Hentzenwerke Whitepaper Series

DNS Explained

By Whil Hentzen

DNS. In a general sense, it's what tells your computer that www.example.com is attached to 192.0.34.166, so that you can enter 'www.example.com' in your Web browser instead of the IP address itself. You can live a long time without knowing anything about DNS, and, in a perfect world, that's how it should be, just as you don't have to know the mix of fuel to oxygen that your carburetor delivers to let your car engine run. But it's not a perfect world, not quite yet, and so there are times, particularly as a Web site developer, that you'll need to know a bit, or a lot, about DNS.

www.hentzenwerke.com
1. Preface

1.1 Copyright

Copyright 2006 Whil Hentzen. Some rights reserved. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs License, which basically means that you can copy, distribute, and display only unaltered copies of this work, but in return, you must give the original author credit, you may not distribute the work for commercial gain, nor create derivative works based on it without first licensing those rights from the author. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/.

1.2 Revisions

1.2.1 History

    Version  Date        Synopsis  Author
    1.0.0    2006/11/21  Original  WH

1.2.2 New version

The newest version of this document will be found at www.hentzenwerke.com.

1.2.3 Feedback and corrections

If you have questions, comments, or corrections about this document, please feel free to email me at 'articles@hentzenwerke.com'. I also welcome suggestions for passages you find unclear.

1.3 References and acknowledgments

Thanks to the folks on the Milwaukee Linux User Group list (www.milwaukeelug.org), particularly Aaron Schrab, who reviewed multiple copies of this document, as well as all that amazing stuff that one can find on the Internet.

1.4 Disclaimer

No warranty! This material is provided as is, with no warranty of fitness for any particular purpose. Use the concepts, examples and other content at your own risk. There may be errors and inaccuracies that in some configurations may be damaging to your system. The author(s) disavows all liability for the contents of this document.

Before making any changes to your system, ensure that you have backups and other resources to restore the system to its state before making those changes.

All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.
1.5 Prerequisites

This document was written for folks who want to develop Web sites and put them on the Internet. It is not intended for folks who would be administering a DNS server, say, for an ISP. Rather, it provides a high-level overview of the technology and what a Web site developer needs to know. As such, it glosses over some of the in-depth technical issues and simplifies others, eliminating details that are unimportant for this level of discussion.
2. The four players in the DNS architecture

Strictly speaking, DNS = Domain Name Service, the architecture for mapping IP addresses to host names. Unfortunately, sloppiness, slang, and jargon have usurped the term to mean everything from the architecture to the software that implements the architecture to the database that holds the actual host name-to-IP address mappings.

There are several players involved in the architecture: the DNS database, a DNS server, and a DNS client.

The first player is the "DNS database", the database where the actual mappings of host names and IP addresses are stored. The second player is a DNS server, the software that dishes out info from the DNS database when asked. The DNS database and the DNS server software both reside, obviously, on a DNS server machine. The DNS client is the program (in a loose sense of the word) that sits on an end user's computer and does the asking of a DNS server when the end user is trying to connect to another computer.

2.1 DNS database

Each mapping is stored in a (very large) database that is distributed across a collection of special servers connected to the Internet, so that only part of the database is on any one server. These servers are called DNS servers, or, sometimes, DNS name servers. There are different DNS servers for different top level domains: those ending in '.com' are located in one database, for example, while those ending in '.edu' are located in another database. When you want to access content on example.com, you'll type that URL into your browser. Your browser looks up the IP address of example.com's host via the appropriate DNS database. This process is called 'resolving' an address. If everything works (all the correct data is found), voila, your browser is now displaying data sent from example.com's Web server software.
In the early days of the Internet, there were only a few DNS servers. The entire list of domain names and IP addresses was contained in a simple text file, and every computer on the Internet had a copy of that text file. It was relatively easy to keep all of the copies of this text file in sync. Decades later, however, things had gotten busier. Imagine if the tens of millions of domains on the Internet were all listed in a single text file, and every one of the "billyuns and billyuns" of computers on the Internet had to keep an up-to-date copy of that enormous text file.

2.2 DNS server: architecture

Even after splitting up the DNS database into subsets for the various domains, it could get very crowded at each of the DNS servers if there was only one set, particularly if there was only one DNS server for .com domains! In addition, having all of the DNS information in one place would create a single point of failure that, if it did indeed fail, would bring the entire Internet to a crashing halt. As a result, the architects of the Internet created the ability for multiple copies of the DNS databases to be available to users around the world. That means there are many DNS servers scattered around the Internet. So when your computer tries to resolve a URL, it likely uses a copy (or 'mirror', or 'slave') of the primary DNS server for the type of domain in question, instead of going to the master copy. This system of multiple DNS servers also provides redundancy: if one of them goes down, your computer can use a different DNS server instead of getting stalled. Kind of like having a spare copy of the phone book at home when the master copy has disappeared somewhere in your teenager's room.

There are logically two types of DNS servers: authoritative and caching (also known as 'recursive'). A single physical DNS server can serve both roles at once, but for simplicity's sake, let's assume that a host is one or the other.

2.2.1 Authoritative

Authoritative servers are the DNS servers of last resort, so to speak. A purely authoritative server gets entered with data about host name-to-IP address mappings (called 'zone files', which I'll discuss shortly) and then responds to requests for that information; it never relies on other DNS servers for information that it is missing. Two special cases of authoritative servers are root and TLD servers.
The root servers form what you might think of as the apex of the DNS pyramid of servers. They contain information about the TLD (top level domain) servers. The next level are the parent, or TLD (top level domain), servers. Each of these is authoritative for one or more top level domains. For example, .com and .net are both handled by *.gtld-servers.net. When you register your domain, one of the TLD servers will know where to find information for your domain.

2.2.2 Caching

Caching/recursive servers, on the other hand, are the type that get listed as name servers on an end user (client) computer. When you set up your Internet connection, you likely have to enter two or more "DNS server" or "name server" addresses. These caching servers can be thought of as the worker bees: millions of machines scattered across the globe where the actual DNS mappings of host names and IP addresses are stored. Many are hosted at ISPs and similarly secure and reliable locations, but they could also be at privately owned "DNS 'R' Us" type companies, located in a trailer park skirting a downtown's red light district. You can even run a caching server on your own computer.

Roughly speaking, the TLD servers point to these 'worker bee' DNS servers when asked where your domain's information is.

2.3 DNS server: software

DNS server software is a program running on a computer that gets queries (in the form of URLs) from folks looking for your domain and dishes out responses (in the form of IP addresses) in return, using one of those 'worker bee' DNS databases. Your friend 'Bob' hears you have a Web site, www.example.com, and enters the URL into his Web browser. The Web browser looks up the DNS servers that he entered in his network card settings, and asks one of them what the IP address for your Web site is. If that DNS server has the mapping for www.example.com, it'll look it up and return the IP address, 192.0.34.166. In some cases, the DNS server he is using won't have www.example.com in its own database, but it knows where to go look: the TLD server for '.com'.

This DNS server software program is running constantly, and is typically configured to be a 'service', so that it starts up when the computer is started. This is similar to a database server or a Web server (both of which, interestingly enough, also lie in wait for requests from users and then dish out responses in return.) There are specific instances of DNS programs, just like there are specific instances of database servers (MySQL, PostgreSQL, Oracle) and Web servers (Apache, IIS, etc.).
Common DNS programs include BIND, tinydns, and djbdns.

2.4 DNS client

The third player in this scheme is a DNS 'client'. You can think of this client as a program running on your desktop (laptop) computer that fetches the IP address from a DNS server. When you enter a URL into your browser, your browser then talks to your DNS client, which then goes out onto the Internet to find one of the DNS servers that were identified in the network card settings on your computer. When the DNS client gets an answer, it then returns that answer back to whoever requested it, such as the Web browser.

Strictly speaking, the DNS client isn't actually a separate program on your computer, like a Web browser or an email client. Instead, it's a module or part of a larger program, often the operating system, that handles the work. There isn't a separate program that can be started up and shut down. A Web browser, for instance, would just ask the OS to do the lookup.

2.5 Zone file

Finally, although I said 'three', there's one more player that I should mention now: the zone file. The DNS database consists of millions of host name-to-IP address mappings. At first glance, you might think the DNS database just looks like this:

    anacondasteel.com   99.20.4.160
    bestbuy.com         68.7.7.14
    crazyeddie.com      100.203.40.57
    digg.com            8.12.66.48
    example.com         192.0.34.166
    ford.com            44.29.151.40
In reality, the database is considerably more complex than this. A domain has more than just the IP address for the Web server. There could be other servers involved, such as an FTP server or a mail server. There could be subdomains (the 'www.' part of the URL), and additional information, such as the time for updates to be checked, is also needed. As a result, each domain has a set of records that together are called a 'zone file'. A single zone file looks something like this:

    $TTL 86400
    $ORIGIN example.com.
    @   1D  IN  SOA  ns1.example.com.  hostmaster.example.com. (
                2005010101  ; serial
                3H          ; refresh
                15          ; retry
                1w          ; expire
                3h          ; minimum
                )
        IN  NS     ns1.example.com.
        IN  NS     ns2.example.com.
            MX     10  mail.example.com.
            MX     20  mail.another.com.
            A      192.0.34.166
    www IN  A      192.0.34.167
        IN  CNAME  www.example.com.   ; an alias; the alias name itself goes in the first column

While this may look confusing, this information represents what would be needed for a rather simple domain. A zone file for a big domain, such as for Ford Motor Company or General Electric, is considerably more involved. The key point to bring away from this is that the DNS records for a single domain are more involved than a simple one-to-one host name-to-IP address mapping. Additionally, now you know that the DNS database is a collection of millions of zone files.

Revisiting the terminology... your zone file contains your DNS records. Each DNS record is for a specific service, such as 'www' for a Web server or "MX" for a mail server. I'll use the terms 'zone file' and 'DNS records' somewhat interchangeably, as they refer to the same general 'chunk of data'.

Let's look at the part that DNS plays both for an individual surfing the Web or getting their email, and for an administrator of a Web site.

3. Individual Surfer

When you configure your computer's network card or modem to connect to the Internet, your Internet Service Provider (ISP) gives you the addresses for your DNS settings. Typically you are given at least two, but sometimes three. This duplication is so that if one of the DNS servers is unreachable or slow, your machine will have a second choice (and a third) to try.

In Windows 2000, you get to this dialog via Start | Settings | Network and Dial-up Connections | Properties | TCP/IP component | Properties, as shown in Figure 1.
Figure 1. The Windows 2000 dialog for entering DNS name servers.

In Fedora Core 6, you get to the dialog via Administration | Network | Network Configuration dialog | DNS tab, as shown in Figure 2.

Figure 2. The Fedora Core 6 dialog for entering DNS name servers.
When you enter a URL in your Web browser, or connect to your mail server via your email client, or when your IM program tries to connect to another server, your computer will send a query to the DNS servers in your DNS settings to look up the domain name. A bunch of stuff happens, and eventually a response will come back with the IP address of the machine you're trying to reach, and your computer connects to that machine. There's obviously a lot more going on under the hood, but for our purposes, this is close enough.

Some network card configuration programs call the DNS server a 'name server' (typically, Linux distros do.)

That's all an end user really needs to know. Let's take a look at what an administrator needs to know, behind the scenes.

4. Setting up a Web server/Web site

Setting up a Web server is as involved as being a casual Internet user is easy. We'll start by assuming you don't even have a domain name yet.

4.1 Domain name

You'll need a domain name, such as example.com. You may be used to thinking of domain names as 'www.example.com', but in actuality, the 'www' is an add-on that we'll deal with later. When you get a domain name, you'll just be getting the 'example.com' part. (Once you have the 'example.com' part, you can set up multiple sites, called subdomains, with names like 'www.example.com', 'customers.example.com', 'private.example.com' and 'bob.example.com'.)

You'll get a domain name from a registrar. There are many, many registrars out there, but most of them are simply resellers for the primary domain name registrars. Primary registrars include networksolutions.com, register.com, godaddy.com, and so on. For purposes of this article, I'll use godaddy.com as the sample registrar, both because they're the one I use (but, no, I don't get a commission for referring them) and because I've used networksolutions.com and register.com, and find them lacking in many significant areas. They've both been around for a long time, but I wouldn't ever use them again. You may choose differently, but caveat emptor.

(The one big problem with godaddy.com is that they are very, very pushy about trying to sell you extra stuff that you really don't need. Ignore it all for the time being; you can always add it to your site later if you want, and they're constantly running specials to give you deals on doing so.)
4.2 Navigating to a brand new domain

OK, so now you've plunked down your $8.95 at GoDaddy and now have your very own domain name, say, 'example.com'. What happens when your mom, all proud that her son/daughter has their very own Web site, types 'www.example.com' into her browser? Absolutely nothing. That's because there is no Web site attached to that domain name yet, and so your mom's browser ends up in '404 - page not found' land. So you need to do four more steps. I'll describe in general terms what those four things are, and then I'll walk through a specific example.

First, create a Web site and put it on a Web server somewhere. Second, find a DNS server (one of those authoritative DNS servers I mentioned earlier) that you can use. Third, create a DNS record (in your 'zone file') that maps 'www.example.com' to the IP address of the Web server from step 1, and stuff it into that authoritative DNS server that you found in step 2. And fourth, tell your registrar, godaddy.com, that the DNS server that contains your zone file for www.example.com is the authoritative DNS server you picked in step 2.

If you used godaddy.com (or most any other popular registrar), you'll find that the preceding description isn't completely accurate: when your mom typed 'www.example.com' in her browser, she didn't come across a 'page not found' page. Instead, she was directed to a "this site has recently been registered with godaddy.com" page. When you registered the domain name with GoDaddy, they didn't just let it sit off there in the ether. They create a dummy Web page for your domain on one of their servers, and then they create a zone file with records in it that point the domain to that temporary page. This is both to inform new visitors that the site is, indeed, OK (else a visitor might think they just typed the domain name wrong), and, natch, to advertise themselves at the same time. In other words, they provided default values for steps 2, 3, and 4 for you, and they'll stay that way until you choose to change them.
OK, now let's do this same thing, but with 'real data'.

4.3 Live example

Suppose you've registered 'example.com' with GoDaddy. (GoDaddy has a Web server and an authoritative DNS server that they use for newly registered domains like yours.) A zone file was created, and they've put that zone file in a pair of their DNS servers. They've also created a dummy Web page for 'www.example.com' for you and put it on one of their Web servers as well. So then, when you (or your mom) navigate to www.example.com, you arrive at the 'temporarily parked here...' page. You can log in to your GoDaddy account and navigate to the 'manage domains' link; doing so will display a page that lists your name servers, like so:

    Name Servers: (Last update 1/1/1980)
    PARK21.SECURESERVER.NET
    PARK22.SECURESERVER.NET

These are the names for a couple of DNS servers that GoDaddy runs. The DNS records in your zone file on them point to GoDaddy's Web server. The actual Web page for administering them looks like Figure 3. You can see the name servers displayed in the very middle of the page, slightly under and to the left of the red "Cancel" button.

Figure 3. The GoDaddy Web page for managing domain DNS information.
4.4 Hosting your site at a third party site

Now what? First, you CAN continue to host your DNS zone file and your Web site at GoDaddy. Use of the GoDaddy DNS server to store your DNS records comes with your registration fee (other registrars may or may not include DNS with the registration). Note that typically hosting your Web site will cost you a couple of bucks extra.

If that's the case, your job is nearly done. After purchasing the Web site option, they'll give you some space on a server of theirs. (They have acres and acres of servers.) They'll also give you the IP address for your space on that server. You'll create your Web pages and then FTP those pages up to their server. They'll also change your zone file so that it points to the root directory of your space on the server, and you're done.

4.5 Hosting your site yourself

Suppose you want to host your own Web server. There can be several reasons for this, such as the need to run software that isn't supported on GoDaddy's servers. In this case, you'd create your own Web server, installing Linux and Apache, say, on it, and then move your Web pages to that machine. But at this point, this Web server machine is an island without a bridge connecting it to the rest of the Internet. Time to get connected.

You'll need a connection to the Internet, similar to the one you already use, maybe even the same one. Your ISP will give you a public IP address that becomes the gateway for your server. (I'm taking complications like routers and firewalls out of the equation for the time being.) When your ISP became an ISP (from its humble beginnings as a bait and tackle shop or a telephone company), they received a block of IP addresses (their 'netblock') that they in turn dish out to their customers. The IP address that they give you is one of the addresses in their netblock. While it's 'your' IP address, they're actually just lending it to you for as long as you're their customer; if you change ISPs, you'll lose that IP address and need to get one from your new ISP. I mention this because the concept that the IP address is under the ISP's control will be important later on.
Back to your new public IP address and your Web server. You would need to change your DNS records on GoDaddy's DNS servers to point 'www.example.com' to that new public IP address from your ISP. It'll take anywhere from a few minutes to the better part of a day for the changes to your zone file to filter throughout all of the DNS servers on the Web (this is called 'propagation'), but soon enough, people surfing to 'www.example.com' will end up at your Web site!

At this point, your job is done. Well, except for the trivial matter of building your Web site, garnering traffic, that sort of thing. Your zone file still resides on GoDaddy's DNS servers, but the Web server record in it points to the IP address of the Web server sitting in your basement or in the server room of your company.

Suppose you had a separate email server, running on a box sitting right next to the Web server? You would change your zone file to point your MX records to the IP address for that machine. What if you didn't host your own email server, though? Instead, you used the server of an email service provider, such as GoDaddy or your ISP. In those cases, the MX record in your zone file would point to that email server's IP address instead.

4.6 Turning over your DNS to a third party

Let's take things a step further. Suppose you don't want to keep your DNS zone file on GoDaddy's DNS servers? Just like you aren't required to host your Web site or email on GoDaddy's servers, you're not required to host your DNS on their servers. First, you'll need a new DNS server. This can be a box of yours running the DNS server software, just like you've got a box running Web server software. Or you could outsource it to any one of a number of companies that provide DNS services, just like there are companies that provide Web site hosting and email services. You can move your zone file to one of those companies. Suppose you decided to use zoneedit.com to host your zone file. When you set up an account with them, they'll give you the names of the DNS servers (much like GoDaddy's were "PARK21.SECURESERVER.NET" and "PARK22.SECURESERVER.NET").

You just need to tell your registrar, GoDaddy in this case, that your domain's name server is now zoneedit.com, and change your name servers from "PARK21.SECURESERVER.NET" and "PARK22.SECURESERVER.NET" to the DNS servers that zoneedit gave you.
4.7 "It's a lot worse than that"

There's more to DNS than this. The DNS database is distributed across many servers throughout the world, and there's a complex and sophisticated mechanism to keep them all in sync. For all practical purposes, you don't need to know any of this. You just need to keep the zone file on your own DNS server set up, and your machines configured to use your DNS servers, and you'll be OK.

4.8 Summary of authoritative and caching server roles

In summary, when you create a domain name, you tell your registrar where the authoritative DNS servers for your domain are. Your zone file sits on these authoritative servers. This zone file is copied (or 'propagated') to caching servers all over the Internet. The timing values in the zone file tell the caching servers how often they need to refresh their data. User machines all over the Internet point to caching servers. When a user machine requests a record, it'll look at its caching servers. If the data is not found, there's a clearly defined path for it to look at; the details of which aren't important to us.

Suppose one of your user machine's caching servers had just started up, and hadn't gone out to populate its database yet. It'll only know about the root servers. So in this case, the caching server would ask a root server for the information about www.example.com. The root server would respond, saying that the root server doesn't know, but information on .com can be found at the servers for that domain. The caching server asks one of the .com servers for the information. The .com server responds saying that it only knows where to find information for example.com. If the URL was longer and had more levels, the caching server continues on like that until it finally gets all of the info or ends up with a permanent error. Finally, the caching server returns the info to the client that requested it.

That said, it's now time to look at those zone files in more detail.

5. Zone files

Zone files control two basic things. The first is the mappings of various types of servers, such as Web servers, mail servers, FTP servers, and so on. This way, mail to bob@example.com knows where the example.com mail server is located, since it might not be on the same machine (or in the same country!) that serves up Web pages for www.example.com.
The second thing that a zone file controls is how often changes to the zone file are propagated throughout the Internet. Unless you have special needs, the default settings that came with your zone file when it was set up are probably good enough. Most people (particularly the folks reading this) are typically going to set up their zone file, pointing to their Web site, mail server, and so on, and then leave it alone. If you were in the business of running multiple Web sites for many people or organizations, you'd probably be doing more tweaking.

Fortunately, the arcane syntax used in a zone file is usually hidden away from you. Most DNS server providers provide an editing facility that allows you to make changes using a simple interface, as shown in Figure 4.
Figure 4. GoDaddy's Web interface for changing DNS records.

What you do need to know is the concepts behind the changes you're making. Let's look at our dummy zone file again.

    $TTL 86400
    $ORIGIN example.com.
    @   1D  IN  SOA  ns1.example.com.  hostmaster.example.com. (
                2005010101  ; serial
                3H          ; refresh
                15          ; retry
                1w          ; expire
                3h          ; minimum
                )
            NS     ns1.example.com.
            NS     ns2.example.com.
            MX     10  mail.example.com.
            MX     20  mail.another.com.
            A      192.0.34.166
    www IN  A      192.0.34.167
    bob IN  A      192.0.34.168
        IN  CNAME  www.example.com.   ; an alias; the alias name itself goes in the first column
SOA is an acronym for "Start of Authority". The DNS database consists of zillions of zone files, each of which is the responsibility of someone. Everything in that zone file is that person's responsibility. When you think of the DNS database as a pyramid, your zone file makes up one very small brick in that construction. The SOA indicates where in that stack of bricks your responsibility starts. The rest of the DNS database (the root servers, TLD servers, and worker bee servers) can only point to your zone file. Within your zone file, you are the master. The SOA record points to the 'start' of your zone file.

You don't have to worry about most of the pieces of the SOA record. The first piece, the '@' sign, is simply a pointer to the current zone, sort of like you're pointing to yourself. The next important piece is 'ns1.example.com': it's the primary name server for your domain. This entry must be followed by a period. And the last part of the line is the email address of the person responsible for the domain, except that the '@' sign is replaced by a period, and the address is followed by a period.

The second line is the serial number of the zone file: the date that the zone file was last updated, followed by a sequence number, so that if the zone file is updated more than once a day, it's clear to other servers that get updated with this zone file's information whether or not they have the most recent update. In other words, suppose you update your zone file in the morning. The serial number becomes '2006103101'. Later that day, the changes you've made are propagated throughout the Internet, and now other DNS servers have the most recent data, including the '2006103101' serial number. If you then update your zone file again that day (some people can never make up their minds...), the serial number becomes '2006103102'. When another server checks in on your zone file, it will see that its serial number ends in '01' while yours ends in '02' and thus knows to grab a fresh copy of your zone file.

The next four lines involve time spans. The values can be given in seconds, in which case no unit needs to be displayed, or in other time units, in which case a unit letter ('H' = hours, 'w' = weeks, 'm' = minutes) is required. 86,400 = seconds in one day, 28800 = 8 hours, 604,800 = 1 week, 7200 = two hours.
The third line, refresh, tells another DNS server how often it should check your zone file for updates. The fourth line, retry, tells the other server how often it should try to connect to your server in the event of a connection failure. The fifth line, expiry, is the total amount of time that the other server should keep trying before it gives up. If it gives up, it will flag your zone file in its database as expired and then begin to redirect requests for your DNS information to the root servers. Finally, the sixth line, TTL (time to live), represents the amount of time that another server will cache answers from your server. As I said, for the most part, you'll not want to mess with these values.

After the time span values, the next records specify the name servers for the domain: the records to the right of the 'NS' record type. After that comes an 'MX' record, which stands for 'mail exchanger'. You can have more than one MX record, each of which points to a different mail server. The order in which mail is directed to a server is controlled by the two digit number between the 'MX' record type and the URL of the mail server itself, with the lower number being the higher priority.

The A records map host names to IP addresses. You'll usually have one 'A' record that is mapped to a 'catch-all' IP address, and then, possibly, subdomains mapped to other IP addresses. For example, 'www.example.com' is mapped to '192.0.34.167' while 'bob.example.com' is mapped to '192.0.34.168'. If your mom typed 'http://example.com' into her browser, however, she would be directed to the 'catch-all' '192.0.34.166' address.

The CNAME record (CNAME is short for "canonical name") is an alias for an A record.

Finally, TXT records (not shown here) are used for SPF (Sender Policy Framework) records. These are records that specify which machines are allowed to send mail with the sender set to your domain. If the sender domain does not have an SPF record, or if the sender domain is sending from a machine that is not listed in the SPF record, then the mail is classified as spam. (More info on SPF can be found at openspf.org.)
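A small parser for the zone file above, added here as an example (it is not code from the whitepaper or from any DNS server): it converts the SOA timers to seconds using the unit letters just described, lists the mail exchangers in the order a sending server tries them, and implements the serial-number comparison a secondary uses to decide whether to pull a fresh copy. The serial comparison goes beyond the text's plain "bigger number wins" rule by using RFC 1982 serial arithmetic, which also behaves correctly when a 32-bit serial wraps around. The zone text embedded in it is this document's example.com zone, reassembled.

```python
import re

SAMPLE_ZONE = """\
; constructed sample: the whitepaper's example.com zone file, reassembled
$TTL 86400
$ORIGIN example.com.
@   1D  IN  SOA  ns1.example.com.  hostmaster.example.com. (
            2005010101  ; serial
            3H          ; refresh
            15          ; retry
            1w          ; expire
            3h          ; minimum
            )
    IN  NS   ns1.example.com.
    IN  NS   ns2.example.com.
        MX   10  mail.example.com.
        MX   20  mail.another.com.
        A    192.0.34.166
www IN  A    192.0.34.167
bob IN  A    192.0.34.168
"""

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TIME_RE = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)


def parse_ttl(token):
    """'3H' -> 10800, '1w' -> 604800; a bare number such as '15' is already seconds."""
    n, unit = TIME_RE.fullmatch(token).groups()   # a malformed value fails loudly here
    return int(n) * UNIT_SECONDS[unit.lower() or "s"]


def qualify(name, origin):
    """'@' -> origin, 'www' -> 'www.example.com.'; a name ending in '.' is left alone."""
    return (origin if name == "@" else name if name.endswith(".") else name + "." + origin).lower()


def logical_lines(text):
    # One string per record: comments stripped, '( ... )' continuation lines joined.
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield " ".join(buf)
            buf = []


def parse_zone(text):
    """Return {'origin', 'soa', 'records'}; every SOA timer is converted to seconds."""
    origin = default_ttl = owner = soa = None
    records = []
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if not line[0].isspace():          # a non-blank first column names a new owner;
            owner, tokens = tokens[0], tokens[1:]   # a blank one reuses the previous owner
        ttl = default_ttl
        if TIME_RE.fullmatch(tokens[0]):   # optional per-record TTL such as '1D'
            ttl = parse_ttl(tokens.pop(0))
        if tokens[0].upper() == "IN":      # optional class
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype == "SOA":                 # the contact is an email address with '@' written as '.'
            mname, rname, serial, refresh, retry, expire, minimum = rdata
            soa = {"primary": qualify(mname, origin), "contact": rname.rstrip(".").replace(".", "@", 1),
                   "serial": int(serial), "refresh": parse_ttl(refresh), "retry": parse_ttl(retry),
                   "expire": parse_ttl(expire), "minimum": parse_ttl(minimum)}
            continue
        if rtype == "MX":
            data = (int(rdata[0]), qualify(rdata[1], origin))
        elif rtype in ("NS", "CNAME", "PTR"):   # rdata is a name, so $ORIGIN applies
            data = qualify(rdata[0], origin)
        else:
            data = " ".join(rdata)         # A, TXT, ...: keep the rdata verbatim
        records.append({"name": qualify(owner, origin), "ttl": ttl, "type": rtype, "data": data})
    return {"origin": origin.lower(), "soa": soa, "records": records}


def lookup(zone, name, rtype):
    return [r["data"] for r in zone["records"] if r["name"] == name.lower() and r["type"] == rtype.upper()]


def mx_order(zone, name=None):
    """Mail exchangers in the order a sending server tries them: lowest preference first."""
    return [host for _, host in sorted(lookup(zone, name or zone["origin"], "MX"))]


def serial_is_newer(candidate, current):
    """RFC 1982 serial arithmetic: should a secondary holding `current` fetch the copy with `candidate`?"""
    return candidate != current and (candidate - current) % 2**32 < 2**31
```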
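The lookup walk described in section 4.8, as a simulation added here (not part of the whitepaper): a caching server that knows only the root servers asks root, follows the referral to the .com servers, follows the next referral to example.com's own server, caches the answer for the TTL the authority supplied, and returns a permanent error for a name that does not exist. The server names and delegation tree are constructed, modelled on the *.gtld-servers.net naming mentioned earlier.

```python
# Constructed delegation tree (not real server data): each server knows its own zone,
# the delegations (NS) below it, and the addresses (A) it is authoritative for.
SERVERS = {
    "a.root-servers.net.": {"zone": ".",
                            "delegations": {"com.": ["a.gtld-servers.net."]},
                            "answers": {}},
    "a.gtld-servers.net.": {"zone": "com.",
                            "delegations": {"example.com.": ["ns1.example.com."]},
                            "answers": {}},
    "ns1.example.com.": {"zone": "example.com.",
                         "delegations": {},
                         "answers": {"example.com.": ("192.0.34.166", 86400),
                                     "www.example.com.": ("192.0.34.167", 86400)}},
}
ROOT_SERVERS = ["a.root-servers.net."]   # all a freshly started caching server knows


def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def ask(server, qname):
    """One authoritative server's reply: the answer, a referral to the closest delegation
    it knows that encloses the name, or NXDOMAIN when the name is absent from its zone."""
    srv = SERVERS[server]
    if qname in srv["answers"]:
        ip, ttl = srv["answers"][qname]
        return ("answer", ip, ttl)
    matches = [(z, ns) for z, ns in srv["delegations"].items() if in_zone(qname, z)]
    if matches:
        zone, nameservers = max(matches, key=lambda m: len(m[0]))   # longest match wins
        return ("referral", zone, nameservers)
    return ("nxdomain",)


def resolve(qname, cache, now, trace=None):
    """Iterative lookup as a caching server performs it. `cache` maps name -> (ip, expiry);
    every hop is appended to `trace` so the walk from the text is visible. Returns the
    address, or None for a permanent error."""
    if trace is None:
        trace = []
    hit = cache.get(qname)
    if hit and hit[1] > now:                 # still inside the TTL the authority gave us
        trace.append(("cache", qname))
        return hit[0]
    candidates = list(ROOT_SERVERS)
    for _ in range(10):                      # bound the chain: a cycle means a broken delegation
        server = candidates[0]
        reply = ask(server, qname)
        trace.append((server, reply[0]))
        if reply[0] == "answer":
            cache[qname] = (reply[1], now + reply[2])
            return reply[1]
        if reply[0] == "referral":
            candidates = reply[2]
            continue
        return None                          # NXDOMAIN: the name does not exist
    return None
```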
6. Reverse DNS

The DNS records allow programs to look up the IP address for 'example.com' in all its glory (as well as anything else related, such as FTP or mail servers). You may be wondering about the reverse: if you had an IP address, could you look up the domain name? Yes, you could, and this is called 'reverse DNS'. This is actually important because some programs (particularly mail servers) will refuse email from domains if the reverse DNS results do not match the regular (also called 'forward') DNS.

A reverse DNS record looks like this:

    zone "34.0.192.in-addr.arpa" {
        type master;
        file "pri.34.0.192.in-addr.arpa";
    };

You'll see that the first part of the address, '34.0.192.in-addr.arpa', begins with the reverse of the first three parts of the example.com IP address. The third line contains the name of the reverse zone file, pri.34.0.192.in-addr.arpa. The reverse zone file itself contains, instead of A or MX records, PTR records (PTR stands for 'pointer'.)

A reverse zone file would consist of individual records for each IP address associated with the domain. Following our example, our reverse zone file might include PTR records like this:

    166  PTR  example.com.
    167  PTR  ns1.example.com.
    168  PTR  mail.example.com.

Reverse DNS is something that many ISPs don't have a clear handle on, or that they don't bother to do until you nag them to. You can tell if your reverse DNS is set up through the Linux command line tool, 'dig'. First, let's look at a domain where the reverse DNS is not set up properly. Find the IP address for an example domain:

    > dig bozo_dns.com
    <some stuff>
    QUESTION SECTION:
    bozo_dns.com.               IN  A

    ANSWER SECTION:
    bozo_dns.com.   12837       IN  A    1.2.3.4

And then, with the "-x" switch on the IP address, you can see that the reverse DNS is not set up properly.

    > dig -x 1.2.3.4
    <some stuff>
    QUESTION SECTION:
    4.3.2.1.in-addr.arpa.       IN  PTR

    ANSWER SECTION:
    4.3.2.1.in-addr.arpa.       IN  PTR  1.2.3.4.ded.pacbell.net.

As you can see from the last line, the IP address does not resolve back to the domain name; instead, it resolves to the ISP who owns the netblock.

This example shows DNS set up properly:

    > dig example.com
    <some stuff>
    QUESTION SECTION:
    example.com.                IN  A

    ANSWER SECTION:
    example.com.    8702        IN  A    192.0.34.166

And then, with the "-x" switch on the IP address, you can see that the reverse DNS is set up properly as well.

    > dig -x 192.0.34.166
    <some stuff>
    QUESTION SECTION:
    166.34.0.192.in-addr.arpa.  IN  PTR

    ANSWER SECTION:
    166.34.0.192.in-addr.arpa.  IN  PTR  www.example.com.

Reverse DNS records are stored by your ISP on servers similar to the authoritative DNS servers we've already looked at, because the ISP controls the netblock of IP addresses. In order to get reverse DNS set up, you have to request your ISP to do it, since they control the records. While in theory you could have your ISP delegate authority for your reverse DNS to another service, most ISPs won't, as a matter of convenience and consistency.

7. Where to go for more information

This free whitepaper is published and distributed by Hentzenwerke Publishing, Inc. We have the largest lists of Moving to Linux, OpenOffice.org, and Visual FoxPro books on the planet.

We also have oodles of free whitepapers on our Web site and more are being added regularly. Our Preferred Customer mailing list gets bi-monthly announcements of new whitepapers (and gets discounts on our books, first crack at special deals, and other stuff as we think of it.)

Click on 'Your Account' at www.hentzenwerke.com to get on our Preferred Customer list.

If you found this whitepaper helpful, check out these Hentzenwerke Publishing books as well:

Linux Transfer for Windows Network Admins: A roadmap for building a Linux file and print server
Michael Jang

Linux Transfer for Windows Power Users: Getting started with Linux for the desktop
Whil Hentzen
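Returning to the reverse DNS check of section 6: an added example (not from the whitepaper) of the forward-confirmed reverse DNS test a receiving mail server applies, run against constructed lookup tables that mirror the two dig sessions above, plus a helper that writes the PTR records for a /24 the way the reverse zone file above lists them. The entry saying that the ISP's generic name 1.2.3.4.ded.pacbell.net resolves forward to 1.2.3.4 is an assumption made for the example.

```python
import ipaddress

# Constructed resolver tables mirroring the two dig sessions in the text (no live lookups).
FORWARD = {  # name -> A records
    "bozo_dns.com.": ["1.2.3.4"],
    "1.2.3.4.ded.pacbell.net.": ["1.2.3.4"],   # assumed: the ISP's generic name for the address
    "example.com.": ["192.0.34.166"],
    "www.example.com.": ["192.0.34.166"],
}
REVERSE = {  # in-addr.arpa name -> PTR targets
    "4.3.2.1.in-addr.arpa.": ["1.2.3.4.ded.pacbell.net."],
    "166.34.0.192.in-addr.arpa.": ["www.example.com."],
}


def reverse_name(ip):
    """The name `dig -x` queries: octets reversed under in-addr.arpa (nibbles under ip6.arpa for IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip, forward=FORWARD, reverse=REVERSE):
    """Forward-confirmed reverse DNS: the PTR names of `ip` whose own A records include `ip`."""
    ptrs = reverse.get(reverse_name(ip), [])
    return [name for name in ptrs if ip in forward.get(name.lower(), [])]


def mail_check(client_ip, sender_domain, forward=FORWARD, reverse=REVERSE):
    """The test a receiving mail server applies to a connecting host, as (verdict, reason)."""
    confirmed = fcrdns(client_ip, forward, reverse)
    if not confirmed:
        return ("reject", "no forward-confirmed PTR for %s" % client_ip)
    domain = sender_domain.lower().rstrip(".") + "."
    if any(n == domain or n.endswith("." + domain) for n in confirmed):
        return ("accept", "PTR %s is inside %s" % (confirmed[0], sender_domain))
    return ("suspect", "PTR %s names the netblock owner, not %s" % (confirmed[0], sender_domain))


def reverse_zone(hosts):
    """Build the PTR records for one /24 from a name -> IPv4 mapping, as in the text's reverse
    zone file. Returns (zone name, record lines); refuses hosts that span several /24s."""
    nets = {ipaddress.ip_network(ip + "/24", strict=False) for ip in hosts.values()}
    if len(nets) != 1:
        raise ValueError("hosts span more than one /24: %s" % sorted(str(n) for n in nets))
    zone = ".".join(reversed(str(nets.pop().network_address).split(".")[:3])) + ".in-addr.arpa."
    by_last_octet = sorted(hosts.items(), key=lambda kv: int(kv[1].rsplit(".", 1)[1]))
    lines = ["%s  IN  PTR  %s" % (ip.rsplit(".", 1)[1], name) for name, ip in by_last_octet]
    return zone, lines
```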