"server" is the name of the name server, and "lab265" is the name of the zone.
In the example files below, the pieces that correspond to each other are tied together by the server's IP address, which is 192.168.1.150 in the examples. When you substitute your own server, every 150 in those files (the last octet in the A and PTR records and in the allow-transfer list, and the c150 alias) must be changed to match the last octet of your IP address. All punctuation is required, the trailing dots on fully qualified names in particular, and the SOA (Start of Authority) and PTR resource records start in column 1: a record that begins with whitespace has no owner name of its own and inherits the owner of the record above it, which is how the NS record attaches to the zone origin.
The named.conf file installed on your system configures named as a caching server, with only a reverse lookup for 127.0.0.1 (defined in /srv/named/etc/namedb/pz/127.0.0). That reverse zone is mandatory for system operation, and should not be altered, except as follows:
- the string "ns" must be changed to "server";
- the string "local.domain" must be changed to "lab265".
The statistics file is /var/run/named.stats, and the hints file (containing IP addresses for the root DNS servers) is /srv/named/etc/namedb/root.hints.
The following files are sample zone files, which you will create (modified as per the exercises below). The first is the forward zone for lab265; its file name is the one given in the zone statement in named.conf. Comments begin with ";" and run to the end of the line.

@       86400   IN  SOA server.lab265. root.server.lab265. (
                        1       ; serial
                        8H      ; refresh
                        2H      ; retry
                        1W      ; expire
                        1D )    ; minimum TTL
;
; Start of Authority record begins each zone file
;
; 86400 is this record's time to live (how long a client resolver may cache it), in seconds
;
; "root.server.lab265." means "root@server.lab265", the e-mail address for questions about the zone
;
; 1 = serial #, used by a secondary server to check whether updates have been made
;   (increase it every time you edit the file, or secondaries will never reload)
; 8H = 8 hours, how often a secondary server attempts to refresh its data from the primary
; 2H = 2 hours, how long to wait before retrying a failed refresh
; 1W = 1 week, how long a secondary keeps serving the data if no refresh has succeeded
; 1D = 1 day, the minimum TTL: how long answers from this server can be trusted without
;   checking again; current servers (RFC 2308) use this field as the negative-caching
;   TTL and take the default TTL of the other records from a $TTL line at the top of
;   the file, warning if that line is absent
;
                NS      server.lab265.
;
; NS record specifies the name of the name server (present in each zone file)
;
localhost       A       127.0.0.1
linux265        A       192.168.1.1
server          A       192.168.1.150
c150            CNAME   server
;
; the server A record describes the host "server.lab265" (lab265 from named.conf)
;
; need one A record for each host + localhost (mandatory)
; need one CNAME record for each alias (optional)
;
In general it is bad practice to serve reverse lookups for any address other than 127.0.0.1 unless they are needed, for instance by services that authenticate a client by checking that its reverse and forward records agree, because a reverse zone hands out the name of every host on your network. The second sample file is the reverse zone for 192.168.1.0/24, whose zone name is 1.168.192.in-addr.arpa; the owner names 1 and 150 are the last octets of the addresses, relative to that zone, and every PTR target must be written with its trailing dot:

@       86400   IN  SOA server.lab265. root.server.lab265. ( 1 8H 2H 1W 1D )
                NS      server.lab265.
1               PTR     linux265.lab265.
150             PTR     server.lab265.
;
; this pointer record is for 192.168.1.150 - can have one per host
;
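On a real system, named-checkzone lab265 <file> is the check to run before reloading named. The following is an added example, not part of the course page or of BIND, that does the same checks offline for the two sample zone files above: it qualifies names the way named does ("@" is the origin, a trailing dot means absolute, anything else gets the origin appended) and reports the mistakes the page warns about. The sample zone text is copied from the page; the reverse zone origin 1.168.192.in-addr.arpa is the standard reverse name for 192.168.1.0/24, and BROKEN_ZONE is a constructed "before the fix" file in which the NS target lost its trailing dot and the alias points at a host with no A record.

```python
"""Offline checker for the lab zone files (added example; not BIND's code)."""
import re

RR_TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "PTR", "MX", "TXT"}
CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"^\d+[smhdwSMHDW]?$")

FORWARD_ZONE = """\
@       86400   IN  SOA server.lab265. root.server.lab265. (
                        1       ; serial
                        8H      ; refresh
                        2H      ; retry
                        1W      ; expire
                        1D )    ; minimum TTL
                NS      server.lab265.
localhost       A       127.0.0.1
linux265        A       192.168.1.1
server          A       192.168.1.150
c150            CNAME   server
"""

REVERSE_ZONE = """\
@       86400   IN  SOA server.lab265. root.server.lab265. ( 1 8H 2H 1W 1D )
                NS      server.lab265.
1               PTR     linux265.lab265.
150             PTR     server.lab265.
"""

# Constructed "before the fix" file: NS target without its dot, alias to a host with no A.
BROKEN_ZONE = """\
@       86400   IN  SOA server.lab265. root.server.lab265. ( 1 8H 2H 1W 1D )
                NS      server.lab265
localhost       A       127.0.0.1
server          A       192.168.1.150
c150            CNAME   www
"""

def qualify(name, origin):
    """'@' is the origin, a trailing dot means absolute, anything else gets the
    origin appended; a forgotten dot therefore yields server.lab265.lab265."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def _logical_lines(text):
    """Strip ';' comments and join the physical lines of a parenthesised SOA."""
    out, buf, depth = [], [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0]
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            joined = " ".join(buf).replace("(", " ").replace(")", " ")
            if joined.strip():
                out.append(joined)
            buf, depth = [], 0
    return out

def parse_zone(text, origin):
    """Return (owner, type, rdata tokens) triples with owners fully qualified.
    A record starting in column 1 names its owner; one starting with whitespace
    inherits the owner of the record above it."""
    records, last_owner = [], origin
    for raw in _logical_lines(text):
        tokens = raw.split()
        if tokens[0].startswith("$"):          # $TTL / $ORIGIN directives: not used here
            continue
        if raw[0].isspace():
            owner = last_owner
        else:
            owner = last_owner = qualify(tokens.pop(0), origin)
        while tokens and tokens[0] not in RR_TYPES and (TTL_RE.match(tokens[0]) or tokens[0] in CLASSES):
            tokens.pop(0)                      # optional TTL and class, either order
        if not tokens or tokens[0] not in RR_TYPES:
            raise ValueError(f"unrecognised record: {raw.strip()!r}")
        records.append((owner, tokens[0], tokens[1:]))
    return records

def check_zone(records, origin):
    """Return a list of problems; an empty list means the file is clean."""
    problems = []
    doubled = "." + origin.rstrip(".") + "." + origin   # e.g. ".lab265.lab265."
    owners = {}
    for owner, rtype, _ in records:
        owners.setdefault(rtype, set()).add(owner)
    if not records or records[0][1] != "SOA" or records[0][0] != origin:
        problems.append("first record must be the SOA of the zone origin")
    if origin not in owners.get("NS", set()):
        problems.append("no NS record at the zone origin")
    for owner, rtype, rdata in records:
        if rtype == "SOA" and not all(f.endswith(".") for f in rdata[:2]):
            problems.append("SOA primary server and mailbox must end with a dot")
        if rtype == "PTR" and not rdata[0].endswith("."):
            problems.append(f"PTR for {owner} lacks the trailing dot on {rdata[0]}")
        if rtype in ("NS", "CNAME"):
            target = qualify(rdata[0], origin)
            if target.endswith(doubled):
                problems.append(f"{rtype} target {rdata[0]} is missing its trailing dot (named reads it as {target})")
            elif target.endswith(origin) and target not in owners.get("A", set()):
                problems.append(f"{rtype} target {target} has no A record in the zone")
        if rtype == "CNAME" and any(o == owner and t != "CNAME" for o, t, _ in records):
            problems.append(f"{owner} has a CNAME and other data")
    return problems

if __name__ == "__main__":
    for label, text, origin in (("forward", FORWARD_ZONE, "lab265."),
                                ("reverse", REVERSE_ZONE, "1.168.192.in-addr.arpa."),
                                ("broken", BROKEN_ZONE, "lab265.")):
        print(label, check_zone(parse_zone(text, origin), origin) or "OK")
```

Run as a script it reports OK for both sample files and two problems for the broken one. The doubled-origin test is the useful part: a missing dot does not make named reject the file, it quietly produces the name server.lab265.lab265, and lookups that depend on that record then fail.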
In the examples above, the A record for server is such a binding in the zone lab265.
The zone statement for the forward zone in named.conf:

zone "lab265" {
    type master;
    file "lab265";
    allow-transfer { 192.168.1.150; };
    notify no;
};

allow-transfer restricts zone transfers (AXFR) to the listed address, here the server itself; without it, anyone who can reach port 53 can transfer the whole zone and obtain the complete list of your hosts. notify no stops named from sending NOTIFY messages to the zone's name servers when the zone changes, which is appropriate while there is no secondary server.
Do an ls -R /srv/named/ before and after each of the last two commands to see where the data is stored. Examine the data.
Using the length firewall rule we discussed previously, implement and test a new firewall rule designed to restrict buffer overflow exploits in Bind by dropping any query packets which are too long.
Remember to subtract 14 bytes for the Ethernet header when you create the firewall rules: a length rule examines the IP packet, whereas the frame sizes you see in a packet capture include the Ethernet header. The largest possible domain name (see RFC 1035) is 255 bytes in its encoded form, so a standard query for such a name carries the 12-byte DNS header, the 255-byte name and 4 bytes of query type and class. Hosts within your domain, which can use your DNS server as a caching server for external addresses, may legitimately ask for names that long, so you would need to allow lookups up to the maximum length. Bear in mind that resolvers using EDNS0 append an OPT record to every query, so a rule sized for a bare RFC 1035 query will also drop their traffic; test the rule against a real client, and remember that it only removes oversized packets, not malformed ones that fit within the limit.
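To size the rule, it helps to see where the numbers come from. The following added example (not the course's rule, and not BIND's code) builds a wire-format query as RFC 1035 section 4.1 describes it, then adds the UDP and IPv4 headers to obtain the length an IP-layer length match sees, and the Ethernet header to obtain the frame size a capture shows. It assumes plain IPv4 without options and untagged Ethernet, so the header sizes are the fixed 20, 8 and 14 bytes; the padded packet at the end is a constructed oversize query, not a real exploit.

```python
"""Packet-size arithmetic for the over-long DNS query rule (added example)."""
import struct

ETHERNET_HDR, IPV4_HDR, UDP_HDR, DNS_HDR = 14, 20, 8, 12   # assumed fixed header sizes
MAX_NAME_WIRE = 255     # RFC 1035 2.3.4: encoded name, length bytes + labels + root
MAX_LABEL = 63

def encode_name(name):
    """Encode 'server.lab265' as length-prefixed labels ending in a zero byte,
    enforcing the label (63) and total name (255) limits."""
    out = bytearray()
    for label in (l for l in name.rstrip(".").split(".") if l):
        raw = label.encode("ascii")
        if len(raw) > MAX_LABEL:
            raise ValueError(f"label longer than {MAX_LABEL}: {label!r}")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > MAX_NAME_WIRE:
        raise ValueError(f"name exceeds {MAX_NAME_WIRE} octets on the wire")
    return bytes(out)

def build_query(name, qtype=1, txid=0x1234, edns=False):
    """Standard recursive A query: header, one question and, if edns is set, the
    empty OPT record (11 bytes) that RFC 6891 resolvers add to every query."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # class IN
    opt = struct.pack("!BHHIH", 0, 41, 4096, 0, 0) if edns else b""  # root, OPT, 4096-byte UDP
    return header + question + opt

def ip_length(dns_payload):
    """Length an IP-layer length match compares against (no Ethernet header)."""
    return IPV4_HDR + UDP_HDR + len(dns_payload)

def frame_length(dns_payload):
    """Length of the same packet as a frame in an Ethernet capture."""
    return ETHERNET_HDR + ip_length(dns_payload)

def longest_legal_query(edns=False):
    """A query for a 255-octet name: three 63-byte labels and one of 61 bytes."""
    return build_query(".".join(["a" * 63, "b" * 63, "c" * 63, "d" * 61]), edns=edns)

def drop_threshold(allow_edns=False):
    """Largest IP-layer length a legitimate single-question query can have;
    anything longer is what the firewall rule should drop."""
    return ip_length(longest_legal_query(edns=allow_edns))

def would_drop(dns_payload, threshold):
    """Decision the length rule makes for one query packet."""
    return ip_length(dns_payload) > threshold

if __name__ == "__main__":
    q = build_query("server.lab265")
    print("server.lab265 query:", len(q), "DNS bytes,", ip_length(q), "IP bytes,",
          frame_length(q), "bytes on the wire")
    print("drop above", drop_threshold(), "bytes (no EDNS) or",
          drop_threshold(True), "bytes (EDNS) at the IP layer")
    # constructed oversize packet: a normal query padded with 300 filler bytes
    print("padded query dropped:", would_drop(q + b"\x90" * 300, drop_threshold()))
```

The largest legal query without EDNS0 is 271 bytes of DNS payload, 299 bytes at the IP layer and 313 bytes on the wire; with the OPT record it grows to 310 bytes at the IP layer, which is the difference between a rule that works in the lab and one that breaks every modern resolver behind it.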
©2015, Kenneth R. Koehler. All Rights Reserved. This document may be freely reproduced provided that this copyright notice is included.
Please send comments or suggestions to the author.