book

DNS and BIND, 5th Edition

by Cricket Liu, Paul Albitz

May 2006

Intermediate to advanced

640 pages

18h 40m

English

O'Reilly Media, Inc.

Read now

Unlock full access

VersionsWhat’s New in the Fifth Edition?OrganizationAudienceObtaining the Example ProgramsHow to Contact UsConventions Used in This BookUsing Code ExamplesSafari® EnabledQuotationsAcknowledgments
1.1. A (Very) Brief History of the Internet1.2. On the Internet and Internets1.2.1. The History of the Domain Name System1.3. The Domain Name System, in a Nutshell1.4. The History of BIND1.5. Must I Use DNS?
2.1. The Domain Namespace2.1.1. Domain Names2.1.2. Domains2.1.3. Resource Records2.2. The Internet Domain Namespace2.2.1. Top-Level Domains2.2.1.1. Country-code top-level domains2.2.1.2. New top-level domains2.2.2. Further Down2.2.3. Reading Domain Names2.3. Delegation2.4. Nameservers and Zones2.4.1. Delegating Subdomains2.4.2. Types of Nameservers2.4.3. Zone Datafiles2.5. Resolvers2.6. Resolution2.6.1. Root Nameservers2.6.2. Recursion2.6.3. Iteration2.6.4. Choosing Between Authoritative Nameservers2.6.5. The Whole Enchilada2.6.6. Mapping Addresses to Names2.7. Caching2.7.1. Time to Live
3.1. Getting BIND3.1.1. Handy Mailing Lists and Usenet Newsgroups3.1.2. Finding IP Addresses3.2. Choosing a Domain Name3.2.1. On Registrars and Registries3.2.2. Where in the World Do I Fit?3.2.2.1. whois3.2.3. Back in the U.S.A.3.2.3.1. The generic top-level domains3.2.3.2. Choosing a registrar3.2.4. Checking That Your Network Is Registered3.2.5. Registering Your Zones
4.1. Our Zone4.2. Setting Up Zone Data4.2.1. The Zone Datafiles4.2.2. Comments4.2.3. Setting the Zone’s Default TTL4.2.4. SOA Records4.2.5. NS Records4.2.6. Address and Alias Records4.2.7. PTR Records4.2.8. The Completed Zone Datafiles4.2.9. The Loopback Address4.2.10. The Root Hints Data4.3. Setting Up a BIND Configuration File4.4. Abbreviations4.4.1. Appending Domain Names4.4.2. The @ Notation4.4.3. Repeat Last Name4.4.4. The Shortened Zone Datafiles4.5. Hostname Checking4.6. Tools4.6.1. BIND 9 Tools4.7. Running a Primary Nameserver4.7.1. Starting Up the Nameserver4.7.2. Check for Syslog Errors4.7.3. Testing Your Setup with nslookup4.7.3.1. Set the local domain name4.7.3.2. Look up a local domain name4.7.3.3. Look up a local address4.7.3.4. Look up a remote domain name4.7.3.5. One more test4.7.4. Editing the Startup Files4.8. Running a Slave Nameserver4.8.1. Setup4.8.2. Backup Files4.8.3. SOA Values4.8.4. Multiple Master Servers4.9. Adding More Zones4.10. What’s Next?
5.1. MX Records5.2. Movie.edu’s Mail Server5.3. What’s a Mail Exchanger, Again?5.4. The MX Algorithm5.5. DNS and Email Authentication5.5.1. The Sender Policy Framework
6.1. The Resolver6.2. Resolver Configuration6.2.1. The Local Domain Name6.2.2. The Search List6.2.2.1. The BIND 4.9 and later search list6.2.2.2. The BIND 4.8.3 search list6.2.3. The search Directive6.2.4. The nameserver Directive6.2.4.1. One nameserver configured6.2.4.2. More than one nameserver configured6.2.5. The sortlist Directive6.2.6. The options Directive6.2.7. Comments6.2.8. A Note on the 4.9 Resolver Directives6.3. Sample Resolver Configurations6.3.1. Resolver Only6.3.2. Local Nameserver6.4. Minimizing Pain and Suffering6.4.1. Differences in Service Behavior6.4.2. Electronic Mail6.4.3. Updating .rhosts, hosts.equiv, etc.6.4.4. Providing Aliases6.5. Additional Configuration Files6.5.1. nsswitch.conf6.6. The Windows XP Resolver6.6.1. Caching6.6.2. Subnet Prioritization
7.1. Controlling the Nameserver7.1.1. ndc and controls (BIND 8)7.1.2. rndc and controls (BIND 9)7.1.2.1. Using rndc to control multiple servers7.1.2.2. New rndc commands7.1.3. Using Signals7.2. Updating Zone Datafiles7.2.1. Adding and Deleting Hosts7.2.2. SOA Serial Numbers7.2.3. Starting Over with a New Serial Number7.2.4. Additional Zone Datafile Entries7.2.4.1. General text information7.2.4.2. Responsible Person7.2.5. Generating Zone Datafiles from the Host Table7.2.6. Keeping the Root Hints Current7.3. Organizing Your Files7.3.1. Using Several Directories7.3.2. Changing the Origin in a Zone Datafile7.3.3. Including Other Zone Datafiles7.4. Changing System File Locations7.5. Logging7.5.1. The logging Statement7.5.2. Channel Details7.5.2.1. File channels7.5.2.2. syslog channels7.5.2.3. stderr channel7.5.2.4. null channel7.5.2.5. Data formatting for all channels7.5.3. Category Details7.5.3.1. BIND 8 categories7.5.3.2. BIND 9 categories7.5.3.3. Viewing all category messages7.6. Keeping Everything Running Smoothly7.6.1. Common Syslog Messages7.6.2. Understanding the BIND Statistics7.6.2.1. BIND 8 statistics7.6.2.2. BIND 9 statistics7.6.2.3. Using the BIND statistics
8.1. How Many Nameservers?8.1.1. Where Do I Put My Nameservers?8.1.2. Capacity Planning8.2. Adding More Nameservers8.2.1. Primary Master and Slave Servers8.2.2. Caching-Only Servers8.2.3. Partial-Slave Servers8.3. Registering Nameservers8.4. Changing TTLs8.4.1. Changing Other SOA Values8.5. Planning for Disasters8.5.1. Outages8.5.2. Recommendations8.6. Coping with Disaster8.6.1. Long Outages (Days)8.6.2. Really Long Outages (Weeks)

9.1. When to Become a Parent9.2. How Many Children?9.3. What to Name Your Children9.4. How to Become a Parent: Creating Subdomains9.4.1. Creating a Subdomain in the Parent’s Zone9.4.2. Creating and Delegating a Subdomain9.4.3. An fx.movie.edu Slave9.4.4. On the movie.edu Primary Nameserver9.4.5. Delegating an in-addr.arpa Zone9.4.6. Adding a movie.edu Slave9.5. Subdomains of in-addr.arpa Domains9.5.1. Subnetting on an Octet Boundary9.5.2. Subnetting on a Nonoctet Boundary9.5.2.1. /8 (Class A-sized) and /16 (Class B-sized) networks9.5.2.2. /24 (Class C-sized) networks9.5.2.2.1. Solution 19.5.2.2.2. Solution 29.5.2.2.3. Solution 39.6. Good Parenting9.6.1. Using host9.6.2. Managing Delegation9.6.2.1. Managing delegation with stubs9.7. Managing the Transition to Subdomains9.7.1. Removing Parent Aliases9.8. The Life of a Parent
10.1. Address Match Lists and ACLs10.2. DNS Dynamic Update10.2.1. Dynamic Update and Serial Numbers10.2.2. Dynamic Update and Zone Datafiles10.2.3. Update Access Control Lists10.2.4. TSIG-Signed Updates10.3. DNS NOTIFY (Zone Change Notification)10.4. Incremental Zone Transfer (IXFR)10.4.1. IXFR Limitations10.4.2. IXFR from Differences10.4.3. IXFR Files10.4.4. BIND 8 IXFR Configuration10.4.5. BIND 9 IXFR Configuration10.5. Forwarding10.5.1. A More Restricted Nameserver10.5.2. Forward Zones10.6. Views10.7. Round-Robin Load Distribution10.7.1. Multiple CNAMEs10.7.2. The rrset-order Substatement10.8. Nameserver Address Sorting10.9. Preferring Nameservers on Certain Networks10.10. A Nonrecursive Nameserver10.11. Avoiding a Bogus Nameserver10.12. System Tuning10.12.1. Zone Transfers10.12.1.1. Limiting transfers requested per nameserver10.12.1.2. Limiting the total number of zone transfers requested10.12.1.3. Limiting the total number of zone transfers served10.12.1.4. Limiting the duration of a zone transfer10.12.1.5. Limiting the frequency of zone transfers10.12.1.6. More efficient zone transfers10.12.2. Resource Limits10.12.2.1. Changing the data segment size limit10.12.2.2. Changing the stack size limit10.12.2.3. Changing the core size limit10.12.2.4. Changing the open files limit10.12.2.5. Limiting the number of clients10.12.2.6. Limiting SOA queries10.12.3. Maintenance Intervals10.12.3.1. Cleaning interval10.12.3.2. Interface interval10.12.3.3. Statistics interval10.12.4. TTLs10.13. Compatibility10.14. The ABCs of IPv6 Addressing10.15. Addresses and Ports10.15.1. Configuring the IPv4 Transport10.15.2. Configuring the IPv6 Transport10.15.3. EDNS010.15.4. IPv6 Forward and Reverse Mapping10.15.5. AAAA and ip6.arpa10.15.6. A6, DNAMEs, Bitstring Labels, and ip6.arpa10.15.6.1. A6 records and forward mapping10.15.6.2. DNAME records and reverse mapping
11.1. TSIG11.1.1. One-Way Hash Functions11.1.2. The TSIG Record11.1.3. Configuring TSIG11.1.4. Using TSIG11.2. Securing Your Nameserver11.2.1. BIND Version11.2.2. Restricting Queries11.2.2.1. Restricting all queries11.2.2.2. Restricting queries in a particular zone11.2.3. Preventing Unauthorized Zone Transfers11.2.4. Running BIND with Least Privilege11.2.5. Split-Function Nameservers11.2.5.1. “Advertising” nameserver configuration11.2.5.2. “Resolving” nameserver configuration11.2.6. Two Nameservers in One11.3. DNS and Internet Firewalls11.3.1. Types of Firewall Software11.3.1.1. Packet filters11.3.1.2. Proxies11.3.2. A Bad Example11.3.3. Internet Forwarders11.3.3.1. The trouble with forwarding11.3.3.2. Using forward zones11.3.4. Internal Roots11.3.4.1. Where to put internal root nameservers11.3.4.2. Forward-mapping delegation11.3.4.3. in-addr.arpa delegation11.3.4.4. The db.root file11.3.4.5. Configuring other internal nameservers11.3.4.6. How internal nameservers use internal roots11.3.4.7. Mail from internal hosts to the Internet11.3.4.8. Mail to specific Internet domain names11.3.4.9. The trouble with internal roots11.3.5. A Split Namespace11.3.5.1. Configuring the bastion host11.3.5.2. Protecting zone data on the bastion host11.3.5.3. The final configuration11.3.5.4. Using views on the bastion host11.4. The DNS Security Extensions11.4.1. Public-Key Cryptography and Digital Signatures11.4.2. The DNSKEY Record11.4.3. The RRSIG Record11.4.4. The NSEC Record11.4.5. The DS Record and the Chain of Trust11.4.5.1. Islands of security11.4.5.2. Delegating to unsigned zones11.4.6. DO, AD, and CD11.4.7. How the Records Are Used11.4.8. DNSSEC and Performance11.4.9. Zone-Signing Keys and Key-Signing Keys11.4.10. Signing a Zone11.4.10.1. Generating your key pairs11.4.10.2. Signing your zone11.4.10.3. Sending your keys to be signed11.4.10.4. Signing a parent zone11.4.11. DNSSEC and Dynamic Update11.4.12. Changing Keys11.4.13. What Was That All About?
12.1. Is nslookup a Good Tool?12.1.1. Multiple Servers12.1.2. Timeouts12.1.3. The Search List12.1.4. Zone Transfers12.1.5. Using NIS and /etc/hosts12.2. Interactive Versus Noninteractive12.3. Option Settings12.3.1. The .nslookuprc File12.4. Avoiding the Search List12.5. Common Tasks12.5.1. Looking Up Different Record Types12.5.2. Authoritative Versus Nonauthoritative Answers12.5.3. Switching Nameservers12.6. Less Common Tasks12.6.1. Showing the Query and Response Messages12.6.2. Querying Like a BIND Nameserver12.6.3. Zone Transfers12.7. Troubleshooting nslookup Problems12.7.1. Looking Up the Right Data12.7.2. No Response from Server12.7.3. No PTR Record for Nameserver’s Address12.7.4. Query Refused12.7.5. First resolv.conf Nameserver Not Responding12.7.6. Finding Out What Is Being Looked Up12.7.7. Unspecified Error12.8. Best of the Net12.9. Using dig12.9.1. dig’s Output Format12.9.2. Zone Transfers with dig12.9.3. dig Options
13.1. Debugging Levels13.1.1. What Information Is at Each Level?13.1.1.1. BIND 8 debugging levels13.1.1.2. BIND 9 debugging levels13.2. Turning On Debugging13.2.1. Debugging Command-Line Option13.2.2. Changing the Debugging Level with Control Messages13.3. Reading Debugging Output13.3.1. Nameserver Startup (BIND 8, Debug Level 1)13.3.2. Nameserver Startup (BIND 9, Debug Level 1)13.3.3. A Successful Lookup (BIND 8, Debug Level 1)13.3.4. A Successful Lookup (BIND 9, Debug Level 1)13.3.5. A Successful Lookup with Retransmissions (BIND 8, Debug Level 1)13.3.6. A Slave Nameserver Checking Its Zone (BIND 8, Debug Level 1)13.3.7. A Slave Nameserver Checking Its Zone (BIND 9 Debug Level 1)13.4. The Resolver Search Algorithm and Negative Caching (BIND 8)13.5. The Resolver Search Algorithm and Negative Caching (BIND 9)13.6. Tools
14.1. Is NIS Really Your Problem?14.2. Troubleshooting Tools and Techniques14.2.1. How to Use named-xfer14.2.2. What if I Don’t Have named-xfer?14.2.3. How to Read a BIND 8 Database Dump14.2.4. How to Read a BIND 9 Database Dump14.2.5. Logging Queries14.3. Potential Problem List14.3.1. 1. Forgot to Increment Serial Number14.3.2. 2. Forgot to Reload Primary Nameserver14.3.3. 3. Slave Nameserver Can’t Load Zone Data14.3.4. 4. Added Name to Zone Datafile but Forgot to Add PTR Record14.3.5. 5. Syntax Error in Configuration File or Zone Datafile14.3.6. 6. Missing Dot at the End of a Domain Name in a Zone Datafile14.3.7. 7. Missing Root Hints Data14.3.8. 8. Loss of Network Connectivity14.3.9. 9. Missing Subdomain Delegation14.3.10. 10. Incorrect Subdomain Delegation14.3.11. 11. Syntax Error in resolv.conf14.3.12. 12. Local Domain Name Not Set14.3.13. 13. Response from Unexpected Source14.4. Transition Problems14.4.1. Resolver Behavior14.4.2. Nameserver Behavior14.5. Interoperability and Version Problems14.5.1. Zone Transfer Fails Because of Proprietary WINS Record14.5.2. Nameserver Reports “no NS RR for SOA MNAME”14.5.3. Nameserver Reports “Too many open files”14.5.4. Resolver Reports “asked for PTR, got CNAME”14.5.5. Nameserver Startup Fails Because UDP Checksums Disabled14.5.6. Other Nameservers Don’t Cache Your Negative Answers14.5.7. TTL Not Set14.6. TSIG Errors14.7. Problem Symptoms14.7.1. Local Name Can’t Be Looked Up14.7.2. Remote Names Can’t Be Looked Up14.7.3. Wrong or Inconsistent Answer14.7.4. Lookups Take a Long Time14.7.5. rlogin and rsh to Host Fails Access Check14.7.6. Access to Services Denied14.7.7. Can’t Get Rid of Old Data14.7.7.1. Old delegation information14.7.7.2. Registration of a non-nameserver14.7.7.3. What have I got?
15.1. Shell Script Programming with nslookup15.1.1. A Typical Problem15.1.2. Solving This Problem with a Script15.2. C Programming with the Resolver Library Routines15.2.1. DNS Message Format15.2.2. Domain Name Storage15.2.3. Domain Name Compression15.2.4. The Resolver Library Routines15.2.4.1. herror and h_errno15.2.4.2. res_init15.2.4.3. res_mkquery15.2.4.4. res_query15.2.4.5. res_search15.2.4.6. res_send15.2.5. The _res Structure15.2.6. The Nameserver Library Routines15.2.6.1. ns_get16 and ns_put1615.2.6.2. ns_get32 and ns_put3215.2.6.3. ns_initparse15.2.6.4. ns_msg_base, ns_msg_end, and ns_msg_size15.2.6.5. ns_msg_count15.2.6.6. ns_msg_get_flag15.2.6.7. ns_msg_id15.2.6.8. ns_name_compress15.2.6.9. ns_name_skip15.2.6.10. ns_name_uncompress15.2.6.11. ns_parserr15.2.6.12. ns_rr routines15.2.7. Parsing DNS Responses15.2.8. A Sample Program: check_soa15.3. Perl Programming with Net::DNS15.3.1. Resolver Objects15.3.2. Packet Objects15.3.3. Header Objects15.3.4. Question Objects15.3.5. Resource Record Objects15.3.6. A Perl Version of check_soa
External, Authoritative DNS InfrastructureForwarder InfrastructureInternal DNS InfrastructureOperationsKeeping Up with DNS and BIND
17.1. Using CNAME Records17.1.1. CNAMEs Attached to Interior Nodes17.1.2. CNAMEs Pointing to CNAMEs17.1.3. CNAMEs in the Resource Record Data17.1.4. Multiple CNAME Records17.1.5. Looking Up CNAMEs17.1.6. Finding Out a Host’s Aliases17.2. Wildcards17.3. A Limitation of MX Records17.4. Dial-up Connections17.4.1. What Causes Dialouts17.4.2. Avoiding Dialouts17.4.3. Manual Dial-up with One Host17.4.4. Manual Dial-up with Multiple Hosts17.4.5. Dial-on-Demand with One Host17.4.6. Dial-on-Demand with Multiple Hosts17.4.7. Running Authoritative Nameservers over Dial-on-Demand17.5. Network Names and Numbers17.6. Additional Resource Records17.6.1. AFSDB17.6.2. LOC17.6.3. SRV17.7. ENUM17.7.1. Translating E.164 Numbers into Domain Names17.7.2. The NAPTR Record17.7.3. Registering ENUM Domain Names17.7.4. Privacy and Security Issues with ENUM17.8. Internationalized Domain Names17.9. DNS and WINS17.10. DNS, Windows, and Active Directory17.10.1. How Windows Uses Dynamic Update17.10.2. Problems with Active Directory and BIND17.10.3. Secure Dynamic Update17.10.3.1. BIND and GSS-TSIG17.10.4. What to Do?17.10.4.1. Handling Windows clients17.10.4.2. Handling Windows servers
A.1. Master File FormatA.1.1. Character CaseA.1.2. TypesA.1.2.1. A addressA.1.2.2. CNAME canonical nameA.1.2.3. HINFO host informationA.1.2.4. MX mail exchangerA.1.2.5. NS name serverA.1.2.6. PTR pointerA.1.2.7. SOA start of authorityA.1.2.8. TXT textA.1.2.9. WKS well-known servicesA.1.3. New Types from RFC 1183A.1.3.1. AFSDB Andrew File System Data Base (experimental)A.1.3.2. ISDN Integrated Services Digital Network address (experimental)A.1.3.3. RP Responsible Person (experimental)A.1.3.4. RT Route Through (experimental)A.1.3.5. X25 X.25 address (experimental)A.1.4. New Types from RFC 1664A.1.4.1. PX pointer to X.400/RFC 822 mapping informationA.1.5. New Types from RFC 3596A.1.5.1. AAAA IPv6 AddressA.1.6. New Types from RFC 2782A.1.6.1. SRV Locate ServicesA.1.7. New Types from RFC 2915A.1.7.1. NAPTR Naming Authority PointerA.1.8. ClassesA.2. DNS MessagesA.2.1. Message FormatA.2.2. Header Section FormatA.2.3. Question Section FormatA.2.3.1. QCLASS valuesA.2.3.2. QTYPE valuesA.2.4. Answer, Authority, and Additional Section FormatA.2.5. Data Transmission OrderA.3. Resource Record DataA.3.1. Data FormatA.3.1.1. Character stringA.3.1.2. Domain nameA.3.1.3. Message compression
C.1. Instructions for BIND 8C.1.1. Get the Source CodeC.1.2. Unpack the Source CodeC.1.3. Use the Proper Compiler SettingsC.1.4. Build EverythingC.2. Instructions for BIND 9C.2.1. Get the Source CodeC.2.2. Unpack the Source CodeC.2.3. Run configure, and Build Everything
E.1. BIND Nameserver Boot File Directives and Configuration File StatementsE.2. BIND 8 Configuration File StatementsE.2.1. E.2.1.1. aclE.2.1.2. controls (8.2+)E.2.1.3. includeE.2.1.4. key (8.2+)E.2.1.5. loggingE.2.1.6. optionsE.2.1.7. serverE.2.1.8. trusted-keys (8.2+)E.2.1.9. zoneE.3. BIND 9 Configuration File StatementsE.3.1. CommentsE.3.1.1. aclE.3.1.2. controlsE.3.1.3. includeE.3.1.4. keyE.3.1.5. loggingE.3.1.6. lwresE.3.1.7. mastersE.3.1.8. optionsE.3.1.9. serverE.3.1.10. trusted-keysE.3.1.11. viewE.3.1.12. zoneE.4. BIND Resolver StatementsE.4.1. E.4.1.1. ; and #E.4.1.2. domainE.4.1.3. nameserverE.4.1.4. options attempts (8.2+)E.4.1.5. options debugE.4.1.6. options ndotsE.4.1.7. options no-check-names (8.2+)E.4.1.8. options timeout (8.2+)E.4.1.9. options rotate (8.2+)E.4.1.10. searchE.4.1.11. sortlistE.5. BIND 9 Options StatementE.5.1. Definition and UsageE.5.2. Boolean OptionsE.5.3. ForwardingE.5.4. Dual-Stack ServersE.5.5. Access ControlE.5.6. InterfacesE.5.7. Query AddressE.5.8. Zone TransfersE.5.9. Bad UDP Port ListsE.5.10. Operating System Resource LimitsE.5.11. Server Resource LimitsE.5.12. Periodic Task IntervalsE.5.13. TopologyE.5.14. The sortlist StatementE.5.15. RRset OrderingE.5.16. TuningE.5.17. Built-in Server Information Zones

Content preview from DNS and BIND, 5th Edition

Chapter 11. Security

“I hope you’ve got your hair well fastened on?” he continued, as they set off.

“Only in the usual way,” Alice said, smiling.

“That’s hardly enough,” he said, anxiously. “You see the wind is so very strong here. It’s as strong as soup.”

“Have you invented a plan for keeping the hair from being blown off?” Alice enquired.

“Not yet,” said the Knight. “But I’ve got a plan for keeping it from falling off.”

Why should you care about DNS security? Why go to the trouble of securing a service that mostly maps names to addresses? Let us tell you a story.

In July 1997, during two periods of several days, users around the Internet who typed www.internic.net into their web browsers thinking they were going to the InterNIC’s web site instead ended up at a web site belonging to the AlterNIC. (The AlterNIC runs an alternate set of root nameservers that delegate to additional top-level domains with names like med and porn.) How’d it happen? Eugene Kashpureff, then affiliated with the AlterNIC, had run a program to “poison” the caches of major nameservers around the world, making them believe that www.internic.net’s address was actually the address of the AlterNIC web server.

Kashpureff hadn’t made any attempt to disguise what he had done; the web site that users reached was plainly the AlterNIC’s, not the InterNIC’s. But imagine someone poisoning your nameserver’s cache to direct www.amazon.com or www.wellsfargo.com to his own web server, conveniently located well outside local law ...