The Concise Guide to DNS and BIND

*********************************************************************
CHAPTER 1  DNS CONCEPTS
*********************************************************************

TLDs are top-level domains: the last label before the root (.). Examples are .com, .net, .gov, .org, .edu and the ISO 3166 two-letter country codes.

www.amazon.com is an FQDN (fully qualified domain name), the full DNS name of a host.

DNS is a distributed database. The DNS database is too important and too large to be implemented in one location, so it is spread all over the place.

Each TLD such as .com is run by a registry, and registrars take registrations on the registry's behalf. When amazon.com is registered, the registrar has the .com zone delegate amazon.com by adding NS records that point at the name servers the IS people at Amazon choose. Thereafter, everything under amazon.com is the responsibility of the IS people at Amazon. If they decide to create video.amazon.com, they have full authority to add it to amazon.com, and they can delegate video.amazon.com in turn to, say, the video department. If the video department runs its own DNS server, it can then create domestic.video.amazon.com and international.video.amazon.com without asking anyone above it.

    www.      amazon.              com.               .
    host      amazon DNS server    TLD DNS server     root DNS server

DNS Caching
---------------------------------------------------------------------------------------
A DNS server has a cache: it remembers the answers to the recent queries it has made, so it does not have to ask the same questions again. Each answer is cached only for the time to live (TTL) the authoritative server attached to it, not forever.

The reason answers cannot be cached permanently is that changes in DNS would never propagate. Say you set up www.amazon.com, and today added teddy.amazon.com. A server that had previously asked about teddy.amazon.com and cached the "no such name" answer forever would never need to ask your DNS server again, and would keep handing out the stale result. (Negative answers are cached too, for the time the zone's SOA record allows.) This is like asking someone how their family is every once in a while: if someone new was born, you would hear about it.
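The delegation chain in the diagram above (host, amazon DNS server, TLD DNS server, root DNS server) and the cache described here can be modelled in a few dozen lines. The following Python is an added example, not code from the guide: the zone data, addresses and TTLs are constructed for illustration, the root server is a stand-in at a documentation address, and the resolver walks the referrals, caches what it learns, and forgets entries once their TTL runs out. The point it shows is that, once the amazon.com delegation is cached, later questions about amazon.com never touch the root or .com servers until the TTL expires.

```python
"""Toy model of DNS delegation and resolver caching (added example, not the guide's code)."""
import time

ROOT_HINT = "192.0.2.254"  # constructed address standing in for a root server

# Each authoritative server knows only its own zone ("apex") plus the NS and
# glue A records that delegate child zones to someone else. All constructed.
SERVERS = {
    ROOT_HINT: {"apex": ".", "records": {
        "com.": [("NS", "a.gtld-servers.net.", 172800)],
        "a.gtld-servers.net.": [("A", "192.0.2.1", 172800)],   # glue
    }},
    "192.0.2.1": {"apex": "com.", "records": {                # the .com TLD server
        "amazon.com.": [("NS", "ns1.amazon.com.", 172800)],
        "ns1.amazon.com.": [("A", "192.0.2.53", 172800)],     # glue
    }},
    "192.0.2.53": {"apex": "amazon.com.", "records": {        # amazon.com's own server
        "www.amazon.com.": [("A", "192.0.2.80", 300)],
        "teddy.amazon.com.": [("CNAME", "www.amazon.com.", 300)],
        "ns1.amazon.com.": [("A", "192.0.2.53", 3600)],
    }},
}


def _suffixes(name):
    """'www.amazon.com.' -> ['www.amazon.com.', 'amazon.com.', 'com.', '.']"""
    labels = name.split(".")
    return [".".join(labels[i:]) or "." for i in range(len(labels))]


def authoritative_answer(server, qname, qtype):
    """One authoritative server's reply: answer, cname, referral or nxdomain."""
    recs = server["records"]
    for zone in _suffixes(qname):
        if zone == server["apex"]:
            break                      # from here down the data is ours, not delegated
        ns = [r for r in recs.get(zone, []) if r[0] == "NS"]
        if ns:                         # qname lives in a child zone: hand out the delegation
            glue = [r for r in recs.get(ns[0][1], []) if r[0] == "A"]
            return ("referral", zone, ns, glue)
    rrs = recs.get(qname, [])
    answers = [r for r in rrs if r[0] == qtype]
    if answers:
        return ("answer", answers)
    cname = [r for r in rrs if r[0] == "CNAME"]
    if cname:
        return ("cname", cname)
    return ("nxdomain",)


class CachingResolver:
    def __init__(self, root_hint=ROOT_HINT):
        self.root_hint = root_hint
        self.cache = {}        # (name, type) -> (records, absolute expiry time)
        self.queries_sent = 0  # how often we had to bother an authoritative server

    def _get(self, name, qtype, now):
        hit = self.cache.get((name, qtype))
        if hit and hit[1] > now:
            return hit[0]
        self.cache.pop((name, qtype), None)   # stale: a wrong answer is worse than none
        return None

    def _put(self, name, qtype, records, now):
        self.cache[(name, qtype)] = (records, now + min(r[2] for r in records))

    def _start_server(self, name, now):
        """Start at the closest delegation we still remember, else at the root."""
        for zone in _suffixes(name):
            ns = self._get(zone, "NS", now)
            glue = ns and self._get(ns[0][1], "A", now)
            if glue:
                return glue[0][1]
        return self.root_hint

    def resolve(self, name, qtype="A", now=None, _depth=0):
        name = name.lower() if name.endswith(".") else name.lower() + "."
        now = time.time() if now is None else now
        cached = self._get(name, qtype, now)
        if cached:
            return [r[1] for r in cached]
        if _depth > 8:
            raise RuntimeError("too many CNAME hops")
        server_ip = self._start_server(name, now)
        for _hop in range(10):             # referral chains are short; never loop forever
            self.queries_sent += 1
            reply = authoritative_answer(SERVERS[server_ip], name, qtype)
            if reply[0] == "answer":
                self._put(name, qtype, reply[1], now)
                return [r[1] for r in reply[1]]
            if reply[0] == "cname":        # cache the alias, then chase the canonical name
                self._put(name, "CNAME", reply[1], now)
                return self.resolve(reply[1][0][1], qtype, now, _depth + 1)
            if reply[0] == "referral":
                _, zone, ns, glue = reply
                self._put(zone, "NS", ns, now)
                if not glue:
                    raise RuntimeError("delegation without glue is not modelled here")
                self._put(ns[0][1], "A", glue, now)
                server_ip = glue[0][1]
                continue
            return []                      # nxdomain: this toy model does not cache it
        raise RuntimeError("referral loop")


if __name__ == "__main__":
    r = CachingResolver()
    print(r.resolve("www.amazon.com", now=0), r.queries_sent)    # root, TLD, zone: 3 queries
    print(r.resolve("teddy.amazon.com", now=1), r.queries_sent)  # delegation cached: 1 query
    print(r.resolve("www.amazon.com", now=400), r.queries_sent)  # A record TTL 300 expired: 1 more
```

The first lookup costs three queries (root, .com, amazon.com). The second, for a different name in the same zone, costs one, because the NS and glue records learned on the way were cached with their own TTLs; the CNAME it receives is followed from cache without any further query. At now=400 the 300-second A record has expired and is thrown away rather than served, which is exactly the "wrong information is worse than no answer" rule from the text.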
But if you asked them only once, and someone later asked you "How's the Smith family?" and you said "Okay, they have 5 members," that information could be quite wrong! Giving out the wrong information is worse than not answering at all!!

--------------------------------------------------------------------
Another important thing caching does is reduce the load on the root servers. If the root servers had to answer every DNS query, the Internet would crash very quickly. Fortunately, each DNS server on the Internet does its share of the work, so the root servers have a fighting chance. If you ask me, 13 root servers are pretty weak. They should have like 100 or more.

Zones and Authority
-------------------
The lines of authority in DNS are not between domains and subdomains. The lines of authority in DNS are between ZONES. Where there is a line of authority, there are two ZONES. A zone is like your property: you are responsible for your property, your neighbour is responsible for his, and the fence between you is the line of authority. He is responsible for his zone, you are responsible for your zone, and in between is the line.

------------------------------------------------------------
A zone is responsible for its own DNS data. A subdomain that has not been delegated is still part of its parent's zone and is the parent's responsibility; once the parent delegates it with NS records, it becomes a zone of its own.
------------------------------------------------------------

REVERSE ZONES
--------------
Forward-resolving DNS turns a name into an IP. If a client has only an IP and needs the NAME of the server, a REVERSE DNS record (a PTR record in a REVERSE ZONE) is required. Some services, notably mail servers, expect the reverse to be there: many reject or flag mail from an address whose PTR is missing or does not match the forward name.

FORWARD DNS (normal): provide the NAME, get an IP back.
REVERSE DNS: provide the IP, get a NAME back.

Say your IP is 200.100.50.4. To do REVERSE DNS, you look up 4.50.100.200.in-addr.arpa (the octets reversed, under the in-addr.arpa domain), and this will return the name, IF the sysadmin responsible for that address block has set up REVERSE DNS correctly. Note that the reverse zone is delegated along the address block, not along your domain name: whoever owns 200.100.50.0/24 controls 50.100.200.in-addr.arpa, so a PTR by itself proves nothing about who owns the name it returns.
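Building the reverse name is mechanical, and the check a mail server runs on a connecting address is short once you have it. The following Python is an added example, not code from the guide: it constructs the in-addr.arpa (and, going beyond the text, the ip6.arpa) name for an address, derives the PTR lines of a reverse zone from forward data so the two cannot disagree, and performs forward-confirmed reverse DNS (PTR, then A/AAAA of the returned name, then compare). The forward and reverse records are constructed for illustration; nothing talks to a real DNS server.

```python
"""Reverse-DNS names and forward-confirmed reverse DNS (added example, not the guide's code)."""
import ipaddress


def reverse_name(ip):
    """200.100.50.4 -> '4.50.100.200.in-addr.arpa.'; IPv6 gets the nibble-reversed ip6.arpa form."""
    addr = ipaddress.ip_address(ip)            # also rejects garbage input
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")   # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


# Constructed forward zone: name -> addresses.
FORWARD = {
    "mail.example.com.": ["200.100.50.4", "2001:db8::25"],
    "www.example.com.": ["200.100.50.80"],
}

# Constructed reverse data, as the sysadmin of 200.100.50.0/24 would publish it.
# The .5 entry is deliberately wrong: it names a host that does not resolve to .5.
PTR = {
    "4.50.100.200.in-addr.arpa.": "mail.example.com.",
    "5.50.100.200.in-addr.arpa.": "mail.example.com.",
}


def reverse_zone_lines(forward, network):
    """PTR lines for the reverse zone covering `network`, derived from the forward data
    so forward and reverse cannot drift apart. Sorted so the zone file diffs cleanly."""
    net = ipaddress.ip_network(network)
    lines = []
    for name, ips in forward.items():
        for ip in ips:
            if ipaddress.ip_address(ip) in net:   # v6 addresses are simply not in a v4 net
                lines.append(f"{reverse_name(ip)} IN PTR {name}")
    return sorted(lines)


def fcrdns(ip, ptr=PTR, forward=FORWARD):
    """Forward-confirmed reverse DNS: returns (ok, detail).

    ok is True only when the PTR for `ip` names a host whose A/AAAA records
    include `ip` again. A PTR alone proves nothing, because whoever controls
    the reverse zone can write any name into it."""
    name = ptr.get(reverse_name(ip))
    if name is None:
        return False, "no PTR record"
    forward_addrs = {ipaddress.ip_address(a) for a in forward.get(name, [])}
    if ipaddress.ip_address(ip) not in forward_addrs:
        return False, f"PTR names {name} but {name} does not resolve to {ip}"
    return True, name


if __name__ == "__main__":
    print(reverse_name("200.100.50.4"))
    print("\n".join(reverse_zone_lines(FORWARD, "200.100.50.0/24")))
    for ip in ("200.100.50.4", "200.100.50.5", "200.100.50.6"):
        print(ip, fcrdns(ip))
```

The .5 case is the one that bites in practice: a PTR exists, so a naive "does it have reverse DNS?" check passes, but the name it returns does not resolve back to the address, which is why mail servers do the second lookup.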
DUPLICATION AND DISTRIBUTION OF ZONES
-------------------------------------
Because DNS is so important, it needs to be redundant. For each ZONE, many servers exist. Most registrars require that you provide at least 2 name servers, with their IPs, for a new zone.

The DNS root servers are the most important servers in the world. Without those 13 servers, the Internet would quickly come to a screeching halt. Everywhere. These 13 root servers are geographically all over the world, and all 13 would have to go down, not 11, not 12, all 13. (Today each of the 13 names, A through M, is served from many anycast sites, and resolvers cache the root and TLD delegations, so even a total outage would take a while to be felt.)

Of these 13 root servers, historically one was the MASTER and the other 12 were slaves that transferred the root zone from it; today the root zone is published from a separate distribution master that is not one of the 13, and all 13 load it as slaves. If so, where is the master root server located? Is it A.ROOT-SERVERS.NET? If so, then the master root server is RS.INTERNIC.NET, which last I heard was at Herndon, Virginia near Tysons Corner.

This means that DNS ZONE TRANSFERS have to go from the MASTER to ALL ITS SLAVES. They are called MASTER/SLAVE. They used to be called PRIMARY/SECONDARY, and newer BIND 9 releases accept primary/secondary in named.conf again as the preferred terms.

When a DNS change is made on the MASTER, it sends a NOTIFY message to the SLAVES; each SLAVE then checks the zone's SOA serial number and transfers the zone if the serial has gone up (if you forget to bump the serial, the slaves think nothing changed). Independently of NOTIFY, a SLAVE polls its MASTER every "refresh" interval from the SOA record. If the MASTER cannot be reached, the SLAVE keeps trying at the shorter "retry" interval. If the "expire" interval passes without a single successful contact, the SLAVE stops answering any of your questions about that zone. Actually the SLAVE is doing the right thing; I mean, if you're not sure it's the "right answer", it's safest to not give any answer at all.

HOW DNS RESOLUTION WORKS
-------------------------
After you have DNS working properly in FORWARD and REVERSE, you need to be able to get from zone to zone. Getting from zone to zone is crucial and trips up many DNS admins and users.

When a client makes a DNS query, it specifies 2 things
------------------------------------------------------
1. the RR type, Resource Record (what kind of DNS information it needs)
2.
the LOOKUP KEY = the domain name (owner name) that the RR is wanted for

A RECORDS
---------
To find the address of www.amazon.com, the client requests the A record of www.amazon.com:

dig www.amazon.com A      (find the IP address of www.amazon.com)
dig www.ibm.com A         (find the IP address of www.ibm.com)

Both commands send the query to the recursive server in resolv.conf (or the one named with @server). That server first tries to find the answer in its local cache; if the record is not there, or its TTL has run out, it asks the root servers for help and walks down through the TLD servers to the zone's own servers. Add +trace to dig to watch that walk from your own machine.

NS RECORDS
----------
NS records are the name servers of a zone. Each zone has NS records showing which name servers to ask about this zone. Every zone that has subzones must also hold NS records for each subzone (the delegation), so that servers and hosts in the subzone can be found. If a subzone's name server lives inside the subzone itself, the parent also needs a glue A record for it; otherwise nobody can find the server to ask.

CNAME RECORDS (cnames are aliases)
---------------------------------
CNAME stands for canonical name. A CNAME record makes one name an alias for another, canonical name: a resolver that looks up the alias is told the canonical name and then looks that up instead. For example, a CNAME record could make teddy.amazon.com an alias whose canonical name is www.amazon.com; querying teddy.amazon.com for an A record would return the CNAME and then the A record of www.amazon.com.

FORWARD RESOLUTION is finding the IP from a DNS name. REVERSE RESOLUTION is finding the DNS name from the IP.

PTR RECORDS
----------
PTR records are the reverse records: they live in the in-addr.arpa zones and map an IP back to a name. Services that log hostnames instead of just IPs, or check against a list of hostnames, use REVERSE DNS to verify or log that information. Very often, if your REVERSE is not working, it causes lots of weird problems; slow logins and rejected mail are the classic symptoms.

dig -x 200.100.50.4       (look up the PTR record for 200.100.50.4)

********************************************************************************
CHAPTER 2  DNS IN PRACTICE
********************************************************************************

BIND can run on Windows as well as Unix. Strange to think of a BIND name server running on Windows, but it's a solution. ISC, the Internet Software Consortium (now the Internet Systems Consortium), makes BIND, INN and DHCP software available to the public.

Never ever run BIND4. If you come across this el-crappy version, upgrade it as soon as possible. Any version that needs a "named.boot" file is a BIND4; BIND 8 and BIND 9 use named.conf instead.

Configuring BIND
----------------
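The refresh, retry and expire values from the DUPLICATION AND DISTRIBUTION OF ZONES section are what you set in a zone's SOA record when you configure BIND, and the serial number is what makes a change visible to the slaves at all. The following Python simulation is an added example, not code from the guide or from BIND: the primary, its serial numbers and the SOA values are constructed, and `now` is a simulated clock in seconds. It shows a change that is not picked up until NOTIFY or refresh, the retry behaviour while the master is down, and the slave going silent once expire is reached.

```python
"""SOA refresh / retry / expire as seen by a secondary (added example, not BIND's code)."""
from dataclasses import dataclass, field


@dataclass
class Primary:
    """The master. Secondaries never see the zone text up front, only the SOA serial."""
    serial: int = 2024010101
    reachable: bool = True
    soa: dict = field(default_factory=lambda: {"refresh": 3600, "retry": 600, "expire": 86400})

    def publish(self, new_serial):
        """Edit the zone: the serial MUST go up, or secondaries will think nothing changed."""
        if new_serial <= self.serial:
            raise ValueError("serial must increase")
        self.serial = new_serial


class Secondary:
    def __init__(self, primary, now=0):
        self.primary = primary
        self.serial = None           # nothing loaded yet
        self.soa = dict(primary.soa)
        self.last_success = None     # last time the primary answered an SOA query
        self.next_check = now
        self.transfers = 0
        self.check(now)              # initial zone load

    def check(self, now):
        """SOA query to the primary; zone transfer only if its serial is newer."""
        p = self.primary
        if not p.reachable:
            self.next_check = now + self.soa["retry"]   # try again sooner than refresh
            return "retry"
        if self.serial is None or p.serial > self.serial:
            self.serial, self.soa = p.serial, dict(p.soa)
            self.transfers += 1
            outcome = "transferred"
        else:
            outcome = "up to date"
        self.last_success = now
        self.next_check = now + self.soa["refresh"]
        return outcome

    def notify(self, now):
        """NOTIFY from the primary: check immediately instead of waiting for refresh."""
        return self.check(now)

    def serving(self, now):
        """Serial this secondary answers with at time `now`, or None once the zone expired."""
        if now >= self.next_check:
            self.check(now)
        if self.last_success is None or now - self.last_success >= self.soa["expire"]:
            return None              # better SERVFAIL than an answer that may be stale
        return self.serial


if __name__ == "__main__":
    p = Primary()
    s = Secondary(p, now=0)
    p.publish(2024010102)
    print(s.serving(200))            # still the old serial: refresh not due, no NOTIFY
    s.notify(200)
    print(s.serving(201))            # new serial after the NOTIFY-triggered transfer
    p.reachable = False
    print(s.serving(3800))           # primary down: retrying, but still answering
    print(s.serving(86600))          # expire reached: None, the zone is no longer served
```

The expire value is the one to think hardest about: set it short and a weekend outage of the master takes every secondary off the air with it; set it long and a secondary can keep serving a zone that was changed weeks ago.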