Network: DNS: setting up a dns server

(last edit: 2002-05-18)

Introduction

In this document I will try to give an example of how to set up a DNS server. Most of this information comes from the 'FreeBSD handbook' (the printed version). The default FreeBSD DNS daemon is called 'named' and it is part of the 'bind' port (/usr/ports/bind8). The dir '/etc/namedb' is the place where named searches for its configuration files / zone files. The following files are of interest for us and we will create/edit them along the way:
  • named.conf
  • db.example.org
  • example.org-reverse
  • localhost.rev
In this document I will explain how to create/edit these files to configure a DNS server which operates on a local network and queries two outside DNS servers if it doesn't know the answer itself. Here is a schema of the network:

                 /-----------------------\
                 |     The internet      |
                 \-----------------------/
                             |
                             |
                  |--------------------|
                  | DNS server/gateway |
                  |   ns.example.org   |
                  |    192.168.1.1     |
                  |--------------------|
                             |
                             |
       |-------------------------------------------------|
       |                                                 |
|-----------------|                           |------------------|
|      Host       |                           |       Host       |
| sun.example.org |                           | moon.example.org |
|  192.168.1.100  |                           |  192.168.1.101   |
|-----------------|                           |------------------|

named.conf

This file is by default in the dir /etc/namedb and we only have to edit it. Here is an example of how it should look:
---
options {
        directory "/etc/namedb";
        forwarders {
                [dns-server 1];
                [dns-server 2];
        };
        query-source address * port 53;
};

zone "." {
        type hint;
        file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "localhost.rev";
};

zone "example.org" {
        type master;
        file "db.example.org";
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "example.org-reverse";
};
---
Here is what all of this means:

forwarders
    This is a semicolon-separated list of DNS servers (don't forget the semicolon after the last one). If your DNS server doesn't know the answer it will ask these servers.

query-source address
    With this option you can force the DNS server to send its own queries from a specific address and port; this is useful when the server sits behind a firewall.

zone "."
    This zone is for the top level domains; the file 'named.root' contains the root servers (their addresses haven't changed for years, so you don't have to edit this file).

zone "example.org"
    This specifies the file in which the DNS server can find the information about the domain 'example.org'.

zone "1.168.192.in-addr.arpa"
    This zone is used for reverse DNS lookups. As you might notice, the IP address is written backwards and the last octet is missing. This is a work-around for a 'chicken and egg' kind of problem: how does a DNS server know which server holds the information it is looking for? It resolves the IP address and queries the authoritative server, but how can it query that server? By resolving its host name. You see, this is a little problem, and that is why this approach was chosen. I won't go any deeper, because it is not necessary to know for setting up the DNS server.
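The two mistakes that bite most people in this file are a forgotten semicolon (typically after the last forwarder) and an unbalanced brace; named then refuses to load and the only hint is a line in /var/log/messages. The checker below is an added example, not part of the original page or of the bind port: it tokenises the named.conf subset shown above, reports the first missing ';' or unbalanced '{' together with the statement it belongs to, and lists each zone's type and file. SAMPLE_NAMED_CONF is constructed for this example with one semicolon deliberately missing; the forwarder addresses are documentation addresses, not real servers.

```python
"""Added example: syntax checker for the named.conf subset used on this page.
SAMPLE_NAMED_CONF is constructed (one ';' deliberately missing);
192.0.2.x are documentation addresses, not real name servers."""
import re

SAMPLE_NAMED_CONF = """\
options {
        directory "/etc/namedb";
        forwarders {
                192.0.2.53;
                192.0.2.54
        };
        query-source address * port 53;
};
zone "." { type hint; file "named.root"; };
zone "0.0.127.IN-ADDR.ARPA" { type master; file "localhost.rev"; };
zone "example.org" { type master; file "db.example.org"; };
zone "1.168.192.in-addr.arpa" { type master; file "example.org-reverse"; };
"""
FIXED_NAMED_CONF = SAMPLE_NAMED_CONF.replace("192.0.2.54\n", "192.0.2.54;\n")

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def tokenize(text):
    """Drop /* */, // and # comments, then split into words, quoted strings and { } ; ."""
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)
    text = re.sub(r'(//|#).*', ' ', text)
    return TOKEN_RE.findall(text)

def parse(tokens):
    """Parse tokens into statements (words, children); children is the list of
    statements inside a { } block, or None.  Raises ValueError on a missing ';'
    or an unbalanced brace, naming the statement where it happened."""
    pos = 0

    def block():
        nonlocal pos
        stmts = []
        while pos < len(tokens) and tokens[pos] != '}':
            words, children = [], None
            while pos < len(tokens) and tokens[pos] not in ('{', ';', '}'):
                words.append(tokens[pos])
                pos += 1
            if pos < len(tokens) and tokens[pos] == '{':
                pos += 1
                children = block()
                if pos >= len(tokens) or tokens[pos] != '}':
                    raise ValueError(f"unbalanced '{{' in '{' '.join(words)}'")
                pos += 1
            if pos >= len(tokens) or tokens[pos] != ';':
                raise ValueError(f"missing ';' after '{' '.join(words)}'")
            pos += 1
            stmts.append((words, children))
        return stmts

    stmts = block()
    if pos != len(tokens):
        raise ValueError("unexpected '}'")
    return stmts

def zones(stmts):
    """{zone name: (type, file)} taken from the parsed top-level statements."""
    found = {}
    for words, children in stmts:
        if len(words) >= 2 and words[0] == 'zone' and children is not None:
            opts = {w[0]: ' '.join(w[1:]).strip('"') for w, _ in children if w}
            found[words[1].strip('"')] = (opts.get('type'), opts.get('file'))
    return found

def check(text):
    """Return (problems, zones).  A syntax error yields one problem and no zones."""
    try:
        stmts = parse(tokenize(text))
    except ValueError as err:
        return [str(err)], {}
    problems = []
    found = zones(stmts)
    if '.' not in found:
        problems.append("no hint zone for '.': the server cannot find the root servers")
    for name, (ztype, zfile) in found.items():
        if ztype is None or zfile is None:
            problems.append(f"zone {name}: needs both a type and a file")
    return problems, found

if __name__ == '__main__':
    for label, conf in (('sample', SAMPLE_NAMED_CONF), ('fixed', FIXED_NAMED_CONF)):
        problems, found = check(conf)
        print(label, problems or 'OK', sorted(found))
```

Run it against the real file with `check(open('/etc/namedb/named.conf').read())` before restarting named; the zone listing doubles as a quick check that every zone file you intend to serve is actually referenced.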

db.example.org

This is the zone file for your domain. Here is an example:
---
$TTL    86400
example.org.    IN      SOA     ns.example.org. admin.example.org. (
                        2001220201      ; Serial (YYYYDDMM plus 2 digit serial)
                        86400           ; refresh (1 day)
                        7200            ; retry (2 hours)
                        8640000         ; expire (100 days)
                        86400 )         ; minimum (1 day)
                IN      NS      ns.example.org.
                IN      MX      10 mail.example.org.
ns              IN      A       192.168.1.1
sun             IN      A       192.168.1.100
moon            IN      A       192.168.1.101
maan            IN      CNAME   moon
---
Unlike in most configuration files, comments in zone files are marked with semicolons instead of hashes!!! Note the dot behind each fully qualified domain name (ns.example.org., admin.example.org., ...): this dot HAS to be there and it is a common mistake to forget it.

$TTL
    This is the default time to live; it should be in here.

SOA
    This is short for Start Of Authority and it should be followed by the host name of the originating name server and the e-mail address of the administrator of the DNS server. As you might notice, there is no at sign in the e-mail address. This is because the at sign has a different meaning here, so the first dot is replaced by the at sign whenever the address is needed.

Serial
    This is the serial number for this zone; it should be increased each time something has been changed. A good structure for the serial number is YYYYDDMM plus 2 digits. This means the year in 4 digits followed by the day, the month and a sequence number. The latter is useful when you update the zone file more than once on a day.

IN NS ns.example.org.
    This tells the DNS server that 'ns.example.org' is authoritative for this zone. In this case the authoritative DNS server is in the same domain (example.org) as the domain it is authoritative for.

Here's an example of a more realistic zone:
---
$TTL    86400
mydomain.org.   IN      SOA     ns.example.org. admin.example.org. (
                        2001220201      ; Serial (YYYYDDMM plus 2 digit serial)
                        86400           ; refresh (1 day)
                        7200            ; retry (2 hours)
                        8640000         ; expire (100 days)
                        86400 )         ; minimum (1 day)
                IN      NS      ns.example.org.
                IN      MX      10 mail.example.org.
mydomain.org.   IN      A       211.211.211.211
www             IN      A       212.212.212.212
db              IN      A       213.213.213.213
---
As you can see, an MX record and an entry for the domain name itself (without subdomain) have been added to this example. The example.org name server is still in here because it is the authoritative DNS server.
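Because named silently appends the origin to any name without a trailing dot, a forgotten dot does not produce an error: the zone loads, and 'ns.example.org' quietly becomes 'ns.example.org.example.org.'. The checker below is an added example, not code from the page or from the bind port. It parses zone files in the layout used above (folding the multi-line SOA), flags dotted targets that lack the trailing dot, flags NS/MX/CNAME targets inside the zone that have no A record, and computes the next serial in the page's YYYYDDMM+NN scheme. SAMPLE_ZONE is constructed from the page's first example with the dot deliberately missing after the NS target; as on the page, the MX target has no A record, which the checker also reports.

```python
"""Added example: lint a zone file in the layout used on this page.
SAMPLE_ZONE is constructed (one trailing dot deliberately missing after
the NS target; the MX target mail.example.org has no A record)."""
import re
from datetime import date

SAMPLE_ZONE = """\
$TTL    86400
example.org.    IN      SOA     ns.example.org. admin.example.org. (
                        2001220201      ; Serial (YYYYDDMM plus 2 digit serial)
                        86400           ; refresh (1 day)
                        7200            ; retry (2 hours)
                        8640000         ; expire (100 days)
                        86400 )         ; minimum (1 day)
                IN      NS      ns.example.org
                IN      MX      10 mail.example.org.
ns              IN      A       192.168.1.1
sun             IN      A       192.168.1.100
moon            IN      A       192.168.1.101
maan            IN      CNAME   moon
"""

def parse_zone(text, origin):
    """Return (default_ttl, records); records are (owner, type, rdata_tokens)
    with the owner expanded to a fully qualified name ending in a dot."""
    lines = [re.sub(r';.*', '', line) for line in text.splitlines()]
    logical, buf, depth = [], [], 0
    for line in lines:                      # fold "( ... )" continuation lines
        buf.append(line)
        depth += line.count('(') - line.count(')')
        if depth == 0:
            logical.append(' '.join(buf))
            buf = []
    ttl, records, last_owner = None, [], origin
    for line in logical:
        if not line.strip():
            continue
        toks = line.replace('(', ' ').replace(')', ' ').split()
        if toks[0] == '$TTL':
            ttl = int(toks[1])
            continue
        if line[0].isspace():               # blank owner field: reuse the previous owner
            owner = last_owner
        else:
            owner = toks.pop(0)
            if owner == '@':
                owner = origin
            elif not owner.endswith('.'):
                owner = owner + '.' + origin
        if toks[0] == 'IN':
            toks.pop(0)
        records.append((owner, toks[0], toks[1:]))
        last_owner = owner
    return ttl, records

def check_zone(text, origin):
    """Lint a zone file; returns a list of problems (empty means clean)."""
    ttl, records = parse_zone(text, origin)
    problems = []
    if ttl is None:
        problems.append("missing $TTL")
    if sum(1 for r in records if r[1] == 'SOA') != 1:
        problems.append("zone needs exactly one SOA record")
    a_hosts = {owner for owner, rtype, _ in records if rtype == 'A'}

    def in_zone(name):
        return name == origin or name.endswith('.' + origin)

    for _, rtype, rdata in records:
        # rdata fields that are names: SOA mname/rname, NS/CNAME/PTR target, MX exchange
        targets = {'SOA': rdata[:2], 'MX': rdata[1:2], 'NS': rdata[:1],
                   'CNAME': rdata[:1], 'PTR': rdata[:1]}.get(rtype, [])
        for target in targets:
            fqdn = target if target.endswith('.') else target + '.' + origin
            # a dotted name without a trailing dot is almost always a forgotten dot
            if '.' in target and not target.endswith('.'):
                problems.append(f"{rtype} target '{target}' has no trailing dot; "
                                f"named will read it as {fqdn}")
            elif rtype in ('NS', 'MX', 'CNAME') and in_zone(fqdn) and fqdn not in a_hosts:
                problems.append(f"{rtype} target {fqdn} has no A record in this zone")
    return problems

def serial_of(text, origin):
    """The SOA serial of a zone file, as an int."""
    for _, rtype, rdata in parse_zone(text, origin)[1]:
        if rtype == 'SOA':
            return int(rdata[2])
    raise ValueError("no SOA record")

def next_serial(current, today):
    """Next serial in the page's YYYYDDMM + 2-digit sequence scheme: the same
    day bumps the sequence, a new day restarts it at 01; never goes backwards."""
    todays_first = int(today.strftime('%Y%d%m')) * 100 + 1
    return max(current + 1, todays_first)

if __name__ == '__main__':
    for problem in check_zone(SAMPLE_ZONE, 'example.org.'):
        print('*', problem)
    print('next serial:', next_serial(serial_of(SAMPLE_ZONE, 'example.org.'), date.today()))
```

The origin is passed in explicitly (with its trailing dot) because the file itself does not contain it; named takes it from the zone statement in named.conf, so use the same name here.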

example.org-reverse

This file is used for reverse lookups:
---
$TTL    86400
@       IN      SOA     ns.example.org. admin.example.org. (
                        2001220200      ; Serial (date, 2 digits version)
                        86400           ; refresh (1 day)
                        7200            ; retry (2 hours)
                        8640000         ; expire (100 days)
                        86400 )         ; minimum (1 day)
        IN      NS      ns.example.org.
100     IN      PTR     sun.example.org.
101     IN      PTR     moon.example.org.
---
PTR
    PTR stands for Pointer. The owner is the last octet of the address (100, 101); the rest of the address is already given by the zone name 1.168.192.in-addr.arpa, and the record points back to the host name.

localhost.rev

This file just maps 127.0.0.1 to localhost:
---
$TTL    3600
@       IN      SOA     ns.example.org. admin.example.org. (
                        2001220200      ; Serial
                        3600            ; Refresh
                        900             ; Retry
                        3600000         ; Expire
                        3600 )          ; Minimum
        IN      NS      ns.example.org.
1       IN      PTR     localhost.example.org.
---
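Both reverse files (example.org-reverse above and localhost.rev) follow the same rule: the zone name is the network part of the address written backwards under in-addr.arpa, and each PTR owner is the remaining host part. Keeping the reverse zone in step with the forward zone by hand is where stale entries creep in, so the added example below (not code from the page or the bind port) derives the reverse zone name from a network, generates the PTR records from a host-to-address map like the one in db.example.org, renders a reverse zone in the page's layout, and compares an existing reverse file against the forward data. HOSTS uses the page's addresses; STALE_REVERSE is a constructed reverse file with one outdated and one missing entry.

```python
"""Added example: build and cross-check reverse (in-addr.arpa) zones.
HOSTS mirrors the A records of the page's db.example.org; STALE_REVERSE is
constructed to contain one outdated PTR and to miss one host."""
import ipaddress

HOSTS = {'ns.example.org.': '192.168.1.1',
         'sun.example.org.': '192.168.1.100',
         'moon.example.org.': '192.168.1.101'}

STALE_REVERSE = """\
$TTL 86400
@   IN  SOA ns.example.org. admin.example.org. ( 2001220200 86400 7200 8640000 86400 )
    IN  NS  ns.example.org.
100 IN  PTR sun.example.org.
101 IN  PTR mars.example.org.     ; constructed stale entry
"""

def reverse_zone_name(network):
    """'192.168.1.0/24' -> '1.168.192.in-addr.arpa.' (network octets reversed,
    host octets dropped).  Only /8, /16 and /24 map onto a single in-addr.arpa zone."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("need an IPv4 /8, /16 or /24 network")
    octets = str(net.network_address).split('.')[:net.prefixlen // 8]
    return '.'.join(reversed(octets)) + '.in-addr.arpa.'

def ptr_records(network, hosts):
    """{PTR owner label: fqdn} for the hosts inside the network.  The label is the
    host part of the address, reversed (for a /24 just the last octet)."""
    net = ipaddress.ip_network(network, strict=True)
    kept = net.prefixlen // 8
    out = {}
    for fqdn, ip in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            continue                        # belongs in some other reverse zone
        if not fqdn.endswith('.'):
            raise ValueError(f"{fqdn}: PTR target must be fully qualified (trailing dot)")
        label = '.'.join(reversed(str(addr).split('.')[kept:]))
        if label in out:
            raise ValueError(f"{ip} already points at {out[label]}")
        out[label] = fqdn
    return out

def render_reverse_zone(network, hosts, ns, admin, serial, ttl=86400):
    """Emit a reverse zone file in the layout used on this page."""
    lines = [f"$TTL\t{ttl}",
             f"@\tIN\tSOA\t{ns} {admin} (",
             f"\t\t\t{serial}\t; Serial",
             "\t\t\t86400\t; refresh (1 day)",
             "\t\t\t7200\t; retry (2 hours)",
             "\t\t\t8640000\t; expire (100 days)",
             f"\t\t\t{ttl} )\t; minimum",
             f"\tIN\tNS\t{ns}"]
    for label, fqdn in ptr_records(network, hosts).items():
        lines.append(f"{label}\tIN\tPTR\t{fqdn}")
    return '\n'.join(lines) + '\n'

def existing_ptrs(reverse_text):
    """{owner label: target} pulled from the PTR lines of an existing reverse zone."""
    found = {}
    for line in reverse_text.splitlines():
        toks = line.split(';')[0].split()
        if 'PTR' in toks:
            found[toks[0]] = toks[toks.index('PTR') + 1]
    return found

def mismatches(network, hosts, reverse_text):
    """{label: (what the reverse file says, what the forward data says)} for every
    host whose PTR is missing or points at the wrong name."""
    want, have = ptr_records(network, hosts), existing_ptrs(reverse_text)
    return {lbl: (have.get(lbl), fqdn) for lbl, fqdn in want.items() if have.get(lbl) != fqdn}

if __name__ == '__main__':
    print('zone', reverse_zone_name('192.168.1.0/24'))
    print('mismatches', mismatches('192.168.1.0/24', HOSTS, STALE_REVERSE))
    print(render_reverse_zone('192.168.1.0/24', HOSTS, 'ns.example.org.',
                              'admin.example.org.', 2001220201))
```

The zone name the function produces ('1.168.192.in-addr.arpa.') is what has to appear in the zone statement in named.conf; for localhost.rev the same rule on 127.0.0.0/24 gives '0.0.127.in-addr.arpa.' with owner label 1.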

Starting the DNS server

So now you have created/edited all the necessary config files and want to start your server. You can do this by hand by typing in (as root) '/usr/sbin/named'. Now check /var/log/messages for errors. If your server runs without errors, change the '/etc/resolv.conf' file to match the following:
---
domain example.org
nameserver 192.168.1.1
---
Now start nslookup and query your server for one of the names in your zone file (sun.example.org, for instance). If all this works you'll probably want to start the DNS server automatically when your server boots. Put the following lines in '/etc/rc.conf':
---
named_enable="YES"
named_program="/usr/sbin/named"
named_flags="-u bind -g bind"
---
Make sure the user and group 'bind' exist. If you don't start named with this user/group it will be started as root:wheel (need I explain why you shouldn't do this?).

Well, that should be all. If you have questions you can try i_dont_get_it@lowlife.org and if we have time and you said please we'll answer >;-)
