the DNS system is basically the yellow pages – the phone book of the internet or any network.
starting off as a single file (/etc/hosts) – it grew into a worldwide self-synchronizing system – that has gained more and more complexity over the decades – and has seen different implementations on different systems – confusing enough that it became a science of its own – requiring dedicated specialists to keep it up, safe and running.
just imagine – you could assign your server's ip to domain names and some or all traffic would go to your proxy that captures all those amazon, ebay, paypal or mail passwords…. major security problem i would guess – everyone reverting back to paper.
if you have not been there right from the start and followed all changes – things might be pretty confusing when you try to figure out or debug the wiring.
i hope i can shed some minimal light into the mysterious world of matching names with the (hopefully right) ip addresses. (resolve hostnames, host name resolution)
because that used to be all it is 😀
"named" is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC
every distribution seems to have its own bind-named config structure and it is not easy to see:
- how does UNIX/LINUX DNS work in a LAN (many config files that are not standardized across distributions, and how do they play together)
- how does the internet DNS system work with all its A, AAAA, MX and other record types
- the ways DNS servers synchronize is also pretty complex
ps: complexity increases the likelihood of mistakes and security holes – unless you are god or nobody.
hostname resolution inside a private LAN vs hostname domainname resolution on the internet
there seems to be no clear cut between private LAN name resolution and internet name resolution… (your hostname should match your domainname)
you won't need to run a full blown name server to resolve hostnames inside a LAN.
you don't need to run named – the bind9 implementation of the Berkeley name server developed at the University of California at Berkeley in the 1980s – for this.
just change the /etc/hostname to whatever you want and try to ping that machine from another machine.
should work.
after you have done this – you can check out the arp cache – which not only displays MAC<->IP assignments but also the full hostname including domainname.
suse12:~ # arp
Address                  HWtype  HWaddress           Flags Mask  Iface
centos7.domainname.local ether   00:15:5d:00:07:0d   C           eth0
ccusrv1.domainname.local ether   2c:76:8a:aa:60:3a   C           eth0
172.20.0.1               ether   34:31:c4:53:37:8a   C           eth0
debian8.domainname.local ether   00:15:5d:00:07:08   C           eth0
pc0032.domainname.local  ether   00:22:4d:6a:e5:c6   C           eth0
/etc/hostname
this is straight-forward… it contains the network-visible name of your pc.
(so ping debian8 should work)
example content:
root@Debian8:~# cat /etc/hostname
Debian8
user@suse12:~> cat /etc/hostname
suse12.domain
[user@CentOS7 ~]$ cat /etc/hostname
CentOS7
/etc/hosts
static table lookup for hostnames.
the very first version of the DNS system so to speak, before it became a science for itself.
simple text file that associates IP addresses with hostnames format:
IP_address canonical_hostname [aliases…]
example content:
127.0.0.1       localhost
127.0.1.1       debian

# The following lines are desirable for IPv6 capable hosts
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

172.20.0.12     debian.theurbanpenguin.com debianer lalelu

# on the host/server itself:
ping lalelu
ping debianer
# creates same result:
PING debian.theurbanpenguin.com (172.20.0.12) 56(84) bytes of data.
64 bytes from debian.theurbanpenguin.com (172.20.0.12): icmp_seq=1 ttl=64 time=0.018 ms
64 bytes from debian.theurbanpenguin.com (172.20.0.12): icmp_seq=2 ttl=64 time=0.033 ms
/etc/host.conf
etc_host.conf.man.txt: “The nsswitch.conf(5) file is the modern way of controlling the order of host lookups.”
example content:
user@Debian8:~$ cat /etc/host.conf
multi on
[user@CentOS7 ~]$ cat /etc/host.conf
multi on
user@suse12:~> cat /etc/host.conf
#
# /etc/host.conf - resolver configuration file
#
# Please read the manual page host.conf(5) for more information.
#
#
# The following option is only used by binaries linked against
# libc4 or libc5. This line should be in sync with the "hosts"
# option in /etc/nsswitch.conf.
#
order hosts, bind
#
# The following options are used by the resolver library:
#
multi on
order hosts, bind – means look up hostnames first in /etc/hosts and then via the nameservers specified in /etc/resolv.conf
the multi on option determines whether a host in the /etc/hosts file can have multiple IP addresses (src)
/etc/resolv.conf
contains the currently used domain and nameservers.
But what exactly is a domain? What is it used for?
“A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet.” (src)
so basically every company has its own "domain controlling" server… which could be google.com.
so the idea is – that google.com is not only a webserver – with a domain name assigned by ARPA.
example content:
user@Debian8:~$ cat /etc/resolv.conf
domain domainname.local
search domainname.local
# nameserver 208.67.222.222
nameserver 172.20.0.2
[user@CentOS7 ~]$ cat /etc/resolv.conf
# Generated by NetworkManager
search domainname.local
nameserver 172.20.0.2
user@suse12:~> cat /etc/resolv.conf
### /etc/resolv.conf file autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
#     NETCONFIG_DNS_STATIC_SEARCHLIST
#     NETCONFIG_DNS_STATIC_SERVERS
#     NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
#     NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
# Note: Manual change of this file disables netconfig too, but
# may get lost when this file contains comments or empty lines
# only, the netconfig settings are same with settings in this
# file and in case of a "netconfig update -f" call.
#
### Please remove (at least) this line when you modify the file!
search domainname.local
nameserver 172.20.0.2
/etc/nsswitch.conf
example content:
user@Debian8:~$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
[user@CentOS7 ~]$ cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss
shadow:     files sss
group:      files sss
#initgroups: files

#hosts:     db files nisplus nis dns
hosts:      files dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus
user@suse12:~> cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       compat                  Use compatibility setup
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       [NOTFOUND=return]       Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#

# passwd: files nis
# shadow: files nis
# group:  files nis

passwd:         compat
group:          compat

hosts:          files dns
networks:       files dns

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files nis
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files
comparison:
user@Debian8:~$ grep hosts /etc/nsswitch.conf
hosts:          files mdns4_minimal [NOTFOUND=return] dns
user@suse12:~> grep hosts /etc/nsswitch.conf
hosts:          files dns
[user@CentOS7 ~]$ grep hosts /etc/nsswitch.conf
hosts:      files dns myhostname
so all three distributions first query the local config file (/etc/hosts) to map computername<->ip address (dns, domain name resolution) – and only then query the dns server specified in /etc/resolv.conf
user@Debian8:~$ grep nameserver /etc/resolv.conf
nameserver 172.20.0.2
user@suse12:~> grep nameserver /etc/resolv.conf
nameserver 172.20.0.2
[user@CentOS7 ~]$ grep nameserver /etc/resolv.conf
nameserver 172.20.0.2
all three distros write the dhcp-acquired nameserver into /etc/resolv.conf (CentOS7 via NetworkManager, SUSE12 via netconfig).
with dig you can see what nameserver was used to resolve a domain name or ip address…
user@Debian8:~$ dig yahoo.de
; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> yahoo.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2135
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;yahoo.de. IN A
;; ANSWER SECTION:
yahoo.de. 276 IN A 98.137.236.24
yahoo.de. 276 IN A 124.108.105.24
yahoo.de. 276 IN A 77.238.184.24
yahoo.de. 276 IN A 106.10.212.24
yahoo.de. 276 IN A 74.6.50.24
;; Query time: 29 msec
;; SERVER: 172.20.0.2#53(172.20.0.2)
;; WHEN: Wed Jun 21 10:53:08 CEST 2017
;; MSG SIZE rcvd: 117
so if you modify and insert this line before any other nameserver line
vim /etc/resolv.conf
nameserver 208.67.222.222
and rerun the dig command – you will realize the newly inserted nameserver is used…
dig yahoo.de
; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> yahoo.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27801
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;yahoo.de. IN A
;; ANSWER SECTION:
yahoo.de. 271 IN A 124.108.105.24
yahoo.de. 271 IN A 106.10.212.24
yahoo.de. 271 IN A 77.238.184.24
yahoo.de. 271 IN A 98.137.236.24
yahoo.de. 271 IN A 74.6.50.24
;; Query time: 39 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
but as you might realize… if you try to look up or ping a hostname of the LAN it won't work anymore – because the OpenDNS nameserver does not know the hostnames of the computers in your private LAN.
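the lookup order described above (hosts: line in /etc/nsswitch.conf, then /etc/hosts, then the nameservers in /etc/resolv.conf order) as an added example, not code from the original article: it emulates the decision glibc makes on constructed copies of the file contents shown above, and also shows why a stray /etc/hosts line for a public name wins over every nameserver. nothing is queried on the network; the /etc/hosts and /etc/resolv.conf strings in the test are constructed from the outputs above.

```python
"""Emulate where glibc would answer a host lookup from, given the three files
above.  Added example, not from the original article; inputs are constructed
strings copied from the article's outputs, so nothing touches the network.
Simplifications: only the [NOTFOUND=return] action is modelled, and NSS
modules other than files/dns (mdns4_minimal, myhostname) count as UNAVAIL."""

def parse_nsswitch_hosts(text):
    """'files mdns4_minimal [NOTFOUND=return] dns' ->
    [('files', None), ('mdns4_minimal', 'NOTFOUND=RETURN'), ('dns', None)]"""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            entries = []
            for tok in line.split(":", 1)[1].split():
                if tok.startswith("["):  # an action belongs to the source before it
                    entries[-1] = (entries[-1][0], tok.strip("[]").upper())
                else:
                    entries.append((tok.lower(), None))
            return entries
    raise ValueError("no hosts: line in nsswitch.conf")

def parse_hosts(text):
    """'IP_address canonical_hostname [aliases...]' -> {name: ip}; first line wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def parse_resolv(text):
    """Nameservers in file order; the resolver tries them in that order (MAXNS = 3)."""
    servers = [f[1] for f in (l.split("#", 1)[0].split() for l in text.splitlines())
               if len(f) >= 2 and f[0] == "nameserver"]
    return servers[:3]

def plan_lookup(name, order, hosts, nameservers):
    """Walk the hosts: sources like the NSS switch does.
    Returns ('files', ip), ('dns', [servers in order]) or ('notfound', None)."""
    name = name.lower().rstrip(".")
    for source, action in order:
        if source == "files":
            status = "SUCCESS" if name in hosts else "NOTFOUND"
        elif source == "dns":
            status = "SUCCESS" if nameservers else "UNAVAIL"  # 'would be asked'
        else:
            status = "UNAVAIL"  # module not modelled: fall through to next source
        if status == "SUCCESS":
            return (source, hosts[name] if source == "files" else list(nameservers))
        if status == "NOTFOUND" and action == "NOTFOUND=RETURN":
            return ("notfound", None)  # stop here; dns is never consulted
    return ("notfound", None)
```

run it against the real files (open("/etc/nsswitch.conf").read() and so on) to see which source would answer before you start blaming the nameserver; a name that comes back as ('files', ...) never reaches dig's SERVER line at all.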
and then there is still:
THE primary configuration file for the BIND DNS server named
okay it’s only one file on centos7 redhat – in Suse12 it’s a directory containing one file – in debian8 it’s many files.
“named” is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC.
For more information on the DNS, see RFCs 1033, 1034, and 1035.
When invoked without arguments, named will read the default configuration file /etc/named.conf, read any initial data, and listen for queries.
named seems to be installed by default on CentOS7 and SUSE12 but not on Debian8.
/etc/bind/named.conf
/etc/named.conf
/etc/named.d/rndc-access.conf
the config-file only shows up if bind9 is installed.
where does it come from?
yum provides /etc/named.conf
32:bind-9.9.4-37.el7.x86_64 : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Quelle              : base
Übereinstimmung von:
Dateiname    : /etc/named.conf
example content:
debian8
named is not installed by default
apt-get install bind9; # install bind9
apt-get install bind9utils; # probably also useful
root@Debian8:~# ll /etc/bind
total 52K
-rw-r--r-- 1 root root 2.4K May 12 12:51 bind.keys
-rw-r--r-- 1 root root  237 May 12 12:51 db.0
-rw-r--r-- 1 root root  271 May 12 12:51 db.127
-rw-r--r-- 1 root root  237 May 12 12:51 db.255
-rw-r--r-- 1 root root  353 May 12 12:51 db.empty
-rw-r--r-- 1 root root  270 May 12 12:51 db.local
-rw-r--r-- 1 root root 3.0K May 12 12:51 db.root
-rw-r--r-- 1 root bind  463 May 12 12:51 named.conf
-rw-r--r-- 1 root bind  490 May 12 12:51 named.conf.default-zones
-rw-r--r-- 1 root bind  165 May 12 12:51 named.conf.local
-rw-r--r-- 1 root bind  890 Jun 21 11:14 named.conf.options
-rw-r----- 1 bind bind   77 Jun 21 11:14 rndc.key
-rw-r--r-- 1 root root 1.3K May 12 12:51 zones.rfc1918
root@Debian8:~# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
root@Debian8:~# cat /etc/bind/named.conf.options
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
root@Debian8:~# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
root@Debian8:~# cat /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
suse12
suse12:~ # ll /etc/named.d/
insgesamt 4
-rw-r--r-- 1 root root 626  9. Okt 2003 rndc-access.conf
suse12:~ # cat /etc/named.d/rndc-access.conf
# ensure to find the key named 'rndc-key'
include "/etc/rndc.key";

controls {
    # Bind BIND's control channel to localhost and allow access from
    # loopback addresses only.
    # This control channel is used for the init script /etc/init.d/named,
    # rcnamed while called with the option reload or status
    inet 127.0.0.1 allow { 127.0.0.0/8; } keys { rndc-key; };

    # In the following example BIND's control channel in addition is bound
    # to IP address 192.0.2.1 and access is granted to loopback addresses
    # and the 192.0.2.0/24 network.
    #inet 192.0.2.1 allow {
    #    127.0.0.0/8;
    #    192.0.2.0/24;
    #} keys { rndc-key; };
};
centos7
[root@CentOS7 user]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
manpages:
Links:
NIS – https://en.wikipedia.org/wiki/Network_Information_Service