Linux Network Administrator's Guide (6)
2000-07-29 10:47
Publisher: NetBull   Translation: Zhao Wei GoHigh@shtdu.edu.cn

Chapter 6  Name Service and Resolver Configuration

As explained in Chapter 2, TCP/IP networking may rely on different schemes to convert names into addresses. The simplest way, which dispenses with the advantages of splitting the name space into zones, is a host table stored in /etc/hosts. This is useful only for small LANs that are run by a single administrator and have no IP traffic with the outside world. The format of the hosts file has already been described in Chapter 5.

Alternatively, you may use BIND, the Berkeley Internet Name Domain service, to resolve host names to IP addresses. Configuring BIND can be a real chore, but once you have done it, changes in the network topology are easy to make. On Linux, as on many other Unix-like systems, name service is provided through a program called named. At startup it loads a set of master files into its cache and waits for queries from remote or local user processes. There are different ways to set up BIND, and not all of them require you to run a name server on every host.

This chapter can do little more than give a rough sketch of how to operate a name server. If you plan to use BIND in anything larger than a small LAN, especially one with an Internet connection, you should get a good book on BIND, such as "DNS and BIND" by Cricket Liu ([AlbitzLiu92]). For current information, you may also check the release notes shipped with the BIND sources. There is also a newsgroup for DNS questions, comp.protocols.tcp-ip.domains.

6.1  The Resolver Library

When talking about "the resolver", we do not mean any special application, but the resolver library, a collection of functions that can be found in the standard C library. The central routines are gethostbyname(3) and gethostbyaddr(3), which look up all IP addresses belonging to a host, and vice versa.
They may be configured to simply look up information in /etc/hosts, to query a number of name servers, or to use the hosts database of NIS. Other applications, like smail, may include different drivers for any of these, and need special care.

6.1.1  The host.conf File

The central file that controls your resolver setup is host.conf. It resides in /etc and tells the resolver which services to use, and in what order. Options in host.conf must appear on separate lines; fields are separated by white space (spaces or tabs). A hash sign (#) introduces a comment line. The available options are:

order  Determines the order in which the resolving services are tried. Valid options are bind for querying the name server, hosts for lookups in /etc/hosts, and nis for NIS lookups. Any or all of them may be specified; the order in which they appear on the line determines the order in which the respective services are tried.

multi  Takes on or off as its argument. It determines whether a host in /etc/hosts is allowed to have several IP addresses, which is usually referred to as being "multi-homed". This flag has no effect on DNS or NIS queries.

nospoof  As explained in the previous chapter, DNS allows you to find the host name belonging to an IP address by using the in-addr.arpa domain. Attempts by name servers to supply a false host name are called "spoofing".
To guard against this, the resolver can be configured to check whether the original IP address is in fact associated with the host name it obtained. If not, the name is rejected and an error is returned. This behaviour is turned on by setting nospoof to on.

alert  Takes on or off as its argument. If turned on, any spoof attempt (see above) causes the resolver to log a message through syslog.

trim  Takes a domain name as its argument, which is removed from host names before lookup. This is useful for hosts entries, where you may want to give only host names without the local domain. A lookup of a host with the local domain name appended will have that domain removed, so that the lookup in /etc/hosts succeeds.

A sample file for vlager is shown below:

    # /etc/host.conf
    # We have named running, but no NIS (yet)
    order   bind hosts
    # Allow multiple addrs
    multi   on
    # Guard against spoof attempts
    nospoof on
    # Trim local domain (not really ...

6.1.2  Resolver Environment Variables

The settings from host.conf may be overridden by a number of environment variables:

RESOLV_HOST_CONF  Specifies a file to be read instead of /etc/host.conf.

RESOLV_SERV_ORDER  Overrides the order option given in host.conf. Services are given as hosts, bind, and nis, separated by spaces, commas, colons, or semicolons.

RESOLV_SPOOF_CHECK  Determines the measures taken against spoofing. It is disabled completely by off. The values warn and warn off enable spoof checking, but turn logging on and off, respectively. A value of * turns on spoof checks, but leaves the logging facility as defined in host.conf.

RESOLV_MULTI  A value of on or off may be used to override the multi option from host.conf.

RESOLV_OVERRIDE_TRIM_DOMAINS  Specifies a list of trim domains which override those given in host.conf.

RESOLV_ADD_TRIM_DOMAINS  Specifies a list of trim domains which are added to those given in host.conf.

Note that RESOLV_SPOOF_CHECK=off switches the spoof check off for every program that inherits it, so the environment a process starts with is part of its trust boundary.
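The nospoof check described above, as an added example that is not part of the original chapter and not the C library's resolver code: it reads a host.conf (the sample from this section, with the trim line assumed to be "trim vbrew.com."), then answers a reverse lookup only after confirming that the name's forward lookup points back at the same address. The two answer tables stand in for replies a name server would give and are constructed for the demonstration; 10.9.8.7 is the spoof attempt.

```python
"""Resolver-side spoof check, as host.conf's nospoof and alert options describe it.
Added example for this page, not code from the Guide or from the C library
resolver. The two answer tables stand in for replies a name server would give
and are constructed for the demonstration; the 10.9.8.7 entry is the spoof."""
from typing import Dict, List, Optional

SAMPLE_HOST_CONF = """
# /etc/host.conf (sample from this section; the trim line is an assumption)
order   bind hosts
multi   on
nospoof on
alert   on
trim    vbrew.com.
"""

PTR_ANSWERS: Dict[str, str] = {            # reverse lookups: address -> name
    "191.72.1.2": "vstout.vbrew.com",      # honest
    "10.9.8.7": "vlager.vbrew.com",        # an outsider naming itself after our server
}
A_ANSWERS: Dict[str, List[str]] = {        # forward lookups: name -> addresses
    "vstout.vbrew.com": ["191.72.1.2"],
    "vlager.vbrew.com": ["191.72.1.1", "191.72.2.1"],
}


def parse_host_conf(text: str) -> Dict:
    """One option per line, '#' starts a comment; on/off flags become booleans."""
    conf: Dict = {"order": [], "multi": False, "nospoof": False, "alert": False, "trim": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.lower().split()
        if key == "order":
            conf["order"] = args
        elif key in ("multi", "nospoof", "alert"):
            conf[key] = args[0] == "on"
        elif key == "trim":
            conf["trim"].append(args[0].rstrip("."))
    return conf


def gethostbyaddr(ip: str, conf: Dict, syslog: Optional[List[str]] = None) -> Optional[str]:
    """Reverse-map ip. With nospoof on, the PTR name is believed only if a
    forward lookup of that name yields ip again; otherwise the answer is dropped
    and, with alert on, a line goes to syslog (a plain list here)."""
    name = PTR_ANSWERS.get(ip)
    if name is None or not conf["nospoof"] or ip in A_ANSWERS.get(name, []):
        return name
    if conf["alert"] and syslog is not None:
        syslog.append(f"gethostbyaddr: {name} != {ip}, possible spoof attempt")
    return None


def trim_name(name: str, conf: Dict) -> str:
    """Apply trim before a hosts-file lookup: vale.vbrew.com -> vale."""
    for dom in conf["trim"]:
        if name.lower().endswith("." + dom):
            return name[: -(len(dom) + 1)]
    return name
```

The check works because whoever operates the reverse zone for 10.9.8.7 can put any name into its PTR record, but cannot insert an A record into vbrew.com; tying the two lookups together makes the forward zone the authority. It does not help if the attacker controls both zones or has poisoned the cache your resolver asks.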
6.1.3  Configuring Name Server Lookups: resolv.conf

When configuring the resolver library to use the BIND name service for host lookups, you also have to tell it which name servers to use. There is a separate file for this, called resolv.conf. If this file does not exist or is empty, the resolver assumes the name server is on your local host.

If you run a name server on your local host, you have to set it up separately, as explained in the following section. If you are on a local network and have the opportunity to use an existing name server, this should always be preferred.

The most important option in resolv.conf is nameserver, which gives the IP address of a name server to use. If you specify several name servers by giving the nameserver option several times, they are tried in the order given. You should therefore put the most reliable server first. Currently, at most three name servers are supported. If no nameserver option is given, the resolver attempts to connect to the name server on the local host.

Two other options, domain and search, deal with default domains that are tacked onto a host name if BIND fails to resolve it with the first query. The search option specifies a list of domain names to be tried. The list items are separated by spaces or tabs. If no search option is given, a default search list is constructed from the local domain name by using the domain name itself, plus all parent domains up to the root.
The local domain name may be given using the domain statement; if none is given, the resolver obtains it through the getdomainname(2) system call.

If this sounds confusing, consider this sample resolv.conf file for the Virtual Brewery:

    # /etc/resolv.conf
    # Our domain
    domain      vbrew.com
    #
    # We use vlager as central nameserver:
    nameserver  191.72.1.1

When resolving the name vale, the resolver would look up vale first, and, failing this, vale.vbrew.com, and then vale.com. Note that the last of these queries leaves your domain: a failed lookup of a local short name is sent to servers for com, which you do not run.

6.1.4  Resolver Robustness

If you run a LAN inside a larger network, you should use the central name servers if they are available. The advantage of this is that they develop rich caches, since all queries are forwarded to them. This scheme, however, has a drawback: when a fire destroyed the backbone cable at our university, no more work was possible on our department's LAN, because the resolver could not reach any name server any more. There was no logging in on X terminals, no printing, and so on.

Although it is not very common for campus backbones to go up in flames, one should take precautions against cases like these.

One option is to set up a local name server that resolves host names from your local domain and forwards all queries for other host names to the main servers. Of course, this is applicable only if you are running your own domain.

Alternatively, you can maintain a backup host table for your domain or LAN in /etc/hosts. In /etc/host.conf you would then include "order bind hosts" to make the resolver fall back to the hosts file if the central name server is unreachable.

6.2  Running named

The program that provides domain name service on most Unix machines is usually called named (pronounced name-dee). This is a server program originally developed for BSD that provides name service to clients, and possibly to other name servers. The version used on most Linux installations is BIND-4.8.3. BIND-4.9.3 is currently in beta test.
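The search-list behaviour of section 6.1.3, as an added example that is not part of the original chapter and not the resolver library's own code. It parses the Virtual Brewery resolv.conf above, builds the default search list as the text describes it (the domain and its parents up to the root), enforces the three-server limit, and lists which candidate names leave the local domain; the behaviour for a missing domain line (falling back to getdomainname(2)) is only noted, not implemented.

```python
"""Search-list behaviour of resolv.conf (section 6.1.3). Added example for this
page, not code from the Guide or the resolver library. It parses the Virtual
Brewery sample file, builds the default search list as the text describes it
(the domain and its parents up to the root) and lists which candidates leave
the local domain. MAXNS = 3 follows the chapter's "three name servers"."""
from typing import Dict, List

MAXNS = 3
SAMPLE_RESOLV_CONF = """
# /etc/resolv.conf
# Our domain
domain      vbrew.com
#
# We use vlager as central nameserver:
nameserver  191.72.1.1
"""


def parse_resolv_conf(text: str) -> Dict:
    conf: Dict = {"nameservers": [], "domain": None, "search": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and len(conf["nameservers"]) < MAXNS:
            conf["nameservers"].append(args[0])       # beyond MAXNS: silently ignored
        elif key == "domain":
            conf["domain"] = args[0].rstrip(".").lower()
        elif key == "search":
            conf["search"] = [a.rstrip(".").lower() for a in args]
    return conf


def default_search_list(domain: str) -> List[str]:
    """The local domain plus every parent domain, stopping short of the root."""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def lookup_order(name: str, conf: Dict) -> List[str]:
    """Names the resolver tries, in order, for a query of `name`. A trailing dot
    makes the name absolute and suppresses the search list."""
    if name.endswith("."):
        return [name.rstrip(".").lower()]
    if conf["search"] is not None:
        search = conf["search"]
    elif conf["domain"]:
        search = default_search_list(conf["domain"])
    else:
        search = []   # a real resolver would fall back to getdomainname(2) here
    return [name.lower()] + [f"{name.lower()}.{d}" for d in search]


def off_site_queries(name: str, conf: Dict) -> List[str]:
    """Candidates outside the local domain: when a short local name cannot be
    resolved, these lookups (and thus the host name) go to servers you do not run."""
    local = "." + (conf["domain"] or "")
    return [c for c in lookup_order(name, conf)[1:] if not c.endswith(local)]
```

Giving an explicit search line that stops at your own domain keeps failed lookups of internal names from being sent to the parent domain's servers.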
This section requires some understanding of the way the Domain Name System works. If the following discussion is all Greek to you, you may want to re-read Chapter 2, which has more information on the basics of DNS.

named is usually started at system boot time and runs until the machine goes down again. It takes its information from a configuration file called /etc/named.boot, and from various files that contain the mapping of domain names to addresses and the like. The latter are called zone files. The formats and semantics of these files are explained in the following section.

To run named, simply type

    # /usr/sbin/named

at the prompt. named will come up, read named.boot and any zone files specified there. It writes its process ID in ASCII to /var/named.pid [1], downloads any zone files from primary servers if necessary, and starts listening on port 53 for DNS queries.

6.2.1  The named.boot File

The named.boot file is generally very small and contains little more than pointers to master files containing zone information, and pointers to other name servers. Comments in the boot file start with a semicolon and extend to the next newline. Before we discuss the format of named.boot in more detail, let us look at the sample file for vlager given in Figure 6.1.
    ;
    ; /etc/named.boot file for vlager.vbrew.com
    ;
    directory   /var/named
    ;
    ; domain                    file
    ;--------------------------------------------------
    cache       .                       named.ca
    primary     vbrew.com               named.hosts
    primary     0.0.127.in-addr.arpa    named.local
    primary     72.191.in-addr.arpa     named.rev

Figure 6.1  The named.boot file for vlager. [2]

The cache and primary commands shown in this example load information into named. This information is taken from the master files specified in the second argument. They contain textual representations of DNS resource records, which we will look at below.

In this example, we configure named as the primary name server for three domains, as indicated by the primary statements at the end of the file. The first of these lines, for instance, instructs named to act as a primary server for vbrew.com, taking the zone data from the file named.hosts.

The directory keyword tells it that all zone files are located in /var/named.

The cache entry is very special and should be present on virtually all machines running a name server. Its function is two-fold: it instructs named to enable its cache, and to load the root name server hints from the cache file specified (named.ca in our example). We will come back to the name server hints below.

Here is a list of the most important options you can use in named.boot:

directory  Specifies a directory in which zone files reside. Names of files in other options may be given relative to this directory. Several directories may be specified by repeating directory. According to the Linux file system standard, this should be /var/named.

primary  Takes a domain name and a file name as arguments, declaring the local server authoritative for the named domain. As a primary server, named loads the zone information from the given master file. There will generally be at least one primary entry in every boot file, namely for the reverse mapping of network 127.0.0.0, which is the loopback network.

secondary  Takes a domain name, an address list, and a file name as arguments. It declares the local server a secondary master server for the domain specified. A secondary server holds authoritative data on the domain, too, but it doesn't gather it from files; instead it tries to download it from the primary server. The IP address of at least one primary server must therefore be given to named in the address list. The local server will contact each of them in turn until it successfully transfers the zone database, which is then stored in the backup file given as the third argument. If none of the primary servers responds, the zone data is retrieved from the backup file instead. named will then attempt to refresh the zone data at regular intervals. This is explained below in connection with the SOA resource record type.

cache  Takes a domain name and a file name as arguments. This file contains the root server hints, which is a list of records pointing to the root name servers. Only NS and A records will be recognized. The domain argument is generally the root domain name ".". This information is absolutely crucial to named: if the cache statement does not occur in the boot file, named will not develop a local cache at all. This will severely degrade performance and increase network load if the next server queried is not on the local net. Moreover, named will not be able to reach any root name servers, and thus won't resolve any addresses except those it is authoritative for. An exception to this rule is the use of forwarding servers (cf. the forwarders option below).

forwarders  Takes an address list as argument. The IP addresses in this list specify name servers that named may query if it fails to resolve a query from its local cache. They are tried in order until one of them responds to the query.

slave  Makes the name server a slave server. That is, it will never perform recursive queries itself, but only forward them to the servers specified with the forwarders statement.

There are two options, sortlist and domain, that we will not discuss here. There are also two directives that may be used inside the zone database files, $INCLUDE and $ORIGIN. Since they are rarely needed, we will not describe them here either.

6.2.2  The DNS Database Files

Master files included with named, like named.hosts, always have a domain associated with them, which is called the origin. This is the domain name specified with the cache and primary commands. Within a master file, you are allowed to specify domain and host names relative to this domain. A name given in a configuration file is considered absolute if it ends in a single dot; otherwise it is considered relative to the origin. The origin itself may be referred to using "@".

All data contained in a master file is split up into resource records, or RRs for short. They make up the smallest unit of information available through DNS. Each resource record has a type. A records, for instance, map a host name to an IP address, and a CNAME record associates an alias for a host with its official host name. As an example, look at Figure 6.3, which shows the named.hosts master file for the Virtual Brewery.
Resource record representations in the master file share a common format, which is

    [domain] [ttl] [class] type rdata

Fields are separated by spaces or tabs. An entry may be continued across several lines if an opening parenthesis occurs before the first newline, and the last field is followed by a closing parenthesis. Anything between a semicolon and a newline is ignored.

domain  This is the domain name to which the entry applies. If no domain name is given, the RR is assumed to apply to the domain of the previous RR.

ttl  In order to force resolvers to discard information after a certain time, each RR is associated with a "time to live", or ttl for short. The ttl field specifies the time in seconds for which the information is valid after it has been retrieved from the server. It is a decimal number with at most eight digits. If no ttl value is given, it defaults to the value of the minimum field of the preceding SOA record.

class  This is an address class, like IN for IP addresses, or HS for objects in the Hesiod class. For TCP/IP networking, you have to make this IN. If no class field is given, the class of the preceding RR is assumed.

type  This describes the type of the RR. The most common types are A, SOA, PTR, and NS. The following sections describe the various types of RRs.

rdata  This holds the data associated with the RR. The format of this field depends on the type of the RR. Below, it is described for each RR separately.

The following is an incomplete list of RRs to be used in DNS master files. There are a couple more of them, which we will not explain. They are experimental, and of little use generally.

SOA  Describes a zone of authority (SOA means "Start of Authority"). It signals that the records following the SOA RR contain authoritative information for the domain.
Every master file included by a primary statement must contain an SOA record for this zone. The resource data contains the following fields:

origin  This is the canonical host name of the primary name server for this domain. It is usually given as an absolute name.

contact  This is the email address of the person responsible for maintaining the domain, with the "@" character replaced by a dot. For instance, if the responsible person at the Virtual Brewery is janet, this field would contain janet.vbrew.com.

serial  This is the version number of the zone file, expressed as a single decimal number. Whenever data in the zone file changes, this number should be incremented. The serial number is used by secondary name servers to recognize when zone information has changed. To stay up to date, secondary servers request the primary server's SOA record at certain intervals and compare the serial number to that of the cached SOA record. If the number has changed, the secondary servers transfer the whole zone database from the primary server.

refresh  This specifies the interval in seconds at which the secondary servers should check the SOA record of the primary server. Again, this is a decimal number with at most eight digits. Generally, the network topology doesn't change very often, so this number should specify an interval of roughly a day for larger networks.

retry  This number determines the interval at which a secondary server should retry contacting the primary server if a request or a zone refresh fails. It must not be too small, or else a temporary failure of the server or a network problem could cause the secondary server to waste network resources. One hour, or perhaps half an hour, might be a good choice.

expire  This specifies the time in seconds after which a secondary server should finally discard all zone data if it hasn't been able to contact the primary server. It should normally be very large.
Craig Hunt ([Hunt92]) recommends 42 days.

minimum  This is the default ttl value for resource records that do not explicitly contain one. It requests other name servers to discard the RR after a certain amount of time. It has, however, nothing to do with the time after which a secondary server tries to update the zone information. minimum should be a large value, especially for LANs where the network topology almost never changes. A value of around a week or a month is probably a good choice. Individual RRs may still be given a different ttl of their own.

A  Associates an IP address with a host name. The resource data field contains the address in dotted quad notation. For each host name, there should be only one A record. The host name used in this A record is considered the official or canonical host name. All other host names are aliases and must be mapped onto the canonical host name using a CNAME record.

NS  Points to a master name server of a subordinate zone. For an explanation of why NS records are needed, see Section 3.6. The resource data field contains the host name of the name server. To resolve that host name, an additional A record is needed, the so-called glue record, which gives the name server's IP address.

CNAME  Associates an alias for a host with its canonical host name. The canonical host name is the one the master file provides an A record for; aliases are simply linked to it by a CNAME record and have no other records of their own.

PTR  This type of record is used to associate names in the in-addr.arpa domain with host names. It is used for the reverse mapping of IP addresses to host names. The host name given must be the canonical host name.

MX  This RR announces a mail exchanger for a domain. The reasons for having mail exchangers are discussed in the "Mail Routing" section of Chapter 13. The syntax of an MX record is

    [domain] [ttl] [class] MX preference host

where host is the name of the mail exchanger for domain.
Each mail exchanger has an integer preference associated with it. A mail transport agent that wants to deliver mail to domain will try all hosts that have an MX record for this domain until it succeeds. The one with the lowest preference value is tried first, and then the others in order of increasing preference value.

HINFO  This record provides information on the system's hardware and software. Its syntax is

    [domain] [ttl] [class] HINFO hardware software

The hardware field identifies the hardware used by this host. There are special conventions for specifying it; a list of valid names is given in the "Assigned Numbers" RFC (RFC 1340). If the field contains any blanks, it must be enclosed in double quotes. The software field specifies the operating system software used by the system. Again, a valid name from the "Assigned Numbers" RFC should be chosen. Bear in mind that anyone who can query your server can read these records, so HINFO hands out hardware and operating system details that an attacker would otherwise have to find out by probing.

6.2.3  Writing the Master Files

Figures 6.2, 6.3, 6.4 and 6.5 give sample files for a name server at the brewery, located on vlager. Owing to the nature of the network discussed (a single LAN), the example is pretty straightforward. If your requirements are more complex and you can't get named running, read "DNS and BIND" by Cricket Liu and Paul Albitz ([AlbitzLiu92]).

The named.ca cache file shown in Figure 6.2 shows sample hint records for root name servers. A typical cache file usually describes about a dozen name servers. You can obtain the current list of name servers for the root domain with the nslookup tool described later in this chapter. [3]
    ;
    ; /var/named/named.ca  Cache file for the brewery.
    ;       We're not on the Internet, so we don't need
    ;       any root servers. To activate these
    ;       records, remove the semicolons.
    ;
    ;.                       99999999 IN  NS  NS.NIC.DDN.MIL
    ;NS.NIC.DDN.MIL          99999999 IN  A   26.3.0.103
    ;.                       99999999 IN  NS  NS.NASA.GOV
    ;NS.NASA.GOV             99999999 IN  A   128.102.16.10

Figure 6.2  The named.ca file.

    ;
    ; /var/named/named.hosts   Local hosts at the brewery
    ;       Origin is vbrew.com
    ;
    @               IN  SOA vlager.vbrew.com. (
                            janet.vbrew.com.
                            16              ; serial
                            86400           ; refresh: once per day
                            3600            ; retry: one hour
                            3600000         ; expire: 42 days
                            604800          ; minimum: 1 week
                            )
                    IN  NS  vlager.vbrew.com.
    ;
    ; local mail is distributed on vlager
                    IN  MX  10 vlager
    ;
    ; loopback address
    localhost.      IN  A   127.0.0.1
    ; brewery Ethernet
    vlager          IN  A   191.72.1.1
    vlager-if1      IN  CNAME vlager
    ; vlager is also news server
    news            IN  CNAME vlager
    vstout          IN  A   191.72.1.2
    vale            IN  A   191.72.1.3
    ; winery Ethernet
    vlager-if2      IN  A   191.72.2.1
    vbardolino      IN  A   191.72.2.2
    vchianti        IN  A   191.72.2.3
    vbeaujolais     IN  A   191.72.2.4

Figure 6.3  The named.hosts file.

    ;
    ; /var/named/named.local    Reverse mapping of 127.0.0
    ;       Origin is 0.0.127.in-addr.arpa.
    ;
    @               IN  SOA vlager.vbrew.com. (
                            joe.vbrew.com.
                            1               ; serial
                            360000          ; refresh: 100 hrs
                            3600            ; retry: one hour
                            3600000         ; expire: 42 days
                            360000          ; minimum: 100 hrs
                            )
                    IN  NS  vlager.vbrew.com.
    1               IN  PTR localhost.

Figure 6.4  The named.local file.

    ;
    ; /var/named/named.rev     Reverse mapping of our IP addresses
    ;       Origin is 72.191.in-addr.arpa.
    ;
    @               IN  SOA vlager.vbrew.com. (
                            joe.vbrew.com.
                            16              ; serial
                            86400           ; refresh: once per day
                            3600            ; retry: one hour
                            3600000         ; expire: 42 days
                            604800          ; minimum: 1 week
                            )
                    IN  NS  vlager.vbrew.com.
    ; brewery
    1.1             IN  PTR vlager.vbrew.com.
    2.1             IN  PTR vstout.vbrew.com.
    3.1             IN  PTR vale.vbrew.com.
    ; winery
    1.2             IN  PTR vlager-if2.vbrew.com.
    2.2             IN  PTR vbardolino.vbrew.com.
    3.2             IN  PTR vchianti.vbrew.com.
    4.2             IN  PTR vbeaujolais.vbrew.com.

Figure 6.5  The named.rev file.

Note that the PTR for 191.72.2.1 names vlager-if2, the canonical name holding that A record in named.hosts, and not the alias vlager-if1: a PTR must point at a canonical host name, and the forward and reverse files must agree.

6.2.4  Verifying the Name Server Setup

There is a fine tool for checking the operation of your name server setup. It is called nslookup, and may be used both interactively and from the command line. In the latter case, you simply invoke it as

    nslookup hostname

and it will query the name server specified in resolv.conf for hostname. (If this file names more than one server, nslookup will choose one at random.)

The interactive mode, however, is far more exciting. Besides looking up individual hosts, you may query for any type of DNS record, and transfer the entire zone information for a domain. Bear in mind that a zone transfer hands out the complete host list of a domain to whoever can request one; running it against your own server shows what an outsider could learn about your network.

When invoked without an argument, nslookup displays the name server it uses and enters interactive mode. At the '>' prompt, you may type any domain name you want to query for. By default, it asks for class A records, those containing the IP address related to the domain name. You may change this type by issuing "set type=type", where type is one of the resource record names described in section 6.2 above, or any.

For example, you might have the following dialogue with it:

    $ nslookup
    Default Name Server:  rs10.hrz.th-darmstadt.de
    Address:  130.83.56.60

    > sunsite.unc.edu
    Name Server:  rs10.hrz.th-darmstadt.de
    Address:  130.83.56.60

    Non-authoritative answer:
    Name:    sunsite.unc.edu
    Address:  152.2.22.81

If you try to query for a name that has no IP address associated with it, but other records were found in the DNS database, nslookup returns an error message saying "No type A records found". However, you can make it query for records other than type A by issuing the "set type" command.
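The master files of Figures 6.3 and 6.5 can also be checked offline for the consistency rules this chapter states (aliases point at names with A records, PTRs name canonical hosts, forward and reverse mappings agree), which is the kind of check dnswalk, mentioned below, performs. The following is an added example, not code from BIND, dnswalk, or the Guide. Its parser implements the master-file format of section 6.2.2 (relative names, "@", parenthesised continuation lines, ';' comments, optional ttl and class); the zone texts are shortened versions of the figures, constructed for the demonstration, with one PTR deliberately pointing at the alias vlager-if1 so that the checker has something to report.

```python
"""Offline consistency check of named master files, in the spirit of dnswalk.
Added example for this page; not code from BIND, dnswalk, or the Guide. The
zone texts are constructed from Figures 6.3 and 6.5 (shortened), with one PTR
deliberately pointing at the alias vlager-if1 so that there is a finding."""
import re
from typing import Dict, List, Set, Tuple

RR = Tuple[str, str, str, List[str]]   # (owner, class, type, rdata fields)
CLASSES = {"IN", "HS", "CH"}

NAMED_HOSTS = """
; constructed from Figure 6.3, origin vbrew.com
@           IN SOA vlager.vbrew.com. (
                janet.vbrew.com.
                16 86400 3600    ; serial, refresh, retry
                3600000 604800 ) ; expire, minimum
            IN NS  vlager.vbrew.com.
localhost.  IN A   127.0.0.1
vlager      IN A   191.72.1.1
vlager-if1  IN CNAME vlager
vstout      IN A   191.72.1.2
vlager-if2  IN A   191.72.2.1
"""
NAMED_REV = """
; constructed from Figure 6.5, origin 72.191.in-addr.arpa
@    IN SOA vlager.vbrew.com. joe.vbrew.com. 16 86400 3600 3600000 604800
1.1  IN PTR vlager.vbrew.com.
2.1  IN PTR vstout.vbrew.com.
1.2  IN PTR vlager-if1.vbrew.com.   ; wrong on purpose: an alias, and the wrong host
"""

def absolute(name: str, origin: str) -> str:
    """Section 6.2.2 rule: '@' is the origin, a trailing dot marks an absolute
    name, anything else is relative to the origin (which ends in a dot)."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def parse_master(text: str, origin: str) -> List[RR]:
    """';' comments, '(' ... ')' continuation lines, an owner inherited from the
    previous record when the line starts with whitespace, optional ttl/class."""
    origin = origin.rstrip(".").lower() + "."
    entries, buf, depth = [], "", 0
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw)
        buf = line if depth == 0 else buf + " " + line
        depth += line.count("(") - line.count(")")
        if depth == 0 and buf.strip():
            entries.append(buf)
    records, owner = [], origin
    for entry in entries:
        fields = entry.replace("(", " ").replace(")", " ").split()
        if not entry[0].isspace():
            owner = absolute(fields.pop(0), origin)
        if fields[0].isdigit():                   # optional ttl
            fields.pop(0)
        rclass = fields.pop(0).upper() if fields[0].upper() in CLASSES else "IN"
        records.append((owner, rclass, fields.pop(0).upper(), fields))
    return records

def soa_fields(records: List[RR]) -> Dict[str, object]:
    """The SOA rdata of section 6.2.2 as a dict; numeric fields become ints."""
    rd = next(r[3] for r in records if r[2] == "SOA")
    keys = ("serial", "refresh", "retry", "expire", "minimum")
    return {"origin": rd[0], "contact": rd[1], **dict(zip(keys, map(int, rd[2:7])))}

def ptr_to_ip(name: str) -> str:
    """'2.1.72.191.in-addr.arpa.' -> '191.72.1.2' (a zone origin gives a prefix)."""
    labels = name.rstrip(".").split(".")
    return ".".join(reversed(labels[:-2]))        # drop 'in-addr', 'arpa'

def check_zones(fwd: List[RR], fwd_origin: str, rev: List[RR], rev_origin: str) -> List[str]:
    """Aliases must point at names holding A records, PTRs must name canonical
    hosts, and forward/reverse must agree inside the reverse zone's network."""
    fwd_origin = fwd_origin.rstrip(".").lower() + "."
    problems: List[str] = []
    a_of: Dict[str, Set[str]] = {}                # name -> addresses
    cname: Dict[str, str] = {}                    # alias -> canonical name
    for owner, _, rtype, rdata in fwd:
        if rtype == "A":
            a_of.setdefault(owner, set()).add(rdata[0])
        elif rtype == "CNAME":
            cname[owner] = absolute(rdata[0], fwd_origin)
    for alias, target in cname.items():
        if alias in a_of:
            problems.append(f"{alias} has both A and CNAME records")
        if target not in a_of:
            problems.append(f"CNAME {alias} -> {target}: target has no A record")
    network = ptr_to_ip(rev_origin) + "."         # e.g. '191.72.'
    ptr_of: Dict[str, str] = {}
    for owner, _, rtype, rdata in rev:
        if rtype != "PTR":
            continue
        ip, target = ptr_to_ip(owner), absolute(rdata[0], fwd_origin)
        ptr_of[ip] = target
        if target in cname:
            problems.append(f"PTR {ip} -> {target} names an alias, not a canonical host")
        elif ip not in a_of.get(target, set()):
            problems.append(f"PTR {ip} -> {target}, but that name has no A record for {ip}")
    for name, ips in a_of.items():
        for ip in sorted(ips):
            if ip.startswith(network) and ptr_of.get(ip) != name:
                problems.append(f"A {name} -> {ip} has no matching PTR")
    return problems
```

Running check_zones on the two constructed files reports the bad PTR twice, once as pointing at an alias and once as leaving vlager-if2 without a matching reverse entry; with the PTR changed to vlager-if2 the report is empty. Addresses outside the reverse zone's network (localhost here) are deliberately not expected to have a PTR in it. soa_fields gives you the serial and timers as numbers, which is what you compare when deciding whether a secondary is stale.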
For example, to get the SOA record of unc.edu, you would issue:

    > unc.edu
    *** No address (A) records available for unc.edu
    Name Server:  rs10.hrz.th-darmstadt.de
    Address:  130.83.56.60

    > set type=SOA
    > unc.edu
    Name Server:  rs10.hrz.th-darmstadt.de
    Address:  130.83.56.60

    Non-authoritative answer:
    unc.edu
            origin = ns.unc.edu
            mail addr = shava.ns.unc.edu
            serial = 930408
            refresh = 28800 (8 hours)
            retry   = 3600 (1 hour)
            expire  = 1209600 (14 days)
            minimum ttl = 86400 (1 day)
    Authoritative answers can be found from:
    UNC.EDU nameserver = SAMBA.ACS.UNC.EDU

In a similar fashion you can query for MX records, and so on. Using a type of any returns all resource records associated with a given name.

    > set type=MX
    > unc.edu
    Non-authoritative answer:
    unc.edu preference = 10, mail exchanger = lambada.oit.unc.edu
    lambada.oit.unc.edu  internet address = 152.2.22.80
    Authoritative answers can be found from:
    UNC.EDU nameserver = SAMBA.ACS.UNC.EDU
    SAMBA.ACS.UNC.EDU internet address = 128.109.157.30

A practical application of nslookup besides debugging is to obtain the current list of root name servers for the named.ca file.
You can do this by querying for all name server records associated with the root domain:

    > set type=NS
    > .
    Name Server:  fb0430.mathematik.th-darmstadt.de
    Address:  130.83.2.30

    Non-authoritative answer:
    (root)  nameserver = NS.INTERNIC.NET
    (root)  nameserver = AOS.ARL.ARMY.MIL
    (root)  nameserver = C.NYSER.NET
    (root)  nameserver = TERP.UMD.EDU
    (root)  nameserver = NS.NASA.GOV
    (root)  nameserver = NIC.NORDU.NET
    (root)  nameserver = NS.NIC.DDN.MIL
    Authoritative answers can be found from:
    (root)  nameserver = NS.INTERNIC.NET
    (root)  nameserver = AOS.ARL.ARMY.MIL
    (root)  nameserver = C.NYSER.NET
    (root)  nameserver = TERP.UMD.EDU
    (root)  nameserver = NS.NASA.GOV
    (root)  nameserver = NIC.NORDU.NET
    (root)  nameserver = NS.NIC.DDN.MIL
    NS.INTERNIC.NET  internet address = 198.41.0.4
    AOS.ARL.ARMY.MIL internet address = 128.63.4.82
    AOS.ARL.ARMY.MIL internet address = 192.5.25.82
    AOS.ARL.ARMY.MIL internet address = 26.3.0.29
    C.NYSER.NET      internet address = 192.33.4.12
    TERP.UMD.EDU     internet address = 128.8.10.90
    NS.NASA.GOV      internet address = 128.102.16.10
    NS.NASA.GOV      internet address = 192.52.195.10
    NS.NASA.GOV      internet address = 45.13.10.121
    NIC.NORDU.NET    internet address = 192.36.148.17
    NS.NIC.DDN.MIL   internet address = 192.112.36.4

This list is a snapshot from the time of writing; the set of root servers has changed since, so do not copy these addresses into a live named.ca but obtain the current list as shown. The complete set of commands available in nslookup may be obtained with its help command.

6.2.5  Other Useful Tools

There are a few tools that can help you with your tasks as a BIND administrator. I will briefly describe two of them here. Please refer to the documentation that comes with these tools for more information on how to use them.

hostcvt helps you with your initial BIND configuration by converting your /etc/hosts file into master files for named. It generates both the forward (A) and reverse mapping (PTR) entries, and takes care of aliases and the like. Of course, it won't do the whole job for you, as you may still want to tune the timeout values in the SOA record, add MX records, and so on. Still, it may save you a few aspirins. hostcvt is part of the BIND source, but can also be found as a standalone package on a number of Linux FTP servers.
After setting up your name server, you may want to test your configuration. The tool I use for this (and, as far as I know, the only one there is) is dnswalk, a perl-based package that walks your DNS database looking for common mistakes and verifies that the information is consistent. dnswalk has recently been released on comp.sources.misc, and should be available on all FTP sites that archive this group (ftp.uu.net should be a safe bet if you don't know of any such site near you).

Notes

[1] There are various named binaries floating around Linux FTP sites, each configured a little differently. Some keep their PID file in /etc, others store it in /tmp or /var/tmp.

[2] Note that the domain names in this example are given without a trailing dot. Earlier versions of named seem to treat trailing dots in named.boot as an error and silently discard the line. BIND-4.9.3 is said to fix this.

[3] Note that you can't query your name server for the root servers if you don't have any root server hints installed. Catch-22! To escape this dilemma, you can either make nslookup use a different name server, or you can use the sample file in Figure 6.2 as a starting point, and then obtain the full list of valid servers.

Source:
Linux free pigeon