3. Operation¶
In this chapter we provide some suggested configurations along with guidelines for their use. We suggest reasonable values for certain option settings.
3.1. Sample Configurations¶
3.1.1. A Caching-only Name Server¶
The following sample configuration is appropriate for a caching-only
name server for use by clients internal to a corporation. All queries
from outside clients are refused using the allow-query
option.
Alternatively, the same effect could be achieved using suitable firewall
rules.
// Two corporate subnets we wish to allow queries from.
acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
options {
// Working directory
directory "/etc/namedb";
allow-query { corpnets; };
};
// Provide a reverse mapping for the loopback
// address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
type master;
file "localhost.rev";
notify no;
};
3.2. Load-balancing¶
A primitive form of load-balancing can be achieved in the DNS by using multiple records (such as multiple A records) for one name. For example, if you have three webservers with network addresses of 10.0.0.1, 10.0.0.2, and 10.0.0.3, a set of records such as the following means that clients will connect to each machine one third of the time:
Name |
TTL |
RRCLASS |
RRTYPE |
Resource Record Data (RDATA) |
---|---|---|---|---|
www |
600 |
IN |
A |
10.0.0.1 |
www |
600 |
IN |
A |
10.0.0.2 |
www |
600 |
IN |
A |
10.0.0.3 |
When a resolver queries for these records, Loop will rotate them and respond to the query with the records in a different order. In the example above, clients will randomly receive records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients will use the first record returned and discard the rest.
For more detail on ordering responses, see RRset ordering.
3.3. Name Server Operations¶
3.3.1. Tools for Use With the Name Server Daemon¶
This section describes several indispensable diagnostic, administrative and monitoring tools available to the system administrator for controlling and debugging the name server daemon.
3.3.1.1. Diagnostic Tools¶
The dig
and host
programs are command line tools for manually
querying name servers. They differ in style and output format.
dig
dig
is the most versatile and complete of these lookup tools. It has two modes: simple interactive mode for a single query, and batch mode which executes a query for each in a list of several query lines. All query options are accessible from the command line.dig @ server domain query-type query-class + query-option - dig-option % comment The usual simple use of
dig
will take the formdig @server domain query-type query-class
For more information and a list of available commands and options, see the
dig
man page.host
The
host
utility emphasizes simplicity and ease of use. By default, it converts between host names and Internet addresses, but its functionality can be extended with the use of options.host -aCdlnrsTwv -c class -N ndots -t type -W timeout -R retries -m flag -4 -6 hostname server For more information and a list of available commands and options, see the
host
man page.
3.3.1.2. Administrative Tools¶
Administrative tools play an integral part in the management of a server.
named-checkconf
The
named-checkconf
program checks the syntax of anamed.conf
file.named-checkconf -jvz -t directory filename
named-checkzone
The
named-checkzone
program checks a master file for syntax and consistency.named-checkzone -djqvD -c class -o output -t directory -w directory -k (ignore|warn|fail) -n (ignore|warn|fail) -W (ignore|warn) zone filename
named-compilezone
Similar to
named-checkzone,
but it always dumps the zone content to a specified file (typically in a different format).rndc
The remote name daemon control (
rndc
) program allows the system administrator to control the operation of a name server. If you runrndc
without any options it will display a usage message as follows:rndc -c config -s server -p port -y key command command See ??? for details of the available
rndc
commands.rndc
requires a configuration file, since all communication with the server is authenticated with digital signatures that rely on a shared secret, and there is no way to provide that secret other than with a configuration file. The default location for therndc
configuration file is/etc/loop/rndc.conf
, but an alternate location can be specified with the-c
option. If the configuration file is not found,rndc
will also look in/etc/loop/rndc.key
. Therndc.key
file is generated by runningrndc-confgen -a
as described in section_title.The format of the configuration file is similar to that of
named.conf
, but limited to only four statements, theoptions
,key
,server
andinclude
statements. These statements are what associate the secret keys to the servers with which they are meant to be shared. The order of statements is not significant.The
options
statement has three clauses:default-server
,default-key
, anddefault-port
.default-server
takes a host name or address argument and represents the server that will be contacted if no-s
option is provided on the command line.default-key
takes the name of a key as its argument, as defined by akey
statement.default-port
specifies the port to whichrndc
should connect if no port is given on the command line or in aserver
statement.The
key
statement defines a key to be used byrndc
when authenticating withnamed
. Its syntax is identical to thekey
statement innamed.conf
. The keywordkey
is followed by a key name, which must be a valid domain name, though it need not actually be hierarchical; thus, a string like "rndc_key
" is a valid name. Thekey
statement has two clauses:algorithm
andsecret
. While the configuration parser will accept any string as the argument to algorithm, currently only the strings "hmac-md5
", "hmac-sha1
", "hmac-sha224
", "hmac-sha256
", "hmac-sha384
" and "hmac-sha512
" have any meaning. The secret is a Base64 encoded string as specified in RFC 3548.The
server
statement associates a key defined using thekey
statement with a server. The keywordserver
is followed by a host name or address. Theserver
statement has two clauses:key
andport
. Thekey
clause specifies the name of the key to be used when communicating with this server, and theport
clause can be used to specify the portrndc
should connect to on the server.A sample minimal configuration file is as follows:
key rndc_key { algorithm "hmac-sha256"; secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; }; options { default-server 127.0.0.1; default-key rndc_key; };
This file, if installed as
/etc/loop/rndc.conf
, would allow the command:$
rndc reload
to connect to 127.0.0.1 port 953 and cause the name server to reload, if a name server on the local machine were running with following controls statements:
controls { inet 127.0.0.1 allow { localhost; } keys { rndc_key; }; };
and it had an identical key statement for
rndc_key
.Running the
rndc-confgen
program will conveniently create arndc.conf
file for you, and also display the correspondingcontrols
statement that you need to add tonamed.conf
. Alternatively, you can runrndc-confgen -a
to set up arndc.key
file and not modifynamed.conf
at all.