Notes for Week 11
Domain Name Service is our example of a directory service. It is the service which translates alphanumerical names into IP addresses.
domain - part of the Internet namespace tree; "." (the root domain), "edu",
"uc.edu" and "rwc.uc.edu" are all domains; linux265.rwc.uc.edu is a domain name but not a domain:
Here is a list of the top-level country domains.
domain names are bound to IP addresses; such an association is a binding; IP addresses
are a list, domain names form a tree and DNS provides the bindings from a leaf on the tree to an address in the list
Fully Qualified Domain Name (FQDN) - name of a host on the Internet, ending with a period
zone - that part of name space which has been delegated to a particular server; that
server is authoritative for that zone
Queries are answered by responses, which contain resource records.
Queries can be
- recursive, in which case a single query should return the
required response, and the server is responsible for asking other servers if necessary;
- not recursive, in which case the resolver (the client-side DNS software
which queries servers) must find out which server is authoritative and then ask it.
Responses can be authoritative, coming from an authoritative server, or not,
coming from a caching server.
They can also be truncated, which means that not all
of the information available from the server fits in the 512 byte limit.
Resource records can be
- A or address records, providing the IP address of an FQDN;
- NS records, which describe name servers to go to for more information;
- PTR or "pointer" records, which provide the FQDN associated with an IP address; or
- CNAME records, which provide "canonical names", or aliases.
provide a time for which the data is to be trusted (the Time-To-Live). If a domain name does not exist,
the response is NXDOMAIN: non-existant domain.
Name servers can be:
- root, have responsibility for the root zone;
- primary (or master), having authoritative responsibility for a zone;
- secondary (or slave), having backup responsibility for a zone; and
- caching, having no authority, but relaying DNS data from authoritative servers.
Primary and secondary servers can also be caching servers for zones for which they are not
A lookup for anything less than an FQDN results in multiple queries until one (or none) is successful.
The first query
is for the name as requested. Each subsequent query is for that name followed by
"search domains" (as specified in resolv.conf - see below), and finally by the local domain.
For instance, if the local domain is "lab265" and the search domains are "rwc.uc.edu" and "uc.edu",
the lookup of "mickey.mouse" would involve queries for:
Note that a search for "mickey.mouse." would only involve the first lookup.
The use of search domains is discouraged, since it can result in excessive waits for DNS lookups.
Reverse queries (or pointer queries) are formed by reversing the octets of the IP address and appending
the domain "in-addr.arpa". Hence a reverse query for 18.104.22.168 would be:
You can also perform this query using dig -x 22.214.171.124 (dig is a souped-up version of NSLOOKUP in Windows).
DNS uses UDP port 53, except for zone transfers from a primary to a secondary server,
in which case it uses TCP port 53.
Configuration files for client resolver:
- /etc/hosts - specifies known hosts in a static file
- /etc/resolv.conf - specifies one or more name servers, and search domains
- /etc/host.conf - specifies lookup order on older systems
- /etc/nsswitch.conf - specifies lookup order, and whether NIS is used
named is the DNS daemon (Bind is the package, named is the program).
named has been installed in a chroot jail located in /srv/named. The directories
and files installed in /srv/named permit named to be run with /srv/named as its root directory;
during operation, nothing in the filesystem above /srv/named is visible to the server software.
This means that if named is compromised, the hacker has no access to any other directory or file
on the system.
EXERCISES for Week 11:
Start named using /etc/rc.d/init.d/bind start. Examine the tail of the system log file using
tail -n200 /var/log/sys.log.
Test your server using dig @127.0.0.1 www.uc.edu. Examine the resource records.
Using the information in the week 10 notes, add firewall rules to permit
access to your DNS server from other PCs in the lab, for both TCP and UDP (DNS is port 53). Re-run your firewall script and test
access to your server from other stations:
dig @server-ip -t AXFR domain can be used to test access through TCP after we reconfigure named.
Modify your /etc/resolv.conf file to only use your name server.
Modify your /etc/inittab file so that runlevel 4 is the default. This will cause named (as well as apache and samba)
to be started each time you boot.
Recall from our discussion in weeks 1, 2 and 5 that
in our distribution, there are two copies of inittab: one on the root filesystem, and one on the /var
filesystem, and that these two must agree. Changing the one in /var is easy; to change the one on /:
- mount --bind / /mnt
- mount -wo remount /mnt
- sed -i /mnt/etc/inittab -e 's/3:initdef/4:initdef/'
- umount /mnt
The first mount allows you to access the partition containing the root partition at /mnt, without the
links to /var. The second mount allows you to write to the root partition at /mnt (it does not affect the
read-only mount at /). The sed changes the default runlevel from 3 to 4, and the final umount removes
our access to the root partition through /mnt.
©2015, Kenneth R. Koehler. All Rights Reserved. This document may be freely reproduced provided that this copyright notice is included.
Please send comments or suggestions to the author.