#1
funky munky
    Advice on named.conf and master zone file config


    Hi,

    I've just set up named on FreeBSD 4.6-STABLE:
    Code:
    [11:26:46] munk@munkboxen /etc/namedb# named -v
    named 8.3.3-REL Tue Jul 23 20:31:29 GMT 2002
            root@munkboxen.mine.nu:/usr/obj/usr/src/usr.sbin/named
    and I'm after a 'sanity' check from someone more knowledgeable than myself on my named and master zone file configuration.

    I won't skip any of the details; it seems pretty stupid to configure a set of DNS records and then withhold them when asking for help, seeing as the DNS records are to be publicly accessible anyway!!!

    My configuration then is as follows:
    Code:
    [11:31:43] munk@munkboxen /etc/namedb# cat named.conf
    options {
            directory "/etc/namedb";
    };
    
    zone "." {
            type hint;
            file "named.root";
    };
    
    zone "0.0.127.IN-ADDR.ARPA" {
            type master;
            file "localhost.rev";
    };
    
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
            type master;
            file "localhost-v6.rev";
    };
    
    zone "munk.nu" {
            type master;
            file "db.munk.nu";
    };
    [11:32:02] munk@munkboxen /etc/namedb# cat db.munk.nu
    $TTL    86400                           ; default TTL; without it BIND 8 warns and falls back to the SOA minimum
    munk.nu. IN SOA ns1.munk.nu. munk.munk.nu. (
            2002090601                      ; Serial as YYYYMMDDnn; the serial is a 32-bit unsigned integer and 20020906110212 does not fit
            10800                           ; Refresh after 3 hours
            3600                            ; Retry after 1 hour
            604800                          ; Expire after 1 week
            86400 ) ; Minimum TTL 1 day (the negative-caching TTL under RFC 2308)
    
    ;
    ; NS Records (no owner given, so they inherit munk.nu. from the SOA line)
    ;
                                            IN NS   ns1.munk.nu.
                                            IN NS   ns2.munk.nu.
    
    ;
    ; Host Records (relative names get munk.nu. appended)
    ;
    localhost                       IN A            127.0.0.1
    ns1                                     IN A            213.152.51.194
    ns2                                     IN A            213.152.51.195
    www                                     IN A            213.152.51.194
    freebie                         IN A            213.152.51.194
    mail                            IN A            213.152.51.194
    sparky                          IN A            213.152.51.195
    winnie                          IN A            213.152.51.196   ; this line appeared twice; one copy is enough
    
    ;
    ; Mail Records
    ;
    @                                       IN MX 10        mail.munk.nu.
    
    [11:50:38] munk@munkboxen /etc# cat namedb/localhost.rev
    ;       From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90
    ; $FreeBSD: src/etc/namedb/PROTO.localhost.rev,v 1.6 2000/01/10 15:31:40 peter Exp $
    ;
    ; This file is automatically edited by the `make-localhost' script in
    ; the /etc/namedb directory.
    ;
    
    $TTL    3600
    
    @       IN      SOA     ns1.munk.nu. root.munk.nu.  (   ; MNAME is the primary nameserver, not the bare domain
                                    20020906        ; Serial
                                    3600    ; Refresh
                                    900     ; Retry
                                    3600000 ; Expire
                                    3600 )  ; Minimum
            IN      NS      ns1.munk.nu.
    1       IN      PTR     localhost.      ; was "localhost.nu.", which is why nslookup below reports "Server: localhost.nu"; 127.0.0.1 should reverse to plain localhost.
    I followed Chapter 4, 'Setting Up BIND', of the O'Reilly book DNS and BIND to get this far. I've tested it as follows so far:
    Code:
    [11:32:55] munk@munkboxen /etc/namedb# nslookup www
    Server:  localhost.nu
    Address:  127.0.0.1
    
    Name:    www.munk.nu
    Address:  213.152.51.194
    
    [11:36:10] munk@munkboxen /etc/namedb# nslookup www.google.com.
    Server:  localhost.nu
    Address:  127.0.0.1
    
    Name:    www.google.com
    Address:  216.239.39.101
    However, when I look up a local hostname via a remote nameserver it does not resolve:
    Code:
    [11:42:27] munk@nova /home/munk# nslookup www.munk.nu
    Server:  pazs001o.blueyonder.co.uk
    Address:  62.30.64.113
    
    *** pazs001o.blueyonder.co.uk can't find www.munk.nu: Non-existent host/domain
    A 'whois' lookup on 'munk.nu' reveals:
    Code:
    [11:50:43] munk@munkboxen /etc# whois munk.nu
    ------------------------------------------------------------------------
    .NU Domain Ltd Whois service
    
    Domain Name (UTF-8): munk.nu
    Record ID: 437528.
    
    Record expires on 28-Aug-2004.
    Record created on 28-Aug-2002.
    Record status: Active.
    
    Domain servers in listed order:
        ns1.munk.nu 213.152.51.194
        ns2.munk.nu 213.152.51.195
    
    Copyright by .NU Domain Ltd - http://www.nunames.nu
    ------------------------------------------------------------------------
    Database last updated: Fri Sep  6 06:46:15 2002
    ------------------------------------------------------------------------
    My questions:
    1. Do the master zone files look ok and if not how could they be optimized?
    2. Assuming the config is correct, how long should it (normally) take for the DNS to propagate to remote nameservers across the internet? Is there any known method for speeding this up? (I noticed that everydns.net's nameservers seem to propagate very quickly after changes are made, literally in minutes.)

    TIA,
    Jez
#2
funky munky
    mmm, *doh*

    The reason it wasn't resolving queries from remote hosts was because I forgot to add a rule to my ipf firewall ruleset to allow inbound tcp/udp on port 53.

    Speaking of which, can anyone comment on these ipf rules for allowing DNS queries?
    Code:
    # dns incoming:
    # tcp: match only the initial SYN; the state table then passes the rest of the connection
    pass in quick on fxp0 proto tcp from any to 213.152.51.194 port = 53 flags S keep state
    # udp: no 'keep state' here, so the replies have to match a separate outbound rule
    pass in quick on fxp0 proto udp from any to 213.152.51.194 port = 53
    Thanks in advance.
#3
Contributing User
    Keep state on udp ruleset as well.

    As far as your named setup:
    1) Rename your localhost.rev to db.127 and change that in named.conf accordingly

    2) Create a new zone record named db.localhost or whatever. For a sample, you can search Google.
    The reason for this is that localhost-related zone records should be separated from your db.munk.nu zone; that is, remove the A record for localhost from your db.munk.nu. Right now localhost.munk.nu resolves to 127.0.0.1 on my end, which is a common misconfiguration on many named servers.

    3) There are many reasons to set your hostname to ns1.munk.nu instead of munkboxen.mine.nu

    4) Drop mail.munk.nu and use ns1.munk.nu as your MX because ns1.munk.nu is glued at roots.
#4
funky munky
    Keep state on udp ruleset as well.
    >> mmm, ok, thanks, forgot you could keep state on udp. Out of interest, given that no one will be performing zone transfers from me, how often would tcp requests typically be made to port 53 (i.e. requests made to my named server externally)? Am I to understand that it is only 'broken' resolvers that submit DNS resolution requests on port 53 via TCP?

    1) Rename your localhost.rev to db.127 and change that in named.conf accordingly
    >> I was following the FreeBSD named setup instructions in handbook - the unfortunate naming convention used in the 'make-localhost' sh script seems an oddity for FreeBSD.

    2) Create a new zone record named db.localhost or whatever.
    >> Thanks, corrected.

    3) There are many reasons to set your hostname to ns1.munk.nu instead of munkboxen.mine.nu
    >> I currently set:
    Code:
    [2:18:59] munk@freebie /etc/namedb# hostname
    freebie.munk.nu
    although:
    Code:
    [2:20:47] munk@freebie /etc/namedb# cat /etc/hosts
    127.0.0.1                       localhost
    213.152.51.193          router
    213.152.51.194          ns1 freebie munkboxen.mine.nu munkboxen www.console-pimps.net \
                                            munk.nu freebie.munk.nu www.munk.nu ns1.munk.nu freebie.munk.nu
    213.152.51.195          sparky \
                                            sparky.munk.nu
    213.152.51.196          winnie winnie.munk.nu
    and this is a real mess.
    ('console-pimps.net' is another domain I'm running from this machine as well!!!)

    Should I set 'hostname ns1.munk.nu'? Should I trim /etc/hosts?

    4) Drop mail.munk.nu and use ns1.munk.nu as your MX because ns1.munk.nu is glued at roots.
    >> I had untold issues with
    Code:
    Sep  8 12:03:30 freebie sm-mta[86701]: g88C3TMi086699: SYSERR(root): mail.munk.nu. config error: mail loops back to me (MX problem?)
    *UNTIL* I echoed "munk.nu" to /etc/mail/local-host-names. After this all was fine.

    I will be moving to djbdns soon because I don't like the way BIND cobbles all the DNS features together as one - recursive resolution, caching, zone transfers, etc. - and would prefer to use djbdns (I did set it up for a while and found the caching name service, dnscache, and the main name daemon, tinydns, to be sweet). BIND does seem very klutzy and open to attack by piling so much functionality into one single daemon.

    One very quick question: I can't for the life of me (really daft, this, I'm sure) work out how to assign a zone record for 'munk.nu' using BIND (i.e. when I type 'host munk.nu' I want it to resolve to 213.152.51.194). Can you clarify how this is done?

    Really glad you got to this thread freebsd Thanks a lot.

    Jez
    Last edited by munkfish; September 8th, 2002 at 08:34 PM.
#5
Contributing User
    Am I to understand that it is only 'broken' resolvers that submit DNS resolution requests on port 53 via TCP?
    In addition, when a query size is larger than 512 bytes (not a misconfiguration on your end) it retries with tcp. If you remove tcp 53 I'd say you wouldn't even lose 0.1% of legitimate queries.

    You really shouldn't have any routable IP entry in /etc/hosts. Relying on /etc/hosts to resolve FQDNs is just a workaround for some clueless newbies. Don't forget, /etc/hosts was never meant to be a way to configure an FQDN to create a valid DNS entry. If removing a line in /etc/hosts makes you unable to resolve a name, then that name really has a DNS misconfiguration itself that needs to be fixed.

    BTW, some software, like any djbware, never reads the /etc/hosts file.

    >> Should I set 'hostname ns1.munk.nu'?

    Yes, it's a very common setup to set your hostname to be ns1.xxx.yyy or even mail.xxx.yyy.

    >> how to assign a zone record for 'munk.nu' using BIND

    Just add another A record like so:
    Code:
    munk.nu.                         IN A            213.152.51.194
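The TCP fallback discussed in the two replies above, as an added example that is not from the thread and not BIND code: a toy in-memory authoritative server and a stub resolver exchanging RFC 1035 wire-format messages (no name compression). A response that does not fit in the classic 512-byte UDP limit comes back over UDP with the TC bit set (it is the size of the response, not of the query, that decides this), the resolver repeats the query over TCP with the 2-byte length prefix TCP DNS uses, and with 53/tcp filtered the same lookup gets no answer at all. www.munk.nu. is from the thread; big.munk.nu. and its 40 addresses are constructed to force truncation.

```python
"""Why an authoritative server needs 53/tcp as well as 53/udp: an answer that does not
fit in a 512-byte UDP datagram comes back with TC set and the resolver retries over TCP.
Added example with a toy in-memory server; not BIND code and not from the thread."""
import struct

UDP_MAX = 512        # pre-EDNS0 maximum UDP payload (RFC 1035)
TC = 0x0200          # header flag: message truncated


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Return (dotted name, offset after the name); no compression pointers expected."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_query(qid, qname):
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)        # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def build_answer(qid, qname, addrs, limit=None):
    """Authoritative answer with one A RR per address. With a size limit, stop adding
    RRs when the next one would overflow it and set TC instead."""
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    ancount, truncated = 0, False
    for addr in addrs:
        rdata = bytes(int(o) for o in addr.split("."))
        rr = encode_name(qname) + struct.pack("!HHIH", 1, 1, 3600, len(rdata)) + rdata
        if limit is not None and 12 + len(body) + len(rr) > limit:
            truncated = True
            break
        body += rr
        ancount += 1
    flags = 0x8500 | (TC if truncated else 0)        # QR, AA, RD echoed back
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + body


def parse_answer(msg):
    """Return (truncated, [A-record addresses]) for a response built above."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _name, off = decode_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:
            addrs.append(".".join(str(b) for b in msg[off:off + rdlen]))
        off += rdlen
    return bool(flags & TC), addrs


class ToyAuthServer:
    """Stand-in for named: UDP answers are capped at 512 bytes, TCP answers are not."""
    def __init__(self, zone):
        self.zone = zone                               # {qname: [addresses]}

    def udp(self, query):
        qid = struct.unpack("!H", query[:2])[0]
        qname, _ = decode_name(query, 12)
        return build_answer(qid, qname, self.zone.get(qname, []), limit=UDP_MAX)

    def tcp(self, framed):
        (length,) = struct.unpack("!H", framed[:2])   # DNS over TCP: 2-byte length prefix
        query = framed[2:2 + length]
        qid = struct.unpack("!H", query[:2])[0]
        qname, _ = decode_name(query, 12)
        answer = build_answer(qid, qname, self.zone.get(qname, []))
        return struct.pack("!H", len(answer)) + answer


def resolve(server, qname, tcp_open=True):
    """Stub-resolver behaviour: ask over UDP; on TC, repeat the query over TCP.
    tcp_open=False models a firewall that passes 53/udp but drops 53/tcp."""
    query = build_query(0x2A2A, qname)
    truncated, addrs = parse_answer(server.udp(query))
    if not truncated:
        return addrs, "udp"
    if not tcp_open:
        raise TimeoutError("answer truncated and 53/tcp filtered: the TCP retry gets no reply")
    framed = server.tcp(struct.pack("!H", len(query)) + query)
    return parse_answer(framed[2:])[1], "tcp"


# Constructed zone data: www.munk.nu. is from the thread, big.munk.nu. is hypothetical.
ZONE = {
    "www.munk.nu.": ["213.152.51.194"],
    "big.munk.nu.": [f"10.0.0.{i}" for i in range(1, 41)],   # 40 A RRs, well over 512 bytes
}
SERVER = ToyAuthServer(ZONE)

if __name__ == "__main__":
    print(resolve(SERVER, "www.munk.nu."))
    print(len(resolve(SERVER, "big.munk.nu.")[0]), "addresses via TCP")
    try:
        resolve(SERVER, "big.munk.nu.", tcp_open=False)
    except TimeoutError as err:
        print(err)
```

Two caveats for the ipf rules in post #2: a zone transfer (AXFR) runs over TCP only, so if ns2.munk.nu ever pulls the zone from ns1 the tcp rule is needed for that regardless of how rarely resolvers hit TC; and EDNS0 (RFC 2671) lets a resolver advertise a larger UDP buffer, which is why modern answers rarely truncate at 512 bytes, but the TC-then-retry-over-TCP rule itself is unchanged.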
#6
funky munky
    Many thanks.
