Network: DNS: setting up a dns server

(last edit: 2002-05-18)


In this document I will try to give an example of how to set up a DNS server. Most of this info comes from the 'FreeBSD handbook' (the printed version). The default FreeBSD DNS daemon is called 'named' (BIND 8); it is part of the base system, and a newer version can be installed from the ports tree as the bind8 port. The directory '/etc/namedb' is where named looks for its configuration file and zone files. The following files are of interest for us and we will create/edit them along the way:
  • named.conf
  • example-reverse
  • localhost.rev
In this document I will explain how to create/edit these files to configure a DNS server that serves a local network and forwards every query it cannot answer itself to two outside DNS servers. Here is a schema of the network:

            /-----------------------\
            |     The internet      |
            \-----------------------/
                        |
                        |
              |--------------------|
              | DNS server/gateway |
              |                    |
              |                    |
              |--------------------|
                        |
                        |
    |-------------------------------------------------|
    |                                                 |
|-----------------|                         |------------------|
|      Host       |                         |       Host       |
|                 |                         |                  |
|                 |                         |                  |
|-----------------|                         |------------------|


named.conf

This file is already in /etc/namedb by default, so we only have to edit it. Here is an example of how it should look:
---
options {
        directory "/etc/namedb";
        forwarders {
                [dns-server 1];
                [dns-server 2];
        };
        query-source address * port 53;
};

zone "." {
        type hint;
        file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "localhost.rev";
};

zone "" {
        type master;
        file "";
};

zone "" {
        type master;
        file "";
};
---
Here is what all of this means:
  • forwarders: a list of DNS servers, each entry terminated with a semicolon (don't forget the last one). If your DNS server doesn't know the answer it asks these servers first.
  • query-source address: forces named to send its own queries from a specific address and port, which is useful when the server sits behind a firewall that only passes port 53. Be aware that a fixed source port makes every outgoing query predictable, so an attacker who can guess the query ID has an easier time slipping a forged answer into the cache; leave the port unset unless the firewall really requires it.
  • zone ".": the hint zone for the root. The file 'named.root' lists the root name servers, which named asks when it has to resolve a name it has no other information about. The addresses change rarely, but refresh the file from time to time rather than never.
  • zone "" (the first one): the file in which the DNS server can find the information about the domain '', your own forward zone.
  • zone "" (the second one): the reverse zone, used for reverse lookups (address to name). You will notice that the IP address is written backwards and the last number is missing. The octets are reversed because DNS delegates names from right to left (the most significant label comes last) while an IP address is written with the most significant octet first; reversing the octets lets a whole network be delegated as one zone under IN-ADDR.ARPA. The last octet is left out because this zone covers a whole class C network: the first three octets name the zone and the host octet becomes the name of each PTR record inside it. You do not need to go deeper than this to set up the server.
named also accepts allow-query and allow-transfer statements in the options block; on a server that only serves the local network, restrict both to that network so outsiders can neither query it nor pull the whole zone with a zone transfer.

The zone file for your domain

This is the zone file for your domain. Here is an example:
---
$TTL 86400
        IN SOA   (
                2001022201 ; Serial (YYYYMMDD plus 2 digit sequence number)
                86400      ; refresh (1 day)
                7200       ; retry (2 hours)
                8640000    ; expire (100 days)
                86400 )    ; minimum (1 day)
        IN NS
        IN MX 10
ns      IN A
sun     IN A
moon    IN A
maan    IN CNAME moon
---
Unlike most configuration files, comments in zone files start with a semicolon, not a hash! Every fully qualified domain name in the file ends in a dot (the original marks that dot in bold). That dot HAS to be there: without it named appends the zone's own name to what you wrote, and forgetting it is the most common mistake in zone files.
  • $TTL: the default time to live for every record that does not carry its own; it has to be in here.
  • SOA: short for Start Of Authority. It is followed by the name of the primary name server for the zone and the e-mail address of the administrator of the DNS server. As you might notice there is no @ symbol in the e-mail address. The @ has a different meaning in a zone file (it stands for the zone's own name), so the @ of the address is written as a dot: the first dot in the mailbox is the @.
  • Serial: the serial number for this zone. It has to be increased each time something has been changed, because secondary servers compare it with their copy to decide whether to transfer the zone again, so it must always grow. A good structure for the serial number is YYYYMMDD plus 2 digits: the year in 4 digits, then the month, the day and a sequence number. The latter is useful when you update the zone file more than once a day. Keep the date in year-month-day order; with the day before the month the serial goes backwards at the start of every month and the secondaries stop updating.
  • IN NS: tells the DNS server that '' is authoritative for this zone. In this case the authoritative DNS server is in the same domain as the one it is authoritative for, which is why it also gets an A record in this zone (the 'ns' line).
Here's an example of a more realistic zone:
---
$TTL 86400
        IN SOA   (
                2001022201 ; Serial (YYYYMMDD plus 2 digit sequence number)
                86400      ; refresh (1 day)
                7200       ; retry (2 hours)
                8640000    ; expire (100 days)
                86400 )    ; minimum (1 day)
        IN NS
        IN MX 10
        IN A
www     IN A
db      IN A
---
As you can see, an MX record and an entry for the domain name itself (without a host part) have been added to this example. The name server entry is still in here because it is the authoritative DNS server for the zone.
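The rules above (the trailing dot, the dotted mailbox in the SOA, a serial that must keep growing, NS and MX targets that need an A record) are easy to get wrong by hand. Here is an added example, not code from the original page, of a small checker that applies them to a zone file laid out like the one above. The domain example.nl, its addresses and the mailbox name are assumptions made for the example; the sample zone is constructed and deliberately leaves the trailing dot off the MX target.

```python
# Added example, not from the original page: a checker for zone files
# laid out like the one above.  The domain example.nl, the addresses and
# the hostmaster mailbox are assumptions for the example.

# Constructed sample zone.  The MX target deliberately lacks its
# trailing dot, the most common zone-file mistake the text warns about.
SAMPLE_ZONE = """\
$TTL 86400
@       IN SOA  ns.example.nl. hostmaster.example.nl. (
                2001022201 ; Serial (YYYYMMDD plus 2 digit sequence number)
                86400      ; refresh (1 day)
                7200       ; retry (2 hours)
                8640000    ; expire (100 days)
                86400 )    ; minimum (1 day)
        IN NS   ns.example.nl.
        IN MX   10 mail.example.nl
ns      IN A    192.168.1.1
mail    IN A    192.168.1.2
sun     IN A    192.168.1.100
moon    IN A    192.168.1.101
maan    IN CNAME moon
"""


def qualify(name, origin):
    """The trailing-dot rule: '@' is the origin, a name ending in '.' is
    already fully qualified, anything else gets the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." + origin


def soa_email(rname):
    """Turn the SOA mailbox back into an address: the first dot stands for
    the '@' (hostmaster.example.nl. -> hostmaster@example.nl).  A dot
    inside the local part would have to be escaped with a backslash."""
    local, _, domain = rname.partition(".")
    return local + "@" + domain.rstrip(".")


def serial_increases(old, new):
    """RFC 1982 serial arithmetic: 'new' is newer than 'old' only if it is
    less than 2**31 steps ahead modulo 2**32.  A day-before-month date
    scheme fails this test at the start of every month."""
    return old != new and (new - old) % 2**32 < 2**31


def parse_zone(text, origin):
    """Return (default_ttl, [(owner, type, rdata_tokens), ...]).  Handles
    ';' comments, '( ... )' continuation lines, $TTL, the optional IN
    class and a blank owner that repeats the previous one."""
    logical, pending, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]            # strip the comment
        if not line.strip():
            continue
        if pending is None:                    # first physical line of a record
            pending = (line[0].isspace(), [])
        pending[1].extend(line.replace("(", " ").replace(")", " ").split())
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append(pending)
            pending = None
    ttl, records, last_owner = None, [], origin
    for indented, toks in logical:
        if toks[0] == "$TTL":
            ttl = int(toks[1])
            continue
        if indented:
            owner = last_owner
        else:
            owner, toks = qualify(toks[0], origin), toks[1:]
        last_owner = owner
        if toks[0] == "IN":
            toks = toks[1:]
        records.append((owner, toks[0], toks[1:]))
    return ttl, records


def lint_zone(text, origin, previous_serial=None):
    """Return a list of problems; an empty list means the zone passes."""
    problems = []
    ttl, records = parse_zone(text, origin)
    if ttl is None:
        problems.append("missing $TTL")
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1:
        problems.append("zone needs exactly one SOA record")
    else:
        rdata = soa[0][2]
        if "@" in rdata[1]:
            problems.append("SOA mailbox must use '.' in place of '@'")
        serial = int(rdata[2])
        if previous_serial is not None and not serial_increases(previous_serial, serial):
            problems.append("serial %d does not increase over %d" % (serial, previous_serial))
    if not any(r[1] == "NS" for r in records):
        problems.append("no NS record")
    a_names = {r[0] for r in records if r[1] == "A"}
    cnames = {r[0] for r in records if r[1] == "CNAME"}
    for owner, rtype, rdata in records:
        if rtype in ("NS", "MX"):
            target = qualify(rdata[-1], origin)   # last token is the host name
            if target in cnames:
                problems.append("%s target %s is a CNAME" % (rtype, target))
            elif target.endswith("." + origin) and target not in a_names:
                problems.append("%s target %s has no A record (missing trailing dot?)"
                                % (rtype, target))
    return problems


if __name__ == "__main__":
    for p in lint_zone(SAMPLE_ZONE, "example.nl.", previous_serial=2001022200):
        print("problem:", p)
```

Run as written it reports that 'mail.example.nl' became 'mail.example.nl.example.nl.' and therefore has no A record; adding the trailing dot makes the zone pass. Passing the serial you last loaded as previous_serial catches the backwards-serial case before the secondaries silently ignore the update.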

example-reverse

This file is used for reverse lookups; it is the file for the second zone "" in named.conf, the one whose name is the network part of the address written backwards under IN-ADDR.ARPA.
---
$TTL 86400
@       IN SOA   (
                2001022200 ; Serial (YYYYMMDD plus 2 digit sequence number)
                86400      ; refresh (1 day)
                7200       ; retry (2 hours)
                8640000    ; expire (100 days)
                86400 )    ; minimum (1 day)
        IN NS
100     IN PTR
101     IN PTR
---
  • @: stands for the zone's own name as given in named.conf, so you do not have to repeat the reversed network here.
  • PTR: stands for Pointer; a PTR record maps an address back to a name. The owner of each record is the host octet of the address (100, 101); named appends the zone's name to it, so the record for '100' answers lookups for the full reversed address under IN-ADDR.ARPA. The target is the host's fully qualified name, trailing dot included, and should be the same name that carries the A record in the forward zone.
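The relation between the forward zone and this file is mechanical: the reverse zone's name is the network part of the address reversed, each PTR owner is the host octet, and each PTR target should be the name whose A record has that address. Here is an added example, not code from the original page, that builds the reverse zone for a class C network from the forward A records and checks that the two directions agree (the check that spots a stale PTR after a host is renamed). The network 192.168.1 and the example.nl host names are assumptions made for the example; the forward data is constructed.

```python
# Added example, not from the original page: building and checking the
# reverse zone for a /24 (class C) network.  The network 192.168.1 and
# the example.nl names are assumptions for the example.

# Constructed forward data: fully qualified name -> address (A records).
FORWARD_A = {
    "ns.example.nl.":   "192.168.1.1",
    "sun.example.nl.":  "192.168.1.100",
    "moon.example.nl.": "192.168.1.101",
}


def reverse_name(ip):
    """Name looked up for a PTR query: all four octets reversed, under
    in-addr.arpa, fully qualified."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def reverse_zone_origin(network_prefix):
    """Name of the reverse zone for a /24, e.g. '192.168.1' ->
    '1.168.192.in-addr.arpa.'.  The host octet is left off because it
    becomes the owner name of each PTR record inside the zone."""
    return ".".join(reversed(network_prefix.split(".")[:3])) + ".in-addr.arpa."


def ip_from_reverse_name(name):
    """Inverse of reverse_name."""
    labels = name.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError("not an in-addr.arpa name: " + name)
    return ".".join(reversed(labels[:-2]))


def build_ptr_records(forward_a, network_prefix):
    """Return [(host_octet, target_name), ...] for every A record inside
    the /24, sorted by address.  Addresses outside the network belong in
    a different reverse zone and are skipped."""
    out = []
    for name, ip in forward_a.items():
        net, _, host = ip.rpartition(".")
        if net == network_prefix:
            out.append((host, name))
    return sorted(out, key=lambda rec: int(rec[0]))


def render_reverse_zone(forward_a, network_prefix, ns, mailbox, serial, ttl=86400):
    """Produce the reverse zone file text in the layout used above."""
    lines = [
        "$TTL %d" % ttl,
        "@\tIN SOA\t%s %s (" % (ns, mailbox),
        "\t\t%d ; Serial" % serial,
        "\t\t86400 ; refresh", "\t\t7200 ; retry",
        "\t\t8640000 ; expire", "\t\t86400 ) ; minimum",
        "\tIN NS\t%s" % ns,
    ]
    for host, name in build_ptr_records(forward_a, network_prefix):
        lines.append("%s\tIN PTR\t%s" % (host, name))
    return "\n".join(lines) + "\n"


def check_forward_reverse(forward_a, ptr):
    """ptr: reverse name -> target name, as served by the reverse zone.
    Every A record needs a PTR that points back to the same name, and
    every PTR needs an A record that points back to the same address."""
    problems = []
    for name, ip in forward_a.items():
        got = ptr.get(reverse_name(ip))
        if got != name:
            problems.append("%s (%s): PTR is %s" % (name, ip, got))
    for rname, name in ptr.items():
        ip = ip_from_reverse_name(rname)
        if forward_a.get(name) != ip:
            problems.append("PTR %s -> %s: no A record back to %s" % (rname, name, ip))
    return problems


if __name__ == "__main__":
    print(render_reverse_zone(FORWARD_A, "192.168.1", "ns.example.nl.",
                              "hostmaster.example.nl.", 2001022200), end="")
```

Generating the reverse file from the forward data, rather than editing both by hand, is the simplest way to keep the two in step; check_forward_reverse is what to run when you suspect they have drifted.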


localhost.rev

This file maps 127.0.0.1 back to localhost; it is the file for the 0.0.127.IN-ADDR.ARPA zone in named.conf.
---
$TTL 3600
@       IN SOA   (
                2001022200 ; Serial
                3600       ; Refresh
                900        ; Retry
                3600000    ; Expire
                3600 )     ; Minimum
        IN NS
1       IN PTR
---

Starting the DNS server

So now you have created/edited all the necessary config files and want to start your server. You can do this by hand by typing (as root) '/usr/sbin/named', or better '/usr/sbin/named -u bind -g bind' (see below). Then check /var/log/messages for errors. If your server runs without errors, change '/etc/resolv.conf' to match the following:
---
domain
nameserver
---
Now start nslookup and query your server for one of the hosts in your zone file, and query a reversed address to make sure the reverse zone answers as well. If all this works you'll probably want to start the DNS server automatically when the machine boots. Put the following lines in '/etc/rc.conf':
---
named_enable="YES"
named_program="/usr/sbin/named"
named_flags="-u bind -g bind"
---
Make sure the user and group 'bind' exist. If you don't start named with this user/group it will run as root:wheel, and any bug in named then hands whoever triggers it a root process (need I explain why you shouldn't do this?). Well, that should be all. If you have questions you can try, and if we have time and you said please, we'll answer >;-)
