror in the syslog file about the reverse-lookup zone file not ending in a "new line" somake s ure there's a blank line at the bottom of the file.

$TTL 86400

kplan.net. IN SOA woody.kplan.net. \

keith.kplan.net. (

2004011522 ; Serial no., based on date21600 ; Refresh after 6 hours




)

potato-gw IN A 192.168.10.1

w2kpro IN A 192.168.10.10

ntserver IN A 192.168.10.20

solarisintel IN A 192.168.10.30

solarissparc IN A 192.168.10.40

woody IN A 192.168.10.50

@ IN NS woody

@ IN MX 10 woody

www IN CNAME woody

ftp IN CNAME woodywoody IN CNAME @

And here's the reverse-lookup zone file for the same domain:

$TTL 86400

@ IN SOA woody.kplan.net. \

keith.kplan.net. (






)

1 IN PTR potato-gw

10 IN PTR w2kpro

20 IN PTR ntserver

30 IN PTR solarisintel

40 IN PTR solarissparc


28 of 31 11/21/2009 01:21

8/3/2019 DNS How To

29/31

50 IN PTR woody

@ IN NS woody

Notice that instead of us ing 10.168.192.in-addr.arpa at the start of the SOA

record I just used the shortcut. Now when I add a new system to my network I can jus t

add entries to these two files rather than editing the HOSTS files on all of the serversand workstations.

If you created these files on a Windows s ystem using Notepad and FTPed them toyour Debian server, go into the directory you FTPed them into and m ove/rename themlike so:

mv forward.txt /etc/bind/db.kplan.net

and

mv reverse.txt /etc/bind/db.10.168.192

While the zone file nam ing convention that BIND us es by default is db. followed by thedomain name, and the reverse-lookup zone file is sim ilar except that the domainname is replaced by the reversed network address, you can actually name themwhatever you want. You tell the server what zone files to use in the named.conf file.

named.conf

The named.conf file is the main configuration file for a DNS server. In it you tell the

server what, if any, forwarders to use, what domains it's authoritative for, and whichzone files it should use for each domain.

Forwarders let you specify other DNS servers to use when your DNS server receives aquery for a domain it isn't authoritative for. Your LAN DNS server wil l be authoritative foryour LAN's domain nam e, but it won't know about domains on the Internet. When itgets a query for an Internet domain it will forward the request out to a DNS serverspecified in the forwarders s ection of the named.conf file.

Open the /etc/bind/named.conf file using the ee text editor. In the options

section you'll see an indented block of text like this:

// forwarders {

// 0.0.0.0;

// };

You typically want to put your ISP's DNS servers here. The '//' are comment

characters in this file so you'll need to remove those also. You should end up with ablock of text that looks like this :


29 of 31 11/21/2009 01:21

8/3/2019 DNS How To

30/31

forwarders {

192.168.243.9;

192.168.253.9;

};

We used private addresses in the above example but naturally these would bepublically-access ible DNS servers (your ISP's). Now we have to add the content to thefile so the server knows it knows it's authoritative for the kplan.net domain. At thebottom of the file you'll see the line:

// add entries for other zones below here

Below this line we'll enter the following for the forward and reverse zone files :

zone "kplan.net" {

type master;

file "/etc/bind/db.kplan.net";};

zone "10.168.192.in-addr.arpa" {

type master;

file "/etc/bind/db.10.168.192";

};

Save the file and we're in bus iness from a server perspective. The named daemon isrunning, we already have a root hints database, our zone files our set up, and ourforwarders are set up in the configuration file. Now jus t change the

/etc/resolv.conf file on any Debian and UNIX systems so it looks like this:

search kplan.net

nameserver 192.168.10.50

On Windows systems you'd have to change the "Preferred DNS server" in the TCP/IPproperties to the 192.168.10.50 address.

Now that you've got a feel for what DNS does for you, and possibly have your owndomain name with name resolution capabilities, it's time to start setting up some

servers.


30 of 31 11/21/2009 01:21

8/3/2019 DNS How To

31/31

SECURITY WARNING

Do NOT pl an to use the system you will create using these gui de pages as a

"produc tion" (real) server. It wil l NOT be secure!

There are many steps involved in creating a secure Internet or LAN server.

While we do refer to some things you can do to make your system more secure,

there are many other measures related to system security that also need to be

taken i nto c onsideration and they are not covered on these pages.

These guide pages are meant as a learning tool only. The knowledge gained

on these pages will help you understand the m aterial c overed in security-

related publications when you are ready to consider setting up a production

server.

Did you find this page helpful ?

If so, please help keep this site operating

by using our CD, gear, o r book pages.

Site, content, documents, orig inal images Copyrig ht 2003-2009 Keith Parkansky All rig hts reserved

Dupli cation of any portion of this s ite or the material contained herein without

the express written consent of Keith Parkansky, USA is stri ctly prohibited.

This site is in no way affiliated with the Debian Project, the debian.org Web site, or

Software In The Public Interest, Inc. No endorsement of this s ite by the Debian Project

or Software In the Public Interest is expressed or implied. Debian and the Debian logo

are registered trademarks of Software In The Public Interest, Inc. Linux is a registered

trademark of Linus Torvalds. The Tux penguin graphic is the creation of Larry Ewing.

LIABILITY

IN NO EVENT WILL KEITH PARKANSKY OR HOSTWAY INCORPORATED OR ANY OF ITS' SUBSIDIARIES BE LIABLE TO ANY

PARTY (i) FOR ANY DIRECT, INDIRECT, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT N OT LIMITED

TO, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR INFOR MATION, AND

THE LIKE), OR ANY OTHER D AMAGES ARISING IN ANY WAY OUT OF TH E AVAILABILITY, USE, RELIANCE ON, OR INABILITY TO

USE THE INFORMATION, METHODS, HTM L OR COMPUTER C ODE, OR "KNOWLEDGE" PROVIDED ON OR THR OUGH TH IS

WEBSITE, COMM ONLY REFERRED TO AS TH E "ABOUT DEBIAN" WEBSITE, OR ANY OF ITS' ASSOCIATED D OCUM ENTS,

DIAGRAMS, IMAGES, REPRODU CTIONS, COMPUTER EXECUT ED CODE, OR ELECTR ONICALLY STORED OR TRANSMITTED

FILES OR GENERATED C OMMU NICATIONS OR DATA EVEN IF KEITH PARKANSKY OR HOSTWAY INCORPORATED OR ANY

OF ITS' SUBSIDIARIES SHALL HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND REGARDLESS OF THE

FORM OF ACTION, WHETHER IN CONTR ACT, TORT, OR OTHER WISE; OR (ii) FOR ANY CLAIM ATTRIBUTABLE TO ERRORS,OMISSIONS, OR OTHER INACCUR ACIES IN, OR D ESTRUCTIVE PROPERTIES OF ANY INFORM ATION, METHODS, HTML OR

COMPUT ER CODE, OR "KNOWLEDGE" PROVIDED ON OR TH ROUGH T HIS WEBSITE, COMMON LY REFERRED TO AS THE

"ABOUT DEBIAN" WEBSITE, OR ANY OF ITS' ASSOCIATED DOCU MENTS, DIAGRAMS, IMAGES, REPRODU CTIONS,

COMPUTER EXECUT ED CODE, OR ELECTRON ICALLY STORED, TRANSMITTED, OR GENERATED FILES,

COMM UNICATIONS, OR DATA. ALL INFORMATION, METHOD S, HTML OR COMPUTER CODE IS PROVIDED STRICTLY "AS IS"

WITH N O GUARANTY OF ACCUR ACY AND/OR COM PLETENESS. USE OF TH IS SITE CONSTITUTES ACCEPTANCE OF ALL

STATED TERMS AND COND ITIONS.


DNS How To

Documents

Transcript of DNS How To