28/07/95 v3.0

README3: A LINUX-TO-DEMON-INTERNET CONFIGURATION GUIDE
BIND: RUNNING A NAME SERVER UNDER SLACKWARE LINUX WITH DIS
==========================================================

Copyright 1994-5 John A. Phillips. john@linux.demon.co.uk

Please note that I don't really understand everything here, so some of
the stuff below may be a little off-beam, but it works (so far) for me.
Comments are welcome. As usual, use the information here at your own
risk.

Some of the files you need to install or modify are contained in the
package, for you to copy directly into place. See the list at the end of
this README. Configuration should be done as user "root".

3A Requirements and installation notes
--------------------------------------

From amongst the optional packages of disk set N, these are required for
basic network set-up. Other packages from disk set N may be needed by
the other packages in this guide. Please see the relevant README(s).

    bind    Required. This is the name server package.

NOTE 1: The name server in this package will be of little use in saving
network traffic for name resolution if you re-boot your machine very
frequently (about as often as you log in to Demon). The name server
cache is lost on shut-down and has to be re-generated from the network.

NOTE 2: Off-line, processes such as mail and news posting may take
longer to complete when you run a local name server, as name server
timeouts seem to take longer.

NOTE 3: When running named I notice problems with netdate failing when
the clock is being adjusted by setclock in the BASE package. A cure is
to do a "nslookup ntp.demon.co.uk" whilst on line (assuming this is your
ntp server). This caches the name and IP address. Otherwise, set the ntp
server in setclock to another Demon machine, such as
demon-du.demon.co.uk.

3B The simplest possible set-up
-------------------------------

This is a very simple cache-only client. It is not authoritative at all
(not even over localhost and 127.0.0.1).
I have been told this is a security risk (but not why). However, it
works. Section 3C adds the SOA (Start of Authority) records for
localhost and 127.0.0.1. I recommend that you do this on the assumption
that the advice I've heard about security is accurate.

Create directory /var/named (this is FSSTND compliant), and set up
/etc/named.boot (or copy it into place from named.boot1 in the package):

    ; /etc/named.boot: boot file for name server
    ;
    directory /var/named
    ;
    ; type      domain                  source file or host
    ;----------------------------------------------------------
    ;
    cache       .                       named.root
    forwarders  158.152.1.65 158.152.1.193 192.68.174.95

This file says that further configuration files are to be found in
/var/named; that named.root contains "hints" about where to look things
up (the "root" nameservers); and that the nameservers in the forwarders
line (the Demon nameservers) should be asked first whenever the cache
does not contain the name being looked up.

It is perfectly OK to leave out the forwarders line. The root
nameservers will then be asked first for the answers to queries about
names. As the cache of names builds up, including nameserver entries, I
think that more appropriate nameservers will subsequently be asked for
information. However, including the forwarders line makes your system
behave exactly like a system using the Demon nameservers via the list in
resolv.conf, except that the answers are cached, and the root
nameservers are available as a backup.

Set up /var/named/named.root thus (or copy it into place from the
package):

    ;
    ; This file holds the information on root name servers needed to
    ; initialize cache of Internet domain name servers
    ; (e.g. reference this file in the "cache  .  <file>"
    ; configuration file of BIND domain name servers).
    ;
    ; This file is made available by InterNIC registration services
    ; under anonymous FTP as
    ;     file                /domain/named.root
    ;     on server           FTP.RS.INTERNIC.NET
    ; -OR- under Gopher at    RS.INTERNIC.NET
    ;     under menu          InterNIC Registration Services (NSI)
    ;        submenu          InterNIC Registration Archives
    ;     file                named.root
    ;
    ;       last update:    Oct 5, 1994
    ;       related version of root zone:   1994100500
    ;
    .                        99999999 IN  NS  NS.INTERNIC.NET.
    NS.INTERNIC.NET.         99999999     A   198.41.0.4
    .                        99999999     NS  NS1.ISI.EDU.
    NS1.ISI.EDU.             99999999     A   128.9.0.107
    .                        99999999     NS  C.PSI.NET.
    C.PSI.NET.               99999999     A   192.33.4.12
    .                        99999999     NS  TERP.UMD.EDU.
    TERP.UMD.EDU.            99999999     A   128.8.10.90
    .                        99999999     NS  NS.NASA.GOV.
    NS.NASA.GOV.             99999999     A   128.102.16.10
                             99999999     A   192.52.195.10
    .                        99999999     NS  NS.ISC.ORG.
    NS.ISC.ORG.              99999999     A   192.5.5.241
    .                        99999999     NS  NS.NIC.DDN.MIL.
    NS.NIC.DDN.MIL.          99999999     A   192.112.36.4
    .                        99999999     NS  AOS.ARL.ARMY.MIL.
    AOS.ARL.ARMY.MIL.        99999999     A   128.63.4.82
                             99999999     A   192.5.25.82
    .                        99999999     NS  NIC.NORDU.NET.
    NIC.NORDU.NET.           99999999     A   192.36.148.17
    ; End of File

These are the top-level (root-domain) nameservers for the 'net. The
latest version of this file can be found on ftp.rs.internic.net in file
/domain/named.root.

Uncomment the "named" stanza in /etc/rc.d/rc.inet2 to run named at boot
time:

    ...
    # Start the NAMED/BIND name server.
    if [ -f ${NET}/named ]
    then
      echo -n " named"
      ${NET}/named
    fi
    ...

Make sure /etc/host.conf is like this:

    order hosts, bind
    multi on

This makes sure the look-up for 127.0.0.1 or localhost is satisfied from
/etc/hosts (see below), because the cache-only non-authoritative
nameserver of this section has no answer of its own for that query and
would pass it on to the forwarders or root servers. If you have the
dummy interface in the kernel and it is set up in rc.inet1, this will
also allow /etc/hosts to resolve your own IP address and hostname
queries even when you are not connected.

Make sure /etc/hosts has at least these entries (configured for your own
hostname and IP address):

    # For looping back.
    127.0.0.1       localhost
    # This machine.
    158.152.XXX.YYY <hostname>.demon.co.uk
    # A router.
    158.152.1.222   demon-du.demon.co.uk    demon-du

If you have other Demon machines in here, you can remove them, as named
will put them into its cache and remember them for you. If you keep
names and addresses here, they will be used before the names and
addresses in the cache (see /etc/host.conf), and any updates will not
be made automatically. Just keep the router (now demon-du, I believe) if
you are using DIP/CSLIP. PPP doesn't need it.

Some people have said that they prefer to leave key machine names in
/etc/hosts because this speeds things up a bit. Fair enough. You can do
this if you want. If the machine addresses ever change (which may be
unlikely for important machines), you can update them manually.

Make sure /etc/resolv.conf is like this:

    search demon.co.uk
    nameserver 127.0.0.1

The first line could be "search ." or "domain demon.co.uk" - see "man 5
resolver" for the differences in name look-up behaviour. I prefer
"search . demon.co.uk", which looks up names as you supply them first,
then tries adding .demon.co.uk if the first look-up fails. This, and the
search line suggested in the example above, allow you to use "ping gate"
for example, rather than having to use "ping gate.demon.co.uk". The
second line just points to the named on your own host as your system's
name server. I think other name servers (up to two more) could be added
after "nameserver 127.0.0.1", and will be used in the event that your
named goes down, but I haven't tried this.

That's it! Reboot now or run named manually.

You can't for now run nslookup (to make manual queries about names) on
your machine whilst it's not on the net, since nslookup does not seem to
go through the resolver library, and named seems to need to resolve
localhost and/or 127.0.0.1 first in order to work with nslookup.
However, calls via the resolver library (e.g. from "telnet localhost" or
"ftp 127.0.0.1") will work, asking /etc/hosts.
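The set-up above is only safe if three files agree with each other:
/etc/named.boot (whether named is authoritative for localhost at all),
/etc/host.conf (whether hosts is consulted before bind) and /etc/hosts
(whether it actually maps 127.0.0.1 to localhost). The script below is
an added example, not part of this README or the bind package, that
checks that combination on copies of the files and says whether a
"localhost" query can leave the machine. It assumes the BIND 4
named.boot syntax (type, domain, file) and the host.conf format shown
above; the function names are mine, and the sample files it writes to a
temporary directory are constructed from the examples in sections 3B
and 3C.

```shell
#!/bin/sh
# Consistency check for the section 3B/3C name-server files.
# Added example, not part of the README or the bind package. It assumes the
# BIND 4 named.boot syntax ("type domain file") and the Slackware
# /etc/host.conf format shown in the README; function names are mine.

# boot_is_authoritative NAMED_BOOT
# Exit 0 if the boot file holds primary zones for both "localhost" and the
# 0.0.127.in-addr.arpa reverse zone (the section 3C set-up), else exit 1.
boot_is_authoritative() {
    awk '/^[ \t]*;/ { next }                  # skip comment lines
         tolower($1) == "primary" && tolower($2) == "localhost" { fwd = 1 }
         tolower($1) == "primary" && tolower($2) == "0.0.127.in-addr.arpa" { rev = 1 }
         END { if (fwd && rev) exit 0; exit 1 }' "$1"
}

# boot_forwarders NAMED_BOOT
# Print the forwarder addresses one per line (nothing if there is no
# forwarders line, in which case the root servers are asked directly).
boot_forwarders() {
    awk '/^[ \t]*;/ { next }
         tolower($1) == "forwarders" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# host_conf_order HOST_CONF
# Print the "order" directive with whitespace removed, e.g. "hosts,bind".
host_conf_order() {
    awk '$1 == "order" { $1 = ""; gsub(/[ \t]/, ""); print; exit }' "$1"
}

# hosts_has_localhost HOSTS
# Exit 0 if the hosts file maps 127.0.0.1 to the name "localhost".
hosts_has_localhost() {
    awk '/^[ \t]*#/ { next }
         $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == "localhost") found = 1 }
         END { if (found) exit 0; exit 1 }' "$1"
}

# check_localhost_resolution NAMED_BOOT HOST_CONF HOSTS
# A cache-only named has no answer of its own for "localhost", so the query
# must be satisfied by /etc/hosts before the resolver reaches bind; otherwise
# it goes out to the forwarders or root servers and the reply is cached.
# Prints a one-line verdict; exit 0 when the combination is safe.
check_localhost_resolution() {
    if boot_is_authoritative "$1"; then
        echo "ok: named is authoritative for localhost and 0.0.127.in-addr.arpa"
        return 0
    fi
    order=$(host_conf_order "$2")
    case "$order" in
        hosts,*) ;;
        *) echo "risk: cache-only named with host.conf order '$order': localhost queries leave the machine"
           return 1 ;;
    esac
    if ! hosts_has_localhost "$3"; then
        echo "risk: cache-only named and no '127.0.0.1 localhost' line in /etc/hosts"
        return 1
    fi
    echo "ok: cache-only named, localhost is answered from /etc/hosts"
    return 0
}

# --- Demonstration on constructed copies of the files from sections 3B and 3C ---
demo=$(mktemp -d)
cat > "$demo/named.boot1" <<'EOF'
; cache-only boot file, as in section 3B
directory /var/named
cache      .                     named.root
forwarders 158.152.1.65 158.152.1.193 192.68.174.95
EOF
cat > "$demo/named.boot" <<'EOF'
; boot file with the section 3C additions
directory /var/named
cache      .                     named.root
primary    localhost             named.hosts
primary    0.0.127.IN-ADDR.ARPA  named.local
forwarders 158.152.1.65 158.152.1.193 192.68.174.95
EOF
printf 'order hosts, bind\nmulti on\n' > "$demo/host.conf"
printf 'order bind, hosts\nmulti on\n' > "$demo/host.conf.bindfirst"
printf '# For looping back.\n127.0.0.1 localhost\n' > "$demo/hosts"

echo "forwarders in named.boot1: $(boot_forwarders "$demo/named.boot1" | tr '\n' ' ')"
check_localhost_resolution "$demo/named.boot1" "$demo/host.conf"           "$demo/hosts" || true
check_localhost_resolution "$demo/named.boot1" "$demo/host.conf.bindfirst" "$demo/hosts" || true
check_localhost_resolution "$demo/named.boot"  "$demo/host.conf.bindfirst" "$demo/hosts" || true
rm -rf "$demo"
```

Run it against the real files with
check_localhost_resolution /etc/named.boot /etc/host.conf /etc/hosts;
the second demonstration line shows the one combination this section
warns against ("order bind, hosts" with a cache-only named).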
Errors and other informative comments from named are logged in the file
/var/adm/syslog.

You can cause a running named to re-load its configuration files with

    killall -HUP named

The command /usr/sbin/named.reload does the same and could be used
instead.

You can cause the current data cache and hints to be dumped to the file
/var/tmp/named_dump.db with the command

    killall -INT named

It is instructive to do this and see the dump file on a newly started
named, then after a simple connection to Demon, and then again after a
few FTPs to sites around the world.

A further command /usr/sbin/named.restart is also available to kill and
then re-start named if you wish to do this.

3C Adding SOA records for localhost and 127.0.0.1
-------------------------------------------------

This section adds the bits to run a named that is basically a cache-only
client but is authoritative over localhost (and 127.0.0.1). The set-up
is said to be more secure than the basic set-up in section 3B. The
reason is that a named which is not authoritative for localhost or for
the 0.0.127.in-addr.arpa reverse zone has no answer of its own for them:
any such query that is not satisfied from /etc/hosts is sent to the
forwarders or root servers, and whatever comes back is cached and used.
Holding these two zones yourself keeps the answers for your own loopback
address on your own machine. The set-up is installed as in section 3B,
above, with the extras explained below. I recommend you to follow this
section as well.

Add a couple of extra lines (those starting with "primary") to the
original /etc/named.boot to make it look like this (or install the
named.boot file from the package as /etc/named.boot):

    ; /etc/named.boot: boot file for name server
    ;
    directory /var/named
    ;
    ; type      domain                  source file or host
    ;----------------------------------------------------------
    ;
    cache       .                       named.root
    primary     localhost               named.hosts
    primary     0.0.127.IN-ADDR.ARPA    named.local
    forwarders  158.152.1.65 158.152.1.193 192.68.174.95

Create /var/named/named.hosts like this (or copy the file in the package
into place):

    ; /var/named/named.hosts: local host
    ; origin is localhost. (see named.boot)
    ;
    @       IN  SOA <hostname>.demon.co.uk. <user>.<hostname>.demon.co.uk. (
                    94122401    ; serial number
                    86400       ; refresh: 24 hours
                    3600        ; retry: 1 hour
                    3600000     ; expire: 42 days (approx)
                    604800 )    ; minimum: 1 week
            IN  NS  localhost.
    localhost.
            IN  A   127.0.0.1

Configure <hostname> as your hostname and <user> as your local e-mail
address, as appropriate (the second name in the SOA record should look
like an Internet e-mail address with the "@" replaced by "."). Watch for
the "."s at the end of names. They are important: a name without the
trailing "." is taken relative to the origin, so a bare "localhost" in
this file would become "localhost.localhost.". How do you choose the
timeouts etc? I copied them from examples. Any comments would be
welcome.

Create /var/named/named.local like this (or copy it into place from the
package):

    ; /var/named/named.local: reverse mapping of 127.0.0
    ; origin is 0.0.127.in-addr.arpa. (see named.boot)
    ;
    @       IN  SOA <hostname>.demon.co.uk. <user>.<hostname>.demon.co.uk. (
                    94122401    ; serial number
                    360000      ; refresh: 100 hours
                    3600        ; retry: 1 hour
                    3600000     ; expire: 42 days (approx)
                    360000 )    ; minimum: 100 hours
            IN  NS  localhost.
    1       IN  PTR localhost.

Configure <hostname> and <user> exactly as for named.hosts, and again
watch for the "."s at the end of names. How do you choose the timeouts
etc? I copied them from examples. Again, any comments would be welcome.

That's it. Start or re-start named.

Now it is possible to have "order bind, hosts" in /etc/host.conf (if you
want). This allows /etc/hosts to be kept as a back-up rather than
consulted first. Actually I currently run my server as in section 3C,
but I still use "order hosts, bind", and a vestigial /etc/hosts file
just like the one in section 3B.

By the way, some people have advised me to be authoritative over
localhost.demon.co.uk. However, I have checked that Demon's nameservers
return the correct answer for this name (127.0.0.1), which is then
cached. Demon's name servers certainly do not recognize just localhost.

3D Conclusion
-------------

That's how it works for me. As I said, I don't understand a lot of the
"why's" yet, but the "how's" are in principle sorted (in the two
simplest cases anyway).
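One last check worth running on the two zone files from section 3C
before you HUP named: both share the same two pitfalls, a forgotten
trailing "." (which turns "localhost" into "localhost.localhost.") and a
non-numeric SOA field. The script below is an added example, not part
of this README or the bind package. It assumes the BIND 4 master-file
syntax used in the files above (";" comments, a multi-line SOA in
parentheses, names relative to the origin unless they end in a dot);
the function name, and "gate" and "user" standing in for the
<hostname> and <user> placeholders in its constructed sample files, are
mine.

```shell
#!/bin/sh
# Lint for the section 3C zone files (named.hosts, named.local).
# Added example, not part of the README or the bind package. It assumes the
# BIND 4 master-file syntax used there: ";" comments, a multi-line SOA in
# parentheses, and owner names relative to the origin unless they end in a
# dot. The function name is mine.

# zone_lint FILE
# Prints one line per problem and exits 1 if any were found:
#   - SOA server/contact, NS or PTR target without a trailing "." (such a
#     name is relative to the origin, so "localhost" in named.hosts would
#     silently become "localhost.localhost.")
#   - SOA timer fields that are not plain numbers
#   - not exactly one SOA record
zone_lint() {
    awk -v file="$1" '
    function fqdn(name) { return name ~ /\.$/ }
    function problem(msg) { printf "%s: %s\n", file, msg; bad++ }
    {
        sub(/;.*/, "")                  # strip the comment part of the line
        depth += gsub(/\(/, " ")        # entering a parenthesised record
        depth -= gsub(/\)/, " ")        # leaving it
        rec = rec " " $0
        if (depth > 0) next             # SOA continues on the next line
        n = split(rec, f, /[ \t]+/)     # f[] now holds one whole record
        rec = ""
        for (i = 1; i <= n; i++) {
            if (f[i] == "SOA") {
                soa++
                if (!fqdn(f[i+1])) problem("SOA server \"" f[i+1] "\" lacks trailing dot")
                if (!fqdn(f[i+2])) problem("SOA contact \"" f[i+2] "\" lacks trailing dot")
                for (j = 3; j <= 7; j++) {
                    if (f[i+j] !~ /^[0-9]+$/)
                        problem("SOA field " (j-2) " \"" f[i+j] "\" is not a number")
                }
            } else if (f[i] == "NS" || f[i] == "PTR") {
                if (!fqdn(f[i+1])) problem(f[i] " target \"" f[i+1] "\" lacks trailing dot")
            }
        }
    }
    END {
        if (soa != 1) problem("expected exactly one SOA record, found " soa+0)
        if (bad > 0) exit 1
        exit 0
    }' "$1"
}

# --- Demonstration on constructed zone files ---
demo=$(mktemp -d)
# As in section 3C, with "gate" and "user" standing in for the placeholders.
cat > "$demo/named.hosts" <<'EOF'
; /var/named/named.hosts: local host
; origin is localhost. (see named.boot)
@       IN  SOA gate.demon.co.uk. user.gate.demon.co.uk. (
                94122401    ; serial number
                86400       ; refresh: 24 hours
                3600        ; retry: 1 hour
                3600000     ; expire: 42 days (approx)
                604800 )    ; minimum: 1 week
        IN  NS  localhost.
localhost.  IN  A   127.0.0.1
EOF
# The same file with the trailing dots forgotten and a malformed serial.
cat > "$demo/named.hosts.bad" <<'EOF'
@       IN  SOA gate.demon.co.uk user.gate.demon.co.uk (
                94/12/24    ; serial number
                86400 3600 3600000 604800 )
        IN  NS  localhost
localhost.  IN  A   127.0.0.1
EOF
zone_lint "$demo/named.hosts" && echo "named.hosts: clean"
zone_lint "$demo/named.hosts.bad" || echo "named.hosts.bad: fix before starting named"
rm -rf "$demo"
```

Run zone_lint /var/named/named.hosts and zone_lint /var/named/named.local
before "killall -HUP named"; a clean file prints nothing and exits 0.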
I recommend Olaf Kirch's Linux Network Administrator's Guide (superb in
general), but supplemented by something like the Sun AnswerBook chapter
17, which for me sorted out a great deal of my confusion over named. The
O'Reilly book on DNS and BIND is also a good source of information.

To return to using Demon's name servers, /etc/resolv.conf and
/etc/host.conf should be restored to their original configurations from
the BASE package. If you want to make this permanent, you should also
stop named from being run by /etc/rc.d/rc.inet2, and kill the current
process. The configuration files may be left in place.

3E Bugs
-------

I still get occasional entries in /var/adm/syslog of the sort:

    Sep 3 05:04:25 linux named[47]: recvfrom: Connection refused

I believe this is cured by getting the latest bind package.

3F Acknowledgments
------------------

Thanks to John Man (jman@home.org) for helpful comments.

3G Files in this package
------------------------

    File name (Slackware)      Location in this package
    =====================      ========================
    /var/named/named.root      bind/named.root
    /var/named/named.local     bind/named.local
    /var/named/named.hosts     bind/named.hosts
    /etc/named.boot            bind/named.boot1 (section 3B)
    /etc/named.boot            bind/named.boot  (section 3C)

END OF README3