UIT Alternative DNS Servers Jpmens


Alternative DNS Servers
Choice and deployment, and optional SQL/LDAP back-ends

Jan-Piet Mens

UIT Cambridge Ltd., Cambridge, England

First published in England in 2009.
UIT Cambridge Ltd.
PO Box 145
Cambridge
CB4 1GQ
England
Tel: +44 1223 302 041
Web: www.uit.co.uk

Copyright 2009 UIT Cambridge Ltd. All rights reserved.

ISBN 978-0-9544529-9-5

The right of Jan-Piet Mens to be identified as the author of this work has been asserted by him in accordance with the Copyright, Designs and Patents Act 1988.

The programs and instructions in this book have been included for their instructional value. Neither the publisher nor the author offers any warranties or representations in respect of their fitness for a particular purpose, nor do they accept any liability for any loss or damage arising from their use.

The publication is designed to provide accurate and authoritative information in regard to the subject matter covered. Neither the publisher nor the author makes any representation, express or implied, with regard to the accuracy of information contained in this book, nor do they accept any legal responsibility or liability for any errors or omissions that may be made. This work is supplied with the understanding that UIT Cambridge Ltd and its authors are supplying information, but are not attempting to render engineering or other professional services. If such services are required, the assistance of an appropriate professional should be sought.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trade-marks. UIT Cambridge Ltd acknowledges trademarks as the property of their respective owners.


To Alexandra

For your interest, support, and enthusiasm (as well as relentless page-count-checking) during this project, and for being my greatest fan.

Related Titles

Practical TCP/IP: Designing, using, and troubleshooting TCP/IP networks on Linux and Windows (Second edition), Niall Mansfield

The Exim SMTP Mail Server: Official Guide for Release 4 (Second edition), Philip Hazel

The Joy of X: The architecture of the X window system, Niall Mansfield

Contents at a glance

Part I Preparation 1
1 Introduction to the DNS 3
2 How to represent zone data and where to store it 29
3 Preparing for your implementation 59

Part II The DNS servers 73
4 MaraDNS 75
5 MyDNS 95
6 PowerDNS Authoritative Server 113
7 An overview of BIND 167
8 BIND's Simplified Database Interface 187
9 Bind DLZ 213
10 Name Server Daemon (NSD) 261
11 tinydns 283
12 ldapdns 315
13 dnsmasq 331
14 DNS on Microsoft Windows 349
15 DNS and Perl 357
16 DNS blacklists 371
17 Caching name servers 387
18 Delegation and private DNS roots 435

Part III Operational Issues 453
19 Updating DNS zones and their associated records 455
20 The Name Service Switch 487
21 Internationalized Domain Names 497
22 Introducing DNSSEC 505
23 Performance 545
24 Securing and monitoring your DNS servers 563

Appendixes 579
A Getting started with (Open)LDAP 579
B Use $INCLUDE and fix your SOA 604
C BIND SDB 607
D Bind DLZ 615
E Perl DNS name servers 621
F User Defined Functions in MySQL 629
G Bits and pieces 637
H Scripting PowerDNS Recursor with the Lua programming language 645

    Copyright UIT Cambridge Ltd. 2009. All rights reserved. For personal and noncommercial use only. Cheats will have fingers removed.

Contents

Preface xxxi
Acknowledgments xxxv

Part I Preparation 1

1 Introduction to the DNS 3
1.1 The Domain Name System: overview and terminology 4
1.1.1 The DNS tree 4
  How domains are named in the DNS 4
  Subdomains 6
1.1.2 Name resolution 6
1.1.3 DNS packets 6
1.1.4 An example: translating domain name www.qupps.biz to an address 7
1.1.5 Step 1: the resolver 9
1.1.6 Step 1, cont'd.: caching DNS servers 10
1.1.7 Step 2: root DNS servers 10
1.1.8 Step 3: authoritative DNS servers 11
  Distribution of responsibility 12
1.1.9 Steps 1&5 v. 2-4: authoritative and caching servers contrasted 12
  Recursive v. iterative queries 14
1.2 Deployment issues with DNS servers 14
1.2.1 Where domain information is stored: zones 15
1.2.2 Creating redundancy: master/slave, primary/secondary servers 16
  A. Master and slave name servers 16
  B. File or database replication 18
1.2.3 Special authoritative server configurations: split horizon and hidden servers 18
  Split horizon servers 18
  Hidden name servers 19
1.2.4 Special caching server configurations: forwarding, forwarder, proxy 20
1.2.5 Special authoritative and caching server configurations 21
1.3 Features you might want to have in a name server 21


1.4 Scenarios of name server deployment 23
1.4.1 ISP 23
1.4.2 SOHO network 24
1.4.3 Corporate environment 25
  Small to medium organizations 25
  Large organizations 25

2 How to represent zone data and where to store it 29
2.1 dig: a DNS lookup utility 30
2.1.1 dig overview 30
2.1.2 Looking up an IP address (A record) 31
2.1.3 Find version of remote name server, using dig 32
2.1.4 Transfer a zone with dig 32
2.1.5 Trace recursion using dig 33
2.2 Contents of a DNS query 33
2.3 Resource records define information about a domain name 34
2.3.1 The format of a Resource Record 35
2.3.2 Resource record sets 36
2.3.3 Resource records in detail 37
  Address (A) resource records 37
  Mail Exchanger (MX) resource records 37
  Pointer (PTR) resource records 38
  Forward and reverse queries 38
  Canonical name (CNAME) resource records 39
  The Start of Authority (SOA) resource records 41
  Name Server (NS) resource records 43
  Text (TXT) resource records 44
  Service (SRV) resource records 44
2.4 Creating zones from resource records 45
2.4.1 Define a minimal zone 46
2.4.2 A more realistic minimal zone 46
2.4.3 Add desktop hosts, and Web and e-mail servers 46
2.4.4 Add a reverse zone 47
2.4.5 Inconsistencies 48
  Notes on master file syntax 48
2.5 How and where zone data is stored 49
2.5.1 Advantages and disadvantages of text files for zone data 49
2.5.2 Zone data in databases and directories 50
2.5.3 SQL databases 51
  Databases supported by DNS servers 51
  Replication of zone data stored in an SQL back-end 52
  Manipulating records in an SQL database 52
2.5.4 LDAP Directories 53
  DNS servers that support LDAP 53
  Choice of LDAP directory servers 53


  Replicating LDAP data 54
  Manipulating entries in an LDAP directory 54
2.5.5 How you maintain zone data stored in a back-end 55
2.5.6 Provisioning text files from a database back-end 57

3 Preparing for your implementation 59
3.1 Planning your implementation 60
3.1.1 Planning your name server placement 63
3.1.2 Capacity planning 63
3.1.3 Business continuity 64
3.2 The programs and why we chose them 66
3.3 Operating system and software requirements 67
3.3.1 Using pre-built packages 68
  Building software from source 68
3.4 Back-ends supported by the various servers 69
3.5 Setting up a test environment 69

Part II The DNS servers 73

4 MaraDNS 75
4.1 Getting results quickly 77
4.1.1 Set up MaraDNS as a caching name server 77
4.1.2 Set up MaraDNS as a caching and authoritative server 77
4.1.3 Set up MaraDNS as an authoritative name server 77
4.1.4 Automatic zones 78
4.2 Format of MaraDNS zone files 79
  Typical resource records 80
  An example zone in csv2 format 81
  Reverse zones 81
4.3 Launch the maradns daemon 82
4.4 Configuring MaraDNS behavior with the mararc file 82
4.4.1 Normal variables 83
4.4.2 Dictionary variables 85
4.5 Zone transfers 87
4.5.1 Using MaraDNS as a master DNS server 87
4.5.2 Using MaraDNS as a slave DNS server 89
4.6 Recursion, roots and forwarders 90
4.6.1 Setting up private root servers 90
4.6.2 Forwarding queries 90
4.7 Logging and utilities 91
4.7.1 Logging and monitoring 91
4.7.2 Converting BIND master zone files to csv2 format 91
4.7.3 The duende utility 92
4.7.4 Querying DNS servers with askmara 92


5 MyDNS 95
5.1 Getting MyDNS up and running 96
5.1.1 Creating the MySQL database tables for MyDNS 97
5.1.2 The MyDNS database tables 97
  The soa table 97
  The rr table 98
5.1.3 Example: Create a zone and its resource records 99
5.2 Changing the way MyDNS works 100
5.2.1 Configuration in mydns.conf 100
  Basic database information 101
  Server options 101
  Options to control internal caching 102
  Options that affect the name server 103
5.3 Replicating zones 104
5.3.1 Zone transfers 105
5.4 Dynamic DNS updates in MyDNS 106
5.4.1 Enable dynamic DNS updates 106
5.4.2 IP access rules for dynamic DNS updates 106
5.5 Utilities included with MyDNS 107
5.5.1 Importing zones into MyDNS with mydnsimport 107
5.5.2 Exporting zones from MyDNS with mydnsexport 107
5.5.3 The MyDNS Web interface: admin.php 108
5.6 Monitoring MyDNS 109
5.6.1 Logging queries 109

6 PowerDNS Authoritative Server 113
6.1 How PowerDNS stores zone data 114
6.1.1 Generic SQL or OpenDBX for SQL back-ends? 116
6.2 Server roles: master/slave, superslave, native 116
6.2.1 Master 116
6.2.2 Slave 117
6.2.3 Superslave 118
6.2.4 Native 118
6.2.5 Mixing roles 119
6.3 Getting started quickly 119
6.3.1 A. Configure the BIND zone file back-end 119
  Using the BIND back-end as a slave server 122
6.3.2 B. Configure the generic MySQL back-end 122
6.3.3 Database schema used by the gmysql and opendbx back-ends 124
  The domains table 125
  The records table 126
6.3.4 Managing zones in the database 126
  Create a new master or native zone in the database 127
  Adding resource records to the database 127
  Automating record inserts 128


  Adding a slave zone 128
  How you configure a Superslave 129
6.4 The OpenDBX database back-end 130
6.4.1 Getting started with the OpenDBX back-end 132
6.4.2 Configuration options for the OpenDBX back-end 132
6.4.3 A. General options 132
6.5 The LDAP directory server back-end 134
6.5.1 Designing the LDAP directory tree 134
6.5.2 LDAP schema used by the LDAP back-end 135
6.5.3 Defining an LDAP back-end in pdns.conf 136
6.5.4 The zone2ldap utility 137
6.5.5 Limitations of the LDAP back-end 139
6.6 The Pipe back-end 139
6.6.1 How PowerDNS and the coprocess communicate 140
6.6.2 Directives for the Pipe back-end 141
6.6.3 An example load balancer coprocess for the Pipe back-end 142
6.7 Global PowerDNS configuration directives 143
6.8 Monitoring PowerDNS 149
6.8.1 pdns_control 149
6.8.2 Built-in Web server 151
6.8.3 pdns init.d script 152
6.9 Deployment and provisioning scenarios 153
6.9.1 Don't create a single point of failure 153
6.9.2 Domain hoster 154
6.9.3 Set up NSD or BIND with a hidden/stealth MySQL PowerDNS 154
6.9.4 Set up BIND with hidden/stealth PowerDNS and LDAP back-end 156
6.9.5 Create your own provisioning tools 157
  Update your database with PowerDNS::Backend::MySQL 157
6.9.6 Enforce correct CNAME usage in your database 158
  Creating the trigger 158
  Viewing the effects of the trigger 159

7 An overview of BIND 167
7.1 Why use the BIND name server? 169
7.2 Scenarios for deployment of BIND 169
7.2.1 Authoritative name server 169
7.2.2 Caching name server 169
7.2.3 Front-end to stealth server 170
7.3 Configuring zones in BIND 170
7.3.1 A sample configuration of an authoritative BIND name server 170
7.3.2 Defining zones 173
  A, B. Master and slave zones 174
  C. Forwarding zones 174
  D. Stub zones 175
  E. Root hints 175


7.4 Using TSIG to secure zone transfers and updates 176
  1. Generating TSIG keys 177
  2a. Configure zones with TSIG keys 178
  2b. Protect updatable zones 178
7.5 Configuring BIND to accept dynamic DNS updates 178
7.5.1 How your zone is updated 179
7.6 Split-horizon DNS using BIND views 179
7.7 Aspects of implementing a BIND name server 180
7.7.1 How you create your zone files 180
7.7.2 Monitoring your BIND name server 181
  Statistics 181
  Query logging 181
  The BIND 9.5 stats Web server 182
7.8 Points to note when using BIND 184

8 BIND's Simplified Database Interface 187
8.1 Overview of BIND SDB 188
8.1.1 Existing BIND SDB drivers 189
8.2 Overview of BIND SDB LDAP driver 190
8.2.1 Limitations of the BIND-sdb-LDAP driver 190
8.3 Installing BIND SDB and configuring your LDAP server 190
8.3.1 A. Compile BIND SDB with the LDAP driver 191
8.3.2 B. Configure your LDAP directory server 192
8.3.3 C. Indexes required by BIND-sdb-LDAP 192
8.3.4 D. Define the zone in named.conf 193
8.3.5 E. Creating DNS zones in your LDAP directory server 193
  How you organize LDAP entries 195
8.3.6 F. Adding a zone 196
8.3.7 G. Adding a host 197
8.3.8 Watching LDAP queries 197
8.3.9 Miscellaneous features 198
  LDAP over IPC 198
  Views 198
  Zone transfers 199
  Controlling zone transfers 199
  Create zone clauses for named.conf from LDAP 200
  Convert master zone files to LDIF 201
  Performance 202
8.4 Anatomy of a BIND SDB driver 202
8.4.1 Writing a Driver 203
8.5 Load balancing with DNS, implemented using SDB 204
8.5.1 Implementing a simple load-balancer driver 204
  Initializing the driver 205
  Performing lookups 205
  Returning all records in a zone transfer 207


8.5.2 Adding an SDB zone to named.conf 207
8.5.3 Building the driver and linking named 207
8.5.4 What happens when named starts? 210
8.5.5 Querying the new BIND SDB driver 211
8.5.6 Retrieving a zone transfer from the BIND SDB driver 211

9 Bind DLZ 213
9.1 Architecture of Bind DLZ 215
9.1.1 How a Bind DLZ driver works 216
  Configuring a Bind DLZ driver: overview 216
9.2 Why should you use Bind DLZ? 217
9.2.1 Limitations of Bind DLZ 218
9.3 Order of processing with multiple Bind DLZ back-ends 218
9.4 Choosing a DLZ driver 219
9.5 Getting started with Bind DLZ 220
9.6 How Bind DLZ retrieves information from your SQL or LDAP server 220
9.6.1 The five template queries that you have to configure 220
9.6.2 Format of data returned by queries to the DLZ drivers 222
9.6.3 Using tokens in your queries 224
9.7 The Bind DLZ MySQL driver 224
9.7.1 Configuration 224
9.7.2 Minimal MySQL schema 226
  Configure the minimal schema in named.conf 227
  Observing queries 228
  Adding an in-addr.arpa zone to Bind DLZ 229
  Limitations of the minimal schema 230
9.7.3 MySQL schema proposed by Bind DLZ 231
  Adding a zone and resource records with the Bind DLZ MySQL schema 231
9.7.4 Alternative database queries with the MySQL driver 233
9.8 The Bind DLZ LDAP driver 234
9.8.1 Configuring the LDAP driver 234
  Describing the LDAP directory connection 236
  Minimal schema 237
  Observing queries 238
  Enabling zone transfers in the minimal schema 238
9.8.2 LDAP schema suggested by the Bind DLZ project 239
9.9 The Berkeley DB High Performance Text (BDBHPT) driver 241
9.9.1 Configuring a BDBHPT zone 242
9.9.2 BDBHPT operating modes 243
9.9.3 Layout of the BDBHPT databases 244
9.9.4 Creating your BDBHPT database 246
9.9.5 Manipulating data in the BDBHPT databases: dlzdb-util 247
9.9.6 Pushing DNS records into a BDBHPT database 248
9.9.7 Replication with Berkeley DB 248
9.9.8 Zoned: the BDBHPT replicator 249


9.10 Implementing Bind DLZ 250
9.10.1 Split-horizon DNS with views in Bind DLZ 250
  An example: two views with different Bind DLZ drivers 250
  Using similar Bind DLZ drivers in views 252
9.10.2 Don't create a single point of failure 253
9.10.3 High-availability through heterogeneous replication 253
9.10.4 Automatically creating PTR records 253
9.11 How you can process Dynamic DNS Updates 256

10 Name Server Daemon (NSD) 261
10.1 Overview of NSD 262
10.1.1 NSD's architecture 262
10.1.2 Setting up NSD 263
10.1.3 A minimal configuration file 264
10.1.4 Compile your zones 264
10.1.5 Launch NSD 264
10.2 Configuring NSD with its nsd.conf file 265
  a. Server options 265
  b. Zone options 266
  c. Key declarations 268
10.3 Controlling NSD's behavior with its utilities 268
  The NSD control script, nsdc 268
  Check and parse the nsd.conf file with nsd-checkconf 270
  Manually perform a zone transfer with nsd-xfer 270
10.4 Monitoring NSD 270
10.5 The different NSD server roles 271
10.5.1 Running NSD as a master server 272
  Adding a new master zone 272
  Changes in your master zone 273
10.5.2 Running NSD as a slave server 273
  Adding a new slave zone 273
10.5.3 Running NSD as a private root server 275
10.6 Securing NSD 275
10.6.1 Transaction signatures (TSIG) 276
  A. Generate TSIG keys for inclusion in nsd.conf 276
  B. Set up ACLs for your zones 277
  C. Test a zone transfer 277
10.6.2 Using NSD as a master and BIND as slave 278
10.6.3 Using BIND as a master and NSD as slave 279

11 tinydns 283
11.1 An overview of djbdns and its component parts 284
11.2 The tinydns authoritative server 285
11.2.1 Setting up tinydns 285
  Configuration files and environment variables: overview 285

    Copyright UIT Cambridge Ltd. 2009. All rights reserved. For personal and noncommercial use only. Cheats will have fingers removed.


      Creating your configuration files, directories, and startup scripts . . . 286
    11.2.2 Where tinydns stores its zone data . . . 286
    11.2.3 Format of information in the data file . . . 287
      Line type % (percent): create a location . . . 289
      Line type . (period): create a complete name server . . . 289
      Line type Z: create start of authority . . . 290
      Line type & (ampersand): create a name server . . . 291
      Line type = (equals): create a host . . . 291
      Line type + (plus): create an alias . . . 292
      Line type @ (at): create a mail exchanger . . . 292
      Line type - (dash): disable a line . . . 293
      Line type ' (single-quote): create a text . . . 293
      Line type ^ (circumflex): create a pointer . . . 293
      Line type C: create a canonical name . . . 294
      Line type : (colon): create generic record . . . 294
      Notes on data syntax . . . 294
      Using tinydns-edit to add records to the data file . . . 295
      Randomizing RR . . . 295
      Wild-cards . . . 296
    11.2.4 Starting tinydns . . . 296
    11.2.5 Controlling tinydns with environment variables . . . 296
    11.2.6 IPv6 . . . 297
    11.2.7 Provisioning DNS information for tinydns data file . . . 297
    11.2.8 Replication to other tinydns servers . . . 299
    11.2.9 Using AXFR zone transfers . . . 301
    11.2.10 Private root name server . . . 303
    11.2.11 Useful utilities that assist in handling tinydns data files . . . 304
      A pre-processor for the data file . . . 304
      Creating the data file from BIND zone files . . . 304
      Perl program to create SRV lines in the data file . . . 304
  11.3 Logging and statistics . . . 305
    11.3.1 tinystats . . . 305
  11.4 Utilities . . . 306
    11.4.1 Query domain names with dnsip . . . 307
    11.4.2 Qualify and query names with dnsipq . . . 307
    11.4.3 Lookup reverse names with dnsname . . . 307
    11.4.4 Query TXT records with dnstxt . . . 308
    11.4.5 Query MX records with dnsmx . . . 308
    11.4.6 Resolve addresses from a file with dnsfilter . . . 308
    11.4.7 Query a name and type with dnsqr . . . 309
    11.4.8 Tracing queries with dnstrace . . . 309
  11.5 Caching DNS . . . 309

12 ldapdns . . . 315
  12.1 Choosing your LDAP schema . . . 316


  12.2 Setting up ldapdns with ldapdns-conf . . . 317
  12.3 Environment variables for controlling ldapdns . . . 319
  12.4 Configuring zones and resource records . . . 321
    12.4.1 DNS resources supported by ldapdns . . . 322
    12.4.2 Adding a zone to ldapdns . . . 323
      Adding a minimal zone . . . 323
      Adding a zone with more records . . . 324
    12.4.3 Adding an in-addr.arpa zone to ldapdns . . . 325
      Create the zone . . . 325
      Create the PTR resource record . . . 326
  12.5 Managing zone data . . . 326
  12.6 Providing DNS over TCP with ldapdns . . . 326
  12.7 Integrate ldapdns with BIND . . . 327

13 dnsmasq . . . 331
  13.1 Preliminary explorations . . . 333
  13.2 Live running . . . 335
  13.3 Advanced dnsmasq configuration . . . 335
    13.3.1 Interfaces and addresses . . . 335
    13.3.2 Hosts and domains . . . 336
    13.3.3 DNS resolution . . . 337
    13.3.4 DHCP . . . 340
    13.3.5 Debugging . . . 342
  13.4 A complete example . . . 344
    13.4.1 Booting a PC and watching it happen . . . 346

14 DNS on Microsoft Windows . . . 349
  14.1 An overview of Microsoft Windows DNS Server . . . 350
    14.1.1 Zone types . . . 351
    14.1.2 Forwarders . . . 351
    14.1.3 DNS on the command-line . . . 352
  14.2 Using Open Source DNS servers on Windows . . . 352
    14.2.1 DNS servers with native Win32 support . . . 352
      Running BIND on Win32 . . . 352
      Running Bind DLZ on Windows . . . 353
      Running MaraDNS on Win32 . . . 353
      Running PowerDNS on Win32 . . . 354
    14.2.2 Cygwin . . . 355

15 DNS and Perl . . . 357
  15.1 Querying the DNS from Perl . . . 358
  15.2 Create your own dynamic name server in Perl . . . 359
    15.2.1 Why would I want to create my own name server? . . . 360
    15.2.2 Perl tools for creating name servers . . . 361
  15.3 Example: A custom dynamic server using Stanford::DNSserver . . . 362


      Installing Stanford::DNSserver . . . 362
      Using DNS to find a user's telephone number . . . 363
      The code . . . 365
      Integrate your Perl name server into your organization's DNS . . . 368

16 DNS blacklists . . . 371
  16.1 Why would I want to implement a DNS blacklist? . . . 373
  16.2 How to use an existing blacklist in your e-mail server . . . 373
  16.3 Implementing a simple DNS blacklist . . . 375
    16.3.1 A Choose a domain to publish blacklist entries . . . 375
    16.3.2 B Add Address (and optionally Text) records to this zone . . . 376
    16.3.3 C Configure your MTA to query your new DNS blacklist . . . 377
  16.4 Serving DNSBL with rbldnsd . . . 378
    16.4.1 Running rbldnsd . . . 378
    16.4.2 Zone file formats in rbldnsd . . . 379
    16.4.3 Running rbldnsd and a caching name server on the same system . . . 380
  16.5 Integrate DNS blacklists into your e-mail infrastructure . . . 381
    16.5.1 Exim . . . 381
      Telling Exim to use the blacklist . . . 381
      A sample SMTP dialog . . . 382
      Black-lists and white-lists . . . 382
    16.5.2 Sendmail . . . 382
    16.5.3 Postfix . . . 383
    16.5.4 IBM Lotus Domino . . . 383

17 Caching name servers . . . 387
  17.1 Deploying your caching name servers . . . 388
    17.1.1 Where you place your caching name server . . . 388
    17.1.2 Checklist for deployment . . . 389
    17.1.3 Don't forget the stub resolver . . . 389
    17.1.4 Special-case resolution requirements . . . 390
    17.1.5 The recursive caching name servers . . . 391
  17.2 The BIND caching server . . . 391
    17.2.1 Setting up a BIND caching name server . . . 392
      A Create named.conf . . . 392
      B Create an rndc key . . . 392
      C Hints file for the root servers . . . 393
      D Master zones for localhost . . . 393
    17.2.2 Adding features . . . 394
      Reloading named . . . 395
  17.3 The PowerDNS Recursor caching server . . . 395
    17.3.1 Configuration . . . 396
    17.3.2 Controlling PowerDNS Recursor . . . 400
    17.3.3 PowerDNS Recursor statistics . . . 401
    17.3.4 Graphing PowerDNS Recursor . . . 402


  17.4 The dnscache caching server . . . 402
    17.4.1 Installing and setting up dnscache . . . 403
    17.4.2 Scenarios for dnscache deployment . . . 404
      Centralized cache on your local network . . . 404
      Caching DNS server on a Workstation . . . 404
      Workstation as forwarder . . . 406
      Central cache with forwarding . . . 406
      Inbound cache . . . 407
    17.4.3 Detailed dnscache configuration options . . . 408
      The run script . . . 410
    17.4.4 Testing dnscache . . . 410
    17.4.5 Implicit answers returned by dnscache . . . 411
    17.4.6 Adding a forwarder for one or more domains . . . 411
    17.4.7 Configuring client machines to use dnscache . . . 411
    17.4.8 Logging dnscache statistics . . . 411
      Analyzing dnscache logs with dlog . . . 412
  17.5 The dnsproxy proxying server . . . 413
    17.5.1 Installing dnsproxy . . . 414
    17.5.2 Configuring dnsproxy with /etc/dnsproxy.conf . . . 414
    17.5.3 Sending DNS queries to dnsproxy from external hosts . . . 416
    17.5.4 Sending DNS queries to dnsproxy from internal hosts . . . 416
  17.6 The Unbound caching server . . . 417
    17.6.1 Installing Unbound . . . 418
    17.6.2 Setting up Unbound as a caching server . . . 418
      Launching Unbound . . . 419
      Signaling and stopping Unbound . . . 419
    17.6.3 Configuring Unbound with unbound.conf . . . 420
    17.6.4 Intercepting domains: serving data locally . . . 425
      A Serving data authoritatively from a local file . . . 425
      B Stub zones . . . 427
      C Forwarding . . . 427
      Scenarios for using local zones and forwarding . . . 428
    17.6.5 Utilities . . . 431
    17.6.6 libunbound . . . 431

18 Delegation and private DNS roots . . . 435
  18.1 The root of the Domain Name System . . . 436
    18.1.1 The root zone file . . . 436
    18.1.2 Querying the root servers . . . 437
  18.2 Delegating a sub-domain to a name server . . . 438
    18.2.1 Name Server (NS) records are used for delegation . . . 439
    18.2.2 Delegation in the in-addr.arpa domain . . . 440
    18.2.3 A Normal in-addr.arpa delegation . . . 440
    18.2.4 B Classless in-addr.arpa delegation . . . 440
    18.2.5 Examples of delegation by different brands of name server . . . 442


      Delegation in NSD or BIND . . . 442
      Delegation in MaraDNS . . . 442
      Delegation in PowerDNS . . . 443
      Delegation in MyDNS . . . 444
      Delegation in tinydns . . . 444
      Delegation in ldapdns . . . 444
  18.3 Creating your own private root name servers . . . 445
    18.3.1 A Install your root name servers . . . 446
    18.3.2 B Configuring name servers to serve the root zone . . . 446
      B1 Using NSD as a root server . . . 446
      B2 Using MyDNS as a root server . . . 447
      B3 Using BIND-sdb-LDAP as a root server . . . 448
      Create the master . zone in named.conf . . . 448
      LDIF for the root zone . . . 448
      How clients query the root zone . . . 450
    18.3.3 C Configure your caching servers . . . 450
      Configuring Unbound and BIND to access your root servers . . . 450
      Configuring dnscache to access your root servers . . . 451

Part III Operational Issues . . . 453

19 Updating DNS zones and their associated records . . . 455
  19.1 Using a registry to manage your DNS operations . . . 456
    19.1.1 Do you need a registry? . . . 456
    19.1.2 How to set up a registry . . . 457
  19.2 How you update your DNS data . . . 458
  19.3 Managing DNS data in text files . . . 458
    19.3.1 A Editing by hand with a text editor . . . 458
    19.3.2 B Generating file content from an external data source . . . 459
  19.4 Updating name server back-end data stores . . . 460
  19.5 Web-based management . . . 462
      Web-based tools for PowerDNS . . . 462
      Web-based tools for BIND . . . 462
      Web-based tools for Bind DLZ . . . 463
      Web-based tools for tinydns . . . 463
  19.6 Dynamic DNS Updates (RFC 2136) . . . 464
    19.6.1 Dynamic updates from the command-line with nsupdate . . . 465
      Commands understood by nsupdate . . . 465
    19.6.2 Using nsupdate to add a host to MyDNS . . . 466
      Using nsupdate with TSIG . . . 467
    19.6.3 Net::DNS . . . 468
  19.7 Dynamic DNS updates performed by DHCP client or server . . . 469
    19.7.1 ISC DHCP . . . 470
    19.7.2 ISC's dhclient . . . 471


    19.7.3 How an IP address is registered in the DNS . . . 471
      Configure your DNS server . . . 472
      A The DHCP server updates the DNS . . . 473
      B dhclient updates the DNS . . . 474
      C Use dhclient-script to update the DNS . . . 475
      D Processing the dhcpd.leases file . . . 475
      E Updating your DNS the poor man's way . . . 476
  19.8 Poor man's dynamic updates . . . 476
    19.8.1 pmc: the poor man's dynamic DNS client . . . 478
      Invoking pmc on *nix . . . 480
      Invoking pmc on Microsoft Windows . . . 480
    19.8.2 pms: a server for pmc . . . 480

20 The Name Service Switch . . . 487
  20.1 How the resolver operates . . . 488
    20.1.1 Unix stub resolver . . . 488
      Configuring the resolver . . . 488
    20.1.2 The lightweight resolver . . . 489
    20.1.3 Microsoft Windows DNS Client . . . 489
  20.2 NSS: the Name Service Switch . . . 490
    20.2.1 How NSS determines where to look for information . . . 491
  20.3 Using LDAP (RFC 2307) with the Name Service Switch . . . 492
    20.3.1 A Configure NSS LDAP with /etc/ldap.conf . . . 492
    20.3.2 B Prepare your LDAP directory server . . . 492
    20.3.3 C Migrating /etc/hosts to NSS LDAP . . . 493
    20.3.4 D Configure nsswitch.conf . . . 494
    20.3.5 E Testing your NSS LDAP . . . 494
    20.3.6 Points to note when you implement RFC 2307 LDAP in NSS . . . 495

21 Internationalized Domain Names . . . 497
  21.1 Converting internationalized domain names to ASCII . . . 498
      Homograph attacks on internationalized domain names . . . 499
  21.2 Adding internationalized domains to your DNS server . . . 499
  21.3 Using IDNA in applications . . . 501
    21.3.1 Using IDNA in Web browsers . . . 501
    21.3.2 Using IDNA in e-mail clients . . . 502
    21.3.3 Programming IDNA applications . . . 503

22 Introducing DNSSEC . . . 505
  22.1 The problem . . . 506
  22.2 A very brief introduction to cryptography . . . 507
    22.2.1 Symmetric encryption . . . 507
    22.2.2 Asymmetric encryption . . . 508
    22.2.3 Using public key encryption . . . 509
      Signatures, hashes and digests: verifying the sender of a message . . . 509


      Typical applications of public key cryptography . . . 511
      Ensuring public keys are genuine: certificates and authorities . . . 511
  22.3 An overview of DNSSEC . . . 512
    22.3.1 The scope of DNS data integrity in DNSSEC . . . 513
    22.3.2 How a zone file is signed for DNSSEC . . . 514
  22.4 Implementing DNSSEC on an authoritative server . . . 517
    22.4.1 A Generating your keys . . . 518
      Why two separate keys? . . . 518
    22.4.2 B Sign the zone with your keys . . . 520
    22.4.3 C Configure your authoritative servers . . . 521
    22.4.4 D Provide your public keys to caching server administrators . . . 523
  22.5 Implementing DNSSEC on a caching name server . . . 524
    22.5.1 How a caching server validates a DNSSEC-signed answer . . . 525
    22.5.2 Trust anchors, and islands of trust . . . 526
    22.5.3 Configuring trust anchors in your caching server: Unbound . . . 527
    22.5.4 Configuring trust anchors in your caching server: BIND . . . 528
    22.5.5 Example of a DNSSEC validation . . . 529
  22.6 The chain of trust for delegated zones; DS records . . . 530
    22.6.1 To configure the chain of trust from parent to child zone . . . 531
  22.7 Using DNSSEC automatically: DLV, look-aside validation . . . 533
    22.7.1 Authoritative server: create records to include in a DLV registry . . . 534
    22.7.2 Caching server: configure to use a DLV registry . . . 534
      Testing DLV: off to Brazil . . . 535
      Points to note about DLV . . . 536
  22.8 Housekeeping and DNSSEC key management . . . 536
    22.8.1 Organizing your keys to avoid confusion . . . 537
    22.8.2 Administering your keys . . . 537
  22.9 Points to note when you deploy DNSSEC . . . 538

23 Performance . . . 545
  23.1 How we carried out the performance tests . . . 546
    23.1.1 Test environment . . . 546
    23.1.2 Creating thousands of zone names . . . 547
      Loading the zones . . . 547
    23.1.3 How we ran the tests . . . 548
    23.1.4 Queries per second . . . 549
    23.1.5 Testing the performance of zone transfers . . . 551
    23.1.6 Process sizes . . . 551
  23.2 Performance results for the authoritative name servers . . . 552
    23.2.1 Performance results for MaraDNS . . . 552
    23.2.2 Performance results for tinydns . . . 552
    23.2.3 Performance results for MyDNS . . . 553
    23.2.4 Performance results for BIND . . . 553
    23.2.5 Performance results for PowerDNS . . . 554
      A PowerDNS with the LDAP back-end . . . 554


      B PowerDNS with the OpenDBX back-end . . . 555
      C PowerDNS with the BIND back-end . . . 555
    23.2.6 Performance results for Bind DLZ . . . 555
      A LDAP driver . . . 555
      B MySQL driver . . . 556
      C Berkeley DB High Performance Text driver . . . 556
    23.2.7 Performance results for BIND-sdb-LDAP . . . 557
    23.2.8 Performance results for NSD . . . 557
    23.2.9 Servers not included in the performance tests . . . 558
  23.3 How the back-ends influence performance . . . 558
    23.3.1 Databases and LDAP directories . . . 558
      LDAP . . . 558
      MySQL . . . 558
    23.3.2 Caching . . . 559
  23.4 Performance results for caching name servers . . . 559
  23.5 How important is performance? . . . 560

24 Securing and monitoring your DNS servers . . . 563
  24.1 Securing your DNS name servers . . . 564
  24.2 Monitoring . . . 566
    24.2.1 What does the monitoring system do? . . . 566
    24.2.2 What should you monitor? . . . 567
  24.3 Gathering statistics about your DNS operation . . . 571
    24.3.1 DNS Statistics Collector: dsc . . . 572
    24.3.2 Other interesting programs . . . 573
      collectd . . . 573
      dnstop . . . 574

Appendixes . . . 579

A Getting started with (Open)LDAP . . . 579
  A.1 A brief introduction to directories . . . 579
    A.1.1 LDAP: the Lightweight Directory Access Protocol . . . 579
    A.1.2 The Directory Information Tree . . . 579
    A.1.3 Entries in an LDAP directory . . . 581
    A.1.4 Object classes and attribute types . . . 582
    A.1.5 LDAP schema . . . 583
  A.2 The OpenLDAP directory server . . . 583
    A.2.1 Symas OpenLDAP Silver . . . 584
      A Download Symas OpenLDAP . . . 584
      B Install Symas OpenLDAP . . . 585
      C Configure the server with our silverinst.sh script . . . 585
  A.3 Manipulating your LDAP directory . . . 587
      Your LDAP directory . . . 587


    A.3.1 LDIF: LDAP Data Interchange Format . . . 588
    A.3.2 Loading data into your OpenLDAP directory . . . 588
    A.3.3 Access control . . . 589
    A.3.4 Adding entries . . . 590
    A.3.5 Introducing LDAP search filters . . . 590
    A.3.6 Search scopes . . . 591
    A.3.7 Searching entries . . . 592
    A.3.8 Modifying entries . . . 593
    A.3.9 Deleting entries . . . 593
    A.3.10 Interpreting slapd's log-file . . . 594
    A.3.11 LDAP URLs . . . 594
    A.3.12 Features you will probably want to add to your OpenLDAP server . . . 595
      Indexes . . . 595
      Access control . . . 595
      Transport Layer Security . . . 595
      Simple Authentication and Security Layer . . . 596
      Overlays and back-ends . . . 596
      SLAPI plug-ins . . . 596
      Replication . . . 596
  A.4 Extending your LDAP directory . . . 597
    A.4.1 Objects and identifiers . . . 598
    A.4.2 Extending your schema . . . 599
    A.4.3 A sample schema file for storing songs . . . 600
    A.4.4 A song in LDIF format . . . 601
    A.4.5 Loading and finding songs . . . 602
    A.4.6 Finding entries with Perl's Net::LDAP . . . 602

B Use $INCLUDE and fix your SOA . . . 604
      The fixserial.pl program . . . 606

C BIND SDB . . . 607
  C.1 Generate zone clauses for BIND-sdb-LDAP . . . 607
  C.2 Simple BIND SDB load-balancer driver . . . 608
    C.2.1 load.h . . . 608
    C.2.2 load.c . . . 609
    C.2.3 named.conf . . . 613

D Bind DLZ . . . 615
  D.1 Load BDBHPT from an SQL database . . . 615
  D.2 Helper functions for automatically creating PTR records . . . 619

E Perl DNS name servers . . . 621
  E.1 Stanford::DNSserver . . . 621
  E.2 Net::DNS::Nameserver . . . 625
  E.3 Net::DNS::Server . . . 626


    F User Defined Functions in MySQL  629
    F.1 A: Raise an error in a MySQL trigger with a UDF  629

    F.1.1 The source code of the raise_error() UDF function  629
    F.1.2 Install your UDF  630
    F.1.3 Create the trigger  631
    F.1.4 Testing the trigger in PowerDNS  632

    F.2 B: Use a UDF to update a file in the file system  632

    G Bits and pieces  637
    G.1 Using the DNS to store arbitrary (configuration) strings  637

    G.1.1 Use TXT records to configure an application  638
    G.1.2 A more sophisticated solution  638

    G.2 A DNSBL to look up country-codes  639
    G.2.1 Mirror and serve the blacklist  640
    G.2.2 Using your new country blacklist  641

    Determine country of origin in Apache log files  641
    G.3 Automatic DNS NOTIFY with OpenLDAP and slapi-dnsnotify  643

    H Scripting PowerDNS Recursor with the Lua programming language  645
    H.1 A (very) short overview of Lua  645

    H.1.1 Example: embedding Lua into your program  646
    H.2 Add Lua scripting to PowerDNS Recursor  647

    H.2.1 Configure PowerDNS Recursor to use Lua scripts  648
    H.2.2 Writing a Lua function for PowerDNS Recursor  649
    H.2.3 Example: Override an NXDOMAIN  650
    H.2.4 Example: Redirect a domain  650

    Glossary  651

    Index  655


    Colophon 695


    List of Tables

    3.1 Back-end support in authoritative name servers  69

    4.1 MaraDNS at a glance  76
    4.2 MaraDNS query types and logging codes  91

    5.1 MyDNS at a glance  96

    6.1 PowerDNS at a glance  114
    6.2 Roles in PowerDNS back-ends  117
    6.3 OpenDBX drivers  131
    6.4 Attribute types used by PowerDNS LDAP back-end  135
    6.5 pdns_control variable (metric) names  151
    6.6 Options that affect OpenDBX queries  165

    7.1 BIND at a glance  168

    8.1 BIND SDB at a glance  188
    8.2 Resource records in the dNSZone & Cosine schemas  194

    9.1 Bind DLZ at a glance  214
    9.2 DLZ driver attribute type order  223
    9.3 Format of DNS records in BDBHPT  245

    10.1 NSD at a glance  262
    10.2 NSD statistic codes  271

    11.1 djbdns at a glance  284
    11.2 tinydns-data record syntax  288

    12.1 ldapdns at a glance  316

    13.1 dnsmasq at a glance  332
    13.2 DHCP options supported by dnsmasq's DHCP server  341

    15.1 Perl name servers at a glance  358


    16.1 rbldnsd at a glance  372

    17.1 BIND caching name server at a glance  391
    17.2 PowerDNS Recursor at a glance  395
    17.3 A selection of rec_control variables  401
    17.4 dnscache at a glance  402
    17.5 dnsproxy at a glance  413
    17.6 Unbound at a glance  417

    23.1 Performance results of MaraDNS  552
    23.2 Performance results of tinydns  552
    23.3 Performance results of MyDNS  553
    23.4 Performance results of BIND  554
    23.5 Performance results of PowerDNS  555
    23.6 Performance results of Bind DLZ  556
    23.7 Performance results of BIND SDB LDAP  557
    23.8 Performance results of NSD  557
    23.9 How the caching name servers performed  559

    H.1 Common query types and codes  649


    List of Listings

    4.1 Safe fetchzone for MaraDNS  89
    6.1 Feed a zone transfer to zone2ldap  139
    6.2 PowerDNS Pipe back-end: load-balancer  142
    6.3 Enumerate zones from MySQL for NSD with PowerDNS::Backend::MySQL  155
    6.4 Enumerate PowerDNS zones from LDAP for BIND  156
    6.5 Create a zone in PowerDNS with PowerDNS::Backend::MySQL  157
    6.6 Trigger prevents CNAME and other data  159
    7.1 Parsing the XML produced by BIND's statistics server  184
    9.1 MySQL trigger copies records in Bind DLZ  255
    9.2 Patch to Bind DLZ changes tokens  259
    11.1 isp2tiny.pl creates a tinydns data file from a MySQL database at an ISP  298
    11.2 Example of Perl's Time::TAI64  313
    12.1 ldapdnsrun: a script to start ldapdns  319
    13.1 dnsmasq configuration  344
    15.1 Query a hostname with Net::DNS  359
    16.1 Zone file with a DNS blacklist  376
    16.2 An example input for rbldnsd  379
    16.3 Adding a forwarder to BIND for rbldnsd  380
    17.1 named.conf for a BIND caching name server  392
    17.2 Master zone file for the domain localhost  393
    17.3 Master zone file for the domain 0.0.127.in-addr.arpa  393
    17.4 dnsproxy.conf  414
    17.5 unboundq.c: a sample program for libunbound  432
    18.1 Private root zone  446
    19.1 Perform an RFC 2136 Dynamic DNS Update with Net::DNS  468
    19.2 Perform an RFC 2136 Dynamic DNS Update with Net::DNS and TSIG  469
    19.3 A dhcpd.conf file  470
    19.4 pmc.c: the poor man's dynamic DNS client (+D191)  478
    19.5 pms.php: the poor man's dynamic DNS server component (+D192)  481
    20.1 ldap.conf for NSS LDAP  492
    20.2 Migrating /etc/hosts to NSS LDAP  493
    23.1 Generating queryperf.input  549
    23.2 Zone transfers (AXFR) with Net::DNS  551
    24.1 NOTIFY handler with Perl's Net::DNS::Nameserver  569


    A.1 A schema file for songs  600
    A.2 Searching the directory for songs with Net::LDAP: songl  602
    B.1 Makefile for fixing SOA in zone files automatically  605
    B.2 fixserial.pl fixes a serial number in a zone file  606
    C.1 Generate zone clauses for BIND SDB from LDAP  607
    C.2 Sample BIND SDB load balancer: jpload.h  608
    C.3 Sample BIND SDB load balancer: jpload.c  609
    C.4 Sample BIND SDB load balancer: named.conf  613
    D.1 Convert SQL data to BDB databases for DLZ's BDBHPT driver  616
    D.2 Custom MySQL function revip4() in Bind DLZ  619
    D.3 Custom MySQL function ip4octet() in Bind DLZ  619
    D.4 Custom MySQL function inarpa4() in Bind DLZ  620
    E.1 Perl DNS Nameserver: Stanford::DNSserver  621
    E.2 Handling Service (SRV) queries in Perl  623
    E.3 Perl DNS Nameserver: Net::DNS::Nameserver example  625
    E.4 Perl DNS Nameserver: Net::DNS::Server example  626
    F.1 User Defined RAISE_ERROR Function for MySQL  630
    F.2 Trigger uses raise_error() UDF  631
    F.3 UDF that touches a file on the file system  634
    G.1 Query TXT RR for pms URL  639
    G.2 Determine geographic location of Apache clients  642
    H.1 Lua-enabled getconfig() function retrieves a variable  646
    H.2 Example Lua function for nxdomain  650
    H.3 Example Lua function for preresolve  650


    Preface

    What's different about this book

    This book concentrates on two particular aspects of using the DNS:

    1. Whereas most DNS documentation discusses only the BIND program (Berkeley Internet Name Daemon), there are other implementations, which might be better suited to your requirements. For example, MaraDNS is amazingly easy to set up, and NSD has wonderful performance. We cover all the important alternative programs (and some special features of BIND as well). We explain what environments they are particularly suited for, and their advantages and disadvantages, and describe in detail how to implement and manage them.

    2. Traditionally, DNS data is kept in flat, plain-text files. Many of the servers we cover, and the extensions to BIND, let you store your DNS data in SQL databases, LDAP directories, or other special formats. We explain why you might want to do this (primarily because it lets you automate your DNS management and integrate it with the rest of your systems) and how to implement these back-end data stores.

    In addition we cover many other interesting topics, such as secure DNS (DNSSEC), Dynamic DNS with DHCP, DNS blacklists (especially for mail system administrators), load balancing with the DNS, and implementing your own DNS servers in Perl.

    Who should read this book

    This book is aimed at three broad groups of people:

    1. Systems administrators setting up a new DNS infrastructure, redesigning an existing one, or who just want to manage an existing system better.

    2. Consultants recommending or implementing DNS solutions for customers, perhaps running them as an outsourced service.

    3. IT or Network managers who need to understand what's involved in getting a DNS infrastructure up and running.

    We cover the needs of all sizes of organization, from small Small Office / Home Office networks requiring simple DNS services, to corporate networks and ISPs requiring high performance and very reliable services for public Internet use and for internal systems. Whichever group you belong to, this book addresses your requirements:

    If you haven't implemented a DNS server yet, or are considering moving to a different server:

    We show what's involved, from installation through to ongoing management.

    We help you choose the server best suited to your environment. For each server we include a feature chart, showing you at a glance the particular server's benefits and drawbacks.

    We show you how to build a simple test environment to evaluate the different servers. We show how to run the performance tests, and give you our test results.

    If you have an existing DNS system:

    You may be using only basic features, and want to investigate further facilities that might be useful.

    You may want to investigate whether a change of server would improve performance, or streamline your system management or allow you to automate it.

    Installing your chosen server is only the first step: there's a lot more to running a professional DNS setup. Whether you are managing a new or existing DNS system:

    You may want to simplify your system administration, or automate it, and/or integrate your DNS data into a corporate database or LDAP directory. We discuss the storage schemes used by DNS servers that support relational databases or LDAP directories, and show you how to add and modify DNS entries.

    If you are currently expanding your network, we show you how to configure standalone internal servers for private networks, as well as providing public DNS service to users on the Internet connecting to your public services such as Web and e-mail servers.

    We explain how to implement dynamic DNS, and provide workarounds if the server software of your choice doesn't support the standard for updating DNS directly. We explain how to get Dynamic DNS and DHCP to work together.

    We show you how to implement DNS blacklists, to reduce the spam load on your e-mail system.

    If you like programming, we show you how you can create your own special-purpose name servers in Perl.

    In addition to the security requirements of the individual programs, we show you how to protect your DNS servers by implementing TSIG, and how to protect and validate DNS replies with DNSSEC.

    We explain how to handle Internationalized Domain Names (IDNA).

    All configurations tested are included in the book or on the companion Web site, so you can use them as a basis for your own implementation. Sample code is provided where appropriate, as well as detailed configuration descriptions.


    Organization of the book

    The book is in three parts, as shown in the Figure. On first reading you should read Part I, i.e. chapters 1 to 3, in order, although you can skip chapters 1 and 2 if you are a DNS expert. If you haven't decided which server to implement, skim through the individual servers in Part II, to familiarize yourself with what's available, and then concentrate on the relevant server(s). Finally, read Part III, which tells you about operational issues that you should factor in right from the beginning; do this before you start your implementation, so you're aware of the whole picture in advance.

    At the end of each chapter, a section called Related topics points you to other chapters that relate to what you are currently reading. For example, when we discuss a programmable back-end for one brand¹ of name server, we point you to other brands that have similar capabilities, or to a chapter where we discuss a different way of solving a similar problem.

    Installation instructions for servers are in the Notes sections at the end of each chapter, rather than in the chapter proper. This is for two reasons. First, many UNIX and GNU/Linux distributions have pre-built packages for the various brands of server, so you can install using your distribution's standard installation manager instead of using server-specific procedures. Secondly, you're likely to install only one or two of the servers, so the installation instructions for most of the servers will be irrelevant to you.

    ¹ We use the term brand of name server to distinguish between MyDNS, BIND, tinydns etc. Phrases such as type of name server could be ambiguous, perhaps suggesting a particular feature (such as SQL support), rather than meaning brand X.


    What you need to know

    This isn't a beginner's book. We assume a basic understanding of the Domain Name System, although we do fast-forward you over the essentials, and scenarios for the many different types of DNS installation. Also, you need basic to intermediate UNIX or GNU/Linux skills to work with the programs in this book. For example, you should feel comfortable creating and editing files, starting and stopping services, checking content of log files, etc.

    We cover two broad categories of DNS servers: (a) servers that store their DNS data in text files; (b) servers that store their DNS data in an SQL database or LDAP directory back-end. For the servers using flat-file data, you don't need to know anything about SQL or LDAP, and you can skip the SQL and LDAP sections completely. For servers with SQL or LDAP back-ends, you should additionally be familiar with your SQL database system or LDAP directory server. For SQL, you should be able to create database tables, understand basic SQL statements, and understand how to manage your SQL database system. For LDAP, you should be familiar with entries, attribute types and LDIF, be able to add, modify and delete entries in your directory, and know how to perform the basic administration of your directory server.

    Some servers offer both SQL and LDAP back-ends. You can skip the parts that don't interest you: if you're interested only in SQL, you don't need to know anything about LDAP and can skip the LDAP sections, and vice versa. Because of this, we occasionally duplicate information relevant to both types of back-end, so that each section is complete in itself.

    In the Notes and further reading sections of each chapter, we point you to books, good tools or interesting sites that complement this book.

    Platforms supported

    The programs discussed in this book run on most modern *nix² flavors including UNIX, FreeBSD, GNU/Linux, and Mac OS X. Some of the programs also run natively on Microsoft Windows and we show you how you implement them.

    For some brands of name server, you will need an SQL database (such as PostgreSQL or MySQL) or an LDAP directory server in which DNS data is stored. We show you how to obtain a free, pre-packaged OpenLDAP server.

    Conventions used in this book

    Sample code, and names of directories, operating system functions and files, are set in a fixed-width font (e.g. resolv.conf).

    In commands, scripts and files, we indicate a continuation line with a backslash (\) if the shell or whatever allows that syntax; otherwise we use . If the output of a command is too wide, we break it onto more than a single line and indicate the break with .

    ² We use the term *nix throughout to indicate a UNIX or a GNU/Linux platform.


    Command-line invocations are shown with their output (if any), although we do truncate output if necessary. Commands that you run as a non-privileged user have a dollar prompt:

    $ dig www.qupps.biz...

    whereas privileged (root) commands have a hash (sharp) prompt:

    # mkdir /etc/unbound

    Throughout the book we refer to the domain qupps.biz. We registered this for a fictitious company invented for this book, called Quite Unusual People, Products and Services.

    Throughout the book we discuss tools that we've created for demonstration purposes. You can download a file containing the whole lot at the book's Web site (http://www.uit.co.uk/altdns), and we indicate individual files you can download with a number, for example, (+D001), that points to a link specifically for that item.

    Suggestions and comments on this book

    The author and publisher welcome feedback from all readers. If you have any comments on this book, would like to make a suggestion, or have noticed an error, please e-mail us [email protected]

    Acknowledgments

    This book would not have been possible without the brilliant people who devoted time and effort to write the software I write about. I'd like to thank all those who have reviewed drafts of parts of the book, for their help in answering innumerable questions and providing valuable feedback: Simon Kelley (author of dnsmasq), Rob Butler (author of Bind DLZ), Bert Hubert (princ