DNS for Rocket Scientists

This Open Source Guide is about DNS and (mostly) BIND 9.x on Linux (Fedora Core), BSD's (FreeBSD, OpenBSD and NetBSD) and Windows (Win 2K, XP, Server 2003). It is meant for newbies, Rocket Scientist wannabees and anyone in between.

This Guide was born out of our first attempts a number of years ago at trying to install a much needed DNS service on an early Redhat Linux system. We completed the DNS 'rite of passage' and found it a pretty unedifying and pointless experience.

Health Warning: This is still a work-in-progress. If you find errors don't grumble - tell us. Look at our to do list and if you want to contribute something please do so.

<gratuitous publicity> The newly published book Pro DNS and BIND was largely based on this material but significantly extends it - including DNS security (including DNSSEC.bis), IPv6, DNS APIs and complete reference sections on named.conf and RR types. We are outrageously biased but think it is an essential addition to the DNS admin's library. </gratuitious publicity>

Section 1 Overview

What's new in Guide version 0.1.36

1. Boilerplate and Terminology

1.1 Objectives and Scope
1.2 How to read this Guide
1.3 Terminology and Conventions used
1.4 Acknowledgements
1.5 Copyright and License

2. DNS - Overview

2.1 A brief History of Name Servers
2.2 DNS Concepts & Implementation

2.2.1 DNS Overview
2.2.2 Domains and Delegation
2.2.3 DNS Organization and Structure
2.2.4 DNS System Components
2.2.5 Zones and Zone Files
2.2.6 DNS Queries

2.2.6.1 Recursive Queries
2.2.6.2 Iterative Queries
2.2.6.3 Inverse Queries

2.2.7 Zone Updates

2.2.7.1 Full Zone Transfer (AXFR)
2.2.7.2 Incremental Zone Transfer (IXFR)
2.2.7.3 Notify (NOTIFY)
2.2.7.4 Dynamic Zone Updates
2.2.7.5 Alternative Dynamic DNS Approaches

2.3 DNS Security Overview

2.3.1 Security Threats
2.3.2 Security Types
2.3.3 Local Security
2.3.4 Server-Server (TSIG Transactions)
2.3.5 Server-Client (DNSSEC)

3. DNS Reverse Mapping

3.1 Reverse Mapping Overview
3.2 IN-ADDR.ARPA Files
3.3 Reverse Map Delegation

4. DNS Types

4.1 Master (a.k.a. Primary) DNS Server
4.2 Slave (Secondary) DNS Server
4.3 Caching (a.k.a. hint) DNS Server
4.4 Forwarding (a.k.a. Proxy, Client, Remote) DNS Server
4.5 Stealth (a.k.a. DMZ or Split) DNS Server
4.6 Authoritative Only DNS Server

Section 2 - Get Something Running

5. BIND (Berkeley Internet Name Daemon)

Installing on FreeBSD (4.x and 5.x+)
Installing on Linux (Fedora Core 2)
Installing on Windows (NT 4.0 and Windows 2000)
BIND Command Line

6. DNS Sample Configurations

6.1 Sample Configuration Overview

6.1.1 Zone File Naming Convention

6.2 Master (Primary) DNS
6.3 Slave (Secondary) DNS
6.4 Caching only DNS
6.5 Forwarding (a.k.a. Proxy, Client, Remote) DNS
6.6 Stealth (a.k.a. Split or DMZ) DNS
6.7 Authoritative Only DNS
6.8 Views based Authoritative Only DNS

Section 3 Mind Numbing Details

7. BIND named.conf Parameters

named.conf format, structure and overview
named.conf required zone files

named.conf acl section (statements)
named.conf controls section (statements)
named.conf include section (statements)
named.conf key section (statements)
named.conf logging section (statements)
named.conf options section (statements)
named.conf server section (statements)
named.conf trusted-keys section (statements)
named.conf views section (statements)
named.conf zone section (statements)

8. DNS Resource Records

Zone File Format
DNS Binary Record Formats
List of Record Types
A - IPv4 Address Record
A6 - IPv6 Address Record
CNAME - Host Alias Record
DNAME - Delegate Reverse Name Record
HINFO - System Information Record
KEY - DNSSEC Public Key Record
MX - Mail Exchanger Record
NS - Name Server Record
NXT - DNSSEC Content Record
PTR - Pointer Record
SIG - DNSSEC Signature Record
SOA - Start of Authority Record
SRV - Services Record
TXT - Text Record

Section 4 DNS Operations

Chapter 9 DNS HowTos

HOWTO - DNS Round Robin or Load Balancing
HOWTO - support http://domain.com
HOWTO - Configure Sub-domains (a.k.a. subzones)
HOWTO - Delegate a sub-domain (a.k.a. subzone)
HOWTO - Configure mail fail-over
HOWTO - Delegate Reverse Subnet Maps
HOWTO Fix SOA RR serial numbers
HOWTO - Define an SPF record
HOWTO Install BIND 9 on Fedora Core 2 (Linux)
HOWTO Install BIND 9 on FreeBSD
HOWTO Install BIND 9 on Windows
HOWTO Create a DNSBL (email black list)
HOWTO Close your DNS (to protect against DoS attacks and Cache Poisoning)

Chapter 10 Diagnostics and Tools

10.1 Introduction
10.2 nslookup
10.3 dig

Chapter 11 Trouble and Error Messages

Work in progress

Chapter 12 BIND APIs

Work in progress

Section 5 DNS Security

Chapter 13 DNS Security

13.1 DNS Security Overview

13.1.1 Security Threats
13.1.2 Security Types
13.1.3 Local Security
13.1.4 Server-Server (TSIG Transactions)
13.1.5 Server-Client (DNSSEC)

Section 6 DNS Bits and Bytes

Chapter 15 DNS Message Formats

15.1 Overview Generic Format
15.2 The Message Header
15.3 The DNS Question
15.4 The DNS Answer
15.5 Domain Authority
15.6 Additional Information

Appendices: Resources

Appendix A: DNS & BIND Notes and Explanations
Appendix B: Domains and Registration
Appendix C: DNS Alternate Software and Resources
Appendix D: DNS and Relevant RFCs

Maintenance Information