About DNS


This section discusses how DNS works and provides resources for additional information on DNS.

How DNS Works

Application programs do not issue DNS queries directly. Instead they call a resolver library routine such as gethostbyname() (or its modern replacement, getaddrinfo(); both are glibc library functions, not system calls), and how the system comes up with the corresponding IP address is transparent to the calling program. The library examines the hosts line in the /etc/nsswitch.conf file (page ) to determine which files it should examine and/or which services it should query, and in what order, to obtain the IP address corresponding to a domain name. When that line says to use DNS, the resolver on the local system (the DNS client) sends the query to the nameservers listed in /etc/resolv.conf and returns the answer to the application program.
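The following shell script is an added example, not code from the book: it reads the hosts line of an nsswitch.conf to show the order in which gethostbyname()/getaddrinfo() consult their sources, and resolves a name through that same NSS path with getent(1). The nsswitch.conf files it reads are constructed for the example (pass no argument to hosts_lookup_order to read the real /etc/nsswitch.conf); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the book: read the hosts: line of an nsswitch.conf to see
# the order in which gethostbyname()/getaddrinfo() consult sources, then resolve a
# name through that same NSS path with getent(1). The nsswitch.conf files used here
# are constructed for the example; pass no argument to read the real /etc/nsswitch.conf.

# Print the lookup sources on the hosts: line, one per line, in order. Comments and
# action tags such as [NOTFOUND=return] are stripped; only the first hosts: line counts.
hosts_lookup_order() {
    awk '/^[[:space:]]*hosts:/ {
            sub(/^[[:space:]]*hosts:/, "")     # drop the key
            sub(/#.*/, "")                     # drop a trailing comment
            gsub(/\[[^]]*\]/, "")              # drop [STATUS=action] tags
            for (i = 1; i <= NF; i++) print $i
            exit
         }' "${1:-/etc/nsswitch.conf}"
}

# Exit 0 if DNS is among the sources (named or the upstream resolvers are ever asked);
# exit 1 if host lookups never leave the local files.
dns_is_consulted() {
    hosts_lookup_order "$1" | grep -qx dns
}

# Resolve a name the way an application would: getent(1) calls the resolver library,
# so it honours nsswitch.conf and /etc/hosts, unlike dig(1), which talks DNS directly.
nss_resolve() {
    getent hosts "$1"
}

# Constructed sample 1: the usual default, /etc/hosts first, then DNS.
SAMPLE_NSS_DEFAULT=$(mktemp)
cat >"$SAMPLE_NSS_DEFAULT" <<'EOF'
# constructed sample nsswitch.conf
passwd:     files
hosts:      files dns    # try /etc/hosts before asking named
networks:   files
EOF

# Constructed sample 2: mDNS tried before DNS, with an action tag in the middle.
SAMPLE_NSS_MDNS=$(mktemp)
cat >"$SAMPLE_NSS_MDNS" <<'EOF'
hosts: files mdns4_minimal [NOTFOUND=return] dns
EOF

# Constructed sample 3: DNS never consulted at all.
SAMPLE_NSS_FILES_ONLY=$(mktemp)
cat >"$SAMPLE_NSS_FILES_ONLY" <<'EOF'
hosts: files
EOF
trap 'rm -f "$SAMPLE_NSS_DEFAULT" "$SAMPLE_NSS_MDNS" "$SAMPLE_NSS_FILES_ONLY"' EXIT

echo "lookup order (sample 1): $(hosts_lookup_order "$SAMPLE_NSS_DEFAULT" | tr '\n' ' ')"
echo "lookup order (sample 2): $(hosts_lookup_order "$SAMPLE_NSS_MDNS" | tr '\n' ' ')"
echo "lookup order (sample 3): $(hosts_lookup_order "$SAMPLE_NSS_FILES_ONLY" | tr '\n' ' ')"
nss_resolve localhost || echo "localhost did not resolve through NSS" >&2
```

The practical point: when a name resolves with dig but not for an application, the difference is almost always this hosts line (or /etc/hosts), which dig bypasses and getent does not.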

Prerequisites

Install the following packages:

  • bind

  • bind-utils

  • bind-config (FEDORA, optional, used to set up a caching-only nameserver; see the following caution box for an important note)

  • caching-nameserver (RHEL, optional, used to set up a caching-only nameserver)

  • system-config-bind (FEDORA, optional)

  • bind-chroot (optional, used to set up BIND to run in a chroot jail)

Run chkconfig to cause named to start when the system enters multiuser mode:

# /sbin/chkconfig named on

After you have configured named, start it with service:

# /sbin/service named start
Starting named:                                            [  OK  ]
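Once named reports OK, it is worth confirming that it actually owns port 53 on both transports and seeing which addresses it is bound to. The script below is an added example, not code from the book: it parses netstat -lnp output (run netstat as root so the PID/Program name column is filled in) and reports the named sockets on port 53. The netstat listing embedded in it is constructed for the example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the book: after "service named start", confirm that named
# owns port 53 on both transports and see which addresses it is bound to. The
# functions read "netstat -lnp" output on stdin; the listing below is constructed
# for the example. Run with --live to check the real system instead of the sample.

# Print "proto address" for each socket owned by named and bound to port 53.
named_port53_sockets() {
    awk '$NF ~ /\/named$/ && $1 ~ /^(tcp|udp)6?$/ {
            addr = $4; sub(/:[0-9]+$/, "", addr)   # strip the :port suffix
            port = $4; sub(/^.*:/, "", port)       # keep only the port
            if (port == 53) print $1, addr
         }'
}

# Exit 0 when named listens on both 53/tcp and 53/udp (zone transfers and answers
# too large for UDP use TCP, so both are needed). Warn when it is bound to every
# interface: a caching-only server should usually listen only where its clients are.
check_named_listening() {
    sockets=$(named_port53_sockets)
    status=0
    for proto in tcp udp; do
        if ! printf '%s\n' "$sockets" | grep -q "^$proto"; then
            echo "named is not listening on 53/$proto" >&2
            status=1
        fi
    done
    if printf '%s\n' "$sockets" | grep -Eq ' (0\.0\.0\.0|::)$'; then
        echo "warning: named is bound to all interfaces; consider listen-on/allow-query in named.conf" >&2
    fi
    return $status
}

# Constructed netstat -lnp output: healthy caching-only server bound to loopback.
SAMPLE_NETSTAT_OK='Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      2345/named
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN      2345/named
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1902/sshd
udp        0      0 127.0.0.1:53                0.0.0.0:*                               2345/named'

# Constructed netstat -lnp output: TCP only, and on every interface.
SAMPLE_NETSTAT_TCP_ONLY='tcp        0      0 0.0.0.0:53                  0.0.0.0:*                   LISTEN      2345/named
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1500/dhclient'

if [ "$1" = "--live" ]; then
    netstat -lnp 2>/dev/null | check_named_listening
else
    printf '%s\n' "$SAMPLE_NETSTAT_OK" | check_named_listening &&
        echo "sample: named is listening on 53/tcp and 53/udp"
fi
```

The 953/tcp socket in the sample is rndc's control channel, not DNS, which is why the filter keys on the port rather than on every socket named owns.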

Caution: Remove caching-nameserver and install bind-config

The released version of CentOS Linux 5, including the version on the DVD enclosed with this book, includes the caching-nameserver package.

Shortly after CentOS Linux 5 was released, the caching-nameserver package was replaced by the bind-config package.

To follow the examples in this chapter, you must remove the caching-nameserver package and install the bind-config package. The following commands use yum (page ) to accomplish these tasks. In addition, it may be helpful to remove or rename /etc/named.conf as shown below.

# yum remove caching-nameserver
...
# yum install bind-config
...
# mv /etc/named.conf /etc/named.conf.old

If you cannot or do not want to replace the caching-nameserver package, read the parts of this chapter that are labeled RHEL and that describe the named.caching-nameserver.conf file.

RHEL includes the caching-nameserver package.

More Information

Local

BIND 9 Administrator Reference Manual: /usr/share/doc/bind*/arm/Bv9ARM.html

Web

DNS for Rocket Scientists: www.zytrax.com/books/dns/ (an excellent site that makes good use of links to present information on DNS in a very digestible form)

BIND: www.isc.org

DNS security

HOWTO

DNS HOWTO: www.tldp.org/HOWTO/DNS-HOWTO.html

Book

DNS & BIND, fourth edition, by Albitz & Liu, O'Reilly & Associates (April 2001)

Notes

Firewall

The named server normally accepts queries on TCP and UDP port 53 (UDP carries ordinary queries; TCP carries zone transfers and responses too large for UDP). If the server system is running a firewall, you need to open both ports, but only to the hosts and networks that should be able to query the server: a caching-only nameserver that answers recursive queries from anywhere on the Internet is an open resolver that others can abuse. For information on the Red Hat graphical firewall tool (system-config-securitylevel) and on iptables in general, see the chapter that details iptables.
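A rule set that opens port 53 only to the server's own clients, as an added example (not from the book): the function below appends iptables ACCEPT rules for 53/udp and 53/tcp from each allowed source and then REJECT rules for everything else. The client network 192.168.1.0/24 is an assumption for illustration; substitute your own, and keep 127.0.0.1 in the list so local tools such as dig @127.0.0.1 keep working. The function names and the IPTABLES override are this example's own; set IPTABLES to the dry-run helper to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the book: iptables rules that open 53/udp and 53/tcp only
# to the networks that should query this server, and reject everything else. A
# caching-only (recursive) server reachable from the whole Internet is an open
# resolver, so "open port 53" should mean "open it to your clients". The network
# 192.168.1.0/24 used below is an assumption; substitute your own. Run with --apply
# as root to install the rules; without it the script only prints them.

IPTABLES=${IPTABLES:-/sbin/iptables}

# Dry-run stand-in for iptables: print the rule instead of applying it.
dryrun_iptables() {
    printf '%s\n' "$*"
}

# Append ACCEPT rules for DNS from each allowed source (arguments are CIDRs or
# addresses), then REJECT rules for port 53 so no other source reaches named.
dns_firewall_rules() {
    [ $# -gt 0 ] || { echo "usage: dns_firewall_rules CIDR..." >&2; return 2; }
    for net in "$@"; do
        for proto in udp tcp; do
            "$IPTABLES" -A INPUT -p "$proto" -s "$net" --dport 53 -j ACCEPT || return 1
        done
    done
    # REJECT rather than DROP: unauthorised clients fail immediately instead of
    # retrying until they time out.
    "$IPTABLES" -A INPUT -p udp --dport 53 -j REJECT || return 1
    "$IPTABLES" -A INPUT -p tcp --dport 53 -j REJECT --reject-with tcp-reset || return 1
}

if [ "$1" = "--apply" ]; then
    dns_firewall_rules 127.0.0.1 192.168.1.0/24
else
    # Dry run in a subshell so the override does not leak into the caller.
    ( IPTABLES=dryrun_iptables; dns_firewall_rules 127.0.0.1 192.168.1.0/24 )
fi
```

Because the rules are appended, they must come before any broader ACCEPT for the interface, and a final catch-all policy on INPUT still applies to everything that is not port 53.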

SELinux

According to the Red Hat named man page, the default Red Hat SELinux policy for named is very secure and prevents known BIND security vulnerabilities from being exploited: the policy confines what the named process can read and write, so a compromised named cannot reach the rest of the system. This confinement has some limitations, however (for example, by default named cannot write to its master zone files). Refer to the named man page for more information.

If the system is running SELinux with a targeted policy and you want to relax the named confinement, you must turn on one or more of the SELinux Booleans under the Name Service section as displayed by system-config-securitylevel (page ).

chroot jail

The bind-chroot package sets up named to run in a chroot jail (/var/named/chroot by default), so that even if named is compromised the attacker sees only the files inside the jail. With this package installed, all files that control BIND are located within this jail, and the filenames used in this chapter are symbolic links to the files in the chroot jail. See page for more information.

named options

See the comments in the /etc/sysconfig/named file for information about named options that you can set there. One of the most important of these options sets the value of the ROOTDIR variable, which controls the location of the chroot jail (page ) that BIND runs in; the bind-chroot package sets it to /var/named/chroot.

named.conf (FEDORA)

Traditionally, named looks for configuration information in the /etc/named.conf file. The caching-only nameserver, which is part of the bind-config package, instead places its configuration in /etc/named.caching-nameserver.conf.

So that the caching-only nameserver works without any setup, and so that named behaves normally if you create a /etc/named.conf file, the CentOS Linux named init script (/etc/rc.d/init.d/named) first looks for configuration information in /etc/named.conf. Only if that file does not exist does it fall back to /etc/named.caching-nameserver.conf. This is why the caution box earlier in this section suggests removing or renaming a leftover /etc/named.conf: as long as that file exists, the caching-only configuration is ignored.