View Single Post
  #2   (View Single Post)  
Old 28th May 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,780
Default

In http://www.bsdforums.org/forums/show...61&postcount=1 I explained the dual roles of a nameserver: authoritative and recursive resolver.

For a recursive resolver you only need the minimal configuration as explained in the 3dr chapter of the BIND 9 Administrator Reference Manual which you can find in /usr/share/doc/html/bind/Bv9ARM.ch03.html

You only need a master zone if you configure Bind as an primary/master authoritative nameserver. A master authoritative nameserver answers questions about the domains it is authoritative for from the zone file(s).

A slave authoritative nameserver get its zone information from a master nameserver.
The master/slave thing is just a way to replicate information from one authoritative nameserver to other nameservers.

The "/etc/resolv.conf" should only contain the ip addresses of caching nameservers

You can setup a local authoritative nameserver with a zone with non-official TLD.

On my local LAN at home I use xnet
Code:
$ dig +norecurse -t ns utp.xnet @192.168.222.11

; <<>> DiG 9.3.4 <<>> +norecurse -t ns utp.xnet @192.168.222.11
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9708
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;utp.xnet.                      IN      NS

;; ANSWER SECTION:
utp.xnet.               259200  IN      NS      ns1.utp.xnet.

;; ADDITIONAL SECTION:
ns1.utp.xnet.           259200  IN      A       192.168.222.11

;; Query time: 1 msec
;; SERVER: 192.168.222.11#53(192.168.222.11)
;; WHEN: Wed May 28 02:09:04 2008
;; MSG SIZE  rcvd: 60
I have a tinydns authoritative nameserver running at 192.168.222.11 which is an alias IP address. The aa flag in the dig query stands for Authoritative Answer.
On 192.168.222.10 is my dnscache recursive resolver.
Code:
$ dig ns1.utp.xnet

; <<>> DiG 9.3.4 <<>> ns1.utp.xnet
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53169
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.utp.xnet.                  IN      A

;; ANSWER SECTION:
ns1.utp.xnet.           258816  IN      A       192.168.222.11

;; Query time: 1 msec
;; SERVER: 192.168.222.10#53(192.168.222.10)
;; WHEN: Wed May 28 02:19:16 2008
;; MSG SIZE  rcvd: 46
This is from the recursive resolver which is listed in my /etc/resolv.conf file. Notice the missing aa flag, indicating that it is not authoritative answer.

Re: dynamic DNS

IMHO dynamic DNS is evil, it relies on the completely insecure DHCP protocol. For a home network I would just assign fixed IP addresses.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote