Notes for Week 11

Domain Name Service is our example of a directory service. It is the service which translates alphanumerical names into IP addresses.

  1. Terms

  2. A lookup for anything less than an FQDN results in multiple queries until one (or none) is successful. The first query is for the name as requested. Each subsequent query is for that name followed by "search domains" (as specified in resolv.conf - see below), and finally by the local domain.

    For instance, if the local domain is "lab265" and the search domains are "" and "", the lookup of "mickey.mouse" would involve queries for:

    1. mickey.mouse
    4. mickey.mouse.lab265

    Note that a search for "mickey.mouse." would only involve the first lookup.

    The use of search domains is discouraged, since it can result in excessive waits for DNS lookups.

  3. Reverse queries (or pointer queries) are formed by reversing the octets of the IP address and appending the domain "". Hence a reverse query for would be:
    You can also perform this query using dig -x (dig is a souped-up version of NSLOOKUP in Windows).
  4. DNS uses UDP port 53, except for zone transfers from a primary to a secondary server, in which case it uses TCP port 53.
  5. Configuration files for client resolver:

  6. named is the DNS daemon (Bind is the package, named is the program). named has been installed in a chroot jail located in /srv/named. The directories and files installed in /srv/named permit named to be run with /srv/named as its root directory; during operation, nothing in the filesystem above /srv/named is visible to the server software. This means that if named is compromised, the hacker has no access to any other directory or file on the system.
  7. EXERCISES for Week 11:

    1. Start named using /etc/rc.d/init.d/bind start. Examine the tail of the system log file using tail -n200 /var/log/sys.log.
    2. Test your server using dig @ Examine the resource records.
    3. Using the information in the week 10 notes, add firewall rules to permit access to your DNS server from other PCs in the lab, for both TCP and UDP (DNS is port 53). Re-run your firewall script and test access to your server from other stations:

      • dig @your-partner's-IP-address
      • dig @your-partner's-IP-address
      • dig @your-partner's-IP-address +trace

        Do the last one from multiple PCs and cross check the results. What do you notice about the order of the resource records in the answer and authority sections? (See question 3 in the Question and Answer chapter of the DNS HOWTO.)

      dig @server-ip -t AXFR domain can be used to test access through TCP after we reconfigure named.

    4. Modify your /etc/resolv.conf file to only use your name server.
    5. Modify your /etc/inittab file so that runlevel 4 is the default. This will cause named (as well as apache and samba) to be started each time you boot.
      Recall from our discussion in weeks 1, 2 and 5 that in our distribution, there are two copies of inittab: one on the root filesystem, and one on the /var filesystem, and that these two must agree. Changing the one in /var is easy; to change the one on /:

      1. mount --bind / /mnt
      2. mount -wo remount /mnt
      3. sed -i /mnt/etc/inittab -e 's/3:initdef/4:initdef/'
      4. umount /mnt

      The first mount allows you to access the partition containing the root partition at /mnt, without the links to /var. The second mount allows you to write to the root partition at /mnt (it does not affect the read-only mount at /). The sed changes the default runlevel from 3 to 4, and the final umount removes our access to the root partition through /mnt.

©2015, Kenneth R. Koehler. All Rights Reserved. This document may be freely reproduced provided that this copyright notice is included.

Please send comments or suggestions to the author.