DaemonForums  

#1
27th May 2008
spiderpig
Port Guard
Join Date: May 2008
Posts: 20

caching DNS server?

I'm a real newbie when it comes to DNS, but I have been reading the Linux DNS howto for information (http://tldp.org/HOWTO/DNS-HOWTO.html).
I would like to set up DNS for a home network using OpenBSD 4.3. I'm using a private 192.168.0.0 IP range.

I have three questions at this point.
  • The end of /var/named/etc/named.conf has the following contents:
    Code:
    // Master zones
    //
    //zone "myzone.net" {
    //      type master;
    //      file "master/myzone.net";
    //};
    
    // Slave zones
    //
    //zone "otherzone.net" {
    //      type slave;
    //      file "slave/otherzone.net";
    //      masters { 192.0.2.1; [...;] };
    //};
    Am I correct that I will be using this last "slave" zone for the caching nameserver?
  • /etc/resolv.conf on any client connecting to this caching server needs to specify a domain. Am I correct that I will still be using the ISP's domain, but specify the IP address for the local caching server?
  • For my last question, since I will not be configuring zone information for a caching nameserver, will I need to be concerned about setting up dynamic DNS?
Thanks!
#2
28th May 2008
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,150

In http://www.bsdforums.org/forums/show...61&postcount=1 I explained the dual roles of a nameserver: authoritative and recursive resolver.

For a recursive resolver you only need the minimal configuration as explained in the 3rd chapter of the BIND 9 Administrator Reference Manual, which you can find in /usr/share/doc/html/bind/Bv9ARM.ch03.html.

You only need a master zone if you configure Bind as a primary/master authoritative nameserver. A master authoritative nameserver answers questions about the domains it is authoritative for from the zone file(s).

A slave authoritative nameserver gets its zone information from a master nameserver.
The master/slave thing is just a way to replicate information from one authoritative nameserver to other nameservers.

The "/etc/resolv.conf" should only contain the IP addresses of caching nameservers.

You can setup a local authoritative nameserver with a zone with non-official TLD.

On my local LAN at home I use xnet:
Code:
$ dig +norecurse -t ns utp.xnet @192.168.222.11

; <<>> DiG 9.3.4 <<>> +norecurse -t ns utp.xnet @192.168.222.11
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9708
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;utp.xnet.                      IN      NS

;; ANSWER SECTION:
utp.xnet.               259200  IN      NS      ns1.utp.xnet.

;; ADDITIONAL SECTION:
ns1.utp.xnet.           259200  IN      A       192.168.222.11

;; Query time: 1 msec
;; SERVER: 192.168.222.11#53(192.168.222.11)
;; WHEN: Wed May 28 02:09:04 2008
;; MSG SIZE  rcvd: 60
I have a tinydns authoritative nameserver running at 192.168.222.11 which is an alias IP address. The aa flag in the dig query stands for Authoritative Answer.
On 192.168.222.10 is my dnscache recursive resolver.
Code:
$ dig ns1.utp.xnet

; <<>> DiG 9.3.4 <<>> ns1.utp.xnet
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53169
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.utp.xnet.                  IN      A

;; ANSWER SECTION:
ns1.utp.xnet.           258816  IN      A       192.168.222.11

;; Query time: 1 msec
;; SERVER: 192.168.222.10#53(192.168.222.10)
;; WHEN: Wed May 28 02:19:16 2008
;; MSG SIZE  rcvd: 46
This is from the recursive resolver which is listed in my /etc/resolv.conf file. Notice the missing aa flag, indicating that it is not an authoritative answer.

Re: dynamic DNS

IMHO dynamic DNS is evil, it relies on the completely insecure DHCP protocol. For a home network I would just assign fixed IP addresses.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
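As an added example (not from this thread, from BIND or from tinydns): a small Python decoder for the header bits that dig prints, so the aa distinction J65nko points to above (and again in post #4, where a careful caching nameserver only accepts aa-flagged replies) can be checked programmatically. The packet builder constructs sample data that mirrors the second dig output; nothing is sent over the network, and the names, TTL and message id are taken from the thread as sample values.

```python
# Added example: build a DNS response and decode the header the way dig prints it.
import struct
import socket

FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100, "ra": 0x0080}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_response(qname, ip, aa, ttl=258816, msg_id=53169):
    """Construct a sample A-record reply (not a real capture); aa selects the flag."""
    flags = FLAG_BITS["qr"] | FLAG_BITS["rd"] | FLAG_BITS["ra"]
    if aa:
        flags |= FLAG_BITS["aa"]
    header = struct.pack(">HHHHHH", msg_id, flags, 1, 1, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    question = name + struct.pack(">HH", 1, 1)          # QTYPE=A, QCLASS=IN
    # Answer name is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def read_name(pkt, off):
    """Decode a (possibly compressed) domain name at pkt[off]; return (name, next offset)."""
    labels = []
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                             # compression pointer
            ptr = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(pkt, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", off
        labels.append(pkt[off:off + ln].decode())
        off += ln


def parse_response(pkt):
    """Return id, status, flag names and section counts as dig shows them, plus the first A record."""
    msg_id, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    info = {"id": msg_id, "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "flags": [n for n, b in FLAG_BITS.items() if flags & b],
            "counts": (qd, an, ns, ar), "answer": None}
    off = 12
    for _ in range(qd):                                   # skip the question section
        _, off = read_name(pkt, off)
        off += 4
    if an:
        name, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            info["answer"] = (name, ttl, socket.inet_ntoa(pkt[off:off + 4]))
    return info


def is_authoritative(pkt):
    """True only for a NOERROR reply carrying the aa flag, the test a cautious resolver applies."""
    info = parse_response(pkt)
    return info["status"] == "NOERROR" and "aa" in info["flags"]
```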
#3
29th May 2008
spiderpig
Port Guard
Join Date: May 2008
Posts: 20

Thanks for your reply.

After reading both your response and the BIND Reference Manual mentioned above, it appears that caching nameservers are only useful for increasing performance and distributing the load on authoritative nameservers. As such, they don't store A records as I originally assumed. If I am correct, it also doesn't appear that caching nameservers have to reference authoritative nameservers within the zone as they can just begin queries directly through the TLD nameservers. At least this is what I appear to have found out when tinkering with a box I will be using for DNS here.

So, I will study further about what you mention as far as using a domain not officially registered since I will need an authoritative nameserver to store local A records for the machines I have at home.

So thanks for giving direction. I will likely be back with more questions in a few days.
#4
29th May 2008
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,150

Quote:
Originally Posted by spiderpig View Post
..... it appears that caching nameservers are only useful for increasing performance and distributing the load on authoritative nameservers.
No, a responsible caching nameserver will not be satisfied by the answer of a caching nameserver. It will only be satisfied if it sees the aa (Authoritative Answer) flag in the DNS reply packet.
The proper way to distribute load on authoritative nameservers is to have several of them.

Caching nameservers are useful for a network to reduce DNS traffic. That is why your ISP usually gives you the addresses of its two caching nameservers to enter into your /etc/resolv.conf file.
Quote:
As such, they don't store A records as I originally assumed.
A nameserver like Bind can be configured to act as a caching nameserver, as well as an authoritative nameserver, answering queries from the stored A records. In other words, two different tasks run by a single program.
In a professional environment, this however should be avoided for security reasons.

For example, if you configure a zone file for msn.com and enter 127.0.0.1 as A record, the caching nameserver will not do the traversal starting from the DNS root '.' , but will answer with the 127.0.0.1 address from the zone file.

Quote:
If I am correct, it also doesn't appear that caching nameservers have to reference authoritative nameservers within the zone as they can just begin queries directly through the TLD nameservers.
That is partially correct, they start their inquiries from the [a-m].rootserver.net servers from the DNS root '.' servers. The "." (dot) is the root of the DNS hierarchy, just like "/" is the root of a filesystem.
#5
30th May 2008
spiderpig
Port Guard
Join Date: May 2008
Posts: 20

Quote:
Originally Posted by J65nko View Post
For example, if you configure a zone file for msn.com and enter 127.0.0.1 as A record, the caching nameserver will not do the traversal starting from the DNS root '.' , but will answer with the 127.0.0.1 address from the zone file.
I'm assuming you are saying that msn.com could be treated as the local domain if the address of its nameserver is set to 127.0.0.1 in named.conf. Where is this A record to be defined?
Quote:
That is partially correct, they start their inquiries from the [a-m].rootserver.net servers from the DNS root '.' servers. The "." (dot) is the root of the DNS hierarchy, just like "/" is the root of a filesystem.
Okay, previously /etc/resolv.conf pointed to two (caching?) nameservers of the ISP to resolve all DNS queries. Is it worthwhile, and is it possible, to continue passing all requests to these two servers except when resolving a fictitious local domain?
#6
30th May 2008
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,150

Re: msn.com zone file
Each zone file you configure to be used for a caching nameserver will be used to answer queries, independent of which records are there and whether they reflect reality.

The example I gave of a msn.com zone file with the 127.0.0.1 loopback address is used by some system administrators to prevent people from using MSN.

Re: local domain

Yes, you can tell your caching nameserver to pass on all non-local domain queries to the nameservers of your ISP. In Bind terminology, you have to define these nameservers as forwarders. A "forwarding-only" nameserver will hand off, or "forward" all the queries it receives to these nameservers. It will still cache the answers of the "forwarders" for possible reuse.

All these things can be found in the Bind 9 administrators manual. A good second source is Craig Hunt's book "TCP/IP Network Administration".

Last edited by J65nko; 3rd June 2008 at 12:12 AM. Reason: Minor grammar improvements