RHEL 4 and 5 Name Resolution DNS, Files, NIS
Host name services
- Files - i.e. /etc/hosts
- DNS - bind, bind-utils, bind-chroot, caching-nameserver; /etc/named.conf (resolves names to IPs); /usr/sbin/named, /usr/sbin/rndc; also see http://www.unbound.net/ for a good alternative DNS server
- NIS - Network Information Services
Resolvers
- dig - Domain Information Groper; flexible tool enabling a trace of DNS queries, with output in RFC-standard zone file format
- host - similar to dig with more minimal output by default
- nslookup - the standard DNS query tool in Unix
- stub - generic resolver library for applications - gethostbyname() calls
rpm -qd bind will list available bind documentation on the system
Using dig command
Performing a DNS trace with dig:
dig +trace google.com
; <<>> DiG 9.4.2-P2 <<>> +trace google.com
;; global options: printcmd
. 362789 IN NS I.ROOT-SERVERS.NET.
. 362789 IN NS J.ROOT-SERVERS.NET.
. 362789 IN NS K.ROOT-SERVERS.NET.
. 362789 IN NS L.ROOT-SERVERS.NET.
. 362789 IN NS M.ROOT-SERVERS.NET.
. 362789 IN NS A.ROOT-SERVERS.NET.
. 362789 IN NS B.ROOT-SERVERS.NET.
. 362789 IN NS C.ROOT-SERVERS.NET.
. 362789 IN NS D.ROOT-SERVERS.NET.
. 362789 IN NS E.ROOT-SERVERS.NET.
. 362789 IN NS F.ROOT-SERVERS.NET.
. 362789 IN NS G.ROOT-SERVERS.NET.
. 362789 IN NS H.ROOT-SERVERS.NET.
;; Received 500 bytes from 68.87.77.130#53(68.87.77.130) in 36 ms
com. 172800 IN NS A.GTLD-SERVERS.NET.
com. 172800 IN NS B.GTLD-SERVERS.NET.
com. 172800 IN NS C.GTLD-SERVERS.NET.
com. 172800 IN NS D.GTLD-SERVERS.NET.
com. 172800 IN NS E.GTLD-SERVERS.NET.
com. 172800 IN NS F.GTLD-SERVERS.NET.
com. 172800 IN NS G.GTLD-SERVERS.NET.
com. 172800 IN NS H.GTLD-SERVERS.NET.
com. 172800 IN NS I.GTLD-SERVERS.NET.
com. 172800 IN NS J.GTLD-SERVERS.NET.
com. 172800 IN NS K.GTLD-SERVERS.NET.
com. 172800 IN NS L.GTLD-SERVERS.NET.
com. 172800 IN NS M.GTLD-SERVERS.NET.
;; Received 488 bytes from 192.228.79.201#53(B.ROOT-SERVERS.NET) in 93 ms
google.com. 172800 IN NS ns1.google.com.
google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns3.google.com.
google.com. 172800 IN NS ns4.google.com.
;; Received 164 bytes from 192.43.172.30#53(I.GTLD-SERVERS.NET) in 184 ms
google.com. 300 IN A 64.233.187.99
google.com. 300 IN A 209.85.171.99
google.com. 300 IN A 72.14.207.99
google.com. 345600 IN NS ns4.google.com.
google.com. 345600 IN NS ns1.google.com.
google.com. 345600 IN NS ns2.google.com.
google.com. 345600 IN NS ns3.google.com.
;; Received 212 bytes from 216.239.34.10#53(ns2.google.com) in 143 ms
Replies to the trace are resource records consisting of five fields each:
domain | ttl | class | type | rdata
google.com. | 172800 | IN (Internet), CH (Chaos), HS (Hesiod) | A, MX, NS, PTR, SOA, CNAME, AAAA ("quad A") | ns1.google.com.
In the example above the NS responses are the referrals handed down from each level (root, com., google.com.), whereas the final answer is the three A records near the end of the output.
Perform a default query with dig:
dig google.com
; <<>> DiG 9.4.2-P2 <<>> google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7205
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 294 IN A 72.14.207.99
google.com. 294 IN A 64.233.187.99
google.com. 294 IN A 209.85.171.99
;; Query time: 39 msec
;; SERVER: 68.87.77.130#53(68.87.77.130)
;; WHEN: Tue Oct 14 20:48:28 2008
;; MSG SIZE rcvd: 76
Default flags (from the flags line in the header above):
qr = query response
rd = recursion desired
ra = recursion available
status: NOERROR is always good to see
ANSWER: 3 means three records were returned in the answer section, and AUTHORITY: 0 means that the DNS server providing the responses was not authoritative for any of them (note there is no aa flag).
For an authoritative answer, query the authoritative server directly with @nameofauthoritativeserver (note the aa in the flags section):
dig @ns4.google.com google.com ANY
; <<>> DiG 9.4.2-P2 <<>> @ns4.google.com google.com ANY
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21988
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 8
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;google.com. IN ANY
;; ANSWER SECTION:
google.com. 86400 IN SOA ns1.google.com. dns-admin.google.com. 2008101401 7200 1800 1209600 300
google.com. 300 IN TXT "v=spf1 include:_netblocks.google.com ~all"
google.com. 300 IN A 72.14.207.99
google.com. 300 IN A 64.233.187.99
google.com. 300 IN A 209.85.171.99
google.com. 10800 IN MX 10 smtp3.google.com.
google.com. 10800 IN MX 10 smtp4.google.com.
google.com. 10800 IN MX 10 smtp1.google.com.
google.com. 10800 IN MX 10 smtp2.google.com.
google.com. 345600 IN NS ns4.google.com.
google.com. 345600 IN NS ns1.google.com.
google.com. 345600 IN NS ns3.google.com.
google.com. 345600 IN NS ns2.google.com.
;; ADDITIONAL SECTION:
smtp1.google.com. 3600 IN A 209.85.237.25
smtp2.google.com. 3600 IN A 64.233.165.25
smtp3.google.com. 3600 IN A 64.233.183.25
smtp4.google.com. 3600 IN A 72.14.221.25
ns1.google.com. 345600 IN A 216.239.32.10
ns2.google.com. 345600 IN A 216.239.34.10
ns3.google.com. 345600 IN A 216.239.36.10
ns4.google.com. 345600 IN A 216.239.38.10
;; Query time: 54 msec
;; SERVER: 216.239.38.10#53(216.239.38.10)
;; WHEN: Tue Oct 14 21:12:00 2008
;; MSG SIZE rcvd: 464
MX mail records lookup:
dig google.com MX
or dig -t mx google.com
; <<>> DiG 9.4.2-P2 <<>> google.com MX
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15965
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
;; QUESTION SECTION:
;google.com. IN MX
;; ANSWER SECTION:
google.com. 6741 IN MX 10 smtp3.google.com.
google.com. 6741 IN MX 10 smtp4.google.com.
google.com. 6741 IN MX 10 smtp1.google.com.
google.com. 6741 IN MX 10 smtp2.google.com.
;; ADDITIONAL SECTION:
smtp4.google.com. 2695 IN A 72.14.221.25
smtp1.google.com. 433 IN A 209.85.237.25
smtp2.google.com. 1143 IN A 64.233.165.25
smtp3.google.com. 361 IN A 64.233.183.25
;; Query time: 40 msec
;; SERVER: 68.87.77.130#53(68.87.77.130)
;; WHEN: Tue Oct 14 21:14:53 2008
;; MSG SIZE rcvd: 180
All records, answer section only:
dig google.com ANY +noall +answer
; <<>> DiG 9.4.2-P2 <<>> google.com ANY +noall +answer
;; global options: printcmd
google.com. 290 IN A 209.85.171.99
google.com. 290 IN A 72.14.207.99
google.com. 290 IN A 64.233.187.99
google.com. 26276 IN NS ns1.google.com.
google.com. 26276 IN NS ns2.google.com.
google.com. 26276 IN NS ns4.google.com.
google.com. 26276 IN NS ns3.google.com.
google.com. 85794 IN SOA ns1.google.com. dns-admin.google.com. 2008101401 7200 1800 1209600 300
google.com. 7679 IN MX 10 smtp1.google.com.
google.com. 7679 IN MX 10 smtp2.google.com.
google.com. 7679 IN MX 10 smtp3.google.com.
google.com. 7679 IN MX 10 smtp4.google.com.
The additional rdata in an MX record is the preference (priority) assigned to each mail server; in this case they all share an equal priority of 10.
Reverse lookup:
dig -x 209.85.171.99
; <<>> DiG 9.4.2-P2 <<>> -x 209.85.171.99
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31226
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;99.171.85.209.in-addr.arpa. IN PTR
;; ANSWER SECTION:
99.171.85.209.in-addr.arpa. 86400 IN PTR cg-in-f99.google.com.
;; Query time: 58 msec
;; SERVER: 68.87.77.130#53(68.87.77.130)
;; WHEN: Tue Oct 14 21:20:38 2008
;; MSG SIZE rcvd: 78
For an SOA answer the translation is as follows:
;; ANSWER SECTION:
domain      ttl   class type master NS       contact email         serial #   refresh retry expire  neg-answer ttl (no such host)
google.com. 84529 IN    SOA  ns1.google.com. dns-admin.google.com. 2008101401 7200    1800  1209600 300
The contact email dns-admin.google.com. translates to dns-admin@google.com: in bind zone files @ has a special purpose (it stands for the zone origin), so it is replaced with a ".".
Times are in seconds by default, but W = weeks, D = days, H = hours, M = minutes may also be used; the unit letter is written in capitals directly after the number with no space between them, e.g. 3W.
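The five-field resource record layout, the header flags (qr, aa, rd, ra) and the SOA field translation described above can all be checked mechanically rather than by eye. The following Python 3 script is an added example, not code from the original post or from BIND: it parses dig output into header flags and five-field records, expands SOA rdata into named fields (turning the first "." of the contact back into "@") and converts zone-file TTL units such as 3W or 1D12H to seconds. The sample text it parses is constructed from the records quoted on this page.

```python
"""Parse dig output into header flags and five-field resource records.

Added example, not code from the original post or from BIND.  The sample
below is constructed from the records quoted on the page.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed 'dig @ns4.google.com google.com ANY' answer.
SAMPLE_DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21988
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;google.com.                    IN      ANY
;; ANSWER SECTION:
google.com.  86400  IN SOA ns1.google.com. dns-admin.google.com. 2008101401 7200 1800 1209600 300
google.com.  300    IN A   72.14.207.99
google.com.  10800  IN MX  10 smtp3.google.com.
google.com.  345600 IN NS  ns1.google.com.
;; Query time: 54 msec
"""


@dataclass
class ResourceRecord:
    """The five fields of every resource record dig prints."""
    domain: str
    ttl: int
    rrclass: str   # IN, CH or HS
    rtype: str     # A, NS, MX, SOA, ...
    rdata: str     # type-specific data, kept as the raw text


@dataclass
class DigAnswer:
    status: str = ""
    flags: set = field(default_factory=set)
    records: list = field(default_factory=list)

    @property
    def authoritative(self):
        return "aa" in self.flags      # answer came from an authoritative server

    @property
    def recursion_available(self):
        return "ra" in self.flags      # server will recurse for us


def parse_dig(text):
    """Return a DigAnswer built from the text printed by dig."""
    answer = DigAnswer()
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            answer.status = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            answer.flags = set(re.search(r"flags:([^;]*);", line).group(1).split())
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";"):
            # any other comment line; a new section header ends the answer section
            if "SECTION" in line:
                in_answer = False
        elif in_answer and line.strip():
            domain, ttl, rrclass, rtype, rdata = line.split(None, 4)
            answer.records.append(ResourceRecord(domain, int(ttl), rrclass, rtype, rdata))
    return answer


_TTL_UNITS = {"W": 7 * 86400, "D": 86400, "H": 3600, "M": 60, "S": 1}


def ttl_to_seconds(value):
    """Convert a zone-file TTL such as 3W, 1D12H or 300 to seconds."""
    if value.isdigit():
        return int(value)
    if not re.fullmatch(r"(\d+[WDHMSwdhms])+", value):
        raise ValueError("bad TTL syntax %r: write the unit after the number, e.g. 3W" % value)
    return sum(int(n) * _TTL_UNITS[u.upper()]
               for n, u in re.findall(r"(\d+)([WDHMSwdhms])", value))


SOA_FIELDS = ("master", "contact", "serial", "refresh", "retry", "expire", "negative_ttl")


def decode_soa(record):
    """Expand SOA rdata into named fields; the contact's first '.' becomes '@'."""
    parts = record.rdata.split()
    if record.rtype != "SOA" or len(parts) != len(SOA_FIELDS):
        raise ValueError("not an SOA record: %r" % record)
    soa = dict(zip(SOA_FIELDS, parts))
    soa["serial"] = int(soa["serial"])
    for key in ("refresh", "retry", "expire", "negative_ttl"):
        soa[key] = ttl_to_seconds(soa[key])
    soa["contact_email"] = soa["contact"].rstrip(".").replace(".", "@", 1)
    return soa


if __name__ == "__main__":
    ans = parse_dig(SAMPLE_DIG_OUTPUT)
    print("status=%s authoritative=%s recursion_available=%s"
          % (ans.status, ans.authoritative, ans.recursion_available))
    for rr in ans.records:
        print(rr)
    print(decode_soa(ans.records[0]))
```

Run it against real output with `dig @ns4.google.com google.com ANY | python3 parse_dig.py`-style piping by replacing SAMPLE_DIG_OUTPUT with sys.stdin.read(); the authoritative property is the same check as "note the aa in the flags section" above, and a server that sets ra when it is not your own resolver is worth a second look, since an open recursive resolver is a common misconfiguration.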
Perform a domain transfer where permitted i.e. from slave to master (Also useful for testing permissions on master when run on a slave):
dig -t axfr domain.com. @localhost
or
dig -t axfr domain.com. @w.x.y.z
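To confirm that the allow-transfer policy configured on the master behaves as intended, the same dig -t axfr check can be repeated against every listed name server of your own zone. The following Python 3 script is an added example, not the post's or BIND's own code: it assumes dig from bind-utils is on PATH, that a refused transfer prints "; Transfer failed." (an assumption about dig's wording) and that a complete transfer both starts and ends with the zone's SOA record; the two sample outputs are constructed for the offline check, and example.com with ns1/ns2.example.com are placeholders.

```python
"""Report which name servers of a zone answer a zone transfer (AXFR).

Added example, not from the original post.  Network access goes through
the dig binary; classification is tested offline on constructed text.
"""
import subprocess
import sys

# Constructed dig outputs for the offline check (placeholder zone).
REFUSED_OUTPUT = """\
; <<>> DiG 9.4.2-P2 <<>> -t axfr example.com. @ns1.example.com
;; global options: printcmd
; Transfer failed.
"""

ALLOWED_OUTPUT = """\
; <<>> DiG 9.4.2-P2 <<>> -t axfr example.com. @ns2.example.com
;; global options: printcmd
example.com.     3600 IN SOA ns1.example.com. hostmaster.example.com. 2008101401 7200 1800 1209600 300
example.com.     3600 IN NS  ns1.example.com.
www.example.com. 3600 IN A   192.0.2.10
example.com.     3600 IN SOA ns1.example.com. hostmaster.example.com. 2008101401 7200 1800 1209600 300
"""


def _record_lines(output):
    return [l for l in output.splitlines() if l and not l.startswith(";")]


def classify_axfr(output):
    """Return 'allowed', 'refused' or 'unknown' for one dig -t axfr output.

    A complete transfer is bracketed by two copies of the zone's SOA record,
    so the SOA count is trusted before any message text.
    """
    soa_lines = [l for l in _record_lines(output) if l.split()[3:4] == ["SOA"]]
    if len(soa_lines) >= 2:
        return "allowed"
    if "Transfer failed" in output:          # assumed dig wording for a refusal
        return "refused"
    return "unknown"


def transferred_names(output):
    """Owner names disclosed by a successful transfer (empty if none)."""
    if classify_axfr(output) != "allowed":
        return []
    return sorted({l.split()[0] for l in _record_lines(output)})


def run_dig(args):
    """Hypothetical wrapper around the dig binary; '' on failure or timeout."""
    try:
        return subprocess.run(["dig"] + args, capture_output=True,
                              text=True, timeout=20).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""


def audit_zone(zone):
    """Ask each NS of the zone for AXFR and return {nameserver: verdict}."""
    nameservers = run_dig(["+short", "NS", zone]).split()
    return {ns: classify_axfr(run_dig(["+time=5", "+tries=1", "-t", "axfr", zone, "@" + ns]))
            for ns in nameservers}


if __name__ == "__main__":
    zone = sys.argv[1] if len(sys.argv) > 1 else "example.com."
    for ns, verdict in audit_zone(zone).items():
        print("%-30s %s" % (ns, verdict))
```

Every server other than the intended slaves should report "refused"; an "allowed" verdict on a server that is not meant to be a slave means the allow-transfer statement in named.conf is wider than intended, and the transferred_names helper shows exactly which host names such a server would hand out.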
Using host command:
host is similar to dig when the -v option is used; however, host has no trace capabilities.
Delegation: host -rt ns google.com
google.com name server ns1.google.com.
google.com name server ns2.google.com.
google.com name server ns4.google.com.
google.com name server ns3.google.com.
Iterative: host -r google.com
google.com name server ns2.google.com.
google.com name server ns4.google.com.
google.com name server ns3.google.com.
google.com has address 209.85.171.99
google.com has address 72.14.207.99
google.com has address 64.233.187.99
google.com mail is handled by 10 smtp1.google.com.
google.com mail is handled by 10 smtp2.google.com.
google.com mail is handled by 10 smtp3.google.com.
google.com mail is handled by 10 smtp4.google.com.
Reverse: host 72.14.207.99
99.207.14.72.in-addr.arpa domain name pointer eh-in-f99.google.com.
MX: host -t mx google.com
google.com mail is handled by 10 smtp1.google.com.
google.com mail is handled by 10 smtp2.google.com.
google.com mail is handled by 10 smtp3.google.com.
google.com mail is handled by 10 smtp4.google.com.
SOA: host -t soa google.com
google.com has SOA record ns1.google.com. dns-admin.google.com. 2008101401 7200 1800 1209600 300
Zone: host -t axfr localhost 127.0.0.1
or
host -t ixfr=serial example.com. xx.xx.xx.xx
- master server is the name of the server which will hold master data files.
- contact email is the email address for the zone contact. (Note that the @ is replaced by a . because @ has a special meaning in DNS zone files.)
- serial numbers are used for notifying slave servers that the zone has been updated. Typically, serial numbers are based upon ISO dates and updated every time the zone file has changed.
- refresh is the time slave servers should wait between checking for master server updates. Typically one hour.
- retry is the time that a slave should wait after a failed update to retry the refresh. Typically one minute.
- expire is how long slave servers keep serving the zone's DNS info after they have been unable to refresh it from the master. Typically set to seven days.
- minimum time to live for negative answers specifies length of time the DNS server should cache a "no such host" response from an authoritative server for a domain.
- All times are in seconds by default but W, D, H, M may be used for Weeks, Days, Hours, and Minutes
The SOA record indicates the master DNS server for the domain and a server is authoritative if it has delegation from the parent domain (NS record plus A record) and a local copy of the domain data, including the SOA record.
If you are running SELinux with bind you may need to fix file contexts when moving files in from other locations by running:
restorecon -R /var/named/chroot
If SELinux booleans have been changed then they should be persisted in /etc/selinux/targeted/booleans.local to avoid overwriting customizations during patching or upgrades.
1 comment:
Great information on bind, lots of great tips.