named - Setting up a Domain Name Service (daemon)



Introduction

The Domain Name Service (DNS) allow IP based networks to offer human friendly names for numerically labelled machines. Where it does not matter for computers whether other computers are addressed by letters or numbers, it is more convenient for human beings to use names and it was more convenient for the developers of IP space to use numbers for transferring data between locations.

named implements a DNS through OpenBSD.

Preliminary System Information

[ref: named(8), ]
[ref: Setting up DNS by Jeff Moe <jeffdns@verinet.com>]
[ref: SETTING UP YOUR OWN DNS by Gary Kessler ]

This page gives a guide to how you can configure DNS using named and OpenBSD 2.7. Although I attempt to provide useful documentation on why certain things are as they are in this document, further readings from the references above and the OpenBSD FAQ will most likely be more instructive rigerous on the intricacies of DNS.

The sample configuration which I would like to set up the DNS for will have three machines as servers (everything else on the lan are client-workstations only.)

The three servers I will use in this configuration are:

IP Address hostname services/aliases HINFO (cpu_type, OS_type)
192.168.101.1 iwill dns, mail PentiumII-300, OpenBSD 2.7
192.168.101.77 athlon www, ftp Athlon 600, Win2000Pro
192.168.101.130 compaq dns2, mail2 Pentium 100, OpenBSD 2.7

The files I will be using to configure named for my sample domain: mydomain.com are listed below:

Primary Domain Name Server
Filename Purpose
/etc/resolv.conf resolver configuration file
/var/named/named.boot named Configuration File
The following files are in /var/named/namedb (location and filenames dictated by named.boot configuration file.)
db.mydomain.com.zone forward address lookups for mydomain.com zone
db.mydomain.com.rev reverse address lookups for mydomain.com zone
db.localhost.zone forward address lookups for localhost zone
db.localhost.rev reverse address lookups for localhost zone
db.all-zero.rev reverse address lookups for all-zero (security item)
db.all-one.rev reverse address lookups for all-one (security item)
root.cache Specify data such as locations of root domain servers
   
Secondary Domain Name Server
/etc/resolv.conf  
/var/named/named.boot  
The following files are in /var/named/namedb (location and filenames dictated by named.boot configuration file.)
db.localhost.zone  
root.cache  

Text Layout, Documentation Convention

To hopefully improve the chances of applying this text to different sites, I have used the below colour coding scheme and text layout. (My apologies to those with colour blind-ness)

Line-numbers are in red
Site-specific details are in blue. This includes names and IP addresses used in my sample site that need to be changed to reflect your site details.
Filenames begin with db because it minimises my confusion between what are files and what are domain names.

The machine names have been chosen to make them easily recogniseable within this example, I know it isn't going to expand well into a site with 200 machines, so don't tell me.

Starting named - the DNS Server

To enable named, edit the file /etc/rc.conf and change the line that reads:

named_flags=NO
named_user=named
named_chroot=/var/named

To read as follows:

named_flags=""            # note use two double-quotes
named_user=named          # note to leave this as per standard setting
named_chroot=/var/named   # note to leave this as per standard setting

To test your settings without having to restart your machine you can use the following command-line to perform the same things as specified in the above configuration settings:

# named -t /var/named -u named

named.boot - Configuring named

The boot file contains information about where the name server is to get its initial data. Lines in the boot file cannot be continued on subsequent lines.

01 ; FILE: /var/named/named.boot
02 ; directory /var/named/namedb
03 directory /namedb
04 ;Type       Domain                         Data file
05 primary     mydomain.com                   db.mydomain.com.zone
06 primary     101.168.192.in-addr.arpa       db.mydomain.com.rev
07 primary     localhost                      db.localhost.zone
08 primary     0.0.127.in-addr.arpa           db.localhost.rev
09 primary     0.in-addr.arpa                 db.all-zero.rev
10 primary     255.in-addr.arpa               db.all-one.rev
11 cache       .                              root.cache
12 forwarders  207.124.73.129	
Figure 1 - /var/named/named.boot

Explanation:

01, 02, 04 Comments in the file are preceded by a semi-colon ";"
02 OpenBSD chroots named by default, but if you do not chroot named then you will need to specify the full path for the data files
03

The path to the data files from the chroot'ed named. This is the standard location for OpenBSDs 2.7 build.

The "directory" line causes the server to change its working directory to the directory specified. This can be important for the correct processing of $INCLUDE files in primary zone files.

05 The first example "primary" line states that the file "db.mydomain.com.zone" contains authoritative data for the "mydomain.com" zone. The file "db.mydomain.com.zone" contains data in the master file format described in RFC 883. All domain names are relative to the origin, in this case, "mydomain.com".

Change mydomain.com to your site domain.

06

The second "primary" line states that the file "db.mydomain.com.rev" contains authoritative data for the domain "101.168.192.in-addr.arpa", which is used to translate addresses in network 192.168.101 to hostnames.

Change mydomain.com and 101.168.192 to your site domain-name and IP range. (Note that 101.168.192 is the reverse address of the C-class IP address used in this example. 192.168.101.* becomes 101.168.192.addr.arpa)

07 localhost is a special IP address and we are specifying here that authoritative data for the domain localhost is in the file "db.localhost.zone"
08 The file "db.localhost.rev" contains authoritative data for the domain 0.0.127.in-addr.arpa, the reverse address for localhost. (The localhost IP is 127.0.0.1, and the reverse of the address is 0.0.127.)
09

10
0.in-addr.arpa and 255.in-addr.arpa: The all zeros (0) and all ones (255) addresses are reserved for special purposes in IP. These "domains" are defined in the db.all-zero.zone and db.all-one.zone file, respectively.

11

The "cache" line specifies where the DNS cache information for the domain root (".") can be found. This is not a "cache," as in short-term memory, but is a set of fixed pointers to the higher-level DNS databases.

12

This is my ISPs Primary DNS server. When a name cannot be resolved from our cache, named will 'forward' the query to servers listed as 'forwarders'. More than one line of forwarders can be listed here.

Change the IP address 207.124.73.129 to one your ISP has given you.

[ref: resolv.conf(5)] The forwarding facility is useful to cause a large sitewide cache to be generated on a master, and to reduce traffic over links to outside servers. It can also be used to allow servers to run that do not have direct access to the Internet, but wish to look up exterior names anyway.

resolv.conf - name resolution

[ref: resolv.conf(5)]

If the system's resolv.conf file does not exist, then the only database used is file.

The resolv.conf file specifies how the resolver(3) routines in the C library (which provide access to the Internet Domain Name System) should operate. The resolver configuration file contains information that is read by the resolver routines the first time they are invoked by a process.

On a normally configured system this file should not be necessary. The only name server to be queried will be on the local machine, the domain name is determined from the host name, and the domain search path is constructed from the domain name.

1 domain       mydomain.com
2 nameserver   192.168.101.1
3 nameserver   192.168.101.130
4 lookup       file bind
Figure 2 -/etc/resolv.conf

Explanation:

01

domain specifies the domain to use when given a shortname. We can do a query on host athlon, iwill, or compaq and the system will check that this is relative to mydomain.com.

If no domain entry is present, the domain is determined from the local host name returned by gethostname(3); the domain part is taken to be everything after the first ".". Finally, if the host name does not contain a domain part, the root domain is assumed.

Change mydomain.com to your site domain.

02,

03 nameserver specifies an internet address (in dot notation) that the name resolver will query. A maximum of 3 servers can be listed (on separate nameserver lines)

Change the 192.168.101.x to the host address you will use as the name server on your site.

  If no nameserver is listed then the standard behaviour is to query the name server on the host.
04

lookup specifies which databases should be searched, and the order to do so.

Assuming that your /etc/hosts will contain information more up-to-date than the dns records we specify file (/etc/hosts) and then bind. Otherwise, only have your local NICs listed in /etc/hosts and there will be no problem with specifying lookup as in the above.

db.mydomain.com.zone - Authoritative forward address lookup

"db.mydomain.com.zone" contains authoritative data for the "mydomain.com" zone. All domain names are relative to the origin, in this case, "mydomain.com".

01 ; Start of Authority (SOA) record
02 mydomain.com.   IN SOA  dns.mydomain.com.  dnsowner.mydomain.com.  (
03                   2000272400   ; serial # (date format) + [0-9][0-9]
04                        10800   ; refresh (3 hours)
05                         3600   ; retry (1 hour)
06                       604800   ; expire (1 week)
07                        86400)  ; TTL (1 day)
08 
09 ; Name Server (NS) records.
10                          IN NS   dns.mydomain.com.
11                          IN NS   dns2.mydomain.com.
12 
13 ; Mail Exchange (MX) records.
14                          IN MX   20  mail.mydomain.com.
15                          IN MX   50  mail2.mydomain.com.
16 ; Address (A) records. (real-names of machines)
17                          IN A      192.168.101.1
18 localhost.mydomain.com.  IN A      127.0.0.1
19 iwill.mydomain.com.      IN A      192.168.101.1
20 athlon.mydomain.com.     IN A      192.168.101.77
21 compaq.mydomain.com.     IN A      192.168.101.130
22 mail.mydomain.com.       IN A      192.168.101.1
23 ; We can continue Address records to list all machines (not only servers)
24 
25 ; Aliases in Canonical Name (CNAME) records...
26 
27 dns                      IN CNAME  iwill.mydomain.com.
28 www                      IN CNAME  athlon.mydomain.com.
29 ftp                      IN CNAME  athlon.mydomain.com.
30 dns2                     IN CNAME  compaq.mydomain.com.
31 mail2                    IN CNAME  compaq.mydomain.com.
Figure 3 - /var/named/namedb/db.mydomain.zone

Explanations

01 Comments are started by semi-colons ";"
02

mydomain.com. is the address name we are going to be working with (sometimes you will see this written as @)

dns.mydomain.com. is the authoritative dns for this domain. If you choose to use a different dns host naming convention or use a specific hostname for the DNS server, then you should also change dns.* to your naming convention.

dnsowner.mydomain.com is the domain name address of the maintaner, e-mail contact (dnsowner@mydomain.com) On my machine I use root, but this option allows you to specify another e-mail address. Note the user-id is followed by a dot "." and not the @.

Change mydomain.com to your site domain.

03

Start of Authority (SOA) Record Items

(a) A serial Number for synchronising revisions of the file. Standard format is to use the current date (YYYYMMDD) and two digits to differentiate revisions for that date (ie. you should change this serial number each time you make changes.)

Change this value.

04 (b) refresh in seconds. The refresh value tells the secondary name server(s) how often to check for updated information (10,800 seconds is three hours). This value should be fine.
05 (c) retry in seconds. If the secondary name server is unable to contact the primary name server, it will re-attempt a connection every retry seconds (3600 seconds is one hour). This value should be fine.
06 (d) expire in seconds. If a secondary name server cannot contact the primary name server for expire seconds, the secondary will stop answering any queries about this domain. The theory here is that at some point, the data is so old as to be possibly harmful, and no answer is better than a bad answer (604,800 seconds is one week). This value should be fine.
07 (e) Time to Live in seconds. The TTL (time-to-live) value is returned with all responses to database queries, and tells the requester (or other servers) how long the information can safely be cached (86,400 seconds is one day). This TTL value is the default value for all records in the file; it may be over-ridden by a TTL value provided with a given RR. This value should be fine.
10

Our Name Server (NS) Authoritative Record pointing to the primary DNS server.

Change mydomain.com to your site domain.
Change dns.mydomain.com to the server-name hosting DNS.

11

Another Name Server (NS) Authoritative Record pointing to our secondary DNS server.

Change mydomain.com to your site domain.
Change dns2.mydomain.com to the server-name hosting DNS.

13,

14
Our Mail Exchange (MX) record. MX records tell mail-servers where to send mail destined for a domain. The lower the MX value, the higher the priority of the server, so mail sent to mydomain.com will be prioritised to mail.mydomain.com. If mail.mydomain.com is unavailable then the next lower MX value will be attempted (in our case mail2.mydomain.com.)

(Warning: CNAME records can not be used for MX records so technically mail2 has been incorrectly defined above; see 5.2.2 of RFC 1123 for details.)

Change mydomain.com to your site domain.
Change mail.mydomain.com to the server-name hosting mail.
Change mail2 and use an Address Record

17

I want queries for mydomain.com to be directed to one of the three servers, putting this A address resolves mydomain.com queries to the IP address 192.168.101.1

Change 192.168.101.1 to your IP address you want to resolve to.

18

Our localhost mapping which will force localhost to be mapped to 127.0.0.1 if not specified with a qualifying domain.

Change mydomain.com to your site domain.

19,

20, 21
The Server Machines we are using in this example. The A records contain an IP address to be associated with the host name in the first field of the record.

Change mydomain.com to your site domain.
Change host names to host names you are using.

22

We specify an A record for the mail server (although a similar effect should have been available by using CNAME records.) According to some documentation some mailers behave unpredictably when asked to resolve an MX hostname that uses a CNAME record rather than an explicit A record.

Change mydomain.com to your site domain.
Change 192.168.101.1 to the IP address of the machine to recieve mail.

24 To document your network you could specify here all assigned IPs and their hostnames in the same format as that shown above.
26

- 31
Aliases in Canonical Name (CNAME) records. The CNAME records contain an alias host name to associate with the host named in the first field of the record. Although a single A records and many CNAME records can be assigned to a single system, care must be taken; some mailers, for example, do unpredictable things when asked to resolve an MX host name that uses a CNAME record rather than an explicit A record. In the examples below, the address of both the backup DNS and mail servers are specified with separate A records, even though they point to the same machine.

Change mydomain.com to your site domain.
Change machine names to the configuration settings you have for your network.

db.mydomain.com.rev - Authoritative reverse address lookup

"db.mydomain.com.rev" contains authoritative data for the domain "101.168.192.in-addr.arpa", which is used to translate addresses in network 192.168.101 to hostnames

01 ; Start of Authority (SOA) record
02 101.168.192.in-addr.arpa. IN SOA dns.mydomain.com. dnsowner.mydomain.com.
03                          (2000072400   ; serial # (date format) + [0-9][0-9]
04                                10800   ; refresh (3 hours)
05                                 3600   ; retry (1 hour)
06                               604800   ; expire (1 week)
07                                86400)  ; minimum TTL (1 day)
08 
09 ; Name Server (NS) records.
10                            IN NS   dns.mydomain.com.
11                            IN NS   dns2.mydomain.com.
12 
13 ; Addresses point to canonical names (PTR) for reverse lookups
14 1                                IN PTR    iwill.mydomain.com.
15 130                              IN PTR    compaq.mydomain.com.
16 77                               IN PTR    athlon.mydomain.com.
Figure 4 -/var/named/namedb/db.mydomain.rev

Explanation

01 Comments are started by semi-colons ";"
02

101.168.192.in-addr.arpa. is the address name we are going to be working with (sometimes you will see this written as @)

dns.mydomain.com. is the authoritative dns for this domain. If you choose to use a different dns host naming convention or use a specific hostname for the DNS server, then you should also change dns.* to your naming convention.

dnsowner.mydomain.com is the domain name address of the maintaner, e-mail contact (dnsowner@mydomain.com) On my machine I use root, but this option allows you to specify another e-mail address. Note the user-id is followed by a dot "." and not the @.

Change mydomain.com to your site domain.
Change 101.168.192 to the reverse IP of your selected IP range.

03, 04, 05, 06, 07 Start of Authority (SOA) Record Item
See documentation above.
10,

11
Change mydomain.com to your site domain.
Change 101.168.192 to the reverse IP of your selected IP range.

The Name Servers used to service this range of IPs

14, 15, 16
Match the reverse-ips on the left with servers on the system (noted on the right column.)
  To document your network you could specify here all assigned IPs (reversed) and their hostnames in the same format as that shown above.

db.localhost.zone - forward address lookup

Since localhost. does not exist in IP space, this mapping allows us to map localhost. to the special ip 127.0.0.1. Otherwise an nslookup or similar query will not resolve.

01 localhost.              IN SOA  dns.mydomain.com.  dnsowner.mydomain.com.
02                         ( 2000072400   ; serial # (date format) + [0-9][0-9]
03                                10800   ; refresh     (3 hours)
04                                 3600   ; retry       (1 hour)
05                               604800   ; expire      (1 week)
06                                86400)  ; minimum TTL (1 day)
07 
08 localhost.                IN NS   dns.mydomain.com.
09                           IN NS   dns2.mydomain.com.
10 
11 localhost.                IN A    127.0.0.1
Figure 5 - /var/named/namedb/db.localhost.zone

Explanation:

01

localhost. is the address name we are going to be working with (sometimes you will see this written as @)

dns.mydomain.com. is the authoritative dns for this domain. If you choose to use a different dns host naming convention or use a specific hostname for the DNS server, then you should also change dns.* to your naming convention.

dnsowner.mydomain.com is the domain name address of the maintaner, e-mail contact (dnsowner@mydomain.com) On my machine I use root, but this option allows you to specify another e-mail address. Note the user-id is followed by a dot "." and not the @.

Change mydomain.com to your site domain.

02, 03, 04, 05, 06 Start of Authority (SOA) Record Items
See documentation above.
08

Specify the DNS server hosts.

Change mydomain.com to your site domain.
Change dns to the hostname of your DNS Server.

11 Specify that localhost. (rooted) is the IP address 127.0.0.1

db.localhost.rev - reverse address lookup

01 ; Start of Authority (SOA) record
02 0.0.127.in-addr.arpa.  IN SOA dns.mydomain.com. dnsowner.mydomain.com. (
03                         2000072400   ; serial # (date format) + [0-9][0-9]
04                            10800     ; refresh     (3 hours)
05                             3600     ; retry       (1 hour)
06                           604800     ; expire      (1 week)
07                            86400)    ; minimum TTL (1 day)
08 
09 ; Name Server (NS) records.
10 0.0.127.in-addr.arpa.     IN NS   dns.mydomain.com.
11                           IN NS   dns2.mydomain.com.
12 
13 ; Only one PTR record
14 1.0.0.127.in-addr.arpa.   IN PTR   localhost.
Figure 6 - /var/named/namedb/db.localhost.rev

Explanation:

01 Comments are started by semi-colons ";"
02

0.0.127.in-addr.arpa. is the address name we are going to be working with (sometimes you will see this written as @)

dns.mydomain.com. is the authoritative dns for this domain. If you choose to use a different dns host naming convention or use a specific hostname for the DNS server, then you should also change dns.* to your naming convention.

dnsowner.mydomain.com is the domain name address of the maintaner, e-mail contact (dnsowner@mydomain.com) On my machine I use root, but this option allows you to specify another e-mail address. Note the user-id is followed by a dot "." and not the @.

Change mydomain.com to your site domain.

03, 04, 05, 06, 07 Start of Authority (SOA) Record Items
See documentation above.
10,

11
Specify the DNS server hosts.

Change mydomain.com to your site domain.
Change dns to the hostname of your DNS Server.

14, Leave as is.

db.all-zero.rev - reverse address lookup

As all-zero and all-one's in IP addresses are special IP addresses we create reverse address lookups for both IP addresses for control over how our name server resolves these addresses.

01 0.in-addr.arpa.         IN SOA dns.mydomain.com. dnsowner.mydomain.com. (
02                       2000072400   ; serial # (date format) + [0-9][0-9]
03                            10800   ; refresh (3 hours)
04                             3600   ; retry (1 hour)
05                           604800   ; expire (1 week)
06                            86400)  ; minimum TTL (1 day)
07 
08 0.in-addr.arpa.           IN NS   dns.mydomain.com.
09                           IN NS   dns2.mydomain.com.
Figure 7 - /var/named/namedb/db.all-zero.rev

Explanation:

01

Change mydomain.com to your site domain.

If you choose to use a different dns or use a specific hostname for the DNS server, then you should also change dns.* to your naming convention.

02, 03, 04, 05, 06 Start of Authority (SOA)
See documentation above.
08,

09
Change mydomain.com to your site domain.

db.all-one.rev - reverse address lookup

01 255.in-addr.arpa.       IN SOA dns.mydomain.com. dnsowner.mydomain.com. (
02                       2000072400   ; serial # (date format) + [0-9][0-9]
03                            10800   ; refresh (3 hours)
04                             3600   ; retry (1 hour)
05                           604800   ; expire (1 week)
06                            86400)  ; minimum TTL (1 day)
07 
08 255.in-addr.arpa.         IN NS   dns.mydomain.com.
09                           IN NS   dns2.mydomain.com.
Figure 8 - /var/named/namedb/db.all-one.rev

Explanation:

01

Change mydomain.com to your site domain.

If you choose to use a different dns or use a specific hostname for the DNS server, then you should also change dns.* to your naming convention.

02, 03, 04, 05, 06 Start of Authority (SOA)
See documentation above.
08,

09
Change mydomain.com to your site domain.

 

root.cache -

Specify data such as locations of root domain servers. This is not a "cache," as in short-term memory, but is a set of fixed pointers to the higher-level DNS databases. This cache is not used during normal operation, but is used as "hints" to find the current root servers.

The file "root.cache" is in the same format as "db.mydomain.com.zone".

.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     198.41.0.10
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
Figure 9 - /var/named/namedb/root.cache

I've just taken the root.cache that comes with OpenBSD and listed it here (without the comments in the file.) There can be more than one "cache" file specified. The "cache.root" file should be retrieved periodically from FTP.RS.INTERNIC.NET ftp://rs.internic.net/domain/named.cache since it contains a list of root servers, and this list changes periodically.

The single "." indicates the root domain, while the "3600000" is the TTL value, indicating that these entries should expire after about 6 weeks (3.6 million seconds).

Author and Copyright

Copyright (c) 2000 Samiuela LV Taufa. All Rights Reserved.

I reserve the right to be totally incorrect even at the best advice of betters.

You are permitted and encouraged to use this guide for fun or for profit as you see fit. If you republish this work in what-ever form, it would be nice (though not enforceable) to be credited.

 DNS - setting up named for Domain Name Services

Copyright  © 2000 Tonga on the 'NET All rights reserved.