The Domain Name Service
Upgrading a Version 4 configuration
What we've seen so far applies to Versions 8 and 9 of named. The previous version was Version 4 (don't ask what happened to 5, 6 and 7; until Version 9 came along, there were rumors that the next version would be 16). Version 8 of named introduced a completely new configuration file format. If you have an existing DNS configuration from Version 4, the main configuration file will be called /etc/named.boot or /etc/named/named.boot. You can convert it to the named.conf format with the script /usr/sbin/named-bootconf:
# named-bootconf < /etc/namedb/named.boot > /etc/namedb/named.conf
Looking up DNS information
You can use dig, host or nslookup to look up name information. It's largely a matter of preference which you use, but you should note that nslookup uses the resolver interface, which can result in you getting different results from what your name server would get. The output format of dig gets on my nerves, so I use host. Others prefer dig because it formulates the queries exactly the same way the name server does, and its output is more suited as input to named. For example, the command dig @a.root-servers.net . axfr produces a named.root file that named understands. We'll look briefly at host. Here are some examples:
$ host hub.freebsd.org                                  look up an A record
hub.freebsd.org has address 216.136.204.18
hub.freebsd.org mail is handled (pri=10) by mx1.freebsd.org
$ host 216.136.204.18                                   perform a reverse lookup
18.204.136.216.IN-ADDR.ARPA domain name pointer hub.freebsd.org
$ host ftp.freebsd.org                                  another one
ftp.freebsd.org is a nickname for ftp.beastie.tdk.net   this is a CNAME
ftp.beastie.tdk.net has address 62.243.72.50            and the corresponding A record
ftp.beastie.tdk.net mail is handled (pri=20) by mail-in1.inet.tele.dk
ftp.beastie.tdk.net mail is handled (pri=30) by mail-in2.inet.tele.dk
$ host -v -t soa freebsd.org                            Get an SOA record
Trying null domain
rcode = 0 (Success), ancount=1
The following answer is not authoritative:
freebsd.org     3066 IN SOA     ns0.freebsd.org hostmaster.freebsd.org(
                103031602       ; serial (version)
                1800            ; refresh period
                900             ; retry refresh this often
                604800          ; expiration period
                1800            ; minimum TTL
                )
For authoritative answers, see:
freebsd.org     3066 IN NS      ns0.freebsd.org
freebsd.org     3066 IN NS      ns1.iafrica.com
freebsd.org     3066 IN NS      ns1.downloadtech.com
freebsd.org     3066 IN NS      ns2.downloadtech.com
Additional information:
ns0.freebsd.org         92727 IN A      216.136.204.126
ns1.iafrica.com         92727 IN A      196.7.0.139
ns1.downloadtech.com    92727 IN A      170.208.14.3
ns2.downloadtech.com    92727 IN A      66.250.75.2
ns2.iafrica.com         22126 IN A      196.7.142.133
There are a number of things to look at in the last example:
- We used the -v (verbose) option to get more information.
- Note the message Trying null domain. This comes because the name supplied was not a fully qualified domain name: the period at the end was missing. host decides that it looks like a fully qualified name, so it doesn't append a domain name to the name.
- The local name server at example.org already had the SOA record for FreeBSD.org in its cache; as a result, it didn’t need to ask the name server that was authoritative for the zone. Instead, it tells you that the answer was not authoritative and tells you where you can get a valid answer.
- The output is in pretty much the same format as we discussed earlier in the chapter, but there are some numbers in front of IN in all the resource records. These are the time-to-live values for each individual record, in seconds. You can put these in the zone files, too, if you want, and they'll override the TTL value for the zone. In this printout, they specify how long it will be before the cached entry expires. Try it again and you'll see that the value is lower.
To get an answer from one of the authoritative name servers, we simply specify its name at the end of the request:
$ host -v -t soa freebsd.org. ns0.freebsd.org.
Using domain server:
Name: ns0.freebsd.org
Addresses: 216.136.204.126

rcode = 0 (Success), ancount=1
freebsd.org     3600 IN SOA     ns0.freebsd.org hostmaster.freebsd.org(
                103031602       ; serial (version)
                1800            ; refresh period
                900             ; retry refresh this often
                604800          ; expiration period
                180             ; minimum TTL
                )
This time we specified the names as FQDNs, so the message about the null domain no longer appears. Also, the TTL value is now the correct value for the record, and it won't change. Apart from that, the only difference is the missing message that the answer is not authoritative. The rest of the printout is the same.
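As an added example (not from the book), the following Python parses the two kinds of host -v SOA answer shown above, the cached one and the authoritative one, and checks that the cache agrees with the authority on the serial and that the remaining TTL is plausible. The sample answers are constructed from the output above; a cached TTL larger than the record's real TTL is something a name server cannot produce legitimately, so it is worth flagging.

```python
import re

# Constructed samples modelled on the two answers quoted above.
CACHED = """\
Trying null domain
rcode = 0 (Success), ancount=1
The following answer is not authoritative:
freebsd.org 3066 IN SOA ns0.freebsd.org hostmaster.freebsd.org(
    103031602 ; serial (version)
    1800 ; refresh period
    900 ; retry refresh this often
    604800 ; expiration period
    1800 ; minimum TTL
    )
"""
AUTHORITATIVE = """\
Using domain server:
Name: ns0.freebsd.org
Addresses: 216.136.204.126
rcode = 0 (Success), ancount=1
freebsd.org 3600 IN SOA ns0.freebsd.org hostmaster.freebsd.org(
    103031602 ; serial (version)
    1800 ; refresh period
    900 ; retry refresh this often
    604800 ; expiration period
    1800 ; minimum TTL
    )
"""
SOA_HEAD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SOA\s+(\S+)\s+(\S+)\(", re.M)
SOA_FIELD = re.compile(r"^\s*(\d+)\s*;", re.M)   # the five "number ; comment" lines

def parse_soa(output):
    """Extract zone, TTL, SOA fields and the authoritative flag from host -v output."""
    head = SOA_HEAD.search(output)
    if head is None:
        raise ValueError("no SOA record in output")
    nums = [int(n) for n in SOA_FIELD.findall(output)]
    if len(nums) != 5:
        raise ValueError("expected 5 SOA numeric fields, got %d" % len(nums))
    return {"zone": head.group(1), "ttl": int(head.group(2)),
            "mname": head.group(3), "rname": head.group(4),
            "serial": nums[0], "refresh": nums[1], "retry": nums[2],
            "expire": nums[3], "minimum": nums[4],
            "authoritative": "not authoritative" not in output}

def compare(cached, auth):
    """Check a cached SOA against the authoritative one for the same zone."""
    c, a = parse_soa(cached), parse_soa(auth)
    return {"serial_match": c["serial"] == a["serial"],
            "ttl_remaining": c["ttl"],                # seconds until the cache entry expires
            "ttl_consumed": a["ttl"] - c["ttl"],      # seconds since the cache fetched it
            "ttl_exceeds_record": c["ttl"] > a["ttl"]}  # impossible for a legitimate cache
```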
You can also use the -t option to look for a specific record:
$ host -t mx freebsd.org.                               get the MX records
freebsd.org mail is handled (pri=10) by mx1.freebsd.org
$ host -t hinfo hub.freebsd.org.                        get HINFO records
$ host -t hinfo freefall.freebsd.org.
freefall.freebsd.org host information Intel FreeBSD
These invocations don't use the -v (verbose) option, so they're much shorter. In particular, hub.freebsd.org doesn’t have any HINFO records, so we got no output at all.
Checking DNS for correctness
Several programs are available for diagnosing DNS configuration problems. They're outside the scope of this book, but if you're managing large DNS configurations, take a look at the collection at http://www.isc.org/.
DNS security
named was written at a time when the Internet was run by gentlemen. In the last few years, a relatively large number of security issues have been found in it. The FreeBSD project fixes these problems quickly, and you can expect that the version you get will have no known security issues. That can change, though: keep an eye on the security advisories from the FreeBSD project and update your name server if necessary.