Andrew Hudson - Fedora™ Unleashed, 2008 edition

#/etc/resolv.conf

#nameserver 83.64.1.10

#nameserver 83.64.0.10

nameserver 127.0.0.1

Other machines on your network should have the IP of the local caching nameserver in their /etc/resolv.conffiles. Assuming that the IP address for the computer running the caching nameserver is 192.168.1.5, the /etc/resolv.conffiles on the other machines on your network should be the following:

#/etc/resolv.conf

#nameserver 83.64.1.10

#nameserver 83.64.0.10

nameserver 192.168.1.5

Another advantage of setting up a caching nameserver is that you can use it to block ads and objectionable sites by using bogus DNS zones to block specific domains. You do this by overriding the DNS lookup of the sites you want to block. Configuration is simple. First, determine the sites that you want to block. For example, you might want to block all access to doubleclick.net. Create an entry in /etc/named.conflike this:

zone "doublelick.net" { type master; file "fakes"; };

Then create a new /var/named/fakesfile. This should contain

$TTL 1D

@ IN SOA dns.companyname.com. hostmaster.companyname.com. (

2004081701 8H 2H 4W 1D)

@ IN NS dns.companyname .example.com.

@ IN A 127.0.0.1

* IN A 127.0.0.1

where dns.companyname.com should be replaced by the hostname of the caching nameserver. This points all DNS lookups of doubleclick.net to 127.0.0.1, where they will not be found. To make the change effective, you have to restart namedso that the new configuration information is read. Chapter 11 describes several different ways of restarting the namedservice; here is one of them:

# kill -HUP `pidof named`

When namedis restarted, attempts to resolve all doubleclick.net addresses fail, the ads are neither loaded nor displayed, and your browsing experience is faster.

It is possible to have your own domain name and provide third-party DNS service for it, meaning that you do not have to configure and administer a DNS nameserver for your self. You can even have a mail address for your domain without having a mail server.

Here is a summary of the major tasks involved in providing a third-party DNS service to your own domain name:

► Register and pay for a unique domain name— Several companies now offer to register these names, so shop around for the most reasonable price and perform some Google background checks on the company before using it.

► Use a third-party DNS provider to provide DNS services— One popular provider is ZoneEdit, which provides detailed steps to use the service. ZoneEdit also provides mail-forwarding services, so mail addressed to you@your.own.domain is forwarded to your regular ISP mail account. ZoneEdit also allows you to use Dynamic DNS, which enables you to run a server on a dynamically assigned IP (from a cable or dialup provider), yet still have DNS servers locate you. ZoneEdit can also provide a startup web page space for you or forward requests to an already established page with a long, complicated address.

► Return to your domain name registrar and tell it what nameservers are authoritative for your domain.

After you have completed the preceding tasks, it takes about three days for the information to propagate around the Internet.

BIND is the de facto standard DNS software suite for UNIX. It contains a nameserver daemon ( named) that answers DNS queries, a resolver library that enables programs to make such queries, and some utility programs. BIND is maintained by the ISC (Internet Software Consortium) at the websitehttp://www.isc.org/bind/.

Three major versions of BIND are in common use today: 4, 8, and 9. The use of BIND 4 is now strongly discouraged because of numerous security vulnerabilities and other bugs, and is not discussed here. BIND 8, with many new features and bug fixes, is now quite widely deployed. It is actively maintained, but still vulnerable to a variety of attacks; its use is strongly discouraged, too. Fedora now provides BIND 9.

If you are upgrading from BIND 8 to BIND 9, make sure to read the file /usr/share/doc/bind-9.5.0/misc/migrationfor any issues regarding configuration files (which will cause BIND not to run) and use of existing shell scripts. An HTML version of the BIND 9 manual is the Bv9ARM.htmlfile under the /usr/share/doc/bind-9.5.0/armdirectory.

In this chapter, we discuss the use of BIND 9, which ships with Fedora. BIND 9 was rewritten from scratch in an attempt to make the code more robust and leave behind the problems inherent in the old code. It is compliant with new DNS standards and represents a substantial improvement in features, performance, and security.

The bindRPM package contains the nameddaemon and a wealth of BIND documentation. The bind-utilsRPM package contains, among other things, the invaluable dig(1)utility. If you choose to compile BIND yourself, you can download the source distribution from the ISC's website and follow the build instructions therein.

You can find build instructions in the Read Me file under the /usr/share/doc/bind-9.5.0directory, too.

After you install the RPMs, the following directories are of special interest because they contain the file used by BIND and contain the information shown in the listing:

----------

/etc/ The rndc.conf, named.conf configuration files.

/usr/bin/ dig, host, nslookup, nsupdate.

/usr/sbin/ named, rndc, and various support programs.

/usr/share/doc/bind-9.5.0/ BIND documentation.

/usr/share/man/ Manual pages.

/var/named/* Zone files.

----------

If you install from source, the files will be in the locations you specified at configure time, with the default directories under /usr/local/.

The following example uses BIND to configure a nameserver and then expand it as necessary to provide useful DNS service. To accomplish this, you must configure named(the nameserverdaemon) and rndccomponents (a control utility that permits various interactions with a running instance of named). You also might need to configure the resolver software, as discussed later. Three configuration files are used:

► rndc.keyto specify the key used to authenticate between rndcand named

► rndc.confto configure rndc

► named.confto configure named

When rndccommunicates with named, it uses cryptographic keys to digitally sign commands before sending them over the network to named. The configuration file, /etc/rndc.key, specifies the key used for the authentication.

The only authentication mechanism currently supported by namedis the use of a secret key, encrypted with the HMAC-MD5 algorithm and shared between rndcand named.The easiest way to generate a key is to use the dnssec-keygenutility. In the following example, the utility is asked to generate a 128-bit HMAC-MD5 user key named rndc: