DNS/BIND/named Configuration

I'm in the process of rebuilding an internal server on a different machine. I'd like to make it a resolver for the PCs in my workplace, but have been thus far unable to do so. Given that I really don't understand the internal workings of DNS, the fact I can't make it work doesn't really surprise me. :( I've tried to learn about it, but just can't seem to get a firm grasp on it. (It doesn't help matters that the present machine dies every few days and I'm in a time crunch to get the replacement ready before it doesn't come back on... I tried once before when building my mail server and it seems to work, but that was using a public accessible domain name registered with GoDaddy; I'm pretty sure it could be set up more efficiently, but was so geeked when I got it to actually work that I didn't want to touch it for fear of breaking it.)

I'd like to have the machine be a master resolver for the names (all of which are invalid for the internet) that I define in named.conf so that people can reference the names of my various internal boxes by name rather than by IP for items like internal web pages, instant messaging, video surveillance, etc. For all other name queries, I'd like them to hit either the DNS provided by our network provider or OpenDNS. (Our network provider's DNS dies periodically, so I definitely want a backup in place.)

No matter what I try - adding forwarders, adding master zone definitions, changing resolv.conf, etc - I can't seem to make this work. I'd appreciate any advice or pointers in this regard.
 
Alt said:
Emm... where is the question itself? xD

There's no specific question in my OP, more just a request for information on the assumption that somebody has either done this before or knows where to find information on how to do it. If I had to rephrase to include a question, I'd have to go with 'Does anybody have any advice or pointers to aid me in setting up this box to accomplish the above stated goal?' instead of 'I'd appreciate any advice or pointers in this regard.'



I could start posting the configs that I've tried, but it'd do little but fill up the thread with crap that doesn't work and annoy the very people I'd like help from. I've started over with the default named.conf configuration several times already and am no closer to getting it right than I was 4 hours ago. :(
 
Never mind - I figured it out. I cannot believe it was that simple and I've been screwing around with it for nearly 5 hours! :(

In [cmd=]/etc/namedb/named.conf[/cmd]:
Code:
  // addresses named binds to; 127.0.0.1 lets the box resolve through itself
  listen-on { <global IP on our network>; 192.168.100.1; 127.0.0.1; };
...blah blah blah...
  // upstream resolvers for names this server is not authoritative for;
  // with the default "forward first", named falls back to its own recursion
  // if none of them answers
  forwarders {
    <provider DNS IP>;
    208.67.222.222;
    208.67.220.220;
  };

And in [cmd=]/etc/resolv.conf[/cmd]:
Code:
search boxname
nameserver 127.0.0.1


If somebody familiar sees a problem with this configuration or is willing to suggest a more efficient one, I'd be grateful. Otherwise, it's working so I'm happy. (Though still a frustrated angry-at-myself-for-not-getting-it-sooner kind of happy...)
 
Set search in /etc/resolv.conf to your local domain. The search string will be added to the query when that client tries to resolve a hostname.
 
SirDice said:
Set search in /etc/resolv.conf to your local domain. The search string will be added to the query when that client tries to resolve a hostname.

What will this help? Sorry for the stupid question - I still feel like I know squat about DNS, even after all the hours of reading I've spent trying to understand. DNS is pretty much the only thing I feel this way with... just something about it that seems to avoid my understanding. :(

I have the domain of the store, or what it resolves to in BIND, as cityname.storename - totally illegal as a true domain name, so I don't have to worry about it blocking sites on the internet. (As happened at the last company I was with; they named an internal server the same as an unrelated company out on the internet.) It's for internal use only and cannot even be accessed from the internet without using our VPN, so I don't think I have to worry about upsetting people on the internet by setting it up this way. It'll be nice to be able to reference by a logical name rather than by IP. :)
 
I have search utp.xnet, the name of my local domain, in /etc/resolv.conf. Now I can be lazy and do things like
Code:
$  host vintrax
vintrax.utp.xnet has address 192.168.222.244
 
Ahhhh.... I think I understand that part now. Does it have any effect on the machines using the box for DNS queries or only the console of the server? If only on the console, is it permissible to eliminate the search line from /etc/resolv.conf and if so, what effects would it have?
 
The contents of /etc/resolv.conf are only accessible to programs which read this file, so AFAIK only the local box itself.

My box's /etc/resolv.conf, besides the "search utp.xnet" directive, also contains nameserver 192.168.222.10

This explains what tcpdump reports when I do that host query for "vintrax":
Code:
# tcpdump -ni re0 -s4096 port 53
tcpdump: listening on re0, link-type EN10MB
00:34:54.681711 192.168.222.20.12298 > 192.168.222.10.53: 47070+ A? vintrax.utp.xnet. (34)
My box, 192.168.222.20, issues a DNS query from source port 12298 to the 192.168.222.10 nameserver defined in my "resolv.conf" file.

Code:
00:34:54.728140 192.168.222.10.53 > 192.168.222.20.12298: 47070 1/0/0 A 192.168.222.244 (50)
This is the answer "192.168.222.244".


Code:
00:34:54.728565 192.168.222.20.23820 > 192.168.222.10.53: 8027+ AAAA? vintrax.utp.xnet. (34)
Now the host program does a request for the IPv6 AAAA record.


Code:
00:34:54.730803 192.168.222.10.53 > 192.168.222.20.23820: 8027 0/0/0 (34)
No such record.


Code:
00:34:54.730908 192.168.222.20.19706 > 192.168.222.10.53: 7662+ MX? vintrax.utp.xnet. (34)
A query for the Mail eXchanger, the mail server.


Code:
00:34:54.732732 192.168.222.10.53 > 192.168.222.20.19706: 7662 0/0/0 (34)
But here also no answer.

For a more detailed view use
Code:
# tcpdump -ni re0 -s4096 -vv port 53
Of course you have to replace the "re0" by the name of your own network interface.

The directives or options for /etc/resolv.conf are described in resolv.conf(5).

Now a simple homework assignment for you:
According to that man page, which other option in my resolv.conf could I have used instead of search?
;)
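The exchange in the capture above, as an added example that is not part of the original post: it expands the bare name "vintrax" the way the search directive does, builds the 34-byte A query and the 50-byte answer the capture shows, and decodes them the way tcpdump summarises them (ID, the "+" for RD, the 1/0/0 counts). The transaction IDs and addresses come from the capture; the TTL is an assumed value.

```python
import struct

# Constructed walk-through of the capture: "host vintrax" on a client whose
# resolv.conf says "search utp.xnet", asking the nameserver 192.168.222.10.
SEARCH = "utp.xnet"
QTYPE = {"A": 1, "AAAA": 28, "MX": 15}

def expand(hostname, search=SEARCH):
    # resolv.conf 'search': a bare hostname gets the search domain appended.
    # (Names that already contain a dot follow the ndots rule, omitted here.)
    return hostname if "." in hostname else f"{hostname}.{search}"

def encode_name(fqdn):
    # Wire form: length-prefixed labels terminated by a zero byte.
    return b"".join(bytes([len(l)]) + l.encode() for l in fqdn.split(".")) + b"\x00"

def build_query(txid, fqdn, qtype):
    # 12-byte header + question; flags 0x0100 = RD, the '+' tcpdump prints.
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(fqdn) + struct.pack("!HH", QTYPE[qtype], 1)

def build_answer(query, ipv4=None, ttl=3600):
    # The nameserver's reply: question echoed, QR|RD|RA set, and for a hit one
    # A record whose owner name is a pointer (0xC00C) back to the question.
    txid = query[:2]
    if ipv4 is None:                           # "0/0/0": no such record
        return txid + struct.pack("!HHHHH", 0x8180, 1, 0, 0, 0) + query[12:]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(map(int, ipv4.split(".")))
    return txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + query[12:] + rr

def parse(pkt):
    # Return (id, (an, ns, ar), [A addresses]) as tcpdump summarises a reply.
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    pos = 12
    while pkt[pos]:                            # skip the question name ...
        pos += pkt[pos] + 1
    pos += 5                                   # ... its terminator, qtype, qclass
    addrs = []
    for _ in range(an):
        pos += 2                               # compression pointer as owner name
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in pkt[pos:pos + 4]))
        pos += rdlen
    return txid, (an, ns, ar), addrs

def reply_matches(query, response):
    # A stub resolver only accepts a reply whose ID and echoed question match
    # the outstanding query (in addition to the source port tcpdump shows).
    return response[:2] == query[:2] and response[12:].startswith(query[12:])
```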
 
I understand how DNS works on a practical level (such as your packet captures), but have trouble understanding the underlying theory and therefore how the config files should be set up for maximum efficiency. There are warnings in named.conf to be sure it's right because you could screw something up or cause massive amounts of useless internet traffic, so I'm not entirely comfortable changing things I don't understand.

As for the homework, I'd guess you could use domain instead of search, but only the last one listed in the file (either domain or search) would be active for DNS queries done from your box.


Thank you for taking so much time responding - I appreciate it.
 