Опубликован: 06.08.2012 | Уровень: специалист | Доступ: платный
Лекция 21:

The Domain Name Service

Upgrading a Version 4 configuration

What we've seen so far applies to Versions 8 and 9 of named. The previous version was Version 4 (don’t ask what happened to 5, 6 and 7; until Version 9 came along, there were rumors that the next version would be 16). Version 8 of named introduced a completely new configuration file format. If you have an existing DNS configuration from Version 4, the main configuration file will be called /etc/named.boot or /etc/named/named.boot. You can convert it to the named.conf format with the script/usr/sbin/named-bootconf:

# named-bootconf </etc/namedb/named.boot> /etc/namedb/named.Conf

Looking up DNS information

You can use dig, host or nslookup to look up name information. It’s largely a matter of preference which you use, but you should note that nslookup uses the resolver interface, which can result in you getting different results from what your name server would get. The output format of dig gets on my nerves, so I use host. Others prefer dig because it formulates the queries exactly the same way the name server does, and its output is more suited as input to named. For example, the command dig@a.root-servers.net.axfr produces a named.root file that named understands. We'll look briefly at host. Here are some examples:

$ host hub.freebsd.org                                 look up an A record
hub.freebsd.org has address 216.136.204.18
hub.freebsd.org mail is handled (pri=10) by mx1.freebsd.org
$ host 216.136.204.18                                  perform a reverse lookup
18.204.136.216.IN-ADDR.ARPA domain name pointer hub.freebsd.org
$ host ftp.freebsd.org                                 another one
ftp.freebsd.org is a nickname for ftp.beastie.tdk.net  this is a CNAME
ftp.beastie.tdk.net has address 62.243.72.50           and the corresponding A record
ftp.beastie.tdk.net mail is handled (pri=20) by mail-in1.inet.tele.dk
ftp.beastie.tdk.net mail is handled (pri=30) by mail-in2.inet.tele.dk
$ host -v -t soa freebsd.org                           Get an SOA record
Trying null domain
rcode = 0 (Success), ancount=1
The following answer is not authoritative:
freebsd.org            3066  IN SOA  ns0.freebsd.org hostmaster.freebsd.org(
                                     103031602  ; serial (version)
                                     1800       ; refresh period
                                     900        ; retry refresh this often
                                     604800     ; expiration period
                                     1800       ; minimum TTL
                      )
For authoritative answers, see:
freebsd.org            3066  IN NS   ns0.freebsd.org
freebsd.org            3066  IN NS   ns1.iafrica.com
freebsd.org            3066  IN NS   ns1.downloadtech.com
freebsd.org            3066  IN NS   ns2.downloadtech.com
Additional information:
ns0.freebsd.org       92727  IN A    216.136.204.126
ns1.iafrica.com       92727  IN A    196.7.0.139
ns1.downloadtech.com  92727  IN A    170.208.14.3
ns2.downloadtech.com  92727  IN A    66.250.75.2
ns2.iafrica.com       22126  IN A    196.7.142.133

There are a number of things to look at in the last example:

  • We used the -v (verbose) option to get more information.
  • Note the message Trying null domain. This comes because the name supplied was not a fully qualified domain name: the period at the end was missing. Host decides that it looks like a fully qualified name, so it doesn’t append a domain name to the name.
  • The local name server at example.org already had the SOA record for FreeBSD.org in its cache; as a result, it didn’t need to ask the name server that was authoritative for the zone. Instead, it tells you that the answer was not authoritative and tells you where you can get a valid answer.
  • The output is in pretty much the same format as we discussed earlier in the chapter, but there are some numbers in front of IN in all the resource records. These are the time-to-live values for each individual record, in seconds. You can put these in the zone files, too, if you want, and they'll override the TTL value for the zone. In this printout, they specify how long it will be before the cached entry expires. Try it again and you'll see that the value is lower.

To get an answer from one of the authoritative name servers, we simply specify its name at the end of the request:

$ host -v -t soa freebsd.org.ns0.freebsd.org. 
host -v -t soa freebsd.org.ns0.sd.org.
Using domain server:
Name: ns0.freebsd.Org
Addresses: 216.136.204.126
rcode = 0 (Success), ancount=1
freebsd.org  3600  IN SOA  ns0.freebsd.org hostmaster.freebsd.org(
                           103031602  ; serial (version)
                           1800       ; refresh period 
                           900        ; retry refresh this often
                           604800     ; expiration period
                           180        ; minimum TTL
)

This time we specified the names as FQDNs, so the message about the null domain no longer appears. Also, the TTL value is now the correct value for the record, and it won't change. Apart from that, the only difference is the missing message that the answer is not authoritative. The rest of the printout is the same.

You can also use the -t option to look for a specific record:

$ host -t mx freebsd.org.            get the MX records
freebsd.org mail is handled (pri=10) by mx1.freebsd.org
$ host -t hinfo hub.freebsd.org.     get HINFO records
$ host -t hinfo freefall.freebsd.org. 
freefall.freebsd.org host information Intel FreeBSD

These invocations don't use the -v (verbose) option, so they're much shorter. In particular, hub.freebsd.org doesn’t have any HINFO records, so we got no output at all.

Checking DNS for correctness

Several programs are available for diagnosing DNS configuration problems. They're outside the scope of this book, but if you're managing large DNS configurations, take a look at the collection at http://www.isc.org/.

DNS security

named was written at a time when the Internet was run by gentlemen. In the last few years, a relatively large number of security issues have been found in it. The FreeBSD project fixes these problems quickly, and you can expect that the version you get will have no known security issues. That can change, though: keep an eye on the security advisories from the FreeBSD project and update your name server if necessary.

Ян Иванюк
Ян Иванюк
Россия, Санкт-Петербург