| |
|
Home
|
| Red Hat Linux 7.2: The Official Red Hat Linux Reference Guide |
|---|
| Prev | Chapter 14. Berkeley Internet Name Domain (BIND) | Next |
The BIND nameserver named server uses the
/etc/named.conf file for configuration. All zone
files are placed in the /var/named directory.
 | Warning |
|---|
| | Do manually edit the /etc/named.conf file or any
files in the /var/named directory if you are
using the BIND Configuration Tool. Any
manual changes to those files will be overwritten the next time the
BIND Configuration Tool is used.
|
The /etc/named.conf file must be free of errors in
order for named to start. While some erroneous
options used in with some statements are not considered critical enough
to stop the server, any errors in the statements themselves will prevent
named from starting.
The /etc/named.conf file is a collection of
statements using nested options placed in ellipses {
}. A sample /etc/named.conf file
is organized similar to Figure 14-2.
The
"<statement-name>"
is only needed with acl, include,
server, view, and
zone statements. The
<statement-N-class>
may only be specified with the zone statement.
Comments may be placed in /etc/named in nested
C-style characters /* */ or after
// and
# characters.
The following statements may be used in
/etc/named.conf:
acl <acl-name>
— Configures an access control list of IP addresses to be
allowed or disallowed certain named
services. Most of the time, individual IP addresses or IP network
notation (such as 10.0.1.0/24) is
used identify the exact IPs.
A few access control lists are already defined, so you do not have
to configure an acl statement to define them:
any — Matches every IP address.
localhost — Matches any IP address in
use by the local system.
localnets — Matches any IP address on
any network that the local system connects to with its
interfaces.
none — Matches no IP addresses.
When utilized with other /etc/named.conf
statements and their options, acl statements can
be very useful in ensuring the proper use of your BIND
nameserver. Consider the example in Figure 14-3.
This named.conf contains two access control
lists (black-hats and
red-hats. controls — Configures various security
requirements necessary to use the rndc command
to administer the named service.
See the section called /etc/named.conf to see
how the controls statement should look, including
various options that may only be used with it.
include
"<file-name>" —
Includes the specified file within the current configuration file,
allowing sensitive configuration data (such as
keys) to be placed in a separate file with
permissions that prevent non-privileged users from reading it.
key "<key-name>"
— Defines a particular key by name. Keys are used to
authenticate various actions, such as secure updates or the use of
the rndc command. Two options are used with
key:
algorithm
<algorithm-name>
— The type of algorithm used, such as
dsa or hmac-md5.
secret "<key-value>"
— The encrypted key.
See Figure 14-22 for an example of a
key statement.
logging — Allows for the use of multiple
types of logs, called channels. By using
the channel option within the
logging statement, a customized type of log, with
its own file name (file), size limit
(size), versioning (version),
and level of importance (severity), can be
constructed. Once a customized channel has been defined, a
category option is used the categorize the
channel and begin logging when named is
restarted.
By default, named logs standard messages to the
syslog daemon, which places them in
/var/log/messages as its default. This occurs
due to the fact that several standard channels are built into BIND
with various severity levels, such as one that handles
informational logging messages (default_syslog) and
another that specifically handles debugging messages
(default_debug). A default category, called
default, uses the built-in channels to do normal
logging without any special configuration.
Customizing the logging process can be a very detailed process and
is beyond the scope of this chapter. For information on creating
custom BIND logs, see the BIND 9 Administrator
Reference Manual.
options — Assigns values to many assorted
options, including the use of forwarders, the location of the
named working directory, the names of the
various files, and much more.
The following options are among the most commonly used:
allow-query — Specifies which hosts
are allowed to query this nameserver. By default, all hosts
are allowed to query. An access control list or collection of
IP addresses or networks may be used here to only allow
particular hosts to query the nameserver.
allow-recursion — Similar to
allow-query, except it applies to recursive
queries. By default, all hosts are allowed to perform
recursive queries on the nameserver.
directory — Changes the
named working directory to something other
than the default /var/named.
forward — Controls how forwarding
occurs, if the forwarders option contains
valid IP addresses designating where to sent requests.
If the first option is used, then the
nameservers specified in the forwarders
option are queried first for the information, and if they do
not have it, named will attempt the
resolution itself.
If the only option is used,
named will not attempt the resolution
itself if the forwarders are not successful.
forwarders — Specifies a list of
nameservers where requests should be forwarded for
resolution.
listen-on — Specifies the network
interface that named will use to listen for
queries. By default, all interfaces are used.
This option is useful if you have more than one network
interface and would like to limit the systems that can make
requests of your nameserver. For example, if you have a
machine serving as a gateway and a nameserver, and you would
like to block any requests except those that originate from
your private network, your listen-on option
might look like Figure 14-4.
In this way, only requests that arrive from the network
interface serving the private network
(10.0.1.1) will be accepted.
notify — Controls whether
named notifies the slave servers when a
zone is updated. The default is yes, but
you can set this to no, to prevent slaves from
being notified, or explicit, to only notify
servers in an also-notify list.
pid-file — Allows you to specify the
location of the process ID file created by
named when it starts.
statistics-file — Allows you to specify
the location of where the statistics file is written. By
default, named statistics are saved in
/var/named/named.stats.
Dozens of other options are also available, many of which rely
upon one another to work properly. See the BIND 9
Administrator Reference Manual for more details.
server — Defines particular options that
affect how named should act toward remote
nameservers, especially regarding notifications and zone transfers.
The transfer-format option controls whether one
resource records is send with each message
(one-answer) or multiple resource records are
sent with each message (many-answers). While
many-answers is more efficient, only newer BIND
nameservers understand it.
trusted-keys — Contains assorted public
keys used for DNSSEC. See the section called Security for an introduction to BIND
security.
view
"<view-name>" —
Creates special views that respond with a particular type of
information depending upon the host contacting the
nameserver. This allows some hosts to receive one answer regarding
a particular zone while other hosts receive totally different
information. Alternatively, certain zones may only be made
available to particular trusted hosts while non-trusted hosts may
still make queries for other zones.
Multiple views may be used, so long as their names are unique. The
match-clients option specifies the IP addresses
that apply to a particular view. Any option
statements may also be used within a view, overriding the global
options already configured for named. Most
view statements contain multiple
zone statements that apply to the
match-clients list. The order in which
view statements are listed is important, as the
first view statement that matches a particular
client's IP address is used.
See the section called Multiple Views for more information
about the view statement.
zone
"<zone-name>" —
Specifies particular zones for which this nameserver is
authoritative. The zone statement is primarily
used to specify the file containing the zone's configuration and
pass certain options about that zone to named
that override other global option statements used
in /etc/named.conf.
The name of the zone is important, as it is the default value
assigned to the $ORIGIN directive used in the
zone file and is appended to non-FQDNs. So, for example, if this
zone statement defines the namespace for
domain.com, you should use
domain.com as the
<zone-name> so
it will be placed at the end of hostnames used in the zone file.
The most common zone statement options include:
allow-query — Specifies the clients
that are allowed to request information about this zone. The
default is to allow all query requests.
allow-transfer — Specifies the slave
servers that are allowed to request a transfer of the zone's
information. The default is to allow all transfer requests.
allow-update — Specifies the hosts that
are allowed to dynamically update information in their
zone. The default is to deny all dynamic update requests.
 | Caution |
|---|
| | Be very careful about allowing hosts to update information
about their zone. Do not enable this option unless the host
specified is completely trusted. It is a much better idea to
have an administrator manually update the zone's records and
reload the named service, if possible.
|
file — Specifies the name of the file
in the named working directory (by default
/var/named) that contains the zone's
configuration data.
masters — Used if the zone is defined
as a slave type. The masters
option tells a slave's named the IP
address(es) from which to request authoritative zone
information.
notify — Works in a similar manner to
the notify option used with the
option statement.
type — Defines the type of zone. The
following types may be used:
forward — Tells the nameserver to
forward all requests for information about this zone to
other nameservers.
hint — A special type of zone that
is used to point to the root nameservers, which are used
to resolve queries when a zone is not otherwise known. You
should not need to configure a hint zone beyond the
default in /etc/named.conf.
master — Designates this nameserver
as authoritative for this zone. A zone should be set as
the master type if you have the zone's
configuration files on this system.
slave — Designates this nameserver
as a slave server for this zone, telling
named to request the zone's
configuration files from the master nameserver's IP
address for that zone.
zone-statistics — Tells
named to keep statistics concerning this
zone, writing them to either the default location
(/var/named/named.stats) or the place
specially designated by the statistics-file
option in the server statement, if it exists.
Most changes to the /etc/named.conf file of a
master or slave nameserver concerns adding, modifying, or deleting
zone statements. While these zone
statements can contain many options, most nameservers use few of
them. The following zone statements are very basic
examples that may be used in a master-slave nameserver relationship.
A zone statement on a primary nameserver hosting
the domain domain.com may look like
Figure 14-5.
This zone statement names the zone
domain.com, sets the
type as master, tells
named to read the
/var/named/domain.com.zone file to configure
the zone, and to allow no updates by any other hosts.
A slave server's zone statement for
domain.com might look like Figure 14-6.
This zone statement tells named
on the slave server to look to the
192.168.0.1 master server to find
out the configuration information for the zone called
domain.com. The information the
slave server receives from the master server is saved in the
/var/named/domain.com.zone file.
Zone files, which contain information about a
particular namespace, are stored in the named
working directory. By default, this is
/var/named. Each zone file is named according to
the file option data in the zone
statement, usually in a way that relates to the domain in question and
identifies the file as containing zone data, such as
example.com.zone.
Each zone file may contain directives and resource
records. Directives tell the nameserver to do a
certain thing or apply a special setting to the
zone. Resource records define the parameters of
the zone, assigning an identity within the zone's namespace to
particular systems. Directives are optional, but resource records are
required to provide nameservice to that zone. All directives and
resource records should go on their own lines.
Comments can be placed after semicolon characters
(;) in zone files.
Directives are identified by the leading
$ character before the name of the
directive and usually placed at the top of the zone file.
The following directives are the most commonly used:
$INCLUDE — Tells named
to include another zone file in this zone file at the place
where the directive is used. This allows additional zone
settings to be stored apart from the main zone file.
$ORIGIN — Sets the domain name to be
appended to any unqualified records, such as those that only
specify the host and nothing more.
For example, a zone file may contains the following line:
At this point, any names that are used in resource records and
do not end in a trailing dot
(.) will have this domain name
added to them. So, in other words, when the zone record is read
by the nameserver, the first line below will be interpreted as
the second line:
ftp IN CNAME server1
ftp.domain.com. IN CNAME server1.domain.com. |
 | Note |
|---|
| | The use of the $ORIGIN directive is
unnecessary if you name the zone in
/etc/named.conf the same as the value you
would assign to $ORIGIN. The zone's name is
used as the $ORIGIN directive's value by
default.
|
$TTL — Sets the default Time
to Live (TTL) value for the zone. This is the
number, in seconds, given to nameservers that tells how long the
zone's resource records should continue to be valid. A resource
record can contains its own TTL value, which would override this
directive.
Increasing this value tells remote nameservers to cache this
zone's information for a longer time. This reduces the number of
queries made concerning this zone, but it also lengthens the
amount of time required to proliferate resource record changes.
Zone file resource records contain columns of data, separated by
whitespace, that define the record. All zone file resource records
are assigned a particular type, which designates the record's
purpose. The following types of resource records are the most
commonly used:
A — Address record, which specifies an IP
address to assign to a name.
If the <host>
value is omitted, then an A record points to a
default IP address for the top of the namespace. This system
will be the target of all non-FQDN requests.
Consider the following A record examples for
the domain.com zone file:
Requests for domain.com are
pointed to 10.0.1.3, while requests for
server1.domain.com are pointed
to 10.0.1.5.
CNAME — Canonical name record, which
tells the nameserver that one name is also known as another.
In Figure 14-9, any requests sent to
the <alias-name> will
point to the host named
<real-name>.
CNAME records are most commonly used to point
services that use a common naming scheme to the correct host.
Consider the example in Figure 14-10,
where an A record sets a particular hostname to
an IP address and a CNAME record points the
commonly used www hostname to
it.
MX — Mail eXchange record, which tells
where mail sent to a particular namespace controlled by this
zone should go.
In Figure 14-11, the
<preference-value>
allows you to numerically rank the email servers you would
prefer to receive email for this namespace, giving preference to
some email systems over others. The MX resource
record with the lowest
<preference-value> is
preferred over the others, but you can set multiple email
servers with the same value to distribute email traffic between
them.
The
<email-server-name>
may be a hostname or FQDN, as long as it points to the correct
system.
In this example, the first
mail.domain.com email server is
preferred to the
mail2.domain.com email server
when receiving email destined for the
domain.com domain.
NS — NameServer record, which announces
the authoritative nameservers for a particular zone.
The <nameserver-name>
should be a FQDN.
In Figure 14-14, two nameservers are
listed as authoritative for a domain. It is not important
whether these nameservers are slaves or if one is a master; they
are both still considered authoritative.
PTR — PoinTeR record, designed to point
to another part of the namespace.
PTR records are primarily used for reverse name
resolution, as they point IP addresses back to a particular
name. See the section called Reverse Name Resolution Zone Files
for more examples of PTR records in use.
SOA — Start Of Authority record,
proclaiming important authoritative information about the
namespace to the nameserver.
Located after the directives, an SOA record is
the first resource record in a zone file.
The @ symbol places the
$ORIGIN directive (or the zone's name, if the
$ORIGIN directive is not set) as the namespace
being defined by this SOA resource record. The
primary nameserver that is authoritative for this domain is used
for the
<primary-name-server>,
and the email of the person to contact about this namespace is
substituted for the
<hostmaster-email>.
The
<serial-number>
is incremented every time you change the zone file so that
named will know that it should reload this
zone. The
<time-to-refresh>
tells any slave servers how long to wait before asking the
master nameserver if any changes have been made to the zone. The
<serial-number>
value is used by the slave to determine if it is using outdated
zone data and should refresh it.
The
<time-to-retry>
tells the slave nameserver the interval to wait before issuing
another refresh request, if the master nameserver is not
answering. If the master has not replied to a refresh request
before the
<time-to-expire>
elapses, the slave stops responding as an authority for requests
concerning that namespace.
The
<minimum-TTL>
requests that other nameservers cache the zone's information for
at least this amount of time.
With BIND, all times refer to seconds. However, you can also use
abbreviations for other units of time other than seconds, such
as minutes (M), hours (H),
days (D), and weeks (W). The
table in Table 14-1 shows an amount of
time in seconds and the equivalent time in another format.
Table 14-1. Seconds compared to other time units | Seconds | Other Time Units |
|---|
| 60 | 1M | | 1800 | 30M | | 3600 | 1H | | 10800 | 3H | | 21600 | 6H | | 43200 | 12H | | 86400 | 1D | | 259200 | 3D | | 604800 | 1W |
The following example demonstrates how a basic
SOA resource record might look.
Seen individually, the directives and resource records can be
difficult to grasp. However, everything makes much more sense when
it is placed together in a common file.
In Figure 14-17, a very basic zone file
is shown.
In this example, standard directives and SOA values
are used. The authoritative nameservers are set to be
dns1.domain.com and
dns2.domain.com, which have
A records that tie them to
10.0.1.2 and
10.0.1.3, respectively.
The email servers configured with the MX records
point to server1 and
server2 via CNAME
records. Since the server1 and
server2 names do not end in a
trailing dot (.), the
$ORIGIN domain is placed after them, expanding them
to server1.domain.com and
server2.domain.com. Through the related
A resource records, their IP addresses can be
determined.
The popular FTP and Web services, available at the standard
ftp.domain.com and
www.domain.com names, are pointed
toward machines providing the appropriate services for those names
using CNAME records.
A reverse name resolution zone file is used to translate an IP
address in a particular namespace into a FQDN. It looks very similar
to a standard zone file, except that PTR resource
records are used to link the IP addresses to a certain system's name.
A PTR record is written in a manner similar to
Figure 14-18.
The
<last-IP-digit>
relates to the last number in an IP address that should point to a
particular system's FQDN.
In Figure 14-19, IP addresses
10.0.1.20 through
10.0.1.25 are pointed to
corresponding FQDNs.
This zone file would be called into service with a
zone statement in the
/etc/named.conf file that looks similar to
Figure 14-20.
There is very little difference between this example an a standard
zone statement, except for how the zone is
named. Note that a reverse name resolution zone requires the first
three blocks of the IP address to be reversed and
".in-addr.arpa" to be included
after them. This allows the single block of IP numbers used in the
reverse name resolution zone file to be correctly attached with this
zone.
|
|
|
|
|
|
|
|
Disclaimer: For authoritative source or latest update to this
documentation, please refer to http://www.redhat.com/docs/manuals/linux/ |
|
 |
|
|
|
Quotes: There are many ways of going forward, but there is only one way of standing still.
|
|
|
|
|
|
|
