the DNS system is basically the yellow pages – the phone book of the internet or any network.

starting off as a single file (/etc/hosts) and growing over decades into a world wide self-synchronizing system, it has gained more and more complexity over time and has seen different implementations on different systems, enough to confuse the heck out of everybody. it has thus become a science of its own, requiring dedicated specialists to keep it up, safe and running.

just imagine you could point arbitrary domain names at your own server’s ip and some or all traffic would go to your proxy that captures all those amazon, ebay, paypal or mail passwords…. major security problem i would guess, everyone reverting back to paper.

if you have not been there right from the start and followed all changes, things might be pretty confusing when you try to figure out or debug the wiring.

i hope i can shed some minimal light into the mysterious world of matching names with the (hopefully right) ip addresses. (resolve hostnames, host name resolution)

because that used to be all it is 😀

„named“ is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC

every distribution seems to have its own bind-named config structure, and it is not easy to see:

  1. how does UNIX/LINUX DNS work in a LAN (many config files that are not standardized across distributions, and how do they play together)
  2. how does the internet DNS system work with all its A, AAAA, MX and other record types
  3. the way DNS servers synchronize with each other is also pretty complex

ps: complexity increases the likelihood of mistakes and security-holes – unless you are god or nobody.

hostname resolution inside a private LAN vs hostname domainname resolution on the internet

there seems to be no clear cut between private LAN name resolution and internet name resolution… (your hostname should match your domainname)

you won’t have to run a full blown name server to resolve hostnames inside a LAN.

You don’t need to run named, the bind9 implementation of the Berkeley name server system developed by the University of California at Berkeley in the 1980s, for this.

just change the /etc/hostname to whatever you want and try to ping that machine from another machine.

should work.

after you have done this, you can check out the arp cache. arp resolves the ips in the cache back to names (a reverse lookup; arp -n skips it), so it not only displays MAC<->IP assignments but also the full hostname including domainname.

suse12:~ # arp
Address                  HWtype  HWaddress           Flags Mask            Iface
centos7.domainname.local    ether   00:15:5d:00:07:0d   C                     eth0
ccusrv1.domainname.local    ether   2c:76:8a:aa:60:3a   C                     eth0
172.20.0.1               ether   34:31:c4:53:37:8a   C                     eth0
debian8.domainname.local    ether   00:15:5d:00:07:08   C                     eth0
pc0032.domainname.local     ether   00:22:4d:6a:e5:c6   C                     eth0

/etc/hostname

this is straight-forward… it contains the network-visible name of your pc.

(so ping debian8 should work)

example content:

root@Debian8:~# cat /etc/hostname
Debian8

user@suse12:~> cat /etc/hostname
suse12.domain

[user@CentOS7 ~]$ cat /etc/hostname
CentOS7

hostname.man.txt

/etc/hosts

hosts.man.txt

static table lookup for hostnames.

the very first version of the DNS system so to speak, before it became a science for itself.

simple text file that associates IP addresses with hostnames. format:
IP_address canonical_hostname [aliases…]

example content:

127.0.0.1       localhost
127.0.1.1       debian

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

172.20.0.12     debian.theurbanpenguin.com debianer lalelu

# on the host/server itself:

ping lalelu

ping debianer

# creates same result:

PING debian.theurbanpenguin.com (172.20.0.12) 56(84) bytes of data.
 64 bytes from debian.theurbanpenguin.com (172.20.0.12): icmp_seq=1 ttl=64 time=0.018 ms
 64 bytes from debian.theurbanpenguin.com (172.20.0.12): icmp_seq=2 ttl=64 time=0.033 ms

/etc/host.conf

etc_host.conf.man.txt: „The nsswitch.conf(5) file is the modern way of controlling the order of host lookups.“

example content:

user@Debian8:~$ cat /etc/host.conf
multi on

[user@CentOS7 ~]$ cat /etc/host.conf
multi on

user@suse12:~> cat /etc/host.conf
#
# /etc/host.conf - resolver configuration file
#
# Please read the manual page host.conf(5) for more information.
#
#
# The following option is only used by binaries linked against
# libc4 or libc5. This line should be in sync with the "hosts"
# option in /etc/nsswitch.conf.
#
order hosts, bind
#
# The following options are used by the resolver library:
#
multi on

order hosts, bind means: look up hostnames first in /etc/hosts and then at the nameservers specified in /etc/resolv.conf

The multi on option determines whether a host in the /etc/hosts file can have multiple IP addresses, i.e. whether all matching lines are returned or only the first one (src)

/etc/resolv.conf

resolv.conf.man.txt

contains the currently used domain and nameservers.

But what exactly is a domain? What is it used for?

„A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet.“ (src)

so basically every company has its own „domain controlling“ server… which could be google.com.

So the idea is that google.com is not only a webserver with a domain name assigned by ARPA.

example content:

user@Debian8:~$ cat /etc/resolv.conf
domain domainname.local
search domainname.local
# nameserver 208.67.222.222
nameserver 172.20.0.2

[user@CentOS7 ~]$ cat /etc/resolv.conf
# Generated by NetworkManager
search domainname.local
nameserver 172.20.0.2

user@suse12:~> cat /etc/resolv.conf
### /etc/resolv.conf file autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
# NETCONFIG_DNS_STATIC_SEARCHLIST
# NETCONFIG_DNS_STATIC_SERVERS
# NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
# NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
# Note: Manual change of this file disables netconfig too, but
# may get lost when this file contains comments or empty lines
# only, the netconfig settings are same with settings in this
# file and in case of a "netconfig update -f" call.
#
### Please remove (at least) this line when you modify the file!
search domainname.local
nameserver 172.20.0.2


/etc/nsswitch.conf

nsswitch.conf.man.txt

example content:

user@Debian8:~$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


[user@CentOS7 ~]$ cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss
shadow:     files sss
group:      files sss
#initgroups: files

#hosts:     db files nisplus nis dns
hosts:      files dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus


user@suse12:~> cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       compat                  Use compatibility setup
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       [NOTFOUND=return]       Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#

# passwd: files nis
# shadow: files nis
# group:  files nis

passwd: compat
group:  compat

hosts:          files dns
networks:       files dns

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files nis
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files


comparison:

user@Debian8:~$ grep hosts /etc/nsswitch.conf
hosts: files mdns4_minimal [NOTFOUND=return] dns

user@suse12:~> grep hosts /etc/nsswitch.conf
hosts: files dns

[user@CentOS7 ~]$ grep hosts /etc/nsswitch.conf
hosts: files dns myhostname

so all three distributions first consult the local file /etc/hosts to map a computer name to an ip address (domain name resolution), and only then query the dns server specified in /etc/resolv.conf
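to see how such a hosts: line is actually walked, here is an added example in python (written for this page, not code from the post or from glibc). it simulates the lookup chain for one name: files reads a constructed /etc/hosts in the IP_address canonical_hostname [aliases…] format and the host.conf multi option decides whether all matching lines or only the first are returned; mdns4_minimal only answers names ending in .local and otherwise steps aside; [NOTFOUND=return] stops the search when the source before it said "not found" (the rule explained in the comment of the CentOS7 file above). the hosts file, the mDNS and DNS answer tables and the ip addresses in them are constructed for the example; myhostname and other sources are not modelled.

```python
"""Added example for this page (not code from the post or from glibc): simulate
how the 'hosts:' line of /etc/nsswitch.conf is walked for one name.
All tables below are constructed sample data."""
import re

# constructed /etc/hosts content, modelled on the post's example plus a
# second address for one name to show the host.conf 'multi' option
HOSTS_FILE = """\
127.0.0.1       localhost
127.0.1.1       debian
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
172.20.0.12     debian.theurbanpenguin.com debianer lalelu
172.20.0.13     debian.theurbanpenguin.com   # constructed second address
"""

def parse_hosts(text):
    """Parse 'IP canonical_hostname [aliases...]' lines into an ordered list of
    (ip, names); blank lines and '#' comments are skipped."""
    table = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if names:
            table.append((ip, names))
    return table

def lookup_files(name, table, multi):
    """The 'files' source. host.conf 'multi on' returns every matching line,
    'multi off' only the first match (host.conf(5))."""
    wanted = name.lower()
    ips = [ip for ip, names in table if wanted in [n.lower() for n in names]]
    return ips if multi else ips[:1]

# constructed answers of the mDNS and unicast DNS sources
MDNS_HOSTS = {"printer.local": ["172.20.0.40"]}
DNS_HOSTS = {"yahoo.de": ["98.137.236.24"], "centos7.domainname.local": ["172.20.0.7"]}

def lookup_mdns4_minimal(name):
    """nss-mdns 'mdns4_minimal' only handles names under .local; for anything
    else it reports 'unavail' so the switch moves on to the next source."""
    if not name.lower().endswith(".local"):
        return "unavail", []
    ips = MDNS_HOSTS.get(name.lower(), [])
    return ("success", ips) if ips else ("notfound", [])

def lookup_dns(name):
    """Unicast DNS source (simplified: no search list, one answer table)."""
    ips = DNS_HOSTS.get(name.lower(), [])
    return ("success", ips) if ips else ("notfound", [])

ACTION_RE = re.compile(r"\[(\w+)=(\w+)\]")

def nss_resolve(hosts_line, name, multi=True):
    """Walk the sources of a 'hosts: ...' line left to right. A '[STATUS=return]'
    token applies to the source just before it and stops the search when that
    source ended with STATUS. Returns (ips, source) where source is the name
    of the source that answered, 'stopped' or 'notfound'."""
    table = parse_hosts(HOSTS_FILE)
    last_status = None
    for tok in hosts_line.split(":", 1)[1].split():
        m = ACTION_RE.fullmatch(tok)
        if m:
            status, action = m.group(1).lower(), m.group(2).lower()
            if last_status == status and action == "return":
                return [], "stopped"
            continue
        if tok == "files":
            ips = lookup_files(name, table, multi)
            last_status = "success" if ips else "notfound"
        elif tok == "mdns4_minimal":
            last_status, ips = lookup_mdns4_minimal(name)
        elif tok == "dns":
            last_status, ips = lookup_dns(name)
        else:
            last_status, ips = "unavail", []   # myhostname etc. are not modelled
        if last_status == "success":
            return ips, tok
    return [], "notfound"

if __name__ == "__main__":
    debian = "hosts: files mdns4_minimal [NOTFOUND=return] dns"
    suse = "hosts: files dns"
    for line in (debian, suse):
        print(line, "->", nss_resolve(line, "centos7.domainname.local"))
```

the interesting case is the debian line: a name under .local that mDNS does not know is stopped by [NOTFOUND=return] before dns is ever asked, while the suse line hands the very same name to the nameserver. so on a LAN whose domain ends in .local, the order on the hosts: line decides whether the nameserver in /etc/resolv.conf is consulted at all.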

user@Debian8:~$ grep nameserver /etc/resolv.conf
nameserver 172.20.0.2
user@suse12:~> grep nameserver /etc/resolv.conf
nameserver 172.20.0.2
[user@CentOS7 ~]$ grep nameserver /etc/resolv.conf
nameserver 172.20.0.2

all three distros write the dhcp-acquired nameserver into /etc/resolv.conf (the file is generated by NetworkManager on CentOS7 and by netconfig on SUSE12).

with dig you can see which nameserver was used to resolve a domain name or ip address (the SERVER line near the end of the output)…

user@Debian8:~$ dig yahoo.de

; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> yahoo.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2135
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;yahoo.de. IN A

;; ANSWER SECTION:
yahoo.de. 276 IN A 98.137.236.24
yahoo.de. 276 IN A 124.108.105.24
yahoo.de. 276 IN A 77.238.184.24
yahoo.de. 276 IN A 106.10.212.24
yahoo.de. 276 IN A 74.6.50.24

;; Query time: 29 msec
;; SERVER: 172.20.0.2#53(172.20.0.2)
;; WHEN: Wed Jun 21 10:53:08 CEST 2017
;; MSG SIZE rcvd: 117

so if you edit /etc/resolv.conf and insert this line before any other nameserver line

vim /etc/resolv.conf
nameserver 208.67.222.222

and rerun the dig command, you will see that the newly inserted nameserver is used…

 dig yahoo.de

; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> yahoo.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27801
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;yahoo.de.                      IN      A

;; ANSWER SECTION:
yahoo.de.               271     IN      A       124.108.105.24
yahoo.de.               271     IN      A       106.10.212.24
yahoo.de.               271     IN      A       77.238.184.24
yahoo.de.               271     IN      A       98.137.236.24
yahoo.de.               271     IN      A       74.6.50.24

;; Query time: 39 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)

but as you might realize… if you try to look up or ping a hostname of the LAN it won’t work anymore, because the OpenDNS nameserver does not know the hostnames of the computers in your private LAN (and the resolver only moves on to the next nameserver line when the first one does not answer, not when it answers „no such name“).
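the behaviour the two dig runs show, as an added example in python (written for this page, not code from the post or from glibc): a small parser for /etc/resolv.conf plus a stub resolver that, like the real one, asks only the first nameserver listed and completes a bare hostname with the search suffix. the two resolv.conf texts correspond to the Debian8 file before and after the edit; the answer tables per nameserver and the ip 172.20.0.8 for debian8 are constructed, and the ndots handling is simplified to the default of 1.

```python
"""Added example for this page (not code from the post or from glibc): parse
/etc/resolv.conf and replay what the two dig runs above show, namely that only
the first nameserver is asked and that a bare hostname is completed with the
search suffix. Answer tables per nameserver are constructed sample data."""

def parse_resolv_conf(text):
    """Collect nameserver, search and domain directives; '#' comments and
    unknown keywords are ignored. 'domain' is the legacy one-entry form of
    'search', and the last search/domain line wins."""
    servers, search = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            servers.append(args[0])
        elif key in ("search", "domain"):
            search = args
    return servers, search

# constructed: what each nameserver would answer to an A query
LAN_SERVER = {"debian8.domainname.local": "172.20.0.8", "yahoo.de": "98.137.236.24"}
PUBLIC_SERVER = {"yahoo.de": "98.137.236.24"}
ANSWERS = {"172.20.0.2": LAN_SERVER, "208.67.222.222": PUBLIC_SERVER}

def candidate_names(name, search):
    """Names tried in order, with ndots at its default of 1: a name containing
    a dot is tried as given first, then with each search suffix; a bare name
    gets the suffixes first and is tried as given last. A trailing dot means
    'exactly this name'."""
    if name.endswith("."):
        return [name.rstrip(".")]
    with_suffix = [f"{name}.{s}" for s in search]
    return ([name] + with_suffix) if "." in name else (with_suffix + [name])

def resolve(resolv_conf_text, name):
    """Ask only the first nameserver (the stub resolver moves to the next one
    on timeout, not when the first one answers 'no such name').
    Returns (server_used, fqdn, ip), with fqdn and ip None on failure."""
    servers, search = parse_resolv_conf(resolv_conf_text)
    if not servers:
        return None, None, None
    server = servers[0]
    table = ANSWERS.get(server, {})
    for fqdn in candidate_names(name, search):
        if fqdn in table:
            return server, fqdn, table[fqdn]
    return server, None, None

# the Debian8 file from the post, before and after the edit described above
ORIGINAL = """\
domain domainname.local
search domainname.local
# nameserver 208.67.222.222
nameserver 172.20.0.2
"""
EDITED = "nameserver 208.67.222.222\n" + ORIGINAL

if __name__ == "__main__":
    for conf in (ORIGINAL, EDITED):
        for n in ("yahoo.de", "debian8"):
            print(n, "->", resolve(conf, n))
```

with the edited file, yahoo.de still resolves (now via 208.67.222.222) but the bare name debian8 is completed to debian8.domainname.local and sent to the public resolver, which has never heard of it; the LAN nameserver on the second line is not consulted for that.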

and then there is still:

THE primary configuration file for the BIND DNS server named

okay, on centos7/redhat it’s only one file, on Suse12 it’s a directory containing one file, and on debian8 it’s many files.

„named“ is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC.

For more information on the DNS, see RFCs 1033, 1034, and 1035.

When invoked without arguments, named will read the default configuration file /etc/named.conf, read any initial data, and listen for queries.

named seems to be installed by default on CentOS7 and SUSE12 but not on Debian8.

/etc/bind/named.conf

/etc/named.conf

/etc/named.d/rndc-access.conf

the config-file only shows up if bind9 is installed.

where does it come from?

yum provides /etc/named.conf

32:bind-9.9.4-37.el7.x86_64 : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
 Quelle      : base
 Übereinstimmung von:
 Dateiname     : /etc/named.conf

example content:

debian8

named is not installed by default

apt-get install bind9; # install bind9
apt-get install bind9utils; # probably also useful

root@Debian8:~# ll /etc/bind
total 52K
-rw-r--r-- 1 root root 2.4K May 12 12:51 bind.keys
-rw-r--r-- 1 root root 237 May 12 12:51 db.0
-rw-r--r-- 1 root root 271 May 12 12:51 db.127
-rw-r--r-- 1 root root 237 May 12 12:51 db.255
-rw-r--r-- 1 root root 353 May 12 12:51 db.empty
-rw-r--r-- 1 root root 270 May 12 12:51 db.local
-rw-r--r-- 1 root root 3.0K May 12 12:51 db.root
-rw-r--r-- 1 root bind 463 May 12 12:51 named.conf
-rw-r--r-- 1 root bind 490 May 12 12:51 named.conf.default-zones
-rw-r--r-- 1 root bind 165 May 12 12:51 named.conf.local
-rw-r--r-- 1 root bind 890 Jun 21 11:14 named.conf.options
-rw-r----- 1 bind bind 77 Jun 21 11:14 rndc.key
-rw-r--r-- 1 root root 1.3K May 12 12:51 zones.rfc1918

root@Debian8:~# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

root@Debian8:~# cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

root@Debian8:~# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

root@Debian8:~# cat /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

suse12

suse12:~ # ll /etc/named.d/
insgesamt 4
-rw-r--r-- 1 root root 626  9. Okt 2003  rndc-access.conf

suse12:~ # cat /etc/named.d/rndc-access.conf
# ensure to find the key named 'rndc-key'
include "/etc/rndc.key";

controls {
        # Bind BIND's control channel to localhost and allow access from
        # loopback addresses only.
        # This control channel is used for the init script /etc/init.d/named,
        # rcnamed while called with the option reload or status
        inet 127.0.0.1 allow {
                127.0.0.0/8;
        } keys { rndc-key; };

        # In the following example BIND's control channel in addition is bound
        # to IP address 192.0.2.1 and access is granted to loopback addresses
        # and the 192.0.2.0/24 network.

        #inet 192.0.2.1 allow {
        #       127.0.0.0/8;
        #       192.0.2.0/24;
        #} keys { rndc-key; };
};

centos7

[root@CentOS7 user]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
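the warning in the comment of the CentOS7 file (recursion without access control turns the server into an open resolver that takes part in amplification attacks) can be checked mechanically. the following audit is an added example written for this page, not code from the post or from ISC: a regex-based reader of the options block that applies BIND’s documented fallback chain for the recursion ACL (allow-recursion, else allow-query-cache, else allow-query, else the built-in localnets; localhost) and flags recursion allowed from any, plus an explicitly disabled dnssec-validation. the CentOS7 and Debian8 samples are trimmed from the files above; the third config is constructed to show the open-resolver case. views and include files are ignored.

```python
"""Added example for this page (not code from the post or from ISC BIND):
audit the options block of a named.conf for the open-resolver mistake the
CentOS7 file's own comment warns about. Regex based, good enough for the
stock files shown in the post; views and include files are ignored."""
import re

def options_block(conf_text):
    """Text inside the top-level 'options { ... }' block with //, # and /* */
    comments removed, or '' when there is no options block."""
    text = re.sub(r"/\*.*?\*/", "", conf_text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    m = re.search(r"(?<![\w-])options\s*\{", text)
    if not m:
        return ""
    depth = 0
    for i in range(m.end() - 1, len(text)):   # start at the opening brace
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    return text[m.end():]

def setting(block, name):
    """Value of a simple 'name value;' statement, or None if absent."""
    m = re.search(rf"(?<![\w-]){re.escape(name)}\s+([^;{{]+);", block)
    return m.group(1).strip() if m else None

def acl(block, name):
    """Elements of a 'name { a; b; };' address list, or None if absent."""
    m = re.search(rf"(?<![\w-]){re.escape(name)}\s*\{{([^}}]*)\}}", block)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]

def effective_recursion_acl(block):
    """BIND's documented default chain for allow-recursion: allow-recursion,
    else allow-query-cache, else allow-query, else localnets; localhost."""
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        lst = acl(block, name)
        if lst is not None:
            return lst
    return ["localnets", "localhost"]

def audit_named_conf(conf_text):
    """List of findings; an empty list means nothing was flagged."""
    block = options_block(conf_text)
    findings = []
    recursion = (setting(block, "recursion") or "yes").lower()   # BIND default: yes
    if recursion == "yes" and "any" in effective_recursion_acl(block):
        findings.append("open recursive resolver: recursion yes and recursion allowed from any")
    if (setting(block, "dnssec-validation") or "").lower() == "no":
        findings.append("dnssec-validation explicitly disabled")
    return findings

# trimmed from the stock CentOS7 file shown above: caching only, localhost may ask
CENTOS7 = """\
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        allow-query     { localhost; };
        /* recursion is on, but only localhost may use it */
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
};
zone "." IN { type hint; file "named.ca"; };
"""

# trimmed from the Debian8 named.conf.options above: nothing set, defaults apply
DEBIAN8 = """\
options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
"""

# constructed bad configuration: recursion for everyone on every interface
OPEN_RESOLVER = """\
options {
        listen-on port 53 { any; };   // constructed
        allow-query { any; };         // constructed: no access control at all
        recursion yes;
        dnssec-validation no;
};
"""

if __name__ == "__main__":
    for label, conf in (("centos7", CENTOS7), ("debian8", DEBIAN8), ("open", OPEN_RESOLVER)):
        print(label, audit_named_conf(conf) or "ok")
```

the debian file sets neither recursion nor any ACL and still passes, because the fallback chain ends at localnets; localhost; the constructed file passes only allow-query { any; }, which through the same chain becomes the recursion ACL, and that is exactly the combination the CentOS7 comment tells you to avoid.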

manpages:

named.man.txt

named.conf.man.txt

named.messages.txt

Links:

http://dwaves.de/2017/05/09/bind-und-dns-das-telefonbuch-des-internets-berkeley-internet-name-domain/

NIS – https://en.wikipedia.org/wiki/Network_Information_Service

admin