These documents are a work in progress. This one was last updated
.
I've still got a bunch to add.
External DNS Configuration
To get things up and running I had to first get DNS set up.
DNS maps human-readable names (e.g. www.sun.com) to machine-readable IP addresses.
All of the domains I have are registered with register.com. They allow me to manage how I want my DNS to be set up and, as part of the annual fee, host DNS for me. As far as the internet is concerned they are my only DNS server. I then play some tricks inside of the firewall to allow things to work internally. I'll admit that this may not be the world's best setup but it does work and is fairly easy to understand and implement.
The most important part of my external DNS configuration is that I have an "*" entry for all of my domains. That is, I configured my DNS at register.com so that if a naming request comes in for "blech.xigole.net" (one of the domains I host), it resolves to the same IP address that Sprint assigned me. In fact all my domains have the same setup. Additionally, their "MX" records (more on that in a moment) go to "smtp.<domainname>". Confused? Ok, here's the xigole.net configuration:
| hostname | IP address |
|---|---|
| www.xigole.net | the one I got from Sprint Broadband |
| *.xigole.net | also the one I got from Sprint Broadband |
But what the heck is an MX record? It is the mail exchange record of DNS. When sending mail an MTA (mail transfer agent, a program that accepts mail from one place and transfers it to another) will look up the MX record for the domain that the mail is destined for and try to contact that host to deliver the mail. It's actually a little more complicated than that, in that MX records have a "preference" rating or number tied to them. The lower the number, the more an MTA should prefer that host to deliver mail to. In a large corporation this is used for load balancing and, more importantly, failover. You might have many MX records for your company. The one with the lowest number will almost always route your mail. But if that system goes down or gets overloaded, an MTA is allowed to pick another one based on the preference. Given that I have a grand total of one IP address (from the perspective of the internet) I don't have any secondary MX records.
xigole.net's MX record points to "smtp.xigole.net" which, because of the "*" entry in the register.com DNS record, really goes to the IP that Sprint assigned me. Why did I separate out the MX record from the rest if every request for xigole.net goes to the exact same IP address, regardless of the host name? I don't know. I guess I figure that it is more traditional to have a different hostname for the MX record. I could just as easily have made it point to "www.xigole.net" or even just "xigole.net". It doesn't hurt the way it is.
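The preference and failover behaviour described above, as an added example that is not code from this page: a small model of how an MTA orders a domain's MX set and falls through to the next host when the preferred one is down. The multi-MX set for "example.net" is constructed; the single-MX set mirrors the page's own situation, where there is nothing to fail over to.

```python
"""MX preference and failover as an MTA applies it. Added example, not code
from the page; the example.net MX set below is constructed."""
import random
from itertools import groupby

# Constructed MX set: lower preference is tried first; two hosts share
# preference 20 the way a large site would for load balancing.
SAMPLE_MX = [
    (20, "mx2.example.net."),
    (10, "mx1.example.net."),
    (20, "mx3.example.net."),
    (30, "backup.example.net."),
]

# The page's own situation: a single MX, so there is nothing to fail over to.
XIGOLE_MX = [(10, "smtp.xigole.net.")]


def mx_delivery_order(records, rng=None):
    """Return hostnames in the order an MTA should attempt delivery:
    ascending preference, with equal-preference hosts shuffled so that
    they share the load rather than always hitting the same one."""
    rng = rng or random.Random()
    ordered = []
    for _pref, group in groupby(sorted(records), key=lambda r: r[0]):
        hosts = [host for _, host in group]
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def deliver(records, is_reachable, rng=None):
    """Walk the MX list until a host accepts the connection.
    Returns (host_used, hosts_skipped); host_used is None when every MX
    is down, which is when a real MTA queues the message and retries later."""
    skipped = []
    for host in mx_delivery_order(records, rng):
        if is_reachable(host):
            return host, skipped
        skipped.append(host)
    return None, skipped


if __name__ == "__main__":
    # Simulate the primary being down: delivery falls through to preference 20.
    host, skipped = deliver(SAMPLE_MX, lambda h: h != "mx1.example.net.")
    print(f"delivered via {host}, skipped {skipped}")
```

The failover path is the one to keep in mind from a defensive angle: whatever policy (relay restrictions, filtering) the preferred host enforces has to be enforced identically on every lower-preference host, because a sender is entitled to skip straight to them.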
Internal DNS configuration
I use BIND for my internal DNS, running on my firewall. BIND is a pretty ancient program but has a usable configuration. My DNS configuration is a combination caching and authoritative setup. Basically the internal DNS knows how to resolve IP addresses for anything internal and asks Sprint's DNS servers for anything else. So internally, if my BIND server gets a request for "www.xigole.net" it knows that it is the authoritative server for that domain (well, it thinks it is). It replies with "192.168.1.2" since that is where my web server is running. If I ask for www.sun.com it relays the request to the Sprint DNS servers and then returns the answer. It's important to note that I don't allow DNS requests into the firewall. As far as the outside world is concerned register.com takes care of all DNS queries for my domains.
Building BIND
BIND is very easy to build in the default configuration. It has a standard "configure" script that gets pretty much everything set up. After the configure step, run make and then make install. That's the easy part.
Configuring bind
BIND is honestly not that bad, but it is still a system with fairly bizarre configuration files. In a BIND configuration file you will constantly be asking yourself, does this entry end in a dot or not? (A name that ends in a dot is taken as-is; one that doesn't gets the zone's origin appended to it.) It is still way more difficult than it needs to be, but works nonetheless.
The first file you need to worry about isn't even on your server and doesn't come with the BIND distribution or the operating system. Huh? You need to first get the "root" name server file. To do this, you need to have ftp access through your firewall. Again, I use ncftp so this isn't a problem. To get the root name server file, you will need to ftp it from ftp.rs.internic.net (I'm sorry that you have to interact with the world class idiots at Verisign but it's a very brief time :). Get the file /domain/named.root from them (or follow this link). It is a very small file, currently a little less than 3K. This file serves as the basis for your DNS configuration. The named.root file has several entries like this:
```
.                        3600000   IN  NS  A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000       A   198.41.0.4
```
What this is telling BIND is where to find one or more "root" name servers. A root name server is used when your upstream name server doesn't know how to resolve a particular name. This will become a little clearer as I go along.
For my configuration I host several domains internally. The reality is that they almost all point to the same IP address, but the pattern will be the same for larger networks too. I want the forward resolution (name to IP address) to work for any of my domains. I mostly use this to learn and to test. I also want reverse resolution (IP address to name) to work.
The first file you actually have to change is /etc/named.conf. This file is one of the simplest to configure. Here is what mine looks like. I haven't included all the domains, but the pattern is exactly the same for any number of domains. Comments in named.conf start with // (it is the zone files further down that use a semi-colon; in named.conf a semi-colon ends a statement, so a semi-colon "comment" here would be a syntax error).

```
// This defines an "ACL" or access control list. In my case I will only allow hosts
// within my internal network or localhost to access my name server. This is extra
// insurance that only I can use my name server
acl "xigole" { 192.168.1.0/24; 127.0.0.0/8; };

// This defines some options for the name server. The directory entry defines the directory
// in which all the other files below will live. The most important entry is the forwarders
// entry. For my setup I have the IP address of the primary and secondary DNS Sprint Broadband
// servers (in my case they are the ones for the Denver Colorado area). Anything that my DNS
// server can't resolve (i.e. anything that isn't local) will be forwarded to these servers for
// resolution. Lastly, I only allow queries to my DNS server from the "xigole" ACL (as defined
// above).
options {
    directory "/var/named";
    pid-file "/var/named/named.pid";
    forwarders {
        24.221.208.5;
        24.221.192.5;
    };
    allow-query { "xigole"; };
};

// This is where I use the named.root file downloaded from ftp.rs.internic.net. This
// file has to live in the directory specified by the "directory" directive above,
// which is /var/named in my configuration
zone "." IN {
    type hint;
    file "named.root";
};

// For the seriously retentive (like me), I created a reverse mapping for 127.0.0.0/8,
// i.e. to map to "localhost". This and the other maps are shown below.
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "127.0.0.rev";
};

// This defines the forward resolution for the xigole.net domain
zone "xigole.net" IN {
    type master;
    file "xigole.net.zone";
};

// This defines the forward resolution for the xigole.org domain
zone "xigole.org" IN {
    type master;
    file "xigole.org.zone";
};

// This map contains the reverse mapping for my internal network
zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.1.rev";
};
```
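How named evaluates the "xigole" ACL against a client, as an added example that is not code from this page: BIND address match lists are tested in order, the first matching element decides, and a leading "!" turns an element into a deny. The client addresses are constructed. The example goes a little beyond the page's own ACL by also showing the ordering pitfall with a negated element.

```python
"""BIND address-match-list evaluation. Added example, not the page's code; it
models how named checks a client against allow-query. Client addresses are
constructed. Also shows the "!" negation element and first-match-wins ordering."""
import ipaddress

# The page's ACL:  acl "xigole" { 192.168.1.0/24; 127.0.0.0/8; };
XIGOLE_ACL = ["192.168.1.0/24", "127.0.0.0/8"]

# Ordering pitfall: the deny element is never reached because the /24 matches first.
WRONG_ORDER = ["192.168.1.0/24", "!192.168.1.50"]
# Correct: list the exception before the broader element it is carved out of.
RIGHT_ORDER = ["!192.168.1.50", "192.168.1.0/24"]


def acl_allows(match_list, client_ip):
    """Return True if client_ip is accepted by the address match list.
    Elements are CIDR strings; a leading "!" makes the element a deny.
    Elements are tested in order and the first match decides; an address
    matching no element is denied."""
    client = ipaddress.ip_address(client_ip)
    for element in match_list:
        negate = element.startswith("!")
        net = ipaddress.ip_network(element.lstrip("!"), strict=False)
        if client.version == net.version and client in net:
            return not negate
    return False


def query_decisions(match_list, clients):
    """Map each client address to "answer" or "refuse", i.e. what the server
    would do with a query from that address under allow-query."""
    return {ip: ("answer" if acl_allows(match_list, ip) else "refuse")
            for ip in clients}


if __name__ == "__main__":
    # 24.221.208.5 is one of the page's upstream forwarders; it is outside the
    # ACL, so a query arriving from it would be refused, which is the point.
    print(query_decisions(XIGOLE_ACL, ["192.168.1.7", "127.0.0.1", "24.221.208.5"]))
```

Two things worth knowing about allow-query on a forwarding server like this one: in BIND 9.4 and later, when only allow-query is set, allow-recursion inherits the same list, so this ACL is also what stops the server from recursing on behalf of outside clients (the page's firewall blocks inbound port 53 as well, which is the better control); and a deny element placed after the network it is meant to exclude, as in WRONG_ORDER above, silently does nothing.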
The next file is the incredibly useful reverse map for the 127.0.0.0/8 network, a.k.a. localhost. It looks like this:
```
$TTL 86400
; SOA rec
; both names in the SOA end in a dot so they are absolute, not relative to the zone origin
@       IN      SOA     localhost. root.localhost. (
                        2001070730      ; serial number
                        10800           ; refresh every 3 hours
                        10800           ; retry every 3 hours
                        604800          ; expire after a week
                        86400 )         ; ttl of 1 day
; name servers
@       IN      NS      localhost.
; The only really useful line in this file is this one. It defines what a
; request for 127.0.0.1 will return - localhost
1       IN      PTR     localhost.
```
Next is a map that is slightly more useful, the forward map for the xigole.net domain. This is the primary domain within my network and has forward maps for all of the hosts I have. An important piece of information is that my nameserver is running on a machine named "fish".
```
$TTL 1
; SOA rec
; both names in the SOA end in a dot so they are absolute, not relative to the zone origin
@               IN      SOA     fish.xigole.net. hostmaster.xigole.net. (
                                2001120700      ; serial number
                                10800           ; refresh every 3 hours
                                10800           ; retry every 3 hours
                                604800          ; expire after a week
                                86400 )         ; ttl of 1 day
; name servers
@               IN      NS      fish.xigole.net.
; hosts
localhost       IN      A       127.0.0.1
bullfrog        IN      A       192.168.1.1
turtle          IN      A       192.168.1.2
jetdirect       IN      A       192.168.1.3
; 4 is unused
fish            IN      A       192.168.1.5
;
; 6-29 are unassigned
;
; 30-40 are dhcp assigned
;
dhcp30          IN      A       192.168.1.30
dhcp31          IN      A       192.168.1.31
dhcp32          IN      A       192.168.1.32
dhcp33          IN      A       192.168.1.33
dhcp34          IN      A       192.168.1.34
dhcp35          IN      A       192.168.1.35
dhcp36          IN      A       192.168.1.36
dhcp37          IN      A       192.168.1.37
dhcp38          IN      A       192.168.1.38
dhcp39          IN      A       192.168.1.39
dhcp40          IN      A       192.168.1.40
;
; aliases
;
www             IN      CNAME   turtle.xigole.net.
;
; This one took me a while to figure out. I wanted something like "http://xigole.net/"
; to resolve internally. By having this entry, I can now have that and *.xigole.net
; resolve internally.
;
xigole.net.     IN      A       192.168.1.2
```
The xigole.org map is simpler. Again, xigole.net is the primary domain so I have most of the information in that file.
```
$TTL 1
; SOA rec
; both names in the SOA end in a dot so they are absolute, not relative to the zone origin
@               IN      SOA     fish.xigole.net. hostmaster.xigole.net. (
                                2001120700      ; serial number
                                10800           ; refresh every 3 hours
                                10800           ; retry every 3 hours
                                604800          ; expire after a week
                                86400 )         ; ttl of 1 day
; name servers
@               IN      NS      fish.xigole.net.
; hosts
localhost       IN      A       127.0.0.1
www             IN      A       192.168.1.2
xigole.org.     IN      A       192.168.1.2
```
Lastly is my reverse map.
```
$TTL 4
; SOA rec
@       IN      SOA     fish.xigole.net. hostmaster.xigole.net. (
                        2001070730      ; serial number
                        10800           ; refresh every 3 hours
                        10800           ; retry every 3 hours
                        604800          ; expire after a week
                        86400 )         ; ttl of 1 day
@       IN      NS      fish.xigole.net.
; hosts
1       IN      PTR     bullfrog.xigole.net.
2       IN      PTR     turtle.xigole.net.
3       IN      PTR     jetdirect.xigole.net.
; 4 is unused
5       IN      PTR     fish.xigole.net.
; 6-29 unused
;
; 30-40 are dhcp assigned
;
30      IN      PTR     dhcp30.xigole.net.
31      IN      PTR     dhcp31.xigole.net.
32      IN      PTR     dhcp32.xigole.net.
33      IN      PTR     dhcp33.xigole.net.
34      IN      PTR     dhcp34.xigole.net.
35      IN      PTR     dhcp35.xigole.net.
36      IN      PTR     dhcp36.xigole.net.
37      IN      PTR     dhcp37.xigole.net.
38      IN      PTR     dhcp38.xigole.net.
39      IN      PTR     dhcp39.xigole.net.
40      IN      PTR     dhcp40.xigole.net.
```
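Keeping the forward and reverse maps above in step is done by hand on this setup, and the two files drift apart easily. As an added example that is not the page's own tooling, here is a small parser for zone files in the format shown above, plus a check that every A record has a PTR and every PTR names a host that really has that address (the forward-confirmed reverse DNS test). The two zone texts are constructed, trimmed copies of the xigole.net and 192.168.1 zones with two defects planted on purpose: jetdirect's PTR is left out, and the PTR for .40 names "laptop" instead of "dhcp40".

```python
"""Forward/reverse zone consistency check. Added example, not the page's own
tooling. Parses BIND-format zone files like the ones above and reports A
records with no PTR, and PTR records whose target has no matching A record.
The zone texts are constructed, trimmed copies of the page's zones with two
deliberate defects (jetdirect has no PTR; .40's PTR says "laptop")."""
import ipaddress

FORWARD_ORIGIN = "xigole.net."
REVERSE_ORIGIN = "1.168.192.in-addr.arpa."

FORWARD_ZONE = """\
$TTL 1
@           IN  SOA  fish.xigole.net. hostmaster.xigole.net. (
                     2001120700   ; serial
                     10800 10800 604800 86400 )
@           IN  NS   fish.xigole.net.
localhost   IN  A    127.0.0.1
bullfrog    IN  A    192.168.1.1
turtle      IN  A    192.168.1.2
jetdirect   IN  A    192.168.1.3
fish        IN  A    192.168.1.5
dhcp40      IN  A    192.168.1.40
www         IN  CNAME turtle.xigole.net.
xigole.net. IN  A    192.168.1.2
"""

REVERSE_ZONE = """\
$TTL 4
@   IN  SOA  fish.xigole.net. hostmaster.xigole.net. (
             2001070730 10800 10800 604800 86400 )
@   IN  NS   fish.xigole.net.
1   IN  PTR  bullfrog.xigole.net.
2   IN  PTR  turtle.xigole.net.
5   IN  PTR  fish.xigole.net.
40  IN  PTR  laptop.xigole.net.   ; constructed mismatch: forward zone says dhcp40
"""

RECORD_TYPES = {"SOA", "NS", "A", "PTR", "CNAME"}


def _logical_lines(text):
    """Strip ';' comments and join records that span lines via ( ... )."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            joined = " ".join(buf).replace("(", " ").replace(")", " ").strip()
            buf = []
            if joined:
                out.append(joined)
    return out


def _fqdn(name, origin):
    """Resolve '@' and relative owner names against the zone origin (the dot rule)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner_fqdn, rtype, rdata_fields)] for every record in the zone text."""
    records = []
    for line in _logical_lines(text):
        if line.startswith("$"):        # $TTL / $ORIGIN directives carry no record
            continue
        fields = line.split()
        i = 1                           # skip optional TTL and class tokens
        while i < len(fields) and fields[i] not in RECORD_TYPES:
            i += 1
        if i < len(fields):
            records.append((_fqdn(fields[0], origin), fields[i], fields[i + 1:]))
    return records


def check_consistency(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return {'missing_ptr': [ip, ...], 'mismatched_ptr': [(ip, ptr_target), ...]}."""
    a_by_ip = {}
    for owner, rtype, rdata in parse_zone(fwd_text, fwd_origin):
        if rtype == "A" and not ipaddress.ip_address(rdata[0]).is_loopback:
            a_by_ip.setdefault(rdata[0], set()).add(owner)
    ptr_by_ip = {}
    for owner, rtype, rdata in parse_zone(rev_text, rev_origin):
        if rtype == "PTR":
            # "5.1.168.192.in-addr.arpa." -> "192.168.1.5"
            labels = owner.rstrip(".").split(".")[:-2]
            ptr_by_ip[".".join(reversed(labels))] = rdata[0]
    missing = sorted(ip for ip in a_by_ip if ip not in ptr_by_ip)
    mismatched = sorted((ip, target) for ip, target in ptr_by_ip.items()
                        if target not in a_by_ip.get(ip, set()))
    return {"missing_ptr": missing, "mismatched_ptr": mismatched}


if __name__ == "__main__":
    print(check_consistency(FORWARD_ZONE, FORWARD_ORIGIN, REVERSE_ZONE, REVERSE_ORIGIN))
```

The reason to care: log files and tools like tcpwrappers record or act on the name the PTR returns, and a PTR on its own is just a string the owner of the reverse zone chose. Only a name whose A record points back at the same address should be treated as identifying the host, which is exactly the mismatch this check flags.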
The only part that still needed to be done was configuring DNS on any machine that
didn't use DHCP to configure it. For me this is only one machine, my Solaris 8
Ultra 5. To configure Solaris (and many other Unix machines) for DNS there are two
things that you have to do. First you have to get /etc/resolv.conf
correctly set up. Additionally you have to modify /etc/nsswitch.conf
to tell it to use DNS.
Configuring resolv.conf is a little different for me because I have multiple local domains. But it's not a big deal. Mine looks like this:
```
# "search" overrides "domain" when both are present (the last one wins), so the
# two local domains below are what actually get appended to unqualified names
domain xigole.net
search xigole.net xigole.org
nameserver 192.168.1.5
```
The only thing interesting here is that I'm telling the system that xigole.net and xigole.org are both local. If you only had one domain you would have only one entry.
The final DNS client side configuration needed was to change /etc/nsswitch.conf so that any hostname lookups would, if needed, use DNS. The line:
```
hosts: files
```
was changed to:
```
hosts: files dns
```
to tell the system to use DNS if needed to resolve hostnames (/etc/hosts is consulted first, then DNS).