DNS Explained. Hentzenwerke Whitepaper Series. By Whil Hentzen

Transcription

1 HentzenwerkeWhitepaperSeries DNSExplained ByWhilHentzen DNS. In a general sense, it's what tells your computer that is attached to , so that you can enter ' YoucanlivealongtimewithoutknowinganythingaboutDNS,and,ina perfectworld,that'showitshouldbe,justasyoudon'thavetoknowthe mixoffueltooxygenthatyourcarburetordeliverstoletyourcarengine run. But it's not a perfect world, not quite yet, and so there are times, particularlyasawebsitedeveloper,thatyou'llneedtoknowabit,oralot, aboutdns.

2 Page2 DNSExplained 1.Preface 1.1Copyright Copyright2006WhilHentzen.Somerightsreserved.ThisworkislicensedundertheCreativeCommonsAttribution NonCommercial NoDerivsLicense,whichbasicallymeansthatyoucancopy,distribute,anddisplayonlyunalteredcopies ofthiswork,butinreturn,youmustgivetheoriginalauthorcredit,youmaynotdistributetheworkforcommercialgain, norcreatederivativeworksbasedonitwithoutfirstlicensingthoserightsfromtheauthor.toviewacopyofthislicense, visithttp://creativecommons.org/licenses/by nc nd/2.0/. 1.2Revisions 1.2.1History Version Date Synopsis Author /11/21 Original WH 1.2.2Newversion Thenewestversionofthisdocumentwillbefoundatwww.hentzenwerke.com Feedbackandcorrections Ifyouhavequestions,comments,orcorrectionsaboutthisdocument,pleasefeelfreeto meat 1.3Referencesandacknowledgments ThankstothefolksontheMilwaukeeLinuxUserGrouplist( reviewedmultiplecopiesofthisdocument,aswellasallthatamazingstuffthatonecanfindontheinternet. 1.4Disclaimer Nowarranty!Thismaterialisprovidedasis,withnowarrantyoffitnessforanyparticularpurpose.Usetheconcepts, examplesandothercontentatyourownrisk.theremaybeerrorsandinaccuraciesthatinsomeconfigurationsmaybe damagingtoyoursystem.theauthor(s)disavowsallliabilityforthecontentsofthisdocument. Beforemakinganychangestoyoursystem,ensurethatyouhavebackupsandotherresourcestorestorethesystemto itsstatebeforemakingthosechanges. Allcopyrightsareheldbytheirrespectiveowners,unlessspecificallynotedotherwise.Useofaterminthisdocument shouldnotberegardedasaffectingthevalidityofanytrademarkorservicemark.namingofparticularproductsorbrands shouldnotbeseenasendorsements. 1.5Prerequisites ThisdocumentwaswrittenforfolkswhowanttodevelopWebsitesandputthemontheInternet.Itisnotintendedforfolks whowouldbeadministeringadnsserver,say,foranisp.rather,itprovidesahigh leveloverviewofthetechnologyand whatawebsitedeveloperneedstoknow.assuch,itglossesoversomeofthein depthtechnicalissuesandsimplifies others,eliminatingdetailsthatareunimportantforthislevelofdiscussion.

3 DNSExplained Page3 2.ThefourplayersintheDNSarchitecture Strictlyspeaking,DNS=DomainNameService,thearchitectureformappingIPaddressestohostnames.Unfortunately, sloppiness,slang,andjargonhasusurpedthetermtomeaneverythingfromthearchitecturetothesoftwarethatimplements thearchitecturetothedatabasethatholdstheactualhostname IPaddressmappings. Thereareseveralplayersinvolvedinthearchitecture thednsdatabase,adnsserver,andadnsclient. Thefirstplayeristhe"DNSdatabase",thedatabasewheretheactualmappingsofhostnamesandIPaddressesare stored.thesecondplayerisadnsserver,thesoftwarethatdishesoutinfofromthednsdatabasewhenasked.thedns databaseandthednsserversoftwarebothreside,obviously,onadnsservermachine.thednsclientistheprogram(in aloosesenseoftheword)thatsitsonanend user'scomputerthatdoestheaskingofadnsserverwhentheend useris tryingtoconnecttoanothercomputer. 2.1DNSdatabase Eachmappingisstoredina(verylarge)databasethatisdistributedacrossacollectionofspecialserversconnectedtothe Internet,sothatonlypartofthedatabaseisonanyoneserver.TheseserversarecalledDNSservers,or,sometimes,DNS nameservers.therearedifferentdnsserversfordifferenttopleveldomains thoseendingin'.com'arelocatedinone database,forexample,whilethoseendingin'.edu'arelocatedinanotherdatabase.whenyouwanttoaccesscontenton example.com,you'lltypethaturlintoyourbrowser.yourbrowserlooksuptheipaddressofexample.com'shostviathe appropriatednsdatabase.thisprocessiscalled'resolving'anaddress.ifeverythingworks(allthecorrectdataisfound), voila,yourbrowserisnowdisplayingdatasentfromexample.com'swebserversoftware. IntheearlydaysoftheInternet,therewereonlyafewDNSservers.TheentirelistofdomainnamesandIPaddresses wascontainedinasimpletextfile,andeverycomputerontheinternethadacopyofthattextfile.itwasrelativelyeasyto keepallofthecopiesofthistextfileinsync.decadeslater,however,thingshadgottenbusier.imagineifthetensof millionsofdomainsontheinternetwerealllistedinasingletextfile,andeveryoneofthe"billyunsandbillyuns"of computersontheinternethadtokeepanup to datecopyofthatenormoustextfile. 2.2DNSserver architecture EvenaftersplittinguptheDNSdatabaseintosubsetsforthevariousdomains,itcouldgetverycrowdedateachoftheDNS serversiftherewasonlyoneset particularlyiftherewasonlyonednsserverfor.comdomains!inaddition,havingallof thednsinformationinoneplacewouldcreateasinglepointoffailurethat,ifitdidindeedfail,wouldbringtheentire Internettoacrashinghalt.Asaresult,thearchitectsoftheInternetcreatedtheabilityformultiplecopiesoftheDNS databasestobeavailabletousersaroundtheworld.thatmeanstherearemanydnsserversscatteredaroundtheinternet. SowhenyourcomputertriestoresolveaURL,itlikelyusesacopy(or'mirror',or'slave')oftheprimaryDNSserverforthe typeofdomaininquestion,insteadofgoingtothemastercopy.thissystemofmultiplednsserversalsoprovides redundancy ifoneofthemgoesdown,yourcomputercanuseadifferentdnsserverinsteadofgettingstalled.kindof likehavingasparecopyofthephonebookathomewhenthemastercopyhasdisappearedsomewhereinyourteenager's room. TherearelogicallytwotypesofDNSservers authoritativeandcaching(alsoknownas'recursive').asinglephysical DNSservercanservebothrolesatonce,butforsimplicity'ssake,let'sassumethatahostisoneortheother Authoritative AuthoritativeserversaretheDNSserversoflastresort,sotospeak.Apurelyauthoritativeservergetsenteredwithdata abouthostname IPaddressmappings(called'zonefiles',whichI'lldiscussshortly)andthenrespondstorequestsforthat information itneverreliesonotherdnsserversforinformationthatitismissing.twospecialcasesofauthoritative serversarerootandtldservers. TherootserversformwhatyoumightthinkofastheapexoftheDNSpyramidofservers.Theycontaininformation aboutthetld topleveldomain servers.thenextlevelaretheparent,ortld topleveldomain servers.eachofthese

4 DNSExplained Page4 isauthoritativeforoneormoretopleveldomains.forexample,.comand.netarebothhandledby*.gtld servers.net.when youregisteryourdomain,oneofthetldserverswillknowwheretofindinformationforyourdomain Caching Caching/recursiveservers,ontheotherhand,arethetypethatgetlistedasnameserversonanend user(client)computer. WhenyousetupyourInternetconnection,youlikelyhavetoentertwoormore"DNSserver"or"nameserver"addresses. Thesecachingserverscanbethoughtofastheworkerbees millionsofmachinesscatteredacrosstheglobewherethe actualdnsmappingsofhostnamesandipaddressesarestored.manyarehostedatispsandsimilarlysecureandreliable locations,buttheycouldalsobeatprivatelyowned"dns'rus"typecompanies,locatedinatrailerparkskirtinga downtown'sredlightdistrict.youcanevenrunacachingserveronyourowncomputer. Roughlyspeaking,theTLDserverspointtothese'workerbee'DNSserverswhenaskedwhereyourdomain's informationis. 2.3DNSserver software DNSserversoftwareisaprogramrunningonacomputerthatgetsqueries(intheformofURLs)fromfolkslookingfor yourdomainanddishesoutresponses(intheformofipaddresses)inreturn,usingoneofthose'workerbee'dns databases.yourfriend'bob'hearsyouhaveawebsite, WebbrowserlooksuptheDNSserversthatheenteredinhisnetworkcardsettings,andasksoneofthemwhattheIP addressforyourwebsiteis.ifthatdnsserverhasthemappingforwww.example.com,it'lllookitupandreturntheip address, insomecases,thednsserverheisusingwon'thavewww.example.cominitsowndatabase,butit knowswheretogolook thetldserverthatfor'.com'. ThisDNSserversoftwareprogramisrunningconstantly,andistypicallyconfiguredtobea'service',sothatitstartsup whenthecomputerisstarted.thisissimilartoadatabaseserverorawebserver(bothofwhich,interestinglyenough,also lieinwaitforrequestsfromusersandthendishoutresponsesinreturn.)therearespecificinstancesofdnsprograms,just liketherearespecificinstancesofdatabaseservers(mysql,postgresql,oracle)andwebservers(apache,iis,etc.). CommonDNSprogramsincludeBIND,tinydns,anddjbdns. 2.4DNSclient ThethirdplayerinthisschemeisaDNS'client'.Youcanthinkofthisclientasaprogramrunningonyourdesktop(laptop) computerthatfetchestheipaddressfromadnsserver.whenyouenteraurlintoyourbrowser,yourbrowserthentalks toyourdnsclient,whichthengoesoutontotheinternettofindoneofthednsserversthatwereidentifiedinthenetwork cardsettingsonyourcomputer.whenthednsclientgetsananswer,itthenreturnsthatanswerbacktowhoeverrequested it,suchasthewebbrowser. Strictlyspeaking,theDNSclientisn'tactuallyaseparateprogramonyourcomputer,likeaWebbrowseroran client.instead,it'samoduleorpartofalargerprogram oftentheoperatingsystem thathandlesthework.thereisn'ta separateprogramthatcanbestartedupandshutdown.awebbrowser,forinstance,wouldjustasktheostodothe lookup. 2.5Zonefile Finally,althoughIsaid,'three',there'sonemoreplayerthatIshouldmentionnow thezonefile.thednsdatabaseconsists ofmillionsofhostname IPaddressmappings.Atfirstglance,youmightthinktheDNSdatabasejustlookslikethis: anacondasteel.com bestbuy.com crazyeddie.com digg.com example.com ford.com

5 Page5 DNSExplained Inreality,thedatabaseisconsiderablymorecomplexthanthis.AdomainhasmorethanjusttheIPaddressfortheWeb server.therecouldbeotherserversinvolved,suchasanftpserveroramailserver.therecouldbesubdomains(the ' eachdomainhasasetofrecordsthattogetherarecalleda'zonefile'.asinglezonefilelookssomethinglikethis: $TTL SOAns1.example.com ;serial 3H;refresh 15;retry 1w;expire 3h;minimum ) INNSns1.example.com. INNSns2.example.com. MX10mail.example.com. MX20mail.another.com. A wwwina INCNAMEwww.example.com. hostmaster.example.com.( Whilethismaylookconfusing,thisinformationrepresentswhatwouldbeneededforarathersimpledomain.Azone fileforabigdomain,suchasforfordmotorcompanyorgeneralelectric,isconsiderablymoreinvolved.thekeypointto bringawayfromthisisthatthednsrecordsforasingledomainaremoreinvolvedthanasimpleonetoonehostname IP addressmapping.additionally,nowyouknowthatthednsdatabaseisacollectionofmillionsofzonefiles. Revisitingtheterminology...yourzonefilecontainsyourDNSrecords.EachDNSrecordisforaspecificservice,such as'www'forawebserveror"mx"foramailserver.i'llusetheterms'zonefile'and'dnsrecords'somewhat interchangably,astheyrefertothesamegeneral'chunkofdata'. Let'slookatthepaththatDNSplaysbothontheendofanindividualsurfingtheWeborgettingtheir ,andasan administratorofawebsite. 3.IndividualSurfer Whenyouconfigureyourcomputer'snetworkcardormodemtoconnecttotheInternet,yourInternetServiceProvider (ISP)givesyoutheaddressesforyourDNSsettings.Typicallyyouaregivenatleasttwo,butsometimesthree.This duplicationissothatifoneofthednsserversisunreachableorslow,yourmachinewillhaveasecondchoice(andathird) totry. InWindows2000,yougettothisdialogviaStart Settings NetworkandDial upconnections Properties TCP/IP component Properties,asshowninFigure1.

6 DNSExplained Page6 Figure1.TheWindows2000dialogforenteringDNSnameservers. InFedoraCore6,yougettothedialogviaF Administration Network NetworkConfigurationdialog DNStab,as showninfigure.2. Figure2.TheFedoraCore6dialogforenteringDNSnameservers.

7 DNSExplained Page7 WhenyouenteraURLinyourWebbrowser,orconnecttoyourmailserverviayour client,orwhenyourIM programtriestoconnecttoanotherserver,yourcomputerwillsendaquerytothednsserversinyourdnssettingstolook upthedomainname.abunchofstuffhappens,andeventuallyaresponsewillcomebackwiththeipaddressofthe machineyou'retryingtoreach,andyourcomputerconnectstothatmachine.there'sobviouslyalotmoregoingonunder thehood,butforourpurposes,thisiscloseenough. SomenetworkcardconfigurationprogramscalltheDNSservera'nameserver'(typically,Linuxdistrosdo.) That'sallanend userreallyneedstoknow.let'stakealookatwhatanadministratorneedstoknow,behindthescenes. 4.SettingupaWebserver/Website SettingupaWebserverisasinvolvedasbeingacasualInternetuseriseasy.We'llstartbyassumingyoudon'tevenhavea domainnameyet. 4.1Domainname You'llneedadomainname,suchasexample.com.Youmaybeusedtothinkingofdomainnamesas' butinactuality,the'www'isanadd onthatwe'lldealwithlater.whenyougetadomainname,you'lljustbegettingthe 'example.com'part.(onceyouhavethe'example.com'part,youcansetupmultiplesites,calledsubdomains,withnames like' You'llgetadomainnamefromaregistrar.Therearemany,manyregistrarsoutthere,butmostofthemaresimply resellersfortheprimarydomainnameregistrars.primaryregistrarsincludenetworksolutions.com,register.com, godaddy.com,andsoon.forpurposesofthisarticle,i'llusegodaddy.comasthesampleregistrar,bothbecausethey'rethe oneiuse(but,no,idon'tgetacommissionforreferringthem)andbecausei'veusednetworksolutions.comand register.com,andfindthemlackinginmanysignificantareas.they'vebothbeenaroundforalongtime,butiwouldn'tever usethemagain.youmaychoosedifferently,butcaveatemptor. (Theonebigproblemwithgodaddy.comisthattheyarevery,verypushyabouttryingtosellyouextrastuffthatyou reallydon'tneed.ignoreitallforthetimebeing;youcanalwaysaddittoyoursitelaterifyouwant,andthey'reconstantly runningspecialstogiveyoudealsondoingso.) 4.2Navigatingtoabrandnewdomain OK,sonowyou'veplunkeddownyour$8.95atgodaddyandnowhaveyourveryowndomainname,say,'example.com'. Whathappenswhenyourmom,allproudthatherson/daughterhastheirveryownwebsite,typesin' intoherbrowser?absolutelynothing.that'sbecausethereisnowebsiteattachedtothatdomainnameyet,andsoyour mom'sbrowserendsupin'404 pagenotfound'land.soyouneedtodofourmoresteps.i'lldescribeingeneraltermswhat thosefourthingsare,andtheni'llwalkthroughaspecificexample. First,createawebsiteandputitonaWebserversomewhere.Second,findaDNSserver(oneofthoseauthoritative DNSserversImentionedearlier)thatyoucanuse.Third,createaDNSrecord(inyour'zonefile')thatmaps ' foundinstep2.andfourth,tellyourregistrar,godaddy.com,thatthednsserverthatcontainsyourzonefilefor Ifyouusedgodaddy.com(ormostanyotherpopularregistrar),you'llfindthattheprecedingdescriptionisn't completelyaccurate whenyourmomtyped' page.instead,shewasdirectedtoa"thissitehasrecentlybeenregistredwithgodaddy.com"page.whenyouregisteredthe domainnamewithgodaddy,theydidn'tjustletitsitoffthereintheether.theycreateadummywebpageforyourdomain ononeoftheirservers,andthentheycreateazonefilewithrecordsinitthatpointthedomaintothattemporarypage.this isbothtoinformnewvisitorsthatthesiteis,indeed,ok(elseavisitormightthinktheyjusttypedthedomainnamewrong), and,natch,toadvertisethemselvesatthesametime.inotherwords,theyprovideddefaultvaluesforsteps2,3,and4for you,andthey'llstaythatwayuntilyouchoosetochangethem.

8 DNSExplained Page8 OK,nowlets'dothissamething,butwith'realdata'. 4.3Liveexample Supposeyou'veregistered'example.com'withgodaddy.(GodaddyhasaWebserverandanauthoritativeDNSserverthat theyusefornewlyregistereddomainslikeyours.)azonefilewascreated,andthey'veputthatzonefileinapairoftheir DNSservers.They'vealsocreatedadummyWebpagefor' serversaswell.sothen,whenyou(oryourmom)navigatetowww.example.com,youarriveatthe'temporarilyparked here...'page.youcanlogintoyourgodaddyaccountandnavigatetothe'managedomains'link;doingsowilldisplaya pagethatlistsyournameservers,likeso: NameServers:(Lastupdate1/1/1980) PARK21.SECURESERVER.NET PARK22.SECURESERVER.NET ThesearethenamesforacoupleofDNSserversthatgodaddyruns.TheDNSrecordsinyourzonefileonthempoint togodaddy'swebserver.theactualwebpageforadministeringthemlookslikefigure3.youcanseethenameservers displayedintheverymiddleofthepage,slightlyunderandtheleftofthered"cancel"button. Figure3.TheGoDaddyWebpageformanagingdomainDNSinformation.

9 DNSExplained Page9 4.4Hostingyoursiteatathirdpartysite Nowwhat?First,youCANcontinuetohostyourDNSzonefileandyourWebsiteatgodaddy.UseofthegodaddyDNS servertostoreyourdnsrecordscomeswithyourregistrationfee(otherregistrarsmayormaynotincludednswiththe registration).notethattypicallyhostingyourwebsitewillcostyouacoupleofbucksextra. Ifthat'sthecase,yourjobisnearlydone.AfterpurchasingtheWebsiteoption,they'llgiveyousomespaceonaserver oftheirs.(theyhaveacresandacresofservers.)they'llalsogiveyoutheipaddressforyourspaceonthatserver.you'll createyourwebpagesandthenftpthosepagesuptotheirserver.they'llalsochangeyourzonefilesothatitpointstothe rootdirectoryofyourspaceontheserver,andyou'redone. 4.5Hostingyoursiteyourself SupposeyouwanttohostyourownWebserver.Therecanbeseveralreasonsforthis,suchastheneedtorunsoftwarethat isn'tsupportedongodaddy'sservers.inthiscase,you'dcreateyourownwebserver,installinglinuxandapache,say,onit, andthenmoveyourwebpagestothatmachine.butatthispoint,thiswebservermachineisanislandwithoutabridge connectingittotherestoftheinternet.timetogetconnected. You'llneedaconnectiontotheInternet,similartotheoneyoualreadyuse maybeeventhesameone.yourispwill giveyouapublicipaddressthatbecomesthegatewayforyourserver.(i'mtakingcomplicationslikeroutersandfirewalls outoftheequationrightforthetimebeing.)whenyourispbecameanisp(fromitshumblebeginningsasabaitandtackle shoporatelephonecompany),theyreceivedablockofipaddresses(their'netblock')thattheyinturndishouttotheir customers.theipaddressthattheygiveyouisoneoftheaddressesintheirnetblock.whileit's'your'ipaddress,they're actuallyjustlendingittoyouforaslongasyou'retheircustomer;ifyouchangeisps,you'lllosethatipaddressandneedto getonefromyournewisp.imentionthisbecausetheconceptthattheipaddressisundertheisp'scontrolwillbe importantlateron. BacktoyournewpublicIPaddressandyourWebserver.YouwouldneedtochangeyourDNSrecordsongodaddy's DNSserverstopoint' minutestothebetterpartofadayforthechangestoyourzonefiletofilterthroughoutallofthednsserversontheweb (thisiscalled'propagation'),butsoonenough,peoplesurfingto' Atthispoint,yourjobisdone.Well,exceptforthetrivialmatterofbuildingyourWebsite,garneringtraffic,thatsort ofthing.yourzonefilestillresidesongodaddy'sdnsservers,butthewebserverrecordinitpointstotheipaddressofthe Webserversittinginyourbasementorintheserverroomofyourcompany. Supposeyouhadaseparate server,runningonaboxsittingrightnexttotheWebserver?Youwouldchangeyour zonefiletopointyourmxrecordstotheipaddressforthatmachine.whatifyoudidn'thostyourown server, though?instead,youusedtheserverofan serviceprovider,suchasgodaddyoryourisp.inthosecases,themx recordinyourzonefilewouldpointtothat server'sipaddressinstead. 4.6TurningoveryourDNStoathirdparty Let'stakethingsastepfurther.Supposeyoudon'twanttokeepyourDNSzonefileongodaddy'sDNSservers?Justlikeyou aren'trequiredtohostyourwebsiteor ongodaddy'sservers,you'renotrequiredtohostyourdnsontheirservers. First,you'llneedanewDNSserver.ThiscanbeaboxofyoursrunningtheDNSserversoftware,justlikeyou'vegotabox runningwebserversoftware.oryoucouldoutsourceittoanyoneofanumberofcompaniesthatprovidednsservices, justliketherearecompaniesthatprovidewebsitehostingand services.youcanmoveyourzonefiletooneofthose companies.supposeyoudecidedtousezoneedit.comtohostyourzonefile.whenyousetupanaccountwiththem,they'll giveyouthenamesofthednsservers(muchlikegodaddy'swere"park21.secureserver.net"and "PARK22.SECURESERVER.NET"). Youjustneedtotellyourregistrar,godaddyinthiscase,thatyourdomain'snameserverisnowzoneedit.com,and changeyournameserversfrom"park21.secureserver.net"and"park22.secureserver.net"tothedns serversthatzoneedit'sgaveyou.

10 DNSExplained Page10 4.7"It'salotworsethanthat" There'smoretoDNSthanthis.TheDNSdatabaseisdistributedacrossmanyserversthroughouttheworld,andthere'sa complexandsophisticatedmechanismtokeepthemallinsync.forallpracticalpurposes,youdon'tneedtoknowanyof this.youjustneedtokeepthezonefileonyourowndnsserversetup,andyourmachinesconfiguredtouseyourdns servers,andyou'llbeok. 4.8Summaryofauthoritativeandcachingserverroles Insummary,whenyoucreateadomainname,youtellyourregistrarwheretheauthoritativeDNSserversforyourdomain are.yourzonefilesitsontheseauthoritativeservers.thiszonefileiscopied(or'propagated')tocachingserversalloverthe Internet.Thetimingvaluesinthezonefiletellsthecachingservershowoftentheyneedtorefreshtheirdata.Usermachines allovertheinternetpointtocachingservers.whenausermachinerequestsarecord,it'lllookatitscachingservers.ifthe dataisnotfound,there'saclearlydefinedpathforittolookat;thedetailsofwhicharen'timportanttous. Supposeoneofyourusermachine'scachingservershadjuststartedup,andhadn'tgoneouttopopulateitsdatabaseyet. It'llonlyknowabouttherootservers.Sointhiscase,thecachingserverwouldaskarootserverfortheinformationabout befoundattheserversforthatdomain.thecachingserverasksoneofthe.comserversfortheinformation.the.com serverrespondssayingthatitonlyknowswheretofindinformationforexample.com.iftheurlwaslongerandhadmore levels,thecachingservercontinuesonlikethatuntilitfinallygetsthealloftheinfoorendsupwithapermanenterror. Finally,thecachingserverreturnstheinfototheclientthatrequestedit. Thatsaid,it'snowtimetolookatthosezonefilesinmoredetail. 5.Zonefiles Zonefilescontroltwobasicthings themappingsofvarioustypesofservers,suchaswebservers,mailservers,ftpservers, sinceitmightnotbe onthesamemachine orinthesamecountry! thatservesupwebpagesforwww.example.com. ThesecondthingthatazonefilecontrolsishowoftenchangestothezonefilearepropagatedthroughouttheInternet. Unlessyouhavespecialneeds,thedefaultsettingsthatcamewithyourzonefilewhenitwassetupareprobablygood enough.mostpeople(particularlythefolksreadingthis)aretypicallygoingtosetuptheirzonefile,pointingtotheirweb site,mailserver,andsoon,andthenleaveitalone.ifyouwereinthebusinessofrunningmultiplewebsitesformany peopleororganizations,you'dprobablybedoingmoretweaking. Fortunately,thearcanesyntaxusedinazonefileisusuallyhiddenawayfromyou.MostDNSserverprovidersprovide aneditingfacilitythatallowsyoutomakechangesusingasimpleinterfaceasshowninfigure4.

11 Page11 DNSExplained Figure4.GoDaddy'sWebinterfaceforchangingDNSrecords. Whatyoudoneedtoknowistheconceptsbehindthechangesyou'remaking.Let'slookatourdummyzonefileagain. $TTL SOAns1.example.com ;serial 3H;refresh 15;retry 1w;expire 3h;minimum ) NSns1.example.com. NSns2.example.com. MX10mail.example.com. MX20mail.another.com. A wwwina bobina INCNAMEwww.example.com. hostmaster.example.com.(

12 DNSExplained Page12 SOAisanacronymfor"StartofAuthority".TheDNSdatabaseconsistsofzillionsofzonefiles,eachofwhichisthe responsibilityofsomeone.everythinginthatzonefileisthatperson'sresponsibility.whenyouthinkofthednsdatabase asapyramid,yourzonefilemakesuponeverysmallbrickinthatconstruction.thesoaindicateswhereinthatstackof bricksyourresponsibilitystarts.therestofthednsdatabase therootservers,tldservers,andworkerbeeserverscan onlypointtoyourzonefile.withinyourzonefile,youarethemaster.thesoarecordpointstothe'start'ofyourzonefile. thecurrentzone sortoflikeyou'repointingtoyourself.thenextimportantpieceis'ns1.example.com' it'stheprimary nameserverforyourdomain.thisentrymustbefollowedbyaperiod.andthelastpartofthelineisthe addressof period. Thesecondlineistheserialnumberofthezonefile thedatethatthezonefilewaslastupdated,followedbya sequencenumbersothatifthezonefileisupdatedmorethanonceaday,it'scleartootherserversthatgetupdatedwiththis zonefile'sinformationwhetherornottheyhavethemostrecentupdate.inotherwords,supposeyouupdateyourzonefile inthemorning.theserialnumberbecomes' '.laterthatday,thechangesyou'vemadearepropagated throughouttheinternet andnowotherdnsservershavethemostrecentdate,includingthe' 'serialnumber.if youthenupdateyourzonefileagainthatday(somepeoplecannevermakeuptheirminds...),theserialnumberbecomes ' '.Whenanotherserverchecksinonyourzonefile,itwillseethatitsserialnumberendsin'01'whileyours endsin'02'andthusknowstograbafreshcopyofyourzonefile. Thenextfourlinesinvolvetimespans.Thevaluescanbedescribedinseconds,inwhichcasenounitisneededtobe displayed,orinothertimeunits,inwhichcasetimeunits 'H'=hours,'w'=weeks,'m'=minutes arerequired.86,400= secondsinoneday,28800=8hours,604,800=1week,7200=twohours. Thethirdline,refresh,tellsanotherDNSserverhowoftenitshouldcheckyourzonefileforupdates.Thefourthline, retry,tellstheotherserverhowoftenitshouldtrytoconnecttoyourserverintheeventofaconnectionfailure.thefifth line,expiry,isthetotalamountoftimethattheotherservershouldtrycheckingbeforeitgivesup.ifitgivesup,itwillflag yourzonefileonitsdatabaseasexpiredandthenbegintoredirectrequestsforyourdnsinformationtotherootservers. Finally,thesixthline,TTL(timetolive)representstheamountoftimethatanotherserverwillcacheanswersfromyour server.asisaid,forthemostpart,you'llnotwanttomesswiththesevalues. Afterthetimespanvalues,thenextrecordsspecifythenameserversforthedomain therecordstotherightofthe'ns' recordtype.afterthatcomesan'mx'record whichstandsfor'mailexchanger'.youcanhavemorethanonemxrecord, eachofwhichpointstoadifferentmailserver.theorderinwhichmailisdirectedtoaserveriscontrolledbythetwodigit numberbetweenthe'mx'recordtypeandtheurlofth serveritself,whichthelowernumberbeingahigherpriority. TheArecordsmaphostnamestoIPaddresses.You'llusuallyhaveone'A'recordthatismappedtoa'catch all'ip address,andthen,possibly,subdomainsmappedtootheripaddresses.forexample,' ' 'while'bob.example.com'ismappedto' '.Ifyourmomtyped' browser,however,shewouldbedirectedtothe'catch all'' 'address. TheCNAMErecord(CNAMEisshortfor"canonicalname")isanaliasforanArecord. Finally,TXTrecords(notshownhere)areusedforSPF(SenderPolicyFramework)records.Thesearerecordsthat specifywhichmachinesareallowedtosendmailwiththesendersettoyourdomain.ifthesenderdomaindoesnothavean SPFrecord,orifthesenderdomainissendingfromamachinethatisnotlistedintheSPFrecord,thenth isclassified asspam.(moreinfoonspfcanbefoundatopenspf.org.) 6.ReverseDNS TheDNSrecordsallowprogramstolookuptheIPaddressfor'example.com'inallitsglory(aswellasanythingelse related,suchasftpormailservers).youmaybewonderingaboutthereverse ifyouhadanipaddress,couldyoulookup thedomainname?yes,youcould,andthisiscalled'reversedns'.thisisactuallyimportantbecausesomeprograms

13 DNSExplained Page13 (particularlymailservers)willrefuse fromdomainsifthereversednsresultsdonotmatchtheregular(alsocalled 'forward')dns. AreverseDNSrecordlookslikethis: zone" in addr.arpa"{ typemaster; file"pri in addr.arpa"; }; You'llseethatthefirstpartoftheaddress,' in addr.arpa'beginswiththereverseofthefirstthreepartsofthe example.comipaddress.thethirdlinecontainsthenameofthereversezonefile, in addr.arpa.thereversezone fileitselfcontains,insteadofaormxrecords,ptrrecords(ptrstandsfor'pointer'.) AreversezonefilewouldconsistofindividualrecordsforeachIPaddressassociatedwiththedomain.Followingour example,ourreversezonefilemightincludeptrrecordslikethis: 166PTRexample.com 167PTRns1.example.com 168PTRmail.example.com ReverseDNSissomethingthatmanyISPsdon'thaveaclearhandleon,orthattheydon'tbothertodountilyounag themto.youcantellifyourreversednsissetupthroughthelinuxcommandlinetool,'dig'.first,let'slookatadomain wherethereversednsisnotsetupproperly.findtheipaddressforanexampledomain: >digbozo_dns.com <somestuff> QUESTIONSECTION: bozo_dns.comina ANSWERSECTION: bozo_dns.com12837ina Andthen,withthe" x"switchontheipaddress,youcanseethatthereversednsisnotsetupproperly. >dig x <somestuff> QUESTIONSECTION: in addr.arpa.inptr ANSWERSECTION: in addr.arpa.inptr ded.pacbell.net. Asyoucanseefromthelastline,theIPaddressdoesnotresolvebacktothedomainname;instead,itresolvestothe ISPwhoownsthenetblock. ThisexampleshowsDNSsetupproperly: >digexample.com <somestuff> QUESTIONSECTION: example.comina ANSWERSECTION: example.com8702ina Andthen,withthe" x"switchontheipaddress,youcanseethatthereversednsissetupproperlyaswell. >dig x <somestuff>

14 Page14 DNSExplained QUESTIONSECTION: in addr.arpa.inptr ANSWERSECTION: in addr.arpa.inptrwww.example.com. ReverseDNSrecordsarestoredbyyourISPonserverssimilartotheauthoritativeDNSserverswe'vealreadylooked at,becausetheispcontrolsthenetblockofipaddresses.inordertogetreversednssetup,youhavetorequestyourispto doit,sincetheycontroltherecords.whileintheoryyoucouldhaveyourispdelegateauthorityforyourreversednsto anotherservice,mostispswon'tasamatterofconvenienceandconsistency. 7.Wheretogoformoreinformation ThisfreewhitepaperispublishedanddistributedbyHentzenwerkePublishing,Inc.Wehavethelargestlistsof Movingto Linux,OpenOffice.org,andVisualFoxProbooksontheplanet. Wealsohaveoodlesoffreewhitepapersonourwebsiteandmorearebeingaddedregularly.OurPreferredCustomer mailinglistgetsbi monthlyannouncementsofnewwhitepapers(andgetsdiscountsonourbooks,firstcrackatspecial deals,andotherstuffaswethinkofit.) Clickon YourAccount atwww.hentzenwerke.comtogetonourpreferredcustomerlist. Ifyoufoundthiswhitepaperhelpful,checkouttheseHentzenwerkePublishingbooksaswell: LinuxTransferforWindows NetworkAdmins: AroadmapforbuildingaLinuxfileandprintserver MichaelJang LinuxTransferforWindows PowerUsers: GettingstartedwithLinuxforthedesktop WhilHentzen