Chapter 3. Name Server Configuration
Prev     Next

Chapter 3. Name Server Configuration

Table of Contents

Sample Configurations
A Caching-only Name Server
An Authoritative-only Name Server
Load Balancing
Name Server Operations
Tools for Use With the Name Server Daemon
Signals

In this chapter we provide some suggested configurations along with guidelines for their use. We suggest reasonable values for certain option settings.

Sample Configurations

A Caching-only Name Server

The following sample configuration is appropriate for a caching-only name server for use by clients internal to a corporation. All queries from outside clients are refused using the allow-query option. Alternatively, the same effect could be achieved using suitable firewall rules. 

// Two corporate subnets we wish to allow queries from.
acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
options {
     // Working directory
     directory "/etc/namedb";

     allow-query { corpnets; };
};
// Provide a reverse mapping for the loopback
// address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
     type master;
     file "localhost.rev";
     notify no;
};

An Authoritative-only Name Server

This sample configuration is for an authoritative-only server that is the master server for "example.com" and a slave for the subdomain "eng.example.com". 

options {
     // Working directory
     directory "/etc/namedb";
     // Do not allow access to cache
     allow-query-cache { none; };
     // This is the default
     allow-query { any; };
     // Do not provide recursive service
     recursion no;
};

// Provide a reverse mapping for the loopback
// address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
     type master;
     file "localhost.rev";
     notify no;
};
// We are the master server for example.com
zone "example.com" {
     type master;
     file "example.com.db";
     // IP addresses of slave servers allowed to
     // transfer example.com
     allow-transfer {
          192.168.4.14;
          192.168.5.53;
     };
};
// We are a slave server for eng.example.com
zone "eng.example.com" {
     type slave;
     file "eng.example.com.bk";
     // IP address of eng.example.com master server
     masters { 192.168.4.12; };
};

Load Balancing

A primitive form of load balancing can be achieved in the DNS by using multiple records (such as multiple A records) for one name.

For example, if you have three WWW servers with network addresses of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the following means that clients will connect to each machine one third of the time:

Name

TTL

CLASS

TYPE

Resource Record (RR) Data

www

600

IN

A

10.0.0.1

600

IN

A

10.0.0.2

600

IN

A

10.0.0.3

When a resolver queries for these records, BIND will rotate them and respond to the query with the records in a different order. In the example above, clients will randomly receive records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients will use the first record returned and discard the rest.

For more detail on ordering responses, check the rrset-order sub-statement in the options statement, see RRset Ordering.

Name Server Operations

Tools for Use With the Name Server Daemon

This section describes several indispensable diagnostic, administrative and monitoring tools available to the system administrator for controlling and debugging the name server daemon.

Diagnostic Tools

The dig, host, and nslookup programs are all command line tools for manually querying name servers. They differ in style and output format.

dig

The domain information groper (dig) is the most versatile and complete of these lookup tools. It has two modes: simple interactive mode for a single query, and batch mode which executes a query for each in a list of several query lines. All query options are accessible from the command line.

dig [@server] domain [query-type] [query-class] [+query-option] [-dig-option] [%comment]

The usual simple use of dig will take the form

dig @server domain query-type query-class

For more information and a list of available commands and options, see the dig man page.

host

The host utility emphasizes simplicity and ease of use. By default, it converts between host names and Internet addresses, but its functionality can be extended with the use of options.

host [-aCdlnrsTwv] [-c class] [-N ndots] [-t type] [-W timeout] [-R retries] [-m flag] [-4] [-6] hostname [server]

For more information and a list of available commands and options, see the host man page.

nslookup

nslookup has two modes: interactive and non-interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non-interactive mode is used to print just the name and requested information for a host or domain.

nslookup [-option...] [[host-to-find] | [- [server]]]

Interactive mode is entered when no arguments are given (the default name server will be used) or when the first argument is a hyphen (`-') and the second argument is the host name or Internet address of a name server.

Non-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server.

Due to its arcane user interface and frequently inconsistent behavior, we do not recommend the use of nslookup. Use dig instead.

Administrative Tools

Administrative tools play an integral part in the management of a server.

named-checkconf

The named-checkconf program checks the syntax of a named.conf file.

named-checkconf [-jvz] [-t directory] [filename]

named-checkzone

The named-checkzone program checks a master file for syntax and consistency.

named-checkzone [-djqvD] [-c class] [-o output] [-t directory] [-w directory] [-k (ignore|warn|fail)] [-n (ignore|warn|fail)] [-W (ignore|warn)] zone [filename]

named-compilezone

Similar to named-checkzone, but it always dumps the zone content to a specified file (typically in a different format).

rndc

The remote name daemon control (rndc) program allows the system administrator to control the operation of a name server. Since BIND 9.2, rndc supports all the commands of the BIND 8 ndc utility except ndc start and ndc restart, which were also not supported in ndc's channel mode. If you run rndc without any options it will display a usage message as follows:

rndc [-c config] [-s server] [-p port] [-y key] command [command...]

The command is one of the following:

reload

Reload configuration file and zones.

reload zone [class [view]]

Reload the given zone.

refresh zone [class [view]]

Schedule zone maintenance for the given zone.

retransfer zone [class [view]]

Retransfer the given zone from the master.

sign zone [class [view]]

Fetch all DNSSEC keys for the given zone from the key directory (see key-directory in the section called “options Statement Definition and Usage”). If they are within their publication period, merge them into the zone's DNSKEY RRset. If the DNSKEY RRset is changed, then the zone is automatically re-signed with the new key set.

This command requires that the auto-dnssec zone option be set to allow or maintain, and also requires the zone to be configured to allow dynamic DNS. See the section called “Dynamic Update Policies” for more details.

loadkeys zone [class [view]]

Fetch all DNSSEC keys for the given zone from the key directory (see key-directory in the section called “options Statement Definition and Usage”). If they are within their publication period, merge them into the zone's DNSKEY RRset. Unlike rndc sign, however, the zone is not immediately re-signed by the new keys, but is allowed to incrementally re-sign over time.

This command requires that the auto-dnssec zone option be set to maintain, and also requires the zone to be configured to allow dynamic DNS. See the section called “Dynamic Update Policies” for more details.

freeze [zone [class [view]]]

Suspend updates to a dynamic zone. If no zone is specified, then all zones are suspended. This allows manual edits to be made to a zone normally updated by dynamic update. It also causes changes in the journal file to be synced into the master and the journal file to be removed. All dynamic update attempts will be refused while the zone is frozen.

thaw [zone [class [view]]]

Enable updates to a frozen dynamic zone. If no zone is specified, then all frozen zones are enabled. This causes the server to reload the zone from disk, and re-enables dynamic updates after the load has completed. After a zone is thawed, dynamic updates will no longer be refused.

notify zone [class [view]]

Resend NOTIFY messages for the zone.

reconfig

Reload the configuration file and load new zones, but do not reload existing zone files even if they have changed. This is faster than a full reload when there is a large number of zones because it avoids the need to examine the modification times of the zones files.

stats

Write server statistics to the statistics file.

querylog

Toggle query logging. Query logging can also be enabled by explicitly directing the queries category to a channel in the logging section of named.conf or by specifying querylog yes; in the options section of named.conf.

dumpdb [-all|-cache|-zone] [view ...]

Dump the server's caches (default) and/or zones to the dump file for the specified views. If no view is specified, all views are dumped.

secroots [view ...]

Dump the server's security roots to the secroots file for the specified views. If no view is specified, security roots for all views are dumped.

stop [-p]

Stop the server, making sure any recent changes made through dynamic update or IXFR are first saved to the master files of the updated zones. If -p is specified named's process id is returned. This allows an external process to determine when named had completed stopping.

halt [-p]

Stop the server immediately. Recent changes made through dynamic update or IXFR are not saved to the master files, but will be rolled forward from the journal files when the server is restarted. If -p is specified named's process id is returned. This allows an external process to determine when named had completed halting.

trace

Increment the servers debugging level by one.

trace level

Sets the server's debugging level to an explicit value.

notrace

Sets the server's debugging level to 0.

flush

Flushes the server's cache.

flushname name

Flushes the given name from the server's cache.

status

Display status of the server. Note that the number of zones includes the internal bind/CH zone and the default ./IN hint zone if there is not an explicit root zone configured.

recursing

Dump the list of queries named is currently recursing on.

validation [on|off] [view ...]

Enable or disable DNSSEC validation. Note dnssec-enable also needs to be set to yes to be effective. It defaults to enabled.

tsig-list

List the names of all TSIG keys currently configured for use by named in each view. The list both statically configured keys and dynamic TKEY-negotiated keys.

tsig-delete keyname [view]

Delete a given TKEY-negotated key from the server. (This does not apply to statically configured TSIG keys.)

addzone zone [class [view]] configuration

Add a zone while the server is running. This command requires the allow-new-zones option to be set to yes. The configuration string specified on the command line is the zone configuration text that would ordinarily be placed in named.conf.

The configuration is saved in a file called hash.nzf, where hash is a cryptographic hash generated from the name of the view. When named is restarted, the file will be loaded into the view configuration, so that zones that were added can persist after a restart.

This sample addzone command would add the zone example.com to the default view:

$ rndc addzone example.com '{ type master; file "example.com.db"; };'

(Note the brackets and semi-colon around the zone configuration text.)

delzone zone [class [view]]

Delete a zone while the server is running. Only zones that were originally added via rndc addzone can be deleted in this matter.

A configuration file is required, since all communication with the server is authenticated with digital signatures that rely on a shared secret, and there is no way to provide that secret other than with a configuration file. The default location for the rndc configuration file is /etc/rndc.conf, but an alternate location can be specified with the -c option. If the configuration file is not found, rndc will also look in /etc/rndc.key (or whatever sysconfdir was defined when the BIND build was configured). The rndc.key file is generated by running rndc-confgen -a as described in the section called “controls Statement Definition and Usage”.

The format of the configuration file is similar to that of named.conf, but limited to only four statements, the options, key, server and include statements. These statements are what associate the secret keys to the servers with which they are meant to be shared. The order of statements is not significant.

The options statement has three clauses: default-server, default-key, and default-port. default-server takes a host name or address argument and represents the server that will be contacted if no -s option is provided on the command line. default-key takes the name of a key as its argument, as defined by a key statement. default-port specifies the port to which rndc should connect if no port is given on the command line or in a server statement.

The key statement defines a key to be used by rndc when authenticating with named. Its syntax is identical to the key statement in named.conf. The keyword key is followed by a key name, which must be a valid domain name, though it need not actually be hierarchical; thus, a string like "rndc_key" is a valid name. The key statement has two clauses: algorithm and secret. While the configuration parser will accept any string as the argument to algorithm, currently only the string "hmac-md5" has any meaning. The secret is a base-64 encoded string as specified in RFC 3548.

The server statement associates a key defined using the key statement with a server. The keyword server is followed by a host name or address. The server statement has two clauses: key and port. The key clause specifies the name of the key to be used when communicating with this server, and the port clause can be used to specify the port rndc should connect to on the server.

A sample minimal configuration file is as follows: 

key rndc_key {
     algorithm "hmac-md5";
     secret
       "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
options {
     default-server 127.0.0.1;
     default-key    rndc_key;
};

This file, if installed as /etc/rndc.conf, would allow the command:

$ rndc reload

to connect to 127.0.0.1 port 953 and cause the name server to reload, if a name server on the local machine were running with following controls statements: 

controls {
        inet 127.0.0.1
            allow { localhost; } keys { rndc_key; };
};

and it had an identical key statement for rndc_key.

Running the rndc-confgen program will conveniently create a rndc.conf file for you, and also display the corresponding controls statement that you need to add to named.conf. Alternatively, you can run rndc-confgen -a to set up a rndc.key file and not modify named.conf at all.

Signals

Certain UNIX signals cause the name server to take specific actions, as described in the following table. These signals can be sent using the kill command.

SIGHUP

Causes the server to read named.conf and reload the database.

SIGTERM

Causes the server to clean up and exit.

SIGINT

Causes the server to clean up and exit.

Prev     Next
Chapter 2. BIND Resource Requirements  Home  Chapter 4. Advanced DNS Features