UnixWorld Online: ``PC-Unix Connection'' Column: No. 005 DNS Database Files By Tom Yager With the foundation of the previous column beneath you, you should be ready to start building your own DNS databases. There's a lot of ground to cover, so I'll dispense with the preliminaries, save one: the examples given here are actual DNS databases, pulled from my network. The host names, IP addresses and other data are real, so don't try to use them on your site. If you use these files as templates for your own DNS databases, please remember to replace all the supplied data. The listings will display without the need to scroll horizontally if you resize your browser window until you can display this entire line in the window: |---------------------------------------------------------------------| The file /etc/named.boot tells the named software on your system where to find its configuration tables. On Maxx, I chose to place this data under /usr/local/bind to distinguish it from system data that would be replaced in an OS update or re-install. The named.boot file on my system looks like this: 1 directory /usr/local/bind 2 primary maxx.net maxx.net.hosts 3 primary 0.0.127.in-addr.arpa named.local 4 primary 17.251.204.in-addr.arpa maxx.net.revhosts 5 cache . named.ca The line numbers are shown for reference; don't enter them. Line 1 tells named where to find the files, and also saves you having to type the fully qualified path names. You're free to place your database files anywhere, but I recommend you use a file system on your primary (boot) drive. If a secondary drive fails or gets unmounted, you can keep your name server running. Line 2 starts with the key word primary, indicating that the database file contains primary server data. A primary server maintains all its databases locally. A secondary server loads DNS data from another server (primary or secondary). To keep these examples simple, we'll stick with definitions for a primary server. The line 2 entry, maxx.net tells named which domain the file (here, maxx.net.hosts) defines. You may define multiple domains with one invocation of named. Just create a database file for each domain you wish to define. Here are the contents of the primary host database for the domain maxx.net: ; ; Addresses for the local domain maxx.net. IN SOA maxx.maxx.net. tyager.maxx.maxx.net. ( 9602171 ; Serial 36000 ; Refresh every 10 hours 3600 ; Retry after 1 hour 360000 ; Expire after 100 hours 36000 ; Minimum TTL is 10 hours ) ; Define name servers ; maxx.net. IN NS maxx.maxx.net. maxx.net. IN A 204.251.17.241 ; Define localhost ; localhost IN A 127.0.0.1 ; Set up hosts ; maxx IN A 204.251.17.241 IN MX 5 maxx.maxx.net. maxx.net. IN MX 5 maxx.maxx.net. ; ; All mail for net delivered to maxx ; ;* IN MX 10 maxx.maxx.net. www IN CNAME maxx.maxx.net. ftp IN CNAME maxx.maxx.net. news IN CNAME maxx.maxx.net. mail IN CNAME maxx.maxx.net. ns IN CNAME maxx.maxx.net. loghost IN CNAME maxx.maxx.net. lucy IN A 204.251.17.242 linux IN CNAME lucy.maxx.net. lucy IN MX 10 lucy.maxx.net. messdos IN A 204.251.17.243 messdos IN MX 10 messdos.maxx.net. pentium IN CNAME messdos.maxx.net. solaris IN A 204.251.17.244 solaris IN MX 10 solaris.maxx.net. maxx4 IN CNAME solaris.maxx.net. maxx5 IN A 204.251.17.245 maxx5 IN MX 10 maxx5.maxx.net. maxx6 IN A 204.251.17.246 maxx6 IN MX 10 maxx6.maxx.net. Most database file entries are known as DNS resource records. Generally, the resource records are shown ordered: SOA, NS, followed by the other types, but this ordering isn't required. The data in each entry may be entered in upper-, lower-, or mixed case. All entries in the database file must start at the beginning of the line. Blank lines as well as any text following a semicolon is ignored. SOA stands for Start of Authority. This self-impressed acronym clues named that operational parameters follow. By far the most important is the Serial field. Every time you make a change to a database file, you must increment its serial number. Only by doing this will secondary servers know they need to reach into your system and pull out new name server data, a procedure known as a ``zone transfer.'' Many DNS administrators use a date-time stamp for this field, like 9602171 for the first version on February 17, 1996. First, let's focus on the SOA section: maxx.net. IN SOA maxx.maxx.net. tyager.maxx.maxx.net. ( The ``maxx.net.'' field tells named the domain defined by this file. The name server will automatically append it to any host name that appears in the file. The trailing dot is not a typo: it keeps named from trying to tack on your domain name. Without it, the resolver would be confused by named's expansion of my domain name to ``maxx.net.maxx.net.'' The IN stands for the ``Internet'' class of data. Even though other classes exist, they aren't in common usage. The ``maxx.maxx.net'' field is the host on which these database files reside. Finally, ``tyager.maxx.maxx.net'' represents the e-mail address of the DNS administrator, where the first dot (between tyager and maxx) would be replaced by the at-sign (@) to create a valid address. (The at-sign can't be used here because it has a reserved meaning in DNS database files.) The open parenthesis at the end of the line lets you to split the SOA record across physical lines for readability: 9602171 ; Serial 36000 ; Refresh every 10 hours 3600 ; Retry after 1 hour 360000 ; Expire after 100 hours 36000 ; Minimum TTL is 10 hours ) We discussed the ``serial'' field above. The remaining four fields specify various time intervals (all values in seconds) used by the secondary name server: Refresh The time interval that must elapse between each poll of the primary by the secondary name server (here 36,000 seconds or 10 hours). If the ``serial number'' has been updated on the primary, the secondary assumes its data is stale and requests updated information as a ``zone transfer''. Retry The time interval used between successive connection attempts by the secondary to reach the primary name server in case the first attempt failed (here 3,600 seconds or one hour). Generally, less than the ``refresh'' time. Expire The time interval after which the secondary expires its data if it can't reach the primary name server (here 360,000 seconds or 100 hours). The secondary will refuse to service requests after this interval. Minimum The minimum time-to-live value, which specifies how long other servers should cache data from the name server (here 36,000 seconds or 10 hours). There are several types of resource records, identified by the key word in field three of each record. You may present records in any order, but try to organize them for clarity (whatever that suggests to you). The NS (name server) record tells the hosts that query your server where the name servers for this domain can be found: maxx.net. IN NS maxx.maxx.net. The address of the host maxx.maxx.net isn't defined until later, but it doesn't matter. It gets used in the SOA record as well, so I relax my backward-reference ban in this case. You may list multiple name servers for your domain. In fact, your domain should have at least two name servers. As I said, your Internet service provider will probably allow you to use their name server as a secondary for your domain. Don't forget the trailing dots! The first A record, which resolves a fully-qualified host name to an IP address, is a special one. It defines an IP address for unqualified queries, that is, queries for the host maxx.net. It's easy for my small network, which only has one host that offers any services to the outside world. Users can access it with a few saved keystrokes, and my users have the luxury of simplified e-mail addresses (for instance, tyager@maxx.net). Other A records like this one: lucy IN A 204.251.17.242 provide name-to-address mapping for a specific named host. The domain defined in this file (maxx.net) is appended to the host name you show in the first field. The CNAME records create aliases for existing hosts. These examples illustrate a few common uses: www IN CNAME maxx.maxx.net. ftp IN CNAME maxx.maxx.net. You may give a host any alias you like, and as many aliases as you like. The host needn't answer to that name, that is, the alias doesn't need to be the host's true name as reported by hostname or uname. The other vital type of record is MX. This tells SMTP e-mail software where to send mail for each named host: lucy IN MX 10 lucy.maxx.net. When a remote host's mail delivery program sees an e-mail address in your domain, it will query your name server for its applicable MX record or records. This is wonderfully versatile. Every user on your LAN can receive e-mail, even if not every host is running its own e-mail software. The MX record for lucy, for instance, could easily redirect e-mail to another host on the LAN. The number (10 in this case) in the fourth field represents a preference value. If you define multiple MX records for a host, delivery is attempted to lower-preference value hosts first. The actual value isn't important, only its relationship to other preference values. On larger LANs it's a good idea to create backup e-mail servers. Smaller LANs, like mine, can simply rely on the fact that most SMTP mailers will retry deliveries to my site for three days before returning a message to its sender. The line--shown commented out here--would arrange to redirect e-mail for all hosts in this domain to a single machine: ; ; All mail for net delivered to maxx ; ;* IN MX 10 maxx.maxx.net. This is an exceedingly good idea for company LANs that benefit from a central e-mail repository. Address-to-name mapping Reverse-mapping files let resolvers post queries armed with only the IP address. This reverse mapping is used, for example, by Internet server software that prefers to log host names rather than less informative IP addresses. Your host will require at least two reverse-mapping files. The first, defined on line two of the sample named.boot file, sets up the reverse mapping of the localhost entry: ; ; Addresses in the local domain ; @ IN SOA maxx.maxx.net tyager.maxx.maxx.net. ( 9602171 ; Serial 36000 ; Refresh every 100 hours 3600 ; Retry after 1 hour 3600000 ; Expire after 1000 hours 36000 ; Minimum TTL is 100 hours ) maxx.net. IN NS maxx.maxx.net. 1 IN PTR localhost. There's only one host in this database. The at-sign in the first column of the SOA record is shorthand for ``insert my domain here.'' The domain, as defined by this database file's entry in the named.boot file, is 0.0.127.in- addr.arpa. As discussed in my previous column, this domain is recognized as special. Among its special qualities is that the network address identified in the domain (127.0.0 in this case) is reversed before it is is processed. Therefore, the PTR entry in the above example uses one (1) as the suffix to the IP address given in named.boot, creating the IP address 127.0.0.1. The reverse-mapping database for the rest of the domain, set up in line four of the sample named.boot, looks like this: ; ; Reverse addressing for the local domain ; @ IN SOA maxx.maxx.net. tyager.maxx.maxx.net. ( 9602171 ; Serial 36000 ; Refresh every 10 hours 3600 ; Retry after 1 hour 360000 ; Expire after 100 hours 36000 ; Minimum TTL is 10 hours ) ; ; Define name server ; IN NS maxx.maxx.net. ; ; Addresses point to canonical names: ; 241 IN PTR maxx.maxx.net. 242 IN PTR lucy.maxx.net. 243 IN PTR messdos.maxx.net. 244 IN PTR solaris.maxx.net. 245 IN PTR maxx5.maxx.net. 246 IN PTR maxx6.maxx.net. If you leave field one blank (as in the NS record for this example) named will use previous record's field-one entry. In this case, the at-sign gets replaced by the domain name from line four of named.boot. Only one line from named.boot remains to be discussed, the ``cache'' entry. This is a bit of a misnomer as it doesn't have anything to do with local caching. Instead, it defines the master root domain name servers for the Internet. You can retrieve this list from ftp://nic.ddn.mil/netinfo/root-servers.txt. You will need to check this site periodically to ensure you have the latest list. This file lists the root domain servers in human-readable format. You'll need to reformat it for consumption by named. Here's what the cache file looks like, using the root servers defined when this article was written (February 1996). ; Servers from the root domain ; ftp://nic.ddn.mil/netinfo/root-servers.txt ; . 99999999 IN NS A.ROOT-SERVERS.NET . 99999999 IN NS B.ROOT-SERVERS.NET . 99999999 IN NS C.ROOT-SERVERS.NET . 99999999 IN NS D.ROOT-SERVERS.NET . 99999999 IN NS E.ROOT-SERVERS.NET . 99999999 IN NS F.ROOT-SERVERS.NET . 99999999 IN NS G.ROOT-SERVERS.NET . 99999999 IN NS H.ROOT-SERVERS.NET . 99999999 IN NS I.ROOT-SERVERS.NET ; Root servers by address A.ROOT-SERVERS.NET 99999999 IN A 198.41.0.4 B.ROOT-SERVERS.NET 99999999 IN A 128.9.0.107 C.ROOT-SERVERS.NET 99999999 IN A 192.33.4.12 D.ROOT-SERVERS.NET 99999999 IN A 128.8.10.90 E.ROOT-SERVERS.NET 99999999 IN A 192.203.230.10 F.ROOT-SERVERS.NET 99999999 IN A 192.5.5.241 G.ROOT-SERVERS.NET 99999999 IN A 192.112.36.4 H.ROOT-SERVERS.NET 99999999 IN A 128.63.2.53 I.ROOT-SERVERS.NET 99999999 IN A 192.36.148.17 Here, the dot (.) refers to the root domain and the 99999999 means a very long time-to-live value. The TTL value is no longer used for caching because the data isn't discarded if it times out, but administrators generally keep it around because it does no harm. Testing your name server The book, DNS and BIND by Paul Albitz and Cricket Liu, published by O'Reilly and Associates, includes instructions for detailed diagnostics. However, you can perform some simple checks on your name server's health with nslookup. This utility is standard with every TCP/IP-network aware version of Unix I've used. There are other similar tools--such as dig--in Internet archives; check DNS and BIND for details. You can find the source code for dig at several anonymous FTP archive sites, including ftp://ftp.wonderland.org/NetBSD/NetBSD-current/src/usr.sbin/named/dig/ for the NetBSD release. Use Archie to find other sites. The nslookup utility can be used interactively, much like other programs, such as ftp. That is, if you invoke this program without command-line arguments, it displays a prompt and waits for your command: Default Server: localhost Address: 127.0.0.1 > By default, nslookup performs queries based on host names you submit. Just enter a host name after the prompt: > messdos Server: localhost Address: 127.0.0.1 Name: messdos.maxx.net Address: 204.251.17.243 because nslookup will tack on your domain name. Check your reverse-mapping entries by entering an IP address: > 204.251.17.245 Server: localhost Address: 127.0.0.1 Name: maxx5.maxx.net Address: 204.251.17.245 You can check your MX and NS records by using nslookup's set type command: > set type=mx > maxx.net Server: localhost Address: 127.0.0.1 maxx.net preference = 5, mail exchanger = maxx.maxx.net maxx.maxx.net internet address = 204.251.17.241 > lucy.maxx.net Server: localhost Address: 127.0.0.1 lucy.maxx.net preference = 10, mail exchanger = lucy.maxx.net lucy.maxx.net internet address =3D 204.251.17.242 > set type=ns > maxx.net Server: localhost Address: 127.0.0.1 maxx.net nameserver = maxx.maxx.net maxx.maxx.net internet address = 204.251.17.241 The Fat Lady Sings I also recommend using nslookup to check host names outside your domain. This will help ensure you got your root domain cache database right and that your host's named can forward queries to other servers. You should also avail yourself of a system outside your LAN to make sure your name server can be seen and understood by others. This will also show you when the NIC has added your entries to the root servers. Until that's done, no one outside your LAN can see your name server without having its IP address. Once the NIC gets your domain set up, nslookup on another host will suddenly know where to look to resolve names and addresses in your domain. Make sure you're ready to roll before you start publishing any host names in your domain. Internet users have a notoriously low tolerance for sites which are advertised but unreachable. From here, administration is simple as long as your domain doesn't grow by a huge leap. Just download the root servers list from the NIC periodically and keep your ears open for mail from users about sites on your LAN that can't be seen. As simple as all these files seem, it's ridiculously easy to make basic mistakes that are hard to find. I had the devil's own time getting my DNS databases configured; Becca Thomas (my UWOL editor) patiently struggled squeezing e-mail through my initially -busted DNS setup. A messed-up DNS configuration can make your system hard to reach from the outside, and the symptoms of that difficulty don't always make the problem clear. It helps, too, to have some experts around. It should be a criteria in choosing an Internet provider that good help is easily available. I owe my provider, FastLane Communications (http://www.fastlane.net), a link for being so helpful when I was getting maxx.net on line. That's it for our series on DNS. It's no replacement for a more thorough text, but we hope it helps you get started. Next month we'll help you face what you may (or may not!) dread: connecting Windows 95 systems to your TCP/IP LAN. Until then, thanks for reading. ---------------------------------------------------------------------------- Copyright © 1995 The McGraw-Hill Companies, Inc. All Rights Reserved. Edited by Becca Thomas / Online Editor / UnixWorld Online / editor@unixworld.com [Go to Content] [Search Editorial] Last Modified: Sunday, 10-Mar-96 10:02:24 PST