Re: Local DNS
- From: Ramon Gandia <rfg nook net>
- To: redhat-list redhat com
- Subject: Re: Local DNS
- Date: Thu, 31 Dec 1998 20:55:25 -0900
David Hughes wrote:
>
> I know this has been beat to a pulp, but need to ask. . . can anyone steer me
> towards a HOW-TO set up a local DNS on a RedHat server?
>
> I'd like to be able to set up the ability for clients on a local network to
> use the mail server on the Linux box without having to be connected to the
> internet and its DNS services, but also be able to work as well when connected
> for use of email and web services. And would like to be able to understand
> it. Have poked around but have not found a functional (for me, and a class)
> tutorial.
>
> Anyone point me to such a text or URL that details this?
First, ask yourself what kind of name services you need. Do you need to
resolve addresses ONLY within your network, or do you need to get those
outside?
For instance, if you have an intranet, and your DNS will answer ONLY
lookups for your local network, that is one thing. But if you want it
to also resolve www.prodigy.com, and www.hotsex.com, then that is
another issue.
Let's call them Name Servers and Intranet or Internal Servers.
Regular name servers need to have access to the internet (obviously)
and need to have a file called "cache", or sometimes db.cache or
named.cache. It's a zonefile of the top-level domain servers. When
a request comes for www.hotsex.com, the FIRST request the DNS makes
to translate this is to go to the ".com" top level DNS and start an
IP search. It may take several steps to get the answer. The answer
will remain in memory (RAM) for the time that the "time to live"
statement is good for in the hotsex response.
Requests for addresses you are responsible for come off different
files, like db.nook, or named.nook. These are forward zone files
for computers that (in this case) I have control over. If you
do a resolution on www.nook.net, you get 216.47.28.11. Since I
own this network, I have that info in db.nook zone file.
I also need a reverse lookup file, so if you query the IP
address, 216.47.28.11 you will get the answer "www.nook.net" or
one of its aliases.
Since I control both the nook.net domain and the 216.47.28.X
network, I am responsible for the creation and maintenance of those
two files.
A DNS server can be set up with no "cache" file. The "cache"
implies that it's held in RAM, but it is nothing of the sort. The
db.cache file is the top-level domains. Without this file,
my DNS (in the above example) would answer queries for www.nook.net
or the reverse IP address, but it would fail on www.hotsex.com.
Therefore, a DNS with no cache file is an internal or intranet
DNS and no good to resolve outside addresses.
The maintainer of a DNS is responsible to keep his db.cache
file up to date. There are utilities that can automate this, and
I use them. But it can be done manually.
There are also "cache-only" servers. This SOUNDS like a DNS that
needs no hard drive, only RAM, but this is not the case at all.
A cache only, as you guess by now, is a DNS that has the
db.cache file, but NO local zone files. If I had one of those
here at nook net, I could ask it about www.hotsex.com no
problems. But what about www.nook.net? Well, in that case
MY dns would not have the answer, because it has no zone file,
but it would treat it like any other DNS request and would send
out for it in the wild blue. Of course, if there is no other
DNS with the info, then I get no reply.
Cache only DNS are usually seen on the LAN side of slow internet
linkup. That gets users a quick DNS response that does not have
to go out on the wire.
Let's say you have a small LAN, say 30 computers, and your
connection to the internet for the entire LAN is a 33.6K modem.
You could use the DNS on the ISP end of the link, but it would
add to the traffic on the 33.6K link and be slow. It would
also slow down legitimate traffic. But you can boost your
performance and LAN user satisfaction by putting in a cache-only
DNS on your LAN side of the 33.6K link.
Think of a cache-only DNS as a "speeder upper".
Then there are authoritative, master, slaves, primary, secondary
DNS's etc. Easy. An authoritative DNS is one that has the
zone files for your LAN and has been recognized as being the
ultimate authority for it.
A secondary DNS gets its information from the first one. This
is via an automatic transfer.
Example.
At nook net I have a DNS which is authoritative. It has the
db.nook files and other domains I manage, as well as the
reverse lookup files.
In other locations I have secondary DNS's. They periodically
download COPIES of the zone files from the primary dns. This
is an automated process, but it can also be done manually.
Typically, when I have to make a change, like add a server or
change an IP, I go to the nook.net dns and make the change in
db.nook and db.216.47.28. Besides changing or adding names
and IP's in those files, I also change the SERIAL number. When
I finish editing those files, I give the command
ndc reload
The DNS then loads those files into RAM, sees the serial
number as being newer than the old one, and NOTIFIES the
secondary DNS's that there is now an update. In due course
the secondary DNS's have the new information. Typically
this takes 60 seconds up to a couple of minutes. That is
all.
On the other hand, if I now add a new domain (once registered
with Internic), I have to create a new zone file called
db.newdomain. If the IP block is different, then I do the
reverse files as well. Typically the new domain is in MY
OWN LAN, so I only add entries to db.216.47.28.
OK?
db.nook =============>
db.newdomain ========> Just one reverse file db.216.47.28
db.onemore ==========>
If there are new files, the serial number can be anything.
But amended files need newer serial numbers.
Now I also have to edit my /etc/named.conf or /etc/named.boot
files to show that I have "newdomain.com" on my DNS. This is
not too hard to do. I use BIND 8 here, and the syntax is
different than 4.9, and more complex, but understandable.
Once these files are all edited (and serial numbered in
the case of the zone files) I issue:
ndc restart
This kills the daemon and restarts it. It reads in the new
named.conf or named.boot file, and then loads up the zone
files. It also sends a NOTIFY to the secondary name servers.
The specific answer to your question: Your DNS is for use
both internally and externally. It needs to be connected
to the internet, needs to be a full blown DNS.
I hope this info is of use to you.... happy new year.
--
Ramon Gandia ==== Sysadmin ==== Nook Net ==== http://www.nook.net
285 West First Avenue rfg nook net
P.O. Box 970 tel. 907-443-7575
Nome, Alaska 99762-0970 ======================= fax. 907-443-2487
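As an added example (not part of the original post or of the nook.net setup it describes), a small Python checker for the two maintenance points the reply makes: an amended zone needs a strictly newer SOA serial or the secondaries never transfer it, and every A record in the forward zone (db.nook) should have a matching PTR in the reverse zone (db.216.47.28). The zone text is a constructed, simplified sample; only www.nook.net and 216.47.28.11 come from the post, the other hosts and the serial are made up.

```python
import re
from typing import Dict, List

# Constructed sample zone files in simplified BIND format: one record per
# line, fully qualified owner names. Only www.nook.net / 216.47.28.11 are
# from the post; ns1, mail and the serial are invented for illustration.
FORWARD_ZONE = """\
nook.net.  IN SOA ns1.nook.net. hostmaster.nook.net. ( 1998123101 3600 900 604800 86400 )
nook.net.  IN NS  ns1.nook.net.
ns1.nook.net.  IN A  216.47.28.2
www.nook.net.  IN A  216.47.28.11
mail.nook.net. IN A  216.47.28.12
"""

REVERSE_ZONE = """\
28.47.216.in-addr.arpa.  IN SOA ns1.nook.net. hostmaster.nook.net. ( 1998123101 3600 900 604800 86400 )
2.28.47.216.in-addr.arpa.   IN PTR ns1.nook.net.
11.28.47.216.in-addr.arpa.  IN PTR www.nook.net.
"""

def soa_serial(zone_text: str) -> int:
    """Return the SOA serial: the first number inside the SOA's parentheses."""
    m = re.search(r"\bSOA\b[^(]*\(\s*(\d+)", zone_text)
    if not m:
        raise ValueError("no SOA record found")
    return int(m.group(1))

def records(zone_text: str, rtype: str) -> Dict[str, str]:
    """Map owner name -> rdata for every record of the given type (A, PTR, ...)."""
    out: Dict[str, str] = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "IN" and parts[2] == rtype:
            out[parts[0]] = parts[3]
    return out

def ptr_name(ip: str) -> str:
    """Owner name of the PTR record for a dotted-quad IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def missing_ptrs(forward: str, reverse: str) -> List[str]:
    """Hosts whose A record has no PTR, or whose PTR points at a different host."""
    ptrs = records(reverse, "PTR")
    return sorted(host for host, ip in records(forward, "A").items()
                  if ptrs.get(ptr_name(ip)) != host)

def serial_bumped(old_zone: str, new_zone: str) -> bool:
    """True only if the edited zone carries a strictly newer serial (what secondaries check)."""
    return soa_serial(new_zone) > soa_serial(old_zone)
```

Run missing_ptrs() over db.nook and db.216.47.28 after each edit and serial_bumped() against the previous copy before "ndc reload"; the sample above reports mail.nook.net as lacking a PTR.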